Re: [c-nsp] Need help with IPv6 CoPP
On 07/05/2013 13:05, Rolf Hanßen wrote:
> So as far as I tested Sup2T only needs:
> permit 89 FE80::/10 any
> Sup720 needs:
> permit 89 FE80::/10 any
> permit ipv6 FE80::/10 FE80::/10

ok, odd.

> Some minutes later:
> 1w5d: %OSPFv3-5-ADJCHG: Process 1, Nbr 123.123.123.123 on Vlan25 from EXSTART to DOWN, Neighbor Down: Too many retransmits

If I were debugging this and if there were differences between the sup720 and the sup2t, I would span the RP to see what sort of packets the sup2t is seeing. I don't have any sup2ts to test this out, but if you get a packet dump, you should be able to design a copp policy based on that.

Nick
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Need help with IPv6 CoPP
Hi,

I captured on the Sup2T (001c.0f1c.bc00) with monitor capture start + sh monitor capture buffer | inc 86DD:

  len 130 , ..0005 001c.0f1c.bc00 86DD 6E4C5901FE80
  len 114 , ..0005 001c.0f1c.bc00 86DD 6E3C5901FE80
  len 90 , ..0005 001c.0f1c.bc00 86DD 6E245901FE80
  len 90 , ..0016 001c.0f1c.bc00 86DD 6E240001FE80
  len 94 , 001c.0f1c.bc00 0011.5d9b.a180 86DD 6E285901FE80
  len 82 , 0011.5d9b.a180 001c.0f1c.bc00 86DD 6E1C5901FE80
  len 94 , 0011.5d9b.a180 001c.0f1c.bc00 86DD 6E285901FE80
  len 90 , ..0016 001c.0f1c.bc00 86DD 6E240001FE80
  len 82 , 001c.0f1c.bc00 0011.5d9b.a180 86DD 6E1C5901FE80
  len 162 , 001c.0f1c.bc00 0011.5d9b.a180 86DD 6E6C5901FE80
  len 82 , 0011.5d9b.a180 001c.0f1c.bc00 86DD 6E1C5901FE80
  len 82 , 001c.0f1c.bc00 0011.5d9b.a180 86DD 6E1C5901FE80
  len 118 , 0011.5d9b.a180 001c.0f1c.bc00 86DD 6E405901FE80
  len 246 , 001c.0f1c.bc00 0011.5d9b.a180 86DD 6EC05901FE80
  len 130 , ..0005 001c.0f1c.bc00 86DD 6E4C5901FE80
  len 90 , ..0016 001c.0f1c.bc00 86DD 6E240001FE80
  len 114 , ..0005 001c.0f1c.bc00 86DD 6E3C5901FE80
  len 114 , ..0005 0011.5d9b.a180 86DD 6E3C5901FE80
  len 114 , ..0005 0011.5d9b.a180 86DD 6E3C5901FE80
  len 94 , ..0005 0011.5d9b.a180 86DD 6E285901FE80

As far as I see everything directed to the Sup720 (0011.5d9b.a180) has next header 0x59, which is 89 / OSPF.

kind regards
Rolf
Re: [c-nsp] Need help with IPv6 CoPP
Hi Rolf

That's right OSPF has many built in mechanisms to handle excessive traffic in either incoming or outgoing direction.
Check out:
  ignore
  limit
  max-lsa
  queue-depth
  timers
  ttl-security

As regards to CoPP.
OSPFv3 should be using addresses from FF02 Multicast link-local address sub-range:
  FF02::5 all OSPF routers
  FF02::6 all OSPF designated routers
So you should be able to limit the permit range to these two.

adam
Re: [c-nsp] Need help with IPv6 CoPP
On 07/05/2013 08:31, Adam Vitkovsky wrote:
> OSPFv3 should be using addresses from FF02 Multicast link-local address sub-range:
> FF02::5 all OSPF routers
> FF02::6 all OSPF designated routers
> So you should be able to limit the permit range to these two.

No, multicast is only used for hello and LSA transmission on broadcast medium networks. Outside this, unicast can be used and will usually use addresses from the standard fe80::/10 range, but if you're using virtual links they can be global addresses.

It's a more sensible idea to filter protocol 89 to your core address ranges using an iACL and then permit all 89 in the CoPP policy.

Nick
Re: [c-nsp] Need help with IPv6 CoPP
On May 7, 2013, at 5:17 PM, Nick Hilliard wrote:
> It's a more sensible idea to filter protocol 89 to your core address ranges using an iACL and then permit all 89 in the CoPP policy.

Concur 100%.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com
Luck is the residue of opportunity and design. -- John Milton
Re: [c-nsp] Need help with IPv6 CoPP
Hello Nick,

that does not help if I cannot filter using the protocol number. Maybe I described not exactly. Whatever OSPF sends, it is not protocol number 89 or CoPP is not able to filter the protocol number.

I did further testing and changed everything to a Sup2T compatible way (only one ACL each class).

Those 3 rules were part of my initial config, only the first seems to match:
  permit 89 FE80::/10 any
  permit 89 any FE80::/10
  permit ipv6 any FE02::/16

That rule makes it working (state changes to FULL):
  permit ipv6 FE80::/10 FE80::/10

That rule does not work (replacing the above one):
  permit 89 FE80::/10 FE80::/10

That rule works but the log does not log anything:
  permit ipv6 FE80::/10 FE80::/10 log

On Sup720 permit ipv6 FE80::/10 FE80::/10 matches and seems to be needed, on Sup2T it does not match and the ACL is not needed to make OSPF reach FULL.

So as far as I tested Sup2T only needs:
  permit 89 FE80::/10 any
Sup720 needs:
  permit 89 FE80::/10 any
  permit ipv6 FE80::/10 FE80::/10
Also no matter which router becomes DR / BDR.

debug ipv6 ospf packet on the Sup720 shows:

The second after clear ipv6 ospf process
  1w5d: %OSPFv3-5-ADJCHG: Process 1, Nbr 123.123.123.123 on Vlan25 from FULL to DOWN, Neighbor Down: Interface down or detached
  1w5d: OSPFv3: rcv. v:3 t:1 l:40 rid:123.123.123.123 aid:0.0.0.123 chk:5A51 inst:0 from Vlan25
  1w5d: OSPFv3: rcv. v:3 t:2 l:28 rid:123.123.123.123 aid:0.0.0.123 chk:634D inst:0 from Vlan25
  1w5d: OSPFv3: rcv. v:3 t:2 l:108 rid:123.123.123.123 aid:0.0.0.123 chk:81C3 inst:0 from Vlan25
  1w5d: OSPFv3: rcv. v:3 t:4 l:192 rid:123.123.123.123 aid:0.0.0.123 chk:594C inst:0 from Vlan25
  1w5d: %OSPFv3-5-ADJCHG: Process 1, Nbr 123.123.123.123 on Vlan25 from LOADING to FULL, Loading Done
Every few seconds:
  1w5d: OSPFv3: rcv. v:3 t:1 l:40 rid:123.123.123.123 aid:0.0.0.123 chk:C24C inst:0 from Vlan25

clear ipv6 ospf process without permit ipv6 FE80::/10 FE80::/10
  1w5d: %OSPFv3-5-ADJCHG: Process 1, Nbr 123.123.123.123 on Vlan25 from FULL to DOWN, Neighbor Down: Interface down or detached
  1w5d: OSPFv3: rcv. v:3 t:1 l:40 rid:123.123.123.123 aid:0.0.0.123 chk:59F7 inst:0 from Vlan25
Some minutes later:
  1w5d: %OSPFv3-5-ADJCHG: Process 1, Nbr 123.123.123.123 on Vlan25 from EXSTART to DOWN, Neighbor Down: Too many retransmits

kind regards
Rolf
[c-nsp] Need help with IPv6 CoPP
Hello list,

I am trying to configure IPv6 CoPP and could use some help with several issues.

First of all I need to know how to allow/filter OSPFv3 sessions.
I am filtering with those rules (reduced them to the minimum for testing):

-----
mls ipv6 acl compress address unicast

policy-map policy-copp-in
 class class-copp-ospf
  police cir 5000 bc 625000 conform-action transmit exceed-action drop violate-action drop
 class class-copp-icmp
  police cir 5000 bc 625000 conform-action transmit exceed-action drop violate-action drop
 class class-copp-any-ip
  police cir 128000 bc 1000 conform-action drop exceed-action drop violate-action drop

class-map match-any class-copp-ospf
 match access-group name acl-copp-ospf
ipv6 access-list acl-copp-ospf
 permit 89 FE80::/10 any
 permit 89 any FE80::/10 (should be obsolete)

class-map match-any class-copp-icmp
 match access-group name acl-copp-icmp
ipv6 access-list acl-copp-icmp
 permit icmp any any

class-map match-any class-copp-any-ip
 match access-group name acl-copp-any-ipv6
ipv6 access-list acl-copp-any-ipv6
 permit ipv6 any any log
-----

If I apply the policy-map after OSPF changes to FULL, it stays in that status.
If I apply the map and clear OSPF process it flaps the whole time between EXSTART and DOWN:
  %OSPFv3-5-ADJCHG: Process 1, Nbr x.x.x.x on Vlan25 from EXSTART to DOWN, Neighbor Down: Too many retransmits
  %OSPFv3-5-ADJCHG: Process 1, Nbr x.x.x.x on Vlan25 from DOWN to DOWN, Neighbor Down: Ignore timer expired

If I change class-copp-any-ip to conform-action transmit, it works again and changes to FULL.
Unfortunately none of the packets matched by permit ipv6 any any log is logged.
I found out that a permit ipv6 FE80::/10 FE80::/10 (not protocol 89, must be something else) makes it going to full again but that is not a very helpful rule to me.

Can somebody tell me what type of packet does OSPF send or what additional/replacement ACL can be used?
Can furthermore somebody tell me if there is a way to make that box log all packets from log acl entries and not only random/software switched/whatever?

After finding out the above I included the rules to the prior created entries. And it did not work anymore.
Platform is Sup7203B in 6509.
I hoped that Sup2T is able to log more/better or give me a hint what goes wrong and tried out.
There I got that error here:
  R2(config-cp)# service-policy input policy-copp-in
  QoS: Multiple acl entries cannot be used in match-any in class class-copp-allowed-important

Is there a way to allow multiple entries or do I need to build a giant policy-map and a mass of class-maps (one each acl)?
Is there maybe a way to bypass the class-map and directly configure the ACLs?

I then tried to move the permit ipv6 FE80::/10 FE80::/10 to an own class-map and it worked (even though no match of that rule is shown).

Does Sup720 also have some number of entries limitations (class-maps each policy, acls each class, entries each acl, maybe total number of entries) but just gives no error messages (just does not work/match in such cases)?
Or is there maybe some bug I hit?
Both could explain that behaviour imho.

kind regards
Rolf
Re: [c-nsp] Need help with IPv6 CoPP
> If I apply the policy-map after OSPF changes to FULL, it stays in that status.
> If I apply the map and clear OSPF process it flaps the whole time between EXSTART and DOWN:

Are you using OSPFv3 authentication? In this case the first protocol in the packets is AH, and the next is OSPF.

This doesn't fully explain what you're seeing, but is something to check. I have no clue for the other strangenesses you describe.

Regards,
Bergonz

--
Ing. Michele Bergonzoni - Laboratori Guglielmo Marconi S.p.a.
Phone:+39-051-6781926 e-mail: berg...@labs.it
alt.advanced.networks.design.configure.operate
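Both the AH hint above and the next-header reading of the packet capture elsewhere in this thread can be checked offline against raw packets. The following Python sketch is an added example, not code from any poster: it walks the IPv6 extension-header chain, reports the first Next Header value next to the upper-layer protocol, prints OSPFv3 header fields in the style of the debug lines in the thread, and evaluates ACL lines quoted in the thread. The sample packets, their fe80::1 / fe80::2 addresses and the function names are constructed assumptions.

```python
import ipaddress
import struct

OSPF, AH = 89, 51
EXT_HEADERS = {0, 43, 60, AH}  # hop-by-hop, routing, destination options, AH

def classify(packet):
    """Decode one raw IPv6 packet: addresses, first Next Header, upper-layer protocol."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    info = {
        "src": ipaddress.IPv6Address(packet[8:24]),
        "dst": ipaddress.IPv6Address(packet[24:40]),
        "first_next_header": packet[6],
    }
    nh, off = packet[6], 40
    while nh in EXT_HEADERS:  # Fragment headers are not followed in this sketch
        if off + 2 > len(packet):
            raise ValueError("truncated extension header")
        length_field = packet[off + 1]
        # AH counts 32-bit words minus 2; the other headers count 8-byte units minus 1.
        size = (length_field + 2) * 4 if nh == AH else (length_field + 1) * 8
        nh, off = packet[off], off + size
    info["upper_layer"] = nh
    if nh == OSPF and off + 16 <= len(packet):
        ver, ptype, plen, rid, aid = struct.unpack_from("!BBH4s4s", packet, off)
        # Same fields as the 'debug ipv6 ospf packet' lines quoted in the thread.
        info["ospf"] = "v:%d t:%d l:%d rid:%s aid:%s" % (
            ver, ptype, plen, ipaddress.IPv4Address(rid), ipaddress.IPv4Address(aid))
    return info

def parse_entry(line):
    """Parse 'permit <proto> <src> <dst>' where proto is a number or 'ipv6'."""
    _action, proto, src, dst = line.split()[:4]
    net = lambda s: ipaddress.IPv6Network("::/0" if s == "any" else s)
    return (None if proto == "ipv6" else int(proto)), net(src), net(dst)

def first_match(acl, info, key="upper_layer"):
    """Return the first ACL line matching the packet, else None.

    key selects which protocol value is compared: 'upper_layer' (after the
    extension headers) or 'first_next_header' (fixed header only).
    """
    for line in acl:
        proto, src, dst = parse_entry(line)
        if proto not in (None, info[key]):
            continue
        if info["src"] in src and info["dst"] in dst:
            return line
    return None

# Constructed sample data. Router and area IDs reuse the values in the thread's debug output.
RID = ipaddress.IPv4Address("123.123.123.123").packed
AID = ipaddress.IPv4Address("0.0.0.123").packed

def build(src, dst, ospf_type, ospf_len, auth=False):
    """Build a constructed packet: IPv6 header, optional AH, OSPFv3 header, zero padding."""
    ospf = struct.pack("!BBH4s4sHBB", 3, ospf_type, ospf_len, RID, AID, 0, 0, 0)
    ospf += bytes(ospf_len - len(ospf))
    ah = b""
    if auth:
        # next header 89, length field 4 (24 bytes), reserved, SPI, sequence, 12-byte ICV
        ah = struct.pack("!BBHII", OSPF, 4, 0, 256, 1) + bytes(12)
    payload = ah + ospf
    fixed = struct.pack("!IHBB", 0x6E000000, len(payload), AH if auth else OSPF, 1)
    return (fixed + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)

THREAD_ACL = [  # entries quoted in the thread
    "permit 89 FE80::/10 any",
    "permit 89 any FE80::/10",
    "permit ipv6 FE80::/10 FE80::/10",
]
SAMPLES = {
    "hello_mcast": build("fe80::1", "ff02::5", 1, 40),
    "dbd_unicast": build("fe80::1", "fe80::2", 2, 28),
    "hello_ah": build("fe80::1", "ff02::5", 1, 40, auth=True),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        info = classify(pkt)
        print(name, info["first_next_header"], info["upper_layer"], info.get("ospf"))
        for key in ("first_next_header", "upper_layer"):
            print("   match on", key, "->", first_match(THREAD_ACL, info, key))
```

For the AH-protected hello, a comparison against the first Next Header value finds no matching entry, while a comparison against the upper-layer protocol hits `permit 89 FE80::/10 any`.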
Re: [c-nsp] Need help with IPv6 CoPP
On May 6, 2013, at 7:49 PM, Rolf Hanßen wrote:
> I am trying to configure IPv6 CoPP and could use some help with several issues.

I know this isn't what you're asking, but if you haven't done so already, you'll get more benefit from iACLs, GTSM, re-coloring at your edges, et al. first, then worrying about CoPP.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com
Luck is the residue of opportunity and design. -- John Milton
Re: [c-nsp] Need help with IPv6 CoPP
Hello,

I used no authentication for testing, but thanks for the hint, need to put that on the checklist before implementing. ;)

kind regards
Rolf
Re: [c-nsp] Need help with IPv6 CoPP
Hello,

in the non-working copp-config sh ipv6 ospf nei shows EXSTART/BDR and EXSTART/DR, so looks like they already found out.
Anyway, do you know which protocol number and maybe port-number they use (if it is not 89 and CoPP just does not filter correctly)?

Using permit ipv6 FE80::/10 FE80::/10 without anything further does not make much sense because it matches half of the possible ipv6 risk traffic.

kind regards
Rolf
Re: [c-nsp] Need help with IPv6 CoPP
At that stage, neighbors agree on Master/Slave relationship before moving to exchange DBD's. This traffic is unicast between neighbors.
Re: [c-nsp] Need help with IPv6 CoPP
On May 6, 2013, at 11:11 PM, Rogelio Gamino wrote:
> At that stage, neighbors agree on Master/Slave relationship before moving to exchange DBD's.

Unless you're doing OSPF with an external organization and anticipate an attack (either deliberate or inadvertent) from the adjacent router(s), why not leave OSPF out of it entirely, and instead concentrate on traffic which is layer-3-agile?

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com
Luck is the residue of opportunity and design. -- John Milton
[c-nsp] Need help with leaking routes from the main table to vrf tables
Guys

Got a 7301

Main table has colocation on it and the main table.
Our wholesaler supplies us 3G broadband, DSL and ipv6 via separate vrf's while colo is via bgp (main routing table)

Now when a customer is on a DSL connection (or 3g) they go into the wholesalers network before bouncing back and be routed to the colo

  1     1 ms     1 ms     1 ms  office-border..com.au [203.xxx.xxx.1]       Me!
  2    59 ms    60 ms    60 ms  203--1.eee.com.au [203.xxx.xxx.1]           Gw for DSL VRF
  3    60 ms    61 ms    60 ms  bdr03.syd02.nsw.x.net.au [223.xxx.xxx.16]   Wholesalers Network
  4    61 ms    61 ms    61 ms  lns01-syd.ie.net.au [223.xxx.xxx.116]       Wholesalers side of our lns
  5    63 ms    63 ms    63 ms  203--242.eee.net.au [203.xxx.xxx.242]       GW for colo
  6    63 ms    63 ms    64 ms  mail.e.com.au [203.xxx..130]                Mail Server

Thanks
Sam
Re: [c-nsp] Need help with leaking routes from the main table to vrf tables
On (2012-07-12 22:01 +1000), Sam wrote:
> 3G broadband, DSL and ipv6 via separate vrf's while colo is via bgp (main routing table)
>
> Now when a customer is on a DSL connection (or 3g) they go into the wholesalers network before bouncing back and be routed to the colo

I'm not sure I see question there. But one way to leak routes is by static routes to interface.

int foo
 ip vrf forwarding bar
 ip address 42.42.42.1 255.255.255.252
!
ip route vrf bar 42.42.43.0 255.255.255.0 42.42.42.2

To allow interface foo to access internet, you could do

ip route 42.42.43.0 255.255.255.0 foo 42.42.42.2
ip route vrf bar 0.0.0.0 0.0.0.0 10.10.10.10 global

And you'd have 10.10.10.10/32 advertised in all core boxes loopback interface.

Now packets coming from interface foo would default route to global table and global table would also have route to interface foo.

You can also use 'import ipv4 unicast map xyzzy' to import routes from global table to vrf which pass route-map xyzzy.

--
++ytti
[c-nsp] Need help............
Dear Team,

I am going to implement new project in which all cisco device will be replaced from cisco what should i take as a backup from devices

Thanks Regards,
Sumeet Salunke
Re: [c-nsp] Need help............
Hi,

I think Following outputs must be captured so that you can compare old and new routers.

--show running
--Show module
--sh ip route summary
--show ip ospf interface brief
--show ip ospf neighbor
--show ip protocols
--show cdp neighbors
--show ip bgp summary

Best Regards,
Umair Saeed
Phone # +92-3332354591
[c-nsp] Need help w/ output drops on 7613 WS-X6748-GE-TX
We have a 7613 w/ WS-SUP720-3BXL running 12.2(18)SXF11. We have a 48 port WS-X6748-GE-TX. On one interface we continue to see output drops when traffic goes above 200Mb/sec. The interface is defined as follows (very straightforward):

interface GigabitEthernet9/29
 mtu 9000
 bandwidth 100
 no ip redirects
 no ip unreachables
 ip route-cache flow
 ip ospf message-digest-key 1 md5 7 xx
 ip ospf network point-to-point
 load-interval 30
 hold-queue 4096 out

GigabitEthernet9/29 is up, line protocol is up (connected)
  Hardware is C6k 1000Mb 802.3, address is 0015.2c87.b240 (bia 0015.2c87.b240)
  MTU 9000 bytes, BW 100 Kbit, DLY 10 usec,
     reliability 255/255, txload 70/255, rxload 9/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s
  input flow-control is off, output flow-control is off
  Clock mode is auto
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:07, output 00:00:03, output hang never
  Last clearing of show interface counters 15:19:33
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 1385749
  Queueing strategy: fifo
  Output queue: 0/4096 (size/max)
  30 second input rate 39197000 bits/sec, 15438 packets/sec
  30 second output rate 276768000 bits/sec, 27265 packets/sec
  L2 Switched: ucast: 15526 pkt, 90533934 bytes - mcast: 6338 pkt, 90 bytes
  L3 in Switched: ucast: 673843076 pkt, 151541187645 bytes - mcast: 0 pkt, 0 bytes mcast
  L3 out Switched: ucast: 1227451580 pkt, 1367583751541 bytes mcast: 0 pkt, 0 bytes
     673834038 packets input, 151610506124 bytes, 0 no buffer
     Received 54234 broadcasts (0 IP multicasts)
     0 runts, 1 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     1225945267 packets output, 1365797313199 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

-----
Edited sho platform hardwa capa:

Forwarding engine load:
  Module  pps  peak-pps  peak-time
  7  1860091442340  12:41:38 IDT Tue Sep 22 2009
  9  232549  450263  22:10:57 IST Wed Nov 24 2010

Switch Fabric Resources
  Bus utilization: current: 0%, peak was 6% at 01:04:03 IST Sat May 29 2010
  Fabric utilization:        Ingress                 Egress
    Module  Chanl  Speed  rate  peak              rate  peak
    9       0      20G    2%    9% @18:39 15Dec10   7%    16% @15:14 23Nov10
    9       1      20G    0%    6% @08:20 25Aug10   1%    8% @20:51 25Jan10

Interface Resources
  Interface drops:
    Module  Total drops: Tx        Rx       Highest drop port: Tx  Rx
    9                    18521265  1032837                     14  12

-----
Results for sho mls stat module 9

Statistics for Earl in Module 9

L2 Forwarding Engine
  Total packets Switched                : 13534106672944

L3 Forwarding Engine
  Total packets L3 Switched             : 7264929316950 @ 228064 pps

  Total Packets Bridged                 : 3492211276
  Total Packets FIB Switched            : 7210651379282
  Total Packets ACL Routed              : 0
  Total Packets Netflow Switched        : 1
  Total Mcast Packets Switched/Routed   : 68097738
  Total ip packets with TOS changed     : 38527077597
  Total ip packets with COS changed     : 5186771
  Total non ip packets COS changed      : 0
  Total packets dropped by ACL          : 2480178486
  Total packets dropped by Policing     : 5999570
  Total packets exceeding CIR           : 7349955
  Total packets exceeding PIR           : 7349955

Errors
  MAC/IP length inconsistencies         : 303
  Short IP packets received             : 0
  IP header checksum errors             : 140
  TTL failures                          : 933512031
  MTU failures                          : 186689

-----
gp#sho int gi9/29 flow
Port       Send FlowControl  Receive FlowControl  RxPause TxPause
           admin    oper     admin    oper
Gi9/29     desired  off      off      off         0       0

gp#sho int gi9/29 stats
GigabitEthernet9/29
  Switching path      Pkts In      Chars In     Pkts Out      Chars Out
  Processor             17357      91475075        17485       91588871
  Route cache               0             0            1             40
  Distributed cache 683233031  154080580279   1244084298  1388566226885
  Total             683250388  154172055354   1244101784  1388657815796

gp#sho int gi9/29 capa
Re: [c-nsp] Need help w/ output drops on 7613 WS-X6748-GE-TX
On Wed, 2011-01-05 at 11:36 +0200, Hank Nussbacher wrote:
> We have a 7613 w/ WS-SUP720-3BXL running 12.2(18)SXF11. We have a 48 port WS-X6748-GE-TX. On one interface we continue to see output drops when traffic goes above 200Mb/sec.
[snip]

Do you have QoS enabled? What does show queueing interface Gi9/29 tell you?

Output drops are egress buffer overflow drops, so technically it happens because the box tries to send a packet out an interface already in use (transmitting another packet) when there is no buffer space to store the packet until transmission.

Micro-bursts and oversubscription are possible causes. Short queues exacerbate the problem. With mls qos enabled and no interface-specific adjustments you could have (too) short queues for the relevant traffic.

--
Peter
Re: [c-nsp] Need help w/ output drops on 7613 WS-X6748-GE-TX
At 10:56 05/01/2011 +0100, Peter Rathlev wrote:
> Do you have QoS enabled? What does show queueing interface Gi9/29 tell you?
>
> Output drops are egress buffer overflow drops, so technically it happens because the box tries to send a packet out an interface already in use (transmitting another packet) when there is no buffer space to store the packet until transmission.
>
> Micro-bursts and oversubscription are possible causes. Short queues exacerbate the problem. With mls qos enabled and no interface-specific adjustments you could have (too) short queues for the relevant traffic.

gp#show queueing interface Gi9/29
Interface GigabitEthernet9/29 queueing strategy: Weighted Round-Robin
  Port QoS is enabled
  Port is untrusted
  Extend trust state: not trusted [COS = 0]
  Default COS is 0
    Queueing Mode In Tx direction: mode-cos
    Transmit queues [type = 1p3q8t]:
    Queue Id    Scheduling  Num of thresholds
    -----------------------------------------
       01         WRR                 08
       02         WRR                 08
       03         WRR                 08
       04         Priority            01

    WRR bandwidth ratios: 100[queue 1] 150[queue 2] 200[queue 3]
    queue-limit ratios: 50[queue 1] 20[queue 2] 15[queue 3] 15[Pri Queue]

    queue tail-drop-thresholds
    --------------------------
    1     70[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8]
    2     70[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8]
    3     100[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8]

    queue random-detect-min-thresholds
    ----------------------------------
    1     40[1] 70[2] 70[3] 70[4] 70[5] 70[6] 70[7] 70[8]
    2     40[1] 70[2] 70[3] 70[4] 70[5] 70[6] 70[7] 70[8]
    3     70[1] 70[2] 70[3] 70[4] 70[5] 70[6] 70[7] 70[8]

    queue random-detect-max-thresholds
    ----------------------------------
    1     70[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8]
    2     70[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8]
    3     100[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8]

    WRED disabled queues:

    queue thresh cos-map
    ---------------------------------------
    1     1      0
    1     2      1
    1     3
    1     4
    1     5
    1     6
    1     7
    1     8
    2     1      2
    2     2      3 4
    2     3
    2     4
    2     5
    2     6
    2     7
    2     8
    3     1      6 7
    3     2
    3     3
    3     4
    3     5
    3     6
    3     7
    3     8
    4     1      5

    Queueing Mode In Rx direction: mode-cos
    Receive queues [type = 2q8t]:
    Queue Id    Scheduling  Num of thresholds
    -----------------------------------------
       01         WRR                 08
       02         WRR                 08

    WRR bandwidth ratios: 100[queue 1] 0[queue 2]
    queue-limit ratios: 100[queue 1] 0[queue 2]

    queue tail-drop-thresholds
    --------------------------
    1     100[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8]
    2     100[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8]

    queue thresh cos-map
    ---------------------------------------
    1     1      0 1 2 3 4 5 6 7
    1     2
    1     3
    1     4
    1     5
    1     6
    1     7
    1     8
    2     1
    2     2
    2     3
    2     4
    2     5
    2     6
    2     7
    2     8

  Packets dropped on Transmit:

    queue     dropped  [cos-map]
    ---------------------------------------------
    1         1590686  [0 1 ]
    2             250  [2 3 4 ]
    3               0  [6 7 ]
    4               0  [5 ]

  Packets dropped on Receive:
    BPDU packets: 0

    queue     dropped  [cos-map]
    ---------------------------------------------
    1               0  [0 1 2 3 4 5 6 7 ]
    2               0  []

For mls:

sh conf | incl mls
mls ip multicast flow-stat-timer 9
mls ip multicast bidir gm-scan-interval 10
mls flow ip interface-full
no mls flow ipv6
mls nde sender version 5
mls qos statistics-export
mls qos
mls rate-limit multicast ipv4 ip-options 500 50
mls rate-limit all ttl-failure 100 10
no mls acl tcam share-global
mls cef error action freeze

How would you recommend adjusting the interface mls queues?

Thanks,
Hank
Re: [c-nsp] Need help w/ output drops on 7613 WS-X6748-GE-TX
At 10:56 05/01/2011 +0100, Peter Rathlev wrote:

> On Wed, 2011-01-05 at 11:36 +0200, Hank Nussbacher wrote:
>> We have a 7613 w/ WS-SUP720-3BXL running 12.2(18)SXF11. We have a 48 port WS-X6748-GE-TX. On one interface we continue to see output drops when traffic goes above 200Mb/sec.
> [snip]
>
> Do you have QoS enabled? What does show queueing interface Gi9/29 tell you?
>
> Output drops are egress buffer overflow drops, so technically it happens because the box tries to send a packet out an interface already in use (transmitting another packet) when there is no buffer space to store the packet until transmission.
>
> Micro-bursts and oversubscription are possible causes. Short queues exacerbate the problem. With mls qos enabled and no interface-specific adjustments you could have (too) short queues for the relevant traffic.

Also:

gp#sho mls qos
  QoS is enabled globally
  Policy marking depends on port_trust
  QoS ip packet dscp rewrite enabled globally
  Input mode for GRE Tunnel is Pipe mode
  Input mode for MPLS is Pipe mode
  Vlan or Portchannel(Multi-Earl) policies supported: Yes
  Egress policies supported: Yes

 ----- Module [7] -----
  QoS global counters:
    Total packets: 3592763
    IP shortcut packets: 0
    Packets dropped by policing: 140
    IP packets with TOS changed by policing: 96531
    IP packets with COS changed by policing: 1700312
    Non-IP packets with COS changed by policing: 0
    MPLS packets with EXP changed by policing: 0

 ----- Module [9] -----
  QoS global counters:
    Total packets: 7865063
    IP shortcut packets: 0
    Packets dropped by policing: 765
    IP packets with TOS changed by policing: 35559
    IP packets with COS changed by policing: 8
    Non-IP packets with COS changed by policing: 0
    MPLS packets with EXP changed by policing: 0

-Hank
Re: [c-nsp] Need help w/ output drops on 7613 WS-X6748-GE-TX
On Wed, 2011-01-05 at 12:47 +0200, Hank Nussbacher wrote:

> At 10:56 05/01/2011 +0100, Peter Rathlev wrote:
>> Do you have QoS enabled? What does show queueing interface Gi9/29 tell you?
> ...
> gp#show queueing interface Gi9/29
> Interface GigabitEthernet9/29 queueing strategy: Weighted Round-Robin
> ...
>     WRR bandwidth ratios: 100[queue 1] 150[queue 2] 200[queue 3]
>     queue-limit ratios:   50[queue 1] 20[queue 2] 15[queue 3] 15[Pri Queue]
> ...
>   Packets dropped on Transmit:
>     queue     dropped  [cos-map]
>     ----------------------------
>     1         1590686  [0 1 ]
>     2             250  [2 3 4 ]
>     3               0  [6 7 ]
>     4               0  [5 ]
> ...
> How would you recommend adjusting the interface mls queues?

Queue 1 has 50% of the buffers and the most drops. You could increase queue 1 buffer size but that would of course be at the expense of the other queues.

We've chosen to combine queues 1 and 2, since we don't really use a lot of classes. We use the following interface commands:

interface GigabitEthernet4/1
 wrr-queue cos-map 1 2 0 1 2 3 4
 wrr-queue queue-limit 70 0 15
!

This gives 70% of the buffer space to queue one, and no space at all to queue 2. The cos-map-command puts CoS 0-4 in queue one, so queue 2 isn't used.

Caveat #1: The wrr-queue cos-map command propagates to all other ports on same ASIC, typically blocks of 12 ports. So you can't have different CoS maps on ports on the same ASIC.

Caveat #2: wrr-queue queue-limit 70 0 15 reserves no space for queue 2, so any traffic happening to end up in that queue for any reason is dropped.

Instead of starving queue 2 completely you could just adjust the partitioning. Default as you can see is

  50% queue 1 (CoS 0 + 1, typically Best Effort and Scavenger)
  20% queue 2 (CoS 2 + 3 + 4, typically various Assured Forwarding)
  15% queue 3 (CoS 6 + 7, network traffic (IGP etc))
  15% queue 4 (priority/EF, CoS 5, voice and jitter sensitive traffic)

So 60/10/15/15 might also work. Or if you don't use EF much (or don't need buffers for it) then 65/10/15/10.

Adjusting WRED thresholds might also give good results, letting TCP back off gracefully.

I don't know of any way to list interface buffer utilization, so trial and error seems to be the only way.

--
Peter
[c-nsp] need help firewall in urgent
Hi,

I got pix501 but it doesn't have asdm support. How can I configure it as cli to map from private to public and open the port 53 named server to allow access from outside and inside?

Thank you so much
Re: [c-nsp] Need help with setting up ip multicastrouting
On 10/12/2010 09:46 PM, Gert Doering wrote:

> Hi,
>
> On Tue, Oct 12, 2010 at 02:59:28PM -0500, christopher.mar...@usc-bt.com wrote:
>> The switch listens to the following messages in order to detect router ports with IGMP snooping:
>> · IGMP Membership query send to 01-00-5e-00-00-01
>> · PIMv1 hello send to 01-00-5e-00-00-02
>> · PIMv2 hello send to 01-00-5e-00-00-0d
>> · DVMRP probes send to 01-00-5e-00-04
>> · MOSPF message send to 01-00-5e-00-05 or 06
>
> Thanks for clarifying this. Indeed, with this information, IGMP snooping should never be harmful for router-switch-router traffic.

That is not my experience.
Re: [c-nsp] Need help with setting up ip multicastrouting
Hi,

On Wed, Oct 13, 2010 at 08:18:47AM +0100, Phil Mayers wrote:

> On 10/12/2010 09:46 PM, Gert Doering wrote:
>> On Tue, Oct 12, 2010 at 02:59:28PM -0500, christopher.mar...@usc-bt.com wrote:
>>> The switch listens to the following messages in order to detect router ports with IGMP snooping:
>>> · IGMP Membership query send to 01-00-5e-00-00-01
>>> · PIMv1 hello send to 01-00-5e-00-00-02
>>> · PIMv2 hello send to 01-00-5e-00-00-0d
>>> · DVMRP probes send to 01-00-5e-00-04
>>> · MOSPF message send to 01-00-5e-00-05 or 06
>>
>> Thanks for clarifying this. Indeed, with this information, IGMP snooping should never be harmful for router-switch-router traffic.
>
> That is not my experience.

Can you share details?

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
Re: [c-nsp] Need help with setting up ip multicastrouting
On 10/13/2010 08:37 AM, Gert Doering wrote:

> Hi,
>
> On Wed, Oct 13, 2010 at 08:18:47AM +0100, Phil Mayers wrote:
>> On 10/12/2010 09:46 PM, Gert Doering wrote:
>>> On Tue, Oct 12, 2010 at 02:59:28PM -0500, christopher.mar...@usc-bt.com wrote:
>>>> The switch listens to the following messages in order to detect router ports with IGMP snooping:
>>>> · IGMP Membership query send to 01-00-5e-00-00-01
>>>> · PIMv1 hello send to 01-00-5e-00-00-02
>>>> · PIMv2 hello send to 01-00-5e-00-00-0d
>>>> · DVMRP probes send to 01-00-5e-00-04
>>>> · MOSPF message send to 01-00-5e-00-05 or 06
>>>
>>> Thanks for clarifying this. Indeed, with this information, IGMP snooping should never be harmful for router-switch-router traffic.
>>
>> That is not my experience.
>
> Can you share details?

Sorry, I did realise after sending that it was too terse to be useful.

Essentially I've observed exactly the behaviour you described in a previous email. Two PIM routers either side of a layer2 switch would fail to pass any routed multicast traffic because IGMP snooping was enabled and was eating it.

PIM snooping was the solution I decided I needed, but it was easier to just remove the switch and go for a direct link in that case.

Now I must admit: when I think about it, I don't know what model the layer2 switch in question was; it may not even have been a Cisco (this was some time back) in which case Christopher may also be right ;o)
Re: [c-nsp] Need help with setting up ip multicastrouting
On 10/13/2010 3:41 AM, Phil Mayers wrote:

> On 10/13/2010 08:37 AM, Gert Doering wrote:
>> Hi,
>>
>> On Wed, Oct 13, 2010 at 08:18:47AM +0100, Phil Mayers wrote:
>>> On 10/12/2010 09:46 PM, Gert Doering wrote:
>>>> On Tue, Oct 12, 2010 at 02:59:28PM -0500, christopher.mar...@usc-bt.com wrote:
>>>>> The switch listens to the following messages in order to detect router ports with IGMP snooping:
>>>>> · IGMP Membership query send to 01-00-5e-00-00-01
>>>>> · PIMv1 hello send to 01-00-5e-00-00-02
>>>>> · PIMv2 hello send to 01-00-5e-00-00-0d
>>>>> · DVMRP probes send to 01-00-5e-00-04
>>>>> · MOSPF message send to 01-00-5e-00-05 or 06
>>>>
>>>> Thanks for clarifying this. Indeed, with this information, IGMP snooping should never be harmful for router-switch-router traffic.
>>>
>>> That is not my experience.
>>
>> Can you share details?
>
> Sorry, I did realise after sending that it was too terse to be useful.
>
> Essentially I've observed exactly the behaviour you described in a previous email. Two PIM routers either side of a layer2 switch would fail to pass any routed multicast traffic because IGMP snooping was enabled and was eating it.
>
> PIM snooping was the solution I decided I needed, but it was easier to just remove the switch and go for a direct link in that case.
>
> Now I must admit: when I think about it, I don't know what model the layer2 switch in question was; it may not even have been a Cisco (this was some time back) in which case Christopher may also be right ;o)

Christopher is right here ... in this case, even with l2 switch in between, the mrouter ports should receive all mcast presented to the vlan, as well as any igmp group members on that vlan as well.
Re: [c-nsp] Need help with setting up ip multicastrouting
On 13/10/10 13:32, Rob Taylor wrote:

>> Now I must admit: when I think about it, I don't know what model the layer2 switch in question was; it may not even have been a Cisco (this was some time back) in which case Christopher may also be right ;o)
>
> Christopher is right here ... in this case, even with l2 switch in between, the mrouter ports should receive all mcast presented to the vlan, as well as any igmp group members on that vlan as well.

Sure: should. I've seen it not.
Re: [c-nsp] Need help with setting up ip multicastrouting
There is a document on cisco's site regarding how IGMP snooping breaks multicast in typical LAN environments. I don't have the link handy, but it should be googleable.

Effectively, the issue is that the switches do not have a way to properly identify the mrouter port, and end up cutting off legitimate flows.

-David
Re: [c-nsp] Need help with setting up ip multicastrouting
On Wed, 2010-10-13 at 06:08 -0700, David Barak wrote:

> There is a document on cisco's site regarding how IGMP snooping breaks multicast in typical LAN environments. I don't have the link handy, but it should be googleable.
>
> Effectively, the issue is that the switches do not have a way to properly identify the mrouter port, and end up cutting off legitimate flows.

I don't think this is directly relevant for routing multicast. The problem is that a switch with IGMP snooping enabled will only forward multicast frames to other hosts on the same switch _unless_ it has an mrouter port for that VLAN. The solution to this is either:

1) Disable IGMP snooping for the VLAN, thereby forfeiting the advantages of less flooding.
2) Enable IGMP Snooping Querier on a L3 interface on some device (doesn't matter which) on this VLAN.
3) Enable PIM on a L3 interface on some device on this VLAN.

If you're implementing multicast routing option 3 is the natural choice. If you only want to enable cross-switch multicast switching option 2 means you can avoid configuring PIM.

(This was something I learned the hard way recently. :-])

--
Peter
Re: [c-nsp] Need help with setting up ip multicastrouting
Peter said:

> On Wed, 2010-10-13 at 06:08 -0700, David Barak wrote:
>> There is a document on cisco's site regarding how IGMP snooping breaks multicast in typical LAN environments. I don't have the link handy, but it should be googleable.
>>
>> Effectively, the issue is that the switches do not have a way to properly identify the mrouter port, and end up cutting off legitimate flows.
>
> I don't think this is directly relevant for routing multicast. The problem is that a switch with IGMP snooping enabled will only forward multicast frames to other hosts on the same switch _unless_ it has an mrouter port for that VLAN. The solution to this is either:
>
> 1) Disable IGMP snooping for the VLAN, thereby forfeiting the advantages of less flooding.
> 2) Enable IGMP Snooping Querier on a L3 interface on some device (doesn't matter which) on this VLAN.
> 3) Enable PIM on a L3 interface on some device on this VLAN.

It sounds like you might be describing a case where

- IGMP snooping is enabled on a switch
- There's no IGMP querier on the VLAN

If so, then we're in agreement. That doesn't work (though it may appear to work at first).

There's a fourth option on some L2 switching platforms: enable an IGMP querier on the L2 device. The queries don't have to come from anywhere sensible.* As long as queries just appear on the LAN, clients will reply, and the IGMP snooping switch can eat the host reports that come in reply to his bogus queries. No L3 interface required.

Definitely don't try to run IGMP snooping without a querier.

/chris

* There are rumors that some platforms won't respond to queries originated by 0.0.0.0. No good reason for it. I haven't run into it. Maybe use a sensible address after all.
Re: [c-nsp] Need help with setting up ip multicastrouting
> It sounds like you might be describing a case where
>
> - IGMP snooping is enabled on a switch
> - There's no IGMP querier on the VLAN
>
> If so, then we're in agreement. That doesn't work (though it may appear to work at first).
>
> There's a fourth option on some L2 switching platforms: enable an IGMP querier on the L2 device. The queries don't have to come from anywhere sensible.* As long as queries just appear on the LAN, clients will reply, and the IGMP snooping switch can eat the host reports that come in reply to his bogus queries. No L3 interface required.
>
> Definitely don't try to run IGMP snooping without a querier.

At some point, depending on the topology (and especially if it's a one-off thing), it might make sense to set up a GRE tunnel between the endpoints and just run PIM on the tunnel.

John
Re: [c-nsp] Need help with setting up ip multicastrouting
Thanks again for everyone's help on this matter, and sorry about the quoting problems from yesterday...

I think this is almost working. I was hoping to ask about one more point on this. The 8540 that is part of this equation is set up for IRB. The vlan that the servers are on is bridged through this device. Do I need to enable pim on any interface? Enabling it on any of the physical interfaces doesn't seem to do anything and the BVI interface doesn't support it.

Thanks!

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfis...@dps.k12.oh.us
Re: [c-nsp] Need help with setting up ip multicast routing...correction
Hi,

On Mon, Oct 11, 2010 at 04:35:24PM -0400, Matthew Huff wrote:

> If the switch doesn't provide layer 3 services (routing) itself, but is really a l2 switch, then you don't need multicast routing / pim, etc...However, you should have igmp snooping on.

IGMP snooping won't help for router-switch-router traffic. No IGMP there

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
Re: [c-nsp] Need help with setting up ip multicastrouting
That makes sense... igmp snooping seems to be enabled, but it still isn't working. Is there something else that needs to be done to the 2960?

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfis...@dps.k12.oh.us

Matthew Huff mh...@ox.com 10/11/2010 4:35 PM

> If the switch doesn't provide layer 3 services (routing) itself, but is really a l2 switch, then you don't need multicast routing / pim, etc...However, you should have igmp snooping on.
Re: [c-nsp] Need help with setting up ip multicastrouting
On Tue, Oct 12, 2010 at 8:50 AM, Steven Pfister spfis...@dps.k12.oh.us wrote:

> That makes sense... igmp snooping seems to be enabled, but it still isn't working. Is there something else that needs to be done to the 2960?

Do you know if this is source-specific multicast? If so, your layer-two ports need to have IGMP v3 enabled.

John
Re: [c-nsp] Need help with setting up ip multicastrouting
Hi,

On Tue, Oct 12, 2010 at 10:50:09AM -0400, Steven Pfister wrote:

> That makes sense... igmp snooping seems to be enabled, but it still isn't working. Is there something else that needs to be done to the 2960?

Since there is no IGMP between routers, IGMP snooping can not be helpful here. Chance is that it's actually *eating* the multicast packets and waiting for IGMPs to show up to tell it where to send which packets...

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
Re: [c-nsp] Need help with setting up ip multicastrouting
On Tue, 2010-10-12 at 17:08 +0200, Gert Doering wrote:

> On Tue, Oct 12, 2010 at 10:50:09AM -0400, Steven Pfister wrote:
>> That makes sense... igmp snooping seems to be enabled, but it still isn't working. Is there something else that needs to be done to the 2960?
>
> Since there is no IGMP between routers, IGMP snooping can not be helpful here. Chance is that it's actually *eating* the multicast packets and waiting for IGMPs to show up to tell it where to send which packets...

I don't know much about multicast, but aren't routed multicast packets sent as L2 unicast between multicast routers?

I'm just guessing here, but I don't see why routed multicast traffic would need to have the L2 group bit set. If that is the case then a switch in between two PIM interfaces shouldn't need to know anything about multicast.

--
Peter
Re: [c-nsp] Need help with setting up ip multicastrouting
On Tue, Oct 12, 2010 at 11:45 AM, Peter Rathlev pe...@rathlev.dk wrote:

> On Tue, 2010-10-12 at 17:08 +0200, Gert Doering wrote:
>> On Tue, Oct 12, 2010 at 10:50:09AM -0400, Steven Pfister wrote:
>>> That makes sense... igmp snooping seems to be enabled, but it still isn't working. Is there something else that needs to be done to the 2960?
>>
>> Since there is no IGMP between routers, IGMP snooping can not be helpful here. Chance is that it's actually *eating* the multicast packets and waiting for IGMPs to show up to tell it where to send which packets...
>
> I don't know much about multicast, but aren't routed multicast packets sent as L2 unicast between multicast routers?
>
> I'm just guessing here, but I don't see why routed multicast traffic would need to have the L2 group bit set. If that is the case then a switch in between two PIM interfaces shouldn't need to know anything about multicast.
>
> --
> Peter

That's correct. IGMP is only necessary on the switches connected to the end devices. If there are any L2 switches in the PIM path, they will remain blissfully unaware of the details.

John
Re: [c-nsp] Need help with setting up ip multicast routing...correction
On 10/12/10, Gert Doering g...@greenie.muc.de wrote:

> Hi,
>
> On Mon, Oct 11, 2010 at 04:35:24PM -0400, Matthew Huff wrote:
>> If the switch doesn't provide layer 3 services (routing) itself, but is really a l2 switch, then you don't need multicast routing / pim, etc...However, you should have igmp snooping on.
>
> IGMP snooping won't help for router-switch-router traffic. No IGMP there

I thought the problem on router-switch-router multicast traffic was that IGMP snooping didn't limit multicast traffic. I've never connected up routers through a 2950 (which is what the OP is using - right?), but it looks like igmp snooping on a 2950 does learn the ports going to PIM routers:

c2950sh ip igmp snoop
[.. snip ..]
Vlan 1:
  IGMP snooping : Enabled
  Immediate leave : Disabled
  Multicast router learning mode : pim-dvmrp
  Source only learning age timer : 10
  Last member query interval : 1000
  CGMP interoperability mode : IGMP_ONLY

Lee
Re: [c-nsp] Need help with setting up ip multicastrouting
It's not really going router-switch-router... The video encoders are connected to the 2960, which connects to the 4506 at the remote side.

The vendor has installed the video encoders but I haven't actually been to the remote end to see them yet. I'm not sure yet if they're still trying to connect or if they've given up. I'm trying to see if I can get someone to power cycle them.

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfis...@dps.k12.oh.us

Lee ler...@gmail.com 10/12/2010 2:20 PM

> I've never connected up routers through a 2950 (which is what the OP is using - right?)
Re: [c-nsp] Need help with setting up ip multicastrouting
Hi,

On Tue, Oct 12, 2010 at 07:45:10PM +0200, Peter Rathlev wrote:

> I don't know much about multicast, but aren't routed multicast packets sent as L2 unicast between multicast routers?

No.

> I'm just guessing here, but I don't see why routed multicast traffic would need to have the L2 group bit set.

Well, if you only ever have two routers in a subnet, it doesn't need to... But what if you have 20 routers in a subnet and want the multicast traffic to be heard by only those 5 that are interested in it?

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
Re: [c-nsp] Need help with setting up ip multicastrouting
Hi,

*please* fix your quoting. Your top posting makes it very hard to see what you're referring to, and since you want something, it would be prudent to make it easy for us to help.

On Tue, Oct 12, 2010 at 02:34:35PM -0400, Steven Pfister wrote:

> It's not really going router-switch-router... The video encoders are connected to the 2960, which connects to the 4506 at the remote side.

In that case, IGMP snooping can help - it will stop the traffic in that L2 segment from spreading to ports where you don't want it to show up. If IGMP snooping is off, the multicast traffic will be flooded everywhere.

But however IGMP snooping is set, directly connected routers should see the packets - in doubt, turn it *off*, and verify with an unrelated machine that the senders are indeed sending multicast packets.

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
Re: [c-nsp] Need help with setting up ip multicastrouting
On Tue, 2010-10-12 at 21:07 +0200, Gert Doering wrote:

> On Tue, Oct 12, 2010 at 07:45:10PM +0200, Peter Rathlev wrote:
>> but I don't see why routed multicast traffic would need to have the L2 group bit set.
>
> Well, if you only ever have two routers in a subnet, it doesn't need to... But what if you have 20 routers in a subnet and want the multicast traffic to be heard by only those 5 that are interested in it?

Ah, of course. Does the switch (e.g. some Catalyst 2k/3k) just learn many mrouter ports and forward correctly? Or would one need to add some specific configuration for that?

(Sorry for veering a little OT here.)

--
Peter
Re: [c-nsp] Need help with setting up ip multicastrouting
Hi,

On Tue, Oct 12, 2010 at 09:18:04PM +0200, Peter Rathlev wrote:

> On Tue, 2010-10-12 at 21:07 +0200, Gert Doering wrote:
>> But what if you have 20 routers in a subnet and want the multicast traffic to be heard by only those 5 that are interested in it?
>
> Ah, of course. Does the switch (e.g. some Catalyst 2k/3k) just learn many mrouter ports and forward correctly? Or would one need to add some specific configuration for that?

As far as I understand, in the many-router scenario, things get tricky.

- if the switch is dumb enough, all routers will see all traffic, and routers not interested will drop it (things will work, but you waste bandwidth, and potentially overload ports if there are many routers and each router only wants a small subset of the groups on the LAN)

- if the switch is doing IGMP snooping, it might cause black holing, as it won't actually *see* the routers - the PIM routers elect a single PIM/DR, and if I remember correctly, only the DR will send IGMP queries (my memory is a bit fuzzy here, we disabled all our multicast routing some two years ago). But even if IGMP snooping does not harm anything, it won't bring any benefits either, as the routers won't use IGMP to send each other group joins/leaves...

- thus: if the switch is really smart, it can do *PIM* snooping, to really understand which router wants to receive which groups.

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
Re: [c-nsp] Need help with setting up ip multicastrouting
Gert Doering said:

> On Tue, Oct 12, 2010 at 07:45:10PM +0200, Peter Rathlev wrote:
>> I'm just guessing here, but I don't see why routed multicast traffic would need to have the L2 group bit set.
>
> Well, if you only ever have two routers in a subnet, it doesn't need to... But what if you have 20 routers in a subnet and want the multicast traffic to be heard by only those 5 that are interested in it?

If those routers' interfaces are multicast enabled, an IGMP snooping switch will flood multicast traffic to them, regardless of interest in a particular group.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00800b0871.shtml

The switch listens to the following messages in order to detect router ports with IGMP snooping:
· IGMP Membership query send to 01−00−5e−00−00−01
· PIMv1 hello send to 01−00−5e−00−00−02
· PIMv2 hello send to 01−00−5e−00−00−0d
· DVMRP probes send to 01−00−5e−00−04
· MOSPF message send to 01−00−5e−00−05 or 06

By enabling IGMP snooping on a switch, all the above MAC entries are added to the show cam system command output of the snooping switch. Once a router port is detected, it is added to the port list of all GDAs in that VLAN.

/chris
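The router-port detection quoted in the message above, worked through as an added example that is not part of the original thread or of any Cisco code. It derives the detection MACs from the well-known link-local groups via the RFC 1112 mapping and models one VLAN of a snooping switch; the class `SnoopingVlan`, the port names and group 239.1.1.1 are constructed, and the model matches on destination MAC only and forwards to reporters plus router ports, which is a simplification of the behaviour described in the thread.

```python
"""Toy model of IGMP-snooping router-port detection (constructed example)."""
import ipaddress

# Well-known link-local groups behind the frame types the quoted list names.
ROUTER_DETECT_GROUPS = {
    "224.0.0.1": "IGMP membership query",
    "224.0.0.2": "PIMv1 hello",
    "224.0.0.13": "PIMv2 hello",
    "224.0.0.4": "DVMRP probe",
    "224.0.0.5": "MOSPF message",
    "224.0.0.6": "MOSPF message",
}


def group_to_mac(group: str) -> str:
    """Map an IPv4 multicast group to its Ethernet MAC (RFC 1112):
    01-00-5e followed by the low 23 bits of the group address."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low23 = int(addr) & 0x7FFFFF
    octets = [0x01, 0x00, 0x5E, low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF]
    return "-".join(f"{o:02x}" for o in octets)


# Destination MAC -> reason a frame sent there marks a router port.
ROUTER_DETECT_MACS = {
    group_to_mac(g): why for g, why in ROUTER_DETECT_GROUPS.items()
}


class SnoopingVlan:
    """One VLAN on a hypothetical snooping switch (assumed forwarding rule)."""

    def __init__(self, ports):
        self.ports = set(ports)
        self.router_ports = set()
        self.members = {}  # group MAC -> ports that sent an IGMP report

    def control_frame(self, port, dst_mac):
        """Inspect a control frame; return why the port became a router port,
        or None if the destination MAC is not one of the detection MACs."""
        why = ROUTER_DETECT_MACS.get(dst_mac.lower())
        if why:
            self.router_ports.add(port)
        return why

    def igmp_report(self, port, group):
        """Record a host membership report seen on `port` for `group`."""
        self.members.setdefault(group_to_mac(group), set()).add(port)

    def egress_ports(self, ingress, group):
        """Ports a data frame for `group` leaves on: reporters plus router
        ports, never the ingress port. An empty list means black-holed."""
        out = self.members.get(group_to_mac(group), set()) | self.router_ports
        return sorted(out - {ingress})


def router_switch_router_demo():
    """Two routers on Gi0/1 and Gi0/2, no hosts: forwarding before and after
    the switch sees a PIMv2 hello from the downstream router."""
    vlan = SnoopingVlan(["Gi0/1", "Gi0/2", "Gi0/3"])
    group = "239.1.1.1"  # constructed group address
    before = vlan.egress_ports("Gi0/1", group)
    vlan.control_frame("Gi0/2", "01-00-5e-00-00-0d")
    after = vlan.egress_ports("Gi0/1", group)
    return before, after


if __name__ == "__main__":
    for mac, why in sorted(ROUTER_DETECT_MACS.items()):
        print(mac, why)
    print(router_switch_router_demo())
```

Because only 23 bits of the group address reach the MAC, 239.128.0.13 lands on the same MAC as the PIMv2 hello group 224.0.0.13, so a device matching on MAC alone cannot tell the two apart.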
Re: [c-nsp] Need help with setting up ip multicastrouting
Hi,

On Tue, Oct 12, 2010 at 02:59:28PM -0500, christopher.mar...@usc-bt.com wrote:

> The switch listens to the following messages in order to detect router ports with IGMP snooping:
> · IGMP Membership query send to 01-00-5e-00-00-01
> · PIMv1 hello send to 01-00-5e-00-00-02
> · PIMv2 hello send to 01-00-5e-00-00-0d
> · DVMRP probes send to 01-00-5e-00-04
> · MOSPF message send to 01-00-5e-00-05 or 06

Thanks for clarifying this. Indeed, with this information, IGMP snooping should never be harmful for router-switch-router traffic.

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
Re: [c-nsp] Need help with setting up ip multicast routing...correction
So, in my configuration that I mentioned, not only the 4506 on the remote site, the central site 4510 and 8540 need PIM enabled (which I think is the case now), but the 3560 needs it as well? I think that may be my problem... I'll look into that. Steve Pfister Technical Coordinator, The Office of Information Technology Dayton Public Schools 115 S. Ludlow St. Dayton, OH 45402 Office (937) 542-3149 Cell (937) 673-6779 Direct Connect: 137*131747*8 Email spfis...@dps.k12.oh.us David Barak thegame...@yahoo.com 10/8/2010 4:22 PM You will need to have PIM enabled on all of the interfaces between the source and receiver, and all of those devices need to have an RP (and they should be the same: easiest solution is statically enter this on all of them). Also, make sure that PIM is enabled on the 8840's interface that matches the RP-address. There's a lot more to optimization and troubleshooting, but that should provide initial connectivity. Some good tutorials on the subject can be found at http://nanog.org/resources/tutorials/ David Barak Need Geek Rock? Try The Franchise: http://www.listentothefranchise.com --- On Fri, 10/8/10, Steven Pfister spfis...@dps.k12.oh.us wrote: From: Steven Pfister spfis...@dps.k12.oh.us Subject: Re: [c-nsp] Need help with setting up ip multicast routing...correction To: cisco-nsp@puck.nether.net Date: Friday, October 8, 2010, 3:46 PM The line below reading non-multicast traffic should be non-multicast traffic seems to be OK between the vlans Thanks! Steve Pfister Technical Coordinator, The Office of Information Technology Dayton Public Schools 115 S. Ludlow St. Dayton, OH 45402 Office (937) 542-3149 Cell (937) 673-6779 Direct Connect: 137*131747*8 Email spfis...@dps.k12.oh.us Steven Pfister spfis...@dps.k12.oh.us 10/8/2010 3:39 PM We've got a client who needs to set up multicast routing between two sites (and between two vlans) in order for some video encoders at remote sites to find servers at the central site. 
I've never had experience with this. The setup looks something like: encoders - Cisco 4506 - (CSME) - Cisco 4510 - Cisco 8540 - Cisco 3560 - servers The Cisco 4506 is the default gateway for the remote site vlan, let's call it vlan 22. The Cisco 4510 is the default gateway for the central site vlan, let's call it vlan 33 Also factoring into this, a previous (before my time here) set up of ip multicasting in sparse mode was done using other remote sites using 3640 routers with the 8540 as the RP. I don't know what it was intended for, or if it was ever successfully configured, but I'm not sure it's in use any more. Here's what's been done so far... the Cisco 4506 now has: ip multicast-routing ip pim rp-address 10.99.99.1 [the address of the 8540] interface Vlan22 ip pim sparse-dense-mode [the video encoder vendor recomended this] [there's also a ip helper-address pointing to a local server for dhcp] The 4510 has: ip multicast-routing ip pim rp-address 10.99.99.1 interface Vlan33 ip pim sparse-dense-mode Observations: - non-multicast traffic - the encoders never see the servers - show ip pim neighbor shows no results (just headers) - show ip multi int vlan33 on the central site shows a large and growing number of multicast in packets, but zero out packets. Same results for vlan22 on the remote site. Could the problem be igmp packets not getting exchanged? Like I said, I've never set up ip multicast routing before. Thanks! Steve Pfister Technical Coordinator, The Office of Information Technology Dayton Public Schools 115 S. Ludlow St. 
Dayton, OH 45402 Office (937) 542-3149 Cell (937) 673-6779 Direct Connect: 137*131747*8 Email spfis...@dps.k12.oh.us ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Need help with setting up ip multicast routing...correction
Every routed hop in the path must be running PIM and your layer two interfaces need to have IGMP enabled. Let us know how it goes!

John

On Mon, Oct 11, 2010 at 9:15 AM, Steven Pfister spfis...@dps.k12.oh.us wrote:

So, in my configuration that I mentioned, not only the 4506 on the remote site, the central site 4510 and 8540 need PIM enabled (which I think is the case now), but the 3560 needs it as well? I think that may be my problem... I'll look into that.

Steve Pfister Technical Coordinator, The Office of Information Technology Dayton Public Schools 115 S. Ludlow St. Dayton, OH 45402 Office (937) 542-3149 Cell (937) 673-6779 Direct Connect: 137*131747*8 Email spfis...@dps.k12.oh.us
Re: [c-nsp] Need help with setting up ip multicast routing...correction
Thanks for your help... I think I almost got it but I'm running into a problem. It turns out the encoders on the remote site aren't connected directly to the 4506, but go to a 2960-48TC-L first. The IOS on that switch doesn't seem to support ip multicast routing and I tried to find one that does (I had to upgrade the switch the servers are connected to). Does the 2960 not support multicast routing? All other switches involved see pim neighbors now.

Steve Pfister Technical Coordinator, The Office of Information Technology Dayton Public Schools 115 S. Ludlow St. Dayton, OH 45402 Office (937) 542-3149 Cell (937) 673-6779 Direct Connect: 137*131747*8 Email spfis...@dps.k12.oh.us

John Neiberger jneiber...@gmail.com 10/11/2010 11:24 AM

Every routed hop in the path must be running PIM and your layer two interfaces need to have IGMP enabled. Let us know how it goes!

John
Re: [c-nsp] Need help with setting up ip multicast routing...correction
If the switch doesn't provide layer 3 services (routing) itself, but is really a l2 switch, then you don't need multicast routing / pim, etc...However, you should have igmp snooping on.

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Steven Pfister
Sent: Monday, October 11, 2010 4:14 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Need help with setting up ip multicast routing...correction

Thanks for your help... I think I almost got it but I'm running into a problem. It turns out the encoders on the remote site aren't connected directly to the 4506, but go to a 2960-48TC-L first. The IOS on that switch doesn't seem to support ip multicast routing and I tried to find one that does (I had to upgrade the switch the servers are connected to). Does the 2960 not support multicast routing? All other switches involved see pim neighbors now.

Steve Pfister Technical Coordinator, The Office of Information Technology Dayton Public Schools 115 S. Ludlow St. Dayton, OH 45402 Office (937) 542-3149 Cell (937) 673-6779 Direct Connect: 137*131747*8 Email spfis...@dps.k12.oh.us
Re: [c-nsp] Need help with setting up ip multicast routing...correction
Hi,

On Mon, Oct 11, 2010 at 04:14:23PM -0400, Steven Pfister wrote:

> Thanks for your help... I think I almost got it but I'm running into a problem. It turns out the encoders on the remote site aren't connected directly to the 4506, but go to a 2960-48TC-L first. The IOS on that switch doesn't seem to support ip multicast routing and I tried to find one that does (I had to upgrade the switch the servers are connected to). Does the 2960 not support multicast routing? All other switches involved see pim neighbors now.

The 2960 is a L2 switch. It can't do unicast routing either...

The catch with L2 switches is that they're likely to flood all multicast to all ports (as if it were broadcast) unless they support PIM snooping to understand what goes where.

gert

PS: this thread is again showing signs of lazy quoting. No need to quote the previous 5 articles in full, adding new text on top of it - all of us have seen all of the previous mails as well.

--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
Re: [c-nsp] Need help with setting up ip multicast routing...correction
On Mon, 11 Oct 2010 22:37:32 +0200, you wrote:

> The 2960 is a L2 switch. It can't do unicast routing either...

OT, but actually it can. Just only static unicast routing.

Release notes: When you configure the new lanbase-routing SDM template, the switch supports static routing and router ACLs on SVIs. (Catalyst 2960, 2960-S, and 2975)

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_55_se/configuration/guide/swipstatrout.html

-A
[c-nsp] Need help with setting up ip multicast routing
We've got a client who needs to set up multicast routing between two sites (and between two vlans) in order for some video encoders at remote sites to find servers at the central site. I've never had experience with this. The setup looks something like:

encoders - Cisco 4506 - (CSME) - Cisco 4510 - Cisco 8540 - Cisco 3560 - servers

The Cisco 4506 is the default gateway for the remote site vlan, let's call it vlan 22. The Cisco 4510 is the default gateway for the central site vlan, let's call it vlan 33.

Also factoring into this, a previous (before my time here) set up of ip multicasting in sparse mode was done using other remote sites using 3640 routers with the 8540 as the RP. I don't know what it was intended for, or if it was ever successfully configured, but I'm not sure it's in use any more.

Here's what's been done so far... the Cisco 4506 now has:

ip multicast-routing
ip pim rp-address 10.99.99.1 [the address of the 8540]

interface Vlan22
 ip pim sparse-dense-mode [the video encoder vendor recommended this]
 [there's also a ip helper-address pointing to a local server for dhcp]

The 4510 has:

ip multicast-routing
ip pim rp-address 10.99.99.1

interface Vlan33
 ip pim sparse-dense-mode

Observations:

- non-multicast traffic
- the encoders never see the servers
- show ip pim neighbor shows no results (just headers)
- show ip multi int vlan33 on the central site shows a large and growing number of multicast in packets, but zero out packets. Same results for vlan22 on the remote site.

Could the problem be igmp packets not getting exchanged? Like I said, I've never set up ip multicast routing before.

Thanks!

Steve Pfister Technical Coordinator, The Office of Information Technology Dayton Public Schools 115 S. Ludlow St. Dayton, OH 45402 Office (937) 542-3149 Cell (937) 673-6779 Direct Connect: 137*131747*8 Email spfis...@dps.k12.oh.us
Re: [c-nsp] Need help with setting up ip multicast routing...correction
The line below reading non-multicast traffic should be non-multicast traffic seems to be OK between the vlans Thanks! Steve Pfister Technical Coordinator, The Office of Information Technology Dayton Public Schools 115 S. Ludlow St. Dayton, OH 45402 Office (937) 542-3149 Cell (937) 673-6779 Direct Connect: 137*131747*8 Email spfis...@dps.k12.oh.us Steven Pfister spfis...@dps.k12.oh.us 10/8/2010 3:39 PM We've got a client who needs to set up multicast routing between two sites (and between two vlans) in order for some video encoders at remote sites to find servers at the central site. I've never had experience with this. The setup looks something like: encoders - Cisco 4506 - (CSME) - Cisco 4510 - Cisco 8540 - Cisco 3560 - servers The Cisco 4506 is the default gateway for the remote site vlan, let's call it vlan 22. The Cisco 4510 is the default gateway for the central site vlan, let's call it vlan 33 Also factoring into this, a previous (before my time here) set up of ip multicasting in sparse mode was done using other remote sites using 3640 routers with the 8540 as the RP. I don't know what it was intended for, or if it was ever successfully configured, but I'm not sure it's in use any more. Here's what's been done so far... the Cisco 4506 now has: ip multicast-routing ip pim rp-address 10.99.99.1 [the address of the 8540] interface Vlan22 ip pim sparse-dense-mode [the video encoder vendor recomended this] [there's also a ip helper-address pointing to a local server for dhcp] The 4510 has: ip multicast-routing ip pim rp-address 10.99.99.1 interface Vlan33 ip pim sparse-dense-mode Observations: - non-multicast traffic - the encoders never see the servers - show ip pim neighbor shows no results (just headers) - show ip multi int vlan33 on the central site shows a large and growing number of multicast in packets, but zero out packets. Same results for vlan22 on the remote site. Could the problem be igmp packets not getting exchanged? 
Like I said, I've never set up ip multicast routing before. Thanks! Steve Pfister Technical Coordinator, The Office of Information Technology Dayton Public Schools 115 S. Ludlow St. Dayton, OH 45402 Office (937) 542-3149 Cell (937) 673-6779 Direct Connect: 137*131747*8 Email spfis...@dps.k12.oh.us
Re: [c-nsp] Need help with setting up ip multicast routing...correction
I have a few questions:

1. Can the servers ping the encoders?
2. Are the encoders connected at layer three and running PIM, or are they layer two?
3. Is this source-specific multicast? If so, you need to be running IGMP v3 on your layer two interfaces.

-John

On Fri, Oct 8, 2010 at 1:46 PM, Steven Pfister spfis...@dps.k12.oh.us wrote:

The line below reading non-multicast traffic should be non-multicast traffic seems to be OK between the vlans

Thanks!

Steve Pfister Technical Coordinator, The Office of Information Technology Dayton Public Schools 115 S. Ludlow St. Dayton, OH 45402 Office (937) 542-3149 Cell (937) 673-6779 Direct Connect: 137*131747*8 Email spfis...@dps.k12.oh.us
Re: [c-nsp] Need help with setting up ip multicast routing...correction
You will need to have PIM enabled on all of the interfaces between the source and receiver, and all of those devices need to have an RP (and they should be the same: easiest solution is statically enter this on all of them). Also, make sure that PIM is enabled on the 8840's interface that matches the RP-address.

There's a lot more to optimization and troubleshooting, but that should provide initial connectivity. Some good tutorials on the subject can be found at http://nanog.org/resources/tutorials/

David Barak
Need Geek Rock? Try The Franchise: http://www.listentothefranchise.com

--- On Fri, 10/8/10, Steven Pfister spfis...@dps.k12.oh.us wrote:

From: Steven Pfister spfis...@dps.k12.oh.us
Subject: Re: [c-nsp] Need help with setting up ip multicast routing...correction
To: cisco-nsp@puck.nether.net
Date: Friday, October 8, 2010, 3:46 PM

The line below reading non-multicast traffic should be non-multicast traffic seems to be OK between the vlans

Thanks!

Steve Pfister Technical Coordinator, The Office of Information Technology Dayton Public Schools 115 S. Ludlow St. Dayton, OH 45402 Office (937) 542-3149 Cell (937) 673-6779 Direct Connect: 137*131747*8 Email spfis...@dps.k12.oh.us
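The checks David Barak lists above, written as a small config audit. This is an added example, not part of the thread: the 4506 and 4510 stanzas follow the original post, while the uplink interface names, the 8540 and 3560 fragments, and the list of path interfaces are constructed for illustration.

```python
import re

RP = "10.99.99.1"  # RP address given in the post (the 8540)

# Running-config fragments per routed hop. Vlan22/Vlan33 and the global PIM
# lines on the 4506/4510 come from the post; everything else is constructed.
CONFIGS = {
    "4506": """
ip multicast-routing
ip pim rp-address 10.99.99.1
interface Vlan22
 ip pim sparse-dense-mode
interface GigabitEthernet1/1
 description constructed uplink toward the central site
""",
    "4510": """
ip multicast-routing
ip pim rp-address 10.99.99.1
interface Vlan33
 ip pim sparse-dense-mode
interface GigabitEthernet1/1
 description constructed link toward the 4506
 ip pim sparse-dense-mode
""",
    "8540": """
ip multicast-routing
ip pim rp-address 10.99.99.1
interface Loopback0
 ip address 10.99.99.1 255.255.255.255
""",
    "3560": """
interface Vlan33
 ip address 10.33.0.2 255.255.255.0
""",
}

# Interfaces each hop uses on the source-to-receiver path (constructed).
PATH = {
    "4506": ["Vlan22", "GigabitEthernet1/1"],
    "4510": ["GigabitEthernet1/1", "Vlan33"],
    "8540": ["Loopback0"],
    "3560": ["Vlan33"],
}


def parse_config(text):
    """Split a config fragment into global lines and per-interface stanzas."""
    globals_, interfaces, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None
            globals_.append(raw.strip())
    return globals_, interfaces


def audit(configs, path, expected_rp):
    """Return (device, scope, finding) tuples for every failed check."""
    findings = []
    for dev, text in configs.items():
        globals_, interfaces = parse_config(text)
        # Check 1: multicast routing is switched on at all.
        if not any(g.startswith("ip multicast-routing") for g in globals_):
            findings.append((dev, "global", "ip multicast-routing missing"))
        # Check 2: every hop points at the same static RP.
        rps = [m.group(1) for g in globals_
               if (m := re.match(r"ip pim rp-address (\S+)", g))]
        if rps != [expected_rp]:
            findings.append((dev, "global",
                             f"rp-address is {rps or 'unset'}, expected {expected_rp}"))
        # Check 3: PIM on every interface along the path, RP interface included.
        for ifname in path[dev]:
            lines = interfaces.get(ifname)
            if lines is None:
                findings.append((dev, ifname, "interface not in config"))
            elif not any(line.startswith("ip pim ") for line in lines):
                findings.append((dev, ifname, "no ip pim on path interface"))
    return findings


if __name__ == "__main__":
    for dev, scope, msg in audit(CONFIGS, PATH, RP):
        print(f"{dev:5} {scope:20} {msg}")
```
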
[c-nsp] Need help with policy-based firewall (IOS 12.4T)
Hi,

I have two 2821 routers with policy-based firewall configured on them. There's IPSec GRE tunnel configured between the routers. The problem is traffic can't pass through the tunnel (even though the tunnel is established). Here is message from the logs:

===
Nov 23 17:36:43 10.0.80.252 24385: rtr02.sj: [sys...@9 s_sn=22618 s_id=rtr02.sj:514 s_tc=1309483 s_dc=28318]: 033999: .Nov 23 17:36:42.608 PST: %FW-6-DROP_PKT: Dropping Unknown-l4 session 207.211.80.190:0 143.127.138.34:0 on zone-pair sdm-zp-out-self class class-default due to DROP action found in policy-map with ip ident 0
===

Router-A has IP address 207.211.80.190
Router-B has IP address 143.127.138.34

At the same time, I see messages like this in the logs:

Nov 23 17:45:01 10.0.80.252 24410: rtr02.sj: [sys...@9 s_sn=22643 s_id=rtr02.sj:514 s_tc=1309542 s_dc=28318]: 034024: .Nov 23 17:45:00.681 PST: %FW-6-PASS_PKT: (target:class)-(sdm-zp-out-self:sdmgre) Passing Unknown-l4 pkt 143.127.138.34:0 = 207.211.80.190:0 with ip ident 0

Now, parts of the config from router-A (router-B is a mirror image of router-A):

rtr02.sj#show runn | sec zone
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit

rtr02.sj#show runn | sec policy-map
policy-map type inspect sdm-permit
 class type inspect sdmgre
  pass log
 class type inspect SDM_VPN
  pass log
 class type inspect sdmself
  pass log
 class class-default
  drop log

rtr02.sj#show runn | sec class-map
class-map type inspect match-all sdmgre
 match access-group 101
class-map type inspect match-all SDM_VPN
 match access-group name SDM_VPN

rtr02.sj#show access-lists 101
Extended IP access list 101
    10 permit ip host 143.127.138.34 any (1132063 matches)
    20 permit gre host 143.127.138.34 any
    30 permit esp host 143.127.138.34 any
    40 permit ahp host 143.127.138.34 any
    50 permit udp host 143.127.138.34 eq isakmp any

rtr02.sj#show access-lists SDM_VPN
Extended IP access list SDM_VPN
    10 permit gre any any
    20 permit ahp any any
    30 permit esp any any

So, the DROP log message above is generated by this part of the config from policy-map:

 class class-default
  drop log

At the same time, policy passes some traffic as can be seen from second log message. And if I replace 'drop' with 'pass' in 'class-default' everything works fine. For obvious reasons I don't want to do it.

My first question is, what is 'ip ident 0'?

My second question is, why router-A is skipping (for most part) ACLs 101 and SDM_VPN and hitting 'class-default' when traffic is coming from router-B?

Any help is appreciated! Thank you!

--ivan
Re: [c-nsp] Need help troubleshooting CRC errors
I've seen similar situations where a shaping fine tuning in the carrier equipment's settings solved the CRC errors. All the ATM VP/VC related equipment in the circuit should be shaped properly, depending on what type of service you get, CBR, VBR, etc. Either too high or too low values could cause cell drops, thus raising the CRC errors. A 20% overhead needs to be taken into account for ATM to non-ATM conversions in the circuit.

HTH
Ziv

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Gert Doering
Sent: Saturday, September 19, 2009 7:26 PM
To: Steven Pfister
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Need help troubleshooting CRC errors

Hi,

On Thu, Sep 17, 2009 at 10:39:21AM -0400, Steven Pfister wrote:
> that pretty much every one of them is showing what I think is a rather high receive error count on the 3640 end of the OC3 connection, and it all seems to be CRC errors. Not much of any errors are showing up on the 8510 end of the OC3 connection. For example, one site yesterday late afternoon showed 63,763 receive errors for the day. Several others were in the 20Ks.
>
> I'm not really certain what the cause might be, or where to start. Can anyone help?

Is there a carrier network in between?

In our cases, whenever we saw ATM CRC errors, it was due to dropped cells in the carrier network (overloaded). If the receiving router cannot reassemble a packet due to missing cells - CRC error.

If the STM-1 is direct, no carrier ATM gear in between (just SDH/SONET) gear, it be a bad line. In that case it won't be cell drops.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
Re: [c-nsp] Need help troubleshooting CRC errors
The 3640 has a ATM 1A-OC3MM. The 1500 MTU is hard coded in the config. These sites were all set up before I started here 2 years ago. We're gradually replacing the ATM at the older sites with CSME. thanks! Steve Pfister Technical Coordinator, The Office of Information Technology Dayton Public Schools 115 S. Ludlow St. Dayton, OH 45402 Office (937) 542-3149 Cell (937) 673-6779 Direct Connect: 137*131747*8 Email spfis...@dps.k12.oh.us Antonio Soares amsoa...@netcabo.pt 9/18/2009 7:08 PM This document might help you: Understanding Maximum Transmission Unit (MTU) on ATM Interfaces http://www.cisco.com/en/US/tech/tk39/tk371/technologies_tech_note09186a00800c8279.shtml This is what it says about Length Violations: A router increments the AAL5 length violation counter when the calculated size of a reassembled packet fails to match the received value of the AAL5 length field regardless of the MTU. To understand how these violations can occur, you need to understand how a receiving ATM interface recognizes the last cell of a frame. What ATM NM do you have in the 3640 ? Did you change the default MTU from 4470 to 1500 ? Regards, Antonio Soares, CCIE #18473 (RS) amsoa...@netcabo.pt -Original Message- From: Steven Pfister [mailto:spfis...@dps.k12.oh.us] Sent: sexta-feira, 18 de Setembro de 2009 19:09 To: Antonio Soares; cisco-nsp@puck.nether.net Subject: RE: [c-nsp] Need help troubleshooting CRC errors Thanks for the link... I have a little more detail about the problem now: 'show atm pvc x/y' shows: CrcErrors: 69402, SarTimeOuts: 2, OverSizedSDUs: 0, LengthViolation: 69294, CPIErrors: 0 Also, the router side shows, on 'show int': MTU 1500 bytes, sub MTU 1500, BW 155000 Kbit, DLY 80 usec, router side, on 'show atm int atm': Max. Datagram Size: 1558 8510 switch side, on 'show int': MTU 4470 bytes, sub MTU 4470, BW 155520 Kbit, DLY 0 usec, Would this be a problem? Steve Pfister Technical Coordinator, The Office of Information Technology Dayton Public Schools 115 S. Ludlow St. 
Dayton, OH 45402 Office (937) 542-3149 Cell (937) 673-6779 Direct Connect: 137*131747*8 Email spfis...@dps.k12.oh.us Antonio Soares amsoa...@netcabo.pt 9/17/2009 11:45 AM Try this document: CRC Troubleshooting Guide for ATM Interfaces http://www.cisco.com/en/US/tech/tk39/tk48/technologies_tech_note09186a00800c93ef.shtml Regards, Antonio Soares, CCIE #18473 (RS) amsoa...@netcabo.pt -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Steven Pfister Sent: quinta-feira, 17 de Setembro de 2009 15:39 To: cisco-nsp@puck.nether.net Subject: [c-nsp] Need help troubleshooting CRC errors Some of our older remote sites are connected via ATM. Two or three T1s come into an Cisco 8510, and from there a 155mbps OC3 connection over fiber to a 3640 router. Lately, I've been noticing that pretty much every one of them is showing what I think is a rather high receive error count on the 3640 end of the OC3 connection, and it all seems to be CRC errors. Not much of any errors are showing up on the 8510 end of the OC3 connection. For example, one site yesterday late afternoon showed 63, 763 receive errors for the day. Several others were in the 20Ks. I'm not really certain what the cause might be, or where to start. Can anyone help? Thanks! Steve Pfister Technical Coordinator, The Office of Information Technology Dayton Public Schools 115 S. Ludlow St. Dayton, OH 45402 Office (937) 542-3149 Cell (937) 673-6779 Direct Connect: 137*131747*8 Email spfis...@dps.k12.oh.us ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Need help troubleshooting CRC errors
Hi,

On Thu, Sep 17, 2009 at 10:39:21AM -0400, Steven Pfister wrote:
> that pretty much every one of them is showing what I think is a rather high receive error count on the 3640 end of the OC3 connection, and it all seems to be CRC errors. Not much of any errors are showing up on the 8510 end of the OC3 connection. For example, one site yesterday late afternoon showed 63,763 receive errors for the day. Several others were in the 20Ks.
>
> I'm not really certain what the cause might be, or where to start. Can anyone help?

Is there a carrier network in between?

In our cases, whenever we saw ATM CRC errors, it was due to dropped cells in the carrier network (overloaded). If the receiving router cannot reassemble a packet due to missing cells - CRC error.

If the STM-1 is direct, no carrier ATM gear in between (just SDH/SONET) gear, it be a bad line. In that case it won't be cell drops.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
Re: [c-nsp] Need help troubleshooting CRC errors
Thanks for the link... I have a little more detail about the problem now:

'show atm pvc x/y' shows:
CrcErrors: 69402, SarTimeOuts: 2, OverSizedSDUs: 0, LengthViolation: 69294, CPIErrors: 0

Also, the router side shows, on 'show int':
MTU 1500 bytes, sub MTU 1500, BW 155000 Kbit, DLY 80 usec,

router side, on 'show atm int atm':
Max. Datagram Size: 1558

8510 switch side, on 'show int':
MTU 4470 bytes, sub MTU 4470, BW 155520 Kbit, DLY 0 usec,

Would this be a problem?

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St. Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfis...@dps.k12.oh.us

Antonio Soares amsoa...@netcabo.pt 9/17/2009 11:45 AM

Try this document:

CRC Troubleshooting Guide for ATM Interfaces
http://www.cisco.com/en/US/tech/tk39/tk48/technologies_tech_note09186a00800c93ef.shtml

Regards,
Antonio Soares, CCIE #18473 (RS)
amsoa...@netcabo.pt

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Steven Pfister
Sent: Thursday, 17 September 2009 15:39
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Need help troubleshooting CRC errors

Some of our older remote sites are connected via ATM. Two or three T1s come into a Cisco 8510, and from there a 155mbps OC3 connection over fiber to a 3640 router. Lately, I've been noticing that pretty much every one of them is showing what I think is a rather high receive error count on the 3640 end of the OC3 connection, and it all seems to be CRC errors. Not much of any errors are showing up on the 8510 end of the OC3 connection. For example, one site yesterday late afternoon showed 63,763 receive errors for the day. Several others were in the 20Ks.

I'm not really certain what the cause might be, or where to start. Can anyone help?

Thanks!

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St. Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfis...@dps.k12.oh.us
Re: [c-nsp] Need help troubleshooting CRC errors
This document might help you: Understanding Maximum Transmission Unit (MTU) on ATM Interfaces http://www.cisco.com/en/US/tech/tk39/tk371/technologies_tech_note09186a00800c8279.shtml This is what it says about Length Violations: A router increments the AAL5 length violation counter when the calculated size of a reassembled packet fails to match the received value of the AAL5 length field regardless of the MTU. To understand how these violations can occur, you need to understand how a receiving ATM interface recognizes the last cell of a frame. What ATM NM do you have in the 3640 ? Did you change the default MTU from 4470 to 1500 ? Regards, Antonio Soares, CCIE #18473 (RS) amsoa...@netcabo.pt -Original Message- From: Steven Pfister [mailto:spfis...@dps.k12.oh.us] Sent: sexta-feira, 18 de Setembro de 2009 19:09 To: Antonio Soares; cisco-nsp@puck.nether.net Subject: RE: [c-nsp] Need help troubleshooting CRC errors Thanks for the link... I have a little more detail about the problem now: 'show atm pvc x/y' shows: CrcErrors: 69402, SarTimeOuts: 2, OverSizedSDUs: 0, LengthViolation: 69294, CPIErrors: 0 Also, the router side shows, on 'show int': MTU 1500 bytes, sub MTU 1500, BW 155000 Kbit, DLY 80 usec, router side, on 'show atm int atm': Max. Datagram Size: 1558 8510 switch side, on 'show int': MTU 4470 bytes, sub MTU 4470, BW 155520 Kbit, DLY 0 usec, Would this be a problem? Steve Pfister Technical Coordinator, The Office of Information Technology Dayton Public Schools 115 S. Ludlow St. 
Dayton, OH 45402 Office (937) 542-3149 Cell (937) 673-6779 Direct Connect: 137*131747*8 Email spfis...@dps.k12.oh.us Antonio Soares amsoa...@netcabo.pt 9/17/2009 11:45 AM Try this document: CRC Troubleshooting Guide for ATM Interfaces http://www.cisco.com/en/US/tech/tk39/tk48/technologies_tech_note09186a00800c93ef.shtml Regards, Antonio Soares, CCIE #18473 (RS) amsoa...@netcabo.pt -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Steven Pfister Sent: quinta-feira, 17 de Setembro de 2009 15:39 To: cisco-nsp@puck.nether.net Subject: [c-nsp] Need help troubleshooting CRC errors Some of our older remote sites are connected via ATM. Two or three T1s come into an Cisco 8510, and from there a 155mbps OC3 connection over fiber to a 3640 router. Lately, I've been noticing that pretty much every one of them is showing what I think is a rather high receive error count on the 3640 end of the OC3 connection, and it all seems to be CRC errors. Not much of any errors are showing up on the 8510 end of the OC3 connection. For example, one site yesterday late afternoon showed 63, 763 receive errors for the day. Several others were in the 20Ks. I'm not really certain what the cause might be, or where to start. Can anyone help? Thanks! Steve Pfister Technical Coordinator, The Office of Information Technology Dayton Public Schools 115 S. Ludlow St. Dayton, OH 45402 Office (937) 542-3149 Cell (937) 673-6779 Direct Connect: 137*131747*8 Email spfis...@dps.k12.oh.us ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
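The cell-loss explanation and the AAL5 length-violation definition quoted in this thread can be reproduced with a small model of AAL5 segmentation and reassembly. This is an added example, not code from any poster or from Cisco: the function names, the 1500-byte payload and the choice of dropped cells are assumptions, and each cell is modelled as its 48-byte payload plus an end-of-frame flag.

```python
import struct

CELL_PAYLOAD = 48   # bytes of AAL5 data carried per ATM cell
TRAILER_LEN = 8     # CPCS-UU (1) + CPI (1) + Length (2) + CRC-32 (4)


def crc32_aal5(data: bytes) -> int:
    """CRC-32 as used by AAL5: poly 0x04C11DB7, MSB first, init and final XOR all ones."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte << 24
        for _ in range(8):
            if crc & 0x80000000:
                crc = ((crc << 1) ^ 0x04C11DB7) & 0xFFFFFFFF
            else:
                crc = (crc << 1) & 0xFFFFFFFF
    return crc ^ 0xFFFFFFFF


def segment(payload: bytes):
    """Build the AAL5 CPCS-PDU and cut it into (cell_payload, is_last_cell) tuples."""
    pad = -(len(payload) + TRAILER_LEN) % CELL_PAYLOAD
    body = payload + bytes(pad) + struct.pack("!BBH", 0, 0, len(payload))
    pdu = body + struct.pack("!I", crc32_aal5(body))
    chunks = [pdu[i:i + CELL_PAYLOAD] for i in range(0, len(pdu), CELL_PAYLOAD)]
    return [(chunk, i == len(chunks) - 1) for i, chunk in enumerate(chunks)]


def reassemble(cells):
    """Receiver side: collect cells until the last-cell flag, then check the trailer."""
    results, buf = [], b""
    for data, is_last in cells:
        buf += data
        if not is_last:
            continue
        _uu, _cpi, length, crc = struct.unpack("!BBHI", buf[-TRAILER_LEN:])
        pad = len(buf) - TRAILER_LEN - length
        results.append({
            "cells": len(buf) // CELL_PAYLOAD,
            # The Length field must agree with the amount of data actually reassembled.
            "length_ok": 0 <= pad < CELL_PAYLOAD,
            "crc_ok": crc32_aal5(buf[:-4]) == crc,
        })
        buf = b""
    return results


def run_cases(payload_len: int = 1500):
    """Two back-to-back frames: intact, one middle cell lost, one last cell lost."""
    payload = bytes(i % 251 for i in range(payload_len))   # constructed test data
    link = segment(payload) + segment(payload)
    per_frame = len(link) // 2
    lost_middle = link[:5] + link[6:]                       # drop the 6th cell of frame 1
    lost_last = link[:per_frame - 1] + link[per_frame:]     # drop frame 1's end-of-frame cell
    return {
        "intact": reassemble(link),
        "lost_middle": reassemble(lost_middle),
        "lost_last": reassemble(lost_last),
    }


if __name__ == "__main__":
    for name, frames in run_cases().items():
        print(name, frames)
```

In this model a single lost cell fails the CRC check and the length check together, and losing the end-of-frame cell merges two frames into one bad reassembly.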
[c-nsp] Need help troubleshooting CRC errors
Some of our older remote sites are connected via ATM. Two or three T1s come into a Cisco 8510, and from there a 155mbps OC3 connection over fiber to a 3640 router. Lately, I've been noticing that pretty much every one of them is showing what I think is a rather high receive error count on the 3640 end of the OC3 connection, and it all seems to be CRC errors. Not much of any errors are showing up on the 8510 end of the OC3 connection. For example, one site yesterday late afternoon showed 63,763 receive errors for the day. Several others were in the 20Ks.

I'm not really certain what the cause might be, or where to start. Can anyone help?

Thanks!

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St. Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfis...@dps.k12.oh.us
Re: [c-nsp] Need help troubleshooting CRC errors
Try this document:

CRC Troubleshooting Guide for ATM Interfaces
http://www.cisco.com/en/US/tech/tk39/tk48/technologies_tech_note09186a00800c93ef.shtml

Regards,
Antonio Soares, CCIE #18473 (RS)
amsoa...@netcabo.pt

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Steven Pfister
Sent: Thursday, 17 September 2009 15:39
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Need help troubleshooting CRC errors

Some of our older remote sites are connected via ATM. Two or three T1s come into a Cisco 8510, and from there a 155mbps OC3 connection over fiber to a 3640 router. Lately, I've been noticing that pretty much every one of them is showing what I think is a rather high receive error count on the 3640 end of the OC3 connection, and it all seems to be CRC errors. Not much of any errors are showing up on the 8510 end of the OC3 connection. For example, one site yesterday late afternoon showed 63,763 receive errors for the day. Several others were in the 20Ks.

I'm not really certain what the cause might be, or where to start. Can anyone help?

Thanks!

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St. Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfis...@dps.k12.oh.us
[c-nsp] Need help on IOS
Hello, Can you provide me below IOS please. c3825-ipbasek9-mz.124-24.T.bin If someone have this IOS please send me by email tseveendorj2...@yahoo.com or assign my CCO account named otseveendorj without access privilege any resources of Cisco. Then I really appreciate. Thank you. Tseveen. ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] need help.....
arup...@gmail.com (Arup Bhattacharya) wrote:
> Why is VLAN 0 not configured in Switch whereas the starting range of VLAN is 0 and default VLAN is 1...

There is no VLAN 0. 0 means untagged.
Re: [c-nsp] need help.....
C2950(config)#vlan 0
Command rejected: Bad VLAN list - character #2 (EOL) delimits a VLAN number (0) out of the range 1..4094.

But go and check the following doc, you will see that VLAN 0 can be used by a Cisco switch to forward DOT1P-tagged voice frames:
http://www.cisco.com/en/US/docs/switches/lan/catalyst2970/software/release/12.1_19_ea1/configuration/guide/swvoip.html#wp1034347

According to Arup Bhattacharya arup...@gmail.com:
> Why is VLAN 0 not configured in Switch whereas the starting range of VLAN is 0 and default VLAN is 1...
>
> --
> Regards.
> Arup Bhattacharya
> GSM-9748238797
> -
> Success is not final, failure is not fatal: it is the courage to continue that counts
[c-nsp] need help with 6509-E with WS-SUP32-GE-3B
I have a brand new 6509-E with WS-SUP32-GE-3B booting up in rommon mode. I was able to type the command boot so it can look for the right code to boot up, but after I configured the switch I turned it off and turned it back on, and it booted up in rommon mode again and everything was lost. I know someone had upgraded the IOS and I am sure that's what is causing the problem. I know there is a command I can type to fix the problem but I can't remember it or find it on the web. Can someone please help me out with this?

Renelson
Re: [c-nsp] need help with 6509-E with WS-SUP32-GE-3B
Hi Renelson,

What's the configuration register set to? (sh boot) once you're in IOS. 0x0 will bring you to rommon every time, 0x2102 will boot the sup using the config file.

Aaron
-
Aaron Childs
Assistant Director, Networking
Westfield State College
http://www.wsc.ma.edu/it/

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Renelson Panosky
Sent: Wednesday, June 10, 2009 12:41 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] need help with 6509-E with WS-SUP32-GE-3B

I have a brand new 6509-E with WS-SUP32-GE-3B booting up in rommon mode. I was able to type the command boot so it can look for the right code to boot up, but after I configured the switch I turned it off and turned it back on, and it booted up in rommon mode again and everything was lost. I know someone had upgraded the IOS and I am sure that's what is causing the problem. I know there is a command I can type to fix the problem but I can't remember it or find it on the web. Can someone please help me out with this?

Renelson
Re: [c-nsp] need help with 6509-E with WS-SUP32-GE-3B
Check the config-register, as Aaron suggests, but also check the SP's config-register.

#remote command switch show boot

If the RP shows 0x2102 but the SP is something else, that could be the problem. To fix, go into config mode on the RP and re-enter the 0x2102 config-register, ^Z, then write mem.

Cheers,
Dale

On Thu, Jun 11, 2009 at 3:24 AM, Childs, Aaron aa...@wsc.ma.edu wrote:
> What's the configuration register set to? (sh boot) once you're in IOS. 0x0 will bring you to rommon every time, 0x2102 will boot the sup using the config file.
>
> Aaron
>
> -Original Message-
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Renelson Panosky
> Sent: Wednesday, June 10, 2009 12:41 PM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] need help with 6509-E with WS-SUP32-GE-3B
>
> I have a brand new 6509-E with WS-SUP32-GE-3B booting up in rommon mode. I was able to type the command boot so it can look for the right code to boot up, but after I configured the switch I turned it off and turned it back on, and it booted up in rommon mode again and everything was lost. I know someone had upgraded the IOS and I am sure that's what is causing the problem. I know there is a command I can type to fix the problem but I can't remember it or find it on the web. Can someone please help me out with this?
>
> Renelson
Re: [c-nsp] need help with 6509-E with WS-SUP32-GE-3B
> Check the config-register, as Aaron suggests, but also check the SP's config-register.
>
> #remote command switch show boot
>
> If the RP shows 0x2102 but the SP is something else, that could be the problem. To fix, go into config mode on the RP and re-enter the 0x2102 config-register, ^Z, then write mem.
>
> Cheers,
> Dale

While looking at show boot, you should also verify the boot variable. It may be necessary to explicitly specify the image filename.

show boot
BOOT variable = disk0:c7600s72033-advipservicesk9-mz.122-33.SRC2.bin,1;,1;

show star | i ^boot
boot-start-marker
boot system flash disk0:c7600s72033-advipservicesk9-mz.122-33.SRC2.bin
boot system flash
boot-end-marker
[c-nsp] need help.....
Why is VLAN 0 not configured in Switch whereas the starting range of VLAN is 0 and default VLAN is 1...

--
Regards.
Arup Bhattacharya
GSM-9748238797
-
Success is not final, failure is not fatal: it is the courage to continue that counts
[c-nsp] Need help understanding mpls error message
I've searched on Cisco's website to help understand the following message but I'm not 100% clear on how to find the network/router responsible for generating these error messages:

.May 19 08:39:06.235 EDT: %MPLS_PACKET-4-NOLFDSB: MPLS packet received on non MPLS enabled interface Vlan101 L3 type 0x8847 label {586 0 0 255}
.May 19 08:39:39.175 EDT: %MPLS_PACKET-4-NOLFDSB: MPLS packet received on non MPLS enabled interface Vlan101 L3 type 0x8847 label {587 0 0 255}
.May 19 08:40:19.392 EDT: %MPLS_PACKET-4-NOLFDSB: MPLS packet received on non MPLS enabled interface Vlan101 L3 type 0x8847 label {587 0 0 255}
.May 19 08:41:26.413 EDT: %MPLS_PACKET-4-NOLFDSB: MPLS packet received on non MPLS enabled interface Vlan101 L3 type 0x8847 label {587 0 0 255}
.May 19 08:42:02.225 EDT: %MPLS_PACKET-4-NOLFDSB: MPLS packet received on non MPLS enabled interface Vlan101 L3 type 0x8847 label {586 6 1 255}

Since it's giving multiple labels, which one should I do a mpls forwarding-table label command on and will that point me to the offending block?

FYI, Vlan101 is part of our NMS network and does not have LDP enabled on it.

Thanks.

Jose
Re: [c-nsp] Need help understanding mpls error message
If you sniff that vlan do you see packets coming in with 0x8847 on them? It could be bogus packets with that on them and no valid label stack behind them.

Rodney

On Tue, May 19, 2009 at 11:57:46AM -0400, Lobo wrote:
> I've searched on Cisco's website to help understand the following message but I'm not 100% clear on how to find the network/router responsible for generating these error messages:
>
> .May 19 08:39:06.235 EDT: %MPLS_PACKET-4-NOLFDSB: MPLS packet received on non MPLS enabled interface Vlan101 L3 type 0x8847 label {586 0 0 255}
> .May 19 08:39:39.175 EDT: %MPLS_PACKET-4-NOLFDSB: MPLS packet received on non MPLS enabled interface Vlan101 L3 type 0x8847 label {587 0 0 255}
> .May 19 08:40:19.392 EDT: %MPLS_PACKET-4-NOLFDSB: MPLS packet received on non MPLS enabled interface Vlan101 L3 type 0x8847 label {587 0 0 255}
> .May 19 08:41:26.413 EDT: %MPLS_PACKET-4-NOLFDSB: MPLS packet received on non MPLS enabled interface Vlan101 L3 type 0x8847 label {587 0 0 255}
> .May 19 08:42:02.225 EDT: %MPLS_PACKET-4-NOLFDSB: MPLS packet received on non MPLS enabled interface Vlan101 L3 type 0x8847 label {586 6 1 255}
>
> Since it's giving multiple labels, which one should I do a mpls forwarding-table label command on and will that point me to the offending block?
>
> FYI, Vlan101 is part of our NMS network and does not have LDP enabled on it.
>
> Thanks.
>
> Jose
Re: [c-nsp] Need help understanding mpls error message
On Tue, 2009-05-19 at 11:57 -0400, Lobo wrote:
> I've searched on Cisco's website to help understand the following message but I'm not 100% clear on how to find the network/router responsible for generating these error messages:
>
> .May 19 08:39:06.235 EDT: %MPLS_PACKET-4-NOLFDSB: MPLS packet received on non MPLS enabled interface Vlan101 L3 type 0x8847 label {586 0 0 255}
> ...
> Since it's giving multiple labels, which one should I do a mpls forwarding-table label command on and will that point me to the offending block?
>
> FYI, Vlan101 is part of our NMS network and does not have LDP enabled on it.

You probably won't be able to look it up in the FIB. As it says: You received a MPLS tagged frame on a non MPLS interface. This frame was probably not tagged with labels that your router assigned.

What else exists on VLAN 101? Any MPLS speakers? Is VLAN 101 a trusted interface?

With a sniffer you'd be able to see the source MAC address of the frames. Something like tcpdump with the -e flag will show you:

18:14:39.807669 00:19:07:73:c9:40 00:0b:46:5a:74:20, ethertype MPLS unicast (0x8847), length 78: MPLS (label 54, exp 0, [S], ttl 247), IP, length: 64

Then you can look up the MAC-address in the L2 FIB.

Regards,
Peter
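What the sniffer approach suggested in the two replies above yields can be shown with a short parser, given here as an added example that is not code from any poster. It pulls the source MAC and label stack out of captured Ethernet frames with ethertype 0x8847, flags frames with no complete label stack behind the ethertype, and counts senders; the function names and every sample frame are constructed for illustration, with the first frame reusing the addresses and label values from the tcpdump line.

```python
import struct
from collections import Counter

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_MPLS_UNICAST = 0x8847


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_mpls_frame(frame: bytes):
    """Describe an MPLS unicast Ethernet frame; return None for any other frame."""
    if len(frame) < 14:
        return None
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_8021Q:            # frame captured on a trunk
        if len(frame) < 18:
            return None
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    if ethertype != ETHERTYPE_MPLS_UNICAST:
        return None
    labels, complete = [], False
    # Each label stack entry is 32 bits: label(20) exp(3) bottom-of-stack(1) ttl(8).
    while len(frame) >= offset + 4:
        (entry,) = struct.unpack("!I", frame[offset:offset + 4])
        offset += 4
        labels.append({"label": entry >> 12, "exp": (entry >> 9) & 0x7,
                       "bos": (entry >> 8) & 0x1, "ttl": entry & 0xFF})
        if labels[-1]["bos"]:
            complete = True
            break
    # valid_stack is False when the frame ends before a bottom-of-stack entry.
    return {"src": fmt_mac(src), "dst": fmt_mac(dst), "vlan": vlan,
            "labels": labels, "valid_stack": complete}


def senders(frames) -> Counter:
    """Count MPLS-tagged frames per source MAC, the value to look up in the MAC table."""
    counts = Counter()
    for frame in frames:
        info = parse_mpls_frame(frame)
        if info is not None:
            counts[info["src"]] += 1
    return counts


# --- constructed sample capture (not taken from the poster's network) ---
def build_frame(dst, src, ethertype, body, vlan=None):
    header = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        header += struct.pack("!HH", ETHERTYPE_8021Q, vlan)
    return header + struct.pack("!H", ethertype) + body


def label_entry(label, exp, bos, ttl):
    return struct.pack("!I", (label << 12) | (exp << 9) | (bos << 8) | ttl)


ROUTER = "00:0b:46:5a:74:20"
SAMPLE_FRAMES = [
    # Same addresses and label values as the tcpdump line quoted above.
    build_frame(ROUTER, "00:19:07:73:c9:40", 0x8847, label_entry(54, 0, 1, 247) + bytes(64)),
    # Two-entry stack, 802.1Q-tagged for VLAN 101.
    build_frame(ROUTER, "00:19:07:73:c9:40", 0x8847,
                label_entry(586, 0, 0, 255) + label_entry(587, 0, 1, 255) + bytes(20), vlan=101),
    # Ethertype 0x8847 but the frame ends before any bottom-of-stack entry.
    build_frame(ROUTER, "02:00:00:00:00:99", 0x8847, label_entry(586, 0, 0, 255)),
    # Ordinary IPv4 frame, ignored by the parser.
    build_frame(ROUTER, "02:00:00:00:00:01", 0x0800, bytes(20)),
]

if __name__ == "__main__":
    for mac, count in senders(SAMPLE_FRAMES).most_common():
        print(mac, count)
```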
Re: [c-nsp] Need help understanding mpls error message
Hmmm good point Peter. I didn't realize that it wouldn't show up in the FIB. VLAN 101 should be a trusted interface since only NMS type of traffic is supposed to traverse on it for this part of the network.

I'll see if there's a way to hook up a packet sniffer to that 6524 and see if I can figure out the MAC address from there.

Thanks.

Jose

Peter Rathlev wrote:
> On Tue, 2009-05-19 at 11:57 -0400, Lobo wrote:
> > I've searched on Cisco's website to help understand the following message but I'm not 100% clear on how to find the network/router responsible for generating these error messages:
> >
> > .May 19 08:39:06.235 EDT: %MPLS_PACKET-4-NOLFDSB: MPLS packet received on non MPLS enabled interface Vlan101 L3 type 0x8847 label {586 0 0 255}
> > ...
> > Since it's giving multiple labels, which one should I do a mpls forwarding-table label command on and will that point me to the offending block?
> >
> > FYI, Vlan101 is part of our NMS network and does not have LDP enabled on it.
>
> You probably won't be able to look it up in the FIB. As it says: You received a MPLS tagged frame on a non MPLS interface. This frame was probably not tagged with labels that your router assigned.
>
> What else exists on VLAN 101? Any MPLS speakers? Is VLAN 101 a trusted interface?
>
> With a sniffer you'd be able to see the source MAC address of the frames. Something like tcpdump with the -e flag will show you:
>
> 18:14:39.807669 00:19:07:73:c9:40 00:0b:46:5a:74:20, ethertype MPLS unicast (0x8847), length 78: MPLS (label 54, exp 0, [S], ttl 247), IP, length: 64
>
> Then you can look up the MAC-address in the L2 FIB.
>
> Regards,
> Peter
Re: [c-nsp] Need Help troubleshooting a 6513
Thank you for all the responses and troubleshooting advice, but the problem has been taken care of. Special thanks to Arie, and the command to power up the module is:

config t
power enable module 5

Just in case anybody else comes across that problem again. Thanks Arie

Renelson

On Mon, May 18, 2009 at 10:14 AM, harbor235 harbor...@gmail.com wrote:
> What type of module is it? Some modules are not supported on all versions of code. More info is needed, IOS version, module type. Is this a SPA module? and are you running SRB code? If so this is fixed in SRC code.
>
> mike
>
> On Fri, May 15, 2009 at 2:05 PM, Renelson Panosky panocisc...@gmail.com wrote:
> > Hello list,
> >
> > I am configuring a 6513. I've created all my VLANs and assigned them to all my ports. However, when I do sho vlan I see all my ports except the one in slot 5, but when I do sho run I can see them with the correct VLAN. When I do sho mod, here is what I get:
> >
> > Mod  Online Diag Status
> > ---  ------------------
> > 1    Pass
> > 2    Pass
> > 3    Pass
> > 4    Pass
> > 5    Not Applicable
> > 7    Pass
> >
> > Does that mean the module is defective, or is the slot bad? Any help will be appreciated.
> >
> > Renelson
[c-nsp] Need help in cat6k.
Hey Folks,

This is regarding a Cisco Catalyst 6500 series switch with PISA Sup32 engine which is running IOS version 12.2SXI.

In a redundancy setup of a 9 slot chassis, is there any command/rommon variable to predefine the 6th slot Supervisor to hold the position of active supervisor even after every reload? (Whereas in the case of the gear running CatalystOS, the active supervisor will be decided based on the slot position, i.e., the 5th slot sup will always try to become the active.)

Thanks in advance
R.Ramnath
[c-nsp] Need Help troubleshooting a 6513
Hello list

I am configuring a 6513. I've created all my VLANs and assigned them to all my ports; however, when I do sho vlan I see all my ports except the one in slot 5, but when I do sho run I can see them with the correct VLAN. When I do sho mod, here is what I get:

    Mod  Online Diag Status
    ---
    1    Pass
    2    Pass
    3    Pass
    4    Pass
    5    Not Applicable
    7    Pass

Does that mean the module is defective, or is the slot bad? Any help will be appreciated.

Renelson
Re: [c-nsp] Need Help troubleshooting a 6513
Renelson,

Can you please share the output of show module?

Thanks
Arie

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Renelson Panosky
Sent: Friday, May 15, 2009 21:05
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Need Help troubleshooting a 6513

Hello list

I am configuring a 6513. I've created all my VLANs and assigned them to all my ports; however, when I do sho vlan I see all my ports except the one in slot 5, but when I do sho run I can see them with the correct VLAN. When I do sho mod, here is what I get:

    Mod  Online Diag Status
    ---
    1    Pass
    2    Pass
    3    Pass
    4    Pass
    5    Not Applicable
    7    Pass

Does that mean the module is defective, or is the slot bad? Any help will be appreciated.

Renelson
Re: [c-nsp] Need Help troubleshooting a 6513
Do outputs for the module... reseat the module, reload the microcode. These can be used at different moments.

Jay Murphy
IP Network Specialist
NM State Government
IT Services Division
PSB - IP Network Management Center
Santa Fé, New México 87502
Bus. Ph.: 505.827.2851
We move the information that moves your world.

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Renelson Panosky
Sent: Friday, May 15, 2009 12:05 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Need Help troubleshooting a 6513

Hello list

I am configuring a 6513. I've created all my VLANs and assigned them to all my ports; however, when I do sho vlan I see all my ports except the one in slot 5, but when I do sho run I can see them with the correct VLAN. When I do sho mod, here is what I get:

    Mod  Online Diag Status
    ---
    1    Pass
    2    Pass
    3    Pass
    4    Pass
    5    Not Applicable
    7    Pass

Does that mean the module is defective, or is the slot bad? Any help will be appreciated.

Renelson
Re: [c-nsp] need help about switch cisco 4 9 4 8
I've learned to always specify the full path to the image you want to load. It's safer than assuming that rommon will find the image on its own on the assortment of drives that the newer, larger devices have these days.

Justin

Paul Zugnoni wrote:

fwiw, (nearly 2 months later) on our 4948:

    boot system flash cat4500-ipbasek9-mz.122-31.SGA8.bin

with a config-register of 0x2102 resulted in the switch booting into rommon mode, with an error message on the console that the device was not specified. Upon removing that configuration statement and replacing it with the following one, the 4948 booted as expected:

    boot system flash bootflash:cat4500-ipbasek9-mz.122-31.SGA8.bin

notice the specification of bootflash: in front of the image name.
Re: [c-nsp] need help about switch cisco 4 9 4 8
fwiw, (nearly 2 months later) on our 4948:

    boot system flash cat4500-ipbasek9-mz.122-31.SGA8.bin

with a config-register of 0x2102 resulted in the switch booting into rommon mode, with an error message on the console that the device was not specified. Upon removing that configuration statement and replacing it with the following one, the 4948 booted as expected:

    boot system flash bootflash:cat4500-ipbasek9-mz.122-31.SGA8.bin

notice the specification of bootflash: in front of the image name.

Paul

On Sat, Feb 21, 2009 at 9:50 AM, ML m...@kenweb.org wrote:

Antonio Soares wrote:

Since you don't have a boot system flash statement in your config, you need a config-register = 0x2101. This way it will load the first available image in the bootflash.

Regards,
Antonio Soares, CCIE #18473 (RS)
amsoa...@netcabo.pt

Just recently we had an issue where a 4924 wouldn't load our desired IOS image under any combination of boot system {flash:|bootflash:} commands we could think of. Only solution was to erase all but the desired image. It was a roll the dice hope you don't critically fail situation. Config register 0x2101.
Re: [c-nsp] need help about switch cisco 4 9 4 8
Antonio Soares wrote:

Since you don't have a boot system flash statement in your config, you need a config-register = 0x2101. This way it will load the first available image in the bootflash.

Regards,
Antonio Soares, CCIE #18473 (RS)
amsoa...@netcabo.pt

Just recently we had an issue where a 4924 wouldn't load our desired IOS image under any combination of boot system {flash:|bootflash:} commands we could think of. Only solution was to erase all but the desired image. It was a roll the dice hope you don't critically fail situation. Config register 0x2101.
[c-nsp] need help about switch cisco 4 9 4 8
Hi

I have problems in this switch 49 48

1/ I can't setup the management interface. I have another same module. I can see there is FastEthernet to set it up as management port.

2/ After reload, I lost configuration. I did copy run start. It said that it can't find the valid boot environment:

    config-register = 0x2142
    Autobooting using BOOT variable specified file.
    Could not find a valid file in BOOT environment variable.
    rommon 1

Please help
Re: [c-nsp] need help about switch cisco 4 9 4 8
config register 2142 means boot without config.

In the rommon, set config-register to 0x2102 and type restart.

I'm not up on the 4948 management interface.

Matthew Huff | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of chloe K
Sent: Friday, February 20, 2009 2:08 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] need help about switch cisco 4 9 4 8

Hi

I have problems in this switch 49 48

1/ I can't setup the management interface. I have another same module. I can see there is FastEthernet to set it up as management port.

2/ After reload, I lost configuration. I did copy run start. It said that it can't find the valid boot environment:

    config-register = 0x2142
    Autobooting using BOOT variable specified file.
    Could not find a valid file in BOOT environment variable.
    rommon 1

Please help
Re: [c-nsp] need help about switch cisco 4 9 4 8
The management port on a 4948 only works in rommon mode.

Matthew Huff wrote:

config register 2142 means boot without config.

In the rommon, set config-register to 0x2102 and type restart.

I'm not up on the 4948 management interface.

Matthew Huff | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of chloe K
Sent: Friday, February 20, 2009 2:08 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] need help about switch cisco 4 9 4 8

Hi

I have problems in this switch 49 48

1/ I can't setup the management interface. I have another same module. I can see there is FastEthernet to set it up as management port.

2/ After reload, I lost configuration. I did copy run start. It said that it can't find the valid boot environment:

    config-register = 0x2142
    Autobooting using BOOT variable specified file.
    Could not find a valid file in BOOT environment variable.
    rommon 1

Please help
Re: [c-nsp] need help about switch cisco 4 9 4 8
chloe K wrote:

Hi

I have problems in this switch 49 48

1/ I can't setup the management interface. I have another same module. I can see there is FastEthernet to set it up as management port.

2/ After reload, I lost configuration. I did copy run start. It said that it can't find the valid boot environment:

    config-register = 0x2142
    Autobooting using BOOT variable specified file.
    Could not find a valid file in BOOT environment variable.
    rommon 1

Please help

Have you tried reading the documentation on cisco.com on how to do this? If you don't want to put that much effort into it, you could just copy the config from the other 4948.

~Seth
Re: [c-nsp] need help about switch cisco 4 9 4 8
Hi James

Can you give me more info? I have another switch 4948. I can see this FastEthernet1 in sh running or sh int. When I configure ip in this interface, it can work in my management port:

    interface FastEthernet1
     ip address x.x.x.x y.y.y.y
     speed auto
     duplex auto

But I can't see this FastEthernet1 in that switch in sh running config or sh int. I am so confused. Do you have any idea?

Thank you

James Slepicka cisco-...@slepicka.net wrote:

the management port on a 4948 only works in rommon mode.

Matthew Huff wrote:

config register 2142 means boot without config.

In the rommon, set config-register to 0x2102 and type restart.

I'm not up on the 4948 management interface.

Matthew Huff | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of chloe K
Sent: Friday, February 20, 2009 2:08 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] need help about switch cisco 4 9 4 8

Hi

I have problems in this switch 49 48

1/ I can't setup the management interface. I have another same module. I can see there is FastEthernet to set it up as management port.

2/ After reload, I lost configuration. I did copy run start. It said that it can't find the valid boot environment:

    config-register = 0x2142
    Autobooting using BOOT variable specified file.
    Could not find a valid file in BOOT environment variable.
    rommon 1

Please help
Re: [c-nsp] need help about switch cisco 4 9 4 8
Hi Rich

Thank you so much for your fast response.

For the 1st question, what is config-register = 0x1?

For the 2nd question, I have the same model switch; there is int FastEthernet1 to let me configure the management int:

    interface FastEthernet1
     no ip address
     speed auto
     duplex auto

But in this switch, I can't see this int in show running config, so I can't configure it for the management port. Do you have any idea?

Thank you

Rich Davies rich.dav...@gmail.com wrote:

Chloe,

The config-register of 0x2142 is usually configured when someone does password recovery on the device. You need to change it back to 0x2102 then reset the switch:

    confreg 0x2102
    reset

This should cause the switch to boot up with a config register of 0x2102, which tells it to load the configuration from NVRAM (normal default operation).

Once the Cisco IOS is booted and you can get in to do configuration on the switch, you will want to set up a management IP address. Traditionally switches have a Vlan1 interface, which is the interface you should put your management IP on. The example shown assumes the following:

x.x.x.x = management IP
y.y.y.y = management IP subnet mask
z.z.z.z = default gateway (.1 or whatever you are using for the subnet).

    config term
    !
    !
    interface vlan 1
     ip address x.x.x.x y.y.y.y
    !
    ip default-gateway z.z.z.z
    !
    !
    end
    wr mem

Hope this helps!

-Rich

On Fri, Feb 20, 2009 at 2:08 PM, chloe K chloekcy2...@yahoo.ca wrote:

Hi

I have problems in this switch 49 48

1/ I can't setup the management interface. I have another same module. I can see there is FastEthernet to set it up as management port.

2/ After reload, I lost configuration. I did copy run start. It said that it can't find the valid boot environment:

    config-register = 0x2142
    Autobooting using BOOT variable specified file.
    Could not find a valid file in BOOT environment variable.
    rommon 1

Please help
Re: [c-nsp] need help about switch cisco 4 9 4 8
There are IOS releases that do not support the Management Interface. I know that 12.2.46SG supports it. So compare your 4948's and check the IOS releases.

You need a config-register=0x2101. With 0x2142, the switch won't load the startup config and needs a boot system flash statement to load the IOS image.

Regards,
Antonio Soares, CCIE #18473 (RS)
amsoa...@netcabo.pt

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of chloe K
Sent: sexta-feira, 20 de Fevereiro de 2009 19:08
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] need help about switch cisco 4 9 4 8

Hi

I have problems in this switch 49 48

1/ I can't setup the management interface. I have another same module. I can see there is FastEthernet to set it up as management port.

2/ After reload, I lost configuration. I did copy run start. It said that it can't find the valid boot environment:

    config-register = 0x2142
    Autobooting using BOOT variable specified file.
    Could not find a valid file in BOOT environment variable.
    rommon 1

Please help
Re: [c-nsp] need help about switch cisco 4 9 4 8
Thank you

Now I changed it to 0x2102 but it can't boot properly. Can you help?

Thank you

    The system will autoboot now
    config-register = 0x2102
    Autobooting using BOOT variable specified file.
    Could not find a valid file in BOOT environment variable.
    BOOT variable can be set from IOS.
    To find currently set Rom Monitor variables, please type 'set' command.
    For help on choosing a boot method, type 'confreg' command.

Antonio Soares amsoa...@netcabo.pt wrote:

There are IOS releases that do not support the Management Interface. I know that 12.2.46SG supports it. So compare your 4948's and check the IOS releases.

You need a config-register=0x2101. With 0x2142, the switch won't load the startup config and needs a boot system flash statement to load the IOS image.

Regards,
Antonio Soares, CCIE #18473 (RS)
amsoa...@netcabo.pt

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of chloe K
Sent: sexta-feira, 20 de Fevereiro de 2009 19:08
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] need help about switch cisco 4 9 4 8

Hi

I have problems in this switch 49 48

1/ I can't setup the management interface. I have another same module. I can see there is FastEthernet to set it up as management port.

2/ After reload, I lost configuration. I did copy run start. It said that it can't find the valid boot environment:

    config-register = 0x2142
    Autobooting using BOOT variable specified file.
    Could not find a valid file in BOOT environment variable.
    rommon 1

Please help
Re: [c-nsp] need help about switch cisco 4 9 4 8
Since you don't have a boot system flash statement in your config, you need a config-register = 0x2101. This way it will load the first available image in the bootflash.

Regards,
Antonio Soares, CCIE #18473 (RS)
amsoa...@netcabo.pt

_
From: chloe K [mailto:chloekcy2...@yahoo.ca]
Sent: sexta-feira, 20 de Fevereiro de 2009 21:00
To: Antonio Soares; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] need help about switch cisco 4 9 4 8

Thank you

Now I changed it to 0x2102 but it can't boot properly. Can you help?

Thank you

    The system will autoboot now
    config-register = 0x2102
    Autobooting using BOOT variable specified file.
    Could not find a valid file in BOOT environment variable.
    BOOT variable can be set from IOS.
    To find currently set Rom Monitor variables, please type 'set' command.
    For help on choosing a boot method, type 'confreg' command.

Antonio Soares amsoa...@netcabo.pt wrote:

There are IOS releases that do not support the Management Interface. I know that 12.2.46SG supports it. So compare your 4948's and check the IOS releases.

You need a config-register=0x2101. With 0x2142, the switch won't load the startup config and needs a boot system flash statement to load the IOS image.

Regards,
Antonio Soares, CCIE #18473 (RS)
amsoa...@netcabo.pt

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of chloe K
Sent: sexta-feira, 20 de Fevereiro de 2009 19:08
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] need help about switch cisco 4 9 4 8

Hi

I have problems in this switch 49 48

1/ I can't setup the management interface. I have another same module. I can see there is FastEthernet to set it up as management port.

2/ After reload, I lost configuration. I did copy run start. It said that it can't find the valid boot environment:

    config-register = 0x2142
    Autobooting using BOOT variable specified file.
    Could not find a valid file in BOOT environment variable.
    rommon 1

Please help
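As an added illustration (not code from any poster in this thread), the Python check below applies the config-register and boot system behaviour described in these messages and in the earlier message about specifying bootflash: to a saved configuration. The function names and finding labels are hypothetical, the sample configuration is constructed, and the bit meanings are the ones the posters give.

```python
import re

# Fields of the config register that the thread discusses.
IGNORE_STARTUP_CONFIG = 0x0040   # bit 6: set in 0x2142, startup config is skipped
BOOT_FIELD_MASK = 0x000F         # bits 0-3: selects where the image comes from

# Matches "boot system [flash] <target>" lines in a saved configuration.
BOOT_STMT = re.compile(
    r"^[ \t]*boot system[ \t]+(?:flash[ \t]+)?(\S+)[ \t]*$", re.M
)


def decode_confreg(value):
    """Split a config-register value into the two fields the thread uses."""
    boot_field = value & BOOT_FIELD_MASK
    if boot_field == 0x0:
        source = "stay in rommon"
    elif boot_field == 0x1:
        source = "first image in bootflash"          # 0x2101 in the thread
    else:
        source = "boot system statements / BOOT variable"  # 0x2102, 0x2142
    return {
        "boot_field": boot_field,
        "image_source": source,
        "ignore_startup_config": bool(value & IGNORE_STARTUP_CONFIG),
    }


def boot_targets(config_text):
    """Return the image targets named by boot system statements."""
    return BOOT_STMT.findall(config_text)


def audit_boot(confreg, config_text):
    """Return labels for boot settings that the thread shows ending in rommon
    or in a switch that comes up without its saved configuration."""
    findings = []
    reg = decode_confreg(confreg)
    targets = boot_targets(config_text)

    # Left over from password recovery: the saved configuration (management
    # addressing, ACLs, AAA) is not applied after a reload.
    if reg["ignore_startup_config"]:
        findings.append("IGNORES_STARTUP_CONFIG")

    if reg["boot_field"] >= 0x2:
        # "Could not find a valid file in BOOT environment variable."
        if not targets:
            findings.append("NO_BOOT_STATEMENT")
        # The 4948 case: image name given without a device such as bootflash:
        for target in targets:
            if ":" not in target:
                findings.append("NO_DEVICE_PREFIX:" + target)
    return findings


if __name__ == "__main__":
    # Constructed sample: the statement that dropped the 4948 into rommon.
    sample = "boot system flash cat4500-ipbasek9-mz.122-31.SGA8.bin\n"
    for register in (0x2142, 0x2102, 0x2101):
        print(hex(register), decode_confreg(register), audit_boot(register, sample))
```
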
Re: [c-nsp] need help about switch cisco 4 9 4 8
It may be that your flash is corrupt, is missing an IOS image, etc... My rommon memory is a bit fuzzy atm, but you should be able to do a

    dir flash:

or

    dir /all

and see what images are there. Then do a

    boot imagename

Matthew Huff | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of chloe K
Sent: Friday, February 20, 2009 4:00 PM
To: Antonio Soares; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] need help about switch cisco 4 9 4 8

Thank you

Now I changed it to 0x2102 but it can't boot properly. Can you help?

Thank you

    The system will autoboot now
    config-register = 0x2102
    Autobooting using BOOT variable specified file.
    Could not find a valid file in BOOT environment variable.
    BOOT variable can be set from IOS.
    To find currently set Rom Monitor variables, please type 'set' command.
    For help on choosing a boot method, type 'confreg' command.

Antonio Soares amsoa...@netcabo.pt wrote:

There are IOS releases that do not support the Management Interface. I know that 12.2.46SG supports it. So compare your 4948's and check the IOS releases.

You need a config-register=0x2101. With 0x2142, the switch won't load the startup config and needs a boot system flash statement to load the IOS image.

Regards,
Antonio Soares, CCIE #18473 (RS)
amsoa...@netcabo.pt

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of chloe K
Sent: sexta-feira, 20 de Fevereiro de 2009 19:08
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] need help about switch cisco 4 9 4 8

Hi

I have problems in this switch 49 48

1/ I can't setup the management interface. I have another same module. I can see there is FastEthernet to set it up as management port.

2/ After reload, I lost configuration. I did copy run start. It said that it can't find the valid boot environment:

    config-register = 0x2142
    Autobooting using BOOT variable specified file.
    Could not find a valid file in BOOT environment variable.
    rommon 1

Please help
Re: [c-nsp] Need help adding a device to an existing vlan
    interface FastEthernet0/38
     description to 1230 WAP
     switchport access vlan 199
     switchport trunk encapsulation dot1q
     switchport mode trunk
     no ip address
     no snmp trap link-status
     storm-control broadcast level 1.00
     storm-control multicast level 2.00
     storm-control unicast level 5.00
    end

This won't work. Try the following:

    switchport mode access
    no switchport trunk encap dot1q

--
Håvard Staub Nyhus
Atea AS
+47 41 88 00 99
[c-nsp] Need help adding a device to an existing vlan
I'm sure this is something simple, but I'm not quite seeing it... I need some help adding a device to an existing, recently created vlan. Here is the fragment of our network:

    [core 4507] - [8540] - [3550] - [1230 WAP]

[configuration excerpts are below]

The 1230 access point described is attached to our network, and is functioning properly. Recently, I tried to add another 3550 (in another part of the building), and a 1230 access point, copying the first configuration as the model. The vlan 99 (the user workstations) worked right away, but vlan 199 (the wireless access points) I cannot get working. I can still get to the first access point, but am having trouble with the new one:

- it's unreachable when connected to the new switch, but I can get to it when connected to the first switch
- I can get to the vlan 199 default gateway from the new switch, and can get to the first access point from the new switch, but I can't get to the new access point, even when logged into the new switch.
- If I assign an ip address to the vlan 199 interface, I can get to the new access point from the new switch, but then I can't get to the vlan's default gateway or to the first access point.

Can someone help me find where the problem is? Do I need to allow vlan 1 on the interface on the core 4507?

Thanks for your help!

--Steve

Here are configuration fragments of each:

4507 (vtp server, domain ADM_VTP):

    interface GigabitEthernet1/1
     description Trunk to 8540
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 40,51,99,199,997,998
     switchport mode trunk
     switchport nonegotiate
     no logging event link-status
     qos trust dscp
     tx-queue 3
       priority high
    !
    interface Vlan199
     description ADM WLAN Management
     ip address 192.168.199.1 255.255.255.0
     ip helper-address 10.99.20.62
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     no ip mroute-cache
    end

8540 (vtp client, domain ADM_VTP):

    interface GigabitEthernet1/0/0
     description Fiber to 99-c45-clan1
     no ip address
     no ip redirects
     no ip proxy-arp
     no cdp enable
    !
    interface GigabitEthernet1/0/0.1
     description Native VLAN
     encapsulation dot1Q 1 native
     no ip redirects
     no ip proxy-arp
    !
    interface GigabitEthernet1/0/0.40
     description Security VLAN
     encapsulation dot1Q 40
     no ip redirects
     no ip proxy-arp
     no cdp enable
     bridge-group 40
    !
    interface GigabitEthernet1/0/0.51
     description Voice Network
     encapsulation dot1Q 51
     no ip redirects
     no ip proxy-arp
     no cdp enable
     bridge-group 51
    !
    interface GigabitEthernet1/0/0.99
     description ADM LAN Access VLAN
     encapsulation dot1Q 99
     no ip redirects
     no ip proxy-arp
     no cdp enable
     bridge-group 99
    !
    interface GigabitEthernet1/0/0.199
     description Admin WLAN Management
     encapsulation dot1Q 199
     no ip redirects
     no ip proxy-arp
     no cdp enable
     bridge-group 199
    !
    interface GigabitEthernet1/0/0.997
     description ADM IVDL
     encapsulation dot1Q 997
     no ip redirects
     no ip proxy-arp
     bridge-group 97
    !
    interface GigabitEthernet1/0/0.998
     description Admin WLAN
     encapsulation dot1Q 998
     no ip redirects
     no ip proxy-arp
     bridge-group 98
    !
    interface GigabitEthernet1/0/2
     description Fiber to 3550
     no ip address
     no ip redirects
     no ip proxy-arp
     no cdp enable
    !
    interface GigabitEthernet1/0/2.1
     description Native VLAN
     encapsulation dot1Q 1 native
     no ip redirects
     no ip proxy-arp
    !
    interface GigabitEthernet1/0/2.99
     description ADM LAN Access VLAN
     encapsulation dot1Q 99
     no ip redirects
     no ip proxy-arp
     no cdp enable
     bridge-group 99
    !
    interface GigabitEthernet1/0/2.199
     description Admin WLAN Management
     encapsulation dot1Q 199
     no ip redirects
     no ip proxy-arp
     bridge-group 199
    !
    interface GigabitEthernet1/0/2.998
     description Admin WLAN
     encapsulation dot1Q 998
     no ip redirects
     no ip proxy-arp
     bridge-group 98
    !
    interface BVI199
     description Admin WLAN Management
     ip address 192.168.199.2 255.255.255.0
    end

3550 (vtp client, domain ADM_VTP):

    interface GigabitEthernet0/1
     description to 99-c85-catm1
     switchport trunk encapsulation dot1q
     switchport mode trunk
     no ip address
    !
    interface GigabitEthernet0/2
     switchport mode dynamic desirable
     no ip address
     shutdown
    !
    interface Vlan1
     no ip address
     no ip route-cache
    !
    interface Vlan99
     ip address 10.99.20.211 255.255.248.0
     no ip route-cache
     ntp broadcast client
    !
    interface Vlan199
     no ip address
    !
    interface FastEthernet0/38
     description to 1230 WAP
     switchport access vlan 199
     switchport trunk encapsulation dot1q
     switchport mode trunk
     no ip address
     no snmp trap link-status
     storm-control broadcast level 1.00
     storm-control multicast level 2.00
     storm-control unicast level 5.00
    end

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St. Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfis...@dps.k12.oh.us
Re: [c-nsp] need help about switch boot up question
Hi,

In the default running config, there is

    interface FastEthernet1
     no ip address
     speed auto
     duplex auto

2/ my switch is 48 ports Gig. Ethernet. Where is this physically

interface FastEthernet1 sounds suspiciously like a management interface, usually found lurking around the back near the console port

alan
Re: [c-nsp] need help about switch boot up question
Thank you

How about this address when booting up?

    IP Address  : 192.168.0.5
    Netmask     : 255.255.255.0
    Gateway     : 10.1.1.1
    TftpServer  : 10.1.1.1
    Main Memory : 256 MBytes

What is this address for?

Thank you again

a.l.m.bu...@lboro.ac.uk wrote:

Hi,

In the default running config, there is

    interface FastEthernet1
     no ip address
     speed auto
     duplex auto

2/ my switch is 48 ports Gig. Ethernet. Where is this physically

interface FastEthernet1 sounds suspiciously like a management interface, usually found lurking around the back near the console port

alan
[c-nsp] need help about switch boot up question
Hi

I boot up the 4947 switch and see this address

1/ What is this address for? How can I change it?

    MAC Address : 00-35-24-05-fb-6f
    IP Address  : 192.168.0.5
    Netmask     : 255.255.255.0
    Gateway     : 10.1.1.1
    TftpServer  : 10.1.1.1
    Main Memory : 256 MBytes

In the default running config, there is

    interface FastEthernet1
     no ip address
     speed auto
     duplex auto

2/ my switch is 48 ports Gig. Ethernet. Where is this physically

Thank you for your help