Re: [c-nsp] Shared Policy Instances and Aggregate Policing on ASR9K

2013-01-19 Thread Chris Mason
Apologies, but it seems to have messed up my formatting... trying again... I am looking for some clarification on QoS on the ASR9K with respect to VLANs and aggregate policing. I have 3 VLANs running over a Bundle and I am receiving unmarked traffic that I need to unconditionally mark based on VL

[c-nsp] Shared Policy Instances and Aggregate Policing on ASR9K

2013-01-19 Thread Chris Mason
Hi, I am looking for some clarification on QoS on the ASR9K with respect to VLANs and aggregate policing. I have 3 VLANs running over a Bundle and I am receiving unmarked traffic that I need to unconditionally mark based on VLAN. (I have omitted the ingress policy-map and class-map syntax for brevity

Re: [c-nsp] zone based FW -- inside to inside

2012-02-22 Thread Chris Mason
> when you do zone based firewalling on an ISR router. traffic from one > inside interface to another inside interface should not be affected by the > firewall correct? That is my understanding as long as the traffic is intra-zone and not inter-zone (i.e. between interfaces within the same zon

Re: [c-nsp] Feedback on "terminal exec prompt timestamp"

2012-02-16 Thread Chris Mason
> No thanks. When I want that info I'll ask for it or I'll > turn this feature on. Plus it could break or confuse > scripts and programs that interact with Cisco routers. +1 It is already irritating when people configure it and leave it on when it can be enabled easily on a per terminal basis usi

Re: [c-nsp] interconnect with adsl

2012-01-20 Thread Chris Mason
It depends on how many branches and your requirements (Egress QoS, IPSEC, etc?), but the ISR and ISR-G2 series of routers are ideal for this. I have used these previously in combination with IPSEC and DMVPN over ADSL to connect lots of branches (Cisco 87x and 18xx) to centralised hub sites (Cisco 2

Re: [c-nsp] forced path MPLS tunnel question

2012-01-17 Thread Chris Mason
Apologies if I misinterpreted your question, but for MPLS/TE you need an IGP of ISIS or OSPF in conjunction with RSVP within the network. The requirement on ISIS or OSPF is because it requires a link state protocol with visibility of the entire network (EIGRP doesn't cut it). When you enable

[c-nsp] Cisco 6500 [SUP720-3B]: %QM-4-AGG_POL_EXCEEDED: QoS Hardware Resources Exceeded : Out of Aggregate policers

2011-10-07 Thread Chris Mason
Hi All, I am running 12.2(18)SXF12a on a Cisco 6500 and I am getting the following error message when applying a service policy to an interface: %QM-4-AGG_POL_EXCEEDED: QoS Hardware Resources Exceeded : Out of Aggregate policers I understand the EARL7 SUP720 has a limit of 1023 aggregate policer

Re: [c-nsp] IP Accounting for IPv6

2011-09-07 Thread Chris Mason
> For anyone else's benefit, this seems to work (15.0(1)M6): > > flow record IPv6-FLOW-RECORD >  match ipv6 destination address >  collect ipv6 source address Typo, the above should be "match" for the source as well to create an aggregate based on src/dst. Chris

Re: [c-nsp] IP Accounting for IPv6

2011-09-07 Thread Chris Mason
> ...depending on the availability of Flexible Netflow on your hardware/IOS, you > could use "permanent netflow caches" to simulate ip-accounting with flexible > netflow. > Permanent caches/cache entries are *not* exported to a collector by default > and must be reset manually (or scripted). This f

Re: [c-nsp] IP Accounting for IPv6

2011-09-07 Thread Chris Mason
> netflow v9. > > "ip accounting" has been dead for about 10 years now...  it's still there, > but netflow scales much better and uses far less CPU. I knew you were going to say that :) I was looking for a solution which didn't involve an external collector and could provide on-box statistics aggr

[c-nsp] IP Accounting for IPv6

2011-09-07 Thread Chris Mason
Hi, A quick question I am sure, but I can't seem to find any reference on CCO for IP Accounting for IPv6? I am looking for the IPv6 equivalent of the following command to provide aggregated per-prefix statistics that remain on the router: interface Vlan199 ip accounting output-packets ! If this

Re: [c-nsp] IPv6 Support in Cisco IOS AnyConnect?

2011-06-16 Thread Chris Mason
> IOS SSL VPN doesn't currently support IPv6 for SVC. See Features Not > Supported on the Cisco IOS SSL VPN > guide/sec_ssl_vpn_ps10591_TSD_Products_Configuration_Guide_Chapter.html#wp1 > 502587> Does anyone (Cisco peopl

[c-nsp] IPv6 Support in Cisco IOS AnyConnect?

2011-06-16 Thread Chris Mason
Hi, Is anyone from Cisco able to confirm if IPv6 is supported when using the IOS based SSL VPN feature (inside the VPN)? The AnyConnect VPN client has a field for "Client Address (IPv6)" but I can't see how to enable it on the router. Using 15.0(1)M6 on the router and AnyConnect 2.5 on the client

Re: [c-nsp] Redistributed EIGRP Route Preferred over EBGP?

2011-04-18 Thread Chris Mason
> Cisco implements two types of POI as defined in > http://tools.ietf.org/html/draft-retana-bgp-custom-decision-01 > ABSOLUTE_VALUE and IGP_COST. > > Cost:pre-bestpath means absolute value which is compared as FIRST step even > before weight. > > BTW:  This document is wrong: > http://www.cisco.

Re: [c-nsp] Redistributed EIGRP Route Preferred over EBGP?

2011-04-18 Thread Chris Mason
> When EIGRP is redistributed to BGP the Cost Community is added to the prefix > - it's basically FD for EIGRP. This is where I think the problem is, but didn't believe that CC was compared until later down the BGP Path Selection Algorithm - by setting weight I preferred a path before that compar

Re: [c-nsp] Redistributed EIGRP Route Preferred over EBGP?

2011-04-18 Thread Chris Mason
> If I understand you correctly, an internal EIGRP route is being preferred > in the RIB over an eBGP route.  That would make sense as EIGRP has an admin > distance of 20 and eBGP has an admin distance of 170. E-BGP has an AD of 20 and EIGRP has an AD of 90 (internal) and 170 (external). > In the

[c-nsp] Redistributed EIGRP Route Preferred over EBGP?

2011-04-18 Thread Chris Mason
Hi, I have a DMVPN setup running EIGRP between the HUB and SPOKES. The HUB is then running E-BGP back to the core. The HUB and SPOKES are all within the same EIGRP AS so the routes being learnt are internal EIGRP routes. I have remote sites which have a primary and secondary router with EIGRP bei

Re: [c-nsp] High CPU util on a 2811 with two ipsec tunnels

2010-10-09 Thread Chris Mason
> C2800NM-ADVIPSERVICESK9-M), Version 12.4(15)T1.  Why would this traffic not I wouldn't recommend using that IOS as it was deferred a long time ago for IPSEC/GETVPN issues to name just a few - as well as T2, T3, etc. Try the latest 12.4(15)T13/T14 release, but I don't think it will help the CPU a

Re: [c-nsp] Router 2 factor authentication

2010-08-25 Thread Chris Mason
>> I am looking for a 2FA solution in order to connect to Cisco devices. I >> would >> like to use either Radius or TACACS as the AAA part, however I'd like to >> know >> whether/how I could interconnect this to a 2nd auth such as a token based >> RSA >> securID platform >> >> I'd appreciate any in

Re: [c-nsp] Cisco 3750 - VTY ACL vrf-also

2010-08-23 Thread Chris Mason
On 23 August 2010 17:26, Saku Ytti wrote: > You are probably hitting 'CSCsd25653' which is fixed in 12.2(52)SE and up. Yep, much appreciated - I changed it to a numbered ACL and it works fine with the "vrf-also" appearing in the config :) Thanks, Chris

[c-nsp] Cisco 3750 - VTY ACL vrf-also

2010-08-23 Thread Chris Mason
Hi, Quick question - has anyone successfully deployed an ACL to a VTY line on a 3750 that is managed from within a VRF? I have tried to apply the configuration using the "vrf-also" keyword and although the CLI takes it, the "vrf-also" keyword is missing from the configuration. Example configurati

Re: [c-nsp] routing between VRF and global

2010-07-28 Thread Chris Mason
> Which means the only real option is a "GRE internal hairpin". Except I > can't see how you would implement a tunnel with both endpoints are on > the same device - and even if you could, is that the sort of > configuration you'd want other people to see? I am not sure if this helps you or whether

Re: [c-nsp] match community support in PBR

2010-07-28 Thread Chris Mason
> Does PBR supports match community in route-map? If yes which IOS release? Matching a community through PBR can be achieved through QPPB. You would have to use a table-map under BGP to assign an IP Prec value in CEF. route-map TABLE-MAP permit 10 match community QPPB-COMMUNITY set ip precedenc

[c-nsp] QPPB on Cisco 3750-ME

2010-07-26 Thread Chris Mason
Hi, I am not having much luck on Google with regards to if this is supported or not, but I currently have a 3750-ME running 12.2(44)SE6 and I am having some interesting results when trying to use QPPB. The same configuration works perfectly well on an ISR, but the 3750 can be quite feature limitin

Re: [c-nsp] Inter-VRF OSPF Redistribution

2010-02-19 Thread Chris Mason
Oli, sorry, missed this one. Unfortunately, this is not possible :-( You could move all global interfaces into "vrf global", but need to make sure all services you use in global are vrf-aware in your version.. That is the current solution that I am testing, which seems to work, but makes i

Re: [c-nsp] Inter-VRF OSPF Redistribution

2010-02-19 Thread Chris Mason
Hi Oli, Chris, Does anyone know whether it is possible to redistribute routes between two different OSPF processes when they are associated with different VRFs? you need to use BGP and route-target import/export to exchange routes between the VRFs (even with vrf-lite). for example to import

[c-nsp] Inter-VRF OSPF Redistribution

2010-02-19 Thread Chris Mason
Hi, Does anyone know whether it is possible to redistribute routes between two different OSPF processes when they are associated with different VRFs? I have the following setup on some routers running 12.4(15)T: +-+ [VRF] ++ | CPE +-[0/0][0/0]-+ S1 | +--+

Re: [c-nsp] Problems creating a new BGP neighbor

2009-09-15 Thread Chris Mason (chrimaso)
Hi Mihai, Check out CSCsz68307 - this occurs when someone attempts to configure an invalid IP address as a BGP peer - after that you are unable to create any additional peers as you get the error message "*% Create the peer-group first". To resolve the problem you either need to reload the box