|
Pretty sure with access lists you have to recreate the whole thing. When you type `no access-list 102` it will disregard anything beyond that and delete everything. Best thing to do is just copy all that to a text file and then dump it into the terminal sans the line you want removed.
|
# ¿ Jan 3, 2011 16:13 |
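The copy, edit and re-paste procedure from the post above, scripted as an added example (not part of the original thread): it builds the exact lines to paste and refuses to proceed if the entry to remove is not actually in the list. The function name `rebuild_acl` and the sample ACL entries are constructed for illustration.

```python
# Constructed sample of "show running-config | include access-list" output;
# addresses are documentation ranges, not values from the thread.
SAMPLE_CONFIG = """\
access-list 101 permit ip any any
access-list 102 permit tcp 192.0.2.0 0.0.0.255 any eq 22
access-list 102 permit  tcp any host 198.51.100.10 eq 80
access-list 102 deny   ip any any log
"""


def _norm(line: str) -> str:
    """Collapse runs of whitespace so spacing differences do not block a match."""
    return " ".join(line.split())


def rebuild_acl(config: str, acl: int, drop: str) -> list[str]:
    """Return the lines to paste: delete the ACL, then re-add every entry but `drop`.

    Entry order is preserved because a numbered ACL is evaluated top-down.
    """
    # Trailing space keeps "access-list 102 " from matching "access-list 1020 ...".
    prefix = f"access-list {acl} "
    entries = [_norm(l) for l in config.splitlines() if _norm(l).startswith(prefix)]
    if not entries:
        raise ValueError(f"access-list {acl} not found in config")
    target = _norm(drop)
    if target not in entries:
        # Refuse to emit a delete-and-repaste that would change nothing.
        raise ValueError(f"entry not present in access-list {acl}: {target!r}")
    kept = [e for e in entries if e != target]
    if not kept:
        raise ValueError("removing that entry would leave the ACL empty")
    return [f"no access-list {acl}"] + kept


if __name__ == "__main__":
    print("\n".join(rebuild_acl(
        SAMPLE_CONFIG, 102,
        "access-list 102 permit tcp any host 198.51.100.10 eq 80")))
```

On IOS an interface whose `ip access-group` points at an access list that is not defined passes all packets, so the gap between `no access-list 102` and the re-paste is unfiltered; paste the generated lines as one block.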
|
|
# ¿ Apr 27, 2024 05:06 |
|
Panthrax posted: Anyone have a lot of experience with the ONS 15454s? We're using a couple, and we had some problems with cards bouncing, and thought it was the chassis, so we swapped it out. I believe all the cards were removed and simply swapped to the other chassis (this was before I started working on them) and all circuit descriptions for the cross connects disappeared. Anything put in after that is there, but there's just huge swaths of missing circuit information. Does anyone know if there's a way to get them back? I was hoping maybe there was something in the database dump but it looks like it's binary or some other encoding. Any ideas how to get those back? We do have Smartnet, so I'll be opening a ticket, but hoping someone else experienced something like that and could give me some ideas what I'm going to be getting into.

EDIT: I take that back. It didn't work after all. Did a bit of digging and found an upgrade guide which suggests taking screenshots/writing down all that info. http://www.ciscosecure.net/en/US/docs/optical/15000r9_0/upgrade/guide/454a90_upgrade.pdf

greatapoc fucked around with this message at 18:22 on Mar 9, 2011 |
# ¿ Mar 9, 2011 18:15 |
|
Got a headscratcher here that I just can't figure out. A customer (we're an ISP) is having trouble accessing a LAN range at a remote site. Their pings stop at our PE to the remote site. If I ping from the PE it reaches. If I ping from another router within our network, it stops at the PE. The address is being advertised from the customer site through RIP and being redistributed into BGP. code:
code:
code:
Can anyone offer any insight into this? If there's any more outputs required please let me know.
|
# ¿ Mar 24, 2011 15:41 |
|
Sepist posted: Is there a firewall before the edge router or ACL on the interface?
|
# ¿ Mar 24, 2011 16:09 |
|
jwh posted: What routes are you advertising to the CE?

Here is the CE. Fa4 is connected to the NTU onsite which connects to our PE. code:
|
# ¿ Mar 24, 2011 16:30 |
|
tortilla_chip posted: Shouldn't you also be redistributing from BGP into RIP?
|
# ¿ Mar 24, 2011 17:35 |
|
I am having trouble creating an EOS VC4 vcat circuit from a GigE-WAN-2 card in a 15305 to a CE-1000 4 card in a 15454 using CTC. The circuit will create itself but I receive the following alarm "Signal Label Mismatch Failure - Payload Label Mismatch - VT" and no traffic will pass. I have tried changing all sorts of different settings (which do seem to be limited). Has anyone ever been able to do this?
|
# ¿ Apr 20, 2011 00:56 |
|
ragzilla posted: Where do you get the SLMF? Is there any additional information on the Conditions tab of each node? Tried disabling LCAS on both sides?

On the Conditions page of the 305 I've got

VC4-2-1-1 STM16_PORT Excessive Pointer Justification
VCM-3-3-1.2.0.0.0 WAN_MAP_1000_PORT Signal Label Mismatch Failure
VCM-3-3-1.1.0.0.0 WAN_MAP_1000_PORT Signal Label Mismatch Failure

This works as pure SDH though so I know the port isn't the issue.
|
# ¿ Apr 20, 2011 03:12 |
|
Had a 7206 crash while configuring an ACL code:
|
# ¿ Jun 24, 2011 01:35 |
|
Does anyone know how to route an MPLS xconnect over a TE tunnel? According to the Cisco documentation I should be able to type "preferred-path int tunnel x" under pseudowire-class but that command doesn't appear to be supported on my 7206VXR running 12.3(22). The xconnect is up and running fine I just want it to route over one of my TE tunnels. code:
|
# ¿ Nov 19, 2013 23:00 |
|
Apparently. http://www.cisco.com/en/US/docs/ios/12_2sr/12_2sra/feature/guide/srtunsel.html#wp1057815
|
# ¿ Nov 19, 2013 23:25 |
|
Ah bummer you're right. IOS (tm) 7200 Software (C7200-P-M), Version 12.3(22), RELEASE SOFTWARE (fc2)
|
# ¿ Nov 19, 2013 23:38 |
|
What is the best way to reserve bandwidth for traffic that absolutely must not be shaped/dropped/etc in any way? I'm transporting DTV ASI over IP which is very sensitive to jitter and I'm using a 13 E1 Multilink to do it. Total ASI bandwidth is 24.2Mbit and 13 E1s gives me 26624kbit. I'd like to have the rest of the bandwidth available for general traffic, monitoring of devices etc. I'm using MPLS TE tunnels to transport the DTV data. At the moment what I've done is just apply a rate limit input/output on the subinterface for the miscellaneous traffic and I'm running jperf across the link. I'm thinking it's probably just jperf not allowing me to test it properly but the initial spike when running the jperf test knocks out the DTV traffic. In any event, I don't want that to be something that can ever occur, the DTV traffic needs to be retained at all costs.
|
# ¿ Jun 1, 2015 02:11 |
|
We currently receive an internet service into our head office and our provider gives us an additional /29 through a static route. We also have a second site with an internet service through the same provider and would like to use it as backup. It appears the best way to manage this is with BGP due to the need to retain the /29 during an outage on the main link. The sites are connected to each other by dark fiber. What’s the best way to manage the migration from static to BGP? Being that both services are with the same provider I assume we can ask them for a private ASN and have them accept our advertisement while they delete their static. Are we able to bring everything up and test it working before they delete the static? What sort of downtime could we expect for the various routing changes? We’re using OSPF internally and the internet services have their own /30s.
|
# ¿ Oct 9, 2019 08:51 |
|
Docjowles posted: It's worth noting this doesn't require BGP. Your ISP can configure a static route toward each site and prefer the one for the primary site. If that link goes down, it will use the route to the backup site. But using BGP will give you more control, which is usually a good thing.

I did consider that but my concern was that if something breaks on the access tail their router port would likely still be up/up and not remove the static route facing that site.

unknown posted: BGP is a sledgehammer - are you sure you don't just need something simple like a dynamically updated DNS entry to direct external apps inbound?

It is a bit of a worry as it’s something I’ve never done before. If there’s an easier way I’m all ears. I’m comfortable with the routing for the outbound stuff I’m just not 100% on the inbound. We’re using Palo Alto firewalls and I believe if we make them active/active it should take care of any asymmetrical routing issues. Currently all of the servers using the public IPs are housed at the main site so they shouldn’t be impacted for external use during a fiber break to the backup.
|
# ¿ Oct 9, 2019 19:11 |
|
Thanks Ants posted: What services are hosted out of your location that have to fail over to the other? Is it more cost effective to remove/migrate those somewhere else?

A few web servers, mail server and some proprietary services that need to be public. Weighted DNS did not even enter my mind so I think we may actually be able to work with that. Thank you for the suggestions.
|
# ¿ Oct 9, 2019 20:47 |
|
abigserve posted: I seriously cannot stress this enough: do not consider asymmetric routing a feature of your design. Any edge design that includes asymmetric routing paths is broken. It is a road to ruin.

I’m not and I didn’t see the possibility for asymmetric routing if BGP was implemented correctly. I thought it would be a reasonably simple failover scenario and in the event anything did go funky then the Palo Altos would be able to figure it out until I could correct the error.
|
# ¿ Oct 9, 2019 21:26 |
|
abigserve posted: In that example the "correct" topology would be to either have two independent firewalls (and take the hit that failover will force connection restarts) or have a layer two network between the border routers and firewalls so regardless of which border router is actively routing traffic it transits the active firewall. Does that make sense?

Yep that makes sense, thanks. I guess I'm still just stuck on how to handle the /29 without using BGP. If I just get the provider to point another static out the other internet service it could still in theory want to send traffic out a failed link if their interface doesn't go down. On our side we could just track it with an IP SLA but I doubt they'll want to do something like that on their side.
|
# ¿ Oct 9, 2019 22:41 |
|
I just set up a lab in EVE-NG with my current topology using a static route from the ISP side, OSPF internally and then went through the process of bringing up iBGP between the border, bringing the eBGP online to the ISP, advertising my route from both borders and then deleting the static route from the ISP router. Everything worked perfectly. I then set up the backup route with a higher MED and watched it change over so I'm pretty confident that's the best way to do it all as long as I can coordinate with the ISP to check they're receiving my routes and to delete the static. At least I know I can have everything running on my side in parallel. This probably sounds pretty dull, I've just never worked with BGP in production before.
|
# ¿ Oct 10, 2019 11:34 |
|
Thanks Ants posted: I still can't see anything that you're running that requires failover of IP addresses.

It requires devices that have public IP addresses to be reachable via a backup service that won’t have a static route pointed at it. If the primary goes down so do our addresses. Am I over complicating things and looking at it the wrong way?
|
# ¿ Oct 10, 2019 13:00 |
|
Edit: double post
|
# ¿ Oct 10, 2019 13:04 |
|
unknown posted: Don't tie yourself to an IP address.

Thanks a lot this is all really helpful. Certainly got a lot to think about.
|
# ¿ Oct 10, 2019 19:30 |
|
abigserve posted: This is fine but you should use as-path prepending instead of MED as it will be better supported by most ISPs (check with them).

I've just received their BGP routing policy handbook and it says they prefer MED but also support communities that will set the local preference on their side as well as AS prepending.
|
# ¿ Oct 11, 2019 00:01 |
|
I've got 2 Nexus 3172s in a vPC domain and a bunch of vlans on both in HSRP groups. Everything appears to function correctly but both devices spam syslog with the following messages: code:
code:
code:
|
# ¿ May 25, 2020 01:37 |