greatapoc
Apr 4, 2005
Pretty sure with access lists you have to recreate the whole thing. When you type `no access-list 102` it will disregard anything beyond that and delete everything. Best thing to do is just copy all that to a text file and then dump it into the terminal sans the line you want removed.
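A small script for the copy-to-a-text-file-and-re-enter procedure described above, added here as an example (it is not from the thread): it pulls a numbered ACL out of a `show running-config` dump, checks that the entry to drop is actually present, and emits `no access-list N` followed by every remaining entry so the whole rebuild can be pasted as one block. The running-config excerpt is constructed.

```python
"""Generate the command sequence that re-creates a numbered IOS ACL without
one of its entries (the copy-and-re-enter procedure from the post).
Added example; the running-config excerpt is constructed, not from the thread."""
import re

# Constructed sample: an extended ACL as it appears in `show running-config`.
SAMPLE_RUNNING_CONFIG = """\
hostname edge1
!
access-list 102 permit tcp 10.0.0.0 0.255.255.255 host 192.0.2.10 eq 22
access-list 102 permit tcp 10.0.0.0 0.255.255.255 host 192.0.2.10 eq 443
access-list 102 deny ip host 198.51.100.7 any log
access-list 102 permit icmp any any echo-reply
access-list 102 deny ip any any log
!
interface GigabitEthernet0/1
 ip access-group 102 in
"""


def extract_acl(running_config: str, number: int) -> list[str]:
    """Return the entries of numbered ACL `number`, in configuration order,
    without the `access-list N ` prefix."""
    pattern = re.compile(rf"^access-list {number}\s+(.*)$")
    return [m.group(1) for line in running_config.splitlines()
            if (m := pattern.match(line.strip()))]


def rebuild_without(running_config: str, number: int, drop: str) -> list[str]:
    """Commands that delete ACL `number` and re-add every entry except `drop`.

    `drop` is matched against the full entry text after the prefix. A missing
    entry raises instead of silently re-applying the unchanged list, so a typo
    in the line you meant to remove is caught before anything is pasted.
    """
    entries = extract_acl(running_config, number)
    if drop not in entries:
        raise ValueError(f"entry not found in access-list {number}: {drop!r}")
    kept = [entry for entry in entries if entry != drop]
    # Between `no access-list N` and the last re-added line an interface that
    # still references the list filters nothing, so the output is meant to be
    # pasted as a single block rather than typed line by line.
    return ([f"no access-list {number}"]
            + [f"access-list {number} {entry}" for entry in kept])


if __name__ == "__main__":
    print("\n".join(rebuild_without(SAMPLE_RUNNING_CONFIG, 102,
                                    "permit icmp any any echo-reply")))
```

The refusal on an unknown entry is deliberate: the dangerous failure mode of this procedure is not a rejected paste but a paste that quietly restores the list with the wrong line still in it.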


greatapoc
Apr 4, 2005

Panthrax posted:

Anyone have a lot of experience with the ONS 15454s? We're using a couple, and we had some problems with cards bouncing, and thought it was the chassis, so we swapped it out. I believe all the cards were removed and simply swapped to the other chassis (this was before I started working on them) and all circuit descriptions for the cross connects disappeared. Anything put in after that is there, but there's just huge swaths of missing circuit information. Does anyone know if there's a way to get them back? I was hoping maybe there was something in the database dump but it looks like it's binary or some other encoding. Any ideas how to get those back? We do have Smartnet, so I'll be opening a ticket, but hoping someone else experienced something like that and could give me some ideas what I'm going to be getting into.
If you're using CTC then you should just be able to fully restore the database under the Maintenance tab. I just tried it on our test 454s and it worked.

EDIT: I take that back. It didn't work after all. Did a bit of digging and found an upgrade guide which suggests taking screenshots/writing down all that info. http://www.ciscosecure.net/en/US/docs/optical/15000r9_0/upgrade/guide/454a90_upgrade.pdf

greatapoc fucked around with this message at 18:22 on Mar 9, 2011

greatapoc
Apr 4, 2005
Got a headscratcher here that I just can't figure out. A customer (we're an ISP) is having trouble accessing a LAN range at a remote site. Their pings stop at our PE to the remote site. If I ping from the PE it reaches. If I ping from another router within our network, it stops at the PE. The address is being advertised from the customer site through RIP and being redistributed into BGP.

code:
(PE)#sh ip ro vrf xxxxxx 10.161.168.250
Routing entry for 10.161.168.0/24
  Known via "rip", distance 120, metric 2
  Redistributing via bgp 9942, rip
  Advertised by bgp 9942 metric 1
  Last update from 10.248.64.158 on Serial5/1:0, 00:00:03 ago
  Routing Descriptor Blocks:
  * 10.248.64.158, from 10.248.64.158, 00:00:03 ago, via Serial5/1:0
      Route metric is 2, traffic share count is 1
(PE)#ping vrf xxxxxx 10.161.168.250

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.161.168.250, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
These are the address-family statements on the PE

code:
router rip
 address-family ipv4 vrf xxxxxx
 redistribute connected
 redistribute static
 network 10.0.0.0
 no auto-summary
 version 2
 exit-address-family

router bgp 9942
 address-family ipv4 vrf xxxxxx
 redistribute connected
 redistribute static
 redistribute rip metric 1
 no auto-summary
 no synchronization
 exit-address-family
Now from another edge router that isn't directly connected. This is learning the route from our route-reflector.

code:
(Other router)#sh ip ro vrf xxxxxx 10.161.168.250
Routing entry for 10.161.168.0/24
  Known via "bgp 9942", distance 200, metric 1, type internal
  Last update from 203.220.49.248 12:28:52 ago
  Routing Descriptor Blocks:
  * 203.220.49.248 (Default-IP-Routing-Table), from 203.194.30.229, 12:28:52 ago
      Route metric is 1, traffic share count is 1
      AS Hops 0
(Other router)#ping vrf xxxxxx 10.161.168.250      

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.161.168.250, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
(Other router)#traceroute vrf V1761:Equant_Aus_OBS_Atlas 10.161.168.250

Type escape sequence to abort.
Tracing the route to 10.161.168.250

  1 10.248.64.157 [AS 7545] [MPLS: Label 1063 Exp 0] 0 msec 0 msec 0 msec
  2  *  *  * 
10.248.64.157 is the IP of the customer facing interface on the PE. This is also where it stops for the customer.

Can anyone offer any insight into this? If there are any more outputs required please let me know.

greatapoc
Apr 4, 2005

Sepist posted:

Is there a firewall before the edge router or ACL on the interface?
No firewall and there doesn't seem to be an ACL that would be blocking it.

greatapoc
Apr 4, 2005

jwh posted:

What routes are you advertising to the CE?

I suspect the CE doesn't have a route back to you.

Here is the CE. Fa4 is connected to the NTU onsite which connects to our PE.

code:
(CE)#sh ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     10.0.0.0/8 is variably subnetted, 8 subnets, 3 masks
C       10.161.168.0/24 is directly connected, Vlan1
C       10.248.67.188/30 is directly connected, FastEthernet4
R       10.161.165.0/24 [120/3] via 10.248.67.189, 00:00:09, FastEthernet4
R       10.248.64.156/30 [120/1] via 10.248.67.189, 00:00:09, FastEthernet4
R       10.248.61.128/30 [120/2] via 10.248.67.189, 00:00:09, FastEthernet4
R       10.246.22.9/32 [120/3] via 10.248.67.189, 00:00:09, FastEthernet4
C       10.246.22.7/32 is directly connected, Loopback666
R       10.246.22.19/32 [120/1] via 10.248.67.189, 00:00:09, FastEthernet4
S*   0.0.0.0/0 is directly connected, FastEthernet4

greatapoc
Apr 4, 2005

tortilla_chip posted:

Shouldn't you also be redistributing from BGP into RIP?
You legend. It's alive! It's so glaringly obvious now I can't believe I missed that. Gonna put it down to lack of sleep on these long lonely nights in the NOC.
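A simulation of the failure in the posts above, added as an example (not code from the thread): the forward path to 10.161.168.250 works from everywhere, but the reply from the customer side dies at the RIP-only router behind the PE because that router never learns a route back to the rest of the VRF until the PE also redistributes BGP into RIP (the change tortilla_chip suggested; in IOS that is `redistribute bgp 9942 metric <n>` under the RIP VRF address family, and RIP needs that metric or a `default-metric` or the routes go in as unreachable). The intermediate router `CEEDGE`, the other edge router's source address 10.250.0.1 and the collapsed topology are constructed; only 10.161.168.0/24 and the PE-CE link 10.248.64.156/30 are the thread's.

```python
"""Model the thread's PE-CE problem: a ping needs a return path as well.
Added example with a constructed, simplified topology; the CEEDGE router
and the 10.250.0.0/24 source network are assumptions, not from the thread."""
from ipaddress import ip_address, ip_network

PING_DST = "10.161.168.250"   # the customer host from the thread


def lookup(table, dst):
    """Longest-prefix match over (prefix, next-hop) pairs.
    Returns the next-hop node name, "local" for a connected network, or None."""
    best = None
    for prefix, via in table:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, via)
    return best[1] if best else None


def build_topology(redistribute_bgp_into_rip: bool):
    """Per-node routing tables. OTHER is the non-adjacent edge router that
    learns the customer prefix through the route reflector; PE is the edge
    router facing the customer; CEEDGE is the RIP-only router between the PE
    and the CE; CE owns 10.161.168.0/24 and has only a default route."""
    pe_from_bgp = [("10.250.0.0/24", "OTHER")]          # via the route reflector
    pe = pe_from_bgp + [("10.161.168.0/24", "CEEDGE"),  # via RIP
                        ("10.248.64.156/30", "local")]   # PE-CE link
    ceedge = [("10.161.168.0/24", "CE"), ("10.248.64.156/30", "local")]
    if redistribute_bgp_into_rip:
        # The PE now advertises its BGP-learned prefixes into RIP, so the
        # RIP-only router gains a path back toward the rest of the VRF.
        ceedge += [(prefix, "PE") for prefix, _ in pe_from_bgp]
    return {
        "OTHER": [("10.161.168.0/24", "PE"), ("10.250.0.0/24", "local")],
        "PE": pe,
        "CEEDGE": ceedge,
        "CE": [("10.161.168.0/24", "local"), ("0.0.0.0/0", "CEEDGE")],
    }


def trace(topology, start, dst, max_hops=8):
    """Follow next hops from `start` toward `dst`. Returns the nodes visited
    and whether `dst` was reached; a missing route is a drop."""
    path, node = [start], start
    for _ in range(max_hops):
        via = lookup(topology[node], dst)
        if via is None:
            return path, False
        if via == "local":
            return path, True
        node = via
        path.append(node)
    return path, False


def ping(topology, src_node, src_addr, dst_addr=PING_DST):
    """Success needs both directions: echo out, reply back to `src_addr`."""
    fwd_path, fwd_ok = trace(topology, src_node, dst_addr)
    if not fwd_ok:
        return False, fwd_path, []
    rev_path, rev_ok = trace(topology, fwd_path[-1], src_addr)
    return rev_ok, fwd_path, rev_path


if __name__ == "__main__":
    for redistribute in (False, True):
        topo = build_topology(redistribute)
        print(f"bgp->rip redistribution: {redistribute}")
        print("  PE-sourced ping   :", ping(topo, "PE", "10.248.64.157"))
        print("  OTHER-sourced ping:", ping(topo, "OTHER", "10.250.0.1"))
```

The PE-sourced ping succeeds in both runs because it is sourced from the PE-CE link, which the RIP-only router knows as a connected network; that is exactly why "it works from the PE" did not rule out a return-path problem.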

greatapoc
Apr 4, 2005
I am having trouble creating an EOS VC4 vcat circuit from a GigE-WAN-2 card in a 15305 to a CE-1000 4 card in a 15454 using CTC. The circuit will create itself but I receive the following alarm "Signal Label Mismatch Failure - Payload Label Mismatch - VT" and no traffic will pass. I have tried changing all sorts of different settings (which do seem to be limited). Has anyone ever been able to do this?

greatapoc
Apr 4, 2005

ragzilla posted:

Where do you get the SLMF? Is there any additional information on the Conditions tab of each node? Tried disabling LCAS on both sides?
The SLMF is on the 305. The 454 has the usual Carrier Loss On The LAN. Tried disabling LCAS on both sides.

On the Conditions page of the 305 I've got
VC4-2-1-1 STM16_PORT Excessive Pointer Justification
VCM-3-3-1.2.0.0.0 WAN_MAP_1000_PORT Signal Label Mismatch Failure
VCM-3-3-1.1.0.0.0 WAN_MAP_1000_PORT Signal Label Mismatch Failure

This works as pure SDH though so I know the port isn't the issue.

greatapoc
Apr 4, 2005
Had a 7206 crash while configuring an ACL :downs:

code:
CMD: 'en' 14:33:45 AEST Thu Jun 23 2011
CMD: 'sh ip int brief' 14:33:48 AEST Thu Jun 23 2011
CMD: 'sh run' 14:33:58 AEST Thu Jun 23 2011
CMD: 'sh ipv6 acc' 14:34:10 AEST Thu Jun 23 2011
CMD: 'sh ipv6 access-list ' 14:34:10 AEST Thu Jun 23 2011         
CMD: 'sh ipv6 pre' 14:34:13 AEST Thu Jun 23 2011
CMD: 'sh ipv6 prefix-list ' 14:34:13 AEST Thu Jun 23 2011
CMD: 'conf t' 14:34:27 AEST Thu Jun 23 2011
CMD: 'ipv6 acc' 14:34:29 AEST Thu Jun 23 2011
CMD: 'ipv6 access-list ' 14:34:29 AEST Thu Jun 23 2011
CMD: 'ipv6 access-list vty_clients_v6' 14:34:39 AEST Thu Jun 23 2011
CMD: 'deny ipv6 any any' 14:34:45 AEST Thu Jun 23 2011

 

 14:34:46 AEST Thu Jun 23 2011: Unexpected exception to CPU: vector 300, PC = 0x2BE3DF8 , LR = 0x2BE4224

greatapoc
Apr 4, 2005
Does anyone know how to route an MPLS xconnect over a TE tunnel? According to the Cisco documentation I should be able to type "preferred-path int tunnel x" under pseudowire-class but that command doesn't appear to be supported on my 7206VXR running 12.3(22). The xconnect is up and running fine I just want it to route over one of my TE tunnels.

code:
Router(config)#pseudowire-class test
Router(config-pw-class)#preferr?
% Unrecognized command
Router#sh mpls l2transport vc deta
Local interface: Fa4/0.124 up, line protocol up, Eth VLAN 124 up
  Destination address: 10.1.200.2, VC ID: 124, VC status: up
    Next hop: point2point
    Output interface: PO2/0, imposed label stack {116 1369}
  Create time: 00:05:28, last status change time: 00:05:28
  Signaling protocol: LDP, peer 10.1.200.2:0 up
    MPLS VC labels: local 742, remote 1369
    Group ID: local 0, remote 0
    MTU: local 1500, remote 1500
    Remote interface description: 
  Sequencing: receive disabled, send disabled
  VC statistics:
    packet totals: receive 218, send 955009
    byte totals:   receive 18080, send 1319822438
    packet drops:  receive 0, send 0

greatapoc
Apr 4, 2005
Apparently.

http://www.cisco.com/en/US/docs/ios/12_2sr/12_2sra/feature/guide/srtunsel.html#wp1057815

greatapoc
Apr 4, 2005
Ah bummer you're right.

IOS (tm) 7200 Software (C7200-P-M), Version 12.3(22), RELEASE SOFTWARE (fc2)

greatapoc
Apr 4, 2005
What is the best way to reserve bandwidth for traffic that absolutely must not be shaped/dropped/etc in any way? I'm transporting DTV ASI over IP which is very sensitive to jitter and I'm using a 13 E1 Multilink to do it. Total ASI bandwidth is 24.2Mbit and 13 E1s gives me 26624kbit. I'd like to have the rest of the bandwidth available for general traffic, monitoring of devices etc. I'm using MPLS TE tunnels to transport the DTV data.

At the moment what I've done is just apply a rate limit input/output on the subinterface for the miscellaneous traffic and I'm running jperf across the link. I'm thinking it's probably just jperf not allowing me to test it properly but the initial spike when running the jperf test knocks out the DTV traffic. In any event, I don't want that to be something that can ever occur, the DTV traffic needs to be retained at all costs.

greatapoc
Apr 4, 2005
We currently receive an internet service into our head office and our provider gives us an additional /29 through a static route. We also have a second site with an internet service through the same provider and would like to use it as backup. It appears the best way to manage this is with BGP due to the need to retain the /29 during an outage on the main link. The sites are connected to each other by dark fiber.

What’s the best way to manage the migration from static to BGP? Being that both services are with the same provider I assume we can ask them for a private ASN and have them accept our advertisement while they delete their static. Are we able to bring everything up and test it working before they delete the static? What sort of downtime could we expect for the various routing changes? We’re using OSPF internally and the internet services have their own /30s.

greatapoc
Apr 4, 2005

Docjowles posted:

It's worth noting this doesn't require BGP. Your ISP can configure a static route toward each site and prefer the one for the primary site. If that link goes down, it will use the route to the backup site. But using BGP will give you more control, which is usually a good thing.

I did consider that but my concern was that if something breaks on the access tail their router port would likely still be up/up and not remove the static route facing that site.

unknown posted:

BGP is a sledgehammer - are you sure you don't just need something simple like a dynamically updated DNS entry to direct external apps inbound?

It is a bit of a worry as it’s something I’ve never done before. If there’s an easier way I’m all ears. I’m comfortable with the routing for the outbound stuff, I’m just not 100% on the inbound. We’re using Palo Alto firewalls and I believe if we make them active/active it should take care of any asymmetrical routing issues. Currently all of the servers using the public IPs are housed at the main site so they shouldn’t be impacted for external use during a fiber break to the backup.

greatapoc
Apr 4, 2005

Thanks Ants posted:

What services are hosted out of your location that have to fail over to the other? Is it more cost effective to remove/migrate those somewhere else?

A few web servers, mail server and some proprietary services that need to be public. Weighted DNS did not even enter my mind so I think we may actually be able to work with that.

Thank you for the suggestions.

greatapoc
Apr 4, 2005

abigserve posted:

I seriously cannot stress this enough: do not consider asymmetric routing a feature of your design. Any edge design that includes asymmetric routing paths is broken. It is a road to ruin.

I’m not and I didn’t see the possibility for asymmetric routing if BGP was implemented correctly. I thought it would be a reasonably simple failover scenario and in the event anything did go funky then the Palo Altos would be able to figure it out until I could correct the error.

greatapoc
Apr 4, 2005

abigserve posted:

In that example the "correct" topology would be to either have two independent firewalls (and take the hit that failover will force connection restarts ) or have a layer two network between the border routers and firewalls so regardless of which border router is actively routing traffic it transits the active firewall. Does that make sense?

Yep that makes sense, thanks. I guess I'm still just stuck on how to handle the /29 without using BGP. If I just get the provider to point another static out the other internet service it could still in theory want to send traffic out a failed link if their interface doesn't go down. On our side we could just track it with an IP SLA but I doubt they'll want to do something like that on their side.

greatapoc
Apr 4, 2005
I just set up a lab in EVE-NG with my current topology using a static route from the ISP side, OSPF internally and then went through the process of bringing up iBGP between the borders, bringing the eBGP online to the ISP, advertising my route from both borders and then deleting the static route from the ISP router. Everything worked perfectly. I then set up the backup route with a higher MED and watched it change over so I'm pretty confident that's the best way to do it all as long as I can coordinate with the ISP to check they're receiving my routes and to delete the static. At least I know I can have everything running on my side in parallel.

This probably sounds pretty dull I've just never worked with BGP in production before.

greatapoc
Apr 4, 2005

Thanks Ants posted:

I still can't see anything that you're running that requires failover of IP addresses.

It requires devices that have public IP addresses to be reachable via a backup service that won’t have a static route pointed at it. If the primary goes down so do our addresses. Am I over complicating things and looking at it the wrong way?

greatapoc
Apr 4, 2005
Edit: double post

greatapoc
Apr 4, 2005

unknown posted:

Don't tie yourself to an IP address.

Thanks a lot this is all really helpful. Certainly got a lot to think about.

greatapoc
Apr 4, 2005

abigserve posted:

This is fine but you should use as-path prepending instead of MED as it will be better supported by most ISPs (check with them).

I've just received their BGP routing policy handbook and it says they prefer MED but also support communities that will set the local preference on their side as well as AS prepending.
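A reduced BGP best-path comparison, added as an example (not from the thread or the ISP's handbook) to show the point behind the MED-versus-prepending exchange above: a higher MED on the backup advertisement only steers the provider if their policy actually compares MEDs, while AS-path prepending and a local-preference community work through the standard decision order and survive a provider that strips or ignores MED. The ASNs, the community value and the 203.0.113.0/29 prefix are constructed placeholders; the decision process is the local-pref / AS-path-length / MED subset only, with tie-breaks by advertisement order.

```python
"""Simplified BGP best-path selection: local preference, then AS-path length,
then MED. Added example; ASNs, prefix and community are constructed."""
from dataclasses import dataclass, field

CUSTOMER_AS = 64512            # constructed private ASN
PREFIX = "203.0.113.0/29"      # constructed documentation prefix
LOCALPREF_BACKUP = "64496:80"  # constructed community: ISP maps it to local-pref 80


@dataclass
class Route:
    prefix: str
    from_border: str            # "primary" or "backup" border router
    as_path: list
    med: int = 0
    communities: list = field(default_factory=list)


def isp_local_pref(route):
    """The provider's inbound policy: default 100, lower when we tag the route."""
    return 80 if LOCALPREF_BACKUP in route.communities else 100


def best_path(routes, compare_med=True):
    """Pick the winner. Lower sort key wins: higher local-pref (negated),
    shorter AS path, lower MED. `compare_med=False` models a provider that
    ignores or overwrites MED; ties fall to whichever was listed first."""
    def key(route):
        return (-isp_local_pref(route), len(route.as_path),
                route.med if compare_med else 0)
    return min(routes, key=key)


def scenarios():
    """Same primary advertisement against three ways of marking the backup.
    The backup is listed first so a tie exposes the failure mode."""
    primary = Route(PREFIX, "primary", [CUSTOMER_AS])
    med_backup = Route(PREFIX, "backup", [CUSTOMER_AS], med=50)
    prepended_backup = Route(PREFIX, "backup", [CUSTOMER_AS] * 3)
    community_backup = Route(PREFIX, "backup", [CUSTOMER_AS],
                             communities=[LOCALPREF_BACKUP])
    return {
        "med, provider compares MED": best_path([med_backup, primary]).from_border,
        "med, provider ignores MED": best_path([med_backup, primary],
                                               compare_med=False).from_border,
        "prepend": best_path([prepended_backup, primary],
                             compare_med=False).from_border,
        "community": best_path([community_backup, primary],
                               compare_med=False).from_border,
        "primary withdrawn, prepend": best_path([prepended_backup]).from_border,
    }


if __name__ == "__main__":
    for name, winner in scenarios().items():
        print(f"{name:30s} -> {winner}")
```

The second scenario is the one worth noticing: with MED disregarded, the two advertisements are identical up to the tie-break and the provider may well end up forwarding to the backup link while the primary is healthy.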


greatapoc
Apr 4, 2005
I've got 2 Nexus 3172s in a vPC domain and a bunch of vlans on both in HSRP groups. Everything appears to function correctly but both devices spam syslog with the following messages:

code:
2020 May 25 08:38:41 AdminNX01 %ARP-4-OWN_SRCMAC:  arp [26188]  Received packet with a local source MAC address (7488.bb8a.1d41) from 192.168.199.2 on Vlan199
2020 May 25 09:17:08 AdminNX02 %ARP-4-OWN_SRCMAC:  arp [26507]  Received packet with a local source MAC address (6c8b.d37a.1041) from 192.168.199.3 on Vlan199
2020 May 25 09:17:49 AdminNX02 %ARP-4-OWN_SRCMAC:  arp [26507]  Received packet with a local source MAC address (6c8b.d37a.1041) from 192.168.200.3 on Vlan200
2020 May 25 09:18:13 AdminNX02 %ARP-4-OWN_SRCMAC:  arp [26507]  Received packet with a local source MAC address (6c8b.d37a.1041) from 192.168.140.3 on Vlan140
Somehow AdminNX01 only ever shows Vlan199 and AdminNX02 only ever shows Vlan140, 199 and 200. There are a lot more vlans than these configured but they don't throw errors.

code:
AdminNX01# sh run int vl199

!Command: show running-config interface Vlan199
!Running configuration last done at: Mon May 25 09:26:50 2020
!Time: Mon May 25 10:18:58 2020

version 9.2(1) Bios:version 5.2.0

interface Vlan199
  description Infrastructure Network
  no shutdown
  no ip redirects
  ip address 192.168.199.2/24
  ip ospf passive-interface
  ip router ospf Network area 0.0.0.0
  hsrp 199
    preempt
    priority 90
    ip 192.168.199.1
code:
AdminNX02# sh run int vl199

!Command: show running-config interface Vlan199
!Running configuration last done at: Mon May 25 09:29:35 2020
!Time: Mon May 25 10:18:30 2020

version 9.2(1) Bios:version 5.2.0

interface Vlan199
  description Infrastructure Network
  no shutdown
  no ip redirects
  ip address 192.168.199.3/24
  ip ospf passive-interface
  ip router ospf Network area 0.0.0.0
  hsrp 199
    preempt
    priority 80
    ip 192.168.199.1
Has anyone ever seen this before? Not sure if I should just filter these events from the syslog.
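Before filtering the message ID wholesale, it is worth separating the two things it can mean. In every line quoted above the source IP is the reporting switch's own SVI address on that VLAN (AdminNX01 sees .2 on Vlan199, AdminNX02 sees .3), i.e. each switch is receiving its own ARP back. The same message with a different source IP would mean some other station is transmitting with the switch's MAC, which is the case you would want to keep seeing. The classifier below is an added example (not from the post): the first four log lines are the ones quoted above, the fifth is constructed to show the other class, and the SVI addresses for Vlan140 and Vlan200 on AdminNX02 are assumed to follow the .3 pattern since their configs are not shown.

```python
"""Classify NX-OS %ARP-4-OWN_SRCMAC syslog events as self-reflected
(source IP is the reporting switch's own SVI) or suspect (another address
is using a local MAC). Added example; lines 1-4 are from the post, line 5
is constructed, Vlan140/Vlan200 SVI addresses are assumptions."""
import re
from collections import Counter

LOG_LINES = """\
2020 May 25 08:38:41 AdminNX01 %ARP-4-OWN_SRCMAC:  arp [26188]  Received packet with a local source MAC address (7488.bb8a.1d41) from 192.168.199.2 on Vlan199
2020 May 25 09:17:08 AdminNX02 %ARP-4-OWN_SRCMAC:  arp [26507]  Received packet with a local source MAC address (6c8b.d37a.1041) from 192.168.199.3 on Vlan199
2020 May 25 09:17:49 AdminNX02 %ARP-4-OWN_SRCMAC:  arp [26507]  Received packet with a local source MAC address (6c8b.d37a.1041) from 192.168.200.3 on Vlan200
2020 May 25 09:18:13 AdminNX02 %ARP-4-OWN_SRCMAC:  arp [26507]  Received packet with a local source MAC address (6c8b.d37a.1041) from 192.168.140.3 on Vlan140
2020 May 25 09:20:02 AdminNX02 %ARP-4-OWN_SRCMAC:  arp [26507]  Received packet with a local source MAC address (6c8b.d37a.1041) from 192.168.199.77 on Vlan199
""".splitlines()
# The last line above is constructed: a host other than the switch itself
# sending with AdminNX02's MAC.

# Inventory of SVI addresses per (switch, VLAN). Vlan199 entries come from the
# `show run int vl199` output in the post; the other two are assumed.
SVI_ADDRESSES = {
    ("AdminNX01", "Vlan199"): "192.168.199.2",
    ("AdminNX02", "Vlan199"): "192.168.199.3",
    ("AdminNX02", "Vlan200"): "192.168.200.3",   # assumed
    ("AdminNX02", "Vlan140"): "192.168.140.3",   # assumed
}

EVENT = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%ARP-4-OWN_SRCMAC:.*local source MAC address \((?P<mac>[0-9a-f.]+)\) "
    r"from (?P<ip>[\d.]+) on (?P<vlan>Vlan\d+)$")


def parse(line):
    """Return the event fields as a dict, or None for any other syslog line."""
    match = EVENT.match(line)
    return match.groupdict() if match else None


def classify(event):
    """'self-reflected' when the source IP is the reporting switch's own SVI on
    that VLAN, 'suspect' when a different address is using a local MAC, and
    'unknown-svi' when the inventory cannot answer the question."""
    own = SVI_ADDRESSES.get((event["host"], event["vlan"]))
    if own is None:
        return "unknown-svi"
    return "self-reflected" if event["ip"] == own else "suspect"


def summarize(lines):
    """Counts per (host, vlan, class): the view to check before suppressing
    the message ID, since a filter would hide the suspect class too."""
    counts = Counter()
    for line in lines:
        event = parse(line)
        if event:
            counts[(event["host"], event["vlan"], classify(event))] += 1
    return counts


if __name__ == "__main__":
    for (host, vlan, kind), n in sorted(summarize(LOG_LINES).items()):
        print(f"{host} {vlan} {kind}: {n}")
```

If a filter is the answer, keying it on the self-reflected class (message ID plus the switch's own SVI address) rather than on the message ID alone keeps the one variant of this event that indicates a real problem on the segment.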
