Zuhzuhzombie!! posted: Could someone explain or link to something explaining IGMP vs. PIM and IGMP snooping re: multicast TV over IP?

Are you looking to understand how to configure it or just how it works? If you think of it within the scope of the network, IGMP operates within the Layer 2 domain while PIM works within the Layer 3 domain. IGMP snooping lets the switch derive information about how to forward the multicast frames; without it, the switch treats multicast like a broadcast and floods it as such. This is especially important if you have a VLAN that spans multiple switches, and it will allow the multicast to be pruned up to just the switches in the topology that have multicast listeners attached. Are you talking about PIM Sparse or Dense mode?
|
# ? Aug 9, 2013 19:25 |
|
So I was trying to nail down exactly why voice traffic at three of my sites doesn't seem to be prioritized like I expected. The three sites are remote, over an hour away from any tech, so I do not want to travel to them. On our 1751v routers (lol) I executed the following:

config t
access-list 101 permit ip xxx.yyy.0.0 0.0.255.255 xxx.yyy.0.0 0.0.255.255
exit
term mon
debug ip packet 101 detail dump

All of my phones are on legacy subnets at the branches, which match xxx.yyy.0.0/16. When I ping from router IP to router IP, I see the traffic. When I ping anything inside the network, the ACL doesn't match. I'm sure it's something that everyone should know about how ACLs work, but some googling didn't tell me that this kind of access list should only match traffic to the router interfaces themselves. Can anyone tell me what I have done wrong?
|
# ? Aug 9, 2013 23:20 |
|
e: nm
|
# ? Aug 9, 2013 23:37 |
OK, this is one weird issue: IOS-XE applied an extended access list to line vtys inbound:

permit ip 10.10.10.0 0.0.0.255 any

No problem, right? Except that when I apply the ACL I can't make an SSH connection from that subnet even though the ACL shows matches on the permit line. There is no outbound access-group and transport input and output are ssh. I remove the ACL and BOOM, I connect via SSH just fine. I didn't have time to mess with this but it threw me for a loop today. Did something change in IOS-XE? Any idears?

EDIT: Looks like IOS-XE puts the management interface in a default mgmt vrf, so I probably need access-group ACL in vrf-also.

World z0r Z fucked around with this message at 00:39 on Aug 10, 2013
|
# ? Aug 10, 2013 00:30 |
|
jwh posted: Multicast is weird. One frame, going to a group MAC address. Showing it to folks in the 90's was like magic... they were in disbelief until they saw it actually work.

Ghost always had that support so it could get the same image off to multiple targets without killing the source, so when blasting out a 24-PC classroom for cert classes, using a Pentium 90 machine with a 100Mb adapter, you would only see the single conversation. It's still weird.
|
# ? Aug 10, 2013 00:49 |
|
cheese-cube posted: Riverbed chat? I can dig that. My background is mostly with Citrix NetScaler appliances, but at my current gig they are all Riverbed and so far I'm quite impressed. We have approximately 25 units deployed at branches and are seeing +50% data reduction.

At first I was very skeptical of Riverbed, but after using them for 3 years over VSAT links, I have nothing but good things to say about them (but then I have not used one in over two years).
|
# ? Aug 10, 2013 17:43 |
|
workape posted: If you think of it within the scope of the network, IGMP operates within the Layer 2 domain while PIM works within the Layer 3 domain.

IGMP joins will go up to the local multicast router, which sends PIM joins upstream toward the DR. IGMP snooping allows the local L2 device to determine which ports are interested in the specific multicast groups so it does not have to flood the data everywhere. Where I work, most of the confusion comes from (*,G) vs (S,G) and source vs shared trees. This link does a good job of showing the difference in the trees and this is useful for some basic PIM info. I've just done a decent-sized enterprise deployment of IPTV, so feel free to PM me if you have any specifics about the whole stack.
|
# ? Aug 13, 2013 01:47 |
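The pruning the two replies above describe, as an added example (not code from any poster or vendor): a toy model of one VLAN on a switch that learns listener ports from IGMP reports and the router port from IGMP queries, compared with plain flooding when snooping is off. Port names and the group address are constructed.

```python
# Added example (not from the thread): a toy model of the forwarding decision an
# IGMP-snooping switch makes for one VLAN, versus flooding when snooping is off.
from dataclasses import dataclass, field

@dataclass
class SnoopingSwitch:
    ports: tuple                                 # every port in the VLAN
    snooping: bool = True
    mrouter_port: str = ""                       # learned from IGMP general queries
    members: dict = field(default_factory=dict)  # group -> set of listener ports

    def igmp_query(self, port):
        """An IGMP general query arrived on `port`: the PIM router lives there."""
        self.mrouter_port = port

    def igmp_report(self, port, group):
        """A host on `port` sent a membership report (join) for `group`."""
        self.members.setdefault(group, set()).add(port)

    def igmp_leave(self, port, group):
        """Listener on `port` left `group` (group-specific query got no reply)."""
        listeners = self.members.get(group, set())
        listeners.discard(port)
        if not listeners:
            self.members.pop(group, None)

    def egress_ports(self, ingress, group):
        """Ports a data frame for `group` arriving on `ingress` is sent out of."""
        if not self.snooping:
            out = set(self.ports)                # treated like broadcast: flood the VLAN
        else:
            out = set(self.members.get(group, set()))
            if self.mrouter_port:                # the router always gets a copy
                out.add(self.mrouter_port)
        out.discard(ingress)                     # never back out the ingress port
        return sorted(out)

def demo():
    """Two listeners join, one leaves; then compare with snooping disabled."""
    sw = SnoopingSwitch(ports=("Gi1", "Gi2", "Gi3", "Gi4"))
    sw.igmp_query("Gi1")                         # PIM router hangs off Gi1
    sw.igmp_report("Gi2", "239.1.1.1")
    sw.igmp_report("Gi3", "239.1.1.1")
    sw.igmp_leave("Gi2", "239.1.1.1")
    pruned = sw.egress_ports("Gi1", "239.1.1.1")
    sw.snooping = False
    flooded = sw.egress_ports("Gi1", "239.1.1.1")
    return pruned, flooded

if __name__ == "__main__":
    print(demo())   # (['Gi3'], ['Gi2', 'Gi3', 'Gi4'])
```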
|
That feeling when you do a remote after-hours IOS upgrade and you're ready to hit reload to boot into the new image, like sending astronauts to the dark side of the moon.
|
# ? Aug 13, 2013 13:45 |
|
Gap In The Tooth posted: That feeling when you do a remote after-hours IOS upgrade and you're ready to hit reload to boot into the new image, like sending astronauts to the dark side of the moon.

That feeling when you update 25 bridges to new IOS and they all lock up 8 hours later. "Houston, we have a problem." That was the moment, years ago, that I learned one must test new code more thoroughly before deployment.
|
# ? Aug 13, 2013 14:05 |
|
Tasty Wheat posted: That feeling when you update 25 bridges to new IOS and they all lock up 8 hours later. "Houston, we have a problem." That was the moment, years ago, that I learned one must test new code more thoroughly before deployment.

That feeling when you do a network-wide update, and the new code has a 50% chance of reloading when you log out using "exit" instead of "logout". Likewise, we need to test more thoroughly, but without a lab it just results in staging the update over a month or so, so it can burn in on lower-impact boxes.
|
# ? Aug 13, 2013 14:46 |
|
Gonna throw this out there, see if anyone has any ideas. I don't have access to the hardware and the guys who do aren't the brightest. We have some Calix E7s out in the field that pull management IPs via a DHCP pool. He says that when the lease expires, they do not receive a new IP from the DHCP pool. Don't see anything on my end and Google has let me down.
|
# ? Aug 13, 2013 14:53 |
|
One year leases and a giant IP pool.
|
# ? Aug 13, 2013 16:16 |
|
I just gave him a 30-day lease. Gonna see if there's anything wonky going on in the meantime.
|
# ? Aug 13, 2013 16:39 |
|
If you have access to the DHCP server, watch the log file for the discover/offer/ack when the E7 should be requesting a new lease. DHCP is obviously working if the E7 is getting a lease on boot, I can't think of any reason it wouldn't get a new lease when it comes time to renew unless it's not asking.
|
# ? Aug 13, 2013 16:49 |
|
Filthy Lucre posted: If you have access to the DHCP server, watch the log file for the discover/offer/ack when the E7 should be requesting a new lease. DHCP is obviously working if the E7 is getting a lease on boot; I can't think of any reason it wouldn't get a new lease when it comes time to renew unless it's not asking.

One time I had a 1751 router and a client that hated each other: the PC did not like the address and the router had no reason not to renew the address to the MAC since the lease was free. Instead of dealing with the change management issue, I released the client's address, assigned my laptop the address, then renewed the client's address. Crappy fix, but the user was happy.
|
# ? Aug 13, 2013 20:00 |
|
Zuhzuhzombie!! posted: Gonna throw this out there, see if anyone has any ideas. I don't have access to the hardware and the guys who do aren't the brightest. We have some Calix E7s out in the field that pull management IPs via a DHCP pool. He says that when the lease expires, they do not receive a new IP from the DHCP pool.

That is normal behavior. The DHCP server should give them the same IP address. The problem may be that they are not asking for a new IP when the lease expires, in which case just configure the DHCP server to give out perpetual leases.
|
# ? Aug 13, 2013 20:34 |
|
You'll probably have to trace it out, unfortunately. I bet the Calix isn't asking for a renewal.
|
# ? Aug 13, 2013 21:34 |
|
Yeah, just from knowing this guy, I'm 99% certain it's his problem, but my group being the Core Network group, everything gets blamed on us first. And correct, by "new IP" I meant an IP for the new lease time.
|
# ? Aug 13, 2013 21:44 |
|
Zuhzuhzombie!! posted: but my group being the Core Network group, everything gets blamed on us first.
|
# ? Aug 13, 2013 22:21 |
|
Yeah, that's my standard method of operation. :P I'll give it a look in thirty days. Thanks guys!
|
# ? Aug 13, 2013 22:29 |
|
It should try to renew in 15 days if your lease is 30.
|
# ? Aug 13, 2013 22:42 |
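The renewal timing in the reply above (T1 at half the lease, T2 at 7/8 of it, per RFC 2131) and the "watch the server log for the request" advice earlier in the thread, as an added example that is not code from any poster: decode the lease timers from a constructed DHCPACK option area and check whether a constructed server-log timeline shows the client asking to renew in its window.

```python
# Added example, not from the thread: decode the lease timers a DHCPACK carries and
# work out when the client should start renewing, per RFC 2131 section 4.4.5.
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"

def parse_options(area):
    """Parse the TLV option area of a DHCP message (magic cookie first)."""
    if not area.startswith(MAGIC_COOKIE):
        raise ValueError("not a DHCP option area")
    opts, i = {}, len(MAGIC_COOKIE)
    while i < len(area):
        code = area[i]
        if code == 0:                  # pad option, no length byte
            i += 1
            continue
        if code == 255:                # end option
            break
        length = area[i + 1]
        opts[code] = area[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def lease_timers(opts):
    """(lease, T1, T2) in seconds. T1/T2 default to 0.5 and 0.875 of the lease."""
    lease = struct.unpack("!I", opts[51])[0]
    t1 = struct.unpack("!I", opts[58])[0] if 58 in opts else lease // 2
    t2 = struct.unpack("!I", opts[59])[0] if 59 in opts else int(lease * 0.875)
    return lease, t1, t2

def build_ack(lease_seconds, t1=None, t2=None):
    """Constructed DHCPACK option area for the demo (option 53 = 5 = ACK)."""
    body = b"\x35\x01\x05" + b"\x33\x04" + struct.pack("!I", lease_seconds)
    if t1 is not None:
        body += b"\x3a\x04" + struct.pack("!I", t1)
    if t2 is not None:
        body += b"\x3b\x04" + struct.pack("!I", t2)
    return MAGIC_COOKIE + body + b"\xff"

def schedule_days(lease_days):
    """Renew (unicast to the server), rebind (broadcast) and expiry, in days."""
    lease, t1, t2 = lease_timers(parse_options(build_ack(lease_days * 86400)))
    return {"renew": t1 / 86400, "rebind": t2 / 86400, "expire": lease / 86400}

def client_asked_to_renew(events, lease, t1):
    """events: constructed (seconds since ACK, message) pairs from the server log.
    A healthy client sends DHCPREQUEST somewhere between T1 and lease expiry."""
    return any(t1 <= t < lease and msg == "DHCPREQUEST" for t, msg in events)

if __name__ == "__main__":
    print(schedule_days(30))       # {'renew': 15.0, 'rebind': 26.25, 'expire': 30.0}
```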
|
Zuhzuhzombie!! posted: Gonna throw this out there, see if anyone has any ideas. I don't have access to the hardware and the guys who do aren't the brightest. We have some Calix E7s out in the field that pull management IPs via a DHCP pool. He says that when the lease expires, they do not receive a new IP from the DHCP pool.

You're not using a LAG on that E7, are you? I have seen E7s drop DHCP traffic on cross-card LAGs before. Every other type of traffic would work, just not DHCP. I could see the DHCP server receive the renewal request and offer the new lease, but the client never received the offer. Sniffing the traffic showed the E7 nearest the DHCP server receiving the offer, but the offer never made it to the far-end E7. My suspicion was that the E7 was somehow getting the destination MAC on the stand-by port, but even after working with TAC and my SE we were never able to prove it. Making the other port of the LAG active will temporarily fix the problem. We never did find a solution; I finally gave up working with Calix on it and put a workaround in place.
|
# ? Aug 14, 2013 06:44 |
Is there any easy way to create 3ms of latency in 12.2 IOS? I need to simulate and test something. I need 3ms of latency at 1g line rate.
|
# ? Aug 15, 2013 03:15 |
|
Flash z0rdon posted: Is there any easy way to create 3ms of latency in 12.2 IOS? I need to simulate and test something. I need 3ms of latency at 1G line rate.

Pass the traffic through a FreeBSD host running dummynet or Linux running tc?
|
# ? Aug 15, 2013 07:40 |
Ninja Rope posted: Pass the traffic through a FreeBSD host running dummynet or Linux running tc?

We are already trying that, but the performance hit is too great.
|
# ? Aug 15, 2013 13:42 |
I just need the 3ms.
|
# ? Aug 15, 2013 13:43 |
|
Flash z0rdon posted: I just need the 3ms.

Here's one option I've come across when looking into link quality emulation in the past: http://www.gl.com/wan-link-emulation-iplinksim-packetexpert.html They claim full gigabit capability, but who knows. I don't need high bandwidth for my purposes, so I always end up going back to dummynet boxes. Or, comedy option: it would "only" take about 250-300 miles of fiber to add that sort of latency, if I'm remembering correctly.
|
# ? Aug 15, 2013 15:30 |
|
So I had a weird issue today involving a 3560 that's acting as a core switch/router. I had two default routes configured:

S: 0.0.0.0 via 192.168.200.1, 10.0.200.1

and PBR with a route map to route through different gateways depending upon the source IP address (192.168.X.X -> 192.168.200.1, 10.X.X.X -> 10.0.200.1). Everything was working fine until I had to move the switch: when I booted it back up it started sending packets from the 192.168.X.X network out the wrong interface, which was obviously triggering the anti-spoofing function on my firewalls. I removed the default route to 10.0.200.1 and everything started working fine again. It's worth mentioning that I booted it up before the firewalls. Any ideas what might have caused this? Was it CEF acting weird, or is my route map hosed up?

e: Here's the route map and corresponding ACLs:

access-list 165 deny ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255
access-list 165 deny ip 10.10.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 165 deny ip 10.10.0.0 0.0.255.255 host 172.16.300.1
access-list 165 permit ip 10.10.0.0 0.0.255.255 any
access-list 190 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 190 deny ip 192.168.0.0 0.0.255.255 10.10.0.0 0.0.255.255
access-list 190 deny ip 192.168.0.0 0.0.255.255 host 172.16.300.1
access-list 190 permit ip 192.168.0.0 0.0.255.255 any
route-map OUT permit 10
 match ip address 165
 set ip next-hop 10.0.200.1
route-map OUT permit 20
 match ip address 190
 set ip next-hop 192.168.200.1

The map is applied to the respective host VLANs.

psydude fucked around with this message at 16:41 on Aug 15, 2013
# ? Aug 15, 2013 16:35 |
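To see which route-map sequence each flow in the post above actually hits, here is an added example (not the poster's tooling) that evaluates IOS wildcard-mask ACLs and route-map sequences the way policy routing does: a deny or no-match in a sequence's ACL only skips that sequence, and flows no sequence permits fall back to the routing table, where this switch has two static defaults. The post's "host" entries are modelled with a placeholder address (172.16.0.1), since the posted one is not a valid IPv4 address; sample flows are constructed.

```python
# Added example (not the poster's tooling): walk the OUT route-map the way IOS
# policy routing does.  The post's "host" ACEs use a placeholder address here.
import ipaddress

ip2int = lambda a: int(ipaddress.IPv4Address(a))

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit in the wildcard means 'do not care'."""
    w = ip2int(wildcard)
    return (ip2int(addr) | w) == (ip2int(base) | w)

def parse_ace(line):
    """'deny ip A AWC B BWC' (also 'host X' / 'any') -> (action, src, swc, dst, dwc)."""
    tokens = line.split()
    action, rest = tokens[0], tokens[2:]           # skip the 'ip' protocol keyword
    def take():
        nonlocal rest
        if rest[0] == "any":
            rest = rest[1:]
            return "0.0.0.0", "255.255.255.255"
        if rest[0] == "host":
            host, rest = rest[1], rest[2:]
            return host, "0.0.0.0"
        base, wc, rest = rest[0], rest[1], rest[2:]
        return base, wc
    return (action,) + take() + take()             # source first, then destination

def acl_lookup(acl, src, dst):
    """First matching ACE decides: 'permit', 'deny', or None (implicit deny)."""
    for action, s, swc, d, dwc in map(parse_ace, acl):
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action
    return None

def policy_route(route_map, acls, src, dst):
    """A deny or no-match in a sequence's ACL only skips that sequence; if no
    sequence permits, the packet is routed from the table (two static defaults)."""
    for acl_name, next_hop in route_map:
        if acl_lookup(acls[acl_name], src, dst) == "permit":
            return next_hop
    return "routing-table"

# The thread's ACLs and route-map as data (host entries: placeholder 172.16.0.1).
ACLS = {
    "165": ["deny ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255",
            "deny ip 10.10.0.0 0.0.255.255 192.168.0.0 0.0.255.255",
            "deny ip 10.10.0.0 0.0.255.255 host 172.16.0.1",
            "permit ip 10.10.0.0 0.0.255.255 any"],
    "190": ["deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255",
            "deny ip 192.168.0.0 0.0.255.255 10.10.0.0 0.0.255.255",
            "deny ip 192.168.0.0 0.0.255.255 host 172.16.0.1",
            "permit ip 192.168.0.0 0.0.255.255 any"],
}
ROUTE_MAP_OUT = [("165", "10.0.200.1"), ("190", "192.168.200.1")]  # seq 10, seq 20
```

Calling `policy_route(ROUTE_MAP_OUT, ACLS, "192.168.1.5", "10.10.1.1")` returns "routing-table": internal flows are deliberately left to the table, so any flow that lands there is resolved by the two equal-cost defaults, not by the map.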
|
Here's some ISP network porn I took if you guys are interested: http://imgur.com/a/Rqpw2
|
# ? Aug 15, 2013 16:51 |
|
So due to a YOTJ, I am now in a mixed Cisco/Juniper shop, coming from an all-Juniper shop. I am looking into the best way to handle 2x 10Gb BGP connections (separate ISP AS numbers) with a pair of 4500-X switches feeding a pair of ASAs. BGP-A bandwidth is cheap, BGP-B bandwidth is expensive. It looks like the 4500-X switches have a VSS option, which seems a lot like stacking/virtual chassis to me. My thought was to terminate one of the 10Gb BGP feeds into each 4500-X, combine them using VSS, set preference for BGP-A over BGP-B by passing a localpref community upstream, and then do MEC (LACP) to each ASA. Seems like that would buy me total redundancy without any major drawbacks. My concern is whether or not VSS on the 4500-X switches is going to give me reasonable convergence times. I understand that the standby supervisor will have to reestablish BGP, which I figure would have to happen anyway if I was using them in a non-VSS environment. Most of the traffic will be inbound, so it's not like router failure is going to be lossless anyway. My main issue with using something like HSRP or VRRP is how to make that work with the ASAs. I don't want for a 4500-X failure to require/cause an ASA failover as well.
|
# ? Aug 15, 2013 19:02 |
|
Is that true, though? I thought VSS was smart enough to carry BGP state information between the two boxes in the event of failure. Either way, though, your LACP idea to each ASA should be fine. The ASAs won't fail over unless they fail their heartbeats or detect interface failures (depending on how you're configured). I will say, the one thing the ASAs seem to do really well is their failover. Everything else is obnoxious, to me, but the failover is really good.
|
# ? Aug 15, 2013 19:37 |
|
BGP supports NSR and SSO, so there wouldn't be a BGP failure. You can choose how many interfaces need to fail on an ASA before it performs a failover.
|
# ? Aug 15, 2013 19:39 |
|
Flash z0rdon posted: I just need the 3ms.

Honestly, a spool of fiber is the best way. Otherwise talk to your Cisco account rep about PAGENT; it will run on an ASR now.
|
# ? Aug 15, 2013 20:02 |
|
wolrah posted: Or, comedy option: it would "only" take about 250-300 miles of fiber to add that sort of latency, if I'm remembering correctly.

Change miles to meters and this is correct.
|
# ? Aug 15, 2013 20:04 |
|
Sepist posted: BGP supports NSR and SSO, so there wouldn't be a BGP failure. You can choose how many interfaces need to fail on an ASA before it performs a failover.

Does the 4500-X support NSR, though? I saw that it supports NSF/SSO, but for BGP that would require my upstream provider to also support NSF. If the 4500-X can indeed do NSR then that would be perfect. I can't find any documentation that says the 4500-X can do NSR; I was assuming that was only a feature of certain router series.

madsushi fucked around with this message at 20:14 on Aug 15, 2013
# ? Aug 15, 2013 20:12 |
|
Hi all, I have a few 3845s that I'd like to repurpose for a lab. They have the no password recovery command applied and they don't seem to accept the break command on bootup. When I send the break command to a 2000 series it works fine. I've tried deleting the startup configuration file from the SD card; however, it still finds its config file. I assume this is in NVRAM somewhere. Is there any way to erase the NVRAM without getting into rommon, such as a jumper or something?
|
# ? Aug 15, 2013 22:15 |
|
madsushi posted: Does the 4500-X support NSR, though? I saw that it supports NSF/SSO, but for BGP that would require my upstream provider to also support NSF. If the 4500-X can indeed do NSR then that would be perfect. I can't find any documentation that says the 4500-X can do NSR; I was assuming that was only a feature of certain router series.
|
# ? Aug 15, 2013 22:31 |
|
madsushi posted: Does the 4500-X support NSR, though? I saw that it supports NSF/SSO, but for BGP that would require my upstream provider to also support NSF. If the 4500-X can indeed do NSR then that would be perfect. I can't find any documentation that says the 4500-X can do NSR; I was assuming that was only a feature of certain router series.

Cisco's wording for NSR is called Graceful Restart: http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/01xo/configuration/guide/NSFwSSO.html#wp1131748
|
# ? Aug 15, 2013 22:33 |
|
Sepist posted: Cisco's wording for NSR is called Graceful Restart.

My understanding is that there is NSF/GR (nonstop forwarding, not routing), which requires my upstream peers to understand GR and for GR messages to be sent when one of my VSS switches fails. If my upstream doesn't support it, then I'm looking at route reconvergence. The 4500-X definitely supports this. NSR (nonstop routing) is where the BGP process info is replicated between nodes in the SSO cluster (usually a pair of 10000 or ASR routers, from what I gather) and when a node fails, the upstream peers never know anything happened (since the link doesn't drop). If NSF/GR is all that I can do on the 4500-X, then I will have to contact my upstream providers and see if they're running something that will support GR on their side. If so, problem solved. If not, then it sounds like I can't do NSR on the 4500-X, so I might just have to eat the reconvergence times.
|
# ? Aug 15, 2013 22:46 |
|
Powercrazy posted: Change miles to meters and this is correct.

I am not sure why you think such a short run would have that latency. This is the host-to-host round-trip latency on one of our 1Gb DWDM circuits between two data centers that are 50 miles apart:

code:
|
# ? Aug 15, 2013 23:17 |