next-hop-self under address-family vpnv4 also?

next-hop-self under address-family vpnv4 also?

BGP PIC Edge would be recommended but if it is not supported, use different RDs even for the same VPN. This would allow second best path to be installed for the same prefix.

Next-hop-self is enabled automatically under vpnvX AF.
If the code supports it I’d recommend:
address-family vpnv4
bgp advertise-best-external  <– enables best-external + pic(if supported).
no bgp recursion host <–disables recursive lookup for BGP NHs.
bgp nexthop route-map BGP_NHT <–specifies which prefixes qualify as BGP NHs.
bgp nexthop trigger delay 0 <–allows BGP to act on IGP events immediately(enable if FRR backup is available for the BGP NH).
route-map BGP_NHT permit 10
match ip address prefix-list PE_LOOPBACKS
match source-protocol “igp” <–if you are using hierarchical MPLS you need to add BGP there as well.
route-map BGP_NHT permit 20
match source-protocol connected
adam
> —–Original Message—–
> From: cisco-nsp [mailto:cisco-nsp-bounces@puck.nether.net] On Behalf Of
> CiscoNSP List
> Sent: Friday, September 19, 2014 3:32 AM
> To: Will Tardy; cisco-nsp@puck.nether.net<mailto:cisco-nsp@puck.nether.net>
> Subject: Re: [c-nsp] next-hop-self under address-family vpnv4 also?
>
> Cheers.
>
> Any other “tweaks” to default config you recommend?  i.e. timers etc?
>
>
> > From: will.tardy@vocus.com.au<mailto:will.tardy@vocus.com.au>
> > To: cisco-nsp@puck.nether.net<mailto:cisco-nsp@puck.nether.net>
> > Date: Fri, 19 Sep 2014 00:42:23 +0000
> > Subject: Re: [c-nsp] next-hop-self under address-family vpnv4 also?
> >
> > It¹s not needed.
> >
> >
> > “address-family vpnv4” section is used to define which routers
> > participate in the VPNv4.  The underlying MPLS network will forward
> > labels between the
> > VPNv4 end-point CE’s. Next-hop-self isn¹t required. All that¹s
> > required is MPLS and IGP reachability between the CE¹s participating
> > in the vpnv4 domain.
> >
> > On 19/09/2014 10:31 am, “CiscoNSP List” <cisconsp_list@hotmail.com<mailto:cisconsp_list@hotmail.com>>
> wrote:
> >
> > >Is it recommended to add it under vpnv4 also?
> > >
> > >i.e.
> > >
> > >router bgp xxxxxx
> > >…
> > >neighbor iBGP-IPv4-PEERS update-source Loopback0 neighbor
> > >iBGP-IPv4-PEERS next-hop-self neighbor xxx.xxx.xxx.xxx peer-group
> > >iBGP-IPv4-PEERS…
> > >address-family vpnv4
> > >  bgp redistribute-internal
> > >  neighbor  iBGP-IPv4-PEERS send-community extended
> > >  neighbor iBGP-IPv4-PEERS next-hop-self
> > >  neighbor xxx.xxx.xxx.xxx activate
> > >
> > >Cheers.
> > >
> > >
> > >
> > >_______________________________________________
> > >cisco-nsp mailing list  cisco-nsp@puck.nether.net<mailto:cisco-nsp@puck.nether.net>
> > >https://puck.nether.net/mailman/listinfo/cisco-nsp
> > >archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> >
> > ________________________________________

 

IPv6 BGP peer info over SNMP

IPv6 BGP peers over SNMP

On 22/09/14 22:42, chiel wrote:
> So not yet for a 6500 with sup720? I believe 15.1 is the latest on that.

Looks to be the case….

7600 with SUP720 have 15.2, 15.3 & 15.4 releases:

http://software.cisco.com/download/release.html?mdfid=282201754&flowid=61102&softwareid=280805680&release=15.2.4S6&relind=AVAILABLE&rellifecycle=ED&reltype=latest

On 23/09/2014 04:05, Frank Bulk wrote:
> Do you happen to have the OIDs or MIB name for that info?

ftp://ftp.cisco.com/pub/mibs/v2/CISCO-BGP4-MIB.my

Cisco 7201 (G2) Traffic Performance (High CPU Utilization)

> If the CPU load is high, then check to see what’s causing it.
His sh proc c output snippet indicates that almost all his CPU usage is interrupts – on a software-based platform, that’s indicative of pps, whether directed to the box or through the box.

Is this router on the Internet, or on a private WAN?

Can you enabled NetFlow on the router and take a look at the contents of the NetFlow cache?  No, the additional CPU is not a big deal, it’s single-digit.

Take a look at this preso:

<https://app.box.com/s/mnshn99c13uekrggy99b>

sh proc c | e 0.00 would be helpful.

Here’s the older post:
https://puck.nether.net/pipermail/cisco-nsp/2007-April/039999.html

> Ultimately I want to know am I simply hitting a practical
> limit of the box already?
> I’m very scared to enable more WAN links on these routers
> as I am affraid it will max out the available resources.

It’s been a while since I ran any decent traffic through the
NPE-G2, but if memory serves, CPU utilization was not always
linear with traffic. But at some point, it levels out and
climbs slower (given that you’re not running any features
that could cause this).

That said, this was back in the days of SRC, and the NPE-
G2’s I have now are looking glasses, so no major drama
there.

We saw higher CPU utilization at low traffic levels compared
to the NPE-G1, but saw a slower climb as traffic climbed. In
the role you describe, we got to 950Mbps at ~93% CPU
utilization.

Cisco 6500 QOS

By enabling ‘mls qos’ you’re splitting your already small buffer space on this platform into 4 pieces and using just one of them for normal traffic “mls qos” activates QoS, and that includes _ALL_ of the default QoS configs including automatic classify and remark, and all the default queues.

This lets the interfaces use (almost) as much as possible from the common buffers on the switch.

mls qos queue-set output 1 threshold 1 3100 3100 100 3200 
mls qos queue-set output 1 threshold 2 3100 3100 100 3200 
mls qos queue-set output 1 threshold 3 3100 3100 100 3200 
mls qos queue-set output 1 threshold 4 3100 3100 100 3200 
mls qos
Voorbeeld:
http://ampere.rathlev.dk/3560-3750-QoS-basis-template.txt

The “QoS Overview” chapter of the “Cisco Catalyst 3750 QoS  Configuration Examples” document explains the architecture:

http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/91862-cat3750-qos-config.html#topic1

Any one ever worked on Cisco 6500 QOS specifically 6503 or 6524(help) needed
The 6500 series switch has unique, complex and restrictive hardware QOS compared to a software based router/switch.http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/qos.html6748 is a switch based line card. It has limited qos features supported as
compared to a routed platform such as ISR router.
On 12 Oct 2014 10:45, “Ahsan Rasheed” <ahsanrasheed9@gmail.com> wrote:> Hi All,
>
> I am having issue specifically doing QOS configuration on 6503 or 6524 or
> 6509 switches. I am unable to match any EF(voice) traffic for eompls(vlan
> based) on 6503 cisco switch. If i use any other router as 2811 or 2821 my
> QOS configuration works perfect but if i put 6503 as PE2 it does not work.i
> am using vlan based eompls.
>
> Below is the scenario & configuration which i am having issue.
>
>
> CE1(2821 router)(dot1Q)———>PE1(2821 router)——->P(6524
> switch)——–>PE2(6503 switch)——->(dot1Q)(2821 switch)CE2.
>
> On CE1 i can match ip-precedence 5 traffic and mark that traffic to cos5 on
> outbound port.On PE1 i can match cos5 packet and mark with mpls exp top5 on
> inbound port, on outbound port i can match mpls exp 5.
>
> On PE2(6503) i am unable to match that mpls exp5 packet on inbound port.
> none of the configuration worked on 6500 series switches with mls qos, ,mls
> qos trust dscp,mls qos trust cos etc. Although i can match cos5 traffic on
> CE2 on inbound interface.i can not match mpls exp 5 traffic on 6503 and all
> i can see traffic as default-class on 6503 switch. I tried many things and
> many configurations on 6503 but nothing worked.If i put 2821 router as PE2
> instead of 6503 my qos configuration works. but why if i put 6503 my same
> qos configuration does not work?
>
> —match means=classification or classify
>
> Can anyone tell me how qos works on 6500 series switches or where i am
> having issue in my scenario.
> i am using this ios on 6503: s72033-advipservicesk9_wan-mz.122-33.SXI3.bin.
>
> below r my questions for 6503 qos:
>
> 1.do i need to use some other map tables,am i  using correct map tables on
> 6503 as cos-dscp,dscp-cos,exp-dscp etc.
> 2.any other configuration of qos needed on 6503?
> 3.i am unable to match anything on outbound port of 6503.
> 4.on 6503 i am using sup720 and PFC3BXL.any specific configuration needed
> for PFC3bxl.
> 5. 6503 not allowing me to match qos-group on inbound interface, not
> allowing me to set cos5 on outbound interface. not allowing me to set cos5
> as an inbound interface.
>
>
> CE1(2821) config:
> ————————
> !
> class-map match-any EF
>  match ip precedence 5
> class-map match-any data
>  match ip precedence 3
> !
> !
> policy-map ip2mpls
>  class EF
>   set cos 5
>  class data
>   set cos 3
> !
> interface FastEthernet0/0
>  no ip address
>  duplex auto
>  speed auto
> !
> interface FastEthernet0/0.455
>  encapsulation dot1Q 455
>  ip address 172.16.15.1 255.255.255.252
>  service-policy output EF
> !
>
> PE1(2821) config:
> ————————-
> ————————-
> mls qos map cos-dscp 0 8 16 24 32 40 48 56
> !
> class-map match-all exp_3
>  match mpls experimental topmost 3
> class-map match-all mpls_exp
>  match mpls experimental topmost 5
> class-map match-any cos3
>  match cos  3
> class-map match-any LOO1
>  match cos  5
> !
> !
> policy-map EF
>  class LOO1
>   set mpls experimental imposition 5
>  class cos3
>   set mpls experimental imposition 3
> policy-map QOS_G_5
>  class mpls_exp
>   priority
>  class exp_3
>   bandwidth 500
> !
> interface Loopback0
>  ip address 3.3.3.3 255.255.255.255
> !
> interface FastEthernet0/0
>  ip address 192.168.23.2 255.255.255.0
>  ip ospf network point-to-point
>  duplex auto
>  speed auto
>  mpls ip
>  service-policy output QOS_G_5
> !
> interface FastEthernet0/1.455
>  encapsulation dot1Q 455
>  xconnect 5.5.5.5 455 encapsulation mpls
>  service-policy input EF
> !
> ——————————
> ——————————
> PE2(6503 qos):
> R1#show module
> Mod Ports Card Type                              Model              Serial
> No.
> — —– ————————————– ——————
> ———–
>   1    4  CEF720 4 port 10-Gigabit Ethernet      WS-X6704-10GE
>  SAL09401U2L
>   2   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX
> SAL114247YN
>   3   16  16 port 1000mb GBIC ethernet           WS-X6416-GBIC
>  SAL0712AM69
>   4   24  CEF720 24 port 1000mb SFP              WS-X6724-SFP
> SAL10019J4N
>   5    2  Supervisor Engine 720 (Hot)            WS-SUP720-3BXL
> SAD102805VM
>   6    2  Supervisor Engine 720 (Active)         WS-SUP720-BASE
> SAD0846060F
>
> Mod  Sub-Module                  Model              Serial       Hw
> Status
> —- ————————— —————— ———– ——-
> ——-
>   1  Distributed Forwarding Card WS-F6700-DFC3BXL   SAD102504EF  5.3    Ok
>   2  Centralized Forwarding Card WS-F6700-CFC       SAD111300PD  3.1    Ok
>   4  Centralized Forwarding Card WS-F6700-CFC       SAL1004BQ2A  2.0    Ok
>   5  Policy Feature Card 3       WS-F6K-PFC3BXL     SAD10270189  1.8    Ok
>   5  MSFC3 Daughterboard         WS-SUP720          SAD102801G5  2.5    Ok
>   6  Policy Feature Card 3       WS-F6K-PFC3BXL     SAL1415FE95  1.11   Ok
>   6  MSFC3 Daughterboard         WS-SUP720          SAD08440794  2.4    Ok
>
> R1#show mls qos maps
>    Normal Burst Policed-dscp map:                                  (dscp=
> d1d2)
>      d1 :  d2 0  1  2  3  4  5  6  7  8  9
>      ————————————-
>       0 :    01 01 02 03 04 05 06 07 08 09
>       1 :    10 11 12 13 14 15 16 17 18 19
>       2 :    20 21 22 23 24 25 26 27 28 29
>       3 :    30 31 32 33 34 35 36 37 38 39
>       4 :    40 41 42 43 44 45 01 47 48 49
>       5 :    50 51 52 53 54 55 56 57 58 59
>       6 :    60 61 62 63
>
>    Maximum Burst Policed-dscp map:                                  (dscp=
> d1d2)
>      d1 :  d2 0  1  2  3  4  5  6  7  8  9
>      ————————————-
>       0 :    00 01 02 03 04 05 06 07 08 09
>       1 :    10 11 12 13 14 15 16 17 18 19
>       2 :    20 21 22 23 24 25 26 27 28 29
>       3 :    30 31 32 33 34 35 36 37 38 39
>       4 :    40 41 42 43 44 45 46 47 48 49
>       5 :    50 51 52 53 54 55 56 57 58 59
>       6 :    60 61 62 63
>
>    Dscp-cos map:                                  (dscp= d1d2)
>      d1 :  d2 0  1  2  3  4  5  6  7  8  9
>      ————————————-
>       0 :    00 00 00 00 00 00 00 00 01 01
>       1 :    01 01 01 01 01 01 02 02 02 02
>       2 :    02 02 02 02 03 03 03 03 03 03
>       3 :    03 03 04 04 04 04 04 04 04 04
>       4 :    05 05 05 05 05 05 05 05 06 06
>       5 :    06 06 06 06 06 06 07 07 07 07
>       6 :    07 07 07 07
>
>    Dscp-exp map:                                  (dscp= d1d2)
>      d1 :  d2 0  1  2  3  4  5  6  7  8  9
>      ————————————-
>       0 :    00 00 00 00 00 00 00 00 01 01
>       1 :    01 01 01 01 01 01 02 02 02 02
>       2 :    02 02 02 02 03 03 03 03 03 03
>       3 :    03 03 04 04 04 04 04 04 04 04
>       4 :    05 05 05 05 05 05 05 05 06 06
>       5 :    06 06 06 06 06 06 07 07 07 07
>       6 :    07 07 07 07
>
> Cos-dscp map:
>          cos:   0  1  2  3  4  5  6  7
>      ————————————
>         dscp:   0 10 18 24 34 46 48 56
>
>    IpPrecedence-dscp map:
>       ipprec:   0  1  2  3  4  5  6  7
>      ————————————
>         dscp:   0  8 16 24 32 40 48 56
>
>    Exp-dscp map:
>          exp:   0  1  2  3  4  5  6  7
>      ————————————
>         dscp:   0  8 16 24 32 40 48 56
>
>
> mls netflow interface
> mls qos map cos-dscp 0 10 18 24 34 46 48 56
> mls qos
> !
> class-map match-all exp_3
>  match mpls experimental topmost 3
> class-map match-all EXP_5
>  match mpls experimental topmost 5
> class-map match-all QOS_GROUP_5
>  match qos-group 5
> class-map match-all prec5
>  match ip precedence 5
> class-map match-all cos5
>  match cos  5
> !
> policy-map mpls2ip
> class QOS_GROUP_5
>  set cos 5
> !
> policy-map IN_FROM_R3
>  class EXP_5
>   set qos-group 5
> !
> interface Loopback0
>  ip address 5.5.5.5 255.255.255.255
> !
> interface GigabitEthernet2/2
>  mls qos trust cos
> or <———— (tried both individually but none worked)
>  mls qos trust dscp
> !
> interface GigabitEthernet2/2.455
>  encapsulation dot1Q 455
>  xconnect 3.3.3.3 455 encapsulation mpls
>  service-policy output mpls2ip
> !
> interface GigabitEthernet2/1
>  ip address 192.168.34.4 255.255.255.0
>  ip ospf network point-to-point
>  mls qos trust cos
> or <———— (tried both individually but none worked)
>  mls qos trust dscp
>  mpls ip
>  service-policy input IN_FROM_R4
> !
> Thanks & regards,
> Ahsan Rasheed

 

Cisco ASA return traffic with explicit deny on outside interfac

I have an ASA running 8.4 in a pretty simple setup with 2 interfaces (inside/outside). I have to 2 ACLs where one is applied inbound on the inside, and one ACL applied inbound on the outside interface. The outside ACL has an explicit deny ip any any statement for logging purposes.

I am wondering, does return traffic (for connections originated on the inside network) get through  the ASA with the explicit deny ip any any statement in the outside ACL?  I know it works without an ACL applied to the outside interface, but the explicit deny got me thinking. I haven’t a device with me to test it unfortunately
Return traffic will be permitted.

Any traffic originating on a network connected to a higher security interface will not need an ACL to ingress.  When the traffic egresses to a lower security interface it will automatically be let back in.

Any traffic originating on a network connected to a lower security interface will need an ACL to allow ingress.  When the traffic egresses to a higher security interface it will also be let back in.

That’s how I remember it anyway.. 🙂

Point 3. In the below link seems to back me up.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113396-asa-packet-flow-00.html

How to troubleshoot input queue drop continuously on Cisco7600?

> k1#sho int te1/4
>
>   Last clearing of “show interface” counters 00:12:35
>
>   Input queue: 0/200/69739/69739 (size/max/drops/flushes); Total
> output
> drops: 0

On this platform those drops could be for traffic forwarded to the CPU.
What does the interface configuration look like? Is it a L3 interface (“no switchport”), or is it a L2 interface? If the latter, and you have SVIs (VLAN interfaces) for some of the VLANs it carries, look for drops on those SVIs.

If they are “microburst” drops on L3-interfaces then you can possibly mitigate it using “hold-queue <N> in” on the L3-interfaces (SVIs or the “no switchport” interface itself). This is a trade-off; don’t use a too high setting for input-queue or you will get other problems.

You could use a SPAN session to look at what traffic might cause this.
The SPAN replication is before traffic is forwarded to the CPU so you should be able to see floods.

>   1    4  CEF720 4 port 10-Gigabit Ethernet      WS-X6704-10GE

This card has rather small queues so it might simply be microbursts. In that case you might have to find a port on another card.

For general info about input queue drops this is a good read:

http://www.cisco.com/c/en/us/support/docs/routers/10000-series-routers/6343-queue-drops.html

Oversubscribing the card would cause output drops, not input queue drops.
As someone else mentioned, this is punted traffic.

I’d suggest using NetDR to find out.
http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/116475-technote-product-00.html

On Mon, Oct 20, 2014 at 9:42 PM, PlaWanSai RMUTT CPE IX <
pws_admin@thaicpe.com> wrote:

CFC linecards on 7600 – traffic punted to RP

7606s-test#show fm sum

Interface: GigabitEthernet6/2 is up
TCAM screening for features: ACTIVE inbound
Interface: Vlan1600 is up
TCAM screening for features: ACTIVE inbound

Gi6/2 is mnagement port on RSP, Vlan1600 is active on Te4/1 in access mode.

!SVI of VLAN active on Te4/1
interface Vlan1600
ip address 192.168.100.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
load-interval 30
end

! null routing of destination IP of packets generated by downstream
device on te4/1
ip route 192.168.115.1 255.255.255.255 null0

7606s-test#show int vlan 1600
Vlan1600 is up, line protocol is up
30 second input rate 48325000 bits/sec, 100677 packets/sec
30 second output rate 0 bits/sec, 0 packets/sec

7606s-test#top
CPU utilization for five seconds: 49%/48%; one minute: 48%; five
minutes: 34%

7606s-test#show ibc
Interface information:
Interface IBC0/0(idb 0x18D112A4)
5 minute rx rate 34956000 bits/sec, 72805 packets/sec
5 minute tx rate 0 bits/sec, 0 packets/sec

7606s-test#show netdr captured-packets
——- dump of incoming inband packet ——-
interface Vl1600, routine process_rx_packet_inline, timestamp 03:14:18.723
dbus info: src_vlan 0x640(1600), src_indx 0xC0(192), len 0x40(64)
bpdu 0, index_dir 0, flood 0, dont_lrn 0, dest_indx 0x380(896)
A8020400 06400000 00C00000 40000000 00110524 0E000040 00000000 03802000
destmac 00.21.D8.CB.4B.00, srcmac 00.1B.21.D7.36.74, protocol 0800
protocol ip: version 0x04, hlen 0x05, tos 0x00, totlen 28, identifier 6692
df 0, mf 0, fo 0, ttl 64, src 192.168.100.2, dst 192.168.115.1
udp src 3854, dst 10000 len 8 checksum 0x102A

>
> On 5 Nov 2014, at 18:32, Jiri Prochazka wrote:
>
>> We will try the same setup with another RSP720-3CXL. I am getting to
>> the point it may be faulty Sup, even it seems very odd for me.
>> Everything works, but uRPF on CFC equipped cards..
>
> What other features do you have turned on which use up TCAM space?
>
> It’s sure sounding like a bug, though.
>
> Also, the output from sh fm sum when the issue is occurring might be
> useful, as well.

H-VPLS/P2MP style functionality with L2TPv3 inside VFI

 I’m trying to lab up a hub and spoke L2 VPN scenario using L2TPv3.

CPEs are ISR G2s such as 1941 and the PE/Hub is an ME3600. I’m not having much luck so I wondered if I’m chasing a ghost; Has anyone used
L2TPv3 xconnects (due to lack of MPLS) into a VFI on an ME3600 to get this scenario to work?

Perhaps you used something else that worked? Or do you think this simply can’t be done?

When mixing L2TPv3 with VFIs, is the logic present to do things like MAC learning, I’ve never tried this without MPLS and/or BGP.


Something like;


pseudowire-class l2tpv3-class
 encapsulation l2tpv3
 interworking ethernet
 ip local interface looopback 0

l2 vfi TEST manual
 vpn id 100
  bridge-domain 200
  neighbor 1.1.1.1 pw-class l2tpv3-class
  neighbor 2.2.2.2 pw-class l2tpv3-class

int gi0/2
 switchport mode trunk
 switchport trunk allow vlan none
  service instance 200 ethernet
  uncapsulation untagged
  bridge-domain 200

int vlan200
 no ip address

1 10 11 12 13 14