MPLS and links with limited MTU size

When dealing with MTU issues on all our site-to-site VPNs: GRE plus IPsec plus other overhead uses up 60 to 90 bytes.

There are some good docs on the Cisco site. The standard solution for TCP flows is, … for the constrained or tunnel interface:

ip mtu 1400
ip tcp adjust-mss 1360

This will cause the TCP 3-way handshake to negotiate a 1360-byte MSS, which then fits into the 1500-byte max physical MTU.

In theory, setting the MTU to 1400 will also cause the PMTU discovery process to auto-adjust as well. This is hit or miss, depending on the stack and whether ICMP is being filtered in the path.

Windows tries hard to guess the MTU and usually sets the Don't Fragment bit on most packets. The above usually works, but we often find some non-TCP app defaults to 1500 bytes anyway. Since Windows sends it with DF set, the router drops it. To fix this, use a route-map to clear the DF bit. I only do this for UDP now. Seems a good compromise.

All this would be done on your CPE or other edge router. Tunnelled DDoS mitigation vendors also do this to avoid MTU issues.
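To show what the two commands actually do on the wire, here is an added Python example (mine, not from the post): it derives the 1360 figure from the 1500-byte physical MTU and the tunnel overhead, then rewrites the MSS option in a constructed TCP SYN the way `ip tcp adjust-mss` does, recomputing the TCP checksum. The 100-byte overhead and the endpoint addresses are assumed sample values.

```python
import struct
from ipaddress import IPv4Address

IP_HDR, TCP_HDR = 20, 20   # minimal IPv4 and TCP headers, no options

def mss_for_tunnel(physical_mtu, tunnel_overhead):
    """Largest TCP segment that fits once tunnel headers are added: 1500-100-40 = 1360."""
    return physical_mtu - tunnel_overhead - IP_HDR - TCP_HDR

def tcp_checksum(src_ip, dst_ip, segment):
    """One's-complement checksum over the IPv4 pseudo-header plus the TCP segment."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    data = pseudo + segment + (b"\x00" if len(segment) % 2 else b"")
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def _mss_offset(seg):
    """Offset of the 2-byte MSS value (option kind 2), or None if the segment has none."""
    i, end = TCP_HDR, (seg[12] >> 4) * 4   # options sit between the fixed header and the data offset
    while i < end:
        kind = seg[i]
        if kind == 0:                       # end of option list
            return None
        if kind == 1:                       # NOP is a single byte
            i += 1
            continue
        if i + 1 >= end:                    # truncated option header
            return None
        length = seg[i + 1]
        if length < 2:                      # malformed option, stop walking
            return None
        if kind == 2 and length == 4:
            return i + 2
        i += length
    return None

def read_mss(seg):
    off = _mss_offset(seg)
    return None if off is None else struct.unpack_from("!H", seg, off)[0]

def clamp_mss(seg, max_mss, src_ip, dst_ip):
    """Rewrite the MSS option the way 'ip tcp adjust-mss' does and refresh the checksum."""
    out = bytearray(seg)
    off = _mss_offset(seg)
    if off is not None:
        struct.pack_into("!H", out, off, min(read_mss(seg), max_mss))
    out[16:18] = b"\x00\x00"                # checksum field must be zero while recomputing
    struct.pack_into("!H", out, 16, tcp_checksum(src_ip, dst_ip, bytes(out)))
    return bytes(out)

def syn_with_mss(mss):
    """Constructed SYN: data offset 6 words = 20-byte header + 4-byte MSS option."""
    fixed = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 6 << 4, 0x02, 65535, 0, 0)
    return fixed + struct.pack("!BBH", 2, 4, mss)

# Constructed endpoint addresses for the pseudo-header.
SRC, DST = IPv4Address("10.1.1.10").packed, IPv4Address("192.0.2.20").packed
```

A SYN that already advertises an MSS below the clamp is left unchanged, which is why the command is safe to apply to every flow on the tunnel interface.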

IP-SLA

 

You are missing a bit more specifics on your event definition… It just doesn’t match a reaction event from IP SLA.

 

If you look here:

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/eem/command/eem-cr-book/eem-cr-e1.html#wp2241131084

 

You can see that there are quite a few options to set what exactly you want to trigger on with regards to IP SLA.

I think you have to define reactions or triggers to match on IP SLA related events (events being state transitions… up to down, down to up, threshold limits, etc)

 

To be honest, I got the best results from EEM and IP SLA by having EEM match on the syslog messages IP SLA produces…

> working on an EEM script which is triggered by an IP SLA down

> state on an ASR1000 running IOS-XE 3.11.1S.  While the IP SLA entry

> detects the state properly, the EEM does not trigger.  I’m not finding

> anything relevant on the bug toolkit, and I am not seeing anything

> with my Google-fu.

>

> Here’s the configuration:

>

> ip sla 1

>   icmp-echo 1.1.1.1 source-ip 1.1.1.2

>   vrf GREEN

>   tag SITE-DOWN

>   frequency 5

> ip sla schedule 1 life forever start-time now !

> event manager applet SITE-DOWN

>   description Site 1.1.1.1 is down

>   event ipsla operation-id 1

>   action 1.0 syslog priority critical msg “ALERT: Site 1.1.1.1 is down”

> !

>

> And here is what I see when I look the status of the IP SLA entry and

> the EEM entry.  IP SLA looks fine, the EEM isn’t triggering despite

> being registered.

>

>

> rtr5#sh ip sla statistics 1
> IPSLAs Latest Operation Statistics
>
> IPSLA operation id: 1
>         Latest RTT: NoConnection/Busy/Timeout
> Latest operation start time: 11:42:21 EST Mon Jan 18 2016
> Latest operation return code: Timeout
> Number of successes: 0
> Number of failures: 301
> Operation time to live: Forever
> !
> rtr5#sh event manager policy registered
> No.  Class     Type    Event Type          Trap  Time Registered           Name
> 1    applet    user    ipsla               Off   Mon Jan 18 11:24:46 2016  SITE-DOWN
>   operation-id {1}
>   maxrun 20.000
>   action 1.0 syslog priority critical msg "ALERT: Site 1.1.1.1 is down"
> !
> rtr5#sh event manager statistics policy
>
>                                         Average        Maximum
> No.  Class     Triggered   Suppressed  Run Time       Run Time       Name
> -------------------------------------------------------------------------
> 1    applet    0           0           0.000          0.000          SITE-DOWN
> event {} ipsla

 

 


 

>(Specifically what I’m looking for is something that hooks into IP SLA

>or Ethernet OAM/CFM and takes a link out of IGP routing if packet loss

>crosses a certain threshold – we recently had a carrier break their

>metro network in interesting ways, leading to 50% packet loss, which

>was enough to effectively take the site offline, but IGP stubbornly

>clung to “I have seen a keepalive!”)

 

something like this could get you started, Gert?

 

1) Trigger based on SNMP interface error counters.

The rate is always calculated per second. The average factor identifies the number of data points (one for each poll-interval) that will be averaged for the rate calculation. The average factor needs to be a minimum of 2.

 

event manager applet INTERFACE-ERRORS trap
event snmp oid ifEntry.14.XX get-type exact entry-op ge entry-val 10 entry-type rate average-factor 2 poll-interval 5
action 20.0 syslog msg "disabling Gigxxx due to errors"
action 30.0 cli command "enable"
action 30.1 cli command "config terminal"
action 40.0 cli command "interface Gig XX"
action 50.0 cli command "ip ospf cost 9999"
action 60.0 cli command "end"

 

and a reverse one to reduce the cost back in case the error rate falls below a threshold?
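As an added illustration (my code, not from the post), here is the trigger arithmetic the applet relies on: counter deltas per poll-interval averaged over average-factor data points, with an optional exit threshold acting as hysteresis so the cost change and its reverse do not flap. The exact averaging window EEM uses internally is my assumption; the ifInErrors readings are constructed.

```python
from collections import deque


class SnmpRateTrigger:
    """Models 'event snmp oid ... entry-op ge entry-val N entry-type rate
    average-factor F poll-interval P [exit-op le exit-val M]'.
    Assumed semantics, following the post's prose: one data point per poll,
    rate = counter delta per second, averaged over F consecutive deltas."""

    def __init__(self, entry_val, poll_interval, average_factor, exit_val=None):
        if average_factor < 2:
            raise ValueError("average-factor needs to be a minimum of 2")
        self.entry_val, self.exit_val = entry_val, exit_val
        self.poll_interval, self.average_factor = poll_interval, average_factor
        self.readings = deque(maxlen=average_factor + 1)  # F deltas need F+1 readings
        self.armed = True          # once fired, re-arms only when the exit criteria are met
        self.last_rate = None

    def poll(self, counter_value):
        """Feed one polled counter reading; return 'entry', 'exit' or None."""
        self.readings.append(counter_value)
        if len(self.readings) < self.readings.maxlen:
            return None                              # not enough data points yet
        r = list(self.readings)
        deltas = [b - a for a, b in zip(r, r[1:])]
        self.last_rate = sum(deltas) / len(deltas) / self.poll_interval
        if self.armed and self.last_rate >= self.entry_val:
            self.armed = self.exit_val is None       # without exit-op the event can fire on every poll
            return "entry"
        if not self.armed and self.exit_val is not None and self.last_rate <= self.exit_val:
            self.armed = True
            return "exit"
        return None


# Constructed ifEntry.14 (ifInErrors) readings taken every poll-interval (5 s).
SAMPLE_IFINERRORS = [1000, 1050, 1150, 1150, 1150]


def replay(trigger, readings):
    """Run a sequence of counter readings through the trigger, one per poll."""
    return [trigger.poll(v) for v in readings]
```

With `entry-val 10` and an exit value of 2, the third reading (average 75 errors per 5 s interval = 15/s) fires the cost change and the last one, at 0/s, fires the reverse.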

 

You can also trigger based on IP SLA, for example the trigger below:

 

2) Trigger based on the RTT delay MIB:

Use the RTT delay MIB associated with RTR probes to trigger when the delay is too long. rttMonLatestJitterOperRTTSum shows the sum of delays for the probes sent during the last interval. By default 10 probes are sent. To trigger on a 10 ms RTT delay, the trigger value must be set below 100.

 

event manager applet TEST3-SNMP-RTT-Delay trap
event snmp oid rttMonLatestJitterOperRTTSum.1 get-type exact entry-op ge entry-val 90 entry-type value exit-op le exit-val 20 poll-interval 10
[…]

 

For Ethernet OAM/CFM, you could hook EEM into the syslog messages it produces? You can also parse the syslog string using a regexp; check the applet I found somewhere:

 

event manager applet TunnelLost
event syslog occurs 1 pattern "OSPF-5-ADJCHG.*on Tunnel.*FULL to DOWN" period 1
action 100 regexp "on (Tunnel[0-9]+) from" "$_syslog_msg" match ifname
action 200 if $_regexp_result eq 1
action 210 cli command "show interface $ifname | include Description:"
action 220 end
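To see how the applet's two patterns cooperate, here is an added Python version of its match logic (mine, not from the post) run over a few constructed syslog lines: the event pattern decides whether the applet fires at all, and the capture group in the regexp action is what ends up in `$ifname` for the show command. The sample lines are constructed, not real router output.

```python
import re

# Patterns copied from the TunnelLost applet above.
EVENT_PATTERN = re.compile(r"OSPF-5-ADJCHG.*on Tunnel.*FULL to DOWN")
IFNAME_PATTERN = re.compile(r"on (Tunnel[0-9]+) from")

# Constructed sample syslog lines, not real router output.
SAMPLE_SYSLOG = [
    "%OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on Tunnel12 from FULL to DOWN, "
    "Neighbor Down: Dead timer expired",
    "%OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.3 on GigabitEthernet0/1 from FULL to DOWN, "
    "Neighbor Down: Interface down or detached",
    "%OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on Tunnel12 from LOADING to FULL, Loading Done",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel7, changed state to down",
]


def tunnel_lost_ifname(msg):
    """Return what the applet would store in $ifname, or None.

    None means either the 'event syslog pattern' did not fire for this
    message, or 'action 100 regexp' left $_regexp_result at 0 so that
    action 210 (the show command) is skipped."""
    if not EVENT_PATTERN.search(msg):
        return None
    m = IFNAME_PATTERN.search(msg)
    return None if m is None else m.group(1)


def eem_command(ifname):
    """The CLI string action 210 builds once $ifname is set."""
    return "show interface %s | include Description:" % ifname


def scan(lines):
    """Run the applet's match logic over a batch of syslog lines."""
    return [eem_command(n) for n in map(tunnel_lost_ifname, lines) if n]
```

Note that the second line, a real FULL to DOWN on a non-tunnel interface, is ignored because the event pattern itself is restricted to `on Tunnel`.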

 

ASA – Flash Not enough space on device

ciscoasa# wr
Building configuration…
Cryptochecksum: 790852d1 cfda3bca 9c9c8ecc c9520791

%Error copying system:/running-config (Not enough space on device)
Error executing command
[FAILED]
ciscoasa# dir
ciscoasa# dir

Directory of disk0:/

2218 drw- 0 09:48:47 Jan 19 2016 coredumpinfo
2216 drw- 0 09:48:43 Jan 19 2016 crypto_archive
2183 drwx 0 09:48:25 Jan 19 2016 log

0 bytes total (0 bytes free)
ciscoasa# format
ciscoasa# format fl
ciscoasa# format flash: ?

<cr>
ciscoasa# format flash:

Format operation may take a while. Continue? [confirm]

Format operation will destroy all data in “flash:”. Continue? [confirm]
Initializing partition – done!
mkdosfs 2.11 (12 Mar 2005)

System tables written to disk

Format of disk0 complete
ciscoasa#
ciscoasa#
ciscoasa# wr
Building configuration…
Cryptochecksum: 790852d1 cfda3bca 9c9c8ecc c9520791

6654 bytes copied in 1.720 secs (6654 bytes/sec)
[OK]
ciscoasa#

ASA – tftpdnld

http://www.petenetlive.com/KB/Article/0000792

rommon #6> ADDRESS=10.70.0.241
rommon #7> set
ROMMON Variable Settings:
ADDRESS=10.70.0.241
SERVER=0.0.0.0
GATEWAY=0.0.0.0
PORT=Management0/0
VLAN=untagged
IMAGE=
CONFIG=
LINKTIMEOUT=20
PKTTIMEOUT=4
RETRY=20

rommon #8> SERVER=10.70.0.183
rommon #9> GATEWAY=10.70.0.183
rommon #10> IMAGE=asa825-smp-k8.bin
rommon #11> tftp
ROMMON Variable Settings:
ADDRESS=10.70.0.241
SERVER=10.70.0.183
GATEWAY=10.70.0.183
PORT=Management0/0
VLAN=untagged
IMAGE=asa825-smp-k8.bin
CONFIG=
LINKTIMEOUT=20
PKTTIMEOUT=4
RETRY=20

tftp asa825-smp-k8.bin@10.70.0.183 via 10.70.0.183
Received 17786880 bytes

Launching TFTP Image…

Execute image at 0x14000
Cisco Security Appliance admin loader (3.0) #0: Fri May 20 16:01:46 MDT 2011

ASR920 – Rosen-VPN

Just to avoid confusion regarding MVPN profiles in the future: NG-MVPN could be RSVP or mLDP based, and there is Rosen in there as well, so I suggest using these descriptions:

 

Rosen-mGRE profiles (profiles 0, 3, 11)

Rosen-mLDP profiles (profiles 1, 9, 12, 13, 17)

mLDP profiles (profiles 2, 4, 5, 14, 15)

inband mLDP profiles (profiles 6, 7)

 

List of profiles:

Profile 0 Default MDT – GRE – PIM C-mcast Signaling
Profile 1 Default MDT – MLDP MP2MP – PIM C-mcast Signaling
Profile 2 Partitioned MDT – MLDP MP2MP – PIM C-mcast Signaling
Profile 3 Default MDT – GRE – BGP-AD – PIM C-mcast Signaling
Profile 4 Partitioned MDT – MLDP MP2MP – BGP-AD – PIM C-mcast Signaling
Profile 5 Partitioned MDT – MLDP P2MP – BGP-AD – PIM C-mcast Signaling
Profile 6 VRF MLDP – In-Band Signaling
Profile 7 Global MLDP In-band Signaling
Profile 8 Global Static – P2MP-TE
Profile 9 Default MDT – MLDP – MP2MP – BGP-AD – PIM C-mcast Signaling
Profile 10 VRF Static – P2MP TE – BGP-AD
Profile 11 Default MDT – GRE – BGP-AD – BGP C-mcast Signaling
Profile 12 Default MDT – MLDP – P2MP – BGP-AD – BGP C-mcast Signaling
Profile 13 Default MDT – MLDP – MP2MP – BGP-AD – BGP C-mcast Signaling
Profile 14 Partitioned MDT – MLDP P2MP – BGP-AD – BGP C-mcast Signaling
Profile 15 Partitioned MDT – MLDP MP2MP – BGP-AD – BGP C-mcast Signaling
Profile 16 Default MDT Static – P2MP TE – BGP-AD – BGP C-mcast Signaling
Profile 17 Default MDT – MLDP – P2MP – BGP-AD – PIM C-mcast Signaling
Profile 18 Default Static MDT – P2MP TE – BGP-AD – PIM C-mcast Signaling
Profile 19 Default MDT – IR – BGP-AD – PIM C-mcast Signaling
Profile 20 Default MDT – P2MP-TE – BGP-AD – PIM C-mcast Signaling
Profile 21 Default MDT – IR – BGP-AD – BGP C-mcast Signaling
Profile 22 Default MDT – P2MP-TE – BGP-AD – BGP C-mcast Signaling
Profile 23 Partitioned MDT – IR – BGP-AD – PIM C-mcast Signaling
Profile 24 Partitioned MDT – P2MP-TE – BGP-AD – PIM C-mcast Signaling
Profile 25 Partitioned MDT – IR – BGP-AD – BGP C-mcast Signaling
Profile 26 Partitioned MDT – P2MP TE – BGP-AD – BGP C-mcast Signaling

 

For more info please refer to:

http://www.cisco.com/c/en/us/support/docs/multiprotocol-label-switching-mpls/multiprotocol-label-switching-vpns-mpls-vpns/118983-configure-mpls-00.html#anc48

as well as:

http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r4-2/multicast/configuration/guide/b_mcast_cg42asr9k/b_mcast_cg42asr9k_chapter_01.html#concept_071C3FD3AAB24A57A9AA711FAE7BE78F

all the way down to:

Summary of Supported MVPN Profiles

 

draft rosen model, as stated here for IOS XE 3.17

http://www.cisco.com/c/en/us/td/docs/routers/asr920/release/notes/ASR920_rel_notes/new_features.html#pgfId-1085169

protected port

you could simply use the “protected port” feature.

Devices connected to a Protected port are not able to talk to each other, even if they are within the same vlan.

 

conf t

int gi 0/1

switchport mode access

switchport access vlan x

switchport protected

spanning-tree portfast

 

The protected port feature only works locally on a switch, while private VLANs can span multiple switches. It is much easier than configuring private VLANs and should work for your use case just fine.

ASR1k Port-channel hash algo

Does the ASR1K not support layer-4 port # hash (src/dst IP + tcp ports) for port-channel load balancing?

All I can see that can be configured is src/dst IP:

 

asr1k(config)#port-channel load-balance-hash-algo ?

dst-ip       Destination IP

dst-mac      Destination MAC

src-dst-ip   Source XOR Destination IP Addr

src-dst-mac  Source XOR Destination MAC

src-ip       Source IP

src-mac      Source MAC

 

 

asr1k#sh etherchan load | in channel

Port-channel1                   :  flow-based (Source Destination IP)

 

Should be flow-based by default (just don’t configure anything else):

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/lanswitch/configuration/xe-3s/asr1000/lanswitch-xe-3s-asr1000-book/lnsw-flow-portchannel-load.html

 

Cisco network acquisitions

Insieme is the Cisco-backed skunkworks venture group they use for some new tech. These guys operate outside Cisco and develop product to eventually be bought/acquired.

 

Nx9k is the latest example.   I’m told the original catalyst and cat5k were similar.

No, the Catalysts were external acquisitions. Low end stuff like the 1900 came from Grand Junction, the 3K was Kalpana, and the 5K & 6K Crescendo.

>

> On Thu, Dec 31, 2015 at 04:17:07PM +0000, Justin Ream wrote:

>> As far as internal Cisco politics go: I’ve heard the situation has

>> changed with the new CEO. Nexus 7000/7700 sits in the same BU as

>> Cat6k. The Insieme/Nexus 9k guys operate in their own separate unit.

ASR920 – Service instance

 

This should be straightforward.

Configure the trunk towards the 9k via Trunk EFP [1] and the port as per [2].

 

Config should look like this:

! S-VLANs:
bridge-domain 1-5, 7, 9-12
!
interface gigabitethernet2/0/1
descr Trunk to ASR9k
service instance trunk 1 ethernet
encapsulation dot1q 1-5,7,9-12
rewrite ingress tag pop 1 symmetric
bridge-domain from-encapsulation
!
!
interface gigabitethernet2/0/2
descr Customer C-vlan range 100-200 in S-vlan 5
service instance 5 ethernet
encapsulation dot1q 100-200
bridge-domain 5

 

[1] http://www.cisco.com/c/en/us/td/docs/routers/asr920/configuration/guide/ce/b_ce_xe-313s-asr920-book/b_ce_xe-313s-asr920-book_chapter_00.html#GUID-FE6D829C-A814-46F3-A9E6-4AFC094AB066

[2] http://www.cisco.com/c/en/us/td/docs/routers/asr920/configuration/guide/ce/b_ce_xe-313s-asr920-book/b_ce_xe-313s-asr920-book_chapter_01.html#ID-1384-00000345

 

asr1000 nat logging

 

Show flow monitor exporter statistics

 

You need to use the show commands to see if the ASR thinks the traffic is leaving: what is the output of show flow exporter? I always find it's something like SELinux on the collector, and this stops you from seeing it in tcpdump.

 

On my Cisco ASR1001-X, NAT logging does not work.

I do not see traffic on the collector with tcpdump.

I tried this software:

System image file is “bootflash:/asr1001x-universalk9.03.12.01.S.154-2.S1-std.SPA.bin”

System image file is “bootflash:/asr1001x-universalk9.03.15.00.S.155-2.S-std.SPA.bin”

 

 

interface TenGigabitEthernet0/0/0
description Downlink-to-X670
ip address 10.254.253.18 255.255.255.252
no ip redirects
no ip unreachables
ip nat inside
ip flow monitor flow_v5 input
ip flow monitor flow_v5 output
service-policy type control CTRL-IPOE
ip subscriber routed
initiator unclassified ip-address
end

 

ip nat settings mode cgn
no ip nat settings support mapping outside
ip nat settings pap limit 60
ip nat log translations flow-export v9 udp destination 10.0.0.122 9995 source TenGigabitEthernet0/0/0
ip nat log translations flow-export v9 vrf 0 on
ip nat translation timeout 300
ip nat translation tcp-timeout 1800
ip nat translation pptp-timeout 1800
ip nat translation udp-timeout 60
ip nat translation finrst-timeout 10
ip nat translation syn-timeout 10
ip nat translation dns-timeout 10
ip nat translation icmp-timeout 10
ip nat translation port-timeout tcp 80 360
ip nat translation port-timeout tcp 8080 360
ip nat translation port-timeout tcp 1600 180
ip nat translation port-timeout tcp 110 180
ip nat translation port-timeout tcp 25 180
ip nat translation max-entries all-host 2000
ip nat pool NAT_POOL_18.19.142 18.19.142.0 18.19.142.254 netmask 255.255.255.0
ip nat inside source list ACL_NAT_18.19.142 pool NAT_POOL_18.19.142 overload

 

 

 

flow exporter carbon4_v5

destination 172.1.1.2

transport udp 9996

export-protocol netflow-v5

!

!

flow monitor flow_v5

exporter carbon4_v5

cache timeout inactive 10

cache timeout active 1000

record netflow-original
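Since the question is whether the v9 NAT translation export (to 10.0.0.122:9995, separate from the v5 flow exporter above) ever reaches the collector, here is an added collector-side check, my code rather than anything from the thread: a minimal NetFlow v9 parser that decodes the template and data flowsets of a captured datagram, so a packet seen in tcpdump can be confirmed as a NAT record and not just the unrelated v5 export. The sample datagram is constructed; field numbers 225 and 227 are the IPFIX post-NAT source address and port IEs, which I assume is what the NAT logging export carries.

```python
import struct
from ipaddress import IPv4Address

IPV4_FIELDS = {8, 12, 225, 226}   # IPv4 src/dst and IPFIX post-NAT src/dst address IEs


def parse_v9(pkt):
    """Parse one NetFlow v9 datagram: returns (header, templates, records)."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    version, count, uptime, secs, seq, source_id = struct.unpack("!HHIIII", pkt[:20])
    if version != 9:
        raise ValueError("not NetFlow v9 (version %d)" % version)
    header = {"count": count, "uptime_ms": uptime, "unix_secs": secs,
              "sequence": seq, "source_id": source_id}
    templates, records, off = {}, [], 20
    while off + 4 <= len(pkt):
        fs_id, fs_len = struct.unpack("!HH", pkt[off:off + 4])
        if fs_len < 4:
            raise ValueError("bad flowset length")
        body = pkt[off + 4:off + fs_len]
        if fs_id == 0:                       # template flowset, may carry several templates
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                if nfields == 0:             # trailing padding
                    break
                templates[tid] = [struct.unpack("!HH", body[p + 4 + 4 * i:p + 8 + 4 * i])
                                  for i in range(nfields)]
                p += 4 + 4 * nfields
        elif fs_id >= 256 and fs_id in templates:   # data flowset with a template we have seen
            fields = templates[fs_id]
            rec_len, p = sum(l for _, l in fields), 0
            while rec_len and p + rec_len <= len(body):
                rec = {}
                for ftype, flen in fields:
                    raw = body[p:p + flen]
                    rec[ftype] = (str(IPv4Address(raw)) if ftype in IPV4_FIELDS and flen == 4
                                  else int.from_bytes(raw, "big"))
                    p += flen
                records.append(rec)
        # data flowsets whose template has not arrived yet are skipped, as a collector would
        off += fs_len
    return header, templates, records


def build_sample():
    """Constructed datagram: one template (id 256) and one NAT-style record."""
    fields = [(8, 4), (12, 4), (7, 2), (225, 4), (227, 2)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    rec = (IPv4Address("10.1.2.3").packed + IPv4Address("203.0.113.9").packed
           + struct.pack("!H", 51234) + IPv4Address("198.51.100.7").packed + struct.pack("!H", 1025))
    data_fs = struct.pack("!HH", 256, 4 + len(rec)) + rec
    header = struct.pack("!HHIIII", 9, 2, 123456, 1453131741, 1, 0)
    return header + tmpl_fs + data_fs
```

A datagram whose data flowset arrives before its template yields no records, which is also why a collector started mid-stream shows nothing until the exporter resends templates.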

 
