CFC linecards on 7600 – traffic punted to RP

7606s-test#show fm sum

Interface: GigabitEthernet6/2 is up
TCAM screening for features: ACTIVE inbound
Interface: Vlan1600 is up
TCAM screening for features: ACTIVE inbound

Gi6/2 is mnagement port on RSP, Vlan1600 is active on Te4/1 in access mode.

!SVI of VLAN active on Te4/1
interface Vlan1600
ip address 192.168.100.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
load-interval 30
end

! null routing of destination IP of packets generated by downstream
device on te4/1
ip route 192.168.115.1 255.255.255.255 null0

7606s-test#show int vlan 1600
Vlan1600 is up, line protocol is up
30 second input rate 48325000 bits/sec, 100677 packets/sec
30 second output rate 0 bits/sec, 0 packets/sec

7606s-test#top
CPU utilization for five seconds: 49%/48%; one minute: 48%; five
minutes: 34%

7606s-test#show ibc
Interface information:
Interface IBC0/0(idb 0x18D112A4)
5 minute rx rate 34956000 bits/sec, 72805 packets/sec
5 minute tx rate 0 bits/sec, 0 packets/sec

7606s-test#show netdr captured-packets
——- dump of incoming inband packet ——-
interface Vl1600, routine process_rx_packet_inline, timestamp 03:14:18.723
dbus info: src_vlan 0x640(1600), src_indx 0xC0(192), len 0x40(64)
bpdu 0, index_dir 0, flood 0, dont_lrn 0, dest_indx 0x380(896)
A8020400 06400000 00C00000 40000000 00110524 0E000040 00000000 03802000
destmac 00.21.D8.CB.4B.00, srcmac 00.1B.21.D7.36.74, protocol 0800
protocol ip: version 0x04, hlen 0x05, tos 0x00, totlen 28, identifier 6692
df 0, mf 0, fo 0, ttl 64, src 192.168.100.2, dst 192.168.115.1
udp src 3854, dst 10000 len 8 checksum 0x102A

>
> On 5 Nov 2014, at 18:32, Jiri Prochazka wrote:
>
>> We will try the same setup with another RSP720-3CXL. I am getting to
>> the point it may be faulty Sup, even it seems very odd for me.
>> Everything works, but uRPF on CFC equipped cards..
>
> What other features do you have turned on which use up TCAM space?
>
> It’s sure sounding like a bug, though.
>
> Also, the output from sh fm sum when the issue is occurring might be
> useful, as well.

Cisco

H-VPLS/P2MP style functionality with L2TPv3 inside VFI

 I’m trying to lab up a hub and spoke L2 VPN scenario using L2TPv3.

CPEs are ISR G2s such as 1941 and the PE/Hub is an ME3600. I’m not having much luck so I wondered if I’m chasing a ghost; Has anyone used
L2TPv3 xconnects (due to lack of MPLS) into a VFI on an ME3600 to get this scenario to work?

Perhaps you used something else that worked? Or do you think this simply can’t be done?

When mixing L2TPv3 with VFIs, is the logic present to do things like MAC learning, I’ve never tried this without MPLS and/or BGP.


Something like;


pseudowire-class l2tpv3-class
 encapsulation l2tpv3
 interworking ethernet
 ip local interface looopback 0

l2 vfi TEST manual
 vpn id 100
  bridge-domain 200
  neighbor 1.1.1.1 pw-class l2tpv3-class
  neighbor 2.2.2.2 pw-class l2tpv3-class

int gi0/2
 switchport mode trunk
 switchport trunk allow vlan none
  service instance 200 ethernet
  uncapsulation untagged
  bridge-domain 200

int vlan200
 no ip address

Cisco

ASR1k capacity/operate

Operating an ASR 1000  | https://clnv.s3.amazonaws.com/2015/usa/pdf/BRKARC-2019.pdf
http://www.slideshare.net/RouterAnalysis/cisco-asr-1000-series-testing-results-and-analysis
It would be a single pass through the QFP. The SIP could also be a limiting factor, but since you are split between SIPs that shouldn’t be an issue.
The SIP 40 has 2x 40Gig lanes on the backplane. Are you doing crypto or anything like that which would impact performance?There is a great Cisco Live preso on the ASR1k architecture that might help you get some ammo to go back to TAC with.
http://d2zmdbbm9feqrf.cloudfront.net/2014/usa/pdf/BRKARC-2001.pdf
According to cisco’s literature the 40G capacity is outbound direction only.
This includes traffic replication so you could have 1G in and 40G out or
50G in and 40G out but you should be able to get 40G out unless you are
using features that are causing core congestion on the QFP (which is possible).
Cisco

Cisco to support flow spec

Looks like 5.2.0 has been available since July.

http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r5-2/general/release/notes/reln_520a9k.html
http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r5-2/routing/configuration/guide/b_routing_cg52xasr9k/b_routing_cg52xasr9k_chapter_011.html

 7.3, last I heard..

Also, is this RFC 5575-compliant flowspec?

 yes, with some recent enhancements to the specs (v6 support, relaxed origin check, extra redirect options, and a few more)

Cisco, Security

Zoek in project Uni1c0rn

Project Un1c0rn is a search engine exposing open, vulnerable and weak services since May 2014 ... Leaking mysqlmongo and heartbleed services worldwide ... Disclosure is the solution ... Un1c0rn won't die ... We don't ask, we host ... Back online, uptime should now be good, DB migration coming later. Leakhorn
Security

Traffic Generators

opensource solutions, scapy will probably be able

to do the job.
> IMIX and other standard load tests.I’m using IPERF now, but this is
> simply a load gen.  No IMIX etc Suggestions ?A little script with bwping (TOS, MTU) is not enough to try to make a ~~pseudo~~ RFC2544 test ?
Sorry if it is not what you are searching for.

So I have started playing with this, I think it should do we you want (I have the same requirement);http://traffic.comics.unina.it/software/ITG/

> When it comes to minimum size packets, I’m not aware of open source
> software that can congest 1GE port. Operating systems are not really
> tuned to do 1Gbps UDP streams on small packets. You can achieve that,
> even more, but you need to go quite low level, UDP socket you must
> forget immediately event with sendmmsg/recvmmsg. Raw sockets and
> modern CPU and you’ll probably be able to reach 1Gbps per core, but I
> don’t know software available that would be productized even to iperf level here, would love to hear about one.

Some open source software I am writing can do 1Gbps (and likely beyond, I don’t have any 10G NICs to test on, yet!), although it’s for testing at the Ethernet layer so not really applicable here;

https://github.com/jwbensley/Etherate

One of the main features I am working on now (as I’m still writing the initial version) is loading the frame payload from file so that payload data *could* be UDP but it’s not really ment for testing higher than Ethernet and/or MPLS level.

Cheers,
James.

>
> When it comes to minimum size packets, I’m not aware of open source
> software that can congest 1GE port. Operating systems are not really
> tuned to do 1Gbps UDP streams on small packets. You can achieve that,
> even more, but you need to go quite low level, UDP socket you must
> forget immediately event with sendmmsg/recvmmsg. Raw sockets and
> modern CPU and you’ll probably be able to reach 1Gbps per core, but I
> don’t know software available that would be productized even to iperf level here, would love to hear about one. 

Scapy [1] should be able to do that easily, so should mausezahn [2]. Of course you don’t open use regular TCP/UDP socket API for this, but some raw form of it and generate the whole packet in userspace.[1] http://www.secdev.org/projects/scapy/
[2] http://www.perihel.at/sec/mz/

Netwerk (C-NSP)
1 18 19 20 21 22