Ciscoman's notes (Записки цыщика c дипломом)

I'm a Cisco Champion Community member for 2017!
"Cisco Champions are passionate about Cisco and happy to share our knowledge, experience, and feedback."

Thursday, October 27, 2011

debug ip packet rcvd explanation

From the Cisco Support Community, https://supportforums.cisco.com/thread/2111309

"rcvd 0" we've decremented ttl on input. it's now 0 but it might be for us (like OSPF MCAST which is TTL=1 from beginning)

"rcvd 1" not routing this, we're passing it to bridging code. might also see this even with bridging turned off (router config'd as an endstation)

"rcvd 2" can't route the packet. final check to see if it's for us. usually packets sent to this router where debug is done.

"rcvd 3" input & output interface are the same but we can't redirect the packet for some reason (NAT maybe?) and it's not for us

"rcvd local pkt" it came from us originally, dropping

"rcvd 4" not sure, but looks like it's for us, just not the input interface (one of the other ones) - loopback in your case.

"rcvd 5" can't route the packet, see if it's for us before dropping. not sure but this could be failure at the output interface such as encapsulation failure

"rcvd 6" looks like for us if we have an IP alias entry due to NAT or something. Should jive with "show ip alias"

"rcvd 7" goes to one of our secondary IP addresses

Sunday, October 23, 2011

Cisco support community in Russian

Did you know that the NetPro community is now available in Russian too? It is especially nice that it is the third one, after Spanish and Japanese. Join: https://supportforums.cisco.com/community/russian?view=overview

How to track the cause of a high number of connections on ASA/FWSM

Today somebody asked on the Cisco Support Community how to track the cause of a high number of connections on an ASA/FWSM. I thought about it a little and wrote down this answer; I hope it will be helpful for anybody facing this issue:

TIP: If you have some kind of Unix box, run show conn, export its output to a file and copy that file to the Unix box. Then, on the Unix box, run:

cat <file> | sed -e 's/:/ /g' | awk '{print $6}' | sort | uniq -c | sort -g

The output will be like this:

      7 10.96.158.1
      7 10.96.177.1
      7 10.96.19.1
      7 10.96.198.1
      7 10.97.29.1
      7 10.97.58.1
      7 10.97.60.1
      8 10.97.30.1
      8 10.97.43.1
      9 10.96.117.1
      9 10.96.34.1
      9 10.97.10.1
     10 10.96.159.1
     18 212.248.105.74
     26 10.96.2.34

Here the first column is the connection count and the second column is the address of the inside host (after sed replaces the colons, the inside IP is field 6 of each show conn line). For a per-outside-host count use {print $3} instead.
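The same per-host count as the awk pipeline, written out as an added Python example (not code from the original post): it parses show conn lines, skips the "in use" header, counts connections per host on either interface regardless of which side is listed first, and flags hosts above a threshold. It assumes the ASA "TCP outside a.b.c.d:port inside w.x.y.z:port, ..." line format; the sample output is constructed, not a real capture.

```python
import re
from collections import Counter

# Constructed sample of ASA "show conn" output (not a real capture).
SAMPLE_SHOW_CONN = """\
5 in use, 12 most used
TCP outside 212.248.105.74:443 inside 10.96.2.34:50112, idle 0:00:05, bytes 4120, flags UIO
TCP outside 212.248.105.74:443 inside 10.96.2.34:50113, idle 0:00:02, bytes 1980, flags UIO
UDP outside 8.8.8.8:53 inside 10.96.2.34:40001, idle 0:00:01, bytes 0, flags -
TCP outside 212.248.105.74:80 inside 10.96.159.1:33000, idle 0:01:12, bytes 512, flags UIO
UDP outside 8.8.8.8:53 inside 10.96.19.1:40010, idle 0:00:00, bytes 0, flags -
"""

# One connection line: proto, interface, ip:port, interface, ip:port, then idle/bytes/flags.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<if_a>\S+)\s+(?P<ip_a>[\d.]+):(?P<port_a>\d+)"
    r"\s+(?P<if_b>\S+)\s+(?P<ip_b>[\d.]+):(?P<port_b>\d+)"
)


def parse_conns(text):
    """Yield one dict per connection line; header lines such as '5 in use' do not match."""
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            yield m.groupdict()


def count_by_interface(text, interface="inside"):
    """Connections per host on the given interface, busiest first.

    Same result as the awk pipeline ($6 for inside, $3 for outside), but it does
    not depend on the interface order within the line."""
    counts = Counter()
    for c in parse_conns(text):
        if c["if_a"] == interface:
            counts[c["ip_a"]] += 1
        elif c["if_b"] == interface:
            counts[c["ip_b"]] += 1
    return counts.most_common()


def hosts_over_limit(text, limit, interface="inside"):
    """Hosts holding more than `limit` connections; candidates for a per-host conn-max or a closer look."""
    return [ip for ip, n in count_by_interface(text, interface) if n > limit]


if __name__ == "__main__":
    for ip, n in count_by_interface(SAMPLE_SHOW_CONN):
        print(f"{n:7d} {ip}")
```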

Tuesday, October 18, 2011

OSPF E1 vs N1 vs E2 vs N2

1. N1 & E1 are preferred over N2 & E2 for the same route.
2. When N1 & E1 have the same route to the destination, the one that has the lower cost / metric will win and get into the routing table.
3. If both N1 & E1 have the same cost, the P-bit in N1 will be used to break the tie.
4. If the P-bit is 0 (then it would become E1), we will have 2 E1 routes installed into the routing table (otherwise, if maximum-path = 1, the LSA with the higher Router-ID will get installed).

See RFC 3101 for details.

Update 1. The Cisco IOS OSPF implementation differs significantly from the RFC:
http://blog.ioshints.info/2008/01/e1-and-e2-routes-in-ospf.html This article is outdated.

Update 2. Enable 'capability rfc1587' to fall back to the "E2 is preferred over N2" route selection algorithm.

Thursday, October 13, 2011

How to filter annoying syslog messages from Cisco IOS

SW_MATM-4-MACFLAP_NOTIF due to wifi devices

These messages can be annoying if you run a wireless network with a lot of roaming on a Cisco architecture such as C3750s.

Here is how to ensure the messages get completely ignored if you are tired of seeing them:

logging discriminator nolog msg-body drops flapping
logging buffered discriminator nolog
logging console discriminator nolog
logging monitor discriminator nolog
logging host X.X.X.X discriminator nolog

Monday, October 10, 2011

VTI-based IPSec NB

With the Cisco IOS Software crypto map based system, the IPsec subsystem will request SAs to be established upon seeing interesting traffic that matches the crypto map. In a VTI-based IPsec VPN, IPsec requests SA establishment as soon as the virtual tunnel interfaces (VTIs) are fully configured.
