Tuesday, August 30, 2011

Maximum Number of Interfaces and Subinterfaces for Cisco IOS Platforms: IDB Limits


Background Information

An Interface Descriptor Block (IDB) is a special control structure internal to the Cisco IOS software that contains information such as the IP address, interface state, and packet statistics. Cisco IOS software maintains one IDB for each interface present on a platform and one IDB for each subinterface.
There are two main types of IDBs:
  • Hardware IDBs (HWIDBs)
  • Software IDBs (SWIDBs)
A HWIDB represents a physical interface, which includes physical ports and channelized interface definitions. A SWIDB represents a logical sub-interface (Permanent Virtual Circuit (PVC) or virtual LAN (VLAN)), or a Layer 2 encapsulation (Point-to-Point Protocol (PPP), High-Level Data Link Control (HDLC), and so forth).
Each physical interface on the router consumes a minimum of two IDBs:
  • One HWIDB for the physical port
  • One SWIDB for the Layer 2 encapsulation
A channelized port consumes N+1 HWIDBs, where N is the number of channels within the physical port, plus a minimum of N SWIDBs (one Layer 2 encapsulation per channel). Any sub-interfaces that you define each add another SWIDB.
Each tunnel interface definition, such as Universal Transport Interface (UTI), Generic Routing Encapsulation (GRE), Multiprotocol Label Switching Traffic Engineering (MPLS TE), or Any Transport over MPLS (AToM) consumes an HWIDB plus one SWIDB per tunnel, plus an additional SWIDB for each additional sub-interface, for example, a Frame Relay PVC, that is tunneled. The tunnel IDBs are in addition to the original interface(s) that are tunneled.
Layer 2 Tunnel Protocol Version 3 (L2TPv3), which replaces UTI in Cisco IOS Software Release 12.0(23)S, does not consume IDBs, because L2TPv3 is a session-based pseudo-wire implementation rather than a defined tunnel interface such as UTI.
The maximum number of interfaces (physical, subinterface, or virtual) a router can handle depends on the maximum number of SWIDBs that the router can use. This limit used to be set to 300 for all platforms, but with the emergence of features such as frame-relay subinterfaces, multilink Point-to-Point Protocol (PPP), and virtual private dial-up network (VPDN) that uses virtual interfaces, this value has proven to be insufficient on some platforms.
Cisco has performed extensive work to scale Cisco IOS software to these new requirements. From Cisco IOS Software Release 11.3T and later, the IDB limit depends on the platform and the Cisco IOS software release. The IDB limit now indicates the maximum number of interfaces a router can handle, if you assume that other resources, such as memory, CPU, and so forth, are available.
In order to see the maximum number of IDBs, and the number of IDBs currently in use, along with their memory consumption, use the show idb IOS command. This command is available in Cisco IOS Software Releases 12.1(9), 12.1(9)E, 12.1(9)EC, 12.0(18)S/ST, 12.2(x), 12.2(x)T, and 12.2(2)B.
If you monitor the number of IDBs currently in use on dial and aggregation routers, you can reconfigure or add capacity before the IDB limit is reached.
The output of the show idb command looks similar to this:
Router#show idb

Maximum number of IDBs 4096

42 SW IDBs allocated (2440 bytes each)

40 HW IDBs allocated (5760 bytes each)
HWIDB#1   1   SRP0/0 (HW IFINDEX, SRP)
HWIDB#2   2   POS1/0 (HW IFINDEX, SONET, Serial)
HWIDB#3   7   FastEthernet3/0 (HW IFINDEX, Ether)
HWIDB#4   8   FastEthernet3/1 (HW IFINDEX, Ether)
HWIDB#5   9   FastEthernet3/2 (HW IFINDEX, Ether)
HWIDB#6   10  FastEthernet3/3 (HW IFINDEX, Ether)
HWIDB#7   11  FastEthernet3/4 (HW IFINDEX, Ether)
HWIDB#8   12  FastEthernet3/5 (HW IFINDEX, Ether)
HWIDB#9   13  FastEthernet3/6 (HW IFINDEX, Ether)
HWIDB#10  14  FastEthernet3/7 (HW IFINDEX, Ether)
HWIDB#11  15  POS4/0 (HW IFINDEX, SONET, Serial)
HWIDB#12  16  POS4/1 (HW IFINDEX, SONET, Serial)
HWIDB#13  17  POS4/2 (HW IFINDEX, SONET, Serial)
HWIDB#14  18  POS4/3 (HW IFINDEX, SONET, Serial)
HWIDB#15  19  GigabitEthernet6/0 (HW IFINDEX, Ether)
HWIDB#16  21  POS10/0 (HW IFINDEX, SONET, Serial)
HWIDB#17  22  POS11/0 (HW IFINDEX, SONET, Serial)
HWIDB#18  23  Loopback0 (HW IFINDEX)
HWIDB#19  24  Loopback1 (HW IFINDEX)
HWIDB#20  25  Tunnel100 (HW IFINDEX)
HWIDB#21  26  Tunnel909 (HW IFINDEX)
HWIDB#22  27  Ethernet0 (HW IFINDEX, Ether)
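
The accounting rules above (one HWIDB plus one SWIDB per physical port, N+1 and N for a channelized port, one SWIDB per subinterface, one of each per tunnel, none for L2TPv3) and the `show idb` header are enough to do capacity planning in a script. The following is an added example and not part of the Cisco tech note: parse_show_idb() reads the limit, the allocated counts and the per-IDB sizes from `show idb` output, estimate_idbs() applies the rules to a planned inventory, and check_capacity() projects the SWIDB count (the figure the limit governs) against the platform maximum. SAMPLE_SHOW_IDB is cut down from the output shown above; PLANNED and the "kind" names in it are this example's own.

```python
"""IDB capacity check for a Cisco IOS router (added example, not Cisco code).

parse_show_idb() reads the header of `show idb`; estimate_idbs() applies the
IDB accounting rules from the tech note to a planned inventory; check_capacity()
compares the projected SWIDB count with the platform limit.
"""
import re

# Cut down from the tech note's own example output.
SAMPLE_SHOW_IDB = """\
Maximum number of IDBs 4096

42 SW IDBs allocated (2440 bytes each)

40 HW IDBs allocated (5760 bytes each)
HWIDB#1   1   SRP0/0 (HW IFINDEX, SRP)
HWIDB#2   2   POS1/0 (HW IFINDEX, SONET, Serial)
"""

# Planned additions (constructed). The "kind" names are this example's own.
PLANNED = [
    {"kind": "physical", "count": 4},          # four new Ethernet ports
    {"kind": "channelized", "channels": 24},   # one channelized port, 24 channels
    {"kind": "subinterface", "count": 10},     # Frame Relay PVCs or VLAN subinterfaces
    {"kind": "tunnel", "count": 2},            # two GRE tunnels
    {"kind": "l2tpv3", "count": 50},           # pseudowire sessions: no IDBs
]


def parse_show_idb(text):
    """Return limit, allocated counts and per-IDB sizes from `show idb` output."""
    m_max = re.search(r"Maximum number of IDBs\s+(\d+)", text)
    m_sw = re.search(r"(\d+)\s+SW IDBs allocated \((\d+) bytes each\)", text)
    m_hw = re.search(r"(\d+)\s+HW IDBs allocated \((\d+) bytes each\)", text)
    if not (m_max and m_sw and m_hw):
        raise ValueError("unrecognised show idb output")
    return {
        "max_idbs": int(m_max.group(1)),
        "sw_allocated": int(m_sw.group(1)), "sw_bytes": int(m_sw.group(2)),
        "hw_allocated": int(m_hw.group(1)), "hw_bytes": int(m_hw.group(2)),
    }


def estimate_idbs(inventory):
    """Return (hwidbs, swidbs) that a planned inventory will consume.

    Rules from the tech note: a physical port is 1 HWIDB + 1 SWIDB; a
    channelized port with N channels is N+1 HWIDBs + N SWIDBs; every
    subinterface, PVC or VLAN adds 1 SWIDB; a tunnel interface (UTI, GRE,
    MPLS TE, AToM) is 1 HWIDB + 1 SWIDB; L2TPv3 sessions consume no IDBs.
    """
    hw = sw = 0
    for item in inventory:
        kind, n = item["kind"], item.get("count", 1)
        if kind in ("physical", "tunnel"):
            hw += n
            sw += n
        elif kind == "channelized":
            hw += n * (item["channels"] + 1)
            sw += n * item["channels"]
        elif kind == "subinterface":
            sw += n
        elif kind == "l2tpv3":
            pass
        else:
            raise ValueError("unknown interface kind: %s" % kind)
    return hw, sw


def check_capacity(show_idb_text, inventory, warn_pct=80):
    """Project SWIDB use after the planned additions against the IDB limit.

    Every physical, sub- or virtual interface has a SWIDB, which is why the
    SWIDB count is compared with the limit. Memory is the cost of the
    additions at the per-IDB sizes the router itself reports.
    """
    stats = parse_show_idb(show_idb_text)
    hw, sw = estimate_idbs(inventory)
    projected = stats["sw_allocated"] + sw
    utilisation = 100.0 * projected / stats["max_idbs"]
    return {
        "projected_swidbs": projected,
        "limit": stats["max_idbs"],
        "utilisation_pct": round(utilisation, 1),
        "fits": projected <= stats["max_idbs"],
        "warn": utilisation >= warn_pct,
        "added_memory_bytes": hw * stats["hw_bytes"] + sw * stats["sw_bytes"],
    }


if __name__ == "__main__":
    print(check_capacity(SAMPLE_SHOW_IDB, PLANNED))
```

On a 300-IDB platform the same plan already sits above a quarter of the limit, which is the situation the monitoring advice above is about: features such as VPDN and multilink PPP allocate virtual interfaces, and therefore SWIDBs, per session, so a box that looks idle at provisioning time can still run out under load.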

Maximum Number of Interfaces

Every interface uses an IDB. Therefore, the IDB limit indicates the maximum number of interfaces a router can handle.
The IDB limit is, therefore, the answer to the common question "How many (sub)interfaces can be configured on this platform?"

Maximum Number of VLANs

Each Virtual LAN (VLAN) requires one IDB. Any Cisco IOS software release can support up to 4096 VLAN IDs (0 through 4095; 0 and 4095 are reserved, so IDs 1 through 4094 are usable), provided the platform supports at least 4000 IDBs.
If you use VLAN bridging, Cisco IOS software is limited to 256 bridge groups.


IDB Limits Per Platform

Table 1 lists the IDB limit for the different Cisco IOS software-supported platforms and Cisco IOS Software Releases 11.3T and later:
Table 1 – IDB Limits (columns are Cisco IOS Software Release trains)
Platform          11.3T   11.3AA  12.0    12.0S   12.0T   12.1    12.1T   12.2    12.2T   12.3    12.3T
as5200            300     300     300     n/a     300     300     300     300     300     n/a     n/a
as5300            700     700     700     n/a     800     800     800     800     800     800     800
as5400            n/a     n/a     n/a     n/a     n/a     n/a     2000    3000    3000    3000    3000
as5800            n/a     2048    2048    n/a     2048    2048    2048    2048    2048    2048    2048
800               n/a     n/a     n/a     n/a     300     300     300     300     300     300     300
ubr900            n/a     n/a     n/a     n/a     300     300     300     300     300     300     300
1000              300     300     300     n/a     300     300     300     300     300     n/a     n/a
1700/c1600        300     300     n/a     n/a     300     300     300     300     300     300     300
2500              300     300     300     n/a     300     300     300     300     300     300     300
2600/2600XM       300     300     300     n/a     300     300     300     300     800     800     800
3600              800     800     800     n/a     800     800     800     800     800     800     800
3660              n/a     n/a     n/a     n/a     1400    1400    1400    1400    1400    1400    1400
3725              n/a     n/a     n/a     n/a     n/a     n/a     n/a     n/a     800     800     800
3745              n/a     n/a     n/a     n/a     n/a     n/a     n/a     n/a     1400    1400    1400
3800              300     300     300     n/a     300     300     300     300     300     n/a     n/a
mc3810            n/a     n/a     300     n/a     300     300     300     300     300     300     300
4000              300     300     300     n/a     300     300     300     300     300     n/a     300
4500/4700         300     300     300     n/a     300     300     300     300     300     300     300
7100              300     300     3000    3000    3000    3000    10000   10000   10000   20000   20000
7200              300     300     3000    3000    3000    3000    10000   10000   10000   20000   20000
MSFC              n/a     n/a     n/a     n/a     3000    3000    3000    3000    3000    n/a     n/a
ls1010            300     300     300     n/a     300     300     300     300     300     n/a     n/a
6400 (nrp)        n/a     n/a     n/a     n/a     3000    4500    4500    4500    4500    4500    4500
7500 (rsp/vip)    300     1000    1000    2048    2048    2048    2048    2048    2048    2048    2048
12000 (grp/lc)    n/a     n/a     n/a     4096    n/a     n/a     n/a     n/a     n/a     n/a     n/a

Note:
  • The numbers in this table are nominal values. Real values might vary. Consult your Cisco Sales Engineer (SE) for details.
Table 2 – ESR 10000 and ESR 10700 IDB Limits and the Supported Cisco IOS Software Releases
Platform     12.0.28.S                  12.2   12.3(7)X12
ESR 10000    Yes (up to 16383 IDBs)     Yes    Yes (up to 65530 IDBs)
ESR 10700    Yes (12.0SP)               No     No

Additional IDB Limits for All Platforms

Table 3 indicates the IDB limit for Cisco IOS software releases earlier than 11.3T; these releases use a single limit for all platforms:
Table 3 – IDB Limit for Cisco IOS Software-Supported Platforms and Releases (Earlier than 11.3T)
Platform        11.3   11.2   11.2P  11.1   11.1CC  11.1CA  11.0
All platforms   300    300    300    300    1024    1024    256

IDB limits for various ISR platforms

Table 4 – IDB Limits
Platform   12.3T
1841       700
2801       800
2811       800
2821       900
2851       1000
3825       1200
3845       1400


Ref: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_tech_note09186a0080094322.shtml

Monday, August 29, 2011

export map examples


Usage Guidelines


The export map command is used to associate a route map with the specified VRF. The export map is used to filter routes that are eligible for export out of a VRF, based on the route target extended community attributes of the route. Only one export route map can be configured for a VRF.

An export route map can be used when an application requires finer control over the routes that are exported out of a VRF than the control that is provided by import and export extended communities configured for the importing and exporting VRFs.

Examples


In the following example, an export is configured under the VRF and an access list and route map are configured to specify which prefixes are exported:

Router(config)# ip vrf RED
Router(config-vrf)# rd 1:1
Router(config-vrf)# export map BLUE
Router(config-vrf)# route-target import 2:1
Router(config-vrf)# exit
Router(config)# access-list 1 permit 192.168.0.0 0.0.255.255
Router(config)# route-map BLUE permit 10
Router(config-route-map)# match ip address 1
Router(config-route-map)# set extcommunity rt 2:1
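
The filter step of that configuration, modelled in Python as an added example (this is not Cisco code and not from the command reference). It reproduces three things that are easy to get wrong when reading such a config: the standard ACL uses a wildcard mask, where 0 bits must match and 1 bits are don't-care (0.0.255.255 is the inverse of a /16 mask, so it covers 192.168.0.0 to 192.168.255.255), with the first matching entry deciding and an implicit deny at the end; the route map is evaluated in sequence order with the first matching clause deciding and an implicit deny at the end; and `set extcommunity rt` without the `additive` keyword replaces whatever RTs a route already carries. How the router treats routes the map does not permit, and how an export map interacts with `route-target export`, is outside this example, which only reports them as denied. The VRF RED route table is constructed.

```python
"""Model of the export map above (added example, not Cisco code)."""
import ipaddress


def wildcard_match(address, base, wildcard):
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


def acl_permits(acl, prefix):
    """Standard ACL applied to the network address of `prefix` (a.b.c.d/len).

    First matching entry decides; no match means the implicit deny.
    """
    network = prefix.split("/")[0]
    for action, base, wildcard in acl:
        if wildcard_match(network, base, wildcard):
            return action == "permit"
    return False


def apply_export_map(route_map, acls, routes):
    """Return (exported, denied): exported maps prefix -> set of RTs.

    route_map: clauses {seq, action, match_acl, set_rt, additive}
    routes:    prefix -> set of RTs the route already carries
    Clauses are tried in sequence order; the first match decides; a route
    matching no clause hits the route map's implicit deny.
    """
    exported, denied = {}, []
    for prefix, rts in routes.items():
        for clause in sorted(route_map, key=lambda c: c["seq"]):
            acl_no = clause.get("match_acl")
            if acl_no is not None and not acl_permits(acls[acl_no], prefix):
                continue                        # clause does not match, try next
            if clause["action"] == "deny":
                denied.append(prefix)
            else:
                new = set(clause.get("set_rt", []))
                if new:                         # set replaces unless additive
                    rts = (rts | new) if clause.get("additive") else new
                exported[prefix] = set(rts)
            break
        else:
            denied.append(prefix)               # no clause matched: implicit deny
    return exported, denied


# The configuration above, expressed as data.
ACLS = {1: [("permit", "192.168.0.0", "0.0.255.255")]}
ROUTE_MAP_BLUE = [{"seq": 10, "action": "permit", "match_acl": 1, "set_rt": ["2:1"]}]

# Constructed VRF RED routes. 192.168.50.0/24 already carries RT 1:1 to show
# that `set extcommunity rt 2:1` without `additive` replaces it.
ROUTES = {
    "192.168.1.0/24": set(),
    "192.168.50.0/24": {"1:1"},
    "10.1.0.0/16": set(),
    "192.169.0.0/16": set(),
}

if __name__ == "__main__":
    print(apply_export_map(ROUTE_MAP_BLUE, ACLS, ROUTES))
```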

Sunday, August 28, 2011

AAA Best Practices

Below is copied from - http://www.routerfreak.com/aaa-best-practices/

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
Some router configurations look more intimidating than others and AAA is always one of them.  Don't worry, we'll break this down and you will see it's not so bad after all.
So let's take a look at it one line at a time...
aaa new-model
This basically turns on aaa on the router.
aaa authentication login default group tacacs+ local
Here we are saying that to authenticate to this router for logins use the default group which is tacacs+.  If tacacs+ fails then use the local user account configured on the router. (This is why you always want to make sure you have a local user configured on your router)
aaa authentication enable default group tacacs+ enable
Here we are saying that for enable mode we want to use the default group tacacs+ (notice the local keyword is not used.  This is because a locally defined user will have specified the authorization level they require, for example level 15 will get enable mode).

aaa authorization config-commands

This says we want to check with TACACS+ to authorize going into config mode.
aaa authorization exec default group tacacs+ local if-authenticated
Notice the "if-authenticated" keyword at the end of this line.  This is saying that if we are authenticated we will immediately be dropped into exec (enable) mode.
aaa authorization commands 1 default group tacacs+ if-authenticated
For best practices Cisco recommends that authorization be configured for each level of user access to network devices. In this command we are authorizing a level 1 user. This would also be the same as non-enable mode. A fallback method should be configured such as a local user.  This also requires the use of tacacs+.
aaa authorization commands 15 default group tacacs+ local if-authenticated
Here we are providing authorization for level 15 users against tacacs+. If tacacs+ is not available then the local user account is used.  If authenticated the user will immediately be dropped into exec/enable mode.
aaa accounting exec default start-stop group tacacs+
AAA Accounting for each level of commands ensures there is accountability for use of privileged commands on the router.  Privilege levels range from 1 to 15, with 15 being the highest level.  Some organizations may want to implement additional levels of commands where 1 might be a help desk and 15 are network administrators.
aaa accounting commands 1 default start-stop group tacacs+
This is an optional command as far as best practices go... but this provides accountability or tracking of user activity even if they have only logged in (not exec/enable).
aaa accounting commands 15 default start-stop group tacacs+
This command will provide for accounting of administrators or privilege level 15.
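
What the method lists in that configuration actually do when the TACACS+ servers answer, reject, or go silent is worth seeing step by step. A Cisco IOS method list is tried left to right: a method that answers, whether with a pass or a reject, ends the evaluation, and only a method that cannot answer (server unreachable, no response) hands the request to the next method. So `group tacacs+ local` falls back to the local user database when TACACS+ is down, not when TACACS+ rejects the user, and `if-authenticated` as the last method means that when TACACS+ is unreachable any user who is already logged in is authorized. The simulation below is an added example, not part of the routerfreak post and not Cisco code; the backends, the user names alice and admin, and the login() and authorize() helpers are constructed for it.

```python
"""Cisco IOS AAA method-list fallback, simulated (added example, not Cisco code).

Only a method that cannot answer (ERROR) passes the request to the next
method in the list; a reject (FAIL) is final.
"""
from enum import Enum


class Verdict(Enum):
    PASS = "pass"
    FAIL = "fail"    # the method answered and rejected the request
    ERROR = "error"  # the method could not answer (server unreachable)


def tacacs_group(servers_up, users):
    """A `group tacacs+` method: ERROR when unreachable, else PASS or FAIL."""
    def method(session):
        if not servers_up:
            return Verdict.ERROR
        return Verdict.PASS if session["user"] in users else Verdict.FAIL
    return method


def local_db(users):
    """The `local` method: the router's own configured usernames."""
    def method(session):
        return Verdict.PASS if session["user"] in users else Verdict.FAIL
    return method


def run_method_list(methods, backends, session):
    """Return (verdict, method that decided) for one AAA request."""
    for name in methods:
        if name == "if-authenticated":
            verdict = Verdict.PASS if session["authenticated"] else Verdict.FAIL
        elif name == "none":
            verdict = Verdict.PASS
        else:
            verdict = backends[name](session)
        if verdict is not Verdict.ERROR:
            return verdict, name          # an answer, pass or reject, is final
    return Verdict.FAIL, None             # every method errored: request denied


def make_backends(tacacs_up):
    """Constructed backends: TACACS+ knows alice, the router knows admin."""
    return {
        "group tacacs+": tacacs_group(tacacs_up, {"alice"}),
        "local": local_db({"admin"}),
    }


# The method lists from the configuration above.
LOGIN = ["group tacacs+", "local"]                    # aaa authentication login default ...
COMMANDS_1 = ["group tacacs+", "if-authenticated"]    # aaa authorization commands 1 default ...
COMMANDS_15 = ["group tacacs+", "local", "if-authenticated"]


def login(user, tacacs_up):
    """Authentication: the user is not yet authenticated when this runs."""
    session = {"user": user, "authenticated": False}
    return run_method_list(LOGIN, make_backends(tacacs_up), session)


def authorize(method_list, user, tacacs_up):
    """Command authorization for a user who has already logged in."""
    session = {"user": user, "authenticated": True}
    return run_method_list(method_list, make_backends(tacacs_up), session)


if __name__ == "__main__":
    for user, up in (("alice", True), ("bob", True), ("admin", True), ("admin", False)):
        print("login", user, "tacacs_up=%s" % up, login(user, up))
```

Two results to notice: login("admin", True) is rejected by TACACS+ and never reaches `local`, so the local account is usable only while the servers are unreachable, which is the intended emergency role of the fallback; and authorize(COMMANDS_1, "bob", False) passes on `if-authenticated`, so for level 1 commands a TACACS+ outage means authorization is effectively open to anyone logged in, while COMMANDS_15, having `local` before `if-authenticated`, still gets a definite answer from the local database first.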


Friday, August 26, 2011

Howto check equipment's multiple logs on the log server

Logs are stored on the server as plain-text .log files or as gzip-compressed .gz files.

Go to the folder of the device that you want to check:

For .log files, use 'grep "keywords that you are interested in" *.log' or
                    'grep -v "keywords that you are NOT interested in" *.log';

For .gz files, use 'zgrep -E "keywords that you are interested in" *.gz' or
                   'zgrep -E -v "keywords that you are NOT interested in" *.gz'

(-v prints the lines that do NOT match, -E enables extended regular expressions, and -r is only needed when you give grep a directory instead of a file glob.)
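
The same search as one function that handles both file types, as an added example that is not part of the original post: search_logs() opens .gz files through gzip and .log files directly, keeps lines matching `include`, drops lines matching `exclude` (the `-v` case), and returns (file, line number, line) so hits from rotated and current logs can be correlated. The device directory, file names and syslog lines produced by make_sample_device_dir() are constructed for the example.

```python
"""Search a device's .log and .gz logs in one pass (added example, not from the post)."""
import gzip
import os
import re
import tempfile


def open_log(path):
    """Text handle for either a gzip-compressed or a plain log file."""
    if path.endswith(".gz"):
        return gzip.open(path, "rt", encoding="utf-8", errors="replace")
    return open(path, "r", encoding="utf-8", errors="replace")


def search_logs(device_dir, include=None, exclude=None, ignore_case=True):
    """Return (filename, lineno, line) for every matching line in *.log and *.gz.

    include: regex a line must match (like grep PATTERN); None keeps all lines
    exclude: regex that drops a line (like grep -v PATTERN)
    """
    flags = re.IGNORECASE if ignore_case else 0
    inc = re.compile(include, flags) if include else None
    exc = re.compile(exclude, flags) if exclude else None
    hits = []
    for name in sorted(os.listdir(device_dir)):
        if not (name.endswith(".log") or name.endswith(".gz")):
            continue
        with open_log(os.path.join(device_dir, name)) as fh:
            for lineno, line in enumerate(fh, 1):
                line = line.rstrip("\n")
                if inc and not inc.search(line):
                    continue
                if exc and exc.search(line):
                    continue
                hits.append((name, lineno, line))
    return hits


def make_sample_device_dir():
    """Constructed device folder: today's plain log and yesterday's gzipped one."""
    root = tempfile.mkdtemp()
    today = [
        "Aug 26 10:01:02 core1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
        "Aug 26 10:03:11 core1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.9]",
        "Aug 26 10:05:00 core1 %LINEPROTO-5-UPDOWN: Line protocol on Interface Gi0/1, changed state to down",
    ]
    yesterday = [
        "Aug 25 23:59:01 core1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9]",
        "Aug 25 23:59:30 core1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.0.5]",
    ]
    with open(os.path.join(root, "core1-20110826.log"), "w", encoding="utf-8") as fh:
        fh.write("\n".join(today) + "\n")
    with gzip.open(os.path.join(root, "core1-20110825.log.gz"), "wt", encoding="utf-8") as fh:
        fh.write("\n".join(yesterday) + "\n")
    return root


if __name__ == "__main__":
    folder = make_sample_device_dir()
    for hit in search_logs(folder, include="SEC_LOGIN", exclude=r"10\.0\.0\.5"):
        print(hit)
```

The include-plus-exclude form is the useful one for triage: `include="SEC_LOGIN"` with the management station's address excluded leaves exactly the login events from addresses that should not be talking to the device.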





Thursday, August 25, 2011

Troubleshooting Oversubscription on the Cisco 7600 SIP-400

As of Cisco IOS Release 12.2(18)SXF, when using the Cisco 7600 SIP-400 with the 2-Port Gigabit Ethernet SPA or the 1-Port OC-48c/STM-16 ATM SPA, consider the following oversubscription guidelines:

The Cisco 7600 SIP-400 only supports installation of one 1-Port OC-48c/STM-16 ATM SPA without any other SPAs installed in the SIP.

The Cisco 7600 SIP-400 supports installation of up to two 2-Port Gigabit Ethernet SPAs without any other SPAs installed in the SIP.

The Cisco 7600 SIP-400 supports installation of any combination of OC-3 or OC-12 POS or ATM SPAs, up to a combined ingress bandwidth of OC-48 rates.

The Cisco 7600 SIP-400 supports installation of any combination of OC-3 or OC-12 POS or ATM SPAs up to a combined ingress bandwidth of OC-24 rates, when installed with a single 2-Port Gigabit Ethernet SPA.

Configurations on the Cisco 7600 SIP-400 with an unsupported aggregate SPA bandwidth greater than OC-48 rates generate the following error message:

SLOT 3: 00:00:05: %SIPSPA-4-MAX_BANDWIDTH: Total SPA bandwidth exceeds line card capacity of 2488 Mbps
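
The four guidelines are not a single bandwidth threshold (two 2-Port Gigabit Ethernet SPAs are supported at 4 Gbps of ingress, while OC-3/OC-12 SPAs behind a single GE SPA are capped at OC-24), so checking a planned SPA mix by hand is error-prone. The validator below is an added example, not from the Cisco configuration guide: check_sip400() encodes the four guidelines exactly as stated above, works in kbps so the comparisons are exact, and flags whether the combination is one the guide says would log %SIPSPA-4-MAX_BANDWIDTH. The guide names the 2-Port Gigabit Ethernet and 1-Port OC-48c/STM-16 ATM SPAs but gives no port counts for the OC-3 and OC-12 POS/ATM SPAs, so the remaining entries in SPA_INGRESS_KBPS are assumed names with assumed port counts; replace them with the SPAs you actually hold.

```python
"""SIP-400 SPA combination check (added example, not Cisco code)."""

# SONET rates in kbps; OC-24 and OC-48 are the caps the guidelines use.
OC3, OC12, OC24, OC48 = 155_520, 622_080, 1_244_160, 2_488_320

GE2 = "2-Port Gigabit Ethernet"          # named in the guide
OC48_ATM = "1-Port OC-48c/STM-16 ATM"    # named in the guide

# Ingress bandwidth per SPA. Entries other than the two above are assumed
# (the guide does not list port counts for the OC-3/OC-12 SPAs).
SPA_INGRESS_KBPS = {
    GE2: 2 * 1_000_000,
    OC48_ATM: OC48,
    "2-Port OC-3 POS": 2 * OC3,
    "4-Port OC-3 POS": 4 * OC3,
    "1-Port OC-12 POS": OC12,
    "4-Port OC-3 ATM": 4 * OC3,
    "1-Port OC-12 ATM": OC12,
}


def check_sip400(spas):
    """Validate a list of SPA names for one SIP-400 against the guidelines.

    1. one OC-48c ATM SPA, with nothing else in the SIP
    2. up to two 2-Port GE SPAs, with nothing else in the SIP
    3. any mix of OC-3/OC-12 POS/ATM SPAs up to OC-48 of ingress in total
    4. with a single 2-Port GE SPA, OC-3/OC-12 SPAs up to OC-24 in total
    """
    unknown = [s for s in spas if s not in SPA_INGRESS_KBPS]
    if unknown:
        raise ValueError("unknown SPA(s): %s" % unknown)
    aggregate = sum(SPA_INGRESS_KBPS[s] for s in spas)
    ge = spas.count(GE2)
    oc48 = spas.count(OC48_ATM)
    low_rate = sum(SPA_INGRESS_KBPS[s] for s in spas if s not in (GE2, OC48_ATM))

    if oc48:
        supported, rule = (len(spas) == 1), 1
    elif ge == 2 and low_rate == 0:
        supported, rule = True, 2
    elif ge == 1:
        supported, rule = (low_rate <= OC24), 4
    elif ge == 0:
        supported, rule = (low_rate <= OC48), 3
    else:                                  # two GE SPAs plus others, or more than two
        supported, rule = False, 2
    return {
        "supported": supported,
        "rule": rule,
        "aggregate_kbps": aggregate,
        # The guide: unsupported combinations above OC-48 rates log the message.
        "expect_max_bandwidth_msg": (not supported) and aggregate > OC48,
    }


if __name__ == "__main__":
    for combo in ([OC48_ATM], [GE2, GE2], [GE2, "1-Port OC-12 POS", "4-Port OC-3 ATM"],
                  [GE2, "1-Port OC-12 POS", "1-Port OC-12 POS", "2-Port OC-3 POS"]):
        print(combo, check_sip400(combo))
```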
 
Reference: http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/7600series/76tblsip.html#wp1045445