Thursday, March 29, 2012

EEM and AAA Command Authorization

By default, if a device is configured for AAA command authorization, EEM will use it.  However, EEM does not send a username to the AAA server by default.  This will result in "Command authorization failed" errors when your EEM policies execute CLI commands.  For EEM to play nicely with AAA command authorization, configure the following.

Router(config)#event manager session cli username USER

Where USER is a username authorized to run all CLI commands in all of your EEM policies.

Even though it is possible to configure EEM to work with AAA command authorization, it may be desirable to allow your EEM policies to bypass authorization.  This is especially true if it takes a bit of time to authorize each command.  In that case, the EEM maxrun timer may be reached causing policies to terminate.  If you will only have one EEM policy running at a time (that executes CLI commands), configure the following AAA commands to dedicate line vty 0 for EEM.

aaa authentication login EEMScript none
aaa authentication login default group tacacs+ local
aaa authorization exec EEMScript none
!
aaa authorization commands 0 EEMScript none
aaa authorization commands 1 EEMScript none
aaa authorization commands 15 EEMScript none
!
line vty 0
 login authentication EEMScript
 authorization exec EEMScript
 authorization commands 0 EEMScript
 authorization commands 1 EEMScript
 authorization commands 15 EEMScript
 transport input none
 length 0
!

Because "transport input none" is configured on this line, it will not be accessible for telnet or SSH sessions.  However, EEM policies will be able to use this VTY to execute CLI commands without going through AAA command authorization.

Beginning with EEM 3.1, AAA command authorization can be bypassed on a per-policy basis.  The following are examples for registering applet, Tcl, and IOS.sh policies that bypass AAA command authorization.

Applet:

event manager applet myapplet authorization bypass

Tcl:

event manager policy mypol.tcl authorization bypass type user

IOS.sh:

event manager policy mypol.sh authorization bypass type user

Ref: Cisco EEM Best Practices

ADSL: Understanding Line Loss and Measurements

This tutorial will hopefully give you an insight into what causes loss on your line, how it is measured, what the figures you see mean and the maximum loss acceptable for ADSL products, as well as steps you can take to try to minimise the loss on your line.


What causes line loss?

The telephone line from your local Telephone Exchange to your house is made up of a twisted pair of wires within a cable.

Everything that carries electricity has what is known as "Resistance". This is measured in "Ohms" and resistance impedes the flow of current in a conductor.

Because your connection is two wires twisted together it also has some "Capacitance" between the wires. A capacitor is an electrical component and there is more current passed through it as the frequency gets higher.

Also your pair of wires has yet another characteristic called "Inductance" and inductance allows less current to flow through it as the frequency gets higher.

So as you can see from the above, the electrical characteristics of your phone line are quite complex.

To sum up:

Resistance reduces the current so increases the loss.
Capacitance effectively short circuits the line more as frequencies increase, so increasing loss.
Inductance resists current flow more as frequencies get higher thus increasing the loss.

Obviously the longer your line then the greater the effect of the above characteristics and the greater the loss.


How is line loss measured?

Loss is measured by comparing the power level of the signal sent from one end of the line with that received at the other end. The difference between these levels is expressed in Decibels (dB).
The decibel scale is logarithmic and works as follows.

If the power received was 1/2 the power sent, then that would calculate as
10 x log10(0.5) = -3.010

So a loss of 3 dB is equal to almost exactly half the power being received.
Similarly, if you were to look at log tables and calculate other figures you would find that losses of:
10 dB = 1/10th of the power
20 dB = 1/100th of the power
30 dB = 1/1000th of the power.
If you were to carry on until you got to 60 dB loss you would find you are only receiving one millionth of the power that was originally sent out.


How do you find out what your line figures are?

Many ADSL Modems and Routers have a function in the set-up options that will actually measure the losses for you and give you an on-screen display.

If you have one that doesn't give you this feature then you could contact Customer Support and ask to be told the figures for a "Whoosh" test on your line.

One point to bear in mind with the Whoosh test is that the activation of your line actually adds about another 4 dB to the original loss. BT take this into account when doing a test, so if a loss figure of, say, 64 dB is produced from the test you will still be just within the limit of 60 dB (for the 1 Meg service).


What do the figures mean?

Let's look at some typical figures; here I will use the ones shown by my own equipment, a D-Link DSL-504 router on 512K 50:1 ADSL.

These are as follows:

Attenuation Downstream: 28dB. This means I am receiving just under 1/500th of the signal sent from the exchange.

Attenuation Upstream: 31dB. This means the Exchange is receiving just less than 1/1000th of the signal sent from my modem.

SNR: 19dB. SNR stands for Signal to Noise Ratio and is basically the difference between the level of the signal being received compared with the natural noise level on the line.

Here, the higher the figure the better. In my case 19dB means that the signal I am receiving is almost 100 times stronger than the noise level.

Noise on your line is caused by many things. Some examples are other wires in the cable running alongside your wires, interference from power cables, radio signals, higher than normal resistance joints in the telephone wires and damp in the wires or cables.

Other figures you may see.

Upstream power 10 dBm
Downstream power 12 dBm

These relate to the output power from the transmitters at your modem and the exchange.

The dBm notation means decibels relative to one milliwatt (the "m" in the figure) so in the above case the powers are 10 milliwatts and approx 18 milliwatts (13 dBm would be 20 milliwatts).


What levels are acceptable for ADSL service?

Now you know what the figures above mean, you may be amazed that ADSL works at all!!

To get a reliable service your line needs to meet the following criteria:

1. 512K Service. There is now no upper limit and BT will attempt to make it work on any line if possible.

2. 1 Meg Service. You need a line loss of less than 60 dB, and so, typically, will be no more than 6.0 kilometres from the exchange.

3. 2 Meg Service. You need a line loss of less than 45 dB, which means you will be 3.5 kilometres or less from the exchange.

The distances from the exchange are based on the average signal losses versus line lengths and you may find that even if you are under the distance you may still have too much loss for the chosen service.

Conversely you may also find that even if you are outside the distance you may still get the product.

At the end of the day, it is the important line tests that are done after you apply for ADSL that matter.


Effects of too high a line loss.

Line losses can alter over a period due to factors such as temperature, rainfall, corrosion in cable joints, etc.

If you have had a good ADSL service but find you start getting frequent disconnections, you need to check your line is still within the limits above to meet the type of service you have.

So, if you have the original figures, keep a note of them so you can make a comparison later if you start getting problems.

Remember from the above dB notation, an increase of 3dB in the loss figure means that you are only getting 1/2 of the signal you had when it was working fine.

Also very important is the Signal to Noise Ratio. Remember that higher figures are better here.

I have not as yet found any article that determines the minimum Signal to Noise Ratio acceptable for your ADSL to work correctly. However it is generally accepted that anything less than 10-12 dB will cause problems and I would worry if my line had a figure of, say, 10dB; normally I would expect 15 dB or better.
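The decibel arithmetic from the "How is line loss measured?" section, the per-service loss limits and the SNR rule of thumb above, worked through in Python as an added example (not part of the original tutorial). The 4 dB Whoosh allowance and the thresholds come from the text; the inclusive 60 dB comparison follows the tutorial's treatment of a 64 dB Whoosh figure as "just within" the limit, and the SNR bands are the author's rule of thumb, not a standard.

```python
import math

# Service limits from the tutorial, best service first:
# 512K has no upper limit, 1 Meg needs 60 dB or less, 2 Meg needs 45 dB or less.
SERVICE_LIMITS_DB = (("2 Meg", 45.0), ("1 Meg", 60.0), ("512K", None))

# Line activation adds about 4 dB to the loss reported by a Whoosh test (per the tutorial).
WHOOSH_ACTIVATION_DB = 4.0


def power_ratio_to_db(received, sent):
    """Loss (negative) or gain in dB for a received-vs-sent power ratio: 10 * log10(P_rx / P_tx)."""
    return 10.0 * math.log10(received / sent)


def db_to_power_fraction(loss_db):
    """Fraction of the sent power that arrives after loss_db of attenuation."""
    return 10.0 ** (-loss_db / 10.0)


def dbm_to_mw(level_dbm):
    """dBm is decibels relative to one milliwatt, so 0 dBm is exactly 1 mW."""
    return 10.0 ** (level_dbm / 10.0)


def signal_to_noise_multiple(snr_db):
    """How many times stronger the received signal is than the noise floor."""
    return 10.0 ** (snr_db / 10.0)


def eligible_services(attenuation_db, from_whoosh_test=False):
    """Services whose loss limit the line meets, best first.

    A Whoosh figure is corrected by the activation allowance before comparing,
    so a 64 dB Whoosh result is judged as 60 dB, which the tutorial counts as within limit.
    """
    effective = attenuation_db - (WHOOSH_ACTIVATION_DB if from_whoosh_test else 0.0)
    return [name for name, limit in SERVICE_LIMITS_DB if limit is None or effective <= limit]


def snr_verdict(snr_db):
    """Classify SNR with the tutorial's rule of thumb: below 10 dB problems, 15 dB or better expected."""
    if snr_db < 10.0:
        return "problem"
    if snr_db < 15.0:
        return "marginal"
    return "good"


def loss_increase_power_fraction(original_db, current_db):
    """Fraction of the original signal left after the loss rose from original_db to current_db."""
    return db_to_power_fraction(current_db - original_db)


if __name__ == "__main__":
    # Constructed figures matching the tutorial's own examples.
    print("3 dB loss leaves", round(db_to_power_fraction(3.0), 3), "of the power")
    print("60 dB loss leaves", db_to_power_fraction(60.0), "of the power")
    print("13 dBm is", round(dbm_to_mw(13.0), 1), "mW")
    print("28 dB line is eligible for", eligible_services(28.0))
    print("64 dB Whoosh figure is eligible for", eligible_services(64.0, from_whoosh_test=True))
    print("19 dB SNR is", snr_verdict(19.0))
```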


Improving your loss figures.

Unfortunately there is little you can do about the actual line itself other than get it maintained by BT. But you can take some steps to ensure that you are not adding more than the minimum loss yourself:

1. Use good quality splitters / filters.
2. Use good quality extension cables.
3. Ensure that where you plug into cable sockets the pins are clean and bright. It has been known for the connections here to corrode with time and you could try pulling out and re-inserting the plug into the BT socket several times to polish the connections.

Hopefully the above information will have been useful to those who wanted to know more about their ADSL connection.

Edited to reflect the limit changes introduced by BT

Ref: ADSL: Understanding Line Loss and Measurements
Decibels
Power meter measurements

Monday, March 26, 2012

Site of Origin BGP Community Attribute

Site of Origin BGP Community Attribute

The site-of-origin (SoO) extended community is a BGP extended community attribute that is used to identify routes that have originated from a site so that the readvertisement of that prefix back to the source site can be prevented. The SoO extended community uniquely identifies the site from which a router has learned a route. BGP can use the SoO value associated with a route to prevent routing loops. 

BGP per Neighbor Site of Origin Configuration

There are three ways to configure an SoO value for a BGP neighbor:
BGP peer policy template—A peer policy template is created, and an SoO value is configured as part of the peer policy. Under address family IPv4 VRF, a neighbor is identified and is configured to inherit the peer policy that contains the SoO value.
BGP neighbor command—Under address family IPv4 VRF, a neighbor is identified, and an SoO value is configured for the neighbor.
BGP peer group—Under address family IPv4 VRF, a BGP peer group is configured, an SoO value is configured for the peer group, a neighbor is identified, and the neighbor is configured as a member of the peer group. 

The configuration of SoO values for BGP neighbors is performed on a provider edge (PE) router, which is the VPN entry point. When SoO is enabled, the PE router forwards prefixes to the customer premises equipment (CPE) only when the SoO tag of the prefix does not match the SoO tag configured for the CPE. For example, in Figure 1, an SoO tag is set as 65000:1 for the customer site that includes routers CPE1 and CPE2 with an autonomous system number of 65000. When CPE1 sends prefixes to PE1, PE1 tags the prefixes with 65000:1, which is the SoO tag for CPE1 and CPE2. When PE1 sends the tagged prefixes to PE2, PE2 performs a match against the SoO tag from CPE2. Any prefixes with the tag value of 65000:1 are not sent to CPE2 because the SoO tag matches the SoO tag of CPE2, and a routing loop is avoided.  

Figure 1:

PE1 --- MP-BGP --- PE2
 |                  |
eBGP               eBGP
 |                  |
CPE1 ---- iBGP --- CPE2

"bandwidth" command under an interface

The "bandwidth" command under an interface is used to influence routing protocol decisions.

The interface "bandwidth" is also used in many cases for QoS (Volume 1 QoS). For example: WFQ uses the interface bandwidth to calculate the number of dynamic flows, the MLP fragment size is based on the interface-level bandwidth, CBWFQ uses the interface bandwidth to share it correctly between the defined classes, RSVP will reserve (unless configured otherwise) at most 75% of the interface bandwidth, etc.

Bandwidth command under an interface

Sunday, March 25, 2012

priority police bandwidth

Policing (with drop) caps the maximum rate;
priority/bandwidth guarantees a minimum rate during congestion;
priority/bandwidth allocates unused bandwidth when there is no congestion.

If a bandwidth or priority class should not exceed its allocated bandwidth during periods of no congestion, you can combine the priority command with the police command. This configuration imposes a maximum rate that is always active on the class. Choosing to configure a police statement in this configuration depends on the policy's objective. 


Comparing the bandwidth and priority Commands of a QoS Service Policy

Saturday, March 24, 2012

Cisco EEM script

An EEM applet that captures which process is causing a CPU spike when CPU usage reaches 75% and emails the NOC with the result (this is for the 7600):

service internal
event manager applet High_CPU
event snmp oid 1.3.6.1.4.1.9.9.109.1.1.1.1.6 get-type next entry-op ge entry-val 75 exit-time 10 poll-interval 60
action 0.1 syslog msg "CPU Utilization is high"
action 0.2 cli command "enable"
action 0.4 cli command "show log | append sup-bootdisk:CPU_Profile.txt"
action 0.5 cli command "show process cpu sorted | append sup-bootdisk:CPU_Profile.txt"
action 0.6 cli command "show interfaces | append sup-bootdisk:CPU_Profile.txt"
action 1.1 cli command "configure terminal"
action 1.2 cli command "profile 40100FB0 443F7FFF 10"
action 1.3 cli command "profile start"
action 2.3 syslog msg "Entering TCLSH"
action 2.4 cli command "tclsh"
action 2.5 cli command "after 240000"
action 2.6 cli command "exit"
action 2.9 syslog msg "Exiting TCLSH"
action 3.0 cli command "profile stop"
action 3.1 cli command "show profile terse | append sup-bootdisk:CPU_Profile.txt"
action 3.2 cli command "clear profile"
action 3.3 cli command "unprofile all"
action 3.4 cli command "more sup-bootdisk:CPU_Profile.txt"
action 3.5 mail server "IP of SMTP server" to "noc@xxx.com" from "noc@xxx.com" subject "CPU Utilization is high" body "$_cli_result"
action 4.1 syslog msg "Finished logging information to sup-bootdisk:CPU_Profile.txt..."
action 4.2 cli command "end"


Reference:
Troubleshooting High CPU Utilization Due to Interrupts
Embedded Event Manager 1.0
EEM scripts examples
Cisco IOS Embedded Event Manager Version 2.4 Expanded Capabilities and New Interfaces
Writing Your First EEM Applet
Writing Embedded Event Manager Policies Using Tcl

Wednesday, March 14, 2012

Cisco Zone-Based Policy Firewall


Customer complains that HTTPS doesn't work.

show policy-map type inspect zone-pair

You do not see drops outbound, but you do see drops inbound:
 
class-map type inspect match-all https-class
 match protocol https
!
policy-map type inspect outside-to-inside
 class type inspect https-class
  pass
!
policy-map type inspect inside-to-outside
 class type inspect https-class
  pass


This might be due to "match protocol https" not matching the return traffic;
the workaround is to match the HTTPS traffic with an access list:

ip access-list extended https
 permit tcp any eq 443 any gt 1024
!
class-map type inspect match-all https-class
 match access-group name https

The Relationship of Bandwidth and Packet Forwarding Rate

Network devices receive and forward packets through physical interfaces that employ Layer 2 technologies, such as Ethernet and Packet Over SONET (POS) framing. The description for these network links always includes bandwidth that is expressed in terms of b/s. By performing simple mathematical manipulations, it is possible to determine the potential range of p/s, or more correctly, frames per second (f/s) that a network link can support.
For example, the very common 1-Gb/s Ethernet interface is capable of transmitting up to 1,000,000,000 b/s. To determine p/s, first convert bits to bytes. (There are eight bits in one byte.) Then consider how many bytes exist in each packet. The size of the packet does not have to be a fixed value, but administrators can bound the problem by recognizing that there are both minimum and maximum packet sizes. The minimum size is based on both the IP-defined minimum IP packet size and the Layer 2-defined minimum frame size. The maximum IP packet size is based on the link maximum transmission unit (MTU) for the Layer 2 technology. Based on these factors, and using Ethernet as an example, the following two calculations can be considered:
  • Maximum Frame Rate (Minimum Frame Size): The maximum Ethernet frame rate is achieved by a single transmitting node that does not suffer any collisions when Ethernet frames are at their smallest size. The minimum Ethernet frame payload is 46 bytes (based on the slot time of Ethernet), which yields a frame that consists of 72 bytes (see Table 1) plus a 12-byte inter-frame gap, for a total Minimum Frame size of 84 bytes.
  • Maximum Throughput (Maximum Frame Size): The maximum Ethernet throughput is achieved by a single transmitting node that does not suffer any collisions when the Ethernet frames are at their maximum size. The maximum Ethernet frame payload is 1500 bytes (not considering Jumbo frames), which yields a frame that consists of 1526 bytes (see Table 1) plus a 12-byte inter-frame gap, for a total Maximum Frame size of 1538 bytes. (This calculation provides the lower bound on frame rate.)
Table 1. Maximum Frame Rate and Throughput Calculations For a 1-Gb/s Ethernet Link

Frame Part                   Minimum Frame Size   Maximum Frame Size
Inter Frame Gap (9.6 µs)     12 bytes             12 bytes
MAC Preamble (+ SFD)         8 bytes              8 bytes
MAC Destination Address      6 bytes              6 bytes
MAC Source Address           6 bytes              6 bytes
MAC Type (or length)         2 bytes              2 bytes
Payload (Network PDU)        46 bytes             1,500 bytes
Check Sequence (CRC)         4 bytes              4 bytes
Total Frame Physical Size    84 bytes             1,538 bytes

[1,000,000,000 b/s / (84 B * 8 b/B)] == 1,488,096 f/s (maximum rate)
[1,000,000,000 b/s / (1,538 B * 8 b/B)] == 81,274 f/s (minimum rate)
The computed maximum and minimum frame rate values of 1,488,096 f/s and 81,274 f/s for a 1-Gb/s Ethernet link can be plotted as shown in Figure 1. Figure 1 also displays other common link speeds, such as 10 Mb/s, 100 Mb/s, and 10 Gb/s Ethernet, for comparison purposes. A constant rate line is also shown at 100 Kp/s. Whether hardware- or software-based, network devices have a maximum rate at which they can forward packets. Thus, graphing this maximum forwarding rate can provide an indication of the equivalent bandwidths that a device may be capable of handling for various packet sizes.
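The Table 1 arithmetic as an added Python example (not from the referenced Cisco document): it computes the frame-rate bounds for the link speeds named in Figure 1 and, the other way round, the equivalent bandwidth that a device with a fixed forwarding ceiling (such as the 100 Kp/s line) can fill at a given packet size. The 100 Kp/s ceiling used in the test is a constructed value.

```python
# Ethernet framing overhead on the wire, in bytes, from Table 1.
INTER_FRAME_GAP = 12
PREAMBLE_SFD = 8
MAC_HEADER = 6 + 6 + 2        # destination address, source address, type/length
CRC = 4
MIN_PAYLOAD = 46              # minimum payload, set by the Ethernet slot time
MAX_PAYLOAD = 1500            # standard MTU; jumbo frames are not considered

# Link speeds plotted in Figure 1.
LINK_SPEEDS_BPS = {
    "10 Mb/s": 10_000_000,
    "100 Mb/s": 100_000_000,
    "1 Gb/s": 1_000_000_000,
    "10 Gb/s": 10_000_000_000,
}


def frame_physical_size(payload_bytes):
    """Bytes one frame occupies on the wire, including preamble, CRC and inter-frame gap."""
    if not MIN_PAYLOAD <= payload_bytes <= MAX_PAYLOAD:
        raise ValueError(f"payload {payload_bytes} outside {MIN_PAYLOAD}..{MAX_PAYLOAD}")
    return INTER_FRAME_GAP + PREAMBLE_SFD + MAC_HEADER + payload_bytes + CRC


def frames_per_second(link_bps, payload_bytes):
    """Line-rate frame rate for back-to-back frames carrying payload_bytes each."""
    return link_bps / (frame_physical_size(payload_bytes) * 8)


def frame_rate_bounds(link_bps):
    """(maximum f/s at the minimum frame size, minimum f/s at the maximum frame size)."""
    return frames_per_second(link_bps, MIN_PAYLOAD), frames_per_second(link_bps, MAX_PAYLOAD)


def figure_1_data(link_speeds=LINK_SPEEDS_BPS):
    """Frame-rate bounds for every link speed, i.e. the points plotted in Figure 1."""
    return {name: frame_rate_bounds(bps) for name, bps in link_speeds.items()}


def equivalent_bandwidth_bps(forwarding_pps, payload_bytes):
    """Bandwidth a device forwarding at forwarding_pps keeps up with for one payload size."""
    return forwarding_pps * frame_physical_size(payload_bytes) * 8


def forwarding_ceiling_limits_link(link_bps, forwarding_pps, payload_bytes):
    """True when the device's p/s ceiling is below line rate for this packet size."""
    return forwarding_pps < frames_per_second(link_bps, payload_bytes)


if __name__ == "__main__":
    for name, (hi, lo) in figure_1_data().items():
        print(f"{name:>8}: {hi:>14,.0f} f/s at 84 B, {lo:>12,.0f} f/s at 1538 B")
    # A constructed 100 Kp/s device, as on the constant-rate line in Figure 1.
    for payload in (46, 512, 1500):
        mbps = equivalent_bandwidth_bps(100_000, payload) / 1e6
        print(f"100 Kp/s with {payload:>4} B payload fills {mbps:,.1f} Mb/s")
```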

Ref: Bandwidth, Packets Per Second, and Other Network Performance Metrics

Virtual Access PPP Features in Cisco IOS

Virtual Access PPP Features in Cisco IOS

http://www.cisco.com/en/US/tech/tk713/tk507/technologies_tech_note09186a0080094862.shtml 

Tuesday, March 13, 2012

Default route

Default route:

ip default-gateway [no ip routing]

ip default-network [ip routing]


Static - ip route 0.0.0.0 0.0.0.0 interface nexthop

RIP - default-information originate

EIGRP - redistribute a static route or summarize to 0.0.0.0/0

ip route 0.0.0.0 0.0.0.0 x.x.x.x (next hop to the internet)
!
router eigrp 100
 redistribute static
 default-metric 10000 1 255 1 1500
-----------------------------------------------------------------------------------
router eigrp 100
 network 10.0.0.0
!
interface serial 0.1 point-to-point
 frame-relay interface-dlci 10
 ip summary-address eigrp 100 0.0.0.0 0.0.0.0


OSPF

There are two ways to inject a default route into a normal OSPF area.
  1. If the ASBR already has the default route in its routing table, you can advertise the existing 0.0.0.0/0 into the OSPF domain with the default-information originate router configuration command.
  2. If the ASBR doesn't have a default route, you can add the keyword always to the default-information originate command (default-information originate always).


    Ref: How Does OSPF Generate Default Routes?
    OSPF default route: design scenarios
    OSPF Design Guide
    EIGRP ways to advertise a default route
    Configuring a Gateway of Last Resort Using IP Commands
    rip-default-routes

    Monday, March 12, 2012

    Learning VLOOKUP in Excel

    =VLOOKUP(E1,unvalidroutes!$A$1:$A$8,1,FALSE)

    E1 is the cell whose value you want to search for / filter on.

    unvalidroutes!$A$1:$A$8 is the lookup table that you want to match against.

    Use the $ sign to "lock" the lookup table so it does not shift when the formula is copied.

    1 is the column index whose value you want returned once there is a match.

    FALSE means an exact match is required.

    Reference: http://www.timeatlas.com/5_minute_tips/general/learning_vlookup_in_excel

    Configuring a Route Switch Processor 720

    Configuring a Route Switch Processor 720
    https://supportforums.cisco.com/thread/149989

    Saturday, March 10, 2012

    TCP Sequencing and Sliding Windows

    Sequence Number In + Bytes of Data Received = Acknowledgment Number Out

    Note: During the TCP startup and teardown sequence, a "phantom byte" causes the sequence number and acknowledgment number fields to increment by 1 even though no data is exchanged. This phantom byte can be confusing when you have just learned that the sequence number field increments only when data is sent.
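An added Python example (not from the referenced articles) that replays a constructed TCP session and applies the rule above to every segment, counting the phantom byte for SYN and FIN. The initial sequence numbers 1000 and 5000 and the payload sizes are made up; the ack_is_consistent helper is what you would run over pairs of segments from a real trace.

```python
def sequence_consumed(flags, payload_len):
    """Sequence space a segment uses: its data bytes plus one phantom byte for SYN and one for FIN."""
    phantom = ("SYN" in flags) + ("FIN" in flags)
    return payload_len + phantom


def expected_ack(seq_in, flags, payload_len):
    """Sequence Number In + Bytes of Data Received (plus phantom bytes) = Acknowledgment Number Out."""
    return seq_in + sequence_consumed(flags, payload_len)


def ack_is_consistent(seq_in, flags, payload_len, ack_out):
    """Check a (segment received, acknowledgment sent back) pair from a capture against the rule."""
    return ack_out == expected_ack(seq_in, flags, payload_len)


def walk_session(client_isn, server_isn, client_payloads):
    """Constructed session: three-way handshake, client sends each payload and the server
    acknowledges it, then a FIN/ACK teardown. Returns the segments in order as dicts."""
    segments = []
    next_seq = {"client": client_isn, "server": server_isn}  # next sequence number each side uses
    ack_to_send = {"client": None, "server": None}            # what each side currently acknowledges

    def send(src, flags, payload_len):
        dst = "server" if src == "client" else "client"
        seq = next_seq[src]
        segments.append({"dir": f"{src}->{dst}", "flags": flags, "seq": seq,
                         "ack": ack_to_send[src], "len": payload_len})
        consumed = sequence_consumed(flags, payload_len)
        next_seq[src] += consumed
        # A pure ACK consumes nothing, so it leaves the receiver's acknowledgment unchanged.
        if consumed:
            ack_to_send[dst] = expected_ack(seq, flags, payload_len)

    send("client", ("SYN",), 0)              # phantom byte: server will ack ISN + 1
    send("server", ("SYN", "ACK"), 0)        # phantom byte again for the server's SYN
    send("client", ("ACK",), 0)
    for n in client_payloads:
        send("client", ("PSH", "ACK"), n)    # real data: ack advances by n
        send("server", ("ACK",), 0)
    send("client", ("FIN", "ACK"), 0)        # phantom byte on FIN
    send("server", ("FIN", "ACK"), 0)
    send("client", ("ACK",), 0)
    return segments


if __name__ == "__main__":
    for s in walk_session(1000, 5000, [100, 200]):
        print(f"{s['dir']:<16} {'/'.join(s['flags']):<8} seq={s['seq']:<5} "
              f"ack={s['ack']!s:<5} len={s['len']}")
```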

    Ref: http://support.novell.com/techcenter/articles/nc2001_05e.html
    http://packetlife.net/blog/2010/jun/7/understanding-tcp-sequence-acknowledgment-numbers/

    Thursday, March 8, 2012

    Criteria for Naming Multilink PPP Bundles

    Criteria for Naming Multilink PPP Bundles



    Multilink PPP allows devices to send data over multiple point-to-point data links to the same destination by implementing a named virtual link. The MP connection has a maximum bandwidth equal to the sum of the component links' bandwidth. MP can be configured for all interfaces that support PPP. Refer to RFC 1990 for more information on MP.
    Cisco IOS software builds a multilink bundle name based on the PPP authenticated name first, then based on the endpoint discriminator. With Cisco IOS in its default state, all client links that use the same username are bundled together into the same MP virtual connection. For a client using MP, each connection is authenticated by the access server using the same username and added to the same MP bundle. This setup works well when every client uses a unique username to connect to the access server. However, if multiple clients use the same username with MP, some of them are incorrectly added to a bundle initiated by a different client. Another problem occurs when interoperating with non-Cisco routers in a bi-directional dial environment. If the non-Cisco router does not use the authenticated name as a name for the bundle, but the Cisco router does, two different bundles are created.
    In situations in which many clients use the same username to initiate an MP connection, or when interoperating with non-Cisco routers, you need to control the order in which the bundle name is created. It is necessary to configure the access server to create a bundle name based on the endpoint discriminator first, the username second, or both. The endpoint discriminator identifies the system transmitting the packet and advises the network access server (NAS) that the peer on this link could be the same as the peer on another existing link. Because every client has a unique endpoint discriminator, only multiple links from the same client are bundled into a single unique MP connection. For example, consider when two PC clients initiate a multilink connection to an access server using the same username. If the multilink bundle name is established based on the endpoint discriminator first, then on the username or on both, the NAS can accurately bundle the links from each client using the endpoint discriminator as a bundle name. This bundle name is unique to the peer system transmitting the packet.
    Note: When the authentication on a link is done in one direction only, without the authentication of the peer but with the requirement that the local host authenticate itself with use of the Challenge Handshake Authentication Protocol (CHAP), the username supplied by the peer in its CHAP challenge is treated as the peer authenticated name in order to determine the bundle name.

    Ref: Criteria for Naming Multilink PPP Bundles

    Remote Triggered Black Hole (RTBH)

    Some references:

    http://www.faqs.org/rfcs/rfc5635.html

    http://www.linux.it/~md/text/blackholing.html

    http://www.cisco.com/web/about/security/intelligence/ipv6_rtbh.html

    Cisco CLI hot keys

    Cisco CLI hot keys
    from: http://www.cisco.com/warp/cpropub/45/tutorial.htm
    Table 3 - Summary Of Hot Keys
    Delete - Removes one character to the right of the cursor.
    Backspace - Removes one character to the left of the cursor.
    TAB - Finishes a partial command.
    Ctrl-A - Moves the cursor to the beginning of the current line.
    Ctrl-R - Redisplays a line.
    Ctrl-U - Erases a line.
    Ctrl-W - Erases a word.
    Ctrl-Z - Ends configuration mode and returns to the EXEC.
    Up Arrow - Allows user to scroll forward through former commands.
    Down Arrow - Allows user to scroll backward through former commands.

    Troubleshooting Router Crashes

    show version
    show stacks
    show context
    show tech-support

    http://www.cisco.com/en/US/products/hw/iad/ps397/products_tech_note09186a00800b4447.shtml

    Wednesday, March 7, 2012

    High-Availability (HA) technologies - NSR (GR)

    BGP Nonstop Routing


    BGP NSR is a unique, self-contained routing high-availability solution that extends IP high-availability deployments and benefits to the entire edge. Currently BGP supports NSF (through BGP Graceful Restart) as part of the NSF/SSO high-availability offering in Cisco IOS Software. BGP NSR extends the routing high-availability capabilities to the next level by “maintaining all necessary” BGP routing and session information across a route-processor switchover.

    Cisco support for BGP Nonstop Forwarding (also called Graceful Restart) follows the implementation specification described in the IETF proposed standard. According to this implementation, to achieve continuous packet forwarding the following conditions must be met:

    • The NSF-capable router and the peer router must each agree to support BGP Graceful Restart.

    • The peer router must not prematurely declare the NSF-capable router as unavailable.

    • The peer router must not communicate any state change in the NSF-capable router to any of its peers. This avoids the networkwide detrimental effect on performance associated with the sudden failure of a router.

    • The peer router must send BGP updates to help the restarting NSF-capable router to reacquire its BGP RIB.

    • The peer router must signal the completion of the initial routing update by sending the End-of-RIB marker.

    • In the interim (before the restarting NSF-capable router has reacquired the routing information), the peer router must mark any routes associated with the restarting router as "stale", but continue to use those routes for packet forwarding.


    From: Cisco IOS Software High-Availability Enhancements for IP/MPLS Provider Edge
    Cisco Nonstop Forwarding with Stateful Switchover Deployment Guide

    HIGH AVAILABILITY (HA) technologies - Cisco NSF

    Cisco NSF and Timer Manipulation for Fast Convergence


    Cisco NSF with SSO is a Cisco innovation for systems with dual route processors. Cisco NSF with SSO allows a router that has experienced a hardware or software failure of an active route processor to maintain data link layer connections and to continue forwarding packets during the switchover to the standby route processor. This forwarding can continue despite the loss of routing protocol peering arrangements with other routers. Routing information is recovered dynamically in the background, while packet forwarding proceeds uninterrupted.

    Initially, it appears that Cisco NSF and OSPF/ISIS/EIGRP timer manipulation have complementary objectives. Each feature is dedicated to achieving the fastest possible convergence in the event of a failure on a router. However, more careful analysis reveals that these technologies also have conflicting goals. Cisco NSF attempts to maintain the flow of traffic through a router that has experienced a failure; conversely, OSPF/ISIS/EIGRP timer manipulation tries to quickly redirect the flow of traffic away from a router that has experienced a failure towards an alternate path. While not mutually exclusive, the two technologies try to address different aspects of the same problem in disparate ways. It is therefore important to carefully consider the network design goals and establish precedence for redundancy.

    The network designer has three alternatives:

    1. Raise the IGP hold-timers to seven seconds to accommodate all failure scenarios. Setting the timer to this value would account for the situation in which the route processor has to be detected via IPC keep-alive failure (3 seconds) plus the safe value for post-switchover behavior (4 seconds for the Cisco 10000 and 12000 Series Internet Routers).
    2. Leave the IGP hold-timers at 4 seconds. This will allow Cisco NSF with SSO to operate as expected in the majority of failure scenarios. In the exception cases, where the route processor needs to use IPC keep-alive to determine the need to switchover to the redundant route processor, the traffic will failover to a redundant path on a different system. Remember, the keep-alive procedure is a "failsafe" mechanism while the internal switchover signaling procedures are expected to cover most failures.
    3. Lower the IPC keep-alive timer. This can be achieved with the command "redundancy/main-cpu/switchover timeout <milliseconds>". By default, this timer is set for 3 seconds, and can be lowered with the preceding command. It should be strongly emphasized that there is an element of risk to lowering this timer. If the standby route processor does not hear from the active route processor within the timeout period, a route processor switchover will be initiated. Thus, if this timer is set to a very low value, there is the danger of false alarms, causing a route processor switchover when one is not required. In addition, there will be increased CPU and IPC bandwidth usage associated with setting this timer to a very low value.

    From: Cisco NSF and Timer Manipulation for Fast Convergence

    Friday, March 2, 2012

    Tuning for input and output drops

    SPD and Input-queue tuning for input drops and flushes
    http://www.cisco.com/en/US/products/hw/routers/ps167/products_tech_note09186a008012fb87.shtml
    http://www.cisco.com/web/about/security/intelligence/spd.html

    Queue-limit tuning for output drops

    http://www.cisco.com/en/US/products/hw/routers/ps341/products_tech_note09186a0080af893d.shtml
    http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/12simql.html

    service compress-config


    Usage Guidelines

    After you configure the service compress-config command, the router will compress configuration files every time you save a configuration to the startup configuration. For example, when you enter the copy system:running-config nvram:startup-config command, the running configuration will be compressed before storage in NVRAM. 

    Configuration Generation Performance Enhancement

    The Configuration Generation Performance Enhancement feature assists configuration management by enabling faster collection of running configuration file information. This feature is especially useful in managing large networks with numerous interfaces configured. 


    Cisco IOS Software Configuration Storage


    In the Cisco IOS software configuration model, the configuration state is maintained in a distributed manner, with each component storing its own configuration state. To retrieve configuration information, the software must poll every component to collect the distributed information. This configuration state retrieval operation is performed by a process known as nonvolatile generation (NVGEN), and it is used by command-line interface (CLI) commands such as show running-config, write memory, and copy system:running-configuration to display or copy the running system configuration. When invoked, NVGEN queries each system component and each instance of interface or other configuration objects. A running configuration file is constructed as NVGEN traverses the system performing these queries.  

    Note: If you try to configure the write memory command when a router is low on memory and the backup buffer cannot be allocated, then the command will fail with the error message "Not enough space." When the write memory command fails to apply the new configuration, the backup configuration is used to restore the original configuration.

    Benefits of the Configuration Generation Performance Enhancement


    Before the Configuration Generation Performance Enhancement feature was introduced, NVGEN always had to query the entire system and could generate only a total configuration. The time required to process the running configuration creates performance problems for configuration management, because completion of the NVGEN operation can take many minutes.

    The Configuration Generation Performance Enhancement feature reduces the execution time for NVGEN processes and is especially useful for managing large configuration files that contain numerous interface configurations. This feature provides faster execution of commands that process the running system configuration by caching interface configuration information in system memory, and by retrieving only configuration information that has changed.


    Configuring the Configuration Generation Performance Enhancement

    Perform this task to enable the Configuration Generation Performance Enhancement.

    SUMMARY STEPS

    1. enable
    2. configure terminal
    3. parser config cache interface
    4. end

    Thursday, March 1, 2012

    IPERF traffic direction

    IPERF

    Normally, the iperf client sends traffic to the server.

    E.g. in UDP mode, the client sends almost 100% of the traffic to the server side.

    In TCP mode, the client sends about twice as much traffic as flows the other way around.

    The show processes Command


    router#show processes 
    CPU utilization for five seconds: 0%/0%; one minute: 0%; five minutes: 0%
     
    The first number is the CPU utilization for the last five seconds.
    The second number indicates the percentage of that CPU time spent at the interrupt level.
     
    The show processes Command