I have a customer that would like a L2 VPN pseudowire between his two sites. He also states that jumbo frames are a requirement as well, and I expect to receive jumbo frames from the customer attachment circuit. However, all of my MPLS backbone circuits were designed for a three-label-deep system mtu = 1534. It is my understanding that if I enable jumbo frames on the attachment circuit to my customer and indeed receive a jumbo frame, when the PE router tries to label switch it out across its backbone link(s) towards the remote site, given the backbone link system mtu = 1534, the ethernet frame cannot be fragmented and will be dropped as a result. Q1: Is this correct?
Q2: If all of the devices in the MPLS network CAN support jumbo frames, is there *** ANY *** disadvantage (or any reason NOT) to enable jumbo frames throughout the MPLS network as a general rule? The only thing that I can come up with is the possibility of buffer exhaustion or having to tune buffers given all the frames are now 9k+ in size vice the default 1518 bytes. Any insights, comments or recommendations would be much appreciated.
I need some additional clarification please. I suspect I am in the same boat as Syjeon (original post) whereby I have a customer that would like a L2 VPN pseudowire between his two sites. He also states that jumbo frames are a requirement as well, and I expect to receive jumbo frames from the customer attachment circuit. However, all of my MPLS backbone circuits were designed for a three-label-deep system mtu = 1534. It is my understanding that if I enable jumbo frames on the attachment circuit to my customer and indeed receive a jumbo frame, when the PE router tries to label switch it out across its backbone link(s) towards the remote site, given the backbone link system mtu = 1534, the ethernet frame cannot be fragmented and will be dropped as a result. Is this correct?
And to follow the question up with another question (last one I promise), this is more of a general design guidance: "If all of the devices in the MPLS network CAN support jumbo frames, is there *** ANY *** disadvantage (or any reason NOT) to enable jumbo frames throughout the MPLS network as a general rule? The only thing that I can come up with is the possibility of buffer exhaustion or having to tune buffers given all the frames are now 9k+ in size vice the default 1518 bytes." Any insights, comments or recommendations would be much appreciated.
I have a situation where my customer is hosting multiple tenants by means of virtual contexts. We recently upgraded our Prime Infrastructure to version 3.1 to enable us to apply alarm policies to filter down on both the number and type of events that were triggering alarm email notifications. We would like for each organization to customize or tailor their alarm filters within their respective virtual context, but whenever they attempt to modify the default alarm policies and then save and activate them, the following error is always displayed: (see attached: pi31_alarm_policies_virtual_context.pdf)
However, if I change context to the ROOT-DOMAIN and apply the very same alarm policies from that context, the policies activate and are saved successfully. (see attached: pi31_root-domain_alarm_policies_successful.pdf) Obviously, we would prefer for each organization to be able to administer their respective virtual contexts (and alarm policies) on their own without requiring outside assistance. I can't find anywhere in the documentation that states alarm policies can only be configured from the ROOT-DOMAIN, but have yet to get the policies applied from within a virtual context. I am hoping someone can point me in the right direction.
Cisco Prime Infrastructure 3.1 versioning information is provided below:
CWALNMPRIRCCK01/admin# show version
Cisco Application Deployment Engine OS Release: 3.1
ADE-OS Build Version: 3.1.0.001
ADE-OS System Architecture: x86_64
Copyright (c) 2009-2016 by Cisco Systems, Inc.
All rights reserved.
Version information of installed applications
Cisco Prime Infrastructure
Version : 3.1.0
Build : 18.104.22.168.132
PI 3.1.1 ( 1.0.0 )
Prime Infrastructure 3.1 Device Pack 2 ( 2.0 )
<snippet> " I have not come up with a positive reason that I need it"
In the past I have needed access to install VMware Tools in the virtual machine. I have searched the Prime Infrastructure 3.1 documentation and see no references to installing VMware Tools, so I assume this is still the case. I would be interested in hearing if there is an alternate workaround or method to getting the tools installed.
I too am able to access the OS shell, but when trying to "su" get prompted for a password. I enter the password that was used to change to root on the Prime 3.0 install (before the upgrade) but this password no longer works.
*** Update: running the command as super user (sudo) does work and no password is required. This was enough to get the cdrom mounted and the process started. ***
I have a Cisco Prime Infrastructure 3.0 system that I am setting up email notifications for alarms that get registered. It appears the email notifications for alarms can only be set for both alarm severity level and the "Category" in which the alarm is registered. In my case, I would like to send an email notification for a switch's CPU exceeding a predefined threshold (alarm severity = critical; alarm category = "switches and hubs") but I would like to filter (not send email notifications) for any alarms that get registered for a physical link up/down notification (alarm severity = critical; alarm category = "switches and hubs" as well).
Under Monitor / Monitoring Tools / Alarms and Events / Email Notification
We are able to select each of the alarm categories, and within each alarm category we can select the severity of alarms that are to trigger an email notification. What I don't see is how to be more granular and only trigger email notifications on a specific or subset of severity level messages within each category. Is there a way to accomplish this?
As I understand it, we cannot fire off email notifications based on snmp traps or syslogs directly, but we can configure customized syslog and trap messages that directly correlate to a generated alarm. However, it appears the lack in granularity of matching on the alarm attributes prevents us from selectively triggering email notifications on a subset of alarms within the same severity/category. Is my understanding correct?
Thank you much for your reply. As suspected, traffic coming across the SSLVPN was not being processed, bypassing the NAT (via PBR) hairpinning function. Your recommendation on deploying virtual templates got me digging in the right direction. Entering the single command "webvpn sslvpn-vif nat inside" was the missing key - everything is good to go now, thank you! Details below for others that may benefit. There are some major changes that have taken place with respect to ip features from this bug:
CSCsr41631 SSLVPN does not interoperate with IP features - FW, NAT and PBR
This is not yet integrated into the 12.4(22)T train.
Before the fix, you can use the following commands:
webvpn sslvpn-vif nat inside <--- this can be inside or outside, but generally when going to the internet it will be inside
webvpn sslvpn-vif nat enable
You have to make sure that your NAT access-list excludes traffic that should not be NATed (i.e. from the anyconnect pool to inside networks), and includes traffic to be NATed (anyconnect pool to internet).
Let me know if this works.
With the fix for the above bug, you can do more features like fw, pbr etc and will use a virtual-template:
[OK] Site to Site IPSec + GRE = success, no problems.
[OK] IPSec remote access = success, no problems.
[NO] SSLVPN = remote users can successfully connect to all internal systems. Cannot pass traffic to the Internet.
Hardware: Cisco 2811, Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(22)T5, RELEASE SOFTWARE (fc3)
Software: Cisco AnyConnect Secure Mobility Version 3.1.01065
Single hub router terminating IPSec+GRE site to site, IPSec remote access, and SSLVPN remote access VPN services. All services currently configured and running successfully with the exception of the SSLVPN service. Remote users can initiate and successfully establish SSLVPN sessions. While established, connectivity to all internal systems/resources is successful. Only when the remote access client tries to connect to "Outside" Internet resources does traffic not pass successfully. Troubleshooting has pointed to a NAT related issue (I believe). When connecting from a remote access workstation, utilizing the IPSec remote access client (built-in Cisco IPSec client from Mac OS), the session establishes and the client works flawlessly. Examining the Cisco 2811 router, you see the /32 host route from the remote access session get installed, and you see the corresponding NAT translation entries created when the client accesses outside (Internet) resources. Appropriate configuration to implement "hairpinning" has been included to handle the in and right back out (with NAT translation) needed for remote clients to access the Internet. Configured the 2811 for SSLVPN, and remote access clients can successfully connect and access all internal network resources.
Examining the Cisco 2811, the /32 host route for the remote access client is installed, pointing to the SSLVPN-VIF0 interface with a next hop of 0.0.0.0. When checking the NAT translation table, there are NO entries for the remote access client address created, which leads me to believe the hairpinning/NAT function is not being invoked for SSLVPN clients. Originally, the IPSec remote access VPN local pool was 10.0.100.0 /24. To keep from having to adjust the existing NAT translation and PBR route-map for the hairpinning function, I took the 10.0.100.0 /24 and broke it into a pair of /25 networks: bottom half for the IPSec remote access VPN pool (10.0.100.0 /25); upper half for the SSLVPN pool (10.0.100.128 /25). By utilizing SSLVPN, is the traffic somehow bypassing the DIALER1 interface where both the crypto map and, more importantly, the IP NAT OUTSIDE and PBR configuration for the hairpinning function are applied? I can't explain why NAT translation entries are not being created for SSLVPN client sessions. Cisco 2811 configuration has been included. IPSec & SSLVPN remote access session captures (performed from the same remote client) have been included.