All, I can successfully reload all my Cisco 3650/2960 switches using SNMP, but I cannot use the same method with the ASR920   snmpset -c rwcomm -v 2c x.x.x.x .1.3.6.1.4.1.9.2.9.9.0 i 2   On the ASR920, I get a "Reason: notWritable (That object does not support modification)" error. Is this not supported on the ASR920? If not, any other way or OID? PS: I do have "snmp-server system-shutdown" configured on the routers. ... View more

Team,   My router has a hostname and ip-domain configured. If I use the following command manually on the router in config mode, I am able to generate the crypto key and enable SSH.   crypto key generate rsa modulus 4096   However, if I load a new startup-config remotely via tftp, the same command in the config fails to generate a crypto key. This is a problem, because we frequently load the configurations on our routers remotely (First wr erase, then copy from tftp, then reload). The "wr erase" part is necessary, otherwise some changes are overlapped.   1. Is there a way to automatically generate the crypto key as part of the startup config? 2. Is there any other (better) way to load the configs and not lose the existing crypto key?   Attached is a sample config PS: The passwords are all generic and are used in the lab ... View more

I have fully functioning Layer 2 MPLS running over my network on Cisco ASR 920 routers. One of the links between 2 routers is provided via a 3rd party service provider, though, which requires us to use encryption on this link to protect our data.   I configured a simple site-to-site VPN between these 2 routers by configuring a crypto-map on the interface between them with the crypto ACL matching interesting traffic between the loopbacks (the loopbacks which are used to create the Pseudowires).   The Crypto SA and IPSEC are up, OSPF is up, LDP is up, looks like everything is working, but if I do a "show crypto IPsec sa", the number of matches for encrypted/decrypted packets is too low, considering the Layer 2 traffic I am pushing through this link.   It looks like only LDP packets are being encrypted, not the actual encapsulated MPLS packets.   Am I doing something wrong, is this even supposed to work? ... View more

Hi, I have VPLS between 2 ASR920 routers running fine, can ping across the same Vlan from one Laptop to another.   When I turn off VPLS on the physical interface, instead bring up a GRE tunnel and configure VPLS on the GRE tunnel, I am unable to ping across the switches in the same Vlan.   1. Can ping Tunnel source to destination 2. Can ping between Tunnel IPs  3. OSPF is up between routers, advertising the Loopbacks (Via the Tunnel) 4. LDP is up between both routers   Is there something that I am missing? I am using Firmware asr920-universalk9_npe.16.07.01.SPA.bin but I have also tried asr920-universalk9_npe.16.06.02.SPA.bin and asr920-universalk9_npe.03.18.03.SP.156-2.SP3-ext.bin with same results   Am I doing something wrong? Would appreciate some help with this.   Configs attached     ... View more

Hi Team,   I have noticed a weird behaviour on my ASR920 routers trying to configure VPLS   l2 vfi TWC manual  vpn id x  bridge-domain x ! interface GigabitEthernet0/0/10  description Test  no ip address  negotiation auto  no keepalive  service instance x ethernet   encapsulation untagged   rewrite ingress tag pop 1 symmetric   bridge-domain x  !   If I have Vlan x trunked via a Pseudowire and also on an access port (service-instance), unless the access port is physically up, the "interface BDI" stays down even if the Pseudowire is up.   I would expect the BDI interface to be up as long as a Pseudowire in that BDI is up. I tried things like "no autostate" and "no keepalive", but these commands are not supported on BDI interfaces on ASR 920.   One other thing I noticed is that if I shut down the affected bridge-domain and no shut it, the BDI comes up and stays up indefinitely. ... View more

Hi,   I am new to VPLS, so forgive me if I have done something obviously wrong.   I am setting up a VPLS design in my lab using ASR920 routers. A physical topology with logical ldp neighbourships is depicted in the diagram below.   All OSPF neighbourships and LDP neighbourships shown above are up.   I have most of the things working already, but am facing an odd issue; I will focus on Vlan 150 (10.241.0.0/16), where I observed this problem.   I have a 2xRadios connected to Port Gi0/0/3 (trunk) on SW2.R1.S01.ASR920 with IPs 10.241.1.31/16 and 10.241.2.31/16. I have PC-1 connected to Port Gi0/0/8 (Access) on SW1.R1.S01.ASR920 with IP 10.241.1.11/16 I have PC-2 connected to Port Gi0/0/6 (Access) on SW1.R3.S04.ASR920 with IP 10.241.3.99/16   As you can see, all three devices above are in the same /16 Vlan. Observations   1. The Radios can ping PC-1; PC-1 can ping the Radios 2. PC-2 can ping PC-1, PC-1 can ping PC-2 3. PC-2 cannot ping the Radios, the Radios cannot ping PC-2. There's no ARP on either devices.   I believe I have made a silly mistake somewhere in my config, would be glad if someone can help me out with this.       ... View more

Hi All, We are planning to have our traffic through a 6500 switch pass through an ASA-SM firewall. The IP addressing etc is controlled by the customer and cannot be changed to include extra networks, so we have decided to use transparent mode. I am pretty familiar with ASA-SM being used in routed mode on 6500 switches and understand how the Vlans/Layer 3 hops work, I cannot figure it out for the ASA-SM in transparent mode Here's the current setup Here's what I am trying to achieve. Do I pass either Vlan 100 or Vlan 200 to the firewall, or both? ... View more

We have a specific requirement in our railway network implementation to have a long Layer 2 network, 40 stations in a row, 2 switches per station. All these stations have multiple specific use case wireless access points hanging between them, in series. Now the train must keep the same IP address while moving across the network, hence the need for a Layer 2 network. We have been thinking of using RPVST+, with IE4010 switches but looks like it might not scale well across so many switches (40 hops from left to right), especially as we need very fast failover times (ideally within 3 seconds). VPLS tunnels over MPLS seems like an option, but would raise the cost of equipment and make the config more complicated, not to mention we would need to build specific one to one tunnels depending on who wants to talk to what. REP was considered, but the wireless access points do not support that, only support RSTP. Any suggestions to build a scalable, resilient network without the additional costs and complexity of using VPLS? Is it a good idea to run RPVST+ on this network? ... View more

Hi, Is it not possible to do outbound queuing and shaping on an interface of the 6500 (Supervisor or 1G linecard), if there's a Priority queue? I don't want to shape the priority queue, but a different queue. I tried using 2 policy-maps, it takes the police statement, but not the shape statement. class-map type lan-queuing PQ match cos 5 4 ! class-map type lan-queuing BW1 match cos 6 3 ! class-map type lan-queuing BW2 match cos 2 ! ! policy-map type lan-queuing 10gegress class PQ   priority  ! class BW1   bandwidth remaining percent 5 ! class BW2   bandwidth remaining percent 10   random-detect cos-based aggregate   random-detect cos values 2 percent 40 80 ! class class-default   random-detect cos-based aggregate ! interface TenGigabitEthernet1/4   service-policy type lan-queuing output 10gegress Second Policy class-map PQpolice match dscp ef af41 ! class-map BW2shape match dscp af21 ! policy-map 10gshape class PQpolice   police 500000000  ! class BW2shape   shape average 1000000000 ! interface TenGigabitEthernet1/4   service-policy output 10gshape ... View more