
Friday, May 17, 2013

How many licenses do we need for two 6500 with supT2s running VSS?

Also, what does the license state "Active, Not in Use" mean? It seems contradictory.

show license feature shows Enabled "no". What does that mean? What features are turned on using MACSec_Encryption?

Router#sh license all
License Store: Primary License Storage
StoreIndex: 0   Feature: MACSec_Encryption                 Version: 1.0
        License Type: Permanent
        License State: Active, Not in Use
        License Count: Non-Counted
        License Priority: Medium
Router#sh license feature
Feature name             Enforcement  Evaluation  Subscription   Enabled
MACSec_Encryption        yes          no          no             no 
Router#

No license is required for running VSS with sup2T and IOS 15.0SY.

MACSec License is only needed if you are doing encryption for VSL.

License State: Active, Not in Use
AND
show license feature shows enabled no.
This means MACSec is not configured, so the license was not activated.



Citation - This blog post does not reflect original content from the author. Rather it summarizes content that are relevant to the topic from different sources in the web. The sources might include any online discussion boards, forums, websites and others.

Wednesday, May 15, 2013

"Show logging" clock 1 hour out in the routers

Why would our routers' clock be fine (NTP), but if we do a show logging, the logs are time-stamped 1 hour back?

Clock is 4pm
Show logging is 3pm

If a router is configured to get the time from a Network Time Protocol (NTP) server, the times in the router's log entries may be different from the time on the system clock if the [localtime] option is not in the service timestamps log command. In the example below, the router gets its time from an NTP server and the service timestamps log datetime command is issued. The show clock command displays a time of 14:12:26, yet when a configuration change is made immediately after the show clock command, the log message shows a time of 21:12:28, as shown in this example:

clock timezone PST -8
clock summer-time PDT recurring
service timestamps debug datetime
service timestamps log datetime
logging buffered 16000 debugging
ntp clock-period 17179272
ntp server 161.181.92.152

router#show clock
14:12:26.312 PDT Thu Apr 27 2000
router#config t
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#exit
router#
Apr 27 21:12:28: %SYS-5-CONFIG_I: Configured from console by vty0

Resolution
Add the [localtime] option to the service timestamps log command. For example, if the current configuration is service timestamps log datetime, issue this global configuration command:
router(config)#service timestamps log datetime localtime
router(config)#^Z (ctrl z to exit)
router#write mem

The times should now be synchronized between the system clock and the log message timestamps.
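When correlating device logs with other sources, the mismatch described above can be checked mechanically. The following is an added example, not part of the original post: it parses the show clock line and the log line from the example and reports whether the log stamp is local time or UTC. The function names and the utc_offset_hours parameter are assumptions; PDT is taken as UTC-7, which follows from the clock timezone PST -8 and summer-time lines in the configuration.

```python
import re
from datetime import datetime

# "show clock" output; IOS may prefix '*' or '.' when the clock is not
# authoritative or not synchronized.
CLOCK_RE = re.compile(
    r"^[*.]?(\d{2}:\d{2}:\d{2})(?:\.\d+)? (\S+) \w{3} (\w{3}) +(\d{1,2}) (\d{4})$")
# Log line written with "service timestamps log datetime" (stamp has no year).
LOG_RE = re.compile(r"^[*.]?(\w{3}) +(\d{1,2}) (\d{2}:\d{2}:\d{2})(?:\.\d+)?: %")
FMT = "%Y %b %d %H:%M:%S"

def parse_show_clock(line):
    """Return (naive datetime, zone name) from a 'show clock' line."""
    m = CLOCK_RE.match(line.strip())
    if not m:
        raise ValueError(f"not show clock output: {line!r}")
    hms, zone, mon, day, year = m.groups()
    return datetime.strptime(f"{year} {mon} {day} {hms}", FMT), zone

def parse_log_stamp(line, year):
    """Return the naive datetime of a log line; the year comes from the caller."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"no datetime stamp in log line: {line!r}")
    mon, day, hms = m.groups()
    return datetime.strptime(f"{year} {mon} {day} {hms}", FMT)

def log_skew_hours(clock_line, log_line):
    """Hours by which the log stamp leads the system clock, to the nearest
    15 minutes, so the seconds between the two commands do not matter."""
    clock, _zone = parse_show_clock(clock_line)
    stamp = parse_log_stamp(log_line, clock.year)
    return round((stamp - clock).total_seconds() / 900) / 4

def classify(clock_line, log_line, utc_offset_hours):
    """'local' if stamps follow the system clock, 'utc' if the skew equals the
    zone offset (localtime option missing), otherwise 'unexplained'."""
    skew = log_skew_hours(clock_line, log_line)
    if skew == 0:
        return "local"
    if skew == -utc_offset_hours:
        return "utc"
    return "unexplained"

# The two lines from the example above.
SHOW_CLOCK = "14:12:26.312 PDT Thu Apr 27 2000"
LOG_LINE = "Apr 27 21:12:28: %SYS-5-CONFIG_I: Configured from console by vty0"

if __name__ == "__main__":
    print(log_skew_hours(SHOW_CLOCK, LOG_LINE), classify(SHOW_CLOCK, LOG_LINE, -7))
```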
 


Wednesday, May 1, 2013

MPLS Route Distinguisher: l2vpn in comparison to l3vpn connections.

With l3vpn we have 2 MPLS labels: the top label for communicating between the PE and the PE (most likely loopback IPs of these routers), and the MPLS VPN (inner) label, which consists of the IP prefix + the route distinguisher so MPLS knows how to differentiate the same routes from multiple customers.

Unfortunately now our confusion starts: with l2vpn connections you also have route distinguishers, but why do we have them there? For instance, with Juniper you have a remote site ID 1 which is communicating with remote site ID 2, and we do nothing with prefixes at all. So if I say this RD is used for making every l2vpn connection in the cloud unique, is this a correct way of saying it?


The inner label in L3 VPN is not related to the route distinguisher.

The VPNv4 prefix is formed by prepending the RD to the original 32 bit IPv4 prefix.

The route distinguisher makes the prefix unique in the signalling plane, allowing it to discriminate between overlapping prefixes in different VRFs/VPNs.

The inner label is an attribute of the VPNv4 NLRI and is part of the forwarding plane; the sending PE node tells all the potential peers what inner label it expects to receive when traffic is sent to this specific NLRI.

In Juniper, L2VPN signalling is made with MP BGP using a different address family, the l2vpn address family.
This is called Kompella L2VPN from the name of its inventor.

As you have guessed also in this case the RD assumes the role of identifying the site. If you can look at the l2vpn MP BGP route you will see the site-id at the end of the composite prefix.

We could say that in L2VPN the prefix is indeed the site id prepended by some other information including the RD.
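The separation between RD and inner label described in this answer can be seen in the bytes. The following is an added example, not part of the original post: it builds the 8-byte RD and the labeled VPNv4 NLRI using the RFC 4364 encoding, and goes slightly beyond the text by covering all three RD types. The RD values, label numbers and the 10.0.0.0/24 prefix are constructed for illustration.

```python
import ipaddress
import struct

def encode_rd(rd):
    """Encode 'admin:assigned' as the 8-byte RD (2-byte type + 6-byte value)."""
    admin, sep, assigned = rd.rpartition(":")
    if not sep:
        raise ValueError(f"RD must look like admin:assigned, got {rd!r}")
    number = int(assigned)
    if "." in admin:    # type 1: IPv4 address + 2-byte assigned number
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, number)
    asn = int(admin)
    if asn <= 0xFFFF:   # type 0: 2-byte ASN + 4-byte assigned number
        return struct.pack("!HHI", 0, asn, number)
    return struct.pack("!HIH", 2, asn, number)   # type 2: 4-byte ASN + 2-byte number

def vpnv4_address(rd, prefix):
    """12-byte VPNv4 address: the RD prepended to the 32-bit IPv4 prefix."""
    net = ipaddress.IPv4Network(prefix)
    return encode_rd(rd) + net.network_address.packed

def vpnv4_nlri(rd, prefix, label):
    """Labeled VPNv4 NLRI: bit length, 3-byte label field, RD, prefix bytes.
    The label travels next to the RD but is a separate field."""
    net = ipaddress.IPv4Network(prefix)
    # 20-bit label in the high-order bits, bottom-of-stack bit set.
    label_field = ((label << 4) | 1).to_bytes(3, "big")
    prefix_bytes = net.network_address.packed[:(net.prefixlen + 7) // 8]
    length_bits = 24 + 64 + net.prefixlen
    return bytes([length_bits]) + label_field + encode_rd(rd) + prefix_bytes

# Constructed sample: two customers reuse 10.0.0.0/24 in different VRFs.
CUSTOMER_A = ("65000:1", "10.0.0.0/24", 16)
CUSTOMER_B = ("65000:2", "10.0.0.0/24", 17)

def overlapping_prefixes_stay_distinct():
    """True when the RD alone keeps the two identical IPv4 prefixes apart."""
    return vpnv4_address(*CUSTOMER_A[:2]) != vpnv4_address(*CUSTOMER_B[:2])

if __name__ == "__main__":
    for rd, prefix, label in (CUSTOMER_A, CUSTOMER_B):
        print(rd, vpnv4_address(rd, prefix).hex(), vpnv4_nlri(rd, prefix, label).hex())
    print("distinct:", overlapping_prefixes_stay_distinct())
```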




Monday, April 29, 2013

How to configure C3560 dhcp server for Nortel ip phones

We are just trying to set up a DHCP server on my Catalyst 3560 switch for Nortel IP phones.
We would like to set up the DHCP server on our C3560.
!
ip dhcp pool voice
   network 10.2.110.0 255.255.255.0
    default-router 10.2.110.200
   option 191 ascii "VLAN-A:3"
    option 128 ascii "Nortel-i2004-A,10.2.100.200:4100,1,5."
   lease 0 2
!

The same switch will be the dhcp server

interface Vlan3
ip address 10.2.110.1 255.255.255.0

Can you please help?

VOICE VLAN: 3
DATA VLAN: 1

S1:10.2.110.200
port:4100
Nortel IP Phones: IP 2002 (Firmware Version 0604D9H)  & IP 1110 (Firmware Version 0623C7)


 

You don't need an IP helper address on the switch.

An IP phone sends out a DHCP discover on the DATA VLAN first.
So you have to move the VLAN option, in your case option 191, to the DATA scope. The IP phone will see this option when it gets an IP address from the DATA scope. Then it will release the IP address and send out a discover in the VOICE VLAN. Then it will get an IP address from the VOICE scope and will recognize option 128 to find out where the Nortel systems are.

This is normal behaviour of an IP phone.
There are other techniques to implement IP phones on the network, like LLDP-MED for example.
The IP phone has to support these techniques.
 



Thursday, April 25, 2013

How do you setup Wan limit with QoS

We need to limit the HTTP traffic from a WAN link (10mbps) to no more than 5mbps to a specific network.

We made this script and I would like to know if it is correct.

ip access-list ext Traffic_QoS
permit ip 105.113.54.0 0.0.0.255 any eq http
!
class-map match-any QoS_HTTP
match access-group Traffic_QoS
!
policy-map Filter_HTTP
class QoS_HTTP
bandwidth percent 50
!
interface GigabitEthernet0/1
service-policy in Filter_HTTP

The interface G0/1 has this configuration:

interface GigabitEthernet0/1
description [ SELA Costa Rica L2  ]
ip address 105.113.52.1 255.255.255.0 secondary
ip address 105.113.53.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
h323-gateway voip interface
h323-gateway voip id XGK1 ipaddr 10.254.10.15 1719
h323-gateway voip h323-id D300807987_001
h323-gateway voip bind srcaddr 105.113.53.1
 

Over G0/0 we have the internet link (10mbps) and G0/1 is the LAN interface (1gb).

The bandwidth of your gig interface is 1000mb. 50% of this will be 500mb, so your policy will not work how you want it to work at 10mb. Instead of bandwidth percent 50 you may need to shape.

policy-map Filter_HTTP
class QoS_HTTP
shape average 10000

This will only shape your HTTP outbound traffic. You want to halve it. You will use 5000 to limit HTTP traffic at 5mbps.




Wednesday, April 24, 2013

What is the number of users supported on ISRs G2

This is a feature that we have researched for by looking at ISRs G2 data sheets and cisco.com website.
The number of users that can be supported or the recommended number of users per router chassis/model is not mentioned anywhere.
However this is mentioned in the Cisco 880 ISR data sheet.

Can someone please shed some light on the number of users that can be supported or the recommended number of users on Cisco 1900/2900/3900 ISRs?


There is no recommended limit on ISR G2s; there's a limit to the number of packets/second that can be switched through the router, or some specific recommendations for advanced features, like firewall sessions/second, VPN sessions and things like that.

There are thus bandwidth recommendations, not user recommendations.

Small ASA (5505) was limited to the number of users (10/50/unlimited) using license.

Please click here for details on "Portable Product Sheets – Routing Performance".

 

