DMVPN in Cisco 3945 output drop in tunnel interface

Similar Messages

• Could high "Total Output Drops" on one interface on a 3560G, be caused by faulty hardware on another interface?

  Hi All,
  I have been trying to diagnose a issue we have been having with packet loss on video calls (which I think we may have now resolved as the problem lay elsewhere), but in the process we have trailed some equipment from PathView and this seems to have created a new problem.
  We have a standalone 3560G switch which connects into a providers 3750G as part of an MPLS network. There is a single uplink to the 3750 from the 3560 (@ 1Gbps) and whilst I can  manage the 3560, I have no access to the providers switch. Our 3560 has a fairly vanilla config on it with no QoS enabled.
  There are only a few ports used on the 3560, mainly for Cisco VCS (Video Conferencing Servers) and a PathView traffic analysis device.The VCS devices are used to funnel videoconferencing traffic across the MPLS network into another institutions network.The PathView device can be used to send traffic bursts (albeit relatively small compared with the Bandwidth that is available) across the same route as the VC traffic to an opposing device, however, I have also disabled all of these paths for the moment.
  I can run multiple VC calls which utilise the VCS devices so traffic is routing into the relevant organisations and everything is good. In fact, I have 5 x 2Mb calls in progress now and there are 0 (or very, very few) errors.
  However, I have actually shut-down the port (Gi0/3) connected to the PathView device for the moment. If I re-enable it I start to see a lot of errors on the VC calls, and the Total Output Drops on the UPLINK interface (Gi0/23) starts rising rapidly. As soon as I shut-down the PathView port again (Gi0/3), the error stop and all returns to normal.
  I have read that issues on the Output queue are often attributed to a congested network/interface, but I don't believe that this is the case in this instance. My 5 VC calls would only come in at 10Mbps so is a way short of the 1000Mpbs available. Even the PathView device only issue burst up to 2Mbps, and with the Paths actually disabled even this shouldn't be happening, so only a small amount of management traffic should be flowing. Still, as soon as I enable the port, problems start.
  So, is it possible that either the port on the switch, cable or PathView device is actually faulty and cause such errors? Has anyone seen anything like this?
  Cheers
  Chris

  "As far as I know, such drops shouldn't be caused by faulty hardware, but if the hardware is really faulty, you would need to involve TAC."
  Ok, thanks.
  "BTW, all the other interfaces, which have the low bandwidth rates you describe, are physically running at low bandwidth settings on the interface, e.g. 10 Mbps?  If not, you can have short transient micros bursts which can cause drops.  This can happen even when average bandwidth utilization is low.  (NB: if these other ports average utilization is so low, if not already doing so, you could run the ports at 10 Mbps too.)"
  No. All ports on the switch connect to devices with 1Gb capable interfaces. They have been left to auto negotiate and have negotiated at 1000/full. The bandwidth described is more with regard to the actual data throughput of a call. Technically, the VCS devices are licence to handle 50 simultaneous call of up to 4Mbps so potentially could require a bandwidth of 200Mbps, although it is unlikely that we will see this amount of traffic.
  "Also, even if you have physically low bandwidth ingress, with a high bandwidth egress, and even if the egress's bandwidth is more than the aggregate of all the ingress, you can still have drops caused by concurrent arrivals."
  In general, the ingress and the egress should be similar. Think of this as a stub network - one path in and out (via Gi0/23). The VCS act as a kind or proxy/router for video traffic, simply terminating inbound legs, and generating a next hop outbound leg. The traffic coming in  to the VCS should be the same as the traffic go out.
  There will of course be certain management traffic, but this will be relatively low volume, and of course the PathView traffic analyser can generate a burst of UDP packets to simulate voice traffic.
  "Some other "gotchas" include, you mention you don't have QoS configured, but you're sure QoS is disabled too?"
  Yes.
  switch#show mls qos
  QoS is disabled
  QoS ip packet dscp rewrite is enabled
  I can't see a lot of point enabling QoS on this particular switch. Pretty much all of the traffic passing through it will be QoS tagged at the same level. Therefore it ALL prioritised.
  Indeed running a test overnight with these multiple calls live and the PathView port shutdown, resulted in 0 Total Output Drops.Each leg did suffer a handful of dropped packets end-to-end, but I think I can live with 100 packets dropped in 10 million during a 12 hour period (and this, I suspect, will be somewhere else on the network).
  "Lastly, Cisco has documented, at least for the 3750X, that uplink ports have the same buffer RAM resources as 24 copper edge ports.  Assuming the earlier series are similar, there might be benefit to moving your uplink, now on g0/23, to an uplink port (if your 3650G has them)."
  Unfortunately, no can do. we are limited to the built in ports on the switch as we have no SFP modules installed.
  Apologies about the formatting - this is yet another thing that has been broken in these new forums. I looks a lok better in the Reply window than it looks in this normal view.

• DMVPN + IPSec protected VRFs; IPSec SAs established only on one tunnel interface

  Hello folks!
  I have a setup between two Cisco ISR routers, running IOS 15.1(4)M3. I have tried to establish DMVPN connectivity with two VRFs (ie. two tunnel interfaces per router) between the routers and it mostly seems to be working as I expected. But... IPSec SAs seem to get tied to only one of the tunnel interface, not two (one per direction) per tunnel interface as they should. There's no MPLS backbone in between the routers, only "global VRF", routed IP network.
  Command "show crypto ipsec sa" or indirectly a missing OSPF neighborhood between the routers verifies the erroneuous situation. Occasionally, after an "interface tunnel[ 0 or 1] shut, no shut" or "clear crypto sa" command I seem to get it up and running, two SAs per tunnel interface, but if I reboot either one of the routers or just clear the IPSec SA, they most likely will appear under either one of two tunnel interfaces. So, what should I change to instruct the router setup SAs correctly, two SAs (one per direction) per tunnel interface?
  I'll enclose appropriate parts of the configurations and output of command "show crypto ipsec sa".

  I think I figured it out, for anyone who might stumble across this post in the future. It looks like you need to add the shared keyword to the tunnel protection command. ie...
  interface tunnel 0
   tunnel protection ipsec profile MyProfile shared
  end
  I should note that one of the first things I tried was to created a separate IPSec profile for each unique tunnel interface. It ended up not fixing the problem and I had to go with the solution above. 

• ME 3800 output drops with Copper SFP

  We have installed a copper SFP (GCL-T) in a access port on an ME-3800 running 12.2(52r)EY2.  The port connects to an ONS-CE-100 copper line card on an FE Port.  Both ports are set to auto-negotiate.  We see output drops on the interface.  We tried hard setting the speed on both sides, but the drops persisted.  We tried hard setting the duplex to full, but that made things worse.  On ports where we use the optical SFPs we do not see these issues.  
  Has anybody else run into this issue? Does the ME 3800 support auto-negotiation with the copper SFPs?  Any thoughts on this would be appreciated. 

  Disclaimer
  The  Author of this posting offers the information contained within this  posting without consideration and with the reader's understanding that  there's no implied or expressed suitability or fitness for any purpose.  Information provided is for informational purposes only and should not  be construed as rendering professional advice of any kind. Usage of this  posting's information is solely at reader's own risk.
  Liability Disclaimer
  In  no event shall Author be liable for any damages whatsoever (including,  without limitation, damages for loss of use, data or profit) arising out  of the use or inability to use the posting's information even if Author  has been advised of the possibility of such damage.
  Posting
  I'm not familiar with the ME series, but if you can "tune" interface egress buffer/queue sizes, increasing resources for bursts can often mitigate and/or eliminate egress drops.  Of course, this also can increase latency.

• Tunnel interface to physical interface

  Hi All,
  I was wondering if it is possible to build a site to site vpn connection one side using tunnel interface and the other end using a physical interface.
  My plan is to use a 3945 router, build multiple tunnel interfaces on the router to connect 50 clients. By using tunnel interface on the router i could leverage on the vrf feature to isolate clients  but if i use tunnel interface on my end  i am not certain if the tunnel will come up if my client is using 1) ASA 2) PIX 3) vpn concentrator - which doesnt support tunnel interface.
  Thanks for your help in advance.
  Lou

  Mark Mattix wrote:I did some reading on EIGRP and is it correct that the EIGRP Header and Payload (TLV) are encapsulated in an IP packet and addressed to the address, 224.0.0.10? Is this the reason why multicast traffic must be encapsulated first in GRE to travel over the internet? Olivier Pelerin> This is correct
  When I set up a site to site VPN using GRE tunnels and an IPSec config on the interfaces would this be considered, IPSec over GRE, or GRE over IPSec? I don't understand that difference.
  Olivier Pelerin> See the diagram below - this explain GRE over IPSEC. That's a diagram I did here for a training
  On the example packet I posted above, is the public address that's routed over the internet part of the IPSec packet/suite? I guess a better question is, what portions of the packet make up IPSec and which portion is just regular IPv4 addressing?
  Olivier Pelerin> the diagram below should answer that
  I've been wrong in thinking that GRE and IPSec go hand in hand when infact it's possible to only use IPSec and no type of tunnel. If IPSec is set up on the interfaces and the tunnels are configured at both end points, what does your information first get encapsulated by, GRE or IPSec? In your example packet format Olpeleri, is looks like the IP packet is first encapsulated in GRE then encapsulated by IPSec. Is this correct? If so when information leaves our LAN and heads to the internet, does it first go through the tunnel to be encapsulated by GRE then out the physical link that adds the IPSec encapsulation?
  Olivier Pelerin> Correct. GRE first then encryption
  Sorry for all these questions, I'm just trying to learn how this works! Thanks again for the help!
  [red = encrypted]

• Output drops on cisco link connecting to F5 Loadbalancer's management port

  On a connection like below:
  Cisco 6509: gi x/y <<-->> F5 BIGIP LTM: mgmt (Management Port)
  We observed incrementing packet drops on the F5 BIGIP mgmt interface.
  Also, at the cisco end, incrementing output drops were observed.
  tcpdump (packet capture) on the F5 BIGIP's mgmt port show brodcast packets/ multicast including the HSRP hellos being received from the cisco device. It is an expected behaviour that, F5 will reject any packets it cant understand (including the cdp, hsrp and other broadcast), and this will cause the packet drop counter of F5 BIGIP's mgmt port to increase. (F5 TAC acknowledged this behaviour)
  Will this cause the output drop counter at the cisco interface to roll up?
  Note: On the cisco interface, i do not see any other errors, also utilisation on the link is very minimal.
  Thanks
  Sudheer Nair

  Hi, this is probably late, but the software counters for output drops on these types of switches (3750's, blade switches) are not reliable.
  What you need to check is "show platform port-asic statistics drop" for a reliable drop counter on an interface. This will give you the hardware counters
  https://tools.cisco.com/bugsearch/bug/CSCtq86186/?reffering_site=dumpcr
  Switch stack shows incorrect values for output drops/discards
  on show interfaces. For e.g.,
  --- show interfaces ---
  GigabitEthernet2/0/5 is up, line protocol is up (connected)
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 4294967163
  Conditions:
  This is seen on Stackable switches running 12.2(58)SE or later.
  Workaround:
  None.

• Increasing Total Output Drops number

  I have an autonomous Cisco AP1242 running on channel 11 (best channel avail) with only one client associated.
  Signal Strength and Channel Utilization look good.
  By design this client is constantly sending UDP/Multicast packets, so I had to disable IGMP Snooping on the AP. However, I have noticed data dropout and have been able to correlate it by running the command:
  show interface dot11radio 0
  Every-time I run the above command the Total Output Drops increases:
  Dot11Radio0 is up, line protocol is up
    Hardware is 802.11G Radio, address is 001c.b0eb.eb70 (bia 001c.b0eb.eb70)
    MTU 1500 bytes, BW 54000 Kbit, DLY 1000 usec,
       reliability 255/255, txload 1/255, rxload 1/255
    Encapsulation ARPA, loopback not set
    ARP type: ARPA, ARP Timeout 04:00:00
    Last input 00:00:00, output 00:00:00, output hang never
    Last clearing of "show interface" counters 00:37:46
    Input queue: 0/1127/0/0 (size/max/drops/flushes); Total output drops: 3178
    Queueing strategy: fifo
    Output queue: 0/30 (size/max)
    5 minute input rate 43000 bits/sec, 14 packets/sec
    5 minute output rate 92000 bits/sec, 17 packets/sec
       29799 packets input, 12551639 bytes, 0 no buffer
       Received 17376 broadcasts, 0 runts, 0 giants, 0 throttles
       0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
       0 input packets with dribble condition detected
       41308 packets output, 25121942 bytes, 0 underruns
       0 output errors, 0 collisions, 0 interface resets
       0 unknown protocol drops
       0 babbles, 0 late collision, 0 deferred
       0 lost carrier, 0 no carrier
       0 output buffer failures, 0 output buffers swapped out
  I cleared the statistics and ran the command after a few minutes.
  Any ideas what could be causing packets to be dropped?
  QOS is disabled on the AP.
  Thanks

  Hi,
  There is only one wireless client.
  Just took a 5 min Wireshark reading and it giving the following:
  Packets: 2286
  Avg. packets/sec: 7.729
  Avg packet size: 671.527 bytes
  Avg bytes/sec: 5190.457
  I am new to this. Is the above considered high volume for one client?
  I just compared a wired vs wireless captures... I am only losing packets on the wireless medium.
  When you say that the radio may not have enough buffer... are you reffering to wireless adapater or the Acess Point?
  Thanks

• Output Drop by RESOLVE_VPLS_REFLECTION_FILTER_DROP_CNT

  Hello!
  How i can determine a reason of output drops?
  >sh inter tenGigE 0/0/0/6              
  Fri Nov  2 15:26:05.358 MSK
  TenGigE0/0/0/6 is up, line protocol is up
    Interface state transitions: 11
    Hardware is TenGigE, address is 108c.cf1d.f326 (bia 108c.cf1d.f326)
    Layer 1 Transport Mode is LAN
    Description: To_XXX
    Internet address is 10.1.11.77/30
    MTU 9194 bytes, BW 10000000 Kbit (Max: 10000000 Kbit)
       reliability 255/255, txload 2/255, rxload 5/255
    Encapsulation ARPA,
    Full-duplex, 10000Mb/s, LR, link type is force-up
    output flow control is off, input flow control is off
    loopback not set,
    ARP type ARPA, ARP timeout 04:00:00
    Last input 00:00:00, output 00:00:00
    Last clearing of "show interface" counters 50w1d
    30 second input rate 218575000 bits/sec, 41199 packets/sec
    30 second output rate 115545000 bits/sec, 30555 packets/sec
       481020016118 packets input, 287815762466192 bytes, 876403 total input drops
       0 drops for unrecognized upper-level protocol
       Received 29 broadcast packets, 39255653 multicast packets
                0 runts, 17 giants, 0 throttles, 0 parity
       17 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
       368901547057 packets output, 180820085800502 bytes, 28931652 total output drops
       Output 5 broadcast packets, 39284266 multicast packets
       0 output errors, 0 underruns, 0 applique, 0 resets
       0 output buffer failures, 0 output buffers swapped out
       10 carrier transitions
  >show controllers np counters np7  location 0/0/CPU0 | i DROP
  Fri Nov  2 15:27:03.815 MSK
    31  PARSE_INGRESS_DROP_CNT                                849353           0
    32  PARSE_EGRESS_DROP_CNT                                1236171           0
    33  RESOLVE_INGRESS_DROP_CNT                              868559           0
    34  RESOLVE_EGRESS_DROP_CNT                           3636654813         293
    37  MODIFY_EGRESS_DROP_CNT                                   669           0
    84  RESOLVE_AGE_NOMAC_DROP_CNT                                 1           0
    85  RESOLVE_AGE_MAC_STATIC_DROP_CNT                    187392316           8
  371  MPLS_PLU_DROP_PKT                                          1           0
  468  RESOLVE_VPLS_SPLIT_HORIZON_DROP_CNT                 28931887           6
  469  RESOLVE_VPLS_REFLECTION_FILTER_DROP_CNT           3293536501         272
  481  RESOLVE_L2_EGR_PW_UIDB_MISS_DROP_CNT                       4           0
  491  RESOLVE_VPLS_EGR_PW_FLOOD_UIDB_DOWN_DROP_CNT                 1           0
  499  RESOLVE_MAC_NOTIFY_CTRL_DROP_CNT                   313463638          16
  500  RESOLVE_MAC_DELETE_CTRL_DROP_CNT                     1591242           0
  622  EGR_DHCP_PW_UNTRUSTED_DROP                           1236171           0
  Input drops by RESOLVE_VPLS_REFLECTION_FILTER_DROP_CNT was considered at https://supportforums.cisco.com/thread/2099283
  But how we can apply it for output?

  Last column at "show controllers np counters np7  location 0/0/CPU0 | i DROP" is a pps. So we see 293pps
  RESOLVE_EGRESS_DROP_CNT and 0pps RESOLVE_INGRESS_DROP_CNT. Therefore RESOLVE_VPLS_REFLECTION_FILTER_DROP_CNT is a part of RESOLVE_EGRESS_DROP_CNT, aren't it?
  Also, counters egress_drop are increases, but ingress_drop are not:
    33  RESOLVE_INGRESS_DROP_CNT                              868559           0
    34  RESOLVE_EGRESS_DROP_CNT                           3637707596         149
  469  RESOLVE_VPLS_REFLECTION_FILTER_DROP_CNT           3294483194         129
  And one minute later:
    33  RESOLVE_INGRESS_DROP_CNT                              868559           0
    34  RESOLVE_EGRESS_DROP_CNT                           3637718845         156
  469  RESOLVE_VPLS_REFLECTION_FILTER_DROP_CNT           3294492975         135
  Also no new input drops at "sh inter":
  sh inter tenGigE 0/0/0/6 | i drops
  Fri Nov  2 16:57:39.828 MSK
       481200652943 packets input, 287931866783215 bytes, 876403 total input drops
       0 drops for unrecognized upper-level protocol
       369034005321 packets output, 180881208804090 bytes, 28963679 total output drops
  One minute later:
  sh inter tenGigE 0/0/0/6 | i drops
  Fri Nov  2 16:59:23.441 MSK
       481203274011 packets input, 287933491017363 bytes, 876403 total input drops
       0 drops for unrecognized upper-level protocol
       369035900847 packets output, 180882007120600 bytes, 28964280 total output drops

• SRST in router Cisco 3945

  Hi,
  I am having Cisco 3945 router and is having image "c3900-universalk9-mz.SPA.150-1.M1.bin" , and now want to check if SRST can be enabled on the same or not.
  I have checked it with command output "show callmanager fallback" and "show call-manager fallback all", attaching the output of the same. Please confirm id SRST already configured on it or not?
  And if not configured how to configure it.

  Hi Chris,
  Thank you for your reply. I have one more query on this.
  After creating new Device Pool for SRST, we need to move remote Ip phones from their original Device Pool and map them into newly created Device pool. So in the scenario of calls working through WAN link,will those phones work? as we have removed them from their original Device Pool.

• Cisco 3945 Policy Base Routing

  I have a Cisco 3945, it has on it two DS3 lines which I like to treat independent from each other.
  I can ping both Serial interfaces from the internet, and I can ping only GIG 0/0 from the internet.  but since the router is configured with one static route, GIG 0/1 can't be ping from the outside
  Any help would be greatly appreciated
  This is my current config:
  version 15.1
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname MOVLABT3-CA-ES
  boot-start-marker
  boot-end-marker
  card type t3 1
  card type t3 2
  enable secret 4 oMCBqgRTCeX5XeEW3HsBW6zI763Fibuq/UrLhF/91Rs
  no aaa new-model
  no ipv6 cef
  ip source-route
  ip cef
  multilink bundle-name authenticated
  crypto pki token default removal timeout 0
  crypto pki trustpoint TP-self-signed-1015775704
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-1015775704
  revocation-check none
  rsakeypair TP-self-signed-1015775704
  crypto pki certificate chain TP-self-signed-1015775704
  certificate self-signed 01
    3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
    31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
    69666963 6174652D 31303135 37373537 3034301E 170D3132 30393237 31383132
    32305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
    4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 30313537
    37353730 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
    810097B2 EE9BF6EF F19DDD93 71CA6D5B D672A749 6997BB7E 81256BFA A2BE8B0F
    E8EC5D36 F8618878 88C7016D D8998B95 293DE6F3 C0BB5CFE F2356AFD 26645A29
    F3BB69C9 46B6959B 98F35193 9729499A 8C9097FE BD0A80A4 727C87F8 963200CE
    E852DD3E 1F9F3B97 1DA1902D 7B352FAE 4FA08D32 95362373 887C6D02 6209152F
    73850203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
    551D2304 18301680 14BCCEA0 AF8EBDF2 05F01968 14CAE720 A41AE8FE EA301D06
    03551D0E 04160414 BCCEA0AF 8EBDF205 F0196814 CAE720A4 1AE8FEEA 300D0609
    2A864886 F70D0101 05050003 81810066 18505A9D 0D3C4C8F 0C90108D F0606014
    0EAE4129 2908928E D4DA7FDC 17D2A21A 4B2689F3 AF6CA062 82A5E7EF 1A0EDA37
    297AE79B 65F7182E ED4A57D7 081EC729 A85F2AFB 5A46136A F0F91853 46C89FA7
    A1D9F67F 83961EFF E92D7363 D2862517 D1214501 84D675A0 8561891F 4E791F32
    6E67990A 9A7B49F9 8D1A8CA0 51AAF2
          quit
  license udi pid C3900-SPE150/K9 sn FOC16313DE8
  hw-module sm 1
  hw-module sm 2
  controller T3 1/0
  cablelength 75
  controller T3 2/0
  cablelength 75
  interface Embedded-Service-Engine0/0
  no ip address
  shutdown
  interface GigabitEthernet0/0
  ip address 207.168.4.49 255.255.255.240
  ip nat inside
  ip virtual-reassembly in
  duplex auto
  speed auto
  interface GigabitEthernet0/1
  ip address 206.135.120.114 255.255.255.240
  ip nat inside
  ip virtual-reassembly in
  duplex auto
  speed auto
  interface GigabitEthernet0/2
  no ip address
  shutdown
  duplex auto
  speed auto
  interface Serial1/0
  ip address 206.135.100.202 255.255.255.252
  ip nat outside
  ip virtual-reassembly in
  dsu bandwidth 44210
  interface Serial2/0
  ip address 205.214.40.6 255.255.255.252
  ip nat outside
  ip virtual-reassembly in
  encapsulation ppp
  dsu bandwidth 44210
  no ip classless
  ip forward-protocol nd
  no ip http server
  no ip http secure-server
  ip route 0.0.0.0 0.0.0.0 206.135.100.201
  access-list 1 permit 10.0.0.0 0.0.0.255
  snmp-server community RO-N1mS0ft RO
  control-plane
  line con 0
  line aux 0
  line 2
  no activation-character
  no exec
  transport preferred none
  transport input all
  transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
  stopbits 1
  line vty 0 4
  login
  transport input all
  scheduler allocate 20000 1000
  end

  This is what it looks like now, and I still can't ping gig 0/1 from the internet
  interface GigabitEthernet0/0
  ip address 207.168.4.49 255.255.255.240
  ip virtual-reassembly in
  duplex auto
  speed auto
  interface GigabitEthernet0/1
  ip address 206.135.120.114 255.255.255.240
  ip virtual-reassembly in
  ip policy route-map pbr
  duplex auto
  speed auto
  interface GigabitEthernet0/2
  no ip address
  shutdown
  duplex auto
  speed auto
  interface Serial1/0
  ip address 206.135.100.202 255.255.255.252
  ip virtual-reassembly in
  dsu bandwidth 44210
  interface Serial2/0
  ip address 205.214.40.6 255.255.255.252
  ip virtual-reassembly in
  encapsulation ppp
  dsu bandwidth 44210
  ip local policy route-map PBR
  no ip classless
  ip forward-protocol nd
  no ip http server
  no ip http secure-server
  ip route 0.0.0.0 0.0.0.0 206.135.100.201
  access-list 1 permit 10.0.0.0 0.0.0.255
  access-list 101 permit ip 206.135.120.112 0.0.0.15 any
  route-map pbr permit 10
  match ip address 101
  set ip next-hop 205.214.40.5
  snmp-server community RO-N1mS0ft RO
  control-plane
  line con 0
  line aux 0
  line 2
  no activation-character
  no exec
  transport preferred none
  transport input all
  transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
  stopbits 1
  line vty 0 4
  login
  transport input all
  scheduler allocate 20000 1000
  end

• OIB value for Total output drops

  Hi, we have a Cisco C7200P router at work running IOS 12.4(12.2r)T, and we monitor it using Zenoss 3.1. We want to be able to capture the total output drops for a Gigabit Ethernet interface. I created a custom monitoring template and I added the following data source:
  Name: cieIfOutputQueueDrops
  OIB: 1.3.6.1.4.1.9.9.276.1.1.1.1.11
  The total output drops as viewed via the CLI are as follows:
  Input queue: 0/75/1335749/399902 (size/max/drops/flushes); Total output drops: 53882894
  However the graph on Zenoss reports a completely different value of ~360M. Here is the output of snmpwalk:
  SNMPv2-SMI::enterprises.9.9.276.1.1.1.1.11.1 = Counter32: 0 SNMPv2-SMI::enterprises.9.9.276.1.1.1.1.11.2 = Counter32: 0 SNMPv2-SMI::enterprises.9.9.276.1.1.1.1.11.3 = Counter32: 0 SNMPv2-SMI::enterprises.9.9.276.1.1.1.1.11.4 = Counter32: 363270064 SNMPv2-SMI::enterprises.9.9.276.1.1.1.1.11.5 = Counter32: 0 SNMPv2-SMI::enterprises.9.9.276.1.1.1.1.11.6 = Counter32: 0 SNMPv2-SMI::enterprises.9.9.276.1.1.1.1.11.7 = Counter32: 0 SNMPv2-SMI::enterprises.9.9.276.1.1.1.1.11.12 = Counter32: 0 SNMPv2-SMI::enterprises.9.9.276.1.1.1.1.11.13 = Counter32: 0 SNMPv2-SMI::enterprises.9.9.276.1.1.1.1.11.14 = Counter32: 0 SNMPv2-SMI::enterprises.9.9.276.1.1.1.1.11.15 = Counter32: 653008 SNMPv2-SMI::enterprises.9.9.276.1.1.1.1.11.26 = Counter32: 0 SNMPv2-SMI::enterprises.9.9.276.1.1.1.1.11.125 = Counter32: 0 SNMPv2-SMI::enterprises.9.9.276.1.1.1.1.11.139 = Counter32: 0 SNMPv2-SMI::enterprises.9.9.276.1.1.1.1.11.140 = Counter32: 0 SNMPv2-SMI::enterprises.9.9.276.1.1.1.1.11.194 = Counter32: 0 SNMPv2-SMI::enterprises.9.9.276.1.1.1.1.11.196 = Counter32: 0 SNMPv2-SMI::enterprises.9.9.276.1.1.1.1.11.254 = Counter32: 0 SNMPv2-SMI::enterprises.9.9.276.1.1.1.1.11.288 = Counter32: 0
  The value it retunrs is incorrect. I would appreciate some assistance.

  Did you tried using ifOutDiscards (.1.3.6.1.2.1.2.2.1.19). These are counted as output drops as shown in the show interfaces command.
  It shows the number of outbound packets which were chosen to be discarded even though no errors had been detected to prevent their being transmitted. One possible reason for discarding such a packet could be to free up buffer space.
  For more details on interface couter please check following document :
  SNMP Counters: Frequently Asked Questions
  -Thanks
  Vinod
  **Encourage Contributors. RATE Them.**

• 3750ME Total output drops, OutDiscards

  Hi,
  I am testing a 3750ME switch as L2 device with iperf and Agilent router tester. I have a physical loop on 2 fastethernet ports - one port is access in vlan A and the other is access in vlan B. On the switch uplink both vlans are allowed. The test traffic comes from the uplink via vlan A, loops to vlan B via the physical loop and then goes back via vlan B through the uplink.
  I have tested a lot of Cisco switches in this way and had no issues until now. Now I have 18 OutDiscards (Total output drops) on one of the fastethernet interfaces, connected via the physical loop.
  The IOS is 12.2(44)SE1. I've read the release notes for this IOS, aka
  http://www.cisco.com/en/US/docs/switches/metro/catalyst3750m/software/release/12.2_44_se/release/notes/OL14631.html
  where it says:
  CSCsj53001
  The Total- output-drops field in the show interfaces privileged EXEC command output now displays accurate ASIC drops.
  so the counters are correct.
  I generate less then 5Mbps duplex traffic, so the switch must not be overloaded.
  Do you have any idea why I get these 18 output errors?
  Regards,
  Mladen

  Please generate more definitive test - clear the counters and generate much more traffic - like 100 Mbps (full port speed if you're not using the uplinks on 3750ME).
  Also, be sure the port is in "switchport" mode, because there could be an issue with mac addresses when switch is routing.
  Is your test setup in pure L2? without L3?

• Total output drops & dot1dBridgeEventsV2

  I am seen a lot of "Total output drops: " in the LAN/WAN Router, does any one have any documents that plains the cause of "Total output drops" and what it it's?
  Also I am getting a lot of traps in the LAN, but I can't find documents that explains the event, "dot1dBridgeEventsV2" Can you guys guide me to a document where it explains the events?
  Thanks

  Total output drops is the number of packets in the output queue that have been dropped because of a full queue. Check out the following link for troubleshooting input queue drops and output queue drops :
  http://www.cisco.com/warp/public/63/queue_drops.html

• Cisco 3945- boot up fails with no error

  Greetings,
  Just throwing it out there to see if anyone throw some ideas my way.  I recently sent a working/tested Cisco 3945 ISR router out to a office for redundancy.  Before I did that, I removed WLAN controller and slot module, 1xVWIC2 T1 and 1xVIC2 FX0 modules.  I did however leave the PVDM3 64ch and 1x VWIC t1 modules and flash card, which had a v15 IOS loaded and basic config.  Upon delivery they said it doesn't work, "it hangs" and no damage externally or failed hardware (power supplies/fans).  These things always make me wonder, cause hangs is so vague and do not really see Cisco routers do this unless they are taking larger than normal packets or someone turned on debugging without turning it off.  
  Here's my thinking and hope someone can chime in and throw some ideas at me before I get on a call with them on Monday.  I attached a screen shot they sent of the boot up and looks to me that its trying to initialize the current config file which which may be trying to initialize the voice channels.  Could this be as easy as killing the current config loaded, going into rommon and setting it back to default maybe?  Or just removing the PVDM card maybe?  
  I hate to say something is just broke, I rarely see this and being I powered it up and tested the hardware, I don't want to involve tac until I can rule out the obvious.  I did, however, test and powered down the router before removing the additional hardware.  Would this current config on the router that may have lingering hardware (which I removed) in the config cause this to happen as well?  
  Side note: The flash cleared and below were the contents of the flash before sending out the router.
  Router#sho flash
  -#- --length-- -----date/time------ path
  1     55277232 Jul 07 2014 07:51:20 c3900-universalk9-mz.SPA.150-1.M3.bin
  201228288 bytes available (55279616 bytes used)
  Thanks in advance

  Remove all modules and boot.
  Another thing, your IOS is very old.  VERY. 
  If you want to stick with 15.0(1)M-series then go to M10 but don't just "sit" in an old M3.

• Cisco Prime Infrastructure deployment through Cisco 3945 ISR

  Dears,
  I have Cisco 3945 ISR include module for the Cisco prime infrastructure.
  I need to deploy the prime but when I connected monitor on the module I saw that it is looking for DHCP only.
  Please can anyone support me with procedure to install the prime?
  Should I install the ESXi on this module by make it boot from external device (USB, or CD drive)?
  Your support is highly appreciated,
  Regards,

  Duplicate post. 
  Go HERE.