[c-nsp] ARP timeout command
Is there a command to change the ARP timeout in IOS globally, or do I need to change it on every single interface/sub-interface? I can't seem to find any reference to it, but I wanted to confirm it.

___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] ASA VPN - DMZ
So, the setup is: the ASA has an inside and a DMZ interface, the DMZ having a lower security level than the inside interface for obvious reasons. From the ASA there is an L2L IPsec tunnel to another location, where the crypto map ACL covers the inside and DMZ interface IP subnets. As far as I know, this automatically lets the remote VPN site communicate with inside and DMZ hosts, and inside/DMZ hosts can communicate with the remote VPN site without any firewalling.

Is there any way to let the remote VPN site initiate traffic to the DMZ but not let the DMZ initiate traffic to the remote VPN? I know I can apply a VPN filter to the L2L tunnel, but that's not stateful inspection.

Thanks!
[c-nsp] Fwd: Cisco Smart Care Service Downtime- 03/01/2012
I am not sure how many people on this list sell this service to customers, but having a 3-day maintenance window on a service that customers pay for seems, well... is this 1995? Cisco, of all people, can't do an incremental, non-impacting update to their service?

Sorry for the venting.

-- Forwarded message --
From: Cisco Smart Care Program Team abhde...@cisco.com
Date: Mon, Feb 27, 2012 at 7:16 PM
Subject: Cisco Smart Care Service Downtime- 03/01/2012
To: Jay Nakamura zeusda...@gmail.com

February 27, 2012

Smart Care Topics:
- Smart Care Service Major Downtime Between March 01 20:00 - March 04 19:00, PST

Cisco Smart Care Service Major Downtime scheduled from Thursday March 01, 20:00 – Sunday March 04, 19:00 PST

Smart Care will undergo a major upgrade of the infrastructure used to host the Smart Care service. This infrastructure upgrade shall provide the platform with much required scalability and flexibility, enabling the service to scale to future demands.

Scheduled system maintenance downtime
Please note: You will experience a total downtime of the Cisco Smart Care portal during this maintenance window:
Begin: March 01, 20:00 - America/San Francisco (PST)
End: March 04, 19:00 - America/San Francisco (PST)
Duration: 71 Hours

Impacts: The Smart Care Portal will have a complete service downtime, causing the portal and the quoting and ordering functions to be unavailable.

Recommended Action: During this period, please refrain from using the portal and access the application after the communicated downtime window.

Questions: If you have any further questions, please contact Abhijit Desai (abhde...@cisco.com), Smart Care Product Manager.

Thank you for your support,
Cisco Smart Care Product Management

Visit the Cisco Smart Care Service website at www.cisco.com/go/smartcare.
[c-nsp] BGP AS Path manipulation
I was trying to simulate a customer's network on Qwest MPLS and ran into a problem duplicating how Qwest's BGP behaves with IOS.

With Qwest, if each branch is using BGP, say something like this:

Location A -- Qwest MPLS -- Location B

The Location A and Location B routers are both using 65512 as their AS#. Locations A and B see the other side's route with an AS path of 209 209, where Qwest is taking 209 65512 and replacing the 65512 with 209.

If I try to do remove-private-as on the router, location A still sees 209 65512, since remove-private-as won't remove a private AS# towards a peer with the same AS#.

Is there any other configuration I don't know about that I can use on IOS to simulate what Qwest is doing?
[c-nsp] Deploying MSTP
Is there anything special with MSTP that I should consider when deploying it in a network? The only thing I can think of is to pre-configure VLANs for future use, since the topology will re-converge every time you add a VLAN to the MSTP instance. Any other special issues I should be looking out for?

Thanks!
Re: [c-nsp] Deploying MSTP
We have made a pretty clear decision on sticking with one vendor and not inter-operating at the MSTP level, so we are safe on that front. Our long-term goal is to move to some kind of MPLS Ethernet tunneling at some point and not rely on STP as much as possible, but our budget does not allow it yet. In the meantime we have to use STP to achieve redundancy.

On Tue, Dec 27, 2011 at 5:00 PM, Mack McBride mack.mcbr...@viawest.com wrote:
> Interactions with legacy gear that does not support MSTP or does not support it the same way. That is the biggest headache during transition. After transition the biggest headache is making vlan changes as you noted.
>
> LR Mack McBride
> Network Architect
>
> -----Original Message-----
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jay Nakamura
> Sent: Tuesday, December 27, 2011 2:16 PM
> To: cisco-nsp
> Subject: [c-nsp] Deploying MSTP
>
> Is there anything special with MSTP that I should consider when deploying it in a network? The only thing I can think of is to pre-configure VLANs for future use, since the topology will re-converge every time you add a VLAN to the MSTP instance. Any other special issues I should be looking out for?
>
> Thanks!
[c-nsp] Packet Shaper
Does Cisco make any dedicated packet shaper? Does anyone recommend any other vendors for 100~200 Mbps bandwidth and deep packet inspection?
[c-nsp] HSRP and removing connected route
So, the situation is this. Let's say I have a topology where there are two routers, each router connected to a separate switch, and the two switches are connected to a gigabit Ethernet WAN. One router and switch are in one city; the other router and switch are in another city. There is a VLAN that spans the two routers, the two switches and servers hosted in one city. I have the VLAN on HSRP between the two routers.

The problem is this. When the gigabit WAN goes down, the router at the end without the hosts will still try to route that traffic out its VLAN. Is there a way to prevent that by using IP SLA or the track command or some other trick? Perhaps shut down the subinterface automagically? (Although, if it shuts it down, I am not sure how it will detect that the service is back up.) Or is there something I am not thinking of that I should be doing other than HSRP?
Re: [c-nsp] HSRP and removing connected route
On Thu, Dec 8, 2011 at 5:30 PM, Phil Mayers p.may...@imperial.ac.uk wrote:
> On 12/08/2011 08:23 PM, Jay Nakamura wrote:
>
> This is such an odd setup, I feel sure there is more to it than described. Question: why are you using HSRP at all? Why not just route from city 1 to city 2?

There is a long history where the conditions and requirements have changed repeatedly to end in this configuration. I was trying to figure out if there is a way to work around it or whether I just have to redesign it from the bottom up. I feel that it needs to be redesigned, but right now I'm not sure if that's feasible equipment- and effort-wise.
[c-nsp] USB Serial adapter and ASA 5510
This is just a curiosity question. I have a pretty generic USB serial adapter (CPTech CP-US-03) to console into network gear. For some reason, I can console into anything except an ASA 5510. When connected to an ASA 5510, the output is mangled, as if the console serial parameters were off. But it works fine with the same settings on an older laptop with a built-in serial port. I have used this USB adapter for the ASA 5505, ISRs, 7500, Dell switches, Netgear, Adtran, HP, damn near any other gear, and it works perfectly. I have a couple of the same model adapter and they all do the same thing, only on the ASA 5510. (Haven't had the opportunity to touch a bigger ASA.)

Anyone else run into something like this?
Re: [c-nsp] Subnetting problem
216.24.2.4/28 should be 216.24.2.0/28, but that would include .0/30 and .12/30.

On Thu, Oct 6, 2011 at 3:22 PM, Joseph Mays m...@win.net wrote:
> It feels strange to be asking a question about something as simple as a subnet here, but I'm honestly not sure what's going on in this case. Probably something simple. As you can see from the following set of commands, the router is fine with breaking the following addresses up into /30s, but not fine with the aggregate of the two routes into a /29.
>
> gw1.armplc(config)#ip route 216.24.2.4 255.255.255.252 216.24.0.54
> gw1.armplc(config)#no ip route 216.24.2.4 255.255.255.252 216.24.0.54
> gw1.armplc(config)#ip route 216.24.2.8 255.255.255.252 216.24.0.54
> gw1.armplc(config)#no ip route 216.24.2.8 255.255.255.252 216.24.0.54
> gw1.armplc(config)#ip route 216.24.2.4 255.255.255.248 216.24.0.54
> %Inconsistent address and mask
Re: [c-nsp] Subnetting problem
On Thu, Oct 6, 2011 at 4:41 PM, -Hammer- bhmc...@gmail.com wrote:
> Not to stir up any emotions here, but it would be convenient if IOS would recognize .4 (based on the /29 mask) as part of the subnet starting with .0 and just throw it in for you. But I guess we don't want to dumb ourselves down too much.

I feel like some IOS has done that to me before. I distinctly remember putting the wrong net address in and, reviewing the config, found that it had changed it to the correct one. Hmmm... Maybe it wasn't IOS.
Re: [c-nsp] Subnetting problem
That may be what I am remembering... thanks!

On Oct 6, 2011 5:30 PM, Chuck Church chuckchu...@gmail.com wrote:
> Won't it do that for ACLs?
>
> Chuck
>
> -----Original Message-----
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jay Nakamura
> Sent: Thursday, October 06, 2011 5:07 PM
> To: -Hammer-
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] Subnetting problem
>
> On Thu, Oct 6, 2011 at 4:41 PM, -Hammer- bhmc...@gmail.com wrote:
> > Not to stir up any emotions here, but it would be convenient if IOS would recognize .4 (based on the /29 mask) as part of the subnet starting with .0 and just throw it in for you. But I guess we don't want to dumb ourselves down too much.
>
> I feel like some IOS has done that to me before. I distinctly remember putting the wrong net address in and, reviewing the config, found that it had changed it to the correct one. Hmmm... Maybe it wasn't IOS.
Re: [c-nsp] PA-MC-T3 trouble with individual T1 channels
Could the incoming signal gain be too strong? I had a similar problem with a DS3 card before, and putting attenuators in fixed the issue.

On Sep 15, 2011 6:00 PM, Nick Voth nv...@estreet.com wrote:
> Folks,
>
> I've been having about 1 T1 per month go down on a specific slot in a 7206 VXR. It's slot 4. I have replaced the PA-MC-T3 that is in there, but I still keep getting individual T1 circuits going down. Each time, it's a different channel on the DS3 card that is down. We have opened tickets with the telco, and they say everything looks clean on the DS3, but when a T1 is down, they can't loop up that individual channel on the DS3 card. We have been assuming the card was bad, so we've just replaced it a couple of times, BUT today we just pulled the existing one out and reseated it. The down T1 came back up and runs clean now.
>
> I know this is old equipment, but has anyone had similar issues? The cards are cheap enough that we can replace them, but having to do that every month or two seems really odd. Especially now that just reseating the DS3 card seems to have worked. I'm worried there might be something more sinister going on.
>
> Thanks in advance,
> -Nick Voth
Re: [c-nsp] Bridging T1s together on PA-MC-T3
Are you actually Ethernet bridging, or do you just want a TDM cross-connect? I don't think you can cross-connect it, but perhaps you can create a VRF and route IP?

On Sep 13, 2011 11:47 AM, Nick Voth nv...@estreet.com wrote:
> Folks,
>
> I'm hoping this is an easy/obvious question, but I've looked around and can't find the config I'm looking for. I have several channelized DS3s coming in and terminating on PA-MC-T3 cards. I use those for regular PPP T1 circuits out to client sites. I now have the need to bridge 2 client sites together, and am wondering if there's a way to bridge 2 individual T1 circuits together on one DS3 card. The 2 client sites don't need access to our LAN or Internet. This would literally be a private line connection between the 2 sites, with us in the middle bridging them together. The clients' Internet access is totally separate from this proposed solution.
>
> I know I can have the local telco just do a point-to-point circuit between the 2 client sites, but then we wouldn't have any visibility for up/down monitoring, etc.
>
> Any advice would really help.
>
> Thanks,
> -Nick Voth
[c-nsp] Router performance PDF
The last update to the Cisco router performance PDF seems to be November 2009. Has Cisco released any new sheet since then? There are a couple of routers missing, and it's always a nice guide for comparing performance. I can't seem to find anything useful.
[c-nsp] ASA vs ISR ZBFW
I have been wondering lately, what advantages does an ASA have over an ISR as a firewall on the low end? As just one stand-alone firewall, what features does the ASA have that distinguish it? Often, I'd rather have an ISR over an ASA so I have more flexibility in a budget environment. The ASA5505-SEC-BUN-K9 is in about the same price range as the CISCO1921-SEC/K9, I believe. Which would you choose? What am I missing that means I should be using an ASA instead of an ISR?
Re: [c-nsp] Cisco ASA AIP-SSM-20 License
Ha! I am going through service contract hell for an AIP-SSM-10 myself. The best thing to do is to ask your account manager. I can't get a straight answer out of our distributor.

So, if you bought the ASA and IPS card bundled, it's one CON-SUx- SKU (x will depend on the service level, and there is some # for the particular bundle). If you bought them separately, you have to get the standard CON-SNT- for the ASA and CON-SUx- for the IPS card. At least that's what I have been told so far. But the SCC quote tool won't accept any of the serials for me, and Cisco SCC help is less than helpful and slow. It's been 5 weeks since I started looking into it and I can't seem to get to the bottom of it. (There are other circumstances in my case though.)

On Wed, Aug 24, 2011 at 10:01 PM, Joseph Hardeman jwharde...@gmail.com wrote:
> Hi Everyone,
>
> Can someone point me to the correct license I need to be able to download the updates from Cisco for this SSM? Do I need to have a smartnet account to do it, or is there a separate license I can use?
>
> Joe
Re: [c-nsp] vlan
This list is for Cisco-related discussion, not PCs. You may want to search for a forum related to the OS you are using.

On Wed, Aug 24, 2011 at 10:38 PM, ujjwal maghaiya ujjwal...@hotmail.com wrote:
> Could somebody point out to me how to define a VLAN on the NIC of our PC?
Re: [c-nsp] BGP question : What's the best way for filtering outgoing prefixes?
While testing, I am wondering: is it standard practice to clear my community strings from routes before going to a peer/transit?

On Thu, Aug 18, 2011 at 4:00 PM, Jay Nakamura zeusda...@gmail.com wrote:
> This is a bit complicated. Let's say we are provider X. X is connected to transit providers A and B. X currently uses a prefix-list to filter outgoing BGP announcements. We are now getting a customer that wants to multi-home, so their transit providers are X and C. We gave them a /24 from our block; let's call it IP1.
>
> I was simulating how I should configure our routers so it was secure and did all the right things when I noticed the IP1 route coming in from provider A is getting advertised to provider B through us. It makes sense, since it passes our outgoing prefix list. (So, the AS path was AS_X AS_A AS_Customer into provider B.)
>
> What's the best way to prevent this? Here are the two options I was thinking of doing:
>
> Option 1
> Set all routes learned from A and B with a unique community, and filter out any routes with that community for outgoing routes to A and B.
>
> Option 2
> Filter on AS-Path for routes going out A and B with AS-X$ AS-X_(AS_CUSTOMER)+_$ (I think, I haven't looked closely at AS path syntax)
>
> With Option 1, I don't have to do anything when we add another BGP customer, but I'm not sure what the overhead of tagging all incoming routes with a community is. With Option 2, I have to edit the AS-path every time we add a customer.
>
> Is there a better option?
Re: [c-nsp] ARP oddness
Is it broadcasting because the destination is not in the FDB?

On Aug 19, 2011 4:49 PM, Chuck Church chuckchu...@gmail.com wrote:
> Anyone,
>
> Researching some issues at a remote site, I'm seeing something I don't think should happen. A packet capture on this remote server using Wireshark and focusing in on ARP is seeing all the requests (as I'd expect), but I'm also seeing unicast replies that I shouldn't. The MAC address table on the switch I'm attached to shows only the MAC of this remote server on that port. There are no SPAN sessions on the switch either. The destination addresses aren't multicast, they're true unicast. Yet I'm seeing all these unicasts that aren't my MAC address. Is there some function built into a Cisco switch that broadcasts these to make them act like gratuitous ARPs, or am I really seeing something that shouldn't happen? It's on a Sup2+ 4500, running 12.2(25)EWA10 (I know it's ancient, vendor owns it...)
>
> Thanks,
> Chuck
[c-nsp] BGP question : What's the best way for filtering outgoing prefixes?
This is a bit complicated. Let's say we are provider X. X is connected to transit providers A and B. X currently uses a prefix-list to filter outgoing BGP announcements. We are now getting a customer that wants to multi-home, so their transit providers are X and C. We gave them a /24 from our block; let's call it IP1.

I was simulating how I should configure our routers so it was secure and did all the right things when I noticed the IP1 route coming in from provider A is getting advertised to provider B through us. It makes sense, since it passes our outgoing prefix list. (So, the AS path was AS_X AS_A AS_Customer into provider B.)

What's the best way to prevent this? Here are the two options I was thinking of doing:

Option 1
Set all routes learned from A and B with a unique community, and filter out any routes with that community for outgoing routes to A and B.

Option 2
Filter on AS-Path for routes going out A and B with AS-X$ AS-X_(AS_CUSTOMER)+_$ (I think, I haven't looked closely at AS path syntax)

With Option 1, I don't have to do anything when we add another BGP customer, but I'm not sure what the overhead of tagging all incoming routes with a community is. With Option 2, I have to edit the AS-path every time we add a customer.

Is there a better option?
Re: [c-nsp] BGP question : What's the best way for filtering outgoing prefixes?
Excellent. Thanks Gert and Chip!

On Thu, Aug 18, 2011 at 4:25 PM, Gert Doering g...@greenie.muc.de wrote:
> Hi,
>
> On Thu, Aug 18, 2011 at 04:00:52PM -0400, Jay Nakamura wrote:
> > Option 1
> > Set all routes learned from A and B with a unique community, and filter out any routes with that community for outgoing routes to A and B.
> >
> > Option 2
> > Filter on AS-Path for routes going out A and B with AS-X$ AS-X_(AS_CUSTOMER)+_$ (I think, I haven't looked closely at AS path syntax)
>
> Both will work, but option 1 is what everybody else does because it's much less effort in the long run.
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!  //www.muc.de/~gert/
> Gert Doering - Munich, Germany  g...@greenie.muc.de
> fax: +49-89-35655025  g...@net.informatik.tu-muenchen.de
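A worked model of the two outbound policies from the thread, added here as an example and not code from any of the posts. All AS numbers, prefixes and the community value are constructed; paths are modelled as they appear in X's own table, where X's ASN is not yet prepended (IOS adds it on export), so locally originated routes have an empty path.

```python
import re
from dataclasses import dataclass

# Constructed values for the scenario in the thread: we are X, our transits
# are A and B, and the multi-homed customer also buys transit from C.  None of
# the AS numbers, prefixes or the community value come from the original posts.
AS_X, AS_A, AS_B, AS_C, AS_CUST = 65100, 65201, 65202, 65203, 65300
OUR_PREFIX = "198.51.100.0/24"    # X's own aggregate
CUST_PREFIX = "203.0.113.0/24"    # "IP1", the /24 assigned to the customer
TRANSIT_TAG = f"{AS_X}:1000"      # Option 1: marks "learned from a transit"

# The outbound prefix-list X already uses.  IP1 is legitimately on it, which
# is exactly why the copy of IP1 learned from A can leak to B.
OUTBOUND_PREFIX_LIST = {OUR_PREFIX, CUST_PREFIX}


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple                        # as seen in X's table: X's own ASN
    communities: frozenset = frozenset()  # is not on the path yet
    learned_from: str = "local"

    def tagged(self, community):
        return Route(self.prefix, self.as_path,
                     self.communities | {community}, self.learned_from)


def import_policy(route):
    """Inbound route-map on the A and B sessions: stamp the transit community."""
    return route.tagged(TRANSIT_TAG) if route.learned_from in ("A", "B") else route


def prefix_list_only(route):
    """What X does today: a prefix-list alone, with no check of where it came from."""
    return route.prefix in OUTBOUND_PREFIX_LIST


def option1_export_ok(route):
    """Option 1: prefix-list plus 'deny anything carrying the transit tag'."""
    return prefix_list_only(route) and TRANSIT_TAG not in route.communities


# Option 2: an AS-path regex that admits only locally originated routes (empty
# path in our table) and routes whose path is purely one customer ASN,
# possibly prepended.  This list has to be edited for every new customer.
CUSTOMER_ASNS = [AS_CUST]
AS_PATH_RE = re.compile(r"^$|^(%s)( \1)*$" % "|".join(map(str, CUSTOMER_ASNS)))


def option2_export_ok(route):
    path = " ".join(map(str, route.as_path))
    return prefix_list_only(route) and AS_PATH_RE.match(path) is not None


def best_paths(routes):
    """One path per prefix; the shortest AS path wins (enough for this demo)."""
    best = {}
    for r in routes:
        if r.prefix not in best or len(r.as_path) < len(best[r.prefix].as_path):
            best[r.prefix] = r
    return list(best.values())


def exported_to_transit(raw_routes, export_ok):
    """Prefixes X would announce to A or B under the given outbound policy."""
    table = best_paths(import_policy(r) for r in raw_routes)
    return sorted(r.prefix for r in table if export_ok(r))


# Constructed view of X's table with the customer's direct session down: the
# only path to IP1 is the one A hands us (via C), the situation from the post.
CUSTOMER_LINK_DOWN = [
    Route(OUR_PREFIX, ()),
    Route(CUST_PREFIX, (AS_A, AS_C, AS_CUST), learned_from="A"),
    Route("192.0.2.0/24", (AS_B, 64496), learned_from="B"),
]
# With the direct session up, the one-hop customer path is best and may go out.
CUSTOMER_LINK_UP = CUSTOMER_LINK_DOWN + [
    Route(CUST_PREFIX, (AS_CUST,), learned_from="customer"),
]

if __name__ == "__main__":
    for label, table in (("customer link down", CUSTOMER_LINK_DOWN),
                         ("customer link up", CUSTOMER_LINK_UP)):
        print(label)
        for name, policy in (("prefix-list only", prefix_list_only),
                             ("option 1 (community)", option1_export_ok),
                             ("option 2 (as-path)", option2_export_ok)):
            print(f"  {name:22s} -> {exported_to_transit(table, policy)}")
```

With the customer link down, the prefix-list alone lets the A-learned copy of IP1 out towards B; either option blocks it, and both still export IP1 once the direct customer path is back.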
Re: [c-nsp] CISCO special offer products / Good discount off the GPL and flexible payment and shipment./ providing the best quality and service.
Mod, please remove this user from the list. Is there a better way to report someone to be removed for spamming than posting to the list?

On Thu, Aug 11, 2011 at 3:56 AM, Melody importg...@hotmail.com wrote:
> Hey friend,
>
> I am Melody from Importgm International Limited. We supply new/used CISCO Networking Equipment with high quality and competitive price, such as CISCO Router, Switch, Firewall, IP Phone etc. Good discount off the GPL and flexible payment and shipment. And providing the best quality and service. Email me, let's talk details. Hope to cooperate with you!
>
> Rgds,
> Melody
> 2011-08-11
> Melody | Importgm International limited
> Direct 86-0755-28447806 | Fax 86-0755-28447806
> WEB: www.importgm.com
> Email: importg...@hotmail.com
Re: [c-nsp] ASA failover
Thanks Joerg, I am not sure how I missed that. For those who are curious or googling, this is what I found:

1. Link Up/Down test—A test of the interface status. If the Link Up/Down test indicates that the interface is operational, then the ASA performs network tests. The purpose of these tests is to generate network traffic to determine which (if either) unit has failed. At the start of each test, each unit clears its received packet count for its interfaces. At the conclusion of each test, each unit looks to see if it has received any traffic. If it has, the interface is considered operational. If one unit receives traffic for a test and the other unit does not, the unit that received no traffic is considered failed. If neither unit has received traffic, then the next test is used.

2. Network Activity test—A received network activity test. The unit counts all received packets for up to 5 seconds. If any packets are received at any time during this interval, the interface is considered operational and testing stops. If no traffic is received, the ARP test begins.

3. ARP test—A reading of the unit ARP cache for the 2 most recently acquired entries. One at a time, the unit sends ARP requests to these machines, attempting to stimulate network traffic. After each request, the unit counts all received traffic for up to 5 seconds. If traffic is received, the interface is considered operational. If no traffic is received, an ARP request is sent to the next machine. If at the end of the list no traffic has been received, the ping test begins.

4. Broadcast Ping test—A ping test that consists of sending out a broadcast ping request. The unit then counts all received packets for up to 5 seconds. If any packets are received at any time during this interval, the interface is considered operational and testing stops.
On Thu, Aug 11, 2011 at 11:16 AM, Joerg Mayer jma...@loplof.de wrote:
> On Thu, Aug 11, 2011 at 10:28:37AM -0400, Jay Nakamura wrote:
> > I can't seem to find any information on what the ASA tests when it's configured for failover configuration and it detects a problem. This is the log entry I am talking about.
>
> Yes, searching information at the cisco web site can be intimidating :-)
> The information you need can be found in the cli config guide for the ASA. For software 8.4, it is the section [Configuring High Availability] - [Failover Health Monitoring] (in my edition that would be page 1259).
>
> Ciao
>   Joerg
> --
> Joerg Mayer  jma...@loplof.de
> We are stuck with technology when what we really want is just stuff that works. Some say that should read Microsoft instead of technology.
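The four-step interface test sequence quoted above, encoded as a small simulation so the order of escalation and the "which unit failed" rule can be checked against sample observations. This is an added example, not Cisco code; the per-test packet counts are constructed, and the outcomes for "both links down" and "all tests silent" are this example's own labels, since the quoted text does not state them.

```python
# Constructed simulation of the ASA failover interface-test sequence quoted
# above.  This is not Cisco code; it only encodes the decision rules from the
# quoted text: link test first, then activity -> ARP -> broadcast ping, with
# counters cleared per test and "one hears traffic, the other does not" as the
# failure criterion.

UNITS = ("primary", "secondary")
NETWORK_TESTS = ("activity", "arp", "ping")   # order after the link test


def run_interface_tests(link_up, received):
    """Evaluate one monitored interface for a failover pair.

    link_up:  {"primary": bool, "secondary": bool}, the Link Up/Down result.
    received: {test: {"primary": n, "secondary": n}}, packets each unit counted
              during that network test (counters are cleared per test).
    Returns (verdict, decided_by): verdict is None when the interface is
    considered operational on both units, otherwise the name of the failed unit.
    """
    # Link Up/Down test first; network tests run only when the link is up.
    # The quoted text does not cover both links being down; "both" is this
    # example's own label for that case.
    down = [u for u in UNITS if not link_up[u]]
    if down:
        return ("both" if len(down) == 2 else down[0]), "link"

    for test in NETWORK_TESTS:
        heard = {u: received[test][u] > 0 for u in UNITS}
        if all(heard.values()):
            return None, test            # both units saw traffic: operational
        if any(heard.values()):
            # exactly one unit heard traffic; the silent one is the failed unit
            return next(u for u in UNITS if not heard[u]), test
        # neither unit saw traffic: escalate to the next, more active, test

    # All three network tests were silent on both units.  The quoted text stops
    # at the ping test, so this example reports the case explicitly.
    return "undetermined", "ping"


# Constructed sample observations (packets counted per test and unit).
BUSY_SEGMENT = {                      # normal LAN: the activity test settles it
    "activity": {"primary": 120, "secondary": 118},
    "arp":      {"primary": 0, "secondary": 0},
    "ping":     {"primary": 0, "secondary": 0},
}
QUIET_SEGMENT_SECONDARY_SILENT = {    # nobody talked for 5 s, so ARP probes
    "activity": {"primary": 0, "secondary": 0},    # are sent; only the primary
    "arp":      {"primary": 4, "secondary": 0},    # hears the answers
    "ping":     {"primary": 9, "secondary": 0},    # never reached
}
DEAD_SEGMENT = {t: {"primary": 0, "secondary": 0} for t in NETWORK_TESTS}
BOTH_UP = {"primary": True, "secondary": True}

if __name__ == "__main__":
    for name, obs in (("busy", BUSY_SEGMENT),
                      ("quiet, secondary silent", QUIET_SEGMENT_SECONDARY_SILENT),
                      ("dead", DEAD_SEGMENT)):
        verdict, by = run_interface_tests(BOTH_UP, obs)
        print(f"{name:24s} -> failed={verdict!r}, decided by the {by} test")
```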
[c-nsp] PBR on traffic originating from the router
Let's say a router is set up with connections to ISP 1 and ISP 2, both non-BGP connections, and traffic coming in from ISP 1 can't go out ISP 2 and vice versa. The default route is set on ISP 1, with IP SLA failover to ISP 2. I can configure NAT so it will NAT to the correct IP for each egress connection; this is not the issue.

Is there a way, for example, for a ping to the router coming in via ISP 2 to be sent back out ISP 2 when ISP 2 is not the default route? Normal PBR is applied to ingress traffic on an interface, so I wasn't sure what could be done with traffic originating on the router.

Thanks!
Re: [c-nsp] PBR on traffic originating from the router
Thanks everyone! I got it working with the ip local policy.

On Thu, Jul 28, 2011 at 6:08 AM, Pavel Skovajsa pavel.skova...@gmail.com wrote:
> Hello Jay,
>
> you can apply a route-map that would do PBR on the traffic generated by the router like this:
>
> route-map LocalPolicy permit 10
>  match ip address PingISP_A
>  set interface Serial0/0/0
>
> ip local policy route-map LocalPolicy
>
> Seems like your scenario perfectly matches the one described by Ivan on http://www.nil.com/ipcorner/RedundantMultiHoming/
>
> -pavel
>
> On Thu, Jul 28, 2011 at 8:29 AM, Jay Nakamura zeusda...@gmail.com wrote:
> > Let's say a router is set up with connections to ISP 1 and ISP 2, both non-BGP connections, and traffic coming in from ISP 1 can't go out ISP 2 and vice versa. The default route is set on ISP 1, with IP SLA failover to ISP 2. I can configure NAT so it will NAT to the correct IP for each egress connection; this is not the issue.
> >
> > Is there a way, for example, for a ping to the router coming in via ISP 2 to be sent back out ISP 2 when ISP 2 is not the default route? Normal PBR is applied to ingress traffic on an interface, so I wasn't sure what could be done with traffic originating on the router.
> >
> > Thanks!
Re: [c-nsp] ASA 5520 to Pix sudden loss of tunnel
Now that I think about it, I had a similar issue with an active/backup ASA pair where, when you flip the active unit, traffic will go only one direction. Clearing the IPsec SA fixes the issue, but it would never fix itself on its own. Since it doesn't happen every time, and the vendor for the ASA side didn't seem interested in troubleshooting further, I could never get to the bottom of it.

If it happens again, clear ipsec sa instead and see if it fixes it. Much better than rebooting.

On Thu, Mar 10, 2011 at 3:24 PM, Scott Granados sc...@granados-llc.net wrote:
> This is what I thought as well, but rebooting the ASA pair did the trick and everything worked. I also confirmed my routing was working to the ASA pair because other devices attached could reach the network. I'm thinking wacky interactions of pre-7.2.4 PIX and ASA, but not 100% certain. Since rebooting cleared it I was leaning in that direction.
>
> Thanks
> Scott
>
> On Mar 10, 2011, at 11:38 AM, Christopher J. Wargaski wrote:
> > Scott--
> >
> > One-way traffic like this is usually caused by one of three things:
> > 1) The interesting traffic ACLs not being mirror images of each other.
> > 2) An outbound ACL is denying traffic across the IPsec tunnel.
> > 3) Routing is not sending the traffic for the remote subnet to the PIX/ASA.
> >
> > cjw
> >
> > > Date: Wed, 9 Mar 2011 21:11:51 -0800
> > > From: Scott Granados sc...@granados-llc.net
> > > To: cisco-nsp cisco-nsp@puck.nether.net
> > > Subject: [c-nsp] ASA 5520 to Pix sudden loss of tunnel
> > > Message-ID: 9b70e992-15db-44a5-8019-3c170402a...@granados-llc.net
> > > Content-Type: text/plain; charset=us-ascii
> > >
> > > Hi, I'm having an odd problem and wonder if anyone has some pointers. I looked for the Cisco IPSEC solutions document but the things suggested didn't work. (This VPN document covered both IOS and security appliances.)
Re: [c-nsp] BGP Black hole
On Thu, Mar 3, 2011 at 2:22 AM, Oliver Boehmer (oboehmer) <oboeh...@cisco.com> wrote:
> You can also disable the check using neighbor x.x.x.x disable-connected-check..

Is it safer to do ebgp-multihop 2, since it will at least limit it to 2 hops, instead of disabling it, which will not do any check at all?
[c-nsp] BGP Black hole
I am testing a BGP black hole setup in my GNS3. One AS announcing to the other AS to black hole a prefix. I am hitting a wall where the receiving AS shows the prefix I am trying to black hole as inaccessible and packets get through. I thought the basic principle was to match routes based on community and set the next hop to an IP that is pointed to null.

ISP2#sh ip bgp 1.0.0.1
BGP routing table entry for 1.0.0.1/32, version 9
Paths: (1 available, no best path)
  Not advertised to any peer
  1
    192.168.255.1 (inaccessible) from 3.0.0.1 (1.0.0.1)
      Origin IGP, metric 0, localpref 100, valid, external
      Community: 1:666

Here is my config. The side sending the prefix:

hostname ISP1
!
interface Loopback0
 ip address 1.0.0.1 255.255.255.255
!
interface FastEthernet1/0
 ip address 3.0.0.1 255.255.255.0
 duplex auto
 speed auto
!
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 network 1.0.0.0
 network 1.0.0.1 mask 255.255.255.255
 neighbor 3.0.0.2 remote-as 2
 neighbor 3.0.0.2 send-community both
 neighbor 3.0.0.2 route-map ISP2Out out
 no auto-summary
!
ip route 1.0.0.0 255.0.0.0 Null0 200
!
ip bgp-community new-format
!
ip prefix-list BlackHole seq 5 permit 1.0.0.1/32
!
route-map ISP2Out permit 10
 match ip address prefix-list BlackHole
 set community 1:666
!
route-map ISP2Out permit 20

The receiving side router:

hostname ISP2
!
interface Loopback0
 ip address 2.0.0.1 255.255.255.255
!
interface FastEthernet1/0
 ip address 3.0.0.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/1
 ip address 192.168.52.3 255.255.255.0
 duplex auto
 speed auto
!
router bgp 2
 no synchronization
 bgp log-neighbor-changes
 network 2.0.0.0
 network 192.168.52.0
 neighbor 3.0.0.1 remote-as 1
 neighbor 3.0.0.1 route-map ISP1In in
 no auto-summary
!
ip route 192.168.255.1 255.255.255.255 Null0
!
ip bgp-community new-format
ip community-list 1 permit 1:666
!
route-map ISP1In permit 10
 match community 1
 set ip next-hop 192.168.255.1
!
route-map ISP1In permit 20

What am I missing?
Re: [c-nsp] BGP Black hole
That made it work. Why does that make it work? I thought ebgp-multihop was used when the peer was not directly connected. I will go look up the command.

On Wed, Mar 2, 2011 at 3:56 PM, Anton Turygin <pa...@tsua.net> wrote:
> Hello,
>
>   neighbor 3.0.0.1 ebgp-multihop 2
>
> on the receiving router will help.
>
> On Wed, 2 Mar 2011, Jay Nakamura wrote:
>> I am testing a BGP black hole setup in my GNS3. One AS announcing to the other AS to black hole a prefix. I am hitting a wall where the receiving AS shows the prefix I am trying to black hole as inaccessible and packets get through. I thought the basic principle was to match routes based on community and set the next hop to an IP that is pointed to null.
>>
>> ISP2#sh ip bgp 1.0.0.1
>> BGP routing table entry for 1.0.0.1/32, version 9
>> Paths: (1 available, no best path)
>>   Not advertised to any peer
>>   1
>>     192.168.255.1 (inaccessible) from 3.0.0.1 (1.0.0.1)
>>       Origin IGP, metric 0, localpref 100, valid, external
>>       Community: 1:666
>>
>> Here is my config.
>> [...]
>> What am I missing?
>
> --
> RAZ-RIPE
> Technological Systems CJSC
> Senior Network Engineer
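Why the two fixes work, and what a receiving side that does not trust the sender blindly looks like, as an added example built on the ISP2 configuration from the post (it is not the thread's own config). IOS will not use a next hop learned from a single-hop eBGP peer unless that next hop lies on a directly connected network; the route-map's 192.168.255.1 resolves through Null0, so the path is marked inaccessible and never becomes best. ebgp-multihop 2 lifts that restriction as a side effect of permitting a two-hop session (TTL 2); disable-connected-check lifts only the connected-network requirement and leaves the session TTL at 1, so of the two it changes less. The community 1:666 and discard address 192.168.255.1 come from the post; the prefix-list guard, the community-list name and the local-preference value are assumptions.

```cisco
! Added example (not the post's own config): receiving side (ISP2) of the
! destination-based blackhole, with the connected check relaxed and a guard
! so the peer can only blackhole host routes inside its own space.
! Interfaces, network statements and peering addresses are as in the post.
!
! Discard route: any BGP path whose next hop resolves here is dropped.
ip route 192.168.255.1 255.255.255.255 Null0
!
ip bgp-community new-format
ip community-list standard BLACKHOLE permit 1:666
!
! Prefix guard (assumption): only /32s under 1.0.0.0/8, the space ISP1
! originates. Matching on the community alone would let the peer blackhole
! any prefix it chooses to tag, including someone else's.
ip prefix-list ISP1-BLACKHOLE-OK seq 5 permit 1.0.0.0/8 ge 32
!
route-map ISP1In permit 10
 match community BLACKHOLE
 match ip address prefix-list ISP1-BLACKHOLE-OK
 set ip next-hop 192.168.255.1
 set local-preference 200
 set community 1:666 no-export additive
!
! Tagged routes that fail the guard are dropped, not accepted as normal routes.
route-map ISP1In deny 15
 match community BLACKHOLE
!
route-map ISP1In permit 20
!
router bgp 2
 no synchronization
 bgp log-neighbor-changes
 network 2.0.0.0
 network 192.168.52.0
 neighbor 3.0.0.1 remote-as 1
 neighbor 3.0.0.1 route-map ISP1In in
 ! Either of the next two lines makes the Null0-resolved next hop usable
 ! on a directly connected eBGP session. disable-connected-check keeps the
 ! session TTL at 1; ebgp-multihop 2 also allows a two-hop session.
 neighbor 3.0.0.1 disable-connected-check
 ! neighbor 3.0.0.1 ebgp-multihop 2
 no auto-summary
!
! Verification:
!   show ip bgp 1.0.0.1     -> next hop 192.168.255.1 no longer "(inaccessible)"
!   show ip route 1.0.0.1   -> BGP route via 192.168.255.1, recursing to Null0
```

With no-export added on ingress the blackhole stays inside AS 2; if it should be carried to other peers that is a deliberate policy decision, not a default. The deny 15 sequence is what makes the guard meaningful: without it, a tagged prefix outside 1.0.0.0/8 would fall through to permit 20 and be installed as an ordinary route.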
Re: [c-nsp] Enabling IPv6 on 2951 with VRF consumed 240MB of RAM. Why?
>> How exactly did you enable IPv6?
>
> So, I did
>
>   ipv6 unicast-routing
>   ipv6 cef
>   router bgp as#
>    address-family ipv6 vrf core
>     no synchronization
>     network ::/48
>     neighbor y::1 remote-as other as
>     neighbor y::1 shutdown
>
> I think the BGP config is where the RAM use went up, although no peer is running and taking no routes. The other router does have ipv6 unicast-routing and ipv6 cef and RAM usage didn't change or barely changed.

I have no box with 15.0 + BGP + IPv6 right now, so I can't check - but for older IOSes, IPv6 has fairly small impact on memory consumption.

Cisco#sh bgp ipv6 su
4374 network entries using 581742 bytes of memory
38490 path entries using 2771280 bytes of memory
...
Cisco#sh proc mem sort
Total: 39237408, Used: 22215864, Free: 17021544
 PID TTY  Allocated      Freed    Holding    Getbufs    Retbufs Process
  91   0   51770188    7991604   10075460          0          0 BGP Router
Cisco#sh mem
                Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
Processor   61A948E0    39237408    22217656    17019752    15261448    16350452

this is a 4700M with a 12.3-ish IOS, having 6 full IPv6 BGP peers and a number of partial IPv6 BGP peers. 64Mb RAM, 17Mb free. No IPv4 BGP and no VRFs, though.

gert
--
USENET is *not* the non-clickable part of WWW!                   //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
[c-nsp] Enabling IPv6 on 2951 with VRF consumed 240MB of RAM. Why?
We have a 2951 router with a couple of VRFs, one of which is running BGP and taking quite a few IPv4 routes. The router is running 15.0(1)M with 1GB RAM.

This is the memory usage before:

                Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
Processor   117804CC   793246516   452414252   340832264   338971080   333277968
I/O         3DC03774873618709680190390561898611219000860

I am in the process of implementing IPv6, so I enabled IPv6 on the router on that one VRF and BGP. Now just enabling it consumed 260MB of RAM:

                Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
Processor   117804CC   793246516   716103208    77143308    76800456    76068796

This is without taking any routes or putting any IPv6 IP on the interfaces. Is this normal? Is it pre-allocating something? Is there a way to somehow reduce the usage? We are in the process of adding memory but I will feel more comfortable knowing what ate up that much memory.

Thanks,
Re: [c-nsp] Enabling IPv6 on 2951 with VRF consumed 240MB of RAM. Why?
So, here is the top part of sh proc mem sorted:

 PID TTY  Allocated      Freed    Holding Getbufs Retbufs Process
 310   0 1746803856  971712708  450082968       0       0 BGP Router
 158   0  212638192   94411816  121685252       0       0 IP RIB Update
  83   0  736073272 4103108932   79536900       0       0 BGP Scanner
   0   0  189564756   98708008   73904172       0       0 *Init*

And here is one from a very similarly configured router without IPv6 configured:

 304   0 2261872496 1184611460  322133152       0       0 BGP Router
   0   0  203197580  101370688   74960344       0       0 *Init*
 158   0  129733184   67410676   61083004       0       0 IP RIB Update
 194   0    8627476  21684029882941908           0       0 BGP Scanner
   1   0   66030312  641667281936852             0       0 Chunk Manager
   0   0 2118799528 2123952492  6888403534604            0 *Dead*
 253   0  975796720  915434860     547712       0       0 OSPF-1 Router

2011/1/25 Łukasz Bromirski <luk...@bromirski.net>:
> On 2011-01-25 20:52, Jay Nakamura wrote:
>>                 Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
>> Processor   117804CC   793246516   716103208    77143308    76800456    76068796
>>
>> This is without taking any routes or putting any IPv6 IP on the interfaces. Is this normal? Is it pre-allocating something? Is there a way to somehow reduce the usage? We are in the process of adding memory but I will feel more comfortable knowing what ate up that much memory.
>
> Show the 'show proc mem sorted'.
>
> --
> There's no sense in being precise when | Łukasz Bromirski
> you don't know what you're talking     | jid:lbromir...@jabber.org
> about.               John von Neumann | http://lukasz.bromirski.net
[c-nsp] STP and customer ports
Is there any good reason to turn on STP on a switch port to a customer? It seems like it could cause more trouble than it prevents by stopping a loop. What's your common practice? What if you hand off two connections for redundancy? I am in the middle of converting to MSTP from a network that didn't really have any STP design or goals.
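One common answer to the question above, as an added example rather than anything from the thread: keep STP running on customer-facing ports, but use BPDU guard so a customer device can never take part in the provider's topology, and root guard on the ports where the customer legitimately has to run STP with you (two hand-offs to two customer switches). The interface names, VLAN numbers and the err-disable recovery timer are assumptions, and the MST region is assumed to be configured already.

```cisco
! Added example (not from the thread): customer edge-port hardening on an
! MSTP network. Interface names, VLANs and timers are assumptions.
!
! Global: any PortFast edge port that receives a BPDU is err-disabled, and
! recovers on its own so a customer's stray switch does not need a manual
! "shut/no shut" from the NOC.
spanning-tree portfast bpduguard default
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Single-homed customer: STP stays enabled on the port (it still protects
! the provider side), the port forwards immediately, and a BPDU from the
! customer shuts the port instead of letting them influence the topology.
interface GigabitEthernet1/0/10
 description CUST-A single hand-off
 switchport mode access
 switchport access vlan 110
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 1.00
!
! Two hand-offs that terminate on ONE customer switch: bundle them, so there
! is a single logical link and no loop for STP to resolve, and keep BPDU guard.
interface range GigabitEthernet1/0/11 - 12
 description CUST-B hand-off, LACP bundle
 switchport mode access
 switchport access vlan 120
 channel-group 20 mode active
interface Port-channel20
 switchport mode access
 switchport access vlan 120
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Two hand-offs that terminate on TWO customer switches: the customer must
! run STP with you, so BPDUs are allowed, but root guard keeps any customer
! bridge from becoming root of an MST instance. BPDU filter is deliberately
! not used here, since it would hide the loop rather than block it.
interface GigabitEthernet1/0/13
 description CUST-C hand-off 1 of 2
 switchport mode access
 switchport access vlan 130
 spanning-tree guard root
!
interface GigabitEthernet1/0/14
 description CUST-C hand-off 2 of 2
 switchport mode access
 switchport access vlan 130
 spanning-tree guard root
```

show spanning-tree inconsistentports lists ports that root guard has put into the root-inconsistent state, and show interfaces status err-disabled lists the ones BPDU guard shut. The point of keeping STP enabled on the port rather than turning it off is that "off" removes the only mechanism that detects the customer's loop; guard features let you keep the detection while denying the customer any influence.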
Re: [c-nsp] Console server
I remember using something faster than a 2500 with SSH and it was painfully slow. So, I can't imagine how slow it will be with a 2500. And with the whole "Cisco is going to prevent you from downloading software not covered by your contract" thing, I don't really want to go in that direction.

On Sun, Jan 2, 2011 at 12:51 AM, Ian Henderson <i...@ianh.net.au> wrote:
> On 02/01/2011, at 2:58 PM, Aaron wrote:
>> You can get SSH for 2511. Use 12.0s.
>
> And be prepared to wait a day or two for your session to connect.
Re: [c-nsp] Console server
Can you still get SmartNet for a 2511? I didn't even consider that may be possible.

On Sun, Jan 2, 2011 at 1:46 AM, Seth Mattinen <se...@rollernet.us> wrote:
> On 1/1/11 10:01 PM, Jay Nakamura wrote:
>> I remember using something faster than a 2500 with SSH and it was painfully slow. So, I can't imagine how slow it will be with a 2500. And with the whole "Cisco is going to prevent you from downloading software not covered by your contract" thing, I don't really want to go in that direction.
>
> Ask them for a contract on it. ;)
>
> ~Seth
[c-nsp] Console server
Does anyone have a recommendation on console servers? I have about 10 devices per location that I want console-port connected for remote access in case of emergency. I don't need a modem or cell card or anything. IP/Ethernet access, preferably able to ssh into it; web access would be nice too (web access that doesn't lock you down to IE). I was looking at Avocent, but getting feedback on actual field experience is so much more reliable than reading through specs and marketing garbage.
Re: [c-nsp] 2951 memory upgrade to 2GB/Boot loader
Just a side note so I can vent: just talked to TAC and the lady suggested booting with the old RAM and swapping it while the router was powered on.

On Mon, Dec 13, 2010 at 11:38 PM, Jay Nakamura <zeusda...@gmail.com> wrote:
> I was having problems upgrading memory in an ISR G2 2951 from two 512M DIMMs to one 2GB DIMM. Neither of the DIMMs I had worked, so I started to think I may need to upgrade the ROMMON/boot loader. But for the life of me, I could not find any release notes on cisco.com for it anywhere. There is a newer release of the boot loader than what's on the router, but I could not find any release notes. Anyone know where I could find it, or if a new boot loader is required for a 2GB DIMM?
>
> With the new RAM, the router keeps repeating this:
>
>   Check stop condition detected, resetting the system
>   System Bootstrap, Version 15.0(1r)M1, RELEASE SOFTWARE (fc1)
>   Technical Support: http://www.cisco.com/techsupport
>   Copyright (c) 2009 by cisco Systems, Inc.
>
> It's possible both DIMMs were bad, but it seems unlikely. It's also possible the vendor sent me the wrong type.
Re: [c-nsp] 2951 memory upgrade to 2GB/Boot loader
Just wanted to mention that someone at Cisco saw my post and got it taken care of pretty quickly. Conclusion:

- One 2GB DIMM in slot 0 is supported on the 2951.
- A ROMMON upgrade is not necessary.

Which leaves me with a bad batch of DIMMs. Thanks!

On Tue, Dec 14, 2010 at 1:59 PM, Jaquish, Bret <bret.jaqu...@navistar.com> wrote:
> This might help you:
>
> "The default Cisco 2951 has a unique memory configuration, whereby a 512 MB DIMM is installed in one of the two memory slots on the Cisco 2951. Memory upgrades on the Cisco 2951 can involve the increase in the density of that single DIMM or a combination of DIMMs with BOTH slots populated. The Cisco 2951 allows the use of asymmetric densities of DRAM in both slots."
>
> http://www.cisco.com/en/US/prod/collateral/modules/ps10598/ordering_guide_c07_557736_ps10537_Products_Data_Sheet.html
>
> It looks like both slots need to be populated.
>
> -----Original Message-----
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of David Rothera
> Sent: Tuesday, December 14, 2010 12:26 PM
> To: Jay Nakamura
> Cc: cisco-nsp
> Subject: Re: [c-nsp] 2951 memory upgrade to 2GB/Boot loader
>
> Hope you got her name to use when you have to raise a case for a dead 2951 :P
>
> On 14 Dec 2010, at 18:09, Jay Nakamura wrote:
>> Just a side note so I can vent: just talked to TAC and the lady suggested booting with the old RAM and swapping it while the router was powered on.
>>
>> On Mon, Dec 13, 2010 at 11:38 PM, Jay Nakamura <zeusda...@gmail.com> wrote:
>>> I was having problems upgrading memory in an ISR G2 2951 from two 512M DIMMs to one 2GB DIMM. Neither of the DIMMs I had worked, so I started to think I may need to upgrade the ROMMON/boot loader.
>>> [...]
>>> It's possible both DIMMs were bad, but it seems unlikely. It's also possible the vendor sent me the wrong type.
[c-nsp] 2951 memory upgrade to 2GB/Boot loader
I was having problems upgrading memory in an ISR G2 2951 from two 512M DIMMs to one 2GB DIMM. Neither of the DIMMs I had worked, so I started to think I may need to upgrade the ROMMON/boot loader. But for the life of me, I could not find any release notes on cisco.com for it anywhere. There is a newer release of the boot loader than what's on the router, but I could not find any release notes. Anyone know where I could find it, or if a new boot loader is required for a 2GB DIMM?

With the new RAM, the router keeps repeating this:

  Check stop condition detected, resetting the system
  System Bootstrap, Version 15.0(1r)M1, RELEASE SOFTWARE (fc1)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 2009 by cisco Systems, Inc.

It's possible both DIMMs were bad, but it seems unlikely. It's also possible the vendor sent me the wrong type.
Re: [c-nsp] Blackhole Inbound Traffic
uRPF?

On Wed, Nov 17, 2010 at 10:35 AM, Peder <pe...@networkoblivion.com> wrote:
> I have several border routers connected to different Internet providers. I want to be able to blackhole inbound traffic from certain IPs. My hope is that there is a way that I can set it in one spot and then have to duplicate to the other routers. My initial thought was a local BGP router, and I can add the route and have each peer neighbor with it, but that will only work for outbound traffic, or traffic into one of my IPs. For example, if I find someone trying to brute force an ssh login, I want to be able to block that IP specifically at the border routers on ingress into my network, without having to add an ACL entry to each box. I suppose I could write a script to ssh to each box and add the ACL entry, but I was looking for something a little easier to manage. Any ideas on how to do this?
>
> Thanks.
>
> Peder
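The one-word answer spelled out, as an added example that is not from the thread: a source-based remote-triggered blackhole. Loose-mode uRPF drops a packet whose source address routes to Null0, so a BGP-distributed host route with a discard next hop turns the destination blackhole Peder already had in mind into a source blackhole, operated from one trigger router. All addresses, the AS number and the interface names are assumptions; 192.0.2.1 is the conventional discard address and is never assigned to an interface.

```cisco
! Added example (not from the thread): source-based RTBH with loose uRPF.
! Addresses, AS 64496 and interface names are assumptions.
!
! ===== On EVERY border router (one-time setup) =====
! Static discard route. Anything whose BGP next hop resolves to 192.0.2.1
! is dropped in the forwarding path, no ACL involved.
ip route 192.0.2.1 255.255.255.255 Null0
!
! Loose-mode uRPF on the Internet-facing interfaces: drop a packet when the
! route to its SOURCE address points at Null0. allow-default is needed on a
! border that carries only a default route; without it, every source that
! has no specific route would be dropped.
interface GigabitEthernet0/0
 description Upstream ISP-A
 ip verify unicast source reachable-via any allow-default
!
router bgp 64496
 ! iBGP session to the trigger router; communities must be carried.
 neighbor 10.255.0.1 remote-as 64496
 neighbor 10.255.0.1 update-source Loopback0
 neighbor 10.255.0.1 send-community
!
! ===== On the trigger router only (the "one spot") =====
ip route 192.0.2.1 255.255.255.255 Null0
!
! Redistribute only statics tagged 666 into BGP, rewrite their next hop to
! the discard address, and keep them inside the AS.
route-map RTBH-SOURCE permit 10
 match tag 666
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 set community no-export
route-map RTBH-SOURCE deny 20
!
router bgp 64496
 redistribute static route-map RTBH-SOURCE
 neighbor 10.255.0.2 remote-as 64496
 neighbor 10.255.0.2 update-source Loopback0
 neighbor 10.255.0.2 send-community
 ! one neighbor statement per border router
!
! ===== Day-to-day operation: one line per offending source =====
! Drop everything from the SSH brute-forcer 203.0.113.45 (constructed
! address) at every border at once:
ip route 203.0.113.45 255.255.255.255 192.0.2.1 tag 666
! and lift it again:
! no ip route 203.0.113.45 255.255.255.255 192.0.2.1 tag 666
!
! Verification on a border router:
!   show ip route 203.0.113.45   -> BGP route, next hop 192.0.2.1, via Null0
!   show ip interface GigabitEthernet0/0 | include verif|drop
```

Two things to keep in mind when operating this. First, because the route is a destination route as far as BGP is concerned, traffic TO the blackholed address is dropped as well, which is normally acceptable for an attacker but matters if the same mechanism is ever pointed at a shared NAT address. Second, no-export keeps the /32s inside the AS; if they are meant to reach an upstream that offers blackhole communities, that is a separate, deliberate export policy.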
Re: [c-nsp] Which ISR?
http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf

On Wed, Nov 17, 2010 at 6:41 PM, Paul Wozney <p...@wozney.ca> wrote:
>> I have been searching the cisco website for a while now but can't find actual data throughput figures for the latest ISR range. There has always been a big difference in the interface data rate and the actual throughput achievable.
>
> Hi James,
>
> I would google "cisco router performance" and there is a PDF that shows the PS data rates and CEF switched data rates for most of the routing line of devices - including the ISR G2s.
>
> Paul
[c-nsp] Running two VPN clients on PC
I have been running the Cisco IPSec client and the AnyConnect client at the same time on XP lately, so I can connect back to the office and to a customer network at the same time, and it works great. However, once I went to Win7, I noticed that if you are already connected via AnyConnect and then connect via the IPSec client, the IPSec client doesn't work. Once you disconnect AnyConnect and reconnect AnyConnect, both connections work. Anyone else seen this symptom? Any possible fix?
Re: [c-nsp] Running two VPN clients on PC
No, both have split tunnel, no default route. The IPSec tunnel that is established after AnyConnect shows the routes that should be tunneling in the client, but route print doesn't show anything except the assigned IP route. If I disconnect AnyConnect, the route for IPSec appears in route print; then when I reconnect with AnyConnect, both routes are in the route print.

On Fri, Nov 5, 2010 at 5:11 PM, Michael Loftis <mlof...@wgops.com> wrote:
> On Fri, Nov 5, 2010 at 1:30 PM, Jay Nakamura <zeusda...@gmail.com> wrote:
>> I have been running the Cisco IPSec client and the AnyConnect client at the same time on XP lately, so I can connect back to the office and to a customer network at the same time, and it works great. However, once I went to Win7, I noticed that if you are already connected via AnyConnect and then connect via the IPSec client, the IPSec client doesn't work. Once you disconnect AnyConnect and reconnect AnyConnect, both connections work. Anyone else seen this symptom? Any possible fix?
>
> My guess is that your AnyConnect VPN wasn't getting set as a default route, but now is. Or something similar to that. I.e. you're ending up with a VPN-inside-a-VPN where you (somehow) weren't before. Probably not really a Win7 issue, but my experience with Win7 is that it is really good at hiding the ball when it comes to networking and making it really difficult to get anything more complicated than 'plug in the wire' to work correctly.
[c-nsp] Flash on 7500
I remember someone posting about using some PCMCIA adapter to use a CF card or some other commonly available flash on a 7500 RSP4, but my Google skill has failed me and I can't find it. If anyone knows what I am talking about, can you share details? Thanks!
Re: [c-nsp] Flash on 7500
A couple of people responded off-list that any PCMCIA-CF adapter will work. Thanks! Was there any CF size limitation, or something about a boot ROM update I needed, or anything else? Would any CF work?

On Fri, Oct 29, 2010 at 1:49 PM, Jay Nakamura <zeusda...@gmail.com> wrote:
> I remember someone posting about using some PCMCIA adapter to use a CF card or some other commonly available flash on a 7500 RSP4, but my Google skill has failed me and I can't find it. If anyone knows what I am talking about, can you share details? Thanks!
Re: [c-nsp] VTY access through VRF interface
Just to follow up on this issue, TAC decided this is a bug. I will post back when I get details on the bug ID and any other info.

On Mon, Oct 11, 2010 at 10:31 PM, Jay Nakamura <zeusda...@gmail.com> wrote:
> New discovery: no matter what, the router will not let me log in to the IP on the serial interface if it's in a VRF. I can log in to an Ethernet interface in the same VRF going through the serial interface. This seems to be what was tripping me up. Is this a bug? It sure feels like one.
>
> On Fri, Oct 8, 2010 at 3:45 PM, Jay Nakamura <zeusda...@gmail.com> wrote:
>> Found out that this was because I didn't have the data license enabled yet. As soon as I enabled the data license (I did have to reboot. Grumble...) it started working.
>>
>> On Thu, Oct 7, 2010 at 3:15 PM, Jay Nakamura <zeusda...@gmail.com> wrote:
>>> I am trying to configure a router with a couple of VRFs and I need to be able to ssh/telnet to the vty through a VRF interface. I haven't had this problem with other routers prior to 15.0M. Am I missing a command I don't know about to enable this? With 12.4x, I used access-class vrf-also and that seems to have done it. The router I am working with is a 1941 with 15.0(1)M3. I don't have any firewall or anything else that could prevent logging in (that I can see). I can log in through the interface on the global table; trying to get on the VRF interface gets me connection refused.
>>>
>>> Here is the redacted config:
>>> [...]
Re: [c-nsp] SLA tracking, what do you ping?
On a side note, is there a way to ping several IPs and declare it down if, for example, 2 out of 3 are down? I am mostly interested in removing the default route via the track command. I read the documentation and couldn't find how you could do that, but sometimes I just have one of those days.

2010/10/20 Ziv Leyes <z...@gilat.net>:
> Yeah, something like traceroute.org which is always answering.
> But you better try to get a closer IP to ping, one that is reliable and gives you an indication of what should be working fine, something like the provider's LNS you're connecting to, or the like.
>
> -----Original Message-----
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Heath Jones
> Sent: Wednesday, October 20, 2010 10:23 AM
> To: Jay Nakamura
> Cc: cisco-nsp
> Subject: Re: [c-nsp] SLA tracking, what do you ping?
>
> Just ping 'the internet'... :)
>
> On 20 October 2010 02:35, Jay Nakamura <zeusda...@gmail.com> wrote:
>> When you use IP SLA to track if an upstream is working on an ISP connection (from the customer's point of view, and you are not the ISP that knows what will be safe to ping), what do you usually configure to ping? I have found that one hop up from the CPE is not necessarily reliable on DSL/Cable. I was wondering if anyone can share their experience on what works well and what to look out for.
>>
>> Thanks,
[c-nsp] SLA tracking, what do you ping?
When you use IP SLA to track if an upstream is working on an ISP connection (from the customer's point of view, and you are not the ISP that knows what will be safe to ping), what do you usually configure to ping? I have found that one hop up from the CPE is not necessarily reliable on DSL/Cable. I was wondering if anyone can share their experience on what works well and what to look out for.

Thanks,
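The "2 out of 3" question from the reply above has an answer in IOS enhanced object tracking: a threshold list over several reachability tracks. What follows is an added example, not configuration from the thread; the probe targets, the interface name, the ISP gateways and the threshold values are assumptions (the thresholds are chosen for three objects and should be checked against the platform's rounding with show track).

```cisco
! Added example (not from the thread): withdraw the default route only when
! at least two of three probe targets are unreachable. Targets, interface
! and gateway addresses are assumptions; pick targets beyond the ISP's
! access network, as the replies above suggest.
!
ip sla 1
 icmp-echo 192.0.2.11 source-interface GigabitEthernet0/0
 threshold 1000
 timeout 2000
 frequency 10
ip sla schedule 1 life forever start-time now
!
ip sla 2
 icmp-echo 192.0.2.12 source-interface GigabitEthernet0/0
 threshold 1000
 timeout 2000
 frequency 10
ip sla schedule 2 life forever start-time now
!
ip sla 3
 icmp-echo 192.0.2.13 source-interface GigabitEthernet0/0
 threshold 1000
 timeout 2000
 frequency 10
ip sla schedule 3 life forever start-time now
!
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
track 3 ip sla 3 reachability
!
! Threshold list: UP once at least 66% of the objects (2 of 3) are up,
! DOWN once no more than 34% (1 of 3) are up. The gap between the two
! values is the hysteresis; the delay keeps a single lost probe from
! flapping the default route.
track 10 list threshold percentage
 object 1
 object 2
 object 3
 threshold percentage up 66 down 34
 delay down 15 up 30
!
! Primary default via ISP1 exists only while track 10 is up; the floating
! static via ISP2 (AD 10) takes over when it is withdrawn.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 10
ip route 0.0.0.0 0.0.0.0 198.51.100.1 10
!
! The probes must keep leaving via ISP1 after the default has flipped,
! otherwise they succeed via ISP2 and the track can never fail or recover
! honestly: pin host routes to the targets through the ISP1 gateway.
ip route 192.0.2.11 255.255.255.255 203.0.113.1
ip route 192.0.2.12 255.255.255.255 203.0.113.1
ip route 192.0.2.13 255.255.255.255 203.0.113.1
```

show track 10 reports the list state and the current percentage of objects up; show ip sla statistics shows each probe's last result. A track list boolean and / boolean or gives the all-or-any variants of the same idea; the percentage form is the one that expresses "n of m".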
Re: [c-nsp] VTY access through VRF interface
New discovery: no matter what, the router will not let me log in to the IP on the serial interface if it's in a VRF. I can log in to an Ethernet interface in the same VRF going through the serial interface. This seems to be what was tripping me up. Is this a bug? It sure feels like one.

On Fri, Oct 8, 2010 at 3:45 PM, Jay Nakamura <zeusda...@gmail.com> wrote:
> Found out that this was because I didn't have the data license enabled yet. As soon as I enabled the data license (I did have to reboot. Grumble...) it started working.
>
> On Thu, Oct 7, 2010 at 3:15 PM, Jay Nakamura <zeusda...@gmail.com> wrote:
>> I am trying to configure a router with a couple of VRFs and I need to be able to ssh/telnet to the vty through a VRF interface. I haven't had this problem with other routers prior to 15.0M. Am I missing a command I don't know about to enable this? With 12.4x, I used access-class vrf-also and that seems to have done it. The router I am working with is a 1941 with 15.0(1)M3. I don't have any firewall or anything else that could prevent logging in (that I can see). I can log in through the interface on the global table; trying to get on the VRF interface gets me connection refused.
>>
>> Here is the redacted config:
>>
>> version 15.0
>> no ip source-route
>> ip cef
>> !
>> ip vrf Inside
>>  rd 64512:3
>>  import map VRFDefaultMap
>>  route-target export 64512:3
>>  route-target import 64512:2
>> !
>> ip vrf Outside
>>  rd 64512:2
>>  route-target export 64512:2
>>  route-target import 64512:3
>> !
>> interface GigabitEthernet0/0
>>  ip address x.x.x.1 255.255.255.248
>>  ip nat outside
>>  ip virtual-reassembly
>>  duplex auto
>>  speed auto
>> !
>> interface GigabitEthernet0/1
>>  ip vrf forwarding Inside
>>  ip address 172.17.0.1 255.255.252.0
>>  ip nat inside
>>  ip virtual-reassembly
>>  duplex auto
>>  speed auto
>> !
>> interface Serial0/0/0
>>  ip vrf forwarding Outside
>>  ip address y.y.y.2 255.255.255.248
>>  ip nat outside
>>  ip virtual-reassembly
>>  no clock rate 200
>> !
>> router bgp 64512
>>  no synchronization
>>  bgp log-neighbor-changes
>>  no auto-summary
>>  !
>>  address-family ipv4 vrf Inside
>>   no synchronization
>>   redistribute connected
>>   redistribute static
>>  exit-address-family
>>  !
>>  address-family ipv4 vrf Outside
>>   no synchronization
>>   redistribute connected
>>   redistribute static
>>   default-information originate
>>  exit-address-family
>> !
>> ip route 0.0.0.0 0.0.0.0 x.x.x.1
>> ip route vrf Outside 0.0.0.0 0.0.0.0 y.y.y.1
>> !
>> ip prefix-list DefaultOnly seq 5 permit 0.0.0.0/0
>> !
>> route-map VRFDefaultMap permit 10
>>  match ip address prefix-list DefaultOnly
>> !
>> line vty 0 4
>>  access-class MgmntACL in vrf-also
>>  exec-timeout 120 0
>>  privilege level 15
>>  password 7
>>  login local
>>  transport input telnet ssh
>> line vty 5 15
>>  access-class MgmntACL in vrf-also
>>  exec-timeout 120 0
>>  privilege level 15
>>  password 7
>>  login local
>>  transport input telnet ssh
Re: [c-nsp] VTY access through VRF interface
Found out that this was because I didn't have the data license enabled yet. As soon as I enabled the data license (I did have to reboot. Grumble...) it started working.

On Thu, Oct 7, 2010 at 3:15 PM, Jay Nakamura zeusda...@gmail.com wrote:
I am trying to configure a router with a couple of VRFs and I need to be able to ssh/telnet to the vty through a VRF interface. I haven't had this problem with other routers prior to 15.0M. Am I missing a command I don't know about to enable this? With 12.4x, I used access-class vrf-also and that seems to have done it.

The router I am working with is a 1941 with 15.0(1)M3. I don't have any firewall or anything else that could prevent logging in (that I can see). I can log in through the interface on the global table; trying to get on the VRF interface gets me connection refused.

Here is the redacted config:

version 15.0
no ip source-route
ip cef
!
!
ip vrf Inside
 rd 64512:3
 import map VRFDefaultMap
 route-target export 64512:3
 route-target import 64512:2
!
ip vrf Outside
 rd 64512:2
 route-target export 64512:2
 route-target import 64512:3
!
!
!
interface GigabitEthernet0/0
 ip address x.x.x.1 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
!
interface GigabitEthernet0/1
 ip vrf forwarding Inside
 ip address 172.17.0.1 255.255.252.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip vrf forwarding Outside
 ip address y.y.y.2 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 no clock rate 200
!
!
router bgp 64512
 no synchronization
 bgp log-neighbor-changes
 no auto-summary
 !
 address-family ipv4 vrf Inside
  no synchronization
  redistribute connected
  redistribute static
 exit-address-family
 !
 address-family ipv4 vrf Outside
  no synchronization
  redistribute connected
  redistribute static
  default-information originate
 exit-address-family
!
ip route 0.0.0.0 0.0.0.0 x.x.x.1
ip route vrf Outside 0.0.0.0 0.0.0.0 y.y.y.1
!
!
ip prefix-list DefaultOnly seq 5 permit 0.0.0.0/0
!
route-map VRFDefaultMap permit 10
 match ip address prefix-list DefaultOnly
line vty 0 4
 access-class MgmntACL in vrf-also
 exec-timeout 120 0
 privilege level 15
 password 7
 login local
 transport input telnet ssh
line vty 5 15
 access-class MgmntACL in vrf-also
 exec-timeout 120 0
 privilege level 15
 password 7
 login local
 transport input telnet ssh
[c-nsp] VTY access through VRF interface
I am trying to configure a router with a couple of VRFs and I need to be able to ssh/telnet to the vty through a VRF interface. I haven't had this problem with other routers prior to 15.0M. Am I missing a command I don't know about to enable this? With 12.4x, I used access-class vrf-also and that seems to have done it.

The router I am working with is a 1941 with 15.0(1)M3. I don't have any firewall or anything else that could prevent logging in (that I can see). I can log in through the interface on the global table; trying to get on the VRF interface gets me connection refused.

Here is the redacted config:

version 15.0
no ip source-route
ip cef
!
!
ip vrf Inside
 rd 64512:3
 import map VRFDefaultMap
 route-target export 64512:3
 route-target import 64512:2
!
ip vrf Outside
 rd 64512:2
 route-target export 64512:2
 route-target import 64512:3
!
!
!
interface GigabitEthernet0/0
 ip address x.x.x.1 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
!
interface GigabitEthernet0/1
 ip vrf forwarding Inside
 ip address 172.17.0.1 255.255.252.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip vrf forwarding Outside
 ip address y.y.y.2 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 no clock rate 200
!
!
router bgp 64512
 no synchronization
 bgp log-neighbor-changes
 no auto-summary
 !
 address-family ipv4 vrf Inside
  no synchronization
  redistribute connected
  redistribute static
 exit-address-family
 !
 address-family ipv4 vrf Outside
  no synchronization
  redistribute connected
  redistribute static
  default-information originate
 exit-address-family
!
ip route 0.0.0.0 0.0.0.0 x.x.x.1
ip route vrf Outside 0.0.0.0 0.0.0.0 y.y.y.1
!
!
ip prefix-list DefaultOnly seq 5 permit 0.0.0.0/0
!
route-map VRFDefaultMap permit 10
 match ip address prefix-list DefaultOnly
line vty 0 4
 access-class MgmntACL in vrf-also
 exec-timeout 120 0
 privilege level 15
 password 7
 login local
 transport input telnet ssh
line vty 5 15
 access-class MgmntACL in vrf-also
 exec-timeout 120 0
 privilege level 15
 password 7
 login local
 transport input telnet ssh
Re: [c-nsp] DS3 Nubie
One time I ordered an internet DS3 from ATT (prior to the merger with SBC). I asked the rep about the order confirmation because it said ATM and I had specifically said no ATM when we signed the contract. The rep said it's not ATM and don't worry. It got installed and it was an ATM circuit. I complained and they gave us a free router and ATM DS3 card. (I forgot what router it was, but it was probably pretty expensive back then.) I never had problems with other carriers like that though.

If you don't make DS3 cables often, I would recommend having a vendor make one for you. You may also want to buy, or be ready to buy, a couple of attenuators. At one location, the telco equipment was sending out a signal that was too hot for the DS3 interface and I had to attenuate it quite a bit. The telco would not lower the output for us.

On Fri, Sep 24, 2010 at 2:56 PM, Jeff Wojciechowski jeff.wojciechow...@midlandpaper.com wrote:
All:

We are considering upgrading one of our circuits to a fractional DS3 and would just like to query the experts on the list to make sure that I have all my bases covered here if we go down the DS3 route, as I have never touched DS3 before...

I am considering using the following equipment: 3925 Router + NM-1T3/E3 + SM-NM-ADPTR (per http://www.cisco.com/en/US/prod/collateral/modules/ps2797/ps4909/product_data_sheet09186a008010fba2_ps282_Products_Data_Sheet.html)

That part seems pretty straightforward (but please correct me if I am wrong). Can I safely assume that since the carrier's proposal doesn't mention ATM that I don't need the NM-1A-T3/E3?

Then from the demarc to my router I need to use 734 type cable with 75 Ohm BNC connectors (per the thread from yesterday).

Am I missing anything?

Thanks in advance,

Jeff Wojciechowski
LAN, WAN and Telephony Administrator
Midland Paper Company
101 E Palatine Rd
Wheeling, IL 60090
tel: 847.777.2829
fax: 847.403.6829
e-mail: jeff.wojciechow...@midlandpaper.com
http://www.midlandpaper.com
Re: [c-nsp] DS3 Nubie
On Fri, Sep 24, 2010 at 3:48 PM, Jeff Wojciechowski jeff.wojciechow...@midlandpaper.com wrote:
Definitely planning on having the cable guys extend our demarc with pre-made cables.

How do you know if the DS3 signal is too hot?

Thanks,
Jeff

Unless you have a fancy DS3 test set, the only way to find out is to start using it. We saw a bunch of errors but the telco swore up and down that the line was clear. This list clued me in to a possible hot circuit. Stuck an attenuator in the Rx side and the errors disappeared. We were using an old 7500 series DS3 card. Newer cards may be more tolerant. We no longer have any DS3s other than muxed T1s, and I haven't deployed any at customer sites in 5 years, so I don't know how newer cards handle it.
[c-nsp] General switching question regarding load balancing host
Some hosts/OSes can do load balancing between NICs. If a host has two NICs connected to two switches (the two switches are connected together) and load balances between them, the switch will see the same source MAC from two ports. How does a switch decide which port to put in the forwarding table? Would it switch back and forth every time there is a packet? Is there any negative effect on the switch when that happens? Is this platform dependent? Sorry for the generalized question.
Re: [c-nsp] General switching question regarding load balancing host
I am glad I asked. Something wasn't sitting right in my gut. It's nice to see a real-life example to verify my concern.

On Fri, Sep 17, 2010 at 12:12 PM, Gert Doering g...@greenie.muc.de wrote:
Hi,

On Fri, Sep 17, 2010 at 11:52:41AM -0400, Jay Nakamura wrote:
Some hosts/OSes can do load balancing between NICs. If a host has two NICs connected to two switches (the two switches are connected together) and load balances between them, the switch will see the same source MAC from two ports.

Don't do this. If the ports go to two different switches (that cannot do cross-chassis etherchannel), use active/passive bundling, not load-sharing.

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
Re: [c-nsp] General switching question regarding load balancing host
In this specific case, it started with HP/Lefthand iSCSI SAN Adaptive Load Balancing, but the question was more general.

On Fri, Sep 17, 2010 at 12:17 PM, Nick Hilliard n...@foobar.org wrote:
On 17/09/2010 16:52, Jay Nakamura wrote:
Some hosts/OSes can do load balancing between NICs. If a host has two NICs connected to two switches (the two switches are connected together) and load balances between them, the switch will see the same source MAC from two ports. How does a switch decide which port to put in the forwarding table? Would it switch back and forth every time there is a packet? Is there any negative effect on the switch when that happens? Is this platform dependent?

Are you talking about Network Load Balancing (NLB) here? This is very hacky stuff which depends on switch port flooding and MAC address spoofing to operate correctly. I wouldn't be the world's greatest fan of this approach, to be honest.

http://blogs.technet.com/b/networking/archive/2008/05/15/preparing-the-network-for-nlb-2008.aspx

On switches, it's generally not hardware dependent.

Nick
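Editor's added illustration for the dual-NIC question in this thread (not code from any of the posts): a model of source-MAC learning on two interconnected switches that counts how often the entry for one MAC moves between ports, comparing per-frame load sharing with active/passive bonding. Switch names, port names and MAC addresses are constructed, and the replayed frames are assumed to cross the interswitch link (broadcasts, or traffic to a host behind the other switch), so both switches learn from every frame.

```python
"""Learning-switch model for a host sending one MAC from two NICs.

Added illustration, not code from any post in the thread. Two switches joined
by a trunk each keep a MAC table; the switch that receives a frame learns the
source MAC on its access port, and the other switch learns it on the trunk.
All names and addresses below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class MacTable:
    """Bridge table for one switch: MAC -> port, plus a per-MAC move counter."""
    name: str
    table: dict = field(default_factory=dict)
    moves: dict = field(default_factory=dict)
    flap_threshold: int = 5  # moves before the MAC is reported as flapping

    def learn(self, src_mac, ingress_port):
        """Learn src_mac on ingress_port; return True if the entry moved ports."""
        prev = self.table.get(src_mac)
        self.table[src_mac] = ingress_port
        if prev is not None and prev != ingress_port:
            self.moves[src_mac] = self.moves.get(src_mac, 0) + 1
            return True
        return False

    def egress_port(self, dst_mac):
        """Port a frame for dst_mac is sent out of right now; None means flood."""
        return self.table.get(dst_mac)

    def flapping(self):
        """MACs whose entry moved at least flap_threshold times."""
        return sorted(m for m, n in self.moves.items() if n >= self.flap_threshold)


def replay(frames, trunk="Te1/1", threshold=5):
    """Replay (src_mac, switch, ingress_port) frames through sw1 and sw2.

    Assumption: every frame crosses the interswitch link, so the receiving
    switch learns the MAC on the access port and the other switch learns the
    same MAC on `trunk`. Returns the two MacTable objects by switch name."""
    switches = {"sw1": MacTable("sw1", flap_threshold=threshold),
                "sw2": MacTable("sw2", flap_threshold=threshold)}
    for src, sw, port in frames:
        switches[sw].learn(src, port)
        other = "sw2" if sw == "sw1" else "sw1"
        switches[other].learn(src, trunk)
    return switches


SERVER_MAC = "00:11:22:33:44:55"  # constructed: dual-homed host, one MAC on both NICs
CLIENT_MAC = "00:aa:bb:cc:dd:ee"  # constructed: ordinary single-homed host on sw1

# Per-frame load sharing without a port-channel: the host transmits alternately
# on NIC A (sw1 Gi1/0/1) and NIC B (sw2 Gi1/0/1) with the same source MAC.
ALB_FRAMES = [(SERVER_MAC, "sw1" if i % 2 == 0 else "sw2", "Gi1/0/1")
              for i in range(10)]
ALB_FRAMES += [(CLIENT_MAC, "sw1", "Gi1/0/10")] * 5

# Active/passive bonding: only NIC A transmits until it fails.
ACTIVE_PASSIVE_FRAMES = [(SERVER_MAC, "sw1", "Gi1/0/1")] * 10
ACTIVE_PASSIVE_FRAMES += [(CLIENT_MAC, "sw1", "Gi1/0/10")] * 5


def compare():
    """Moves of SERVER_MAC on each switch for both bonding modes."""
    result = {}
    for label, frames in (("alb", ALB_FRAMES),
                          ("active_passive", ACTIVE_PASSIVE_FRAMES)):
        sw = replay(frames)
        result[label] = {n: t.moves.get(SERVER_MAC, 0) for n, t in sw.items()}
    return result


if __name__ == "__main__":
    for mode, per_switch in compare().items():
        print(mode, per_switch)
    print("flapping on sw1 under ALB:", replay(ALB_FRAMES)["sw1"].flapping())
```

With ten alternating frames the server's entry moves nine times on each switch, which is the per-packet back-and-forth the question asks about; with active/passive bonding it never moves.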
[c-nsp] QoS on ingress
I can't seem to figure out what to do with my situation, wondering if anyone has encountered this.

Situation:
Router: 1841, IOS 12.4T or 15.0M
Internet T1, two Ethernet interfaces
There is VoIP traffic (SIP/RTP) and general internet traffic.
The VoIP provider does not tag SIP/RTP with any kind of QoS in the IP header (DSCP/IPP).
The internet provider can do QoS based on IPP, but since the VoIP traffic is not marked, it's not useful.

Problem to solve: how to avoid dropping ingress VoIP traffic when internet traffic is high, as much as possible, without capping the non-VoIP traffic to less than the T1 bandwidth.

Caveat: I understand that since it's not getting policed at the egress from the provider, any solution is not going to be perfect.

I can't limit the traffic on the Ethernet interface egress because traffic can go to either Ethernet interface.

Any thoughts?
Re: [c-nsp] QoS on ingress
Well, I don't think another T1 will solve the problem. Someone watching Hulu or something will just suck the bandwidth down.

I think what I am hearing is, I just need to suck it up and rate-limit non-VoIP traffic to 1.2mbps or something on ingress and hope that's enough head room for VoIP to get through while TCP traffic slows down from the rate limit. Of course, if all other traffic is UDP, it may not do any good.

On Fri, Sep 10, 2010 at 3:14 PM, Heath Jones hj1...@gmail.com wrote:
Jay

I know it might sound ridiculously obvious, but is another T1 out of the question?

On 10 September 2010 19:44, Jay Nakamura zeusda...@gmail.com wrote:
I can't seem to figure out what to do with my situation, wondering if anyone has encountered this.

Situation:
Router: 1841, IOS 12.4T or 15.0M
Internet T1, two Ethernet interfaces
There is VoIP traffic (SIP/RTP) and general internet traffic.
The VoIP provider does not tag SIP/RTP with any kind of QoS in the IP header (DSCP/IPP).
The internet provider can do QoS based on IPP, but since the VoIP traffic is not marked, it's not useful.

Problem to solve: how to avoid dropping ingress VoIP traffic when internet traffic is high, as much as possible, without capping the non-VoIP traffic to less than the T1 bandwidth.

Caveat: I understand that since it's not getting policed at the egress from the provider, any solution is not going to be perfect.

I can't limit the traffic on the Ethernet interface egress because traffic can go to either Ethernet interface.

Any thoughts?
Re: [c-nsp] Mysterious tunnel interfaces
  list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are never sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF switching turbo vector
  IP Null turbo vector
  VPN Routing/Forwarding tunnel-group-ivrf
  Downstream VPN Routing/Forwarding
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is disabled
  BGP Policy Mapping is disabled
  Input features: MCI Check
  Output features: CCE Post NAT Classification, Firewall (firewall component)
  WCCP Redirect outbound is disabled
  WCCP Redirect inbound is disabled
  WCCP Redirect exclude is disabled
Router#sh ip int tun2
Tunnel2 is up, line protocol is up
  Internet address is 172.16.0.1/16
  Broadcast address is 255.255.255.255
  Address determined by unknown means
  MTU is 1476 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are never sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF switching turbo vector
  IP Null turbo vector
  VPN Routing/Forwarding tunnel-group-ivrf
  Downstream VPN Routing/Forwarding
  Tunnel VPN Routing/Forwarding tunnel-group-ivrf
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is disabled
  BGP Policy Mapping is disabled
  Input features: MCI Check
  Output features: CCE Post NAT Classification, Firewall (firewall component)
  WCCP Redirect outbound is disabled
  WCCP Redirect inbound is disabled
  WCCP Redirect exclude is disabled
Router#sh ip int tun3
Tunnel3 is up, line protocol is up
  Interface is unnumbered. Using address of Tunnel2 (172.16.0.1)
  Broadcast address is 255.255.255.255
  MTU is 17856 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are never sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF switching turbo vector
  IP Null turbo vector
  VPN Routing/Forwarding tunnel-group-ivrf
  Downstream VPN Routing/Forwarding
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is disabled
  BGP Policy Mapping is disabled
  Input features: MCI Check
  Output features: CCE Post NAT Classification, Firewall (firewall component)
  WCCP Redirect outbound is disabled
  WCCP Redirect inbound is disabled
  WCCP Redirect exclude is disabled

On Thu, Aug 12, 2010 at 9:39 AM, Luan Nguyen l...@netcraftsmen.net wrote:
I have those ISR2 (M1) as well as ASR1002 running DMVPN and don't have those ghost tunnels. Must be for some other services such as multicast. Try to remove them with no interface tunnel 0, and I think the router will tell you why you couldn't.

Regards,
-Luan

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jay Nakamura
Sent: Wednesday, August 11, 2010 8:53 PM
To: cisco-nsp
Subject: [c-nsp] Mysterious tunnel interfaces

I was working on an ISR 1941 with 15.0(1)M2. I am running DMVPN on it and using one tunnel interface (Tunnel 1). No other tunnel interfaces are configured on the router. However, when I do show int summary I get this;

#sh int summary
*: interface is up
Re: [c-nsp] Mysterious tunnel interfaces
No HIMI. Other than DMVPN, ZBFW, and IOS content filtering, there is nothing special going on here. One T1 WIC, that's about it.

On Thu, Aug 12, 2010 at 1:48 PM, Matlock, Kenneth L matlo...@exempla.org wrote:
Do you have any HIMI connections between the router and a switchblade?

Ken Matlock
Network Analyst
Exempla Healthcare
(303) 467-4671
matlo...@exempla.org

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jay Nakamura
Sent: Thursday, August 12, 2010 11:35 AM
To: cisco-nsp
Subject: Re: [c-nsp] Mysterious tunnel interfaces

Mystery deepens.

Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#int tun0
% This interface cannot be modified
Router(config)#no int tun0
% This interface cannot be modified
Router(config)#int tun2
% This interface cannot be modified
Router(config)#int tun3
% This interface cannot be modified
Router(config)#^Z
Router#sh ip pim tunnel
Router#

Nothing in show run all for these interfaces. I don't have multicast configured, or at least I haven't actively configured anything for it. I haven't really had to do anything with multicast so I am not familiar with it. I do have IOS content filtering installed/configured but I don't think that will do this. I do have ZBFW configured. I do not have VRF on this router.

Here are some outputs of the interfaces:

Router#sh int tunn0
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Interface is unnumbered. Using address of Tunnel2 (172.16.0.1)
  MTU 17912 bytes, BW 100 Kbit/sec, DLY 5 usec,
     reliability 255/255, txload 81/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 172.19.128.31
  Tunnel protocol/transport multi-GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255, Fast tunneling enabled
  Tunnel transport MTU 1472 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Last input never, output 17:22:42, output hang never
  Last clearing of show interface counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 32000 bits/sec, 2 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     95997 packets output, 26708838 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
Router#sh int tunn2
Tunnel2 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 172.16.0.1/16
  MTU 17916 bytes, BW 100 Kbit/sec, DLY 5 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 172.16.0.1
  Tunnel protocol/transport multi-GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255, Fast tunneling enabled
  Tunnel transport MTU 1476 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Last input never, output never, output hang never
  Last clearing of show interface counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
Router#sh int tunn3
Tunnel3 is up, line protocol is up
  Hardware is Tunnel
  Interface is unnumbered. Using address of Tunnel2 (172.16.0.1)
  MTU 17912 bytes, BW 100 Kbit/sec, DLY 5 usec,
     reliability 255/255, txload 7/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 172.19.128.31
  Tunnel protocol/transport multi-GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255, Fast tunneling enabled
  Tunnel transport MTU 1472 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Last input never, output 05:17:13, output hang never
  Last clearing of show interface counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 3000 bits/sec, 2 packets/sec
     0 packets input, 0
[c-nsp] App to manage pushing out changes
Anyone have a recommendation for an application that can push out config changes to many, many routers? Mostly interested in keeping ACLs consistent between about 50 ~ 100 routers. My Google skills have failed me on this one.

Thanks!
[c-nsp] Zone Based Firewall default-class
I have a strange problem with ZBFW, or I am just missing something obvious.

3845 running 12.4(24)T advipservices

I am trying to apply a firewall rule between two entities. Since I am not 100% sure what all traffic is passing through the two, I wanted to write rules for what I know and pass anything I don't know, but log it so I can find out if that's supposed to be there or not.

policy-map type inspect InPMAP
 class type inspect GeneralInCMAP
  inspect
 class class-default
  pass log
policy-map type inspect OutPMAP
 class type inspect GeneralOutCMAP
  inspect
 class class-default
  pass log

zone security Inside
zone security Other

zone-pair security Other-to-Inside source Other destination Inside
 service-policy type inspect InPMAP
zone-pair security Inside-to-Other source Inside destination Other
 service-policy type inspect OutPMAP

However, once I apply the zone, I get this:

Jul 9 15:04:51 192.168.1.253 266: Jul 9 15:04:50 EDT: %FW-6-LOG_SUMMARY: 5 packets were dropped from 192.168.1.143:1888 => 172.16.20.24:1433 (target:class)-(Inside-to-Other:class-default)
Jul 9 15:04:51 192.168.1.253 267: Jul 9 15:04:50 EDT: %FW-6-LOG_SUMMARY: 5 packets were passed from 172.16.20.24:1433 => 192.168.1.102:2583 (target:class)-(Other-to-Inside:class-default)

So, in one direction it's passing traffic as intended, but in the other direction it's dropping it on class-default. What am I doing wrong? Or do I need to create a class-map that allows everything and pass it in that class? Is this a bug?
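Editor's added example, not code from the post above: a small parser for the %FW-6-LOG_SUMMARY lines the zone-based firewall emits, which totals packets per zone-pair, class and action and flags any zone-pair whose class-default is dropping, which is exactly the asymmetry reported here. The first two syslog lines are the ones quoted in the post; the rest of the sample log, and the hostnames and ports in it, are constructed.

```python
"""Summarise Cisco IOS ZBFW %FW-6-LOG_SUMMARY messages per zone-pair and class.

Added example for the zone-based firewall question above; it is not code from
the original post. The first two lines of SAMPLE_LOG are the ones quoted in
the post; the remaining lines are constructed to exercise the aggregation.
"""
import re
from collections import defaultdict

# Only the IOS message body is matched; the syslog relay prefix (timestamp,
# relay host, sequence number) in front of it is ignored. IOS writes the arrow
# between source and destination as "=>"; the archive rendering of the post
# lost the ">", so both spellings are accepted.
LOG_SUMMARY_RE = re.compile(
    r"%FW-6-LOG_SUMMARY: (?P<count>\d+) packets were (?P<action>dropped|passed) "
    r"from (?P<src>[\d.]+):(?P<sport>\d+) =>? (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"\(target:class\)-\((?P<zone_pair>[^:]+):(?P<cls>[^)]+)\)"
)

# Constructed sample log: lines 1 and 2 are quoted from the post, 3 and 4 are
# made-up follow-ups in the same format, line 5 is an unrelated message.
SAMPLE_LOG = """\
Jul  9 15:04:51 192.168.1.253 266: Jul  9 15:04:50 EDT: %FW-6-LOG_SUMMARY: 5 packets were dropped from 192.168.1.143:1888 => 172.16.20.24:1433 (target:class)-(Inside-to-Other:class-default)
Jul  9 15:04:51 192.168.1.253 267: Jul  9 15:04:50 EDT: %FW-6-LOG_SUMMARY: 5 packets were passed from 172.16.20.24:1433 => 192.168.1.102:2583 (target:class)-(Other-to-Inside:class-default)
Jul  9 15:05:21 192.168.1.253 268: Jul  9 15:05:20 EDT: %FW-6-LOG_SUMMARY: 12 packets were dropped from 192.168.1.77:49211 => 172.16.20.24:1433 (target:class)-(Inside-to-Other:class-default)
Jul  9 15:05:21 192.168.1.253 269: Jul  9 15:05:20 EDT: %FW-6-LOG_SUMMARY: 7 packets were passed from 172.16.20.31:445 => 192.168.1.102:3100 (target:class)-(Other-to-Inside:class-default)
Jul  9 15:05:30 192.168.1.253 270: Jul  9 15:05:29 EDT: %SYS-5-CONFIG_I: Configured from console by vty0
"""


def parse_log_summary(line):
    """Return the parsed fields of one LOG_SUMMARY line, or None for other messages."""
    m = LOG_SUMMARY_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("count", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def summarise(log_text):
    """Total packets per (zone_pair, class, action) across all LOG_SUMMARY lines."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_log_summary(line)
        if rec is not None:
            totals[(rec["zone_pair"], rec["cls"], rec["action"])] += rec["count"]
    return dict(totals)


def default_class_drops(log_text):
    """Zone-pairs whose class-default dropped packets, with the packet count.

    With class-default configured as 'pass log' this should be empty; a
    non-empty result names the zone-pair whose applied policy is not doing
    what the configuration says (the one-directional drop seen in the post)."""
    return {zp: n for (zp, cls, action), n in summarise(log_text).items()
            if cls == "class-default" and action == "dropped"}


def dropped_flows(log_text):
    """Sorted (dst, dport, packets) for all drops: the flows that need a
    class-map of their own once they are confirmed to be legitimate."""
    flows = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_log_summary(line)
        if rec is not None and rec["action"] == "dropped":
            flows[(rec["dst"], rec["dport"])] += rec["count"]
    return sorted((dst, port, n) for (dst, port), n in flows.items())


if __name__ == "__main__":
    for (zp, cls, action), n in sorted(summarise(SAMPLE_LOG).items()):
        print(f"{zp:>16} {cls:<14} {action:<8} {n}")
    print("class-default drops:", default_class_drops(SAMPLE_LOG))
    print("dropped flows:", dropped_flows(SAMPLE_LOG))
```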
Re: [c-nsp] Transfer speed issues on 3560G
I wonder what kind of speed you would get if you connected the two servers' NICs directly to each other and did the test, so you can take the switch out of the equation.

On Thu, Jun 24, 2010 at 10:00 PM, Bill Blackford bblackf...@nwresd.k12.or.us wrote:
Sorry about top posting.

Try to transfer a large file via ftp between the two hosts using the hash '-h' switch. If the hashes are choppy, then that would be indicative of a duplex mismatch.

-b

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Bill Blackford
Sent: Thursday, June 24, 2010 6:50 PM
To: Brandon Ewing
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Transfer speed issues on 3560G

Duplex mismatch? Have you checked the interface stats on both ends? Have you tried to force 1000/full on all interfaces concerned?

-b

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jon Lewis
Sent: Thursday, June 24, 2010 5:55 PM
To: Brandon Ewing
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Transfer speed issues on 3560G

On Thu, 24 Jun 2010, Brandon Ewing wrote:
This is a strange issue that I have noticed on a 3560G that we have deployed. We have two servers, on different ports, controlled by different ASICs. Each port negotiates a 1000mb/s link, but I cannot get more than 11MB/s (88mb/s) of traffic between the two ports.

I conducted the following tests:
Transferring a 1GB file from one server to the other, written to /dev/null
Single transfer averaged 11.2MB/s
Re: [c-nsp] Console problems
I have had a strange problem with my USB-serial adapter on only certain ASA/PIX chassis (not a specific model; some work, some don't). It works with other brands of USB adapter. I say get another USB-serial adapter. I usually keep two different models in my bag.

On Wed, Jun 16, 2010 at 11:04 PM, Richey myli...@battleop.com wrote:
I can't seem to come up with the right keyword combination to google this. I've got a 7206VXR with an NPE-400 and an I/O 2FE/E card. Using a Belkin USB to serial adaptor I can watch the router boot and get to the Press Return to get Started prompt. After I hit return the interfaces go up and then admin down. After that I can't get anything out of the console. I can insert and remove a DS3 card and I will see a message saying the card was inserted and removed, but I can't interact with the box.

I've connected to a 3550 I have laying here and I am able to get a console session going with it.

Does anyone have any ideas on this one? Everything I am googling relates to the router crashing or hanging, which this one does not seem to do.

Richey
Re: [c-nsp] Redundant VPN w/ Cisco Routers
Try DMVPN.

On 5/29/10, Garry g...@gmx.de wrote:
Hi,

I've received a request about setting up a redundant VPN between two sites ... the remote site has two routers connected to two separate lines, one with a static IP, the other dynamic. The local site has a single router with two links, both static IPs. HW used is an 1841 locally; the remote has an 887 and an 878 ...

As I can't use the same internal IP ranges for both VPNs, I was thinking about setting up something along this idea:
- put in some loopback IPs, e.g. 10.0.0.1 for the local site, 10.0.1.1 for remote router 1, 10.0.1.2 for remote router 2
- set up IPSEC VPNs for 10.0.0.1-10.0.1.1 and 10.0.0.1-10.0.1.2
- run GRE tunnels over those IPSEC tunnels
- use some IGP over the tunnels (and between the two remote routers) to route the actual LANs

Does this sound like a feasible solution, or is there a better way to set this up? I've looked around a bit on the 'net, but apart from some people asking for similar solutions (and usually not getting an answer) I couldn't find anything ...

Tnx, Garry
[c-nsp] Cisco x64 IPSec VPN client
I don't think I saw anyone post this on the list, but it looks like Cisco released a 64-bit version of the IPsec VPN client that's not beta: vpnclient-winx64-msi-5.0.07.0290-k9.exe

I think all of my clients who were forced to upgrade so they can use AnyConnect with their 64-bit OS are going to be pissed. I am glad it came out, but why couldn't Cisco do this to begin with??? Grumble...
Re: [c-nsp] 6 T1s in a 2851
What about the VWIC2-2MFT-T1/E1?

On Wed, May 12, 2010 at 5:15 PM, Richey myli...@battleop.com wrote:
I am trying to populate a 2851 with 6 WIC-1DSU-T1v2 cards. The first 4 cards can fit into the WIC slots on the 2851, but I am at a loss as to how to get the 5th and 6th card in the box. One page on the Cisco site recommends using the 2851 when terminating 6 T1s. That same page also says the NM-2W will not work in a 2851. Is there a replacement for the NM-2W, or is there something like a WIC-2DSU-T1v2 card available? I assume that by saying "not supported" that means it won't work at all, or maybe it's "It will work but don't ask us for support."

http://www.cisco.com/en/US/prod/collateral/routers/ps5854/prod_qas0900aecd80169bd6.html

Richey
Re: [c-nsp] bgp maximum-paths
On Thu, Apr 15, 2010 at 10:50 AM, Michael K. Smith mksm...@adhost.com wrote:
On 4/14/10 8:15 PM, Jay Nakamura zeusda...@gmail.com wrote:
If your email is your AS, then it looks like you have Qwest and a more local provider.
I love how people on these lists casually deduce someone's AS and upstream from the mail header and give more specific advice. Love it. :)

Nice edit for effect. The advice still stands regardless of peers. Look to use your upstreams' communities to help affect inbound traffic. And, I see you're coming from Google... :P

Just for clarity, I was really saying that I love it, I was not trying to be snarky. If it came across wrong, I apologize.
Re: [c-nsp] bgp maximum-paths
If your email is your AS, then it looks like you have Qwest and a more local provider.

I love how people on these lists casually deduce someone's AS and upstream from the mail header and give more specific advice. Love it. :)
Re: [c-nsp] DMVPN and dual internet connection
5
!
!
crypto ipsec transform-set AES256SHA esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile IpsecProf1
 set transform-set AES256SHA
!
track 10 ip sla 1 reachability
 delay down 1 up 1
!
track 20 ip sla 2 reachability
 delay down 1 up 1
!
interface Tunnel1
 bandwidth 1000
 ip vrf forwarding inside
 ip address 10.120.0.3 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nat inside
 ip nhrp authentication nhrpauth
 ip nhrp map multicast 10.100.0.2
 ip nhrp map 10.120.0.1 10.100.0.2
 ip nhrp network-id 53
 ip nhrp holdtime 450
 ip nhrp nhs 10.120.0.1
 ip virtual-reassembly
 ip tcp adjust-mss 1360
 ip ospf network broadcast
 ip ospf hello-interval 30
 ip ospf priority 0
 delay 1000
 tunnel source GigabitEthernet0
 tunnel mode gre multipoint
 tunnel vrf isp1
 tunnel protection ipsec profile IpsecProf1
!
interface Tunnel2
 bandwidth 500
 ip vrf forwarding inside
 ip address 10.121.0.3 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nat inside
 ip nhrp authentication nhrpaut2
 ip nhrp map multicast 10.103.0.2
 ip nhrp map 10.121.0.1 10.103.0.2
 ip nhrp network-id 54
 ip nhrp holdtime 450
 ip nhrp nhs 10.121.0.1
 ip virtual-reassembly
 ip tcp adjust-mss 1360
 ip ospf network broadcast
 ip ospf hello-interval 30
 ip ospf priority 0
 delay 1000
 tunnel source FastEthernet8
 tunnel mode gre multipoint
 tunnel vrf isp2
 tunnel protection ipsec profile IpsecProf1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
 ip vrf forwarding isp2
 ip address 10.104.0.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0
 ip vrf forwarding isp1
 ip address 10.100.0.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Vlan1
 ip vrf forwarding inside
 ip address 10.105.0.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
router ospf 1 vrf inside
 router-id 10.105.0.2
 log-adjacency-changes
 network 10.105.0.0 0.0.0.255 area 0
 network 10.120.0.0 0.0.0.255 area 0
 network 10.121.0.0 0.0.0.255 area 0
!
router bgp 100
 no synchronization
 bgp log-neighbor-changes
 no auto-summary
 !
 address-family ipv4 vrf isp2
  redistribute static
  default-information originate
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf isp1
  redistribute static
  default-information originate
  no synchronization
 exit-address-family
!
ip route vrf isp1 0.0.0.0 0.0.0.0 10.101.0.1 track 10
ip route vrf isp2 0.0.0.0 0.0.0.0 10.104.0.1 track 20
!
ip extcommunity-list 1 permit rt 100:1
ip extcommunity-list 2 permit rt 100:2
!
ip nat inside source route-map Isp1NatMap interface GigabitEthernet0 vrf inside overload
ip nat inside source route-map Isp2NatMap interface FastEthernet8 vrf inside overload
!
ip access-list extended NATIP
 deny   ip 10.106.0.0 0.0.0.255 10.105.0.0 0.0.0.255
 deny   ip 10.106.0.0 0.0.0.255 10.107.0.0 0.0.0.255
 deny   ip 10.106.0.0 0.0.0.255 10.120.0.0 0.0.0.255
 deny   ip 10.106.0.0 0.0.0.255 10.121.0.0 0.0.0.255
 permit ip 10.106.0.0 0.0.0.255 any
!
!
ip prefix-list DefaultOnly seq 5 permit 0.0.0.0/0
ip sla 1
 icmp-echo 10.100.0.1
 timeout 500
 vrf isp1
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 10.103.0.1
 timeout 500
 vrf isp2
ip sla schedule 2 life forever start-time now
!
route-map VRFDefaultOnlyMap permit 10
 match ip address prefix-list DefaultOnly
 match extcommunity 1
!
route-map VRFDefaultOnlyMap permit 20
 match ip address prefix-list DefaultOnly
 match extcommunity 2
 set metric +5
!
route-map Isp1NatMap permit 10
 match ip address NATIP
 match interface GigabitEthernet0
!
route-map Isp2NatMap permit 10
 match ip address NATIP
 match interface FastEthernet8
!

On Tue, Mar 2, 2010 at 4:55 PM, Jay Nakamura zeusda...@gmail.com wrote:
I have considered that but that would involve re-designing the second hub/rest of the DMVPN cloud, so I was hoping there was another solution...

I found a config where you can put each ISP in a VRF and do fancy route redistribution, which could work. It seemed a little more complicated than it should be, but that may be where I need to go.

On Tue, Mar 2, 2010 at 2:52 PM, Rodney Dunn rod...@cisco.com wrote:
Most people run dual DMVPN clouds with two tunnels on the spoke. One primary cloud for CM and one for the T1 side. Your failover comes from the dynamic routing protocol running over the clouds (i.e. EIGRP). On the spoke you put a /32 route for the two hub IPs out each respective internet link.

Rodney

On 3/1/10 3:08 PM, Jay Nakamura wrote:
All,

I have a site that has a cable modem and a T1. I was able to configure internet access redundancy using IP SLA/track. This site is also the spoke side of a DMVPN mesh. Is there any way I can make DMVPN fail over to the other connection? I can't find any reference to it so far. I am not sure
Re: [c-nsp] ASR 1002 vs ISR 3945
Our 2851 is doing about 27% CPU for 11 kpps, 50 Mbps. But it's really not doing anything extra other than routing and two full BGP peers.

On Wed, Apr 7, 2010 at 10:37 PM, Bill Blackford bblackf...@nwresd.k12.or.us wrote:
I'm not familiar with the 3945. Does it ship with the NPE-G1? I turned off as many features as I could on my 7301 (NPE-G1) and it fell over at 60 kpps. As it sits right now, at 15 kpps the 7301 is at 27% CPU. My ASR1002 is at 0% with 25 kpps. I suspect this would still be 0% when I occasionally micro-burst to 300 kpps. This ISR must be much more robust than I'd ever give it credit for.

-b

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Brad Henshaw
Sent: Wednesday, April 07, 2010 6:50 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASR 1002 vs ISR 3945

Clue Store wrote:
Between the 2 sites will be a 200mb (1 Gigabit burstable) link. How far will the 3945 take me... 200mb non-encrypted traffic to start (possibly ramped up to 1gb over the next 12 months), QoS, BGP (non-internet tables), IGP

I'm not running any ASRs yet (but will be soon), however:

Raw PPS figures:
3945: 982 kpps
ASR1002-F: 4.42 Mpps

They're best case, with features off. It's incredibly easy to knock ISR G1 performance down by 80-95% by turning on QoS, tunnelling and other features. Not sure about the ISR G2s but I would guess it's the same (anyone else care to comment?) ASR should maintain performance with QoS and possibly other features on (not crypto) as these are implemented in hardware.

Some imaginary figures:
3945 with features enabled, 80% [optimistic] performance hit, 200B paks: 314 Mbps aggregate (or 157 Mbps full duplex)
ASR1002-F with features enabled, 0% performance hit, 200B paks: 2.5 Gbps aggregate (limited by ESP bandwidth)

Adjust the sums as you see fit, but the ASR seems the better fit.

If the majority of traffic is based on large packets you might be able to get away with the 3945 for a while, if you absolutely had to.

Regards,
Brad
[c-nsp] Cisco SSL VPN Client (Java-thin client)
Anyone know what Cisco's plan for the thin IOS SSL VPN client is? (The Java one that doesn't require a software install on the client side.) It hasn't been updated in 2 years and I am running into problems with newer updates to Java. I really need a solution for a customer's software vendor to be able to securely access an inside server that doesn't require installing a thick client. The thin client used to work fine since we only needed the vendor to RDP into the server.

Thanks!
Re: [c-nsp] www.cisco.com Login Woes
I've had a lot of this happening lately too.

Are people having problems using Firefox or IE or other browsers? (I'm asking because I seem to have a lot of problems with Firefox and cisco.com, and I haven't been able to work out why; the same pages that give a gateway timeout work fine at the same time with IE, so maybe it's an encoding problem or something...?)

I had strange problems with FF today on cisco.com but it loaded fine with Chrome. I thought it was FF being flaky but now I am not too sure.
Re: [c-nsp] OID that measures total traffic?
Doh! I was looking through Cisco MIBs... Thanks.

On Wed, Mar 24, 2010 at 9:01 AM, Per Carlson per...@gmail.com wrote:
Is there an SNMP OID that reports total traffic that passes through a router?

From RFC1213-MIB:

ipForwDatagrams OBJECT-TYPE
    SYNTAX  Counter
    ACCESS  read-only
    STATUS  mandatory
    DESCRIPTION
            "The number of input datagrams for which this
            entity was not their final IP destination, as a
            result of which an attempt was made to find a
            route to forward them to that final destination.
            In entities which do not act as IP Gateways, this
            counter will include only those packets which
            were Source-Routed via this entity, and the
            Source-Route option processing was successful."
    ::= { ip 6 }

--
Pelle

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?
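A worked example of turning polls of that counter into a forwarded-packets-per-second figure, added here and not taken from the post. ipForwDatagrams is a Counter32, so it wraps at 2^32 and the delta between polls must be taken modulo 2^32; the poll readings below are constructed, and no SNMP library or device is needed to run it.

```python
"""Derive forwarded packets per second from SNMP polls of
RFC1213-MIB::ipForwDatagrams (a Counter32).

Added example, not from the list post. Sample readings are constructed;
no SNMP library or live device is needed."""
from dataclasses import dataclass
from typing import List

COUNTER32_MODULUS = 2 ** 32  # Counter32 wraps to 0 after 2^32 - 1


@dataclass(frozen=True)
class Sample:
    timestamp: float  # seconds, e.g. time.time() when the poll ran
    value: int        # raw ipForwDatagrams reading


def counter_delta(old: int, new: int, modulus: int = COUNTER32_MODULUS) -> int:
    """Increase between two counter readings, tolerating one wrap.

    Two wraps between polls cannot be detected; see max_poll_interval()."""
    if not (0 <= old < modulus and 0 <= new < modulus):
        raise ValueError("reading outside Counter32 range")
    return (new - old) % modulus


def forwarded_pps(prev: Sample, curr: Sample) -> float:
    """Average forwarded packets per second between two polls."""
    interval = curr.timestamp - prev.timestamp
    if interval <= 0:
        raise ValueError("samples must be in chronological order")
    return counter_delta(prev.value, curr.value) / interval


def pps_series(samples: List[Sample]) -> List[float]:
    """Rate for each consecutive pair of polls."""
    return [forwarded_pps(a, b) for a, b in zip(samples, samples[1:])]


def max_poll_interval(peak_pps: float, modulus: int = COUNTER32_MODULUS) -> float:
    """Longest poll interval (seconds) before a 32-bit counter can wrap
    more than once at the given peak rate, which would make the delta
    ambiguous."""
    if peak_pps <= 0:
        raise ValueError("peak rate must be positive")
    return modulus / peak_pps


if __name__ == "__main__":
    # Constructed readings: the counter wraps between the 2nd and 3rd poll.
    polls = [Sample(0, 4_294_900_000), Sample(60, 4_294_960_000),
             Sample(120, 2_000)]
    for rate in pps_series(polls):
        print(f"{rate:.1f} pps")
    print(f"poll at least every {max_poll_interval(60_000):.0f} s at 60 kpps")
```

The modulo arithmetic hides a single wrap but not two, so the poll interval has to stay below `max_poll_interval()` for the busiest router (at 60 kpps that is roughly 20 hours, so the usual 5-minute poll is safe). Where the platform supports it, the 64-bit ipSystemStatsHCInForwDatagrams object from IP-MIB (RFC 4293) avoids the wrap problem entirely.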
[c-nsp] OID that measures total traffic?
Is there an SNMP OID that reports total traffic that passes through a router? (for ISRs) With many interfaces, sometimes it's hard to measure what kind of pps is traveling through a router. I tried to go through MIBs but couldn't find one.

-Jay
Re: [c-nsp] Unicast traffic being sent to every port? Aging issue?
Long ago, I had this problem but the zfs1 in this case was a syslog server. What was happening was, all the hosts were sending traffic to the server, but since it was just receiving syslog/UDP, that host rarely ever sent any traffic back out. So the switches didn't know where it was once the forwarding table expired the MAC, and flooded all ports. We just set up a cron job every 10 minutes (or something; it was 13 years ago) to send out a ping to the host connected to the farthest switch.

So, I guess it kind of depends on what traffic is going to/coming from zfs1. If it's like syslog, it may be the same as what I went through.

On Mon, Mar 22, 2010 at 11:14 PM, Ray Van Dolson rvandol...@esri.com wrote:
On Mon, Mar 22, 2010 at 08:04:10PM -0700, Jay Hennigan wrote:
On 3/22/10 7:03 PM, Ray Van Dolson wrote:
We have two Dell PowerConnect M6220 switches (A1 and B1). They are not cross-connected, but both have uplinks to the same subnet:

        zfs1
         |
      +----+
      | A1 |----+
      +----+    |   +-------+
                +---| Cisco |--- linux1
      +----+    |   +-------+
      | B1 |----+
      +----+
       /  \
    esx1  esx2

There's a host hanging off of A1 (zfs1) and several ESX hosts hanging off of B1 (esx1, esx2, etc). There's a host linux1 hanging off the Cisco as well (actually many hosts, but for the sake of description

What's happening is, esx1/2 begin talking to zfs1. All is well for a while... but at some point, zfs1's MAC address expires from the CAM on the switch (I guess that is what is happening). At that point, the Cisco begins forwarding the unicast packets to all its ports. The result -- linux1, and all other hosts see the packets. Occasionally, when we're dealing with a lot of traffic, this seriously impacts performance.

Is the Cisco a router or a layer 2 switch? All hosts in the same IP subnet? Subnet masks all match? Nothing doing proxy ARP?

My question here is.. what is the _right_ way to deal with this? This flooding can continue for many minutes at a time.. it isn't until an ARP reply emanates from zfs1 that the CAM table is populated again and the broadcasting stops.

If these are layer 2 switches, ARP won't have anything to do with it. If zfs1's MAC expires from the MAC address table on the Cisco, it will flood the next packet for that MAC. A1 will forward it to zfs1 or flood if it too has expired the MAC. When zfs1 replies, A1 forwards the reply to the Cisco. At that point, the Cisco should re-install the MAC into its address table and the flooding cease. This should happen with a single packet. Does this happen with any other hosts behind A1? Any interface errors on any of the devices?

I wonder if zfs1 would send back an ARP response quicker were it not behind an additional switch (the PowerConnect)...

If layer 2 switches, ARP doesn't have anything to do with it.

I'll have to find out how the Ciscos are configured. I wouldn't be surprised if they're doing some layer 3 though, as I know some VLAN routing is going on... The Dell switches both seem to have Routing Mode enabled as well (but proxy ARP disabled).

There currently aren't any other hosts behind A1, but that would be a good test. No interface errors currently. Firmware is old on A1, so at this point I'm a little suspicious it's to blame. Just wanted to try and wrap my head around this first.

Thanks,
Ray
Re: [c-nsp] BGP Balancing
Yup, AS prepend and BGP communities. Don't forget that you can selectively adjust those per net block you are advertising, so net A comes in mostly via provider 1 and net B comes in via provider 2, or some other variation. I didn't realize that when I first started doing BGP 15 years ago until someone mentioned it.

On Mon, Mar 22, 2010 at 1:29 AM, Muhammad Jawwad Paracha jawwa...@gmail.com wrote:
Hi,

Agree with Jay, AS path prepending is one good option to influence inbound traffic to load balance. Though you have to be precise with how many AS you are prepending to exactly load balance. But I have seen in a web hosting environment that it sometimes causes website users problems with pages not loading properly. These things need to be planned, and slowly implemented.

Regards,
Jawwad Paracha
IBM

On Mon, Mar 22, 2010 at 10:09 AM, Jay Hennigan j...@west.net wrote:
On 3/21/10 9:53 PM, Chris Gotstein wrote:
It's actually both, but i'm mostly concerned with inbound traffic.

Inbound is trickier than outbound. Many carriers offer a list of BGP communities which can be used to influence how they treat your advertisements, either by manipulating local preference, prepending, or both. Many are listed here: http://onesc.net/communities/ but ask your upstreams to be sure.

Make small changes slowly. Verify with external looking-glass sites to ensure that you're getting the results you want.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
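The per-prefix prepending idea from this thread, worked through as a small model of what a remote AS sees, added here and not from the thread. The ASNs and prefixes are constructed from documentation ranges, and the remote AS's decision is reduced to two steps of the BGP decision process (shortest AS_PATH, then lowest first-hop ASN as a tie-break); a real router also weighs local preference, origin, MED and IGP cost, which is why the thread advises small changes and looking-glass checks.

```python
"""Show how prepending per advertised prefix steers each prefix's inbound
traffic to a different upstream, as seen by a remote AS that receives
both upstreams' routes.

Added example, not from the list thread. ASNs and prefixes are constructed
(documentation ranges), and the remote AS's decision is reduced to two BGP
steps: shortest AS_PATH, then lowest first-hop ASN as a tie-break."""
from typing import Dict, List

OUR_AS = 64500  # constructed private ASN for "us"


def as_path_via(upstream_as: int, prepend: int) -> List[int]:
    """AS_PATH the remote AS sees for our prefix via one upstream:
    the upstream adds itself, and we appear 1 + prepend times."""
    if prepend < 0:
        raise ValueError("prepend count cannot be negative")
    return [upstream_as] + [OUR_AS] * (1 + prepend)


def best_path(paths: List[List[int]]) -> List[int]:
    """Simplified decision process (constructed): shorter AS_PATH wins,
    ties go to the lower first-hop ASN."""
    if not paths:
        raise ValueError("no paths to choose from")
    return min(paths, key=lambda p: (len(p), p[0]))


def inbound_upstream(policy: Dict[str, Dict[int, int]]) -> Dict[str, int]:
    """policy maps prefix -> {upstream_as: extra prepends}. Returns the
    upstream through which the remote AS will send traffic for each prefix."""
    chosen = {}
    for prefix, prepends in policy.items():
        paths = [as_path_via(asn, n) for asn, n in prepends.items()]
        chosen[prefix] = best_path(paths)[0]
    return chosen


if __name__ == "__main__":
    # Constructed: two upstreams, two prefixes.
    flat = {"192.0.2.0/24": {64496: 0, 64497: 0},
            "198.51.100.0/24": {64496: 0, 64497: 0}}
    split = {"192.0.2.0/24": {64496: 0, 64497: 2},     # prefer 64496
             "198.51.100.0/24": {64496: 2, 64497: 0}}  # prefer 64497
    print("no prepends:", inbound_upstream(flat))
    print("per-prefix: ", inbound_upstream(split))
```

With equal advertisements the tie-break sends everything through one upstream; prepending prefix A toward provider 2 and prefix B toward provider 1 splits the inbound load by prefix, which is the variation the reply describes.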
Re: [c-nsp] Same MAC addresses from two ports on different VLAN
I don't understand; you are running netlogin? In which case yes, this is a feature, not a bug?

Sorry, had to look up what netlogin for Extreme was. No, I am not using it.
Re: [c-nsp] Same MAC addresses from two ports on different VLAN
On Sun, Mar 14, 2010 at 8:51 AM, Phil Mayers p.may...@imperial.ac.uk wrote:
On 03/12/2010 07:21 PM, Jay Nakamura wrote:
We have an Extreme Summit switch where I found that if you have two separate ports on different VLANs, and the same MAC address enters the switch on those two completely different VLANs, the switch will start having problems forwarding traffic. (Or only use the first entry in the FDB; I am not sure what it actually does other than half of the traffic drops.) Extreme support has confirmed that this is by design.

Which model? We've run several.

Summit X350, XOS 12.0.4.5. Yes, XOS is a little old. But I don't want to go through maintenance and upgrade if it won't fix the problem.

The only time I've ever seen this is when netlogin is enabled; you can't have a MAC which is inserted into the FDB via netlogin on two ports. It certainly doesn't happen with ordinary configs.

Yet the Extreme support people are saying that this is how it is.
[c-nsp] Same MAC addresses from two ports on different VLAN
We have an Extreme Summit switch where I found that if you have two separate ports on different VLANs, and the same MAC address enters the switch on those two completely different VLANs, the switch will start having problems forwarding traffic. (Or only use the first entry in the FDB; I am not sure what it actually does other than half of the traffic drops.) Extreme support has confirmed that this is by design.

The reason I am posting this here is simple: do Cisco switches do the same thing? Or if a MAC address comes from two ports on different VLANs, would it just forward per VLAN? Or would it depend on the model? I can think of so many possible problems with this that I want to see if this is a common design of switches or just Extreme, and I need to start using different L2 switches.

Thanks
Re: [c-nsp] DMVPN and dual internet connection
I have considered that but that would involve re-designing the second hub/rest of the DMVPN cloud, so I was hoping there was another solution...

I found a config where you can put each ISP in a VRF and do fancy route redistribution, which could work. It seemed a little more complicated than it should be, but that may be where I need to go.

On Tue, Mar 2, 2010 at 2:52 PM, Rodney Dunn rod...@cisco.com wrote:
Most people run dual DMVPN clouds with two tunnels on the spoke. One primary cloud for CM and one for the T1 side. Your failover comes from the dynamic routing protocol running over the clouds (i.e. EIGRP). On the spoke you put a /32 route for the two hub IPs out each respective internet link.

Rodney

On 3/1/10 3:08 PM, Jay Nakamura wrote:
All,

I have a site that has a cable modem and a T1. I was able to configure internet access redundancy using IP SLA/track. This site is also the spoke side of a DMVPN mesh. Is there any way I can make DMVPN fail over to the other connection? I can't find any reference to it so far. I am not sure what you can do when on the tunnel interface for DMVPN you have to specify the tunnel source, and that will be different depending on which link is up and running.

Thanks,
[c-nsp] DMVPN and dual internet connection
All,

I have a site that has a cable modem and a T1. I was able to configure internet access redundancy using IP SLA/track. This site is also the spoke side of a DMVPN mesh. Is there any way I can make DMVPN fail over to the other connection? I can't find any reference to it so far. I am not sure what you can do when on the tunnel interface for DMVPN you have to specify the tunnel source, and that will be different depending on which link is up and running.

Thanks,
Re: [c-nsp] VRF aware IPSec for remote access without xauth
I have fixed this issue with TAC help. To help those that may encounter this issue later, here are the changes:

crypto isakmp profile CustomerVPN
 ! Remove this line for authentication. You have to keep the authorization line.
 no client authentication list CustomerVPNCliAuth

Then, I forgot to add the crypto map on the two interfaces that the traffic actually came in on. (I was under the mistaken understanding that you can only put a crypto map on one interface.)

On Tue, Feb 9, 2010 at 2:41 PM, Jay Nakamura zeusda...@gmail.com wrote:
I have not explained my situation very well so let me restart.

VPN is client VPN, not LAN to LAN. The old-style IPsec Cisco VPN client, not the AnyConnect client. Internet access on the router is on one VRF. The network we want to access via VPN is on another VRF. See the config below.

I have gotten it to work so far where it will connect, do Xauth, and establish a connection. You can see the VPN client IP in the routing table of the Customer VRF. Traffic gets sent to the VPN from the client but nothing from the Customer VRF comes back out to the VPN. I do want to do this without XAuth if possible. Also, I used the loopback interface as the destination of the VPN so it could fail over if one link goes down.

aaa new-model
!
aaa authentication login CustomerVPNCliAuth local
aaa authorization network CustomerVPNNetAuth local
!
ip cef
!
ip vrf Customer
 rd 12345:1100
 import map internetVRFDefaultMap
 route-target export 12345:1100
 route-target import 12345:1100
 route-target import 12345:1
!
ip vrf internet
 rd 12345:1
 route-target export 12345:1
 route-target import 12345:1
!
crypto keyring CustomerVPNKey vrf internet
  local-address Loopback1
  pre-shared-key address 0.0.0.0 0.0.0.0 key testtest
no crypto xauth Loopback1
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp client configuration group CustomerVPNGroup
 key testtest
 pool CustomerVPNPool
 acl CustomerVPNSplitTunnel
crypto isakmp profile CustomerVPN
   vrf Customer
   keyring CustomerVPNKey
   self-identity address
   match identity group CustomerVPNGroup
   client authentication list CustomerVPNCliAuth
   isakmp authorization list CustomerVPNNetAuth
   client configuration address initiate
   client configuration address respond
   client configuration group CustomerVPNGroup
   local-address Loopback1
!
!
crypto ipsec transform-set AES256 esp-aes 256 esp-sha-hmac
!
crypto dynamic-map CustomerVPNDynMap 1
 set transform-set AES256
 set isakmp-profile CustomerVPN
 reverse-route
!
!
crypto map CustomerVPN local-address Loopback1
crypto map CustomerVPN 10 ipsec-isakmp dynamic CustomerVPNDynMap
!
!
interface Loopback0
 ip vrf forwarding internet
 ip address a.a.a.1 255.255.255.255
!
!
interface Loopback1
 ip vrf forwarding internet
 ip address a.a.a.2 255.255.255.255
 crypto map CustomerVPN
!
!
interface Loopback2
 ip vrf forwarding internet
 ip address a.a.a.3 255.255.255.255
 ip nat outside
 ip virtual-reassembly
!
!
interface GigabitEthernet0/0
 ip address m.m.m.x 255.255.255.0
 duplex auto
 speed auto
!
!
interface GigabitEthernet0/0.802
 encapsulation dot1Q 802
 ip vrf forwarding internet
 ip address b.b.b.b 255.255.255.240
 ip nat outside
 ip virtual-reassembly
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
!
interface GigabitEthernet0/1.803
 encapsulation dot1Q 803
 ip vrf forwarding internet
 ip address c.c.c.c 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 ip ospf cost 15
!
interface GigabitEthernet0/1.811
 encapsulation dot1Q 811
 ip address n.n.n.n.x 255.255.255.0
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
!
!
interface GigabitEthernet0/2.1100
 encapsulation dot1Q 1100
 ip vrf forwarding Customer
 ip address 10.0.244.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/2.1101
 encapsulation dot1Q 1101
 ip vrf forwarding Customer
 ip address 10.0.245.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
router ospf 1 vrf internet
 log-adjacency-changes
 redistribute static metric-type 1 subnets
 passive-interface default
 no passive-interface GigabitEthernet0/0.802
 no passive-interface GigabitEthernet0/1.803
 network a.a.a.1 0.0.0.0 area 0
 network b.b.b.b 0.0.0.15 area 0
 network c.c.c.c 0.0.0.15 area 0
!
router bgp 12345
 no synchronization
 bgp log-neighbor-changes
 no auto-summary
 !
 address-family ipv4 vrf Customer
  no synchronization
  redistribute static
  default-information originate
 exit-address-family
 !
 address-family ipv4 vrf internet
  no synchronization
  redistribute ospf 1 vrf internet match internal external 1 external 2
  default-information originate
 exit-address-family
!
ip local pool CustomerVPNPool 192.168.254.1 192.168.254.254 recycle delay 10
ip forward-protocol nd
!
ip extcommunity-list
[c-nsp] ISR IPS module
Has anyone used these cards on ISRs? https://www.cisco.com/en/US/prod/collateral/routers/ps5853/ps5875/product_data_sheet0900aecd806c4e2a_ps2641_Products_Data_Sheet.html

Any opinions? How effective is it? Is it worth using?

Also, what is your opinion on doing IPS without the hardware card on an ISR? My experience is it bogs down the router too much, and you have to be so careful about what to include in scanning that it wasn't worth the effort. But that was before Cisco changed the signature format and how it scanned traffic, at around 12.4(11)T.
Re: [c-nsp] find window's machine from Cisco Router
In show arp we are getting a bunch of IPs and MACs; how to verify from them which is a Linux machine IP and which a Windows machine IP?

No, there is no way to find out what OS a host is running from MAC and IP. There may be other ways to try to guess what the host is running, like using nmap or looking for ports it's listening on, but that's getting into things that have nothing to do with this Cisco list.
[c-nsp] VRF aware IPSec for remote access without xauth
I am trying to configure VRF-aware IPsec VPN for remote access, coming into one VRF and tunneling into another VRF. Can I do that without XAUTH? I can't seem to find any reference to doing it without xauth. If it's possible and someone has done this, can you please post a sample config?

Thanks!
Re: [c-nsp] Client VPN issue with PIX v6.3
I think the PIX can't send traffic out the same interface it came in on.

On 11/29/09, Graham Wooden gra...@g-rock.net wrote:
Hi all,

One of my VPN devices is a 525 running v6.3.5. I am having an issue with Client VPN sessions coming in on the outside interface while accessing subnets that are reached by the outside interface. I can access the inside interface addresses just fine. Is there some sort of limitation that I can't access subnets out past the outside interface while having VPN sessions terminating on the same interface? I tried to add these subnets to the split-tunnel ACL with no love either. Thoughts? I have a v7.0.2 525 that is being tied up with another setup, so I can't test on 7.x code - but if an upgrade is needed to solve this, let me know...

Thanks!
-graham
[c-nsp] Cisco vs. Juniper
All,

For various reasons, I have never really gotten into researching Juniper products. It seems time for me to start looking into it, but it seems daunting because their product line is as vast as Cisco's. Knowing Cisco products and those little caveats, I am sure Juniper has the same things with various products that you won't find until you either start using them or read mailing lists for 3 years.

Anyway, the reason for posting to the Cisco-NSP list is not so much to ask about Juniper products, but for those who have looked at both and decided to go with Cisco: what made you go with Cisco? We are not at the level to use 7600/NX/CSR yet and are more interested in ASA/ISR equivalents for customer-side use. I know this is kind of a general question but it would be helpful.

Thanks!
Jay Nakamura
Re: [c-nsp] cisco 7206 VXR router
Is there an 8 port FE card? There is an 8 port 10BT card but I don't know that there is an 8 port FE card... This may help.
http://www.cisco.com/en/US/docs/routers/7200/configuration/7200_port_adapter_config_guidelines/3875In.html

On Tue, Sep 29, 2009 at 7:46 AM, jack daniels jckdaniel...@gmail.com wrote:
> Dear group,
>
> Please help me to identify an 8 port Fast Ethernet card for the Cisco 7206 VXR router and how many bandwidth points it will occupy.
>
> Cisco 7206 VXR (NPE-G1) 6 Slots VXR
>
> Regards
> J.Daniels
[c-nsp] AnyConnect VPN client, IOS, and Vista
Has anyone gotten the AnyConnect client to work with an IOS router and Vista? (With a self-signed cert?) I got it to work with XP but not Vista. Can someone share their config or some pointers? With Vista, it gets to the cert warning part, then dies.

aaa authentication login ciscocp_vpn_xauth_ml_1 group radius
crypto pki trustpoint someVPN
 enrollment selfsigned
 serial-number none
 ip-address none
 subject-name CN=vpn, O=somedomain.com, ST=IN, C=US
 revocation-check crl
 rsakeypair someVPN_RSAKey 1024
!
!
crypto pki certificate chain FirstCapitalVPN
 certificate self-signed 01
  SNIP
  quit
!
!
interface FastEthernet0/0
 ip address w.x.y.z 255.255.255.240
 ip nat outside
!
interface FastEthernet0/1
 ip address 10.0.0.254 255.255.255.0
 ip nat inside
!
ip local pool VPNPOOL 192.168.100.1 192.168.100.254
ip route 0.0.0.0 0.0.0.0 w.x.y.z1
!
radius-server host 10.0.0.26 auth-port 1645 acct-port 1646 key 7 03051418135F724216051C171C005F180C333970
!
webvpn gateway gateway_1
 ip address w.x.y.z port 443
 http-redirect port 80
 ssl trustpoint someVPN
 inservice
!
webvpn install svc flash:/webvpn/anyconnect-win-2.3.2016-k9.pkg sequence 1
!
webvpn install svc flash:/webvpn/anyconnect-macosx-i386-2.3.2016-k9.pkg sequence 2
!
webvpn install svc flash:/webvpn/anyconnect-macosx-powerpc-2.3.2016-k9.pkg sequence 3
!
webvpn install svc flash:/webvpn/anyconnect-wince-ARMv4I-2.3.2016-k9.pkg sequence 4
!
webvpn context webvpn
 secondary-color white
 title-color #66
 text-color black
 ssl authenticate verify all
 !
 !
 policy group policy_1
   functions svc-enabled
   svc address-pool VPNPOOL
   svc default-domain somedomain.com
   svc keep-client-installed
   svc split dns somedomain.com
   svc split include 10.0.0.0 255.255.255.0
   svc dns-server primary 10.0.0.26
   svc dns-server secondary 10.0.0.6
   svc wins-server primary 10.0.0.26
   svc wins-server secondary 10.0.0.6
 default-group-policy policy_1
 aaa authentication list ciscocp_vpn_xauth_ml_1
 gateway gateway_1
 inservice
!
end
Re: [c-nsp] DMVPN and OSPF
To follow up, I have tried 12.4(20)T3, 12.4(24)T, 12.4(24)T1, all of them have the same symptom. I have downgraded back to 12.4(15)T9 and the network is stable again. I need at least 12.4(20)T because we want to implement IOS content filtering. TAC case is pending. I will post again when the situation is resolved.
Re: [c-nsp] Recommended IOS for 7500
Speaking of scrapping it, what router or L3 switch would you recommend to
- Connect legacy T1 users (1 or 2 DS3s)
- Connect direct Ethernet users (Colo or Eth WAN, 40~50mbps aggregate)
that's cheap and reliable, new or used? Again, QoS and rate limiting is the most we would use over simple L3 forwarding. Doesn't have to carry full BGP routes. The two functions can be on separate devices.

On Fri, Jul 31, 2009 at 4:39 PM, Richard A Steenbergen r...@e-gerbil.net wrote:
> On Fri, Jul 31, 2009 at 04:12:10PM -0400, Jay Nakamura wrote:
>> Not sure many people are still using 7500 but was wondering what IOS people are using that's stable these days. I googled the archive but couldn't find anything past 2005.
>>
>> RSP4/VIP2-50/ 1~2 MC-DS3 PA and 2 FE ports
>> Not much fancy feature needed. Rate limiting and some class based QoS capability.
>
> I recommend you find a good scrap metal dealer, the price of copper is going back up. :)
>
> --
> Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras
> GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
Re: [c-nsp] DMVPN and OSPF
Looking back on tickets, it seems like this problem started happening after upgrading from 12.4(15)T5 to 12.4(24)T. Before the upgrade, it was running solid for a year. I have tried 12.4(24)T1 but that doesn't seem to have any effect. I can't go below 12.4(20)T because we want to deploy IOS content filtering.

On Thu, Jul 30, 2009 at 7:48 AM, Rodney Dunn rod...@cisco.com wrote:
> Jay Nakamura wrote:
>>> Did you force the DR to be the hub by setting the priority?
>> Yes. And confirmed.
>>
>>> I forgot, did you set it to broadcast or multipoint?
>> broadcast
>>
>>> I'd suggest you look at the packet capture feature and get a trace when it's down.
>> Is this what you are referring to?
>> http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_rawip.html#wp1049404
>
> No this one:
> http://supportwiki.cisco.com/ViewWiki/index.php/Tech_Insights:Utilizing_the_New_Packet_Capture_Feature
>
>> There is no tech onsite and it's a little far so I can't do it at the moment, but if I can't figure out anything else, that will be the next step.
>>
>>> Do you see the LSA's in the database?
>> I believe it was blank. It's working now after a reboot so I can't check, but I will check next time it happens.
>
> Ok. That is the starting point if the neighbors are not flapping.
>
>>> Can you ping 224.0.0.5 and get a response?
>>> Are the neighbors flapping?
>> It didn't flap at all. Routes just disappeared. Well, that's not 100% true. The backup hub VPN connection went down and it wouldn't come up. I could ping the primary hub tunnel IP when the routes were gone but none of the other DMVPN peer IPs.
>
> Almost always issues like this are with packet loss. You have to make sure the multicast traffic can traverse the cloud, and that requires replication at the hub... and the spoke if you are doing a single spoke tunnel with dual hubs.
>
>>> Jay Nakamura wrote:
>>>> Has anyone seen this symptom?
>>>>
>>>> 1841, advanced IP feature set
>>>> DMVPN spoke and OSPF over the DMVPN
>>>> Running 12.4(24)T
>>>>
>>>> Periodically, the router loses all its OSPF routes and stays that way. Clearing the DMVPN or OSPF process does nothing. It recreates the OSPF session with the neighbor but it still has no routes. It can't seem to re-connect to the backup DMVPN hub either. Router still routes to the static default route for internet traffic and everything else seems normal. Just can't get to the VPN network.
>>>>
>>>> It's really not doing anything fancy other than DMVPN and OSPF.
Re: [c-nsp] DMVPN and OSPF
Here is the config (edited for real IP info, passwords, etc)...

Hub - Main

aaa new-model
!
ip cef
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set AES128SHA esp-aes esp-sha-hmac
 mode transport
crypto ipsec transform-set AES128SHAComp esp-aes esp-sha-hmac comp-lzs
 mode transport
!
crypto ipsec profile IPSECPROFILE1
 set transform-set AES128SHA AES128SHAComp
!
!
!
interface Loopback0
 ip address 172.19.3.253 255.255.255.255
 ip nat inside
 ip virtual-reassembly
!
interface Tunnel1
 bandwidth 8000
 ip address 172.19.128.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nat inside
 ip nhrp authentication nhrpauth
 ip nhrp map multicast dynamic
 ip nhrp map multicast b.b.b.b
 ip nhrp map 172.19.128.2 b.b.b.b
 ip nhrp network-id 42
 ip nhrp holdtime 450
 ip virtual-reassembly
 ip tcp adjust-mss 1360
 ip ospf network broadcast
 ip ospf hello-interval 30
 ip ospf priority 200
 delay 1000
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key
 tunnel protection ipsec profile IPSECPROFILE1
!
interface GigabitEthernet0/0
 ip address a.a.a.a 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 172.19.0.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex full
 speed 1000
 mpls mtu 1508
 mpls ip
 standby 0 ip 172.19.0.1
 standby 0 preempt
 service-policy output VoIPPriority5
!
interface GigabitEthernet0/1.2
 encapsulation dot1Q 2
 ip vrf forwarding voipout
 ip address v.v.v.v 255.255.255.252
!
interface GigabitEthernet0/1.200
 encapsulation dot1Q 200
 ip address 172.19.3.1 255.255.255.248
 ip nat inside
 ip virtual-reassembly
 mpls ip
!
interface GigabitEthernet0/1.201
 encapsulation dot1Q 201
 ip address 172.19.3.9 255.255.255.248
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/1.500
 encapsulation dot1Q 500
 ip vrf forwarding dmz
 ip address 172.19.4.2 255.255.255.0
!
router ospf 1
 log-adjacency-changes
 passive-interface default
 no passive-interface GigabitEthernet0/1
 no passive-interface GigabitEthernet0/1.4
 no passive-interface GigabitEthernet0/1.200
 no passive-interface GigabitEthernet0/1.201
 no passive-interface Tunnel1
 network 172.19.0.0 0.0.0.255 area 0
 network 172.19.3.0 0.0.0.7 area 0
 network 172.19.3.8 0.0.0.7 area 0
 network 172.19.3.64 0.0.0.3 area 0
 network 172.19.3.252 0.0.0.1 area 0
 network 172.19.128.0 0.0.0.255 area 0
!
router bgp 100
 bgp log-neighbor-changes
 neighbor 172.19.0.3 remote-as 100
 neighbor 172.19.0.4 remote-as 100
 neighbor 172.19.3.3 remote-as 100
 !
 address-family ipv4
  neighbor 172.19.0.3 activate
  neighbor 172.19.0.4 activate
  neighbor 172.19.3.3 activate
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family vpnv4
  neighbor 172.19.0.3 activate
  neighbor 172.19.0.3 send-community both
  neighbor 172.19.0.4 activate
  neighbor 172.19.0.4 send-community both
  neighbor 172.19.3.3 activate
  neighbor 172.19.3.3 send-community both
 exit-address-family
 !
 address-family ipv4 vrf voipout
  redistribute connected
  redistribute static
  default-information originate
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf dmz
  redistribute connected
  redistribute static
  default-information originate
  no synchronization
 exit-address-family
!
ip forward-protocol nd
! static host routes to remote routers on internet side
ip route vrf dmz 0.0.0.0 0.0.0.0 172.19.4.1
ip route vrf voipout 0.0.0.0 0.0.0.0 w.w.w.w
ip nat inside source list NATIP interface GigabitEthernet0/0 overload
!
ip access-list extended NATIP
 deny   ip 172.19.0.0 0.0.255.255 172.19.0.0 0.0.255.255
 deny   ip 172.19.0.0 0.0.255.255 172.20.20.0 0.0.0.255
 permit ip 172.19.0.0 0.0.255.255 any
access-list 50 remark Management Access Network

snip

One of the spokes

version 12.4
no ip dhcp use vrf connected
ip cef
crypto isakmp policy 3
 encr aes
 authentication pre-share
 group 2
crypto isakmp key address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60
!
!
crypto ipsec transform-set AES128SHA esp-aes esp-sha-hmac
!
crypto ipsec profile AES128SHAProfile
 set transform-set AES128SHA
!
!
track 123 ip sla 2 reachability
!
!
interface Tunnel0
 bandwidth 1000
 ip address 172.19.128.9 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication nhrpauth
 ip nhrp map multicast a.a.a.a
 ip nhrp map 172.19.128.1 a.a.a.a
 ip nhrp map multicast b.b.b.b
 ip nhrp map 172.19.128.2 b.b.b.b
 ip nhrp network-id 42
 ip nhrp holdtime 450
 ip nhrp nhs 172.19.128.1
 ip nhrp nhs 172.19.128.2
 no ip route-cache cef
 ip tcp adjust-mss 1360
 ip ospf network broadcast
 ip ospf cost 104
 ip ospf hello-interval 30
 ip ospf priority 0
 delay 1000
 tunnel source Serial0/0/0
 tunnel mode gre multipoint
 tunnel key
 tunnel protection ipsec profile AES128SHAProfile
!
interface FastEthernet0/0
 ip address 172.17.28.3 255.255.252.0
 ip
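Two things in the configs on this page deserve a practitioner's caveat: the AnyConnect router stores its RADIUS secret as `key 7 <hex>`, and both DMVPN boxes bind their pre-shared key with `address 0.0.0.0 0.0.0.0`. Type 7 is a fixed-key XOR, not encryption, so anyone who reads the config (including a list archive) has the secret; a wildcard PSK means any peer that holds it can impersonate any other spoke. The Python below is an added example, not code from either post or from Cisco. It decodes and re-encodes type 7 strings and flags wildcard ISAKMP keys in config text. The sample config, its `S3cretPSK` and `r4dius!` values, and the `admin` user are constructed for the demo; nothing is taken from the posted keys. It assumes only the `key 7` / `password 7` spelling and the `crypto isakmp key ... address 0.0.0.0 0.0.0.0` line form shown on this page.

```python
import re

# Fixed XOR key stream that every IOS build uses for type 7 strings.
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(enc: str) -> str:
    """Recover the plaintext behind a type 7 string.

    Layout: two decimal digits give the starting offset into _XLAT, then
    one hex byte per plaintext character, each XORed with the next key byte.
    """
    enc = enc.strip()
    if len(enc) < 4 or len(enc) % 2 or not enc[:2].isdigit():
        raise ValueError("not a type 7 string")
    seed = int(enc[:2])
    body = bytes.fromhex(enc[2:])
    plain = bytearray(b ^ _XLAT[(seed + i) % len(_XLAT)] for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encode(plain: str, seed: int = 6) -> str:
    """Inverse of type7_decode; here only to show the round trip is trivial."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    data = plain.encode("ascii")
    body = bytes(c ^ _XLAT[(seed + i) % len(_XLAT)] for i, c in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


# `key 7 <hex>` or `password 7 <hex>` anywhere on a line.
_TYPE7_RE = re.compile(r"\b(?:key|password)\s+7\s+([0-9A-Fa-f]+)\b")
# ISAKMP PSK bound to any peer; the optional leading 0/6 is IOS's own
# encryption-type flag for the key argument.
_WILDCARD_PSK_RE = re.compile(
    r"^\s*crypto isakmp key\s+(?:[06]\s+)?(\S+)\s+address\s+0\.0\.0\.0(?:\s+0\.0\.0\.0)?\s*$"
)


def audit_config(text: str) -> dict:
    """Scan config text; return recovered type 7 secrets and wildcard PSK lines."""
    findings = {"type7": [], "wildcard_psk": []}
    for lineno, line in enumerate(text.splitlines(), 1):
        m = _TYPE7_RE.search(line)
        if m:
            try:
                findings["type7"].append((lineno, line.strip(), type7_decode(m.group(1))))
            except ValueError:
                pass  # a "7" followed by something that is not a type 7 blob
        m = _WILDCARD_PSK_RE.match(line)
        if m:
            findings["wildcard_psk"].append((lineno, m.group(1)))
    return findings


# Constructed sample in the shape of the posted configs; every secret is made up.
# "060506324F41" is the well-known type 7 encoding of "cisco".
SAMPLE_CONFIG = f"""\
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key S3cretPSK address 0.0.0.0 0.0.0.0
radius-server host 10.0.0.26 auth-port 1645 acct-port 1646 key 7 060506324F41
username admin password 7 {type7_encode('r4dius!', seed=3)}
"""

if __name__ == "__main__":
    result = audit_config(SAMPLE_CONFIG)
    for lineno, line, plain in result["type7"]:
        print(f"line {lineno}: type 7 secret recovers to {plain!r}  <- {line}")
    for lineno, psk in result["wildcard_psk"]:
        print(f"line {lineno}: wildcard pre-shared key {psk!r} accepted from any peer")
```

The decoder itself has been public for decades; the point is what follows from it. `service password-encryption` and type 7 only defend against someone glancing at the screen, so a RADIUS or TACACS+ key or an ISAKMP PSK that has been pasted into a list post should be treated as disclosed and rotated. On the 12.4 code these routers run, `key config-key password-encrypt` plus `password encryption aes` stores such keys as type 6 (AES under a master key) instead; that keeps the secret out of a copied config, though it does nothing about the wildcard-peer problem, which is a design choice to weigh against certificate-based ISAKMP authentication for the spokes.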
[c-nsp] DMVPN and OSPF
Has anyone seen this symptom?

1841, advanced IP feature set
DMVPN spoke and OSPF over the DMVPN
Running 12.4(24)T

Periodically, the router loses all its OSPF routes and stays that way. Clearing the DMVPN or OSPF process does nothing. It recreates the OSPF session with the neighbor but it still has no routes. It can't seem to re-connect to the backup DMVPN hub either. Router still routes to the static default route for internet traffic and everything else seems normal. Just can't get to the VPN network.

It's really not doing anything fancy other than DMVPN and OSPF.
Re: [c-nsp] DMVPN and OSPF
> Did you force the DR to be the hub by setting the priority?
Yes. And confirmed.

> I forgot, did you set it to broadcast or multipoint?
broadcast

> I'd suggest you look at the packet capture feature and get a trace when it's down.
Is this what you are referring to?
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_rawip.html#wp1049404

There is no tech onsite and it's a little far so I can't do it at the moment, but if I can't figure out anything else, that will be the next step.

> Do you see the LSA's in the database?
I believe it was blank. It's working now after a reboot so I can't check, but I will check next time it happens.

> Can you ping 224.0.0.5 and get a response?
> Are the neighbors flapping?
It didn't flap at all. Routes just disappeared. Well, that's not 100% true. The backup hub VPN connection went down and it wouldn't come up. I could ping the primary hub tunnel IP when the routes were gone but none of the other DMVPN peer IPs.

> Jay Nakamura wrote:
>> Has anyone seen this symptom?
>>
>> 1841, advanced IP feature set
>> DMVPN spoke and OSPF over the DMVPN
>> Running 12.4(24)T
>>
>> Periodically, the router loses all its OSPF routes and stays that way. Clearing the DMVPN or OSPF process does nothing. It recreates the OSPF session with the neighbor but it still has no routes. It can't seem to re-connect to the backup DMVPN hub either. Router still routes to the static default route for internet traffic and everything else seems normal. Just can't get to the VPN network.
>>
>> It's really not doing anything fancy other than DMVPN and OSPF.
[c-nsp] Cisco IOS content filtering
I am trying out the IOS content filtering feature for the first time. Detailed documentation seems a little lacking. One thing I can't find references to is what exactly each of the security categories and productivity categories includes. For example, UNBLEMISHED, what web sites does that include? Anyone have any info on this?

Thanks!
[c-nsp] QoS and VLAN
We have several customers coming in on Ethernet. They are connected to an L2 switch and trunked into a 7500 router via VLAN. This has worked fine so far with the use of rate-limit on the sub-interface. Most customers have 5~10mbps.

However, we are increasingly needing QoS so VoIP traffic does not drop when data traffic bursts. The only workaround I know how to do is to give a separate rate-limit based on IP address, since most of the time VoIP has a separate gateway on the customer side from the data firewall. Classification of the traffic is not a problem. The issue is, how do you give VoIP traffic priority over data traffic on an Ethernet sub-interface?

Is there a good way to implement this on a 7500? If not, what Cisco hardware will work? We are on a tight budget and the number of clients is small (a dozen or so). Would going with an L3 switch be better? If so, what model?

Thanks!