Re: [c-nsp] RADIUS accounting configuration
Prit, it's a pretty old feature, and should also work on all platforms running 12.2 or later. Can't comment on the other vendors' support for similar functionality.

oli

From: Prit Patel [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 18, 2007 7:25 AM
To: Oliver Boehmer (oboehmer)
Cc: NSP List
Subject: Re: [c-nsp] RADIUS accounting configuration

> Thanks Oli. Can we use this feature on BRAS 10K? Pl do let me know if you have any idea about this feature's support in other BRAS like Juniper or Redback or Huawei?
>
> On 7/18/07, Oliver Boehmer (oboehmer) [EMAIL PROTECTED] wrote:
>
> > Prit Patel wrote on Tuesday, July 17, 2007 2:11 PM:
> >
> > > Hello All,
> > >
> > > I need to config the Cisco 10K in such a way that it should send accounting start requests to the Primary RADIUS server and the Primary BPM server simultaneously. In case of failure of either primary server, the 10K should send the accounting request to the respective server, i.e. if the primary RADIUS fails then the accounting record should go to the secondary RADIUS and the primary BPM. Below is the architecture.
> > >
> > > - Cisco 10K
> > >   - Pri Radius server
> > >   - Pri BPM Server
> > >   - Sec Radius Server
> > >   - Sec BPM server
> >
> > The following config should do the trick (AAA Broadcast Accounting feature). When one of the servers fails, failover occurs within the server group.
> >
> >     aaa group server radius radserver
> >      server 10.0.0.1
> >      server 10.0.0.2
> >     aaa group server radius bpmserver
> >      server 10.0.0.3
> >      server 10.0.0.4
> >     aaa accounting network default start-stop broadcast group radserver group bpmserver
> >
> > with appropriate radius-server host ... definitions.
> >
> > oli

___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Bugs in the 12.2(33).SRA1
Hello everybody,

Regarding this old thread, I've recently discovered that DOM is no longer supported for XENPAK-10GB-LR with 12.2(33)SRB. And I'm not speaking about SNMP. Not even CLI show of transceiver DOM. Fortunately, transceiver DOM is still available for XENPAK-10GB-LW:

    router#sh ver | i IOS
    Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVIPSERVICES-M), Version 12.2(33)SRB1, RELEASE SOFTWARE (fc3)

    router#sh int status | i Gbase
    Te10/1    CENSORED    connected   routed   full   10G   10Gbase-LW
    Te10/3                disabled    1        full   10G   10Gbase-LR
    Te12/1    CENSORED    connected   routed   full   10G   10Gbase-LW

    router#sh int te10/1 transceiver
    [...]
                                                  Optical    Optical
              Temperature   Voltage   Current     Tx Power   Rx Power
    Port      (Celsius)     (Volts)   (mA)        (dBm)      (dBm)
    -------   -----------   -------   ---------   --------   --------
    Te10/1    34.8          0.00      29.2   --   -2.6       -6.2

    router#sh int te10/2 transceiver
    Diagnostic Monitoring Data is not available.

Why is that DOM feature not supported anymore? There was no problem regarding DOM with CLI in SXF or SRA.

regards,
emanuel popa

On 1/30/07, Marian Durkovic [EMAIL PROTECTED] wrote:

> Perhaps what I'm most annoyed by is the lack of DOM statistics over SNMP, which used to work great in SXF. But SRA tries to check if the SFP/XENPAK really is supported for DOM, and if Cisco deems it is not, it happily displays DOM in CLI, but according to TAC intentionally does not export it to SNMP. But at least for me, even supported XENPAKs (such as Cisco DWDMs) mostly do not export DOM over SNMP in SRA.
>
> This is clearly a serious design flaw. No one could create a complete list of supported transceivers, and once some manufacturer changes the product code all users will have to upgrade their IOS just to get DOM over SNMP. And of course, this will prevent the users from using DOM in cases where Cisco does not provide DOM-capable transceivers although they are easily available on the market.
>
> There is absolutely NO reason to introduce such flawed code, since the transceivers indicate their DOM capability by setting specific bits in their EEPROM. If there's fear that someone might plug in some crappy transceiver which sets those bits incorrectly, a much more appropriate solution would be to introduce a per-interface command to disable DOM for this specific interface.
>
> With kind regards,
>
> M.
>
> --
> Marian Durkovic                       network manager
> Slovak Technical University           Tel: +421 2 524 51 301
> Computer Centre, Nam. Slobody 17      Fax: +421 2 524 94 351
> 812 43 Bratislava, Slovak Republic    E-mail/sip: [EMAIL PROTECTED]
> --
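Marian's point that a module advertises its own DOM capability can be checked straight from the EEPROM. The Python below is an added example, not code from the thread or from IOS; it assumes the SFF-8472 layout used by SFPs (A0h byte 92 capability bits, A2h bytes 96-105 real-time values, internally calibrated modules only), XENPAK modules use their own MSA register map which this does not cover, and the two sample pages are constructed to reproduce the figures shown for Te10/1 above.

```python
import math
from typing import Optional

# SFF-8472 address A0h, byte 92 "Diagnostic Monitoring Type" bit masks
# (assumed from the SFF-8472 specification; XENPAK is a different MSA).
DDM_IMPLEMENTED = 0x40        # bit 6: digital diagnostic monitoring present
INTERNALLY_CALIBRATED = 0x20  # bit 5: A2h values are already in physical units
EXTERNALLY_CALIBRATED = 0x10  # bit 4: raw values need the A2h 56-95 constants
RX_POWER_AVERAGE = 0x08       # bit 3: 0 = OMA, 1 = average power


def ddm_capability(a0: bytes) -> dict:
    """Decode byte 92 of the A0h page: what the transceiver itself claims."""
    if len(a0) < 96:
        raise ValueError("A0h page too short")
    b = a0[92]
    return {
        "ddm": bool(b & DDM_IMPLEMENTED),
        "internally_calibrated": bool(b & INTERNALLY_CALIBRATED),
        "externally_calibrated": bool(b & EXTERNALLY_CALIBRATED),
        "rx_power_average": bool(b & RX_POWER_AVERAGE),
    }


def _uw_to_dbm(microwatts: float) -> Optional[float]:
    """Convert an optical power in uW to dBm; zero power is reported as None,
    which is what the CLI prints as '--' instead of -infinity."""
    if microwatts <= 0:
        return None
    return round(10 * math.log10(microwatts / 1000.0), 1)


def decode_a2_diagnostics(a2: bytes) -> dict:
    """Decode the real-time block (A2h bytes 96-105) of an internally calibrated
    module into the units the router CLI prints (degC, V, mA, dBm)."""
    if len(a2) < 106:
        raise ValueError("A2h page too short")
    temp_raw = int.from_bytes(a2[96:98], "big", signed=True)  # 1/256 degC
    vcc_raw = int.from_bytes(a2[98:100], "big")               # 100 uV units
    bias_raw = int.from_bytes(a2[100:102], "big")             # 2 uA units
    tx_raw = int.from_bytes(a2[102:104], "big")               # 0.1 uW units
    rx_raw = int.from_bytes(a2[104:106], "big")               # 0.1 uW units
    return {
        "temperature_c": round(temp_raw / 256.0, 1),
        "voltage_v": round(vcc_raw * 100e-6, 2),
        "tx_bias_ma": round(bias_raw * 2 / 1000.0, 1),
        "tx_power_dbm": _uw_to_dbm(tx_raw * 0.1),
        "rx_power_dbm": _uw_to_dbm(rx_raw * 0.1),
    }


def read_dom(a0: bytes, a2: Optional[bytes]) -> Optional[dict]:
    """Mirror the CLI decision: no DDM bit (or no A2h page) means
    'Diagnostic Monitoring Data is not available.'"""
    cap = ddm_capability(a0)
    if not cap["ddm"] or a2 is None:
        return None
    if cap["externally_calibrated"] and not cap["internally_calibrated"]:
        # Raw counts must first be scaled with the calibration constants.
        raise NotImplementedError("externally calibrated module: apply A2h 56-95 constants")
    return decode_a2_diagnostics(a2)


# Constructed sample pages (not a dump from a real module).
A0_WITH_DDM = bytearray(128)
A0_WITH_DDM[92] = DDM_IMPLEMENTED | INTERNALLY_CALIBRATED | RX_POWER_AVERAGE
A0_NO_DDM = bytes(128)  # byte 92 all zero: module claims no DDM at all
A2_SAMPLE = bytearray(128)
A2_SAMPLE[96:98] = (8908).to_bytes(2, "big", signed=True)  # 34.8 degC
A2_SAMPLE[98:100] = (33000).to_bytes(2, "big")             # 3.30 V
A2_SAMPLE[100:102] = (14600).to_bytes(2, "big")            # 29.2 mA
A2_SAMPLE[102:104] = (5495).to_bytes(2, "big")             # 549.5 uW ~ -2.6 dBm
A2_SAMPLE[104:106] = (2399).to_bytes(2, "big")             # 239.9 uW ~ -6.2 dBm

if __name__ == "__main__":
    print(read_dom(bytes(A0_WITH_DDM), bytes(A2_SAMPLE)))
    print(read_dom(A0_NO_DDM, bytes(A2_SAMPLE)))
```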
[c-nsp] BGP open failed...connection refused due to jitter
Hi,

While configuring IBGP, I am getting Active state in sh ip bgp summary. Debug of BGP is pasted below.

    R7-PE5#debug bgp ipv4 unicast
    BGP debugging is on for address family: IPv4 Unicast
    R7-PE5#clear ip bgp *
    R7-PE5#
    *Jul 18 09:09:00.476: BGPNSF state: 192.168.2.254 went from nsf_not_active to nsf_not_active
    *Jul 18 09:09:00.476: BGP: 192.168.2.254 went from Active to Idle
    *Jul 18 09:09:00.476: BGPNSF state: 192.168.7.254 went from nsf_not_active to nsf_not_active
    *Jul 18 09:09:00.476: BGP: 192.168.7.254 went from Active to Idle
    *Jul 18 09:09:00.476: BGP: 192.168.2.254 went from Idle to Active
    *Jul 18 09:09:00.476: BGP: 192.168.7.254 went from Idle to Active
    *Jul 18 09:09:00.480: BGP: 192.168.2.254 open active delayed 27534ms (35000ms max, 28% jitter)
    *Jul 18 09:09:00.480: BGP: 192.168.7.254 open active delayed 31092ms (35000ms max, 28% jitter)
    *Jul 18 09:09:28.016: BGP: 192.168.2.254 open active, local address 192.168.6.254
    *Jul 18 09:09:28.072: BGP: 192.168.2.254 open failed: Connection refused by remote host, open active delayed 28425ms (35000ms max, 28% jitter)
    *Jul 18 09:09:31.572: BGP: 192.168.7.254 open active, local address 192.168.6.254
    *Jul 18 09:09:31.592: BGP: 192.168.7.254 open failed: Connection refused by remote host, open active delayed 32653ms (35000ms max, 28% jitter)

Can someone pls help me to find out the issue

Regards
Vikas Sharma
Re: [c-nsp] BGP open failed...connection refused due to jitter
At 02:49 PM 18-07-07 +0530, Vikas Sharma wrote:

See: http://www.cisco.com/warp/public/459/bgp_trouble_main.html#bgp_trouble_neighbor

-Hank

> Hi,
>
> While configuring IBGP, I am getting Active state in sh ip bgp summary. Debug of BGP is pasted below.
>
> [...]
>
> Can someone pls help me to find out the issue
>
> Regards
> Vikas Sharma
[c-nsp] 12.0SY on 12k
Hi All,

I've been happily running 12.0S on the 12k boxes with Eng3 linecards for a while with no major issues. Looks like for some Eng5 SIP/SPA combos, 12.0SY is required. Has anyone been running 12.0SY in production? Any horror stories to tell, or can it be considered stable like 12.0S?

Thanks
Mark
[c-nsp] Temp sensors on 6500 48 10/100/1000 module
Can anyone tell me where the temp sensors on a WS-X6148-GE-TX board are physically located? This is part of the env info:

    module 2 outlet temperature: 27C
    module 2 inlet temperature: 24C
    module 2 device-1 temperature: 25C
    module 2 device-2 temperature: 27C
    module 3 outlet temperature: 27C
    module 3 inlet temperature: 25C
    module 3 device-1 temperature: 25C
    module 3 device-2 temperature: 30C
    module 4 outlet temperature: 27C
    module 4 inlet temperature: 25C
    module 4 device-1 temperature: 25C
    module 4 device-2 temperature: 28C

Modules 2-4 are the same modules and all temps seem to be within limits, but module 3 device-2 temp is rather high compared to the other temperatures. Can anyone tell me where this sensor is physically located on the board? Front? Back? Left? Right?

I also have a question about the fans: there is a command to show the fan status, but what is the output if one of the fans fails? Does it signal single fan failure or only full-fan failure?

Greetings,

Wim Holemans
Network Services
University of Antwerp
Re: [c-nsp] 12.0SY on 12k
Mark Pace Balzan wrote on Wednesday, July 18, 2007 12:53 PM:

> Hi All,
>
> I've been happily running 12.0S on the 12k boxes with Eng3 linecards for a while with no major issues. Looks like for some Eng5 SIP/SPA combos, 12.0SY is required. Has anyone been running 12.0SY in production? Any horror stories to tell, or can it be considered stable like 12.0S?

12.0(32)SY has been an interim 12.0S-based release between 32S and 33S, and from a deployment risk standpoint, 32SY can be considered like other 12.0(xx)S releases.

oli
Re: [c-nsp] TCAM carving for IPv6
Hi Mike,

On 7/17/07, Michael Long [EMAIL PROTECTED] wrote:

> Aaron Daubman wrote:
>
> > Greetings,
> >
> > I just received this error for the first time and was looking for pointers as to how best to re-carve TCAM.
>
> What kind of sup do you have? Different sups have different memory. For 6509's anything less than 3bxl we used mls cef maximum-routes ip 230. For the 3bxl default is fine.
>
> What does show mls cef maximum-routes say?

This error is actually showing up on both of my '1 port ISE OC48' LCs in a GSR12410. Would I possibly fare better if I switched to the 2-port OC48 POS SPA on my 'ISE 10G Modular Services Card'?

Thanks again,
~Aaron
Re: [c-nsp] ASA5505 as VPN client to VPN 3030 concentrator
On Tue, 17 Jul 2007 17:53:21 -0500, Jerry Kemp wrote:

> Can the ASA 5505 be configured as a VPN client to a 3030 concentrator?
>
> A Google search turns up a few links (including one at forums.cisco.com) that suggest that this is possible, but nothing definitive.
>
> Thanks for any replies.

If you mean a LAN-to-LAN tunnel between a CVPN and ASA5505, then yes.
Re: [c-nsp] Bugs in the 12.2(33).SRA1
I can't speak to DOM support specifically. However, have you tried SRB1? Lots of bug fixes there. Personally I recommend sticking to the bleeding edge of SR for a while until more of the bugs are worked out. SRA3 to SRB was a huge step as far as features go.

In the event that this DOM problem is a change to not support non-Cisco optics in Cisco chassis, that would be worth contacting your account team to discuss further.

Justin

Emanuel Popa wrote:

> Hello everybody,
>
> Regarding this old thread, I've recently discovered that DOM is no longer supported for XENPAK-10GB-LR with 12.2(33)SRB. And I'm not speaking about SNMP. Not even CLI show of transceiver DOM. Fortunately, transceiver DOM is still available for XENPAK-10GB-LW:
>
> [...]
>
> Why is that DOM feature not supported anymore? There was no problem regarding DOM with CLI in SXF or SRA.
>
> regards,
> emanuel popa
>
> On 1/30/07, Marian Durkovic [EMAIL PROTECTED] wrote:
>
> > [...]
[c-nsp] (3 more needed) Re: Testing an EFT image for the upcoming 12.5(1) release
My goal to get started was 10 people. I'm at 7. I wanted to get the process started as soon as possible.

3 more...any takers?

Rodney

On Tue, Jul 17, 2007 at 02:12:25PM -0400, Rodney Dunn wrote:

> In working with the IOS Release Operations team I think I've convinced them to try something a little different for the first release of 12.5(1).
>
> This release is a little different in that there are no new features in it. There are some infrastructure changes around the forwarding paths to improve performance and scalability. These same changes have already been implemented in the 12.2S code base that new releases today are being built from (SRA/SRB for the 76xx, the upcoming SXH for the 6500, and all of the platforms shipping on the 12.2(28)SB and 12.2(31)SB releases).
>
> If they agree, here is what would happen. I would post out a pointer to an EFT image and I would like for anyone interested to test it out and report any problems found with the image.
>
> The image would be a date code image that has limited testing. The image is for testing in the lab only. Read that as: don't put it anywhere that if it fails it will cause you major pain. It's not a production ready image. Only once the final image is posted to CCO should it be considered production ready with full TAC support.
>
> Support for the image will be on a best effort basis through an email alias that I will set up for us to communicate on. Do not call TAC for support on a device that is running this image.
>
> If you are not interested in working through the bugs and trying to help identify and test solutions to them, this trial isn't for you.
>
> My first step is to gauge the interest from folks on this alias that would be interested in trialing this approach with me. If so, please unicast me an email. Based on the responses we'll make a final decision on if it's something they will do.
>
> In the email response please specify which IOS platform and feature set you need. Probably easiest to just provide a 'sh ver' from the box you will test it on.
>
> FYI: there will be no k9 images delivered so we can avoid the encryption image entitlement process.
>
> Thanks,
> Rodney
[c-nsp] Find where a 3000 concentrator is learning OSPF
The troubleshooting on the 3000 concentrators is pretty lacking for displaying routing information. I have a client running OSPF for dynamic routing and I would like to know where the device is learning these routes.

Thanks for any comments,

Chris Serafin
[EMAIL PROTECTED]
[c-nsp] Cisco Security Advisory: Denial of Service Vulnerability in Cisco Wide Area Application Services (WAAS) Software
Cisco Security Advisory: Denial of Service Vulnerability in Cisco Wide Area Application Services (WAAS) Software

Advisory ID: cisco-sa-20070718-waas

http://www.cisco.com/warp/public/707/cisco-sa-20070718-waas.shtml

Revision 1.0

For Public Release 2007 July 18 1600 UTC (GMT)

Summary
=======

The Cisco Wide Area Application Services (WAAS) software contains a denial of service (DoS) vulnerability that may cause some devices that run WAAS software (WAE appliance and NM-WAE-502 module) to stop processing all types of traffic, including data traffic and management traffic. This condition may occur if a device running WAAS software is configured for Edge Services, which utilizes Common Internet File System (CIFS) optimization, and receives a flood of TCP SYN packets on port 139 or 445.

Cisco has made free software available to address this vulnerability for affected customers. Workarounds are available to mitigate the effects of this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070718-waas.shtml.

Affected Products
=================

Vulnerable Products
+------------------

The vulnerability described in this document applies to both the WAE appliance and the NM-WAE-502 network module with Edge Services configured, which use CIFS optimization. Edge Services and CIFS optimization are disabled by default. CIFS functionality is only available once Edge Services are manually configured from the WAAS Central Manager.

Only WAAS software versions 4.0.7 and 4.0.9 are affected by this vulnerability.

In order to determine whether Edge Services are configured and to display the WAAS software version information, use the WAAS Central Manager GUI. The show version EXEC command from the CLI will also display the WAAS software version information.

Determine whether Edge Services are configured and display the WAAS software version information by following the steps below.

1. Log on to WAAS Central Manager.
2. Select the Devices tab.
3. Look under the Services column. "Edge" will denote if Edge Services are configured.
4. Look under the Software Version column. The software version for each device is identified.

The example below shows the output of the show version command from a WAE appliance CLI. In this example, the WAE is running version 4.0.9.

    CE-115-16#show version
    Cisco Wide Area Application Services Software (WAAS)
    Copyright (c) 1999-2007 by Cisco Systems, Inc.
    Cisco Wide Area Application Services Software Release 4.0.9 (build b10 Apr 6 2007)
    Version: fe611-4.0.9.10

    Compiled 15:26:06 Apr 6 2007 by cnbuild

    System was restarted on Sat Jun 16 05:03:41 2007.
    The system has been up for 33 minutes, 40 seconds.
    CE-115-16#

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products or versions of WAAS software that are not explicitly identified in this advisory are currently known to be affected by this vulnerability.

WAE appliances and NM-WAE-502 modules that are not configured to provide Edge Services performing CIFS optimization are not affected. The NM-WAE-302 is not susceptible to this vulnerability as it cannot be configured for CIFS optimization.

Details
=======

The Cisco Wide Area Application Services solution uses a combination of application acceleration and WAN optimization techniques to mitigate application and transport latency. WAAS software is utilized on the Wide Area Application Engine appliance and the Wide Area Application Services Network Module that are incorporated in the solution.

A DoS vulnerability exists in some versions of WAAS software that may cause some devices that run WAAS software (WAE appliance and NM-WAE-502 module) to stop processing all types of traffic, including traffic going through the device (data traffic) and traffic terminating on the device (management traffic).

If the WAAS device has Edge Services, which uses CIFS optimization, configured and receives a flood of TCP SYN packets on ports 139 or 445, this vulnerability may be triggered, resulting in a DoS condition. Ports 139 and 445 are utilized by the CIFS functionality of the WAAS software. This condition may result from network traffic that is sent directly to the WAAS platform, or by automated systems such as host scanners, port scanners, or network worms.

This vulnerability is documented in Cisco Bug ID CSCsi58809.

Vulnerability Scoring Details
+----------------------------

Cisco is providing scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 1.0.

Cisco will provide a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco PSIRT
Re: [c-nsp] Bugs in the 12.2(33).SRA1
On Wed, Jul 18, 2007 at 11:02:01AM +0300, Emanuel Popa wrote:

> Hello everybody,
>
> Regarding this old thread, I've recently discovered that DOM is no longer supported for XENPAK-10GB-LR with 12.2(33)SRB. And I'm not speaking about SNMP. Not even CLI show of transceiver DOM. Fortunately, transceiver DOM is still available for XENPAK-10GB-LW:

Try SRA4 and compare it to SRA3, I bet it's the same problem I noticed and posted about a couple months back (no responses though, so don't get your hopes up). I had thought that it was related to non-Cisco branded transceivers and DOM, but they have definitely done something to break DOM on the new code (SRA4/SRB).

--
Richard A Steenbergen [EMAIL PROTECTED] http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
Re: [c-nsp] configure 876 with qos
If you are trying to reserve bandwidth or do prioritization, wouldn't you want to use an output policy vs. input?

Mike

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ahmad Cheikh Moussa
Sent: Monday, July 16, 2007 9:13 AM
To: David Granzer
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] configure 876 with qos

> Hi!
>
> David Granzer wrote:
>
> > you can not use bandwidth on input direction.
>
> I've got the same error when I use the priority command. It doesn't matter what I configure in that policy-map, I've got this error.
>
> Regards,
> Ahmad
>
> --
> Ahmad Cheikh-Moussa
> ISP-Technik NetUSE AG
> Dr.-Hell-Straße, 24107 Kiel, Germany
> Phone: +49 431 2390 400 -- Fax: +49 431 2390 499
> Service: [EMAIL PROTECTED] -- http://NetUSE.DE/
> Management Board: Andreas Seeger (Chairman), Dr. Roland Kaltefleiter, Dr. Joerg Posewang
> Supervisory Board: Detlev Huebner (Chairman)
> Registered office: Kiel, HRB 5358
> VAT ID: DE156073942
>
> The information contained in this message is confidential or protected by law. Any unauthorised copying of this message or unauthorised distribution of the information contained herein is prohibited.
[c-nsp] DHCP snooping with PIX 7.22 as dhcp server fails
I have a network with a 3550 switch behind a PIX. The PIX is acting as the DHCP server on its inside interface. We had an incident with a rogue DHCP server on the LAN. Turning on DHCP snooping on the switch causes the PIX to stop handing out leases. I'm new to DHCP snooping configs; this is probably something simple I've overlooked in the configuration. I've RTFM to no avail.

Switch is Version 12.2(37)SE1, PIX is 7.2(2)

Switch config:

    !
    ip dhcp snooping vlan 1
    ip dhcp snooping
    !
    !
    interface FastEthernet0/48
     description PIX inside
     switchport mode access
     spanning-tree portfast
     ip dhcp snooping trust
    !

    sw1#sh ip dhcp snoop
    Switch DHCP snooping is enabled
    DHCP snooping is configured on following VLANs:
    1
    DHCP snooping is configured on the following Interfaces:
    Insertion of option 82 is enabled
       circuit-id format: vlan-mod-port
       remote-id format: MAC
    Option 82 on untrusted port is not allowed
    Verification of hwaddr field is enabled
    Interface                  Trusted    Rate limit (pps)
    ------------------------   -------    ----------------
    FastEthernet0/48           yes        unlimited

PIX config:

    dhcpd dns x.x.x.x y.y.y.y
    dhcpd domain foo.com
    !
    dhcpd address 192.168.100.50-192.168.100.200 inside
    dhcpd dns y.y.y.y z.z.z.z interface inside
    dhcpd domain foo.com interface inside
    dhcpd enable inside

PIX debug shows the following on receipt of a DHCP request:

    DHCPD: inconsistent relay information.
    DHCPD: relay information option exists, but giaddr is zero.
    DHCPD: Unable to load workspace.
    DHCPD: inconsistent relay information.
    DHCPD: relay information option exists, but giaddr is zero.
    DHCPD: Unable to load workspace.

Turning off snooping on the switch brings it back operational.

--
Jay Hennigan - CCIE #7880 - Network Engineering - [EMAIL PROTECTED]
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
[c-nsp] Long life build for 65?
Hi,

I've been out of the industry for a little while. Before I left, I remember that Whitney was definitely going to be a long life build for the 65, but was only Modular. Did a monolithic long life candidate emerge? I'm still seeing SXF incrementing.

What's the current feeling on what to use, and hopefully avoid the SXF curse of constant feature integration in supposed rebuilds?

Thanks
Christian
Re: [c-nsp] DHCP snooping with PIX 7.22 as dhcp server fails
The caveat with DHCP snooping is that you must establish a trust relationship with downstream DHCP snoopers on a trunk port:

    Switch(config-if)# ip dhcp relay information trusted

Regards,
Masood Ahmad Shah
Nexlinx
http://www.weblogs.com.pk/jahil/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jay Hennigan
Sent: Wednesday, July 18, 2007 11:24 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] DHCP snooping with PIX 7.22 as dhcp server fails

> I have a network with a 3550 switch behind a PIX. The PIX is acting as the DHCP server on its inside interface. We had an incident with a rogue DHCP server on the LAN. Turning on DHCP snooping on the switch causes the PIX to stop handing out leases. I'm new to DHCP snooping configs; this is probably something simple I've overlooked in the configuration. I've RTFM to no avail.
>
> Switch is Version 12.2(37)SE1, PIX is 7.2(2)
>
> [...]
>
> Turning off snooping on the switch brings it back operational.
>
> --
> Jay Hennigan - CCIE #7880 - Network Engineering - [EMAIL PROTECTED]
> Impulse Internet Service - http://www.impulse.net/
> Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] DHCP snooping with PIX 7.22 as dhcp server fails
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jay Hennigan
Sent: 18 July 2007 21:45
To: Masood Ahmad Shah
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] DHCP snooping with PIX 7.22 as dhcp server fails

> Masood Ahmad Shah wrote:
>
> > The caveat with DHCP snooping is that you must establish a trust relationship with downstream DHCP snoopers on a trunk port:
> >
> >     Switch(config-if)# ip dhcp relay information trusted
>
> I saw that in the docs, but there is no trunking and no downstream switch. One PIX connected to one switch port f0/48 as an access port.
>
> --
> Jay Hennigan - CCIE #7880 - Network Engineering - [EMAIL PROTECTED]
> Impulse Internet Service - http://www.impulse.net/
> Your local telephone and internet company - 805 884-6323 - WB6RDV

You are inserting option 82 in the DHCP request. Maybe the PIX doesn't understand this format and that's why it's not working with snooping? Try "no ip dhcp snooping information option" in global config mode.

/Daniel
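To show why the PIX rejected those requests and what Daniel's suggestion changes on the wire, here is an added Python example (not from the thread or from Cisco; the MAC addresses and the Cisco-style option 82 contents are constructed): it builds a DHCPDISCOVER as the snooping switch forwards it, with option 82 inserted but giaddr still 0.0.0.0, runs the relay-information consistency check that the PIX debug reports failing, and shows that the same packet passes once option 82 is no longer inserted or the source is explicitly trusted.

```python
import socket
import struct
from typing import Dict, Optional, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 53, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2


def build_discover(xid: int, client_mac: bytes, giaddr: str = "0.0.0.0",
                   relay_info: Optional[bytes] = None) -> bytes:
    """Build a DHCPDISCOVER: 236-byte BOOTP header, magic cookie, options."""
    zero = socket.inet_aton("0.0.0.0")
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, xid, 0, 0x8000,  # BOOTREQUEST, Ethernet, broadcast flag
                         zero, zero, zero, socket.inet_aton(giaddr),
                         client_mac.ljust(16, b"\x00"), b"", b"")
    options = bytes([OPT_MSG_TYPE, 1, 1])  # message type 1 = DISCOVER
    if relay_info is not None:  # what the switch adds when option 82 insertion is on
        options += bytes([OPT_RELAY_AGENT, len(relay_info)]) + relay_info
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


def parse_options(packet: bytes) -> Dict[int, bytes]:
    """Walk the option TLVs after the magic cookie, rejecting truncated ones."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 2 > len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        options[code] = value
        i += 2 + length
    return options


def parse_relay_suboptions(relay_info: bytes) -> Dict[int, bytes]:
    """Option 82 carries its own TLVs: 1 = circuit-id, 2 = remote-id."""
    subs, i = {}, 0
    while i + 2 <= len(relay_info):
        code, length = relay_info[i], relay_info[i + 1]
        value = relay_info[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated sub-option %d" % code)
        subs[code] = value
        i += 2 + length
    return subs


def relay_info_check(packet: bytes, trusted: bool = False) -> Tuple[bool, str]:
    """The server-side sanity check that failed on the PIX: option 82 is only
    expected from a relay, and a relay sets giaddr. trusted=True models a
    server told to accept option 82 with giaddr 0 from a trusted source."""
    giaddr = socket.inet_ntoa(packet[24:28])
    options = parse_options(packet)
    if OPT_RELAY_AGENT in options and giaddr == "0.0.0.0" and not trusted:
        return False, "relay information option exists, but giaddr is zero"
    return True, "ok"


def strip_relay_info(packet: bytes) -> bytes:
    """What the server sees once the switch no longer inserts option 82."""
    kept = b"".join(bytes([code, len(val)]) + val
                    for code, val in parse_options(packet).items()
                    if code != OPT_RELAY_AGENT)
    return packet[:240] + kept + bytes([OPT_END])


# Constructed sample values (hypothetical; not from the thread's network).
CLIENT_MAC = bytes.fromhex("0011223344aa")
SWITCH_MAC = bytes.fromhex("00aabbccddee")
# Constructed Cisco-style option 82: circuit-id = vlan/module/port, remote-id = switch MAC.
RELAY_INFO = (bytes([SUB_CIRCUIT_ID, 6, 0, 4]) + struct.pack("!HBB", 1, 0, 48)
              + bytes([SUB_REMOTE_ID, 8, 0, 6]) + SWITCH_MAC)

if __name__ == "__main__":
    snooped = build_discover(0x1234, CLIENT_MAC, relay_info=RELAY_INFO)
    print(relay_info_check(snooped))                    # fails like the PIX debug
    print(relay_info_check(strip_relay_info(snooped)))  # passes without option 82
```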
Re: [c-nsp] DHCP snooping with PIX 7.22 as dhcp server fails
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jay Hennigan
Sent: 18 July 2007 20:24
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] DHCP snooping with PIX 7.22 as dhcp server fails

I have a network with a 3550 switch behind a PIX. The PIX is acting as the DHCP server on its inside interface. We had an incident with a rogue DHCP server on the LAN. Turning on DHCP snooping on the switch causes the PIX to stop handing out leases.

I'm new to DHCP snooping configs, this is probably something simple I've overlooked in the configuration, I've RTFM to no avail.

Switch is Version 12.2(37)SE1, PIX is 7.2(2)

Switch config:

!
ip dhcp snooping vlan 1
ip dhcp snooping
!
!
interface FastEthernet0/48
 description PIX inside
 switchport mode access
 spanning-tree portfast
 ip dhcp snooping trust
!

sw1#sh ip dhcp snoop
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
1
DHCP snooping is configured on the following Interfaces:
Insertion of option 82 is enabled
   circuit-id format: vlan-mod-port
   remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface                  Trusted     Rate limit (pps)
------------------------   -------     ----------------
FastEthernet0/48           yes         unlimited

PIX config:

dhcpd dns x.x.x.x y.y.y.y
dhcpd domain foo.com
!
dhcpd address 192.168.100.50-192.168.100.200 inside
dhcpd dns y.y.y.y z.z.z.z interface inside
dhcpd domain foo.com interface inside
dhcpd enable inside

PIX debug shows the following on receipt of a DHCP request:

DHCPD: inconsistent relay information.
DHCPD: relay information option exists, but giaddr is zero.
DHCPD: Unable to load workspace.
DHCPD: inconsistent relay information.
DHCPD: relay information option exists, but giaddr is zero.
DHCPD: Unable to load workspace.

Turning off snooping on the switch brings it back operational.

--
Jay Hennigan - CCIE #7880 - Network Engineering - [EMAIL PROTECTED]
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

You are inserting option 82 in the DHCP request. Maybe the PIX doesn't understand this format and that's why it's not working with snooping?

Try "no ip dhcp snooping information option" in global config mode.

/Daniel
Re: [c-nsp] DHCP snooping with PIX 7.22 as dhcp server fails
Daniel Dib wrote:
> You are inserting option 82 in the DHCP request. Maybe the PIX doesn't
> understand this format and that's why it's not working with snooping?
>
> Try no ip dhcp snooping information option in global config mode.

Indeed that fixed it! Thanks for your help.

--
Jay Hennigan - CCIE #7880 - Network Engineering - [EMAIL PROTECTED]
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
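Daniel's diagnosis matches the PIX debug lines: the snooping switch inserts the relay agent information option (option 82, RFC 3046) into the client's request but, not being a relay, leaves giaddr at 0.0.0.0, and the PIX's DHCP server rejects that combination. Here is an added example, not code from the thread or from Cisco, that parses a raw DHCP message and applies the same consistency check; the DHCPDISCOVER, switch MAC and port values are constructed.

```python
"""Model the PIX's 'inconsistent relay information' check: option 82 present while
giaddr is 0.0.0.0. Added example (not from the thread or Cisco); input is constructed."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_RELAY_AGENT = 82  # RFC 3046 relay agent information option

def parse_options(raw):
    """Parse the option TLVs after the magic cookie (pad=0, end=255)."""
    opts, i = {}, 0
    while i < len(raw) and raw[i] != 255:
        if raw[i] == 0:  # pad byte has no length
            i += 1
            continue
        code, length = raw[i], raw[i + 1]
        opts[code] = raw[i + 2:i + 2 + length]
        if len(opts[code]) != length:
            raise ValueError("truncated option %d" % code)
        i += 2 + length
    return opts

def check_relay_consistency(packet):
    """Return the rejection reason, or None when the packet is consistent."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    giaddr = packet[24:28]  # BOOTP giaddr; zero unless a relay agent set it
    if OPT_RELAY_AGENT in parse_options(packet[240:]) and giaddr == bytes(4):
        return "relay information option exists, but giaddr is zero"
    return None

def cisco_option82(vlan, mod, port, switch_mac):
    """Option 82 as the thread's switch formats it: sub-option 1 circuit-id
    (vlan-mod-port) and sub-option 2 remote-id (MAC); values constructed."""
    circuit = b"\x00\x04" + struct.pack("!HBB", vlan, mod, port)
    remote = b"\x00\x06" + switch_mac
    return bytes([1, len(circuit)]) + circuit + bytes([2, len(remote)]) + remote

def build_discover(client_mac, giaddr, opt82=None):
    """Minimal DHCPDISCOVER (constructed input); a client leaves giaddr zero."""
    hdr = (struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x3903F326, 0, 0x8000)  # op..flags
           + bytes(12) + giaddr + client_mac.ljust(16, b"\0") + bytes(192))
    opts = b"\x35\x01\x01"  # option 53 = DHCPDISCOVER
    if opt82 is not None:
        opts += bytes([OPT_RELAY_AGENT, len(opt82)]) + opt82
    return hdr + MAGIC_COOKIE + opts + b"\xff"

if __name__ == "__main__":
    o82 = cisco_option82(1, 0, 48, bytes.fromhex("001122334455"))  # vlan 1, Fa0/48
    print("via snooping switch:", check_relay_consistency(build_discover(b"\xaa" * 6, bytes(4), o82)))
    print("via real relay:", check_relay_consistency(build_discover(b"\xaa" * 6, b"\xc0\xa8\x64\x01", o82)))
```

Run it and the "via snooping switch" case reproduces the debug message, while the same packet with giaddr set by a real relay passes.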
[c-nsp] L2TP tunnel drop at random
Dear All,

We are monitoring our vpdn sessions and see that the session drops suddenly. From the debug we see that the tunnel finally shuts down. Any idea on how to troubleshoot this?

regards
Egn

Jul 17 15:38:25 : Tnl 27485 L2TP: O Resend CDN, flg TLS, ver 2, len 88, tnl 83, ns 17048, nr 42056
Jul 17 15:38:25 : Tnl 27485 L2TP: O Resend CDN, flg TLS, ver 2, len 88, tnl 83, ns 17049, nr 42056
Jul 17 15:38:25 : Tnl 27485 L2TP: O Resend CDN, flg TLS, ver 2, len 88, tnl 83, ns 17050, nr 42056
Jul 17 15:38:33 : Tnl 27485 L2TP: O StopCCN to GGJKT1 tnlid 83
Jul 17 15:38:33 : Tnl 27485 L2TP: Tunnel state change from established to shutting-down