[c-nsp] Bridge between Ethernet Interface and Serial Interface
Hi All,

I want to establish a bridge between an ethernet interface and a serial interface. We have already found something like:

Router A:
interface FastEthernet1
 bridge-group 1
!
bridge 1 protocol ieee
!
bridge irb

Router B:
interface Serial1
 bridge-group 1
!
bridge 1 protocol ieee
!
bridge irb

The problem is that the encapsulations are different, so I would like to ask if there is a solution for this.

Thanks in advance
Tojo

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Bridge between Ethernet Interface and Serial Interface
Hi,

On Fri, Aug 17, 2007 at 08:03:12AM +0200, Tojonirina RAONISOAFIANINANA wrote:
> I want to establish a bridge between an ethernet interface and a serial interface.

I've never found myself in the situation where I *wanted* to do this...

Maybe it would be more productive if you tell us what the actual problem is that you're trying to solve? With that information, we might come up with a much more elegant solution...

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany [EMAIL PROTECTED]
fax: +49-89-35655025 [EMAIL PROTECTED]
Re: [c-nsp] Default route pointed to an interface
Hi Justin,

If I understand you right, you only need the default route on the border to prevent the router learning the default route from the IGP. A quick hack could be to set a Null route (ip route 0.0.0.0 0.0.0.0 null 0) on the borders. As an addition you can use different metric values (originate metric 1000) on each border. The proper way is to originate the default from the core to the edge devices and run the mesh between core and borders default-free.

Regards
Erich

> So a question would be how I remove the static default without learning the default from the IGP (distribute-list?)? What would be the proper configuration for this scenario? Besides the frequent ARPs and my uRPF desires, is this really a big problem? Or am I missing something obvious again? :-)
>
> Thanks
> Justin

--
* Erich Hohermuth IP Engineer - SolNet (AS 9044) PGPKEY-46A08FCB *
* phone: +41 32 517 6220 / sip:[EMAIL PROTECTED] *
Re: [c-nsp] Bridge between Ethernet Interface and Serial Interface
cisco has been pooh-poohing bvi's lately...I've never really heard a convincing argument as to why I shouldn't use them though -- anyone know? aside from they may stop supporting it in some distant release

(sry, didn't mean to hijack...i would guess encapsulation mismatch is a showstopper tho)

-G

From: [EMAIL PROTECTED] on behalf of Tojonirina RAONISOAFIANINANA
Sent: Thu 8/16/2007 11:03 PM
To: cisco-nsp@puck.nether.net
Cc: [EMAIL PROTECTED]
Subject: [c-nsp] Bridge between Ethernet Interface and Serial Interface

Hi All,

I want to establish a bridge between an ethernet interface and a serial interface. We have already found something like:

Router A:
interface FastEthernet1
 bridge-group 1
!
bridge 1 protocol ieee
!
bridge irb

Router B:
interface Serial1
 bridge-group 1
!
bridge 1 protocol ieee
!
bridge irb

The problem is that the encapsulations are different, so I would like to ask if there is a solution for this.

Thanks in advance
Tojo
Re: [c-nsp] Signal too hot for PA-A3-T3
Quoting Rick Kunkel [EMAIL PROTECTED]:
> Hello all,
>
> I just went through a 2-day troubleshooting session, due to a bunch of errors using a PA-A3-T3 and a third party's mux. In the end, upon the advice of a couple of people, we put a signal attenuator inline, and the errors have stopped.
>
> I already mentioned that the module of ours was the PA-A3-T3. I don't know who makes the mux. The coax between these devices is about 35 feet. The attenuator is supposedly around 10db. Using a testing tool, I'm told that the signal strength coming from their equipment went from about 2.4db to -7.6db.

If it's 35 feet end-to-end between PAs, then I'd guess it's a bit short for a DS3 and the signal levels might be higher than expected. OTOH 35 feet from a demarc isn't too unreasonable. (Our distance from demarc is a few hundred feet.)

Did you set the cablelength parameter on the interface on IOS? IIRC it helps set the signal strength range for a given build out.

Cheers,
Jeff C.
Re: [c-nsp] Bridge between Ethernet Interface and Serial Interface
Hi,

On Fri, Aug 17, 2007 at 08:46:08AM +0200, Tojonirina RAONISOAFIANINANA wrote:
> The problem is shown below:
>
> |r1 s0| -- |s0 r2 eth0| -- |eth0 r3|
>
> Our goal is to make the router r2 transparent

That's a *means*. What's the underlying goal? What sort of network problem do you want to solve that's requiring this?

Bridging over WAN lines is almost never a good idea.

What sort of other interfaces does r1 have? Do you want to bridge to r1's e0? You can't bridge e0 to r1's s0 - but you could bridge r2's e0 to r1's e0.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany [EMAIL PROTECTED]
fax: +49-89-35655025 [EMAIL PROTECTED]
Re: [c-nsp] Dumb NPE-G2 SFP question
You can try

show controllers gigabitethernet x/y

--
Tassos

Robert Boyle wrote on 17/8/2007 2:20 AM:
> I have a 7206VXR with NPE-G2 with 3 SFPs at a remote location. I am trying to get info from the SFPs to make sure they are the correct type. Is there a command like:
>
> sho idprom int g2/9
>
> which can be used on the 7200? I have tried Google and Cisco's sites without much luck. This is what I am looking for:
>
> Vendor Name : FINISAR CORP.
> Vendor OUI: 0x0 0x90 0x65
> Vendor PN : FWDM-1519-7D-47
> Vendor rev: A
> CC_BASE : 0xD0
>
> Something like that anyway. Thanks!
>
> -Robert
>
> Tellurian Networks - Global Hosting Solutions Since 1995
> http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
> Well done is better than well said. - Benjamin Franklin
Re: [c-nsp] Bridge between Ethernet Interface and Serial Interface
Local-switching

- Original Message -
From: Tojonirina RAONISOAFIANINANA [EMAIL PROTECTED]
To: cisco-nsp@puck.nether.net
Cc: [EMAIL PROTECTED]
Sent: Friday, August 17, 2007 1:03 AM
Subject: [c-nsp] Bridge between Ethernet Interface and Serial Interface

Hi All,

I want to establish a bridge between an ethernet interface and a serial interface. We have already found something like:

Router A:
interface FastEthernet1
 bridge-group 1
!
bridge 1 protocol ieee
!
bridge irb

Router B:
interface Serial1
 bridge-group 1
!
bridge 1 protocol ieee
!
bridge irb

The problem is that the encapsulations are different, so I would like to ask if there is a solution for this.

Thanks in advance
Tojo
[c-nsp] MPLS LDP Authentication Scaling
Hello all.

I've been going over some thoughts about scaling MPLS LDP authentication in an environment where all MPLS LER's or LSR's on the same subnet require LDP authentication.

I've had a look at the 'mpls ldp password option' and 'mpls ldp password required' features, but these require local ACL's be built and maintained, which also doesn't appear to scale well across several routers, at first glance.

Some fora suggest LDP authentication only be enabled on untrusted LDP peerings.

I'd be happy to hear the current practice most folk adopt.

Cheers,
Mark.
Re: [c-nsp] HP/Cisco Spanning Tree
From what I've read, the Catalyst 3020 for the blade chassis is vastly, vastly superior. Money, however, is an object, so tripling the price of the module didn't sit well with the approving authorities.

Oh, well...guess they'll have to live with the outages and downtime on the whole network because they didn't want to spend the money.

- Aaron Conaway

-Original Message-
From: Brian Desmond [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 16, 2007 5:27 PM
To: Conaway, Aaron; Roy; cisco-nsp@puck.nether.net
Subject: RE: Re: [c-nsp] HP/Cisco Spanning Tree

HP does sell a Cisco built switch module for the blade chassis - might be worth the extra expense. I have had issues with the HP branded ones as well from the previous generation of blades and switching to Cisco built modules made life way easier.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:cisco-nsp-[EMAIL PROTECTED] On Behalf Of Conaway, Aaron
Sent: Thursday, August 16, 2007 2:47 PM
To: Roy; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] HP/Cisco Spanning Tree

Roy:

We just turned up an HP GbE2c switch for a blade chassis on a Cisco-only LAN and saw the same thing. The fall from glory was the fact that Cisco does PVST and that the HP uses a single instance of STP for all VLANs. The solution for us was to turn up a mess of STP groups on the HP -- one for each VLAN. That fixed it right up.

- Aaron Conaway

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roy
Sent: Thursday, August 16, 2007 2:14 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] HP/Cisco Spanning Tree

I have to integrate a new Cisco 3550 into an existing network based mostly on older HP Procurve units. Multiple VLANs are involved. When I enabled spanning tree, the whole network seems to seize. I suspect some sort of problem due to the default PVST. I guess I need to switch to MST.

Does anyone have any experience in this configuration?

Roy
Re: [c-nsp] NAT, dual WAN and a cisco router
Hi Adrian,

I don't see any problem with this configuration. Implement a different NAT pool on each WAN interface (assuming the two Internet connections are to two different providers). If you can, get at least one upstream provider to send you a default route via BGP. If that goes down, the router can fail over to a static default route (configured with a higher metric) pointing to the other provider.

Note that if the LAN is running any resources to which people connect from outside the network (for example a mail server), you may need to find a way to provide redundancy (for example, primary / secondary MX records).

Thanks,
Adam

- Original Message -
From: Adrian Minta [EMAIL PROTECTED]
To: cisco-nsp@puck.nether.net
Sent: Thursday, August 16, 2007 2:35 AM
Subject: [c-nsp] NAT, dual WAN and a cisco router

Is it possible to use two Internet connection with a cisco router ? I need to have redundancy for a small NATed LAN. Does anyone have this configuration?

--
Best regards,
Adrian Minta
Re: [c-nsp] NAT, dual WAN and a cisco router
It can be done, but you must use route-maps in your ip nat inside source statements instead.

The following configuration uses object tracking to fail over to a backup link. Using tracking we remove or add a default route with a lower metric into the routing table upon a particular host becoming unavailable or available, respectively. Once the primary is back up, connectivity fails back to the primary, and the secondary remains idle until the primary fails again.

track 1 rtr 1 reachability
!
interface Dialer1
 description ** Your primary Internet connection here **
 ip nat outside
!
interface Dialer2
 description ** Your secondary Internet connection here **
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 Dialer1 track 1
ip route 0.0.0.0 0.0.0.0 Dialer2 10
ip route 1.2.3.4 255.255.255.255 Dialer1
!
ip nat inside source route-map pri-nat interface Dialer1 overload
ip nat inside source route-map sec-nat interface Dialer2 overload
!
ip sla 1
 icmp-echo 1.2.3.4 source-interface Dialer1
 timeout 4500
 threshold 6500
 frequency 30
ip sla schedule 1 life forever start-time now
access-list 100 permit ip 10.10.10.0 0.0.0.7 any
access-list 101 permit ip 10.10.10.0 0.0.0.7 any
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
route-map pri-nat permit 10
 match ip address 100
 match interface Dialer1
!
route-map sec-nat permit 10
 match ip address 101
 match interface Dialer2
!

Simply replace 1.2.3.4 with a host on the internet you would like to monitor, preferably one you won't need to actually reach when your primary link goes down, since we are explicitly routing that host via the primary ISP. Other than that, make other adjustments as required, such as interface names, subnets, etc etc.

Any routes you want removed from the routing table when the primary link goes down, add track 1 after it as per my example. They'll come back when it comes up again.

My example uses dialer interfaces for the WAN connectivity, but it can easily be adapted for any other type or combination of connectivity.

Cheers,
Tom

- Original Message -
From: Adrian Minta [EMAIL PROTECTED]
To: cisco-nsp@puck.nether.net
Sent: Thursday, August 16, 2007 4:05 PM
Subject: [c-nsp] NAT, dual WAN and a cisco router

Is it possible to use two Internet connection with a cisco router ? I need to have redundancy for a small NATed LAN. Does anyone have this configuration?

--
Best regards,
Adrian Minta
Re: [c-nsp] GEIP speed vs. GEIP+ speed.
Greetings Troy,

IIRC the former GEIP is VIP2-50-based and the GEIP+ is VIP4-80-based. Having similar hardware architecture and data throughput capabilities would suggest ~ 300-400 Mbps published, which I would interpret as 150-200 Mbps average depending upon your configuration (YMMV). I would also guesstimate throughput|capacity from a L3 switching perspective of approximately 100-120 Kpps for the GEIP.

I think I read some caveats regarding memory and such, but I believe current code requirements have successfully mitigated these concerns.

HTH,
~M

Troy Beisigl [EMAIL PROTECTED] 8/16/2007 4:04 PM
> I know that Cisco states that the GEIP+ can do 800+Mbps in the 7500 series but I was not able to find anything about the GEIP. Knowing the limitation of the VIP's speed, what could one expect to get out of the GEIP?
>
> Thanks.
> Troy
[c-nsp] Heads up: sh ip bgp regexp crashing router
It seems that there is a regexp which will crash routers running IOS when executed. For details see:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprofforum=Network%20Infrastructuretopic=WAN%2C%20Routing%20and%20SwitchingCommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddf7bc9
(german) http://www.heise.de/newsticker/meldung/94517

Please check your looking glasses for vulnerable routers.

Regards,
Sebastian
--
GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
Resist the beginnings: http://odem.org/informationsfreiheit/
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant
Re: [c-nsp] 7204vxr freeze-up question
Masood,

Thanks for the advice. Current IOS is 12.2(13)T16. We'll look into upgrading it. I'll have to see what will support the NPE300; we're running very few features, though, so I don't expect to have an issue...

The GBIC is plugged into a Bridgewave radio; power cycling the radio does not resolve the issue, only cycling the router does, so I think the issue is on the router end. But we'll keep in mind the suggestion.

Thanks again,
Adam

- Original Message -
From: Masood Ahmad Shah [EMAIL PROTECTED]
To: 'Adam Greene' [EMAIL PROTECTED]; cisco-nsp@puck.nether.net
Sent: Wednesday, August 15, 2007 9:19 PM
Subject: RE: [c-nsp] 7204vxr freeze-up question

Well, which IOS version you run? I know there are some issues with Intel chipset while it gets connected into cisco GBIC. I strongly suggest updating driver of NIC (if there is), upgrade IOS or change your NIC to check it out...

Regards,
Masood Ahmad Shah

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adam Greene
Sent: Wednesday, August 15, 2007 8:43 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] 7204vxr freeze-up question

Hi,

I'm running into an issue with a 7204VXR/NPE-300 router with 128MB RAM. A 1000Base-SX GBIC is plugged into one of the slots (not sure of the part # of the card into which the GBIC plugs).

We were running some dueling gateways speed tests with the router (packet stream is sent via iPerf to router A, which forwards it to router B, which forwards it back to router A, which forwards it back to router B, until TTL is decremented to 0).

Soon after I start sending 75Mbps - 80Mbps of traffic to the router's gig interface via iPerf, the gig interface stops sending / receiving any traffic whatsoever. The CLI of the router remains up, the gig interface reports it is up / up, memory and cpu utilization remain low. No logs are generated. Traffic on other interfaces is unaffected.

I shut / no shut the gigabit interface, but traffic still refuses to pass. Only a reload of the router rectifies the issue.

I wonder if there is a debug command that could provide some insight into the problem. At this point I am suspecting a hardware issue (GBIC, card, or backplane).

Thanks for any insights
Adam
Re: [c-nsp] SMTP Redirection
ip nat outside source static tcp o.o.o.o 25 xxx.xxx.xxx.xxx (mail server) 25?

:: a. rahman isnaini r. sutan

- Original Message -
From: Stephen Kratzer [EMAIL PROTECTED]
To: cisco-nsp@puck.nether.net
Cc: a. rahman isnaini r. sutan [EMAIL PROTECTED]
Sent: Friday, August 17, 2007 8:16 PM
Subject: Re: [c-nsp] SMTP Redirection

: On Thursday 16 August 2007 09:31:48 a. rahman isnaini r. sutan wrote:
: what the config looks like ?
: as the mail server is not located / directly connected to the router.
:
: tx
:
: :: a. rahman isnaini r. sutan
:
: http://www.cisco.com/warp/public/556/12.html#topic8
Re: [c-nsp] Signal too hot for PA-A3-T3
Rick Kunkel wrote:
> In the interface config, there's the IOS command atm lbo short that is the default, AFAIK. Yup... just tried it... That's for anything under 225 feet.

The LBO and cable-length commands affect the level of signal leaving your transmitter. The range of level tolerable by your receiver is a factor of the circuit design and not configurable.

Of note, we just went through a similar issue with PA-MC-T3 cards fed on a short loop from a mux with Westell NIUs. We found that there were consistent errors of around 100 LCV and PCV per 15 minutes. A step attenuator on the receive side of the Cisco showed a narrow range of from 5dB to 9 dB where the errors diminished to near-zero but never completely disappeared.

We connected to the Westell NIU with a serial cable and turned off regeneration NET - CPE. That solved the problem, and I can now go from no attenuation to over 20 dB with zero errors. I think that the Westell NIU is distorting the signal on the short loop that it has from the mux (in the same rack).

Note that the wording on LBO in the Westell config is counter-intuitive. If you enable LBO this makes the signal hotter (more powerful). Disabling LBO reduces the signal level.

--
Jay Hennigan - CCIE #7880 - Network Engineering - [EMAIL PROTECTED]
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] NAT, dual WAN and a cisco router - the solution
Adrian Minta wrote:
> Is it possible to use two Internet connection with a cisco router ? I need to have redundancy for a small NATed LAN. Does anyone have this configuration?

Thank you all ! Somebody suggested the best solution:
http://www.blindhog.net/cisco-dual-internet-connections-without-bgp/

--
Best regards,
Adrian Minta MA3173-RIPE, MA314-ROTLD, www.minta.ro
[c-nsp] About the posting entitled Heads up: sh ip bgp regexp crashing router
Folks:

Hi there. This is Dario Ciccarone from the Cisco PSIRT (Product Security Incident Response Team).

This is in response to the post entitled Heads up: sh ip bgp regexp crashing router. Based on the available information, this issue looks similar to the Cisco bug ID CSCsb08386. For those without access to the Cisco Bug Toolkit, here's the Release Note for said bug:

quote

Symptoms: A router crashes when you enter the show ip bgp regexp command.

Conditions: This symptom is observed on a Cisco router when BGP is being updated.

Workaround: Enable the new deterministic regular expression engine by entering the bgp regexp deterministic command and then enter the show ip regexp command. Note that enabling the new deterministic regular expression engine may impact the performance speed of the router.

/endquote

It has to be noted that in order to execute a show ip bgp regexp command, a user has to have valid credentials to the device in question. We have reports of some publicly available BGP looking glasses (which, as we all know, don't require credentials to login) being crashed due to this issue.

Customers are suggested to deploy the workaround - but please note the workaround, as stated on the release note, might impact the router performance. Or deploy one of the fixed IOS versions listed on the aforementioned bug.

In addition to that, any customer which might open a TAC SR for this issue is encouraged to attach the following information to the case:

* show tech from the device in question
* crashinfo file (if available)
* traceback

That would help us diagnose and troubleshoot the issue further. At the same time, customers opening a TAC SR for this issue are encouraged to request for the TAC CSE to contact the Cisco PSIRT with this information for evaluation.

Once again: this issue looks similar to CSCsb08386 - but without a TAC SR and the previously requested information, it is impossible for us to diagnose and troubleshoot the issue further and decide if it is the same issue or a new one.

The Cisco PSIRT Security Vulnerability Policy is available at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html - for any customer, with or without a service contract, which might be interested in contacting us.

Thanks,
Dario

Dario Ciccarone [EMAIL PROTECTED]
Incident Manager - CCIE #10395
Product Security Incident Response Team (PSIRT)
Cisco Systems, Inc.
PGP Key ID: 0xBA1AE0F0
http://www.cisco.com/go/psirt
Re: [c-nsp] cisco-nsp Digest, Vol 57, Issue 59
Hi,

Do you know if there is any restriction for standard Traffic Engineering in layer 3 etherchannel on 7609 ? I searched in Cisco and only found restriction for DS-TE.

I have used the command mpls traffic-eng tunnels under layer 3 port-channel without problem. The way I see it is that on the path from head-end to tail-end some links could be POS, other GigaEthernet, other ATM...The only requirement on the PATH is enabling traffic engineering on the interfaces. And standard TE is supported on layer 3 etherchannel on 7609.

There is a discussion about TE not supported in GSR bundles. In GSR case, it seems it is not supported at all. Not sure if currently this restriction is not true anymore.

http://puck.nether.net/pipermail/cisco-nsp/2005-February/016887.html

Tks
Re: [c-nsp] OSM module on 7613
The Interface MTU is 1500. Maybe there is a problem with the counters?

Phil Bedard [EMAIL PROTECTED] wrote:
> What is the interface MTU? I think on the PFC-based MPLS the MPLS MTU needs to be lower than the MPLS MTU, but I'm not sure about the OSM.
>
> Phil
>
> On Aug 15, 2007, at 6:38 PM, Leonardo Souza wrote:
>> Hi mates.
>>
>> I have one 7613 (SUP720-3BXL/MSFC3) router running with an Enhanced 4-port OC-3/STM-1 SONET/SDH SM-IR OSM, w/ 4 GE Rev. 1.0 PID: OSM-4OC3-POS-SI+.
>>
>> On these GE interfaces we are running MPLS and OSPF, but we are getting giant frames on them, even with mpls mtu 1516. Unfortunately, I don't have this card in my lab. There is no problem with the optical fibre.
>>
>> Anyone has a clue? Is this module MPLS-aware? i.e. only L2...
>>
>> thanks.
Re: [c-nsp] About the posting entitled Heads up: sh ip bgp regexp crashing router
Dario Ciccarone (dciccaro) wrote:
> We have reports of some publicly available BGP looking glasses (which, as we all know, don't require credentials to login) being crashed due to this issue.

This is probably obvious too, you may crash a RS accessible via telnet (which is usually not passing customer traffic) but in the case of the LG server with larger providers you can usually pick which router (usually key peering or core routers) to run the command on from a drop down list and then possibly remotely crash it.

The LG script is just a Web-telnet/SSH proxy facilitating the DoS in this case... i.e. filter at that level, remove this command from the allowed set in TACACS for the virtual user, etc.

Nico.
--
Nicolas FISCHBACH
Senior Manager - Network Engineering/Security - COLT Telecom
e:([EMAIL PROTECTED]) w:http://www.securite.org/nico/
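
The filtering at the looking-glass level suggested in the message above, sketched as an added example (not part of the original post and not taken from any real looking-glass script): a command allowlist applied before the web front end opens its telnet/SSH session. The function names, router names, permitted command set and sample queries are assumptions constructed for illustration.

```python
import ipaddress
import re

# Characters a query may contain: lowercase letters, digits, dot, slash and
# single spaces. Regex metacharacters, the "|" output modifier, "?" and line
# breaks are therefore refused before any parsing happens. fullmatch() is used
# so a trailing newline cannot slip past an end-of-string anchor.
_SAFE_QUERY = re.compile(r"[a-z0-9./]+( [a-z0-9./]+)*")

# Constructed router names standing in for the drop-down list of a real LG.
ALLOWED_ROUTERS = {"lg-rs1", "lg-rs2"}


class Rejected(ValueError):
    """Raised when a request must not be forwarded to the router."""


def _ipv4(arg):
    # Returns the canonical dotted quad, or raises ValueError.
    return str(ipaddress.IPv4Address(arg))


def _ipv4_or_prefix(arg):
    # Accepts a host address or a prefix; prefixes are normalised to the
    # network address so the router only ever sees a parsed value.
    if "/" in arg:
        return str(ipaddress.IPv4Network(arg, strict=False))
    return _ipv4(arg)


# Hypothetical permitted set: (exact command tokens, validator for the single
# argument, or None when the command takes no argument). There is no entry for
# "show ip bgp regexp", so no user-supplied expression reaches the CLI.
ALLOWED_COMMANDS = [
    (("show", "ip", "bgp", "summary"), None),
    (("show", "ip", "bgp"), _ipv4_or_prefix),
    (("show", "ip", "route"), _ipv4_or_prefix),
    (("ping",), _ipv4),
    (("traceroute",), _ipv4),
]


def build_cli_command(router, query):
    """Return the exact command string to send, or raise Rejected."""
    if router not in ALLOWED_ROUTERS:
        raise Rejected("unknown router")
    query = query.lower()
    if len(query) > 64 or not _SAFE_QUERY.fullmatch(query):
        raise Rejected("illegal characters or length")
    tokens = query.split(" ")
    for prefix, validator in ALLOWED_COMMANDS:
        if tuple(tokens[:len(prefix)]) != prefix:
            continue
        args = tokens[len(prefix):]
        if validator is None:
            if not args:
                return " ".join(prefix)
            continue
        if len(args) != 1:
            continue
        try:
            # Rebuild the command from parsed parts, never from raw input.
            return " ".join(prefix) + " " + validator(args[0])
        except ValueError:
            raise Rejected("argument is not a valid address or prefix")
    raise Rejected("command not in allowlist")


def is_allowed(router, query):
    """Boolean convenience wrapper around build_cli_command()."""
    try:
        build_cli_command(router, query)
        return True
    except Rejected:
        return False
```

Because the command is rebuilt from exact tokens rather than matched against a deny pattern, abbreviated forms such as `sh ip bgp reg` are refused along with the full command.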
Re: [c-nsp] SMTP Redirection
Hello Jorge,

I did, as the next hop is only ip not with the specific port. Any destination to smtp will be redirected to 192.168.20.20 which in this config should be directly connected to the gateway (router), while in many providers their smtp is often covered by a firewall which might be 3-4 hops away from this gateway.

Mail sending is stuck somewhere and I believe the router redirects the traffic (let say smtp server directly connected) to the server without having any idea to which opened / specific tcp port.

:: a. rahman isnaini r. sutan

- Original Message -
From: Jorge Evangelista [EMAIL PROTECTED]
To: cisco-nsp@puck.nether.net
Sent: Saturday, August 18, 2007 4:50 AM
Subject: Re: [c-nsp] SMTP Redirection

:I have not tried it yet, but I think that you could try something like that
:
: Customers=192.168.10.0/24
: SmtpRelay=192.168.20.20
:
: !
: access-list 100 remark SMTP Redirect of Customers to smtp.providername.com
: access-list 100 permit tcp 192.168.10.0 0.0.0.255 any eq smtp
: !
: route-map SMTP-Redirect permit 10
: match ip address 100
: set ip next-hop 192.168.20.20
: !
: interface FastEthernet 0/0
: description connected to Internet
: ip policy route-map SMTP-Redirect
: !
: !
:
: http://www.init7.net/anti-spam/
:
: On 8/17/07, a. rahman isnaini r. sutan [EMAIL PROTECTED] wrote:
: ip nat outside source static tcp o.o.o.o 25 xxx.xxx.xxx.xxx (mail server) 25?
: :: a. rahman isnaini r. sutan
:
: - Original Message -
: From: Stephen Kratzer [EMAIL PROTECTED]
: To: cisco-nsp@puck.nether.net
: Cc: a. rahman isnaini r. sutan [EMAIL PROTECTED]
: Sent: Friday, August 17, 2007 8:16 PM
: Subject: Re: [c-nsp] SMTP Redirection
:
: : On Thursday 16 August 2007 09:31:48 a. rahman isnaini r. sutan wrote:
: : what the config looks like ?
: : as the mail server is not located / directly connected to the router.
: :
: : tx
: :
: : :: a. rahman isnaini r. sutan
: :
: : http://www.cisco.com/warp/public/556/12.html#topic8
:
: --
: The network is the computer