[c-nsp] Tunneling through NAT
Hello all,

It seems all the material on the subject of tunneling through NAT I can find doesn't have two IOS boxes with the NAT between them, so now I'm asking for guidance on this.

As said, I've got two IOS routers. The first one (let's call it R1) is on the internet, with public IPs and all. The other one, R2, is behind a 1:1 NAT, so one public IP mapped statically to a single RFC 1918 address. Now what I need is to route the IP subnet behind R2 to the internet via R1. That subnet has public IPs, so there's no need for NAT or anything like that.

Apparently I'll need some kind of a tunnel between the routers, perhaps IPsec, and then static routes over that. GRE would be nice as there's no need for encryption, but if I remember correctly, it doesn't have NAT-traversal capabilities. The problem with example material is that all I can find assumes both ends of the tunnel have public IPs and no NAT between them.

Naturally, if this scenario has been discussed before, any pointers to example configs etc. will be appreciated.

Yours,
Tero

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Tunneling through NAT
If it's a 1:1 NAT, i.e. a true NATed IP and not PAT, then GRE will work. The NAT problem with GRE is when you are running PAT, as you can't forward that protocol by itself on a Cisco via PAT, which is where IPsec is often used instead.

Having said all that, I would highly recommend you run your GRE encapsulated in IPsec anyway, seeing as you are doing this over the Internet, unless you are not concerned about the privacy of your data.

Ben
Re: [c-nsp] csm Bridge Mode Simple scenario. Is it Possible?
Brad,

You should just make sure the virtual IP is routable on the MSFC. The best way is to use the advertise command on the virtual server.

Arie

-----Original Message-----
From: Brad Case
Sent: Tuesday, April 08, 2008 02:27 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] csm Bridge Mode Simple scenario. Is it Possible?

Hi Guys,

I have a question that I simply cannot find an answer to on the Cisco site in regards to the CSM in Bridge mode. Is it possible to have the vserver (VIP) IP in a different subnet range than the real IP addresses in the serverfarm that is bound to it?

In other words, as an example, a typical bridge configuration is like this:

  vlan 221 client
    ip address 10.20.220.2 255.255.255.0
    gateway 10.20.220.1
  !
  vlan 220 server
    ip address 10.20.220.2 255.255.255.0

Two VLANs with the same IP address are bridged together.

  serverfarm WEBFARM
    nat server
    no nat client
    real 10.20.220.10
      inservice
    real 10.20.220.20
      inservice
  !
  vserver WEB
    virtual 10.20.220.100 tcp www
    serverfarm WEBFARM
    persistent rebalance
    inservice

Is it possible to do something like this:

  vlan 221 client
    ip address 10.20.220.2 255.255.255.0
    gateway 10.20.220.1
  !
  vlan 220 server
    ip address 10.20.220.2 255.255.255.0

Two VLANs with the same IP address are bridged together.

  serverfarm WEBFARM
    nat server
    no nat client
    real 10.20.220.10
      inservice
    real 10.20.220.20
      inservice
  !
  vserver WEB
    virtual 50.40.220.99 tcp www
    ! Place the IP address in a different subnet than the IPs in the serverfarm
    serverfarm WEBFARM
    persistent rebalance
    inservice

On the MSFC, place a static route to route the 50.40.220.99 address towards the CSM IP on vlan 221:

  ip route 50.40.220.99 255.255.255.255 10.20.220.2

Please, if somebody knows whether this is or is not possible, it would be highly appreciated to hear your feedback.
Regards,
Brad
Re: [c-nsp] SIP VoIP Config
Hi Ben,

Done it already.

Thanks
Pedro Matusse

-----Original Message-----
From: Ben Steele
Sent: Tuesday, April 08, 2008 3:58 AM
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] SIP VoIP Config

If you haven't already, try posting this in the cisco-voip mailing list; they are very active.

Ben

On 08/04/2008, at 6:38 AM, Pedro Wiliamo Matusse wrote:

> Hi There,
>
> Trying to make calls from a POTS to VoIP in the SIP setup attached; calls from POTS are not being forwarded to the VoIP port. Can anyone help?
>
> Pedro Wiliamo Matusse
> Telecomunicações de Moçambique (TDM)
> DSI
> Tel. +258 21 482820
> Cell. +258 82 3080780
> Fax: +258 21 487812
>
> Attachment: config HJ3825 07 04 2008 23 00h.TXT
Re: [c-nsp] IOS pirating requests
-----Original Message-----
From: Asbjorn Hojmark - Lists
Sent: Sunday, April 06, 2008 1:23 PM
To: 'Daniel Hooper'; 'Jon Lewis'
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] IOS pirating requests

> > But if you send me the chassis as well as the IOS and no money changes hands, it's technically not pirating.
>
> Well, that depends on who you ask... It's pretty clear from the license that the software does *not* follow the hardware to a 3rd party. If you sell the box, you have to buy a 'transfer license'. (Whether that'll be legal in other countries is another matter.)

That has never been tested in a court, and a Cisco buyer is not required to sign a contract that would obligate them to such an act. In fact, if anything, the courts have ruled in the few cases that have come up regarding used software being sold that it is illegal for a software vendor to place a purchaser under such a restriction. In short, if you go buy a copy of Windows and use it for a few years then sell it (assuming that you have not of course used the license as the basis for an upgrade, and that it's not an OEM license), you and the buyer are perfectly legal.

As for OEM software, this travels with the device. As much as Microsoft and other vendors would like to have the software license of Windows 'untied' from the hardware post-purchase, if you sell a PC you bought with Windows preloaded, the license for the preload goes with the PC. This also works for cell phones, DVD players, automobiles, microwave ovens, hybrid key phone systems, etc., all of which have embedded computers with software running. The manufacturer can only deny you new updates or cut you out of support if you get the item from the secondary market - they cannot win a suit against you for merely buying and owning the item that has the software on it that was loaded on it when it came from the factory.

Cisco, I am sure, is perfectly aware of all of this. It is undoubtedly why they put the oldest and most archaic IOS possible on their products. For example, we just sold a recent 2800 to a customer - running an OLDER version of IOS (12.4.1 I believe) than what was in its ROM - this was a brand-new, never-opened, direct from Ingram Micro router - it was an IOS image that had been deferred years ago and long since covered under Cisco's free security upgrade replacement.

Clearly, pulling such a stunt gives Cisco much leeway to argue in a court that someone isn't entitled to a more current IOS version, because the official OEM IOS version that was shipped with the router is going to be older than -anything- that was ever available for download from the Cisco website. Thus Cisco could make the argument in a court that while a buyer of a used 2800 might have a legal right to possess the 2800 with IOS 12.4.1 loaded (because that was what was on it when the router shipped from the factory), that is as new an IOS as they can have simply by purchasing the box.

You really need to be careful here. Keep in mind that for the last decade software vendors have been scrupulously avoiding having shrinkwrap licenses tested in court; there's not been a single court case of a software vendor (like Microsoft or Cisco) suing anyone for violating a shrinkwrap license that they did not explicitly sign and agree to abide by. Yet there are millions of devices sold every year that have shrinkwrap licenses on them. Most of what you read from the software vendors is FUD and speculation in this area.

And, I will also remind you, there is no law that states that Cisco or any other software vendor MUST tell the truth with regards to contracts or their interpretation. It is SOP for most companies to put illegal, ridiculous, and unenforceable terms in their contracts, then have their sales guys claim those terms are legally binding. In writing, even.

Naturally, contract law being what it is, if there is ever a legal dispute, this will be held against them by the judge - but they do this because they know the vast majority of people automatically assume that just because it's written down in the contract, it must be legal.

Ted
Re: [c-nsp] Ethernet Freezeup
Hi Ed,

On Mon, Apr 07, 2008 at 12:18:37PM -0400, Ed Ravin wrote:
> On Mon, Apr 07, 2008 at 06:04:28PM +0200, Andre Beck wrote:
> > OMG. Thanks for this hint - I just rolled up something with SLA, tracking and EEM that eventually might just do it. Let's see...
>
> If you get it working, please post the details!

I still don't know if it would work (hasn't triggered yet) but it's essentially this:

1) Define a classic SLA ping monitor and track it:

  ip sla monitor 1
   type echo protocol ipIcmpEcho 212.111.225.17 source-ipaddr 212.111.225.1
   timeout 2000
   threshold 2
   frequency 10
  ip sla monitor schedule 1 life forever start-time now
  !
  track 1 rtr 1 reachability

I'm not sure about the timers and threshold, but I assume it would do the job. Me noticing the box has gone (via a ping monitor run from my laptop or by getting an SMS from our Nagios), logging into the router (from the outside or using the console) and giving the clear command manually will take longer anyway.

2) Define an EEM applet that tracks whether this tracker goes down and does the things we want it to do:

  event manager applet duck-reachable
   event track 1 state down
   action 1.1 cli command "clear interface Fa0/0"
   action 1.2 syslog priority critical msg "DUCK no longer reachable - Fa0/0 broken?"

Apparently you need somewhat current IOS for the latter; EEM was merged in a sufficiently new version to 12.2SB, it seems.

  nexus#sh track
  Track 1
    Response Time Reporter 1 reachability
    Reachability is Up
      1 change, last change 18:11:20
    Latest operation return code: OK
    Latest RTT (millisecs) 1
    Tracked by:
      applet duck-reachable

Looks like it would work - but only time will tell. Given the Heisenbug nature of the thing, maybe just running the monitor prevents it from ever occurring again ;)

HTH,
Andre.

-- 
Real men don't make backups of their mail. They just send it out on the Internet and let the secret services do the hard work.
- Andre Beck    +++ ABP-RIPE +++    IBH IT-Service GmbH, Dresden -
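The three objects in Andre's recipe refer to each other only by number (the track follows an SLA monitor, the applet's event watches a track), and a mismatch fails silently: the applet simply never fires. As an added example, not from Andre's post or from Cisco, here is a small Python checker that parses that chain out of IOS-style config text and reports a dangling reference, an unscheduled monitor, or a timer that violates the documented ordering; the config lines are the ones posted above, and the broken variant is constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample: the SLA -> track -> EEM chain exactly as posted above.
SAMPLE_CONFIG = """\
ip sla monitor 1
 type echo protocol ipIcmpEcho 212.111.225.17 source-ipaddr 212.111.225.1
 timeout 2000
 threshold 2
 frequency 10
ip sla monitor schedule 1 life forever start-time now
!
track 1 rtr 1 reachability
!
event manager applet duck-reachable
 event track 1 state down
 action 1.1 cli command "clear interface Fa0/0"
 action 1.2 syslog priority critical msg "DUCK no longer reachable - Fa0/0 broken?"
"""

# Constructed broken variant: the applet watches a track object that does not exist,
# so it would never fire even though every individual line is valid IOS syntax.
BROKEN_CONFIG = SAMPLE_CONFIG.replace("event track 1 state down", "event track 2 state down")


@dataclass
class ChainModel:
    slas: Dict[int, Dict[str, int]] = field(default_factory=dict)  # sla id -> timers
    scheduled: Set[int] = field(default_factory=set)               # sla ids with a schedule
    tracks: Dict[int, int] = field(default_factory=dict)           # track id -> sla id
    applets: Dict[str, dict] = field(default_factory=dict)         # name -> {"track", "actions"}


def parse_config(text: str) -> ChainModel:
    """Pull the SLA, track and EEM objects out of IOS-style config text.

    Top-level lines start a section; lines indented by a space belong to it.
    Only the handful of keywords used in the chain are recognised.
    """
    m = ChainModel()
    current_sla = None
    current_applet = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        s = raw.strip()
        if not raw.startswith(" "):            # new top-level section
            current_sla = current_applet = None
            if (x := re.match(r"ip sla monitor schedule (\d+)", s)):
                m.scheduled.add(int(x.group(1)))
            elif (x := re.match(r"ip sla monitor (\d+)$", s)):
                current_sla = int(x.group(1))
                m.slas[current_sla] = {}
            elif (x := re.match(r"track (\d+) rtr (\d+) reachability", s)):
                m.tracks[int(x.group(1))] = int(x.group(2))
            elif (x := re.match(r"event manager applet (\S+)", s)):
                current_applet = x.group(1)
                m.applets[current_applet] = {"track": None, "actions": []}
        elif current_sla is not None:
            if (x := re.match(r"(timeout|threshold|frequency) (\d+)$", s)):
                m.slas[current_sla][x.group(1)] = int(x.group(2))
        elif current_applet is not None:
            if (x := re.match(r"event track (\d+) state (\S+)", s)):
                m.applets[current_applet]["track"] = int(x.group(1))
            elif s.startswith("action "):
                m.applets[current_applet]["actions"].append(s)
    return m


def check_chain(m: ChainModel) -> List[str]:
    """Return human-readable problems; an empty list means the chain is wired up."""
    problems: List[str] = []
    for tid, sid in m.tracks.items():
        if sid not in m.slas:
            problems.append(f"track {tid} follows ip sla monitor {sid}, which is not defined")
        elif sid not in m.scheduled:
            problems.append(f"ip sla monitor {sid} is defined but never scheduled, so it never runs")
    for name, a in m.applets.items():
        if a["track"] is None:
            problems.append(f"applet {name} has no 'event track' line")
        elif a["track"] not in m.tracks:
            problems.append(f"applet {name} watches track {a['track']}, which is not defined")
        if not a["actions"]:
            problems.append(f"applet {name} has no actions")
    for sid, t in m.slas.items():
        # 'timeout' and 'threshold' are milliseconds, 'frequency' is seconds. Cisco's IP SLA
        # documentation wants threshold <= timeout <= frequency. Note that threshold is an
        # RTT value, not a failure count; a reachability track goes down on a timed-out probe.
        if "timeout" in t and "frequency" in t and t["timeout"] > t["frequency"] * 1000:
            problems.append(f"ip sla monitor {sid}: timeout {t['timeout']} ms exceeds frequency {t['frequency']} s")
        if "threshold" in t and "timeout" in t and t["threshold"] > t["timeout"]:
            problems.append(f"ip sla monitor {sid}: threshold {t['threshold']} ms exceeds timeout {t['timeout']} ms")
    return problems


if __name__ == "__main__":
    for label, cfg in (("posted", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        found = check_chain(parse_config(cfg))
        print(f"{label}: {'OK' if not found else found}")
```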
[c-nsp] Telco courses
Hi

Does anyone know of any good general telco engineering courses? Either Cisco or any non-specific technology-based training. We're looking to start work in that field, but it would need some reskilling to go from ISP to include some telco design and engineering. Courses in the US or UK are preferred.
Re: [c-nsp] Cat6500 - Support for MPLS and IPv6
Dean Smith wrote:
> > We can't moan about IOS deficiencies and also moan when Cisco take the opportunity of fundamentally new hardware to fundamentally re-architect the software to fix those problems.
>
> You've completely misunderstood what I said. I, like many I suspect, have been suffering recently. They don't seem to be able to add a feature (or even fix a bug) without breaking 2 others. And not minor breaks but fundamental things like QoS in recent mainline 12.4 code. It's killing us in terms of testing. We can't simply do a few spot checks - we have to check every release we want to use in fine detail. I'm hoping that something like IOS XE will give a clean break with the legacy code base (at least on some platforms). Of course time will tell and I'm hopeful, not confident!

On some platforms. IOS XE is, so far, for the ASR.

As was debated at length, we now have a vendor (supposedly) supporting IOS basic, IOS modular, IOS XR (GSR/CRS), NX-OS on the Nexus 7000, and various IOS-alike software on bought-in products like the WiSM, ACE and, of course, PIX OS.

The issue is not an attempt to re-architect. It's 4 (ION, IOS-XR, NX-OS, IOS XE), on platforms with partially overlapping coverage.

I contend that the experiences you and others are suffering are an inevitable result of Cisco diluting their software development efforts, and that it ought to be possible to maintain *TWO* trains:

1. IOS classic, which will clearly be maintained forever
2. IOS new (take your pick which of the above it should be), which runs on everything new, and would hopefully not look like something from the 1970s

Zooming back out further to a point made previously in the thread: it seems readily apparent that the Cisco business units are increasingly doing their own thing, and in some cases actively competing with each other. I believe the dilution of their effort is a result of this and harms the customer.
Re: [c-nsp] Ethernet Freezeup
Re Ed,

On Mon, Apr 07, 2008 at 04:10:23PM -0400, Ed Ravin wrote:
> > 4 weeks ago, I also upgraded the 7204 to IOS 12.3(24a). No problems since. I don't know whether the bug is quenched with the new IOS - this is definitely an improvement, but we've had similar quiet periods before. If I don't see it for another 2-3 months, then I might declare victory.
>
> And sure enough, it happened again today with the 7204. Obviously the IOS upgrade was not the answer.

Heisenbug. I'd postulate a new interpretation "Murphy causes collapse" if I were into quantum mechanics^Wmysticism..

> Can anyone suggest some commands to run before the "clear int FastE0/0" on the 7204 that might shed some light on what's going on? It has to get spooled out through a 9600 bps serial port so I don't want to run anything with a lot of output.

I'd say "show controller FastEthernet0/0", but the problem is to get somebody to read it who actually knows what the register values should be and what denotes a problem. Unless it becomes obvious, like "RX state: running - queuing rx frame into rx buffer" changing to something easily identified as being wrong, or the MAC filter table getting hosed or something like that.

Thanks for the info regarding 12.3(24a) - it would have been a bit problematic to get the box in question doing all the required things using 12.3 mainline, so I'm glad not to have to go this route. I'm going to free a chassis with NPE400 and IO-2FE as a replacement; hopefully this will fix it...

Thanks,
Andre.

-- 
Real men don't make backups of their mail. They just send it out on the Internet and let the secret services do the hard work.
- Andre Beck    +++ ABP-RIPE +++    IBH IT-Service GmbH, Dresden -
Re: [c-nsp] SIP VoIP Config
Hi Tom

Thank you. Adapted your config but still not working. Can you please have a look at the debug output attached.

Kind Regards
Pedro Wiliamo Matusse
Telecomunicações de Moçambique (TDM)
DSI
Tel. +258 21 482820
Cell. +258 82 3080780
Fax: +258 21 487812

----- Original Message -----
From: Tom Storey
Date: Tuesday, April 8, 2008 10:55 am
Subject: Re: [c-nsp] SIP VoIP Config

Hi.

If it helps, I recently configured a 1760 to connect to my ISP's VoIP service, and this is the config I used for my sip-ua:

  sip-ua
   authentication username 08 password
   no remote-party-id
   registrar ipv4:1.2.3.4 expires 3600
   sip-server ipv4:1.2.3.4:5060
  !

Initially I had issues where my calls didn't appear to be dialled via the VoIP provider, but with a bit of debugging from both ends we figured out that I had to "no" the remote-party-id feature, hence you see the "no remote-party-id" line in my config. The symptoms of my issue were I would dial the number, and it would sit there as if it were waiting for more characters, or it was trying to dial, and would eventually time out. It turns out it was actually dialling the number, but my VoIP provider was rejecting the call.

You can use "debug ccsip" to see SIP messages to/from your router; this can help to get clues about what is going on (beware that SIP is quite chatty, so a lot of output can be produced at times).

For reference, my dial-peers/voice-ports look like this:

  voice-port 3/0
   cptone AU
   timeouts interdigit 4
   timeouts call-disconnect 2
   timeouts wait-release 10
   description ** FXS right **
  !
  dial-peer voice 100 pots
   destination-pattern 08
   port 3/0
  !
  dial-peer voice 200 voip
   destination-pattern [0,1][2-4,7,8]
   session protocol sipv2
   session target ipv4:1.2.3.4
   dtmf-relay sip-notify rtp-nte
   signal-type ext-signal
   codec g711alaw
   no vad
  !

Other than the config above, I have zero other config related to voice on this router - no translation rules, codec profiles, etc. - the above two snips of config are it!

My setup is working 100% fine, inbound and outbound.

Hope that helps. :-)

Tom
Re: [c-nsp] IOS pirating requests
On Apr 8, 2008, at 4:58 AM, Ted Mittelstaedt wrote:
> You really need to be careful here. Keep in mind that for the last decade software vendors have been scrupulously avoiding having shrinkwrap licenses tested in court; there's not been a single court case of a software vendor (like Microsoft or Cisco) suing anyone for violating a shrinkwrap license that they did not explicitly sign and agree to abide by.

Notwithstanding the issue of first sale doctrine, I don't think this is true. In _ProCD, Inc. v. Zeidenberg_, 86 F.3d 1447 (7th Cir. 1996) the Seventh Circuit said that "Shrinkwrap licenses are enforceable unless their terms are objectionable on grounds applicable to contracts in general (for example, if they violate a rule of positive law, or if they are unconscionable)."

They further extended this to terms included in the box with hardware in _Hill v. Gateway 2000_, 105 F.3d 1147 (7th Cir. 1997). The Hills received a Gateway computer with terms and conditions inside, including an arbitration clause. The Hills sought to get out of the arbitration clause, but the court held that because they kept the computer more than thirty days, they had assented to the terms in the contract contained in the computer box.

Note that the Uniform Commercial Code 2-204(1) says that "A contract for the sale of goods may be made in any manner sufficient to show agreement, including conduct by both parties which recognizes the existence of such a contract." The fact that you kept your Cisco router and operated it could be interpreted as acceptance of the software agreement that went with it.

Ted

--
Jeremy McDermond
Xenotropic Systems
Re: [c-nsp] SIP VoIP Config
Pedro Wiliamo Matusse
Telecomunicações de Moçambique (TDM)
DSI
Tel. +258 21 482820
Cell. +258 82 3080780
Fax: +258 21 487812

----- Original Message -----
From: Pedro Wiliamo Matusse
Date: Tuesday, April 8, 2008 1:14 pm
Subject: Re: [c-nsp] SIP VoIP Config

> Hi Tom, sending again
>
> Pedro Wiliamo Matusse
> Telecomunicações de Moçambique (TDM)
> DSI
> Tel. +258 21 482820
> Cell. +258 82 3080780
> Fax: +258 21 487812
>
> ----- Original Message -----
> From: Tom Storey
> Date: Tuesday, April 8, 2008 1:22 pm
> Subject: Re: [c-nsp] SIP VoIP Config
>
> > I don't see any attached files?
Re: [c-nsp] Transparent ASA 5510 on a dot1q Trunk
Hi Chris,

This is feasible if you use multiple contexts in transparent mode, as described here:
http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/examples.html#wp1010043

Basically you define all necessary VLAN subifs in the global context, then you use them as inside/outside pairs in each context.

A guy called Ge Moua here at c-nsp sent me a working configuration for this a couple of months ago; unfortunately I can't get my hands on it anymore. Maybe Ge can kick in and repost it for you.

Jerome Covini

Selon Chris Riling:
> Hey Guys,
>
> Forgive the dumb question, I'm not much of a Cisco security guy... I have a 5510 I need to put in transparent mode and I want it to sit in the middle of a dot1q trunk and filter traffic for the 4 VLANs traversing the trunk between the two switches. What is the best way to do this? As someone on the list had pointed out to me once, you should be able to create inside and outside VLAN subinterfaces for each VLAN, but I'm still a little confused... Anyone else have any input? The ASA supposedly does some tag switching and you need to have the same VLANs have one tag on the inside and another tag on the outside, but I'm not exactly sure how you associate each inside VLAN with its respective outside VLAN and vice versa in the config...
>
> Thanks,
> Chris
[c-nsp] DMVPN's, or another way?
Hi all,

I'm currently working on a project that involves a number of sites which all have the potential to cross-talk to each other. The concept of configuring a dual hub - dual DMVPN layout is great; however, I don't really want to mix my internal and public-facing traffic on the same devices (in this case they would be NPE-G2s / 7201s without an accelerator), although I'd like to hear people's views and experiences on this, as well as the levels of throughput they have got doing IPsec on the G2.

The levels of traffic are generally sub 8Mbps, and the busy core sites are less than 20Mbps. I'm also open to any other ways to do this, whether that be using vendor X's devices or such.

All advice and experiences much appreciated!

Thanks,
S
[c-nsp] BGP timers
Hi

When connecting a CE to a PE, is there a minimum recommended BGP hold-down timer? I am currently using 90 seconds with both of my carriers, but it is causing applications to time out when there is a failure in one of the carriers' networks or if a local loop goes down. One of the carriers ruled out going down to 15 seconds, said it was too low.

Thanks
Tahir Uddin
Re: [c-nsp] BGP timers
Uddin, Tahir wrote on Tuesday, April 08, 2008 1:57 PM:
> When connecting a CE to a PE, is there a minimum recommended BGP hold-down timer? I am currently using 90 seconds with both of my carriers, but it is causing applications to time out when there is a failure in one of the carriers' networks or if a local loop goes down. One of the carriers ruled out going down to 15 seconds, said it was too low.

It all depends on scaling. You can go down to 15 seconds (and even lower) with a handful of sessions, but this doesn't scale if you're talking hundreds or thousands of peers and a lot of routing activity, which is why most SPs avoid using low timers.

oli
Re: [c-nsp] SIP VoIP Config
Going to send the debug ccsip messages output.

"session target sip-server. Is sip-server actually what you have in there, or do you normally have an IP address?"

Not sure, I'm in Africa and have the SIP gateway in the US. Attached is the updated SIP config.

Pedro Wiliamo Matusse
Telecomunicações de Moçambique (TDM) DSI
Tel. +258 21 482820 Cell. +258 82 3080780 Fax: +258 21 487812

- Original Message -
From: Tom Storey [EMAIL PROTECTED]
Date: Tuesday, April 8, 2008 1:35 pm
Subject: Re: [c-nsp] SIP VoIP Config

Can you turn off all debugging, then turn on debug ccsip messages and forward that to me. I also notice that in your dial-peer 100 config you have session target sip-server. Is sip-server actually what you have in there, or do you normally have an IP address? Can you send through a more recent copy of your SIP configuration?

On 08/04/2008, at 8:44 PM, [EMAIL PROTECTED] wrote:

Hi Tom, sending again.

- Original Message -
From: Tom Storey [EMAIL PROTECTED]
Date: Tuesday, April 8, 2008 1:22 pm
Subject: Re: [c-nsp] SIP VoIP Config

I don't see any attached files?

On 08/04/2008, at 8:21 PM, [EMAIL PROTECTED] wrote:

Hi Tom, thank you. Adapted your config but still not working. Can you please have a look at the attached debug output. Kind regards, Pedro

- Original Message -
From: Tom Storey [EMAIL PROTECTED]
Date: Tuesday, April 8, 2008 10:55 am
Subject: Re: [c-nsp] SIP VoIP Config

Hi. If it helps, I recently configured a 1760 to connect to my ISP's VoIP service, and this is the config I used for my sip-ua:

sip-ua
 authentication username 08 password
 no remote-party-id
 registrar ipv4:1.2.3.4 expires 3600
 sip-server ipv4:1.2.3.4:5060
!

Initially I had issues where my calls didn't appear to be dialled via the VoIP provider, but with a bit of debugging from both ends we figured out that I had to "no" the remote-party-id feature, hence you see the "no remote-party-id" line in my config. The symptoms of my issue were: I would dial the number, and it would sit there as if it were waiting for more characters, or it was trying to dial, and would eventually time out. It turns out it was actually dialling the number, but my VoIP provider was rejecting the call. You can use debug ccsip to see SIP messages to/from your router; this can help to get clues about what is going on (beware that SIP is quite chatty, so a lot of output can be produced at times).

For reference, my dial-peers/voice-ports look like this:

voice-port 3/0
 cptone AU
 timeouts interdigit 4
 timeouts call-disconnect 2
 timeouts wait-release 10
 description ** FXS right **
!
dial-peer voice 100 pots
 destination-pattern 08
 port 3/0
!
dial-peer voice 200 voip
 destination-pattern [0,1][2-4,7,8]
 session protocol sipv2
 session target ipv4:1.2.3.4
 dtmf-relay sip-notify rtp-nte
 signal-type ext-signal
 codec g711alaw
 no vad
!

Other than the config above, I have zero other config related to voice on this router - no translation rules, codec profiles, etc. The above two snips of config are it! My setup is working 100% fine, inbound and outbound. Hope that helps. :-)

Tom

On 08/04/2008, at 6:38 AM, [EMAIL PROTECTED] wrote:

Hi there, trying to make calls from POTS to VoIP in the SIP setup attached; calls from POTS are not being forwarded to the VoIP port. Can anyone help?

Pedro Wiliamo Matusse
Telecomunicações de Moçambique (TDM) DSI
Tel. +258 21 482820 Cell. +258 82 3080780 Fax: +258 21 487812

(Attachments: config HJ3825 07 04 2008 23 00h.TXT, SIP Call Debug.TXT, SIP Call Debug 2.TXT)

Catembe#sh run
Building configuration...

Current configuration : 4895 bytes
!
version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service udp-small-servers
service tcp-small-servers
service sequence-numbers
!
hostname Catembe
!
boot-start-marker
boot-end-marker
!
card type t1 1 1
logging buffered 4096
no logging console
enable secret .
!
aaa new-model
!
aaa session-id common
clock timezone PCTime 2
no network-clock-participate slot 1
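Tom's advice in this thread is to read the debug ccsip messages output to find out whether the far end is rejecting the call. That output is verbose; what you usually want from it is, per Call-ID, what the router sent and what final response came back. The script below is an added example, not code from anyone in this thread nor from Cisco. The transcript it parses is constructed to resemble the shape of IOS ccsip debug output (a timestamp line ending in ccsipDisplayMsg:, then Sent: or Received:, then the SIP message); the exact formatting varies by IOS release, and the numbers, addresses and Call-ID are made up.

```python
"""Condense IOS 'debug ccsip messages' output to one verdict per call.

Added example for this thread; not code from any poster or from Cisco.
SAMPLE_DEBUG is a constructed transcript shaped like that debug output.
Real output differs in detail across IOS releases; the numbers, addresses
and Call-ID here are made up.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE_DEBUG = """\
*Apr  8 13:22:01.100: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Sent:
INVITE sip:0212345678@1.2.3.4:5060 SIP/2.0
Via: SIP/2.0/UDP 10.0.0.1:5060;branch=z9hG4bK1A2B
From: <sip:0812345678@10.0.0.1>;tag=1
To: <sip:0212345678@1.2.3.4>
Call-ID: ABC123@10.0.0.1
CSeq: 101 INVITE
Content-Length: 0

*Apr  8 13:22:01.140: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
SIP/2.0 100 Trying
Call-ID: ABC123@10.0.0.1
CSeq: 101 INVITE

*Apr  8 13:22:01.300: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
SIP/2.0 403 Forbidden
Call-ID: ABC123@10.0.0.1
CSeq: 101 INVITE

*Apr  8 13:22:01.310: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Sent:
ACK sip:0212345678@1.2.3.4:5060 SIP/2.0
Call-ID: ABC123@10.0.0.1
CSeq: 101 ACK
"""


@dataclass
class SipMessage:
    direction: str                    # "Sent" or "Received", from the router's view
    start_line: str = ""              # request line or status line
    headers: Dict[str, str] = field(default_factory=dict)  # lower-cased names

    @property
    def is_response(self) -> bool:
        return self.start_line.startswith("SIP/2.0 ")

    @property
    def status(self) -> Optional[Tuple[int, str]]:
        """(code, reason phrase) for a response, None for a request."""
        if not self.is_response:
            return None
        _, code, reason = self.start_line.split(" ", 2)
        return int(code), reason

    @property
    def method(self) -> str:
        """Request method; for a response, the method of the CSeq it answers."""
        if self.is_response:
            parts = self.headers.get("cseq", "").split()
            return parts[-1] if parts else ""
        return self.start_line.split(" ", 1)[0]


def parse_ccsip(text: str) -> List[SipMessage]:
    """Split a debug transcript into messages; bodies (SDP) are skipped."""
    messages: List[SipMessage] = []
    current: Optional[SipMessage] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line == "" or line.endswith("ccsipDisplayMsg:"):
            current = None            # blank line ends headers; marker starts a new record
        elif line in ("Sent:", "Received:"):
            current = SipMessage(direction=line[:-1])
            messages.append(current)
        elif current is None:
            continue                  # body or unrelated debug noise
        elif not current.start_line:
            current.start_line = line
        elif ":" in line:
            name, _, value = line.partition(":")
            current.headers[name.strip().lower()] = value.strip()
    return messages


@dataclass
class CallSummary:
    method: str                       # request the router sent first (e.g. INVITE)
    final_code: Optional[int] = None  # first >= 200 answer received, if any
    final_reason: str = ""

    @property
    def rejected(self) -> bool:
        return self.final_code is not None and self.final_code >= 400


def summarise_calls(messages: List[SipMessage]) -> Dict[str, CallSummary]:
    """Key on Call-ID: what we sent, and the final response the far end gave it."""
    calls: Dict[str, CallSummary] = {}
    for m in messages:
        cid = m.headers.get("call-id")
        if cid is None:
            continue
        if m.direction == "Sent" and not m.is_response and cid not in calls:
            calls[cid] = CallSummary(method=m.method)
        elif m.direction == "Received" and m.is_response and cid in calls:
            code, reason = m.status
            call = calls[cid]
            if call.final_code is None and code >= 200 and m.method == call.method:
                call.final_code, call.final_reason = code, reason
    return calls


def report(text: str) -> List[str]:
    """One line per call, suitable for pasting into a ticket to the provider."""
    lines = []
    for cid, c in summarise_calls(parse_ccsip(text)).items():
        verdict = "REJECTED" if c.rejected else ("ok" if c.final_code else "no final response")
        lines.append(f"{cid}: {c.method} -> {c.final_code or '-'} {c.final_reason} [{verdict}]")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_DEBUG)))
```

Run it against a saved debug capture (pass the file contents to report) and a call the provider refused shows up as a 4xx/5xx/6xx verdict rather than being buried in the Trying/Ringing chatter; a call with no final response at all is the case where the INVITE never reached the provider or was silently dropped, which points at routing, NAT or the sip-server target rather than at provider-side policy.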
Re: [c-nsp] BGP timers
On Tuesday 08 April 2008, Uddin, Tahir wrote:
When connecting a CE to a PE, is there a minimum recommended BGP hold down timer? I am currently using 90 seconds with both of my carriers but it is causing applications to time out when there is a failure in one of the carriers' networks or if a local loop goes down. One of the carriers ruled out going down to 15 seconds, said it was too low.

We are aggressive with timers within our own core. However, we keep it simple with customers unless there is a special request. At any rate, BGP will use the smaller of the two received in the open message during setup.

That said, if both sides are Cisco (and you have the requisite IOS release), you may consider testing the BGP Next Hop Address Tracking feature (enabled by default in supporting releases) and BGP Fast Peering Session Deactivation (configurable in supporting releases).

Cheers, Mark.
Re: [c-nsp] BGP timers
Mark Tinka wrote on Tuesday, April 08, 2008 2:19 PM:
That said, if both sides are Cisco (and you have the requisite IOS release), you may consider testing the BGP Next Hop Address Tracking feature (enabled by default in supporting releases) and BGP Fast Peering Session Deactivation (configurable in supporting releases).

Well, Fast Session Deactivation only helps you on non-directly-connected eBGP sessions (i.e. multihop), possibly along with an IGP (or static routes with object tracking or something like this) to provide next-hop reachability, so it's not that useful on standard directly-connected eBGP sessions. BFD should be evaluated instead.

oli
Re: [c-nsp] BGP timers
-Original Message-
From: Uddin, Tahir
Sent: Tuesday, April 08, 2008 7:57 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] BGP timers

Hi, when connecting a CE to a PE, is there a minimum recommended BGP hold down timer? I am currently using 90 seconds with both of my carriers but it is causing applications to time out when there is a failure in one of the carriers' networks or if a local loop goes down. One of the carriers ruled out going down to 15 seconds, said it was too low.

If your IOS supports EEM and IP SLA, you could set up object tracking for the next-hop and configure EEM to shut down the BGP session when a failure occurs.

-evt
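Mark's point that BGP runs the smaller of the two hold times offered in the OPENs, and oli's point that a peer may simply refuse a value it considers too low, decide how long an application has to wait before a dead carrier path is even noticed. The following is an added example for this thread, not code from any poster or from IOS: a small Python model of the negotiation per RFC 4271 (hold time zero or at least three seconds; the session uses the minimum; an unacceptable value is answered with an OPEN Message Error / Unacceptable Hold Time notification). The keepalive and minimum-hold rules are modelled on what IOS timers bgp keepalive holdtime [min-holdtime] is documented to do (keepalive becomes min(configured, hold/3); a peer proposing less than min-holdtime never establishes); treat those IOS specifics as an assumption to verify on your release, and the reroute figure in survives_outage as a constructed number, not a measurement.

```python
"""BGP hold-time negotiation and the failure-detection budget it implies.

Added example for this thread, not code from any poster or from IOS.  It
models RFC 4271: the Hold Time in an OPEN is zero or at least three seconds
(section 4.2), the session runs the smaller of the two advertised values,
and an unacceptable value is answered with NOTIFICATION OPEN Message Error /
Unacceptable Hold Time (section 6.2).  The keepalive and minimum-hold rules
follow what IOS 'timers bgp <keepalive> <holdtime> [<min-holdtime>]' is
documented to do; that IOS behaviour is an assumption here.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class BgpTimers:
    keepalive: int            # seconds between the KEEPALIVEs we want to send
    holdtime: int             # hold time we put in our OPEN
    min_holdtime: int = 0     # refuse a peer proposing less than this (0 = accept any)


class UnacceptableHoldTime(ValueError):
    """Session never establishes: NOTIFICATION 2/6 goes out instead of a KEEPALIVE."""


def negotiate(local: BgpTimers, peer_holdtime: int) -> Tuple[int, int]:
    """Return (hold, keepalive) this speaker runs after the OPENs are exchanged."""
    if peer_holdtime != 0 and peer_holdtime < 3:
        raise UnacceptableHoldTime(
            f"peer proposed {peer_holdtime}s; RFC 4271 allows 0 or >= 3")
    if local.min_holdtime and 0 < peer_holdtime < local.min_holdtime:
        raise UnacceptableHoldTime(
            f"peer proposed {peer_holdtime}s, below our minimum of {local.min_holdtime}s")
    hold = min(local.holdtime, peer_holdtime)
    if hold == 0:
        return 0, 0           # hold timer off: BGP itself never notices a silent peer
    # IOS (assumed): keepalive is the configured value unless a third of the
    # negotiated hold time is smaller.
    return hold, min(local.keepalive, hold // 3)


def detection_time(hold: int) -> Optional[int]:
    """Worst-case seconds until a peer that stops talking is declared down."""
    return None if hold == 0 else hold


def survives_outage(app_timeout: int, hold: int, reroute: int = 0) -> bool:
    """True when the application's timeout outlives BGP detection plus reconvergence.

    reroute: extra seconds for the alternate path to take over once the
    session drops (a constructed figure for the example, not a measurement).
    """
    t = detection_time(hold)
    return t is not None and t + reroute < app_timeout


if __name__ == "__main__":
    # Tahir's 90 s side against a carrier still on the IOS default 60/180.
    print(negotiate(BgpTimers(30, 90), 180))
    # The carrier's side of a 15 s proposal if it enforces a 60 s minimum.
    try:
        negotiate(BgpTimers(60, 180, min_holdtime=60), 15)
    except UnacceptableHoldTime as err:
        print("refused:", err)
```

The practical reading for this thread: with 90 s negotiated, an application whose own timeout is shorter than 90 s plus reconvergence will always fail first, no matter which carrier failed, and lowering your own holdtime only helps if the carrier's side does not refuse it. Where the carrier holds the line, BFD (as oli suggests) or next-hop tracking detects the failure below BGP's own timers without touching the negotiated hold time at all.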
[c-nsp] 7600 SVI and subinterface combination
Colleagues, is it possible to combine both an SVI (for IP routing) and a subinterface (for EoMPLS) on a common interface configured as a trunk on a 67xx LAN card? In other words, is the following configuration OK?

interface GigabitEthernet1/1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
interface GigabitEthernet1/1.20
 encapsulation dot1Q 20
 xconnect 1.2.3.4 1 encapsulation mpls
!
interface Vlan 10
 ip address 4.3.2.1 255.0.0.0

Thanks.
-- Alex.
Re: [c-nsp] DMVPN's, or another way?
Look at GET VPN. http://www.cisco.com/en/US/products/ps7180/products_ios_protocol_option_home.html

-- Regards, Jason Plank CCIE #16560 e: [EMAIL PROTECTED]

-- Original message --
From: [EMAIL PROTECTED]

Hi all, I'm currently working on a project that involves a number of sites which all have the potential to cross-talk to each other. The concept of configuring a dual hub - dual DMVPN layout is great; however, I don't really want to mix my internal and public-facing traffic on the same devices (in this case would be NPE-G2s/7201s without an accelerator), although I'd like to hear people's views and experiences on this, as well as the levels of throughput they have got doing IPSec on the G2. The levels of traffic are generally sub 8Mbps, and the busy core sites are less than 20Mbps. I'm also open to any other ways to do this, whether that be using vendor X's devices or such. All advice and experiences much appreciated! Thanks, S
Re: [c-nsp] Multicast tryout
On Tue, 1 Apr 2008, Robert Hass wrote:
I'm currently looking for some software which can help us test a new multicast configuration in our network. Is there any free software which can send a multicast stream (video, music, whatever) and some receiver/client software? (best if Windows/Linux/Mac based)

You can try some really, really basic utils that I threw together a number of years ago and recently updated for IPv6. Builds for all three platforms above. ftp://ftp.lava.net/users/tony/multicast mcsend just takes text input. I usually tail/pipe an active log file into it to generate traffic. Pre-compiled Windows exes are also there.

Antonio Querubin whois: AQ7-ARIN
Re: [c-nsp] CSM for service providers
Sounds like no one has used the ACE. I have, for two customers: one in production for approx. six months and the other not in production yet. Other than some issues with the new load balancing with the GSS, which hopefully has been resolved now, we haven't run into any problems.

I'm not in sales, so I don't have to worry about cost ;-), but I do know there was, and still may be, a special on the appliance (not the module) where you get some large percentage off (35% or 50% or something) in addition to your normal Cisco discount. So if you are interested in an ACE, pick one up now...

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer, Coleman Technologies, Inc. 954-298-1697

-Original Message-
From: Chris Riling
Sent: Monday, April 07, 2008 6:24 PM
To: Ross Vandegrift
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] CSM for service providers

I've been running the CSM for about the year and a half I've been at the service provider I work for. I like the fact that it's pretty scalable and that you can be multiple L2 hops down the line and build it out however you like, and every port in the chassis is a load-balance-capable port... I haven't been using the config sync feature since it requires a CSM software upgrade, which requires us to do an IOS upgrade; from what I can hear I haven't missed much. The fault tolerance has worked all right; I just had my first failover last night. I had some config sync related issues but that was due to our environment and not the blade... I push a fair amount of traffic through it and it doesn't skip a beat. However, other than the basic load balancing / health probes and the occasional serverfarm NAT, I don't really use the CSM to its fullest extent. I will also agree that the documentation is horrible; I learned more by running it than I ever did reading the documentation... Overall I think it's pretty decent though... I did hear it's on its way out also, but I haven't used the ACE.

Chris

On Mon, Apr 7, 2008 at 5:33 PM, Ross Vandegrift [EMAIL PROTECTED] wrote:
On Mon, Apr 07, 2008 at 08:30:17PM +, Ramcharan, Vijay A wrote:
Last I knew, the CSM was on its way out and being replaced with the ACE blade/appliance. That's not quite the answer to the question you asked but it does address the long-term viability issue. I don't believe you should be looking at the CSM as a long-term solution. If it's in place and working then it may have some life left in it. If it's for a new deployment, look elsewhere. I mean seriously look at other options. You just need to look at the bug list for the ACE releases to get a teeny bit wary of the ACE in general. There is no Safe Harbor code release as yet and it's been probably over a year since the product was available.

We have two existing CSM installations, and the question is going to be: do we size up these to match demand or do we start moving to another solution? As for the ACE: unless the ACE represents substantial benefits, there's no way the cost of all the license crap is going to be worth it. And if Cisco wants to hold us CSM customers hostage for working redundancy, we'll find another solution.

Interesting that the safe-harbor listing is gone - CSM does receive safe-harbor qualifications, and I know that 4.2(5) was previously listed as receiving qualifications. See the stub at: http://www.cisco.com/en/US/docs/safe_harbor/enterprise/csm/4_2_5__12_2_18_sxf5/425.html Interesting that this isn't linked from the main safe-harbor page anymore. Moreover, CSM 3.X has announced end-of-support in 2011. While there is no comparable EOL/EOS data (that I know of) on CSM 4.2 software, I have no reason to think it's going to drop out of support soon.

Ross

Vijay Ramcharan

-Original Message-
From: Ross Vandegrift
Sent: April 07, 2008 15:20
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] CSM for service providers

Hello everyone, I'm looking to solicit some input from others that are using the Cisco CSM, in particular service providers that are using it to host layer 4-7 switching for customers. The archives don't seem to have a ton of opinions on these guys. In general, I like the device's performance and scalability. I have actually seen them handle a million simultaneous sessions, and I've seen VIPs with 900+k sessions cause no impact to other VIPs. However, we've run into some issues that are a bit troublesome: 1) Fault-tolerance is a feature that was obviously tacked on after the fact. Config sync is a slow process that interacts badly with other IOS features like SNMP. We've been reduced to manually syncing all configs because of IOS crash risk
Re: [c-nsp] BGP timers
With this picture: CE1 - PE1 - MPLS cloud - PE2 - CE2. If next-hop tracking is enabled on CE1, and there is a problem between PE2 and CE2 or an issue in the cloud, would it still be useful?

BTW, Mark, what is the lowest you would go within the core and the lowest on the customer WAN link, and are there any resource issues (memory, CPU) that are of concern?

Thanks. Tahir

-Original Message-
From: Mark Tinka [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 08, 2008 8:19 AM
To: cisco-nsp@puck.nether.net
Cc: Uddin, Tahir
Subject: Re: [c-nsp] BGP timers

We are aggressive with timers within our own core. However, we keep it simple with customers unless there is a special request. At any rate, BGP will use the smaller of the two received in the open message during setup. That said, if both sides are Cisco (and you have the requisite IOS release), you may consider testing the BGP Next Hop Address Tracking feature (enabled by default in supporting releases) and BGP Fast Peering Session Deactivation (configurable in supporting releases).

Cheers, Mark.
Re: [c-nsp] Transparent ASA 5510 on a dot1q Trunk
On a FWSM you don't need separate contexts and can set up to eight bridge groups:

"If you do not want the overhead of security contexts, or want to maximize your use of security contexts, you can configure up to eight pairs of interfaces, called bridge groups. Each bridge group connects to a separate network. Bridge group traffic is isolated from other bridge groups; traffic is not routed to another bridge group within the FWSM, and traffic must exit the FWSM before it is routed by an external router back to another bridge group in the FWSM. Although the bridging functions are separate for each bridge group, many other functions are shared between all bridge groups. For example, all bridge groups share a system log server or AAA server configuration. For complete security policy separation, use security contexts with one bridge group in each context."

Finally, one thing a FWSM does better than an ASA! (feature-wise)

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer, Coleman Technologies, Inc. 954-298-1697

-Original Message-
From: [EMAIL PROTECTED]
Sent: Tuesday, April 08, 2008 5:11 AM
To: Chris Riling
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Transparent ASA 5510 on a dot1q Trunk

Hi Chris, this is feasible if you use multiple contexts in transparent mode as described here: http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/examples.html#wp1010043 Basically you define all necessary VLAN subifs in the global context, then you use them as inside/outside pairs in each context. A guy called Ge Moua here at c-nsp sent me a working configuration for this a couple of months ago; unfortunately I can't get my hands on it anymore. Maybe Ge can kick in and repost it for you.

Jerome Covini

Selon Chris Riling [EMAIL PROTECTED]:
Hey guys, forgive the dumb question, I'm not much of a Cisco security guy... I have a 5510 I need to put in transparent mode and I want it to sit in the middle of a dot1q trunk and filter traffic for the 4 VLANs traversing the trunk between the two switches. What is the best way to do this? As someone on the list had pointed out to me once, you should be able to create inside and outside VLAN subinterfaces for each VLAN but I'm still a little confused... Anyone else have any input? The ASA supposedly does some tag switching and you need to have the same VLANs have one tag on the inside, and another tag on the outside, but I'm not exactly sure how you associate each inside VLAN with its respective outside VLAN and vice versa in the config... Thanks, Chris
Re: [c-nsp] CSM for service providers
Hi,

On Tue, Apr 08, 2008 at 09:06:44AM -0400, Fred Reimer wrote:
I'm not in sales, so I don't have to worry about cost ;-), but I do know there was, and still may be, a special on the appliance (not the module) where you get some large percentage off (35% or 50% or something) in addition to your normal Cisco discount. So if you are interested in an ACE, pick one up now...

I always thought the ACE has a list price of zero - all you need to buy is the license for the number of contexts and the license for the amount of gbits you want it to handle... (... which makes me unhappy to even think about "box breaks, hardware gets replaced by Cisco in 4h, but license cookies [or however they are stored] cannot be transferred because the license server is down"...)

I hate "features get activated by a non-transferable license $thing on the box" schemes.

gert
-- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany [EMAIL PROTECTED] fax: +49-89-35655025 [EMAIL PROTECTED]
Re: [c-nsp] Multicast tryout
Also, VLC media player is a nice client that knows to listen for video/audio multicasts. It works on Windows/Linux/Mac and it's free; can you ask for more than that???

Ziv

-Original Message-
From: Antonio Querubin
Sent: Tuesday, April 08, 2008 3:26 PM
To: Robert Hass
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Multicast tryout

You can try some really, really basic utils that I threw together a number of years ago and recently updated for IPv6. Builds for all three platforms above. ftp://ftp.lava.net/users/tony/multicast mcsend just takes text input. I usually tail/pipe an active log file into it to generate traffic. Pre-compiled Windows exes are also there.

Antonio Querubin whois: AQ7-ARIN
Re: [c-nsp] CSM for service providers
They are definitely trying to get people that don't have 6500s to migrate towards the ACE appliance. The licensing thing I find annoying, but I guess it keeps it affordable for a company that may only need 100MB or 500MB of throughput from the device. They were (as of a month or so ago) also including training in the purchase, so you could go to their local facility and one of their third-party vendors would give you training on the product. That's pretty cool. Not a deal breaker by any means, but pretty cool.

-- Regards, Jason Plank CCIE #16560 e: [EMAIL PROTECTED]

-- Original message --
From: Fred Reimer [EMAIL PROTECTED]
Re: [c-nsp] 7600 SVI and subinterface combination
I wouldn't say so, because of this command:

 switchport

What would have been a layer 3 port has now become a layer 2 port, hence switchport. That's a guess. Someone may correct or confirm my suspicion.

On 08/04/2008, at 10:18 PM, Alex A. Pavlenko wrote:
Colleagues, is it possible to combine both an SVI (for IP routing) and a subinterface (for EoMPLS) on a common interface configured as a trunk on a 67xx LAN card? In other words, is the following configuration OK?

interface GigabitEthernet1/1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
interface GigabitEthernet1/1.20
 encapsulation dot1Q 20
 xconnect 1.2.3.4 1 encapsulation mpls
!
interface Vlan 10
 ip address 4.3.2.1 255.0.0.0

Thanks.
-- Alex.
Re: [c-nsp] 7600 SVI and subinterface combination
Alex A. Pavlenko wrote:
Colleagues, is it possible to combine both an SVI (for IP routing) and a subinterface (for EoMPLS) on a common interface configured as a trunk on a 67xx LAN card? In other words, is the following configuration OK?

I believe so; it requires 12.2(33)SR-something and is referred to as "mux uni" in the release notes. http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/pfc3mpls.html#wp1406020
Re: [c-nsp] DMVPN's, or another way?
Frankly we're very happy with our dual hub DMVPN thus far. We're running this on a pair of 2811s with no issues, but our bandwidth per site is small (200-500kb/s). You might look at a pool of cheap hub routers that have IPsec hardware acceleration built in (2811, 2821, 37xx) and do some simple load balancing. Once our scale passes the single 2811s we have in place we'll just add more and load balance across them, adding routers to the pool as we need to.

[EMAIL PROTECTED] wrote:
Hi all, I'm currently working on a project that involves a number of sites which all have the potential to cross-talk to each other. The concept of configuring a dual hub - dual DMVPN layout is great; however, I don't really want to mix my internal and public-facing traffic on the same devices (in this case would be NPE-G2s/7201s without an accelerator), although I'd like to hear people's views and experiences on this, as well as the levels of throughput they have got doing IPSec on the G2. The levels of traffic are generally sub 8Mbps, and the busy core sites are less than 20Mbps. I'm also open to any other ways to do this, whether that be using vendor X's devices or such. All advice and experiences much appreciated! Thanks, S
Re: [c-nsp] CSM for service providers
Gert Doering wrote:
I always thought the ACE has a list price of zero - all you need to buy is the license for the number of contexts and the license for the amount of gbits you want it to handle...

That's how ours were billed out. The line item with the dollar amount was ACE-04G-LIC. The ACE10-6500-K9= line item had no dollar amount, and neither did the 3.0.1 software line or the Data Center Security line.

Justin
Re: [c-nsp] 7600 SVI and subinterface combination
This is called MUX-UNI and works fine; you need SR or SXH.

David

On 4/8/08, Tom Storey [EMAIL PROTECTED] wrote:
I wouldn't say so, because of this command: switchport. What would have been a layer 3 port has now become a layer 2 port, hence switchport. That's a guess. Someone may correct or confirm my suspicion.
Re: [c-nsp] 7600 SVI and subinterface combination
"is it possible to combine both an SVI (for IP routing) and a subinterface (for EoMPLS) on a common interface configured as a trunk on a 67xx LAN card?"

Look up mux-uni. http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/pfc3mpls.html#wp1406020

"In other words, is the following configuration OK?

interface GigabitEthernet1/1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
interface GigabitEthernet1/1.20
 encapsulation dot1Q 20
 xconnect 1.2.3.4 1 encapsulation mpls"

You must use a separate subinterface VLAN from the ones you are allowing across the trunk port.

-- Regards, Christian Bering, IP engineer, nianet a/s, Phone: (+45) 7020 8730
Re: [c-nsp] BGP timers
Ivan Pepelnjak wrote this article on Designing Fast Converging BGP Networks that might be of some use: http://www.nil.com/ipcorner/DesigningBGPNetworks/

There are a lot of BGP articles on his blog here: http://blog.ioshints.info/search/label/BGP

Cheers

On Tue, Apr 8, 2008 at 9:56 PM, Uddin, Tahir [EMAIL PROTECTED] wrote:
Hi, when connecting a CE to a PE, is there a minimum recommended BGP hold down timer? I am currently using 90 seconds with both of my carriers but it is causing applications to time out when there is a failure in one of the carriers' networks or if a local loop goes down. One of the carriers ruled out going down to 15 seconds, said it was too low. Thanks, Tahir Uddin
___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] 7600 SVI and subinterface combination
If I run SXH on a 6500 platform with Sup720 can I also do MUX-UNI, or is 7600 required?

Bill Murphy
Senior Network Analyst
University of Texas Health Science Center - Houston

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christian Bering
Sent: Tuesday, April 08, 2008 9:07 AM
To: Alex A. Pavlenko
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 7600 SVI and subinterface combination

>> Is it possible to combine both SVI (for IP routing) and a subinterface (for EoMPLS) upon a common interface configured as a trunk on a 67xx LAN card?
>
> Look up mux-uni.
> http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/pfc3mpls.html#wp1406020
>
>> In other words, is the following configuration ok?
>>
>>   interface GigabitEthernet1/1
>>    switchport
>>    switchport trunk encapsulation dot1q
>>    switchport mode trunk
>>    switchport trunk allowed vlan 10,20
>>
>>   interface GigabitEthernet1/1.20
>>    encapsulation dot1Q 20
>>    xconnect 1.2.3.4 1 encapsulation mpls
>
> You must use a separate subinterface VLAN from the ones you are allowing across the trunk port.
>
> --
> Regards
> Christian Bering
> IP engineer, nianet a/s
> Phone: (+45) 7020 8730
[c-nsp] 1841 - good replacement for 2650??
Hello,

We currently have many 2650 routers combined with a Netscreen 5GT for the VPN site-to-site tunnel. These connections are private line T-1s. I was hoping to switch to the 1841 as a single unit for the T-1 connectivity and the VPN connection. Would this work? Has anyone had any experience with this model?

Thanks,
Re: [c-nsp] Telco courses
Mauritz,

I suggest you take a look here:
http://tools.cisco.com/E-Learning-IT/LPCM/pub_jsp/ll/LpcmListAllCourses.jsp

Specifically, take a look at the courses with ADVANCED SERVICES in their name - these are usually more about solutions and not specific technologies.

Arie

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mauritz lewies
Sent: Tuesday, April 08, 2008 11:18 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Telco courses

> Hi
>
> Does anyone know of any good general Telco engineering courses? Either Cisco or any non-specific technology based training. We're looking to start work in that field, but it would need some reskilling to go from ISP to include some Telco design and engineering. Courses in the US or UK are preferred.
Re: [c-nsp] Ethernet Freezeup
Is it possible that your interface is getting wedged?
http://www.cisco.com/en/US/products/hw/iad/ps397/products_tech_note09186a00800a7b85.shtml

Jon Hartman
Network Engineering
Verizon Internet Operations

> Hi Ed,
>
> On Mon, Apr 07, 2008 at 10:10:38AM -0400, Ed Ravin wrote:
>> On Mon, Apr 07, 2008 at 03:28:12PM +0200, Andre Beck wrote:
>>> Sadly I've come to know this bug in the last months as well.
>> ...
>> I was seeing this with a 7206/IO-FE that *has* other interfaces, though what seemed to trigger it there was indeed single-armed routed traffic.
>> ...
>> Any thoughts about what might be going on in the innards of the IOS, and how to troubleshoot or prevent recurrence?
[c-nsp] WCCP on 3845/3745
Hello

I am trying to remove WCCP from a couple of routers, a 3845 and a 3745. Both are giving me the same error to the command 'no ip wccp98' - 'The WCCP service specified does not exist.' However WCCP is in the config and a sh ip wccp gives me:-

    Global WCCP information:
        Router information:
            Router Identifier:                   172.29.157.13
            Protocol Version:                    2.0

        Service Identifier: 98
            Number of Cache Engines:             0
            Number of routers:                   0
            Total Packets Redirected:            83561186
            Redirect access-list:                -none-
            Total Packets Denied Redirect:       0
            Total Packets Unassigned:            22
            Group access-list:                   -none-
            Total Messages Denied to Group:      0
            Total Authentication failures:       0

Does anyone have any ideas on how I can remove WCCP?

Thanks
George
Re: [c-nsp] 1841 - good replacement for 2650??
jacob c wrote:
> Hello,
>
> We currently have many 2650 routers combined with a Netscreen 5GT for the VPN site-to-site tunnel. These connections are private line T-1s. I was hoping to switch to the 1841 as a single unit for the T-1 connectivity and the VPN connection. Would this work? Has anyone had any experience with this model?

The 1841 is an excellent router. It's approx 1.5-2x the speed of the 2650. I don't know what the VPN throughput is, but I imagine it would be easily sufficient to perform IPSEC VPN at T1 speeds.

Though, why aren't you currently doing this with the 2650? Are there features you need which won't fit into the limited memory of the 2650 or aren't available on that platform?

adam.
Re: [c-nsp] BGP timers
On Tuesday 08 April 2008, Oliver Boehmer (oboehmer) wrote:
> well, Fast Session Deactivation only helps you on non-directly connected eBGP sessions (i.e. multihop), possibly along with an IGP (or static routes with object tracking or something like this) to provide next-hop reachability, so it's not that useful on standard directly-connected eBGP sessions..

Not necessarily, if I understand this feature well enough. A route map matching directly connected routes can be referenced with this feature on a per-eBGP-neighbor basis:

    router bgp 1234
     neighbor 1.1.1.1 remote-as 5678
     neighbor 1.1.1.1 fall-over route-map EBGP-CONNECTED
    !
    route-map EBGP-CONNECTED permit 10
     match source-protocol connected

Cheers,

Mark.

signature.asc
Description: This is a digitally signed message part.
Re: [c-nsp] BGP timers
On Tuesday 08 April 2008, Uddin, Tahir wrote:
> With this picture, CE1-PE1-MPLS cloud-PE2-CE2
>
> If next hop tracking is enabled on CE1, and there is a problem between PE2 and CE2 or an issue in the cloud, would it still be useful?

I cannot give you an experienced response as we only use this feature with our iBGP sessions.

> BTW, Mark, what is the lowest you would go within the CORE and the lowest on the customer WAN link, and are there any resource issues (memory, cpu) that are of concern?

Justin's comments on the variables involved are worth noting. Having said that, the lowest we would go (which I'm not recommending as a best practice in any way) is 30 seconds keepalive, 90 seconds hold time. One of the vendors we use defaults to this.

Cheers,

Mark.

signature.asc
Description: This is a digitally signed message part.
Re: [c-nsp] WCCP on 3845/3745
A copy of your config would be useful, or at least 'sh run | inc wccp'.

Cheers
Mark

> Date: Tue, 8 Apr 2008 16:15:24 +0100
> From: George Horton [EMAIL PROTECTED]
> Subject: [c-nsp] WCCP on 3845/3745
> To: cisco-nsp@puck.nether.net
> Message-ID: [EMAIL PROTECTED]
> Content-Type: text/plain; charset=us-ascii
>
> Hello
>
> I am trying to remove WCCP from a couple of routers, a 3845 and a 3745. Both are giving me the same error to the command 'no ip wccp98' - 'The WCCP service specified does not exist.' However WCCP is in the config and a sh ip wccp gives me:-
>
>     Global WCCP information:
>         Router information:
>             Router Identifier:                   172.29.157.13
>             Protocol Version:                    2.0
>
>         Service Identifier: 98
>             Number of Cache Engines:             0
>             Number of routers:                   0
>             Total Packets Redirected:            83561186
>             Redirect access-list:                -none-
>             Total Packets Denied Redirect:       0
>             Total Packets Unassigned:            22
>             Group access-list:                   -none-
>             Total Messages Denied to Group:      0
>             Total Authentication failures:       0
>
> Does anyone have any ideas on how I can remove WCCP?
>
> Thanks
> George
[c-nsp] L2TPv3 and Filtering
I have two 2811 routers that I'm setting up to bridge a L2 VLAN across our WAN to support some POS systems that need to be on the same L2 VLAN. I've gotten a L2TPv3 tunnel set up between the routers and passing packets. However, I'd like to add an access list to prevent traffic like OSPF, PIM, and DHCP from passing across the tunnel. However, adding an ip access-group command to the interface that is connected to the tunnel doesn't seem to block anything.

Here's the relevant bits from the config (the other router is identical except for IP addresses). Can anyone show me how to get this filtering working properly? Should I be using something other than L2TPv3?

    l2tp-class cafe-class
     authentication
     password
    !
    pseudowire-class cafe-pseudowire
     encapsulation l2tpv3
     protocol l2tpv3 cafe-class
     ip local interface Loopback0
    !
    interface Loopback0
     ip address XXX.XXX.XXX.XXX 255.255.255.255
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip pim sparse-mode
    !
    interface FastEthernet0/1
     no ip address
     ip access-group keep-stuff-local in
     duplex auto
     speed auto
     xconnect XXX.XXX.XXX.XXX 39 encapsulation l2tpv3 pw-class cafe-pseudowire
    end
    !
    ip access-list extended keep-stuff-local
     deny   udp any any range bootps bootpc log
     deny   pim any any log
     deny   ospf any any log
     deny   igmp any any log
     permit ip any any
Re: [c-nsp] BGP timers
On Tuesday 08 April 2008, Oliver Boehmer (oboehmer) wrote:
> well, no. For connected, you don't need any new feature, the fast-external-fallover feature causes the session to drop once the connected route goes away (i.e. the interface goes down). This has been default behaviour for years, no need for ATF or FSD. I guess the above config would also work, creative use of it :)

Right - I suppose one may deploy it if they had to (for whatever reason) disable 'fast-external-fallover' at the BGP global level.

Cheers,

Mark.

signature.asc
Description: This is a digitally signed message part.
Re: [c-nsp] IPSEC VTIs
I don't know what code you are running, supposedly 12.4 something, but in later versions of code you can put an input and output ACL in the crypto map in addition to the match ACL. I've used this with VRF aware IPsec with failover separating out several different connections.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-Original Message-
From: [EMAIL PROTECTED] [mailto:cisco-nsp-[EMAIL PROTECTED] On Behalf Of Behl, Jeff
Sent: Tuesday, April 08, 2008 12:27 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] IPSEC VTIs

> I've switched to using VTIs (http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/hipsctm.html) where possible, both for their simplicity in configuration and (more importantly) because I can put ACLs on the actual tunnel interfaces to manage incoming traffic.
>
> Where this isn't the case (there's a Juniper at the other end, so IPSEC/GRE), what or where is the best place to enforce ACLs? Applying them to the tunnel interface obviously doesn't work, so it seems the other choice is to put ACLs on all non-tunnel interfaces, which isn't ideal, or to do something using VRFs?
>
> Thanks for any input.
>
> -Jeff

smime.p7s
Description: S/MIME cryptographic signature
Re: [c-nsp] L2TPv3 and Filtering
Hi!

I asked almost the same question some time ago and got this answer:

>> Is it possible to interfere the L2TP traffic with access-lists?
>
> No. Not on the access side.

A bit later I got the explanation:

> AFAIK no. The features applied on ingress are not evaluated on L3 info. We simply encapsulate the raw L2 frame and ship it over.

Greets,
Bernd

Jeffrey Ollie schrieb:
> I have two 2811 routers that I'm setting up to bridge a L2 VLAN across our WAN to support some POS systems that need to be on the same L2 VLAN. I've gotten a L2TPv3 tunnel set up between the routers and passing packets. However, I'd like to add an access list to prevent traffic like OSPF, PIM, and DHCP from passing across the tunnel. However, adding an ip access-group command to the interface that is connected to the tunnel doesn't seem to block anything.
>
> Here's the relevant bits from the config (the other router is identical except for IP addresses). Can anyone show me how to get this filtering working properly? Should I be using something other than L2TPv3?
>
>     l2tp-class cafe-class
>      authentication
>      password
>     !
>     pseudowire-class cafe-pseudowire
>      encapsulation l2tpv3
>      protocol l2tpv3 cafe-class
>      ip local interface Loopback0
>     !
>     interface Loopback0
>      ip address XXX.XXX.XXX.XXX 255.255.255.255
>      no ip redirects
>      no ip unreachables
>      no ip proxy-arp
>      ip pim sparse-mode
>     !
>     interface FastEthernet0/1
>      no ip address
>      ip access-group keep-stuff-local in
>      duplex auto
>      speed auto
>      xconnect XXX.XXX.XXX.XXX 39 encapsulation l2tpv3 pw-class cafe-pseudowire
>     end
>     !
>     ip access-list extended keep-stuff-local
>      deny   udp any any range bootps bootpc log
>      deny   pim any any log
>      deny   ospf any any log
>      deny   igmp any any log
>      permit ip any any
Re: [c-nsp] L2TPv3 and Filtering
On Tue, Apr 8, 2008 at 12:44 PM, Bernd Ueberbacher [EMAIL PROTECTED] wrote:
> I asked almost the same question some time ago and got this answer:
>
>>> Is it possible to interfere the L2TP traffic with access-lists?
>>
>> No. Not on the access side.
>
> A bit later I got the explanation:
>
>> AFAIK no. The features applied on ingress are not evaluated on L3 info. We simply encapsulate the raw L2 frame and ship it over.

Hmm... shoot. Too bad the 3750s (non-E) that these routers plug into can't do outbound access lists, and the input access lists that I tried on the switches seemed to affect ports other than the one that it was configured on.

Is there any other way to do the L2 tunneling? MPLS maybe? I know nothing about MPLS and we don't run it currently.

Jeff
Re: [c-nsp] Ethernet Freezeup
On Tue, Apr 08, 2008 at 12:13:45PM +0200, Andre Beck wrote:
>     event manager applet duck-reachable
>      event track 1 state down
>      action 1.1 cli command "clear interface Fa0/0"
>      action 1.2 syslog priority critical msg "DUCK no longer reachable - Fa0/0 broken?"

Further reading reveals that something essential is missing here:

    action 1.0 cli command "enable"

Seemingly the initial state of the CLI backend is unprivileged exec, which is a good thing if you only need show commands and mailing. To go privileged exec, we have to start with enable. Apparently you can go as far as conf t and rewriting your config there...

Andre.
--
Real men don't make backups of their mail. They just send it out on the Internet and let the secret services do the hard work.
- Andre Beck +++ ABP-RIPE +++ IBH IT-Service GmbH, Dresden -
Re: [c-nsp] IOS pirating requests
SOP is buy the chassis and routing engine new from Cisco, buy the line cards used. Best of both worlds, and legal.

-Matt

On Apr 8, 2008, at 10:47 AM, Tony Varriale wrote:
> I would disagree with what's mostly here. But, I'm guessing both of us aren't lawyers.
>
> I do know what IS SOP these days. Buy the gear 3rd party, then either the seller or buyer downloads and loads up some later software and/or different feature set. That, I know for sure, is illegal unless Cisco offers the code fix for a security issue. And, the people that are practicing this as SOP can't spell security.
>
> tv
>
> - Original Message -
> From: Ted Mittelstaedt [EMAIL PROTECTED]
> To: Asbjorn Hojmark - Lists [EMAIL PROTECTED]; 'Daniel Hooper' [EMAIL PROTECTED]; 'Jon Lewis' [EMAIL PROTECTED]
> Cc: cisco-nsp@puck.nether.net
> Sent: Tuesday, April 08, 2008 3:58 AM
> Subject: Re: [c-nsp] IOS pirating requests
>
>> -Original Message-
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Asbjorn Hojmark - Lists
>> Sent: Sunday, April 06, 2008 1:23 PM
>> To: 'Daniel Hooper'; 'Jon Lewis'
>> Cc: cisco-nsp@puck.nether.net
>> Subject: Re: [c-nsp] IOS pirating requests
>>
>>>> But if you send me the chassis as well as the IOS and no money changes hands, it's technically not pirating.
>>>
>>> Well, that depends on who you ask... It's pretty clear from the license that the software does *not* follow the hardware to a 3rd party. If you sell the box, you have to buy a 'transfer license'. (Whether that'll be legal in other countries is another matter).
>>
>> That has never been tested in a court, and a Cisco buyer is not required to sign a contract that would obligate them to such an act. In fact, if anything, the courts have ruled in the few cases that have come up regarding used software being sold that it is illegal for a software vendor to place a purchaser under such a restriction.
>>
>> In short, if you go buy a copy of Windows and use it for a few years then sell it (assuming that you have not of course used the license as the basis for an upgrade, and that it's not an OEM license), you and the buyer are perfectly legal.
>>
>> As for OEM software, this travels with the device. As much as Microsoft and other vendors would like to have the software license of Windows 'untied' from the hardware post-purchase, if you sell a PC you bought with Windows preloaded, the license for the preload goes with the PC. This also works for cell phones, DVD players, automobiles, microwave ovens, hybrid key phone systems, etc., all of which have embedded computers with software running. The manufacturer can only deny you new updates or cut you out of support if you get the item from the secondary market - they cannot win a suit against you for merely buying and owning the item that has the software on it that was loaded on it when it came from the factory.
>>
>> Cisco I am sure is perfectly aware of all of this. It is undoubtedly why they put the oldest and most archaic IOS on their products possible. For example we just sold a recent 2800 to a customer - running an OLDER version of IOS (12.4.1 I believe) than what was in its ROM - this was a brand-new, never-opened, direct from Ingram Micro router - it was an IOS image that has been deferred years ago and long since covered under Cisco's free security upgrade replacement.
>>
>> Clearly, pulling such a stunt gives Cisco much leeway to argue in a court that someone isn't entitled to a more current IOS version, because the official OEM IOS version that was shipped with the router is going to be older than -anything- that was ever available for download from the Cisco website.
>>
>> Thus Cisco could make the argument in a court that while a buyer of a used 2800 might have a legal right to possess the 2800 with IOS 12.4.1 loaded (because that was what was on it when the router shipped from the factory), that is as new an IOS as they can have simply by merely purchasing the box.
>>
>> You really need to be careful here. Keep in mind that for the last decade software vendors have been scrupulously avoiding having shrinkwrap licenses tested in court; there's not been a single court case of a software vendor (like Microsoft or Cisco) suing anyone for violating a shrinkwrap license that they did not explicitly sign and agree to abide by. Yet there's millions of devices sold every year that have shrinkwrap licenses on them. Most of what you read from the software vendors is FUD and speculation in this area.
>>
>> And, I will also remind you, there is no law that states that Cisco or any other software vendor MUST tell the truth with regards to contracts or their interpretation. It is SOP for most companies to put illegal, ridiculous, and unenforceable terms in their contracts, then have their sales guys claim those terms are legally binding. In writing even. Naturally, contract law being what it is, if there is ever a legal dispute, this will be held against them
Re: [c-nsp] Ethernet Freezeup
Hi Jon,

On Tue, Apr 08, 2008 at 10:35:36AM -0500, [EMAIL PROTECTED] wrote:
> Is it possible that your interface is getting wedged?
> http://www.cisco.com/en/US/products/hw/iad/ps397/products_tech_note09186a00800a7b85.shtml

Hard to say without having a sh int fa0/0 from when the issue hit. The description says that only a reload would clear this kind of problem, but it's old and things may have changed. My Fa0/0 input queue looks like

    Input queue: 0/75/0/2 (size/max/drops/flushes); Total output drops: 0

and I ponder what the two flushes may be. I did indeed have exactly two occasions of the interface hanging that could be cleaned with a clear int. Further, just giving it a clear int when it is running normally doesn't increment that counter. When it strikes again (hopefully auto-healed by my new EEM applet) and that counter increments, it's probably indeed an input queue overrun (wedged).

BTW, there's also a chance of the switch being involved. In my case, it's a 3550-12T and it's actually seeing an occasional CRC error (and the router is counting occasional collisions) even though it's just 3m Cat5e cabling, just 100BaseTX and hardwired to full duplex (silly IO-FE and PA-FE-TX missing a decent Nway, running the Tulip without any auto negotiation). Hard to guess whether this is any problem. Seems other chassis with these interfaces count similar CRCs and collisions without any issues for years.

Thanks for the hint,
Andre.
--
Real men don't make backups of their mail. They just send it out on the Internet and let the secret services do the hard work.
- Andre Beck +++ ABP-RIPE +++ IBH IT-Service GmbH, Dresden -
Re: [c-nsp] Multicast tryout
Yes, you could ask for it to source/send multicast traffic as well ... which it does :).

(Sorry; Yes - VLC is great ... multiplatform, sends and recvs, just about any file type supported, free ...)

/TJ

-Original Message-
From: [EMAIL PROTECTED] [mailto:cisco-nsp-[EMAIL PROTECTED] On Behalf Of Ziv Leyes
Sent: Tuesday, April 08, 2008 9:38 AM
To: Antonio Querubin; Robert Hass
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Multicast tryout

> Also, VLC media player is a nice client that knows to listen for video/audio multicasts. It works on Windows/Linux/Mac and it's free, can you ask for more than that???
>
> Ziv
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:cisco-nsp-[EMAIL PROTECTED] On Behalf Of Antonio Querubin
> Sent: Tuesday, April 08, 2008 3:26 PM
> To: Robert Hass
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] Multicast tryout
>
>> On Tue, 1 Apr 2008, Robert Hass wrote:
>>> I'm currently looking for some software which can help us test new Multicast configuration in our network. Is there any free software which can send a multicast stream (video, music, whatever) and some receiver/client software? (best if Windows/Linux/Mac based)
>>
>> You can try some really really basic utils that I threw together a number of years ago and recently updated for IPv6. Builds for all three platforms above.
>>
>> ftp://ftp.lava.net/users/tony/multicast
>>
>> mcsend just takes text input. I usually tail/pipe an active log file into it to generate traffic. Pre-compiled windows exe are also there.
>>
>> Antonio Querubin
>> whois: AQ7-ARIN
Re: [c-nsp] L2TPv3 and Filtering
Jeffrey Ollie writes:
> I have two 2811 routers that I'm setting up to bridge a L2 VLAN across our WAN to support some POS systems that need to be on the same L2 VLAN. I've gotten a L2TPv3 tunnel set up between the routers and passing packets. However, I'd like to add an access list to prevent traffic like OSPF, PIM, and DHCP from passing across the tunnel.
>
> [...]
>
> Should I be using something other than L2TPv3?

Well, no. But in addition and in-line you should be using something like a cheap 1RU server with linux installed on it. ip bridging and ebtools will allow you to create an L2-fw that can act on L3 packets. it doesn't take a powerful box at all. even a p2-300 works fine.

    [ VLAN i/f ] - L2fw - [ L2tpv3 ] --- wan --- [ L2tpv3 ]

make sense?
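As an added example (not code from the thread or any poster), the following Python models what the in-line L2 firewall suggested above has to do and what the access-group on the attachment circuit never does: open the raw, possibly 802.1Q-tagged Ethernet frame, read the IPv4 protocol and UDP destination port, and apply the keep-stuff-local policy from Jeff's config. All frames and addresses are constructed for the example.

```python
"""Model of an L2 firewall applying Jeff's keep-stuff-local ACL to raw frames.

The IOS ACL on FastEthernet0/1 is never consulted because the attachment
circuit simply encapsulates the L2 frame; a bridge firewall in front of it
must parse the frame itself. Sample frames below are constructed, not captured.
"""
import struct

ETH_P_IP, ETH_P_ARP, ETH_P_8021Q = 0x0800, 0x0806, 0x8100
IPPROTO_IGMP, IPPROTO_UDP, IPPROTO_OSPF, IPPROTO_PIM = 2, 17, 89, 103
BOOTPS, BOOTPC = 67, 68


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet (with optional 802.1Q tag) and, for IPv4, proto and UDP dport."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    info = {"ethertype": None, "vlan": None, "proto": None, "dport": None}
    etype = struct.unpack("!H", frame[12:14])[0]
    off = 14
    if etype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", frame[14:18])
        info["vlan"] = tci & 0x0FFF
        off = 18
    info["ethertype"] = etype
    if etype != ETH_P_IP or len(frame) < off + 20:
        return info  # non-IP (ARP, STP, ...) or truncated: no L3 fields to match on
    version_ihl = frame[off]
    ihl = (version_ihl & 0x0F) * 4  # IP options make the header longer than 20 bytes
    if version_ihl >> 4 != 4 or ihl < 20 or len(frame) < off + ihl:
        return info
    info["proto"] = frame[off + 9]
    if info["proto"] == IPPROTO_UDP and len(frame) >= off + ihl + 8:
        _sport, dport = struct.unpack("!HH", frame[off + ihl:off + ihl + 4])
        info["dport"] = dport
    return info


def keep_stuff_local(frame: bytes) -> str:
    """Return 'deny' or 'permit' for one frame, following the ACL line order."""
    info = parse_frame(frame)
    if info["ethertype"] != ETH_P_IP:
        return "permit"  # an IP ACL says nothing about ARP etc., which bridging needs
    if info["proto"] == IPPROTO_UDP and info["dport"] in (BOOTPS, BOOTPC):
        return "deny"    # deny udp any any range bootps bootpc
    if info["proto"] in (IPPROTO_PIM, IPPROTO_OSPF, IPPROTO_IGMP):
        return "deny"    # deny pim / ospf / igmp any any
    return "permit"      # permit ip any any


def build_frame(proto=None, dport=None, vlan=None, ethertype=ETH_P_IP,
                ip_options=b"") -> bytes:
    """Construct a sample frame with synthetic (documentation-range) addresses."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("02aabbccddee")
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, vlan)
    hdr += struct.pack("!H", ethertype)
    if ethertype != ETH_P_IP:
        return hdr + b"\x00" * 28  # ARP-sized payload; contents irrelevant to the ACL
    ihl = 5 + len(ip_options) // 4
    payload = struct.pack("!HHHH", 68, dport, 8, 0) if proto == IPPROTO_UDP else b""
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                     0, 0, 64, proto, 0, bytes([192, 0, 2, 10]),
                     bytes([192, 0, 2, 20])) + ip_options
    return hdr + ip + payload


SAMPLES = {  # constructed frames, one per ACL line plus two that must pass
    "dhcp_discover": build_frame(IPPROTO_UDP, dport=BOOTPS, vlan=100),
    "ospf_hello": build_frame(IPPROTO_OSPF),
    "pim_hello": build_frame(IPPROTO_PIM),
    "igmp_report_with_options": build_frame(IPPROTO_IGMP, ip_options=b"\x94\x04\x00\x00"),
    "pos_udp_5000": build_frame(IPPROTO_UDP, dport=5000, vlan=100),
    "arp_request": build_frame(ethertype=ETH_P_ARP),
}


def apply_policy(frames: dict) -> dict:
    """Verdict per named frame."""
    return {name: keep_stuff_local(f) for name, f in frames.items()}


if __name__ == "__main__":
    for name, verdict in apply_policy(SAMPLES).items():
        print(f"{name:28s} {verdict}")
```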
Re: [c-nsp] 7600 SVI and subinterface combination
> If I run SXH on a 6500 platform with Sup720 can I also do MUX-UNI, or is 7600 required?

You can, and it isn't.

-A
Re: [c-nsp] CSM for service providers
> Moreover, CSM 3.X has announced end-of-support in 2011. While there is no comparable EOL/EOS data (that I know of) on CSM 4.2 software, I have no reason to think it's going to drop out of support soon.

While the CSM may not formally be announced EoX, it's not supported in recent versions of SX (since SXH) or SR (since SRA), which pretty much amounts to the same thing: R.I.P.

-A

PS: I liked it.
[c-nsp] compact flash speed
Is there any advantage to buying faster compact flash for sup720s? Is there any noticeable difference in boot time or copying images?
[c-nsp] CBWFQ-LLQ on Frame Relay
Hi,

I have a class based weighted fair queue/LLQ defined and applied in a frame-relay lab environment.

1. class-map defined
2. policy-map qos-policy
3. applied to interface (see below)

    interface Serial0/0/0:0
     no ip address
     encapsulation frame-relay
     no fair-queue
     frame-relay traffic-shaping
    !
    interface Serial0/0/0:0.666 point-to-point
     description lab pvc
     bandwidth 1024
     ip address 192.168.0.1 255.255.255.252
     frame-relay class shaper-queue-policy
     frame-relay interface-dlci 666 ietf
    !
    map-class frame-relay shaper-queue-policy
     frame-relay cir 1024000
     frame-relay be 0
     frame-relay mincir 1024000
     service-policy output queuing-policies

The question I have is that when I look at the Serial0/0/0:0 interface queue (see output below) it shows queuing as fifo, but looking at show queueing interface on the same interface (see output below) lists the queue strategy as priority. Is this correct behavior, or do I need to apply service-policy output to the main interface (Serial0/0/0:0) in order for it to be doing class-based queueing as opposed to fifo?

    lab-gw#sh interface Serial0/0/0:0
    Serial0/0/0:0 is up, line protocol is up
      Hardware is GT96K Serial
      MTU 1500 bytes, BW 1024 Kbit, DLY 2 usec,
         reliability 255/255, txload 5/255, rxload 241/255
      Encapsulation FRAME-RELAY, loopback not set
      Keepalive set (10 sec)
      LMI enq sent  9293, LMI stat recvd  9294, LMI upd recvd  0, DTE LMI up
      LMI enq recvd  0, LMI stat sent  0, LMI upd sent  0
      LMI DLCI 1023  LMI type is CISCO  frame relay DTE
      FR SVC disabled, LAPF state down
      Broadcast queue 0/64, broadcasts sent/dropped 9293/1, interface broadcasts 9293
      Last input 00:00:00, output 00:00:00, output hang never
      Last clearing of show interface counters 1d01h
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      30 second input rate 97 bits/sec, 85 packets/sec
      30 second output rate 21000 bits/sec, 58 packets/sec

    lab-gw#sh queueing int Serial0/0/0:0
    Interface Serial0/0/0:0 queueing strategy: priority
    Output queue utilization (queue/count)
       high/0 medium/0 normal/62520 low/0

Any insight will be appreciated.

regards,
/virendra
Re: [c-nsp] CSM for service providers
And if Cisco wants to hold us CSM customers hostage for working redundancy, we'll find another solution.

In my experience, redundancy on CSM has worked fine. The fact that you have to more or less manually configure and maintain redundancy, which some people bitch about a lot, makes me wonder... 'Yeah, but what about redundancy with HSRP? Or BGP?'

CSM does receive safe-harbor qualifications

I think that will stop soon, if it hasn't already. The CSM is not supported in recent IOS versions.

-A
Re: [c-nsp] CSM for service providers
Hi,

On Tue, Apr 08, 2008 at 09:27:00PM +0200, Asbjorn Hojmark - Lists wrote:
While the CSM may not formally be announced EoX, it's not supported in recent versions of SX (since SXH) or SR (since SRA), which pretty much amounts to the same thing: R.I.P.

Should anyone be surprised?

For me, this (and the sudden demise of the FlexWan etc) is a clear warning message: use the 6500/7600 as a switch or ethernet based router. Don't use it as a firewall, a loadbalancer, L2TP or WAN line termination device, or anything else that they are selling blades for. Because all of a sudden they will stop supporting it (and if not completely, you might end up having bought the wrong BU's ticket, and *that* BU will not support it, while the other BU will not support other parts of that hardware combination).

Cisco is *not* a reliable business partner regarding 6500/7600 long-term planning.

(And folks, don't tell me a few disgruntled service providers are not something Cisco cares about - discontinuing support for existing hardware and forcing new purchases is a *very* good way to alienate enterprises as well).

gert

PS: I'm sorry. This was my last "6500/7600 BU politics suck big time" rant. While it won't change any time soon, this is just not the topic for this mailing list, and I'll try to return to constructive postings now.

--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany [EMAIL PROTECTED]
fax: +49-89-35655025 [EMAIL PROTECTED]
Re: [c-nsp] 7600 SVI and subinterface combination
Hi Alex,

On Tue, 2008-04-08 at 16:48 +0400, Alex A. Pavlenko wrote:
Colleagues, is it possible to combine both SVI (for ip routing) and subinterface (for EoMPLS) upon a common interface configured as a trunk on a 67xx LAN card? In other words, is the following configuration ok?

interface GigabitEthernet1/1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20

interface GigabitEthernet1/1.20
 encapsulation dot1Q 20
 xconnect 1.2.3.4 1 encapsulation mpls

interface Vlan 10
 ip address 4.3.2.1 255.0.0.0

Technically you shouldn't include VLAN 20 in your switchport trunk allowed vlan list. Using LAN cards and PFC MPLS it's probably no harm, since the VLAN will be reserved for the subinterface and hence cannot be switched locally. The 12.2SR configuration guide says:

Avoid overlapping VLAN assignments between main and subinterfaces. VLAN assignments between the main interface and subinterfaces must be mutually exclusive.

- Cisco 7600 Series Cisco IOS Software Configuration Guide, 12.2SR
- Configuring Multiprotocol Label Switching on the PFC
http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/pfc3mpls.html#wp1406020
http://tinyurl.com/5lhusr

Regards,
Peter
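As an added example (not code from the thread, from Cisco, or from any project), a small Python lint that flags the overlap Peter describes: a VLAN that is both in a port's "switchport trunk allowed vlan" list and used by "encapsulation dot1Q" on a subinterface of that same port. The config it checks is constructed from the snippet above, and the parsing is a simplification of IOS syntax (only the two commands involved are recognised).

```python
# Added example, not from the thread: a small lint that flags the overlap
# Peter warns about, a VLAN that is both in a trunk port's "switchport trunk
# allowed vlan" list and used by "encapsulation dot1Q" on a subinterface of
# that same port. Config constructed from the post; parsing is simplified.
import re

SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
interface GigabitEthernet1/1.20
 encapsulation dot1Q 20
 xconnect 1.2.3.4 1 encapsulation mpls
interface Vlan10
 ip address 4.3.2.1 255.0.0.0
"""

def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,20-30,40' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if part:
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def find_vlan_overlaps(config):
    """Return sorted (parent, vlan) pairs where a dot1Q subinterface VLAN is
    also in the parent's trunk allowed list (the misconfiguration to avoid)."""
    allowed = {}      # parent interface name -> set of allowed trunk VLANs
    sub_vlans = {}    # subinterface name -> its dot1Q VLAN
    current = None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
        elif current and (m := re.match(r"\s+switchport trunk allowed vlan (?:add )?([\d,\- ]+)$", line)):
            allowed.setdefault(current, set()).update(parse_vlan_list(m.group(1)))
        elif current and "." in current and (m := re.match(r"\s+encapsulation dot1[qQ] (\d+)", line)):
            sub_vlans[current] = int(m.group(1))
    overlaps = []
    for sub, vlan in sub_vlans.items():
        if vlan in allowed.get(sub.split(".")[0], set()):
            overlaps.append((sub.split(".")[0], vlan))
    return sorted(overlaps)

if __name__ == "__main__":
    for parent, vlan in find_vlan_overlaps(SAMPLE_CONFIG):
        print(f"{parent}: VLAN {vlan} is both trunk-allowed and a dot1Q subinterface")
```

Run against the constructed config it reports VLAN 20 on GigabitEthernet1/1; removing 20 from the allowed list (as Peter suggests) makes the report empty.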
Re: [c-nsp] changing from ospf to eigrp
Hi,

On Mon, Apr 07, 2008 at 05:34:18PM +0100, Adam Armstrong wrote:
How's V6 on EIGRP?

Never tried that. When we rolled out IPv6, all that existed was OSPFv3 (actually, all there was was BGP and RIPng, but OSPFv3 came fairly soon), so we've kind of stuck to that.

[..]
We do ISIS for loopbacks/router links and BGP for all other prefixes.

Sounds like "use ISIS for loopbacks/router links and BGP for all other prefixes" for IPv6 to me :-)

Sadly the ISIS does lock us out of using some hardware properly (like the 3750).

Yes, the wonders of Cisco BU decisions... (another BU than my usual source of joy, but nonetheless not overly customer-oriented either).

gert

--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany [EMAIL PROTECTED]
fax: +49-89-35655025 [EMAIL PROTECTED]
Re: [c-nsp] CSM for service providers
Sounds like no one has used the ACE

I have used the ACE in a critical (but simple) HTTP load balancing environment running 1Gb/s throughput. We endured 6 months of pain before we got a fully stable platform - and only then because we knocked off every L7 feature and now run in pure L4.

Last Friday the Primary ACE had some sort of internal Memory issue and simply refused to talk to the backup. Only after full card reboots did we get FT back.

Our next load balancing requirement is now in design... and I spent today with a Foundry SE.

Dean
Re: [c-nsp] CBWFQ-LLQ on Frame Relay
If I remember right, sh frame pvc xxx will show you the truth.

--
Tassos
Re: [c-nsp] L2TPv3 and Filtering
On Tue, Apr 8, 2008 at 1:50 PM, Leif Sawyer [EMAIL PROTECTED] wrote:
Jeffrey Ollie writes:
Should I be using something other than L2TPv3?

Well, no. But in addition and in-line you should be using something like a cheap 1RU server with linux installed on it.

As much as I like Linux I don't think this is a route I'd take in this circumstance. Just seems a little overly complex for what I need to do here.

Jeff
Re: [c-nsp] CBWFQ-LLQ on Frame Relay
Tassos Chatzithomaoglou wrote:
If I remember right, sh frame pvc xxx will show you the truth.
-- Tassos

It doesn't give anything related to queuing that I know of.

regards,
/virendra
Re: [c-nsp] compact flash speed
On Tue, 8 Apr 2008, Mark Boolootian wrote:
Is there any advantage to buying faster compact flash for sup720s? Is there any noticeable difference in boot time or copying images?

No. I have complained about the ~1 megabyte/s limit on flash access, but I get no understanding from account team or BU. So don't expect this to get any better soon.

--
Mikael Abrahamsson  email: [EMAIL PROTECTED]
[c-nsp] Nexus 5000
Wasn't expecting this, particularly.

http://www.xchangemag.com/hotnews/cisco-unveils-nexus-5000-series.html

Does anyone have hot gossip, pictures or further information? A few of the other rags like El Register have picked up the news already but seem to be working from a very limited amount of information themselves.

A datasheet might be nice, how big is it? I'm guessing 1RU :)
Re: [c-nsp] Nexus 5000
Did you try www.cisco.com?

http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/data_sheet_c78-461802.html

--
Regards,
Jason Plank
CCIE #16560
e: [EMAIL PROTECTED]
Re: [c-nsp] Switch that can shape traffic per VLAN and re-writeVLAN ID?
Jeff Cartier wrote:
I can confirm that a Cisco 3750 Metro can do these features, but only on the two ES (Enhanced Services) ports.

An important caveat - I should have mentioned that. The 3750ME can do ingress per-VLAN policing on any port but only supports the funky output features on the ES ports.

Regards,
Brad