Re: [c-nsp] router as bridge for netflow exports
Set up a sniffer and use netflow export on it. See f.ex. http://www.ntop.com/nProbe.html

Best regards,
Stig Meireles Johansen

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Letkeman
Sent: 3 August 2008 18:19
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] router as bridge for netflow exports

Hello,

I'm wondering if it should work to set up a router as a bridged device to put in between a couple of switches to do some netflow exports? Or is there a better way to get this kind of data from a link?

Thanks,
Dan.

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] NPE-G2 Adjustable MTU
Hi Guys,

Has anyone successfully increased the interface MTU on the tunnel with the MPLS VPN Inter-AS command mpls bgp forwarding configured at the same time? So far I have tried several IOS features; they can only support either but not both commands @ the same time. We are trying to establish an Option B NNI VPN using a tunnel for backup purposes.

Thanks in advance.

Cheers,
Soon Kian
Re: [c-nsp] Filtering telnet without ACL
I think if I loosen the definition of telnet I can win here.

no transport input telnet on the VTYs. Then connect your console/aux into your terminal server / DCN and access it via telnet.

Dave.

Joost greene wrote:
> Hello,
>
> Someone challenged me with a question on how I can filter telnet access to one router from all hosts except two of them WITHOUT using access-lists or access-line under the VTY?
>
> Any ideas?
>
> Regards,
> Joost
Re: [c-nsp] 6509 ACE/FWSM Modules??????????
I would say for Design reference this is really good and informative. You might wanna take a look at it:
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns376/c649/ccmigration_09186a008078de90.pdf

Your first puzzle will be the logical placement of the module and the devices and the modes they are to operate; as the case is always: it depends, but take a look at the file above.

HTH
Hash

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nihar Mehta
Sent: Monday, August 04, 2008 8:22 AM
To: Teller, Robert
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 6509 ACE/FWSM Modules??

Cisco has published the following for design with ACE and FWSM.
http://www.cisco.com/univercd/cc/td/doc/solution/*ace*_*fwsm*.pdf

- Nihar

On Tue, Jul 29, 2008 at 3:49 PM, Teller, Robert [EMAIL PROTECTED] wrote:
> I am working on implementing two 6509 chassis setup using vss and ace/fwsm modules. Anyone know of any good books for the ACE and FWSM modules?
Re: [c-nsp] LDP Graceful restart
Your answer is Yes, logically you can have graceful restart on a router that does not have multiple RSP, but you will need to have the neighboring router to at least have the NSF/SSO feature.

Take a look at this link.
http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_ldp_grace_rstrt_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1088518

HTH
Hash

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Tinka
Sent: Monday, August 04, 2008 2:05 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] LDP Graceful restart

On Thursday 31 July 2008 20:25:15 Monika M wrote:
> Does the graceful restart feature for LDP work in a single route processor configuration? (similar to Routing protocols?)

We have seen it work as desired between multiple 7206-VXR units (which are, by no means, hardware/distributed routing platforms, but for all intents and purposes, have a single control plane).

Here's some log output:

Jul 27 00:26:41.874 MYT: %LDP-5-GR: GR session 192.168.0.1:0 (inst. 13): interrupted--recovery pending

We have a couple of Junipers (M-series) that have LDP configured for GR, but those have been stable so I have no logs to offer :-).

Cheers,
Mark.
Re: [c-nsp] MPLS PE Routers for a Mobile Carrier?
> WAN being SIP (be careful with ES20).

Would you mind elaborating on that? I'm leaning toward the ES20 at the moment for our needs..

--
Stephen

Saku Ytti wrote:
> On (2008-08-02 17:52 -0300), Rubens Kuhl Jr. wrote:
>
>> AFAIK, ASR 1000 or 4500/Sup6-E don't support MPLS in current software releases, so your Cisco-land options are ISR 38x5, 6500, 7600 and
>
> I believe ASR1k did MPLS and L3 MPLS VPN in FCS. Only large bit missing was L2 MPLS VPN's which is coming in release3 iirc.
>
>> 12000. ME6524 seems a good fit for this environment, J-2320/6350 could be the J-land options to explore (although ISR 38x5 are their counterparts at C-land, not the ME6524).
>
> QoS in PE and catalyst doesn't seem good fit to me. Unless you have dedicated port to each customer. But in view most all PE usages include customers in VLAN, in which case, to do any QoS, you need HQoS, which LAN cards can not do. They are cheap for a reason.
>
> While in LSR/P role, LAN cards are perfect fit. It's quite backwards really, you want 'WAN' cards to face your distribution and LAN cards are fine in all core, except if you want to do VPLS, in which case LER/PE needs WAN card to core too.
>
> WAN being SIP (be careful with ES20).
[c-nsp] buffer leak in 12.4(19)?
Hi,

I have a 2811 router running Advanced IP Services 12.4(19) which has been acting funny. First issue I had was after inserting (2) WIC-1ADSL cards the processor jumped to 99%. After shutting down the interfaces and rebooting, the router went back to normal.

Now the router is becoming intermittently inaccessible via telnet, while still passing traffic through its interfaces.

Total interfaces on unit:
(2) WIC-1DSU-T1-V2
(2) WIC-1ADSL
(1) NM-HDV2-1T1/E1 w/ (2) PVDM2-32 daughter cards

The other thing we did recently is add the NM-HDV2-1T1/E1. Before adding these cards, we never had an issue.

Running a show controller serial x/x/x and a show buffer through the Output Interpreter, I am told:

WARNING: The interface Serial0/0/0 has reported 449 'overruns'. This is because, the input rate exceeds the ability of the receiver to handle data
Paste the output of the show buffer command output into the Output Interpreter to check whether the buffers can be tuned.

ERROR: Since its last reload, this router has created or maintained a relatively large number of 'h2p1 buffers' yet still has very few free buffers. The above symptoms suggest that a buffer leak has occurred.

I'm wondering if a buffer leak could be the source of the issue. Maybe this wasn't a problem before the router had the new DSL cards and T1 network module, but now the new cards are claiming too much memory and the buffer leak is causing issues.

We could try down or upgrading the IOS.

Thanks for advice,
Adam
Re: [c-nsp] Adding vlan 1 to vlan-group
Sure is.. it's called a cable, and runs from a port in your vlan 1 to a port in another vlan which you configure on your ACE-module. :)

Best regards,
Stig Meireles Johansen

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Teller, Robert
Sent: 4 August 2008 17:49
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Adding vlan 1 to vlan-group

Is there a configuration option that will allow me to add vlan 1 to a vlan group to be used with an ace module? When I try to do it I am receiving the following error message.

svclc vlan-group 111 1
Vlan 1 can not be a secure vlan

I am doing this for temporary migration reasons.
Re: [c-nsp] buffer leak in 12.4(19)?
Cisco 2811 (revision 53.51) with 245760K/16384K bytes of memory.

----- Original Message -----
From: Alex Moya [EMAIL PROTECTED]
To: Adam Greene [EMAIL PROTECTED]
Cc: cisco-nsp@puck.nether.net
Sent: Monday, August 04, 2008 2:28 PM
Subject: Re: [c-nsp] buffer leak in 12.4(19)?

How much mem does the router have on it?

Sent from my iPhone

On Aug 4, 2008, at 1:54 PM, Adam Greene [EMAIL PROTECTED] wrote:
> Hi,
>
> I have a 2811 router running Advanced IP Services 12.4(19) which has been acting funny. First issue I had was after inserting (2) WIC-1ADSL cards the processor jumped to 99%. After shutting down the interfaces and rebooting, the router went back to normal.
>
> Now the router is becoming intermittently inaccessible via telnet, while still passing traffic through its interfaces.
>
> Total interfaces on unit:
> (2) WIC-1DSU-T1-V2
> (2) WIC-1ADSL
> (1) NM-HDV2-1T1/E1 w/ (2) PVDM2-32 daughter cards
>
> The other thing we did recently is add the NM-HDV2-1T1/E1. Before adding these cards, we never had an issue.
>
> Running a show controller serial x/x/x and a show buffer through the Output Interpreter, I am told:
>
> WARNING: The interface Serial0/0/0 has reported 449 'overruns'. This is because, the input rate exceeds the ability of the receiver to handle data
> Paste the output of the show buffer command output into the Output Interpreter to check whether the buffers can be tuned.
>
> ERROR: Since its last reload, this router has created or maintained a relatively large number of 'h2p1 buffers' yet still has very few free buffers. The above symptoms suggest that a buffer leak has occurred.
>
> I'm wondering if a buffer leak could be the source of the issue. Maybe this wasn't a problem before the router had the new DSL cards and T1 network module, but now the new cards are claiming too much memory and the buffer leak is causing issues.
>
> We could try down or upgrading the IOS.
>
> Thanks for advice,
> Adam
Re: [c-nsp] buffer leak in 12.4(19)?
Should work fine. You could have a bad card.

Sent from my iPhone

On Aug 4, 2008, at 3:41 PM, Adam Greene [EMAIL PROTECTED] wrote:
> Cisco 2811 (revision 53.51) with 245760K/16384K bytes of memory.
>
> ----- Original Message -----
> From: Alex Moya [EMAIL PROTECTED]
> To: Adam Greene [EMAIL PROTECTED]
> Cc: cisco-nsp@puck.nether.net
> Sent: Monday, August 04, 2008 2:28 PM
> Subject: Re: [c-nsp] buffer leak in 12.4(19)?
>
> How much mem does the router have on it?
>
> Sent from my iPhone
>
> On Aug 4, 2008, at 1:54 PM, Adam Greene [EMAIL PROTECTED] wrote:
>> Hi,
>>
>> I have a 2811 router running Advanced IP Services 12.4(19) which has been acting funny. First issue I had was after inserting (2) WIC-1ADSL cards the processor jumped to 99%. After shutting down the interfaces and rebooting, the router went back to normal.
>>
>> Now the router is becoming intermittently inaccessible via telnet, while still passing traffic through its interfaces.
>>
>> Total interfaces on unit:
>> (2) WIC-1DSU-T1-V2
>> (2) WIC-1ADSL
>> (1) NM-HDV2-1T1/E1 w/ (2) PVDM2-32 daughter cards
>>
>> The other thing we did recently is add the NM-HDV2-1T1/E1. Before adding these cards, we never had an issue.
>>
>> Running a show controller serial x/x/x and a show buffer through the Output Interpreter, I am told:
>>
>> WARNING: The interface Serial0/0/0 has reported 449 'overruns'. This is because, the input rate exceeds the ability of the receiver to handle data
>> Paste the output of the show buffer command output into the Output Interpreter to check whether the buffers can be tuned.
>>
>> ERROR: Since its last reload, this router has created or maintained a relatively large number of 'h2p1 buffers' yet still has very few free buffers. The above symptoms suggest that a buffer leak has occurred.
>>
>> I'm wondering if a buffer leak could be the source of the issue. Maybe this wasn't a problem before the router had the new DSL cards and T1 network module, but now the new cards are claiming too much memory and the buffer leak is causing issues.
>>
>> We could try down or upgrading the IOS.
>>
>> Thanks for advice,
>> Adam
[c-nsp] CPE for IPSEC
Greetings,

The auditors are trying to force me to encrypt our WAN traffic. The WAN in question is Cogent's ethernet service - built as a mesh of point-to-point VLANs. There are 3 sites, at every site I have a single port over which I receive 2 VLANs in a dot1q trunk. Aggregate bandwidth on the port is 200Mbps.

Putting in encryption seems fairly straightforward - 3 static IPSEC tunnels. I am trying to figure out what kind of hardware can handle IPSEC at this bandwidth. So far I am looking at:

-ASA5520. Specs say 225Mb of IPSEC - can the box actually handle that, or should I be looking at 5540?
-7201 (or 7206) with NPEG2. Do I need to add a VAM, or will the NPE handle the load?

Any real-world experiences will be most appreciated. Also, if there are better suggestions (including non-Cisco), please share.

Thanks,
Michael Malitsky
[c-nsp] DSCP / NAT
Hi folks.

This is probably a dumb question ;) Is there any way for a packet that hits NAT to have its DSCP bits honored?

For example:

Interface FastE0 - public IP - ip nat outside
Interface FastE1 - private IP - ip nat inside

Device attached to FastE1 sends DSCP 46 - looking for a way for that to pass through without remarking it on FastE0 - is there such a method?

Thanks,
Paul
Re: [c-nsp] DSCP / NAT
I thought that was the default action for most NATing devices? I'm pretty sure the 12.4 Cisco devices I've used all do that.

Chuck

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Stewart
Sent: Monday, August 04, 2008 8:45 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] DSCP / NAT

Hi folks.

This is probably a dumb question ;) Is there any way for a packet that hits NAT to have its DSCP bits honored?

For example:

Interface FastE0 - public IP - ip nat outside
Interface FastE1 - private IP - ip nat inside

Device attached to FastE1 sends DSCP 46 - looking for a way for that to pass through without remarking it on FastE0 - is there such a method?

Thanks,
Paul
Re: [c-nsp] DSCP / NAT
Correct, it should just go straight through, NAT translates the address/port only. It should not touch the rest of the packet unless otherwise configured.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Church, Charles
Sent: Monday, August 04, 2008 18:06
To: Paul Stewart; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] DSCP / NAT

I thought that was the default action for most NATing devices? I'm pretty sure the 12.4 Cisco devices I've used all do that.

Chuck

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Stewart
Sent: Monday, August 04, 2008 8:45 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] DSCP / NAT

Hi folks.

This is probably a dumb question ;) Is there any way for a packet that hits NAT to have its DSCP bits honored?

For example:

Interface FastE0 - public IP - ip nat outside
Interface FastE1 - private IP - ip nat inside

Device attached to FastE1 sends DSCP 46 - looking for a way for that to pass through without remarking it on FastE0 - is there such a method?

Thanks,
Paul
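
The point made in the replies above (NAT translates the address/port and leaves the rest of the packet alone), as an added example that is not part of the original thread: a Python model of a source-NAT rewrite on an IPv4/UDP packet, showing which bytes change and that the DSCP field is not among them. The addresses, ports and function names are constructed for illustration, and the code models the translation step only, not the behaviour of any particular IOS release.

```python
import socket
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum (one's-complement sum of 16-bit words)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_udp_packet(src, dst, sport, dport, dscp, payload):
    """Constructed sample packet: 20-byte IPv4 header plus UDP datagram."""
    tos = dscp << 2  # DSCP is the upper six bits of the old TOS byte
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(udp), 0, 0, 64,
                      socket.IPPROTO_UDP, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + udp

def source_nat(packet, new_src, new_sport):
    """Translate source address and port only, then repair both checksums."""
    hdr, udp = bytearray(packet[:20]), bytearray(packet[20:])
    hdr[12:16] = socket.inet_aton(new_src)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    udp[0:2] = struct.pack("!H", new_sport)
    udp[6:8] = b"\x00\x00"
    pseudo = bytes(hdr[12:20]) + struct.pack("!BBH", 0, hdr[9], len(udp))
    # A computed UDP checksum of 0 is sent as 0xFFFF (0 means "no checksum")
    udp[6:8] = struct.pack("!H", checksum(pseudo + bytes(udp)) or 0xFFFF)
    return bytes(hdr + udp)

def dscp_of(packet):
    return packet[1] >> 2

def source_of(packet):
    """(source address, source port) as carried in the packet."""
    return socket.inet_ntoa(packet[12:16]), struct.unpack("!H", packet[20:22])[0]

def ip_header_valid(packet):
    return checksum(packet[:20]) == 0

def demo():
    # Constructed values: inside host marks DSCP 46; documentation addresses
    inside = build_udp_packet("192.168.1.10", "203.0.113.50",
                              16384, 5060, 46, b"voice")
    return inside, source_nat(inside, "198.51.100.1", 40000)

if __name__ == "__main__":
    before, after = demo()
    print(source_of(before), dscp_of(before), "->",
          source_of(after), dscp_of(after))
```

Only the source address, the source port and the two checksums differ between the two packets; a marking that changes across the translator therefore comes from a QoS policy on the path, not from the translation itself.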