[c-nsp] RS CCIE Lab wait times - Sydney

2008-08-26 Thread Ben Steele
Does anyone have any idea of the current wait times for the Lab? I'm about
to sit the written in a couple of weeks and someone mentioned to me that the
current wait is around a year and a half?? Is there a specific wait for each
stream or is that in general? I'm only interested in Sydney Lab dates. A year
and a half seems pretty steep; I'm hoping it's not right, although I have
heard of time frames like that for the Security Lab in Europe.

Cheers

Ben

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] CoPP Service Policy

2008-08-26 Thread Aftab Siddiqui
Dear All,


I would like to know the difference in performance and implementation if I
put the service-policy on the specified interface (e.g. gix/x) or within
the control-plane globally.

First Option:

Router(config)# control-plane
Router(config-cp)# service-policy input service-policy-name
Router(config-cp)# service-policy output service-policy-name

Second Option:

interface GigabitEthernetxx/yy
 service-policy input service-policy-name
 service-policy output service-policy-name

Note: Platform Catalyst 6500, 12.2(33)SXH2a

-- 
Regards,

Aftab A. Siddiqui


[c-nsp] Improved queuing in 12.4(20)T?

2008-08-26 Thread Per Carlson
Hi.

I'm doing some QoS testing and noticed a remarkable change in the
latencies on a priority queue (as well as some improvement on other
queues) in 12.4(20)T compared with 12.4M (19, 19b and 21) and
12.4(15)T7. The scenario is H-QoS with a parent doing shape average
and a child with 4 queues:

class-map match-any Voice
 match  dscp cs5  ef
!
class-map match-any Business
 match  dscp cs3  af31
!
class-map match-any Network
 match  dscp cs6  cs7
!
policy-map Child
 class Voice
priority percent 33
 class Business
bandwidth percent 40
 class Network
bandwidth percent 2
!
policy-map Parent
 class class-default
shape average 800
  service-policy Child
!
interface FastEthernet X
 service-policy output Parent
!
end


When pushing traffic through the policy (Voice and Business within
contract and enough class-default traffic to trigger back-pressure)
I get the following latencies:

                    Voice    Business   class-default
12.4M/12.4(15)T:    13 ms    14 ms      126 ms
12.4(20)T:          0.4 ms   8.5 ms     138 ms

There are no drops in either the Voice or the Business queue, and about
21% in the class-default queue.

I have tried the same test on both a 871 (the WAN-port) and a 1841
with similar results. This makes me think there has been some major
improvement in 12.4(20)T, but can't verify this in the RN for
12.4(20)T.

There *is* a new H-QoS feature in 12.4(20)T called HQF
(http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/qos_frhqf_support.html),
but I can't see that it's directly relevant.

Does anyone have some knowledge or insight to enlighten me here?

-- 
Pelle


Re: [c-nsp] CoPP Service Policy

2008-08-26 Thread Oliver Boehmer (oboehmer)
Aftab Siddiqui  wrote on Tuesday, August 26, 2008 10:29 AM:

 Dear All,
 
 
 I would like to know the difference in performance and implementation
 if I put the service-policy on the specified interface (e.g.
 gix/x) or within the control-plane globally.
 First Option:

 Router(config)# control-plane

 Router(config-cp)# service-policy input service-policy-name
 Router(config-cp)# service-policy output service-policy-name

there is no outbound control-plane policing.

 Second Option:

 interface GigabitEthernetxx/yy
  service-policy input service-policy-name
  service-policy output service-policy-name
 

What are you trying to achieve?

CoPP policy (first config) is processed only for traffic terminating on
the router, while the interface QoS policy is applied to all traffic
entering (or leaving) the respective interface. So the semantic is quite
different.
CoPP ensures that the aggregate traffic (from all interfaces) does not
exceed a certain rate, while the interface QoS policy is only looking at
the rate of this specific interface (assuming you want to use the policy
to rate-limit/police certain traffic to the box).

Another advantage of CoPP is the easy filtering as it is only applied
to traffic terminating on the router, so you usually don't need to match
on any possible destination address in an ACL/class-map.

Both policies are executed in hardware (there is an additional software
CoPP), so there is no performance impact.

You might want to look at http://tinyurl.com/5hew55 for more info about
CoPP..

oli

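As an added illustration of the point Oliver makes above (this config was written for this page; it was not posted by anyone on the list), here is what a CoPP policy on a Catalyst 6500 running 12.2(33)SX looks like when you take advantage of the fact that CoPP only ever sees traffic destined to the router itself: the ACLs use `any` as the destination and match only on source and protocol. The address ranges, class names and police rates are assumptions for a hypothetical network, not values from the thread.

```cisco
! Added example, not from the thread: CoPP on a Catalyst 6500, 12.2(33)SX.
! Addresses, names and rates are assumptions; tune them from the counters.
!
! CoPP only sees packets addressed to the router, so the destination is
! always 'any' and the ACLs only need to describe who may send what.
ip access-list extended COPP-ROUTING
 permit tcp 10.0.0.0 0.0.255.255 eq bgp any
 permit tcp 10.0.0.0 0.0.255.255 any eq bgp
 permit ospf any any
!
ip access-list extended COPP-MGMT
 permit tcp 10.1.0.0 0.0.0.255 any eq 22
 permit udp 10.1.0.0 0.0.0.255 any eq snmp
 permit udp host 10.1.0.10 eq ntp any
!
ip access-list extended COPP-ICMP
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any unreachable
!
class-map match-all COPP-ROUTING
 match access-group name COPP-ROUTING
class-map match-all COPP-MGMT
 match access-group name COPP-MGMT
class-map match-all COPP-ICMP
 match access-group name COPP-ICMP
!
! police <bps> <normal-burst bytes> <max-burst bytes> conform/exceed action
policy-map COPP
 ! routing protocols: count only, never drop (exceed-action transmit)
 class COPP-ROUTING
  police 2000000 62500 62500 conform-action transmit exceed-action transmit
 ! management from the NOC range only; excess is dropped
 class COPP-MGMT
  police 500000 15625 15625 conform-action transmit exceed-action drop
 ! enough ICMP for ping/traceroute/PMTUD, not enough to hurt the RP
 class COPP-ICMP
  police 64000 2000 2000 conform-action transmit exceed-action drop
 ! everything else addressed to the box is squeezed hard
 class class-default
  police 100000 3125 3125 conform-action transmit exceed-action drop
!
! Only an input policy exists on the control plane; there is no
! 'service-policy output' here.
control-plane
 service-policy input COPP
```

Check the result with `show policy-map control-plane`; the conform/exceed counters tell you whether a rate is too tight before you switch a class from `exceed-action transmit` to `exceed-action drop`. Note that `class-default` catches every protocol you did not classify explicitly, so a management host outside the COPP-MGMT range is rate-limited rather than blocked; a real deny still needs an interface ACL or a VTY access-class.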


[c-nsp] ES20 crashing on bad DWDM

2008-08-26 Thread Tomas Daniska
Hi,

has anybody experienced ES20 2x10G cards crashing when DWDM link quality
degrades? Usually when the error rate increases so that IGP and PIM
start flapping, the card stops responding to CPU heartbeats and is
rebooted.

We have seen this at two customers now, TAC is failing to reproduce...
I'd like to collect as many similar scenarios as possible to help them
recreate the issue.


Thanks for any hints

--

Tomas Daniska
systems engineer

Soitron, a.s.
Plynarenska 5, 829 75 Bratislava, Slovakia
tel: +421 2 58224111, fax: +421 2 58224199

My hovercraft is full of eels.




Re: [c-nsp] Improved queuing in 12.4(20)T?

2008-08-26 Thread Oliver Boehmer (oboehmer)
Per Carlson  wrote on Tuesday, August 26, 2008 10:47 AM:

 Hi.
 
 I'm doing some QoS-testings and notice a remarkable change in the
 latencies on a priority queue (as well as some improvement on other
 queues) in 12.4(20)T compared with 12.4M (19, 19b and 21) and
 12.4(15)T7. The scenario is H-QoS with a parent doing shape average
 and a child with 4 queues:
[...]

 
 There *is* a new H-QoS feature in 12.4(20)T called HQF

 (http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/qos_frhqf_support.html),
 but I can't see that it's directly relevant.

HQF is a totally different QoS infrastructure (previously available on
the 7500/7200 in 12.0S as well as some other trains), so I would assume
this being the reason for the improved behavior.

I haven't looked at HQF for a while, but I recall the H-QoS scenario
you're using benefits especially from HQF as the parent shaper is aware
of the LLQ within the child, but not entirely sure about this. It would
explain the improved behaviour, though.

oli


Re: [c-nsp] Web Caches

2008-08-26 Thread Ziv Leyes
I second Alan's suggestion.
I've seen this product in a POC we did and it works great.
I've also seen some graphs of one of their biggest customers and the saved 
bandwidth rates were impressive.
My bests to Aviad, the man!
Ziv



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan Arolovitch
Sent: Monday, August 25, 2008 9:11 PM
To: Lala Lander; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Web Caches

Hi,

I suggest you take a look at our clustered UltraBand cache,
http://www.peerapp.com/
UltraBand cache is a combined HTTP/P2P cache for service providers,
supporting progressive download Flash video (e.g. YouTube) and software
downloads over HTTP, among other things, as well as URL filtering

Cheers,
Alan
--

Message: 5
Date: Sat, 23 Aug 2008 01:42:44 -0700
From: Lala Lander [EMAIL PROTECTED]
Subject: [c-nsp] Web Caches
To: cisco-nsp@puck.nether.net cisco-nsp@puck.nether.net
Message-ID:
[EMAIL PROTECTED]
Content-Type: text/plain; charset=ISO-8859-1

Hi guys,

I am looking for information on Web Caches. I need to find out what
vendors are out there and what is your deployment and operational
experience My objective is to reduce Internet bandwidth usage and some
URL filtering. I am currently evaluating BlueCoat and Secure Computing
but I need your opinion before I test them any further.

thanks.


--


Re: [c-nsp] MPLS VPN Question about PE-CE - Private or Public IP?

2008-08-26 Thread Tim Franklin
On Thu, August 21, 2008 12:59 am, Brandon Price wrote:
 Other than just saying its bad can you give some specifics as to the
 problems you've run into using private addresses for PE-CE links? As
 long as the SP hands out unique addresses across all of the links, what
 does it matter whether they are private or public ?

Customers using *all* of RFC1918 space (or at least claiming they do).

e.g. if you have WAN links as /30s out of 10.11.12.0/24, and the customer
has that range on a LAN somewhere, each site will be unable to reach the
particular hosts on its WAN /30.  (At least - if you're redistributing
WAN routes into BGP / MBGP, the lack of visibility gets worse).

You end up wasting a lot of time negotiating with customers to try and
find an acceptable range, hacking exceptions into your network and
processes to get around the fact you're having to allocate WANs from
something other than your normal block - assuming you can get that far at
all.  I've dealt with the occasional customer loudly and fairly
aggressively insisting that RFC1918 space is entirely theirs, we may not
use any of it, fix our service now, incoming lawyers, etc.

If you then end up with public WAN addresses as an exception only, you give
yourself more pain in trying to document sufficiently that your support
guys six months down the line don't assume that it must be an Internet
service, it's public addresses, and do something unpleasant to it, like
remove the VRF.

Regards,
Tim.






[c-nsp] WS-X4506-GB-T Ports not connected

2008-08-26 Thread Sebastian Wiesinger
Hello,

I'm having a little problem here with a new Cisco 4510R-E. It's
running the following configuration:

Mod Ports Card Type                               Model
---+-----+---------------------------------------+-----------------
 5    6   Sup 6-E 10GE (X2), 1000BaseX (SFP)      WS-X45-SUP6-E
 9   18   1000BaseX (GBIC)                        WS-X4418-GB
10    6   SFP, 10/100/1000BaseT (RJ45)V, Cisco/I  WS-X4506-GB-T

 M MAC addresses                      Hw  Fw           Sw           Status
---+---------------------------------+---+------------+------------+---------
 5 0021.d808.6a00 to 0021.d808.6a05  1.1 12.2(44r)SG  12.2(40)SG   Ok
 9 000c.3000.280a to 000c.3000.281b  1.1                           Ok
10 001e.7ad0.f90c to 001e.7ad0.f911  1.4                           Ok

Mod  Redundancy role     Operating mode  Redundancy status
----+-------------------+---------------+------------------
 5   Active Supervisor   RPR             Active

I'm trying to activate the ports on the WS-X4506-GB-T, but I'm unable to
get any connection. I connected the first two ports on the card to
create a loopback and still the ports are shown as not connected. I
use RJ45 and have set the media-type of the ports to rj45 which
is also stated in the log:

00:00:05: %C4K_REDUNDANCY-6-INIT: Initializing as ACTIVE supervisor
00:00:05: 512 MB of system memory installed. Do 'show platform hardware sdram spd' for details.
00:00:37: %SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan
00:00:38: %SYS-5-CONFIG_I: Configured from memory by console
00:00:38: %SYS-5-RESTART: System restarted --
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500e-IPBASE-M), Version 12.2(40)SG, RELEASE SOFTWAR)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 07-Nov-07 19:52 by prod_rel_team
00:00:38: %C4K_IOSMODPORTMAN-6-MODULEONLINE: Module 5 (WS-X45-SUP6-E S/N: JAE1222JOZS Hw: 1.1) is online
00:00:38: %C4K_IOSMODPORTMAN-6-MODULEONLINE: Module 9 (WS-X4418-GB S/N: JAE07340WR1 Hw: 1.1) is online
00:00:38: %C4K_IOSMODPORTMAN-6-MODULEONLINE: Module 10 (WS-X4506-GB-T S/N: JAE1218GSWU Hw: 1.4) is online
00:21:07: %C4K_IOSINTF-5-RJ45ACTIVE: Slot= 10 Port= 1:  RJ45 connector has become active
00:45:41: %C4K_IOSINTF-5-RJ45ACTIVE: Slot= 10 Port= 2:  RJ45 connector has become active

Here is the port configuration:

interface GigabitEthernet10/1
 no switchport
 ip address dhcp
 no keepalive
 media-type rj45
!
interface GigabitEthernet10/2
 no switchport
 ip address dhcp
 no keepalive
 media-type rj45
!

Is there anything I'm missing? I already changed the cabling so that's
not the problem. Any ideas/suggestions welcome.

Regards,

Sebastian



-- 
GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant


Re: [c-nsp] Improved queuing in 12.4(20)T?

2008-08-26 Thread Per Carlson
Hi Oli.

 I haven't looked at HQF for a while, but I recall the H-QoS scenario
 you're using benefits especially from HQF as the parent shaper is aware
 of the LLQ within the child, but not entirely sure about this. It would
 explain the improved behaviour, though.

I have always had the impression that the parent shaper *is* aware of
the child policy. Otherwise the whole H-QoS scheme is rather useless,
at least with respect to LLQ/PQ.

So far I haven't found any references on CCO confirming either
possibility (aware/unaware). The closest match is a configuration
example[1] with a priority queue in the child, but it says nothing
about awareness in the parent. And there is this note about
subinterfaces/PVCs...

[1] 
http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/qos_mqc_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1060235

-- 
Pelle


Re: [c-nsp] WS-X4506-GB-T Ports not connected

2008-08-26 Thread Sebastian Wiesinger
* Sebastian Wiesinger [EMAIL PROTECTED] [2008-08-26 12:30]:
 Hello,
 
 I'm having a little problem here with a new Cisco 4510R-E. It's
 running the following configuration:

Problem solved. Someone hinted that I should not assume that the
linecard does have auto MDI/X detection. Which apparently it hasn't.
So connecting a crossover cable solved the problem.

I was under the impression that auto MDI/X was a feature present on
all linecards but it seems I was wrong. Or is there a way to turn this
on on a port? I looked over the commands for the port but didn't see
anything obvious..

Regards,

Sebastian

-- 
GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant


Re: [c-nsp] WS-X4506-GB-T Ports not connected

2008-08-26 Thread Mateusz Błaszczyk
Sebastian,

 interface GigabitEthernet10/1
  no switchport
  ip address dhcp
  no keepalive
  media-type rj45
 !
 interface GigabitEthernet10/2
  no switchport
  ip address dhcp
  no keepalive
  media-type rj45
 !

 Is there anything I'm missing? I already changed the cabling so that's
 not the problem. Any ideas/suggestions welcome.

I doubt it is what you are looking for, but

no shutdown?

--
-mat





Re: [c-nsp] WS-X4506-GB-T Ports not connected

2008-08-26 Thread Nic Tjirkalli

howdy ho,


* Sebastian Wiesinger [EMAIL PROTECTED] [2008-08-26 12:30]:

Hello,

I'm having a little problem here with a new Cisco 4510R-E. It's
running the following configuration:


Problem solved. Someone hinted that I should not assume that the
linecard does have auto MDI/X detection. Which apparently it hasn't.
So connecting a crossover cable solved the problem.

I was under the impression that auto MDI/X was a feature present on
all linecards but it seems I was wrong. Or is there a way to turn this
on on a port? I looked over the commands for the port but didn't see
anything obvious..

in my experience not all line cards support the auto MDI/X feature, but
for those that do, add the command:
mdix auto
on the interface

hope this helps

later





Regards,

Sebastian

--
GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
   -- Terry Pratchett, The Fifth Elephant




-
I'm not cheap, but I am on special this week.

Nic Tjirkalli
Verizon Business South Africa
Network Strategy Team



Re: [c-nsp] Improved queuing in 12.4(20)T?

2008-08-26 Thread Oliver Boehmer (oboehmer)
Per Carlson mailto:[EMAIL PROTECTED] wrote on Tuesday, August 26, 2008
1:16 PM:

 Hi Oli.
 
 I haven't looked at HQF for a while, but I recall the H-QoS scenario
 you're using benefits especially from HQF as the parent shaper is
 aware of the LLQ within the child, but not entirely sure about this.
 It would explain the improved behaviour, though.
 
 I have always had the impression that the parent shaper *is* aware of
 the child policy. Otherwise the whole H-QoS scheme is rather useless,
 at least with respect to LLQ/PQ.

Hmm, I think I would need to do some digging here, but I was thinking
about a different kind of awareness here. Obviously the shaper in the
parent is aware of a child, so when the shaper has to queue a packet
(i.e. signals connections), it'll use the child policy (which, as you
write, is the whole point of H-QoS).

Maybe Rodney can comment more, but I would still assume HQF being the
reason for the different behavior in your environment.

oli


Re: [c-nsp] VTP and Vlan 1

2008-08-26 Thread Paul Cosgrove
Hi Michel,

Apologies for confusing the issue. You are of course correct about VTP,
which does use vlan 1.

UDLD is not sent with a dot1q tag, but is associated with vlan 1 on ISL
trunks.  Changing the (dot1q) native vlan on the trunk has no effect on
how UDLD is sent over ISL, it is still sent on vlan 1.

Paul.

Michel Grossenbacher wrote:
 Paul, indeed DTP is sent over the native VLAN, but VTP is pretty sure still
 over VLAN 1. I did a trace and mixed VTP with DTP, hence I said it's using
 the native VLAN. But after I did some more traces the VTP packets did not
 show any VLAN information anymore (actually they never did, I only hit the
 wrong line within Wireshark ;) ).
 So I'm quite sure VTP and CDP are not sent via the native VLAN, after I
 changed it from VLAN 1 to VLAN 10. Probably have to have a look with ISL
 too.
 
 Mike, I think I know what you mean, per definition (AFAIK) all VLANs get
 encapsulated by ISL, while with dot1Q all but the native one get a Tag. But
 within an ISL trunk Cisco defines a native VLAN (default is VLAN 1, same as
 dot1Q) and you can configure it the same way as for a dot1Q one so I'd say
 UDLD will use that one. I guess it will still be encapsulated but I did
 never check that.
 Do a *show interface trunk* if you configured an ISL trunk and you'll see it
 at the top.
 
 Michel
 
 2008/8/25 Paul Cosgrove [EMAIL PROTECTED]
 
 Hi Michel,

 You may have been right the first time there.  I think VTP does indeed
 use the native vlan, not necessarily vlan 1.  DTP is also sent on the
 native vlan, untagged and tagged in its case.

 Paul.

 Michel Grossenbacher wrote:
 A little correction on my answer, VTP does not use the Native VLAN :-)

 Here is what I found regarding the use of VTP and VLAN1:
 The Case of VLAN 1

 You cannot apply VTP pruning to VLANs that need to exist everywhere and that
 need to be allowed on all switches in the campus, in order to be able to
 carry VTP, Cisco Discovery Protocol [CDP] traffic, and other control
 traffic. However, there is a way to limit the extent of VLAN 1. The feature
 is called VLAN 1 disable on trunk. The feature is available on Catalyst
 4500/4000, 5500/5000, and 6500/6000 series switches in CatOS software
 release 5.4(x) and later. The feature allows you to prune VLAN 1 from a
 trunk, as you do for any other VLAN. This pruning does not include all the
 control protocol traffic that is still allowed on the trunk (DTP, PAgP, CDP,
 VTP, and others). However, the pruning does block all user traffic on that
 trunk. With this feature, you can keep the VLAN from spanning the entire
 campus. STP loops are limited in extent, even in VLAN 1. Configure VLAN 1 to
 be disabled, as you would configure other VLANs to be cleared from the
 trunk:

 UDLD uses native VLAN in order to talk to the neighbor. So, in a trunk
 port,
 the native VLAN must not be pruned in order for UDLD to work properly.

 http://www.cisco.com/en/US/tech/tk389/tk689/technologies_tech_note09186a0080890613.shtml
 Sorry for the confusion.

 best regards

 Michel


 On 25/08/2008, Michel Grossenbacher [EMAIL PROTECTED] wrote:
 Hi Mike
 Actually VLAN 1 is not pruning-eligible so you can not prune VLAN 1 from
 a
 trunk. However you can remove it from the trunk.
 If you remove it from the trunk and change the native VLAN for the
 trunk,
 VTP will then use the new native VLAN for updates.
 best regards

 Michel


  On 25/08/2008, Mike Louis [EMAIL PROTECTED] wrote:
 List,

 I just read in a practice test for an upcoming cert that Vlan 1 is used
 to
 carry VTP advertisements. However, it is possible to prune vlan 1 from
 trunk
 links. Will VTP continue to function without Vlan 1 being enabled on
 the
 link? Has this changed in more recent IOS releases?




 --
 HEAnet Limited
 Ireland's Education  Research Network
 5 George's Dock, IFSC, Dublin 1, Ireland
 Tel:  +353.1.6609040
 Web:  http://www.heanet.ie
 Company registered in Ireland: 275301

 Please 
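To make the practical upshot of this thread concrete, here is an IOS trunk configuration added for this page (it is not from any poster and not from the Cisco note quoted above). It does what Michel describes ("you can remove it from the trunk") together with the UDLD constraint Paul raises: VLAN 1 user traffic is removed from the trunk, the untagged native VLAN is moved to an unused VLAN, and that native VLAN is deliberately left in the allowed list because UDLD depends on it. Interface and VLAN numbers are assumptions.

```cisco
! Added example, not from the thread: dot1q trunk with VLAN 1 removed and
! the native VLAN moved to an unused VLAN. Interface/VLAN IDs are assumed.
vlan 999
 name NATIVE-UNUSED
!
interface GigabitEthernet1/1
 description trunk to distribution
 switchport
 switchport trunk encapsulation dot1q
 ! untagged frames now map to 999, a VLAN with no SVI and no hosts
 switchport trunk native vlan 999
 ! drops VLAN 1 user traffic from this trunk; CDP, VTP, DTP, PAgP and
 ! UDLD control frames still cross it, exactly as the quoted note says
 switchport trunk allowed vlan remove 1
 ! VLAN 999 must remain allowed, otherwise UDLD on this trunk stops working
 switchport mode trunk
 ! no DTP: the far end (or a host) cannot negotiate trunking with us
 switchport nonegotiate
 udld port aggressive
```

`show interfaces trunk` shows the result: the Native vlan column reads 999 and "Vlans allowed on trunk" no longer lists 1. If you later prune or remove VLAN 999 from the allowed list as well, expect UDLD to go errdisable on that port, which is the behaviour the Cisco note warns about.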

Re: [c-nsp] IOS VPN Client Group Issue

2008-08-26 Thread Thomas Beecher
You're spot on. I came across that yesterday afternoon, it does require 
the 12.2T train.


Guess I should learn to read a little better. :)

Thanks to those that responded, much appreciated

Tom.

Ge Moua wrote:

I'm doing a similar config with IOS:
12.4(15)T6

I wonder if you need the T code train for this:

Router(config)#crypto isakmp client configuration ? 
  address-pool   Set network address for client

  browser-proxy  Set browser proxy attributes for client
  group  Set group profile attributes for client

Router(config)#crypto isakmp client configuration 





Regards,
Ge Moua | Email: [EMAIL PROTECTED]

Network Design Engineer
University of Minnesota | Networking  Telecommunications Services
2218 University Ave SE | Minneapolis, MN 55414-3029
Office: 612.626.2779 | Pager: 612.648.0103 | Fax: 612.626.1818
 
-Original Message-

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thomas Beecher
Sent: Monday, August 25, 2008 11:37 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] IOS VPN Client Group Issue

I've come across something odd. I think that this is just a simple oversight
on my part, hopefully another set of eyes will catch this for me.

I've got a 2621 running 12.2(46a) that I'm using to terminate a few VPN
tunnels. Right now, I have three point to point tunnels up, and working
without issue. This morning, I started adding the config for VPN client
access, and that's where I've getting hung up.

Under the crypto isakmp client configuration command, I should have a
'group' option to setup the VPN group parameters. However, I do not. The
only option I have is 'address-pool' . As far as I can tell, this image
should support that command.

I'm fairly certain that I have the correct aaa commands in place to enable
group authorization, however there are some pre-existing AAA commands on
this router that could be hanging me up.

Here's the aaa config:

aaa new-model
aaa authentication login default group tacacs+ line enable
aaa authentication login rev_tel line enable
aaa authentication login userauthen local
aaa authorization network groupauthen local

Am I missing something painfully obvious here?

Thanks in advance,

Tom




  


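For reference, here is a complete Easy VPN server configuration on a 12.4T image, added for this page (it is not Thomas's or Ge's config) and written around the `userauthen` and `groupauthen` AAA lists from Thomas's post. It shows where the `crypto isakmp client configuration group` command that was missing on his 12.2 mainline image fits, and how the two AAA lists are attached to the crypto map. Group name, keys, addresses, pool, ACL number and interface are assumptions.

```cisco
! Added example, not from the thread: IOS Easy VPN server, 12.4T image.
! Group name, keys, addresses and interface names are assumptions.
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthen local
username vpnuser secret ChangeMe-UserPassword
!
! Phase 1: pre-shared group key, then XAUTH asks for the user login
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
!
! The 'group' keyword that only the T train offers on this platform
crypto isakmp client configuration group VPNGROUP
 key ChangeMe-GroupKey
 dns 10.0.0.53
 domain example.net
 pool VPNPOOL
 acl 150
!
ip local pool VPNPOOL 10.10.10.1 10.10.10.50
!
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
!
crypto dynamic-map DYNMAP 10
 set transform-set ESP-AES-SHA
 reverse-route
!
! Tie the AAA lists to the crypto map: XAUTH user authentication,
! group authorization, and mode-config address assignment on request
crypto map CLIENTMAP client authentication list userauthen
crypto map CLIENTMAP isakmp authorization list groupauthen
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
!
interface FastEthernet0/0
 description outside
 ip address 192.0.2.1 255.255.255.0
 crypto map CLIENTMAP
!
! Split-tunnel ACL: only this prefix is sent through the tunnel
access-list 150 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
```

The group key under `crypto isakmp client configuration group` is shared by every client in that group and only authenticates the group; the per-user secret checked through `userauthen` is what identifies a person, so keep users in `username ... secret` (or on the TACACS+ server already referenced by the default list) rather than relying on the group key alone. `show crypto isakmp sa` and `show crypto session` confirm the client tunnels once the config is applied.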


Re: [c-nsp] VTP and Vlan 1

2008-08-26 Thread Michel Grossenbacher
Hi Paul
Dont worry, I did the same at the beginning :-)

So UDLD on dot1Q uses the native VLAN while with ISL it stays within VLAN 1
no matter if we changed the native vlan or not?
This means that with ISL trunks UDLD behaves similar to CDP/VTP ?

Thanks

best regards

Michel



On 26/08/2008, Paul Cosgrove [EMAIL PROTECTED] wrote:

 Hi Michel,

 Apologies for confusing the issue. You are of course correct about VTP,
 which does use vlan 1.

 UDLD is not sent with a dot1q tag, but is associated with vlan 1 on ISL
 trunks.  Changing the (dot1q) native vlan on the trunk has no effect on
 how UDLD is sent over ISL, it is still sent on vlan 1.

 Paul.

 Michel Grossenbacher wrote:
  Paul, indeed DTP is sent over the native VLAN, but VTP is pretty sure
 still
  over VLAN 1. I did a trace and mixed VTP with DTP, hence I said its using
  the native VLAN. But after I did some more traces the VTP packets did not
  show any VLAN informations anymore (actually they never did I only hit
 the
  wrong line within wireshark ;) ).
  So Im quite sure VTP and CDP are not sent via the native VLAN, after I
  changed it from VLAN 1 to VLAN 10. Probably have to have a look with ISL
  too.
 
  Mike, I think I know what you mean, per definition (AFAIK) all VLANs get
  encapsulated by ISL, while with dot1Q all but the native one get a Tag.
 But
  within an ISL trunk Cisco defines a native VLAN (default is VLAN 1, same
 as
  dot1Q) and you can configure it the same way as for a dot1Q one so I'd
 say
  UDLD will use that one. I guess it will still be encapsulated but I did
  never check that.
  Do a *show interface trunk* if you configured an ISL trunk and you'll see
 it
  at the top.
 
  Michel
 
  2008/8/25 Paul Cosgrove [EMAIL PROTECTED]
 
  Hi Michel,
 
  You may have been right the first time there.  I think VTP does indeed
  use the native vlan, not necessarily vlan 1.  DTP is also sent on the
  native vlan, untagged and tagged in its case.
 
  Paul.
 
  Michel Grossenbacher wrote:
  A little correction on my answer, VTP does not use the Native VLAN :-)
 
  Here is what I found regarding the use of VTP and VLAN1:
  The Case of VLAN 1
 
  You cannot apply VTP pruning to VLANs that need to exist everywhere and
  that
  need to be allowed on all switches in the campus, in order to be able
 to
  carry VTP, Cisco Discovery Protocol [CDP] traffic, and other control
  traffic. However, there is a way to limit the extent of VLAN 1. The
  feature
  is called VLAN 1 disable on trunk. The feature is available on Catalyst
  4500/4000, 5500/5000, and 6500/6000 series switches in CatOS software
  release 5.4(x) and later. The feature allows you to prune VLAN 1 from a
  trunk, as you do for any other VLAN. This pruning does not include all
  the
  control protocol traffic that is still allowed on the trunk (DTP, PAgP,
  CDP,
  VTP, and others). However, the pruning does block all user traffic on
  that
  trunk. With this feature, you can keep the VLAN from spanning the
 entire
  campus. STP loops are limited in extent, even in VLAN 1. Configure VLAN
 1
  to
  be disabled, as you would configure other VLANs to be cleared from the
  trunk:
 
  UDLD uses native VLAN in order to talk to the neighbor. So, in a trunk
  port,
  the native VLAN must not be pruned in order for UDLD to work properly.
 
 
 http://www.cisco.com/en/US/tech/tk389/tk689/technologies_tech_note09186a0080890613.shtml
  Sorry for the confusion.
 
  best regards
 
  Michel
 
 
  On 25/08/2008, Michel Grossenbacher [EMAIL PROTECTED] wrote:
  Hi Mike
  Actually VLAN 1 is not pruning-eligible so you can not prune VLAN 1
 from
  a
  trunk. However you can remove it from the trunk.
  If you remove it from the trunk and change the native VLAN for the
  trunk,
  VTP will then use the new native VLAN for updates.
  best regards
 
  Michel
 
 
   On 25/08/2008, Mike Louis [EMAIL PROTECTED] wrote:
  List,
 
  I just read in a practice test for an upcoming cert that Vlan 1 is
 used
  to
  carry VTP advertisements. However, it is possible to prune vlan 1
 from
  trunk
  links. Will VTP continue to function without Vlan 1 being enabled on
  the
  link? Has this changed in more recent IOS releases?
 
  Note: This message and any attachments is intended solely for the use of
  the individual or entity to which it is addressed and may contain
  information that is non-public, proprietary, legally privileged,
  confidential, and/or exempt from disclosure.  If you are not the intended
  recipient, you are hereby notified that any use, dissemination,
  distribution, or copying of this communication is strictly prohibited.  If
  you have received this communication in error, please notify the original
  sender immediately by telephone or return email and destroy or delete this
  message along with any attachments immediately.
 
  ___
  cisco-nsp mailing list  cisco-nsp@puck.nether.net
  https://puck.nether.net/mailman/listinfo/cisco-nsp
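Added example, not from the thread or from the Cisco note Michel quotes: the same change in Catalyst IOS syntax, with the native VLAN moved to a dedicated, otherwise unused VLAN so that VTP and UDLD, which both use the native VLAN per the note above, keep working after VLAN 1 is cleared from the trunk. The interface, VLAN 999 and the description are assumptions for illustration; the CatOS lines are given as comments for comparison.

```cisco
! Added example, not from the thread. Catalyst 6500 running native IOS
! is assumed (12.1(11b)E or later, where VLAN 1 may be removed from a trunk).
!
! 1. A dedicated native VLAN. No access port is ever placed in it, so the
!    untagged side of the trunk carries only the control protocols.
vlan 999
 name TRUNK-NATIVE-UNUSED
!
! 2. On each trunk, make 999 the native VLAN and remove VLAN 1.
!    VLAN 999 remains in the allowed list: the note above says UDLD talks
!    on the native VLAN, so the native VLAN must stay on the trunk.
interface GigabitEthernet1/1
 description uplink to core-2 (assumed)
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan remove 1
 switchport mode trunk
 udld port aggressive
!
! CatOS equivalent of steps 1 and 2 (the 5.4(x)+ feature the note describes):
!   set vlan 999 name TRUNK-NATIVE-UNUSED
!   set vlan 999 1/1       <- the port VLAN is the dot1q native VLAN
!   clear trunk 1/1 1      <- remove VLAN 1 from the trunk
!
! 3. Verify: VLAN 1 is absent from the allowed/active lists, 999 is present,
!    and the UDLD neighbor is still seen on the port.
!   show interfaces GigabitEthernet1/1 trunk
!   show udld GigabitEthernet1/1
!   show vtp status        <- revision still increments on new VLANs, if VTP is used
!
! What this does and does not do: user traffic in VLAN 1 no longer crosses
! this trunk, so VLAN 1 (and its STP instance) stops spanning the campus.
! CDP, DTP, PAgP and VTP are still exchanged untagged on the trunk, exactly
! as the note says; removing VLAN 1 is not a way to silence them.
```

Set the native VLAN before removing VLAN 1, otherwise there is a moment in which the native VLAN is not an allowed VLAN on the trunk and UDLD and VTP have no path. Make the same change on both ends of the link: a native VLAN mismatch is reported by CDP and PVST+ puts the port into an inconsistent (blocking) state.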
  

[c-nsp] which IOS supports sup720 + FlexWAN + PA-POS-OC3?

2008-08-26 Thread Marco d'Itri
When I plug in the PA I get this:

SLOT 5/0: 00:00:03: %PA-2-UNDEFIO: Unsupported I/O Controller (type 65535) in 
I/O Bay. The I/O Controller network interfaces will be unavailable. 

a normal fast ethernet PA works fine.
cisco.com says that the PA is supported even by non-enhanced FlexWANs.

IOS (tm) s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 
12.2(18)SXF13, RELEASE SOFTWARE (fc1)

-- 
ciao,
Marco
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] LLQ + MLPPPoE - ?

2008-08-26 Thread David Freedman
Have a scenario whereby I've an LLQ policy applied to a CE router doing MLPPPoE 
with following
configuration:

!
class-map match-any REALTIME
 match ip dscp ef 
class-map match-any CRITICAL-DATA
 match ip dscp cs6 
!
!
policy-map LLQ
 class REALTIME
  priority percent 35
 class CRITICAL-DATA
  bandwidth percent 40
  random-detect dscp-based
 class class-default
  fair-queue
  random-detect dscp-based  
!
!
interface ATM0/0/0.132 point-to-point
 pvc 1/32 
  vbr-nrt 2304 2304
  tx-ring-limit 3
  encapsulation aal5snap
  service-policy output LLQ
  pppoe-client dial-pool-number 1
 !  
!
interface ATM0/1/0.132 point-to-point
 pvc 1/32 
  vbr-nrt 2304 2304
  tx-ring-limit 3
  encapsulation aal5snap
  service-policy output LLQ
  pppoe-client dial-pool-number 1
 ! 
interface Dialer0
 bandwidth 4608
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname xx
 ppp chap password yy
 ppp ipcp route default
 ppp link reorders
 ppp multilink
 ppp multilink fragment disable
 max-reserved-bandwidth 100
 service-policy output LLQ
end   


So, the LLQ policy is only required to be applied to the VC and not the dialer,
since I'm only queuing, but it is applied to both here.

The ATM interface did indeed move to WFQ:

#show queueing int atm0/0/0.132
  Interface ATM0/0/0.132 VC 1/32 
  Queueing strategy: weighted fair
  Output queue: 0/512/64/0 (size/max total/threshold/drops)
 Conversations  0/6/128 (active/max active/max total)
 Reserved Conversations 1/1 (allocated/max allocated)
 Available Bandwidth 1 kilobits/sec

But, the output of show policy-map int a0/0/0.132 does not show anything
being pushed into the PQ at all

#show policy-map int a0/0/0.132 | in Class-map|matched|default
Class-map: REALTIME (match-any)
(pkts matched/bytes matched) 0/0
Class-map: CRITICAL-DATA (match-any)
(pkts matched/bytes matched) 0/0
default   0/0   0/0  0/0   20  40  1/10
Class-map: class-default (match-any)
default 268/19832   0/0 
 0/0   20  40  1/10
#show policy-map int a0/1/0.132 | in Class-map|matched|default
Class-map: REALTIME (match-any)
(pkts matched/bytes matched) 0/0
Class-map: CRITICAL-DATA (match-any)
(pkts matched/bytes matched) 0/0
default   0/0   0/0  0/0   20  40  1/10
Class-map: class-default (match-any)
default 270/19980   0/0  0/0   20  40  1/10 
  

( I do see class matches, omitted here, but they do not appear to be queued)


What is actually observed is that the LLQ appears to work well until more than
one member joins the bundle, then the latency + jitter becomes variable, but
I'm not sure that it is even working at all since the queue counters do not
increment; I could just be seeing the results of the WFQ.

From the PE side, ppp multilink fragment disable and ppp link reorders are 
applied via RADIUS but I do not really believe they are having an effect since 
I'm still seeing re-order counters.
(vtemplate clone applies the attributes, but assume they are being ignored)


CE is 12.4(15)T7 and PE is 12.4(19)

Am assuming that I'm doing this correctly as there should be no need for a 
shaper (not that it is accepted anyway) since we can create ATM backpressure 
from the ATM interfaces when I reduce the TX ring size.

Any suggestions appreciated.

Regards,
 


David Freedman
Group Network Engineering 
Claranet Limited
http://www.clara.net

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] which IOS supports sup720 + FlexWAN + PA-POS-OC3?

2008-08-26 Thread Hank Nussbacher

On Tue, 26 Aug 2008, Marco d'Itri wrote:

Works for me on 12.2(18)SXE6b but all are eFlexwans:

Slot 4: Logical_index 9
2 port adapter Enhanced FlexWAN controller
Board is analyzed ipc ready
HW rev 0.1, board revision A01
Serial Number:  Part number: 73-6348-01

Slot database information:
Flags: 0x2004   Insertion time: 0x22C08 (6w5d ago)

Controller Memory Size:
192 MBytes CPU Memory
63 MBytes Packet Memory
255 MBytes Total on Board SDRAM
IOS (tm) cwlc Software (cwpa2-DW-M), Version 12.2(18)SXE6b, 
RELEASE SOFTWARE (fc2)


PA Bay 1 Information:
POS PA, 2 port, PA-POS-2OC3
EEPROM format version 4
HW rev 1.00, Board revision A0
Serial number: JAE09044GVG  Part number: 73-8220-05

-Hank


When I plug in the PA I get this:

SLOT 5/0: 00:00:03: %PA-2-UNDEFIO: Unsupported I/O Controller (type 65535) in 
I/O Bay. The I/O Controller network interfaces will be unavailable.

a normal fast ethernet PA works fine.
cisco.com says that the PA is supported even by non-enhanced FlexWANs.

IOS (tm) s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 
12.2(18)SXF13, RELEASE SOFTWARE (fc1)

--
ciao,
Marco
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] VPN Client to 1841, default route into tunnel with exceptions

2008-08-26 Thread Marc Haber
Hi,

this is strictly a client issue and not appropriate for cisco-nsp, but
I haven't found any mailing list with this clue level for other
cisco-related aspects. If there is one, I'd like to learn about it.

I have a bunch of Windows clients with the Cisco VPN Client
5.0.01.0600 and an 1841 running IOS 12.4(9)T4. My configuration is as
follows:

aaa new-model
!
aaa authentication login default local
aaa authentication login userauthen local
aaa authentication login localauth local
aaa authorization exec default local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
ip cef
!
username marc.haber privilege 15 secret 5 snip
!
crypto isakmp policy 3
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp client configuration group InternClient
 key onsh4OcyivOafmyodzet
 dns 10.1.2.11 10.1.2.15
 wins 10.1.2.11 10.1.2.15
 domain example.com
 pool ippool
 acl DefaultrouteTunnel
!
!
crypto ipsec transform-set InternTransformSet esp-aes 256 esp-sha-hmac
!
crypto dynamic-map InternDynmap 10
 set transform-set InternTransformSet
 reverse-route
!
!
crypto map InternClientMap client authentication list userauthen
crypto map InternClientMap isakmp authorization list groupauthor
crypto map InternClientMap client configuration address respond
crypto map InternClientMap 10 ipsec-isakmp dynamic InternDynmap
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
 ip address 172.26.248.10 255.255.255.248
 duplex auto
 speed auto
 crypto map InternClientMap
!
ip access-list extended DefaultrouteTunnel
 permit ip any any
ip access-list extended DefaultrouteWithoutListedNetsTunnel
 deny   ip 192.168.8.0 0.0.0.255 any
 permit ip any any
!

With this configuration, a client cannot communicate at all outside
the tunnel, which is a desired feature in this setup. OTOH, some
teleworkers would appreciate to be able to talk to their networked
printers on the local LANs.

I have received the advice of adding the local networks of all
teleworkers to an access list, which has resulted in the
DefaultrouteWithoutListedNetsTunnel ACL. But this does not seem to
work, traffic for 192.168.8.3 still goes into the tunnel after I
changed the acl reference in the crypto isakmp client configuration
group InternClient. Also, I do not see any changes in the Windows
client's routing tables.

Can someone advise what I am doing wrong here? Additionally, do I
really need to exclude all local networks of all teleworkers in the
global configuration, or is it possible to control this on a
per-client basis?

All web-based documentation I have found deals with the VPN
Concentrator series which do not seem to use IOS - at least I cannot
make sense of the advice found there in my configuration.

Any hints will be appreciated.

Greetings
Marc

-- 
-
Marc Haber | I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things.Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions

2008-08-26 Thread Ge Moua
Sounds like a routing issue. Is your ippool handing out IP addresses to the
clients? I recently set up a similar config on an 1811 and this works fine. I
can send you the working config if you're interested.


Regards,
Ge Moua | Email: [EMAIL PROTECTED]

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services
 
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] DMVPN breaks when IPSEC protection is applied to tunnels

2008-08-26 Thread Aaron
How about putting it on the outbound to make sure that you are sending it to
the hub?


On Tue, Aug 26, 2008 at 1:37 AM, Nic Tjirkalli 
[EMAIL PROTECTED] wrote:

 Howdy ho,


  Maybe try to put in an ACL or could use netflow for this as well...
 ip access-list extend check_packets_in
 permit esp any any
 permit udp any eq isakmp any eq isakmp
 permit ip any any
 interface dialer 1
 ip access-group check_packets_in in

 To see if ESP coming in to your spoke router.

 good suggestion but now I am even more confused

 created acl as follows and applied to dialer 1 in :-
 interface Dialer1
  ip access-group check_packets_in in

 but there are no matches at all - not even IP
 nhrp-spoke-2#show access-lists check_packets_in
 Extended IP access list check_packets_in
10 permit ahp any any
20 permit esp any any
30 permit udp any eq isakmp any eq isakmp
40 permit ip any any


 `:wq``




 -Luan



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Nic Tjirkalli
 Sent: Monday, August 25, 2008 3:40 AM
 To: cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] DMVPN breaks when IPSEC protection is applied to
 tunnels

 howdy ho all,

 thanx to those who sent through suggestions on how to get the IPSEC to
 work
 - the ideas were :- try mode transport
 :- don't use wildcard for the secret

 so i changed the hub and spoke as follows :-
 crypto ipsec transform-set 3DES_MD5 esp-aes esp-md5-hmac
  mode transport

 crypto isakmp key CISCO address 41.195.37.0 255.255.255.0
 crypto isakmp key CISCO address 196.47.0.204 255.255.255.0


 also same symptoms
 - crypto comes up
 - hub reports IPSEC encaps and decaps
 - spoke sites report 0 decaps for IPSEC and no errors


 any other ideas?

 thanx



 howdy ho all,

 Was hoping I could use this forum to get some direction on resolving a
 strange issue I have with a DMVPN setup.

 All works 100% if I do not protect the tunnels with IPSEC. As soon as I
 enable IPSEC the tunnels stop passing traffic.


 The setup :-
 

 All routers are CISCO 1841 platforms. the IOS image is :-
 C1841-ADVIPSERVICESK9-M
 c1841-advipservicesk9-mz.124-21.bin


 HUB Router
 --
 HUB router connects via ADSL (a PPPOE session over ethernet) and then fires
 up an L2TP tunnel to obtain a static IP address.

 The IP address allocated to the L2TP interface is 196.47.0.204
 (Virtual-PPP1)

 This IP address is the NHS. All connections to/from the hub
 use the address of 196.47.0.204.

 Tunnel interface on the hub router is 10.0.0.1


 Spoke Router
 
 the Spoke router (there are 2 I am just showing one) connects via ADSL
 (a PPPOE session over ethernet) and obtains a dynamic IP address. the spoke
 routers use Dialer1 as their interface into the NHRP cloud.

 NHRP comes up and if I do not use IPSEC encryption on the Tunnel
 interface
 ie do not add the command tunnel protection ipsec profile DMVPN
 on Tunnel0

 Tunnel interface on the hub router is 10.0.0.3
 all works perfectly.


 The Problem
 ===

 When I enable IPSEC encryption on the tunnel interfaces on all routers
 then things break. I have tried with both 3DES and AES and same issue.

 All the crypto sessions seem correct - correct SAs come up. The dynamically
 created crypto-maps seem correct.

 BUT. on the spoke routers, IPSEC reports that no packets are being
 de-encapsulated but no errors are reported.

 nhrp-spoke-2#show crypto ipsec sa

 interface: Tunnel0
  local  ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
  remote ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
  current_peer 196.47.0.204 port 500
PERMIT, flags={origin_is_acl,}
   #pkts encaps: 13410, #pkts encrypt: 13410, #pkts digest: 13410
   #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
   #pkts compressed: 0, #pkts decompressed: 0
   #pkts not compressed: 0, #pkts compr. failed: 0
   #pkts not decompressed: 0, #pkts decompress failed: 0
   #send errors 3, #recv errors 0


 But on the HUB. all is well
  protected vrf: (none)
  local  ident (addr/mask/prot/port): (196.47.0.204/255.255.255.255/47/0)
  remote ident (addr/mask/prot/port): (41.195.37.191/255.255.255.255/47/0)
  current_peer 41.195.37.191 port 500
PERMIT, flags={origin_is_acl,}
   #pkts encaps: 153, #pkts encrypt: 153, #pkts digest: 153
   #pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80
   #pkts compressed: 0, #pkts decompressed: 0
   #pkts not compressed: 0, #pkts compr. failed: 0
   #pkts not decompressed: 0, #pkts decompress failed: 0
   #send errors 1, #recv errors 0


 Any ideas/thoughts would be greatly appreciated.

 The configuration's and some useful output are  below



 HUB Configuration
 =

 hostname adsl-nhrp-hub
 !
 boot-start-marker
 boot-end-marker
 !
 logging buffered 4096 debugging
 !
 no aaa new-model
 ip cef
 !
 !
 !
 !
 no ip domain lookup
 ip auth-proxy max-nodata-conns 3
 ip admission max-nodata-conns 3
 vpdn enable
 !
 

[c-nsp] Configuring VWIC-1MFT-E1 for Data

2008-08-26 Thread Felix Nkansah
HI,

I would like a reference to an online documentation that explains the
configuration of the data features of a cisco VWIC-1MFT-E1 card.

Any references would be deeply appreciated.

Regards,

Felix
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] which IOS supports sup720 + FlexWAN + PA-POS-OC3?

2008-08-26 Thread Ian Cox
PA-POS-OC3 has been supported in both FlexWANs since they FCS'd. Maybe
that particular PA has the idprom messed up. Try doing a sh diagbus with
it inserted and see what the PA idprom is telling the system.

bourke#sh diagbus
...
Slot 8: Logical_index 16
2 port adapter Enhanced FlexWAN controller
Board is analyzed ipc ready
HW rev 1.5, board revision A0
Serial Number: JABxx Part number: 73-8273-09

Slot database information:
Flags: 0x2004   Insertion time: 0x2CE0C (00:00:11 ago)

CWAN Controller Memory Size: Unknown


PA Bay 0 Information:
2CT3+ single wide PA, 2 ports
EEPROM format version 1
HW rev 1.00, Board revision A0
Serial number:   Part number: 73-3388-03


Ian

Marco d'Itri wrote:
 When I plug in the PA I get this:
 
 SLOT 5/0: 00:00:03: %PA-2-UNDEFIO: Unsupported I/O Controller (type 65535) in 
 I/O Bay. The I/O Controller network interfaces will be unavailable. 
 
 a normal fast ethernet PA works fine.
 cisco.com says that the PA is supported even by non-enhanced FlexWANs.
 
 IOS (tm) s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 
 12.2(18)SXF13, RELEASE SOFTWARE (fc1)
 
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Improved queuing in 12.4(20)T?

2008-08-26 Thread Pelle
On Tue, Aug 26, 2008 at 16:28, Rodney Dunn [EMAIL PROTECTED] wrote:

 The difference I suspect is how the time intervals are handled. I worked
 on an issue once where we actually would slightly burst above the
 configured shape rate and it got worse the smaller the Tc was.
 With HQF the excess is handled different and resulted in more accurate
 shaping rates. I forgot all the nitty gritty details of how we did it.

Hmm, that's a good thing and a bad one. The good thing is that HQF has
improved something that was suboptimal; the bad thing is that you need
HQF (read: it's not a bug).

The most worrying aspect is that you do use a shaper to handle excess
traffic, and when the shaper kicks in, the latencies increase by an order
of magnitude (from 1 millisec to over 10 millisec). Not very nice for
real time traffic.

Will probably have to stick with 12.4(20)T where we must, despite
the bleeding-edge nature.

-- 
Pelle
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] SNMP auth failure and malloc issues

2008-08-26 Thread Jay Young
I was wondering if anyone has seen a similar issue.

7609 Sup720 running 7600s72033-advipservicesk9-mz.122-33.SRB3.bin

I am seeing lots of malloc errors after seeing a long running SNMP
querier who is unable to query my router.


Aug 26 12:00:38.136 EST5EDT: %SYS-2-MALLOCFAIL: Memory allocation of
332 bytes failed from 0x42081CA8, alignment 32
Pool: I/O  Free: 123760  Cause: Memory fragmentation
Alternate Pool: None  Free: 0  Cause: No Alternate pool
 -Process= IP Input, ipl= 0, pid= 191
-Traceback= 405BBFD0 405BC514 412630F8 41269850 42081CB0 42082188
420860A8 42080ED0 40951738 40952538 40951CF8 40951F08 409520D8
40948C74 41C112C4 4226E290
Aug 26 12:00:53.072 EST5EDT: %SNMP-3-AUTHFAIL: Authentication failure
for SNMP req from host X.Y.Z.21

I noticed this on another box I was running a few months ago but didn't
get any resolution; I just got the offending host to stop and reloaded
the router.

I didn't see anything in the bug toolkit and we have a case open.

Thanks,
Jay
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
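Added example, not Jay's configuration, and not a fix for the memory fragmentation itself (that is what the case is for). It shows the two things a practitioner would put in place on the 7609 in the meantime: a source ACL on the SNMP agent so that only the management stations can attempt authentication, and a control-plane policy so that SNMP from anyone else is dropped before it reaches the IP Input and SNMP processes. The 192.0.2.0/24 management network, the user and community names, and the CoPP rates are placeholders; whether a given image accepts AES privacy for SNMPv3 is an assumption to verify on the box.

```cisco
! Added example, not Jay's configuration. 192.0.2.0/24 stands in for the
! management network; names and rates are placeholders.
!
! 1. Who may talk SNMP to the box. Anything else that reaches the SNMP
!    agent is rejected and logged (subject to the ACL log rate limit).
access-list 99 permit 192.0.2.0 0.0.0.255
access-list 99 deny   any log
!
! 2. SNMPv3 with authentication and privacy for the pollers; the default
!    community goes away, and any v2c community that must remain is bound
!    to the same ACL. Use "priv des" if the image rejects "priv aes".
snmp-server group NMS-RO v3 priv read v1default access 99
snmp-server user nmspoll NMS-RO v3 auth sha <auth-password> priv aes 128 <priv-password>
no snmp-server community public
snmp-server community <legacy-ro-string> RO 99
!
! 3. Make authentication failures visible on the NMS, not only in syslog.
snmp-server enable traps snmp authentication
snmp-server host 192.0.2.10 traps version 3 priv nmspoll
!
! 4. Control-plane policing. SNMP from the management network is policed
!    generously; SNMP from anywhere else is dropped before the RP's IP
!    Input / SNMP processes ever see it. Classes are evaluated in order,
!    so the trusted class must come first.
ip access-list extended COPP-SNMP-TRUSTED
 permit udp 192.0.2.0 0.0.0.255 any eq snmp
ip access-list extended COPP-SNMP-UNTRUSTED
 permit udp any any eq snmp
!
class-map match-all COPP-SNMP-TRUSTED
 match access-group name COPP-SNMP-TRUSTED
class-map match-all COPP-SNMP-UNTRUSTED
 match access-group name COPP-SNMP-UNTRUSTED
!
policy-map COPP
 class COPP-SNMP-TRUSTED
  police 512000 8000 conform-action transmit exceed-action drop
 class COPP-SNMP-UNTRUSTED
  police 8000 1500 conform-action drop exceed-action drop
!
control-plane
 service-policy input COPP
!
! Verify:
!   show snmp user                    <- v3 users and their auth/priv algorithms
!   show access-lists 99              <- deny counter = rejected sources
!   show policy-map control-plane     <- drops accumulating in the UNTRUSTED class
```

The %SNMP-3-AUTHFAIL line already names the source (X.Y.Z.21 in the post); with the CoPP class in place that source's packets are dropped in hardware on the 7600 and never cost the route processor a cycle, and the deny counter on ACL 99 gives the same information without the log volume.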


Re: [c-nsp] which IOS supports sup720 + FlexWAN + PA-POS-OC3?

2008-08-26 Thread Marco d'Itri
On Aug 26, Ian Cox [EMAIL PROTECTED] wrote:

 PA-POS-OC3 has been supported in both FlexWANs since they FCS'd. Maybe
 that particular PA has the idprom messed up. Try doing a sh diagbus with
 it inserted and see what the PA idprom is telling the system.

This is the output for the card back in the 7200 where it has been in use so
far:

picard.mil#show diag 3
Slot 3: 
POS Single Width, Single Mode Port adapter, 1 port
Port adapter is analyzed
Port adapter insertion time 13:18:33 ago
EEPROM contents at hardware discovery:
Hardware revision 2.0   Board revision A0
Serial number 1xx6  Part number73-3193-02
FRU Part Number:  PA-POS-OC3SMI=

Test history  0x0   RMA number 00-00-00
EEPROM format version 1
EEPROM contents (hex):
  0x20: 01 95 02 00 00 E8 71 06 49 0C 79 02 00 00 00 00
  0x30: 50 00 00 00 99 08 27 00 00 00 FF FF FF FF FF FF


 Marco d'Itri wrote:
  When I plug in the PA I get this:
  
  SLOT 5/0: 00:00:03: %PA-2-UNDEFIO: Unsupported I/O Controller (type 65535) 
  in I/O Bay. The I/O Controller network interfaces will be unavailable. 
  
  a normal fast ethernet PA works fine.
  cisco.com says that the PA is supported even by non-enhanced FlexWANs.
  
  IOS (tm) s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 
  12.2(18)SXF13, RELEASE SOFTWARE (fc1)
  

-- 
ciao,
Marco
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] MPLS VPN Question about PE-CE - Private or Public IP?

2008-08-26 Thread Alastair Johnson

Tim Franklin wrote:

On Thu, August 21, 2008 12:59 am, Brandon Price wrote:

Other than just saying its bad can you give some specifics as to the
problems you've run into using private addresses for PE-CE links? As
long as the SP hands out unique addresses across all of the links, what
does it matter whether they are private or public ?


Customers using *all* of RFC1918 space (or at least claiming they do).

e.g. if you have WAN links as /30s out of 10.11.12.0/24, and the customer
has that range on a LAN somewhere, each site will be unable to reach the
particular hosts on its WAN /30.  (At least - if you're redistributing
WAN routes into BGP / MBGP, the lack of visibility gets worse).


Most[1] large telcos I've seen[2] offering IP-VPN services tend to use 
RFC1918 addressing for CE-PE infrastructure.  Using public addressing 
for much of this just often doesn't scale - thinking of some IP-VPNs 
which have thousands of CE elements.


Most of them make this clear when doing the pre-sales design work, and 
have very clear exclusion lists for prefixes that *will not* be accepted 
into the IP-VPN under any circumstances.  The majority of customers I've 
worked with have been comfortable with this, given that it's generally a 
small number of /30s or /31s and very rarely (in fact, I can't think of 
a time) is there a conflict.  In the odd case, if the customer refuses 
to work with the telco the telco will just not accept the customer 
without doing some form of Network Special Deal which results in the 
customer paying a whole bunch more for the service to cover the 
deviation costs.[3]


My own employer, a multinational in 100+ countries, uses RFC1918 
extensively but our WAN group has managed to work around conflicts with 
the multitude of IP-VPN services that use RFC1918 on the WAN.


aj

[1] Obviously this doesn't include all of them. I have a couple of 
IP-VPNs which do make use of public /31 infrastructure but this is rare. 
I have a feeling that these /31s may be re-used across multiple IP-VPN 
services.

[2] I tend to have a slightly incumbent/tier 1 view of the world.
[3] This is usually *very* expensive for the customer.  If the customer 
wants it bad enough... they'll pay but see [2]. :)

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Configuring VWIC-1MFT-E1 for Data

2008-08-26 Thread Brett Looney
 I would like a reference to an online documentation that explains
 the configuration of the data features of a cisco VWIC-1MFT-E1 card.

Ok then: http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/intserv.html

B.

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions

2008-08-26 Thread Brett Looney
 With this configuration, a client cannot communicate at all
 outside the tunnel, which is a desired feature in this setup.
 OTOH, some teleworkers would appreciate to be able to talk to
 their networked printers on the local LANs.

It's been a while but from memory you need to put the include-local-lan
setting into the client configuration group to do this. HTH.

B.

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
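Added example, not Marc's configuration, showing the include-local-lan attribute Brett refers to next to a split-tunnel ACL written the way IOS expects it. Group names, the pool, and the 10.1.0.0/16 and 172.26.248.0/29 networks are placeholders or taken from the original post; the group key is a placeholder on purpose.

```cisco
! Added example, not Marc's configuration. The group key is a placeholder
! on purpose; addresses are from the post or from documentation ranges.
!
! Option A: tunnel everything except the client's own directly connected
! LAN. This is the "include-local-lan" attribute; on the Windows client it
! only takes effect if "Allow Local LAN Access" is ticked on the Transport
! tab. A tunnel-all policy needs no "acl" line at all (an ACL that is just
! "permit ip any any", as in the post, means the same thing).
crypto isakmp client configuration group InternClient
 key REPLACE-WITH-A-NEW-GROUP-KEY
 dns 10.1.2.11 10.1.2.15
 wins 10.1.2.11 10.1.2.15
 domain example.com
 pool ippool
 include-local-lan
!
! Option B: real split tunneling. The ACL is written from the 1841's point
! of view: each permit line names a network BEHIND the router as the
! source, with destination "any". Only permit entries are pushed to the
! client, so a "deny 192.168.8.0 ... / permit ip any any" ACL still pushes
! "everything" and the deny line changes nothing, which matches what the
! post observed.
ip access-list extended SplitTunnelNets
 permit ip 10.1.0.0 0.0.255.255 any
 permit ip 172.26.248.0 0.0.0.7 any
!
crypto isakmp client configuration group InternClientSplit
 key REPLACE-WITH-A-NEW-GROUP-KEY
 dns 10.1.2.11 10.1.2.15
 domain example.com
 pool ippool
 acl SplitTunnelNets
!
! Verification once a client has connected:
!   show crypto session detail   <- group, assigned address and uptime per client
!   show crypto ipsec sa         <- option A: one 0.0.0.0/0 <-> client SA
!                                   option B: one SA per permit line
! On the client, "route print" lists the option-B networks via the VPN adapter.
```

Local LAN access answers the per-client question without listing any teleworker network on the router: the excluded subnet is whatever the client's own interface sits on, decided on the client side. The trade-off is that a teleworker whose home LAN overlaps a prefix behind the 1841 loses that corporate prefix for the duration of the session. Separately, the group key in the original post is now in a public list archive; it is the secret that lets any client begin group authentication against this router, so it should be replaced rather than reused.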


Re: [c-nsp] LLQ + MLPPPoE - ?

2008-08-26 Thread Ben Steele
Remove the service policy from your ATM ints and just leave it on your
Dialer, then do a sh users and you should see an interface listed as the
MLP Bundle; this is the one you want to be watching. If for example it is
Vi4 then do a sh policy-map int vi4.

Also given you are running pppoe, you should be setting your MTU correctly
(ip mtu 1492, if it's a 1500 byte path) and an ip tcp adjust-mss 1452
wouldn't do any harm either.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Freedman
Sent: Tuesday, 26 August 2008 11:20 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] LLQ + MLPPPoE - ?

Have a scenario whereby I've an LLQ policy applied to a CE router doing
MLPPPoE with following
configuration:

!
class-map match-any REALTIME
 match ip dscp ef 
class-map match-any CRITICAL-DATA
 match ip dscp cs6 
!
!
policy-map LLQ
 class REALTIME
  priority percent 35
 class CRITICAL-DATA
  bandwidth percent 40
  random-detect dscp-based
 class class-default
  fair-queue
  random-detect dscp-based  
!
!
interface ATM0/0/0.132 point-to-point
 pvc 1/32 
  vbr-nrt 2304 2304
  tx-ring-limit 3
  encapsulation aal5snap
  service-policy output LLQ
  pppoe-client dial-pool-number 1
 !  
!
interface ATM0/1/0.132 point-to-point
 pvc 1/32 
  vbr-nrt 2304 2304
  tx-ring-limit 3
  encapsulation aal5snap
  service-policy output LLQ
  pppoe-client dial-pool-number 1
 ! 
interface Dialer0
 bandwidth 4608
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname xx
 ppp chap password yy
 ppp ipcp route default
 ppp link reorders
 ppp multilink
 ppp multilink fragment disable
 max-reserved-bandwidth 100
 service-policy output LLQ
end   


So, the LLQ policy is only required to be applied to the VC and not the
dialer, since I'm only
queuing , but it is applied to both here.

The ATM interface did indeed move to WFQ:

#show queueing int atm0/0/0.132
  Interface ATM0/0/0.132 VC 1/32 
  Queueing strategy: weighted fair
  Output queue: 0/512/64/0 (size/max total/threshold/drops)
 Conversations  0/6/128 (active/max active/max total)
 Reserved Conversations 1/1 (allocated/max allocated)
 Available Bandwidth 1 kilobits/sec

But, the output of show policy-map int a0/0/0.132 does not show anything
being pushed into the PQ at all

#show policy-map int a0/0/0.132 | in Class-map|matched|default
Class-map: REALTIME (match-any)
(pkts matched/bytes matched) 0/0
Class-map: CRITICAL-DATA (match-any)
(pkts matched/bytes matched) 0/0
default   0/0   0/0  0/0   20  40
1/10
Class-map: class-default (match-any)
default 268/19832   0/0 
 0/0   20  40  1/10
#show policy-map int a0/1/0.132 | in Class-map|matched|default
Class-map: REALTIME (match-any)
(pkts matched/bytes matched) 0/0
Class-map: CRITICAL-DATA (match-any)
(pkts matched/bytes matched) 0/0
default   0/0   0/0  0/0   20  40
1/10
Class-map: class-default (match-any)
default 270/19980   0/0  0/0   20  40
1/10   

( I do see class matches, omitted here, but they do not appear to be queued)


What is actually observed, is that the LLQ appears to work well until more
than one member
joins the bundle, then the latency + jitter becomes variable, but I'm not
sure that it is even working at all since the queue counters do not
increment, I could just be seeing the results of the WFQ.

From the PE side, ppp multilink fragment disable and ppp link reorders
are applied via RADIUS but I do not really believe they are having an effect
since I'm still seeing re-order counters.
(vtemplate clone applies the attributes, but assume they are being ignored)


CE is 12.4(15)T7 and PE is 12.4(19)

Am assuming that I'm doing this correctly as there should be no need for a
shaper (not that it is accepted anyway) since we can create ATM backpressure
from the ATM interfaces when I reduce the TX ring size.

Any suggestions appreciated.

Regards,
 


David Freedman
Group Network Engineering 
Claranet Limited
http://www.clara.net

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
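One way to check captures like the two above across every bundle member, as an added example (not code from David's post, nor anything from IOS): parse the filtered show policy-map output and report the classes whose queueing counters stay at zero while the interface itself forwards traffic. The sample captures are constructed from the two quoted above; the `default` row is read as the WRED per-DSCP table row (transmitted pkts/bytes, then random-drop and tail-drop pkts/bytes), which is an assumption taken from the column layout rather than something the post states.

```python
"""Parse filtered 'show policy-map interface' output and flag classes that
never queue a packet.  Added example for this thread; not IOS code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the two member-interface captures from the post.
CAPTURES: Dict[str, str] = {
    "a0/0/0.132": (
        "Class-map: REALTIME (match-any)\n"
        "(pkts matched/bytes matched) 0/0\n"
        "Class-map: CRITICAL-DATA (match-any)\n"
        "(pkts matched/bytes matched) 0/0\n"
        "default   0/0   0/0  0/0   20  40\n"
        "1/10\n"
        "Class-map: class-default (match-any)\n"
        "default 268/19832   0/0  0/0   20  40  1/10\n"
    ),
    "a0/1/0.132": (
        "Class-map: REALTIME (match-any)\n"
        "(pkts matched/bytes matched) 0/0\n"
        "Class-map: CRITICAL-DATA (match-any)\n"
        "(pkts matched/bytes matched) 0/0\n"
        "default   0/0   0/0  0/0   20  40\n"
        "1/10\n"
        "Class-map: class-default (match-any)\n"
        "default 270/19980   0/0  0/0   20  40\n"
        "1/10\n"
    ),
}

CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)")
MATCHED_RE = re.compile(r"\(pkts matched/bytes matched\)\s+(\d+)/(\d+)")
# Assumed WRED 'default' row: transmitted pkts/bytes, then any number of
# drop pkts/bytes pairs (random drop, tail drop); thresholds are ignored.
WRED_RE = re.compile(r"^\s*default\s+(\d+)/(\d+)((?:\s+\d+/\d+)*)")


@dataclass
class ClassStats:
    name: str
    matched: Optional[Tuple[int, int]] = None      # queueing counters
    transmitted: Optional[Tuple[int, int]] = None  # WRED default row
    dropped: int = 0                               # sum of drop pkts


def parse_policy_map(text: str) -> Dict[str, ClassStats]:
    """Attribute each counter line to the Class-map that precedes it."""
    classes: Dict[str, ClassStats] = {}
    current: Optional[ClassStats] = None
    for line in text.splitlines():
        if m := CLASS_RE.match(line):
            current = ClassStats(m.group(1))
            classes[current.name] = current
        elif current is None:
            continue
        elif m := MATCHED_RE.search(line):
            current.matched = (int(m.group(1)), int(m.group(2)))
        elif m := WRED_RE.match(line):
            current.transmitted = (int(m.group(1)), int(m.group(2)))
            current.dropped = sum(int(p.split("/")[0]) for p in m.group(3).split())
    return classes


def idle_classes(classes: Dict[str, ClassStats]) -> List[str]:
    """Classes whose queueing counters show that nothing was ever queued."""
    return [c.name for c in classes.values() if c.matched == (0, 0)]


def carries_traffic(classes: Dict[str, ClassStats]) -> bool:
    """True when at least one class queued or transmitted packets."""
    return any((c.matched or (0, 0))[0] > 0 or (c.transmitted or (0, 0))[0] > 0
               for c in classes.values())


def diagnose(captures: Dict[str, str]) -> Dict[str, List[str]]:
    """Per member interface: classes never queued although traffic flows."""
    report: Dict[str, List[str]] = {}
    for intf, text in captures.items():
        classes = parse_policy_map(text)
        if carries_traffic(classes):
            idle = idle_classes(classes)
            if idle:
                report[intf] = idle
    return report


if __name__ == "__main__":
    for intf, idle in diagnose(CAPTURES).items():
        print(f"{intf}: traffic flows, but nothing was ever queued into {', '.join(idle)}")
```

On the captures above this reports REALTIME and CRITICAL-DATA as idle on both members while class-default transmits, which is the symptom the post describes; the same parser can be pointed at unfiltered output, since it only keys on the Class-map, pkts-matched and WRED default lines.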


[c-nsp] NAT/ACL options in a PIX

2008-08-26 Thread John Ramz
Version 6.3.5
PIX 515

We have been assigned 25 Public IP addresses by our ISP and I want to administer 
them in the most efficient way.

We get a lot of requests for external access to different hosts in our private 
network. For example:

Public trusted IP address requesting access: P.P.P.2
Public IP address assigned by ISP: Q.Q.Q.10
Internal host IP: 10.10.10.111
port 80 or 8080 (http://10.10.10.111/site:8080

So far every time we get a request we do this:

static (inside,outside) Q.Q.Q.10 10.10.10.111 netmask 255.255.255.255 0 0
access-list ACL_NAME permit tcp host P.P.P.2 host Q.Q.Q.10 eq 8080

QUESTION
1- Is it possible to do what I believe is called PAT and reuse the same public 
ip address (Q.Q.Q.10) when I get a second request to access a DIFFERENT 
host (10.10.10.112) and redirect them to port 8081, for example? If possible, how?



Today I got a request to allow access to an internal host(10.10.10.110) that I 
have already mapped with this public IP: Q.Q.Q.9 . The source ip address is: 
P.P.P.3 . These are the statements already in the PIX:

static (inside,outside) Q.Q.Q.9 10.10.10.110 netmask 255.255.255.255 0 0
access-list ACL_NAME permit tcp host P.P.P.1 host Q.Q.Q.9 eq 8080

I need to allow P.P.P.3 to access the same internal host (Q.Q.Q.9). I tried to 
assign a different Public ip address (Q.Q.Q.11) but I got this message:

ERROR: duplicate of existing static

QUESTION
2- Is there any way to allow 2 IP addresses to access the same host on the same 
port (it could be different)?

I appreciate any help since I am a beginner on this subject


Thanks

John





  
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] NAT/ACL options in a PIX

2008-08-26 Thread John Ramz
--CORRECTION---

As a part of my 2nd question I made a mistake on the internal host IP. This is 
the correction:

I need to allow P.P.P.3 to access the same internal host
(10.10.10.110). I tried to assign a different Public ip
address (Q.Q.Q.11)...


Thanks 



--- On Tue, 8/26/08, John Ramz [EMAIL PROTECTED] wrote:

 From: John Ramz [EMAIL PROTECTED]
 Subject: NAT/ACL options  in a PIX
 To: cisco-nsp@puck.nether.net
 Date: Tuesday, August 26, 2008, 9:21 PM
  
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] NAT/ACL options in a PIX

2008-08-26 Thread Vinny Abello
Correct, you are doing NAT as a straight 1 to 1 translation for traffic. Using 
PAT, you can specify either TCP or UDP traffic and the outside and inside port 
numbers. This is still accomplished with the static statement. You'll still 
need the access-list entry as well unless you have another rule already 
covering it.

I'm confused though... If you need a different external host to access an 
internal server, why can't you reuse the same outside address in the 
translation? The PIX does extended translation automatically. Just add it to 
the access-list, or did I misunderstand?

If you are doing this on a different port and want to map various ports on one 
external IP to different internal hosts or ports, you can do this as well with 
the static statement:

static (inside,outside) tcp 1.2.3.4 8080 10.10.10.110 8081 netmask 
255.255.255.255 0 0

This maps traffic that matches TCP port 8080 hitting the outside address of 
1.2.3.4 to port 8081 on internal IP 10.10.10.110.

I wasn't quite clear with your alphanumeric examples, but I hope this helps. I 
believe you truly just want to keep adding more entries to your access-list. 
Once you have a translation be it NAT or PAT defined, the access control is 
done through the access-list at that point.

-Vinny

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:cisco-nsp-
 [EMAIL PROTECTED] On Behalf Of John Ramz
 Sent: Tuesday, August 26, 2008 10:32 PM
 To: cisco-nsp@puck.nether.net
 Subject: [c-nsp] NAT/ACL options in a PIX

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
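To make Vinny's two points concrete for John's questions 1 and 2, here is an added example (not code from the thread, and not Cisco code): a small Python model of PIX 6.3 static NAT, port static PAT and inbound access-list evaluation. The addresses are constructed from RFC 5737 documentation ranges in place of P.P.P.x and Q.Q.Q.x; the duplicate-static rule and the ordering of port statics before a 1:1 static are the model's own assumptions about PIX behaviour, simplified for illustration.

```python
"""Toy model of PIX 6.3 'static' (1:1 NAT and port PAT) plus inbound ACL
evaluation.  Added example for this thread; a simplification, not Cisco code.
All addresses are constructed from RFC 5737 documentation ranges."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Static:
    outside: str
    inside: str
    proto: Optional[str] = None     # None: 1:1 NAT, every port
    out_port: Optional[int] = None
    in_port: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: str                        # host address or 'any'
    dst: str                        # outside address: PIX 6.x ACLs name the global IP
    port: Optional[int]             # None: any port


class DuplicateStatic(Exception):
    """Stands in for the PIX reply 'ERROR: duplicate of existing static'."""


STATIC_PAT = re.compile(r"^static \(inside,outside\) (tcp|udp) (\S+) (\d+) (\S+) (\d+) netmask")
STATIC_NAT = re.compile(r"^static \(inside,outside\) (\S+) (\S+) netmask")
ACE_RE = re.compile(r"^access-list \S+ (permit|deny) (\w+) (?:host (\S+)|(any)) "
                    r"(?:host (\S+)|(any))(?: eq (\d+))?$")


class Pix:
    def __init__(self) -> None:
        self.statics: List[Static] = []
        self.acl: List[Ace] = []

    def configure(self, line: str) -> None:
        """Accept the static and access-list forms used in the thread."""
        if m := STATIC_PAT.match(line):
            proto, out, oport, ins, iport = m.groups()
            self._add_static(Static(out, ins, proto, int(oport), int(iport)))
        elif m := STATIC_NAT.match(line):
            self._add_static(Static(*m.groups()))
        elif m := ACE_RE.match(line):
            action, proto, sh, sa, dh, da, port = m.groups()
            self.acl.append(Ace(action, proto, sh or sa, dh or da, int(port) if port else None))
        else:
            raise ValueError("unsupported line: " + line)

    def _add_static(self, new: Static) -> None:
        # Assumed rule: an inside host gets only one 1:1 static, and an outside
        # (address, proto, port) may be claimed only once.
        for old in self.statics:
            same_inside = old.inside == new.inside and None in (old.proto, new.proto)
            same_outside = (old.outside, old.proto, old.out_port) == (new.outside, new.proto, new.out_port)
            if same_inside or same_outside:
                raise DuplicateStatic("ERROR: duplicate of existing static")
        self.statics.append(new)

    def translate(self, proto: str, dst: str, dport: int) -> Optional[Tuple[str, int]]:
        """Inbound: port statics are tried before a 1:1 static for the address."""
        for s in self.statics:
            if (s.proto, s.outside, s.out_port) == (proto, dst, dport):
                return s.inside, s.in_port
        for s in self.statics:
            if s.proto is None and s.outside == dst:
                return s.inside, dport
        return None

    def acl_permits(self, proto: str, src: str, dst: str, dport: int) -> bool:
        """First matching entry wins; no match is the implicit deny."""
        for a in self.acl:
            if (a.proto in (proto, "ip") and a.src in (src, "any")
                    and a.dst in (dst, "any") and a.port in (dport, None)):
                return a.action == "permit"
        return False

    def inbound(self, proto: str, src: str, dst: str, dport: int) -> Optional[Tuple[str, int]]:
        """Where a permitted outside connection lands inside; None when dropped."""
        if not self.acl_permits(proto, src, dst, dport):
            return None
        return self.translate(proto, dst, dport)


def demo() -> dict:
    pix = Pix()
    # Q1: one outside address fronts two inside hosts, told apart by outside port.
    pix.configure("static (inside,outside) tcp 203.0.113.10 8080 10.10.10.111 8080 netmask 255.255.255.255 0 0")
    pix.configure("static (inside,outside) tcp 203.0.113.10 8081 10.10.10.112 8080 netmask 255.255.255.255 0 0")
    pix.configure("access-list ACL_NAME permit tcp host 198.51.100.2 host 203.0.113.10 eq 8080")
    pix.configure("access-list ACL_NAME permit tcp host 198.51.100.2 host 203.0.113.10 eq 8081")
    # Q2: one 1:1 static; a second trusted source gets an ACL entry, not a second static.
    pix.configure("static (inside,outside) 203.0.113.9 10.10.10.110 netmask 255.255.255.255 0 0")
    pix.configure("access-list ACL_NAME permit tcp host 198.51.100.1 host 203.0.113.9 eq 8080")
    pix.configure("access-list ACL_NAME permit tcp host 198.51.100.3 host 203.0.113.9 eq 8080")
    try:
        pix.configure("static (inside,outside) 203.0.113.11 10.10.10.110 netmask 255.255.255.255 0 0")
        rejected = ""
    except DuplicateStatic as err:
        rejected = str(err)
    return {
        "q1_port_8080": pix.inbound("tcp", "198.51.100.2", "203.0.113.10", 8080),
        "q1_port_8081": pix.inbound("tcp", "198.51.100.2", "203.0.113.10", 8081),
        "q1_untrusted_src": pix.inbound("tcp", "198.51.100.9", "203.0.113.10", 8080),
        "q2_first_src": pix.inbound("tcp", "198.51.100.1", "203.0.113.9", 8080),
        "q2_second_src": pix.inbound("tcp", "198.51.100.3", "203.0.113.9", 8080),
        "q2_other_port": pix.inbound("tcp", "198.51.100.3", "203.0.113.9", 22),
        "second_static": rejected,
    }
```

Running `demo()` shows one outside address serving two inside hosts on different outside ports, a second trusted source admitted by an extra access-list entry on the existing translation, and the second 1:1 static for an already-mapped inside host rejected the way John's PIX rejected it. The 1:1 static in Q2 would translate any port, so it is the access-list alone that keeps port 22 closed: once the translation exists, the access control lives entirely in the access-list, which is Vinny's closing point.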


Re: [c-nsp] DMVPN breaks when IPSEC protection is applied to tunnels

2008-08-26 Thread Nic Tjirkalli

Howdy ho,


How about putting on the outbound to make sure that you are sending it to
the hub?

good idea - add this to the hub router :-

adsl-nhrp-hub#show access-lists  check_packets_in
Extended IP access list check_packets_in
10 permit ahp any any
20 permit esp any any
30 permit udp any eq isakmp any eq isakmp
40 permit ip any any

interface Virtual-PPP1
ip access-group check_packets_in out

just to make sure all was reset and applied, I reloaded the hub router and
both spoke routers and looking at the ACL after a few minutes of all the
routers coming up :-
adsl-nhrp-hub#show access-lists  check_packets_in
Extended IP access list check_packets_in
10 permit ahp any any
20 permit esp any any
30 permit udp any eq isakmp any eq isakmp
40 permit ip any any

no matches. I doubt this can be accurate - at least there should be
IP matches as NHRP is up :-
10.0.0.2/32 via 10.0.0.2, Tunnel0 created 00:01:15, expire 00:00:44
  Type: dynamic, Flags: authoritative unique registered used
  NBMA address: 41.195.37.174
10.0.0.3/32 via 10.0.0.3, Tunnel0 created 00:05:20, expire 00:00:45
  Type: dynamic, Flags: authoritative unique registered
  NBMA address: 41.195.37.191

from routing table on hub, traffic to NHRP neighbours should be going out
of Virtual-PPP1

adsl-nhrp-hub#show ip route 
Gateway of last resort is 0.0.0.0 to network 0.0.0.0


 196.30.121.0/32 is subnetted, 1 subnets
S   196.30.121.42 is directly connected, Dialer1
 172.16.0.0/32 is subnetted, 1 subnets
C   172.16.1.1 is directly connected, Loopback0
 196.47.0.0/32 is subnetted, 1 subnets
C   196.47.0.204 is directly connected, Virtual-PPP1
 10.0.0.0/24 is subnetted, 1 subnets
C   10.0.0.0 is directly connected, Tunnel0
 41.0.0.0/32 is subnetted, 2 subnets
C   41.195.37.199 is directly connected, Dialer1
C   41.195.37.129 is directly connected, Dialer1
S*   0.0.0.0/0 is directly connected, Virtual-PPP1


thanx




On Tue, Aug 26, 2008 at 1:37 AM, Nic Tjirkalli 
[EMAIL PROTECTED] wrote:


Howdy ho,


 Maybe try to put in an ACL or could use netflow for this as well...

ip access-list extend check_packets_in
permit esp any any
permit udp any eq isakmp any eq isakmp
permit ip any any
interface dialer 1
ip access-group check_packets_in in

To see if ESP coming in to your spoke router.


good suggestion but now I am even more confused

created acl as follows and applied to dialer 1 in :-
interface Dialer1
 ip access-group check_packets_in in

but there are no matches at all - not even IP:
nhrp-spoke-2#show access-lists check_packets_in
Extended IP access list check_packets_in
   10 permit ahp any any
   20 permit esp any any
   30 permit udp any eq isakmp any eq isakmp
   40 permit ip any any


`:wq``





-Luan



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nic Tjirkalli
Sent: Monday, August 25, 2008 3:40 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] DMVPN breaks when IPSEC protection is applied to
tunnels

howdy ho all,

thanx to those who sent through suggestions on how to get the IPSEC to work
- the ideas were :- try mode transport
:- don't use wildcard for the secret

so i changed the hub and spoke as follows :-
crypto ipsec transform-set 3DES_MD5 esp-aes esp-md5-hmac
 mode transport

crypto isakmp key CISCO address 41.195.37.0 255.255.255.0
crypto isakmp key CISCO address 196.47.0.204 255.255.255.0


also same symptoms
- crypto comes up
- hub reports IPSEC encaps and decaps
- spoke sites report 0 decaps for IPSEC and no errors


any other ideas?

thanx




howdy ho all,

Was hoping I could use this forum to get some direction on resolving a
strange issue I have with a DMVPN setup.

All works 100% if I do not protect the tunnels with IPSEC. As soon as I
enable IPSEC the tunnels stop passing traffic.


The setup :-


All routers are CISCO 1841 platforms. The IOS image is :-
C1841-ADVIPSERVICESK9-M
c1841-advipservicesk9-mz.124-21.bin


HUB Router
--
HUB router connects via ADSL (a PPPOE session over ethernet) and then fires
up an L2TP tunnel to obtain a static IP address.

The IP address allocated to the L2TP interface is 196.47.0.204
(Virtual-PPP1)


This IP address is the NHS. All connections to/from the hub
use the address of 196.47.0.204.

Tunnel interface on the hub router is 10.0.0.1


Spoke Router

The Spoke router (there are 2, I am just showing one) connects via ADSL
(a PPPOE session over ethernet) and obtains a dynamic IP address. The spoke
routers use Dialer1 as their interface into the NHRP cloud.

NHRP comes up and if I do not use IPSEC encryption on the Tunnel
interface
ie do not add the command tunnel protection ipsec profile DMVPN
on Tunnel0

Tunnel interface on the hub router is 10.0.0.3
all works perfectly.


The Problem
===

When I enable IPSEC encryption on the tunnel interfaces on all routers
then things break. I have tried with both 3DES