[c-nsp] Allow VTY access by telnet and ssh
Dear all,

Please advise if there is any configuration template to enable both telnet and ssh to have access right into router VTY lines.

Regards,
Tony

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Dashboard Network Monitoring Software
oh yes most definitely. If it's too rough as well, check out zabbix and there is one more I can't remember (let me google this) ah yes Zenoss which can integrate with google maps

Cheers

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Riemer
Sent: Friday, 5 September 2008 2:33 p.m.
To: James Baker
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Dashboard Network Monitoring Software

Hi James,

Yes I thought about nagios. Is it possible to put your own background map in and then position nodes on the map?

Thanks for the suggestion.

Cheers,
Aaron.

-----Original Message-----
From: James Baker [mailto:[EMAIL PROTECTED]
Sent: Friday, 5 September 2008 10:17 AM
To: Aaron Riemer; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] Dashboard Network Monitoring Software

Nagios. Look at setting up the 2d Status map.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Riemer
Sent: Friday, 5 September 2008 1:00 p.m.
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Dashboard Network Monitoring Software

Hi Guys,

Is anyone out there using any open source or free dashboard network monitoring software? I would like to have a map background with our sites and possibly blink the sites RED if the site stopped responding to pings or SNMP queries etc? I know Solarwinds and HP Openview are good but we are not willing to shell out the money just for a dashboard.

Cheers,
Aaron.
Re: [c-nsp] Allow VTY access by telnet and ssh
tony kam wrote:
> Dear all,
> Please advise if there is any configuration template to enable both telnet and ssh to have access right into router VTY lines.

What do you mean by "right into"?

--
Alex Balashov
Evariste Systems
Web: http://www.evaristesys.com/
Tel: (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (706) 338-8599
Re: [c-nsp] VoIP classifying and queuing in an access switch -- core Layer 2 network
If the switch is purely Layer 2, it would be difficult to classify VoIP traffic ipso facto, as the factors that differentiate it from other kinds of traffic are, by definition, >= Layer 3.

About the only thing you can do there is use segregated VLANs, and/or take advantage of the native voice VLAN feature of certain Catalysts:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2940/software/release/12.1_19_ea1/configuration/guide/swvoip.html

Grant Moerschel wrote:
> In an access switch to core where the connections are Layer 2, what is the best method to a) classify voip traffic as it enters the access switch and b) prioritize it via some queuing mechanism as it traverses the trunk going to the core?
>
> Does anyone have sample configs for something like this?
>
> Pc - phone - access switch - core switch. Priority to VoIP traffic on trunks.

--
Alex Balashov
Evariste Systems
Web: http://www.evaristesys.com/
Tel: (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (706) 338-8599
Re: [c-nsp] Recommended 2800 ISR
Jay Nakamura wrote:
> What about going with an ASA? Much more performance for the money. But it depends on what all you want to do on the router.

IOS is a lot more flexible on what you can do. But, an ASA or PIX is far more optimised for NAT and ACL duty.

--
Alex Balashov
Evariste Systems
Web: http://www.evaristesys.com/
Tel: (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (706) 338-8599
Re: [c-nsp] Dashboard Network Monitoring Software
Try Opsview. Very nice clean GUI for nagios, nagiosgraph, and MRTG.

Aaron Riemer wrote:
> Hi James,
>
> Yes I thought about nagios. Is it possible to put your own background map in and then position nodes on the map?
>
> Thanks for the suggestion.
>
> Cheers,
> Aaron.
>
> -----Original Message-----
> From: James Baker [mailto:[EMAIL PROTECTED]
> Sent: Friday, 5 September 2008 10:17 AM
> To: Aaron Riemer; cisco-nsp@puck.nether.net
> Subject: RE: [c-nsp] Dashboard Network Monitoring Software
>
> Nagios. Look at setting up the 2d Status map.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Riemer
> Sent: Friday, 5 September 2008 1:00 p.m.
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] Dashboard Network Monitoring Software
>
> Hi Guys,
>
> Is anyone out there using any open source or free dashboard network monitoring software? I would like to have a map background with our sites and possibly blink the sites RED if the site stopped responding to pings or SNMP queries etc? I know Solarwinds and HP Openview are good but we are not willing to shell out the money just for a dashboard.
>
> Cheers,
> Aaron.
Re: [c-nsp] RTP port
Tseveendorj Ochirlantuu wrote:
> Is it possible to choose the RTP port on AS5350XM? For example: don't use all ports 16000-6 on gateway. Only use between 16000-17000.

Not natively, but you could probably do this using NAT on the outgoing interfaces. Although, for various performance reasons, I think you would not want to.

--
Alex Balashov
Evariste Systems
Web: http://www.evaristesys.com/
Tel: (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (706) 338-8599
Re: [c-nsp] Allow VTY access by telnet and ssh
It meant users can use either telnet or ssh client to log into router VTY lines. Besides, I think it is possible to use ACL to control which user group can use telnet and which user group can use ssh. Please advise if you have such sample configuration.

> Date: Fri, 5 Sep 2008 02:25:18 -0400
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> CC: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] Allow VTY access by telnet and ssh
>
> tony kam wrote:
> > Dear all,
> > Please advise if there is any configuration template to enable both telnet and ssh to have access right into router VTY lines.
>
> What do you mean by "right into"?
>
> --
> Alex Balashov
> Evariste Systems
> Web : http://www.evaristesys.com/
> Tel : (+1) (678) 954-0670
> Direct : (+1) (678) 954-0671
> Mobile : (+1) (706) 338-8599
Re: [c-nsp] Allow VTY access by telnet and ssh
All logins are on VTYs, so that qualification is not needed.

Check out:

http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/mgaccess.html

tony kam wrote:
> It meant users can use either telnet or ssh client to log into router VTY lines. Besides, I think it is possible to use ACL to control which user group can use telnet and which user group can use ssh. Please advise if you have such sample configuration.
>
> > Date: Fri, 5 Sep 2008 02:25:18 -0400
> > From: [EMAIL PROTECTED]
> > To: [EMAIL PROTECTED]
> > CC: cisco-nsp@puck.nether.net
> > Subject: Re: [c-nsp] Allow VTY access by telnet and ssh
> >
> > tony kam wrote:
> > > Dear all,
> > > Please advise if there is any configuration template to enable both telnet and ssh to have access right into router VTY lines.
> >
> > What do you mean by "right into"?

--
Alex Balashov
Evariste Systems
Web: http://www.evaristesys.com/
Tel: (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (706) 338-8599
[c-nsp] WebVPN via RADIUS - how to identify by group?
Howdy all,

Anyone know if it's possible to get an ASA to spit out the group name in an av-pair via radius when authenticating a user? (in this case webvpn).

The issue I'm having is multiple clients on the one ASA authenticating via IAS/AD and the possibility of overlapping usernames between clients (groups). I need another identifier from the ASA to auth them against other than user/pass, ie group would be perfect.

Any ideas?

Cheers
Ben
Re: [c-nsp] Allow VTY access by telnet and ssh
Whoops, that was for ASAs. Try:

http://articles.techrepublic.com.com/5100-10878_11-5875046.html
http://www.cisco.com/en/US/products/sw/iosswrel/ps1818/products_configuration_example09186a0080204528.shtml

Alex Balashov wrote:
> All logins are on VTYs, so that qualification is not needed.
>
> Check out:
>
> http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/mgaccess.html
>
> tony kam wrote:
> > It meant users can use either telnet or ssh client to log into router VTY lines. Besides, I think it is possible to use ACL to control which user group can use telnet and which user group can use ssh. Please advise if you have such sample configuration.
> >
> > > Date: Fri, 5 Sep 2008 02:25:18 -0400
> > > From: [EMAIL PROTECTED]
> > > To: [EMAIL PROTECTED]
> > > CC: cisco-nsp@puck.nether.net
> > > Subject: Re: [c-nsp] Allow VTY access by telnet and ssh
> > >
> > > tony kam wrote:
> > > > Dear all,
> > > > Please advise if there is any configuration template to enable both telnet and ssh to have access right into router VTY lines.
> > >
> > > What do you mean by "right into"?

--
Alex Balashov
Evariste Systems
Web: http://www.evaristesys.com/
Tel: (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (706) 338-8599
[c-nsp] CF format problems on 6500/7600 SUP720-3BXL
hi all,

firstly I've read the threads about monlib etc. I tend to make it standard practice to format the flash card in whatever chassis it is currently in before use, however in this case, I can't even format the flash cards.

we are talking about genuine sandisk 1GB which seem to work ok elsewhere but in the 6500/7600 SUP720-3BXL based platforms everything appears fine until you go to format the card and then you get this:

Router#format disk1:
Format operation may take a while. Continue? [confirm]
Format operation will destroy all data in disk1:. Continue? [confirm]
%Error formatting disk1 (Format failure - Drive Communication)

and then the CF card promptly disappears:

Router#dir disk1:
%Error opening disk1:/ (No such device)
Router#sh plat hard cap | i disk
1 SP disk0: 128151552 78741504 61%

I have tried formatting these CF cards on other routers eg 7301, 1841, bring them over to the SUP720, they look fine, but the moment you go to re-format - splat.

I have tried formatting these CF cards on a PC using a CF card reader, again they look fine, but again splat.

now, what is REALLY weird: I format these CF cards on a Canon EOS 400D digital SLR and they work just fine in the SUP720:

Router#sh disk1:
-#- --length-- -----date/time------ path
1            0  Sep 02 2008 15:43:54  DCIM
2            0  Sep 02 2008 15:43:54  DCIM/217CANON

260796416 bytes available (8192 bytes used)

Router#dir disk1:/DCIM/217CANON/
Directory of disk1:/DCIM/217CANON/

No files in directory

260804608 bytes total (260796416 bytes free)

Router#format disk1:
Format operation may take a while. Continue? [confirm]
Format operation will destroy all data in disk1:. Continue? [confirm]
Format: Drive communication 1st Sector Write OK...
Writing Monlib sectors.
Monlib Version= 2(0.2)
...
Monlib write complete .
Format: All system sectors written. OK...
Format: Total sectors in formatted partition: 510281
Format: Total bytes in formatted partition: 261263872
Format: Operation completed successfully.
Format of disk1 complete

very confused...
Re: [c-nsp] Allow VTY access by telnet and ssh
On Fri, 2008-09-05 at 14:08 +0800, tony kam wrote:
> Dear all,
> Please advise if there is any configuration template to enable both telnet and ssh to have access right into router VTY lines.

...
line vty x y
 transport input telnet ssh
...

hth,
roy
Re: [c-nsp] VoIP classifying and queuing in an access switch -- core Layer 2 network
Alex Balashov wrote on Friday, September 05, 2008 8:28 AM:
> If the switch is purely Layer 2, it would be difficult to classify VoIP traffic ipso facto, as the factors that differentiate it from other kinds of traffic are, by definition, >= Layer 3.

Well, even a Layer 2 switch can classify based on L3 information, most of today's (and yesterday's) Cat2xxx/3xxx support this. I would recommend looking at the Enterprise QoS solution reference at www.cisco.com/go/srnd for plenty of examples for various access switch platforms.

oli

> About the only thing you can do there is use segregated VLANs, and/or take advantage of the native voice VLAN feature of certain Catalysts:
>
> http://www.cisco.com/en/US/docs/switches/lan/catalyst2940/software/release/12.1_19_ea1/configuration/guide/swvoip.html
>
> Grant Moerschel wrote:
> > In an access switch to core where the connections are Layer 2, what is the best method to a) classify voip traffic as it enters the access switch and b) prioritize it via some queuing mechanism as it traverses the trunk going to the core?
> >
> > Does anyone have sample configs for something like this?
> >
> > Pc - phone - access switch - core switch. Priority to VoIP traffic on trunks.
Re: [c-nsp] Dashboard Network Monitoring Software
Also take a look at Zenoss www.zenoss.org

Aaron

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp-[EMAIL PROTECTED] On Behalf Of Daniel Hooper
Sent: Friday, 5 September 2008 12:55 PM
To: Aaron Riemer
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Dashboard Network Monitoring Software

www.nagios.org

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Riemer
Sent: Friday, 5 September 2008 9:00 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Dashboard Network Monitoring Software

Hi Guys,

Is anyone out there using any open source or free dashboard network monitoring software? I would like to have a map background with our sites and possibly blink the sites RED if the site stopped responding to pings or SNMP queries etc? I know Solarwinds and HP Openview are good but we are not willing to shell out the money just for a dashboard.

Cheers,
Aaron.
Re: [c-nsp] c7604 starter kit
MPLS TE should be in RLS3; probably EoMPLS too.

--
Tassos

Ben Steele wrote on 05/09/2008 07:45:
> I'm pretty sure it is scheduled for release in an upcoming update, I know there was lots of hmmm's when I saw the list of current unsupported technologies during our company's presentation, but I seem to recall most of them set for release in the future, I mean it would be ridiculous to never support mpls-te on the ASR.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Tinka
> Sent: Friday, 5 September 2008 11:45 AM
> To: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] c7604 starter kit
>
> On Friday 05 September 2008 01:09:28 Saku Ytti wrote:
> > L3 VPN yes, TE no sure.
>
> According to FN, MPLS-TE is unsupported. Quite surprising, actually...
>
> Mark.
Re: [c-nsp] VoIP classifying and queuing in an access switch -- core Layer 2 network
Oliver Boehmer (oboehmer) wrote:
> Alex Balashov wrote on Friday, September 05, 2008 8:28 AM:
> > If the switch is purely Layer 2, it would be difficult to classify VoIP traffic ipso facto, as the factors that differentiate it from other kinds of traffic are, by definition, >= Layer 3.
>
> Well, even a Layer 2 switch can classify based on L3 information, most of today's (and yesterday's) Cat2xxx/3xxx support this. I would recommend looking at the Enterprise QoS solution reference at www.cisco.com/go/srnd for plenty of examples for various access switch platforms.

Really... I wasn't aware Layer 2 devices had DiffServ/DSCP awareness. I stand corrected, then!

--
Alex Balashov
Evariste Systems
Web: http://www.evaristesys.com/
Tel: (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (706) 338-8599
Re: [c-nsp] Allow VTY access by telnet and ssh
Hi,

> Please advise if there is any configuration template to enable both telnet and ssh to have access right into router VTY lines.

Do you mean like this, or are you talking about something else?

!
line vty 0 4
 transport input telnet ssh
!
crypto key generate rsa general-keys modulus 2048
!

--
Regards
Christian Bering
[c-nsp] FWSM failover transparent mode
Just upgraded our FWSM to version 3.1.11 after 3 random crashes in a month. Now we are thinking about buying a second FWSM to do failover in order to limit downtime and facilitate upgrades: most of our servers are connected to the 6513 carrying this FWSM.

We use the 2 standard virtual contexts of the FWSM, both in transparent mode, 8 bridged vlans on one, 2 bridged vlans on the second.

In the release notes of 3.1.11 I however read under Open Caveats CSCm73157: Failover is not working in transparent mode...

Anyone has experience with FWSM failover in transparent mode? Does this really not work? Does it work under 3.2 or 4.0?

Any info would be appreciated before we invest more than 15K Euros...

Wim Holemans
Netwerkdienst Universiteit Antwerpen
[c-nsp] disabling 3750 mac address learning
Noticed that the 3750 ios 12.2(46)SE release supports the disabling of mac address learning per vlan. Does anyone have any experience with this release yet? The feature seems to have been introduced earlier in the 3650s and has obviously been in ME switches for a while.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_46_se/command/reference/cli1.html#wp10289393

Paul.

--
HEAnet Limited
Ireland's Education & Research Network
5 George's Dock, IFSC, Dublin 1, Ireland
Tel: +353.1.6609040
Web: http://www.heanet.ie
Company registered in Ireland: 275301
Re: [c-nsp] Allow VTY access by telnet and ssh
I think more specifically, he wanted to be able to permit a particular group of users to use telnet and another to use ssh. While I'm not sure why it'd be good to use telnet when ssh is available, I suppose it would be possible to apply an ACL on the VTYs to deny access to telnet/ssh as required.

On Fri, Sep 5, 2008 at 3:20 PM, Jay Hennigan [EMAIL PROTECTED] wrote:
> tony kam wrote:
> > Dear all,
> > Please advise if there is any configuration template to enable both telnet and ssh to have access right into router VTY lines.
>
> Did you try:
>
> line vty 0 4
>  transport input telnet ssh
>
> The number of vty lines may be different depending on platform and IOS, for example, line vty 0 15.

--
Ang Kah Yik
Re: [c-nsp] Allow VTY access by telnet and ssh
Ang Kah Yik wrote:
> I think more specifically, he wanted to be able to permit a particular group of users to use telnet and another to use ssh. While I'm not sure why it'd be good to use telnet when ssh is available, I suppose it would be possible to apply an ACL on the VTYs to deny access to telnet/ssh as required.

I haven't tried it, but it might be possible to use an extended ACL for this.

ip access-list extended vty-list
 permit tcp 1.1.1.0 0.0.0.255 any eq 22
 permit tcp 2.2.2.0 0.0.0.255 any eq 23

line vty 0 4
 transport input telnet ssh
 access-class vty-list in

--
Jay Hennigan - CCIE #7880 - Network Engineering - [EMAIL PROTECTED]
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] Allow VTY access by telnet and ssh
I can't see why you should use an extended acl to do that. "transport input telnet ssh" should allow access only through those two protocols, so filtering that through an ACL is a bit redundant in my opinion.

You should be able to use a standard acl like:

ip access-list standard vty
 permit 10.0.0.0 0.0.0.255
 permit 10.1.0.0 0.0.0.255
 deny any log
!
line vty 0 4
 transport input telnet ssh
 access-class vty in
!

That should do it.

Best regards,
Allan Eising

On Fri, Sep 5, 2008 at 12:27 PM, Jay Hennigan [EMAIL PROTECTED] wrote:
> Ang Kah Yik wrote:
> > I think more specifically, he wanted to be able to permit a particular group of users to use telnet and another to use ssh. While I'm not sure why it'd be good to use telnet when ssh is available, I suppose it would be possible to apply an ACL on the VTYs to deny access to telnet/ssh as required.
>
> I haven't tried it, but it might be possible to use an extended ACL for this.
>
> ip access-list extended vty-list
>  permit tcp 1.1.1.0 0.0.0.255 any eq 22
>  permit tcp 2.2.2.0 0.0.0.255 any eq 23
>
> line vty 0 4
>  transport input telnet ssh
>  access-class vty-list in
Re: [c-nsp] Allow VTY access by telnet and ssh
Allan Eising wrote:
> I can't see why you should use an extended acl to do that. "transport input telnet ssh" should allow access only through those two protocols, so filtering that through an ACL is a bit redundant in my opinion.
>
> You should be able to use a standard acl like:
>
> ip access-list standard vty
>  permit 10.0.0.0 0.0.0.255
>  permit 10.1.0.0 0.0.0.255
>  deny any log
> !
> line vty 0 4
>  transport input telnet ssh
>  access-class vty in
> !

The objective was to allow one group to use telnet and another to use ssh. This would require an extended ACL.

Ang Kah Yik wrote:
> I think more specifically, he wanted to be able to permit a particular group of users to use telnet and another to use ssh. While I'm not sure why it'd be good to use telnet when ssh is available, I suppose it would be possible to apply an ACL on the VTYs to deny access to telnet/ssh as required.

--
Jay Hennigan - CCIE #7880 - Network Engineering - [EMAIL PROTECTED]
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
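The two ACL styles argued over in this thread differ in exactly one respect: whether an entry can look at the destination port. As an added illustration (not code from the thread or from Cisco), here is a small Python model of the access-class decision for the two configs posted above; it assumes first-match, implicit-deny semantics, checks only the source address and an "eq" port, and treats an extended entry's destination as the router itself.

```python
"""Model which sources an IOS VTY access-class admits per protocol.

Added example, not from the thread: it models only the match semantics of
the ACL lines shown above (source/wildcard, 'any', 'host', 'eq <port>') and
the 'transport input' / 'access-class ... in' lines of a vty stanza.
"""
import ipaddress
import re

PORTS = {"ssh": 22, "telnet": 23}

# Constructed sample configs, transcribed from the two proposals in the thread.
EXTENDED_CONFIG = """
ip access-list extended vty-list
 permit tcp 1.1.1.0 0.0.0.255 any eq 22
 permit tcp 2.2.2.0 0.0.0.255 any eq 23
!
line vty 0 4
 transport input telnet ssh
 access-class vty-list in
!
"""

STANDARD_CONFIG = """
ip access-list standard vty
 permit 10.0.0.0 0.0.0.255
 permit 10.1.0.0 0.0.0.255
 deny any log
!
line vty 0 4
 transport input telnet ssh
 access-class vty in
!
"""


def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ("0.0.0.0", "255.255.255.255")
    if tok == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (tok, tokens.pop(0))


def parse_entry(line, kind):
    """Turn one permit/deny line into a dict; standard ACLs never carry a port."""
    tokens = line.split()
    entry = {"action": tokens.pop(0), "port": None}
    if kind == "extended":
        tokens.pop(0)                      # protocol keyword, e.g. tcp
        entry["src"] = _take_addr(tokens)
        _take_addr(tokens)                 # destination: the router, not checked
        if tokens[:1] == ["eq"]:
            entry["port"] = int(tokens[1])
    else:
        entry["src"] = _take_addr(tokens)  # a trailing 'log' is ignored
    return entry


def parse_config(text):
    """Collect named ACLs and the vty stanza's transport/access-class settings."""
    acls, vty, current = {}, {"transport": set(), "access_class": None}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"ip access-list (standard|extended) (\S+)$", line)
        if m:
            current = ("acl", m.group(1), m.group(2))
            acls[m.group(2)] = {"kind": m.group(1), "entries": []}
        elif line.startswith("line vty"):
            current = ("vty",)
        elif not line or line == "!":
            current = None
        elif current and current[0] == "acl" and line.split()[0] in ("permit", "deny"):
            acls[current[2]]["entries"].append(parse_entry(line, current[1]))
        elif current == ("vty",) and line.startswith("transport input"):
            vty["transport"] = set(line.split()[2:])
        elif current == ("vty",) and line.startswith("access-class"):
            vty["access_class"] = line.split()[1]
    return acls, vty


def vty_access(config_text, src_ip, protocol):
    """True if a session from src_ip over protocol ('ssh'/'telnet') is accepted."""
    acls, vty = parse_config(config_text)
    if protocol not in vty["transport"] and "all" not in vty["transport"]:
        return False                       # transport input filters first
    if vty["access_class"] is None:
        return True                        # no ACL bound: any source may connect
    for entry in acls[vty["access_class"]]["entries"]:
        if not wildcard_match(src_ip, *entry["src"]):
            continue
        if entry["port"] is not None and entry["port"] != PORTS[protocol]:
            continue
        return entry["action"] == "permit"  # first match wins
    return False                           # implicit deny at the end of every ACL


if __name__ == "__main__":
    for src in ("1.1.1.5", "2.2.2.9", "10.0.0.7", "192.0.2.1"):
        print(src, {p: vty_access(EXTENDED_CONFIG, src, p) for p in PORTS})
```

Run it and the extended ACL yields ssh-only for 1.1.1.0/24 and telnet-only for 2.2.2.0/24, while the standard ACL admits both protocols from every permitted source, which is the distinction the thread turns on.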
Re: [c-nsp] disabling 3750 mac address learning
> Noticed that the 3750 ios 12.2(46)SE release supports the disabling of mac address learning per vlan. Does anyone have any experience with this release yet? The feature seems to have been introduced earlier in the 3650s and has obviously been in ME switches for a while.

The feature has been there longer, in the form of an RSPAN-enabled VLAN.

Steinar Haug, Nethelp consulting, [EMAIL PROTECTED]
Re: [c-nsp] FWSM failover transparent mode
On Fri, 5 Sep 2008, Holemans Wim wrote:
> Just upgraded our FWSM to version 3.1.11 after 3 random crashes in a month. Now we are thinking about buying a second FWSM to do failover in order to limit downtime and facilitate upgrades: most of our servers are connected to the 6513 carrying this FWSM.
>
> In the release notes of 3.1.11 I however read under Open Caveats CSCm73157: Failover is not working in transparent mode...
>
> Anyone has experience with FWSM failover in transparent mode? Does this really not work? Does it work under 3.2 or 4.0?

FWSM failover in transparent mode does work in 3.2. Specifically, 3.2(4) and above. Right now we're running 3.2(6) and 3.2(7) in production.

I want to give the 4.x code more time to 'bake' before I put it in production here. I may try it out in our development lab soon.

jms
Re: [c-nsp] NPE G1, CEF and ACLs and high CPU
But make sure you do:

  config t
  int null 0
  no ip unreachables

The ACL drops are, last I checked, rate limit punts. If it's high CPU at IP Input you really need 12.4(20)T and get a sniffer trace in the punt path to see what traffic it really is.

Rodney

On Thu, Sep 04, 2008 at 03:46:23PM -0400, Stephen Kratzer wrote:
> On Thursday 04 September 2008 15:12:12 Mateusz Błaszczyk wrote:
>> 2008/9/4 Stephen Kratzer :
>>> The 'log' keyword will cause matching packets to not be CEF switched.
>>
>> nope, log is not present.
>>
>>> Also, if you're denying a lot of traffic from a certain source, you might want to just bit-bucket it rather than sending ICMP responses.
>>
>> you mean - no ip unreachables?
>
> You could match the access list in a route map and set the outbound interface to Null0.
Re: [c-nsp] WebVPN via RADIUS - how to identify by group?
You could pass the group as a realm to the RADIUS server by having the users log in as [EMAIL PROTECTED]. The RADIUS server could authenticate them and return a Class=OU=GROUP; attribute to map them properly.

You could also provide a group list to the user:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808bd83d.shtml

I prefer not to do this since it could make enumeration attacks a bit easier, but it has its place.

hope that helps,
Dave

Ben Steele wrote:
> Howdy all,
>
> Anyone know if it's possible to get an ASA to spit out the group name in an av-pair via radius when authenticating a user? (in this case webvpn). The issue I'm having is multiple clients on the one ASA authenticating via IAS/AD and the possibility of overlapping usernames between clients (groups). I need another identifier from the ASA to auth them against other than user/pass, ie group would be perfect.
>
> Any ideas?
>
> Cheers
> Ben

--
David LaPorte, CISSP, CCNP
Security Manager, Network and Server Systems
Harvard University Information Systems
---
Email: [EMAIL PROTECTED]
PGP: 0x4DC3E508 4A1F058DB2B32FEF10A14F6BD370A6AD4DC3E508
Re: [c-nsp] CSS strange behaviour.... Or is it just my config [7:132492]
Hi,

On Fri, Sep 05, 2008 at 09:52:05AM +1000, Brett Clausenhauf wrote:
> I've since tried other ports (Port 23 for example) it still does the same thing. This has got me stumped... I cannot figure out why it needs the group command to stay working.

telnet (xinetd/tcpd) usually does a DNS lookup as well.

As I said: run tcpdump/wireshark to see what sort of outbound connection your machines do. The CSS doesn't need the group section for itself.

gert
--
USENET is *not* the non-clickable part of WWW!          //www.muc.de/~gert/
Gert Doering - Munich, Germany                          [EMAIL PROTECTED]
fax: +49-89-35655025                                    [EMAIL PROTECTED]
Re: [c-nsp] FWSM failover transparent mode
I'm running 3.2(6) fairly well in production. I would go up to 3.2(4) or better.

tv

----- Original Message -----
From: Holemans Wim [EMAIL PROTECTED]
To: cisco-nsp@puck.nether.net
Sent: Friday, September 05, 2008 3:35 AM
Subject: [c-nsp] FWSM failover transparent mode

> Just upgraded our FWSM to version 3.1.11 after 3 random crashes in a month. Now we are thinking about buying a second FWSM to do failover in order to limit downtime and facilitate upgrades: most of our servers are connected to the 6513 carrying this FWSM. We use the 2 standard virtual contexts of the FWSM, both in transparent mode, 8 bridged vlans on one, 2 bridged vlans on the second.
>
> In the release notes of 3.1.11 I however read under Open Caveats CSCm73157: Failover is not working in transparent mode... Does anyone have experience with FWSM failover in transparent mode? Does this really not work? Does it work under 3.2 or 4.0?
>
> Any info would be appreciated before we invest more than 15K Euros...
>
> Wim Holemans
> Netwerkdienst Universiteit Antwerpen
[c-nsp] free WAN emulation software
Hi guys,

Could anyone advise free WAN (wide area network) emulator software? I need to find a solution for the following reason. We have some network applications and we want to know how well these applications work over the WAN with predefined parameters. The better emulator must support operations with more parameters. The main parameters are delay, jitter, throughput, bit errors, packets lost, resequencing etc. I think that this should be a server with two NICs and installed software, so such software is what I'm looking for.
Re: [c-nsp] Recommended 2800 ISR
Cisco actually is pretty honest about the performance of the routers with most/all security features enabled if you go to the QA section of the product pages and click on router model and look for the question "What is the performance of router XX?". At which point, they'll state that a Cisco 3845 can process a single T3 and that the 28xx's performance is measured in multiples of T-1's (with 2851 being 6xT1 and 2801 being 1xT1).

I've done some measuring of 2800/3800 series performance and the statements seem to be borne out. If you have the acl's/inspection/ips enabled, a 3845 really will give out around 50Mbps, even though the router is rated with a raw capacity of ~250Mbps. If you just have reasonable acl's and stateful firewall/inspection features, performance seems to double and you might get ~100Mbps on a 3845 imho, I'd think the ratio would be about the same on a 28xx (2851 - 18Mbps?). Your mileage may vary.

The recommendation to look at ASA's is pretty good and would be cheaper. Otherwise, among the ISR's, a 3825 would be the safe bet.

Regards,
Matt
--
Matthew Marlowe [EMAIL PROTECTED]
DeployLinux Consulting, Inc
Senior Infrastructure Consultant
Direct: 858-217-5730  Office: 888-459-0515  Cell: 805-857-9144  Fax: 858-876-1692
YIM: deploylinuxconsulting
Designing, Securing, and Maintaining Mission Critical Linux Servers for Successful Internet Applications

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Buhrmaster, Gary
Sent: Thursday, September 04, 2008 8:41 PM
To: Dan Letkeman; [EMAIL PROTECTED]; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Recommended 2800 ISR

> I have read that document before, do those numbers (2811 - 61.44mbps CEF Fast switching) mean that it can process that bandwidth with nothing else running on the router?

With the wind behind the bits heading downhill. The first paragraph says:

  Numbers are given with 64 byte packet size, IP only, and are only an indication of raw switching performance. These are testing numbers, usually with FE to FE or POS to POS, no services enabled. As you add ACL's, encryption, compression, etc - performance will decline significantly from the given numbers

The moment you add (for example) NAT or Firewall features, expect significantly less performance. As always, your Mbps will vary and your situation will be unique (and almost never to your benefit).
Re: [c-nsp] free WAN emulation software
The opensource options are dummynet on BSD:
http://info.iet.unipi.it/~luigi/ip_dummynet/

Which is good for emulating links 100Mb or slower, I think it needs patches if you are going to emulate long fat pipes. I used the boot floppy, it is easier to use if you have some unix experience.

or Nistnet on linux (the traffic shaping stuff is now in kernel). But I find it is old, and that netem is better in linux - basically the tc commands:
http://www.linuxfoundation.org/en/Net:Netem

On Fri, Sep 5, 2008 at 7:38 AM, Sergey Voropaev [EMAIL PROTECTED] wrote:
> Hi guys,
>
> Could anyone advise free WAN (wide area network) emulator software? I need to find a solution for the following reason. We have some network applications and we want to know how well these applications work over the WAN with predefined parameters. The better emulator must support operations with more parameters. The main parameters are delay, jitter, throughput, bit errors, packets lost, resequencing etc. I think that this should be a server with two NICs and installed software, so such software is what I'm looking for.
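Sergey's parameter list and the netem pointer in this reply, carried into a runnable script as an added example (not code from either poster): netem_cmd maps a delay/jitter/loss/bit-error/reorder/throughput profile onto the single tc command netem takes, and wan_emulator_up bridges the two NICs of the server Sergey describes. Interface names and all impairment values are assumed.

```shell
#!/bin/sh
# Added example for this thread (not code from any poster): a two-NIC Linux
# box as the WAN emulator asked about, using netem, the in-kernel successor
# to NISTnet that the reply recommends. Interface names (eth0/eth1, br0) and
# every impairment value are made up for illustration.

# netem_cmd IFACE DELAY_MS JITTER_MS LOSS_PCT CORRUPT_PCT REORDER_PCT RATE_KBIT
# Prints the tc command for one impairment profile without running it, so a
# profile can be reviewed (or asserted on) before it touches a live link.
# Pass 0 for any impairment you do not want; each maps onto one netem knob:
#   delay/jitter -> latency, loss -> dropped packets, corrupt -> bit errors,
#   reorder -> resequencing, rate -> throughput cap (netem in kernel >= 3.3).
netem_cmd() {
    iface=$1 delay=$2 jitter=$3 loss=$4 corrupt=$5 reorder=$6 rate=$7
    # netem rejects 'reorder' without a delay: a reordered packet is one
    # that jumps the delay queue, so with 0 ms there is nothing to jump.
    if [ "$reorder" != "0" ] && [ "$delay" = "0" ]; then
        echo "netem_cmd: reorder requires a non-zero delay" >&2
        return 1
    fi
    cmd="tc qdisc replace dev $iface root netem delay ${delay}ms ${jitter}ms"
    [ "$loss" != "0" ]    && cmd="$cmd loss ${loss}%"
    [ "$corrupt" != "0" ] && cmd="$cmd corrupt ${corrupt}%"
    [ "$reorder" != "0" ] && cmd="$cmd reorder ${reorder}%"
    [ "$rate" != "0" ]    && cmd="$cmd rate ${rate}kbit"
    printf '%s\n' "$cmd"
}

# Bridge the two NICs so the box sits transparently in the path (needs root).
# netem shapes egress only, so a profile on eth1 impairs LAN->WAN traffic and
# the reverse direction needs its own profile on eth0.
wan_emulator_up() {
    lan=$1 wan=$2
    ip link add name br0 type bridge
    ip link set "$lan" master br0
    ip link set "$wan" master br0
    ip link set "$lan" up
    ip link set "$wan" up
    ip link set br0 up
}

# Apply a profile (arguments as for netem_cmd) or remove one from an interface.
apply_profile() { eval "$(netem_cmd "$@")"; }
clear_profile() { tc qdisc del dev "$1" root 2>/dev/null; }

# Usage (as root), e.g. a 2 Mbit/s link with 50 ms +/- 10 ms latency,
# 1% loss, 0.1% corrupted packets and 2% reordering:
#   wan_emulator_up eth0 eth1
#   apply_profile eth1 50 10 1 0.1 2 2048
#   apply_profile eth0 50 10 1 0.1 2 2048
#   netem_cmd eth1 50 10 1 0.1 2 2048   # only print what would be applied
```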
Re: [c-nsp] Dashboard Network Monitoring Software
Zenoss has two versions, Zenoss Community (free) and Zenoss Enterprise (not free). The only notable feature, for network management, I see in Zenoss Enterprise is the RANCID ZenPack. The community version is pretty full featured, and looks very cool (I tested it out for a few days). Unfortunately, it is very robust, which translates to a lot of overhead management to get it running properly. Nagios, in comparison, just works, and can be set up relatively quickly.

Is anyone out there using Zenoss for network monitoring? How do you like it?

--
Eric Cables

On Fri, Sep 5, 2008 at 1:50 AM, Aaron Riemer [EMAIL PROTECTED] wrote:
> Zenoss looks cool but it looks like you have to pay for that software :)
>
> Cheers for the ideas.
>
> Aaron.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Daniels - Lists
> Sent: Friday, 5 September 2008 2:45 PM
> To: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] Dashboard Network Monitoring Software
>
> Also take a look at Zenoss www.zenoss.org
>
> Aaron
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:cisco-nsp- [EMAIL PROTECTED] On Behalf Of Daniel Hooper
> Sent: Friday, 5 September 2008 12:55 PM
> To: Aaron Riemer
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] Dashboard Network Monitoring Software
>
> www.nagios.org
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Riemer
> Sent: Friday, 5 September 2008 9:00 AM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] Dashboard Network Monitoring Software
>
> Hi Guys,
>
> Is anyone out there using any open source or free dashboard network monitoring software? I would like to have a map background with our sites and possibly blink the sites RED if the site stopped responding to pings or SNMP queries etc? I know Solarwinds and HP Openview are good but we are not willing to shell out the money just for a dashboard.
>
> Cheers,
> Aaron.
Re: [c-nsp] Recommended 2800 ISR
I have two 2811s with a full view on each and partial for ibgp, no issues.

Justin M. Streiner wrote:
> On Thu, 4 Sep 2008, Dan Letkeman wrote:
>> I was wondering if anyone has recommendations for a 2800 series router for a 20-30mbit internet connection. I would like to run a firewall IOS and nat and basic ACL's. Would a 2811 be an appropriate choice?
>
> If you're not running BGP with full feeds, you *might* be able to get away with a 2811, given that you're running IOS firewall and NAT as well, but you probably wouldn't have much headroom for growth, or if you decide you need additional features in the future (Netflow, QoS, routing protocols, etc).
>
> jms
Re: [c-nsp] Recommended 2800 ISR
I would agree. I've actually found they are a little conservative in their numbers from their concentrators up to the routers.

tv

----- Original Message -----
From: Matthew Marlowe [EMAIL PROTECTED]
To: 'Buhrmaster, Gary' [EMAIL PROTECTED]; 'Dan Letkeman' [EMAIL PROTECTED]; [EMAIL PROTECTED]; cisco-nsp@puck.nether.net
Sent: Friday, September 05, 2008 9:52 AM
Subject: Re: [c-nsp] Recommended 2800 ISR

Cisco actually is pretty honest about the performance of the routers with most/all security features enabled if you go to the QA section of the product pages and click on router model and look for the question "What is the performance of router XX?". At which point, they'll state that a Cisco 3845 can process a single T3 and that the 28xx's performance is measured in multiples of T-1's (with 2851 being 6xT1 and 2801 being 1xT1).

I've done some measuring of 2800/3800 series performance and the statements seem to be borne out. If you have the acl's/inspection/ips enabled, a 3845 really will give out around 50Mbps, even though the router is rated with a raw capacity of ~250Mbps. If you just have reasonable acl's and stateful firewall/inspection features, performance seems to double and you might get ~100Mbps on a 3845 imho, I'd think the ratio would be about the same on a 28xx (2851 - 18Mbps?). Your mileage may vary.

The recommendation to look at ASA's is pretty good and would be cheaper. Otherwise, among the ISR's, a 3825 would be the safe bet.

Regards,
Matt
--
Matthew Marlowe [EMAIL PROTECTED]
DeployLinux Consulting, Inc
Senior Infrastructure Consultant
Direct: 858-217-5730  Office: 888-459-0515  Cell: 805-857-9144  Fax: 858-876-1692
YIM: deploylinuxconsulting
Designing, Securing, and Maintaining Mission Critical Linux Servers for Successful Internet Applications

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Buhrmaster, Gary
Sent: Thursday, September 04, 2008 8:41 PM
To: Dan Letkeman; [EMAIL PROTECTED]; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Recommended 2800 ISR

> I have read that document before, do those numbers (2811 - 61.44mbps CEF Fast switching) mean that it can process that bandwidth with nothing else running on the router?

With the wind behind the bits heading downhill. The first paragraph says:

  Numbers are given with 64 byte packet size, IP only, and are only an indication of raw switching performance. These are testing numbers, usually with FE to FE or POS to POS, no services enabled. As you add ACL's, encryption, compression, etc - performance will decline significantly from the given numbers

The moment you add (for example) NAT or Firewall features, expect significantly less performance. As always, your Mbps will vary and your situation will be unique (and almost never to your benefit).
Re: [c-nsp] disabling 3750 mac address learning
[EMAIL PROTECTED] wrote:
>> Noticed that the 3750 ios 12.2(46)SE release supports the disabling of mac address learning per vlan. Does anyone have any experience with this release yet? The feature seems to have been introduced earlier in the 3650s and has obviously been in ME switches for a while.
>
> The feature has been there longer, in the form of an RSPAN-enabled VLAN.
>
> Steinar Haug, Nethelp consulting, [EMAIL PROTECTED]

Thanks Steinar,

I think there are a few differences between these. The command docs say the following about RSPAN VLANs:

- All traffic in the RSPAN VLAN is always flooded.
- No MAC address learning occurs on the RSPAN VLAN.
- RSPAN VLAN traffic only flows on trunk ports.
- RSPAN VLANs must be configured in VLAN configuration mode by using the remote-span VLAN configuration mode command.
- STP can run on RSPAN VLAN trunks but not on SPAN destination ports.
- An RSPAN VLAN cannot be a private-VLAN primary or secondary VLAN.

The first and third points suggest that for RSPAN VLANs you:

- cannot use static mac assignments
- cannot use access ports

Paul.
--
HEAnet Limited
Ireland's Education and Research Network
5 George's Dock, IFSC, Dublin 1, Ireland
Tel: +353.1.6609040  Web: http://www.heanet.ie
Company registered in Ireland: 275301
Please consider the environment before printing this e-mail.
Re: [c-nsp] Dashboard Network Monitoring Software
We just moved to Zenoss Ent for server monitoring, and I think it was a great move. In my tests however, Zenoss simply didn't cut it for managing/monitoring our network devices - at least not without weeks of template customization. So my search for the ultimate NMS for network devices continues... until then I'll continue to segment NMS responsibilities into various subcategories (fault mgmt, config mgmt, security mgmt, perf mgmt, capacity mgmt, etc) and handle those with a mix of tools.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Cables
Sent: Friday, September 05, 2008 9:17 AM
To: Aaron Riemer
Cc: Aaron Daniels - Lists; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Dashboard Network Monitoring Software

Zenoss has two versions, Zenoss Community (free) and Zenoss Enterprise (not free). The only notable feature, for network management, I see in Zenoss Enterprise is the RANCID ZenPack. The community version is pretty full featured, and looks very cool (I tested it out for a few days). Unfortunately, it is very robust, which translates to a lot of overhead management to get it running properly. Nagios, in comparison, just works, and can be set up relatively quickly.

Is anyone out there using Zenoss for network monitoring? How do you like it?

--
Eric Cables

On Fri, Sep 5, 2008 at 1:50 AM, Aaron Riemer [EMAIL PROTECTED] wrote:
> Zenoss looks cool but it looks like you have to pay for that software :)
>
> Cheers for the ideas.
>
> Aaron.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Daniels - Lists
> Sent: Friday, 5 September 2008 2:45 PM
> To: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] Dashboard Network Monitoring Software
>
> Also take a look at Zenoss www.zenoss.org
>
> Aaron
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:cisco-nsp- [EMAIL PROTECTED] On Behalf Of Daniel Hooper
> Sent: Friday, 5 September 2008 12:55 PM
> To: Aaron Riemer
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] Dashboard Network Monitoring Software
>
> www.nagios.org
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Riemer
> Sent: Friday, 5 September 2008 9:00 AM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] Dashboard Network Monitoring Software
>
> Hi Guys,
>
> Is anyone out there using any open source or free dashboard network monitoring software? I would like to have a map background with our sites and possibly blink the sites RED if the site stopped responding to pings or SNMP queries etc? I know Solarwinds and HP Openview are good but we are not willing to shell out the money just for a dashboard.
>
> Cheers,
> Aaron.
Re: [c-nsp] Surge protection on leased lines
On Thursday 04 September 2008 22:52:41 Ted Mittelstaedt wrote:
> They need a solid ground and suppression such as varistors connected between that ground and both wires of the pair that the SHDSL line is on. If you can get the specific code requirements for your municipality you can threaten to report your national telco to both the FCC and the local municipality if they do not install surge suppression.

[Previous poster]
> Make sure your nid, smartbox, router are all grounded together and to the electrical system ground. I suspect they are not if current is flowing in and damaging your wic.

Make sure also that the grounding electrode for the telco and the grounding electrode for the electrical are properly and effectively bonded (as in the NEC Article 250 definition). I've seen numerous instances of 'properly' installed and connected lightning arrestors that were not properly bonded to the electrical service ground; if the electrodes are even a few feet apart they can, in the lightning field/current gradient of a strike, easily have 15-50 thousand volts between 'grounds'.

--
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
http://www.pari.edu
Re: [c-nsp] FWSM failover transparent mode
Not to hijack this thread, but what modules are you using for server connectivity in your 6513? We deployed some 6513s as SF switches long ago (bad decision), and are now swapping them out with the 6509-E chassis due to the need for additional performance (6748s in all slots).

--
Eric Cables

On Fri, Sep 5, 2008 at 1:35 AM, Holemans Wim [EMAIL PROTECTED] wrote:
> Just upgraded our FWSM to version 3.1.11 after 3 random crashes in a month. Now we are thinking about buying a second FWSM to do failover in order to limit downtime and facilitate upgrades: most of our servers are connected to the 6513 carrying this FWSM. We use the 2 standard virtual contexts of the FWSM, both in transparent mode, 8 bridged vlans on one, 2 bridged vlans on the second.
>
> In the release notes of 3.1.11 I however read under Open Caveats CSCm73157: Failover is not working in transparent mode... Does anyone have experience with FWSM failover in transparent mode? Does this really not work? Does it work under 3.2 or 4.0?
>
> Any info would be appreciated before we invest more than 15K Euros...
>
> Wim Holemans
> Netwerkdienst Universiteit Antwerpen
Re: [c-nsp] Dashboard Network Monitoring Software
Hi,

> Is anyone out there using Zenoss for network monitoring? How do you like it?

I worry that I find myself spending too long trying to get a huge variety of monitoring systems actually working - and then configured to work properly and 'look nice' or be usable by our local community (eg using AD authentication instead of a noddy local pwd file or database password system like so many want...).

I feel that I am not alone in missing out on a really cool piece of software simply because of being burnt by so many other tools.

- we still run some of the older hardy tools that many would recommend - NAGIOS, NetDISCO, Rancid, MRTG, RTG, + a couple of other random bits.

These recent discussions are quite informative but without a nice resource or consensus I feel that many useful ones might get lost in the melee etc.

I'm also after something that has the fancy gfx that mgmt like eg solarwinds console - but without the price tag - AND with some actually useful stuff under the hood - any further recommendations?

alan
Re: [c-nsp] disabling 3750 mac address learning
> I think there are a few differences between these. The command docs say the following about RSPAN VLANs:
>
> - All traffic in the RSPAN VLAN is always flooded.
> - No MAC address learning occurs on the RSPAN VLAN.
> - RSPAN VLAN traffic only flows on trunk ports.
> - RSPAN VLANs must be configured in VLAN configuration mode by using the remote-span VLAN configuration mode command.
> - STP can run on RSPAN VLAN trunks but not on SPAN destination ports.
> - An RSPAN VLAN cannot be a private-VLAN primary or secondary VLAN.

Absolutely - the commands are not equivalent. What I was trying to say was that the technical ability to disable MAC address learning has existed for a while. I am glad that it can now be done explicitly instead of being hidden away in the form of RSPAN.

Steinar Haug, Nethelp consulting, [EMAIL PROTECTED]
[c-nsp] can't ping from router
Hi,

I have a 7200 terminating some pppoe customers using BBA-GROUP. Everything is working and has been working without any issues. However digging around I came across a weird problem. It seems that from the 7200 terminating router I can't ping any of the pppoe users' ip addresses but I can from outside the 7200.

I'm using a BBA-GROUP that references Virtual-Template 1, the weird part is everything is working but my virtual-template shows that it's down.

  stingray-capedsl-gw#sh int virtual-template 1
  Virtual-Template1 is down, line protocol is down

Should this interface not be showing as up/up? And is this the reason I can't seem to ping from within the 7200?

Thanks
P.

  bba-group pppoe pppoeusers
   virtual-template 1
   service profile pppoeusers
   sessions per-mac limit 1
   sessions auto cleanup

  interface Virtual-Template1
   description
   mtu 1492
   ip unnumbered Loopback0
   no ip redirects
   no ip unreachables
   peer default ip address pool pppoeuserspool
   ppp authentication pap pppoeusers
   ppp authorization pppoeusers
   ppp ipcp dns
   ppp ipcp address required
   ppp ipcp address unique

  interface Loopback0
   no ip address
   no ip redirects
   no ip unreachables

  ip local pool pppoeuserspool .2 .254
Re: [c-nsp] FWSM failover transparent mode
We experienced the reboots too; there are also bugs in this revision code train for ethertype ACLs. We migrated to 3.2(4); all is fixed.

Regards,
Ge Moua | Email: [EMAIL PROTECTED]
Network Design Engineer
University of Minnesota | Networking and Telecommunications Services

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Cables
Sent: Friday, September 05, 2008 11:59 AM
To: Holemans Wim
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] FWSM failover transparent mode

Not to hijack this thread, but what modules are you using for server connectivity in your 6513? We deployed some 6513s as SF switches long ago (bad decision), and are now swapping them out with the 6509-E chassis due to the need for additional performance (6748s in all slots).

--
Eric Cables

On Fri, Sep 5, 2008 at 1:35 AM, Holemans Wim [EMAIL PROTECTED] wrote:
> Just upgraded our FWSM to version 3.1.11 after 3 random crashes in a month. Now we are thinking about buying a second FWSM to do failover in order to limit downtime and facilitate upgrades: most of our servers are connected to the 6513 carrying this FWSM. We use the 2 standard virtual contexts of the FWSM, both in transparent mode, 8 bridged vlans on one, 2 bridged vlans on the second.
>
> In the release notes of 3.1.11 I however read under Open Caveats CSCm73157: Failover is not working in transparent mode... Does anyone have experience with FWSM failover in transparent mode? Does this really not work? Does it work under 3.2 or 4.0?
>
> Any info would be appreciated before we invest more than 15K Euros...
>
> Wim Holemans
> Netwerkdienst Universiteit Antwerpen
Re: [c-nsp] FWSM failover transparent mode
48 port 10/100/1000mb EtherModule WS-X6148-GE-TX. Bought them without knowing about the 8-port 1Gig limit; we plan to replace this construction next year with a VSS solution, type of 65XX not yet chosen.

Wim Holemans

-----Original Message-----
From: Eric Cables [mailto:[EMAIL PROTECTED]
Sent: Friday, 5 September 2008 18:59
To: Holemans Wim
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] FWSM failover transparent mode

Not to hijack this thread, but what modules are you using for server connectivity in your 6513? We deployed some 6513s as SF switches long ago (bad decision), and are now swapping them out with the 6509-E chassis due to the need for additional performance (6748s in all slots).

--
Eric Cables

On Fri, Sep 5, 2008 at 1:35 AM, Holemans Wim [EMAIL PROTECTED] wrote:
> Just upgraded our FWSM to version 3.1.11 after 3 random crashes in a month. Now we are thinking about buying a second FWSM to do failover in order to limit downtime and facilitate upgrades: most of our servers are connected to the 6513 carrying this FWSM. We use the 2 standard virtual contexts of the FWSM, both in transparent mode, 8 bridged vlans on one, 2 bridged vlans on the second. In the release notes of 3.1.11 I however read under Open Caveats CSCm73157: Failover is not working in transparent mode... Does anyone have experience with FWSM failover in transparent mode? Does this really not work? Does it work under 3.2 or 4.0? Any info would be appreciated before we invest more than 15K Euros...
>
> Wim Holemans
> Netwerkdienst Universiteit Antwerpen
Re: [c-nsp] Dashboard Network Monitoring Software
[EMAIL PROTECTED] wrote:
> Hi,
>
> Is anyone out there using Zenoss for network monitoring? How do you like it?
>
> I worry that I find myself spending too long trying to get a huge variety of monitoring systems actually working - and then configured to work properly and 'look nice' or be usable by our local community (e.g. using AD authentication instead of a noddy local pwd file or database password system like so many want...). I feel that I am not alone in missing out on a really cool piece of software simply because of being burnt by so many other tools.
>
> - we still run some of the older hardy tools that many would recommend - NAGIOS, NetDISCO, Rancid, MRTG, RTG, + a couple of other random bits.
>
> These recent discussions are quite informative, but without a nice resource or consensus I feel that many useful ones might get lost in the melee etc.
>
> I'm also after something that has the fancy gfx that mgmt like, e.g. the Solarwinds console - but without the price tag - AND with some actually useful stuff under the hood - any further recommendations?
>
> alan

Opsview (http://www.opsview.org)
Re: [c-nsp] NPE G1, CEF and ACLs and high CPU
On Fri, Sep 05, 2008 at 04:36:08PM +0200, Nic Tjirkalli wrote:
> howdy ho,
>
> > But make sure you do:
> >
> > config t
> > int null 0
> > no ip unreachables
> >
> > The ACL drops are, last I checked, rate limit punts.
>
> this is interesting - there is a good article detailing cef and CPU punting at:
> http://searchnetworkingchannel.techtarget.com/generic/0,295582,sid100_gci1261924,00.html
>
> Reading that and this posting begs the question - if there is a large amount of ACL drops and these packets are punted to CPU and the CPU rate-limit for punted packets has been exceeded, then possible packets that need to be CPU processed will be dropped in favour of ACL denied packets

That's not true. The packets that match the ACL deny are dropped under interrupt, other than punting some to generate the unreachable. You will always deny them.

> - this seems a bit ridiculous. Any way to get acl dropped packets not to be CPU punted, or to use control-plane policing to discard them before they hit the CPU?
>
> thanx

If it's high CPU at IP Input really need 12.4(20)T and get a sniffer trace in the punt path to see what traffic it really is.

Rodney

> > On Thu, Sep 04, 2008 at 03:46:23PM -0400, Stephen Kratzer wrote:
> > > On Thursday 04 September 2008 15:12:12 Mateusz Błaszczyk wrote:
> > > > 2008/9/4 Stephen Kratzer :
> > > > > The 'log' keyword will cause matching packets to not be CEF switched.
> > > >
> > > > nope, log is not present.
> > > >
> > > > > Also, if you're denying a lot of traffic from a certain source, you might want to just bit-bucket it rather than sending ICMP responses.
> > > >
> > > > you mean - no ip unreachables?
> > >
> > > You could match the access list in a route map and set the outbound interface to Null0.
>
> -
> It's hard to be nostalgic when you can't remember anything good.
>
> Nic Tjirkalli
> Verizon Business South Africa
> Network Strategy Team
Re: [c-nsp] FWSM failover transparent mode
6748s here. The customer was considering VSS but it didn't/doesn't support FWSM and ACE. So, he's stuck for a bit.

tv

----- Original Message -----
From: Eric Cables [EMAIL PROTECTED]
To: Holemans Wim [EMAIL PROTECTED]
Cc: cisco-nsp@puck.nether.net
Sent: Friday, September 05, 2008 11:58 AM
Subject: Re: [c-nsp] FWSM failover transparent mode

Not to hijack this thread, but what modules are you using for server connectivity in your 6513? We deployed some 6513s as SF switches long ago (bad decision), and are now swapping them out with the 6509-E chassis due to the need for additional performance (6748s in all slots).

--
Eric Cables

On Fri, Sep 5, 2008 at 1:35 AM, Holemans Wim [EMAIL PROTECTED] wrote:
> Just upgraded our FWSM to version 3.1.11 after 3 random crashes in a month. Now we are thinking about buying a second FWSM to do failover in order to limit downtime and facilitate upgrades: most of our servers are connected to the 6513 carrying this FWSM. We use the 2 standard virtual contexts of the FWSM, both in transparent mode, 8 bridged vlans on one, 2 bridged vlans on the second. In the release notes of 3.1.11 I however read under Open Caveats CSCm73157: Failover is not working in transparent mode... Does anyone have experience with FWSM failover in transparent mode? Does this really not work? Does it work under 3.2 or 4.0? Any info would be appreciated before we invest more than 15K Euros...
>
> Wim Holemans
> Netwerkdienst Universiteit Antwerpen
[c-nsp] Service-Policy on 1800 SVI
Hey Everyone,

I'm running into an issue on a 1841 router where I have an internet feed coming into one of the integrated switchports. I have the vlan that the switchport is configured in as an EtherSVI with a public IP address. I need to configure a policy-map with QoS, but it appears you cannot configure a service-policy on an EtherSVI... Is this correct?

After finding that heartbreaker out I then tried applying the service-policy to the switchport... it takes, but of course doesn't show any matches and rates using 'show policy-map interface Fa0/9'.

So my question would be... how do I configure QoS on a 1841 Router when my interface is an EtherSVI?

Sincerely,
Jeff
Re: [c-nsp] Dashboard Network Monitoring Software
you can also try a weather map like below...

http://www.network-weathermap.com/
http://netmon.grnet.gr/weathermap/#docs

On Thu, Sep 4, 2008 at 9:00 PM, Aaron Riemer [EMAIL PROTECTED] wrote:
> Hi Guys,
>
> Is anyone out there using any open source or free dashboard network monitoring software? I would like to have a map background with our sites and possibly blink the sites RED if the site stopped responding to pings or SNMP queries etc? I know Solarwinds and HP Openview are good but we are not willing to shell out the money just for a dashboard.
>
> Cheers,
> Aaron.
Re: [c-nsp] can't ping from router
On Friday 05 September 2008 12:36:33 Paul A wrote:
> Hi, I have a 7200 terminating some pppoe customers using BBA-GROUP. Everything is working and has been working without any issues. However, digging around I came across a weird problem. It seems that from the 7200 terminating router I can't ping any of the pppoe users' IP addresses, but I can from outside the 7200. I'm using a BBA-GROUP that references Virtual-Template 1; the weird part is everything is working but my virtual-template shows that it's down.
>
> stingray-capedsl-gw#sh int virtual-template 1
> Virtual-Template1 is down, line protocol is down
>
> Should this interface not be showing as up/up? And is this the reason I can't seem to ping from within the 7200?
>
> Thanks
> P.
>
> bba-group pppoe pppoeusers
>  virtual-template 1
>  service profile pppoeusers
>  sessions per-mac limit 1
>  sessions auto cleanup
>
> interface Virtual-Template1
>  description
>  mtu 1492
>  ip unnumbered Loopback0
>  no ip redirects
>  no ip unreachables
>  peer default ip address pool pppoeuserspool
>  ppp authentication pap pppoeusers
>  ppp authorization pppoeusers
>  ppp ipcp dns
>  ppp ipcp address required
>  ppp ipcp address unique
>
> interface Loopback0
>  no ip address
>  no ip redirects
>  no ip unreachables
>
> ip local pool pppoeuserspool .2 .254

The Virtual-Template interface should be down/down. Since it's not a real interface, and it's not associated with a real interface with a real status, it won't have L1/L2 statuses. Maybe try sourcing the pings from Loop0.
Re: [c-nsp] can't ping from router
Hello,

Paul A wrote:
> Hi, I have a 7200 terminating some pppoe customers using BBA-GROUP. Everything is working and has been working without any issues. However, digging around I came across a weird problem. It seems that from the 7200 terminating router I can't ping any of the pppoe users' IP addresses, but I can from outside the 7200. I'm using a BBA-GROUP that references Virtual-Template 1; the weird part is everything is working but my virtual-template shows that it's down.
>
> stingray-capedsl-gw#sh int virtual-template 1
> Virtual-Template1 is down, line protocol is down
>
> Should this interface not be showing as up/up? And is this the reason I can't seem to ping from within the 7200?
>
> Thanks
> P.
>
> bba-group pppoe pppoeusers
>  virtual-template 1
>  service profile pppoeusers
>  sessions per-mac limit 1
>  sessions auto cleanup
>
> interface Virtual-Template1
>  description
>  mtu 1492
>  ip unnumbered Loopback0
>  no ip redirects
>  no ip unreachables
>  peer default ip address pool pppoeuserspool
>  ppp authentication pap pppoeusers
>  ppp authorization pppoeusers
>  ppp ipcp dns
>  ppp ipcp address required
>  ppp ipcp address unique
>
> interface Loopback0
>  no ip address
>  no ip redirects
>  no ip unreachables
>
> ip local pool pppoeuserspool .2 .254

You've defined a helper interface for the Virtual-Template, but that interface does not have an IP address, so it's trying to send pings from an unnumbered address. If you put an address on Loopback0, pings will work.

Phil
Re: [c-nsp] can't ping from router
Gotcha, I guess the interface showing down/down was weird to me because I have used other virtual-templates that were always up, but looking back it's because they were ip unnumbered from a real interface with L1/L2 stats. As for the pings, I sourced them from multiple ips/interfaces and I still get no replies from within the router, which is just weird. Maybe it's the version of IOS I'm using? Version 12.4(10)FC1

Paul

-----Original Message-----
From: Stephen Kratzer [mailto:[EMAIL PROTECTED]
Sent: Friday, September 05, 2008 3:47 PM
To: cisco-nsp@puck.nether.net
Cc: Paul A
Subject: Re: [c-nsp] can't ping from router

On Friday 05 September 2008 12:36:33 Paul A wrote:
> Hi, I have a 7200 terminating some pppoe customers using BBA-GROUP. Everything is working and has been working without any issues. However, digging around I came across a weird problem. It seems that from the 7200 terminating router I can't ping any of the pppoe users' IP addresses, but I can from outside the 7200. I'm using a BBA-GROUP that references Virtual-Template 1; the weird part is everything is working but my virtual-template shows that it's down.
>
> stingray-capedsl-gw#sh int virtual-template 1
> Virtual-Template1 is down, line protocol is down
>
> Should this interface not be showing as up/up? And is this the reason I can't seem to ping from within the 7200?
>
> Thanks
> P.
>
> bba-group pppoe pppoeusers
>  virtual-template 1
>  service profile pppoeusers
>  sessions per-mac limit 1
>  sessions auto cleanup
>
> interface Virtual-Template1
>  description
>  mtu 1492
>  ip unnumbered Loopback0
>  no ip redirects
>  no ip unreachables
>  peer default ip address pool pppoeuserspool
>  ppp authentication pap pppoeusers
>  ppp authorization pppoeusers
>  ppp ipcp dns
>  ppp ipcp address required
>  ppp ipcp address unique
>
> interface Loopback0
>  no ip address
>  no ip redirects
>  no ip unreachables
>
> ip local pool pppoeuserspool .2 .254

The Virtual-Template interface should be down/down. Since it's not a real interface, and it's not associated with a real interface with a real status, it won't have L1/L2 statuses. Maybe try sourcing the pings from Loop0.
Re: [c-nsp] can't ping from router
Phil, I was thinking that might be the issue, and once I assigned an IP it worked and now I can ping. I was testing from a source interface that was up with an IP and wasn't getting replies, but that's because it was sending replies to the helper interface. Thanks for pointing that out to me.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Davis
Sent: Friday, September 05, 2008 3:05 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] can't ping from router

Hello,

Paul A wrote:
> Hi, I have a 7200 terminating some pppoe customers using BBA-GROUP. Everything is working and has been working without any issues. However, digging around I came across a weird problem. It seems that from the 7200 terminating router I can't ping any of the pppoe users' IP addresses, but I can from outside the 7200. I'm using a BBA-GROUP that references Virtual-Template 1; the weird part is everything is working but my virtual-template shows that it's down.
>
> stingray-capedsl-gw#sh int virtual-template 1
> Virtual-Template1 is down, line protocol is down
>
> Should this interface not be showing as up/up? And is this the reason I can't seem to ping from within the 7200?
>
> Thanks
> P.
>
> bba-group pppoe pppoeusers
>  virtual-template 1
>  service profile pppoeusers
>  sessions per-mac limit 1
>  sessions auto cleanup
>
> interface Virtual-Template1
>  description
>  mtu 1492
>  ip unnumbered Loopback0
>  no ip redirects
>  no ip unreachables
>  peer default ip address pool pppoeuserspool
>  ppp authentication pap pppoeusers
>  ppp authorization pppoeusers
>  ppp ipcp dns
>  ppp ipcp address required
>  ppp ipcp address unique
>
> interface Loopback0
>  no ip address
>  no ip redirects
>  no ip unreachables
>
> ip local pool pppoeuserspool .2 .254

You've defined a helper interface for the Virtual-Template, but that interface does not have an IP address, so it's trying to send pings from an unnumbered address. If you put an address on Loopback0, pings will work.

Phil
[c-nsp] Bridging over GRE tunnels.
Good afternoon.

After lots of searching, I found that bridging over GRE tunnels is configurable, but unsupported. (yes, really:)

cr1-5509-rsfc-1(config)#bridge 1 protocol ieee
cr1-5509-rsfc-1(config)#int tu0
cr1-5509-rsfc-1(config-if)#bridge-group 1
1d04h: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
% This command is an unreleased and unsupported feature
cr1-5509-rsfc-1(config-if)#
1d04h: Note: A random Spanning Tree Bridge Identifier address of .0c92.7210 has been chosen for Bridge Group 1 since there is no mac address associated with the selected interface.
1d04h: Ensure that this address is unique.
cr1-5509-rsfc-1(config-if)#

Anyone here have experience with this? RSFC in a Catalyst 5509, IOS 12.1 (that's the only IOS on RSFCs). Anyone have comments on stability found or not found? If this works, it means the RSFCs in my 5500s have just gained a new lease on life.

--
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
http://www.pari.edu
Re: [c-nsp] latest stable...
Hi,

On Fri, Sep 05, 2008 at 01:54:07PM -0400, Jim McBurnett wrote:
> Great... For the G1-- all we need is BGP and Ethernet-- Nothing special.. Metro E fiber inbound and FIBER out...

I'd go for 12.3(latest) main line. 12.2S/SB/SR will have lots more nice features, as will have 12.4/12.4T, but those usually bring some drawbacks regarding stability.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany [EMAIL PROTECTED]
fax: +49-89-35655025 [EMAIL PROTECTED]
Re: [c-nsp] latest stable...
for the 7200 with just bgp why not use 12.0S?

On Fri, Sep 5, 2008 at 6:01 PM, Gert Doering [EMAIL PROTECTED] wrote:
> Hi,
>
> On Fri, Sep 05, 2008 at 01:54:07PM -0400, Jim McBurnett wrote:
> > Great... For the G1-- all we need is BGP and Ethernet-- Nothing special.. Metro E fiber inbound and FIBER out...
>
> I'd go for 12.3(latest) main line. 12.2S/SB/SR will have lots more nice features, as will have 12.4/12.4T, but those usually bring some drawbacks regarding stability.
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany [EMAIL PROTECTED]
> fax: +49-89-35655025 [EMAIL PROTECTED]
[c-nsp] problem with VPN3002 hardware client
Hi All.

Am I just out of luck, or is there something pulling my leg? I've got 3 vpn3002 hardware clients, and I can't change the password of the user on any of them. Or rather, they won't save the password for the user right. When I set them up they connect fine and all works well; I can reboot them and this works also. But if I pull the power, it loses the password for the user, and only that. I've tried to upgrade and downgrade the software without any luck.

Is there a hidden switch or configuration function that can protect this, or am I just looking at 3 that have a defect in NVRAM?

/Arne
[c-nsp] IPv6 on the 877W
I just went back and forth with TAC regarding IPv6 support on an 877W. Ultimately, the problem was that there isn't any support for IPv6 IRB, and IRB is the only way to put the wireless radio on the same segment as the ethernet ports. Boo. I found a bug id in the c-nsp archives (CSCej50923) about this from 2005, and I was told it was closed without a fix.

Also of note, I turned the 877W into a brick by doing the following (in order):

* Assign IPv6 address to int vlan 1
* do no bridge-group 1 on int vlan 1
* IPv6 works! no IPv4, though
* do bridge-group 1 on int vlan 1
* ipv6 and ipv4 work! however...
* router locks up after a bit, then never boots again after a power cycle

Seems IPv6 is pretty buggy (and lacking) on this thing.

~Seth
Re: [c-nsp] WebVPN via RADIUS - how to identify by group?
Problem with the group selection method is via a debug radius I don't see it send any attribute about the group to RADIUS (I did try this way at first), and therefore I can't get RADIUS to match on a group as well as user/pass. The [EMAIL PROTECTED] might be an option; have you tried this before, by sending back a group attribute to the ASA from RADIUS and it actually acknowledging it and putting the WEBVPN user into that group?

Cheers
Ben

-----Original Message-----
From: LaPorte, David [mailto:[EMAIL PROTECTED]
Sent: Friday, 5 September 2008 9:54 PM
To: Ben Steele
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] WebVPN via RADIUS - how to identify by group?

You could pass the group as a realm to the RADIUS server by having the users log in as [EMAIL PROTECTED]. The RADIUS server could authenticate them and return a Class=OU=GROUP; attribute to map them properly.

You could also provide a group list to the user:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808bd83d.shtml

I prefer not to do this since it could make enumeration attacks a bit easier, but it has its place.

hope that helps,
Dave

Ben Steele wrote:
> Howdy all,
>
> Anyone know if it's possible to get an ASA to spit out the group name in an av-pair via radius when authenticating a user? (in this case webvpn). The issue I'm having is multiple clients on the one ASA authenticating via IAS/AD and the possibility of overlapping usernames between clients (groups). I need another identifier from the ASA to auth them against other than user/pass, i.e. group would be perfect. Any ideas?
>
> Cheers
> Ben

--
David LaPorte, CISSP, CCNP
Security Manager, Network and Server Systems
Harvard University Information Systems
---
Email: [EMAIL PROTECTED]
PGP: 0x4DC3E508 4A1F058DB2B32FEF10A14F6BD370A6AD4DC3E508
Re: [c-nsp] Dashboard Network Monitoring Software
Zenoss is open source. But you are able to purchase a support contract if your organisation requires that kind of thing (ours does).

Thanks,
Aaron

-----Original Message-----
From: Aaron Riemer [mailto:[EMAIL PROTECTED]
Sent: Friday, 5 September 2008 6:50 PM
To: Aaron Daniels - Lists; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] Dashboard Network Monitoring Software

Zenoss looks cool but it looks like you have to pay for that software :)

Cheers for the ideas.

Aaron.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Daniels - Lists
Sent: Friday, 5 September 2008 2:45 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Dashboard Network Monitoring Software

Also take a look at Zenoss www.zenoss.org

Aaron

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp-[EMAIL PROTECTED] On Behalf Of Daniel Hooper
Sent: Friday, 5 September 2008 12:55 PM
To: Aaron Riemer
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Dashboard Network Monitoring Software

www.nagios.org

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Riemer
Sent: Friday, 5 September 2008 9:00 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Dashboard Network Monitoring Software

Hi Guys,

Is anyone out there using any open source or free dashboard network monitoring software? I would like to have a map background with our sites and possibly blink the sites RED if the site stopped responding to pings or SNMP queries etc? I know Solarwinds and HP Openview are good but we are not willing to shell out the money just for a dashboard.

Cheers,
Aaron.
Re: [c-nsp] Dashboard Network Monitoring Software
Yep, weathermap looks awesome. Do you know if it's possible for the map to change the icon of a site if it is down or unreachable? That would be awesome :)

Aaron.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christian Koch
Sent: Saturday, September 06, 2008 3:46 AM
To: Aaron Riemer
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Dashboard Network Monitoring Software

you can also try a weather map like below...

http://www.network-weathermap.com/
http://netmon.grnet.gr/weathermap/#docs

On Thu, Sep 4, 2008 at 9:00 PM, Aaron Riemer [EMAIL PROTECTED] wrote:
> Hi Guys,
>
> Is anyone out there using any open source or free dashboard network monitoring software? I would like to have a map background with our sites and possibly blink the sites RED if the site stopped responding to pings or SNMP queries etc? I know Solarwinds and HP Openview are good but we are not willing to shell out the money just for a dashboard.
>
> Cheers,
> Aaron.
Re: [c-nsp] WebVPN via RADIUS - how to identify by group?
We're doing exactly that, although with Radiator vs IAS.

Dave

Ben Steele wrote:
> Problem with the group selection method is via a debug radius I don't see it send any attribute about the group to RADIUS (I did try this way at first), and therefore I can't get RADIUS to match on a group as well as user/pass. The [EMAIL PROTECTED] might be an option; have you tried this before, by sending back a group attribute to the ASA from RADIUS and it actually acknowledging it and putting the WEBVPN user into that group?
>
> Cheers
> Ben
>
> -----Original Message-----
> From: LaPorte, David [mailto:[EMAIL PROTECTED]
> Sent: Friday, 5 September 2008 9:54 PM
> To: Ben Steele
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] WebVPN via RADIUS - how to identify by group?
>
> You could pass the group as a realm to the RADIUS server by having the users log in as [EMAIL PROTECTED]. The RADIUS server could authenticate them and return a Class=OU=GROUP; attribute to map them properly.
>
> You could also provide a group list to the user:
> http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808bd83d.shtml
>
> I prefer not to do this since it could make enumeration attacks a bit easier, but it has its place.
>
> hope that helps,
> Dave
>
> Ben Steele wrote:
> > Howdy all,
> >
> > Anyone know if it's possible to get an ASA to spit out the group name in an av-pair via radius when authenticating a user? (in this case webvpn). The issue I'm having is multiple clients on the one ASA authenticating via IAS/AD and the possibility of overlapping usernames between clients (groups). I need another identifier from the ASA to auth them against other than user/pass, i.e. group would be perfect. Any ideas?
> >
> > Cheers
> > Ben
[c-nsp] Receiving BGP communities
Is there a reason why I would not be receiving BGP communities? Upstream says they are sending, but I don't see anything. The only communities I can see are the ones from my cymru bogon route server neighbors. Upstream's end is a Juniper, if that makes a difference.

I feel like I'm missing something stupid like a receive community command.

~Seth
Re: [c-nsp] WebVPN via RADIUS - how to identify by group?
Ben Steele wrote:
> Problem with the group selection method is via a debug radius I don't see it send any attribute about the group to RADIUS (I did try this way at first) and therefore I can't get RADIUS to match on a group as well as user/pass. The [EMAIL PROTECTED] might be an option; have you tried this before by sending back a group attribute to the ASA from RADIUS and it actually acknowledging it and putting the WEBVPN user into that group?

Ben,

If you have two group policies set up on your ASA, GroupPolicy1 and GroupPolicy2, you can set the RADIUS Class attribute to OU=GroupPolicy1 or OU=GroupPolicy2. In IAS set up two policies, matching AD Security Group Group1 and Group2 respectively. Members of Group1 are assigned OU=GroupPolicy1, and Group2 gets OU=GroupPolicy2. The text after OU= then matches the name of the ASA's group policy exactly and will assign that Group Policy to the VPN user's session.

If you now also have two Tunnel Groups, TunnelGroup1 and TunnelGroup2 on the ASA, you can use the group-lock xxx command to lock TunnelGroup1 to GroupPolicy1 and TunnelGroup2 to GroupPolicy2. If a user who is a member of Group1 tries to use the TunnelGroup2 VPN profile, they will get rejected when the ASA compares the OU=GroupPolicy1 (assigned to user by IAS) with the GroupPolicy2 value expected by TunnelGroup2.

Cheers
Stuart
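Putting Dave's Class=OU=GROUP; suggestion and Stuart's group-lock explanation together, here is an added ASA configuration fragment that is not from the thread; the AAA server name, its address, the shared key and the IAS policy names are assumed placeholders, and only the group-policy and tunnel-group names from Stuart's message are reused.

```text
! Added example (not from the thread): ASA CLI fragment implementing the
! RADIUS Class -> group-policy mapping with group-lock described above.
! RADIUS_IAS, 192.0.2.10 and the key are placeholders, not values from the thread.
aaa-server RADIUS_IAS protocol radius
aaa-server RADIUS_IAS (inside) host 192.0.2.10
 key <shared-secret-placeholder>
!
! One group policy per customer. group-lock makes the ASA reject a session
! whose RADIUS-assigned policy does not belong to the tunnel group it used,
! so a username that exists for both customers cannot land in the wrong group.
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol webvpn
 group-lock value TunnelGroup1
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
 vpn-tunnel-protocol webvpn
 group-lock value TunnelGroup2
!
! One tunnel group per customer, both authenticating against the same IAS server.
! No group-alias drop-down is configured, in line with Dave's enumeration concern.
tunnel-group TunnelGroup1 type remote-access
tunnel-group TunnelGroup1 general-attributes
 authentication-server-group RADIUS_IAS
 default-group-policy GroupPolicy1
tunnel-group TunnelGroup2 type remote-access
tunnel-group TunnelGroup2 general-attributes
 authentication-server-group RADIUS_IAS
 default-group-policy GroupPolicy2
!
! IAS side (configured in the GUI; shown here as what each remote access policy returns):
!   policy matching AD group Group1 -> Class (RADIUS attribute 25) = "OU=GroupPolicy1;"
!   policy matching AD group Group2 -> Class (RADIUS attribute 25) = "OU=GroupPolicy2;"
! The text after OU= must match the group-policy name on the ASA exactly.
! Confirm the assigned policy per session with: show vpn-sessiondb webvpn
```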