Re: [c-nsp] question about service provider network design
Hi again,

Since Marko says my question wasn't clear I'll try to make it better :-)

- Is running OSPF on a switch at all useful when the switch is connecting routers that are running MPLS, MP-BGP, and OSPF? Can it provide faster detection of link loss?

- In a campus scenario, Cisco recommends not using STP, instead preferring point-to-point links. I don't have enough point-to-point links, so what is better, creating an L2 square running MST, with the square's top and bottom being WAN links, or creating two L2 networks, each consisting of two switches (one at each of the two locations) connected by one WAN link, with all routers having an interface connected to both switches at its location?

--
Nathan
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] ASR1002
Rinse Kloek (Solcon) wrote:
> We are looking for a replacement for our 7200 BRAS routers. The ASR1002 looks promising:
> - Dual IOS (Software Redundancy / Much easier upgrading)

Do you trust that stuff to work properly so early? I wouldn't!

> - Standard 4 GE ports
> - 6-8 Mpps

Assuming zero feature use. The Quantumflow slows down quite a bit when you start adding more features.

> - Front to back airflow instead of side air flow
> - Much hardware features like QOS / SBC / NBAR

Be sure to test the throughput of the device with all the features you want to use enabled. Don't expect full performance with all the features!

I've ordered a load of ASR1ks for peering routers, not received them yet though!

adam.
Re: [c-nsp] question about service provider network design
Adam Armstrong wrote:
Nathan wrote:
> Hi again,
>
> Since Marko says my question wasn't clear I'll try to make it better :-)
>
> - Is running OSPF on a switch at all useful when the switch is connecting routers that are running MPLS, MP-BGP, and OSPF? Can it provide faster detection of link loss?

The routers can see each other directly at L2? Then no. It might make it easier to keep the switch's management loopback connected though.

Consider switching to IS-IS, assuming your kit can do it.

> - In a campus scenario, Cisco recommends not using STP, instead preferring point-to-point links. I don't have enough point-to-point links, so what is better, creating an L2 square running MST, with the square's top and bottom being WAN links, or creating two L2 networks, each consisting of two switches (one at each of the two locations) connected by one WAN link, with all routers having an interface connected to both switches at its location?

Do you have a diagram?

When you say WAN, what do you mean? A long distance ethernet circuit? Or a Serial/Pos/etc?

adam.
Re: [c-nsp] BGP load-sharing *and* redundancy across 2 routers
Robert Gutierrez wrote:
> Hi all. I have a typical BGP loopback setup to my ISP. 4 links across 2 routers. 2 links on each router. Easy -- no problemo.
>
> Now, how can I get loopback address redundancy? I'm currently using Router A as my loopback address, with an iBGP to Router B, and multihop and maximum-paths set up. So Router A knows about all 4 links outbound. Now, if I lose Router A (crash, power-off, etc), I want Router B to pick up the peering of its 2 links, and bring the BGP session back up.
>
> The only way that I can figure out is (1) Make the loopback address an HSRP across both routers (is that even possible or been done?), or (2) Just bring up sessions on both routers using the same Loopback address.

You don't really want to do this. It'd only cause your links to flap a second time when the router came back up.

What are the links? Ethernet? Serial? If you're taking ethernet from the provider, why not just use switches so that both routers can talk across all of the links? It would mean 8 sessions though.

> I guess the right way is to use 2 different loopback addresses, one for each router, and bring up peers for both, and use MEDs or their community map to make them pref one way or another across each loopback peer (with myself using local-pref).

Do you know of any Tier-1's that let you do this?

adam.
Re: [c-nsp] NMS for l2vpn service instance
piotr/sawicki wrote:
> Hi experts !!!
>
> I'd like to ask you for help / advice on cisco 7600 l2 vpn's management. Can you recommend any system for as much as monitoring and gathering statistics on l2 vpns? Do you know the software capable of discovering service instances on physical interface? Service instance don't have ip address on them, nor they are subinterface but may contain connect/xconnect to another mpls router - and the role of this c7600 ends. L2 vfi?
>
> I see Cisco Metro Ethernet Solution Center is the first choice but if it does a lot more - provisioning, but are there any opensource nms capable of doing this, out of the box?

Hi Peter,

I'm planning to add this to Observer in the near future. We're using the Cisco commercial solution here, but I still think it's a useful feature. I'll see how quickly I can get it in!

adam.
Re: [c-nsp] question about service provider network design
On Tue, Oct 21, 2008, Adam Armstrong [EMAIL PROTECTED] wrote:
> Nathan wrote:
>> - Is running OSPF on a switch at all useful when the switch is connecting routers that are running MPLS, MP-BGP, and OSPF? Can it provide faster detection of link loss?
>
> The routers can see each other directly at L2? Then no. It might make it easier to keep the switch's management loopback connected though.

Well I don't see how the LDP would keep running if the switch cut off L2. The switch would need to speak LDP . . . which would make it an MPLS P router, which would be cool but I'm quite sure neither 2960s or even 3550s can do that :-) P router with eight gigabit ethernet ports running at line speed for the price of a 2960 anyone? Seriously, what kind of beast does that? A 7600 or 6500 I suppose, anything smaller?

Good point about the management loopback.

> Consider switching to IS-IS, assuming your kit can do it.

The switches can't, but I do think the routers can. What would the benefits be? If I change to IS-IS, now's the time.

> Do you have a diagram?

I'm not sure that ASCII art will cut it, but I'll try . . .

First option:

/--SW--WAN-SW---\ | | | | | | | PE PE PE | |PE PE PE | | | | | | | \--SW--WAN-SW---/

This way I don't have to have each PE connected to both switches in order to communicate directly, it's only when a switch goes down that PEs only connected to that single switch will have a problem. I'll have to place different VLANs on top and bottom and use MST so that both links are used. If I lose the ethernet link on a WAN link, MST notices immediately and reroutes traffic.

Second option:

/--SW--WAN-SW---\ | | | | | | PE PE PE PE PE PE | | | | | | \--SW--WAN-SW---/

> When you say WAN, what do you mean? A long distance ethernet circuit? Or a Serial/Pos/etc?

They are seen as gigabit ethernet (copper or fiber), but they run over the national backbone of bigger fish than I. They are probably AToM pseudowires. Unfortunately that means that when one goes down (not often, maybe once or at most twice a year) I don't always lose the ethernet link (and I suppose I might get one-way communication only).

--
Nathan
Re: [c-nsp] question about service provider network design
Nathan wrote:
> On Tue, Oct 21, 2008, Adam Armstrong [EMAIL PROTECTED] wrote:
>> Nathan wrote:
>>> - Is running OSPF on a switch at all useful when the switch is connecting routers that are running MPLS, MP-BGP, and OSPF? Can it provide faster detection of link loss?
>>
>> The routers can see each other directly at L2? Then no. It might make it easier to keep the switch's management loopback connected though.
>
> Well I don't see how the LDP would keep running if the switch cut off L2. The switch would need to speak LDP . . . which would make it an MPLS P router, which would be cool but I'm quite sure neither 2960s or even 3550s can do that :-) P router with eight gigabit ethernet ports running at line speed for the price of a 2960 anyone? Seriously, what kind of beast does that? A 7600 or 6500 I suppose, anything smaller?

Umm. I've no idea what you're talking about now... The switch doesn't speak LDP. It can merely participate in your IGP for its loopback address.

Just give the switches an IP in the subnet that exists on their layer 2 domain and point their default route at one of the PEs (or do hsrp between a couple of them).

>> Consider switching to IS-IS, assuming your kit can do it.
>
> The switches can't, but I do think the routers can. What would the benefits be? If I change to IS-IS, now's the time.

Well, the switches aren't important here, so if you plan to do ipv6 in the future and aren't a huge ospf fan, have a look at isis now and switch if you like it. It's definitely a lot easier to manage and troubleshoot. Not to mention not having to run two versions of ospf when you want to do ipv6!

>> Do you have a diagram?
>
> I'm not sure that ASCII art will cut it, but I'll try . . .
>
> First option:
>
> /--SW--WAN-SW---\ | | | | | | | PE PE PE | |PE PE PE | | | | | | | \--SW--WAN-SW---/
>
> This way I don't have to have each PE connected to both switches in order to communicate directly, it's only when a switch goes down that PEs only connected to that single switch will have a problem. I'll have to place different VLANs on top and bottom and use MST so that both links are used. If I lose the ethernet link on a WAN link, MST notices immediately and reroutes traffic.
>
> Second option:
>
> /--SW--WAN-SW---\ | | | | | | PE PE PE PE PE PE | | | | | | \--SW--WAN-SW---/

Second option is the sensible one. Think of it as building 2 core layer 2 domains across which all of the PEs can talk to each other. During normal operation, they balance across the two domains, when a switch or link dies, the traffic goes across the other. It's a relatively standard design.

http://alpha.memetic.org/basic.jpg is how i would draw it.

>> When you say WAN, what do you mean? A long distance ethernet circuit? Or a Serial/Pos/etc?
>
> They are seen as gigabit ethernet (copper or fiber), but they run over the national backbone of bigger fish than I. They are probably AToM pseudowires. Unfortunately that means that when one goes down (not often, maybe once or at most twice a year) I don't always lose the ethernet link (and I suppose I might get one-way communication only).

Well, tune your IGP so that it notices as quickly as possible and pulls down the link. You want as few routes as possible in IGP (so just links and loopbacks), but i guess you already knew that! :)

adam.
[c-nsp] How to match local IP address?
Is there a way to automatically match local (static, connected) IP subnets and deny ospf/bgp routes? Something like:

    route-map name permit 10
     match connected

I use soft SHX or SXF. We tried something like:
1. match route-type external
2. permit any
but it did not work.

Thanks in advance for your help.

--
Grzegorz Janoszka
Re: [c-nsp] question about service provider network design
On Tue, Oct 21, 2008 at 2:59 PM, Adam Armstrong [EMAIL PROTECTED] wrote:
> Well, the switches aren't important here, so if you plan to do ipv6 in the future and aren't a huge ospf fan, have a look at isis now and switch if you like it. It's definitely a lot easier to manage and troubleshoot. Not to mention not having to run two versions of ospf when you want to do ipv6!

OK noted, that could be important.

> Second option is the sensible one. Think of it as building 2 core layer 2 domains across which all of the PEs can talk to each other. During normal operation, they balance across the two domains, when a switch or link dies, the traffic goes across the other. It's a relatively standard design.

The relatively standard was what I was looking for :-)

> Well, tune your IGP so that it notices as quickly as possible and pulls down the link. You want as few routes as possible in IGP (so just links and loopbacks), but i guess you already knew that! :)

It's not stressed enough in docs about setting up iBGP and MP-BGP, unfortunately, but yes I did learn that later on :-/

Thanks,

--
Nathan
Re: [c-nsp] How to match local IP address?
What exactly are you trying to do? Redistribute connected and redistribute static only match those, no need for a route-map. Or are you attempting to advertise these to a particular BGP peer?

David
--
http://dcp.dcptech.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp- [EMAIL PROTECTED] On Behalf Of Grzegorz Janoszka
Sent: Tuesday, October 21, 2008 9:29 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] How to match local IP address?

Is there a way to automatically match local (static, connected) IP subnets and deny ospf/bgp routes? Something like:

    route-map name permit 10
     match connected

I use soft SHX or SXF. We tried something like:
1. match route-type external
2. permit any
but it did not work.

Thanks in advance for your help.

--
Grzegorz Janoszka
[c-nsp] Network Management System
hello Guys,

could please help me to choose which Cisco Network Management software, Cuz I have a network include LAN, WAN, ASA Firewalls Voice Equipments so I need Management Software for these equipments

thank you,
Re: [c-nsp] Sup720, SXH or SXF?
Sometimes the infrastructure changes to do it override the decision to back port. That's one of the biggest dangers with long lived throttles.

I was part of those discussions on the topic. It wasn't a decision made lightly but they made the best, note I didn't say right, choice.

Rodney

On Mon, Oct 20, 2008 at 11:56:55AM +0100, Zoe O'Connell wrote:
> On 17/10/2008 09:09, Peter Taphouse wrote:
>> * SXF15 which has a bug in BFD that caused a router to reload when it detects a link flap, turning a sub-second blip into a 10 minute brown out whilst the router reloaded. We're now still running SXF15, and we've not had any problems since we disabled bfd everywhere.
>
> Unfortunately, despite repeated prodding, Cisco have flatly refused to fix BFD in SXF - we ended up jumping to SRC1 on our 7600s, which was a shame as we were otherwise happy with SXF.
Re: [c-nsp] How to match local IP address?
David Prall wrote:
> What exactly are you trying to do? Redistribute connected and redistribute static only match those, no need for a route-map. Or are you attempting to advertise these to a particular BGP peer?

Announce connected network with no-export community - it may be lot of smaller prefixes. The big aggregate prefixes will be announced statically in other places.

--
Grzegorz Janoszka
Re: [c-nsp] How to match local IP address?
Marko Milivojevic wrote:
> How about something like this?
>
>     route-map Connected-Routes
>      set community no-export
>     !
>     router bgp XXX
>      address-family ipv4
>       redistribute connected route-map Connected-Routes
>     !
>
> If you wish to assign community for only specific interfaces only, you can do something like:
>
>     route-map Connected-Routes permit 10
>      match interface XXX
>      match interface YYY
>      set community no-export
>     !
>     route-map Connected-Routes permit 999

It is a kind of idea, however it is rather complicated setup. The biggest disadvantage is that the interface list has to be updated. Let's say I insert a new blade to a free slot, then I have to update the route-map. Another disadvantage may be length of the route-map - if I have 4x48 ports, then it has almost 200 match entries - I do not know if Cisco allows for so many match entries.

However it is a way to do it. I think I would slightly modify it and use, thanks. If you have another idea I will appreciate it.

--
Grzegorz Janoszka
Re: [c-nsp] question about service provider network design
We have a fairly similar design for our Metro Ethernet network. Our primary method of protection is STP(MST).

I've been thinking about this, and I can't come up with a reason why we even really need an IGP down to the edge PE devices? Since it's all layer2 - the core switch/routers see all of the PEcore links as Connected routes anyway - what's the point of bother pushing your IGP down there? It's just more needless routes. That leaves you with a very small IGP in your core.

Adam Armstrong wrote:
> Nathan wrote:
>> On Tue, Oct 21, 2008, Adam Armstrong [EMAIL PROTECTED] wrote:
>>> Nathan wrote:
>>>> - Is running OSPF on a switch at all useful when the switch is connecting routers that are running MPLS, MP-BGP, and OSPF? Can it provide faster detection of link loss?
>>>
>>> The routers can see each other directly at L2? Then no. It might make it easier to keep the switch's management loopback connected though.
>>
>> Well I don't see how the LDP would keep running if the switch cut off L2. The switch would need to speak LDP . . . which would make it an MPLS P router, which would be cool but I'm quite sure neither 2960s or even 3550s can do that :-) P router with eight gigabit ethernet ports running at line speed for the price of a 2960 anyone? Seriously, what kind of beast does that? A 7600 or 6500 I suppose, anything smaller?
>
> Umm. I've no idea what you're talking about now... The switch doesn't speak LDP. It can merely participate in your IGP for its loopback address.
>
> Just give the switches an IP in the subnet that exists on their layer 2 domain and point their default route at one of the PEs (or do hsrp between a couple of them).
>
>>> Consider switching to IS-IS, assuming your kit can do it.
>>
>> The switches can't, but I do think the routers can. What would the benefits be? If I change to IS-IS, now's the time.
>
> Well, the switches aren't important here, so if you plan to do ipv6 in the future and aren't a huge ospf fan, have a look at isis now and switch if you like it. It's definitely a lot easier to manage and troubleshoot. Not to mention not having to run two versions of ospf when you want to do ipv6!
>
>>> Do you have a diagram?
>>
>> I'm not sure that ASCII art will cut it, but I'll try . . .
>>
>> First option:
>>
>> /--SW--WAN-SW---\ | | | | | | | PE PE PE | |PE PE PE | | | | | | | \--SW--WAN-SW---/
>>
>> This way I don't have to have each PE connected to both switches in order to communicate directly, it's only when a switch goes down that PEs only connected to that single switch will have a problem. I'll have to place different VLANs on top and bottom and use MST so that both links are used. If I lose the ethernet link on a WAN link, MST notices immediately and reroutes traffic.
>>
>> Second option:
>>
>> /--SW--WAN-SW---\ | | | | | | PE PE PE PE PE PE | | | | | | \--SW--WAN-SW---/
>
> Second option is the sensible one. Think of it as building 2 core layer 2 domains across which all of the PEs can talk to each other. During normal operation, they balance across the two domains, when a switch or link dies, the traffic goes across the other. It's a relatively standard design.
>
> http://alpha.memetic.org/basic.jpg is how i would draw it.
>
>>> When you say WAN, what do you mean? A long distance ethernet circuit? Or a Serial/Pos/etc?
>>
>> They are seen as gigabit ethernet (copper or fiber), but they run over the national backbone of bigger fish than I. They are probably AToM pseudowires. Unfortunately that means that when one goes down (not often, maybe once or at most twice a year) I don't always lose the ethernet link (and I suppose I might get one-way communication only).
>
> Well, tune your IGP so that it notices as quickly as possible and pulls down the link. You want as few routes as possible in IGP (so just links and loopbacks), but i guess you already knew that! :)
>
> adam.
Re: [c-nsp] FWSM Static NAT gets stuck..
If clear local fixes it - then most probably there's another xlate that stands in the way, should not be related to arp.

Watch out for the identity statics that are supersets of this host static, i.e. something like this is not good:

    static (inside,outside) 1.1.1.1 2.2.2.2 netmask 255.255.255.255
    static (inside,outside) 2.2.2.0 2.2.2.0 netmask 255.255.255.0

if your first packet on the outside is destined to the 1.1.1.1 - all good. But if your first packet is destined to 2.2.2.2 - then the first static won't match, and it will create the xlate based on the second one.

if you have such a config, blocking the destination of 2.2.2.2 by the inbound ACL on the outside should help (and as well identify who sends such a packet).

in any case, show local x.x.x.x along with show xlate debug local x.x.x.x should shed some more light on this.

thanks,
andrew

On Mon, 20 Oct 2008, Christian Koch wrote:
> i checked this when it happened the first time but i forgot what the output was...thanks for the suggestion, i'll have to check it again next time it pops up
>
> christian
>
> On Mon, Oct 20, 2008 at 10:58 AM, Ozgur Guler [EMAIL PROTECTED] wrote:
>> Do you see the correct arp for the translation when it stops working? You might need to define a static arp with alias to fix it.
>>
>> --- On Mon, 20/10/08, Christian Koch [EMAIL PROTECTED] wrote:
>> From: Christian Koch [EMAIL PROTECTED]
>> Subject: [c-nsp] FWSM Static NAT gets stuck..
>> To: Cisco-nsp cisco-nsp@puck.nether.net
>> Date: Monday, 20 October, 2008, 3:38 PM
>>
>>> Hello All -
>>>
>>> Seeing an issue on FWSM running 3.2(4) code.. Where a static nat gets stuck, and the host becomes unreachable via both ingress/egress
>>>
>>> If i issue a clear xlate local x.x.x.x, this clears things up and connectivity is restored
>>>
>>> there are currently 2 hosts on the same network, yet this problem only occurs with one of them
>>>
>>>     static (DMZ,OUTSIDE) 1.1.1.24 2.2.2.24 netmask 255.255.255.255
>>>     static (DMZ,OUTSIDE) 1.1.1.25 2.2.2.25 netmask 255.255.255.255
>>>
>>> .24 is the one that becomes stuck, .25 is fine and never has a problem..
>>>
>>> any ideas/possible bugs?
>>>
>>> thanks
>>> christian
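The overlap Andrew describes in the message above (an identity static whose range is a superset of a host static's real address) can be checked offline against a saved config. This is an added example, not part of the thread and not Cisco tooling: the function names are hypothetical, comparing only statics on the same interface pair and parsing only statics with an explicit netmask are assumptions, and the 3.3.3.0 line in the second sample is constructed.

```python
import ipaddress
import re
from dataclasses import dataclass

# Plain (non-port) statics with an explicit netmask, in the form used in the thread:
#   static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(
    r"^\s*static\s+\(([^,\s]+),([^)\s]+)\)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"netmask\s+(\d+\.\d+\.\d+\.\d+)\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Static:
    line_no: int
    ifc_pair: tuple                 # (real_ifc, mapped_ifc), lower-cased
    mapped: ipaddress.IPv4Network
    real: ipaddress.IPv4Network

    @property
    def is_identity(self):
        # An identity static maps a range onto itself.
        return self.mapped == self.real


@dataclass(frozen=True)
class Finding:
    host: Static                    # the narrower, translating static
    identity: Static                # identity static covering its real address
    block_dst: ipaddress.IPv4Network  # destination to deny inbound, per the thread


def parse_statics(config):
    """Return every parseable static line; all other lines are ignored."""
    statics = []
    for line_no, line in enumerate(config.splitlines(), start=1):
        m = STATIC_RE.match(line)
        if m is None:
            continue
        real_ifc, mapped_ifc, mapped_ip, real_ip, mask = m.groups()
        try:
            # strict=False tolerates host bits set under the mask
            mapped = ipaddress.ip_network(f"{mapped_ip}/{mask}", strict=False)
            real = ipaddress.ip_network(f"{real_ip}/{mask}", strict=False)
        except ValueError:
            continue  # malformed address or mask
        statics.append(Static(line_no, (real_ifc.lower(), mapped_ifc.lower()),
                              mapped, real))
    return statics


def find_shadowing_identity_statics(config):
    """Flag translating statics whose real address sits inside a wider identity static."""
    statics = parse_statics(config)
    findings = []
    for host in statics:
        if host.is_identity:
            continue
        for other in statics:
            if (other.is_identity
                    and other.ifc_pair == host.ifc_pair   # assumption: same pair only
                    and other.real != host.real
                    and host.real.subnet_of(other.real)):
                findings.append(Finding(host, other, host.real))
    return findings


# The two lines Andrew gives as the problematic pattern.
PAGE_EXAMPLE = "\n".join([
    "static (inside,outside) 1.1.1.1 2.2.2.2 netmask 255.255.255.255",
    "static (inside,outside) 2.2.2.0 2.2.2.0 netmask 255.255.255.0",
])

# Christian's two statics plus one constructed, non-overlapping identity static.
REPORTED_CONFIG = "\n".join([
    "static (DMZ,OUTSIDE) 1.1.1.24 2.2.2.24 netmask 255.255.255.255",
    "static (DMZ,OUTSIDE) 1.1.1.25 2.2.2.25 netmask 255.255.255.255",
    "static (DMZ,OUTSIDE) 3.3.3.0 3.3.3.0 netmask 255.255.255.0",  # constructed
])

if __name__ == "__main__":
    for name, cfg in (("page example", PAGE_EXAMPLE), ("reported", REPORTED_CONFIG)):
        for f in find_shadowing_identity_statics(cfg):
            print(f"{name}: line {f.host.line_no} is shadowed by identity static on "
                  f"line {f.identity.line_no}; deny inbound destination {f.block_dst}")
```

A clean result on the statics alone does not rule out the problem; the `show local` and `show xlate debug local` output mentioned in the thread shows which xlate was actually built.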
Re: [c-nsp] How to match local IP address?
If you need to cover all ports, just apply the first route-map I listed. That one will cover all connected routes... Another approach, if your connected routes can be summarized is to match based on that (prefix-lists, for example).

On Tue, Oct 21, 2008 at 15:14, Grzegorz Janoszka [EMAIL PROTECTED] wrote:
> Marko Milivojevic wrote:
>> How about something like this?
>>
>>     route-map Connected-Routes
>>      set community no-export
>>     !
>>     router bgp XXX
>>      address-family ipv4
>>       redistribute connected route-map Connected-Routes
>>     !
>>
>> If you wish to assign community for only specific interfaces only, you can do something like:
>>
>>     route-map Connected-Routes permit 10
>>      match interface XXX
>>      match interface YYY
>>      set community no-export
>>     !
>>     route-map Connected-Routes permit 999
>
> It is a kind of idea, however it is rather complicated setup. The biggest disadvantage is that the interface list has to be updated. Let's say I insert a new blade to a free slot, then I have to update the route-map. Another disadvantage may be length of the route-map - if I have 4x48 ports, then it has almost 200 match entries - I do not know if Cisco allows for so many match entries.
>
> However it is a way to do it. I think I would slightly modify it and use, thanks. If you have another idea I will appreciate it.
>
> --
> Grzegorz Janoszka
Re: [c-nsp] Network Management System
Hi,

Cacti would be great for your case ..

Best Regards,
Mohammed Dado
Technical Support Engineer - EMEA
Airspan Communications Ltd

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ibrahim Alsharif
Sent: 21 October 2008 16:25
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Network Management System

hello Guys,

could please help me to choose which Cisco Network Management software, Cuz I have a network include LAN, WAN, ASA Firewalls Voice Equipments so I need Management Software for these equipments

thank you,
Re: [c-nsp] Network Management System
Dunno but I'd suggest to first define what you want to achieve with your NMS before you look for applications. There are so much applications and solutions around that it is hard to suggest something :-)

best regards
Michel

2008/10/21 Mohammed Dado [EMAIL PROTECTED]
> Hi,
>
> Cacti would be great for your case ..
>
> Best Regards,
> Mohammed Dado
> Technical Support Engineer - EMEA
> Airspan Communications Ltd
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] On Behalf Of Ibrahim Alsharif
> Sent: 21 October 2008 16:25
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] Network Management System
>
> hello Guys,
>
> could please help me to choose which Cisco Network Management software, Cuz I have a network include LAN, WAN, ASA Firewalls Voice Equipments so I need Management Software for these equipments
>
> thank you,
Re: [c-nsp] MST issues
Hash,

> Please can someone explain to me the following outputs when seen on an MST device
>
>     Te9/1 Mstr FWD 2000 128.2049 P2p Bound(PVST)
>
> I am referring to the Mstr and the Bound (PVST) there

The port is boundary port connected to another stp domain where the root is (master for multiple region mstp). the other switch is running PVST (non mstp speaking device). please correct me if I am wrong

do you use regions with MSTP?

--
-mat
pgp-key 0x1C655CAB
Re: [c-nsp] question about service provider network design
On Tue, Oct 21, 2008 at 4:16 PM, Dan Armstrong [EMAIL PROTECTED] wrote:
> We have a fairly similar design for our Metro Ethernet network. Our primary method of protection is STP(MST).
>
> I've been thinking about this, and I can't come up with a reason why we even really need an IGP down to the edge PE devices? Since it's all layer2 - the core switch/routers see all of the PEcore links as Connected routes anyway - what's the point of bother pushing your IGP down there? It's just more needless routes. That leaves you with a very small IGP in your core.

The problem is that you are supposed to have redundant links between routers. The way to have permanent links between routers in spite of changing routes and falling interfaces is to establish communication between loopbacks, and that is what LDP and iBGP - MPBGP do.

Therefore you need unfettered communication between the loopbacks of your routers, PE routers included, therefore you need your loopbacks in your IGP, therefore you need IGP on your PE routers.

I suppose you could somehow make the network function without it, but you'd lose redundancy at the very least.

--
Nathan
[c-nsp] NM-WLC Multicast, not working
I'm stuck - I have a lot of Mac OSX users. Services that depend on multicast appear broken when going between wired and wireless (or even across WLCs or APs).

I blogged about this yesterday @ http://blog.mozilla.com/mrz/ with the hopes someone would have solved this. Cisco apparently can't figure it out.
Re: [c-nsp] question about service provider network design
So say I have an SVI on a PE switch which in turn has 2 layer2 links back to 2 core boxes, the core boxes protected again by a 3rd layer2 link. MST will protect me and make sure I always have link to the PE routers core routers.

What's wrong with using that SVI address in your PE router as a reference, no need for an IGP down there?

Nathan wrote:
> On Tue, Oct 21, 2008 at 4:16 PM, Dan Armstrong [EMAIL PROTECTED] wrote:
>> We have a fairly similar design for our Metro Ethernet network. Our primary method of protection is STP(MST).
>>
>> I've been thinking about this, and I can't come up with a reason why we even really need an IGP down to the edge PE devices? Since it's all layer2 - the core switch/routers see all of the PEcore links as Connected routes anyway - what's the point of bother pushing your IGP down there? It's just more needless routes. That leaves you with a very small IGP in your core.
>
> The problem is that you are supposed to have redundant links between routers. The way to have permanent links between routers in spite of changing routes and falling interfaces is to establish communication between loopbacks, and that is what LDP and iBGP - MPBGP do.
>
> Therefore you need unfettered communication between the loopbacks of your routers, PE routers included, therefore you need your loopbacks in your IGP, therefore you need IGP on your PE routers.
>
> I suppose you could somehow make the network function without it, but you'd lose redundancy at the very least.
Re: [c-nsp] question about service provider network design
2008/10/21 Dan Armstrong :
> So say I have an SVI on a PE switch which in turn has 2 layer2 links back to 2 core boxes, the core boxes protected again by a 3rd layer2 link. MST will protect me and make sure I always have link to the PE routers core routers. What's wrong with using that SVI address in your PE router as a reference, no need for an IGP down there?

In such a scenario you will always get a suboptimized traffic flow as 1 of the links will be blocked by stp. On the other hand you can create 2 vlans - 1st for coreA 2nd for coreB and load balance the traffic by way of 2 regions... (remember that ptp vlans are not supported by mst)

--
-mat pgp-key 0x1C655CAB
Re: [c-nsp] How to match local IP address?
If you are not going to send connected routes out of your AS then do not distribute them. I'm assuming you are using an IGP.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp- [EMAIL PROTECTED] On Behalf Of Grzegorz Janoszka
Sent: Tuesday, October 21, 2008 12:26 PM
To: David Prall
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] How to match local IP address?

David Prall wrote:
> What exactly are you trying to do? Redistribute connected and redistribute static only match those, no need for a route-map. Or are you attempting to advertise these to a particular BGP peer?

Announce connected network with no-export community - it may be lot of smaller prefixes. The big aggregate prefixes will be announced statically in other places.

--
Grzegorz Janoszka
Re: [c-nsp] EIGRP routing failure
What do you mean? The giant counter is incrementing or not?

We ran into an issue where the MTUs were not equal and this was causing EIGRP to bounce. The router with the higher MTU was running 12.4 and the router with the lower MTU was running 12.2, and this was causing the router on 12.2 to discard the EIGRP packets as giants. In the logs it looked as though they are bouncing...

Mohammed Dado wrote:
> It's not that giant, but counters are incrementing ..
>
> Best Regards,
> Mohammed Dado
> Technical Support Engineer - EMEA
> Airspan Communications Ltd
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Derick Winkworth
> Sent: 19 October 2008 15:29
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] EIGRP routing failure
>
> Do you see giants incrementing on either interface?
>
> Mohammed Dado wrote:
>> Dears,
>>
>> We're configuring EIGRP on both sides, customer and ISP. The customer router are dumping the following logs. Here's an example of some logs ..
>>
>> 128326: Oct 6 02:48:05.387 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is up: new adjacency
>> 128327: Oct 6 02:48:05.435 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is down: K-value mismatch
>> 128328: Oct 6 02:48:19.519 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is up: new adjacency
>> 128329: Oct 6 02:57:37.414 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is down: holding time expired
>> 128330: Oct 6 02:57:41.210 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is up: new adjacency
>> 128331: Oct 6 02:58:46.495 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is down: holding time expired
>> 128332: Oct 6 02:58:50.655 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is up: new adjacency
>> 128333: Oct 6 02:58:52.699 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is down: K-value mismatch
>> 128334: Oct 6 02:58:57.623 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is up: new adjacency
>> 128335: Oct 6 02:59:36.491 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is down: holding time expired
>> 128336: Oct 6 02:59:44.327 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is up: new adjacency
>>
>> Can anybody assist ?
>>
>> Best Regards,
>> Mohammed Dado
>> Technical Support Engineer - EMEA
>> Airspan Communications Ltd
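One way to summarise the %DUAL-5-NBRCHANGE lines posted in this thread: count the down reasons per neighbor and measure how long each adjacency stayed up before it dropped. This is an added example, not part of any poster's message; the function names are hypothetical and the year 2008 is assumed from the message dates because the syslog timestamps carry none.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# The eleven syslog lines quoted in the thread (sequence 128326-128336).
LOG = """\
128326: Oct 6 02:48:05.387 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is up: new adjacency
128327: Oct 6 02:48:05.435 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is down: K-value mismatch
128328: Oct 6 02:48:19.519 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is up: new adjacency
128329: Oct 6 02:57:37.414 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is down: holding time expired
128330: Oct 6 02:57:41.210 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is up: new adjacency
128331: Oct 6 02:58:46.495 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is down: holding time expired
128332: Oct 6 02:58:50.655 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is up: new adjacency
128333: Oct 6 02:58:52.699 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is down: K-value mismatch
128334: Oct 6 02:58:57.623 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is up: new adjacency
128335: Oct 6 02:59:36.491 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is down: holding time expired
128336: Oct 6 02:59:44.327 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is up: new adjacency
"""

LINE_RE = re.compile(
    r"^\d+: (?P<ts>\w{3} +\d+ [\d:.]+) \w+: %DUAL-5-NBRCHANGE: IP-EIGRP\(\d+\) \d+: "
    r"Neighbor (?P<nbr>\S+) \((?P<intf>[^)]+)\) is (?P<state>up|down): (?P<reason>.+)$")

def parse(log, year=2008):
    """Return (timestamp, neighbor, interface, state, reason) tuples.
    The year is an assumption: these timestamps do not include it."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
            events.append((ts, m["nbr"], m["intf"], m["state"], m["reason"]))
    return events

def summarize(events):
    """Per (neighbor, interface): down reasons and seconds each adjacency stayed up."""
    up_since = {}
    stats = defaultdict(lambda: {"reasons": Counter(), "lifetimes": []})
    for ts, nbr, intf, state, reason in sorted(events):
        key = (nbr, intf)
        if state == "up":
            up_since[key] = ts
        else:
            stats[key]["reasons"][reason] += 1
            started = up_since.pop(key, None)
            if started is not None:  # skip a 'down' whose 'up' is not in the capture
                stats[key]["lifetimes"].append(round((ts - started).total_seconds(), 3))
    return dict(stats)

if __name__ == "__main__":
    for (nbr, intf), s in summarize(parse(LOG)).items():
        print(nbr, intf, dict(s["reasons"]), s["lifetimes"])
```

On the posted lines this reports three hold-timer expiries and two K-value mismatch events, with adjacency lifetimes ranging from 48 ms to a little over nine minutes.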
Re: [c-nsp] How to match local IP address?
David Prall wrote:
> How are the connected prefixes getting into BGP? Is it redis connected, network statements, or redis of IGP? Should be able to set a community via route-map on a redistribution, I've never tried NO-EXPORT though.

Is the below possible?

route-map redistribute-connected permit 10
 match ip address prefix-list ABC
 set community no-export
!
router bgp XYZ
 redistribute connected subnets route-map redistribute-connected

Is it possible to set the bgp community in the redistribute route-map? Will this community be sent to the transit (of course if not overwritten by peer outgoing route-map)? Someone tried such setup?

--
Grzegorz Janoszka
Re: [c-nsp] How to match local IP address?
> Is the below possible?
>
> route-map redistribute-connected permit 10
>  match ip address prefix-list ABC
>  set community no-export
> !
> router bgp XYZ
>  redistribute connected subnets route-map redistribute-connected
>
> Is it possible to set the bgp community in the redistribute route-map?

It is absolutely possible to set community in redistribute route-map - I would not have otherwise suggested it as a solution for your problem :-) However, your BGP syntax is a bit off. BGP doesn't have subnets keyword.

> Will this community be sent to the transit (of course if not overwritten by peer outgoing route-map)? Someone tried such setup?

Communities will be sent to eBGP neighbors if you have send-community configured for that neighbor (except for no-export, which will not be sent). Note that the same applies for iBGP neighbors. And finally, yes, there are probably quite a few of us who use this setup :-)

--
Marko CCIE #18427 (SP)
My network blog: http://cisco.markom.info/
Re: [c-nsp] How to match local IP address?
Here, I had a few minutes to play in the lab:

interface Loopback0
 ip address 10.0.0.1 255.255.255.0
!
interface Loopback1
 ip address 10.1.0.1 255.255.255.0
!
interface Loopback2
 ip address 10.2.0.1 255.255.255.0
!
interface Loopback3
 ip address 10.3.0.1 255.255.255.0
!
router bgp 100
 bgp log-neighbor-changes
 !
 address-family ipv4
  redistribute connected route-map rc
  no auto-summary
  no synchronization
 exit-address-family
!
ip prefix-list AAA seq 5 permit 10.0.0.0/8 ge 24 le 24
!
route-map rc permit 10
 match ip address prefix-list AAA
 set community no-export
!

R1#sh ip bgp
BGP table version is 9, local router ID is 10.3.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.0.0.0/24      0.0.0.0                  0         32768 ?
*> 10.1.0.0/24      0.0.0.0                  0         32768 ?
*> 10.2.0.0/24      0.0.0.0                  0         32768 ?
*> 10.3.0.0/24      0.0.0.0                  0         32768 ?

R1#sh ip bgp 10.0.0.0
BGP routing table entry for 10.0.0.0/24, version 8
Paths: (1 available, best #1, table Default-IP-Routing-Table, not advertised to EBGP peer)
Flag: 0x8A0
  Not advertised to any peer
  Local
    0.0.0.0 from 0.0.0.0 (10.3.0.1)
      Origin incomplete, metric 0, localpref 100, weight 32768, valid, sourced, best
      Community: no-export

--
Marko CCIE #18427 (SP)
My network blog: http://cisco.markom.info/
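A model of what the lab configuration above does to each connected route, added here as an illustration and not taken from Marko's message: it applies the `ge 24 le 24` prefix-list test, tags matches with NO_EXPORT, and drops everything else at the route-map's implicit deny. Function names are hypothetical, and the Loopback9 and Serial0/0 entries are constructed to show routes that fall outside the match.

```python
import ipaddress

NO_EXPORT = 0xFFFFFF01  # well-known community value from RFC 1997

def prefix_list_match(route, entry, ge=None, le=None):
    """IOS prefix-list test for a single permit entry.
    Without ge/le the prefix and length must match exactly; with them the
    route must sit inside the entry and its length must fall in [ge, le]."""
    route = ipaddress.ip_network(route)
    entry = ipaddress.ip_network(entry)
    if ge is None and le is None:
        return route == entry
    lo = ge if ge is not None else entry.prefixlen
    hi = le if le is not None else route.max_prefixlen
    return route.subnet_of(entry) and lo <= route.prefixlen <= hi

def redistribute_connected(connected):
    """route-map rc permit 10 / match prefix-list AAA / set community no-export.
    A route matching no clause hits the implicit deny and never enters BGP."""
    bgp_table = {}
    for addr in connected.values():
        net = str(ipaddress.ip_interface(addr).network)
        if prefix_list_match(net, "10.0.0.0/8", ge=24, le=24):
            bgp_table[net] = {NO_EXPORT}
    return bgp_table

def advertised_to(bgp_table, peer_type):
    """Prefixes offered to a peer; NO_EXPORT keeps a route inside the local AS
    (confederations are ignored in this model)."""
    return sorted(p for p, comms in bgp_table.items()
                  if not (peer_type == "ebgp" and NO_EXPORT in comms))

LAB_CONNECTED = {
    "Loopback0": "10.0.0.1/24",     # the four loopbacks from the lab
    "Loopback1": "10.1.0.1/24",
    "Loopback2": "10.2.0.1/24",
    "Loopback3": "10.3.0.1/24",
    "Loopback9": "10.255.0.1/32",   # constructed: inside 10/8 but length 32
    "Serial0/0": "192.168.1.1/30",  # constructed: outside 10/8
}

if __name__ == "__main__":
    table = redistribute_connected(LAB_CONNECTED)
    print("in BGP:  ", sorted(table))
    print("to iBGP: ", advertised_to(table, "ibgp"))
    print("to eBGP: ", advertised_to(table, "ebgp"))
```

The two constructed interfaces never reach the BGP table at all, which is the side effect to watch for when a redistribution route-map has only one permit clause.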
Re: [c-nsp] Network Management System
Hello Michel thanks for ur reply what I want is to draw full topology for the network, manage, monitor configure all devices so what do u think ?

----- Original Message -----
From: Michel Grossenbacher [EMAIL PROTECTED]
To: Mohammed Dado [EMAIL PROTECTED]
Cc: Ibrahim Alsharif [EMAIL PROTECTED]; cisco-nsp@puck.nether.net cisco-nsp@puck.nether.net
Sent: Tuesday, October 21, 2008 6:32:36 PM
Subject: Re: [c-nsp] Network Management System

Dunno but I'd suggest to first define what you want to achieve with your NMS before you look for applications. There are so much applications and solutions around that it is hard to suggest something :-)

best regards
Michel

2008/10/21 Mohammed Dado [EMAIL PROTECTED]
> Hi,
>
> Cacti would be great for your case ..
>
> Best Regards,
> Mohammed Dado
> Technical Support Engineer - EMEA
> Airspan Communications Ltd
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ibrahim Alsharif
> Sent: 21 October 2008 16:25
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] Network Management System
>
> hello Guys,
>
> could please help me to choose which Cisco Network Management software, Cuz I have a network include LAN, WAN, ASA Firewalls Voice Equipments so I need Management Software for these equipments
>
> thank you,
Re: [c-nsp] WCS on CentOS?
Jeffrey Ollie wrote:
> Currently, my Wireless Control System is running on an upgraded WLSE box that runs RHEL 4 (which came with the WLSE-WCS conversion) and version 5.0.56 of the WCS software. I'd like to move to the latest version but it requires RHEL 5. I don't have any RHEL licenses otherwise as I use CentOS for my server OS. WCS detects that I'm running CentOS and not RHEL and won't install. Is there any way that I can work around that? Failing that is there a way that I can upgrade the old RHEL 4 install?

You can also install using the following, but keep in mind Cisco will tell you that your installation is not supported if you ever have troubles:

./installer.bin -DCHECK_OS=false

We have a still open TAC case with them trying to define what a RH ES 5.0 system is by their standards as if you update the box it upgrades to 5.2 (which is unsupported). Naturally we want to update, but policies here say we can't negate support. We know which package will prevent the text files from updating this information, but we would only technically have a 5.0 box then as all the binaries are still the same as a 5.2 box.

David
[c-nsp] Cisco CDS (content delivery system)
Anyone had much experience with one? We are looking at deploying one on a national level and while it sounds great and seems to do what we are after I'm curious as to anyone's real world experience with one.

Cheers
Ben
[c-nsp] Cannot initiate tunnel (ASA to PIX )
On a L2L tunnel CompanyA can initiate the tunnel but CompanyB cannot.

Company A's ASA 5505 config

ASA Version 7.2(4)
!
hostname CompanyA
domain-name default.domain.invalid
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.103.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 83.192.239.71 255.255.255.192
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list nonat1 extended permit ip 192.168.103.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list CompanyB_cryptomap extended permit ip 192.168.103.0 255.255.255.0 10.0.0.0 255.0.0.0
global (outside) 1 interface
nat (inside) 0 access-list nonat1
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 set pfs
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-AES-256-SHA
crypto map Outside_map 2 match address CompanyB_cryptomap
crypto map Outside_map 2 set peer 209.5.217.130
crypto map Outside_map 2 set transform-set ESP-AES-256-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 15
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
tunnel-group 209.5.217.130 type ipsec-l2l
tunnel-group 209.5.217.130 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

Company B's Pix 506e config

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Str/GbGlphzdplIj encrypted
passwd Str/GbGlphzdplIj encrypted
hostname CompanyB
domain-name domain.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.10.10.253 server
access-list 90 permit ip 10.0.0.0 255.0.0.0 192.168.16.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.0.0.0 192.168.16.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.0.0.0 172.16.10.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.0.0.0 192.168.102.0 255.255.255.0
access-list outside_access_in permit tcp any host 209.5.217.131 eq 3389
access-list outside_access_in permit tcp any host 209.5.217.131 eq www
access-list outside_access_in permit tcp any host 209.5.217.131 eq https
access-list outside_access_in permit tcp any host 209.5.217.131 eq pop3
access-list outside_access_in permit tcp any host 209.5.217.131 eq smtp
access-list Store10 permit ip 10.0.0.0 255.0.0.0 172.16.10.0 255.255.255.0
access-list CompanyA permit ip 10.0.0.0 255.0.0.0 192.168.102.0 255.255.255.0
pager lines 24
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside 209.5.217.130 255.255.255.240
ip address inside 10.10.10.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name ids-attack attack action alarm drop reset
ip audit name ids-info info action alarm
ip audit interface outside ids-info
ip audit interface outside ids-attack
ip audit interface inside ids-info
ip audit interface inside ids-attack
ip audit info action alarm
ip audit attack action alarm
ip local pool roamer 192.168.10.1-192.168.10.15
ip local pool vpn-users 10.10.10.175-10.10.10.199
pdm location 10.10.10.0