Re: [c-nsp] Bridging ATM on 7206? (Getting really frustrated here)
On Fri, Oct 24, 2008 at 8:43 AM, a nice guy wrote in private mail:

> > I can't believe this isn't simple! I just want to change the PVC on the [expletive] ATM cells and push them back the same way they came, how can that be so difficult?
>
> at the risk of sounding stupid - isn't that what an ATM switch is for? ie, if you had an ATM switch at the head end you could just PVC switch?

I think so, yes. I suppose an ATM switch can deal with sending cells out the same physical interface that they came in on, at least I hope so. The problem is that I do not have an ATM switch :-( If I'd known there would be a problem five months ago, I could *maybe* have bought one and set it up :-( Even if I did buy one now (how much could one ATM switch with at least two STM SMI interfaces cost?) I'd have to wait a week or so to set up a planned service disruption for all those *other* clients who are happily using L3 services over that ATM link.

Getting the operator of the ATM switch on the other end to bridge will be extremely difficult, lengthy, and expensive (at least a thousand dollars for something that has to be a ten-line config change, yes, I know, but they're the only game in town and not expensive as long as you don't deviate from the norm).

I just can't believe a 7200 can't do this. I can't get a definitive response either way from the Cisco docs. Anyone? Please?

-- Nathan

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Bridging ATM on 7206? (Getting really frustrated here)
Nathan wrote:

> On Wed, Oct 22, 2008 at 3:04 PM, Nathan wrote:
> > I can't believe this isn't simple! I just want to change the PVC on the [expletive] ATM cells and push them back the same way they came, how can that be so difficult?

Are you looking for the local switching feature?
Re: [c-nsp] problem with serial number on cisco 7200 routers /maintenance contract
I believe the Cisco 7300 series is completely different. The basic architecture of the Cisco 7200 series is really old (but good, like a Swiss-army knife) and I assume they are not able to change anything. Maybe a little bit like the A20-Gate :)

2008/10/23 Elmar K. Bins wrote:

> (Stephan Lochner) wrote:
> > Yes, the G1 is having the same problem.
>
> Interesting enough, 7301 (which should be a G1 in a 1RU chassis) doesn't seem to fail there.
>
> Elmar.
Re: [c-nsp] Bridging ATM on 7206? (Getting really frustrated here)
On Fri, Oct 24, 2008 at 10:10 AM, Joe Maimon wrote:

> Nathan wrote:
> > I can't believe this isn't simple! I just want to change the PVC on the [expletive] ATM cells and push them back the same way they came, how can that be so difficult?
>
> Are you looking for the local switching feature

Well, yes, why not, anything goes . . .

Currently it's configured using
http://www.cisco.com/en/US/tech/tk39/tk48/technologies_configuration_example09186a008009455f.shtml

I've tried with and without atm route-bridged ip (both seem to work now, go figure). And VLAN 1 (untagged packets) goes through without a problem. I get no ARP for packets in a VLAN other than 1. I've changed bridge 1 protocol to vlan-bridge, no luck.

Going through "Troubleshooting Bridging and IRB over ATM PVCs" at
http://www.cisco.com/en/US/tech/tk39/tk48/technologies_tech_note09186a0080093d63.shtml
I think I've found a problem: I don't seem to receive BPDUs, even on VLAN 1, and each router thinks it's the root for each VLAN. Maybe the ATM/Ethernet converter on the CPE side is filtering out the BPDUs, which it shouldn't. But VLAN 1 works... do I really need BPDUs? There is zero chance of a loop between the CPEs, so...

-- Thanks, Nathan
Re: [c-nsp] Bridging ATM on 7206? (anything goes)
On Fri, Oct 24, 2008 at 11:00 AM, I wrote:
> Well, yes, why not, anything goes . . .

As far as anything goes, shouldn't it be possible to tunnel L2 packets over L2TP between two 871s, ARPs and all? It will kill MTU, but I'm past caring. Do I have to set up IPsec? Can I set up several tunnels (one for each VLAN), or just one tunnel with 802.1q tags, or even just one tunnel for one VLAN and another VLAN as default VLAN?

-- Thanks, Nathan
Re: [c-nsp] EoMPLS terminating on PE?
On Wed, 22 Oct 2008 22:19:40 +0200 Nathan wrote:

> On Mon, Oct 20, 2008 at 12:54 PM, Oliver Boehmer (oboehmer) wrote:
> > Nathan wrote on Monday, October 20, 2008 10:29 AM:
> > > In effect, I want to extend the VC coming in on one PE so that it (L3) terminates on another PE.
> >
> > you need the routed pseudowire feature, but this is currently only supported on the 7600
>
> I decided to xconnect the physical edge router's ATM interface to a third router that has L2 connectivity to the router I want the L3 to terminate on. Should work, right?
>
> My problem is now that the ATM subinterface does not recognize the xconnect command at all :-( (On Fa and Gi subinterfaces no problem). I've tried with and without atm route-bridged ip, on the off-chance that the command might reappear, but no such luck.
>
> Is this a limitation of the interface type or a lack that is corrected in some more recent IOS? What would the Cisco feature be?
>
> This is a 7206 G1 running c7200-js-mz.123-21.bin.
>
> Thanks,
> -- Nathan

Maybe this will help?
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fsaal22.html

-- Alex Wågberg
Re: [c-nsp] EoMPLS terminating on PE?
On Fri, Oct 24, 2008 at 11:16 AM, Alex Wågberg wrote:
> Maybe this will help?
> http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fsaal22.html

At first glance it probably would, but I'd have a hard time justifying the exchange of a 7206 G1 running nicely at about 30-40% capacity for a Cisco 12000 :-) Not that I've got the list price for a 12000 with ATM SMI and GBE cards in front of me, but something tells me it isn't going to happen.

-- Thanks, Nathan
Re: [c-nsp] Restrict access in a VPN tunnel
Very appreciated Ryan. Thanks for your reply

--- On Wed, 10/22/08, Ryan Bradley wrote:

> From: Ryan Bradley
> Subject: RE: [c-nsp] Restrict access in a VPN tunnel
> Date: Wednesday, October 22, 2008, 9:46 AM
>
> Define each protocol and port number per host
>
>   access-list nonat permit tcp host 10.10.20.1 eq 1433 host 192.168.16.2 eq 1433
>   access-list nonat permit tcp host 10.10.20.1 eq 1433 host 192.168.16.3 eq 1433
>
> This should solve your second issue by restricting who is allowed over the tunnel and on what port number and protocol.
>
> Ryan
>
> -----Original Message-----
> From: JR Colmenares
> Sent: Friday, October 17, 2008 11:54 PM
> To: Cisco NSP Forum
> Subject: [c-nsp] Restrict access in a VPN tunnel
>
> Cisco 506e 6.3.4
>
> I am configuring a tunnel and I have this access list that allows traffic from the remote site to our whole subnet
>
>   access-list nonat permit ip 10.0.0.0 255.0.0.0 192.168.16.0 255.255.255.0
>   access-list remote_site permit ip 10.0.0.0 255.0.0.0 192.168.16.0 255.255.255.0
>   sysopt connection permit-ipsec
>
> Our users are going to access a database server on the remote site
>
> 1- How can I restrict the access to particular hosts in our network?
> 2- Is it possible to configure the tunnel so the IP traffic goes just in one direction? It seems to me that if our users need to access their servers, they should not need to access any hosts on our side? Or if it is done this way, our users would not be able to pull any data from those servers because the traffic just goes in one direction.
>
> Please provide some insight here. I am a little paranoid with this company wanting to establish this kind of open access
Re: [c-nsp] ME3400
We use them as a sort of "port replicator" for routers like the 7206 where we need a few more ethernet ports. Rock solid little box. The UNI/NNI port configuration is slightly odd but I can see the benefit in a metro application.

We're using the ME6524 for our metro stuff though. Doesn't have the same restrictions as the ME-3400.

-d

From: Jeff Cartier
Date: Thu, 23 Oct 2008 11:58:00 -0400
To: Marko Milivojevic, MKS
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ME3400

> Bell Canada seems to prefer these devices for edge NNI devices.
>
> Jeff Cartier
> Applied Computer Solutions
> (519) 944-4300 ext. 233
>
> -----Original Message-----
> From: Marko Milivojevic
> Sent: Thursday, October 23, 2008 11:54 AM
> To: MKS
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] ME3400
>
> On Thu, Oct 23, 2008 at 15:44, MKS wrote:
> > Hi does anyone have experience with ME3400 switches. How are they performing? What about the stability
>
> We have a dozen or so in production. So far, rock solid and no major issues with them.
>
> -- Marko
> CCIE #18427 (SP)
> My network blog: http://cisco.markom.info/
Re: [c-nsp] ME3400
On Fri, Oct 24, 2008 at 11:31, David Curran wrote:
> We use them as a sort of port replicator for routers like the 7206 where we need a few more ethernet ports. Rock solid little box. The UNI/NNI port configuration is slightly odd but I can see the benefit in a metro application. We're using the ME6524 for our metro stuff though. Doesn't have the same restrictions as the ME-3400.

Speaking of ME-6500. Does it have LAN or WAN ports? In other words, does it have decent QoS?

-- Marko
CCIE #18427 (SP)
My network blog: http://cisco.markom.info/
Re: [c-nsp] Restrict access in a VPN tunnel
You'll have to take off sysopt connection permit-ipsec before those ACLs take effect. Note that this may affect other VPNs if you have them.

tv

----- Original Message -----
From: JR Colmenares
To: Ryan Bradley; Cisco NSP Forum
Sent: Friday, October 24, 2008 6:23 AM
Subject: Re: [c-nsp] Restrict access in a VPN tunnel

> Very appreciated Ryan. Thanks for your reply
>
> --- On Wed, 10/22/08, Ryan Bradley wrote:
> > Define each protocol and port number per host
> >
> >   access-list nonat permit tcp host 10.10.20.1 eq 1433 host 192.168.16.2 eq 1433
> >   access-list nonat permit tcp host 10.10.20.1 eq 1433 host 192.168.16.3 eq 1433
> >
> > This should solve your second issue by restricting who is allowed over the tunnel and on what port number and protocol.
> [...]
Re: [c-nsp] Bridging ATM on 7206? (anything goes)
On Fri, Oct 24, 2008 at 5:24 PM, Bruce Robertson wrote:
> If I remember correctly, the 1751 supports L2TPv3. You could add another Ethernet interface to the 1751 (the WIC-4ESW is handy for that, or WIC-1ENET), insert it between the 871 and customer, and bridge the Ethernets through, without killing MTU.

Sounds doable. So with a 1751, I should be able to do an xconnect on each of my two interfaces, and thereby string two L2TPv3 pseudowires between my sites?

With two 1751s I don't suppose I'll need the 871s though (my need is connecting LANs site A - my871 - ethernet - ethernet2ATMconverter - ATM - 7200 - ATM - ethernet2ATMconverter - ethernet - my871 - LANs site B, where the LANs are currently two untagged RJ45s on each side but could be a single RJ45 with a dot1q trunk).

In your opinion, no way of doing it with L2TP on my 871s?

-- Thanks for your help, Nathan
Re: [c-nsp] Bridging ATM on 7206? (anything goes)
Nathan wrote:
> On Fri, Oct 24, 2008 at 5:24 PM, Bruce Robertson wrote:
> > If I remember correctly, the 1751 supports L2TPv3. You could add another Ethernet interface to the 1751 (the WIC-4ESW is handy for that, or WIC-1ENET), insert it between the 871 and customer, and bridge the Ethernets through, without killing MTU.
>
> Sounds doable. So with a 1751, I should be able to do an xconnect on each of my two interfaces, and thereby string two L2TPv3 pseudowires between my sites?

That's correct. It gets messier if you need to tie multiple sites into one broadcast domain, but it's still doable. The only difference there is that you need to terminate all the L2TPv3 pseudowires at your central site, burning a router Ethernet interface for each one, and then tie them all together with a switch. It doesn't scale well. If there's a simpler way, hopefully someone on the list will point it out.

> With two 1751s I don't suppose I'll need the 871s though (my need is connecting LANs site A - my871 - ethernet - ethernet2ATMconverter - ATM - 7200 - ATM - ethernet2ATMconverter - ethernet - my871 - LANs site B, where the LANs are currently two untagged RJ45s on each side but could be a single RJ45 with a dot1q trunk).

Yes, assuming the ATM is DSL, the 1751 can do the DSL directly. You wouldn't need the extra Ethernet interface in that case. I don't know anything about 871s; are you using any special features that the 1751 can't do?

BTW, you'll need IOS 12.4 on the 1751 to do the L2TPv3.

> In your opinion, no way of doing it with L2TP on my 871s?

Dunno, I tend to avoid L2TP non-v3. v3 has worked very well for us.

> -- Thanks for your help, Nathan
Re: [c-nsp] Bridging ATM on 7206? (anything goes)
Of course the 1751 will support the DSL too...

Bruce Robertson, President/CEO            +1-775-348-7299
Great Basin Internet Services, Inc.       company-wide fax: +1-775-348-9412
http://www.greatbasin.net                 my efax: +1-775-201-1553

Nathan wrote:
> On Fri, Oct 24, 2008 at 11:00 AM, I wrote:
> > Well, yes, why not, anything goes . . .
>
> As far as anything goes, shouldn't it be possible to tunnel L2 packets over L2TP between two 871s, ARPs and all? It will kill MTU, but I'm past caring. Do I have to set up IPsec? Can I set up several tunnels (one for each VLAN), or just one tunnel with 802.1q tags, or even just one tunnel for one VLAN and another VLAN as default VLAN?
>
> -- Thanks, Nathan
Re: [c-nsp] time setting / dns and secure vertual ip
Hi

Thank you for your help. I still have questions.

1/ I followed your instruction

  config# clock calendar-valid

The command show clock gives 17:34 xx UTC. Now my time is 14:11. Why is it still 3 hours ahead?

2/ I don't have this command name-server, but when I check there looks to be a command name-connection. How can I know whether they are the same command? I am using a 6513. How can I look up commands in different IOS versions on the Cisco website?

Thank you for your help

--- Peter Rathlev wrote:

> Hi Adrian,
>
> On Thu, 2008-10-23 at 19:10 +0800, adrian kok wrote:
> > how can I set up the clock / dns and virtual ip
> >
> > following is my setting the clock. now it is 11:20. but it shows 15:01
> >
> >   router#show clock
> >   *15:00:16.743 UTC Wed Oct 22 2008
> >   router#calendar set 11:20:00 22 Oct 2008
> >   router#show clock
> >   *15:01:38.215 UTC Wed Oct 22 2008
>
> The calendar set command manages the hardware clock of the device. Use show calendar to see what the hardware clock is right now. Use clock read-calendar to copy the time from the hardware clock to the software clock, which will make show clock display what you expect.
>
> Think of using NTP if you use the clock for anything serious.
>
> > 2/ how can I set up the dns? I can't get the command!
>
> If you need to make the router do DNS resolving, you can use ip name-server A.B.C.D combined with ip domain-lookup. Consider the implications though.
>
> > 3/ how can I secure the virtual ip for farm in 6513? When I set up it, that ip should be accessed from outside by telnet? If I have many virtual ips in farm setting, what is easy way to do it?
>
> Assuming you mean how to make sure administration via telnet/SSH is only allowed from certain sources, you could use an access-class statement on your VTY lines:
>
>   access-list 10 permit 10.0.0.0 0.0.0.255
>   !
>   line vty 0 15
>    access-class 10 in
>   !
>
> This would permit 10.0.0.0/24, refusing everyone else with TCP RST.
>
> Regards,
> Peter
Re: [c-nsp] problem with serial number on cisco 7200 routers /maintenance contract
Hi,

On Fri, Oct 24, 2008 at 10:19:10AM +0200, Stephan Lochner wrote:
> I believe the Cisco 7300 series is completely different. The basic architecture of the Cisco 7200 series is really old (but good, like a Swiss-army knife) and I assume they are not able to change anything. Maybe a little bit like the A20-Gate :)

The 7301 effectively is a 1RU 7200 with built-in NPE-G1. There is *no* similarity between 7301 and 7304.

gert

--
USENET is *not* the non-clickable part of WWW!      //www.muc.de/~gert/
Gert Doering - Munich, Germany                      fax: +49-89-35655025
Re: [c-nsp] Bridging ATM on 7206? (anything goes)
If I remember correctly, the 1751 supports L2TPv3. You could add another Ethernet interface to the 1751 (the WIC-4ESW is handy for that, or WIC-1ENET), insert it between the 871 and customer, and bridge the Ethernets through, without killing MTU.

Bruce Robertson, President/CEO
Great Basin Internet Services, Inc.
http://www.greatbasin.net

Nathan wrote:
> As far as anything goes, shouldn't it be possible to tunnel L2 packets over L2TP between two 871s, ARPs and all? It will kill MTU, but I'm past caring. Do I have to set up IPsec? Can I set up several tunnels (one for each VLAN), or just one tunnel with 802.1q tags, or even just one tunnel for one VLAN and another VLAN as default VLAN?
>
> -- Thanks, Nathan
Re: [c-nsp] Restrict access in a VPN tunnel
Why can't he leave his ACL for the crypto map alone and simply apply the relevant access list on the interface to restrict specific entries? Will this affect his VPN (don't think so)?

Regards,
Mario
[c-nsp] BGP Multihomed Selective/Conditional Advertisement
I have been trying to figure out how to do this and maybe someone will be able to help me out. I have two ISP connections, ISP ATT and ISP Cogent.

  (ISP Cogent)    (ISP ATT)
       |              |
      R0 ----------- R1

ATT would be used primarily for internet and access to our webservers. Cogent would be used primarily to access Cogent's network, which uses VPN for incoming connections only. I do not want to have other networks besides Cogent's network using this path to access our webserver. I would like to have each act as a backup for the other. For instance if ATT fails I want everyone on the internet to use Cogent to access me. If Cogent fails I want everyone on the internet and the VPN connections on Cogent's network to use ATT.

So basically what I was thinking to set up is to accept a default route from ATT and Cogent. Lower the local preference of Cogent and that way I would accomplish using ATT as primary internet access. The tricky part is with Cogent and using them to only access their local networks. Looking through communities I found Cogent's communities that would not export my route to their peers and keep it internal within their AS. This works fine, but the problem now is how do I fail over if ATT fails? How do I automatically change the not-export community I'm sending to Cogent to start advertising the route to its peers?

I looked at conditional advertisement; I was able to basically send the route map with not-export communities to Cogent if the default route from ATT is present. The problem with this is that once the default route disappears it doesn't advertise anything to Cogent, none of my routes are advertised to Cogent.

I'm not sure if I could do this sort of a double condition, such as:

  if ATT's default route is present
    send out to Cogent a route map with prefixes to not-export my routes
  if ATT's default route is not present
    send to Cogent a route map without any communities on my routes

Basically I'm trying to figure out how I can have multihoming, but with the constraints that I want one ISP to be used for internet and the other to only access their AS, but still have the capability to automatically fail over in case one of the circuits dies.

Thank you for any input or help.

Tom Kacprzyński
Network Engineer
Re: [c-nsp] Restrict access in a VPN tunnel
That's where he needs to apply it. Once the sysopt has been removed, the VPN traffic will get checked against the outside interface ACL. The crypto map ACL is for the proxies to define which traffic traverses the VPN.

----- Original Message -----
From: Mario Spinthiras
To: Tony Varriale
Cc: Ryan Bradley; Cisco NSP Forum
Sent: Friday, October 24, 2008 3:41 PM
Subject: Re: [c-nsp] Restrict access in a VPN tunnel

> Why can't he leave his ACL for the crypto map alone and simply apply the relevant access list on the interface to restrict specific entries? Will this affect his VPN (don't think so)?
>
> Regards,
> Mario
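The thread turns on two PIX 6.x behaviours: with `sysopt connection permit-ipsec` set, decrypted tunnel traffic bypasses the interface ACL entirely, and once it is removed that traffic is checked against the inbound ACL of the outside interface like any other packet. One detail worth checking before relying on the posted entries: in PIX syntax an `eq` that follows the source address is a source-port match, so `host 10.10.20.1 eq 1433` only matches packets that leave the client from port 1433, not a SQL client connecting from an ephemeral port. The following is an added example, not code from the thread or from Cisco: a small evaluator for PIX-style extended access-list lines that makes both points visible. The addresses and ports are the ones posted; the ACL named `outside_in`, the flows and the `sysopt` flag are constructed for the example.

```python
"""Evaluator for PIX-style extended ACL lines (added example, not from the thread).

Models, for decrypted IPsec traffic arriving on the outside interface:
  * 'sysopt connection permit-ipsec' set   -> interface ACL bypassed
  * 'sysopt connection permit-ipsec' absent -> interface ACL consulted, first match wins,
                                             implicit deny at the end
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Flow:
    proto: str          # "tcp", "udp", ...
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches any protocol
    src: ipaddress.IPv4Network
    sport: Optional[int]          # None = any source port
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None = any destination port

def _take_endpoint(tokens: List[str]):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D M.M.M.M', then an optional 'eq N'."""
    if tokens[0] == "any":
        net, tokens = ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    elif tokens[0] == "host":
        net, tokens = ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    else:                         # PIX takes a real netmask here, not an IOS wildcard
        net, tokens = ipaddress.IPv4Network((tokens[0], tokens[1])), tokens[2:]
    port = None
    if tokens[:1] == ["eq"]:
        port, tokens = int(tokens[1]), tokens[2:]
    return net, port, tokens

def parse_acl(text: str) -> List[Rule]:
    """Parse 'access-list NAME permit|deny PROTO SRC [eq P] DST [eq P]' lines."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue                                  # skip anything that is not an ACE
        action, proto, rest = tok[2], tok[3], tok[4:]
        src, sport, rest = _take_endpoint(rest)
        dst, dport, rest = _take_endpoint(rest)
        rules.append(Rule(action, proto, src, sport, dst, dport))
    return rules

def acl_permits(rules: List[Rule], flow: Flow) -> bool:
    """First matching entry decides; an implicit deny follows the last entry."""
    s, d = ipaddress.IPv4Address(flow.src), ipaddress.IPv4Address(flow.dst)
    for r in rules:
        if r.proto != "ip" and r.proto != flow.proto:
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.sport is not None and r.sport != flow.sport:
            continue
        if r.dport is not None and r.dport != flow.dport:
            continue
        return r.action == "permit"
    return False

def vpn_flow_allowed(rules: List[Rule], flow: Flow, sysopt_permit_ipsec: bool) -> bool:
    """Decrypted IPsec traffic skips the interface ACL while the sysopt is set."""
    return True if sysopt_permit_ipsec else acl_permits(rules, flow)

# Ryan's two entries, as posted. The 'eq 1433' after the *source* host is a
# source-port match in PIX syntax.
THREAD_ACL = """
access-list nonat permit tcp host 10.10.20.1 eq 1433 host 192.168.16.2 eq 1433
access-list nonat permit tcp host 10.10.20.1 eq 1433 host 192.168.16.3 eq 1433
"""

# Constructed variant for comparison: destination port only, so a client connecting
# from an ephemeral source port matches. 'outside_in' is a name chosen for the example.
CLIENT_ACL = """
access-list outside_in permit tcp host 10.10.20.1 host 192.168.16.2 eq 1433
access-list outside_in permit tcp host 10.10.20.1 host 192.168.16.3 eq 1433
"""

# Constructed flows: a SQL client from an ephemeral port, and the reverse direction.
CLIENT_TO_SQL = Flow("tcp", "10.10.20.1", 51234, "192.168.16.2", 1433)
SQL_TO_CLIENT = Flow("tcp", "192.168.16.2", 1433, "10.10.20.1", 51234)

if __name__ == "__main__":
    for name, text in (("nonat (as posted)", THREAD_ACL), ("outside_in", CLIENT_ACL)):
        rules = parse_acl(text)
        print(f"{name:18} client->sql: {acl_permits(rules, CLIENT_TO_SQL)!s:5} "
              f"sql->client: {acl_permits(rules, SQL_TO_CLIENT)!s:5} "
              f"with sysopt: {vpn_flow_allowed(rules, SQL_TO_CLIENT, True)}")
```

Run as a script it prints one line per rule set; the useful comparison is that the posted entries admit nothing from an ephemeral source port, while the destination-port-only variant admits the client and still denies the reverse direction and everything else, and that neither matters while `sysopt connection permit-ipsec` is in place.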
[c-nsp] Double Conditional BGP Advertisement
Hi

Does anyone know what is wrong with these commands (or how this could be accomplished)?

  neighbor 11.0.0.1 advertise-map OUT-BGP-ISP_B-RMAP exist-map DEFAULT-ROUTE-ISP_A
  neighbor 11.0.0.1 advertise-map OUT-ISP_B-BGP-FAILOVER-RMAP not-exist-map DEFAULT-ROUTE-ISP_A

I'm just trying to send OUT-BGP-ISP_B-RMAP if DEFAULT-ROUTE-ISP_A exists, and if DEFAULT-ROUTE-ISP_A does not exist send out OUT-ISP_B-BGP-FAILOVER-RMAP. My route maps have different communities associated with them and I want to send a different one to the ISP to control its distribution.

Thank you
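The IOS keyword for the second form is `non-exist-map` (`neighbor <addr> advertise-map <map> {exist-map <map> | non-exist-map <map>}`). Beyond that, the behaviour Tom describes in the previous message, everything withdrawn from Cogent the moment the ATT default disappears, is exactly what a single exist-map gated policy does: prefixes selected by the advertise-map are advertised only while the condition holds and are withdrawn otherwise. The following is an added example, not code from the thread or from Cisco: a small model of that conditional-advertisement logic, using the route-map and condition names from the post, which reproduces the single-branch behaviour and shows what the two-branch policy would send. The customer prefix (TEST-NET-3) and the community string are placeholders, since the real Cogent community values are not on the page; whether a given IOS release accepts two advertise-map lines for one neighbour is not checked here, the two lines are simply modelled as independent conditions. Only prefixes selected by some advertise-map are modelled, which matches the post ("none of my routes are advertised").

```python
"""Model of IOS BGP conditional advertisement (added example, not from the thread).

advertise-map A exist-map B     : prefixes matched by A are sent while B's prefix exists
advertise-map A non-exist-map B : prefixes matched by A are sent while B's prefix is absent
A prefix selected by no active advertise-map is not sent (withdrawn).
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set

Prefix = str
Communities = FrozenSet[str]

@dataclass(frozen=True)
class RouteMap:
    name: str
    matches: Callable[[Prefix], bool]      # which local prefixes the map selects
    set_community: Communities             # communities attached on export

@dataclass(frozen=True)
class Conditional:
    """One 'neighbor X advertise-map <advertise> {exist-map|non-exist-map} <cond>' line."""
    advertise: RouteMap
    condition: Callable[[Set[Prefix]], bool]   # evaluated against the BGP table
    non_exist: bool = False                    # True models non-exist-map

def default_route_isp_a(bgp_table: Set[Prefix]) -> bool:
    """DEFAULT-ROUTE-ISP_A: true while ISP_A's default route is in the BGP table."""
    return "0.0.0.0/0" in bgp_table

def advertisements(local: Set[Prefix], bgp_table: Set[Prefix],
                   policies: List[Conditional]) -> Dict[Prefix, Communities]:
    """What the neighbour receives: prefix -> communities attached."""
    sent: Dict[Prefix, Communities] = {}
    for pol in policies:
        cond = pol.condition(bgp_table)
        active = (not cond) if pol.non_exist else cond
        if not active:
            continue
        for prefix in local:
            if pol.advertise.matches(prefix):
                sent[prefix] = pol.advertise.set_community
    return sent

LOCAL_PREFIXES: Set[Prefix] = {"203.0.113.0/24"}         # constructed customer prefix
ISP_B_KEEP_INTERNAL = frozenset({"ISP_B:keep-internal"})  # placeholder for Cogent's community

OUT_BGP_ISP_B_RMAP = RouteMap("OUT-BGP-ISP_B-RMAP",
                              lambda p: p in LOCAL_PREFIXES, ISP_B_KEEP_INTERNAL)
OUT_ISP_B_BGP_FAILOVER_RMAP = RouteMap("OUT-ISP_B-BGP-FAILOVER-RMAP",
                                       lambda p: p in LOCAL_PREFIXES, frozenset())

def exist_map_only() -> List[Conditional]:
    """The working single-branch config: one advertise-map gated on the ISP_A default."""
    return [Conditional(OUT_BGP_ISP_B_RMAP, default_route_isp_a)]

def exist_and_non_exist() -> List[Conditional]:
    """The two-branch policy from the post, modelled as two independent conditions."""
    return exist_map_only() + [
        Conditional(OUT_ISP_B_BGP_FAILOVER_RMAP, default_route_isp_a, non_exist=True)]

WITH_ISP_A_DEFAULT: Set[Prefix] = {"0.0.0.0/0", "203.0.113.0/24"}   # ISP_A up
WITHOUT_ISP_A_DEFAULT: Set[Prefix] = {"203.0.113.0/24"}             # ISP_A default withdrawn

if __name__ == "__main__":
    for label, table in (("ISP_A up  ", WITH_ISP_A_DEFAULT), ("ISP_A down", WITHOUT_ISP_A_DEFAULT)):
        print(label, "exist-map only:", advertisements(LOCAL_PREFIXES, table, exist_map_only()))
        print(label, "both branches: ", advertisements(LOCAL_PREFIXES, table, exist_and_non_exist()))
```

With the single branch the dictionary is empty as soon as the default is gone; with both branches the prefix is still sent, now without the keep-internal community, which is the failover behaviour the post is after.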
Re: [c-nsp] BGP Multihomed Selective/Conditional Advertisement
Tom,

Instead of not advertising a certain prefix, there is another alternative using BGP communities which are recognized by your upstream providers. Take a look at what Cogent supports for example (better ask them for the official list...):
http://www.onesc.net/communities/as174/

You could play with the local pref communities or the no-export ones. It's not the full answer, but just another idea...

Let me know if you are still stuck...

Arie

-----Original Message-----
From: Tom Kacprzyński
Sent: Friday, October 24, 2008 23:07 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] BGP Multihomed Selective/Conditional Advertisement

> I have been trying to figure out how to do this and maybe someone will be able to help me out. I have two ISP connections, ISP ATT and ISP Cogent. [...]
Re: [c-nsp] BGP Multihomed Selective/Conditional Advertisement
Arie,

Thank you for your response. In my situation, where everything is normal, I am actually sending their specific communities for them not to advertise my route to their peers. My only problem is how to change that automatically when my default route from ATT goes away (ATT circuit goes down and I'm in a failover situation)?

Thank you,

-----Original Message-----
From: Arie Vayner (avayner)
Sent: Fri 10/24/2008 6:03 PM
To: Kacprzynski, Tomasz; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] BGP Multihomed Selective/Conditional Advertisement

> Tom,
>
> Instead of not advertising a certain prefix, there is another alternative using BGP communities which are recognized by your upstream providers. [...]
Re: [c-nsp] ME3400
On Fri, Oct 24, 2008 at 11:18 AM, Marko Milivojevic [EMAIL PROTECTED] wrote:

On Fri, Oct 24, 2008 at 11:31, David Curran [EMAIL PROTECTED] wrote:

We use them as a sort of port replicator for routers like the 7206 where we need a few more ethernet ports. Rock solid little box. The UNI/NNI port configuration is slightly odd but I can see the benefit in a metro application. We're using the ME6524 for our metro stuff though. Doesn't have the same restrictions as the ME-3400.

Speaking of ME-6500. Does it have LAN or WAN ports? In other words, does it have decent QoS?

All LAN ports. 8 of the ports, the backbone ports, have no oversubscription and more queues, but it's not like OSM, ES-20 or similar WAN ports. VLAN significance is global among all ports, but VLAN translation can do some tricks to improve that.

Rubens
Re: [c-nsp] BGP Multihomed Selective/Conditional Advertisement
If it's purely just for failover (i.e. you don't want to get billed for traffic down your failover link while your active is up) then why not just send the community:

174:70   Set customer route local preference to 70

This will make them use ATT's path until the ATT link goes down.

Ben

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Saturday, 25 October 2008 9:48 AM
To: [EMAIL PROTECTED]; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] BGP Multihomed Selective/Conditional Advertisement
Re: [c-nsp] 3750 stack vs 4507R-E?
Hello Chris:

On 10/23/08 3:50 PM, Chris Gauthier [EMAIL PROTECTED] wrote:

Hi,

That's where part of my difficulty lies. Our SAN traffic is going to be increasing over time, currently using 4 individual 1GB Copper links, not including the 2x1GB links each server requires. Additionally, we have VoIP phones to consider (ShoreTel) and lots of SMB/HTTP/SQL traffic. Since I work in more of a financial-type organization, multimedia is not really a priority at this time. We also are going paperless by using a SQL-based document imaging/management system. Finally, we have a few (12) office workstations and a printer for the IT Staff in the Data Center. So, I'm not exactly sure how to answer your question and Cisco has a dizzying array of switches for a multitude of purposes. Choosing the right one is very difficult. I hope this information helps.

I would really recommend getting in touch with someone working in sales in the Data Center group in Cisco (that's not the exact name, but it's close). They have some newer stuff coming out now that might be a perfect fit for you with the SAN and other traffic. I know talking to the sales folks can be painful, but they do have an eye into the new stuff and will bring forces to bear from an engineering perspective to help you get it right. Granted, they will also sell you 1.5 times what you need, but you can always scale down whatever they recommend. :-)

Regards,
Mike
Re: [c-nsp] BGP Multihomed Selective/Conditional Advertisement
Ah, my apologies, I should have read your original email; your problem is a little trickier than that. After having read your original one though, I believe you could probably do this with an event manager task used to watch logging for BGP neighbour failure; you could trigger it to modify your export community and do a "clear ip bgp x.x.x.x out".

Ben

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ben Steele
Sent: Saturday, 25 October 2008 10:44 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] BGP Multihomed Selective/Conditional Advertisement
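Ben's EEM approach written out as an added Cisco IOS configuration example (constructed for this thread, not configuration posted by Ben, Tom or Cisco): when the ATT session drops, the applet swaps the outbound route-map toward Cogent from the restricted one to an unrestricted one and triggers an outbound refresh, and a second applet reverts it when ATT comes back. Assumed values: RFC 5737 documentation addresses for the two neighbors, AS 64496 as the local AS, 203.0.113.0/24 as the announced prefix, and 174:NNN as a placeholder for Cogent's "do not announce to peers" community, which has to come from their published list.

```cisco
! Constructed example, not configuration from the thread. Neighbor addresses are
! RFC 5737 documentation space; 174:NNN is a placeholder for Cogent's
! "do not announce to peers" community (take the real value from their list).
ip prefix-list OUR-PREFIX seq 5 permit 203.0.113.0/24
!
! Normal state: announce our prefix to Cogent tagged so it stays inside AS174.
route-map TO-COGENT-NORMAL permit 10
 match ip address prefix-list OUR-PREFIX
 set community 174:NNN
!
! Failover state: same prefix, no restricting community, so Cogent announces it
! to its peers while the ATT session is down.
route-map TO-COGENT-FAILOVER permit 10
 match ip address prefix-list OUR-PREFIX
!
router bgp 64496
 neighbor 198.51.100.1 remote-as 7018
 neighbor 198.51.100.1 description ATT
 neighbor 192.0.2.1 remote-as 174
 neighbor 192.0.2.1 description Cogent
 neighbor 192.0.2.1 route-map TO-COGENT-NORMAL out
!
! On the ATT session dropping, swap the outbound policy and push an outbound
! route refresh so Cogent receives the re-tagged prefix immediately.
event manager applet ATT-DOWN
 event syslog pattern "%BGP-5-ADJCHANGE: neighbor 198.51.100.1 Down"
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "router bgp 64496"
 action 4.0 cli command "neighbor 192.0.2.1 route-map TO-COGENT-FAILOVER out"
 action 5.0 cli command "end"
 action 6.0 cli command "clear ip bgp 192.0.2.1 out"
 action 7.0 syslog msg "ATT down: Cogent export switched to TO-COGENT-FAILOVER"
!
! Revert once the ATT session is back up.
event manager applet ATT-UP
 event syslog pattern "%BGP-5-ADJCHANGE: neighbor 198.51.100.1 Up"
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "router bgp 64496"
 action 4.0 cli command "neighbor 192.0.2.1 route-map TO-COGENT-NORMAL out"
 action 5.0 cli command "end"
 action 6.0 cli command "clear ip bgp 192.0.2.1 out"
 action 7.0 syslog msg "ATT up: Cogent export switched back to TO-COGENT-NORMAL"
```

The ADJCHANGE message only says the session dropped, so a reset that reconnects within seconds flips the policy twice and sends two route refreshes to Cogent; tracking the ATT default route itself with an `ip route` track object and EEM's `event track` detector is a steadier trigger.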