Re: [c-nsp] 12000 SIP-401: datasheet typo?
On Wed, Oct 29, 2008 at 19:56, Pete Templin [EMAIL PROTECTED] wrote:
> The datasheet says the 401 is compatible with 120xx, 124xx, and 128xx.
> The datasheet says the 501 and 601 are OK with 124xx and 128xx.
> Does the 401 work in a 120xx as an Engine 5?

Yes, a 401 can be used in a 120xx. 501 and 601 require a 10G (or better) fabric, i.e. are only supported in a 124xx or a 128xx.

-- Pelle
___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] acess-list
I think that what Adrian was asking, and it's something I would also like to know, is: let's suppose I have an acl for vty 0 4 and another acl for vty 5 15

acl for 0 4 allows access to x.x.x.x
acl for 5 15 allows access to y.y.y.y

How can I, as a y.y.y.y client, be sure I connect to a vty between 5 and 15 and not fall into a denied 0 to 4? If I'm the only one that tries to connect, by default I'll fall in vty 0; if I'm denied there but allowed in 5 to 15, will I be derived to there as a fallback? Or is there a way I can force my connection to fall in vty 5 and up?

Ziv

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Valentin Stoicescu
Sent: Wednesday, October 29, 2008 11:27 PM
To: adrian kok
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] acess-list

Hi,

There's no difference, just that you can configure different lines with different passwords. For your access-class, put in your access list the IPs you want to grant access to vty, and everything else is denied. Ex:

access-list 10 permit <your ip>
line vty 0 15
 access-class 10 in

adrian kok wrote:
> Hi
>
> 1/ What is the difference between line vty 0 4 and line vty 5 15
>
> how can I deny one ip to access vty? I tried both but all are not working.
> and deny all ip to access
>
> access-list 10 deny 192.168.0.10 0.0.0.0
> or
> access-list 10 deny 192.168.0.10 255.255.255.255
>
> router(config)#line vty 0 4
> router(config-line)#access-class 10 in
> router(config-line)#
>
> Thank you
Re: [c-nsp] reflexive ACL on 6500
We've been using reflexive ACLs on the 6500s for many years, in my own experience I'd recommend against it, unless it's absolutely your only choice. We use reflexive ACLs on the SVIs and it just doesn't scale very well. You're better off purchasing a couple FWSMs or some real firewalls to get the job done.

Cisco announced the end of support for the IOS Firewall feature set for the 6500 over a year ago. 12.2SXF is the last release that supports it according to the announcement. The FWSM is the recommended alternative:

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_end-of-life_notice0900aecd8067a132.html

(and as far as I ever figured out this and one other document was the only place the additional license feature code was documented as being necessary to legally run the IOS firewall on the 6500 in the first place.)
[c-nsp] Client DHCP Server
Gents,

I have a customer facing a problem that his end-user WiFi routers are issuing IP addresses! I'm under the impression that this could be stopped by the DHCP snooping binding configurations in the ISP end. Any ideas?

Best Regards,
Mohammed Dado
Technical Support Engineer - EMEA
Airspan Communications Ltd
Re: [c-nsp] Bulk Cisco Device Prep
I didn't make a script for that, just several templates with some fields at the top with some keywords to be replaced with the proper value (ip, mask, hostname, vlan...) and a simple search and replace. Simple to use with any text editor. But anyway, I would like to try your script too :D

On Wed, 29-10-2008 at 16:23 +, Rupert Finnigan wrote:
> Hi All,
>
> I'm looking into various ways to prep Cisco devices, based on an existing template, so they can be configured and deployed by technical, but non-cisco people. I'm either thinking about a Perl script that generates a file based on a couple of fill in the blanks, that can be accessed via TFTP when the vanilla device first boots, or a .NET app that talks directly to the console port and applies the config as if it were typed.
>
> There must be a number of guys on this list that have to deploy a large number of devices, Routers or Switches, that follow a core config with only a minor change here or there (ie, VTP Domain, or Management IP).. I'd be very interested to hear how you do this, or if you've got any pointers.
>
> And, if the finished product would be of any use to someone, I'll gladly send the source over!
>
> Thanks,
> Rupert
[c-nsp] Restricting VLANs on 802.1q Tunnel Port
Guys

Consider a scenario: if I'm using 802.1q tunnel service to carry customer VLANs and want to allow only 10, 11 & 12 VLANs from CE (by restricting it on UPE port). Is this possible on ME3400 with Metro Access IOS?

While there is a command available (that we usually used on trunk port) i.e.

interface FastEthernet0/5
 switchport access vlan 264
 switchport mode dot1q-tunnel
 *switchport trunk allowed vlan 10-12*

But this doesn't work. Is there any workaround available?

Regards
Fahad
[c-nsp] std acl funnies
I just had to share this.

q: can host 42.42.42.42 telnet to the router?

#conf term
ip access-list standard foo
 permit 10.0.0.0 0.255.255.255
 deny any log
line vty 0 15
 access-class foo in
end
ip access-list standard foo
 permit host 42.42.42.42
end
#sh ip access-list foo
Standard IP access list foo
    30 permit 42.42.42.42
    10 permit 10.0.0.0, wildcard bits 0.255.255.255
    20 deny   any log

Answer is yes, 42.42.42.42 can telnet to the router and it's expected and documented[0]. IOS still manages to surprise me on issues I thought to be trivial and thoroughly understood :).

[0] http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#editacls
'The major difference in a standard access list is that the Cisco IOS adds an entry by descending order of the IP address, not on a sequence number.'

-- ++ytti
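The surprise in the post above, as an added example that is not part of the original post: a Python script that parses `show ip access-list` output for a standard ACL, evaluates a source address first-match in the displayed order (assumed here to be the order IOS evaluates, as the post's result implies), and reports where that verdict differs from reading the entries by sequence number. The function names are hypothetical; the sample output is the one quoted in the post.

```python
import ipaddress
import re

# Sample input: the `sh ip access-list foo` output quoted in the post.
SHOW_OUTPUT = """\
Standard IP access list foo
    30 permit 42.42.42.42
    10 permit 10.0.0.0, wildcard bits 0.255.255.255
    20 deny   any log
"""

ENTRY_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+"
    r"(?P<addr>any|\d+\.\d+\.\d+\.\d+)"
    r"(?:,\s*wildcard bits\s+(?P<wild>\d+\.\d+\.\d+\.\d+))?"
)


def parse_standard_acl(show_output):
    """Return the ACL entries in the order they are displayed."""
    entries = []
    for line in show_output.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header line or anything that is not an entry
        if m.group("addr") == "any":
            addr, wild = 0, 0xFFFFFFFF
        else:
            addr = int(ipaddress.IPv4Address(m.group("addr")))
            wild = int(ipaddress.IPv4Address(m.group("wild"))) if m.group("wild") else 0
        entries.append({
            "seq": int(m.group("seq")),
            "action": m.group("action"),
            "addr": addr,
            "wild": wild,
        })
    return entries


def first_match(entries, source_ip):
    """First entry matching source_ip, or None (the implicit deny)."""
    src = int(ipaddress.IPv4Address(source_ip))
    for entry in entries:
        care = ~entry["wild"] & 0xFFFFFFFF  # bits the wildcard does not ignore
        if (src & care) == (entry["addr"] & care):
            return entry
    return None


def is_permitted(entries, source_ip):
    entry = first_match(entries, source_ip)
    return entry is not None and entry["action"] == "permit"


def out_of_sequence(entries):
    """Sequence numbers of entries displayed ahead of a lower-numbered entry."""
    return [
        e["seq"] for i, e in enumerate(entries)
        if any(later["seq"] < e["seq"] for later in entries[i + 1:])
    ]


def verdict_changes(entries, probe_ips):
    """Probe addresses whose verdict differs between displayed order and
    the order a reader would assume from the sequence numbers."""
    by_seq = sorted(entries, key=lambda e: e["seq"])
    return [ip for ip in probe_ips
            if is_permitted(entries, ip) != is_permitted(by_seq, ip)]


if __name__ == "__main__":
    acl = parse_standard_acl(SHOW_OUTPUT)
    print("entries displayed out of sequence:", out_of_sequence(acl))
    for ip in ("42.42.42.42", "10.1.2.3", "192.0.2.1"):
        print(ip, "permit" if is_permitted(acl, ip) else "deny")
    print("verdict differs from sequence-number reading:",
          verdict_changes(acl, ["42.42.42.42", "10.1.2.3", "192.0.2.1"]))
```

Run against saved `show ip access-list` output after any change to a standard ACL used in an access-class; a non-empty `out_of_sequence` result means the entry was not appended where its sequence number suggests.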
[c-nsp] EIGRP flapping
Hi Guys,

This is our setup. We have two 6500 series with Sup2's with 4 1gig bundled links in an etherchannel trunk configuration. Both have the same VLAN interfaces with HSRP configured for the various VLANs. EIGRP is configured and is establishing neighbours on each VLAN.

We are having a weird problem where the CPU will jump to 100% only briefly and EIGRP will flap every 5 seconds for these connected routes. We suspected that there might be something flakey about the etherchannel configuration but no errors or transitions are noticeable with the etherchannel bundle or any of the physical interfaces.

What is confusing is why the EIGRP routes are flapping every 5 seconds.. Isn't the normal hello timer meant to be 5 seconds and shouldn't the switches wait 3x Hello before declaring the EIGRP neighbours down? Maybe the multicasts are causing the CPU spikes??

Anyone experienced similar issues?

Cheers,
Aaron.
Re: [c-nsp] acess-list
On Thu, 2008-10-30 at 10:36 +0200, Ziv Leyes wrote:
> I think that what Adrian was asking, and it's something I would also like to know, is: let's suppose I have an acl for vty 0 4 and another acl for vty 5 15
> acl for 0 4 allows access to x.x.x.x
> acl for 5 15 allows access to y.y.y.y
> How can I, as a y.y.y.y client, be sure I connect to a vty between 5 and 15 and not fall into a denied 0 to 4? If I'm the only one that tries to connect, by default I'll fall in vty 0; if I'm denied there but allowed in 5 to 15, will I be derived to there as a fallback?

The router allocates the VTY from 0 and onwards, so the first person connecting gets VTY 0, next one VTY 1 and so on.

There are practically no security benefits in having different ACLs on different VTYs. It is trivial for an attacker to starve e.g. VTY 0 - 4 so he can connect to VTY 5. In my eyes: Always treat every VTY the same.

> Or is there a way I can force my connection to fall in vty 5 and up?

There's a trick with rotary-groups you might find useful. If you assign a line to a rotary group, this line is accessible on port (3000 + group). This way you can reach a specific VTY by using another port.

line vty 6
 rotary 3010
!

You can assign several lines to the same rotary group and they will be allocated serially. (Unless you choose them to be round robin selected.)

Regards,
Peter
Re: [c-nsp] acess-list
Peter Rathlev wrote:
> The router allocates the VTY from 0 and onwards, so the first person connecting gets VTY 0, next one VTY 1 and so on.
>
> There are practically no security benefits in having different ACLs on different VTYs. It is trivial for an attacker to starve e.g. VTY 0 - 4 so he can connect to VTY 5. In my eyes: Always treat every VTY the same.

What about the reverse logic, putting a tighter ACL on higher VTYs? I've heard of this as a safety valve: if too many connections are open to a router, the last few connections have to come from a key point.

pt
Re: [c-nsp] Restricting VLANs on 802.1q Tunnel Port
You cannot control what vlans are allowed on a QinQ interface as the dot1q-tunnel port does not see those vlans. It only pushes a vlan tag on the outside of the ethernet frame, with no regard to the already existing vlan tags. It can be considered an access port that does not override the existing vlan tags.

You would have to do that filtering on the trunk port on the other side of the QinQ tunnel.

Regards
Allan

On Thu, Oct 30, 2008 at 10:47 AM, FAHAD ALI KHAN [EMAIL PROTECTED] wrote:
> Guys
>
> Consider a scenario: if I'm using 802.1q tunnel service to carry customer VLANs and want to allow only 10, 11 & 12 VLANs from CE (by restricting it on UPE port). Is this possible on ME3400 with Metro Access IOS?
>
> While there is a command available (that we usually used on trunk port) i.e.
>
> interface FastEthernet0/5
>  switchport access vlan 264
>  switchport mode dot1q-tunnel
>  *switchport trunk allowed vlan 10-12*
>
> But this doesn't work. Is there any workaround available?
>
> Regards
> Fahad
Re: [c-nsp] Network Management
Zenoss by far!

You can also read my own pain on systems like this at: http://www.spinthiras.net/2008/07/17/network-monitoring/

Hope zenoss fits your setup.

Regards,
Mario
Re: [c-nsp] acess-list
On Thu, 2008-10-30 at 07:31 -0500, Pete Templin wrote:
> What about the reverse logic, putting a tighter ACL on higher VTYs? I've heard of this as a safety valve: if too many connections are open to a router, the last few connections have to come from a key point.

Agreed, that's not a bad idea. We had a range of 7304s that had problems with VTY lines getting stuck, and had reserved 14-15 to only be reachable from a workstation not normally used for administration, thus being able to clear the lower lines once in a while. (We ended up using SNMP for the clearing though.)

You would still keep the base line access rather tight I assume. The access security of the box is equal to the security of the most insecure access method.

Regards,
Peter
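A check for the VTY layouts discussed in this thread, as an added example that is not from any of the posts: a Python script that reads a saved IOS configuration, maps every VTY number to its inbound access-class, and reports lines with no ACL and line ranges that use different ACLs (which may be a deliberate safety valve as described above, so it is reported for review rather than treated as an error). The function names and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample: the layout from the original question, where the
# access-class is applied to vty 0 4 only and vty 5 15 is left without one.
SAMPLE_CONFIG = """\
access-list 10 permit 192.0.2.10
line con 0
line vty 0 4
 access-class 10 in
 login
line vty 5 15
 login
"""

LINE_VTY_RE = re.compile(r"^line vty (\d+)(?: (\d+))?\s*$")
ACCESS_CLASS_RE = re.compile(r"^\s+access-class (\S+) in\b")


def parse_vty_access(config):
    """Map each VTY number to its inbound access-class name (None if absent)."""
    vty_acl = {}
    current = []  # VTY numbers covered by the block being read
    for line in config.splitlines():
        m = LINE_VTY_RE.match(line)
        if m:
            first = int(m.group(1))
            last = int(m.group(2)) if m.group(2) else first
            current = list(range(first, last + 1))
            for n in current:
                vty_acl.setdefault(n, None)
            continue
        if line and not line[0].isspace():
            current = []  # any other top-level command ends the vty block
            continue
        m = ACCESS_CLASS_RE.match(line)
        if m:
            for n in current:
                vty_acl[n] = m.group(1)
    return vty_acl


def ranges(nums):
    """Render sorted integers compactly, e.g. [5, 6, 7, 9] -> '5-7, 9'."""
    spans = []
    for n in nums:
        if spans and n == spans[-1][1] + 1:
            spans[-1][1] = n
        else:
            spans.append([n, n])
    return ", ".join(str(a) if a == b else f"{a}-{b}" for a, b in spans)


def unprotected_vtys(vty_acl):
    return sorted(n for n, acl in vty_acl.items() if acl is None)


def audit(config):
    """Return human-readable findings for the vty lines in a config."""
    vty_acl = parse_vty_access(config)
    findings = []
    open_lines = unprotected_vtys(vty_acl)
    if open_lines:
        findings.append(f"vty {ranges(open_lines)}: no inbound access-class")
    by_acl = {}
    for n in sorted(vty_acl):
        if vty_acl[n] is not None:
            by_acl.setdefault(vty_acl[n], []).append(n)
    if len(by_acl) > 1:
        detail = "; ".join(f"ACL {acl} on vty {ranges(v)}"
                           for acl, v in sorted(by_acl.items()))
        findings.append(f"different ACLs in use ({detail}): "
                        "review each, access is as open as the loosest one")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```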
[c-nsp] EARL_L2_ASIC-SP-4-DBUS_HDR_ERR
Hi,

Any idea if this is a bad thing? We've seen it three times on a 7600 just upgraded from SUP720 to RSP720.

Oct 29 02:12:24.672 MET: %EARL_L2_ASIC-SP-4-DBUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0xB88D0E3D
Oct 29 02:18:32.549 MET: %EARL_L2_ASIC-SP-4-DBUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0xB88D0E3D
Oct 30 02:20:54.044 MET: %EARL_L2_ASIC-SP-4-DBUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0xB88D0E3D

Thanks,
-- Regards Christian Bering
Re: [c-nsp] EARL_L2_ASIC-SP-4-DBUS_HDR_ERR
Hi

We had a similar error in conjunction with an es20 and a RSP720. We had to replace the ES20 card because it suddenly stopped forwarding L2 traffic.

Jul 11 17:08:17.212: %EARL_L2_ASIC-DFC1-4-DBUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0xB08D0EBD
Jul 12 10:47:29.625: %EARL_L2_ASIC-DFC1-4-DBUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0xB08D0EBD
Jul 12 16:11:52.394: %EARL_L2_ASIC-DFC1-4-DBUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0xB08D0EBD
Jul 12 20:56:26.952: %EARL_L2_ASIC-DFC1-4-DBUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0xB08D0EBD
Jul 13 06:08:40.319: %EARL_L2_ASIC-DFC1-4-DBUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0xB08D0EBD
Jul 13 13:05:10.710: %FABRIC_INTF_ASIC-DFC1-5-FABRICSYNC_DONE: Fabric ASIC 0 Channel 1: Fabric sync done.
Jul 13 13:05:10.520: %FABRIC-SP-6-TIMEOUT_ERR: Fabric in slot 5 reported timeout error for channel 0 (Module 1, fabric connection 0)
Jul 13 20:39:35.491: %EARL_L2_ASIC-DFC1-4-DBUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0xB08D0EBD

Regards
Benjamin Conconi
Telecom Engineer
Nordostschweizerische Kraftwerke AG (NOK)
Netz - Nachrichtenwege/Telefon - Parkstrasse 23 - 5401 Baden
056/200 36 31 (internal 933 36 31) F 056/200 38 10
www.axpo.ch - [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Christian Bering
Sent: Thursday, October 30, 2008 2:52 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] EARL_L2_ASIC-SP-4-DBUS_HDR_ERR

Hi,

Any idea if this is a bad thing? We've seen it three times on a 7600 just upgraded from SUP720 to RSP720.

Oct 29 02:12:24.672 MET: %EARL_L2_ASIC-SP-4-DBUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0xB88D0E3D
Oct 29 02:18:32.549 MET: %EARL_L2_ASIC-SP-4-DBUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0xB88D0E3D
Oct 30 02:20:54.044 MET: %EARL_L2_ASIC-SP-4-DBUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0xB88D0E3D

Thanks,
-- Regards Christian Bering
Re: [c-nsp] EARL_L2_ASIC-SP-4-DBUS_HDR_ERR
Same here, we have had several RMAs due to this. One thing I've noticed is that HW revision 1.2 cards have never developed this problem. TAC has neither confirmed nor denied any relation between the issue and HW revision.

In one of the cases it was invalid ethertype on the frames IIRC - ELAM capture would help you find out what causes the issue in your case.

-- deejay
[c-nsp] RS232 to TCP/IP
Hi,

we need to send serial data from a PC with an RS232 interface over IP/TCP to a server. This was done with X.25 over Sat before. Is there any solution to use pure IP to transport this data?

Cheers
Anton

Anton Schweitzer
Senior Specialist BS Projekt Service Customer Design
o2 (Germany) GmbH Co.OHG
Georg Brauchle-Ring 23-25, D-80992 München
Tel +49(0)89-2442-5794
Mobile +49(0)176-23407715
Fax +49(0)89-2442-4281
[EMAIL PROTECTED]

Telefónica o2 Germany GmbH Co. OHG • Georg-Brauchle-Ring 23-25 • 80992 München • Germany • www.o2.com/de
VAT ID no. DE 811 889 638. Amtsgericht München (Munich District Court) HRA 70343. Partners: Telefónica o2 Germany Management GmbH, Amtsgericht München HRB 109061, and Telefónica o2 Germany Verwaltungs GmbH, Amtsgericht München HRB 121389, both at the same address. Managing directors of both partners: Jaime Smith Basterra (chairman), Antonio Botas Banuelos, Andrea Folgueiras, André Krause, Lutz Schüler, Carsten Wreth.
Re: [c-nsp] RS232 to TCP/IP
Check this out:

http://www.cisco.com/en/US/tech/tk801/tk36/technologies_configuration_example09186a0080160c4d.shtml

2008/10/30 [EMAIL PROTECTED]
> Hi,
>
> we need to send serial data from a PC with a rs232 Interface over IP/TCP to a Server. This was done with X.25 over Sat before. Is there any Solution to use pure IP to transport this Data
>
> Cheers
> Anton
>
> Anton Schweitzer
> Senior Specialist BS Projekt Service Customer Design
> o2 (Germany) GmbH Co.OHG
[c-nsp] Lightstream Alternative
Hi List,

we're currently using a Cisco Lightstream ATM-Switch in one of our PoPs. We would like to replace the Lightstream. Our goal would be to get a combination of router and ATM-Switch. Is there any Cisco product which could do this?

Thanks

Regards
Sebastian Ganschow
Re: [c-nsp] RS232 to TCP/IP
We've used a couple of these for remote microwave radio interfaces. They have a virtual serial port driver Windows/Linux or can go head-to-head and use IP transport to carry the serial data. They seem to work very well.

http://www.moxa.com/product/NPort_5110.htm

Charlie

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, October 30, 2008 8:33 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] RS232 to TCP/IP

Hi,

we need to send serial data from a PC with a rs232 Interface over IP/TCP to a Server. This was done with X.25 over Sat before. Is there any Solution to use pure IP to transport this Data

Cheers
Anton

Anton Schweitzer
Senior Specialist BS Projekt Service Customer Design
o2 (Germany) GmbH Co.OHG
Re: [c-nsp] OSPF fast hellos
On Thu, Oct 30, 2008 at 08:06:36AM +1030, Ben Steele wrote:
> Because I couldn't see bfd support for 3750's, best it can do is UDLD, otherwise that would be my preferred method.
>
> Are you advising against fast hello's?

No totally.

> Have you seen many issues with people using them?

Yes. They have to be scheduled on the CPU as a process and that is more variable because IOS is run to completion, except for pseudo preemption added for BFD. Even that isn't 100% bullet proof but it's better than OSPF fast hellos from that perspective.

> -----Original Message-----
> From: Rodney Dunn [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 29 October 2008 11:41 PM
> To: Ben Steele
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] OSPF fast hellos
>
> Why don't you use BFD instead. It's designed with something called pseudo preemption from an OS scheduler perspective that helps reduce false positives and the fact that BFD frames are handled under interrupt and not process scheduled for rx/tx.
>
> Rodney
>
> On Wed, Oct 29, 2008 at 04:09:45PM +1030, Ben Steele wrote:
> > Anyone currently using this in a fairly demanding environment? Ie 5-10Gbs+ Campus/DC model.
> >
> > Curious as to whether you've had any/many false dead peers with such a short interval, subsecond dead peer detection does sound very tempting though.
> >
> > Cheers
> > Ben
[c-nsp] single to double tag translation
Hi - we have cisco 7609 and need to map single tags into dual tags like this:

tag 100 in -> 100:100 out
tag 101 in -> 100:101 out
tag 102 in -> 100:102 out
tag 200 in -> 200:200 out
tag 201 in -> 200:201 out
tag 202 in -> 200:202 out

So in essence we need to prepend a tag to the original tag according to the above mapping. Traffic is coming in on a single interface and going out on a single interface.

This is on CEF720 48 port 10/100/1000mb Ethernet WS-X6748-GE-TX card. Sw version is 12.2(33)SRC

Is there any way to do this? Please note that we can't use EVC context in this mode as we have this older card.

Thanks,
Marlon
Re: [c-nsp] RS232 to TCP/IP
[EMAIL PROTECTED] wrote:
> we need to send serial data from a PC with a rs232 Interface over IP/TCP to a Server. This was done with X.25 over Sat before. Is there any Solution to use pure IP to transport this Data

Try a terminal server. I use them for that kind of stuff all the time.

I suppose you could use a serial print server to rig up something similar, but the terminal server will be easy right out of the box.

Peace...
Sridhar
[c-nsp] IOS and Calea Feature Set
I'm working on improving my CALEA compliance here. One of the big things I need to handle is better extraction of frames out of several cisco routers we have scattered around our network.

Today, we handle our CALEA requests by using a span/mirroring port on a switch plugged into a CALEA collection device which conforms to the WISPA CALEA standard. That way, we can capture all of the internet and most of the on-network traffic, but not quite 100% since traffic which never leaves the border router doesn't ever exit the border router so it can't be captured for Law Enforcement.

It looks like the IP Traffic Export would allow me to basically use the tools we already have in place for this. But, I also am looking at the CALEA features in the later IOS'es. Unfortunately, the documentation is written in CALEA-speak, which makes for confusing reading, especially when you are trying to figure out what pieces you need to make this work.

I'm curious if someone on-list has gotten the CALEA features to work in a Broadband provider setting, and if so, if they could perhaps point me in the right direction as far as what pieces we need (aka specific products instead of functions) other than the Cisco router w/CALEA features?

-forrest
Re: [c-nsp] RS232 to TCP/IP
On Thu, 30 Oct 2008, [EMAIL PROTECTED] wrote:
> we need to send serial data from a PC with a rs232 Interface over IP/TCP to a Server. This was done with X.25 over Sat before. Is there any Solution to use pure IP to transport this Data

Can't you just run PPP (without a modem) over the serial link?

-- Antonio Querubin
whois: AQ7-ARIN
Re: [c-nsp] RS232 to TCP/IP
On Thursday 30 October 2008 11:32:47 [EMAIL PROTECTED] wrote:
> Hi, we need to send serial data from a PC with a rs232 Interface over IP/TCP to a Server. This was done with X.25 over Sat before. Is there any Solution to use pure IP to transport this Data

I use the SitePlayer Telnet device for this; less than $100 US and works both for IP->RS-232 and RS-232->IP; a pair of them can work as a really good RS-232 extension over the LAN, too. See http://www.siteplayer.com/telnet/index.html

Can use PoE, too. I've got a couple of dozen of these in production, and they work great.

-- Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
http://www.pari.edu
Re: [c-nsp] Lightstream Alternative
> On Thu, Oct 30, 2008 at 05:35:11PM +0100, Sebastian Ganschow wrote:
> > we're currently using a Cisco Lightstream ATM-Switch in one of our PoPs. We would like to replace the Lightstream. Our goal would be to get a combination of router and ATM-Switch. Is there any Cisco product which could do this?
>
> No (and maybe maybe). There was the 8510. Which you don't want (because it's end-of-everything, and even before that, it was a really bad box). Or the cat5500 with the ATM card - which effectively is a LS1010 on a line card for the catalyst. But the cat5500 is end-of-everything.

Yea... That was lng time ago...

> So - as far as I know, there is no such box from Cisco today.

I am not sure but it seems to me that some fancy SPA card in c7600 would do the local switching, wouldn't it?

-- -mat
Re: [c-nsp] Lightstream Alternative
Cisco MGX 8830/B Advanced ATM Multiservice Switch?

http://www.cisco.com/en/US/prod/collateral/switches/ps2346/ps5727/ps1938/ps3880/product_data_sheet09186a00800a18dc.html

I know the MGX 8830 is EOL and this should be the replacement (according to cisco)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sebastian Ganschow
Sent: Friday, 31 October 2008 5:35 a.m.
To: cisco-nsp
Subject: [c-nsp] Lightstream Alternative

Hi List,

we're currently using a Cisco Lightstream ATM-Switch in one of our PoPs. We would like to replace the Lightstream. Our goal would be to get a combination of router and ATM-Switch. Is there any Cisco product which could do this?

Thanks

Regards
Sebastian Ganschow
Re: [c-nsp] OSPF fast hellos
If you can get BFD support worked into the 3750ME, we wouldn't have to mess with OSPF fast hellos. =)

Frank

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Rodney Dunn
Sent: Thursday, October 30, 2008 12:30 PM
To: Ben Steele
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] OSPF fast hellos

On Thu, Oct 30, 2008 at 08:06:36AM +1030, Ben Steele wrote:

Because I couldn't see bfd support for 3750's, best it can do is UDLD, otherwise that would be my preferred method. Are you advising against fast hellos?

Not totally.

Have you seen many issues with people using them?

Yes. They have to be scheduled on the CPU as a process and that is more variable because IOS is run to completion, except for pseudo preemption added for BFD. Even that isn't 100% bullet proof but it's better than OSPF fast hellos from that perspective.

-----Original Message-----
From: Rodney Dunn [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 29 October 2008 11:41 PM
To: Ben Steele
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] OSPF fast hellos

Why don't you use BFD instead. It's designed with something called pseudo preemption from an OS scheduler perspective that helps reduce false positives and the fact that BFD frames are handled under interrupt and not process scheduled for rx/tx.

Rodney

On Wed, Oct 29, 2008 at 04:09:45PM +1030, Ben Steele wrote:

Anyone currently using this in a fairly demanding environment? Ie 5-10Gbs+ Campus/DC model. Curious as to whether you've had any/many false dead peers with such a short interval, subsecond dead peer detection does sound very tempting though.

Cheers
Ben

Re: [c-nsp] RS232 to TCP/IP
On Thu, 30 Oct 2008, Sridhar Ayengar wrote:

Antonio Querubin wrote:

Can't you just run PPP (without a modem) over the serial link?

That requires a non-trivial amount of compute power free on the PC.

Perhaps if you were using a software-driven modem or running an extremely high-speed serial (ie. T1) but he's using RS-232 and he's not using a modem. Even an old 386 can run a decent PPP link with VJ header compression on a 115kbaud serial link as long as it's got a decent UART. A lot of folks have done low-speed routing with Linux boxes that way years ago.

Antonio Querubin
whois: AQ7-ARIN

Re: [c-nsp] RS232 to TCP/IP
[EMAIL PROTECTED] wrote:

Hi, we need to send serial data from a PC with a rs232 Interface over IP/TCP to a Server. This was done with X.25 over Sat before. Is there any Solution to use pure IP to transport this Data?

IOS has been able to do this for at least 10 years, probably more than 15 years. look up 'autocommand' as it relates to 'line' command, e.g. what you can put on 'line aux'.

my home DSL router (an old cisco 2621) has used this to route rs232 output from my home alarm system to a linux box elsewhere in the house for literally 5+ years.

cheers,
lincoln.

Re: [c-nsp] reflexive ACL on 6500 + CoPP
I would like to complicate the original question: having enabled CoPP on the same box I've run into a situation whereby several ACEs on some reflexive ACLs stopped matching/processing. I tried removing/reapplying the ACLs, recreating them, clearing mls table, no dice. As soon as I remove CoPP they start functioning normally, as soon as I apply CoPP these same ACEs stop. This affects only reflexive ACEs, as rewriting them as 'standard' ACEs also fixes the issue.

For a while I thought the problem was caused by the CoPP transmit ceiling being set too low, and the flow setup packets that are punted to MSFC being dropped. However, changing the CoPP policy to transmit everything, for all classes, did not help. Only disabling the CoPP policy. Is there some interaction between the features?

Also, on the subject of CoPP, can anyone suggest how to go about classifying traffic and setting limits for CoPP? I've identified obvious things like routing protocols, various management tools, etc. The catch-all class still shows quite a bit of traffic, and I am stumped on how to identify what it is. I understand some of that is packets punted to MSFC, but again, how do I identify/classify them?

Thank you,
Michael

-----Original Message-----
From: Michael Malitsky
Sent: Wed 10/29/2008 9:07 PM
To: 'cisco-nsp@puck.nether.net'
Cc: Michael Malitsky
Subject: reflexive ACL on 6500

Hello,

Does anyone have any experience using reflexive ACLs on a 6500? I am having trouble finding definitive information as to the manner these are processed. One document indicates the first packet of a flow is punted to the MSFC, the rest are hardware-switched. Another says that the first packet of a flow is always punted to the MSFC, while for the rest of the flow to be switched in hardware, mls netflow has to be enabled, otherwise it's all software.

For the time being, we don't have a huge load on the box, so software/hardware path selection isn't causing a lot of grief, but I'd rather not wait until this becomes a pain point.

In addition, every so often (2-3 months) a particular ACL will stop reflecting. As in the SYN packets will go through, will show up in the reflected list, but the response packets won't be allowed through. Only one list (out of a dozen or two) at a time, and not necessarily the same list every time. The solution is to remove the list and recreate it.

We are running a 6509/Sup720 with 12.2(18)SXF. Any suggestions/experiences appreciated.

Michael

Re: [c-nsp] RS232 to TCP/IP
Also, check out these from Black Box:

http://www.blackbox.com/Store/Detail.aspx/10-100-Terminal-Servers-DB25-Male/LES4012A

Antonio Querubin
whois: AQ7-ARIN

[c-nsp] 10G 6704 and 6708
Hi,

I'm looking at 10G cards for 7600 with SUP720-3BXL (running SXF) and wanted an opinion from the list.

I've seen posts in archives and cisco datasheets and I'm aware of the differences between the 6704 and 6708 (6708 comes with 3CXL, deeper buffers, etc...). the port density on the 6708 (though not at line rate) is attractive.

no fancy features or requirements here, just plain old lan switching

anyone cares to share experiences with these cards in production ?

Thanks,
anton

Re: [c-nsp] 10G 6704 and 6708
Am currently using quite a few 6704's, some with DFC (at 3CXL spec), some without. Nothing fancy really going on, they just work, have some using CX4 and some using long range fibre, of course we are on xenpaks rather than X2's with the 6704.

The only issue I've had is a netflow bug when exporting from the DFC's (CSCsq14299) but that got fixed in SRB4.

Haven't actually had one hit 10Gb yet so can't say how well they handle congestion or really high traffic flows but certainly 5Gbs is no problem.

Ben

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of vince anton
Sent: Friday, 31 October 2008 3:54 PM
To: cisco-nsp
Subject: [c-nsp] 10G 6704 and 6708

Hi,

I'm looking at 10G cards for 7600 with SUP720-3BXL (running SXF) and wanted an opinion from the list.

I've seen posts in archives and cisco datasheets and I'm aware of the differences between the 6704 and 6708 (6708 comes with 3CXL, deeper buffers, etc...). the port density on the 6708 (though not at line rate) is attractive.

no fancy features or requirements here, just plain old lan switching

anyone cares to share experiences with these cards in production ?

Thanks,
anton

[c-nsp] Monitoring tools for MPLS VPN customers
Hi All,

We have some MPLS VPN customers waiting to come on board and have asked us about what sort of monitoring we can provide for all their sites. By monitoring I can only guess that the customer is asking us to identify when a VPN site goes down. Other desirable features might be to implement some SLA to monitor latency and round trip time for those customers who rely heavily on VoIP.

Ideally, the IT person for the organization should be doing most of this monitoring, but Management have asked me to investigate what sort of monitoring we can provide to the customer to help bring them on board.

We are currently using Cisco's MPLS Diagnostics Expert but this doesn't seem to have any proactive monitoring tool via its SLA feature. We could set up a management station within a management VRF and run some monitoring software on it which is another option.

Just curious to know what software Service Providers are using to proactively monitor their VPN customers.

Thanks.
Andy