Re: [c-nsp] Netconf (over SSHv2) in SXI

2009-02-03 Thread Phil Mayers

On Tue, Feb 03, 2009 at 07:11:13AM +, Jeffrey Ollie wrote:

This piqued my interest, so I whipped up a quick program to do some
testing.  I've attached the resulting program, which when run against
my 6500 running 12.2(33)SXI produces a copy of the running config.

Some things I observed:


Yep, those match my observations.


The script is in Python, and you'll need the Paramiko (SSHv2) and lxml


I used Twisted & a Nevow web UI, but it seems Python is popular ;o)


<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:netconf:base:1.0" message-id="101">
 <data>
   <cli-config-data-block>!


Yeah - note that the cli-config-data-block element is not namespaced 
here. I suspect the netconf XML parser/generator is just broken in SXI.  
I'm going to bug TAC later today - it's either a software or docs bug.

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Channelized OC3 for 7206VXR

2009-02-03 Thread Marcus.Gerdon
Hi,

the PA-MC-STM1 can be configured for SDH or SONET framing on the controller, 
below which the TUG structure (I don't know what that's called in SONET) is 
configured. As far as I know (I've only done SDH for some time), when switching to 
SONET we're in the OCx world.

I've no installed PA at hand without links connected, so maybe someone can 
simply try what can be configured when in SONET mode?

regards,

Marcus
 

 -Original Message-
 From: cisco-nsp-boun...@puck.nether.net 
 [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Gert Doering
 Sent: Monday, 2 February 2009 18:47
 To: Justin M. Streiner
 Cc: cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] Channelized OC3 for 7206VXR
 
 Hi,
 
 On Mon, Feb 02, 2009 at 11:29:42AM -0500, Justin M. Streiner wrote:
  That particular card does not support channelized 
 operation.  It's also 
  end-of-life.  I'm not aware of a channelized OC3 port 
 adapter for the 7200 
  series.
 
 For whatever reason, there is a channelized STM-1 which goes 
 down to E1,
 but no channelized OC3 indeed.
 
 gert
 -- 
 USENET is *not* the non-clickable part of WWW!

 //www.muc.de/~gert/
 Gert Doering - Munich, Germany 
 g...@greenie.muc.de
 fax: +49-89-35655025
 g...@net.informatik.tu-muenchen.de
 


Re: [c-nsp] Initiating Connections to VPN Clients

2009-02-03 Thread Allan Eising
On Tue, Feb 3, 2009 at 3:54 AM, Aaron Riemer arie...@wesenergy.com.au wrote:
 Hi guys,

 I am trying to work out why I cannot initiate connections to our VPN
 clients. ICMP seems to be okay and I can see that there is nothing in
 the log indicating the connections are denied. What could I be missing
 here? Connections inbound from the VPN clients work flawlessly.

 Thanks for any suggestions,

 Aaron.




How is the server part of your vpn configured? Do you use dynamic maps?
Could you post the relevant configuration here?

Regards,

Allan


[c-nsp] How secure are VLANs and VRFs?

2009-02-03 Thread nasir.shaikh
Hi,
I am looking for some studies/papers to convince my customer (and
myself) that VLANs can be as secure as physical segments and VRFs also
provide a secure segregation of traffic. A few years back I came across
a post referring to a document on the FBI or the NSA site stating that
VLANs were deemed just as secure as physical wires. 
 
I am sure that there are Service Providers offering an Internet VRF over
their MPLS cloud or enterprises with unfiltered Internet vrf on a
campus. How do you convince a customer about the security of a vrf?

Any references will be appreciated 

Nasir Shaikh 
CCIE #15845 | Senior Consultant | BT | Global Professional Services | E:
nasir.sha...@bt.com | http://www.bt.com/consulting




[c-nsp] ASA 5520 Remote Access VPN

2009-02-03 Thread Eimantas Zdanevičius

Hi all,

I have configured a VPN on an ASA 5520 (software version 7.2). The VPN client 
connects to the ASA and says everything is OK, but I cannot ping any computer 
in the inside network.


asa is working in router mode, single context. No nat on inside or 
outside interface


hostname(config)# interface ethernet0
hostname(config-if)# ip address 10.10.4.200 255.255.0.0
hostname(config-if)# nameif outside
hostname(config-if)# no shutdown
hostname(config)# interface ethernet1
hostname(config-if)# ip address 10.10.1.200 255.255.0.0
hostname(config-if)# nameif inside
hostname(config-if)# no shutdown
hostname(config)# isakmp policy 1 authentication pre-share
hostname(config)# isakmp policy 1 encryption 3des
hostname(config)# isakmp policy 1 hash sha
hostname(config)# isakmp policy 1 group 2
hostname(config)# isakmp policy 1 lifetime 43200
hostname(config)# isakmp enable outside
hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15
hostname(config)# username testuser password 12345678
hostname(config)# crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
hostname(config)# tunnel-group testgroup type ipsec-ra
hostname(config)# tunnel-group testgroup general-attributes
hostname(config-general)# address-pool testpool
hostname(config)# tunnel-group testgroup ipsec-attributes
hostname(config-ipsec)# pre-shared-key 44kkaol59636jnfx
hostname(config)# crypto dynamic-map dyn1 1 set transform-set FirstSet
hostname(config)# crypto dynamic-map dyn1 1 set reverse-route
hostname(config)# crypto map mymap 1 ipsec-isakmp dynamic dyn1
hostname(config)# crypto map mymap interface outside

Thanks

Eimantas


Re: [c-nsp] ASA 5520 Remote Access VPN

2009-02-03 Thread Eimantas Zdanevičius

Peter Rathlev wrote:

...

What does the log say? Where's the ACLs for the interfaces? Are you sure
the firewall isn't denying the traffic as it does default?

Regards,
Peter
  
It's hard to find anything in the log, because this is a production firewall 
and there are a lot of messages in syslog.
If I'm grepping on IP addresses (VPN client real address or VPN address) 
in syslog I can't find anything wrong.
On the outside interface I have an ACL which accepts pings from any source to 
inside interface computers, and I can ping from any computer on the 
outside to any computer on the inside. Even in ASDM real-time logging I 
can't see any message about dropping packets from the VPN tunnel.





Re: [c-nsp] ASA 5520 Remote Access VPN

2009-02-03 Thread Engelhard Labiro
 hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15

I guess this is a routing problem, since you assign 192.168.0.x to the VPN
client, which is located on a different segment from the PIX's own interface.
The PIX must respond to ARP requests for 192.168.0.10 to 15 on behalf
of the VPN client. This can be done with the proxy ARP setting on the
inside interface of the PIX... I forgot the command.
Or, if you have a router on the PIX's inside I/F, just create a route to
192.168.0.x pointing back
to your PIX's inside I/F.

HTH
Engel


[c-nsp] A little confusion: OSPF and iBGP

2009-02-03 Thread Steve Bertrand
Hi everyone,

I've got a couple of questions regarding the use of iBGP and OSPF.

I've got:

rtrA - connected to Internet, and routes some prefixes of my /21 (and v6
/32) to the infrastructure/servers

rtrB - private eBGP peering with another company, and connects some
multihome clients with eBGP (they use space from our /21 and advertise
back to us with private AS). Also has numerous prefixes from our /21 on
the client facing sides. For these clients, our edge is their default
gateway for the prefix

rtrC - connects the multihomed clients secondary connection with a lower
eBGP preference, and also has a few prefixes from the /21 for other
access clients

Currently, I use OSPF to share the loopback interface IPs, and use iBGP
for the rest.

For the prefixes at the client access edge that are put in place
statically, I advertise them to the other internal peers via iBGP. Would
it be best to leave it this way, or to put this address space into the
IGP instead, and have BGP only announce the actual eBGP learnt routes?

Also, should all of my routers have a pull-up route for the entire /21,
or just for the prefixes that they house?

Thanks,

Steve


Re: [c-nsp] ASA 5520 Remote Access VPN

2009-02-03 Thread Sigurbjörn Birkir Lárusson
If you're connecting through a natted host to the VPN you might try adding

crypto isakmp nat-traversal 30

I have a fairly similar setup to yours which works just fine.

BR,
Sibbi III



On 3.2.2009 14:33, Eimantas Zdanevičius eiman...@occ.lt wrote:

 Engelhard Labiro wrote:
 hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15
 
 
 I guess this is a routing problem, since you assign 192.168.0.x to the VPN
 client, which is located on a different segment from the PIX's own interface.
 The PIX must respond to ARP requests for 192.168.0.10 to 15 on behalf
 of the VPN client. This can be done with the proxy ARP setting on the
 inside interface of the PIX... I forgot the command.
 Or, if you have a router on the PIX's inside I/F, just create a route to
 192.168.0.x pointing back
 to your PIX's inside I/F.
 
 HTH
 Engel
   
 When the client connects to the ASA, the ASA automatically adds a route:
 S    192.168.0.10 255.255.255.255 [1/0] via default_gw, outside
 
 Eimantas



Re: [c-nsp] ASA 5520 Remote Access VPN

2009-02-03 Thread Eimantas Zdanevičius

Sigurbjörn Birkir Lárusson wrote:

If you're connecting through a natted host to the VPN you might try adding

crypto isakmp nat-traversal 30

I have a fairly similar setup to yours which works just fine.
  

This solved the problem, thanks!

Another problem is that the client sets its default gateway to the tunnel.
How can I configure only some networks to go through the tunnel?


Eimantas


[c-nsp] Multicast grooming

2009-02-03 Thread Frank Bulk
How many entries can be made with the ip igmp snooping vlan static on a
2960G?

I'm thinking of bringing in two GigE's of video and then grooming them with
that feature down to one GigE.  

Besides entries, is this feature implemented in hardware or software, such
that there might be scalability concerns, too?

Regards,

Frank



Re: [c-nsp] core OSPF configurations

2009-02-03 Thread Pete Templin

Brian Spade wrote:


What is the best way to configure OSPF to inject all 50+ SVIs into the
routing domain?

Would you configure network statements for all SVI networks and passive the
interfaces?
Would you configure OSPF on the uplink interfaces only and redistributed
connected to create type-5 externals?


If it were me, the SVIs would be announced into BGP, so that my OSPF 
world stayed small and clean.


That said, remember that the network statement(s) only have to match, 
through wildcard math, the _IP addresses_ of the interfaces to be 
included in OSPF.  If you run a single area, 'network 0.0.0.0 
255.255.255.255 area 0' is all you need.  Flipside, if you want to lock 
down OSPF to the point that shifting an interface within a subnet causes 
OSPF to drop so you can catch the culprit in the act, 'network 
10.20.30.254 0.0.0.0 area 0' matches exactly that one address (but the 
interface's correct netmask is used when inserting the route into OSPF).


pt
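To make the wildcard-matching point concrete, here is an added example (not code from the poster or from Cisco) that models how an IOS `network <address> <wildcard> area <n>` statement selects interfaces: the wildcard is compared against the interface's own address, and the prefix that enters OSPF comes from the interface's configured mask, not from the statement. The interface table and the two statement sets are constructed; the names `ospf_interfaces` and `wildcard_match` are this example's own.

```python
# Added example, not from the post. Models IOS 'network <addr> <wildcard> area <n>'
# interface selection. Interface addresses and statements below are constructed.
import ipaddress
from typing import Dict, List, Tuple

Statement = Tuple[str, str, str]   # (address, wildcard, area)
Interfaces = Dict[str, str]        # interface name -> "address/prefixlen"


def wildcard_match(ip: str, address: str, wildcard: str) -> bool:
    """Wildcard-mask semantics: a 1 bit in the wildcard is 'don't care', a 0 bit
    must match exactly. So 0.0.0.0 255.255.255.255 matches every address and a
    0.0.0.0 wildcard matches exactly one address."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(address)) & care)


def ospf_interfaces(interfaces: Interfaces,
                    statements: List[Statement]) -> Dict[str, Tuple[str, str]]:
    """Return {interface: (area, prefix announced)} for every interface whose
    address matches a network statement. Statements are tried most specific
    first (fewest wildcard bits), which is the order IOS applies them in."""
    ordered = sorted(statements,
                     key=lambda s: bin(int(ipaddress.IPv4Address(s[1]))).count("1"))
    result: Dict[str, Tuple[str, str]] = {}
    for name, cidr in interfaces.items():
        iface = ipaddress.IPv4Interface(cidr)
        for address, wildcard, area in ordered:
            if wildcard_match(str(iface.ip), address, wildcard):
                # The route carries the interface's real mask, whatever the statement said.
                result[name] = (area, str(iface.network))
                break
    return result


# Constructed sample: three SVIs plus a loopback on a hypothetical distribution switch.
SAMPLE_INTERFACES: Interfaces = {
    "Vlan10": "10.20.30.254/24",
    "Vlan20": "10.20.31.254/24",
    "Vlan30": "10.20.32.254/25",
    "Loopback0": "192.0.2.1/32",
}

# The two styles from the post: one catch-all statement, or one exact match per address.
CATCH_ALL: List[Statement] = [("0.0.0.0", "255.255.255.255", "0")]
LOCKED_DOWN: List[Statement] = [("10.20.30.254", "0.0.0.0", "0"),
                                ("192.0.2.1", "0.0.0.0", "0")]

if __name__ == "__main__":
    for label, stmts in (("catch-all", CATCH_ALL), ("locked-down", LOCKED_DOWN)):
        print(label, ospf_interfaces(SAMPLE_INTERFACES, stmts))
    # Move Vlan10 within its subnet: the exact-match statement no longer fires,
    # so the interface drops out of OSPF, which is the tripwire the post describes.
    moved = dict(SAMPLE_INTERFACES, Vlan10="10.20.30.253/24")
    print("after move", ospf_interfaces(moved, LOCKED_DOWN))
```

With the catch-all statement all four interfaces land in area 0 with their own prefixes (Vlan30 announces 10.20.32.128/25, not a /24); with the locked-down statements only Vlan10 and Loopback0 are selected, and renumbering Vlan10 to .253 removes it from OSPF entirely.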


Re: [c-nsp] reacheability issue in MEL link

2009-02-03 Thread Ahmed Mohamed
but this is an MCS (Mission Critical Site) solution,

i.e. we ordered the same circuit from the same carrier to implement the
solution in another location for resiliency, and it works fine

P.S.: at some point I had an 8% success rate over 100 pings, but after that all
dead

I told the carrier I want to have the packets transferred with dot1q
encapsulation, and they replied that they are providing a transparent
environment, regardless of whether the two ends are access or trunk

On Tue, Feb 3, 2009 at 10:06 AM, Tom Storey t...@snnap.net wrote:

 Are you sure that the two ports that face your metro ethernet provider are
 actually trunks?

 In my experience, carriers will only present access ports to end users,
 where end users are yourself and your customer.

 This means that you do not set up trunking or sub-interfaces on any of your
 and your customer's equipment; you configure access ports as well.

 It means that you can have a lot of 1:1 patching from your ethernet
 provider to your aggregation switch, but it helps your carrier protect
 their network from certain types of misconfiguration - i.e. they can't
 accidentally trunk someone else's VLAN down to you.

  Hello,
 
  this is a real-life problem still occurring, and I have no idea what may be
  causing it ..
 
  we are providing an internet direct service to our customer via MEL
  (Metro
  Ethernet Link)
 
  CE (CS-7206 VXR) fe2/0.36 --Etherlink(local
  carrier) WS-3759G-24TS--PE(CS-7000)
 
  the solution is provided using a carrier to link the customer CE to an
  aggregated switch, using Metro Ethernet
  configuring vlan 36 and using dot1q encapsulation
  then from the aggregating switch to the PE router using also
 encapsulation
  dot1q for vlan36
 
  all interfaces are up-up, and still ping fails !!
 
  I tried everything, resetting ports, switches, reconfiguring interfaces
  ..etc.
  still no joy
 
  any idea what could be causing the problem ?
 
  
  CE:
  -
  interface FastEthernet2/0.36
   bandwidth 61440
   encapsulation dot1Q 36
   ip address 57.78.2.6 255.255.255.252
  
  Agg. switch:
  --
  interface GigabitEthernet1/0/9
   switchport trunk encapsulation dot1q
   switchport trunk native vlan 3109
   switchport trunk allowed vlan 36,3109
   switchport mode trunk
   switchport nonegotiate
   duplex full
   speed 100
   mls qos trust cos
   spanning-tree bpdufilter enable
  
  PE:
  --
   interface FastEthernet5/1/1.36
   bandwidth 61440
   encapsulation dot1Q 36
   ip address 57.78.2.5 255.255.255.252
   no ip redirects
   no ip proxy-arp
   no ip route-cache
   no cdp enable
  
  bmil305#sh int FastEthernet5/1/1.36
  FastEthernet5/1/1.36 is up, line protocol is up 
  Hardware is cyBus FastEthernet Interface, address is 0003.fe91.b8a9 (bia
  0003.fe91.b8a9)
Internet address is 57.78.2.5/30
MTU 1500 bytes, BW 61440 Kbit, DLY 100 usec,
   reliability 255/255, txload 1/255, rxload 1/255
Encapsulation 802.1Q Virtual LAN, Vlan ID  36.
ARP type: ARPA, ARP Timeout 04:00:00
  
  pmil2534#sh int Fa2/0.36
  FastEthernet2/0.36 is up, line protocol is up  
Hardware is i82543 (Livengood), address is 0022.be8b.1038 (bia
  0022.be8b.1038)
Description: --- To bmil305 - FE5/1/1.5
Internet address is 57.78.2.6/30
MTU 1500 bytes, BW 61440 Kbit, DLY 100 usec,
   reliability 255/255, txload 1/255, rxload 1/255
Encapsulation 802.1Q Virtual LAN, Vlan ID  36.
  
  ping pe to CE fails:
  
  bmil305#ping 57.78.2.6   ,
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 57.78.2.6, timeout is 2 seconds:
  .
  Success rate is 0 percent (0/5)
  
  PE to internet (google) successfully:
  --
  bmil305#ping 216.239.59.147 source fast 5/1/1.36 repeat 100 size 500
  Type escape sequence to abort.
  Sending 100, 500-byte ICMP Echos to 216.239.59.147, timeout is 2 seconds:
  Packet sent with a source address of 57.78.2.5
  !!
  !!
  Success rate is 100 percent (100/100), round-trip min/avg/max = 36/40/112
  ms
  
 




Re: [c-nsp] ASA 5520 Remote Access VPN

2009-02-03 Thread Sigurbjörn Birkir Lárusson
Something along these lines if you wanted to just send 10.10.53.0/24 and
10.10.54.0/24 through the VPN tunnel

tunnel-group testgroup general-attributes
default-group-policy testpolicy

group-policy testpolicy internal
group-policy testpolicy attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value TunnelList

access-list TunnelList standard permit 10.10.53.0 255.255.255.0
access-list TunnelList standard permit 10.10.54.0 255.255.255.0

BR,
Sibbi


On 3.2.2009 15:22, Eimantas Zdanevičius eiman...@occ.lt wrote:

 Sigurbjörn Birkir Lárusson wrote:
 If you're connecting through a natted host to the VPN you might try adding
 
 crypto isakmp nat-traversal 30
 
 I have a fairly similar setup to yours which works just fine.
   
 This solved the problem, thanks!
 
 Another problem is that the client sets its default gateway to the tunnel.
 How can I configure only some networks to go through the tunnel?
 
 
 Eimantas



Re: [c-nsp] VPN PIX 6.x Translation issue

2009-02-03 Thread Tom Sutherland
have you tried global (outside) 0 interface ?


-Original Message-
From: William wil...@gmail.com
To: cisco-nsp@puck.nether.net cisco-nsp@puck.nether.net
Subject: [c-nsp] VPN PIX 6.x Translation issue
Date: Mon, 2 Feb 2009 10:57:05 -0500

Hi folks!

I currently have a PIX firewall running 6 code, the firewall has 3
interfaces, inside, outside and inside2.

At the moment I can VPN and communicate to all the hosts on the
inside, what I'd like to do is also be able to communicate with the
hosts on inside2, the security levels are:

outside: 0
inside: 100
inside2: 90

When I try to speak to inside2 hosts, I get the following error:

%PIX-3-305005: No translation group found for icmp src
outside:10.10.199.3 dst inside2:192.168.0.1 (type 8, code 0)

I'm very confused as to where I should be putting global/nat
statements... so far my setup consists of:


nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 10.10.200.0 255.255.255.0 0 0
nat (inside2) 0 access-list office_outbound_nat0_acl
nat (inside2) 1 192.168.0.0 255.255.255.0 0 0
global (outside) 1 interface

This lets both inside and inside2 hosts contact the internet via int
outside, and no nat stuff that needs to traverse VPN tunnels...

If anyone can assist/educate me on getting this working I would
appreciate it very much!

Cheers,

W



Re: [c-nsp] ASA 5520 Remote Access VPN

2009-02-03 Thread Eimantas Zdanevičius

Engelhard Labiro wrote:

hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15



I guess this is a routing problem, since you assign 192.168.0.x to the VPN
client, which is located on a different segment from the PIX's own interface.
The PIX must respond to ARP requests for 192.168.0.10 to 15 on behalf
of the VPN client. This can be done with the proxy ARP setting on the
inside interface of the PIX... I forgot the command.
Or, if you have a router on the PIX's inside I/F, just create a route to
192.168.0.x pointing back
to your PIX's inside I/F.

HTH
Engel
  

When the client connects to the ASA, the ASA automatically adds a route:
S    192.168.0.10 255.255.255.255 [1/0] via default_gw, outside

Eimantas


Re: [c-nsp] ASA 5520 Remote Access VPN

2009-02-03 Thread Eimantas Zdanevičius

Alasdair Gow wrote:

Hi,

It looks like eth0 and eth1 are on the same network.
they need to be on separate networks IIRC.

Cheers,
Ally
  

Sorry about my mistake. The interfaces are on different networks;
the masks are 255.255.255.0.


Re: [c-nsp] Netconf (over SSHv2) in SXI

2009-02-03 Thread Ross Vandegrift
On Tue, Feb 03, 2009 at 08:10:18AM +, Phil Mayers wrote:
 On Tue, Feb 03, 2009 at 07:11:13AM +, Jeffrey Ollie wrote:
 This piqued my interest, so I whipped up a quick program to do some
 testing.  I've attached the resulting program, which when run against
 my 6500 running 12.2(33)SXI produces a copy of the running config.
 
 Some things I observed:
 
 Yep, those match my observations.
 
 The script is in Python, and you'll need the Paramiko (SSHv2) and lxml
 
 I used Twisted  a Nevow web UI, but seems python is popular ;o)

FWIW, I've been working on NETCONF software in python for JUNOS (see a
recent j-nsp thread about my frustrations...) and have the beginnings
of a library for generating and parsing NETCONF documents in Python
with lxml.

It's got all JUNOS centric stuff, so it won't be too much help as-is,
but if you're interested let me know.

 <rpc-reply xmlns="urn:ietf:params:netconf:base:1.0" message-id="101">
  <data>
    <cli-config-data-block>!
 
 Yeah - note that the cli-config-data-block element is not namespaced 
 here. I suspect the netconf XML parser/generator is just broken in SXI.  
 I'm going to bug TAC later today - it's either a software or docs bug.

Well, in an XML sense, it's taken the default namespace provided by
the rpc-reply tag.  So that is urn:ietf:params:netconf:base:1.0:data.
I don't know if there's a data element defined by NETCONF, so I can't
speak to the well-formedness of the above XML, only its validity.

Ross

-- 
Ross Vandegrift
r...@kallisti.us

If the fight gets hot, the songs get hotter.  If the going gets tough,
the songs get tougher.
--Woody Guthrie
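To make the namespace point concrete, here is an added example (not code from Jeffrey, Phil or Ross; it uses the standard library's `xml.etree.ElementTree` rather than Jeffrey's lxml so it runs without extra packages) that parses a reply shaped like the one quoted above and reports the namespace each element resolved to. The reply text and the CLI body inside it are constructed. It shows that `cli-config-data-block` inherits the default namespace from `rpc-reply`, and, for contrast, what a block that really is un-namespaced (`xmlns=""`) looks like to the parser; the function names are this example's own.

```python
# Added example, not from the thread. Parses a NETCONF <rpc-reply> shaped like the
# quoted SXI output and reports which namespace each element ended up in.
import xml.etree.ElementTree as ET
from typing import Dict, Optional

NETCONF_NS = "urn:ietf:params:netconf:base:1.0"

# Constructed sample, modelled on the fragment quoted in the thread. The CLI text
# inside cli-config-data-block is a made-up stand-in for a running config.
SAMPLE_REPLY = b"""<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:netconf:base:1.0" message-id="101">
 <data>
   <cli-config-data-block>!
hostname constructed-6500
!
end
</cli-config-data-block>
 </data>
</rpc-reply>"""

# Constructed contrast: a block that really is *not* namespaced. xmlns=""
# undeclares the default namespace for that subtree.
SAMPLE_UNNAMESPACED = SAMPLE_REPLY.replace(
    b"<cli-config-data-block>", b'<cli-config-data-block xmlns="">')


def parse_reply(raw: bytes) -> ET.Element:
    """Parse reply bytes (bytes, not str, so the declaration's encoding is honoured).
    The stdlib expat-based parser does not resolve external entities."""
    return ET.fromstring(raw)


def element_namespaces(root: ET.Element) -> Dict[str, Optional[str]]:
    """Map each element's local name to the namespace the parser resolved for it.
    ElementTree spells a namespaced tag as '{uri}local'; a bare tag has none."""
    result: Dict[str, Optional[str]] = {}
    for el in root.iter():
        if el.tag.startswith("{"):
            uri, local = el.tag[1:].split("}", 1)
            result[local] = uri
        else:
            result[el.tag] = None
    return result


def running_config(root: ET.Element) -> str:
    """Return the CLI text, looking the block up by its fully qualified name.
    Searching for the bare tag would miss it, because it sits in the NETCONF
    default namespace inherited from <rpc-reply>."""
    block = root.find(".//{%s}cli-config-data-block" % NETCONF_NS)
    if block is None:
        raise ValueError("no cli-config-data-block in the NETCONF namespace")
    return block.text or ""


if __name__ == "__main__":
    root = parse_reply(SAMPLE_REPLY)
    print("message-id:", root.get("message-id"))
    for name, uri in element_namespaces(root).items():
        print("%-22s -> %s" % (name, uri))
    print(running_config(root))
    print(element_namespaces(parse_reply(SAMPLE_UNNAMESPACED))["cli-config-data-block"])
```

On the constructed reply all three elements report `urn:ietf:params:netconf:base:1.0`, which is Ross's reading of the fragment; only the `xmlns=""` variant yields an element with no namespace, and the qualified lookup in `running_config` then fails, which is the practical reason to search by qualified name rather than bare tag.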


Re: [c-nsp] ASA 5520 Remote Access VPN

2009-02-03 Thread Sigurbjörn Birkir Lárusson
Not unless you configure RRI, see

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809d07de.shtml

BR,
Sibbi


On 3.2.2009 14:33, Eimantas Zdanevičius eiman...@occ.lt wrote:

 Engelhard Labiro wrote:
 hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15
 
 
 I guess this is a routing problem, since you assign 192.168.0.x to the VPN
 client, which is located on a different segment from the PIX's own interface.
 The PIX must respond to ARP requests for 192.168.0.10 to 15 on behalf
 of the VPN client. This can be done with the proxy ARP setting on the
 inside interface of the PIX... I forgot the command.
 Or, if you have a router on the PIX's inside I/F, just create a route to
 192.168.0.x pointing back
 to your PIX's inside I/F.
 
 HTH
 Engel
   
 When the client connects to the ASA, the ASA automatically adds a route:
 S    192.168.0.10 255.255.255.255 [1/0] via default_gw, outside
 
 Eimantas



Re: [c-nsp] ASA 5520 Remote Access VPN

2009-02-03 Thread Peter Rathlev
On Tue, 2009-02-03 at 11:12 +0200, Eimantas Zdanevičius wrote:
 I have configured a VPN on an ASA 5520 (software version 7.2). The VPN client 
 connects to the ASA and says everything is OK, but I cannot ping any computer 
 in the inside network.
 
 asa is working in router mode, single context. No nat on inside or 
 outside interface
 
...

What does the log say? Where's the ACLs for the interfaces? Are you sure
the firewall isn't denying the traffic as it does default?

Regards,
Peter


Re: [c-nsp] A little confusion: OSPF and iBGP

2009-02-03 Thread Mark Tinka
On Tuesday 03 February 2009 09:31:49 pm Steve Bertrand 
wrote:

 For the prefixes at the client access edge that are put
 in place statically, I advertise them to the other
 internal peers via iBGP. Would it be best to leave it
 this way, or to put this address space into the IGP
 instead, and have BGP only announce the actual eBGP
 learnt routes?

Best to keep your IGP carrying only your Loopbacks, and iBGP 
handling your customer prefixes.

Doing this affords you the filtering capabilities of BGP and 
allows you to operationalize your routing policy better.

 Also, should all of my routers have a pull-up route for
 the entire /21, or just for the prefixes that they house?

Normally, I'd recommend the aggregates be originated by a 
very stable device in the network. We do this using our 
route reflectors, and change the NEXT_HOP attribute of the 
aggregates to point to the Null/Discard interface on all 
peripheral routers.

These edge routers would then be configured to re-announce 
the aggregates to remote eBGP peers (customers, transit 
providers, public/private peers, e.t.c.).

For customer aggregation edge routers, prefixes used to 
assign /30 (/126 for v6, or whatever you use for this 
purpose) point-to-point addresses, as well as assignments 
for their own use on their LANs, from your own blocks, 
would be included in your iBGP running on these routers. 
Typically, we assign whole /24s or more for this purpose, 
and announce a shorter block within our network; this keeps our 
iBGP table as small as possible (can't have little /30s or 
/126s running around in your iBGP, now can you :-)).

So far, you seem to be on the right track.

Cheers,

Mark.



Re: [c-nsp] A little confusion: OSPF and iBGP

2009-02-03 Thread Steve Bertrand
Mark Tinka wrote:
 On Tuesday 03 February 2009 09:31:49 pm Steve Bertrand 
 wrote:

Thanks for the feedback Mark,

 For customer aggregation edge routers, prefixes used to 
 assign /30 (/126 for v6, or whatever you use for this 
 purpose) point-to-point addresses, as well as assignments 
 for their own use on their LANs, from your own blocks, 
 would be included in your iBGP running on these routers. 
 Typically, we assign whole /24s or more for this purpose, 
 and announce a shorter block within our network; this keeps our 
 iBGP table as small as possible (can't have little /30s or 
 /126s running around in your iBGP, now can you :-)).

So far, I seem to be doing ok then, less the ability to aggregate the /30's.

At first, I allocated space for /30's from a reserved space for only
that purpose, and have this reserved space on both the inside, and
outside of the edge routers (and have to have the little /30's floating
around).

That's easy enough to rectify at this point by renumbering my
intra-router links, so thank you for pointing that out :)

Steve


[c-nsp] Cisco MARS vs. Q1 Qradar - and other vendors

2009-02-03 Thread Dean Perrine
Does anyone have some input on security event correlation systems?

Currently reviewing Cisco MARS vs. Q1 Labs QRadar.

Environment information:
Very large DMVPN, IPS's, FW's, CSM.

Thanks,

==
Dean Perrine


Re: [c-nsp] VPN PIX 6.x Translation issue

2009-02-03 Thread Peter Rathlev
On Tue, 2009-02-03 at 12:30 -0500, Tom Sutherland wrote:
 have you tried global (outside) 0 interface ?

Huh? A global-0? What does that do? Does it explicitly _not_ translate
to the interface address of the outside interface? ;-)

Regards,
Peter




Re: [c-nsp] Cisco MARS vs. Q1 Qradar - and other vendors

2009-02-03 Thread Peter Rathlev
On Tue, 2009-02-03 at 12:20 -0800, Dean Perrine wrote:
 Does anyone have some input on security event correlation systems?
 
 Currently reviewing Cisco MARS vs. Q1 Labs QRadar.

We have a MARS-110 and I must frankly say I'm not impressed. The system
needs a _lot_ of training to be useful and the built in templates aren't
worth much in my eyes. (We've had 10 people take the MARS training
course and even then only a couple of us find it at most marginally
useful.)

My personal conclusion is that a combination of SEC, NFsen and a few
scripts parsing logfiles etc. are an easier, cheaper and better way of
accomplishing event correlations. It's (relatively) easy to do the
visualisations in a similar way to what MARS does by feeding GraphViz
with input from either CDP (L2-topology) or your IGP or BGP
(L3-topology).

Of course this means you have to love using these tools and you need to
have several people on staff with the relevant skills. CS-MARS could be
the right thing as an almost turn key solution.
 
 Environment information:
 Very large DMVPN, IPS's, FW's, CSM.

The integration from CS-MARS towards many other Cisco products would be
the one maybe strong point.

I'd say let the people having to work with it make the decision. :-)

Regards,
Peter




[c-nsp] Cisco switch FLP

2009-02-03 Thread Pierre Lamy
One of my fellow engineers needs to understand auto-advertise and
autoneg with regards to Cisco switches.

Can anyone confirm that hard-coded speed/duplex settings on a generic
modern Cisco switch will not prevent the switch port from sending fast
link pulses advertising the switch port's hard-coded speed/duplex
settings, so that the device at the other end will be able to bring up a
link if the remote device itself does not send out FLP?


Pierre


Re: [c-nsp] Cisco switch FLP

2009-02-03 Thread Mikael Abrahamsson

On Tue, 3 Feb 2009, Pierre Lamy wrote:

 Can anyone confirm that hard-coded speed/duplex settings on a generic
 modern Cisco switch will not prevent the switch port from sending fast
 link pulses advertising the switch port's hard-coded speed/duplex
 settings, so that the device at the other end will be able to bring up a
 link if the remote device itself does not send out FLP?


Generic behaviour is that if you hard-code both speed and duplex, the switch
stops advertising to the other end using autoneg.

So 100/full fixed at one end and the other end set to auto/auto will result
in that end thinking it is speaking to a hub that doesn't do autoneg; it'll
detect the 100, but will go to 100/half.

There is recent hw from the past 1-2 years that can advertise
capabilities even when fixed, but it has to be configured in another
way.


--
Mikael Abrahamsson    email: swm...@swm.pp.se


[c-nsp] Ethernet to ATM local connect

2009-02-03 Thread MKS
Hi there

Is there a cisco platform / sw out there that can do the following (the
critical part being _second-dot1q_)?

interface gig3/1.10
 encapsulation dot1q 10 second-dot1q 2

interface atm2/0/0
 pvc 0/400 l2transport
 encapsulation aal5

connect atm-ethvlan atm2/0/0 0/400 gigabitethernet3/1.10 interworking ethernet

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fslocal.html#wp1096615

Regards
MKS


[c-nsp] Ring Protocol

2009-02-03 Thread harbor235
I am looking to deploy an Ethernet Ring topology in a campus. The ring is to
connect multiple buildings via a high speed 10G backbone. Does Cisco offer any
products in this area? The ONS is too expensive, looking for something smaller
that is Ethernet based.


mike


Re: [c-nsp] show dsl int atm 0

2009-02-03 Thread Sigurbjörn Birkir Lárusson
Moving the Target Noise Margin or whatever it is called in your DSLAM is a
better plan.  

Interleaving has far more to do with sync stability, i.e. it allows the
router some time to respond to changes in the line quality before losing
the sync; it also increases latency.  The more interleaving time you allow,
the greater the latency, but then again, better sync stability.

I would use both, interleave at a low setting, and a higher target noise
margin if you're running sensitive services such as IPTV over the line.

4ms interleave + 9dB target noise margin should leave the line relatively
stable.  If you find the maximum sync speed of the line moves below your set
minimum to offer the service when you're at 9dB (the higher the target noise
margin the lower the sync speed), the line probably isn't good enough to
offer the service to begin with.

BR,
Sibbi


On 2.2.2009 09:56, Tim Franklin t...@pelican.org wrote:

 Ziv Leyes wrote:
 
 Setting interleave in the DSLAM will do automatically what I proposed
 before, lowering the speed of the link in order to improve line
 quality.
 
 Be careful with what you mean by speed in this instance.  Interleaving
 typically increases latency, rather than reducing bandwidth.
 
 Regards,
 Tim.
 



Re: [c-nsp] Cisco switch FLP

2009-02-03 Thread Gert Doering
Hi,

On Tue, Feb 03, 2009 at 04:35:26PM -0500, Pierre Lamy wrote:
 Can anyone confirm that hard-coded speed/duplex settings on a generic
 modern Cisco switch will not prevent the switch port from sending fast
 link pulses advertising the switch port's hard-coded speed/duplex
 settings, so that the device at the other end will be able to bring up a
 link if the remote device itself does not send out FLP?

It will autoneg 100M, but it will usually result in a duplex mismatch.

Don't hardcode ports unless you know for sure that you need it (because
you connect to a Cisco 7200 with PA-FE or the like).

gert

--
USENET is *not* the non-clickable part of WWW!
                                                      //www.muc.de/~gert/
Gert Doering - Munich, Germany                        g...@greenie.muc.de
fax: +49-89-35655025                    g...@net.informatik.tu-muenchen.de



Re: [c-nsp] Ring Protocol

2009-02-03 Thread Rubens Kuhl
A little bird from C whispered to me the following:

I'd take a look at the ME-4924-10GE device (REP supports ~50ms
failover), as well as this you have support for it on the larger devices
like the 7600.

4924 support for REP started in 12.2(44)SG -
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps4324/product_bulletin_c25_468227.html

7600 has supported REP since 12.2(33)SRC -
http://www.cisco.com/en/US/docs/ios/lanswitch/configuration/guide/lsw_cfg_rep.html

I stand corrected.


Rubens

On Tue, Feb 3, 2009 at 10:06 PM, Rubens Kuhl rube...@gmail.com wrote:
 I don't think Cisco currently has a 10G ethernet ring offer. It
 might come up when REP (Resilient Ethernet Protocol) gets implemented
 in the 6500 IOS. It was supposed to be on SXI, but that didn't happen.
 If 2G is enough, ME-3400G-12CS-x with 4 SFP uplinks might do Gigabit
 Etherchannel, perhaps?

 Outside of Cisco-land, Extreme, Foundry and Force 10 seem to have
 currently shipping solutions.


 Rubens



 On Tue, Feb 3, 2009 at 9:21 PM, harbor235 harbor...@gmail.com wrote:
 I am looking to deploy an Ethernet Ring topology in a campus. The ring is to
 connect multiple buildings via a high speed 10G backbone. Does Cisco offer any
 products in this area? The ONS is too expensive, looking for something smaller
 that is Ethernet based.


 mike




Re: [c-nsp] Fast UDLD timers in SXI?

2009-02-03 Thread David Hughes


Yup, that's exactly the situation.  STP will work around some of the
problem caused by this but if you are presenting an etherchannel over
multiple xconnects you can't pick up the link failure of part of the
etherchannel without UDLD.  We did some initial proof of concepts with
2900s running 2 second timers and it was great.  Imagine the look on
my face when we found out that 6500s don't have the functionality of a
$1,000 access switch.


So, is the config option on SXI still 7 seconds at best?


Thanks

David
...


On 03/02/2009, at 7:45 PM, Thomas Dupas wrote:


I assume it's a L2 link (EoMPLS), so BFD won't help much.

We're in the same situation, also stuck with UDLD timers and 2
parallel EoMPLS xconnects. I can't get the convergence lower than 20
seconds with the default UDLD, so I'm also hoping for fast UDLD.


Best Regards,

Thomas


From: cisco-nsp-boun...@puck.nether.net [cisco-nsp-boun...@puck.nether.net] on behalf of Gert Doering [g...@greenie.muc.de]
Sent: Tuesday, 3 February 2009 8:15
To: David Hughes
CC: Cisco NSP (E-mail)
Subject: Re: [c-nsp] Fast UDLD timers in SXI?

Hi,

On Tue, Feb 03, 2009 at 04:30:50PM +1000, David Hughes wrote:

Can someone verify if 12.2(33)SXI offers fast UDLD timers (i.e. down
to 1 second) or if we are still stuck with the old 7 sec timers.  We
can do 1 sec UDLD on 2900 class switches so I hope we see it in the
premier switching platform some time soon.  We need some way to pick
up a link failure at the far end of an EoMPLS xconnect in a reasonable
time.


Can you use BFD?

(Yes, this is not answering your question - I don't know the answer - but
it might be an alternative approach if this is a layer 3 link)

gert
--
USENET is *not* the non-clickable part of WWW!
                                                      //www.muc.de/~gert/
Gert Doering - Munich, Germany                        g...@greenie.muc.de
fax: +49-89-35655025                    g...@net.informatik.tu-muenchen.de




Re: [c-nsp] Ring Protocol

2009-02-03 Thread Rubens Kuhl
I don't think Cisco currently has a 10G ethernet ring offer. It
might come up when REP (Resilient Ethernet Protocol) gets implemented
in the 6500 IOS. It was supposed to be on SXI, but that didn't happen.
If 2G is enough, ME-3400G-12CS-x with 4 SFP uplinks might do Gigabit
Etherchannel, perhaps?

Outside of Cisco-land, Extreme, Foundry and Force 10 seem to have
currently shipping solutions.


Rubens



On Tue, Feb 3, 2009 at 9:21 PM, harbor235 harbor...@gmail.com wrote:
 I am looking to deploy an Ethernet Ring topology in a campus. The ring is to
 connect multiple buildings via a high speed 10G backbone. Does Cisco offer any
 products in this area? The ONS is too expensive, looking for something smaller
 that is Ethernet based.


 mike



Re: [c-nsp] Ring Protocol

2009-02-03 Thread harbor235
Thank you for all your replies, that was exactly what I was looking for.

mike

On Tue, Feb 3, 2009 at 7:37 PM, Rubens Kuhl rube...@gmail.com wrote:

 A little bird from C whispered to me the following:

 I'd take a look at the ME-4924-10GE device (REP supports ~50ms
 failover), as well as this you have support for it on the larger devices
 like the 7600.

 4924 support for REP started in 12.2(44)SG -
 http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps4324/product_bulletin_c25_468227.html

 7600 has supported REP since 12.2(33)SRC -
 http://www.cisco.com/en/US/docs/ios/lanswitch/configuration/guide/lsw_cfg_rep.html

 I stand corrected.


 Rubens

 On Tue, Feb 3, 2009 at 10:06 PM, Rubens Kuhl rube...@gmail.com wrote:
  I don't think Cisco currently has a 10G ethernet ring offer. It
  might come up when REP (Resilient Ethernet Protocol) gets implemented
  in the 6500 IOS. It was supposed to be on SXI, but that didn't happen.
  If 2G is enough, ME-3400G-12CS-x with 4 SFP uplinks might do Gigabit
  Etherchannel, perhaps?
 
  Outside of Cisco-land, Extreme, Foundry and Force 10 seem to have
  currently shipping solutions.
 
 
  Rubens
 
 
 
  On Tue, Feb 3, 2009 at 9:21 PM, harbor235 harbor...@gmail.com wrote:
  I am looking to deploy an Ethernet Ring topology in a campus. The ring is
  to connect multiple buildings via a high speed 10G backbone. Does Cisco
  offer any products in this area? The ONS is too expensive, looking for
  something smaller that is Ethernet based.
 
 
  mike



Re: [c-nsp] reacheability issue in MEL link

2009-02-03 Thread Engelhard Labiro
 i told the carrier i want to have the packets transferred with dot1q
 encapsulation, and they replied that they are providing a transparent
 environment, regardless of whether the two ends are access or trunk

Does your carrier support 802.1QinQ or something alike that is able to
transport your dot1q tag?
http://www.ippacket.org/blog/archives/2004/08/ieee_8021q-in-q.html
Just FYI, we have a CE router (7206VXR) with a trunking port to the provider's PE.
This is working without problem here, YMMV.


[c-nsp] MPLS QoS question about the HOSE model

2009-02-03 Thread Andy Saykao
Hi All,

I'm continuing to try and understand QoS a little better in relation to
applying it to our MPLS VPN network but it seems the more I read about
it the more I'm confused. Not to mention the lack of configuration
examples out there.

I understand that we can provide two QoS solutions for MPLS VPN
customers.

1/ Guaranteed BW at ingress/egress (also known as the HOSE model).
2/ Full QoS deployment with varying class of service based on IPP and/or
DSCP.

In relation to solution 1, I'm not really clear about guaranteeing the
bandwidth at the ingress/egress. Is the bandwidth guarantee in regards
to the physical link connecting the CE to the PE? Or are we giving the
customer a guarantee on the PE to P link (which would make more sense to
me)?

[ CE ] --- 2M/2M --- [ PE ] --- [ P ]

Imagine if the customer had a 2M/2M SHDSL connection into the SP's MPLS
network, are we able to for example guarantee an ICR of 256K and an ECR of
512K? And why would we do this when the customer would expect to be
able to send/receive up to 2M because that's what they're paying for.

My thinking is probably flawed, so if anybody could clear up my
misconceptions about the hose model, that would be great!

Thanks.

Andy




Re: [c-nsp] ASA 5520 Remote Access VPN

2009-02-03 Thread Eimantas Zdanevičius

Sigurbjörn Birkir Lárusson wrote:

Something along these lines if you wanted to just send 10.10.53.0/24 and
10.10.54.0/24 through the VPN tunnel

tunnel-group testgroup general-attributes
default-group-policy testpolicy

group-policy testpolicy internal
group-policy testpolicy attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value TunnelList

access-list TunnelList standard permit 10.10.53.0 255.255.255.0
access-list TunnelList standard permit 10.10.54.0 255.255.255.0

BR,
Sibbi

This perfectly sets routes for the specified networks.
But how do I disable the default gateway setting on the VPN client?

If I go to ASA ASDM > Configuration > VPN > Default Tunnel Gateway it says:

To configure default tunnel gateway, go to Static Route.

I have two static routes configured:

S    aaa.bbb.ccc.ddd 255.255.255.255 [1/0] via 10.10.1.2, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 10.10.4.254, outside