Re: [c-nsp] WS-6500-SFM insertion into production box, much of an impact?
On Mon, 2009-02-09 at 10:26 +1030, Ben Steele wrote:
> I'm looking for some info on the insertion of a SFM into a live 6500 (Sup2 obviously), can't seem to find any info on Cisco as to the consequences this may have to traffic flowing through the Bus at the time (ie dropped packet rates),

Just to chime in with more non-certain knowledge: when doing OIR the box does a bus stall AFAIK. This happens between when the pins start connecting and when all pins are connected. If this were to not cause any lost packets, the modules would have to buffer while the bus stall is in effect and retransmit whatever was on the wire when it happened. I don't think they do.

Regards,
Peter

___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] setting source address for icmp messages
I believe that with a little bit of local PBR and NAT magic it can be done. I'm sure I've done it in the past for traceroute time-exceeded/port-unreachable locally generated messages. But I don't know if it's worth the hassle.

--
Tassos

Oliver Boehmer (oboehmer) wrote on 09/02/2009 09:27:
> Mike wrote on Monday, February 09, 2009 00:28:
>> No. I am trying to ensure that if the router ever emits icmp messages like 'destination host unreachable', 'icmp frag needed' and the like, that I'm using a public routed ip and not some random flavor of the week ip related to whatever interface the router thinks is closer to the problem.
>
> I don't think this can be done..
>
> oli
Re: [c-nsp] WS-6500-SFM insertion into production box, much of an impact?
Thanks for all the replies, personally I'm thinking it will be a few second hiccup like you often get with OIR then on its way again, but the fact I'm changing how the underlying switch fabric works with this makes it more interesting... I've scheduled an outage for this Sunday evening so I will let you all know how it goes.

Cheers
Ben

On Mon, Feb 9, 2009 at 7:37 PM, Peter Rathlev pe...@rathlev.dk wrote:
> On Mon, 2009-02-09 at 10:26 +1030, Ben Steele wrote:
>> I'm looking for some info on the insertion of a SFM into a live 6500 (Sup2 obviously), can't seem to find any info on Cisco as to the consequences this may have to traffic flowing through the Bus at the time (ie dropped packet rates),
>
> Just to chime in with more non-certain knowledge: when doing OIR the box does a bus stall AFAIK. This happens between when the pins start connecting and when all pins are connected. If this were to not cause any lost packets, the modules would have to buffer while the bus stall is in effect and retransmit whatever was on the wire when it happened. I don't think they do.
>
> Regards,
> Peter
Re: [c-nsp] setting source address for icmp messages
Oliver Boehmer (oboehmer) wrote:
> Mike wrote on Monday, February 09, 2009 00:28:
>> No. I am trying to ensure that if the router ever emits icmp messages like 'destination host unreachable', 'icmp frag needed' and the like, that I'm using a public routed ip and not some random flavor of the week ip related to whatever interface the router thinks is closer to the problem.
>
> I don't think this can be done..
>
> oli

Of course it can be done, it's just really inelegant and requires NAT, which is problematic for many.

It sure would be nice were it to be a nice feature such as control-plane NAT or an interface level command such as

ip icmp source-interface loopback10
Re: [c-nsp] setting source address for icmp messages
Joe Maimon jmai...@ttec.com wrote on Monday, February 09, 2009 13:12:
> Oliver Boehmer (oboehmer) wrote:
>> Mike wrote on Monday, February 09, 2009 00:28:
>>> No. I am trying to ensure that if the router ever emits icmp messages like 'destination host unreachable', 'icmp frag needed' and the like, that I'm using a public routed ip and not some random flavor of the week ip related to whatever interface the router thinks is closer to the problem.
>>
>> I don't think this can be done..
>>
>> oli
>
> Of course it can be done, it's just really inelegant and requires NAT, which is problematic for many.

Sorry, you are right of course, I was referring to a config knob instead of ugly/complicated NAT/PBR/etc. hacks..

> It sure would be nice were it to be a nice feature such as control-plane NAT or an interface level command such as
>
> ip icmp source-interface loopback10

that would be a nice way of doing this, a global knob sounds too scary to me..

oli
[c-nsp] Cisco 4900M and QinQ
Hi,

has anyone a working QinQ tunnel on a Cisco 4900M? I tried it in the lab with 12.2(50)SG Enterprise Services SSH and it didn't work.

Setup like this:

[Node 1]---trunk---[4900M]===dot1q-tunnel===[3550]---trunk---[Node 2]

l2protocol-tunnel enabled for cdp/stp/vtp

The symptoms were:

Node 1 has the mac-address of Node 2 in the cam table.
Node 2 DOESN'T have the mac-address of Node 1.
The cam table on the 4900M doesn't show any entries on the dot1q-tunnel interface to Node 1.

The funny thing:

Node 1 DOESN'T have a cdp neighbor entry for Node 2.
Node 2 does have a cdp neighbor entry for Node 1.

This is the opposite to the mac address symptoms. :)

Consequently a ping between the two nodes times out.

Can anyone confirm this? When I replace the 4900M with a 3550 the QinQ works instantly.

Kind Regards,
Sebastian

--
GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)

'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant
[c-nsp] Lab setup
Hi all

I want to build a lab setup for education purposes and I have 2 7206 VXR's and each of them has a PA-POS-2OC3 card. Is it somehow possible to cross-connect these cards or do I need some active equipment for this?
Re: [c-nsp] learned routes disappear
Thanks for the reply Oli.

-----Original Message-----
From: Oliver Boehmer (oboehmer) [mailto:oboeh...@cisco.com]
Sent: Monday, February 09, 2009 2:32 AM
To: Paul A; Michael K. Smith - Adhost
Cc: cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] learned routes disappear

Paul,

looks like you're preferring the route from the upstream over your customer's advertisement (for whatever reason), so it is expected that Router B is not advertising the path received from your customer/Router A. You are correct: The PfxRcd counter in show ip bgp sum only shows the best paths, you need to look at show ip bgp neighbor x.x.x.x (or show ip bgp neighbor x.x.x.x routes) to see all paths..

oli

Paul A wrote on Sunday, February 08, 2009 00:50:
> Hi Michael, it seems as I look more and more into this, mind you I'm no bgp expert, I think what is happening might be normal iBGP behavior.
>
> Here's how the network is setup. Router A (customer) which connects to router B (my router). Router B is connected to router C (my 2nd router) over iBGP. My BGP customer advertises 5 routes. The router directly connected to my customer's bgp router (Router A) shows all 5 routes when I do a (sh ip bgp sum). Router C (my 2nd router iBGP) only shows these 5 routes when I type show ip bgp sum for about 1:15 to 1:30 minutes then the routes disappear from State/PfxRcd.
>
> When I do a show ip bgp on router B for one of the received routes from router A (cust router) it says:
>
> Paths: (2 available, best #1, table Default-IP-Routing-Table)
> Multipath: iBGP
> Not advertised to any peer
>
> The second best route being from my customer (router A) and the 1st best route being from Router C (my second iBGP router)
>
> Now on Router C, where I'm confused, when I do show ip bgp for the same route I see:
>
> Paths: (2 available, best #1, table Default-IP-Routing-Table)
> Advertised to update-groups: 1
>
> Both routes being from my two upstreams on that router.
>
> My confusion is when I do a show ip bgp sum router B's neighbor address I see 5 routes under State/PfxRcd then after a minute or two they disappear. Is this normal ibgp behavior? Are the routes listed under State/PfxRcd only routes that are inserted in the routing table?
>
> From: Michael K. Smith - Adhost [mailto:mksm...@adhost.com]
> Sent: Friday, February 06, 2009 3:47 PM
> To: Paul A
> Cc: cisco-nsp@puck.nether.net
> Subject: RE: [c-nsp] learned routes disappear
>
> Hello Paul:
>
> Paul A wrote:
>> Hi, I'm having a bgp issue I can't figure out and hoping someone has run into this. I have two routers, router A and router B doing bgp. Router A is advertising 5 routes to router B, when the session 1st comes up, router B has 5 routes received from router A. After 1:15 min the learned routes on router B disappear.
>
> How are the routes getting into BGP? Are they coming in via tie-down routes in the IGP somewhere? Could it be that you have an IGP failure of some sort such that the routes are being withdrawn legitimately?
>
> Regards,
>
> Mike
Re: [c-nsp] Rancid and commercial config management tools
+1 I really like Opsware.

Ramcharan, Vijay A wrote:
> We use Opsware NAS. I haven't configured it or anything but it is quite commercial and can do nice things like configuration checks against a standard policy, notifications of config changes, config automation and things like that.
>
> Vijay Ramcharan
>
> -----Original Message-----
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Joe Loiacono
> Sent: February 05, 2009 16:57
> To: Cisco-NSP Mailing List
> Subject: [c-nsp] Rancid and commercial config management tools
>
> I realize RANCID is a great tool for keeping track of IOS changes, etc., but if a client was looking for a commercial tool that does this, what would you recommend?
>
> Thanks,
>
> Joe Loiacono
Re: [c-nsp] Rancid and commercial config management tools
I'm a huge fan of Cirrus by Solarwinds. It works very well. They integrated it into Solarwinds.. which can be either good or bad. Depends on how you look at it :) I'm not sure if you can still get a standalone version, but since it uses a sql database it's easy to backup.

On Thu, Feb 5, 2009 at 4:57 PM, Joe Loiacono jloia...@csc.com wrote:
> I realize RANCID is a great tool for keeping track of IOS changes, etc., but if a client was looking for a commercial tool that does this, what would you recommend?
>
> Thanks,
>
> Joe Loiacono

--
Jason Plank (CCIE #16560)
Re: [c-nsp] Lab setup
You can connect the cards back to back and they should work fine. Just a couple of notes:

a) Set both POS interfaces to clock source internal because there is no network clock in a back to back configuration.

b) Looks like the POM-OC3-MM and POM-OC3-SMIR optics are safe in a back to back configuration without optical pads. If you are using the POM-OC3-SMLR you will need at least 10db pads on a short fiber patch.

c) Make sure you cross over the transmit/receive on the back to back fiber patch cables.

Clinton.

Gergely Antal wrote:
> Hi all
>
> I want to build a lab setup for education purposes and I have 2 7206 VXR's and each of them has a PA-POS-2OC3 card. Is it somehow possible to cross-connect these cards or do I need some active equipment for this?
Re: [c-nsp] Lab setup
On Mon Feb 09, 2009 at 10:27:25AM -0700, Clinton Work wrote:
> a) Set both POS interfaces to clock source internal because there is no network clock in a back to back configuration.

Surely if you're connecting back to back you want clock source internal on one end, and clock source network on the other end - otherwise you've got two free running clocks which might be in sync, or might not...

Simon
Re: [c-nsp] Lab setup
Simon Lockhart wrote:
> On Mon Feb 09, 2009 at 10:27:25AM -0700, Clinton Work wrote:
>> a) Set both POS interfaces to clock source internal because there is no network clock in a back to back configuration.
>
> Surely if you're connecting back to back you want clock source internal on one end, and clock source network on the other end - otherwise you've got two free running clocks which might be in sync, or might not...

Au contraire. Each side of the POS path is separate, so both as 'clock source internal' is best.

http://www.cisco.com/en/US/tech/tk482/tk607/technologies_tech_note09186a0080094bb9.shtml

pt
Re: [c-nsp] Rancid and commercial config management tools
Eric Van Tol wrote:
> It may be worth mentioning that Solarwinds recently purchased Kiwi, and their plan is to integrate some of the Kiwi-specific features into NCM.

That sucks. Now it will become overpriced and bundled with bloatware vs the inexpensive sleek tool it once was. Might as well have been bought by a well-known 800lbs gorilla.

J
Re: [c-nsp] DHCP Binding Expiration
Manaf Al Oqlah wrote:
> Hi all,
>
> I am configuring a Cisco 7600 router as DHCP server for my broadband clients. I am using DHCP snooping and ARP inspection for security reasons and the lease time expiration is set for 30 minutes and no excluded-address is configured. The problem is that I still can see some client IP addresses whose lease expiration is Infinite in the DHCP binding! What could be the reason for this behavior and could this be some sort of attack!!

I get them too. I never have figured out what causes them. So far it hasn't been a big deal for me.

BTW, I'd recommend not using the IOS DHCP server for anything that is more than a convenience at a very small site. I would highly recommend deploying a server-based DHCP server like ISC DHCPd. Lots more bells and whistles to work with. Plus you can have redundancy with the server-based solution. The IOS DHCP server is a fairly stripped down implementation. I don't think it was intended to be used in large environments like a SP's broadband network.

Justin
Re: [c-nsp] DHCP Binding Expiration
Aren't those BOOTP clients that don't understand the concept of an expiration?

Chuck

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Justin Shore
Sent: Monday, February 09, 2009 12:51 PM
To: Manaf Al Oqlah
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] DHCP Binding Expiration

Manaf Al Oqlah wrote:
> Hi all,
>
> I am configuring a Cisco 7600 router as DHCP server for my broadband clients. I am using DHCP snooping and ARP inspection for security reasons and the lease time expiration is set for 30 minutes and no excluded-address is configured. The problem is that I still can see some client IP addresses whose lease expiration is Infinite in the DHCP binding! What could be the reason for this behavior and could this be some sort of attack!!

I get them too. I never have figured out what causes them. So far it hasn't been a big deal for me.

BTW, I'd recommend not using the IOS DHCP server for anything that is more than a convenience at a very small site. I would highly recommend deploying a server-based DHCP server like ISC DHCPd. Lots more bells and whistles to work with. Plus you can have redundancy with the server-based solution. The IOS DHCP server is a fairly stripped down implementation. I don't think it was intended to be used in large environments like a SP's broadband network.

Justin
Re: [c-nsp] DHCP Binding Expiration
Hi,

> BTW, I'd recommend not using the IOS DHCP server for anything that is more than a convenience at a very small site. I would highly recommend deploying a server-based DHCP server like ISC DHCPd. Lots more bells a

agreed - DHCP brought our 2600 series routers to their knees. a quick ISC config sorted things out - and gave us some nice bells and whistles

alan
Re: [c-nsp] Rancid and commercial config management tools
Hi,

> Eric Van Tol wrote:
>> It may be worth mentioning that Solarwinds recently purchased Kiwi, and their plan is to integrate some of the Kiwi-specific features into NCM.
>
> That sucks. Now it will become overpriced and bundled with bloatware vs the inexpensive sleek tool it once was. Might as well have been bought by a well-known 800lbs gorilla.

..and that's just Kiwi - what'll happen to Solarwinds? ;-)

alan
Re: [c-nsp] IDS Recommendations - Cisco?
Thanks very much for the reply (and other replies I got to date as well)

So, you are doing passive monitoring today - would that mean that when your IDP systems alarm that this generates an alert to your NOC for immediate investigation (on a serious issue)? I'm just wanting to understand your process a bit to see how it might fit into our plans here;)

Cheers,

Paul

-----Original Message-----
From: Ross Vandegrift [mailto:r...@kallisti.us]
Sent: Saturday, February 07, 2009 10:50 AM
To: Paul Stewart
Cc: 'Gregori Parker'; 'Cisco-nsp'
Subject: Re: [c-nsp] IDS Recommendations - Cisco?

On Fri, Feb 06, 2009 at 07:24:34PM -0500, Paul Stewart wrote:
> A good example to paint a picture here is that some of these servers are for web hosting. If a client uploads a php script (example) that has a vulnerability we would like the IDS to trip on it - again we can't have the world but that's kind of what I have in mind.

It's a good thought, but watch your session count. All of the devices have limits as to the number of sessions they can handle. When that's exhausted, expect to be offline.

I also work in hosting, and I have to say, the IDP is a great tool. But there's nothing we could find that grew in performance with the size of our installation.

> I could think of many more scenarios but at a high level I'm looking for vendor/product recommendations based on actual usage if possible.

If you know your traffic and session levels well, and you want to do inline blocking, the Juniper ISG with integrated IDP modules are pretty great tools. You use NSM to write usual firewall policy, some rules can optionally have IDP processing enabled. Very granular.

Like I said - I abandoned it. Our hosting grew much faster than their performance could. Monitoring the session and traffic levels of the blades was always awkward, and we didn't have such good ideas of our traffic/session levels.

Finally, remember that your IDP will be the weakest link in the network. A firewall is a bad enough single point of failure (ie, having a session table that can be attacked), the IDP is many times worse because of the level of processing it requires for each session. So more power to you - but be very careful, or be prepared for some pain.

All of the IDP implementations we do today are passive.

--
Ross Vandegrift
r...@kallisti.us

If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher.
--Woody Guthrie
[c-nsp] 7200VXR for Session Border Controller
Hello,

We are looking to deploy a SBC for SIP subscribers and are looking at using a 7204VXR. We are not needing transcoding facilities but simply forwarding SIP INVITES and signalling to and from a SIP server to subscribers.

The documentation regarding the setup of such a system is terse, therefore any pointers to related information or example configs would be appreciated.

Thanks,

C. Flav
Re: [c-nsp] 7200VXR for Session Border Controller
You need to look for unified border element, it used to be multiservice ip to ip gateway. There should be some basic example on the site as well. Here is the configuration guide

http://www.ciscosystems.com/en/US/docs/ios/voice/cube/configuration/guide/12_4t/vb_12_4t_book.html

Brian

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of chris.f...@yahoo.ca
Sent: Monday, 9 February 2009 19.02
To: Cisco NSP
Subject: [c-nsp] 7200VXR for Session Border Controller

Hello,

We are looking to deploy a SBC for SIP subscribers and are looking at using a 7204VXR. We are not needing transcoding facilities but simply forwarding SIP INVITES and signalling to and from a SIP server to subscribers.

The documentation regarding the setup of such a system is terse, therefore any pointers to related information or example configs would be appreciated.

Thanks,

C. Flav
Re: [c-nsp] Rancid and commercial config management tools
-----Original Message-----
From: Justin Shore [mailto:jus...@justinshore.com]
Sent: Monday, February 09, 2009 12:47 PM
To: Eric Van Tol
Cc: Cisco-NSP Mailing List
Subject: Re: [c-nsp] Rancid and commercial config management tools

Eric Van Tol wrote:
> It may be worth mentioning that Solarwinds recently purchased Kiwi, and their plan is to integrate some of the Kiwi-specific features into NCM.

That sucks. Now it will become overpriced and bundled with bloatware vs the inexpensive sleek tool it once was. Might as well have been bought by a well-known 800lbs gorilla.

J

Actually, I cannot speak in certainties, but I don't believe that this is the plan. SW has a long history of purchasing other network management products and continuing development on those product lines, while also taking the backend technology and using it to improve their existing products.

-evt
Re: [c-nsp] DHCP Binding Expiration
Church, Charles wrote:
> Aren't those BOOTP clients that don't understand the concept of an expiration?

Once when I was curious (and very bored) I tracked a couple of them down. One was a Windows XP machine and the other was a fairly new D-Link router/firewall CPE (of which we have hundreds on our network). I don't know if either of them support Bootp but I would expect this problem to come up more often if that was the case. I'm trying to think of what our customers would have on our edges that would support Bootp. Nothing comes to mind. I'm sure you can configure some older clients to do Bootp of course (Macs still support it if you intentionally configure it that way) but no major demographic comes to mind. I can certainly be missing something though.

Justin
Re: [c-nsp] DHCP Binding Expiration
Interesting. Might be fun (in a dorky networking kind of way) to look at a packet capture of it. Maybe the client doesn't like the lease time, or it's tied into DDNS somehow. I looked a bit, and found in the RFC (http://www.faqs.org/rfcs/rfc2131.html) a blurb about lease times:

> The client may ask for a permanent assignment by asking for an infinite lease. Even when assigning permanent addresses, a server may choose to give out lengthy but non-infinite leases to allow detection of the fact that the client has been retired.

I've seen those infinite leases before, never cared enough to look into it. Might be interesting to find out why though...

Chuck

-----Original Message-----
From: Justin Shore [mailto:jus...@justinshore.com]
Sent: Monday, February 09, 2009 2:11 PM
To: Church, Charles
Cc: Manaf Al Oqlah; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] DHCP Binding Expiration

Church, Charles wrote:
> Aren't those BOOTP clients that don't understand the concept of an expiration?

Once when I was curious (and very bored) I tracked a couple of them down. One was a Windows XP machine and the other was a fairly new D-Link router/firewall CPE (of which we have hundreds on our network). I don't know if either of them support Bootp but I would expect this problem to come up more often if that was the case. I'm trying to think of what our customers would have on our edges that would support Bootp. Nothing comes to mind. I'm sure you can configure some older clients to do Bootp of course (Macs still support it if you intentionally configure it that way) but no major demographic comes to mind. I can certainly be missing something though.

Justin
Re: [c-nsp] DHCP Binding Expiration
Church, Charles wrote:
> Interesting. Might be fun (in a dorky networking kind of way) to look at a packet capture of it. Maybe the client doesn't like the lease time, or it's tied into DDNS somehow. I looked a bit, and found in the RFC (http://www.faqs.org/rfcs/rfc2131.html) a blurb about lease times:
>
>> The client may ask for a permanent assignment by asking for an infinite lease. Even when assigning permanent addresses, a server may choose to give out lengthy but non-infinite leases to allow detection of the fact that the client has been retired.
>
> I've seen those infinite leases before, never cared enough to look into it. Might be interesting to find out why though...

One thing on my to do list is to figure out how to always reject lease extension requests to force the CPE to pull a new IP every time a lease expires. This would prevent many of the less technical users from trying to run a publicly-accessible server. Set the lease time to 2 hours, client tries to extend the lease at 50% of the lease (1hr) and the server NAKs. The only question is will the client continue to request the IP until the lease expires before falling back and doing a DISCOVER at the 2hr mark (interrupting the flow of traffic) or will it do a bcast DISCOVER in response to the NAK and immediately switch to the new IP once it gets an OFFER 1hr before the original lease expires, thus interrupting traffic again.

I've seen systems do something similar before (or at least I thought they were). When I first got Cox CATV I could only keep my IP for about a day before it changed. One way to mitigate the flow of traffic problem would be to grant short lease extensions automatically until the wee hours of the morning and then force the change. Something to think about. It's on my list right behind setting up an OSS walled garden and convincing the boss to replace our 7 different DHCP provisioning systems with CNR. Oh, and finishing my IPv6 deployment.

Thanks for the info

Justin
[c-nsp] Hello
Hello everyone
Re: [c-nsp] DHCP Binding Expiration
Hi,

> expires. This would prevent many of the less technical users from trying to run a publicly-accessible server. Set the lease time to 2

default TCP inbound deny works wonders for this. Or, even crueller, NAT

> I've seen systems do something similar before (or at least I thought they were). When I first got Cox CATV I could only keep my IP for about a day before it changed. One way to mitigate the flow of traffic problem would be to grant short lease extensions automatically until the wee hours of the morning and then force the change. Something to think about.

you can flush/destroy the DHCP binding table - it'll have the same effect (good fun - all those PCs set to print to the IP address that the printer got when it was installed then have to be reconfigured etc)

> systems with CNR. Oh, and finishing my IPv6 deployment.

DHCPv6 or router solicited?

alan
[c-nsp] VRF and BGP ?
I am running 12.2.SXI on a 6500 with sup-720. I currently have 3 full BGP peers with two on I1 and one on I2. I now need a fourth peer with ESNet (gov ISP) but only allow two /22 nets from Princeton U. access to ESNet.

My dilemma is how to only let the two nets see the additional ESNet routes so that no other host on campus will try and use the ESNET routes and fail.

I have not used the VRF feature yet, but it appears that it might do the trick if I can create a separate routing domain with just ESNet routes, and then point only the two nets to the VRF so they check the ESNet table first and if not present fall thru to the global table. I should be able to use a ROUTE-MAP to accomplish this.

From the doc it states that I can create a VRF and import routes from the global table but that means everybody will still see the routes to ESNet (I would guess anyway). Can I peer directly with the VRF without doing an import from the global table so only it has the ESNet routes?

Does anybody have any suggestions on this issue?

Thanks for any help.

Jeff Fitzwater
OIT Network Systems
Princeton University
[c-nsp] Cannot connect to ASA using ASDM software
For some reason, our new ASA 5510 series will ONLY let me connect via the web interface. Every time I try it says it is unable to read the configuration from the ASA. However, running the Java version works just fine. I'd really like to know what the problem is and why it can't load the config? Do I need to be connected via serial cable to the ASA or something?

Thanks,
John Aldrich
IT Manager, Blueridge Carpet
706-276-2001, Ext. 2233
Re: [c-nsp] DHCP Binding Expiration
Hi all,

Thank you for your help. It seems that all those hosts with infinite expiration time are devices that do not have client identifier such as D-Link, Cisco Linksys routers or Unix systems. Does it make sense?

Manaf

--
From: a.l.m.bu...@lboro.ac.uk
Sent: Monday, February 09, 2009 10:01 PM
To: Justin Shore jus...@justinshore.com
Cc: cisco-nsp@puck.nether.net; Church, Charles cchur...@harris.com
Subject: Re: [c-nsp] DHCP Binding Expiration
Re: [c-nsp] Cannot connect to ASA using ASDM software
I'm guessing you've upgraded to the latest Java version. Seems like the last one broke the ASDM partially. You can https to the ASA, and then pick the 'run applet' option. On mine, that'll spawn the ASDM executable and it works. But running the executable directly ends up doing what you're seeing. It's annoying.

Chuck

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of John Aldrich
Sent: Monday, February 09, 2009 4:37 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cannot connect to ASA using ASDM software
Re: [c-nsp] Rancid and commercial config management tools
Why not a free (not open, but no cost) tool with commercial support?
http://inventory.alterpoint.com/

BTW, what are people's opinions comparing RANCID to Network Authority Inventory (formerly known as ZipTie) in the configuration management discipline?

Rubens

On Thu, Feb 5, 2009 at 7:57 PM, Joe Loiacono jloia...@csc.com wrote:
> I realize RANCID is a great tool for keeping track of IOS changes, etc., but if a client was looking for a commercial tool that does this, what would you recommend?
>
> Thanks,
> Joe Loiacono
Re: [c-nsp] Cannot connect to ASA using ASDM software
You need to upgrade to the latest interim release of ASDM 6.1.5(57) to fix the Java issue with JRE6update11.

Brian

On 2/9/09, Church, Charles cchur...@harris.com wrote:
Re: [c-nsp] Rancid and commercial config management tools
Hi,

> BTW, what are people's opinions comparing RANCID to Network Authority Inventory (formerly known as ZipTie) in the configuration management discipline?

ooh. well, i've only used RANCID to store the configs in nice CVS control - whereas ZipTie's main claim is the pushing of configs and updating of IOS firmware via a webby interface, non?

alan
Re: [c-nsp] Need help adding a device to an existing vlan
> interface FastEthernet0/38
>  description to 1230 WAP
>  switchport access vlan 199
>  switchport trunk encapsulation dot1q
>  switchport mode trunk
>  no ip address
>  no snmp trap link-status
>  storm-control broadcast level 1.00
>  storm-control multicast level 2.00
>  storm-control unicast level 5.00
> end

This won't work. Try the following:

 switchport mode access
 no switchport trunk encap dot1q

--
Håvard Staub Nyhus
Atea AS
+47 41 88 00 99
Re: [c-nsp] Cannot connect to ASA using ASDM software
I'm still using 5.2.x ASDM, as the ASA is running 7.2.x still (both late interim releases). Hoping for a newer ASDM soon. 5.2(4)50 still is broken.

Chuck

-----Original Message-----
From: Brian [mailto:bms...@gmail.com]
Sent: Monday, February 09, 2009 5:23 PM
To: Church, Charles; John Aldrich; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cannot connect to ASA using ASDM software
Re: [c-nsp] VRF and BGP ?
I use VRF's quite a bit on 7600 and other platforms with internal OSPF neighbors. So long as the interfaces you are connecting with (dot1q vlan's in my case most of the time) are associated with that vrf, you should be able to do so, although, I've never tried to leak routes from the global routing table into a VRF, or use BGP (in OSPF there is a vrf tag you must use if I remember correctly). Using VRF's will give you a separate routing table isolated from your global routing table however.

I'm not an expert on this subject so if anyone has corrections, please chime in.

Jeff Fitzwater wrote:
Re: [c-nsp] DHCP Binding Expiration
Manaf Al Oqlah wrote:
> hi all, thank you for your help. It seems that all those hosts with infinite expiration time are devices that do not have client identifier such as D-Link, Cisco Linksys routers or Unix systems. does it make sense?

I don't think that's the cause of the problem. We have several hundreds if not thousands of Linksys and D-Link CPEs on our assorted last-mile access mediums and only a few dozen infinite leases. I'd expect far more infinite leases if a blank client ID was the cause.

Justin
Re: [c-nsp] Cisco 4900M and QinQ
On 2009-02-09 13:45, Sebastian Wiesinger wrote:
> Hi, has anyone a working QinQ tunnel on a Cisco 4900M? I tried it in the lab with 12.2(50)SG Enterprise Services SSH and it didn't work.

QinQ on 4900M and Sup-6E will be supported on 12.2(52)SG. Currently it isn't:
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/release/note/OL_15594.html#wp363642

--
Don't expect me to cry for all the | Łukasz Bromirski
reasons you had to die -- Kurt Cobain | http://lukasz.bromirski.net
Re: [c-nsp] core OSPF configurations
Thanks Pete Pete for your insight. :-) I was hoping to get more feedback from engineers, but this definitely helps.

/bs

On Tue, Feb 3, 2009 at 7:20 AM, Pete Templin peteli...@templin.org wrote:
> Brian Spade wrote:
>> What is the best way to configure OSPF to inject all 50+ SVIs into the routing domain? Would you configure network statements for all SVI networks and passive the interfaces? Would you configure OSPF on the uplink interfaces only and redistributed connected to create type-5 externals?
>
> If it were me, the SVIs would be announced into BGP, so that my OSPF world stayed small and clean.
>
> That said, remember that the network statement(s) only have to match, through wildcard math, the _IP addresses_ of the interfaces to be included in OSPF. If you run a single area, 'network 0.0.0.0 255.255.255.255 area 0' is all you need. Flipside, if you want to lock down OSPF to the point that shifting an interface within a subnet causes OSPF to drop so you can catch the culprit in the act, 'network 10.20.30.254 0.0.0.0 area 0' matches exactly that one address (but the interface's correct netmask is used when inserting the route into OSPF).
>
> pt
Re: [c-nsp] Rancid and commercial config management tools
Free as in beer isn't as valuable as Free as in speech.

On Mon, Feb 9, 2009 at 2:06 PM, Rubens Kuhl rube...@gmail.com wrote:
Re: [c-nsp] DHCP Binding Expiration
On Monday 09 February 2009 12:50:54 Justin Shore wrote:
> Manaf Al Oqlah wrote:
>> The problem is that I still can see some clients IP addresses lease expiration are Infinite in the DHCP binding! what could be the reason for this behavior and could be this some sort of attack!!
>
> I get them too. I never have figured out what causes them. So far it hasn't been a big deal for me.

BOOTP. BOOTP clients can bring any DHCP server to its knees, especially if the BOOTP client is badly coded. For instance, I run a Smoothwall Advanced Firewall here in a testing mode (I'm tech support for the local reseller), and I started noticing all of the sudden that ALL of the leases were taken, and most were clients with an UNKNOWN expiry. I looked closely, and the MAC addresses were sequential, and there were right at 100 of them. Tracked it down to, believe it or not, a Catalyst 8540MSR switch, which was requesting via BOOTP for every single one of its MACs.
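An added example, not from anyone on the thread, for triaging the binding table the way the replies above reason about it: it parses constructed text shaped like IOS "show ip dhcp binding" output (an approximation of that layout, with invented addresses), flags Infinite leases, notes which of those have no client identifier (Manaf's hypothesis), and looks for runs of consecutive hardware addresses, the symptom that pointed at the BOOTP-requesting switch. The 7-byte-means-client-ID rule is an assumption of the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the shape of IOS 'show ip dhcp binding' output
# (an approximation of the column layout; every value here is invented).
SAMPLE = """\
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
10.0.0.10           0100.1122.3344.55       Feb 10 2009 03:00 PM    Automatic
10.0.0.11           0100.1122.3344.66       Feb 10 2009 03:05 PM    Automatic
10.0.0.12           0011.2233.4455          Infinite                Automatic
10.0.0.13           0100.aabb.ccdd.ee       Infinite                Automatic
10.0.0.20           0000.0c00.0001          Infinite                Automatic
10.0.0.21           0000.0c00.0002          Infinite                Automatic
10.0.0.22           0000.0c00.0003          Infinite                Automatic
10.0.0.23           0000.0c00.0004          Infinite                Automatic
"""

# One binding row: IP, client-id/hardware address, expiration, type.
BINDING_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<cid>[0-9a-fA-F.]+)\s+"
    r"(?P<exp>.+?)\s{2,}"          # expiration may contain single spaces
    r"(?P<kind>\S+)\s*$")


@dataclass(frozen=True)
class Binding:
    ip: str
    client_id: str        # client identifier (type byte + MAC) or bare MAC
    expiration: str
    kind: str

    @property
    def has_client_id(self) -> bool:
        # Assumption of this example: 7 bytes (01 + MAC) is a client ID,
        # 6 bytes is a bare hardware address (no client identifier sent).
        return len(self.client_id.replace(".", "")) == 14

    @property
    def mac_int(self) -> int:
        # Compare on the low six bytes so client IDs and bare MACs line up.
        return int(self.client_id.replace(".", "")[-12:], 16)


def parse_bindings(text: str) -> List[Binding]:
    out = []
    for line in text.splitlines():
        m = BINDING_RE.match(line)
        if m:
            out.append(Binding(m["ip"], m["cid"], m["exp"].strip(), m["kind"]))
    return out


def infinite_bindings(bindings: List[Binding]) -> List[Binding]:
    return [b for b in bindings if b.expiration.lower() == "infinite"]


def sequential_mac_runs(bindings: List[Binding], min_len: int = 3) -> List[List[str]]:
    """Groups whose hardware addresses increase by exactly one (one box, many MACs)."""
    ordered = sorted(bindings, key=lambda b: b.mac_int)
    runs, current = [], []
    for b in ordered:
        if current and b.mac_int == current[-1].mac_int + 1:
            current.append(b)
        else:
            if len(current) >= min_len:
                runs.append([x.client_id for x in current])
            current = [b]
    if len(current) >= min_len:
        runs.append([x.client_id for x in current])
    return runs


def triage(text: str) -> Dict[str, object]:
    bindings = parse_bindings(text)
    inf = infinite_bindings(bindings)
    return {
        "total": len(bindings),
        "infinite": len(inf),
        "infinite_without_client_id": sum(1 for b in inf if not b.has_client_id),
        "sequential_runs": sequential_mac_runs(inf),
    }
```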
Re: [c-nsp] core OSPF configurations
Hi,

On Tue, Feb 10, 2009 at 10:50 AM, Brian Spade bitkr...@gmail.com wrote:
> Thanks Pete Pete for your insight. :-) I was hoping to get more feedback from engineers, but this definitely helps.

Strange comment. Anyway, if it was me, I'd:

 router ospf processID
  passive-interface default
  no passive-interface uplink1
  ...
  no passive-interface uplink4
 !
 interface VlanA
  ip ospf processID area n
 ...
 interface VlanZ
  ip ospf processID area n

I like the "ip ospf area" interface command better than network statements. It's a personal preference as the end result is the same. Irrespective of the method you choose, it's easy to get a quick summary of what interface is in what area with "show ip ospf interface brief".

One potential benefit of redistributing them is that you'd be able to summarise all the SVIs into that one area you mentioned. Another is that in the process of redistributing you could do some route-map voodoo to make different stuff happen. I guess whether you turn this core router into an ASBR depends on your current network design (e.g. area design, # of routes, OSPF router load) and where you see it going in the future. If it's just "how would you inject these routes into OSPF?", see above.

cheers,
Dale
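An added example (not code from Pete, Dale or Cisco) that models the two ways of putting interfaces into OSPF discussed in this thread: Pete's point that a "network" statement matches the interface address through wildcard math while OSPF still carries the interface's real mask, and Dale's per-interface "ip ospf area" with "passive-interface default". The interface names and addresses are constructed; the model assumes IOS's documented behaviour that the interface command takes precedence over network statements and that the most specific network statement is evaluated first.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class NetworkStatement:
    """'network <address> <wildcard> area <area>' under 'router ospf'."""
    address: str
    wildcard: str
    area: int

    @property
    def specificity(self) -> int:
        # Count of "don't care" bits. IOS evaluates the most specific
        # statement first regardless of the order entered (assumed here).
        return bin(int(IPv4Address(self.wildcard))).count("1")

    def matches(self, ip: IPv4Address) -> bool:
        # Wildcard math: only the bits where the wildcard is 0 must match.
        care = 0xFFFFFFFF ^ int(IPv4Address(self.wildcard))
        return (int(ip) & care) == (int(IPv4Address(self.address)) & care)


@dataclass(frozen=True)
class Interface:
    name: str
    address: IPv4Interface                # address with the interface's real mask
    ip_ospf_area: Optional[int] = None    # 'ip ospf <pid> area <n>' if configured


@dataclass(frozen=True)
class OspfInterface:
    name: str
    area: int
    prefix: str        # what OSPF carries: the interface's own subnet, never a /32
    passive: bool


def ospf_interfaces(interfaces: List[Interface], statements: List[NetworkStatement],
                    passive_default: bool = False,
                    no_passive: FrozenSet[str] = frozenset()) -> Dict[str, OspfInterface]:
    """Which interfaces OSPF enables, in which area, and whether they are passive."""
    ordered = sorted(statements, key=lambda s: s.specificity)
    result: Dict[str, OspfInterface] = {}
    for intf in interfaces:
        area = intf.ip_ospf_area              # interface command takes precedence
        if area is None:
            for stmt in ordered:              # most specific network statement wins
                if stmt.matches(intf.address.ip):
                    area = stmt.area
                    break
        if area is None:
            continue                          # matched nothing: not in OSPF at all
        passive = passive_default and intf.name not in no_passive
        result[intf.name] = OspfInterface(intf.name, area,
                                          str(intf.address.network), passive)
    return result


# Constructed topology: two uplinks plus a few of the "50+ SVIs".
INTERFACES = [
    Interface("Gi1/1", IPv4Interface("192.0.2.1/30")),
    Interface("Gi1/2", IPv4Interface("192.0.2.5/30")),
    Interface("Vlan10", IPv4Interface("10.20.10.254/24")),
    Interface("Vlan20", IPv4Interface("10.20.20.254/24")),
    Interface("Vlan30", IPv4Interface("10.20.30.254/24")),
]


def single_area_catch_all() -> Dict[str, OspfInterface]:
    # Pete: in a single area, 'network 0.0.0.0 255.255.255.255 area 0' is all you need.
    return ospf_interfaces(INTERFACES, [NetworkStatement("0.0.0.0", "255.255.255.255", 0)])


def locked_down(vlan30_ip: str = "10.20.30.254") -> Dict[str, OspfInterface]:
    # Pete: 'network 10.20.30.254 0.0.0.0 area 0' matches exactly that one address;
    # move Vlan30 within its subnet (e.g. "10.20.30.253") and it drops out of OSPF.
    intfs = [Interface("Vlan30", IPv4Interface(vlan30_ip + "/24"))]
    return ospf_interfaces(intfs, [NetworkStatement("10.20.30.254", "0.0.0.0", 0)])


def interface_style() -> Dict[str, OspfInterface]:
    # Dale: 'passive-interface default', 'no passive-interface' on the uplinks,
    # and 'ip ospf <pid> area <n>' on each interface instead of network statements.
    intfs = [Interface(i.name, i.address, ip_ospf_area=0) for i in INTERFACES]
    return ospf_interfaces(intfs, [], passive_default=True,
                           no_passive=frozenset({"Gi1/1", "Gi1/2"}))
```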
Re: [c-nsp] DHCP Binding Expiration
The ability to provide a new/different IP every time has been oft-discussed on ISC's dhcp-user listserv. IIRC, it contradicts the spec. You would have to customize the code to have that functionality, or, as someone said, play with the leases file.

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Justin Shore
Sent: Monday, February 09, 2009 1:30 PM
To: Church, Charles
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] DHCP Binding Expiration

snip

> One thing on my to do list is to figure out how to always reject lease extension requests to force the CPE to pull a new IP every time a lease expires. This would prevent many of the less technical users from trying to run a publicly-accessible server. Set the lease time to 2 hours, client tries to extend the lease at 50% of the lease (1hr) and the server NAKs. The only question is will the client continue to request the IP until the lease expires before falling back and do a DISCOVER at the 2hr mark (interrupting the flow of traffic) or will it do a bcast DISCOVER in response to the NAK and immediately switch to the new IP once it gets an OFFER 1hr before the original lease expires, thus interrupting traffic again.
>
> I've seen systems do something similar before (or at least I thought they were). When I first got Cox CATV I could only keep my IP for about a day before it changed. One way to mitigate the flow of traffic problem would be to grant short lease extensions automatically until the wee hours of the morning and then force the change. Something to think about. It's on my list right behind setting up an OSS walled garden and convincing the boss to replace our 7 different DHCP provisioning systems with CNR. Oh, and finishing my IPv6 deployment.
>
> Thanks for the info
> Justin
[c-nsp] Two BGP Routers and EIGRP
Hey all,

I am seeing an issue with routes dropping in our configuration and wanted to do a sanity check. We have two sup2/msfc2 w/ 512MB (router A and B) each connected to a distinct BGP peer. We are running eigrp on these routers as well to redistribute static and connected routes to two other routers (router C and D) in our network. Currently I have a default static route configured on router B to point to the BGP peer's uplink. This in turn injects a default route into eigrp which router A/C/D pick up.

This is my question, is there a better way to set this up? We do not want to push all BGP routes to router C and D because they do not need all of the routes, simply only a default route that is dynamic if router D dies.

Second part is, we see inbound routes getting dropped and causing bouncing routes but it is only a select few. Traffic from peer comes to router D and then router D sends it back to peer then peer sends it back to router D etc etc. Is this due to the way I have the network set up above? If I hard reset the BGP session, the problem goes away for ~3 weeks. Is this a limitation of sup2's with BGP now that we are over 256k routes?

Any suggestions are more than welcomed!

jason
Re: [c-nsp] VRF and BGP ?
Hi All,

We had a similar situation where we had to create an internet vrf and leak/connect that to the global routing table. So we had a couple of interfaces belonging to the internet vrf of which one connected back to the same device on an interface in the global network. We had ospf as IGP to exchange infrastructure/loopback addresses and BGP for Internet addresses.

The problem was that OSPF did come up at first, so the problem on the 6500's/7600's is that they use the same MAC address for all L3 interfaces. Change the one side's MAC to a MAC of your choice and up comes OSPF and after that BGP can do its thing.

So when we implemented this on our GSRs/7206's it still didn't work... So after a bit of ol debugging I came to the conclusion that the following happens: The router (either VRF or global) wants to connect to the (OSPF) neighbor, needs to do an arp for the address but then sees it already has an attached interface with that IP/MAC pair so it never sends the arp and goes into a loop of sorts. (Maybe some real propeller head can give the real reasons..) So the OSPF never comes up.

I added static arp entries (see below) and jippeee, OSPF comes up etc...

-
arp 10.241.0.66 001f.26e0.d419 ARPA
arp vrf internet 10.241.0.65 001f.26e0.d41a ARPA
-

I hope this helps and gives you some idea what to look for when you need this..

Cheers
JC

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Walter Keen
Sent: Tuesday, February 10, 2009 12:45 AM
To: Jeff Fitzwater
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] VRF and BGP ?
Re: [c-nsp] Hello
On Tue, Feb 10, 2009 at 6:49 AM, Renelson Panosky panocisc...@gmail.com wrote:
> Hello every one

*insert terrible routing protocol adjacency dad joke here* :-)

cheers,
Dale