Re: [c-nsp] tacacs+ an nexus 5010
No, it should be right. My problem is that if I do a tcpdump on the tacacs+ server I dont see anything from the nexus. It's like it doesn't leave the box at all. /Arne -Oprindelig meddelelse- Fra: ch...@lavin-llc.com [mailto:ch...@lavin-llc.com] Sendt: 30. juni 2009 23:34 Til: cisco-nsp@puck.nether.net; Arne Larsen / Region Nordjylland Emne: Re: [c-nsp] tacacs+ an nexus 5010 On Tue Jun 30 13:47 , Arne Larsen / Region Nordjylland sent: Hi all. Can someone help me out here. I'm having trouble getting tacacs+ to work an a nexus 5010. When ever I'm trying to access the nexus the debug prints.: Skipping DEAD TACACS+ server 10.0.100.233 I can ping and telnet to the tac-server from the nexus. Am I missiing somthing in my config ?? my conf. vrf context management ip name-server 10.2.4.63 10.2.4.64 10.2.4.65 ip host aasnxu1 10.2.8.14 ip host helios 10.0.100.233 tacacs-server key 7 x tacacs-server host 10.0.100.233 aaa group server tacacs+ REG_TAC server 10.0.100.233 deadtime 5 use-vrf management aaa authentication login default group REG_TAC aaa authentication login error-enable tacacs-server directed-request vrf context management ip route 0.0.0.0/0 10.2.8.1 aasnxu1# sh tacacs-server Global TACACS+ shared secret: timeout value:5 deadtime value:0 total number of servers:1 following TACACS+ servers are configured: 10.0.100.233: available on port:49 following TACACS+ server groups are configured: group REG_TAC: server 10.0.100.233 on port 49 deadtime is 5 vrf is management Is there a chance you have a mismatch TACACS key? -chris ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] DNS rewrite global capabilities
Without a firewall proxying the tcp connection? That would depend on how many servers there are and what the firewalls can handle. The server never gets traffic from the spoofed addresses with the firewall, or from a load-balancer that multiplex's the tcp connections. There isn't a firewall made which has the capacity to handle this more efficiently than a well-configured server or server farm. That's not saying a whole lot. You could always get more bandwidth and more servers. That doesn't mean it's not helpful to have a specialized device multiplexing the connections to the servers, and doing more sophisticated analysis of the packets before sending them to the server. I wouldn't say much more efficiently, since more advanced load balancers and firewalls route via asic's and fpga's. I certainly would, and do; they none of them run into the mpps, as routers can and do. You are claiming that certain firewalls/load-balancers can't firewall and inspect packets at millions of packets per second. This claim is inconsistent with current data. If the packet is the same as a normal request but a spoofed address, you're going to have some trouble even with automated systems looking for no syn/ack, and then hunting the source down and automatically blocking the true sources at the ingress of the upstreams. Not with appropriate detection/classification/traceback tools. This isn't new technology. And blocking at the edges isn't generally accomplished automatically, but manually, upon demand. Intelligent DDoS mitigation devices can and do black automatically. These packets are the same as legit packets, I do not believe a fully effective automated system exists. While the load-balancer or advanced firewall never sent the connection to the server, and the device is designed to be able to handle allocating memory for bogus connections. They never send the legitimate traffic, either, being overwhelmed by the DDoS. Not really saying a whole lot again. My argument was not that the products you refer to aren't a part of an effective security solution. -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Roland Dobbins Sent: Wednesday, July 01, 2009 1:24 AM To: Cisco-nsp Subject: Re: [c-nsp] DNS rewrite global capabilities On Jul 1, 2009, at 12:09 PM, Quinn Mahoney wrote: Without a firewall proxying the tcp connection? That would depend on how many servers there are and what the firewalls can handle. The server never gets traffic from the spoofed addresses with the firewall, or from a load-balancer that multiplex's the tcp connections. There isn't a firewall made which has the capacity to handle this more efficiently than a well-configured server or server farm. I wouldn't say much more efficiently, since more advanced load balancers and firewalls route via asic's and fpga's. I certainly would, and do; they none of them run into the mpps, as routers can and do. If the packet is the same as a normal request but a spoofed address, you're going to have some trouble even with automated systems looking for no syn/ack, and then hunting the source down and automatically blocking the true sources at the ingress of the upstreams. Not with appropriate detection/classification/traceback tools. This isn't new technology. And blocking at the edges isn't generally accomplished automatically, but manually, upon demand. Intelligent DDoS mitigation devices can and do black automatically. That's even if such an effective system actually existed. They do, see above. While the load-balancer or advanced firewall never sent the connection to the server, and the device is designed to be able to handle allocating memory for bogus connections. They never send the legitimate traffic, either, being overwhelmed by the DDoS. --- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com Unfortunately, inefficiency scales really well. -- Kevin Lawton ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] tacacs+ an nexus 5010
Hi, No, it should be right. My problem is that if I do a tcpdump on the tacacs+ server I dont see anything from the nexus. It's like it doesn't leave the box at all. or is blocked elsewhere - check the network that the TACACS+ traffic is being sent on and check ACLs etc that might be in the way on the way to the server. check firewall on server to ensure such traffic is allowed. ping and telnet are okay but they wont test the actual method used. alan ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] tacacs+ an nexus 5010
No, it should be right. My problem is that if I do a tcpdump on the tacacs+ server I dont see anything from the nexus. It's like it doesn't leave the box at all. or is blocked elsewhere - check the network that the TACACS+ traffic is being sent on and check ACLs etc that might be in the way on the way to the server. check firewall on server to ensure such traffic is allowed. ping and telnet are okay but they wont test the actual method used. ... and are you using the correct 'ip tacacs source-interface' to source the traffic? ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] tacacs+ an nexus 5010
Cisco Nexus platforms make a distinction between out-of-band management access (mgmt0 interface) and inband management access. the former is in a 'management' VRF while the latter is in the 'default' VRF. make sure you've configured TACACS+ to match the appropriate VRF. cheers, lincoln. Arne Larsen / Region Nordjylland wrote: No, it should be right. My problem is that if I do a tcpdump on the tacacs+ server I dont see anything from the nexus. It's like it doesn't leave the box at all. /Arne -Oprindelig meddelelse- Fra: ch...@lavin-llc.com [mailto:ch...@lavin-llc.com] Sendt: 30. juni 2009 23:34 Til: cisco-nsp@puck.nether.net; Arne Larsen / Region Nordjylland Emne: Re: [c-nsp] tacacs+ an nexus 5010 On Tue Jun 30 13:47 , Arne Larsen / Region Nordjylland sent: Hi all. Can someone help me out here. I'm having trouble getting tacacs+ to work an a nexus 5010. When ever I'm trying to access the nexus the debug prints.: Skipping DEAD TACACS+ server 10.0.100.233 I can ping and telnet to the tac-server from the nexus. Am I missiing somthing in my config ?? my conf. vrf context management ip name-server 10.2.4.63 10.2.4.64 10.2.4.65 ip host aasnxu1 10.2.8.14 ip host helios 10.0.100.233 tacacs-server key 7 x tacacs-server host 10.0.100.233 aaa group server tacacs+ REG_TAC server 10.0.100.233 deadtime 5 use-vrf management aaa authentication login default group REG_TAC aaa authentication login error-enable tacacs-server directed-request vrf context management ip route 0.0.0.0/0 10.2.8.1 aasnxu1# sh tacacs-server Global TACACS+ shared secret: timeout value:5 deadtime value:0 total number of servers:1 following TACACS+ servers are configured: 10.0.100.233: available on port:49 following TACACS+ server groups are configured: group REG_TAC: server 10.0.100.233 on port 49 deadtime is 5 vrf is management Is there a chance you have a mismatch TACACS key? -chris ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Would an MTU mis-match cause one-way ICMP over EoMPLS VC?
wrong mtu setting = normal problem, normal drop ;) you must have the same mtu on a ptp link, if not fragmentation will fail On Mon, Jun 29, 2009 at 6:17 AM, Jason Lixfeld ja...@lixfeld.ca wrote: Diagram: siteA CE || +---++---+ | 7206PE | +---++---+ f2/0 (mtu 1500) || f0/1 (mtu 1504) +---++---+ | ME3400 | +---++---+ g0/1 (mtu 1504) || g1/1 (mtu 9216) +---++---+ | 7609 | +---++---+ g7/2 (mtu 9216) || g0/0 (mtu 9216) +---++---+ | 7301PE | +---++---+ || siteB CE I'm getting one-way ICMP over a VC that is terminated on the 7206PE; meaning ICMP echo requests sourced from siteA CE to siteB CE cannot be seen on the siteB CE. However, ICMP echo requests sourced from the siteB CE can be seen on the siteA CE (but the echo reply packest are not seen by siteB CE). I understand that MTU issues would most certainly cause problems if the packet size was closer to the 1500 byte mark (1474 or there about, depending, maybe), but would this particular MTU mis-match even cause issues with such small ICMP packets? If MTU wouldn't cause this, then I'm back to square one with trying to figure out this one-way traffic thing I've got going on here. Thanks in advance.. ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Question about Cisco PIX VPN
Hi Jared, On Tue, 30 Jun 2009, Jared Gillis wrote: Hi all, I'm configuring a PIX 501 running v6.3.5 code to terminate VPN connections from remote users. I've got the config intact, but need to learn how the PIX handles these connections internally. Here's the relevant config: access-list nonatvpn permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 ip pool vpnswclient 192.168.1.2-192.168.1.254 nat (inside) 0 access-list nonatvpn and I've got vpngroups defined per-user to pull from the vpnswclient pool and split-tunnel based on the nonatvpn acl. So my inside network is 192.168.0.0/24, and the vpnclients will get addressed into 192.168.1.0/24 (correct?), and there will be no NAT on communication between them. My question is, are my vpn clients in the same broadcast domain as nope, they are not. Also, unless you have sysopt connection permit-ipsec you will need to explicitly allow their traffic into the inside. my inside interface, or will they be required to unicast to 192.168.0.x addresses? Is there a way to influence how they can communicate? They'll talk unicast, as two different subnets. You can think as if the 192.168.1.x subnet is something hanging off the outside interface. BTW, that's the reason why no internet communication via VPN without split tunneling was possible till the same-security permit intra-interface - because in that case you arrive from outside and need to go back to outside. cheers, andrew I've been looking all over Cisco's website and can find plenty of configuration examples, but nothing explaining how communication between the inside and vpn clients is handled. -- Jared Gillis - ja...@corp.sonic.net Sonic.net, Inc. Network Operations2260 Apollo Way 707.522.1000 (Voice) Santa Rosa, CA 95407 707.547.3400 (Support)http://www.sonic.net/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Non export of netflow of dscp bits from PCF3A
That's what I suspected, but I couldn't find a release note/tech note that detailed that. And cisco support hasn't been helpful either, even though I mentioned that I suspected it was a limitation of the PFC3A. Matthew Huff | One Manhattanville Rd OTA Management LLC | Purchase, NY 10577 http://www.ox.com | Phone: 914-460-4039 aim: matthewbhuff | Fax: 914-460-4139 -Original Message- From: Dirk Kurfuerst [mailto:dirk.kurfue...@isarnet.de] Sent: Wednesday, July 01, 2009 1:50 AM To: Matthew Huff Cc: 'cisco-nsp@puck.nether.net' Subject: Re: [c-nsp] Non export of netflow of dscp bits from PCF3A Works like designed. The PFC3A doesn't export QoS informations. This has been one major reason to go for the B version for us some times ago at Qimonda. (rem: QoS-netflow-collecting seems a L2-netflow-feature; this is supported in the B versions only) Matthew Huff schrieb: We use Fluke's Netflow Tracker for netflow analysis. I've run into a weird one though. Our netflow export from our distribution switches which are running 12.2(33)SXI1 does not seem to export the dscp bits, but our core switches running 12.2(33)SXI1 as well, do export the dscp bits. The difference is the distribution switch is a PFC3A where the core switches are PFC3Bs. Anyone seen this issue before? I've verified that the netflow configurations are identical, and that the packets do have the attributes set as they pass throught he distribution. Matthew Huff | One Manhattanville Rd OTA Management LLC | Purchase, NY 10577 http://www.ox.com | Phone: 914-460-4039 aim: matthewbhuff | Fax: 914-460-4139 -- Dirk Kurfuerst Tel. +49 811 99829 130 Fax: +49 89 97007 200 GSM: +49 178 7072043 e-mail: dirk.kurfue...@isarnet.de http://www.isarnet.de http://www.isarflow.de IsarNet AG Terminalstrasse Mitte 18 85356 Muenchen Sitz der Gesellschaft: Oberding Handelsregister Muenchen, HRB 127295 USt.-ID Nr. DE203054669 Vorstand: Andreas Perthel, Harald Weikert Vorsitzender des Aufsichtsrates: Andreas Gallenmueller ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] tacacs+ an nexus 5010
I guess, I can fid that command, I've seen in doc also. But the config points to mng vrf. aaa group server tacacs+ REG_TAC server xxx..xxx.xxx deadtime 5 use-vrf management /Arne -Oprindelig meddelelse- Fra: Tom Lanyon [mailto:t...@netspot.com.au] Sendt: 1. juli 2009 10:09 Til: Arne Larsen / Region Nordjylland Cc: cisco-nsp Emne: Re: [c-nsp] tacacs+ an nexus 5010 No, it should be right. My problem is that if I do a tcpdump on the tacacs+ server I dont see anything from the nexus. It's like it doesn't leave the box at all. or is blocked elsewhere - check the network that the TACACS+ traffic is being sent on and check ACLs etc that might be in the way on the way to the server. check firewall on server to ensure such traffic is allowed. ping and telnet are okay but they wont test the actual method used. ... and are you using the correct 'ip tacacs source-interface' to source the traffic? ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] DNS rewrite global capabilities
On Jul 1, 2009, at 2:05 PM, Quinn Mahoney wrote: That's not saying a whole lot. You could always get more bandwidth and more servers. That doesn't mean it's not helpful to have a specialized device multiplexing the connections to the servers, and doing more sophisticated analysis of the packets before sending them to the server. On the contrary, it's absolutely detrimental to attempt to perform such analysis on a device which is yet another attack vector, and which can easily be overwhelmed due to its limited stateful capacity (multiplexing is useful, but is unrelated to this general topic). I speak from personal hands-on operational experience, and from the personal hands-on operational experience of others who with whom I've worked in this sector. You are claiming that certain firewalls/load-balancers can't firewall and inspect packets at millions of packets per second. This claim is inconsistent with current data. I know how these devices work from the inside-out, having utilized, deployed, and participated in feature specifications for same. They don't do what you claim, and can't ever, due to their inherent design principles. These packets are the same as legit packets, I do not believe a fully effective automated system exists. My hands-on personal operational experience detecting, classifying, tracing back, and mitigating multi-gb/sec, multi-mpps DDoS attacks using precisely the approaches I've outlined indicate otherwise. Not really saying a whole lot again. My argument was not that the products you refer to aren't a part of an effective security solution. My arguments are based on large-scale operational experience and detailed knowledge of this topic and of the performance envelopes/ characteristics of these types of devices in real-world situations, as well as from a design and development perspective. They are factual, and represent ground truth, not opinions. --- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com Unfortunately, inefficiency scales really well. -- Kevin Lawton ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Fun with interface counters.
Hi, It's just a Gigabit Ethernet interface with an IP, it's not attached to a VLAN. -Drew -Original Message- From: gpend...@gmail.com [mailto:gpend...@gmail.com] On Behalf Of Geoffrey Pendery Sent: Tuesday, June 30, 2009 4:25 PM To: Drew Weaver Cc: cisco-nsp@puck.nether.net Subject: Re: [c-nsp] Fun with interface counters. Trunk port or access port? One of the main places I've seen mismatching amounts of tx/rx is on trunk ports, where either the switchport trunk allowed vlan doesn't match on both sides, or in the case of the router interface, you only have .1Q subinterfaces configured for certain VLANs, but other VLANs are flooding across the link. -Geoff On Tue, Jun 30, 2009 at 4:59 PM, Drew Weaverdrew.wea...@thenap.com wrote: I assume this is either a bug, or something else equally enjoyable. Today, I noticed that one of our switches was acting up, so I logged into it and did the usual show interfaces, sh proc cpu sort, etc etc. I noticed that the switch's uplink interface indicated that it was doing 700Mbps to the router it is connected to, the router indicated that it was only getting 200Mbps from the switch. So either there is a counter bug, or the switch was sending traffic that was being dropped by the router or dropped later by the switch (after it was counted?), or something else equally amusing? Does anyone have any thoughts on this/seen this before? Thanks! ___ cisco-nsp mailing list cisco-...@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] using a /29 mask on a /30 point-to-point
Or short of changing ISP, change your layout. I assume you are receiving either: A. One hand-off going to a switch, then ports on that switch used to connect to outside interfaces of both PIXes. B. Two hand-offs, each one going to a PIX outside interface. If it's A, then adding a router isn't really adding a single point of failure, since you already have SPoFs (the single hand-off and the single switch). Just replace the switch with either a router or a layer 3 switch (like a 3560/3750). If it's B, then add two routers, one for each hand-off, and have them do HSRP/VRRP/GLBP on the inside for your firewalls. Either solution seems less likely to get your Internet Drivers License revoked than trying to wrangle some IP trickery on a /28 (suggested above in lieu of /29, probably a better idea since none of the actual interface addresses will be seen as the broadcast address by your hosts). But yes, it would probably work. And of course correct me if your layout is actually C. -Geoff On Tue, Jun 30, 2009 at 7:25 PM, Peter Rathlevpe...@rathlev.dk wrote: On Tue, 2009-06-30 at 15:44 -0400, Deny IP Any Any wrote: Could I configure the subnet on my side of the WAN as a /29? My broadcast address would be wrong, but since its basically a point-to-point anyway, I shouldn't need broadcasts. I realize this is semi-evil, and might get my Internet drivers license revoked, but what would I break by doing this? To clear up: The PIX uses only two addresses, one for the active unit and one for the standby unit. The address for the standby unit is only used to reach the standby when the primary is still active/live. Upon failover the standby unit becomes active and takes over the IP adress of the former active. Every NAT/PAT is carried over statefully between the pair. A failover is pratically invisible for neighbors. If you couldn't change ISP and absolutely _had_ to do something that would almost certainly make your successor hate you, then you _could_ configure the PIX with a /29 mask where the addressing is thus: - PIX primary address is your side of the ISP assigned /30 - PIX secondary address is one of the broadcast addresses from the ISP assigned /30 (the one that is a valid host address in the /29) - Insert a static /30 route for the other part of the /29. Example, if the ISP assigned 10.0.0.0/30 for your link and took 10.0.0.1 for themselves (in v7+ format): ! *** pix *** interface GigabitEthernet0/0 nameif outside security-level 0 ip address 10.0.0.2 255.255.255.248 standby 10.0.0.3 ! route outside 10.0.0.4 255.255.255.252 10.0.0.1 ! Please just change ISP. :-) Regards, Peter ___ cisco-nsp mailing list cisco-...@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] MPLS/BGP - want to add backup IPSEC VPN
Peter If you are the customer and have multiple sites, then I would suggest you look at Dynamic Multipoint VPN (DMVPN). With DMVPN you can have each branch site create a tunnel dynamically when it needs to send traffic to the other sites in case of the MPLS link failure. DMVPN only works on routrs, not firewall, as far as I know. With Phase 3 of the DMVPN your failover to the backup network would work with normal routing protocols like EIGRP, changing a route.. Let me know if that's something you are looking for ( I could give you more info on that ) , here are some links I gathered over the time for DMVPN http://delicious.com/search?context=userpostsp=dmvpnlc=1u=tomek0001 Tom -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Ivan Pepelnjak Sent: Wednesday, July 01, 2009 12:36 AM To: 'Peter Rathlev'; 'ChrisSerafin' Cc: cisco-nsp@puck.nether.net Subject: Re: [c-nsp] MPLS/BGP - want to add backup IPSEC VPN If you're the customer (having only CE routers), this is a classic primary/backup problem, only this time using BGP as the core routing protocol. If you're the provider (using MPLS between your BGP routers to offer whatever services), you can run MPLS over GRE over IPSec on the backup link (just watch for MTU issues). We built a pretty large network using it and after the initial kinks it works perfectly. Ivan http://www.ioshints.info/about http://blog.ioshints.info/ -Original Message- From: Peter Rathlev [mailto:pe...@rathlev.dk] Sent: Tuesday, June 30, 2009 11:51 PM To: ChrisSerafin Cc: cisco-nsp@puck.nether.net Subject: Re: [c-nsp] MPLS/BGP - want to add backup IPSEC VPN On Tue, 2009-06-30 at 14:11 -0500, ChrisSerafin wrote: I have a few MPLS routers running BGP as the routing protocol. I added a public IP'ed interface on a free ports on the same router, and I'm able to get to it and use it for Internet bound traffic if I wish. I would like to configure an IPSEC VPN to provide backup if the MPLS provider fails. I'm having a hard time with Cisco TAC on this, mainly them getting back to me. dumb'ed down diagram is at: http://chrisserafin.com/design.jpg I just want a basic split tunnel VPN in the event the primary MPLS/BGP link goes down. I'm assuming let BGP take care of the MPLS side and add static routes with a very high weight for the VPN failover? And the VPN-link needs to carry MPLS traffic too? MPLSoGRE could be an option, but support is very limited AFAIK. Otherwise some extra equipment doing L2TPv3 might work. Performance limitations might very well rule this out. If MPLS isn't needed a simple GRE tunnel would of course do. You could even create a new tunnel per VRF if you need reachability in several of these. It scales bad concerning administration though. Regards, Peter ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Cisco ASA digital certificate
I've not used it myself, but I believe an ASA running 8.x code can actually act as a certificate authority itself. On Wed, 2009-06-24 at 03:35 -0400, almog ohayon wrote: Hello Everyone,I have the following requirements for small integration project and it's not working: 1. Remote access VPN for only 1-2 users. 2. Remote users can get access to the internal network only with certificate - software or hardware. 3. the gateway is Cisco ASA 5510. *notes:* 1. i don't want to use Microsoft CA server or any dedicated CA server for certificate enrollment. 2. i want to install the ASA as standalone device and the certificates will be installed on it. 3. i can use both Cisco IPsec client or Cisco anyconnect client. if someone has solution for me or recommendation it will be great. if anyone think of a better security authetication solution also be great. thanks. -- Almog Ohayon. ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] MPLS/BGP - want to add backup IPSEC VPN
If you're the customer (having only CE routers), this is a classic primary/backup problem, only this time using BGP as the core routing protocol. This sounds like what I'm planning on doing.GRE for the routing protocolswe are on the CE end. If you could, please elaborate on the routing that is involved, thanks! The simplest thing would be to run BGP everywhere and make the paths over the GRE tunnels less preferred (for example, by using lower local preference). Ivan http://www.ioshints.info/about http://blog.ioshints.info/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] CPU comparison - bridge vs. route on 7206?
We have a set of 7206VXR's, NPE400 CPUs on each end of a point to point OC3 using PA-POS-OC3 cards. We bridge these circuits through a PA-GE interface (essentially turning the 7206's into a OC-3 to GigE converter) with a single bridge group. We are trying to push nearly 130-140Mbps, but per the MRTG graphs, we seem to be capping @ ~110Mbps. The CPU is also averaging 80-90%. We're seeing a large number of input errors (ignored, total of 5% of input packets) and a fair amount of output pauses (0.12% of output packets). GigabitEthernet1/0 is up, line protocol is up Hardware is WISEMAN, address is 0016.46e6.1c1c (bia 0016.46e6.1c1c) MTU 1500 bytes, BW 100 Kbit, DLY 10 usec, reliability 255/255, txload 36/255, rxload 16/255 Encapsulation ARPA, loopback not set Keepalive set (10 sec) Full-duplex, 1000Mb/s, link type is autonegotiation, media type is unknown media type output flow-control is XON, input flow-control is XON ARP type: ARPA, ARP Timeout 04:00:00 Last input 00:00:00, output 00:00:00, output hang never Last clearing of show interface counters 12w0d Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 208 Queueing strategy: fifo Output queue: 0/40 (size/max) 30 second input rate 66046000 bits/sec, 29231 packets/sec 30 second output rate 141617000 bits/sec, 31690 packets/sec 2816822087 packets input, 1367339773 bytes, 0 no buffer Received 7138653 broadcasts, 0 runts, 0 giants, 0 throttles 143326584 input errors, 0 CRC, 0 frame, 481945 overrun, 142844639 ignored 0 watchdog, 4536607 multicast, 0 pause input 0 input packets with dribble condition detected 3993978307 packets output, 979813878 bytes, 0 underruns 0 output errors, 0 collisions, 0 interface resets 0 babbles, 0 late collision, 0 deferred 4 lost carrier, 0 no carrier, 4808187 pause output 0 output buffer failures, 0 output buffers swapped out If we move this to a routed infrastructure with CEF, can we expect the CPU to drop considerably? The routing will be static only, very simple config with no ACLs, no policy maps, etc. We're just trying to get the routers to let us push as much of the OC3 bandwidth as possible. We would rather not upgrade the NPE400's if possible. The internal LAN equipment is Nortel L3 switches which don't seem to support flow-control. Thanks in advance for any ideas. Chris -- -- Chris Hale chal...@gmail.com ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] OT: Best Online Antispam Service
Once I used to have a mail server at home and a domain for my family and friends, I tried and liked very much the free service google apps can offer, you could host your mail domain at their servers and then make the mails be automatically forwarded to your corporate mail. This way you'll enjoy both good anti-virus/anti-spam AND mail backup for free, it supports up to 500 mailboxes for free, need more? You can pay and get as much as you want. I think yahoo offers a similar service, and their integration with Outlook seems better, but I never tried it. Ziv -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Felix Nkansah Sent: Wednesday, July 01, 2009 1:57 AM To: cisco-nsp@puck.nether.net Subject: [c-nsp] OT: Best Online Antispam Service Hi Team, I am interested in subscribing to a GOOD online email filtering service, through which all emails destined to an enterprise domain transit, are scanned and filtered for spam and viruses, before legitimate mails relayed to the destination mail server. As a bonus, the service should also store emails for some time if the destination mail server is down. Much as IronPort and Barracuda appliances do a good antispam job, they are typically placed onsite for which reason the network bandwidth still gets chocked with arriving spam. Please share your experienced recommendations with me on this one. It's better for me than following google search. Felix ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ This footnote confirms that this email message has been scanned by PineApp Mail-SeCure for the presence of malicious code, vandals computer viruses. This footnote confirms that this email message has been scanned by PineApp Mail-SeCure for the presence of malicious code, vandals computer viruses. ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] MPLS/BGP - want to add backup IPSEC VPN
Peter Rathlev wrote: On Tue, 2009-06-30 at 14:11 -0500, ChrisSerafin wrote: I have a few MPLS routers running BGP as the routing protocol. I added a public IP'ed interface on a free ports on the same router, and I'm able to get to it and use it for Internet bound traffic if I wish. I would like to configure an IPSEC VPN to provide backup if the MPLS provider fails. I'm having a hard time with Cisco TAC on this, mainly them getting back to me. dumb'ed down diagram is at: http://chrisserafin.com/design.jpg I just want a basic split tunnel VPN in the event the primary MPLS/BGP link goes down. I'm assuming let BGP take care of the MPLS side and add static routes with a very high weight for the VPN failover? And the VPN-link needs to carry MPLS traffic too? MPLSoGRE could be an option, but support is very limited AFAIK. Otherwise some extra equipment doing L2TPv3 might work. Performance limitations might very well rule this out. If MPLS isn't needed a simple GRE tunnel would of course do. You could even create a new tunnel per VRF if you need reachability in several of these. It scales bad concerning administration though. The VPN will only need to carry the traffic behind router (the remote subnet) and no MPLS 'traffic', so I'm going to look into GRE. Found this: http://supportwiki.cisco.com/ViewWiki/index.php/Tech_Insights:Preferring_MPLS_VPN_BGP_Path_with_IGP_Backup http://supportwiki.cisco.com/ViewWiki/index.php/Tech_Insights:Preferring_MPLS_VPN_BGP_Path_with_IGP_Backup But I have no idea how to implement it yet. ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] MPLS/BGP - want to add backup IPSEC VPN
Ivan Pepelnjak wrote: If you're the customer (having only CE routers), this is a classic primary/backup problem, only this time using BGP as the core routing protocol. If you're the provider (using MPLS between your BGP routers to offer whatever services), you can run MPLS over GRE over IPSec on the backup link (just watch for MTU issues). We built a pretty large network using it and after the initial kinks it works perfectly. Ivan http://www.ioshints.info/about http://blog.ioshints.info/ -Original Message- From: Peter Rathlev [mailto:pe...@rathlev.dk] Sent: Tuesday, June 30, 2009 11:51 PM To: ChrisSerafin Cc: cisco-nsp@puck.nether.net Subject: Re: [c-nsp] MPLS/BGP - want to add backup IPSEC VPN On Tue, 2009-06-30 at 14:11 -0500, ChrisSerafin wrote: I have a few MPLS routers running BGP as the routing protocol. I added a public IP'ed interface on a free ports on the same router, and I'm able to get to it and use it for Internet bound traffic if I wish. I would like to configure an IPSEC VPN to provide backup if the MPLS provider fails. I'm having a hard time with Cisco TAC on this, mainly them getting back to me. dumb'ed down diagram is at: http://chrisserafin.com/design.jpg I just want a basic split tunnel VPN in the event the primary MPLS/BGP link goes down. I'm assuming let BGP take care of the MPLS side and add static routes with a very high weight for the VPN failover? And the VPN-link needs to carry MPLS traffic too? MPLSoGRE could be an option, but support is very limited AFAIK. Otherwise some extra equipment doing L2TPv3 might work. Performance limitations might very well rule this out. If MPLS isn't needed a simple GRE tunnel would of course do. You could even create a new tunnel per VRF if you need reachability in several of these. It scales bad concerning administration though. This sounds like what I'm planning on doing.GRE for the routing protocolswe are on the CE end. If you could, please elaborate on the routing that is involved, thanks! ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] CPU comparison - bridge vs. route on 7206?
The PA-GE has issues at higher speeds. You should move to L2TPV3 and see if it's better in regards to performance. Your best would be pure L3 forwarding. If the PA-GE is the issue you will have to get off that PA. What happens if you move it to one of the onboard GigE ports on the NPE-400? Rodney On Wed, Jul 01, 2009 at 12:56:39PM -0400, Chris Hale wrote: We have a set of 7206VXR's, NPE400 CPUs on each end of a point to point OC3 using PA-POS-OC3 cards. We bridge these circuits through a PA-GE interface (essentially turning the 7206's into a OC-3 to GigE converter) with a single bridge group. We are trying to push nearly 130-140Mbps, but per the MRTG graphs, we seem to be capping @ ~110Mbps. The CPU is also averaging 80-90%. We're seeing a large number of input errors (ignored, total of 5% of input packets) and a fair amount of output pauses (0.12% of output packets). GigabitEthernet1/0 is up, line protocol is up Hardware is WISEMAN, address is 0016.46e6.1c1c (bia 0016.46e6.1c1c) MTU 1500 bytes, BW 100 Kbit, DLY 10 usec, reliability 255/255, txload 36/255, rxload 16/255 Encapsulation ARPA, loopback not set Keepalive set (10 sec) Full-duplex, 1000Mb/s, link type is autonegotiation, media type is unknown media type output flow-control is XON, input flow-control is XON ARP type: ARPA, ARP Timeout 04:00:00 Last input 00:00:00, output 00:00:00, output hang never Last clearing of show interface counters 12w0d Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 208 Queueing strategy: fifo Output queue: 0/40 (size/max) 30 second input rate 66046000 bits/sec, 29231 packets/sec 30 second output rate 141617000 bits/sec, 31690 packets/sec 2816822087 packets input, 1367339773 bytes, 0 no buffer Received 7138653 broadcasts, 0 runts, 0 giants, 0 throttles 143326584 input errors, 0 CRC, 0 frame, 481945 overrun, 142844639 ignored 0 watchdog, 4536607 multicast, 0 pause input 0 input packets with dribble condition detected 3993978307 packets output, 979813878 bytes, 0 underruns 0 output errors, 0 collisions, 0 interface resets 0 babbles, 0 late collision, 0 deferred 4 lost carrier, 0 no carrier, 4808187 pause output 0 output buffer failures, 0 output buffers swapped out If we move this to a routed infrastructure with CEF, can we expect the CPU to drop considerably? The routing will be static only, very simple config with no ACLs, no policy maps, etc. We're just trying to get the routers to let us push as much of the OC3 bandwidth as possible. We would rather not upgrade the NPE400's if possible. The internal LAN equipment is Nortel L3 switches which don't seem to support flow-control. Thanks in advance for any ideas. Chris -- -- Chris Hale chal...@gmail.com ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] CPU comparison - bridge vs. route on 7206?
Rodney Dunn wrote: The PA-GE has issues at higher speeds. You should move to L2TPV3 and see if it's better in regards to performance. Your best would be pure L3 forwarding. If the PA-GE is the issue you will have to get off that PA. What happens if you move it to one of the onboard GigE ports on the NPE-400? There aren't any onboard gigE ports on an NPE-400. You need NPE-G1 for those. -- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Cisco ASA digital certificate
Tom, Thanks for making me take a look: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/cert_cfg.html#wp1067484 Good info to have handy. Guide above is for 8.2, but it's supported in all 8.x. -ryan -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Tom Sutherland Sent: Wednesday, July 01, 2009 12:20 PM To: almog ohayon Cc: cisco-nsp@puck.nether.net Subject: Re: [c-nsp] Cisco ASA digital certificate I've not used it myself, but I believe an ASA running 8.x code can actually act as a certificate authority itself. On Wed, 2009-06-24 at 03:35 -0400, almog ohayon wrote: Hello Everyone,I have the following requirements for small integration project and it's not working: 1. Remote access VPN for only 1-2 users. 2. Remote users can get access to the internal network only with certificate - software or hardware. 3. the gateway is Cisco ASA 5510. *notes:* 1. i don't want to use Microsoft CA server or any dedicated CA server for certificate enrollment. 2. i want to install the ASA as standalone device and the certificates will be installed on it. 3. i can use both Cisco IPsec client or Cisco anyconnect client. if someone has solution for me or recommendation it will be great. if anyone think of a better security authetication solution also be great. thanks. -- Almog Ohayon. ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] MPLS/BGP - want to add backup IPSEC VPN
Ivan Pepelnjak wrote: If you're the customer (having only CE routers), this is a classic primary/backup problem, only this time using BGP as the core routing protocol. This sounds like what I'm planning on doing.GRE for the routing protocolswe are on the CE end. If you could, please elaborate on the routing that is involved, thanks! The simplest thing would be to run BGP everywhere and make the paths over the GRE tunnels less preferred (for example, by using lower local preference). Ivan http://www.ioshints.info/about http://blog.ioshints.info/ Well looking at the Cisoc docs, I cannot terminate a GRE tunnel on an ASA firewall..any other ideasthanks ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] CPU comparison - bridge vs. route on 7206?
I couldn't remember so I looked for a picture and thought I saw one it did have. They would need the G1/G2 then. Or maybe go to routed mode. Rodney On Wed, Jul 01, 2009 at 10:53:28AM -0700, Jay Hennigan wrote: Rodney Dunn wrote: The PA-GE has issues at higher speeds. You should move to L2TPV3 and see if it's better in regards to performance. Your best would be pure L3 forwarding. If the PA-GE is the issue you will have to get off that PA. What happens if you move it to one of the onboard GigE ports on the NPE-400? There aren't any onboard gigE ports on an NPE-400. You need NPE-G1 for those. -- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] MPLS/BGP - want to add backup IPSEC VPN
Ivan Pepelnjak wrote: If you're the customer (having only CE routers), this is a classic primary/backup problem, only this time using BGP as the core routing protocol. This sounds like what I'm planning on doing.GRE for the routing protocolswe are on the CE end. If you could, please elaborate on the routing that is involved, thanks! The simplest thing would be to run BGP everywhere and make the paths over the GRE tunnels less preferred (for example, by using lower local preference). Ivan http://www.ioshints.info/about http://blog.ioshints.info/ Well looking at the Cisoc docs, I cannot terminate a GRE tunnel on an ASA firewall..any other ideasthanks ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ Terminate the GRE tunnel in the same router that has MPLS VPN. You could just run EIGRP over the GRE (add IPSEC as well since it's over the internet). Regards, -Luan ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] tacacs+ an nexus 5010
Arne, This config looks good I've run a similar config in a production environment and it worked. The only thing I didn't see in your config but I would assume is there is the correct ip address assigned to your mgmt0 interface and the feature tacacs+ command. feature tacacs+ tacacs-server timeout 4 tacacs-server host 10.0.100.233 key 7 x aaa group server tacacs+ access server 10.0.100.233 use-vrf management tacacs-server directed-request vrf context management ip route 0.0.0.0/0 10.2.8.1 interface mgmt0 ip address 10.2.8.14 Also when you're performing your ping tests are you using the management vrf? I believe the command is ping 10.0.100.233 vrf management Thanks, Greg On Wed, Jul 1, 2009 at 6:26 AM, Arne Larsen / Region Nordjyllanda...@rn.dk wrote: I guess, I can fid that command, I've seen in doc also. But the config points to mng vrf. aaa group server tacacs+ REG_TAC server xxx..xxx.xxx deadtime 5 use-vrf management /Arne -Oprindelig meddelelse- Fra: Tom Lanyon [mailto:t...@netspot.com.au] Sendt: 1. juli 2009 10:09 Til: Arne Larsen / Region Nordjylland Cc: cisco-nsp Emne: Re: [c-nsp] tacacs+ an nexus 5010 No, it should be right. My problem is that if I do a tcpdump on the tacacs+ server I dont see anything from the nexus. It's like it doesn't leave the box at all. or is blocked elsewhere - check the network that the TACACS+ traffic is being sent on and check ACLs etc that might be in the way on the way to the server. check firewall on server to ensure such traffic is allowed. ping and telnet are okay but they wont test the actual method used. ... and are you using the correct 'ip tacacs source-interface' to source the traffic? ___ cisco-nsp mailing list cisco-...@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] OT: Best Online Antispam Service
On Wed, Jul 1, 2009 at 19:01, Ziv Leyes z...@gilat.net wrote: Once I used to have a mail server at home and a domain for my family and friends, I tried and liked very much the free service google apps can offer, you could host your mail domain at their servers and then make the mails be automatically forwarded to your corporate mail. This way you'll enjoy both good anti-virus/anti-spam AND mail backup for free, it supports up to 500 mailboxes for free, need more? You can pay and get as much as you want. The maximum is 50 accounts for the Standard Edition, with ads. http://www.google.com/support/a/bin/answer.py?hl=enanswer=113251 There is a limit on the number of email you can send every day (I think it's 500). Google apps is nice anyway, but if your site suddenly drives to much traffic it'll be automatically turned off by Google. And you have no access to any stats regarding to the traffic volume. Anyway, it's certainly a nice platform to play with (still speaking about the free version). -- Stephane Paris, France. ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] NSAP address
hi all i have a machine with windows server 2003 installed on it i have another SDH device that deals with NSAP address now i want a static root on the server pointing to the SDH device but i dont know the syntax any ideas ? thanks _ Drag n’ drop—Get easy photo sharing with Windows Live™ Photos. http://www.microsoft.com/windows/windowslive/products/photos.aspx ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] Default Route Handler
Folks. Regarding CEF FIB, despite the fact this term sounds self understandable, Does someone knows the exactly definition of Default Route Handler? Best regards. Jimmi. ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] OT: Best Online Antispam Service
After a rocky start w/ false positives, we've had a decent go of things with MXLogic. They're consistently improving value to the service by adding functionality. Felix Nkansah felixnkan...@gmail.com 6/30/2009 5:56 PM Hi Team, I am interested in subscribing to a GOOD online email filtering service, through which all emails destined to an enterprise domain transit, are scanned and filtered for spam and viruses, before legitimate mails relayed to the destination mail server. As a bonus, the service should also store emails for some time if the destination mail server is down. Much as IronPort and Barracuda appliances do a good antispam job, they are typically placed onsite for which reason the network bandwidth still gets chocked with arriving spam. Please share your experienced recommendations with me on this one. It's better for me than following google search. Felix ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] OT: Best Online Antispam Service
I've had some really phenomenal experience using Postini. It's pricing is extremely reasonable at 12/year per user for just spam/virus filtering. It can do SMS/email alerts of host down and spooling until the server comes back up. The firm I work at uses it for about 1700 users and I have a client I support of about 30 users that use it with extremely great results. Easy for users to use. Easy to implement for inbound and outbound scanning. On 7/1/09 4:46 PM, Sean Granger sgran...@randfinancial.com wrote: After a rocky start w/ false positives, we've had a decent go of things with MXLogic. They're consistently improving value to the service by adding functionality. Felix Nkansah felixnkan...@gmail.com 6/30/2009 5:56 PM Hi Team, I am interested in subscribing to a GOOD online email filtering service, through which all emails destined to an enterprise domain transit, are scanned and filtered for spam and viruses, before legitimate mails relayed to the destination mail server. As a bonus, the service should also store emails for some time if the destination mail server is down. Much as IronPort and Barracuda appliances do a good antispam job, they are typically placed onsite for which reason the network bandwidth still gets chocked with arriving spam. Please share your experienced recommendations with me on this one. It's better for me than following google search. Felix ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] LNS/LAC on 7600
Hi - does anyone know if Cisco 7600 supports LAC/LNS functionality on the latest ES+ cards. I'm not interested in old MWAM cards that they used to be supported on 7600 but I'm interested in the more recent implementation. Thanks, Marlon ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] Cisco 881G gprs connection problem
Hi, Is anyone here have successful deployment of Cisco 881G router in gsm network (EDGE)? I'm looking for advise, please help :) According to this sources ( http://inetpro.org/wiki/Initial_configuration_of_a_881G_router_Cellular_interfaceand http://www.cisco.com/en/US/docs/routers/access/800/860-880-890/software/configuration/guide/backup.html#wp1064962 ) I've - unlock SIM - created gsm-profile on modem - created chat script - describe interesting traffic - configured cellular interface line When some ip packets arrives toward gprs-network, cellular0 interface becomes up (L1 L2), but, at the same time, gsm-profile still inactive and the ip address for cellular0 remains unassigned. wan-rok#show ip interface brief Interface IP-Address OK? Method Status Protocol Cellular0 unassigned YES NVRAM up up wan-rok#show cellular 0 profile Profile 2 = INACTIVE PDP Type = IPv4 Access Point Name (APN) = xl.kyivstar.net Authentication = PAP Username: internet, Password: internet The biggest question is why state of gsm-profile remains inactive? How I can debug what happens with packet session? Thanks in advance. Config details: ! The dial-string refers second gsm-profile ! chat-script gsm ATDT*99*2# TIMEOUT 60 CONNECT ! ! configuration of the data interface ! interface Cellular0 ip address negotiated encapsulation ppp dialer in-band dialer idle-timeout 0 dialer string gsm dialer-group 1 async mode interactive no ppp lcp fast-start ppp authentication pap ppp pap sent-username internet password 7 0828425A0C0B0B1206 ppp ipcp dns request ! ! configuration of the control channel ! line 3 exec-timeout 0 0 script dialer gsm modem InOut no exec transport input all transport output all rxspeed 236800 txspeed 118000 ! ! traffic definition ! dialer-list 1 protocol ip permit ! ! ip route 0.0.0.0 0.0.0.0 cellular 0 Diagnostic data from modem: wan-rok#show cellular 0 all Hardware Information Modem Firmware Version = F1_2_3_15AP C:/WS/F Modem Firmware built = 07/09/08 Hardware Version = 1.1 Modem Status = Online Current Modem Temperature = 29 deg C, State = Normal Network Information === Current Service Status = Normal, Service Error = None Current Service = Combined Packet Service = EDGE (Attached) *Packet Session Status = Inactive* Current Roaming Status = Home Network Selection Mode = Manual Country = UKR, Network = UA-KS Mobile Country Code (MCC) = 255 Mobile Network Code (MNC) = 3 Location Area Code (LAC) = 47100 Routing Area Code (RAC) = 1 Cell ID = 6634 Primary Scrambling Code = 0 PLMN Selection = Manual Registered PLMN = UA-KYIVSTAR , Abbreviated = UA-KS Service Provider = KYIVSTAR Radio Information = Current Band = GSM 1800, Channel Number = 642 Current RSSI = -70 dBm Band Selected = GSM all band Modem Security Information == Card Holder Verification (CHV1) = Disabled SIM Status = OK SIM User Operation Required = None Number of Retries remaining = 3 I've read probably all solutions that google can find, but any solution doesn't resolve the problem. ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] OT: Best Online Antispam Service
Our experience with Postini was pretty good until Google bought them out. When that happened some of postini's 'quirks' became more apparent (black holed mails) and the service sorta went down hill from there. I'd recommend using a provider more *focused* on email that hasn't been bought out by a giant advertising firm or getting an appliance / rolling your own system. I'd point out that Postini et. al. don't really save you that much in terms of bandwidth. They aren't generally setup as store and forward services, they operate by opening a backend proxy connection to your mail server anyway, so you'll see header traffic, and most spam is relatively small fry byte wise. If you're starving bandwidth wise, traffic shaping and ratelimiting are better options. Also, if you're an ISP, they won't solve the problem of outbound scanning; that only applies to Enterprises. ~Max On Jul 1, 2009, at 3:19 PM, Paul Stewart wrote: Yeah, Postini is what we use today... been very good to date. Service Provider pricing you can get them much more aggressive in pricing depending on volume. I believe we're doing about 35,000 mailboxes today with them - overall pretty happy. Paul -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of MIchael Schuler Sent: Wednesday, July 01, 2009 3:03 PM To: cisco-nsp@puck.nether.net Subject: Re: [c-nsp] OT: Best Online Antispam Service I've had some really phenomenal experience using Postini. It's pricing is extremely reasonable at 12/year per user for just spam/virus filtering. It can do SMS/email alerts of host down and spooling until the server comes back up. The firm I work at uses it for about 1700 users and I have a client I support of about 30 users that use it with extremely great results. Easy for users to use. Easy to implement for inbound and outbound scanning. On 7/1/09 4:46 PM, Sean Granger sgran...@randfinancial.com wrote: After a rocky start w/ false positives, we've had a decent go of things with MXLogic. They're consistently improving value to the service by adding functionality. Felix Nkansah felixnkan...@gmail.com 6/30/2009 5:56 PM Hi Team, I am interested in subscribing to a GOOD online email filtering service, through which all emails destined to an enterprise domain transit, are scanned and filtered for spam and viruses, before legitimate mails relayed to the destination mail server. As a bonus, the service should also store emails for some time if the destination mail server is down. Much as IronPort and Barracuda appliances do a good antispam job, they are typically placed onsite for which reason the network bandwidth still gets chocked with arriving spam. Please share your experienced recommendations with me on this one. It's better for me than following google search. Felix ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] DNS rewrite global capabilities
HI Quin Roland, It's a known fact that both state tracking and bandwidth are finite resources... the other finite resource that isn't talked about much is dollars for arbor boxes :-) The point I think is to balance the architecture in a manner that leaves bandwidth as the final bottleneck; at that point toss the interesting traffic into a sinkhole and filter it, drop it etc. but you need to get to that point first. From a foundation perspective, Roland is correct in stating that a well designed and configured server farm floating anycasted IP's can handle a load far greater than a single upstream firewall; but often times for various reasons a well designed server farm includes a mix of stateless filtering at the edge of the cluster farm, stateful filtering and multiplexing the next level down, and finally enough servers to handle the load up until the point of bandwidth exhaustion. Yes, it's multiple attack points or layers of potential failure, but It's pretty naive to expect people to bolt their systems to the Internet enmasse with Iptables of pf as their primary means of access control. Sinkhole routing is also not a be all end all solution. Sophisticated, DDoS prevention is great if your dealing with the absolute end target in the chain of a reflection or amplification attack. It even works really well when the attackers are using the same automated patterns, or scripts, or doing something silly like violating protocol rules or behavior. Granted, that will cover about 90% of the miscreant attacks out there but It's harder to automate such a response if the attacks are well distributed and the attacker is adhering to know protocol behaviors even looking at backscatter isn't as reliable an indicator as it used to be. ~Max On Jun 30, 2009, at 10:24 PM, Roland Dobbins wrote: On Jul 1, 2009, at 12:09 PM, Quinn Mahoney wrote: Without a firewall proxying the tcp connection? That would depend on how many servers there are and what the firewalls can handle. The server never gets traffic from the spoofed addresses with the firewall, or from a load-balancer that multiplex's the tcp connections. There isn't a firewall made which has the capacity to handle this more efficiently than a well-configured server or server farm. I wouldn't say much more efficiently, since more advanced load balancers and firewalls route via asic's and fpga's. I certainly would, and do; they none of them run into the mpps, as routers can and do. If the packet is the same as a normal request but a spoofed address, you're going to have some trouble even with automated systems looking for no syn/ack, and then hunting the source down and automatically blocking the true sources at the ingress of the upstreams. Not with appropriate detection/classification/traceback tools. This isn't new technology. And blocking at the edges isn't generally accomplished automatically, but manually, upon demand. Intelligent DDoS mitigation devices can and do black automatically. That's even if such an effective system actually existed. They do, see above. While the load-balancer or advanced firewall never sent the connection to the server, and the device is designed to be able to handle allocating memory for bogus connections. They never send the legitimate traffic, either, being overwhelmed by the DDoS. --- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com Unfortunately, inefficiency scales really well. -- Kevin Lawton ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/