Re: [c-nsp] disable break on boot for IOS??

2009-07-14 Thread Ivan Pepelnjak
> This is good advice for newer machines but I've got a UBR
> 924 with 12.1T code on it - 'no service password-recovery'
> isn't an option for me. Which config-register setting will do
> what I need?

None. You cannot disable break during the first minute (or so) with a config
register.

> Seems like maybe 0x8102 would do it

The disable break 0x0100 disables break after the initial one-minute (or
so) window.

Ivan

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
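As an added example, not code from Ivan or from the list, the following Python check reads the configuration-register line from "show version" output and reports what the bits mean for console access: the 0x0100 bit Ivan names (Break ignored once IOS is running), the 0x0040 bit (startup-config ignored at boot, the state a password recovery leaves behind if nobody sets the register back) and a boot field of 0x0 (the next reload stops in ROMMON). The bit meanings are the standard documented IOS ones, which the thread does not spell out, so treat them as an assumption to verify against your platform's docs; the "show version" tail is constructed, not captured from anyone's router.

```python
import re
from typing import List, Optional, Tuple

# Classic 16-bit IOS configuration-register layout (assumption: the standard
# documented bit meanings; the thread itself only names 0x0100 and 0x8102).
BOOT_FIELD_MASK = 0x000F  # bits 0-3: 0x0 stay in ROMMON, 0x1 boot ROM image,
                          #           0x2-0xF honour "boot system" / first flash image
IGNORE_NVRAM    = 0x0040  # bit 6: ignore startup-config at boot (password-recovery leftover)
IGNORE_BREAK    = 0x0100  # bit 8: ignore console Break once IOS is running

_REG_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]{1,4})"
    r"(?:\s*\(will be (0x[0-9A-Fa-f]{1,4}) at next reload\))?"
)


def parse_config_register(show_version: str) -> Optional[Tuple[int, int]]:
    """Extract (current, next_reload) register values from 'show version' text.

    IOS prints '(will be 0xNNNN at next reload)' only when config-register was
    changed since boot; otherwise both values are the same.
    """
    m = _REG_RE.search(show_version)
    if not m:
        return None
    current = int(m.group(1), 16)
    next_reload = int(m.group(2), 16) if m.group(2) else current
    return current, next_reload


def audit_register(current: int, next_reload: int) -> List[str]:
    """Return findings for the bits that matter for console security."""
    findings: List[str] = []
    for label, reg in (("current", current), ("next reload", next_reload)):
        if reg & BOOT_FIELD_MASK == 0:
            findings.append(f"{label} 0x{reg:04x}: boot field 0x0, box stays in ROMMON at reload")
        if reg & IGNORE_NVRAM:
            findings.append(f"{label} 0x{reg:04x}: 0x0040 set, startup-config ignored at boot "
                            "(password-recovery state: console reaches enable with no config)")
        if not reg & IGNORE_BREAK:
            findings.append(f"{label} 0x{reg:04x}: 0x0100 clear, console Break drops a running "
                            "IOS into ROMMON")
    if current != next_reload:
        findings.append(f"register changes at reload: 0x{current:04x} -> 0x{next_reload:04x}")
    return findings


def audit_show_version(show_version: str) -> List[str]:
    """Parse and audit in one step; a missing register line is itself a finding."""
    parsed = parse_config_register(show_version)
    if parsed is None:
        return ["no 'Configuration register is' line found"]
    return audit_register(*parsed)


# Constructed sample of the tail of 'show version' (not captured from a real
# device): a router mid password-recovery, register set back but not yet reloaded.
SAMPLE_SHOW_VERSION = """\
Cisco IOS Software, example build (constructed sample)
...
Configuration register is 0x2142 (will be 0x2102 at next reload)
"""

if __name__ == "__main__":
    for finding in audit_show_version(SAMPLE_SHOW_VERSION):
        print(finding)
```

What the check cannot tell you is the point Ivan makes: no register value stops Break during the window right after power-on, so on code that lacks "no service password-recovery" the only real control is who can reach the console port.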


[c-nsp] MST config on single 3560

2009-07-14 Thread mb

Hi,

We have existing 3560s with multiple trunk ports to clients and upstreams.
We will come very close to hitting the 128 STP instance limit,
therefore MST looks like an option (without upgrading the
switches).


The 3560s also have a trunk port to 7200s (for dot1q subinterfaces), for
clients that require L3 connectivity.


I'm just a little unsure how to group VLANs into separate instances (or
if it is entirely necessary?).


i.e. GE0/1 (From Provider A) has:

interface GigabitEthernet0/1
description GIGE_ICAP_INTERNETCONNECT_TO_PROVIDER_A
switchport trunk allowed vlan 112,172,208,211,240,309,315,385,537,547,550-552
switchport trunk allowed vlan add 554,623,635,687,690,694,696,697,867,879,980
switchport mode trunk

These VLANs are allocated by the provider and represent individual
services. These VLANs are then either presented on client trunk ports
for L2 services, or added to the trunk port to the 7200 for L3 services.


So as you can see, there is no standard for how the individual VLANs
are treated, nor which trunk port they may be presented on. Hoping
someone can provide guidance on how best to manage this?


Thanks in advance.





Re: [c-nsp] IPv6 iBGP Route Reflector

2009-07-14 Thread Aleksandr Gurbo
On Sat, 11 Jul 2009 19:08:17 -0400
Steve Bertrand st...@ibctech.ca wrote:

> Over the weekend, I'll find out how the OP can fix the routes, and
> moreover, why they are broken in the first place.
>
> Steve

Have you any ideas how to fix reflected routes?


-- 
Alexandr Gurbo



Re: [c-nsp] ASA IPsec Tunnel Failover

2009-07-14 Thread Ryan West
Jeff, 

Give this a shot:

http://www.cisco.com/en/US/partner/docs/security/asa/asa82/configuration/guide/ike.html#wp1121157

You can enable multiple peers inside a single crypto map.

-ryan

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Prabhu Gurumurthy
Sent: Monday, July 13, 2009 4:34 PM
To: Munoz, Jeff
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASA IPsec Tunnel Failover

Answer is: BGP

On Jul 13, 2009, at 1:14 PM, Munoz, Jeff wrote:

> Hey guys, I have two main sites (site A and site B) and one remote
> site (site C).  Sites A and B have a metroethernet connection
> between them.  Remote site C has an IPsec tunnel back to site A.
> I'd like to setup failover so in case site A's ASA is down the
> remote site C ASA sends the interesting traffic down the site B
> IPsec tunnel.  Unfortunately, it will always match the tunnel to
> site A since the phase 2 access lists have the same source/
> destinations.  Any ideas on how I can do this?
>
> Thanks!
>
> Jeff


[c-nsp] Stability of 12.2(33)SRD?

2009-07-14 Thread Stephen Fulton

Hi all,

I'm looking for thoughts on the stability of 12.2(33)SRD releases (latest is 
SRD2) in general, as well as any experiences running it on the 7600/RSP720 
series.  I'm connecting a SIP400/SPA-5x1GEv2 to a CWDM network, and only SRD 
supports the CWDM SFP's on the SIP400.  Yay.


Thanks,

-- Stephen


Re: [c-nsp] Software Download Area is Unavailable at this time

2009-07-14 Thread Gert Doering
Hi,

On Mon, Jul 13, 2009 at 06:21:39PM -0400, Jared Mauch wrote:
> They are now claiming the site is fixed, but I'm asking for a RFO
> and what their maint policy is on the website.  If my bank can tell
> me when they do maint, I would hope that Cisco can.

Where are you asking for the RFO?  I have not found a way to contact the
folks responsible for breaking^Wrunning the WWW and FTP servers yet.

(And I have serious doubts that you'll get an answer...)

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025  g...@net.informatik.tu-muenchen.de



Re: [c-nsp] Software Download Area is Unavailable at this time

2009-07-14 Thread Phil Mayers

Gert Doering wrote:

> Hi,
>
> On Mon, Jul 13, 2009 at 06:21:39PM -0400, Jared Mauch wrote:
>
>> They are now claiming the site is fixed, but I'm asking for a RFO
>> and what their maint policy is on the website.  If my bank can tell
>> me when they do maint, I would hope that Cisco can.
>
> Where are you asking for the RFO?  I have not found a way to contact the
> folks responsible for breaking^Wrunning the WWW and FTP servers yet.
>
> (And I have serious doubts that you'll get an answer...)


Agreed. The Cisco web team are obviously extremely clueless, and I doubt 
anything that individual users can do will persuade them to roll back 
these changes. The people on this list are, I suspect, too small a 
percentage of the customer base to overrule the click and gawp crowd.


(Unless there's someone from AOL or one of the major internet exchanges 
lurking here who can apply some pressure ;o)


But can I just make a recommendation to everyone here: next time you go 
out to competitive tender, specify the nature of docs & software 
availability. List HTTP downloads without client software or plugins 
as a mandatory requirement.


Those of you speaking to Cisco now, tell them that you're going to be 
doing that, and that they *WILL LOSE* the next competitive tender if 
they can't fulfil that requirement.


We did so, and I'm planning on smacking Cisco around the head with that 
document shortly. Doubtless it'll be futile, but it's worth a shot...



Re: [c-nsp] multiple vlans on a port

2009-07-14 Thread Benny Amorsen
Matthew Huff mh...@ox.com writes:

> Also, with 802.1q framing, you might run into fragmentation on the
> non-native VLANs. You may want to adjust the MTU on the virtual
> machines if Linux doesn't do it automatically.

Linux, with reasonably modern kernels, automatically allows an extra 4
bytes for the 802.1q tag. You're ok, as long as the switch allows them
too.

This logic seems to break down when doing q-in-q, where you may have to
adjust the MTU to 1508 for the untagged device. This may be fixed in
the last few kernels; I haven't tried lately.


/Benny



Re: [c-nsp] Maximum spanning tree instances

2009-07-14 Thread A . L . M . Buxey
Hi,

> ... but it doesn't say anything about the number of STP instances.

things go wonky when you have more than 1800 virtual ports per slot
(which you didn't quite reach) (1200 on older e.g. 100mbit blades)
with 13,000 in total (PVST+), 10,000 in total (RPVST+) 

however, with MST, you can have 6000 virtual ports per blade and 50,000
in total (yay!)

however, this is all about logical interfaces. you want to know the
STP instance? 

regarding maximum STP instances... I believe there's a platform limit
of 1024 because of the MAC to VLAN bridge mapping on the platform -
but, from the values above, you can see that virtual ports would
hit you quite quickly without appropriate control of the VLANs

alan


Re: [c-nsp] Software Download Area is Unavailable at this time

2009-07-14 Thread Gert Doering
Hi,

On Tue, Jul 14, 2009 at 09:16:23AM +0100, Phil Mayers wrote:
> But can I just make a recommendation to everyone here: next time you go
> out to competitive tender, specify the nature of docs & software
> availability. List HTTP downloads without client software or plugins
> as a mandatory requirement.

While this is a nice idea to cause some pressure, I can't see it as
overly realistic - if I have a router A that will fulfill everything
that we need, and a router B that will only do 80% and at the same
time costs 20% more, but has a better company web interface, I think it's
very unlikely that their web download thingie will change our
decision.

(Besides, most competitors' web sites and software download processes are 
even worse)

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025  g...@net.informatik.tu-muenchen.de



[c-nsp] Block URL ACCESS LIST

2009-07-14 Thread Mohammad Khalil

How can I block a URL using an access-list?


Re: [c-nsp] multiple vlans on a port

2009-07-14 Thread Gert Doering
Hi,

On Mon, Jul 13, 2009 at 06:38:23PM -0400, Matthew Huff wrote:
> Also, with 802.1q framing, you might run into fragmentation on
> the non-native VLANs. You may want to adjust the MTU on the virtual
> machines if Linux doesn't do it automatically.

There are a few broken NIC cards on the Linux side that have issues
with baby-jumbo packets (1500 + 4 byte for 802.1q header).  Decent
gear - and that's what you want to use on a *server* - doesn't have
any issues there.

And, just to clarify: *If* you have MTU problems due to 802.1q headers,
you will not see fragmentation.  You'll see black-holing, because the
stack will not know about the MTU issue, and thus won't even think
about fragmentation.  (Fragmentation happens if there is a link on
the path that has smaller L3 MTU than the packet's sender - but in this
scenario, the L3 endpoints assume 1500, while the L2 link cannot handle
this.  Black hole).

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025  g...@net.informatik.tu-muenchen.de



Re: [c-nsp] Block URL ACCESS LIST

2009-07-14 Thread masood

Please go to the following URL to begin:

http://weblogs.com.pk/jahil/archive/2008/11/15/how-nbar-actually-classifies-the-traffic-flows.aspx

Regards,
Masood




Re: [c-nsp] IPv6 iBGP Route Reflector

2009-07-14 Thread Steve Bertrand
Aleksandr Gurbo wrote:
> On Sat, 11 Jul 2009 19:08:17 -0400
> Steve Bertrand st...@ibctech.ca wrote:
>
>> Over the weekend, I'll find out how the OP can fix the routes, and
>> moreover, why they are broken in the first place.
>>
>> Steve
>
> Have you any ideas how to fix reflected routes?

I will be working on this specific issue today, as I need to make some
changes in preparation of adding a new router later this week.

I'll keep you posted if I find anything specific as I go.

Steve



Re: [c-nsp] ASA IPsec Tunnel Failover

2009-07-14 Thread Forrest, Michael E.
I was under the impression that there was no BGP support in the ASA platform, 
unless someone knows otherwise?

Michael.



The University of Aberdeen is a charity registered in Scotland, No SC013683.


Re: [c-nsp] ASA IPsec Tunnel Failover

2009-07-14 Thread A . L . M . Buxey
Hi,
> I was under the impression that there was no BGP support in the ASA platform,
> unless someone knows otherwise?

ah, ASAs and dynamic routing protocols...and you'll be wanting
those in multi-context mode too?  ;-)

alan



Re: [c-nsp] Maximum spanning tree instances

2009-07-14 Thread Geoffrey Pendery
Yes, but he also mentions MST, which has a much more restrictive limit.
As far as I've seen, 802.1s itself only allows 64 instances (see
http://en.wikipedia.org/wiki/Spanning_tree_protocol , or search for
the proper RFC docs)
But all the Cisco docs I've found this morning say they only support 16:
for example:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/spantree.html#wp1064097

I could have sworn I found stuff saying that our gear would support 64
of them, and we've been contemplating more than 40 in recent designs,
but I guess I'll have to validate in the lab whether it's actually 16
or 64 for our chassis and code.

So keep in mind that if you're moving from RPVST to MST, you're
talking about fewer instances, by necessity.


-Geoff




Re: [c-nsp] Maximum spanning tree instances

2009-07-14 Thread Jon Lewis

On Tue, 14 Jul 2009, Geoffrey Pendery wrote:

> So keep in mind that if you're moving from RPVST to MST, you're
> talking about fewer instances, by necessity.


But isn't that the whole point of MST?  Most of what I've read about it 
talks about doing setups where you only have 2 or 3 instances, with all 
your vlans in the 2nd and or 3rd instance.


--
 Jon Lewis   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


Re: [c-nsp] ASA IPsec Tunnel Failover

2009-07-14 Thread Jonathan Brashear
There's not as of yet.  OSPF, RIP, EIGRP, yes, BGP no. 


Network Engineer, JNCIS-M
 214-981-1954 (office) 
 214-642-4075 (cell)
 jbrash...@hq.speakeasy.net 
http://www.speakeasy.net


[c-nsp] ASA ssh difficulties

2009-07-14 Thread Jonathan Brashear
I'm a bit stumped on an issue I'm having with a particular 5505.  Originally it 
was inaccessible via ASDM or SSH, but after a reboot it began to allow access 
via ASDM.  However, SSH is still not working.  I've verified that the 
username/pass is correct (it works through the ASDM) and that SSH access is 
allowed from the relevant IP range (I get to a password prompt), but it refuses 
to accept known good passwords from multiple accounts.  It thinks the password 
is bad, but only when done via SSH.  I haven't run into this issue with other 
ASAs that are configured identically and I can login to the other ASAs from the 
same terminal window so it shouldn't be something to do with my terminal 
emulation.  Any thoughts on why this may be happening?

Network Engineer, JNCIS-M
 214-981-1954 (office) 
 214-642-4075 (cell)
 jbrash...@hq.speakeasy.net 
http://www.speakeasy.net


Re: [c-nsp] ASA ssh difficulties

2009-07-14 Thread Nick Griffin
Make sure ssh is set up for location authentication and possibly regenerate
your ssh keys; this is what I usually do:

! regenerate the RSA host key used by SSH (full spelling of the command)
crypto key generate rsa general-keys modulus 2048
! send every management path to the local user database; without the ssh
! line the ASA authenticates SSH logins against the built-in default
! username pix and the login (passwd) password, so local usernames fail
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL



Nick Griffin, CCIE #17381
Systems Consultant Alexander Open Systems
Direct 479.899.6830 ext 2609
AOS Scheduling - 417.888.2675



Re: [c-nsp] Maximum spanning tree instances

2009-07-14 Thread Gert Doering
Hi,

On Tue, Jul 14, 2009 at 09:26:13AM -0400, Jon Lewis wrote:
> But isn't that the whole point of MST?

We have found MST to be mostly pointless...

Too much hassle, too little gain

But then, we're a service provider environment, and there are hardly
two VLANs that share the same topology - which maps very poorly to MST
instances.  At the same time, there is a fairly high dynamic in adding
and removing VLANs, which is *quite* painful with MST instance 
mappings...

I just wish more vendors would see the light and implement rapid-PVSTP.

Or at least PVSTP, instead of "yes, we have VLANs, and a big global single
STP" (which is really useless).

gert

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025  g...@net.informatik.tu-muenchen.de


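An added example (not code from mb, Alan, Geoff or Gert) that ties the MST question near the top of this digest to the instance and virtual-port numbers argued about in this thread. It parses trunk allowed-VLAN lists in the form mb posted, counts PVST+ logical ports the way the per-slot limits Alan quoted count them (one per VLAN per trunk), groups VLANs that are allowed on exactly the same set of trunks, which is the "same topology" test Gert describes, into candidate MST instances, and emits the region configuration, refusing if the design needs more instances than the platform allows (16 per the Cisco document Geoff cites, 64 per 802.1s). The Gi0/1 block is mb's; Gi0/2 and Gi0/3 are hypothetical stand-ins for a client trunk and the trunk to the 7200, and the 16-instance default is an assumption to adjust for your code. On that sample it finds 48 PVST+ logical ports but only two topology groups, so two MST instances and four MST logical ports.

```python
import re
from collections import defaultdict
from typing import Dict, FrozenSet, List, Set

Trunks = Dict[str, Set[int]]              # interface -> allowed VLANs
Groups = Dict[FrozenSet[str], List[int]]  # set of trunks -> VLANs with that topology


def expand_vlan_list(spec: str) -> Set[int]:
    """IOS VLAN list syntax to a set: '112,172,550-552' -> {112,172,550,551,552}."""
    vlans: Set[int] = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


_ALLOWED_RE = re.compile(r"switchport trunk allowed vlan (?:(add|remove) )?(.+)$")


def parse_trunks(config: str) -> Trunks:
    """Map each interface with an explicit allowed-VLAN list to that set (plain,
    'add' and 'remove' forms). Trunks with no list are skipped; 'all'/'except'
    raise, since a trunk carrying every VLAN fits no single topology group."""
    trunks: Trunks = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split()[1]
            continue
        m = _ALLOWED_RE.match(line)
        if not m or current is None:
            continue
        verb, spec = m.group(1), m.group(2).strip()
        if spec == "all" or spec.startswith("except"):
            raise ValueError(f"{current}: unsupported allowed-vlan form '{spec}'")
        vl = set() if spec == "none" else expand_vlan_list(spec)
        if verb == "add":
            trunks.setdefault(current, set()).update(vl)
        elif verb == "remove":
            trunks.setdefault(current, set()).difference_update(vl)
        else:
            trunks[current] = vl
    return trunks


def pvst_logical_ports(trunks: Trunks) -> int:
    """PVST+/RPVST+: one STP instance per VLAN per trunk, the number the limits count."""
    return sum(len(v) for v in trunks.values())


def group_by_topology(trunks: Trunks) -> Groups:
    """VLANs allowed on exactly the same trunks share a topology: one MST instance each."""
    ports_of: Dict[int, Set[str]] = defaultdict(set)
    for port, vlans in trunks.items():
        for v in vlans:
            ports_of[v].add(port)
    groups: Dict[FrozenSet[str], List[int]] = defaultdict(list)
    for v, ports in ports_of.items():
        groups[frozenset(ports)].append(v)
    return {k: sorted(v) for k, v in groups.items()}


def mst_logical_ports(trunks: Trunks, groups: Groups) -> int:
    """Under MST a trunk is one logical port per instance it carries (IST not counted)."""
    return sum(sum(1 for g in groups.values() if allowed.intersection(g))
               for allowed in trunks.values())


def mst_config(groups: Groups, region: str, revision: int,
               max_instances: int = 16) -> List[str]:
    """Emit the MST region config, one instance per topology group, refusing
    designs that need more instances than the platform allows. Name, revision
    and the complete instance->VLAN map must match on every switch."""
    if len(groups) > max_instances:
        raise ValueError(f"{len(groups)} topology groups exceed {max_instances} MST instances")
    lines = ["spanning-tree mode mst", "spanning-tree mst configuration",
             f" name {region}", f" revision {revision}"]
    # Number instances by sorted trunk set so the same config always yields the
    # same mapping, and therefore the same region digest on every switch.
    for n, (_, vlans) in enumerate(sorted(groups.items(), key=lambda kv: sorted(kv[0])), 1):
        lines.append(f" instance {n} vlan {','.join(map(str, vlans))}")
    return lines


# Constructed sample: Gi0/1 is the block mb posted; Gi0/2 (a client L2 trunk)
# and Gi0/3 (the trunk to the 7200) are hypothetical stand-ins.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description GIGE_ICAP_INTERNETCONNECT_TO_PROVIDER_A
 switchport trunk allowed vlan 112,172,208,211,240,309,315,385,537,547,550-552
 switchport trunk allowed vlan add 554,623,635,687,690,694,696,697,867,879,980
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport trunk allowed vlan 112,172,550-552
 switchport mode trunk
!
interface GigabitEthernet0/3
 switchport trunk allowed vlan 208,211,240,309,315,385,537,547,554,623
 switchport trunk allowed vlan add 635,687,690,694,696,697,867,879,980
 switchport mode trunk
"""
```

The operational cost Gert points at is visible in mst_config: the region name, revision and the whole instance-to-VLAN map have to be identical on every switch, so adding one VLAN means re-pushing the mapping everywhere, and a switch with a different mapping silently becomes its own region. VLANs not mapped to an instance fall into instance 0 (the IST), which is fine only if they really do share its topology.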

Re: [c-nsp] ASA ssh difficulties

2009-07-14 Thread Nick Griffin
sorry, location = local :)



Re: [c-nsp] ASA ssh difficulties

2009-07-14 Thread Justin Krejci
If you provide your aaa configuration we might be able to assist like the
output from these commands (assuming you have console access)

show run aaa
show run aaa-server

I am not very familiar with ASDM so I don't know where the aaa config lives
in ASDM but certainly you'll want to look around in that part.



Re: [c-nsp] Maximum spanning tree instances

2009-07-14 Thread Geoffrey Pendery
Indeed, but the original question asked was about the instance
limitations, and all the responses thrown out are in the 1000-4000
range, discussing virtual interfaces and RPVST.  Nobody seems to have
answered the fairly simple initial question.  I think that answer is
either 16 or 64, depending on your code.

The separate question of do you really need all 1000 of those
instances is a design debate which could be had at length, and would
likely come out different depending on the underlying network design
and requirements.

At least in the case of the enterprise where I work, the whole point
of MST is that it's a proper open standard, rather than one of those
super scary Cisco Proprietary Protocols.


-Geoff




Re: [c-nsp] cisco-nsp Digest, Vol 80, Issue 49

2009-07-14 Thread Digambar. Giri
Dear friends
please provide IPswitch Whatsup gold 11 serial key NMs...


On 7/14/09, cisco-nsp-requ...@puck.nether.net 
cisco-nsp-requ...@puck.nether.net wrote:

 Send cisco-nsp mailing list submissions to
cisco-nsp@puck.nether.net

 To subscribe or unsubscribe via the World Wide Web, visit
https://puck.nether.net/mailman/listinfo/cisco-nsp
 or, via email, send a message with subject or body 'help' to
cisco-nsp-requ...@puck.nether.net

 You can rDAr each the person managing the list at
cisco-nsp-ow...@puck.nether.net

 When replying, please edit your Subject line so it is more specific
 than Re: Contents of cisco-nsp digest...


 Today's Topics:

   1. Re: Software Download Area is Unavailable at this time
  (Gert Doering)
   2. Block URL ACCESS LIST (Mohammad Khalil)
   3. Re: multiple vlans on a port (Gert Doering)
   4. Re: Block URL ACCESS LIST (mas...@nexlinx.net.pk)
   5. Re: IPv6 iBGP Route Reflector (Steve Bertrand)
   6. Re: ASA IPsec Tunnel Failover (Forrest, Michael E.)
   7. Re: ASA IPsec Tunnel Failover (a.l.m.bu...@lboro.ac.uk)
   8. Re: Maximum spannig tree instances (Geoffrey Pendery)


 --

 Message: 1
 Date: Tue, 14 Jul 2009 10:56:48 +0200
 From: Gert Doering g...@greenie.muc.de
 To: Phil Mayers p.may...@imperial.ac.uk
 Cc: Gert Doering g...@greenie.muc.de, cisco-nsp@puck.nether.net
cisco-nsp@puck.nether.net,Jared Mauch ja...@puck.nether.net
 Subject: Re: [c-nsp] Software Download Area is Unavailable at this
time
 Message-ID: 20090714085648.gd...@greenie.muc.de
 Content-Type: text/plain; charset=us-ascii

 Hi,

 On Tue, Jul 14, 2009 at 09:16:23AM +0100, Phil Mayers wrote:
  But can I just make a recommendation to everyone here: next time you go
  out to competitive tender, specify the nature of docs  software
  availability. List HTTP downloads without client software or plugins
  as a mandatory requirement.

 While this is a nice idea to cause some pressure, I can't see it as
 overly realistic - if I have a router A that will fulfill everything
 that we need, and a router B that will only do 80% and at the same
 time costs 20% more, but has a better company web interface, I think it's
 very unlikely that their web download thingie will be change our
 decision.

 (Besides, most competitors web sites and software download processes are
 even worse)

 gert
 --
 USENET is *not* the non-clickable part of WWW!
   //
 www.muc.de/~gert/
 Gert Doering - Munich, Germany
 g...@greenie.muc.de
 fax: +49-89-35655025
 g...@net.informatik.tu-muenchen.de

 --

 Message: 2
 Date: Tue, 14 Jul 2009 12:48:52 +0300
 From: Mohammad Khalil eng_m...@hotmail.com
 To: cisco-nsp@puck.nether.net
 Subject: [c-nsp] Block URL ACCESS LIST
 Message-ID: blu102-w20d319d228a429d7f5b1f9fa...@phx.gbl
 Content-Type: text/plain; charset=windows-1256


 how can i block url using access-list ?

 _
 Drag n' drop. Get easy photo sharing with Windows Live Photos.

 http://www.microsoft.com/windows/windowslive/products/photos.aspx

 --

 Message: 3
 Date: Tue, 14 Jul 2009 11:49:11 +0200
 From: Gert Doering g...@greenie.muc.de
 To: Matthew Huff mh...@ox.com
 Cc: cisco-nsp@puck.nether.net cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] multiple vlans on a port
 Message-ID: 20090714094911.gh...@greenie.muc.de
 Content-Type: text/plain; charset=us-ascii

 Hi,

 On Mon, Jul 13, 2009 at 06:38:23PM -0400, Matthew Huff wrote:
  Also, with 802.1q framing, you might run into fragmentation on
  the non-native VLANs. You may want to adjust the MTU on the virtual
  machines if Linux doesn't do it automatically.

 There are a few broken NIC cards on the Linux side that have issues
 with baby-jumbo packets (1500 + 4 byte for 802.1q header).  Decent
 gear - and that's what you want to use on a *server* - doesn't have
 any issues there.

 And, just to clarify: *If* you have MTU problems due to 802.1q headers,
 you will not see fragmentation.  You'll see black-holing, because the
 stack will not know about the MTU issue, and thus won't even think
 about fragmentation.  (Fragmentation happens if there is a link on
 the path that has smaller L3 MTU than the packet's sender - but in this
 scenario, the L3 endpoints assume 1500, while the L2 link cannot handle
 this.  Black hole).

 gert
 --
 USENET is *not* the non-clickable part of WWW!
   //
 www.muc.de/~gert/
 Gert Doering - Munich, Germany
 g...@greenie.muc.de
 fax: +49-89

[c-nsp] High CPU Usage

2009-07-14 Thread Jeremy Parr
I have a 2600 doing some GRE tunnel aggregation with IPSEC and a
AIM-VPN. The CPU is consistently at 95%+, but none of the running
processes are using nearly that much CPU. Is there some other place I
should be looking?

#sh processes cpu sorted
CPU utilization for five seconds: 99%/61%; one minute: 99%; five minutes: 98%
 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
  70   163085876  24727077   6595 15.31% 16.49% 14.22%   0 IP Input
 146    42276796   9771758   4326  8.24%  8.66%  7.46%   0 Crypto Support
 169    38417520   7286822   5272  5.22%  4.94%  5.12%   0 Crypto PAS Proc
   6    21018268   2714504   7742  4.05%  4.99%  4.24%   0 Pool Manager
  54       65680      2206  29773  2.20%  0.71%  1.20%  66 SSH Process
 190     5281352   6682003    790  0.48%  0.47%  0.45%   0 IP-EIGRP: HELLO
 121     1163120   7759419    149  0.24%  0.16%  0.13%   0 RBSCP Background
  95      709328   1161174    610  0.16%  0.07%  0.06%   0 CEF process
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] ASA ssh difficulties

2009-07-14 Thread Tom Sutherland
If you're trying to connect to the outside interface, be certain that
you aren't NAT'ing the ASA's public address to some inside host. The
one-to-one mapping overrides the ssh/http servers IIRC.

On Tue, 2009-07-14 at 10:05 -0400, Jonathan Brashear wrote:
 I'm a bit stumped on an issue I'm having with a particular 5505.  Originally 
 it was inaccessible via ASDM or SSH, but after a reboot it began to allow 
 access via ASDM.  However, SSH is still not working.  I've verified that the 
 username/pass is correct(it works through the ASDM) and that SSH access is 
 allowed from the relevant IP range(I get to a password prompt), but it 
 refuses to accept known good passwords from multiple accounts.  It thinks the 
 password is bad, but only when done via SSH.  I haven't run into this issue 
 with other ASAs that are configured identically and I can login to the other 
 ASAs from the same terminal window so it shouldn't be something to do with my 
 terminal emulation.  Any thoughts on why this may be happening?
 
 Network Engineer, JNCIS-M
  214-981-1954 (office) 
  214-642-4075 (cell)
  jbrash...@hq.speakeasy.net 
 http://www.speakeasy.net
 ___
 cisco-nsp mailing list  cisco-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/cisco-nsp
 archive at http://puck.nether.net/pipermail/cisco-nsp/

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Software Download Area is Unavailable at this time

2009-07-14 Thread Jared Mauch

Via a tac case and my account team.

Jared Mauch

On Jul 14, 2009, at 2:33 AM, Gert Doering g...@greenie.muc.de wrote:


Hi,

On Mon, Jul 13, 2009 at 06:21:39PM -0400, Jared Mauch wrote:

   They are now claiming the site is fixed, but I'm asking for a RFO
and what their maint policy is on the website.  If my bank can tell
me when they do maint, I would hope that Cisco can.


Where are you asking for the RFO?  I have not found a way to contact the
folks responsible for breaking^Wrunning the WWW and FTP servers yet.

(And I have serious doubts that you'll get an answer...)

gert
--
USENET is *not* the non-clickable part of WWW!
  // 
www.muc.de/~gert/

Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025  g...@net.informatik.tu-muenchen.de

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] cisco-nsp Digest, Vol 80, Issue 49

2009-07-14 Thread Matlock, Kenneth L
The serial numbers can be found here:

http://www.whatsupgold.com/


Ken Matlock
Network Analyst
Exempla Healthcare
(303) 467-4671
matlo...@exempla.org



-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Digambar. Giri
Sent: Tuesday, July 14, 2009 8:29 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] cisco-nsp Digest, Vol 80, Issue 49

Dear friends
please provide IPswitch Whatsup gold 11 serial key NMs...



Re: [c-nsp] Maximum spannig tree instances

2009-07-14 Thread Gert Doering
Hi,

On Tue, Jul 14, 2009 at 09:24:56AM -0500, Geoffrey Pendery wrote:
 At least in the case of the enterprise where I work, the whole point
 of MST is that it's a proper open standard, rather than one of those
 super scary Cisco Proprietary Protocols.

Nothing in (rapid) PVSTP is super scary cisco proprietary.

It's just logical thinking - you have VLANs, you have STP, you need to
combine them to make it work in a useful way.  Result: PVSTP.  

I was more than astonished to find that other vendors still ship boxes 
with single-STP, and sell this as a feature.

<rant>
MST is what comes out if vendor committees get together, and agree to
implement the least common determinator in the most complicated way.
</rant>

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025  g...@net.informatik.tu-muenchen.de


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] Maximum spannig tree instances

2009-07-14 Thread sthaug
 We have found MST to be mostly pointless...
 
 Too much hassle, too little gain
 
 But then, we're a service provider environment, and there are hardly
 two VLANs that share the same topology - which maps very poorly to MST
 instances.  At the same time, there is a fairly high dynamic in adding
 and removing VLANs, which is *quite* painful with MST instance 
 mappings...

Depends on how you build your networks. If you build ring structures, I
can see how MST would be useful. We build ring structures but have chosen
the EAPS route instead.

 I just wish more vendors would see the light and implement rapid-PVSTP.

Rapid per VLAN spanning tree has scaling limitations in many environments.
Which is why some people go with MST instead.

Steinar Haug, Nethelp consulting, sth...@nethelp.no
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] High CPU Usage

2009-07-14 Thread Ian MacKinnon
I haven't used a 2600 for a while, but I seem to remember they don't have a lot 
of grunt.

Your sh proc cpu shows 61% interrupt, there is a good guide for tracking down 
causes on the Cisco site somewhere (fx: googles) 
http://www.cisco.com/en/US/products/hw/routers/ps133/products_tech_note09186a00800a70f2.shtml


Check your interfaces for promiscuous mode, as that means every packet 
generates an interrupt.

Don't know if your IPSEC will be generating an interrupt when a packet hits the 
outgoing interface in order to do the encapsulation.

Ian



-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jeremy Parr
Sent: 14 July 2009 15:43
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] High CPU Usage

I have a 2600 doing some GRE tunnel aggregation with IPSEC and a
AIM-VPN. The CPU is consistently at 95%+, but none of the running
processes are using nearly that much CPU. Is there some other place I
should be looking?

#sh processes cpu sorted
CPU utilization for five seconds: 99%/61%; one minute: 99%; five minutes: 98%
 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
  70   163085876  24727077   6595 15.31% 16.49% 14.22%   0 IP Input
 146    42276796   9771758   4326  8.24%  8.66%  7.46%   0 Crypto Support
 169    38417520   7286822   5272  5.22%  4.94%  5.12%   0 Crypto PAS Proc
   6    21018268   2714504   7742  4.05%  4.99%  4.24%   0 Pool Manager
  54       65680      2206  29773  2.20%  0.71%  1.20%  66 SSH Process
 190     5281352   6682003    790  0.48%  0.47%  0.45%   0 IP-EIGRP: HELLO
 121     1163120   7759419    149  0.24%  0.16%  0.13%   0 RBSCP Background
  95      709328   1161174    610  0.16%  0.07%  0.06%   0 CEF process
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] High CPU Usage

2009-07-14 Thread Roland Dobbins


On Jul 14, 2009, at 9:42 PM, Jeremy Parr wrote:

 CPU utilization for five seconds: 99%/61%; one minute: 99%; five minutes: 98%

It's the 61%, which indicates interrupt-driven CPU (corresponds with
the high IP Input process %).

Packets being punted at a relatively high pps rate; do you have
NetFlow enabled in order to characterize your traffic?  Is the AIM in
fact handling your GRE tunnels, or is the GRE traffic being handled in
software on the CPU?


---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

Unfortunately, inefficiency scales really well.

   -- Kevin Lawton

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
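Roland's reading of the 99%/61% line, and Jeremy's observation that the per-process percentages never get anywhere near the headline number, can be checked mechanically rather than by eye. The following is an added example, not code from the thread: it parses the `show processes cpu sorted` output Jeremy posted (re-typed below as a constructed sample with the columns realigned), splits the five-second figure into interrupt-level and process-level share, sums what the scheduler actually attributes to processes, and ranks them. The function names and the verdict strings are the example's own.

```python
"""Separate interrupt-level from process-level CPU in IOS 'show processes cpu'.

Added example, not from the mailing-list post. The sample below is the output
from the thread, re-typed with the columns realigned (constructed sample text).
"""
import re

SAMPLE = """\
CPU utilization for five seconds: 99%/61%; one minute: 99%; five minutes: 98%
 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
  70   163085876  24727077   6595 15.31% 16.49% 14.22%   0 IP Input
 146    42276796   9771758   4326  8.24%  8.66%  7.46%   0 Crypto Support
 169    38417520   7286822   5272  5.22%  4.94%  5.12%   0 Crypto PAS Proc
   6    21018268   2714504   7742  4.05%  4.99%  4.24%   0 Pool Manager
  54       65680      2206  29773  2.20%  0.71%  1.20%  66 SSH Process
 190     5281352   6682003    790  0.48%  0.47%  0.45%   0 IP-EIGRP: HELLO
 121     1163120   7759419    149  0.24%  0.16%  0.13%   0 RBSCP Background
  95      709328   1161174    610  0.16%  0.07%  0.06%   0 CEF process
"""

# "total%/interrupt%" on the header line: the second number is time spent
# in interrupt context (packet switching), which is never charged to a PID.
HEADER_RE = re.compile(
    r"CPU utilization for five seconds: (\d+)%/(\d+)%; "
    r"one minute: (\d+)%; five minutes: (\d+)%"
)
# PID, runtime, invoked, usecs, 5sec, 1min, 5min, tty, process name
PROC_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"
    r"([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+(\d+)\s+(.+?)\s*$"
)


def parse_show_proc_cpu(text):
    """Return (summary dict, list of process dicts) for one command output."""
    summary = None
    procs = []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            total5, intr5, one, five = (int(x) for x in m.groups())
            summary = {
                "total_5s": total5,
                "interrupt_5s": intr5,
                "process_5s": total5 - intr5,   # budget left for scheduled processes
                "one_min": one,
                "five_min": five,
            }
            continue
        m = PROC_RE.match(line)
        if m and summary is not None:
            procs.append({
                "pid": int(m.group(1)),
                "five_sec": float(m.group(5)),
                "one_min": float(m.group(6)),
                "five_min": float(m.group(7)),
                "name": m.group(9),
            })
    if summary is None:
        raise ValueError("no 'CPU utilization' header found")
    return summary, procs


def diagnose(text, top=3):
    """Classify the box as interrupt-bound or process-bound and rank processes."""
    summary, procs = parse_show_proc_cpu(text)
    proc_sum = round(sum(p["five_sec"] for p in procs), 2)
    # Per-process numbers can only ever account for total minus interrupt;
    # whatever is left is scheduler overhead and rounding, not a hidden process.
    unaccounted = round(summary["process_5s"] - proc_sum, 2)
    ranked = sorted(procs, key=lambda p: p["five_sec"], reverse=True)
    if summary["interrupt_5s"] > summary["process_5s"]:
        verdict = "interrupt-bound: check switching path, punts, fragmentation"
    else:
        verdict = "process-bound: look at the top processes"
    return {
        "total": summary["total_5s"],
        "interrupt": summary["interrupt_5s"],
        "process_budget": summary["process_5s"],
        "process_sum": proc_sum,
        "unaccounted": unaccounted,
        "top": [(p["name"], p["five_sec"]) for p in ranked[:top]],
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE).items():
        print(f"{key:15} {value}")
```

On Jeremy's output the listed processes sum to about 36% against a 38% process budget, so nothing is missing from the process table; the other 61% is the interrupt share, which is where Rodney's `sh ip traffic` fragmentation check and Roland's NetFlow question come in next.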


Re: [c-nsp] Maximum spannig tree instances

2009-07-14 Thread Gert Doering
Hi,

On Tue, Jul 14, 2009 at 05:03:44PM +0200, sth...@nethelp.no wrote:
  I just wish more vendors would see the light and implement rapid-PVSTP.
 
 Rapid per VLAN spanning tree has scaling limitations in many environments.
 Which is why some people go with MST instead.

Usually they claim it's Cisco proprietary, MST is a proper standard
instead.

We have lots of customer setups with ~ 3-4 VLANs each, two of these connecting
to our gear (management network and external/production network) and the 
rest spread across a wild mix of different switch vendors, some of them 
not even getting MST right.  Fun to debug.  NOT.

MST seems too complex for an average coder to get right...  (it's definitely
too complex for your average network admin).

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025  g...@net.informatik.tu-muenchen.de


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] High CPU Usage

2009-07-14 Thread Rodney Dunn
'sh ip traffic' and look for fragmentation issues.

The #1 cause of high ip input CPU in tunnel environments.

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml

Rodney

On Tue, Jul 14, 2009 at 10:42:51AM -0400, Jeremy Parr wrote:
 I have a 2600 doing some GRE tunnel aggregation with IPSEC and a
 AIM-VPN. The CPU is consistently at 95%+, but none of the running
 processes are using nearly that much CPU. Is there some other place I
 should be looking?
 
 #sh processes cpu sorted
 CPU utilization for five seconds: 99%/61%; one minute: 99%; five minutes: 98%
  PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
   70   163085876  24727077   6595 15.31% 16.49% 14.22%   0 IP Input
  146    42276796   9771758   4326  8.24%  8.66%  7.46%   0 Crypto Support
  169    38417520   7286822   5272  5.22%  4.94%  5.12%   0 Crypto PAS Proc
    6    21018268   2714504   7742  4.05%  4.99%  4.24%   0 Pool Manager
   54       65680      2206  29773  2.20%  0.71%  1.20%  66 SSH Process
  190     5281352   6682003    790  0.48%  0.47%  0.45%   0 IP-EIGRP: HELLO
  121     1163120   7759419    149  0.24%  0.16%  0.13%   0 RBSCP Background
   95      709328   1161174    610  0.16%  0.07%  0.06%   0 CEF process
 ___
 cisco-nsp mailing list  cisco-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/cisco-nsp
 archive at http://puck.nether.net/pipermail/cisco-nsp/
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Maximum spannig tree instances

2009-07-14 Thread Jon Lewis

On Tue, 14 Jul 2009, Gert Doering wrote:


On Tue, Jul 14, 2009 at 09:26:13AM -0400, Jon Lewis wrote:

But isn't that the whole point of MST?


We have found MST to be mostly pointless...

Too much hassle, too little gain


So do you just do rapid-pvst and limit which VLANs are allowed on all 
trunk ports?  I know you're not a fan of VTP, and I suppose this may be 
another reason.  Even with the trunks limiting which VLANs get through, 
VTP still creates all the vlans on all the switches, and in a PVST setup, 
they run a spanning tree instance for each VLAN, even if they aren't 
really participating in the VLAN.



two VLANs that share the same topology - which maps very poorly to MST
instances.  At the same time, there is a fairly high dynamic in adding
and removing VLANs, which is *quite* painful with MST instance
mappings...


I've wondered about that...if we were to move to MST, we're going to have 
to assign every VLAN to an MST instance, which could get messy.


Maybe it is time to just turn off VTP and manually create VLANs only where 
they're needed, in which case we'll only have to worry about the number of 
PVST instances on the central 6509s, as there's no way we'd run up to 128 
VLANs on a 3550.  We've actually never done VTP on the 6500s...only on the 
3550s.  I figured if VTP ever did blow up, I didn't want it blowing on the 
central switches...just the edges.



--
 Jon Lewis   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] High CPU Usage

2009-07-14 Thread masood
because it's interrupt level work the CPU is doing. you can try
profiling the CPU and see what it says.

can u get a couple of sh stacks and look at the interrupt level calls and
see which one is going up the most.

Regards,
Masood

 I have a 2600 doing some GRE tunnel aggregation with IPSEC and a
 AIM-VPN. The CPU is consistently at 95%+, but none of the running
 processes are using nearly that much CPU. Is there some other place I
 should be looking?

 #sh processes cpu sorted
 CPU utilization for five seconds: 99%/61%; one minute: 99%; five minutes: 98%
  PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
   70   163085876  24727077   6595 15.31% 16.49% 14.22%   0 IP Input
  146    42276796   9771758   4326  8.24%  8.66%  7.46%   0 Crypto Support
  169    38417520   7286822   5272  5.22%  4.94%  5.12%   0 Crypto PAS Proc
    6    21018268   2714504   7742  4.05%  4.99%  4.24%   0 Pool Manager
   54       65680      2206  29773  2.20%  0.71%  1.20%  66 SSH Process
  190     5281352   6682003    790  0.48%  0.47%  0.45%   0 IP-EIGRP: HELLO
  121     1163120   7759419    149  0.24%  0.16%  0.13%   0 RBSCP Background
   95      709328   1161174    610  0.16%  0.07%  0.06%   0 CEF process
 ___
 cisco-nsp mailing list  cisco-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/cisco-nsp
 archive at http://puck.nether.net/pipermail/cisco-nsp/



___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Maximum spannig tree instances

2009-07-14 Thread Geoffrey Pendery
Like Gert, I much prefer to have the system running un-needed
instances as the tradeoff for not having to design and manage instance
topology, and couple VLANs together, causing TCNs/blocking on VLANs
which haven't experienced any disruption.

I've wondered about that...if we were to move to MST, we're going to
have to assign every VLAN to an MST instance, which could get messy.

That's exactly why I was warning about the 16/64 instance limit.  This
was my mindset when moving from PVST to MST, and I suspect there are
many others out there thinking this way.  But if you have more than 64
VLANs, you can't do that.  You'll have to look at their topology and
try to map them into a limited number of instances.  Most of the IOS
docs I've found say 16, not 64, but I have yet to test that out in the
lab.

Gert,

I think we mostly agree, and my sarcasm about the scary proprietary
bit didn't come across.
It's our management/architects here who are vehemently against the
Cisco Proprietary stuff; I just live with their edicts.
But then again, your statement that RPVST isn't proprietary is wrong,
and the statement that it's not scary tells me you've never tried to
plug it into an Enterasys core...
; )



-Geoff



On Tue, Jul 14, 2009 at 10:16 AM, Jon Lewis jle...@lewis.org wrote:
 On Tue, 14 Jul 2009, Gert Doering wrote:

 On Tue, Jul 14, 2009 at 09:26:13AM -0400, Jon Lewis wrote:

 But isn't that the whole point of MST?

 We have found MST to be mostly pointless...

 Too much hassle, too little gain

 So do you just do rapid-pvst and limit which VLANs are allowed on all trunk
 ports?  I know you're not a fan of VTP, and I suppose this may be another
 reason.  Even with the trunks limiting which VLANs get through, VTP still
 creates all the vlans on all the switches, and in a PVST setup, they run a
 spanning tree instance for each VLAN, even if they aren't really
 participating in the VLAN.

 two VLANs that share the same topology - which maps very poorly to MST
 instances.  At the same time, there is a fairly high dynamic in adding
 and removing VLANs, which is *quite* painful with MST instance
 mappings...

 I've wondered about that...if we were to move to MST, we're going to have to
 assign every VLAN to an MST instance, which could get messy.

 Maybe it is time to just turn off VTP and manually create VLANs only where
 they're needed, in which case we'll only have to worry about the number of
 PVST instances on the central 6509s, as there's no way we'd run up to 128
 VLANs on a 3550.  We've actually never done VTP on the 6500s...only on the
 3550s.  I figured if VTP ever did blow up, I didn't want it blowing on the
 central switches...just the edges.


 --
  Jon Lewis                   |  I route
  Senior Network Engineer     |  therefore you are
  Atlantic Net                |
 _ http://www.lewis.org/~jlewis/pgp for PGP public key_

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] ASA ssh difficulties

2009-07-14 Thread Tillinger, Steve
Have you tried 'pix' as the username?


-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Nick Griffin
Sent: Tuesday, July 14, 2009 10:16 AM
To: Jonathan Brashear
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASA ssh difficulties

sorry, location = local :)

On Tue, Jul 14, 2009 at 9:15 AM, Nick Griffin nick.jon.grif...@gmail.com wrote:

 Make sure ssh is setup for location authentication and possibly 
 regenerate your ssh keys:
 this is what I usually do:

 crypto key generate rsa general modul 2048

 aaa authentication telnet console LOCAL

 aaa authentication ssh console LOCAL

 aaa authentication http console LOCAL

 aaa authentication serial console LOCAL



 Nick Griffin, CCIE #17381
 Systems Consultant Alexander Open Systems Direct 479.899.6830 ext 2609

 AOS Scheduling - 417.888.2675

 On Tue, Jul 14, 2009 at 9:05 AM, Jonathan Brashear  
 jonathan.brash...@hq.speakeasy.net wrote:

 I'm a bit stumped on an issue I'm having with a particular 5505.
 Originally it was inaccessible via ASDM or SSH, but after a reboot
 it began to allow access via ASDM.  However, SSH is still not
 working.  I've verified that the username/pass is correct (it works
 through the ASDM) and that SSH access is allowed from the relevant IP
 range (I get to a password prompt), but it refuses to accept known
 good passwords from multiple accounts.  It thinks the password is
 bad, but only when done via SSH.  I haven't run into this issue with
 other ASAs that are configured identically and I can login to the
 other ASAs from the same terminal window so it shouldn't be something
 to do with my terminal emulation.  Any thoughts on why this may be
 happening?

 Network Engineer, JNCIS-M
  214-981-1954 (office)
  214-642-4075 (cell)
  jbrash...@hq.speakeasy.net
 http://www.speakeasy.net
 ___
 cisco-nsp mailing list  cisco-nsp@puck.nether.net 
 https://puck.nether.net/mailman/listinfo/cisco-nsp
 archive at http://puck.nether.net/pipermail/cisco-nsp/



___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Maximum spannig tree instances

2009-07-14 Thread sthaug
 MST is what comes out if vendor committees get together, and agree to
 implement the least common determinator in the most complicated way.

Which is part of the attraction of something like EAPS: It may have its
warts, but compared to MST it's extremely simple. I assume REP would
offer the same simplicity...

Steinar Haug, Nethelp consulting, sth...@nethelp.no
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Maximum spannig tree instances

2009-07-14 Thread Jon Lewis

On Tue, 14 Jul 2009, Geoffrey Pendery wrote:


I've wondered about that...if we were to move to MST, we're going to
have to assign every VLAN to an MST instance, which could get messy.

That's exactly why I was warning about the 16/64 instance limit.  This
was my mindset when moving from PVST to MST, and I suspect there are
many others out there thinking this way.  But if you have more than 64
VLANs, you can't do that.  You'll have to look at their topology and


That's not what I meant.  I just meant we'd have to decide which instance 
(of likely just a few of them) to assign every VLAN to...as every VLAN has 
to be assigned to some instance.  I should setup a lab of switches again 
and play around with MST.  IIRC, the docs I've read about MST on cisco.com 
generally split up the VLANs between MST instances 2 and 3.


--
 Jon Lewis   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Maximum spannig tree instances

2009-07-14 Thread Gert Doering
Hi,

On Tue, Jul 14, 2009 at 11:16:57AM -0400, Jon Lewis wrote:
 On Tue, 14 Jul 2009, Gert Doering wrote:
 On Tue, Jul 14, 2009 at 09:26:13AM -0400, Jon Lewis wrote:
 But isn't that the whole point of MST?
 
 We have found MST to be mostly pointless...
 
 Too much hassle, too little gain
 
 So do you just do rapid-pvst and limit which VLANs are allowed on all 
 trunk ports?  

Yes.

Most of our VLANs are actually quite short reach, that is, they
are distributed like this

 ISP Router A (6500) == ISP Switch A (6500) -- CustomerX Switch A -- Hosts
       ||                    ||                      |
 ISP Router B (6500) == ISP Switch B (3550) -- CustomerX Switch B -- Hosts

(leave off row B for non-VRRP customers.  Double lines are trunks,
single lines are single-VLAN access ports)

There's an insane amount of switches and trunks, but most VLANs really
span only 3 (standard case) or 6 (HSRP/VRRP) devices.


The trunks between ISP Router and ISP Switch are pre-configured,
the links between ISP Switch and customer switch get configured
on-demand (from the VLAN range designated to ISP Switch A)


 I know you're not a fan of VTP, and I suppose this may be 
 another reason.  Even with the trunks limiting which VLANs get through, 
 VTP still creates all the vlans on all the switches, and in a PVST setup, 
 they run a spanning tree instance for each VLAN, even if they aren't 
 really participating in the VLAN.

Yes, this would kill us immediately.  ISP Switch A could, theoretically,
have about 350 active VLANs (one VLAN per port, 7 blades x 48 ports),
while ISP Switch B would choke on more than 64...

ISP Router A is linked to 4 different 6500 distribution switches, and
could end up with more than 1000 active VLANs (in reality it doesn't, 
due to physical space constraints in this building :) ).


 two VLANs that share the same topology - which maps very poorly to MST
 instances.  At the same time, there is a fairly high dynamic in adding
 and removing VLANs, which is *quite* painful with MST instance
 mappings...
 
 I've wondered about that...if we were to move to MST, we're going to have 
 to assign every VLAN to an MST instance, which could get messy.
 
 Maybe it is time to just turn off VTP and manually create VLANs only where 
 they're needed, in which case we'll only have to worry about the number of 
 PVST instances on the central 6509s, as there's no way we'd run up to 128 
 VLANs on a 3550.  

Yep, this is what we do.  VLANs are really only created where they are
needed (some ranges are pre-created, others on-demand).

switchport trunk allowed vlan *ADD* 1234

is one of our favourites, tho... :-)

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de



Re: [c-nsp] Maximum spannig tree instances

2009-07-14 Thread Jon Lewis

On Tue, 14 Jul 2009, Gert Doering wrote:


Yep, this is what we do.  VLANs are really only created where they are
needed (some ranges are pre-created, others on-demand).

switchport trunk allowed vlan *ADD* 1234

is one of our favourites, tho... :-)


I've been reluctant to roll that out on all the trunks due to the damage 
that could be caused if someone got careless and dropped the 'add' while 
adding a new VLAN to a trunk.


--
 Jon Lewis   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


Re: [c-nsp] High CPU Usage

2009-07-14 Thread Andrea Montefusco

Jeremy Parr wrote:

I have a 2600 doing some GRE tunnel aggregation with IPSEC and a
AIM-VPN. The CPU is consistently at 95%+, but none of the running
processes are using nearly that much CPU. Is there some other place I
should be looking?


If you have ethernet interface(s) in trunk, check that (on the switch side)
only the right VLANs are enabled on the switch ports.
In Catalyst you should have, under the trunk port, an instruction like

switchport trunk allowed vlan x,y,z

where x,y,z are the VLAN IDs defined/useful on the router side.
Otherwise all the broadcast traffic of every VLAN
hits the router anyway and the CPU climbs.

  *am*



Re: [c-nsp] Maximum spannig tree instances

2009-07-14 Thread Gert Doering
Hi,

On Tue, Jul 14, 2009 at 11:51:26AM -0400, Jon Lewis wrote:
 On Tue, 14 Jul 2009, Gert Doering wrote:
 
 Yep, this is what we do.  VLANs are really only created where they are
 needed (some ranges are pre-created, others on-demand).
 
 switchport trunk allowed vlan *ADD* 1234
 
 is one of our favourites, tho... :-)
 
 I've been reluctant to roll that out on all the trunks due to the damage 
 that could be caused if someone got careless and dropped the 'add' while 
 adding a new VLAN to a trunk.

Yes :(

For most trunks, we use pre-configured ranges (vlan 100-999 go to 
dist switch 1, 1000-1499 to dist switch 2, 1500-1999 to dist switch 3),
but occasionally we need to do an odd one - and indeed, mistakes happen.

Mmmmh.  If one does TACACS command authentication, one could investigate
whether disallowing the without-add/-delete form of the command via
TACACS works...

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de



Re: [c-nsp] Maximum spannig tree instances

2009-07-14 Thread A . L . M . Buxey
Hi,

 Rapid per VLAN spanning tree has scaling limitations in many environments.
 Which is why some people go with MST instead.

we hit the PVST limits so moved to RPVST... once we
hit those limits we're sure to be going to MST ;-)

alan


Re: [c-nsp] ASA IPsec Tunnel Failover

2009-07-14 Thread A . L . M . Buxey
Hi,
 There's not as of yet.  OSPF, RIP, EIGRP, yes, BGP no. 

ISIS  ? stares blankly at the development team.

alan


[c-nsp] c877 and ntp oddness

2009-07-14 Thread David Freedman
Have a bizarre NTP issue with 877 routers running 12.4(T) train.

Have a simple network setup such:


   [HUB]---[S2 NTPD]--[S1 NTPD]
  /  |  \
[S] [S] [S]


A private hub/spoke network where hub is 7200 and spokes are the 877
routers in question.

Connected to the hub router is a freebsd box running latest build ntpd
(recently upgraded) which is happily serving other clients as a stratum
2 box.

A large percentage of the 87x routers will sync happily with the S2 box
and stay in sync with it for their lifetimes.

a small percentage sync initially but then lose sync after 10 minutes.

On the happy boxes:


#sh ntp assoc

address         ref clock     st   when   poll reach  delay  offset    disp
*~S2            S1             2     28    512   377    8.5    0.13     7.5


on the sad boxes:

#sh ntp assoc

address         ref clock     st   when   poll reach  delay  offset    disp
~S2             S1             2     43     64   377  0.000 134559.   1938.5


#sh ntp assoc det
S2 configured, insane, invalid, stratum 2
ref ID S1  , time CE071C7B.D722D2EE (16:02:19.840 BST Tue Jul 14 2009)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 15.53, reach 377, sync dist 2.38
delay 0.00 msec, offset 134559.7237 msec, dispersion 1938.59
precision 2**18, version 4
org time CE071F24.C3B751E7 (16:13:40.764 BST Tue Jul 14 2009)
rec time CE071E9D.B07AD5A3 (16:11:25.689 BST Tue Jul 14 2009)
xmt time CE071E9D.A8FD405C (16:11:25.660 BST Tue Jul 14 2009)
filtdelay  =    0.02    0.05    0.02    0.00    0.00    0.00    0.00    0.00
filtoffset =  135.08  134.81  134.55    0.00    0.00    0.00    0.00    0.00
filterror  =    0.00    0.00    0.00   16.00   16.00   16.00   16.00   16.00
minpoll = 6, maxpoll = 10


*Jul 14 15:45:47.737: NTP recv pkt on v4 socket, pak = 0x83E79C78.
*Jul 14 15:45:47.737: NTP message received from S2 on interface 'Dialer0':
*Jul 14 15:45:47.737:
 NTP Header:
   Leap = 00, Version = 4, Mode = 4,
   Stratum = 2,
   Poll Interval = 6,
   Precision = -18,
   Root Delay = 0.82,
   Root Dispersion = 0.1755,
   refid = S1,
   Last update reftime = 3456574670.3602360983,
   Originated time = 3456575147.3064944142,
   Received time = 3456575152.3162200771,
   Transmit time = 3456575152.3162396127.



To get it back, I simply remove the clock-period and reconfigure the
ntp server and I get another 10 mins of working ntp.


This is only happening to a very small percentage of routers from a new
batch recently purchased, I'm wondering if the clock-period
calculation is wrong?

Stuff that is the same between working/nonworking routers

- clock/timezone config
- latency and network quality between router and S2 server
- receipt of NTP packets (debug ntp pack shows *all* are being received
and processed so not an acl/filtering issue)

bugtool seems to be broken when searching for keyword NTP in all
12.4(T) train, I've reported this (just gives me blank screen in
multiple browsers), release notes do not show anything of interest.

Anybody with good NTP foo able to look at this and immediately
spot something obvious? or could it be there is a hardware problem in
this batch?

Footnotes:

- Upgraded to 12.4(22)T where clock-period is no longer configurable by
operator, same problem occurs.

- Only seems to affect a small percentage of 877 routers,
878s, 1800s , 2800s seem to be fine


Dave.

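The "insane" association above can be checked numerically from the hex timestamps IOS prints. What follows is an added example, not part of Dave's post: it decodes the 64-bit NTP timestamps (32-bit seconds since 1900-01-01 plus a 32-bit binary fraction) out of `show ntp associations detail`, recovers the UTC wall-clock time behind the BST strings, and computes how far the server's clock is ahead of the local clock. In this output `org` is the server's transmit timestamp carried in the last reply (T3), `rec` is the local clock when that reply arrived (T4) and `xmt` is the local clock when the request went out (T1); T2 is not printed, but with the reported delay of 0.00 msec the round trip is negligible and T3 minus T4 is the offset, which is the latest clock-filter sample (filtoffset 135.08). The sample text is the poster's output quoted verbatim; the 1-second reporting threshold is an assumption of this example, not the rule IOS itself applies when it marks an association insane.

```python
import re
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)

# Sample input: the "sad box" association detail quoted in the post above.
SAMPLE_DETAIL = """\
S2 configured, insane, invalid, stratum 2
ref ID S1  , time CE071C7B.D722D2EE (16:02:19.840 BST Tue Jul 14 2009)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 15.53, reach 377, sync dist 2.38
delay 0.00 msec, offset 134559.7237 msec, dispersion 1938.59
precision 2**18, version 4
org time CE071F24.C3B751E7 (16:13:40.764 BST Tue Jul 14 2009)
rec time CE071E9D.B07AD5A3 (16:11:25.689 BST Tue Jul 14 2009)
xmt time CE071E9D.A8FD405C (16:11:25.660 BST Tue Jul 14 2009)
"""


def parse_ntp_timestamp(hex_ts):
    """'CE071F24.C3B751E7' -> seconds since 1900-01-01 as a float.
    The upper 32 bits are whole seconds, the lower 32 bits a binary
    fraction in units of 2**-32 (NTP era 0, no era rollover handling)."""
    secs, frac = hex_ts.split(".")
    return int(secs, 16) + int(frac, 16) / 2 ** 32


def ntp_to_datetime(ntp_seconds):
    """NTP era-0 seconds -> timezone-aware UTC datetime."""
    return NTP_EPOCH + timedelta(seconds=ntp_seconds)


_STAMP_RE = re.compile(r"^(org|rec|xmt) time ([0-9A-F]{8}\.[0-9A-F]{8})", re.M)
_OFFSET_RE = re.compile(r"\boffset (-?[0-9.]+) msec")


def parse_assoc_detail(text):
    """Extract the three peer timestamps and the offset IOS itself reports."""
    stamps = {name: parse_ntp_timestamp(hexts) for name, hexts in _STAMP_RE.findall(text)}
    if set(stamps) != {"org", "rec", "xmt"}:
        raise ValueError("org/rec/xmt timestamps not all present")
    m = _OFFSET_RE.search(text)
    return {
        "stamps": stamps,
        "reported_offset_ms": float(m.group(1)) if m else None,
        # IOS prints the sanity verdict on the first line of the block.
        "flagged_insane": "insane" in text.splitlines()[0],
    }


def server_minus_local(assoc):
    """org = server transmit (T3), rec = local receive (T4), xmt = local
    transmit (T1). The full offset is ((T2-T1)+(T3-T4))/2; T2 is not in
    this output, but with delay ~0 the T3-T4 term is the whole offset."""
    s = assoc["stamps"]
    if s["rec"] < s["xmt"]:
        raise ValueError("reply recorded before request: timestamps are corrupt")
    return s["org"] - s["rec"]


def check_association(text, max_offset_s=1.0):
    """Computed offset, the two wall-clock readings, and whether the
    association is usable. max_offset_s is an arbitrary reporting cutoff."""
    assoc = parse_assoc_detail(text)
    offset = server_minus_local(assoc)
    return {
        "offset_s": offset,
        "server_time_utc": ntp_to_datetime(assoc["stamps"]["org"]),
        "local_time_utc": ntp_to_datetime(assoc["stamps"]["rec"]),
        "reported_offset_ms": assoc["reported_offset_ms"],
        "ok": abs(offset) <= max_offset_s and not assoc["flagged_insane"],
    }


if __name__ == "__main__":
    r = check_association(SAMPLE_DETAIL)
    print(f"local {r['local_time_utc']:%H:%M:%S} UTC, server {r['server_time_utc']:%H:%M:%S} UTC, "
          f"server ahead by {r['offset_s']:.3f} s, usable={r['ok']}")
```

Run over the poster's output this gives a local clock of 15:11:25 UTC against a server clock of 15:13:40 UTC, i.e. the router is about 135 s slow, which is far outside anything a client will slew and matches the "insane, invalid" verdict; comparing the decoded wall-clock time with what the router believes is an easy way to tell a clock-period (local oscillator) problem from a network one.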


[c-nsp] CE routes

2009-07-14 Thread harbor235
I was just reading best practices for MPLS implementations regarding CE to
CE connectivity issues, specifically CE to CE pings. The document stated
that redistributing connected PE routes into BGP was the preferred method
to ensure CE to CE ping success as well as other connectivity issues. This
will inject the route for the PE to CE interface into BGP. I am not sure I
agree; why not explicitly define which networks to advertise in the IGP?
An IGP in MPLS networks is supposed to hold all infrastructure routes
anyway. Are these interfaces considered infrastructure or customer
interfaces? One reason may be to reduce the number of infrastructure
routes in the IGP because of the potential for many CE to PE interfaces,
and let BGP handle the large number of routes?

I am curious which method is employed in the wild; also I am not sure all
connected routes should be advertised from the PE, e.g.
management/infrastructure interfaces etc ...

What are your thoughts and how is it being done?

mike


[c-nsp] WAAS and minimum latency

2009-07-14 Thread Tim Durack
Anyone got figures on the *minimum* latency the various WAN accelerators can
improve on?

I ask as I have a customer with a couple of sites connected via GigE. RTT
for SiteA - SiteB is around 3ms. Migrating services between sites has
reduced performance for some users (appears that SMB/CIFS is most affected.)

I'm looking to see if I can fix things with WAAS, just not sure they are
really designed for this scenario (I'm not a fan of WAAS, but if it fixes a
problem...)

Thanks,

Tim:


Re: [c-nsp] ASA ssh difficulties

2009-07-14 Thread Jonathan Brashear
Nick nailed it, thanks. :)  The tech that built this firewall missed this line:
aaa authentication ssh console LOCAL 


Network Engineer, JNCIS-M
 214-981-1954 (office) 
 214-642-4075 (cell)
 jbrash...@hq.speakeasy.net 
http://www.speakeasy.net
-Original Message-
From: Nick Griffin [mailto:nick.jon.grif...@gmail.com] 
Sent: Tuesday, July 14, 2009 9:16 AM
To: Jonathan Brashear
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASA ssh difficulties

Make sure ssh is set up for local authentication and possibly regenerate your
ssh keys:

this is what I usually do:


crypto key generate rsa general-keys modulus 2048

aaa authentication telnet console LOCAL

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

aaa authentication serial console LOCAL






Nick Griffin, CCIE #17381 
Systems Consultant Alexander Open Systems
Direct 479.899.6830 ext 2609 
AOS Scheduling - 417.888.2675

On Tue, Jul 14, 2009 at 9:05 AM, Jonathan Brashear 
jonathan.brash...@hq.speakeasy.net wrote:


I'm a bit stumped on an issue I'm having with a particular 5505.  
Originally it was inaccessible via ASDM or SSH, but after a reboot it began to 
allow access via ASDM.  However, SSH is still not working.  I've verified that 
the username/pass is correct(it works through the ASDM) and that SSH access is 
allowed from the relevant IP range(I get to a password prompt), but it refuses 
to accept known good passwords from multiple accounts.  It thinks the password 
is bad, but only when done via SSH.  I haven't run into this issue with other 
ASAs that are configured identically and I can login to the other ASAs from the 
same terminal window so it shouldn't be something to do with my terminal 
emulation.  Any thoughts on why this may be happening?

Network Engineer, JNCIS-M
 214-981-1954 (office)
 214-642-4075 (cell)
 jbrash...@hq.speakeasy.net
http://www.speakeasy.net





Re: [c-nsp] Maximum spannig tree instances

2009-07-14 Thread Tim Durack
On Tue, Jul 14, 2009 at 11:43 AM, Jon Lewis jle...@lewis.org wrote:

 On Tue, 14 Jul 2009, Geoffrey Pendery wrote:

  I've wondered about that...if we were to move to MST, we're going to
 have to assign every VLAN to an MST instance, which could get messy.

 That's exactly why I was warning about the 16/64 instance limit.  This
 was my mindset when moving from PVST to MST, and I suspect there are
 many others out there thinking this way.  But if you have more than 64
 VLANs, you can't do that.  You'll have to look at their topology and


 That's not what I meant.  I just meant we'd have to decide which instance
 (of likely just a few of them) to assign every VLAN to...as every VLAN has
 to be assigned to some instance.  I should setup a lab of switches again and
 play around with MST.  IIRC, the docs I've read about MST on
 cisco.com generally split up the VLANs between MST instances 2 and 3.


We left everything in MST0, and pull a few VLANs into MST2 for
load-balancing reasons. Core-1 is root for MST0, Core-2 is root for MST2.
Works for a simple topology, where every switch has redundant links back to
a couple of core switches. Not sure it would be so great for the kind of
topologies being discussed here.

However, as soon as I want to add another VLAN to MST2, I have to touch *every*
switch in the MST region. And during the process MST is inconsistent -
either I adjust the two core switches first, and every edge switch flips
over to MST0, or I do every edge switch first, core last. Either way it's a
lot of STP fun.

I'm going to guess the standards body that came up with MST doesn't do too
much network configuration work...

Tim:
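Tim's point that every switch in the region has to be touched follows from how a region is identified: region name, revision number and a digest of the VLAN-to-instance table all have to agree, and the digest is an HMAC-MD5 over the whole 4096-entry table with a fixed key taken from IEEE 802.1Q, so any mapping change anywhere changes it. The script below is an added example, not from the post or from any vendor code: it computes that digest (an untouched switch with every VLAN in the CIST should produce AC36177F50283CD4B83821D8AB26DE62, the value `show spanning-tree mst configuration digest` prints by default, which is the check to run against a real box) and shows that a half-finished change leaves the edge switch in a different region from the two cores. Hostnames, region name, revision and VLAN mappings are constructed.

```python
import hashlib
import hmac

# Fixed HMAC-MD5 key defined by IEEE 802.1Q for the MST configuration digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def expand_vlans(spec):
    """IOS VLAN list syntax: '300-302,310' -> {300, 301, 302, 310}."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def mst_config_table(instance_map):
    """instance_map: {msti: 'vlan list'}; every VID not listed stays in the CIST
    (instance 0). The table is 4096 two-octet big-endian MSTIDs indexed by VID;
    VIDs 0 and 4095 are not valid VLANs and are always 0."""
    table = [0] * 4096
    for msti, spec in instance_map.items():
        for vid in expand_vlans(spec):
            if not 1 <= vid <= 4094:
                raise ValueError(f"VLAN {vid} out of range")
            if table[vid]:
                raise ValueError(f"VLAN {vid} mapped to two instances")
            table[vid] = msti
    return b"".join(m.to_bytes(2, "big") for m in table)


def mst_config_digest(instance_map):
    """Hex digest as shown by 'show spanning-tree mst configuration digest'."""
    return hmac.new(MST_DIGEST_KEY, mst_config_table(instance_map), hashlib.md5).hexdigest().upper()


def region_check(switches):
    """switches: {hostname: (region_name, revision, instance_map)}.
    Bridges share a region only when name, revision and digest all match;
    any mismatch turns the link between them into a region boundary."""
    groups = {}
    for host, (name, rev, mapping) in switches.items():
        groups.setdefault((name, rev, mst_config_digest(mapping)), []).append(host)
    return len(groups) == 1, list(groups.values())


# Constructed mid-change state: VLAN 310 has been moved into MST2 on the
# two cores, but the edge switch still carries the old mapping.
OLD_MAP = {2: "300-309"}
NEW_MAP = {2: "300-310"}
SWITCHES = {
    "core-1": ("DC1", 5, NEW_MAP),
    "core-2": ("DC1", 5, NEW_MAP),
    "edge-1": ("DC1", 5, OLD_MAP),
}

if __name__ == "__main__":
    print("default digest:", mst_config_digest({}))
    consistent, groups = region_check(SWITCHES)
    print("one region:", consistent, "groups:", groups)
```

Because the digest covers the entire table, there is no ordering of the per-switch changes that keeps the region intact; the only thing an operator controls is how long the split lasts, which is why this belongs in a maintenance window.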


Re: [c-nsp] VSS out-of-band mgmt

2009-07-14 Thread Alasdair McWilliam
We have VSS deployed and its management interface is on a mgmt-vrf.  
So far everything that needs a source interface seems to work,  
although I've not actually configured syslog yet, TACACS is now vrf  
aware. You have to define a specific AAA server group. Eg:


tacacs-server host 1.1.1.1 key myacskey
tacacs-server directed-broadcast
ip tacacs source-interface VlanXYZ

Then:

aaa group server tacacs+ ACS-GROUP-NAME
  server 1.1.1.1
  ip vrf forwarding mgmt-vrf
!

aaa authentication login default group ACS-GROUP-NAME local-case

I will note that you have to define each server with the tacacs-server  
command before you add it to the group otherwise it throws an error.



Al


On 13 Jul 2009, at 18:47, Buhrmaster, Gary wrote:


Yes, a management VRF will do exactly what you want :-)


Perhaps things have improved, but at one time for the 6500
platform certain functions could only be performed in the
native(? is that the right word) context, and you needed
to place all the rest of your traffic/interfaces in a VRF
leaving the native context for management (sort of the
reverse of your proposal, instead have a Internet VRF
for everything except for management).

Have the latest IOS versions eliminated those challenges
on the 6500?

Gary




Re: [c-nsp] Maximum spannig tree instances

2009-07-14 Thread sthaug
  switchport trunk allowed vlan *ADD* 1234
 
  is one of our favourites, tho... :-)
 
 I've been reluctant to roll that out on all the trunks due to the damage 
 that could be caused if someone got careless and dropped the 'add' while 
 adding a new VLAN to a trunk.

With suitable TACACS verification of commands you can make *only*
the following available:

switchport trunk allowed vlan none
switchport trunk allowed vlan add ...
switchport trunk allowed vlan remove ...

which takes care of forgetting the add keyword. Done at the company
we're in the process of merging with, works great.

Steinar Haug, Nethelp consulting, sth...@nethelp.no


Re: [c-nsp] VSS out-of-band mgmt

2009-07-14 Thread Holemans Wim
Just implemented it based on an example I received yesterday; we don't
deploy tacacs, so no problem there. Syslog doesn't work anymore for the
moment but I didn't check yet if it is vrf aware. 

Thanks to everyone who answered my question. Once I've tried out the syslog
config, I'll share the result on this list.

Wim Holemans


-Original Message-
From: Alasdair McWilliam [mailto:alasda...@gmail.com] 
Sent: dinsdag 14 juli 2009 19:33
To: Buhrmaster, Gary
Cc: Holemans Wim; Cisco NSP
Subject: Re: [c-nsp] VSS out-of-band mgmt

We have VSS deployed and its management interface is on a mgmt-vrf.  
So far everything that needs a source interface seems to work,  
although I've not actually configured syslog yet, TACACS is now vrf  
aware. You have to define a specific AAA server group. Eg:

tacacs-server host 1.1.1.1 key myacskey
tacacs-server directed-broadcast
ip tacacs source-interface VlanXYZ

Then:

aaa group server tacacs+ ACS-GROUP-NAME
   server 1.1.1.1
   ip vrf forwarding mgmt-vrf
!

aaa authentication login default group ACS-GROUP-NAME local-case

I will note that you have to define each server with the tacacs-server  
command before you add it to the group otherwise it throws an error.


Al


On 13 Jul 2009, at 18:47, Buhrmaster, Gary wrote:

 Yes, a management VRF will do exactly what you want :-)

 Perhaps things have improved, but at one time for the 6500
 platform certain functions could only be performed in the
 native(? is that the right word) context, and you needed
 to place all the rest of your traffic/interfaces in a VRF
 leaving the native context for management (sort of the
 reverse of your proposal, instead have a Internet VRF
 for everything except for management).

 Have the latest IOS versions eliminated those challenges
 on the 6500?

 Gary



Re: [c-nsp] VSS out-of-band mgmt

2009-07-14 Thread Holemans Wim
Tried syslog vrf awareness and yes :
logging host 143.169.x.y vrf management
did the trick

we are running 122-33.SXI1  on this VSS cluster.

Wim Holemans


-Original Message-
From: Alasdair McWilliam [mailto:alasda...@gmail.com] 
Sent: dinsdag 14 juli 2009 19:33
To: Buhrmaster, Gary
Cc: Holemans Wim; Cisco NSP
Subject: Re: [c-nsp] VSS out-of-band mgmt

We have VSS deployed and its management interface is on a mgmt-vrf.  
So far everything that needs a source interface seems to work,  
although I've not actually configured syslog yet, TACACS is now vrf  
aware. You have to define a specific AAA server group. Eg:

tacacs-server host 1.1.1.1 key myacskey
tacacs-server directed-broadcast
ip tacacs source-interface VlanXYZ

Then:

aaa group server tacacs+ ACS-GROUP-NAME
   server 1.1.1.1
   ip vrf forwarding mgmt-vrf
!

aaa authentication login default group ACS-GROUP-NAME local-case

I will note that you have to define each server with the tacacs-server  
command before you add it to the group otherwise it throws an error.


Al


On 13 Jul 2009, at 18:47, Buhrmaster, Gary wrote:

 Yes, a management VRF will do exactly what you want :-)

 Perhaps things have improved, but at one time for the 6500
 platform certain functions could only be performed in the
 native(? is that the right word) context, and you needed
 to place all the rest of your traffic/interfaces in a VRF
 leaving the native context for management (sort of the
 reverse of your proposal, instead have a Internet VRF
 for everything except for management).

 Have the latest IOS versions eliminated those challenges
 on the 6500?

 Gary



Re: [c-nsp] Maximum spannig tree instances

2009-07-14 Thread Jon Lewis

On Tue, 14 Jul 2009, Tim Durack wrote:


We left everything in MST0, and pull a few VLANs into MST2 for
load-balancing reasons. Core-1 is root for MST0, Core-2 is root for MST2.
Works for a simple topology, where every switch has redundant links back to
a couple of core switches. Not sure it would be so great for the kind of
topologies being discussed here.


The cisco examples I saw say to leave MST0 empty and use MST1 and MST2 for 
VLANs.


This concerns me though:

 Complete any MST configuration involving a large number of either
 existing or new logical VLAN ports during a maintenance window because
 the complete MST database gets reinitialized for any incremental change
 (such as adding new VLANs to instances or moving VLANs across instances).

Will adding new VLANs to an MST instance disrupt traffic flow for other 
VLANs in that MST instance?


The topology I have is actually 2 core switches with a bunch of edge 
switches redundantly uplinked to both cores.



However, as soon as I want to add another VLAN to MST2, I have touch *every*
switch in the MST region. And during the process MST is inconsistent -
either I adjust the two core switches first, and every edge switch flips
over to MST0, or I do every edge switch first, core last. Either way it's a
lot of STP fun.


That sounds like another argument for rPVST and turning off VTP to avoid 
hitting the PVST instance limit on the less capable switches.


--
 Jon Lewis   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


Re: [c-nsp] ASA IPsec Tunnel Failover

2009-07-14 Thread Nick Griffin
Do you have any routers/layer 3 devices on the inside of the firewalls? The
weighted GRE tunnels always work well for this.

On Mon, Jul 13, 2009 at 3:14 PM, Munoz, Jeff jeff.mu...@swinc.com wrote:

 Hey guys, I have two main sites (site A and site B) and one remote site
 (site C).  Sites A and B have a metroethernet connection between them.
  Remote site C has an IPsec tunnel back to site A.  I'd like to setup
 failover so in case site A's ASA is down the remote site C ASA sends the
 interesting traffic down the site B IPsec tunnel.  Unfortunately, it will
 always match the tunnel to site A since the phase 2 access lists have the
 same source/destinations.  Any ideas on how I can do this?

 Thanks!

 Jeff



Re: [c-nsp] Maximum spannig tree instances

2009-07-14 Thread Geoffrey Pendery
 Will adding new VLANs to an MST instance disrupt traffic flow for other
 VLANs in that MST instance?

Yes.  We've verified this.
A trunk port carrying only VLAN 30, or even an access port carrying
only VLAN 30.
VLAN 30 is in instance 2.  You go into config mode and add VLAN 50 to
instance 2 (or remove it from instance 2)
The port, be it access or trunk, goes to blocking, learning, forwarding.


-Geoff


Re: [c-nsp] Maximum spannig tree instances

2009-07-14 Thread Peter Rathlev
On Tue, 2009-07-14 at 17:56 +0200, Thomas Habets wrote:
 On Tue, 14 Jul 2009, Peter Rathlev wrote:
  My bold guess would be that the system limit for number of STP
  instances is 10000/13000 total virtual ports (RPVST/PVST).
 
 10'000 is what the documentation said, yes
 http://www.cisco.com/en/US/solutions/ns340/ns394/ns50/net_design_guidance0900aecd806fe4bb.pdf
 
  Whether having 1800+ STP instances on the same switch is a good idea
  i something completely different. :-)
 
 Not STP instances. 48 ports of aggregation with 50 VLANs will get you
 well over the virtual port limit. It's not STP on 1800+ VLANs, and
 not unheard of.

That's for virtual ports yes. But that's not the same as STP instances.

As my lab test shows you can easily exceed 1800 RSTP instances. I kept
each of two modules on 1799 virtual ports, but with different VLANs on
each. Having more STP instances than VLANs would of course be difficult,
so I guess the limit is around 4000 instances.

That's for RSTP. I'm afraid I don't know much about MST.

Regards,
Peter



Re: [c-nsp] Maximum spannig tree instances

2009-07-14 Thread Tim Durack
On Tue, Jul 14, 2009 at 2:22 PM, Geoffrey Pendery ge...@pendery.net wrote:

  Will adding new VLANs to an MST instance disrupt traffic flow for other
  VLANs in that MST instance?

 Yes.  We've verified this.
 A trunk port carrying only VLAN 30, or even an access port carrying
 only VLAN 30.
 VLAN 30 is in instance 2.  You go into config mode and add VLAN 50 to
 instance 2 (or remove it from instance 2)
 The port, be it access or trunk, goes to blocking, learning, forwarding.


...and if that doesn't make you nervous, you probably shouldn't be running
spanning-tree...

Tim:


[c-nsp] Disallowing sw tru all vlan X w/o add or remove (was: Maximum spannig tree instances)

2009-07-14 Thread Peter Rathlev
On Tue, 2009-07-14 at 18:05 +0200, Gert Doering wrote:
 Mmmmh.  If one does TACACS command authentication, one could
 investigate whether disallowing the without-add/-delete form of the
 command via TACACS works...

It does indeed. We use something similar to the configuration below for
operators who can do simple maintenance chores.

group = operator {
default service = deny
login = PAM
service = exec {
priv-lvl = 15
}
...
cmd = switchport {
permit ^trunk allowed vlan add 1[0-9][0-9] <cr>$
permit ^trunk allowed vlan remove 1[0-9][0-9] <cr>$
...
}
...
}

Regards,
Peter


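To see what the tac_plus block above actually buys, the following added example (not from Peter's post, and not tac_plus code) models two things side by side: the IOS semantics of `switchport trunk allowed vlan`, where the bare form replaces the whole allowed list while `add`/`remove` edit it, and tac_plus command authorization, where the first word selects the `cmd` block, the remaining words are joined with spaces and `<cr>` appended, and the `permit`/`deny` patterns are tried in order with deny as the default. It then replays a constructed operator session that includes the "forgot the add" mistake and shows that the pattern refuses it. The policy is Peter's two permit lines; the session, starting VLAN set and the `run_session` helper are assumptions of this example.

```python
import re

ALL_VLANS = frozenset(range(1, 4095))


def expand_vlans(spec):
    """IOS VLAN list syntax: '100,110-112' -> {100, 110, 111, 112}."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def apply_allowed_vlan(current, args):
    """Model what 'switchport trunk allowed vlan <args>' does to a trunk's
    allowed set. Only the add/remove forms preserve what was there."""
    words = args.split()
    kw = words[0]
    if kw == "all":
        return set(ALL_VLANS)
    if kw == "none":
        return set()
    if kw == "add":
        return current | expand_vlans(words[1])
    if kw == "remove":
        return current - expand_vlans(words[1])
    if kw == "except":
        return ALL_VLANS - expand_vlans(words[1])
    return expand_vlans(kw)  # bare list: the previous allowed set is discarded


# Modelled on the tac_plus 'cmd = switchport { permit ... }' block in the post:
# operators may add or remove one VLAN in the 100-199 range, nothing else.
OPERATOR_POLICY = {
    "switchport": [
        ("permit", r"^trunk allowed vlan add 1[0-9][0-9] <cr>$"),
        ("permit", r"^trunk allowed vlan remove 1[0-9][0-9] <cr>$"),
    ],
}


def tacacs_authorize(policy, command_line):
    """tac_plus-style command authorization: first word picks the cmd block,
    the rest becomes 'arg arg ... <cr>', patterns are tried in order, and a
    command with no block or no matching pattern is denied."""
    words = command_line.split()
    cmd, rest = words[0], words[1:]
    args = " ".join(rest + ["<cr>"])
    for action, pattern in policy.get(cmd, []):
        if re.search(pattern, args):
            return action == "permit"
    return False


def run_session(allowed, commands, policy=OPERATOR_POLICY):
    """Apply each interface command to the trunk only if authorization passes.
    Returns the resulting allowed set and the commands that were refused."""
    allowed = set(allowed)
    denied = []
    for line in commands:
        if not tacacs_authorize(policy, line):
            denied.append(line)
            continue
        allowed = apply_allowed_vlan(allowed, line.split(None, 4)[4])
    return allowed, denied


# Constructed session; the third command is the classic dropped 'add', which
# unauthorized would have collapsed the trunk to VLAN 140 alone.
SESSION = [
    "switchport trunk allowed vlan add 130",
    "switchport trunk allowed vlan remove 110",
    "switchport trunk allowed vlan 140",
    "switchport trunk allowed vlan add 200",
]

if __name__ == "__main__":
    final, refused = run_session({100, 110, 120}, SESSION)
    print("allowed after session:", sorted(final))
    print("refused by TACACS:", refused)
```

The anchored `<cr>$` is what makes this safe: without it, `add 130,131` or `add 130 remove 120` would still match the prefix. tac_plus uses a POSIX regex engine, but patterns this simple behave identically under Python's `re`.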


Re: [c-nsp] Maximum spannig tree instances

2009-07-14 Thread Clinton Work


You need to enable MAC reduction (extended VLAN range) if you want to 
support all 4096 STP instances on a 6500.  I have personally seen over 
3000+ STP instances running using PVST+ with MAC reduction enabled.  MAC 
reduction will steal bits from the bridge priority in order to create 4096 
unique bridge IDs.  The CPU load with PVST+ compared with MST is very 
dramatic.  As long as you stay away from the older 10/100 Ethernet cards 
PVST/RPVST should scale fairly well.  I have seen PVST+ start to fail 
when you reach 75,000 virtual ports and MST can easily handle over 
100,000 virtual ports.


Clinton. 


a.l.m.bu...@lboro.ac.uk wrote:

regarding maximum STP instances... I believe there's a platform limit
of 1024 because of the MAC to VLAN bridge mapping on the platform -
but, from the values above, you can see that virtual ports would
hit you quite quickly without appropriate control of the VLANs

alan



--
==
Clinton Work
Airdrie, AB


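The two numbers this thread keeps coming back to, STP instances and virtual ports, can be read straight out of a running-config before a switch hits them. Under (R)PVST+ every VLAN in the VLAN database costs an instance (and VTP puts every VLAN into every switch's database), while every VLAN carried on every port costs a virtual port, with a trunk that has no allowed list carrying the whole database. The script below is an added example, not from the thread: it parses the relevant lines of a constructed config (including the `switchport trunk allowed vlan add` continuation lines IOS writes), totals both counts, and lists the VLANs that exist only because the database says so. The 128-instance default is the 3550/3560-class limit cited above; the virtual-port limit is left to the caller because it is platform specific.

```python
import re


def expand_vlans(spec):
    """IOS VLAN list syntax: '100-103,200' -> {100, 101, 102, 103, 200}."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


_IFACE_RE = re.compile(r"^interface (\S+)")
_VLAN_DB_RE = re.compile(r"^vlan ([0-9,\-]+)\s*$")
_ALLOWED_RE = re.compile(r"^\s+switchport trunk allowed vlan (?:(add|remove|except) )?(\S+)")
_ACCESS_RE = re.compile(r"^\s+switchport access vlan (\d+)")


def parse_config(text):
    """Return (vlan_db, interfaces); interfaces map name -> mode, allowed set
    (None means no allowed list, i.e. every VLAN), access VLAN."""
    vlan_db, ifaces, cur = set(), {}, None
    for line in text.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            cur = ifaces.setdefault(m.group(1), {"mode": None, "allowed": None, "access": None})
            continue
        if line.strip() == "!":
            cur = None
            continue
        m = _VLAN_DB_RE.match(line)
        if m and cur is None:
            vlan_db |= expand_vlans(m.group(1))
            continue
        if cur is None:
            continue
        if line.strip() in ("switchport mode trunk", "switchport mode access"):
            cur["mode"] = line.split()[-1]
        m = _ALLOWED_RE.match(line)
        if m:
            kw, spec = m.groups()
            if kw == "add":
                cur["allowed"] = (cur["allowed"] or set()) | expand_vlans(spec)
            elif kw == "remove":
                cur["allowed"] = (cur["allowed"] or set()) - expand_vlans(spec)
            elif kw == "except":
                cur["allowed"] = set(range(1, 4095)) - expand_vlans(spec)
            elif spec == "none":
                cur["allowed"] = set()
            elif spec == "all":
                cur["allowed"] = None
            else:
                cur["allowed"] = expand_vlans(spec)
            continue
        m = _ACCESS_RE.match(line)
        if m:
            cur["access"] = int(m.group(1))
    return vlan_db, ifaces


def stp_load(text, instance_limit=128, vport_limit=None):
    """Count (R)PVST+ instances and virtual ports implied by a config."""
    vlan_db, ifaces = parse_config(text)
    per_iface, referenced, unrestricted = {}, set(), []
    for name, i in ifaces.items():
        if i["mode"] == "trunk":
            if i["allowed"] is None:
                carried = set(vlan_db)          # no allowed list: everything
                unrestricted.append(name)
            else:
                carried = i["allowed"] & vlan_db  # a VLAN must exist to run STP
                referenced |= i["allowed"]
        elif i["access"] is not None:
            carried = {i["access"]} & vlan_db
            referenced.add(i["access"])
        else:
            carried = set()
        per_iface[name] = len(carried)
    vports = sum(per_iface.values())
    return {
        "instances": len(vlan_db),
        "virtual_ports": vports,
        "per_interface": per_iface,
        "unrestricted_trunks": unrestricted,
        "unreferenced_vlans": sorted(vlan_db - referenced),  # VTP-only VLANs
        "instance_limit_exceeded": len(vlan_db) > instance_limit,
        "vport_limit_exceeded": vport_limit is not None and vports > vport_limit,
    }


# Constructed config, deliberately small.
SAMPLE_CONFIG = """\
vlan 100-109
!
vlan 200,201
!
interface GigabitEthernet0/1
 description uplink, pruned
 switchport trunk allowed vlan 100,101
 switchport trunk allowed vlan add 200
 switchport mode trunk
!
interface GigabitEthernet0/2
 description uplink, no allowed list
 switchport mode trunk
!
interface FastEthernet0/3
 switchport access vlan 105
 switchport mode access
!
"""

if __name__ == "__main__":
    for k, v in stp_load(SAMPLE_CONFIG).items():
        print(f"{k}: {v}")
```

The `unreferenced_vlans` list is the set Jon describes: VLANs that cost an instance on this switch without any pruned trunk or access port needing them, which is exactly what goes away when VTP is switched off and VLANs are created only where they are used.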


Re: [c-nsp] Maximum spannig tree instances

2009-07-14 Thread Gert Doering
Hi,

On Tue, Jul 14, 2009 at 01:20:53PM -0400, Tim Durack wrote:
 I'm going to guess the standards body that came up with MST doesn't do too
 much network configuration work...

Real Networks[tm] have Maintenance Windows[tm].

Dunno whether anybody else remembers bay networks routers that had to
be rebooted(!) to accept configuration changes.  At my university, monday
morning was network maintenance, that is apply all config changes that
have piled up during the week, reboot, pray...

(Did I mention that I don't like MST? :) )

gert

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de



Re: [c-nsp] Maximum spannig tree instances

2009-07-14 Thread Jon Lewis

On Tue, 14 Jul 2009, Geoffrey Pendery wrote:


Yes.  We've verified this.
A trunk port carrying only VLAN 30, or even an access port carrying
only VLAN 30.
VLAN 30 is in instance 2.  You go into config mode and add VLAN 50 to
instance 2 (or remove it from instance 2)
The port, be it access or trunk, goes to blocking, learning, forwarding.


Well...screw that.  That would mean only making MST changes during 
maintenance windows.  I guess it's time to turn off VTP and stick with 
pvst.


--
 Jon Lewis   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


[c-nsp] Give Cisco your feedback on the new download experience at tacwebsur...@cisco.com (was: several heart-felt flames regarding the mess that is the Cisco.com download experience)

2009-07-14 Thread Justin Shore
I received this message from Cisco yesterday.  I found the timing to be 
rather ironic.  I've munged the survey URL; I'm going to fill that out. 
 I would encourage EVERYONE to participate in this process by sending a 
letter to tacwebsur...@cisco.com to let them know how they really feel 
about the quality of download experience that can be had on cisco.com.


Justin



Dear Justin,

Last Friday, you visited Cisco Systems' on-line Technical Support & 
Documentation Website. Our records show that you accessed the following:


tools.cisco.com/support/downloads/go/DownloadImage.x

Customer loyalty is Cisco's top priority. To ensure that we continually 
measure our performance in meeting your needs, we have partnered with 
Walker Information to conduct a survey regarding our Technical Support & 
Documentation Website on Cisco.com: http://www.cisco.com/techsupport.


Please accept my invitation to participate in this survey by visiting 
this URL http://survey.walkerinfo.com/


If you are unable to click on the link, it can be copied and pasted into 
your browser.


This is a newly updated short survey that takes about 3 minutes to 
complete. I ask that you provide honest feedback, not only on our 
performance to date, but also on how we can better meet your needs going 
forward. Your valuable input will help establish continued improvement 
of the Technical Support & Documentation Website.


If you have any questions about this study, please feel free to email 
your comments or requests to tacwebsur...@cisco.com . If you have any 
difficulties gaining access to the survey, please contact 
supp...@walkerinfo.com for technical assistance.


On behalf of Cisco Systems, thank you for being our customer and for 
participating in this survey.


Sincerely,


Julie Larsen
Sr. Director, Technical Support Website Team Cisco Systems, Inc.


To remove  from all future surveys conducted by 
Walker Information, follow this link:

http://survey.walkerinfo.com/remove.cfm?code=

If you have any questions, please send an email to supp...@walkerinfo.com.

Walker Information, Inc.
301 Pennsylvania Parkway
Indianapolis, IN 46280
United States


Re: [c-nsp] Give Cisco your feedback on the new download experience at tacwebsur...@cisco.com (was: several heart-felt flames regarding the mess that is the Cisco.com download experience)

2009-07-14 Thread Jared Mauch
I'm having a call with some people in a few minutes, I will share what  
is feasible to share once it's completed.


- Jared



Re: [c-nsp] Maximum spannig tree instances

2009-07-14 Thread Jon Lewis

On Tue, 14 Jul 2009, Gert Doering wrote:


Real Networks[tm] have Maintenance Windows[tm].


Yeah...but those should be for actual maintenance...software upgrades, 
major config changes, cable grooming, etc.  Not for basic tasks like 
turning up a new customer.  Sorry, we can't provision your connection 
until next Tuesday's scheduled maintenance window.


--
 Jon Lewis   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


Re: [c-nsp] CE routes

2009-07-14 Thread Ivan Pepelnjak
CE-PE subnets are part of a VRF and thus cannot be inserted into the core IGP,
only into MP-BGP. It's way easier (and more scalable) to redistribute them
than to list them in the per-VRF BGP configuration.

Ivan
 
http://www.ioshints.info/about
http://blog.ioshints.info/ 

 -Original Message-
 From: harbor235 [mailto:harbor...@gmail.com] 
 Sent: Tuesday, July 14, 2009 6:51 PM
 To: cisco-nsp@puck.nether.net
 Subject: [c-nsp] CE routes
 
 I was just reading best practices for MPLS implementations 
 regarding CE to CE connectivity issues, specifically, CE to 
 CE pings. The document stated that redistributing connected 
 PE routes into BGP was the preferred method to ensure CE to 
 CE ping success as well as other connectivity issues. This 
 will inject the route for the PE to CE interface into BGP. I 
 am not sure I agree; why not explicitly define which 
 networks to advertise in the IGP? An IGP in MPLS networks is 
 supposed to hold all infrastructure routes anyway. Are these 
 interfaces considered infrastructure or customer interfaces? 
 One reason may be to reduce the number of infrastructure 
 routes in the IGP because of the potential for many CE to PE 
 interfaces, let BGP handle the large number of routes?
 
 I am curious which method is employed in the wild, also I am 
 not sure all connected routes should be advertised from the 
 PE, e.g. management/infrastructure interfaces etc ...
 
 What are your thoughts and how is it being done?
 
 mike
 
 



Re: [c-nsp] Give Cisco your feedback on the new download experience at tacwebsur...@cisco.com

2009-07-14 Thread Justin Shore
You might Google for a list of negative adjectives to keep on hand for 
the call.  If you can't find a list online I'm sure you know some people 
who can help contribute to one just for this occasion.


Justin


Jared Mauch wrote:
I'm having a call with some people in a few minutes, I will share what 
is feasible to share once it's completed.


- Jared




Re: [c-nsp] ASA IPsec Tunnel Failover

2009-07-14 Thread David Prall
IKE Keepalives and Reverse Route Injection are typical solutions for routers
with IPSec tunnels. I see that both are supported on the ASA. With RRI, the
route is installed only when the IPSec tunnel is up. I think IKE Keepalives
and using two peers within a single crypto map will handle this correctly.
When the first peer fails, the second peer will be established and the route
will be installed to use the second peer address via RRI.

David

--
http://dcp.dcptech.com
 

 -Original Message-
 From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-
 boun...@puck.nether.net] On Behalf Of Nick Griffin
 Sent: Tuesday, July 14, 2009 2:21 PM
 To: Munoz, Jeff
 Cc: cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] ASA IPsec Tunnel Failover
 
 Do you have any routers/layer 3 devices on the inside of the firewalls,
 the
 weighted GRE tunnels always work well for this.
 
 On Mon, Jul 13, 2009 at 3:14 PM, Munoz, Jeff jeff.mu...@swinc.com
 wrote:
 
  Hey guys, I have two main sites (site A and site B) and one remote
 site
  (site C).  Sites A and B have a metroethernet connection between
 them.
   Remote site C has an IPsec tunnel back to site A.  I'd like to setup
  failover so in case site A's ASA is down the remote site C ASA sends
 the
  interesting traffic down the site B IPsec tunnel.  Unfortunately, it
 will
  always match the tunnel to site A since the phase 2 access lists have
 the
  same source/destinations.  Any ideas on how I can do this?
 
  Thanks!
 
  Jeff


Re: [c-nsp] Disallowing sw tru all vlan X w/o add or remove (was: Maximum spannig tree instances)

2009-07-14 Thread Gert Doering
Hi,

On Tue, Jul 14, 2009 at 08:40:17PM +0200, Peter Rathlev wrote:
 On Tue, 2009-07-14 at 18:05 +0200, Gert Doering wrote:
  Mmmmh.  If one does TACACS command authentication, one could
  investigate whether disallowing the without-add/-delete form of the
  command via TACACS works...
 
 It does indeed. We use something similar to the configuration below for
 operators who can do simple maintenance chores.

Cool.

We're currently not doing TACACS command authorization, but I might
be tempted to introduce that :-)

Now: what happens if the TACACS server is unavailable?  The way we 
currently run the shop is there is a local username configured as 
fallback if TACACS doesn't respond - and people know that they get 
slapped if they use this user without good reason.

How would command authorization work in that case?

... it's not unheard-of that router configuration is direly needed to
repair a broken network connection *to* the TACACS Server, so this
problem must be known to other folks as well :-)

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de



Re: [c-nsp] Maximum spannig tree instances

2009-07-14 Thread david raistrick

On Tue, 14 Jul 2009, Jon Lewis wrote:


Real Networks[tm] have Maintenance Windows[tm].


new customer.  Sorry, we can't provision your connection until next 
Tuesday's scheduled maintenance window.



Not to mention that customers even of Real Networks don't like facility 
wide traffic blips every single week.   What would happen is that my 
(former) bosses would put the contract on the table and say you WILL 
postpone your maintenance until it fits into our schedule 6 weeks from 
now.




--
david raistrickhttp://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html



Re: [c-nsp] Give Cisco your feedback on the new download experienceat tacwebsur...@cisco.com

2009-07-14 Thread Scott Granados

Right now we need a special character that shows someone flipping the bird!


:)

- Original Message - 
From: Justin Shore jus...@justinshore.com

To: Jared Mauch ja...@puck.nether.net
Cc: Gert Doering g...@greenie.muc.de; christ...@automatick.net; 
cisco-nsp@puck.nether.net

Sent: Tuesday, July 14, 2009 12:09 PM
Subject: Re: [c-nsp] Give Cisco your feedback on the new download 
experienceat tacwebsur...@cisco.com



You might Google for a list of negative adjectives to keep on hand for the 
call.  If you can't find a list online I'm sure you know some people who 
can help contribute to one just for this occasion.


Justin


Jared Mauch wrote:
I'm having a call with some people in a few minutes, I will share what is 
feasible to share once it's completed.


- Jared




[c-nsp] AIR-LAP1131AG-E-K9 and AIR-WLC2106-K9

2009-07-14 Thread Andrew Yerofyeyev
Hello,

We have difficulties connecting AIR-LAP1131AG-E-K9 to AIR-WLC2106-K9,
probably because of the ETSI CNFG of the AP. What do you think, is it possible
to configure the AP in a way that it behaves as FCC CNFG?

Some debug capwap error from controller and AP

controller:
*Jul 14 21:28:15.497: 00:1d:71:e1:76:90 Received an unsupported channel 36
for slot 1 from AP 00:1D:71:E1:76:90
*Jul 14 21:28:15.497: 00:1d:71:e1:76:90 Received an unsupported channel 40
for slot 1 from AP 00:1D:71:E1:76:90
*Jul 14 21:28:15.497: 00:1d:71:e1:76:90 Received an unsupported channel 44
for slot 1 from AP 00:1D:71:E1:76:90
*Jul 14 21:28:15.497: 00:1d:71:e1:76:90 Received an unsupported channel 48
for slot 1 from AP 00:1D:71:E1:76:90
*Jul 14 21:28:15.497: 00:1d:71:e1:76:90 Received an unsupported channel 52
for slot 1 from AP 00:1D:71:E1:76:90
*Jul 14 21:28:15.497: 00:1d:71:e1:76:90 Received an unsupported channel 56
for slot 1 from AP 00:1D:71:E1:76:90
*Jul 14 21:28:15.497: 00:1d:71:e1:76:90 Received an unsupported channel 60
for slot 1 from AP 00:1D:71:E1:76:90
*Jul 14 21:28:15.497: 00:1d:71:e1:76:90 Received an unsupported channel 64
for slot 1 from AP 00:1D:71:E1:76:90
*Jul 14 21:28:15.497: 00:1d:71:e1:76:90 Received an unsupported channel 100
for slot 1 from AP 00:1D:71:E1:76:90
*Jul 14 21:28:15.497: 00:1d:71:e1:76:90 Received an unsupported channel 104
for slot 1 from AP 00:1D:71:E1:76:90
*Jul 14 21:28:15.497: 00:1d:71:e1:76:90 Received an unsupported channel 108
for slot 1 from AP 00:1D:71:E1:76:90
*Jul 14 21:28:15.497: 00:1d:71:e1:76:90 Received an unsupported channel 112
for slot 1 from AP 00:1D:71:E1:76:90
*Jul 14 21:28:15.497: 00:1d:71:e1:76:90 Received an unsupported channel 116
for slot 1 from AP 00:1D:71:E1:76:90
*Jul 14 21:28:15.500: 00:1d:71:e1:76:90 Received an unsupported channel 132
for slot 1 from AP 00:1D:71:E1:76:90
*Jul 14 21:28:15.500: 00:1d:71:e1:76:90 Received an unsupported channel 136
for slot 1 from AP 00:1D:71:E1:76:90
*Jul 14 21:28:15.500: 00:1d:71:e1:76:90 Received an unsupported channel 140
for slot 1 from AP 00:1D:71:E1:76:90


ap:
*Jul 14 21:28:28.789: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Jul 14 21:28:28.790: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Jul 14 21:28:28.802: %LINK-5-CHANGED: Interface Dot11Radio0, changed state
to administratively down
*Jul 14 21:28:28.814: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state
to up
*Jul 14 21:28:28.814: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state
to up
*Jul 14 21:28:28.815: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state
to down
*Jul 14 21:28:28.816: CAPWAP_DETAIL: Vendor specific payload validated.
*Jul 14 21:28:28.816: CAPWAP_DETAIL: Vendor specific payload validated.
*Jul 14 21:28:28.848: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state
to up
*Jul 14 21:28:28.876: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state
to up
*Jul 14 21:28:28.907: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state
to up
*Jul 14 21:28:38.830: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Jul 14 21:28:39.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent
peer_ip: 172.16.3.2 peer_port: 5246
*Jul 14 21:28:39.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Jul 14 21:28:40.650: CAPWAP_DETAIL: Dtls Event = 39 Capwap State = 3.
*Jul 14 21:28:40.650: %CAPWAP-5-DTLSREQSUCC: DTLS connection created
sucessfully peer_ip: 172.16.3.2 peer_port: 5246
*Jul 14 21:28:40.652: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.3.2
*Jul 14 21:28:40.652: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*Jul 14 21:28:40.658: CAPWAP_DETAIL: Vendor specific payload validated.
*Jul 14 21:28:40.734: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
*Jul 14 21:28:40.734: %CAPWAP-3-ERRORLOG: Starting config timer
*Jul 14 21:28:40.741: %DTLS-5-ALERT: Received WARNING : Close notify alert
from 172.16.3.2
*Jul 14 21:28:40.741: %DTLS-5-PEER_DISCONNECT: Peer 172.16.3.2 has closed
connection.
*Jul 14 21:28:40.742: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert
to 172.16.3.2:5246
*Jul 14 21:28:40.742: CAPWAP_DETAIL: Dtls Event = 38 Capwap State = 8.



-- 
Best Regards,
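An added example (not part of the post above, and not Cisco's tooling) that turns the two debug excerpts into something a practitioner can run: it rejoins records that the mail client wrapped over two lines, collects the channels the controller refused per AP radio, and correlates that with the AP side reaching CFG and then being dropped. The sample input is a subset of the lines quoted in the post; the diagnosis text is this example's reading of them, consistent with the poster's regulatory-domain hypothesis but not a confirmed cause.

```python
import re
from collections import defaultdict

# Sample input: a subset of the controller and AP debug lines quoted in the post,
# including the mail-client line wrapping that splits one record over two lines.
CONTROLLER_LOG = """\
*Jul 14 21:28:15.497: 00:1d:71:e1:76:90 Received an unsupported channel 36
for slot 1 from AP 00:1D:71:E1:76:90
*Jul 14 21:28:15.497: 00:1d:71:e1:76:90 Received an unsupported channel 40
for slot 1 from AP 00:1D:71:E1:76:90
*Jul 14 21:28:15.500: 00:1d:71:e1:76:90 Received an unsupported channel 140
for slot 1 from AP 00:1D:71:E1:76:90
"""

AP_LOG = """\
*Jul 14 21:28:39.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Jul 14 21:28:40.652: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*Jul 14 21:28:40.734: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
*Jul 14 21:28:40.741: %DTLS-5-PEER_DISCONNECT: Peer 172.16.3.2 has closed
connection.
"""


def unwrap(log):
    """Rejoin wrapped records: a new record starts with the '*' timestamp marker,
    any other line is a continuation of the previous record."""
    records = []
    for line in log.splitlines():
        if line.startswith("*") or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records


UNSUPPORTED_RE = re.compile(
    r"Received an unsupported channel (?P<chan>\d+) for slot (?P<slot>\d+) "
    r"from AP (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
)
STATE_RE = re.compile(r"CAPWAP changed state to (\w+)")
DISCONNECT_RE = re.compile(r"%DTLS-5-PEER_DISCONNECT: Peer (\S+) has closed connection")


def unsupported_channels(controller_log):
    """Map (ap_mac, slot) -> sorted channels the controller refused for that radio."""
    found = defaultdict(set)
    for rec in unwrap(controller_log):
        m = UNSUPPORTED_RE.search(rec)
        if m:
            found[(m["mac"].lower(), int(m["slot"]))].add(int(m["chan"]))
    return {key: sorted(chans) for key, chans in found.items()}


def join_outcome(ap_log):
    """Return (CAPWAP states in order, controller IP that closed DTLS or None).
    A state line truncated by wrapping (no state name) is skipped, not guessed."""
    states, peer = [], None
    for rec in unwrap(ap_log):
        m = STATE_RE.search(rec)
        if m:
            states.append(m.group(1))
        d = DISCONNECT_RE.search(rec)
        if d:
            peer = d.group(1)
    return states, peer


def diagnose(controller_log, ap_log):
    """Correlate both sides. Channels refused for slot 1 (the 5 GHz radio) while
    the AP reaches CFG and is then dropped is consistent with the regulatory
    domain mismatch the poster suspects; confirm it on the controller's country
    and AP regulatory-domain settings rather than from the log alone."""
    findings = []
    for (mac, slot), chans in unsupported_channels(controller_log).items():
        findings.append(f"AP {mac} slot {slot}: controller refused channels {chans}")
    states, peer = join_outcome(ap_log)
    if "CFG" in states and peer is not None:
        findings.append(f"AP reached CFG, then {peer} closed DTLS: config phase rejected")
    return findings


if __name__ == "__main__":
    for finding in diagnose(CONTROLLER_LOG, AP_LOG):
        print(finding)
```

Feed it the full `debug capwap` output from both boxes (after `unwrap` the wrapping no longer matters) and the per-radio channel list tells you immediately whether only the 5 GHz radio is being refused, which is the pattern the post shows.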


[c-nsp] Cisco 12000 series routers and IOS XR.

2009-07-14 Thread James M. Wininger
Is anyone on the list running the Cisco 12000 Series routers with XR? We
have a couple of these in our network and are having a few issues with them.

Specifically the line cards will reboot for some unknown reason
(12000-SIP-501). We recently replaced one of the cards and the new hardware
(6mo old) is doing the same thing.

Anyone have issues with these routers?
-- 
Jim Wininger



Re: [c-nsp] CE routes

2009-07-14 Thread David Freedman
CE-PE subnets are part of VRF and thus cannot be inserted into the core IGP,
only in MP-BGP. It's way easier (and more scalable) to redistribute them
than to list them in the per-VRF BGP configuration.

On this note, does an MP-BGP redist [static|connected] instruction incur an 
extra RIB walk as you scale in terms of VRFs on a PE? Or is there a single 
walk, with RDs included/excluded based on the redist commands?

Dave.


David Freedman
Group Network Engineering 
Claranet Limited
http://www.clara.net



Re: [c-nsp] Maximum spannig tree instances

2009-07-14 Thread Phil Mayers

Jon Lewis wrote:

On Tue, 14 Jul 2009, Geoffrey Pendery wrote:


Yes.  We've verified this.
A trunk port carrying only VLAN 30, or even an access port carrying
only VLAN 30.
VLAN 30 is in instance 2.  You go into config mode and add VLAN 50 to
instance 2 (or remove it from instance 2)
The port, be it access or trunk, goes to blocking, learning, forwarding.


Well...screw that.  That would mean only making MST changes during 
maintenance windows.  I guess it's time to turn off VTP and stick with 
pvst.


Good choice.

MST is a junk standard. They missed a serious opportunity with it. But 
then it's the IEEE - frankly I'm amazed it didn't have a whacking great 
security hole in it.


R-PVST + manual VLAN management works like a charm here.


Re: [c-nsp] Disallowing sw tru all vlan X w/o add or remove (was: Maximum spannig tree instances)

2009-07-14 Thread Justin Shore

Gert Doering wrote:
Now: what happens if the TACACS server is unavailable?  The way we 
currently run the shop is there is a local username configured as 
fallback if TACACS doesn't respond - and people know that they get 
slapped if they use this user without good reason.


How would command authorization work in that case?


I think it would once again require the mighty hand of the Gert to slap 
his underling back into line.


I believe you can create an authorization list locally that simply 
permits all commands.  Then set that list as the backup to tacacs in the 
AAA config.  Like you said before, this is the backup plan in case the 
world is coming to an end.


I don't do AAA authorization yet but I do use TACACS and I fall back to 
a local user for authentication.  It's very handy.  That userid & passwd 
don't stray far from my hands.  I wouldn't make it something that's 
known to everyone though.  It would be a very select list.


Justin



[c-nsp] 7206VXR BGP Sessions

2009-07-14 Thread Paul Stewart
Hi there.

I need to move several hundred BGP sessions (low traffic peers, about 500
Mb/s combined) over to another box - have a 7206VXR with NPE1G and a 7206VXR
with NPE2G sitting spare at moment.  

How many sessions/traffic should the 1G and the 2G be able to handle
approximately?

Thanks,

Paul



Re: [c-nsp] Disallowing sw tru all vlan X w/o add or remove (was: Maximum spannig tree instances)

2009-07-14 Thread Phil Mayers

Justin Shore wrote:

Gert Doering wrote:
Now: what happens if the TACACS server is unavailable?  The way we 
currently run the shop is there is a local username configured as 
fallback if TACACS doesn't respond - and people know that they get 
slapped if they use this user without good reason.


How would command authorization work in that case?


I think it would once again require the mighty hand of the Gert to slap 
his underling back into line.


I believe you can create an authorization list locally that simply 
permits all commands.  Then set that list as the backup to tacacs in the 
AAA config.  Like you said before, this is the backup plan in case the 
world is coming to an end.


I don't do AAA authorization yet but I do use TACACS and I fall back to 
a local user for authentication.  It's very handy.  That userid & passwd 
don't stray far from my hands.  I wouldn't make it something that's 
known to everyone though.  It would be a very select list.


That might work in some places, and our auditors certainly seem to think 
there should only be 1 person with the router enable password (wtf?!) 
but we adopted a slightly more low-tech solution. It's not as sexy as 
running a TACACS server:


alias interface tagvlan switchport trunk allowed vlan add
alias interface detagvlan switchport trunk allowed vlan remove

...then:

conf t
int g1/1
  tagvlan 100,101
  detagvlan 200

...and just don't use the more dangerous commands.

I imagine something even more sophisticated could be done with the new 
EEM cli commands interface.


Does anyone know if this can be done without TACACS? Using CLI views or 
similar?

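The thread's question is how to let operators run the add/remove form of `switchport trunk allowed vlan` while refusing the bare form that replaces the whole list. As an added example (not from any poster, and not a real TACACS+ server), here is a first-match-wins rule evaluator in the style of a tac_plus `cmd = <word> { permit/deny <regex> }` block, so the rule ordering can be tested offline before it goes near a production AAA server. The policy table is constructed for this example; it assumes the command arrives fully expanded (no `sw tru all vlan` abbreviations) and that the first word is the TACACS+ cmd and the rest is cmd-arg.

```python
import re

# Constructed policy, in the spirit of a tac_plus "cmd = <word> { ... }" block.
# Rules for a command word are tried in order and the first match wins;
# a command word with no rules, or arguments matching no rule, is denied.
POLICY = {
    "switchport": [
        ("permit", r"^trunk allowed vlan (add|remove) [0-9,\-]+$"),
        ("deny",   r"^trunk allowed vlan(\s|$)"),  # bare list, all, none, except
        ("permit", r".*"),                          # any other switchport subcommand
    ],
    "configure": [("permit", r"^terminal$")],
    "interface": [("permit", r".*")],
    "show":      [("permit", r".*")],
    "exit":      [("permit", r".*")],
    "end":       [("permit", r".*")],
}
DEFAULT = "deny"


def split_command(line):
    """Split one command line into the command word and its argument string,
    the two pieces a TACACS+ authorization request carries as cmd and cmd-arg."""
    parts = line.strip().split(None, 1)
    if not parts:
        return "", ""
    return parts[0], (parts[1] if len(parts) > 1 else "")


def authorize(line, policy=POLICY):
    """Decide permit/deny for one fully expanded IOS command line."""
    cmd, args = split_command(line)
    for action, pattern in policy.get(cmd, []):
        if re.match(pattern, args):
            return action
    return DEFAULT


def evaluate_session(lines, policy=POLICY):
    """Run a whole session through the policy; returns [(line, decision)]."""
    return [(line, authorize(line, policy)) for line in lines]


def denied(lines, policy=POLICY):
    """Just the lines the policy would refuse, for a quick dry run."""
    return [line for line, decision in evaluate_session(lines, policy)
            if decision == "deny"]


if __name__ == "__main__":
    session = [
        "configure terminal",
        "interface GigabitEthernet1/1",
        "switchport trunk allowed vlan add 100,101",
        "switchport trunk allowed vlan remove 200",
        "switchport trunk allowed vlan 100",     # the dangerous bare form
        "switchport trunk allowed vlan all",
        "end",
    ]
    for line, decision in evaluate_session(session):
        print(f"{decision:6} {line}")
```

The ordering matters: the add/remove permit has to sit above the broad `trunk allowed vlan` deny, and the catch-all permit for other `switchport` subcommands below both; swapping the first two silently turns the rule into "deny everything" for that subtree, which is why a dry run like this belongs in the change process.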


[c-nsp] Ethernet Loopback plug on an ME3400

2009-07-14 Thread Jason Lixfeld
Is there anything special one needs to do in order to get an ethernet  
loopback plug to bring a port on an ME3400 up/up?  In a 3550 it works  
fine, but on an ME, no joy.  Does the port need to be in any specific  
mode (UNI/NNI) or some other voodoo?  I can't imagine that the MEs  
would just detect it and kill it.



Re: [c-nsp] Disallowing sw tru all vlan X w/o add or remove

2009-07-14 Thread Peter Rathlev
On Tue, 2009-07-14 at 22:33 +0200, Gert Doering wrote:
 Now: what happens if the TACACS server is unavailable?  The way we 
 currently run the shop is there is a local username configured as 
 fallback if TACACS doesn't respond - and people know that they get 
 slapped if they use this user without good reason.
 
 How would command authorization work in that case?

You can have if-authenticated as fall back mechanism. Kind of like a
local permit any authorization list.

aaa authorization exec METHOD group tacacs+ if-authenticated 
aaa authorization commands 0 METHOD group tacacs+ if-authenticated 
aaa authorization commands 15 METHOD group tacacs+ if-authenticated 

Currently we only allow if-authenticated on the console port. After a
few funny situations the past year I'm seriously considering just
enabling it for VTYs also. I'm not exactly sure why I haven't done this
yet, but there's something inside my head telling me that there's some
security aspect here. I just can't think of it. :-)

Regards,
Peter


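The security aspect Peter is reaching for is that `if-authenticated` turns "TACACS+ unreachable" into "every authenticated session is fully authorized", and once the local fallback user is in play that is a full bypass of command authorization from any VTY. As an added example (not from the post, and not a Cisco tool), this small audit parses an IOS-style configuration and reports every VTY line whose exec or command authorization would be decided by `if-authenticated` or `none`, or by no method list at all. The configuration is constructed for the example; the parser assumes the IOS convention that a line without its own `authorization` statement uses the `default` list, and that a missing list means no authorization is performed for that kind.

```python
import re

# Constructed configuration for the example: console keeps the fallback,
# vty 0 4 is strict, vty 5 15 accidentally reuses the console lists, and
# vty 16 31 has no authorization statements and no default list exists.
CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec CONSOLE group tacacs+ if-authenticated
aaa authorization commands 15 CONSOLE group tacacs+ if-authenticated
aaa authorization exec VTY group tacacs+
aaa authorization commands 15 VTY group tacacs+
!
line con 0
 authorization exec CONSOLE
 authorization commands 15 CONSOLE
line vty 0 4
 authorization exec VTY
 authorization commands 15 VTY
line vty 5 15
 authorization exec CONSOLE
 authorization commands 15 CONSOLE
line vty 16 31
 transport input ssh
"""

AAA_RE = re.compile(r"^aaa authorization (exec|commands (\d+)) (\S+) (.+)$")
LINE_RE = re.compile(r"^line (con|vty|aux) ?(.*)$")
LINE_AUTHZ_RE = re.compile(r"^ authorization (exec|commands (\d+)) (\S+)$")

# Methods that can grant authorization without the TACACS+ server's decision.
WEAK = {"if-authenticated", "none"}


def parse(config):
    """Return ({(kind, list name): [methods]}, [(line type, range, {kind: list})])."""
    method_lists = {}
    line_sections = []
    current = None
    for raw in config.splitlines():
        m = AAA_RE.match(raw)
        if m:
            method_lists[(m.group(1), m.group(3))] = m.group(4).split()
            continue
        m = LINE_RE.match(raw)
        if m:
            current = (m.group(1), m.group(2).strip(), {})
            line_sections.append(current)
            continue
        if raw.startswith(" ") and current is not None:
            m = LINE_AUTHZ_RE.match(raw)
            if m:
                current[2][m.group(1)] = m.group(3)
        else:
            current = None  # any other top-level statement ends the line section
    return method_lists, line_sections


def audit(config, kinds=("exec", "commands 15")):
    """One finding per (line, kind) where a remote session's authorization can
    be granted without the TACACS+ server. Console lines are skipped, matching
    the post's policy of allowing the fallback there only."""
    method_lists, line_sections = parse(config)
    findings = []
    for ltype, rng, authz in line_sections:
        if ltype == "con":
            continue
        for kind in kinds:
            name = authz.get(kind, "default")
            methods = method_lists.get((kind, name))
            if methods is None:
                findings.append((f"line {ltype} {rng}", kind, name, ["<no method list>"]))
                continue
            weak = [m for m in methods if m in WEAK]
            if weak:
                findings.append((f"line {ltype} {rng}", kind, name, weak))
    return findings


if __name__ == "__main__":
    for line, kind, name, why in audit(CONFIG):
        print(f"{line}: {kind} uses list {name!r}: {', '.join(why)}")
```

Run against a real `show running-config` the only adjustments are the command levels you actually authorize (the `kinds` argument) and whether `aux` should be treated like the console.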


[c-nsp] ISIS Mesh group question

2009-07-14 Thread Ibrahim Abo Zaid
Hi All

I have a question about ISIS mesh groups, which are used to reduce LSP
flooding in full-mesh p2p environments. That means we lose redundancy for the
sake of LSP flooding reduction, hence it affects forwarding and traffic is
forced to inactive interfaces or interfaces in different groups only.

is that right ?

best regards
--Ibrahim


[c-nsp] SA-VAM NPE-200

2009-07-14 Thread Kris Amy
Hi,

Just wondering if this combination works. The documentation says an NPE225 is 
required, however I'm wondering if that is just a warning or an actual 
requirement...

--
Kind Regards,
Kris Amy
Enterprise IP
Phone: 07 3123 5510
National: 1300 347 287
Fax: 1300 347 329
Direct: 07 3123 5511
Email: kris@eip.net.au



Re: [c-nsp] Ethernet Loopback plug on an ME3400

2009-07-14 Thread Clinton Work


Maybe you need to disable MDX on the FastE port which is preventing the 
port from coming up.
http://tinyurl.com/npuuwt

Jason Lixfeld wrote:
Is there anything special one needs to do in order to get an ethernet 
loopback plug to bring a port on an ME3400 up/up?  In a 3550 it works 
fine, but on an ME, no joy.  Does the port need to be in any specific 
mode (UNI/NNI) or some other voodoo?  I can't imagine that the MEs 
would just detect it and kill it.




--
==
Clinton Work
Airdrie, AB




Re: [c-nsp] ASA IPsec Tunnel Failover

2009-07-14 Thread Prabhu Gurumurthy
Oh I mean use BGP over IPsec, with BGP behind the ASA firewalls and  
yes, ASA supports OSPF and RIP only AFAIK.



On Jul 13, 2009, at 1:14 PM, Munoz, Jeff wrote:

Hey guys, I have two main sites (site A and site B) and one remote  
site (site C).  Sites A and B have a metroethernet connection  
between them.  Remote site C has an IPsec tunnel back to site A.   
I'd like to setup failover so in case site A's ASA is down the  
remote site C ASA sends the interesting traffic down the site B  
IPsec tunnel.  Unfortunately, it will always match the tunnel to  
site A since the phase 2 access lists have the same source/ 
destinations.  Any ideas on how I can do this?


Thanks!

Jeff


Re: [c-nsp] Maximum spannig tree instances

2009-07-14 Thread Christopher E. Brown
Tim Durack wrote:
 On Tue, Jul 14, 2009 at 2:22 PM, Geoffrey Pendery ge...@pendery.net wrote:
 
 Will adding new VLANs to an MST instance disrupt traffic flow for other
 VLANs in that MST instance?
 Yes.  We've verified this.
 A trunk port carrying only VLAN 30, or even an access port carrying
 only VLAN 30.
 VLAN 30 is in instance 2.  You go into config mode and add VLAN 50 to
 instance 2 (or remove it from instance 2)
 The port, be it access or trunk, goes to blocking, learning, forwarding.

 
 ...and if that doesn't make you nervous, you probably shouldn't be running
 spanning-tree...
 
 Tim:


Come on guys, study the proto a little before going off.



In order for MST to work all members of an MST domain *MUST* agree on
the VLAN - MST group mapping.


If you change the mapping it must update across all members of the domain.

YOU ARE REDEFINING THE STP TOPOLOGY


_Pick a topology_


MST group pre-assign...


0   VLAN 1
1   VLAN 2-999
2   VLAN 1000-1999
3   VLAN 2000-2999
4   VLAN 3000-3999
5   VLAN 4000-4094


Or whatever grouping you want, even/odd, by hundreds, whatever.



You are now free to pick a different root and set link costs for each of
the groups independent of the others, just like pvst but by group.


If you *cannot* manage vlans by group, then stick with a rapid per vlan
variant.


If you need to move vlans in bulk across the core, and can afford to
pre-assign membership in the group then MST can be lower overhead.


The only real rules here

Leave group zero for vlan one *only*

If you have to change the base MST config more than once a year you are
not planning correctly, or you should not be using MST.



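An added example (not from the post, and not Cisco code) that makes the pre-assignment argument above checkable: it expands the instance-to-VLAN table into a full VLAN-to-instance map, refuses a VLAN listed in two instances, reports which VLANs have been left in instance 0, and, for a proposed "move VLAN X into instance N", returns the VLANs that would re-converge. The impact set is a conservative reading of the thread's report (adding VLAN 50 to instance 2 cycled a port carrying only VLAN 30): at least every other VLAN in the old and the new instance. The pre-assignment table is the one from the post; the ad-hoc mapping is constructed.

```python
def parse_vlan_list(spec):
    """Expand an IOS-style VLAN list ('2-999,1500,4000-4094') into a set."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"bad VLAN range: {part}")
        vlans.update(range(lo, hi + 1))
    return vlans


def build_mapping(instances):
    """instances: {instance number: VLAN list}, as written under
    'spanning-tree mst configuration' with 'instance N vlan ...'.
    Every VLAN not listed stays in instance 0 (the CIST)."""
    vlan_to_inst = {v: 0 for v in range(1, 4095)}
    for inst, spec in instances.items():
        for v in parse_vlan_list(spec):
            if vlan_to_inst[v] not in (0, inst):
                raise ValueError(
                    f"VLAN {v} is mapped to both instance {vlan_to_inst[v]} and {inst}")
            vlan_to_inst[v] = inst
    return vlan_to_inst


def impact_of_move(vlan_to_inst, vlan, new_inst):
    """VLANs that would re-converge if `vlan` were moved into `new_inst`.
    Conservative lower bound from the thread's report: every other VLAN in the
    old instance and in the new one. An empty set means the VLAN is already
    where it belongs, so no change to the region configuration is needed."""
    old = vlan_to_inst[vlan]
    if old == new_inst:
        return set()
    return {v for v, i in vlan_to_inst.items() if i in (old, new_inst) and v != vlan}


def strays_in_cist(vlan_to_inst):
    """VLANs other than 1 left in instance 0. Each of these will need the
    disruptive remap later; the pre-assignment scheme exists to avoid that."""
    return sorted(v for v, i in vlan_to_inst.items() if i == 0 and v != 1)


# The pre-assignment table from the post above (instance 0 keeps VLAN 1 only).
PREASSIGNED = {1: "2-999", 2: "1000-1999", 3: "2000-2999",
               4: "3000-3999", 5: "4000-4094"}

# Constructed ad-hoc mapping of the kind the thread reports trouble with:
# only VLAN 30 has been placed, everything else still sits in the CIST.
ADHOC = {2: "30"}


if __name__ == "__main__":
    pre = build_mapping(PREASSIGNED)
    print("pre-assigned, strays in CIST:", len(strays_in_cist(pre)))
    print("pre-assigned, VLAN 50 -> instance 1 affects:", len(impact_of_move(pre, 50, 1)))
    adhoc = build_mapping(ADHOC)
    print("ad-hoc, strays in CIST:", len(strays_in_cist(adhoc)))
    print("ad-hoc, VLAN 50 -> instance 2 affects:", len(impact_of_move(adhoc, 50, 2)))
```

With the pre-assigned table a new VLAN 50 lands in instance 1 with no configuration change at all, so the impact set is empty; with the ad-hoc table the same provisioning step touches instances 0 and 2, which between them hold every other VLAN on the switch.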