Re: [c-nsp] Disallowing sw tru all vlan X w/o add or remove
Hi,

On Wed, Jul 15, 2009 at 02:09:17AM +0200, Peter Rathlev wrote:
> Currently we only allow if-authenticated on the console port. After a few funny situations the past year I'm seriously considering just enabling it for VTYs also. I'm not exactly sure why I haven't done this yet, but there's something inside my head telling me that there's some security aspect here. I just can't think of it. :-)

Well, one angle of attack could be...

- null-route the TACACS server IP
- instant full access

Of course the null-route command would be visible in TACACS command accounting, so you know whom to slap :-)

gert
--
USENET is *not* the non-clickable part of WWW!  //www.muc.de/~gert/
Gert Doering - Munich, Germany  g...@greenie.muc.de
fax: +49-89-35655025  g...@net.informatik.tu-muenchen.de

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Maximum spanning tree instances
Hi,

On Tue, Jul 14, 2009 at 08:58:53PM -0800, Christopher E. Brown wrote:
> Come on guys, study the proto a little before going off.

We did...

> In order for MST to work all members of an MST domain *MUST* agree on the VLAN - MST group mapping. If you change the mapping it must update across all members of the domain. YOU ARE REDEFINING THE STP TOPOLOGY

... and that's just not workable for Real Networks that undergo daily changes, and have wildly differing VLAN topologies. Especially the latter one (due to traffic reasons, we have to move the STP active link for VLAN 714 to *this* trunk).

gert
Re: [c-nsp] Give Cisco your feedback on the new download experience at tacwebsur...@cisco.com (was: several heart-felt flames regarding the mess that is the Cisco.com download experience)
On (2009-07-14 14:57 -0400), Jared Mauch wrote:
> I'm having a call with some people in a few minutes, I will share what is feasible to share once it's completed.

While I subscribe to the download manager hate, it doesn't bother me nearly as much as the unusable bugtool since the last upgrade two years ago. Prior to the upgrade, I could solve maybe 1/3 of my cases without involving TAC. At that time, I thought bugtool was incredibly poorly implemented; little did I know that it could get worse, much worse.

Why bugtool bothers me more is that I have software defects more often than I need to upgrade boxes (new IOS maybe 3-4 times a year, but defects several per week, as I open a case for everything out of the ordinary), and if worst comes to worst I can always email my SE to fetch me the latest IOS, but the sucky bugtool is seriously hurting the time it takes for me to solve an issue.

I don't think the bugtool can carry that large an amount of data that it can't be indexed with a modern machine in acceptable time, delivering instant searches without any qualifiers. The forced qualifying they now have is annoying, as the bugs are tagged so poorly it makes you miss them; even choosing just the main train can lead you off (after you've waited 20 min to get the results).

Also, how on earth can the bugs be tagged so poorly? I don't think it would be a large change process or DE effort when fixing a bug to give the commit ID for the fix and the commit ID for the change which caused the bug, allowing software to give a perfect list of affected, non-affected and fixed IOS'.

So if people are making some stand to CSCO about the download manager, it would be nice to include bugtool in the cry also.

Thanks,
--
  ++ytti
Re: [c-nsp] Stability of 12.2(33)SRD?
On Tue, July 14, 2009 07:46, Stephen Fulton wrote:
> I'm looking for thoughts on the stability of 12.2(33)SRD releases (latest is SRD2) in general, as well as any experiences running it on the 7600/RSP720 series. I'm connecting a SIP400/SPA-5x1GEv2 to a CWDM network, and only SRD supports the CWDM SFP's on the SIP400. Yay.

For proper CWDM SFP support on that platform, you might want to wait for SRD2a (due Jul 20th) or SRD3, which include a fix for an annoying issue where original CWDM SFPs from Cisco (recently produced ones starting from a particular serial number) are not recognised properly and don't work - CSCsv79583.

-jr
Re: [c-nsp] Give Cisco your feedback on the new download experience at tacwebsur...@cisco.com (was: several heart-felt flames regarding the mess that is the Cisco.com download experience)
On Wed, 15 Jul 2009, Saku Ytti wrote:
> While I subscribe to the download manager hate, it doesn't bother me nearly as much as unusable bugtool since the last upgrade two years ago.
> [...]
> So if people are making some stand to CSCO about download manager, it would be nice to include bugtool in the cry also.

I guess cisco-nsp has become a soapbox for catharsis in regards to Cisco - but everyone should realize that is about all it is. Cisco has no interest in fixing their download or bugtool problems. It is a simple matter of cost cutting and budgets and taking the cheapest offer or hiring the cheapest labor. So keep filling out those feedback forms and calling your Cisco bigwig friends. If that makes you feel any better, go for it.

Me - I've moved on as many others have.

Regards,
Hank
Re: [c-nsp] Maximum spanning tree instances
Gert Doering wrote:
> On Tue, Jul 14, 2009 at 08:58:53PM -0800, Christopher E. Brown wrote:
>> In order for MST to work all members of an MST domain *MUST* agree on the VLAN - MST group mapping. If you change the mapping it must update across all members of the domain. YOU ARE REDEFINING THE STP TOPOLOGY
>
> ... and that's just not workable for Real Networks that undergo daily changes, and have wildly differing VLAN topologies. Especially the latter one (due to traffic reasons, we have to move the STP active link for VLAN 714 to *this* trunk).
>
> gert

Exactly, MST only applies when you can group the vlans _long term_, and this only happens when individual VLANs are a small percentage of traffic. The traffic routing ability is limited to the _group_. If this does not apply, then a per vlan variant is needed.

I use both: complex large flow per vlan is rapid per vlan, bulk distribution domains are MST with pre-assigned use per group.
Re: [c-nsp] cisco-nsp Digest, Vol 80, Issue 49
Dear friend, I need a crack... IPswitch WhatsUp Gold 11

On Tue, Jul 14, 2009 at 8:27 PM, Matlock, Kenneth L matlo...@exempla.org wrote:
> The serial numbers can be found here: http://www.whatsupgold.com/
>
> Ken Matlock
> Network Analyst
> Exempla Healthcare
> (303) 467-4671
> matlo...@exempla.org
>
> -----Original Message-----
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Digambar. Giri
> Sent: Tuesday, July 14, 2009 8:29 AM
> To: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] cisco-nsp Digest, Vol 80, Issue 49
>
>> Dear friends please provide IPswitch WhatsUp Gold 11 serial key NMs...
>>
>> On 7/14/09, cisco-nsp-requ...@puck.nether.net wrote:
>>> Send cisco-nsp mailing list submissions to cisco-nsp@puck.nether.net
>>> To subscribe or unsubscribe via the World Wide Web, visit https://puck.nether.net/mailman/listinfo/cisco-nsp or, via email, send a message with subject or body 'help' to cisco-nsp-requ...@puck.nether.net
>>> You can reach the person managing the list at cisco-nsp-ow...@puck.nether.net
>>> When replying, please edit your Subject line so it is more specific than "Re: Contents of cisco-nsp digest..."
>>>
>>> Today's Topics:
>>> 1. Re: Software Download Area is Unavailable at this time (Gert Doering)
>>> 2. Block URL ACCESS LIST (Mohammad Khalil)
>>> 3. Re: multiple vlans on a port (Gert Doering)
>>> 4. Re: Block URL ACCESS LIST (mas...@nexlinx.net.pk)
>>> 5. Re: IPv6 iBGP Route Reflector (Steve Bertrand)
>>> 6. Re: ASA IPsec Tunnel Failover (Forrest, Michael E.)
>>> 7. Re: ASA IPsec Tunnel Failover (a.l.m.bu...@lboro.ac.uk)
>>> 8. Re: Maximum spanning tree instances (Geoffrey Pendery)
>>>
>>> -- Message: 1
>>> Date: Tue, 14 Jul 2009 10:56:48 +0200
>>> From: Gert Doering g...@greenie.muc.de
>>> To: Phil Mayers p.may...@imperial.ac.uk
>>> Cc: Gert Doering g...@greenie.muc.de, cisco-nsp@puck.nether.net, Jared Mauch ja...@puck.nether.net
>>> Subject: Re: [c-nsp] Software Download Area is Unavailable at this time
>>> Message-ID: 20090714085648.gd...@greenie.muc.de
>>>
>>> Hi,
>>>
>>> On Tue, Jul 14, 2009 at 09:16:23AM +0100, Phil Mayers wrote:
>>>> But can I just make a recommendation to everyone here: next time you go out to competitive tender, specify the nature of docs software availability. List HTTP downloads without client software or plugins as a mandatory requirement.
>>>
>>> While this is a nice idea to cause some pressure, I can't see it as overly realistic - if I have a router A that will fulfill everything that we need, and a router B that will only do 80% and at the same time costs 20% more, but has a better company web interface, I think it's very unlikely that their web download thingie will change our decision.
>>>
>>> (Besides, most competitors' web sites and software download processes are even worse)
>>>
>>> gert
>>>
>>> -- Message: 2
>>> Date: Tue, 14 Jul 2009 12:48:52 +0300
>>> From: Mohammad Khalil eng_m...@hotmail.com
>>> To: cisco-nsp@puck.nether.net
>>> Subject: [c-nsp] Block URL ACCESS LIST
>>> Message-ID: blu102-w20d319d228a429d7f5b1f9fa...@phx.gbl
>>>
>>> How can I block a URL using an access-list?
>>>
>>> -- Message: 3
>>> Date: Tue, 14 Jul 2009 11:49:11 +0200
>>> From: Gert Doering g...@greenie.muc.de
>>> To: Matthew Huff mh...@ox.com
>>> Cc: cisco-nsp@puck.nether.net
>>> Subject: Re: [c-nsp] multiple vlans on a port
>>> Message-ID: 20090714094911.gh...@greenie.muc.de
>>>
>>> Hi,
>>>
>>> On Mon, Jul 13, 2009 at 06:38:23PM -0400, Matthew Huff wrote:
>>>> Also, with 802.1q framing, you might run into fragmentation on the non-native VLANs. You may want to adjust the MTU on the virtual machines if Linux doesn't do it automatically.
>>>
>>> There are a few broken NIC cards on the Linux side that have issues with baby-jumbo packets (1500 + 4 byte for 802.1q header). Decent gear - and that's what you want to use on a
Re: [c-nsp] c877 and ntp oddness
Hi,

* David Freedman david.freed...@uk.clara.net wrote:
> Have a bizarre NTP issue with 877 routers running 12.4(T) train.
> - Only seems to affect a small percentage of 877 routers; 878s, 1800s, 2800s seem to be fine

A coworker reported the exact same behavior a couple of weeks ago. They got 87x routers with a new hardware revision; these routers do not sync with ntp anymore. TAC case is open, but nothing concrete so far.

Christian
[c-nsp] Block https
I want to block the url https://www.facebook.com without using NBAR. Using access-lists??

And if I want to block based on the IP address, it has a lot of IP addresses (I don't want to block a whole class). And the cache only blocks based on HTTP port 80.
Re: [c-nsp] Block https
Hi

One I used a while ago to test was the below:

    ip urlfilter allow-mode on
    ip urlfilter exclusive-domain deny www.theregister.co.uk

It is a while since I've used this, but you can check the Cisco Docs for the ip urlfilter feature. If you want to block based on IP, just use access lists as normal to block traffic to that IP.

Regards
Kev

Kev Barrass | YHMAN Operations Team [www.yhman.net.uk]

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mohammad Khalil
Sent: 15 July 2009 08:44
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Block https

> I want to block the url https://www.facebook.com without using NBAR. Using access-lists?? And if I want to block based on the IP address, it has a lot of IP addresses (I don't want to block a whole class). And the cache only blocks based on HTTP port 80.
Re: [c-nsp] Where to buy What's Up Gold
Maybe not crack, but it might work: http://www.clubsmokey.nl/.

Listen kid, your question is clearly not on topic here even though it does have some entertainment value. You make yourself look like a stupid 11 year old kid. If you really want to use What's Up Gold then go to http://www.whatsupgold.com/online-shop/ and see if you can figure out how it works.

You should also seriously consider the consequences of posting questions like these to a public mailing list with your real name. It is standard practice for potential employers to e.g. google your name before hiring you.

Regards,
Peter

On Wed, 2009-07-15 at 12:54 +0530, Digambar. Giri wrote:
> Dear friend, I need a crack... IPswitch WhatsUp Gold 11
>
> On Tue, Jul 14, 2009 at 8:27 PM, Matlock, Kenneth L matlo...@exempla.org wrote:
>> The serial numbers can be found here: http://www.whatsupgold.com/
>> [...]
>>> Dear friends please provide IPswitch WhatsUp Gold 11 serial key NMs...
>>> ...
>
> --
> Regards,
> Digambar Giri
> +91- 9975776368
Re: [c-nsp] MST config on single 3560
The standard is IEEE 802.1s. Don't change anything in your interface config; MST instance and VLAN association is a global config. If you plan to migrate to MST on your side, make sure you will migrate to MST with your client ;)

On Tue, Jul 14, 2009 at 6:57 AM, m...@adv.gcomm.com.au wrote:
> Hi,
>
> We have existing 3560's with multiple trunk ports to clients+upstreams - we will go very close to hitting the 128 STP instance limit, therefore MST looks to be like an option (without upgrading the switches). The 3560's also have a trunk port to 7200's (for dot1q subints), for clients that require L3 connectivity.
>
> I'm just a little unsure how to group vlans into separate instances (or if it is entirely necessary?), i.e. GE0/1 (from Provider A) has:
>
>     interface GigabitEthernet0/1
>      description GIGE_ICAP_INTERNETCONNECT_TO_PROVIDER_A
>      switchport trunk allowed vlan 112,172,208,211,240,309,315,385,537,547,550-552
>      switchport trunk allowed vlan add 554,623,635,687,690,694,696,697,867,879,980
>      switchport mode trunk
>
> These vlan's are allocated by the provider and represent individual services - these vlans are then either presented on client trunk ports for L2 services, or added to the trunk port to the 7200 for L3 services. So as you can see, there is no standard for how the individual vlan's are treated, nor which trunk port they may be presented on. Hoping someone can provide guidance on how best to manage this?
>
> Thanks in advance.
[c-nsp] Siemens
I have a Siemens WiMAX CPE (Gigaset SX682). I cannot access the web interface using the default password admin; it always prompts that it's incorrect, and I need a user manual. Can anyone help?
Re: [c-nsp] Block https
Man, that's pretty straightforward. All you needed is http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080ab4ddb.shtml

If I am remembering correctly, you can block https using a proxy/cache server; if it is Squid then I can help you.

Regards,
Masood

> Hi
>
> One I used a while ago to test was the below:
>
>     ip urlfilter allow-mode on
>     ip urlfilter exclusive-domain deny www.theregister.co.uk
>
> It is a while since I've used this, but you can check the Cisco Docs for the ip urlfilter feature. If you want to block based on IP, just use access lists as normal to block traffic to that IP.
>
> Regards
> Kev
> [...]
Re: [c-nsp] c877 and ntp oddness
Would you mind sharing the TAC SR with me? About to open my own, and it would help me lots if my request is in sync (pun intended) with yours.

David.

Christian Zeng wrote:
> A coworker reported the exact same behavior a couple of weeks ago. They got 87x routers with a new hardware revision; these routers do not sync with ntp anymore. TAC case is open, but nothing concrete so far.
>
> Christian
Re: [c-nsp] cisco-nsp Digest, Vol 80, Issue 49
A few things.

1) I'm not your 'friend'. My friends actually PAY for what they use, not try outright theft (and advertise it on a public forum!)
2) This has nothing to do with Cisco equipment
3) If you want a monitoring package, I'd suggest either paying for it, or using one of the many open-source packages out there. Look through the archives and you'll find plenty of discussions about them.

Some people's kids.

Ken Matlock
Network Analyst
Exempla Healthcare
(303) 467-4671
matlo...@exempla.org

From: Digambar. Giri [mailto:digambar.g...@gmail.com]
Sent: Wed 7/15/2009 1:24 AM
To: Matlock, Kenneth L
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] cisco-nsp Digest, Vol 80, Issue 49

> Dear friend, I need a crack... IPswitch WhatsUp Gold 11
>
> On Tue, Jul 14, 2009 at 8:27 PM, Matlock, Kenneth L matlo...@exempla.org wrote:
>> The serial numbers can be found here: http://www.whatsupgold.com/
>> [...]
>>> Dear friends please provide IPswitch WhatsUp Gold 11 serial key NMs...
>>> [...]
Re: [c-nsp] Block https
You cannot block HTTPS on the router with anything but the IP-based access lists because (by definition) the HTTP request (which the URL filter, content filter or NBAR recognizing HTTP uses) is encrypted.

If you want to block HTTPS requests for particular hosts, you need an HTTP proxy which intercepts the CONNECT requests and allows/denies them. You could force the users to go through a proxy by blocking direct Internet access for ports 80 through 443.

However, to block HTTPS access to Facebook, the easiest thing to do is this:

* do a DNS lookup for www.facebook.com
* do a WHOIS query for the IP address
* at the moment facebook does not use distributed CDN, so the IP address is within the IP address range allocated to Facebook Inc.
* block the whole address range assigned to them.

... And keep in mind that this is a whack-a-mole game ;)

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

-----Original Message-----
From: mas...@nexlinx.net.pk [mailto:mas...@nexlinx.net.pk]
Sent: Wednesday, July 15, 2009 1:03 PM
To: Kevin Barrass
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Block https

> Man, that's pretty straightforward. All you needed is http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080ab4ddb.shtml
>
> If I am remembering correctly, you can block https using a proxy/cache server; if it is Squid then I can help you.
>
> Regards,
> Masood
> [...]
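Ivan's DNS / WHOIS / block-the-range recipe, written out as an added example (not Ivan's or any other poster's code): it turns a WHOIS NetRange into the minimal CIDR blocks, emits the IOS extended ACL lines that deny TCP/443 to them with the inverse masks IOS expects, and offers a narrower fallback that merges only the resolved hosts, so you never have to block a whole class. The addresses and WHOIS text are constructed from the RFC 5737 documentation range, the function and ACL names are mine, and the re-check function is the whack-a-mole part: run it against newly resolved addresses to see whether the existing blocks still cover them.

```python
import ipaddress
import re

# Constructed inputs (RFC 5737 documentation addresses, not any real site's ranges):
# what a DNS lookup of the site returned, and the answer from the WHOIS query.
RESOLVED = ["203.0.113.10", "203.0.113.11", "203.0.113.20"]
WHOIS_TEXT = """\
NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
NetName:        EXAMPLE-NET
"""


def networks_from_whois(text):
    """Turn the WHOIS NetRange line into the minimal list of CIDR blocks."""
    m = re.search(r"NetRange:\s*([\d.]+)\s*-\s*([\d.]+)", text)
    if not m:
        raise ValueError("no NetRange in WHOIS output")
    first, last = (ipaddress.IPv4Address(a) for a in m.groups())
    return list(ipaddress.summarize_address_range(first, last))


def networks_from_hosts(addresses):
    """Fallback when you do not want the whole allocation: block only the
    resolved hosts, merged into as few prefixes as possible."""
    return list(ipaddress.collapse_addresses(
        ipaddress.IPv4Network(a) for a in addresses))


def wildcard(net):
    """IOS ACLs take inverse masks: a /24 is written as 0.0.0.255."""
    return str(net.hostmask)


def deny_https_acl(name, networks):
    """Named extended ACL that drops TCP/443 to the blocks and permits the rest."""
    lines = [f"ip access-list extended {name}"]
    for net in networks:
        lines.append(f" deny tcp any {net.network_address} {wildcard(net)} eq 443")
    lines.append(" permit ip any any")
    return lines


def is_blocked(ip, networks):
    """Re-check a (newly resolved) address against the blocks in force."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    blocks = networks_from_whois(WHOIS_TEXT)
    print("\n".join(deny_https_acl("BLOCK-HTTPS", blocks)))
    print([str(n) for n in networks_from_hosts(RESOLVED)])
    print(is_blocked("203.0.113.200", blocks), is_blocked("198.51.100.1", blocks))
```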
Re: [c-nsp] Maximum spanning tree instances
On Tue, Jul 14, 2009 at 3:45 AM, a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>> ... but it doesn't say anything about the number of STP instances.
>
> things go wonky when you have more than 1800 virtualports per slot (which you didnt quite reach) (1200 on older eg 100mbit blades) with 13,000 in total (PVST+), 10,000 in total (RPVST+)

As a matter of coincidence, I've been in talks recently with our local Cisco SEs for some 6k5/3750E design, mostly discussing RSTP vs MST. I have asked about the 1800 virtual ports per blade limit and they say this only applies to 61xx and 63xx cards - the 65xx and 67xx have no such limit. There is a ddts that a message erroneously warning of exceeding 1800 virtual ports on a 67xx is removed since SXI (or SXI1 it was).

Re MST vs RSTP... the worst case in MST for us is that once you get any tiny irregularity on a port, it gets to interoperability mode, which means the port is calculated against CIST (MST0). And then, any issue or TCN you have, everything gets propagated to all remaining instances, causing MAC table flushes and other nice stuff for the *whole* infrastructure.

We had an idea of having two independent MST domains interconnected by a (VSS/Multichassis Etherchannel) trunk, so we could have STP events contained within a single physical location. But with respect to the above, the trunk would be in the interop mode, amplifying all events instead of separating the domains. We could have had BPDU filter to solve this on the trunk, but obviously would lose loop prevention because of that.

And not speaking of the MST experience we had building a large-scale Metro Ethernet network, with many access rings. We have repeatedly seen BPDUs transported via EoMPLS pseudowires in 3750ME based rings causing NNI trunks (running MST) to get into P2P Edge mode and thus bringing the whole ring down. Yes, this is more due to the pretty weird MPLS implementation on the 3750ME, but nicely showing MST weaknesses...

So far, MST has become a no-go for us unless there's a *very* strong scaling requirement.

--
deejay
Re: [c-nsp] Maximum spanning tree instances
Well sure, I'm aware of the logic behind the behavior - I'm not saying it's a bug. But the result is that it is a good choice protocol for a very specific scenario, while RPVST is a much superior choice for certain other scenarios. So having been provided with a lovely open standard car and a proprietary boat, we're understandably vexed to be told we must cross the ocean in cars - since they're open standard.

-Geoff

On Tue, Jul 14, 2009 at 11:58 PM, Christopher E. Brown <chris.br...@acsalaska.net> wrote:
> Tim Durack wrote:
> > On Tue, Jul 14, 2009 at 2:22 PM, Geoffrey Pendery <ge...@pendery.net> wrote:
> > > Will adding new VLANs to an MST instance disrupt traffic flow for other VLANs in that MST instance?
> >
> > Yes. We've verified this. A trunk port carrying only VLAN 30, or even an access port carrying only VLAN 30. VLAN 30 is in instance 2. You go into config mode and add VLAN 50 to instance 2 (or remove it from instance 2). The port, be it access or trunk, goes to blocking, learning, forwarding.
> >
> > ...and if that doesn't make you nervous, you probably shouldn't be running spanning-tree...
> >
> > Tim:
>
> Come on guys, study the proto a little before going off.
>
> In order for MST to work all members of an MST domain *MUST* agree on the VLAN - MST group mapping. If you change the mapping it must update across all members of the domain. YOU ARE REDEFINING THE STP TOPOLOGY
>
> _Pick a topology_
>
> MST group pre-assign...
>
> 0 VLAN 1
> 1 VLAN 2-999
> 2 VLAN 1000-1999
> 3 VLAN 2000-2999
> 4 VLAN 3000-3999
> 5 VLAN 4000-4094
>
> Or whatever grouping you want, even/odd, by hundreds, whatever.
>
> You are now free to pick a different root and set link costs for each of the groups independent of the others, just like pvst but by group.
>
> If you *cannot* manage vlans by group, then stick with a rapid per vlan variant.
>
> If you need to move vlans in bulk across the core, and can afford to pre-assign membership in the group then MST can be lower overhead.
>
> The only real rules here
>
> Leave group zero for vlan one *only*
>
> If you have to change the base MST config more than once a year you are not planning correctly, or you should not be using MST.
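Chris's point that every switch in the domain must carry the same VLAN-to-instance mapping is exactly what the MST configuration digest enforces: a switch whose region name, revision or digest differs from its neighbours lands in a separate region. The following added example (my code, not from the thread or from Cisco) parses IOS-style MST configuration blocks, recomputes the digest offline and flags the switch that drifted; it assumes the HMAC-MD5 key and the 4096-entry VID-to-MSTID table layout from IEEE 802.1s as I recall them, so confirm it against the digest your switches report.

```python
"""Recompute the MST configuration digest for several switches and flag the
one whose VLAN-to-instance mapping drifted (added example, not from the thread)."""
import hashlib
import hmac
import re

# HMAC-MD5 key for the MST configuration digest as given in IEEE 802.1s
# (quoted from memory: an assumption to confirm against a switch's digest).
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")
MAX_VLAN = 4094


def parse_vlan_ranges(spec):
    """'30,1000-1999' -> [30, 1000, 1001, ..., 1999]."""
    vlans = []
    for part in spec.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= MAX_VLAN:
            raise ValueError(f"bad VLAN range {part!r}")
        vlans.extend(range(lo, hi + 1))
    return vlans


def parse_mst_config(text):
    """Parse an IOS-style 'spanning-tree mst configuration' block into
    (name, revision, {instance: [vlans]}); other lines are ignored."""
    name, revision, instances = "", 0, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("name "):
            name = line[5:].strip()
        elif line.startswith("revision "):
            revision = int(line.split()[1])
        else:
            m = re.match(r"instance\s+(\d+)\s+vlan\s+(.+)$", line)
            if m:
                inst = int(m.group(1))
                instances.setdefault(inst, []).extend(parse_vlan_ranges(m.group(2)))
    return name, revision, instances


def mst_config_table(instances):
    """4096-entry VID -> MSTID table; VIDs not listed stay in the CIST (0).
    A VLAN claimed by two instances is a config error, not a silent move."""
    table = [0] * 4096
    owner = {}
    for inst, vlans in instances.items():
        if not 0 <= inst <= MAX_VLAN:
            raise ValueError(f"bad instance {inst}")
        for v in vlans:
            if not 1 <= v <= MAX_VLAN:
                raise ValueError(f"bad VLAN {v}")
            if owner.setdefault(v, inst) != inst:
                raise ValueError(f"VLAN {v} mapped to instances {owner[v]} and {inst}")
            table[v] = inst
    return table


def mst_config_digest(instances):
    """HMAC-MD5 over the table, each MSTID as a big-endian 16-bit value."""
    raw = b"".join(i.to_bytes(2, "big") for i in mst_config_table(instances))
    return hmac.new(MST_DIGEST_KEY, raw, hashlib.md5).hexdigest().upper()


def region_identity(text):
    """The (name, revision, digest) triple that decides region membership."""
    name, revision, instances = parse_mst_config(text)
    return name, revision, mst_config_digest(instances)


def region_mismatches(configs):
    """configs: {switch: config text}. Switches whose identity differs from
    the first one listed would form a separate region, so no MSTI spans them."""
    items = list(configs.items())
    reference = region_identity(items[0][1])
    return [sw for sw, text in items[1:] if region_identity(text) != reference]


# Constructed sample: sw3 alone added VLAN 50 to instance 2, as in the thread.
CORE_CONFIG = """
spanning-tree mst configuration
 name CORE
 revision 1
 instance 1 vlan 100-999
 instance 2 vlan 30,1000-1999
"""
DRIFTED_CONFIG = CORE_CONFIG.replace("30,1000-1999", "30,50,1000-1999")
CONFIGS = {"sw1": CORE_CONFIG, "sw2": CORE_CONFIG, "sw3": DRIFTED_CONFIG}

if __name__ == "__main__":
    for sw, text in CONFIGS.items():
        print(sw, *region_identity(text))
    print("outside the region:", region_mismatches(CONFIGS))
```

Run the digest for an empty instance map against what a switch reports for an unconfigured MST region (if memory serves, AC36177F50283CD4B83821D8AB26DE62); a mismatch means the key or table layout assumed here needs correcting before you rely on the check.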
Re: [c-nsp] 7206VXR BGP Sessions
Default timers...several hundred will be ok. You get in trouble when you try to bring the timers down less than say 20/60. We introduced a new scheduler to handle hellos for the peers that allows them to work at smaller intervals but it can't guarantee no false positives.

Rodney

On Tue, Jul 14, 2009 at 06:54:47PM -0400, Paul Stewart wrote:
> Hi there. I need to move several hundred BGP sessions (low traffic peers, about 500 Mb/s combined) over to another box - have a 7206VXR with NPE1G and a 7206VXR with NPE2G sitting spare at moment. How many sessions/traffic should the 1G and the 2G be able to handle approximately?
>
> Thanks,
> Paul
Re: [c-nsp] WAAS and minimum latency
Tim,

I doubt you will see improvement over 3ms for general latency reduction (assuming an OCX P-t-P link?). However it will improve CIFS performance if the files are being accessed and changed a lot by the users at the site remote from the CIFS server. The WAE on the server side of the link will cache operations locally. So say you move a file between CIFS shares, normally that comes back through the client and back down to another share. With the WAE unit it will proxy that operation and the operation completes at local LAN speed instead of WAN speed through the remote client and back to the other server.

While WAE's will fiddle with TCP settings to improve some performance, the main function in the current release code is the data reduction features. Either the raw DRE caches or application level proxies (CIFS/MAPI, NFS, etc). Latency may not improve, but effective speed and bandwidth will go up.

For our MPLS connected sites in the 50ms+ range, there is some improvement of the RTT of around 40% on average across all the sites. Traffic reduction runs an average of 30% with Content and version management protocols and CIFS/MAPI making up the bulk of the traffic reduction (all above 50%). The main non-optimized traffic is internet bound in our case, as we centrally route internet out a data center from the MPLS connected sites.

---
James Michael Keller

Tim Durack wrote:
> Anyone got figures on the *minimum* latency the various WAN accelerators can improve on?
>
> I ask as I have a customer with a couple of sites connected via GigE. RTT for SiteA - SiteB is around 3ms. Migrating services between sites has reduced performance for some users (appears that SMB/CIFS is most affected.)
>
> I'm looking to see if I can fix things with WAAS, just not sure they are really designed for this scenario (I'm not a fan of WAAS, but if it fixes a problem...)
>
> Thanks,
> Tim:
Re: [c-nsp] Give Cisco your feedback on the new download experience at tacwebsur...@cisco.com (was: several heart-felt flames regarding the mess that is the Cisco.com download experience)
Interesting comment. I stopped giving feedback a long time ago when they did the first major trainwreck of cisco.com.

tv

- Original Message -
From: Hank Nussbacher <h...@efes.iucc.ac.il>
To: Saku Ytti <s...@ytti.fi>
Cc: cisco-nsp@puck.nether.net
Sent: Wednesday, July 15, 2009 2:13 AM
Subject: Re: [c-nsp] Give Cisco your feedback on the new download experience at tacwebsur...@cisco.com (was: several heart-felt flames regarding the mess that is the Cisco.com download experience)

> I guess cisco-nsp has become a soapbox for catharsis in regards to Cisco - but everyone should realize that is about all it is. Cisco has no interest in fixing their download or bugtool problems. It is a simple matter of cost cutting and budgets and taking the cheapest offer or hiring the cheapest labor. So keep filling out those feedback forms and calling your Cisco bigwig friends. If that makes you feel any better, go for it. Me - I've moved on as many others have.
>
> Regards,
> Hank
Re: [c-nsp] SA-VAM NPE-200
I've done this before; this will work but Cisco will not give you support if there are issues; also the VAM combo with this router engine results in very little throughput; not worth it IMHO.

Regards,
Ge Moua | Email: moua0...@umn.edu
Network Design Engineer
University of Minnesota | Networking Telecommunications Services

Kris Amy wrote:
> Hi,
>
> Just wondering if this combination works. The documentation says a NPE225 is required however I'm wondering if that is just a warning or an actual requirement...
>
> --
> Kind Regards,
> Kris Amy
> Enterprise IP
> Phone: 07 3123 5510
> National: 1300 347 287
> Fax: 1300 347 329
> Direct: 07 3123 5511
> Email: kris@eip.net.au
[c-nsp] MLPPP throughput
I'm bringing up a MLPPP PPPoA bundle with 4 7-meg DSL lines. It had worked fine with only 2 lines in the bundle and provided the full expected speed. Adding the next two lines didn't provide an increase in speed, it actually might have decreased a bit. It tops out at around 10 megabits with 4 links in the bundle.

The hardware on the customer side is a 3745 running 12.4(4)T1. It has 4 WIC-1ADSL's installed. The config on the ADSL interfaces are all identical:

interface ATM0/0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 hold-queue 224 in
 pvc 0/32
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface Dialer0
 ip address negotiated
 no ip proxy-arp
 encapsulation ppp
 dialer pool 1
 dialer vpdn
 dialer-group 1
 ppp pap sent-username removed
 ppp link reorders
 ppp multilink
 ppp multilink fragment disable
!

We've tried it with and without the reorders and fragment changes in the config. The server side is a 7206 with an NPE-G1. We're not topping out the processor on either side during transfers.

The multilink bundle shows a lot of discards and reorders. This is after a reset and downloading less than a gig of data on the client:

Virtual-Access3, bundle name is isprouter
  Endpoint discriminator is isprouter
  Bundle up for 01:15:43, total bandwidth 40, load 1/255
  Receive buffer limit 48768 bytes, frag timeout 1000 ms
  Using relaxed lost fragment detection algorithm.
  Dialer interface is Dialer0
    0/0 fragments/bytes in reassembly list
    242 lost fragments, 1237543 reordered
    29169/15194784 discarded fragments/bytes, 16700 lost received
    0x1F9178 received sequence, 0x6A517 sent sequence
  Member links: 4 (max not set, min not set)
    Vi4, since 01:15:43, unsequenced
      PPPoATM link, ATM PVC 0/32 on ATM0/0
      Packets in ATM PVC Holdq: 0, Particles in ATM PVC Tx Ring: 0
    Vi6, since 01:15:43, unsequenced
      PPPoATM link, ATM PVC 0/32 on ATM1/0
      Packets in ATM PVC Holdq: 0, Particles in ATM PVC Tx Ring: 0
    Vi5, since 01:15:43, unsequenced
      PPPoATM link, ATM PVC 0/32 on ATM0/2
      Packets in ATM PVC Holdq: 0, Particles in ATM PVC Tx Ring: 0
    Vi2, since 01:15:43, unsequenced
      PPPoATM link, ATM PVC 0/32 on ATM0/1
      Packets in ATM PVC Holdq: 0, Particles in ATM PVC Tx Ring: 0
No inactive multilink interfaces

Any ideas to get this closer to 20+ megs?

Thanks
dave

--
Dave Weis
djw...@internetsolver.com
http://www.internetsolver.com/
Re: [c-nsp] WAAS and minimum latency
Tim,

While in theory you should still see some improvement from CIFS with a setup like this, I've done a PoC/trial with a near identical setup, 1G/3-4ms latency, and the performance improvements were minimal at best. The one caveat was the CIFS shares were being used by a questionable financial application and the average filesize was small, but in the end, the price/performance was impossible to justify given the size of WAE needed to handle that much traffic. In the more 'traditional' WAAS space above ~20ms of latency I've had great results every time.

Eric Girard

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of James Michael Keller
Sent: Wednesday, July 15, 2009 10:41 AM
To: Tim Durack
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] WAAS and minimum latency

Tim,

I doubt you will see improvement over 3ms for general latency reduction (assuming an OCX P-t-P link?). However it will improve CIFS performance if the files are being accessed and changed a lot by the users at the site remote from the CIFS server. The WAE on the server side of the link will cache operations locally. So say you move a file between CIFS shares, normally that comes back through the client and back down to another share. With the WAE unit it will proxy that operation and the operation completes at local LAN speed instead of WAN speed through the remote client and back to the other server.

While WAE's will fiddle with TCP settings to improve some performance, the main function in the current release code is the data reduction features. Either the raw DRE caches or application level proxies (CIFS/MAPI, NFS, etc). Latency may not improve, but effective speed and bandwidth will go up.

For our MPLS connected sites in the 50ms+ range, there is some improvement of the RTT of around 40% on average across all the sites. Traffic reduction runs an average of 30% with Content and version management protocols and CIFS/MAPI making up the bulk of the traffic reduction (all above 50%). The main non-optimized traffic is internet bound in our case, as we centrally route internet out a data center from the MPLS connected sites.

---
James Michael Keller

Tim Durack wrote:
> Anyone got figures on the *minimum* latency the various WAN accelerators can improve on?
>
> I ask as I have a customer with a couple of sites connected via GigE. RTT for SiteA - SiteB is around 3ms. Migrating services between sites has reduced performance for some users (appears that SMB/CIFS is most affected.)
>
> I'm looking to see if I can fix things with WAAS, just not sure they are really designed for this scenario (I'm not a fan of WAAS, but if it fixes a problem...)
>
> Thanks,
> Tim:
[c-nsp] Question on h.323 video calls through a PIX 525 with NAT
I'm having some trouble with h.323 (video) calls through a PIX 525 using NAT. We can get incoming calls fine, but not outgoing calls for some reason. My question has to do with 'inspect h323' vs 'fixup protocol h323'. What's the difference between them? The video conferencing unit in question has a NAT traversal option where I can supply an address and mask. I'm wondering if I'm having a NAT traversal problem anyway. Which one would handle the NAT traversal, inspect or fixup?

Currently, the PIX config has:

inspect h323 h225
inspect h323 ras

do I need:

fixup protocol h323 h225 1718-1720
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719

instead of the inspect commands? In addition to them?

Thanks!

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfis...@dps.k12.oh.us
[c-nsp] Cisco Security Advisory: Vulnerabilities in Unified Contact Center Express Administration Pages
Cisco Security Advisory: Vulnerabilities in Unified Contact Center Express Administration Pages

Advisory ID: cisco-sa-20090715-uccx

http://www.cisco.com/warp/public/707/cisco-sa-20090715-uccx.shtml

Revision 1.0

For Public Release 2009 July 15 1600 UTC (GMT)

Summary
=======

Cisco Unified Contact Center Express (Cisco Unified CCX) server contains both a directory traversal vulnerability and a script injection vulnerability in the administration pages of the Customer Response Solutions (CRS) and Cisco Unified IP Interactive Voice Response (Cisco Unified IP IVR) products. Exploitation of these vulnerabilities could result in a denial of service condition, information disclosure, or a privilege escalation attack.

Cisco has released free software updates that address these two vulnerabilities in the latest version of Cisco Unified CCX software.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090715-uccx.shtml.

Affected Products
=================

The Cisco Unified Contact Center Express (Cisco Unified CCX) is a single-server, integrated contact center in a box for use in deployments with up to 300 agents.

Vulnerable Products
+------------------

All versions of Cisco Unified CCX server running the following software may be affected by these vulnerabilities, to include:

  * Cisco Customer Response Solution (CRS) versions 3.x, 4.x, 5.x, 6.x, and 7.x
  * Cisco Unified IP Interactive Voice Response (Cisco Unified IP IVR) versions 3.x, 4.x, 5.x, 6.x, and 7.x
  * Cisco Unified CCX 4.x, 5.x, 6.x, and 7.x
  * Cisco Unified IP Contact Center Express versions 3.x, 5.x, 6.x, and 7.x
  * Cisco Customer Response Applications versions 3.x
  * Cisco IP Queue Manager (IP QM) versions 3.x

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

Cisco Unified Contact Center Express (Cisco Unified CCX) servers may be affected by both a directory traversal vulnerability and a script injection vulnerability.

The directory traversal vulnerability may allow authenticated users to view, modify, or delete any file on the server through the Customer Response Solutions (CRS) Administration interface. This vulnerability is documented in Cisco Bug ID CSCsw76644 and has been assigned Common Vulnerability and Exposures (CVE) ID CVE-2009-2047.

The script injection vulnerability may allow authenticated users to enter JavaScript into the Cisco Unified CCX database. The stored script could be executed in the browser of the next authenticated user. This vulnerability is documented in Cisco Bug ID CSCsw76649 and has been assigned CVE ID CVE-2009-2048.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at:

http://intellishield.cisco.com/security/alertmanager/cvss.

* Incomplete input validation allows modification of OS files/directories (CSCsw76644)

CVSS Base Score - 9.0
  Access Vector - Network
  Access Complexity - Low
  Authentication - Single
  Confidentiality Impact - Complete
  Integrity Impact - Complete
  Availability Impact - Complete

CVSS Temporal Score - 8.7
  Exploitability - Functional
  Remediation Level - Official-Fix
  Report Confidence - Confirmed

* script injection vulnerability in admin interface pages (CSCsw76649)

CVSS Base Score - 5.5
  Access Vector - Network
  Access Complexity - Low
  Authentication - Single
  Confidentiality Impact - None
  Integrity Impact - Partial
  Availability Impact - Partial

CVSS Temporal Score - 4.5
  Exploitability - Functional
  Remediation Level - Official-Fix
  Report Confidence - Confirmed

Impact
======

Successful exploitation of the directory traversal vulnerability may result in read and write access to files on the underlying operating system.

Successful exploitation of the script injection vulnerability may result in the execution of JavaScript of authenticated users and prevent server pages from displaying properly.

Software
Re: [c-nsp] IGMP snooping ME6500
Tim Stevenson wrote:
> Ok - if you have mrouter ports being learned, then the upstream router should be sending IGMP queries already; IGMP snooping querier is not required. You may want to check the igmp snooping stats, see what type of joins etc are being seen on 1/26. Also what is the downstream switch doing from a snooping standpoint?
>
> Probably you should just open a case w/TAC to get to the bottom of this one.
>
> Tim
>
> At 12:01 PM 7/13/2009, Adrian Minta asserted:

Thank you all! I think I will start this process.

--
Best regards,
Adrian Minta
[c-nsp] BGP router-id - Chaos?
Just checking something that I haven't been able to verify online...

Changing the bgp router-id manually will require you to clear the bgp sessions? Correct?

Thanks!!!
Re: [c-nsp] Free NMS Tools
We're currently using Cacti, Nagios, and RANCID in an ISP environment. Nagios is a bit bulky when it comes to the management side of things but I highly recommend both RANCID and Cacti. Depending on your knowledge level with *nix systems, CactiEZ is also available. The EZ version is a CentOS-based pre-loaded iso.

Mike
Re: [c-nsp] BGP router-id - Chaos?
As far as I know, changing the router ID will take care of clearing the BGP tables for you. :) It should reset all sessions.

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jeff Cartier
Sent: Wednesday, July 15, 2009 1:49 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] BGP router-id - Chaos?

Just checking something that I haven't been able to verify online...

Changing the bgp router-id manually will require you to clear the bgp sessions? Correct?

Thanks!!!
Re: [c-nsp] Question on h.323 video calls through a PIX 525 with NAT
Hi Steven,

On Wed, Jul 15, 2009 at 6:28 PM, Steven Pfister <spfis...@dps.k12.oh.us> wrote:
> I'm having some trouble with h.323 (video) calls through a PIX 525 using NAT. We can get incoming calls fine, but not outgoing calls for some reason. My question has to do with 'inspect h323' vs 'fixup protocol h323'. What's the difference between them? The video conferencing unit in question has a NAT traversal option where I can supply an address and mask. I'm wondering if I'm having a NAT traversal problem anyway. Which one would handle the NAT traversal, inspect or fixup?
>
> Currently, the PIX config has:
>
> inspect h323 h225
> inspect h323 ras
>
> do I need:
>
> fixup protocol h323 h225 1718-1720
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
>
> instead of the inspect commands? In addition to them?

inspect is the name of the fixup from 7.0 onwards - obviously as time went, some more enhancements were added. You can enter the fixup commands, but they will be autoconverted into the respective inspect under magic default policy.

You mention that the inbound call works - so a nice way to debug would be to grab the pcap on inside + pcap on the outside and study them in wireshark for both failing and working scenarios and see what is different. The first cutover point is whether you see the tcp/1720 in the outbound direction or not - if not, or if it is going to the wrong address, would mean there is an issue related to RAS signaling - else it's something with the call signaling.

The above can be tested much easier if you are able to make the direct calls by IP address and the other party can accept such calls without involving RAS at all - this could be an easy shortcut instead of staring at the sniffer traces :-) - if the direct call using IP address works, then you can further investigate RAS. If the inbound calls to you work, most probably it is going to be the case, but worth double-checking.

The inspect in the default configuration normally should be able to tweak all the embedded IPs both for RAS and call setup, so the endpoints would not need to have any NAT awareness nor do any special efforts to detect/traverse the NAT.

Also might be quite useful to have a quick test with another h323 stack if you can - openh323 had a very tweakable client, and ekiga can do h323 video as well. If those work, again you get one more baseline to compare the sniffer traces with.

cheers,
andrew
Re: [c-nsp] BGP router-id - Chaos?
Oh that's lovely :) Thanks for the heads up all!

-Original Message-
From: Paul G. Timmins [mailto:ptimm...@clearrate.com]
Sent: Wednesday, July 15, 2009 2:06 PM
To: Jeff Cartier; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] BGP router-id - Chaos?

As far as I know, changing the router ID will take care of clearing the BGP tables for you. :) It should reset all sessions.

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jeff Cartier
Sent: Wednesday, July 15, 2009 1:49 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] BGP router-id - Chaos?

Just checking something that I haven't been able to verify online...

Changing the bgp router-id manually will require you to clear the bgp sessions? Correct?

Thanks!!!
[c-nsp] IPV6 to IPV4
Hi,

The IPV6 host has to communicate to some IPV4 on Internet. I can use NAT-PT but I see that it is now no more recommended. So, what is the best translation mechanism to achieve this when I, being an ISP, provide IPV6 Internet service to my customer?

Regards,
CS
Re: [c-nsp] CE routes
I see, PE to CE routing protocols are segmented from PE to P routing protocols. So for PE to PE traffic, the ingress LSR only needs to know how to route to the egress PE router via IGP label, once there the VPN label forwards traffic to the proper VRF. The next-hop for the destination route comes into play once at the egress PE?

Mike

On Tue, Jul 14, 2009 at 3:02 PM, Ivan Pepelnjak <i...@ioshints.info> wrote:
> CE-PE subnets are part of VRF and thus cannot be inserted into the core IGP, only in MP-BGP. It's way easier (and more scalable) to redistribute them than to list them in the per-VRF BGP configuration.
>
> Ivan
>
> http://www.ioshints.info/about
> http://blog.ioshints.info/
>
> -Original Message-
> From: harbor235 [mailto:harbor...@gmail.com]
> Sent: Tuesday, July 14, 2009 6:51 PM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] CE routes
>
> I was just reading best practices for MPLS implementations regarding CE to CE connectivity issues, specifically, CE to CE pings. The document stated that redistributing connected PE routes into BGP was the preferred method to ensure CE to CE ping success as well as other connectivity issues. This will inject the route for the PE to CE interface into BGP. I am not sure I agree, why not explicitly define which networks to advertise in the IGP, an IGP in MPLS networks is supposed to hold all infrastructure routes anyway. Are these interfaces considered infrastructure or customer interfaces? One reason may be to reduce the number of infrastructure routes in the IGP because of the potential for many CE to PE interfaces, let BGP handle the large number of routes?
>
> I am curious which method is employed in the wild, also I am not sure all connected routes should be advertised from the PE, e.g. management/infrastructure interfaces etc ... What are your thoughts and how is it being done?
>
> mike
Re: [c-nsp] Question on h.323 video calls through a PIX 525 with NAT
I don't think you can have the inspect and fixup in the same config. I believe the inspection policies replace the fixup commands in the 7.x+ code. Either one pretty much does the same thing - it's going into the packet and rewriting the IP in the h323 data payload (if necessary). We had some issues with this behaviour and ended up disabling the h323 inspection and turning on the NAT traversal option of the device and things worked great for us. YMMV. Obviously you'll want to make sure you don't have any other h323 device traffic that would be affected by this change.

-andy

From: cisco-nsp-boun...@puck.nether.net [cisco-nsp-boun...@puck.nether.net] On Behalf Of Steven Pfister [spfis...@dps.k12.oh.us]
Sent: Wednesday, July 15, 2009 9:28 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Question on h.323 video calls through a PIX 525 with NAT

I'm having some trouble with h.323 (video) calls through a PIX 525 using NAT. We can get incoming calls fine, but not outgoing calls for some reason. My question has to do with 'inspect h323' vs 'fixup protocol h323'. What's the difference between them? The video conferencing unit in question has a NAT traversal option where I can supply an address and mask. I'm wondering if I'm having a NAT traversal problem anyway. Which one would handle the NAT traversal, inspect or fixup?

Currently, the PIX config has:

inspect h323 h225
inspect h323 ras

do I need:

fixup protocol h323 h225 1718-1720
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719

instead of the inspect commands? In addition to them?

Thanks!

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfis...@dps.k12.oh.us
Re: [c-nsp] BGP router-id - Chaos?
I tried in my lab with two boxes 28xx-76xx

28xx is running 12.4(15)T9
76xx is running 12.2(33)SRB6

eBGP between the boxes.

I changed the route-id manually on 28xx

2800#sh ip bgp sum
BGP router identifier 10.10.10.1, local AS number 1020
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
2.2.2.2         4  1021      14      16        1    0    0 00:01:46        0
10.10.10.2      4  1021      14      16        1    0    0 00:01:34        0
2800#
2800#
2800#sh run | s bgp
router bgp 1020
 no synchronization
 bgp router-id 10.10.10.1
 bgp log-neighbor-changes
 neighbor 2.2.2.2 remote-as 1021
 neighbor 2.2.2.2 ebgp-multihop 10
 neighbor 2.2.2.2 update-source Loopback0
 neighbor 10.10.10.2 remote-as 1021
 no auto-summary
2800#
2800#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
2800(config)#
2800(config)#router bgp 1020
2800(config-router)#bgp rout
2800(config-router)#bgp router-id 1.1.1.1
2800(config-router)#end
2800#
*Jul 15 14:11:21.199 EST: %BGP-5-ADJCHANGE: neighbor 2.2.2.2 Down Router ID changed
*Jul 15 14:11:21.199 EST: %BGP-5-ADJCHANGE: neighbor 10.10.10.2 Down Router ID changed
*Jul 15 14:11:21.211 EST: %SYS-5-CONFIG_I: Configured from console by console
*Jul 15 14:11:21.239 EST: %BGP-5-ADJCHANGE: neighbor 2.2.2.2 Up
*Jul 15 14:11:21.251 EST: %BGP-5-ADJCHANGE: neighbor 10.10.10.2 Up
2800#
2800#sh ip bgp sum
BGP router identifier 1.1.1.1, local AS number 1020
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
2.2.2.2         4  1021      17      21        1    0    0 00:00:28        0
10.10.10.2      4  1021      17      21        1    0    0 00:00:28        0
2800#

I then tried it on 7600

7600#sh ip bgp sum
Load for five secs: 0%/0%; one minute: 3%; five minutes: 2%
Time source is hardware calendar, *18:13:06.279 EST Wed Jul 15 2009

BGP router identifier 10.10.10.2, local AS number 1021
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
1.1.1.1         4  1020       4       3        1    0    0 00:00:06        0
10.10.10.1      4  1020       4       3        1    0    0 00:00:06        0
7600#
7600#
7600#sh run | b router bgp
router bgp 1021
 no synchronization
 bgp router-id 10.10.10.2
 bgp log-neighbor-changes
 neighbor 1.1.1.1 remote-as 1020
 neighbor 1.1.1.1 ebgp-multihop 10
 neighbor 1.1.1.1 update-source Loopback0
 neighbor 10.10.10.1 remote-as 1020
 no auto-summary
!
7600#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
7600(config)#router bgp 1021
7600(config-router)#bgp route
7600(config-router)#bgp router-id 2.2.2.2
7600(config-router)#end
7600#
*Jul 15 18:13:34.819: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Down Router ID changed
*Jul 15 18:13:34.819: %BGP-5-ADJCHANGE: neighbor 10.10.10.1 Down Router ID changed
*Jul 15 18:13:35.475: %SYS-5-CONFIG_I: Configured from console by console
7600#
7600#
7600#
*Jul 15 18:13:50.159: %BGP-5-ADJCHANGE: neighbor 10.10.10.1 Up
7600#
*Jul 15 18:13:53.287: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Up
7600#
7600#sh ip bgp sum
Load for five secs: 1%/0%; one minute: 2%; five minutes: 2%
Time source is hardware calendar, *18:13:57.819 EST Wed Jul 15 2009

BGP router identifier 2.2.2.2, local AS number 1021
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
1.1.1.1         4  1020       4       3        1    0    0 00:00:04        0
10.10.10.1      4  1020       4       3        1    0    0 00:00:07        0
7600#

Hope that helps.

Shimol

Jeff Cartier wrote:
> Just checking something that I haven't been able to verify online...
>
> Changing the bgp router-id manually will require you to clear the bgp sessions? Correct?
>
> Thanks!!!
Re: [c-nsp] Question on h.323 video calls through a PIX 525 with NAT
Yes, tcp/1720 seems to be going to the correct address.

The thing I'm wondering now is this... I did the capture on the PIX itself on the outside interface. I've found at least one spot where the internal address for the unit on our side appears. I would have thought the NAT traversal setting on the unit itself would have taken care of this before hitting the PIX. And the capture being on the outside interface... would it be showing the packets before or after inspect has gotten to them?

We've got one unit in the same building as the firewall... hopefully I can duplicate the problem on that.

When I first started getting involved with the video conferencing units here, we weren't able to dial out until I turned the NAT traversal setting on. Then I found out about inspect/fixup and never understood why that setting on the unit would be needed if those commands were on the firewall config. Maybe we should try it without the inspect? No other h.323 traffic normally goes in or out of our network.

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfis...@dps.k12.oh.us

>>> Andrew Yourtchenko ayour...@gmail.com 7/15/2009 2:07 PM >>>
> Hi Steven,
>
> On Wed, Jul 15, 2009 at 6:28 PM, Steven Pfister spfis...@dps.k12.oh.us wrote:
>> I'm having some trouble with h.323 (video) calls through a PIX 525 using NAT. We can get incoming calls fine, but not outgoing calls for some reason. My question has to do with 'inspect h323' vs 'fixup protocol h323'. What's the difference between them? The video conferencing unit in question has a NAT traversal option where I can supply an address and mask. I'm wondering if I'm having a NAT traversal problem anyway. Which one would handle the NAT traversal, inspect or fixup?
>>
>> Currently, the PIX config has:
>>
>> inspect h323 h225
>> inspect h323 ras
>>
>> do I need:
>>
>> fixup protocol h323 h225 1718-1720
>> fixup protocol h323 h225 1720
>> fixup protocol h323 ras 1718-1719
>>
>> instead of the inspect commands? In addition to them?
>
> inspect is the name of the fixup from 7.0 onwards - obviously as time went, some more enhancements were added. you can enter the fixup commands, but they will be autoconverted into the respective inspect under magic default policy.
>
> You mention that the inbound call works - so a nice way to debug would be to grab the pcap on inside + pcap on the outside and study them in wireshark for both failing and working scenarios and see what is different. The first cutover point is whether you see the tcp/1720 in the outbound direction or not - if not, or if it is going to the wrong address, would mean there is an issue related to RAS signaling - else it's something with the call signaling.
>
> The above can be tested much easier if you are able to make the direct calls by IP address and the other party can accept such calls without involving RAS at all - this could be an easy shortcut instead of staring at the sniffer traces :-) - if the direct call using IP address works, then you can further investigate RAS. If the inbound calls to you work, most probably it is going to be the case, but worth doublechecking.
>
> The inspect in the default configuration normally should be able to tweak all the embedded IPs both for RAS and call setup, so the endpoints would not need to have any NAT awareness nor do any special efforts to detect/traverse the NAT.
>
> Also might be quite useful to have a quick test with another h323 stack if you can - openh323 had a very tweakable client, and ekiga can do h323 video as well. If those work, again you get one more baseline to compare the sniffer traces with.
>
> cheers,
> andrew
[c-nsp] Management interface on 2950T-24 appears to be dead
Out of the blue the other day I received a NAGIOS alert about a 2950T-24 being down. I was off-site, so I called over to the onsite tech who confirmed that traffic was flowing just fine. When I checked later, I couldn't ping or telnet to it.

I went onsite today and had no response at the console port, and even when I pressed the mode button on the left to cycle through speed, duplex, etc, there was no change. It's like the management interface totally died. The unit runs off an inverter, so power should not be an issue.

Has anyone seen this before? Can we trust this box anymore? We plan to power-cycle this evening during a maintenance window.

Frank
Re: [c-nsp] IPV6 to IPV4
Dual Stack.

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Chintan Shah
Sent: Wednesday, July 15, 2009 2:08 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] IPV6 to IPV4

Hi,

The IPv6 host has to communicate with some IPv4 hosts on the Internet. I can use NAT-PT, but I see that it is now no longer recommended. So, what is the best translation mechanism to achieve this when I, being an ISP, provide IPv6 Internet service to my customer?

Regards,
CS
Re: [c-nsp] ISIS Mesh group question
Ibrahim Abo Zaid wrote on Wednesday, July 15, 2009 02:47:
> Hi All
>
> I have a question about ISIS mesh groups, which are used to reduce LSP flooding in full-mesh p2p environments. That means we lose redundancy for the sake of LSP flooding reduction, hence it affects forwarding and traffic is forced to inactive interfaces or interfaces in different groups only. Is that right?

no, doesn't sound right. mesh-groups only affect LSP flooding within the area, they don't have an effect on the links when it comes to SPF/topology, so the final routing table will look the same, whether you used mesh-groups or not.

oli

P.S: I've never worked with them and haven't looked at it in detail..
[c-nsp] ip per-packet load-sharing on single interface
ip per-packet load-sharing on single ethernet interface with multiple iBGP routes installed to different nodes on that ethernet interface.

Software router, 12.3

Does not seem to be balancing. Is this supposed to work?
Re: [c-nsp] ip per-packet load-sharing on single interface
Joe,

Which platform is it? Can you share show ip route and show ip cef internal?

Arie

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Joe Maimon
Sent: Wednesday, July 15, 2009 22:29
To: cisco-nsp
Subject: [c-nsp] ip per-packet load-sharing on single interface

ip per-packet load-sharing on single ethernet interface with multiple iBGP routes installed to different nodes on that ethernet interface.

Software router, 12.3

Does not seem to be balancing. Is this supposed to work?
Re: [c-nsp] ip per-packet load-sharing on single interface
c7100-jk9o3s-mz.123-12e.bin

Raw output sent direct.

Arie Vayner (avayner) wrote:
> Joe,
>
> Which platform is it? Can you share show ip route and show ip cef internal?
>
> Arie
>
> -----Original Message-----
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Joe Maimon
> Sent: Wednesday, July 15, 2009 22:29
> To: cisco-nsp
> Subject: [c-nsp] ip per-packet load-sharing on single interface
>
> ip per-packet load-sharing on single ethernet interface with multiple iBGP routes installed to different nodes on that ethernet interface.
>
> Software router, 12.3
>
> Does not seem to be balancing. Is this supposed to work?
Re: [c-nsp] Question on h.323 video calls through a PIX 525 with NAT
On Wed, Jul 15, 2009 at 8:58 PM, Steven Pfister spfis...@dps.k12.oh.us wrote:
> Yes, tcp/1720 seems to be going to the correct address.
>
> The thing I'm wondering now is this... I did the capture on the PIX itself on the outside interface. I've found at least one spot where the internal address for the unit on our side appears.

If the rfc1918 address is seen on the outside (presumably in one of the openLogicalChannel/openLogicalChannelAck exchanges?) - then it would be a very good reason for the media streams to not reach you from the remote end.

> I would have thought the NAT traversal setting on the unit itself would have taken care of this before hitting the PIX. And the capture being on the outside interface... would it be showing the packets before or after inspect has gotten to them.

capture is in the packet path shortly before putting the packet onto the low-level driver for transmission. So, it's after all the inspect work is already done (if we're talking of the inside->outside). For the outside->inside, it's indeed the opposite - very early in the packet processing, so before the inspect.

> We've got one unit in the same building as the firewall... hopefully I can duplicate the problem on that.

ok. this indeed could be useful too.

> When I first started getting involved with the video conferencing units here, we weren't able to dial out until I turned the NAT traversal setting on. Then I

hmm I thought it was indeed the outbound calls that had difficulties now ? Or those are two different failures of a different degree ? Anyway, normally inspect should take care of the translating the embedded addresses.

> found out about inspect/fixup and never understood why that setting on the unit would be needed if those commands were on the firewall config. Maybe we should try it without the inspect? No other h.323 traffic normally goes in or out of our network.
Yes - it's either/or, so if you don't have any other H.323 traffic, then indeed give nat traversal a shot without the h323 inspects enabled on the PIX.

cheers,
andrew
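Steve's finding above (an inside address visible in the outside-interface capture) and Andrew's explanation of why that breaks media are easiest to confirm mechanically. The following Python is an added example, not from this thread, that scans a captured signalling payload for embedded RFC1918 address+port pairs, in the 4-byte-address plus 2-byte-port form H.225/H.245 use, and also searches exactly for the addresses you already know are inside. The payload is constructed filler around two such addresses, not a real H.245 encoding, and the generic scan is a heuristic that can collide with random bytes.

```python
import ipaddress
import struct

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    # Explicit RFC1918 test; IPv4Address.is_private also matches documentation ranges.
    return any(ip in net for net in RFC1918)


def pack_transport_address(ip, port):
    """6-byte IPv4 TransportAddress (4-byte address, 2-byte port) as H.225/H.245
    carry it inside their PER-encoded messages."""
    return ipaddress.IPv4Address(ip).packed + struct.pack("!H", port)


def scan_for_private_addresses(payload, min_port=1024):
    """Heuristic: report every 6-byte window that decodes to an RFC1918 address
    followed by a plausible (>= min_port) port.  Random bytes can collide, so
    treat hits as candidates to confirm in a protocol decoder."""
    hits = []
    for off in range(len(payload) - 5):
        ip = ipaddress.IPv4Address(payload[off:off + 4])
        if not is_rfc1918(ip):
            continue
        port = struct.unpack("!H", payload[off + 4:off + 6])[0]
        if port >= min_port:
            hits.append({"offset": off, "ip": str(ip), "port": port})
    return hits


def find_known_hosts(payload, internal_hosts):
    """Exact search for the packed form of addresses you know are inside (the
    conferencing unit's real IP).  No false positives, but only finds hosts
    you list.  Returns (host, offset, port-following) triples."""
    found = []
    for host in internal_hosts:
        needle = ipaddress.IPv4Address(host).packed
        off = payload.find(needle)
        while off >= 0:
            port = None
            if off + 6 <= len(payload):
                port = struct.unpack("!H", payload[off + 4:off + 6])[0]
            found.append((host, off, port))
            off = payload.find(needle, off + 1)
    return found


# Constructed stand-in for an outside-interface capture of an OpenLogicalChannel
# body: filler bytes around one translated address and one leaked inside address.
SAMPLE_OUTSIDE_PAYLOAD = (
    b"\x03\x00\x00\x1e\x08\x02\x7e\x01"
    + pack_transport_address("198.51.100.7", 1720)   # the firewall's global address: fine
    + b"\x7e\x00\x05\x04"
    + pack_transport_address("10.20.30.40", 49152)   # inside RTP address left untranslated
    + b"\x00\x01\x7e"
)


def leak_report(payload=SAMPLE_OUTSIDE_PAYLOAD, internal_hosts=("10.20.30.40",)):
    """Empty lists mean inspect rewrote everything; anything listed is an address
    the far end will try to send media to and never reach."""
    return {"rfc1918": scan_for_private_addresses(payload),
            "known": find_known_hosts(payload, internal_hosts)}
```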
[c-nsp] adding a port forward on a Cisco Pix
Hi, so I've started working with the Pix and am trying to forward port 80 and 443 in from an outside facing address to a 10.x space inside. I have two basic interfaces (outside and inside) and am running Pix 6.3 for firmware.

I was thinking the following line would work but wasn't sure if I formatted it correctly.

static (outside,inside) tcp general-internet-rtr-svc-nat 80 inside-ip-object 80 netmask 255.255.255.255 0 0

general-internet-rtr-svc-nat is an object group name that contains a network-object host with the outside static IP defined.

Is this more or less correct? Should I invert the address objects or are they in the proper order? Any basic pointers or pointers to good examples would be appreciated.

Thank you
Scott
Re: [c-nsp] ip per-packet load-sharing on single interface
Turn on 'ip cef account load per pre' and send the 'sh ip cef internal' for the prefix you are going towards.

On Wed, Jul 15, 2009 at 10:33:34PM +0200, Arie Vayner (avayner) wrote:
> Joe,
>
> Which platform is it? Can you share show ip route and show ip cef internal?
>
> Arie
>
> -----Original Message-----
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Joe Maimon
> Sent: Wednesday, July 15, 2009 22:29
> To: cisco-nsp
> Subject: [c-nsp] ip per-packet load-sharing on single interface
>
> ip per-packet load-sharing on single ethernet interface with multiple iBGP routes installed to different nodes on that ethernet interface.
>
> Software router, 12.3
>
> Does not seem to be balancing. Is this supposed to work?
Re: [c-nsp] Maximum spannig tree instances
On 14/07/2009, at 11:26 PM, Jon Lewis wrote:
> But isn't that the whole point of MST? Most of what I've read about it talks about doing setups where you only have 2 or 3 instances, with all your vlans in the 2nd and or 3rd instance.

Yup. In a DC / Hosting environment it's a must. Particularly if you have large VMWare type clusters where there can be 100's of unique vlans that need to be presented to all cluster nodes. Can't do that with any form of Per Vlan STP on top-of-rack or blade-chassis switches.

In a classic dual attached L2 access layer there are only 2 possible paths so 2 MST instances does the job. Having more STP instances than paths to the root bridge adds no value at all.

David
Re: [c-nsp] Maximum spannig tree instances
On 15/07/2009, at 4:01 AM, Jon Lewis wrote:
> The cisco examples I saw say to leave MST0 empty and use MST1 and MST2 for VLANs.

Good option. Only non-MST speakers will end up in instance 0. Spread your vlans over instance 1 and 2 (and root those instances appropriately) and all will be good. We use blocks of 50 vlans for the load sharing which gives us what we need and keeps the config small.

> Will adding new VLANs to an MST instance disrupt traffic flow for other VLANs in that MST instance? The topology I have is actually 2 core switches with a bunch of edge switches redundantly uplinked to both cores.

Not sure. We pre-configure the MST vlan mappings (see below) and just prune vlans on the trunks. We run the same MST config on every switch in the network and will worry about changing the vlan mappings when we have more than 2000 vlans in a single layer 2 domain. I can't see that being a problem for any of the L2's at any of our datacentres for a while.

For us, once we got MST in place it's been set-and-forget. It's worked flawlessly.

---
spanning-tree mst configuration
 instance 1 vlan 1-49, 100-149, 200-249, 300-349, 400-449, 500-549, 600-649
 instance 1 vlan 700-749, 800-849, 900-949, 1000-1049, 1100-1149, 1200-1249
 instance 1 vlan 1300-1349, 1400-1449, 1500-1549, 1600-1649, 1700-1749
 instance 1 vlan 1800-1849, 1900-1949
 instance 2 vlan 50-99, 150-199, 250-299, 350-399, 450-499, 550-599, 650-699
 instance 2 vlan 750-799, 850-899, 950-999, 1050-1099, 1150-1199, 1250-1299
 instance 2 vlan 1350-1399, 1450-1499, 1550-1599, 1650-1699, 1750-1799
 instance 2 vlan 1850-1899, 1950-1999
!
spanning-tree mst 0-1 priority 8192
spanning-tree mst 2 priority 16384
---

Thanks
David
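David's approach only works because every switch carries the identical mapping: MST region membership is decided by name, revision and a digest of the full vlan-to-instance table, so one switch whose mapping drifted silently becomes its own region and the per-instance load sharing stops at that link. The following Python is an added example (not David's tooling) that parses his block above, expands the ranges, counts vlans per instance, and diffs two switches' regions; the second config is a constructed copy with vlans 50-99 moved to instance 1.

```python
import re

# David's mapping, copied from the message above.
DAVID_MST = """\
spanning-tree mst configuration
 instance 1 vlan 1-49, 100-149, 200-249, 300-349, 400-449, 500-549, 600-649
 instance 1 vlan 700-749, 800-849, 900-949, 1000-1049, 1100-1149, 1200-1249
 instance 1 vlan 1300-1349, 1400-1449, 1500-1549, 1600-1649, 1700-1749
 instance 1 vlan 1800-1849, 1900-1949
 instance 2 vlan 50-99, 150-199, 250-299, 350-399, 450-499, 550-599, 650-699
 instance 2 vlan 750-799, 850-899, 950-999, 1050-1099, 1150-1199, 1250-1299
 instance 2 vlan 1350-1399, 1450-1499, 1550-1599, 1650-1699, 1750-1799
 instance 2 vlan 1850-1899, 1950-1999
!
spanning-tree mst 0-1 priority 8192
spanning-tree mst 2 priority 16384
"""

# Constructed: the same config on a switch where vlans 50-99 drifted into instance 1.
DRIFTED_MST = DAVID_MST.replace(" instance 2 vlan 50-99, ",
                                " instance 1 vlan 50-99\n instance 2 vlan ")

INSTANCE_RE = re.compile(r"^\s*instance\s+(\d+)\s+vlan\s+(.+?)\s*$")


def expand_vlans(spec):
    """'1-49, 100-149' -> {1, ..., 49, 100, ..., 149}; rejects bad ranges."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"bad vlan range {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def parse_mst_region(config_text):
    """Region identity as a switch sees it: name, revision and the full 4094-entry
    vlan->instance table (unlisted vlans stay in instance 0, the IST).  A vlan
    listed under two instances is reported rather than silently resolved."""
    region = {"name": None, "revision": 0, "mapping": {v: 0 for v in range(1, 4095)}}
    listed = {}
    for line in config_text.splitlines():
        words = line.split()
        if words[:1] == ["name"] and len(words) > 1:
            region["name"] = words[1]
            continue
        if words[:1] == ["revision"] and len(words) > 1:
            region["revision"] = int(words[1])
            continue
        m = INSTANCE_RE.match(line)
        if not m:
            continue
        inst = int(m.group(1))
        for v in expand_vlans(m.group(2)):
            if listed.get(v, inst) != inst:
                raise ValueError(f"vlan {v} listed under instance {listed[v]} and {inst}")
            listed[v] = inst
            region["mapping"][v] = inst
    return region


def instance_sizes(region):
    sizes = {}
    for inst in region["mapping"].values():
        sizes[inst] = sizes.get(inst, 0) + 1
    return sizes


def region_mismatch(a, b):
    """Reasons two switches would NOT share an MST region.  Name, revision and
    the vlan table must all match; any difference makes the link between them a
    region boundary, and the instance-1/instance-2 load sharing is lost there."""
    reasons = []
    if a["name"] != b["name"]:
        reasons.append(f"name {a['name']!r} != {b['name']!r}")
    if a["revision"] != b["revision"]:
        reasons.append(f"revision {a['revision']} != {b['revision']}")
    diff = {v: (a["mapping"][v], b["mapping"][v])
            for v in a["mapping"] if a["mapping"][v] != b["mapping"][v]}
    if diff:
        first = min(diff)
        reasons.append(f"{len(diff)} vlans mapped differently, first is vlan {first} {diff[first]}")
    return reasons, diff
```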
Re: [c-nsp] Maximum spannig tree instances
On 15/07/2009, at 4:22 AM, Geoffrey Pendery wrote:
>> Will adding new VLANs to an MST instance disrupt traffic flow for other VLANs in that MST instance?
>
> Yes. We've verified this.
>
> A trunk port carrying only VLAN 30, or even an access port carrying only VLAN 30. VLAN 30 is in instance 2. You go into config mode and add VLAN 50 to instance 2 (or remove it from instance 2). The port, be it access or trunk, goes to blocking, learning, forwarding.

But MST implements Rapid-STP in each instance (except 0 naturally) so even if the config change did recalc the tree it'll be sub-second. Not that any STP recalc is a good thing but at least it'll be over and done with quickly.

David
Re: [c-nsp] Maximum spannig tree instances
On 15/07/2009, at 8:02 AM, Phil Mayers wrote:
> R-PVST + manual VLAN management works like a charm here.

.. works like a charm until it doesn't. Any PV based STP will not work in a dense server virtualisation environment. So these days that's basically any hosting provider. MST is your only choice and if you pre-provision your vlan/instance mappings it works fine. Been running it without a single issue for ages.

David
Re: [c-nsp] MST config on single 3560
Quoting Manu Chao linux.ya...@gmail.com:
> the standard is ieee 802.1s
> don't change anything to your interface config
> mst instance and vlan association is a global config
> if you planned to migrate to mst on your side, make sure you will migrate to mst with your client ;)

Thanks for the reply.

As we have single 3560's that do not participate in VTP (vtp mode transparent), would I be able to have a config similar to this (on each 3560 in each POP):

spanning-tree mode mst
spanning-tree mst configuration
 name LOC_A
 revision 10
 instance 0 vlan 1-4094
spanning-tree mst 0 root primary

And maintain the existing port configs?

If we are getting close to reaching port capacity on each 3560, we will be upgrading to 4500's.
Re: [c-nsp] adding a port forward on a Cisco Pix
Hi Scott,

For your NAT to work you need two things:

1. static command
2. Access-list

> static (outside,inside) tcp general-internet-rtr-svc-nat 80 inside-ip-object 80 netmask 255.255.255.255 0 0

You have it round the wrong way, you would need:

static (inside,outside) tcp outside_ip outside_port inside_ip inside_port

It's confusing but the bit in brackets (for the interfaces) has inside first and outside second and then when you specify the IP addresses and ports you have outside first, then inside second.

And then you would need an ACL like this:

access-list 101 permit tcp any host outside_ip eq outside_port

And then you need to apply the ACL to inbound traffic on the outside interface:

access-group 101 in interface outside

I don't know about using object groups to specify the IP addresses, it should work as long as you've got it correct. I would try with putting the actual IP addresses in the commands and then once you know it works you can change them to objects.

You can find a list of PIX configuration examples here:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html
http://tinyurl.com/3o7gk

One specifically for NAT is:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml
http://tinyurl.com/yqeap

Make sure you follow which parts are for earlier PIX versions and your version. The earlier versions use the conduit command instead of an access list.

regards,
Tony

--- On Thu, 16/7/09, Scott Granados gsgrana...@comcast.net wrote:
> From: Scott Granados gsgrana...@comcast.net
> Subject: [c-nsp] adding a port forward on a Cisco Pix
> To: cisco-nsp@puck.nether.net
> Date: Thursday, 16 July, 2009, 7:52 AM
>
> Hi, so I've started working with the Pix and am trying to forward port 80 and 443 in from an outside facing address to a 10.x space inside. I have two basic interfaces (outside and inside) and am running Pix 6.3 for firmware.
>
> I was thinking the following line would work but wasn't sure if I formatted it correctly.
>
> static (outside,inside) tcp general-internet-rtr-svc-nat 80 inside-ip-object 80 netmask 255.255.255.255 0 0
>
> general-internet-rtr-svc-nat is an object group name that contains a network-object host with the outside static IP defined.
>
> Is this more or less correct? Should I invert the address objects or are they in the proper order? Any basic pointers or pointers to good examples would be appreciated.
>
> Thank you
> Scott
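Tony's two requirements (a static with the interfaces in the right order, and a permit in the ACL applied inbound on outside) are exactly what an exposure audit of a PIX 6.3 config should check, since a static without a permit forwards nothing and a permit wider than intended exposes more than the one service. The following Python is an added example, not from Tony's message or from Cisco: it reads a constructed config fragment (RFC 5737 documentation addresses) and reports, per static, whether the interface order is (inside,outside) and whether the outside ACL actually reaches the mapped address and port, evaluating entries first-match-wins as the box does.

```python
import re

# Constructed PIX 6.3 fragment.  Three statics: one done right with a matching
# permit, one with no permit at all, and one with the interfaces the wrong way
# round (Scott's original form) that is also explicitly denied.
SAMPLE_PIX_CONFIG = """\
static (inside,outside) tcp 203.0.113.10 80 10.1.1.20 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.10 https 10.1.1.20 443 netmask 255.255.255.255 0 0
static (outside,inside) tcp 203.0.113.11 8080 10.1.1.21 8080 netmask 255.255.255.255 0 0
access-list 101 permit tcp any host 203.0.113.10 eq www
access-list 101 deny tcp any host 203.0.113.11 eq 8080
access-group 101 in interface outside
"""

# Subset of the service names PIX accepts in place of a port number.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "smtp": 25, "ftp": 21}


def port_number(token):
    return PORT_NAMES.get(token) or int(token)


STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<mapped_ip>\S+)\s+(?P<mapped_port>\S+)\s+(?P<real_ip>\S+)\s+(?P<real_port>\S+)"
)
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+(?P<dst>any|host\s+\S+|\S+\s+\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?"
)
GROUP_RE = re.compile(r"^access-group\s+(?P<name>\S+)\s+in\s+interface\s+(?P<iface>\S+)")


def acl_allows(entries, proto, ip, port):
    """First matching entry wins, as on the box; the implicit deny at the end
    returns False.  Source addresses are not evaluated: any permit that could
    reach the mapped host:port counts as exposure."""
    for e in entries:
        if e["proto"] not in (proto, "ip"):
            continue
        if e["dst"] not in ("any", f"host {ip}"):
            continue
        if e["port"] is not None and port_number(e["port"]) != port:
            continue
        return e["action"] == "permit"
    return False


def audit_port_forwards(config_text, inside="inside", outside="outside"):
    """One finding per static: global and local host:port plus a list of problems."""
    statics, acls, groups = [], {}, {}
    for raw in config_text.splitlines():
        line = " ".join(raw.split())          # normalise whitespace for matching
        if m := STATIC_RE.match(line):
            statics.append(m.groupdict())
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group("name"), []).append(m.groupdict())
        elif m := GROUP_RE.match(line):
            groups[m.group("iface")] = m.group("name")
    outside_acl = acls.get(groups.get(outside), [])
    findings = []
    for s in statics:
        mapped_port, real_port = port_number(s["mapped_port"]), port_number(s["real_port"])
        f = {"global": f"{s['mapped_ip']}:{mapped_port}",
             "local": f"{s['real_ip']}:{real_port}", "problems": []}
        if (s["real_if"], s["mapped_if"]) != (inside, outside):
            f["problems"].append(
                f"interface order ({s['real_if']},{s['mapped_if']}) should be ({inside},{outside})")
        if outside not in groups:
            f["problems"].append(f"no access-group applied inbound on {outside}")
        elif not acl_allows(outside_acl, s["proto"], s["mapped_ip"], mapped_port):
            f["problems"].append(f"ACL {groups[outside]} has no permit for {f['global']}")
        findings.append(f)
    return findings
```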
Re: [c-nsp] MLPPP throughput
I bet your out-of-order is getting so bad you are dropping the packets.

I'm not a PPPox expert...but could you create 7 dialers and do CEF per packet over them?

On Wed, Jul 15, 2009 at 10:07:24AM -0500, Dave Weis wrote:
> I'm bringing up a MLPPP PPPoA bundle with 4 7-meg DSL lines. It had worked fine with only 2 lines in the bundle and provided the full expected speed. Adding the next two lines didn't provide an increase in speed, it actually might have decreased a bit. It tops out at around 10 megabits with 4 links in the bundle.
>
> The hardware on the customer side is a 3745 running 12.4(4)T1. It has 4 WIC-1ADSL's installed. The config on the ADSL interfaces are all identical:
>
> interface ATM0/0
>  no ip address
>  no atm ilmi-keepalive
>  dsl operating-mode auto
>  hold-queue 224 in
>  pvc 0/32
>   encapsulation aal5mux ppp dialer
>   dialer pool-member 1
> !
> interface Dialer0
>  ip address negotiated
>  no ip proxy-arp
>  encapsulation ppp
>  dialer pool 1
>  dialer vpdn
>  dialer-group 1
>  ppp pap sent-username removed
>  ppp link reorders
>  ppp multilink
>  ppp multilink fragment disable
> !
>
> We've tried it with and without the reorders and fragment changes in the config. The server side is a 7206 with an NPE-G1. We're not topping out the processor on either side during transfers.
>
> The multilink bundle shows a lot of discards and reorders. This is after a reset and downloading less than a gig of data on the client:
>
> Virtual-Access3, bundle name is isprouter
>   Endpoint discriminator is isprouter
>   Bundle up for 01:15:43, total bandwidth 40, load 1/255
>   Receive buffer limit 48768 bytes, frag timeout 1000 ms
>   Using relaxed lost fragment detection algorithm.
>   Dialer interface is Dialer0
>     0/0 fragments/bytes in reassembly list
>     242 lost fragments, 1237543 reordered
>     29169/15194784 discarded fragments/bytes, 16700 lost received
>     0x1F9178 received sequence, 0x6A517 sent sequence
>   Member links: 4 (max not set, min not set)
>     Vi4, since 01:15:43, unsequenced
>       PPPoATM link, ATM PVC 0/32 on ATM0/0
>       Packets in ATM PVC Holdq: 0, Particles in ATM PVC Tx Ring: 0
>     Vi6, since 01:15:43, unsequenced
>       PPPoATM link, ATM PVC 0/32 on ATM1/0
>       Packets in ATM PVC Holdq: 0, Particles in ATM PVC Tx Ring: 0
>     Vi5, since 01:15:43, unsequenced
>       PPPoATM link, ATM PVC 0/32 on ATM0/2
>       Packets in ATM PVC Holdq: 0, Particles in ATM PVC Tx Ring: 0
>     Vi2, since 01:15:43, unsequenced
>       PPPoATM link, ATM PVC 0/32 on ATM0/1
>       Packets in ATM PVC Holdq: 0, Particles in ATM PVC Tx Ring: 0
> No inactive multilink interfaces
>
> Any ideas to get this closer to 20+ megs?
>
> Thanks
> dave
>
> --
> Dave Weis
> djw...@internetsolver.com
> http://www.internetsolver.com/
Re: [c-nsp] MLPPP throughput
Depending on your app's ability to handle out of order frames on the end stations of course.

On Wed, Jul 15, 2009 at 09:59:04PM -0400, Rodney Dunn wrote:
> I bet your out-of-order is getting so bad you are dropping the packets.
>
> I'm not a PPPox expert...but could you create 7 dialers and do CEF per packet over them?
Re: [c-nsp] Maximum spannig tree instances
On Tue, Jul 14, 2009 at 05:00:36PM +0200, Gert Doering wrote:
> <rant>
> MST is what comes out if vendor committees get together, and agree to implement the least common determinator in the most complicated way.
> </rant>

I completely disagree - it's what comes out of solving problems related to the LAN - the LOCAL area network.

In virtualized LANs, there's typically only a few possible physical topologies that can exist. MST seeks to exploit this to lower the amount of processing power that is required.

My employer is a datacenter service provider and this holds in our scenario - there's only ever two possible physical topologies. Two distribution routers each have a connection to hundreds of access switches. We started out by mapping what VLANs went to which physical topology and we're done forever. It's great - we get redundancy everywhere and mostly even load balancing.

If your network doesn't behave like this, then you need a better control plane than MST can provide. But don't complain about standards bodies just because they solved a problem that doesn't concern you.

--
Ross Vandegrift
r...@kallisti.us

If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher.
--Woody Guthrie
[c-nsp] Logging event link-status 6509
Hi Guys,

I'm seeing an issue on some of our 6509s where, no matter what I do, I can't disable the event link-status up/down messages appearing in the logs. 'no logging event link-status' appears in the interface config but does nothing.

6509 with Sup720 and s72033-pk9sv-mz.122-18.SXD6.bin as the image.

Any commands you know of that might conflict with these settings? Any other suggestions?

Thanks,
Giles
Re: [c-nsp] Logging event link-status 6509
Excerpts from Giles Woolston's message of Wed Jul 15 21:18:58 -0700 2009:
> I'm seeing an issue on some of our 6509's where no matter what I do I can't disable the event link status up/down appearing in the logs. 'no logging event link-status' appears in the interface config but does nothing. 6509 with sup 720 and s72033-pk9sv-mz.122-18.SXD6.bin as the image. Any commands you know of that might conflict with these settings? Any other suggestions?

There's also a global "logging event link-status [ boot | default ]" option.

Cheers,
jonathan
Re: [c-nsp] Logging event link-status 6509
Yea, as I understand it, that makes the default value enabled, but you should still be able to disable it on a per-interface basis, which I can do on other 6500s but not these ones. The boot option suppresses link-state messages during a reload/bootup, but I need to disable logging for specific interfaces permanently.

Appreciate the suggestion though.

Giles

Jonathan Lassoff wrote:
> Excerpts from Giles Woolston's message of Wed Jul 15 21:18:58 -0700 2009:
> > I'm seeing an issue on some of our 6509's where no matter what I do I can't disable the event link status up/down appearing in the logs. 'no logging event link-status' appears in the interface config but does nothing. 6509 with sup 720 and s72033-pk9sv-mz.122-18.SXD6.bin as the image. Any commands you know of that might conflict with these settings? Any other suggestions?
>
> There's also a global "logging event link-status [ boot | default ]" option.
>
> Cheers,
> jonathan
