Re: [c-nsp] c877 and ntp oddness
Well,

1. The problem is apparent in both 15T and 22T.
2. No access groups are configured.
3. NTPv3, 2 and 1 were tried.
4. Peer syncs and after about 10 mins is declared insane and the relationship is lost. Removal of the clock-period (in 15T) fixes the issue, which points to incorrect calculation of the clock-period (hardware offset); since this persists between versions, it would suggest a hardware issue to me?

Dave.

David Freedman
Group Network Engineering
Claranet Limited
http://www.clara.net

-----Original Message-----
From: Kevin Graham [mailto:kgra...@industrial-marshmallow.com]
Sent: Sun 7/19/2009 04:24
To: David Freedman; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] c877 and ntp oddness

Have a bizarre NTP issue with 877 routers running 12.4(T) train.
- Only seems to affect a small percentage of 877 routers; 878s, 1800s, 2800s seem to be fine.

A coworker reported the exact same behavior a couple of weeks ago. They got 87x routers with a new hardware revision; these routers do not sync with NTP anymore. TAC case is open, but nothing concrete so far.

Are you sure it's hardware related and release-specific? With the introduction of NTPv4 in (22)T it appears NTP access-groups are broken, requiring them to be removed or everything given 'peer' access. (Covered in CSCsw79186, though the problem is much more widespread than the release notes there indicate.)

___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
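The access-group workaround Kevin describes (drop the access-groups, or give everyone 'peer') loosens who may influence the router's clock, so it is worth seeing what is given up and what still holds. The configuration below is an added example, not configuration from either poster: it shows the intended restrictive NTP policy on an IOS 12.4T router, then the workaround, with authentication left in place as the backstop. Addresses (192.0.2.10/11 as upstream servers, 10.0.0.0/8 as clients), ACL numbers and key numbers are constructed.

```ios
! Added example, not from the thread. Constructed values: 192.0.2.10 and
! 192.0.2.11 are the upstream servers, 10.0.0.0/8 the client range.
!
! Authentication first: with 'ntp authenticate' the router only
! synchronises to sources that carry a trusted key, independent of
! whatever the access-groups do or fail to do.
ntp authentication-key 1 md5 <key-string>
ntp authenticate
ntp trusted-key 1
ntp server 192.0.2.10 key 1 prefer
ntp server 192.0.2.11 key 1
!
! Intended policy: only the two upstreams get 'peer' (time requests,
! control queries, and permission for this router to sync to them);
! clients get 'serve-only' (time requests, nothing else).
access-list 10 permit 192.0.2.10
access-list 10 permit 192.0.2.11
access-list 11 permit 10.0.0.0 0.255.255.255
ntp access-group peer 10
ntp access-group serve-only 11
!
! Workaround described in the thread for the 12.4(22)T behaviour:
! remove the access-groups or give everything 'peer'. Leave the
! authentication lines above in place: an unauthenticated source is
! still not accepted as a synchronisation source, so what the
! workaround exposes is control queries and peering attempts from
! arbitrary hosts, not the clock itself. Revert once the fix is in.
no ntp access-group peer 10
no ntp access-group serve-only 11
access-list 12 permit any
ntp access-group peer 12
!
! 'ntp clock-period' is written into the configuration by the router
! itself; clearing it (as Dave did on 15T) forces it to be recalculated.
no ntp clock-period
```

The check after applying either form is `show ntp associations detail`: the upstreams should show as authenticated and the router should stay synchronised for longer than the ten minutes after which the thread's routers declared the peer insane.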
[c-nsp] ASA Multiple Context Mode
Hi All,

As I understand that the ASA in multiple context mode does not support VPNs, does this also include SSL VPNs?? Someone has mentioned that it turns off the IPSEC engine in this mode, but I have not been able to find anywhere where it says SSL VPNs are not supported. If it doesn't support SSL VPN, what are other folks doing for VPNs in this situation where multiple contexts are being used??

TIA,
Clue
Re: [c-nsp] ASA Multiple Context Mode
Clue,

I am pretty sure that it doesn't support SSL VPNs either. All NetPro discussions show the same results. Assuming you are supporting multiple customers and want to give them access to their firewall, or whatever your reason for choosing multiple context may be, you should use another ASA pair in Active/Standby to provide VPN termination services. You may have to mess around with RRI, but you should be able to pull off customer segregation using VLANs.

-ryan
Re: [c-nsp] ASA Multiple Context Mode
I've done IOS based WebVPN with multiple VRFs (vrf-lite in this case); this is somewhat analogous to the ASA w/ multiple context. I know you mentioned how to do this on the ASA, which I don't believe is possible. Our Cisco Acct SE mentioned VLAN mapping, where you terminate the webvpn/ipsec tunnel on one interface but then funnel the designated traffic per customer to different downstream VLANs or interfaces; essentially this allows you to have multiple customer groups in one context. I've seen docs on Cisco CCO that mention this as well. Good luck.

Regards,
Ge Moua | Email: moua0...@umn.edu
Network Design Engineer
University of Minnesota | Networking Telecommunications Services
Re: [c-nsp] ASA Multiple Context Mode
Ge,

That's exactly what I was referring to: 2 pairs, one for the multiple context and one for the VPN terminations. Then the group-policy mappings contain the VLAN mapping for each customer.

-ryan
[c-nsp] Splicing a roll-over cable
Hi all,

I've finally got some new routers in that I'll be using for testing (the IPv6 BGP route-reflector situation is on the top of the list). The lab area is very close to my workstation.

Before I have the devices connected to a network, I prefer to use my workstation to copy config snips et al. to the devices. Oftentimes, I'll use a lab PC to do similar jobs, so I unplug the console cable from the device from my workstation serial port and connect to a lab PC serial port.

I don't know much (i.e. anything) about the electrical properties of a serial PC interface, so I thought I'd ask whether it would do any harm to 'splice' into a roll-over cable so the input/output from the console can be used simultaneously from multiple command stations, without having to do the physical unplug/replug. Essentially, I'd like keystrokes to be seen on one monitor that is connected to the console that is typed on another device connected to the same console port.

Steve

ps. I'll be testing this on a 26xx tomorrow if this hasn't been tried ;)
Re: [c-nsp] Splicing a roll-over cable
Steve Bertrand wrote:

Essentially, I'd like keystrokes to be seen on one monitor that is connected to the console that is typed on another device connected to the same console port.

RS-232 drivers should have sufficient current to drive two receivers, but two drivers in parallel will tend to pull the line in opposite directions. In other words, if you connect the router's send line and ground to both monitors, the output can be displayed on both simultaneously. You probably won't see the command input on the second one, however. Two keyboards driving the router isn't going to work well, probably not at all.

VNC on the PCs might be a better choice to solve this problem.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] ASA Multiple Context Mode
On 20/07/2009, at 4:13 AM, Clue Store wrote:

If it doesn't support SSL VPN, what are other folks doing for VPNs in this situation where multiple contexts are being used??

Hi

We use a router running vrf-aware ipsec to drop users from each customer into a vlan on their ASA context. Works pretty well.

David
...
Re: [c-nsp] ASA Multiple Context Mode
Hi David,

Does this mean you're terminating the ipsec tunnel on a router inside the vrf through the context?? I was thinking about this but wasn't sure what nastiness would come out of it. MTU issues, etc...
Re: [c-nsp] ASA Multiple Context Mode
I think I read your post wrong the first time around. You're terminating the tunnel on a router that's vrf aware and dropping the traffic on the inside of the tunnel on a vlan that's in the same vlan as their context. Correct??
Re: [c-nsp] OT: Network documentation tool
On 19/07/2009, at 1:25 AM, Peter Rathlev wrote:

What do people use to store documentation? Currently we use a CIFS share but this seems clumsy at best.

Hi

We use a Subversion repository and store all documents in there (word, pdf, text, etc etc). Our reasoning for using this rather than the corporate SharePoint installation or a Wiki is that using a solution that requires a functioning network just to access your documentation is fundamentally flawed IMHO. I wanted my team to have access to all network docs on their notebook any time they needed them (i.e. during a network outage etc). There are Mac, Windows and *nix clients. It's worked very well over the years.

David
...
Re: [c-nsp] ASA Multiple Context Mode
Hi

No, the outside of the router is outside the firewall. The tunnel terminates on that device and we drop the client traffic through the vrf and a sub-int onto a vlan that's presented as a DMZ to the firewall context. Any security policy can then be applied to it via the ASA.

David
...
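The design David describes (tunnel terminates on a router in front of the firewall, decrypted traffic lands in a per-customer VRF and exits on a dot1Q sub-interface into a VLAN the ASA context treats as a DMZ) is worth seeing as configuration, because the separation between customers depends on getting the VRF hooks right at each stage. The block below is an added example written for this page, not David's or anyone else's configuration. It is the site-to-site form of VRF-aware IPsec (remote-access clients hang off the same `vrf` statement in the ISAKMP profile); all names and addresses are constructed: CUST-A is the customer VRF, 203.0.113.1 the router's outside address in the global table, 198.51.100.10 the customer's peer, 192.168.10.0/24 their remote network, 10.101.0.0/16 their address space behind the ASA context, and VLAN 101 the DMZ VLAN. Whether `group 14` is available depends on the IOS release on the box.

```ios
! Added example, not configuration from the thread. Constructed values:
! CUST-A = customer VRF, 203.0.113.1 = this router's outside address
! (global table, in front of the firewall), 198.51.100.10 = customer's
! VPN peer, 192.168.10.0/24 = their remote network, 10.101.0.0/16 =
! their space behind the ASA context, VLAN 101 = DMZ VLAN to that context.
ip vrf CUST-A
 rd 65000:101
!
! Phase 1. Each customer gets its own keyring and ISAKMP profile. The
! 'vrf' line in the profile is the inside VRF that decrypted traffic is
! placed into; the front VRF is the global table because the crypto map
! sits on a global interface, so the keyring carries no 'vrf' keyword.
crypto keyring CUST-A-KEYS
 pre-shared-key address 198.51.100.10 key <cust-a-secret>
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
!
crypto isakmp profile CUST-A-PROF
 vrf CUST-A
 keyring CUST-A-KEYS
 match identity address 198.51.100.10 255.255.255.255
!
! Phase 2. The crypto ACL is the only thing that decides which traffic
! is protected, so keep it to the customer's own prefixes.
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
!
ip access-list extended CUST-A-CRYPTO
 permit ip 10.101.0.0 0.0.255.255 192.168.10.0 0.0.0.255
!
crypto map OUTSIDE-MAP 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set AES256-SHA
 set isakmp-profile CUST-A-PROF
 match address CUST-A-CRYPTO
!
! Outside interface: global routing table, untrusted side of the firewall.
interface GigabitEthernet0/0
 description Outside, in front of the ASA
 ip address 203.0.113.1 255.255.255.0
 crypto map OUTSIDE-MAP
!
! Inside: one dot1Q sub-interface per customer, placed in that customer's
! VRF, on the VLAN the ASA context sees as a DMZ. Security policy is then
! the ASA's job. Clamping MSS here heads off the post-encryption
! fragmentation that Clue asked about.
interface GigabitEthernet0/1.101
 description CUST-A DMZ VLAN towards their ASA context
 encapsulation dot1Q 101
 ip vrf forwarding CUST-A
 ip address 10.101.0.1 255.255.255.0
 ip tcp adjust-mss 1360
!
! Routing inside the customer VRF: the remote network points at the
! crypto-map interface in the global table so return traffic is encrypted;
! the customer's space behind the context points at the context's DMZ
! address (10.101.0.2, constructed). The ASA context in turn routes
! 192.168.10.0/24 to 10.101.0.1.
ip route vrf CUST-A 192.168.10.0 255.255.255.0 GigabitEthernet0/0 203.0.113.254
ip route vrf CUST-A 10.101.0.0 255.255.0.0 10.101.0.2
!
! A second customer is this block again with its own VRF, keyring,
! profile, crypto-map sequence number and sub-interface. Because each
! inside VRF is separate, customers' inside address space may overlap;
! the peers' outside addresses must still be distinct, since the keyring
! and profile match on them in the global table.
```

Two things to verify once it is up: `show crypto isakmp sa` and `show crypto ipsec sa` confirm the tunnel, and `show ip route vrf CUST-A` confirms that the customer VRF holds only that customer's prefixes plus the tunnel route, which is the property that keeps one customer's tunnel from reaching another customer's DMZ VLAN without passing the ASA.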
Re: [c-nsp] ASA Multiple Context Mode
Gotcha, after I re-read your post, that's when it hit me as to what you were doing. This seems much more economical than buying another active/failover pair of ASAs just to terminate tunnels. I have a couple of 7200s on the shelf that would be perfect for this as we are almost at our budget limit for this project. Great solution, thanks.

Clue
Re: [c-nsp] Splicing a roll-over cable
What about something from Black Box. I'm not sure if the link below is exactly what you need, but they have all sorts of devices for converting, extending and sharing serial connections. Not as cheap as splicing your own serial/console cable, but potentially more chance of success (and you can return it if it doesn't work). There's also probably someone making something similar in a no-name product that does the same thing if you look around.

http://www.blackbox.com/Store/Detail.aspx/Modem-Splitter-3-Port-MS-3/TL073A-R4

regards,
Tony.

--- On Mon, 20/7/09, Steve Bertrand st...@ibctech.ca wrote:

From: Steve Bertrand st...@ibctech.ca
Subject: Re: [c-nsp] Splicing a roll-over cable
To: Jay Hennigan j...@west.net
Cc: Cisco-NSP Mailing List cisco-nsp@puck.nether.net
Date: Monday, 20 July, 2009, 10:37 AM

Jay Hennigan wrote:

[..huge snip..]

VNC on the PCs might be a better choice to solve this problem.

I'm used to FreeBSD... instead of:

    # ssh -l myname lab.box
    # sudo cu -l /dev/cuad0

... I was hoping for something a little closer to the device itself (if possible). The lab PC boxen are not connected to any network (including the network my workstation belongs to). I was hoping to communicate with the defunct and way-too-old devices without having to use IP based communication.

Because my knowledge and experience is being forced upon playing with the likes of 2691-type hardware, I figured that I might try frying a couple during testing... instead of using a remote control software, I was hoping that RS-232 would solve this, just for playing around.

Steve

ps: For the love of God... does anyone have 1 or 10 G lab hardware that a semi-skilled engineer can look at, and get familiar with its convention?! ;)
Re: [c-nsp] Splicing a roll-over cable
Essentially, I'd like keystrokes to be seen on one monitor that is connected to the console that is typed on another device connected to the same console port.

rtty (you can find it in /usr/ports/sysutils/rtty in the FreeBSD ports collection; source is at http://ftp.isc.org/isc/rtty/) does exactly what you want.

Stephen
Re: [c-nsp] Splicing a roll-over cable
On Sun, 19 Jul 2009, Steve Bertrand wrote:

I was hoping to communicate with the defunct and way-too-old devices without having to use IP based communication.

Then I guess you could serial console into the lab PC box from your PC, and run screen -x on it (if you want multiple sources talking to it at the same time).

Remember that 19200 serial only goes 10-20 meters in standard form (very approximate, depends on serial hardware etc); http://www.connectworld.net/interface-troubleshooting.html says even less (20 feet).

screen -x is a wonderful collaboration tool.

--
Mikael Abrahamsson email: swm...@swm.pp.se
Re: [c-nsp] edge router BGP
Gert Doering wrote:

Hi,

On Thu, Jul 16, 2009 at 04:20:50PM -0500, Justin Shore wrote:

It has 5x the backplane to boot plus it's hardware forwarding. The only real downside IMHO is that the unit uses SPAs which require SmartNets per SPA (per license and per a lot of other things for that matter too).

Uh. Could you elaborate on that? Especially the per-license and a lot of other things bit? We have no ASR1k yet, but if something like the ES20 extra license for IPv6 *per ES20 card* is going to come back, this would be a strong reason to finally go to the Vendor J camp.

You can see the prices in the Dynamic Config Tool on cisco.com when you build an ASR. I just built a 1002 in the DCT as an example. I added a couple SPAs and licenses. On the summary page there are SmartNet line items for:

- ESP
- Chassis
- IOS SW Redundancy Right-to-Use License
- Crypto Right-to-Use License
- Each SPA
- And the IOS itself

So for a $95k chassis @ list I have $5800 in SmartNets (8x5xNBD) @ list per year.

Fire away...

Justin