[c-nsp] 7600 QoS policing
Hi all,

I'm hoping that someone might be able to help with some suggestions for how to configure QoS for the following setup. I've read a whole lot of documentation and can't find anything that helps me.

Device: 7609 sup720-3b running 12.2(33)SRD1. GigE card = WS-X6516-GE-TX
Site 1 = 40Mbps, two VLANs, connected to Gi7/5
Site 2 = 10Mbps, two VLANs (21 22), connected to Gig7/4
Site 3 = 4Mbps, two VLANs (31 32), connected to Gig7/4
Site 4 = 4Mbps, two VLANs (41 42), connected to Gig7/4

All of the links are provided by external carriers (two different ones) and it is assumed that they rate limit to the agreed purchased bandwidth non-discriminately (ie. they chuck out whatever exceeds the configured rate). If you're wondering how 40Mbps in from one site is ever going to work going out to other sites that only have an aggregate of 18Mbps, that's because there are other sites connected via MPLS; I'm just interested in the ones that are local to this PE for now.

What I want to achieve is that for each of site 2, 3 and 4 I prioritise voice traffic. This voice traffic is allowed to have up to 3Mbps of the link to itself if required; the rest is available for general data traffic. The voice traffic will always be in ONE of the VLANs to each site. The voice VLAN is attached to a separate VRF than the data VLAN, but no MPLS on the site links; the traffic is L3 separated by being on different VLANs, with each VLAN connecting to different gear at the CPE.

I have been looking at PFC QoS and my first thought was to police based on the VLANs using a hierarchical model like this (assuming hierarchical qos is supported on PFC3B, which I think it is?):

 class-map c1
  match any
 class-map s2    !site 2
  match vlan 21, 22
 class-map s3    !site 3
  match vlan 31, 32
 class-map s4    !site 4
  match vlan 41, 42
 policy p_gig7-4
  class c1
   police 1800
   service-policy p_vlan
 policy p_vlan
  class s2
   police 1000
  class s3
   police 400
  class s4
   police 400

I'm well aware that the above isn't a valid config; consider it pseudocode for what I'm trying to achieve, which is to limit all of the vlans together to 18Mbps, with each site limited to its own specific bandwidth within a child policy below that. This seems like a reasonable place to start (provided it could actually be implemented). I don't think I can match on vlan attribute, but I can probably get around that by matching on either destination address or something else.

The main problem I can see is that the policer won't discriminate between the different vlans, so if the data vlan is using too much, then I'm probably going to lose voice packets when both vlans get policed (which I don't want, I want to chuck data packets first). The voice packets are marked DSCP-EF (COS-5), so will the policer favour throwing out the lower DSCP packets first to keep within the policed values? I can't see anything that says it will and I can't see why it would as it's just a plain policer. I could police the data vlan for each site so that there is always 3Mbps left for the voice (ie. site 2 - police to 7Mbps, site 3/4 police to 1Mbps), but this means that I am enforcing that limit regardless of whether there is voice traffic or not and so not getting the most efficient use of the bandwidth available.

My understanding from the documentation flowcharts that I've read is that policing is done by the PFC BEFORE interface queueing, so that if I want to police to a certain rate, it needs to be done before the traffic gets to the egress queues (ie. Q1, Q2 PQ for my particular card). Once it gets to the egress queues I can't rate-limit and it will try to send at the interface speed (ie. Gbps) to the provider, who will most likely accept the traffic at Gbps rate and then drop at a later stage somewhere in their network if it exceeds link speed to the site in question.

So how can I police to a certain rate with preference given to dropping lower priority packets up to the policed rate? I'd like to be able to specify a policing situation so that for each pair of VLANs per site I have 4Mbps of bandwidth with up to 3Mbps committed to voice traffic. Ideally I could also specify others too, so up to 3Mbps for COS-5, up to 1Mbps guaranteed for COS-4 (after COS-5 had been served) and then whatever is left for everything else. Am I missing something simple here?

I haven't really said anything about Site 1, but it needs to have a similar config so that traffic over the configured rate will be dropped with lower priority packets being dropped first.

I'm not looking for someone to give me the entire answer with config included; I'm happy to be pointed in the right direction. Any workarounds will be actively entertained. If you've read this far, thanks for sticking with me.

regards,
Tony.

___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Cisco Catalyst 2960PD-8TT-L
You mean _Carthago delenda est_

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Nick Hilliard
Sent: Monday, July 27, 2009 11:16 PM
To: Justin Shore
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cisco Catalyst 2960PD-8TT-L

On 27/07/2009 19:57, Justin Shore wrote:
> Interesting. So they don't have a Cisco CLI but they have an otherwise limited CLI if you know the tricks to get into it. I don't think that will be helpful in RANCID though. I don't think I can make it jump through all the hoops necessary to get logged in or pass meta control characters. Interesting nonetheless though.

Well, they do have a limited Cisco CLI, which is enough for them to store the complete switch configuration in a cisco-style configuration file. You can see this file if you boot into the bootprom (press either ESC or CTRL-U on bootup on the serial console). In theory you can also tftp this file up to a tftp server, but from an automation point of view, the problem in practice turns out to be getting past the stupid curses based interface and dealing with the various models. The SRW224, for example, doesn't support lcli at all, although at least it supports browsers other than IE6/IE7. I don't think the SLM series supports lcli either - which is a pain, given that they are newer boxes and support cisco style configuration files (the SRW224 config files are binary).

On a delenda est carthago note, whoever in Linksys made the dysfunctional decision only to support IE6/IE7 seriously needs to be kicked up the ass.

Nick
Re: [c-nsp] L2TPv3 Tunnel bandwidth and QoS
Thanks,

After looking deeper into the scenario and router configs I kinda managed to come up with it. I still didn't implement it and if we're talking I'd better show you so you can confirm it will do what I need it to do. The customer has a 13Mb internet link and I need to set 2Mb for the tunnel. This is what I've set:

 ip access-list standard CUSTOMER
  ! this is the customer's rtr - xconnect destination ip:
  permit 12.34.56.78
 !
 class-map match-all CUSTOMER
  match access-group name CUSTOMER
 !
 !
 policy-map CUSTOMER-L2TPV3
  class CUSTOMER
   priority 2000
   police rate 200
 !

Ziv

-----Original Message-----
From: Arie Vayner (avayner) [mailto:avay...@cisco.com]
Sent: Monday, July 27, 2009 6:12 PM
To: Ziv Leyes; Cisco-nsp
Subject: RE: [c-nsp] L2TPv3 Tunnel bandwidth and QoS

Ziv,

You should be able to match the tunnel by matching its IP endpoints. If you could share more info about your QOS requirements, I could assist with building the policy.

Arie

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Ziv Leyes
Sent: Monday, July 27, 2009 11:15
To: Cisco-nsp
Subject: [c-nsp] L2TPv3 Tunnel bandwidth and QoS

Hi all,

I'd like to know if there is a feasible way to guarantee QoS for an L2TPv3 tunnel. My customer has a 13Mb uplink to the internet and we've set a tunnel between the customer's router and one of our routers. We want to perform some settings on his side that will assure the L2TP tunnel always gets 2Mb. I know that some settings will not only guarantee but also limit it to 2M, and it's ok for us. My question is what shall I set as a matching setting? The remote tunnel IP? The inside IPs?

TIA,
Ziv
Re: [c-nsp] L2TPv3 Tunnel bandwidth and QoS
Ziv,

You need to apply a nested policy... The parent policy should do shaping to the real link rate, or else the router does not have any way to know how much bandwidth is really out there. The child policy should have the policy you want for the different classes.

Are you sure you want to put the tunnel in the priority queue? You could assign it to a regular class and just assign bandwidth to it. This would allow the tunnel to burst to more than 2M if the BW is available.

Arie

On Tue, Jul 28, 2009 at 10:11 AM, Ziv Leyes z...@gilat.net wrote:
> [...]
[c-nsp] Humor: Cisco announces end of BGP
I just got this product alert from Cisco:

From: cisconotificationserv...@cisco.com
To: h...@efes.iucc.ac.il
Subject: Cisco Notification Alert -Alerts_Daily-07/28/2009 07:38 GMT

Cisco Notification Service Alert: Cisco Notification Alert -Alerts_Daily-07/28/2009 07:38 GMT
End-of-Sale and End-of-Life Announcements-Border Gateway Protocol (BGP)-07/27/2009 08:44 GMT-07/28/2009 07:35 GMT

What exactly does Cisco have planned as a replacement? :-)

-Hank
Re: [c-nsp] Cisco Catalyst 2960PD-8TT-L
On 28/07/2009 08:02, Ziv Leyes wrote:
> delenda est carthago

This is ridiculously off-topic, but the original wording as Cato used in his speeches is long lost. The primary reference for this phrase comes from Plutarch who wrote in one of his Lives: "...και η Καρχηδόνα πρέπει να καταστραφεί" (...and it is fitting that Carthage be destroyed). The Latin "delenda est carthago" is usually used, but "carthago delenda est" is occasionally quoted and means the same thing - Latin is pretty insensitive about the location of words, and it unambiguously means the same thing.

Anyway, the point of all this is that Linksys need to realise that not everyone has Internet Explorer on their computer, and depending on its presence to be able to configure your switch is something which pegs my suck-o-meter.

Nick
[c-nsp] DAI (arp inspection) Issue on 6500 [SXH2a,SUP720-3b]
I am attempting to use statically configured arp inspection on a vlan on our 6500. Here's an example: we have, say, vlan 500, and vlan 500 is assigned to ports gi11/1-48. The configuration on the ports is as follows:

 switchport
 switchport access vlan 500
 switchport mode access
 switchport block unicast
 switchport port-security
 switchport port-security maximum 4
 switchport port-security aging time 60
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 switchport port-security mac-address sticky
 ip arp inspection limit rate 25 burst interval 5
 storm-control broadcast level 0.50
 storm-control multicast level 0.50
 no cdp enable
 spanning-tree bpduguard enable

I created

 arp access-list vlan500

and then I did

 ip arp inspection filter vlan500 vlan 500

I made the arp access-list simply "permit ip any mac any" so it should allow everything.

The problem is, none of the machines on vlan 500 can talk to each other. They can talk to the gateway address which is on interface vlan 500:

 interface Vlan500
  ip address 10.0.0.1 255.255.255.192
  ip helper-address 10.10.10.10
  no ip redirects
  no ip unreachables
  ip sticky-arp
  no ip proxy-arp
  arp timeout 3200

So what am I doing wrong that nothing on this vlan can send arp requests to each other?? If I disable arp inspection they can send/receive arp responses fine.. say 10.0.0.5 can arp 10.0.0.6 (10.0.0.5 would be on say gi11/5 and 10.0.0.6 on gi11/6), but when I enable it, arps don't make it.

 Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(33)SXH2a, RELEASE SOFTWARE (fc2)
 cisco WS-C6513 (R7000) processor (revision 1.0) with 458720K/65536K bytes of memory.

This is SUP720-3B. My understanding is that this should work, so I am thinking this is a bug in the code? I tried this on two 6500's, both with the same code. I will try it on a test in the lab with SXH5. If anyone has any idea feel free to chime in and cc my email in the reply.

Thanks!!

--
GloboTech Communications
Phone: 1-514-907-0050 x 215
Toll Free: 1-(888)-GTCOMM1
Fax: 1-(514)-907-0750
p...@gtcomm.net
http://www.gtcomm.net
[c-nsp] IP Sla
hi all

i configured the following on my router

 ip sla 200
  icmp-echo 4.2.2.2
  threshold 50
  frequency 5
 ip sla schedule 200 life forever start-time now
 event manager applet FILE
  event snmp oid 1.3.6.1.4.1.9.9.42.1.2.9.1.7.200 get-type exact entry-op eq entry-val 1 exit-op eq exit-val 2 poll-interval 5
  action 1.0 syslog msg RTT
  action 1.1 mail server x.x.x.x to x...@x.com from y...@x.com subject test

now the average RTT value to 4.2.2.2 is about 90ms. i configured the threshold to be 50 so that the sla will count continuously, but i received one mail and didn't receive another mail after that? any ideas how to keep sending that mail?

thanks in advance
Re: [c-nsp] L2TPv3 Tunnel bandwidth and QoS
Would you give an example for the nested policy? I do want to put it in the priority queue; the link that ends the xconnect is an interface connected to a Metro-E service that is physically limited to 2Mb so it won't be able to exceed it anyway. That's why I want to limit it on the router too, while also guaranteeing its priority.

Thanks,
Ziv

From: Arie Vayner [mailto:arievay...@gmail.com]
Sent: Tuesday, July 28, 2009 10:43 AM
To: Ziv Leyes
Cc: Arie Vayner (avayner); Cisco-nsp
Subject: Re: [c-nsp] L2TPv3 Tunnel bandwidth and QoS

> [...]
Re: [c-nsp] L2TPv3 Tunnel bandwidth and QoS
Ziv,

Take a look here: http://www.cisco.com/en/US/partner/docs/ios/qos/configuration/guide/qos_mqc.html#wp1060197

Arie

From: Ziv Leyes [mailto:z...@gilat.net]
Sent: Tuesday, July 28, 2009 12:35
To: Arie Vayner
Cc: Arie Vayner (avayner); Cisco-nsp
Subject: RE: [c-nsp] L2TPv3 Tunnel bandwidth and QoS

> [...]
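An added example (not Arie's or Ziv's own config) of the nested policy Arie describes: a parent shaper at the real 13 Mb uplink rate with a child policy that puts the L2TPv3 tunnel in the priority queue. The interface name and the extended ACL are assumptions; the remote endpoint 12.34.56.78 is the one from the thread.

```cisco
! Classification: match traffic towards the remote L2TPv3 endpoint.
! A standard ACL under "match access-group" only tests the SOURCE address,
! so for an outbound policy on the customer router an extended ACL keyed on
! the destination is used instead (assumption: applied outbound, customer side).
ip access-list extended L2TPV3-TUNNEL
 permit ip any host 12.34.56.78
!
class-map match-all CUSTOMER
 match access-group name L2TPV3-TUNNEL
!
! Child policy: per-class treatment.  "priority 2000" gives the tunnel a
! low-latency queue AND an implicit policer at 2000 kbps under congestion,
! which matches the 2 Mb Metro-E tail; no separate "police" line is needed.
policy-map CUSTOMER-L2TPV3
 class CUSTOMER
  priority 2000
 class class-default
  fair-queue
!
! Parent policy: shape everything to the real 13 Mb/s uplink rate (bps).
! Without it the Ethernet port never congests, the queues never fill and
! the child policy never gets to arbitrate between classes.
policy-map SHAPE-13M
 class class-default
  shape average 13000000
  service-policy CUSTOMER-L2TPV3
!
! Attach the parent outbound on the interface facing the ISP (name assumed).
interface GigabitEthernet0/0
 description 13 Mb/s Internet uplink
 service-policy output SHAPE-13M
```

"show policy-map interface GigabitEthernet0/0" then shows the shaper plus the nested class counters, which is where to confirm the tunnel traffic is landing in the CUSTOMER class rather than class-default.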
Re: [c-nsp] IP Sla
Mohammad,

The way it works is that the entry-val would trigger an event once (enter into the state) and until you do not hit the exit-val, you would not get another event. This is done basically to generate a single alarm instead of getting a repeating one.

Arie

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mohammad Khalil
Sent: Tuesday, July 28, 2009 11:49
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] IP Sla

> [...]
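An added example, not part of the thread, of the re-arm behaviour Arie describes: the same IP SLA probe, with the applet's exit condition replaced by exit-time so the event re-arms after a fixed period instead of waiting for the RTT to drop. It assumes the platform's EEM accepts exit-time on "event snmp"; the mail server and addresses are placeholders.

```cisco
! Probe as posted in the thread: ICMP echo to 4.2.2.2 every 5 s, 50 ms threshold.
ip sla 200
 icmp-echo 4.2.2.2
 threshold 50
 frequency 5
ip sla schedule 200 life forever start-time now
!
! 1.3.6.1.4.1.9.9.42.1.2.9.1.7.200 is rttMonCtrlOperOverThresholdOccurred for
! entry 200 in CISCO-RTTMON-MIB (TruthValue: 1 = true, 2 = false).
!
! The original applet used "exit-op eq exit-val 2": after firing on value 1 the
! event only re-arms once the OID reads 2, i.e. once the RTT is back under
! 50 ms.  With a steady 90 ms RTT that never happens, hence a single mail.
!
! Using exit-time instead re-arms the event a fixed number of seconds after it
! fires, regardless of the OID, so the alert repeats while the condition
! persists, rate-limited to one every 300 s (interval assumed).
event manager applet RTT-OVER-THRESHOLD
 event snmp oid 1.3.6.1.4.1.9.9.42.1.2.9.1.7.200 get-type exact entry-op eq entry-val 1 exit-time 300 poll-interval 5
 action 1.0 syslog priority warnings msg "IP SLA 200: RTT to 4.2.2.2 over the 50 ms threshold"
 action 1.1 mail server 192.0.2.25 to noc@example.com from router@example.com subject "IP SLA 200 over threshold" body "RTT to 4.2.2.2 exceeded 50 ms (still over threshold at $_event_pub_time)"
```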
[c-nsp] STP state of MSFC internal ports
Hi,

I have two 6500s in a LAN connected at layer 2. Each of them has an SVI with an IP and HSRP working without problems. When I configure Fallback Bridging on the SVI in both switches, HSRP stops working, so I think the problem can be related to a segmented L2 network topology. I found the following link: http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800a7af6.shtml

The question is: how can I check the STP state of the ports connecting to the MSFC?

The configuration in both switches is like the following:

 interface VlanXX
  ip address X.X.X.X 255.255.255.0
  standby 28 ip X.X.X.Y
  bridge-group 1
 bridge 1 protocol vlan-bridge
 bridge 1 priority 2

Best regards.
--
Daniel
Re: [c-nsp] Humor: Cisco announces end of BGP
ODR perhaps? Or maybe OER (that's one letter higher anyway...) ;)

-David

Hank Nussbacher wrote:
> [...]
[c-nsp] ASA v8 , VPN, and time-range access-lists
Hi chaps,

I want to have my VPN Client users bound to time ranges so they can only connect during a certain period of time on week days. Typically my remote guys will connect at the start of the day and stay connected till the very end of it or not disconnect at all.

I've been experimenting with access-hours settings on the group policy and time-range access lists. From what I have worked out, if a user is connected before the access-hours kicks in (i.e. when they aren't allowed to connect) they will remain connected until they disconnect by hand or if I boot them off manually.

I decided to try out the time range access-lists on the outside interface to block their connection attempts once they have logged in via VPN and start up their application. This seems to work for when I've connected out of the allowed time, but if I am connected before the time-range kicks in my connection stays active (I was running a simple ping -t host). Although I did notice after a certain period of time (around 30 minutes) my pings stopped replying and the access-list worked.

Am I doing something wrong, hence why the time range access-lists aren't working properly? The time on the FW is always correct and sync'd to NTP. I'd appreciate any help!

Cheers,
W
Re: [c-nsp] STP state of MSFC internal ports
show bridge group

On Tue, Jul 28, 2009 at 1:22 PM, Daniel Garrido gara...@gmail.com wrote:
> [...]
Re: [c-nsp] ASA v8 , VPN, and time-range access-lists
Hello, The standard approach is to send, at authentication, via e.g. a RADIUS attribute, a session timeout calculated to the end of the work-day. ACLs may not work because the sessions are already established. You could experiment with stateless ACLs on a router somewhere above your ASA, but I would go with the RADIUS approach. Regards, John

On Tue, 28 Jul 2009, William wrote:
Re: [c-nsp] ASA v8 , VPN, and time-range access-lists
William, This was discussed on another list as well, but it seems the router time-based ACLs are absolute and that the ASA waits for active sessions to time out, at least when used with vpn-filter. I believe the vpn-filter is only called once when the user first connects; if you have to make changes to that ACL, it requires a user re-auth. It would be nice if something like kron existed for the ASA; you could just force a re-auth at 5:00PM. Have you looked at using 'vpn-access-hours' under the group-policy? I noticed John mentioned using Radius for the access-hours, but I've been using LDAP a lot for authorization, although I guess that function of Radius would be under authentication. -ryan

-Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of William Sent: Tuesday, July 28, 2009 9:00 AM To: cisco-nsp@puck.nether.net Subject: [c-nsp] ASA v8 , VPN, and time-range access-lists
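As an added example (not configuration from William's, John's or Ryan's posts), this is what the two mechanisms discussed in the thread look like together on an ASA 8.x: a weekday time-range attached to the group policy with vpn-access-hours, which only gates new tunnel setups, plus a hard vpn-session-timeout so that a tunnel built inside the window cannot outlive it. The names WORKDAY, RA-USERS and RA-VPN and the NTP server address are assumptions.

```cisco
! Added example, not configuration from the thread. Assumed names: time-range
! WORKDAY, group-policy RA-USERS, tunnel-group RA-VPN; NTP server 192.0.2.10.
!
! Time-range evaluation depends on the firewall clock, so pin it down first.
clock timezone GMT 0
ntp server 192.0.2.10
!
! Window in which a client is allowed to *start* a tunnel. vpn-access-hours is
! checked at login only; a session that is already up is not torn down at 19:00.
time-range WORKDAY
 periodic weekdays 07:00 to 19:00
!
group-policy RA-USERS internal
group-policy RA-USERS attributes
 vpn-tunnel-protocol IPSec
 vpn-access-hours value WORKDAY
! Hard limit in minutes: 720 = 12 h, so a tunnel built at 07:00 is gone by
! 19:00 even if the user never disconnects. A RADIUS Session-Timeout (IETF
! attribute 27, in seconds) returned at authentication overrides this value
! per user, which is how John's "timeout calculated to the end of the
! work-day" is delivered.
 vpn-session-timeout 720
! Idle tunnels are dropped well before the hard limit.
 vpn-idle-timeout 30
!
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 default-group-policy RA-USERS
```

Check the result with `show vpn-sessiondb detail remote` (login time and duration per session); `vpn-sessiondb logoff remote` is the manual kick for anything still up after hours. The static vpn-session-timeout is only an approximation of the window: a user who connects at 18:55 still gets twelve hours, which is why the RADIUS-computed Session-Timeout is the tighter option.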
Re: [c-nsp] VPN clients on Cisco ASA
Hi Guys, Appreciate your help on this. I have tried the VPN Wizard and the CLI config from the link below but still no luck. The Cisco VPN client tries to connect and after a few seconds shows Not Connected. I think it is an ACL issue but I am not 100% sure. I have attached the running config; could someone please take a look? Many thanks, Kiran

-Original Message- From: Ryan West [mailto:rw...@zyedge.com] Sent: 27 July 2009 13:57 To: Oddiraju, Kiran @ London SMC; cisco-nsp@puck.nether.net Subject: RE: VPN clients on Cisco ASA

Hello again Kiran, I think you should take a quick read through the following link. You can use the ASDM Remote Access VPN wizard to configure most of the settings and if you're interested in doing it via CLI, that's also an option. http://www.cisco.com/en/US/products/ps6120/products_configuration_exampl e09186a008060f25c.shtml In particular, the options you have asked about are all covered in the doc except for split-tunneling, at least the associated output in CLI. You'll want to configure that inside the group policy you create from the link above. Here is an example:

group-policy mygrouppolicyname attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL Here

Let me know how it works out for you. -ryan

-Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Oddiraju, Kiran @ London SMC Sent: Monday, July 27, 2009 8:33 AM To: cisco-nsp@puck.nether.net Subject: [c-nsp] VPN clients on Cisco ASA

Hi List, Cisco ASA 5505, Cisco VPN Client 5.0. ASA External IP: 80.90.100.117 /29. Internal range: 192.168.0.0 /24. I am new to the Cisco ASA world and have been struggling to configure my 5505 to accept VPN connections from external hosts. I want to allocate IP addresses dynamically, allow access to certain subnets and allow internet access through their local connection. Can someone please post me a sample ASA config? Thanks guys Regards, Kiran

CB Richard Ellis Limited, Registered Office: St Martin's Court, 10 Paternoster Row, London, EC4M 7HP, registered in England and Wales No. 3536032. Regulated by the RICS and an appointed representative of CB Richard Ellis Indirect Investment Services Limited which is authorised and regulated by the Financial Services Authority. This communication is from CB Richard Ellis Limited or one of its associated/subsidiary companies. This communication contains information which is confidential and may be privileged. If you are not the intended recipient, please contact the sender immediately. Any use of its contents is strictly prohibited and you must not copy, send or disclose it, or rely on its contents in any way whatsoever. Reasonable care has been taken to ensure that this communication (and any attachments or hyperlinks contained within it) is free from computer viruses. No responsibility is accepted by CB Richard Ellis Limited or its associated/subsidiary companies and the recipient should carry out any appropriate virus checks.

cUcM-FiReWall# sh run
: Saved
:
ASA Version 8.0(3)
!
hostname cUcM-FiReWall
domain-name cisco.com
enable password 8Ry2YjIyt7RRXT24 encrypted
names
name 192.168.0.0 LAN_INSIDE description ### Inside ###
!
interface Vlan1
 nameif outside
 security-level 0
 ip address 80.90.100.117 255.255.255.248
!
interface Vlan2
 nameif inside
 security-level 100
 ip address 192.168.0.253 255.255.255.0
!
interface Ethernet0/0
 description OUTSIDE
!
interface Ethernet0/1
 description INSIDE
 switchport access vlan 2
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
Re: [c-nsp] VPN clients on Cisco ASA
Kiran, You'll want to get Xauth configured for your RA-VPN. Do you have an internal auth server you can query? You can query AD directly through LDAP / NT protocol / Kerberos or use IAS through RADIUS. Once you establish those servers, you'll want to call them in your tunnel-group Kir-VPN gen attributes. You probably also want to set your default-group-policy to Kiran-CUCM-VPN in the same section. Since you are most likely failing IKE negotiations, you can run a 'debug cry isa 2' and gather more information. I would recommend following this guide and leveraging IAS; it's more of the traditional method, but I think it would be a good fit for your needs. http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml You should try to sanitize your configs in the future; just put in x.x.x.x when posting public IPs. -ryan

-Original Message- From: Oddiraju, Kiran @ London SMC [mailto:kiran.oddir...@cbre.com] Sent: Tuesday, July 28, 2009 10:01 AM To: Ryan West Cc: cisco-nsp@puck.nether.net Subject: Re: VPN clients on Cisco ASA
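As an added example (not Kiran's running config and not Ryan's text), this is a minimal IKEv1 remote-access VPN for the Cisco VPN Client on ASA 8.0(3) that covers what Ryan lists: an Xauth backend, the tunnel-group that calls it, a default group policy with split tunnelling, a client pool and the pre-8.3 NAT exemption. It reuses the names Ryan mentions (tunnel-group Kir-VPN, group-policy Kiran-CUCM-VPN) and the inside network from the posted config; the domain controller address and DN, the bind account, the client pool and the pre-shared key are assumptions.

```cisco
! Added example for ASA 8.0(3), not Kiran's running config. Assumed: an AD
! domain controller at 192.168.0.10 (dc=example,dc=local), a bind account
! svc-asa, a client pool 192.168.100.0/24 and placeholder secrets.
!
! Xauth backend: query AD directly over LDAP.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 192.168.0.10
 ldap-base-dn dc=example,dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=svc-asa,cn=Users,dc=example,dc=local
 ldap-login-password BIND-PASSWORD-HERE
 server-type microsoft
!
! Addresses handed to clients, kept off the LAN subnet.
ip local pool VPN-POOL 192.168.100.1-192.168.100.50 mask 255.255.255.0
!
! Split tunnel: only the LAN goes through the tunnel; Internet stays local.
access-list SPLIT-TUNNEL standard permit 192.168.0.0 255.255.255.0
!
! NAT exemption for LAN <-> VPN pool traffic (pre-8.3 syntax).
access-list NO-NAT extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NO-NAT
!
! IKE phase 1 / phase 2 for the Cisco VPN Client (IKEv1).
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN-MAP 10 set transform-set ESP-AES256-SHA
crypto dynamic-map DYN-MAP 10 set reverse-route
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside
!
! Per-group settings: split tunnelling, DNS, address pool.
group-policy Kiran-CUCM-VPN internal
group-policy Kiran-CUCM-VPN attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 dns-server value 192.168.0.10
 address-pools value VPN-POOL
!
! The group the VPN Client connects to: the tunnel-group name is the group
! name typed into the client and the pre-shared key is the group password.
tunnel-group Kir-VPN type remote-access
tunnel-group Kir-VPN general-attributes
 authentication-server-group AD-LDAP
 default-group-policy Kiran-CUCM-VPN
tunnel-group Kir-VPN ipsec-attributes
 pre-shared-key PSK-HERE
```

If the client still drops to Not Connected, `debug crypto isakmp 2` (Ryan's 'debug cry isa 2') shows whether phase 1 fails on the group name / PSK or on Xauth, and `test aaa-server authentication AD-LDAP username <user> password <pw>` checks the LDAP bind on its own. Interface ACLs are bypassed for decrypted VPN traffic as long as `sysopt connection permit-vpn` is still at its default, which `show running-config all sysopt` confirms.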
Re: [c-nsp] MTU wierdness
Michael, Check: http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst6500/ios/12 .2SX/configuration/guide/intrface.html#wp104 http://www.cisco.com/en/US/partner/docs/ios/interface/command/reference/ ir_l2.html#wp1030775 http://www.cisco.com/en/US/partner/docs/ios/fundamentals/command/referen ce/cf_s3.html#wp1019645 I think it should be in there. I couldn't get to any of these, even taking into account the wrapped lines. It is likely that you have configured an SVI or a VLAN on the 6509 for 9216 already. If any VLAN that crosses the switchport is 9216, then you can't adjust the MTU of the port to a value below 9216. Do a 'show vlan' and also check all the SVIs for an MTU higher than 1504, then either reduce the MTU in those locations or, I think, you could also restrict the large VLAN from being sent on the trunk. Once you define the L2 MTU, packets on that VLAN can traverse any ports on that VLAN up to that MTU, but if you need to route them and retain the L2 MTU then the L3 SVI must have the same MTU. You can have the SVI different, say 1500, as long as you understand that the packets will be fragmented if larger than 1500, or dropped if the DF bit is set. If you have defined an SVI with a 9k+ MTU, that will force the L2 interfaces on that VLAN to be the same since they must carry packets of that size. I finally sorted this out: if I was setting the MTU on a routed interface, then I could set the MTU to anything up to 9216B (using the mtu interface command); however, if I was trying to set the MTU on a switchported interface, then the mtu command would only allow me to change the MTU to the value defined in the global system jumbomtu command - this is a feature, not a bug.
Thanks, Michael -- Michael Robson | Tel: +44 (0) 161 275 6113 Networks| Fax: +44 (0) 161 275 6120 Net North West | Email: michael.rob...@manchester.ac.uk
Re: [c-nsp] MTU wierdness
Michael Robson wrote: Michael, Check: http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst6500/ios/12 .2SX/configuration/guide/intrface.html#wp104 http://www.cisco.com/en/US/partner/docs/ios/interface/command/reference/ ir_l2.html#wp1030775 http://www.cisco.com/en/US/partner/docs/ios/fundamentals/command/referen ce/cf_s3.html#wp1019645 I think it should be in there. I couldn't get to any of these, even taking into account the wrapped lines. Replace /partner/ with /customer/
Re: [c-nsp] Humor: Cisco announces end of BGP
Hank Nussbacher wrote: I just got this product alert from Cisco: From: cisconotificationserv...@cisco.com To: h...@efes.iucc.ac.il Subject: Cisco Notification Alert -Alerts_Daily-07/28/2009 07:38 GMT Cisco Notification Service Alert: Cisco Notification Alert -Alerts_Daily-07/28/2009 07:38 GMT End-of-Sale and End-of-Life Announcements-Border Gateway Protocol (BGP)-07/27/2009 08:44 GMT-07/28/2009 07:35 GMT What exactly does Cisco have planned as a replacement? :-) -Hank Full tables in IS-IS of course!
Re: [c-nsp] Humor: Cisco announces end of BGP
EIGRP... Ducks and runs for cover Justin Shore wrote: Full tables in IS-IS of course!
[c-nsp] Cisco Security Advisory: Active Template Library (ATL) Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Active Template Library (ATL) Vulnerability

Advisory ID: cisco-sa-20090728-activex
http://www.cisco.com/warp/public/707/cisco-sa-20090728-activex.shtml
Revision 1.0
For Public Release 2009 July 28 1800 UTC (GMT)

Summary
=======
Certain Cisco products that use Microsoft Active Template Libraries (ATL) and headers may be vulnerable to remote code execution. In some instances, the vulnerability may be exploited against Microsoft Internet Explorer to perform kill bit bypass. In order to exploit this vulnerability, an attacker must convince a user to visit a malicious web site. Cisco will release free software updates for products that are affected by this vulnerability. Workarounds that mitigate this vulnerability are available. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090728-activex.shtml

Affected Products
=================
Vulnerable Products
The following products are affected by this vulnerability:
* Cisco Unity 4.x, 5.x, and 7.x

Products Confirmed Not Vulnerable
The following Cisco products are not known to be affected by this vulnerability:
* Cisco AnyConnect VPN Client
* Cisco Adaptive Security Device Manager (ASDM)
* Cisco Building Broadband Service Manager (BBSM)
* Cisco Catalyst Operating System (Catalyst OS)
* Cisco Computer Telephony Integration Object Server (CTI)
* Cisco IOS Software
* Cisco IP/TV
* Cisco Meetingplace
* Cisco Mobile Wireless Fault Mediator (MWFM)
* Cisco NAC Appliance (formerly Cisco Clean Access)
* Cisco Secure Access Control Server (ACS)
* Cisco Secure Desktop
* Cisco Security Agent
* Cisco Security Monitoring, Analysis and Response System (MARS)
* Cisco SSL VPN Client (SVC)
* Cisco Unified Contact Center Express (Unified CCX)
* Cisco Video Surveillance Media Server (VSMS)
* CiscoWorks LAN Management Solution (LMS)
* WebEx

Details
=======
Microsoft has identified vulnerabilities in the Active Template Library (ATL) headers that are shipped with the Software Development Kit (SDK) for Microsoft Windows systems and used in Cisco products. In general, this vulnerability, if exposed by an ActiveX control, could lead to remote code execution on a client's system. For complete details, please review the Microsoft Security Bulletin at: http://www.microsoft.com/technet/security/Bulletin/MS09-035.mspx
The following Bug IDs have been filed for Cisco Products affected by this vulnerability:
* CSCta71728 (registered customers only)

Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss

CSCta71728 - Vulnerability in the ActiveX headers used in Unity
CVSS Base Score - 9.3
  Access Vector - Network
  Access Complexity - Medium
  Authentication - None
  Confidentiality Impact - Complete
  Integrity Impact - Complete
  Availability Impact - Complete
CVSS Temporal Score - 8.4
  Exploitability - Proof-of-Concept
  Remediation Level - Unavailable
  Report Confidence - Confirmed

Impact
======
Successful exploitation of the vulnerability may result in remote code execution.

Software Versions and Fixes
===========================
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

Workarounds
===========
General information on ActiveX attacks and mitigation techniques can be found at the following link: http://www.cisco.com
[c-nsp] PBR + NAT route-map issue
Hi All, I'm kinda new to the list and hope someone can help me with an issue. I'm trying to do some PBR with NAT and am having an issue understanding how the route-maps apply in combination with the NAT process. I would like to send my phone-based VLAN traffic out of the T1 and the data traffic out of the DSL. If possible, I'd like them to fail over for each other (which makes the config even more confusing). I have the ability to route a few /30's to this router over the DSL or the T1. Any help with the NAT statements and route-maps would be greatly appreciated. Relevant config so far is posted. The 64.x.x.x and 208.x.x.x are my phone servers. Thanks for any help!!!

2651-XM 12.4(23)

ip dhcp excluded-address 172.16.0.1 172.16.0.99
ip dhcp excluded-address 192.168.1.1 192.168.1.100
ip dhcp excluded-address 192.168.1.113
!
ip dhcp pool PHONES
 network 172.16.0.0 255.255.255.0
 default-router 172.16.0.1
 dns-server 208.66.61.109 208.66.61.110
 option 150 ip 208.83.93.113
 lease 3
!
ip dhcp pool Computers
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 208.66.61.109 208.66.61.110
 lease 3
!
track 1 interface Dialer0 ip routing
 delay up 15
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.150
 description To Phones
 encapsulation dot1Q 150
 ip address 172.16.0.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.200
 description Computers
 encapsulation dot1Q 200
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 ip address 74.113.88.62 255.255.255.252
 ip nat outside
 priority-group 1
!
interface ATM0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/1.1 point-to-point
 pvc 1/100
  pppoe-client dial-pool-number 1
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Dialer0
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 encapsulation ppp
 ip route-cache flow
 ip tcp adjust-mss 1412
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname rubenst...@authcall.net
 ppp chap password 0
 ppp pap sent-username rubenst...@authcall.net password 0 x
!
ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
ip route 0.0.0.0 0.0.0.0 74.113.88.61 254
ip route 64.193.113.0 255.255.255.0 74.113.88.61 101
ip route 64.193.113.0 255.255.255.0 Dialer0 120
ip route 208.83.93.0 255.255.252.0 74.113.88.61 101
ip route 208.83.93.0 255.255.252.0 Dialer0 120
!
no ip http server
ip nat inside source list 10 interface Serial0/0 overload
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit 172.16.0.0 0.0.0.255
Re: [c-nsp] 7206VXRG2 performance question
I'll try to provide more details regarding the desired setup (opinions in favour of/against it are welcome). As I said, roughly half of the spokes will connect to hub1 while the other half will connect to hub2. As all servers are in hub1, spokes connecting to hub2 will reach the servers via a dedicated link between hub1 and hub2. Hub2 is also a DR site, so this link will also be used for replicating some of hub1's content there. Regarding connectivity, spokes will connect to the hubs via two providers (P1 and P2). The connections will use the provider's internal network, not the Internet. So, a spoke will have one tunnel (T1) to hub1 via P1, one tunnel (T2) to hub1 via P2, one tunnel (T3) to hub2 via P1 and one tunnel (T4) to hub2 via P2. Depending on which hub the spoke connects to, either T1 and T2 will be used (per-flow load balancing) or T3 and T4. Should a hub become unavailable, the spokes connected to it will fail over to the other one, so either hub must be able to handle all spokes simultaneously. Regarding bandwidth, I doubt it will exceed 10 Mbit/s per provider in the hubs. Spokes will probably have 128 kbps and 256 kbps per provider. I read a bit about VTIs and the most appropriate setup seems to be static VTIs on the spokes and dynamic VTIs on the hubs. However, there are some notes in the document [1] saying that routing with DVTIs is not supported and SVTI remote to DVTI interfaces are not supported (I don't know what this means). Spokes will indeed have static link speeds (values mentioned above are CIR). If I understand correctly the link you gave, I would need two NHRP groups (one for 128 kbps and the other for 256 kbps) which I will further divide as required. Besides that, we'll also need shaping to limit the outgoing physical interface to 10 Mbps (or whatever we'll get from the provider). The spokes would then be configured with the proper nhrp-group.

So, as I said in the original message, my main concern is whether or not the 7206 will be able to handle this, but, from the replies I got, I understand it shouldn't be a problem. Gabriel

[1] http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_ipsec_virt_tunnl.html#wp1110852

On Sun, Jul 26, 2009 at 6:17 AM, Rodney Dunn rod...@cisco.com wrote: For those low rates a 7206VXR with an NPE-G2 would be plenty. You should look at dynamic VTIs I think it is to get per-spoke QoS. You don't need an external box, especially if your link speeds at the spokes are static. There are different ways to do per-spoke QoS but it's a bit more complex with DMVPN. http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_per_tunnel_qos.html Rodney

Gabriel wrote: Hi all, the company I work for is involved in a WAN redesign process, so we got in touch with a few Cisco partners to help us. We're considering a dual-hub and spoke topology (about 100 spokes, more in the future) with both hubs active (half of the spokes will connect to one hub, the other half to the other). As I said, we contacted some Cisco partners (as we don't have the necessary expertise to do this on our own) and one of them recommended that, besides using the 7206 (with NPE-G2 and VSA) as the hub router, we should also get an SCE1010 box to handle the QoS. One of the aspects I'd like your feedback on is whether this SCE box is required or not (from the docs and design guides I read, it was only present in SP networks). I'll try to give more details (please let me know if they are relevant or not and what others I have missed):
- DMVPN (although one tunnel/branch was also suggested) over IPsec
- spokes connect to hubs via two providers (with per-flow load-balancing)
- hub bandwidth will probably not exceed 10 Mbit/provider
- spoke bandwidth will be 256 kbps/provider for roughly half of the spokes and 128 kbps/provider for the other half
- EIGRP as routing protocol
- no VoIP at the moment, but it could appear sometime in the future
Traffic is not latency-sensitive (as I said, no VoIP yet) and will be split into four QoS classes (in the future, others might appear). So, based on the above, can you comment on the capabilities of the 7206 alone to handle everything without issues? Thanks, Gabriel
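As an added example (not configuration from Gabriel's or Rodney's posts), this is what the per-spoke QoS that Rodney's link describes looks like on a DMVPN hub and one spoke, laid out the way Gabriel summarises it: the spoke announces an NHRP group at registration, the hub maps that group to a shaper sized for the spoke's CIR with the four traffic classes queued underneath it, and a second shaper on the hub's physical interface caps the 10 Mbit/s provider link. Addresses, interface names, DSCP values, the group names SPOKE-128K / SPOKE-256K and the IPsec profile DMVPN-PROF are assumptions; only the tunnel towards P1 is shown.

```cisco
! Added example, not configuration from the thread. Per-tunnel QoS for DMVPN
! (12.4(22)T or later). Assumed: Tunnel0 towards provider P1 sourced from
! GigabitEthernet0/1 on the hub, an existing IPsec profile DMVPN-PROF, DSCP
! marking already done at the LAN edge. Repeat for Tunnel1 towards P2.
!
! Queueing inside each per-spoke shaper: the four classes Gabriel mentions.
class-map match-any CLASS1
 match dscp af41
class-map match-any CLASS2
 match dscp af31
class-map match-any CLASS3
 match dscp af21
policy-map SPOKE-QUEUES
 class CLASS1
  bandwidth percent 40
 class CLASS2
  bandwidth percent 30
 class CLASS3
  bandwidth percent 20
 class class-default
  fair-queue
!
! One shaper per access speed. Shape slightly below the CIR so the provider's
! policer never has to drop traffic the hub has already queued in order.
policy-map SHAPE-128K
 class class-default
  shape average 120000
  service-policy SPOKE-QUEUES
policy-map SHAPE-256K
 class class-default
  shape average 240000
  service-policy SPOKE-QUEUES
!
! Hub tunnel: NHRP group -> shaper. Each registered spoke gets its own
! instance of the policy, which is the "per-spoke" part.
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp authentication DMVPN
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp map group SPOKE-128K service-policy output SHAPE-128K
 ip nhrp map group SPOKE-256K service-policy output SHAPE-256K
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
!
! Hub physical interface: the provider only sells 10 Mbit/s.
policy-map SHAPE-10M
 class class-default
  shape average 10000000
interface GigabitEthernet0/1
 service-policy output SHAPE-10M
!
! Spoke with a 128 kbps CIR: it only has to name its group.
interface Tunnel0
 ip address 10.0.0.11 255.255.255.0
 ip nhrp authentication DMVPN
 ip nhrp map 10.0.0.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ip nhrp nhs 10.0.0.1
 ip nhrp network-id 1
 ip nhrp group SPOKE-128K
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
```

On the hub, `show dmvpn detail` lists the NHRP group each spoke registered with, and `show policy-map multipoint Tunnel0` shows the per-spoke shaper instances and their drop counters, which is the quickest way to see a spoke whose CIR has been sized wrong. The group name is carried in the spoke's NHRP registration, so a spoke that claims the wrong group simply gets the wrong shaper; it is a bandwidth-management knob, not a security boundary, and the tunnel authentication and IPsec profile are what keep an unauthorised spoke out.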
Re: [c-nsp] Humor: Cisco announces end of BGP
Gentlemen, you forgot about IDRP (http://www.javvin.com/protocolIDRP.html). You can already transport IPv4 and IPv6 over CLNS, this is the next logical step :D -Original Message- From: Justin Shore [mailto:jus...@justinshore.com] Sent: Tuesday, July 28, 2009 6:57 PM To: Hank Nussbacher Cc: cisco-nsp@puck.nether.net Subject: Re: [c-nsp] Humor: Cisco announces end of BGP Full tables in IS-IS of course!
Re: [c-nsp] PBR + NAT route-map issue
Hi Max, You might want to combine PBR with object tracking (and add some NAT statements to this mix). To make a long story short, you can configure IP SLA and object tracking to monitor your gateway(s') availability and use a route-map with the verify-availability statement to select the preferred/available route. I've described it in my blog [1] a couple of months ago. Sorry, it's still in Portuguese only :( ... Well, since the configs have been written in a universal language (aka IOS commands) there should be no problem trying to figure out the Portuguese part (or use the Google translator to do the trick). :)

[1] http://blog.nexthop.com.br/2009/02/um-roteador-dois-provedores-e-alguma.html

Gustavo.

On Tue, Jul 28, 2009 at 4:13 PM, Max Pierson max.pier...@mycallis.com wrote:
Re: [c-nsp] 7206VXRG2 performance question
NPEG2 and VAM+ could do 60Mbps VPN throughput. NPEG2 and VSA could do 160Mbps VPN throughput. These are with 500 byte packets. If you need more throughput, might want to go with the ASR1002. Not that much more expensive than the 7206VXR NPEG2/VSA combo.

Regarding design, you should go with DMVPN/EIGRP. You could do direct spoke-spoke communication as well.

Regards,

- Luan Nguyen
Chesapeake NetCraftsmen, LLC.
http://www.netcraftsmen.net

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Gabriel
Sent: Tuesday, July 28, 2009 4:17 PM
To: rod...@cisco.com
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 7206VXRG2 performance question

I'll try to provide more details regarding the desired setup (opinions in favour/against it are welcomed).

As I said, roughly half of the spokes will connect to hub1 while the other half will connect to hub2. As all servers are in hub1, spokes connecting to hub2 will reach the servers via a dedicated link between hub1 and hub2. Hub2 is also a DR site, so this link will also be used for replicating some of hub1's content there.

Regarding connectivity, spokes will connect to the hubs via two providers (P1 and P2). The connections will use the provider's internal network, not over the Internet. So, a spoke will have one tunnel (T1) to hub1 via P1, one tunnel (T2) to hub1 via P2, one tunnel (T3) to hub2 via P1 and one tunnel (T4) to hub2 via P2. Depending on which hub the spoke will connect to, either T1 and T2 will be used (per flow load balancing) or T3 and T4. Should a hub become unavailable, the spokes connected to it will failover to the other one, so either hub must be able to handle all spokes simultaneously.

Regarding bandwidth, I doubt it will exceed 10 mbit/s per provider in the hubs. Spokes will probably have 128kbps and 256kbps per provider.

I read a bit about VTIs and the most appropriate setup seems to be with static VTIs on the spokes and dynamic VTIs on the hubs. However, there are some notes in the document [1] saying that routing with DVTIs is not supported and SVTI remote to DVTI interfaces are not supported (I don't know what this means).

Spokes will indeed have static link speeds (values mentioned above are CIR). If I understand correctly the link you gave, I would need two nhrp groups (one for 128kbps and the other one for 256kbps) which I will further divide as required. Besides that, we'll also need shaping to limit the outgoing physical interface to 10 mbps (or whatever we'll get from the provider). The spokes would then be configured with the proper nhrp-group.

So, as I said in the original message, my main concern is whether or not the 7206 will be able to handle this, but, from the replies I got, I understand it shouldn't be a problem.

Gabriel

[1] http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_ipsec_virt_tunnl.html#wp1110852

On Sun, Jul 26, 2009 at 6:17 AM, Rodney Dunn <rod...@cisco.com> wrote:
> For those low rates a 7206VXR with a NPE-G2 would be plenty. You should look at dynamic VTI's I think it is to get per spoke QOS. You don't need an external box especially if your link speeds at the spokes are static. There are different ways to do per spoke QOS but it's a bit more complex with dmvpn.
>
> http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_per_tunnel_qos.html
>
> Rodney
>
> Gabriel wrote:
>> Hi all, the company I work for is involved in a WAN redesign process, so we got in touch with a few Cisco partners to help us. We're considering a dual-hub and spoke topology (about 100 spokes, more in the future) with both hubs active (half of the spokes will connect to one hub, the other half to the other). As I said, we contacted some Cisco partners (as we don't have the necessary expertise to do this on our own) and one of them recommended that, besides using the 7206 (with NPE-G2 and VSA) as the hub router, we should also get a SCE1010 box to handle the QoS.
>>
>> One of the aspects I'd like your feedback on is whether this SCE box is required or not (from the docs and design guides I read, it was only present in SP networks). I'll try to give more details (please let me know if they are relevant or not and what others have I missed):
>> - DMVPN (although one tunnel/branch was also suggested) over IPSec
>> - spokes connect to hubs via two providers (with per-flow load-balancing)
>> - hub bandwidth will probably not exceed 10 mbit/provider
>> - spoke bandwidth will be 256kbps/provider for roughly half of the spokes and 128kbps/provider for the other half
>> - EIGRP as routing protocol
>> - no VoIP at the moment, but it could appear sometime in the future
>>
>> Traffic is not latency-sensitive (as I said, no VoIP yet) and will be split into four QoS classes (in the future, others might appear).
>>
>> So, based on the above, can you comment on the capabilities of the
Re: [c-nsp] Humor: Cisco announces end of BGP
According to a Pannaway SE who visited us a few years ago, he'd seen SPs many times our size who used static routes for everything. He said we weren't big enough to need a routing protocol. Of course he also said that our pipes weren't saturated so we didn't need QoS and that IPv6 was just a fad and would never be adopted in the US. *sigh*

Ivan Pepelnjak wrote:
> Gentlemen, you forgot about IDRP (http://www.javvin.com/protocolIDRP.html). You can already transport IPv4 and IPv6 over CLNS, this is the next logical step :D
Re: [c-nsp] Humor: Cisco announces end of BGP
Justin Shore wrote:
> According to a Pannaway SE who visited us a few years ago, he'd seen SPs many times our size who used static routes for everything.

We could encapsulate it all in IPX, and yank those Netware servers out of surplus to handle the routing. Bring back RIPs and SAPs... Or we could encode the AS numbers into Appletalk cable-ranges. Yeah, that's the ticket...

Jeff :-)
Re: [c-nsp] Humor: Cisco announces end of BGP
You are forgetting NLSP (Novell Link State Protocol), designed to eliminate RIP/SAP adverts. But IPX had a lot of advantages: large address space, local network autoconfiguration, anti-spoofing, service autolocation.

Jeff Kell wrote:
> Justin Shore wrote:
>> According to a Pannaway SE who visited us a few years ago, he'd seen SPs many times our size who used static routes for everything.
>
> We could encapsulate it all in IPX, and yank those Netware servers out of surplus to handle the routing. Bring back RIPs and SAPs... Or we could encode the AS numbers into Appletalk cable-ranges. Yeah, that's the ticket...
>
> Jeff :-)
Re: [c-nsp] Freezing counters at 6500
Grzegorz Janoszka wrote:
> We have several 6500's, some of them heavily loaded. We use snmp to graph traffic on all interfaces - just the simplest solution. For some time we have had an issue with the interface counters. When the box CPU is really loaded (usually synchronization of BGP sessions), the counters just freeze. The important thing is that only the display freezes; the counters are still counting. Both snmp and 'show interface' data are frozen and do not update for a varying time - from 30 seconds to 3-4 minutes. As a result we have spikes on graphs - there is always a spike down, when snmp gives frozen data from the past, and after that a spike up, when the counters unlock and start displaying correct data.

Just forgot to add - we have this issue with SXF14, 15, 16 and SXI1.

--
Grzegorz Janoszka
[c-nsp] Freezing counters at 6500
Hi,

We have several 6500's, some of them heavily loaded. We use snmp to graph traffic on all interfaces - just the simplest solution. For some time we have had an issue with the interface counters. When the box CPU is really loaded (usually synchronization of BGP sessions), the counters just freeze. The important thing is that only the display freezes; the counters are still counting. Both snmp and 'show interface' data are frozen and do not update for a varying time - from 30 seconds to 3-4 minutes. As a result we have spikes on graphs - there is always a spike down, when snmp gives frozen data from the past, and after that a spike up, when the counters unlock and start displaying correct data.

Have you had similar problems? It is not a big issue, only the graphs don't look so nice with the rows of spikes down/up. If there is a simple solution to the problem we would like to know it.

Kind regards,

--
Grzegorz Janoszka
Re: [c-nsp] VPN clients on Cisco ASA
Hello Kiran,

1) You are using upper-case and lower-case o in your crypto map - can't do that. Relevant changes (within parentheses) below:

crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
crypto dynamic-map O(o)utside_dyn_map 10 set reverse-route
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map O(o)utside_map 10 ipsec-isakmp dynamic O(o)utside_dyn_map
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside

2) Keyword any in split-tunnel acl effectively disables split-tunneling. Instead, specify subnets for which traffic needs to be encrypted.

3) crypto isakmp policy 1
    authentication pre-share
    encryption 3des
    hash sha
    group 2 (make sure the vpn client supports D-H group 2)
    lifetime 43200

4) Make sure isakmp identity is not 'hostname'; use 'address' instead. Also disable DPD (no isakmp keepalive). NAT-T should be enabled. If you are using udp/tcp wrappers, ensure udp/tcp ports match on both ends.

5) The outside acl is wide-open (with permit ip any any). Recommend locking it down. For vpn, allow tcp 50 and udp 500 to the outside int from any unless sysopt conn ipsec permit is enabled.

6) Probably would be a good idea to replace IPs with x.x.x.x when posting configs on a public site.

regards,
./Randy

--- On Tue, 7/28/09, Oddiraju, Kiran @ London SMC <kiran.oddir...@cbre.com> wrote:

> From: Oddiraju, Kiran @ London SMC <kiran.oddir...@cbre.com>
> Subject: Re: [c-nsp] VPN clients on Cisco ASA
> To: Ryan West <rw...@zyedge.com>
> Cc: cisco-nsp@puck.nether.net
> Date: Tuesday, July 28, 2009, 7:01 AM
>
> Hi Guys,
>
> Appreciate your help on this. Have tried the VPN Wizard and the CLI config from the below link but still no luck. The Cisco VPN client tries to connect and after a few seconds shows Not Connected. I think it is an ACL issue but I am not 100% sure. I have attached the running config, could someone please take a look?
>
> Many thanks,
> Kiran
>
> -----Original Message-----
> From: Ryan West [mailto:rw...@zyedge.com]
> Sent: 27 July 2009 13:57
> To: Oddiraju, Kiran @ London SMC; cisco-nsp@puck.nether.net
> Subject: RE: VPN clients on Cisco ASA
>
> Hello again Kiran,
>
> I think you should take a quick read through the following link. You can use the ASDM Remote Access VPN wizard to configure most of the settings and if you're interested in doing it via CLI, that's also an option.
>
> http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml
>
> In particular, the options you have asked are all covered in the doc except for split-tunneling, at least the associated output in CLI. You'll want to configure that inside the group policy you create from the link above. Here is an example:
>
> group-policy mygrouppolicyname attributes
>  split-tunnel-policy tunnelspecified
>  split-tunnel-network-list value ACL Here
>
> Let me know how it works out for you.
>
> -ryan
>
> -----Original Message-----
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Oddiraju, Kiran @ London SMC
> Sent: Monday, July 27, 2009 8:33 AM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] VPN clients on Cisco ASA
>
> Hi List,
>
> Cisco ASA 5505
> Cisco VPN Client 5.0
> ASA External IP: 80.90.100.117 /29
> Internal range: 192.168.0.0 /24
>
> I am new to Cisco ASA world and have been struggling to configure my 5505 to accept VPN connections from external hosts. I want to allocate IP address dynamically, allow access to certain subnets and allow internet access thru their local connection. Can someone please post me a sample ASA config?
>
> Thanks guys
>
> Regards,
> Kiran
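A small config check for three of the problems Randy lists (points 1, 2 and 5), added here as an example and not code from the thread or from Cisco. The config it parses is constructed for the example and is not Kiran's attached running config; the ACL and map names in it are made up.

```python
"""
Checks for three of the problems Randy lists for the ASA remote-access VPN
config: a dynamic-map / crypto map name spelled with inconsistent case
(names are case-sensitive, so the entries never join up), a split-tunnel ACL
that permits 'any' (which tunnels everything), and a 'permit ip any any' ACL
bound to the outside interface.  Constructed example; the config below is
made up and is not the poster's attached running config.
"""
from typing import Dict, List, Set, Tuple

SAMPLE_CONFIG = """\
access-list outside_access_in extended permit ip any any
access-list split_tunnel standard permit any
access-group outside_access_in in interface outside
group-policy remote_users internal
group-policy remote_users attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 10 set reverse-route
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto map Outside_map 10 ipsec-isakmp dynamic Outside_dyn_map
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
"""


def parse_config(config: str) -> dict:
    """Pull out the handful of statements the checks below need."""
    dyn_defs: Set[str] = set()                # crypto dynamic-map names
    map_names: Set[str] = set()               # crypto map names
    dyn_refs: List[Tuple[str, str]] = []      # (crypto map, dynamic-map it binds)
    acls: Dict[str, List[List[str]]] = {}     # ACL name -> tokenised entries
    bound: Dict[str, str] = {}                # interface -> ACL applied inbound
    split_acls: List[str] = []                # ACLs used as split-tunnel lists
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:2] == ["crypto", "dynamic-map"]:
            dyn_defs.add(t[2])
        elif t[:2] == ["crypto", "map"]:
            map_names.add(t[2])
            if "dynamic" in t:
                dyn_refs.append((t[2], t[t.index("dynamic") + 1]))
        elif t[0] == "access-list":
            acls.setdefault(t[1], []).append(t)
        elif t[0] == "access-group" and t[2] == "in":
            bound[t[4]] = t[1]        # access-group NAME in interface IFNAME
        elif t[:2] == ["split-tunnel-network-list", "value"]:
            split_acls.append(t[2])
    return dict(dyn_defs=dyn_defs, map_names=map_names, dyn_refs=dyn_refs,
                acls=acls, bound=bound, split_acls=split_acls)


def case_collisions(names: Set[str]) -> List[List[str]]:
    """Groups of distinct names that are equal ignoring case."""
    groups: Dict[str, Set[str]] = {}
    for n in names:
        groups.setdefault(n.lower(), set()).add(n)
    return [sorted(g) for g in groups.values() if len(g) > 1]


def lint_vpn_config(config: str) -> List[str]:
    cfg = parse_config(config)
    findings: List[str] = []
    for group in case_collisions(cfg["dyn_defs"]):
        findings.append("dynamic-map name differs only by case: " + ", ".join(group))
    for group in case_collisions(cfg["map_names"]):
        findings.append("crypto map name differs only by case: " + ", ".join(group))
    for cmap, dyn in cfg["dyn_refs"]:
        if dyn not in cfg["dyn_defs"]:
            findings.append(f"crypto map {cmap} binds undefined dynamic-map {dyn}")
    for acl in cfg["split_acls"]:
        for entry in cfg["acls"].get(acl, []):
            if "permit" in entry and "any" in entry[entry.index("permit") + 1:]:
                findings.append(f"split-tunnel ACL {acl} permits any: everything is tunnelled")
                break
    outside_acl = cfg["bound"].get("outside")
    for entry in cfg["acls"].get(outside_acl, []):
        if entry[-4:] == ["permit", "ip", "any", "any"]:
            findings.append(f"outside ACL {outside_acl} is wide open (permit ip any any)")
            break
    return findings


if __name__ == "__main__":
    for f in lint_vpn_config(SAMPLE_CONFIG):
        print("-", f)
```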
Re: [c-nsp] Freezing counters at 6500
Depending on what software you're using to monitor with, you might look into whether it supports filtering values retrieved via SNMP to within a sane range that you configure? E.g. on an E1 interface the maximum should only ever be 2048Kbps so it is ok to discard anything with a value greater than that as being a wrong value. To be safe usually we would configure it a little above the theoretical maximum, so maybe 2500Kbps in this example.

The solution you are looking for is on the SNMP software side, not the router.

regards,
Tony

--- On Wed, 29/7/09, Grzegorz Janoszka <grzeg...@janoszka.pl> wrote:

> From: Grzegorz Janoszka <grzeg...@janoszka.pl>
> Subject: [c-nsp] Freezing counters at 6500
> To: cisco-nsp@puck.nether.net
> Date: Wednesday, 29 July, 2009, 7:14 AM
>
> Hi,
>
> We have several 6500's, some of them heavily loaded. We use snmp to graph traffic on all interfaces - just the simplest solution. For some time we have had an issue with the interface counters. When the box CPU is really loaded (usually synchronization of BGP sessions), the counters just freeze. The important thing is that only the display freezes; the counters are still counting. Both snmp and 'show interface' data are frozen and do not update for a varying time - from 30 seconds to 3-4 minutes. As a result we have spikes on graphs - there is always a spike down, when snmp gives frozen data from the past, and after that a spike up, when the counters unlock and start displaying correct data.
>
> Have you had similar problems? It is not a big issue, only the graphs don't look so nice with the rows of spikes down/up. If there is a simple solution to the problem we would like to know it.
>
> Kind regards,
>
> --
> Grzegorz Janoszka
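A monitoring-side filter of the kind Tony describes, added as an example that is not code from the thread or from any monitoring product. It applies his range check and additionally repairs the frozen window itself, since a catch-up reading that stays under line rate would slip past the range check alone; the poll log, interface speed and margin are constructed for the example.

```python
"""
Monitoring-side filter for SNMP interface counters that intermittently
freeze, as in the "Freezing counters at 6500" thread.  Constructed example,
not code from the thread.

Two defences are combined:
  1. The range check Tony describes: a rate above the interface's physical
     maximum (plus a safety margin) cannot be real and is withheld.
  2. Freeze repair: a frozen counter returns the same value for several
     polls and then jumps.  The jump is real traffic that accumulated over
     the whole frozen window, so it is averaged back over that window
     instead of being drawn as a spike down followed by a spike up.  The
     range check alone misses this when the jump is still under line rate.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

COUNTER64_MAX = 2 ** 64 - 1  # ifHCInOctets / ifHCOutOctets are Counter64


@dataclass
class Sample:
    ts: float    # poll time in seconds
    octets: int  # raw counter value returned by the agent


def counter_delta(prev: int, cur: int, max_value: int = COUNTER64_MAX) -> int:
    """Octets counted between two readings, allowing for one counter wrap."""
    if cur >= prev:
        return cur - prev
    return (max_value - prev) + cur + 1


def rate_series(samples: List[Sample], if_speed_bps: float,
                margin: float = 1.2) -> List[Tuple[float, Optional[float], str]]:
    """
    Turn raw counter samples into (ts, bits_per_second, status) points.
      'ok'        normal per-poll rate
      'repaired'  point inside or ending a frozen window; the rate is the
                  average over the whole window
      'dropped'   rate above if_speed_bps * margin even after averaging,
                  so the point is withheld (rate is None)
      'idle'      counter still unchanged at the end of the series
    """
    max_rate = if_speed_bps * margin
    out: List[Tuple[float, Optional[float], str]] = []
    anchor: Optional[Sample] = None   # last sample whose value actually moved
    pending: List[Sample] = []        # samples that repeated the anchor value
    for s in samples:
        if anchor is None:
            anchor = s
            continue
        if s.octets == anchor.octets:
            # Cannot yet tell "idle link" from "frozen display": hold it.
            pending.append(s)
            continue
        rate = counter_delta(anchor.octets, s.octets) * 8 / (s.ts - anchor.ts)
        if rate > max_rate:
            out.extend((p.ts, 0.0, "idle") for p in pending)
            out.append((s.ts, None, "dropped"))
        else:
            status = "repaired" if pending else "ok"
            out.extend((p.ts, rate, status) for p in pending)
            out.append((s.ts, rate, status))
        anchor, pending = s, []
    out.extend((p.ts, 0.0, "idle") for p in pending)
    return out


# Constructed poll log for a gigabit port polled every 60 s: 100 Mbit/s of
# steady traffic, a display freeze at t=120 and t=180, and a bogus reading
# at t=300 that no gigabit link could produce.
SAMPLES = [
    Sample(0, 1_000_000_000),
    Sample(60, 1_750_000_000),     # +750 MB in 60 s = 100 Mbit/s
    Sample(120, 1_750_000_000),    # display frozen
    Sample(180, 1_750_000_000),    # display frozen
    Sample(240, 4_000_000_000),    # +2.25 GB since t=60: 300 Mbit/s if read
                                   # per poll, 100 Mbit/s over the window
    Sample(300, 24_000_000_000),   # +20 GB in 60 s = 2.67 Gbit/s, impossible
    Sample(360, 24_750_000_000),   # back to 100 Mbit/s
]

if __name__ == "__main__":
    for ts, rate, status in rate_series(SAMPLES, if_speed_bps=1e9):
        shown = "withheld" if rate is None else f"{rate / 1e6:.1f} Mbit/s"
        print(f"t={ts:>4.0f}s  {shown:>14}  {status}")
```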
[c-nsp] VSS question...
Excuse the naive question, just starting to look at VSS and trying to tune to the concept...

For those of you that have dived into VSS... are you still doing redundant supervisors per chassis? Or just duplicating links on each chassis and crossing your fingers?

I've done the 3750 stacks and perhaps locked my thinking into designing with a complete chassis failure being tolerable in the end design. Does this scale up to VSS, or just a matter of how many ports can you afford to drop?

Jeff
[c-nsp] Monitoring VPN User on ASA
I want to monitor VPN users on my ASA by SNMP. It can trap the VPN group but it cannot trap the username (no such object available). I use OID 1.3.6.1.4.1.9.9.392.1.3.21.1.1, can you help me solve this problem?
Re: [c-nsp] VSS question...
Multiple sups per chassis are not supported. From access to core, since VSS looks like one chassis, you would do 1 uplink to each physical 6500.

Cisco's data sheet:
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps9336/product_data_sheet0900aecd806ed759.html

Want to get into the weeds a little? How about some tasty config guide?
http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/vss.html

tv

----- Original Message -----
From: Jeff Kell <jeff-k...@utc.edu>
To: 'NSP List' <cisco-nsp@puck.nether.net>
Sent: Tuesday, July 28, 2009 9:06 PM
Subject: [c-nsp] VSS question...

> Excuse the naive question, just starting to look at VSS and trying to tune to the concept...
>
> For those of you that have dived into VSS... are you still doing redundant supervisors per chassis? Or just duplicating links on each chassis and crossing your fingers?
>
> I've done the 3750 stacks and perhaps locked my thinking into designing with a complete chassis failure being tolerable in the end design. Does this scale up to VSS, or just a matter of how many ports can you afford to drop?
>
> Jeff
Re: [c-nsp] VSS question...
Last I had heard, the IOS code can only understand 2 supervisors total. Meaning you have an active and a standby, and that's it. So you have 1 supervisor in each chassis total. There is no current concept of an active, and multiple 'hot' standby supervisors. That (among other things) made us decide not to do VSS, although having portchannels span multiple 6500's was an attractive feature.

And keep in mind that for VSS, you're looking at the Sup720-10G supervisors, and the WS-X6708 cards for the links between VSS pairs (sure, you can get away with just the links on the supervisors, but you have a huge single point of failure).

Ken Matlock <matlo...@exempla.org>
Network Analyst
Exempla Healthcare
(303) 467-4671

From: cisco-nsp-boun...@puck.nether.net on behalf of Jeff Kell
Sent: Tue 7/28/2009 8:06 PM
To: 'NSP List'
Subject: [c-nsp] VSS question...

> Excuse the naive question, just starting to look at VSS and trying to tune to the concept...
>
> For those of you that have dived into VSS... are you still doing redundant supervisors per chassis? Or just duplicating links on each chassis and crossing your fingers?
>
> I've done the 3750 stacks and perhaps locked my thinking into designing with a complete chassis failure being tolerable in the end design. Does this scale up to VSS, or just a matter of how many ports can you afford to drop?
>
> Jeff
Re: [c-nsp] VSS question...
Hi there,

We are about to roll out VSS at our distro layer. Currently with SXI1, you can't have redundant sups. Our assigned Cisco arch guy said that maybe later this year or early next year you will be able to have redundant sups in a VSS member chassis.

On 7/28/09 9:06 PM, Jeff Kell <jeff-k...@utc.edu> wrote:
> Excuse the naive question, just starting to look at VSS and trying to tune to the concept...
>
> For those of you that have dived into VSS... are you still doing redundant supervisors per chassis? Or just duplicating links on each chassis and crossing your fingers?
>
> I've done the 3750 stacks and perhaps locked my thinking into designing with a complete chassis failure being tolerable in the end design. Does this scale up to VSS, or just a matter of how many ports can you afford to drop?
>
> Jeff