Re: [c-nsp] ASA5505, Restricted VLAN VPN
Dave,

Have you checked out the logs? I think you should see your answer there. Even if the tunnel came up properly, the ASA would still detect that it's coming from the DMZ VLAN and drop the connections. The only option is connections from the inside or outside VLANs into the DMZ VLAN.

http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5505/quick/guide/vlans.html#wp1101628

-ryan

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Dave Brockman
Sent: Tuesday, September 15, 2009 5:27 PM
To: Cisco Mailing list
Subject: [c-nsp] ASA5505, Restricted VLAN VPN

I have a client with an ASA5505, base license, currently utilizing the restricted VLAN to provide access to the internet only, across the outside interface. Is it possible to make a VPN connection from the restricted VLAN via (I assume) the outside interface, and gain connectivity to the inside interface across said VPN? I've been able to do similar things with IOS routers in the past, I just can't nail down from the documentation if this would be allowed on an ASA utilizing the included restricted VLAN.

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] ifType of 877W ATM and ADSL interfaces
Hello

I have an 877W with IOS 12.4(22)T1 here, and I am writing some code to interpret ATM and ADSL stats from the router.

IF-MIB::ifTable shows ATM0 as being of type adsl(94), ATM0-atm layer as being of type atm(37) and ATM0-adsl as being of type adsl(94).

ATM-MIB::atmVclTable has entries for ATM0, even though this is an 'adsl' interface. This seems wrong - should the entries not be indexed for the 'atm(37)' interface?

Also, if there are two interfaces with type 'adsl(94)', why is it that the second - ATM0-adsl - only has entries in the ADSL-LINE-MIB? ISTM the ifTypes are set incorrectly, and maybe ATM0 should have an ifType to more accurately reflect what it is.

I am thoroughly confused - is this a bug in the SNMP agent?

Regards,
Peter
[c-nsp] 2950 issues - Link comes UP only after reboot - Wimax
Observing a strange problem in WS-C2950G-24-EI switches. The link goes down and does not come up. The link comes up only when the switch is rebooted manually.

Changing the patch cord and changing the GBIC module does not help. UDLD messages are observed, but after the reboot the switch becomes OK.

Thanks,
Biddu.
Re: [c-nsp] Cat 4948 NAT support
Hi,

On Mon, Sep 14, 2009 at 02:02:05PM -0500, Doug McIntyre wrote:
> So, don't go searching for switches that support NAT, the Cat6500 is it.

But there are caveats - not all IP protocols are supported in the hardware path. I seem to remember postings on this list that had somewhat unusual traffic (GRE tunnels?) going through a 6500, and that was all done in software.

> Cisco leaves NAT to firewalls and routers, not switches.

Just don't do NAT in the first place.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
Re: [c-nsp] instabilities with SXI2?
> -----Original Message-----
> From: Jared Mauch [mailto:ja...@puck.nether.net]
> Sent: Tuesday, September 15, 2009 12:27 AM
>
> I have a long laundry list of bugs in SXI2, including one that I've not quite yet isolated when you have several levels of recursion on routes causing it to take quite some time to finally settle down after a network event. We don't see the same problem in pre-cef/mfi code (ie: SXF) but do see poor convergence properties in SXH/SXI.

To add to the list. The customer is SXI2a modular already. We had pretty long responses to sh run two days ago. Turned out to be the SP at 100% indefinitely. No log events that'd suggest a reason, no excessive amounts of traffic. No idea so far, working with TAC.

--
deejay
Re: [c-nsp] Cisco Security Advisory: TCP State Manipulation Denial of Service Vulnerabilities in Multiple Cisco Products
Hi,

On Mon, Sep 14, 2009 at 10:47:17AM -0400, Jared Mauch wrote:
> On Sep 14, 2009, at 10:36 AM, Gert Doering wrote:
>> On Mon, Sep 14, 2009 at 09:52:36AM -0400, Jared Mauch wrote:
>>> While you're at it, ask for protected memory in the software. It's not like ram/flash are expensive these days...
>>
>> Does modular have that? Or not yet?
>>
>> (I want to see modular on *all* IOS based platforms, and not as a somewhat-neglected step child on one specific niche platform that is actually fighting with another BU for line card support... or if that is not feasible, completely abandon IOS and provide XE or NX-OS on *all* platforms)
>
> The modular that showed up on 65xx was because 65xx saw value in it. No other platform sees the same value, meaning no protected memory for you.

Between your lines, I read modular *has* protected memory, which is a good thing - we bought $lots of 6506's last year specifically because we wanted to run modular on it (and did not get RSP720s + 7600s).

> It's sad when you see all the effort that went into the modular over the years being thrown away/ignored then keep having devices crash with more catastrophic outcomes and no usable debugging information.

Yes. Stupid company, this one.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
Re: [c-nsp] Cisco Security Advisory: TCP State Manipulation Denial of Service Vulnerabilities in Multiple Cisco Products
Hi,

On Mon, Sep 14, 2009 at 05:30:11PM +0100, Alan Buxey wrote:
>> that is not feasible, completely abandon IOS and provide XE or NX-OS on *all* platforms)
>
> NX-OS on all platforms? no thanks - some of us want functionality ;-)

The problem with the multitude of different operating systems in that company is that their development efforts are so horribly fragmented.

Just imagine how much functionality NX-OS could get if they would stop wasting effort on 17 different software trains for classic IOS and instead focus on getting NX-OS on all hardware platforms, and getting feature parity for it.

Yes, I'm now going to wake up, it's grey and foggy outside and I have to go to work...

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
[c-nsp] 2801 as console server
I've been looking through the Cisco doc but didn't find what I was looking for, therefore this question:

I transformed a 2801 router which we used as a dialin server to a console server. The config seems to work, I can do a telnet xxx 2018 to get access to serial port 0/1/1, also ssh -l user:portnumber works. But I still have 2 problems:

- The escape character doesn't work when using ssh, also e.g. defining CTRL-Z as disconnect character doesn't work. The only way to stop the connection is by killing it at the ssh client side. Is there another way to stop the ssh connection, just like the telnet escape character?

- Is there a way to access the async line from within the router itself? So just a telnet/ssh to the router and then something like 'connect line XXX'? The connect command on the router seems an equivalent of telnet for outgoing tcp sessions and I don't see another command that could do this.

I'm running c2801-ipbasek9-mz.124-25a on the router.

Thanks,
Wim Holemans
Netwerkdienst Universiteit Antwerpen
Re: [c-nsp] 2801 as console server
Hi Wim,

On Wed, 16 Sep 2009, Holemans Wim wrote:
> -Is there a way to access the async line from within the router itself ? So just a telnet/ssh to the router and then something like 'connect line XXX' ? The connect command on the router seems an equivalent of telnet for outgoing tcp sessions and I don't see another command that could do this.

I've done this in the past by connecting to an IP address on the router - the one assigned to the ethernet interface for example.

We use a 2511 as a console server for last resort access to devices. In the worst case scenario if the ethernet interface is down we access it via the console port. If that's the case then the ethernet IP address won't be reachable. I've assigned a loopback IP address (192.168.0.0/32 I think) and use that instead (router telnet 192.168.0.0 2001)

Hope this helps.

-Ronan
Re: [c-nsp] 2801 as console server
>> -Is there a way to access the async line from within the router itself ? So just a telnet/ssh to the router and then something like 'connect line XXX' ? The connect command on the router seems an equivalent of telnet for outgoing tcp sessions and I don't see another command that could do this.
>
> I've done this in the past by connecting to an IP address on the router - the one assigned to the ethernet interface for example.
>
> We use a 2511 as a console server for last resort access to devices. In the worst case scenario if the ethernet interface is down we access it via the console port. If that's the case then the ethernet IP address won't be reachable. I've assigned a loopback IP address (192.168.0.0/32 I think) and use that instead (router telnet 192.168.0.0 2001)

If you create aliases on the router you can then just use the router name, for example

    ip host accessjn2 2002 192.168.7.4
    ip host accessjn3 2003 192.168.7.4
    ip host accessjn6 2006 192.168.7.4

Then just

    telnet accessjn2

Brian
[c-nsp] Inter-AS M-VPNs
I am running with
[c-nsp] (no subject)
I am running with a project at the moment with regards to getting Inter-AS mvpns working. ALL hardware is Cisco.

If I read all the material correctly, and I would like some clarification, I cannot use non MDT SAFI capable routers as Route-Reflectors, as type 2 RDs are non-transitive. The challenge I have is that nearly all my PEs are non MDT SAFI capable, although I can implement MDT SAFI capable Route-Reflectors.

So with that prospect, does anyone see me having a problem implementing MDT SAFI capable RRs with non MDT SAFI capable PEs and using Cisco's MVPN Inter-AS Support Option C?

Thanks in advance
Mat
[c-nsp] Help with unique BGP setup
We're trying to do a custom bgp setup for one of our customers but I'm not sure if it's even possible with IOS.

Our network has its primary upstream connection in a different city from where this customer will connect. However each city has its own local internet connection as well for backup purposes. The market that this bgp customer is to be turned up on uses the local isp connection as its primary due to capacity issues on the intercity going back to the core city.

This customer's requirements for bandwidth can be met if they use the local connection only but should the connection go down, they would most likely saturate the intercity connection and impact everyone else. What has been proposed is that they will use the local connection to get internet access and should this access go down, they want the bgp session to be dropped or something equivalent that will make sure they don't go over the intercity.

To my knowledge I know of no configuration that can drop a bgp session based on some next hop attribute. Is there some way to control this customer's traffic as stated above? Any examples you guys can offer?

Thanks.

Jose
Re: [c-nsp] Help with unique BGP setup
Lobo wrote:
> We're trying to do a custom bgp setup for one of our customers but I'm not sure if it's even possible with IOS.
>
> Our network has its primary upstream connection in a different city from where this customer will connect. However each city has its own local internet connection as well for backup purposes. The market that this bgp customer is to be turned up on uses the local isp connection as its primary due to capacity issues on the intercity going back to the core city.
>
> This customer's requirements for bandwidth can be met if they use the local connection only but should the connection go down, they would most likely saturate the intercity connection and impact everyone else. What has been proposed is that they will use the local connection to get internet access and should this access go down, they want the bgp session to be dropped or something equivalent that will make sure they don't go over the intercity.
>
> To my knowledge I know of no configuration that can drop a bgp session based on some next hop attribute. Is there some way to control this customer's traffic as stated above? Any examples you guys can offer?
>
> Thanks.
>
> Jose

Can you only advertise their prefixes out of the local upstream?
Re: [c-nsp] Help with unique BGP setup
Lobo wrote:
> This customer's requirements for bandwidth can be met if they use the local connection only but should the connection go down, they would most likely saturate the intercity connection and impact everyone else. What has been proposed is that they will use the local connection to get internet access and should this access go down, they want the bgp session to be dropped or something equivalent that will make sure they don't go over the intercity.

We have the ability to do this in our network through the use of communities. We'd tag the customer's incoming routes with our-ASN:2XX02, and the trailing '2' would tell the local city to advertise it (by matching the XX POP code) and the remote cities to not advertise it (by not-matching the XX POP code). We'd selectively filter what routes we sent to the customer by limiting them to our-ASN:2 (any customer in any POP), our-ASN:3 (our routes in any POP), and our-ASN:4XX.. (upstream routes in this POP).

In this case, the session wouldn't go down, but the customer's routes wouldn't go to other markets (and therefore out the main upstream connection), and the customer would only receive external routes from the local connection(s).

We do this by sticking a coded community on EVERY route that goes into BGP at the point that the route enters our BGP mesh. We redistribute connected and static routes into BGP through a route-map, and apply an inbound route-map to all BGP neighbors, then send-community to the rest of our iBGP mesh.

The coded community is our-ASN:ABCDE, where

- A represents the type of route (customer, ours, upstream),
- BC represents the POP number (I sorted them alphabetically; any new POPs just go on the end of the list),
- D represents how strong/weak we want the traffic to come in (useful by customers who want to use us a little less or as pure backup), and
- E signals our georouting (MED) logic (0 means bring it in through any POP, 1 means steer it towards the nearest POPs, 2 means this POP only).

It's worked exceptionally well in a huge variety of scenarios, and I'm painfully having to extend it to our parent network now that we've been acquired.

pt
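Added example, not part of the thread and not the poster's own tooling: a Python decoder for the five-digit community scheme described in the message above, applied to the original question (what the customer receives when the local upstream disappears). The ASN 64500, the prefixes, the function names, and the rule that untagged or upstream-learned routes are never exported to an upstream are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

OUR_ASN = 64500  # assumption: documentation ASN standing in for "our-ASN"
ROUTE_TYPES = {"2": "customer", "3": "ours", "4": "upstream"}  # digit A, per the post
GEO_ANY, GEO_NEAREST, GEO_THIS_POP_ONLY = 0, 1, 2              # digit E, per the post


@dataclass(frozen=True)
class Coded:
    route_type: str  # A: customer / ours / upstream
    pop: int         # BC: POP where the route entered the BGP mesh
    strength: int    # D: how strongly inbound traffic is attracted
    geo: int         # E: georouting scope


def decode(community: str, our_asn: int = OUR_ASN) -> Optional[Coded]:
    """Decode 'ASN:ABCDE'; return None for anything that is not our coded form."""
    asn, sep, value = community.partition(":")
    if sep != ":" or asn != str(our_asn):
        return None
    if len(value) != 5 or not (value.isascii() and value.isdigit()):
        return None
    if value[0] not in ROUTE_TYPES:
        return None
    geo = int(value[4])
    if geo not in (GEO_ANY, GEO_NEAREST, GEO_THIS_POP_ONLY):
        return None
    return Coded(ROUTE_TYPES[value[0]], int(value[1:3]), int(value[3]), geo)


def advertise_upstream(community: str, upstream_pop: int) -> bool:
    """Should a route carrying this community be announced to an upstream in upstream_pop?"""
    c = decode(community)
    if c is None or c.route_type == "upstream":
        return False  # assumption: fail closed on untagged routes, no transit between upstreams
    if c.geo == GEO_THIS_POP_ONLY:
        return c.pop == upstream_pop  # trailing '2': only the POP that matches BC announces it
    return True  # E=0 or 1: announced everywhere (MED steering for E=1 is not modelled)


def send_to_customer(community: str, customer_pop: int) -> bool:
    """Customer-facing filter: customer and own routes from any POP, upstream routes from this POP only."""
    c = decode(community)
    if c is None:
        return False
    if c.route_type == "upstream":
        return c.pop == customer_pop
    return True


def customer_view(rib, customer_pop):
    """Prefixes a customer attached in customer_pop would receive."""
    return [prefix for prefix, comm in rib if send_to_customer(comm, customer_pop)]


def local_upstream_down(rib, pop):
    """RIB after the upstream session in `pop` is lost: its upstream-learned routes vanish."""
    kept = []
    for prefix, comm in rib:
        c = decode(comm)
        if c is not None and c.route_type == "upstream" and c.pop == pop:
            continue
        kept.append((prefix, comm))
    return kept


# Constructed sample routes (documentation prefixes), one coded community each.
RIB = [
    ("192.0.2.0/24",    "64500:21202"),  # customer prefix, entered at POP 12, this POP only
    ("198.51.100.0/24", "64500:30100"),  # our own route, originated in POP 01
    ("203.0.113.0/24",  "64500:41200"),  # learned from the local upstream in POP 12
    ("0.0.0.0/0",       "64500:40100"),  # default learned from the core-city upstream, POP 01
]

if __name__ == "__main__":
    print("upstream up:  ", customer_view(RIB, 12))
    print("upstream down:", customer_view(local_upstream_down(RIB, 12), 12))
```

With the local upstream gone, the customer in POP 12 is left with customer and internal routes only, so the session stays up but no external traffic is drawn across the intercity link.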
Re: [c-nsp] Help with unique BGP setup
Lobo wrote:
> We're trying to do a custom bgp setup for one of our customers but I'm not sure if it's even possible with IOS.
>
> Our network has its primary upstream connection in a different city from where this customer will connect. However each city has its own local internet connection as well for backup purposes. The market that this bgp customer is to be turned up on uses the local isp connection as its primary due to capacity issues on the intercity going back to the core city.
>
> This customer's requirements for bandwidth can be met if they use the local connection only but should the connection go down, they would most likely saturate the intercity connection and impact everyone else. What has been proposed is that they will use the local connection to get internet access and should this access go down, they want the bgp session to be dropped or something equivalent that will make sure they don't go over the intercity.
>
> To my knowledge I know of no configuration that can drop a bgp session based on some next hop attribute. Is there some way to control this customer's traffic as stated above? Any examples you guys can offer?

Do you actually need to drop the session, or is it sufficient to advertise zero prefixes? If the latter, you could apply a route-map outbound towards the customer that only allows the local internet routes to be advertised to them, by setting/matching communities appropriately. For example:

    route-map transit-in permit 10
     set community YOURAS:1234

    ip community-list standard LOCAL-ROUTES permit YOURAS:1234

    route-map customer-out permit 10
     match community LOCAL-ROUTES

Similar can be applied in reverse to prevent the customer's routes being advertised out transit links other than the local one.
[c-nsp] ASA Licensing
Does anybody know if it is possible to run the AnyConnect Essentials license and a small 10 user ssl license to allow only 10 people access to the webportal but all the rest to use the AnyConnect client?
Re: [c-nsp] ASA Licensing
That is not currently possible. Once AnyConnect Essentials is enabled, Clientless (webportal) VPN will be disabled, along with CSD. Users accessing the ASA via the web page will automatically be sent to the AnyConnect Web launch after successful authentication.

Sincerely,
David.

nm...@guesswho.com wrote:
> Does anybody know if it is possible to run the AnyConnect Essentials license and a small 10 user ssl license to allow only 10 people access to the webportal but all the rest to use the AnyConnect client.
Re: [c-nsp] ASA Licensing
Thank you. Exactly what I was looking for.

-----Original Message-----
From: David White, Jr. (dwhitejr) [mailto:dwhit...@cisco.com]
Sent: Wednesday, September 16, 2009 10:04 AM
To: Nicholas Maio
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASA Licensing

That is not currently possible. Once AnyConnect Essentials is enabled, Clientless (webportal) VPN will be disabled, along with CSD. Users accessing the ASA via the web page will automatically be sent to the AnyConnect Web launch after successful authentication.

Sincerely,
David.

nm...@guesswho.com wrote:
> Does anybody know if it is possible to run the AnyConnect Essentials license and a small 10 user ssl license to allow only 10 people access to the webportal but all the rest to use the AnyConnect client.
Re: [c-nsp] ASA Licensing
David,

Does this mean that DAP policies that may leverage CSD returned registry values will not work with Essentials?

-ryan

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of David White, Jr. (dwhitejr)
Sent: Wednesday, September 16, 2009 10:04 AM
To: nm...@guesswho.com
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASA Licensing

That is not currently possible. Once AnyConnect Essentials is enabled, Clientless (webportal) VPN will be disabled, along with CSD. Users accessing the ASA via the web page will automatically be sent to the AnyConnect Web launch after successful authentication.

Sincerely,
David.
Re: [c-nsp] instabilities with SXI2?
I have an issue where after setting up a BGP peer on one side, then issuing a 'sh run | b router bgp' to check my config before going to the adjacent peer and setting that side up, the command hung. As it turns out the active sup (I suppose the RP) crashed and failed over to the hot spare. Prior to this, the day prior, I added 'bgp graceful-restart' in support of SSO/NSF.

I am working with Cisco TAC on this issue. No root cause yet.

6509
Sup720-3bxl
SXI2
X6748-ge-tx - no DFC

-b

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Daniska, Tomas
Sent: Wednesday, September 16, 2009 1:02 AM
To: Jared Mauch; Alan Buxey
Cc: Gert Doering; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] instabilities with SXI2?

> -----Original Message-----
> From: Jared Mauch [mailto:ja...@puck.nether.net]
> Sent: Tuesday, September 15, 2009 12:27 AM
>
> I have a long laundry list of bugs in SXI2, including one that I've not quite yet isolated when you have several levels of recursion on routes causing it to take quite some time to finally settle down after a network event. We don't see the same problem in pre-cef/mfi code (ie: SXF) but do see poor convergence properties in SXH/SXI.

To add to the list. The customer is SXI2a modular already. We had pretty long responses to sh run two days ago. Turned out to be the SP at 100% indefinitely. No log events that'd suggest a reason, no excessive amounts of traffic. No idea so far, working with TAC.

--
deejay
Re: [c-nsp] ASA Licensing
Hi Ryan,

Yes, that is correct. Since CSD is disabled, DAP cannot obtain any host/registry values to make its decisions. However, AAA attributes for DAP will still work.

Sincerely,
David.

Ryan West wrote:
> David,
>
> Does this mean that DAP policies that may leverage CSD returned registry values will not work with Essentials?
>
> -ryan
>
> -----Original Message-----
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of David White, Jr. (dwhitejr)
> Sent: Wednesday, September 16, 2009 10:04 AM
> To: nm...@guesswho.com
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] ASA Licensing
>
> That is not currently possible. Once AnyConnect Essentials is enabled, Clientless (webportal) VPN will be disabled, along with CSD. Users accessing the ASA via the web page will automatically be sent to the AnyConnect Web launch after successful authentication.
>
> Sincerely,
> David.
[c-nsp] 3750 https bad certificate?
I have a 3750 running 12.2.44

I have one or two units that I cannot https into because the certificate cannot be trusted. Everything seems to point to the keys on the switch and even after generating new keys it still fails https. I can ssh in to CLI, just can't https.

I have zeroized keys and disabled ip http secure-server and reenabled it, but still no luck.

I did not reset the switch yet.

Does anybody have any ideas on this? I'm stuck.

Thanks in advance for any help.

Jeff Fitzwater
OIT Network Systems
Princeton University
[c-nsp] Need a switch suggestion for upgrade
Hi List,

Presently I have two foundry FI400 switches in the core that provide layer 3 functionality as well. I'm serving about 20 access switches and a few virtual machine hosts in an enterprise environment with approximately 50 VLANS. We're outgrowing this and also since it's older hardware new firmware / features are hard to come by as well as support. ;)

What would be a good Cisco product to replace these? The big things I'm interested in are layer 3 routing (very simple, mostly static), good multicast support (this customer is an IPTV developer) and decent gig port density (say 48 ports of gig or more).

Would a 4500 series fit the bill here or should I consider something else? Someone familiar with Cisco switching products who has some good pointers please contact me.

Thank you
Scott
[c-nsp] 7600 weirdness
Hello,

I have a pair of 7606s running single SUP 720 – 3BXLs with Version 12.2(18)SXF7 (IP Services)

What I saw last night is perplexing and mind you I’m not the greatest with these devices.

Sep 15 18:39:04: %LINK-3-UPDOWN: Interface GigabitEthernet4/41, changed state to up
Sep 15 18:39:04: %LINK-SP-3-UPDOWN: Interface GigabitEthernet4/41, changed state to up
Sep 15 18:39:07: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet4/41, changed state to up
Sep 15 18:39:07: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface GigabitEthernet4/41, changed state to up
Sep 15 18:39:08: %LINK-SP-3-UPDOWN: Interface GigabitEthernet1/2, changed state to up
Sep 15 19:00:10: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet4/41, changed state to down
Sep 15 19:00:10: %LINK-3-UPDOWN: Interface GigabitEthernet4/41, changed state to down
Sep 15 19:00:10: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface GigabitEthernet4/41, changed state to down
Sep 15 19:00:10: %LINK-SP-3-UPDOWN: Interface GigabitEthernet4/41, changed state to down
Sep 15 19:44:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet4/3, changed state to down
Sep 15 19:44:08: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface GigabitEthernet4/3, changed state to down
Sep 15 19:44:08: %LINK-3-UPDOWN: Interface GigabitEthernet4/3, changed state to down

So basically I have interfaces bouncing regularly – but there’s 45 minutes of time where nothing showed in my logs at all. That is very uncommon, but what makes this perplexing is that the 7600 still sent traps to my Solarwinds box about multiple port up / downs during the 19:00:10 to 19:44:08 timeframe.

Nothing else on the box had issues, I had no network problems (my voice network would’ve flaked to high hell if I had any cpu / network issues). My CPU holds between 20-30% at any given time – with the occasional spike up near 80ish (and when I say spike – I literally mean momentarily – it doesn’t hold there at all). The history for the CPU doesn’t show anything corresponding to that time frame and even spikes. Memory looks fine on the box with tons free.

What I’m looking for is where I can start looking on the box – or ideas that may help me sort out why the box seems to have flipped and stopped reporting for a bit. I’m familiar with the logging – but anything more and it gets fuzzy for me.

Thanks
Tim
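Added example, not part of the thread: one way to quantify the mismatch described in the message above, by collapsing the RP and SP copies of each syslog event, finding the silent windows, and listing link traps that have no matching syslog entry. The syslog lines are the ones quoted in the message and the year is taken from the thread date; the trap records, interface names in them, thresholds and function names are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Syslog lines copied from the message above (IOS omits the year; 2009 per the thread date).
SYSLOG = """\
Sep 15 18:39:04: %LINK-3-UPDOWN: Interface GigabitEthernet4/41, changed state to up
Sep 15 18:39:04: %LINK-SP-3-UPDOWN: Interface GigabitEthernet4/41, changed state to up
Sep 15 18:39:07: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet4/41, changed state to up
Sep 15 18:39:07: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface GigabitEthernet4/41, changed state to up
Sep 15 18:39:08: %LINK-SP-3-UPDOWN: Interface GigabitEthernet1/2, changed state to up
Sep 15 19:00:10: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet4/41, changed state to down
Sep 15 19:00:10: %LINK-3-UPDOWN: Interface GigabitEthernet4/41, changed state to down
Sep 15 19:00:10: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface GigabitEthernet4/41, changed state to down
Sep 15 19:00:10: %LINK-SP-3-UPDOWN: Interface GigabitEthernet4/41, changed state to down
Sep 15 19:44:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet4/3, changed state to down
Sep 15 19:44:08: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface GigabitEthernet4/3, changed state to down
Sep 15 19:44:08: %LINK-3-UPDOWN: Interface GigabitEthernet4/3, changed state to down
"""

# Constructed linkUp/linkDown trap receipts as an NMS might record them; not from the thread.
TRAPS = [
    ("Sep 15 19:05:30", "GigabitEthernet4/12", "down"),
    ("Sep 15 19:05:31", "GigabitEthernet4/12", "up"),
    ("Sep 15 19:31:02", "GigabitEthernet4/7", "down"),
    ("Sep 15 19:44:08", "GigabitEthernet4/3", "down"),
]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d): %(?P<fac>[A-Z]+)(?P<sp>-SP)?-(?P<sev>\d)-UPDOWN: "
    r"(?:Line protocol on )?Interface (?P<ifc>\S+), changed state to (?P<state>up|down)$"
)


def ts_of(text, year=2009):
    """Parse an IOS 'Mon DD HH:MM:SS' timestamp, supplying the missing year."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def parse(log=SYSLOG):
    """Sorted unique (time, facility, interface, state); RP and SP copies collapse into one."""
    events = set()
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.add((ts_of(m["ts"]), m["fac"], m["ifc"], m["state"]))
    return sorted(events)


def silent_windows(events, min_gap=timedelta(minutes=30)):
    """Consecutive syslog timestamps that are at least min_gap apart."""
    times = sorted({e[0] for e in events})
    return [(a, b) for a, b in zip(times, times[1:]) if b - a >= min_gap]


def unlogged_traps(traps, events, tolerance=timedelta(seconds=5)):
    """Traps with no LINK UPDOWN syslog event for the same interface and state within tolerance."""
    logged = [(t, ifc, st) for t, fac, ifc, st in events if fac == "LINK"]
    missing = []
    for stamp, ifc, st in traps:
        when = ts_of(stamp)
        if not any(i == ifc and s == st and abs(t - when) <= tolerance for t, i, s in logged):
            missing.append((stamp, ifc, st))
    return missing


if __name__ == "__main__":
    evs = parse()
    for start, end in silent_windows(evs):
        print(f"no syslog from {start:%H:%M:%S} to {end:%H:%M:%S} ({(end - start).seconds} s)")
    for trap in unlogged_traps(TRAPS, evs):
        print("trap without syslog:", trap)
```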
Re: [c-nsp] 3750 https bad certificate?
Hi Jeff,

On Wed, 2009-09-16 at 11:48 -0400, Jeff Fitzwater wrote:
> I have a 3750 running 12.2.44 I have one or two units that I cannot https into because the certificate cannot be trusted. Everything seems to point to the keys on the switch and even after generating new keys it still fails https. I can ssh in to CLI, just can't https. I have zeroized keys and disabled ip http secure-server and reenabled it, but still no luck.

I assume that the certificates you generate on the switch are self signed, and that would of course give a warning since the browser doesn't trust the issuer, which is the switch itself.

> I did not reset the switch yet. Does anybody have any ideas on this.

You either have to explicitly trust the self signed certificate or get a certificate from a trusted CA.

Or am I misunderstanding your question?

Regards,
Peter
Re: [c-nsp] Help with unique BGP setup
Lobo wrote:
> We're trying to do a custom bgp setup for one of our customers but I'm not sure if it's even possible with IOS.
>
> Our network has its primary upstream connection in a different city from where this customer will connect. However each city has its own local internet connection as well for backup purposes. The market that this bgp customer is to be turned up on uses the local isp connection as its primary due to capacity issues on the intercity going back to the core city.
>
> This customer's requirements for bandwidth can be met if they use the local connection only but should the connection go down, they would most likely saturate the intercity connection and impact everyone else. What has been proposed is that they will use the local connection to get internet access and should this access go down, they want the bgp session to be dropped or something equivalent that will make sure they don't go over the intercity.
>
> To my knowledge I know of no configuration that can drop a bgp session based on some next hop attribute. Is there some way to control this customer's traffic as stated above? Any examples you guys can offer?

I advise you to look at the BGP conditional advertisement feature, which can be used on customers' BGP peers. Here is an example.

    neighbor city-link-nei-ip advertise-map cust-map non-exist-map checked-map
    !
    ip prefix-list cust-pref seq 5 permit cust-prefix/xx
    ip prefix-list checked-pref seq 5 permit anyTIER1-pref/xx
    !
    ! route-map names must match the ones referenced on the neighbor line
    route-map cust-map permit 10
     match ip address prefix-list cust-pref
    route-map checked-map permit 10
     match ip address prefix-list checked-pref

WBR Roman A. Nozdrin
Re: [c-nsp] 7600 weirdness
I don't know how often you got the snmp traps, but maybe there was some micro flapping happening and the logging process didn't catch it. I have seen many down/up snmp traps at the same time (*), while there were only a few logging events (and no drops due to rate-limit).

Besides checking for any logging rate-limit configs, sh int x/x can probably give you more details about actual resets.

* There is a bug on dot1-tunnel ports, where the reset of them causes cdp to be disabled. Many times, although there were no logs about down/up, cdp was disabled under these ports...probably due to a very fast reset.

--
Tassos

Timothy Young wrote on 16/09/2009 19:07:
> Hello,
>
> I have a pair of 7606s running single SUP 720 – 3BXLs with Version 12.2(18)SXF7 (IP Services)
>
> What I saw last night is perplexing and mind you I’m not the greatest with these devices.
>
> Sep 15 18:39:04: %LINK-3-UPDOWN: Interface GigabitEthernet4/41, changed state to up
> Sep 15 18:39:04: %LINK-SP-3-UPDOWN: Interface GigabitEthernet4/41, changed state to up
> Sep 15 18:39:07: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet4/41, changed state to up
> Sep 15 18:39:07: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface GigabitEthernet4/41, changed state to up
> Sep 15 18:39:08: %LINK-SP-3-UPDOWN: Interface GigabitEthernet1/2, changed state to up
> Sep 15 19:00:10: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet4/41, changed state to down
> Sep 15 19:00:10: %LINK-3-UPDOWN: Interface GigabitEthernet4/41, changed state to down
> Sep 15 19:00:10: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface GigabitEthernet4/41, changed state to down
> Sep 15 19:00:10: %LINK-SP-3-UPDOWN: Interface GigabitEthernet4/41, changed state to down
> Sep 15 19:44:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet4/3, changed state to down
> Sep 15 19:44:08: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface GigabitEthernet4/3, changed state to down
> Sep 15 19:44:08: %LINK-3-UPDOWN: Interface GigabitEthernet4/3, changed state to down
>
> So basically I have interfaces bouncing regularly – but there’s 45 minutes of time where nothing showed in my logs at all. That is very uncommon, but what makes this perplexing is that the 7600 still sent traps to my Solarwinds box about multiple port up / downs during the 19:00:10 to 19:44:08 timeframe.
>
> Nothing else on the box had issues, I had no network problems (my voice network would’ve flaked to high hell if I had any cpu / network issues). My CPU holds between 20-30% at any given time – with the occasional spike up near 80ish (and when I say spike – I literally mean momentarily – it doesn’t hold there at all). The history for the CPU doesn’t show anything corresponding to that time frame and even spikes. Memory looks fine on the box with tons free.
>
> What I’m looking for is where I can start looking on the box – or ideas that may help me sort out why the box seems to have flipped and stopped reporting for a bit. I’m familiar with the logging – but anything more and it gets fuzzy for me.
>
> Thanks
> Tim
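The comparison discussed in this message, syslog UPDOWN messages against the link traps the NMS received, can be scripted. The following is an added example, not part of the thread: it parses the log lines quoted above, collapses the RP and -SP copies of each message, reports silent periods, and lists traps that have no matching syslog line. The trap records, the year 2009 and the 30-minute and 5-second thresholds are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

YEAR = 2009  # assumption: the IOS timestamps carry no year; taken from the post date

# Syslog lines as quoted in the message above.
SYSLOG = """\
Sep 15 18:39:04: %LINK-3-UPDOWN: Interface GigabitEthernet4/41, changed state to up
Sep 15 18:39:04: %LINK-SP-3-UPDOWN: Interface GigabitEthernet4/41, changed state to up
Sep 15 18:39:07: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet4/41, changed state to up
Sep 15 18:39:07: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface GigabitEthernet4/41, changed state to up
Sep 15 18:39:08: %LINK-SP-3-UPDOWN: Interface GigabitEthernet1/2, changed state to up
Sep 15 19:00:10: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet4/41, changed state to down
Sep 15 19:00:10: %LINK-3-UPDOWN: Interface GigabitEthernet4/41, changed state to down
Sep 15 19:00:10: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface GigabitEthernet4/41, changed state to down
Sep 15 19:00:10: %LINK-SP-3-UPDOWN: Interface GigabitEthernet4/41, changed state to down
Sep 15 19:44:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet4/3, changed state to down
Sep 15 19:44:08: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface GigabitEthernet4/3, changed state to down
Sep 15 19:44:08: %LINK-3-UPDOWN: Interface GigabitEthernet4/3, changed state to down
"""

# Constructed trap records (time, interface, state), standing in for an NMS export.
TRAPS = [
    ("Sep 15 19:00:10", "GigabitEthernet4/41", "down"),
    ("Sep 15 19:12:31", "GigabitEthernet4/17", "down"),
    ("Sep 15 19:12:32", "GigabitEthernet4/17", "up"),
    ("Sep 15 19:30:05", "GigabitEthernet4/22", "down"),
]

LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d): %(LINK|LINEPROTO)(?:-SP)?-\d-UPDOWN: "
    r"(?:Line protocol on )?Interface (\S+), changed state to (up|down)$"
)

def stamp(text):
    return datetime.strptime(f"{YEAR} {text}", "%Y %b %d %H:%M:%S")

def parse_syslog(text):
    """Return sorted (time, kind, interface, state) events; RP and -SP copies collapse."""
    events = set()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.add((stamp(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return sorted(events)

def silent_gaps(events, min_gap=timedelta(minutes=30)):
    """Return (start, end) pairs with no UPDOWN message logged for min_gap or longer."""
    times = sorted({e[0] for e in events})
    return [(a, b) for a, b in zip(times, times[1:]) if b - a >= min_gap]

def unlogged_traps(traps, events, tolerance=timedelta(seconds=5)):
    """Return traps with no LINK event for the same interface and state within tolerance."""
    missing = []
    for when, iface, state in traps:
        t = stamp(when)
        if not any(kind == "LINK" and i == iface and s == state
                   and abs(ts - t) <= tolerance for ts, kind, i, s in events):
            missing.append((t, iface, state))
    return missing

if __name__ == "__main__":
    events = parse_syslog(SYSLOG)
    for start, end in silent_gaps(events):
        print(f"no UPDOWN syslog between {start:%H:%M:%S} and {end:%H:%M:%S}")
    for t, iface, state in unlogged_traps(TRAPS, events):
        print(f"trap without syslog: {t:%H:%M:%S} {iface} {state}")
```

Traps that land inside a reported silent period point at the logging path (rate limits, buffer, transport) rather than at the interfaces themselves.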
Re: [c-nsp] Help with unique BGP setup
Thanks for the responses everyone. I like the idea of conditional advertisement and will likely work with something like that. The session does not necessarily need to go down but advertising them nothing could work well.

Zoe, I like your method as well and will look at seeing if I can work something like that as well since we tag all of our local internet connections with specific communities that are unique per market.

Jose

Zoe O'Connell wrote:
> Lobo wrote:
>> We're trying to do a custom bgp setup for one of our customers but I'm not sure if it's even possible with IOS. Our network has its primary upstream connection in a different city from where this customer will connect. However each city has its own local internet connection as well for backup purposes. The market that this bgp customer is to be turned up on uses the local isp connection as its primary due to capacity issues on the intercity going back to the core city.
>>
>> This customer's requirements for bandwidth can be met if they use the local connection only but should the connection go down, they would most likely saturate the intercity connection and impact everyone else. What has been proposed is that they will use the local connection to get internet access and should this access go down, they want the bgp session to be dropped or something equivalent that will make sure they don't go over the intercity.
>>
>> To my knowledge I know of no configuration that can drop a bgp session based on some next hop attribute. Is there some way to control this customer's traffic as stated above? Any examples you guys can offer?
>
> Do you actually need to drop the session, or is it sufficient to advertise zero prefixes?
>
> If the latter, you could apply a route-map outbound towards the customer that only allows the local internet routes to be advertised to them, by setting/matching communities appropriately. For example:
>
> route-map transit-in permit 10
>  set community YOURAS:1234
> ip community-list standard LOCAL-ROUTES permit YOURAS:1234
> route-map customer-out permit 10
>  match community LOCAL-ROUTES
>
> Similar can be applied in reverse to prevent the customer's routes being advertised out transit links other than the local one.
[c-nsp] Configurable MAC address flap settings?
Hi,

Does anybody know if there's some way to configure the MAC flapping settings on a 3560/3750? I would like to be able to specify how many changes within a certain time period should make the switch log a flapping issue.

--
Peter
Re: [c-nsp] 2801 as console server
If you use the 6018 instead of 2018 you should find the control characters, escape characters etc. work.

2xxx are 7 bit connections
4xxx give echo - you don't want that
6xxx are 8 bit connections.

Don't remember trying it with ssh but the 6xxx are certainly better for connecting to Cisco devices via TS as it even allows you to get at the boot loader if you need to - however that does obviously have security implications!!

Regards
Nigel

> I've been looking through the Cisco doc but didn't find what I was looking for, therefore this question:
>
> I transformed a 2801 router which we used as a dialin server to a console server. The config seems to work, I can do a telnet xxx 2018 to get access to serial port 0/1/1, also ssh -l user:portnumber works. But I still have 2 problems:
>
> - The escape character doesn't work when using ssh, also e.g. defining CTRL-Z as disconnect character doesn't work. The only way to stop the connection is by killing it at the ssh client side. Is there another way to stop the ssh connection, just like the telnet escape character?
>
> - Is there a way to access the async line from within the router itself? So just a telnet/ssh to the router and then something like 'connect line XXX'? The connect command on the router seems an equivalent of telnet for outgoing tcp sessions and I don't see another command that could do this.
>
> I'm running c2801-ipbasek9-mz.124-25a on the router.
>
> Thanks,
> Wim Holemans
> Netwerkdienst Universiteit Antwerpen
Re: [c-nsp] 3750 https bad certificate?
Well it looks like the key storage, which is in NVRAM by default (from what I have read), was not there or corrupted. So doing a crypto key storage nvram fixed it. Not sure why but it works now.

Jeff

On Sep 16, 2009, at 12:44 PM, Peter Rathlev wrote:
> Hi Jeff,
>
> On Wed, 2009-09-16 at 11:48 -0400, Jeff Fitzwater wrote:
>> I have a 3750 running 12.2.44. I have one or two units that I cannot https into because the certificate cannot be trusted. Everything seems to point to the keys on the switch and even after generating new keys it still fails https. I can ssh in to CLI, just can't https. I have zeroized keys and disabled ip http secure-server and reenabled it, but still no luck.
>
> I assume that the certificates you generate on the switch are self signed, and that would of course give a warning since the browser doesn't trust the issuer, which is the switch itself.
>
>> I did not reset the switch yet. Does anybody have any ideas on this.
>
> You either have to explicitly trust the self signed certificate or get a certificate from a trusted CA. Or am I misunderstanding your question?
>
> Regards,
> Peter
[c-nsp] RSP720-3CXL - 512k ipv4 route capacity ?
I'm pretty sure either I'm not understanding something architecture-wise or we've enabled something globally that halves this. The marketing sheet says this will do 1M ipv4 routes. My show commands lead me to believe our systems will only do 512k. Not a problem today (for full internet) but I would like to understand. We are doing ipv4 only, some MPLS, nothing earth-shattering.

The command and output that leads me to post this is:

router# sh platform hardware capacity forwarding
snip
Module   FIB TCAM usage:               Total     Used   %Used
1        72 bits (IPv4, MPLS, EoM)    524288   293721     56%
         144 bits (IP mcast, IPv6)    262144        8      1%
/snip

This is half of the rated max for the 3CXL and double that of the 3C. We are running ES+ line cards but we have some CFC-based cards in it as well. So my operating mode is still:

router# sh platform hardware pfc mode
PFC operating mode : PFC3CXL

Thanks in advance for any info.

--
Brandon Applegate - CCIE 10273
PGP Key fingerprint: 7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996
SH1-0151. This is the serial number, of our orbital gun.
Re: [c-nsp] RSP720-3CXL - 512k ipv4 route capacity ?
What exact flavor of ES card are you using ? 'sh mod '

Putting a ES20-3C in to a chassis with RSP720-3CXL lowers the effective table capacity of the system to the level of 3C

Brandon Applegate said the following on 9/16/2009 2:19 PM:
> I'm pretty sure either I'm not understanding something architecture-wise or we've enabled something globally that halves this. The marketing sheet says this will do 1M ipv4 routes. My show commands lead me to believe our systems will only do 512k. Not a problem today (for full internet) but I would like to understand. We are doing ipv4 only, some MPLS, nothing earth-shattering.
>
> The command and output that leads me to post this is:
>
> router# sh platform hardware capacity forwarding
> snip
> Module   FIB TCAM usage:               Total     Used   %Used
> 1        72 bits (IPv4, MPLS, EoM)    524288   293721     56%
>          144 bits (IP mcast, IPv6)    262144        8      1%
> /snip
>
> This is half of the rated max for the 3CXL and double that of the 3C. We are running ES+ line cards but we have some CFC-based cards in it as well. So my operating mode is still:
>
> router# sh platform hardware pfc mode
> PFC operating mode : PFC3CXL
>
> Thanks in advance for any info.
>
> --
> Brandon Applegate - CCIE 10273
> PGP Key fingerprint: 7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996
> SH1-0151. This is the serial number, of our orbital gun.
Re: [c-nsp] RSP720-3CXL - 512k ipv4 route capacity ?
On Wed, Sep 16, 2009 at 8:19 PM, Brandon Applegate bran...@burn.net wrote:
> I'm pretty sure either I'm not understanding something architecture-wise or we've enabled something globally that halves this. The marketing sheet says this will do 1M ipv4 routes.

Hi,

It supports 1M ipv4 routes *only*. Default setup is 512K ipv4 and mpls + 256 ipv6 and mcast. Use mls cef max in conf mode to reconfigure this.

HTH
Sidney
[c-nsp] ASA: NAT based on destination URL?
I'm looking for an option to redirect some traffic from a web server that can not handle its current load. For example, can I send traffic bound for hosta.domain.com/images to one NAT destination while traffic bound for hosta.domain.com/anythingelse to another NAT destination? This is a temporary work-around to buy the time it will take to rebuild the application.

Would it be possible to use a Webtype Access List in conjunction with Policy NAT, for example? If that wouldn't work, is there functionality on the ASA platform that could be used to get this result?

Thanks in advance for your help.

Per
Re: [c-nsp] RSP720-3CXL - 512k ipv4 route capacity ?
Hi Brandon,

On Wed, 2009-09-16 at 14:19 -0400, Brandon Applegate wrote:
> I'm pretty sure either I'm not understanding something architecture-wise or we've enabled something globally that halves this. The marketing sheet says this will do 1M ipv4 routes.

It has 1M 72-bit TCAM slots. Default partitioning reserves half for 72-bit entries (IPv4, MPLS) and half for 144-bit entries (IPv6), resulting in what you see.

Look at the mls cef maximum-routes for adjusting the defaults.

Regards,
Peter
[c-nsp] 3560 arbitrarily ignoring ACL
All,

I've taken over a 3560 around 10 months ago, and it's been performing well until last night. With no warning, no log output or anything to indicate trouble, it stopped processing one of my ACL rules. I have about 100 rules in the ACL and this one is near the beginning. It stopped allowing port 443 to a particular vip, which was alive and well at the time. After creating a copy of the ACL and flipping from the original to the copy and back, all was well again.

Anyone know anything about this issue?

Cisco IOS Software, C3560 Software (C3560-ADVIPSERVICESK9-M), Version 12.2(25)SEB4, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Tue 30-Aug-05 17:56 by yenanh

Switch   Ports  Model            SW Version      SW Image
------   -----  -----            ----------      --------
*    1   52     WS-C3560G-48TS   12.2(25)SEB4    C3560-ADVIPSERVICESK
Re: [c-nsp] RSP720-3CXL - 512k ipv4 route capacity ?
On Wed, 16 Sep 2009, Sidney Boumendil wrote:
> It supports 1M ipv4 routes *only*. Default setup is 512K ipv4 and mpls + 256 ipv6 and mcast. Use mls cef max in conf mode to reconfigure this.
>
> HTH
> Sidney

This is exactly what I was looking for, thanks.
Re: [c-nsp] Cisco Security Advisory: TCP State Manipulation Denial ofService Vulnerabilities in Multiple Cisco Products
On 16/09/2009, at 6:06 PM, Gert Doering wrote:
> Just imagine how much functionality NX-OS could get if they would stop wasting effort on 17 different software trains for classic IOS and instead focus on getting NX-OS on all hardware platforms, and getting feature parity for it.

Totally agree. It looks like NX-OS has the sort of architecture we all want. And it works. And it's reliable (MDS has been solid). And it's getting features quite quickly. NX-OS on Cat6k and ASR? Why not? Other than BU politics naturally.

David
...
Re: [c-nsp] Cisco Security Advisory: TCP State Manipulation Denial ofService Vulnerabilities in Multiple Cisco Products
On Wed, Sep 16, 2009 at 7:43 PM, David Hughes da...@hughes.com.au wrote:
> On 16/09/2009, at 6:06 PM, Gert Doering wrote:
>> Just imagine how much functionality NX-OS could get if they would stop wasting effort on 17 different software trains for classic IOS and instead focus on getting NX-OS on all hardware platforms, and getting feature parity for it.
>
> Totally agree. It looks like NX-OS has the sort of architecture we all want. And it works. And it's reliable (MDS has been solid). And it's getting features quite quickly. NX-OS on Cat6k and ASR? Why not? Other than BU politics naturally.

That was my thinking. Unfortunately the Cisco Nexus guys have publicly stated the C6K stays on IOS, Nexus with NX-OS. No plans to port. Kind of crazy given that the Nexus doesn't look like much more than C6K++, and the MDS is the C6K repurposed.

Oh well. Once the Nexus supports MPLS, maybe we'll start voting with our wallets. That's really the only language Cisco listens to.

Tim:
[c-nsp] Inter-As Multicast VPNs
Hi

I am running with a project at the moment with regards to getting Inter-AS mvpns working. All hardware is Cisco.

If I read all the material correctly, and I would like some clarification, I cannot use non MDT SAFI capable routers as Route-Reflectors, as type 2 RDs are non-transitive.

The challenge I have is that nearly all my PEs are non MDT SAFI capable, although I can implement MDT SAFI capable Route-Reflectors. So with that prospect does anyone see me having a problem implementing MDT SAFI capable RRs with non MDT SAFI capable PEs and using Cisco's MVPN Inter-AS Support Option C?

Thanks in advance

Mat
Re: [c-nsp] Cisco 2600 and ISDN
> I have a central side 2600 with an ISDN BRI card in it, and a remote site with a 2600 and ISDN BRI card in it. I have the ISDN lines working, and I have the remote site calling into the central site (I can see the calls on the console) and RADIUS appears to be authenticating the call. Then the session drops with this:

snip

Unsure what IOS version you're running, but you might try using the ppp authorization command in your dialer interfaces. debug ppp author will also help there.

From your debug output, authentication is working but a few years back the PPP code changed to require authorisation whereas before that random point it didn't really care...

B.