Re: [c-nsp] Cisco vs. Juniper
> Mark, what's your thoughts on the MX240? I'm curious now since you state not to get you started. :-)

Not answering for Mark here. In any case, MX240 is a sweet little box, but the price difference to the MX480 (and MX960) is so small that it is only interesting if you are *really* pressed for rack space and/or power. We have a couple of them for precisely that reason.

Steinar Haug, Nethelp consulting, sth...@nethelp.no

___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Cisco vs. Juniper
On Wednesday 04 November 2009 09:10:33 am Brian Spade wrote:

> Mark, what's your thoughts on the MX240? I'm curious now since you state not to get you started. :-)

Really... :-)?

Well, the MX240 is probably the smallest of the bunch (not considering the MX80, as it probably won't be modular enough to provide SONET/SDH support).

The MX-FPC swallows two whole DPC slots. In an MX240, that's just a waste of time. You're better off getting an M120 or M40e (M40e if you don't need STM-64/OC-192). This makes the MX480 or MX960 more appealing when used with the MX-FPC. But then, that's not in the same space as the ASR1000 series anymore.

Again, Cisco are slightly better in the segment, at present. Juniper might do well to refresh the M7i/M10i. And I've said this to them, time and time again. As much as I adore Juniper, and with due respect to the ingenious design of the M7i/M10i platform, the ASR1000 levels (and perhaps, exceeds) the playing field in this platform space.

Cheers,

Mark.
Re: [c-nsp] BPDU Guard issue
On 03/11/2009, at 5:25 PM, Stanly Johns wrote:

> Is it possible for a BPDU guard enabled switch port to get disabled without connecting any other device than the IP Phone and a PC? I had to do a shut and no shut to bring it up! The logs are as follows. Your inputs are highly appreciated.

you had a loop on a portfast port, BPDU guard prevented that from causing it to melt your network down. you should be thankful.

i've seen loops caused by all sorts of things. some virtualization software does it. some vendors' iLO ports can be bridged with a non-iLO port, and some teaming/failsafe NIC drivers can do it.

my suggestion is to find out the root cause and fix that.

cheers,
lincoln.
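An added example, not from the thread: a small parser that pulls BPDU guard err-disable events out of IOS syslog and flags ports that keep tripping, which is where the root-cause hunt should start. The hostname, ports and timestamps in the sample lines are constructed; the message formats are the standard %PM-4-ERR_DISABLE and %SPANTREE-2-BLOCK_BPDUGUARD ones.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the shape IOS emits when BPDU guard
# fires on a PortFast port (hostname, ports and timestamps are made up).
SAMPLE_LOG = """\
Nov  3 17:20:01 sw-edge-1 1234: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/7 with BPDU Guard enabled. Disabling port.
Nov  3 17:20:01 sw-edge-1 1235: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/7, putting Fa0/7 in err-disable state
Nov  3 17:20:03 sw-edge-1 1236: %LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to down
Nov  3 17:41:15 sw-edge-1 1240: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/7, putting Fa0/7 in err-disable state
Nov  3 18:02:44 sw-edge-1 1251: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/12, putting Fa0/12 in err-disable state
"""

# Match only err-disable events whose cause is bpduguard; other causes
# (link-flap, psecure-violation, ...) are deliberately ignored.
ERR_DISABLE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \S+ "
    r"%PM-4-ERR_DISABLE: bpduguard error detected on (?P<port>\S+),"
)


def parse_bpduguard_events(log_text):
    """Return one (timestamp, host, port) tuple per BPDU guard err-disable."""
    events = []
    for line in log_text.splitlines():
        m = ERR_DISABLE_RE.match(line)
        if m:
            events.append((m.group("ts"), m.group("host"), m.group("port")))
    return events


def repeat_offenders(events, threshold=2):
    """Ports that tripped BPDU guard at least `threshold` times.

    A port that is err-disabled again after a shut/no shut has a
    persistent loop source behind it (bridged NIC, virtual switch,
    iLO bridge); that is where to look for the root cause.
    """
    counts = Counter((host, port) for _ts, host, port in events)
    return {f"{host} {port}": n
            for (host, port), n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_bpduguard_events(SAMPLE_LOG)
    print(f"{len(evs)} BPDU guard err-disable events")
    for key, n in repeat_offenders(evs).items():
        print(f"repeat offender: {key} ({n} times)")
```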
[c-nsp] Problem with policies on interfaces C3750E IOS12.2(50) SE2
Hello all,

I recently updated the IOS version on my C3750 to IOS 12.2(50)SE2. Now I have the following problem: all the policies on my interfaces don't shape traffic.

mls qos is enabled and the policy-map looks like this:

    policy-map Customer-200Mbps-critical-In
     class class-default
      police 209712000 100 exceed-action drop

On the interface I override all ingress packets and set the CoS of the packets to 1:

    mls qos cos 1
    mls qos cos override

This is necessary because the traffic must be in a certain queue.

So I began to experiment, and I got the following result: when I remove the option "mls qos cos override", the policy works, but when I put this option back it doesn't work.

Has anyone had the same problem? I can't disable "mls qos cos override" because I want the QoS scheme to keep working, but I can't disable the policy either.

--
Andrey Teslenko
Leading IP engineer
JSC Farlep-Invest, Ukraine, Odessa
Backbone network department, Network operation sector
mob: 8063 617-01-68
tel: 8048 716-55-72
[c-nsp] Cat 3550 policy routing at layer 4
Does anyone know if the Catalyst 3550 has some restriction on policy routing ACLs at layer 4?

In my lab the PBR works well if the route-map ACL is at layer 3 only:

    access-list 200 permit ip src dst

If I use an ACL with a layer four ACE, like

    access-list 200 permit tcp src dst eq 25

it doesn't work anymore. The manual generically states that it is possible to select the traffic via layer 4 parameters.

IOS 12.2.44 SE6

Thanks in advance

*am*

--- cut here
...
interface Vlan20
 ip address 192.168.1.1 255.255.255.0
 ip route-cache policy
 ip policy route-map SPECIAL-ROUTES
...
access-list 200 permit tcp 192.168.1.0 255.255.255.0 any eq smtp
access-list 200 permit tcp 192.168.1.0 255.255.255.0 any eq pop3
!
route-map SPECIAL-ROUTES permit 5
 match ip address 200
 set ip next-hop 1.1.1.2
...
--- cut here

-
Andrea Montefusco iw0hdv
http://www.montefusco.com
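An added check, not part of the original post: IOS extended ACLs take wildcard (inverse) masks, so the script below evaluates the two ACEs exactly as posted against a constructed host in 192.168.1.0/24, beside the same ACEs rewritten with 0.0.0.255, which is worth ruling out before suspecting a platform limitation. The packet and ACE dictionaries are constructed for this example.

```python
import ipaddress

# IOS extended ACLs take an inverse (wildcard) mask: a 0 bit must match,
# a 1 bit is "don't care". "192.168.1.0 255.255.255.0" therefore selects
# every address whose last octet is 0, not the 192.168.1.0/24 subnet
# (that would be 0.0.0.255). Hosts and ACE dicts below are constructed.


def wildcard_match(addr, network, wildcard):
    """IOS-style comparison of addr against network/wildcard."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def ace_matches(ace, pkt):
    """Evaluate one extended ACE against a packet; 'any' skips the check."""
    if ace["proto"] not in ("ip", pkt["proto"]):
        return False
    if ace["src"] != "any" and not wildcard_match(pkt["src"], ace["src"], ace["src_wc"]):
        return False
    if ace["dst"] != "any" and not wildcard_match(pkt["dst"], ace["dst"], ace["dst_wc"]):
        return False
    return ace.get("dport") in (None, pkt.get("dport"))


def acl_permits(acl, pkt):
    """First-match semantics; no ACE matching means the implicit deny."""
    return any(ace_matches(ace, pkt) for ace in acl)


# The two ACEs from the post, masks exactly as written there (eq smtp / pop3).
ACL_200_AS_POSTED = [
    {"proto": "tcp", "src": "192.168.1.0", "src_wc": "255.255.255.0", "dst": "any", "dport": 25},
    {"proto": "tcp", "src": "192.168.1.0", "src_wc": "255.255.255.0", "dst": "any", "dport": 110},
]
# Same ACEs with the wildcard that actually selects 192.168.1.0/24.
ACL_200_SUBNET = [dict(ace, src_wc="0.0.0.255") for ace in ACL_200_AS_POSTED]

# A constructed SMTP connection from a LAN host behind Vlan20.
SMTP_FROM_LAN = {"proto": "tcp", "src": "192.168.1.50", "dst": "203.0.113.10", "dport": 25}

if __name__ == "__main__":
    for name, acl in (("as posted", ACL_200_AS_POSTED), ("0.0.0.255", ACL_200_SUBNET)):
        print(f"{name}: route-map match = {acl_permits(acl, SMTP_FROM_LAN)}")
```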
Re: [c-nsp] Cisco vs. Juniper
> The MX-FPC swallows two whole DPC slots. In an MX240, that's just a waste of time. You're better off getting an M120 or M40e (M40e if you don't need STM-64/OC-192). This makes the MX480 or MX960 more appealing when used with the MX-FPC. But then, that's not in the same space as the ASR1000 series anymore.

Really? The price difference between a 240 and 480 has always made me wonder why someone wouldn't just buy the 480. The difference is small.

We'll have to wait and see what the answer is going to be to the ASR. I suspect it will be the SRX, because of the integrated services and flow-based QoS.

From: Mark Tinka mti...@globaltransit.net
To: Brian Spade bitkr...@gmail.com
Cc: sth...@nethelp.no; cisco-nsp@puck.nether.net
Sent: Wed, November 4, 2009 4:37:16 AM
Subject: Re: [c-nsp] Cisco vs. Juniper

> On Wednesday 04 November 2009 09:10:33 am Brian Spade wrote:
>
> > Mark, what's your thoughts on the MX240? I'm curious now since you state not to get you started. :-)
>
> Really... :-)?
>
> Well, the MX240 is probably the smallest of the bunch (not considering the MX80, as it probably won't be modular enough to provide SONET/SDH support).
>
> Again, Cisco are slightly better in the segment, at present. Juniper might do well to refresh the M7i/M10i. And I've said this to them, time and time again. As much as I adore Juniper, and with due respect to the ingenious design of the M7i/M10i platform, the ASR1000 levels (and perhaps, exceeds) the playing field in this platform space.
>
> Cheers,
>
> Mark.
Re: [c-nsp] Issue with secondary ip address
You need to set up a superscope on the Windows box that includes both the primary and secondary subnets. Even if you don't hand out any addresses in the primary subnet, it needs to exist and be bound to the same superscope as your secondary subnet.

Sent from my iPhone.

On Nov 3, 2009, at 11:19 AM, CJ cjinfant...@gmail.com wrote:

> Hello all,
>
> I have a vlan that has a primary and secondary ip address. My DHCP server is in the secondary ip address. The DHCP server is a windows 2003 server with the scope enabled and correct. If I plug a computer into a switch with the vlan configured I cannot get an address. If I create a DHCP server in the primary ip address range with the same scope and options and disable the scope on the other DHCP server it works. I cannot figure out what is going on.
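An added model of why the superscope is needed, not from the thread: the relaying router puts the interface's primary address in giaddr, and the server picks a scope by that address, so a scope that exists only for the secondary subnet is never selected. The subnets, the superscope name and the scope-selection logic are assumptions made for this example.

```python
import ipaddress

# Assumptions made for this added example: the router relays the DISCOVER
# with giaddr set to the interface's *primary* address, and the server
# first picks the scope whose subnet contains giaddr, then may allocate from
# any other scope in the same superscope. Subnets below are constructed;
# the DHCP server sits in the (secondary) 10.1.2.0/24 range.

VLAN_PRIMARY = "10.1.1.1"     # constructed primary address of the VLAN SVI


class Scope:
    def __init__(self, subnet, free_leases, superscope=None):
        self.subnet = ipaddress.ip_network(subnet)
        self.free_leases = free_leases   # 0: scope exists but hands out nothing
        self.superscope = superscope


def select_scope(giaddr, scopes):
    """Return the scope that can serve a request relayed from giaddr, or None."""
    giaddr = ipaddress.ip_address(giaddr)
    anchor = next((s for s in scopes if giaddr in s.subnet), None)
    if anchor is None:
        return None                     # no matching scope: DISCOVER is dropped
    if anchor.free_leases:
        return anchor
    if anchor.superscope is None:
        return None                     # matching scope is empty and not grouped
    return next((s for s in scopes
                 if s.superscope == anchor.superscope and s.free_leases), None)


def broken_setup():
    """Only the secondary subnet has a scope, as in the original question."""
    return [Scope("10.1.2.0/24", free_leases=200)]


def superscope_setup():
    """Primary scope exists with no leases, grouped with the secondary scope."""
    return [Scope("10.1.1.0/24", free_leases=0, superscope="vlan-a"),
            Scope("10.1.2.0/24", free_leases=200, superscope="vlan-a")]


if __name__ == "__main__":
    for label, setup in (("secondary-only", broken_setup), ("superscope", superscope_setup)):
        chosen = select_scope(VLAN_PRIMARY, setup())
        print(f"{label}: {'no offer' if chosen is None else 'offer from ' + str(chosen.subnet)}")
```

IOS also has `ip dhcp smart-relay`, which falls back to the secondary addresses as giaddr when requests relayed with the primary go unanswered; the superscope fix works without it.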
[c-nsp] rate limits on 2970?
Hi,

I have a pair of 2970's and I want to know if/how it's possible to establish input and output rate limits on them. If there's a Cisco guide, sorry for bothering you all, but a very quick google doesn't give me any answer. The switches are running 12.2(25)SEC code if it makes a difference.

Thank you.
Re: [c-nsp] rate limits on 2970?
Hello.

As far as I know, there is no rate limiting on 2950/60/70. You can use the QoS mechanisms, but the rate limiting does not work as well as Cisco describes it (token bucket mechanism, etc.). Although you can use srr-queue bandwidth in config-if mode, it affects only ingress traffic.

2009/11/4 Mike mike-cisconspl...@tiedyenetworks.com

> Hi,
>
> I have a pair of 2970's and I want to know if/how it's possible to establish input and output rate limits on them. If there's a Cisco guide, sorry for bothering you all, but a very quick google doesn't give me any answer. The switches are running 12.2(25)SEC code if it makes a difference.
>
> Thank you.

WBR
Aleksey Polyakoff
ICQ:9001016
Re: [c-nsp] Cisco vs. Juniper
On Wed, Nov 04, 2009 at 05:49:52AM -0800, Derick Winkworth wrote:

> Really? The price difference between a 240 and 480 has always made me wonder why someone wouldn't just buy the 480. The difference is small.

Funny, I say the same thing about the 960 vs 480. We bought exactly one 480 for a place where we couldn't get anything in the 200-240v range for power, because 90-120v is supported only on 240/480. For the money I'd have much rather gotten a 960 and just not powered up the second half.

Actually if you look at it from a components perspective it actually costs you more to buy the smaller chassis. For example a fully redundant MX960 comes with 3 SCBs (fabric modules), a fully redundant MX480 comes with 2. And the price difference between the two is a fraction of the cost of buying a spare SCB.

Hopefully MX80 fixes these chassis cost issues with its new more integrated design. I think there is probably a product line opening for an MX120 or MX160 as well. But again, wrong mailing list. :)

--
Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
[c-nsp] Restricting VPN connections to company hardware?
Hi,

I've been googling but not finding much, although I think I'm probably formulating my search incorrectly, so I'm hoping for some pointers here.

I use ASA 5520 hardware to provide VPN services to end users with Cisco VPN clients and some L2L sessions. We've been finding that folks are configuring iPhones and other non-approved devices to attach to the network. What's the best method to certify that end users are connecting with approved devices only? Is there a good way, say, for me to allow company-provided laptops but not allow clients from home machines where users duplicate their profile, or non-certified end devices like Pocket PC devices? I understand how to filter based on client type, but this doesn't prevent someone from copying their profile file from one machine to another.

Any pointers would be appreciated.

Thanks
Scott
Re: [c-nsp] Restricting VPN connections to company hardware?
Hi Scott,

Certificate based authentication can meet these needs. This document is just a starting point -- the client certificate installation procedure is onerous. If you have an MS environment it's easier to push out certs with group policy objects than making your end users download and install certificates.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml

-mtw

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott Granados
Sent: Wednesday, November 04, 2009 9:43 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Restricting VPN connections to company hardware?

> Hi,
>
> I've been googling but not finding much, although I think I'm probably formulating my search incorrectly, so I'm hoping for some pointers here.
>
> I use ASA 5520 hardware to provide VPN services to end users with Cisco VPN clients and some L2L sessions. We've been finding that folks are configuring iPhones and other non-approved devices to attach to the network. What's the best method to certify that end users are connecting with approved devices only? Is there a good way, say, for me to allow company-provided laptops but not allow clients from home machines where users duplicate their profile, or non-certified end devices like Pocket PC devices? I understand how to filter based on client type, but this doesn't prevent someone from copying their profile file from one machine to another.
>
> Any pointers would be appreciated.
>
> Thanks
> Scott
Re: [c-nsp] rate limits on 2970?
2950 can rate limit in 1Mbps increments if you have the EI software, using policers. Not sure about 2970.

--
Randy

--- Original Message ---
From: Alexey Polyakov bergh...@gmail.com
To: Mike mike-cisconspl...@tiedyenetworks.com
Cc: cisco-nsp@puck.nether.net
Sent: Wed, 4 Nov 2009 20:19:14 +0300
Subject: Re: [c-nsp] rate limits on 2970?

> Hello.
>
> As far as I know, there is no rate limiting on 2950/60/70. You can use the QoS mechanisms, but the rate limiting does not work as well as Cisco describes it (token bucket mechanism, etc.). Although you can use srr-queue bandwidth in config-if mode, it affects only ingress traffic.
>
> 2009/11/4 Mike mike-cisconspl...@tiedyenetworks.com
>
> > Hi,
> >
> > I have a pair of 2970's and I want to know if/how it's possible to establish input and output rate limits on them. If there's a Cisco guide, sorry for bothering you all, but a very quick google doesn't give me any answer. The switches are running 12.2(25)SEC code if it makes a difference.
> >
> > Thank you.
>
> WBR
> Aleksey Polyakoff
> ICQ:9001016
--- End of Original Message ---