Re: [c-nsp] Tier-2 Internet Provider Design
BGP design and implementation - http://www.amazon.com/BGP-Design-Implementation-Randy-Zhang/dp/1587051095
Practical BGP - http://www.amazon.com/Practical-BGP-Russ-White/dp/0321127005
Routing TCP/IP Volume 1 - http://www.amazon.com/Routing-TCP-IP-1-2nd/dp/1587052024
Routing TCP/IP Volume 2 - http://www.amazon.com/Routing-TCP-CCIE-Professional-Development/dp/1578700892

If you are running MPLS then you will need a firm grounding in MPLS. MPLS TE is indispensable for large scale backbones.

LR

Mack McBride

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Felix Nkansah
Sent: Tuesday, April 20, 2010 7:31 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Tier-2 Internet Provider Design

> Hi,
>
> I am working on the design of a large-scale Internet pop and services for a national carrier. I would appreciate it if you could direct me to some very good books or guides on this subject.
>
> Thanks.
>
> Felix

_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] USB to Serial Converter recommendation
Hello List,

Someone once told me that there is no such thing as a dummy question, so I am going to ask.

Could anyone recommend a USB to Serial Converter that:
- is compatible with Mac OS X,
- is compatible with minicom (or else),
*- knows how to send breaks (the must-have feature),*

I have been stuck with this model that doesn't know how to send breaks, useless:
http://www.trendnet.com/products/proddetail.asp?prod=150_TU-S9&cat=49

I have been googling around but manufacturers' documentation is very detailed about their products' capabilities.

Thanks for your feedback.

Cheers.

Y.

-- 
Youssef BENGELLOUN-ZAHR
Network and Telecommunications Engineer
Technopole de l'Aube en Champagne - BP 601 - 10901 TROYES Cedex 9
Paris office: 6, rue Charles Floquet - 92120 MONTROUGE
Tel +33 (0) 825 000 720
Tel. direct +33 (0) 1 77 35 59 14
Mobile +33 (0) 6 22 42 63 80
Email y...@720.fr
www.720.fr
Re: [c-nsp] USB to Serial Converter recommendation
On 4/21/10 1:15 AM, Youssef Bengelloun-Zahr wrote:
> Could anyone recommend a USB to Serial Converter that:
> - is compatible with Mac OS X,
> - is compatible with minicom (or else),
> *- knows how to send breaks (the must-have feature),*

I use the Keyspan USA-19HS, does all of the above quite well, it just works. No complaints.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] USB to Serial Converter recommendation
On Wed, Apr 21, 2010 at 10:15 AM, Youssef Bengelloun-Zahr yous...@720.fr wrote:
> Someone once told me that there is no such thing as a dummy question, so I am going to ask.
>
> Could anyone recommend a USB to Serial Converter that:
> - is compatible with Mac OS X,

http://osx-pl2303.sourceforge.net/

> - is compatible with minicom (or else),
> *- knows how to send breaks (the must-have feature),*

http://lists.slug.org.au/archives/slug/2006/11/msg00477.html

I would recommend the ATEN UC232A (http://www.aten-usa.com/?productcat=795&Item=UC232A); I have used it every day without a problem for the last 5 years.

Best regards
-- 
Aleksandar Topuzović
Re: [c-nsp] USB to Serial Converter recommendation
Hi,

> On 4/21/10 1:15 AM, Youssef Bengelloun-Zahr wrote:
>> Could anyone recommend a USB to Serial Converter that:
>> - is compatible with Mac OS X,
>> - is compatible with minicom (or else),
>> *- knows how to send breaks (the must-have feature),*
>
> I use the Keyspan USA-19HS, does all of the above quite well, it just works. No complaints.

Same here. Only small gotcha: it doesn't seem to work properly if OSX is running in native 64-bit mode (either by setting it manually, or by holding down '6' when booting up). Fix? Run in 32-bit mode currently.

alan
Re: [c-nsp] USB to Serial Converter recommendation
On Apr 21, 2010, at 3:37 AM, Jay Hennigan wrote:
> I use the Keyspan USA-19HS, does all of the above quite well, it just works. No complaints.

+1 for the USA-19HS. Had mine about 4 years now, and it just keeps working despite rattling around in my bag all that time.

--Chris
Re: [c-nsp] USB to Serial Converter recommendation
On Wed, 2010-04-21 at 10:15 +0200, Youssef Bengelloun-Zahr wrote:
> Could anyone recommend a USB to Serial Converter that:
> - is compatible with Mac OS X,
> - is compatible with minicom (or else),
> *- knows how to send breaks (the must-have feature),*
>
> I have been stuck with this model that doesn't know how to send breaks, useless:
> http://www.trendnet.com/products/proddetail.asp?prod=150_TU-S9&cat=49
>
> I have been googling around but manufacturers' documentation is very detailed about their products' capabilities.

According to some quick googling it uses the PL2303 chip. We use those a lot (other brands though) on Linux. We can send breaks through minicom without problems. (Just tested on an 828.)

We seem to have problems making the small Catalyst switches understand breaks though (3560/3750). Could that be related to your problem?

-- 
Peter
Re: [c-nsp] USB to Serial Converter recommendation
Hello all!

Does anyone have experience with something like this:
http://www.microdirect.co.uk/Home/Product/17745?source=googleps

I think this could be cool - if it works fine :-)

On Wed, Apr 21, 2010 at 10:15 AM, Youssef Bengelloun-Zahr yous...@720.fr wrote:
> Hello List,
>
> Someone once told me that there is no such thing as a dummy question, so I am going to ask.
>
> Could anyone recommend a USB to Serial Converter that:
> - is compatible with Mac OS X,
> - is compatible with minicom (or else),
> *- knows how to send breaks (the must-have feature),*
>
> I have been stuck with this model that doesn't know how to send breaks, useless:
> http://www.trendnet.com/products/proddetail.asp?prod=150_TU-S9&cat=49
>
> I have been googling around but manufacturers' documentation is very detailed about their products' capabilities.
>
> Thanks for your feedback.
>
> Cheers.
>
> Y.
Re: [c-nsp] USB to Serial Converter recommendation
When would you send a break to a 3560/3750? To break in you hold the mode button on boot.

On Wed, Apr 21, 2010 at 7:12 PM, Peter Rathlev pe...@rathlev.dk wrote:
> On Wed, 2010-04-21 at 10:15 +0200, Youssef Bengelloun-Zahr wrote:
>> Could anyone recommend a USB to Serial Converter that:
>> - is compatible with Mac OS X,
>> - is compatible with minicom (or else),
>> *- knows how to send breaks (the must-have feature),*
>>
>> I have been stuck with this model that doesn't know how to send breaks, useless:
>> http://www.trendnet.com/products/proddetail.asp?prod=150_TU-S9&cat=49
>>
>> I have been googling around but manufacturers' documentation is very detailed about their products' capabilities.
>
> According to some quick googling it uses the PL2303 chip. We use those a lot (other brands though) on Linux. We can send breaks through minicom without problems. (Just tested on an 828.)
>
> We seem to have problems making the small Catalyst switches understand breaks though (3560/3750). Could that be related to your problem?
>
> -- 
> Peter
Re: [c-nsp] USB to Serial Converter recommendation
Hello,

Looks like the Keyspan is a great adapter. Does it ship with drivers or is it plug-and-play for Mac OS X?

Thanks.

Y.

2010/4/21 Chris Boyd cb...@gizmopartners.com
> On Apr 21, 2010, at 3:37 AM, Jay Hennigan wrote:
>> I use the Keyspan USA-19HS, does all of the above quite well, it just works. No complaints.
>
> +1 for the USA-19HS. Had mine about 4 years now, and it just keeps working despite rattling around in my bag all that time.
>
> --Chris

-- 
Youssef BENGELLOUN-ZAHR
Re: [c-nsp] USB to Serial Converter recommendation
Hi,

On Wed, Apr 21, 2010 at 11:12:43AM +0200, Peter Rathlev wrote:
> We seem to have problems making the small Catalyst switches understand breaks though (3560/3750). Could that be related to your problem?

Some of the more recent switches don't want a break on the console, but a press of the front-side button at the right moment in time.

gert
-- 
USENET is *not* the non-clickable part of WWW!                         //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
Re: [c-nsp] USB to Serial Converter recommendation
On Apr 21, 2010, at 4:32 AM, Youssef Bengelloun-Zahr wrote:
> Looks like the Keyspan is a great adapter. Does it ship with drivers or is it plug-and-play for Mac OS X?

It does require a driver--I've been using the one that came with mine. Looks like there's a new one for 10.6:

http://www.tripplite.com/shared/software/Driver/Mac-OS-10-6-v26b3-driver.zip

--Chris
Re: [c-nsp] USB to Serial Converter recommendation
On Apr 21, 2010, at 4:38 AM, Chris Boyd wrote:
> It does require a driver--I've been using the one that came with mine. Looks like there's a new one for 10.6:
>
> http://www.tripplite.com/shared/software/Driver/Mac-OS-10-6-v26b3-driver.zip

And to follow up my own post, the release notes say that this version provides 64 bit support.

--Chris
Re: [c-nsp] USB to Serial Converter recommendation
On Wed, 2010-04-21 at 19:30 +1000, joshua atterbury wrote:
> when would you send a break to a 3560/3750? to break in you hold the mode button on boot.

That might sometimes be a problem if the switch is in some far away place with only a console cable in place. :-)

-- 
Peter
Re: [c-nsp] USB to Serial Converter recommendation
On Wed, 21 Apr 2010, Chris Boyd wrote:
> +1 for the USA-19HS. Had mine about 4 years now, and it just keeps working despite rattling around in my bag all that time.

Agreed, same. I prefer screen over minicom though - 'screen /dev/tty.KeySerial1' and it just works.

Rgds,

- I.
Re: [c-nsp] USB to Serial Converter recommendation
On Apr 21, 2010, at 4:37 AM, Jay Hennigan wrote:
> I use the Keyspan USA-19HS, does all of the above quite well, it just works. No complaints.

+1. I use my Keyspan between my MacBookPro and my Linux based netbook (both with minicom) and it just works..

-Patrick

-- 
Patrick Muldoon
Network/Software Engineer
INOC (http://www.inoc.net)
PGPKEY (http://www.inoc.net/~doon)
Key ID: 0x370D752C

Disclaimer: Any errors in spelling, tact, or fact are transmission errors.
Re: [c-nsp] USB to Serial Converter recommendation
On Apr 21, 2010, at 5:09 AM, Alan Buxey wrote:
> Same here. Only small gotcha: it doesn't seem to work properly if OSX is running in native 64-bit mode (either by setting it manually, or by holding down '6' when booting up). Fix? Run in 32-bit mode currently.

Works fine here, native 64 bit:

USA28Xdriver::init 2.6b4 Aug 12 2009 10:35:37 (whichInstance 0)
USA28Xdriver::attach (whichInstance 0 temporaryInstance 1)
USA28Xdriver::probe (whichInstance 0)
USA28Xdriver::probe vendor 6cd product 121
USA28Xdriver::detach (whichInstance 0 temporaryInstance 1)
USA28Xdriver::attach (whichInstance 0 temporaryInstance 1)
USA28Xdriver::start (whichInstance 0)

[~] uname -mpv
Darwin Kernel Version 10.3.0: Fri Feb 26 11:57:13 PST 2010; root:xnu-1504.3.12~1/RELEASE_X86_64 x86_64 i386

[~] sysctl kern.bootargs
kern.bootargs: arch=x86_64

-Patrick

-- 
Patrick Muldoon
YOUR PC's broken and I'VE got a problem? -- The BOFH Slogan
Re: [c-nsp] Two routers with Single ISP Scenario
Thanks a lot, all, for your valuable advice and time.

regards,
Nad

On Tue, Apr 20, 2010 at 5:32 PM, Vincent C Jones v.jo...@networkingunlimited.com wrote:
> On Mon, 2010-04-19 at 14:29 +0200, Peter Rathlev wrote:
>> On Mon, 2010-04-19 at 14:11 +0200, shadow floating wrote:
>>> I have a customer who wants to stick to a single ISP but wants to implement a full-redundancy (no single point of failure) network scenario. Is there a way to connect two internet-facing routers in an active/standby fashion to a single ISP with a single IP range?
>>
>> The provider and the customer could both use HSRP (or VRRP or GLBP). It needs a L2 connection between the two sites though, and that might not be optimal. It can work fine though. We currently use this as a customer of AS3308.
>>
>>   +----------+           +----------+
>>   | ISP PE 1 |--- (?) ---| ISP PE 2 |
>>   +----------+           +----------+
>>        |                      |
>>        |                      |
>>   +----------+           +----------+
>>   |   CE 1   |-----------|   CE 2   |
>>   +----------+           +----------+
>>
>> The top link (between ISP PE 1 and PE 2) is not strictly necessary and the ISP might prefer not having it.
>
> A much simpler and more robust approach is to get a private ASN from your ISP and run BGP. This is the scenario private ASNs are intended for and it eliminates many layer 2 dependencies. All you need to do is accept a default route from the ISP and advertise your prefix to the ISP. Don't forget to test and verify that the ISP is passing on your prefixes from your advertisements rather than static routing. You will regret depending on a link failure being detected by the interfaces on both ends.
>
> Of course, if you really care about redundancy, you need to make sure the two paths between your routers and the ISP's routers are physically diverse so that when one fails, the other has a fighting chance of staying up. Watch out for common paths not just getting to the ISP but also from the ISP's points of presence you are using to their upstream connections. Also consider physical diversity of the routers at each end; you probably don't want a site problem (e.g. fire or extended power outage) to take you off the Internet either.
>
> Lots of possibilities; your choices are limited only by your budget. For example, you may want to extend your routing through your firewalls to your internal sites so an internal network problem does not isolate the survivors (yes, you can dynamically route through firewalls without sacrificing security. But just like it is easy to add redundancy that sacrifices, rather than improves, availability, it takes care and effort to route through firewalls without degrading your security).
>
> Bottom line is you can protect against everything except your ISP fat-fingering their routing tables and going completely off the air.
>
> Good luck and have fun!
>
> -- 
> Vincent C. Jones
> Networking Unlimited, Inc.
> Phone: +1 201 568-7810
> v.jo...@networkingunlimited.com
Re: [c-nsp] USB to Serial Converter recommendation
I didn't know screen could be used in such a way, thanks for the idea.

Anyway, minicom is configurable, but for a GUI environment I prefer using GTKTerm, which has much easier ways to configure stuff.

I'd second the Keyspan or ATEN; I've worked with both of them with no problems. For Windows and Mac they need a driver; on Linux they work just out of the box.

And by the way, no matter the brand, they all seem to use the same Prolific PL2303 chip, no need to reinvent the wheel...

Ziv

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Ian Henderson
Sent: Wednesday, April 21, 2010 12:28 PM
To: Chris Boyd
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] USB to Serial Converter recommendation

> On Wed, 21 Apr 2010, Chris Boyd wrote:
>> +1 for the USA-19HS. Had mine about 4 years now, and it just keeps working despite rattling around in my bag all that time.
>
> Agreed, same. I prefer screen over minicom though - 'screen /dev/tty.KeySerial1' and it just works.
>
> Rgds,
>
> - I.
Re: [c-nsp] USB to Serial Converter recommendation
Youssef Bengelloun-Zahr yous...@720.fr wrote:
> Someone once told me that there is no such thing as a dummy question, so I am going to ask.
>
> Could anyone recommend a USB to Serial Converter that:
> - is compatible with Mac OS X,
> - is compatible with minicom (or else),
> *- knows how to send breaks (the must-have feature),*
>
> I have been stuck with this model that doesn't know how to send breaks, useless:
> http://www.trendnet.com/products/proddetail.asp?prod=150_TU-S9&cat=49
>
> I have been googling around but manufacturers' documentation is very detailed about their products' capabilities.
>
> Thanks for your feedback.

FTDI make some *very* nice cables (supports break):

http://apple.clickandbuild.com/cnb/shop/ftdichip?productID=54&op=catalogue-product_info-null&prodCategoryID=84

The TTL 3.3V 3.5mm 'headphone' plug ones are also nice for embedded projects, but that's getting off topic :)

Cheers

-- 
Alexander Clouter
.sigmonster says: Anything free is worth what you pay for it.
Re: [c-nsp] USB to Serial Converter recommendation
> - is compatible with Mac OS X,
> *- knows how to send breaks (the must-have feature),*

On OSX there's a great terminal emulator called ZTerm, written by Dave Alverson. It supports a nifty feature to send BREAK even when your hardware or drivers don't support it.

BREAK amounts to holding the TX pin high for longer than the duration of a character. It's not a character. It's more like a framing error. High voltage on the TX pin is a binary zero.

To send the unsupported BREAK, ZTerm briefly lowers the baud rate, then sends the ASCII NUL character (binary zero). The string of zero bits at (say) 300 baud looks exactly like BREAK to your 9600 baud router console. Works great!

As for choosing a USB dongle, I'm partial to anything with a PL2303 chip inside. These are well supported on lots of platforms, and can usually be had for almost nothing:

http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=350320547894

/chris
Re: [c-nsp] USB to Serial Converter recommendation
On Wed, 21 Apr 2010, Ziv Leyes wrote:
> And by the way, no matter the brand, they all seem to use the same Prolific PL2303 chip, no need to reinvent the wheel...
>
> Ziv

I have seen and used others...but the last time I went looking for several, they all seemed to use the PL2303 chip...and these will send a break. If you have one that doesn't, you can probably still use the baud rate trick to send something resembling a break. Assuming you're talking to a cisco device at 9600bps, set the baud rate in your term program to 1200, hit space a few times, then change back to 9600.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
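The baud-rate trick that chris (ZTerm) and Jon Lewis describe above, worked through as an added example that is not code from the thread: a small Python model of 8N1 bit timing that shows why a NUL at 300 baud or a space at 1200 baud reads as BREAK on a 9600-baud console, which bytes still work at which rates, and a send_soft_break routine that drives any pyserial-style port object. The FakePort stand-in, the helper names and the sample rates are assumptions made here, not anything from the thread.

```python
"""Model of the 'soft BREAK' trick: send a mostly-zero character at a lower
baud rate so the receiving UART sees its line held in the space state for
longer than one of its own character frames and reports a BREAK.

Added example, not code from the thread. Assumes 8N1 framing (one start bit,
eight data bits, one stop bit) on both ends. FakePort is a constructed
stand-in so the sequence can be exercised without hardware.
"""

FRAME_BITS = 10  # 8N1: start + 8 data + stop


def space_run_seconds(byte: int, baud: int) -> float:
    """Longest stretch, in seconds, that the TX line stays in the space state
    (logic 0) while one 8N1 character is sent at `baud`.

    The start bit is space, data bits go out LSB first, and the stop bit is
    mark (logic 1), so the run that matters is the start bit plus however
    many consecutive low-order zero bits the byte has.
    """
    bits = [0] + [(byte >> i) & 1 for i in range(8)] + [1]
    longest = run = 0
    for bit in bits:
        run = run + 1 if bit == 0 else 0
        longest = max(longest, run)
    return longest / baud


def frame_seconds(baud: int) -> float:
    """Duration of one complete 8N1 character frame at `baud`."""
    return FRAME_BITS / baud


def looks_like_break(byte: int, tx_baud: int, rx_baud: int) -> bool:
    """True when a receiver at rx_baud sees the character sent at tx_baud as
    BREAK: space for longer than a whole frame of its own, so no stop bit
    arrives where one is expected (a framing error)."""
    return space_run_seconds(byte, tx_baud) > frame_seconds(rx_baud)


def max_tx_baud_for_break(byte: int, rx_baud: int) -> float:
    """Highest TX rate (exclusive bound) at which `byte` still reads as BREAK
    at rx_baud. Derived from run_bits/tx > FRAME_BITS/rx."""
    run_bits = space_run_seconds(byte, 1)  # run length in bit-times
    return run_bits * rx_baud / FRAME_BITS


class FakePort:
    """Constructed stand-in for a pyserial serial.Serial object: records
    baud-rate changes and writes instead of touching hardware."""

    def __init__(self, baudrate: int):
        self.baudrate = baudrate
        self.log = []

    def write(self, data: bytes) -> int:
        self.log.append(("write", self.baudrate, data))
        return len(data)

    def flush(self) -> None:
        self.log.append(("flush", self.baudrate, b""))


def send_soft_break(port, console_baud: int, low_baud: int = 1200,
                    byte: bytes = b"\x00"):
    """Emulate BREAK on a port whose driver cannot generate one: drop the
    rate, send the byte, wait for it to leave the UART, restore the rate.
    `port` is any object with a settable .baudrate plus write()/flush()
    (pyserial's serial.Serial has exactly these). Refuses combinations the
    timing model says would not register as BREAK."""
    if not looks_like_break(byte[0], low_baud, console_baud):
        raise ValueError(
            f"{byte!r} at {low_baud} baud is too short to read as BREAK "
            f"at {console_baud} baud")
    port.baudrate = low_baud
    try:
        port.write(byte)
        port.flush()
    finally:
        port.baudrate = console_baud  # always put the console rate back
    return port


def demo():
    """Run the sequence against a FakePort wired as a 9600-baud console."""
    port = FakePort(9600)
    send_soft_break(port, 9600)
    return port.log, port.baudrate
```

With a real adapter you would pass a serial.Serial instance opened at the console rate instead of FakePort; the rate is restored in a finally block so a write error cannot leave the session stuck at 1200 baud. The model also explains Jon's space-character variant: 0x20 has five zero low-order bits, so start bit plus data give six bit-times of space, which at 1200 baud (5 ms) comfortably exceeds the 1.04 ms frame of a 9600-baud receiver.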
Re: [c-nsp] USB to Serial Converter recommendation
> I would recommend the ATEN UC232A (http://www.aten-usa.com/?productcat=795&Item=UC232A); I have used it every day without a problem for the last 5 years.

IOGear rebadges this as the GUC-232A. Works very well.
[c-nsp] non-cisco transceivers on A9K
Hello!

Could anybody on the list confirm that the service unsupported transceiver command and non-Cisco XFP modules are supported on the ASR9000 platform?

Thanks!

-- 
Dmitry Kiselev
[c-nsp] OT: Backup Software
Hi all,

I'm in search of a good centralized unified backup system for all our devices. If I said I have Cisco devices you'd all probably say rancid, but I have several different types of devices I need to back up and the way I access them varies from one to another.

So far we've been working with Kiwi and JasFTP, but I find them rather limited; perhaps I should take a look at their latest versions.

My problem is not with Cisco or Linux devices, which can all be accessed and backed up quite easily. I have some dumb devices that all they can do is receive a command to copy their config via tftp to a remote server. Nothing is wrong with that; the problem is this kind of backup is a passive task. I send the command to the device and I just wait for it to tftp to me, but what if the device fails to upload or uploads only a part of the file? I would like a more proactive system, one that can alert on this kind of failure.

I'd like you to share your experiences and suggestions. It can be either commercial or freeware software.

Thanks in advance,

Ziv
Re: [c-nsp] DMVPN scalability question on the 28XX ISR's
Like someone else said, if you don't have to run a dynamic routing protocol, then ODR or static would do wonders. In this case, a dual hub (loadshare/backup) for 1000+ spokes would be just fine. With EIGRP, you could safely do 500+ spokes per ASR.

A few years back, Cisco did some tests and found that only a few (2 or 3) nodes failed when they tried to bring up 500 tunnels at the same time on the 7206VXR platform, if I recall correctly. I've done 300+ spokes EIGRP on a 7206VXR before and never had any problem. A 2851 with an SSL-2 VPN card could push ~35M of DMVPN/IPsec traffic. Of course, if you do QoS, Zone Based Firewall, etc., any additional feature, then performance will degrade a lot.

What kind of software do you folks use to provision/manage bigger size DMVPN? Way back, I used Cisco IP Solution Center.

-Luan

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Engelhard
Sent: Monday, April 19, 2010 8:06 PM
To: rod...@cisco.com
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] DMVPN scalability question on the 28XX ISR's

> Any suggestion for 2000+ spokes with 4 headends? Headends will be ASR100x. We are thinking of putting a load balancer (ACE) in front of the ASRs to spread DMVPN traffic. Is it design-wise?
>
> Sent from my iPhone
>
> On 2010/04/19, at 23:28, Rodney Dunn rod...@cisco.com wrote:
>> My suggestion is to run code that supports dynamic BGP neighbors at the hub and run BGP over the mGRE to the spokes. ..or followed by EIGRP.
>>
>> Rodney
>>
>> On 4/18/10 7:14 AM, Anton Kapela wrote:
>>> On Apr 17, 2010, at 8:54 PM, Erik Witkop wrote:
>>>> We are considering DMVPN for a WAN network with (92) Cisco 870 remote routers and (2) Cisco 2851 headend routers. My concern is around the scalability of the 92 connections to each 2851. Assuming we have AIM modules in each 2851 router, do you think that would be sized properly.
>>>
>>> While you have a chance, it'd be wise to toss in as much DRAM as the 2851 can take. The reasons are many, but mostly you'll want plenty (i.e. 20+ megabytes) of free RAM to cover your needs during transient conditions -- i.e. when all the IPsec endpoints flap, time out, then re-establish, or perhaps when 400 OSPF spoke neighbors time out, flap, and re-establish. If memory serves, advipservices 12.4T and 15.0 on 28xx leaves a bit less than 100 megs free after booting (on a 256M box); expect another 20 to 30M consumed when you have protocols + IPsec endpoints + full config up and active. Probably safe with 256, but it's not worth risking a surprise reload (that more DRAM could have prevented).
>>>
>>> My overall experience using DMVPN (i.e. mGRE + IPsec tunnel protection) has been positive, and I find that usually boxes with AIM-VPN or SAs (on 7200s I've used the SA-VAM and its cousins) is the first 'wall' often hit -- i.e. the max number of concurrent crypto sessions is reached *well before* the platform maximum IDB limit is reached. This means the first thing you should investigate is how many sessions your installed AIM can support -- it may be far less than you expected, and less than you require.
>>>
>>> As for GRE and encaps processing on the 28xx, this seems to be nearly the same perf (without fragment processing considered) as native IP forwarding on the box. In practice, I see 80+ mbits usable (or 9 to 12 kpps) out of an 1841 doing GRE or IPIP encaps without crypto -- and a 2851 will usually push 100mbit+ doing the same. Again, the per-session crypto performance and max-session count will be determined by the AIM, so YMMV, etc.
>>>
>>> Generally, the Cisco guidelines for DMVPN are sane, and my experiences don't (so far) run counter to them. One definite wall that I'd recommend you find before deployment is how many protocol neighbors you can have up (i.e. OSPF, IS-IS, or EIGRP neighbors), flap, and re-establish in a timeframe you're happy with. That is to say, I highly recommend lab'ing up a config that emulates 100, 200, 300, etc. OSPF neighbor sessions between the 28xx's -- you'll want to know for certain that your routers can both support/hold up the number of neighbors you need, *and* recover in a timely fashion after they flap.
>>>
>>> So, while your platform may be more than adequate for your given WAN-facing bandwidth needs to the spoke sites, you may actually find that your 2851 CPU is underwhelming when endpoints flap/register/converge -- depending, again, on the scale you're taking things to.
>>>
>>> -Tk
Re: [c-nsp] OT: Backup Software
Ziv Leyes z...@gilat.net writes:
> I'm in search of a good centralized unified backup system for all our devices. If I said I have Cisco devices you'd all probably say rancid,

rancid can handle more than Cisco. Rule of thumb: if there is a command line interface you can probably use rancid for your config backups.

Jens
-- 
---------------------------------------------------------------------------
| Foelderichstr. 40   | 13595 Berlin, Germany    | +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@guug.de |                  |
---------------------------------------------------------------------------
Re: [c-nsp] Unicast traffic being sent to every port? Aging issue?
Replying to an old thread...

I'm seeing a very similar situation caused not by ZFS but by a dual-switch model resulting in one switch never seeing the frames that come in over the other, since their least-cost routing hop is on the same switch. We've tuned our CAM and ARP timeouts to prevent this normally, but spanning-tree events/TCNs put all of those CAM entries into a fast-aging queue, which results in traffic to each host flooding until the ARP entry times out. Clearing the ARP table manually is a fix, but not exactly without its own impact.

However, while researching the issue I found this paragraph in Cisco's docs:

  Note: In MSFC IOS, there is an optimization that will trigger VLAN interfaces to repopulate their ARP tables when there is a TCN in the respective VLAN. This limits flooding in case of TCNs, as there will be an ARP broadcast and the host MAC address will be relearned as the hosts reply to ARP.

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00801d0808.shtml#cause2

Given that the switches in question are Cat6Ks running SX code, any reason the above might either not be working or not helping us even if it is? Is there a command needed to enable this optimization?

Thanks,

-C

On Mar 23, 2010, at 4:12 PM, Gert Doering wrote:
> Hi,
>
> On Mon, Mar 22, 2010 at 07:03:36PM -0700, Ray Van Dolson wrote:
>> What's happening is, esx1/2 begin talking to zfs1. All is well for a while... but at some point, zfs1's MAC address expires from the CAM on the switch (I guess that is what is happening).
>
> If zfs is only receiving packets, yes, that's likely to happen.
>
> What we do is easy: install something like rwhod that broadcasts a single packet every minute. Make sure all CAM tables are always up to date.
>
> gert
> -- 
> USENET is *not* the non-clickable part of WWW!                         //www.muc.de/~gert/
> Gert Doering - Munich, Germany                             g...@greenie.muc.de
> fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
Re: [c-nsp] non-cisco transceivers on A9K
Command accepted in 3.9.0 but did not confirm the laser actually worked.

Randy

On Wed, Apr 21, 2010 at 5:47 AM, Dmitry Kiselev dmi...@dmitry.net wrote:
> Hello!
>
> Could anybody in the list confirm that "service unsupported transceiver"
> command and non-Cisco XFP modules are supported on ASR9000 platform?
>
> Thanks!
>
> --
> Dmitry Kiselev
Re: [c-nsp] Unicast traffic being sent to every port? Aging issue?
Hi,

On Wed, Apr 21, 2010 at 10:05:29AM -0400, Chris Woodfield wrote:
> However, while researching the issue I found this paragraph in Cisco's
> docs:
>
>   Note: In MSFC IOS, there is an optimization that will trigger VLAN
>   interfaces to repopulate their ARP tables when there is a TCN in the
>   respective VLAN. This limits flooding in case of TCNs, as there will be
>   an ARP broadcast and the host MAC address will be relearned as the hosts
>   reply to ARP.

...if there is a TCN. TCN = Topology Change Notice, so unless a port is
causing a spanning-tree event, there won't be any TCNs - no rebroadcasting.

You don't want gratuitous TCNs :-)

gert
--
USENET is *not* the non-clickable part of WWW!
                                                   //www.muc.de/~gert/
Gert Doering - Munich, Germany                      g...@greenie.muc.de
fax: +49-89-35655025                 g...@net.informatik.tu-muenchen.de
Re: [c-nsp] Unicast traffic being sent to every port? Aging issue?
You're right, we don't, but they're not *completely* unavoidable... :)

-C

On Apr 21, 2010, at 10:38 AM, Gert Doering wrote:

> Hi,
>
> On Wed, Apr 21, 2010 at 10:05:29AM -0400, Chris Woodfield wrote:
>> However, while researching the issue I found this paragraph in Cisco's
>> docs:
>>
>>   Note: In MSFC IOS, there is an optimization that will trigger VLAN
>>   interfaces to repopulate their ARP tables when there is a TCN in the
>>   respective VLAN. This limits flooding in case of TCNs, as there will be
>>   an ARP broadcast and the host MAC address will be relearned as the
>>   hosts reply to ARP.
>
> ...if there is a TCN. TCN = Topology Change Notice, so unless a port is
> causing a spanning-tree event, there won't be any TCNs - no
> rebroadcasting.
>
> You don't want gratuitous TCNs :-)
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
>                                                    //www.muc.de/~gert/
> Gert Doering - Munich, Germany                      g...@greenie.muc.de
> fax: +49-89-35655025                 g...@net.informatik.tu-muenchen.de
Re: [c-nsp] USB to Serial Converter recommendation
On Wed, Apr 21, 2010 at 10:15:43AM +0200, Youssef Bengelloun-Zahr wrote:
> Hello List,
>
> Someone once told me that there is no such thing as dummy question so I
> am going to ask.
>
> Could anyone recommend a USB to Serial Converter that :
>
> - is compatible Mac OS X,
> - is compatible with minicom (or else),
> *- knows how to send breaks (the must have feature),*

http://www.amazon.com/gp/product/B000II9OR4/ref=wms_ohs_product

is my favorite by far, it uses generic USB profiles so it works out of the
box with every OS I've tried, no drivers required, no grief on x64 OS, etc.
Never leave home without one. :)

--
Richard A Steenbergen r...@e-gerbil.net       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
Re: [c-nsp] 6500 line card mounted cable management bars (??)
copper cards. Lots of modular solutions, cable assemblies, patch panels,
available. Panduit makes cable assemblies for this purpose. Might not be
exactly what the OP was looking for, but it may help.

http://bit.ly/bT6Nfd
[c-nsp] Cisco Security Advisory: Cisco Small Business Video Surveillance Cameras and Cisco 4-Port Gigabit Security Routers Authentication Bypass Vulnerability
Cisco Security Advisory: Cisco Small Business Video Surveillance Cameras and
Cisco 4-Port Gigabit Security Routers Authentication Bypass Vulnerability

Advisory ID: cisco-sa-20100421-vsc

http://www.cisco.com/warp/public/707/cisco-sa-20100421-vsc.shtml

Revision 1.0

For Public Release 2010 APR 21 1600 UTC (GMT)

Summary
=======

Cisco Small Business Video Surveillance Cameras and Cisco RVS4000 4-port
Gigabit Security Routers contain a vulnerability that could allow an
authenticated user to view passwords for other users, regardless of the
authenticated user's level of authorization. An unprivileged user could take
advantage of this vulnerability to gain full administrative access on the
device or view another user's credentials.

Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available on some devices.

This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20100421-vsc.shtml.

Affected Products
=================

Vulnerable Products
+------------------

This vulnerability affects the Cisco RVS4000 4-port Gigabit Security Router
and all Cisco Small Business Video Surveillance Cameras, except for the
Cisco PVC300 Pan Tilt Optical Zoom Camera. These cameras are affected:

  * Cisco PVC2300 Business Internet Video Camera - Audio/PoE
  * Cisco WVC200 Wireless-G PTZ Internet Video Camera - Audio
  * Cisco WVC210 Wireless-G PTZ Internet Video Camera - 2-way Audio
  * Cisco WVC2300 Wireless-G Business Internet Video Camera - Audio

Products Confirmed Not Vulnerable
+--------------------------------

The Cisco PVC300 Pan Tilt Optical Zoom Camera and Cisco Small Business
cameras are not affected by this vulnerability.

No other Cisco cameras or products are currently known to be affected by
this vulnerability.

Details
=======

Cisco Small Business Video Surveillance Cameras are a component of
network-based, physical security solutions. More information on the
surveillance cameras can be found at this link:
http://www.cisco.com/cisco/web/solutions/small_business/products/security/small_business_video_surveillance_cameras/index.html

The Small Business Video Surveillance Cameras are connected to an IP
network and are remotely accessible for both surveillance and device
management. An administrator can restrict a user's ability to manage the
device, allowing the user to employ the camera for surveillance only.

The Cisco RVS4000 Gigabit Security Router delivers high-speed network access
and IPsec VPN capabilities for as many as five users. The Cisco RVS4000 also
provides firewall and intrusion prevention capabilities. More information on
the Cisco RVS4000 Gigabit Security Router can be found at this link:
http://www.cisco.com/en/US/products/ps9928/index.html

A user on the PVC2300 and WVC2300 cameras can use a specifically crafted URL
to bypass any restrictions that are configured to prevent the device
configuration from being viewed. The user could then view the passwords for
all users on the device.

A user on the WVC200 and WVC210 camera must have been granted setup
privileges to take advantage of this vulnerability to view the passwords.
The ability to configure setup privileges is not available on the other
devices affected by this vulnerability.

Administrative users on the RVS4000 router may be able to view the passwords
of other administrative users.

This vulnerability is documented in Cisco bug ID CSCte64726 and has been
assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-0593.

Vulnerability Scoring Details
+----------------------------

Cisco has provided scores for the vulnerability in this advisory based on
the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this
Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity
and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute
environmental scores to assist in determining the impact of the
vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental
impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss

* CSCte64726 (Unprivileged users may be able to view passwords for other
  users)

  CVSS Base Score - 9.0
    Access Vector          - Network
    Access Complexity      - Low
    Authentication         - Single
    Confidentiality Impact - Complete
    Integrity Impact       - Complete
    Availability Impact    - Complete

  CVSS Temporal Score - 7.4
    Exploitability         - Functional
    Remediation Level
Re: [c-nsp] DMVPN scalability question on the 28XX ISR's
On Wed, 21 Apr 2010 06:35:37 -0700, Luan Nguyen l...@netcraftsmen.net wrote:
> In this case, a dual hub (loadshare/backup) for 1000+ spokes would be
> just fine.

Single-hub, dual-cloud scales and performs and converges better than
dual-hub, single-cloud and are not even recommended by Cisco. Therefore, I
would stick to the dynamic routing protocol approach.

--
Octavio.
Re: [c-nsp] DMVPN scalability question on the 28XX ISR's
We are using a laptop running Windows XP and FTP server from 3Com 3CDaemon,
connected to the cable modem - 10k CMTS - Cisco 3650 switch - Dell PowerEdge
server running Ubuntu Server. I connect to the servers using ssh and from
the shell I ftp to the laptop, doing command line puts and gets using ftpd.

Buddy

On Wed, 2010-04-21 at 11:03 -0700, Octavio Alvarez wrote:
> On Wed, 21 Apr 2010 06:35:37 -0700, Luan Nguyen l...@netcraftsmen.net
> wrote:
>> In this case, a dual hub (loadshare/backup) for 1000+ spokes would be
>> just fine.
>
> Single-hub, dual-cloud scales and performs and converges better than
> dual-hub, single-cloud and are not even recommended by Cisco. Therefore,
> I would stick to the dynamic routing protocol approach.
Re: [c-nsp] DMVPN scalability question on the 28XX ISR's
I wouldn't say not recommended by Cisco though. The DMVPN design guide is
pretty old (2008):
http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPN_3.html

I wish that Cisco would update that with ASR and ISR2 information and design
guidance. That's a very good document and the performance numbers are quite
accurate.

When I first worked with DMVPN, most of the designs were dual hubs, dual
cloud with EIGRP. I was tempted with BGP as well, but mostly in a lab
environment since operation folks didn't want to support it. Today, I
believe the drive is toward single cloud, with tier layered...etc. I am
using single cloud DMVPN design for a 3 hubs spoke-to-spoke TLS network with
EIGRP and it has been working great. Then again, the number of spokes is
way < 2000.

-Luan

-----Original Message-----
From: Octavio Alvarez [mailto:alvar...@alvarezp.ods.org]
Sent: Wednesday, April 21, 2010 2:04 PM
To: Luan Nguyen; 'Engelhard'; rod...@cisco.com; Erik Witkop
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] DMVPN scalability question on the 28XX ISR's

On Wed, 21 Apr 2010 06:35:37 -0700, Luan Nguyen l...@netcraftsmen.net wrote:
> In this case, a dual hub (loadshare/backup) for 1000+ spokes would be
> just fine.

Single-hub, dual-cloud scales and performs and converges better than
dual-hub, single-cloud and are not even recommended by Cisco. Therefore, I
would stick to the dynamic routing protocol approach.

--
Octavio.
[c-nsp] Radius Accounting Question
Hi there..

On a 7206VXR with the following radius configuration, do the accounting
packets get delivered to all radius servers or is it something else like
round robin? I'm trying to troubleshoot an issue where accounting packets
are not showing up where expected all the time... in particular I want all
accounting packets to be delivered to .123 below...

aaa group server radius
 server-private xxx.xxx.xx.28 auth-port 1812 acct-port 1813 key x
 server-private xxx.xxx.xx.13 auth-port 1645 acct-port 1646 key x
 server-private xxx.xxx.xx.216 auth-port 1812 acct-port 1813 key xxx
 server-private xx.xxx.xx.123 auth-port 0 acct-port 1813 key xxx
ip radius source-interface Loopback0

Thanks,

Paul
Re: [c-nsp] OT: Backup Software
Has anyone tried zip-tools for this type of thing?

On 4/21/10, Jens Link li...@quux.de wrote:
> Ziv Leyes z...@gilat.net writes:
>
>> I'm in search for a good centralized unified backup system for all our
>> devices. If I said I have cisco devices you'd all probably say rancid,
>
> rancid can handle more than Cisco. Rule of thumb: If there is a command
> line interface you probably can use rancid for your config backups.
>
> Jens
> --
> | Foelderichstr. 40   | 13595 Berlin, Germany     | +49-151-18721264 |
> | http://blog.quux.de | jabber: jensl...@guug.de  |                  |
Re: [c-nsp] DMVPN scalability question on the 28XX ISR's
For managing DMVPN, we are testing with a new product from Cisco which is
Cisco Security Manager. Does anyone have experience with this? This software
is part of Cisco Virtual Office solution.

What kind of software do you folks use to provision/manage bigger size
DMVPN? Way back, I used Cisco IP Solution Center.

-Luan

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Engelhard
Sent: Monday, April 19, 2010 8:06 PM
To: rod...@cisco.com
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] DMVPN scalability question on the 28XX ISR's

Any suggestion for 2000+ spokes with 4 headends? Headends will be ASR100x.
We think to put Loadbalancer (ACE) in front of ASR to spread DMVPN traffic.
Is it design wise?

Sent from my iPhone

On 2010/04/19, at 23:28, Rodney Dunn rod...@cisco.com wrote:

> My suggestion is to run code that support dynamic BGP neighbors at the
> hub and run BGP over the mGRE to the spokes.
>
> ..or followed by EIGRP.
>
> Rodney
>
> On 4/18/10 7:14 AM, Anton Kapela wrote:
>> On Apr 17, 2010, at 8:54 PM, Erik Witkop wrote:
>>> We are considering DMVPN for a WAN network with (92) Cisco 870 remote
>>> routers and (2) Cisco 2851 headend routers. My concern is around the
>>> scalability of the 92 connections to each 2851. Assuming we have AIM
>>> modules in each 2851 router, do you think that would be sized properly.
>>
>> While you have a chance, it'd be wise to toss in as much DRAM as the
>> 2851 can take. The reasons are many, but mostly you'll want plenty (i.e.
>> 20+ megabytes) of free ram to cover your needs during transient
>> conditions -- i.e. when all the ipsec endpoints flap, timeout, then
>> re-establish, or perhaps when 400 ospf spoke neighbors timeout, flap,
>> and re-establish. If memory serves, advipservices 12.4t and 15.0 on 28xx
>> leaves a bit less than 100 megs free after booting (on a 256m box);
>> expect another 20 to 30m consumed when you have protocols + ipsec
>> endpoints + full config up and active. Probably safe with 256, but it's
>> not worth risking a surprise reload (that more dram could have
>> prevented).
>>
>> My overall experience using DMVPN (i.e. mGRE + ipsec tunnel protection)
>> has been positive, and I find that usually boxes with AIM-VPN or SA's
>> (on 7200's I've used the SA-VAM and its cousins) is the first 'wall'
>> often hit -- i.e. max number of concurrent crypto sessions is reached
>> *well before* the platform maximum IDB limit is reached. This means the
>> first thing you should investigate is how many sessions your installed
>> AIM can support -- it may be far less than you expected, and less than
>> you require.
>>
>> As for GRE and encaps processing on the 28xx, this seems to be nearly
>> the same perf (without fragment processing considered) as native IP
>> forwarding on the box. In practice, I see 80+ mbits usable (or 9 to 12
>> kpps) out of an 1841 doing GRE or IPIP encaps without crypto -- and 2851
>> will usually push 100mbit+ doing same. Again, the per-session crypto
>> performance and max-session count will be determined by the AIM, so
>> YMMV, etc.
>>
>> Generally, the Cisco guidelines for DMVPN are sane, and my experiences
>> don't (so far) run counter to them. One definite wall that I'd recommend
>> you find before deployment is how many protocol neighbors you can have
>> up (i.e. ospf, isis, or eigrp neighbors), flap, and re-establish in a
>> timeframe you're happy with. That is to say, I highly recommend lab'ing
>> up a config that emulates 100, 200, 300, etc OSPF neighbor sessions
>> between the 28xx's -- you'll want to know for certain that your routers
>> can both support/hold up the number of neighbors you need, *and* recover
>> in a timely fashion after they flap.
>>
>> So, while your platform may be more than adequate for your given
>> WAN-facing bandwidth needs to the spoke sites, you may actually find
>> that your 2851 cpu is under-whelming when endpoints flap/register/
>> converge -- depending, again, on the scale you're taking things to.
>>
>> -Tk
Re: [c-nsp] Radius Accounting Question
We use accounting to start/stop an internet filtering service for customers
who've signed up, and we've not had an issue with RADIUS accounting. We
added "aaa accounting update periodic 480 jitter maximum 600" to help catch
any hiccups on the internet filtering device if it loses state on a
connection.

In our virtual template we have "ppp authentication xxx radius-group-aaa"
defined, which depends on the following:

aaa group server radius radius-group
 server-private a.b.0.36 auth-port 1645 acct-port 1646 key 7 <snip>
 server-private a.b.0.37 auth-port 1645 acct-port 1646 key 7 <snip>
 load-balance method least-outstanding
!
aaa authentication ppp default group radius-group
aaa authentication ppp radius-group-aaa group radius-group
aaa authorization network default group radius-group
aaa authorization network radius-group-aaa group radius-group
aaa accounting delay-start all
aaa accounting update periodic 480 jitter maximum 600
aaa accounting network default start-stop group radius-group
aaa accounting network radius-group-aaa start-stop group radius-group

We're running 12.2(31)SB16.

Frank

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Paul Stewart
Sent: Wednesday, April 21, 2010 5:25 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Radius Accounting Question

Hi there..

On a 7206VXR with the following radius configuration, do the accounting
packets get delivered to all radius servers or is it something else like
round robin? I'm trying to troubleshoot an issue where accounting packets
are not showing up where expected all the time... in particular I want all
accounting packets to be delivered to .123 below...

aaa group server radius
 server-private xxx.xxx.xx.28 auth-port 1812 acct-port 1813 key x
 server-private xxx.xxx.xx.13 auth-port 1645 acct-port 1646 key x
 server-private xxx.xxx.xx.216 auth-port 1812 acct-port 1813 key xxx
 server-private xx.xxx.xx.123 auth-port 0 acct-port 1813 key xxx
ip radius source-interface Loopback0

Thanks,

Paul
Re: [c-nsp] Radius Accounting Question
On 22 April 2010 10:24, Paul Stewart p...@paulstewart.org wrote:
> Hi there..
>
> On a 7206VXR with the following radius configuration, do the accounting
> packets get delivered to all radius servers or is it something else like
> round robin? I'm trying to troubleshoot an issue where accounting packets
> are not showing up where expected all the time... in particular I want
> all accounting packets to be delivered to .123 below...

The default depends on the software version. It can be either a 'fail-over'
setup (i.e. all packets are sent to the first one, if it stops replying to
the next one, etc) or load-balance, where packets are distributed in
round-robin fashion between the servers. In neither case does any individual
server get all of the packets.

If you want a particular server to receive all of the packets I would
suggest looking at getting the active server to clone the packets and send
them to .213.

kind regards

Pshem
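An added example (not from the thread) of the cloning step Pshem suggests: whichever server is active cannot simply re-emit the NAS's datagram, because the Accounting-Request authenticator covers the shared secret, so the copy has to be re-signed with the secondary server's secret after the original has been verified. Everything here is constructed; the secrets, identifier and attribute values are made up, and the destination address is whatever stands in for the poster's .123 server.

```python
import hashlib
import hmac
import socket
import struct

ACCOUNTING_REQUEST = 4      # RADIUS packet code (RFC 2866)
ATTR_USER_NAME = 1
ATTR_ACCT_STATUS_TYPE = 40  # value 1 = Start, 2 = Stop, 3 = Interim-Update
HEADER_LEN = 20             # code(1) + identifier(1) + length(2) + authenticator(16)


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS type/length/value triples."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def parse_attrs(pkt):
    """Walk the attribute area after the header, rejecting bad lengths."""
    attrs, i = [], HEADER_LEN
    while i < len(pkt):
        if i + 2 > len(pkt):
            raise ValueError("truncated attribute header")
        atype, alen = pkt[i], pkt[i + 1]
        if alen < 2 or i + alen > len(pkt):
            raise ValueError("bad attribute length")
        attrs.append((atype, pkt[i + 2:i + alen]))
        i += alen
    return attrs


def sign(code, identifier, body, secret):
    """Request Authenticator = MD5(code+id+length + 16 zero bytes + attrs + secret)."""
    head = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body))
    auth = hashlib.md5(head + b"\x00" * 16 + body + secret).digest()
    return head + auth + body


def build_acct_request(identifier, attrs, secret):
    return sign(ACCOUNTING_REQUEST, identifier, encode_attrs(attrs), secret)


def verify_acct_request(pkt, secret):
    """True only for a well-formed Accounting-Request signed with `secret`."""
    if len(pkt) < HEADER_LEN:
        return False
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCOUNTING_REQUEST or length != len(pkt):
        return False
    try:
        parse_attrs(pkt)          # structural check before the MAC check
    except ValueError:
        return False
    expected = hashlib.md5(pkt[:4] + b"\x00" * 16 + pkt[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:HEADER_LEN])


def clone_for_secondary(pkt, nas_secret, secondary_secret):
    """Re-sign a verified NAS packet for a server with a different secret."""
    if not verify_acct_request(pkt, nas_secret):
        return None               # never forward something we could not verify
    code, identifier, _length = struct.unpack("!BBH", pkt[:4])
    return sign(code, identifier, pkt[HEADER_LEN:], secondary_secret)


def send_clone(pkt, secondary_addr, timeout=2.0):
    """Deliver the clone over UDP; the Accounting-Response is consumed here."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(pkt, secondary_addr)
        try:
            return sock.recv(4096)
        except socket.timeout:
            return None


if __name__ == "__main__":
    # Constructed sample Start record; user, identifier and secrets are made up.
    sample = build_acct_request(7, [
        (ATTR_USER_NAME, b"user@example.net"),
        (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", 1)),
    ], b"nas-secret")
    clone = clone_for_secondary(sample, b"nas-secret", b"secondary-secret")
    print(verify_acct_request(clone, b"secondary-secret"), parse_attrs(clone))
```

To actually forward, call send_clone(clone, (host, 1813)) with the secondary server's address; the NAS never sees that server's response, so it keeps retransmitting only against the primary.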
[c-nsp] Load balance IPSec with Cisco ACE
Does anyone know if Cisco ACE can loadbalance IPSec protocol? Docs on Cisco
said that ACE is only able to loadbalance TCP/UDP/SIP/SSL/Firewall but
doesn't mention specifically about IPSec.

Appreciate any info
[c-nsp] IOS 15.1 and 'inspect' rule (zone-based firewall)
Hi all,

I couldn't find explanation to this oddity on TAC, I would appreciate some
help.

I'm running (migrating to) 15.1 on Cisco 2821 router. The router configured
with zone-based firewall. The config has following lines:

--
...
parameter-map type inspect audit
 audit-trail on
 alert off
...
class-map type inspect match-all cls_10.0.128.0
 match access-group name acl_10.0.128.0
...
policy-map type inspect pol-OutsideToDMZ
 class type inspect cls_10.0.128.0
  inspect audit
 class class-default
  drop log
...
ip access-list extended acl_10.0.128.0
 permit ip 10.0.128.0 0.0.15.255 10.0.80.0 0.0.0.255
...
--

The way I'm reading it is that class-map is configured with named ACL. Then
the class-map is applied to policy-map with action 'inspect'. There's no
protocol specified thus all protocols should be inspected (this is what I
want).

Here is the problem. When router is booting up the following message appears
on the console:

%No specific protocol or access-group configured in class cls_10.0.128.0 for inspection. All packets will be dropped

IMO this is not correct: there's ACL configured in class-map. Before (in
12.4) this message was different -- it was about no protocols specified, all
protocols will be inspected.

Has something changed in the way ZBF behaves in 15.x? And is it documented
anywhere? I was not able to find the information.

Any help is appreciated!

Thank you!

--
Ivan Poddubnyy
Sr. Systems Administrator
Symantec Corporation / EHG
Re: [c-nsp] USB to Serial Converter recommendation
On Wed, Apr 21, 2010 at 09:14:37AM -0400, Jon Lewis wrote:
> On Wed, 21 Apr 2010, Ziv Leyes wrote:
>> And by the way, no matter the brand, they all seem to use the same
>> Prolific PL2303 chip, no need to reinvent the wheel...
>> Ziv
>
> I have seen and used others...but the last time I went looking for
> several, they all seemed to use the PL2303 chip...and these will send a
> break. If you have one that doesn't, you can probably still use the baud
> rate trick to send something resembling a break. Assuming you're talking
> to a cisco device at 9600bps, set the baud rate in your term program to
> 1200, hit space a few times, then change back to 9600.

The original PL2303 driver for OSX did NOT support sending break. They
updated it at some point years past the original release. The opensource
driver also supported break just fine.

Perhaps the OP's driver disk was including one of the really old versions?
(assuming his Trendnet device is really a PL2303 chip). It's not like
vendors take care of shipping the latest driver or anything. Even 6-8 year
old versions..

+1 on Keyspan as well.