[c-nsp] Compressed IPv6 ACLs on Cat6500
Hi,

We are just implementing IPv6 in our network. As we are operating Cisco 6500/Sup720, we also have to configure some IPv6 ACLs on these devices. In the ACLs we need to match TCP/UDP port numbers, so we will use 'mls ipv6 acl compress address unicast' mode (only 112 bits of the IPv6 address field are matched).

My question is: after enabling 'ipv6 acl compress', can I use 112 addresses (e.g. single hosts, /128) in IPv6 ACL lines which don't have port numbers? For example:

ipv6 access-list test
 10 permit ip any :::::3::/128
 20 permit tcp any :::::3::/112 eq 22

Will line '10' work properly, or will it match the /112 subnet instead of the /128?

Robert

___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Compressed IPv6 ACLs on Cat6500
The bits that are ignored are a little higher up:

:::::33xx:xx33:

The rules are a bit more complicated than that, as those bits are fixed in EUI-64 addresses. A different set of bits is lost if the upper 64 bits are zero. So you only lose those bits when a statically configured IP is used. Additionally, those bits are only ignored in hardware; the response in software will be different.

The assumption is that if you are manually assigning addresses, then you are using something less than 256 trillion hosts per VLAN and can live with losing those bits. The VLAN boundary is arbitrarily designed to be a /64, so if you are assigning a /112 you should still reserve the full /64 in case you need more hosts.

Mack McBride
Network Architect
[c-nsp] L2TPv3 question
We tried to make a pseudowire yesterday with the following setup:

Side A has a certain device connected to a C3750 switch on port 19. Port 20 on the C3750 switch is set as a trunk and is connected to a C7200VXR router, port g0/1. The xconnect is done on subinterface G0/1.200 (VLAN 200, dot1q encapsulation).

The other end of the xconnect is a C2811 router on port f0/0, while its f0/1 port is connected to the device that needs to communicate with the device on the other end of the tunnel.

It didn't work, and my colleague suspects it's because one side is tagged as a VLAN while the other is not.

Is there a way to make it work given the above-mentioned setup?

Thanks,
Ziv
Re: [c-nsp] L2TPv3 question
Not sure I understand your answer, Jefri...

-----Original Message-----
From: je...@grid.ui.edu
Sent: Wednesday, December 08, 2010 3:13 PM
To: Ziv Leyes; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] L2TPv3 question

> You have to create interworking ip; it's available in the pseudowire configuration.
[c-nsp] L2L VPN with NATed IP
Dear Experts!

I need to configure L2L VPNs to different clients. I have built the VPNs under a single crypto map, but an issue has come up. One of my clients requires me to NAT my inside network to my public address, as he has also NATed his inside network to his public address. How do I accomplish this?

I basically need to NAT my inside 10.10.x.x network to 193.32.x.x for the client. My client NATs his inside 172.10.x.x network to 173.32.x.x for me. On my side I have a Cisco IOS router, and on my client's side they have a Cisco PIX.

My tunnel is up, but I can't reach my inside network, and the same on the remote side. My IPsec log ('sh crypto ipsec sa peer 173.32.x.x') shows packets encrypted and decrypted. I assume my NAT and ACL are working well, but tunnel traffic is still not reachable from either side.

Is there any way to make this scenario work for my customer? I'd be grateful if anyone can provide suggestions and support; it would be a great help.

Thank You
FourPros
[c-nsp] ISG with DHCP Option 82 sessions
Greetings,

I'm looking to roll out a GPON deployment using the ISG as our BRAS with DHCP-based sessions, but we are experiencing some problems with session restart. We're using an external DHCP server and RADIUS.

Sessions come up fine the first time, but if there is an existing session and the CPE node is rebooted, the session gets stuck. To clear the session we turn off the CPE device, clear the state in the GPON shelf and wait for more than 5 minutes. Some debugging shows the SG-DPM process thinking there is an existing DHCP lease, which seems to clear out after five minutes of silence. I'd like to get this five minutes down to something in the less-than-60-seconds range. Anybody know of any knobs to tweak this? Or is this normal behavior?

Dec 2 12:49:19.642 EST: SG-DPM: getting the context for mac_address = 0024.c823.7322
Dec 2 12:49:19.642 EST: SG-DPM: input override for mac_address = 0024.c823.7322
Dec 2 12:49:19.642 EST: SG-DPM: null input interface from dhcp,returning access interface GigabitEthernet0/3.300
Dec 2 12:49:19.642 EST: SG-DPM: DHCP Offer notification from client, mac_address = 0024.c823.7322
Dec 2 12:49:19.642 EST: SG-DPM: getting the context for mac_address = 0024.c823.7322
Dec 2 12:49:19.642 EST: SG-DPM: Aborting update. IP address: 10.2.2.162 hasn't changed

Running 12.2(31)SB19 with the following config snippet:

aaa authorization subscriber-service USER_LOGON group radius
!
policy-map type control USER
 class type control always event session-start
  20 authorize aaa list USER_LOGON password blablabla identifier circuit-id
  30 service disconnect
!
interface GigabitEthernet0/3.300
 encapsulation dot1Q 300
 ip dhcp relay information trusted
 ip address 10.1.1.1 255.255.255.224
 ip helper-address 10.10.10.10
 no cdp enable
 service-policy type control USER
 ip subscriber l2-connected
  initiator dhcp

-Steve S.
Re: [c-nsp] L2TPv3 question
On 08/12/2010 14:00, Ziv Leyes wrote:
> We tried to make a pseudowire yesterday with the following setup:
> [...]
> It didn't work and my colleague suspects it's because one side is tagged as a VLAN while the other is not.
> Is there a way to make it work given the above-mentioned setup?

Hi,

I only read quickly, but be aware of MTU problems on this kind of setup. The L2TPv3 session will not come up between a dot1q interface and a native one.

Best regards,

--
Christophe Lucas - Network Engineer - c.lu...@infosat-telecom.fr
Re: [c-nsp] IOS DHCP Server - dynamic and static in one subnet
Since you mentioned one subnet with static allocations from a portion of that subnet, I assume that you don't want the DHCP server handing out your static allocations. You can configure exclusions (i.e. don't give out these addresses) with 'ip dhcp excluded-address'.

Vijay Ramcharan

-----Original Message-----
From: Artyom Viklenko
Sent: Wednesday, December 08, 2010 2:09 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] IOS DHCP Server - dynamic and static in one subnet

> Hi, List!
>
> I'm trying to figure out how to achieve the following. Let's say we have one subnet, e.g. x.y.z.192/27. I would like to use DHCP in it, but also have static mappings for some portion of the address space from this subnet.
>
> I've created a DHCP pool with a 'network' statement. So far so good; all works as expected. Now I have put a text file on a TFTP server and created another pool with an 'origin' statement. But client PCs still get their IP assigned from the first DHCP pool.
>
> ip dhcp pool test-pool
>  network x.y.z.192 255.255.255.224
>  default-router x.y.z.193
>  dns-server 1.2.3.4 5.6.7.8
>  domain-name test.domain.tld
>  lease 0 12
> !
> ip dhcp pool test-static-pool
>  origin file tftp://t.t.t.t/test-static-pool
>  default-router x.y.z.193
>  dns-server 1.2.3.4 5.6.7.8
>  domain-name test.domain.tld
>  lease 0 12
> !
>
> What's wrong with this config? Is it possible with the IOS DHCP server at all? Please give me some hints.
>
> Thanks in advance!
>
> --
> Sincerely yours,
> Artyom Viklenko.
Re: [c-nsp] ASR 1006 L2TP Tunnel Switching to himself
Alexey Lapkis wrote:
> Hi,
>
> I am wondering if it is possible to configure the ASR 1006 to perform L2TP tunnel switching to itself. I mean that both authentication processes (RADIUS) take place on the same ASR 1006, but from different loopback addresses. I tried to configure it, but it does not work.

What are you trying to achieve with this?

Dave.
[c-nsp] ASA55xx | DNS Maximum message
We experienced an odd issue recently where queries to a .gov site were timing out. Upon further investigation (packet captures, etc.), we noticed that the return packet was fragmented and 1514 bytes. I increased the default value in:

policy-map type inspect dns pol_name
 parameters
  message-length maximum xxx

This seems to fix my issues with that particular .gov site. My question is: has the recent signing of DNS zones on certain .gov name hosts affected the packet size, and will this be an ongoing issue for folks running ASAs with the default inspect parameters?

Thank you,

-b

--
Bill Blackford
Senior Network Engineer
Technology Systems Group
Northwest Regional ESD

Logged into reality and abusing my sudo privileges
Re: [c-nsp] ASA55xx | DNS Maximum message
Bill,

The default used to be 512; with the EDNS changes, it should be set to 4096 to avoid issues.

-ryan
Re: [c-nsp] ASA55xx | DNS Maximum message
One more point:

One set of ASAs places the 'maximum' *before* 'client auto'. This set is exhibiting the odd behavior. The other set of ASAs places it *after*. This set is running a newer code rev., and the odd behavior is not reproducible. Someone offered 'client auto' off-list as a fix as well.

-b
Re: [c-nsp] ASA55xx | DNS Maximum message
Hi Bill,

The change (tracked by CSCta35563) re-ordered the 'message-length maximum client auto' command and also enabled it by default in the preset and migrated dns_map. This change went into versions 8.3(1), 8.2(2), 8.1(2.37), 8.0(5.2) and 7.2(5).

Sincerely,

David.
[c-nsp] ME Series for a LAN/Server Farm
I know from previous conversations that the architecture, as well as some of the defaults, for the ME series are different from the traditional switching platforms. I was curious whether there were any reasons why I shouldn't use them in a vanilla switching environment such as a LAN or a server farm. I need to do fiber aggregation, and I haven't been able to find any Cisco platform that will allow me to create an all-1G fiber stack with dual power. I was curious whether anyone had experience using these as just normal switching platforms.
Re: [c-nsp] ASA55xx | DNS Maximum message
David,

> The change (tracked by CSCta35563) re-ordered the message-length maximum client auto command and also enabled it by default in the preset and migrated dns_map.

Will new-shipment ASAs have this as the default now? Will upgrades apply 'maximum client auto' as well?

-ryan
Re: [c-nsp] ASA55xx | DNS Maximum message
Ryan West wrote:
> David,
>
>> The change (tracked by CSCta35563) re-ordered the message-length maximum client auto command and also enabled it by default in the preset and migrated dns_map. This change went into Versions: 8.3(1), 8.2(2), 8.1(2.37), 8.0(5.2), 7.2(5)
>
> Will new-shipment ASAs have this as the default now?

As long as they are running one of the above versions, then yes, as the change is in the default preset dns-map.

> Will upgrades apply 'maximum client auto' as well?

As long as the upgrade is to one of the minimum versions above, then yes. I think the only case where the change would not be applied is if you have a custom dns-map in an older version and then upgrade.

Sincerely,

David.
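As an added example, not code from any of the posters or from Cisco: a small Python model of the ASA DNS inspection limit this thread is about. It builds a constructed EDNS0 query that advertises a 4096-byte UDP payload and a constructed DNSSEC-style response of roughly 1.2 KB (one A record plus several RRSIGs with made-up signature bytes), then runs both through a function that applies 'message-length maximum N' and, optionally, 'client auto'. The 'client auto' semantics here are an assumption (the flow's limit becomes the payload size the client advertised in its OPT record, and the fixed maximum applies when the query carried no OPT record), marked as such in the code. The classic 512-byte default drops the signed answer; raising the fixed maximum to 4096, or enabling client auto against an EDNS-capable client, passes it.

```python
import struct
from typing import Optional

OPT_TYPE = 41      # EDNS0 pseudo-RR (RFC 6891); its CLASS field carries the UDP payload size
RRSIG_TYPE = 46


def encode_name(name: str) -> bytes:
    """Wire-format a DNS name: "example.gov" -> b"\\x07example\\x03gov\\x00"."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name starting at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: two bytes, terminates the name
            return off + 2
        off += 1 + length


def build_query(qname: str, edns_udp_size: Optional[int] = None) -> bytes:
    """Constructed A/IN query. With edns_udp_size set, an OPT RR is appended
    whose CLASS field is the advertised UDP payload size."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)   # id, RD, qd, an, ns, ar
    question = encode_name(qname) + struct.pack("!HH", 1, 1)            # QTYPE A, QCLASS IN
    opt = b""
    if edns_udp_size:
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_udp_size, 0, 0)
    return header + question + opt


def build_signed_response(query: bytes, n_rrsig: int = 4, sig_len: int = 256) -> bytes:
    """Constructed DNSSEC-style answer to `query`: one A record plus n_rrsig
    RRSIGs carrying made-up signature bytes, so the message is well over 512 bytes."""
    qend = skip_name(query, 12) + 4
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1 + n_rrsig, 0, 1)  # QR|RD|RA, counts
    name_ptr = b"\xc0\x0c"                                                  # pointer to qname at offset 12
    answer = name_ptr + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    for i in range(n_rrsig):
        # RRSIG RDATA: type covered, algorithm, labels, original TTL, expiration, inception, key tag
        rdata = (struct.pack("!HBBIIIH", 1, 8, 2, 300, 0, 0, 12345)
                 + encode_name("example.gov") + bytes([i]) * sig_len)
        answer += name_ptr + struct.pack("!HHIH", RRSIG_TYPE, 1, 300, len(rdata)) + rdata
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0x00008000, 0)      # DO bit set
    return header + query[12:qend] + answer + opt


def advertised_udp_size(msg: bytes) -> Optional[int]:
    """UDP payload size from the message's OPT RR, or None if it has no OPT RR."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return rclass
    return None


def inspect_allows(query: bytes, response: bytes,
                   message_length_maximum: int = 512, client_auto: bool = False) -> bool:
    """Model of the ASA 'message-length maximum' check for one query/response flow.
    Assumption: 'client auto' makes the limit the size the client advertised in its
    OPT RR and falls back to the fixed maximum when the query carried no OPT RR."""
    limit = message_length_maximum
    if client_auto:
        advertised = advertised_udp_size(query)
        if advertised is not None:
            limit = advertised
    return len(response) <= limit


if __name__ == "__main__":
    q = build_query("example.gov", edns_udp_size=4096)
    r = build_signed_response(q)
    print(f"response is {len(r)} bytes")
    print("default 512:        ", inspect_allows(q, r))
    print("maximum 4096:       ", inspect_allows(q, r, message_length_maximum=4096))
    print("client auto (EDNS): ", inspect_allows(q, r, client_auto=True))
    print("client auto (no OPT)", inspect_allows(build_query("example.gov"), r, client_auto=True))
```

The last case is the one to keep in mind when relying on 'client auto' alone: a resolver that sends plain, non-EDNS queries still gets the fixed maximum, so a signed answer over 512 bytes is dropped for it unless the fixed maximum is raised too.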
Re: [c-nsp] Compressed IPv6 ACLs on Cat6500
On (2010-12-08 09:41 +0100), Robert Hass wrote:
> In the ACLs we need to match TCP/UDP port numbers, so we will use 'mls ipv6 acl compress address unicast' mode (only 112 bits of the IPv6 address field are matched).

Where did you arrive at 112? My understanding of the compressed mode is 128 - src_port - dst_port - flags = 128 - 16 - 16 = 88 usable bits for addresses.

You can use 'show tcam int foo acl in|out ipv6' to see what is actually being programmed into hardware. In older versions, if you put in too specific an address, it was programmed as a punt adjacency, which is undesired; today it seems to just program more-specifics as /88.

> My question is: after enabling 'ipv6 acl compress', can I use 112 addresses (e.g. single hosts, /128) in IPv6 ACL lines which don't have port numbers?

No.

--
  ++ytti
Re: [c-nsp] Compressed IPv6 ACLs on Cat6500
> Where did you arrive at 112? My understanding of the compressed mode is 128 - src_port - dst_port - flags = 128 - 16 - 16 = 88 usable bits for addresses.

I omitted the -8 there: flags = 8 bits, so 128 - 16 - 16 - 8 = 88.

--
  ++ytti
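As an added illustration, not code from any of the posters: Robert's two-line ACL run through a small Python check that models the effect both replies describe, namely that in compressed mode the hardware compares only some of the address bits and programs anything more specific as that shorter prefix. The number of compared bits is a parameter (88 as ytti states, 112 as the original question assumed), and the model assumes the truncation is contiguous from the high-order end; the EUI-64-dependent bit positions Mack describes are not modelled. The addresses are constructed from the 2001:db8::/32 documentation prefix in place of the garbled ones in the post. Under either bit count the result is the same: line 10 ('permit ip', no port) collapses onto the same prefix as line 20 and, since the first match wins, permits every protocol to the whole range before line 20 is ever evaluated. That is the practical answer to "will line 10 work properly", and ytti's 'show tcam int ... acl in|out ipv6' is the way to confirm what a given box actually programmed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One IPv6 ACE as written in the config (destination side only)."""
    seq: int
    action: str                   # "permit" / "deny"
    proto: str                    # "ip", "tcp", "udp", ...
    dst: str                      # destination prefix as typed, e.g. "2001:db8:0:1::3/128"
    dport: Optional[int] = None   # "eq <port>", or None if the ACE carries no port


# Robert's ACL, with constructed documentation-prefix addresses in place of the
# garbled ones in the post.
ACL = [
    Ace(10, "permit", "ip",  "2001:db8:0:1::3/128"),
    Ace(20, "permit", "tcp", "2001:db8:0:1::/112", dport=22),
]


def effective_network(ace: Ace, compare_bits: int) -> ipaddress.IPv6Network:
    """Prefix the hardware can actually honour when it compares only the
    high-order `compare_bits` of the destination address.
    Assumption: the truncation is contiguous from the top; the real TCAM
    bit selection on the platform may differ."""
    written = ipaddress.IPv6Network(ace.dst, strict=False)
    eff_len = min(written.prefixlen, compare_bits)
    return ipaddress.IPv6Network((written.network_address, eff_len), strict=False)


def widened(acl: List[Ace], compare_bits: int) -> List[Tuple[int, str, str]]:
    """(seq, written prefix, programmed prefix) for every ACE that loses specificity."""
    out = []
    for ace in acl:
        eff = effective_network(ace, compare_bits)
        if eff.prefixlen < ipaddress.IPv6Network(ace.dst, strict=False).prefixlen:
            out.append((ace.seq, ace.dst, str(eff)))
    return out


def shadowed(acl: List[Ace], compare_bits: int) -> List[Tuple[int, int]]:
    """(earlier_seq, later_seq) pairs where an earlier ACE, once widened, covers
    everything the later ACE could match: the earlier ACE has no port and its
    protocol is 'ip' or the same as the later one, and the later ACE's
    programmed prefix lies inside the earlier one's. First match wins, so the
    later ACE is dead and its intended restriction is gone."""
    view = [(ace, effective_network(ace, compare_bits)) for ace in acl]
    pairs = []
    for i, (later, later_net) in enumerate(view):
        for earlier, earlier_net in view[:i]:
            covers_proto = earlier.proto == "ip" or earlier.proto == later.proto
            if earlier.dport is None and covers_proto and later_net.subnet_of(earlier_net):
                pairs.append((earlier.seq, later.seq))
    return pairs


def report(acl: List[Ace], compare_bits: int) -> str:
    """Human-readable summary for one assumed bit count."""
    lines = [f"compare_bits={compare_bits}"]
    for seq, written, eff in widened(acl, compare_bits):
        lines.append(f"  seq {seq}: written {written} -> programmed as {eff}")
    for earlier, later in shadowed(acl, compare_bits):
        lines.append(f"  seq {later} can never match: seq {earlier} already covers it")
    if len(lines) == 1:
        lines.append("  every ACE programmed as written")
    return "\n".join(lines)


if __name__ == "__main__":
    for bits in (128, 112, 88):
        print(report(ACL, bits))
```

Feeding the whole ACL through `shadowed()` with the bit count the platform really uses turns the "will it match the /112 instead" question into a list of ACEs that silently became wider than intended, which is the list to fix (reorder, or add the port match to the host line) before trusting the filter.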
Re: [c-nsp] ME Series for a LAN/Server Farm
One thing to watch for is that there is no local switching among UNI ports. You could either set your port type to NNI, or you could set the VLAN as a community VLAN to enable local switching.

What platforms were you looking at? ME3400, 3750ME? You should take note that the ME3400 series doesn't offer stacking, and while the 3750ME has stacking ports on the chassis, they are non-functional, so you can't stack them either.

You should probably look into the 3750X series switches for stacking and redundant PSUs. Though if you NEED fiber access ports, you will have to look at the 3750G-12S, as unfortunately there is no SFP-based 3750 platform newer than that. That said, if you need the SFPs and redundant power, you may be better off going to a chassis switch.

You could also look at the Nexus if this is for a DC, but I don't have any experience with them, so I will leave those comments/suggestions to others.

- Ed
Re: [c-nsp] ME Series for a LAN/Server Farm
On Wed, Dec 8, 2010 at 16:50, Edward Salonia wrote:
> One thing to watch for is that there is no local switching among UNI ports. You could either set your port type to NNI or you could set the VLAN as a community VLAN to enable local switching.

Double-check the specs on these. If I am remembering correctly, there is a limit on some ME switches to the number of NNI ports you can enable (I believe it was 4).

Also be aware of the power supplies being fixed, as in: you cannot swap an AC for a DC, nor are they field-replaceable.

Andy Koch
Re: [c-nsp] ME Series for a LAN/Server Farm
On 12/8/2010 1:44 PM, Keegan Holley wrote:
> I need to do fiber aggregation and I haven't been able to find any Cisco platform that will allow me to create an all-1G fiber stack with dual power.

Options for 1G fiber connectivity with dual power:

- 3750G-12S with an RPS
- 4900M with 4/8-port modules and TwinX converters
- 4500 with WS-X4624-SFP-E or WS-X4448-GB-SFP line cards
- 6500 with WS-X6724-SFP or WS-X6748-SFP line cards

Jeremy
Re: [c-nsp] ME Series for a LAN/Server Farm
Correct. In older versions of IOS you were limited in the number of NNI ports, but that has changed.

-----Original Message-----
From: Andrew Koch
Date: Wed, 8 Dec 2010 17:19:07
Subject: Re: [c-nsp] ME Series for a LAN/Server Farm

> Double-check the specs on these. If I am remembering correctly, there is a limit on some ME switches to the number of NNI ports you can enable (I believe it was 4).
Re: [c-nsp] ME Series for a LAN/Server Farm
I'm looking at the new 3600X series; it was just released in September. I noticed the "no local switching for UNI ports". Is there a way to disable the UNI/NNI relationship completely, or enable local switching for UNI ports?

On Wed, Dec 8, 2010 at 5:50 PM, Edward Salonia wrote:
> One thing to watch for is that there is no local switching among UNI ports. You could either set your port type to NNI or you could set the VLAN as a community VLAN to enable local switching.
___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] ME Series for a LAN/Server Farm
On 9/12/2010 10:28 AM, Jeremy Bresley wrote:
> On 12/8/2010 1:44 PM, Keegan Holley wrote:
>> I know from previous conversations that the architecture as well as some of the defaults for the ME series are different than the traditional switching platforms. I was curious if there were any reasons why I shouldn't use them in a vanilla switching environment such as a LAN or a server farm. I need to do fiber aggregation and I haven't been able to find any cisco platform that will allow me to create an all 1G fiber stack with dual power. I was curious if anyone had experience using these as just normal switching platforms.
>
> Options for 1G fiber connectivity with dual power:
> 3750G-12S with an RPS
> 4900M with 4/8-port modules and TwinX converters
> 4500 with WS-X4624-SFP-E or WS-X4448-GB-SFP line cards
> 6500 with WS-X6724-SFP or WS-X6748-SFP line cards

What about the ME6524 with the SFP instead of copper downlink ports?
http://www.cisco.com/en/US/prod/collateral/switches/ps6568/ps6845/ps6846/prod_bulletin0900aecd80406599.html

It has two PSUs (can operate on 1) and is based on the 6500 and runs 12.2(33)SXI, but in a smaller form factor and a bit less expensive?

We bought one recently and are delighted with it; the only slight annoyance is the TCAM size, which limits the hardware routing to 256k entries...

Reuben
Re: [c-nsp] ME Series for a LAN/Server Farm
3600X might be an option; otherwise there are other vendors with cheaper L2-switch-only products with 24+ SFP ports on them. The Nexus 5548 has 1G support coming sometime in the near future, so if you are looking to buy further down the line it might be an option. The older 5010/5020 models have limited 1G support (only on the first 16 ports, if I recall correctly).

Phil

On 12/8/10 6:26 PM, Keegan Holley keegan.hol...@sungard.com wrote:
> I'm looking at the new 3600X series; it was just released in Sept. I noticed the no local switching for UNI ports. Is there a way to disable the UNI/NNI relationship completely or enable local switching for UNI ports?
>
> On Wed, Dec 8, 2010 at 5:50 PM, Edward Salonia e...@edgeoc.net wrote:
>> One thing to watch for is that there is no local switching among UNI ports. You could either set your port type to NNI or you could set the vlan as a community vlan to enable local switching.
>>
>> What platforms were you looking at? ME3400, 3750ME? You should take note that the ME3400 series doesn't offer stacking, and the 3750ME, while it has stacking ports on the chassis, they are non-functional, so you can't stack them either. You should probably look into the 3750X series switches for stacking and redundant PSUs. Though if you NEED fiber access ports, you will have to look at the 3750G-12S as, unfortunately, there is no SFP-based 3750 platform newer than that. That said, if you need the SFPs and redundant power, you may be better off going to a chassis switch. You could also look at the Nexus if this is for a DC, but I don't have any experience with them, so I will leave those comments/suggestions to others.
>>
>> - Ed
>>
>> On Wed, Dec 8, 2010 at 2:44 PM, Keegan Holley keegan.hol...@sungard.com wrote:
>>> I know from previous conversations that the architecture as well as some of the defaults for the ME series are different than the traditional switching platforms. I was curious if there were any reasons why I shouldn't use them in a vanilla switching environment such as a LAN or a server farm. I need to do fiber aggregation and I haven't been able to find any cisco platform that will allow me to create an all 1G fiber stack with dual power. I was curious if anyone had experience using these as just normal switching platforms.
[c-nsp] 4900M with QoS on a portchannel
Hi,

I must be missing something obvious here, so please stay with me. I'm currently devising config for the device. We have a 4900M that will be connected over 2x10G to a customer. I want to apply a very simple QoS in this scenario - mark packets on input and act on that on output:

  class-map match-any CUST-SW-IN-PRIO
   match cos 5 6
  class-map match-any CUST-SW-IN-AF4
   match cos 4
  class-map match-any CUST-SW-IN-AF1
   match cos 2 3
  class-map match-any CUST-SW-OUT-PRIO
   match qos-group 15
  class-map match-any CUST-SW-OUT-AF4
   match qos-group 14
  class-map match-any CUST-SW-OUT-AF1
   match qos-group 11

  policy-map CUST-SW-IN-INPUT
   class CUST-SW-IN-PRIO
    set qos-group 15
   class CUST-SW-IN-AF4
    set qos-group 14
   class CUST-SW-IN-AF1
    set qos-group 11
   class class-default

  policy-map CUST-SW-OUT-OUTPUT
   class CUST-SW-OUT-PRIO
    priority
    police rate percent 37
   class class-default

The idea is that there should never be more than 37% of CoS 5 and CoS 6 traffic leaving the interface. All ingress interfaces have the CUST-SW-IN-INPUT policy applied (on either physical interfaces or PortChannels). When I try to apply the output policy I get the following:

1. On a physical interface (member of the portchannel):

  ASAUESD01(config)#int te1/1
  ASAUESD01(config-if)#service-policy output CUST-SW-OUT-OUTPUT
  % A service-policy with non-queuing actions should be attached to the port-channel associated with this physical port.

2. On a portchannel:

  ASAUESD01(config-if)#int po1
  ASAUESD01(config-if)#service-policy output CUST-SW-OUT-OUTPUT
  % A service-policy with queuing actions can be attached in output direction only on physical ports.

What am I missing here?

software: Version 12.2(53)SG1 (cat4500e-IPBASEK9-M)
hardware: WS-C4900M

kind regards
Pshem
[c-nsp] full routes / backup router
Hi,

I need a backup router for a 7206VXR/NPE-400/512MB RAM that can handle full routes from a single eBGP peer. Router provides transit to an end-user. Remaining configs on router are minimal; max throughput is about 30-40Mbps.

Would a 2911/512MB RAM be sufficient? Or is the CPU too puny? Maybe we need a 3825/521MB RAM? Or I guess we could just get a backup 7206VXR/NPE-400/512MB RAM.

Thanks,
Adam
Re: [c-nsp] Compressed IPv6 ACLs on Cat6500
This is not correct. The field is actually 288 bits (v4 uses 144 bits). Some of these bits are used for protocol, flags and such; 2 bits are used for IPv6 address type. The remaining available for IPv6 addresses + ports is 256. Source and destination are each allotted 128 bits.

The bits removed are [39:24], i.e. :::::33xx:xx33: in the OP example. The part marked x is removed. See the following for specifics:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/acl.html#wp1090842

Embedded IPv4 removes the upper 16 bits as these are all zero. Link local discards bits 95:80, which are zero. All other formats remove bits [39:24].

The misunderstanding is that anything with a prefix longer than /88 includes discarded bits in the subnet portion as opposed to the host portion.

Mack McBride
Network Architect

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Saku Ytti
Sent: Wednesday, December 08, 2010 1:38 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Compressed IPv6 ACLs on Cat6500

> Where did you arrive at 112? My understanding of the compressed mode is 128-src_port-dst_port-flags = 128-16-16 = 88 usable bits for addresses.

omitted -8 there, flags = 8bits, so 128-16-16-8 = 88.

--
++ytti
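An added example (mine, not Mack's, the OP's or Cisco's) that models the bit positions described above: it reports whether an ACE's prefix reaches into the range the compressed hardware lookup discards, and compares an exact match with the compressed match for two constructed addresses that differ only in bits 39:24. The address-class detection (link-local, embedded IPv4, everything else) is my simplification of the three cases Mack lists.

```python
import ipaddress

ALL_ONES = (1 << 128) - 1

# Bit ranges (bit 0 = least significant, inclusive) that the compressed
# hardware lookup discards, one range per address class as described above.
DROPPED_BITS = {
    "link-local": (95, 80),       # fe80::/10: these bits are always zero
    "ipv4-embedded": (127, 112),  # ::a.b.c.d / ::ffff:a.b.c.d: upper 16 bits are zero
    "other": (39, 24),            # everything else: the "xx" bytes in 33xx:xx33
}

def address_class(addr: str) -> str:
    """Classify an address; treating all of ::/96 as embedded IPv4 is a simplification."""
    a = ipaddress.IPv6Address(addr)
    if a.is_link_local:
        return "link-local"
    if a.ipv4_mapped is not None or (int(a) >> 32) == 0:
        return "ipv4-embedded"
    return "other"

def range_mask(hi: int, lo: int) -> int:
    """Mask with ones in bit positions lo..hi inclusive."""
    return ((1 << (hi - lo + 1)) - 1) << lo

def prefix_mask(prefixlen: int) -> int:
    """Ordinary /n prefix mask as a 128-bit integer."""
    return (ALL_ONES << (128 - prefixlen)) & ALL_ONES

def ace_covers_dropped_bits(ace: str) -> bool:
    """True when the ACE's prefix mask reaches into bits the hardware ignores;
    for the general class that is exactly every prefix longer than /88."""
    net = ipaddress.IPv6Network(ace, strict=False)
    hi, lo = DROPPED_BITS[address_class(str(net.network_address))]
    return (prefix_mask(net.prefixlen) & range_mask(hi, lo)) != 0

def ace_matches(ace: str, packet_addr: str, compressed: bool = True) -> bool:
    """Does the ACE match the packet address? With compressed=True the dropped
    bit range is removed from the comparison, as the hardware lookup does."""
    net = ipaddress.IPv6Network(ace, strict=False)
    mask = prefix_mask(net.prefixlen)
    if compressed:
        hi, lo = DROPPED_BITS[address_class(str(net.network_address))]
        mask &= ~range_mask(hi, lo)
    pkt = int(ipaddress.IPv6Address(packet_addr))
    return (int(net.network_address) & mask) == (pkt & mask)

if __name__ == "__main__":
    # Constructed addresses: the second differs from the first only in bits 39:24.
    host, lookalike = "2001:db8::3", "2001:db8::ab:cd00:3"
    for ace in ("2001:db8::/88", "2001:db8::3/112", host + "/128"):
        print(ace, "covers dropped bits:", ace_covers_dropped_bits(ace))
    print("exact match of lookalike:", ace_matches(host + "/128", lookalike, False))
    print("compressed match of lookalike:", ace_matches(host + "/128", lookalike, True))
```

The /128 ACE accepts the lookalike under the compressed comparison but not under the exact one, which is the difference the OP's line 10 would see.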
Re: [c-nsp] L2L VPN with NATed IP
Hi,

I suggest you ask your client to do NAT for both incoming and outgoing traffic, as the client has a PIX at his side. PIX has this intelligence (bi-directional translation) to solve such private network overlapping issues behind the VPN gateway.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949f1.shtml

Thank you,
Ramesh

On Wed, Dec 8, 2010 at 6:10 AM, Fourpros it fourpro...@gmail.com wrote:
> Dear Experts!
>
> I have a need to configure L2L VPN to different clients. I have built the VPNs under a single crypto map, but an issue has come up. One of my clients requires me to NAT my inside network to my public address as he also has NATed his inside network to his public address. How do I accomplish this?
>
> I basically need to NAT my inside 10.10.x.x network for the client to 193.32.x.x. My client NATs his inside 172.10.x.x network for me to 173.32.x.x. On my side I have a Cisco IOS router and on my client's side they have a Cisco PIX. My tunnel is up but I can't reach my inside network, and the same on the remote side. My IPsec log (sh crypto ipsec sa peer 173.32.x.x) shows packets encrypted and decrypted. I assume my NAT and ACL are working well, but tunnel traffic is still not reachable from either side.
>
> Is there any way to make this scenario work for my customer? So I request if anyone can provide me any suggestion and support. It will be a great help.
>
> Thank You
> FourPros
Re: [c-nsp] ME Series for a LAN/Server Farm
On 12/8/2010 6:32 PM, Edward Salonia wrote:
> Correct. In older versions of the IOS you were limited in the number of NNI ports, but that has changed.

The limit is 4 NNIs in the METROBASE image and unlimited in the IPACCESS image. There is an ACCESS image in between BASE and IPACCESS; it may allow for a few more NNIs.
Re: [c-nsp] full routes / backup router
On Wed, Dec 8, 2010 at 5:30 PM, Adam Greene maill...@webjogger.net wrote:
> Hi,
>
> I need a backup router for a 7206VXR/NPE-400/512MB RAM that can handle full routes from a single eBGP peer. Router provides transit to an end-user. Remaining configs on router are minimal; max throughput is about 30-40Mbps.
>
> Would a 2911/512MB RAM be sufficient? Or is the CPU too puny? Maybe we need a 3825/521MB RAM? Or I guess we could just get a backup 7206VXR/NPE-400/512MB RAM.
>
> Thanks,
> Adam

If it's a backup router and there is only one peering session, why have full routes? Just a default route would work for all transit.
Re: [c-nsp] ME Series for a LAN/Server Farm
On 09/12/2010 00:05, Phil Bedard wrote:
> The Nexus 5548 has 1G support coming sometime in the near future, so if you are looking to buy further down the line it might be an option. The older 5010/5020 models have limited 1G support (only on the first 16 ports, if I recall correctly).

ObWarning: down-stepping from 10G to 1G on a box often requires lots of buffers if the traffic is bursty. The N5548 is a cut-through switch with small port buffers (680k per port, of which only 160k is allocated for egress) [1]. If you randomly mix 10G and 1G on a box like this without careful consideration, you may end up losing lots of data. In this light, I would suggest that the N5k limits on 1G port availability aren't as much of a problem as they might seem.

Nick

[1] http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/qa_c67-618605_ps9670_Products_Q_and_A_Item.html#wp9000216
[c-nsp] MSI Cisco VPN Client Software ?
Hi

Does anyone know if we can create a .MSI of the Cisco VPN IPsec software that includes all parameters of the connection?

Thanks for your help
Stephane
Re: [c-nsp] ME Series for a LAN/Server Farm
On Thursday, December 09, 2010 08:05:49 am Phil Bedard wrote:
> 3600X might be an option,...

For the application the OP is looking at, the ME3600X/3800X might be overkill. It's a very powerful switch, bordering on a real router. I'd keep things simple unless the OP needs all these features.

Cheers,
Mark.
Re: [c-nsp] MSI Cisco VPN Client Software ?
I don't know about creating an .MSI, but the way I always did it was by browsing to the Cisco VPN folder in Program Files; there is a folder with .pcf files that you can save aside, and then from within the VPN Client window you can import those files and you get the whole profile ready.

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Stephane MAGAND
Sent: Thursday, December 09, 2010 8:02 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] MSI Cisco VPN Client Software ?

> Hi
>
> Does anyone know if we can create a .MSI of the Cisco VPN IPsec software that includes all parameters of the connection?
>
> Thanks for your help
> Stephane