[c-nsp] IOS XR SSH
Hi,

Do you need the k9 version of IOS XR in order to set up the SSH server for secure connections into it? I can't see any command references to enable the SSH server in the basic 4.1.0 version.

Any help much appreciated.

Nick

--
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender. Any offers or quotation of service are subject to formal specification. Errors and omissions excepted. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Lumison. Finally, the recipient should check this email and any attachments for the presence of viruses. Lumison accept no liability for any damage caused by any virus transmitted by this email.

___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] IOS XR SSH
> Do you need the k9 version of IOS XR in order to set up the SSH server for secure connections into it? I can't see any command references to enable the SSH server in the basic 4.1.0 version.

Yes, you need the crypto image (k9). The command you're looking for is "ssh server [v2]" to enable an SSH server (default is off, i.e. no server listening on tcp/22).

oli
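Once "ssh server v2" is in the config, the check worth doing from the outside is to connect to tcp/22 and read the identification string: per RFC 4253 a server announcing "SSH-1.99" still accepts protocol 1 clients, while "SSH-2.0" means v2 only. The Python below is an added example (not from the thread or from Cisco) that parses that string, tolerating the pre-banner lines RFC 4253 allows, and classifies what the server will speak. The sample banners are constructed; the Cisco software version strings in them are illustrative, not captured from a particular release.

```python
import socket
from dataclasses import dataclass
from typing import Optional


@dataclass
class SshBanner:
    """Fields of an identification string: SSH-protoversion-softwareversion [SP comments]."""
    protoversion: str
    softwareversion: str
    comments: Optional[str]


def parse_banner(raw: bytes) -> SshBanner:
    """Extract the identification string from what the server sent.

    RFC 4253 section 4.2 lets a server send other lines (e.g. a login
    banner) before the identification string, as long as they do not start
    with "SSH-"; those lines are skipped here.
    """
    for line in raw.split(b"\n"):
        line = line.rstrip(b"\r")
        if not line.startswith(b"SSH-"):
            continue
        text = line.decode("ascii", errors="replace")
        ident, _, comments = text.partition(" ")
        parts = ident.split("-", 2)  # "SSH", protoversion, softwareversion
        if len(parts) != 3 or not parts[1]:
            raise ValueError(f"malformed identification string: {text!r}")
        return SshBanner(parts[1], parts[2], comments or None)
    raise ValueError("no SSH identification string in server data")


def assess(raw: bytes) -> str:
    """Classify the protocol versions the server is willing to speak.

    "2.0"  -> "ok"          : SSH-2 only
    "1.99" -> "v1-fallback" : SSH-2 offered, but SSH-1 clients still accepted
    "1.x"  -> "v1-only"     : no SSH-2 at all
    """
    banner = parse_banner(raw)
    if banner.protoversion == "2.0":
        return "ok"
    if banner.protoversion == "1.99":
        return "v1-fallback"
    return "v1-only"


def probe(host: str, port: int = 22, timeout: float = 3.0) -> bytes:
    """Connect, send our own identification first (some servers wait for it),
    and return everything received up to and including the server's
    identification line. Network I/O; the offline samples below do not use it."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-banner_audit\r\n")
        while True:
            chunk = sock.recv(1024)
            if not chunk or len(data) > 8192:
                break
            data += chunk
            start = data.find(b"SSH-")
            if start != -1 and b"\n" in data[start:]:
                break
    return data


# Constructed sample banners (version strings are illustrative only).
V2_ONLY = b"SSH-2.0-Cisco-1.25\r\n"
V1_FALLBACK = b"SSH-1.99-Cisco-1.25\r\n"
WITH_PREAMBLE = b"Unauthorized access is prohibited\r\nSSH-2.0-OpenSSH_8.9 Ubuntu-3\r\n"

if __name__ == "__main__":
    import sys
    raw = probe(sys.argv[1]) if len(sys.argv) > 1 else V1_FALLBACK
    print(parse_banner(raw), assess(raw))
```

Run it with a hostname argument to probe a real box; with no argument it classifies the constructed SSH-1.99 sample. A "v1-fallback" result on a router is the case to chase, since the v1 path is what "ssh server v2" is meant to close off.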
Re: [c-nsp] IOS XR SSH
Hi Nick,

Yep - the k9 version of IOS indicates it comes with crypto support. No k9 = no crypto = no SSH, HTTPS, etc.

Regards,
Chris

On 26/08/2011, at 9:00 PM, Nick Ryce wrote:

> Hi, Do you need the k9 version of IOS XR in order to set up the SSH server for secure connections into it? I can't see any command references to enable the SSH server in the basic 4.1.0 version. Any help much appreciated. Nick
Re: [c-nsp] 8.3 nat question asa
> I have defined a dynamic source NAT rule. Here is the relevant config:
>
> object network obj-10.201.0.0
>  subnet 10.201.0.0 255.255.0.0
> object network obj-2.2.2.102
>  host 2.2.2.102
> nat (inside,outside) source dynamic obj-10.201.0.0 obj-2.2.2.102

Food for thought (not sure if this is worse/better/same). Say the outside interface, 2.2.2.102, is part of network 2.2.2.96/28:

!
object network Obj-Everything
 subnet 0.0.0.0 0.0.0.0
!
! Subnet that non-employees end up on; they go out via a different
! public IP
object network Obj-Guest-Net
 subnet 172.20.0.0 255.255.0.0
!
object network Obj-Everything
 nat (inside,outside) dynamic interface
object network Obj-Guest-Net
 nat (inside,outside) dynamic 2.2.2.103

> What I am looking to do, if possible (I believe it should be), is a static mapping from the outside of 2.2.2.102:80 to a single IP address in the 10.201.0.0/16 net, for ex 10.201.10.10:80
> [...]
> Is that correct? Also, what is the syntax for mapping only port 80 of obj-2.2.2.102 to obj-10.201.10.10? So, obj-2.2.2.102 port 80 to obj-10.201.10.10 port 80.

"Map all ports on public IP x to private IP y" should be similar, but we have only implemented the latter, more specific case:

object network HostName1_TCP7979
 host 10.201.1.10
object network HostName1_TCP
 host 10.201.1.10
!
object-group service HostName-Ports tcp
 description GPIM active tcp ports
 port-object eq 7979
 port-object eq
!
access-list Inbound extended permit tcp any host 10.201.1.10 object-group HostName-Ports log
!
object network HostName1_TCP7979
 nat (inside,outside) static interface service tcp 7979 7979
object network HostName1_TCP
 nat (inside,outside) static interface service tcp
!

I do remember the "sh run" output for the object-related commands in 8.3 seemed a little wacky, but looking at this I'm not sure if we tried something like this or not:

object network HostName1_PortMap
 host 10.201.1.10
 nat (inside,outside) static interface service object HostName-Ports

~JasonG
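One check worth running once a port forward like the above is in place: in ASA 8.3 and later, access lists are evaluated against the real (untranslated) address, so the inbound ACL has to name the private host, as the "Inbound" line above does, and not the public address as it would have before 8.3. A static NAT with no matching permit is dead config, and an ACL line written against the public IP no longer matches anything. The Python below is an added example (mine, not from the thread or from Cisco) that parses object NAT, tcp/udp service groups and the inbound ACL out of 8.3-style config text and reports both problems. The sample config is constructed from the posted one: 7980 stands in for the redacted port, and Web_8443 is a hypothetical second forward whose ACL line still uses the public IP.

```python
import re
from collections import defaultdict

OBJECT_RE = re.compile(r"^object network (\S+)$")
HOST_RE = re.compile(r"^host (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) static (\S+)(?: service (tcp|udp) (\S+) (\S+))?$")
GROUP_RE = re.compile(r"^object-group service (\S+) (tcp|udp)$")
PORT_RE = re.compile(r"^port-object eq (\S+)$")
ACL_RE = re.compile(
    r"^access-list (\S+) extended permit (tcp|udp) (any|host \S+|\S+ \S+) host (\S+)"
    r"(?: eq (\S+)| object-group (\S+))?(?: log.*)?$"
)


def parse(config):
    """Objects (host + static NATs), service groups and ACL entries from config text.
    "show run" lists an object twice (host first, nat later), so objects merge by name."""
    objects, groups, acls = {}, defaultdict(set), defaultdict(list)
    ctx = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := OBJECT_RE.match(line):
            ctx = objects.setdefault(m.group(1), {"host": None, "nat": []})
        elif m := GROUP_RE.match(line):
            ctx = groups[m.group(1)]
        elif m := ACL_RE.match(line):
            acl, proto, _src, dst, port, group = m.groups()
            acls[acl].append({"proto": proto, "dst": dst, "port": port, "group": group})
            ctx = None
        elif isinstance(ctx, dict):
            if m := HOST_RE.match(line):
                ctx["host"] = m.group(1)
            elif m := NAT_RE.match(line):
                _in, _out, mapped, proto, real_port, mapped_port = m.groups()
                ctx["nat"].append({"mapped": mapped, "proto": proto,
                                   "real_port": real_port, "mapped_port": mapped_port})
        elif isinstance(ctx, set):
            if m := PORT_RE.match(line):
                ctx.add(m.group(1))
    return objects, groups, acls


def _permits(entry, proto, real_ip, real_port, groups):
    """Does one ACL entry let traffic reach real_ip on real_port (None = every port)?"""
    if entry["dst"] != real_ip or (proto and entry["proto"] != proto):
        return False
    if entry["port"] is None and entry["group"] is None:
        return True          # no port qualifier: all ports
    if real_port is None:
        return True          # all-port static NAT narrowed by the ACL: still reachable
    allowed = {entry["port"]} if entry["port"] else groups.get(entry["group"], set())
    return real_port in allowed


def audit(config, inbound_acl, outside_ip):
    """Static NATs with no permit in inbound_acl, and ACL entries that name a
    mapped (public) address instead of the real one."""
    objects, groups, acls = parse(config)
    entries = acls.get(inbound_acl, [])
    mapped_addrs = {outside_ip}
    findings = []
    for name, obj in objects.items():
        for nat in obj["nat"]:
            mapped = outside_ip if nat["mapped"] == "interface" else nat["mapped"]
            mapped_addrs.add(mapped)
            if obj["host"] is None:   # subnet/range objects are out of scope here
                continue
            if not any(_permits(e, nat["proto"], obj["host"], nat["real_port"], groups)
                       for e in entries):
                findings.append(f"{name}: {mapped}:{nat['mapped_port'] or '*'} -> "
                                f"{obj['host']}:{nat['real_port'] or '*'} has no permit in {inbound_acl}")
    for e in entries:
        if e["dst"] in mapped_addrs:
            findings.append(f"{inbound_acl} names mapped address {e['dst']}; "
                            f"8.3+ ACLs must use the real address")
    return findings


# Constructed from the posted config: 7980 replaces the redacted port, and
# Web_8443 is a hypothetical forward whose ACL line wrongly uses the public IP.
SAMPLE_CONFIG = """
object network HostName1_TCP7979
 host 10.201.1.10
object network Web_8443
 host 10.201.1.20
object-group service HostName-Ports tcp
 description GPIM active tcp ports
 port-object eq 7979
 port-object eq 7980
access-list Inbound extended permit tcp any host 10.201.1.10 object-group HostName-Ports log
access-list Inbound extended permit tcp any host 2.2.2.102 eq 8443
object network HostName1_TCP7979
 nat (inside,outside) static interface service tcp 7979 7979
object network Web_8443
 nat (inside,outside) static interface service tcp 8443 8443
"""

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG, "Inbound", "2.2.2.102"), sep="\n")
```

The outside interface address is passed in because "static interface" resolves to it only at runtime; the parser covers the object-NAT and ACL forms used in the thread, not twice NAT or subnet objects, which it skips rather than guessing about.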
[c-nsp] 3560-X qinq support
Hi,

Does the Cat3560-X support QinQ? Some old threads say most Cat3K do support it, but Feature Navigator doesn't say so clearly. I checked whether the command "switchport mode dot1q-tunnel" is there, but apparently it is not. This is a lanbase license; do I need ipbase for that?
Re: [c-nsp] 2x WS-X6408A-GBIC or a WS-X6816-GBIC
On Thu, 25 Aug 2011, chiel wrote:

> I got a 6506-E with a Sup7203BXL. Now I need to add some line cards to this chassis. I got two options.
> 1. Install 2x WS-X6408A-GBIC that I still have lying around
> 2. Upgrade a WS-X6816-GBIC which I got (currently has a DFC3A) with a DFC3BXL. I need to buy the DFC3BXL in this case.

As others have mentioned, there should not be a problem with forwarding capacity using those blades, but you will be limited with what you can do in terms of QoS.

Also, if vendor support is important to you, it's worth noting that both of these blades are end-of-sale. The 6408 has been end-of-life for about five years. The replacement blade that is mentioned in the bulletin below, the 6408A, was announced for end-of-sale in 2009, and will go end-of-life in 2014. The 6416 went end-of-life at the beginning of this year.

WS-X6408-GBIC: http://www.cisco.com/en/US/products/hw/switches/ps700/prod_eol_notice09186a008032d814.html
WS-X6416-GBIC: http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_end-of-life_notice0900aecd802e87bb.html
Re: [c-nsp] IOS XR SSH
It makes me die inside that a router of the ASR calibre can't have management access encrypted with SSH without a different software version :(

Nick

-----Original Message-----
From: Oliver Boehmer (oboehmer) [mailto:oboeh...@cisco.com]
Sent: 26 August 2011 12:51
To: Nick Ryce; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] IOS XR SSH

> Yes, you need the crypto image (k9). The command you're looking for is "ssh server [v2]" to enable an SSH server (default is off, i.e. no server listening on tcp/22).
>
> oli
Re: [c-nsp] 3560-X qinq support
On 26/08/11 14:24, Nikolay Shopik wrote:
> Hi, Does the Cat3560-X support QinQ? Some old threads say most Cat3K do support it, but Feature Navigator doesn't say so clearly. I checked whether the command "switchport mode dot1q-tunnel" is there, but apparently it is not. This is a lanbase license; do I need ipbase for that?

Just checked a box running ipbase: yes, it is there.

Dave.

--
David Freedman
Group Network Engineering
Claranet Group
Re: [c-nsp] IOS XR SSH
On 26/08/11 14:49, Nick Ryce wrote:
> It makes me die inside that a router of the ASR calibre can't have management access encrypted with SSH without a different software version :(

http://www.cisco.com/web/about/doing_business/legal/global_export_trade/general_export/contract_compliance.html
Re: [c-nsp] 7206VXR NPE-G1 Upgrade from 12.4 to 15.0 High CPU
"sh run all" isn't a valid option. I can do a "sh run full", but that gives me the same config as "sh run".

On 8/25/2011 7:05 AM, Andriy Bilous wrote:
> If you're still OK with reloading the box you could try 'show run all' with both trains and compare those. It prints out a great deal of defaults along with the custom config and might give you a hint where to look next.
>
> On Tue, Aug 23, 2011 at 5:03 PM, Chris Gotstein <ch...@uplogon.com> wrote:
>> Update on this issue: After combing the config and Google, I tried several things to get CPU usage down, including filtering of IP options and fragments and reorganizing my ACLs. Even completely disabling the ACL lists and any filtering did not help. One document mentioned moving to the 12.4 train in order to get more information about the packets coming into the router. I upgraded the router to 12.4.25f (Service Provider w/ IPSEC and LI). After the reload, the router came up and my high CPU usage was no longer there. Didn't make any changes to my config from SRE that was giving me the high CPU, or for that matter from 15.0 that was giving me high CPU. So my question is why? What is different about 12.4 from SRE and 15.0? If I have to stay on the 12.4 train, I'd rather be on 12.4T, but not sure if I'll run back into the same problem.

--
Chris Gotstein, Network Engineer, U.P. Logon/Computer Connection U.P.
http://uplogon.com | +1 906 774 4847 | ch...@uplogon.com
Re: [c-nsp] QinQ config sample on Cisco 7600/6500
Hi

To add to this with complete configurations:

Define a transport VLAN:

vlan 1285
 name qinq-transport

Configure the QinQ port. Increase the MTU (the 7600 does not inherit the system MTU when configuring a QinQ port). If any layer 2 protocol transport is required, configure this:

interface GigabitEthernet4/2
 description QinQ accessport
 switchport
 switchport access vlan 1285
 switchport mode dot1q-tunnel
 mtu 2200
 no cdp enable
 l2protocol-tunnel cdp
 l2protocol-tunnel stp
 l2protocol-tunnel vtp

Trunk the transport VLAN out of the switch, and all the way to the other end of the tunnel (all switches in between):

interface GigabitEthernet1/20
 description trunk
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1285
 switchport mode trunk
 mtu 2200

And finally, if desired:

no mac-address-table learning vlan 1285

Jon

On 8/26/2011 12:41 AM, Peter Rathlev wrote:
> On Thu, 2011-08-25 at 23:37 +0200, Rolf Hanßen wrote:
>> Nobody has an idea about this? Can't be I am the first one trying to run/build such a setup or migrating from a platform that can do it. ;)
>
> Okay then, I'll bite. :-)
>
> On Wed, 2011-08-24 at 18:46 +0200, Rolf Hanßen wrote:
>> All I can find is several howtos saying to configure something like that here on the customer port:
>>
>>  switchport
>>  switchport mode dot1q-tunnel
>
> That sounds right.
>
>> When trying to set the above commands I get this error:
>> Gi4/48 doesn't support 802.1q tunneling.
>> My linecard is a WS-X6548-GE-TX. Does that mean I cannot use QinQ here, or is there another way?
>
> You can't AFAIK. There's no alternative that I know of, and the URL Stig posted describes the limitation. It's probably a limitation in the hardware ASICs. You would need another card, like the WS-X6748-GE-TX.
>
>> The same config on a WS-X6724-SFP is accepted.
>> What I cannot find is where to set the VLAN ID that I use on my router (i.e. the outer tag, like 123 in the Foundry config). Do I need to configure it like an access port, or is there a setting somewhere else?
>
> You use "switchport access vlan <ID>". The naming might seem illogical, but considering how Catalyst switches forward traffic it does make sense.
>
>> The port towards my equipment will be on a WS-X6704-10GE card.
>> Furthermore I read about setting "vlan dot1q tag native" to support forwarding of untagged frames. How does this work if I do not know the VLANs used by my customer and therefore cannot set an ID for untagged?
>
> The "vlan dot1q tag native" has no effect on the customer facing port. It's on your core links it matters. (It's a global command though.)
>
> Cisco's native VLAN for a trunk is normally a VLAN that is untagged. There can of course be only one of these on a trunk. Untagged traffic received on a port is assumed to be in this VLAN. If you were to transport customer traffic in a VLAN that is used as a native VLAN on one of your trunks you could end up having the traffic go places you don't expect. Always tagging all traffic, even the native VLAN, would work around this problem. Always using a native VLAN not used for anything else would give you the same result.
>
>> Is untagged traffic dropped then, or does it work anyway?
>
> The command means that untagged traffic is dropped on your core links, i.e. all trunks. Untagged traffic from a customer would carry only one tag but still be forwarded. The dot1q-tunnel ports are not considered trunks but access ports.
>
>> Concerning the MTU: do I need to increase the ports manually, or is there a setting like aggregated-vlan on some Foundrys that increases all MTUs for QinQ?
>
> You would need to configure each switchport with a higher MTU, using something like:
>
>  interface GigabitEthernet9/4
>   mtu 1508
>  !
>
>> Does increasing the interface MTUs have some side-effects to take care of if I do not touch the VLAN MTU and the MTUs of the layer 3 VLAN interfaces?
>
> I can't think of any side-effects. We always adjust the MTU of (non customer) links to whatever max the interface supports. You would only adjust the (physical) interface MTU. VLAN MTU (i.e. the "mtu #" command in vlan-config-mode) is irrelevant here; take a look at this page for an explanation (the "Note: There is no relationship between ..." section):
> http://www.cisco.com/en/US/products/hw/switches/ps700/products_configuration_example09186a008010edab.shtml#cc4
>
> Do you have any L3 VLAN interfaces (SVIs) on these customer tunnel VLANs? That doesn't make sense to me, but maybe I misunderstand.
>
>> Concerning learning of MAC addresses: on Foundry (MLX/XMR) you can turn off learning of MAC addresses on VLANs with only 2 ports (transparent-hw-flooding) to save resources. Is there an equivalent that should be used on Cisco?
>
> You can use "no mac-address-table learning vlan #". You can use it on a VLAN with more than one port, but it does mean that every frame is flooded.
>
>> Software used is 15.1(2)S; devices are only used for usual switching + routing (OSPF+BGP, MTU 1500, no MPLS) at the moment.
>
> Caveat: My experience is almost exclusively with the 6500, not the 7600. But this specific use is
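To make Peter's native-VLAN warning and the MTU arithmetic above concrete, here is an added Python model (mine, not from the thread or from Cisco) of what those ports do to a frame: the dot1q-tunnel access port pushes an outer tag carrying its access VLAN, a trunk strips the outer tag when it equals the trunk's native VLAN and "vlan dot1q tag native" is not set, and the switch at the far end of the trunk classifies an untagged frame into its own native VLAN and a tagged one by its first tag. Run through with the transport VLAN 1285 as the trunk native VLAN, the customer's own inner tag ends up steering the frame at the next hop, which is the "traffic going places you don't expect" case. It assumes the default outer TPID of 0x8100 (no "switchport dot1q ethertype" override); the customer frame and MAC addresses are constructed placeholders.

```python
import struct

# Outer-tag TPID a Catalyst dot1q-tunnel port uses by default (assumption: no
# "switchport dot1q ethertype" override on the provider side).
TPID = 0x8100
TAG_TPIDS = {0x8100, 0x88A8, 0x9100}


def _mac(addr):
    return addr if isinstance(addr, bytes) else bytes.fromhex(addr.replace(":", ""))


def build_frame(dst, src, tags, ethertype, payload):
    """Ethernet frame with zero or more 802.1Q tags, outermost first (PCP/DEI zero)."""
    hdr = _mac(dst) + _mac(src)
    for vid in tags:
        if not 1 <= vid <= 4094:
            raise ValueError(f"invalid VLAN id {vid}")
        hdr += struct.pack("!HH", TPID, vid)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Addresses, the whole tag stack (outermost first), EtherType and payload."""
    off, tags = 12, []
    while struct.unpack("!H", frame[off:off + 2])[0] in TAG_TPIDS:
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        tags.append(tci & 0x0FFF)
        off += 4
    return {"dst": frame[0:6], "src": frame[6:12], "tags": tags,
            "ethertype": struct.unpack("!H", frame[off:off + 2])[0],
            "payload": frame[off + 2:]}


def _retag(parsed, tags):
    return build_frame(parsed["dst"], parsed["src"], tags, parsed["ethertype"], parsed["payload"])


def tunnel_ingress(frame, access_vlan):
    """A "switchport mode dot1q-tunnel" port: push the access VLAN as a new outer
    tag on everything the customer sends, tagged or not."""
    p = parse_frame(frame)
    return _retag(p, [access_vlan] + p["tags"])


def trunk_egress(frame, native_vlan, tag_native):
    """An 802.1Q trunk sends its native VLAN untagged unless the global
    "vlan dot1q tag native" is configured; other VLANs keep their outer tag."""
    p = parse_frame(frame)
    if p["tags"] and p["tags"][0] == native_vlan and not tag_native:
        return _retag(p, p["tags"][1:])
    return frame


def trunk_ingress_vlan(frame, native_vlan):
    """VLAN the receiving trunk forwards in: the first tag if there is one,
    otherwise its own native VLAN."""
    tags = parse_frame(frame)["tags"]
    return tags[0] if tags else native_vlan


def tagged_payload_size(customer_mtu, tag_depth):
    """Customer payload plus 4 bytes per tag the provider port must carry:
    1500 with two tags (S-tag + C-tag) gives the 1508 used in the thread."""
    return customer_mtu + 4 * tag_depth


# Constructed customer frame: full 1500-byte IPv4 payload, already tagged with C-VLAN 100.
CUSTOMER_FRAME = build_frame("00:11:22:33:44:55", "00:aa:bb:cc:dd:ee", [100], 0x0800, b"\x00" * 1500)

if __name__ == "__main__":
    on_trunk = tunnel_ingress(CUSTOMER_FRAME, 1285)
    print("tags on the provider trunk:", parse_frame(on_trunk)["tags"])
    leaked = trunk_egress(on_trunk, native_vlan=1285, tag_native=False)
    print("next hop forwards in VLAN", trunk_ingress_vlan(leaked, native_vlan=1285))
```

The model deliberately reads the whole tag stack on parse so the test can see both tags; a real switch only looks at the first one when forwarding, which is exactly why stripping the outer tag on the native VLAN hands control to the customer's inner tag.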
[c-nsp] WARNING: Netflow Data Export Hardware assisted NAT not supported on 76xx/65xx on the same interface
Last winter we purchased a pair of 7606 routers to use out at the NYSE colo facility. We connect via a 1gb fiber to the SFTI LCN for market data and FIX traffic. We fully expected to be able to use hardware assisted NAT and NDE to monitor the traffic. The netflow output we get is random, sporadic and very incomplete.

After dealing with our Sales team and TAC, we have finally got them to admit that it doesn't work when NAT and NDE are configured on the same interface. Nowhere in the Cisco marketing literature, Cisco documentation, or even Cisco bug lists does it mention this. There are some caveats listed regarding NDE and NAT (flow mask conflicts, and fragments), but even given that, the caveats imply that it will work if the caveats don't apply or the flowmask conflicts are resolved. Also, there are no warnings when configuring it. The feature manager shows no errors or conflicts, etc...

At every step, in my opinion, Cisco has been reluctant to admit that it doesn't work. Only when confronted with the evidence did they finally admit it. Had we known of this limitation, we would have purchased different hardware, including possibly another vendor's solution.

I'm looking at using SPAN to replicate the data and send it to a Linux box to then create netflow data exports; however, given the nature of the data (high bandwidth and microbursts), I'm not sure that the Linux box will work accurately. I assumed the PFC would be doing the exports in hardware, giving us the most accurate realtime look at the market data. Evidently I was wrong.

I'm sending this so that no one else will make the same mistake we did, as well as to have it in the nsp archives.

Matthew Huff | 1 Manhattanville Rd
Director of Operations | Purchase, NY 10577
OTA Management LLC | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139
Re: [c-nsp] WARNING: Netflow Data Export Hardware assisted NAT not supported on 76xx/65xx on the same interface
NAT on the 6500/7600 doesn't work well and uses substantial software resources. NDE on the 6500/7600 has a large number of limitations. Netflow itself is done in hardware but the export is done in software. I have used both on the 6500 platform with no issues, so it may be software dependent.

I migrated off of netflow to the SPAN setup you describe with specialized software versus attempting to generate netflow data. SPAN as you describe works well, but you are limited by the replication on the PFC/DFC. If you are only interested in 'interesting' TCP traffic (ignore packets with ACK only) you can sample very large quantities of data on the Linux box. This can be done with VACL functions. If your data is mostly UDP it may be more difficult to determine what is interesting.

Mack

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Matthew Huff
Sent: Friday, August 26, 2011 10:26 AM
To: 'cisco-nsp@puck.nether.net'
Subject: [c-nsp] WARNING: Netflow Data Export Hardware assisted NAT not supported on 76xx/65xx on the same interface
[c-nsp] LACP in 7206VXR with NPE-G1
I'm running IOS 12.4-12c advanced IP services. LACP is supposedly supported, and I can create a port-channel and add the gigabit ethernet interfaces to it. However, I can't find any of the LACP configuration commands such as mode active/passive, system-ID, etc. Any help would be appreciated.

I suspect I need a different IOS or possibly feature set, but have tried several with no success. Bug toolkit returns nothing obvious.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] WARNING: Netflow Data Export Hardware assisted NAT not supported on 76xx/65xx on the same interface
On 8/26/2011 11:25 AM, Matthew Huff wrote:
> We fully expected to be able to use hardware assisted NAT and NDE to monitor the traffic.

Why?

> The netflow output we get is random, sporadic and very incomplete.

This is a very well known limitation.

> After dealing with our Sales team and TAC, we have finally got them to admit that it doesn't work when NAT and NDE are configured on the same interface.

Keep in mind, not a lot of people, even within Cisco, really understand the limitations.

> Nowhere in the Cisco marketing literature,

That's marketing. Marketing doesn't list, describe or otherwise detail hardware limitations or caveats.

> Cisco Documentation, or even Cisco bug lists does it mention this.

See above. But, I'm sure someone has come across this on this list.

> There are some caveats listed regarding NDE and NAT (flow mask conflicts, and fragments), but even given that, the caveats imply that it will work if the caveats don't apply or the flowmask conflicts are resolved. Also, there are no warnings when configuring it. The feature manager shows no errors or conflicts, etc...

The platform (and the related 6500) is VERY well known to have serious limitations around netflow. NAT is a netflow assisted feature.

> At every step, in my opinion, cisco has been reluctant to admit that it doesn't work.

See my above comment. I know people with 10 years of 6500 experience that don't know some of the limitations.

> Had we known of this limitation,

Was that part of your requirements prior to purchasing it? Are you working with knowledgeable people?

It's unfortunate that the platform doesn't meet your requirement. I hope you can find some knowledgeable Cisco people in the future to help you with your design and purchasing.

tv
[c-nsp] HDLC PPP encapsulation
If two nodes are connected via a single E1 or multiple E1s, for what purpose are both HDLC and PPP encapsulation used?

Node A ---E1--- Node B