Re: [c-nsp] Testing Tools
Do you know about dns request tool?

BRgds
Henrry H
ITALTEL

On 01/07/2013, at 00:12, Rati Berikaant Jokhadze iinf...@gmail.com wrote:

> Yersinia http://www.yersinia.net/
>
> On 07/01/2013 02:15 AM, M K wrote:
>> Hi
>> I am trying to test some features on Catalyst switches
>> I want attack tools to test mac layer attacks, Vlan Hopping, DHCP spoofing attacks
>> Is there any free testing tools to test these?
>>
>> Thanks
>> BR,

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Testing Tools
Hi,

Take a look at www.netrounds.com
Cloud-based with active probes in your network. You can configure your own test schemes etc.

/Fredrik

On 1 Jul 2013 00:31, M K gunner_...@live.com wrote:

> Hi
> I am trying to test some features on Catalyst switches
> I want attack tools to test mac layer attacks, Vlan Hopping, DHCP spoofing attacks
> Is there any free testing tools to test these?
>
> Thanks
> BR,
Re: [c-nsp] SDR//Logical Routers
Hi Amit,

Unfortunately there's no option to configure two BGP processes in XE yet.
If you only need to act as a different AS# for a particular eBGP or even iBGP peer, you might use the local-as feature.
Or if you would like to achieve more separation you might be looking at the route-server-context feature and prepend desired AS# manually via route-map.

adam

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Dhamija Amit
Sent: Friday, June 28, 2013 7:10 PM
To: Andrew Miehs
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] SDR//Logical Routers

VRF Lite is only to separate the Global VPN Routing table.
My requirement is to have two routing domains i.e 2 AS Numbers in a single router, One to be used for EBGP Second for IBGP.

On Fri, 6/28/13, Andrew Miehs and...@2sheds.de wrote:

> Subject: Re: [c-nsp] SDR//Logical Routers
> To: Dhamija Amit amiitdham...@yahoo.com
> Cc: cisco-nsp@puck.nether.net cisco-nsp@puck.nether.net
> Date: Friday, June 28, 2013, 10:40 AM
>
> VRF Lite ?
>
> Sent from a mobile device
>
> On 28/06/2013, at 20:04, Dhamija Amit amiitdham...@yahoo.com wrote:
>
>> Hi
>>
>> Could you please let me know if ASR - 1K Supports the concept of Logical Routers or SDR ??
>> Or else is there any separate mechanism to isolate the routings between two domains on ASR 1K.
>>
>> Thanks
>> Amit Dhamija
Re: [c-nsp] EIGRP as IPV6 PE-CE
Just verified on XR 4.2.3

router eigrp 123
 vrf test
  address-family ipv6

(config-eigrp-vrf-af)#?
  autonomous-system      Set the autonomous system of VRF
  clear                  Clear the uncommitted configuration
  commit                 Commit the configuration changes to running
  default-metric         Set metric of redistributed routes
  describe               Describe a command without taking real actions
  distance               Set distance for EIGRP routes
  do                     Run an exec command
  exit                   Exit from this submode
  interface              EIGRP interface configuration submode
  log-neighbor-changes   Enable/Disable EIGRP neighbor logging
  log-neighbor-warnings  Enable/Disable EIGRP neighbor warnings
  maximum-paths          Maximum paths
  maximum-prefix         Maximum number of IP prefixes acceptable in aggregate
  metric                 Modify EIGRP routing metrics and parameters
  neighbor               Neighbor prefix limits configuration
  no                     Negate a command or set its defaults
  nsf                    Address family specific NSF related configuration
  pwd                    Commands used to reach current submode
  redistribute           Redistribute another protocol
  root                   Exit to the global configuration mode
  route-policy           Configure inbound/outbound policies
  router-id              Set router ID
  show                   Show contents of configuration
  stub                   EIGRP stub
  timers                 Configure EIGRP timers
  variance               Control load balancing variance

adam

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of M K
Sent: Friday, June 28, 2013 5:06 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] EIGRP as IPV6 PE-CE

Still ipv6 vrf is not implemented on IOS (Someone wrote, Cisco already did on IOS-XR line) ?
Re: [c-nsp] Testing Tools
Thanks a lot for the kind replies,
If I installed http://www.yersinia.net/download.htm on Ubuntu, can I connect this to GNS3 if anyone has tried it?

Thanks again
BR,

> Date: Mon, 1 Jul 2013 08:55:49 +0200
> Subject: Re: [c-nsp] Testing Tools
> From: fredrik.vo...@bredband2.se
> To: gunner_...@live.com
> CC: cisco-nsp@puck.nether.net
>
> Hi,
>
> Take a look at www.netrounds.com
> Cloud-based with active probes in your network. You can configure your own test schemes etc.
>
> /Fredrik
>
> On 1 Jul 2013 00:31, M K gunner_...@live.com wrote:
>
>> Hi
>> I am trying to test some features on Catalyst switches
>> I want attack tools to test mac layer attacks, Vlan Hopping, DHCP spoofing attacks
>> Is there any free testing tools to test these?
>>
>> Thanks
>> BR,
Re: [c-nsp] Drop rule at the end of CoPP conflicts with MAC learning
Hi,

If I had a support contract for that box I would open a tac case now. ;)

kind regards
Rolf

> On 28/06/2013 17:55, Rolf Hanßen wrote:
>> does not look like this is a general hardware version issue.
>
> mmm, ok. I would:
>
> - run a context diff on the configuration on each of these machines to ensure that there are no syntactic differences
> - disable and then re-enable copp on the affected box to ensure that it's reprogrammed correctly into the hardware (sometimes things get messed up on the way down to the line cards)
> - compare the output of show mls rate-limit on all machines
> - check your platform acl tcam capacity using show platform hardware capacity acl, to ensure that you still have some acl tcam space available for your copp config.
>
> If this doesn't point towards a resolution, I'd open up a tac case.
>
> Nick
>
>> But I found a box with the same hardware versions:
>>
>> Mod Port Model          Serial #  Versions
>> --- ---- -------------- --------- ------------------
>>   5    2 WS-SUP720-3B   ###       Hw : 5.3
>>                                   Fw : 8.4(2)
>>                                   Sw : 12.2(33)SXJ
>>                                   Sw1: 20.1(1)SXJ
>>          WS-SUP720      ###       Hw : 2.6
>>                                   Fw : 12.2(17r)SX7
>>                                   Sw : 12.2(33)SXJ
>>          WS-F6K-PFC3B   ###       Hw : 2.3
>>
>> This box also works as soon as I enter mls rate-limit unicast cef glean 500.
>>
>> kind regards
>> Rolf
>>
>>>> Any further ideas except hardware failure, buggy software or try rebooting it ?
>>>
>>> Could be a hardware issue. As someone else mentioned (Phil?), this particular feature is hardware revision dependent. What hardware versions are each of your SUP720s (show module)?
>>>
>>> Nick
Re: [c-nsp] Testing Tools
On 30/06/2013 23:15, M K wrote:
> Hi
> I am trying to test some features on Catalyst switches
> I want attack tools to test mac layer attacks, Vlan Hopping, DHCP spoofing attacks
> Is there any free testing tools to test these?

mausezahn: http://www.perihel.at/sec/mz/

Nick
Re: [c-nsp] Testing Tools
The latest GNS3 you can have VM's. Load a backtrack ISO in the VM, which should accomplish what you're after. BT5 has tonnes of pen testing tools for free.

If you want to have physical kit connected to GNS3, use the tap interfaces and bridge it to your Ethernet adapter.

Blinghog.net has some tutorials.

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of M K
Sent: 01 July 2013 09:07
To: Fredrik Vöcks
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Testing Tools

Thanks a lot for the kind replies,
If I installed http://www.yersinia.net/download.htm on Ubuntu, can I connect this to GNS3 if anyone has tried it?

Thanks again
BR,

> Date: Mon, 1 Jul 2013 08:55:49 +0200
> Subject: Re: [c-nsp] Testing Tools
> From: fredrik.vo...@bredband2.se
> To: gunner_...@live.com
> CC: cisco-nsp@puck.nether.net
>
> Hi,
>
> Take a look at www.netrounds.com
> Cloud-based with active probes in your network. You can configure your own test schemes etc.
>
> /Fredrik
>
> On 1 Jul 2013 00:31, M K gunner_...@live.com wrote:
>
>> Hi
>> I am trying to test some features on Catalyst switches
>> I want attack tools to test mac layer attacks, Vlan Hopping, DHCP spoofing attacks
>> Is there any free testing tools to test these?
>>
>> Thanks
>> BR,
[c-nsp] Logging
I have a question, if I have logging buffered informational (facility 6) configured, that means I am logging facility 6 and 7 messages right? Does that mean for example when I change the state of an interface like below

%LINK-5-CHANGED: Interface FastEthernet1/5, changed state to administratively down

Does that mean the log message will no longer appear as I am logging only 6 and 7?

Thanks
Re: [c-nsp] Logging
On Mon, 2013-07-01 at 14:40 +0300, M K wrote:
> I have a question, if I have logging buffered informational (facility 6) configured, that means I am logging facility 6 and 7 messages right? Does that mean for example when I change the state of an interface like below
>
> %LINK-5-CHANGED: Interface FastEthernet1/5, changed state to administratively down
>
> Does that mean the log message will no longer appear as I am logging only 6 and 7?

Nope, the reverse. The logging level you specify is the one closest to debug(7) that will be logged. So logging buffered informational will log levels 0 through 6.

(And please seriously consider using a mail user agent that can do proper formatting.)

--
Peter
[c-nsp] Finding source of ISIS authentication failure
This one has me and TAC stumped. Let's say you have a 7600 with multiple devices connected to it running ISIS. One of them has the wrong authentication key, so you see a bunch of this in the logs:

%CLNS-4-AUTH_FAIL: ISIS: LSP authentication failed

How do you find out what neighbor is causing that? We have not found any show command or debug command, either ISIS or CLNS, that would show us the source of the problem. This is very easy in OSPF, but it's starting to look pretty dang hard to do with ISIS.

Does anyone know what ninja commands or procedure I need to find the source of ISIS authentication failures from the router CLI?

Thanks,
John
Re: [c-nsp] pros and cons for IPTV multicast in rosen-mvpn vs GRT
On Monday, February 18, 2013 10:19:17 PM Sigurbjörn Birkir Lárusson wrote:
> The implementation of draft-rosen on the 7600 is very quirky and it has been our experience that there are more bugs and problems with it than can reasonably be expected. In particular in regards to protected sources (particularly problems with duplicate streams) and punting of traffic to the IBC, neither of which are easy to troubleshoot and can cause mayhem.
>
> If you intend to do a new implementation on the 7600 at this point and have your mind set on using MVPN, I'd recommend going with MLDP

When I ran an NG-MVPN network, we took advantage of the MPLS data plane and implemented FRR within the p2mp RSVP-TE tunnels. So failure within the core resulted in ultra-quick switchovers to the backup links. Most times, there was no visible effect on picture quality; sometimes, it was very minor pixelation which could have been mistaken for a cloud passing over a Ku-band dish :-).

Things were a little more challenging between the Sender and Receiver PE routers, where we ran PIM. Those links fed into BGP (which signaled PIM in the core), so the network could easily converge to backup PE-CE links (we had three) using LOCAL_PREF. This took care of where PIM Joins were going to, and in effect, where downstream traffic was coming from.

The slowest part of convergence was when the primary link returned, and BGP immediately re-installed the path toward that link (since it had the highest LOCAL_PREF), and it took as many as 30 seconds for video to resume across the new path. This was even after setting the BGP timers to their lowest (about 6.6 seconds in Junos). This also varied depending how the link was recovered, whether it was brought up with the no shutdown command or by plugging the fibre in, etc. So 30 seconds was the worst average we concluded on, for simplicity.

There was some work going on with draft-morin-l3vpn-mvpn-fast-failover-05, but I haven't followed progress or implementation of this since I stopped managing that network. Hopefully, I soon will with the new one :-).

That said, I think this draft focused mostly on p2mp RSVP-TE, I'm not sure how applicable it could be to mLDP (and certainly wouldn't be to regular IP/GRE Multicast).

Mark.
Re: [c-nsp] Finding source of ISIS authentication failure
Hi

Odd. Unless the 7600 is missing a whole load of things then you shouldn't have any issues running the standard debug commands for ISIS...I certainly did to find source of an issue on our 6500. This was on SXI release of 12.2(18) or such.. we're on 15.x now

alan
Re: [c-nsp] Finding source of ISIS authentication failure
debug isis possibly add lsp at the end

On Mon, Jul 1, 2013 at 11:41 AM, John Neiberger jneiber...@gmail.com wrote:

> This one has me and TAC stumped. Let's say you have a 7600 with multiple devices connected to it running ISIS. One of them has the wrong authentication key, so you see a bunch of this in the logs:
>
> %CLNS-4-AUTH_FAIL: ISIS: LSP authentication failed
>
> How do you find out what neighbor is causing that? We have not found any show command or debug command, either ISIS or CLNS, that would show us the source of the problem. This is very easy in OSPF, but it's starting to look pretty dang hard to do with ISIS.
>
> Does anyone know what ninja commands or procedure I need to find the source of ISIS authentication failures from the router CLI?
>
> Thanks,
> John
Re: [c-nsp] Finding source of ISIS authentication failure
We've tried pretty much every relevant isis and clns debug and haven't found one that works. It's pretty strange. I wonder if this is just a quirk of the code we're running.

On Mon, Jul 1, 2013 at 10:31 AM, Aaron dudep...@gmail.com wrote:

> debug isis possibly add lsp at the end
>
> On Mon, Jul 1, 2013 at 11:41 AM, John Neiberger jneiber...@gmail.com wrote:
>
>> This one has me and TAC stumped. Let's say you have a 7600 with multiple devices connected to it running ISIS. One of them has the wrong authentication key, so you see a bunch of this in the logs:
>>
>> %CLNS-4-AUTH_FAIL: ISIS: LSP authentication failed
>>
>> How do you find out what neighbor is causing that? We have not found any show command or debug command, either ISIS or CLNS, that would show us the source of the problem. This is very easy in OSPF, but it's starting to look pretty dang hard to do with ISIS.
>>
>> Does anyone know what ninja commands or procedure I need to find the source of ISIS authentication failures from the router CLI?
>>
>> Thanks,
>> John
Re: [c-nsp] Finding source of ISIS authentication failure
This box is running 12.2(33)SRC code. The TAC engineer and I haven't really found a good way to find what we're looking for. I have found some debugs that confirm that we're having an authentication problem but they also don't show the source of the problem. Not even an interface.

On Mon, Jul 1, 2013 at 10:17 AM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:

> Hi
>
> Odd. Unless the 7600 is missing a whole load of things then you shouldn't have any issues running the standard debug commands for ISIS...I certainly did to find source of an issue on our 6500. This was on SXI release of 12.2(18) or such.. we're on 15.x now
>
> alan
Re: [c-nsp] Finding source of ISIS authentication failure
When testing on 12.4 code I get the following from debug isis adj-packets and debug isis authentication information:

ISIS-Adj: Rec L2 IIH from c201.0d84. (FastEthernet0/0), cir type L1L2, cir id ..0002.01, length 1497
ISIS-AuthInfo: Packet failed the md5 check, 1497 bytes, type 16
ISIS-Adj: Authentication failed

So the MAC address and interface is recorded. Don't you have these debugs or do your debugs not show this information?

Best regards,
Daniel Dib
CCIE #37149

2013-07-01 18:31, John Neiberger wrote:

> This box is running 12.2(33)SRC code. The TAC engineer and I haven't really found a good way to find what we're looking for. I have found some debugs that confirm that we're having an authentication problem but they also don't show the source of the problem. Not even an interface.
>
> On Mon, Jul 1, 2013 at 10:17 AM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
>
>> Hi
>>
>> Odd. Unless the 7600 is missing a whole load of things then you shouldn't have any issues running the standard debug commands for ISIS...I certainly did to find source of an issue on our 6500. This was on SXI release of 12.2(18) or such.. we're on 15.x now
>>
>> alan
Re: [c-nsp] Finding source of ISIS authentication failure
On (2013-07-01 10:31 -0600), John Neiberger wrote:

> This box is running 12.2(33)SRC code. The TAC engineer and I haven't really found a good way to find what we're looking for. I have found some debugs that confirm that we're having an authentication problem but they also don't show the source of the problem. Not even an interface.

I think best you can see is existence of auth TLV and its length 'show isis database detail'.

If this is not sufficient precision SPAN the control-plane traffic over GRE to some linux PC and wireshark it, to see exactly the bytes of the auth TLV.

--
++ytti
Re: [c-nsp] Finding source of ISIS authentication failure
Hi,

have you tried debug isis update-packets? Works on SRC2:

000484: Jul 1 19:27:57.428: ISIS-Upd (proc): Rec L2 LSP ID, seq 1D, ht 65171,
000485: Jul 1 19:27:57.428: ISIS-Upd (proc): from SNPA ID (GigabitEthernet2/0/0)
000486: Jul 1 19:27:57.428: %CLNS-4-AUTH_FAIL: ISIS: LSP authentication failed
000487: Jul 1 19:27:57.428: ISIS-Upd (proc): LSP authentication failed

br
Thomas

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of John Neiberger
Sent: Monday, 1 July 2013 18:31
To: Alan Buxey
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Finding source of ISIS authentication failure

This box is running 12.2(33)SRC code. The TAC engineer and I haven't really found a good way to find what we're looking for. I have found some debugs that confirm that we're having an authentication problem but they also don't show the source of the problem. Not even an interface.

On Mon, Jul 1, 2013 at 10:17 AM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:

> Hi
>
> Odd. Unless the 7600 is missing a whole load of things then you shouldn't have any issues running the standard debug commands for ISIS...I certainly did to find source of an issue on our 6500. This was on SXI release of 12.2(18) or such.. we're on 15.x now
>
> alan
Re: [c-nsp] Finding source of ISIS authentication failure
As pointed out to me by Ytti I was doing interface authentication and you are doing LSP authentication. I changed my lab and got the following debug from debug isis update-packets:

ISIS-Upd: Rec L1 LSP ..0002.00-00, seq 4, ht 1199,
ISIS-Upd: from SNPA c201.22dc. (FastEthernet0/0)
%CLNS-4-AUTH_FAIL: ISIS: LSP authentication failed

So there you have the system ID which was 000..0002 for my NET which was 49.0001...0002

This URL seems to explain it pretty well:

http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080093f36.shtml#tshoot [3]

Best regards,
Daniel Dib
CCIE #37149

2013-07-01 19:33, daniel@reaper.nu wrote:

> When testing on 12.4 code I get the following from debug isis adj-packets and debug isis authentication information:
>
> ISIS-Adj: Rec L2 IIH from c201.0d84. (FastEthernet0/0), cir type L1L2, cir id ..0002.01, length 1497
> ISIS-AuthInfo: Packet failed the md5 check, 1497 bytes, type 16
> ISIS-Adj: Authentication failed
>
> So the MAC address and interface is recorded. Don't you have these debugs or do your debugs not show this information?
>
> Best regards,
> Daniel Dib
> CCIE #37149
>
> 2013-07-01 18:31, John Neiberger wrote:
>
>> This box is running 12.2(33)SRC code. The TAC engineer and I haven't really found a good way to find what we're looking for. I have found some debugs that confirm that we're having an authentication problem but they also don't show the source of the problem. Not even an interface.

Links:
--
[1] http://puck.nether.net/pipermail/cisco-nsp/
[2] https://puck.nether.net/mailman/listinfo/cisco-nsp
[3] http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080093f36.shtml#tshoot
Re: [c-nsp] Finding source of ISIS authentication failure
Yep, that's the one we were looking for. I don't know how we missed it before. I tried it now and it gave us the info I was looking for. I know I tried it before, but I think maybe I had it enabled along with other debug commands and just missed it in the flood of info. It's easy to spot when you only have that one enabled.

Thanks!
John

On Mon, Jul 1, 2013 at 11:38 AM, Thomas Sillaber tlis...@t-online.de wrote:

> Hi,
>
> have you tried debug isis update-packets? Works on SRC2:
>
> 000484: Jul 1 19:27:57.428: ISIS-Upd (proc): Rec L2 LSP ID, seq 1D, ht 65171,
> 000485: Jul 1 19:27:57.428: ISIS-Upd (proc): from SNPA ID (GigabitEthernet2/0/0)
> 000486: Jul 1 19:27:57.428: %CLNS-4-AUTH_FAIL: ISIS: LSP authentication failed
> 000487: Jul 1 19:27:57.428: ISIS-Upd (proc): LSP authentication failed
>
> br
> Thomas
>
> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of John Neiberger
> Sent: Monday, 1 July 2013 18:31
> To: Alan Buxey
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] Finding source of ISIS authentication failure
>
> This box is running 12.2(33)SRC code. The TAC engineer and I haven't really found a good way to find what we're looking for. I have found some debugs that confirm that we're having an authentication problem but they also don't show the source of the problem. Not even an interface.
>
> On Mon, Jul 1, 2013 at 10:17 AM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
>
>> Hi
>>
>> Odd. Unless the 7600 is missing a whole load of things then you shouldn't have any issues running the standard debug commands for ISIS...I certainly did to find source of an issue on our 6500. This was on SXI release of 12.2(18) or such.. we're on 15.x now
>>
>> alan
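Added example, not part of the thread: a small Python parser that pairs each %CLNS-4-AUTH_FAIL message with the debug isis update-packets lines that precede it, so the rejected LSP can be tied to an interface and SNPA even in a noisy capture. The log lines are constructed to mirror the format quoted in the messages above; the addresses, LSP IDs and function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample modelled on the "debug isis update-packets" lines quoted
# in this thread. LSP IDs, SNPA (MAC) addresses and interfaces are made up.
SAMPLE_LOG = """\
000484: Jul  1 19:27:57.428: ISIS-Upd (proc): Rec L2 LSP 0000.0000.0002.00-00, seq 1D, ht 65171,
000485: Jul  1 19:27:57.428: ISIS-Upd (proc): from SNPA 0011.2233.4455 (GigabitEthernet2/0/0)
000486: Jul  1 19:27:57.428: %CLNS-4-AUTH_FAIL: ISIS: LSP authentication failed
000487: Jul  1 19:27:57.428: ISIS-Upd (proc): LSP authentication failed
000488: Jul  1 19:27:58.101: ISIS-Upd (proc): Rec L2 LSP 0000.0000.0003.00-00, seq 2A, ht 1199,
000489: Jul  1 19:27:58.101: ISIS-Upd (proc): from SNPA 0011.2233.6677 (GigabitEthernet2/0/1)
000490: Jul  1 19:27:59.512: ISIS-Upd: Rec L1 LSP 0000.0000.0002.00-00, seq 1E, ht 1198,
000491: Jul  1 19:27:59.512: ISIS-Upd: from SNPA 0011.2233.4455 (GigabitEthernet2/0/0)
000492: Jul  1 19:27:59.512: %CLNS-4-AUTH_FAIL: ISIS: LSP authentication failed
000493: Jul  1 19:28:03.000: %CLNS-4-AUTH_FAIL: ISIS: LSP authentication failed
"""

UNKNOWN = "unknown"

# Both variants seen in the thread: "ISIS-Upd (proc):" and plain "ISIS-Upd:".
REC_RE = re.compile(r"ISIS-Upd(?: \([^)]*\))?: Rec (L[12]) LSP (\S+?),")
SNPA_RE = re.compile(r"ISIS-Upd(?: \([^)]*\))?: from SNPA (\S+) \(([^)]+)\)")
FAIL_RE = re.compile(r"%CLNS-4-AUTH_FAIL: ISIS: LSP authentication failed")


def attribute_failures(log_text):
    """Count auth failures per (interface, SNPA, LSP ID).

    A failure is attributed to the most recent "Rec ... LSP" / "from SNPA"
    pair. The context is cleared after each failure and replaced by every new
    "Rec" line, so an accepted LSP is never blamed and a failure logged
    without context lands in the "unknown" bucket instead of on a neighbour.
    """
    failures = Counter()
    pending = {}
    for line in log_text.splitlines():
        rec = REC_RE.search(line)
        if rec:
            pending = {"lsp_id": rec.group(2)}
            continue
        snpa = SNPA_RE.search(line)
        if snpa and pending:
            pending["snpa"], pending["interface"] = snpa.group(1), snpa.group(2)
            continue
        if FAIL_RE.search(line):
            key = (pending.get("interface", UNKNOWN),
                   pending.get("snpa", UNKNOWN),
                   pending.get("lsp_id", UNKNOWN))
            failures[key] += 1
            pending = {}
    return failures


def system_id(lsp_id):
    """Strip the pseudonode/fragment suffix from an LSP ID.

    The LSP ID names the router that originated the LSP; because LSPs are
    flooded, the SNPA and interface name the directly attached sender.
    """
    return lsp_id.rsplit(".", 1)[0]


if __name__ == "__main__":
    for (ifname, snpa, lsp), count in attribute_failures(SAMPLE_LOG).most_common():
        origin = system_id(lsp) if lsp != UNKNOWN else UNKNOWN
        print(f"{count} failure(s): interface={ifname} snpa={snpa} originator={origin}")
```
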
Re: [c-nsp] Finding source of ISIS authentication failure
Thanks! On a related note, I'm stumped by the bewildering array of authentication options and commands in 12.2. We know that some authentication problem exists between this 7600 and another device but I don't know exactly what it is. We have the following on our interfaces:

isis authentication mode md5
isis authentication key-chain OurChain

It is my understanding that in IOS, this enables hello authentication only. Not sure if that is even remotely correct. We have the same thing under router isis:

router isis
 authentication mode md5
 authentication key-chain OurChain

I thought that this enabled area authentication in IOS, but I'm reading a 12.2 ISIS configuration guide that seems to indicate otherwise. So, I'm confused. What exactly are we authenticating as currently configured? We do not have an explicit area password or domain password set. It was my assumption that the current config was doing hello and area authentication, but the more I read, the more I realize that I don't know what IOS is doing here.

Thanks!
John

On Mon, Jul 1, 2013 at 12:07 PM, daniel@reaper.nu wrote:

> As pointed out to me by Ytti I was doing interface authentication and you are doing LSP authentication. I changed my lab and got the following debug from debug isis update-packets:
>
> ISIS-Upd: Rec L1 LSP ..0002.00-00, seq 4, ht 1199,
> ISIS-Upd: from SNPA c201.22dc. (FastEthernet0/0)
> %CLNS-4-AUTH_FAIL: ISIS: LSP authentication failed
>
> So there you have the system ID which was 000..0002 for my NET which was 49.0001...0002
>
> This URL seems to explain it pretty well:
>
> http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080093f36.shtml#tshoot [3]
>
> Best regards,
> Daniel Dib
> CCIE #37149
>
> 2013-07-01 19:33, daniel@reaper.nu wrote:
>
>> When testing on 12.4 code I get the following from debug isis adj-packets and debug isis authentication information:
>>
>> ISIS-Adj: Rec L2 IIH from c201.0d84. (FastEthernet0/0), cir type L1L2, cir id ..0002.01, length 1497
>> ISIS-AuthInfo: Packet failed the md5 check, 1497 bytes, type 16
>> ISIS-Adj: Authentication failed
>>
>> So the MAC address and interface is recorded. Don't you have these debugs or do your debugs not show this information?
>>
>> Best regards,
>> Daniel Dib
>> CCIE #37149
>>
>> 2013-07-01 18:31, John Neiberger wrote:
>>
>>> This box is running 12.2(33)SRC code. The TAC engineer and I haven't really found a good way to find what we're looking for. I have found some debugs that confirm that we're having an authentication problem but they also don't show the source of the problem. Not even an interface.
>
> Links:
> --
> [1] http://puck.nether.net/pipermail/cisco-nsp/
> [2] https://puck.nether.net/mailman/listinfo/cisco-nsp
> [3] http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080093f36.shtml#tshoot