Re: [c-nsp] DHCP relay still forwarding to old helper even if it's removed or changed
On Mon, 2015-01-19 at 21:18 +0200, Tarko Tikan wrote:
>> I tried to change the helper address, but after making the change, the box was still routing broadcasts to the old helper.
> Are you 100% sure it's actually relayed traffic and not DHCP client that remembers DHCP server address and unicasts the request?

On Mon, 2015-01-19 at 19:20 -0500, Jason Lixfeld wrote:
> The lease timer is 3 minutes, so if after 4 minutes it's still trying to reach the old server, it shouldn't be a client-side problem. That said, I'll reboot a client tomorrow and see what happens.

As long as the client can actually renew the lease it will continue to unicast requests to the old server. So unless the scope is disabled on the old server (making it reply with NAKs or not reply) they will not move to the new server.

Are you actually seeing DISCOVERs on the old server? Or just REQUESTs? (Takes a server that actually logs this to find out of course.)

--
Peter

___
cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] DHCP Proxy
As far as I'm aware, there is only DHCP option 252 which can be used to specify the URL of a wpad.dat file (which can in turn be used to specify proxy settings). You can configure custom DHCP options in IOS (such as option 252) - Google will help you find the relevant documentation.

Josh

On Tue, Jan 20, 2015 at 3:39 PM, Ambedkar p.ambed...@gmail.com wrote:
> Hi,
>
> I want to send the proxy settings, including IP address and port number, through DHCP in Cisco routers and switches. Is it possible to send? If yes, how?
>
> Thanks in advance,
> P Ambedkar, Hyderabad.
Re: [c-nsp] DHCP Proxy
On Tue, 2015-01-20 at 10:09 +0530, Ambedkar wrote:
> I want to send the proxy settings, including IP address and port number, through DHCP in Cisco routers and switches. Is it possible to send? If yes, how?

Can you be a bit more precise? Do you want to forward DHCP requests on a non-standard port, i.e. not 67/UDP? You could configure IOS to forward the packets as such, but I'm not sure the forwarding router will fill in the required GI-address and other stuff. Otherwise it's:

  ip forward-protocol udp <port>

Maybe IOS will recognize that it's UDP as long as it's processed, or maybe it will only do the DHCP relay specific processing on port 67/UDP.

If you could describe what problem you're trying to solve then maybe someone on the list has good advice. :-)

--
Peter
Re: [c-nsp] DHCP Proxy
On Tue, 2015-01-20 at 09:06 +0100, Peter Rathlev wrote:
> On Tue, 2015-01-20 at 10:09 +0530, Ambedkar wrote:
>> I want to send the proxy settings, including IP address and port number, through DHCP in Cisco routers and switches. Is it possible to send? If yes, how?
>
> Can you be a bit more precise? Do you want to forward DHCP requests on a non-standard port, i.e. not 67/UDP?
> [...]

Sorry, misread your question. :-) Joshua seems to have it right.

According to Microsoft Technet:
http://technet.microsoft.com/en-us/library/cc940962%28v=ws.10%29.aspx
the option 252 is a string in the format:

  http://SecurityServerName:PortNumber/wpad.dat

Configuration like this could thus work:

  ip dhcp pool 192.0.2.0/24
   [ other options and parameters ]
   option 252 ascii http://192.0.2.50:1234/wpad.dat;
   exit
  !

Beware that some clients aren't asking for option 252 during the DORA sequence and instead send INFORMs some time after, as this message seems to imply:
https://lists.isc.org/pipermail/dhcp-users/2013-September/017193.html

As far as I know, in IOS you can't send options the client isn't asking for in the REQUEST. (That is: You can't modif
Which means your clients might not pick up the WPAD option at all.

--
Peter
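Both DHCP threads above come down to what is in the packet: whether a request was relayed (giaddr filled in by the relay) or unicast straight from a renewing client (giaddr zero), which message type it is, and whether the client's parameter request list (option 55) asks for option 252 at all. The following Python decoder is an added example, not code from the list or from IOS; the sample messages are constructed, reusing the 192.0.2.x addresses from Peter's reply.

```python
# Added example: decode the DHCP fields the two threads turn on.
# Message type is option 53, the parameter request list is option 55,
# and option 252 carries the WPAD URL as an ASCII string.

DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}

def parse_options(data):
    """Parse the TLV option area that follows the magic cookie into {code: bytes}."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 0:            # pad byte: no length field
            i += 1
            continue
        if code == 255:          # end marker
            break
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def analyze(payload):
    """Summarize a raw BOOTP/DHCP UDP payload."""
    if payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message (magic cookie missing)")
    giaddr = payload[24:28]
    opts = parse_options(payload[240:])
    mtype = opts.get(53, b"\x00")[0]
    requested = set(opts.get(55, b""))
    return {
        "type": MSG_TYPES.get(mtype, f"UNKNOWN({mtype})"),
        # a relay agent fills in giaddr; a client renewing by unicast leaves it zero
        "relayed": giaddr != bytes(4),
        "giaddr": ".".join(str(b) for b in giaddr),
        "asks_for_252": 252 in requested,
        "wpad_url": opts[252].decode("ascii", "replace") if 252 in opts else None,
    }

def build_option_252(url):
    """Encode option 252 the way a server sends it: code, length, ASCII string."""
    encoded = url.encode("ascii")
    return bytes([252, len(encoded)]) + encoded

def make_message(giaddr, options):
    """Minimal BOOTREQUEST with the given giaddr and option bytes (constructed test data)."""
    header = bytearray(236)
    header[0] = 1                      # op = BOOTREQUEST
    header[24:28] = giaddr
    return bytes(header) + DHCP_MAGIC + options + b"\xff"

if __name__ == "__main__":
    # Constructed samples, not captures from the list.
    relayed_discover = make_message(bytes([192, 0, 2, 1]), bytes([53, 1, 1, 55, 4, 1, 3, 6, 252]))
    unicast_renew = make_message(bytes(4), bytes([53, 1, 3, 55, 3, 1, 3, 6]))
    offer = make_message(bytes(4), bytes([53, 1, 2]) + build_option_252("http://192.0.2.50:1234/wpad.dat"))
    for msg in (relayed_discover, unicast_renew, offer):
        print(analyze(msg))
```

A server log that records only message counts cannot distinguish the two cases; a capture decoded this way shows directly whether the old helper is receiving relayed DISCOVERs or only clients' own unicast REQUESTs.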
[c-nsp] ASR9001 doesn't send log messages
Dear colleagues,

I have an ASR9001-S with IOS XR 5.1.3. I have configured the router to send the log messages to a syslog server with the following configuration:

  logging trap debugging
  logging buffered debugging
  logging 10.2.32.254 vrf MGMT severity debugging
  logging source-interface Lo20 vrf MGMT

  interface Loopback20
   description Mgmt in-band
   vrf MGMT
   ipv4 address 10.2.33.129 255.255.255.255

The router can ping the syslog server and the server firewall permits the packets. I have put a tcpdump sniffing packets but I don't see any syslog packet. Are there missing commands that I have to configure? Is it a bug?

I have the same problem with the configuration backup. I have configured:

  configuration commit auto-save filename tftp://10.2.32.254/config.cfg
  tftp client vrf MGMT source-interface Loopback20

Best regards,
Jordi
[c-nsp] Cisco 1841 with IOS 12.4(3i) does not pad frame to 68 bytes if it adds the 802.1q field?
Hi,

I have the following network topology:

T60_laptop[eth2] - [Fa0/1]C1841_1[Fa0/0] - [Fa0/1]C1841_2[Fa0/0] - [Fa0/0]C1841_3[Fa0/1] - passive_network_tap - [Gi0/23]C2960[Gi0/1] - [eth0]HP_laptop

C2960 interface Gi0/23 is an 802.1q trunk interface with a very simple configuration:

interface GigabitEthernet0/23
 switchport mode trunk
 media-type rj45
 speed auto 100
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
end

Likewise, there is an 802.1q sub-interface configured on C1841_3:

interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.2
 encapsulation dot1Q 2
 ip address 192.168.23.254 255.255.255.0
 no ip redirects
 ip nat inside
 no ip virtual-reassembly
 no snmp trap link-status
!

Now if I send ICMP echo request messages with no payload (ping 192.168.23.1 -s 0) from T60_laptop to HP_laptop, then T60_laptop puts the following frames onto the wire:
https://www.cloudshark.org/captures/19068f94522c

As seen from the packet capture, packets are padded with zeros correctly to 64 bytes (includes FCS). So far everything looks good. Now the packet is sent over the IPsec tunnel to the C1841_3 router, which needs to send the packet over the Fa0/1.2 interface. This means that C1841_3 has to add the IEEE 802.1q field. Now if I packet-capture those ICMP echo request messages originated from T60_laptop with a passive network tap right before they reach the C2960 switch port Gi0/23, then C1841_3 puts the following frames onto the wire:
https://www.cloudshark.org/captures/6c935c056545

As seen from the packet capture, the 4-byte 802.1q field is added to the frame as it should be, but for some reason the packet is not padded to 68 bytes but left at 64 bytes (again, capture results include the FCS).

WS-C2960G-24TC-L switch port Gi0/23 receives those frames, counts them properly as TrunkFramesRx according to "sh int Gi0/23 counters trunk", but also counts those frames as UnderSize according to "sh int Gi0/23 counters errors":

WS-C2960G-24TC-L#sh int Gi0/23 counters errors

Port        Align-Err    FCS-Err   Xmit-Err    Rcv-Err  UnderSize
Gi0/23              0          0          0          0         12

Port      Single-Col Multi-Col  Late-Col Excess-Col Carri-Sen     Runts    Giants
Gi0/23             0         0         0          0         0         0         0
WS-C2960G-24TC-L#

This makes sense, as after popping the 802.1q field the frame is 60 bytes in length. Am I correct that this is erroneous behavior and thus a bug in the C1841_3 router? I also checked Cisco Bug Search for bugs for the 1841 platform and the c1841-advsecurityk9-mz.124-3i.bin software release, but found nothing related. Has anyone seen something like this before? In addition, what I also find strange is that the C2960 switch forwards the frames to HP_laptop instead of dropping them. Or maybe it is the switch which should pad the frame back to 64 bytes according to the RFCs and thus the router behaves correctly?

Please let me know if additional information is needed.

thanks,
Martin
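The size arithmetic in Martin's question, as an added example in Python (not code from the thread or from any Cisco product): a router builds a fresh Ethernet frame around the routed IP packet, so the laptop's original padding does not survive, and the question is only whether the tagged frame is padded to 60 bytes (64 on the wire) or to 64 bytes (68 on the wire). The tag_aware_padding=False path reproduces the behaviour seen in the second capture, and undersize_after_pop models what the 2960 counted after stripping the tag. Sample MACs and the IP/ICMP bytes are constructed; only their lengths matter.

```python
# Added example: minimum-frame padding with and without an 802.1Q tag.
# All lengths exclude the 4-byte FCS unless a function says "wire".

MIN_FRAME_NO_FCS = 60   # 64 bytes on the wire once the FCS is appended
FCS_LEN = 4
TAG_LEN = 4
TPID_8021Q = b"\x81\x00"
ETHERTYPE_IPV4 = b"\x08\x00"

def build_frame(dst, src, ip_packet, vid=None, tag_aware_padding=True):
    """Wrap a routed IP packet in an Ethernet frame as a router's egress does.
    tag_aware_padding=False reproduces the 1841 behaviour in the thread: the
    tagged frame is padded only to the untagged minimum (60 + FCS = 64)."""
    header = dst + src
    if vid is not None:
        tci = vid & 0x0FFF                       # PCP 0, DEI 0
        header += TPID_8021Q + tci.to_bytes(2, "big")
    frame = header + ETHERTYPE_IPV4 + ip_packet
    minimum = MIN_FRAME_NO_FCS
    if vid is not None and tag_aware_padding:
        minimum += TAG_LEN                       # 64 without FCS, 68 on the wire
    return frame + bytes(max(0, minimum - len(frame)))

def is_tagged(frame):
    return frame[12:14] == TPID_8021Q

def pop_tag(frame):
    """Remove the 802.1Q tag without re-padding."""
    return frame[:12] + frame[16:] if is_tagged(frame) else frame

def wire_length(frame):
    return len(frame) + FCS_LEN

def undersize_after_pop(frame):
    """True if the frame is below the 64-byte wire minimum once the tag is
    popped, which is what the 2960 in the thread reports as UnderSize."""
    return wire_length(pop_tag(frame)) < MIN_FRAME_NO_FCS + FCS_LEN

# Constructed sample: 20-byte IPv4 header + 8-byte ICMP echo header, no data,
# the same lengths as "ping -s 0" in the thread. Not a real capture.
IP_ICMP_NO_DATA = bytes([0x45]) + bytes(19) + bytes([8, 0]) + bytes(6)
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")

if __name__ == "__main__":
    cases = (("untagged", build_frame(DST, SRC, IP_ICMP_NO_DATA)),
             ("tagged, no re-pad", build_frame(DST, SRC, IP_ICMP_NO_DATA, vid=2, tag_aware_padding=False)),
             ("tagged, re-padded", build_frame(DST, SRC, IP_ICMP_NO_DATA, vid=2)))
    for name, f in cases:
        print(f"{name:18s} wire={wire_length(f)} undersize_after_pop={undersize_after_pop(f)}")
```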
Re: [c-nsp] Cisco 1841 with IOS 12.4(3i) does not pad frame to 68 bytes if it adds the 802.1q field?
Hi,

WS-C2960G-24TC-L supports only 802.1q encapsulation:

WS-C2960G-24TC-L(config-if)#switchport trunk ?
  allowed  Set allowed VLAN characteristics when interface is in trunking mode
  native   Set trunking native characteristics when interface is in trunking mode
  pruning  Set pruning VLAN characteristics when interface is in trunking mode

WS-C2960G-24TC-L(config-if)#do sh int Gi0/23 trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi0/23      on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/23      1-4094

Port        Vlans allowed and active in management domain
Gi0/23      1-4

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/23      1-4
WS-C2960G-24TC-L(config-if)#

regards,
Martin

On 1/20/15, Rich Davies rich.dav...@gmail.com wrote:
> On your 2960 trunk port you may be missing switchport trunk encapsulation dot1q
>
> Sent from my iPhone
>
> On Jan 20, 2015, at 5:23 AM, Martin T m4rtn...@gmail.com wrote:
>> Hi,
>>
>> I have the following network topology:
>>
>> T60_laptop[eth2] - [Fa0/1]C1841_1[Fa0/0] - [Fa0/1]C1841_2[Fa0/0] - [Fa0/0]C1841_3[Fa0/1] - passive_network_tap - [Gi0/23]C2960[Gi0/1] - [eth0]HP_laptop
>>
>> C2960 interface Gi0/23 is an 802.1q trunk interface with a very simple configuration:
>>
>> interface GigabitEthernet0/23
>>  switchport mode trunk
>>  media-type rj45
>>  speed auto 100
>>  spanning-tree portfast trunk
>>  spanning-tree bpduguard enable
>> end
>>
>> Likewise, there is an 802.1q sub-interface configured on C1841_3:
>>
>> interface FastEthernet0/1
>>  no ip address
>>  duplex auto
>>  speed auto
>> !
>> interface FastEthernet0/1.2
>>  encapsulation dot1Q 2
>>  ip address 192.168.23.254 255.255.255.0
>>  no ip redirects
>>  ip nat inside
>>  no ip virtual-reassembly
>>  no snmp trap link-status
>> !
>>
>> Now if I send ICMP echo request messages with no payload (ping 192.168.23.1 -s 0) from T60_laptop to HP_laptop, then T60_laptop puts the following frames onto the wire:
>> https://www.cloudshark.org/captures/19068f94522c
>>
>> As seen from the packet capture, packets are padded with zeros correctly to 64 bytes (includes FCS). So far everything looks good. Now the packet is sent over the IPsec tunnel to the C1841_3 router, which needs to send the packet over the Fa0/1.2 interface. This means that C1841_3 has to add the IEEE 802.1q field. Now if I packet-capture those ICMP echo request messages originated from T60_laptop with a passive network tap right before they reach the C2960 switch port Gi0/23, then C1841_3 puts the following frames onto the wire:
>> https://www.cloudshark.org/captures/6c935c056545
>>
>> As seen from the packet capture, the 4-byte 802.1q field is added to the frame as it should be, but for some reason the packet is not padded to 68 bytes but left at 64 bytes (again, capture results include the FCS).
>>
>> WS-C2960G-24TC-L switch port Gi0/23 receives those frames, counts them properly as TrunkFramesRx according to "sh int Gi0/23 counters trunk", but also counts those frames as UnderSize according to "sh int Gi0/23 counters errors":
>>
>> WS-C2960G-24TC-L#sh int Gi0/23 counters errors
>>
>> Port        Align-Err    FCS-Err   Xmit-Err    Rcv-Err  UnderSize
>> Gi0/23              0          0          0          0         12
>>
>> Port      Single-Col Multi-Col  Late-Col Excess-Col Carri-Sen     Runts    Giants
>> Gi0/23             0         0         0          0         0         0         0
>> WS-C2960G-24TC-L#
>>
>> This makes sense, as after popping the 802.1q field the frame is 60 bytes in length. Am I correct that this is erroneous behavior and thus a bug in the C1841_3 router? I also checked Cisco Bug Search for bugs for the 1841 platform and the c1841-advsecurityk9-mz.124-3i.bin software release, but found nothing related. Has anyone seen something like this before? In addition, what I also find strange is that the C2960 switch forwards the frames to HP_laptop instead of dropping them. Or maybe it is the switch which should pad the frame back to 64 bytes according to the RFCs and thus the router behaves correctly?
>>
>> Please let me know if additional information is needed.
>>
>> thanks,
>> Martin
[c-nsp] Switch for vlan translation needed
Hello,

I am looking for a small switch that can do VLAN translation. It should have 1000T ports and port channel support. I want to connect one port channel with several tagged VLANs that are mapped to other VLAN IDs on another port channel.

Do you have any cheap suggestion?

kind regards
Rolf
Re: [c-nsp] Cisco 10G gear
On 17/01/2015 15:18, Justin M. Streiner wrote:
>> I have a 6500 that I want to equip with 10G. I am as confused as I can be in terms of what is / is not supported. There is also the question of what is or soon will be end-of-life.
>
> I don't know what kind of budget you have to work with, but the Sup720 and many of the 6700-series linecards are end-of-sale.

FWIW the WS-X6704-10GE is one of a fairly long list of 67xx series cards which go End-Of-Sale in July 2015.
http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-series-switches/eos-eol-notice-c51-733297.html

Alan

--
The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.
[c-nsp] RAD MiNID
Anyone got experience with RAD MiNID? I need to do some L2 protocol tunneling (L2PT), and this looks like it might scratch that itch.

--
Tim:
Re: [c-nsp] Switch for vlan translation needed
On 20/01/2015 14:01, Rolf Hanßen wrote:
> Do you have any cheap suggestion?

me3400 / me3600.

Nick
[c-nsp] SNMP and interface description - IOS-XR
In IOS 12.2(33)SRE7a, in order to read an interface description we did:

  snmpwalk -v 2c -c <snmp read community> rtr1 .1.3.6.1.4.1.9.2.2.1.1.28
  [This is the Cisco specific locIfDescr]

  SNMPv2-SMI::enterprises.9.2.2.1.1.28.3 = STRING: vidcast via vidcast-pix (Rack #6)

but we can't find the proper MIB in Cisco IOS XR Software, Version 5.1.3.

Any clue would be appreciated.

Thanks,
Hank
Re: [c-nsp] SNMP and interface description - IOS-XR
On Jan 20, 2015, at 4:27 PM, Peter Rathlev pe...@rathlev.dk wrote:
> On Tue, 2015-01-20 at 19:13 +0200, Hank Nussbacher wrote:
>> In IOS 12.2(33)SRE7a, in order to read an interface description we did:
>>
>>   snmpwalk -v 2c -c <snmp read community> rtr1 .1.3.6.1.4.1.9.2.2.1.1.28
>>   [This is the Cisco specific locIfDescr]
>>
>>   SNMPv2-SMI::enterprises.9.2.2.1.1.28.3 = STRING: vidcast via vidcast-pix (Rack #6)
>>
>> but we can't find the proper MIB in Cisco IOS XR Software, Version 5.1.3.
>
> This might be a stupid question but is there any specific reason not to just use IF-MIB::ifAlias? The locIfDescr is from OLD-CISCO-INTERFACES-MIB and has probably been deprecated for some time now.

This is what we use; we collect some information from the interfaces MIB and the balance from the ifMIB.

- Jared
[c-nsp] Rancid permissions
Hi all,

Does anyone have a link to the permissions needed to get the full config for IOS 15?

Thanks.

--
Kind Regards,
Gavin Henry.
Re: [c-nsp] SNMP and interface description - IOS-XR
On Tue, 2015-01-20 at 19:13 +0200, Hank Nussbacher wrote:
> In IOS 12.2(33)SRE7a, in order to read an interface description we did:
>
>   snmpwalk -v 2c -c <snmp read community> rtr1 .1.3.6.1.4.1.9.2.2.1.1.28
>   [This is the Cisco specific locIfDescr]
>
>   SNMPv2-SMI::enterprises.9.2.2.1.1.28.3 = STRING: vidcast via vidcast-pix (Rack #6)
>
> but we can't find the proper MIB in Cisco IOS XR Software, Version 5.1.3.

This might be a stupid question but is there any specific reason not to just use IF-MIB::ifAlias? The locIfDescr is from OLD-CISCO-INTERFACES-MIB and has probably been deprecated for some time now.

--
Peter
Re: [c-nsp] SNMP and interface description - IOS-XR
FYI, if you would like to be able to get more than 64 bytes, use

  snmp-server ifmib ifalias long

http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.7/system_management/command/reference/yr37snmp.html#wp1143236

Tony

On Tue, Jan 20, 2015 at 4:44 PM, Jared Mauch ja...@puck.nether.net wrote:
> On Jan 20, 2015, at 4:27 PM, Peter Rathlev pe...@rathlev.dk wrote:
>> On Tue, 2015-01-20 at 19:13 +0200, Hank Nussbacher wrote:
>>> In IOS 12.2(33)SRE7a, in order to read an interface description we did:
>>>
>>>   snmpwalk -v 2c -c <snmp read community> rtr1 .1.3.6.1.4.1.9.2.2.1.1.28
>>>   [This is the Cisco specific locIfDescr]
>>>
>>>   SNMPv2-SMI::enterprises.9.2.2.1.1.28.3 = STRING: vidcast via vidcast-pix (Rack #6)
>>>
>>> but we can't find the proper MIB in Cisco IOS XR Software, Version 5.1.3.
>>
>> This might be a stupid question but is there any specific reason not to just use IF-MIB::ifAlias? The locIfDescr is from OLD-CISCO-INTERFACES-MIB and has probably been deprecated for some time now.
>
> This is what we use; we collect some information from the interfaces MIB and the balance from the ifMIB.
>
> - Jared
Re: [c-nsp] Rancid permissions
In our experience, RANCID requires privilege level 15. The following from our tacacs conf works on IOS v15 devices. I'm sure you could do it just as easily with a parser view or some such.

user = rancid {
    # default service = permit
    name = "RANCID daemon"
    login = (some password)
    # RANCID requires priv 15 to do its thing
    service = exec {
        priv-lvl = 15
    }
    # RANCID only uses these commands
    cmd = admin { permit .* }
    cmd = dir { permit .* }
    cmd = more { permit .* }
    cmd = show { permit .* }
    # This is redundant on all (our) devices
    #cmd = write { permit term }
}

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Gavin Henry
Sent: January-20-15 2:55 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Rancid permissions

Hi all,

Does anyone have a link to the permissions needed to get the full config for IOS 15?

Thanks.

--
Kind Regards,
Gavin Henry.