Re: [c-nsp] MACSec Stages
802.1AE

Look that up for how it works

alan

On Wed, 4 Apr 2018, 00:32 Alex K.,wrote:

> Hello everyone,
>
> After a few implementations of MACSec, I began wondering is there a
> complete documentation of that technology out there?
>
> For example, I have quite an experience with L2TP. Now, SCCRP may sound
> like a bad language to some, but as we all know, it's an important step in
> tunnel setup. The internet is literally brimming with information about
> L2TP. As for MACSec, maybe it's only me - but I'm having a hard time
> finding information on MACSec internal workings (beyond packets formats)
> especially - when it comes to protocols stages and related cisco debugs.
>
> All I was able to find this far, are some really general sketches of MACSec
> exchanges and seemingly unrelated debug commands.
>
> Am I missing something? Any help, such as linking to proper documentation,
> successful and unsuccessful debug outputs and such, on and off-list, will
> be gladly appreciated.
>
>
> Thank you,
> Alex.

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Syslog timezone
just to check - do you mean the events are coming through to syslog with wrong timezone - or do you mean the syslog server is showing the wrong timezone in its events - both are unique/separate alan
Re: [c-nsp] LACP between router VMs
I thought STP passed over a linux bridge interface unless you used brctl to change its behaviour? been a little while since I last looked alan
Re: [c-nsp] ISIS/BFD Monitoring
RouteExplorer is a nice tool (Commercial, from Packet Design)

On 15 Sep 2017 10:50 am, "Alex K."wrote:

> Hello everyone,
>
> A customer of mine, ran into interesting problem - his monitoring software
> unable to provide him with a meaningful alert, in case a link goes down.
>
> As an ISP, they have lots of links, they run ISIS/BFD on all of them but,
> as it regularly happens with carriers, layer 2 never actually goes down
> (apart from SDH and dark fiber links, but those are few).
>
> I tested their equipment (mainly Cisco gear) and all it generates, is a
> trap which basically say - "ISIS sission 657843347853325524854 went down".
>
> What they looking for, is a monitoring system, which on the scenario above,
> is able to provide the NOC team with a meaningful alert, such as: "ISIS
> status on interface changed to down. Please notify
> the network team".
>
> Any suggestions and sharing of personal experience will be appreciated.
>
> Thank you.
Re: [c-nsp] stange vlan 1 output
>I have two equal trunk configuration ports

False assertion. They have different vlan allow lists and one has a 'udld port' setting (which might be the cause of difference rather than the allow list) alan
Re: [c-nsp] 2960X SDM Template
Yes. Tell me about it. The values for the routing SDM are worse across the board so why would you use that profile instead??? One day I'll get a nice explanation ;) alan
Re: [c-nsp] Level 2 switch 1U, 4 x 10GE
Nexus 3k series? What l2 performance are you after? Required buffer size etc? A stack of 2 2960x would give you 4x10GSFP+ for example alan
Re: [c-nsp] Link encryption and scalability kit etc
Slightly larger frames and a bit more config. In terms of throughput it's line speed or near enough to not distinguish... we're doing it on 10Gb links. Be aware though that any WAN carriers that might be doing tagged MPLS stuff have to support the protocol - our initial circuit was such and MACSEC didn't work - temp fix was ipsec/gre. alan
Re: [c-nsp] Poor speed through GRE tunnel
What hardware for a Gig connection? :)

(Currently it's looking like a pair of Linux boxes)

alan

On 16 July 2015 10:54:45 BST, Nick Cutting ncutt...@edgetg.co.uk wrote:

Buy cheap 1921's with sec licences - In every case I've deployed these as DMVPN / VTI can get GREoIPsec to hit the 85Megabit limit on fast enough internet connections.

I'm sure without ipsec you could hit 150 Megabits+ (no Ipsec ISR G2 Speed limits)

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of a.l.m.bu...@lboro.ac.uk
Sent: 16 July 2015 08:39
To: Gert Doering
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Poor speed through GRE tunnel

Hi,

(And occasionally talk to your colleagues) ;-)

we worked long yesterday...and at the end of the day had discussions about next steps and where we could ask for advice... I went home and sent the email to c-nsp and, since I'm at a remote site this morning we didn't get chance to catch-up over coffee this AM ! :-)

alan

-- Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: [c-nsp] Mixing 2960S and X in stack
Gert has given the answer. Yes, you can mix them but there are so many caveats... I've advised our team to just not think about mixing them ever. Better to swap out 2960s elsewhere with a 2960x to get a 2960s stack member! ;) alan
Re: [c-nsp] 3850?
Cisco have been dumping quite a lot of features into their 38xx stores... and even 2960x!! The netflow features on both are far far ahead of their historical investments into 'edge switching'. They might even now compare to the options that HP offer ;) alan
Re: [c-nsp] Restoring switch config to floating spare
There are many ways of doing this, either using commercial switch provisioning tools or using Cisco's native switch provisioning toolkit (which then usually gets config from tftp server by default). Either way will get you the 'plug in and go' result that you desire alan
Re: [c-nsp] Cisco console port to USB
This is the best USB to serial adapter ever. +1 ♡ :) alan
Re: [c-nsp] ios aaa
' If I put them into radius then they can access all of our devices, not good.' Huh? Yes. It's not good which is why RADIUS servers have the abilities to define policies. Configure the RADIUS server so that people can only log in from the NAS they are authorised to do so from the locations allowed alan
Re: [c-nsp] ASA
Going from 0 to 100. That's a default block on the ASA platform isn't it? alan
Re: [c-nsp] OT: Wireless 2.4ghz
;) I guess the answer quotidian be 'when you want to'. There will always be legacy devices out there that people want to keep and won't do 5GHz. It will be down to you when you turn off 2.4GHz support... a decision based on support costs/overhead. I guess you already disable 802.11b? Are there any 5GHz only APs? Perhaps time to talk to the wifi vendors about that. :) alan
Re: [c-nsp] How can I increase Ethernet MTU?
35min??? :) alan
Re: [c-nsp] End-of-Life
Is access to cisco.com or Google blocked at your workplace? alan
Re: [c-nsp] WLC5700 and Unparalleled scalable wireless solution
I would suggest taking a look at the 8500 series WLCs if that sort of scale is what you need

Yep. +1 It can do the numbers you are talking about... but your decision might be based on other requirements

Ps wism2 with 1000 APs - yes. But the licencing is stupid. It's astronomical and a farce. Almost as cheap to buy another wism2! A disgrace and something that is pushing me to think about controller-less solution for our next wireless refresh. ie sort out your exorbitant licencing cash cow exercise cisco or you won't get anything from us alan
Re: [c-nsp] OSPFv3 Multiple Address Families Support in IOS
IS-IS is still an excellent alternative. +1 for that! ;) alan
Re: [c-nsp] UDLD enabling port prematurely?
Very useful with optical links alan
Re: [c-nsp] Need suggestion on cisco 3560 sw IOS
It's the fact that all the fan control stuff is STOPPED when doing the update. That's how noisy the things would always be if there was no fan control (it's actually how noisy they can get if in a really bad environment ;) ). A bit like servers before you enable all the sensible stuff 8) alan
Re: [c-nsp] 6880-X XL vs. ASR
Obviously no love here for VSS etc. But how is any of this any different not only to other virtual technologies (be they VLAN, MPLS, OTV etc) but to the code that you all rely on from cisco for the other things that keep the network running (spanning tree, EIGRP, OSPF, FIBs etc)? Surely if you have code/quality issues then trust in ANY of the stuff is an issue and this isn't just a knee jerk reaction in classic luddite fashion? alan
Re: [c-nsp] 802.1x radius
depends on your implementation and architecture... but FreeRADIUS is probably what you're looking for. alan
Re: [c-nsp] 802.1x radius
What are you trying to do? This is now out of scope of this mailing list - suggest you use the freeradius mailing lists. Alan
Re: [c-nsp] RAM thing
I passed this info to our team this AM. They've known about this since at least Dec 2010 too :( we have items from that list... so far our stuff seems to have died after power cycle due to the faulty capacitor problem instead! :/ Alan
Re: [c-nsp] NTP DDoS
Something I can point customers to for testing their own set ups. ;)

On a Linux or mac

ntpdc -c monlist xxx.xxx.xxx.xxx

If you get a reply (which will consist of a list of IP addresses that have sync'd with the daemon) then the server has a non optimal config... and if it's already been found by others they will all be listed... You might even see openntp project and team cymru servers listed ;)

Alan
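The same check from the server side, as an added example that is not part of the original post: instead of querying the daemon, audit its configuration file for the two settings that decide whether a `monlist` query from an arbitrary address gets an answer. The sample configs are constructed, and the code assumes stock ntpd `ntp.conf` syntax in which a bare `restrict default` covers both IPv4 and IPv6 (older releases need a separate `restrict -6 default` line).

```python
"""Audit an ntpd configuration for monlist exposure (added example)."""

# Constructed sample: no default restriction, monitoring left at its default.
OPEN_CONF = """\
driftfile /var/lib/ntp/drift
server 0.pool.ntp.org iburst
restrict 127.0.0.1
"""

# Constructed sample: queries denied by default, monitoring switched off.
HARDENED_CONF = """\
driftfile /var/lib/ntp/drift
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery   # IPv4
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
disable monitor
"""

# Constructed sample: 'disable monitor' is present, but a 'limited' entry
# keeps the client history (the data monlist returns) active anyway.
LIMITED_CONF = """\
restrict default kod limited nomodify notrap nopeer
disable monitor
"""


def audit_ntp_conf(text):
    """Return a dict describing whether monlist is reachable by default."""
    default_flags = {"ipv4": None, "ipv6": None}  # None = no default entry
    monitor_enabled = True   # ntpd enables the monitor facility by default
    limited_seen = False

    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()   # drop comments
        if not tokens:
            continue
        keyword = tokens[0].lower()

        if keyword in ("enable", "disable") and "monitor" in tokens[1:]:
            monitor_enabled = keyword == "enable"
        elif keyword == "restrict":
            families = [f for f in ("-4", "-6") if f in tokens[1:]]
            args = [t for t in tokens[1:] if t not in ("-4", "-6")]
            if not args:
                continue
            address, flags = args[0], {a.lower() for a in args[1:]}
            if "limited" in flags:
                limited_seen = True
            if address == "default":
                # Assumption: a bare 'default' applies to both families.
                targets = {"-4": ["ipv4"], "-6": ["ipv6"]}.get(
                    families[0] if families else "", ["ipv4", "ipv6"])
                for fam in targets:
                    default_flags[fam] = flags

    # 'limited' forces the monitoring history on regardless of 'disable monitor'.
    monitor_active = monitor_enabled or limited_seen
    # A family answers ntpdc/ntpq queries unless its default entry carries
    # 'noquery' (or 'ignore', which drops everything).
    open_families = [
        fam for fam, flags in default_flags.items()
        if flags is None or not ({"noquery", "ignore"} & flags)
    ]
    return {
        "monitor_active": monitor_active,
        "open_query_families": open_families,
        "monlist_exposed": monitor_active and bool(open_families),
    }


if __name__ == "__main__":
    for name, conf in (("open", OPEN_CONF), ("hardened", HARDENED_CONF),
                       ("limited", LIMITED_CONF)):
        print(name, audit_ntp_conf(conf))
```

Per-network `restrict` entries that loosen the default for specific address ranges are not evaluated here; the audit only answers what an unlisted address would get.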
Re: [c-nsp] Cisco autonomous AP - 802.11n / ac ?
You can get autonomous image on to the new APs but the future is not certain. However... with controller based APs (either local like cisco or cloud based like meraki or aerohive) you don't need to hit single APs in this manner... You just add profile to the APs or join APs to a profile and then just update the profile using the controller API or various other methods. Alan
Re: [c-nsp] NTP DDoS
Yep. Had a system on one of our ranges that was involved in yesterday's Cloudflare ddos. It's not anymore and won't be anymore. Open to all NTP queries types from the world :/ Alan
Re: [c-nsp] NTP DDoS
+1 yep. Use any of these NTP resources to find issues within your ASNs/remit. As network admins it's our duty/responsibility to look after each other and try to keep the Internet free of such 'filth' :) Alan
Re: [c-nsp] ASA5520 latency OSPF drops
The ASA can be brought to its knees by small packets with not a very large PPS... it's the ring buffer system it uses. Which brings to mind the current flavour du jour of ddos, that of NTP amplification. I'd do a span of your 2950G links to eg a Linux box with tcpdump and get a pretty picture of what's passing through... or being blocked/dropped Alan
Re: [c-nsp] ASA5520 latency OSPF drops
and because it's wrong to make statements without documentation: http://geant3.archive.geant.net/service/edupert/Resources/Documents/Firewall_Performance_TIP2013.pdf that's a 'highend' 5585x dying with just 1Mpps Alan
Re: [c-nsp] 3750G memory leak?
Similar issue with 3750e in stacks... eventually you cannot have remote access. Latest IOS doesn't help (so other stacks are on older IOS). Chatting to someone last week mixed mode 3750/3750e or x = even worse. Alan
Re: [c-nsp] 3750G memory leak?
Good to know about that 15.2 release sorting out the SNMP... Maybe I'll be able to remove all the OID filters that I currently have to stop SNMP polling causing an issue on these switches Alan
Re: [c-nsp] Weird problem with 2960S and desktop switch
Sounds like you've got bpduguard enabled... This will stop random switches being plugged into portfast access ports. If you don't want that then turn off the bpduguard Alan
Re: [c-nsp] *** GMX Spamverdacht *** Re: Weird problem with 2960S and desktop switch
You've turned off protection and control... which means that the downstream switch had the chance to mess you up. Especially as your switch is in flat mode and thus very susceptible for vlan 1 to be messed up... which I'm guessing you use for management. The downstream switch might be taking over root Bridge mode for vlan 1, it might have a nasty l2 loop on it etc etc. Only turn off protection on links to kit you can really really Trust... and prepare to get messed up by links that have such protection turned off in the future at some time (and change config on this switch to use a different vlan for edge/end devices) Alan
Re: [c-nsp] Re-licensing secondhand Cisco equipment
What about support with Cisco (eg TAC) and software updates, security patches, bug fixes etc? alan
Re: [c-nsp] DHCPv6
... It's almost as if the people that wrote the specs didn't run client networks. Anyway, back to normal service now (and I am keeping my eye on when the RA extensions appear in our IOS) Alan
Re: [c-nsp] DHCPv6
There's finally discussion and documentation for DHCPv6 to provide more than just a client address and on the flip side ( and the other stupidity) extensions so that SLAAC can provide eg DNS servers and NTP server details which will finally make it more auto config and mean no more dual stack SLAAC+DHCPv4 shenanigans Alan
Re: [c-nsp] DHCPv6
The requester wants DHCPv6 not SLAAC for the clients. Wonder if there's an interface setting missing here for this platform? alan
Re: [c-nsp] Configuring Multiple Cisco Devices
Since when was that free?
Re: [c-nsp] VSS and just one 10GE link
What link are you going to use for your heartbeat? VSS will work with one link otherwise those sites that only use 2 10G links would be hosed if one of those links failed ;)
Re: [c-nsp] Cisco 6500 mounting with cables
We use cable management bars and route all cables to the left and right thus ensuring that we don't have cables blocking the removal of a failed module or a module that needs swapping out for upgrade.

Would recommend wider racks for such locations. You have more space to each side and often containment channels

alan

Original message
From: Jon Lewis jle...@lewis.org
Date: 08/07/2013 13:11 (GMT+00:00)
To: chris stand cstand...@gmail.com
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cisco 6500 mounting with cables

On Mon, 8 Jul 2013, chris stand wrote:

Does anyone mount 6500s directly under the patch panels ? If you do, do the cables run to the left and right and would you share a photo or two ?

I've run cables in from both sides. You can get cable management bars that rack mount on top of the 6500 chassis rack ears. These are literally a steel bar with 2 radiused 90* bends, the ends of which are welded to rack ears. Mounting these in front of the line cards, you can then use velcro to secure the cables on their way to the line card ports.

-- Jon Lewis, MCP :) | I route | therefore you are
_ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: [c-nsp] Cisco 6500 mounting with cables
Interesting kit. Regarding fan unit - have had plenty of blade/sup swaps and failures... no fan tray (now I've said that...) the only time we had a fan swap was for a wholesale upgrade to e-series so ALL kit got taken out. alan
Re: [c-nsp] Finding source of ISIS authentication failure
Hi Odd. Unless the 7600 is missing a whole load of things then you shouldn't have any issues running the standard debug commands for ISIS... I certainly did to find source of an issue on our 6500. This was on SXI release of 12.2(18) or such.. we're on 15.x now alan
Re: [c-nsp] ASA 5515-X self power on (Vladimir Horak)
I'm guessing that there's some 'wait' algorithm to ensure that the power is back and 'stable' rather than coming straight back up when the juice arrives... otherwise things could get interesting if the power is wibbling up/down alan
Re: [c-nsp] Rancid causing reload SUP2T 12.2.50-SY3
Yes I've known several non priv show commands to crash their routers alan
Re: [c-nsp] Old C2950 Strangness..
Yes, that date was too early for 2.6 kernel IIRC and BSD != Linux :) just do a password recovery on it alan
Re: [c-nsp] Confirmation of Gigabit Ethernet autonegotiation behavior
Probably better looking at the RFC... however, duplex? Gigabit requires full duplex. You can't have half duplex... alan
Re: [c-nsp] WS-X6708-10G-3CXL usable with SUP2T?
Yep, unfortunately. Have done the DFC4 daughter board upgrade on the other cards (you get some more memory to swap-in on the base card too). Easy job but frustrating that the 6708 couldn't be part of it. alan
Re: [c-nsp] ASA VPN Tunnels
Given that same setup elsewhere is working then this problem is local. The world isn't ideal. I would suggest it's an L1 or L2 issue with this customer's line or broadband modem. Maybe line issues and renegotiation of the link or faulty modem. Get the line checked/measured/conditioned and/or the modem swapped out. alan
Re: [c-nsp] enable secret 'password'
Hi,

Warning: The CLI will be deprecated soon 'enable secret 5 $x/' Please move to 'enable secret password' CLI

Any suggestions on how to get around this - I don't really want the password lying around in plain text...

the password shouldn't be lying around in plaintext after entering the command - it should be stored in encrypted format

alan
Re: [c-nsp] RIPE 554, availability of required IPv6 features
Hi,

Are my assumptions wrong? We're (in part politically) not allowed to require anything that only one or two vendors would be able to fulfill,

I'm afraid that you may find only a couple of vendors who actually care about IPv6 - at least in such a way that they do eg RA guard, MLDv2 snooping, DHCPv6 protection, DAD etc etc as you (rightfully!) require in your new equipment procurement. might want to ask those complaining that their kit doesn't do it 'why not?' and 'what timeframe?' as a minimum. Cisco themselves have only just started to roll out basic IPv6 stuff (that still doesn't match their IPv4 featureset) to their lower level switches... if they expect everyone to run 6500, 4500 or 3750 at the edge then they are having a laugh.

alan
Re: [c-nsp] vlan limit hit...but havent?
24 port with couple of SFP ports? I've got a sneaking suspicion that this is one of those cases where resources are reserved for physical ports alan
Re: [c-nsp] Wireless Controllers, SVIs and WCCP
Hi,

I am still waiting on the VSS support for the 4500s, but it looks like the first version won't be available until the start of next year - and I don't really want to use bleeding edge software for this application. So it looks as if I am left with the 6500 VSS Sup2T solution with plenty of room to add more line cards. The 6500s are a really great work horse.

FWIW we use 6500 devices in VSS pair - but our wireless controllers are WISM-2 - and therefore we need the chassis! ;-)

I mentioned the larger controllers because if all your APs go back to just a big HA pair then you can have everything under one hood - thus negating the need for doing MPLS etc (which I assume you want to do to get the right network out to all your 5508s as they are spread over the place?) - if you were spending money on 6500's, sup2Ts, line cards etc then that's money that could be spent on controller: http://www.cisco.com/en/US/products/ps12722/index.html

alan
Re: [c-nsp] Wireless Controllers, SVIs and WCCP
With latest code you can run them in hotstandby mode... ties up licences though. Have you looked at just swapping the 5508s with just a pair of the really big wireless controllers? Ideal WCCP functionality would just be present...might talk to our contacts about that. Have you looked at 4500 instead of 6500? Alan
Re: [c-nsp] Config management
Sssh. they'd ditch it all for a java front end using proprietary signed and encrypted XML format that would end up being the PRIME way of doing INFRASTRUCTURE control and management ;) alan -- This smartphone uses free WiFi around the world with eduroam, now that's what I call smart.
Re: [c-nsp] Config management
Thousands of switches...we use our own local scripts to put config/verify/audit alan
Re: [c-nsp] Traffic shaping does not work (and is not supported) on Port-Channel interfaces on Software based routers
Of all things Cisco is good at, pissing off its users ranks #1 on the list.

I'm hoping that their move to concentrate on switching and core business rather than eg digital cameras (what were they thinking with that? Did John Chambers ask his PA to buy a flip video and it was misheard?) will start to fix this Alan
Re: [c-nsp] N7K NX-OS SCP config
Hi, Does RANCID not support NXOS? yes 'cisco-nx' with nxrancid alan
Re: [c-nsp] Experience with Chineese manufacturer of Optical transceivers
Hi,

Do any of you have experience with a Chinese manufacturer of optical transceivers named: Yoranco - www.yoranco.com http://www.yoranco.com/ They have quite a broad product portfolio and a very low price compared to other manufacturers.

got one of their emails today like I did? ;-) all I'll say is their 'fiber wireless router' - yep. when will cisco have APs that can be fed by fibre? 1152AP or such.

alan
Re: [c-nsp] Aruba AP70
This is a Cisco mailing list. There are aruba resources out there...I guess the wireless installation guide would help too...I'd also guess that they work in a similar way to Cisco wifi... you either have a DNS entry for the controller or give the info to the APs VIA DHCP alan
Re: [c-nsp] IOS 15.0 ipv6-related weirdness (fails to fallback to ipv4)
Hi, int voip-null0 no ipv6 enable yes, i have - no such command. I'm looking for what's needed - the same thing happens on IOS 15 on 2960s/3750x etc - it's nice to see some IPv6 stuff in the system at last (for example, you can assign IPv6 addresses for the domain servers etc - and IPv6 for TACACS+ and RADIUS etc) but sometimes you need to just have no IPv6 for some remote stuff.

alan
Re: [c-nsp] Rancid use without level 15 access?
We use TACACS+ (shrubbery) to give the rancid user the rights to only the commands it needs. As for silently failing, you can eg run the login command and scripts manually (it was through checking those scripts we knew what commands to allow)

alan
-- This smartphone uses free WiFi around the world with eduroam, now that's what I call smart.
Re: [c-nsp] C6k power reserved for redundant sup?
Hi,

> We'll have to consider if we try to find new PSUs (we have some 6000W in some remote boxes that could cope with 3000W) or move the module. We prefer to use slot 8 for aesthetic reasons but nobody really looks at these boxes that much.

choosing a slot due to aesthetic reasons is not the best of ideas - you are aware that on the 6500 chassis certain slots are poorer than others? we just put our module into the slot that the reserved power was on - as we run with just 1 supervisor (we have other resilience/redundancy methods that don't rely on the 2nd sup hackiness)

alan
Re: [c-nsp] C6k power reserved for redundant sup?
Hi,

> As Andy points out the 6509-V-E does not have special slots (apart from the supervisor ones of course). And by aesthetic reasons I mean things like cable management. It's probably not a big thing since we seldom change anything (it's all supposed to be cabled at deployment time) but we still like it to be neat.

I prefer my network to be in a working state than neat...but hey, some people think that the data centre needs to look like a beauty contest ;-)

this, by the way, DOESN'T mean that I like some rats nest of unknown cables. there are important rules

1) cables must be labelled (at both ends! and bonus points for extra labels at inspection points)
2) cables must run as neatly as to make changes easy and efficient
3) cables should not trap equipment..or be trapped by equipment
4) use the correct coloured cables
5) broken retain clip? cable gets binned.
6) install every cable as if it's there for the long term - no 'it's just a quick bodge/fix that'll go' (it never goes...it's there in a year's time...)
7) If a contractor could snag it, they will - ensure cables are secured and contained.

I'm sure there's more but those are the top of the list. overly neat/hidden cables make routine work very awkward and frustrating

I don't think there's a 'cabling' course in the line of CCNA...I wish there were...the number of sites I've been to...or people I've dealt with that don't care for this major part of the network...if the PHY layer cannot be controlled then forget anything travelling on it

alan
Re: [c-nsp] Shutting down a switch port automatically after a specific time
Hi,

> I would like to shutdown certain switch ports in my cisco 3550 switch automatically after a specific time. I tried configuring Time range with access list. But that only denies the ip traffic to the port while the port remains UP. I need the port to be down and then get the intimation about the port gone down in my syslog server through traps, which is not possible through time range as the port remains in the UP state.

very easy with energywise... but this is 3550 so doesn't have that featureset

for timers we used to just use external scripts which would use SNMP to UP/DOWN a port at certain times

alan
Re: [c-nsp] NTP Servers
Hi,

> Agreed - but there are also the political issues to consider - server (hosting team) vs. appliance (network team).

I work in a network team. and we run servers - DNS, DHCP, NTP, RADIUS, SYSLOG, SNMP - basically all the network related things and bits that ensure a client can use the network. from then on it's all upper layers and we don't go above layer 4 ;-)

> It is easy for *nix admins to support a free Linux environment, but unfortunately, some companies are moving away from *nix based operating systems - and as such would prefer an appliance.

..which are usually Linux boxes ;-)

> It is cheaper to buy 3 appliances than to hire 2 *nix admins to look after your 3 time servers for you.

...and who runs the appliances? who debugs the appliances when they don't do what they are expected to do? you might have a little more argument with something more complex like DNS/DHCP when you might buy into some IPAM solution... but NTP?

alan
Re: [c-nsp] NTP Servers
Hi, If that was the case then I'd have to provide mgmt the case, costs, best practice etc for things to change ;)

alan
Re: [c-nsp] single static ip address for customer(s)
Hi,

> I think I may have deleted the original post(s) in this thread, but has anyone mentioned LISP.

one possibility is to have a big NAT box on the edge of the network, then their address can be changed to whatever you need internally but they are seen on the same address externally. messy and nasty but if they want to keep the address..

alan
Re: [c-nsp] Rapid-PVST and RSTP compatibility
The cisco kit should fall back to the lower method.

alan
Re: [c-nsp] StackWise Plus performance
Hi,

> I found in documentation that StackWise Plus is providing up to 64 Gbps of throughput. But is it full-duplex (then 128 Gbps half-duplex) or half-duplex (then 32Gbps full-duplex) ? Is it per one port ? Or both stack ports ?

just wondering why your company blocks access to google? ;-)

cisco provide plenty of white papers about its technology eg http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps5023/prod_white_paper09186a00801b096a.pdf

alan
Re: [c-nsp] 2960S IOS
12.2.58 is not going anywhere, we're halfway through upgrading to 15.0 (first versions had some show stoppers but latest version okay..so far! ;) )

alan
Re: [c-nsp] SNMP monitoring routing table over time
Hi,

some years ago I thought about this myself - coupled with SNMP traps etc you can build a map of the routing across your network. the trouble was, i went into planning it and all the required features...and it just grew and grew... i had a couple of quagga boxes joined into the IGP and EGP systems and was recording stuff but I'm no compsci and got stuck in a mess of SQL relational tables that just didn't scale. yes, i saw events...but i saw events already and I hadn't worked out how to draw the map for the routing topology at date X - without re-writing routing algorithms myself.

in the end I bought a little appliance that does most of what i needed - yes, not ALL i needed, but it's a start. http://packetdesign.com/products/rex.htm

I was then able to spend time on projects that local mgmt felt were more high priority (hey, it's good having a working local network... ;-) )

alan
Re: [c-nsp] Recommended IPv6 Resources
Hi,

> I'm dipping my toe into the world of IPv6 and I'm looking for recommendations on resources - books, design guides, white papers, tutorials etc.

there are a few IPv6 books out there - from the cisco offerings to third party and usual stalwart publishers. they should get you well versed on the subject.

yes, address space is bigger - but it's the other things that will get you .. uses multicast to do everything, ICMPv6 is very very important for operation of hosts, SLAAC is the 'easy way' to get addresses from the router - your DHCP server may well not do DHCPv6 (and if it does, the clients probably don't! ;-) ) so how do you record/manage hosts? what about reverse records - you going to have 65k of entries for each /64 that you deal with? ACLs and switch behaviour - and what about end point protection - there's a good layer of ipv4 protection on particular cisco access layer switches now - but the ipv6 is lacking.

likewise management - it's a big big shame that cisco haven't gone full-on with mgmt in IPv6 - there's no reason why the mgmt of your switches/APs etc can't all be in IPv6 and you have no IPv4 on those nets... but no.. latest IOS has some mgmt functions that work over IPv6.. not bad considering how long v6 has been around before.

my take home message? you can learn a WHOLE LOT more about it by having a dev/test router, a couple of VLANs and home hosts (oh, be sure to tick the IPv6 box in VMware if you are virtualised with it ;-) )

alan
Re: [c-nsp] port channel numbering schemes
As I said, we TRY. The vendors will do their best to scupper us, other things will come up to b0rk it. But as a rule of thumb it's a starting point (i'm more concerned that other things change such as the MIB value between different platforms)

alan
Re: [c-nsp] port channel numbering schemes
Hi,

>> We try not to match interface numbers to VLAN ID's. That works out alright when you're starting out, but as the network grows, many face-palm and hair-pulling moments :-).

> Agreed. Clever numbering schemes can just be misleading when they don't line up.

another 'agreed' - however, we do try to use standard numbers for particular types of port-channel - ie doing something like ensuring the po1 on an aggregator switch is ALWAYS the link up to the core (and not a port-channel to a stack of access switches or a workstation) - this simplifies a lot of monitoring and sanity checking of configs/status of links etc.

alan
Re: [c-nsp] WS-X6704-10GE, WS-X6708-10GE
without DFC cards, some work/decisions still have to go to the supervisor. DFC (distributed) is what gives your modules autonomy

alan
Re: [c-nsp] Config Backups
RANCID and a couple of home-made scripts for custom jobs

alan
Re: [c-nsp] Config Backups
Can do SSH. Use read-only account though, no need for a powerful account to read the config. Also stores the config with revision control/history and the file stored has obfuscated passwords/credentials.

alan
Re: [c-nsp] Cisco Asset Management and Discovery Tool
netdisco is my favourite. Then there's Cisco tools and other offerings such as Orion NPM..most of the kiwisoft things are now on Orion products (they had some great tools)

alan
Re: [c-nsp] high CPU usage when copying to flash
hi,

it's not just your 4900 device - something's gone a little weird in cisco land since around the introduction of 3750 or 2960 devices too - as doing an eg 'archive download-sw ' command kills the switch performance for end user connected devices... this never used to be the case with eg the 2950, 2970 or 3550 devices - we could install new IOS firmware at any time and then reload out of hours...we now have to upload the firmware out of hours too :-|

alan
Re: [c-nsp] Cisco Switch (2960G-48TC-L) CPU Utilization
hi, 12.2(52)SE ? hideously old and full of weird little bugs - really, check the IOS release notes and the closed/resolved caveats for every release since that version... you might be surprised how it even worked at all... ;-)

alan
Re: [c-nsp] Fibre link flapping
Unidirectional optic link. Check out udld for detection/protection

alan
Re: [c-nsp] Cisco's new 4500-X 10G Aggregation Switches
Hi,

> What type of mtrie stride could possibly do this? IPv4 8-8-8-8 and IPV6 16-16-16-16-16-16-16-16, this would make IPv6 mtrie depth and width 2x of IPV4. For them to be same depth IPv6 stride would need to be 4294967296-4294967296-4294967296-4294967296 if you could have that wide stride, IPv4 could be looked up from flat mtrie.

hmmm, generically, there shouldn't be such an issue for handling traffic - as the IPv6 packet is likely to be same size or smaller (smaller header) as IPv4.. which then would suggest that the issue is in stages such as address handling and lookups. now 64bit CPU isn't the best for 128bit addresses - so there's going to be some hit there - what you need is some GPU technology for doing address mashing rather than the old CPU way... so that's ASIC territory.

it is a shame that we are trying to move from IPv4 to IPv6... but even the latest hardware from Cisco gives us a big performance hit for doing that - this 2x slowdown is nothing new...it's been around on all their devices :-|

> It's very difficult for me to understand how to do these in same constant time, without having very poor IPV4 implementation.

2 data paths? IPv4 go one way, IPv6 go another... but then you have to duplicate ALL the stuff onboard - expensive! no one wants to pay more for IPv6 (just like no one wanted to pay more for IPv4 when they were migrating from DECNET/ATALK/IPX)

alan
Re: [c-nsp] Cisco's new 4500-X 10G Aggregation Switches
Hi,

> Physics.

typical engineer...always blaming the scientists and their methods 8-)

alan
Re: [c-nsp] Feedback on terminal exec prompt timestamp
Hi,

> Hell, how about turning proxy arp off by default?

seconded (I see a future method for cisco feedback here ;-) )

alan
Re: [c-nsp] Feedback on terminal exec prompt timestamp
Hi,

> No thanks. When I want that info I'll ask for it or I'll turn this feature on. Plus it could break or confuse scripts and programs that interact with Cisco routers.

I agree - have no need of this detail whenever i run a command... or if any of our polling scripts collect data. IF I want to check the time and source I can simply run 'show clock detail'

alan
Re: [c-nsp] When do you upgrade IOS?
Hi,

> 1. What drives you to upgrade code on critical routers switches?

new features + bug fixes. keeping the firmware up to date should be part of the planning process - whatever network mgmt method you follow (FCAPS, ITIL, TMN, etc) upgrading should be part of planned actions - or one day you find your whole estate running very old. one advantage of keeping up to date is you read the release notes...and see things that make you think 'oooh! that's a cool feature'...and 'ooh! that's a bug that would hit us, glad we haven't had that YET' ;-)

> 2. Do you upgrade code on a fixed schedule if not driven to by some other immediate requirement?

upgrades are done during advertised/known 'network at risk' period, this is early on a weekday morning before business hours/core hours. we also found that by keeping the IOS reasonably up to date...whenever another team has come to us asking for requirement/feature our switches tend to already have that available - eg energywise or LLDP

alan
Re: [c-nsp] sup2 lead times/costs
Hi,

> I've got two-month lead times on my sup2t orders.

aye. we had to fight hard to get ours...and they went into service pretty quick!

> What I'm seeing is a lack of discounting, so to speak.

And so much demand... so why reduce the price? the early people wanting access to the platform will be paying more. much like the rest of the tech world.

> And I'm sure this year will bring a few large bankruptcies of European (and American) financial institutions which will cause a bunch of new-new kit from big banks to hit the resale market, further helping your cause. Then you can get your toys. :)

;-) there'll also be a deluge of sup720 blades for those people still on sup2 or sup32 from all the sup2t upgraders

alan
Re: [c-nsp] Flow tools
Hi,

> Second: I'm curious if people are seeing prices that make sense for the DFC4 upgrade parts for 67xx linecards. They were about 50% more than the equivalent DFC3 parts. When we costed out the upgrade of our main core routers to sup2T, the DFC parts made it quite pricey, and pushed us to look at more radical options.

having now migrated to a 100% Sup2T core system I can give a quick answer.. it was cheaper to get some WS-F6K-DFC4-A upgrades for our X6724 cards than it was to buy the X6924 modules... and you need the DFC4...

alan
Re: [c-nsp] Flow tools
Hi, I'm finding it slightly ironing that the subject of this email is about netflow...and yet people are dissing the Sup2T - the Sup2T is a netflow beast! :-) I'm just surprised that they took the opportunity to ditch the old PFC/DFC mixing but kept the old inter-module communication link... 10/half ? :-|

alan
Re: [c-nsp] Loopback IP set to .255 - 6500 responds to ICMP echo-request from wrong interface
Hi, been using .0 and .255 addresses (in the proper class-less places eg in middle of a /23 ) for years now. any kit or system that cannot handle such addresses as being client/end-station addresses should be dumped onto the recycling pile and got rid of (it's likely that such kit cannot do IPv6 either.)

alan
Re: [c-nsp] Catalyst 2950 freezing
Hi,

> Hello, Switch configuration for customer ports is below. If you have any recommendations, they are welcome :-)
>
> Current configuration : 190 bytes
> !
> interface FastEthernet0/1
>  description #customer: CUST01i_L2 [4M]
>  switchport access vlan 115
>  load-interval 30
>  speed 10
>  duplex full
>  no cdp enable
>  spanning-tree bpdufilter enable

surely

 switchport mode access
 spanning-tree portfast
 switchport nonegotiate

is wanted on those links... you don't want a customer to hit your switch with spanning tree or force a trunk negotiation do you?

alan
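Added example (not part of the original post, and not code from the list): a small Python audit that checks customer-facing access ports for the three lines suggested in the reply above. Treating any port whose description starts with "#customer:" as customer-facing is an assumption taken from the quoted stanza; FastEthernet0/2 and FastEthernet0/24 in the sample are constructed.

```python
import re

# Lines the reply above asks for on every customer-facing access port.
REQUIRED = (
    "switchport mode access",
    "spanning-tree portfast",
    "switchport nonegotiate",
)

# Constructed sample: Fa0/1 is the stanza quoted in the post, Fa0/2 is a
# made-up port with the three lines added, Fa0/24 is a made-up uplink.
SAMPLE_CONFIG = """\
!
interface FastEthernet0/1
 description #customer: CUST01i_L2 [4M]
 switchport access vlan 115
 load-interval 30
 speed 10
 duplex full
 no cdp enable
 spanning-tree bpdufilter enable
!
interface FastEthernet0/2
 description #customer: CUST02i_L2 [4M]
 switchport access vlan 116
 switchport mode access
 switchport nonegotiate
 no cdp enable
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface FastEthernet0/24
 description uplink
 switchport mode trunk
!
end
"""


def parse_interfaces(config):
    """Return {interface name: [normalised sub-commands]} from IOS-style text."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        match = re.match(r"^interface\s+(\S+)", line)
        if match:
            current = match.group(1)
            interfaces[current] = []
        elif line.startswith((" ", "\t")) and current is not None:
            # Indented line: a sub-command of the current interface.
            interfaces[current].append(" ".join(line.split()))
        else:
            # "!", "end" or any other top-level line closes the stanza.
            current = None
    return interfaces


def is_customer_port(commands):
    """Assumption: customer ports carry a '#customer:' description."""
    return any(c.startswith("description #customer:") for c in commands)


def audit(config):
    """Return {interface: [missing required lines]} for customer ports only."""
    findings = {}
    for name, commands in parse_interfaces(config).items():
        if not is_customer_port(commands):
            continue
        # Exact match, so "no switchport nonegotiate" does not satisfy the check.
        missing = [req for req in REQUIRED if req not in commands]
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for name, missing in audit(SAMPLE_CONFIG).items():
        print(f"{name}: missing {', '.join(missing)}")
```
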
Re: [c-nsp] Anyconnect force upgrade
Hi,

> easy question I'm sure. How do you turn off the feature on the ASA that forces the upgrade of anyconnect?

Q. Is there a way to prevent the Adaptive Security Appliance (ASA) from automatically upgrading to a new AnyConnect version?

A. Not prior to AnyConnect version 2.3.0.185. With version 2.3.0.185 and beyond there is a capability to not automatically upgrade the client. It's via a profile Autoupdate parameter. Please reference the Release notes for these preferences options.

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect23/release/notes/anyconnect23rn.html#wp908334

with thanks to cisco support forums and google ;-)

and I believe if you put an old version on the ASA then the update/upgrade won't happen - so keep the version on ASA disk as old as the oldest version you want to support

alan
Re: [c-nsp] Anyconnect force upgrade
Hi,

> Alan and Mike-- thanks, but that is the same stuff i've found. I'm looking for the Commands or ASDM steps to make it happen. I found client-update enable, but is that the command? It still updated the anyconnect client after i removed it. (ASA 8.4.2 and anyconnect 2.5.x)

the profile must have <AutoUpdate>false</AutoUpdate> in the ClientInitialization template - as per the doc i linked. this can be done under the ASDM ...cisco don't like you using the command line for anything these days...it'll end up in one of the XML blobs on disk

alan
Re: [c-nsp] IS-IS advertise passive-only for ipv6?
Do you want me to be added to your feature request? I'm getting a little frustrated, all I want is feature parity for ipv6, it seems like completely separate teams did the work on this platform and didn't see how things worked in the v4 world

alan
-- Message may be brief as it has been sent from my mobile
Re: [c-nsp] sup2t/15.0(1) guidance
Hi,

> Is there a handy changes from 12 to 15 for dummies guide? Or, don't worry about it, it's really not a big deal? Mostly care about cat6k mgmt, MPLS VPN and MVPN, BGP, OSPF, IPv4 environment. Anyone using sup2t in anger yet, and opinions on 12 vs 15? (Though clearly 12.2(50) doesn't seem like the future)

I'd say go for 15 :-) we've started to use them 'in anger' and so far haven't seen any show-stoppers - unlike eg SXH and early SXI releases on our previous sup720 systems

alan
Re: [c-nsp] ASA 5550 url-filtering capacity
Hi,

> We are running into slow web sites and random/incorrect 403's on a 5550 as an internet gateway doing NAT for an enterprise with upwards of 40,000 users.

I killed a 5580 doing URL REGEX'ing - and that was without any NAT - just a pure /16 going straight through

are you also logging these matches?

alan
Re: [c-nsp] negative effects of jumbos on cat6500?
Hi,

> This is specifically talking about cat6500 with sup2 or sup720 architecture, but the general questions why do vendors not ship large-mtu on L2-ports by default, what is the drawback? remains.

some do - TP-Link and netgear gig unmanaged switches, for example, just have it on... in fact, the TP-Link stuff does 15k jumbos :-)

now, i'm sure a nice scare story will come out saying what might happen...but we've had the max jumbo frame set on our 6500 and 3750/E/X and 2970 etc aggregator switches for years now and not seen anything 'untoward'...certainly been affected by lots of OTHER things during that time that really shouldn't be bugs anymore :-|

jumbo frames on VLAN interfaces however.. now THAT is a different story ;-)

alan