Re: [c-nsp] MACSec Stages

2018-04-10 Thread Alan Buxey
802.1AE

Look that up for how it works

alan

On Wed, 4 Apr 2018, 00:32 Alex K.,  wrote:

> Hello everyone,
>
> After a few implementations of MACSec, I began wondering is there a
> complete documentation of that technology out there?
>
> For example, I have quite an experience with L2TP. Now, SCCRP may sound
> like a bad language to some, but as we all know, it's an important step in
> tunnel setup. The internet is literally brimming with information about
> L2TP. As for MACSec, maybe it's only me - but I'm having a hard time
> finding information on MACSec internal workings (beyond packets formats)
> especially - when it comes to protocols stages and related cisco debugs.
>
> All I was able to find this far, are some really general sketches of MACSec
> exchanges and seemingly unrelated debug commands.
>
> Am I missing something? Any help, such as linking to proper documentation,
> successful and unsuccessful debug outputs and such, on and off-list, will
> be gladly appreciated.
>
>
> Thank you,
> Alex.
> ___
> cisco-nsp mailing list  cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>


Re: [c-nsp] Syslog timezone

2018-03-22 Thread Alan Buxey
just to check - do you mean the events are coming through to syslog
with wrong timezone - or do you mean the syslog server is showing the
wrong timezone in its events - both are unique/separate

alan


Re: [c-nsp] LACP between router VMs

2017-11-08 Thread Alan Buxey
I thought STP passed over a linux bridge interface unless you used
brctl to change its behaviour?
been a little while since I last looked

alan


Re: [c-nsp] ISIS/BFD Monitoring

2017-09-15 Thread Alan Buxey
RouteExplorer is a nice tool

(Commercial, from Packet Design)



On 15 Sep 2017 10:50 am, "Alex K."  wrote:

> Hello everyone,
>
> A customer of mine, ran into interesting problem - his monitoring software
> unable to provide him with a meaningful alert, in case a link goes down.
>
> As an ISP, they have lots of links, they run ISIS/BFD on all of them but,
> as it regularly happens with carriers, layer 2 never actually goes down
> (apart from SDH and dark fiber links, but those are few).
>
> I tested their equipment (mainly Cisco gear) and all it generates, is a
> trap which basically says - "ISIS session 657843347853325524854 went down".
>
> What they looking for, is a monitoring system, which on the scenario above,
> is able to provide the NOC team with a meaningful alert, such as: "ISIS
> status on interface  changed to down. Please notify
> the network team".
>
> Any suggestions and sharing of personal experience will be appreciated.
>
> Thank you.


Re: [c-nsp] stange vlan 1 output

2016-10-07 Thread Alan Buxey
>I have two equal trunk configuration ports

False assertion. They have different vlan allow lists and one has a 'udld port' 
setting (which might be the cause of difference rather than the allow list)

alan


Re: [c-nsp] 2960X SDM Template

2016-07-08 Thread Alan Buxey
Yes.  Tell me about it.  The values for the routing SDM are worse across the 
board so why would you use that profile instead??? One day I'll get a nice 
explanation ;)

alan


Re: [c-nsp] Level 2 switch 1U, 4 x 10GE

2016-05-23 Thread Alan Buxey
Nexus 3k series? 

What l2 performance are you after? Required buffer size etc? A stack of 2 2960x 
would give you 4x10GSFP+ for example

alan


Re: [c-nsp] Link encryption and scalability kit etc

2016-05-06 Thread Alan Buxey
Slightly larger frames and a bit more config.  In terms of throughput it's line 
speed or near enough to not distinguish... we're doing it on 10Gb links. 

Be aware though that any WAN carriers that might be doing tagged MPLS stuff 
have to support the protocol - our initial circuit was such and MACSEC didn't 
work - temp fix was ipsec/gre. 

alan


Re: [c-nsp] Poor speed through GRE tunnel

2015-07-16 Thread Alan Buxey
What hardware for a Gig connection?  :)
(Currently it's looking like a pair of Linux boxes)

alan

On 16 July 2015 10:54:45 BST, Nick Cutting ncutt...@edgetg.co.uk wrote:
Buy cheap 1921's with sec licences - In every case I've deployed these
as DMVPN / VTI can get GREoIPsec to hit the 85Megabit limit on fast
enough internet connections.

I'm sure without ipsec you could hit 150 Megabits+ (no Ipsec ISR G2
Speed limits)

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
a.l.m.bu...@lboro.ac.uk
Sent: 16 July 2015 08:39
To: Gert Doering
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Poor speed through GRE tunnel

Hi,

 (And occasionally talk to your colleagues)

;-)


we worked long yesterday...and at the end of the day had discussions
about next steps and where we could ask for advice... I went home and
sent the email to c-nsp and, since I'm at a remote site this morning,
we didn't get chance to catch up over coffee this AM!  :-)


alan

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: [c-nsp] Mixing 2960S and X in stack

2015-05-31 Thread Alan Buxey
Gert has given the answer.  Yes,  you can mix them but there are so many 
caveats... I've advised our team to just not think about mixing them ever.  
Better to swap out 2960s elsewhere with a 2960x to get a 2960s stack member!  ;)

alan


Re: [c-nsp] 3850?

2015-04-09 Thread Alan Buxey
Cisco have been dumping quite a lot of features into their 38xx stores. .. and 
even 2960x!! The netflow features on both is far far ahead of their historical 
investments into 'edge switching'. They might even now compare to the options 
that HP offer ;)

alan


Re: [c-nsp] Restoring switch config to floating spare

2015-03-13 Thread Alan Buxey
There are many ways of doing this,  either using commercial switch provisioning 
tools or using ciscos native switch provisioning toolkit (which then usually 
gets config from tftp server by default). Either way will get you the 'plug in 
and go' result that you desire

alan


Re: [c-nsp] Cisco console port to USB

2015-03-04 Thread Alan Buxey
 This is the best USB to serial adapter ever.

+1  ♡

:)

alan

Re: [c-nsp] ios aaa

2015-03-01 Thread Alan Buxey
' If I put them into radius then they can access all of our devices, not good.'

Huh?  Yes.  It's not good  which is why RADIUS servers have the abilities to 
define policies.  Configure the RADIUS server so that people can only log in 
from the NAS they are authorised to do so from the locations allowed

alan


Re: [c-nsp] ASA

2015-02-11 Thread Alan Buxey
Going from 0 to 100 . That's a default block on the ASA platform isn't it?

alan


Re: [c-nsp] OT: Wireless 2.4ghz

2015-02-03 Thread Alan Buxey
;)

I guess the answer quotidian be 'when you want to' . There will always be 
legacy devices out there that people want to keep and won't do 5GHz  It 
will be down to you when you turn off 2.4GHz support... a decision based on 
support costs/overhead. I guess you already disable 802.11b?  Are there any 
5GHz only APs ? Perhaps time to talk to the wifi vendors about that.  :)

alan


Re: [c-nsp] How can I increase Ethernet MTU?

2015-01-24 Thread Alan Buxey
35min??? :)

alan


Re: [c-nsp] End-of-Life

2014-11-21 Thread Alan Buxey
Is access to cisco.com or Google blocked at your workplace? 

alan


Re: [c-nsp] WLC5700 and Unparalleled scalable wireless solution

2014-09-30 Thread Alan Buxey
 I would suggest taking a look at the 8500 series WLCs if that sort of scale 
 is what you need

Yep. +1

It can do the numbers you are talking about... but your decision might be based 
on other requirements

Ps wism2 with 1000 APs - yes.  But the licencing is stupid.  It's astronomical 
and a farce. Almost as cheap to buy another wism2! A disgrace and something 
that is pushing me to think about controller-less solution for our next 
wireless refresh.  

ie sort out your exorbitant licencing cash cow exercise cisco or you won't get 
anything from us

alan


Re: [c-nsp] OSPFv3 Multiple Address Families Support in IOS

2014-08-05 Thread Alan Buxey
 IS-IS is still an excellent alternative.

+1 for that! ;)

alan


Re: [c-nsp] UDLD enabling port prematurely?

2014-07-17 Thread Alan Buxey
Very useful with optical links

alan


Re: [c-nsp] Need suggestion on cisco 3560 sw IOS

2014-06-27 Thread Alan Buxey
It's the fact that all the fan control stuff is STOPPED when doing the update.  
That's how noisy the things would always be if there was no fan control (its 
actually how noisy they can get if in a really bad environment ;) ). A bit like 
servers before you enable all the sensible stuff 8)

alan


Re: [c-nsp] 6880-X XL vs. ASR

2014-05-05 Thread Alan Buxey
Obviously no love here for VSS etc

But how is any of this any different not only to other virtual technologies (be 
they VLAN, MPLS, OTV etc) but to the code that you all rely on from cisco for 
the other things that keep the network running (spanning tree, EIGRP, OSPF, 
FIBs etc) ?

Surely if you have code/quality issues then trust in ANY of the stuff is an 
issue and this isn't just a knee jerk reaction in classic luddite fashion?  

alan


Re: [c-nsp] 802.1x radius

2014-03-29 Thread Alan Buxey
depends on your implementation and architecture... but FreeRADIUS is probably 
what you're looking for. 

alan


Re: [c-nsp] 802.1x radius

2014-03-29 Thread Alan Buxey
What are you trying to do?  

This is now out of scope of this mailing list - suggest you use the freeradius 
mailing lists.

Alan


Re: [c-nsp] RAM thing

2014-02-13 Thread Alan Buxey
I passed this info to our team this AM.  They've known about this since at 
least Dec 2010 too :(   we have items from that list .. so far our stuff seems 
to have died after power cycle due to the faulty capacitor problem instead!  :/

Alan


Re: [c-nsp] NTP DDoS

2014-02-12 Thread Alan Buxey
 Something I can point customers to for testing their own set ups. ;)

On a Linux or mac

ntpdc -c monlist xxx.xxx.xxx.xxx

If you get a reply (which will consist of a list of IP addresses that have 
sync'd with the daemon) then the server has a non optimal config. ... and if 
it's already been found by others they will all be listed. .. You might even 
see openntp project and team cymru servers listed ;)

Alan
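
A defender-side companion to the `ntpdc -c monlist` check in the message above, added here as an example and not part of the original post: it audits ntpd configuration text for the two standard settings (`noquery` on the default `restrict` entry, or `disable monitor`) that stop a server answering monlist for arbitrary hosts. The sample configurations are constructed, and whether a bare `restrict default` also covers IPv6 depends on the ntpd build, so it is an explicit assumption (parameter `bare_default_covers_ipv6`).

```python
"""Audit ntpd configuration text for monlist (mode 7 query) exposure."""

# Either flag on the default restrict entry stops ntpdc/ntpq queries.
BLOCKING_FLAGS = {"noquery", "ignore"}


def _tokens(line):
    """Split a config line into words, dropping '#' comments."""
    return line.split("#", 1)[0].split()


def audit_ntp_conf(text, bare_default_covers_ipv6=True):
    """Return which address families can still query monlist.

    Assumption: with bare_default_covers_ipv6=True a plain
    'restrict default ...' applies to IPv4 and IPv6; set it to False for
    older builds that need a separate 'restrict -6 default ...' line.
    """
    default_flags = {"ipv4": None, "ipv6": None}  # None: no default entry seen
    monitor_disabled = False

    for line in text.splitlines():
        tok = _tokens(line)
        if not tok:
            continue
        if tok[0] == "disable" and "monitor" in tok[1:]:
            monitor_disabled = True
        elif tok[0] == "enable" and "monitor" in tok[1:]:
            monitor_disabled = False
        elif tok[0] == "restrict":
            args = tok[1:]
            if bare_default_covers_ipv6:
                families = ("ipv4", "ipv6")
            else:
                families = ("ipv4",)
            if args and args[0] in ("-4", "-6"):
                families = ("ipv4",) if args[0] == "-4" else ("ipv6",)
                args = args[1:]
            if not args:
                continue
            target, flags = args[0], args[1:]
            if target == "0.0.0.0" and flags[:2] == ["mask", "0.0.0.0"]:
                families, flags = ("ipv4",), flags[2:]
            elif target == "::" and flags[:2] == ["mask", "::"]:
                families, flags = ("ipv6",), flags[2:]
            elif target != "default":
                continue  # per-host entries do not change the default policy
            for fam in families:
                default_flags[fam] = set(flags)  # last matching line wins

    exposed, findings = [], []
    for fam in ("ipv4", "ipv6"):
        flags = default_flags[fam]
        if monitor_disabled:
            continue  # monlist is served from the monitoring facility
        if flags is None:
            exposed.append(fam)
            findings.append(f"{fam}: no default restrict entry, queries allowed")
        elif not (flags & BLOCKING_FLAGS):
            exposed.append(fam)
            findings.append(f"{fam}: default restrict lacks noquery")
    return {"monitor_disabled": monitor_disabled,
            "exposed": exposed,
            "findings": findings}


# Constructed sample: answers queries from anywhere (the "non optimal config").
WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict default nomodify notrap      # no noquery
restrict 127.0.0.1
"""

# Constructed sample: queries refused by default, monitoring switched off.
HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
disable monitor
"""

# Constructed sample: IPv4 locked down, IPv6 forgotten.
V4_ONLY_CONF = "restrict -4 default nomodify noquery\n"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF),
                       ("v4-only", V4_ONLY_CONF)):
        result = audit_ntp_conf(conf)
        print(name, "exposed:", result["exposed"] or "none")
        for finding in result["findings"]:
            print("   ", finding)
```
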


Re: [c-nsp] Cisco autonomous AP - 802.11n / ac ?

2014-02-12 Thread Alan Buxey
You can get autonomous image on to the new APs but the future is not certain.  

However. .. with controller based APs (either local like cisco or cloud based 
like meraki or aerohive) you don't need to hit single APs in this manner. .. 
You just add profile to the APs or join APs to a profile and then just update 
the profile using the controller API or various other methods. 

Alan


Re: [c-nsp] NTP DDoS

2014-02-11 Thread Alan Buxey
Yep.  Had a system on one of our ranges that was involved in yesterday's 
Cloudflare ddos. It's not anymore and won't be anymore.  Open to all NTP query 
types from the world :/

Alan


Re: [c-nsp] NTP DDoS

2014-02-11 Thread Alan Buxey
+1  yep.  Use any of these NTP resources to find issues within your ASNs/remit 
. As network admins it's our duty/responsibility to look after each other and 
try to keep the Internet free of such 'filth' :)

Alan


Re: [c-nsp] ASA5520 latency OSPF drops

2014-02-01 Thread Alan Buxey
The ASA can be brought to its knees by small packets with not a very large 
PPS... its the ring buffer system it uses. Which brings to mind the current 
flavour du jour of ddos, that of NTP amplification.  I'd do a span of your 
2950G links to eg a Linux box with tcpdump and get a pretty picture of what's 
passing through. .. or being blocked/dropped

Alan


Re: [c-nsp] ASA5520 latency OSPF drops

2014-02-01 Thread Alan Buxey
 and because it's wrong to make statements without documentation:

http://geant3.archive.geant.net/service/edupert/Resources/Documents/Firewall_Performance_TIP2013.pdf

that's a 'highend' 5585x dying with just 1Mpps

Alan


Re: [c-nsp] 3750G memory leak?

2014-01-25 Thread Alan Buxey
Similar issue with 3750e in stacks... eventually you cannot have remote access. 
 Latest IOS doesn't help (so other stacks are on older IOS) . Chatting to 
someone last week mixed mode 3750/3750e or x = even worse. 

Alan


Re: [c-nsp] 3750G memory leak?

2014-01-25 Thread Alan Buxey
Good to know about that 15.2 release sorting out the SNMP... Maybe I'll be able 
to remove all the OID filters that I currently have to stop SNMP polling 
causing an issue on these switches

Alan


Re: [c-nsp] Weird problem with 2960S and desktop switch

2014-01-08 Thread Alan Buxey
Sounds like you've got bpduguard enabled. .. This will stop random switches 
being plugged into portfast access ports.  If you don't want that then turn off 
the bpduguard

Alan


Re: [c-nsp] *** GMX Spamverdacht *** Re: Weird problem with 2960S and desktop switch

2014-01-08 Thread Alan Buxey
You've turned off protection and control. ... which means that the downstream 
switch had the chance to mess you up.  Especially as your switch is in flat 
mode and thus very susceptible for vlan 1 to be messed up. ... which I'm 
guessing you use for management.  
The downstream switch might be taking over root Bridge mode for vlan 1, it 
might have a nasty l2 loop on it etc etc.
Only turn off protection on links to kit you can really really Trust... and 
prepare to get messed up by links that have such protection turned off in the 
future at some time (and change config on this switch to use a different vlan 
for edge/end devices)

Alan


Re: [c-nsp] Re-licensing secondhand Cisco equipment

2014-01-07 Thread Alan Buxey
What about support with Cisco (eg TAC) and software updates,  security patches, 
 bug fixes etc? 

alan


Re: [c-nsp] DHCPv6

2014-01-06 Thread Alan Buxey
... It's almost as if the people that wrote the specs didn't run client 
networks... Anyway,  back to normal service now (and I am keeping my eye on 
when the RA extensions appear in our IOS)

Alan


Re: [c-nsp] DHCPv6

2014-01-05 Thread Alan Buxey
There's finally discussion and documentation for DHCPv6 to provide more than 
just a client address and on the flip side ( and the other stupidity) 
extensions so that SLAAC can provide eg DNS servers and NTP server details 
which will finally make it more auto config and mean no more dual stack 
SLAAC+DHCPv4 shenanigans

Alan


Re: [c-nsp] DHCPv6

2014-01-04 Thread Alan Buxey
The requester wants DHCPv6 not SLAAC for the clients . Wonder if there's an 
interface setting missing here for this platform? 

alan


Re: [c-nsp] Configuring Multiple Cisco Devices

2013-11-03 Thread Alan Buxey
Since when was that free?




Re: [c-nsp] VSS and just one 10GE link

2013-10-04 Thread Alan Buxey
What link are you going to use for your heartbeat? VSS will work with one link 
otherwise those sites that only use 2 10G links would be hosed if one of those 
links failed ;)


Re: [c-nsp] Cisco 6500 mounting with cables

2013-07-08 Thread Alan Buxey
We use cable management bars and route all cables to the left and right thus 
ensuring that we don't have cables blocking the removal of a failed module or a 
module that needs swapping out for upgrade. Would recommend wider racks for 
such locations . You have more space to each side and often containment channels

alan



 Original message 
From: Jon Lewis jle...@lewis.org
Date: 08/07/2013 13:11 (GMT+00:00)
To: chris stand cstand...@gmail.com
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cisco 6500 mounting with cables


On Mon, 8 Jul 2013, chris stand wrote:

 Does anyone mount 6500s directly under the patch panels ?  If you do, do
 the cables run to the left and right and would you share a photo or two ?

I've run cables in from both sides.  You can get cable management bars
that rack mount on top of the 6500 chassis rack ears.  These are literally
a steel bar with 2 radiused 90* bends, the ends of which are welded to
rack ears.  Mounting these in front of the line cards, you can then use
velcro to secure the cables on their way to the line card ports.

--
  Jon Lewis, MCP :)   |  I route
  |  therefore you are
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


Re: [c-nsp] Cisco 6500 mounting with cables

2013-07-08 Thread Alan Buxey
Interesting kit.  Regarding fan unit -  have had plenty of blade/sup swaps and 
failures. .. no fan tray (now I've said that. ..) the only time we had a 
fan swap was for a wholesale upgrade to e-series so ALL kit got taken out.

alan


Re: [c-nsp] Finding source of ISIS authentication failure

2013-07-01 Thread Alan Buxey
Hi

Odd.  Unless the 7600 is missing a whole load of things then you shouldn't have 
any issues running the standard debug commands for ISIS... I certainly did to 
find source of an issue on our 6500. This was on SXI release of 12.2(18) or 
such.. we're on 15.x now

alan


Re: [c-nsp] ASA 5515-X self power on (Vladimir Horak)

2013-06-26 Thread Alan Buxey
I'm guessing that there's some 'wait' algorithm to ensure that the power is 
back and 'stable' rather than coming straight back up when the juice arrives. 
.. otherwise things could get interesting if the power is wibbling up/down

alan


Re: [c-nsp] Rancid causing reload SUP2T 12.2.50-SY3

2013-03-27 Thread Alan Buxey
Yes I've known several non priv show commands to crash their routers

alan



Re: [c-nsp] Old C2950 Strangness..

2013-03-19 Thread Alan Buxey
Yes, that date was too early for 2.6 kernel IIRC and BSD != Linux  :)

just do a password recovery on it

alan



Re: [c-nsp] Confirmation of Gigabit Ethernet autonegotiation behavior

2013-01-25 Thread Alan Buxey
Probably better looking at the RFC ...however , duplex? Gigabit requires full 
duplex. You can't have half duplex...

alan



Re: [c-nsp] WS-X6708-10G-3CXL usable with SUP2T?

2013-01-08 Thread Alan Buxey
Yep, unfortunately. Have done the DFC4 daughter board upgrade on the other 
cards (you get some more memory to swap-in on the base card too). Easy job but 
frustrating that the 6708 couldn't be part of it.

alan



Re: [c-nsp] ASA VPN Tunnels

2012-12-28 Thread Alan Buxey
Given that same setup elsewhere is working then this problem is local. The 
world isn't ideal. I would suggest its an L1 or L2 issue with this customers 
line or broadband modem. Maybe line issues and renegotiation of the link or 
faulty modem. Get the line checked/measured/conditioned and/or the modem 
swapped out.

alan



Re: [c-nsp] enable secret 'password'

2012-11-27 Thread alan buxey
Hi,

  Warning: The CLI will be deprecated soon
  'enable secret 5 $x/'
  Please move to 'enable secret password' CLI
 
 Any suggestions on how to get around this - I don't really want the
 password lying around in plain text...

the password shouldn't be lying around in plaintext after entering the command -
it should be stored in encrypted format

alan


Re: [c-nsp] RIPE 554, availability of required IPv6 features

2012-11-24 Thread alan buxey
Hi,

 Are my assumptions wrong? We're (in part politically) not allowed to
 require anything that only one or two vendors would be able to fulfill,

I'm afraid that you may find only a couple of vendors who actually
care about IPv6 - at least in such a way that they do eg RA guard, MLDv2
snooping, DHCPv6 protection, DAD etc etc as you (rightfully!) require in
your new equipment procurement.

might want to ask those complaining that their kit doesn't do it 'why not?' and
'what timeframe?' as a minimum.  Cisco themselves have only just started to roll
out basic IPv6 stuff (that still doesn't match their IPv4 featureset) to their
lower level switches... if they expect everyone to run 6500, 4500 or 3750 at
the edge then they are having a laugh.

alan


Re: [c-nsp] vlan limit hit...but havent?

2012-11-17 Thread Alan Buxey
24 port with couple of SFP ports?

I've got a sneaking suspicion that this is one of those cases where resources 
are reserved for physical ports

alan




Re: [c-nsp] Wireless Controllers, SVIs and WCCP

2012-11-15 Thread alan buxey
Hi,

I am still waiting on the VSS support for the 4500s, but it looks like the
first version won't be available until the start of next year - and I
don't really want to use bleeding edge software for this application.
So it looks as if I am left with the 6500 VSS Sup2T solution with plenty
of room to add more line cards. The 6500s are a really great work horse.

FWIW we use 6500 devices in VSS pair - but our wireless controllers are WISM-2
- and therefore we need the chassis! ;-)

I mentioned the larger controllers because if all your APs go back to just a
big HA pair then you can have everything under one hood - thus negating the
need for doing MPLS etc (which I assume you want to do to get the right
network out to all your 5508s as they are spread over the place?) - if you
were spending money on 6500's, sup2Ts, line cards etc then that's money that
could be spent on controller:
http://www.cisco.com/en/US/products/ps12722/index.html


alan


Re: [c-nsp] Wireless Controllers, SVIs and WCCP

2012-11-14 Thread Alan Buxey
With latest code you can run them in hot standby mode... ties up licences though.

Have you looked at just swapping the 5508s with just a pair of the really big 
wireless controllers?  Ideal WCCP functionality would just be present...might 
talk to our contacts about that.

Have you looked at 4500 instead of 6500?

Alan



Re: [c-nsp] Config management

2012-10-27 Thread Alan Buxey
Sssh. they'd ditch it all for a java front end using proprietary signed and 
encrypted XML format that would end up being the PRIME way of doing 
INFRASTRUCTURE  control and management ;)

alan

--
This smartphone uses free WiFi around the world with eduroam, now that's what I 
call smart.



Re: [c-nsp] Config management

2012-10-26 Thread Alan Buxey
Thousands of switches...we use our own local scripts to put config/verify/audit

alan




Re: [c-nsp] Traffic shaping does not work (and is not supported) on Port-Channel interfaces on Software based routers

2012-10-10 Thread Alan Buxey


Of all things Cisco is good at, pissing off its users ranks #1 on the list.

I'm hoping that their move to concentrate on switching and core business rather 
than eg digital cameras (what were they thinking with that? Did John Chambers 
ask his PA to buy a flip video and it was misheard?) will start to fix this


Alan



Re: [c-nsp] N7K NX-OS SCP config

2012-10-09 Thread alan buxey
Hi,

   Does RANCID not support NXOS?

yes 'cisco-nx' with nxrancid

alan


Re: [c-nsp] Experience with Chineese manufacturer of Optical transceivers

2012-09-18 Thread alan buxey
Hi,

 Do any of you have experience with a Chinese manufacturer of optical 
 transceivers named: Yoranco - http://www.yoranco.com/
 They have quite a broad product portfolio and a very low price compared to 
 other manufacturers.

got one of their emails today like I did?  ;-)


all I'll say is their 'fiber wireless router' - yep.  when will cisco have APs that
can be fed by fibre?   1152AP or such.


alan


Re: [c-nsp] Aruba AP70

2012-08-28 Thread Alan Buxey
This is a Cisco mailing list. There are aruba resources out there...I guess the 
wireless installation guide would help too...I'd also guess that they work 
in a similar way to Cisco wifi...you either have a DNS entry for the 
controller or give the info to the APs via DHCP

alan



Re: [c-nsp] IOS 15.0 ipv6-related weirdness (fails to fallback to ipv4)

2012-07-10 Thread alan buxey
Hi,

  int voip-null0
   no ipv6 enable

yes, i have - no such command. I'm looking for whats needed - the same thing happens
on IOS 15 on 2960s/3750x etc -  its nice to see some IPv6 stuff in the system at last
(for example, you can assign IPv6 addresses for the domain servers etc - and IPv6 for TACACS+
and RADIUS etc) but sometimes you need to just have no IPv6 for some remote stuff.

alan


Re: [c-nsp] Rancid use without level 15 access?

2012-07-06 Thread Alan Buxey
We use TACACS+ (shrubbery) to give the rancid user the rights to only the 
commands it needs. As for silently failing, you can eg run the login command 
and scripts manually (it was through checking those scripts we knew what 
commands to allow)

alan

--
This smartphone uses free WiFi around the world with eduroam, now that's what I 
call smart.



Re: [c-nsp] C6k power reserved for redundant sup?

2012-07-02 Thread alan buxey
Hi,

 We'll have to consider if we try to find new PSUs (we have some 6000W in
 some remote boxes that could cope with 3000W) or move the module. We
 prefer to use slot 8 for aesthetic reasons but nobody really looks that
 these boxes that much.

choosing a slot due to aesthetic reasons is not the best of ideas - you
are aware that on the 6500 chassis certain slots are poorer than others?

we just put our module into the slot that the reserved power was on - as we run with
just 1 supervisor (we have other resilience/redundancy methods that dont rely on the
2nd sup hackiness)

alan


Re: [c-nsp] C6k power reserved for redundant sup?

2012-07-02 Thread alan buxey
Hi,

 As Andy points out the 6509-V-E does not have special slots (apart
 from the supervisor ones of course). And by aesthetic reasons I mean
 things like cable management. It's probably not a big thing since we
 seldomly change anything (it's all supposed to cabled at deployment
 time) but we still like it to be neat.

I prefer my network to be in a working state than neat...but hey, some people
think that the data centre needs to look like a beauty contest  ;-)

this, by the way, DOESNT mean that I like some rats nest of unknown cables.
there are important rules

1) cables must be labelled (at both ends! and bonus points for extra labels at inspection points)
2) cables must run as neatly as to make changes easy and efficient
3) cables should not trap equipment..or be trapped by equipment
4) use the correct coloured cables
5) broken retain clip? cable gets binned.
6) install every cable as if its there for the long term...no 'its just a quick bodge/fix that'll go'
(it never goes...its there in a years time...)
7) If a contractor could snag it, they will - ensure cables are secured and contained.

I'm sure theres more but those are the top of the list.  overly neat/hidden cables make
routine work very awkward and frustrating

I dont think theres a 'cabling' course in the line of CCNA...I wish there were...the number
of sites I've been to...or people I've dealt with that dont care for this major part
of the network...if the PHY layer cannot be controlled then forget anything travelling on it

alan


Re: [c-nsp] Shutting down a switch port automatically after a specific time

2012-06-24 Thread alan buxey
Hi,

 I would like to shutdown certain switch ports in my cisco 3550 switch
 automatically after a specific time.
 I tried configuring Time range with access list.But that only denies the ip
 traffic to the port while the port remains UP.
 I need the port to be down and then get the intimation about the port gone
 down in my syslog server through traps,which is not possible through time
 range as the port remains in the UP state.

very easy with energywise...but this is 3550 so doesnt have that featureset for
timers we used to just use external scripts which would use SNMP to UP/DOWN
a port at certain times

alan


Re: [c-nsp] NTP Servers

2012-06-23 Thread alan buxey
Hi,

 Agreed - but there are also the political issues to consider - server 
 (hosting team) vs. appliance (network team).

I work in a network team. and we run servers - DNS, DHCP, NTP, RADIUS, SYSLOG, SNMP - basically all the
network related things and bits that ensure a client can use the network. from then on its
all upper layers and we dont go above layer 4  ;-)

 It is easy for *nix admins to support a free Linux environment, but 
 unfortunately, some companies are moving away from *nix based operating 
 systems - and as such would prefer an appliance.

..which are usually Linux boxes ;-)

 It is cheaper to buy 3 appliances than to hire 2 *nix admins to look after 
 your 3 time servers for you.

...and who runs the appliances? who debugs the appliances when they dont do what they are expected
to do?  you might have a little more argument with something more complex like DNS/DHCP when you might
buy into some IPAM solution...but NTP?

alan


Re: [c-nsp] NTP Servers

2012-06-23 Thread Alan Buxey
Hi,

If that was the case then I'd have to provide mgmt the case, costs, best 
practice etc for things to change ;)

alan



Re: [c-nsp] single static ip address for customer(s)

2012-06-22 Thread alan buxey
Hi,
 I think may I deleted the original post(s) in this thread, but has anyone 
 mentioned LISP.

one possibility is to have a big NAT box on the edge of the network, then their
address can be changed to whatever you need internally
but they are seen on the same address externally.  messy and nasty but if they
want to keep the address..


alan


Re: [c-nsp] Rapid-PVST and RSTP compatibility

2012-05-23 Thread Alan Buxey
The cisco kit should fall back to the lower method. 

alan



Re: [c-nsp] StackWise Plus performance

2012-04-25 Thread alan buxey
Hi,

 I found in documentation that StackWise Plus is providing up to 64
 Gbps of throughput.
 But is it full-duplex (then 128 Gbps half-duplex) or half-duplex (then
 32Gbps full-duplex) ?
 Is it per one port ? Or both stack ports ?

just wondering why your company blocks access to google?   ;-)

cisco provide plenty of white papers about its technology eg

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps5023/prod_white_paper09186a00801b096a.pdf

alan


Re: [c-nsp] 2960S IOS

2012-03-20 Thread Alan Buxey
12.2.58 is not going anywhere, we're halfway through upgrading to 15.0 (first 
versions had some show stoppers but latest version okay..so far! ;) )

alan



Re: [c-nsp] SNMP monitoring routing table over time

2012-03-13 Thread Alan Buxey
Hi,

some years ago I thought about this myself - coupled with SNMPtraps etc you can build a map
of the routing across your network. the trouble was, i went into planning it and all the
required features...and it just grew and grew... i had a couple of quagga boxes joined into
the IGP and EGP systems and was recording stuff but I'm no compsci and got stuck in
a mess of SQL relational tables that just didnt scale. yes, i saw events...but i saw events
already and I hadnt worked out how to draw the map for the routing topology at date X - without
re-writing routing algorithms myself.  in the end I bought a little appliance that does most
of what i needed - yes, not ALL i needed, but its a start.

http://packetdesign.com/products/rex.htm

I was then able to spend time on projects that local mgmt felt were more high priority
(hey, its good having a working local network... ;-) )

alan


Re: [c-nsp] Recommended IPv6 Resources

2012-03-13 Thread Alan Buxey
Hi,

 I'm dipping my toe into the world of IPv6 and I'm looking for
 recommendations on resources - books, design guides, white papers,
 tutorials etc. 

there are a few IPv6 books out there - from the cisco offerings
to third party and usual stalwart publishers. they should get you well versed
on the subject.

yes, address space is bigger - but its the other things that will get you ..
uses multicast to do everything, ICMPv6 is very very important for operation
of hosts, SLAAC is the 'easy way' to get addresses from the router - your DHCP
server may well not do DHCPv6 (and if it does, the clients probably dont! ;-) )
so how do you record/manage hosts? what about reverse records - you going to have
65k of entries for each /64 that you deal with?

ACLs and switch behaviour - and what about end point protection - theres a good layer
of ipv4 protection on particular cisco access layer switches now - but the ipv6 is
lacking.  likewise management - its a big big shame that cisco havent gone full-on
with mgmt in IPv6 - theres no reason why the mgmt of your switches/APs etc cant all be in IPv6
and you have no IPv4 on those nets...but no..  latest IOS has some mgmt
functions that work over IPv6.. not bad considering how long v6 has been around before.

my take home message? you can learn a WHOLE LOT more about it by having a dev/test router,
a couple of VLANs and home hosts (oh, be sure to tick the IPv6 box in VMware if
you are virtualised with it ;-) )

alan


Re: [c-nsp] port channel numbering schemes

2012-03-09 Thread Alan Buxey
As I said, we TRY . The vendors will do their best to scupper us, other things 
will come up to b0rk it. But as a rule of thumb its a starting point
(i'm more concerned that other things change such as the MIB value between 
different platforms)

alan




Re: [c-nsp] port channel numbering schemes

2012-03-08 Thread Alan Buxey
Hi,

  We try not to match interface numbers to VLAN ID's. That
  works out alright when you're starting out, but as the
  network grows, many face-palm and hair-pulling moments :-).
 
 Agreed. Clever numbering schemes can just be misleading when they 
 don't line up.

another 'agreed' - however, we do try to use standard numbers for particular
types of port-channel - ie doing something like ensuring the po1 on
an aggregator switch is ALWAYS the link up to the core (and not a port-channel
to a stack of access switches or a workstation) - this simplifies a lot
of monitoring and sanity checking of configs/status of links etc.

alan


Re: [c-nsp] WS-X6704-10GE, WS-X6708-10GE

2012-03-02 Thread Alan Buxey
without DFC cards, some work/decisions still have to go to the supervisor. DFC 
(distributed) is what gives your modules autonomy

alan



Re: [c-nsp] Config Backups

2012-03-02 Thread Alan Buxey
RANCID and a couple of home-made scripts for custom jobs

alan



Re: [c-nsp] Config Backups

2012-03-02 Thread Alan Buxey
Can do SSH. Use read-only account though, no need for a powerful account to 
read the config. Also stores the config with revision control/history and the 
file stored has obfuscated passwords/credentials.

alan



Re: [c-nsp] Cisco Asset Management and Discovery Toll

2012-02-28 Thread Alan Buxey
netdisco is my favourite. Then there's Cisco tools and other offerings such as 
Orion NPM..most of the kiwisoft things are now on Orion products (they had some 
great tools)

alan



Re: [c-nsp] high CPU usage when coyping to flash

2012-02-26 Thread Alan Buxey
hi,

its not just your 4900 device - somethings gone a little weird
in cisco land since around the introduction of 3750 or 2960
devices too - as doing an eg 'archive download-sw ' command
kills the switch performance for end user connected devices...
this never used to be the case with eg the 2950, 2970 or 3550 devices -
we could install new IOS firmware at any time and then reload out 
of hours...we now have to upload the firmware out of hours too  :-|

alan


Re: [c-nsp] Cisco Switch (2960G-48TC-L) CPU Utilization

2012-02-26 Thread Alan Buxey
hi,

12.2(52)SE ?

hideously old and full of weird little bugs - really, check the IOS
release notes and the closed/resolved caveats for every release since
that version... you might be surprised how it even worked at all...  ;-)

alan


Re: [c-nsp] Fibre link flapping

2012-02-22 Thread Alan Buxey
Unidirectional optic link. Check out udld for detection/protection

alan



Re: [c-nsp] Cisco's new 4500-X 10G Aggregation Switches

2012-02-16 Thread Alan Buxey
Hi,

 What type of mtrie stride could possibly do this? IPv4 8-8-8-8 and IPV6
 16-16-16-16-16-16-16-16, this would make IPv6 mtrie depth and width 2x of
 IPV4.
 For them to be same depth IPv6 stride would need to be
 4294967296-4294967296-4294967296-4294967296 if you could have that wide
 stride, IPv4 could be looked up from flat mtrie.

hmmm, generically, there shouldnt be such an issue for handling traffic - as
the IPv6 packet is likely to be same size or smaller (smaller header) as IPv4..
which then would suggest that the issue is in stages such as address handling and
lookups.  now 64bit CPU isnt the best for 128bit addresses - so theres going to
be some hit there - what you need is some GPU technology for doing address mashing
rather than the old CPU way... so thats ASIC territory.

it is a shame that we are trying to move from IPv4 to IPv6...but even the latest
hardware from Cisco gives us a big performance hit for doing that - this 2x slowdown
is nothing new...its been around on all their devices :-|

 It's very difficult for me to understand how to do these in same constant
 time, without having very poor IPV4 implementation.

2 data paths?  IPv4 go one way, IPv6 go another... but then you have to duplicate ALL
the stuff onboard - expensive! noone wants to pay more for IPv6 (just like noone wanted to
pay more for IPv4 when they were migrating from DECNET/ATALK/IPX)

alan


Re: [c-nsp] Cisco's new 4500-X 10G Aggregation Switches

2012-02-16 Thread Alan Buxey
Hi,

 Physics.  

typical engineer...always blaming the scientists and their methods  8-)

alan


Re: [c-nsp] Feedback on terminal exec prompt timestamp

2012-02-16 Thread Alan Buxey
Hi,

 Hell, how about turning proxy arp off by default?

seconded

(I see a future method for cisco feedback here ;-) )

alan


Re: [c-nsp] Feedback on terminal exec prompt timestamp

2012-02-16 Thread Alan Buxey
Hi,
 No thanks. When I want that info I'll ask for it or I'll turn this feature 
 on. Plus it could break or confuse scripts and programs that interact with 
 Cisco routers.

I agree - have no need of this detail whenever i run a command...or if any of
our polling scripts collect data.  IF I want to check the time and source I can
simply run 'show clock detail'

alan


Re: [c-nsp] When do you upgrade IOS?

2012-02-16 Thread Alan Buxey
Hi,

 1.What drives you to upgrade code on critical routers & switches?

new features + bug fixes. keeping the firmware up to date should be part of the
planning process - whatever network mgmt method you follow (FCAPS, ITIL, TMN, etc) upgrading
should be part of planned actions - or one day you find your whole estate running
very old.   one advantage of keeping up to date is you read the release notes...and see
things that make you think 'oooh! thats a cool feature'...and 'ooh! thats a bug that would
hit us, glad we havent had that YET'  ;-)

 2.Do you upgrade code on a fixed schedule if not driven to by some other 
 immediate requirement?

upgrades are done during advertised/known 'network at risk' period, this is early on a weekday
morning before business hours/core hours.  we also found that by keeping the IOS reasonably up
to date...whenever another team has come to us asking for requirement/feature our switches
tend to already have that available - eg energywise or LLDP

alan


Re: [c-nsp] sup2 lead times/costs

2012-01-20 Thread Alan Buxey
Hi,

 I've got two-month lead times on my sup2t orders. 

aye. we had to fight hard to get ours...and they went into
service pretty quick!

 What I'm seeing is a lack of discounting, so to speak. And

so much demand...so why reduce the price? the early people
wanting access to the platform will be paying more. much like the
rest of the tech world.

 And I'm sure this year will bring a few large bankruptcies of
 European (and American) financial institutions which will cause
 a bunch of new-new kit from big banks to hit the resale market,
 further helping your cause. Then you can get your toys. :)

;-)  there'll also be a deluge of sup720 blades for those people
still on sup2 or sup32   from all the sup2t upgraders

alan


Re: [c-nsp] Flow tools

2012-01-18 Thread Alan Buxey
Hi,

 Second: I'm curious if people are seeing prices that make sense for 
 the DFC4 upgrade parts for 67xx linecards. They were about 50% more than 
 the equivalent DFC3 parts. When we costed out the upgrade of our main 
 core routers to sup2T, the DFC parts made it quite pricey, and pushed us 
 to look at more radical options.

having now migrated to a 100% Sup2T core system I can give a quick answer..
it was cheaper to get some WS-F6K-DFC4-A upgrades for our X6724 cards than it was to buy the
X6924 modules...and you need the DFC4...

alan
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Flow tools

2012-01-18 Thread Alan Buxey
Hi,

I'm finding it slightly ironic that the subject of this email is about
netflow...and yet people are dissing the Sup2T - the Sup2T is a netflow beast!  :-)

I'm just surprised that they took the opportunity to ditch the old PFC/DFC mixing
but kept the old inter-module communication link... 10/half ?  :-|

alan


Re: [c-nsp] Loopback IP set to .255 - 6500 responds to ICMP echo-request from wrong interface

2012-01-06 Thread Alan Buxey
Hi,

been using .0 and .255 addresses (in the proper class-less places eg in middle
of a /23 ) for years now.  any kit or system that cannot handle such addresses
as being client/end-station addresses should be dumped onto the recycling pile
and got rid of (its likely that such kit cannot do IPv6 either.)

alan


Re: [c-nsp] Catalyst 2950 freezing

2011-12-19 Thread Alan Buxey
Hi,
 Hello,
 
 Switch configuration for customer ports is below.
 If you have any recommendations, they are welcome :-)
 
 Current configuration : 190 bytes
 !
 interface FastEthernet0/1
  description #customer: CUST01i_L2 [4M]
  switchport access vlan 115
  load-interval 30
  speed 10
  duplex full
  no cdp enable
  spanning-tree bpdufilter enable

surely

switchport mode access
spanning-tree portfast
switchport nonegotiate


is wanted on those links... you dont want a customer to hit your switch with spanning
tree or force a trunk negotiation do you?

alan
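
The check suggested in the reply above, as an added example that is not part of the original post: a small Python audit that flags access ports missing the three recommended lines. The sample config is constructed (Fa0/1 mirrors the port quoted in the thread; the other interfaces and all function names are assumptions).

```python
import re

# Lines the reply recommends on customer-facing access ports.
REQUIRED = (
    "switchport mode access",
    "switchport nonegotiate",
    "spanning-tree portfast",
)

# Constructed sample: Fa0/1 mirrors the port quoted in the thread,
# Fa0/2 and Gi0/1 are hypothetical ports added for contrast.
SAMPLE_CONFIG = """\
!
interface FastEthernet0/1
 description #customer: CUST01i_L2 [4M]
 switchport access vlan 115
 load-interval 30
 speed 10
 duplex full
 no cdp enable
 spanning-tree bpdufilter enable
!
interface FastEthernet0/2
 description #customer: CUST02 (constructed)
 switchport access vlan 116
 switchport mode access
 switchport nonegotiate
 no cdp enable
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface GigabitEthernet0/1
 description uplink (constructed)
 switchport mode trunk
!
end
"""


def parse_interfaces(config):
    """Return {interface name: [stripped config lines]} for each stanza."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        match = re.match(r"^interface\s+(\S+)", raw)
        if match:
            current = match.group(1)
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            # Any non-indented line ("!", "end", a global command) ends the stanza.
            current = None
    return interfaces


def has_line(lines, required):
    """True if the command is present, allowing trailing keywords
    (e.g. 'spanning-tree portfast edge') but not an explicit 'disable'."""
    for line in lines:
        if line == required:
            return True
        if line.startswith(required + " ") and not line.endswith(" disable"):
            return True
    return False


def audit_access_ports(config):
    """Return {interface: [missing lines]} for ports that carry an access VLAN."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if not any(l.startswith("switchport access vlan") for l in lines):
            continue  # not an access port, e.g. a trunk uplink
        missing = [req for req in REQUIRED if not has_line(lines, req)]
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for port, missing in audit_access_ports(SAMPLE_CONFIG).items():
        print(f"{port}: missing {', '.join(missing)}")
```
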


Re: [c-nsp] Anyconnect force upgrade

2011-12-19 Thread Alan Buxey
Hi,
 easy question I'm sure. How do you turn off the feature on the ASA that
 forces the upgrade of anyconnect?

Q. Is there a way to prevent the Adaptive Security Appliance (ASA) from 
automatically upgrading to a new AnyConnect version?

A. Not prior to AnyConnect version 2.3.0.185. With version 2.3.0.185 and beyond 
there is a capability to not automatically upgrade the client. It's via a 
profile Autoupdate parameter. Please reference the Release notes for these 
preferences options.

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect23/release/notes/anyconnect23rn.html#wp908334



with thanks to cisco support forums and google  ;-)

and I believe if you put an old version on the ASA then the update/upgrade wont happen - so keep
the version on ASA disk as old as the oldest version you want to support

alan


Re: [c-nsp] Anyconnect force upgrade

2011-12-19 Thread Alan Buxey
Hi,
Alan and Mike--
thanks, but that is the same stuff i've found. I'm looking for the
Commands or ASDM steps to make it happen. I found client-update enable,
but is that the command? It still updated the anyconnect client after i
removed it. (ASA 8.4.2 and anyconnect 2.5.x)

the profile must have <AutoUpdate>false</AutoUpdate> in the ClientInitialization
template - as per the doc i linked. this can be done under the ASDM ...cisco dont like
you using the command line for anything these days...it'll end up in one
of the XML blobs on disk



alan

Re: [c-nsp] IS-IS advertise passive-only for ipv6?

2011-12-16 Thread Alan Buxey
Do you want me to be added to your feature request?

I'm getting a little frustrated, all I want is feature parity for ipv6, it 
seems like completely separate teams did the work on this platform and didn't 
see how things worked in the v4 world

alan

--
Message may be brief as it has been sent from my mobile



Re: [c-nsp] sup2t/15.0(1) guidance

2011-12-13 Thread Alan Buxey
Hi,

 Is there a handy changes from 12 to 15 for dummies guide? Or, don't worry 
 about it, it's really not a big deal? Mostly care about cat6k mgmt, MPLS VPN 
 and MVPN, BGP, OSPF, IPv4 environment. 
 
 Anyone using sup2t in anger yet, and opinions on 12 vs 15? (Though clearly 
 12.2(50) doesn't seem like the future)

I'd say go for 15  :-)  we've started to use them 'in anger' and so far
havent seen any show-stoppers - unlike eg SXH and early SXI releases
on our previous sup720 systems

alan


Re: [c-nsp] ASA 5550 url-filtering capacity

2011-12-05 Thread Alan Buxey
Hi,
 We are running into slow web sites and random/incorrect 403's on a
 5550 as an internet gateway doing NAT for an enterprise with upwards
 of 40,000 users.

I killed a 5580 doing URL REGEX'ing  - and that was without any NAT -
just a pure /16 going straight through

are you also logging these matches?

alan
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] negative effects of jumbos on cat6500?

2011-11-24 Thread Alan Buxey
Hi,

 This is specifically talking about cat6500 with sup2 or sup720 architecture,
 but the general questions why do vendors not ship large-mtu on L2-ports
 by default, what is the drawback? remains.

some do...TP-Link and netgear gig unmanaged switches, for example, just have
it on... in fact, the TP-Link stuff does 15k jumbos  :-)


now, i'm sure a nice scare story will come out saying what might happen...but
we've had the max jumbo frame set on our 6500 and 3750/E/X and 2970 etc aggregator
switches for years now and not seen anything 'untoward'...certainly been affected
by lots of OTHER things during that time that really shouldnt be bugs anymore :-|

jumbo frames on VLAN interfaces however.. now THAT is a different story ;-)


alan

