Re: [c-nsp] ASA equiv to aaa login local group blah
I only ever touch my ASA via ASDM, but what I've got is:

    Connection Profile Default - AAA (local)
    Connection Profile 123 - AAA (radius)

And then the users choose the connection profile from the login page (using tunnel-group-list enable). In your case you could just reverse that.

Thanks,
Erik

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jason Lixfeld
Sent: Wednesday, November 20, 2013 2:14 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ASA equiv to aaa login local group blah

I'm trying to do a quick and dirty add to a 9.1(3) ASA running WebVPN to allow a contractor in without having to create them an account on our main directory server. In IOS land, I could specify local auth before a server group and it would work fine. It seems that in ASA land you can only specify local auth after a server group fails.

I tried to create a specific group policy for the user, but it doesn't seem to wanna work.

!
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLITTUNNEL
 gateway-fqdn value foo.bar.com
 address-pools value SSLVPN
group-policy LocalAuthOnly internal
group-policy LocalAuthOnly attributes
 group-lock value LocalAuthOnly
username contractor password mEkEo2tG2a/HS2Ah encrypted
username contractor attributes
 vpn-group-policy LocalAuthOnly
 group-lock value LocalAuthOnly
 service-type remote-access
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group CORPRADIUS LOCAL
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group CORPRADIUS LOCAL
tunnel-group LocalAuthOnly type remote-access
tunnel-group LocalAuthOnly general-attributes
 default-group-policy LocalAuthOnly
!

Is there another way that I'm missing?

Thanks in advance.
_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Show mac addresses connected to ports
No reason to use the inc. On most of my gear, "sh mac add int <interface>" gives the macs off that port.

This in the config on the port will also help :evil-grin:

    switchport port-security

Thanks,
Erik

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Childs, Aaron
Sent: Friday, November 02, 2012 11:30 AM
To: 'Harry Hambi'; 'cisco-nsp@puck.nether.net'
Subject: Re: [c-nsp] Show mac adresses connected to ports

Yep.

Sh mac address-table | inc mod/port

Have a good day,
Aaron

Aaron Childs, CCNA
Associate Director, Networking
Information Technology
www.westfield.ma.edu/it
Please Note: new e-mail address - aa...@westfield.ma.edu

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Harry Hambi
Sent: Friday, November 02, 2012 11:19 AM
To: 'cisco-nsp@puck.nether.net'
Subject: [c-nsp] Show mac adresses connected to ports

Hi all,

Is there a command that will show me the list of mac addresses connected to a port? I suspect more than one device is connected to a port.

Thanks
Rgds
Harry

Harry Hambi BEng(Hons) MIET Rsgb

http://www.bbc.co.uk
This e-mail (and any attachments) is confidential and may contain personal views which are not the views of the BBC unless specifically stated. If you have received it in error, please delete it from your system. Do not use, copy or disclose the information in any way nor act in reliance on it and notify the sender immediately. Please note that the BBC monitors e-mails sent or received. Further communication will signify your consent to this.
Re: [c-nsp] NTP Servers
There was discussion about NIC HW timestamping on the NTP mailing list recently. I didn't read the whole thing, but one of the issues that was brought up was "How accurate is the clock on the NIC?". For very high precision, you'd have to discipline the NIC clock as well, so then you get twice the issues.

Thanks,
Erik

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Saku Ytti
Sent: Monday, June 25, 2012 11:24 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] NTP Servers

On (2012-06-25 10:50 -0400), Josh Baird wrote:

> And guess what the Infoblox appliances run? :)

Earlier poster also wondered 'why waste money on NTP appliance'. Some of these appliances have hardware timestamping, which will significantly increase accuracy, if your network is low-jitter and low-delay (like most HW switched networks today are).

Curiously at least on ingress side your random NIC can support HW timestamping today, and IIRC even egress. Couldn't be arsed to surf intel.com through the datasheets.

I wonder if the NIC HW timestamping function is flexible enough to inject timestamp in NTP packets as very first thing in ingress and very last thing as egress. And if there is way to give the NIC accurate timing somehow.

Probably quickly becomes cheaper to buy some appliance than try to figure out how to hack this in NIC driver, possibly kernel and NTPd.

--
  ++ytti
Re: [c-nsp] understanding interface traffic counters of Cisco router and Cisco switch
What about all the other control packet stuff that might be running on the switch (CDP, Spanning Tree, VTP, etc)?

Thanks,
Erik Soosalu

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Martin T
Sent: Friday, November 11, 2011 2:12 PM
To: Christopher J. Pilkington
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] understanding interface traffic counters of Cisco router and Cisco switch

Sergey, Christopher:

I doubt that it's the VLAN tag which adds this additional 0.3% traffic to switch interface counters when compared to router interface counters. As far as I understand, a VLAN tag is added when a frame leaves the switch via a trunk (802.1Q) port, but this is not the case in my test: all the switch ports are in switchport mode access. Traffic between switch ports in the switch should have no VLAN information applied. Any other ideas? Or am I wrong that traffic inside the switch-internal VLAN has no VLAN tag information?

regards,
martin

2011/11/11 Christopher J. Pilkington <c...@0x1.net>:
> Fa0/1 is an access port, not a 802.1q trunk, the traffic on that interface is not tagged, so the monitor destination will see untagged traffic.
>
> On Nov 10, 2011, at 19:38, Martin T <m4rtn...@gmail.com> wrote:
>
>> Sergey,
>>
>> I modified the setup a little:
>>
>> http://img64.imageshack.us/img64/5736/interfacestrafficcounte.png
>>
>> ..so now port Fa0/3 in the switch is in monitoring state and all the traffic from switch port Fa0/1 is copied to Fa0/3, which is connected to eth1 interface on ubuntu machine. Now if I start "tcpdump -nei eth1 -c10" in ubuntu machine in the middle of the iperf test, then results are:
>>
>> root@ubuntu:~# tcpdump -nei eth1 -c10
>> tcpdump: WARNING: eth1: no IPv4 address assigned
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
>> 00:10:30.167558 10:40:10:40:10:40 > 00:06:d7:4d:c0:61, ethertype IPv4 (0x0800), length 1512: 10.10.10.2.54064 > 10.10.11.2.5001: UDP, length 1470
>> 00:10:30.167563 00:06:d7:4d:c0:61 > 10:40:10:40:10:40, ethertype IPv4 (0x0800), length 1512: 10.10.11.2.46531 > 10.10.10.2.5001: UDP, length 1470
>> 00:10:30.168556 10:40:10:40:10:40 > 00:06:d7:4d:c0:61, ethertype IPv4 (0x0800), length 1512: 10.10.10.2.54064 > 10.10.11.2.5001: UDP, length 1470
>> 00:10:30.168805 00:06:d7:4d:c0:61 > 10:40:10:40:10:40, ethertype IPv4 (0x0800), length 1512: 10.10.11.2.46531 > 10.10.10.2.5001: UDP, length 1470
>> 00:10:30.169805 10:40:10:40:10:40 > 00:06:d7:4d:c0:61, ethertype IPv4 (0x0800), length 1512: 10.10.10.2.54064 > 10.10.11.2.5001: UDP, length 1470
>> 00:10:30.170055 00:06:d7:4d:c0:61 > 10:40:10:40:10:40, ethertype IPv4 (0x0800), length 1512: 10.10.11.2.46531 > 10.10.10.2.5001: UDP, length 1470
>> 00:10:30.171054 10:40:10:40:10:40 > 00:06:d7:4d:c0:61, ethertype IPv4 (0x0800), length 1512: 10.10.10.2.54064 > 10.10.11.2.5001: UDP, length 1470
>> 00:10:30.171303 00:06:d7:4d:c0:61 > 10:40:10:40:10:40, ethertype IPv4 (0x0800), length 1512: 10.10.11.2.46531 > 10.10.10.2.5001: UDP, length 1470
>> 00:10:30.172304 10:40:10:40:10:40 > 00:06:d7:4d:c0:61, ethertype IPv4 (0x0800), length 1512: 10.10.10.2.54064 > 10.10.11.2.5001: UDP, length 1470
>> 00:10:30.172308 00:06:d7:4d:c0:61 > 10:40:10:40:10:40, ethertype IPv4 (0x0800), length 1512: 10.10.11.2.46531 > 10.10.10.2.5001: UDP, length 1470
>> 10 packets captured
>> 10 packets received by filter
>> 0 packets dropped by kernel
>> root@ubuntu:~#
>>
>> In other words it looks like traffic isn't VLAN-tagged (ethertype should be 0x8100 in this case). Or might this be some sort of switch-internal VLAN tag?
>>
>> regards,
>> martin
>>
>> 2011/11/10 Sergey Nikitin <oldn...@oldnick.ru>:
>>> Hi,
>>>
>>> Most likely this is because of 802.1Q tag (4 bytes) added to the counter on a switch interface (and obviously you don't see this tag on a router interface). For example, interfaces Fa3/0 and Fa0/24:
>>>
>>> 773476480 - 771435576 = 2040904
>>> 2040904 / 510226 = 4
>>>
>>> HTH
>>>
>>> Martin T wrote:
>>>> I made a following setup:
>>>>
>>>> http://img828.imageshack.us/img828/5736/interfacestrafficcounte.png
>>>>
>>>> ..and executed "iperf -s -u -fm" in ubuntu machine and "iperf -c 10.10.11.2 -fm -u -d -b 10m -t600" in PE860 machine. Before the test I cleared all interface counters. Iperf results were following:
>>>>
>>>> root@PE860:~# iperf -c 10.10.11.2 -fm -u -d -b 10m -t600
>>>> ------------------------------------------------------------
>>>> Server listening on UDP port 5001
>>>> Receiving 1470 byte datagrams
>>>> UDP buffer size: 0.12 MByte (default)
>>>> ------------------------------------------------------------
>>>> Client connecting to 10.10.11.2, UDP port 5001
>>>> Sending 1470 byte datagrams
>>>> UDP buffer size: 0.12 MByte (default)
>>>> ------------------------------------------------------------
>>>> [  3] local 10.10.10.2 port 44911 connected with 10.10.11.2 port 5001
>>>> [  4] local 10.10.10.2 port 5001 connected with 10.10.11.2 port 49469
>>>> [ ID] Interval
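As an added example (not code from the thread), a small parser for the "tcpdump -e" lines Martin posted: it classifies each frame by outer ethertype (0x8100 means an 802.1Q tag is present) and works out the byte overhead a 4-byte tag per frame would add, which is the per-frame figure Sergey's counter arithmetic rests on. The capture lines, including the one tagged frame, are constructed here in the form tcpdump prints.

```python
"""Classify frames from 'tcpdump -e' output as 802.1Q-tagged or untagged and
compute what a 4-byte tag per frame would add to a switch port's byte counter.
Example code added to this thread (not from the list); the capture lines
below are constructed in the same format as Martin's tcpdump output."""
import re

TAG_BYTES = 4                  # size of an 802.1Q tag on the wire
DOT1Q_ETHERTYPE = "0x8100"

# 'tcpdump -e' prints:  HH:MM:SS.usec SRC > DST, ethertype NAME (0xNNNN)
#   [, vlan V, p P, ethertype NAME (0xNNNN)], length L: ...
# The vlan/p part is only present when the frame carries a tag.
FRAME_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<src>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > "
    r"(?P<dst>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}), "
    r"ethertype (?P<etype_name>[\w.]+) \((?P<etype>0x[0-9a-f]{4})\)"
    r"(?:, vlan (?P<vlan>\d+))?.*?, length (?P<length>\d+):"
)

# Constructed sample: four untagged frames like those in the thread plus one
# tagged frame (vlan 10) as tcpdump would print it if the tag were present.
SAMPLE_CAPTURE = """\
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
00:10:30.167558 10:40:10:40:10:40 > 00:06:d7:4d:c0:61, ethertype IPv4 (0x0800), length 1512: 10.10.10.2.54064 > 10.10.11.2.5001: UDP, length 1470
00:10:30.167563 00:06:d7:4d:c0:61 > 10:40:10:40:10:40, ethertype IPv4 (0x0800), length 1512: 10.10.11.2.46531 > 10.10.10.2.5001: UDP, length 1470
00:10:30.168556 10:40:10:40:10:40 > 00:06:d7:4d:c0:61, ethertype IPv4 (0x0800), length 1512: 10.10.10.2.54064 > 10.10.11.2.5001: UDP, length 1470
00:10:30.168805 00:06:d7:4d:c0:61 > 10:40:10:40:10:40, ethertype IPv4 (0x0800), length 1512: 10.10.11.2.46531 > 10.10.10.2.5001: UDP, length 1470
00:10:30.173000 10:40:10:40:10:40 > 00:06:d7:4d:c0:61, ethertype 802.1Q (0x8100), vlan 10, p 0, ethertype IPv4 (0x0800), length 1516: 10.10.10.2.54064 > 10.10.11.2.5001: UDP, length 1470
5 packets captured
"""


def parse_frame(line):
    """Return the frame's MACs, outer ethertype, VLAN id (if tagged) and wire
    length, or None for lines that are not frame summaries."""
    m = FRAME_RE.match(line)
    if not m:
        return None
    return {
        "src": m["src"],
        "dst": m["dst"],
        "ethertype": m["etype"],
        "tagged": m["etype"] == DOT1Q_ETHERTYPE,
        "vlan": int(m["vlan"]) if m["vlan"] else None,
        "length": int(m["length"]),
    }


def summarize(lines):
    """Count tagged/untagged frames and compare the bytes the frames occupy
    untagged with the bytes they would occupy if each carried a 4-byte tag."""
    frames = [f for f in map(parse_frame, lines) if f]
    # normalise to the untagged size so tagged and untagged frames are comparable
    untagged_bytes = sum(f["length"] - (TAG_BYTES if f["tagged"] else 0) for f in frames)
    tagged_bytes = untagged_bytes + TAG_BYTES * len(frames)
    overhead = 100.0 * (tagged_bytes - untagged_bytes) / untagged_bytes if untagged_bytes else 0.0
    return {
        "frames": len(frames),
        "tagged": sum(1 for f in frames if f["tagged"]),
        "untagged_bytes": untagged_bytes,
        "tagged_bytes": tagged_bytes,
        "tag_overhead_pct": round(overhead, 2),
    }


if __name__ == "__main__":
    for line in SAMPLE_CAPTURE.splitlines():
        f = parse_frame(line)
        if f:
            state = f"tagged vlan {f['vlan']}" if f["tagged"] else "untagged"
            print(f"{f['src']} > {f['dst']} {state} len={f['length']}")
    print(summarize(SAMPLE_CAPTURE.splitlines()))
```

For 1512-byte frames the tag overhead works out to about 0.26%, which is the scale of difference a tag would explain; control-plane frames the switch itself emits would show up as extra frames, not as extra bytes per frame.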
Re: [c-nsp] 2921 Fan noise
The 2921 was chosen due to the number of phones I could attach to it.

The thing is that the fans sound like they are on high, but show environment says they are set to low. The router is sitting on a two post rack with lots of room around it.

Just looked at the official sound figures for the router and I see that the spec is ridiculously loud. Time to check out other fans for it...

Thanks,
Erik Soosalu
Network and Security Administrator
Ground Transportation Solutions
a division of Calyx Transportation Group Inc.
T: 905.761.0009 x2143
F: 905-761-6683
E: erik.soos...@calyxinc.com

-----Original Message-----
From: Andrew Jones [mailto:andrew.jo...@alphawest.com.au]
Sent: Tuesday, October 25, 2011 12:30 AM
To: Erik Soosalu; cisco-nsp@puck.nether.net
Subject: RE: 2921 Fan noise

Hi

I've had the same issues before with other routers. This was a 3845 and at the time we couldn't find any way to reduce the noise, but found that if we installed small cooling fans into the small cabinet they were in, we could reduce the amount of time (if not eliminate) that the router was on its high speed fan setting.

Try looking at a 2911, not sure what your performance requirements are, but it was designed to be 2RU tall so they could fit larger (therefore quieter, due to lower rpm) fans.

Thanks,
Andrew Jones
Alphawest

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Erik Soosalu
Sent: Sunday, 23 October 2011 5:44 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] 2921 Fan noise

Anyone know if there is a way to quiet down the fans in a 2921? I've got one that will be deployed in an office space and I'm going to hear about it if I don't do something.

Show environment says that it is as quiet as it's going to get, but the fans are really loud still (much louder than the 2821 it is replacing).

SYSTEM FAN STATUS
=================
 Fan 1 OK, Low speed setting
 Fan 2 OK, Low speed setting
 Fan 3 OK, Low speed setting
 Fan 4 OK, Low speed setting

SYSTEM TEMPERATURE STATUS
=========================
 Intake Left temperature: 25 Celsius, Normal
 Intake Right temperature: 27 Celsius, Normal
 Exhaust Left temperature: 32 Celsius, Normal
 Exhaust Right temperature: 32 Celsius, Normal
 CPU temperature: 54 Celsius, Normal
 Power Supply Unit temperature: 26 Celsius, Normal

Thanks,
Erik
[c-nsp] 2921 Fan noise
Anyone know if there is a way to quiet down the fans in a 2921? I've got one that will be deployed in an office space and I'm going to hear about it if I don't do something.

Show environment says that it is as quiet as it's going to get, but the fans are really loud still (much louder than the 2821 it is replacing).

SYSTEM FAN STATUS
=================
 Fan 1 OK, Low speed setting
 Fan 2 OK, Low speed setting
 Fan 3 OK, Low speed setting
 Fan 4 OK, Low speed setting

SYSTEM TEMPERATURE STATUS
=========================
 Intake Left temperature: 25 Celsius, Normal
 Intake Right temperature: 27 Celsius, Normal
 Exhaust Left temperature: 32 Celsius, Normal
 Exhaust Right temperature: 32 Celsius, Normal
 CPU temperature: 54 Celsius, Normal
 Power Supply Unit temperature: 26 Celsius, Normal

Thanks,
Erik
Re: [c-nsp] debug to see what IP is trying to log in via telnet
This seems to come back with the info in the log:

    login on-failure log

"sh log" shows this:

Feb 23 15:39:53.667: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: X.X.X.X] [localport: 23] [Reason: Login Authentication Failed] at 15:39:53 EST Wed Feb 23 2011

Thanks,
Erik

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Alan Buxey
Sent: Wednesday, February 23, 2011 3:22 PM
To: Greg Whynott
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] debug to see what IP is trying to log in via telnet

Hi,

> wouldn't the IP of the host it speaks of in the logs? or does it just say failed log in from somewhere out on the network...? my logs have a src...
>
> %SEC-6-IPACCESSLOGP: list denied tcp 88.243.16.148(3900) -> 10.142.7.1(23), 1 packet

the device is on a legit bit of network so will be allowed by the current VTY/management plane ACLs ... AAA system sees query from the switch not from the originator of the login. it's trivial i know that (which is the frustrating part! :-) ) however, scanning some login/security docs on cisco.com tonight has been a nice refresher of some other things that need to be put onto a work schedule! :-)

alan
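As an added example (not code from the thread), a parser for the LOGIN_FAILED message Erik quotes above that pulls out the user, source, local port and reason fields and then flags any source with repeated failures inside a short window, which is the check you would run over "sh log" output or a syslog collector to answer "who is hammering the VTYs". The log lines are constructed; 192.0.2.0/24 is a documentation range, not a real source.

```python
"""Parse the IOS '%SEC_LOGIN-4-LOGIN_FAILED' messages produced by
'login on-failure log' and flag sources that keep failing within a short
window.  Example code added to this thread, not from the list or from Cisco;
the log lines below are constructed (192.0.2.0/24 is a documentation range)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Fields of the message quoted above; the trailing "at HH:MM:SS TZ Day Mon DD YYYY"
# is the router's own timestamp for the event.
LOGIN_FAILED_RE = re.compile(
    r"%SEC_LOGIN-4-LOGIN_FAILED: Login failed "
    r"\[user: (?P<user>[^\]]*)\] "
    r"\[Source: (?P<source>[^\]]+)\] "
    r"\[localport: (?P<port>\d+)\] "
    r"\[Reason: (?P<reason>[^\]]+)\] "
    r"at (?P<time>\d{2}:\d{2}:\d{2}) (?P<tz>\S+) "
    r"(?P<date>\w{3} \w{3} \d{1,2} \d{4})"
)

# Constructed sample: three failures from one source in ten seconds, one
# isolated failure from another source, and one unrelated message.
SAMPLE_LOG = """\
Feb 23 15:39:53.667: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 192.0.2.10] [localport: 23] [Reason: Login Authentication Failed] at 15:39:53 EST Wed Feb 23 2011
Feb 23 15:39:58.101: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 23] [Reason: Login Authentication Failed] at 15:39:58 EST Wed Feb 23 2011
Feb 23 15:40:03.220: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 192.0.2.10] [localport: 23] [Reason: Login Authentication Failed] at 15:40:03 EST Wed Feb 23 2011
Feb 23 15:41:12.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: erik] [Source: 192.0.2.20] [localport: 22] [Reason: Login Authentication Failed] at 15:41:12 EST Wed Feb 23 2011
Feb 23 15:42:00.000: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.20)
"""


def parse_login_failed(line):
    """Return the event fields for a LOGIN_FAILED line, or None for any other line."""
    m = LOGIN_FAILED_RE.search(line)
    if not m:
        return None
    when = datetime.strptime(f"{m['date']} {m['time']}", "%a %b %d %Y %H:%M:%S")
    return {
        "time": when,
        "user": m["user"].strip() or "<empty>",  # '[user: ]' when no username was sent
        "source": m["source"],
        "port": int(m["port"]),
        "reason": m["reason"],
    }


def find_repeat_failures(lines, threshold=3, window=timedelta(minutes=5)):
    """Return {source: total_failures} for every source that produced at least
    `threshold` failed logins inside any `window`-long span."""
    by_source = defaultdict(list)
    for line in lines:
        ev = parse_login_failed(line)
        if ev:
            by_source[ev["source"]].append(ev["time"])
    flagged = {}
    for source, times in by_source.items():
        times.sort()
        start = 0
        for end in range(len(times)):        # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[source] = len(times)
                break
    return flagged


if __name__ == "__main__":
    for src, n in find_repeat_failures(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {n} failed logins, at least 3 within 5 minutes")
```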
Re: [c-nsp] More than 128M CF on C1800 router?
Don't hot insert the flash - *bad* things happen. Always insert with the router powered down, but 2GB cards work fine.

rt-02#sh ver
Cisco 1841 (revision 7.0) with 118784K/12288K bytes of memory.
2 FastEthernet interfaces
1 ATM interface
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
2000880K bytes of ATA CompactFlash (Read/Write)

rt-02#sh flash: filesys

ATA Flash Card Geometry/Format Info

ATA CARD GEOMETRY
   Manufacturer Name Model Number   SanDisk SDCFH2-002G
   Serial Number                    116905E0509S3212
   Firmware Revision                HDX 4.32
   Number of Heads                  16
   Number of Cylinders              3970
   Sectors per Cylinder             63
   Sector Size                      512
   Total Sectors                    4001760

ATA PARTITION 1 INFO
   Start Sector                     63
   Number of Sectors                4001697
   Size in Bytes                    2048868864
   File System Type                 FAT16
   Number of FAT Sectors            245
   Sectors Per Cluster              64
   Number of Clusters               62514
   Number of Data Sectors           4000896
   Base FAT Sector                  238
   Base Root Sector                 728
   Base Data Sector                 760

ATA MONLIB INFO
   Image Monlib size                117868
   Disk Monlib Size                 117740
   Disk Space Available             121344
   Name                             piptom-atafslib-m
   Start sector                     2
   End sector                       231
   Updated By                       C1841-BROADBAND-M12.4(24)T
   Version                          2

The card in this router is a SanDisk Ultra II 2GB. I've also used Transcend 2GB cards.

Thanks,
Erik

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Nick Hilliard
Sent: Wednesday, November 24, 2010 6:18 AM
To: Mikael Abrahamsson
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] More than 128M CF on C1800 router?

On 24/11/2010 11:13, Mikael Abrahamsson wrote:
> When I last inserted a larger than 128M CF card into a 12.2(24)T2 running 1841 it crashed and rebooted and then failed to boot properly. So no, as far as I know, it's not supported and it actually doesn't work.

meh, annoying. For some reason, 64Mb cards are easy to get, and 256M too. Just not 128M cards.

Nick
[c-nsp] 1841/Loopback/ADSL issue
Wondering if I could ask you all for a quick comment on my issue before I try and open a TAC case on this.

Situation is a 1841 router with WIC-1ADSL terminating a PPPoE and T1 LANe circuit (which is delivered to me over Ethernet). I have a loopback interface on the router that is used both for connecting monitoring and as an un-numbered interface for the PPPoE.

My issue is that when the PPPoE flaps, I temporarily lose connection to the loopback on the router. I have verified that as it flaps, there is no change in OSPF routing and the LANe is still the preferred route.

Relevant portions of the config:

interface Loopback10
 ip address 10.1.255.15 255.255.255.255
!
interface FastEthernet0/1
 description LANe
 ip address 10.1.254.30 255.255.255.248
!
interface ATM0/0/0
 pvc 0/35
  pppoe-client dial-pool-number 1
!
interface Dialer1
 ip unnumbered Loopback10
 dialer pool 1

This router has exhibited this issue with at least three different versions of IOS. As the PPPoE flaps, if I'm connected to the internal network interface of the router, I'm good. Connect to the loopback, I lose connection.

I know I could simply setup another loopback for management purposes, but I thought that the loopback was always supposed to stay up.

Any tweaks anyone can think of, or should I open a TAC case?

Thanks,
Erik
Re: [c-nsp] USB to Serial Converter recommendation
I would recommend ATEN UC232A (http://www.aten-usa.com/?productcat=795Item=UC232A), I have used it every day without a problem for the last 5 years. IOGear rebadges this as the GUC-232A. Works very well.
Re: [c-nsp] Mysterious ASIC
Apparently not very new (as some of this gear is 2.5 years old) and used in a lot of stuff...

#sh version | i cisco WS-
cisco WS-C3560-24PS (PowerPC405) processor (revision U0) with 122880K/8184K bytes of memory.
vau1sw-01#sh platform port-asic version
Port-Asic Version Info:
ASIC-0: Version:8 DeviceType:0x2C1

#sh ver | i cisco WS-
cisco WS-C3560-8PC (PowerPC405) processor (revision A0) with 131072K bytes of memory.
#sh platform port-asic version
Port-Asic Version Info:
ASIC-0: Version:8 DeviceType:0x2C1

#sh ver | i cisco WS-
cisco WS-C2960-8TC-L (PowerPC405) processor (revision A0) with 65536K bytes of memory.
#sh platform port-asic version
Port-Asic Version Info:
ASIC-0: Version:8 DeviceType:0x2C1

#sh ver | i cisco WS-
cisco WS-C2960-48TT-L (PowerPC405) processor (revision D0) with 65536K bytes of memory.
con1sw-04#sh pla
con1sw-04#sh platform port-asic versi
Port-Asic Version Info:
ASIC-0: Version:8 DeviceType:0x2C1
ASIC-1: Version:8 DeviceType:0x2C1

#sh ver | i cisco WS-
cisco WS-C3560-48PS (PowerPC405) processor (revision N0) with 131072K bytes of memory.
#sh platform port-asic version
Port-Asic Version Info:
ASIC-0: Version:8 DeviceType:0x2C1
ASIC-1: Version:8 DeviceType:0x2C1

Thanks,
Erik

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of David Freedman
Sent: Thursday, January 21, 2010 6:46 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Mysterious ASIC

Look at this:

#sh ver | in cisco WS-
cisco WS-C2960G-48TC-L (PowerPC405) processor (revision E0) with 0K/4088K bytes of memory.

#sh platform port-asic version
Port-Asic Version Info:
ASIC-0: Version:1 DeviceType:0x2CA
ASIC-1: Version:1 DeviceType:0x2CA
ASIC-2: Version:1 DeviceType:0x2CA
ASIC-3: Version:1 DeviceType:0x2CA
ASIC-4: Version:1 DeviceType:0x2CA
ASIC-5: Version:1 DeviceType:0x2CA
ASIC-6: Version:1 DeviceType:0x2CA
ASIC-7: Version:1 DeviceType:0x2CA
ASIC-8: Version:1 DeviceType:0x2CA
ASIC-9: Version:1 DeviceType:0x2CA
ASIC-10: Version:1 DeviceType:0x2CA
ASIC-11: Version:1 DeviceType:0x2CA

So, the WS-C2960G-48TC-L has 12 Port ASICs, for a published 39Mpps of throughput.

But now look at this, the 2960-24TC-L, advertised at 6.5Mpps:

#sh ver | in cisco WS-
cisco WS-C2960-24TC-L (PowerPC405) processor (revision H0) with 65536K bytes of memory.

#sh platform port-asic version
Port-Asic Version Info:
ASIC-0: Version:8 DeviceType:0x2C1

Yes, a single 6.5Mpps forwarding ASIC, type 0x2C1

Does anybody know what this new ASIC may be and what else it is used in?

David Freedman
Group Network Engineering
Claranet Limited
http://www.clara.net
Re: [c-nsp] ASA 5505 VPN with 2008 NPS as AD Integrated RADIUS
With a 5510 we are using 2008 NPS for AD auth.

Do you have something under your Connection Request Policy? The log seems to be telling you that there is something missing there.

Thanks,
Erik

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jeff Wojciechowski
Sent: Tuesday, October 20, 2009 3:58 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ASA 5505 VPN with 2008 NPS as AD Integrated RADIUS

Hi All,

Has anyone gotten ASA based VPN (soft clients) to work with Windows 2008 NPS - AD Integrated RADIUS?

As our engineer put it: "Cisco does not have a document for authentication configuration with Windows 2008." Since they say the ASA configuration looks fine they have washed their hands of it and want to close the case.

I can see this in the logs on our AD server:

Contact the Network Policy Server administrator for more information.

User:
  Security ID: NULL SID
  Account Name: %domain\username%
  Account Domain: -
  Fully Qualified Account Name: -

Client Machine:
  Security ID: NULL SID
  Account Name: -
  Fully Qualified Account Name: -
  OS-Version: -
  Called Station Identifier: %some ip address%
  Calling Station Identifier: %some originating ip address%

NAS:
  NAS IPv4 Address: %ip of server%
  NAS IPv6 Address: -
  NAS Identifier: -
  NAS Port-Type: Virtual
  NAS Port: 159744

RADIUS Client:
  Client Friendly Name: whl_vpn_new
  Client IP Address: %ip address of client%

Authentication Details:
  Proxy Policy Name: -
  Network Policy Name: -
  Authentication Provider: -
  Authentication Server: %fqdn of server%
  Authentication Type: -
  EAP Type: -
  Account Session Identifier: -
  Reason Code: 49
  Reason: The connection attempt did not match any connection request policy.

If this has been asked and answered (or if there is a better forum for this), I apologize. If someone could nudge me in the right direction that would be very awesome.

Technet for the above error is pretty pointless as usual.

Thanks again,

-Jeff
Re: [c-nsp] cisco router 2800/3800 serie
With some things neutered...

Cisco IOS Software, 1841 Software (C1841-SPSERVICESK9-M), Version 12.4(22)T1, RELEASE SOFTWARE (fc5)
Technical Support: http://www.cisco.com/techsupport

rt-02#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/1            10.1.254.14     YES NVRAM  up                    up
rt-02#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
rt-02(config)#int fa 0/1
rt-02(config-if)#mtu ?
  <64-1600>  MTU size in bytes
rt-02(config-if)#mtu 1600
rt-02(config-if)#end
rt-02#sh run int fa 0/1
Building configuration...

Current configuration : 239 bytes
!
interface FastEthernet0/1
 mtu 1600

Thanks,
Erik

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Peter Rathlev
Sent: Wednesday, August 26, 2009 2:41 PM
To: Justin Shore
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] cisco router 2800/3800 serie

On Wed, 2009-08-26 at 13:00 -0500, Justin Shore wrote:
> I suspect that the interface MTU of the 1841 may not go above 1500.

It's even worse, it doesn't seem to support MTU != 1500 at all on the built in FE interfaces.

Router(config-if)#do sh ip int bri
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.251.9.5      YES NVRAM  up                    up
FastEthernet0/1            unassigned      YES NVRAM  administratively down down
ATM0/0/0                   unassigned      YES NVRAM  down                  down
Router(config-if)#int fa0/0
Router(config-if)#mtu 1501
% Interface FastEthernet0/0 does not support user settable mtu.
Router(config-if)#int fa0/1
Router(config-if)#mtu 1501
% Interface FastEthernet0/1 does not support user settable mtu.
Router(config-if)#do sh ver | incl IOS
Cisco IOS Software, 1841 Software (C1841-BROADBAND-M), Version 12.4(1a), RELEASE SOFTWARE (fc2)
Router(config-if)#

Outdated IOS but this MTU thingy probably hasn't changed.

Regards,
Peter
Re: [c-nsp] OT: Internet Web Caching Solution
Squid on a Linux/FreeBSD box
McAfee WebGateway (can be bought as an appliance)
ISA on Windows
Untangle

Pretty much any Web filtering package runs on a proxy/cache or includes one. I've run the first three with user loads in the 300-400 range with no issues.

Thanks,
Erik

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Felix Nkansah
Sent: Thursday, August 13, 2009 10:14 AM
To: shiran guez
Cc: Cisco certification; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] OT: Internet Web Caching Solution

Hi Shiran,

I must say that I am NOT looking for a WAN optimization tool. I want an Internet web proxy, caching and acceleration appliance. Is that also covered by Expand Networks?

Many Thanks.

On Thu, Aug 13, 2009 at 2:10 PM, shiran guez <shira...@gmail.com> wrote:
> I can suggest a better solution Expand Networks one of the leaders in the last several years in WAN optimization (for being frankly i would indicate that I work for Expand as 3rd level Eng)
>
> On Thu, Aug 13, 2009 at 4:41 PM, Felix Nkansah <felixnkan...@gmail.com> wrote:
>> Hi,
>>
>> I am looking for a web caching and acceleration platform. The Cisco Cache Engines were replaced by the Content Engines which have also been replaced with the WAE running ACNS software.
>>
>> The datasheets on ACNS seem to imply caching and acceleration of multimedia traffic between branch offices and central office, with ACNS appliances at both ends. That is not what I am looking for.
>>
>> I want a one-site appliance for Internet web traffic caching only.
>>
>> Many thanks for your clarification.
>>
>> Felix
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>
> --
> Shiran Guez
> MCSE CCNP NCE1 JNCIA-ER CCIE #20572
> http://cciep3.blogspot.com
> http://www.linkedin.com/in/cciep3
> http://twitter.com/cciep3
Re: [c-nsp] OT: Best Online Antispam Service
I've been using Forefront Online Security for Exchange (formerly Exchange Hosted Filtering, formerly FrontBridge) for a number of years. We find it works extremely well. It is store and forward (they will store for 5 days if your MX goes down). Last year we had a few issues with handoffs to the service from a limited set of clients (but these self resolved in 4-5 hours).

> Also, all the spam I get is 'from me'. I would think that if a message originates out on the public internet that is from me, to me, not originating from our SMTP server would be looked at a little closer?

In FOSE you can set a policy to block this kind of stuff. It is actually part of their best practices config guide.

Thanks,
Erik

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jeff Wojciechowski
Sent: Thursday, July 02, 2009 9:15 AM
To: Maxwell Reid; Cisco-nsp
Subject: Re: [c-nsp] OT: Best Online Antispam Service

We just cut over to Postini a few months ago and there have definitely been some quirks. Awhile back we had a mail loop where one message kept spooling back and forth between Postini and us, getting a few k bigger each trip back and forth, and eventually swamped out our entire internet connection. Don't recall what our mail admin had to do to stop the loop but the Postini tech was useless. Thank goodness for Netflow or I would have never figured out what the heck was going on.

Also, all the spam I get is 'from me'. I would think that if a message originates out on the public internet that is from me, to me, not originating from our SMTP server would be looked at a little closer?

So there are a few gaps. Naturally this is better than when I worked for a dial-up ISP with ~500 customers. We used Declude and I had to manually sort mail that didn't fall into the "probably not spam" or the "probably spam" buckets!

-Jeff

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Maxwell Reid
Sent: Wednesday, July 01, 2009 8:58 PM
To: Cisco-nsp
Subject: Re: [c-nsp] OT: Best Online Antispam Service

Our experience with Postini was pretty good until Google bought them out. When that happened some of postini's 'quirks' became more apparent (black holed mails) and the service sorta went down hill from there. I'd recommend using a provider more *focused* on email that hasn't been bought out by a giant advertising firm or getting an appliance / rolling your own system.

I'd point out that Postini et al. don't really save you that much in terms of bandwidth. They aren't generally setup as store and forward services, they operate by opening a backend proxy connection to your mail server anyway, so you'll see header traffic, and most spam is relatively small fry byte wise. If you're starving bandwidth wise, traffic shaping and ratelimiting are better options. Also, if you're an ISP, they won't solve the problem of outbound scanning; that only applies to Enterprises.

~Max

On Jul 1, 2009, at 3:19 PM, Paul Stewart wrote:

> Yeah, Postini is what we use today... been very good to date. Service Provider pricing you can get them much more aggressive in pricing depending on volume. I believe we're doing about 35,000 mailboxes today with them - overall pretty happy.
>
> Paul
>
> -----Original Message-----
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Michael Schuler
> Sent: Wednesday, July 01, 2009 3:03 PM
> To: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] OT: Best Online Antispam Service
>
> I've had some really phenomenal experience using Postini. Its pricing is extremely reasonable at 12/year per user for just spam/virus filtering. It can do SMS/email alerts of host down and spooling until the server comes back up. The firm I work at uses it for about 1700 users and I have a client I support of about 30 users that use it with extremely great results. Easy for users to use. Easy to implement for inbound and outbound scanning.
>
> On 7/1/09 4:46 PM, Sean Granger <sgran...@randfinancial.com> wrote:
>
>> After a rocky start w/ false positives, we've had a decent go of things with MXLogic. They're consistently improving value to the service by adding functionality.
>>
>> Felix Nkansah <felixnkan...@gmail.com> 6/30/2009 5:56 PM:
>>> Hi Team,
>>>
>>> I am interested in subscribing to a GOOD online email filtering service, through which all emails destined to an enterprise domain transit, are scanned and filtered for spam and viruses, before legitimate mails are relayed to the destination mail server.
>>>
>>> As a bonus, the service should also store emails for some time if the destination mail server is down.
>>>
>>> Much as IronPort and Barracuda appliances do a good antispam job, they are typically placed onsite for which reason the network bandwidth still gets choked