Re: [c-nsp] fabric switching enable
I believe that is correct. When a switching mode changes automatically due to cards with different capabilities being inserted, then there are no chassis or card resets. However, when you force bus mode the affected cards are reset.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andrew Yourtchenko
Sent: Wednesday, June 18, 2008 7:55 AM
To: Richard A Steenbergen
Cc: Pham, Loc; Cisco NSPs
Subject: Re: [c-nsp] fabric switching enable

On Tue, 17 Jun 2008, Richard A Steenbergen wrote:
> On Tue, Jun 17, 2008 at 11:27:23PM +0200, Peter Rathlev wrote:
> > Changing switching mode power cycles the modules by the way. I guess that's a gotcha. :-)
>
> I'm pretty sure that's not true. You may be thinking of PFC/DFC modes, where inserting a lower capability card (3a or 3b into a 3bxl system, etc) brings down the entire switch to the lowest common card, and requires a reboot of the entire system to bring it back (after removing the offending card of course). This doesn't happen to the switching mode at all.

I think Peter had http://www.cisco.com/en/US/ts/fn/610/fn61935.html in mind.

thanks,
andrew

_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] IPSEC Transport mode
That doesn't make sense. Encrypt the traffic before acceleration from what perspective? From looking at it from the WAN in between the two sites? That I can see, but that's not usually how VPNs and encryption are described, and can confuse a lot of people. If described in the normal way, from the perspective of the main or local site and not within the WAN, then I fail to see how an acceleration device would be able to accelerate encrypted traffic. I can see how an acceleration device may be able to accelerate traffic before it is encrypted and sent over the WAN. That would describe a normal VPN connection, and you would theoretically be able to put your WAN acceleration device in-line between your remote site and the WAN router/ASA. If the acceleration device ignores ESP and says they can accelerate a non-ESP connection, then that means to me they require AH, which isn't encryption at all and just authentication (that the data didn't change, and hence would fail anyway if the acceleration device modified the data, which it presumably has to do to reduce the number of bits sent). I think there is a large misunderstanding, possibly on my part, as to what the design requirements are.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ziv Leyes
Sent: Wednesday, June 18, 2008 10:12 AM
To: Jeremy Stretch; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] IPSEC Transport mode

We need to find a way to encrypt the data BEFORE the acceleration and from what I've read, it is not possible to accelerate TCP when the data is inside an encrypted tunnel, so the possible way to be able to spoof the TCP is in transport mode instead of tunnel mode of the IPSec. But that's only based on what I've read on the web, perhaps I'm missing something.

If the only way to do it is using only two routers, is somebody willing to share a sample config of a GRE/IPIP tunnel with transport encryption within?

Thanks,
Ziv

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeremy Stretch
Sent: Wednesday, June 18, 2008 12:32 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] IPSEC Transport mode

Ziv,

I have a setup very similar to what you describe, a transport mode tunnel between two 3725s connected via satellite. We have accelerators in place but I'm not familiar with them. It's a fairly standard setup; what do you need to know?

stretch
http://packetlife.net

Ziv Leyes wrote:
> Hi,
> I'm making a VPN Site to Site tunnel in a lab test between a Cisco 1840 router and an ASA5510, each one connected behind a satellite link. Because of the high latency in such a setup (1300ms RTT) we're trying to implement acceleration, and the appliance we're trying to implement needs the VPN to encrypt in transport mode in order to be able to accelerate the traffic; the appliance knows to ignore the ESP protocol and accelerate/compress the data, it can't do anything with IPSec in tunnel mode.
> I searched the web and the only thing I've found was a proposed setup with a GRE or L2TP tunnel and then encrypting the data that goes through the tunnel.
> Does somebody know what I'm talking about? I'll appreciate some ideas.
> Thanks,
> Ziv
>
> This footnote confirms that this email message has been scanned by PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
Re: [c-nsp] Need some help troubleshooting l2tpv3 tunnel
Although it may work with an interface address, you are really supposed to create a loopback interface for the L2TPv3 tunnels, and point to the other side's loopback address in your xconnect statements. You would also obviously need a route to the other end's loopback addresses, either using a dynamic protocol or just via a static route.

Also, on the remote side you have an address on the main interface, and then an xconnect on a sub-interface. I'm not sure that is a valid configuration. The L2TPv3 tunnels I've used have one physical interface out of which the L2TPv3 encapsulated packets travel to the remote destination, and another physical interface on which there are multiple (50+) subinterfaces (encaps dot1q xxx) with xconnects on them, plus a sub-interface with an assigned IP address (not on the main interface, and not an xconnect).

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steven Pfister
Sent: Friday, June 13, 2008 9:28 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Need some help troubleshooting l2tpv3 tunnel

I've got a project I'm trying to use an l2tpv3 tunnel for. The tunnel seems to establish just fine, but it doesn't seem to do quite what I expected it to do. I'm trying to access vlans on a remote site that's connected via ATM. The remote side is connected by a 3640 router, plus an 8510 switch. On the local side, I've got another 3640, plus a 3500 switch. As a possible clue, doing a 'show vlans' shows many packets output, but only a few input on the local side. On the remote side, the counts are zero in and out.

Here is a piece of the config on both sides. There is a vlan 77 on the network connected to f0/0 on the remote side that I'd like to be able to assign to the network connected to f0/0 on the local side.

Thanks!
--Steve

=== remote side ===

l2tp-class l2-dyn
 hostname ABC
 password password
 cookie size 8
!
pseudowire-class pw-dynamic
 encapsulation l2tpv3
 protocol l2tpv3 l2-dyn
 ip local interface FastEthernet0/0
!
interface FastEthernet0/0
 ip address 10.77.0.1 255.255.0.0
 no ip redirects
 no ip proxy-arp
 ip pim sparse-mode
 ip route-cache flow
 speed 100
 full-duplex
!
interface FastEthernet0/0.77
 encapsulation dot1Q 77
 no snmp trap link-status
 no cdp enable
 xconnect 10.52.0.10 77 pw-class pw-dynamic
!
interface ATM1/0.2 multipoint
 bandwidth 2284
 ip address 10.99.60.77 255.255.255.0
 ip pim sparse-mode
 no ip mroute-cache
 pvc data 0/277
  protocol ip 10.99.60.1 broadcast
  ubr 2284
  broadcast
  encapsulation aal5snap
!
!

== local side ==

l2tp-class l2-dyn
 hostname ADM
 password password
 cookie size 8
!
pseudowire-class pw-dynamic
 encapsulation l2tpv3
 protocol l2tpv3 l2-dyn
 ip local interface FastEthernet0/0
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.77
 encapsulation dot1Q 77
 no snmp trap link-status
 no cdp enable
 xconnect 10.77.0.1 77 pw-class pw-dynamic
!
interface FastEthernet2/0
 no ip address
 no ip redirects
 no ip proxy-arp
 ip pim sparse-mode
 duplex auto
 speed auto
!
interface FastEthernet2/0.52
 encapsulation dot1Q 52 native
 ip address 10.52.0.10 255.255.0.0
 no snmp trap link-status
!

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email [EMAIL PROTECTED]
Re: [c-nsp] configuring RFC1948 on the ASA 5505
Oh, well that changes things. I don't mean to make excuses for Cisco, but the only TCP sessions TO the ASA should be from specific hosts or segments that are considered safe or clean, such as a management subnet. In all likelihood, if your management stations are compromised you're screwed anyway, as they most certainly have the credentials and access rights to manage any of your network devices. If access into your ASA is wide-open, I'd suggest that you have more serious, policy based, issues.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Rathlev
Sent: Monday, June 09, 2008 4:57 AM
To: Luan M Nguyen
Cc: cisco-nsp
Subject: Re: [c-nsp] configuring RFC1948 on the ASA 5505

On Sat, 2008-06-07 at 22:58 -0400, Luan M Nguyen wrote:
> I wonder if you do this:
>
> class-map tcp_traffic
>  match any
> policy-map global_policy
>  class tcp_traffic
>   set connection random-sequence-number disable
>
> Would you get TCP Sequence Prediction: Difficulty=0 (Trivial joke)?

Well, I tried that now, but it doesn't change the result. The above is about randomizing TCP sequence numbers for connections passing _through_ the ASA. It doesn't change anything for connections with the ASA as one endpoint.

Regards,
Peter
Re: [c-nsp] Cisco ASA IPS Module
That is the newbie text. What part are you having difficulties with? I could suggest the certification guide from Cisco Press for the IPS test. It certainly has more information than you will likely ever use.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of aaron
Sent: Monday, June 09, 2008 6:03 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco ASA IPS Module

Hi Guys,

I am hoping to get some advice / experiences on the configuration of the ASA IPS Module. Mainly where should I start? I am currently reading the Installing and Using Cisco Intrusion Prevention System Device Manager 6.0 guide but if anyone has any further information for a newbie in this area that would be great.

Many thanks in advance,
Aaron.
Re: [c-nsp] configuring RFC1948 on the ASA 5505
It could be that he has random sequence number generation turned off, possibly because it causes issues with eBGP MD5s. This can be done in a NAT statement with the norandomseq keyword, or for all TCP traffic with the set connection random-sequence-number disable command on a class in a policy map.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Rathlev
Sent: Thursday, June 05, 2008 6:16 AM
To: Jerry Kemp
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] configuring RFC1948 on the ASA 5505

Hi Jerry,

I have a 5550 providing truly random sequence numbers according to NMap:

:: [EMAIL PROTECTED] ~]# nmap -v -sT -O -p 22,23,443 10.x.y.z
::
:: Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-06-05 12:11 CEST
:: DNS resolution of 1 IPs took 0.00s.
:: Initiating Connect() Scan against 10.x.y.z [3 ports] at 12:11
:: Discovered open port 443/tcp on 10.x.y.z
:: Discovered open port 23/tcp on 10.x.y.z
:: Discovered open port 22/tcp on 10.x.y.z
:: The Connect() Scan took 0.00s to scan 3 total ports.
:: Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
:: For OSScan assuming port 22 is open, 43522 is closed, and neither are firewalled
:: For OSScan assuming port 22 is open, 36850 is closed, and neither are firewalled
:: For OSScan assuming port 22 is open, 30796 is closed, and neither are firewalled
:: Host 10.x.y.z appears to be up ... good.
:: Interesting ports on 10.x.y.z:
:: PORT    STATE SERVICE
:: 22/tcp  open  ssh
:: 23/tcp  open  telnet
:: 443/tcp open  https
:: Device type: router|printer|load balancer
:: Running (JUST GUESSING) : Cisco IOS 12.X (91%), Canon embedded (85%), Cisco embedded (85%)
:: Aggressive OS guesses: Cisco 2611 router running IOS 12.0(7)T (91%), Canon iR 2200 printer (85%), Cisco CSS 11501 Content Services Switch (85%)
:: No exact OS matches for host (test conditions non-ideal).
:: TCP Sequence Prediction: Class=truly random
::                          Difficulty=999 (Good luck!)
:: IPID Sequence Generation: Randomized
::
:: Nmap finished: 1 IP address (1 host up) scanned in 9.588 seconds
::                Raw packets sent: 50 (4556B) | Rcvd: 37 (1912B)
:: [EMAIL PROTECTED] ~]#

There could be a difference between the 5505 and the 5550, but hopefully not for something like the device's own TCP stack. What version of ASA software are you using? The above is tested on 7.2(2) and 7.2(4).

Regards,
Peter

On Wed, 2008-06-04 at 23:44 -0500, Jerry Kemp wrote:
> Is it possible to configure RFC 1948 sequence number generation on a Cisco ASA 5505 firewall?
>
> A recent nmap port scan shows TCP sequence prediction to be Difficulty=0 (Trivial joke).
>
> I did RTFM both Cisco and did several Yahoo searches, and did not turn up anything of value.
>
> Below is an (abbreviated) nmap scan sample of an internal port on my ASA. In case my question is not obvious, I have also included (very bottom) the RFC 1948 configuration from a standard Unix (Solaris) set up.
>
> TIA for any replies,
>
> Jerry K
>
> # nmap -v -sT -O 1.1.1.1
>
> Starting Nmap 4.20 ( http://insecure.org ) at 2008-06-04 23:27 CDT
> Initiating ARP Ping Scan at 23:27
> Scanning 1.1.1.1 [1 port]
> Completed ARP Ping Scan at 23:27, 0.20s elapsed (1 total hosts)
> Initiating Connect() Scan at 23:27
> Scanning 1.1.1.1 (1.1.1.1) [1697 ports]
> Completed Connect() Scan at 23:27, 30.77s elapsed (1697 total ports)
> Host 1.1.1.1 (1.1.1.1) appears to be up ... good.
> Interesting ports on 1.1.1.1 (1.1.1.1):
> Not shown: 1694 filtered ports
> PORT    STATE SERVICE
> 22/tcp  open  ssh
> 23/tcp  open  telnet
> 443/tcp open  https
> MAC Address: 00:19:7:24:AD:67 (Cisco Systems)
> Network Distance: 1 hop
> TCP Sequence Prediction: Difficulty=0 (Trivial joke)
>
> --
>
> # TCP_STRONG_ISS sets the TCP initial sequence number generation parameters.
> # Set TCP_STRONG_ISS to be:
> #     0 = Old-fashioned sequential initial sequence number generation.
> #     1 = Improved sequential generation, with random variance in increment.
> #     2 = RFC 1948 sequence number generation, unique-per-connection-ID.
> #
> TCP_STRONG_ISS=2
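The thread contrasts the "Difficulty=0 (Trivial joke)" result with an RFC 1948 generator (the Solaris TCP_STRONG_ISS=2 setting). The model below, an added illustration that is not code from the thread, from Cisco or from Solaris, implements both schemes side by side; RFC 1948 specifies MD5 over the connection ID and a secret, and this model substitutes HMAC-SHA256 (an assumption, same structure), with constructed probe connections and a constructed secret.

```python
"""RFC 1948 initial sequence numbers next to sequential generation.

Added illustration, not code from the thread or from any Cisco or Solaris
implementation. RFC 1948 hashes the connection ID plus a secret with MD5;
this model uses HMAC-SHA256 (an assumption, same structure).
"""
import hashlib
import hmac
import time

MASK32 = 0xFFFFFFFF


class SequentialISN:
    """TCP_STRONG_ISS=0 style: the previous ISN plus a fixed increment.

    One observed ISN lets anyone predict every later one, which is what
    makes blind spoofing and RST injection against the host feasible.
    """

    def __init__(self, start=0, increment=64000):
        self.current = start
        self.increment = increment

    def next_isn(self, src_ip, src_port, dst_ip, dst_port):
        # The 4-tuple is ignored: every connection shares one counter.
        self.current = (self.current + self.increment) & MASK32
        return self.current


class RFC1948ISN:
    """TCP_STRONG_ISS=2 style: ISN = M(t) + F(src, sport, dst, dport, secret).

    M(t) is a clock (RFC 1948 keeps the 4 us tick of RFC 793) and F is a
    keyed hash over the connection ID. Each 4-tuple therefore lives in its
    own monotonically increasing ISN space, and ISNs seen on one connection
    tell an observer nothing about another's.
    """

    def __init__(self, secret, clock=None):
        self.secret = secret
        # Default clock: 4 us ticks since the epoch; tests inject a fixed one.
        self.clock = clock or (lambda: int(time.time() * 250_000) & MASK32)

    def _f(self, src_ip, src_port, dst_ip, dst_port):
        ident = f"{src_ip}:{src_port}->{dst_ip}:{dst_port}".encode()
        digest = hmac.new(self.secret, ident, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def next_isn(self, src_ip, src_port, dst_ip, dst_port):
        return (self.clock() + self._f(src_ip, src_port, dst_ip, dst_port)) & MASK32


def observe_isns(generator, connections):
    """ISNs a probe would see when opening each connection in turn."""
    return [generator.next_isn(*conn) for conn in connections]


def isn_deltas(isns):
    """Differences between consecutive ISNs, modulo 2**32."""
    return [(b - a) & MASK32 for a, b in zip(isns, isns[1:])]


def looks_sequential(isns):
    """Crude predictability test: a constant step between probes means the
    next ISN is trivially predictable (nmap's 'trivial joke' class)."""
    deltas = isn_deltas(isns)
    return len(deltas) > 0 and len(set(deltas)) == 1


# Constructed probe connections, like nmap's -sT connects to a few ports.
PROBES = [
    ("192.0.2.10", 40001, "192.0.2.1", 22),
    ("192.0.2.10", 40002, "192.0.2.1", 23),
    ("192.0.2.10", 40003, "192.0.2.1", 443),
    ("192.0.2.10", 40004, "192.0.2.1", 22),
]

if __name__ == "__main__":
    weak = observe_isns(SequentialISN(), PROBES)
    strong = observe_isns(RFC1948ISN(b"constructed-boot-time-secret"), PROBES)
    print("sequential:", weak, "predictable:", looks_sequential(weak))
    print("rfc1948:   ", strong, "predictable:", looks_sequential(strong))
```

The second generator still hands a given 4-tuple strictly increasing ISNs as the clock advances, which is the property RFC 1948 preserves so that old segments from a previous incarnation of the same connection cannot be confused with new ones.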
Re: [c-nsp] ACL making me insane
What platform is this on again? If you want to use a Cisco IOS router as a firewall, why don't you use the firewall features and configure CBAC?

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Blayzor
Sent: Wednesday, June 04, 2008 8:35 AM
To: Ziv Leyes
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ACL making me insane

On Jun 4, 2008, at 7:25 AM, Ziv Leyes wrote:
> There's no way to use established for UDP though, so I can share what works for me. I call them operational rules because they suit everything I need to allow that is host initiated/related for its own functionality; of course you could add some more rules to permit other tcp/udp ports to reach the desired host/net.

Of course not.. ACLs are very basic and are not stateful in any way. So if you're trying to use it in that way, it's very difficult and you end up with a lot of loose rules. Of course for DNS you could just allow responses from the DNS server from UDP port 53 to any port > 1023, but it's loose. If you have a recursive DNS server inside of that ACL, then you're going to have to allow from ALL IPs from UDP port 53.

Keep your ACLs basic and to the point; trying to make them overly complicated to replace a stateful firewall kind of defeats the purpose and ends up being more trouble than it's worth. (IMHO)

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]
http://www.inoc.net/~rblayzor/
Re: [c-nsp] Solution to %SPANTREE-2-RECV_PVID_ERR, except disable spanning tree?
The provider may not support PVST+ or Rapid PVST+.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, June 04, 2008 9:38 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Solution to %SPANTREE-2-RECV_PVID_ERR, except disable spanning tree?

We had a similar problem a time ago. We did some tests with a cisco es20 linecard and eompls services. This card has a feature called vlan-translation where you can translate one vlan to another. So we had a setup like this:

    |-----|             |-------|             |-----|
    |2960 |--Vlan 2412--|Eompls |--Vlan 2413--|2960 |
    |-----|             |-------|             |-----|

The problem is that the PVSTP couples the vlan id with the bridge priority. This means if you leave your bridge priority at the default, the bridge priority of vlan 2412 is 32768 + 2412 = 35180. Hence the bridge priority of vlan 2413 is 35181. You can verify this with the command sh spanning-tree. Both the bridge priority and the vlan id are integrated in the bpdu of the pvstp algorithm. If the left-hand switch sends a bpdu to the eompls core, the vlan id 2412 will be translated to 2413, but the bridge priority remains. Because the bridge priority and the vlan id are coupled by a simple addition, the right-hand switch (2960) detects that something changed the vlan id. The switch will then block the vlan and it appears with the message you got:

%SPANTREE-2-BLOCK_PVID_LOCAL: Blocking GigabitEthernet1/0/25 on VLAN2413. Inconsistent local vlan

So, I would say it is the fault of your service provider rather than yours.

Regards,
Benjamin Conconi

> On Mon, Jun 02, 2008 at 09:34:10PM -0600, Clinton Work wrote:
> > I think that you need to speak with your service provider. Based upon the error message it looks like vlan 2412 at site #1 is connected to vlan 2413 at site #2. There was a post six to 12 months ago on the same topic and it was a service provider issue.
>
> I don't think the provider has got a bad configuration, partly because we have spoken with them about this several times and partly because of what I didn't include below, that we have the same problem for every vlan they gave us (30 in all, 6 each to 5 locations). As long as we only use one vlan to each location, everything works. When we add another vlan to one of the locations, all 6 vlans to that location go into blocking mode because of the errors below. It could possibly be a systematic error somewhere.
>
> > STP to L2 FTTx gear:
> > http://puck.nether.net/pipermail/cisco-nsp/2008-January/046310.html
> > Great thread on the subject.
>
> I hadn't seen that, I will read it and check for ideas. Many thanks!
>
> Peter Olsson
>
> > Clinton.
> >
> > Peter Olsson wrote:
> > > Two offices have a cisco 3750 each. They connect via a bridged fastethernet service, on non-cisco equipment, which offers six vlans on the line. When the 3750 only allows one vlan on the switch port toward the line, everything works fine. When we try to add another allowed vlan, we get this error and both vlans block:
> > >
> > > %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 2412 on GigabitEthernet1/0/25 VLAN2413.
> > > %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking GigabitEthernet1/0/25 on VLAN2413. Inconsistent local vlan.
> > > %SPANTREE-2-BLOCK_PVID_PEER: Blocking GigabitEthernet1/0/25 on VLAN2412. Inconsistent peer vlan.
> >
> > --
> > ===
> > Clinton Work
> > Airdrie, AB
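Benjamin's explanation (bridge priority = base + VLAN id, and the VLAN carried inside the PVST+ BPDU surviving the provider's tag translation) can be checked with a small model. This is an added illustration, not code from the thread or from IOS: the BPDU layout is a constructed, simplified one (bridge priority, bridge MAC, PVID TLV), not the real PVST+ frame, and the interface name is taken from the thread's log lines.

```python
"""Model of the PVST+ receive check behind %SPANTREE-2-RECV_PVID_ERR, showing
why a provider that rewrites the 802.1Q tag in transit trips it.

Added illustration, not code from the thread or from IOS. The BPDU layout is
a simplified constructed one, not the real PVST+ frame format.
"""
import struct

DEFAULT_BRIDGE_PRIORITY = 32768  # IOS default, must be a multiple of 4096


def bridge_priority(vlan, base=DEFAULT_BRIDGE_PRIORITY):
    """Priority with extended system ID: the VLAN number is added to the
    configurable 4096-step base, so VLAN 2412 yields 32768 + 2412 = 35180."""
    if base % 4096 or not 0 <= base <= 61440:
        raise ValueError("priority base must be a multiple of 4096 up to 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("invalid VLAN id")
    return base + vlan


def build_pvst_bpdu(vlan, base=DEFAULT_BRIDGE_PRIORITY,
                    bridge_mac=b"\x00\x1b\x0c\x00\x00\x01"):
    """Constructed BPDU: 2-byte bridge priority, 6-byte bridge MAC, then the
    originating VLAN as a TLV (type 0, length 2, value). Both the priority
    field and the TLV encode the VLAN, and neither is touched by retagging."""
    return struct.pack("!H6sHHH", bridge_priority(vlan, base), bridge_mac, 0, 2, vlan)


def parse_pvst_bpdu(data):
    prio, mac, tlv_type, tlv_len, pvid = struct.unpack("!H6sHHH", data[:14])
    if tlv_type != 0 or tlv_len != 2:
        raise ValueError("missing PVID TLV")
    return {"priority": prio, "sys_id_ext": prio & 0x0FFF,
            "bridge_mac": mac, "pvid": pvid}


def provider_translate(tag_vlan, translation):
    """What an EoMPLS vlan-translation does: rewrite the 802.1Q tag only.
    The BPDU payload passes through untouched."""
    return translation.get(tag_vlan, tag_vlan)


def receive_bpdu(port, tag_vlan, data):
    """Receiver-side consistency check: the VLAN the BPDU arrived on must
    match the VLAN encoded inside it. Returns (consistent, syslog lines)."""
    bpdu = parse_pvst_bpdu(data)
    peer_vlan = bpdu["pvid"]
    if peer_vlan == tag_vlan and bpdu["sys_id_ext"] == tag_vlan:
        return True, []
    lines = [
        f"%SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id "
        f"{peer_vlan} on {port} VLAN{tag_vlan}.",
        f"%SPANTREE-2-BLOCK_PVID_LOCAL: Blocking {port} on VLAN{tag_vlan}. "
        f"Inconsistent local vlan.",
        f"%SPANTREE-2-BLOCK_PVID_PEER: Blocking {port} on VLAN{peer_vlan}. "
        f"Inconsistent peer vlan.",
    ]
    return False, lines


def simulate(sent_vlan, translation, port="GigabitEthernet1/0/25"):
    """Left switch sends a BPDU on sent_vlan; the provider may retag it;
    the right switch checks what arrives on its trunk port."""
    frame = build_pvst_bpdu(sent_vlan)
    arriving_vlan = provider_translate(sent_vlan, translation)
    return receive_bpdu(port, arriving_vlan, frame)


if __name__ == "__main__":
    ok, logs = simulate(2412, {2412: 2413})
    print("translated path consistent:", ok)
    for line in logs:
        print(line)
    print("untranslated path consistent:", simulate(2412, {})[0])
```

With the translation in place the model reproduces the thread's three log lines; with the same VLAN id at both ends the BPDU passes, which is the outcome the provider side has to deliver.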
Re: [c-nsp] WS-X6608-T1 for data?
You're thinking of the CMM, not the 6608. It is not supported in Native IOS. It must run on a box running Hybrid - CatOS on the SP and IOS on the RP.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Moya
Sent: Wednesday, June 04, 2008 5:56 PM
To: Asbjorn Hojmark - Lists
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] WS-X6608-T1 for data?

It is supported on ios and it runs ios code

Sent from my iPhone

On Jun 4, 2008, at 4:02 PM, Asbjorn Hojmark - Lists [EMAIL PROTECTED] wrote:
> > My question is basically, can the WS-X6608-T1 support traditional data T1's?
>
> No. It's a dedicated voice gateway for Call Manager.
>
> > Does it require a specific IOS version (such as a voice image) to come online?
>
> It isn't supported in IOS, only CatOS.
>
> -A
Re: [c-nsp] asa ipsec problem
You misunderstood that part of IPsec. The phase 1 ISAKMP policy does not have to match anything in the phase 2 policy (transform set in Cisco terminology). They are completely different.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Rathlev
Sent: Tuesday, June 03, 2008 2:37 PM
To: Sergey Alexanov
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] asa ipsec problem

On Tue, 2008-06-03 at 20:55 +0300, Sergey Alexanov wrote:
> 2008/6/3 Peter Rathlev [EMAIL PROTECTED]:
> > The only thing I can think of would be that your ISAKMP policies don't match your transform sets. I don't know why it would work one way though.
>
> ASA# sh run ipsec | i transform-set
> crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
>
> ISR# sh cry ipsec transform-set
> Transform set ESP-AES-MD5: { esp-aes esp-md5-hmac }
>    will negotiate = { Tunnel, },
>
> Transform sets match on both sides

Yes, but your ISAKMP policies don't match your transform sets. You seem to only define e.g. policy 1 with 3DES-MD5, but not a policy allowing AES-MD5 which you use. I may have misunderstood that part of ISAKMP, but shouldn't your transform set be allowed in an ISAKMP policy for Phase 1 to complete?

> > Are you using dynamic maps for a specific reason?
>
> no
>
> > You seem to specify all the required parameters for a static map.
>
> But I can't define the type of a static map without reference to a dynamic map:
>
> # cry map TEST 1 ipsec-isakmp ?
>
> configure mode commands/options:
>   dynamic  Entry is a dynamic map

I can do it without problems on an ASA 5550 7.2(2):

ASA/act(config)# crypto map TEST 1 ipsec-isakmp ?

configure mode commands/options:
  dynamic  Entry is a dynamic map
  <cr>
ASA/act(config)# crypto map TEST 1 ipsec-isakmp
ASA/act(config)#

Regards,
Peter
Re: [c-nsp] Bridging Ethernet VLANs over T1
I haven't used it either, but vlan-bridge is designed to bridge non-IP traffic between VLANs on Catalyst switches. Theoretically, you are supposed to be able to bridge all VLANs together for non-IP traffic. For example, say you have a legacy network with Appletalk or IPX on it that you are upgrading to Cisco Catalyst hardware. You don't have Enterprise software for edge switches, say 3750 stacks, but yet want/need to do Layer-3 to the edge and still support IPX. You can use vlan-bridge to bridge together all the VLANs for non-IP traffic. At least that is my understanding. I've never met anyone that actually implemented it.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: Ziv Leyes [mailto:[EMAIL PROTECTED]
Sent: Monday, June 02, 2008 3:30 AM
To: Fred Reimer; Joe Freeman
Cc: cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] Bridging Ethernet VLANs over T1

What about using

bridge 1 protocol vlan-bridge

Just a wild guess, never used it...
Ziv

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp-[EMAIL PROTECTED] On Behalf Of Fred Reimer
Sent: Friday, May 30, 2008 9:27 PM
To: Joe Freeman
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Bridging Ethernet VLANs over T1

If it were me I'd use L2TPv3 xconnects.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

From: Joe Freeman [mailto:[EMAIL PROTECTED]
Sent: Friday, May 30, 2008 2:24 PM
To: Fred Reimer
Cc: [EMAIL PROTECTED]; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Bridging Ethernet VLANs over T1

If it were me, I'd look at using frame encaps on the T1, then use a separate dlci for each vlan.

On Fri, May 30, 2008 at 12:45 PM, Fred Reimer [EMAIL PROTECTED] wrote:
> By using the same bridge group number for both VLANs would you not be merging the two VLANs into one bridge group? That's not what you want, is it?
>
> You may want to use a separate bridge group number for the two VLANs, like the example in the document you quoted.
>
> bridge 1 protocol ieee
> bridge 2 protocol ieee
> !
> interface ethernet 0
>  vlan-range dot1q 1 600
>   bridge-group 1
>  vlan-range dot1q 800 4000
>   bridge-group 2
> !
> interface serial 0
>  encapsulation ppp
>  bridge-group 1
> !
> interface serial 1
>  encapsulation ppp
>  bridge-group 2
>
> Two bridge groups, two serial interfaces, for two separate VLANs.
>
> Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
> Senior Network Engineer
> Coleman Technologies, Inc.
> 954-298-1697
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:cisco-nsp-[EMAIL PROTECTED] On Behalf Of Gary T. Giesen
> Sent: Friday, May 30, 2008 12:11 PM
> To: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] Bridging Ethernet VLANs over T1
>
> Jay,
>
> Thanks for the reply. Unfortunately that doesn't seem to work, I assume because there's no way to specify which VLAN that IP actually resides on. Normally bridge-groups/BVIs are only used to bridge one VLAN, but in this case it's bridging multiple VLANs.
>
> GG
>
> On Fri, May 30, 2008 at 12:05 PM, Jay Hennigan [EMAIL PROTECTED] wrote:
> > Gary T. Giesen wrote:
> > > Hi all,
> > >
> > > I have an application that requires us to bridge Ethernet VLANs over a T1. I've previously done this using Nortel/Tasman boxes, and have got it working with a Cisco 1841 w/T1 WIC (per http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_bcp.html), but I'm having one issue. The Tasman/Nortel boxes allow me to inject an IP address into one of the VLANs for management purposes, whereas I can't for the life of me figure out how to do it in Cisco-land.
> > >
> > > Cisco config snippet:
> > >
> > > bridge 1 protocol ieee
> > >
> > > interface FastEthernet0/0
> > >  no ip address
> > >  duplex auto
> > >  speed auto
> > >  vlan-id dot1q 10
> > >   description Data VLAN
> > >   bridge-group 1
> > >   exit-vlan-config
> > >  !
> > >  vlan-id dot1q 20
> > >   description Management VLAN
> > >   bridge-group 1
> > >   exit-vlan-config
> > >  !
> > > !
> > > interface Serial0/1/0
> > >  no ip address
> > >  encapsulation ppp
> > >  service-module t1 clock source internal
> > >  bridge-group 1
> >
> > bridge irb
> > bridge 1 proto ieee
> > bridge 1 route ip
> > int bvi1
> >  ip address 10.10.10.11 255.255.255.0
> >
> > --
> > Jay Hennigan - CCIE #7880 - Network Engineering - [EMAIL PROTECTED]
> > Impulse Internet Service  -  http://www.impulse.net/
> > Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] 6500 diagnosing performance problems
You need to understand the architecture of the 6500 platform in order to begin troubleshooting this on your own. I would suggest you create a TAC case and have them assist - that is what they are there for and what you pay maintenance fees for. If you don't want to, or can't because you don't have a contract, then you can start by looking at the following:

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd80673385.html

I found this by typing in 6500 architecture on the Cisco.com web site front page. It was the first result, go figure.

HTH,

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp-[EMAIL PROTECTED] On Behalf Of Jimmy Stewpot
Sent: Wednesday, May 28, 2008 2:34 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] 6500 diagnosing performance problems

Hello,

I am interested to know if anyone has any good resources or references that I can read in regards to diagnosing performance problems on the 6500 or any cisco switching platform. The reason I ask this is that we are currently experiencing performance problems with customers connected to the same blade communicating on that blade. If we move the servers onto other blades on the same switch we continue to see performance problems. I would like to know how I can go about learning to fix this type of problem. Any additional info would be greatly appreciated.

Regards,

Jimmy
Re: [c-nsp] FWSM vlans down after host SSO
I had a similar problem at a customer running 12.2(18)SXF? Modular code. I would stay away from modular code for another few years. The bug was a memory leak, which was supposedly fixed, only to discover other bugs. The eventual fix was to downgrade to non-modular code.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp-[EMAIL PROTECTED]] On Behalf Of Bernhard Schmidt
Sent: Saturday, May 24, 2008 10:41 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] FWSM vlans down after host SSO

Hello everyone,

we are having a pretty serious problem with one of our boxes.

6509
2* WS-SUP720-BASE + WS-F6K-PFC3B running 12.2(33)SXH1 modular
1* WS-X6704-10GE
2* WS-X6724-SFP
2* WS-X6408A-GBIC
1* WS-SVC-NAM-2
1* WS-SVC-FWM-1 running 3.1(4)

The FWSM has 10 contexts in routing mode and 4 contexts in transparent mode. One of the routed contexts has IPv6 enabled.

Every few days the 6500 does a SSO failover without much explanation. Console output of the formerly active Sup just starts with the System Bootstrap again, there is nothing really useful in the remote syslog, other than a lot of UPDOWN messages; the first message is

May 24 13:37:04 CEST: %OIR-SP-3-PWRCYCLE: Card in module 5, is being power-cycled (RF request)

(module 5 was the active Sup before, so it doesn't match CSCsh34467 which should be resolved in SXH1 anyway).

This is all very inconvenient, but SSO is fast enough for this network and everything comes back as it should. Except for the FWSM, while the failover happens every transport VLAN (between the hosting 6500 and the FWSM) goes to up/down state and stays there. Interestingly the traffic does not stop immediately, while the failover and the final

%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan3500, changed state to down

was at 13:37, the system monitoring the IPv6 customer did not see outages before 14:20.

The only thing that seems to help in this mess is to reboot the FWSM. Reload on the FWSM console does not work by the way (it seems to hang), I had to use hw-module module 9 reset every time this happened so far.

Anyone having any ideas? I can get to the test kit in the lab on Monday earliest unfortunately.

Bernhard
Re: [c-nsp] AAA
You can do accounting without authentication/authorization. I've used a separate AAA accounting server on an ASA to send accounting updates to a Cisco NAC Appliance (CAS) for VPN SSO, while doing authentication to a Cisco ACS (RADIUS) for authentication and authorization (downloadable ACLs).

HTH,

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp-[EMAIL PROTECTED]] On Behalf Of Manu Chao
Sent: Saturday, May 24, 2008 1:51 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] AAA

Does Radius Accounting require Radius Authentication? Or is it possible to enable Radius accounting only without authentication?
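As an added illustration of why accounting stands on its own (this is example code, not anything from the list post or from Cisco): a RADIUS Accounting-Request per RFC 2866 is bound to the NAS only by the shared secret folded into its Request Authenticator. A NAS can therefore send Start/Stop records to one accounting server while a different server handles Access-Request, which is the split described above. The secret, user name, session id and NAS address below are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4      # RADIUS Code for Accounting-Request (RFC 2866)
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_ACCT_STATUS_TYPE = 40  # value 1 = Start, 2 = Stop
ATTR_ACCT_SESSION_ID = 44


def _attr(attr_type, value):
    """Encode one attribute as Type (1 octet), Length (1 octet, counting
    the two header octets), Value."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_request(identifier, secret, username, session_id,
                             nas_ip, status_type=1):
    """Build an Accounting-Request. Nothing here depends on a prior
    Access-Request; the shared secret alone authenticates the record."""
    attrs = (_attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", status_type))
             + _attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_ACCT_SESSION_ID, session_id.encode())
             + _attr(ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    # RFC 2866 section 3: Request Authenticator = MD5(Code + Identifier +
    # Length + 16 zero octets + request attributes + shared secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_accounting_request(packet, secret):
    """Server-side check: recompute the authenticator with our copy of the
    secret. False on a wrong secret, a modified attribute or a bad length."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def parse_attributes(packet):
    """Return {type: value}; rejects attribute lengths that run past the packet."""
    attrs = {}
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("attribute length out of range")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


if __name__ == "__main__":
    # Constructed sample: an accounting Start for user "alice" from NAS 10.0.0.1
    pkt = build_accounting_request(7, b"s3cret", "alice", "00000001", "10.0.0.1")
    print(len(pkt), verify_accounting_request(pkt, b"s3cret"), parse_attributes(pkt))
```

The verifier only tells the accounting server that the record came from a NAS holding the same secret and was not altered in transit; it says nothing about whether the named user was ever authenticated, which is exactly why the two functions can be pointed at different servers.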
Re: [c-nsp] Discussion list for RADIUS?
Why don't you just ask your question, and if anyone can help you or point you in the right direction we will? I know you said it is not a Cisco product question, but there have been enough emails already that initially asking the question, but asking for direct replies instead of to the list because it wasn't a Cisco question, would probably have been more efficient.

Thanks,

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp-[EMAIL PROTECTED]] On Behalf Of Tuc at T-B-O-H.NET
Sent: Friday, May 23, 2008 6:47 PM
To: Joe Maimon
Cc: [EMAIL PROTECTED]; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Discussion list for RADIUS?

> Tuc at T-B-O-H.NET wrote:
> > Hi,
> >
> > Does anyone know of a good discussion list for the RADIUS protocol?
>
> You could try the freeradius list.
>
> You could also try the freeradius server.

Been there, done that, told to RTFRFCs, it's not about FreeRadius but the protocol, go elsewhere, thank you, goodbye. Hence my search elsewhere..

Thanks, Tuc
Re: [c-nsp] LWAPP Problems
Your configuration is wrong then. The DHCP option should point to the management interface. The AP should do a LWAPP Discover and the management interface should return a list of IP addresses that the AP can connect to (ap-manager address(es)), along with the relative load on each interface (max AP's and total AP's). See section 5.2.4 and 5.2.5 of the draft:

5.2.4. WTP Manager Control IPv4 Address

   The WTP Manager Control IPv4 Address message element is sent by the AC to the WTP during the discovery process and is used by the AC to provide the interfaces available on the AC, and their current load. This message element is useful for the WTP to perform load balancing across multiple interfaces.

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                          IP Address                           |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |           WTP Count           |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type: 99 for WTP Manager Control IPv4 Address

   Length: 6

5.2.5. WTP Manager Control IPv6 Address

   The WTP Manager Control IPv6 Address message element is sent by the AC to the WTP during the discovery process and is used by the AC to provide the interfaces available on the AC, and their current load. This message element is useful for the WTP to perform load balancing across multiple interfaces.

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                          IP Address                           |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                          IP Address                           |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                          IP Address                           |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                          IP Address                           |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |           WTP Count           |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type: 137 for WTP Manager Control IPv6 Address

   Length: 6

   IP Address: The IP Address of an interface.

   WTP Count: The number of WTPs currently connected to the interface.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp-[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, May 22, 2008 9:28 AM
To: Rupert Finnigan; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] LWAPP Problems

I have always used the ap-manager interface in my DHCP option 43 configuration. My understanding is that the Management interface is used for controller to controller traffic to terminate EOIP tunnels.

I would call your configuration correct now :)

--
Regards,
Jason Plank
CCIE #16560
e: [EMAIL PROTECTED]

-------------- Original message --------------
From: Rupert Finnigan [EMAIL PROTECTED]

Hi,

Thanks to all who offered advice - It was the IP address in the end. I'd setup DHCP Option 43 to the ap-manager interface address, and not the management one. Now that's corrected all is fine.

I'm still confused as to how this particular network has worked in the past though!

Thanks again,

Rupert
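To make the load-balancing step concrete, here is an added example (not from the post or the draft) that parses the two manager elements quoted above out of a discovery response and picks the least-loaded AC interface, which is the decision the draft says the WTP makes. Assumptions: each element is carried with a CAPWAP-style header of a 16-bit Type followed by a 16-bit Length (the draft excerpt does not show the header); the IPv6 element is parsed as 16 address octets plus a 2-octet count, as the diagram draws it, even though the excerpt's "Length: 6" line says otherwise. The addresses and counts in the sample response are constructed.

```python
import ipaddress
import struct

TYPE_WTP_MGR_CTRL_IPV4 = 99   # type values as given in the draft excerpt
TYPE_WTP_MGR_CTRL_IPV6 = 137


def parse_message_elements(data):
    """Split a run of message elements into (type, value) pairs.
    Assumed element header: 16-bit Type, 16-bit Length, network order."""
    elements = []
    pos = 0
    while pos < len(data):
        if pos + 4 > len(data):
            raise ValueError("truncated element header")
        etype, elen = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + elen]
        if len(value) != elen:
            raise ValueError("element length runs past the buffer")
        elements.append((etype, value))
        pos += 4 + elen
    return elements


def parse_manager_addresses(data):
    """Return [(address, wtp_count)] for every manager element in the
    discovery response; elements of other types are skipped."""
    managers = []
    for etype, value in parse_message_elements(data):
        if etype == TYPE_WTP_MGR_CTRL_IPV4:
            if len(value) != 6:        # 4-octet address + 2-octet count
                raise ValueError("IPv4 manager element must be 6 octets")
            address = ipaddress.IPv4Address(value[:4])
        elif etype == TYPE_WTP_MGR_CTRL_IPV6:
            if len(value) != 18:       # 16-octet address + 2-octet count, as drawn
                raise ValueError("IPv6 manager element must be 18 octets")
            address = ipaddress.IPv6Address(value[:16])
        else:
            continue
        (count,) = struct.unpack("!H", value[-2:])
        managers.append((address, count))
    return managers


def choose_manager(managers):
    """Pick the interface with the fewest WTPs; ties are broken by address
    family and numeric address so the choice is deterministic."""
    if not managers:
        return None
    best = min(managers, key=lambda m: (m[1], m[0].version, int(m[0])))
    return best[0]


def build_manager_element(etype, address, count):
    """Encode one manager element (used only to build the sample below)."""
    value = ipaddress.ip_address(address).packed + struct.pack("!H", count)
    return struct.pack("!HH", etype, len(value)) + value


# Constructed sample discovery response: three ap-manager interfaces
SAMPLE_RESPONSE = (
    build_manager_element(TYPE_WTP_MGR_CTRL_IPV4, "192.0.2.10", 12)
    + build_manager_element(TYPE_WTP_MGR_CTRL_IPV4, "192.0.2.11", 3)
    + build_manager_element(TYPE_WTP_MGR_CTRL_IPV6, "2001:db8::10", 7)
)

if __name__ == "__main__":
    managers = parse_manager_addresses(SAMPLE_RESPONSE)
    print(managers, "->", choose_manager(managers))
```

The length checks matter: a discovery response is unauthenticated UDP from whatever answers on the controller address, so an AP-side parser should reject elements whose stated length runs past the datagram rather than reading whatever follows.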
Re: [c-nsp] Need help with L2TPv3
Yes, with 3845's, post your test config.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp-[EMAIL PROTECTED]] On Behalf Of Steven Pfister
Sent: Thursday, May 22, 2008 12:11 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Need help with L2TPv3

I'm trying to get L2TPv3 figured out to help with a project. I've got a test network consisting of 2 3640s (which is what is going to be used as the endpoints of the tunnels in the production network) connected by a crossover cable. Even using sample configs from the cisco site, I can't seem to keep the tunnel from going down after about a minute. I think it may be an authentication problem. Does anyone have a working L2TPv3 tunnel between two 3640s?

Thank you!

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email [EMAIL PROTECTED]
Re: [c-nsp] LWAPP Problems
When an AP initially connects to a controller it will save the list of controllers in the same mobility group to NVRAM, and attempt to connect to those controllers (management addresses) upon reboot. It is likely a caveat in the code running on the controller/AP, or a result of a proper management address being stored in the AP and the AP using that rather than what is being passed in DHCP.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp-[EMAIL PROTECTED]] On Behalf Of Higham, Josh
Sent: Thursday, May 22, 2008 12:45 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] LWAPP Problems

If an access point has connected to a controller, I believe that it attempts to connect to that controller as part of the discovery process. It is another of those 'invisible' configuration errors, that only raises its head months or years after the fact.

You could test with a new access point, or change your management IP address and bounce an AP. You can also watch LWAPP debug on the console while power cycling the access point, and/or span the port and verify.

Thanks,
Josh

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, May 22, 2008 7:37 AM
To: Fred Reimer; Rupert Finnigan; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] LWAPP Problems

Interesting. Why does it work?

--
Regards,
Jason Plank
CCIE #16560
e: [EMAIL PROTECTED]

-------------- Original message --------------
From: Fred Reimer [EMAIL PROTECTED]
Re: [c-nsp] Need help with L2TPv3
It's laziness because a reply to all sends traffic to both...

Your loopback addresses are in the same subnet, which is not a valid configuration. As someone else mentioned, you'll need a route to the loopback address of the other end, either via a dynamic routing protocol or static routes.

HTH,

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp-[EMAIL PROTECTED]] On Behalf Of Steven Pfister
Sent: Thursday, May 22, 2008 1:37 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Need help with L2TPv3

The configs are below. By the way... whenever I post to this list, I get replies both to me and to the list (so I get two copies). Is this intentional? Just curious...

Thanks!
--Steve

-- router 1 --

Current configuration : 1374 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SanFran
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
memory-size iomem 15
ip subnet-zero
!
ip cef
no ip dhcp use vrf connected
!
l2tp-class l2-dyn
 password 7 15025C0600722C21
 cookie size 8
!
pseudowire-class pw-dynamic
 encapsulation l2tpv3
 protocol l2tpv3 l2-dyn
 ip local interface Loopback0
!
interface Loopback0
 ip address 10.1.1.102 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/0.200
 encapsulation dot1Q 200
 no snmp trap link-status
 no cdp enable
 xconnect 10.1.1.103 33 pw-class pw-dynamic
!
interface FastEthernet0/0.201
 encapsulation dot1Q 201
 no snmp trap link-status
 no cdp enable
!
interface ATM2/0
 no ip address
 shutdown
 no atm ilmi-keepalive
 no scrambling-payload
!
interface ATM2/1
 no ip address
 shutdown
 no atm ilmi-keepalive
 no scrambling-payload
!
interface ATM2/2
 no ip address
 shutdown
 no atm ilmi-keepalive
 no scrambling-payload
!
interface ATM2/3
 no ip address
 shutdown
 no atm ilmi-keepalive
 no scrambling-payload
!
ip http server
!
ip classless
!
no cdp run
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login
!
end

-- router 2 --

Current configuration : 901 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname NewYork
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
memory-size iomem 15
ip subnet-zero
!
ip cef
no ip dhcp use vrf connected
!
l2tp-class l2-dyn
 hostname NewYork
 password 7 0616582B48160E1C
 cookie size 8
!
pseudowire-class pw-dynamic
 encapsulation l2tpv3
 protocol l2tpv3 l2-dyn
 ip local interface Loopback0
!
interface Loopback0
 ip address 10.1.1.103 255.255.255.0
!
interface FastEthernet1/0
 no ip address
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet1/0.201
 encapsulation dot1Q 201
 no cdp enable
 xconnect 10.1.1.102 34 pw-class pw-dynamic
!
ip http server
!
ip classless
!
no cdp run
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
end

>>> Fred Reimer [EMAIL PROTECTED] 5/22/2008 12:21 PM >>>
Yes, with 3845's, post your test config.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp-[EMAIL PROTECTED]] On Behalf Of Steven Pfister
Sent: Thursday, May 22, 2008 12:11 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Need help with L2TPv3

I'm trying to get L2TPv3 figured out to help with a project. I've got a test network consisting of 2 3640s (which is what is going to be used as the endpoints of the tunnels in the production network) connected by a crossover cable. Even using sample configs from the cisco site, I can't seem to keep the tunnel from going down after about a minute. I think it may be an authentication problem. Does anyone have a working L2TPv3 tunnel between two 3640s?

Thank you!

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email [EMAIL PROTECTED]

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton
Re: [c-nsp] Need help with L2TPv3
It may not bring up the link without a reason to; you might need to generate some traffic and have both Ethernet ports plugged in...

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp-[EMAIL PROTECTED]] On Behalf Of Steven Pfister
Sent: Thursday, May 22, 2008 3:11 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Need help with L2TPv3

Thanks to all that responded. I've made changes to the config and I can ping the other router's ethernet and loopback addresses. The tunnel doesn't show up at all now, though. Do I need to have something plugged into the ethernet ports with the xconnect statements?

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email [EMAIL PROTECTED]

>>> Joe Freeman [EMAIL PROTECTED] 5/22/2008 2:16 PM >>>
It looks like you're trying to do an 'ip unnumbered' config on those ethernet ports. IP unnumbered only works on p2p interfaces. You need to have the interfaces between the two routers numbered and static routes, or a routing protocol in place to ensure reachability between them. Also, I'd change the loopback addresses to /32 masks.

With the configuration you have, I'd also make sure the connection between the routers is on a different port than the vlans you are trying to xconnect at layer 2.

Joe

On Thu, May 22, 2008 at 1:10 PM, Steven Pfister [EMAIL PROTECTED] wrote:

> No I can't ping the loopbacks. That's been bothering me. I've added 10.2.2.x addresses to the FastEthernet ports (which I thought I had problems with earlier) and I can ping those from the other router. And I've added static routes for the 10.1.1.x network pointing at the FastEthernet interfaces. Still can't ping the loopback addresses. I thought it was strange, but that's what the sample configs had.
>
> Yes, the xconnect statements are on the same interfaces the crossover is connected to. I can try adding ethernet ports to each side and see what happens.
>
> Steve Pfister
> Technical Coordinator, The Office of Information Technology
> Dayton Public Schools
> 115 S. Ludlow St.
> Dayton, OH 45402
> Office (937) 542-3149
> Cell (937) 673-6779
> Direct Connect: 137*131747*8
> Email [EMAIL PROTECTED]
>
> >>> Joe Freeman [EMAIL PROTECTED] 5/22/2008 2:03 PM >>>
> Can you ping the loopbacks from the opposite router? There's nothing in either config that indicates how traffic flows from one router to the other. You said you're using an ethernet x-over to connect them, but surely it's not on the ports on which you've setup xconn statements. Each router must be able to see the other's loop0 ip address for this to work.
>
> Joe
>
> On Thu, May 22, 2008 at 12:37 PM, Steven Pfister [EMAIL PROTECTED] wrote:
>
> > The configs are below. By the way... whenever I post to this list, I get replies both to me and to the list (so I get two copies). Is this intentional? Just curious...
> >
> > Thanks!
> > --Steve
> >
> > -- router 1 --
> >
> > Current configuration : 1374 bytes
> > !
> > version 12.3
> > service timestamps debug datetime msec
> > service timestamps log datetime msec
> > no service password-encryption
> > !
> > hostname SanFran
> > !
> > boot-start-marker
> > boot-end-marker
> > !
> > no aaa new-model
> > !
> > resource policy
> > !
> > memory-size iomem 15
> > ip subnet-zero
> > !
> > ip cef
> > no ip dhcp use vrf connected
> > !
> > l2tp-class l2-dyn
> >  password 7 15025C0600722C21
> >  cookie size 8
> > !
> > pseudowire-class pw-dynamic
> >  encapsulation l2tpv3
> >  protocol l2tpv3 l2-dyn
> >  ip local interface Loopback0
> > !
> > interface Loopback0
> >  ip address 10.1.1.102 255.255.255.0
> > !
> > interface FastEthernet0/0
> >  no ip address
> >  duplex auto
> >  speed auto
> >  no cdp enable
> > !
> > interface FastEthernet0/0.200
> >  encapsulation dot1Q 200
> >  no snmp trap link-status
> >  no cdp enable
> >  xconnect 10.1.1.103 33 pw-class pw-dynamic
> > !
> > interface FastEthernet0/0.201
> >  encapsulation dot1Q 201
> >  no snmp trap link-status
> >  no cdp enable
> > !
> > interface ATM2/0
> >  no ip address
> >  shutdown
> >  no atm ilmi-keepalive
> >  no scrambling-payload
> > !
> > interface ATM2/1
> >  no ip address
> >  shutdown
> >  no atm ilmi-keepalive
> >  no scrambling-payload
> > !
> > interface ATM2/2
> >  no ip address
> >  shutdown
> >  no atm ilmi-keepalive
> >  no scrambling-payload
> > !
> > interface ATM2/3
> >  no ip address
> >  shutdown
> >  no atm ilmi-keepalive
> >  no scrambling-payload
> > !
> > ip http server
> > !
> > ip classless
> > !
> > no cdp run
> > !
> > control-plane
> > !
> > line con 0
> > line aux 0
> > line
Re: [c-nsp] 6509 power supply question
con.clu.sive (kn-klsv) adj. Serving to put an end to doubt, question, or uncertainty; decisive.

I don't think you will ever know conclusively. The best bet is to create a TAC case and have them put a 1300W and 1800W power supply in a 6509 chassis loaded with the same cards that you have. Good luck with getting that done before your replacement arrives (it isn't there yet?)

I'd concur with the rest of the engineers that say it should not be a problem, FWIW. At least you don't have one of those funky power cords that were wired wrong and when plugged in would energize the whole chassis. That must have been a shocking discovery!

HTH,

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp-[EMAIL PROTECTED]] On Behalf Of Jarrod Friedland
Sent: Thursday, May 22, 2008 9:52 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] 6509 power supply question

Hi All

We have a 6509 with 2 x 1300W power supplies? rephrase we had :) - anyway, one of the power supplies has died, we are sourcing a replacement however, in the meantime I have another 6509 sitting next to me however it has 1800W power supplies.

The question: Can I run a 6509 with 1 x 1300W and 1 x 1800W (redundant)? Are there issues with doing this we should be aware of?

I have asked this question of cisco integrators however all we get is "The engineers have put their heads together and say NO".

It's not something we would normally do however this is only temporary but I can't do it until we know conclusively that it will not have a detrimental effect on the 6509 or any of its contents.

Thanks

--
Jarrod
Re: [c-nsp] Catalyst 2960G Tacacs
Why are you using a timeout of 1 second for your TACACS+ server? That's awfully short, especially if you use two-factor authentication or a punt from ACS to an external database. If anything I've had to increase the timeout from the default.

Your authorization command doesn't look right either.

You would obviously also need to define some local username(s) with appropriate privilege levels and (hopefully) a secret in order for local fallback to work. You can't fallback to local if you have no local usernames...

If authentication to the ACS isn't working, check the ACS failure logs, and also do some debugs on the router/switch. You can setup buffered logging, unplug your connection to your ACS, do your test, then plug back in to get the detailed messages in the log on why AAA is failing.

HTH,

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp-[EMAIL PROTECTED]] On Behalf Of DAVID Sébastien
Sent: Monday, May 19, 2008 12:09 PM
To: [EMAIL PROTECTED]
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Catalyst 2960G Tacacs

Thanks for help,

But my configuration is OK with cisco 2950 only with 2960 I have a problem.

This is my configuration aaa :

aaa authentication login telnet group tacacs+ local
aaa authentication login console group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization exec default if-authenticated
aaa authorization config-commands
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
tacacs-server host x.x.x.x timeout 1
line console 0
 login authentication console
line vty 0 4
 logging synchronous
 login authentication telnet
 transport input ssh

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 19, 2008 18:05
To: DAVID Sébastien
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Catalyst 2960G Tacacs

Hi,

> HI,
>
> I met some difficulties to set up my switch 2960G with tacacs. I have configured a username in local and set an authentication list as follow :

you need to configure the groups for it to use local if server fails.

eg

aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 192.168.1.0
tacacs-server host 192.168.0.255
tacacs-server key 7 crackable secret

alan
Re: [c-nsp] VPN/QOS Questions Was MPLS - 6500's
Yes, no.

Quality of Service Options on GRE Tunnel Interfaces:
http://www.cisco.com/en/US/tech/tk543/tk545/technologies_tech_note09186a008017405e.shtml

Quality of Service - qos pre-classify command:
http://www.cisco.com/en/US/docs/routers/access/3200/software/configuration/guide/M032qos.html#wp1077010

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: Paul Stewart [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 06, 2008 11:41 AM
To: Fred Reimer; 'Phil Bedard'
Cc: cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] VPN/QOS Questions Was MPLS - 6500's

Thanks very much - I find this interesting for sure. There is already GRE/IPSec tunnels up between these locations - it's the added element of voice that has driven me in several different directions ;)

So if I read this correctly, it's possible to classify the voice packets inside of the existing VPN in place and maintain QOS so when it hits congestion we can give voice a high precedence? Does it matter that this is currently GRE based?

If this is correct, I just need to do some digging up on cisco.com

Thanks,

Paul

-----Original Message-----
From: Fred Reimer [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 06, 2008 12:32 AM
To: Paul Stewart; Phil Bedard
Cc: cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] VPN/QOS Questions Was MPLS - 6500's

The VoIP packets should be marked normally at the ingress port to the network. This is most likely the port on the switch that the phone is plugged into, or on the switch the router is plugged into. You may find it difficult to classify and mark traffic on the (sub) interfaces on which you configure the xconnects for L2TPv3 because the router treats them as layer-2 interfaces (i.e., you can't assign an IP address to them, etc).

With the VoIP properly marked before they get to the router, as they should be, you can use the tos reflect feature to copy the TOS bytes of the packets coming into the router (even though they are treated as layer-2 packets) to the L2TPv3 header that is sent out the router. The resulting L2TPv3 encapsulated traffic can be queued just like any other traffic.

One note, you say you need to create VPN's. The P in VPN is Private; L2TPv3 provides no encryption of the packets. If you need a private network you should use IPsec. You can use qos preclassify in order to classify the packets before they are encapsulated; providing a similar feature as tos reflect does with L2TPv3.

It sounds to me like you just want to setup IPsec VPN's. You can put the voice and data into the same tunnel, and with qos preclassify have the marking on the IPsec header reflect the QoS you want the packet treated with. I don't see the need for MPLS here. At 5Mbps max rate there are a ton of options as far as what hardware to select.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp-[EMAIL PROTECTED]] On Behalf Of Paul Stewart
Sent: Monday, May 05, 2008 10:11 PM
To: 'Phil Bedard'
Cc: cisco-nsp@puck.nether.net
Subject: [c-nsp] VPN/QOS Questions Was MPLS - 6500's

Oops.. overlooked it in the software advisor. According to Cisco.com l2tpv3 is supported even in the 1811's...

So, what QOS levels can I invoke with l2tpv3 if the packets are tunneled? In other words, is there a way to mark voice packets inside of l2tpv3 tunnels across a core network to another location?

Here's a scenario on where the MPLS thoughts came from:

Location A - Cisco 1811, two subnets inbound to the router internally - one voice and one data.
Location B - Cisco 1811, two subnets inbound to the router internally - one voice and one data.

The data portions need to be joined via VPN (currently using GRE/IpSec). Each site has public Internet access via NAT. The voice portions need to be joined on a VPN basis also. I want the voice portions to have dscp bits set (could mark via NBAR?) so that on the transport side we can prioritize. Each site has 5 Mb/s of layer3 connectivity so congestion will definitely occur at times.

In between each site is some 6500's (hence my questions on MPLS with 6500's) running Sup2/MSFC2 functioning as distribution routers.

To do this properly I keep coming back to an MPLS solution that we don't have today... our other option is to convert a bunch of gear and make each site a trunked layer2 connection but rather avoid that if possible...

Open to ideas... thanks folks..

Paul

-----Original Message-----
From: Phil Bedard [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 05, 2008 7:16 PM
To: Paul Stewart
Cc: 'Justin M. Streiner'; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] MPLS - 6500's

You may want to look
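The thread's two mechanisms, marking copied to the outer header (tos reflect) and classification on the pre-encapsulation headers (qos pre-classify), can be seen side by side in this added example, which is illustration code and not anything from the posts or from Cisco. It models the tunnel as a bare outer IPv4 header in front of an already-marked inner packet (no GRE or L2TPv3 session header), so the inner header sits at offset 20; the addresses, the EF marking and the 100-octet payload are constructed sample values.

```python
import ipaddress
import struct

DSCP_EF = 46          # Expedited Forwarding, the usual voice marking
PROTO_GRE = 47        # IP protocol numbers for the two tunnel types discussed
PROTO_L2TPV3 = 115


def ipv4_checksum(header):
    """RFC 791 header checksum: one's-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, proto, payload_len, dscp=0):
    """Minimal 20-octet IPv4 header; DSCP is the top six bits of the old
    TOS octet, which is the byte tos reflect copies."""
    tos = dscp << 2
    header = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0, 0,
                         64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]


def dscp_of(packet):
    """DSCP of whatever IPv4 header starts at offset 0 of packet."""
    return packet[1] >> 2


def encapsulate(inner, tunnel_src, tunnel_dst, proto, tos_reflect):
    """Wrap an already-marked packet in a tunnel header. With tos_reflect
    the inner DSCP is copied to the outer header; without it the outer
    header carries DSCP 0 and a downstream queue cannot tell voice from data."""
    outer_dscp = dscp_of(inner) if tos_reflect else 0
    outer = build_ipv4_header(tunnel_src, tunnel_dst, proto, len(inner), outer_dscp)
    return outer + inner


def classify(packet, preclassify=False):
    """Egress policy: 'priority' for EF, 'default' otherwise. Normally only
    the outer header is visible after encapsulation; preclassify=True models
    qos pre-classify, which matches on the headers seen before encapsulation."""
    header = packet[20:] if preclassify else packet
    return "priority" if dscp_of(header) == DSCP_EF else "default"


# Constructed sample: a 100-octet UDP payload already marked EF at the
# ingress switch port, as the post says it should be
VOICE_PACKET = build_ipv4_header("10.1.1.10", "10.2.2.10", 17, 100, DSCP_EF) + bytes(100)

if __name__ == "__main__":
    for reflect in (False, True):
        pkt = encapsulate(VOICE_PACKET, "198.51.100.1", "203.0.113.1", PROTO_GRE, reflect)
        print("tos reflect" if reflect else "no reflect", "->",
              "outer", classify(pkt), "/ preclassify", classify(pkt, preclassify=True))
```

Either approach gets voice into the priority queue on the encrypting router itself; only the copied outer marking survives onto the transport network in between, so if the 6500s in the middle are also expected to prioritise, the marking has to be on the outer header.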
Re: [c-nsp] VPN/QOS Questions Was MPLS - 6500's
The VoIP packets should be marked normally at the ingress port to the network. This is most likely the port on the switch that the phone is plugged into, or on the switch the router is plugged into. You may find it difficult to classify and mark traffic on the (sub) interfaces on which you configure the xconnects for L2TPv3 because the router treats them as layer-2 interfaces (i.e., you can't assign an IP address to them, etc). With the VoIP properly marked before they get to the router, as they should be, you can use the tos reflect feature to copy the TOS bytes of the packets coming into the router (even though they are treated as layer-2 packets) to the L2TPv3 header that is sent out the router. The resulting L2TPv3 encapsulated traffic can be queued just like any other traffic. One note, you say you need to create VPN's. The P in VPN is Private; L2TPv3 provides no encryption of the packets. If you need a private network you should use IPsec. You can use qos preclassify in order to classify the packets before they are encapsulated; providing a similar feature as tos reflect does with L2TPv3. It sounds to me like you just want to setup IPsec VPN's. You can put the voice and data into the same tunnel, and with qos preclassify have the marking on the IPsec header reflect the QoS you want the packet treated with. I don't see the need for MPLS here. At 5Mbps max rate there are a ton of options as far as what hardware to select. Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS Senior Network Engineer Coleman Technologies, Inc. 954-298-1697 -Original Message- From: [EMAIL PROTECTED] [mailto:cisco-nsp- [EMAIL PROTECTED] On Behalf Of Paul Stewart Sent: Monday, May 05, 2008 10:11 PM To: 'Phil Bedard' Cc: cisco-nsp@puck.nether.net Subject: [c-nsp] VPN/QOS Questions Was MPLS - 6500's Oops.. overlooked it in the software advisor. According to Cisco.com l2tpv3 is supported even in the 1811's... So, what QOS levels can I invoke with l2tpv3 if the packets are tunneled? 
In other words, is there a way to mark voice packets inside of l2tpv3 tunnels across a core network to another location?

Here's a scenario on where the MPLS thoughts came from:

Location A - Cisco 1811, two subnets inbound to the router internally - one voice and one data.
Location B - Cisco 1811, two subnets inbound to the router internally - one voice and one data.

The data portions need to be joined via VPN (currently using GRE/IpSec). Each site has public Internet access via NAT. The voice portions need to be joined on a VPN basis also. I want the voice portions to have dscp bits set (could mark via NBAR?) so that on the transport side we can prioritize. Each site has 5 Mb/s of layer3 connectivity so congestion will definitely occur at times. In between each site is some 6500's (hence my questions on MPLS with 6500's) running Sup2/MSFC2 functioning as distribution routers.

To do this properly I keep coming back to an MPLS solution that we don't have today... our other option is to convert a bunch of gear and make each site a trunked layer2 connection but rather avoid that if possible...

Open to ideas... thanks folks..

Paul

-----Original Message-----
From: Phil Bedard [mailto:[EMAIL PROTECTED]
Sent: Monday, May 05, 2008 7:16 PM
To: Paul Stewart
Cc: 'Justin M. Streiner'; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] MPLS - 6500's

You may want to look at L2TPv3 unless you really need TE features. It's supported on more platforms and supported in non 'T' train releases.

Phil

On May 5, 2008, at 4:52 PM, Paul Stewart wrote:

Thanks... So if someone wanted to build a low traffic volume, bare bones MPLS network could they not use:

Cisco 7206VXR-NPE-G1 for P router
Cisco 3825 or 2821 for PE router

This would give you every MPLS feature but VPLS specifically or am I way off?
Why I bring this up is that in this particular case there is still the Sup2/MSFC2 6500's in the middle but they could remain in the middle just as layer2 devices connecting the above devices together at layer3 as MPLS devices right? This particular project *could* use some of the TE and QOS features in MPLS but total traffic might be 10Mb/s on a peak hence why upgrading the 6500's would not make sense but adding some gear around them might work just fine...??

Thanks,

Paul

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Justin M. Streiner
Sent: Monday, May 05, 2008 4:40 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] MPLS - 6500's

On Mon, 5 May 2008, Paul Stewart wrote:

With a 6500 Catalyst, regular line cards, and Sup720-3BXL - what can you NOT do with MPLS on these chassis? Is it just VPLS that requires an OSM card or a FlexWAN card for example? We are working on a project where MPLS may come into play .. VPLS would be a nice option
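The point Fred makes about tos reflect (the egress queue only ever sees the outer header, so the inner DSCP has to be copied out before queuing) can be shown with a small packet model. This is an added example, not code from the list thread or from Cisco: the inner Ethernet frame, the outer IPv4 header and a minimal L2TPv3-over-IP session header are constructed here, and the checksum and session id are placeholders.

```python
"""Why tunnel encapsulation hides QoS marking, and what a tos-reflect style
copy of the inner TOS byte into the outer header restores.  Added example;
packet layouts are simplified (no checksums, constructed addresses)."""
import socket
import struct

DSCP_EF = 46                # Expedited Forwarding, the usual VoIP bearer marking
IP_PROTO_UDP = 17
L2TPV3_IP_PROTO = 115       # IP protocol number for L2TPv3 over IP (RFC 3931)
ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800


def build_ipv4_header(tos: int, proto: int, payload_len: int, src: str, dst: str) -> bytes:
    """Minimal 20-byte IPv4 header; header checksum left at zero for brevity."""
    version_ihl = (4 << 4) | 5
    return struct.pack("!BBHHHBBH4s4s", version_ihl, tos, 20 + payload_len, 0, 0,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def build_ethernet_frame(ip_packet: bytes) -> bytes:
    """Wrap an IPv4 packet in a constructed Ethernet header (the layer-2 frame
    that an L2TPv3 xconnect carries)."""
    dst_mac = bytes.fromhex("001122334455")
    src_mac = bytes.fromhex("66778899aabb")
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_packet


def tos_of(ip_packet: bytes) -> int:
    """TOS byte of an IPv4 packet (DSCP lives in its upper six bits)."""
    return ip_packet[1]


def dscp_of(ip_packet: bytes) -> int:
    return tos_of(ip_packet) >> 2


def inner_ip_tos(frame: bytes) -> int:
    """Peek past the Ethernet header of a layer-2 frame for the IP TOS byte;
    non-IP frames have nothing to copy and get 0."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4 or len(frame) < ETH_HDR_LEN + 20:
        return 0
    return frame[ETH_HDR_LEN + 1]


def encapsulate_l2tpv3(frame: bytes, src: str, dst: str, tos_reflect: bool) -> bytes:
    """Outer IPv4 + L2TPv3 session header around the frame.  With tos_reflect
    the outer TOS byte is copied from the inner IP header; otherwise it is 0."""
    session_header = struct.pack("!I", 0x00001234)      # constructed session id
    outer_tos = inner_ip_tos(frame) if tos_reflect else 0
    outer_ip = build_ipv4_header(outer_tos, L2TPV3_IP_PROTO,
                                 len(session_header) + len(frame), src, dst)
    return outer_ip + session_header + frame


def classify_egress(packet: bytes) -> str:
    """Queue selection on the egress interface: it sees only the outer header,
    so the inner marking is invisible unless it was reflected outward."""
    return "priority" if dscp_of(packet) == DSCP_EF else "best-effort"


if __name__ == "__main__":
    voice = build_ipv4_header(DSCP_EF << 2, IP_PROTO_UDP, 172, "10.1.1.10", "10.2.2.10")
    frame = build_ethernet_frame(voice)
    for reflect in (False, True):
        outer = encapsulate_l2tpv3(frame, "192.0.2.1", "198.51.100.1", reflect)
        print(f"tos reflect={reflect}: outer TOS 0x{tos_of(outer):02x} -> {classify_egress(outer)}")
```

The same reasoning applies to the IPsec case in the post: once the inner packet is encrypted, the only marking a downstream queue can act on is whatever was copied to the outer header before encapsulation.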
Re: [c-nsp] Downloadable acl for ASA-pix to VPN-clients
Yes and no. The ACL isn't downloaded to the VPN client itself, it is downloaded to the ASA and enforced at that point. It's pretty simple, and here are the references.

http://www.cisco.com/en/US/partner/docs/security/asa/asa80/configuration/guide/fwaaa.html#wp1043588

And:

http://www.cisco.com/en/US/partner/docs/security/asa/asa80/configuration/guide/vpngrp.html#wp1133080

Sorry for the partner links, but you can do your own search. It's all in the configuration guides. I know it sounds simple, but just download the command line configuration guide, and read it.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp-[EMAIL PROTECTED] On Behalf Of Arne Larsen / Region Nordjylland
Sent: Sunday, May 04, 2008 3:53 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Downloadable acl for ASA-pix to VPN-clients

Hi All.

Is it possible via RADIUS to download an access-list to a vpn client that is connecting to an ASA-firewall, so that the clients are restricted separately? And how is it done? Any links or example would be appreciated.

/Arne

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] 7201 rack mounting
You have several things to consider before you start worrying about the 14 screws. First is the shear force necessary to break the screws, and second is the fact that a properly mounted chassis will result in the friction between the mounting gear and the rack post taking up most of the weight and considerably less weight being put on the screws. It is even possible for the screws to be under little or effectively no direct shear force. I'm not a mechanical engineer, but I'm sure that Cisco did the proper engineering to ensure sufficient screws if mounted properly. The only related case I'm aware of is a manufacturing defect where the side handles on 6500 chassis would break off; I'm glad I'm not the one that called TAC the day that was discovered!

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp-[EMAIL PROTECTED] On Behalf Of Peter Rathlev
Sent: Wednesday, April 23, 2008 1:19 PM
To: Dean Smith
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 7201 rack mounting

Not really on topic, but we just finished mounting three 6509-V-E chassis; I know they come with some stub shelves, but otherwise they just hang in seven 4 mm long screws in each side. (It doesn't matter how many rack mounting nuts you use, the panel you fasten to the rack is fastened to the chassis with those seven screws.) The chassis itself weighs in at just below 50 kg. Add a supervisor and some heavy line cards and you're approaching my weight, and I'm not exactly lean. Fourteen tiny screws... I wouldn't rest in a hammock mounted in that way. :-)

Regards,
Peter

On Wed, 2008-04-23 at 11:17 +0100, Dean Smith wrote:

Anyone else shocked at the appalling rack mounting supplied for 7201? Single ears at either front or back is simply not good enough for that sort of box.
Look at any 1U server (equivalent value/weight) and you'll get a decent adjustable rail that can go front to back and offer a proper stable mounting. Our first 7201 install is drooping alarmingly (and I don't think it's cheap rack rails). At Cisco prices I don't expect to have to go and buy additional shelves/brackets just to get an acceptable rack mount solution!
Re: [c-nsp] Policy based routing on FWSM
No, PBR is not supported in the FWSM.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp-[EMAIL PROTECTED] On Behalf Of Junaid
Sent: Friday, April 18, 2008 8:11 AM
To: cisco-nsp
Subject: [c-nsp] Policy based routing on FWSM

Hi,

I am using a Cisco 6509 with an FWSM blade. FWSM is in routed mode. I have my server behind the FWSM in a VLAN. This 6509 is connected to my B-RAS. Is it possible for me to do policy-based routing from B-RAS right to my server? I can do PBR from B-RAS to MSFC and the MSFC can redirect the traffic to the SVI address that is connected to the VLAN my server is in. Now the question is, whether PBR or something similar is supported in FWSM?

Regards,
Junaid
Re: [c-nsp] EAP SSL certificates - how to?
That sounds like a problem with OSX. You need to get a more verbose explanation of what the issue is.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp-[EMAIL PROTECTED] On Behalf Of matthew zeier
Sent: Friday, April 18, 2008 1:54 PM
To: [EMAIL PROTECTED]
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] EAP SSL certificates - how to?

GeoTrust is a well known root CA and I don't get prompts going to websites signed by them. I do, however, if I use the same cert for RADIUS. The error is unknown trust setting.

[EMAIL PROTECTED] wrote:

Hi,

What's the magic to getting an EAP SSL cert (WLCs using RADIUS for WPA Enterprise) to work with machines without getting cert warnings? I've used a self-signed one and got unknown root errors (expected) and took a GeoTrust cert off a webserver and got unknown trust settings in OSX. In either case, going into the OS certificate store and setting the trust settings gets me past that but I'd rather not confuse users.

the root CA that signed the cert needs to be in the store of the client. for self-signed this means you must put the CA onto the client..

alan
Re: [c-nsp] When are ACLs inserted to TCAM
I believe named ACL's are only pushed when you exit out of the named ACL config. Numbered ACL's are pushed after every entry, hence the recommendation to use named ACL's. Or at least that's what I heard somewhere.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp-[EMAIL PROTECTED] On Behalf Of mack
Sent: Thursday, April 17, 2008 6:59 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] When are ACLs inserted to TCAM

It is best practice to not make changes to an active ACL. Obviously making changes to a live ACL is at your own risk. When are extended ACLs actually inserted into TCAM? Under SXF versions of IOS it seems that the ACL is not applied until the exit statement is executed. This would make sense as the ODM is a processor intensive task and executing it for every statement might not be the best behavior. However the documentation is not at all clear on this. And it seems that SXH1 may behave differently. Does anyone have a definitive answer?

--
LR Mack McBride
Network Administrator
Alpha Red, Inc.
Re: [c-nsp] Cisco LWAPP - statically assigned controller...Controller IP has since changed.
You wouldn't. It does not work like that. You would setup a special DNS entry for something like CISCOLWAPPCONTROLLER.localdomain. or whatever (read the Cisco docs, it is all clearly described). You point that DNS entry towards the WLC addresses. Another option would be DHCP options, which is my preferred method.

Assignment of primary, secondary, and tertiary controller names for the AP's, configured through the WLC or WCS, is recommended. It allows you to control how failover will work with redundant controllers, which you should have. It also helps with troubleshooting because you always know what WLC a given AP is attached to. Plus, there have been problems with Cisco's load balancing algorithms when using dynamic controller assignments (where no controller names are specified).

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp-[EMAIL PROTECTED] On Behalf Of Jeff Cartier
Sent: Wednesday, April 16, 2008 11:33 AM
To: Mike Louis; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cisco LWAPP - statically assigned controller...Controller IP has since changed.

Continued...

So if they were assigned by names...lets say...WLC1 (primary) and WLC2 (secondary). How would I use DNS entries to transition them?

-----Original Message-----
From: Mike Louis [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 16, 2008 11:30 AM
To: Jeff Cartier; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] Cisco LWAPP - statically assigned controller...Controller IP has since changed.

You should be assigning the WLC controller names in the LWAPP AP configuration using their system name. You can use DNS entries to make the transition easier. Do not use IP addresses though. As long as the AP can join one controller, and that controller is in the same mobility group as all the other controllers, the AP will be able to download the controller list during its first join.
I normally prefer to use DHCP + Options for LWAPP assignment and controller configurations. Makes setup and changes much easier.

YMMV

mike

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Cartier
Sent: Wednesday, April 16, 2008 11:06 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco LWAPP - statically assigned controller...Controller IP has since changed.

Greetings!

So I'm running into an issue where I've configured a bunch of Cisco LWAPPs. The idea was to statically assign the IP address and to which Controller (Primary/Secondary) the LWAPP would join. Everything worked fine. No issues. A couple days later I found out that the WLC Management + AP Manager subnets would have to change. Since the LWAPPs are configured statically to look for and join on a specific subnet that doesn't exist, what's the simplest way to tell these LWAPPs (that are statically configured) to find the new WLC IP address?

Thanks!!!
Re: [c-nsp] ASA Transparent Mode with VLAN Trunks
Why off-list? Do share, others might benefit.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp-[EMAIL PROTECTED] On Behalf Of Ge Moua
Sent: Wednesday, April 16, 2008 11:30 AM
To: 'Mike Louis'; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASA Transparent Mode with VLAN Trunks

Email me off-line, I have working configs for this.

Regards,
Ge Moua | Email: [EMAIL PROTECTED]
Network Design Engineer
University of Minnesota | Networking Telecommunications Services

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Louis
Sent: Wednesday, April 16, 2008 10:13 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ASA Transparent Mode with VLAN Trunks

I am trying to configure an ASA in Transparent mode running 7.2(3) version of code. It has trunk interfaces trunking vlans 100,101 on both the inside and outside interfaces of the device. However the ASA will not let me assign VLAN 100,101 to subinterfaces on both sides of the firewall. Does anyone have a working configuration on how to accomplish this? I want to trunk 2 VLANs through a L2 firewall using the same VLAN tags on each inside/outside sides of the firewall.

TIA
Mike
[c-nsp] SPA-5X1GE-V2
Anyone have a SPA-5X1GE-V2 running in a 6500 with a SUP720 and a 7600-SIP-400? If so, would you mind telling what version of IOS you are running?

Thanks,

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697
Re: [c-nsp] Wanting to learn Juniper...
Not to drag this on any longer than necessary, but anyone who calls themselves a network engineer should have no problem understanding Boolean math and bitwise operations. How can you understand how a device decides to send traffic to a local device or through a router if you don't understand a bitwise AND between the destination address and subnet mask, bitwise AND between your address and subnet mask, and a comparison between the two? NOT AND OR XOR SHIFT, this is all computing, and networking, 101 stuff. How it can be considered non-natural, non-obvious, or hard to understand by a network engineer is something I can't grasp. For a newbie in an introductory class, I'd start off with some basic math and logical operations, perhaps some introductory programming so that they can understand the operations that a device goes through in routing traffic, and even in parsing the configuration.

Thanks,

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp-[EMAIL PROTECTED] On Behalf Of Jeremy Stretch
Sent: Friday, April 11, 2008 4:15 AM
To: Ben Steele
Cc: Campbell, Alex; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Wanting to learn Juniper...

Of course it seems intuitive to anyone who's worked with Cisco gear for even a short amount of time. But in running newbies through the basics in an introductory Cisco class, this is one thing I've noticed that seems odd to them. Obviously this isn't a huge stumbling block, just noting that the concept of not off isn't as natural as on.

stretch
http://packetlife.net

Ben Steele wrote:

That seems very intuitive to me, as soon as you understand that no in IOS removes/negates, means less commands which makes sense. Unless the term shutdown doesn't seem clear in an interface? I would assume it does to the majority of people though, IOS familiar or not.
On 11/04/2008, at 3:43 PM, Jeremy Stretch wrote:

Tolstykh, Andrew wrote:

Cisco IOS is in fact extremely intuitive, there is nothing intuitive about the JunOS IMHO.

I can't speak on JunOS, but considering that the IOS command to enable an interface is no shutdown, IOS may not be as intuitive as you think.

stretch
http://packetlife.net
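The local-or-routed decision Fred describes (AND the destination with the mask, AND your own address with the mask, compare) written out as code, together with the NOT and SHIFT operations that produce masks and IOS-style wildcard masks from the same bits. This is an added example for readers of the thread, not code from the list or from any vendor; the addresses are constructed.

```python
"""Bitwise view of host forwarding and ACL matching.  Added example; the
addresses and prefixes are constructed."""


def dotted_to_int(addr: str) -> int:
    """Parse a dotted quad into a 32-bit integer with SHIFT and OR."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {addr}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {addr}")
        value = (value << 8) | n
    return value


def int_to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix_len: int) -> int:
    """/24 -> 0xFFFFFF00: shift all-ones left, then truncate to 32 bits."""
    if not 0 <= prefix_len <= 32:
        raise ValueError(f"bad prefix length {prefix_len}")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def mask_to_wildcard(mask: int) -> int:
    """IOS ACLs take the inverted mask: bitwise NOT, truncated to 32 bits."""
    return ~mask & 0xFFFFFFFF


def network_of(addr: str, mask: str) -> str:
    return int_to_dotted(dotted_to_int(addr) & dotted_to_int(mask))


def broadcast_of(addr: str, mask: str) -> str:
    """Network bits from the address, host bits all set (OR with NOT mask)."""
    m = dotted_to_int(mask)
    return int_to_dotted((dotted_to_int(addr) & m) | mask_to_wildcard(m))


def next_hop(my_addr: str, mask: str, dst: str) -> str:
    """The decision a host makes for every packet it sends: same network
    after masking -> deliver directly (ARP for it); otherwise hand it to
    the default gateway."""
    m = dotted_to_int(mask)
    if (dotted_to_int(my_addr) & m) == (dotted_to_int(dst) & m):
        return "local"
    return "gateway"


def acl_matches(addr: str, acl_addr: str, wildcard: str) -> bool:
    """Standard ACL entry test: wildcard bits set to 1 are 'don't care',
    so mask them out of both sides before comparing."""
    care = ~dotted_to_int(wildcard) & 0xFFFFFFFF
    return (dotted_to_int(addr) & care) == (dotted_to_int(acl_addr) & care)


if __name__ == "__main__":
    me, dst = "192.168.1.10", "192.168.1.200"
    for plen in (24, 25):
        mask = int_to_dotted(prefix_to_mask(plen))
        print(f"{me}/{plen} -> {dst}: {next_hop(me, mask, dst)}"
              f" (broadcast {broadcast_of(me, mask)})")
    print("10.1.5.7 matches 10.1.0.0 0.0.255.255:", acl_matches("10.1.5.7", "10.1.0.0", "0.0.255.255"))
```

The /24 versus /25 case is the one that catches people: the two hosts share the first three octets, but one more mask bit puts 192.168.1.200 on the other side of the router.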
Re: [c-nsp] CSM for service providers
Sounds like no one has used the ACE. I have for two customers, one in production for approx six months and the other not in production yet. Other than some issues with the new load balancing with the GSS, which hopefully has been resolved now, we haven't run into any problems. I'm not in sales, so I don't have to worry about cost ;-), but I do know there was, and still may be, a special on the appliance (not the module) where you get some large percentage off (35% or 50% or something) in addition to your normal Cisco discount. So if you are interested in an ACE, pick one up now...

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp-[EMAIL PROTECTED] On Behalf Of Chris Riling
Sent: Monday, April 07, 2008 6:24 PM
To: Ross Vandegrift
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] CSM for service providers

I've been running the CSM for about the year and a half I've been at the service provider I work for. I like the fact that it's pretty scalable and that you can be multiple L2 hops down the line and build it out however you like, and every port in the chassis is a load balanced capable port... I haven't been using the config sync feature since it requires a CSM software upgrade, which requires us to do an IOS upgrade; from what I can hear I haven't missed much. The fault tolerance has worked alright, I just had my first failover last night - I had some config sync related issues but that was due to our environment and not the blade... I push a fair amount of traffic through it and it doesn't skip a beat. However, other than the basic load balancing / health probes and the occasional serverfarm nat, I don't really use the CSM to its fullest extent. I will also agree that the documentation is horrible; I learned more by running it than I ever did reading the documentation... Overall I think it's pretty decent though...
I did hear it's on its way out also, but I haven't used the ACE

Chris

On Mon, Apr 7, 2008 at 5:33 PM, Ross Vandegrift [EMAIL PROTECTED] wrote:

On Mon, Apr 07, 2008 at 08:30:17PM +, Ramcharan, Vijay A wrote:

Last I knew, the CSM was on its way out and being replaced with the ACE blade/appliance. That's not quite the answer to the question you asked but it does address the long term viability issue. I don't believe you should be looking at the CSM as a long-term solution. If it's in place and working then it may have some life left in it. If it's for a new deployment, look elsewhere. I mean seriously look at other options. You just need to look at the bug list for the ACE releases to get a teeny bit wary of the ACE in general. There is no Safe Harbor code release as yet and it's been probably over a year since the product was available.

We have two existing CSM installations, and the question is going to be do we size-up these to match demand or do we start moving to another solution? As for the ACE: unless the ACE represents substantial benefits, there's no way the cost of all the license crap is going to be worth it. And if Cisco wants to hold us CSM customers hostage for working redundancy, we'll find another solution.

Interesting that the safe-harbor listing is gone - CSM does receive safe-harbor qualifications, and I know that 4.2(5) was previously listed as receiving qualifications. See the stub at:

http://www.cisco.com/en/US/docs/safe_harbor/enterprise/csm/4_2_5__12_2_18_sxf5/425.html

Interesting that this isn't linked from the main safe-harbor page anymore. Moreover, CSM 3.X has announced end-of-support in 2011. While there is no comparable EOL/EOS data (that I know of) on CSM 4.2 software, I have no reason to think it's going to drop out of support soon.
Ross

Vijay Ramcharan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ross Vandegrift
Sent: April 07, 2008 15:20
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] CSM for service providers

Hello everyone,

I'm looking to solicit some input from others that are using the Cisco CSM, in particular, service providers that are using it to host layer 4-7 switching for customers. The archives don't seem to have a ton of opinions on these guys.

In general, I like the device's performance and scalability. I have actually seen them handle a million simultaneous sessions, and I've seen VIPs with 900+k sessions cause no impact to other VIPs. However, we've run into some issues that are a bit troublesome:

1) Fault-tolerance is a feature that was obviously tacked-on after the fact. Config sync is a slow process that interacts badly with other IOS features like SNMP. We've been reduced to manually syncing all configs because of IOS crash risk
Re: [c-nsp] Transparent ASA 5510 on a dot1q Trunk
On a FWSM you don't need separate contexts and can setup up to eight bridge groups.

If you do not want the overhead of security contexts, or want to maximize your use of security contexts, you can configure up to eight pairs of interfaces, called bridge groups. Each bridge group connects to a separate network. Bridge group traffic is isolated from other bridge groups; traffic is not routed to another bridge group within the FWSM, and traffic must exit the FWSM before it is routed by an external router back to another bridge group in the FWSM. Although the bridging functions are separate for each bridge group, many other functions are shared between all bridge groups. For example, all bridge groups share a system log server or AAA server configuration. For complete security policy separation, use security contexts with one bridge group in each context.

Finally one thing a FWSM does better than an ASA! (feature wise)

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp-[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, April 08, 2008 5:11 AM
To: Chris Riling
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Transparent ASA 5510 on a dot1q Trunk

Hi Chris,

This is feasible if you use multiple contexts in transparent mode as described here:

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/examples.html#wp1010043

Basically you define all necessary vlan subifs into the global context, then you use them as inside/outside pairs into each context. A guy called Ge Moua here at c-nsp sent me a working configuration for this a couple of months ago, unfortunately can't get my hands on it anymore. Maybe Ge can kick in and repost it for you.

Jerome Covini

Selon Chris Riling [EMAIL PROTECTED]:

Hey Guys,

Forgive the dumb question, I'm not much of a Cisco security guy...
I have a 5510 I need to put in transparent mode and I want it to sit in the middle of a dot1q trunk and filter traffic for the 4 VLANs traversing the trunk between the two switches. What is the best way to do this? As someone on the list had pointed out to me once, you should be able to create inside and outside VLAN subinterfaces for each VLAN but I'm still a little confused... Anyone else have any input? The ASA supposedly does some tag switching and you need to have the same VLANs have one tag on the inside, and another tag on the outside, but I'm not exactly sure how you associate each inside VLAN with its respective outside VLAN and vice versa in the config...

Thanks,
Chris
Re: [c-nsp] IPSEC VTIs
I don't know what code you are running, supposedly 12.4 something, but in later versions of code you can put an input and output ACL in the crypto map in addition to the match ACL. I've used this with VRF aware IPsec with failover separating out several different connections.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp-[EMAIL PROTECTED] On Behalf Of Behl, Jeff
Sent: Tuesday, April 08, 2008 12:27 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] IPSEC VTIs

I've switched to using VTIs (http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/hipsctm.html) where possible, both for their simplicity in configuration and (more importantly) I can put ACLs on the actual tunnel interfaces to manage incoming traffic. Where this isn't the case (there's a Juniper at the other end, so IPSEC/GRE) what or where is the best place to enforce ACLs? Applying them to the tunnel interface obviously doesn't work so it seems the other choice is to put ACLs on all non-tunnel interfaces, which isn't ideal, or to do something using VRFs?

Thanks for any input.

-Jeff
Re: [c-nsp] 7600 Questions
Well, it's kind of both:

CoPP is actually applied at two different levels on the Cisco Catalyst 6500 Series. The first level is the hardware-based forwarding engine mitigation, and the second level is the software CoPP. Forwarding engines are programmed with the same global CoPP policy even though they each police traffic independently, so the route processor CPU could ultimately be presented N times the configured traffic rate, where N denotes the number of forwarding engines (active PFCs and DFCs) present in a Cisco Catalyst 6500 Series chassis. In Figure 3, after each forwarding engine has independently mitigated a line-rate attack in hardware, CoPP is enforced in software at interrupt level to make sure that only the exact rate configured in the control-plane policy is processed by the route processor. This should be taken into account when configuring a control-plane policer.

Hardware will take care of most of it, but it still does software policing. Even if you don't have many ingress points on a system (multiple DFC's and the central PFC) my understanding is that software must still re-police the traffic once the hardware is done with it. That can, I suppose, cause issues depending on how you have it configured. If there are multiple ingress points, say during a DDoS attack, then depending on how many it could cause issues.

Here's another doc that explains CoPP on various platforms:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6970/ps1838/prod_white_paper0900aecd804ac831.pdf

Some other points from that document:

Omitting the policy parameters in a class causes the class to be handled by software-based CoPP. Use the police command and set the policy parameters to ensure the class is handled by hardware-based CoPP.

With PFC3A, egress QoS and CoPP cannot be configured at the same time. In this situation, CoPP is performed in software, and a warning message is generated.
In the rare situation where a large QoS configuration is being used, it is possible that the system may run out of TCAM space. When this scenario occurs, CoPP may be performed in software. HTH, Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS Senior Network Engineer Coleman Technologies, Inc. 954-298-1697 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oliver Boehmer (oboehmer) Sent: Friday, March 28, 2008 2:41 AM To: Justin Shore; Mikael Abrahamsson Cc: user user; cisco-nsp@puck.nether.net Subject: Re: [c-nsp] 7600 Questions Justin Shore wrote on Friday, March 28, 2008 4:31 AM: Mikael Abrahamsson wrote: On Thu, 27 Mar 2008, Justin Shore wrote: Also, you should skip the Sup720-3BXL and get the RSP720-3CXL for the same $$. And you should also get your 67xx linecards with DFCs that match the Sup as well. It's worth the added expense. Why do you think that it's worth the added expense initially? I'd say it's worth it when you start to approach 5-10MPPS (due to CFC worst case limit of ~15 MPPS) but not before. It depends on how you're using your linecards. For some people it's a matter of the performance capabilities of the FE. For anyone with a 6500/7600 carrying full Internet tables or having their chassis publicly accessible on the Internet, it's a matter of offloading CoPP onto the DFC. Otherwise CoPP happens in software on the MSFC. You may in fact be less susceptible to being DoSed without CoPP enabled in chassis without DFCs. Otherwise you're opening up a path straight to the CPU. I don't think this is true. CoPP on the 6500/7600 is implemented in hardware (assuming mls qos is enabled): on the PFC within the Sup as well as on the DFCs (if there are any). Please take a look at the CoPP chapter in http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_wh ite_paper0900aecd802ca5d6.html which describes the CoPP architecture on this platform. 
oli
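To make the two caveats Fred quotes concrete (every class needs a `police` statement or it falls back to software CoPP, and hardware CoPP depends on `mls qos`), here is an added example of a CoPP policy for a Sup720-based 6500/7600. It is my example, not from the thread or from Cisco's document; the prefixes, rates and bursts are assumptions and should be sized from your own counters.

```ios
! Added example, not from the thread.  Prefixes, rates (bps) and bursts
! (bytes) are made up; size them from "show policy-map control-plane"
! on your own box before enforcing anything.
!
mls qos
! ^ without this the PFC/DFCs do not police at all and CoPP runs only in
!   software on the MSFC.  Note that enabling mls qos also makes ports
!   untrusted by default (DSCP rewritten to 0) unless you set trust.
!
ip access-list extended COPP-BGP
 permit tcp 192.0.2.0 0.0.0.255 host 203.0.113.1 eq bgp
 permit tcp 192.0.2.0 0.0.0.255 eq bgp host 203.0.113.1
ip access-list extended COPP-MGMT
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 permit udp 10.0.0.0 0.0.0.255 any eq snmp
ip access-list extended COPP-ICMP
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any unreachable
ip access-list extended COPP-UNDESIRABLE
 permit udp any any eq 1434
 permit tcp any any eq 135
!
class-map match-all COPP-BGP
 match access-group name COPP-BGP
class-map match-all COPP-MGMT
 match access-group name COPP-MGMT
class-map match-all COPP-ICMP
 match access-group name COPP-ICMP
class-map match-all COPP-UNDESIRABLE
 match access-group name COPP-UNDESIRABLE
!
policy-map COPP
 ! Every class, class-default included, carries "police": a class without
 ! it is handled by software CoPP only.
 class COPP-BGP
  police 4000000 500000 conform-action transmit exceed-action transmit
 class COPP-MGMT
  police 1000000 125000 conform-action transmit exceed-action drop
 class COPP-ICMP
  police 100000 12500 conform-action transmit exceed-action drop
 class COPP-UNDESIRABLE
  police 32000 4000 conform-action drop exceed-action drop
 class class-default
  police 500000 62500 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
```

Remember the multiplier Fred's quote describes: with one PFC and two DFCs policing independently, the MSFC can be handed up to three times the COPP-BGP rate before the software policer trims it back to 4 Mbps, so the CPU must tolerate N times the per-class rate, not the rate itself. After applying, `show policy-map control-plane` gives the software counters and `show mls qos ip` the hardware ones; if a class shows activity only in software, check your release's CoPP restrictions (match criteria and class behaviour that the PFC does not program in hardware) and the TCAM situation Fred mentions.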
Re: [c-nsp] FWSM - No Traceroute
The FWSM isn't a half-assed ASA. It is a firewall-only module. It doesn't have the VPN capabilities of the ASA, obviously does not have modules you can add like an IPS or CSC, and is strictly a firewall. It also lags behind in features; you'll notice that the FWSM is one or two features behind an ASA. I have no doubt you'll be impressed with the next major rev when it comes out though. So I wouldn't call the FWSM a half-assed ASA, meaning it wanted to be like an ASA but couldn't quite hack it. Rather, it tries to fit into a different role, and does quite well at it. Thanks, Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS Senior Network Engineer Coleman Technologies, Inc. 954-298-1697 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christian Sent: Tuesday, March 25, 2008 5:24 PM To: Raul Lopez Nevot Cc: cisco-nsp@puck.nether.net Subject: Re: [c-nsp] FWSM - No Traceroute traceroute is in ASA though... /act# traceroute ? Hostname or A.B.C.D Trace route to IPv4 address or hostname /act# traceroute and FWSM is like a half-ass ASA..thats why i am curious what exactly is the technical reason that there isnt a traceroute command On Tue, Mar 25, 2008 at 5:12 PM, Raul Lopez Nevot [EMAIL PROTECTED] wrote: On Tue, Mar 25, 2008 at 8:17 PM, Christian [EMAIL PROTECTED] wrote: yeah why is there no traceroute command, sorrry not being clearer This question only can be answered by cisco people, but I live with cisco PIX (so then ASA and FWSM, we have a few) since version 4.4 and never was this command there. Since the PIX is not native from cisco (its OS, named Finesse, was from another company, Network Translation I think it was), and is not IOS-powered, sure the former did not implement this command and nobody at Cisco did. By the way, and sorry for the very BIG off-topic, do anybody know the name of Cisco Engineer that converted a PIX into FWSM? 
They told me this engineer is from Sabadell (Barcelona/Spain), and I'm from there, and it would be nice to meet him! Sorry again for the OT.
Re: [c-nsp] 6509 noob question
I believe those commands are for Native IOS, to get to the switch processor, where you can do nifty things like a packet capture if you know the commands. For Hybrid CatOS/IOS you'd have to go from the SP to the RP. Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS Senior Network Engineer Coleman Technologies, Inc. 954-298-1697 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tassos Chatzithomaoglou Sent: Wednesday, March 26, 2008 6:40 AM To: David Prall Cc: cisco-nsp@puck.nether.net Subject: Re: [c-nsp] 6509 noob question The following two could probably help you too: remote command switch xxx remote login switch -- Tassos David Prall wrote on 25/3/2008 11:05 μμ: Switch console can only be done from catos. You want to find and entry that has a mac address within the cisco range. What does sh cdp neighbor give you. I don't remember this working, but it has been a long time. Then sh cdp neighbor detail for the address. Might get lucky. David -- http://dcp.dcptech.com -Original Message- From: Adam Greene [mailto:[EMAIL PROTECTED] Sent: Tuesday, March 25, 2008 4:58 PM To: David Prall; cisco-nsp@puck.nether.net Subject: Re: [c-nsp] 6509 noob question Thanks, all. Neither the session nor switch console commands are recognized on the IOS side. Is there anything specific I should look for in the ARP table? There are about 1000 entries in there. I guess next step will be to call this switch's admin thanks, Adam - Original Message - From: David Prall [EMAIL PROTECTED] To: 'Adam Greene' [EMAIL PROTECTED]; cisco-nsp@puck.nether.net Sent: Tuesday, March 25, 2008 4:45 PM Subject: RE: [c-nsp] 6509 noob question You need the management interface address for the catos side, from their you can session to the msfc/msfc's. Can telnet from the msfc to the catos side if you know the address. Might be able to figure out where it is from the arp table. 
David -- http://dcp.dcptech.com

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adam Greene Sent: Tuesday, March 25, 2008 4:20 PM To: cisco-nsp@puck.nether.net Subject: [c-nsp] 6509 noob question

How's this for a stupid question? I'm working remotely on a pair of 6509's: CatOS 8.3(3) / IOS 12.1(8a)E3. I can telnet to the devices and access the IOS CLI. The million-dollar question: how do I access the CatOS CLI? As far as I can tell all the switch configs live in CatOS while the routing configs live in IOS, and I'm trying to gain access to the spanning-tree info (CatOS), to see if the switch is running PVST+, MST or what. Thanks, Adam
Re: [c-nsp] BGP Router Considerations
Or you may want to look into the new ASR routers. They are supposed to be positioned between the 7200's and the 7600's, but it doesn't sound like you are really pushing that much traffic through the system. If you need it now it's probably not an option, but if you are looking to what would be ideal in the near future this may be the answer. Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS Senior Network Engineer Coleman Technologies, Inc. 954-298-1697 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gert Doering Sent: Wednesday, March 26, 2008 1:13 PM To: Paul Stewart Cc: cisco-nsp@puck.nether.net Subject: Re: [c-nsp] BGP Router Considerations Hi, On Wed, Mar 26, 2008 at 12:02:15PM -0400, Paul Stewart wrote: What I'm considering is removing the 12012 because of the space it consumes (does all BGP today) and replacing it with a pair of 7606's Sup720-3BXL etc For BGP edge that's feeding 3 full BGP transit feeds and a couple hundred peering sessions will the Sup720-3BXL cope ok from a memory perspective. The Sup720 is not very fast, regarding CPU wise (= BGP update handling) but it will handle 3 full feeds just fine. If you want a faster CPU, you might want to check the RSP720, but beware (see below). The traffic is not a lot (500Mb/s or so) on this network . Traffic-wise, the Sup720 *is* fast :-) Thanks for any feedback.. We have lots of 6500's but everyone keeps telling me lately to go 7600 series instead?? Basically it's the same thing. And with IOS 12.2SX*, there was no difference, except chassis colour. Then came the 7600 business unit (BU) inside Cisco and decided we're going to sell Real Routers, can't have this switch chassis crap around! and forked a software train (12.2SRA/SRB/SRC) that nowadays doesn't run on chassis that are labeled 6500 anymore. Just because they do an EEPROM check. Otherwise there is still no difference. 
There is some new hardware - the RSP720, the ES20 line cards, and the 7600-S chassis - that are *only* supported by SR* software. OTOH, there are LAN style line cards, notably the 6708 8x10GE card, that only just recently have been supported in SRC, and as far as I have heard, SRC is not very mature yet. Politely said.

OTOH, there is the 6500 business unit, that targets enterprises - their IOS fork is 12.2SXH these days. They build nice things that ISPs might want to have as well, like modular IOS with restartable processes in case BGP leaks memory (and, in theory, upgrades-without-reboot, and such), the Sup720-10G supervisor engine, and thus.

Until recently, buying a 7600+Sup720 and running SXF/SXH was what we considered future proof - you have a chassis that supports all the software that's out there, and are saved from the internal politics bullshit. Unfortunately, that's not completely true anymore - the 7600-S chassis are NOT supported by SXH IOS, and as far as we have been told, there are no plans to do so.

So - what's the summary? Cisco internal politics is hurting customers. Whatever you decide upon, you'll be f***ed in a year or so. Get a Juniper M7i. For your traffic needs, it's definitely fast enough - and the CPU to handle the BGP updates is much faster. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany [EMAIL PROTECTED] fax: +49-89-35655025 [EMAIL PROTECTED]
Re: [c-nsp] BGP Router Considerations
Absolutely, that's why I said if you need it now it is probably not an option. However, that will change with time. I expect the feature list to be mostly complete a year from now. If it is a question of long-term planning then the platform should be considered. Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS Senior Network Engineer Coleman Technologies, Inc. 954-298-1697

-Original Message- From: David Curran [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 26, 2008 4:03 PM To: Fred Reimer; Gert Doering; Paul Stewart Cc: cisco-nsp@puck.nether.net Subject: Re: [c-nsp] BGP Router Considerations

Be very mindful of features here. The feature list for all but certain large carriers is pretty slim pickens.

From: Fred Reimer [EMAIL PROTECTED] Date: Wed, 26 Mar 2008 13:22:37 -0400 To: Gert Doering [EMAIL PROTECTED], Paul Stewart [EMAIL PROTECTED] Cc: cisco-nsp@puck.nether.net Conversation: [c-nsp] BGP Router Considerations Subject: Re: [c-nsp] BGP Router Considerations
Re: [c-nsp] Router security defaults (WAS RE: Proxy ARP -- To disable, or not to disable..)
Exactly, autosecure is just a macro. It is always advisable to check the actual router configuration after it is completed. The engineer should make sure they understand how all of the commands are implemented, and if they don't, research them and make sure they know of any caveats. Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS Senior Network Engineer Coleman Technologies, Inc. 954-298-1697

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Justin Shore Sent: Monday, March 24, 2008 9:21 AM To: David Barak Cc: [EMAIL PROTECTED]; cisco-nsp@puck.nether.net Subject: Re: [c-nsp] Router security defaults (WAS RE: Proxy ARP -- To disable, or not to disable..)

Good info. It's always risky when people add config without knowing what it does. I usually tell people to compare a before and after diff of the config of a lab router to see what exactly autosecure did. Then I point them to the online docs to figure out what the reason was behind each of the changes. It's a good way for folks to learn. It doesn't get much easier than "go research this command to learn what it does". Then they can decide what will or will not work on their network. Everyone should have a lab, even if work won't provide one. Justin

David Barak wrote: Watch out for autosecure: last time I looked, it filtered traffic from a static list of unallocated IP space. Of course, new IP space is always being allocated all the time, so those filters were quickly out of date. This might have led to some of the problems experienced by the users in 69/8. I haven't looked lately, so hopefully that behavior has changed. -David Barak

Justin Shore wrote:
hostname host
ip domain-name domain.tld
crypto key generate rsa modulus 2048
!
ip ssh time-out 60
ip ssh version 2
ip ssh authentication-retries 3
!
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
service sequence-numbers
ip icmp rate-limit unreachable DF 2000
!
no ip http server
no ip http secure-server

There's a lot more to do. You should also look into autosecure as well as the Router Security Strategies book. Plus all the config for AAA, VTY, SNMP, NTP, logging, Lock & Key, CoPP, etc. The Cymru Secure IOS Template is worth looking at too. http://www.cymru.com/Documents/secure-ios-template.html Justin

Joseph Jackson wrote: After reading this message it brought to mind the default steps I take whenever a new router is configured for our network. Here's the list of the stuff I do which I got from the Hardening Cisco Routers book. What do you guys think? Should there be anything else? I also try to run ssh on any router that can support it.

GLOBAL CONFIG
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
END GLOBAL CONFIG

Per Interface Config
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
ip cef
END Per Interface Config

-Original Message- From: [EMAIL PROTECTED] [mailto:cisco-nsp- [EMAIL PROTECTED] On Behalf Of Eric Cables Sent: Friday, March 21, 2008 2:13 PM To: cisco-nsp@puck.nether.net Subject: [c-nsp] Proxy ARP -- To disable, or not to disable..

A recent network audit has discovered that Proxy ARP is enabled on pretty much every L3 interface in the network. As a Cisco default, this isn't surprising, since no template configs have it disabled. The question is: whether or not I should go back and disable it, or just leave it be, since it doesn't appear to be causing any problems. Any feedback would be appreciated. -- Eric Cables
Re: [c-nsp] RES: Router security defaults (WAS RE: Proxy ARP -- Todisable, or not to disable..)
Have you looked into implementing control plane policing, or for the 6500 SUP720 platform the hardware rate-limiters, to allow some control traffic, but limit the bandwidth? Thanks, Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS Senior Network Engineer Coleman Technologies, Inc. 954-298-1697

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott McGrath Sent: Monday, March 24, 2008 9:14 AM To: Leonardo Gama Souza Cc: cisco-nsp@puck.nether.net Subject: Re: [c-nsp] RES: Router security defaults (WAS RE: Proxy ARP -- Todisable, or not to disable..)

Both redirects and unreachables can be used to implement a Denial of Service attack. We allow internally for troubleshooting but disallow both transmission to and reception from the global internet, both to prevent DDoS from compromised hosts and from external hosts with hostile intent. I really want to go back to the days when it was safe and acceptable to run a completely open network. Right now the internet is becoming more and more like a no-man's land.

Leonardo Gama Souza wrote: as for the interface stuff... Per Interface Config no ip redirects no ip unreachables personally, I don't like those two. what's wrong about a router _sending_ icmp redirects or (even more important/useful) icmp unreachables? keep in mind those commands are not about accepting those (but, as said: sending them). [Leonardo Gama Souza] Personally I think it's much better to rate-limit 'ip unreachables' than block them. Probably Cisco doesn't change these silly defaults because they won't have selling points for tools such as SDM.
:)
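Fred's suggestion and Leonardo's preference (rate-limit unreachables rather than silence them) can be combined on a Sup720. The following is an added example of mine, not from the thread: the PFC3 hardware rate-limiters cap the punt paths that unreachables and redirects ride on, and the global `ip icmp rate-limit unreachable` paces what the MSFC still generates. The packet-per-second values and bursts are assumptions to be tuned from your own `show mls rate-limit` and `show mls statistics` output.

```ios
! Added example, not from the thread: Sup720/PFC3 hardware rate-limiters for
! the punt paths that ICMP unreachables and redirects depend on.  Each
! "mls rate-limit" takes packets per second followed by a burst; the numbers
! here are made up.  Start from "show mls rate-limit" (what is set now) and
! "show mls statistics" (how much is being punted) on your own box.
!
! Packets with no route, which would trigger an ICMP unreachable
mls rate-limit unicast ip icmp unreachable no-route 100 10
! Packets denied by an ACL, which would trigger an ICMP unreachable
mls rate-limit unicast ip icmp unreachable acl-drop 100 10
! Packets that would trigger an ICMP redirect.  These are punted to be
! forwarded at all, so packets over the limit are dropped, not just the
! redirect; prefer "no ip redirects" on interfaces where redirects would fire.
mls rate-limit unicast ip icmp redirect 100 10
! TTL-expired packets (what traceroute relies on), unicast and multicast
mls rate-limit all ttl-failure 100 10
! Packets carrying IP options
mls rate-limit unicast ip options 100 10
!
! The MSFC paces the unreachables it generates itself: at most one per
! interval (milliseconds), with a separate interval for the DF-bit case
! that path-MTU discovery needs to keep working.
ip icmp rate-limit unreachable 1000
ip icmp rate-limit unreachable DF 500
```

The PFC has a limited number of hardware rate-limiter registers and limiters configured with the same rate may share one, so check `show mls rate-limit` after each change to see what actually took effect rather than trusting the running-config. On releases or supervisors without a given limiter the command is simply rejected, which is your cue to fall back to CoPP for that traffic.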
Re: [c-nsp] External Firewall
Why, exactly? Performance of the firewall? Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS Senior Network Engineer Coleman Technologies, Inc. 954-298-1697

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sridhar Ayengar Sent: Monday, March 24, 2008 1:31 PM To: Masood Ahmad Shah Cc: 'Cisco NSPs' Subject: Re: [c-nsp] External Firewall

Masood Ahmad Shah wrote: Normally people would put like show below.. WAN-Router-Firewall--LAN-Switch

That's what I was hoping to avoid. Peace... Sridhar
Re: [c-nsp] External Firewall
So the root question is why a Cisco 7200 router would perform better than a PC running BSD, beefy as that PC may be? Without questioning the merits behind spending time on this I'm not sure what benefit a firewall would provide. Exactly what are you looking for the firewall to do? You wanted to see how it performs with the firewall in various locations. Doing what? Sorry I can't be of more help. I understand what you are trying to find out, but not what a firewall has to do with it. You could possibly put a firewall before and/or after in transparent mode. Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS Senior Network Engineer Coleman Technologies, Inc. 954-298-1697 -Original Message- From: Sridhar Ayengar [mailto:[EMAIL PROTECTED] Sent: Monday, March 24, 2008 3:12 PM To: Fred Reimer Cc: Masood Ahmad Shah; Cisco NSPs Subject: Re: [c-nsp] External Firewall Fred Reimer wrote: Why, exactly? Performance of the firewall? Yes. I have two identical networks setup for one company in two different locations. One has a Cisco router (said 7200) talking upstream to a big WAN pipe and downstream to two gigabit ethernet networks. The second location has the same WAN and LAN configuration, WAN line distance and quality measurement numbers, etc. The only difference it is a BSD PC. The Cisco performs noticeably and measurably better in latency and throughput. Neither is running firewall code. Now, the BSD PC has gobs more processor horsepower, memory- and bus-bandwidth. Why should the Cisco outperform it? To find out, I wanted to set up a selection of scenarios in the lab. (1) I wanted to try setting up the firewall between the internal gigabit network and the 7200. (2) I then wanted to setup the firewall between the WAN interface and the router to see how that performs. 
(3) I wanted to setup what I described in my original message, with the firewall performing only stateful inspection functions, and allowing the router to perform packet switching functions without interference from the firewall once the session is operating.

As far as I can see, the advantage of (1) is that traffic heading to the external gigabit LAN wouldn't come across the firewall PC. However, the disadvantage would be that traffic between the two LANs would have to pass through it. That might be unacceptable.

The advantage of (2) might be that traffic between the internal and external LANs wouldn't come near the firewall PC. Also, the WAN pipe may not require the throughput advantage of the Cisco. (It may indeed, but it might not be as sensitive.) However, this does add a couple dozen ms to the latency of the upstream connection.

As far as I can tell, (3) would be the best of both worlds, but I, for the life of me, can't figure out if there's a way to set a network up like that. Any ideas? Peace... Sridhar
Re: [c-nsp] External Firewall
Don't be giving out any NDA materials now... Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS Senior Network Engineer Coleman Technologies, Inc. 954-298-1697

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Asbjorn Hojmark - Lists Sent: Monday, March 24, 2008 5:07 PM To: 'Sridhar Ayengar' Cc: 'Cisco NSPs' Subject: Re: [c-nsp] External Firewall

What I want to know is whether I have to route all of my packets through my external firewall, or is there a way to have the firewall set state in the router to enable it to route packets in a session without the further involvement of the firewall?

Something like that should be possible in the not-too-distant future, though not with the 7200. However, one of the larger ASAs should be able to keep up with the 7200. Or you could go for the new ASR, which should be able to do both tasks at the same time even faster than the 7200. -A
Re: [c-nsp] Proxy ARP -- To disable, or not to disable..
I think there may be a misunderstanding as to whether I think proxy-ARP is a good thing, or should be left on everywhere. I don't; I believe it should be turned off wherever possible. However, I can at the same time understand Cisco's reasoning for leaving it on by default.

As others have stated, if the default were changed now it will break networks. Not likely networks that the vast majority of cisco-nsp users manage, but nonetheless a significant number of networks. So, Cisco could change the default and even put a big fat warning in the release notes, which most of their customers won't read anyway. And it will cause problems. And people with a clue will manage, but those without will blame Cisco.

Or, Cisco could go with the status quo, which is to have proxy-ARP enabled by default. Those without a clue will continue to install new networks with proxy-ARP enabled. It will cause some inefficiencies and is unfortunate. However, existing networks that may require proxy-ARP will continue to function. And, those with a clue will continue to install new networks with it disabled and remove it from those networks where it is enabled when possible.

Some people would obviously prefer the prize behind door #1. I'd prefer to choose door #2. Thanks, Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS Senior Network Engineer Coleman Technologies, Inc. 954-298-1697

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Saturday, March 22, 2008 12:36 PM To: Fred Reimer Cc: [EMAIL PROTECTED]; cisco-nsp@puck.nether.net Subject: Re: [c-nsp] Proxy ARP -- To disable, or not to disable..

"brainwashed crap" Are you trolling?

It's quite clear that proxy ARP doesn't *have* to be turned on (proof by example: Juniper M series routers).

If you read the RFC's for gateway requirements it does not say that gateways MUST or SHOULD use proxy ARP. However, it is strongly suggestive that most gateways DO use proxy ARP, and makes references to other RFC's which state plainly that it is in common use. "Because it has to be" refers to the need for it in most clueless networks where the network administrators don't understand octet boundary subnetting, let alone subnet boundaries on any bit position or, God help them, variable subnet masks.

And the opinion of lots of people (myself included) is that leaving proxy ARP on here is likely to create much more problems than it solves. The Cisco default *may* have been sensible many years ago. In 2008 it's an extremely bad default. Steinar Haug, Nethelp consulting, [EMAIL PROTECTED]
Re: [c-nsp] Proxy ARP -- To disable, or not to disable..
> brainwashed crap

Are you trolling? If you read the RFCs for gateway requirements it does not say that gateways MUST or SHOULD use proxy ARP. However, it is strongly suggestive that most gateways DO use proxy ARP, and makes references to other RFCs which state plainly that it is in common use. "Because it has to be" refers to the need for it in most clueless networks where the network administrators don't understand octet boundary subnetting, let alone subnet boundaries on any bit position or, God help them, variable subnet masks. If the network administrator has a clue, it should be no big deal in remembering to turn it off. There are a host of things that need to be set up on a router, some of which can't have appropriate defaults because they require network-specific settings. I did not think it was necessary to explain this.

HTH,

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: Gert Doering [mailto:[EMAIL PROTECTED]
Sent: Saturday, March 22, 2008 3:07 AM
To: Fred Reimer
Cc: Gert Doering; Eric Cables; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Proxy ARP -- To disable, or not to disable..

Hi,

On Fri, Mar 21, 2008 at 08:47:18PM -0400, Fred Reimer wrote:
> I believe it is on by default because it has to be.

"because it has to be"? What sort of brainwashed crap is that?

It's on because someone in the past thought it might be a good idea (and when I was young and green and before the first nasty surprises, I even agreed...) - and Cisco really dislikes changing defaults.

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany [EMAIL PROTECTED]
fax: +49-89-35655025 [EMAIL PROTECTED]
Re: [c-nsp] Proxy ARP -- To disable, or not to disable..
I believe it is on by default because it has to be. Even Cisco best practices say to turn it off. IP source routing is on by default also...

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gert Doering
Sent: Friday, March 21, 2008 5:29 PM
To: Eric Cables
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Proxy ARP -- To disable, or not to disable..

Hi,

On Fri, Mar 21, 2008 at 12:12:45PM -0700, Eric Cables wrote:
> A recent network audit has discovered that Proxy ARP is enabled on pretty much every L3 interface in the network. As a Cisco default, this isn't surprising, since no template configs have it disabled. The question is: whether or not I should go back and disable it, or just leave it be, since it doesn't appear to be causing any problems.

Disable it, but expect surprises.

Proxy arp is a wonderful way to hide network misconfigurations - like machines configured with a wrong subnet mask *usually* will just work (thanks to proxy ARP), but all of a sudden fail due to a seemingly unrelated network change. So if you turn it off, it might uncover existing issues that have been masked.

Which is why I think that having proxy ARP on-by-default is a massively stupid idea - it might seem like a nice and helpful feature, but as it hides *other* problems, in the end, the issues are always going to be *more* nasty than without proxy ARP.

(Selectively enabled, it can be a nice and very useful tool. But not on-by-default).

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany [EMAIL PROTECTED]
fax: +49-89-35655025 [EMAIL PROTECTED]
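The audit Eric describes (proxy ARP on every L3 interface because nothing in the templates disabled it) is easy to repeat offline against a saved running-config. The script below is an added example, not something posted in the thread or shipped by Cisco, and the configuration text it checks is constructed. It rests on two points the thread makes: IOS does not print defaults, so a Layer 3 interface without an explicit "no ip proxy-arp" line still has proxy ARP on; and, as Fred notes, IP source routing is likewise on unless a global "no ip source-route" is present. The output is the list of interfaces to fix and the lines that would fix them.

```python
"""Audit an IOS-style running configuration for proxy ARP and IP source routing.

Added example for this thread; not from the list or from Cisco.  The sample
configuration is constructed.  Proxy ARP is on by default on Layer 3
interfaces and the default is not shown, so an interface with an IP address
and no explicit "no ip proxy-arp" still has it enabled; "ip source-route" is
on by default too and only its negation appears in the config.
"""
from typing import Dict, List

# Constructed sample: one interface already hardened, one relying on the
# default, one with proxy ARP turned on explicitly, one Layer 2 only.
SAMPLE_CONFIG = """\
!
no ip source-route
!
interface GigabitEthernet0/0
 description uplink
 ip address 192.0.2.1 255.255.255.0
 no ip proxy-arp
!
interface GigabitEthernet0/1
 description user segment
 ip address 198.51.100.1 255.255.255.0
!
interface Vlan10
 ip address 203.0.113.1 255.255.255.0
 ip proxy-arp
!
interface Vlan20
 description layer-2 only
 no ip address
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface X' stanza to its (stripped) sub-commands."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return stanzas


def is_layer3(lines: List[str]) -> bool:
    """An interface with an 'ip address ...' line ('no ip address' does not count)."""
    return any(line.startswith("ip address ") for line in lines)


def proxy_arp_interfaces(config: str) -> List[str]:
    """Layer 3 interfaces on which proxy ARP is still in effect."""
    return [
        name
        for name, lines in parse_interfaces(config).items()
        if is_layer3(lines) and "no ip proxy-arp" not in lines
    ]


def source_routing_enabled(config: str) -> bool:
    """True unless the global 'no ip source-route' is present."""
    return "no ip source-route" not in [line.strip() for line in config.splitlines()]


def remediation(config: str) -> List[str]:
    """Configuration lines that would turn both defaults off where needed."""
    cmds: List[str] = []
    if source_routing_enabled(config):
        cmds.append("no ip source-route")
    for name in proxy_arp_interfaces(config):
        cmds += [f"interface {name}", " no ip proxy-arp"]
    return cmds


if __name__ == "__main__":
    print("proxy ARP still enabled on:", proxy_arp_interfaces(SAMPLE_CONFIG))
    print("source routing enabled:", source_routing_enabled(SAMPLE_CONFIG))
    print("\n".join(remediation(SAMPLE_CONFIG)))
```

Run against a real "show running-config" capture, expect the surprises Gert mentions: any host that only worked because the router answered ARP for off-subnet addresses will show up after the change, so compare ARP tables or a packet capture before and after rather than assuming silence means success.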
Re: [c-nsp] FWSM, Contexts and ASA's
The solution for the classifier issue is to put a VRF routing instance on the SUP720 in between the FWSM contexts, so that you don't share a VLAN between contexts and hence it will not get confused.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Kent
Sent: Wednesday, February 13, 2008 1:06 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] FWSM, Contexts and ASA's

AFAIK, the FWSM is not going to be able to be a general perimeter firewall, in conjunction with other contexts. That is, if you think "Hey, I've got multiple contexts, why not use one for general Internet filtering and then that can funnel into per-customer and/or per-businessUnit contexts?" then the answer is it'll confuse the classifier for outbound traffic.

The FWSM does not seem to be as advanced as the ASA in at least a few ways (no enhanced object groups, no ability to tie a unique MAC address to shared interfaces). Also, multiple contexts means static routing.

Regarding this:
> I would also ask a strategy question, Do you think the FWSM product really has a future compared to ASA?

Is that rhetorical? Is it generally believed that the answer is No?

Regarding this comment:
> We recently had an issue where one of the network processors in an FWSM got confused and refused to pass traffic for new flows.

I think that happened to me yesterday (with 3.2(4)). Spent hours trying to figure out what was going on, finally ripped out the contexts, redefined them and all was OK. This isn't even in production yet (i.e., no real load).

Thanks,
-mark
Re: [c-nsp] Real brief question
Except for on the 4500 platform, which has some restrictions. But for the 6500's you should be fine to use all of them on any module, including redundant SUPs. You probably have a bad port, bad optics, or bad patch cable.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of chip
Sent: Wednesday, December 19, 2007 12:40 PM
To: Drew Weaver
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Real brief question

On Dec 19, 2007 12:19 PM, Drew Weaver [EMAIL PROTECTED] wrote:
> Howdy.
> snip
> My question is: Are you not able to use the interfaces on a standby Supervisor 720 if you are in SSO mode?
> Thanks,
> -Drew

There should be no problem with this. I've used all 4 ports at the same time without problems.

--chip

--
Just my $.02, your mileage may vary, batteries not included, etc
Re: [c-nsp] GLBP over 802.1q subinterface
Yes, use the same group number on the two (or more) routers that will be participating for a particular VLAN / subinterface. However, on an individual router you must use different group numbers for the different VLANs / subinterfaces. Technically you shouldn't have to; it's just a limitation on how Cisco implemented it.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: Ultra [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 19, 2007 1:50 PM
To: Fred Reimer
Cc: cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] GLBP over 802.1q subinterface

Thanks for your answer Fred. So let me see if I understand everything correctly. The steps are...

- configure 802.1q subinterfaces as usual in the routers
- configure glbp over those interfaces using the same group id for the subinterfaces in the same vlan.

Is that correct?

On Tue, 18-12-2007 at 15:43 -0500, Fred Reimer wrote:
> Yes, of course it is. You have to use different group numbers per sub-interface though. On a 6500 with a SVI, for example, you can use the same group number on all of your VLAN interfaces. For a router with 802.1q sub-interfaces you would have to use a different sub-interface.
>
> HTH,
>
> Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
> Senior Network Engineer
> Coleman Technologies, Inc.
> 954-298-1697
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ultra
> Sent: Tuesday, December 18, 2007 7:05 AM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] GLBP over 802.1q subinterface
>
> Hi all,
>
> I tried to find the answer by myself but I didn't find it. The question is very simple: is it possible to execute GLBP over 802.1q subinterface? I am not sure since I don't know what is going to happen with STP. Any experience with that? The reason is that I want to create subinterfaces in order to use 802.1q and VRFs but I am not sure if it is going to be possible in my actual scenario. Any comments are appreciated.
Re: [c-nsp] Access Point 2 SSID's Trunked to Vlan's
This is incorrect. You don't get fast roaming, such as may be required for some protocols like VoIP, but you will not get "disconnected" by the common use of the term. You are of course disassociated from one AP and you need to reassociate to another AP. However, it would depend on what kind of authentication you are doing as to whether this would disconnect the client. The client makes the decision on when to roam, but an AP can of course forcefully disassociate a client. You can configure the power settings for each radio in an AP.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, December 18, 2007 9:17 AM
To: Dan Letkeman
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Access Point 2 SSID's Trunked to Vlan's

Hi,

> If I copy this configuration to my other ap's in the building will a client (notebook) automatically roam from ap to ap without getting disconnected?

not without using other technologies - as each AP runs the authentication so your client needs to reauthenticate when associating with each AP

Do you have 802.11a clients or is the 802.11a radio used for something else?

> How would I setup the AP so there is a minimum signal level that is allowed? eg, if a user is outside the building and still connected that it won't work if the users device is say past -75db...

you can start off by using the 'speed' command to select the supported connection rates - but a decent antennae may negate the 'security' of such a setup. personally i feel that WPA2 is strong enough that it doesn't matter if the signal can be received from further away.

you could also turn down the power of the antennae (antenna gain) - but, once again, that will affect how your own users will receive the wireless.

place a decent zinc/neodymium mesh or somesuch in your wall cavities - there are some papers out there describing such blocking methods.

> Also, I accidentally ordered LWAPP's and I have converted them back to autonomous ap's. Is there any difference between a converted one vs a bought autonomous ap?

apart from how it appears in CDP, inventory lists and its bootloader? no functional difference as far as i'm aware.

alan
Re: [c-nsp] Access Point 2 SSID's Trunked to Vlan's
Again, be careful with terminology. "Open" when talking about WiFi is not unprotected. WPA uses open authentication, as opposed to shared. The authentication method should also be tested with VoIP, or any embedded device not running a standard supplicant. Most will only support LEAP and/or WPA/PSK. However, I've seen problems with various embedded devices that don't get even WPA/PSK right, and can't roam or have roaming problems.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, December 18, 2007 5:21 PM
To: Kaj Niemi
Cc: [c-nsp]
Subject: Re: [c-nsp] Access Point 2 SSID's Trunked to Vlan's

Hi,

> associating between access points works fine using open (time taken to reassociate to another isn't really noticeable) but will not work reliably with WPA2 EAP TTLS due to the amount of time it takes to reauthenticate. Using WDS will help in that case. I tried this out with Nokia E61(i) and E90 terminals and AP1130s late in the summer.

exactly - and if your client is doing voip or multicast video etc then the loss in packets causes service interruption. the use of mobileIP methods and mobility layers is essential.

> As to your question; using open, calls are probably not going to be dropped but you might lose some frames when reassociating :) Using WPA2 EAP and all the nice things for OTA encryption needs some thought before implementing.

open wifi with voip? nice. exactly what i like when sniffing conversations

alan
Re: [c-nsp] Cisco 3750 Rate Limit.
Just search on cisco.com for "3750 qos":

http://www.cisco.com/warp/public/473/cat3750-qos-config.pdf
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_see/configuration/guide/swqos.pdf

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michalis Palis
Sent: Friday, December 14, 2007 4:21 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco 3750 Rate Limit.

Hello all

We have a 3750 switch with IOS c3750-ipbase-mz.122-25.SEE3 and I was wondering whether we can put rate limit on the interfaces. If yes I will appreciate if you send me an example or a reference link.

Regards
Re: [c-nsp] Bridging two VLANs together
Did you mean "bridge 2 protocol vlan-bridge"? I suggest you read this Cisco document before you consider doing this:

http://www.cisco.com/warp/public/473/inter-vlan_11072.pdf

HTH,

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Masood Ahmad Shah
Sent: Wednesday, December 12, 2007 11:54 AM
To: [EMAIL PROTECTED]; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Bridging two VLANs together

Well, if I understand you are talking about inter-vlan bridging. Yes it should work fine. You may need to add "bridge 2 protocol ieee". It's the "bridge protocol" global configuration command to define the type of STP.

Regards,
Masood Ahmad Shah

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Bulk
Sent: Wednesday, December 12, 2007 9:15 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Bridging two VLANs together

We have a unique situation where our transport equipment can't bridge the traffic between two endpoints, so we would like to dump off each link's VLAN onto our router (7609-S with WS-X6748-GE-TX blades) where it can perform the bridging. Any reason why the following configuration wouldn't work?

interface GigabitEthernet1/31
 description Customer networks
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 221-222
 switchport mode trunk
end

interface Vlan221
 description Site 1
 no ip address
 bridge-group 2
 bridge-group 2 spanning-disabled
!
interface Vlan222
 description Site 2
 no ip address
 bridge-group 2
 bridge-group 2 spanning-disabled
!

Some of you might ask why not put the endpoints in the same VLAN, but the endpoints don't maintain a MAC address table so there's nothing to make them exchange traffic with each other.

Regards,

Frank
Re: [c-nsp] Policing Question
You want WRED then. You are getting global TCP synchronization. That's where all of the TCP streams are transmitting and then you hit your maximum bandwidth and packets get dropped from all streams. So TCP will back off and slow things down, on all streams. Then they see that no more packets are being dropped, so will crank up the throughput again (open up the window), and your bandwidth will start going up again. You eventually hit your policing level and start all over again.

You want WRED where you selectively drop packets before you actually reach the policing level. This will slow some TCP streams down and even out the aggregate bandwidth curve. Then those streams will speed back up after a bit, while you drop packets from other random streams. What you probably have now is tail drop, where you are dropping all new packets once you reach the maximum. That causes the TCP window synchronization.

You can read more here:

http://www.cisco.com/application/pdf/en/us/guest/products/ps4032/c2001/ccmigration_09186a008011dfed.pdf

I'd also recommend you do a search on Amazon for "Cisco qos" and order some of the books on the subject.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Bulk - iNAME
Sent: Wednesday, December 05, 2007 11:51 PM
To: 'Paolo Lucente'; Bill ford
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Policing Question

We have a 7609-S with a SUP720C and DFC3C's on our 10/100/1000 cards. It appears that we can't do shaping. Our first attempt at policing on the outbound shows that it's very choppy -- bursts of traffic 2 to 4x more than CIR, and then 0, and then back again. It drops to 0, I believe, because the policer kicks in. Is there any way to smooth things out?

Frank

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paolo Lucente
Sent: Wednesday, December 05, 2007 5:14 AM
To: Bill ford
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Policing Question

Hi Bill,

Fred already correctly commented most of the points. Policing is widely supported but shaping is hardware-dependent. FlexWANs and SIPs for example support shaping. But the key point is you really want to shape egress traffic to the customer to put in force an SLA with them. Also for egress shaping purposes you might also want to check whether the SRR scheduling algorithm applies. I've personally used it for smooth rate-limiting purposes on lower-range switches (2960s); it works nicely but it's coarse grained (interface-wide) and suspect it might not cope with your Etherchannel there.

Previous Bc/Be suggestions were OK for software-based policing; going the PFC way (hardware-based QoS) then yours were correct: Bc of 2000 bytes and Be of 4000 bytes - which generously take into account a bucket replenishment of 4ms (which is recommended to make sure the switch can sustain the configured rate, this is also why you should modify it to 400 from 4194304; otherwise you may need to raise Bc/Be values just a little bit).

Hope this helps.

Cheers,
Paolo

On Tue, Dec 04, 2007 at 10:42:15AM -0800, Bill ford wrote:
> Thanks Guys..
>
> So seeing the rough diagram depiction and Etherchannel between the Cat 3750 and Cat 6500, is it right to assume that Police will be applied to Etherchannel out direction and Shaping to Etherchannel in direction? Also there is no voice traffic.
>
>                       Etherchannel out: Police
>                       Etherchannel in: shape
> (Internet)--Cat3750--(L3 Etherchannel)--Cat6500---Customer
>
> Also, can some through the bc and be values for both shaping and policing for cat 6500 with the below requirement. CIR of 4 Mbps and burst up to 8 Mb based on availability.
>
> Also check this URL link talking about burst rate calculation using policing on Cat 6500, looks a bit different than that on router especially with tc value mentioned as 0.00025 seconds. Paolo had given the calculation however based on this document it looks to be bit different on cat 6500.
>
> http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00801c8c4b.shtml
>
> Thanks in advance for all your help.
>
> Cheers,
> Bill
>
> Fred Reimer [EMAIL PROTECTED] wrote:
>> I believe Paolo was trying to say that you don't want to do just policing for traffic to cap it at a maximum rate without having shaping somewhere in the picture. It is recommended to use policing for traffic such as VoIP, where you know the exact bandwidths and you can police any traffic over those rates, because the traffic should never exceed those rates. If you police general traffic you will get TCP synchronization, which is a bad thing. I'm assuming you don't do any CBWFQ preemptive dropping. If you have to do this and can't shape you should at least tell your customer that you will police at a given rate, and Strongly recommend that they shape on their side
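Fred's description of tail drop versus WRED can be seen on a single queue with a few lines of code. The block below is an added example; it is not from the thread and not Cisco's implementation. It implements the RED algorithm of Floyd and Jacobson that WRED is built on: an exponentially weighted average of the queue depth, no drops while the average is below min_th, a drop probability rising linearly to max_p between min_th and max_th, and certain drops at max_th. Cisco WRED runs this per IP precedence or DSCP with separate thresholds per class; a single class is shown. The queue-depth trace is constructed, and the averaging weight of 0.2 is chosen so a short trace suffices (Cisco's default exponential weighting constant of 9 corresponds to a weight of 1/512). The point Fred makes shows up in the result: RED starts dropping, a few packets at a time, well before the queue ever fills, where tail drop discards every arrival at once.

```python
"""Tail drop versus Random Early Detection on one queue.

Added example; not from the thread or from Cisco.  Implements RED (Floyd and
Jacobson, 1993): EWMA of the queue depth, no drops below min_th, a linearly
rising drop probability between min_th and max_th, certain drops at max_th.
The depth trace is constructed; the weight 0.2 is chosen for a short trace.
"""
import random
from typing import Dict, List


def red_drop_probability(avg: float, min_th: float, max_th: float, max_p: float) -> float:
    """Base drop probability p_b as a function of the average queue depth."""
    if avg < min_th:
        return 0.0
    if avg >= max_th:
        return 1.0
    return max_p * (avg - min_th) / (max_th - min_th)


class RedQueue:
    """Makes the per-packet RED drop decision from instantaneous depth samples."""

    def __init__(self, min_th: float, max_th: float, max_p: float,
                 weight: float = 0.2, seed: int = 1) -> None:
        self.min_th, self.max_th, self.max_p = min_th, max_th, max_p
        self.weight = weight
        self.avg = 0.0
        self.count = -1  # packets admitted since the last drop (-1: below min_th)
        self.rng = random.Random(seed)

    def arrive(self, depth: int) -> bool:
        """Return True if the packet arriving at this queue depth is dropped."""
        self.avg = (1 - self.weight) * self.avg + self.weight * depth
        p_b = red_drop_probability(self.avg, self.min_th, self.max_th, self.max_p)
        if p_b == 0.0:
            self.count = -1
            return False
        if p_b >= 1.0:
            self.count = 0
            return True
        self.count += 1
        # Spread drops out: p_a grows with the packets admitted since the last
        # drop and reaches 1 once count * p_b >= 1, so no single flow is
        # spared for more than about 1/p_b packets and no burst of flows is
        # hit all at once, which is what breaks the synchronization.
        denom = 1.0 - self.count * p_b
        p_a = 1.0 if denom <= 0.0 else min(1.0, p_b / denom)
        if self.rng.random() < p_a:
            self.count = 0
            return True
        return False


def tail_drop(depth: int, limit: int) -> bool:
    """Tail drop: every arrival is dropped once the queue is full."""
    return depth >= limit


# Constructed depth trace (packets queued at each arrival): a ramp, a long
# stretch between the RED thresholds, then the queue reaches its limit.
TRACE: List[int] = list(range(0, 36)) + [35] * 60 + list(range(36, 41)) + [40] * 10


def compare_policies(trace: List[int], limit: int, min_th: int, max_th: int,
                     max_p: float) -> Dict[str, int]:
    """Count drops and record the first drop index for both disciplines."""
    red = RedQueue(min_th, max_th, max_p)
    result = {"tail_drops": 0, "red_drops": 0, "first_tail_drop": -1, "first_red_drop": -1}
    for i, depth in enumerate(trace):
        if tail_drop(depth, limit):
            result["tail_drops"] += 1
            if result["first_tail_drop"] < 0:
                result["first_tail_drop"] = i
        if red.arrive(depth):
            result["red_drops"] += 1
            if result["first_red_drop"] < 0:
                result["first_red_drop"] = i
    return result


if __name__ == "__main__":
    print(compare_policies(TRACE, limit=40, min_th=20, max_th=40, max_p=0.1))
```

The trace only supplies queue depths; it does not model the TCP senders reacting to the drops, which is where the synchronization itself comes from. What the numbers show is the mechanism: with tail drop the first loss is at the moment the queue fills and every flow loses packets in the same instant, while RED has already dropped a handful of packets, spread over time and therefore over flows, before that point.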
Re: [c-nsp] Question to ACS
You would set up a new group in your AD domain, and then map it to a new group on the ACS. Then, set the default group to the default ACS group, and disable this group. You can create multiple NT group mappings and use per group settings to allow them access to certain resources, via downloadable ACL's for example.

HTH,

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ahmad Cheikh-Moussa
Sent: Thursday, December 06, 2007 11:45 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Question to ACS

Hi!

I don't know whether this is the right list or not. I have an ACS Appliance which is connected to an Active Directory server. The configuration for that connection is done in the external database configuration. All users within the domain can be authenticated. Now I do not want every Active Directory user to be able to log on to the network. I want to add a group into the Active Directory and only those users who are a member of this group should be allowed to log in. I think this would be done in the external database configuration of the ACS. Does anyone know how to configure this? Can I configure the name of such a group in the GroupAttributeName?

Regards,
Ahmad

--
Ahmad Cheikh-Moussa
NetUSE AG
Dr.-Hell-Straße, 24107 Kiel, Germany
Telefon: +49 431 2390 400 -- Telefax: +49 431 2390 499
Service: [EMAIL PROTECTED] -- http://NetUSE.DE/
Vorstand: Andreas Seeger (Vorsitz), Dr. Roland Kaltefleiter, Dr. Joerg Posewang
Aufsichtsrat: Detlev Huebner (Vorsitz)
Sitz der AG: Kiel, HRB 5358 USt.ID: DE156073942

The information contained in this message is confidential or protected by law. Any unauthorised copying of this message or unauthorised distribution of the information contained herein is prohibited.
Re: [c-nsp] Policing Question
I believe Paolo was trying to say that you don't want to do just policing for traffic to cap it at a maximum rate without having shaping somewhere in the picture. It is recommended to use policing for traffic such as VoIP, where you know the exact bandwidths and you can police any traffic over those rates, because the traffic should never exceed those rates. If you police general traffic you will get TCP synchronization, which is a bad thing. I'm assuming you don't do any CBWFQ preemptive dropping. If you have to do this and can't shape you should at least tell your customer that you will police at a given rate, and Strongly recommend that they shape on their side of the connection. Policing to 10Mbps on a 100Mbps connection is NOT the same as having a 10Mbps connection. Shaping to 10Mbps on a 100Mbps connection is not either, but it is a heck of a lot closer.

It also depends on what direction you plan on policing. In general you should shape on the outbound and police on the inbound, although you can police on the outbound also if you have traffic that should be policed, like VoIP or other constant bit-rate traffic. This, of course, depends on the capabilities of the particular hardware you are doing. Cisco has manuals for their hardware.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp-[EMAIL PROTECTED] On Behalf Of Bill ford
Sent: Tuesday, December 04, 2007 12:40 PM
To: Paolo Lucente
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Policing Question

Hi Paolo,

Let me just summarize the scenario, maybe it was not clear. Find below a short depiction.

(Internet)---Cat3750---(L3 Etherchannel)---Cat6500---Customer

Planning to apply bandwidth restriction (policing) on the L3 Etherchannel between 3750G and Cat 6500. Maybe this will clear up the confusion a bit.

Also check this URL link talking about burst rate calculation using policing on Cat 6500.

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00801c8c4b.shtml

Any insight on this will be great..

Cheers,
Bill

Paolo Lucente [EMAIL PROTECTED] wrote:
> Hi Bill,
>
> 1) i would recommend you to police ingress traffic from the customer and shape egress traffic to the customer. This gives you several benefits including ease of configuration your side (limited to the 6509 box only) and smooth congestion management. If it's an un-managed CE solution advise your customer he has to shape egress traffic on his CPE. This is to avoid TCP traffic from performing very badly when hitting your policer.
>
> 2) I believe it's the shaping Tc value you are referring to - but your question is about policing. I would point the following two values: Bc = (CIR/8)*1.5 = 786000; Be = 2*Bc = 1572000. This is based on a 4 Mbps CIR. Remember Bc/Be are expressed in bytes. Moreover because you want them to be able to burst beyond their CIR, you don't want the exceed-action drop action there. You can simply replace it with a transmit to make it work - but it wouldn't really make sense: you want to mark the excess burst to be able to handle it differently in periods of congestion.
>
> 3) If i understood correctly the etherchannel is a backbone link (P-P) so the question doesn't really apply. Btw, as far as i'm aware there shouldn't be any problems.
>
> Cheers,
> Paolo
>
> On Tue, Dec 04, 2007 at 01:38:21AM -0800, Bill ford wrote:
>> Guys,
>>
>> Need your help on this... Here is the scenario: We have a Catalyst 6509 with Sup 720+Policy Feature Card 3 connected to the Internet gateway Switch (catalyst 3750G). We are running Layer 3 etherchannel between the Cat 6509 and Cat 3750G. We need to restrict the bandwidth for one of the customers. Requirement is as follows: CIR of 4 Mbps and burst up to 8 Mb based on availability. Thinking of using policing with ACLs based on the public IP address range of the customer, however a few questions here.
>>
>> 1) Is it advisable to do Policing only on the Cat 6509s in both directions and avoid doing any changes on the Cat 3750G. Is this the right way?
>>
>> 2) What should be the CIR, bc and be values to provide double the burst than CIR based on availability? Is the below statement correct? I believe the Tc value for Cat 6509s is 0.00025 seconds, calculation is based on that.
>>
>> police cir 4194304 bc 2000 be 4000 conform-action transmit exceed-action drop violate-action drop
>>
>> 3) Is there any issues applying Policing on L3 etherchannels in both ways on Cat 6509s?
>>
>> Any help will be appreciated.
>>
>> Thanks in advance,
>> Bill
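Bill's "police cir 4194304 bc 2000 be 4000 ..." line and Paolo's suggested Bc = (CIR/8)*1.5, Be = 2*Bc (both here and in the later "Policing Question" messages above) are easier to compare by running a packet stream through a model policer. The block below is an added example; it is not from the thread, from Paolo or from Cisco. It models the policer as the single-rate three-colour marker of RFC 2697, two token buckets of bc and be bytes refilled at the CIR, mapping to the conform / exceed / violate actions of the IOS "police" command. That model is an assumption: as Bill points out, the Catalyst 6500 hardware policer works on its own interval (Tc) and this code does not reproduce that. The packet stream is constructed: one second of 1500-byte packets at a steady 8 Mbps, the "burst to double the CIR" Bill is asking for. With bc of 2000 bytes roughly half the packets violate; with Paolo's values the whole second conforms, which is the difference between the two burst sizes Paolo is explaining.

```python
"""Single-rate three-colour policer with the burst values from the thread.

Added example; not from the list, from Paolo or from Cisco.  Models the IOS
"police cir ... bc ... be ..." command as the RFC 2697 srTCM (an assumption:
the Catalyst 6500 hardware policer's interval behaviour is not reproduced).
The packet stream is constructed.
"""
from typing import Dict, List, Tuple


def paolo_burst_values(cir_bps: int) -> Tuple[int, int]:
    """Paolo's rule of thumb from the thread: Bc = (CIR/8) * 1.5 bytes,
    Be = 2 * Bc.  His rounded figures for 4194304 bps were 786000 / 1572000."""
    bc = int(cir_bps / 8 * 1.5)
    return bc, 2 * bc


class SrTcmPolicer:
    """RFC 2697 single-rate three-colour marker, colour-blind mode."""

    def __init__(self, cir_bps: int, bc: int, be: int) -> None:
        self.rate = cir_bps / 8.0           # token refill in bytes per second
        self.bc, self.be = bc, be
        self.tc, self.te = float(bc), float(be)   # both buckets start full
        self.last = 0.0

    def _refill(self, now: float) -> None:
        tokens = (now - self.last) * self.rate
        self.last = now
        self.tc += tokens
        if self.tc > self.bc:               # overflow from C tops up E
            self.te = min(self.be, self.te + self.tc - self.bc)
            self.tc = float(self.bc)

    def mark(self, now: float, size: int) -> str:
        """Return 'conform', 'exceed' or 'violate' for a packet of size bytes."""
        self._refill(now)
        if self.tc >= size:
            self.tc -= size
            return "conform"
        if self.te >= size:
            self.te -= size
            return "exceed"
        return "violate"


def police_stream(cir_bps: int, bc: int, be: int,
                  packets: List[Tuple[float, int]]) -> Dict[str, int]:
    """Run (arrival time in seconds, size in bytes) pairs through one policer."""
    pol = SrTcmPolicer(cir_bps, bc, be)
    counts = {"conform": 0, "exceed": 0, "violate": 0}
    for t, size in packets:
        counts[pol.mark(t, size)] += 1
    return counts


def constant_rate_stream(rate_bps: int, seconds: float,
                         size: int = 1500) -> List[Tuple[float, int]]:
    """Constructed stream: evenly spaced packets at the given bit rate."""
    interval = size * 8 / rate_bps
    n = int(seconds / interval)
    return [(i * interval, size) for i in range(n)]


if __name__ == "__main__":
    cir = 4194304
    burst = constant_rate_stream(8_000_000, 1.0)   # one second at 8 Mbps
    print("bc 2000 / be 4000:", police_stream(cir, 2000, 4000, burst))
    bc, be = paolo_burst_values(cir)
    print(f"bc {bc} / be {be}:", police_stream(cir, bc, be, burst))
```

Whether "exceed" is transmitted, re-marked or dropped is the action configured on the command, not something the marker decides; Paolo's point is that with a burst allowance this large the exceed action should mark rather than drop, so the excess is only lost when there is real congestion downstream.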
Re: [c-nsp] Policing Question
It would help if standard terminology were used. "In" and "out" refer to traffic ingress and egress from a particular interface. They can't apply to an EtherChannel connection, but do apply to either end of the EtherChannel connection (with opposite meanings: out on one end is in on the other).

With that said, you can't shape in the inbound direction. You can only shape on the outbound, and different hardware has different capabilities. Since the 6500 is a hardware-based switch, it may not even have usable shaping capabilities (all the queues are hardware queues). Plus, you need to define in what direction you want this shaping or policing (customer bandwidth limiting, for lack of a better term) to occur. Is it from the customer to the Internet, or from the Internet to the customer, or both?

You'll also need to take a look at the QoS capabilities of the particular modules you have in that 6500. Some of the modules have O.K. QoS capabilities, and some of them don't as far as QoS is concerned. Plus, if you are using DEC (Distributed EtherChannel) you'll need to watch out for the consistency checking done as far as QoS capabilities of individual ports before they are allowed in the channel. Something like "no mls qos consistency-check" rings a bell.

HTH,

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: Bill ford [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 04, 2007 1:42 PM
To: Fred Reimer; Paolo Lucente
Cc: cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] Policing Question

Thanks Guys..

So seeing the rough diagram depiction and the EtherChannel between the Cat 3750 and Cat 6500, is it right to assume that policing will be applied in the EtherChannel out direction and shaping in the EtherChannel in direction? Also there is no voice traffic.

                         Etherchannel out: Police
                         Etherchannel in:  Shape
(Internet)--Cat3750--(L3 Etherchannel)--Cat6500---Customer

Also, can someone throw out the bc and be values for both shaping and policing for the Cat 6500 with the below requirement:

CIR of 4 Mbps and burst up to 8 Mb based on availability.

Also check this URL link talking about burst rate calculation using policing on the Cat 6500; it looks a bit different than that on a router, especially with the Tc value mentioned as 0.00025 seconds. Paolo had given the calculation, however based on this document it looks to be a bit different on the Cat 6500.

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00801c8c4b.shtml

Thanks in advance for all your help.

Cheers,
Bill

Fred Reimer [EMAIL PROTECTED] wrote:

I believe Paolo was trying to say that you don't want to do just policing for traffic to cap it at a maximum rate without having shaping somewhere in the picture. It is recommended to use policing for traffic such as VoIP, where you know the exact bandwidths and you can police any traffic over those rates, because the traffic should never exceed those rates. If you police general traffic you will get TCP synchronization, which is a bad thing. I'm assuming you don't do any CBWFQ preemptive dropping. If you have to do this and can't shape you should at least tell your customer that you will police at a given rate, and strongly recommend that they shape on their side of the connection. Policing to 10Mbps on a 100Mbps connection is NOT the same as having a 10Mbps connection. Shaping to 10Mbps on a 100Mbps connection is not either, but it is a heck of a lot closer.

It also depends on what direction you plan on policing. In general you should shape on the outbound and police on the inbound, although you can police on the outbound also if you have traffic that should be policed, like VoIP or other constant bit-rate traffic. This, of course, depends on the capabilities of the particular hardware you are using. Cisco has manuals for their hardware.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp-[EMAIL PROTECTED] On Behalf Of Bill ford
Sent: Tuesday, December 04, 2007 12:40 PM
To: Paolo Lucente
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Policing Question

Hi Paolo,

Let me just summarize the scenario, maybe it was not clear. Find below a short depiction.

(Internet)---Cat3750---(L3 Etherchannel)---Cat6500---Customer

Planning to apply bandwidth restriction (policing) on the L3 EtherChannel between the 3750G and the Cat 6500. Maybe this will clear up the confusion a bit. Also
Re: [c-nsp] Native VLAN mismatches between 2924/2950
You shouldn't be using VLAN 1 anyway, but it does not get the name from the configuration. This appears to be an incompatibility between the two switches, and if you want to stop the message you'll need to turn off CDP on one of them.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp-[EMAIL PROTECTED] On Behalf Of Pierre Lamy
Sent: Friday, November 30, 2007 2:56 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Native VLAN mismatches between 2924/2950

I'm getting a lot of Native VLAN mismatches between my 2950 and 2924s. This is due to the case difference on the 2 platforms, between VLAN1 and Vlan1. Is there any way to (1) fix the error or (2) suppress the CDP error messages?

Nov 30 14:54:27 192.168.0.113 26469: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/15 (0), with SW1 FastEthernet0/18 (1).

The documentation and a google search indicate that simply changing the name doesn't work; changing the conf file and uploading via tftp didn't work either. And you can't simply delete/recreate the Vlan1.

Regards,
Pierre Lamy

___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] FW: SNMP from OUTSIDE to DMZ over VPN (PIX 7.2(2))
I have not configured this myself, but... What does your syslog configuration look like? Would "snmp-server host dmz" instead of "snmp-server host outside" help? What do your logs show? And lastly, have you opened a case with Cisco?

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: Bagosi Rómeó [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 28, 2007 3:21 AM
To: Fred Reimer; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] FW: SNMP from OUTSIDE to DMZ over VPN (PIX 7.2(2))

The management-access is already configured (I can use the syslog, for example). But this vpn-filter thing is not clear to me. I've searched about it, but didn't find anything to allow snmp traffic (I can filter it with this command).

-----Original Message-----
From: Fred Reimer [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 27, 2007 7:34 PM
To: Bagosi Rómeó; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] FW: SNMP from OUTSIDE to DMZ over VPN (PIX 7.2(2))

group-policy attributes vpn-filter and/or management-access. Look them up.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp-[EMAIL PROTECTED] On Behalf Of Bagosi Rómeó
Sent: Tuesday, November 27, 2007 10:38 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] FW: SNMP from OUTSIDE to DMZ over VPN (PIX 7.2(2))

From: Bagosi Rómeó
Sent: Tuesday, November 27, 2007 4:37 PM
To: 'gagandeep singh'
Subject: RE: [c-nsp] SNMP from OUTSIDE to DMZ over VPN (PIX 7.2(2))

Thank you, I've found this link, but the problem is that we don't want to snmp query the outside interface (it's not permitted to communicate through VPN).

From: gagandeep singh [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 27, 2007 8:53 AM
To: Bagosi Rómeó
Subject: Re: [c-nsp] SNMP from OUTSIDE to DMZ over VPN (PIX 7.2(2))

Try this link.
http://www.cisco.com/en/US/products/sw/netmgtsw/ps2032/products_configuration_example09186a0080094497.shtml

Bagosi Rómeó [EMAIL PROTECTED] wrote:

Hello Experts!

I have the following problem. I want to monitor my PIX with SNMP over VPN. The network looks like this:

inside --- ASA -- PIX --- dmz

I have a monitoring server on the ASA inside interface (ex. 10.200.0.205). The PIX dmz interface: 10.250.130.1. The traffic from the ASA inside network to the PIX dmz network travels through VPN. I want to query the PIX's dmz interface with SNMP from the monitoring server, but I can't. I've configured the snmp things (snmp-server host outside 10.200.0.205 poll community ** version 2c) and the management-access dmz command, but it still doesn't work, and I found nothing with G**gle about this. Has anybody already had the same scenario?

Thank you,
RB
Re: [c-nsp] FW: SNMP from OUTSIDE to DMZ over VPN (PIX 7.2(2))
group-policy attributes vpn-filter and/or management-access. Look them up.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp-[EMAIL PROTECTED] On Behalf Of Bagosi Rómeó
Sent: Tuesday, November 27, 2007 10:38 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] FW: SNMP from OUTSIDE to DMZ over VPN (PIX 7.2(2))

From: Bagosi Rómeó
Sent: Tuesday, November 27, 2007 4:37 PM
To: 'gagandeep singh'
Subject: RE: [c-nsp] SNMP from OUTSIDE to DMZ over VPN (PIX 7.2(2))

Thank you, I've found this link, but the problem is that we don't want to snmp query the outside interface (it's not permitted to communicate through VPN).

From: gagandeep singh [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 27, 2007 8:53 AM
To: Bagosi Rómeó
Subject: Re: [c-nsp] SNMP from OUTSIDE to DMZ over VPN (PIX 7.2(2))

Try this link.
http://www.cisco.com/en/US/products/sw/netmgtsw/ps2032/products_configuration_example09186a0080094497.shtml

Bagosi Rómeó [EMAIL PROTECTED] wrote:

Hello Experts!

I have the following problem. I want to monitor my PIX with SNMP over VPN. The network looks like this:

inside --- ASA -- PIX --- dmz

I have a monitoring server on the ASA inside interface (ex. 10.200.0.205). The PIX dmz interface: 10.250.130.1. The traffic from the ASA inside network to the PIX dmz network travels through VPN. I want to query the PIX's dmz interface with SNMP from the monitoring server, but I can't. I've configured the snmp things (snmp-server host outside 10.200.0.205 poll community ** version 2c) and the management-access dmz command, but it still doesn't work, and I found nothing with G**gle about this. Has anybody already had the same scenario?

Thank you,
RB
Re: [c-nsp] Symmetric load-splitting with CEF
Yes, interchassis EtherChannel is now supported with Cisco's VSS technology.

Thanks,

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp-[EMAIL PROTECTED] On Behalf Of Tomas Daniska
Sent: Monday, November 19, 2007 9:06 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Symmetric load-splitting with CEF

Hi all,

I am aware that symmetric load splitting to transparent stateful devices (such as IPS, SCE etc...) is possible with EtherChanneling (with some careful balancing algorithm design), and has been available on c6k5 for some time. But c6k5 do not support cross-chassis EtherChannels with current supervisors; so if topological redundancy is required, L2-based LB is not the way to go.

I've noticed someone somewhere saying this is also possible with CEF at L3, but I can find no reference for such solutions. Can anyone advise me please...

thanks much

--
Tomas Daniska
systems engineer

Soitron, a.s.
Plynarenska 5, 829 75 Bratislava, Slovakia
tel: +421 2 58224111, fax: +421 2 58224199

A transistor protected by a fast-acting fuse will protect the fuse by blowing first.
Re: [c-nsp] traffic flow in 6500 switch with FWSM and MPLS VPN
Yes, it works fine. You would need to configure the option on the SUP to allow multiple SVI's to be configured when they are assigned/trunked to the firewall. See here:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/switch_f.html

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: Vikas Sharma [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 15, 2007 6:20 AM
To: Fred Reimer; cisco-nsp@puck.nether.net; Oliver Boehmer (oboehmer)
Subject: Re: [c-nsp] traffic flow in 6500 switch with FWSM and MPLS VPN

Hi,

On the same line I have a few more doubts. Please help me to solve this.

I have 5 VLANs, namely data, voice, video and CCTV. A packet coming out of the access switch will go to the SVI and then come to the FWSM, as firewall-group has been configured. Now I want to integrate this LAN into my MPLS cloud. I have created two VRFs (one for voice/data and video, and another for CCTV) and am importing and exporting to all remote sites.

My question is: how does the FWSM behave when the default gateway is on the MSFC SVI (I have created dot1q interfaces on the SVI and assigned vrf forwarding to the respective interfaces)? Since on the SVI I have configured vrf forwarding, will the FWSM understand the firewall-group in this case?

Any help is greatly appreciated.

Regards
Vikas Sharma

On 11/12/07, Vikas Sharma [EMAIL PROTECTED] wrote:

Hi,

Can I configure the FWSM as a default gateway for my internal VLANs (similar to HSRP configuration on the MSFC for VLANs)? I.e. an inside packet will first hit the FWSM, then the MSFC!!! If you have some doc on this, please share if possible..

Regards
Vikas Sharma

On Nov 7, 2007 7:00 PM, Fred Reimer [EMAIL PROTECTED] wrote:

There are many ways that you can configure the 6500 with a FWSM and IDSM. It depends on what you want to do with it. You can place the MSFC (routing entity) inside or outside of the FWSM. I prefer inside unless there is a really good reason to have it outside (such as routing sessions to providers, etc) as you don't need to secure it quite as much as when it is on a publicly accessible address. You could also use VRF on the MSFC and have one instance on the outside and one on the inside (or a bunch of instances and one on each DMZ interface of the FWSM also).

For the IDSM you also have an option of in-line mode or not. You want in-line mode if you want IPS functionality, and promiscuous mode if you want IDS functionality. Again, you can place the IDSM inside or outside the FWSM, but it really makes sense to drop malicious traffic before it even reaches your FW. Perhaps have it look like:

Internet -- IDSM -- MSFC -- FWSM -- MSFC -- inside networks

You really need to talk to, or hire, a security specialist.

Fred Reimer, CISSP, CCNP
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vikas Sharma
Sent: Wednesday, November 07, 2007 3:14 AM
To: cisco-nsp@puck.nether.net; Oliver Boehmer (oboehmer)
Subject: [c-nsp] traffic flow in 6500 switch with FWSM and IDSM

Hi,

I have FWSM and IDSM-2 on a 6500 switch. Since I am not a security guy I am not able to visualize how traffic flow will take place in this situation. My requirement is to secure internal traffic from external / DMZ traffic and inspect malicious traffic. Can someone give me the logical picture of how a packet will flow inside the 6500 switch? Whether it will first go to the FWSM and then to the MSFC, or first to the MSFC and then the firewall? I have VLANs (SVIs) created on the MSFC and these IPs are the default gateway for my internal traffic.

Any help is appreciated...

Regards
Vikas Sharma
Re: [c-nsp] VOIP QOS
Yea, you don't want to shape VoIP traffic, you want to place it in a priority queue and police it to an absolute maximum. If there are any slow links in between, you probably want to configure LFI also.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Church, Charles
Sent: Thursday, November 08, 2007 12:26 PM
To: Paul Stewart; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] VOIP QOS

I think you still want to priority queue the VoIP traffic, to cut down on jitter. You need to do that on the main interfaces though.

Chuck

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Stewart
Sent: Thursday, November 08, 2007 10:33 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] VOIP QOS

Hi there...

I know this has been discussed several times and I searched the archives... I'm being told by a client that this isn't working well.. my question is what is a better way to offer this?

5 Meg synchronous connection carrying VOIP (SIP/RTP) and general Internet traffic. Want to prioritize the VOIP and carve out up to 2 meg of traffic when needed, leaving up to 3 meg for general traffic... also want to be able to use 4 meg of general traffic when VOIP isn't using much, etc.

Cisco 2821 at customer premise with FE0/0 being the edge interface - Cisco 7206VXR on our side with customer connection coming off subinterface GigE0/0.101. Between these devices is ethernet equipment that supports DSCP and is supposed to prioritize - below you'll see no congestion in place, but on the VOIP side we're seeing dropped packets frequently that are not seen when we remove QOS from the interfaces, indicating something in this config is wrong.

Any thoughts are appreciated...

Both sides have the following applied outbound on the edge interface:

class-map match-any VOIP
 match protocol rtp
 match protocol sip
!
!
policy-map QOS-VOIP
 class VOIP
  set dscp ef
  shape average 2000000
 class class-default
  set dscp default
  shape average 3000000

FastEthernet0/0

 Service-policy output: QOS-VOIP

  Class-map: VOIP (match-any)
   4649311 packets, 996776732 bytes
   5 minute offered rate 401000 bps, drop rate 0 bps
   Match: protocol rtp
    4644189 packets, 993315456 bytes
    5 minute rate 397000 bps
   Match: protocol sip
    5121 packets, 3461062 bytes
    5 minute rate 4000 bps
   QoS Set
    dscp ef
     Packets marked 4649311
   Traffic Shaping
    Target/Average   Byte   Sustain   Excess    Interval  Increment
    Rate             Limit  bits/int  bits/int  (ms)      (bytes)
    2000000/2000000  12500  50000     50000     25        6250

    Adapt   Queue  Packets  Bytes      Packets  Bytes    Shaping
    Active  Depth                      Delayed  Delayed  Active
    -       0      4649311  996776732  0        0        no

  Class-map: class-default (match-any)
   1687936 packets, 438092041 bytes
   5 minute offered rate 12 bps, drop rate 0 bps
   Match: any
   QoS Set
    dscp default
     Packets marked 1680145
   Traffic Shaping
    Target/Average   Byte   Sustain   Excess    Interval  Increment
    Rate             Limit  bits/int  bits/int  (ms)      (bytes)
    3000000/3000000  18750  75000     75000     25        9375

    Adapt   Queue  Packets  Bytes      Packets  Bytes     Shaping
    Active  Depth                      Delayed  Delayed   Active
    -       0      1687936  438092041  40206    48842063  no
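The shaping-versus-priority-queue point made in this thread, as an added example (not the thread's configuration and not IOS code): a small discrete model of Generic Traffic Shaping with a fixed Tc of 25 ms, run against a priority class protected by a policer. The 2 Mbps class rate and the 25 ms interval follow the show output above; the G.711-style call traces (200-byte packets every 20 ms, phases spread evenly), the unbounded shaping queue (IOS would eventually tail-drop) and leaving out Be are simplifying assumptions made for the illustration.

```python
"""Shaping versus a policed priority queue for VoIP: why shaping a voice
class adds delay and jitter while LLQ plus a policer drops over-contract
packets and delays nothing that is in contract.

Added example for the c-nsp 'VOIP QOS' thread; a toy model, not IOS code.
The shaper mimics GTS with a fixed interval Tc and Bc = rate * Tc (no Be),
the shaping queue is unbounded, and the VoIP flows are constructed."""


def voip_trace(calls, pkt_bytes=200, period_ms=20.0, duration_ms=500.0):
    """Constructed trace: `calls` G.711-like flows, one packet of pkt_bytes
    every period_ms each, with phases spread evenly over one period.
    Returns a sorted list of (arrival_ms, bytes)."""
    pkts = []
    for c in range(calls):
        t = c * period_ms / calls
        while t < duration_ms:
            pkts.append((t, pkt_bytes))
            t += period_ms
    pkts.sort()
    return pkts


def shape(trace, rate_bps, tc_ms=25.0):
    """GTS model: each Tc interval may send Bc bytes; a packet that finds the
    interval's credit exhausted waits (FIFO) for a later interval. Returns
    the per-packet delay in ms; nothing is dropped."""
    bc = rate_bps * tc_ms / 1000.0 / 8.0      # bytes allowed per interval
    k, credit = 0, bc                         # current interval, credit left
    delays = []
    for t, size in trace:
        assert size <= bc, "a packet larger than Bc can never be sent"
        arrived_in = int(t // tc_ms)
        if arrived_in > k:                    # clock moved on: fresh credit
            k, credit = arrived_in, bc
        while size > credit:                  # backlog: use the next interval
            k, credit = k + 1, bc
        credit -= size
        delays.append(max(0.0, k * tc_ms - t))
    return delays


def priority_police(trace, police_bps, bc_bytes):
    """LLQ model: the voice class is always served first, so in-contract
    packets are not queued behind data; a single token bucket drops what
    exceeds the policed rate. Returns (sent, dropped)."""
    tokens, last, sent, dropped = float(bc_bytes), 0.0, 0, 0
    for t, size in trace:
        tokens = min(bc_bytes, tokens + (t - last) / 1000.0 * police_bps / 8.0)
        last = t
        if size <= tokens:
            tokens -= size
            sent += 1
        else:
            dropped += 1
    return sent, dropped


def summary(calls, rate_bps=2_000_000, tc_ms=25.0):
    """Offer the same call load to both treatments and report the outcome."""
    trace = voip_trace(calls)
    d = shape(trace, rate_bps, tc_ms)
    sent, dropped = priority_police(trace, rate_bps, rate_bps * tc_ms / 1000.0 / 8.0)
    return {"calls": calls,
            "offered_bps": calls * 200 * 8 / 0.020,
            "shape_max_delay_ms": max(d),
            "shape_jitter_ms": max(d) - min(d),
            "police_sent": sent,
            "police_dropped": dropped}


if __name__ == "__main__":
    for n in (20, 30):    # 1.6 Mbps (under the 2 Mbps class) and 2.4 Mbps (over it)
        print(summary(n))
```

With 20 calls (1.6 Mbps) both treatments pass every packet with zero delay. With 30 calls (2.4 Mbps) the shaper drops nothing, but every 25 ms interval admits about 31 packets while roughly 37 arrive, so the queue grows and the last packets wait on the order of 100 ms: a delay swing no jitter buffer absorbs. The policed priority class keeps the in-contract packets undelayed and drops the excess instead, which is why call admission control, not shaping, is the right lever for voice; shaping belongs on the data class that can tolerate being queued.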
Re: [c-nsp] Help with simple QoS configuration
Why the .1q link between the 3548XL and the 2811? Are there other customers on other VLANs on the 3548XL that also get trunked to the 2811? The proper place to start QoS would be on the 3548XL switch. However, the QoS capabilities of that switch are limited, IIRC, so you may need to replace that antiquated equipment.

Note I said earlier that the proper place to start QoS is on the 3548XL. In order to truly obtain QoS and a bandwidth guarantee you need QoS on each and every hop through your whole network. That means allocating whatever you promise the customer on every link from their connection point to your hand-off point.

Fred Reimer, CISSP, CCNP
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sascha E. Pollok
Sent: Wednesday, November 07, 2007 8:16 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Help with simple QoS configuration

Folks,

maybe someone could push me in the right direction for some QoS related stuff. We have a setup like this:

| 7206VXR       |  100M  | c2811 |  .1q  | 3548XL |
| Access Router | ------ |  CPE  | ----- | Switch | --- VLAN x

From right to left: a public IP network is connected to a switch. The VLAN on this access port is terminated on a Cisco 2811's Sub-I/F. The 2811 has a 100M link to an access-router (7206VXR). I need to give the customer connected via VLAN x a bandwidth guarantee on the 100M link in both directions. Since there is no NAT in place, we are able to match on source/dest IPs. I guess I would need to configure service-policies but I am unsure about where exactly to configure them on the 2811 and/or on the 7206VXR. I tried class-based policies on the Sub-I/F of the 2811 but it said that those aren't supported there.

Anyone with an example configuration or something like this?

Thanks
Sascha
Re: [c-nsp] VRF-Aware IPSec for Remote Access
Yes, I have. I'm not sure what you mean by not being able to access the VRF interface configured on the same PE. I used a crypto map entry per VPN, and not a dynamic map. For a normal, non-dynamic, map you'd have an ACL that would match the network(s) being encrypted in the tunnel. I had to include a static route for each VRF pointing towards the global routing table next-hop to the Internet, using the global keyword, to get it to route the traffic so that it hits the crypto map and encapsulates it. This is from memory, so I may have some items wrong.

HTH,

Fred Reimer, CISSP
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Zahid Hassan
Sent: Monday, November 05, 2007 3:45 PM
To: Cisco NSP Puck Nether Net; Cisco NSP
Subject: [c-nsp] VRF-Aware IPSec for Remote Access

Dear All,

Has anyone successfully implemented VRF-Aware IPSec for Remote Access? I am trying to implement this feature on a PE which has MPLS enabled on the Internet facing interface. With the config below, I am able to connect but not able to access the VRF interface configured on the same PE. I will be really grateful for any comment or any pointers on what could possibly be wrong with the configuration below:

!
aaa new-model
!
aaa authentication login USER-AUTHENTICATION local
aaa authorization network GROUP-AUTHORISATION local
!
crypto keyring test-1
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group test-1
 key test-1
 domain test.com
 pool cpe-1
 acl 101
!
crypto isakmp profile test-1
 vrf test-1
 keyring test-1
 match identity group test-1
 client authentication list USER-AUTHENTICATION
 isakmp authorization list GROUP-AUTHORISATION
 client configuration address initiate
 client configuration address respond
 client configuration group test-1
!
crypto map IPSEC-AWARE-VRF 2 ipsec-isakmp dynamic test-1
!
ip local pool cpe-1 192.168.81.1 192.168.81.254 group test-1
!
crypto dynamic-map test-1 1
 set transform-set test-1
 set isakmp-profile test-1
 reverse-route
!
! Internet facing interface
interface GigabitEthernet4/0/0
 ip address x.x.x.x 255.255.255.240
 ip router isis
 mpls ip
 crypto map IPSEC-AWARE-VRF
!
! Customer facing interface
interface GigabitEthernet1/0/0.1
 encapsulation dot1Q 100
 ip vrf forwarding test-1
 ip address 110.110.110.1 255.255.255.0

Kind regards,
ZH
Re: [c-nsp] 6500 IOS features
The software advisor is notoriously behind, or just plain inaccurate. Cisco has roadmaps that describe the different features in the IP Services and Advanced IP Services feature sets. Checking those out is probably your best bet. In particular, you can check here:

http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps5460/prod_bulletin0900aecd80281b17.html

Or here for the PDF:

http://www.cisco.com/application/pdf/en/us/guest/products/ps5460/c1037/cdccont_0900aecd80281b17.pdf

The description is as such:

Cisco IOS Packaging for Switches
Advanced IP Services [c6500-advipservicesk9]
. Advanced IP Services is a comprehensive set of Cisco IOS Software features designed for IP-only networks. It includes all the features of IP Services plus additional features including ISIS, MPLS, Layer 2 VPNs, Layer 3 VPNs, and IPv6.
. Deployment Guidelines: Service Provider Environments, Enterprise: Campus WAN and Metro Edge

If you want a list of bugs, use the release notes.

HTH,

Fred Reimer, CISSP
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John I
Sent: Monday, October 29, 2007 6:23 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] 6500 IOS features

Hi,

I'm trying to research the following two images for a 6500 SUP2/MSFC2:

s222-advipservicesk9_wan-mz.122-18.SXF10a
s222-ipservices_wan-mz.122-18.SXF11

In the Software Advisor I have found both images, but when I click on the "Software Features: View" link it says "Not available". Basically, I just want to see the feature list of both of these images.. or compare them. Am I doing something wrong?

Also, searching for bugs I was told to use the new Bug Toolkit.. I've tried it a few times now and receive: "Error occurred while fetching bug summary from database. Please try later."

Any suggestions appreciated.

Thanks,
John
Re: [c-nsp] Managed, cheap, DC powered switch
The 3750E's will run at whatever license feature you purchase it with. It does not require anything special at all if you just want the feature set you purchased. It is only if you want to upgrade the feature set that you need to install a new license. And you can install it manually, or use a free application/server to manage large installations. It does not phone home.

Fred Reimer, CISSP
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Prall
Sent: Friday, October 26, 2007 7:24 AM
To: 'Tim Jackson'
Cc: 'Murphy, William '; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Managed, cheap, DC powered switch

There isn't any phone home. I find the license key easier than having to put a new image on. Especially easier in a large deployment with multiple licenses. Just upgrade all 3750E's with this image; they will run with the correct license.

--
http://dcp.dcptech.com

-----Original Message-----
From: Tim Jackson [mailto:[EMAIL PROTECTED]
Sent: Friday, October 26, 2007 3:51 AM
To: David Prall
Cc: Murphy, William ; Dan Armstrong; Justin Shore; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Managed, cheap, DC powered switch

You can order the DC power supplies separately, plus the 3750E has the licensing management stuff, which requires phone-home/license keys to upgrade. I'm personally boycotting these :)

--
Tim

On 10/25/07, David Prall [EMAIL PROTECTED] wrote:

The DC Power Supply has to be ordered separately. Don't know what I would do with the AC that came with it if I required DC.

--
http://dcp.dcptech.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Murphy, William
Sent: Thursday, October 25, 2007 11:25 PM
To: Dan Armstrong; Justin Shore
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Managed, cheap, DC powered switch

According to the Cisco Summer/Fall 2007 QRG the 3560-E and 3750-E both have support for DC power... Refer to page 2-14 and 2-20, last line in the table, "AC/DC support".

Bill Murphy
Senior Network Analyst
University of Texas Health Science Center - Houston

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Armstrong
Sent: Thursday, October 25, 2007 9:38 PM
To: Justin Shore
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Managed, cheap, DC powered switch

The 3560E and 3750E are not available with DC power. I wish they were!!

Justin Shore wrote:

Eric Helm wrote:

Brandon Bennett wrote:

I work for a telco and have a need for cheap managed switches that are DC powered. Cisco's line up is a 2950-24-DC.

Haven't kept up much with Cisco's product line for 1U DC lately. Last I knew only a 24 port 2950 or 3550 were available for a cheap 1U DC switch. Foundry's FastIron Edge X Series is very reasonably priced, but 1.5U for 48 ports. It may be overkill for what you are looking for though, with full L3 and 10GbE capabilities.

ME-2400-24TS-D
http://tinyurl.com/2nnx7z
ME-3400-24TS-D
ME-3400G-12CS-D
http://tinyurl.com/yues25
ME-C3750-24TE-M w/ PWR-ME3750-DC(-R)
http://tinyurl.com/3e2pgl

The 3560E and 3750E series are also available with DC power supplies.
http://tinyurl.com/24rg2l

The 4900s (ME and non-ME) as well as all the larger chassis-based solutions, but those would be cost-prohibitive for your application.

If you don't need fancy features then you can buy the cheapest licenses to save more $$$.

Justin
Re: [c-nsp] Cisco WS-X6724-GE-TX Blade
You may want to check what speed(s) are supported on the 6724/48 SFP blades when using TX SFP's. SOME switches support 10/100/1000 when using TX SFP's, but SOME switches (and I believe all Gigabit blades for the 6500 series fall in this category) only support 1000Mbps on TX SFP's...

Fred Reimer, CISSP
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of andrew burns
Sent: Wednesday, October 24, 2007 12:57 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco WS-X6724-GE-TX Blade

Hi,

We're in a situation where next year we're going to have to replace our 6513 chassis with 6509-E simply to get a full complement of 6748-GE-TX blades. What we'd prefer to do is just add 6724-GE-TX to slots 1-6 as required. However, these blades don't exist - only 6724-SFP exist. So, as 24 SFP's cost the same as a 6509-E chassis it's a no-brainer financially, but a nightmare technically.

We have hundreds of 6513's and were hoping to make them last until the next gen chassis come out (whenever that is), but the need for fabric blades is forcing our hand. We've been making do with the 6516-GE-TX but that's EoS in Jan.

Anyone else in the same boat, or also asking Cisco to make a GE-TX version of the 6724?

TIA
Andrew.
Re: [c-nsp] ASA/AIP-SSM-10 to replace a IDS-42xx
You can put the ASA in transparent mode so that you don't have to route through it, but the traffic does have to pass through the device. The external Ethernet interface on the AIP is strictly for management only...

Fred Reimer, CISSP
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, October 19, 2007 11:16 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ASA/AIP-SSM-10 to replace a IDS-42xx

Hi,

Is it possible to use an ASA with a AIP-SSM-10 like a simple IDS sensor? The idea is to span a vlan on a switchport, then connect and use the physical GE interface featured on the AIP-SSM-10 module to sniff traffic and report alerts. No IPS functionality is needed.

Is such a way of using AIP-SSM sensor possible? Or do I have to filter the traffic thru the underlying ASA appliance absolutely?

Basically, I don't want to add a routing/firewall instance on my network. Just a transparent IDS.

-jc
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
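The setup Fred describes, as an added configuration example that is not part of the thread: a transparent-mode ASA bridging the segment so no routing instance is introduced, with every flow handed to the AIP-SSM in promiscuous (copy-only) mode so it behaves as an IDS rather than an IPS. Interface names, the management address and the class-map name are constructed for illustration; the syntax assumed is the ASA 7.x/8.0 CLI of the era.

```cisco
! Added example, not from the thread. Addresses and names are constructed.
! Transparent mode: the ASA bridges inside<->outside at layer 2, so the hosts
! keep their existing gateway and no new routing/firewall hop is added.
! The traffic still has to traverse the ASA; the AIP-SSM's own GE port is
! management-only and cannot be used as a SPAN sniff port.
firewall transparent
!
interface Ethernet0/0
 nameif outside
 security-level 0
 no shutdown
!
interface Ethernet0/1
 nameif inside
 security-level 100
 no shutdown
!
! Single management address for the bridged segment (pre-8.4 transparent mode)
ip address 192.0.2.10 255.255.255.0
!
! Match every flow and send a copy to the AIP-SSM. "promiscuous" means the
! module only inspects a copy and cannot drop the original; "fail-open" keeps
! traffic flowing if the module is down, which is the right choice for an
! IDS-only role.
class-map IDS-ALL
 match any
!
policy-map global_policy
 class IDS-ALL
  ips promiscuous fail-open
!
service-policy global_policy global
```

Because the module only receives a copy, alerts are reported but nothing is blocked; switching to `ips inline` is what would turn the same setup into an IPS.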
Re: [c-nsp] vty access-list
Is there any compelling reason why SSH should only be allowed to one particular IP on the router?

Yes, if you have VRFs set up and only want to allow inbound traffic to particular interfaces in a particular VRF (or default/global)...

Fred Reimer, CISSP
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of C and C Dominte
Sent: Friday, September 14, 2007 2:54 AM
To: Tom Storey; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] vty access-list

Try permitting based on IP address only, e.g.

access-list 199 permit ip x.x.x.x 0.0.0.255 host y.y.y.y

Still the same result, all the IPs are blocked.

Well, you are allowing TCP port 22 from x.x.x.x/24 to any destination, which will be any IP address on the router. But that doesn't necessarily explain why the first access list doesn't work. Personally I've never used an extended ACL to control VTY access to a router, I generally use standard ACLs and permit only a specific set of source subnets access. It works just fine.

I wanted to use that, but I thought it is easier to cut the access to a destination, rather than cut the access based on source address. This way, I don't have to RDP / SSH to my desktops, to be able to connect to the router.

Is there any compelling reason why SSH should only be allowed to one particular IP on the router?

I wanted to see if I can force the router to allow SSH traffic only on one IP interface, not on all of them.

Thanks,
Catalin

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] vty access-list
If the device supports CPP can't you put an ACL on the control-plane to handle all interfaces at once?

Fred Reimer, CISSP
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Daubman
Sent: Thursday, September 13, 2007 10:58 AM
To: C and C Dominte
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] vty access-list

Catalin,

... Is this a normal behavior of the IOS, to block access to all the IPs, including to the one that is supposed to be allowed?

While not explicitly called out, I believe the intent is to use a 'standard' access list with one's vty access-class statements. To that end, an extended list that specifies a destination as well as a source will deny all traffic. I would hazard a guess that this is due to the fact that one's destination is no longer the external interface IP address used to reach the router at this point, but rather the internal VTY...

I believe the only way to restrict SSH access to a specific IP on the router is to apply the appropriate extended access list entries to each router interface, which, given enough processing overhead, is probably a good idea anyway...

See: http://www.cisco.com/en/US/products/ps6441/products_configuration_guide_chapter09186a0080716ec2.html for the implied restriction to use only standard access lists...

Regards,
~Aaron

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
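The three approaches discussed across this thread, as an added IOS configuration example that is not from any of the posters: the standard-ACL `access-class` that Tom and Aaron recommend (with the `vrf-also` keyword for the VRF case Fred raises), the extended ACL with a destination that the thread reports blocks everything, the per-interface extended ACL Aaron suggests for pinning SSH to one router address, and the control-plane policy Fred asks about. Prefixes, addresses, interface and ACL names are constructed.

```cisco
! Added example, not from the thread. 192.0.2.0/24 is the constructed management
! network and 198.51.100.1 the constructed router address SSH should answer on.
!
! 1) Works: standard ACL on the VTY lines matches on source only.
ip access-list standard MGMT-SRC
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
line vty 0 4
 transport input ssh
 access-class MGMT-SRC in vrf-also
! vrf-also: sessions arriving on an interface in a VRF are also checked against
! the ACL instead of being refused outright.
!
! 2) Reported in the thread to lock everyone out: by the time access-class is
! evaluated the "destination" is the VTY, not the interface address, so a
! destination-specific extended entry never matches.
ip access-list extended MGMT-EXT-DO-NOT-USE
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.1 eq 22
!
! 3) Pinning SSH to one address: filter on the ingress interface instead, where
! the destination is still the real interface IP. Repeat per interface.
ip access-list extended WAN-IN
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.1 eq 22
 deny   tcp any any eq 22 log
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group WAN-IN in
!
! 4) Control-plane policing: one policy that covers SSH to every router address
! at once. "deny" here means "exclude from the class", so trusted sources are
! left alone and SSH from anywhere else is dropped before it reaches the VTY.
ip access-list extended COPP-SSH-UNTRUSTED
 deny   tcp 192.0.2.0 0.0.0.255 any eq 22
 permit tcp any any eq 22
!
class-map match-all COPP-SSH-UNTRUSTED
 match access-group name COPP-SSH-UNTRUSTED
!
policy-map COPP
 class COPP-SSH-UNTRUSTED
  police 8000 conform-action drop exceed-action drop
!
control-plane
 service-policy input COPP
```

Option 4 restricts by source, not by destination address, so it complements rather than replaces option 3 when the goal is a single SSH-reachable IP.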
Re: [c-nsp] Question about the CCNA and CCNP certification
Yes, a CCNA is required in order to get your CCNP. I believe you can get your CCIE without any previous certifications, however.

Fred Reimer, CISSP
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernd Ueberbacher
Sent: Friday, September 07, 2007 5:04 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Question about the CCNA and CCNP certification

Hi there!

As you might know from my earlier posts I'm currently learning for my CCNA with the goal of achieving the CCNP afterwards. Sometimes it's a bit boring to learn for the CCNA, because I work all day long with Cisco devices and in the evening when I'm learning for the CCNA certification I have to calculate subnet masks etc. Not the most exciting stuff...

A guy I know from a different company also wants to become a CCNP, but today he told me that he is heading directly towards the CCNP without passing the CCNA. I said that this is not possible, but he was completely sure about it and had an interesting explanation...

He says that the CCNA is a requirement for the CCNP if you want to attend a CCNP class room course. This prevents that you have absolutely no clue about networking and slow down the whole group/class. If you don't attend the class, but do it by self studying and just take the exam with Pearson Vue etc, you don't need a valid CCNA certification. This is because it's your money/problem if you fail but you are not annoying anybody else with your incompetence and if you have no clue you just don't pass.

It somehow sounds right, because why would anybody need a lower level certification just to take the CCNP exam? Of course you need to know the topics from the CCNA to become a CCNP, but is the certification really required?

So is this guy right and is it just a prerequisite for class room trainings or is it a prerequisite for the exam?

Thanks,
Bernd

PS: Yes, I googled, but the Cisco website just says:

CCNP Prerequisites: Valid CCNA certification

and the link below says

CCNA ensures that CCNP candidates possess a solid foundation of networking knowledge, which lays the foundation for the professional curriculum. Without that prerequisite foundation, the student may not be able to keep up with others in class and learn the advanced knowledge and skills presented in the CCNP courses.

so this guy might be right...

http://ciscocert.custhelp.com/cgi-bin/ciscocert.cfg/php/enduser/s td_adp.php?p_faqid=3825p_created=1176617893p_sid=tU6KJ7Lip_acc essibility=0p_lva=p_sp=cF9zcmNoPTEmcF9zb3J0X2J5PWRmbHQmcF9ncmlk c29ydD0mcF9yb3dfY250PTM1JnBfcHJvZHM9JnBfY2F0cz0mcF9wdj0mcF9jdj0mc F9zZWFyY2hfdHlwZT1zZWFyY2hfZm5sJnBfcGFnZT0xJnBfc2VhcmNoX3RleHQ9Q0 NOUA**p_li=p_topview=1

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Question about the CCNA and CCNP certification
Jay,

You are right. You don't need a CCNA in order to take the CCNP tests, but you will require one before you get your actual certification. Just like you are required to have a signed exam certification agreement on file (usually a click-through one you do for every test). However, there is no prereq for a CCIE. If you're bored with figuring out subnet masks and the basic stuff, why don't you just get a CCIE?

Fred Reimer, CISSP
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jay Hennigan
Sent: Friday, September 07, 2007 5:35 PM
To: Bernd Ueberbacher
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Question about the CCNA and CCNP certification

Bernd Ueberbacher wrote:

A guy I know from a different company also wants to become a CCNP, but today he told me that he is heading directly towards the CCNP without passing the CCNA. I said that this is not possible, but he was completely sure about it and had an interesting explanation...

He says that the CCNA is a requirement for the CCNP if you want to attend a CCNP class room course. This prevents that you have absolutely no clue about networking and slow down the whole group/class. If you don't attend the class, but do it by self studying and just take the exam with Pearson Vue etc, you don't need a valid CCNA certification. This is because it's your money/problem if you fail but you are not annoying anybody else with your incompetence and if you have no clue you just don't pass.

He is wrong. CCNA is a prerequisite for CCNP regardless if you take classroom training or just schedule the exams at Pearson VUE. You will not receive a CCNP certificate without first having a valid CCNA. I suppose you could take them all at once if you want to do so.

See http://www.cisco.com/go/ccnp

See the line CCNP Prerequisites.

--
Jay Hennigan - CCIE #7880 - Network Engineering - [EMAIL PROTECTED]
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/