Re: [c-nsp] L2 over L3 scenario

2015-10-23 Thread Ge Moua
+1 for holistically thinking about the MTU issues (as the L2TPv3 headers 
shrink the size of the payload of a std 1500 MTU, worse yet if you add 
IPsec on top of that for a "secure pseudowire" type setup).


Overlay features akin to VxLAN and eVPN were not mature at the time, but 
I would at least consider that now if feasible.


Contact me off-list; I can provide topology diagrams for real-world 
deployments re: L2TPv3 (with and without IPsec).



Regards,
Ge Moua
moua0...@umn.edu

U of MN Alumnus
--

On 10/23/2015 05:30 AM, John Kougoulos wrote:

Hi,

On Fri, Oct 23, 2015 at 10:37 AM, james list <jameslis...@gmail.com> wrote:


I’d like to share experience, receive suggestions if any, alternatives if
any, recommendations, scalability numbers if any, etc.



Make sure to handle the MTU appropriately or your routers will start
fragmenting packets.

Regards,
John.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



Re: [c-nsp] Divide large PVST domain?

2014-07-10 Thread Ge Moua
I've seen good MST practice where the vlans per mst region/area are 
accounted for ahead of time to mitigate what you stated here.


i.e., assign VLANs by odd/even grouping for 2 MST regions (or more MST 
regions if desired, by some other preferred method).


Regards,
Ge Moua
University of Minnesota Alumnus
moua0...@umn.edu
--

On 07/09/2014 11:14 AM, Victor Sudakov wrote:

Am I correct to assume that every time I need to move a vlan from one
MST instance to another, my whole MST domain will fall apart until the
MST reconfiguration is complete on all the switches?

Somehow I don't like this idea.




Re: [c-nsp] IOS: catch 22 when enabling new bgp neighbors

2014-06-20 Thread Ge Moua


method_1:
a. upload config_snippet.txt to flash: (via method of choice: tftp, 
sneaker-net via flash2, etc.)

b. copy flash:/config_snippet.txt system:running-config

method_2:
b. copy tftp://ip_addr/config_snippet.txt system:running-config

I prefer method_1 as this mitigates dependencies on network 
connectivity.  However, both methods assume the config syntax is valid and QA'd 
(as error msgs will manifest on std_output, so avoid a garbage-in, garbage-out 
scenario).



Regards,
Ge Moua
University of Minnesota Alumnus
moua0...@umn.edu
--

On 06/20/2014 09:39 AM, Lukas Tribus wrote:

copy'n'pasting from notepad is not
enough in that situation (somehow, the terminal slows down when pasting
the config to some 2 - 3 chars per second)





Re: [c-nsp] How to prevent https facebook from the cisco router 1841

2013-11-14 Thread Ge Moua

+1
dansguardian

Regards,
Ge Moua
moua0...@umn.edu
University of Minnesota Alumnus
--
 


On 11/13/13, 9:58 PM, mohamed nagy wrote:

Hello ,

I need to prevent users from opening Facebook HTTPS traffic from my Cisco
1841 router.

I can put it in as an IP, but is there anything else, because the IP way is not
efficient?

What is the best scenario for that?


Re: [c-nsp] BGP Question

2013-10-22 Thread Ge Moua

inject map ?

--
Regards,
Ge Moua
Univ of Minn Alumnus
--

On 10/22/2013 10:28 AM, M K wrote:

Hi all,
I have a prefix that is originated, let us say, in AS 300 and the route is
installed in the routing table normally. R1 (the router that receives the route)
has an iBGP relation with R2. Can I influence the origin of this prefix and
advertise it to R2?
Thanks




Re: [c-nsp] PIM BiDir on Nexus

2013-06-20 Thread Ge Moua

Colin, thx for the feedback.

--
Regards,
Ge Moua
Univ of Minn Alumnus
--


On 06/19/2013 06:36 PM, Colin Whittaker wrote:

This was all M108 and M132 cards.

We were doing both pim bidir and pim-sm.

The fib bugs were rare enough, but we had enough scale that even
something like a 1 in 1000 error rate meant that we saw it frequently.

Thankfully we turned off multicast about 6 months ago so only the
unicast bugs to deal with.

The FIB bugs all relate to a fundamental defect in the n7k software
architecture in that the sup never validates that the linecards have
received the updates sent to them, so I would expect the f2 to have
similar issues.
In addition to the multicast issues we have seen unicast fib
inconsistency and interface mtus not matching.

Colin

On Wed, Jun 19, 2013 at 05:16:32PM -0500, Ge Moua wrote:

Colin-
Thx for the feedback.  I'm looking at the F2 cards on nx-7k; are you
doing this on the older M-series cards?  Are you also doing
specifically BiDir PIM?  Standard PIM (SM specifically for the use-case in
question here) seems to work, though not without some minor hiccups on the newer
F2 cards.  Thx again.

:-)

--
Regards,
Ge Moua
Univ of Minn Alumnus
--


On 06/19/2013 04:35 PM, Colin Whittaker wrote:

It works pretty well on n7k.

The multicast code is prone to a class of bugs on the 7k where the fibs
on the line cards get out of sync with the rib/mrib on the sup.

We had multiple instances of routers blackholing traffic after topology
changes because linecards had missing routes.
reloading the line card would fix it but it was always a bugger to find
the affected cards.

colin


On Wed, Jun 19, 2013 at 12:04:25PM -0500, Ge Moua wrote:

c-nsp folks:
Anyone out there looking to do PIM BiDir on Nexus?  There appears to be
some limitations with PIM BiDir on the nx-7k but the nx-6k may be a
viable option (albeit the hw arch between the nx-7k & nx-6k is not
exactly apples-for-apples).  I'd appreciate opinion/feedback from others
here.  Thanks in advance.


--
Regards,
Ge Moua
Univ of Minn Alumnus
--




[c-nsp] PIM BiDir on Nexus

2013-06-19 Thread Ge Moua

c-nsp folks:
Anyone out there looking to do PIM BiDir on Nexus?  There appears to be 
some limitations with PIM BiDir on the nx-7k but the nx-6k may be a 
viable option (albeit the hw arch between the nx-7k & nx-6k is not 
exactly apples-for-apples).  I'd appreciate opinion/feedback from others 
here.  Thanks in advance.



--
Regards,
Ge Moua
Univ of Minn Alumnus
--




Re: [c-nsp] PIM BiDir on Nexus

2013-06-19 Thread Ge Moua

Colin-
Thx for the feedback.  I'm looking at the F2 cards on nx-7k; are you 
doing this on the older M-series cards?  Are you also doing 
specifically BiDir PIM?  Standard PIM (SM specifically for the use-case in 
question here) seems to work, though not without some minor hiccups on the newer 
F2 cards.  Thx again.


:-)

--
Regards,
Ge Moua
Univ of Minn Alumnus
--


On 06/19/2013 04:35 PM, Colin Whittaker wrote:

It works pretty well on n7k.

The multicast code is prone to a class of bugs on the 7k where the fibs
on the line cards get out of sync with the rib/mrib on the sup.

We had multiple instances of routers blackholing traffic after topology
changes because linecards had missing routes.
reloading the line card would fix it but it was always a bugger to find
the affected cards.

colin


On Wed, Jun 19, 2013 at 12:04:25PM -0500, Ge Moua wrote:

c-nsp folks:
Anyone out there looking to do PIM BiDir on Nexus?  There appears to be
some limitations with PIM BiDir on the nx-7k but the nx-6k may be a
viable option (albeit the hw arch between the nx-7k & nx-6k is not
exactly apples-for-apples).  I'd appreciate opinion/feedback from others
here.  Thanks in advance.


--
Regards,
Ge Moua
Univ of Minn Alumnus
--




Re: [c-nsp] InfoBlox

2013-04-24 Thread Ge Moua

+2 for ISC dhcpd & bind (sorry for being off-topic though).

--
Regards,
Ge Moua
moua0...@umn.edu

Univ of Minn Alumnus
--

On 4/24/13 1:12 PM, a.l.m.bu...@lboro.ac.uk wrote:

Hi,

My thoughts are that this group is very knowledgeable about all networking
topics and it makes sense to me

this group works because it's a forum dedicated to a particular vendor
and specific remit. the SnR is pretty good and you get answers because
it's a specific group FOR that purpose.   if you want to ask questions
about InfoBlox then visit/use an InfoBlox forum. as it's a commercial
product you could even ask them - have you got a maintenance contract?

offtopic personal view: if that's how they've decided to engineer their kit
then so be it... if you want to do things on different interfaces then just
install your own Linux box and put your own copy of ISC DHCPD and BIND onto
it - then you can do whatever you want with whatever interfaces you've got..
(and no, c-nsp isn't here for when there's issues with that, use a Linux or ISC
mailing list ;-) )

now, back on topic, I'm using AAA/dot1X with multi-host but recent cisco
docs seem to suggest multi-auth is the way to go when there's a VOIP handset
present - any views?

alan


[c-nsp] EIGRP as industry standard ?

2013-03-14 Thread Ge Moua

It was interesting to see an IETF doc about EIGRP:
http://tools.ietf.org/html/draft-savage-eigrp-00

I'm wondering if Cisco may be releasing this to the wider Internet 
community for possible industry standards consideration. While 
technically classified by Cisco as a distance-vector protocol, there are 
hybrid features of EIGRP that make it attractive over traditional 
link-state IGPs like OSPF & IS-IS (which I'm a big fan of). However, 
what's not so attractive is the proprietary nature (tied to Cisco) and 
lack of support on other big-name vendor equipment. Maybe Cisco is 
looking to change this on the horizon.


I'd be interested to know what other ppl way smarter than me think. 
Thanks for your feedback.


--
Regards,
Ge Moua
Univ of Minn Alumnus
--







Re: [c-nsp] ip tcp adjust-mss

2013-02-11 Thread Ge Moua
This comes in handy when one jams a bunch of headers together but then 
constrains the payload size, which would result in frag/defrag and may lead 
to decreased throughput/performance.


ex: a use case I think of would be user-facing before encaps into maybe 
something gnarly like GRE inside IPsec facing the Internet (where MTU 
cannot be controlled and is likely to be assumed = 1500).


--
Regards,
Ge Moua
Univ of Minn Alumnus
--


On 02/11/2013 01:56 PM, Eric A Louie wrote:

I just put in this command on my upstream interfaces to help my mpls network
pass traffic - that is, my effort to eliminate fragmentation in my backbone.

Is anyone else using this method of mtu control?  I need some support - my CEO
is asking why I have to do this, and who else does it, and is it a common
practice, etc, so I'm looking for evidence, more than just The Cisco TAC told
me to do it.

thanks

  Much appreciated, Eric


Re: [c-nsp] ip tcp adjust-mss

2013-02-11 Thread Ge Moua
For UDP, one would have to do something like touch the end-hosts and 
adjust the MTU size on the ip_stack itself.  Not very scalable and may 
require too many touch-points (also would be somewhat permanent).


Some client vpn shims do this to end-hosts after installations of said 
software.


--
Regards,
Ge Moua
Univ of Minn Alumnus
--


On 02/11/2013 02:25 PM, Peter Rathlev wrote:

TCP MSS adjusting only works for TCP and probably puts an extra load on
the CPU of the router.

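As an added example (not code from either post in this thread or the L2 over L3 thread above), the following Python script works the arithmetic behind both: how much payload an L2TPv3 pseudowire, GRE, or GRE-inside-IPsec stack takes away from a 1500-byte path, what value `ip tcp adjust-mss` would need so a full TCP segment still fits, and why a UDP datagram of the same size still fragments, since MSS clamping only ever rewrites TCP. The header sizes are the standard fixed ones; assumed are a GRE header without key/sequence, an L2TPv3-over-IP header without cookie, and ESP tunnel mode with AES-CBC (16-byte IV) and HMAC-SHA1-96 (12-byte ICV), whose padding makes the overhead depend on the packet length.

```python
"""Tunnel overhead, TCP MSS clamp value and UDP fragmentation (added example).

Assumptions (not from the list posts): GRE without key/sequence fields,
L2TPv3 over IP with a 4-byte session ID and no cookie, ESP tunnel mode with
a 16-byte IV (AES-CBC) and a 12-byte ICV (HMAC-SHA1-96), no IP options.
"""
import math

IPV4_HDR = 20
TCP_HDR = 20
UDP_HDR = 8

# Fixed-size encapsulation layers: bytes each one adds.
FIXED_OVERHEAD = {
    "ethernet": 14,  # inner Ethernet frame carried by an L2TPv3 pseudowire
    "l2tpv3": 4,     # L2TPv3-over-IP session header, no cookie (assumption)
    "gre": 4,        # GRE header without key/sequence (assumption)
    "ipv4": 20,      # delivery IPv4 header
}

# ESP tunnel-mode pieces; the padding depends on the length being wrapped.
ESP_HDR = 8       # SPI + sequence number
ESP_IV = 16       # AES-CBC IV (assumption)
ESP_TRAILER = 2   # pad length + next header
ESP_ICV = 12      # HMAC-SHA1-96 (assumption)
ESP_BLOCK = 16    # AES block size: payload + trailer is padded to a multiple


def esp_tunnel_overhead(inner_len):
    """Bytes ESP tunnel mode adds around an inner IP packet of inner_len bytes."""
    pad = (-(inner_len + ESP_TRAILER)) % ESP_BLOCK
    return IPV4_HDR + ESP_HDR + ESP_IV + pad + ESP_TRAILER + ESP_ICV


def encapsulated_size(inner_len, encap):
    """On-the-wire size of an inner_len-byte packet after the encap stack,
    listed innermost first, e.g. ["gre", "ipv4", "esp-tunnel"]."""
    size = inner_len
    for layer in encap:
        if layer == "esp-tunnel":
            size += esp_tunnel_overhead(size)
        else:
            size += FIXED_OVERHEAD[layer]
    return size


def max_tcp_mss(path_mtu, encap):
    """Largest MSS (the value to give 'ip tcp adjust-mss') for which a
    full-size segment still fits path_mtu after encapsulation."""
    for mss in range(path_mtu - IPV4_HDR - TCP_HDR, 0, -1):
        if encapsulated_size(IPV4_HDR + TCP_HDR + mss, encap) <= path_mtu:
            return mss
    raise ValueError("path MTU too small for this encapsulation stack")


def udp_fragments(payload_len, path_mtu, encap):
    """Outer IP fragments a UDP datagram becomes once encapsulated, assuming DF
    is clear and the encapsulating router fragments the outer packet. MSS
    clamping never touches UDP, so nothing on the router shrinks this."""
    total = encapsulated_size(IPV4_HDR + UDP_HDR + payload_len, encap)
    if total <= path_mtu:
        return 1
    per_fragment = (path_mtu - IPV4_HDR) // 8 * 8  # offsets count 8-byte units
    return math.ceil((total - IPV4_HDR) / per_fragment)


STACKS = {
    "plain 1500 link": [],
    "GRE": ["gre", "ipv4"],
    "L2TPv3 pseudowire (Ethernet inside)": ["ethernet", "l2tpv3", "ipv4"],
    "GRE inside IPsec (ESP tunnel)": ["gre", "ipv4", "esp-tunnel"],
    "L2TPv3 inside IPsec (secure pseudowire)": ["ethernet", "l2tpv3", "ipv4", "esp-tunnel"],
}

if __name__ == "__main__":
    for name, encap in STACKS.items():
        print(f"{name:42s} adjust-mss {max_tcp_mss(1500, encap):4d}   "
              f"1472-byte UDP payload -> {udp_fragments(1472, 1500, encap)} fragment(s)")
```

Running it prints the clamp value for each stack; the ESP rows are the ones worth noting, because a fixed "subtract N bytes" rule over-estimates the usable MSS whenever the padded length crosses a cipher block boundary, and the UDP column shows the same 1472-byte payload that fits a bare 1500 link becoming two fragments as soon as any encapsulation is added.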


Re: [c-nsp] ASA5510 in transparent with multiple subnets

2012-12-01 Thread Ge Moua

You should be able to do transparent mode, multiple interfaces.

--
Regards,
Ge Moua
moua0...@umn.edu

Univ of Minn Alumnus
--

On 11/30/12 5:33 PM, Lee Starnes wrote:

Hello everyone,

I was looking through documentation for the ASA5510 as we have a client who
is running one in transparent mode. They need to add an additional IP block
to their network and from what I am able to gather, it looks like you can
not add a second /28 to their network configuration. Am I reading this
correctly?

Thanks,

-Lee


Re: [c-nsp] Linux BGP tool

2012-11-06 Thread Ge Moua

+1 for Quagga on *BSD

You mentioned Linux and there is a port for that too.

--
Regards,
Ge Moua
Univ of Minn Alumnus
--


On 11/06/2012 01:11 AM, CiscoNSP_list CiscoNSP_list wrote:





Hi Guys,


Looking for a linux bgp utility to inject full bgp tables into our Lab Cisco 
ASR1000 (To simulate real-world peering taking multiple full tables)


Any suggestions?

Cheers.



Re: [c-nsp] Overflows During Microbursts on Cisco Switch

2012-10-30 Thread Ge Moua

+1 for:
* get a reasonable switch

maybe something like a 2960-X (or higher) will provide deeper 
buffers for the micro-burst use case.


--
Regards,
Ge Moua
Univ of Minn Alumnus
--


On 10/30/2012 08:46 AM, Gert Doering wrote:

Hi,

On Tue, Oct 30, 2012 at 04:01:45PM +0300, Righa Shake wrote:

I would like to get to understand how I can solve a problem of buffer
overflows during microbursts on a 2960 Cisco Switch.

- turn off mls qos
- increase egress bandwidth (2x or 4x GE channel)
- get a reasonable switch

gert




Re: [c-nsp] DHCP NAT router limitations

2012-05-31 Thread Ge Moua
Those Cisco ISR-G1s mostly punt NAT (& DHCP) functionality to the CPU, so 
you may have scalability issues for the NATs in terms of CPU resource usage.  
I've seen an ASA5550 do 65k NAT connections with minimal CPU load (I'm 
sure the lower ASA models can achieve similar results depending on how 
much memory is on board).


I'd concur that throughput of ~100Mbps without NAT can be easily done 
by these ISR-G1 models.


--
Regards,
Ge Moua

Univ of Minn Alumnus
--


On 05/31/2012 06:39 AM, Rens wrote:

Where do you get that info that a 1841 & 2811 can't do this?

They do fine average Internet traffic @ 50Mbps

I got 2811's doing 100Mbps



Indeed my wifi setup can cope with 2K connections



From: aled.w.mor...@googlemail.com [mailto:aled.w.mor...@googlemail.com] On
Behalf Of Aled Morris
Sent: Wednesday 30 May 2012 17:09
To: Rens
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] DHCP & NAT router limitations



On 30 May 2012 11:17, Rens r...@autempspourmoi.be wrote:

For a one-day wifi event I'm looking at which kind of router can be used to
deliver DHCP & NAT for 1000-2000 simultaneous users

Total WAN capacity will be +- 50Mbps

Would a 1841 or a 2811 be able to handle all this NAT/DHCP?


Neither of these would cope with 50Mbps even without the NAT.

If you are purely Ethernet then the cheapest Cisco solution would be an
ASA5505

I assume you've already got a wifi setup that can cope with 2,000
connections.

Aled




Re: [c-nsp] Internet inside a VRF?

2012-03-13 Thread Ge Moua

In RE networks, separation of commodity Internet-1 and Internet-2 traffic.

--
Regards,
Ge Moua

University of Minnesota Alumnus
Email: moua0...@umn.edu
--


On 3/13/12 8:17 PM, Jose Madrid wrote:

I would like to understand why you guys would do this? What is the
reasoning behind this? Super granular control? Can't this level of
granularity be achieved with route-maps?

Sent from my iPhone

On Mar 13, 2012, at 8:27 PM, Dan Armstrong d...@beanfield.com wrote:


We have all our Internet peers and customers inside a VRF currently, and our 
Cisco SE thinks we're stark raving mad, and should redesign and put everything 
back in the global table.


This is all on ASR 9Ks and 7600s.





On 2012-03-13, at 8:12 PM, Pshem Kowalczyk wrote:


Hi,

On 14 March 2012 11:59, Dan Armstrong d...@beanfield.com wrote:

I know this topic has been discussed a million times, but just wanted to get an 
updated opinion on how people are feeling about this:


In a service provider network, how do people feel about putting the big 
Internet routing table, all their peers and customers inside a VRF?  Keep the 
global table for just infrastructure links…

In my previous role we've done just that. One internet VRF for all
transit functions, separate vrfs for peering and customers and
import-export statements to tie them all together. All done on ASR1k
(mainly 1006, but a few of 1002 as well).

kind regards
Pshem




Re: [c-nsp] TACACS vs RADIUS

2012-02-29 Thread Ge Moua

+1 Radiator

--
Regards,
Ge Moua

University of Minnesota Alumnus
Email: moua0...@umn.edu
--


On 2/29/12 2:05 AM, Oscar Zovo wrote:

Have you heard of Radiator (http://www.open.com.au/radiator/index.html)?
It's a RADIUS server with support for TACACS.
The good thing with Radiator is that it supports a wide range of authentication
methods and is very flexible for authentication and authorization schemas.
You can use the same rules for RADIUS and retain the authorization and
accounting facilities provided by TACACS.

Best Regards,
Zovo

On Tue, Feb 28, 2012 at 4:17 AM, Jason 'XenoPhage' Frisvold
xenoph...@godshell.com  wrote:


On Feb 27, 2012, at 8:25 PM, Nick Hilliard wrote:

www.shrubbery.net/tac_plus/

Cisco wrote the original version but hasn't contributed anything for some
years.  One great feature of this daemon is that it doesn't have a GUI,

and

that it's fully configuration file based.

Obviously if you don't like it, you should use something else.

Actually, that's what we're using now and it works great.  I was looking
elsewhere because we have RADIUS which we need, and we have LDAP, which we
need..  Mayhaps we can have tac_plus talk to LDAP?  Though I haven't seen a
way to do that as of yet ...


Nick

---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---
Any sufficiently advanced magic is indistinguishable from technology.
- Niven's Inverse of Clarke's Third Law






Re: [c-nsp] dot1Q trunk, not point-to-point

2012-02-28 Thread Ge Moua

re: VTP

I've seen where if VTP frames arrive as out-of-order, then they get 
discarded/dropped (albeit not with the specific implementation you are 
looking at).


--
Regards,
Ge Moua

University of Minnesota Alumnus
Email: moua0...@umn.edu
--


On 2/28/12 8:26 AM, Victor Sudakov wrote:

Phil Mayers wrote:

Is it required that a 802.1Q trunk is a point-to-point link between
exactly two switches? What if I have several switches with trunk ports
connected to a shared medium, should I expect problems?

No. It should work fine.

Any possible problems with VTP and DTP?




Re: [c-nsp] IPSEC Remote access to MPLS VPN

2012-02-21 Thread Ge Moua

See below for an exemplar of VRF-aware RA-VPN on IOS (the posted snippet had a 
few name mismatches; they are fixed here and marked with "!!" comments):

!! c7206vxr / npe-g1 / vam2+
!
!! VRF name aligned with the "ip vrf forwarding", "vrf" and "ip route vrf"
!! references below (the posted snippet defined it as VRF-LITE_RA-VPN)
ip vrf RA-VPN
 description (VRF Lite) RA-VPN to (MPLS VRF) RA-VPN for remote access vpn applications
 rd 200:1000

aaa new-model
!! list name must match "isakmp authorization list" in the ISAKMP profile
aaa authorization network AAA-AUTHORIZATION_GROUP-LIST_LOCAL local
aaa authentication login AAA-AUTHENTICATION_LIST_LOCAL local

ip local pool IP-POOL_RA-VPN 192.168.50.177 192.168.50.188

access-list 100 remark ## [START] Extended ACL 100 ##
access-list 100 remark ## Facilitate Split-Tunneling for Remote Access IPSec Clients to RA-VPN VRF ##
access-list 100 remark ## Match Egress Traffic Sourced from RA-VPN VRF & Enable Crypto Encryption ##
access-list 100 remark ## Bypass Crypto for Non-matching Egress Traffic & Punt to Clear-Text ##
access-list 100 permit ip 172.16.48.0 0.0.15.255 any
access-list 100 permit ip 172.16.1.0 0.0.1.255 any
access-list 100 remark ## [END] Extended ACL 100 ##

!! phase-1 policy and the transform-set referenced by the dynamic map were
!! not in the posted snippet; 3DES/SHA is assumed from the transform-set name
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto ipsec transform-set TRANSFORM-SET_3DES-SHA esp-3des esp-sha-hmac

!! group name must match "match identity group" in the ISAKMP profile
crypto isakmp client configuration group CRYPTO-GROUP_RA-VPN
 key removed.
 dns ip_addr_1 ip_addr_2
 domain domain_suffix
 pool IP-POOL_RA-VPN
 acl 100
 netmask 255.255.255.248

crypto isakmp profile ISAKMP-PROFILE_RA-VPN
   description ## Crypto ISAKMP Profile (VRF-Aware IPSec) * RA IPSec VPN to RA-VPN VRF ##
   vrf RA-VPN
   match identity group CRYPTO-GROUP_RA-VPN
   !
   client authentication list AAA-AUTHENTICATION_LIST_LOCAL
   isakmp authorization list AAA-AUTHORIZATION_GROUP-LIST_LOCAL
   !
   client configuration address initiate
   client configuration address respond

crypto dynamic-map CRYPTO-DYNAMIC-MAP_RA-VPN 1
 set transform-set TRANSFORM-SET_3DES-SHA
 set isakmp-profile ISAKMP-PROFILE_RA-VPN
 reverse-route

crypto map CRYPTO-MAP_RA-VPN 1 ipsec-isakmp dynamic CRYPTO-DYNAMIC-MAP_RA-VPN

!
interface GigabitEthernet0/1.791
 description VRF-aware IPSec front-door VRF termination
 encapsulation dot1Q 791
 ip vrf forwarding RA-VPN
 ip address ip_addr subnet_mask
 ip flow ingress
 logging event subif-link-status
 snmp trap link-status
 standby delay reload 120
 standby version 2
 standby 791 ip hsrp_vip
 standby 791 preempt
 standby 791 name HA-FVRF_RA-VPN
 standby 791 track GigabitEthernet0/2.3565
 crypto map CRYPTO-MAP_RA-VPN redundancy HA-FVRF_RA-VPN
 !
 no shut

interface GigabitEthernet0/2.3565
 description VRF-aware IPSec inside VRF decryption
 encapsulation dot1Q 3565
 ip vrf forwarding RA-VPN
 ip address ip_addr subnet_mask
 ip flow ingress
 logging event subif-link-status
 snmp trap link-status
 standby delay reload 120
 standby version 2
 standby 3565 ip hsrp_vip
 standby 3565 preempt
 standby 3565 name HA-IVRF_RA-VPN
 standby 3565 track GigabitEthernet0/1.791
 !
 no shut

!! route & return path to originating ipsec clients from front-door VRF RA-VPN !!
!
ip route vrf RA-VPN 0.0.0.0 0.0.0.0 fvrf_next_hop name Dest: Default Route * Next-Hop: node_name * Descr: (VRF-Lite) RA-VPN to (MPLS VRF) 'RA-VPN'

!
!! route to inside VRF RA-VPN !!
ip route vrf RA-VPN 172.16.48.0 255.255.240.0 192.168.140.118 name Dest: /20 CIDR Summary Route * Next-Hop: node_name * Descr: 'RA-VPN' MPLS VRF
ip route vrf RA-VPN 172.16.0.0 255.255.254.0 192.168.140.118 name Dest: /23 CIDR Summary Route * Next-Hop: node_name * Descr: 'RA-VPN' MPLS VRF



--
Regards,
Ge Moua

University of Minnesota Alumnus
Email: moua0...@umn.edu
--


On 2/15/12 3:21 AM, Ge Moua wrote:

+ hw_platforms
* 7206 vxr / npe-g1 / vam2+
* 18xx ISR / 28xx ISR / 28xx ISR2
+ sw
* 12.4 (x) T
* 15.x (x) T

The only significant problem we ran into was for the RRI use case: 
there was a bug that didn't populate the next-hop correctly and it 
had to be manually specified; hopefully Cisco has fixed this by now:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtg41606



Give me some time to scrub the configs and I'll send them off-line to you.

--
Regards,
Ge Moua

University of Minnesota Alumnus
Email: moua0...@umn.edu
--

On 2/15/12 3:07 AM, ar wrote:

Hi Ge.

Thanks for your response.
What platform did you use? 7200 also?
Can you share your template?
I'll try the following:
-site to site
- remote access using vpn client software (Cisco/microsoft)
- SSL VPN if possible


*From:* Ge Moua moua0...@gmail.com
*To:* ar_...@yahoo.com
*Sent:* Wednesday, February 15, 2012 12:52 AM
*Subject:* Re: [c-nsp] IPSEC Remote access to MPLS VPN

We did all of the requirements you mentioned at the Univ of Minn.

As you mentioned, the documentation is out there but not nicely in 
one area of Cisco CCO land.


You're looking down the right path with vrf-aware IPSec.  We 
experimented with both flavors:

* full blown mpls/bgp/vrf (6VPE / 4VPE)
* vrf-lite

In the end we thought doing the vrf-lite option then mapping these to 
6VPE / 4VPE mpls-bgp provided the best options for functionality & 
config flexibility:

* well defined front-door vrf to inside-vrf mapping (native ip)
* native ip termination

Re: [c-nsp] IPSEC Remote access to MPLS VPN

2012-02-15 Thread Ge Moua

We did all of the requirements you mentioned at the Univ of Minn.

As you mentioned, the documentation is out there but not nicely in one
area of Cisco CCO land.

You're looking down the right path with vrf-aware IPSec.  We
experimented with both flavors:
* full blown mpls/bgp/vrf (6VPE / 4VPE)
* vrf-lite

In the end we thought doing the vrf-lite option then mapping these to
6VPE / 4VPE mpls-bgp provided the best options for functionality &
config flexibility:
* well defined front-door vrf to inside-vrf mapping (native ip)
* native ip termination for front-door vrf (vs. 6vpe / 4vpe will be
ldp/mpls at front-door vrf & limited to default table unless you start
dealing with the complexity of route-leaking RD/RT; violates KISS in my
opinion).

Contact me off-list and I'll share config exemplars for what you are
looking for.

--
Regards,
Ge Moua

University of Minnesota Alumnus
Email: moua0...@umn.edu
--


On 2/15/12 2:09 AM, ar wrote:

Hi Guys.

I would like to setup a remote access IPSEC/SSL VPN then maps to MPLS VPN/VRFs.
I'm thinking of using 7206VXR as the concentrator/PE for this.
Remote clients will use cisco/microsoft vpn clients.
Site-to-site vpn will be supported too.


Anyone has good documentation for configuration?
I'm reading vrf-aware ipsec but it seems to lack more configurations options.

Any comments?

thanks


Re: [c-nsp] IPSEC Remote access to MPLS VPN

2012-02-15 Thread Ge Moua

+ hw_platforms
* 7206 vxr / npe-g1 / vam2+
* 18xx ISR / 28xx ISR / 28xx ISR2
+ sw
* 12.4 (x) T
* 15.x (x) T

The only significant problem we ran into was for the RRI use case: 
there was a bug that didn't populate the next-hop correctly and it had 
to be manually specified; hopefully Cisco has fixed this by now:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtg41606



Give me some time to scrub the configs and I'll send them off-line to you.

--
Regards,
Ge Moua

University of Minnesota Alumnus
Email: moua0...@umn.edu
--


On 2/15/12 3:07 AM, ar wrote:

Hi Ge.

Thanks for your response.
What platform did you use? 7200 also?
Can you share your template?
I'll try the following:
-site to site
- remote access using vpn client software (Cisco/microsoft)
- SSL VPN if possible


*From:* Ge Moua moua0...@gmail.com
*To:* ar_...@yahoo.com
*Sent:* Wednesday, February 15, 2012 12:52 AM
*Subject:* Re: [c-nsp] IPSEC Remote access to MPLS VPN

We did all of the requirements you mentioned at the Univ of Minn.

As you mentioned, the documentation is out there but not nicely in one 
area of Cisco CCO land.


You're looking down the right path with vrf-aware IPSec.  We 
experimented with both flavors:

* full blown mpls/bgp/vrf (6VPE / 4VPE)
* vrf-lite

In the end we thought doing the vrf-lite option then mapping these to 
6VPE / 4VPE mpls-bgp provided the best options for functionality & 
config flexibility:

* well defined front-door vrf to inside-vrf mapping (native ip)
* native ip termination for front-door vrf (vs. 6vpe / 4vpe will be 
ldp/mpls at front-door vrf & limited to default table unless you start 
dealing with the complexity of route-leaking RD/RT; violates KISS in my 
opinion).


Contact me off-list and I'll share config exemplars for what you are 
looking for.


--
Regards,
Ge Moua

University of Minnesota Alumnus
Email: moua0...@umn.edu
--


On 2/15/12 2:09 AM, ar wrote:
 Hi Guys.

 I would like to set up a remote access IPSEC/SSL VPN that maps to 
MPLS VPN/VRFs.

 I'm thinking of using 7206VXR as the concentrator/PE for this.
 Remote clients will use cisco/microsoft vpn clients.
 Site-to-site vpn will be supported too.


 Does anyone have good documentation for configuration?
 I'm reading vrf-aware ipsec but it seems to lack more configuration 
options.


 Any comments?

 thanks





[c-nsp] private use for 4byte ASN

2012-02-15 Thread Ge Moua
Does anyone know if there is an RFC standard that defines private use of 
(32bit) 4byte ASN?  I was hoping that since 4byte ASN allows for a much 
larger range, the same would go for best-practice use of private ASN 
as well.


--
Regards,
Ge Moua
moua0...@umn.edu
--




Re: [c-nsp] private use for 4byte ASN

2012-02-15 Thread Ge Moua

Hi
David K-
You're the second person who's told me that; thanks.

For a large organization with a few thousand branch sites (using BGP for 
internal inter-connectivity and without the need to advertise the 
AS_Path to the public Internet), I was thinking it would be nice to designate a 
private ASN per site.


Of course this count would exceed that of what 2byte / 16 bit ASN would 
prescribe per RFC-1930.  I was hoping that maybe the use of 4byte / 
32bit ASN would provide an expanded range of private ASN to meet this 
requirement.


I was hoping to avoid BGP trickery such as AS-override and the like.

Thanks again for the feedback.

--
Regards,
Ge Moua

University of Minnesota Alumnus
Email: moua0...@umn.edu
--


On 2/15/12 5:16 PM, Daniel Kratz wrote:

Hi Ge Moua,

IANA did not allocate 4-byte AS to private use [1].  Probably they 
considered that the range between 64512 ~ 65534 from 16-bit ASN is enough.
The 32-bit ASN is easier to get/justify than a 16-bit ASN... The same thinking 
is valid to get an IPv6 CIDR.


[]'s
Kratz


[1] - IANA Autonomous System Numbers
http://www.iana.org/assignments/as-numbers/as-numbers.xml

2012/2/15 Ge Moua moua0...@umn.edu

Does anyone know if there is an RFC standard that defines private
use of (32bit) 4byte ASN?  I was hoping that since 4byte ASN
allows for a much larger range, the same would go for
best-practice use of private ASN as well.

--
Regards,
Ge Moua
moua0...@umn.edu
--






--
Any fool can know. The point is to understand.
Albert Einstein



Re: [c-nsp] EoMPLS ?s

2011-10-13 Thread Ge Moua
Once upon a time, we too did this between two sites about 90 miles apart 
with:

* a transport in the middle with a partner/service provider doing MPLS CsC
* on the edge sites with EoMPLS

lesson learned:
* as previously mentioned already, do as large MTU as possible for all 
transit links

* large MTU at the core

we had a situation where we forgot to enable jumbo frames on one of the core 
transit links & needless to say traffic traversing that path was being 
dropped if pkt size was greater than that specified MTU (which was just 
the default of 1500); fix was to enable jumbo frames there too then all 
was working


MPLS is pretty unforgiving in that area (also as previously mentioned)

--
Regards,
Ge Moua
Univ of Minn Alumnus
--


On 10/12/11 3:02 PM, Arie Vayner (avayner) wrote:

Jason,

There is no fragmentation in MPLS. Either you can forward the packet, or
it is dropped.
You need to either have a larger MTU on the core (usually the way it is
implemented today), or reduce MTU at both sides.
As this is a L2 link, you can't use things like MSS adjust etc...

Arie

-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jason LeBlanc
Sent: Wednesday, October 12, 2011 20:53
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] EoMPLS ?s

We're considering using EoMPLS port mode to bridge two datacenters
together temporarily for a move using sup720-3BXL on both ends with 6724
blades, probably 2 or 4 gig links, possibly 10g if I can get them to buy
the HW.  The question I have primarily is with regard to MTU.  I have
heard there are issues with ensuring both sides match, not much concern
there.  But the network between the two facilities may be lower than the
1518 bytes, causing fragmentation.  I know this gets punted to the RP,
and is going to be a problem.  Is there any work around?

Thanks,
Jason


Re: [c-nsp] EoMPLS ?s

2011-10-13 Thread Ge Moua
In the past, we've used hw engines like the Cisco PXF (NSE-1xx) on the 
73xx router platforms to do hw-based L2TPv3 processing; otherwise L2TPv3 
in CPU is very resource intensive.


One can also consider doing something like MPLSoGRE/ATOM, then allow for 
the L3/GRE headers to do frag/defrag where needed (for 1500 MTU links).  
Throughput may be a concern here as frag/defrag is typically punted to CPU 
(unless there are ASICs now that can do that which I'm not aware of).  
There are platforms that handle GRE processing in hw, but not 
necessarily fragmentation for the large payload inside the GRE pkts.


I've been told by Cisco TAC that one should do some baseline testing 
then see if performance related to the chosen transport/signaling 
methodology is sufficient based on needs.


Also on more than one occasion, Cisco TAC has recommended an MPLS 
transport variation for extending L2 nets in lieu of doing L2 over 
native IP like L2TPv3 (assuming one already has an MPLS core); 
justification was something about more SMEs for MPLS vs L2TPv3.


Good luck.

--
Regards,
Ge Moua
Univ of Minn Alumnus
--


On 10/13/11 11:00 AM, Jason LeBlanc wrote:
I may not be able to use this option then as I have no control of MTU 
between the sites, and I am assuming it is 1500 bytes.  No room for 
MPLS headers.  Not sure I can get the throughput with L2TPv3 unless 
this can be done in HW on some platform.


On 10/13/2011 09:19 AM, Ge Moua wrote:
Once upon a time, we too did this between two sites about 90 miles 
apart with:
* a transport in the middle with a partner/service provider doing 
MPLS CsC

* on the edge sites with EoMPLS

lesson learned:
* as previously mentioned already, do as large MTU as possible for 
all transit links

* large MTU at the core

we had a situation where we forgot to enable jumbo frames on one of the 
core transit links & needless to say traffic traversing that path was 
being dropped if pkt size was greater than that specified MTU (which 
was just the default of 1500); fix was to enable jumbo frames there 
too then all was working


MPLS is pretty unforgiving in that area (also as previously mentioned)

--
Regards,
Ge Moua
Univ of Minn Alumnus
--


On 10/12/11 3:02 PM, Arie Vayner (avayner) wrote:

Jason,

There is no fragmentation in MPLS. Either you can forward the packet, or
it is dropped.
You need to either have a larger MTU on the core (usually the way it is
implemented today), or reduce MTU at both sides.
As this is a L2 link, you can't use things like MSS adjust etc...

Arie

-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jason LeBlanc
Sent: Wednesday, October 12, 2011 20:53
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] EoMPLS ?s

We're considering using EoMPLS port mode to bridge two datacenters
together temporarily for a move using sup720-3BXL on both ends with 6724
blades, probably 2 or 4 gig links, possibly 10g if I can get them to buy
the HW.  The question I have primarily is with regard to MTU.  I have
heard there are issues with ensuring both sides match, not much concern
there.  But the network between the two facilities may be lower than the
1518 bytes, causing fragmentation.  I know this gets punted to the RP,
and is going to be a problem.  Is there any work around?

Thanks,
Jason
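
The MTU arithmetic behind both EoMPLS replies above (jumbo core MTU for AToM, fragmentation for L2TPv3/GRE, IPsec on top), added here as an example; it is not code from the thread or from Cisco. Header sizes are the fixed ones from the respective RFCs; two labels plus control word for AToM, a 4-byte L2TPv3 cookie without sequencing, and AES-CBC with HMAC-SHA1-96 for ESP are assumed defaults passed as parameters.

```python
# Fixed header sizes in bytes (Ethernet FCS excluded, as in MTU figures).
ETH_HDR = 14              # dst MAC + src MAC + EtherType
DOT1Q_TAG = 4
MPLS_LABEL = 4
ATOM_CONTROL_WORD = 4
IPV4_HDR = 20
UDP_HDR = 8
GRE_HDR = 4               # GRE without key/sequence/checksum options
L2TPV3_SESSION_ID = 4
L2TPV3_L2_SUBLAYER = 4    # present only when sequencing is enabled
ESP_HDR = 8               # SPI + sequence number
ESP_TRAILER = 2           # pad length + next header


def customer_frame_len(payload_mtu=1500, tagged=True):
    """Ethernet frame the pseudowire has to carry (the 1518 bytes in the thread)."""
    return payload_mtu + ETH_HDR + (DOT1Q_TAG if tagged else 0)


def eompls_len(payload_mtu=1500, tagged=True, labels=2, control_word=True):
    """MPLS packet for one customer frame: tunnel label + VC label (+ control word)."""
    cw = ATOM_CONTROL_WORD if control_word else 0
    return customer_frame_len(payload_mtu, tagged) + cw + labels * MPLS_LABEL


def l2tpv3_len(payload_mtu=1500, tagged=True, cookie=4, sequencing=False, over_udp=False):
    """IPv4 packet for one customer frame carried natively in L2TPv3 (or over UDP).
    cookie is an assumed default; Cisco lets you choose 0, 4 or 8 bytes."""
    hdr = IPV4_HDR + (UDP_HDR if over_udp else 0) + L2TPV3_SESSION_ID + cookie
    if sequencing:
        hdr += L2TPV3_L2_SUBLAYER
    return customer_frame_len(payload_mtu, tagged) + hdr


def mpls_over_gre_len(payload_mtu=1500, tagged=True, control_word=True):
    """AToM inside GRE: IP/GRE replace the tunnel label, so only the VC label remains."""
    return IPV4_HDR + GRE_HDR + eompls_len(payload_mtu, tagged, labels=1,
                                           control_word=control_word)


def esp_tunnel_len(inner_len, iv=16, block=16, icv=12):
    """Packet size after ESP tunnel mode (defaults assume AES-CBC + HMAC-SHA1-96)."""
    pad = (-(inner_len + ESP_TRAILER)) % block   # pad plaintext to the cipher block size
    return IPV4_HDR + ESP_HDR + iv + inner_len + pad + ESP_TRAILER + icv


def path_verdict(packet_len, path_mtu, transport):
    """Fate of a packet on a link whose IP/MPLS MTU is path_mtu.
    transport is "mpls" (cannot fragment, so the packet is dropped) or "ip"
    (fragments, which on most platforms means a trip through the CPU).
    shortfall is how much the edge MTU would have to shrink, or the core grow."""
    if packet_len <= path_mtu:
        outcome = "forwarded"
    elif transport == "mpls":
        outcome = "dropped"
    else:
        outcome = "fragmented"
    return {"packet_len": packet_len, "path_mtu": path_mtu,
            "shortfall": max(0, packet_len - path_mtu), "outcome": outcome}


if __name__ == "__main__":
    cases = [
        ("EoMPLS, 2 labels + CW", eompls_len(), "mpls"),
        ("L2TPv3/IP, 4-byte cookie", l2tpv3_len(), "ip"),
        ("AToM over GRE", mpls_over_gre_len(), "ip"),
        ("L2TPv3 inside IPsec ESP", esp_tunnel_len(l2tpv3_len()), "ip"),
    ]
    for name, size, transport in cases:
        for mtu in (1500, 9000):          # default link vs. jumbo-enabled core
            v = path_verdict(size, mtu, transport)
            print(f"{name:26s} {size:5d} bytes over MTU {mtu:4d}: "
                  f"{v['outcome']} (shortfall {v['shortfall']})")
```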


Re: [c-nsp] Open Source netflow recommendations

2011-05-18 Thread Ge Moua
If vendors start playing games with license fees per feature (to pad their
revenues), then one either conforms or works around them.  If this pertains to
netflow, I've done something like the following in the past:
* span traffic to pkt collector
* on pkt collector, run something like fprobe to convert raw pkt to flow
format
* export flow to said flow collector

This man-in-the-middle approach may be somewhat silly to bypass licensed
netflow feature, and could be moot if one needed another license to do
spans.

Regards,
Ge Moua



On Wed, May 18, 2011 at 8:13 AM, Justin M. Streiner strei...@cluebyfour.org
 wrote:

 On Tue, 17 May 2011, Lee Starnes wrote:

  Does anyone have any recommendations for an open source netflow solution?
 If
 there is nothing out there, what is recommended in the non-open source
 world? Are there any to absolutely stay away from?


 The answer to that question would depend on what you want to do with the
 Netflow data you collect.  If you're mainly interested in generating graphs
 and top-talker reports, NFSen/NFDump is a very usable option.

 If you're looking for something that does more than that, then you're
 getting into the realm of commercial applications.

 Another increasingly important question is if you want or need Netflow
 v9/v10 (IPFIX) support, to get Netflow data for IPv6 traffic.  This becomes
 important, not only in terms of gauging the capabilities of your Netflow
 collection/analysis setup, but also determining features and pricing for new
 router hardware/software/licensing.  Both Cisco and Juniper are moving
 toward a model where certain features need to be individually licensed and
 activated, or additional hardware needs to be purchased (Juniper's
 Multiservices PICs/MPCs for the M/MX platforms comes to mind).

 jms



Re: [c-nsp] FWSM upgrade

2011-03-31 Thread Ge Moua

i agree with tony here.

if you are somewhat paranoid; then take the compact flash and do:
dd to snapshot image
dd snapshot image to another compact flash with same capacity

if anything goes wrong with the upgrade then you have an exact replica 
of the previous f/s, ios, etc.


the fwsm is some linux derivative with a vanilla boot partition & ext 
filesystem


i've done this before and this works well.


--
Regards,
Ge Moua

Network Design Engineer
University of Minnesota | OIT - NTS
--


On 3/31/11 3:05 PM, Tony Varriale wrote:


I would save my config, load the software then reload.  3.1x to 3.2x 
isn't anything big.  If you are already on 3.1 you have the correct 
maintenance software.


http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/upgrade/guide/fwsm31up.html#wp2070189 



tv 



Re: [c-nsp] ME6524 dying

2011-03-15 Thread Ge Moua
we've got similar boxes at a few large remote sites doing similar 
functionality as yours, and these run pretty rock solid with the 
exception of running into a few IOS bugs here & there:


sh inv
NAME: ME-C6524GS-8S, DESCR: Cisco Systems Catalyst 6500 1.5 RU virtual Chassis System
PID: ME-C6524GS-8S , VID: V03, SN: CAT1203C01Y


--
Regards,
Ge Moua

Network Design Engineer
University of Minnesota | OIT - NTS
--


On 3/15/11 9:38 AM, Bernhard Schmidt wrote:

Hi,

we have a ME6524-GT series in a remote location that keeps dying on us
every couple of weeks. Symptoms are:

* All routing protocols and LLDP time out on our side
* Physically the box looks fine, Status LED and even the link LEDs are
   still green
   - I cannot really say something about the physical link status, since
 the link in question does not forward link-state to our side
* Console is dead, no reaction at all
   - we do not have any OOB equipment on location yet, so I cannot tell
 whether it emitted a dying gasp
* CPU, Memory, all look normal up to five minutes before the crash
* remote syslog is enabled, nothing visible in it
* no crashdump on any file system
* looks fine after power cycle, no warnings anywhere

The box is not doing much at all, OSPFv2/v3, MPLS LDP and BGP towards
our core and one partial transit, maybe 4000 prefixes, 200 Mbps of
traffic.

Up to now we have been running 12.2(33)SXI5 Adv.IP non-modular, I have
now downgraded to SXI4.

This is my first Cisco ever that isn't even accessible on the console
anymore when it crashes. Has anyone seen something similar?

Best Regards,
Bernhard



Re: [c-nsp] Leaking global into VRF

2011-03-11 Thread Ge Moua

some of these issues are addressed in previous post; search for:
*VRF and STATIC ROUTE to GLOBAL*

--
Regards,
Ge Moua

Network Design Engineer
University of Minnesota | OIT - NTS
--


On 3/11/11 4:40 AM, Anrey Teslenko wrote:

Hello.
We have the same issue, which you discussed here.
How can we configure a route back to the VRF if routes inside it are coming
through eBGP?

According to this
http://www.cisco.com/en/US/tech/tk436/tk832/technologies_configuration_example09186a0080231a3e.shtml
we can do that only for static routes.

How to do dynamic route leaking from VRF to Global?

Thanks for advice


2010/11/9 Harold Ritterhrit...@cisco.com


Jason,

Remember that the traffic will be forwarded according to the global routing
table, so you do not need a label unless you have a BGP free core. Does the
destination have a route back to the VRF route though?

Regards

Le 2010-11-09 à 08:45, Jason Lixfeld a écrit :


On 2010-11-09, at 1:18 AM, Oliver Boehmer (oboehmer) wrote:


Jason,


I'm trying to lab up a scenario where I can leak routes from the global
table into a VRF, but I'm running up against an issue and I'm hoping someone
here can point out where I might be misstepping.

My P router is also my peering router.  That is, in addition to its P
duties, it also speaks eBGP to another autonomous system.  I want to take
the eBGP learned prefixes and import them into a VRF.  This part seems to
work, but the issue is that the adjacent PE doesn't seem to see the prefix
that has been imported.  The PE sees the global entry, but it doesn't see
the prefix in the vpnv4 AF for the VRF in question.

This looks expected as a PE router (your peering router) importing a
prefix from another VRF (or from global in your case) into a VRF never
exports this prefix from the importing VRF into vpnv4. So in your case,
you need the "import ipv4 unicast map VRF-IMPORT" on all PE routers
needing the prefix.

Interesting.  I was of the belief that MPBGP would take care of
announcing these prefixes once leaked into a VRF AF.  Have I misunderstood
the extent of MPBGP here, or is there another way to do it that uses (MP)BGP
in some way?

Until then, I've set "import ipv4 ..." on all the PEs down the line, and
while the prefix is now seen inside the VRF on all the devices I expect it
to, my packets still don't seem to be getting to where I want them to go.
That is, they seem to be going nowhere.  I think one reason why is because
no routers inside my network have a label associated with the eBGP prefix
I'm trying to reach:

P1#show ip route vrf INTERNET 7.7.7.7

Routing Table: INTERNET
Routing entry for 7.7.7.7/32
  Known via bgp , distance 20, metric 0
  Tag 1, type external
  Last update from 7.0.0.1 00:02:38 ago
  Routing Descriptor Blocks:
  * 7.0.0.1 (default), from 7.0.0.1, 00:02:38 ago
  Route metric is 0, traffic share count is 1
  AS Hops 1
  Route tag 1
  MPLS label: none
P1#

And if this is potentially the root cause, how to get a label on this
prefix isn't clear to me.  This is an eBGP prefix from an outside AS.  They
have no knowledge that their announcements are ultimately going to end up in
a VRF once they get over to us.  I only mention that in case it turns out to
be part of the problem.



Harold Ritter
Directeur Technique/Technical Leader
Advanced Services Central Engineering
CCIE 4168 (RS, SP)

har...@cisco.com
Téléphone: 514 847 6856

Les Systèmes Cisco
1800 McGill College
Suite 700
Montréal, Québec H3A 3J6
Canada


Re: [c-nsp] Searching for cheap IPv6 NAT-PT Cisco-device

2011-02-25 Thread Ge Moua
what about the option of doing a 6to4 relay; we do this with some 
low-end c2621xm routers and these work just fine


--
Regards,
Ge Moua

Network Design Engineer
University of Minnesota | OIT - NTS
--


On 2/25/11 7:17 AM, Andreas Mueller wrote:


Hello,

I would like to connect IPv4-only devices like printers to an 
IPv6-only Network and I thought about doing this with NAT-PT on a 
cisco-device. To play around with NAT-PT and do some tests I need a 
cheap device.
According to the cisco document Implementing NAT-PT for IPv6 
(http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-nat_trnsln_ps6350_TSD_Products_Configuration_Guide_Chapter.html)
I need IOS 12.4(2)T if I want to use all the available features. What 
is the cheapest cisco-device with at least two or better four fast 
ethernet ports running IOS 12.4(2)T to evaluate if configuring NAT-PT 
is a solution for my problem?


greetings and thanks for help,

Andreas




Re: [c-nsp] 6509 IPv6 OSPF Auth

2011-02-18 Thread Ge Moua
I agree with Nick's well written point.  That is why I like a link-state 
IGP like IS-IS where one does have the option of running IPv6 with 
authentication and not have to worry about different versions of said 
dynamic routing protocol, but this is clearly deviating from the initial 
question/issue.


--
Regards,
Ge Moua

Network Design Engineer
University of Minnesota | OIT - NTS
--


On 2/18/11 12:36 PM, Nick Hilliard wrote:

On 18/02/2011 17:51, Justin Krejci wrote:

Yeah... I guess no one would ever use IPv6 with OSPF until IPv6 feature
sets are completely matured on all platforms of every major vendor. Or
maybe no vendor should release any v6 support until every feature was
100% v6 enabled.


I don't think that was the problem.  The IETF wonks saw MD5 
authentication on OSPFv2 as a dirty hack, rather than as a quick and 
easy means of providing a 99.99% solution to OSPF authentication.  
Instead, they wanted a 100% solution, and in their opinion IPsec was 
the way to do this because it provided a cryptographically sound 
framework for authentication and encryption services.  So they 
mandated that there should be no MD5 authentication for OSPFv3, just 
IPsec.


As hooking anything into IPsec tends to be difficult (there is no 
standardised API, and it's a pretty gargantuan framework), ospfv3 
authentication is not implemented on many platforms.


Perfection is the enemy of good enough.

Nick



Re: [c-nsp] VTP war stories (was Re: EoMPLS or VPLS loop prevention/storm control)

2011-02-09 Thread Ge Moua
thanks, Ivan for the correction; that was a good read by the way; so to 
clarify what we do on our end:
* (in addition to setting edge & distribution switches to vtp client 
or transparent mode) one should also delete the vlan db (akin to doing):

del flash:/vlan.dat



--
Regards,
Ge Moua

Network Design Engineer
University of Minnesota | OIT - NTS
--


On 02/09/2011 06:01 PM, Ivan wrote:

It is not always as well known, but client mode will not prevent usurping
the vtp domains.  This article covers things in a bit more detail -
http://www.networkworld.com/community/node/19931

Ivan


I'd agree that vtp can cause major problems if not deployed with caution
& mechanisms to mitigate disasters.  we have a huge lan infrastructure
here with over 65,000 edge ports.  what we do is divide the
campus/enterprise into 18 vtp domains so if there is a layer2 or vtp
meltdown this doesn't affect all of campus; also the core switch (in
this case 6509 w/sup720-3bxl) per vtp domain is the sole designated vtp
server mode device (this is important) as well as the root bridge
(fine-tune stp cost to do so); all others are in client mode or
transparent.  for edge or distribution switches, it is also important to
change default server mode to client (or transparent) -- again this is
important to avoid usurping the vtp domains. vtp comes in handy when
dealing with large amount of ports and one doesn't want to hand
configure vlan to port mapping manually; however as already mentioned all
of this is not without risks.

when our current network was deployed initially about 7 years ago, we had
periodic spanning-tree meltdown per vtp domain, but never to all 18 vtp
domains at the same time; root cause was typical offenders:
* misbehaving gear that seized control as root bridge
* dumb hub connecting multiple vlans
* etc.

over the years, cisco ios has had many vtp/stp/layer-2 bugs worked out;
and I'd say one doesn't see as many issues in this area as was in the
past; but caution is always a good thing.


--
Regards,
Ge Moua

Network Design Engineer
University of Minnesota | OIT - NTS
--


On 2/9/11 4:28 PM, Paul Wozney wrote:

I've seen VTP fail spectacularly.

A customer was using it on about 30 switches distributed to about 10-15
wiring closets.  They had a temp student come in who wanted to learn about
networking, so the student copied the core switch configuration and deployed
it on a lab switch.  The student decided to wipe the VLANs from this lab
switch and start from scratch.

When the lab switch was connected to the production network, its VTP
instance had the correct VTP password (as it was copied from the core
switch), but it had none of the VLANs required for the correct operation of
the network, and of course it had the higher revision number.

It was an innocent mistake, but it ended up to be a very bad day for
everyone involved and we've never used VTP for any other customer since that
day.

---
Paul Wozney
Network Consultant
phone: +1 604-629-9975
toll free: +1 866-748-0516
email: p...@wozney.ca
web: http://wozney.ca



On Wed, Feb 9, 2011 at 14:10, Martin Barryma...@supine.com   wrote:


$quoted_author = Nick Hilliard ;

Also, don't use VTP unless you like living dangerously.

Nick, that sounds like you have a good war story or three. Care to
share?

Can't say I've blown anything up with VTP ... yet.  :-)

cheers
Marty
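
A simplified model of the VTP revision-number behaviour behind Paul's story and Ivan's correction (client mode alone does not protect the domain; a cleared VLAN database does), added here as an example and not code from the thread or from Cisco. Switch names, the domain "CAMPUS-A", the password and the VLAN numbers are constructed; the plain password comparison stands in for the MD5 digest that real VTP advertisements carry.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Switch:
    name: str
    mode: str                 # "server", "client" or "transparent"
    domain: str
    password: str
    revision: int             # VTP configuration revision number
    vlans: Set[int] = field(default_factory=set)


@dataclass
class SummaryAdvert:
    """The fields of a VTP summary advertisement that matter for this model.
    Real VTP carries an MD5 digest over password + VLAN database; here the
    password is compared directly (simplification)."""
    domain: str
    password: str
    revision: int
    vlans: Set[int]


def advertise(sw: Switch) -> SummaryAdvert:
    return SummaryAdvert(sw.domain, sw.password, sw.revision, set(sw.vlans))


def receive(sw: Switch, adv: SummaryAdvert) -> bool:
    """Apply an advert to sw; return True if sw's VLAN database was replaced.
    Transparent mode only forwards adverts.  Server AND client mode both
    accept a higher revision from a matching domain/password, which is why
    client mode is not a safeguard."""
    if sw.mode == "transparent":
        return False
    if adv.domain != sw.domain or adv.password != sw.password:
        return False
    if adv.revision <= sw.revision:
        return False
    sw.vlans = set(adv.vlans)
    sw.revision = adv.revision
    return True


def clear_vlan_database(sw: Switch) -> None:
    """Effect of deleting vlan.dat and reloading (or changing the domain name):
    the revision drops to 0, so the switch can no longer outrank the domain."""
    sw.revision = 0
    sw.vlans = set()


def connect(domain: List[Switch], newcomer: Switch) -> List[str]:
    """Plug newcomer into a domain.  Returns names of switches whose VLAN
    database it overwrote.  Transparent switches do not originate adverts."""
    overwritten: List[str] = []
    if newcomer.mode != "transparent":
        adv = advertise(newcomer)
        overwritten = [sw.name for sw in domain if receive(sw, adv)]
    for sw in domain:                       # newcomer hears the server(s) too
        if sw.mode == "server":
            receive(newcomer, advertise(sw))
    return overwritten


def production_domain() -> List[Switch]:
    """Constructed sample domain: one server (the core) and three clients."""
    vlans = {10, 20, 30, 100}
    core = Switch("core-6509", "server", "CAMPUS-A", "s3cret", 42, set(vlans))
    edges = [Switch(f"edge-{i}", "client", "CAMPUS-A", "s3cret", 42, set(vlans))
             for i in range(1, 4)]
    return [core] + edges


def scenario(lab_mode: str, clear_first: bool) -> Dict[str, object]:
    """A lab switch built from the core's config (same domain and password),
    VLANs wiped, revision counter now higher than production's."""
    lab = Switch("lab", lab_mode, "CAMPUS-A", "s3cret", 57, set())
    if clear_first:
        clear_vlan_database(lab)
    overwritten = connect(production_domain(), lab)
    return {"overwritten": overwritten, "lab_vlans": set(lab.vlans)}


def war_story() -> Dict[str, object]:
    return scenario("client", clear_first=False)       # the incident in the thread


def with_cleared_db() -> Dict[str, object]:
    return scenario("client", clear_first=True)        # del flash:/vlan.dat first


def with_transparent() -> Dict[str, object]:
    return scenario("transparent", clear_first=False)  # never advertises
```

Run `war_story()` and the whole domain, core included, ends up with an empty VLAN set; `with_cleared_db()` shows the opposite, the lab switch learning production's VLANs from the core.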


Re: [c-nsp] Multiple VRFs over site-to-site VPN? Possible?

2011-02-03 Thread Ge Moua
If there were ISRs on both ends then I'd just do vrf-aware IPSec and plumb 
L2TPv3 inside of this to transport the vlan; of course this doesn't 
answer the original question of doing this with ASA.


--
Regards,
Ge Moua
Network Design Engineer

University of Minnesota | OIT - NTS
--


On 02/03/2011 04:26 AM, John Kougoulos wrote:


I believe that you can use ASA for the IPsec part and create GRE 
tunnels between the PE and CE (one for each VRF). You would need 
though something like ISR on both ends or switches that support GRE in 
hardware, so 3560/3750 should change.


Regards,
John

On Tue, 1 Feb 2011, Jeff Kell wrote:

Ran across a new requirement where we would like to extend our campus 
standard multi-VRF routed building out to a remote site over the public Internet.

Absent the ideal MPLS or multiple-vlan Metro-E, can you do this 
site-to-site over a pair of ASAs?

Ideally it would be something along the lines of:

VRF A vlan 123--
VRF B vlan 456--(terminating on --- Site ASA  Campus ASA  Campus PE (VRF A/B/C)
VRF C vlan 789--  3560/3750 CE)

Perhaps in simpler terms, bringing the 3 VRF vlans across the wire 
onto similar VRF vlans on the campus side.

On-campus we just run a dot1Q trunk with a vlan for each VRF from CE 
to PE.

Can you trunk them into the ASA and do separate tunnels over the 
public IP endpoints, dropping them on separate vlans on the other end?

Without meshing the routing / crossing the streams with respect to 
the VRFs?





Re: [c-nsp] Multiple VRFs over site-to-site VPN? Possible?

2011-02-01 Thread Ge Moua
we are doing a similar setup with l2tpv3 inside vrf-aware ipsec (on 
IOS); my preference would be to do this with EoMPLS/AToM (again on IOS) 
which also maintains the vlan/mpls vrf integrity; of course this doesn't 
answer your question about doing this on the asa; i'd be interested too in 
knowing how you'd solve this with an ASA setup (as a mental exercise).


--
Regards,
Ge Moua
Network Design Engineer

University of Minnesota | OIT - NTS
--


On 2/1/11 5:20 PM, Jeff Kell wrote:

Ran across a new requirement where we would like to extend our campus standard 
multi-VRF routed building out to a remote site over the public Internet.

Absent the ideal MPLS or multiple-vlan Metro-E, can you do this site-to-site 
over a pair of ASAs?

Ideally it would be something along the lines of:

VRF A vlan 123--
VRF B vlan 456--(terminating on ---  Site ASA   Campus ASA   Campus PE (VRF A/B/C)
VRF C vlan 789--   3560/3750 CE)

Perhaps in simpler terms, bringing the 3 VRF vlans across the wire onto similar 
VRF vlans on the campus side.

On-campus we just run a dot1Q trunk with a vlan for each VRF from CE to PE.

Can you trunk them into the ASA and do separate tunnels over the public IP 
endpoints, dropping them on separate vlans on the other end?

Without meshing the routing / crossing the streams with respect to the VRFs?

Jeff



Re: [c-nsp] FWSM Port-channel shutdown

2011-01-26 Thread Ge Moua
we saw similar behavior for some of the early batches of the fwsm back 
in 04/05; i'd suggest you rma these back to cisco; unofficial word was that 
there may have been bad capacitor issues.


--
Regards,
Ge Moua
Network Design Engineer

University of Minnesota | OIT - NTS
--


On 1/26/11 1:06 AM, Andrew Harris wrote:

Hi,

I have an issue in which when a new FWSM is inserted into one of our
6500s the internal Port-channel is immediately put into the admin down
status.

It is a 6509-E chassis running 12.2(18)SXF4 and the FWSM is running
3.1(3) in slot 3.

We have two other FWSM in slot 4 and 6 respectively, running fine.

We have other 6500s running SXF4 with a FWSM in slot 3 so I don't
think it is a placement issue.

Even if I boot into the maintenance partition it still immediately
shuts down the etherchannel.

I am sure I am missing something really basic, but any pointers would
be appreciated!

Thanks

Andy


Re: [c-nsp] EoMPLS on 7401ASR

2011-01-19 Thread Ge Moua

arie, thank you for the explanation.

I have seen the PXF engine on the 7304/nse-100 cause out-of-order packets 
for L2 protocols like VTP (and disabling PXF did remedy this), however 
I was told by TAC that this was a bad idea.  What we ended up doing was use 
VTP transparent mode (so VTP updates are not needed) and enabling PXF.


Thanks again.

--
Regards,
Ge Moua

Network Design Engineer
University of Minnesota | OIT - NTS
2218 University Ave SE
--


On 01/19/2011 02:00 PM, Arie Vayner (avayner) wrote:

The comment for disabling PXF was meant specifically for 7401, as I am
quite sure there are no PXF enhancements for the AToM functionality on
this platform (it is an old end of life box).
The 7304 is a different animal, and you should not consider this comment
relevant (I am not really sure what is implemented on 7304 in PXF, but
again - a different kind of animal)

Arie

-Original Message-
From: Ge Moua [mailto:moua0...@umn.edu]
Sent: Wednesday, January 19, 2011 20:29
To: Arie Vayner (avayner); cisco_nsp
Subject: Re: [c-nsp] EoMPLS on 7401ASR

the comment about
disable PXF when testing

I thought the PXF engine was supposed to allow more cef-like switching
for things like xconnect pseudowires.  Is it generally a bad idea to
disable this?  I'm asking because we have 7304 w/NSE-100 engines (with
PXF enabled).

Any feedback would be appreciated.

--
Regards,
Ge Moua

Network Design Engineer
University of Minnesota | OIT - NTS
2218 University Ave SE
--


On 01/19/2011 12:02 PM, Arie Vayner (avayner) wrote:

Jeroen,

The 7400 has reached Last Day of Support on December 2009, so I do not
really believe it is on any support contract with Cisco...


http://www.cisco.com/en/US/prod/collateral/routers/ps354/prod_end-of-life_notice0900aecd8010d319.html

Anyway, I can see on the download tool that 12.4(15)T is available for
this platform. I am quite sure it would have at least basic AToM
functionality (not 100% sure)...

Don't forget to disable PXF when testing...

Arie

-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jeroen van Ingen
Sent: Wednesday, January 19, 2011 18:35
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] EoMPLS on 7401ASR

Hi,

I've been experimenting with AToM (mainly EoMPLS) in a lab situation and
I'd like to make my test network a bit larger, but the only extra
hardware that I have available are old 7400 boxen (7401ASR).

Now according to the Software Advisor and the docs on AToM, the 7400
should support this feature starting from IOS 12.2(14)S. However the
images that Software Advisor lists can't be downloaded.

I understand that this old stuff might be full of bugs (considering
the track record of 7400/PXF and the age of this image), but does anyone
happen to have a compatible IOS image in their archives? Preferably
c7400-k91p-mz.12.2-14.S8 but I guess any c7400-*12.2*.S* will do.

By the way, our 7400 are still under a maintenance contract, but the
distributor is having a hard time getting this image (TAC couldn't find
it for them, if I understood correctly). Since the reach of this list is
much greater I was hoping that someone would happen to have this image
in their archives...


Regards,

Jeroen van Ingen
ICT Service Centre
University of Twente, P.O.Box 217, 7500 AE Enschede, The Netherlands




Re: [c-nsp] 1841 DHCP CONFIGURATION and NAT NOT WORKING

2010-11-03 Thread Ge Moua
I don't see your nat "outside" reference; see below for a working config 
on one of our routers that is doing what you are looking for:


ip dhcp excluded-address 10.2.10.254
!
ip dhcp pool INSIDE
   network 10.2.10.0 255.255.255.0
   domain-name comcastbusiness.net
   dns-server 68.87.77.130 68.87.72.130
   default-router 10.2.10.254
   lease 7
!
interface FastEthernet0/0
 description VoicePerfTuning-RR-01-Fa-0-0 * Simulate SIP though NAT behind SOHO
 ip address 173.11.44.235 255.255.255.240
 ip access-group EXT-ACL_BASIC-PROTECTION in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description VoicePerfTuning-RR-01-Fa-0-1 * Connect to SIP phone clients
 ip address 10.2.10.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 173.11.44.238 name Default via Comcast Business Class Internet
!
ip nat inside source list 10 interface FastEthernet0/0 overload





--
Regards,
Ge Moua

Network Design Engineer
University of Minnesota | OIT - NTS
--


On 11/03/2010 09:04 AM, Rocker Feller wrote:

Hi,

I have done dhcp and nat before, but it does not work on an 1841.

What have I missed out?

The lease is given but the NAT does not work.

I do not see the dhcp ip on arp, but see it on the lease pool.

Please help

ip dhcp excluded-address 192.168.1.254
!
ip dhcp pool grm
 network 192.168.1.0 255.255.255.0
 dns-server x.x.x.x  x.x.x.x
 default-router 192.168.1.254
!
interface FastEthernet0/1
 description Link to LAN
 ip address 192.168.1.254 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip nat inside source list 2 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 y.y.y.y
!
access-list 2 permit 192.168.1.0 0.0.0.255


Thanks
Rocker.
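
Added example (not from the thread, and not either poster's router config): a small Python checker for the mistakes visible in the config above. It parses the handful of IOS stanzas involved and reports when no interface is 'ip nat outside' (the point Ge makes), when the overload interface named on the 'ip nat inside source' line is not the outside interface, when the NAT access list is missing, and when the DHCP pool network is not on-link for any router interface, which the quoted config also gets wrong: the pool is 192.168.1.0/24 while FastEthernet0/1 carries a /30 mask. The two configs embedded in the block are constructed from the quoted one with placeholder addresses; the fixed variant is what the checks expect to pass.

```python
"""Added example: lint an IOS NAT/DHCP snippet for the problems in the thread.
The configs below are constructed, with placeholder addresses."""
import ipaddress
import re

# Constructed from the quoted config: LAN side is 'ip nat inside' but nothing is
# 'ip nat outside', the overload interface Fa0/0 is not defined, and the /30 on
# FastEthernet0/1 does not cover the /24 DHCP pool.
BROKEN_CONFIG = """\
ip dhcp pool grm
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.254
!
interface FastEthernet0/1
 description Link to LAN
 ip address 192.168.1.254 255.255.255.252
 ip nat inside
!
ip nat inside source list 2 interface FastEthernet0/0 overload
access-list 2 permit 192.168.1.0 0.0.0.255
"""

# The same config with those three problems fixed (also constructed).
FIXED_CONFIG = """\
ip dhcp pool grm
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.254
!
interface FastEthernet0/0
 ip address 192.0.2.2 255.255.255.248
 ip nat outside
!
interface FastEthernet0/1
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
!
ip nat inside source list 2 interface FastEthernet0/0 overload
access-list 2 permit 192.168.1.0 0.0.0.255
"""


def parse_ios(config):
    """Collect interfaces, DHCP pools, NAT source lines and ACL numbers.
    Only the small subset of IOS syntax used in the thread is understood."""
    cfg = {"interfaces": {}, "pools": {}, "nat_sources": [], "acls": set()}
    current = None  # (kind, name) of the stanza whose indented lines follow
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):  # a top-level command starts a new stanza
            current = None
            if m := re.match(r"interface (\S+)$", line):
                current = ("interface", m.group(1))
                cfg["interfaces"][m.group(1)] = {"nat": None, "addr": None}
            elif m := re.match(r"ip dhcp pool (\S+)$", line):
                current = ("pool", m.group(1))
                cfg["pools"][m.group(1)] = {"network": None, "router": None}
            elif m := re.match(r"ip nat inside source list (\S+) interface (\S+)", line):
                cfg["nat_sources"].append((m.group(1), m.group(2)))
            elif m := re.match(r"access-list (\S+) permit", line):
                cfg["acls"].add(m.group(1))
            continue
        if current is None:
            continue
        kind, name = current
        t = line.split()
        if kind == "interface" and t[:2] == ["ip", "address"] and len(t) == 4:
            cfg["interfaces"][name]["addr"] = ipaddress.ip_interface(f"{t[2]}/{t[3]}")
        elif kind == "interface" and t[:2] == ["ip", "nat"] and len(t) == 3:
            cfg["interfaces"][name]["nat"] = t[2]
        elif kind == "pool" and t[0] == "network" and len(t) == 3:
            cfg["pools"][name]["network"] = ipaddress.ip_network(f"{t[1]}/{t[2]}")
        elif kind == "pool" and t[0] == "default-router" and len(t) == 2:
            cfg["pools"][name]["router"] = ipaddress.ip_address(t[1])
    return cfg


def check_nat(config):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_ios(config)
    ifaces = cfg["interfaces"]
    findings = []
    roles = {i["nat"] for i in ifaces.values()}
    for role in ("inside", "outside"):
        if role not in roles:
            findings.append(f"no interface is marked 'ip nat {role}'")
    for acl, iface in cfg["nat_sources"]:
        if acl not in cfg["acls"]:
            findings.append(f"NAT source list {acl} has no access-list entries")
        if ifaces.get(iface, {}).get("nat") != "outside":
            findings.append(f"NAT overload interface {iface} is not 'ip nat outside'")
    addressed = [i["addr"] for i in ifaces.values() if i["addr"] is not None]
    for name, pool in cfg["pools"].items():
        net, gw = pool["network"], pool["router"]
        # clients get a pool address, so the router must have that subnet on-link
        if net is not None and not any(net.subnet_of(a.network) for a in addressed):
            findings.append(f"DHCP pool {name} ({net}) is not on-link for any interface")
        if gw is not None and not any(a.ip == gw for a in addressed):
            findings.append(f"DHCP pool {name} default-router {gw} is not an interface address")
    return findings
```

Running check_nat over the broken variant returns three findings (missing outside role, overload interface not outside, pool not on-link); the fixed variant returns none. The parser deliberately ignores everything it does not need, so it can be pointed at a full running-config without choking on unrelated stanzas.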


Re: [c-nsp] BGP support on the new ASA5585-X

2010-10-29 Thread Ge Moua
we too have a need for Cisco firewalls to speak BGP, especially at some of 
our smaller mpls vrf borders; we get around this by running the Cisco 
firewall in transparent mode (layer-2 mode) which allows for the bgp 
sessions to be built without any layer 3 boundary on the firewall to 
prohibit bgp sessions.


of course this doesn't address the need for bgp on the cisco firewall 
but does provide a work-around for the lack of it.


I too would like to see bgp on cisco firewalls

--
Regards,
Ge Moua
Network Design Engineer

University of Minnesota | OIT - NTS
--



sth...@nethelp.no wrote:

At this moment we know that ASA5585-X does not support BGP.

I'm sure it doesn't.  Routers are routers, firewalls are firewalls.


There are several firewall platforms that support BGP - and this can
actually be quite useful. Fortigate is one of them.

Steinar Haug, Nethelp consulting, sth...@nethelp.no


Re: [c-nsp] LNS alternative to 7200?

2010-10-15 Thread Ge Moua
 viable and cost-effective approach; any ideas if this package would 
support L2TPv3? or if there is another open-source package that would do 
L2TPv3?


--
Regards,
Ge Moua
Network Design Engineer

University of Minnesota | OIT - NTS
--


On 10/15/10 8:44 AM, Tom Devries wrote:

The CPU was way too high and we off-loaded
the LNS function to an open-source platform called L2TPNS running on a
couple of HP DL380 linux machines.



Re: [c-nsp] 2821 NAT Limitations

2010-10-14 Thread Ge Moua

 Rodney, thanks for the correction and feedback.

Is it true then that the ASR1K platform could achieve the same amount of 
NAT throughput without severe resource exhaustion, much like the ASA?  If 
so then this would be a viable option for the OP as route-map features 
would also be available on said router platform.


--
Regards,
Ge Moua
Network Design Engineer

University of Minnesota | OIT - NTS
--


On 10/14/10 4:47 AM, Rodney Dunn wrote:

In the spirit of technical accuracy.

NAT is a more complex feature than it appears on the surface. In 
regards to the process-switch portion: NAT today for normal http 
traffic is CEF switched, even the SYN's, along with the payload data.

The FIN/RST's are punted to tear the translations down.

As for the 2821 specifically, NAT is no different there (assuming same 
code version) than it is on a 72xx for example. Only difference is CPU 
power and memory (depending on the difference).


Therefore, scale is directly related to those two factors on the 
platform. And port ranges if you do overload.


The main factors to watch for scale are:

CPU
Memory
NAT pool allocation
Input Queue drops on interfaces (set them to the max)

Good NAT'ing. :)

For an IOS device the ASR1k is the leader today. It does ALL NAT'ing 
(even ALG) in the *hardware* forwarding path.


Rodney



On 10/13/10 5:40 PM, Ge Moua wrote:

forgot to mention that I'm fairly certain that many NAT sessions that
you require will overrun the 2800, which process switches that function (no
good).

--
Regards,
Ge Moua
Network Design Engineer

University of Minnesota | OIT - NTS
--


On 10/13/10 4:38 PM, Ge Moua wrote:

we do upwards of 75,000 NAT sessions on an asa-5550 with no problems;
bad thing here for you is that you'll also need a router platform to
do the route maps

not sure if you can split the functions, but if so then this might
work for you.

--
Regards,
Ge Moua
Network Design Engineer

University of Minnesota | OIT - NTS
--


On 10/13/10 4:11 PM, Dan Letkeman wrote:

Hi,

Wondering if anyone has some experience with the NAT limitations on a
2821 router? I have about 1500 users, of which about half are on
the internet at one time, but we have a proxy web filter appliance
that all of the clients connect to that does a website lookup and
check before it lets the client access the page, so it creates a
separate entry for every page requested. This doubles the NAT entries
in the router.

Would 40,000 - 60,000 NAT translation entries be too much for a 2821?
It's not doing much else except NAT and a couple of route-maps.

If so, which device would be recommended that could handle this amount
of translations?

Thanks,
Dan.


Re: [c-nsp] 2821 NAT Limitations

2010-10-13 Thread Ge Moua
forgot to mention that I'm fairly certain that many NAT sessions that 
you require will overrun the 2800, which process switches that function (no 
good).


--
Regards,
Ge Moua
Network Design Engineer

University of Minnesota | OIT - NTS
--


On 10/13/10 4:38 PM, Ge Moua wrote:
 we do upwards of 75,000 NAT sessions on an asa-5550 with no problems; 
bad thing here for you is that you'll also need a router platform to 
do the route maps


not sure if you can split the functions, but if so then this might 
work for you.


--
Regards,
Ge Moua
Network Design Engineer

University of Minnesota | OIT - NTS
--


On 10/13/10 4:11 PM, Dan Letkeman wrote:

Hi,

Wondering if anyone has some experience with the NAT limitations on a
2821 router?  I have about 1500 users, of which about half are on
the internet at one time, but we have a proxy web filter appliance
that all of the clients connect to that does a website lookup and
check before it lets the client access the page, so it creates a
separate entry for every page requested.  This doubles the NAT entries
in the router.

Would 40,000 - 60,000 NAT translation entries be too much for a 2821?
It's not doing much else except NAT and a couple of route-maps.

If so, which device would be recommended that could handle this amount
of translations?

Thanks,
Dan.


Re: [c-nsp] High CPU util on a 2811 with two ipsec tunnels

2010-10-07 Thread Ge Moua

 James G-
What do you see when you do:
sh ip tra

--
Regards,
Ge Moua
Network Design Engineer

University of Minnesota | OIT - NTS
--


On 10/7/10 1:45 PM, Lasher, Donn wrote:

In my experience, two things hammer the CPU for IPSEC tunnels:

1. mGRE is not accelerated by the hardware.
2. Fragmenting Packets, lower MTU/MSS, CPU driven.

Pretty common to see 2811's out of CPU with 10-11M of IPSEC payload in a
tunnel, in my experience.



-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of James Graebner
[VPNtranet]
Sent: Thursday, October 07, 2010 10:32 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] High CPU util on a 2811 with two ipsec tunnels

I have a 2811 w/ AIM module terminating two 10m ipsec tunnels that is
nearly always above 80% and often above 95% cpu util during the day.
Buffers show no significant number of misses.  sh int switching shows
that 100% of the outbound encrypted packets are being process switched.

IOS C2800NM-ADVIPSERVICESK9-M), Version 12.4(15)T1.  Why would this
traffic not be fast switched?




Re: [c-nsp] netflow tools

2010-09-19 Thread Ge Moua

 flowscan by Dave Plonka can do this.


--
Regards,
Ge Moua
Network Design Engineer

University of Minnesota | OIT - NTS
2218 University Ave SE
Minneapolis, MN 55414-3029
Email: moua0...@umn.edu | Office: 612.626.2779
--


On 9/19/10 6:01 PM, Sharlon R. Carty wrote:

Hello,



Anyone know of any netflow collector tools that can filter the data based on
ASN? The majority tools I have tried filter based on IP address, IP group,
domain name etc.

Looking for something that can show me x amount of traffic from asn124 and
so on etc





Re: [c-nsp] 7606 config issue !!!

2010-08-10 Thread Ge Moua
we just upgraded one of our core 6509 / 3bxl to this code a few days 
ago and so far no problems; you're probably looking for feedback on 
the 7600 platform though.


--
Regards,
Ge Moua
Network Design Engineer

University of Minnesota | OIT - NTS
--


On 8/10/10 4:28 PM, David Hughes wrote:

On 23/07/2010, at 9:45 AM, Jared Mauch wrote:


Cisco has posted sxi4a.



Has anyone identified any early issues with sxi4a ?



Thanks

David
...


Re: [c-nsp] FWSM and IPv6

2010-06-24 Thread Ge Moua
I've heard rumors from our Cisco acct SE that FWSMv2 will do IPv6 in Hw; 
right now with transparent mode one can pass IP protocol type 41 but can 
not actually write any IPv6 ACLs.


--
Regards,
Ge Moua
Network Design Engineer

University of Minnesota | OIT - NTS
--


On 6/24/10 11:09 AM, Benjamin Lovell wrote:
Did a quick search and found that IPv6 packets are still processed by 
the CPU, not the ASICs, on the FWSM. Also only works in routed, not 
transparent mode. I don't know any hard numbers for forwarding 
performance for the CPU but I would guess it's unacceptably low.


As for software versus architecture limitation, it's tough to say. I 
would guess architectural limitation but either way I doubt it will 
change as FWSM is near the end of its life cycle for new feature 
development.


-Ben

On Jun 24, 2010, at 7:59 AM, Matthew Melbourne wrote:


Are there any real-world data available for the performance of the
FWSM when using IPv6 (actually multi-tenant IPv6 and IPv4). A
Networkers' presentation I saw suggested that IPv6 forwarding was
punted to the CPU rather than performed in hardware; is this still the
case and is it an architectural issue which cannot be addressed
through software?

Cheers,

Matt

--
Matthew Melbourne


Re: [c-nsp] Leaking VRF routes

2010-05-18 Thread Ge Moua
I've got IOS code snippet for doing this on a 7206vxr with npe-g1; 
contact me off list if you are interested in seeing this.


--
Regards,
Ge Moua
Network Design Engineer

University of Minnesota | OIT - NTS
--


On 5/18/10 1:40 AM, Peter Rathlev wrote:

On Mon, 2010-05-17 at 22:46 -0500, Dave Weis wrote:

I am doing VRF lite on a 7200 to place PPPoA/PPPoE users into a VRF.

You can leak fine just with VRF-Lite, if that's what you're after. You
need to enable BGP though.



Re: [c-nsp] Leaking VRF routes

2010-05-18 Thread Ge Moua
There were a few requests for this, so I'm just going to post this to 
the distro-list.  This was done about a year and a half ago, but I recall 
that this was a working config snippet:
* the idea at the time was to terminate a L2L IPSec tunnel in a given 
VRF A

* using VRF-aware IPSec, drop the decrypted traffic to VRF B
* one had to export the RD
* also had to run BGP (this was already mentioned in a previous thread)

In the end we decided not to go with this config and just terminate the 
IPSec tunnel in the global table, as the global table already had the 
hooks into the other custom VRF by default.


- Ge



!
ip vrf FVRF-L2L_NTS-TEST
 description VRF Lite * (VRF-Aware IPSec) Front-Door VRF to (MPLS VRF) tc * Encrypted Data Transport for L-2-L IPSec (Single Customer) NTS Test
 rd 217:599
 route-target export 217:1001
 route-target export 217:599
!
ip vrf IVRF-L2L_tc
 description VRF Lite * (VRF-Aware IPSec) Inside VRF to (MPLS VRF) tc * Decrypted Data Transport for L-2-L IPSec (VRF Wide) UofMn - Twin Cities General Campus
 rd 217:1001
 route-target import 217:599
!
router bgp 65535
 no synchronization
 bgp log-neighbor-changes
 no auto-summary
 !
 address-family ipv4 vrf FVRF-L2L_NTS-TEST
  redistribute static
  no synchronization
 exit-address-family
!
ip route vrf FVRF-L2L_NTS-TEST 134.84.4.232 255.255.255.248 134.84.4.222 name ROUTE-LEAK-TO-IVRF-VIA-BGP-REDIST
!
no ip access-list extended CRYPTO-ACL_NTS-TEST
!
ip access-list extended CRYPTO-ACL_NTS-TEST
 remark ## [START] Extended ACL CRYPTO-ACL_NTS-TEST ##
 remark ## Crypto ACL * IPSec Interesting Traffic Between L-2-L IPSec End-Points NTS Test ##
 permit ip any 134.84.4.232 0.0.0.7
 remark ## [END] Extended ACL CRYPTO-ACL_NTS-TEST ##
!
crypto map CRYPTO-MAP_NTS-TEST 1 ipsec-isakmp
 no reverse-route static




--

Regards,
Ge Moua
Network Design Engineer

University of Minnesota | OIT - NTS
--


On 5/18/10 8:15 AM, Ge Moua wrote:
I've got IOS code snippet for doing this on a 7206vxr with npe-g1; 
contact me off list if you are interested in seeing this.


--
Regards,
Ge Moua
Network Design Engineer

University of Minnesota | OIT - NTS
--


On 5/18/10 1:40 AM, Peter Rathlev wrote:

On Mon, 2010-05-17 at 22:46 -0500, Dave Weis wrote:

I am doing VRF lite on a 7200 to place PPPoA/PPPoE users into a VRF.

You can leak fine just with VRF-Lite, if that's what you're after. You
need to enable BGP though.


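
Added example, not part of Ge's snippet and not an IOS feature: a Python model of how the route-target export/import statements above produce a one-way leak. It uses the RD and RT values from the config (217:599 and 217:1001) plus one constructed inside prefix, and treats 'redistribute static' as the step that puts the static route into BGP in the first place, which is why the thread notes that BGP has to run. The model is limited to RT matching: a route is visible in a VRF if it originated there or if the RTs it was exported with intersect the VRF's import RTs.

```python
"""Added example: route-target based leaking between two VRFs, modelled in
Python with the RD/RT values from the config snippet above."""
from dataclasses import dataclass


@dataclass
class Vrf:
    name: str
    rd: str
    export_rts: frozenset = frozenset()
    import_rts: frozenset = frozenset()
    static_routes: frozenset = frozenset()  # prefixes in the VRF's own table
    redistribute_static: bool = False       # 'redistribute static' under the VRF AF


def vpnv4_table(vrfs):
    """What BGP ends up holding: (RD, prefix) -> RTs attached on export.
    A static route only reaches BGP if its VRF address-family redistributes it."""
    table = {}
    for v in vrfs:
        if not v.redistribute_static:
            continue
        for prefix in v.static_routes:
            table[(v.rd, prefix)] = set(v.export_rts)
    return table


def routing_table(vrf, table):
    """Prefixes visible in a VRF: its own statics plus every VPNv4 route from
    another RD that carries at least one of this VRF's import RTs."""
    visible = set(vrf.static_routes)
    for (rd, prefix), rts in table.items():
        if rd != vrf.rd and rts & vrf.import_rts:
            visible.add(prefix)
    return visible


def leak_directions(vrfs):
    """(source, destination) VRF name pairs between which routes actually flow,
    so an unintended reverse path (inside -> front-door) is easy to spot."""
    table = vpnv4_table(vrfs)
    leaks = set()
    for dst in vrfs:
        for src in vrfs:
            if src is dst:
                continue
            if any(rd == src.rd and rts & dst.import_rts for (rd, _), rts in table.items()):
                leaks.add((src.name, dst.name))
    return leaks


def page_example():
    """The two VRFs from the snippet: the front-door VRF exports two RTs and
    redistributes its static; the inside VRF only imports 217:599."""
    fvrf = Vrf("FVRF-L2L_NTS-TEST", "217:599",
               export_rts=frozenset({"217:1001", "217:599"}),
               static_routes=frozenset({"134.84.4.232/29"}),
               redistribute_static=True)
    ivrf = Vrf("IVRF-L2L_tc", "217:1001",
               import_rts=frozenset({"217:599"}),
               static_routes=frozenset({"10.0.0.0/8"}))  # constructed inside prefix
    return fvrf, ivrf
```

With the page's values, leak_directions reports exactly one pair, front-door to inside: the inside VRF gains 134.84.4.232/29, while the front-door VRF never learns the inside prefix because it imports nothing. Dropping redistribute_static on the front-door VRF empties the VPNv4 table and nothing leaks at all, which is the "also had to run BGP" point.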


Re: [c-nsp] ftp fixup on firewall service module

2010-05-05 Thread Ge Moua
yes, I've seen these on our fwsms on 3.x code; the current 4.x code 
seems to have fixed this.


--
Regards,
Ge Moua
Network Design Engineer

University of Minnesota | OIT - NTS
--


On 5/5/10 12:20 PM, B wrote:

I don't think passive mode (from inside to outside) requires fixup. Both
channels are outbound initiated. Does the control connection get
established? Perhaps it's something else...

On Wed, May 5, 2010 at 7:29 AM, Mishka, Jason <jason.mis...@utoledo.edu> wrote:

Are you ftping on the default port, 21?  If not, it won't work (unless you
specify otherwise, I believe).  The inspection engine needs to see the
data channel port negotiation.

There was also an ftp related bug prior to 3.1(10) for session
termination but this doesn't sound like it.  But check out CSCsi27512
just in case.

Jason



-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Arne Larsen /
Region Nordjylland
Sent: Wednesday, May 05, 2010 6:04 AM
To: 'cisco-nsp@puck.nether.net'
Subject: [c-nsp] ftp fixup on firewall service module

Hi all.

I'm having some problems with a client connecting to a ftp server.
The client uses passive mode; shouldn't the fixup in the service module
take care of the data channel?
I can't see anything being dropped in the firewall, but then again I don't
really see any traffic on the data channel.

/Arne


Re: [c-nsp] VPN over Comcast

2010-04-27 Thread Ge Moua
we are extending l2 pseudowire over ipsec tunnels through comcast 
business class internet and this seems to work mostly stable for us; I'm 
not sure if the sla for residential cable would incur more outage or 
not; albeit we are in the minneapolis mkt and not chicago.


--
Regards,
Ge Moua
Network Design Engineer

University of Minnesota | OIT - NTS


On 4/27/10 12:42 PM, Michael Malitsky wrote:

I will probably be laughed at, but I'll ask just in case.

We are having particularly bad luck trying to run VPN tunnels over
Comcast cable in the Chicago area.  The symptoms are basically complete
loss of connectivity (lasting minutes to sometimes hours), or sometimes
flapping for a period of time.  More often than not, a reboot of the
cable modem is required.  The most interesting ones involve the
following: a PIX or ASA configured as an EZvpn client, connecting to a
3000 concentrator, authentication over RADIUS.  When I go to look at the
RADIUS logs, I see connections from the same box with small intervals.
Timeout is 8 hours, so theoretically I should see 3 connections in a
24-hr period.  In some cases, I see dozens, in the most egregious cases,
thousands over a 24-hour period.  I am taking that as an indicator of a
really unstable Comcast circuit.  We have not had this problem with any
other ISP, anywhere in the country.
I am pretty much down to telling customers to find another provider...

Any thoughts or ideas on the matter will be appreciated.

PS.  To be fair (?) to Comcast, this is not a ubiquitous problem.  It
affects about 25% of the installations I get to see.

Sincerely,
Michael Malitsky





Re: [c-nsp] STP in L2TPv3

2010-03-15 Thread Ge Moua
I saw this across a few router platforms, so I'm guessing it may be 
embedded in the base IOS code:

* 7200
* 1800
* 2600

--
Regards,
Ge Moua
Network Design Engineer

University of Minnesota | OIT - NTS
2218 University Ave SE
Minneapolis, MN 55414-3029
Email: moua0...@umn.edu | Office: 612.626.2779
--



On 3/15/10 9:26 AM, Chris Flav wrote:
Was your issue on the 800 series specifically or using L2TPv3 on any 
hardware platform?



Re: [c-nsp] STP in L2TPv3

2010-03-12 Thread Ge Moua
I had a case open with Cisco on this same issue pending for 6 months or 
so, then I finally closed the ticket; what I saw was basically that the STP 
pkts were arriving out-of-order due to fragmentation; the remote end 
never gets STP updates as such.


I've been meaning to test this with EoMPLS over GRE to see if STP 
behaves the same way; one funny thing I did see though is that if I turned 
off the PXF engine on the head-end, then STP gets transmitted and 
fragmented/defragmented properly; the downside is that the PXF engine provides 
enhanced throughput for L2TPv3 (which is very CPU intensive if process 
switched); in the end Cisco TAC advised us to run the VTP domain in 
transparent mode so as not to pass STP pkts; that's what we are doing now.


If I get around to testing STP updates on EoMPLS over GRE then I'll post 
my results on this distro list; good luck.



--
Regards,
Ge Moua
Network Design Engineer

University of Minnesota | OIT - NTS
2218 University Ave SE
Minneapolis, MN 55414-3029
Email: moua0...@umn.edu | Office: 612.626.2779
--



Chris Flav wrote:
I am having a devil of a time getting spanning-tree packets to work over a 
functional L2TPv3 tunnel.  I can see arp, cdp, SSDP, and all sorts of other 
garbage traffic over the link, DHCP works, Internet, the works.

However, if I connect a catalyst switch on each end and send STP, I do not 
see the spanning-tree packets on the remote end of the link.

I am using Cisco 800-series routers (cheating by reversing the Fe4 and Vlan1 
ports) and as stated, the L2TPv3 tunnel is reliable and functional, with the 
exception of STP.  Is there something fundamental I am missing?  See below 
configs;


SiteA:
==
l2tp-class l2-dyn
 authentication
 hostname MTL
 password 7 071B29495E08
 cookie size 8
!
!
pseudowire-class pw-dynamic
 encapsulation l2tpv3
 protocol l2tpv3 l2-dyn
 ip local interface Vlan1
!
!
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
 no cdp enable
 xconnect 66.xxx.xxx.xxx 1 encapsulation l2tpv3 pw-class pw-dynamic
!
interface Vlan1
 ip address 66.xxx.xxx.xxx 255.255.255.192
 no ip proxy-arp


show l2tun session all

L2TP Session Information Total tunnels 1 sessions 1

Session id 61551 is up, tunnel id 735
  Remote session id is 21103, remote tunnel id 25982
  Locally initiated session
  Call serial number is 241411
  Remote tunnel name is SHE
    Internet address is 66.xxx.xxx.21
  Local tunnel name is MTL
    Internet address is 66.xxx.xxx.195
  IP protocol 115
  Session is L2TP signaled
  Session state is established, time since change 00:09:59
  DF bit off, ToS reflect disabled, ToS value 0, TTL value 255
  UDP checksums are disabled
  Session cookie information:
    local cookie, size 8 bytes, value CB 2A 48 48 59 BA 49 A5
    remote cookie, size 8 bytes, value 0D F2 0A CF 7A ED 2A B4
  FS cached header information:
    encap size = 32 bytes
    4514  FF73347F 429E81C3
    42818015 526F 0DF20ACF 7AED2AB4

  1327 Packets sent, 12 received
  119801 Bytes sent, 1295 received
  Last clearing of counters never
  Counters, ignoring last clear:
    1327 Packets sent, 12 received
    119801 Bytes sent, 1295 received
    Receive packets dropped:
      out-of-order: 0
      total: 0
    Send packets dropped:
      exceeded session MTU: 0
      total: 0
  Sequencing is off
  Conditional debugging is disabled
  Unique ID is 1
Session Layer 2 circuit, type is Ethernet, name is FastEthernet4
  Session vcid is 1
  Circuit state is UP
    Local circuit state is UP
    Remote circuit state is UP


SiteB:
=
l2tp-class l2-dyn
 authentication
 hostname SHE
 password 7 14031A0E1C0
 cookie size 8
!
!
pseudowire-class pw-dynamic
 encapsulation l2tpv3
 protocol l2tpv3 l2-dyn
 ip local interface Vlan1
!
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
 no cdp enable
 xconnect 66.xxx.xxx.195 1 encapsulation l2tpv3 pw-class pw-dynamic
!
interface Vlan1
 ip address 66.xxx.xxx.21 255.255.255.0
 no ip proxy-arp

show l2tun session all

L2TP Session Information Total tunnels 1 sessions 1

Session id 21103 is up, tunnel id 25982
  Remote session id is 61551, remote tunnel id 735
  Remotely initiated session
  Call serial number is 15905
  Remote tunnel name is MTL
    Internet address is 66.xxx.xxx.195
  Local tunnel name is SHE
    Internet address is 66.xxx.xxx.21
  IP protocol 115
  Session is L2TP signaled
  Session state is established, time since change 00:12:43
  DF bit off, ToS reflect disabled, ToS value 0, TTL value 255
  UDP checksums are disabled
  Session cookie information:
    local cookie, size 8 bytes, value 0D F2 0A CF 7A ED 2A B4
    remote cookie, size 8 bytes, value CB 2A 48 48 59 BA 49 A5
  FS cached header information:
    encap size = 32 bytes
    4514  FF73347F 42818015
    429E81C3 F06F CB2A4848 59BA49A5

  14 Packets sent, 1607
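
Added example, not from either poster: the encapsulation arithmetic behind the fragmentation Ge mentions, worked for the pseudowire parameters in the show output above (IP protocol 115, 8-byte cookie, sequencing off, DF bit off). It reports the bytes the tunnel adds in front of the inner frame, the largest inner payload that crosses a given path MTU without fragmenting, and how many IPv4 fragments a full-size inner frame turns into. Header sizes are the standard IPv4, Ethernet and L2TPv3-over-IP values; the 1500-byte path MTU is an assumed default, not a value from the thread.

```python
"""Added example: L2TPv3-over-IP encapsulation overhead and IPv4 fragmentation
arithmetic for a pseudowire like the one in the show output above."""

IPV4_HDR = 20        # outer IPv4 header without options
SESSION_ID = 4       # L2TPv3 over IP: 32-bit session ID
SEQ_SUBLAYER = 4     # L2-specific sublayer, present only when sequencing is on
ETH_HDR = 14         # inner Ethernet header carried inside the tunnel
VLAN_TAG = 4         # extra inner bytes when the inner frame is 802.1Q tagged


def l2tpv3_encap(cookie_size=8, sequencing=False):
    """Bytes added in front of the inner frame. With an 8-byte cookie and
    sequencing off this is the 'encap size = 32 bytes' the router reports."""
    return IPV4_HDR + SESSION_ID + cookie_size + (SEQ_SUBLAYER if sequencing else 0)


def outer_size(inner_payload, cookie_size=8, sequencing=False, vlan_tagged=False):
    """Size of the outer IPv4 packet for an inner frame with this L2 payload."""
    inner = ETH_HDR + (VLAN_TAG if vlan_tagged else 0) + inner_payload
    return l2tpv3_encap(cookie_size, sequencing) + inner


def max_inner_payload(path_mtu=1500, cookie_size=8, sequencing=False, vlan_tagged=False):
    """Largest inner L2 payload that crosses the tunnel without fragmentation."""
    inner_hdr = ETH_HDR + (VLAN_TAG if vlan_tagged else 0)
    return path_mtu - l2tpv3_encap(cookie_size, sequencing) - inner_hdr


def ipv4_fragments(packet_size, path_mtu=1500):
    """Number of IPv4 fragments a packet becomes with DF off (as in the output
    above). Every fragment but the last carries a multiple of 8 payload bytes."""
    if packet_size <= path_mtu:
        return 1
    payload = packet_size - IPV4_HDR
    per_fragment = (path_mtu - IPV4_HDR) // 8 * 8
    return -(-payload // per_fragment)  # ceiling division


def pseudowire_report(path_mtu=1500, cookie_size=8, sequencing=False, vlan_tagged=False):
    """The three numbers worth checking before turning up the pseudowire."""
    full_frame = outer_size(1500, cookie_size, sequencing, vlan_tagged)
    return {
        "encap_bytes": l2tpv3_encap(cookie_size, sequencing),
        "max_inner_payload": max_inner_payload(path_mtu, cookie_size, sequencing, vlan_tagged),
        "fragments_for_1500_byte_frame": ipv4_fragments(full_frame, path_mtu),
    }
```

With the page's parameters a 1500-byte inner frame becomes a 1546-byte outer packet, which a 1500-byte underlay splits into two fragments; only inner payloads of 1454 bytes or less (1450 with sequencing on) pass whole. Raising the underlay MTU to 1600 removes the fragmentation entirely, which is the usual fix where the transport allows it.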

Re: [c-nsp] Network-to-network connection - MPLS / non-MPLS

2010-02-18 Thread Ge Moua

* EoMPLS over GRE
* L2TPv3

--
Regards,
Ge Moua
Network Design Engineer

University of Minnesota | OIT - NTS
--



Mike wrote:

What options are available for establishing network-to-network connections
between an MPLS network and a native IP network that has no current MPLS
capability?

The scenario I have is a single POP ISP (non-MPLS) that is desirous of
establishing a connection to a larger MPLS-based ISP.  The idea being the
ability to sell circuits off the larger network's footprint and back-haul the
traffic to the smaller network, thereby extending the physical reach of the
smaller ISP.

I know this can be done using an IP aggregation type setup, but are there
other options available, particularly something that would provide
visibility at the lower layers for troubleshooting isolation purposes?


Thanks,

Mike


Re: [c-nsp] OT - Infoblox vs. Bluecat

2010-01-15 Thread Ge Moua

We are using infoblox over here; works pretty well.

Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Church, Charles wrote:

I apologize for this being fairly OT for a Cisco list, but I figured someone on 
here has touched some DNS gear before.  Anyone work with Infoblox and Bluecat, 
and run across a significant reason to choose one over another?  I've googled, 
but most articles are 5 years or more old.  Off-line responses encouraged.  The 
planned use is for govt, so full access to the kernel is nice for 
hardening/verification.  Also need TSIG, DNSSEC, and IPv6 support, which they 
both claim to have, as they're both based on recent bind.  Secure mgmt such as 
SNMPv3, SSHv2, and SSL would be nice.

Thanks in advance,

Chuck



Re: [c-nsp] Cisco VPN and 64 bit Windows

2009-12-09 Thread Ge Moua

this one is free:
www.shrewsoft.com


Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Jonathan Charles wrote:

The short answer is... no.

Cisco said they will never release a 64-bit version of their VPN Client.

However, AnyConnect has a 64-bit variant; this requires a
separate license for the ASA...

There is a third-party VPN client for 64-bit that works fine:

http://www.ncp-e.com/en.html



Jonathan

On Wed, Dec 9, 2009 at 9:20 AM, Marc Haber mh+cisco-...@zugschlus.de wrote:
  

Hi,

at a number of customer sites, we run a VPN service for mobile users.
Since we usually are not in charge of the firewall that is in place
there, we have the following construction


 Internet
 |
 ----------
 |Firewall|-|VPN Router|
 ----------
 |
 internal network

The VPN router is usually an 1841, and the mobile users have the
standard Cisco VPN client for IPSEC (the one with the nice .pcf
files and which is currently shipping as version 5.0.04.0300). This
works just fine, and we would really like to stay with this setup for
some time.

Unfortunately, Cisco seems to have decided to not ship the standard
VPN client for 64 bit Windows variants, which are increasingly often
used out in the wild. They refer to the AnyConnect VPN Client which,
to my knowledge, can only connect to an ASA and not to an IOS device.

Can anybody here tell me whether there will be a possibility available
to connect from 64 bit Windows to an IOS device? Any hints will be
appreciated.

Greetings
Marc

--
-
Marc Haber | I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things.Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190


Re: [c-nsp] BDF over port-channels?

2009-11-17 Thread Ge Moua

we've got some p2p routed ports over here

!
interface Port-channel1
description [removed]
mtu 4470
ip address 192.168.11.105 255.255.255.252
no negotiation auto
snmp trap link-status
hold-queue 150 in
!


Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Arie Vayner (avayner) wrote:

Just out of curiosity, what is the port-channel on the 7200/7600 used for?
Is it a point to point routed port, or with L2 VLANs switched on top of it?

Arie

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of luismi
Sent: Tuesday, November 17, 2009 19:11
To: Gert Doering
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] BDF over port-channels?

I was just curious, because I would like to deploy BFD but I saw those
messages on my routers because of the port-channel configurations, and I
would like to know if it was supported in another train or something
similar.

On Tue, 17-11-2009 at 15:12 +0100, Gert Doering wrote:
  

Hi,

On Tue, Nov 17, 2009 at 01:20:58PM +0100, luismi wrote:


I wrote it in a previous email but here is again :D

7200 npe-g2 and 7600 rsp720-pfc3
  

These are very very *VERY* different platforms...



I am using 12.2SRC but it is not supported there and I would like to know
if it is supported in another train.
  

... so it might very well be supported on one of them, and not on the
other...

Just for the record - my assumption was wrong.  I just tried to configure
BFD on a 6500 with SXF and SXH3a, and neither even permits me to enter
the bfd commands on the port-channel interfaces.  Physical interfaces 
only.


(Which makes some sort of sense, *iff* the BFD-handling is done in the 
line card - where it belongs, to be independent of whatever load the 
main CPU is having.  OTOH, I don't think normal 6500 LAN cards are smart
enough to run BFD locally.  So whatever...)

gert






Re: [c-nsp] What's the value of ASA/FWSM TCP state bypass?

2009-11-10 Thread Ge Moua
I've always been leery of this feature; I've considered using it in the 
past to troubleshoot badly written apps that muck up TCP 3-way 
handshakes/4-way teardowns; I can see this as a quick & dirty mechanism 
to bypass the stateful inspection engine without taking the firewall 
logically out of the data path; I'd be careful with using this feature 
without serious consideration of the consequences; I also don't like the 
fact that it changes the default stateful inspection behavior.


I'd also be interested to hear what other folks think about this..

Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Peter Rathlev wrote:
On Tue, 2009-11-10 at 10:44 -0600, James Slepicka wrote: 
  

Just keep in mind that traffic through the firewalls usually* needs to
be symmetric.  Be sure to account for that in your design.

* 
https://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.html



I've read about this, but I fail to see what the point is. If the
firewall doesn't do stateful inspection, then why use a firewall? Why
not just a router/switch with L4 ACLs?

What am I missing?

  



Re: [c-nsp] Linux VPN client suggestion?

2009-11-03 Thread Ge Moua



yum install vpnc

you may need the EPEL repo for this.


Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Scott Granados wrote:

Hi all,
I'm presently running Cisco ASA 5520 hardware with the Cisco VPN 
client to provide remote users access to network resources.  I have 
one user who is interested in a client for Linux (specifically CentOS) 
and I'm not sure what to suggest.  Does anyone have any good pointers for 
a good client that I can point him to?


Any pointers would be appreciated.

Thank you
Scott




[c-nsp] how to make ASA vrf-aware / remote-access client VPN

2009-11-02 Thread Ge Moua

C-NSP Wizards:
Our Cisco account team seems to be touting the ASA appliance (in a 
cluster configuration) as the preferred solution for remote access 
client vpn (IPSec & SSL); as such my question then is:


Is it possible to make an ASA be vrf-aware?

I will use vrf-aware IOS terminology to describe my goals:
* terminate remote access vpn client traffic on outside interface 
(front-door vrf)
* re-direct decrypted traffic to inside interface (inside vrf) 
towards enterprise apps


I tried to use the group-policy vlan mapping feature and only achieved 
some success redirecting traffic out different egress vlans/interfaces.

Here are my findings why the vlan-mapping feature on the Cisco ASA will 
not work in our environment (I stand by this unless Cisco have other 
means that I do not know of that will achieve vrf-aware connectivity from 
the ASA):

* vlan map can re-direct traffic out egress vlan (only at layer 2)
* layer 3 routes still needed from the ASA for outbound traffic to 
egress vlan

+ asa only allowed one default route in routed, single mode
   * if this is to work for vrf-aware client vpn connection, I'm 
thinking a default route per egress vlan will be needed; I was not able 
to do this
* vlan mapping does work, but only for simple routing environments; not 
really geared for multiple VRFs that get connected to a MPLS backbone 
and border with BGP & OSPF inter-related workings


So I proceeded to consider a design that assumes that the ASA will only 
do remote access termination and leaves the vrf-awareness 
(vrf-enabled) capabilities to the underlying network; this is what I 
came up with:


vpn_host_1 == IP_Cloud == ASA_VPN-Pool-A == PBR_BlackBox == VRF_A
vpn_host_2 == IP_Cloud == ASA_VPN-Pool-B == PBR_BlackBox == VRF_B

* ASA strictly doing remote access ipsec/ssl client vpn termination; 
btw, this really simplifies the ASA config significantly

* ASA has ingress for client vpn termination & egress for decrypted traffic
* decrypted traffic handled by black box (in this case catalyst-3750 
running router code) that does policy based routing based on source IP 
of client vpn ip pools


pros:
* ASA relegated to doing only client vpn termination
* simplified config per components
* PBR moved to another box to facilitate vrf-aware client vpn
+ simple routing on the ASA
   * one default route
   * no dynamic routing required

cons:
* more equipment needed in addition to ASA
* downstream failure may not trigger a VPN cluster member to be down (as 
it should in my opinion); what is needed is something like BFD 
(bi-directional forward detect) or some form of more intelligent route 
tracking (this may yet be possible; I've got to think more about this)

* overall design complexity increase because vrf-enabled moved off ASA

At minimum, I think this design will work for our needs; this design 
assumes additional complex components that I like to avoid if possible 
(PBR on a black box device).


Let me know what folks think; I'd really appreciate any ideas or feedback.

** Note
If the ASA was truly VRF-aware like its IOS brethren then all of this 
extra complexity may be minimized.


Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services




Re: [c-nsp] how to make ASA vrf-aware / remote-access client VPN

2009-11-02 Thread Ge Moua
I did some throughput testing with iperf while connected as an ipsec 
client and seemed to get over 120 Mbps easily; I too was interested 
in how far I can push the pbr on the 3750.


Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Ryan West wrote:

Ge,

Just wanted to add one more thing.

  

* decrypted traffic handled by black box (in this case catalyst-3750



I've had very poor performance using the 3750 for PBR functions, have you tried 
to push any load through it?

-ryan

  



Re: [c-nsp] 3560/3750 policy routing

2009-11-02 Thread Ge Moua
 Note that PBR on these platforms is very limited in supported 
route-map match options, e.g. per cco:


I concur; I can't seem to do anything beyond some basic match & set; the 
IOS complained when I tried some SET commands with VRF parameters.  I 
suppose this is really a switch platform and not a true router platform.



Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Daniska, Tomas wrote:

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-
boun...@puck.nether.net] On Behalf Of Peter Rathlev
Sent: Tuesday, November 03, 2009 12:01 AM
To: Ryan West
Cc: cisco-nsp
Subject: Re: [c-nsp] 3560/3750 policy routing


It has been running IOS 12.2(50)SE1 IP Services all its life (some
months).

When we started using it I was a little nervous if it would cope (and
posted on this list about it too) but it performs splendidly for us.




I second this, 12.2(50)SE3, doing some PBR-based VoIP splitting to
different SBCs, all done in HW.


Note that PBR on these platforms is very limited in supported route-map
match options, e.g. per cco:


When configuring match criteria in a route map, follow these guidelines:

-Do not match ACLs that permit packets destined for a local address. PBR
would forward these packets, which could cause ping or Telnet failure or
route protocol flapping.

-Do not match ACLs with deny ACEs. Packets that match a deny ACE are
sent to the CPU, which could cause high CPU utilization.


Did your matching ACLs meet the no-deny requirement?


--

deejay

 


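To make the PBR step of the "ASA_VPN-Pool -> PBR_BlackBox -> VRF" design from the vrf-aware thread concrete, and to check a route-map against the two CCO guidelines quoted in this thread (no deny ACEs, no permits that cover a local address), here is an added Python model. It is not code from any of the posts; every pool, VRF name, next hop and the 172.16/172.17 "enterprise" prefixes are constructed.

```python
"""Source-based PBR model for the "ASA -> PBR black box -> VRF" design, with a
lint pass for the two 3560/3750 route-map guidelines quoted from CCO.
Added example, not code from the mailing-list posts; all addresses, VRF names,
next hops and the 172.16/172.17 enterprise prefixes are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str                       # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass(frozen=True)
class RouteMapEntry:
    seq: int
    acl: tuple                        # Ace objects, evaluated in order
    set_vrf: str
    set_next_hop: str


def net(cidr):
    return ipaddress.ip_network(cidr)


ANY = net("0.0.0.0/0")
POOL_A, POOL_B = net("10.10.0.0/24"), net("10.20.0.0/24")   # constructed VPN pools
LOCAL_ADDRS = (net("192.0.2.1/32"), net("192.0.2.5/32"))     # constructed: PBR box's own addresses

# Naive map: match on the source pool only ("permit ip <pool> any").
NAIVE_MAP = (
    RouteMapEntry(10, (Ace("permit", POOL_A, ANY),), "VRF_A", "192.0.2.2"),
    RouteMapEntry(20, (Ace("permit", POOL_B, ANY),), "VRF_B", "192.0.2.6"),
)
# Hardened map: permit only the prefixes reachable inside each VRF, so no
# permit ACE covers the PBR box itself and no deny ACE is needed.
HARDENED_MAP = (
    RouteMapEntry(10, (Ace("permit", POOL_A, net("172.16.0.0/16")),), "VRF_A", "192.0.2.2"),
    RouteMapEntry(20, (Ace("permit", POOL_B, net("172.17.0.0/16")),), "VRF_B", "192.0.2.6"),
)


def classify(src_ip, dst_ip, route_map):
    """Return (vrf, next_hop) from the first route-map sequence whose ACL permits
    the packet, or None when it falls through to normal routing.  A deny ACE
    only ends evaluation of that sequence; the packet goes on to the next one."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for entry in sorted(route_map, key=lambda e: e.seq):
        for ace in entry.acl:
            if src in ace.src and dst in ace.dst:
                if ace.action == "permit":
                    return entry.set_vrf, entry.set_next_hop
                break
    return None


def lint(route_map, local_addrs=LOCAL_ADDRS):
    """Flag ACEs that break the two quoted guidelines: a deny ACE (matching
    packets are punted to the CPU) and a permit ACE covering a local address
    (PBR would forward packets meant for the switch itself).  Returns a list
    of (sequence, message) tuples; an empty list means the map is clean."""
    findings = []
    for entry in route_map:
        for ace in entry.acl:
            if ace.action == "deny":
                findings.append((entry.seq, "deny ACE: matching packets are punted to the CPU"))
                continue
            covered = [str(a) for a in local_addrs if a.subnet_of(ace.dst)]
            if covered:
                findings.append((entry.seq, f"permit ACE covers local address(es) {covered}"))
    return findings


if __name__ == "__main__":
    print(classify("10.10.0.7", "192.0.2.1", NAIVE_MAP))      # steered into VRF_A: wrong
    print(classify("10.10.0.7", "192.0.2.1", HARDENED_MAP))   # None: handled locally
    print(lint(NAIVE_MAP), lint(HARDENED_MAP))
```

The naive map shows how the first guideline bites a source-only policy: `permit ip <pool> any` also matches packets addressed to the PBR box itself, and since the second guideline rules out a deny ACE as the fix, the hardened map enumerates the destination prefixes reachable in each VRF instead.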


Re: [c-nsp] Bonded T1 Circuits

2009-10-20 Thread Ge Moua

something like this should work (got it off one of our production routers):

interface Serial0/0/0
mtu 4470
no ip address
encapsulation ppp
ppp multilink
ppp multilink group 1

interface Serial0/1/0
mtu 4470
no ip address
encapsulation ppp
ppp multilink
ppp multilink group 1

interface Multilink1
mtu 4470
ip address 192.168.11.205 255.255.255.252
ppp multilink
ppp multilink group 1
ppp multilink fragment disable




Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Dominic wrote on 10/20/2009 10:05 AM:

Hi Everyone:

Two questions:

1. I need to bond two T1 circuits. Does anyone have a working sample 
config? The POP end is a 7206VXR with NPE-G2 and the PA-MC-2T3-EC 
Card, and the customer end is a Cisco 1841.
2. Also need to bond as many as 4 T1s.  Would that be pushing it, and 
what would generally be the cleanest way to do it?



Dominic



Re: [c-nsp] monitoring switch stacks

2009-10-14 Thread Ge Moua

Dale Carder-
Are you guys also monitoring queue drops on the interfaces too; if so 
can you forward me the OID?


Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Dale W. Carder wrote:


On Oct 14, 2009, at 1:19 PM, Alan Buxey wrote:


just wondered what folk did out there to monitor switch stacks
(eg stackwise+ switch stacks like 3750e, 2975gs etc (not the older
gigastack ones) ) - using the basic methods such as ICMP will
only show the presence of connectivity to the stack but not the
actual health of the stack - eg one member is missing.  I'm looking
at maybe SNMP but support for MIBS in stacks seems somewhat poor


They show up fine, at least on recent code.  On earlier
versions of code (2 years ago or so), it was very buggy
and was not reliable.

We monitor the following.  There have been occasions when
the switch stack ports fail and this caught it.

Cheers,
Dale

IF-MIB::ifDescr.5365 = STRING: StackPort1
IF-MIB::ifDescr.5366 = STRING: StackSub-St1-1
IF-MIB::ifDescr.5367 = STRING: StackSub-St1-2
IF-MIB::ifDescr.5368 = STRING: StackPort2
IF-MIB::ifDescr.5369 = STRING: StackSub-St2-1
IF-MIB::ifDescr.5370 = STRING: StackSub-St2-2
IF-MIB::ifDescr.5371 = STRING: StackPort3
IF-MIB::ifDescr.5372 = STRING: StackSub-St3-1
IF-MIB::ifDescr.5373 = STRING: StackSub-St3-2

IF-MIB::ifOperStatus.5365 = INTEGER: up(1)
IF-MIB::ifOperStatus.5366 = INTEGER: up(1)
IF-MIB::ifOperStatus.5367 = INTEGER: up(1)
IF-MIB::ifOperStatus.5368 = INTEGER: up(1)
IF-MIB::ifOperStatus.5369 = INTEGER: up(1)
IF-MIB::ifOperStatus.5370 = INTEGER: up(1)
IF-MIB::ifOperStatus.5371 = INTEGER: up(1)
IF-MIB::ifOperStatus.5372 = INTEGER: up(1)
IF-MIB::ifOperStatus.5373 = INTEGER: up(1)

CISCO-STACKWISE-MIB::cswSwitchState.1001 = INTEGER: ready(4)
CISCO-STACKWISE-MIB::cswSwitchState.2001 = INTEGER: ready(4)
CISCO-STACKWISE-MIB::cswSwitchState.3001 = INTEGER: ready(4)



Re: [c-nsp] monitoring switch stacks

2009-10-14 Thread Ge Moua
Dale, are you guys monitoring queue drops on the edge switches like a 
Cisco 3750?  If so, I'm thinking the OID will be slightly different?  
Thanks for the reply!


Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services




Dale W. Carder wrote:


Hey Ge!

We monitor for input queue drops on 6500's with this oid:

.1.3.6.1.4.1.9.9.276.1.1.1.1.10

Our alert for the NOC is drops > 100/sec results in a
major alarm.  Usually it's something stupid happening on
a given vlan that needs to be beat down.  For SVI's, this
goes hand in hand with punts causing cpu exhaustion on
these wimpy RP's.

I've thought about watching output queue drops, but am not
sure how to differentiate normal from abnormal.

Dale


On Oct 14, 2009, at 1:59 PM, Ge Moua wrote:


Dale Carder-
Are you guys also monitoring queue drops on the interfaces too; if so 
can you forward me the OID?


Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Dale W. Carder wrote:


On Oct 14, 2009, at 1:19 PM, Alan Buxey wrote:


just wondered what folk did out there to monitor switch stacks
(eg stackwise+ switch stacks like 3750e, 2975gs etc (not the older
gigastack ones) ) - using the basic methods such as ICMP will
only show the presence of connectivity to the stack but not the
actual health of the stack - eg one member is missing.  I'm looking
at maybe SNMP but support for MIBS in stacks seems somewhat poor


They show up fine, at least on recent code.  On earlier
versions of code (2 years ago or so), it was very buggy
and was not reliable.

We monitor the following.  There have been occasions when
the switch stack ports fail and this caught it.

Cheers,
Dale

IF-MIB::ifDescr.5365 = STRING: StackPort1
IF-MIB::ifDescr.5366 = STRING: StackSub-St1-1
IF-MIB::ifDescr.5367 = STRING: StackSub-St1-2
IF-MIB::ifDescr.5368 = STRING: StackPort2
IF-MIB::ifDescr.5369 = STRING: StackSub-St2-1
IF-MIB::ifDescr.5370 = STRING: StackSub-St2-2
IF-MIB::ifDescr.5371 = STRING: StackPort3
IF-MIB::ifDescr.5372 = STRING: StackSub-St3-1
IF-MIB::ifDescr.5373 = STRING: StackSub-St3-2

IF-MIB::ifOperStatus.5365 = INTEGER: up(1)
IF-MIB::ifOperStatus.5366 = INTEGER: up(1)
IF-MIB::ifOperStatus.5367 = INTEGER: up(1)
IF-MIB::ifOperStatus.5368 = INTEGER: up(1)
IF-MIB::ifOperStatus.5369 = INTEGER: up(1)
IF-MIB::ifOperStatus.5370 = INTEGER: up(1)
IF-MIB::ifOperStatus.5371 = INTEGER: up(1)
IF-MIB::ifOperStatus.5372 = INTEGER: up(1)
IF-MIB::ifOperStatus.5373 = INTEGER: up(1)

CISCO-STACKWISE-MIB::cswSwitchState.1001 = INTEGER: ready(4)
CISCO-STACKWISE-MIB::cswSwitchState.2001 = INTEGER: ready(4)
CISCO-STACKWISE-MIB::cswSwitchState.3001 = INTEGER: ready(4)

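The two monitoring threads above give the raw material for a stack health check (the ifDescr/ifOperStatus and cswSwitchState rows) and for Dale's queue-drop alarm (the input-queue-drops OID polled with a > 100/sec threshold). Here is an added Python example that parses snmpwalk-style output in that shape and applies both checks; it is not code from either post, the sample walks are constructed, and the drop counter values are invented to show a 32-bit counter wrap.

```python
"""Health checks over snmpwalk-style output for a StackWise stack, plus a
queue-drop rate check between two polls of the input-queue-drops OID quoted in
the thread.  Added example, not code from the thread; the walks below are
constructed (the counter values are invented) and the alarm threshold is the
100 drops/sec figure mentioned by Dale."""
import re

SNMP_LINE = re.compile(r"^(?P<obj>\S+)\.(?P<idx>\d+) = (?P<type>\w+): (?P<val>.+)$")
COUNTER_TYPES = {"Counter32", "Counter64", "Gauge32"}
DROPS_OID = ".1.3.6.1.4.1.9.9.276.1.1.1.1.10"       # input queue drops, per the thread


def parse_walk(text):
    """Parse 'OBJECT.index = TYPE: value' lines into {object: {index: value}}.
    Counter/gauge values become ints; enumerations such as up(1) stay strings."""
    walk = {}
    for line in text.splitlines():
        m = SNMP_LINE.match(line.strip())
        if not m:
            continue
        val = int(m["val"]) if m["type"] in COUNTER_TYPES else m["val"]
        walk.setdefault(m["obj"], {})[int(m["idx"])] = val
    return walk


def check_stack(walk):
    """Return problem strings: any StackPort/StackSub interface not up(1) or
    any stack member whose cswSwitchState is not ready(4).  Empty = healthy."""
    problems = []
    descr = walk.get("IF-MIB::ifDescr", {})
    oper = walk.get("IF-MIB::ifOperStatus", {})
    for idx, name in sorted(descr.items()):
        if name.startswith(("StackPort", "StackSub")):
            status = oper.get(idx, "missing")
            if status != "up(1)":
                problems.append(f"{name} (ifIndex {idx}) is {status}")
    for member, state in sorted(walk.get("CISCO-STACKWISE-MIB::cswSwitchState", {}).items()):
        if state != "ready(4)":
            problems.append(f"stack member {member} is {state}")
    return problems


def drop_rates(prev, cur, interval_s, counter_bits=32):
    """Per-ifIndex drops/sec between two polls, tolerating one counter wrap."""
    return {idx: ((cur[idx] - prev[idx]) % (1 << counter_bits)) / interval_s
            for idx in cur if idx in prev}


def drop_alarms(prev, cur, interval_s, threshold=100.0):
    """ifIndexes whose drop rate exceeds the threshold (Dale's > 100/sec rule)."""
    return {idx: r for idx, r in drop_rates(prev, cur, interval_s).items() if r > threshold}


# Constructed sample walks, in the same shape as the output quoted in the thread.
HEALTHY_WALK = """\
IF-MIB::ifDescr.5365 = STRING: StackPort1
IF-MIB::ifDescr.5366 = STRING: StackSub-St1-1
IF-MIB::ifDescr.5367 = STRING: StackSub-St1-2
IF-MIB::ifDescr.5368 = STRING: StackPort2
IF-MIB::ifDescr.5369 = STRING: StackSub-St2-1
IF-MIB::ifDescr.5370 = STRING: StackSub-St2-2
IF-MIB::ifOperStatus.5365 = INTEGER: up(1)
IF-MIB::ifOperStatus.5366 = INTEGER: up(1)
IF-MIB::ifOperStatus.5367 = INTEGER: up(1)
IF-MIB::ifOperStatus.5368 = INTEGER: up(1)
IF-MIB::ifOperStatus.5369 = INTEGER: up(1)
IF-MIB::ifOperStatus.5370 = INTEGER: up(1)
CISCO-STACKWISE-MIB::cswSwitchState.1001 = INTEGER: ready(4)
CISCO-STACKWISE-MIB::cswSwitchState.2001 = INTEGER: ready(4)
"""
# Same stack with one stack sub-port down and member 2 not ready (constructed values).
DEGRADED_WALK = (HEALTHY_WALK
                 .replace("ifOperStatus.5370 = INTEGER: up(1)", "ifOperStatus.5370 = INTEGER: down(2)")
                 .replace("cswSwitchState.2001 = INTEGER: ready(4)", "cswSwitchState.2001 = INTEGER: progressing(2)"))
# Two polls of the drop counter 60 s apart; ifIndex 11 wraps its 32-bit counter.
POLL_T0 = f"{DROPS_OID}.10 = Counter32: 1000\n{DROPS_OID}.11 = Counter32: 4294963296\n"
POLL_T1 = f"{DROPS_OID}.10 = Counter32: 1300\n{DROPS_OID}.11 = Counter32: 8000\n"

if __name__ == "__main__":
    print(check_stack(parse_walk(HEALTHY_WALK)))
    print(check_stack(parse_walk(DEGRADED_WALK)))
    t0, t1 = parse_walk(POLL_T0)[DROPS_OID], parse_walk(POLL_T1)[DROPS_OID]
    print(drop_rates(t0, t1, 60), drop_alarms(t0, t1, 60))
```

Feed it the output of `snmpwalk` against the three objects and the numeric OID; the wrap handling matters because a 32-bit drop counter on a busy interface rolls over, and a naive subtraction would report a huge negative rate rather than the real one.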


Re: [c-nsp] ASA Firewalls placement in the network!

2009-10-12 Thread Ge Moua
yes, but the whole point of public NTP services is to allow any IPv4 to 
do NTP sync.


Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Adrian Minta wrote:

Ge Moua wrote:
The worst thing you can do is put a stateful firewall in front of a 
busy DNS server - every single packet creating new state will bring
most hardware-based firewalls to their knees, because session churn
is usually handled at much lower packet rate as pure packet throughput
for existing state...


I concur and have battle scars to attest to this; we tried to put a 
stateful firewall in front of our public NTP servers (which also 
happen to be our DNS servers) and the firewall tipped over within 5 
minutes; state tables got exhausted quick.

Is there a way to disable sessions for specific port or IP ?



Re: [c-nsp] ASA Firewalls placement in the network!

2009-10-12 Thread Ge Moua

Joel M Snyder -
 If you do the job right, from a security point of view, you can 
certainly put a fine firewall in front of a very busy DNS server.  (and 
when I say very busy I'm talking 10K queries a second, which is to say 
about 20Mbit/second sustained round-the-clock load, for less than $10K)


What do you recommend for this?  Some of my colleagues have suggested a 
redundant OpenBSD cluster (with plenty of RAM b/c memory is cheap these 
days) with PF; I can see a scalable home grown solution that can address 
the exhausted state table issue; I'm just wondering if cheap fast CPUs 
will be on par (performance and throughput wise) with fast ASICs like the 
big box vendors use on their firewall products.


What do you think?



Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Joel M Snyder wrote:

 The worst thing you can do is put a stateful firewall in front of a busy DNS server

Well, as a security guy (rather than as a network guy), I would 
respectfully disagree.


First of all, if your firewall is underspecified or underrated, then 
yes, you'll have problems.   Secondly, if your firewall is 
misconfigured  or mistuned, then yes, you'll have problems.  Of 
course, both of these things are true of the network itself as 
everyone on this list knows very well.


If you do the job right, from a security point of view, you can 
certainly put a fine firewall in front of a very busy DNS server.  
(and when I say very busy I'm talking 10K queries a second, which is 
to say about 20Mbit/second sustained round-the-clock load, for less 
than $10K)


So then the question comes: well, what's the point?  I think that a 
lot of the folks on this list feel that throwing an ACL in front of a 
box is effectively the same, from a security point of view, as a 
firewall and a hell of a lot cheaper.


If you have a lousy firewall (i.e., one that is doing nothing more 
than keeping a UDP session open), yes, absolutely.  However, good 
firewalls are doing a lot more than that.


You may remember last year's "the Internet is falling and only Dan 
Kaminsky can explain it" flap around DNS.  Well, a lot of the 
discussion around this bug/problem/issue ignored the truth that a good 
firewall prevented the attack directly, by knowing enough 'deep packet 
smarts' around the DNS protocol that the attack scenario was 
effectively blocked (hey, that's why we have a session table in the 
first place!). Similarly, a well-configured firewall would have per-IP 
rate limits in it, which would have been a second line of defense.


Now, if you put in a piece-o-crap firewall that is misconfigured, too 
slow, doesn't have a big enough session table, and doesn't do anything 
more than your average reflexive access control list, then you're 
right on: rip that junk out and go bareback.


But if you do it right, there is value to be provided by a firewall.

jms





Re: [c-nsp] ASA Firewalls placement in the network!

2009-10-11 Thread Ge Moua
The worst thing you can do is put a stateful firewall in front of a 
busy DNS server - every single packet creating new state will bring
most hardware-based firewalls to their knees, because session churn
is usually handled at much lower packet rate as pure packet throughput
for existing state...


I concur and have battle scars to attest to this; we tried to put a 
stateful firewall in front of our public NTP servers (which also happen 
to be our DNS servers) and the firewall tipped over within 5 minutes; 
state tables got exhausted quick.


- Ge

Univ of Mn







Gert Doering wrote:

Hi,

On Fri, Oct 09, 2009 at 10:06:49PM -0500, Brian Johnson wrote:
  

So are you actually saying that DPI is a bad thing relative to server
protection? What makes this a bad idea? In what way does it make them
more vulnerable to attacks?



Well, the point of a well-maintained server is that it is *open* to
the world - if you want a web server to be visible by the world, then
there isn't much you can do, besides open HTTP to it.  And other
services should not be running in the first place.

So, if you put a firewall in front of a well-maintained server, all you 
add is extra state table handling with all the problems it brings 
- state table overflow (=new connections getting dropped), state getting 
desynchronized with the server, firewall CPU exploding long before the
server is hitting any load boundaries, and worst of all, weaknesses in
the firewall products that can be used to crash the firewall, DoSing
the server.

The worst thing you can do is put a stateful firewall in front of a 
busy DNS server - every single packet creating new state will bring
most hardware-based firewalls to their knees, because session churn
is usually handled at much lower packet rate as pure packet throughput
for existing state...


Now, for a typical office network, things look different, because you
don't have that stringent control over the machines behind the firewall
(so you never know who installed what application on their machine), and
the typical direction for connection setup is different (outbound 
connection = state handling is needed for the return packets).



Your example of crafted packets that crash the server but can be handled
by the firewall brings up the interesting question why one would upgrade
the firewall (to recognize this packet), but not the server (to be not
vulnerable to the bad packet in the first place)... - and *that* is 
what I meant by "well-maintained server" in the first paragraph.


Now, if your servers are not hardened enough, I'm happy to sell you a 
firewall to put in front of it - but it won't do zilch against the next 
buggy PHP application that will be used to exploit the server via 
perfectly nice HTTP requests - no crafted packets, just bad applications...



(I'm also one of those people that think the claim "NAT will improve
your security" was true 10 years ago, but won't help at all for
today's security issues - browser exploits, e-mail viruses, etc.)

gert

  



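Gert's point that session churn, not packet throughput, is what brings a stateful firewall in front of a busy DNS or NTP server to its knees can be made concrete with a small discrete-time model of the session table. The following Python block is an added example rather than anything from the thread; the 10K queries/sec load is Joel's figure, while the table size, the UDP idle timeouts and the run length are constructed round numbers.

```python
"""Discrete-time model of a stateful firewall's session table in front of a
high-churn UDP service (public DNS/NTP), showing why new-flow rate, not packet
throughput, is what exhausts the table.  Added example, not from the thread;
the table size, timeouts and run length are constructed round numbers (the
10K queries/sec figure is Joel's)."""
from collections import deque


def steady_state_entries(new_flows_per_s, idle_timeout_s):
    """Entries held once the table reaches equilibrium: arrival rate x lifetime."""
    return new_flows_per_s * idle_timeout_s


def simulate(new_flows_per_s, idle_timeout_s, table_size, duration_s):
    """Every second `new_flows_per_s` distinct flows arrive (each DNS/NTP query
    is a fresh 5-tuple, so each one creates state).  An entry is freed only
    after it has sat idle for idle_timeout_s seconds.  Flows that arrive while
    the table is full are dropped.  Returns (first_overflow_second, peak_entries,
    dropped_flows); first_overflow_second is None if the table never fills."""
    batches = deque()           # (created_at, count); FIFO because lifetimes are uniform
    live = peak = dropped = 0
    first_overflow = None
    for t in range(duration_s):
        while batches and t - batches[0][0] >= idle_timeout_s:
            live -= batches.popleft()[1]
        admitted = min(new_flows_per_s, table_size - live)
        if admitted < new_flows_per_s:
            dropped += new_flows_per_s - admitted
            if first_overflow is None:
                first_overflow = t
        if admitted:
            batches.append((t, admitted))
            live += admitted
        peak = max(peak, live)
    return first_overflow, peak, dropped


if __name__ == "__main__":
    # 10K queries/sec, 120 s UDP idle timeout, 1M-entry table: full after 100 s.
    print(simulate(10_000, 120, 1_000_000, 300))
    # Same load with a 30 s UDP idle timeout never exceeds 300K entries.
    print(simulate(10_000, 30, 1_000_000, 300))
```

The model makes the sizing rule visible: the table must hold roughly new-flow rate times idle timeout, independent of bytes per second, so for a flow-per-packet service the practical levers are a short UDP idle timeout and the per-source rate limits Joel mentions, or, as Gert argues, a stateless ACL that creates no entries at all.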


Re: [c-nsp] Monitoring HTTP / url access @10gig

2009-10-05 Thread Ge Moua
We beta tested the GigaMon platform and for the most part it does what 
it claims it can do; basically takes a span feed and fans it out for 
analysis; in the end it was just too $$pricey$$ ( ~$100K USD); seems 
like the target mkt are carriers and large service providers.


Our OITSecurity group has been looking at NetOptics as a less expensive 
alternative:

http://www.network-taps.eu/home/home.php

Does basically the same as the Gigamon but not nearly as expensive 
(~$50K USD); albeit with less bells and whistles.


I forgot to mention that our focus is on IPS/IDS and these 10-gig feeds 
are to our IPS/IDS home grown clusters.


Good luck.


Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Phil Mayers wrote:
We currently monitor web access from our campus with a VACL capture, 
picked up by a server-class machine with a 10gig port. Hardware is 
sup720, and our internet links are 10gig, doing well over 1gbit/sec.


For various reasons this solution is unsatisfactory; the VACL doesn't 
work well and doesn't support IPv6, SPAN sessions are limited and 
policy routing to a web cache is exactly what we don't want to do. 
What other solutions can people recommend?


I see that GigaMon make an interesting (and expensive looking) product:

http://www.gigamon.com/gigavue-420.php

...which claims to be able to tap a 10gig link, filter the traffic 
then direct it to a 1gig port. This could be interesting for a number 
of reasons.


Other suggestions welcome.


Re: [c-nsp] Monitoring HTTP / url access @10gig

2009-10-05 Thread Ge Moua
I'm a bit surprised you were not able to match on IPv6 addresses; will 
something like this get any IPv6 traffic at all?


ipv6 access-list IPv6-Sample-ACL
permit ipv6 any any

To answer your question:

current:
* Vlan based SPANs, with edge feed on dot.1q trunk; this allows for 
poor man granularity by vlan (permit all & not as good as VACL)
* IDS are OpenBSD running snort with extensive ruleset for matching 
attack signatures


not-so-distant-future (which will buy us a few years):
* net-optics

In my opinion all of this is analogous to an arms race where at some 
point traffic volume over-runs the current method or technology used, then 
the whole design needs to be re-visited again; but then again IT is 
somewhat like that by nature.


Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services
2218 University Ave SE | Minneapolis, MN 55414-3029
Office: 612.626.2779 | Pager: 612.648.0103 | Fax: 612.626.1818



Phil Mayers wrote:

Ge Moua wrote:
We beta tested the GigaMon platform and for the most part it does 
what it claims it can do; basically takes a span feed and fans it 
out for analysis; in the end it was just too $$pricey$$ ( ~$100K 
USD); seems like the target mkt are carriers and large service 
providers.


Our OIT Security group has been looking at NetOptics as a less 
expensive alternative:

http://www.network-taps.eu/home/home.php

Does basically the same as the Gigamon but not nearly as expensive 
(~$50K USD); albeit with less bells and whistles.


Which specific products are you using, if you don't mind my asking?

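The VLAN-based SPAN feed plus Snort described above comes down to reading tagged frames off the mirror port and pulling the request line out of each HTTP session. As an added example (not code from this thread, from Snort, or from any of the tap products named), here is a small Python parser that does that job for both IPv4 and IPv6, which matters given the IPv6 VACL-capture trouble reported in the same thread: it strips the 802.1Q tag, walks the IP and TCP headers, and returns the method, Host and request-target of each HTTP/1.x request together with the VLAN it arrived on. The frames, MAC/IP addresses, VLAN IDs and ports are constructed test data, not captures from the UMN network; checksums are left at zero and IPv6 extension headers are not followed.

```python
"""Pull HTTP request lines out of dot1q-tagged frames from a SPAN/tap feed.

Added example, not from the original thread. All frames below are constructed.
"""
import ipaddress
import struct
from typing import List, Optional

ETH_IPV4, ETH_IPV6, ETH_DOT1Q = 0x0800, 0x86DD, 0x8100
IPPROTO_TCP = 6
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT"}


def parse_frame(frame: bytes) -> Optional[dict]:
    """Decode Ethernet(+802.1Q)/IPv4|IPv6/TCP; return None for anything else."""
    if len(frame) < 14:
        return None
    etype = struct.unpack("!H", frame[12:14])[0]
    off, vlan = 14, None
    if etype == ETH_DOT1Q:                      # trunk SPAN feed: tag present
        if len(frame) < 18:
            return None
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    if etype == ETH_IPV4 and len(frame) >= off + 20:
        ihl = (frame[off] & 0x0F) * 4
        total_len = struct.unpack("!H", frame[off + 2:off + 4])[0]
        proto = frame[off + 9]
        src, dst = frame[off + 12:off + 16], frame[off + 16:off + 20]
        l4, end = off + ihl, off + total_len
    elif etype == ETH_IPV6 and len(frame) >= off + 40:
        payload_len = struct.unpack("!H", frame[off + 4:off + 6])[0]
        proto = frame[off + 6]                  # next header; extension headers not followed
        src, dst = frame[off + 8:off + 24], frame[off + 24:off + 40]
        l4, end = off + 40, off + 40 + payload_len
    else:
        return None
    if proto != IPPROTO_TCP or len(frame) < l4 + 20:
        return None
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    data_off = (frame[l4 + 12] >> 4) * 4
    return {"vlan": vlan, "src": str(ipaddress.ip_address(src)),
            "dst": str(ipaddress.ip_address(dst)), "sport": sport, "dport": dport,
            "payload": frame[l4 + data_off:end]}


def http_request(payload: bytes) -> Optional[dict]:
    """Parse an HTTP/1.x request head: method, request-target and Host header."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or parts[0] not in HTTP_METHODS or not parts[2].startswith(b"HTTP/1."):
        return None
    host = None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
            break
    return {"method": parts[0].decode("ascii"),
            "target": parts[1].decode("ascii", "replace"), "host": host}


def scan_frames(frames: List[bytes]) -> List[dict]:
    """One record per frame that carries the start of an HTTP request."""
    hits = []
    for frame in frames:
        pkt = parse_frame(frame)
        req = http_request(pkt["payload"]) if pkt else None
        if req:
            hits.append({"vlan": pkt["vlan"], "client": pkt["src"], "server": pkt["dst"],
                         "dport": pkt["dport"], **req})
    return hits


def build_frame(sip: str, dip: str, sport: int, dport: int, payload: bytes,
                vlan: Optional[int] = None) -> bytes:
    """Constructed test frame (not a real capture); IP/TCP checksums left zero."""
    src, dst = ipaddress.ip_address(sip), ipaddress.ip_address(dip)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    if src.version == 4:
        etype = ETH_IPV4
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64,
                         IPPROTO_TCP, 0, src.packed, dst.packed)
    else:
        etype = ETH_IPV6
        ip = struct.pack("!IHBB16s16s", 0x60000000, len(tcp), IPPROTO_TCP, 64,
                         src.packed, dst.packed)
    macs = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    tag = struct.pack("!HH", ETH_DOT1Q, vlan) if vlan is not None else b""
    return macs + tag + struct.pack("!H", etype) + ip + tcp


SAMPLE_FRAMES = [  # constructed; RFC 5737 / RFC 3849 documentation addresses
    build_frame("192.0.2.10", "198.51.100.20", 40000, 80,
                b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n", vlan=120),
    build_frame("2001:db8::10", "2001:db8::1", 40001, 80,
                b"POST /login HTTP/1.1\r\nHost: [2001:db8::1]\r\nContent-Length: 0\r\n\r\n",
                vlan=231),
    build_frame("192.0.2.11", "198.51.100.22", 40002, 22, b"SSH-2.0-OpenSSH_5.3\r\n"),
]

if __name__ == "__main__":
    for hit in scan_frames(SAMPLE_FRAMES):
        print(hit)
```

Fed from a real feed (for instance frames read out of a pcap taken on the SPAN destination port), the same functions give you per-VLAN, per-client URL records without depending on the switch's VACL capture path at all; the filtering then happens in software, where IPv6 is just another ethertype.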


Re: [c-nsp] Monitoring HTTP / url access @10gig

2009-10-05 Thread Ge Moua

What code are you running on the Sup720 (3bxl, I assume)?

Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Phil Mayers wrote:

Ge Moua wrote:
I'm a bit surprised you were not able to match on IPv6 addresses; will 
something like this get any IPv6 traffic at all?


It's complicated, but seemingly the 6500 won't VACL-capture IPv6 
traffic which it's also routing. It could be a bug, but as I say we've 
had other problems with VACL capture (e.g. it just stopped working one 
day with no config changes, then started back up a week later with no 
explanation) so we're keen to move away from it.






Re: [c-nsp] SUP720 - 12.2(18)SXF17

2009-10-02 Thread Ge Moua
not on a Sup720 but deployed this with a Sup32 recently; still working 
with Cisco TAC on Norton Ghost multicast causing OSPF to reset.


Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Drew Weaver wrote:

Anyone deployed this monster yet? Have any wacky issues that were unexpected?

-Drew



Re: [c-nsp] Graph packet loss , delay , BER

2009-10-01 Thread Ge Moua

smokeping

Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Oliver Boehmer (oboehmer) wrote:

Mohammad Khalil wrote on Thursday, October 01, 2009 09:26:

hey all

I want to be able to graph the packet loss between 2 routers or even
between a router and a remote site, as well as BER or delay. Can I do
that?
What is the best method to calculate this?



I would set up an IP-SLA probe on the router(s) to measure the
latency/etc., and I would expect there are mrtg/cacti scripts around
which are able to graph this data (using SNMP)...
check out www.cisco.com/go/ipsla for more info on ip-sla..

oli


Re: [c-nsp] EoMPLS v L2TPv3

2009-09-26 Thread Ge Moua

David Freeman-
We do have a native MPLS backbone and one of our providers does provide 
MPLS CsC to about 24 of our remote sites.
For about 12 of our other sites, the service providers only offer native 
IP services.


Any reasons why you have a distaste for MPLSoGRE?

The Cisco TAC has actually told me they have more expertise and 
experience with MPLSoGRE and has suggested the move away from L2TPv3.


Thanks for your feedback.

Regards,
Ge Moua
University of Minnesota



david.freedman at uk wrote on Sep 25, 2009, 9:56 AM:


I think the choice is simple.

If you have a native MPLS backbone, use EoMPLS.

If you don't, then don't, use L2TPv3, please don't do MPLSoGRE,
it is more trouble than it is worth.

That said, can you not build out a native MPLS network? does your
provider not give you the ability to do this?

Dave.


Re: [c-nsp] EoMPLS v L2TPv3

2009-09-25 Thread Ge Moua

David Freedman-
Do you have a preference of one over the other?  I've been thinking 
about the option of replacing our L2TPv3 deployment with EoMPLS (ie, 
Cisco's ATOM model).


We are using Cisco 7203 with NSE engine for L2TPv3 acceleration; but I'm 
not a big fan of this platform; we have 3bxl-sup720/cat6k at the core 
that can do MPLS in hardware; I was just thinking of using GRE to 
encapsulate the MPLS packet over to the spoke sites (thereby bypassing 
the need to do MPLS end-to-end); this would allow EoMPLS over service 
providers' native IP infrastructure.


Feedback?



Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



David Freedman wrote:

Wow, this is actually a tricky question, so I'll jot down some points
for you to think about from the top of my head (and anybody, please feel
free to correct these if they are wrong, they may be out of date)

EoMPLS:

 - Requires end-to-end MPLS LSP
 - Does not support path fragmentation (need wider MTU end-to-end)
 - Hardware support good
 - OAM available
 - Closer ties with MPLS-TE
 - some vendors have attachment circuit interworking
 - some hardware vendors may not be happy about attachment circuit MTU
mismatch


L2TPv3:

 - Only requires IP (but has some rudimentary security (Cookie))
 - Path Can be encrypted by IPSEC (this is actually a moot point, even
in a world where stuff like draft-raggarwa-mpls-ipsec wasn't
implemented, you can still encrypt the payloads of both technologies)
 - Not well supported in hardware, lots of restrictions
 - interworking support in hardware poor
 - lack of proper OAM



Dave.


Michael Robson wrote:

What is the added benefit of running an EoMPLS pseudowire across an MPLS
cloud over an L2TPv3 tunnel over the same cloud?


Michael





Re: [c-nsp] EoMPLS v L2TPv3

2009-09-25 Thread Ge Moua

Gert-
what about the 3cxl; we have some of those on hand too.

Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Gert Doering wrote:

Hi,

On Fri, Sep 25, 2009 at 11:49:47AM -0500, Ge Moua wrote:
We are using Cisco 7203 with NSE engine for L2TPv3 acceleration; but I'm 
not a big fan of this platform; we have 3bxl-sup720/cat6k at the core 
that can do MPLS in hardware; I was just thinking of using GRE to 
encapsulate the MPLS packet over to the spoke sites (thereby bypassing 
the need to do MPLS end-to-end); this would allow EoMPLS over service 
providers' native IP infrastructure.


Feedback?



PFC3b cannot do MPLS-over-GRE

(... at least not without the help of a SIP or ES line card)

gert


Re: [c-nsp] Cisco SSL VPN?

2009-08-21 Thread Ge Moua

We've used this free IPSec 64-bit Windows client for the Cisco VPN:
http://www.shrew.net/

Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Eric Girard wrote:

Something relatively recent that makes the lack of 64-bit support much more 
palatable is the new Essentials license.  It needs 8.2 code, but for short 
money it gives you AnyConnect client only SSL VPN support for the max number of 
tunnels supported by the box.  It restores the cost/benefit of the old IPSec 
client.

Beyond that, to add to what Justin said, nothing fancy, it pretty much works, 
similar to the old IPSec client.  I tend to stay away from the clientless and 
Java client stuff, just stick to the AnyConnect.

Eric

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Justin M. Streiner
Sent: Friday, August 21, 2009 4:22 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cisco SSL VPN?

On Fri, 21 Aug 2009, Charles Mills wrote:


Anyone currently (successfully) using the SSL VPN on an ASA box (5520 or above)?

I'm in uncharted territory with this feature and not sure if it is
worth going down this route.



I've deployed it for a client and it seems to work pretty well, though as
far as I know they're not doing anything terribly exotic.

One important gotcha:
The SSL VPN connections are licensed independently from IPSEC connections.
The base license allows for only two concurrent connections at least on
the smaller ASAs, so you might need to purchase a license upgrade if you
want to roll it out on a larger scale.  If you do a show version on the
ASA, the number of WebVPN peers is the number you need to know.

Cisco has made it clear that they're moving in this direction, as they
don't seem to be putting much new development effort into the IPSEC client
- it doesn't support 64-bit OSen, and I doubt they'll spin many cycles
testing Windows 7, etc...  They seem to want people to move to the
AnyConnect (SSL VPN) model.

jms


Re: [c-nsp] Open Source Substitute for Cisco's Secure ACS?

2009-08-13 Thread Ge Moua

Yep, RADIATOR is great; we use it over here :-)

Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Scott McGrath wrote:
Not so much - we use ACS for TACACS services and proxy the TACACS via 
RADIUS for some application but Cisco ACS is now an appliance and on 
the close order of 8K + SmartNet so you are looking at 20K $US for a 
new solution.


RADIATOR is open-source but not 'free' it has 200+ authenticators and 
interfaces to billing systems built in and a basic license and support 
for 1 yr is under $2000 US


Nothing wrong with FreeRADIUS, it's just you need to 'roll your own' 
for a lot of stuff. If your time is worth nothing or it's a hobby or 
experimental setup FreeRADIUS may be the better choice. But if you 
want something with AD, LDAP, Kerberos, Unix, NTLM, SQL, etc. built in 
and ready to go, RADIATOR is your tool.


- Scott

Alan Buxey wrote:

Hi,
 
Radiator RADIUS server. There are multiple versions of this 
software and support is available for a reasonable fee, and it runs on 
Windows/Solaris/Linux



with fear of pouring petrol onto a RADIUS flamewar I'd say if
the original post ain't got funding for ACS then free open source is
pushing the answer to FreeRADIUS.
alan




Re: [c-nsp] pseudowire over ip/mpls

2009-08-11 Thread Ge Moua
Been doing that for a few years over here; works fairly well (although 
ds-z circuits are pricey).


Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Mike wrote:

Hello,

This may not be a strictly cisco question, but does anyone here have
good operational experience with pseudowire (t1 and ds3) carried over
ip/mpls?  I'm just interested in real world experiences and deployment
scenarios that have went live. I previously posted to the nanog list
without success.

Thank you.




Re: [c-nsp] Linux Com Driver to Modem on Cisco Terminal Server

2009-08-10 Thread Ge Moua

I like minicom.

Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Gregory Boehnlein wrote:

Hello,
Received a request from a client that needs to access a modem on a
Cisco router from standard serial applications on a Linux box. These are for
standard applications that do modem control (I.E. ATDT1X etc..) and
not PPP.

There used to be a few pieces of software out there that did it, but
I can't seem to find any of them. Anyone have any solutions for this?



[c-nsp] tcam exhaustion for netflow vacl capture for cat6500

2009-08-06 Thread Ge Moua

on 6500 with 3bxl sup720:

will concurrent use of ( 10K) netflow exports and ( 10Gb/s) VACL
capture exhaust TCAM more quickly than each by itself?

how do I monitor this?
how do I check status?





Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Re: [c-nsp] ASA Multiple Context Mode

2009-07-19 Thread Ge Moua
I've done IOS based WebVPN with multiple VRFs (vrf-lite in this case); 
this is somewhat analogous to the ASA w/ multiple context; I know you 
mentioned how to do this on the ASA which I don't believe is possible.


Our Cisco Acct SE mentioned vlan mapping where you terminate the 
webvpn/ipsec tunnel on one interface but then funnel the designated 
traffic per customer to different downstream vlan or interfaces; 
essentially this allows you to have multiple customer groups in one 
context; I've seen docs on Cisco CCO that mention this as well; good luck.



Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Ryan West wrote:

Clue,

I am pretty sure that it doesn't support SSL VPNs either.  All NetPro 
discussions show the same results.  Assuming you are supporting multiple customers 
and want to give them access to their firewall, or whatever your reason for 
choosing multiple context may be, you should use another ASA pair in 
Active/Standby to provide VPN termination services.  You may have to mess 
around with RRI, but you should be able to pull off customer segregation using 
VLANs.

-ryan

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Clue Store
Sent: Sunday, July 19, 2009 2:14 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ASA Multiple Context Mode

Hi All,


As I understand that the ASA in multiple context mode does not support
VPNs, does this also include SSL VPNs? Someone has mentioned that it
turns off the IPSEC engine in this mode, but I have not been able to find
anywhere where it says SSL VPNs are not supported. If it doesn't support
SSL VPN, what are other folks doing for VPNs in this situation where
multiple contexts are being used?

TIA,
Clue


Re: [c-nsp] SA-VAM NPE-200

2009-07-15 Thread Ge Moua
I've done this before; this will work but Cisco will not give you 
support if there are issues; also the VAM combo with this router engine 
results in very little throughput; not worth it IMHO.


Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services




Kris Amy wrote:

Hi,

Just wondering if this combination works. The documentation says a NPE225 is 
required however i'm wondering if that is just a warning or an actual 
requirement...

--
Kind Regards,
Kris Amy
Enterprise IP
Phone: 07 3123 5510
National: 1300 347 287
Fax: 1300 347 329
Direct: 07 3123 5511
Email: kris@eip.net.au



Re: [c-nsp] multiple vlans on a port

2009-07-13 Thread Ge Moua
Yes, I've done this on a few Xen boxes myself; contact me off-line and I 
can send you my install notes.


Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Cord MacLeod wrote:
I realize this is impossible, at least I have read it is on an access 
port.  So if I set up a trunk port with the machine, does the machine 
need to speak 802.1q as well?


interface GigabitEthernet0/15
 switchport access vlan 120
 switchport trunk native vlan 120
 switchport trunk allowed vlan 100,120,231,321
 switchport mode trunk
end

The purpose of this is that the machine is a Linux machine running 
Xen, so the cloud will decide what machines and vlans it needs to spin 
up at what time.  Meaning this port will need access to these vlans.  
This being the case, will I need to configure the Linux machine for 
802.1q trunking as well?  I found this article that seemed to suggest, 
yes, but I wanted a second opinion.  
http://www.linuxjournal.com/article/7268


Thanks for your help.


Re: [c-nsp] L2TPv3 and VLANs

2009-06-18 Thread Ge Moua


 How do I make this happen on the HQ router?

Each l2tp tunnel will have its own vc:  sh l2tun all

You obviously have thought this all out as your logic for how it will 
and should work is sound.


We are doing a very similar setup over here at the UofMn and this is 
working well for us.



Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Ziv Leyes wrote:

Hi,
I'm trying to make sure this following scenario can work.
3 remote sites, one is the HQ which has a switch that handles 2 vlans, let's 
say vlan 10 and vlan 20.
The other two branches need to be connected to the HQ and have a flat LAN 
between them and the HQ, but each branch to its own vlan, branch 1 to vlan 10 
and branch 2 to vlan 20. They must NOT see each other's traffic.
Every site has a switch and a router (C2801 I think). Is it possible to do?
If yes, then I was thinking about L2TPv3, but in this case I'd need to make two 
different xconnections between HQ--Branch 1 and HQ--Branch 2.
How do I make this happen on the HQ router? I was thinking to bring the vlans 
via a trunk from the switch and then finishing them on sub-interfaces with 
dot1q and then xconnecting the sub-interface to each l2tp tunnel to each 
respective branch. Is it correct or there is a better way?

Will this work?

Thanks in advance for your help
Ziv


Re: [c-nsp] L2TPv3 and VLANs

2009-06-18 Thread Ge Moua
Yep, ran into that too; on the upstream layer-3 hop from hosts do 
something like tcp-mss adjust 1300 which will ensure tcp packets have 
enough head-room for l2tpv3 headers.  With UDP traffic, this gets more 
tricky; I haven't done this yet but one can adjust max segment size on 
end-station hosts to something like 1300 (which of course would affect 
all protocol types); there are open source tools to do this, but the 
downside is that all the end-station hosts need to be touched for 
consistency; I suppose I'm too lazy : - (


Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Paul Stewart wrote:

How did you deal with MTU issues from l2tpv3?  In our testing we would see
packets drop instead of fragmenting where they should... I've been meaning
to followup on this as we have some great l2tpv3 deployments waiting in the
wings...

Paul
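As an added illustration of the MTU point in this exchange (example code, not from the thread, from Cisco, or from any UMN deployment), the following Python works out how much inner MTU a 1500-byte core path leaves once the L2TPv3 headers, a dot1q tag and, optionally, an IPsec ESP transform are accounted for, and from that the MSS value to clamp to. Header sizes follow RFC 3931 (L2TPv3 over IP: 4-byte session ID, 0/4/8-byte cookie, optional 4-byte L2-specific sublayer) and RFC 4303 (ESP); the cookie length, sequencing and ESP algorithm sizes are inputs, because they depend on how the pseudowire-class and the crypto transform are configured, and the 1500-byte path MTU is an assumption. On IOS the resulting number is what goes on the LAN-facing interface as ip tcp adjust-mss; the example shows why a clamp of 1300 leaves comfortable headroom even after IPsec.

```python
"""Inner MTU / TCP MSS budget for an L2TPv3 pseudowire, with or without IPsec.

Added example, not from the thread. Header sizes per RFC 3931 (L2TPv3) and
RFC 4303 (ESP); cookie length, sublayer and ESP algorithm sizes are parameters
because they depend on the pseudowire-class and crypto transform in use.
"""
from dataclasses import dataclass
from typing import Optional

IPV4_HDR = 20
ETH_HDR = 14            # dst MAC, src MAC, ethertype; the FCS is not carried over the PW
DOT1Q_TAG = 4           # present when the attachment circuit is a dot1q subinterface
L2TPV3_SESSION_ID = 4   # L2TPv3 over IP (protocol 115) session header
L2TPV3_L2_SUBLAYER = 4  # optional default L2-specific sublayer (sequencing)
TCP_IPV4_HDRS = 40      # inner IPv4 + TCP without options


@dataclass(frozen=True)
class IpsecEsp:
    """ESP transform sizes. Defaults model AES-CBC with HMAC-SHA1-96 in tunnel mode."""
    block: int = 16      # cipher block size (8 for 3DES)
    iv: int = 16         # IV length (8 for 3DES)
    icv: int = 12        # truncated HMAC (16 for HMAC-SHA-256-128)
    tunnel: bool = True  # tunnel mode adds a fresh outer IPv4 header


def esp_packet_size(plaintext_len: int, esp: IpsecEsp) -> int:
    """On-wire size of an ESP packet protecting plaintext_len bytes (RFC 4303)."""
    pad = (-(plaintext_len + 2)) % esp.block   # payload + 2-byte trailer fills whole blocks
    return IPV4_HDR + 8 + esp.iv + plaintext_len + pad + 2 + esp.icv


def outer_size(inner_ip_len: int, cookie_len: int = 8, sequencing: bool = False,
               dot1q: bool = True, esp: Optional[IpsecEsp] = None) -> int:
    """Bytes put on the core link for one inner IP packet of inner_ip_len bytes."""
    frame = ETH_HDR + (DOT1Q_TAG if dot1q else 0) + inner_ip_len
    l2tp_pkt = (IPV4_HDR + L2TPV3_SESSION_ID + cookie_len
                + (L2TPV3_L2_SUBLAYER if sequencing else 0) + frame)
    if esp is None:
        return l2tp_pkt
    # Tunnel mode encrypts the whole L2TPv3/IP packet; transport mode keeps its IP header.
    plaintext = l2tp_pkt if esp.tunnel else l2tp_pkt - IPV4_HDR
    return esp_packet_size(plaintext, esp)


def max_inner_mtu(path_mtu: int = 1500, **kw) -> int:
    """Largest inner IP packet that crosses the core without outer fragmentation."""
    inner = path_mtu
    while outer_size(inner, **kw) > path_mtu:
        inner -= 1   # ESP padding depends on length, so search instead of subtracting a constant
    return inner


def tcp_mss(path_mtu: int = 1500, **kw) -> int:
    """Value to clamp the SYN MSS to on the LAN-facing hop (IOS: ip tcp adjust-mss)."""
    return max_inner_mtu(path_mtu, **kw) - TCP_IPV4_HDRS


def budget_report(path_mtu: int = 1500) -> dict:
    """(inner MTU, TCP MSS) for a few common pseudowire profiles."""
    profiles = {
        "l2tpv3 cookie4 port-mode": dict(cookie_len=4, dot1q=False),
        "l2tpv3 cookie8 vlan-mode": dict(cookie_len=8, dot1q=True),
        "l2tpv3 cookie8 vlan seq": dict(cookie_len=8, dot1q=True, sequencing=True),
        "l2tpv3 + esp aes/sha1 tunnel": dict(cookie_len=8, dot1q=True, esp=IpsecEsp()),
        "l2tpv3 + esp 3des/sha1 tunnel": dict(cookie_len=8, dot1q=True,
                                              esp=IpsecEsp(block=8, iv=8)),
    }
    return {name: (max_inner_mtu(path_mtu, **kw), tcp_mss(path_mtu, **kw))
            for name, kw in profiles.items()}


if __name__ == "__main__":
    for name, (mtu, mss) in budget_report().items():
        print(f"{name:32s} inner MTU {mtu}  TCP MSS {mss}")
```

With a 1500-byte core, an 8-byte cookie and a dot1q attachment circuit the pseudowire leaves 1450 bytes of inner MTU (MSS 1410); adding AES-CBC/SHA1 ESP in tunnel mode pulls that down to 1388 (MSS 1348). Note that MSS clamping only helps TCP: an inner UDP datagram larger than the inner MTU is either fragmented on the outer side or dropped when DF is honoured, which is the behaviour described above, so the inner-MTU figure is what hosts would have to respect for everything else.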


Re: [c-nsp] L2TPv3 and VLANs

2009-06-18 Thread Ge Moua
I've also seen out-of-order packets get discarded (essentially 
dropped); if fragmentation is clean and in correct order, L2TPv3 as 
implemented by Cisco seems to work better; we've opened a case with Cisco 
about this re: VTP traffic and their response essentially was to do 
nothing about it and not use VTP (so we are now using VTP transparent 
mode with no VTP updates) and thus no VTP being transmitted over the 
l2tpv3 pseudowire.


I've been meaning to do pseudowire testing using AToM/EoMPLS tunneled 
inside of GRE to see if this works better; Cisco TAC seems to be more 
receptive in supporting MPLS issues rather than L2TPv3 over native IP.


Let me know if you run into different conclusions as I've been 
struggling with this issue for a few years now.


Good luck.

Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services


Re: [c-nsp] L2TPv3 and VLANs

2009-06-18 Thread Ge Moua
RTP, video streaming, H.323, and the like; nothing really breaks, just 
spongy response if the pipe is saturated.


Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Paul Stewart wrote:

Thanks... we don't want to touch each workstation - would involve way too
much time for our installations...;)

With UDP traffic, does anything normally break that comes to mind on
larger MTU? I can't think of anything hence why I'm asking...

Cheers,

Paul


-Original Message-
From: Ge Moua [mailto:moua0...@umn.edu] 
Sent: June 18, 2009 11:33 AM

To: Paul Stewart
Cc: 'Ziv Leyes'; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] L2TPv3 and VLANs

Yep, ran into that too; on the upstream layer-3 hop from hosts do
something like tcp-mss adjust 1300 which will ensure tcp packets have
enough head-room for l2tpv3 headers.  With UDP traffic, this gets more
tricky; I haven't done this yet but one can adjust max segment size on
end-station hosts to something like 1300 (which of course would affect
all protocol types); there are open source tools to do this, but the
downside is that all the end-station hosts need to be touched for
consistency; I suppose I'm too lazy : - (


Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Paul Stewart wrote:
  

How did you deal with MTU issues from l2tpv3?  In our testing we would see
packets drop instead of fragmenting where they should... I've been meaning
to follow up on this as we have some great l2tpv3 deployments waiting in the
wings...

Paul


-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Ge Moua
Sent: Thursday, June 18, 2009 10:44 AM
To: Ziv Leyes
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] L2TPv3 and VLANs


> How do I make this happen on the HQ router?

Each l2tp tunnel will have its own vc:  sh l2tun all

You obviously have thought this all out as your logic for how it will
and should work is sound.

We are doing a very similar setup over here at the UofMn and this is
working well for us.


Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Ziv Leyes wrote:
  


Hi,
I'm trying to make sure this following scenario can work.
3 remote sites, one is the HQ which has a switch that handles 2 vlans,
let's say vlan 10 and vlan 20.

The other two branches need to be connected to the HQ and have a flat LAN
between them and the HQ, but each branch to its own vlan, branch 1 to vlan
10 and branch 2 to vlan 20. They must NOT see each other's traffic.

Every site has a switch and a router (C2801 I think). Is it possible to do?

If yes, then I was thinking about L2TPv3, but in this case I'd need to
make two different xconnections between HQ--Branch 1 and HQ--Branch 2.

How do I make this happen on the HQ router? I was thinking to bring the
vlans via a trunk from the switch and then finishing them on sub-interfaces
with dot1q and then xconnecting the sub-interface to each l2tp tunnel to
each respective branch. Is it correct or there is a better way?

Will this work?

Thanks in advance for your help
Ziv

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Can you apply crypto map to SVI

2009-06-16 Thread Ge Moua
Yes, this should work contingent on hw platform.  If you do a sh cry
engine do you see an active crypto engine in sw or hw?  If not then the
crypto commands will never be invoked even though legal.


Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Andy Saykao wrote:

Hi All,

Got a problem with a site-to-site IPSEC vpn implementation where one end
is using SVI.

Does anybody know if a crypto map can be applied to a SVI to bring up
the IPSEC tunnel? It accepts the command but I can't pass any traffic
to/from it.

interface vlan 10
 crypto map MY-MAP

Or do you need to apply the crypto map to a physical interface?

I've gotten it working on a sub-interface (eg: interface
GigabitEthernet0/0.11) but can't find any documentation that talks about
applying it to a SVI and whether this will work.

Thanks.

Andy


This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
Please notify the sender immediately by email if you have received this
email by mistake and delete this email from your system. Please note that
any views or opinions presented in this email are solely those of the
author and do not necessarily represent those of the organisation.
Finally, the recipient should check this email and any attachments for
the presence of viruses. The organisation accepts no liability for any
damage caused by any virus transmitted by this email.


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Can you apply crypto map to SVI

2009-06-16 Thread Ge Moua
Maybe; I've seen a situation with the me-6524 with the crypto commands 
available but functionality disabled.  What hardware platform are you 
running?


Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Andy Saykao wrote:

Hi Ge,

Yes I see an active crypto engine in software. 


core1#sh cry engine configuration

crypto engine name:  unknown
crypto engine type:  software
 serial number:  00016956
   crypto engine state:  installed
 crypto engine in slot:  N/A
  platform:  Cisco Software Crypto Engine

   Encryption Process Info:
  input queue size:  500
   input queue top:  0
   input queue bot:  0
 input queue count:  0

   Crypto Adjacency Counts:
Lock Count:  0
  Unlock Count:  0
crypto lib version:  17.0.0
 ipsec lib version:  2.0.0

Does this mean that if the crypto map is applied to the SVI that the
IPSEC tunnel should be working (considering my IPSEC config is all
good).

Thanks.

Andy

__
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
__

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Can you apply crypto map to SVI

2009-06-16 Thread Ge Moua
I think on the 6500 with Sup720 you may need an IPSec VAM or SPA card for
IPSec functionality to be active; I wonder if this is the same on the
7606; you should open a case with Cisco and ask the question.


Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Andy Saykao wrote:

Hi Ge,

This is being implemented on a Cisco 7606 (SUP720) running
12.2(18)SXF16.

Thanks.

Andy 



___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Opensource tool to measure Jitter for VoIP

2009-06-08 Thread Ge Moua

smokeping

supports latency metrics out of the box; add plugins for jitter

easy to install (debian based *nix)
apt-get install smokeping


Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Kasper Adel wrote:

Hello,

I'm looking for a way to measure jitter for a VoIP network and I can't get my
hands on IXIA or any fancy tool like that so I'm asking if anyone used any
open source tool specifically for the matter.

IPerf is an option but I've never used it, so can you guys point me if it can
be used and what are the tests that I can try with it; my skills on *nix and
these tools are similar to my skills with Chinese poetry ;)

Thanks,
Kas

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] L2TPv3 performance over gig?

2009-06-04 Thread Ge Moua

I've done testing for both:
* no encryption: ~ 980Mb
* encryption ~ 240 Mb

Performance dependent on router platform (in my case 7203 w/ NSE-100)

Encryption was on 7206 w/ NPE-G1 & VAM2+

Conclusion, performance limited to hardware used and not layer-1 link speed.


Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Chris Fournier wrote:

Does anyone use L2TPv3 over a gig link, and what is the performance
overhead introduced? I've seen some numbers at the Cisco website, but
these seem to reference encryption versus encapsulation.


Chris


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] L2TPv3 performance over gig?

2009-06-04 Thread Ge Moua

The (2) scenarios are:
* L2TPv3 vc w/ no encryption
vs.
* L2TPv3 vc w/ IPSec encryption (encapsulated inside of)

One can also do layer-2 VPN with MPLS, eg, AToM (EoMPLS), but I think
the initial thread was about L2TPv3 (layer-2 VPN inside native IP).
Personally I like the AToM/EoMPLS (or even VPLS) approach with the
many-to-many connections flexibility (vs. one-to-one connection
limitation with L2TPv3).

We have about a half-dozen sites on L2TPv3 but have considered
AToM/EoMPLS.  Just in case you're wondering, Cisco TAC has far more
in-depth expertise w/ MPLS flavors as I've been told; when you run into
issues.

Good luck.

Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Aaron wrote:

What does that have to do with L2TPv3?

On Thu, Jun 4, 2009 at 11:09, Ge Moua moua0...@umn.edu wrote:



___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] IP Tunneling Question

2009-05-19 Thread Ge Moua
What seems to be gaining popularity is a GRE-like tunnel with IPSec
encapsulation; Cisco calls this IPSec VTI; caveat is that equipment in
question may need to be Cisco based.


Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Charles Wyble wrote:

All,


I'm looking to setup a VPN with a couple colocation providers who are 
friends of mine, and have some under utilized address space. They are 
supporting some security research I am doing (a darknet/honeynet). [1]


I am exploring different options to utilize that IP space on my lab 
servers.


How do folks typically accomplish IP tunneling? IPSEC tunnels? Do you 
use GRE? What about OpenVPN?


I can easily setup any of the above mentioned approaches as howtos 
abound. Just wondering if there is anything to consider for this 
scenario to reduce overhead and packet molestation as much as possible.


Thanks.

[1] If more information is desired please see my blog at 
http://cnwccxx.blogspot.com/ I'll be posting there on various 
visualization tools and methodologies etc.


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] network simulator

2009-05-18 Thread Ge Moua
If I understand you correctly you prefer a s/w virtual environment (VM)
that can simulate multiple switches; doing trunking (802.1 ?) and
switch access ports.  Maybe preferably if this was akin to a Cisco
switch with its breadth of IOS commands; which probably does exist as a
proprietary tool for in-house Cisco developers.

Well, I've done something similar if not exact to the summary above for
a training lab for firewall simulation.  Here is my setup:

hw:
* x86 Dual Xeon 2.6 Ghz / 4Gb RAM / 200 Gb HDD

sw:
+ (Virtualization Sw) Xen 3.3.1 running on CentOS 5.3
   + fed (1) 802.1q trunk (with 16 Vlans) from upstream Cisco3750 switch
      * (16) VMs running Ubuntu 9.04 that act as end hosts per Vlan
        and broadcast domain
   + fed (2) switch access ports
      * (1) for mgmt of Host VM (CentOS 5.3)
      * (1) for another guest VM (Ubuntu 9.04)

The net effect is that the Xen environment acts like a switch if fed
with an 802.1q trunk.  I'm sure there are more elegant ways of doing what
you ask, but this setup works pretty effectively for my needs.

Good luck.


Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Holemans Wim wrote:

I'm looking for a (free) network simulator that allows me to simulate a
small network (20 switches) with different vlans on it. I want to test
different scenarios: what happens if this switch goes down or that
link goes down, how do the packets flow in each scenario for the
different vlans...

Anyone has a good reference to such a product? Free would be nice but
is no absolute condition.

Thanks,

Wim Holemans

Netwerkdienst Universiteit Antwerpen



___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] L2TPv3 LNS mode

2009-03-18 Thread Ge Moua
One could send this over vanilla crypto IPSec; IPSec is routable.  We 
are doing this over here.


Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Gabor Ivanszky wrote:

Hello,

is there any possibility to route (L3 process) Ethernet encapsulated IP
packets arriving at a Cisco router in a L2TPv3 tunnel?

In other words, is it possible to configure a Cisco box in LNS role in
an Ethernet L2TPv3 setup?

  L2TP Network Server (LNS)

  If a given L2TP session is terminated at the L2TP node and the
  encapsulated network layer (L3) packet processed on a virtual
  interface, we refer to this L2TP node as an L2TP Network Server (RFC3931)

Actually I'd like to implement (a) LAC-LNS Reference Model:

  On one side, the LAC receives traffic
  from an L2 circuit, which it forwards via L2TP across an IP or other
  packet-based network.  On the other side, an LNS logically terminates
  the L2 circuit locally and routes network traffic to the home
  network.  The action of session establishment is driven by the LAC
  (as an incoming call) or the LNS (as an outgoing call).

   +-----+   L2   +-----+            +-----+
   |     |--------| LAC |...[ IP ]...| LNS |...[home network]
   +-----+        +-----+            +-----+
   remote
   system
         |<------ emulated service ------>|
   |<------------- L2 service --------------->|   (RFC3931)

Practically an Ethernet interface with an xconnect setting on LAC
side, and something like an IP tunnel interface on the LNS side.

The obvious

interface Tunnel1
 tunnel mode l2tpv3

doesn't exist.


cheers,
Gabor

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Open Source solution to deploy a radius server against Cisco devices?

2009-03-07 Thread Ge Moua
We use Radiator over here to manage over 6,000 cisco devices; works
pretty well on server class hardware.


Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



luismi wrote:

Hi all,

I am looking for an open source solution to deploy some radius in our
network.
The primary goal is to connect to those radius to provide auth services:
- The VPN Concentrators and vpn accounts (we would move all the vpn
accounts info to the radius)
- Validate ip http auth-proxy users

Radius service should be able to be managed using a web interface.
I don't really mind if there is a proper web interface or if we need to
install webadmin.
It also must support accounting.
And it would be great if it is possible to have the back-end into MySQL.

I was checking FreeRadius and Radiator.
Any other options?
All comments are welcome.

Thanks



___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] OT: TCL Book recommendation for Cisco EEM

2009-03-06 Thread Ge Moua
The monkey book was what I started with.  Very detailed with pretty 
good intro.



http://oreilly.com/catalog/expect/chapter/ch03.html


Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Justin Shore wrote:
Does anyone have any suggestions on a good book on TCL scripting for 
Cisco's EEM?  As a complete TCL novice, a good TCL intro would be 
good.  I can probably use existing EEM examples to learn the 
intricacies of using TCL for Cisco I think, unless someone knows of a 
book that covers that too.


http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_eem_overview.html 



Thanks
 Justin

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] l2tpv3 config - MTU question

2009-02-26 Thread Ge Moua
We've got about a half-dozen sites deployed on this, with about 1000
user base total, and it's running mostly fine, caveats:
* watch out for VTP as there may be some out of order packets that
cause VTP convergence to fail; run the CE side in vtp transparent mode
and add vlans manually
* another trick we've been thinking about is adjusting MTU on the end
workstations
* mtu 1472 works fine as defrag/frag will happen on the pe/ce equipment;
no worries with running high cpu on end-workstations due to frag/defrag
operations
* clear ip tra & sh ip tra will show frag stats on routers

hope this helps.

Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Paul Stewart wrote:

Thanks - yes, absolutely and I can figure that into the equation.  Been
reading a lot of discussions in archives and Google about this.  I want to
ensure that however/where we deploy this that we can provide a full 1500 MTU
*without* having desktops make MTU adjustments basically at the expense
of fragmentation and CPU (which we can account for).  No matter what I've
tried so far I can't get a ping through our pair of test routers larger than
1472 though yet

This avoids websites being unreachable (Microsoft comes to mind) and other
MTU annoyances we've encountered over time...

Paul


-Original Message-
From: Ge Moua [mailto:moua0...@umn.edu] 
Sent: Thursday, February 26, 2009 11:50 AM

To: Paul Stewart
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] l2tpv3 config - MTU question

I was tackling a similar issue over here too, I think it may have to do 
with the fact that l2tpv3 and ethernet headers are taking some of the 
mtu allocation.


Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Paul Stewart wrote:
  

Hi folks.

I've set up a pair of 1841's back to back for testing l2tpv3 deployment for a
client..

FastE0/0 from each 1841 is connected to one another at 10.0.0.0/24 - each
router has a loopback of 192.168.254.1 and .2  - OSPF is running and am able
to successfully ping each other's loopback with redistributed subnets etc..

Configured each router to look like this:

pseudowire-class test
 encapsulation l2tpv3
 sequencing both
 ip local interface Loopback0

interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.0
 duplex auto
 speed auto

interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 no cdp enable
 xconnect 192.168.254.2 1234 pw-class test

Have a notebook hooked up to each FastE0/1 port and assigned 172.16.0.1 and
.2 on them.  I can ping back and forth proving connectivity etc.

My problem/question is how to get a packet of 1500 bytes to traverse the
link - obviously fragmented but that's ok.  In the real-world deployment
of this setup we are limited to 1500 MTU in most situations and will presume
no mini-jumbo support anywhere (from a config perspective at least).

In my first config I had Path MTU discovery enabled and could only ping up
to 1440 bytes.  With that disabled I can now ping to 1472 but not beyond.

With Path MTU turned on it looked like this:

site2#sh l2tun session all

%No active L2F tunnels

L2TP Session Information Total tunnels 1 sessions 1

Session id 53211 is up, tunnel id 32076
Call serial number is 129330
Remote tunnel name is site1
  Internet address is 192.168.254.1
  Session is L2TP signalled
  Session state is established, time since change 00:26:44
114 Packets sent, 116 received
30446 Bytes sent, 29032 received
  Last clearing of show vpdn counters never
Receive packets dropped:
  out-of-order: 0
  total:0
Send packets dropped:
  exceeded session MTU: 1
  total:1
  Session vcid is 1234
  Session Layer 2 circuit, type is Ethernet, name is FastEthernet0/1
  Circuit state is UP
Remote session id is 22201, remote tunnel id 12358
  Session PMTU enabled, path MTU is 1500 bytes
  DF bit on, ToS reflect disabled, ToS value 0, TTL value 255
  No session cookie information available
  UDP checksums are disabled
  SSS switching enabled
  Sequencing is on
Ns 114, Nr 116, 0 out of order packets received
  Unique ID is 1

%No active PPTP tunnels

Upon looking further I could see the DF bit on which I believe would explain
the 1440 byte limit I hit.  But with that disabled I am puzzled or missing
something as to why I cannot fragment packets up to full 1500?   What am I
missing here?  Do I need to make MTU adjustments towards the FastE0/1
interface to force fragmentation before the l2tpv3 tunnel?

Thanks in advance,

Paul

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https

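The header arithmetic behind the two L2TPv3 MTU threads above (Ge's tcp-mss clamp at 1300, Paul's "exceeded session MTU" drop with PMTU on and the DF bit set, and the dot1q sub-interface xconnects in the VLAN thread), as an added example that is not code from the list, from Cisco or from any router. It assumes the RFC 3931 header sizes (4-byte session ID, 0/4/8-byte cookie, 4-byte L2-specific sublayer when sequencing is on), a 14-byte Ethernet header without FCS on the pseudowire, an assumed worst-case ESP tunnel-mode overhead for the IPsec variant, and that a dot1q attachment circuit keeps its 4-byte tag inside the pseudowire; the drop-versus-fragment behaviour is taken from the show output quoted above.

```python
"""L2TPv3 pseudowire MTU budget calculator (added example, not list code).

Assumptions, all stated in the lead-in: RFC 3931 L2TPv3-over-IP headers,
RFC 4719 Ethernet pseudowire (14-byte header, FCS stripped), an assumed
worst-case ESP tunnel-mode overhead (new IP 20 + SPI 4 + seq 4 + IV 16 +
pad 15 + pad-len 1 + next-hdr 1 + ICV 12 for AES-CBC/HMAC-SHA1), and a
4-byte 802.1Q tag carried when the attachment circuit is a dot1q sub-if.
"""
from dataclasses import dataclass

OUTER_IPV4 = 20
L2TPV3_SESSION_ID = 4
L2TPV3_L2_SUBLAYER = 4      # present when "sequencing" is configured
ETHERNET_HEADER = 14        # dst MAC + src MAC + ethertype, no FCS on the PW
DOT1Q_TAG = 4               # assumed to ride inside the PW for a dot1q sub-if
INNER_IPV4 = 20
TCP_HEADER = 20
ICMP_HEADER = 8
ESP_TUNNEL_WORST_CASE = 20 + 4 + 4 + 16 + 15 + 1 + 1 + 12   # assumed, see above


@dataclass(frozen=True)
class Pseudowire:
    """One L2TPv3 Ethernet xconnect as seen from the encapsulating PE."""
    path_mtu: int = 1500        # MTU of the IP path between the two PEs
    sequencing: bool = False    # "sequencing both" in the pseudowire-class
    cookie_size: int = 0        # 0, 4 or 8 bytes
    ipsec: bool = False         # pseudowire carried inside an ESP tunnel
    vlan_tag: bool = False      # attachment circuit is a dot1q sub-interface

    def __post_init__(self) -> None:
        if self.cookie_size not in (0, 4, 8):
            raise ValueError("L2TPv3 cookie must be 0, 4 or 8 bytes")

    def overhead(self) -> int:
        """Bytes the PE prepends to the customer Ethernet frame."""
        total = OUTER_IPV4 + L2TPV3_SESSION_ID + self.cookie_size
        if self.sequencing:
            total += L2TPV3_L2_SUBLAYER
        if self.ipsec:
            total += ESP_TUNNEL_WORST_CASE
        return total

    def inner_ip_mtu(self) -> int:
        """Largest customer IP packet that fits in one core packet."""
        frame_header = ETHERNET_HEADER + (DOT1Q_TAG if self.vlan_tag else 0)
        return self.path_mtu - self.overhead() - frame_header

    def tcp_mss(self) -> int:
        """Clamp value for the CE-facing hop so TCP never needs fragmenting."""
        return self.inner_ip_mtu() - INNER_IPV4 - TCP_HEADER

    def max_ping_payload(self) -> int:
        """Largest ICMP echo data size that crosses the PW unfragmented."""
        return self.inner_ip_mtu() - INNER_IPV4 - ICMP_HEADER

    def fate(self, inner_ip_len: int, pmtu_enabled: bool) -> str:
        """What the PE does with a customer IP packet of inner_ip_len bytes.

        With PMTU discovery on, the PE sets DF on the outer header, so an
        oversized packet cannot be fragmented in the core and is dropped
        (the 'exceeded session MTU' counter in 'show l2tun session').
        With PMTU off, the outer packet is fragmented instead.
        """
        if inner_ip_len <= self.inner_ip_mtu():
            return "forwarded"
        return "dropped" if pmtu_enabled else "fragmented"

    def mss_clamp_is_safe(self, clamp: int) -> bool:
        """True when a proposed adjust-mss value leaves room for this PW's headers."""
        return clamp <= self.tcp_mss()


def budget(pw: Pseudowire) -> dict:
    """Summarise the MTU budget for one pseudowire as plain numbers."""
    return {
        "overhead": pw.overhead(),
        "inner_ip_mtu": pw.inner_ip_mtu(),
        "tcp_mss": pw.tcp_mss(),
        "max_ping_payload": pw.max_ping_payload(),
    }


if __name__ == "__main__":
    # Constructed inputs: the sequenced, cookie-less PW from the thread above,
    # the same PW inside IPsec, and a dot1q sub-interface xconnect.
    cases = {
        "l2tpv3": Pseudowire(sequencing=True),
        "l2tpv3+ipsec": Pseudowire(sequencing=True, ipsec=True),
        "l2tpv3 dot1q": Pseudowire(sequencing=True, vlan_tag=True),
    }
    for name, pw in cases.items():
        print(name, budget(pw), "mss 1300 safe:", pw.mss_clamp_is_safe(1300))
    print("1500-byte packet, PMTU on:", cases["l2tpv3"].fate(1500, True))
```

Ge's 1300-byte clamp is comfortably below the computed MSS even with the assumed IPsec overhead, while a full 1500-byte customer packet exceeds the budget on every variant.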