Re: [c-nsp] logging suppress duplicates

2020-09-28 Thread Ian Henderson
On 28 Sep 2020, at 1:38 pm, Eugene Grosbein  wrote:
> 
> Is it possible to enable suppression of duplicate lines in the logging buffer?
> Less preferably, disable this kind of messages altogether if it ends with "by 
> snmp" or even "from X.X.X.X by snmp”.

The term you’re looking for to filter logs in the buffer is ‘logging 
discriminator’.


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Cisco4k and assync serial

2015-11-10 Thread Ian Henderson
On 10 Nov 2015, at 9:29 PM, Saku Ytti  wrote:
> That is, no way to get assync ports on Cisco4k. So when Cisco29xx gets
> EOLd, there is no way to build OOB network with Cisco?

Buy OpenGear. :)



Re: [c-nsp] Spanning Tree works great - except when it doesn't

2015-10-16 Thread Ian Henderson
On 16 Oct 2015, at 11:23 AM, Lee  wrote:
> Does anyone know of a program that will check all of the trunk ports
> on switches for vlans allowed + vlans allowed and active on both sides
> of a trunk port?

Netdisco.


Re: [c-nsp] Alternate to TOR (4948)

2015-04-15 Thread Ian Henderson
On 15 Apr 2015, at 9:08 am, CiscoNSP List cisconsp_l...@hotmail.com wrote:
 
 Nexus 3000's ? (Option to do VPC with multiple 3000's in one rack back to 
 core/agg switches?)

Just installed two 3048's to replace a Cat65k/Sup2. Configured vPC with LACP 
towards switches, ESX, Filers and Windows machines. Very happy with them, very 
good price. Haven't thrashed them particularly hard - just simple L2 - but it 
seems to 'just work'.

Rgds,


- I.

Re: [c-nsp] OOB Device for remote DC's

2014-09-02 Thread Ian Henderson
On 2 Sep 2014, at 11:52 am, CiscoNSP List cisconsp_l...@hotmail.com wrote:
> We historically have just used Cisco 2511's with standard modem attached, but 
> are finding it increasingly difficult to source modems - Can anyone recommend 
> an alternative(reliable) OOB device? (Built in modem + 4G as backup?)

Can’t recommend OpenGear highly enough. The IM7200 offers dual power, dual 
Ethernet, 3G/4G, Wifi, PSTN, 8/16/32/48 serial, software selectable cable 
rollover, OpenVPN, SSH, Linux under the hood, great support, the list goes on.


Re: [c-nsp] Transparent WAN Encryption

2014-02-03 Thread Ian Henderson
On 4 Feb 2014, at 10:30 am, Benny Amorsen benny+use...@amorsen.dk wrote:

> Does that actually work over WAN links that are not just plain optical
> paths? I have been wondering if you can get MacSec to work over EoMPLS.

It ‘just worked’ in the lab over EoMPLS, but I haven’t experienced it in 
production.





Re: [c-nsp] Transparent WAN Encryption

2014-02-02 Thread Ian Henderson
On 3 Feb 2014, at 8:10 am, Antonio Soares amsoa...@netcabo.pt wrote:

> I'm looking for the simplest way to do it. Most customers have L2
> connections between Data Centers. The edge device controlled by the customer
> is a Layer 2 Switch. The mechanisms like IPSec, GETVPN, FlexVPN, and so on,
> need a router in the edge. This implies modification of the customer's
> topologies. L2 encryption seems the perfect solution and it seems there are
> several options on the market.

What about MacSec? Works between 3560X/4500/4500X/Sup2T/etc for wire rate L2 
encryption.

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/15.1/XE_330SG/configuration/guide/swmacsec.html#wp1334072 says:

This example shows how to configure Cisco TrustSec authentication in manual 
mode on an interface:
Switch# configure terminal
Switch(config)# interface tengiigabitethernet 1/1/2
Switch(config-if)# cts manual 
Switch(config-if-cts-manual)# sap pmk 1234abcdef mode-list gcm-encrypt null no-encap
Switch(config-if-cts-manual)# no propagate sgt
Switch(config-if-cts-manual)# exit 
Switch(config-if)# end

(It's a copy and paste, even the typos ;)).

Rgds,


- I.


Re: [c-nsp] Mac Security

2013-10-20 Thread Ian Henderson
On 20/10/2013, at 10:39 PM, naresh reddy nareshbt...@yahoo.com wrote:

> is it possible to use macsec traffic for a non supported switch

Yep, MacSec just looks like another protocol on top of Ethernet. I had it 
running in the lab between two 4500s with an EoMPLS VC between them. Keep MTU 
in mind.

4507R+E/Sup7E[ce1] -- 7606/Sup32[pe1] --MPLS-- 7606/Sup32[pe2] -- 4507R+E/Sup7E[ce2]

interface GigabitEthernet1/1
 description EoMPLS to ce2
 no switchport
 ip address 10.2.2.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip ospf network point-to-point
 ip ospf dead-interval minimal hello-multiplier 5
 ip ospf 1 area 0
 cts manual
  no propagate sgt
  sap pmk DEADBEEF mode-list gcm-encrypt
end




Re: [c-nsp] How to tell what routes are not in CEF and follow DEFAULT path?

2013-07-02 Thread Ian Henderson
On 03/07/2013, at 6:19 AM, Jeffrey G. Fitzwater jf...@princeton.edu wrote:

> I would like to find out what routes are NOT in my route table and therefore 
> follow the DEFAULT path to 0.0.0.0.

Take a copy of the DFZ BGP table from 
http://archive.routeviews.org/oix-route-views/, take a copy from your router, 
cut out the routes column, then diff them to see what routes you don't have?

I'm assuming you're doing this as a precursor to removing the default route, to 
verify that you have an entire DFZ table?

Rgds,



- I.
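As an added illustration (not code from the thread), this Python script does the diff Ian describes and goes one step further: it extracts the Network column from two 'show ip bgp' style dumps (the layout the route-views oix snapshots use), coping with extra-path lines, classful prefixes printed without a mask and wrapped AS paths, then separates prefixes that are merely missing from those with no covering less-specific either, which are the only ones that actually fall through to the default route. Both dumps are constructed samples using documentation ranges.

```python
import ipaddress

# Constructed sample in the layout of a Cisco 'show ip bgp' dump (the layout
# the route-views oix snapshots use). Addresses and ASNs come from the
# documentation ranges; this is not real routing data.
DFZ_DUMP = """\
BGP table version is 1, local router ID is 192.0.2.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 192.0.2.0/24     192.0.2.2                              0 64496 i
*> 198.51.100.0/24  192.0.2.2                              0 64496 64500 i
*                   192.0.2.3                              0 64497 64500 i
*> 198.51.100.128/25 192.0.2.2                             0 64496 64501 i
*> 203.0.113.0      192.0.2.3                              0 64497 64502 i
*> 203.0.113.64/26  192.0.2.3                              0 64497 64503 64504
                                                             64505 i
"""

# Constructed sample of the local router's table; three DFZ prefixes are absent.
LOCAL_DUMP = """\
   Network          Next Hop            Metric LocPrf Weight Path
*> 192.0.2.0/24     192.0.2.2                              0 64496 i
*> 198.51.100.0/24  192.0.2.2                              0 64496 64500 i
"""

# First column of a route line: valid / suppressed / damped / history / RIB-failure.
STATUS_CHARS = "*sdhr"


def classful_prefixlen(addr):
    """IOS prints classful networks without a mask; recover the implied length."""
    first_octet = int(addr.split(".")[0])
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    return 24


def parse_bgp_networks(dump):
    """Return the set of IPv4 networks in the Network column of a 'show ip bgp' dump.

    Handles the layout quirks that break a naive split: extra-path lines with a
    blank Network column, classful prefixes printed without a mask, and AS-path
    continuation lines that carry no network at all.
    """
    networks = set()
    for line in dump.splitlines():
        # Route lines start with a status code and the Network column begins at
        # index 3; a blank there means an additional path for the previous net.
        if len(line) < 4 or line[0] not in STATUS_CHARS or line[3] == " ":
            continue
        token = line[3:].split()[0]
        if "/" not in token:
            token = f"{token}/{classful_prefixlen(token)}"
        try:
            networks.add(ipaddress.IPv4Network(token, strict=False))
        except ValueError:
            continue  # IPv6 or something that is not a prefix
    return networks


def is_covered(prefix, table):
    """True if prefix itself, or any less-specific route covering it, is in table."""
    net = prefix
    while True:
        if net in table:
            return True
        if net.prefixlen == 0:
            return False
        net = net.supernet()


def default_route_dependents(local_dump, dfz_dump):
    """Return (missing, uncovered): DFZ prefixes absent from the local table, and
    the subset with no covering less-specific either, i.e. the destinations
    that can only be reached via the default route."""
    local = parse_bgp_networks(local_dump)
    dfz = parse_bgp_networks(dfz_dump)
    missing = sorted(dfz - local)
    uncovered = [p for p in missing if not is_covered(p, local)]
    return missing, uncovered


if __name__ == "__main__":
    missing, uncovered = default_route_dependents(LOCAL_DUMP, DFZ_DUMP)
    print("not in local table:", [str(p) for p in missing])
    print("reachable only via default:", [str(p) for p in uncovered])
```

With the samples above, 198.51.100.128/25 is missing locally but still covered by 198.51.100.0/24, so only the two 203.0.113.x prefixes depend on the default route.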





Re: [c-nsp] VSS to vPC - vPC to Etherchannel

2013-03-19 Thread Ian Henderson
On 17/03/2013, at 11:23 AM, Jeff Kell jeff-k...@utc.edu wrote:

> We had been doing PAgP on Cisco-to-Cisco, but leaning toward LACP today
> for anything that supports it. 

In our VSS clusters (Sup2T), we're using PAgP where possible, and LACP to 
everything else. PAgP offers dual-active detection for VSS that LACP can't. 
Yes, I'd love to have one protocol that worked for everything. No, it's never 
going to happen. 

Rgds,



- I.


Re: [c-nsp] Switch lights rapid blinking

2013-01-29 Thread Ian Henderson
On 29/01/2013, at 6:17 AM, Michael Sprouffske msprouff...@yahoo.com wrote:

> Can someone please point me in the right direction to correct this issue.  I 
> came into a network that is using the default vlan and for about 2 weeks now, 
> every switch and port is rapidly blinking.  I looked at wireshark and don't 
> see anything out of the ordinary.  I also checked for loops in the network 
> and don't see any.  Is there some tool I can use to track down what is 
> causing this?  I'm running cisco 2960's all over.


I don't have any proof, but I've got a feeling that newer Cisco kit has 
'slowed' the blinking, so that even at much higher pps, the rate of blinking is 
the same. Maybe this is making it look worse than it really is?


Re: [c-nsp] VPDN stop dialins

2012-10-16 Thread Ian Henderson
On 16/10/2012, at 6:09 PM, Ali Sumsam ali+cisco...@eintellego.net wrote:

> Can I stop getting more connections to my LNS without dropping the existing
> ones by removing accept-dialin from the config.

The command you're looking for is 'vpdn softshut'.

http://www.cisco.com/en/US/docs/ios/vpdn/configuration/guide/vpdn_tunnel_mgmt.html#wp1089078


Re: [c-nsp] IOS archive in addition to RANCID

2012-10-10 Thread Ian Henderson
On 10/10/2012, at 8:16 PM, Phil Mayers p.may...@imperial.ac.uk wrote:

> TBH I'm not really sure what you're asking.

Yep, sorry, that was a bit of a brain dump. :) Thanks for your comments. This 
basically tells me that archive doesn't have any super awesome features that we 
don't already get from RANCID, and that it's not completely solid yet (re 6500). 
Syslog command logging though is 100 times more convenient than TACACS for 
short term requirements, while TACACS+gzip+disk storage sorts out the long 
term/compliance requirements.

> Really? We use a home-grown system for this, and back up 1200 devices every 
> hour.

At the moment, ~rancid/var lives on NFS, and the machine does a bunch of other 
things that chew resources. I've got plans on improving this, but one disaster 
at a time. :)

Rgds,



- I.


[c-nsp] IOS archive in addition to RANCID

2012-10-09 Thread Ian Henderson
Hi folks,

I'm working on updating our base templates using some more modern features and 
am considering whether IOS' built-in configuration archiver/change logger has a 
place in our network.

Is anybody using the config archiver in addition to/in place of RANCID?
Syslog command logging in addition to/in place of TACACS?
Thoughts on pros/cons?
Are you using EEM to catch config changes that aren't followed by a 'wr mem'?
Any other neat tricks?

archive
 log config
  record rc
  logging enable
  logging size 200
  notify syslog contenttype plaintext
  hidekeys
 path tftp://tftp/Config-Archive/$h-$t
 write-memory

My thoughts so far:

* RANCID is a single solution that works for all vendors and all versions of 
IOS, no need for separate dirty hacks per vendor, but new vendor/device type 
maintenance can be tricky.

* With a sizeable RANCID installation, collection interval needs to be pushed 
out to 4 hours plus, which means we could miss changes within the interval. 

* RANCID does automated diff, having a directory full of router-datetime files 
isn't as easy to manipulate.

* TACACS command logging catches commands performed outside config mode.

* Having two methods ensures that if one method breaks, we still have useful 
logs/archives. This is particularly nice in our environment - if someone 
deploys hardware without following procedure of adding it to the database that 
runs RANCID, it still gets config collection (plus they get a bonus larting, 
but that's another story…).

Any additional insight?

Rgds,




- I.


[c-nsp] OSPFv3 in VRF

2012-08-18 Thread Ian Henderson
Hi folks,

Does anyone have any updated news from Cisco on when OSPFv3 will be supported 
within a VRF (lite, no MPLS) on the Sup2T? The most recent info I can find is 
from April.

TIA,



- I.


[c-nsp] NETCONF replacing SNMP

2012-03-29 Thread Ian Henderson
Hi folks,

We've recently deployed some 4500/Sup7Es - pretty cool box, but we've run into 
problems with our network monitoring system. With the dual core architecture of 
the Sup7E, SNMP no longer returns correct CPU utilisation values. Cisco 
suggested using the old school SNMP MIB for the 7500 and similar, but it 
doesn't return multiple counters.

root@monitor1:~# snmpwalk -v2c -c com switch1 .1.3.6.1.4.1.9.9.109.1.1.1.1.5
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.5.3000 = Gauge32: 17
root@monitor1:~#

The TAC lodged a bug for this (CSCti07144), but that doesn't really help me 
now. Had a chat with a few of the folks at Cisco Live in Melbourne last week, 
the general consensus is that bugs in SNMP won't be fixed anymore, and that we 
should be using NETCONF.

OK, cool, I'm happy with that, but I can't actually find very much useful stuff 
about NETCONF at all. We're a Nagios/OSS/homegrown shop, so I've got no 
problems integrating it, but it still seems very much at the 'here's a 
prototype library' stage.

Are there any monitoring packages that actually do it? Is anyone using it as a 
general NMS platform for things like CPU > x%?

Thanks all,



- I. 


Re: [c-nsp] Interpreting DOM outputs

2012-01-02 Thread Ian Henderson
On 01/01/2012, at 3:52 AM, Robert Hass wrote:

> Tx Power '-4.9' better than '-6.9' (i.e. signal is stronger if TX
> Power is '-4.9' comparing to '-6.9')

This brilliant NANOG talk will help explain power loss over fibre, amongst 
other optical topics.

http://www.nanog.org/meetings/nanog48/presentations/Sunday/RAS_opticalnet_N48.pdf





Re: [c-nsp] Loopback IP set to .255 - 6500 responds to ICMP echo-request from wrong interface

2012-01-01 Thread Ian Henderson
On 01/01/2012, at 4:33 PM, Eric Rosenberry wrote:

> When pinging the loopback IP's of these devices from the Internet, one
> responds as expected (from the IP of the loopback), and the other (.255)
> responds from a *different* IP address (one of its interface IP's rather
> than the loopback IP).

Yep, ran into this one a few years ago. It's not just ping, SNMP does it too. 
TAC support request tool is offline at the moment, so I can't look up the bug 
ID, but we eventually just made a rule to never use .255/32 for loopbacks 
(along with .0/31 and .254/31 to avoid Windows users complaining about failed 
traceroutes…).

Rgds,



- I.


Re: [c-nsp] Telnet session dropped

2011-12-27 Thread Ian Henderson
On 27/12/2011, at 8:08 AM, Roy wrote:

> I use RANCID on a number of routers.  About five days ago, it started 
> failing on three routers.  If I manually connect to these routers, it seems 
> to work for a minute or so and then the telnet session gets disconnected.  
> The disconnect only occurs during a data transfer such as show conf

If it only dies on large command outputs, it's an MTU problem.


Re: [c-nsp] Large number of arp entries on 2960G

2011-10-02 Thread Ian Henderson
On 03/10/2011, at 1:09 PM, John Elliot wrote:

> interface vlan11 - all entries appear to be random IP's, in that they are 
> routes(IP's) learned from upstream bgp peering sessions and also some from 
> our internal ospf...none of these bgp sessions or ospf are running in dot1q 
> vlan11

Smells like one of the devices is doing Proxy ARP. This is usually bad, 
particularly if it's trying to ARP for all hosts on the Internet - it will 
drive up CPU and memory usage.




Re: [c-nsp] Anyone using 2960-C or 3560-C compact catalyst switches?

2011-09-27 Thread Ian Henderson
On 22/09/2011, at 11:20 PM, Herro91 wrote:

> Wondering if anyone out there is using 2960C or 3560C and has feedback on
> them? We are considering them for different environments where we need
> dedicated switches, but a max of 8-10 ports is all week - 24 ports is way
> overkill, not to mention the cost on the 3750s.

I've got a 3560CG-8PC-S on my desk. Runs like a trooper, been very pleased with 
it. It's quiet, it fits into an office environment, it's solidly built. 

Our main fleet of switches are 3560-48PS, so I'm a little concerned that it may 
not behave exactly the same when testing some of the more esoteric dot1x 
features, due to the C running EX train, while the larger units run SE. This is 
just a niggle though, I haven't found any actual issues.





Re: [c-nsp] ME 3600X questions

2011-09-02 Thread Ian Henderson
On 02/09/2011, at 5:45 PM, Arie Vayner (avayner) wrote:

> Why do you want to do this?
> What is the objective?
> 
> If these are 2 back-to-back switches, why not just switch?

A 'very long patch panel' (whatever comes in, goes out) service? Have done this 
with both QinQ/L2PT (3750G) and EoMPLS (Juniper EX4200).


Re: [c-nsp] ASA VPN with Local CA on the ASA

2011-08-17 Thread Ian Henderson
On 18/08/2011, at 2:54 AM, Jay Nakamura wrote:

> information they store.  But don't have the budget nor resources to
> keep up the current RSA SecureID server which is a bit overkill for
> them.  They thought certificate based auth will be not as good as
> SecureID but better than just user/pass.

There are one-time-password solutions other than SecureID. Check out yubico.com 
- simple, open source software, cheap hardware ($25USD per user), install your 
own AES keys (avoids the recent SecureID hack).


Re: [c-nsp] authentication host-mode multi-auth configuration on cisco 2960

2011-07-14 Thread Ian Henderson
On 15/07/2011, at 3:05 AM, pamela pomary wrote:

> I want to be able to authenticate the IP Phone via MAC address by-pass and
> authenticate the PC that connects to the LAN port of the IP Phone via dot1x
> using authentication host-mode multi-auth. How can I achieve that. 

Use 'host-mode multi-domain' for a phone plus PC. 'multi-auth' is for using a 
dumb switch (multiple devices, only one of which will be authenticated to open 
the entire port).





Re: [c-nsp] L2 Ethernet bridging over GRE issues

2011-01-27 Thread Ian Henderson
On 28/01/2011, at 5:17 AM, Roger Wiklund wrote:

> I've setup a GRE tunnel from Router A to Router B.
> I've configured bridging between Tunnel0 and LAN interface on Router A
> and Router B

While this is possible, it's ten times easier and more reliable to use L2TPv3.




Re: [c-nsp] Console server

2011-01-01 Thread Ian Henderson
On 02/01/2011, at 2:58 PM, Aaron wrote:

> You can get SSH for 2511. Use 12.0s.

And be prepared to wait a day or two for your session to connect. 



Re: [c-nsp] Backup Interface IPv6 - why is Cisco sleeping?

2010-12-15 Thread Ian Henderson
On 15/12/2010, at 1:54 AM, Garry wrote:

> I'm really starting to
> wonder whether we're the only ones on this earth still using a dual
> switch config for our routers for redundancy purposes ...

So you're using backup interface for two Ethernet interfaces, both facing the 
same switched network? Cool - haven't seen backup interfaces since they were 
used to dial ISDN terminal adaptors. Is anyone else out there doing this? Out 
of curiosity, what kind of failover time do you get for IPv4? Does it swap the 
MAC address too? 

While I'm on the topic, what are folks' thoughts on setting up a BVI on a 
router connecting to two separate switches in the same switched network? It's 
always seemed a bit hacky to me. What are the performance implications on a CPU 
based platform (7200, etc)?

Of course, a routing protocol with link state would be optimal, but you've got 
to plug those server kids in somewhere. :)

Rgds,



- I.


[c-nsp] New Cisco website

2010-09-25 Thread Ian Henderson
It's blue now. The front page is pretty, but, yet again, Cisco have ignored some 
of the biggest problems on their site.

- The login cookie doesn't actually work. Login on the front page doesn't log 
you in to ordering support. This happens on various different tools/pages.

- Pages even one level deep from the front page haven't been reskinned.

- It's slow as hell.

- Downloads are impossible to get to, and complicated.

Rgds,



- I.


Re: [c-nsp] Cisco 2600 with async NM-32 sending wrong characters

2010-06-02 Thread Ian Henderson

On Wed, 2 Jun 2010, Youssef Bengelloun-Zahr wrote:


>   User-Name = *CONS2.IX1 ### Login failed*


Do you have 'no exec' configured under the async line stanza on CONS1 and 
CONS2? The config you posted is for CONS3, which does have it configured.



line 33 64
 exec-timeout 0 0
 no exec
 transport input all
 escape-character 3
 stopbits 1


Rgds,


- I.


Re: [c-nsp] USB to Serial Converter recommendation

2010-04-21 Thread Ian Henderson

On Wed, 21 Apr 2010, Chris Boyd wrote:

> +1 for the USA-19HS.  Had mine about 4 years now, and it just keeps 
> working despite rattling around in my bag all that time.


Agreed, same. I prefer screen over minicom though - 'screen 
/dev/tty.KeySerial1' and it just works.


Rgds,



- I.


[c-nsp] 3560 leaking broadcasts

2010-03-09 Thread Ian Henderson


Hi folks,

Has anyone ever seen broadcasts leaking from an SVI into a layer 3 
interface on a 3560?


We've got a managed Ethernet link between a 3560G-48TS (Auckland, 
12.2(50)SE1 IP Services) and a 3750G-24TS (Sydney, 12.2(53)SE IP Services) 
configured as a /31 layer 3 interface on both sides. The link runs OSPF in 
area 64, and PIM sparse mode. Both Sydney and Auckland have a number of 
SVIs.


[Hosts] -- VLAN 11 -- SVI11[Sydney]L3 -- /31 link -- L3[Auckland]

Sydney config:
interface GigabitEthernet1/0/25
 description Auckland:Gi0/47
 no switchport
 ip address x.x.x.193 255.255.255.254
 no ip redirects
 no ip proxy-arp
 ip pim sparse-mode
 ip ospf cost 50
 speed nonegotiate
 priority-queue out
 service-policy input SET-DSCP-TRUST

Auckland config:
interface GigabitEthernet0/47
 description Sydney:Gi1/0/25
 no switchport
 ip address x.x.x.192 255.255.255.254
 no ip redirects
 no ip proxy-arp
 ip pim sparse-mode
 ip ospf cost 200
 speed 100
 duplex full
 priority-queue out
 service-policy input SET-DSCP-TRUST

On the Auckland 3560, OSPF constantly reports a mismatched area ID, even 
though the area 64 session is up. PIM shows two neighbors, even though it's 
a point to point link. The IP address listed in both messages is the 
Sydney 3750's Vlan11 address.


Mar 10 19:53:14.662 NZDT: %OSPF-4-ERRRCV: Received invalid packet:
mismatch area ID, from backbone area must be virtual-link but not found
from x.x.x.138, GigabitEthernet0/47

Auckland#show ip pim nei
PIM Neighbor Table
Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority,
      P - Proxy Capable, S - State Refresh Capable
Neighbor          Interface                Uptime/Expires    Ver   DR
Address                                                            Prio/Mode
x.x.x.138         GigabitEthernet0/47      02:25:20/00:01:20 v2    1 / S P
x.x.x.193         GigabitEthernet0/47      02:25:21/00:01:37 v2    1 / DR S P

Some debugging revealed something odd - when performing 'show mac- address 
' on the internally assigned VLAN for Gi1/0/25 on Sydney, I see MAC 
addresses listed against VLAN 11.


Sydney#show vlan int usage

VLAN Usage
---- --------------------
1006 GigabitEthernet1/0/3
1007 GigabitEthernet1/0/25

Sydney#show mac- vlan 1007
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.        STATIC      CPU
 All    0100.0ccc.cccd    STATIC      CPU
 All    0180.c200.        STATIC      CPU
 All    0180.c200.0001    STATIC      CPU
 All    0180.c200.0002    STATIC      CPU
 All    0180.c200.0003    STATIC      CPU
 All    0180.c200.0004    STATIC      CPU
 All    0180.c200.0005    STATIC      CPU
 All    0180.c200.0006    STATIC      CPU
 All    0180.c200.0007    STATIC      CPU
 All    0180.c200.0008    STATIC      CPU
 All    0180.c200.0009    STATIC      CPU
 All    0180.c200.000a    STATIC      CPU
 All    0180.c200.000b    STATIC      CPU
 All    0180.c200.000c    STATIC      CPU
 All    0180.c200.000d    STATIC      CPU
 All    0180.c200.000e    STATIC      CPU
 All    0180.c200.000f    STATIC      CPU
 All    0180.c200.0010    STATIC      CPU
 All    ..                STATIC      CPU
  11    0012.80bf.1718    DYNAMIC     Gi1/0/24
  11    0012.80bf.1743    DYNAMIC     Gi1/0/24
  11    0015.c695.b495    DYNAMIC     Gi1/0/1
  11    0015.c6fa.1e35    DYNAMIC     Gi1/0/24
Total Mac Addresses for this criterion: 24

Sydney#show run int vlan11
Building configuration...

Current configuration : 185 bytes
!
interface Vlan11
 description ASA Network
 ip address x.x.x.138 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip pim sparse-mode
 ip ospf cost 5
end

I quickly threw it together in the lab and couldn't ping between a host on 
the VLAN and Auckland, so I suspect it's broadcast/multicast traffic only.


Hunting around the network, this appears to happen on every 3560, 3560E, 
and 3750 I could find. 6500 Sup720 doesn't seem to be impacted. Other than 
the error message (which is uncommon, most links are in the same OSPF 
area) and the PIM neighbors (new rollout), I can't see anything that's 
actually causing a problem. Although I'm concerned if there's a broadcast 
storm, we may exhaust bandwidth on routed links.


So, has anyone seen this before? Is it a bug or design limitation on the 
3560/3750 platform? Is there any other way to make layer 3 interfaces 
work other than a hardware upgrade?


Thanks,



- I.
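An added check, not part of the post above, that automates the diagnosis it walks through: it pulls each routed interface's subnet from the config, parses 'show ip pim neighbor' output and %OSPF-4-ERRRCV syslog lines, and flags any neighbour or packet source that sits outside the link's own subnet, which on a point-to-point /31 can only be traffic leaked onto the routed port from elsewhere. All inputs are constructed samples, with documentation-range addresses standing in for the x.x.x.x ones in the post.

```python
import ipaddress
import re

# Constructed samples modelled on the outputs in the post. The real addresses
# were masked as x.x.x.x there, so documentation-range addresses stand in for
# them; nothing here was captured from a live device.
AUCKLAND_CONFIG = """\
interface GigabitEthernet0/47
 description Sydney:Gi1/0/25
 no switchport
 ip address 192.0.2.192 255.255.255.254
 ip pim sparse-mode
 ip ospf cost 200
"""

PIM_NEIGHBOR_TABLE = """\
PIM Neighbor Table
Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority,
      P - Proxy Capable, S - State Refresh Capable
Neighbor          Interface                Uptime/Expires    Ver   DR
Address                                                            Prio/Mode
192.0.2.138       GigabitEthernet0/47      02:25:20/00:01:20 v2    1 / S P
192.0.2.193       GigabitEthernet0/47      02:25:21/00:01:37 v2    1 / DR S P
"""

SYSLOG_LINES = """\
Mar 10 19:53:14.662 NZDT: %OSPF-4-ERRRCV: Received invalid packet: mismatch area ID, from backbone area must be virtual-link but not found from 192.0.2.138, GigabitEthernet0/47
Mar 10 19:53:20.101 NZDT: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


def routed_links(config):
    """Map each interface carrying an 'ip address' line to its IPv4Interface."""
    links, name = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(rf"^\s+ip address {IPV4} {IPV4}$", line)
        if m and name:
            # ipaddress accepts a dotted netmask after the slash
            links[name] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return links


def pim_neighbors(table):
    """(interface, neighbor address) pairs from 'show ip pim neighbor' output."""
    pairs = []
    for line in table.splitlines():
        m = re.match(rf"^{IPV4}\s+(\S+)\s", line)  # header lines never match
        if m:
            pairs.append((m.group(2), ipaddress.IPv4Address(m.group(1))))
    return pairs


def ospf_errrcv_sources(syslog):
    """(interface, source address) pairs from %OSPF-4-ERRRCV messages."""
    pairs = []
    for line in syslog.splitlines():
        # greedy '.*' lands on the final 'from <addr>, <interface>' of the message
        m = re.search(rf"%OSPF-4-ERRRCV:.* from {IPV4}, (\S+)\s*$", line)
        if m:
            pairs.append((m.group(2), ipaddress.IPv4Address(m.group(1))))
    return pairs


def off_link_sources(links, observed):
    """Sources seen on an interface whose address is outside that link's subnet.

    On a /31 the only legitimate neighbour is the other address of the pair, so
    anything else reached the routed port from another segment.
    """
    flagged = set()
    for ifname, addr in observed:
        link = links.get(ifname)
        if link is not None and addr not in link.network:
            flagged.add((ifname, str(addr)))
    return sorted(flagged)


if __name__ == "__main__":
    links = routed_links(AUCKLAND_CONFIG)
    seen = pim_neighbors(PIM_NEIGHBOR_TABLE) + ospf_errrcv_sources(SYSLOG_LINES)
    for ifname, addr in off_link_sources(links, seen):
        print(f"{ifname}: {addr} is outside {links[ifname].network}")
```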


Re: [c-nsp] DS3 over STM1

2010-02-27 Thread Ian Henderson

On Tue, 12 Jan 2010, Ian Henderson wrote:

> The new carrier has provisioned a 45Mbit clear channel service with a 
> DS3 at the remote site, and a channelised STM1 at the head office. I 
> can't seem to find a combination of router/card/mux to make this work.


For the archives, we got this working using an Adtran Opti-6100 for about 
$5k AUD. It uses an E3M3B card to connect to the head office PA-2T3+, with 
an OMM3VIR card to connect to the carrier's STM1. Mapping the VC3 to the 
physical DS3 interface is simply a matter of selecting the inbound circuit 
on the left side of the screen, and the outbound circuit on the right side 
of the screen.


Rgds,



- I.


[c-nsp] DS3 over STM1

2010-01-12 Thread Ian Henderson


Hi all,

I'm in the process of moving one of our remote offices from one carrier to 
another. At the moment we have an L3VPN terminating GigE at the remote 
end on a 7301 and DS3 on a G1 with PA-2T3 at the head office. Link does 
10Mbit about half split between voice and data.


The new carrier has provisioned a 45Mbit clear channel service with a DS3 
at the remote site, and a channelised STM1 at the head office. I can't 
seem to find a combination of router/card/mux to make this work.


- Cisco 7200 with PA-MC-STM1 can't channelise larger than E1.

- Cisco 7600 with SPA-1XCHSTM1/OC3 can do it according to the spec sheet 
for the SPA, but is incredibly over-speced and pricey.


- Adtran Opti-3 is SONET/OC3 only (but I can't find confirmation of this).

- Juniper M7i with STM1 IQ PIC can't channelise larger than E1.

- Juniper M7i with OC3 IQ PIC can channelise DS3, but doesn't do SDH 
framing for STM1.


- The carrier suggested re-engineering the service to deliver 21 E1s and 
run MLPPP over them. The data sheet for the PA-MC-T3-EC indicates MLPPP is 
only possible in hardware up to 12 T1s. I doubt MLPPP in software would 
perform at all, let alone perform well.


I've never worked with channelised services more complicated than DS0s in 
an E1, so I've got a few questions:


- Has anyone ever done this? What config/hardware did you use?

- Are there any muxes/converters/router interfaces that can do this at the 
~20Mbit end of the market?


- Does the Adtran support intermixing of SONET and SDH (DS3 over STM1)?

Many thanks,




- I.


Re: [c-nsp] PXE not working on Cat2948

2010-01-08 Thread Ian Henderson

On Fri, 8 Jan 2010, Jens Neu wrote:

> Anyone seen this before? Any hints where to start looking? The switch 
> looks as follows:


Sounds like you need to enable spanning-tree portfast on the interfaces 
towards the PXE clients. This reduces the link up delay from 50 seconds to 
about 3. If the switch doesn't forward traffic quickly enough, the NIC may 
time out and decide PXE is unavailable.


Rgds,



- I.


Re: [c-nsp] Cisco VPN and 64 bit Windows

2009-12-09 Thread Ian Henderson

On Wed, 9 Dec 2009, Marc Haber wrote:


> What are the (dis)advantages of anyconnect?


- It works in more places than IPSec - mostly hotels with dodgy firewalls.

- It's easier to configure for the user. Send them to a URL, enter username 
and password, and the client downloads, installs and configures itself.


- I'm not 100% keen on the Mac client. It's clunky and obtrusive. Apple 
only just got around to including IPSec under Snow Leopard, and have had 
it on the iPhone for ages. But getting the Apples of the world to include 
Cisco SSL? By then we'll have yet another VPN technology. The Windows 
client is a bit better.


- Modifying VPN filter lists using the IPSec client on the ASA was 
instant. Anyconnect/SSL requires a reconnect for access-list changes to 
apply.


Rgds,



- I.


Re: [c-nsp] Metro Ethernet Switches

2009-11-24 Thread Ian Henderson

On Tue, 24 Nov 2009, Mohammad Khalil wrote:

> the tacacs could not work well as it was in the previous image even 
> though I had the same configuration. Any thoughts?


Try adding the plaintext key again ('tacacs-server key xxx'). I've seen 
some IOS upgrades need it re-obfuscated to make it work. Just copy/pasting 
the existing obfuscated key won't work.



Re: [c-nsp] BPDU Guard issue

2009-11-03 Thread Ian Henderson

On Tue, 3 Nov 2009, Stanly Johns wrote:

Is it possible for a BPDU guard enabled switch port to get disabled 
without connecting any other device than the IP Phone and a PC? I had 
to do a shut and no shut to bring it up!


I've run into this - Virtualbox uses Windows bridging to handle 
networking which runs spanning-tree. Google shows the answer as:


You can prevent the Bridge from forwarding packets by editing the 
registry. In your favorite registry editor, navigate to the following key:


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BridgeMP

Create a new DWORD value and name it DisableForwarding. Double click the 
new entry and set its value to 1. You'll need to reboot to apply the 
change. You can disable the Spanning Tree Algorithm in a similar manner, 
by creating a DWORD value in the same key called DisableSTA and setting 
its value to 1.


http://articles.techrepublic.com.com/5100-22_11-5569815.html via 
http://forums.virtualbox.org/viewtopic.php?f=6&t=6264&start=0.


Rgds,




- I.
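
A way to spot this pattern in the switch syslog, added here as an example and not part of the original reply: it parses %PM-4-ERR_DISABLE messages and flags an access port that BPDU guard has err-disabled more than once, which is what you see when the offending host (a PC running a software bridge, as above) keeps sending BPDUs after the port is shut/no shut. The syslog lines are constructed for the example; the hostnames, ports and timestamps are made up.

```python
import re
from collections import Counter

# Constructed sample syslog lines for this example (not from the original post).
# The message formats follow the IOS SPANTREE and PM facilities; hostnames,
# ports and timestamps are made up.
SAMPLE_SYSLOG = """\
<189>sw-floor3: Nov  3 09:12:01.115: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/7 with BPDU Guard enabled. Disabling port.
<188>sw-floor3: Nov  3 09:12:01.119: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/7, putting Fa0/7 in err-disable state
<187>sw-floor3: Nov  3 09:12:03.004: %LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to down
<188>sw-floor3: Nov  3 09:14:44.310: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/7, putting Fa0/7 in err-disable state
<189>sw-floor2: Nov  3 09:20:10.000: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi0/24 with BPDU Guard enabled. Disabling port.
<188>sw-floor2: Nov  3 09:20:10.002: %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/24, putting Gi0/24 in err-disable state
<188>sw-floor1: Nov  3 09:25:00.000: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/3, putting Fa0/3 in err-disable state
"""

# Optional syslog priority, hostname, IOS timestamp, then the PM err-disable text.
ERR_DISABLE_RE = re.compile(
    r'^(?:<\d+>)?(?P<host>[\w.-]+): '
    r'(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{3})?): '
    r'%PM-4-ERR_DISABLE: (?P<cause>[\w-]+) error detected on (?P<port>\S+), putting'
)


def parse_err_disable(lines, cause='bpduguard'):
    """Return one dict (host, ts, cause, port) per err-disable event with the given cause."""
    events = []
    for line in lines:
        m = ERR_DISABLE_RE.match(line)
        if m and m['cause'] == cause:
            events.append(m.groupdict())
    return events


def repeat_offenders(events, threshold=2):
    """(host, port) pairs err-disabled at least `threshold` times.

    A single BPDU guard trip is usually a mis-cabled switch. The same access
    port tripping again after being re-enabled points at the attached host
    itself still talking spanning tree, e.g. a software bridge on a PC.
    """
    counts = Counter((e['host'], e['port']) for e in events)
    return sorted(pair for pair, n in counts.items() if n >= threshold)


if __name__ == '__main__':
    evs = parse_err_disable(SAMPLE_SYSLOG.splitlines())
    for e in evs:
        print(f"{e['host']} {e['port']} err-disabled by {e['cause']} at {e['ts']}")
    print('repeat offenders:', repeat_offenders(evs))
```

Feed it the switch's syslog export (or a syslog collector's file) instead of the sample; raising the threshold or filtering on a different cause (psecure-violation, for example) is a one-argument change.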


Re: [c-nsp] TCP throughput /WAN delay simulation with back to back routers

2009-08-19 Thread Ian Henderson

On Wed, 19 Aug 2009, Thilak T wrote:

I am trying to test TCP throughput with different variables. I want to 
simulate a delay of approx. 45 msec between two test PCs connected to two 
back-to-back routers. How do we introduce an artificial delay when the 
actual delay is only 2-3 msec, using Cisco routers?


Riverbed introduced us to the Network Nightmare www.networknightmare.net. 
It's a neat little appliance using the FreeBSD dummynet stuff, without 
having to maintain it. Incredibly easy to use, although it's pricey if 
you've got the time/expertise to set up dummynet.


Their website is truly awful, but ordering/delivery was fast/easy.

Rgds,



- I.


Re: [c-nsp] IOS XR BFD

2009-07-03 Thread Ian Henderson
Nick 'tarantul' Novikov wrote on 2009-07-03:

 The question arises, why IOS XR can't run BFD with internal BGP peers
 (as old school IOS)?

Because it's assumed you're already using an IGP with which you can use it?


--
Ian Henderson, CCIE #14721
Senior Network Engineer, iiNet Limited




Re: [c-nsp] Automatically Synchronize IOS Router Configurations?

2009-04-22 Thread Ian Henderson
Felix Nkansah wrote on 2009-04-23:

 Among other things, their requirement is for their HSRP or GLBP routers
 to automatically synchronize their running configurations.

You could avoid the problem entirely, but still meet the objective by using VSS?

Rgds,



- I.

--
Ian Henderson, CCIE #14721
Senior Network Engineer, iiNet Limited




Re: [c-nsp] Not Allowing Vlan 1 on trunk ports

2009-01-18 Thread Ian Henderson
Hitesh Vinzoda wrote on 2009-01-18:

 Is there a way to suppress VLAN 1 from passing over a trunk link, because
 I'm not able to shut down the L2 VLAN 1.

It depends on the platform and IOS version. If it works, you'll be able to just 
use a 'switchport trunk allowed vlan 2,5,6-8' or similar. If that command 
fails, it will tell you to include VLAN 1 and 1002-1005.

For example, this is on a 2950-24 running 12.1(9)EA1. A more modern IOS 
would work as intended (only trunking VLAN 2, 3, 4, 5):

switch-1(config)#int f0/1
switch-1(config-if)#switchport trunk allowed vlan 2-5
Command rejected: Bad VLAN allowed list.
VLANs 1,1002-1005 are required.
switch-1(config-if)#



Rgds,



- I.

--
Ian Henderson, CCIE #14721
Senior Network Engineer, iiNet Limited

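
An added example, not from the original reply, that audits a pasted IOS configuration for trunks still carrying VLAN 1. It expands the allowed-VLAN list syntax used above ('2,5,6-8' style ranges, plus the add/remove/except forms) and treats a trunk with no allowed list as carrying every VLAN, which is the IOS default. The sample configuration is constructed for the example.

```python
import re

# Constructed sample IOS configuration for this example (not from the original
# post). Fa0/3 and Gi0/1 use the configure-mode add/remove forms as well.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 2-5
!
interface FastEthernet0/2
 switchport mode trunk
!
interface FastEthernet0/3
 switchport mode trunk
 switchport trunk allowed vlan 1-4094
 switchport trunk allowed vlan remove 1,1002-1005
!
interface FastEthernet0/4
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport trunk allowed vlan add 1
"""

ALL_VLANS = frozenset(range(1, 4095))
ALLOWED_RE = re.compile(r'^switchport trunk allowed vlan(?: (add|remove|except))? (\S+)$')


def expand_vlan_list(spec):
    """Expand '2,5,6-8' into {2, 5, 6, 7, 8}; 'all' and 'none' are accepted too."""
    spec = spec.strip().lower()
    if spec == 'all':
        return set(ALL_VLANS)
    if spec == 'none':
        return set()
    vlans = set()
    for part in spec.split(','):
        part = part.strip()
        if not part:
            continue
        if '-' in part:
            lo, hi = (int(x) for x in part.split('-', 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def iter_interface_blocks(config_text):
    """Yield (interface name, [indented body lines]) for each interface stanza."""
    name, body = None, []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith('interface '):
            if name:
                yield name, body
            name, body = line.split(None, 1)[1], []
        elif name and line.startswith(' '):
            body.append(line.strip())
        elif name:            # '!' or any unindented line closes the stanza
            yield name, body
            name, body = None, []
    if name:
        yield name, body


def trunk_allowed_vlans(config_text):
    """Return {interface: set of allowed VLANs} for every interface in trunk mode."""
    trunks = {}
    for name, body in iter_interface_blocks(config_text):
        if 'switchport mode trunk' not in body:
            continue
        allowed = set(ALL_VLANS)          # IOS default: every VLAN is allowed
        for cmd in body:
            m = ALLOWED_RE.match(cmd)
            if not m:
                continue
            op, spec = m.groups()
            vlans = expand_vlan_list(spec)
            if op == 'add':
                allowed |= vlans
            elif op == 'remove':
                allowed -= vlans
            elif op == 'except':
                allowed = set(ALL_VLANS) - vlans
            else:
                allowed = vlans
        trunks[name] = allowed
    return trunks


def trunks_carrying_vlan1(config_text):
    """Sorted names of trunk interfaces whose allowed list still includes VLAN 1."""
    return sorted(name for name, vlans in trunk_allowed_vlans(config_text).items() if 1 in vlans)


if __name__ == '__main__':
    print('trunks still carrying VLAN 1:', trunks_carrying_vlan1(SAMPLE_CONFIG))
```

Run it over 'show running-config' output from each switch; on a platform that refuses to drop VLAN 1 (as the 2950 above does) the report tells you which trunks still carry it after the upgrade.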


Re: [c-nsp] ASR 9000

2008-11-12 Thread Ian Henderson
Pete Templin wrote on 2008-11-12:

 What vendor would think that operators would _want_ side to back?

One that wants operators to purchase the larger, more expensive chassis? :)





- I.

--
Ian Henderson, CCIE #14721
Senior Network Engineer, iiNet Limited




Re: [c-nsp] /31 network

2008-07-02 Thread Ian Henderson
Vikas Sharma wrote on 2008-07-02:

 has anyone used /31 network instead of /30? I believe this is
 recommended to use /31 network? Need expert comments.

Works fine. Just don't use x.x.x.0/31 or x.x.x.254/31 otherwise you'll get 
complaints from Windows users that traceroute no longer works.

--
Ian Henderson, CCIE #14721
Senior Network Engineer, iiNet Limited


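
An added example, not part of the original reply, that carves a block into /31 point-to-point links while skipping the x.x.x.0/31 and x.x.x.254/31 pairs mentioned above. It follows the same last-octet rule slightly more generally: any /31 whose addresses include a last octet of 0 or 255 is dropped, so on a block larger than a /24 the mid-block boundaries are skipped as well. 192.0.2.0/24 is the documentation range, used as constructed input.

```python
import ipaddress


def p2p_links(block, skip_zero_and_255=True):
    """Carve an IPv4 block into /31 point-to-point links.

    With skip_zero_and_255 set, any /31 whose addresses include a last octet
    of 0 or 255 is dropped. That covers the x.x.x.0/31 and x.x.x.254/31 pairs
    from the post above (one end lands on what Windows treats as a network or
    broadcast address); on blocks larger than a /24 the same octet boundaries
    occur mid-block and are skipped too.
    """
    net = ipaddress.ip_network(block, strict=True)
    if net.version != 4 or net.prefixlen > 31:
        raise ValueError('need an IPv4 block of /31 or larger')
    links = []
    for sub in net.subnets(new_prefix=31):
        low, high = sub[0], sub[1]
        if skip_zero_and_255 and ((int(low) & 0xFF) == 0 or (int(high) & 0xFF) == 255):
            continue
        links.append(sub)
    return links


def assign_links(block, link_names):
    """Give each named link the next usable /31; returns {name: (a_side, b_side)}."""
    pool = p2p_links(block)
    if len(link_names) > len(pool):
        raise ValueError(f'{len(link_names)} links requested but only {len(pool)} usable /31s in {block}')
    return {name: (str(sub[0]), str(sub[1])) for name, sub in zip(link_names, pool)}


if __name__ == '__main__':
    # Link names are made up for the example.
    plan = assign_links('192.0.2.0/24', ['core1-core2', 'core1-edge1', 'core2-edge1'])
    for name, (a, b) in plan.items():
        print(f'{name}: {a}/31 <-> {b}/31')
    print(len(p2p_links('192.0.2.0/24')), 'usable /31s in a /24;',
          len(p2p_links('192.0.2.0/24', skip_zero_and_255=False)), 'without the check')
```

The cost of the check is two /31s per /24 (126 usable instead of 128), which is still nearly twice what /30s give you.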


Re: [c-nsp] service unsupported-linecard

2007-11-09 Thread Ian Henderson
Kevin Graham  wrote on Saturday, 10 November 2007 7:44 AM:

   starting with the Cisco Catalyst 4500 with Cisco IOS Software
   Release 12.2(40)SG, the Supervisor Engine 6-E offers Quack
   support, which detects, disables, and logs counterfeit
   components. 

And what an awesome feature name.

-- 
Ian Henderson, CCIE #14721
Senior Network Engineer, iiNet Limited


Re: [c-nsp] Small 1U-2U DC powered fixed configuration switch

2007-08-21 Thread Ian Henderson
Patrick Muldoon wrote on Wednesday, 22 August 2007 1:51 AM:

 I thought the number of NNI Ports you can use is dependent upon
 image.  I think METROIPACCESS removes the limit.

We have a number of ME-3400G-12CS-D running METROIPACCESS with all 12
ports set to NNI just fine.

But for the original question, I'd suggest 2950-DC if you can order it.

-- 
Ian Henderson, CCIE #14721
Senior Network Engineer, iiNet Limited


Re: [c-nsp] Adequate RAM in 7206VXR/NPE-G1?

2007-04-15 Thread Ian Henderson
Rick Kunkel wrote on Saturday, 14 April 2007 6:43 AM:

 Another GigE port is taken by a 100 Mbps Ethernet connection to the
 Internet. 
 
 We get full routes from the upstream connected to the above port.

So there's only one Internet connection, right? Then why waste a whole
pile of RAM on routing tables you don't need? Just configure the session
to filter them until you need them in the future (second Internet link,
etc). Or do you need to send a full table to one of your customers?

Rgds,





- I.

-- 
Ian Henderson, CCIE #14721
Senior Network Engineer, iiNet Limited
