Re: [c-nsp] Physical Network TAP devices

2017-07-19 Thread Juergen Marenda
For the 1G thing, we use this one

http://www.pandacomdirekt.com/en/products/wdm/transponder-cards/267-gbps/2-channel-up-to-267gbps-3r.html

With that, we can put loops in (missing on, for example, Alcatel SAS) and
do the media conversion (WDM/singlemode to copper or whatever the next
device is).

You can program the output of any of the four ports to be the input of one
of the four.

So, we have 1 port line, 2 port our router, two port with gig output for
each direction,
so we can tap 1G full duplex and put it to whatever collecting device (silk?)

Also, we use it as an STM1 Switch for our last 155MBit line 
(switch the line to one or another router, so we do not need the power
consuming atm-switch any more)

Juergen.

PS Hope this was not too much advertising ?

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] PVST+ with arista box

2017-03-06 Thread Juergen Marenda

Either configure MST everywhere, once, same configuration;
keep trunk VLAN assignment in sync with that
and never try to change to avoid problems.

So design your MST instances well;
or stay on Cisco pvst+ with only Cisco switches.
(caveat: some switches really want to have the vlans mentioned in the MST
instance config configured, which may be above their vlan limit count.)

Everything else gives headaches, white hair falling out too early, ...

Just my $0.01 ... white hair on the floor,

Juergen.
-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
james list
Sent: Monday, 6 March 2017 21:41
To: cisco-nsp NSP
Subject: [c-nsp] PVST+ with arista box

Dear experts,
I'm looking for hands on experience in interconnecting a huge cisco network
(>400 vlan) running PVST+ with some arista boxes which in principle as
default uses MST but in theory could interact with Cisco proprietary PVST+.

Despite the arista document which confirms the interop, has anybody ever done
something similar?
If yes any outcome?

Thanks in advance

Cheers
James


Re: [c-nsp] Cisco One Licensing

2017-03-03 Thread Juergen Marenda

> Some day, when I'm finally giving up on networking, I'll change to the
> dark side and apply for a job in the license-model creation business unit
> for one of the big network vendors.
>
> gert

I am thinking about creating special electric connectors, 
say, the upcoming IPv8-Connector; forcing it to be _the_ world-wide standard
(even star fleet must use them) and getting a golden nose with the
licence-fees.

Only well-educated technicians are allowed to handle them,
so education courses and certification business boosts.

Finally, my book "the IPv8-Connector for dummies" will be a best-seller.

Juergen.




Re: [c-nsp] OSPF LSA Type 3 / 5 question ...

2017-02-16 Thread Juergen Marenda

On Fri, Feb 3, 2017 at 1:05 PM, Bryan Holloway wrote:
> > Imagine an ABR bordering areas 0 and 1 which is summarizing 10.0.0.0/8
> > to the backbone.
> >
> > Downstream is a router running OSPF with the ABR. On that router is a
> > static route to yet another device that does not support OSPF. Let's
> > say that static route is 10.100.0.0/24.
>
> Am I correct in understanding the redistribution is in area 1?
>
> If so, this link may help: https://learningnetwork.cisco.com/thread/102826
>
> The idea is to turn area 1 into an NSSA area, so the static would be a
> type 7, and you could then drop the type 5 LSAs on the ABR.

> The idea is cool, but I am not sure whether I would really want this in
> production.
>
> BGP instead of areas anyone?

OSPF reacts much faster than BGP, iff you have some sort of
redundancy/backup line.
You may also want to inject default into the totally-stubby-not-so-stubby
area,
and implement some sort of prefix filtering on both sides.

Just my 0.01$

Juergen.



Re: [c-nsp] strange crypto map on C891f

2017-01-09 Thread Juergen Marenda
Just for later reference

After opening a TAC case, 
They found the old bug CSCsq07109, and
my case increased the number of devices affected dramatically.
The old one did show up during boot, mine does not, 
so they created the new also just cosmetic BUG CSCvc69129 for it.

Thus spoke Nikolas Geyer [n...@neko.id.au]:
> 
> It's used for internal crypto self tests during boot up, there was a bug
> about it about 18 months ago making it visible like you are seeing but I
> don't recall it affecting 15.4.
> 
> Log a case with TAC.

> > On 28 Dec 2016, at 6:53 AM, Juergen Marenda <c...@marenda.net> wrote:
> > That are Cisco C891F-K9 (revision 1.0) devices running 
> > c800-universalk9-mz.SPA.154-3.M6a.bin
> > 
> > ursamajor#sh crypto map
> >Interfaces using crypto map NiStTeSt1:
> > [...]



[c-nsp] strange crypto map on C891f

2016-12-27 Thread Juergen Marenda

Hi,

I just migrated a pair of 1812's to C891f with ipsec-tunnels
and found a (even in show run all) not configured crypto-map
called NiStTeSt1:

That are Cisco C891F-K9 (revision 1.0) devices
running c800-universalk9-mz.SPA.154-3.M6a.bin

ursamajor#sh crypto map
Interfaces using crypto map NiStTeSt1:

Crypto Map IPv4 "x" 100 ipsec-isakmp 
[...]

ursamajor#conf t
no crypto map NiStTeSt1
end
ursamajor#sh crypto map
Crypto Map IPv4 "x" 100 ipsec-isakmp 
[...]

Ok that seems to work, now I have to ask for a timeslot
to reload (after a wr mem) to see whether it re-appears...

Very strange.
Any experience with this?
Another back door?

Thank you for some insights,

Juergen.





Re: [c-nsp] c7301 and hot-swapping of PAs?

2016-11-10 Thread Juergen Marenda
Hi Gert,

> I know I used to know this, but my memory is aging faster than the
> hardware... can PAs in a 7301 (= 1RU / 7200 / NPE-G1) be hot-plugged or not?

According to the install guide, they can be hot-plugged:

"Online insertion and removal (OIR) Allows you to add, replace, or remove
port adapters with minimal interruption of the system"

From
http://www.cisco.com/c/en/us/td/docs/routers/7300/install_and_upgrade/7301/7301_install_and_config_guide/7301icg/5418o.html

Hope this helps,

Juergen.
--



Re: [c-nsp] Weird throughput issue

2016-07-24 Thread Juergen Marenda

Check MTU on the links provided, probably some (vlan-/mpls-/...) tags do
not fit.





Re: [c-nsp] ASR 9000 Upgrade Expectations

2016-07-13 Thread Juergen Marenda
Because of
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160525-ipv6
asr9k: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuz66542

it should be 5.3.4.1 or for the brave 6.1.1.16
but I cannot see it for download (but 5.3.3 two times!)

... waiting for a fix of severity-2 BUG for more than 6 weeks ...
... nice to read that for oldstyle IOS, it may be fixed in IOS XVI.IV (will
arrive A.D. MMXX ?)

Workaround with ACLs reduces the number of Layer3 (both IPv4 and IPv6) SVI
interfaces on my cat4900M
to less than 300 (out of TCAM resources...) just for the basics.

I am desperately disappointed.

Just my 0.01 $,

Juergen.




Re: [c-nsp] ASR920 drops despite policy-map

2016-06-06 Thread Juergen Marenda

Start at Layer 0+1...
Sure that the links are all full-duplex, esp. to the test-loop?
If half-duplex, then you'll see collisions.
(and autoneg'ed on both sides shows same result, on all links?)

(just as a starting point, before checking higher levels
 and doing days of debugging: eliminate bad cable/transceiver...)

Juergen.

> [...]
> It’s a pretty simple topology.  Gi0/0/22 on each A920 is connected to an Exfo 
> test set.  Gi0/0/23 on each A920 is connected to the other.  I’ve got an 
> EoMPLS PW connecting Gi0/0/22 on both devices.
>
> Exfo Tester - gi0/0/22 - ASR920-1 - gi0/0/23 - gi0/0/23 - ASR920-2 - gi0/0/22 
> - Exfo Loopback
> 
> The Exfo transmitted 45469372 packets during the test, and I’m seeing output 
> drops on ASR920-1 Gi0/0/23.
> 
> There’s no other traffic going across this box, except for ISIS and BFD, but 
> I highly doubt this would contribute to 2.1 million dropped packets.
> [...]


Re: [c-nsp] ISR4431 memory usage

2016-06-04 Thread Juergen Marenda
> Thanks Juergen
> - Did you notice any significant increase in ram utilisation once you
> enabled the 2 full tables?
> (i.e. ours is currently sitting at ~83%, base conf) or did memory usage
> not change that much
> (i.e. it was "reallocated" from other processes)

One Pair of them:
46.9% (1.62 GB) of 3.46 GB used
47.0% (1.63 GB) of 3.46 GB used
started after reload at 37% and increases 1% per month 
Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version
15.5(1)S1, RELEASE SOFTWARE (fc1)

Other Pair:
37.6% (1.30 GB) of 3.47 GB used
36.2% (1.25 GB) of 3.47 GB used
few variations +-1% since last reload 9 months ago 
Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version
15.4(3)S3, RELEASE SOFTWARE (fc1)

Third set:
40.7% (1.41 GB) of 3.47 GB used
40.7% (1.41 GB) of 3.47 GB used
started with 39,7 5 months ago, so 0,2% growth per month
Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version
15.4(3)S4, RELEASE SOFTWARE (fc3) 

Looks like I must check the first pair.
Why the heck is it running a ...1... release
while all were installed with 15.4(3)S_latest_
... found ... Customer did that upgrade by himself.

Juergen





Re: [c-nsp] ip virtual-reassembly drop-fragments

2016-06-03 Thread Juergen Marenda
Ok, I found a document stating that "ip virtual..." is good for DDOS
prevention 
http://blog.ine.com/2008/11/05/dealing-with-fragmented-traffic/
and does not help in reassembling in memory-efficient way 
what I learned from reading Cisco-doc when I first saw that command
appearing on my router's configs.
May be that this is evolution of functionality.

Nevertheless, 
having it active on route-only routers (without "drop-fragments")
does have (massive) negative impact on the traffic between 
(for example) the firewalls behind those routers
using ipsec-tunnels (sending ip/esp packets, often fragmented )
(PMTU does not help since that is no ip/tcp traffic).

Seeing this (also in setups with no connection to the internet so "DDOS" is
not there) 
brought me to the recommendation to disable that feature.

Sorry for any confusion I may have created,

Juergen.



Re: [c-nsp] ip virtual-reassembly drop-fragments

2016-06-03 Thread Juergen Marenda
Reassembling ipv4 packets inside the router is only needed for fragmented
packets with the router as destination; in the ipv4 world, the target host
is responsible for reassembling the fragmented packets,
even when this happens on a router between and not on the source host.

(for example, if an ipsec encapsulated packet got too big with the
additional infos, the destination router which will de-ipsec it must first
reassemble it. (global settable ipsec behavior)
On GRE-Tunnels, the ip fragments will be delivered to the destination host,
which must reassemble it.

To help with fragment-ddos, configuring a mechanism not involved will not
help;
so you may want to use ACLs or the IOS firewall. See for example

http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/8014-acl-wp.html

(not special for GRE even when the name suggests it)

Juergen.

-Original Message-
From: Satish Patel [mailto:satish@gmail.com]
Sent: Friday, 3 June 2016 03:01
To: c...@marenda.net
Cc: Nick Hilliard; Cisco Network Service Providers
Subject: Re: AW: [c-nsp] ip virtual-reassembly drop-fragments

Sorry typo it was "Internet"

We are getting many IP fragment DDoS so I was planning to use on outside
interface to drop all IP fragmented packets.

--
Sent from my iPhone

> On Jun 2, 2016, at 10:44 AM, Juergen Marenda <c...@marenda.net> wrote:
> 
> 
> Satish Patel wrote:
>> is it safe to put on internap facing interface?
>> 
>> ip virtual-reassembly drop-fragments
> 
> what's an "internap"?
> 
> s/ap/et/
> 
> Yes it is safe, but
> 
> "no ip virtual-reassembly"
> is the best thing you can do, on every interface, and look from time
> to time and after reloads whether it reappears.
>
> "virtual-reassembly" should "reassembly" fragments (in a special,
> memory conserving way) So dropping fragments in that context must be
> an april's first joke.
>
> Having too few resources,
> the theoretically good idea behind "virtual-reassembly" does not work
> very well (in practice) esp. when it should be useful.
> 
> Using the "no" form on every interface where it appears automagically 
> When you configure nat, crypto, ... did help us to solve many problems.
> 
> Juergen.
> 
> 



Re: [c-nsp] ISR4431 memory usage

2016-06-02 Thread Juergen Marenda
Have several ISR4431 with minimum two full tables (but no default),
without problems, migrated from 7201 and [23]8xx'er 

(but memory-eater "soft-reconfiguration" is no longer in use)

Juergen.



Re: [c-nsp] ip virtual-reassembly drop-fragments

2016-06-02 Thread Juergen Marenda

Satish Patel wrote:
> is it safe to put on internap facing interface?
> 
> ip virtual-reassembly drop-fragments

what's an "internap"?

s/ap/et/

Yes it is safe, but

"no ip virtual-reassembly"
is the best thing you can do, on every interface, 
and look from time to time and after reloads whether it reappears.

"virtual-reassembly" should "reassembly" fragments (in a special, memory
conserving way)
So dropping fragments in that context must be an april's first joke.

Having too few resources,
the theoretically good idea behind "virtual-reassembly" does not work very
well (in practice)
esp. when it should be useful.

Using the "no" form on every interface where it appears automagically
When you configure nat, crypto, ... did help us to solve many problems.

Juergen.
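
The periodic check suggested in the post above (look after reloads, and after configuring nat or crypto, whether `ip virtual-reassembly` has reappeared) can be scripted against a saved running-config. This is an added example, not part of the original post; the function names and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample resembling "show running-config" output; interface names,
# addresses and the crypto map name are made up for this example.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 description uplink (constructed sample)
 ip address 192.0.2.1 255.255.255.252
 ip nat outside
 ip virtual-reassembly
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 ip virtual-reassembly drop-fragments
 crypto map x
!
interface GigabitEthernet0/2
 ip address 203.0.113.1 255.255.255.0
 no ip virtual-reassembly
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
!
"""

# The two command forms that appear in the thread, plus any trailing options.
VFR_RE = re.compile(r"^(no )?ip virtual-reassembly\b(.*)$")
# Features the post names as switching the command on by themselves.
TRIGGER_RE = re.compile(r"^(ip nat (?:inside|outside)|crypto map \S+)")


def audit_vfr(config_text):
    """Return {interface: {"vfr": state, "options": [...], "triggers": [...]}}.

    state is "enabled", "disabled" (explicit "no" form) or "absent".
    """
    results = {}
    current = None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            results[current] = {"vfr": "absent", "options": [], "triggers": []}
            continue
        # Sub-commands are indented; anything else ends the interface block.
        if current is None or not raw.startswith(" "):
            current = None
            continue
        line = raw.strip()
        vfr = VFR_RE.match(line)
        if vfr:
            entry = results[current]
            if vfr.group(1):
                entry["vfr"] = "disabled"
                entry["options"] = []
            else:
                entry["vfr"] = "enabled"
                entry["options"] = vfr.group(2).split()
            continue
        trig = TRIGGER_RE.match(line)
        if trig:
            results[current]["triggers"].append(trig.group(1))
    return results


def interfaces_to_review(results):
    """Interfaces where virtual reassembly is active, sorted by name."""
    report = []
    for name in sorted(results):
        entry = results[name]
        if entry["vfr"] != "enabled":
            continue
        if "drop-fragments" in entry["options"]:
            note = "drops all fragments"
        else:
            note = "virtual reassembly only"
        report.append((name, note, entry["triggers"]))
    return report


if __name__ == "__main__":
    for name, note, triggers in interfaces_to_review(audit_vfr(SAMPLE_CONFIG)):
        why = ", ".join(triggers) or "no nat/crypto line found"
        print(f"{name}: ip virtual-reassembly active ({note}); also configured: {why}")
```

Running it against a config saved before and after a reload shows on which interfaces the command came back.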
 



Re: [c-nsp] ASR920 vs ASR1001-x

2016-04-30 Thread Juergen Marenda

Even a 3COM 4200G is called a "layer 3 switch"
(but it's very limited:
 "32 static routes
  8 IP interfaces
  Hardware based routing"
 (from an ancient datasheet))

That's just marketing clouds ... tons of features, often mutex;
so they will not fly as a cloud should.

(The mentioned device and its successors work quite well
for their target market as "full manageable" L2 device.)

Today, a bridge with some hardware-speed-up is called a "switch" even if it
does only store-and-forward;
"switch" was the name for such a device with "cut through" and minimal
number of Ethernet-frame bits delay (6 octets for the destination-MAC plus
some bits for setting up the path to the output port).

A L3 Switch would be a similar device, looking into L3 info
which is "later" in the packet (and sometimes on variable place to
complicate this)
so the minimum delay ( with real switching - not store-and-forward ) must be
higher.

Everything else forwarding on L3 (per "store and forward") should be just
called "router" 
even when it's quite fast due to high CPU or hardware-based acceleration.

just my 0.01 $

Juergen.

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
sth...@nethelp.no
Sent: Friday, 29 April 2016 12:36
To: mark.ti...@seacom.mu
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASR920 vs ASR1001-x

> > ASR920 is more like a switch.
> Not really - it's actually a router.
> It just looks like a switch.

Interesting - one of our local Cisco distributors, in a meeting with us and
with Cisco people present, repeatedly called ASR920 a Layer 3 switch.
With no protest from the Cisco representatives.





Re: [c-nsp] SFP compatibility

2016-02-04 Thread Juergen Marenda
Most SFPs (esp. older ones for "low" speed) are fixed frequency,
so they will not get in sync.

A "GIG" SFP syncs at approx. 1.25 GHz and will not operate at FastEthernet
speed.

OK, there _are_ multi-frequency SFPs, 1G SAN+2GSAN +1GE for example,
but your device will not set the clock to FastEthernet on the normal Gig-SFP.
So they will not get in sync, and only see the light.

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Wilmer
Sent: Thursday, 4 February 2016 03:06
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] SFP compatibility

Hey Guys,

Probably a stupid question, but I can't find an obvious answer on Cisco.

Are the following SFPs able to be used together:

One device is using a GLC-FE-100EX & the other end is using
a 1000BASE-LX/LH (Single Mode fibre).

I "think" these SFP's are compatible with each other.. But if someone can
confirm this it would be great.


Re: [c-nsp] TFTP/SCP

2015-11-19 Thread Juergen Marenda
The crypto-work gets done on the CPU in software,
and the CPUs on those switches are not very strong.

(data traffic is forwarded by the hardware,
 only some special packets (STP, CDP, ...) disturb the CPU;
while management traffic must be handled by the CPU)

Juergen.



Re: [c-nsp] Does Cisco 3845 support EHWIC-1GE-SFP-CU ?

2015-09-08 Thread Juergen Marenda
3845 does not support EHWIC.
ISR(-1) maximum H-WIC, never E-H-WIC.

The built-in ethernet ports are sufficient to overload that box.
Use a NM-FE[12] to get a dedicated FastEthernet-management port.

Also keep in mind that most ethernet-WICs
or low-density-etherswitch-wic's may have deficits in MTU, VLAN-Tagging, ...
So read the datasheet and release notes first carefully
and then don't buy.

Just my 0.01$,

Juergen.

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Zahid Khan
Sent: Tuesday, 8 September 2015 17:00
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Does Cisco 3845 support EHWIC-1GE-SFP-CU ?

Hi Folks,

Can anybody please help me to find whether Cisco 3800 series routers support
EHWIC-1GE-SFP-CU card?

--
Regards,

Zahid Khan



Re: [c-nsp] BVI Configuration on 1600 Access Points

2015-08-26 Thread Juergen Marenda


> What I want to achieve is creating a BVI Interface in separate VLAN (our
> Management VLAN 232 in this specific case) so that the AP is tagging all
> packets with the respective VLAN 232. However, after doing the configuration
> the AP is not reachable on the configured IP address.
> The AP is connected to a 2960 switch and the port configured as trunk. As
> soon as I configure the native vlan to 232 on the trunk port the management
> IP of the AP becomes reachable. This indicates that the AP is not tagging
> the packets at all.
>
> [...]
>
> So, what am I missing?  It might be something completely trivial, and feel
> free to slap me if this is the case ;)

Cisco AP's are not routers but bridges.
They are managed only on the (untagged) interface.

Just configure your mgmt-vlan as native vlan on the switchport,
and tag all wlan-vlans, then everything will work fine.

(... and you may also use the default int bvi1 as mgmt interface for the ap,
 My good old AP1131's did insist on that) .

...No reason to slap you instead of the vendor.

Just my 0.01 $

Juergen Marenda.
--



Re: [c-nsp] %NTP: Multicast peer 224.0.1.1 does not exist

2015-08-24 Thread Juergen Marenda
> It's c7200p-advipservicesk9-mz.124-24.T8.bin

Have you checked that the clock of your NPE-G2/7201 is in sync,

# sh ntp status
# sh ntp asso

without having an accurate time, it will not send any ntp time-info

--
Juergen Marenda



Re: [c-nsp] Can ASA 5550 do BGP

2013-02-11 Thread Juergen Marenda
On Mon, Feb 11, 2013 at 09:21:46PM +0100, Peter Rathlev wrote:
> On Mon, 2013-02-11 at 18:58 +, pamela pomary wrote:
> > Quick one. I have just read from Cisco's support community that
> > generally ASA's dont do BGP. I want to verify if that is the case or
> > there is tweak to get it to do BGP :) . We have ASA 5550 software
> > version 8.2(3) which we possibly want to use as a border/edge router
> > with our ISP.
>
> I'm pretty certain the ASA doesn't do any BGP. The FWSM supports BGP
> Stub Routing though it's very limited (bordering to useless).
>
> http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/configuration/guide/ip_f.html#wpxref74349


pix and asa did and do not route very well.

Use Cisco Router IOS with ACL etc. works much better.

This is my very personal opinion,
Juergen.



Re: [c-nsp] can not configure modem by router

2012-11-17 Thread Juergen Marenda
On Sat, Nov 17, 2012 at 02:22:58PM +0330, s m wrote:
> hello guys
>
> i wanna connect a modem to a 2800 router by AUX port. this is my
> configuration:
> modem InOut
> modem autoconfigure discovery
> transport input all
> stopbits 1
> speed 38400
> flowcontrol hardware
>
> the speed value changes because mode autoconfigure discovery is set.
>
> i used blue console cable RJ45 to DB9 for connecting AUX port to modem.

Use the black cable or the supplied 9-to-25 CON-MODEM-adapter.
The light-blue cable is to connect to a PC-AT Serial Port.

Or crimp an RJ45 Plug reverse on the router's end of the cable.

Or use a NULLmodemcable between Modem and DB9 con.

You should be able to telnet ip-of-your-router 2001,
authenticate at router, and then speak with the modem.

If you connect PC with Hyperterm instead of the modem,
and this works, then it will not work with the modem,
and you need to get/build a fitting cable, see above.


[...]
> i read when the connection is correct, modem hardware stats should be CTS
> not noCTS. moreover i can not do reverse telnet to modem.

Your cabling is wrong, both sides SEND and RECEIVE Lines are connected together
(RS232 i must be short-circuit proof, +-12 V...)

> please let me know how i should fix it and configure my modem by  AT
> commands.

Hope this helps,

Juergen.



Re: [c-nsp] SFP high power alarm

2012-08-21 Thread Juergen Marenda
On Tue, Aug 21, 2012 at 06:05:32PM +0200, Gert Doering wrote:
> Hi,
>
> On Tue, Aug 21, 2012 at 12:26:50PM +, John Brown wrote:
> > Put a real optical power meter on the fibers and adjust with pads as
> > needed to get your levels within specs.
>
> That's *RX* power.  Not TX power.  TX power is something that is measured
> inside the SFP - and the question how can TX power go high is a valid
> one.


From an X2-Datasheet:

VII. DOM Parameters

                                                  Values
Parameter                                      min.   max.   Unit

Transponder Temperature Monitor Accuracy 1)    -5     +5     °C
Laser Bias Current Monitor Accuracy 2)         -10    +10    %
Transmit Power Monitor Accuracy 3)             -3     +3     dB
Receive Power Monitor Accuracy 3)              -3     +3     dB

1) 0 to 70°C case temperature.
2) 0 to 12.5 mA.
3) -8.2 dBm to +0.5 dBm

... so that may be just a measurement error.

Another SFP+ shows +-2dB TX or RX Power Monitor Accuracy,
and +-10% TX BIAS Accuracy.

Did not find an explanation of how optical modules
determine optical output power, some kind of
handshake with the remote side, increasing output power
so that the remote side _sees_ sufficient light?

But *cleaning* the fibers and plugs is a very good idea(TM),
with (too much) power the receiver gets blind;
sometimes the dirt between fiber-fiber or fiber-optics
gets grilled/enamelled onto the glass.

--
Juergen



Re: [c-nsp] Loop/Unreachable problem with C6500/SUP720

2012-08-08 Thread Juergen Marenda

(proxy-) ARP on wrong Interface / vlan ?
You have random /32 more specific host-routes,
compare mac-address table and arp-cache
for the current wrong routed ip.

Or are the ip's those found as ospf router-id ?

Hope this helps,

Juergen

 -Original Message-
 From: cisco-nsp-boun...@puck.nether.net 
 [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Tim Densmore
 Sent: Wednesday, August 08, 2012 8:04 PM
 To: cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] Loop/Unreachable problem with C6500/SUP720
 
 On 8/8/2012 10:29 AM, Xu Hu wrote:
  If yes, it is a normal behaviour.
 
 Hi,
 
 Can you explain in what circumstance this would be normal?  
 IIRC, OSPF 
 has an AD of 110 and iBGP 200, so even if the routes weren't 
 known via 
 connected, how would they randomly compete for space in the FIB?  I 
 don't have OSPF or BGP running on any SVIs, so this is an honest 
 question, not snarkiness, since I may find myself in this scenario in 
 the not too distant future, albeit on 7600s rather than 
 6500s.  Pointers 
 to docs would be great.
 
 Thanks,
 
 TD


Re: [c-nsp] me3600 svi's not showing in and out bit counts that isee on corresponding phy int

2012-08-08 Thread Juergen Marenda


on 4900M

!
int vlan NNN
 counter 
!

did help 
(yes I know the 4900M is not a metro switch)

Mit freundlichen Grüßen
Kind regards 
Veuillez agreer mes salutations distinguees 
Met vriendelijke groet 

Juergen.

> Try to set the load-interval to 30s, then check again.
> Xu Hu
>
> On 8 Aug, 2012, at 21:54, Aaron aar...@gvtc.com wrote:
> > anybody know why me3600 svi doesn't seem to show in and out bit counts that
> > the underlying phy int shows?  all svi's (10,11,13) are in a vrf running
> > over mpls l3vpn
> >
> > 3600#sh int vl 10 | in 30 sec
> > 30 second input rate 2000 bits/sec, 3 packets/sec
> > 30 second output rate 1000 bits/sec, 3 packets/sec
> >
> > 3600#sh int g0/1 | in 30 sec
> > 30 second input rate 402000 bits/sec, 359 packets/sec
> > 30 second output rate 6157000 bits/sec, 613 packets/sec
[...]



Re: [c-nsp] pppoe server

2011-06-28 Thread Juergen Marenda
 
On the lower-price end,
the 3845 has 1200 as maximum recommended number of l2tp tunnels or sessions
(cisco application note "l2tp support for the cisco 800, 1800, 2800, 3800
integrated service routers"),
or a 7206VXR with NPEg1
or the 1RU NPEg2 called 7201 will terminate 8000 sessions
(Miercom report and datasheet at cisco.com)

But they have 2/3/4 GE Interfaces, resp., not 10GE,
and second source memory to max the NPE-G1 out is now rare.

Juergen.

 -Original Message-
 From: cisco-nsp-boun...@puck.nether.net 
 [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Bruce 
 D. Sidlinger
 Sent: Tuesday, June 28, 2011 7:51 AM
 To: K bharathan
 Cc: cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] pppoe server
 
 ASR1000 is the current preferred solution, or so my 
 salesperson tells me.
 
 For various telcos I currently use Cisco 1s for PPPoE but 
 in the future will change to the new little ASR.
 
 -Bruce
 
 
 On Jun 28, 2011, at 12:36 AM, K bharathan kbhara...@gmail.com wrote:
 
  hi all
  which cisco router can be used for pppoe server (about 1200 
 customers)
  
  -bharathan


Re: [c-nsp] Boot from TFTP

2011-06-26 Thread Juergen Marenda

Hello Jay,
 
Here is a link for the different linear Flash cards from Cisco.

http://www.cisco.com/en/US/products/hw/routers/ps341/products_tech_note09186a00800a7515.shtml

PCMCIA Filesystem Compatibility Matrix and Filesystem Information

...
The Flash disk is more flexible than linear Flash memory because the Flash disk 
has controller circuitry that allows it to emulate a hard disk and that 
automatically maps out bad blocks and performs automatic block erasure. 
Further, the Flash disk provides the capability to allocate noncontiguous 
sectors, which eliminates the need for the squeeze command (previously required 
with linear Flash memory cards).
...


From ancient
http://www.cisco.com/en/US/docs/ios/11_3/configfun/configuration/guide/fcmemory.html

...
You can delete and undelete a file up to 15 times.
...

I think this is what I remembered as delete 8/9 times in my post.



I personally tried a 16 MByte Linear Flash Card from a 7206vxr/NPE300/IO-1FE
and a 4 MByte Linear Flash card from a 1603R on my Newton MP110,
they both did not work there (also not in a Casio Zoomer).

CompactFlash ATA disks with a (mechanical only) PCMCIA adapter
may work on a 7206VXR or not, due to different disk-controller chipsets
in the CompactFlash (Windows XP showed me the controller type
when inserting into the laptop), so I could sort and swap them
with my digicam's CompactFlash cards.

Even when formatted on the target router,
a 7206VXR may mutter "not formatted in this router".



Just plugged a Cisco 32M CompactFlash from an 1812 into my laptop:

STI Flash 8.0.0
Properties Filesystem FAT
Capacity 31.973.376 Bytes
(no FDISK partition table, not applicable)

Hope this helps,

Juergen.

 -Original Message-
 From: Murphy, Jay, DOH [mailto:jay.mur...@state.nm.us] 
 Sent: Friday, June 24, 2011 11:33 PM
 To: j...@ilk.net; 'Scott Voll'
 Cc: cisco-nsp@puck.nether.net
 Subject: RE: [c-nsp] Boot from TFTP
 
 Juergen, 
 
 Could you please help me... can you point me to the 
 source of this information, since some networks have legacy 
 devices, and different classes of flash file systems.
 
 Thanks, my friend,
 
 ~Jay Murphy 
 Sr. IP Network Specialist
 NM State Government
  
 
 
 -Original Message-
 From: Juergen Marenda [mailto:j...@ilk.net] 
 Sent: Friday, June 24, 2011 3:19 PM
 To: Murphy, Jay, DOH; 'Scott Voll'
 Cc: cisco-nsp@puck.nether.net
 Subject: RE: [c-nsp] Boot from TFTP
 
 
 No, the compact flash cards have DOS filesystems,
 squeeze is not needed and not offered by the IOS
 on those filesystems. Esp. after format, squeeze on the CompactFlash
 is not needed. 
 
 The old, linear fast PCMCIA FLASH Cards (but not compatible with 
 the Newton :-( as a former form of ip* was named) )
 did also not need squeeze but you had to delete a file 8? 9? times
 to free the blocks, or use squeeze if offered by your IOS.
  Even though you reformat the CompactFlash card, you will need 
  to use squeeze to recoup the memory space.
  
  ~Jay Murphy 
  Sr. IP Network Specialist
  NM State Government
 



Re: [c-nsp] Boot from TFTP

2011-06-24 Thread Juergen Marenda

You need some RAM...
The (first) image in FLASH will be loaded and started, and uncompresses itself.
It reads the config file and, after configuring some of the interfaces,
loads the indicated IOS thru tftp into RAM to uncompress and start it.

So you need RAM for two IOS's unzipped...
or a smaller, older, not full-featured image for booting purposes
(for some machines boot-helper images exist).

Why don't you

- boot device
  and get ip address 
  ...int gig 0/0
  ip address dhcp
  no shut
- ping tftp server 
(ok)
- format flash:  to clear it
  or delete some big files (not the vlan.dat ) to make sufficient space
  for the wanted IOS
- copy tftp:/ip/file flash:/file
- reload from flash
- (probably you want to delete or update the LIST of boot system and boot config
  commands; if there is more than 1 of each they all will get executed.)

 -Original Message-
 From: cisco-nsp-boun...@puck.nether.net 
 [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott Voll
 Sent: Friday, June 24, 2011 10:24 PM
 To: cisco-nsp@puck.nether.net
 Subject: [c-nsp] Boot from TFTP
 
 OK... I'm in a pinch and I need to upgrade a 2821 to a newer ISO and don't
 have time to get a new Flash card.
 
 So I'm trying to boot from TFTP.  But I keep getting a file too large error
 
 %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0/0 assigned DHCP address 10.14.1.53, mask 255.255.255.0, hostname Router
 
 %SYS-6-READ_BOOTFILE_FAIL: tftp://10.14.1.108/c2800nm-advipservicesk9-mz.151-3.T1.bin File read failed -- Not enough space.
 
 %SYS-6-READ_BOOTFILE_FAIL: tftp://10.14.1.108/c2800nm-advipservicesk9-mz.151-3.T1.bin File read failed -- Not enough space.
 
 %SYS-6-READ_BOOTFILE_FAIL: tftp://10.14.1.108/c2800nm-advipservicesk9-mz.151-3.T1.bin File read failed -- Not enough space.
 
 %SYS-3-IMAGE_TOO_BIG: 'tftp://10.14.1.108/c2800nm-advipservicesk9-mz.151-3.T1.bin' is too large for available memory (51691544 bytes).
 %SYS-6-READ_BOOTFILE_FAIL: tftp://10.14.1.108/c2800nm-advipservicesk9-mz.151-3.T1.bin File read failed -- Not enough space.
 
 
 Config looks like this:  boot system tftp://10.14.1.108/c2800nm-advipservicesk9-mz.151-3.T1.bin
 
 Memory needed is 512mb  I have Cisco 2821 (revision 53.50) with
 776192K/10240K bytes of memory.  so I should have enough ram.
 
 What am I missing?
 
 Scott

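The flash-based upgrade path listed in the message above, written out as a console session. This is an added example, not part of the original posts: the prompts, the old image name and the MD5 value are placeholders, and the `verify /md5` step is an addition that checks the copied image against the vendor-published hash before the router is told to boot it.

```cisco
! Added example. Server address and image name are taken from the thread;
! <old-image>.bin and <published-md5> are placeholders, not values from the thread.

! 1. Bring up the interface and get an address
Router# configure terminal
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip address dhcp
Router(config-if)# no shutdown
Router(config-if)# end

! 2. Confirm the TFTP server is reachable
Router# ping 10.14.1.108

! 3. Check free space on flash, then make room (leave vlan.dat alone).
!    A later reply in the thread gives the image size as 64562864 bytes.
Router# show flash:
Router# delete flash:<old-image>.bin

! 4. Copy the new image to flash
Router# copy tftp://10.14.1.108/c2800nm-advipservicesk9-mz.151-3.T1.bin flash:

! 5. Verify the copy against the hash published for this image.
!    Do not reload if this fails: with the old image deleted, the router
!    would have nothing valid to boot from.
Router# verify /md5 flash:c2800nm-advipservicesk9-mz.151-3.T1.bin <published-md5>

! 6. Replace the list of boot system statements so that only the
!    flash image remains (the tftp:// entry would otherwise still be tried)
Router# configure terminal
Router(config)# no boot system
Router(config)# boot system flash:c2800nm-advipservicesk9-mz.151-3.T1.bin
Router(config)# end
Router# show running-config | include ^boot

! 7. Save and reload from flash
Router# copy running-config startup-config
Router# reload
```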

Re: [c-nsp] Boot from TFTP

2011-06-24 Thread Juergen Marenda

No,

boot system does not copy to flash,
it loads the file to RAM and starts it.
 
 -Original Message-
 From: cisco-nsp-boun...@puck.nether.net 
 [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Peter Rathlev
 Sent: Friday, June 24, 2011 10:41 PM
 To: Scott Voll
 Cc: cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] Boot from TFTP
 
 On Fri, 2011-06-24 at 13:23 -0700, Scott Voll wrote:
  %SYS-3-IMAGE_TOO_BIG: 'tftp://10.14.1.108/c2800nm-advipservicesk9-mz.151-3.T1.bin' is too large for available memory (51691544 bytes).
  %SYS-6-READ_BOOTFILE_FAIL: tftp://10.14.1.108/c2800nm-advipservicesk9-mz.151-3.T1.bin File read failed -- Not enough space.
  
  
  Config looks like this:  boot system tftp://10.14.1.108/c2800nm-advipservicesk9-mz.151-3.T1.bin
  
  Memory needed is 512mb  I have Cisco 2821 (revision 53.50) with
  776192K/10240K bytes of memory.  so I should have enough ram.
 
 I'm guessing it's the flash. You probably have 51691544 bytes left on
 the flash device. The image is 64562864 bytes.
 
 -- 
 Peter
 
 
 


Re: [c-nsp] Boot from TFTP

2011-06-24 Thread Juergen Marenda

No, the compact flash cards have DOS filesystems,
squeeze is not needed and not offered by the IOS
on those filesystems. Esp. after format, squeeze on the CompactFlash
is not needed. 

The old, linear fast PCMCIA FLASH Cards (but not compatible with 
the Newton :-( as a former form of ip* was named) )
did also not need squeeze but you had to delete a file 8? 9? times
to free the blocks, or use squeeze if offered by your IOS.
 Even though you reformat the CompactFlash card, you will need 
 to use squeeze to recoup the memory space.
 
 ~Jay Murphy 
 Sr. IP Network Specialist
 NM State Government

 -Original Message-
 From: cisco-nsp-boun...@puck.nether.net 
 [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott Voll
 Sent: Friday, June 24, 2011 2:54 PM
 To: j...@ilk.net
 Cc: cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] Boot from TFTP
 
 That's what I was forgetting... I knew there was something.  I'll see
 if I can find a Boot helper image to replace the full blown one that is
 currently on the flash.
 
 Thanks
 
 Scott
 


Re: [c-nsp] Dot11Radio0 ipv6 command

2011-06-22 Thread Juergen Marenda

Sorry, 
but I do not see the difference between IPv4 and IPv6 behaviour here.

As far as I remember you put the LAN interface vlan1
and the radio (sub-)interface into the same bridge-group
and configure the IPv4 (or IPv6) on the BVI interface
to emulate the normal behaviour of home-customer CPEs.

Juergen.
