[c-nsp] Nexus 7000 MPLS
Hi,

I see the Nexus 7000 does MPLS now (perhaps for some time?). Is there anyone out there using MPLS on these and cares to comment about their experience?

I'm particularly interested in RSVP, L3VPN support using OSPF as the PE/CE protocol, any scalability issues, possibly some interop w/ Juniper MX, and of course stability.

All on and off list replies very much appreciated. :)

Thanks
Kris

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Performance Of www.cisco.com
Tassos Chatzithomaoglou wrote:
> Someone heard all of you and made www.cisco.com extra-light!

Ha. Some kind of s/t//g error perhaps.
[c-nsp] 7600 vs MX experience?
Hi,

We're looking at 7600 + RSP720 platform and the MX from Juniper for our MPLS needs and I was interested in hearing feedback from people about their experiences - both positive and negative - with either platform.

Whatever is selected will be used both as Ps and PEs w/ all 10GE on the core side. This is a fairly large (continental) deployment, and it will set the standard internationally for this customer. Main use will be for IP VPN and EoMPLS, but VPLS may show up in the future too.

Looks like they both will work for our needs. So what it really comes down to is important things like *stability*, support experience, etc.

Please contact me off list if you'd rather not express something in public. Feedback is very much appreciated. :)

Cheers
Kris
[c-nsp] EIGRP as core routing protocol on MPLS network
Hi,

I've been trying to find out the implications of using EIGRP to distribute the loopbacks for a BGP/MPLS network instead of the usual OSPF or ISIS. But either it isn't a very well covered topic or my Google-foo is seriously bad.

I've lab'ed it up in a very simple environment and for typical Layer 3 BGP/MPLS VPN applications everything seems to work fine as expected, LDP continues distributing labels, and VPN packets are label switched across the network.

However, I assume the caveats are around using features that use OSPF/ISIS for transporting additional information or for signalling, e.g. perhaps traffic engineering info.

Given there is no information on this on Google I guess it isn't supported and the recommendation is simply don't do it. But I'm curious, so has anyone done this in a production environment for any reason, or has anything enlightening to say on the matter?

Cheers
Kris

PS: before anyone asks "Why on earth would you want to do that!?" I don't particularly, but I'd like to know about it for argument's sake.
Re: [c-nsp] Providing 3rd party access to logs (syslog)
Joy of security logs

You don't make much mention about what monitoring/alerting/reporting you're needing to do or what the scale of this is, but I'm guessing small...?

For a managed security service of lots of firewalls with more customers coming online, some sort of SEM might be nice that'll take care of all of this (and it's a selling point to your customers). I've done a lot of SEM both on Unix using custom scripts/logsurfer/etc., some custom SQL databases with simple front ends, and more recently a lot using ArcSight (unfortunately with a lot of database customisation for reporting). It really does make life easier to have it all in one place and be able to query it.

If this is a one-off then maybe something free like OSSIM might fit the bill (but I've never used it).

If all they need is plain log files for occasional audit purposes, give them a mechanism to securely fetch them, or provide them once a month on CD with your report. And be careful not to go overboard splitting it up too much, you can use grep to break out just the severities/days/etc. If you want searching, throw it in a database each night.

Also, might want to think about whether you really want to give customers real-time views of logs as opposed to reports, this will depend on what they're like and how you've sold the service to them. (If they have a picky internal security department that thinks they could do a better job than you it can get annoying.)

Other links: http://www.loganalysis.org/ and of course http://www.sans.org/reading_room/

Cheers
Kris

Dale Shaw wrote:
> Hi all,
>
> This may be a bit off topic, but I figure the cisco-nsp brains trust will have been there, done that already.
>
> Has anyone had a requirement to provide 3rd parties with access to log files? I have a requirement to provide access to firewall log files (syslogged) to a security group within an enterprise.
>
> Logs held on the logging server will be sorted into a directory hierarchy based on the logging device's name, year, date, day and then severity (or something similar). They will likely be compressed.
>
> I figure this could be as simple as setting up a web server on the log server and enabling directory listings / browsing on the virtual directories.
>
> Has anyone come across a nicer solution? Perhaps something that provides (for example) search capabilities and results filtering, and real time log watching (ala tail) through a web interface?
>
> The log server OS has not been decided yet. It's likely to be Linux or Windows Server.
>
> cheers,
> Dale