Re: [c-nsp] CSRv & VXLAN

2015-09-24 Thread Luan Nguyen
While we are on this...
Is OTV still Cisco proprietary? And still only ASR1K and Nexus 7K support from
the Cisco side?
Wouldn't it be better to use L2TPv3, and MACsec if needed?

On Thu, Sep 24, 2015 at 2:40 PM, Luis Anzola  wrote:

> Find below a very handy guide for the CSR1Kv and OTV:
>
>
> http://www.cisco.com/c/en/us/td/docs/solutions/Hybrid_Cloud/DRaaS/CSR/CSR/CSR5.html
>
>
>
> On Thu, Sep 24, 2015 at 2:22 PM, Mohammad Khalil 
> wrote:
>
> > Hi
> > I have simulated this on gns3
> > http://eng-mssk.blogspot.com/2015/09/otv-example.html?m=1
> >
> > It might give you a hint
> >
> > BR,
> > Mohammad
> >
> >
> > Sent from Samsung Mobile
> >
> >
> >  Original message 
> > From: Steve Mikulasik 
> > Date:24/09/2015 20:45 (GMT+02:00)
> > To: Luis Anzola 
> > Cc: cisco-nsp@puck.nether.net
> > Subject: Re: [c-nsp] CSRv & VXLAN
> >
> > Yeah after some further reading I think you are right. I'll extend the
> > question to include OTV on the CSRv platform. Any experiences would be
> > greatly appreciated.
> >
> >
> > -Original Message-
> > From: Luis Anzola [mailto:anzo...@gmail.com ]
> > Sent: Thursday, September 24, 2015 11:22 AM
> > To: Steve Mikulasik 
> > Cc: cisco-nsp@puck.nether.net
> > Subject: Re: [c-nsp] CSRv & VXLAN
> >
> > I would look at OTV instead. It's a technology developed specifically for
> > DCI implementations and brings very important benefits with it.
> >
> > Luis
> >
> > Sent from my iPhone
> >
> > > On Sep 24, 2015, at 12:56 PM, Steve Mikulasik <
> steve.mikula...@civeo.com>
> > wrote:
> > >
> > > Anyone have any experience with VXLAN on the CSRv? I need to span L2
> > traffic across hosted datacenters (can't use a physical device unless it
> > installs on x86 hardware) and was wondering if this is the way to go on
> > this platform.
> > >
> > >
> > >
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Cisco IOS XRv (Virtual ASR9k)

2015-08-17 Thread Luan Nguyen
Nice...thanks, 5.3.1 is nice.
Though I don't think people will have access to the file exchange? The
public link only has 5.1.2.

On Mon, Aug 17, 2015 at 2:00 PM, Tim Densmore 
tdensm...@tarpit.cybermesa.com wrote:


 https://upload.cisco.com/cgi-bin/swc/fileexg/main.cgi?CONTYPES=Cisco-IOS-XRv


 On 8/17/2015 11:54 AM, Skeeve Stevens wrote:

 Hi all,

 I need to do some lab testing with XR for a ASR9001...   Does anyone know
 where the XRv image is... I've looked everywhere... I think my search-foo
 is broken today :(

 ...Skeeve

 *Skeeve Stevens - Founder  The Architect* - eintellego Networks Pty Ltd
 Email: ske...@eintellegonetworks.com ; Web: eintellegonetworks.com

 Phone: 1300 239 038 ; Cell +61 (0)414 753 383 ; Skype: skeeve

 Facebook: eintellegonetworks http://facebook.com/eintellegonetworks ;
 Twitter: eintellego https://twitter.com/eintellego

 LinkedIn: /in/skeeve http://linkedin.com/in/skeeve ; Expert360: Profile
 https://expert360.com/profile/d54a9


 Elastic Fabrics - Elastic Engineers - Elastic ISPs - Elastic Enterprises

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Cisco IOS XRv (Virtual ASR9k)

2015-08-17 Thread Luan Nguyen
That's the file exchange link...same as the other.
I just thought that file exchange is a place where Cisco publishes images
not meant for the general public to you...that link works for me as well.

Regards,
-Luan

On Mon, Aug 17, 2015 at 2:44 PM, Roland Dobbins via cisco-nsp 
cisco-nsp@puck.nether.net wrote:


 -- Forwarded message --
 From: Roland Dobbins rdobb...@arbor.net
 To: cisco-nsp@puck.nether.net
 Cc:
 Date: Tue, 18 Aug 2015 01:37:48 +0700
 Subject: Re: [c-nsp] Cisco IOS XRv (Virtual ASR9k)
 On 18 Aug 2015, at 1:36, Luan Nguyen wrote:

  Thanks Harold...but from the link that Roland sent...there's nothing
  there...

 Don't know what to tell you, it works for me.

 Try this one:

 
 https://upload.cisco.com/cgi-bin/swc/fileexg/main.cgi?CONTYPES=Cisco-IOS-XRv
 

 ---
 Roland Dobbins rdobb...@arbor.net


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Cisco IOS XRv (Virtual ASR9k)

2015-08-17 Thread Luan Nguyen
Thanks Harold...but from the link that Roland sent...there's nothing
there...

Regards,
-Luan

On Mon, Aug 17, 2015 at 2:20 PM, Harold Ritter (hritter) hrit...@cisco.com
wrote:

 Hi Luan,

 CCO has more than just 5.1.2. It also has 5.1.1, 5.2.0 and 5.3.0.

 Regards,

 Harold


 On 2015-08-17 14:08, "cisco-nsp on behalf of Luan Nguyen"
 cisco-nsp-boun...@puck.nether.net on behalf of lngu...@opsource.net
 wrote:

 Nice...thanks, 5.3.1 is nice.
 Though I don't think people will have access to the file exchange? The
 public link only has 5.1.2.
 
 On Mon, Aug 17, 2015 at 2:00 PM, Tim Densmore 
 tdensm...@tarpit.cybermesa.com wrote:
 
 
 
 
 https://upload.cisco.com/cgi-bin/swc/fileexg/main.cgi?CONTYPES=Cisco-IOS-XRv
 
 
  On 8/17/2015 11:54 AM, Skeeve Stevens wrote:
 
  Hi all,
 
  I need to do some lab testing with XR for a ASR9001...   Does anyone
 know
  where the XRv image is... I've looked everywhere... I think my
 search-foo
  is broken today :(
 
  ...Skeeve
 
  *Skeeve Stevens - Founder  The Architect* - eintellego Networks Pty
 Ltd
  Email: ske...@eintellegonetworks.com ; Web: eintellegonetworks.com
 
  Phone: 1300 239 038 ; Cell +61 (0)414 753 383 ; Skype: skeeve
 
  Facebook: eintellegonetworks http://facebook.com/eintellegonetworks
 ;
  Twitter: eintellego https://twitter.com/eintellego
 
  LinkedIn: /in/skeeve http://linkedin.com/in/skeeve ; Expert360:
 Profile
  https://expert360.com/profile/d54a9
 
 
  Elastic Fabrics - Elastic Engineers - Elastic ISPs - Elastic
 Enterprises

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] CCIE Party pickup line

2015-06-01 Thread Luan Nguyen
In the Washington DC area, there's the HOV slug-lines where you can pick up
people for HOV, is there one for CCIE Party? :)
We have a big team going this year and not enough CCIEs to get all
in...anyone going solo, kindly drop me an email offlist? :)

Thanks.
Regards,
-lmn
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] ASR1000v Loopback interface

2015-02-23 Thread Luan Nguyen
Hello,
Anyone use the loopback interface on the ASR 1000v to terminate VPN/DMVPN
tunnels? How does the loopback interface on the ASR1000v relate to the
VMware resources? Say if I already have the max 10 vNICs mapped to 10
GigabitEthernet interfaces on the ASR1000v, how does the loopback interface
come into play?

On a side note, if I want to go with the Check Point R77.20 Gaia, can I
terminate the VPN tunnel on the loopback, assuming I use a public IP
address on it?

Thanks.
Regards,
-lmn
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Packet Fragmentation

2015-02-12 Thread Luan Nguyen
If you're lucky enough to have a provider like NTT, who supports 5000 MTU within
their backbone, for site-to-site VPN you could just jack up your MTU
setting on all tunnel-related interfaces to, say, 5000 and avoid
fragmentation altogether.

On Thu, Feb 12, 2015 at 2:15 PM, Roland Dobbins rdobb...@arbor.net wrote:

 On 13 Feb 2015, at 1:45, Brian Christopher Raaen wrote:

  The fragmentation is unavoidable as this involves VPNs and the
 applications can't be adjusted to try smaller sized frames.


 If you're using the router as a VPN concentrator for users and you're
 talking about fragmentation of in-tunnel traffic, you should be able to
 adjust the MTU and/or MSS for the software clients connecting to the VPN
 concentrator downwards in order to account for tunnel overhead.

 If you're using the router for a site-to-site VPN, you can adjust the MTU
 downwards for the relevant interface(s) on the relevant router(s) to
 account for tunnel overhead.

 Jared was talking about the MSS of TCP traffic encapsulated within the
 tunnels, not the tunnel traffic itself (IPSEC wrapped in UDP/1?).

 ---
 Roland Dobbins rdobb...@arbor.net
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
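The two approaches in this thread (shrink the tunnel MTU/MSS to absorb the encapsulation overhead, or raise the underlay MTU so a full 1500-byte inner packet fits) can be checked with arithmetic before touching a router. The following is an added example, not code from the thread or from Cisco: it models GRE carried inside ESP and computes the largest inner IP MTU that fits a given underlay path MTU, plus the TCP MSS to clamp to. The header constants are the standard IPv4/GRE/ESP sizes; the cipher parameters (`EspParams`: AES-CBC 16-byte IV and block, HMAC-SHA1-96 ICV, ESP tunnel mode) and the function names are my assumptions, so adjust them to match the actual SA.

```python
# Added example (not from the thread): size a GRE-over-IPsec tunnel so inner
# packets fit the underlay path MTU without fragmentation, and derive the TCP
# MSS clamp from that.  Header sizes are the standard IPv4/GRE/ESP values; the
# cipher parameters in EspParams are assumptions (AES-CBC, HMAC-SHA1-96).
from dataclasses import dataclass

IPV4_HDR = 20        # IPv4 header without options
TCP_HDR = 20         # TCP header without options
GRE_HDR = 4          # GRE header without checksum/key/sequence fields
ESP_SPI_SEQ = 8      # ESP SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2      # ESP pad-length + next-header bytes


@dataclass(frozen=True)
class EspParams:
    """Per-SA values that determine ESP overhead (assumed defaults)."""
    iv_len: int = 16          # AES-CBC IV length
    block: int = 16           # cipher block size the padding aligns to
    icv_len: int = 12         # HMAC-SHA1-96 ICV; use 16 for HMAC-SHA256-128
    tunnel_mode: bool = True  # ESP tunnel mode encrypts the whole GRE packet


def esp_core_size(plaintext_len: int, p: EspParams) -> int:
    """Bytes of ESP header/IV/padded payload/ICV, excluding the outer IP header."""
    # Padding brings (payload + trailer) up to a multiple of the block size.
    padded = -(-(plaintext_len + ESP_TRAILER) // p.block) * p.block
    return ESP_SPI_SEQ + p.iv_len + padded + p.icv_len


def gre_over_ipsec_size(inner_len: int, p: EspParams) -> int:
    """On-the-wire size of an inner IP packet after GRE and ESP encapsulation."""
    if p.tunnel_mode:
        # Tunnel mode: the GRE delivery header is encrypted and a new outer
        # IPv4 header is added in front of ESP.
        plaintext = IPV4_HDR + GRE_HDR + inner_len
    else:
        # Transport mode: the GRE delivery header stays in the clear as the
        # outer header; only GRE + inner packet are encrypted.
        plaintext = GRE_HDR + inner_len
    return IPV4_HDR + esp_core_size(plaintext, p)


def will_fragment(inner_len: int, path_mtu: int, p: EspParams) -> bool:
    """True if the encapsulated packet exceeds the underlay path MTU."""
    return gre_over_ipsec_size(inner_len, p) > path_mtu


def max_inner_mtu(path_mtu: int, p: EspParams) -> int:
    """Largest inner IP packet whose encapsulated form still fits path_mtu.

    The encapsulated size never decreases as inner_len grows, so a binary
    search over inner_len finds the boundary exactly (padding makes the
    function step-shaped, so a closed-form subtraction would be off by up to
    one cipher block).
    """
    lo, hi = 0, path_mtu
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if gre_over_ipsec_size(mid, p) <= path_mtu:
            lo = mid
        else:
            hi = mid - 1
    return lo


def tcp_mss_for(inner_mtu: int) -> int:
    """MSS to clamp to so a full-size TCP segment fits the inner MTU."""
    return inner_mtu - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    p = EspParams()
    # Plain 1500-byte Internet path versus a jumbo-capable (5000) backbone.
    for underlay in (1500, 5000):
        mtu = max_inner_mtu(underlay, p)
        print(f"underlay MTU {underlay}: ip mtu {mtu}, "
              f"ip tcp adjust-mss {tcp_mss_for(mtu)}, "
              f"1500-byte inner packet fragments: {will_fragment(1500, underlay, p)}")
```

With the assumed SA and a 1500-byte underlay the largest inner packet that fits is 1414 bytes (MSS 1374), which is why the common `ip mtu 1400` / `ip tcp adjust-mss 1360` settings work with a little margin; on a 5000-byte underlay a 1500-byte inner packet is nowhere near the limit, which is the case Luan describes.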


Re: [c-nsp] Primer for IOS-XR

2014-12-16 Thread Luan Nguyen
Best place to be:
https://supportforums.cisco.com/community/5996/xr-os-and-platforms
The Document tab as well as the Blog tab will make you an expert at IOS-XR in no time.

On Tue, Dec 16, 2014 at 10:49 AM, Scott Granados sc...@granados-llc.net
wrote:

 Good morning,

 I have recently been exposed to some of the ASR hardware for the first
 time and while I’m well versed in standard IOS I haven’t done much work
 with XR.  Can anyone suggest a good pointer for getting up to speed.  I’m
 most specifically interested in the new policy construction and building
 policies for BGP routing control.  I googled for an IOS to IOS-XR
 translator as possibly a starting point and there seemed to be some
 internal resources but nothing public facing.  Any such package exist to do
 conversions and give me a starting point?  Any help would be most
 appreciated.  I’ve found some documents on the new policy structure but
 nothing that doesn’t assume I already have a baseline in XR.  Any pointers
 would be most appreciated.

 Thanks
 Scott



___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] QSFP 40G breakout cable

2014-09-15 Thread Luan Nguyen
Hi folks,

Anyone from the northern VA area have a couple extra of these? I'd like to
borrow them for a couple of days to see if they work in other vendors' equipment.
Believe it or not, Cisco's one is much cheaper.

Thanks!

rg/lmn
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] Using Cisco Learning Credits for ccie lab

2013-11-08 Thread Luan Nguyen
Hi folks,

Can you use Cisco Learning Credits for CCIE lab payment? Seems like you
can't, but not sure if your Cisco Account Manager can do something about
that?
Also, where do people get exam vouchers from? Is that something your Cisco
Account team can provide?
We have some Cisco Learning Credits, and I am trying to find some
creative ways of using them for the lab :)
Some boot camps will pay for your lab fee after you attend them?

Thanks.

-br/lmn
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] DMVPN/mGRE on L3VPN - anyone experience issues with encapsulation overhead/MTU?

2013-10-09 Thread Luan Nguyen
People do this all the time: GRE/IPsec backup to MPLS VPN.
Lots of service providers have managed services that do this for you.
With modern hardware, fragmentation shouldn't be a big deal. Most providers
have end-to-end jumbo frames, so you just need to be mindful of who does and who
doesn't.
Good luck.


On Wed, Oct 9, 2013 at 11:30 AM, JP Senior seni...@bennettjones.com wrote:

 Hey, all.
 I'm looking at an option to consolidate and reduce complexity of a
 multi-provider L3VPN network in a way that lets me also use internet-based
 VPNs for backup.  Right now I have dual provider uplinks at all of my sites
 to provide me inter-office WAN connectivity.

 DMVPN is a nice and easy option where I can have everything run in a
 single routing domain, drastically simplifying my network topology.

 Has anyone experience with a network running in such a design?  I am
 concerned about increased latency, and worse, packet overhead.  I'm not
 sure I'll be able to get jumbos on these providers, so I'll have to deal
 with ipsec/gre overhead.  I don't do anything crazy blocking with ICMP, but
 I'm still hesitant to move forward with such a design.

 -JP Senior

 The contents of this message may contain confidential and/or privileged
 subject matter. If this message has been received in error, please contact
 the sender and delete all copies. Like other forms of communication,
 e-mail communications may be vulnerable to interception by unauthorized
 parties. If you do not wish us to communicate with you by e-mail, please
 notify us at your earliest convenience. In the absence of such
 notification, your consent is assumed. Should you choose to allow us to
 communicate by e-mail, we will not take any additional security measures
 (such as encryption) unless specifically requested.

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] Cisco ASA 8.4.7

2013-10-09 Thread Luan Nguyen
Hi folks,

With the newest advisory for the ASA:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa

We are thinking of going uniform with Cisco ASA 8.4.7. Looking at the
Resolved Caveats, lots of them got fixed:
http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.html#wp631223
Has anyone been running 8.4.7 with good success? I am just looking for
minimal NAT, mostly Remote Access VPN and a few hundred site to site VPN.

Thanks.

-Luan
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] XRv (xr on a server)

2013-10-03 Thread Luan Nguyen
Did someone get a chance to download whatever is under XRv? Its page is not
available currently.

If I remember correctly, my SE said you have to pay for it.
Beta is going on right now and the list is long, I was told. You have a better
chance of getting it from being leaked out than getting on the beta.

Was thinking, with Titanium out, CSR1000v, Nexus1000v all available, and now XRv
out? All you need to do is piece them together yourself to get a poor
man's VIRL.


On Thu, Oct 3, 2013 at 11:18 AM, Aaron aar...@gvtc.com wrote:

 Oh yeah !  it will be very sweet



 Aaron



 From: Oliver Garraux [mailto:oli...@g.garraux.net]
 Sent: Thursday, October 03, 2013 9:55 AM
 To: Lane Wigley (lwigley)
 Cc: Aaron; cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] XRv (xr on a server)



 I will be really really interested to see what they do pricing wise on
 VIRL.
 Hope it's nothing crazy, I would love to be able to mess around with XR and
 NX-OS in the lab.



 Oliver




 -

 Oliver Garraux
 Check out my blog:  blog.garraux.net
 Follow me on Twitter:  twitter.com/olivergarraux



 On Thu, Oct 3, 2013 at 10:18 AM, Lane Wigley (lwigley) lwig...@cisco.com
 wrote:

 I think this is what you're looking for - VIRL

 http://www.cisco.com/web/solutions/netsys/CiscoLive/virl/index.html
 http://www.youtube.com/watch?v=nsbzHmwUz6I

 Targeted for Dec/Jan I think.

 - Lane



 -Original Message-
 From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
 Aaron
 Sent: Thursday, October 03, 2013 10:08 AM
 To: cisco-nsp@puck.nether.net
 Subject: [c-nsp] XRv (xr on a server)

 What do y'all know about this ?  I understand this is IOS XR on a nix
 server
 virtual machine or something like that.



 I'd like to get it on a few servers in my lab.  Where do I get/download it
 ?



 Aaron

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] XRv (xr on a server)

2013-10-03 Thread Luan Nguyen
Seriously doubt that it would be free.


On Thu, Oct 3, 2013 at 11:02 AM, Jason Lixfeld ja...@lixfeld.ca wrote:

 This should be free.

 On 2013-10-03, at 10:55 AM, Oliver Garraux oli...@g.garraux.net wrote:

  I will be really really interested to see what they do pricing wise on
  VIRL.  Hope it's nothing crazy, I would love to be able to mess around
 with
  XR and NX-OS in the lab.
 
  Oliver
 
  -
 
  Oliver Garraux
  Check out my blog:  blog.garraux.net
  Follow me on Twitter:  twitter.com/olivergarraux
 
 
  On Thu, Oct 3, 2013 at 10:18 AM, Lane Wigley (lwigley) 
 lwig...@cisco.comwrote:
 
  I think this is what you're looking for - VIRL
 
  http://www.cisco.com/web/solutions/netsys/CiscoLive/virl/index.html
  http://www.youtube.com/watch?v=nsbzHmwUz6I
 
  Targeted for Dec/Jan I think.
 
  - Lane
 
 
  -Original Message-
  From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
  Aaron
  Sent: Thursday, October 03, 2013 10:08 AM
  To: cisco-nsp@puck.nether.net
  Subject: [c-nsp] XRv (xr on a server)
 
  What do y'all know about this ?  I understand this is IOS XR on a nix
  server virtual machine or something like that.
 
 
 
  I'd like to get it on a few servers in my lab.  Where do I get/download
 it
  ?
 
 
 
  Aaron
 
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] asr1001 4 full bgp feed

2013-08-01 Thread Luan Nguyen
Do you know if you can do IPsec with that as well? Or would you need an
additional $10K IPsec license?
Can it also do limited NAT? If so, what is the number before you add the 2M
license?
Can you run one RP2 with XE while the other runs IOS? Assuming they do have IOS
for ASR and the features are compatible (bug crash resistance).
Can you have just one ESP with 2 RPs, or do you need 2 ESPs as well? If the RP
crashes, does the current ESP die as well?
I am using a 1013.

Thanks in advance.

Regards,

Luan
On Aug 1, 2013 4:19 AM, Adam Vitkovsky adam.vitkov...@swan.sk wrote:

  Given the relentless growth of the global v4 table,
  I wouldn't feel comfortable with a FIB capability of 512K.
  How long do you think that'll suffice?

 Well, looking at the weekly GRT report for the past few weeks, it's roughly 41
 weeks.
 456943,
 457245,
 458665,
 459588,
 460435,


 adam

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] Bad console port - Cisco ASA 5540

2013-05-15 Thread Luan Nguyen
Hi folks,

I have a couple of ASA 5540s that I couldn't console into: the cursor just
blinks. I tried all the baud rates listed but still no joy. I won't be able
to RMA these.
Any tricks to get the console to work?

Thanks in advance.

Regards,

-lmn
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Sup2T rate limit

2013-04-25 Thread Luan Nguyen
Hi Mack,

Thanks for the suggestion. It's the VLAN for the ACE module - so nowhere to
put that command.

Regards,

-Luan


On Mon, Apr 22, 2013 at 12:47 PM, Mack McBride mack.mcbr...@viawest.com wrote:

 Did you use the 'mls qos vlan-based' command?

 Mack

 -Original Message-
 From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
 Luan Nguyen
 Sent: Sunday, April 21, 2013 10:04 AM
 To: cisco-nsp@puck.nether.net
 Subject: [c-nsp] Sup2T rate limit

 Hi folks,

 From what I've been reading, I could do the following to rate limit a VLAN
 to 100M:

 class-map match-all rate
  match any
 policy-map rate
  class rate
   police 1 3200 conform transmit exceed drop
 int vlan99
  service-policy input rate

 But show policy-map interface vlan99 detail doesn't show any statistics and
 show int vlan99 always has ~500M input, which I want to police to 100M.

 It's running: s2t54-ipservicesk9-mz.SPA.150-1.SY1.bin

 Thanks!

 -lmn
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] Sup2T rate limit

2013-04-21 Thread Luan Nguyen
Hi folks,

From what I've been reading, I could do the following to rate limit a VLAN
to 100M:

class-map match-all rate
 match any
policy-map rate
 class rate
  police 1 3200 conform transmit exceed drop
int vlan99
 service-policy input rate

But show policy-map interface vlan99 detail doesn't show any statistics and
show int vlan99 always has ~500M input, which I want to police to 100M.

It's running: s2t54-ipservicesk9-mz.SPA.150-1.SY1.bin

Thanks!

-lmn
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] GRE tunnel over Internet

2012-12-06 Thread Luan Nguyen
People run all sorts of routing protocols over IPsec/GRE tunnels
successfully (yeah, IPsec to be more secure)...must be some configuration
errors then...

r/g

-lmn

On Thu, Dec 6, 2012 at 12:46 PM, Chris Lane clane1...@gmail.com wrote:

 We are working on setting up a test where we run a GRE tunnel across the
 Internet, put OSPF between the tunnel and inject routes.

 I can get OSPF to form an adjacency but i cannot get routes to
 redistribute, nor inject by a network statement.

 Anyone do such ? Any help or suggestions would be great.

 Thanks

 --
 //CL
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] FDDI card for 7200 VXR

2010-10-28 Thread Luan Nguyen
Hi folks,

Anyone have an FDDI PA VIP2 card for the 7200VXR series router that I can
buy?

Thanks.

-Luan
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] FDDI card for 7200 VXR

2010-10-28 Thread Luan Nguyen
Thanks guys.
I guess I have to look into buying a 7200 as well.

Regards,

-Luan

On Thu, Oct 28, 2010 at 2:25 PM, Mikael Abrahamsson swm...@swm.pp.se wrote:

 On Thu, 28 Oct 2010, Luan Nguyen wrote:

  Hi folks,

 Anyone have an FDDI PA VIP2 card for the 7200VXR series router that I can
 buy?


 FDDI is not supported on the VXR afaik (only the non-VXR). VIP2 is 7500.

 http://www.cisco.com/en/US/ts/fn/000/fn3028.html

 Background

 When port adaptors without the Arbiter EPLD upgrade are installed in a 7200
 VXR router, they will not operate properly. The down-version Port Adapters
 will not be recognized, will fail diagnostics and will not pass traffic. Not
 all port adapters are upgradeable or supported in the 7200 VXR router.

 The Cisco 7200 VXR routers support all port adapters supported on the Cisco
 7200, except for following:

 FDDI Port Adapters:

  * PA-F-MM
  * PA-F-SM
  * PA-F/FD-MM
  * PA-F/FD-SM


 --
 Mikael Abrahamsson    email: swm...@swm.pp.se

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] FDDI card for 7200 VXR

2010-10-28 Thread Luan Nguyen
Ah, glad you brought that up. I was looking into a FDDI to Fast Ethernet
converter: http://www.data-connect.com/RAD_AMC-101.htm
Wonder if anyone uses those kinds of converters and how reliable they are?
I have a FDDI hand-off.

Regards,

-Luan

On Thu, Oct 28, 2010 at 3:19 PM, Justin M. Streiner strei...@cluebyfour.org
 wrote:

 On Thu, 28 Oct 2010, Luan Nguyen wrote:

  I guess I have to look into buying a 7200 as well.


 Not knowing your situation or needs, would it make more sense to replace
 the FDDI gear with something that speaks Ethernet?


 jms
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Mysterious tunnel interfaces

2010-08-12 Thread Luan Nguyen
I have those ISR2 (M1) as well as ASR1002 running DMVPN and don't have those
ghost tunnels. Must be for some other services such as multicast.
Try to remove them with "no interface tunnel 0", and I think the router will
tell you why you can't.

Regards,

-Luan

-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jay Nakamura
Sent: Wednesday, August 11, 2010 8:53 PM
To: cisco-nsp
Subject: [c-nsp] Mysterious tunnel interfaces

I was working on a ISR 1941 with 15.0(1)M2.  I am running DMVPN on it
and using one tunnel interface.  (Tunnel 1).  No other tunnel
interfaces are configured on the router.  However when I do show int
summary I get this;

#sh int summary

 *: interface is up
 IHQ: pkts in input hold queue IQD: pkts dropped from input queue
 OHQ: pkts in output hold queueOQD: pkts dropped from output queue
 RXBS: rx rate (bits/sec)  RXPS: rx rate (pkts/sec)
 TXBS: tx rate (bits/sec)  TXPS: tx rate (pkts/sec)
 TRTL: throttle count

  Interface  IHQ   IQD  OHQ   OQD  RXBS RXPS  TXBS TXPS TRTL

* GigabitEthernet0/0   0 00 0  60005  600050
  GigabitEthernet0/1   0 00 0 00 000
* Serial0/0/0  0 00 0  30003  200020
  NVI0 0 00 0 00 000
* Tunnel0  0 00 0 00 000
* Tunnel1  0 0010  10002  100020
* Tunnel2  0 00 0 00 000
* Tunnel3  0 00 0 00 000

I thought may be something got left behind while I was monkeying
around in it so I reloaded the router and the tunnel 0,2,3 are still
there and it says it's up.   None of those interfaces are in the
startup or running-config.

What is going on here?  My other routers with similar config on a 1841
with 12.4(15)T* doesn't have this issue.  It doesn't seem to be
affecting the routing of traffic but it's really bothering me.

-Jay
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Network mapping...again

2010-08-12 Thread Luan Nguyen
If money is not an issue, then I would suggest OPNET NetMapper. We had them
come in and do a demo. We like it.

Regards,

-lmn

-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of John Neiberger
Sent: Thursday, August 12, 2010 1:11 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Network mapping...again

We're looking for a dynamic network mapping tool that does not require
a large amount of hand-holding and manpower to manage. I don't care if
this is a free or paid product. Ideally, I'd like something that
autodiscovers the network including L2 and L3 devices, then
intelligently maps them. I used to use Network Node Manager for this
at another job years ago and I liked how it handled mapping. It did
require a few tweaks to get right, but it worked very well. Something
like that would be pretty handy, but we don't need NNM. We just need
the mapping part.

We have too many tools that already require a lot of time to maintain.
I don't want to add another one that is going to take a lot of time. A
reasonable amount of time is expected. I just don't want anything over
time consuming. This is a fairly large network with a large number of
routers and switches, all Cisco.

I just need something that works, and works well, preferably out of
the box. I don't have time to build a grow-your-own solution or piece
together open source stuff.

Any thoughts?


Re: [c-nsp] Zone Based Firewall default-class

2010-07-09 Thread Luan Nguyen
Maybe class-default only allows traffic initiated from the zone and not return
traffic?  Check your log again...
Try your "Or", and try upgrading to T3 to see if that makes a difference.


--
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
--


-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jay Nakamura
Sent: Friday, July 09, 2010 4:08 PM
To: cisco-nsp
Subject: [c-nsp] Zone Based Firewall default-class

I have a strange problem with ZBFW or I am just missing something obvious.

3845 running 12.4(24)T advipservices

I am trying to apply a firewall rule between two entities.  Since I am
not 100% sure what all traffic is passing through the two, I wanted to
write rules for what I know and pass anything I don't know but log it
so I can find out whether that's supposed to be there or not.


policy-map type inspect InPMAP
 class type inspect GeneralInCMAP
  inspect
 class class-default
  pass log

policy-map type inspect OutPMAP
 class type inspect GeneralOutCMAP
  inspect
 class class-default
  pass log


zone security Inside
zone security Other

zone-pair security Other-to-Inside source Other destination Inside
 service-policy type inspect InPMAP
zone-pair security Inside-to-Other source Inside destination Other
 service-policy type inspect OutPMAP

However, once I apply the zone, I get this

Jul  9 15:04:51 192.168.1.253 266: Jul  9 15:04:50 EDT:
%FW-6-LOG_SUMMARY: 5 packets were dropped from 192.168.1.143:1888 =
172.16.20.24:1433 (target:class)-(Inside-to-Other:class-default)
Jul  9 15:04:51 192.168.1.253 267: Jul  9 15:04:50 EDT:
%FW-6-LOG_SUMMARY: 5 packets were passed from 172.16.20.24:1433 =
192.168.1.102:2583 (target:class)-(Other-to-Inside:class-default)

So, one direction, it's passing traffic as intended but the other
direction it's dropping it on class-default

What am I doing wrong?  Or do I need to create a class-map that allows
everything and pass it in that class?

Is this a bug?
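An added example, not code from the thread or from Cisco: a parser for the %FW-6-LOG_SUMMARY lines quoted above that totals drops and passes per zone-pair and class (the "check your log" step), plus a small model of why a stateless `pass` in one zone-pair does not admit return traffic the way `inspect` does. The log records are constructed from the two lines in the post, and the `ZbfwModel` class and its policy shape are my own assumptions.

```python
"""
Parse Cisco IOS Zone-Based Firewall %FW-6-LOG_SUMMARY records and report, per
zone-pair and class, what was passed or dropped; then model why a 'pass'
action differs from 'inspect' for return traffic. Added example, not code
from the thread. The three records below are constructed, modelled on the two
lines in the post (IOS writes "=>" between the endpoints; the archive kept
only the "=").
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records modelled on the syslog lines in the post.
SAMPLE_LOG = """\
Jul  9 15:04:50 EDT: %FW-6-LOG_SUMMARY: 5 packets were dropped from 192.168.1.143:1888 => 172.16.20.24:1433 (target:class)-(Inside-to-Other:class-default)
Jul  9 15:04:50 EDT: %FW-6-LOG_SUMMARY: 5 packets were passed from 172.16.20.24:1433 => 192.168.1.102:2583 (target:class)-(Other-to-Inside:class-default)
Jul  9 15:05:20 EDT: %FW-6-LOG_SUMMARY: 2 packets were passed from 192.168.1.102:2583 => 172.16.20.24:1433 (target:class)-(Inside-to-Other:GeneralOutCMAP)
"""

LOG_RE = re.compile(
    r"%FW-6-LOG_SUMMARY: (?P<count>\d+) packets were (?P<action>dropped|passed) "
    r"from (?P<src>[\d.]+):(?P<sport>\d+) =>?\s*(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"\(target:class\)-\((?P<zone_pair>[^:]+):(?P<cls>[^)]+)\)"
)


@dataclass(frozen=True)
class FwRecord:
    count: int
    action: str
    src: str
    sport: int
    dst: str
    dport: int
    zone_pair: str
    cls: str


def parse_fw_log(text):
    """One FwRecord per %FW-6-LOG_SUMMARY line; unrelated lines are ignored."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            records.append(FwRecord(int(m["count"]), m["action"], m["src"],
                                    int(m["sport"]), m["dst"], int(m["dport"]),
                                    m["zone_pair"], m["cls"]))
    return records


def summarize(records):
    """Packets per (zone_pair, class, action): the view 'check your log' asks for."""
    totals = defaultdict(int)
    for r in records:
        totals[(r.zone_pair, r.cls, r.action)] += r.count
    return dict(totals)


def class_default_drops(records):
    """Zone-pairs whose class-default dropped packets despite the intended 'pass log'."""
    return sorted({r.zone_pair for r in records
                   if r.cls == "class-default" and r.action == "dropped"})


class ZbfwModel:
    """Minimal model of the zone-pair actions: 'pass' is a stateless one-way
    permit, 'inspect' records a session so the reply is admitted by state
    without consulting the reverse zone-pair's policy, anything else drops."""

    def __init__(self, policy):
        self.policy = policy          # {zone_pair: "inspect" | "pass" | "drop"}
        self.sessions = set()         # (src, dst) endpoint pairs seen by inspect

    def send(self, zone_pair, src, dst):
        if (dst, src) in self.sessions:
            return "passed (session)"
        action = self.policy.get(zone_pair, "drop")
        if action == "inspect":
            self.sessions.add((src, dst))
            return "passed (inspected)"
        if action == "pass":
            return "passed (stateless)"
        return "dropped"


def reply_outcomes():
    """How the SQL reply (1433 -> 1888) fares when the outbound zone-pair uses
    'pass' versus 'inspect'. The reverse zone-pair is left at drop so the
    difference is visible; in the post it also passes in class-default."""
    results = {}
    for fwd in ("pass", "inspect"):
        fw = ZbfwModel({"Inside-to-Other": fwd, "Other-to-Inside": "drop"})
        fw.send("Inside-to-Other", "192.168.1.143:1888", "172.16.20.24:1433")
        results[fwd] = fw.send("Other-to-Inside", "172.16.20.24:1433", "192.168.1.143:1888")
    return results


if __name__ == "__main__":
    recs = parse_fw_log(SAMPLE_LOG)
    for key, pkts in sorted(summarize(recs).items()):
        print(key, pkts)
    print("class-default drops in:", class_default_drops(recs))
    print("reply outcome:", reply_outcomes())
```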


Re: [c-nsp] Redistributing External EIGRP routes through MPLS vpn

2010-05-18 Thread Luan Nguyen
Just put this into Dynamips and didn't have any problem at all.

CE1#
router eigrp 1
 no auto-summary
 !
 address-family ipv4 vrf BLUE
 redistribute bgp 1 metric 1 1 1 1 1
 network 10.10.10.254 0.0.0.0
 no auto-summary
 autonomous-system 1
 exit-address-family

PE1#
router eigrp 1
 no auto-summary
 !
 address-family ipv4 vrf BLUE
 network 10.10.10.254 0.0.0.0
 no auto-summary
 autonomous-system 1
 exit-address-family


router bgp 1
!
 address-family ipv4 vrf BLUE
 redistribute eigrp 1
 no auto-summary
 no synchronization
 exit-address-family

Maybe check the EIGRP configuration to see if you have things like eigrp stub
connected :)

-
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
-


-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Joe Maimon
Sent: Monday, May 17, 2010 8:19 PM
To: shims...@cisco.com
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Redistributing External EIGRP routes through MPLS vpn

Metric Must Be Configured for Routes from Other Autonomous Systems and 
Non-EIGRP Networks

Yes, it is.

Native EIGRP VRF to VRF Redistribution Is Not Supported

Not what I am trying to do.

Thanks,

Joe

Shimol Shah wrote:
 Are you sure you are not running into restriction cited in below section
 of the CCO document ?


http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/fteipece.html#wp1027175


 Shimol Shah


 On 5/17/10 2:57 PM, Joe Maimon wrote:
 Hey All,

 Seems like I have run into a difficulty where CE#1 external EIGRP routes
 (redistribute connected/redistribute static) are learned by PE#1,
 redistributed to PE#2, but not redistributed to CE#2

 CE - PE, EIGRP

 PE - PE, MPLS/BGP

 The workaround is to use network statements, making the EIGRP routes on
 the CE internal. Those redistribute fine and show up on CE#2 as internal.

 Am I missing something and is there a simple clean way to redistribute
 from CE#1 to CE#2 external EIGRP routes?

 Thanks,

 Joe


Re: [c-nsp] DMVPN scalability question on the 28XX ISR's

2010-04-21 Thread Luan Nguyen
Like someone else said, if you don't have to run a dynamic routing protocol,
then ODR or static would do wonders.  In this case, a dual hub
(loadshare/backup) for 1000+ spokes would be just fine.
With EIGRP, you could safely do 500+ spokes per ASR.  A few years back,
Cisco did some tests and found that only a few...2,3 nodes failed when
they tried to bring up 500 tunnels at the same time on the 7206VXR platform, if I
recall correctly.
I've done 300+ spokes EIGRP on a 7206VXR before and never had any problem.

A 2851 with SSL-2 VPN card could push ~35M of DMVPN/IPSEC traffic.  Of
course, if you do QOS, Zone Based Firewall...etc, any additional feature,
then performance will degrade a lot.

What kind of software do you folks use to provision/manage bigger size
DMVPN? Way back, I used Cisco IP Solution Center. 


-Luan

-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Engelhard
Sent: Monday, April 19, 2010 8:06 PM
To: rod...@cisco.com
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] DMVPN scalability question on the 28XX ISR's

Any suggestion for 2000+ spokes with 4 headends? Headends will be
ASR100x. We are thinking of putting a load balancer (ACE) in front of the ASRs to spread
DMVPN traffic. Is that wise, design-wise?


Sent from my iPhone

On 2010/04/19, at 23:28, Rodney Dunn rod...@cisco.com wrote:

 My suggestion is to run code that support dynamic BGP neighbors at  
 the hub and run BGP over the mGRE to the spokes. ..or followed by  
 EIGRP.

 Rodney


 On 4/18/10 7:14 AM, Anton Kapela wrote:

 On Apr 17, 2010, at 8:54 PM, Erik Witkop wrote:

 We are considering DMVPN for a WAN network with (92) Cisco 870  
 remote routers and (2) Cisco 2851 headend routers. My concern is  
 around the scalability of the 92 connections to each 2851.  
 Assuming we have AIM modules in each 2851 router, do you think  
 that would be sized properly.

 While you have a chance, it'd be wise to toss in as much DRAM as  
 the 2851 can take. The reasons are many, but mostly you'll want  
 plenty (i.e. 20+ megabytes) of free ram to cover your needs  
 during transient conditions -- i.e. when all the ipsec endpoints  
 flap, timeout, then re-establish, or perhaps when 400 ospf spoke  
 neighbors timeout, flap, and re-stablish. If memory serves,  
 advipservices 12.4t and 15.0 on 28xx leaves a bit less than 100  
 megs free after booting (on a 256m box); expect another 20 to 30m  
 consumed when you have protocols + ipsec endpoints + full config up  
 and active. Probably safe with 256, but it's not worth risking a  
 surprise reload (that more dram could have prevented).

 My overall experience using DMVPN (i.e. mGRE + ipsec tunnel  
 protection) has been positive, and I find that usually boxes with  
 AIM-VPN or SA's (on 7200's I've used the SA-VAM and its cousins) is  
 the first 'wall' often hit -- i.e. max number of concurrent crypto  
 sessions is reached *well before* the platform maximum IDB limit is  
 reached. This means the first thing you should investigate is how  
 many sessions your installed AIM can support -- it may be far less  
 than you expected, and less than you require.

 As for GRE and encaps processing on the 28xx, this seems to be  
 nearly the same perf (without fragment processing considered) as  
 native IP forwarding on the box. In practice, I see 80+ mbits  
 usable (or 9 to 12 kpps) out of an 1841 doing GRE or IPIP encaps  
 without crypto -- and 2851 will usually push 100mbit+ doing same.  
 Again, the per-session crypto performance and max-session count  
 will be determined by the AIM, so YMMV, etc.

 Generally, the Cisco guidelines for DMVPN are sane, and my  
 experiences don't (so far) run counter to them. One definite wall  
 that I'd recommend you find before deployment is how many protocol  
 neighbors you can have up (i.e. ospf, isis, or eigrp neighbors),  
 flap, and re-establish in a timeframe you're happy with. That is to  
 say, I highly recommend lab'ing up a config that emulates 100, 200,  
 300, etc OSPF neighbor sessions between the 28xx's -- you'll want  
 to know for certain that your routers can both support/hold up the  
 number of neighbors you need, *and* recover in a timely fashion  
 after they flap. So, while your platform may be more than adequate  
 for your given WAN-facing bandwidth needs to the spoke sites, you  
 may actually find that your 2851 cpu is under-whelming when  
 endpoints flap/register/converge -- depending, again, on the scale  
 you're taking things to.

 -Tk

Re: [c-nsp] DMVPN scalability question on the 28XX ISR's

2010-04-21 Thread Luan Nguyen
I wouldn't say not recommended by Cisco though.  The DMVPN design guide is 
pretty old (2008) 
http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPN_3.html
I wish that Cisco would update that with ASR and ISR2 information and design 
guidance.  That's a very good document and the performance numbers are quite 
accurate.
When I first worked with DMVPN, most of the designs were dual hubs, dual cloud 
with EIGRP.  I was tempted with BGP as well, but mostly in a lab environment 
since operation folks didn't want to support it. 
Today, I believe the drive is toward single cloud, with tier layered...etc. 
I am using single cloud DMVPN design for a 3 hubs spoke-to-spoke TLS network 
with EIGRP and it has been working great.  Then again, the number of spokes is 
way  2000.

-Luan


-Original Message-
From: Octavio Alvarez [mailto:alvar...@alvarezp.ods.org] 
Sent: Wednesday, April 21, 2010 2:04 PM
To: Luan Nguyen; 'Engelhard'; rod...@cisco.com; Erik Witkop
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] DMVPN scalability question on the 28XX ISR's

On Wed, 21 Apr 2010 06:35:37 -0700, Luan Nguyen l...@netcraftsmen.net  
wrote:

 In this case, a dual hub (loadshare/backup) for 1000+ spokes would be
 just fine.

Single-hub, dual-cloud scales and performs and converges better
than dual-hub, single-cloud and are not even recommended by Cisco.
Therefore, I would stick to the dynamic routing protocol approach.

-- 
Octavio.



Re: [c-nsp] cost community alternatives

2010-04-12 Thread Luan Nguyen
Try using the offset list command.

Regards,

-
Luan Nguyen
Chesapeake NetCraftsmen, LLC.



-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Pan vangels
Sent: Monday, April 12, 2010 1:57 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] cost community alternatives



If 1) eBGP is used as the PE-CE protocol, 2) EIGRP is used in the customer's
network, and 3) a backdoor link exists between CE routers, is there any way
for external EIGRP routes coming from eBGP into EIGRP to be preferred over
normal EIGRP routes advertised through the backdoor link?
The distance command would do the trick, but this has to be defined on all
internal customer routers.
On the other hand, cost community is not extendable over an eBGP session...

Thnx,
Pan
  


Re: [c-nsp] Cisco 3750 High CPU

2010-04-07 Thread Luan Nguyen
This link should provide some guidance regarding HULC running process.
http://www.cisco.com/en/US/products/hw/switches/ps5023/products_tech_note09186a00807213f5.shtml


-Luan


-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Chris Lane
Sent: Wednesday, April 07, 2010 3:17 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco 3750 High CPU

Hello,

I have all the sudden taken extremely high CPU:
sh proc cpu sorted | e 0.0
CPU utilization for five seconds: 99%/27%; one minute: 95%; five minutes:
92%
 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
 251 2985921 15274 195490 39.29% 11.05%  6.01%   0 hulc running
con
 171   630974187 249381380   2530 10.38%  9.27%  9.45%   0 Spanning Tree

 117   133871232 301668428443  4.63%  8.34%  9.47%   0 Hulc LED
Process
  68 3766455 374577924 10  4.15%  3.66%  3.20%   0 HLFM address
lea
 137   221859624  12599002  17609  2.39%  2.02%  2.05%   0 PI MATM Aging
Pr
 168   175580828 496683600353  1.91%  3.89%  2.90%   0 IP Input

  52 8324282 665636083 12  0.79%  0.43%  0.35%   0 Fifo Error
Detec

I know this isn't much but could anyone offer assistance?

Thanks
Chris



-- 
//CL


Re: [c-nsp] VAM2+ Performance

2010-03-17 Thread Luan Nguyen
The DMVPN design guide has better numbers:
http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPN_4_Phase2.html
Yours sounds about right if you meant 40Mbps of encrypted traffic.
Typically, not sure about the G1, but with the G2/VAM2+ combination, IMIX
would get you ~80Mbps GRE/IPSEC with ~90%CPU
The VSA has much better performance BTW.

Regards,

-
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
-


-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Antonio Soares
Sent: Wednesday, March 17, 2010 2:05 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] VAM2+ Performance

Hello group,

Does anyone have access to real world performance values for the VAM2+? I
have a router hitting 50% with 40 Mbps of traffic. It
has an NPE-G1 and it is running 12.4M. I also have ACLs and QOS.

The VAM2+ data sheet mentions up to 280 Mbps:

http://www.cisco.com/en/US/prod/collateral/routers/ps341/prod_bulletin0900aecd80205255.html

I have about 8 kpps being encrypted. It's a P2P GREoIPSEC scenario.


Thanks.

Regards,
 
Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt



Re: [c-nsp] MPLS VPN Running BGP w/ failover IPSec VPN Over Internet

2010-01-26 Thread Luan Nguyen
What's the topology?  One CPE terminating MPLS and IPSEC tunnel? If this is
the case, then if at one site MPLS goes down, it starts to use the IPSEC tunnel;
when packets get to the other side, the default route to MPLS VPN is still
there, so packets will get routed back into the MPLS cloud. You need more
specific routes advertised so that when MPLS is lost, it will withdraw the
route and IPSEC will kick in.  Just a default won't work unless you'll be
doing some creative conditional advertising in BGP or some fancy EEM
scripting...or maybe using ip sla to withdraw the route...which might be a
little more complicated than need be.

Even with specific routes, you still have lots of decisions to make, like
whether to switch everything to use IPSEC tunnels once just ONE MPLS
connection goes down or only that site.  Then you have to make sure you're not
running into asymmetric routing...etc.
With GNS3/Dynagen, you could probably test this whole thing out on your
laptop.

---
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[Web] http://www.netcraftsmen.net
---

-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jason LeBlanc
Sent: Tuesday, January 26, 2010 4:20 PM
To: Cisco-nsp
Subject: [c-nsp] MPLS VPN Running BGP w/ failover IPSec VPN Over Internet

Team,

This questions was put out there before in another chain but I wasn't able
to figure out the best solution.  We have multiple campuses connecting to an
MPLS VPN cloud running BGP internally.  At some locations we have backup ISP
services and an IPSec VPN tunnel over that.  Currently BGP provides a
default route to each campus as external BGP / Pref 40 / Metric 0.  Our
backup IPSec is in as a Static / Pref 20 / Metric 32000.  When we lose
BGP/MPLS VPN we want the IPSec tunnel to begin routing traffic between the
campus and our main datacenter.  What is the best way to achieve this? 

Thanks,

//LeBlanc





Re: [c-nsp] MPLS VPN Running BGP w/ failover IPSec VPN Over Internet

2010-01-26 Thread Luan Nguyen
At the remote site, yes, if MPLS goes down, the default route over the IPSEC
tunnel will kick in.  But at HQ, does it know how to get back to the remote
site?  Does it also have a default route out of MPLS, or does it have
specific subnets from all remotes?  What then if HQ goes down? Remotes only
have a default route out of MPLS, so they will continue to look for the way home
that way.
Back when I was at VzB managed services, it was EIGRP over the DMVPN/IPSEC
tunnel backing up BGP MPLS.  Too bad I didn't use Dynagen, else I would just
shoot over to you my dot net file.

-
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[Web] http://www.netcraftsmen.net
[AIM/YIM/GTalk] luancnc
-


-Original Message-
From: Jason LeBlanc [mailto:jasonlebl...@gmail.com] 
Sent: Tuesday, January 26, 2010 7:48 PM
To: Luan Nguyen
Cc: 'Cisco-nsp'
Subject: Re: [c-nsp] MPLS VPN Running BGP w/ failover IPSec VPN Over
Internet

Current topology is pretty simple.  ATT drops an MPLS circuit either PPP
Multilink Bundled T1's or an Ethernet hand off.  On another interface we
generally have an ethernet hand off from another ISP.  We run BGP to move
all the traffic around on one 172.x.x.x/30's and then our LAN is on
10.x.x.x.  We have an outside IP address on another ethernet port which is
the IPSEC termination point.  BGP from our main campus injects a default
route which we receive.  Currently we just manually added static 0.0.0.0
routes out the tunnel interfaces with a metric of 32000.  So when BGP drops
off we will route over the IPSEC VPN Tunnel back home.

Headquarters 172.1.1.1/30 -- ATTMPLS 172.1.1.2/30 -- 
 
ATTMPLS 172.2.2.1/30 -- Remote Campus 172.2.2.2/30 (running BGP) --
10.1.1.1/24
 
ISP-X Ethernet 200.1.1.1/30 -- Remote Campus 200.1.1.2/30 -- IPSEC VPN
Tunnel.1 10.1.1.20/24 -- Headquarters Tunnel.1 10.1.1.21/24

BGP Provides default route
Static 0.0.0.0 0.0.0.0 Tunel.1 Metric 32000

It is my assumption that if the traffic can't get to its destination because
BGP has lost it, our backup link, the IPSEC VPN with the higher metric, will
become the new default route.


On Jan 26, 2010, at 4:44 PM, Luan Nguyen wrote:

 What's the topology?  One CPE terminating MPLS and IPSEC tunnel? If this is
 the case, then if at one site MPLS goes down, it starts to use the IPSEC tunnel;
 when packets get to the other side, the default route to MPLS VPN is still
 there, so packets will get routed back into the MPLS cloud. You need more
 specific routes advertised so that when MPLS is lost, it will withdraw the
 route and IPSEC will kick in.  Just a default won't work unless you'll be
 doing some creative conditional advertising in BGP or some fancy EEM
 scripting...or maybe using ip sla to withdraw the route...which might be a
 little more complicated than need be.
 
 Even with specific routes, you still have lots of decisions to make, like
 whether to switch everything to use IPSEC tunnels once just ONE MPLS
 connection goes down or only that site.  Then you have to make sure you're not
 running into asymmetric routing...etc.
 With GNS3/Dynagen, you could probably test this whole thing out on your
 laptop.
 
 ---
 Luan Nguyen
 Chesapeake NetCraftsmen, LLC.
 [Web] http://www.netcraftsmen.net
 ---
 
 -Original Message-
 From: cisco-nsp-boun...@puck.nether.net
 [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jason LeBlanc
 Sent: Tuesday, January 26, 2010 4:20 PM
 To: Cisco-nsp
 Subject: [c-nsp] MPLS VPN Running BGP w/ failover IPSec VPN Over Internet
 
 Team,
 
 This questions was put out there before in another chain but I wasn't able
 to figure out the best solution.  We have multiple campuses connecting to
an
 MPLS VPN cloud running BGP internally.  At some locations we have backup
ISP
 services and an IPSec VPN tunnel over that.  Currently BGP provides a
 default route to each campus as external BGP / Pref 40 / Metric 0.  Our
 backup IPSec is in as a Static / Pref 20 / Metric 32000.  When we lose
 BGP/MPLS VPN we want the IPSec tunnel to begin routing traffic between the
 campus and our main datacenter.  What is the best way to achieve this? 
 
 Thanks,
 
 //LeBlanc
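The failure Luan describes in this thread (return traffic at HQ still following the default into the MPLS cloud) and the remedy (specific routes advertised across the tunnel) as an added example, not code from either poster: a small routing-table model using the remote LAN from Jason's sketch. The `Router` and `Route` classes, the HQ LAN 10.0.0.0/24, the test hosts and the AD 250 for the floating static are my assumptions; eBGP 20 and EIGRP 90 are the IOS defaults.

```python
"""
Model of the failover discussed above: each router chooses the longest
matching prefix and, between equal prefixes, the lowest administrative
distance. Added example, not code from either poster. IOS default ADs are
assumed (eBGP 20, EIGRP 90); the floating static default is given AD 250,
and the HQ LAN 10.0.0.0/24 is a constructed value.
"""
import ipaddress
from dataclasses import dataclass

REMOTE_LAN = "10.1.1.0/24"   # remote campus LAN from Jason's sketch
HQ_LAN = "10.0.0.0/24"       # constructed HQ LAN
REMOTE_HOST, HQ_HOST = "10.1.1.50", "10.0.0.50"   # constructed test hosts


@dataclass(frozen=True)
class Route:
    prefix: str      # "10.1.1.0/24" or "0.0.0.0/0"
    next_hop: str    # "MPLS" or "Tunnel1"
    ad: int          # administrative distance
    source: str      # protocol that installed it: "bgp", "eigrp", "static"


class Router:
    def __init__(self, name, routes):
        self.name = name
        self.routes = list(routes)

    def lookup(self, dst):
        """Next hop for dst: longest prefix first, then lowest AD. None if no route."""
        ip = ipaddress.ip_address(dst)
        cands = [r for r in self.routes if ip in ipaddress.ip_network(r.prefix)]
        if not cands:
            return None
        best = min(cands, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.ad))
        return best.next_hop

    def withdraw(self, source, prefix=None):
        """Remove routes learned from `source` (optionally only one prefix),
        as happens when the BGP session over the MPLS circuit drops."""
        self.routes = [r for r in self.routes
                       if not (r.source == source and prefix in (None, r.prefix))]


def build(specific_over_tunnel):
    """Remote and HQ tables. With specific_over_tunnel=False this is Jason's
    current design: a BGP default from MPLS plus a floating static default via
    the tunnel at the remote, and only MPLS-learned routes at HQ. With True,
    each LAN is advertised specifically over MPLS (BGP) and over the tunnel
    (an IGP, EIGRP here), so MPLS stays primary because AD 20 beats AD 90
    on the same prefix, and the tunnel route takes over when BGP withdraws."""
    remote = Router("Remote", [
        Route("0.0.0.0/0", "MPLS", 20, "bgp"),
        Route("0.0.0.0/0", "Tunnel1", 250, "static"),
    ])
    hq = Router("HQ", [
        Route(REMOTE_LAN, "MPLS", 20, "bgp"),   # remote LAN learned via the VPN
        Route("0.0.0.0/0", "MPLS", 20, "bgp"),  # HQ also defaults into the cloud
    ])
    if specific_over_tunnel:
        remote.routes.append(Route(HQ_LAN, "MPLS", 20, "bgp"))
        remote.routes.append(Route(HQ_LAN, "Tunnel1", 90, "eigrp"))
        hq.routes.append(Route(REMOTE_LAN, "Tunnel1", 90, "eigrp"))
    return remote, hq


def failover(specific_over_tunnel):
    """(remote->HQ, HQ->remote) next hops before and after the remote's MPLS
    circuit fails. Without specific routes the return path stays on MPLS."""
    remote, hq = build(specific_over_tunnel)
    before = (remote.lookup(HQ_HOST), hq.lookup(REMOTE_HOST))
    remote.withdraw("bgp")                 # remote loses its BGP session
    hq.withdraw("bgp", prefix=REMOTE_LAN)  # ...and the VPN withdraws its LAN at HQ
    after = (remote.lookup(HQ_HOST), hq.lookup(REMOTE_HOST))
    return before, after


if __name__ == "__main__":
    for specific in (False, True):
        before, after = failover(specific)
        print(f"specific routes over tunnel={specific}: before={before} after={after}")
```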
 
 
 

Re: [c-nsp] Cisco NAC - SSO Issues

2009-09-15 Thread Luan Nguyen
I would suggest opening a TAC case.
Also, for NAC related problem, the cleanacc...@listserv.muohio.edu would be
a better place to ask questions.

Regards,

--
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[Web] http://www.netcraftsmen.net



-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Antonio Soares
Sent: Tuesday, September 15, 2009 10:20 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cisco NAC - SSO Issues

I found a matching bug in the meanwhile but the workaround does not work:

+
CSCsk46672 Bug Details
CAS stops listening on 8910 after threads in CLOSE_WAIT state

Symptom:
Agent fails to perform ADSSO

Conditions:
CAS no longer listening to tcp port 8910 because 50 threads are already in
CLOSE_WAIT state

Workaround:
Under Device Management > Clean Access Servers > CAS > Windows Auth
Click UPDATE on SSO service to flush the CLOSE_WAIT states
+ 

The box i'm troubleshooting is running release 4.0.5.


Regards,

Antonio Soares, CCIE #18473 (RS)
amsoa...@netcabo.pt

-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Antonio Soares
Sent: terça-feira, 15 de Setembro de 2009 13:57
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco NAC - SSO Issues

Hello group,

I'm troubleshooting a NAC issue. I see lots of CLOSE_WAIT sessions on the
CAS and I need to find a way to restart the SSO service
(TCP:8910) without restarting the whole box. Disabling the option "Enable
Agent-Based Windows Single Sign-On with Active Directory
(Kerberos)" in the CAM does not do the job. I think that after clearing
these stuck TCP sessions, Single Sign-On will work again.


Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS)
amsoa...@netcabo.pt
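An added health check for the symptom in the bug details above, not code from the thread or from Cisco: it reads Linux `netstat -ant` style output (the sample below is constructed), counts connections to the SSO port TCP 8910 stuck in CLOSE_WAIT, and reports whether the port is still listening. The 50-thread threshold is the figure quoted in the bug details; the function names and addresses are mine.

```python
"""
Health check for the CAS single sign-on listener described in the bug
details above. Added example, not from the thread. It parses netstat-style
output (constructed sample), counts CLOSE_WAIT connections on TCP 8910 and
checks that the port still has a LISTEN socket; the limit of 50 is the
figure quoted in the bug details.
"""
SSO_PORT = 8910
CLOSE_WAIT_LIMIT = 50   # bug details: CAS stops listening at 50 stuck threads

# Constructed sample: a live listener, three stuck sessions and one active one
# on 8910, plus an unrelated CLOSE_WAIT on 443 that must not be counted.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:8910            0.0.0.0:*               LISTEN
tcp        1      0 10.20.0.5:8910          10.20.1.41:49152        CLOSE_WAIT
tcp        1      0 10.20.0.5:8910          10.20.1.42:49153        CLOSE_WAIT
tcp        1      0 10.20.0.5:8910          10.20.1.43:49154        CLOSE_WAIT
tcp        0      0 10.20.0.5:8910          10.20.1.44:49155        ESTABLISHED
tcp        0      0 10.20.0.5:443           10.20.1.50:50001        CLOSE_WAIT
"""


def parse_netstat(text):
    """Return (local_port, state) for each tcp/tcp6 line; headers are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        local, state = parts[3], parts[5]
        port = int(local.rsplit(":", 1)[1])   # works for IPv4 and [v6]:port forms
        rows.append((port, state))
    return rows


def sso_health(text, limit=CLOSE_WAIT_LIMIT):
    """Count CLOSE_WAIT connections on the SSO port, confirm the listener is
    still present, and give a verdict a monitoring check can act on."""
    rows = parse_netstat(text)
    stuck = sum(1 for port, state in rows if port == SSO_PORT and state == "CLOSE_WAIT")
    listening = any(port == SSO_PORT and state == "LISTEN" for port, state in rows)
    if not listening:
        verdict = "critical: SSO port not listening"
    elif stuck >= limit:
        verdict = "critical: CLOSE_WAIT limit reached"
    elif stuck >= limit // 2:
        verdict = "warning: CLOSE_WAIT building up"
    else:
        verdict = "ok"
    return {"close_wait": stuck, "listening": listening, "verdict": verdict}


if __name__ == "__main__":
    print(sso_health(SAMPLE_NETSTAT))
```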




Re: [c-nsp] NAT Global to FVRF

2009-08-20 Thread Luan Nguyen
I think the problem is that your VRF Red doesn't have a route to the LAN.
If [LAN] is a switch, then you could try creating a route in VRF Red for the
LAN network with the next hop being the IP address of the switch.

Regards,


Luan Nguyen
Chesapeake NetCraftsmen, LLC.
http://www.netcraftsmen.net


-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Gary T. Giesen
Sent: Thursday, August 20, 2009 11:19 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] NAT Global to FVRF

I've got a customer that requires localized Internet access from their
DMVPN router (they currently receive a default route over the VPN).

Their router is setup with the customer (inside) network in the global
routing table, and their Internet connection sits inside a Front door
VRF (FVRF). Has anyone done this, and have a working config? I've
tried all manner of options but have yet to be successful NAT'ing
between the global inside and outside FVRF.


[ LAN ] ---[ CPE ]--- [ Internet ]
Global  ---   VRF RED
  NAT


GG


Re: [c-nsp] Route redistribution and selection

2009-08-13 Thread Luan Nguyen
You might want to check this link out:
http://wiki.nil.com/Multihomed_MPLS_VPN_sites_running_EIGRP

Regards,

---
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
http://www.netcraftsmen.net
--

-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Joe Maimon
Sent: Thursday, August 13, 2009 9:04 AM
To: cisco-nsp
Subject: [c-nsp] Route redistribution and selection

We are having a problem where routes originated by the customer because 
of their backup paths are preventing the mpls bgp routes from being 
installed and used on the PE.

Customer has an eigrp routed network.

We are hosting a bgp mpls network for the customer.

At the Customer's HQ PE router, we talk eigrp to the customer.

The customer has an alternate path to the sites served by the bgp mpls 
network.

We allow redistribution of eigrp routes into bgp to advertise to the 
mpls bgp sites. This includes the sites known prefixes themselves, due 
to the potential for the backup path becoming the better/only one.

We redistribute the bgp routes for the mpls sites into eigrp.

Normally this is a fairly common setup and works very well, and has for 
quite some time with this customer.

However, on one PE we have been having issues where the customer backup 
path eigrp routes are installed into the PE routing table, and the bgp 
routes show the originated-via-eigrp routes as the best and used path 
out of both the locally originated-via-eigrp and the P mpls bgp learned route.

The current fix is to flap the customer eigrp connection or have the 
customer withdraw the backup path routes.

The P routers and the PE routers are an ebgp connection. The eigrp route 
has an admin distance of 170 and the ebgp route when installed has an 
admin distance of 20.

We have tried setting the weight, local preference, metric of the mpls P 
router prefixes to cause the route to be preferred over the 
redistributed locally from eigrp route.

The PE router is running rsp-jk9o3sv-mz.124-18a.bin

Any insight would be greatly appreciated.

Thanks,

Joe

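Joe's question above turns on the order in which the BGP best-path decision is applied, so here is an added Python model of that decision (written for this page; it is not from the post, from the linked wiki article, or IOS code). It assumes IOS defaults: a prefix the PE itself redistributes from EIGRP is locally originated with weight 32768 and origin incomplete, while the copy learned over eBGP from the P router arrives with weight 0. The AS number and router IDs are constructed. The model shows only the decision mechanics, not a diagnosis of Joe's particular PE.

```python
"""Constructed model of the BGP best-path decision for a PE that holds the same
prefix twice: once redistributed locally from EIGRP, once learned over eBGP
from a P router. Not IOS code; the defaults assumed are IOS defaults
(weight 32768 for locally originated paths, 0 for received paths)."""
from dataclasses import dataclass
from typing import List, Tuple

# Lower rank is preferred at the origin step.
ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


@dataclass
class Path:
    source: str                     # label for the reader, not a BGP attribute
    weight: int                     # Cisco-local attribute, compared first
    local_pref: int = 100
    locally_originated: bool = False
    as_path: Tuple[int, ...] = ()
    origin: str = "igp"
    med: int = 0
    ebgp: bool = True
    igp_metric: int = 0
    router_id: str = "0.0.0.0"

    def rank(self) -> tuple:
        """One element per decision step, in the order IOS applies them.
        Values where 'higher wins' are negated so min() selects the best."""
        return (
            -self.weight,                           # 1. highest weight
            -self.local_pref,                       # 2. highest local preference
            0 if self.locally_originated else 1,    # 3. locally originated first
            len(self.as_path),                      # 4. shortest AS path
            ORIGIN_RANK[self.origin],               # 5. igp < egp < incomplete
            self.med,                               # 6. lowest MED
            0 if self.ebgp else 1,                  # 7. eBGP over iBGP
            self.igp_metric,                        # 8. lowest IGP metric to next hop
            self.router_id,                         # 9. lowest router ID (string compare is enough here)
        )


def best_path(paths: List[Path]) -> Path:
    return min(paths, key=Path.rank)


def redistributed_eigrp_path(weight: int = 32768) -> Path:
    """Path created by 'redistribute eigrp' on the PE itself: locally originated,
    origin incomplete, empty AS path, default weight 32768."""
    return Path("local redistribute eigrp", weight=weight, locally_originated=True,
                origin="incomplete", ebgp=False, router_id="10.0.0.1")


def p_router_path(weight: int = 0, local_pref: int = 100) -> Path:
    """Same prefix learned over eBGP from the P router (AS 65001 is constructed)."""
    return Path("eBGP from P", weight=weight, local_pref=local_pref,
                as_path=(65001,), router_id="10.0.0.2")


def default_attributes() -> str:
    """With defaults the locally redistributed copy wins at step 1 (weight)."""
    return best_path([redistributed_eigrp_path(), p_router_path()]).source


def raise_local_pref_only() -> str:
    """Local preference is step 2; it is never reached while the weights differ."""
    return best_path([redistributed_eigrp_path(), p_router_path(local_pref=500)]).source


def raise_weight_on_p() -> str:
    """A weight above 32768 on the P-learned copy flips the decision."""
    return best_path([redistributed_eigrp_path(), p_router_path(weight=40000)]).source
```

Because weight is compared before everything else, raising local preference or lowering MED on the P-learned prefixes cannot overcome the 32768 default on the locally redistributed copy in this model; only a weight above 32768 on the received path changes the outcome.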

Re: [c-nsp] OT: Internet Web Caching Solution

2009-08-13 Thread Luan Nguyen
WAAS and ACNS are two different animals.  WAAS is double-ended (there has to
be a device at both ends) and ACNS is single-ended, acting as a caching
device (though it can have information pushed to it from a central manager).

Typically - WAAS between remote site and central site; ACNS between remote
site and the Internet, or as a push client receiving content from a central
site.

Hope that helps.

Regards,

--
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
http://www.netcraftsmen.net
-


-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Felix Nkansah
Sent: Thursday, August 13, 2009 9:41 AM
To: Cisco certification; cisco-nsp@puck.nether.net
Subject: [c-nsp] OT: Internet Web Caching Solution

Hi,
I am looking for a web caching and acceleration platform.

The Cisco Cache Engines were replaced by the Content Engines, which have also
been replaced with the WAE running ACNS software.

The datasheets on ACNS seem to imply caching and acceleration of multimedia
traffic between branch offices and central office, with ACNS appliances at
both ends.

That is not what I am looking for. I want a one-site appliance for Internet
web traffic caching only.

Many thanks for your clarification.

Felix


Re: [c-nsp] GRE/NAT ?

2009-07-31 Thread Luan Nguyen
No? 
I remember doing overlapping RFC1918 sites for GRE/IPSEC VPN.

Regards,


Luan Nguyen
Chesapeake NetCraftsmen, LLC.
http://www.netcraftsmen.net
---


-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Rodney Dunn
Sent: Friday, July 31, 2009 11:40 AM
To: Jeff Kell
Cc: cisco-nsp
Subject: Re: [c-nsp] GRE/NAT ?

No.



Jeff Kell wrote:
 The GRE question reminded me of a nagging thought...
 
 Can you NAT traffic inside GRE? 
 
 Jeff


Re: [c-nsp] GRE/NAT ?

2009-07-31 Thread Luan Nguyen
So you are talking about NAT after GRE?  You certainly could NAT and then
GRE-encapsulate the NATted traffic.

Regards,


Luan Nguyen
Chesapeake NetCraftsmen, LLC.
http://www.netcraftsmen.net



-Original Message-
From: Rodney Dunn [mailto:rod...@cisco.com] 
Sent: Friday, July 31, 2009 12:09 PM
To: Luan Nguyen
Cc: 'cisco-nsp'
Subject: Re: [c-nsp] GRE/NAT ?

There is no code that does translation of the inner ip frame that I'm 
aware of.

Rodney



Luan Nguyen wrote:
 No? 
 I remember doing overlapping RFC1918 sites for GRE/IPSEC VPN.
 
 Regards,
 
 
 Luan Nguyen
 Chesapeake NetCraftsmen, LLC.
 http://www.netcraftsmen.net
 ---
 
 
 -Original Message-
 From: cisco-nsp-boun...@puck.nether.net
 [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Rodney Dunn
 Sent: Friday, July 31, 2009 11:40 AM
 To: Jeff Kell
 Cc: cisco-nsp
 Subject: Re: [c-nsp] GRE/NAT ?
 
 No.
 
 
 
 Jeff Kell wrote:
 The GRE question reminded me of a nagging thought...

 Can you NAT traffic inside GRE? 

 Jeff


Re: [c-nsp] DMVPN and OSPF

2009-07-30 Thread Luan Nguyen
Care to post the configuration?  So maybe some of us who think that this
problem is interesting could plug it into dynamips and check it out for you?
Have you tried to remove the configuration and put it back?  Maybe add a few
loopback interfaces and advertise them?

Regards,

---
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
http://www.netcraftsmen.net



-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jay Nakamura
Sent: Thursday, July 30, 2009 1:55 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] DMVPN and OSPF

Looking back on tickets, it seems like this problem started happening
after upgrading from 12.4(15)T5 to 12.4(24)T.  Before the upgrade, it
was running solid for a year.

I have tried 12.4(24)T1 but that doesn't seem to have any effect.  I
can't go below 12.4(20)T because we want to deploy IOS content
filtering.


 On Thu, Jul 30, 2009 at 7:48 AM, Rodney Dunn <rod...@cisco.com> wrote:


 Jay Nakamura wrote:

 Did you force the DR to be the hub by setting the priority?

 Yes.  And confirmed.

 I forgot, did you set it to broadcast or multipoint?

 broadcast

 I'd suggest you look at the packet capture feature and get a trace when
 it's
 down.

 Is this what you are referring to?


http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_rawip.html#wp1049404


 No this one:


http://supportwiki.cisco.com/ViewWiki/index.php/Tech_Insights:Utilizing_the_New_Packet_Capture_Feature



 There is no tech onsite and it's a little far so I can't do it at the
 moment but if I can't figure out anything else, that will be the next
 step.

 Do you see the LSA's in the database?

 I believe it was blank.  It's working now after a reboot so I can't
 check but I will check next time it happens.


 Ok. That is the starting point if the neighbors are not flapping.


 Can you ping 224.0.0.5 and get a response?

 Are the neighbors flapping?

 It didn't flap at all.  Routes just disappeared.  Well, that's not
 100% true.  The backup hub VPN connection went down and it wouldn't
 come up.  I could ping the primary hub tunnel IP when the routes were
 gone but none of the other DMVPN peer IP.


 Almost always issues like this are with packet loss. You have to make sure
 the multicast traffic can traverse the cloud and that requires replication
 at the hub..and the spoke if you are doing a single spoke tunnel with dual
 hubs.



 Jay Nakamura wrote:

 Has anyone seen this symptom?

 1841, advanced IP feature set
 DMVPN spoke and OSPF over the DMVPN

 Running 12.4(24)T

 Periodically, the router loses all its OSPF routes and stays that
 way.  Clearing the DMVPN or OSPF process does nothing.  It recreates
 the OSPF session with neighbor but it still has no routes.  It can't
 seem to re-connect to the backup DMVPN hub either.

 Router still routes to the static default route for internet traffic
 and everything else seems normal.  Just can't get to the VPN network.

 It's really not doing anything fancy other than DMVPN and OSPF.


Re: [c-nsp] 7206VXRG2 performance question

2009-07-28 Thread Luan Nguyen
NPEG2 and VAM+ could do 60Mbps VPN throughput.
NPEG2 and VSA could do 160Mbps VPN throughput.  
These are with 500-byte packets.
If you need more throughput, might want to go with the ASR1002.  Not that
much more expensive than the 7206VXR NPEG2/VSA combo.
Regarding design, you should go with DMVPN/EIGRP.  You could do direct
spoke-spoke communication as well.

Regards,

-
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
http://www.netcraftsmen.net



-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Gabriel
Sent: Tuesday, July 28, 2009 4:17 PM
To: rod...@cisco.com
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 7206VXRG2 performance question

I'll try to provide more details regarding the desired setup (opinions
in favour/against it are welcomed).

As I said, roughly half of the spokes will connect to hub1 while the
other half will connect to hub2. As all servers are in hub1, spokes
connecting to hub2 will reach the servers via a dedicated link between
hub1 and hub2. Hub2 is also a DR site, so this link will also be used
for replicating some of hub1's content there.

Regarding connectivity, spokes will connect to the hubs via two
providers (P1 and P2). The connections will use the provider's internal
network, not over the Internet. So, a spoke will have one tunnel (T1)
to hub1 via P1, one tunnel (T2) to hub1 via P2, one tunnel (T3) to
hub2 via P1 and one tunnel (T4) to hub2 via P2. Depending on which hub
the spoke will connect to, either T1 and T2 will be used (per flow
load balancing) or T3 and T4. Should a hub become unavailable, the
spokes connected to it will failover to the other one, so either hub
must be able to handle all spokes simultaneously.

Regarding bandwidth, I doubt it will exceed 10 mbit/s per provider in
the hubs. Spokes will probably have 128kbps and 256kbps per provider.

I read a bit about VTIs and the most appropriate setup seems to be
with static VTIs on the spokes and dynamic VTIs on the hubs. However,
there are some notes in the document[1] saying that routing with DVTIs
is not supported and SVTI remote to DVTI interfaces are not supported
(I don't know what this means).

Spokes will indeed have static link speeds (values mentioned above are
CIR). If I understand correctly the link you gave, I would need two
nhrp groups (one for 128kbps and the other one for 256kbps) which I
will further divide as required. Besides that, we'll also need shaping
to limit the outgoing physical interface to 10 mbps (or whatever we'll
get from the provider). The spokes would then be configured with the
proper nhrp-group.

So, as I said in the original message, my main concern is whether or
not the 7206 will be able to handle this, but, from the replies I got,
I understand it shouldn't be a problem.

Gabriel

[1]
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_ipsec_virt_tunnl.html#wp1110852

On Sun, Jul 26, 2009 at 6:17 AM, Rodney Dunn <rod...@cisco.com> wrote:
 For those low rates a 7206VXR with a NPE-G2 would be a plenty.

 You should look at dynamic VTI's I think it is to get per spoke QOS.

 You don't need an external box especially if your link speeds at the
spokes
 are static.

 There are different ways to do per spoke QOS but it's a bit more complex
 with dmvpn.


http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_per_tunnel_qos.html

 Rodney



 Gabriel wrote:

 Hi all,

 the company I work for is involved in a WAN redesign process, so we
 got in touch with a few Cisco partners to help us. We're considering a
 dual-hub and spoke topology (about 100 spokes, more in the future)
 with both hubs active (half of the spokes will connect to one hub, the
 other half to the other).

 As I said, we contacted some Cisco partners (as we don't have the
 necessary expertise to do this on our own) and one of them recommended
 that, besides using the 7206 (with NPE-G2 and VSA) as the hub router,
 we should also get a SCE1010 box to handle the QoS.

 One of the aspects I'd like your feedback on is whether this SCE box
 is required or not (from the docs and design guides I read, it was
 only present in SP networks). I'll try to give more details (please
 let me know if they are relevant or not and what others have I
 missed):

 - DMVPN (although one tunnel/branch was also suggested) over IPSec
 - spokes connect to hubs via two providers (with per-flow load-balancing)
 - hub bandwidth will probably not exceed 10 mbit/provider
 - spoke bandwidth will be 256kbps/provider for roughly half of the
 spokes and 128kbps/provider for the other half
 - EIGRP as routing protocol
 - no VoIP at the moment, but it could appear sometime in the future

 Traffic is not latency-sensitive (as I said, no VoIP yet) and will be
 split into four QoS classes (in the future, others might appear).

 So, based on the above, can you comment on the capabilities

Re: [c-nsp] ASA Static Translations / DNS Doctoring

2009-07-17 Thread Luan Nguyen
Static mapping means one to one.  You could do port mapping.

I have an internal web server that needs to be accessible from the public
internet, so I would do *static (inside,outside) 208.x.x.25 192.168.100.10
netmask 255.255.255.255 dns*.
What do you need to do?

Regards,

---
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
http://www.netcraftsmen.net
-

-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Clue Store
Sent: Friday, July 17, 2009 12:47 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ASA Static Translations / DNS Doctoring

Hi All,

I'm trying to do DNS doctoring on an ASA and for specific reasons I need to
map several different (public) outside IPs to the one inside IP as shown
below.

*static (inside,outside) 208.x.x.25 192.168.100.10 netmask 255.255.255.255
dns*
*static (inside,outside) 208.x.x.26 192.168.100.10 netmask 255.255.255.255
dns*
However, upon entering the second rule, the ASA says ERROR: duplicate of
existing static. I realize this is for a one-to-one translation. As I am
not an expert with the ASA, does anyone know how I can accomplish this in a
different manner?

My only other option is to point all of my domains to the same (public)
outside IP, but this is my LAST option as it breaks a lot more things that
would take a lot more time to fix. Any help is appreciated.

Thanks,
Clue


Re: [c-nsp] ASA Static Translations / DNS Doctoring

2009-07-17 Thread Luan Nguyen
Very creative use of secondary addresses! :)

Regards,


Luan Nguyen
Chesapeake NetCraftsmen, LLC.
http://www.netcraftsmen.net



-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Andrew Yourtchenko
Sent: Friday, July 17, 2009 2:28 PM
To: Clue Store
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASA Static Translations / DNS Doctoring

On Fri, 17 Jul 2009, Clue Store wrote:

 Hi All,

 I'm trying to do DNS doctoring on an ASA and for specific reasons I need to
 map several different (public) outside IPs to the one inside IP as shown
 below.

 *static (inside,outside) 208.x.x.25 192.168.100.10 netmask 255.255.255.255
 dns*
 *static (inside,outside) 208.x.x.26 192.168.100.10 netmask 255.255.255.255
 dns*

With static (inside,outside) AddrPublic AddrPrivate netmask 
255.255.255.255 dns in the config,

you're saying:

1) when anyone tries to talk to AddrPublic from the outside, they will get
to AddrPrivate on the inside
2) when AddrPrivate tries to talk to anyone on the outside, it will be seen
there as AddrPublic
3) the DNS response containing AddrPrivate or AddrPublic, depending on 
where it is arriving, will have this address translated accordingly. (so 
the DNS server on the outside replying AddrPublic to someone on inside, 
will have this translated to AddrPrivate; and inside DNS server which 
replies the AddrPrivate to the outside, will have it translated to 
AddrPublic.)

The (3) is what the dns keyword turns on when it is present.

The symmetry of the behaviour prevents having 'many to one' behaviour 
that you are looking for - because then it would encounter the conflict or 
unpredictability when going outbound.

The simplest way around is to grab a few secondary 
rfc1918 addresses and assign them to the host and do the mapping between 
those and the public addresses.

For your /27 case, having 30 secondaries does not look terribly exciting, 
but assuming the host can survive that, it should do the trick.

cheers,
andrew


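Andrew's three-point description of what `static ... dns` does, and why the bijection rules out the many-to-one mapping Clue Store wanted, can be made concrete with an added Python model (written for this page; not ASA code and not from either poster). It treats the static as two dictionaries that must both stay unique, rejects a second public address for an already-mapped inside host the way the ASA does, applies the `dns` rewrite to A records in each direction, and then walks through the secondary-address workaround. Addresses are constructed (203.0.113.0/24 documentation space in place of the poster's 208.x.x.x).

```python
"""Constructed model of an ASA one-to-one 'static ... dns' translation.
Addresses are documentation/placeholder values, not the poster's."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


class DuplicateStaticError(ValueError):
    """Stands in for the ASA's 'ERROR: duplicate of existing static'."""


@dataclass
class StaticNat:
    # The static is bijective: each public address maps to exactly one private
    # address and each private address to exactly one public address.
    pub_to_priv: Dict[str, str] = field(default_factory=dict)
    priv_to_pub: Dict[str, str] = field(default_factory=dict)

    def add_static(self, public: str, private: str) -> None:
        """static (inside,outside) <public> <private> netmask 255.255.255.255 dns"""
        if public in self.pub_to_priv or private in self.priv_to_pub:
            # A second public address for an already-mapped inside host would
            # make the outbound direction (2) ambiguous, so it is rejected.
            raise DuplicateStaticError(
                f"duplicate of existing static: {public} <-> {private}")
        self.pub_to_priv[public] = private
        self.priv_to_pub[private] = public

    def inbound(self, dst_public: str) -> str:
        """(1) an outside host talking to the public address reaches the private one."""
        return self.pub_to_priv.get(dst_public, dst_public)

    def outbound(self, src_private: str) -> str:
        """(2) the private host talking outward is seen as its public address."""
        return self.priv_to_pub.get(src_private, src_private)

    def doctor_dns(self, a_records: List[str], reply_from: str) -> List[str]:
        """(3) the 'dns' keyword: rewrite A records in replies crossing the ASA.
        reply_from is 'outside' (public -> private, reply headed to an inside
        client) or 'inside' (private -> public, reply headed outside)."""
        table = self.pub_to_priv if reply_from == "outside" else self.priv_to_pub
        return [table.get(ip, ip) for ip in a_records]


def many_to_one_attempt() -> Tuple[bool, str]:
    """The original intent: two public addresses for one inside host."""
    nat = StaticNat()
    nat.add_static("203.0.113.25", "192.168.100.10")
    try:
        nat.add_static("203.0.113.26", "192.168.100.10")
    except DuplicateStaticError as exc:
        return False, str(exc)
    return True, ""


def secondary_address_workaround() -> Dict[str, str]:
    """Andrew's workaround: one RFC 1918 secondary address on the host per
    public address, so every mapping stays one-to-one."""
    nat = StaticNat()
    for i, public in enumerate(["203.0.113.25", "203.0.113.26", "203.0.113.27"]):
        nat.add_static(public, f"192.168.100.{10 + i}")
    return {
        "inbound_to_26": nat.inbound("203.0.113.26"),
        "outbound_from_11": nat.outbound("192.168.100.11"),
        # inside DNS server answers an outside client with a secondary address
        "dns_reply_to_outside": nat.doctor_dns(["192.168.100.11"], "inside")[0],
        # outside DNS server answers an inside client with a public address
        "dns_reply_to_inside": nat.doctor_dns(["203.0.113.27"], "outside")[0],
    }
```

The symmetry Andrew describes is visible in `add_static`: the check on `priv_to_pub` is what fires for the second rule, because allowing it would leave `outbound()` with no single answer for the host's own traffic.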

Re: [c-nsp] Global Route Leaking on same PE

2009-06-16 Thread Luan Nguyen
You could also use a GRE tunnel for the connection as well.
Jeff is right that this topic keeps coming up every so often.  I wonder why
Cisco won't just make this easier for people.

--
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
http://www.netcraftsmen.net
--

-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Ivan Pepelnjak
Sent: Tuesday, June 16, 2009 1:24 PM
To: 'Clue Store'; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Global Route Leaking on same PE

The last time I've seen discussion on this topic, you had to have an
external back-to-back connection between a VRF interface and a global
interface. 

 -Original Message-
 From: Clue Store [mailto:cluest...@gmail.com] 
 Sent: Tuesday, June 16, 2009 4:18 PM
 To: cisco-nsp@puck.nether.net
 Subject: [c-nsp] Global Route Leaking on same PE
 
 Hi All,
 
 Looked through the archives but couldn't find anything about 
 this specific issue. I'm trying to leak a route from the 
 global table on a PE to an interface that is on the same PE 
 but I get the following when I try to just point it to a loopback.
 
 ip route vrf test 64.193.x.x 255.255.255.248 192.168.222.1 
 global %Invalid next hop address (it's this router)
 
 Also tried to point it to just the interface and it says vpn 
 routes have to be pointed to next-hop addresses. Anyone have 
 some clue how to get this to work where the traffic never 
 leaves the same PE and makes a loop around the network??
 
 TIA
 
 



Re: [c-nsp] Dual WAN on Cisco IOS 12.4(24)T

2009-04-15 Thread Luan Nguyen
You could put Fa0 into a VLAN and use that for the cable modem connection.
There's no option for no switchport and turn it into a layer 3 interface.

Regards,


-
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[Web] http://www.netcraftsmen.net



-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of John Lange
Sent: Wednesday, April 15, 2009 10:10 AM
To: Cisco NSP
Subject: [c-nsp] Dual WAN on Cisco IOS 12.4(24)T

I'm looking for some configuration examples for a Cisco 871w in a
dual-wan environment. Physically the box only has one of the ports
labelled for a WAN port but is it possible to configure one of the other
ports as another external interface? Internally they all just show up as
FastEthernet ports 0-4.

One port would be DSL with PPPOE and the other would be simple DHCP
(cable modem).

Version:
Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version
12.4(24)T

Regards,
-- 
John Lange
http://www.johnlange.ca



Re: [c-nsp] Dual WAN on Cisco IOS 12.4(24)T

2009-04-15 Thread Luan Nguyen
Basically you should look for reliable static routing using object tracking
http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xe/feature/guide/dbackupx.html

An ICMP echo probe is created to monitor the GW of the primary interface.
The probe sends an ICMP echo every 5 seconds, and runs indefinitely:

ip sla 2147483647
 icmp-echo x.x.x.x(GW) source-ip x.x.x.x1 [PRIMARY ADDRESS]
 timeout 1000
 frequency 5
ip sla schedule 2147483647 life forever start-time now

An object tracking rule is created to track the echo probe with a delay of
20 seconds - in case of just link flapping and not a real failure:
!
track 300 rtr 2147483647 reachability
 delay down 20
!
A route map is created to send the ICMP echo packets out the primary WAN
interface only when it is up but sends the packets to a null0 interface when
the primary interface fails.
!
ip access-list extended object-track
 permit icmp host x.x.x.x1 host x.x.x.x
!
route-map OT permit 300
 match ip address object-track
 set ip next-hop x.x.x.x
 set interface Null0
!
! apply the route map to router-generated traffic so the probes follow it
ip local policy route-map OT
!
A default route is set out the primary interface. Another default route is
set out the secondary interface but at a higher cost.

ip route 0.0.0.0 0.0.0.0 x.x.x.x track 300
ip route 0.0.0.0 0.0.0.0 y.y.y.y 250
!

HTH.

Regards,


-
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[Web] http://www.netcraftsmen.net



-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of John Lange
Sent: Wednesday, April 15, 2009 11:02 AM
To: 'Cisco NSP'
Subject: Re: [c-nsp] Dual WAN on Cisco IOS 12.4(24)T

On Wed, 2009-04-15 at 10:24 -0400, Luan Nguyen wrote:
 You could put Fa0 into a VLAN and use that for the cable modem
 connection.

Ok, that's what I figured would work.

Any suggestions for how to make the dual-wan work in a type of fail-over
setup? All of my searching turns up plenty of hits for hardware failover
(dual-PIX setups) but I can't find any example configs for dual-wan on a
single device. I must be using the wrong search terms?

I'm fairly new to cisco and am not certified so any hints as to which
IOS commands/configs can be used to detect fail-over would be great.

Thanks,
-- 
John Lange
http://www.johnlange.ca


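The failover logic Luan lays out above (the IP SLA probe, the `delay down 20` track, the route map that pins the probe to the primary link or Null0, and the floating static with distance 250) can be exercised as a small simulation. The Python below is an added example written for this page, not IOS code and not from the post; it keeps the post's `x.x.x.x` and `y.y.y.y` placeholders for the two gateways and simplifies IP SLA by treating a single missed echo as the probe going unreachable (real IP SLA reachability needs several consecutive misses).

```python
"""Constructed simulation of IOS reliable static routing with object tracking,
following the IP SLA / track / route-map / floating-static pieces from the post.
Next hops keep the post's x.x.x.x (primary) and y.y.y.y (backup) placeholders."""
from dataclasses import dataclass, field
from typing import List, Optional

FREQUENCY = 5        # 'frequency 5': one echo probe every 5 seconds
DELAY_DOWN = 20      # 'delay down 20': a failure must persist 20 s before the track goes down


@dataclass
class Track:
    """Model of 'track 300 rtr 2147483647 reachability' with 'delay down 20'.
    Simplification: one failed echo marks the probe unreachable."""
    state_up: bool = True
    down_since: Optional[int] = None

    def probe_result(self, t: int, echo_ok: bool) -> bool:
        if echo_ok:
            # Recovery is immediate: the post configures no 'delay up'.
            self.down_since = None
            self.state_up = True
            return self.state_up
        if self.down_since is None:
            self.down_since = t
        if t - self.down_since >= DELAY_DOWN:
            self.state_up = False
        return self.state_up


@dataclass
class Router:
    primary_gw: str = "x.x.x.x"
    backup_gw: str = "y.y.y.y"
    track: Track = field(default_factory=Track)

    def default_route(self) -> str:
        """'ip route 0.0.0.0 0.0.0.0 x.x.x.x track 300' (AD 1) is only installed
        while the track is up; otherwise the floating static with AD 250 wins."""
        return self.primary_gw if self.track.state_up else self.backup_gw

    def probe_next_hop(self, primary_link_up: bool) -> str:
        """route-map OT applied as local policy: probes matching the ACL go to
        the primary gateway while it is reachable, else to Null0. Without this a
        probe would follow the backup default route after failover, succeed,
        and flap the track back up."""
        return self.primary_gw if primary_link_up else "Null0"


def simulate(primary_link_up: List[bool]) -> List[str]:
    """primary_link_up[i] is the state of the primary link at probe i.
    Returns the default-route next hop in use after each probe."""
    r = Router()
    active = []
    for i, up in enumerate(primary_link_up):
        t = i * FREQUENCY
        # A probe sent to Null0 can never be answered.
        echo_ok = r.probe_next_hop(up) == r.primary_gw and up
        r.track.probe_result(t, echo_ok)
        active.append(r.default_route())
    return active


def brief_flap() -> List[str]:
    """Link drops for three probes (15 s), shorter than delay down: no failover."""
    return simulate([True, True, False, False, False, True, True])


def real_failure() -> List[str]:
    """Link stays down: the track goes down 20 s after the first miss and the
    backup default route takes over."""
    return simulate([True, True] + [False] * 7)
```

The two scenarios show the purpose of the 20-second delay: a short flap leaves the primary default in place, while a sustained outage moves to `y.y.y.y` four probes after the first miss and returns as soon as an echo succeeds again.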

Re: [c-nsp] cisco AnyConnect - cisco 877

2009-03-18 Thread Luan Nguyen
There's a configuration guide here:
http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a0080720346.shtml
According to it, the 877 should be supported.

Regards,


-
Luan Nguyen
Chesapeake NetCraftsmen, LLC
[Web] http://www.netcraftsmen.net



-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of almog ohayon
Sent: Wednesday, March 18, 2009 10:33 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] cisco AnyConnect - cisco 877

Hi Everyone, does anyone know if Cisco AnyConnect is supported on the Cisco 877
router?
I know that Cisco AnyConnect is supported on the Cisco ASA.

These are my details:
877 version: flash:c870-advipservicesk9-mz.124-24.T.bin

WebVpn Config :

webvpn gateway SSLVPNGW1
 ip address x.x.x.x port 443
 http-redirect port 80
 ssl trustpoint TP-self-signed-1899766392
 logging enable
 inservice
 !
webvpn context SSLVPN
 ssl authenticate verify all
 !

 !
 policy group policy_1
   functions svc-enabled
   hide-url-bar
   svc address-pool Intranet
   svc default-domain test.com
   svc keep-client-installed
   svc dpd-interval gateway 30
   svc rekey method new-tunnel
   svc dns-server primary 4.2.2.2
   svc wins-server primary 4.2.2.2
   citrix enabled
 default-group-policy policy_1
  gateway SSLVPNGW1
 max-users 10
 logging enable
 inservice
!


Re: [c-nsp] 7206 NON VXR

2009-03-17 Thread Luan Nguyen
NPE-225 I think is the max you could go.

Regards,


-
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[Web] http://www.netcraftsmen.net



-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Samantha (Regional Connect)
Sent: Tuesday, March 17, 2009 12:22 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] 7206 NON VXR

Hey Guys

What is the max processor board I can use with a non vxr chassis?

Thanks

Samantha



Re: [c-nsp] VRF and STATIC ROUTE to GLOBAL

2009-02-23 Thread Luan Nguyen
Instead of an external link with 2 physical ports, you could try to create a
GRE tunnel with 2 loopback interfaces.

interface Loopback0
 ip address 10.10.10.1 255.255.255.0
!
interface Loopback10
 ip address 10.10.100.1 255.255.255.0
!
interface Tunnel1
 ip vrf forwarding NSP
 ip address 172.16.1.1 255.255.255.0
 tunnel source Loopback0
 tunnel destination 10.10.100.1
!
interface Tunnel2
 ip address 172.16.1.2 255.255.255.0
 tunnel source Loopback10
 tunnel destination 10.10.10.1


Then run OSPF...etc.  I haven't tried static routes, but I'm pretty sure it
would work.

router ospf 100 vrf NSP
 router-id 10.10.10.1
 log-adjacency-changes
 redistribute bgp 65535 subnets
 network 10.10.10.1 0.0.0.0 area 0
 network 172.16.1.1 0.0.0.0 area 0
!
router ospf 1
 router-id 10.10.100.1
 log-adjacency-changes
 network 10.10.100.1 0.0.0.0 area 0
 network 172.16.1.2 0.0.0.0 area 0

Regards,


Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[Web] http://www.netcraftsmen.net
[Blog] http://cnc-networksecurity.blogspot.com/
[Mobile] 703-953-9116
+

-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jeff Fitzwater
Sent: Monday, February 23, 2009 10:56 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] VRF and STATIC ROUTE to GLOBAL

This question was posted earlier, before I opened ticket with CISCO.

Router is 6500 with 720-CXL running SXI code.


1.  I have router A which is used to connect to our three ISPs (two
I1s and one I2 connection with full BGP), and also receives all our
internal campus traffic via RIP default path. Router A announces
default to campus.

2. I now need to add a new special ESNET.GOV ISP which cannot be used  
by the majority of our campus except for two subnets.   These two  
subnets will still have access to the other three ISPs for normal path  
selection but have the option of choosing an ESNET route if needed.

3. So the original thinking was to create the VRF for ESNET which  
would have its own ESNET route table and tell the two special subnets  
(using route-map match subs, set vrf ) to check the ESNET table first  
and if route is not in table then fall thru to global.

4. I can't just have one route table that includes the ESNET routes,  
because ESNET announces some more specific routes and there may be  
hosts that normally use the I1 path to these DSTs, but now see a more  
specific path and try to use it and fail because it is not allowed by  
ESNET outbound ACL.



I have BGP peering working in VRF ( can see prefixes from ESNET in VRF  
table), but cannot announce our two subnet prefixes because they do  
not show up in VRF route table.  So getting static back to global  
would fix this and other issue with DEFAULT to global.   When I try to  
add static routes they never show up because the next hop is not  
present in VRF table or the command fails stating that...  Invalid  
next-hop address (it's this router).



I was hoping that just adding a static DEFAULT in VRF pointing to  
global would do everything I needed, but cannot get it to work even  
after trying all permutations of the command.  ip route vrf vrf-esnet  
0.0.0.0 0.0.0.0 0.0.0.0 global



Also tried ip route vrf vrf-esnet 0.0.0.0 0.0.0.0 loopback3  
10.10.10.10 global   Loopback3 was created with RFC-1918 IP and had  
vrf forwarding added on this loopback.  This also failed.


Creating an internal path between the VRF router and the global router  
is stopping all this from working.

I have a ticket open with CISCO but they are saying I have to add an  
external link with two physical ports on vrf.   This will not work for  
us.


Does anybody know how to get statics working between VRF and global
table, if it's even possible.


Really stuck!



Jeff Fitzwater
OIT Network Systems
Princeton University



[c-nsp] AIM-SSL-3 card on 2811

2009-01-21 Thread Luan Nguyen
Hi folks,

Anyone tried the SSL-3 VPN encryption card on a 2800 series before?

Thanks.

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[W] http://www.netcraftsmen.net
[M] l...@netcraftsmen.net
[Blog] http://cnc-networksecurity.blogspot.com/



Re: [c-nsp] Acceptance Test Procedure for New Cisco Devices

2009-01-20 Thread Luan Nguyen
Going a bit further... how about looking at those benchmarking RFCs
http://www.ietf.org/html.charters/bmwg-charter.html

In particular
http://www.ietf.org/rfc/rfc2544.txt
for the 1861 and
http://www.ietf.org/rfc/rfc3511.txt
for the ASA

Regards,

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[W] http://www.netcraftsmen.net
[M] l...@netcraftsmen.net
[Blog] http://cnc-networksecurity.blogspot.com/




-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Phil Mayers
Sent: Tuesday, January 20, 2009 8:06 AM
To: Ziv Leyes
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Acceptance Test Procedure for New Cisco Devices

Ziv Leyes wrote:
 Ok, let me be more specific. When we buy devices for our own use, we
 just open them, plug them in, and start using them; if there are any
 problems, we call the provider and they fix the problem (RMA or
 whatever). In this case, we're going to sell the equipment as a kind
 of turn-key project, and the customer asked us to provide them with
 our ATP, which we don't really use for ourselves, so I'd like to
 implement one sort of testing procedure from now on for this type of
 case. We're going to attach this to a legal statement, so we can't
 just type some BS there and that's it; we want to actually implement
 it, and if we write that we do a, b, c, d then we're going to do the
 a, b, c, d procedure for real. I was thinking some of you guys may
 already use this kind of test routine and can help me create one. I
 don't need some really serious stuff. I can imagine I'll check the
 delivery status of the package, open it, check that all the contents
 that need to be there are there, plug in the device and see it works,
 perhaps load some configuration, plug in the hardware it is planned to
 hold, if any (HWICs and so on), perform some soft and hard reboots, see
 that the device responds and there are links on all interfaces, and
 pack it back exactly as it was. The problem is I don't know exactly
 how to write it down in a kind of form where there's a checkbox for
 each test. Does anybody have some ready-to-go stuff?

Well, it's going to depend very much on the kind of equipment.

For example, a mandatory step when we get anything for our 6500s is a 
complete run passing all GOLD tests (including the disruptive tests). We 
maintain a spare chassis specifically for this.

I don't know if ASA5510 and 1861 have diagnostics, but I don't think so. 
In that case, you're probably going to want something like:

  * Build a standard config involving (at least) your ASA and 18xx router, in
which all or a large subset of the features are enabled

  * For each pair of devices you distribute, load the standard config on 
and run some test traffic

  * Leave it powered up for long enough to count as burn in i.e. 7 days?

So you'd write something like:

Party X will undertake to:

  * Unpack all equipment and check inventory
  * Check that equipment will power up
  * Load on a standard config, which tests:
* OSPF routing
* BGP routing
* Packet forwarding
* IPSec
* Coffee making
  * Run test traffic for 48 hours, to ensure the devices compare to a 
known-good platform
  * Leave the config running for 7 days, to eliminate early-life failure

...before shipping to Customer Y


Re: [c-nsp] Forcing dhcp lease renewal

2009-01-16 Thread Luan Nguyen
Things point to Cradlepoint don't they?  I've used Digi ConnectPort with
lots of success.
Or go with the 3G-Wireless HWIC card or ask VzW for a static IP address.
The last thing would be to use object tracking in conjunction with EEM to
solve your problem.

Regards,

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[W] http://www.netcraftsmen.net
[M] l...@netcraftsmen.net
[Blog] http://cnc-networksecurity.blogspot.com/




-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Bob Tinkelman
Sent: Friday, January 16, 2009 11:35 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Forcing dhcp lease renewal

For a cisco router with an interface like this:
   interface FastEthernet0/1
    description Verizon EVDO via Cradlepoint CBA250
    ip address dhcp

I'm looking for a way to force the router to issue a dhcp
lease renewal request.

I can do this manually, for example via
   config term
    int fa0/1
     shut
     no shut
    exit
but I'm looking for a way to trigger this automatically.


(Or possibly I'm trying to solve a problem in the wrong way.)



Background:

We have a good many customers with T1 or multi-T1 service,
and with fall-back routing configured over a cheap path,
typically a dynamic-ip cable-modem service or dsl.  Our
configs use a combination of gre-tunnels (to preserve
customer-site address ranges) and sometimes object tracking
and policy routing (often to direct web requests to a
higher-speed cable-modem service in cases where NATing is
acceptable).  We've been doing this for a good while and
have a set of configs that provide pretty solid service.

I have been testing, in a lab environment, a configuration
to do the same thing with Verizon's EVDO service using a
Cradlepoint CBA250 (Cellular Broadband Adapter).  It's not a
router; just a pass-through device.

The same configuration that we use with dynamic-ip cable-
modems works.  However, several times/day, things break.

Output of show interface, show dhcp lease, etc., show
that the cisco router doesn't think anything's changed.  The
interface has the same dhcp-assigned ip address and default
gateway.  But the default gateway is no longer pingable.

Doing a clear int Fa0/1 doesn't help.  A shut and no
shut will cause the router to issue a new dhcp request, get
a new (and different) ip address and gateway, and start
working again.


My current working hypothesis is that the EVDO link between
the CBA250 and Verizon was interrupted, possibly very
briefly, that Verizon noticed and invalidated the dhcp
lease, but that no indication of this reached the router.

It's a weak hypothesis.  I'm bothered by the fact we've
never seen this problem with similar cable-modem setups,
e.g., with Time Warner and with Cablevision.  I've sent
email to supp...@cradlepoint.com even though I really don't
see how their equipment could be involved.



I could use object tracking to discover when the link over
EVDO stops working.  But I'm not sure what do to with that
info.  Is there a way to force a new dhcp request to go out
based on object tracking?  (To date, I've used object
tracking mostly to enable/disable specific ip route
commands.)


I have the strong feeling that I'm trying to solve this in
the wrong way, and that if I really understood what was
going wrong, I'd be working in a different direction.

So, any hints would be much appreciated

- Bob
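One way to wire up the object-tracking plus EEM approach Luan mentions, for Bob's Fa0/1, as an added example that is not part of the thread: an IP SLA probe out of the EVDO interface drives a track object, and an EEM applet performs the same shut/no shut Bob does by hand whenever the track goes down. The probe target 198.51.100.1, the SLA/track numbers, timers and applet name are assumptions (12.4T-style syntax).

```cisco
! Added example, not from the thread: force a DHCP renewal on Fa0/1
! when the EVDO path stops forwarding. 198.51.100.1 is a placeholder
! probe target; use an address that is stable and reached only via Fa0/1.
ip sla 10
 icmp-echo 198.51.100.1 source-interface FastEthernet0/1
 frequency 10
ip sla schedule 10 life forever start-time now
!
! Dampen the track so a single lost probe does not bounce the interface;
! 30 s down / 10 s up is an assumed starting point.
track 10 ip sla 10 reachability
 delay down 30 up 10
!
! On the down transition, bounce the interface exactly as Bob does
! manually, and leave a syslog line so the event can be correlated later.
event manager applet DHCP-RENEW-FA01
 event track 10 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface FastEthernet0/1"
 action 4.0 cli command "shutdown"
 action 5.0 cli command "no shutdown"
 action 6.0 cli command "end"
 action 7.0 syslog msg "Track 10 down: bounced Fa0/1 to force a DHCP renewal"
```

Two caveats: the applet fires once per down transition, so if the bounce does not restore reachability the track simply stays down (the syslog line is the signal to look at), and if the router also has a T1 path the probe target must actually be routed over Fa0/1 or the track follows the wrong link.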


Re: [c-nsp] site-to-site vpn, ipsec-gre, 2811/HSEC

2009-01-07 Thread Luan Nguyen
From what you said about the process CPU 99/96, the routers aren't doing
anything process intensive.  Assuming that was what you meant:  CPU
utilization for five seconds: 99/96.
Getting 35Mbs VPN throughput for the 2811 with AIM-VPN/SSL-2 is already the
best-case scenario for that model.  You could try to use an IPsec profile
configuration instead of the legacy crypto map on the WAN interface, and try a
different IOS to see if you get an improvement.  That might improve throughput
a bit:  minimal, if at all.
If you need more VPN throughput, I would suggest trying a different hardware
platform.

Regards,

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[W] http://www.netcraftsmen.net
[M] l...@netcraftsmen.net
[Blog] http://cnc-networksecurity.blogspot.com/




-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mark Kent
Sent: Tuesday, January 06, 2009 9:45 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] site-to-site vpn, ipsec-gre, 2811/HSEC

I'm experimenting with a pair of cisco 2811 with the AIM-VPN/SSL-2
running C2800NM-ADVIPSERVICESK9-M, 12.4(9)T7.  I've got them
back-to-back, configured as shown below.

With a single file transfer (tcp) through the boxes I am able to jam
the processor at 99%/96%, which tells me I must be missing something.

I checked and the ip tcp adjust-mss 1360 is working, so it is not
fragmentation that is the culprit.  I do get about 35Mbs throughput,
but I'm bugged that the main cpu is jammed.  I did check sh cry eng
acc stat and see that the HW module is being used, but I would have
thought that the actual 2811 cpu would be only modestly busy.

Am I missing anything here?

Thanks,
-mark

---

 crypto isakmp policy 10
  encr aes
  authentication pre-share
  group 5
  lifetime 300
 !
 crypto isakmp key foo address 10.10.10.2 no-xauth
 !
 crypto ipsec transform-set GREVPN esp-aes esp-sha-hmac 
 !
 crypto map GREVPN local-address FastEthernet0/0
 !
 ip access-list extended TUNNEL
  permit gre host 10.10.10.1 host 10.10.10.2
 !
 crypto map GREVPN 20 ipsec-isakmp 
  set peer 10.10.10.2
  set transform-set GREVPN 
  match address TUNNEL
 ! 
 interface Tunnel0
  ip address 192.0.2.1 255.255.255.252
  ip mtu 1476
  ip tcp adjust-mss 1360
  tunnel source FastEthernet0/0
  tunnel destination 10.10.10.2
 ! 
 interface FastEthernet0/0
  description x-conn to other 2811
  ip address 10.10.10.1 255.255.255.252
  crypto map GREVPN
  crypto ipsec fragmentation before-encryption
 ! 
 interface FastEthernet0/1
  ip address test1 network, test2 is on other 2811
 ! 
 ip route test2 network 192.0.2.2

---

 2811-expt-TWO#sh cry engine acc stat

 Device:   AIM-VPN/SSL-2
 Location: AIM Slot: 0
 Virtual Private Network (VPN) Module in slot : 0
 Statistics for Hardware VPN Module since the last clear
  of counters 42 seconds ago
     126270 packets in            126270 packets out
  127941213 bytes in           124977694 bytes out
       3006 paks/sec in              3006 paks/sec out
      23865 Kbits/sec in            23312 Kbits/sec out
      42555 packets decrypted       83715 packets encrypted
    5854456 bytes before decrypt 119123238 bytes encrypted
    2790517 bytes decrypted      125150696 bytes after encrypt
          0 packets decompressed        0 packets compressed
          0 bytes before decomp         0 bytes before comp
          0 bytes after decomp          0 bytes after comp
          0 packets bypass decompr      0 packets bypass compres
          0 bytes bypass decompres      0 bytes bypass compressi
          0 packets not decompress      0 packets not compressed
          0 bytes not decompressed      0 bytes not compressed
      1.0:1 compression ratio       1.0:1 overall
          4 commands out                4 commands acknowledged
 Last 5 minutes:
      53276 packets in             53276 packets out
       1268 paks/sec in             1268 paks/sec out
   10792372 bits/sec in         10542446 bits/sec out
    1178581 bytes decrypted      50240550 bytes encrypted
     235716 Kbits/sec decrypted  10048110 Kbits/sec encrypted
      1.0:1 compression ratio       1.0:1 overall

 Errors:
  ppq full errors :0   ppq rx errors   :0
  cmdq full errors:0   cmdq rx errors  :0
  ppq down errors :0   cmdq down errors:0
  no buffer   :0   replay errors   :0
  dest overflow   :0   authentication errors   :0
  Other error :0   Raw Input Underrun  :0
IPSEC
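The IPsec-profile form Luan suggests, applied to Mark's Tunnel0, as an added example that is neither Mark's nor Luan's config: the crypto map and the GRE crypto ACL disappear, and tunnel protection encrypts everything that enters the tunnel. Peer addresses, key and transform set are Mark's; the profile name, the transport-mode choice and the 1400-byte MTU are assumptions, and the other 2811 needs the mirrored configuration.

```cisco
! Added example, not from the thread: Mark's GRE-over-IPsec pair rewritten
! with an IPsec profile and tunnel protection instead of a crypto map.
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
 lifetime 300
!
crypto isakmp key foo address 10.10.10.2 no-xauth
!
! Transport mode: GRE already carries the tunnel endpoints, so the extra
! outer IP header that tunnel mode would add is not needed.
crypto ipsec transform-set GREVPN esp-aes esp-sha-hmac
 mode transport
!
! The profile replaces "crypto map GREVPN"; no "match address TUNNEL"
! ACL is needed because all traffic leaving Tunnel0 is protected.
crypto ipsec profile GREVPN-PROFILE
 set transform-set GREVPN
!
interface Tunnel0
 ip address 192.0.2.1 255.255.255.252
 ! 1400 leaves room for GRE plus ESP so packets are not fragmented
 ! after encryption, which is what the old
 ! "crypto ipsec fragmentation before-encryption" line worked around.
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel destination 10.10.10.2
 tunnel protection ipsec profile GREVPN-PROFILE
!
interface FastEthernet0/0
 description x-conn to other 2811
 ip address 10.10.10.1 255.255.255.252
 ! no "crypto map GREVPN" on the physical interface any more
```

After the change, "show crypto ipsec sa" should show a single SA pair for the GRE flow between 10.10.10.1 and 10.10.10.2, and "sh cry engine acc stat" should still show the AIM counters climbing, which confirms the hardware module is used with the profile as it was with the map.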

Re: [c-nsp] Cisco Software Client - Router VPN issue.

2009-01-05 Thread Luan Nguyen
Create ACL 101 permit 10.0.0.0 0.0.0.255 any
Then under the  crypto isakmp client configuration group SomeVPN
Add ACL 101

Regards,

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[W] http://www.netcraftsmen.net
[M] l...@netcraftsmen.net
[Blog] http://cnc-networksecurity.blogspot.com/




-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Networkers
Sent: Monday, January 05, 2009 10:38 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco Software Client - Router VPN issue.

I'm trying to solve a problem with setting up the remote VPN access using
the Cisco VPN software client.  I have gotten it to the point where a user
can remotely tunnel to the router from their Doze PC, log in, receive an
IP in the 10.x.x.x network, and ping something on the 192.168.100.x
network.

However, they can't surf to the outside internet over that tunneled
connection.

I've taken a look at
some sample configs on the Cisco site but they all seem to be similar to
this. My thinking is that the dial pool doesn't get NATed properly, but
I'm unsure on what to do to the config to fix this.  Normal 192.168.100.x
Ethernet-connected PCs in the home office can surf and do everything just
fine.

Can someone offer a tidbit?

Thanks!
Chris


aaa new-model
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
no ip source-route
ip cef
!
username somebody password 0 my_password
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group SomeVPN
 key my_key
 pool ourpool
!
crypto ipsec transform-set trans1 esp-3des esp-sha-hmac
crypto ipsec transform-set trans2 esp-des esp-sha-hmac
crypto ipsec transform-set trans3 esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set trans3
!
crypto map intmap client authentication list userauthen
crypto map intmap isakmp authorization list groupauthor
crypto map intmap client configuration address initiate
crypto map intmap client configuration address respond
crypto map intmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
 description Office LAN
 ip address 192.168.100.100 255.255.255.0
 ip nat inside
 no ip mroute-cache
!
interface Serial0/0
 ip address my_ip 255.255.255.252
 ip nat outside
 crypto map intmap
!
ip local pool ourpool 10.0.0.1 10.0.0.254
ip default-gateway upstream_ip
ip nat inside source route-map nonat interface Serial0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
ip access-list extended NATRules
 deny   ip 192.168.100.0 0.0.0.255 10.0.0.0 0.0.0.255
 deny   ip 10.0.0.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.100.0 0.0.0.255 any
 permit ip 10.0.0.0 0.0.0.255 any
!
access-list 2 permit 10.0.0.0 0.0.0.255
access-list 2 permit 192.168.100.0 0.0.0.255
!
route-map nonat permit 11
 match ip address NATRules
!
end








Re: [c-nsp] Cisco Software Client - Router VPN issue.

2009-01-05 Thread Luan Nguyen
Uhm, that's split-tunneling.
If you want to use internet at the router site then follow this guide:
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml

Regards,

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[W] http://www.netcraftsmen.net
[M] l...@netcraftsmen.net
[Blog] http://cnc-networksecurity.blogspot.com/




-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Luan Nguyen
Sent: Monday, January 05, 2009 12:09 PM
To: 'Networkers'; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cisco Software Client - Router VPN issue.

Create ACL 101 permit 10.0.0.0 0.0.0.255 any
Then under the  crypto isakmp client configuration group SomeVPN
Add ACL 101

Regards,

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[W] http://www.netcraftsmen.net
[M] l...@netcraftsmen.net
[Blog] http://cnc-networksecurity.blogspot.com/






Re: [c-nsp] HWIC-4T1/E1

2008-12-19 Thread Luan Nguyen
controller T1 0/2/0
 cablelength long 0db
 channel-group 1 timeslots 1-24
!
controller T1 0/2/1
 cablelength long 0db
 channel-group 1 timeslots 1-24
!
controller T1 0/2/2
 cablelength long 0db
 channel-group 1 timeslots 1-24
!
controller T1 0/2/3
 cablelength long 0db
 channel-group 1 timeslots 1-24
!
interface Serial0/2/0:1
 ip address negotiated
 ip access-group publicIn in
 ip virtual-reassembly
 encapsulation ppp
 crypto map vpn
! 
interface Serial0/2/1:1
 ip address negotiated
 ip access-group publicIn in
 ip virtual-reassembly
 encapsulation ppp
 crypto map vpn
!
interface Serial0/2/2:1
 ip address negotiated
 ip access-group publicIn in
 ip virtual-reassembly
 encapsulation ppp
 crypto map vpn
!
interface Serial0/2/3:1
 ip address negotiated
 ip access-group publicIn in
 ip virtual-reassembly
 encapsulation ppp
 crypto map vpn

Didn't do a whole lot with QOS...etc, but it looks like any other serial
T1/E1 interfaces.

Regards,

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net


-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Justin Shore
Sent: Friday, December 19, 2008 11:27 AM
To: 'Cisco-nsp'
Subject: [c-nsp] HWIC-4T1/E1

Does anyone have any of the new quad-T1 HWICs (HWIC-4T1/E1) in 
production?  I've got some questions for anyone with knowledge of the unit.

http://www.cisco.com/en/US/prod/collateral/modules/ps5949/product_data_sheet0900aecd80710c77.html

Are they configured like the MFTs (with the controller config separate) 
or are they like the WICs (with the service-module config)?

How are the 4 interfaces numbered?  Se0/1/0-4:0?

Are there any special limitations with the HWIC-4T1 that anyone knows 
of?  We'll be doing MLPPP on them and some QoS (possibly spanning 
multiple HWIC-4T1s in a single chassis).  They look to be decent units.

Besides researching them to make sure that they'll work for us, I'm 
writing a template config for them and need to know how they're 
configured and numbered.

Thanks
  Justin


Re: [c-nsp] 32 bit ASN

2008-12-17 Thread Luan Nguyen
Here's an old post on this topic:
http://puck.nether.net/pipermail/cisco-nsp/2008-August/053334.html
Also, I heard it's going to be implemented beginning 12.5T

Regards,

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net



-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Antonio Soares
Sent: Wednesday, December 17, 2008 7:31 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] 32 bit ASN

Hello group,

Does anybody know if the 32-bit ASN feature is already available on Cisco IOS?
I didn't find this feature in Feature Navigator. It's
quite strange that no information seems to be available. RIPE will start
assigning 32-bit ASNs on 1/1/2009.


Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS)
amsoa...@netcabo.pt



Re: [c-nsp] Rate limiting but on packet count not bandwidth

2008-12-17 Thread Luan Nguyen
Maybe give storm-control with pps keyword a try.
http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/swtrafc.html#wp1241484

Regards,

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net


-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Primoz Jeroncic
Sent: Wednesday, December 17, 2008 10:01 AM
To: Cisco Mailing list
Subject: [c-nsp] Rate limiting but on packet count not bandwidth

Hi guys

Does anyone have any idea if rate limiting traffic based on packet
count would be possible on Cat3550/3560/3570 or any Cisco router?
I would need to limit some users which don't generate much of
traffic (only about 5 or 6Mbps), but packet count is huge (30k+ per sec).

So is there some option to limit their traffic to, let's say, 5000 packets/sec
regardless of the bandwidth they use?

Thanks for help.

Have fun,
Primoz Jeroncic
Support - IP Connectivity & Routing
---
Softnet d.o.o.  tel:  +386 1 562 31 40   |
Borovec 2   fax:  +386 1 562 18 55   |   1 + 1 = 3
1236 Trzin  primoz(at)softnet.si | for larger values of 1
Slovenija   http://flea.softnet.si/
---



Re: [c-nsp] MPLS-VPN migration

2008-12-17 Thread Luan Nguyen
Let me try thinking out loud :)
There's BGP support for importing IP prefixes into a VRF table:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_bgivt.html
You could use static routes as well.
For dynamic routing, some people create two tunnels on the same router, same
subnet, sourced from different loopbacks, with one tunnel interface in the VRF
and one in the global routing table:


ip vrf CUSTOMER1
rd 
route-target export 
route-target import 
!
interface Tunnel100
description VRF_CUSTOMER1_BRIDGE_TO_GLOBAL_ROUTING_TABLE
bandwidth 5
ip vrf forwarding CUSTOMER1
ip address 172.31.254.254 255.255.255.252  
load-interval 30  
tunnel source x.x.x.x
tunnel destination y.y.y.y
!
interface Tunnel200
description GLOBAL_ROUTING_TABLE_BRIDGE_TO_VRF_CUSTOMER1
bandwidth 5
ip address 172.31.254.253 255.255.255.252  
ip virtual-reassembly  
load-interval 30  
tunnel source y.y.y.y
tunnel destination x.x.x.x

If you have a lot of customers (a lot of VRFs), then maybe try DMVPN
configuration with the global being the hub and each spokes in their own
unique VRF...just a thought :)

Regards,

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net



-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Tim Durack
Sent: Wednesday, December 17, 2008 10:54 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] MPLS-VPN migration

Looking for some creative ideas on how best to accomplish this:

We are migrating a traditional enterprise-style IP network to an
MPLS-VPN network. All the infrastructure MPLS/IGP/MP-BGP work is
essentially done (it's a purely PE-PE network, no P routers anywhere.)

All customer networks are still in the global table. I need to
migrate them into VPN groups, but maintain full reachability between
global and VRFs during the migration. Route-leaking will be configured
between VRFs, and at a later stage some kind of firewall will be
employed between VPNs. The hard part is getting everything into the
VPNs first (without anyone noticing too much :-)

Ideally I'd like to bring up BGP sessions between the global table and
VRFs on each PE. I notice I can do BGP sessions between VRFs, but
can't quite wrap my head around global-VRF BGP. Is this even
possible?

Thanks for thinking about it.

Tim:


Re: [c-nsp] MPLS-VPN migration

2008-12-17 Thread Luan Nguyen
You could run routing protocol inside the (DMVPN) tunnel like OSPF and
redistribute using MP-BGP.

! VRF instance of OSPF
router ospf 1 vrf CUSTOMER1
 network [tunnel interface ip network] area 0
 redistribute bgp 65535 subnets route-map redis-bgp-vrf-CUSTOMER1-to-ospf
!
router ospf 2
 network [tunnel interface ip network] area 0
!
router bgp 65535
 address-family ipv4 vrf CUSTOMER1
  redistribute ospf 1 vrf CUSTOMER1 route-map redis-ospf-to-bgp-vrf

Regards,

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net



-Original Message-
From: Tim Durack [mailto:tdur...@gmail.com] 
Sent: Wednesday, December 17, 2008 1:21 PM
To: Luan Nguyen
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] MPLS-VPN migration

On Wed, Dec 17, 2008 at 12:25 PM, Luan Nguyen l...@netcraftsmen.net wrote:
> Let me try thinking out loud :)
> There's BGP support for IP prefix import into VRF table:
> http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_bgivt.html
> You could use static routes as well.

Looked at that. Trouble is the static routes have to specify next-hop,
which isn't going to be very scalable for directly-connected VLAN
interfaces.

> For dynamic, some people create two tunnels, same router, same subnet,
> sourced from different loopbacks.  With one tunnel interface in the vrf,
> one in the global routing table
>
>
> ip vrf CUSTOMER1
> rd
> route-target export
> route-target import
> !
> interface Tunnel100
> description VRF_CUSTOMER1_BRIDGE_TO_GLOBAL_ROUTING_TABLE
> bandwidth 5
> ip vrf forwarding CUSTOMER1
> ip address 172.31.254.254 255.255.255.252
> load-interval 30
> tunnel source x.x.x.x
> tunnel destination y.y.y.y
> !
> interface Tunnel200
> description GLOBAL_ROUTING_TABLE_BRIDGE_TO_VRF_CUSTOMER1
> bandwidth 5
> ip address 172.31.254.253 255.255.255.252
> ip virtual-reassembly
> load-interval 30
> tunnel source y.y.y.y
> tunnel destination x.x.x.x

And point statics at the tunnel? I guess that could work.

I was hoping to do something along the lines of:

http://www.cisco.com/en/US/docs/ios/iproute/configuration/guide/bgp_router_i
d_ps6017_TSD_Products_Configuration_Guide_Chapter.html#wp1055073

But it looks like this only works for VRF-VRF BGP sessions, not
VRF-GLOBAL.

Tim:



Re: [c-nsp] VSS SRND

2008-11-17 Thread Luan Nguyen
Have you looked at the Data Center Design Guide?
http://www.cisco.com/en/US/netsol/ns743/networking_solutions_program_home.html
There's this one:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/dc_servchas/service-chassis_design.html
And this one:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/DC_Infra2_5/DCI_SRND.pdf
Which give lots of design guidance on VSS.

Regards,


Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pavel Skovajsa
Sent: Monday, November 17, 2008 10:24 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] VSS SRND

Hello all,

does anybody have a clue when the VSS Block SRND is going to be
published on Design Zone? The Enterprise Campus 3.0 Architecture
(http://www.cisco.com/en/US/docs/solutions/Enterprise/Campus/campover.html)
states that:


Most campus environments will gain the greatest advantages of a
virtual switch in the distribution layer. For details on the design of
the virtual switching distribution block see the upcoming virtual
switch distribution block design, http://www.cisco.com/go/srnd.


This has been there for almost 6 months now, and still no VSS SRND

Thanks,
Pavel Skovajsa


Re: [c-nsp] DMVPN - HUB VRF Aware - Spokes no VRFs

2008-11-17 Thread Luan Nguyen
Usually, when I use VRF-Lite with a hub-site DMVPN, it's because I need to
backhaul all spoke traffic (send them a default route through the tunnel)
and don't want to use policy-based routing at the spoke sites.
I have to put the LAN(s) and tunnel interface(s) on the spoke into a VRF and
leave the WAN in the global table so the spoke can have 2 default routes: one
in the global table to establish the DMVPN/IPsec connection to hubs and other
spokes, and one in the VRF to send all LAN traffic to the hub for, say,
central Internet access.
Hubs' tunnels would usually be put into a VRF.

If you have a few customers and want to consolidate them into a single hub
router, then I would just put the tunnels into their own VRFs; the spokes
can be left alone.  Depending on the routing protocol you use and what access
you want to give, you need to route inter/intra-VRF accordingly at the hub.

Regards,

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter Danielsen
Sent: Monday, November 17, 2008 11:01 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] DMVPN - HUB VRF Aware - Spokes no VRFs


Hi, I am trying to consolidate a number of DMVPN hubs on a VRF-aware hub. I
have some difficulties getting it to work. The hub is a 7200VXR; spokes are
2841s. All configuration examples I can find are with hub and spoke running
VRF-Lite, and I need to figure out how to build the hub for VRF-Lite
support. I assume that spoke configurations will not change, since the
only place I need VRF-Lite support is on the hub. Any clues, hints,
whitepapers? Thanks in advance /ped_dk
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



Re: [c-nsp] BGP Question

2008-11-06 Thread Luan Nguyen
neighbor allowas-in

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Stephens, Jamie A
Sent: Thursday, November 06, 2008 9:18 AM
To: cisco-nsp
Subject: [c-nsp] BGP Question

Is there a command to allow received routes from the same AS #? 



Re: [c-nsp] Cisco 881 3G Router Experiences

2008-11-06 Thread Luan Nguyen
Basically just another DHCP interface IP-wise.
Here's a sample configuration for DMVPN/IPSEC I used for 1841 3G-EVDO.
I used it as a primary connection as well as backup connection.

interface Dialer1
 ip address negotiated
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer string cdma
 dialer persistent
 dialer-group 1
!
interface Cellular0/1/0
 ip address negotiated
 ip virtual-reassembly
 encapsulation ppp
 dialer in-band
 dialer pool-member 1
 dialer-group 1
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key test address x.x.x.x
crypto isakmp keepalive 10 4 periodic
!
crypto ipsec transform-set cisco esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile cisco
 set transform-set cisco
 set pfs group5
!
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication donttell
 ip nhrp map 10.0.0.1 x.x.x.x
 ip nhrp map multicast x.x.x.x
 ip nhrp network-id 99
 ip nhrp holdtime 300
 ip nhrp nhs 10.0.0.1
 ip tcp adjust-mss 1360
 delay 100
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 10
 tunnel protection ipsec profile cisco

You could use IPSEC tunnel mode without DMVPN as well, just make sure the other
side is configured for a dynamic crypto map.

Regards,


Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, November 06, 2008 3:57 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco 881 3G Router Experiences

Hi,

is anybody here using a Cisco 881 3G Router with IPSEC and can share his 
experiences/config with me ?


Cheers

Anton

Anton Schweitzer
Senior Specialist BS Projekt  Service 
Customer Design

o2 (Germany) GmbH  Co.OHG
Georg Brauchle-Ring 23-25, D-80992 München
Tel  +49(0)89-2442-5794
Mobil +49(0)176-23407715
Fax  +49(0)89-2442-4281
[EMAIL PROTECTED]


Re: [c-nsp] PIX 6.x Site2Site with dynamic IP?

2008-11-06 Thread Luan Nguyen
Just change your A end to use dynamic map.
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml


Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of William
Sent: Thursday, November 06, 2008 6:04 AM
To: cisco-nsp
Subject: [c-nsp] PIX 6.x Site2Site with dynamic IP?

Hi Chaps,

I used to have a VPN tunnel running between two sites using Cisco PIX
6.x. The B end now has a dynamic IP address every time the router
reloads, which means the tunnel has gone down, and to get it back up we
have to reconfigure an ISAKMP key and change our config here on the A
end.

Is there a way I can get round this? The router in front of our B-end
PIX is not Cisco, nor is it under our control. My client downgraded
their Internet service package, which also meant that they now have a
dynamic IP address :(

Thanks for your time.

W


Re: [c-nsp] IPSec Remote Access VPN getting Addresses from the DHCP

2008-11-05 Thread Luan Nguyen
Maybe try using the global commands 
no vpn-addr-assign local
no vpn-addr-assign aaa
vpn-addr-assign dhcp


And under tunnel-group COMPANY-TUNNEL-GROUP general-attributes
 Add:  default-group-policy COMPANY-REMOTE-ACCESS

Regards,

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bruno Filipe
Sent: Wednesday, November 05, 2008 10:37 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] IPSec Remote Access VPN getting Addresses from the DHCP

Hi there,...

Can you guys help me understand why the DHCP server is not providing addressing
information to the VPN clients? If I use a local pool, I can connect and
get addressing info.

Here's my config:

asa# wr t
: Saved
:
ASA Version 7.0(7) 
!
hostname asa
domain-name domain.co.ao
enable password shhh encrypted
names
dns-guard
!
interface Ethernet0/0
 description 100BASETX to LAN Switch
 nameif inside
 security-level 100
 ip address 192.168.91.254 255.255.255.0 
!
interface Ethernet0/1
 description 100BASETX link to Alvarion BMAX-CPE-ODU (INTERNET)
 nameif outside
 security-level 0
 ip address xxx.xxx.xx.xxx 255.255.255.252 
!
interface Ethernet0/2
 description FOR FUTURE USE
 nameif dmz
 security-level 5
 ip address xxx.xxx.xx.xxx 255.255.255.0 
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
passwd s encrypted
ftp mode passive
access-list outside_access_in extended permit tcp any host xxx.xxx.xx.xxx eq smtp
access-list outside_access_in extended permit tcp any host xxx.xxx.xx.xxx eq pop3
access-list outside_access_in extended permit tcp any host xxx.xxx.xx.xxx eq https
access-list outside_access_in extended permit tcp any host xxx.xxx.xx.xxx eq 3389
pager lines 24
logging timestamp
logging buffer-size 16384
logging buffered critical
logging trap debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu management 1500
ip local pool COMPANY-LOCAL-POOL 192.168.91.230-192.168.91.240
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.91.112 smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 192.168.91.112 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.91.112 https netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.91.112 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 196.216.54.229 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp enable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 1
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  port-forward-name value Application Access
group-policy COMPANY-REMOTE-ACCESS internal
group-policy COMPANY-REMOTE-ACCESS attributes
 dhcp-network-scope 192.168.91.150
 webvpn
username some.name password EB4ztYh0SYsdhnHI encrypted
aaa authentication ssh console LOCAL 
aaa authentication enable console LOCAL 
http server enable
http 192.168.91.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set COMPANY-TRANSFORM-SET esp-3des esp-md5-hmac 
crypto dynamic-map COMPANY-DYNAMIC-MAP 10 set transform-set COMPANY-TRANSFORM-SET
crypto map COMPANY-CRYPTO-MAP 65535 ipsec-isakmp dynamic COMPANY-DYNAMIC-MAP
crypto map COMPANY-CRYPTO-MAP interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group COMPANY-TUNNEL-GROUP type ipsec-ra
tunnel-group COMPANY-TUNNEL-GROUP general-attributes
 dhcp-server 192.168.91.254
tunnel-group COMPANY-TUNNEL-GROUP ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh xxx.xxx.xx.x 255.255.255.0 outside
ssh timeout 30
ssh version 2
console timeout 0
dhcpd address 192.168.91.150

Re: [c-nsp] ipsec over gre with nhrp

2008-11-05 Thread Luan Nguyen
You have to use tunnel protection profile instead.
Get rid of the local-address, and put these in:

crypto isakmp policy 3000
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key test address 165.254.97.2
crypto isakmp keepalive 10 4 periodic
!
!
crypto ipsec transform-set TEST esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile foo
 set transform-set TEST
 set pfs group5
!
interface Tunnel202
 no crypto map
 tunnel protection ipsec profile foo

Then route over the tunnel accordingly...instead of using an ACL to match
traffic.

Regards,

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

(blog) http://ccie-security.blogspot.com/
(e) [EMAIL PROTECTED]
(aim/yahoo): luancnc



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bob Tinkelman
Sent: Wednesday, November 05, 2008 5:05 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ipsec over gre with nhrp

I'm doing something that I thought I'd done before, but am
running into problems and need a sanity check.

I have 2 customer site routers, each configured for main
access via T1 and backup Internet access via a cable-modem
service with a dynamic ip address.

They also have an ipsec vpn to route internal (192.168/16 and
10/8) nets between the two sites, using crypto maps on the
T1 serial ports in the standard way.

All that works.

I wanted to provide a backup to the ipsec VPN using the cable
modem ports, and proceeded as follows:

  o  I configured a multi-point tunnel with both customer sites
 using nhrp to connect to one of my routers.  [This works.
 The routers can ping each other over the tunnel.]
 This was done because otherwise the routers, each with a
 dynamic ip address, would have trouble finding each other.

  o  I mimic'd the ipsec vpn on the T1 serial interfaces, building
 a similar one on the tunnel interfaces.  [This didn't work,
 and it's pretty clear why.]


Here are the relevant portions of the config.  [I'm willing to
share more, but wanted to keep this post manageable.]

Interface housing the cable-modem:

  | CT-gw#sho run int fa0/1 
  | Building configuration...
  | 
  | Current configuration : 186 bytes
  | !
  | interface FastEthernet0/1
  |  description Cable modem connection
  |  ip address dhcp
  |  ip access-group from-cablemodem in
  |  ip nat outside
  |  ip virtual-reassembly
  |  duplex auto
  |  speed auto
  | end
  | CT-gw#

The address dhcp-assigned by the carrier:

  | CT-gw#sho int fa0/1 | inc Internet address
  |   Internet address is 192.168.1.64/24
  | CT-gw#

The tunnel interface:

  | CT-gw#sho run int t202
  | Building configuration...
  | 
  | Current configuration : 729 bytes
  | !
  | interface Tunnel202
  |  description Dynamic multi-point ISPnet-customer tunnel
  |  bandwidth 1000
  |  ip address 69.48.189.23 255.255.255.0
  |  ip access-group from-world in
  |  no ip redirects
  |  ip mtu 1416
  |  ip nat inside
  |  ip nhrp authentication redacted
  |  ip nhrp map multicast 165.254.97.2
  |  ip nhrp map multicast 165.254.147.2
  |  ip nhrp map 69.48.189.1 165.254.97.2
  |  ip nhrp map 69.48.189.2 165.254.147.2
  |  ip nhrp network-id redacted
  |  ip nhrp holdtime 300
  |  ip nhrp nhs 69.48.189.1
  |  ip nhrp nhs 69.48.189.2
  |  ip nhrp server-only
  |  ip virtual-reassembly
  |  no ip route-cache cef
  |  no ip route-cache
  |  no ip mroute-cache
  |  delay 1000
  |  tunnel source FastEthernet0/1
  |  tunnel mode gre multipoint
  |  tunnel key redacted
  |  crypto map CLINTON-TU-202-MAP
  | end
  | CT-gw#

The tunnel is working:

  | CT-gw#ping 69.48.189.24
  | 
  | Type escape sequence to abort.
  | Sending 5, 100-byte ICMP Echos to 69.48.189.24, timeout is 2 seconds:
  | !
  | Success rate is 100 percent (5/5), round-trip min/avg/max = 140/141/144 ms
  | CT-gw#

  | CT-gw#tr 69.48.189.24
  | 
  | Type escape sequence to abort.
  | Tracing the route to tu-202.fl-gw.cngrp.com (69.48.189.24)
  | 
  |   1 tu-202.gw1.nycmnycz.ispnetinc.net (69.48.189.1) 28 msec 28 msec 28 msec
  |   2 tu-202.fl-gw.cngrp.com (69.48.189.24) 136 msec *  136 msec
  | CT-gw#

The crypto map is defined like this:

  | CT-gw#sho run | begin crypto map CLINTON-TU-202-MAP
  | crypto map CLINTON-TU-202-MAP local-address Tunnel202
  | crypto map CLINTON-TU-202-MAP 1 ipsec-isakmp 
  |  set peer 69.48.189.24
  |  set transform-set TRANSFORM-SET-FL 
  |  match address CT-inside-to-FL-inside
  | !

But it's not working.  

It looks like it's using the wrong ip address for the local
address of the crypto map.

It's using the dhcp-assigned address of Fa0/1, when I'd thought
it should be using the address of Tu202.

  | CT-gw#sho crypto map int t202
  | Crypto Map: CLINTON-TU-202-MAP idb: Tunnel202 local address: 192.168.1.64
  | 
  | Crypto Map CLINTON-TU-202-MAP 1 ipsec-isakmp
  | Peer = 69.48.189.24
  | Extended IP access list CT-inside-to-FL-inside
  | access-list CT-inside-to-FL-inside permit ip

Re: [c-nsp] HWIC-3G-* experience?

2008-11-04 Thread Luan Nguyen
We've been having good results with Verizon.
Couple months ago, they got EVDO backup to Internet and MPLS as well - for
VPN products, and in the process of making the backend systems ready to roll
out.  No permanent IP yet and the IP are from Verizon Wireless.  So, even
though they might say it's directly from the MPLS cloud, they still have to
route around and around in their networks since Internet and MPLS are from
Verizon Business.

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Derick Winkworth
Sent: Tuesday, November 04, 2008 6:39 AM
To: Seth Mattinen
Cc: cisco-nsp
Subject: Re: [c-nsp] HWIC-3G-* experience?

(1) We've had good experience with this.  Decent throughput, but a high
amount of jitter/latency.  It's just another internet access method at
this point... it works fine.


Really its about the carrier...


(2) Cables and antennas as needed for getting the signal required can be
expensive if you go through the wrong channels (like Cisco... don't do it!)

(3) Sprint has a flat-rate plan that's 100 bucks or so for unlimited
usage.  They offer great deals on cables and antennas.  They also do
free site-surveys; no one else we talked to does that.

(4) ATT.  Variable bill rates.  ATT can work something out through
their account reps where you will never be charged more than a certain
amount every month, but it's supposed to be for backup only, so if you
use it frequently... you can go through your sales rep to make sure you
don't get locked out or whatever.  Right now, they offer a service to
back up MPLS circuits, but they manage the endpoint at your site... this
is their ANIRA product.  You configure VRRP on your router and they
configure it on theirs.  You configure whatever tracking you want so
that when a failure occurs, ATT's ANIRA router takes over and gets you
back to the cloud (through the internet though)...

(5) Verizon. No variable billing.  The best throughput with
dual-antennas.  They also offer internet-to-MPLS backup like ATT and
Sprint, but you get to manage the endpoint.

(6) There is no direct-to-VRF type MPLS backup at this time, but all
three carriers are rolling it out from what I understand.  When this
occurs, the card will come up direct to the MPLS cloud.  Until then, it's
a VPN tunnel to somewhere over the internet.  Permanent IP is available.
Some of them can create private subnets on the internet for you... you
get a public IP in a /27 or something and it can only talk to other IPs
in that /27.

hmmm...






Seth Mattinen wrote:
 Does anyone have any experience with the HWIC-3G-* cards in real life?
 I'm considering emergency access plans using these as opposed to
 traditional methods, and I'd be interested in any success or horror
 stories before jumping in.

 ~Seth


Re: [c-nsp] Order-of-operations question about adjust-mss and crypto...

2008-10-31 Thread Luan Nguyen
The MSS tells the maximum data a host will accept in a TCP/IP datagram.
Each side reports the value to the other side and the sending side will abide by
it.  It's all before encryption.
So typically like you said, people put ip tcp adjust-mss 1360 on the group
member LAN interface and also set ip mtu 1400 on the WAN side hoping for
PMTUD to work its magic.
Putting both on the WAN interface should work as well, though, I don't quite
understand the backside is MPLS statement :)...the packet has to be
originated from somewhere.
There's a very good paper here on Fragmentation
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml#t3


Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

(blog) http://ccie-security.blogspot.com/
(e) [EMAIL PROTECTED]
(aim/yahoo): luancnc



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Derick Winkworth
Sent: Friday, October 31, 2008 11:52 AM
To: Rodney Dunn
Cc: cisco-nsp@puck.nether.net
Subject: [c-nsp] Order-of-operations question about adjust-mss and
crypto...

If you apply the ip tcp adjust-mss command on an interface that has a
crypto statement on it...

Does it perform the MSS adjustment on outbound packets before they are
encrypted?  
Does it perform the MSS adjustment on inbound packets after they are
decrypted?

I know that this is typically placed on a tunnel interface or, for instance,
on an ethernet interface of a remote VPN site or something... but I have a
case where we have many GET encrypted sub-interfaces (each in their own VRF)
which are the only logical IP interfaces on the box.  The backside is MPLS
so there is no place to put the statement there...  so I was just going to
apply it to the interfaces where the crypto maps are.. not sure if this will
work.

I'll probably have to lab it up I'm guessing.

Derick


Re: [c-nsp] ctr+break sequence and Cisco 3500

2008-10-28 Thread Luan Nguyen
http://www.cisco.com/en/US/products/hw/switches/ps628/products_password_recovery09186a0080094184.shtml


Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net
(e) [EMAIL PROTECTED]
(aim/yahoo): luancnc



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of snort bsd
Sent: Tuesday, October 28, 2008 8:24 PM
To: cisco-nsp
Subject: [c-nsp] ctr+break sequence and Cisco 3500

Hi all:

I might not have done it hundreds of times, but certainly did it a lot of times. But
not this time. I am trying to break into a Cisco 3550 since the password was lost. I tried the
ctrl+break sequence but it is not working for me; it just reboots back to
normal working status. Then I just tried ctrl+b and that is not working either.
I checked the Cisco web page and I don't see anything special. Did I miss
something here, or does this Cisco 3550 have something special for password
recovery?


Thanks




Re: [c-nsp] OK, what is a cheap and dirty hack to test a port

2008-10-15 Thread Luan Nguyen
Is it a Verizon circuit?
We have a T1 circuit with Verizon and have the same problem.  We have a
point to point circuit, so one side has clocking set to internal to provide
the clocking and the other side feeds from the line.
I wrote the problem up at http://ccie-security.blogspot.com/
But basically, it will be up for some hours then down, then I call them to
test and it's good again.  Sometimes it's good just by unplugging the cable and
plugging it back.  Like you, we changed everything and that didn't help.
Finally, we talked to a knowledgeable Verizon tester and he mentioned the
rate on the line is ~17 which is high.  It should be around 0 or negative.
He said that's because of mismatched clocking between our hardware and the
central office crossover equipment. The normal tester won't look at this,
they only do the loopback pattern testing, so you should ask them about the
rate of your line.
They swapped one smart jack, but that didn't help, so they will swap the
other today.  Hopefully that will do it.
Good information here about troubleshooting T1
http://www.informit.com/library/content.aspx?b=Troubleshooting_Remote_Access&seqNum=61


Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ted Mittelstaedt
Sent: Wednesday, October 15, 2008 7:31 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] OK, what is a cheap and dirty hack to test a port

Hi All,

  I have an 8 port PA-8T serial card in a router.  The card has an
octopus cable that is plugged into a rack of card DSU's.  Most
of the DSU's have T1's into them.

  One T1 has developed a problem where it runs for a few hours
and then the router serial interface it is on goes down.  When
it's down, from the carrier side the carrier can issue a loop
command to the CSU on the port, and the CSU will loop up, and
the carrier can run patterns on it all day long just fine.

  I have replaced both the 8 port card and the DSU card in the
rack on that specific port with no change.

  If I momentarily flip the loopback switch on the DSU to throw a loop
towards the carrier, facing away from the router, when the switch
returns the router port enables and the T1 runs for a few more
hours just fine.  I didn't believe this when I first saw it,
but I've done it several times since.  I actually don't think the
looping has anything to do with anything though - if I pull the
DSU card and replace it, the circuit comes back up also.

  So I went and moved the T1 to another DSU and port on the router and
inserted a physical loopback plug into the problem DSU network port.  The
router port of course sees this as a looped port now.

  My question, is there a way I can configure the router port
so that I can throw a massive amount of (bogus, naturally)
traffic to it, and the traffic will go out the port, through the
DSU, loopback through the hard loopback plug, then come back
into the router and go into the bit bucket?

 If I simply assign something like IP 127.0.0.5/30 to the port and
throw a ton of traffic to 127.0.0.6, will the packets actually
go out the port?  Or will the router see that the port is looped
and just discard the traffic?

Ted



Re: [c-nsp] OK, what is a cheap and dirty hack to test a port

2008-10-15 Thread Luan Nguyen
It's on fiber.  I asked if we could get network timing from them, but they
said no, not on this type of circuit. 
Also, this circuit has been working for years with the same setting :)

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roy
Sent: Wednesday, October 15, 2008 10:36 AM
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] OK, what is a cheap and dirty hack to test a port

Just because it's a point to point circuit doesn't mean one side has to
have internal clocking.  This is only true if the circuit is copper all
the way.   There are lots of reasons that the telco would have its own
equipment installed on the circuit and you would need network timing.

Roy

Luan Nguyen wrote:
 ...


Re: [c-nsp] OK, what is a cheap and dirty hack to test a port

2008-10-15 Thread Luan Nguyen
They claimed they don't provide clocking on point to point circuits...not
even for testing's sake!  We did play around with both sides getting network
timing, with switching the side providing clocking, with both going
internal...etc, but nothing worked.  It only works for some hours after they
break in the circuit for testing.

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lamar Owen
Sent: Wednesday, October 15, 2008 10:37 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] OK, what is a cheap and dirty hack to test a port

On Wednesday 15 October 2008 10:22:17 Luan Nguyen wrote:
 Is it a Verizon circuit?
 We have a T1 circuit with Verizon and have the same problem.  We have a
 point to point circuit, so one side has clocking set to internal to provide
 the clocking and the other side feeds from the line.

Have you tried setting the clock to line on the side where you have the
clock set to internal?  Some point to point T1's still need both CPE's to have
clock set to line.

I don't have a point to point T1, but I do have a point to point OC3, and in
that case clock must be set to line on both ends, as the network provides
the clock.
-- 
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC  28772
http://www.pari.edu


Re: [c-nsp] OK, what is a cheap and dirty hack to test a port

2008-10-15 Thread Luan Nguyen

Paul,

Thanks.
We do have one side set to internal and the other to line and did forget
about it for years.
I believe one side of our circuit is encapsulated in a DS3, since one tester
said they couldn't loop since they had to loop the whole DS3.
The other side must be just a regular T1 and they are cross connected by the
DACS at the central office.  Verizon said they have to be in sync.
Something must have happened for them to be out of sync after all these years.

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net


-Original Message-
From: Paul G. Timmins [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 15, 2008 12:03 PM
To: Luan Nguyen; Roy
Cc: cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] OK, what is a cheap and dirty hack to test a port

Most modern sonet gear does not provide clocking to individual DS1s
running it. The only reason clocking ever existed on point to point
circuits was that the older gear couldn't avoid being an active
participant in the circuit. It's possible the carrier you're using has
upgraded the equipment, and where it was once providing the clocking
(which it couldn't avoid previously), it's now on gear that can now act
indistinguishably from a straight piece of wire (of course, it has to
follow T1 line encoding and framing, but beyond that..).

I've seen this plenty over the last 5 years as carriers upgrade, and
roll DS3s onto newer gear. One night, the clocking gets funky, and you
have to enable clock, which was causing problems before, but now works
fine.

(Of course, we don't feel it as much, because we are syncing our gear
off the BITS in our CO, so we'd be in sync with the ILEC whether we
provide clocking or not, so we just provide clocking on our end of all
loops, and slave the customer sites.)
 
It's also possible for two devices set to clock off line to work for a
while, without anyone providing external clock. Since there's not really
a clock signal per se, but just a directive that says whether your
internal source is authoritative, or whether you should be sending your
own frames in sync with the frames you're getting off the line, both
devices can feed off of each other (a device without line clock will
fall back to internal clock, and start sending frames. The other device
will see the clock signal on the line, and sync with it. Then the
original device sees the framing on the line, and syncs with that. The
devices then sync off whatever each other are sending. Because this
isn't precise (but can be precise enough), it's possible for the line
to work for a while like that, until power blips, line hits, or random
cosmic noise cause the whole thing to fall apart).

Anyway, the network has to actively participate in the circuit to
provide clock, and the field has been running away from this for
years. Set one side to line clock, and one to internal, and forget it.
It's a single line of config. :)

-Paul

PS: I'm using the term providing clock because that's what we're
calling it in this thread. The way you should actually think about it
though, is using your own clock reference, or using the reference coming
from the line. In the PSTN world, everyone provides clock (uses their
own clock reference) and you don't trust the line clock from anywhere.
Because your clock references are in sync with each other (because
you're syncing off a cesium reference, using GPS, or CDMA, or you have a
BITS T1 from the local LEC, or some combination of those) everything
works flawlessly (insofar as that's possible in real life). CPE aren't
expected to have their own stratum 1 reference clock, so they just trust
the line signal. If you're connecting CPE to CPE, you're going to have
to provide your own reference clock, and it doesn't have to be stratum 1
since you're not interfacing with anyone else (unless you're passing
through some real old DACS or Mux gear that actively participates in the
circuit, rather than just encapsulating it in a DS3 and sending it on
its way through the network) it doesn't have to be in sync.

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Luan Nguyen
 Sent: Wednesday, October 15, 2008 10:51 AM
 To: 'Roy'
 Cc: cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] OK, what is a cheap and dirty hack to test a port
 
 It's on fiber.  I asked if we could get network timing from them, but they
 said no, not on this type of circuit.
 Also, this circuit has been working for years with the same setting :)
 
 Luan Nguyen
 Chesapeake NetCraftsmen, LLC.
 www.NetCraftsmen.net
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Roy
 Sent: Wednesday, October 15, 2008 10:36 AM
 Cc: cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] OK, what is a cheap and dirty hack to test a port
 
 Just because its a point to point circuit doesn't mean one side has to
 have internal clocking.  This is only true if the circuit is 
 copper all
 the way.   There are lots of reasons

Re: [c-nsp] OK, what is a cheap and dirty hack to test a port

2008-10-15 Thread Luan Nguyen
-Original Message-
From: Ted Mittelstaedt [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 15, 2008 12:01 PM
To: Luan Nguyen; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] OK, what is a cheap and dirty hack to test a port



 -Original Message-
 From: Luan Nguyen [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, October 15, 2008 7:22 AM
 To: 'Ted Mittelstaedt'; cisco-nsp@puck.nether.net
 Subject: RE: [c-nsp] OK, what is a cheap and dirty hack to test a port


 Is it a Verizon circuit?
 We have a T1 circuit with Verizon and have the same problem.  We have a
 point to point circuit, so one side has clocking set to internal to provide
 the clocking and the other side feeds from the line.
 I wrote the problem up at http://ccie-security.blogspot.com/
 But basically, it will be up for some hours then down, then I call them to
 test and it's good again.  Sometimes it's good just by unplugging the cable
 and plugging it back in.  Like you, we changed everything and that didn't help.
 Finally, we talked to a knowledgeable Verizon tester and he mentioned the
 rate on the line is ~17 which is high.  It should be around 0 or negative.
 He said that's because of mismatched clocking between our hardware and the
 central office crossover equipment.

Luan,

  We have several spans going through Verizon.  One thing I have
found is that Verizon uses different makes and models of NIUs at the
remote sites.  The newest make and model of NIU they use (I have it
documented somewhere but I cannot find it) is not compatible with
certain makes and models of CSU/DSUs.  I found that out with one
of our customer spans that was the first span delivered through
one of these newer NIUs.  We fortunately never standardized on
DSU/CSUs (I get them off Ebay nowadays for cents on the dollar)
and I have always favored use of -external- DSU's coupled to a
serial port on the router rather than the integrated Cisco WIC
with DSU.  So with that span I had 5 different
make and model DSU's to experiment with.

  The problem I believe is that certain DSU's are particular
on the frequency clock they slave to.  If the clock is too far
off frequency from what the CSU/DSU thinks it is supposed to be,
even if the CSU is set to slave clock from the span, it will slip
anyway.

  Unfortunately I wish it were that simple with my own problem.
In my instance, the spans are actually going into an M13 mux
from the DSU bank (most are, at any rate), so it is a consistent
environment on all spans going into the router.

Ted


Ted,

I was also told by one of the techs that their NIU isn't compatible with the
VWIC card we have in the router.
But our circuit has been working for years.  I tested 4 different types of
Wan Interface Cards and none worked.
Verizon somehow agreed to replace their NIUs at both ends.  And that seems
to work so far. 3 hours and counting...

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Fwd: NAT in VRF

2008-10-09 Thread Luan Nguyen
Yes you can.  I used to do that with 2 VRF-Lites on 2 DMVPN tunnels.
Platform doesn't make any difference.


Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gary Roberton
Sent: Thursday, October 09, 2008 7:28 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Fwd: NAT in VRF

-- Forwarded message --
From: Gary Roberton [EMAIL PROTECTED]
Date: Wed, Oct 8, 2008 at 10:13 AM
Subject: NAT in VRF
To: cisco-nsp@puck.nether.net cisco-nsp@puck.nether.net


Can someone please confirm for me that you can have the same IP address in
different VRFs natted to different destinations.  In other words;

217.1.1.1 nat to 10.1.1.1 in VRF A
217.1.1.1 nat to 192.168.1.1 in VRF B

I can't see any reason why not.

What about if using VRF-Lite on a 3845, does that make any difference?

It's a funny question but I have been asked this and have no access to the
kit to prove it working and I have to have a solid answer.

Thanks.

Gary
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



Re: [c-nsp] MPLS and IPSEC co-working (reviving an old thread)

2008-10-05 Thread Luan Nguyen
You could encrypt the GRE tunnel.  Everything traversing the tunnel will get
encrypted.
On CORE-DIA-1

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key cisco address 172.16.0.98
crypto isakmp keepalive 10 4 periodic
!
!
crypto ipsec transform-set TEST esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile foo
 set transform-set TEST
 set pfs group5
!
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 ip mtu 1420  
 ip tcp adjust-mss 1436
 mpls ip
 mpls mtu 1508
 keepalive 1 3
 tunnel source FastEthernet0/0
 tunnel destination 172.16.0.98
 tunnel protection ipsec profile foo

Just the reverse on the other side.

You, and the original poster, could do IPSEC encryption between CEs of the
MPLS VPN by using GET-VPN (if you don't want to do that encrypted L2TPv3
suggestion :))
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/product_data_sheet0900aecd80582067.html
The CE-to-CE routing remains the same, with added security.



-
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Christopher Hunt
Sent: Sunday, October 05, 2008 3:01 PM
To: cisco-nsp
Subject: Re: [c-nsp] MPLS and IPSEC co-working (reviving an old thread)

For simplicity's sake let's say that i have 2 7206VXRs running
advip-12.4(9)T2. They're in separate cities, each has a direct Internet feed
plus a L2 feed between them. Each one is a PE, and running L3VPNs for
customers. I use OSPF as an IGP. Everything's working great, but I want to
build VPN failover in case the L2 feed between them goes down.

Since the backup is a L3 service, MPLSoGRE seems the best option for me. 
  At the same time, I want to encrypt ***at least the customer vrf
traffic*** when it uses the L3 MPLSoGRE path.  I'm no wiz with IPSec
unfortunately and am struggling to understand the process.

I've got the GRE Tunnels up and failing over but can't seem to understand
how to encrypt the customer data.  See attached configs. 
Anyone have any pointers?  See
http://markmail.org/message/lob467v2oxc6my5x for original thread


onward through the fog,
Christopher Hunt

 Original Message 
Subject:[c-nsp] MPLS and IPSEC co-working
From:   Oliver Boehmer (oboehmer) ([EMAIL PROTECTED])
Date:   08/16/2007 09:31:25 AM
List:   net.nether.puck.cisco-nsp

 Andris Zarins  wrote on Thursday, August 16, 2007 1:44 PM:
 
 Hi,
 
 Network setup is pretty trivial - three routers running MPLS (LDP
 full-mesh) to support 20+ MPLS VPNs. Tricky part is that customer is
 asking to secure that infrastructure by running IPSEC (3DES). As far as I
 know, I can not run LDP over Tunnel interfaces, and crypto-maps will not
 help also. Concept of running IPSEC between CPEs doesn't make sense, as
 there are no CPEs :( Question is - is VRF-Lite plus back-to-back
 connectivity, like option A for inter AS MPLS, the only viable option I
 have, or I'm missing something and there are other, more scalable ways to
 do it?

well, you can run MPLSoGRE at least on SW-based platforms (like the 7200),
haven't checked for 6500/7600 or GSR.. You could also use BGP-L3VPN over
L2TPv3 and then encrypt the L2TPv3 traffic using crypto-maps..

Not a complete solution, I know..

oli


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] SA-VAM2+ usage problem?

2008-09-30 Thread Luan Nguyen
On average, the VAM2+ should be able to do ~60Mbps VPN traffic (on a 7206VXR
NPEG2)
Maybe try to use IPSEC profile configuration instead of the legacy interface
crypto map configuration.  
And also, try a different IOS.  There should be at least a 12.4.15T7 out
there I believe.



-
Luan Nguyen
Senior Network Engineer
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nemeth Laszlo
Sent: Tuesday, September 30, 2008 9:55 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] SA-VAM2+ usage problem?

Hello,

I have two 7201 (c7200p-advipservicesk9-mz.124-15.T3.bin) routers with 
SA-VAM2+ modules.

I have a tunnel interface between these routers. If I push ~24Mbit/sec of
traffic into this tunnel, the routers' CPUs go to 90%. It was the same
performance without the VAM2+ too. So is the VAM2+ module not being used?

Our routers' configs are the same, only the IP addresses differ. The Tunnel
interface is very important, because I run OSPF over it.

vpn0# sh pas vam interface
VPN Acceleration Module Version II+ in slot : 1
Statistics for Hardware VPN Module since the last clear
of counters 4294967 seconds ago
   988980327 packets in          988980327 packets out
302199518411 bytes in         318057273220 bytes out
         230 paks/sec in              230 paks/sec out
         562 Kbits/sec in             592 Kbits/sec out
           0 pkts compressed            0 pkts not compressed
           0 bytes before compress      0 bytes after compress
       1.0:1 compression ratio      1.0:1 overall
      526096 commands out          526096 commands acknowledged
Last 5 minutes:
     2854900 packets in            2854900 packets out
        9516 paks/sec in              9516 paks/sec out
    24058078 bits/sec in          25240088 bits/sec out


In this last line the 24058078 bit/s traffic is normal, it is the
aggregated traffic on my tunnel0 interface. But the 562 Kbit/sec in
and 592 Kbits/sec out is too small, I think it should be ~24000 Kbit/sec.

Config:

crypto isakmp policy 10
  encr 3des
  hash md5
  authentication pre-share
  group 2
crypto isakmp key abcabc address 192.168.1.1
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set vpn-standard esp-3des esp-sha-hmac
!
crypto map vpnmap 20 ipsec-isakmp
  set peer 192.168.1.1
  set transform-set vpn-standard
  match address VPN
!
interface Tunnel0
  description VPN0-VPN1
  ip address 10.0.0.1 255.255.255.252
  ip ospf cost 100
  load-interval 30
  keepalive 2 2
  tunnel source 192.168.0.1
  tunnel destination 192.168.1.1
!
interface GigabitEthernet0/1.2
  description VPN1
  encapsulation dot1Q 2
  ip address 192.168.0.1
  no ip redirects
  no ip proxy-arp
  ip nat outside
  no ip virtual-reassembly
  crypto map vpnmap
!
ip access-list extended VPN
  permit gre host 192.168.0.1 host 192.168.1.1


Any idea?

Thanks!

Regards,
Laszlo
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



Re: [c-nsp] IP-VPN CE-PE local pref problem

2008-09-30 Thread Luan Nguyen

Try changing the route-map to:

route-map ipvpn_0001 permit 10
 set extcommunity soo 894:1
 set local-preference 90

instead of:

route-map ipvpn_0001 permit 10
 set extcommunity soo 894:1

route-map ipvpn_0001 permit 20
 set local-preference 90

Luan



-
Luan Nguyen
Senior Network Engineer
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Tech
Sent: Tuesday, September 30, 2008 2:55 PM
To: David Freedman; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] IP-VPN CE-PE local pref problem

Here you go

PE1#sh ip bgp vpnv4 rd 894:1 5.14.93.0
BGP routing table entry for 894:1:5.14.93.0/24, version 222
Paths: (3 available, best #2, table ipvpn_0001)
  Advertised to update-groups:
 1
  65535
    5.14.95.244 (metric 11) from 5.14.95.244 (5.14.95.244)
  Origin IGP, metric 0, localpref 100, valid, internal
  Extended Community: SoO:894:1 RT:894:2
  mpls labels in/out 26/23
  65535
    5.14.93.222 from 5.14.93.222 (5.14.93.253)
  Origin IGP, metric 0, localpref 100, valid, external, best
  Extended Community: SoO:894:1 RT:894:2
  mpls labels in/out 26/nolabel
  65535, (received-only)
    5.14.93.222 from 5.14.93.222 (5.14.93.253)
  Origin IGP, metric 0, localpref 100, valid, external
  mpls labels in/out 26/nolabel


PE2#sh ip bgp vpnv4 rd 894:1 5.14.93.0
BGP routing table entry for 894:1:5.14.93.0/24, version 237
Paths: (3 available, best #1, table ipvpn_0001)
  Advertised to update-groups:
 1
  65535
    5.14.93.226 from 5.14.93.226 (5.14.93.254)
  Origin IGP, metric 0, localpref 100, valid, external, best
  Extended Community: SoO:894:1 RT:894:2
  mpls labels in/out 23/nolabel
  65535, (received-only)
    5.14.93.226 from 5.14.93.226 (5.14.93.254)
  Origin IGP, metric 0, localpref 100, valid, external
  mpls labels in/out 23/nolabel
  65535
    5.14.95.243 (metric 11) from 5.14.95.243 (5.14.95.243)
  Origin IGP, metric 0, localpref 100, valid, internal
  Extended Community: SoO:894:1 RT:894:2
  mpls labels in/out 23/26

inbound route-map from CE2 to PE2
route-map ipvpn_0001 permit 10
 set extcommunity soo 894:1

route-map ipvpn_0001 permit 20
 set local-preference 90
!



- Original Message 
From: David Freedman [EMAIL PROTECTED]
To: cisco-nsp@puck.nether.net
Sent: Tuesday, September 30, 2008 5:51:55 PM
Subject: Re: [c-nsp] IP-VPN CE-PE local pref problem

can you post show ip bgp vpnv4 rd rd x.x.x.x/y from both PEs ? for
the prefix in question?

Dave

Mark Tech wrote:
 Hi
 I have set up a dual homed IP-VPN network between 2 PE's and 2 CE's using
 SoO - that's all working fine.

 I have added an inbound route-map to the 'backup' PE and CE to reduce
 the local preference in order to make the other PE and CE the preferred
 gateways.

 CE1PE1 primary
 |                  |
 CE2PE2 backup

 The CE local pref works fine, however on the PE side, local pref doesn't
 seem to have any effect,

 i.e. I have reduced the local pref to 90 on the backup link, however if
 I check the routing in the backup PE, nothing seems to have changed. Can
 I just check that local pref actually works across an MP-BGP environment?
 
 If so I must be doing something wrong
 
 Regards
 
 Mark
 
 
      
 ___
 cisco-nsp mailing list  cisco-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/cisco-nsp
 archive at http://puck.nether.net/pipermail/cisco-nsp/
 


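The inbound route-map Mark posted has two permit sequences and no match clause on either, which is the whole problem. The following is an added example (my code, not from the thread or from Cisco) that models how IOS evaluates a route-map sequence by sequence and shows why the split form leaves local preference at 100 while Luan's merged form sets it to 90:

```python
"""Model of IOS route-map evaluation (added example, not from the thread).

IOS walks a route-map in sequence order and applies the first sequence whose
match clauses all succeed; a permit sequence with no match clause matches
every route, so nothing after it is ever evaluated. That is why the split
route-map sets the SoO but never changes local preference.
"""
from dataclasses import dataclass, field


@dataclass
class Seq:
    number: int
    permit: bool = True
    match: dict = field(default_factory=dict)  # attribute -> value that must be present
    set: dict = field(default_factory=dict)    # attribute -> value to assign


@dataclass
class Route:
    prefix: str
    attrs: dict


def apply_route_map(seqs, route):
    """Return (accepted, attributes) after the first matching sequence is applied."""
    attrs = dict(route.attrs)  # never mutate the caller's route
    for seq in sorted(seqs, key=lambda s: s.number):
        if all(attrs.get(k) == v for k, v in seq.match.items()):
            if not seq.permit:
                return False, attrs
            attrs.update(seq.set)
            return True, attrs  # first match wins; later sequences are not evaluated
    return False, attrs  # implicit deny when no sequence matches


# Mark's inbound route-map on PE2: two permit sequences, neither with a match clause
SPLIT = [
    Seq(10, set={"soo": "894:1"}),
    Seq(20, set={"local_preference": 90}),
]

# Luan's suggested form: one sequence carrying both set clauses
MERGED = [
    Seq(10, set={"soo": "894:1", "local_preference": 90}),
]


def localpref_after(route_map, prefix="5.14.93.0/24"):
    """(accepted, SoO, local preference) for a freshly learned eBGP route."""
    route = Route(prefix, {"local_preference": 100})  # IOS default localpref
    accepted, attrs = apply_route_map(route_map, route)
    return accepted, attrs.get("soo"), attrs["local_preference"]


if __name__ == "__main__":
    print("split  :", localpref_after(SPLIT))
    print("merged :", localpref_after(MERGED))
```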

Re: [c-nsp] SA-VAM2+ usage problem?

2008-09-30 Thread Luan Nguyen
Oh yeah,
Fragmentation definitely is problematic.  When a packet has to be split
into two fragments to accommodate a smaller interface MTU, and one of these
fragments is large enough that it needs to be fragmented again after
it has been encrypted, the IPSec peer has to reassemble this packet before
decryption. This double fragmentation increases latency and lowers
throughput. Also, reassembly is process-switched, so there is a CPU hit on
the receiving router whenever this happens.
I usually put ip mtu 1420 on the tunnel interface to compensate for GRE +
IPSEC tunnel mode, and that seems to work great.  But one of my senior
engineers, Marty, told me that ip tcp adjust-mss works better because it also
compensates when the host implements PMTUD (sets DF) but then ignores the
ICMP packet-too-big response from the router.  And only the TCP SYN packets
have to be modified, not every packet.  Moreover, you don't have to worry
much about UDP-based apps since almost all of them always select a segment
size much smaller than a 1500 MTU.  The old default was 512 bytes (576 IP
packet).  Some apps improve throughput by upping that to 1024 bytes.
The byte sizes are true for TCP as well.  The smaller packet size you go,
the worse throughput gets.  If your traffic is around 100 - 200 bytes or
less, you are lucky to get 20Mbps at 90% CPU :)

Luan


-
Luan Nguyen
Senior Network Engineer
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter Rathlev
Sent: Tuesday, September 30, 2008 2:07 PM
To: Nemeth Laszlo
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] SA-VAM2+ usage problem?

Hi Laszlo,

On Tue, 2008-09-30 at 15:55 +0200, Nemeth Laszlo wrote:
 I have two 7201 (c7200p-advipservicesk9-mz.124-15.T3.bin) routers with 
 SA-VAM2+ modules.
 
 I have a tunnel interface between these routers. If I push ~24Mbit/sec of
 traffic into this tunnel, the routers' CPUs go to 90%. It was the same
 performance without the VAM2+ too. So is the VAM2+ module not being used?

We currently have a NPE-G1 with SA-VAM2 (not +) doing more or less the
same thing, and it uses ~20% CPU doing about 20 mbit/s through the
tunnel. As far as I can see it's 50/50 interrupt and process routing,
probably the GRE part that's handled in the slow path. I'm not sure, but
a GRE configuration like this and CEF might not be best friends.

When you send the 24mbit/s traffic, what does your show cpu say? The
7201 should be an NPE-G2, so you shouldn't get worse results than the
above.

We use 12.4 mainline (IP IPSEC 3DES) by the way, that may make a
difference.

 Our routers' configs are the same, only the IP addresses differ. The Tunnel
 interface is very important, because I run OSPF over it.
 
 vpn0# sh pas vam interface
 VPN Acceleration Module Version II+ in slot : 1
 Statistics for Hardware VPN Module since the last clear
 of counters 4294967 seconds ago
    988980327 packets in          988980327 packets out
 302199518411 bytes in         318057273220 bytes out
          230 paks/sec in              230 paks/sec out
          562 Kbits/sec in             592 Kbits/sec out
            0 pkts compressed            0 pkts not compressed
            0 bytes before compress      0 bytes after compress
        1.0:1 compression ratio      1.0:1 overall
       526096 commands out          526096 commands acknowledged
 Last 5 minutes:
      2854900 packets in            2854900 packets out
         9516 paks/sec in              9516 paks/sec out
     24058078 bits/sec in          25240088 bits/sec out
 
 In this last line the 24058078 bit/s traffic is normal, it is the
 aggregated traffic on my tunnel0 interface. But the 562 Kbit/sec in
 and 592 Kbits/sec out is too small, I think it should be ~24000 Kbit/sec.

I think the small numbers are the averages since you last cleared
counters. Are they still too small?

 interface Tunnel0
   description VPN0-VPN1
   ip address 10.0.0.1 255.255.255.252
   ip ospf cost 100
   load-interval 30
   keepalive 2 2
   tunnel source 192.168.0.1
   tunnel destination 192.168.1.1
 !
 interface GigabitEthernet0/1.2
   description VPN1
   encapsulation dot1Q 2
   ip address 192.168.0.1
   no ip redirects
   no ip proxy-arp
   ip nat outside
   no ip virtual-reassembly
   crypto map vpnmap
 !

Fragmentation could be problematic too, so we use ip tcp adjust-mss on
both the inside interface and the tunnel interface to compensate for the
GRE + IPSec overhead.

Regards,
Peter
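
Luan's rule of thumb above (ip mtu 1420 on the tunnel, or ip tcp adjust-mss) and the transform sets used earlier in the thread (esp-aes 256 esp-sha-hmac with mode transport in the MPLSoGRE config, esp-3des esp-sha-hmac in the default tunnel mode in the VAM2+ config) can be checked arithmetically. The following is an added example, not code from the thread or from Cisco; it models the GRE (RFC 2784) and ESP (RFC 4303) header sizes and assumes the HMAC-SHA1-96 ICV and CBC IV sizes IOS uses for those transforms:

```python
"""GRE-over-IPsec overhead calculator (added example, not from the thread).

Derives the largest inner IP packet that survives GRE + ESP encapsulation
on a 1500-byte link, and the TCP MSS that goes with a given tunnel ip mtu,
for the transform sets that appear in the thread's configurations.
"""
from dataclasses import dataclass

IPV4_HDR = 20
TCP_HDR = 20
GRE_HDR = 4            # plain GRE: flags/version + protocol type, no key or sequence
ESP_HDR = 8            # SPI + sequence number
ESP_TRAILER = 2        # pad length + next header
SHA1_HMAC96_ICV = 12   # esp-sha-hmac carries a 96-bit truncated HMAC

# transform cipher name -> (IV length, cipher block size) in bytes
CIPHERS = {
    "esp-3des": (8, 8),
    "esp-aes": (16, 16),
    "esp-aes 256": (16, 16),
}


@dataclass(frozen=True)
class Transform:
    cipher: str
    tunnel_mode: bool = True   # IOS default; the MPLSoGRE config sets "mode transport"


def esp_size(plaintext_len: int, t: Transform) -> int:
    """Bytes occupied by ESP header, IV, padded payload, trailer and ICV."""
    iv_len, block = CIPHERS[t.cipher]
    # padding makes (payload + pad + trailer) a multiple of the cipher block size
    pad = (-(plaintext_len + ESP_TRAILER)) % block
    return ESP_HDR + iv_len + plaintext_len + pad + ESP_TRAILER + SHA1_HMAC96_ICV


def gre_ipsec_wire_size(inner_packet: int, t: Transform) -> int:
    """On-the-wire size of an inner IP packet after GRE and then ESP."""
    if t.tunnel_mode:
        # tunnel mode encrypts the whole GRE packet (delivery header included)
        # and prepends a new outer IPv4 header
        gre_packet = IPV4_HDR + GRE_HDR + inner_packet
        return IPV4_HDR + esp_size(gre_packet, t)
    # transport mode keeps the GRE delivery header in the clear and
    # encrypts only the GRE header plus the inner packet
    return IPV4_HDR + esp_size(GRE_HDR + inner_packet, t)


def max_inner_mtu(link_mtu: int, t: Transform) -> int:
    """Largest inner packet that fits link_mtu without fragmentation."""
    size = link_mtu
    while gre_ipsec_wire_size(size, t) > link_mtu:
        size -= 1
    return size


def tcp_mss_for_mtu(ip_mtu: int) -> int:
    """MSS that keeps a full TCP segment inside the given IP MTU."""
    return ip_mtu - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    cases = {
        "esp-aes 256 esp-sha-hmac, mode transport (MPLSoGRE config)":
            Transform("esp-aes 256", tunnel_mode=False),
        "esp-3des esp-sha-hmac, tunnel mode (VAM2+ config)":
            Transform("esp-3des"),
        "esp-aes 256 esp-sha-hmac, tunnel mode":
            Transform("esp-aes 256"),
    }
    for label, t in cases.items():
        wire = gre_ipsec_wire_size(1420, t)
        verdict = "fits" if wire <= 1500 else "FRAGMENTS on"
        print(label)
        print(f"  1420-byte inner packet -> {wire} bytes on the wire ({verdict} a 1500-byte link)")
        print(f"  largest inner MTU for a 1500-byte link: {max_inner_mtu(1500, t)}")
    print(f"TCP MSS matching ip mtu 1420: {tcp_mss_for_mtu(1420)}")
```

Run as written it shows that a 1420-byte inner packet comes out at 1496 bytes for both transform sets used in the thread, but at 1512 bytes with AES in tunnel mode, where the inner MTU has to drop to 1414; the MSS that matches ip mtu 1420 is 1380.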

Re: [c-nsp] Propagating a default route...

2008-09-30 Thread Luan Nguyen
Perhaps set a static route for xx.xx.xx.xx (where you get your default
route) in your server?


-
Luan Nguyen
Senior Network Engineer
Mobile:  703-953-9116
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jeff Kell
Sent: Tuesday, September 30, 2008 3:56 PM
To: cisco-nsp
Subject: [c-nsp] Propagating a default route...

Having an issue with BGP... 

I have a border router that can't do full feeds (6500/Sup2) so it is
taking partials (upstream customers).  I am trying to make decisions
on which upstream to use as a default route.  For traffic shaping
purposes, I have a server that acts as an eBGP peer to get the path
information to different destinations.  With the path information, I can
look at the AS path for the destination and determine which upstream is
the BGP-preferred peer.

This works great when I have the paths, but I need the current default
to trickle down to the shaping server.

If I do a straightforward bgp peer x.x.x.x default-originate then the
server gets a default with MY AS number, which is not what I want.  I
want the currently selected default upstream's AS.

The border router is getting a default from the upstreams, and the route
shows up properly with the upstream AS path:

   Network          Next Hop            Metric LocPrf Weight Path
 * 0.0.0.0          xx.xx.xx.xx              0             0  i

I want this to propagate down to the shaping server, but it doesn't show
up (unchanged if I remove default-originate).

I'm not doing any outbound filtering to the shaping server.

I'm already doing no synch but it doesn't help.  I think I'm missing
another bit or two.

Ring any bells?

Jeff
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



Re: [c-nsp] Debugging Cisco VPN Client Software ... Is it even possible ?

2008-09-23 Thread Luan Nguyen
Usually I find that the client VPN log along with the Concentrator log are enough.
You could try to use Wireshark on the client machine for more detailed
information.

Luan



-
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net






-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Wilkinson, Alex
Sent: Tuesday, September 23, 2008 8:27 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Debugging Cisco VPN Client Software ... Is it even possible ?

Hi all,

From the _client_ perspective can anyone recommend any tools/techniques to
debug Cisco VPN client problems ? (they drive me mad). These are mostly
Windows based clients connecting to a cisco vpn concentrator. I tend to
trawl through event logs and client vpn logs and really have no real
success with debugging.

The VPN client really feels like a black box :(

Any hot tips with how to debug VPN clients not being able to connect into
a vpn concentrator (from the _client_ perspective) ?

Thanks!

 -aW



___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



Re: [c-nsp] GRE over IPSec

2008-09-19 Thread Luan Nguyen
Justin,

You could try the following:

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address j.j.j.j
!
!
crypto ipsec transform-set 3dessha esp-3des esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
 set peer j.j.j.j
 set transform-set 3dessha
 set pfs group1
 match address remote
!
ip access-list extended remote
 permit gre host y.y.y.y host z.z.z.z
!
interface tunnel0
ip address x.x.x.x
tunnel source y.y.y.y
tunnel destination z.z.z.z
!
interface WAN
ip address y.y.y.y
crypto map vpn
!
router eigrp 1
network x.x.x.x
network LAN

Where j.j.j.j is the ASA address and z.z.z.z is your router behind it.

-Luan


-
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Justin Shore
Sent: Friday, September 19, 2008 5:04 PM
To: 'Cisco-nsp'
Subject: [c-nsp] GRE over IPSec

I'm trying to figure out if a router can push a GRE tunnel over top of 
an IPSec tunnel that's originated on the same router, through an ASA 
terminating the other end of the IPSec tunnel and to another IOS router 
behind the ASA.  I've seen this done with an ASA at both sites in front 
of the local router but I've never seen it done with the router 
originating the IPsec tunnel.  Is this possible?  Any tips on how to 
accomplish this?  I'm thinking that the tunnel destination should be the IOS 
router at the remote site which should also match the ACL for traffic to 
a given destination (the remote end of the tunnel).  I'm not sure what 
the order of operations would be though so I'm not sure if the GRE 
tunnel would end up in the IPSec tunnel.

I want to deploy 800-series wifi routers at remote sites (COs, large 
cabinets, etc) and have them VPN back to our HQ's ASAs and a second 
backup site.  I'd like to run a routing protocol out to them to give 
them 2 paths into our network over the 2 tunnels, preferably OSPF in 
this case.  My thought was a simple pair of GRE tunnels through the 
IPSec tunnels.  I could always place an IOS router at the HQ and use it 
to terminate IPSec-encrypted GRE tunnels.  That would add more cost 
though.  I already have one at the backup site though.

Suggestions?  Thanks
  Justin


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



Re: [c-nsp] Cisco NAC

2008-09-16 Thread Luan Nguyen
First try Cisco:
http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html
http://cisconac.blogspot.com/

One of my coworkers' blog - he's excellent with NAC deployment.
http://cnc-networksecurity.blogspot.com/

Mailing list:  
http://listserv.muohio.edu/scripts/wa.exe?A0=cleanaccess

-Luan


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Fischer
Sent: Tuesday, September 16, 2008 6:29 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco NAC

Does anyone here use the Cisco NAC product?  Is there a mailing list of
which anyone knows specifically for Cisco NAC?  User's group?  Online
community?  Any assistance in directing me toward any of these resources
would be genuinely appreciated.

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



Re: [c-nsp] Using CA certificates and pre-shared keys on the same box

2008-09-10 Thread Luan Nguyen
You could try to configure 2 ISAKMP profiles:  one using CA, one using
pre-shared.  Then configure 2 IPSEC profiles accordingly.

-Luan


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, September 10, 2008 10:07 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Using CA certificates and pre-shared keys on the same box

Hi,

I have a 2851 working as a hub for remote VPN sites using CA
certificates. I want to add other remotes which are using pre-shared
keys as their authentication method.

Is it possible to configure the hub router to support both the CA
trustpoint and pre-shared keys?

 

Kind regards

 

Nasir Shaikh 

 



[c-nsp] Advertising NAT pool using OSPF on the ASA

2008-06-12 Thread Luan Nguyen
Hello,

 

According to this document:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1042725

If you NAT to a pool of addresses, then this pool of addresses will be advertised
to the upstream router automatically.

I have the set up:   Router5---outside-ASA-insideRouter6, running
OSPF between ASA and Router5.

I just can't get the global pool advertised to Router1 using OSPF.  Anyone
done this before and know how?

 

ASA(config)#show run router ospf
router ospf 1
 network 10.10.10.1 255.255.255.255 area 0
 network 192.168.1.1 255.255.255.255 area 0
 log-adj-changes
!

ASA(config)# show int ip brief
Interface              IP-Address   OK? Method Status                Protocol
GigabitEthernet0/0     192.168.1.1  YES manual up                    up
GigabitEthernet0/1     172.16.1.1   YES manual up                    up
GigabitEthernet0/2     unassigned   YES unset  administratively down down
GigabitEthernet0/3     10.10.10.1   YES manual up                    up
Management0/0          unassigned   YES unset  administratively down down

ASA(config)# show run static
static (inside,outside) 192.168.2.9 172.16.1.9 netmask 255.255.255.255

ASA(config)# show run global
global (outside) 1 192.168.2.10-192.168.2.253 netmask 255.255.255.0

ASA(config)# show run nat
nat (inside) 1 0.0.0.0 0.0.0.0


R5#show ip route ospf
     10.0.0.0/24 is subnetted, 3 subnets
O       10.10.10.0 [110/11] via 192.168.1.1, 00:17:28, GigabitEthernet0/1


R6#ping 5.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
.

R5(config)#
*Jun 12 15:53:17.675: ICMP: echo reply sent, src 5.5.5.5, dst 192.168.2.10
*Jun 12 15:53:19.675: ICMP: echo reply sent, src 5.5.5.5, dst 192.168.2.10
*Jun 12 15:53:21.675: ICMP: echo reply sent, src 5.5.5.5, dst 192.168.2.10
*Jun 12 15:53:23.675: ICMP: echo reply sent, src 5.5.5.5, dst 192.168.2.10
*Jun 12 15:53:25.675: ICMP: echo reply sent, src 5.5.5.5, dst 192.168.2.10

R5#show ip route 192.168.2.0
% Network not in table

How do I advertise 192.168.2.0/24 to R5 using OSPF?

Thanks.

Luan
http://63.210.18.237/luan/



[c-nsp] Analog Dial backup AND dialin management using the same external modem

2008-06-11 Thread Luan Nguyen
Hello,

Anyone using an analog modem connected to an AUX port for dial backup, in
case your T1 primary link fails?  The hard part is: can you use that modem
for dial-in to manage your router when not using the dial backup?

Thanks.

Luan Nguyen
http://63.210.18.237/luan/


Re: [c-nsp] ACL making me insane

2008-06-03 Thread Luan Nguyen
The established keyword matches on ACK and RST, I think.  When someone first
contacts your webserver, there is nothing established about it, I don't think
:P
I, as a matter of choice, stay away from established and always allow matching
counter flows in the ACL.

-lmn


On Tue, Jun 3, 2008 at 1:58 PM, Enno Rey [EMAIL PROTECTED] wrote:

 Hi,

 On Tue, Jun 03, 2008 at 01:37:30PM -0400, Luan Nguyen wrote:
  The problem is when someone contacts your protected server, you need to
  allow the counter flow of that.
  For example, you need to have:  permit tcp host PROTECTEDSERVER eq 80 any gt
  1024  so that the web counter flow will work (counter flow of this line:
  permit tcp any host PROTECTEDSERVER eq 80)

 this is not correct as there's the tcp any any established rule which
 should (and does) permit that.

 thanks,

 Enno







 
  -lmn
 
  On Tue, Jun 3, 2008 at 1:23 PM, Skeeve Stevens [EMAIL PROTECTED]
 wrote:
 
  
   Hey all,
  
   Got an issue with the below ACL.  The inbound to the PROTECTEDSERVER is
   working ok: port 80 is allowed, RDP from one trusted machine.
   But on the outbound, with the deny ip any any active (notice the !), the
   inbound won't work, nor can the server get out.

   What am I missing?

   Basically what I want to do is deny all, allow only certain things.
  
   .Skeeve
  
   !
   no ip access-list extended FWCUST_XXX_IN
   ip access-list extended FWCUST_XXX_IN
    remark Inbound Firewall rules for XXX Services
    permit tcp any host PROTECTEDSERVER established
    permit tcp host ALLOWEDREMOTE host PROTECTEDSERVER eq 3389
    permit tcp any host PROTECTEDSERVER eq 80
    permit icmp any any
    deny   ip any any
   !
   no ip access-list extended FWCUST_XXX_OUT
   ip access-list extended FWCUST_XXX_OUT
    remark Outbound Firewall rules for XXX Services
    permit tcp any any established
    permit tcp host PROTECTEDSERVER host SAFEMAIL eq smtp
    permit tcp host PROTECTEDSERVER host SAFEMAIL eq pop3
    permit icmp any any
    permit tcp host PROTECTEDSERVER any eq domain
    permit udp host PROTECTEDSERVER any eq domain
    permit tcp host PROTECTEDSERVER any eq 80
    permit tcp host PROTECTEDSERVER any eq 21
    permit udp host PROTECTEDSERVER any eq 20
   ! deny   ip any any
   !
   !
   !
   interface GigabitEthernet0/2.402
    ip access-group FWCUST_XXX_OUT in
    ip access-group FWCUST_XXX_IN out
   !
   end
   !
  
   --
   Skeeve Stevens, RHCE
   [EMAIL PROTECTED] / www.skeeve.org
   Cell +61 (0)414 753 383 / skype://skeeve
  
   eintellego - [EMAIL PROTECTED] - www.eintellego.net
   --
   I'm a groove licked love child king of the verse
   Si vis pacem, para bellum
  
  

 --
 Enno Rey

 ERNW GmbH - Breslauer Str. 28 - 69124 Heidelberg - www.ernw.de
 Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
 PGP FP 055F B3F3 FE9D 71DD C0D5  444E C611 033E 3296 1CC1

 Handelsregister Heidelberg: HRB 7135
 Geschaeftsfuehrer: Roland Fiege, Enno Rey
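As an added example (not code from the thread), a small Python model of how the IOS `established` keyword decides packets: it runs a client's web handshake through the two ACLs Skeeve posted (TCP lines only) and checks a segment to the RDP port from an untrusted address. The placeholders PROTECTEDSERVER, ALLOWEDREMOTE and the client are replaced with constructed documentation-range addresses, and the counter-flow line is the one Luan describes.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: FrozenSet[str] = frozenset()  # TCP flag names, e.g. {"SYN", "ACK"}

@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src: str                         # host address or "any"
    dst: str                         # host address or "any"
    sport_eq: Optional[int] = None   # source port 'eq N'
    dport_eq: Optional[int] = None   # destination port 'eq N'
    dport_gt: Optional[int] = None   # destination port 'gt N'
    established: bool = False        # IOS 'established': ACK or RST bit set

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.src not in ("any", pkt.src) or rule.dst not in ("any", pkt.dst):
        return False
    if rule.sport_eq is not None and pkt.sport != rule.sport_eq:
        return False
    if rule.dport_eq is not None and pkt.dport != rule.dport_eq:
        return False
    if rule.dport_gt is not None and pkt.dport <= rule.dport_gt:
        return False
    # 'established' looks at header bits only; there is no connection table,
    # so a bare SYN never matches but any segment carrying ACK or RST does.
    if rule.established and not (pkt.flags & {"ACK", "RST"}):
        return False
    return True

def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching line wins; every IOS ACL ends with an implicit deny."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"

# Constructed documentation-range addresses standing in for the placeholders.
SERVER = "198.51.100.10"   # PROTECTEDSERVER
REMOTE = "192.0.2.25"      # ALLOWEDREMOTE
CLIENT = "203.0.113.7"     # an arbitrary Internet client

# FWCUST_XXX_IN, applied 'out' on the subinterface: traffic towards the server.
ACL_IN = [
    Rule("permit", "any", SERVER, established=True),
    Rule("permit", REMOTE, SERVER, dport_eq=3389),
    Rule("permit", "any", SERVER, dport_eq=80),
    Rule("deny", "any", "any"),
]
# FWCUST_XXX_OUT, applied 'in': traffic leaving the server (TCP lines only).
ACL_OUT = [
    Rule("permit", "any", "any", established=True),
    Rule("permit", SERVER, "any", dport_eq=53),
    Rule("permit", SERVER, "any", dport_eq=80),
    Rule("deny", "any", "any"),
]
# Luan's alternative for the web service: an explicit counter-flow line
# (permit tcp host PROTECTEDSERVER eq 80 any gt 1024) instead of 'established'.
ACL_OUT_COUNTERFLOW = [
    Rule("permit", SERVER, "any", sport_eq=80, dport_gt=1024),
    Rule("deny", "any", "any"),
]

def web_handshake(acl_in: List[Rule], acl_out: List[Rule]) -> List[str]:
    """Decisions for the three segments of a client opening a web connection."""
    syn = Packet(CLIENT, SERVER, 51000, 80, frozenset({"SYN"}))
    synack = Packet(SERVER, CLIENT, 80, 51000, frozenset({"SYN", "ACK"}))
    ack = Packet(CLIENT, SERVER, 51000, 80, frozenset({"ACK"}))
    return [evaluate(acl_in, syn), evaluate(acl_out, synack), evaluate(acl_in, ack)]

def rdp_probe(acl_in: List[Rule], flags: FrozenSet[str]) -> str:
    """Decision for one segment from the untrusted client to the RDP port."""
    return evaluate(acl_in, Packet(CLIENT, SERVER, 51001, 3389, flags))

if __name__ == "__main__":
    print("web handshake, 'established':", web_handshake(ACL_IN, ACL_OUT))
    print("web handshake, counter-flow line:", web_handshake(ACL_IN, ACL_OUT_COUNTERFLOW))
    print("RDP SYN from untrusted client:", rdp_probe(ACL_IN, frozenset({"SYN"})))
    # Neither style tracks state: an ACK-only segment satisfies 'established'
    # although no handshake took place, which is why a stateful feature
    # (reflexive ACLs, CBAC, zone-based firewall) belongs on an exposed edge.
    print("RDP ACK-only from untrusted client:", rdp_probe(ACL_IN, frozenset({"ACK"})))
```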


Re: [c-nsp] EIGRP vs BGP route selection

2008-05-22 Thread Luan Nguyen
You have to have EIGRP redistributed into BGP as well?
Once in the BGP table, locally redistributed routes will have a weight of 32768,
which will be preferred over the EBGP weight of 0.  I remember reading over
at the Netpro forum that someone said it's a race condition:  EIGRP
converges faster and gets there first.
You either do what TAC suggested or you could use a route-map to set things
so that the EIGRP redistributed routes get lower priority.  But you have to
do it, though.
If you don't do anything and just clear EIGRP and the BGP route gets into the
routing table, later if that link fails, EIGRP will be in there and won't
get out even if the link comes back up.

-lmn

On Thu, May 22, 2008 at 2:21 PM, Uddin, Tahir 
[EMAIL PROTECTED] wrote:

 Hi All,

 I am summarizing an issue I am seeing, wondering if anyone might have
 some input on this.

 In the following topology, I have a floating static route (distance 250)
 redistributed into EIGRP on R1 which sends the redistributed route to R2
 which sends it to R3. R4 sees the EIGRP route from R3 and an EBGP route
 from R4. I would have thought that R3 would pick the EBGP route since
 EBGP as a protocol has an admin distance of 20 as opposed to the EIGRP
 admin distance of 170, but I see the EIGRP route in the routing table of
 R3. Based on TAC's recommendation, we ended up using a route map that
 applies a higher weight to the EBGP route to make it more preferable.
 Shouldn't R3 use the EBGP route by default because it has lower admin
 distance compared to redistributed EIGRP?



StaticEIGRP
 EIGRP  EBGP

 10.10.10.0/24
 -R1R2---
 -R3R4---10.10.10.0/24



 Thanks








Re: [c-nsp] BGP with yourself...

2008-04-24 Thread Luan Nguyen
Very interesting.  I have a problem with having an Ethernet in global doing
NAT over a VRF, and the VRF doesn't know how to get to the Ethernet LAN
segment in the global.
I was thinking of just doing: ip route vrf whatever 1.1.1.0 255.255.255.0
3.3.3.3 global, where 3.3.3.3 is just some bogus nonexistent address (just
to dump the packets destined for 1.1.1.0 out into the global, since you can't
put ethernet0 global because you can't do a VPN route to a non-point-to-point
interface).
I can imagine us using this dynamic route exchanger way when needing to
move lots of routes.

-lmn

On Thu, Apr 24, 2008 at 5:19 PM, Asbjorn Hojmark - Lists [EMAIL PROTECTED]
wrote:

  Now it trying to have an iBGP-session with itself,

 How strange. Normally it'll complain that it can't peer with
 itself.

  a thing I normally can't configure. :-)

 That actually is possible: Set up two loopbacks, create a tunnel
 between the loopbacks, and peer over that tunnel with one end of
 the BGP session in a VRF (vpnv4).

 (I did that recently to get routes from the global table into a
 VRF. It's annoying there's no good way to do that on a single
 router).

 -A



Re: [c-nsp] 2801 bandwidth limiting

2008-04-24 Thread Luan Nguyen
I would say you need to use CBWFQ for this.
Create an ACL matching everything (or whatever interests you) going out of your
network and assign it to a class-map, then create a policy map:
policy-map out
 class out
  bandwidth 10000
  shape peak 13000000
interface WAN
 service-policy output out

-lmn

On Thu, Apr 24, 2008 at 6:48 PM, Dan Letkeman [EMAIL PROTECTED] wrote:

 Bizarre response.  It just so happens that it's a shared
 connection and there is more than 10 available now, and will be
 getting 20+ in the future.

 :)

 On Thu, Apr 24, 2008 at 5:23 PM, Adam Armstrong [EMAIL PROTECTED] wrote:
 
  Dan Letkeman wrote:
 
   Hello,
  
   We have changed our internet connection over from 4 dsl lines to one
   connection.  We have a 25mbit connection provided by a neighboring
   company and we have an agreement with them that we will only use
   10mbit bursting to 12 or 13mbit.  What would I need to do on our 2801
   to limit our bandwidth to 10 bursting to 13?
  
  
   What a bizarre arrangement! If you had just taken 10mbit you could have
  just done speed 10 :)
 
   adam.
 


Re: [c-nsp] BFD state remains in AdminDown

2008-02-27 Thread Luan Nguyen
I don't think that 12.4.15T3 has VRF support for BFD.
Maybe try 12.2.33SRC (depends on what kind of routers you have).
I had a configuration like that and it didn't work for me. Mine isn't a PE-CE
kind, so I didn't bother with SRC code.

-lmn

On Wed, Feb 27, 2008 at 11:34 PM, Stephen Fulton [EMAIL PROTECTED]
wrote:

 I have BFD configured between two routers, both running 12.4(15)T3.  On
 router A, BFD cycles between INIT and DOWN.  On router B, the state
 remains AdminDown.  Here are the configs for both interfaces:

 -- snip --

 Router A:

 interface FastEthernet0/0.1000
  encapsulation dot1Q 1000
  ip vrf forwarding CUSTOMER
  ip address 10.248.1.1 255.255.255.248
  no ip redirects
  ip ospf hello-interval 2
  ip ospf dead-interval 6
  ip ospf priority 255
  ip ospf bfd
  bfd interval 50 min_rx 50 multiplier 5
  no cdp enable
 end


 Router B:

 interface FastEthernet0/0
  bandwidth 1544
  ip address 10.248.1.2 255.255.255.248
  no ip redirects
  ip ospf hello-interval 2
  ip ospf dead-interval 6
  ip ospf bfd
  duplex full
  speed 10
  bfd interval 50 min_rx 50 multiplier 5
  no cdp enable
 end

 -- snip --

 And here is the output from sh bfd neighbors detail for both:

 -- snip --

 Router A:

 Sheridan#sh bfd neighbors 10.248.1.2 details

 OurAddr     NeighAddr   LD/RD  RH/RS  Holddown(mult)  State  Int
 10.248.1.1  10.248.1.2  7/3    Down   4108 (5 )       Init   Fa0/0.1000
 Local Diag: 1, Demand mode: 0, Poll bit: 0
 MinTxInt: 100, MinRxInt: 100, Multiplier: 5
 Received MinRxInt: 100, Received Multiplier: 5
 Holddown (hits): 4108(102), Hello (hits): 1000(567)
 Rx Count: 619, Rx Interval (ms) min/max/avg: 744/1092/879 last: 892 ms ago
 Tx Count: 773, Tx Interval (ms) min/max/avg: 1/1000/704 last: 424 ms ago
 Elapsed time watermarks: 0 8 (last: 4)
 Registered protocols: OSPF
 Last packet: Version: 1- Diagnostic: 0
  State bit: Down   - Demand bit: 0
  Poll bit: 0   - Final bit: 0
  Multiplier: 5 - Length: 24
  My Discr.: 3  - Your Discr.: 0
  Min tx interval: 100- Min rx interval: 100
  Min Echo interval: 5


 Router B:

 OurAddr     NeighAddr   LD/RD  RH/RS  Holddown(mult)  State  Int
 10.248.1.2  10.248.1.1  3/0    Down   0    (0 )       Down   Fa0/0
 Local Diag: 0, Demand mode: 0, Poll bit: 0
 MinTxInt: 100, MinRxInt: 100, Multiplier: 5
 Received MinRxInt: 0, Received Multiplier: 0
 Holddown (hits): 0(0), Hello (hits): 1000(515)
 Rx Count: 0, Rx Interval (ms) min/max/avg: 0/0/0 last: 1351524 ms ago
 Tx Count: 516, Tx Interval (ms) min/max/avg: 756/1000/879 last: 168 ms ago
 Elapsed time watermarks: -1 0 (last: 0)
 Registered protocols: OSPF
 Last packet: Version: 1- Diagnostic: 0
  State bit: AdminDown  - Demand bit: 0
  Poll bit: 0   - Final bit: 0
  Multiplier: 0 - Length: 0
  My Discr.: 0  - Your Discr.: 0
  Min tx interval: 0- Min rx interval: 0
  Min Echo interval: 0

 -- snip --

 I'm out of ideas, and there is nothing in the bug toolkit.. Suggestions?

 -- Stephen


Re: [c-nsp] What is pv in show ip arp?

2008-02-21 Thread Luan Nguyen
My guess would be private-vlan
Can you do a show vlan private-vlan and see?

-lmn

On Thu, Feb 21, 2008 at 10:30 AM, Christian Bering [EMAIL PROTECTED] wrote:

 Hi all,

 When a show ip arp shows the following:

 Protocol  Address      Age (min)  Hardware Addr   Type   Interface
 Internet  172.31.7.25  0          000c.dbf5.fa00  ARPA   Vlan15 pv 3030

 What does pv 3030 indicate?

 Thanks,
 --
 Regards
  Christian Bering
  IP engineer, nianet a/s
  Phone: (+45) 7020 8730


Re: [c-nsp] redundant VPNs

2008-02-20 Thread Luan Nguyen
1800/2800 should have no problem handling a T1 VPN.  Use AIM-SSL1/SSL2
encryption cards for them.  Tag on Zone-based FW and IOS IPS and your
customer should feel safe :)

-lmn

On Feb 20, 2008 11:48 AM, Adam Greene [EMAIL PROTECTED] wrote:

 Hi,

 A customer of ours has two sites, one with an 1800 the other with a 2800.
 There's a point-to-point T1 connecting the locations. The two locations also
 have a backup link through my network via DSL.

 The customer wants to establish a VPN between the two locations over the
 ptp T1, and a backup VPN over the DSL lines in case the ptp T1 goes down.

 I should be able to rely on the 1800/2800 for this, shouldn't I? I can add
 sonicwalls on each end if needed, but I think the routers should be able to
 handle it alone. What do you think?

 Thanks,
 Adam


Re: [c-nsp] EIGRP redistribution between 2 VRFs

2008-02-15 Thread Luan Nguyen
Thank you guys.  Works wonderfully.  Stand-alone BGP... exactly what I need in
this situation.

-lmn

On Fri, Feb 15, 2008 at 8:56 AM, Oliver Boehmer (oboehmer) 
[EMAIL PROTECTED] wrote:

 Jeff Kell  wrote on Friday, February 15, 2008 2:46 PM:

  Michael Lyngbøl wrote:
  On 14.02.2008 16:06:03 -0500, Luan Nguyen wrote:
 
  Say i have VRF RED one one of the interface, and VRF BLUE on another
  interface.  And i need to run EIGRP on both of them.  They have
  their own ASN and don't want to change them.  How do i send routes
  learned from RED into BLUE and vice versa?
 
  Import the proper route-targets in VRF RED and VRF BLUE.
  You can also just import+export from/to one of the VRFs. Might need
  to attach import/export maps to filter which routes you'd like to
  import/export.
 
  That's the general idea, but it's not quite that simple (I wish it
  was!).   Or at least I could not get it to actually work with
  import/export alone.
 
  You must run iBGP for the import/export to actually work (at least on
  Catalyst hardware as CE/PE, IOS 12.2) and have iBGP redistributing
  your EIGRP instances, e.g.:
 
  router bgp 9
   !
   address-family ipv4
   redistribute connected
   exit-address-family
   !
   address-family ipv4 vrf RED
   redistribute connected
   redistribute eigrp [reds-ASN]
   exit-address-family
   !
   address-family ipv4 vrf BLUE
   redistribute connected
   redistribute eigrp [blues-ASN]
   exit-address-family
 
  If you subsequently want your red/blue EIGRP's to redistribute their
  respective imported routes further, you'll need to redistribute BGP
  within the EIGRP instances as well.
 
   Of course if all this extra stuff is NOT needed, I'd love to hear
   about it.  It took the import/export plus mutual redistribution in my
   case to get it to work as desired, and I ran out of patience before
   trying to selectively remove bits here and there to see which ones were
   NOT part of the solution.

 You are doing the right thing, you need to enable BGP (no neighbors
 needed) as import/export is only possible via BGP. Don't think you need the
 redist connected within ipv4-AF (the first address-family), but the rest
 is fine and required for this to work.

oli


[c-nsp] EIGRP redistribution between 2 VRFs

2008-02-14 Thread Luan Nguyen
Hello,

Say I have VRF RED on one of the interfaces, and VRF BLUE on another
interface.  And I need to run EIGRP on both of them.  They have their own
ASN and don't want to change them.  How do I send routes learned from RED
into BLUE and vice versa?  From the command line, EIGRP doesn't allow
redistribution of EIGRP from a VRF.

Sample config is something like this:
router eigrp 1
 passive-interface default
 no passive-interface Tunnel0
 no auto-summary
 !
 address-family ipv4 vrf RED
  network 10.0.0.0 0.0.1.255
  no auto-summary
  autonomous-system 1
 exit-address-family
!
router eigrp 2
 passive-interface default
 no passive-interface tunnel1
 no auto-summary
 !
 address-family ipv4 vrf BLUE
  network 10.1.1.1 0.0.0.0
  no auto-summary
  autonomous-system 1
 exit-address-family


DMVPNSite1R1(config-router-af)#redistribute eigrp 1 ?
  metric     Metric for redistributed routes
  route-map  Route map reference
  <cr>

No VRF option there, unlike say OSPF:

DMVPNSite1R1(config-router-af)#redistribute ospf 1 ?
  match      Redistribution of OSPF routes
  metric     Metric for redistributed routes
  route-map  Route map reference
  vrf        VPN Routing/Forwarding Instance
  <cr>

Is there a way to advertise routes between them?

TIA

-lmn


Re: [c-nsp] BFD aware VRF

2008-02-04 Thread Luan Nguyen
I have BGP running between PE and CE.
So on the PE, you do:
router bgp 
 address-family ipv4 vrf whatever
  neighbor y.y.y.y fall-over bfd
Do the same for the CE under BGP.
Then on the link between CE and PE, configure the bfd interval, etc.  That
should work.

The problem is my CE is a 1841 with a channelized T1/PRI port and even with
the latest 12.4.15T3, I can't put the bfd command under the serial
interface!  Without the interface-level bfd command, bfd won't work.  Hello?
I did try with an Ethernet link between PE and CE, and the bfd config looks
good.

-lmn


On Feb 4, 2008 11:47 AM, Vikas Sharma [EMAIL PROTECTED] wrote:

 Hi,

 Has anyone configured VRF-aware BFD? If yes, please let me know how.

 Regards
 Vikas Sharma


Re: [c-nsp] c7600 and VPLS

2008-01-29 Thread Luan Nguyen
Does anyone know when the 7200VXR can support VPLS?

thanks.

-lmn

On Jan 29, 2008 9:22 AM, Dennis Dubbelman [EMAIL PROTECTED] wrote:

 For supporting VPLS on a 7600, OSM or ES20 linecards are needed on the
 core-facing interfaces. Those cards will handle the label push and pop
 for SVI-based interfaces.

 You can use your defined hardware as an MPLS access node and terminate
 your PW on a VPLS-based 7600 router. This router must terminate the
 incoming PWs over an OSM or ES20 linecard.

 Cheers,,
 Dennis Dubbelman

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of MKS
 Sent: Tuesday, 29 January 2008 15:02
 To: cisco-nsp@puck.nether.net
 Subject: [c-nsp] c7600 and VPLS

 Hi

 I'm a bit confused about hardware support for VPLS and cisco 7600.

 If I have only LAN cards e.g. 6724 customer facing and 6704 core facing
 does that mean that I have no VPLS support or just not H-VPLS ?

 Can I run some topology of VPLS with only LAN cards (full mesh,
 hub-spoke, partial mesh)?

 Regards
 MKS


Re: [c-nsp] c7600 and VPLS

2008-01-29 Thread Luan Nguyen
Not ever?

Thanks.

-lmn

On Jan 29, 2008 11:32 AM, Mohacsi Janos [EMAIL PROTECTED] wrote:




 On Tue, 29 Jan 2008, Luan Nguyen wrote:

  Anyone knows when can the 7200VXR support VPLS?


 AFAIK VPLS is not supported on 7200VXR.
 Regards,
Janos


 
  thanks.
 
  -lmn
 
  On Jan 29, 2008 9:22 AM, Dennis Dubbelman [EMAIL PROTECTED] wrote:
 
  For supporting VPLS on a 7600, OSM or ES20 linecards are needed on the
  core-facing interfaces. Those cards will handle the label push and pop
  for SVI-based interfaces.

  You can use your defined hardware as an MPLS access node and terminate
  your PW on a VPLS-based 7600 router. This router must terminate the
  incoming PWs over an OSM or ES20 linecard.
 
  Cheers,,
  Dennis Dubbelman
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of MKS
  Sent: Tuesday, 29 January 2008 15:02
  To: cisco-nsp@puck.nether.net
  Subject: [c-nsp] c7600 and VPLS
 
  Hi
 
  I'm a bit confused about hardware support for VPLS and cisco 7600.
 
  If I have only LAN cards e.g. 6724 customer facing and 6704 core facing
  does that mean that I have no VPLS support or just not H-VPLS ?
 
  Can I run some topology of VPLS with only LAN cards (full mesh,
  hub-spoke, partial mesh)?
 
  Regards
  MKS
 



Re: [c-nsp] MPLS PE to PE over GRE/IPIP

2008-01-28 Thread Luan Nguyen
If you don't have MPLS then using GRE between PEs would be okay.
Do something like:
interface Tunnel1
 ip address 1.1.1.1 255.255.255.252
 tunnel source x.x.x.x
 tunnel destination y.y.y.y

y.y.y.y is the other PE's backbone-facing IP, reachable by x.x.x.x.
Then advertise your loopback address through the tunnel using whatever you
like... EIGRP, OSPF, static route.  The loopback is the MBGP peering point.
Then just do your normal configs.

-lmn

On Jan 28, 2008 2:49 PM, Masood Ahmad Shah [EMAIL PROTECTED] wrote:

 I'm in the process of connecting two or more Provider Edge routers using GRE/IPIP
 tunnels. What were your experiences? If the answer is yes then I would love
 to ask how you connect a PE to another PE using the GRE/IPIP tunnel
 interfaces. Keeping in mind that I'm going to carry multiple customers'
 traffic (VRF BGP-VPN) between these PEs.


