Re: [c-nsp] CSRv & VXLAN
While we are on this... Is OTV still Cisco proprietary? And is it still ASR1K and Nexus 7K support from the Cisco side? Wouldn't it be better to use L2TPv3, and MACsec if need be?

On Thu, Sep 24, 2015 at 2:40 PM, Luis Anzola wrote:
> Find below a very handy guide for the CSR1Kv and OTV:
>
> http://www.cisco.com/c/en/us/td/docs/solutions/Hybrid_Cloud/DRaaS/CSR/CSR/CSR5.html
>
> On Thu, Sep 24, 2015 at 2:22 PM, Mohammad Khalil wrote:
>
> > Hi
> > I have simulated this on GNS3
> > http://eng-mssk.blogspot.com/2015/09/otv-example.html?m=1
> >
> > It might give you a hint
> >
> > BR,
> > Mohammad
> >
> > Sent from Samsung Mobile
> >
> > Original message
> > From: Steve Mikulasik
> > Date: 24/09/2015 20:45 (GMT+02:00)
> > To: Luis Anzola
> > Cc: cisco-nsp@puck.nether.net
> > Subject: Re: [c-nsp] CSRv & VXLAN
> >
> > Yeah, after some further reading I think you are right. I'll extend the
> > question to include OTV on the CSRv platform. Any experiences would be
> > greatly appreciated.
> >
> > -----Original Message-----
> > From: Luis Anzola [mailto:anzo...@gmail.com]
> > Sent: Thursday, September 24, 2015 11:22 AM
> > To: Steve Mikulasik
> > Cc: cisco-nsp@puck.nether.net
> > Subject: Re: [c-nsp] CSRv & VXLAN
> >
> > I would look at OTV instead. It's a technology developed specifically for
> > DCI implementations and brings very important benefits with it.
> >
> > Luis
> >
> > Sent from my iPhone
> >
> > > On Sep 24, 2015, at 12:56 PM, Steve Mikulasik <steve.mikula...@civeo.com> wrote:
> > >
> > > Anyone have any experience with VXLAN on the CSRv? I need to span L2
> > > traffic across hosted datacenters (can't use a physical device unless it
> > > installs on x86 hardware) and was wondering if this is the way to go on
> > > this platform.
___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Cisco IOS XRv (Virtual ASR9k)
Nice... thanks. 5.3.1 is nice, though I don't think people will have access to the file exchange? The public link only has 5.1.2. On Mon, Aug 17, 2015 at 2:00 PM, Tim Densmore tdensm...@tarpit.cybermesa.com wrote: https://upload.cisco.com/cgi-bin/swc/fileexg/main.cgi?CONTYPES=Cisco-IOS-XRv On 8/17/2015 11:54 AM, Skeeve Stevens wrote: Hi all, I need to do some lab testing with XR for an ASR9001... Does anyone know where the XRv image is... I've looked everywhere... I think my search-foo is broken today :( ...Skeeve *Skeeve Stevens - Founder The Architect* - eintellego Networks Pty Ltd Email: ske...@eintellegonetworks.com ; Web: eintellegonetworks.com Phone: 1300 239 038 ; Cell +61 (0)414 753 383 ; Skype: skeeve Facebook: eintellegonetworks http://facebook.com/eintellegonetworks ; Twitter: eintellego https://twitter.com/eintellego LinkedIn: /in/skeeve http://linkedin.com/in/skeeve ; Expert360: Profile https://expert360.com/profile/d54a9 Elastic Fabrics - Elastic Engineers - Elastic ISPs - Elastic Enterprises ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Cisco IOS XRv (Virtual ASR9k)
That's the file exchange link... same as the other. I just thought that the file exchange is a place where Cisco publishes images that are not for the general public to you... that link works for me as well. Regards, -Luan On Mon, Aug 17, 2015 at 2:44 PM, Roland Dobbins via cisco-nsp cisco-nsp@puck.nether.net wrote: -- Forwarded message -- From: Roland Dobbins rdobb...@arbor.net To: cisco-nsp@puck.nether.net Cc: Date: Tue, 18 Aug 2015 01:37:48 +0700 Subject: Re: [c-nsp] Cisco IOS XRv (Virtual ASR9k) On 18 Aug 2015, at 1:36, Luan Nguyen wrote: Thanks Harold... but from the link that Roland sent... there's nothing there... Don't know what to tell you, it works for me. Try this one: https://upload.cisco.com/cgi-bin/swc/fileexg/main.cgi?CONTYPES=Cisco-IOS-XRv --- Roland Dobbins rdobb...@arbor.net ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Cisco IOS XRv (Virtual ASR9k)
Thanks Harold... but from the link that Roland sent... there's nothing there... Regards, -Luan On Mon, Aug 17, 2015 at 2:20 PM, Harold Ritter (hritter) hrit...@cisco.com wrote: Hi Luan, CCO has more than just 5.1.2. It also has 5.1.1, 5.2.0 and 5.3.0. Regards, Harold On 2015-08-17 14:08, « cisco-nsp on behalf of Luan Nguyen » cisco-nsp-boun...@puck.nether.net on behalf of lngu...@opsource.net wrote: Nice... thanks. 5.3.1 is nice, though I don't think people will have access to the file exchange? The public link only has 5.1.2. On Mon, Aug 17, 2015 at 2:00 PM, Tim Densmore tdensm...@tarpit.cybermesa.com wrote: https://upload.cisco.com/cgi-bin/swc/fileexg/main.cgi?CONTYPES=Cisco-IOS-XRv On 8/17/2015 11:54 AM, Skeeve Stevens wrote: Hi all, I need to do some lab testing with XR for an ASR9001... Does anyone know where the XRv image is... I've looked everywhere... I think my search-foo is broken today :( ...Skeeve *Skeeve Stevens - Founder The Architect* - eintellego Networks Pty Ltd Email: ske...@eintellegonetworks.com ; Web: eintellegonetworks.com Phone: 1300 239 038 ; Cell +61 (0)414 753 383 ; Skype: skeeve Facebook: eintellegonetworks http://facebook.com/eintellegonetworks ; Twitter: eintellego https://twitter.com/eintellego LinkedIn: /in/skeeve http://linkedin.com/in/skeeve ; Expert360: Profile https://expert360.com/profile/d54a9 Elastic Fabrics - Elastic Engineers - Elastic ISPs - Elastic Enterprises ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] CCIE Party pickup line
In the Washington DC area, there's the HOV slug-lines where you can pick up people for HOV, is there one for CCIE Party? :) We have a big team going this year and not enough CCIEs to get all in...anyone going solo, kindly drop me an email offlist? :) Thanks. Regards, -lmn ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] ASR1000v Loopback interface
Hello, does anyone use the loopback interface on the ASR 1000v to terminate VPN/DMVPN tunnels? How is the loopback interface on the ASR1000v related to the VMware resources? Say I already have the max of 10 vNICs mapped to 10 GigabitEthernet interfaces on the ASR1000v; how does the loopback interface come into play? On a side note, if I want to go with Check Point R77.20 Gaia, can I terminate the VPN tunnel on the loopback, assuming I use a public IP address on it? Thanks. Regards, -lmn ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Packet Fragmentation
If you're lucky enough to have a provider like NTT, which supports a 5000-byte MTU within their backbone, then for site-to-site VPN you could just jack up your MTU setting on all tunnel-related interfaces to, say, 5000 and avoid fragmentation altogether. On Thu, Feb 12, 2015 at 2:15 PM, Roland Dobbins rdobb...@arbor.net wrote: On 13 Feb 2015, at 1:45, Brian Christopher Raaen wrote: The fragmentation is unavoidable as this involves VPNs and the applications can't be adjusted to try smaller sized frames. If you're using the router as a VPN concentrator for users and you're talking about fragmentation of in-tunnel traffic, you should be able to adjust the MTU and/or MSS for the software clients connecting to the VPN concentrator downwards in order to account for tunnel overhead. If you're using the router for a site-to-site VPN, you can adjust the MTU downwards for the relevant interface(s) on the relevant router(s) to account for tunnel overhead. Jared was talking about the MSS of TCP traffic encapsulated within the tunnels, not the tunnel traffic itself (IPSEC wrapped in UDP/1?). --- Roland Dobbins rdobb...@arbor.net ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Primer for IOS-XR
Best place to be: https://supportforums.cisco.com/community/5996/xr-os-and-platforms The Document tab as well as the Blog tab will make you an expert at IOS-XR in no time. On Tue, Dec 16, 2014 at 10:49 AM, Scott Granados sc...@granados-llc.net wrote: Good morning, I have recently been exposed to some of the ASR hardware for the first time and while I'm well versed in standard IOS I haven't done much work with XR. Can anyone suggest a good pointer for getting up to speed? I'm most specifically interested in the new policy construction and building policies for BGP routing control. I googled for an IOS to IOS-XR translator as possibly a starting point and there seemed to be some internal resources but nothing public facing. Does any such package exist to do conversions and give me a starting point? Any help would be most appreciated. I've found some documents on the new policy structure but nothing that doesn't assume I already have a baseline in XR. Any pointers would be most appreciated. Thanks Scott ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] QSFP 40G breakout cable
Hi folks, Does anyone from the northern VA area have a couple of extra ones of these? I'd like to borrow them for a couple of days to see if they work in other vendors' equipment. Believe it or not, Cisco's one is much cheaper. Thanks! rg/lmn ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] Using Cisco Learning Credits for ccie lab
Hi folks, Can you use Cisco Learning Credits for CCIE lab payment? It seems like you can't, but I'm not sure if your Cisco Account Manager can do something about that? Also, where do people get exam vouchers from? Is that something your Cisco Account team can provide? We have some Cisco Learning Credits, and I am trying to find some creative ways of using them for the lab :) Some boot camps will pay for your lab fee after you attend them? Thanks. -br/lmn ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] DMVPN/mGRE on L3VPN - anyone experience issues with encapsulation overhead/MTU?
People do this all the time: GRE/IPsec backup to MPLS VPN. Lots of service providers have a managed service that does this for you. With modern hardware, fragmentation shouldn't be a big deal. Most providers have end-to-end jumbo frames, so you just need to be mindful of who does and who doesn't. Good luck. On Wed, Oct 9, 2013 at 11:30 AM, JP Senior seni...@bennettjones.com wrote: Hey, all. I'm looking at an option to consolidate and reduce complexity of a multi-provider L3VPN network in a way that lets me also use internet-based VPNs for backup. Right now I have dual provider uplinks at all of my sites to provide me inter-office WAN connectivity. DMVPN is a nice and easy option where I can have everything run in a single routing domain, drastically simplifying my network topology. Has anyone experience with a network running in such a design? I am concerned about increased latency, and worse, packet overhead. I'm not sure I'll be able to get jumbos on these providers, so I'll have to deal with IPsec/GRE overhead. I don't do anything crazy blocking with ICMP, but I'm still hesitant to move forward with such a design. -JP Senior
___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
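The two threads above (the NTT 5000-byte backbone in "Packet Fragmentation", and the GRE/IPsec-over-Internet overhead worry in the DMVPN thread) both come down to the same arithmetic: how much a GRE + ESP wrapper adds, and therefore what "ip mtu" and "ip tcp adjust-mss" to set on the tunnel so inner packets never fragment. The calculator below is an added example and not code from the list or from Cisco. Header sizes are the IPv4/GRE/ESP constants; the transform set (AES-CBC with a 16-byte IV, HMAC-SHA1-96 with a 12-byte ICV) and the three profile names are assumptions chosen to make the numbers concrete. A different transform changes the IV/ICV lengths and therefore the results.

```python
"""GRE/IPsec encapsulation overhead calculator (added example, not from the thread)."""
from dataclasses import dataclass

IPV4_HDR = 20
TCP_HDR = 20
GRE_HDR = 4          # base GRE header; "tunnel key" adds 4 more bytes
GRE_KEY = 4
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header
NAT_T_UDP = 8        # UDP/4500 header when NAT traversal is in effect


@dataclass(frozen=True)
class TunnelProfile:
    name: str
    ipsec_mode: str          # "transport": GRE delivery IP header stays outside ESP; "tunnel": new outer IP header
    gre_key: bool = False
    nat_t: bool = False
    cipher_block: int = 16   # AES-CBC block size (assumption)
    iv_len: int = 16         # AES-CBC IV length (assumption)
    icv_len: int = 12        # HMAC-SHA1-96 ICV length (assumption)


def encapsulated_size(p: TunnelProfile, inner_len: int) -> int:
    """On-the-wire size of an inner IP packet of inner_len bytes after GRE + ESP encapsulation."""
    gre_pkt = inner_len + GRE_HDR + (GRE_KEY if p.gre_key else 0)
    # What ESP encrypts: in tunnel mode the whole GRE/IP packet, in transport mode only the GRE payload.
    protected = gre_pkt + IPV4_HDR if p.ipsec_mode == "tunnel" else gre_pkt
    pad = (-(protected + ESP_TRAILER)) % p.cipher_block   # ESP pads plaintext + trailer to the block size
    esp = ESP_HDR + p.iv_len + protected + pad + ESP_TRAILER + p.icv_len
    return IPV4_HDR + (NAT_T_UDP if p.nat_t else 0) + esp  # outer IP header (+ UDP when NAT-T)


def largest_inner(p: TunnelProfile, path_mtu: int = 1500) -> int:
    """Largest inner packet that fits path_mtu after encapsulation.

    ESP padding makes the overhead step in cipher-block increments, so scan
    instead of subtracting a fixed number. This is the value for "ip mtu".
    """
    n = path_mtu
    while n > 0 and encapsulated_size(p, n) > path_mtu:
        n -= 1
    return n


def mss_clamp(p: TunnelProfile, path_mtu: int = 1500) -> int:
    """TCP MSS to advertise ("ip tcp adjust-mss") so a full segment never exceeds the tunnel MTU."""
    return largest_inner(p, path_mtu) - IPV4_HDR - TCP_HDR


def needs_fragmentation(p: TunnelProfile, inner_len: int, path_mtu: int = 1500) -> bool:
    """True if an inner packet of inner_len bytes would be fragmented on a path of path_mtu."""
    return encapsulated_size(p, inner_len) > path_mtu


PROFILES = [  # names are assumptions for this example
    TunnelProfile("gre-ipsec-transport", "transport"),
    TunnelProfile("gre-ipsec-tunnel", "tunnel"),
    TunnelProfile("dmvpn-transport-nat-t", "transport", nat_t=True),
]

if __name__ == "__main__":
    # 1500 = ordinary Internet path; 5000 = the jumbo backbone mentioned in the thread
    for mtu in (1500, 5000):
        for p in PROFILES:
            print(f"path MTU {mtu:>4}  {p.name:<24} ip mtu {largest_inner(p, mtu):>4}  "
                  f"ip tcp adjust-mss {mss_clamp(p, mtu):>4}  "
                  f"1500-byte inner fragments: {needs_fragmentation(p, 1500, mtu)}")
```

With these assumptions a plain GRE-over-IPsec transport-mode tunnel across a 1500-byte path carries at most a 1434-byte inner packet (MSS 1394); tunnel mode loses another 20 bytes and NAT-T another 8. Across a 5000-byte path every profile carries a full 1500-byte inner packet untouched, which is the point made in the NTT reply. The usual Cisco guidance of "ip mtu 1400 / ip tcp adjust-mss 1360" is simply a rounded-down version of this with headroom for a larger ICV or a GRE key.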
[c-nsp] Cisco ASA 8.4.7
Hi folks, With the newest advisory for the ASA: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa We are thinking of going uniform with Cisco ASA 8.4.7. Looking at the Resolved Caveats, lots of them got fixed: http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.html#wp631223 Has anyone been running 8.4.7 with good success? I am just looking for minimal NAT, mostly Remote Access VPN and a few hundred site to site VPN. Thanks. -Luan ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] XRv (xr on a server)
Did anyone get a chance to download whatever is under XRv? Its page is not available currently. If I remember correctly, my SE said you have to pay for it. The beta is going on right now and the list is long, I was told. You have a better chance of getting it from being leaked out than getting on the beta. Was thinking: with Titanium out, CSR1000v, Nexus1000v all available, now XRv is out? All you need to do is piece them together yourself to get a poor man's VIRL. On Thu, Oct 3, 2013 at 11:18 AM, Aaron aar...@gvtc.com wrote: Oh yeah! It will be very sweet. Aaron From: Oliver Garraux [mailto:oli...@g.garraux.net] Sent: Thursday, October 03, 2013 9:55 AM To: Lane Wigley (lwigley) Cc: Aaron; cisco-nsp@puck.nether.net Subject: Re: [c-nsp] XRv (xr on a server) I will be really really interested to see what they do pricing-wise on VIRL. Hope it's nothing crazy, I would love to be able to mess around with XR and NX-OS in the lab. Oliver - Oliver Garraux Check out my blog: blog.garraux.net Follow me on Twitter: twitter.com/olivergarraux On Thu, Oct 3, 2013 at 10:18 AM, Lane Wigley (lwigley) lwig...@cisco.com wrote: I think this is what you're looking for - VIRL http://www.cisco.com/web/solutions/netsys/CiscoLive/virl/index.html http://www.youtube.com/watch?v=nsbzHmwUz6I Targeted for Dec/Jan I think. - Lane -----Original Message----- From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Aaron Sent: Thursday, October 03, 2013 10:08 AM To: cisco-nsp@puck.nether.net Subject: [c-nsp] XRv (xr on a server) What do y'all know about this? I understand this is IOS XR on a nix server virtual machine or something like that. I'd like to get it on a few servers in my lab. Where do I get/download it?
Aaron ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] XRv (xr on a server)
Seriously doubt that it would be free. On Thu, Oct 3, 2013 at 11:02 AM, Jason Lixfeld ja...@lixfeld.ca wrote: This should be free. On 2013-10-03, at 10:55 AM, Oliver Garraux oli...@g.garraux.net wrote: I will be really really interested to see what they do pricing-wise on VIRL. Hope it's nothing crazy, I would love to be able to mess around with XR and NX-OS in the lab. Oliver - Oliver Garraux Check out my blog: blog.garraux.net Follow me on Twitter: twitter.com/olivergarraux On Thu, Oct 3, 2013 at 10:18 AM, Lane Wigley (lwigley) lwig...@cisco.com wrote: I think this is what you're looking for - VIRL http://www.cisco.com/web/solutions/netsys/CiscoLive/virl/index.html http://www.youtube.com/watch?v=nsbzHmwUz6I Targeted for Dec/Jan I think. - Lane -----Original Message----- From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Aaron Sent: Thursday, October 03, 2013 10:08 AM To: cisco-nsp@puck.nether.net Subject: [c-nsp] XRv (xr on a server) What do y'all know about this? I understand this is IOS XR on a nix server virtual machine or something like that. I'd like to get it on a few servers in my lab. Where do I get/download it? Aaron ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] asr1001 4 full bgp feed
Do you know if you can do IPsec with that as well? Or would you need the additional $10K IPsec license? Can it also do limited NAT? If so, what is the number before you add the 2M license? Can you run one RP2 with XE while the other runs IOS? Assuming they do have IOS for ASR and the features are compatible (bug/crash resistance). Can you have just one ESP with 2 RPs, or do you need 2 ESPs as well? If the RP crashes, does the current ESP die as well? I am using a 1013. Thanks in advance. Regards, Luan On Aug 1, 2013 4:19 AM, Adam Vitkovsky adam.vitkov...@swan.sk wrote: Given the relentless growth of the global v4 table, I wouldn't feel comfortable with a FIB capability of 512K. How long do you think that'll suffice? Well, looking at the weekly GRT report for the past few weeks it's roughly 41 weeks. 456943, 457245, 458665, 459588, 460435, adam ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] Bad console port - Cisco ASA 5540
Hi folks, I have a couple of ASA 5540s that I couldn't console into: the cursor just blinks. I tried all the baud rates listed but still no joy. I won't be able to RMA these. Any tricks to get the console to work? Thanks in advance. Regards, -lmn ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Sup2T rate limit
Hi Mack, Thanks for the suggestion. It's the VLAN for the ACE module, so nowhere to put that command. Regards, -Luan On Mon, Apr 22, 2013 at 12:47 PM, Mack McBride mack.mcbr...@viawest.com wrote: Did you use the 'mls qos vlan-based' command? Mack -----Original Message----- From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Luan Nguyen Sent: Sunday, April 21, 2013 10:04 AM To: cisco-nsp@puck.nether.net Subject: [c-nsp] Sup2T rate limit Hi folks, From what I've been reading, I could do the following to rate limit a VLAN to 100M:

class-map match-all rate
 match any
policy-map rate
 class rate
  police 1 3200 conform transmit exceed drop
int vlan99
 service-policy input rate

But show policy-map interface vlan99 detail doesn't show any statistics and show int vlan99 always has ~500M input which I want to police to 100M. It's running: s2t54-ipservicesk9-mz.SPA.150-1.SY1.bin Thanks! -lmn ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] Sup2T rate limit
Hi folks, From what I've been reading, I could do the following to rate limit a VLAN to 100M:

class-map match-all rate
 match any
policy-map rate
 class rate
  police 1 3200 conform transmit exceed drop
int vlan99
 service-policy input rate

But show policy-map interface vlan99 detail doesn't show any statistics and show int vlan99 always has ~500M input which I want to police to 100M. It's running: s2t54-ipservicesk9-mz.SPA.150-1.SY1.bin Thanks! -lmn ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
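The policer in the post is a single-rate, two-colour token bucket: a bucket of Bc bytes (3200 in the post) refilled at the CIR, one check per packet, conform-action transmit / exceed-action drop. The simulation below is an added example, written for this page and not code from the thread or from Cisco's forwarding ASICs; it models the textbook algorithm to show what those two numbers do to a 500 Mbps offered load of 1500-byte packets. The CIR of 100 Mbps is taken from the post's stated goal; the traffic pattern is constructed.

```python
"""Single-rate two-colour policer (token bucket) simulation. Added example, not from the thread."""
from fractions import Fraction


class Policer:
    """'police <cir> <bc> conform-action transmit exceed-action drop', textbook model."""

    def __init__(self, cir_bps: int, bc_bytes: int):
        # Exact rational arithmetic so the refill never drifts from float rounding.
        self.cir_bytes_per_ns = Fraction(cir_bps, 8 * 1_000_000_000)
        self.bc = bc_bytes
        self.tokens = Fraction(bc_bytes)   # bucket starts full
        self.last_ns = 0

    def offer(self, t_ns: int, size: int) -> str:
        """Return 'conform' or 'exceed' for a packet of size bytes arriving at t_ns."""
        refill = (t_ns - self.last_ns) * self.cir_bytes_per_ns
        self.tokens = min(Fraction(self.bc), self.tokens + refill)   # never above Bc
        self.last_ns = t_ns
        if size <= self.tokens:
            self.tokens -= size
            return "conform"
        return "exceed"          # no tokens are consumed on exceed


def simulate(cir_bps: int, bc_bytes: int, offered_bps: int, pkt_size: int, packets: int) -> dict:
    """Offer a constant stream of pkt_size-byte packets at offered_bps; count verdicts and the resulting rate."""
    gap_ns = pkt_size * 8 * 1_000_000_000 // offered_bps   # inter-arrival time of the offered stream
    pol = Policer(cir_bps, bc_bytes)
    counts = {"conform": 0, "exceed": 0}
    for i in range(packets):
        counts[pol.offer(i * gap_ns, pkt_size)] += 1
    duration_s = Fraction(packets * gap_ns, 1_000_000_000)
    counts["conform_bps"] = int(counts["conform"] * pkt_size * 8 / duration_s)
    return counts


if __name__ == "__main__":
    # The thread's case: 500M offered into a 100M policer with a 3200-byte bucket (constructed stream).
    print(simulate(100_000_000, 3200, 500_000_000, 1500, 1000))
    # Offered load at exactly the CIR: everything conforms.
    print(simulate(100_000_000, 3200, 100_000_000, 1500, 1000))
```

With Bc = 3200 the bucket holds barely two full-size packets, so after the first two the policer settles into one conforming packet for every four dropped: 201 of 1000 packets get through, which works out to 100.5 Mbps, i.e. the CIR plus the initial burst. The thread's actual problem was that the policy was never being applied to the SVI at all (no counters in "show policy-map interface"), which no amount of token arithmetic fixes; the model is only useful once the counters start moving.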
Re: [c-nsp] GRE tunnel over Internet
People run all sorts of routing protocols over the IPsec/GRE tunnel successfully (yeah, IPsec to be more secure)... must be some configuration errors then... r/g -lmn On Thu, Dec 6, 2012 at 12:46 PM, Chris Lane clane1...@gmail.com wrote: We are working on setting up a test where we run a GRE tunnel across the Internet, put OSPF between the tunnel and inject routes. I can get OSPF to form an adjacency but I cannot get routes to redistribute, nor inject by a network statement. Anyone do such? Any help or suggestions would be great. Thanks -- //CL ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] FDDI card for 7200 VXR
Hi folks, Does anyone have a FDDI PA VIP2 card for the 7200VXR series router that I can buy? Thanks. -Luan ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] FDDI card for 7200 VXR
Thanks guys. I guess I have to look into buying a 7200 as well. Regards, -Luan On Thu, Oct 28, 2010 at 2:25 PM, Mikael Abrahamsson swm...@swm.pp.se wrote: On Thu, 28 Oct 2010, Luan Nguyen wrote: Hi folks, Does anyone have a FDDI PA VIP2 card for the 7200VXR series router that I can buy? FDDI is not supported on the VXR afaik (only the non-VXR). VIP2 is 7500. http://www.cisco.com/en/US/ts/fn/000/fn3028.html Background When port adaptors without the Arbiter EPLD upgrade are installed in a 7200 VXR router, they will not operate properly. The down-version Port Adapters will not be recognized, will fail diagnostics and will not pass traffic. Not all port adapters are upgradeable or supported in the 7200 VXR router. The Cisco 7200 VXR routers support all port adapters supported on the Cisco 7200, except for the following: FDDI Port Adapters: * PA-F-MM * PA-F-SM * PA-F/FD-MM * PA-F/FD-SM -- Mikael Abrahamsson email: swm...@swm.pp.se ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] FDDI card for 7200 VXR
Ah, glad you brought that up. I was looking into a FDDI to Fast Ethernet converter: http://www.data-connect.com/RAD_AMC-101.htm Wonder if anyone uses that kind of converter and how reliable they are? I have a FDDI hand-off. Regards, -Luan On Thu, Oct 28, 2010 at 3:19 PM, Justin M. Streiner strei...@cluebyfour.org wrote: On Thu, 28 Oct 2010, Luan Nguyen wrote: I guess I have to look into buying a 7200 as well. Not knowing your situation or needs, would it make more sense to replace the FDDI gear with something that speaks Ethernet? jms ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Mysterious tunnel interfaces
I have those ISR2 (M1) as well as ASR1002 running DMVPN and don't have those ghost tunnels. Must be for some other services such as multicast. Try to remove them with no interface tunnel 0, and I think the router will tell you why you couldn't. Regards, -Luan -----Original Message----- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jay Nakamura Sent: Wednesday, August 11, 2010 8:53 PM To: cisco-nsp Subject: [c-nsp] Mysterious tunnel interfaces I was working on an ISR 1941 with 15.0(1)M2. I am running DMVPN on it and using one tunnel interface (Tunnel 1). No other tunnel interfaces are configured on the router. However when I do show int summary I get this:

#sh int summary
*: interface is up
 IHQ: pkts in input hold queue     IQD: pkts dropped from input queue
 OHQ: pkts in output hold queue    OQD: pkts dropped from output queue
 RXBS: rx rate (bits/sec)          RXPS: rx rate (pkts/sec)
 TXBS: tx rate (bits/sec)          TXPS: tx rate (pkts/sec)
 TRTL: throttle count

  Interface              IHQ  IQD  OHQ  OQD  RXBS RXPS  TXBS TXPS TRTL
* GigabitEthernet0/0       0    0    0    0  6000    5  6000    5    0
  GigabitEthernet0/1       0    0    0    0     0    0     0    0    0
* Serial0/0/0              0    0    0    0  3000    3  2000    2    0
  NVI0                     0    0    0    0     0    0     0    0    0
* Tunnel0                  0    0    0    0     0    0     0    0    0
* Tunnel1                  0    0    0   10  1000    2  1000    2    0
* Tunnel2                  0    0    0    0     0    0     0    0    0
* Tunnel3                  0    0    0    0     0    0     0    0    0

I thought maybe something got left behind while I was monkeying around in it, so I reloaded the router, and tunnels 0, 2 and 3 are still there and it says they're up. None of those interfaces are in the startup or running-config. What is going on here? My other routers with similar config on a 1841 with 12.4(15)T* don't have this issue. It doesn't seem to be affecting the routing of traffic, but it's really bothering me.
-Jay ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Network mapping...again
If money is not an issue, then I would suggest OPNET NetMapper. We had them come in and do a demo. We liked it. Regards, -lmn -----Original Message----- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of John Neiberger Sent: Thursday, August 12, 2010 1:11 PM To: cisco-nsp@puck.nether.net Subject: [c-nsp] Network mapping...again We're looking for a dynamic network mapping tool that does not require a large amount of hand-holding and manpower to manage. I don't care if this is a free or paid product. Ideally, I'd like something that autodiscovers the network including L2 and L3 devices, then intelligently maps them. I used to use Network Node Manager for this at another job years ago and I liked how it handled mapping. It did require a few tweaks to get right, but it worked very well. Something like that would be pretty handy, but we don't need NNM. We just need the mapping part. We have too many tools that already require a lot of time to maintain. I don't want to add another one that is going to take a lot of time. A reasonable amount of time is expected. I just don't want anything overly time consuming. This is a fairly large network with a large number of routers and switches, all Cisco. I just need something that works, and works well, preferably out of the box. I don't have time to build a grow-your-own solution or piece together open source stuff. Any thoughts? ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Zone Based Firewall default-class
Maybe class-default only allow traffic initiate from the zone and not return traffic? Check your log again... Try your Or, and try upgrade to T3 see if that makes a different. -- Luan Nguyen Chesapeake NetCraftsmen, LLC. -- -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jay Nakamura Sent: Friday, July 09, 2010 4:08 PM To: cisco-nsp Subject: [c-nsp] Zone Based Firewall default-class I have a strange problem with ZBFW or I am just missing something obvious. 3845 running 12.4(24)T advipservices I am trying to apply a firewall rule between two entities. Since I am not 100% sure what all traffic is passing through the two, I wanted to write rules for what I know and pass anything I don't know but log it so I can find out if that's suppose to be there or not. policy-map type inspect InPMAP class type inspect GeneralInCMAP inspect class class-default pass log policy-map type inspect OutPMAP class type inspect GeneralOutCMAP inspect class class-default pass log zone security Inside zone security Other zone-pair security Other-to-Inside source Other destination Inside service-policy type inspect InPMAP zone-pair security Inside-to-Other source Inside destination Other service-policy type inspect OutPMAP However, once I apply the zone, I get this Jul 9 15:04:51 192.168.1.253 266: Jul 9 15:04:50 EDT: %FW-6-LOG_SUMMARY: 5 packets were dropped from 192.168.1.143:1888 = 172.16.20.24:1433 (target:class)-(Inside-to-Other:class-default) Jul 9 15:04:51 192.168.1.253 267: Jul 9 15:04:50 EDT: %FW-6-LOG_SUMMARY: 5 packets were passed from 172.16.20.24:1433 = 192.168.1.102:2583 (target:class)-(Other-to-Inside:class-default) So, one direction, it's passing traffic as intended but the other direction it's dropping it on class-default What am I doing wrong? Or do I need to create a class-map that allows everything and pass it in that class? Is this a bug? 
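An added example, not part of the thread above: a small Python parser for the %FW-6-LOG_SUMMARY lines Jay posted, so the "pass + log" catch-all can be turned into an inventory of what class-default passed and what it dropped, per zone-pair, and a list of the destinations that still need an explicit inspect class. The sample lines are constructed here from the two in the message plus one extra drop and one unrelated syslog line; the genuine IOS message uses "=>" between source and destination, which the list archive shows as "=", so both are accepted.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Pattern for the IOS Zone-Based Firewall summary message. Real IOS prints "=>"
# between source and destination; the archive rendered it as "=", so both match.
FW_SUMMARY_RE = re.compile(
    r"%FW-6-LOG_SUMMARY:\s+(?P<count>\d+) packets? (?:were|was) "
    r"(?P<action>dropped|passed) from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s*=>?\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s+"
    r"\(target:class\)-\((?P<zone_pair>[^:()]+):(?P<cls>[^()]+)\)"
)

# Constructed sample: the two lines from the post, one more drop of the same kind,
# and one non-firewall syslog line that the parser must ignore.
SAMPLE_LOG = """\
Jul 9 15:04:51 192.168.1.253 266: Jul 9 15:04:50 EDT: %FW-6-LOG_SUMMARY: 5 packets were dropped from 192.168.1.143:1888 => 172.16.20.24:1433 (target:class)-(Inside-to-Other:class-default)
Jul 9 15:04:51 192.168.1.253 267: Jul 9 15:04:50 EDT: %FW-6-LOG_SUMMARY: 5 packets were passed from 172.16.20.24:1433 => 192.168.1.102:2583 (target:class)-(Other-to-Inside:class-default)
Jul 9 15:05:10 192.168.1.253 268: Jul 9 15:05:09 EDT: %FW-6-LOG_SUMMARY: 2 packets were dropped from 192.168.1.143:1889 => 172.16.20.24:1433 (target:class)-(Inside-to-Other:class-default)
Jul 9 15:05:12 192.168.1.253 269: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""


def parse_fw_summary(line: str) -> Optional[dict]:
    """Return the fields of one %FW-6-LOG_SUMMARY line, or None for other syslog."""
    m = FW_SUMMARY_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("count", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def parse_all(lines) -> List[dict]:
    return [r for r in (parse_fw_summary(l) for l in lines) if r is not None]


def summarize(lines) -> Dict[Tuple[str, str, str], int]:
    """Packet totals keyed by (zone-pair, class, action)."""
    totals: Counter = Counter()
    for r in parse_all(lines):
        totals[(r["zone_pair"], r["cls"], r["action"])] += r["count"]
    return dict(totals)


def class_default_drops(lines) -> List[dict]:
    """Drops charged to class-default: traffic that no explicit inspect class matched."""
    return [r for r in parse_all(lines)
            if r["cls"] == "class-default" and r["action"] == "dropped"]


def drop_targets(lines) -> Counter:
    """(zone-pair, dst, dport) being dropped, with packet counts; each entry is a
    candidate for an explicit class-map so it stops falling through to class-default."""
    c: Counter = Counter()
    for r in class_default_drops(lines):
        c[(r["zone_pair"], r["dst"], r["dport"])] += r["count"]
    return c


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for key, n in sorted(summarize(lines).items()):
        print(f"{key[0]:>16} {key[1]:<14} {key[2]:<8} {n:>5} packets")
    for (zp, dst, port), n in drop_targets(lines).most_common():
        print(f"unmatched traffic dropped on {zp}: {dst} port {port} ({n} packets)")
```

Run it against a syslog export of the router (or pipe `grep FW-6-LOG_SUMMARY` output into it): the drop_targets list is exactly the set of flows to describe in GeneralOutCMAP before tightening class-default from pass to drop.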
Re: [c-nsp] Redistributing External EIGRP routes through MPLS vpn
Just put this into Dynamips and didn't have any problem at all.

CE1#
router eigrp 1
 no auto-summary
 !
 address-family ipv4 vrf BLUE
  redistribute bgp 1 metric 1 1 1 1 1
  network 10.10.10.254 0.0.0.0
  no auto-summary
  autonomous-system 1
 exit-address-family

PE1#
router eigrp 1
 no auto-summary
 !
 address-family ipv4 vrf BLUE
  network 10.10.10.254 0.0.0.0
  no auto-summary
  autonomous-system 1
 exit-address-family
router bgp 1
 !
 address-family ipv4 vrf BLUE
  redistribute eigrp 1
  no auto-summary
  no synchronization
 exit-address-family

Maybe check the EIGRP configuration to see if you have things like "eigrp stub connected" :)

- Luan Nguyen Chesapeake NetCraftsmen, LLC. -

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Joe Maimon
Sent: Monday, May 17, 2010 8:19 PM
To: shims...@cisco.com
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Redistributing External EIGRP routes through MPLS vpn

> Metric Must Be Configured for Routes from Other Autonomous Systems and Non-EIGRP Networks

Yes, it is.

> Native EIGRP VRF to VRF Redistribution Is Not Supported

Not what I am trying to do.

Thanks, Joe

Shimol Shah wrote:
Are you sure you are not running into the restriction cited in the section below of the CCO document?
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/fteipece.html#wp1027175
Shimol Shah

On 5/17/10 2:57 PM, Joe Maimon wrote:
Hey All,
Seems like I have run into a difficulty where CE#1 external EIGRP routes (redistribute connected/redistribute static) are learned by PE#1, redistributed to PE#2, but not redistributed to CE#2.
CE - PE, EIGRP
PE - PE, MPLS/BGP
The workaround is to use network statements, making the EIGRP routes on the CE internal. Those redistribute fine and show up on CE#2 as internal. Am I missing something, and is there a simple clean way to redistribute external EIGRP routes from CE#1 to CE#2?
Thanks, Joe
Re: [c-nsp] DMVPN scalability question on the 28XX ISR's
Like someone else said, if you don't have to run a dynamic routing protocol, then ODR or static would do wonders. In this case, a dual hub (loadshare/backup) for 1000+ spokes would be just fine. With EIGRP, you could safely do 500+ spokes per ASR. A few years back, Cisco did some tests and found that only a few (2-3) nodes failed when they tried to bring up 500 tunnels at the same time on the 7206VXR platform, if I recall correctly. I've done 300+ spokes EIGRP on a 7206VXR before and never had any problem. A 2851 with the SSL-2 VPN card could push ~35M of DMVPN/IPSEC traffic. Of course, if you do QOS, Zone Based Firewall...etc, any additional feature, then performance will degrade a lot.

What kind of software do you folks use to provision/manage bigger size DMVPN? Way back, I used Cisco IP Solution Center.

-Luan

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Engelhard
Sent: Monday, April 19, 2010 8:06 PM
To: rod...@cisco.com
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] DMVPN scalability question on the 28XX ISR's

Any suggestion for 2000+ spokes with 4 headends? Headends will be ASR100x. We think to put a Loadbalancer (ACE) in front of the ASRs to spread DMVPN traffic. Is it design wise?

Sent from my iPhone

On 2010/04/19, at 23:28, Rodney Dunn rod...@cisco.com wrote:
My suggestion is to run code that supports dynamic BGP neighbors at the hub and run BGP over the mGRE to the spokes. ..or followed by EIGRP.
Rodney

On 4/18/10 7:14 AM, Anton Kapela wrote:
On Apr 17, 2010, at 8:54 PM, Erik Witkop wrote:
We are considering DMVPN for a WAN network with (92) Cisco 870 remote routers and (2) Cisco 2851 headend routers. My concern is around the scalability of the 92 connections to each 2851. Assuming we have AIM modules in each 2851 router, do you think that would be sized properly?

While you have a chance, it'd be wise to toss in as much DRAM as the 2851 can take. The reasons are many, but mostly you'll want plenty (i.e. 20+ megabytes) of free RAM to cover your needs during transient conditions -- i.e. when all the IPsec endpoints flap, time out, then re-establish, or perhaps when 400 OSPF spoke neighbors time out, flap, and re-establish. If memory serves, advipservices 12.4T and 15.0 on 28xx leaves a bit less than 100 megs free after booting (on a 256M box); expect another 20 to 30M consumed when you have protocols + IPsec endpoints + full config up and active. Probably safe with 256, but it's not worth risking a surprise reload (that more DRAM could have prevented).

My overall experience using DMVPN (i.e. mGRE + IPsec tunnel protection) has been positive, and I find that usually boxes with AIM-VPN or SAs (on 7200s I've used the SA-VAM and its cousins) hit the first 'wall' there -- i.e. the max number of concurrent crypto sessions is reached *well before* the platform maximum IDB limit is reached. This means the first thing you should investigate is how many sessions your installed AIM can support -- it may be far less than you expected, and less than you require.

As for GRE and encaps processing on the 28xx, this seems to be nearly the same perf (without fragment processing considered) as native IP forwarding on the box. In practice, I see 80+ mbits usable (or 9 to 12 kpps) out of an 1841 doing GRE or IPIP encaps without crypto -- and a 2851 will usually push 100mbit+ doing the same. Again, the per-session crypto performance and max-session count will be determined by the AIM, so YMMV, etc.

Generally, the Cisco guidelines for DMVPN are sane, and my experiences don't (so far) run counter to them. One definite wall that I'd recommend you find before deployment is how many protocol neighbors you can have up (i.e. OSPF, IS-IS, or EIGRP neighbors), flap, and re-establish in a timeframe you're happy with. That is to say, I highly recommend lab'ing up a config that emulates 100, 200, 300, etc. OSPF neighbor sessions between the 28xx's -- you'll want to know for certain that your routers can both support/hold up the number of neighbors you need, *and* recover in a timely fashion after they flap.

So, while your platform may be more than adequate for your given WAN-facing bandwidth needs to the spoke sites, you may actually find that your 2851 CPU is underwhelming when endpoints flap/register/converge -- depending, again, on the scale you're taking things to.

-Tk
Re: [c-nsp] DMVPN scalability question on the 28XX ISR's
I wouldn't say not recommended by Cisco though. The DMVPN design guide is pretty old (2008): http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPN_3.html
I wish that Cisco would update that with ASR and ISR2 information and design guidance. That's a very good document and the performance numbers are quite accurate.

When I first worked with DMVPN, most of the designs were dual hub, dual cloud with EIGRP. I was tempted by BGP as well, but mostly in a lab environment since the operations folks didn't want to support it. Today, I believe the drive is toward single cloud, with tier layered...etc. I am using a single cloud DMVPN design for a 3-hub spoke-to-spoke TLS network with EIGRP and it has been working great. Then again, the number of spokes is way under 2000.

-Luan

-Original Message-
From: Octavio Alvarez [mailto:alvar...@alvarezp.ods.org]
Sent: Wednesday, April 21, 2010 2:04 PM
To: Luan Nguyen; 'Engelhard'; rod...@cisco.com; Erik Witkop
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] DMVPN scalability question on the 28XX ISR's

On Wed, 21 Apr 2010 06:35:37 -0700, Luan Nguyen l...@netcraftsmen.net wrote:
> In this case, a dual hub (loadshare/backup) for 1000+ spokes would be just fine.

Single-hub, dual-cloud scales and performs and converges better than dual-hub, single-cloud, and are not even recommended by Cisco. Therefore, I would stick to the dynamic routing protocol approach.

-- Octavio.
Re: [c-nsp] cost community alternatives
Try using the offset-list command.

Regards,
- Luan Nguyen Chesapeake NetCraftsmen, LLC.

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Pan vangels
Sent: Monday, April 12, 2010 1:57 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] cost community alternatives

If 1) ebgp is used as the PE-CE protocol, 2) eigrp is used in the customer's network, and 3) a backdoor link exists between CE routers, is there any way for external eigrp routes coming from ebgp into eigrp to be preferred over normal eigrp routes advertised through the backdoor link? The distance command would do the trick, but this has to be defined on all internal customer routers. On the other hand, cost community is not extendable over an ebgp session...

Thnx,
Pan
Re: [c-nsp] Cisco 3750 High CPU
This link should provide some guidance regarding the "hulc running" process: http://www.cisco.com/en/US/products/hw/switches/ps5023/products_tech_note09186a00807213f5.shtml

-Luan

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Chris Lane
Sent: Wednesday, April 07, 2010 3:17 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco 3750 High CPU

Hello,
I have all of a sudden taken extremely high CPU:

sh proc cpu sorted | e 0.0
CPU utilization for five seconds: 99%/27%; one minute: 95%; five minutes: 92%
 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
 251     2985921     15274 195490 39.29% 11.05%  6.01%   0 hulc running con
 171   630974187 249381380   2530 10.38%  9.27%  9.45%   0 Spanning Tree
 117   133871232 301668428    443  4.63%  8.34%  9.47%   0 Hulc LED Process
  68     3766455 374577924     10  4.15%  3.66%  3.20%   0 HLFM address lea
 137   221859624  12599002  17609  2.39%  2.02%  2.05%   0 PI MATM Aging Pr
 168   175580828 496683600    353  1.91%  3.89%  2.90%   0 IP Input
  52     8324282 665636083     12  0.79%  0.43%  0.35%   0 Fifo Error Detec

I know this isn't much but could anyone offer assistance?
Thanks
Chris
-- //CL
Re: [c-nsp] VAM2+ Performance
The DMVPN design guide has better numbers: http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPN_4_Phase2.html

Yours sounds about right if you meant 40Mbps of encrypted traffic. Typically, not sure about the G1, but with the G2/VAM2+ combination, IMIX would get you ~80Mbps GRE/IPSEC with ~90% CPU. The VSA has much better performance BTW.

Regards,
- Luan Nguyen Chesapeake NetCraftsmen, LLC. -

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Antonio Soares
Sent: Wednesday, March 17, 2010 2:05 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] VAM2+ Performance

Hello group,
Does anyone have access to real-world performance values for the VAM2+? I have a router hitting 50% with 40 Mbps of traffic. It has an NPE-G1 and it is running 12.4M. I also have ACLs and QOS. The VAM2+ data sheet mentions up to 280 Mbps: http://www.cisco.com/en/US/prod/collateral/routers/ps341/prod_bulletin0900aecd80205255.html
I have about 8 kpps being encrypted. It's a P2P GREoIPSEC scenario.
Thanks.

Regards,
Antonio Soares, CCIE #18473 (RS/SP) amsoa...@netcabo.pt
Re: [c-nsp] MPLS VPN Running BGP w/ failover IPSec VPN Over Internet
What's the topology? One CPE terminating MPLS and the IPSEC tunnel? If this is the case, then if at one site MPLS goes down, it starts to use the IPSEC tunnel; when packets get to the other side, the default route to the MPLS VPN is still there, so packets will get routed back into the MPLS cloud. You need more specific routes advertised so that when MPLS is lost, it will withdraw the route and IPSEC will kick in. Just a default won't work unless you'll be doing some creative conditional advertising in BGP or some fancy EEM scripting...or maybe using IP SLA to withdraw the route...which might be a little more complicated than need be.

Even with specific routes, you still have lots of decisions to make, like whether to switch everything to use IPSEC tunnels once just ONE MPLS connection goes down, or only that site. Then you have to make sure not to run into asymmetric routing...etc. With GNS3/Dynagen, you could probably test this whole thing out on your laptop.

--- Luan Nguyen Chesapeake NetCraftsmen, LLC. [Web] http://www.netcraftsmen.net ---

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jason LeBlanc
Sent: Tuesday, January 26, 2010 4:20 PM
To: Cisco-nsp
Subject: [c-nsp] MPLS VPN Running BGP w/ failover IPSec VPN Over Internet

Team,
This question was put out there before in another chain but I wasn't able to figure out the best solution. We have multiple campuses connecting to an MPLS VPN cloud running BGP internally. At some locations we have backup ISP services and an IPSec VPN tunnel over that. Currently BGP provides a default route to each campus as external BGP / Pref 40 / Metric 0. Our backup IPSec is in as a Static / Pref 20 / Metric 32000. When we lose BGP/MPLS VPN we want the IPSec tunnel to begin routing traffic between the campus and our main datacenter. What is the best way to achieve this?
Thanks, //LeBlanc
Re: [c-nsp] MPLS VPN Running BGP w/ failover IPSec VPN Over Internet
At the remote site, yes, if MPLS goes down, the default route over the IPSEC tunnel will kick in. But at HQ, does it know how to get back to the remote site? Does it also have a default route out of MPLS, or does it have specific subnets from all remotes? What then if HQ goes down? Remotes only have a default route out of MPLS, so they will continue to look for the way home that way.

Back when I was at VzB managed services, it was EIGRP over the DMVPN/IPSEC tunnel backing up BGP MPLS. Too bad I didn't use Dynagen, else I would just shoot over to you my dot net file.

- Luan Nguyen Chesapeake NetCraftsmen, LLC. [Web] http://www.netcraftsmen.net [AIM/YIM/GTalk] luancnc -

-Original Message-
From: Jason LeBlanc [mailto:jasonlebl...@gmail.com]
Sent: Tuesday, January 26, 2010 7:48 PM
To: Luan Nguyen
Cc: 'Cisco-nsp'
Subject: Re: [c-nsp] MPLS VPN Running BGP w/ failover IPSec VPN Over Internet

Current topology is pretty simple. ATT drops an MPLS circuit, either PPP Multilink Bundled T1's or an Ethernet hand-off. On another interface we generally have an Ethernet hand-off from another ISP. We run BGP to move all the traffic around on 172.x.x.x/30's and then our LAN is on 10.x.x.x. We have an outside IP address on another Ethernet port which is the IPSEC termination point. BGP from our main campus injects a default route which we receive. Currently we just manually added static 0.0.0.0 routes out the tunnel interfaces with a metric of 32000. So when BGP drops off we will route over the IPSEC VPN Tunnel back home.

Headquarters 172.1.1.1/30 -- ATTMPLS 172.1.1.2/30
ATTMPLS 172.2.2.1/30 -- Remote Campus 172.2.2.2/30 (running BGP) -- 10.1.1.1/24
ISP-X Ethernet 200.1.1.1/30 -- Remote Campus 200.1.1.2/30 -- IPSEC VPN Tunnel.1 10.1.1.20/24 -- Headquarters Tunnel.1 10.1.1.21/24

BGP provides default route
Static 0.0.0.0 0.0.0.0 Tunnel.1 Metric 32000

It is my assumption that if the traffic can't get to its destination because BGP has lost it, our backup link, the IPSEC VPN with the higher metric, will become the new default route.

On Jan 26, 2010, at 4:44 PM, Luan Nguyen wrote:
> What's the topology? One CPE terminating MPLS and the IPSEC tunnel? If this is the case, then if at one site MPLS goes down, it starts to use the IPSEC tunnel; when packets get to the other side, the default route to the MPLS VPN is still there, so packets will get routed back into the MPLS cloud. You need more specific routes advertised so that when MPLS is lost, it will withdraw the route and IPSEC will kick in. Just a default won't work unless you'll be doing some creative conditional advertising in BGP or some fancy EEM scripting...or maybe using IP SLA to withdraw the route...which might be a little more complicated than need be.
>
> Even with specific routes, you still have lots of decisions to make, like whether to switch everything to use IPSEC tunnels once just ONE MPLS connection goes down, or only that site. Then you have to make sure not to run into asymmetric routing...etc. With GNS3/Dynagen, you could probably test this whole thing out on your laptop.
>
> --- Luan Nguyen Chesapeake NetCraftsmen, LLC. [Web] http://www.netcraftsmen.net ---
>
> -Original Message-
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jason LeBlanc
> Sent: Tuesday, January 26, 2010 4:20 PM
> To: Cisco-nsp
> Subject: [c-nsp] MPLS VPN Running BGP w/ failover IPSec VPN Over Internet
>
> Team,
> This question was put out there before in another chain but I wasn't able to figure out the best solution. We have multiple campuses connecting to an MPLS VPN cloud running BGP internally. At some locations we have backup ISP services and an IPSec VPN tunnel over that. Currently BGP provides a default route to each campus as external BGP / Pref 40 / Metric 0. Our backup IPSec is in as a Static / Pref 20 / Metric 32000. When we lose BGP/MPLS VPN we want the IPSec tunnel to begin routing traffic between the campus and our main datacenter. What is the best way to achieve this?
>
> Thanks, //LeBlanc
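An added example, not part of the thread: a small Python model of the return-path problem Luan describes in both replies above (the remote fails over to the tunnel, but HQ still holds a default toward MPLS and sends the reply back into the cloud). It applies longest-prefix-match and administrative distance to two tiny RIBs and compares "defaults only" against "specific prefixes with a tunnel backup". The addresses, the AD values (IOS defaults assumed: eBGP 20, floating static 250) and the next-hop names are assumptions for illustration, not taken from Jason's topology.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Assumed addressing (illustration only): HQ LAN, remote LAN, and one host in each.
HQ_LAN, REMOTE_LAN = "10.0.0.0/24", "10.1.1.0/24"
HQ_HOST, REMOTE_HOST = "10.0.0.10", "10.1.1.10"


@dataclass
class Route:
    prefix: str
    via: str       # "connected", "MPLS" (provider PE) or "Tunnel1" (IPsec backup)
    ad: int        # administrative distance; assumed IOS defaults: eBGP 20, floating static 250
    source: str    # "connected", "ebgp" or "static"


@dataclass
class Router:
    name: str
    rib: List[Route] = field(default_factory=list)

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest prefix match first, lowest administrative distance as tie-breaker."""
        addr = ip_address(dst)
        matches = [r for r in self.rib if addr in ip_network(r.prefix)]
        if not matches:
            return None
        return max(matches, key=lambda r: (ip_network(r.prefix).prefixlen, -r.ad))

    def withdraw(self, source: str, via: str, prefix: Optional[str] = None) -> None:
        self.rib = [r for r in self.rib
                    if not (r.source == source and r.via == via
                            and (prefix is None or r.prefix == prefix))]


def build(default_only: bool) -> Tuple[Router, Router]:
    """Two CPEs. The remote always has an eBGP default from its PE plus a floating
    static default over the tunnel. HQ either runs on defaults only, or carries the
    remote's specific prefix from the VPN with a tunnel backup for that same prefix."""
    remote = Router("remote", [
        Route(REMOTE_LAN, "connected", 0, "connected"),
        Route("0.0.0.0/0", "MPLS", 20, "ebgp"),
        Route("0.0.0.0/0", "Tunnel1", 250, "static"),
    ])
    hq = Router("hq", [Route(HQ_LAN, "connected", 0, "connected")])
    if default_only:
        hq.rib += [Route("0.0.0.0/0", "MPLS", 20, "ebgp"),
                   Route("0.0.0.0/0", "Tunnel1", 250, "static")]
    else:
        hq.rib += [Route(REMOTE_LAN, "MPLS", 20, "ebgp"),
                   Route(REMOTE_LAN, "Tunnel1", 250, "static")]
    return remote, hq


def fail_remote_mpls(remote: Router, hq: Router) -> None:
    """The remote's PE-CE session drops: the remote loses everything it learned by eBGP
    and the provider withdraws the remote's prefix from HQ. HQ's own circuit is still
    up, so a default that HQ learned from its own PE stays in place."""
    remote.withdraw("ebgp", "MPLS")
    hq.withdraw("ebgp", "MPLS", prefix=REMOTE_LAN)


def forward_via(router: Router, dst: str, dst_site: str, mpls_up: Dict[str, bool]) -> str:
    """Exit chosen for dst, or BLACKHOLE when the packet is handed to the provider
    while the destination site's circuit is down."""
    route = router.lookup(dst)
    if route is None:
        return "NO_ROUTE"
    if route.via == "MPLS" and not mpls_up[dst_site]:
        return "BLACKHOLE"
    return route.via


def round_trip(default_only: bool, fail: bool = True) -> Tuple[str, str]:
    """(remote->HQ exit, HQ->remote exit), before or after the remote's MPLS failure."""
    remote, hq = build(default_only)
    mpls_up = {"remote": True, "hq": True}
    if fail:
        fail_remote_mpls(remote, hq)
        mpls_up["remote"] = False
    return (forward_via(remote, HQ_HOST, "hq", mpls_up),
            forward_via(hq, REMOTE_HOST, "remote", mpls_up))


if __name__ == "__main__":
    print("healthy, defaults only     :", round_trip(True, fail=False))
    print("remote MPLS down, defaults :", round_trip(True))    # reply goes back into MPLS
    print("remote MPLS down, specifics:", round_trip(False))   # both legs over Tunnel1
```

The "defaults only" case is the one Luan warns about: the remote's forward leg moves to Tunnel1, but HQ's eBGP default (AD 20) still beats its floating static (AD 250), so the reply is handed to a provider that no longer has a path to the remote. With the remote's prefix carried as a specific route, the provider's withdrawal removes the only MPLS candidate for that prefix and HQ falls through to the tunnel route.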
Re: [c-nsp] Cisco NAC - SSO Issues
I would suggest opening a TAC case. Also, for NAC related problems, the cleanacc...@listserv.muohio.edu list would be a better place to ask questions.

Regards,
-- Luan Nguyen Chesapeake NetCraftsmen, LLC. [Web] http://www.netcraftsmen.net

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Antonio Soares
Sent: Tuesday, September 15, 2009 10:20 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cisco NAC - SSO Issues

I found a matching bug in the meanwhile but the workaround does not work:

+ CSCsk46672 Bug Details
CAS stops listening on 8910 after threads in CLOSE_WAIT state
Symptom: Agent fails to perform ADSSO
Conditions: CAS no longer listening on tcp port 8910 because 50 threads are already in CLOSE_WAIT state
Workaround: Under Device Management > Clean Access Servers > CAS > Windows Auth, click UPDATE on the SSO service to flush the CLOSE_WAIT states
+

The box I'm troubleshooting is running release 4.0.5.

Regards,
Antonio Soares, CCIE #18473 (RS) amsoa...@netcabo.pt

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Antonio Soares
Sent: Tuesday, September 15, 2009 13:57
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco NAC - SSO Issues

Hello group,
I'm troubleshooting a NAC issue. I see lots of CLOSE_WAIT sessions on the CAS and I need to find a way to restart the SSO service (TCP:8910) without restarting the whole box. Disabling the option "Enable Agent-Based Windows Single Sign-On with Active Directory (Kerberos)" in the CAM does not do the job. I think that after clearing these stuck TCP sessions, Single Sign-On will work again.
Thanks.
Regards,
Antonio Soares, CCIE #18473 (RS) amsoa...@netcabo.pt
Re: [c-nsp] NAT Global to FVRF
I think the problem is that your VRF Red doesn't have a route to the LAN. If [LAN] is a switch, then you could try to create a route in VRF Red for the LAN network with the next hop being the IP address of the switch.

Regards,
Luan Nguyen Chesapeake NetCraftsmen, LLC. http://www.netcraftsmen.net

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Gary T. Giesen
Sent: Thursday, August 20, 2009 11:19 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] NAT Global to FVRF

I've got a customer that requires localized Internet access from their DMVPN router (they currently receive a default route over the VPN). Their router is set up with the customer (inside) network in the global routing table, and their Internet connection sits inside a front-door VRF (FVRF). Has anyone done this, and have a working config? I've tried all manner of options but have yet to be successful NAT'ing between the global inside and the outside FVRF.

[ LAN ] ---[ CPE ]--- [ Internet ]
  Global ---NAT--- VRF RED

GG
Re: [c-nsp] Route redistribution and selection
You might want to check this link out: http://wiki.nil.com/Multihomed_MPLS_VPN_sites_running_EIGRP

Regards,
--- Luan Nguyen Chesapeake NetCraftsmen, LLC. http://www.netcraftsmen.net --

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Joe Maimon
Sent: Thursday, August 13, 2009 9:04 AM
To: cisco-nsp
Subject: [c-nsp] Route redistribution and selection

We are having a problem where routes originated by the customer because of their backup paths are preventing the mpls bgp routes from being installed and used on the PE.

Customer has an eigrp routed network. We are hosting a bgp mpls network for the customer. At the customer's HQ PE router, we talk eigrp to the customer. The customer has an alternate path to the sites served by the bgp mpls network. We allow redistribution of eigrp routes into bgp to advertise to the mpls bgp sites. This includes the sites' known prefixes themselves, due to the potential for the backup path becoming the better/only one. We redistribute the bgp routes for the mpls sites into eigrp.

Normally this is a fairly common setup and works very well, and has for quite some time with this customer. However, on one PE we have been having issues where the customer backup path eigrp routes are installed into the PE routing table, and the bgp routes show the originated-via-eigrp routes as the best and used path out of both the locally originated-via-eigrp and the P mpls bgp learned route.

The current fix is to flap the customer eigrp connection or have the customer withdraw the backup path routes. The P routers and the PE routers are an ebgp connection. The eigrp route has an admin distance of 170 and the ebgp route when installed has an admin distance of 20. We have tried setting the weight, local preference, and metric of the mpls P router prefixes to cause the route to be preferred over the route redistributed locally from eigrp.

The PE router is running rsp-jk9o3sv-mz.124-18a.bin

Any insight would be greatly appreciated.

Thanks, Joe
Re: [c-nsp] OT: Internet Web Caching Solution
WAAS and ACNS are two different animals. WAAS is double-ended (there has to be a device at both ends) and ACNS is single-ended, acting as a caching device (though it can have information pushed to it from a central manager). Typically: WAAS between remote site and central site; ACNS between remote site and the Internet, or as a push client receiving content from a central site. Hope that helps.

Regards,
-- Luan Nguyen Chesapeake NetCraftsmen, LLC. http://www.netcraftsmen.net -

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Felix Nkansah
Sent: Thursday, August 13, 2009 9:41 AM
To: Cisco certification; cisco-nsp@puck.nether.net
Subject: [c-nsp] OT: Internet Web Caching Solution

Hi,
I am looking for a web caching and acceleration platform. The Cisco Cache Engines were replaced by the Content Engines, which have also been replaced with the WAE running ACNS software. The datasheets on ACNS seem to imply caching and acceleration of multimedia traffic between branch offices and central office, with ACNS appliances at both ends. That is not what I am looking for. I want a one-site appliance for Internet web traffic caching only.
Many thanks for your clarification.
Felix
Re: [c-nsp] GRE/NAT ?
No? I remember doing overlapping RFC1918 sites for GRE/IPSEC VPN.

Regards,
Luan Nguyen Chesapeake NetCraftsmen, LLC. http://www.netcraftsmen.net ---

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Rodney Dunn
Sent: Friday, July 31, 2009 11:40 AM
To: Jeff Kell
Cc: cisco-nsp
Subject: Re: [c-nsp] GRE/NAT ?

No.

Jeff Kell wrote:
> The GRE question reminded me of a nagging thought... Can you NAT traffic inside GRE?
> Jeff
Re: [c-nsp] GRE/NAT ?
So you are talking about NAT after GRE? You certainly could NAT and then GRE-encapsulate the NATted traffic?

Regards,
Luan Nguyen Chesapeake NetCraftsmen, LLC. http://www.netcraftsmen.net

-Original Message-
From: Rodney Dunn [mailto:rod...@cisco.com]
Sent: Friday, July 31, 2009 12:09 PM
To: Luan Nguyen
Cc: 'cisco-nsp'
Subject: Re: [c-nsp] GRE/NAT ?

There is no code that does translation of the inner IP frame that I'm aware of.

Rodney

Luan Nguyen wrote:
> No? I remember doing overlapping RFC1918 sites for GRE/IPSEC VPN.
>
> Regards,
> Luan Nguyen Chesapeake NetCraftsmen, LLC. http://www.netcraftsmen.net ---
>
> -Original Message-
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Rodney Dunn
> Sent: Friday, July 31, 2009 11:40 AM
> To: Jeff Kell
> Cc: cisco-nsp
> Subject: Re: [c-nsp] GRE/NAT ?
>
> No.
>
> Jeff Kell wrote:
> > The GRE question reminded me of a nagging thought... Can you NAT traffic inside GRE?
> > Jeff
Re: [c-nsp] DMVPN and OSPF
Care to post the configuration? So maybe some of us who think that this problem is interesting could plug it into dynamips and check it out for you? Have you tried to remove the configuration and put it back? Maybe add a few loopback interfaces and advertise them?

Regards,
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
http://www.netcraftsmen.net

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jay Nakamura
Sent: Thursday, July 30, 2009 1:55 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] DMVPN and OSPF

Looking back on tickets, it seems like this problem started happening after upgrading from 12.4(15)T5 to 12.4(24)T. Before the upgrade, it was running solid for a year. I have tried 12.4(24)T1 but that doesn't seem to have any effect. I can't go below 12.4(20)T because we want to deploy IOS content filtering.

On Thu, Jul 30, 2009 at 7:48 AM, Rodney Dunn <rod...@cisco.com> wrote:
> Jay Nakamura wrote:
>>> Did you force the DR to be the hub by setting the priority?
>> Yes. And confirmed.
> I forgot, did you set it to broadcast or multipoint?

broadcast

>>> I'd suggest you look at the packet capture feature and get a trace when it's down.
>> Is this what you are referring to?
>> http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_rawip.html#wp1049404
> No this one:
> http://supportwiki.cisco.com/ViewWiki/index.php/Tech_Insights:Utilizing_the_New_Packet_Capture_Feature

There is no tech onsite and it's a little far so I can't do it at the moment but if I can't figure out anything else, that will be the next step.

>>> Do you see the LSA's in the database?
>> I believe it was blank. It's working now after a reboot so I can't check but I will check next time it happens.
> Ok. That is the starting point if the neighbors are not flapping. Can you ping 224.0.0.5 and get a response?
>>> Are the neighbors flapping?
>> It didn't flap at all. Routes just disappeared. Well, that's not 100% true. The backup hub VPN connection went down and it wouldn't come up. I could ping the primary hub tunnel IP when the routes were gone but none of the other DMVPN peer IPs.
> Almost always issues like this are with packet loss. You have to make sure the multicast traffic can traverse the cloud and that requires replication at the hub..and the spoke if you are doing a single spoke tunnel with dual hubs.
>
>> Jay Nakamura wrote:
>>> Has anyone seen this symptom?
>>>
>>> 1841, advanced IP feature set
>>> DMVPN spoke and OSPF over the DMVPN
>>> Running 12.4(24)T
>>>
>>> Periodically, the router loses all its OSPF routes and stays that way. Clearing the DMVPN or OSPF process does nothing. It recreates the OSPF session with neighbor but it still has no routes. It can't seem to re-connect to the backup DMVPN hub either. Router still routes to the static default route for internet traffic and everything else seems normal. Just can't get to the VPN network. It's really not doing anything fancy other than DMVPN and OSPF.

___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
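Rodney's point about multicast replication, as an added example (not configuration from the thread): a dual-hub DMVPN where the spoke has a single mGRE tunnel to both hubs and OSPF runs in broadcast mode. The spoke needs an NHRP multicast mapping for each hub, and each hub needs "ip nhrp map multicast dynamic", or OSPF hellos and LSAs simply never reach the far side and the symptom is an adjacency that forms with one hub and a backup hub that never comes up. Addresses, tunnel key and the NHRP authentication string are assumed; IPsec tunnel protection is left out to keep the NHRP/OSPF part visible.

```cisco
! Added example: dual-hub DMVPN, OSPF broadcast mode. 10.0.0.0/24 is the tunnel
! subnet, 203.0.113.1/.2 are the hubs' public (NBMA) addresses; all placeholders.
!
! --- Hub 1 (hub 2 identical apart from its addresses and a priority of 90) ---
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication DMVPNKEY      ! cleartext tag that keeps unrelated NHRP domains apart; not a security control
 ip nhrp map multicast dynamic        ! replicate multicast (OSPF hellos/LSAs) to every spoke that registers
 ip nhrp network-id 100
 ip nhrp holdtime 600
 ip ospf network broadcast            ! one DR/BDR for the cloud; the hubs must hold those roles
 ip ospf priority 100                 ! hub 1 = DR, hub 2 (priority 90) = BDR
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
!
! --- Spoke: one tunnel, both hubs ---
interface Tunnel0
 ip address 10.0.0.11 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication DMVPNKEY
 ip nhrp map 10.0.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1    ! multicast copy to hub 1
 ip nhrp map 10.0.0.2 203.0.113.2
 ip nhrp map multicast 203.0.113.2    ! ...and to hub 2; without this line hub 2 never sees a hello
 ip nhrp network-id 100
 ip nhrp holdtime 600
 ip nhrp nhs 10.0.0.1
 ip nhrp nhs 10.0.0.2
 ip ospf network broadcast
 ip ospf priority 0                   ! a spoke must never become DR/BDR
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
!
router ospf 1
 network 10.0.0.0 0.0.0.255 area 0
```

Checks that go with it: show ip nhrp multicast on a hub should list every registered spoke's NBMA address and on the spoke both hubs; show ip ospf neighbor on the spoke should show hub 1 as DR and hub 2 as BDR, never DROTHER/DROTHER; and Rodney's ping 224.0.0.5 from the spoke should get replies from both hubs. If the replies come from one hub only, the missing multicast mapping, not OSPF, is the problem.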
Re: [c-nsp] 7206VXRG2 performance question
NPEG2 and VAM+ could do 60Mbps VPN throughput. NPEG2 and VSA could do 160Mbps VPN throughput. These are with 500 bytes packet. If you need more throughput, might want to go with the ASR1002. Not that much more expensive than the 7206VXR NPEG2/VSA combo. Regarding design, you should go with DMVPN/EIGRP. You could do direct spoke-spoke communication as well.

Regards,
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
http://www.netcraftsmen.net

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Gabriel
Sent: Tuesday, July 28, 2009 4:17 PM
To: rod...@cisco.com
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 7206VXRG2 performance question

I'll try to provide more details regarding the desired setup (opinions in favour/against it are welcomed).

As I said, roughly half of the spokes will connect to hub1 while the other half will connect to hub2. As all servers are in hub1, spokes connecting to hub2 will reach the servers via a dedicated link between hub1 and hub2. Hub2 is also a DR site, so this link will also be used for replicating some of hub1's content there.

Regarding connectivity, spokes will connect to the hubs via two providers (P1 and P2). The connections will use the provider's internal network, not over the Internet. So, a spoke will have one tunnel (T1) to hub1 via P1, one tunnel (T2) to hub1 via P2, one tunnel (T3) to hub2 via P1 and one tunnel (T4) to hub2 via P2. Depending on which hub the spoke will connect to, either T1 and T2 will be used (per flow load balancing) or T3 and T4. Should a hub become unavailable, the spokes connected to it will failover to the other one, so either hub must be able to handle all spokes simultaneously.

Regarding bandwidth, I doubt it will exceed 10 mbit/s per provider in the hubs. Spokes will probably have 128kbps and 256kbps per provider.

I read a bit about VTIs and the most appropriate setup seems to be with static VTIs on the spokes and dynamic VTIs on the hubs. However, there are some notes in the document[1] saying that routing with DVTIs is not supported and SVTI remote to DVTI interfaces are not supported (I don't know what this means).

Spokes will indeed have static link speeds (values mentioned above are CIR). If I understand correctly the link you gave, I would need two nhrp groups (one for 128kbps and the other one for 256kbps) which I will further divide as required. Besides that, we'll also need shaping to limit the outgoing physical interface to 10 mbps (or whatever we'll get from the provider). The spokes would then be configured with the proper nhrp-group.

So, as I said in the original message, my main concern is whether or not the 7206 will be able to handle this, but, from the replies I got, I understand it shouldn't be a problem.

Gabriel

[1] http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_ipsec_virt_tunnl.html#wp1110852

On Sun, Jul 26, 2009 at 6:17 AM, Rodney Dunn <rod...@cisco.com> wrote:
> For those low rates a 7206VXR with a NPE-G2 would be a plenty.
>
> You should look at dynamic VTI's I think it is to get per spoke QOS. You don't need an external box especially if your link speeds at the spokes are static.
>
> There are different ways to do per spoke QOS but it's a bit more complex with dmvpn.
>
> http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_per_tunnel_qos.html
>
> Rodney
>
> Gabriel wrote:
>> Hi all, the company I work for is involved in a WAN redesign process, so we got in touch with a few Cisco partners to help us. We're considering a dual-hub and spoke topology (about 100 spokes, more in the future) with both hubs active (half of the spokes will connect to one hub, the other half to the other). As I said, we contacted some Cisco partners (as we don't have the necessary expertise to do this on our own) and one of them recommended that, besides using the 7206 (with NPE-G2 and VSA) as the hub router, we should also get a SCE1010 box to handle the QoS. One of the aspects I'd like your feedback on is whether this SCE box is required or not (from the docs and design guides I read, it was only present in SP networks).
>>
>> I'll try to give more details (please let me know if they are relevant or not and what others have I missed):
>> - DMVPN (although one tunnel/branch was also suggested) over IPSec
>> - spokes connect to hubs via two providers (with per-flow load-balancing)
>> - hub bandwidth will probably not exceed 10 mbit/provider
>> - spoke bandwidth will be 256kbps/provider for roughly half of the spokes and 128kbps/provider for the other half
>> - EIGRP as routing protocol
>> - no VoIP at the moment, but it could appear sometime in the future
>>
>> Traffic is not latency-sensitive (as I said, no VoIP yet) and will be split into four QoS classes (in the future, others might appear). So, based on the above, can you comment on the capabilities
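The per-tunnel QoS arrangement Gabriel sketches (one NHRP group per spoke CIR, applied from the hub), as an added example that is not configuration from the thread. The four class names, the child policy percentages and the group names are assumed for illustration; the 128 kbps and 256 kbps rates are the ones in the thread. This is the DMVPN per-tunnel QoS feature from Rodney's link, not a DVTI configuration.

```cisco
! Added example: DMVPN per-tunnel QoS on the hub, one parent shaper per spoke
! speed, a shared four-class child policy. Class/policy names are placeholders.
!
! --- Hub ---
class-map match-any CONTROL
 match dscp cs6
class-map match-any INTERACTIVE
 match dscp af31 af32
class-map match-any BULK
 match dscp af11
!
policy-map SPOKE-CHILD
 class CONTROL
  bandwidth percent 5            ! routing/NHRP keepalives survive congestion
 class INTERACTIVE
  bandwidth percent 40
 class BULK
  bandwidth percent 25
 class class-default
  fair-queue
!
! One parent per CIR; the child divides the shaped rate.
policy-map SHAPE-128K
 class class-default
  shape average 128000
  service-policy SPOKE-CHILD
policy-map SHAPE-256K
 class class-default
  shape average 256000
  service-policy SPOKE-CHILD
!
! The hub instantiates a copy of the policy per spoke, keyed on the group name
! the spoke sends in its NHRP registration.
interface Tunnel0
 ip nhrp map group SPOKE-128K service-policy output SHAPE-128K
 ip nhrp map group SPOKE-256K service-policy output SHAPE-256K
!
! --- 128 kbps spoke (the only per-spoke change) ---
interface Tunnel0
 ip nhrp group SPOKE-128K
!
! --- 256 kbps spoke ---
interface Tunnel0
 ip nhrp group SPOKE-256K
```

On the hub, show dmvpn detail shows the group each spoke registered with, and show policy-map multipoint Tunnel0 shows the per-spoke policy instances and their drop counters. The 10 Mbps cap on the hub's physical interface that Gabriel also wants is a separate policy; whether a shaper on the physical interface can coexist with per-tunnel QoS depends on the IOS release, so check that in the per-tunnel QoS guide Rodney linked before relying on both.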
Re: [c-nsp] ASA Static Translations / DNS Doctoring
Static mapping means one to one. You could do port mapping. I have an internal web server that needs to be accessible from the public internet so I would do:

static (inside,outside) 208.x.x.25 192.168.100.10 netmask 255.255.255.255 dns

What do you need to do?

Regards,
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
http://www.netcraftsmen.net

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Clue Store
Sent: Friday, July 17, 2009 12:47 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ASA Static Translations / DNS Doctoring

Hi All,

I'm trying to do DNS doctoring on an asa and for specific reasons I need to map several different (public) outside IP's to the one inside ip as shown below.

static (inside,outside) 208.x.x.25 192.168.100.10 netmask 255.255.255.255 dns
static (inside,outside) 208.x.x.26 192.168.100.10 netmask 255.255.255.255 dns

However, upon entering the second rule, the asa says ERROR: duplicate of existing static. I realize this is for a one to one translation. As I am not an expert with the ASA, does anyone know how I can accomplish this in a different manner?? My only other option is to point all of my domains to the same (public) outside IP, but this is my LAST option as it breaks a lot more things that would take a lot more time to fix.

Any help is appreciated.

Thanks,
Clue

___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] ASA Static Translations / DNS Doctoring
Very creative use of secondary addresses! :)

Regards,
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
http://www.netcraftsmen.net

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Andrew Yourtchenko
Sent: Friday, July 17, 2009 2:28 PM
To: Clue Store
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASA Static Translations / DNS Doctoring

On Fri, 17 Jul 2009, Clue Store wrote:
> Hi All,
>
> I'm trying to do DNS doctoring on an asa and for specific reasons I need to map several different (public) outside IP's to the one inside ip as shown below.
>
> static (inside,outside) 208.x.x.25 192.168.100.10 netmask 255.255.255.255 dns
> static (inside,outside) 208.x.x.26 192.168.100.10 netmask 255.255.255.255 dns

With

static (inside,outside) AddrPublic AddrPrivate netmask 255.255.255.255 dns

in the config, you're saying:

1) when anyone tries to talk to AddrPublic from the outside, they will get to AddrPrivate on the inside
2) when AddrPrivate tries to talk to anyone on the outside, it will be seen there as AddrPublic
3) the DNS response containing AddrPrivate or AddrPublic, depending on where it is arriving, will have this address translated accordingly. (so the DNS server on the outside replying AddrPublic to someone on inside, will have this translated to AddrPrivate; and inside DNS server which replies the AddrPrivate to the outside, will have it translated to AddrPublic.)

The (3) is what the dns keyword turns on when it is present.

The symmetry of the behaviour prevents having 'many to one' behaviour that you are looking for - because then it would encounter the conflict or unpredictability when going outbound.

The simplest way around is to grab a few secondary rfc1918 addresses and assign them to the host and do the mapping between those and the public addresses. For your /27 case, having 30 secondaries does not look terribly exciting, but assuming the host can survive that, it should do the trick.

cheers,
andrew

___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
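Andrew's workaround written out for a pre-8.3 ASA, as an added example that is not configuration from the thread. Public addresses are placeholders from the RFC 5737 203.0.113.0/24 range standing in for the thread's 208.x.x.x, and the secondary private addresses 192.168.100.11 and .12 are assumed; the server keeps 192.168.100.10 as its primary address and gains one secondary per public address it must answer for.

```cisco
! Added example: one strictly one-to-one static per public address, each bound
! to a different address on the same server, so outbound traffic and the DNS
! rewrite are unambiguous. 203.0.113.x and the .11/.12 secondaries are placeholders.
!
! Server: primary 192.168.100.10, secondaries 192.168.100.11 and 192.168.100.12
static (inside,outside) 203.0.113.25 192.168.100.10 netmask 255.255.255.255 dns
static (inside,outside) 203.0.113.26 192.168.100.11 netmask 255.255.255.255 dns
static (inside,outside) 203.0.113.27 192.168.100.12 netmask 255.255.255.255 dns
!
! A static exposes nothing until the inbound ACL permits it; keep that to the
! service ports rather than "permit ip", since every secondary is a full host exposure.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.25 eq www
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.26 eq www
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.27 eq www
access-group OUTSIDE_IN in interface outside
!
! The "dns" keyword only rewrites A records if DNS inspection is on; it is in
! the default global policy, shown here so it is not removed by accident.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
```

Verify with show xlate (one static xlate per pair) and, from an inside host that resolves the public name through an outside DNS server, confirm the A record comes back as the matching 192.168.100.x address. Each virtual host on the server then has to bind to its own secondary address, otherwise the doctored answer points at an address nothing is listening on.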
Re: [c-nsp] Global Route Leaking on same PE
You could also use a GRE tunnel for the connection as well. Jeff is right that this topic keeps coming up every so often. I wonder why Cisco won't just make this easier for people.

--
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
http://www.netcraftsmen.net
--

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Ivan Pepelnjak
Sent: Tuesday, June 16, 2009 1:24 PM
To: 'Clue Store'; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Global Route Leaking on same PE

The last time I've seen discussion on this topic, you had to have an external back-to-back connection between a VRF interface and a global interface.

> -----Original Message-----
> From: Clue Store [mailto:cluest...@gmail.com]
> Sent: Tuesday, June 16, 2009 4:18 PM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] Global Route Leaking on same PE
>
> Hi All,
>
> Looked through the archives but couldn't find anything about this specific issue. I'm trying to leak a route from the global table on a PE to an interface that is on the same PE but I get the following when I try to just point it to a loopback.
>
> ip route vrf test 64.193.x.x 255.255.255.248 192.168.222.1 global
> %Invalid next hop address (it's this router)
>
> Also tried to point it to just the interface and it says vpn routes have to be pointed to next-hop addresses. Anyone have some clue how to get this to work where the traffic never leaves the same PE and makes a loop around the network??
>
> TIA

___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Dual WAN on Cisco IOS 12.4(24)T
You could put Fa0 into a VLAN and use that for the cable modem connection. There's no option for no switchport and turn it into a layer 3 interface.

Regards,
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[Web] http://www.netcraftsmen.net

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of John Lange
Sent: Wednesday, April 15, 2009 10:10 AM
To: Cisco NSP
Subject: [c-nsp] Dual WAN on Cisco IOS 12.4(24)T

I'm looking for some configuration examples for a Cisco 871w in a dual-wan environment.

Physically the box only has one of the ports labelled for a WAN port but is it possible to configure one of the other ports as another external interface? Internally they all just show up as FastEthernet ports 0-4.

One port would be DSL with PPPOE and the other would be simple DHCP (cable modem).

Version: Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(24)T

Regards,
--
John Lange
http://www.johnlange.ca

___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Dual WAN on Cisco IOS 12.4(24)T
Basically you should look for reliable static routing using object tracking:
http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xe/feature/guide/dbackupx.html

An ICMP echo probe is created to monitor the GW of the primary interface. The probe sends an ICMP echo every 5 seconds, and runs indefinitely:

! x.x.x.x = primary ISP gateway, x.x.x.x1 = the router's own primary WAN address
ip sla 2147483647
 icmp-echo x.x.x.x source-ip x.x.x.x1
 timeout 1000
 frequency 5
ip sla schedule 2147483647 life forever start-time now

An object tracking rule is created to track the echo probe with a delay of 20 seconds - in case of just link flapping and not a real failure:

!
track 300 rtr 2147483647 reachability
 delay down 20
!

A route map is created to send the ICMP echo packets out the primary WAN interface only when it is up but sends the packets to a null0 interface when the primary interface fails:

!
ip access-list extended object-track
 permit icmp host x.x.x.x1 host x.x.x.x
!
route-map OT permit 300
 match ip address object-track
 set ip next-hop x.x.x.x
 set interface Null0
!
! The probe is router-generated traffic, which is only policy routed when local
! policy is enabled. Without this line the route map is never consulted, the probe
! follows the routing table, and once the backup default is active it succeeds
! over the backup link, so the track never goes down and the primary never recovers.
ip local policy route-map OT
!

A default route is set out the primary interface. Another default route is set out the secondary interface but at a higher cost:

ip route 0.0.0.0 0.0.0.0 x.x.x.x track 300
ip route 0.0.0.0 0.0.0.0 y.y.y.y 250
!

HTH.

Regards,
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[Web] http://www.netcraftsmen.net

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of John Lange
Sent: Wednesday, April 15, 2009 11:02 AM
To: 'Cisco NSP'
Subject: Re: [c-nsp] Dual WAN on Cisco IOS 12.4(24)T

On Wed, 2009-04-15 at 10:24 -0400, Luan Nguyen wrote:
> You could put Fa0 into a VLAN and use that for the cable modem connection.

Ok, that's what I figured would work.

Any suggestions for how to make the dual-wan work in a type of fail-over setup? All of my searching turns up plenty of hits for hardware failover (dual-PIX setups) but I can't find any example configs for dual-wan on a single device. I must be using the wrong search terms?

I'm fairly new to cisco and am not certified so any hints as to which IOS commands/configs can be used to detect fail-over would be great.

Thanks,
--
John Lange
http://www.johnlange.ca

___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
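Putting the two replies together for John's actual box, as an added example that is not configuration from the thread: an 871 with PPPoE on Fa4 as the primary WAN, the cable modem on Fa0 moved into VLAN 2 as backup, and the reliable static routing idea adapted for a PPPoE interface, where there is no fixed gateway address to ping. PPPoE credentials, the probe target 198.51.100.1, the LAN range and the timers are assumed for illustration.

```cisco
! Added example: 871 dual WAN. Fa0-3 are switch ports, Fa4 is the routed port.
! Create VLAN 2 in the vlan database first. All addresses/credentials are placeholders.
!
interface FastEthernet0
 description cable modem (backup WAN)
 switchport access vlan 2
!
interface Vlan2
 description backup WAN via cable modem (DHCP)
 ip address dhcp
 ip dhcp client default-router distance 250  ! the DHCP-installed default becomes the floating backup
 ip nat outside
 ip virtual-reassembly
!
interface FastEthernet4
 description DSL modem (primary WAN, PPPoE)
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer1
 description primary WAN via PPPoE
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname user@isp.example
 ppp chap password 0 changeme
dialer-list 1 protocol ip permit
!
interface Vlan1
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452                      ! PPPoE MTU 1492 minus 40
!
! Probe a fixed address beyond the DSL provider, forced out Dialer1 by local
! policy. If Dialer1 is down the probe dies on Null0 instead of leaking over
! the cable link and keeping the track up.
ip sla 1
 icmp-echo 198.51.100.1 source-interface Dialer1
 timeout 1000
 frequency 5
ip sla schedule 1 life forever start-time now
track 300 rtr 1 reachability
 delay down 20 up 10
ip access-list extended PROBE
 permit icmp any host 198.51.100.1 echo
route-map OT permit 10
 match ip address PROBE
 set interface Dialer1 Null0
ip local policy route-map OT
!
! Primary default is withdrawn when track 300 fails; the DHCP default on Vlan2
! (distance 250) takes over. NAT is keyed on the egress interface so new flows
! are translated to whichever WAN is active.
ip route 0.0.0.0 0.0.0.0 Dialer1 track 300
ip access-list extended NAT-INSIDE
 permit ip 192.168.1.0 0.0.0.255 any
route-map NAT-DSL permit 10
 match ip address NAT-INSIDE
 match interface Dialer1
route-map NAT-CABLE permit 10
 match ip address NAT-INSIDE
 match interface Vlan2
ip nat inside source route-map NAT-DSL interface Dialer1 overload
ip nat inside source route-map NAT-CABLE interface Vlan2 overload
```

Watch show track 300 and show ip route 0.0.0.0 while pulling the DSL line; the tracked default should disappear after the 20 s down delay and the Vlan2 default appear. Translations built on Dialer1 are not moved on failover; existing sessions die and are rebuilt on Vlan2, and clear ip nat translation * after a switch speeds that up.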
Re: [c-nsp] cisco AnyConnect - cisco 877
There's a configuration guide here:
http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a0080720346.shtml

According to it, the 877 should be supported.

Regards,
Luan Nguyen
Chesapeake NetCraftsmen, LLC
[Web] http://www.netcraftsmen.net

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of almog ohayon
Sent: Wednesday, March 18, 2009 10:33 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] cisco AnyConnect - cisco 877

Hi Everyone,

Does anyone know if Cisco AnyConnect is supported in cisco 877 router ?? I know that Cisco AnyConnect is supported in Cisco ASA.

This is my Details:

877 version: flash:c870-advipservicesk9-mz.124-24.T.bin

WebVpn Config:

webvpn gateway SSLVPNGW1
 ip address x.x.x.x port 443
 http-redirect port 80
 ssl trustpoint TP-self-signed-1899766392
 logging enable
 inservice
!
webvpn context SSLVPN
 ssl authenticate verify all
 !
 policy group policy_1
  functions svc-enabled
  hide-url-bar
  svc address-pool Intranet
  svc default-domain test.com
  svc keep-client-installed
  svc dpd-interval gateway 30
  svc rekey method new-tunnel
  svc dns-server primary 4.2.2.2
  svc wins-server primary 4.2.2.2
  citrix enabled
 default-group-policy policy_1
 gateway SSLVPNGW1
 max-users 10
 logging enable
 inservice
!

___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] 7206 NON VXR
NPE-225 I think is the max you could go.

Regards,
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[Web] http://www.netcraftsmen.net

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Samantha (Regional Connect)
Sent: Tuesday, March 17, 2009 12:22 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] 7206 NON VXR

Hey Guys

What is the max processor board I can use with a non vxr chassis?

Thanks
Samantha

___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] VRF and STATIC ROUTE to GLOBAL
Instead of an external link with 2 physical ports, you could try to create a GRE tunnel with 2 loopback interfaces.

interface Loopback0
 ip address 10.10.10.1 255.255.255.0
!
interface Loopback10
 ip address 10.10.100.1 255.255.255.0
!
! Tunnel1 sits in the VRF. Its GRE endpoints (Loopback0 -> Loopback10) are
! looked up in the global table, so the encapsulated packet is hairpinned
! inside the router and decapsulated on Tunnel2.
interface Tunnel1
 ip vrf forwarding NSP
 ip address 172.16.1.1 255.255.255.0
 tunnel source Loopback0
 tunnel destination 10.10.100.1
!
! Tunnel2 is the global-table end of the same pair.
interface Tunnel2
 ip address 172.16.1.2 255.255.255.0
 tunnel source Loopback10
 tunnel destination 10.10.10.1

Then run OSPF...etc. I haven't tried static routes, but pretty sure it would work.

! OSPF inside the VRF, peering with the global process across the tunnel pair.
! Only interfaces that are in VRF NSP match this process; Loopback0 is global,
! so the 10.10.10.1 statement below has no effect and only Tunnel1 is advertised.
router ospf 100 vrf NSP
 router-id 10.10.10.1
 log-adjacency-changes
 redistribute bgp 65535 subnets
 network 10.10.10.1 0.0.0.0 area 0
 network 172.16.1.1 0.0.0.0 area 0
!
router ospf 1
 router-id 10.10.100.1
 log-adjacency-changes
 network 10.10.100.1 0.0.0.0 area 0
 network 172.16.1.2 0.0.0.0 area 0

Regards,
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[Web] http://www.netcraftsmen.net
[Blog] http://cnc-networksecurity.blogspot.com/
[Mobile] 703-953-9116

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jeff Fitzwater
Sent: Monday, February 23, 2009 10:56 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] VRF and STATIC ROUTE to GLOBAL

This question was posted earlier, before I opened ticket with CISCO.

Router is 6500 with 720-CXL running SXI code.

1. I have router A which is used to connect to our three ISPs ( two I1s and one I2 connection with full BGP), and also receives all our internal campus traffic via RIP default path. Router A announces default to campus.

2. I now need to add a new special ESNET.GOV ISP which cannot be used by the majority of our campus except for two subnets. These two subnets will still have access to the other three ISPs for normal path selection but have the option of choosing an ESNET route if needed.

3. So the original thinking was to create the VRF for ESNET which would have its own ESNET route table and tell the two special subnets (using route-map match subs, set vrf ) to check the ESNET table first and if route is not in table then fall thru to global.

4. I can't just have one route table that includes the ESNET routes, because ESNET announces some more specific routes and there may be hosts that normally use the I1 path to these DSTs, but now see a more specific path and try to use it and fail because it is not allowed by ESNET outbound ACL.

I have BGP peering working in VRF ( can see prefixes from ESNET in VRF table), but cannot announce our two subnet prefixes because they do not show up in VRF route table. So getting static back to global would fix this and other issue with DEFAULT to global.

When I try to add static routes they never show up because the next hop is not present in VRF table or the command fails stating that... Invalid next-hop address (it's this router).

I was hoping that just adding a static DEFAULT in VRF pointing to global would do everything I needed, but cannot get it to work even after trying all permutations of the command.

ip route vrf vrf-esnet 0.0.0.0 0.0.0.0 0.0.0.0 global

Also tried

ip route vrf vrf-esnet 0.0.0.0 0.0.0.0 loopback3 10.10.10.10 global

Loopback3 was created with RFC-1918 IP and had vrf forwarding added on this loopback. This also failed.

Creating an internal path between the VRF router and the global router is stopping all this from working. I have a ticket open with CISCO but they are saying I have to add an external link with two physical ports on vrf. This will not work for us.

Does anybody know how to get statics working between VRF and global table, if its even possible.

Really stuck!

Jeff Fitzwater
OIT Network Systems
Princeton University

___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] AIM-SSL-3 card on 2811
Hi folks,

Anyone tried the SSL-3 VPN encryption card on a 2800 series before?

Thanks.

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[W] http://www.netcraftsmen.net
[M] l...@netcraftsmen.net
[Blog] http://cnc-networksecurity.blogspot.com/

___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Acceptance Test Procedure for New Cisco Devices
Going a bit further...how's about looking at those benchmarking RFCs
http://www.ietf.org/html.charters/bmwg-charter.html

In particular http://www.ietf.org/rfc/rfc2544.txt for the 1861 and http://www.ietf.org/rfc/rfc3511.txt for the ASA

Regards,
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[W] http://www.netcraftsmen.net
[M] l...@netcraftsmen.net
[Blog] http://cnc-networksecurity.blogspot.com/

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Phil Mayers
Sent: Tuesday, January 20, 2009 8:06 AM
To: Ziv Leyes
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Acceptance Test Procedure for New Cisco Devices

Ziv Leyes wrote:
> Ok, let me be more specific
> When we buy devices for our own use, we just open it, plug it, and start using them, if there are any problems, we call the provider and they fix the problem (RMA or whatever)
> In this case, we're going to sell the equipment as a kind of turn-key project, and the customer asked us to provide them with our ATP, which we don't really use for ourselves, so I'd like to implement one sort of testing procedure from now on for this type of cases.
> We're going to attach this to a legal statement so we can't just type some BS there and that's it, we want to actually implement it, and if we write we do a,b,c,d then we'll going to do a,b,c,d procedure for real.
> I was thinking some of you guys may already use this kind of test routines and can help me creating one.
> I don't need some really serious stuff, I can imagine I'll check the delivery status of the package, open it, check all the contents that need to be there are there, to plug the device and see it works, perhaps load some configuration, plug the hardware that is planned to hold if any (HWICS and so), perform some soft and hard reboots, see the device responds, there are links on all interfaces, and pack it back exactly as it was.
> The problem is I don't know how exactly write it down on a kind of form that there's a checkbox for each test.
> Does anybody have some ready to go stuff?

Well, it's going to depend very much on the kind of equipment. For example, a mandatory step when we get anything for our 6500s is a complete run passing all GOLD tests (including the disruptive tests). We maintain a spare chassis specifically for this.

I don't know if ASA5510 and 1861 have diagnostics, but I don't think so. In that case, you're probably going to want something like:

 * Build a standard config involving (at least) your ASA 18xx router, which all or a large subset of the features are enabled
 * For each pair of devices you distribute, load the standard config on and run some test traffic
 * Leave it powered up for long enough to count as burn in i.e. 7 days?

So you'd write something like:

Party X will undertake to:
 * Unpack all equipment and check inventory
 * Check that equipment will power up
 * Load on a standard config, which tests:
   * OSPF routing
   * BGP routing
   * Packet forwarding
   * IPSec
   * Coffee making
 * Run test traffic for 48 hours, to ensure the devices compare to a known-good platform
 * Leave the config running for 7 days, to eliminate early-life failure

...before shipping to Customer Y

___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Forcing dhcp lease renewal
Things point to Cradlepoint don't they? I've used Digi ConnectPort with lots of success. Or go with the 3G-Wireless HWIC card or ask VzW for a static IP address. The last thing would be to use object tracking in conjunction with EEM to solve your problem.

Regards,
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[W] http://www.netcraftsmen.net
[M] l...@netcraftsmen.net
[Blog] http://cnc-networksecurity.blogspot.com/

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Bob Tinkelman
Sent: Friday, January 16, 2009 11:35 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Forcing dhcp lease renewal

For a cisco router with an interface like this:

interface FastEthernet0/1
 description Verizon EVDO via Cradlepoint CBA250
 ip address dhcp

I'm looking for a way to force the router to issue a dhcp lease renewal request. I can do this manually, for example via

config term
 int fa0/1
  shut
  no shut
 exit

but I'm looking for a way to trigger this automatically. (Or possibly I'm trying to solve a problem in the wrong way.)

Background: We have a good many customers with T1 or multi-T1 service, and with fall-back routing configured over a cheap path, typically a dynamic-ip cable-modem service or dsl. Our configs use a combination of gre-tunnels (to preserve customer-site address ranges) and sometimes object tracking and policy routing (often to direct web requests to a higher-speed cable-modem service in cases where NATing is acceptable). We've been doing this for a good while and have a set of configs that provide pretty solid service.

I have been testing, in a lab environment, a configuration to do the same thing with Verizon's EVDO service using a Cradlepoint CBA250 (Cellular Broadband Adapter). It's not a router; just a pass-through device. The same configuration that we use with dynamic-ip cable-modems works. However, several times/day, things break.

Output of show interface, show dhcp lease, etc., show that the cisco router doesn't think anything's changed. The interface has the same dhcp-assigned ip address and default gateway. But the default gateway is no longer pingable. Doing a clear int Fa0/1 doesn't help. A shut and no shut will cause the router to issue a new dhcp request, get a new (and different) ip address and gateway, and start working again.

My current working hypothesis is that the EVDO link between the CBA250 and Verizon was interrupted, possibly very briefly, that Verizon noticed and invalidated the dhcp lease, but that no indication of this reached the router. It's a weak hypothesis. I'm bothered by the fact we've never seen this problem with similar cable-modem setups, e.g., with Time Warner and with Cablevision.

I've sent email to supp...@cradlepoint.com even though I really don't see how their equipment could be involved.

I could use object tracking to discover when the link over EVDO stops working. But I'm not sure what do to with that info. Is there a way to force a new dhcp request to go out based on object tracking? (To date, I've used object tracking mostly to enable/disable specific ip route commands.)

I have the strong feeling that I'm trying to solve this in the wrong way, and that if I really understood what was going wrong, I'd be working in a different direction. So, any hints would be much appreciated

- Bob

___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
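Luan's last suggestion, object tracking plus EEM, as an added example that is not configuration from the thread: it automates the manual shut/no shut Bob describes by releasing and renewing the DHCP lease on Fa0/1 when the EVDO path stops answering. The gateway is DHCP-learned, so the probe cannot name it; instead it pings a fixed address (198.51.100.1, assumed) and is steered to whatever gateway DHCP handed out, falling back to Null0 so the probe cannot succeed over the T1 and mask the failure. The probe target, the timers and the track/SLA numbers are assumed; the interface is Bob's.

```cisco
! Added example: force a fresh DHCP lease on Fa0/1 when its gateway goes dark.
! 198.51.100.1 is a placeholder for an address that is only useful via EVDO.
!
ip sla 10
 icmp-echo 198.51.100.1 source-interface FastEthernet0/1
 timeout 1000
 frequency 10
ip sla schedule 10 life forever start-time now
!
! Steer the router-generated probe to the DHCP-learned gateway on Fa0/1; if
! there is no DHCP gateway the probe dies on Null0 rather than taking the T1.
ip access-list extended EVDO-PROBE
 permit icmp any host 198.51.100.1 echo
route-map EVDO-PROBE permit 10
 match ip address EVDO-PROBE
 set ip next-hop dynamic dhcp
 set interface Null0
ip local policy route-map EVDO-PROBE
!
! 30 s of failures before acting, so a brief cellular hiccup does not cost a lease.
! On newer code the track syntax is "track 10 ip sla 10 reachability".
track 10 rtr 10 reachability
 delay down 30 up 10
!
! On the down transition: log it, drop the stale lease and ask for a new one.
! "renew dhcp" alone only re-REQUESTs the old lease; after "release dhcp" the
! client has no lease and starts over with DHCPDISCOVER, which is what the
! shut/no shut achieved. The track comes back up once the new lease works.
event manager applet EVDO-DHCP-RENEW
 event track 10 state down
 action 1.0 syslog msg "EVDO gateway unreachable, forcing DHCP release/renew on Fa0/1"
 action 2.0 cli command "enable"
 action 3.0 cli command "release dhcp FastEthernet0/1"
 action 4.0 cli command "renew dhcp FastEthernet0/1"
```

Test it by pulling the CBA250's antenna or USB for a minute: show track 10 should go down after the delay, the syslog line should appear, and show dhcp lease should show a new lease and gateway. If it fires but the new lease is identical to the old one and still does not work, the fault is on the Verizon/CBA250 side rather than in the lease, which is the hypothesis Bob wants to confirm or rule out.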
Re: [c-nsp] site-to-site vpn, ipsec-gre, 2811/HSEC
From what you said about the process CPU 99/96, the routers aren't doing anything process-intensive. Assuming that was what you meant: CPU utilization for five seconds: 99/96.

Getting 35Mbs VPN throughput for the 2811 with AIM-VPN/SSL-2 is the best-case scenario for that model already. You could try to use IPSEC Profile configuration instead of the legacy crypto-map on the WAN interface, and try a different IOS to see if you get improvement. That might improve throughput a bit: minimal if at all. If you need more VPN throughput, I would suggest trying a different hardware platform.

Regards,
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[W] http://www.netcraftsmen.net
[M] l...@netcraftsmen.net
[Blog] http://cnc-networksecurity.blogspot.com/

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mark Kent
Sent: Tuesday, January 06, 2009 9:45 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] site-to-site vpn, ipsec-gre, 2811/HSEC

I'm experimenting with a pair of cisco 2811 with the AIM-VPN/SSL-2 running C2800NM-ADVIPSERVICESK9-M, 12.4(9)T7. I've got them back-to-back, configured as shown below.

With a single file transfer (tcp) through the boxes I am able to jam the processor at 99%/96%, which tells me I must be missing something. I checked and the ip tcp adjust-mss 1360 is working, so it is not fragmentation that is the culprit. I do get about 35Mbs throughput, but I'm bugged that the main cpu is jammed. I did check sh cry eng acc stat and see that the HW module is being used, but I would have thought that the actual 2811 cpu would be only modestly busy.

Am I missing anything here?

Thanks,
-mark

---
    crypto isakmp policy 10
     encr aes
     authentication pre-share
     group 5
     lifetime 300
    !
    crypto isakmp key foo address 10.10.10.2 no-xauth
    !
    crypto ipsec transform-set GREVPN esp-aes esp-sha-hmac
    !
    crypto map GREVPN local-address FastEthernet0/0
    !
    ip access-list extended TUNNEL
     permit gre host 10.10.10.1 host 10.10.10.2
    !
    crypto map GREVPN 20 ipsec-isakmp
     set peer 10.10.10.2
     set transform-set GREVPN
     match address TUNNEL
    !
    interface Tunnel0
     ip address 192.0.2.1 255.255.255.252
     ip mtu 1476
     ip tcp adjust-mss 1360
     tunnel source FastEthernet0/0
     tunnel destination 10.10.10.2
    !
    interface FastEthernet0/0
     description x-conn to other 2811
     ip address 10.10.10.1 255.255.255.252
     crypto map GREVPN
     crypto ipsec fragmentation before-encryption
    !
    interface FastEthernet0/1
     ip address test1 network, test2 is on other 2811
    !
    ip route test2 network 192.0.2.2
---

    2811-expt-TWO#sh cry engine acc stat
    Device:   AIM-VPN/SSL-2
    Location: AIM Slot: 0
    Virtual Private Network (VPN) Module in slot : 0

    Statistics for Hardware VPN Module since the last clear of counters 42 seconds ago
          126270 packets in                 126270 packets out
       127941213 bytes in               124977694 bytes out
            3006 paks/sec in                 3006 paks/sec out
           23865 Kbits/sec in               23312 Kbits/sec out

           42555 packets decrypted          83715 packets encrypted
         5854456 bytes before decrypt   119123238 bytes encrypted
         2790517 bytes decrypted        125150696 bytes after encrypt

               0 packets decompressed          0 packets compressed
               0 bytes before decomp           0 bytes before comp
               0 bytes after decomp            0 bytes after comp
               0 packets bypass decompr        0 packets bypass compres
               0 bytes bypass decompres        0 bytes bypass compressi
               0 packets not decompress        0 packets not compressed
               0 bytes not decompressed        0 bytes not compressed
           1.0:1 compression ratio          1.0:1 overall

               4 commands out                  4 commands acknowledged

    Last 5 minutes:
           53276 packets in                 53276 packets out
            1268 paks/sec in                 1268 paks/sec out
        10792372 bits/sec in             10542446 bits/sec out
         1178581 bytes decrypted         50240550 bytes encrypted
          235716 Kbits/sec decrypted     10048110 Kbits/sec encrypted
           1.0:1 compression ratio          1.0:1 overall

    Errors:
         ppq full errors      : 0      ppq rx errors         : 0
         cmdq full errors     : 0      cmdq rx errors        : 0
         ppq down errors      : 0      cmdq down errors      : 0
         no buffer            : 0      replay errors         : 0
         dest overflow        : 0      authentication errors : 0
         Other error          : 0      Raw Input Underrun    : 0
    IPSEC
Re: [c-nsp] Cisco Software Client - Router VPN issue.
Create ACL 101

    permit 10.0.0.0 0.0.0.255 any

Then under the crypto isakmp client configuration group SomeVPN add ACL 101.

Regards,
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[W] http://www.netcraftsmen.net
[M] l...@netcraftsmen.net
[Blog] http://cnc-networksecurity.blogspot.com/

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Networkers
Sent: Monday, January 05, 2009 10:38 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco Software Client - Router VPN issue.

I'm trying to solve a problem with setting up the remote VPN access using the Cisco VPN software client. I have gotten it to the point where a user can remotely tunnel to the router from their Doze PC, log in, receive an IP in the 10.x.x.x network, and ping something on the 192.168.100.x network. However, they can't surf to the outside internet over that tunneled connection. I've taken a look at some sample configs on the Cisco site but they all seem to be similar to this. My thinking is that the dial pool doesn't get NATed properly, but I'm unsure on what to do to the config to fix this. Normal 192.168.100.x Ethernet-connected PCs in the home office can surf and do everything just fine.

Can someone offer a tidbit?

Thanks!
Chris

    aaa new-model
    !
    aaa authentication login userauthen local
    aaa authorization network groupauthor local
    aaa session-id common
    ip subnet-zero
    no ip source-route
    ip cef
    !
    username somebody password 0 my_password
    !
    crypto isakmp policy 3
     encr 3des
     hash md5
     authentication pre-share
     group 2
    !
    crypto isakmp client configuration group SomeVPN
     key my_key
     pool ourpool
    !
    crypto ipsec transform-set trans1 esp-3des esp-sha-hmac
    crypto ipsec transform-set trans2 esp-des esp-sha-hmac
    crypto ipsec transform-set trans3 esp-3des esp-md5-hmac
    !
    crypto dynamic-map dynmap 10
     set transform-set trans3
    !
    crypto map intmap client authentication list userauthen
    crypto map intmap isakmp authorization list groupauthor
    crypto map intmap client configuration address initiate
    crypto map intmap client configuration address respond
    crypto map intmap 10 ipsec-isakmp dynamic dynmap
    !
    interface FastEthernet0/0
     description Office LAN
     ip address 192.168.100.100 255.255.255.0
     ip nat inside
     no ip mroute-cache
    !
    interface Serial0/0
     ip address my_ip 255.255.255.252
     ip nat outside
     crypto map intmap
    !
    ip local pool ourpool 10.0.0.1 10.0.0.254
    ip default-gateway upstream_ip
    ip nat inside source route-map nonat interface Serial0/0 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 Serial0/0
    !
    ip access-list extended NATRules
     deny   ip 192.168.100.0 0.0.0.255 10.0.0.0 0.0.0.255
     deny   ip 10.0.0.0 0.0.0.255 192.168.100.0 0.0.0.255
     permit ip 192.168.100.0 0.0.0.255 any
     permit ip 10.0.0.0 0.0.0.255 any
    !
    access-list 2 permit 10.0.0.0 0.0.0.255
    access-list 2 permit 192.168.100.0 0.0.0.255
    !
    route-map nonat permit 11
     match ip address NATRules
    !
    end
Re: [c-nsp] Cisco Software Client - Router VPN issue.
Uhm, that's split-tunneling. If you want to use internet at the router site then follow this guide:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml

Regards,
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[W] http://www.netcraftsmen.net
[M] l...@netcraftsmen.net
[Blog] http://cnc-networksecurity.blogspot.com/

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Luan Nguyen
Sent: Monday, January 05, 2009 12:09 PM
To: 'Networkers'; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cisco Software Client - Router VPN issue.

Create ACL 101

    permit 10.0.0.0 0.0.0.255 any

Then under the crypto isakmp client configuration group SomeVPN add ACL 101.

Regards,
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[W] http://www.netcraftsmen.net
[M] l...@netcraftsmen.net
[Blog] http://cnc-networksecurity.blogspot.com/

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Networkers
Sent: Monday, January 05, 2009 10:38 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco Software Client - Router VPN issue.
Re: [c-nsp] HWIC-4T1/E1
    controller T1 0/2/0
     cablelength long 0db
     channel-group 1 timeslots 1-24
    !
    controller T1 0/2/1
     cablelength long 0db
     channel-group 1 timeslots 1-24
    !
    controller T1 0/2/2
     cablelength long 0db
     channel-group 1 timeslots 1-24
    !
    controller T1 0/2/3
     cablelength long 0db
     channel-group 1 timeslots 1-24
    !
    interface Serial0/2/0:1
     ip address negotiated
     ip access-group publicIn in
     ip virtual-reassembly
     encapsulation ppp
     crypto map vpn
    !
    interface Serial0/2/1:1
     ip address negotiated
     ip access-group publicIn in
     ip virtual-reassembly
     encapsulation ppp
     crypto map vpn
    !
    interface Serial0/2/2:1
     ip address negotiated
     ip access-group publicIn in
     ip virtual-reassembly
     encapsulation ppp
     crypto map vpn
    !
    interface Serial0/2/3:1
     ip address negotiated
     ip access-group publicIn in
     ip virtual-reassembly
     encapsulation ppp
     crypto map vpn

Didn't do a whole lot with QOS...etc, but it looks like any other serial T1/E1 interfaces.

Regards,
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Justin Shore
Sent: Friday, December 19, 2008 11:27 AM
To: 'Cisco-nsp'
Subject: [c-nsp] HWIC-4T1/E1

Does anyone have any of the new quad-T1 HWICs (HWIC-4T1/E1) in production? I've got some questions for anyone with knowledge of the unit.

http://www.cisco.com/en/US/prod/collateral/modules/ps5949/product_data_sheet0900aecd80710c77.html

Are they configured like the MFTs (with the controller config separate) or are they like the WICs (with the service-module config)? How are the 4 interfaces numbered? Se0/1/0-4:0? Are there any special limitations with the HWIC-4T1 that anyone knows of? We'll be doing MLPPP on them and some QoS (possibly spanning multiple HWIC-4T1s in a single chassis).

They look to be decent units. Besides researching them to make sure that they'll work for us, I'm writing a template config for them and need to know how they're configured and numbered.

Thanks
Justin
Re: [c-nsp] 32 bit ASN
Here's an old post on this topic:
http://puck.nether.net/pipermail/cisco-nsp/2008-August/053334.html

Also, I heard it's going to be implemented beginning 12.5T.

Regards,
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Antonio Soares
Sent: Wednesday, December 17, 2008 7:31 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] 32 bit ASN

Hello group,

Anybody knows if the 32-bit ASN feature is already available on Cisco IOS? I didn't find this feature on Feature Navigator. It's quite strange the fact no information seems to be available. RIPE will start assigning 32-bit ASN's in 1/1/2009.

Thanks.

Regards,
Antonio Soares, CCIE #18473 (RS)
amsoa...@netcabo.pt
Re: [c-nsp] Rate limiting but on packet count not bandwidth
Maybe give storm-control with the pps keyword a try.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/swtrafc.html#wp1241484

Regards,
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Primoz Jeroncic
Sent: Wednesday, December 17, 2008 10:01 AM
To: Cisco Mailing list
Subject: [c-nsp] Rate limiting but on packet count not bandwidth

Hi guys

Does anyone have any idea if rate limiting traffic based on packet count would be possible on Cat3550/3560/3570 or any Cisco router? I would need to limit some users which don't generate much of traffic (only about 5 or 6Mbps), but packet count is huge (30k+ per sec). So is there some option to limit their traffic to let's say 5000 packets/sec regardless of the bandwidth they use?

Thanks for help.

Have fun,
Primoz Jeroncic
Support - IP Connectivity Routing
Softnet d.o.o., Borovec 2, 1236 Trzin, Slovenija
tel: +386 1 562 31 40 | fax: +386 1 562 18 55
primoz(at)softnet.si | http://flea.softnet.si/
1 + 1 = 3 for larger values of 1
Re: [c-nsp] MPLS-VPN migration
Let me try thinking out loud :)

There's BGP support for IP prefix import into a VRF table:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_bgivt.html

You could use static routes as well.

For dynamic, some people create two tunnels, same router, same subnet, sourced from different loopbacks. With one tunnel interface in the vrf, one in the global routing table:

    ip vrf CUSTOMER1
     rd
     route-target export
     route-target import
    !
    interface Tunnel100
     description VRF_CUSTOMER1_BRIDGE_TO_GLOBAL_ROUTING_TABLE
     bandwidth 5
     ip vrf forwarding CUSTOMER1
     ip address 172.31.254.254 255.255.255.252
     load-interval 30
     tunnel source x.x.x.x
     tunnel destination y.y.y.y
    !
    interface Tunnel200
     description GLOBAL_ROUTING_TABLE_BRIDGE_TO_VRF_CUSTOMER1
     bandwidth 5
     ip address 172.31.254.253 255.255.255.252
     ip virtual-reassembly
     load-interval 30
     tunnel source y.y.y.y
     tunnel destination x.x.x.x

If you have a lot of customers (a lot of VRFs), then maybe try DMVPN configuration with the global being the hub and each spoke in their own unique VRF...just a thought :)

Regards,
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Tim Durack
Sent: Wednesday, December 17, 2008 10:54 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] MPLS-VPN migration

Looking for some creative ideas on how best to accomplish this:

We are migrating a traditional enterprise-style IP network to an MPLS-VPN network. All the infrastructure MPLS/IGP/MP-BGP work is essentially done (it's a purely PE-PE network, no P routers anywhere.) All customer networks are still in the global table. I need to migrate them into VPN groups, but maintain full reachability between global and VRFs during the migration. Route-leaking will be configured between VRFs, and at a later stage some kind of firewall will be employed between VPNs.

The hard part is getting everything into the VPNs first (without anyone noticing too much :-)

Ideally I'd like to bring up BGP sessions between the global table and VRFs on each PE. I notice I can do BGP sessions between VRFs, but can't quite wrap my head around global-VRF BGP. Is this even possible?

Thanks for thinking about it.

Tim:
Re: [c-nsp] MPLS-VPN migration
You could run a routing protocol inside the (DMVPN) tunnel like OSPF and redistribute using MP-BGP.

    router ospf 1 vrf CUSTOMER1          <--- VRF instance of OSPF
     network [tunnel interface ip network] area 0
     redistribute bgp 65535 subnets route-map redis-bgp-vrf-CUSTOMER1-to-ospf
    !
    router ospf 2
     network [tunnel interface ip network] area 0
    !
    router bgp 65535
     address-family ipv4 vrf CUSTOMER1
      redistribute ospf 1 vrf CUSTOMER1 route-map redis-ospf-to-bgp-vrf

Regards,
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-----Original Message-----
From: Tim Durack [mailto:tdur...@gmail.com]
Sent: Wednesday, December 17, 2008 1:21 PM
To: Luan Nguyen
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] MPLS-VPN migration

On Wed, Dec 17, 2008 at 12:25 PM, Luan Nguyen l...@netcraftsmen.net wrote:

> Let me try thinking out loud :)
>
> There's BGP support for IP prefix import into a VRF table:
> http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_bgivt.html
>
> You could use static routes as well.

Looked at that. Trouble is the static routes have to specify next-hop, which isn't going to be very scalable for directly-connected VLAN interfaces.

> For dynamic, some people create two tunnels, same router, same subnet,
> sourced from different loopbacks. With one tunnel interface in the vrf,
> one in the global routing table:
>
>     ip vrf CUSTOMER1
>      rd
>      route-target export
>      route-target import
>     !
>     interface Tunnel100
>      description VRF_CUSTOMER1_BRIDGE_TO_GLOBAL_ROUTING_TABLE
>      bandwidth 5
>      ip vrf forwarding CUSTOMER1
>      ip address 172.31.254.254 255.255.255.252
>      load-interval 30
>      tunnel source x.x.x.x
>      tunnel destination y.y.y.y
>     !
>     interface Tunnel200
>      description GLOBAL_ROUTING_TABLE_BRIDGE_TO_VRF_CUSTOMER1
>      bandwidth 5
>      ip address 172.31.254.253 255.255.255.252
>      ip virtual-reassembly
>      load-interval 30
>      tunnel source y.y.y.y
>      tunnel destination x.x.x.x

And point statics at the tunnel? I guess that could work.

I was hoping to do something along the lines of:
http://www.cisco.com/en/US/docs/ios/iproute/configuration/guide/bgp_router_id_ps6017_TSD_Products_Configuration_Guide_Chapter.html#wp1055073

But it looks like this only works for VRF-VRF BGP sessions, not VRF-GLOBAL.

Tim:
Re: [c-nsp] VSS SRND
Have you looked at the Data Center Design Guide?
http://www.cisco.com/en/US/netsol/ns743/networking_solutions_program_home.html

There's this one:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/dc_servchas/service-chassis_design.html

And this one:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/DC_Infra2_5/DCI_SRND.pdf

Which give lots of design guidance on VSS.

Regards,
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pavel Skovajsa
Sent: Monday, November 17, 2008 10:24 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] VSS SRND

Hello all,

does anybody have a clue when the VSS Block SRND is going to be published on Design Zone? The Enterprise Campus 3.0 Architecture (http://www.cisco.com/en/US/docs/solutions/Enterprise/Campus/campover.html) states that:

"Most campus environments will gain the greatest advantages of a virtual switch in the distribution layer. For details on the design of the virtual switching distribution block see the upcoming virtual switch distribution block design, http://www.cisco.com/go/srnd."

This has been there for almost 6 months now, and still no VSS SRND.

Thanks,
Pavel Skovajsa
Re: [c-nsp] DMVPN - HUB VRF Aware - Spokes no VRFs
Usually, when I use VRF-Lite with hub site DMVPN, it's because I need to backhaul all spoke traffic (send them a default route through the tunnel) and don't want to use policy based routing at the spoke sites. I have to put the LAN(s) and tunnel interface(s) on the spoke into a VRF and leave the WAN in the global so the spoke could have 2 default routes, one for the global to establish the DMVPN/IPSEC connection to hubs and other spokes, and one in the VRF to send all LAN traffic to the hub for say...central Internet access. Hubs' tunnels would usually be put into a VRF.

If you have a few customers and want to consolidate them into a single hub router, then I would just add the tunnels into their own VRFs; the spokes can be left alone. Depending on the routing protocol you use, and what access you want to give, you need to route inter/intra VRFs accordingly at the hub.

Regards,
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Danielsen
Sent: Monday, November 17, 2008 11:01 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] DMVPN - HUB VRF Aware - Spokes no VRFs

Hi,

I am trying to consolidate a number of DMVPN HUBs on a VRF Aware HUB. I have some difficulties getting it to work. HUB is a 7200VXR - Spokes are 2841.

All configuration examples I can find are with HUB and Spoke running VRF-Lite, and I need to figure out how to build the HUB for VRF-Lite support. I assume that Spoke configurations will not change, due to that the only place I need vrf-lite support is on the HUB.

Any clues, hints, whitepapers?

Thanks in advance
/ped_dk
Re: [c-nsp] BGP Question
    neighbor allowas-in

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stephens, Jamie A
Sent: Thursday, November 06, 2008 9:18 AM
To: cisco-nsp
Subject: [c-nsp] BGP Question

Is there a command to allow received routes from the same AS #?
Re: [c-nsp] Cisco 881 3G Router Experiences
Basically just another DHCP interface IP-wise. Here's a sample configuration for DMVPN/IPSEC I used for 1841 3G-EVDO. I used it as a primary connection as well as backup connection.

    interface Dialer1
     ip address negotiated
     ip virtual-reassembly
     encapsulation ppp
     dialer pool 1
     dialer idle-timeout 0
     dialer string cdma
     dialer persistent
     dialer-group 1
    !
    interface Cellular0/1/0
     ip address negotiated
     ip virtual-reassembly
     encapsulation ppp
     dialer in-band
     dialer pool-member 1
     dialer-group 1
    !
    crypto isakmp policy 1
     encr aes 256
     authentication pre-share
     group 5
    crypto isakmp key test address x.x.x.x
    crypto isakmp keepalive 10 4 periodic
    !
    !
    crypto ipsec transform-set cisco esp-aes 256 esp-sha-hmac
     mode transport
    !
    crypto ipsec profile cisco
     set transform-set cisco
     set pfs group5
    !
    interface Tunnel0
     bandwidth 1000
     ip address 10.0.0.2 255.255.255.0
     ip mtu 1400
     ip nhrp authentication donttell
     ip nhrp map 10.0.0.1 x.x.x.x
     ip nhrp map multicast x.x.x.x
     ip nhrp network-id 99
     ip nhrp holdtime 300
     ip nhrp nhs 10.0.0.1
     ip tcp adjust-mss 1360
     delay 100
     tunnel source dialer1
     tunnel mode gre multipoint
     tunnel key 10
     tunnel protection ipsec profile cisco

You could use IPSEC tunnel mode without DMVPN as well, just make sure the other side is configured for dynamic crypto map.

Regards,
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, November 06, 2008 3:57 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco 881 3G Router Experiences

Hi,

is anybody here using a Cisco 881 3G Router with IPSEC and can share his experiences/config with me?

Cheers
Anton

Anton Schweitzer
Senior Specialist BS Projekt Service Customer Design
o2 (Germany) GmbH Co.OHG
Georg Brauchle-Ring 23-25, D-80992 München
Tel +49(0)89-2442-5794
Mobil +49(0)176-23407715
Fax +49(0)89-2442-4281
[EMAIL PROTECTED]
Re: [c-nsp] PIX 6.x Site2Site with dynamic IP?
Just change your A end to use a dynamic map.

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of William
Sent: Thursday, November 06, 2008 6:04 AM
To: cisco-nsp
Subject: [c-nsp] PIX 6.x Site2Site with dynamic IP?

Hi Chaps,

I used to have a VPN tunnel running between two sites using Cisco Pix 6.x. The B end now has a dynamic IP address every time the router reloads, which means the tunnel has gone down and to get it back up we have to reconfigure an ISAKMP key and change our config here on the A end. Is there a way I can get round this? The router in front of our B-end PIX is not Cisco nor is it under our control.

My client downgraded their Internet Service package which also meant that they now have a dynamic IP address :(

Thanks for your time.

W
Re: [c-nsp] IPSec Remote Access VPN getting Addresses from the DHCP
Maybe try using the global commands

    no vpn-addr-assign local
    no vpn-addr-assign aaa
    vpn-addr-assign dhcp

And under

    tunnel-group COMPANY-TUNNEL-GROUP general-attributes

Add:

     default-group-policy COMPANY-REMOTE-ACCESS

Regards,
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruno Filipe
Sent: Wednesday, November 05, 2008 10:37 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] IPSec Remote Access VPN getting Addresses from the DHCP

Hi there,...

Can u guys help me understand why the dhcp is not providing addressing information to the VPN Clients...If I use a local pool, I can connect and get addressing info.

Here's my config:

    asa# wr t
    : Saved
    :
    ASA Version 7.0(7)
    !
    hostname asa
    domain-name domain.co.ao
    enable password shhh encrypted
    names
    dns-guard
    !
    interface Ethernet0/0
     description 100BASETX to LAN Switch
     nameif inside
     security-level 100
     ip address 192.168.91.254 255.255.255.0
    !
    interface Ethernet0/1
     description 100BASETX link to Alvarion BMAX-CPE-ODU (INTERNET)
     nameif outside
     security-level 0
     ip address xxx.xxx.xx.xxx 255.255.255.252
    !
    interface Ethernet0/2
     description FOR FUTURE USE
     nameif dmz
     security-level 5
     ip address xxx.xxx.xx.xxx 255.255.255.0
    !
    interface Management0/0
     nameif management
     security-level 100
     ip address 192.168.1.1 255.255.255.0
     management-only
    !
    passwd s encrypted
    ftp mode passive
    access-list outside_access_in extended permit tcp any host xxx.xxx.xx.xxx eq smtp
    access-list outside_access_in extended permit tcp any host xxx.xxx.xx.xxx eq pop3
    access-list outside_access_in extended permit tcp any host xxx.xxx.xx.xxx eq https
    access-list outside_access_in extended permit tcp any host xxx.xxx.xx.xxx eq 3389
    pager lines 24
    logging timestamp
    logging buffer-size 16384
    logging buffered critical
    logging trap debugging
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    mtu management 1500
    ip local pool COMPANY-LOCAL-POOL 192.168.91.230-192.168.91.240
    asdm image disk0:/asdm-507.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 10 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface smtp 192.168.91.112 smtp netmask 255.255.255.255
    static (inside,outside) tcp interface pop3 192.168.91.112 pop3 netmask 255.255.255.255
    static (inside,outside) tcp interface https 192.168.91.112 https netmask 255.255.255.255
    static (inside,outside) tcp interface 3389 192.168.91.112 3389 netmask 255.255.255.255
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 196.216.54.229 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    group-policy DfltGrpPolicy attributes
     banner none
     wins-server none
     dns-server none
     dhcp-network-scope none
     vpn-access-hours none
     vpn-simultaneous-logins 3
     vpn-idle-timeout 30
     vpn-session-timeout none
     vpn-filter none
     vpn-tunnel-protocol IPSec webvpn
     password-storage disable
     ip-comp enable
     re-xauth disable
     group-lock none
     pfs disable
     ipsec-udp disable
     ipsec-udp-port 1
     split-tunnel-policy tunnelall
     split-tunnel-network-list none
     default-domain none
     split-dns none
     secure-unit-authentication disable
     user-authentication disable
     user-authentication-idle-timeout 30
     ip-phone-bypass disable
     leap-bypass disable
     nem disable
     backup-servers keep-client-config
     client-firewall none
     client-access-rule none
     webvpn
      functions url-entry
      port-forward-name value Application Access
    group-policy COMPANY-REMOTE-ACCESS internal
    group-policy COMPANY-REMOTE-ACCESS attributes
     dhcp-network-scope 192.168.91.150
     webvpn
    username some.name password EB4ztYh0SYsdhnHI encrypted
    aaa authentication ssh console LOCAL
    aaa authentication enable console LOCAL
    http server enable
    http 192.168.91.0 255.255.255.0 inside
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set COMPANY-TRANSFORM-SET esp-3des esp-md5-hmac
    crypto dynamic-map COMPANY-DYNAMIC-MAP 10 set transform-set GENIUS-TRANSFORM-SET
    crypto map COMPANY-CRYPTO-MAP 65535 ipsec-isakmp dynamic GENIUS-DYNAMIC-MAP
    crypto map COMPANY-CRYPTO-MAP interface outside
    isakmp enable outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption aes-256
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    tunnel-group COMPANY-TUNNEL-GROUP type ipsec-ra
    tunnel-group COMPANY-TUNNEL-GROUP general-attributes
     dhcp-server 192.168.91.254
    tunnel-group COMPANY-TUNNEL-GROUP ipsec-attributes
     pre-shared-key *
    telnet timeout 5
    ssh xxx.xxx.xx.x 255.255.255.0 outside
    ssh timeout 30
    ssh version 2
    console timeout 0
    dhcpd address 192.168.91.150
Re: [c-nsp] ipsec over gre with nhrp
You have to use a tunnel protection profile instead. Get rid of the local-address, and put these in:

crypto isakmp policy 3000
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key test address 165.254.97.2
crypto isakmp keepalive 10 4 periodic
!
!
crypto ipsec transform-set TEST esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile foo
 set transform-set TEST
 set pfs group5
!
int tun202
 no crypto map
 tunnel protection ipsec profile foo

Then route over the tunnel accordingly...instead of using an ACL to match traffic.

Regards,
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net
(blog) http://ccie-security.blogspot.com/
(e) [EMAIL PROTECTED]
(aim/yahoo): luancnc

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bob Tinkelman
Sent: Wednesday, November 05, 2008 5:05 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ipsec over gre with nhrp

I'm doing something that I thought I'd done before, but am running into problems and need a sanity check.

I have 2 customer site routers, each configured for main access via T1 and backup Internet access via a cable-modem service with a dynamic ip address. They also have an ipsec vpn to route internal (192.168/16 and 10/8) nets between the two sites, using crypto maps on the T1 serial ports in the standard way. All that works.

I wanted to provide a backup to the ipsec VPN using the cable modem ports, and proceeded as follows:

o I configured a multi-point tunnel with both customer sites using nhrp to connect to one of my routers. [This works. The routers can ping each other over the tunnel.] This was done because otherwise the routers, each with a dynamic ip address, would have trouble finding each other.

o I mimic'd the ipsec vpn on the T1 serial interfaces, building a similar one on the tunnel interfaces. [This didn't work, and it's pretty clear why.]

Here are the relevant portions of the config. [I'm willing to share more, but wanted to keep this post manageable.]
Interface housing the cable-modem:

| CT-gw#sho run int fa0/1
| Building configuration...
|
| Current configuration : 186 bytes
| !
| interface FastEthernet0/1
|  description Cable modem connection
|  ip address dhcp
|  ip access-group from-cablemodem in
|  ip nat outside
|  ip virtual-reassembly
|  duplex auto
|  speed auto
| end
| CT-gw#

The address dhcp-assigned by the carrier:

| CT-gw#sho int fa0/1 | inc Internet address
|   Internet address is 192.168.1.64/24
| CT-gw#

The tunnel interface:

| CT-gw#sho run int t202
| Building configuration...
|
| Current configuration : 729 bytes
| !
| interface Tunnel202
|  description Dynamic multi-point ISPnet-customer tunnel
|  bandwidth 1000
|  ip address 69.48.189.23 255.255.255.0
|  ip access-group from-world in
|  no ip redirects
|  ip mtu 1416
|  ip nat inside
|  ip nhrp authentication redacted
|  ip nhrp map multicast 165.254.97.2
|  ip nhrp map multicast 165.254.147.2
|  ip nhrp map 69.48.189.1 165.254.97.2
|  ip nhrp map 69.48.189.2 165.254.147.2
|  ip nhrp network-id redacted
|  ip nhrp holdtime 300
|  ip nhrp nhs 69.48.189.1
|  ip nhrp nhs 69.48.189.2
|  ip nhrp server-only
|  ip virtual-reassembly
|  no ip route-cache cef
|  no ip route-cache
|  no ip mroute-cache
|  delay 1000
|  tunnel source FastEthernet0/1
|  tunnel mode gre multipoint
|  tunnel key redacted
|  crypto map CLINTON-TU-202-MAP
| end
| CT-gw#

The tunnel is working:

| CT-gw#ping 69.48.189.24
|
| Type escape sequence to abort.
| Sending 5, 100-byte ICMP Echos to 69.48.189.24, timeout is 2 seconds:
| !
| Success rate is 100 percent (5/5), round-trip min/avg/max = 140/141/144 ms
| CT-gw#
| CT-gw#tr 69.48.189.24
|
| Type escape sequence to abort.
| Tracing the route to tu-202.fl-gw.cngrp.com (69.48.189.24)
|
|   1 tu-202.gw1.nycmnycz.ispnetinc.net (69.48.189.1) 28 msec 28 msec 28 msec
|   2 tu-202.fl-gw.cngrp.com (69.48.189.24) 136 msec * 136 msec
| CT-gw#

The crypto map is defined like this:

| CT-gw#sho run | begin crypto map CLINTON-TU-202-MAP
| crypto map CLINTON-TU-202-MAP local-address Tunnel202
| crypto map CLINTON-TU-202-MAP 1 ipsec-isakmp
|  set peer 69.48.189.24
|  set transform-set TRANSFORM-SET-FL
|  match address CT-inside-to-FL-inside
| !

But it's not working. It looks like it's using the wrong ip address for the local address of the crypto map. It's using the dhcp-assigned address of Fa0/1, when I'd thought it should be using the address of Tu202.

| CT-gw#sho crypto map int t202
| Crypto Map: CLINTON-TU-202-MAP idb: Tunnel202 local address: 192.168.1.64
|
| Crypto Map CLINTON-TU-202-MAP 1 ipsec-isakmp
|  Peer = 69.48.189.24
|  Extended IP access list CT-inside-to-FL-inside
|   access-list CT-inside-to-FL-inside permit ip
Re: [c-nsp] HWIC-3G-* experience?
We've been having good results with Verizon. A couple of months ago, they got EVDO backup to Internet and MPLS as well, for VPN products, and are in the process of making the backend systems ready to roll out. No permanent IP yet, and the IPs are from Verizon Wireless. So, even though they might say it's directly from the MPLS cloud, they still have to route around and around in their networks, since Internet and MPLS are from Verizon Business.

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Derick Winkworth
Sent: Tuesday, November 04, 2008 6:39 AM
To: Seth Mattinen
Cc: cisco-nsp
Subject: Re: [c-nsp] HWIC-3G-* experience?

(1) We've had good experience with this. Decent throughput, but a high amount of jitter/latency. It's just another internet access method at this point... it works fine. Really it's about the carrier...

(2) Cables and antennas as needed for getting the signal required can be expensive if you go through the wrong channels (like Cisco... don't do it!)

(3) Sprint has a flat-rate plan that's 100 bucks or so for unlimited usage. They offer great deals on cables and antennas. They also do free site-surveys; no one else we talked to does that.

(4) ATT. Variable bill rates. ATT can work something out through their account reps where you will never be charged more than a certain amount every month, but it's supposed to be for backup only, so if you use it frequently... you can go through your sales rep to make sure you don't get locked out or whatever. Right now, they offer a service to back up MPLS circuits, but they manage the endpoint at your site... this is their ANIRA product. You configure VRRP on your router and they configure it on theirs. You configure whatever tracking you want so that when a failure occurs, ATT's ANIRA router takes over and gets you back to the cloud (through the internet though)...

(5) Verizon. No variable billing. The best throughput with dual antennas. They also offer internet-to-MPLS backup like ATT and Sprint, but you get to manage the endpoint.

(6) There is no direct-to-VRF type MPLS backup at this time, but all three carriers are rolling it out from what I understand. When this occurs, the card will come up direct to the MPLS cloud. Until then, it's a VPN tunnel to somewhere over the internet. Permanent IP is available. Some of them can create private subnets on the internet for you... you get a public IP in a /27 or something and it can only talk to other IPs in that /27. hmmm...

Seth Mattinen wrote:

Does anyone have any experience with the HWIC-3G-* cards in real life? I'm considering emergency access plans using these as opposed to traditional methods, and I'd be interested in any success or horror stories before jumping in.

~Seth

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Order-of-operations question about adjust-mss and crypto...
The MSS tells the maximum data a host will accept in a TCP/IP datagram. Each side reports the value to the other side and the sending side will abide by it. It's all before encryption. So typically, like you said, people put ip tcp adjust-mss 1360 on the group member LAN interface and also set ip mtu 1400 on the WAN side, hoping for PMTUD to work its magic. Putting both on the WAN interface should work as well, though I don't quite understand the "backside is MPLS" statement :)...the packet has to be originated from somewhere.

There's a very good paper here on fragmentation:
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml#t3

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net
(blog) http://ccie-security.blogspot.com/
(e) [EMAIL PROTECTED]
(aim/yahoo): luancnc

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Derick Winkworth
Sent: Friday, October 31, 2008 11:52 AM
To: Rodney Dunn
Cc: cisco-nsp@puck.nether.net
Subject: [c-nsp] Order-of-operations question about adjust-mss and crypto...

If you apply the ip tcp adjust-mss command on an interface that has a crypto statement on it...

Does it perform the MSS adjustment on outbound packets before they are encrypted?
Does it perform the MSS adjustment on inbound packets after they are decrypted?

I know that this is typically placed on a tunnel interface or, for instance, on an ethernet interface of a remote VPN site or something... but I have a case where we have many GET encrypted sub-interfaces (each in their own VRF) which are the only logical IP interfaces on the box. The backside is MPLS so there is no place to put the statement there... so I was just going to apply it to the interfaces where the crypto maps are... not sure if this will work. I'll probably have to lab it up, I'm guessing.
Derick
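An added example, not from either poster: Python that does what ip tcp adjust-mss does to a clear-text SYN before it reaches the crypto engine, with the MTU-to-MSS arithmetic behind the 1400/1360 pairing above. The addresses, ports and packet bytes are constructed sample values.

```python
"""MSS clamping as `ip tcp adjust-mss` performs it, on a constructed SYN.

Added example (not from the mailing-list thread).  The MTU/MSS arithmetic
and the SYN/checksum handling are standard TCP/IP; the addresses, ports and
packet contents below are constructed sample values.
"""
import socket
import struct

IP_HDR = 20   # IPv4 header without options
TCP_HDR = 20  # TCP header without options


def mss_for_mtu(ip_mtu: int) -> int:
    """MSS that lets a full-size segment fit in `ip_mtu` bytes of IPv4.

    This is the arithmetic behind "ip mtu 1400" paired with
    "ip tcp adjust-mss 1360": 1400 - 20 (IP) - 20 (TCP) = 1360.
    """
    return ip_mtu - IP_HDR - TCP_HDR


def ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over `data`, returned as a 16-bit value."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, tcp: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the TCP segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    return ones_complement_sum(pseudo + tcp)


def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int, mss: int) -> bytes:
    """Constructed IPv4 SYN carrying one MSS option (kind 2, length 4)."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    opts = struct.pack("!BBH", 2, 4, mss)
    doff = (TCP_HDR + len(opts)) // 4             # header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, doff << 4,
                      0x02, 65535, 0, 0) + opts   # flags 0x02 = SYN, checksum 0
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR + len(tcp), 0x1234,
                     0x4000, 64, socket.IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return ip + tcp


def tcp_checksum_ok(packet: bytes) -> bool:
    """True if the TCP checksum of an IPv4/TCP packet verifies."""
    ihl = (packet[0] & 0x0F) * 4
    return tcp_checksum(packet[12:16], packet[16:20], packet[ihl:]) == 0


def clamp_mss(packet: bytes, max_mss: int):
    """Rewrite the MSS option of a SYN if it exceeds `max_mss`.

    Returns (packet, mss_now): the MSS the segment carries after the call,
    or None when the packet is not a SYN with an MSS option.  The router
    does this on the clear-text packet, before encryption, and recomputes
    the TCP checksum so the peer still accepts the segment.
    """
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != socket.IPPROTO_TCP:
        return packet, None
    tcp = bytearray(packet[ihl:])
    doff = (tcp[12] >> 4) * 4
    if not tcp[13] & 0x02:        # MSS is only negotiated on SYN segments
        return packet, None
    mss_now = None
    i = TCP_HDR
    while i < doff:               # walk the TCP options
        kind = tcp[i]
        if kind == 0:             # end of option list
            break
        if kind == 1:             # NOP padding
            i += 1
            continue
        if i + 1 >= doff or tcp[i + 1] < 2 or i + tcp[i + 1] > doff:
            break                 # malformed option length: stop parsing
        length = tcp[i + 1]
        if kind == 2 and length == 4:
            mss_now = struct.unpack_from("!H", tcp, i + 2)[0]
            if mss_now > max_mss:
                struct.pack_into("!H", tcp, i + 2, max_mss)
                mss_now = max_mss
        i += length
    if mss_now is None:
        return packet, None
    tcp[16:18] = b"\x00\x00"      # zero the checksum field before recomputing
    struct.pack_into("!H", tcp, 16,
                     tcp_checksum(packet[12:16], packet[16:20], bytes(tcp)))
    return packet[:ihl] + bytes(tcp), mss_now


if __name__ == "__main__":
    syn = build_syn("192.0.2.10", "198.51.100.20", 40000, 443, 1460)
    clamped, mss = clamp_mss(syn, mss_for_mtu(1400))
    print("MSS after clamp:", mss, "checksum ok:", tcp_checksum_ok(clamped))
```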
Re: [c-nsp] ctr+break sequence and Cisco 3500
http://www.cisco.com/en/US/products/hw/switches/ps628/products_password_recovery09186a0080094184.shtml

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net
(e) [EMAIL PROTECTED]
(aim/yahoo): luancnc

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of snort bsd
Sent: Tuesday, October 28, 2008 8:24 PM
To: cisco-nsp
Subject: [c-nsp] ctr+break sequence and Cisco 3500

Hi all:

I might not have done it hundreds of times, but I certainly did it a lot of times. But not this time. I'm trying to break into a Cisco 3550 since the password was lost. I tried the ctrl+break sequence but it's not working for me; it just reboots back to normal working status. Then I just tried ctrl+b and that's not working either. I checked the Cisco web page and I don't see anything special. Did I miss something here, or does this Cisco 3550 have something special for password recovery?

Thanks
Re: [c-nsp] OK, what is a cheap and dirty hack to test a port
Is it a Verizon circuit? We have a T1 circuit with Verizon and have the same problem. We have a point to point circuit, so one side has clocking set to internal to provide the clocking and the other side feeds from the line. I wrote the problem up at http://ccie-security.blogspot.com/

But basically, it will be up for some hours then down, then I call them to test and it's good again. Sometimes it's good just by unplugging the cable and plugging it back. Like you, we changed everything and that didn't help. Finally, we talked to a knowledgeable Verizon tester and he mentioned the rate on the line is ~17, which is high. It should be around 0 or negative. He said that's because of mismatched clocking between our hardware and the central office crossover equipment. The normal tester won't look at this, they only do the loopback pattern testing, so you should ask them about the rate of your line. They swapped one smart jack, but that didn't help, so they will swap the other today. Hopefully that will do it.

Good information here about troubleshooting T1:
http://www.informit.com/library/content.aspx?b=Troubleshooting_Remote_Access&seqNum=61

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ted Mittelstaedt
Sent: Wednesday, October 15, 2008 7:31 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] OK, what is a cheap and dirty hack to test a port

Hi All,

I have an 8 port PA-8T serial card in a router. The card has an octopus cable that is plugged into a rack of card DSUs. Most of the DSUs have T1s into them. One T1 has developed a problem where it runs for a few hours and then the router serial interface it is on goes down. When it's down, from the carrier side the carrier can issue a loop command to the CSU on the port, and the CSU will loop up, and the carrier can run patterns on it all day long just fine.

I have replaced both the 8 port card and the DSU card in the rack on that specific port with no change. If I momentarily flip the loopback switch on the DSU to throw a loop towards the carrier, facing away from the router, when the switch returns the router port enables and the T1 runs for a few more hours just fine. I didn't believe this when I first saw it, but I've done it several times since. I actually don't think the looping has anything to do with anything though - if I pull the DSU card and replace it, the circuit comes back up also.

So I went and moved the T1 to another DSU and port on the router and inserted a physical loopback plug into the problem DSU network port. The router port of course sees this as a looped port now.

My question: is there a way I can configure the router port so that I can throw a massive amount of (bogus, naturally) traffic to it, and the traffic will go out the port, through the DSU, loop back through the hard loopback plug, then come back into the router and go into the bit bucket? If I simply assign something like IP 127.0.0.5/30 to the port and throw a ton of traffic to 127.0.0.6, will the packets actually go out the port? Or will the router see that the port is looped and just discard the traffic?

Ted
Re: [c-nsp] OK, what is a cheap and dirty hack to test a port
It's on fiber. I asked if we could get network timing from them, but they said no, not on this type of circuit. Also, this circuit has been working for years with the same setting :)

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roy
Sent: Wednesday, October 15, 2008 10:36 AM
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] OK, what is a cheap and dirty hack to test a port

Just because it's a point to point circuit doesn't mean one side has to have internal clocking. This is only true if the circuit is copper all the way. There are lots of reasons that the telco would have its own equipment installed on the circuit and you would need network timing.

Roy

Luan Nguyen wrote:

Is it a Verizon circuit? We have a T1 circuit with Verizon and have the same problem. We have a point to point circuit, so one side has clocking set to internal to provide the clocking and the other side feeds from the line. I wrote the problem up at http://ccie-security.blogspot.com/

But basically, it will be up for some hours then down, then I call them to test and it's good again. Sometimes it's good just by unplugging the cable and plugging it back. Like you, we changed everything and that didn't help. Finally, we talked to a knowledgeable Verizon tester and he mentioned the rate on the line is ~17, which is high. It should be around 0 or negative. He said that's because of mismatched clocking between our hardware and the central office crossover equipment. The normal tester won't look at this, they only do the loopback pattern testing, so you should ask them about the rate of your line. They swapped one smart jack, but that didn't help, so they will swap the other today. Hopefully that will do it.

Good information here about troubleshooting T1:
http://www.informit.com/library/content.aspx?b=Troubleshooting_Remote_Access&seqNum=61

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net
...
Re: [c-nsp] OK, what is a cheap and dirty hack to test a port
They claimed they don't provide clocking on point to point circuits...not even for testing's sake! We did play around with both sides getting network timing, with switching the side providing clocking, with both going internal...etc, but nothing worked. It only works for some hours after they break in the circuit for testing.

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lamar Owen
Sent: Wednesday, October 15, 2008 10:37 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] OK, what is a cheap and dirty hack to test a port

On Wednesday 15 October 2008 10:22:17 Luan Nguyen wrote:

Is it a Verizon circuit? We have a T1 circuit with Verizon and have the same problem. We have a point to point circuit, so one side has clocking set to internal to provide the clocking and the other side feeds from the line.

Have you tried setting the clock to line on the side where you have the clock set to internal? Some point to point T1's still need both CPEs to have clock set to line. I don't have a point to point T1, but I do have a point to point OC3, and in that case clock must be set to line on both ends, as the network provides the clock.

--
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
http://www.pari.edu
Re: [c-nsp] OK, what is a cheap and dirty hack to test a port
Paul,

Thanks. We do have one side set to internal and the other to line and did forget about it for years. I believe one side of our circuit is encapsulated in a DS3, since one tester said they couldn't loop since they had to loop the whole DS3. The other side must be just a regular T1, and they are cross-connected by the DACS at the central office. Verizon said they have to be in sync. Something must have happened for them to be out of sync after all these years.

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-Original Message-
From: Paul G. Timmins [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 15, 2008 12:03 PM
To: Luan Nguyen; Roy
Cc: cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] OK, what is a cheap and dirty hack to test a port

Most modern SONET gear does not provide clocking to individual DS1s running over it. The only reason clocking ever existed on point to point circuits was that the older gear couldn't avoid being an active participant in the circuit. It's possible the carrier you're using has upgraded the equipment, and where it was once providing the clocking (which it couldn't avoid previously), it's now on gear that can act indistinguishably from a straight piece of wire (of course, it has to follow T1 line encoding and framing, but beyond that..). I've seen this plenty over the last 5 years as carriers upgrade and roll DS3s onto newer gear. One night, the clocking gets funky, and you have to enable clock, which was causing problems before, but now works fine. (Of course, we don't feel it as much, because we are syncing our gear off the BITS in our CO, so we'd be in sync with the ILEC whether we provide clocking or not, so we just provide clocking on our end of all loops, and slave the customer sites.)

It's also possible for two devices set to clock off line to work for a while, without anyone providing external clock. Since there's not really a clock signal per se, but just a directive that says whether your internal source is authoritative, or whether you should be sending your own frames in sync with the frames you're getting off the line, both devices can feed off of each other (a device without line clock will fall back to internal clock, and start sending frames. The other device will see the clock signal on the line, and sync with it. Then the original device sees the framing on the line, and syncs with that. The devices then sync off whatever each other are sending. Because this isn't precise (but can be precise enough), it's possible for the line to work for a while like that, until power blips, line hits, or random cosmic noise cause the whole thing to fall apart).

Anyway, the network has to actively participate in the circuit to provide clock, and the field has been running away from this for years. Set one side to line clock, and one to internal, and forget it. It's a single line of config. :)

-Paul

PS: I'm using the term "providing clock" because that's what we're calling it in this thread. The way you should actually think about it, though, is using your own clock reference, or using the reference coming from the line. In the PSTN world, everyone provides clock (uses their own clock reference) and you don't trust the line clock from anywhere. Because your clock references are in sync with each other (because you're syncing off a cesium reference, using GPS, or CDMA, or you have a BITS T1 from the local LEC, or some combination of those) everything works flawlessly (insofar as that's possible in real life). CPE aren't expected to have their own stratum 1 reference clock, so they just trust the line signal. If you're connecting CPE to CPE, you're going to have to provide your own reference clock, and it doesn't have to be stratum 1 since you're not interfacing with anyone else (unless you're passing through some real old DACS or mux gear that actively participates in the circuit, rather than just encapsulating it in a DS3 and sending it on its way through the network); it doesn't have to be in sync.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Luan Nguyen
Sent: Wednesday, October 15, 2008 10:51 AM
To: 'Roy'
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] OK, what is a cheap and dirty hack to test a port

It's on fiber. I asked if we could get network timing from them, but they said no, not on this type of circuit. Also, this circuit has been working for years with the same setting :)

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roy
Sent: Wednesday, October 15, 2008 10:36 AM
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] OK, what is a cheap and dirty hack to test a port

Just because it's a point to point circuit doesn't mean one side has to have internal clocking. This is only true if the circuit is copper all the way. There are lots of reasons
Re: [c-nsp] OK, what is a cheap and dirty hack to test a port
-Original Message-
From: Ted Mittelstaedt [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 15, 2008 12:01 PM
To: Luan Nguyen; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] OK, what is a cheap and dirty hack to test a port

-Original Message-
From: Luan Nguyen [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 15, 2008 7:22 AM
To: 'Ted Mittelstaedt'; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] OK, what is a cheap and dirty hack to test a port

Is it a Verizon circuit? We have a T1 circuit with Verizon and have the same problem. We have a point to point circuit, so one side has clocking set to internal to provide the clocking and the other side feeds from the line. I wrote the problem up at http://ccie-security.blogspot.com/

But basically, it will be up for some hours then down, then I call them to test and it's good again. Sometimes it's good just by unplugging the cable and plugging it back. Like you, we changed everything and that didn't help. Finally, we talked to a knowledgeable Verizon tester and he mentioned the rate on the line is ~17, which is high. It should be around 0 or negative. He said that's because of mismatched clocking between our hardware and the central office crossover equipment.

Luan,

We have several spans going through Verizon. One thing I have found is that Verizon uses different makes and models of NIUs at the remote sites. The newest make and model of NIU they use (I have it documented somewhere but I cannot find it) is not compatible with certain makes and models of CSU/DSUs. I found that out with one of our customer spans that was the first span delivered through one of these newer NIUs. We fortunately never standardized on DSU/CSUs (I get them off Ebay nowadays for cents on the dollar) and I have always favored use of -external- DSUs coupled to a serial port on the router rather than the integrated Cisco WIC with DSU. So with that span I had 5 different makes and models of DSUs to experiment with.

The problem I believe is that certain DSUs are particular about the frequency of the clock they slave to. If the clock is too far off frequency from what the CSU/DSU thinks it is supposed to be, even if the CSU is set to slave clock from the span, it will slip anyway.

Unfortunately, I wish it were that simple with my own problem. In my instance, the spans are actually going into an M13 mux from the DSU bank (most are, at any rate). So it is a consistent environment on all spans going into the router.

Ted

Ted,

I was also told by one of the techs that their NIU isn't compatible with the VWIC card we have in the router. But our circuit has been working for years. I tested 4 different types of WAN Interface Cards and none worked. Verizon somehow agreed to replace their NIUs at both ends. And that seems to work so far. 3 hours and counting...

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net
Re: [c-nsp] Fwd: NAT in VRF
Yes you can. I used to do that with 2 VRF-Lites on 2 DMVPN tunnels. Platform doesn't make any difference.

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Roberton
Sent: Thursday, October 09, 2008 7:28 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Fwd: NAT in VRF

-- Forwarded message --
From: Gary Roberton [EMAIL PROTECTED]
Date: Wed, Oct 8, 2008 at 10:13 AM
Subject: NAT in VRF
To: cisco-nsp@puck.nether.net

Can someone please confirm for me that you can have the same IP address in different VRFs NATted to different destinations. In other words:

  217.1.1.1 nat to 10.1.1.1 in VRF A
  217.1.1.1 nat to 192.168.1.1 in VRF B

I can't see any reason why not. What about if using VRF-Lite on a 3845, does that make any difference? It's a funny question but I have been asked this and have no access to the kit to prove it working, and I have to have a solid answer.

Thanks.

Gary
Re: [c-nsp] MPLS and IPSEC co-working (reviving an old thread)
You could encrypt the GRE tunnel. Everything traversing the tunnel will get encrypted.

On CORE-DIA-1:

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key cisco address 172.16.0.98
crypto isakmp keepalive 10 4 periodic
!
!
crypto ipsec transform-set TEST esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile foo
 set transform-set TEST
 set pfs group5
!
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 ip mtu 1420
 ip tcp adjust-mss 1436
 mpls ip
 mpls mtu 1508
 keepalive 1 3
 tunnel source FastEthernet0/0
 tunnel destination 172.16.0.98
 tunnel protection ipsec profile foo

Just the reverse on the other side.

You, and the original poster, could do IPSEC encryption between CEs of the MPLS VPN by using GET-VPN (if you don't want to do that encrypted L2TPv3 suggestion :))
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/product_data_sheet0900aecd80582067.html
The CE-to-CE routing remains the same, with added security.

-
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net
-

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christopher Hunt
Sent: Sunday, October 05, 2008 3:01 PM
To: cisco-nsp
Subject: Re: [c-nsp] MPLS and IPSEC co-working (reviving an old thread)

For simplicity's sake let's say that I have 2 7206VXRs running advip-12.4(9)T2. They're in separate cities, each has a direct Internet feed plus a L2 feed between them. Each one is a PE, and running L3VPNs for customers. I use OSPF as an IGP. Everything's working great, but I want to build VPN failover in case the L2 feed between them goes down. Since the backup is a L3 service, MPLSoGRE seems the best option for me. At the same time, I want to encrypt ***at least the customer vrf traffic*** when it uses the L3 MPLSoGRE path. I'm no wiz with IPSec unfortunately and am struggling to understand the process.

I've got the GRE Tunnels up and failing over but can't seem to understand how to encrypt the customer data. See attached configs. Anyone have any pointers?

See http://markmail.org/message/lob467v2oxc6my5x for original thread

onward through the fog,
Christopher Hunt

Original Message
Subject: [c-nsp] MPLS and IPSEC co-working
From: Oliver Boehmer (oboehmer) ([EMAIL PROTECTED])
Date: 08/16/2007 09:31:25 AM
List: net.nether.puck.cisco-nsp

Andris Zarins wrote on Thursday, August 16, 2007 1:44 PM:

Hi,

Network setup is pretty trivial - three routers running MPLS (LDP full-mesh) to support 20+ MPLS VPNs. Tricky part is that the customer is asking to secure that infrastructure by running IPSEC (3DES). As far as I know, I can not run LDP over Tunnel interfaces, and crypto-maps will not help either. The concept of running IPSEC between CPEs doesn't make sense, as there are no CPEs :( Question is - is VRF-Lite plus back-to-back connectivity, like option A for inter-AS MPLS, the only viable option I have, or am I missing something and there are other, more scalable ways to do it?

well, you can run MPLSoGRE at least on SW-based platforms (like the 7200), haven't checked for 6500/7600 or GSR.. You could also use BGP-L3VPN over L2TPv3 and then encrypt the L2TPv3 traffic using crypto-maps.. Not a complete solution, I know..

oli
Re: [c-nsp] SA-VAM2+ usage problem?
On average, the VAM2+ should be able to do ~60Mbps VPN traffic (on a 7206VXR NPEG2).

Maybe try to use IPSEC profile configuration instead of the legacy interface crypto map configuration. And also, try a different IOS. There should be at least a 12.4.15T7 out there I believe.

--
Luan Nguyen
Senior Network Engineer
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net
--

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Nemeth Laszlo
Sent: Tuesday, September 30, 2008 9:55 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] SA-VAM2+ usage problem?

Hello,

I have two 7201 (c7200p-advipservicesk9-mz.124-15.T3.bin) routers with SA-VAM2+ modules. I have a tunnel interface between these routers. If I make ~24Mbit/sec traffic into this tunnel, the routers' CPUs go to 90%. It was the performance without VAM2+ too. So the VAM2+ module isn't used?

Our routers' config is the same, only the IP addresses are different. The Tunnel interface is very important, because I run an OSPF protocol over it.

  vpn0# sh pas vam interface
  VPN Acceleration Module Version II+ in slot : 1
  Statistics for Hardware VPN Module since the last clear of counters 4294967 seconds ago
      988980327 packets in              988980327 packets out
   302199518411 bytes in             318057273220 bytes out
            230 paks/sec in                   230 paks/sec out
            562 Kbits/sec in                  592 Kbits/sec out
              0 pkts compressed                 0 pkts not compressed
              0 bytes before compress           0 bytes after compress
          1.0:1 compression ratio           1.0:1 overall
         526096 commands out               526096 commands acknowledged
  Last 5 minutes:
        2854900 packets in                2854900 packets out
           9516 paks/sec in                  9516 paks/sec out
       24058078 bits/sec in              25240088 bits/sec out

In this last line the 24058078 bit/s traffic is normal, it is the aggregated traffic on my tunnel0 interface. But the 562 Kbit/sec in and 592 Kbits/sec out is too small, I think it should be ~24000 Kbit/sec.

Config:

  crypto isakmp policy 10
   encr 3des
   hash md5
   authentication pre-share
   group 2
  crypto isakmp key abcabc address 192.168.1.1
  !
  crypto ipsec security-association replay window-size 1024
  !
  crypto ipsec transform-set vpn-standard esp-3des esp-sha-hmac
  !
  crypto map vpnmap 20 ipsec-isakmp
   set peer 192.168.1.1
   set transform-set vpn-standard
   match address VPN
  !
  interface Tunnel0
   description VPN0-VPN1
   ip address 10.0.0.1 255.255.255.252
   ip ospf cost 100
   load-interval 30
   keepalive 2 2
   tunnel source 192.168.0.1
   tunnel destination 192.168.1.1
  !
  interface GigabitEthernet0/1.2
   description VPN1
   encapsulation dot1Q 2
   ip address 192.168.0.1
   no ip redirects
   no ip proxy-arp
   ip nat outside
   no ip virtual-reassembly
   crypto map vpnmap
  !
  ip access-list extended VPN
   permit gre host 192.168.0.1 host 192.168.1.1

Any idea?

Thanks!

Regards,
Laszlo
Re: [c-nsp] IP-VPN CE-PE local pref problem
Try changing the route-map to:

  route-map ipvpn_0001 permit 10
   set extcommunity soo 894:1
   set local-preference 90

instead of:

  route-map ipvpn_0001 permit 10
   set extcommunity soo 894:1
  route-map ipvpn_0001 permit 20
   set local-preference 90

Luan

--
Luan Nguyen
Senior Network Engineer
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net
--

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Mark Tech
Sent: Tuesday, September 30, 2008 2:55 PM
To: David Freedman; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] IP-VPN CE-PE local pref problem

Here you go

  PE1#sh ip bgp vpnv4 rd 894:1 5.14.93.0
  BGP routing table entry for 894:1:5.14.93.0/24, version 222
  Paths: (3 available, best #2, table ipvpn_0001)
    Advertised to update-groups:
       1
    65535
      5.14.95.244 (metric 11) from 5.14.95.244 (5.14.95.244)
        Origin IGP, metric 0, localpref 100, valid, internal
        Extended Community: SoO:894:1 RT:894:2
        mpls labels in/out 26/23
    65535
      5.14.93.222 from 5.14.93.222 (5.14.93.253)
        Origin IGP, metric 0, localpref 100, valid, external, best
        Extended Community: SoO:894:1 RT:894:2
        mpls labels in/out 26/nolabel
    65535, (received-only)
      5.14.93.222 from 5.14.93.222 (5.14.93.253)
        Origin IGP, metric 0, localpref 100, valid, external
        mpls labels in/out 26/nolabel

  PE2#sh ip bgp vpnv4 rd 894:1 5.14.93.0
  BGP routing table entry for 894:1:5.14.93.0/24, version 237
  Paths: (3 available, best #1, table ipvpn_0001)
    Advertised to update-groups:
       1
    65535
      5.14.93.226 from 5.14.93.226 (5.14.93.254)
        Origin IGP, metric 0, localpref 100, valid, external, best
        Extended Community: SoO:894:1 RT:894:2
        mpls labels in/out 23/nolabel
    65535, (received-only)
      5.14.93.226 from 5.14.93.226 (5.14.93.254)
        Origin IGP, metric 0, localpref 100, valid, external
        mpls labels in/out 23/nolabel
    65535
      5.14.95.243 (metric 11) from 5.14.95.243 (5.14.95.243)
        Origin IGP, metric 0, localpref 100, valid, internal
        Extended Community: SoO:894:1 RT:894:2
        mpls labels in/out 23/26

inbound route-map from CE2 to PE2

  route-map ipvpn_0001 permit 10
   set extcommunity soo 894:1
  route-map ipvpn_0001 permit 20
   set local-preference 90
  !

----- Original Message -----
From: David Freedman
To: cisco-nsp@puck.nether.net
Sent: Tuesday, September 30, 2008 5:51:55 PM
Subject: Re: [c-nsp] IP-VPN CE-PE local pref problem

can you post

  show ip bgp vpnv4 rd <rd> x.x.x.x/y

from both PEs ? for the prefix in question?

Dave

Mark Tech wrote:
> Hi
>
> I have set up a dual homed IP-VPN network between 2 PE's and 2 CE's using SoO - that's all working fine. I have added an inbound route-map to the 'backup' PE and CE to reduce the local preference in order to make the other PE and CE the preferred gateways.
>
>   CE1----PE1  primary
>    |      |
>   CE2----PE2  backup
>
> The CE local pref works fine, however on the PE side, local pref doesn't seem to have any effect, i.e. I have reduced the local pref to 90 on the backup link, however if I check the routing in the backup PE, nothing seems to have changed.
>
> Can I just check that local pref actually works across an MP-BGP environment? If so I must be doing something wrong
>
> Regards
> Mark
Re: [c-nsp] SA-VAM2+ usage problem?
Oh yeah, fragmentation definitely is problematic: when a packet has to be split into two fragments to accommodate a smaller interface MTU and one of these fragment packets is large enough that it needs to be fragmented again after it has been encrypted, the IPSec peer has to reassemble this packet before decryption. This double fragmentation increases latency and lowers throughput. Also, reassembly is process-switched, so there is a CPU hit on the receiving router whenever this happens.

I usually put ip mtu 1420 on the tunnel interface to compensate for GRE + IPSEC tunnel mode, and that seems to work great. But one of my senior engineers, Marty, told me that ip tcp adjust-mss works better because it also compensates when the host implements PMTUD (sets DF) but then ignores the ICMP packet-too-big response from the router. And only the TCP SYN packets have to be modified, not every packet.

Moreover, you don't have to worry much about UDP-based apps since almost all of them always select a segment size much smaller than a 1500 MTU. The old default was 512 bytes (576 IP packet). Some apps improve throughput by upping that to 1024 bytes. The byte sizes are true for TCP as well.

The smaller the packet size you go, the worse throughput gets. If your traffic is around 100 - 200 bytes or less, you are lucky to get 20Mbps at 90% CPU :)

Luan

--
Luan Nguyen
Senior Network Engineer
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net
--

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Peter Rathlev
Sent: Tuesday, September 30, 2008 2:07 PM
To: Nemeth Laszlo
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] SA-VAM2+ usage problem?

Hi Laszlo,

On Tue, 2008-09-30 at 15:55 +0200, Nemeth Laszlo wrote:
> I have two 7201 (c7200p-advipservicesk9-mz.124-15.T3.bin) routers with SA-VAM2+ modules. I have a tunnel interface between these routers. If I make ~24Mbit/sec traffic into this tunnel, the routers' CPUs go to 90%. It was the performance without VAM2+ too. So the VAM2+ module isn't used?

We currently have a NPE-G1 with SA-VAM2 (not +) doing more or less the same thing, and it uses ~20% CPU doing about 20 mbit/s through the tunnel. As far as I can see it's 50/50 interrupt and process routing, probably the GRE part that's handled in the slow path. I'm not sure, but a GRE configuration like this and CEF might not be best friends.

When you send the 24mbit/s traffic, what does your show cpu say? The 7201 should be an NPE-G2, so you shouldn't get worse results than the above. We use 12.4 mainline (IP IPSEC 3DES) by the way, that may make a difference.

> Our routers' config is the same, only the IP addresses are different. The Tunnel interface is very important, because I run an OSPF protocol over it.
>
>   vpn0# sh pas vam interface
>   VPN Acceleration Module Version II+ in slot : 1
>   Statistics for Hardware VPN Module since the last clear of counters 4294967 seconds ago
>       988980327 packets in              988980327 packets out
>    302199518411 bytes in             318057273220 bytes out
>             230 paks/sec in                   230 paks/sec out
>             562 Kbits/sec in                  592 Kbits/sec out
>               0 pkts compressed                 0 pkts not compressed
>               0 bytes before compress           0 bytes after compress
>           1.0:1 compression ratio           1.0:1 overall
>          526096 commands out               526096 commands acknowledged
>   Last 5 minutes:
>         2854900 packets in                2854900 packets out
>            9516 paks/sec in                  9516 paks/sec out
>        24058078 bits/sec in              25240088 bits/sec out
>
> In this last line the 24058078 bit/s traffic is normal, it is the aggregated traffic on my tunnel0 interface. But the 562 Kbit/sec in and 592 Kbits/sec out is too small, I think it should be ~24000 Kbit/sec.

I think the small numbers are the averages since you last cleared counters. Are they still too small?

>   interface Tunnel0
>    description VPN0-VPN1
>    ip address 10.0.0.1 255.255.255.252
>    ip ospf cost 100
>    load-interval 30
>    keepalive 2 2
>    tunnel source 192.168.0.1
>    tunnel destination 192.168.1.1
>   !
>   interface GigabitEthernet0/1.2
>    description VPN1
>    encapsulation dot1Q 2
>    ip address 192.168.0.1
>    no ip redirects
>    no ip proxy-arp
>    ip nat outside
>    no ip virtual-reassembly
>    crypto map vpnmap
>   !

Fragmentation could be problematic too, so we use ip tcp adjust-mss on both the inside interface and the tunnel interface to compensate for the GRE + IPSec overhead.

Regards,
Peter
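The arithmetic behind the "ip mtu 1420" and "ip tcp adjust-mss" advice in this thread, and behind the GRE tunnel config in the MPLS/IPsec thread above, as an added example in Python (not code from the list or from Cisco): it sizes a GRE-encapsulated packet after ESP, finds the largest tunnel ip mtu that still fits the link after encryption (so no second, post-encryption fragmentation happens), and checks whether an adjust-mss value fits that MTU. The transform sets are the ones quoted in these threads (3DES or AES with esp-sha-hmac); a 1500-byte physical MTU, a plain GRE header and no NAT-T are assumptions.

```python
"""GRE over IPsec size budget (added example, not code from the thread).
Computes how large an inner packet becomes after GRE encapsulation and ESP
protection, the largest tunnel 'ip mtu' that avoids post-encryption
fragmentation, and the matching 'ip tcp adjust-mss'. Header sizes follow
RFC 2784 (GRE), RFC 4303 (ESP), RFC 2451/3602 (3DES-CBC/AES-CBC IVs) and
RFC 2404 (HMAC-SHA1-96). Assumed: no GRE key/sequence options, no NAT-T."""
from dataclasses import dataclass

IPV4_HDR = 20
TCP_HDR = 20
GRE_HDR = 4            # GRE header with no optional fields
ESP_SPI_SEQ = 8        # SPI + sequence number
ESP_TRAILER = 2        # pad length + next header
ESP_ICV = 12           # HMAC-SHA1-96 authenticator (esp-sha-hmac)

# cipher -> (block size, IV length) in bytes, for the transform sets in the threads
CIPHERS = {"3des": (8, 8), "aes": (16, 16)}


@dataclass(frozen=True)
class IpsecParams:
    cipher: str = "3des"
    mode: str = "tunnel"   # "tunnel" also encrypts the GRE delivery header


def wire_size(inner_len: int, p: IpsecParams) -> int:
    """Bytes on the physical link for one inner IP packet of inner_len bytes
    after GRE encapsulation and ESP."""
    block, iv = CIPHERS[p.cipher]
    if p.mode == "tunnel":
        plaintext = IPV4_HDR + GRE_HDR + inner_len   # whole GRE packet is protected
    elif p.mode == "transport":
        plaintext = GRE_HDR + inner_len              # delivery IP header stays outside
    else:
        raise ValueError(p.mode)
    to_encrypt = plaintext + ESP_TRAILER
    pad = (-to_encrypt) % block                      # CBC pads to a whole block
    # exactly one cleartext IPv4 header in either mode: a new outer header
    # (tunnel) or the GRE delivery header itself (transport)
    return IPV4_HDR + ESP_SPI_SEQ + iv + to_encrypt + pad + ESP_ICV


def max_inner_mtu(phys_mtu: int, p: IpsecParams) -> int:
    """Largest tunnel 'ip mtu' whose packets still fit the physical MTU after
    encryption: above it the encrypted packet itself would be fragmented."""
    for inner in range(phys_mtu, 0, -1):
        if wire_size(inner, p) <= phys_mtu:
            return inner
    raise ValueError("physical MTU too small for any payload")


def adjust_mss_for(ip_mtu: int) -> int:
    """MSS that makes a full TCP segment fit the tunnel 'ip mtu'."""
    return ip_mtu - IPV4_HDR - TCP_HDR


def mss_fits(ip_mtu: int, mss: int) -> bool:
    """True if 'ip tcp adjust-mss <mss>' cannot produce a segment larger than 'ip mtu'."""
    return mss + IPV4_HDR + TCP_HDR <= ip_mtu


def plan(phys_mtu: int, p: IpsecParams) -> dict:
    """ip mtu / adjust-mss pair for one transform set and physical MTU."""
    mtu = max_inner_mtu(phys_mtu, p)
    return {"ip_mtu": mtu, "adjust_mss": adjust_mss_for(mtu),
            "wire_size_at_mtu": wire_size(mtu, p)}


if __name__ == "__main__":
    for p in (IpsecParams("3des", "tunnel"), IpsecParams("aes", "tunnel"),
              IpsecParams("aes", "transport")):
        print(p, plan(1500, p))
    # the values from the configs in these threads, checked against the budget
    print("ip mtu 1420, 3des tunnel ->", wire_size(1420, IpsecParams()), "bytes on the wire")
    print("adjust-mss 1436 fits ip mtu 1420:", mss_fits(1420, 1436))
```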
Re: [c-nsp] Propagating a default route...
Perhaps set a static route for xx.xx.xx.xx (where you get your default route) in your server?

--
Luan Nguyen
Senior Network Engineer
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net
--

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Jeff Kell
Sent: Tuesday, September 30, 2008 3:56 PM
To: cisco-nsp
Subject: [c-nsp] Propagating a default route...

Having an issue with BGP... I have a border router that can't do full feeds (6500/Sup2) so it is taking partials (upstream customers). I am trying to make decisions on which upstream to use as a default route.

For traffic shaping purposes, I have a server that acts as an eBGP peer to get the path information to different destinations. With the path information, I can look at the AS path for the destination and determine which upstream is the BGP-preferred peer. This works great when I have the paths, but I need the current default to trickle down to the shaping server.

If I do a straightforward

  bgp peer x.x.x.x default-originate

then the server gets a default with MY AS number, which is not what I want. I want the currently selected default upstream's AS. The border router is getting a default from the upstreams, and the route shows up properly with the upstream AS path:

     Network          Next Hop            Metric LocPrf Weight Path
  *  0.0.0.0          xx.xx.xx.xx              0             0 i

I want this to propagate down to the shaping server, but it doesn't show up (unchanged if I remove default-originate). I'm not doing any outbound filtering to the shaping server. I'm already doing no synch but it doesn't help. I think I'm missing another bit or two. Ring any bells?

Jeff
Re: [c-nsp] Debugging Cisco VPN Client Software ... Is it even possible ?
Usually I find that the client VPN log along with the Concentrator log are enough. You could try to use Wireshark on the client machine for more detailed information.

Luan

--
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Wilkinson, Alex
Sent: Tuesday, September 23, 2008 8:27 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Debugging Cisco VPN Client Software ... Is it even possible ?

Hi all,

From the _client_ perspective can anyone recommend any tools/techniques to debug Cisco VPN client problems ? (they drive me mad). These are mostly Windows based clients connecting to a cisco vpn concentrator.

I tend to trawl through event logs and client vpn logs and really have no real success with debugging. The VPN client really feels like a black box :(

Any hot tips with how to debug VPN clients not being able to connect into a vpn concentrator (from the _client_ perspective) ?

Thanks!

-aW
Re: [c-nsp] GRE over IPSec
Justin,

You could try the following:

  crypto isakmp policy 10
   encr 3des
   authentication pre-share
   group 2
  crypto isakmp key cisco address j.j.j.j
  !
  !
  crypto ipsec transform-set 3dessha esp-3des esp-sha-hmac
  !
  crypto map vpn 10 ipsec-isakmp
   set peer j.j.j.j
   set transform-set 3dessha
   set pfs group1
   match address remote
  !
  ip access-list extended remote
   permit gre host y.y.y.y host z.z.z.z
  !
  interface tunnel0
   ip address x.x.x.x
   tunnel source y.y.y.y
   tunnel destination z.z.z.z
  !
  interface WAN
   ip address y.y.y.y
   crypto map vpn
  !
  router eigrp 1
   network x.x.x.x
   network LAN

Where j.j.j.j is the ASA address and z.z.z.z is your router behind it.

-Luan

--
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Justin Shore
Sent: Friday, September 19, 2008 5:04 PM
To: 'Cisco-nsp'
Subject: [c-nsp] GRE over IPSec

I'm trying to figure out if a router can push a GRE tunnel over top of an IPSec tunnel that's originated on the same router, through an ASA terminating the other end of the IPSec tunnel and to another IOS router behind the ASA. I've seen this done with an ASA at both sites in front of the local router but I've never seen it done with the router originating the IPsec tunnel. Is this possible? Any tips on how to accomplish this?

I'm thinking that the tunnel destination should be the IOS router at the remote site which should also match the ACL for traffic to a given destination (the remote end of the tunnel). I'm not sure what the order of operations would be though so I'm not sure if the GRE tunnel would end up in the IPSec tunnel.

I want to deploy 800-series wifi routers at remote sites (COs, large cabinets, etc) and have them VPN back to our HQ's ASAs and a second backup site. I'd like to run a routing protocol out to them to give them 2 paths into our network over the 2 tunnels, preferably OSPF in this case. My thought was a simple pair of GRE tunnels through the IPSec tunnels.

I could always place an IOS router at the HQ and use it to terminate IPSec-encrypted GRE tunnels. That would add more cost though. I already have one at the backup site though.

Suggestions?

Thanks
Justin
Re: [c-nsp] Cisco NAC
First try Cisco:
http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html

http://cisconac.blogspot.com/

One of my coworker's blogs - he's excellent with NAC deployment:
http://cnc-networksecurity.blogspot.com/

Mailing list:
http://listserv.muohio.edu/scripts/wa.exe?A0=cleanaccess

-Luan

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Steve Fischer
Sent: Tuesday, September 16, 2008 6:29 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco NAC

Does anyone here use the Cisco NAC product? Is there a mailing list of which anyone knows specifically for Cisco NAC? User's group? Online community?

Any assistance in directing me toward any of these resources would be genuinely appreciated.
Re: [c-nsp] Using CA certificates and pre-shared keys on the same box
You could try to configure 2 ISAKMP profiles: one using CA, one using pre-shared. Then configure 2 IPSEC profiles accordingly.

-Luan

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, September 10, 2008 10:07 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Using CA certificates and pre-shared keys on the same box

Hi,

I have a 2851 working as a hub for remote VPN sites using CA certificates. I want to add other remotes which are using pre-shared keys as their authentication method. Is it possible to configure the hub router to support both the CA trustpoint and pre-shared keys?

Kind regards
Nasir Shaikh
[c-nsp] Advertising NAT pool using OSPF on the ASA
Hello,

According to this document:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1042725

If you NAT to a pool of addresses, then this pool of addresses will be advertised to the upstream router automatically. I have the setup:

  Router5---outside-ASA-inside---Router6

running OSPF between ASA and Router5. I just can't get the global pool advertised to Router1 using OSPF. Anyone done this before and know how?

  ASA(config)# show run router ospf
  router ospf 1
   network 10.10.10.1 255.255.255.255 area 0
   network 192.168.1.1 255.255.255.255 area 0
   log-adj-changes
  !

  ASA(config)# show int ip brief
  Interface                  IP-Address      OK? Method Status                Protocol
  GigabitEthernet0/0         192.168.1.1     YES manual up                    up
  GigabitEthernet0/1         172.16.1.1      YES manual up                    up
  GigabitEthernet0/2         unassigned      YES unset  administratively down down
  GigabitEthernet0/3         10.10.10.1      YES manual up                    up
  Management0/0              unassigned      YES unset  administratively down down

  ASA(config)# show run static
  static (inside,outside) 192.168.2.9 172.16.1.9 netmask 255.255.255.255

  ASA(config)# show run global
  global (outside) 1 192.168.2.10-192.168.2.253 netmask 255.255.255.0

  ASA(config)# show run nat
  nat (inside) 1 0.0.0.0 0.0.0.0

  R5#show ip route ospf
       10.0.0.0/24 is subnetted, 3 subnets
  O       10.10.10.0 [110/11] via 192.168.1.1, 00:17:28, GigabitEthernet0/1

  R6#ping 5.5.5.5
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
  .

  R5(config)#
  *Jun 12 15:53:17.675: ICMP: echo reply sent, src 5.5.5.5, dst 192.168.2.10
  *Jun 12 15:53:19.675: ICMP: echo reply sent, src 5.5.5.5, dst 192.168.2.10
  *Jun 12 15:53:21.675: ICMP: echo reply sent, src 5.5.5.5, dst 192.168.2.10
  *Jun 12 15:53:23.675: ICMP: echo reply sent, src 5.5.5.5, dst 192.168.2.10
  *Jun 12 15:53:25.675: ICMP: echo reply sent, src 5.5.5.5, dst 192.168.2.10

  R5#show ip route 192.168.2.0
  % Network not in table

How do I advertise 192.168.2.0/24 to R5 using OSPF?

Thanks.

Luan
http://63.210.18.237/luan/
[c-nsp] Analog Dial backup AND dialin management using the same external modem
Hello,

Anyone using an analog modem connected to an AUX port for dial backup, in case your T1 primary link fails? The hard part is: can you use that modem for dialin to manage your router when not using the dial backup?

Thanks.

Luan Nguyen
http://63.210.18.237/luan/
Re: [c-nsp] ACL making me insane
Established keyword matches on ACK and RST I think. When someone first contacts your webserver, there is nothing established about it I don't think :P

I, as a matter of choice, stay away from established and always allow matching counter flows in the ACL.

-lmn

On Tue, Jun 3, 2008 at 1:58 PM, Enno Rey wrote:
> Hi,
>
> On Tue, Jun 03, 2008 at 01:37:30PM -0400, Luan Nguyen wrote:
> > The problem is when someone contacted your protectedserver, you need to allow the counter flow of that. For example, you need to have:
> >
> >   permit tcp host PROTECTEDSERVER eq 80 any gt 1024
> >
> > so that the web counter flow will work (counter flow of this line: permit tcp any host PROTECTEDSERVER eq 80)
>
> this is not correct as there's the tcp any any established rule which should (and does) permit that.
>
> thanks,
>
> Enno
>
> > -lmn
> >
> > On Tue, Jun 3, 2008 at 1:23 PM, Skeeve Stevens wrote:
> > > Hey all,
> > >
> > > Got an issue with the below ACL. The inbound to the PROTECTEDSERVER is working ok.. port 80 is allowed, RDP from one trusted machine.
> > >
> > > But. on the outbound, with the deny ip any any active (notice the !), the inbound won't work, nor can the server get out.
> > >
> > > What am I missing? Basically what I want to do is deny all, allow only certain things..
> > >
> > > .Skeeve
> > >
> > >   !
> > >   no ip access-list extended FWCUST_XXX_IN
> > >   ip access-list extended FWCUST_XXX_IN
> > >    remark Inbound Firewall rules for XXX Services
> > >    permit tcp any host PROTECTEDSERVER established
> > >    permit tcp host ALLOWEDREMOTE host PROTECTEDSERVER eq 3389
> > >    permit tcp any host PROTECTEDSERVER eq 80
> > >    permit icmp any any
> > >    deny ip any any
> > >   !
> > >   no ip access-list extended FWCUST_XXX_OUT
> > >   ip access-list extended FWCUST_XXX_OUT
> > >    remark Outbound Firewall rules for XXX Services
> > >    permit tcp any any established
> > >    permit tcp PROTECTEDSERVER host SAFEMAIL eq smtp
> > >    permit tcp host PROTECTEDSERVER host SAFEMAIL eq pop3
> > >    permit icmp any any
> > >    permit tcp host PROTECTEDSERVER any eq domain
> > >    permit udp host PROTECTEDSERVER any eq domain
> > >    permit tcp host PROTECTEDSERVER any eq 80
> > >    permit tcp host PROTECTEDSERVER any eq 21
> > >    permit udp host PROTECTEDSERVER any eq 20
> > >    ! deny ip any any
> > >   !
> > >   !
> > >   !
> > >   interface GigabitEthernet0/2.402
> > >    ip access-group FWCUST_XXX_OUT in
> > >    ip access-group FWCUST_XXX_IN out
> > >   !
> > >   end
> > >   !
> > >
> > > --
> > > Skeeve Stevens, RHCE
> > > www.skeeve.org
> > > eintellego - www.eintellego.net
> > > --
> > > I'm a groove licked love child king of the verse
> > > Si vis pacem, para bellum
>
> --
> Enno Rey
> ERNW GmbH - Heidelberg - www.ernw.de
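An added example, not code from the thread: a small Python model of how an extended ACL evaluates TCP segments with the established keyword, using ACEs from Skeeve's posted ACLs and Luan's explicit counter-flow line. It runs a web client's handshake through both directions, then compares what the posted "permit tcp any any established" and the counter-flow ACE let the server send out. PROTECTEDSERVER and ALLOWEDREMOTE stay labels and the client address is constructed.

```python
"""How the IOS ACL 'established' keyword is evaluated (added example; not
code from the thread). 'established' is a per-packet flag test, true for
any TCP segment with ACK or RST set, and keeps no connection state. The
ACEs are taken from Skeeve's posted ACLs and Luan's counter-flow line;
host names stay as labels and every packet is constructed for illustration."""
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = "any"
SERVER, ALLOWEDREMOTE = "PROTECTEDSERVER", "ALLOWEDREMOTE"
CLIENT = "198.51.100.7"   # constructed client address


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags present, e.g. {"SYN", "ACK"}


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src: str = ANY
    dst: str = ANY
    sport: Optional[int] = None     # 'eq' on the source port
    dport: Optional[int] = None     # 'eq' on the destination port
    dport_gt: Optional[int] = None  # 'gt' on the destination port
    established: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src != ANY and self.src != pkt.src:
            return False
        if self.dst != ANY and self.dst != pkt.dst:
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.dport_gt is not None and not pkt.dport > self.dport_gt:
            return False
        # 'established': ACK or RST bit set, nothing more is checked
        if self.established and not (pkt.flags & {"ACK", "RST"}):
            return False
        return True


def evaluate(acl, pkt: Packet) -> str:
    """First matching ACE decides; an ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


# Toward the server (FWCUST_XXX_IN), reduced to the ACEs that matter for web traffic
IN_ACL = [
    Ace("permit", "tcp", dst=SERVER, established=True),
    Ace("permit", "tcp", src=ALLOWEDREMOTE, dst=SERVER, dport=3389),
    Ace("permit", "tcp", dst=SERVER, dport=80),
    Ace("permit", "icmp"),
    Ace("deny", "ip"),
]
# From the server (FWCUST_XXX_OUT) as posted: 'permit tcp any any established'
OUT_ESTABLISHED = [
    Ace("permit", "tcp", established=True),
    Ace("permit", "tcp", src=SERVER, dport=80),
    Ace("deny", "ip"),
]
# Luan's alternative: only the counter flow of the inbound web ACE,
# 'permit tcp host PROTECTEDSERVER eq 80 any gt 1024'
OUT_COUNTERFLOW = [
    Ace("permit", "tcp", src=SERVER, sport=80, dport_gt=1024),
    Ace("permit", "tcp", src=SERVER, dport=80),
    Ace("deny", "ip"),
]


def web_session(out_acl=OUT_ESTABLISHED) -> Tuple[str, str, str]:
    """Decisions for a client's three-way handshake to port 80: the SYN has
    no ACK bit, so only the explicit 'eq 80' ACE admits it; the SYN/ACK and
    the final ACK are what 'established' (or the counter-flow ACE) permits."""
    syn = Packet("tcp", CLIENT, SERVER, 40000, 80, frozenset({"SYN"}))
    synack = Packet("tcp", SERVER, CLIENT, 80, 40000, frozenset({"SYN", "ACK"}))
    ack = Packet("tcp", CLIENT, SERVER, 40000, 80, frozenset({"ACK"}))
    return evaluate(IN_ACL, syn), evaluate(out_acl, synack), evaluate(IN_ACL, ack)


def server_sends(sport: int, dport: int, flags) -> Tuple[str, str]:
    """What the posted OUT ACL and the counter-flow OUT ACL do with a segment
    the server emits from an arbitrary source port (neither tracks sessions)."""
    pkt = Packet("tcp", SERVER, CLIENT, sport, dport, frozenset(flags))
    return evaluate(OUT_ESTABLISHED, pkt), evaluate(OUT_COUNTERFLOW, pkt)


if __name__ == "__main__":
    print("handshake, posted ACLs:      ", web_session())
    print("handshake, counter-flow ACL: ", web_session(OUT_COUNTERFLOW))
    print("server ACK from port 8080:   ", server_sends(8080, 40000, {"ACK"}))
```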
Re: [c-nsp] EIGRP vs BGP route selection
You have to have EIGRP redistributed into BGP as well? Once in the BGP table, locally redistributed routes will have a weight of 32768 which will be preferred over the EBGP weight of 0.

I remember reading over at the Netpro forum and someone said that it's a race condition: EIGRP converges faster and gets there first. You either do the TAC suggestion or you could use a route-map to set things to influence EIGRP redistributed routes to lower priority. But you have to do it though. If you don't do anything and just clear eigrp and the BGP route gets in the routing table, later if that link fails, EIGRP will be in there and won't get out even if the link comes back up.

-lmn

On Thu, May 22, 2008 at 2:21 PM, Uddin, Tahir wrote:
> Hi All,
>
> I am summarizing an issue I am seeing, wondering if anyone might have some input on this.
>
> In the following topology, I have a floating static route (distance 250) redistributed into EIGRP on R1 which sends the redistributed route to R2 which sends it to R3. R4 sees the EIGRP route from R3 and an EBGP route from R4. I would have thought that R3 would pick the EBGP route since EBGP as a protocol has an admin distance of 20 as opposed to the EIGRP admin distance of 170 but I see the EIGRP route in the routing table of R3.
>
> Based on TAC's recommendation, we ended up using a route map that applies a higher weight to the EBGP route to make it more preferable. Shouldn't R3 use the EBGP route by default because it has lower admin distance compared to redistributed EIGRP.
>
>     Static          EIGRP           EIGRP           EBGP
>   10.10.10.0/24 ----R1------------R2------------R3------------R4----10.10.10.0/24
>
> Thanks
Re: [c-nsp] BGP with yourself...
Very interesting. I have a problem with having an ethernet in global doing NAT over a VRF, and the vrf doesn't know how to get to the ethernet LAN segment in the global. I was thinking of just doing:

  ip route vrf whatever 1.1.1.0 255.255.255.0 3.3.3.3 global

where 3.3.3.3 is just some bogus nonexistent address (just to dump the packets destined for 1.1.1.0 out into the global, since you can't put ethernet0 global because you can't do VPN route to a non-point-to-point interface).

I can imagine us using this dynamic route exchanger way when needing to move lots of routes.

-lmn

On Thu, Apr 24, 2008 at 5:19 PM, Asbjorn Hojmark - Lists wrote:
> > Now it's trying to have an iBGP-session with itself,
>
> How strange. Normally it'll complain that it can't peer with itself.
>
> > a thing I normally can't configure. :-)
>
> That actually is possible: Set up two loopbacks, create a tunnel between the loopbacks, and peer over that tunnel with one end of the BGP session in a VRF (vpnv4).
>
> (I did that recently to get routes from the global table into a VRF. It's annoying there's no good way to do that on a single router).
>
> -A
Re: [c-nsp] 2801 bandwidth limiting
I would say you need to use CBWFQ for this. Create an ACL matching everything or whatever interests you going out of your network and assign it to a class-map, then create a policy map:

  policy-map out
   class out
    bandwidth 10M
    shape peak 13M
  interface WAN
   service-policy output out

-lmn

On Thu, Apr 24, 2008 at 6:48 PM, Dan Letkeman wrote:
> Bizarre response. It just so happens that it's a shared connection and there is more than 10 available now, and will be getting 20+ in the future. :)
>
> On Thu, Apr 24, 2008 at 5:23 PM, Adam Armstrong wrote:
> > Dan Letkeman wrote:
> > > Hello,
> > >
> > > We have changed our internet connection over from 4 dsl lines to one connection. We have a 25mbit connection provided by a neighboring company and we have an agreement with them that we will only use 10mbit bursting to 12 or 13mbit. What would I need to do on our 2801 to limit our bandwidth to 10 bursting to 13?
> >
> > What a bizarre arrangement! If you had just taken 10mbit you could have just done speed 10 :)
> >
> > adam.
Re: [c-nsp] BFD state remains in AdminDown
Don't think that 12.4.15T3 has VRF support for BFD. Maybe try 12.2.33SRC (depends on what kind of routers you have). I had a configuration like that and it didn't work for me. Mine isn't a PE-CE kind, so I didn't bother with SRC code.

-lmn

On Wed, Feb 27, 2008 at 11:34 PM, Stephen Fulton [EMAIL PROTECTED] wrote:

> I have BFD configured between two routers, both running 12.4(15)T3. On router A, BFD cycles between INIT and DOWN. On router B, the state remains AdminDown. Here are the configs for both interfaces:
>
> -- snip --
>
> Router A:
>
> interface FastEthernet0/0.1000
>  encapsulation dot1Q 1000
>  ip vrf forwarding CUSTOMER
>  ip address 10.248.1.1 255.255.255.248
>  no ip redirects
>  ip ospf hello-interval 2
>  ip ospf dead-interval 6
>  ip ospf priority 255
>  ip ospf bfd
>  bfd interval 50 min_rx 50 multiplier 5
>  no cdp enable
> end
>
> Router B:
>
> interface FastEthernet0/0
>  bandwidth 1544
>  ip address 10.248.1.2 255.255.255.248
>  no ip redirects
>  ip ospf hello-interval 2
>  ip ospf dead-interval 6
>  ip ospf bfd
>  duplex full
>  speed 10
>  bfd interval 50 min_rx 50 multiplier 5
>  no cdp enable
> end
>
> -- snip --
>
> And here is the output from sh bfd neighbors detail for both:
>
> -- snip --
>
> Router A:
>
> Sheridan#sh bfd neighbors 10.248.1.2 details
> OurAddr     NeighAddr   LD/RD  RH/RS  Holddown(mult)  State  Int
> 10.248.1.1  10.248.1.2  7/3    Down   4108 (5 )       Init   Fa0/0.1000
> Local Diag: 1, Demand mode: 0, Poll bit: 0
> MinTxInt: 100, MinRxInt: 100, Multiplier: 5
> Received MinRxInt: 100, Received Multiplier: 5
> Holddown (hits): 4108(102), Hello (hits): 1000(567)
> Rx Count: 619, Rx Interval (ms) min/max/avg: 744/1092/879 last: 892 ms ago
> Tx Count: 773, Tx Interval (ms) min/max/avg: 1/1000/704 last: 424 ms ago
> Elapsed time watermarks: 0 8 (last: 4)
> Registered protocols: OSPF
> Last packet: Version: 1 - Diagnostic: 0
>              State bit: Down - Demand bit: 0
>              Poll bit: 0 - Final bit: 0
>              Multiplier: 5 - Length: 24
>              My Discr.: 3 - Your Discr.: 0
>              Min tx interval: 100 - Min rx interval: 100
>              Min Echo interval: 5
>
> Router B:
>
> OurAddr     NeighAddr   LD/RD  RH/RS  Holddown(mult)  State  Int
> 10.248.1.2  10.248.1.1  3/0    Down   0 (0 )          Down   Fa0/0
> Local Diag: 0, Demand mode: 0, Poll bit: 0
> MinTxInt: 100, MinRxInt: 100, Multiplier: 5
> Received MinRxInt: 0, Received Multiplier: 0
> Holddown (hits): 0(0), Hello (hits): 1000(515)
> Rx Count: 0, Rx Interval (ms) min/max/avg: 0/0/0 last: 1351524 ms ago
> Tx Count: 516, Tx Interval (ms) min/max/avg: 756/1000/879 last: 168 ms ago
> Elapsed time watermarks: -1 0 (last: 0)
> Registered protocols: OSPF
> Last packet: Version: 1 - Diagnostic: 0
>              State bit: AdminDown - Demand bit: 0
>              Poll bit: 0 - Final bit: 0
>              Multiplier: 0 - Length: 0
>              My Discr.: 0 - Your Discr.: 0
>              Min tx interval: 0 - Min rx interval: 0
>              Min Echo interval: 0
>
> -- snip --
>
> I'm out of ideas, and there is nothing in the bug toolkit. Suggestions?
>
> -- Stephen
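A small operator check for the two `sh bfd neighbors details` outputs quoted in this thread. This is an added example, not code from the thread or from Cisco: it embeds Router A's and Router B's output (reflowed, since the archive ran it together) and reports what the counters say; the classification rules are my reading of the BFD state machine (RFC 5880 encodes AdminDown as state value 0), not anything the posters wrote.

```python
import re

# Reflowed excerpts of the "sh bfd neighbors ... details" output quoted in the
# thread (the archive ran it onto one line); only the fields read below are kept.
ROUTER_A = """\
10.248.1.1 10.248.1.2 7/3 Down 4108 (5 ) Init Fa0/0.1000
Rx Count: 619, Rx Interval (ms) min/max/avg: 744/1092/879 last: 892 ms ago
Tx Count: 773, Tx Interval (ms) min/max/avg: 1/1000/704 last: 424 ms ago
State bit: Down - Demand bit: 0
My Discr.: 3 - Your Discr.: 0
"""
ROUTER_B = """\
10.248.1.2 10.248.1.1 3/0 Down 0 (0 ) Down Fa0/0
Received MinRxInt: 0, Received Multiplier: 0
Rx Count: 0, Rx Interval (ms) min/max/avg: 0/0/0 last: 1351524 ms ago
Tx Count: 516, Tx Interval (ms) min/max/avg: 756/1000/879 last: 168 ms ago
State bit: AdminDown - Demand bit: 0
My Discr.: 0 - Your Discr.: 0
"""
# Session line: OurAddr NeighAddr LD/RD RH/RS Holddown(mult) State Int
SESSION_RE = re.compile(r"^(?P<our>\S+)\s+(?P<neigh>\S+)\s+(?P<ld>\d+)/(?P<rd>\d+)"
                        r"\s+\S+\s+\d+\s+\(\d+\s*\)\s+(?P<state>\S+)\s+(?P<intf>\S+)$", re.M)

def parse_bfd_detail(text):
    """Session-line fields plus the counters the check below reads (None if absent)."""
    m = SESSION_RE.search(text)
    if not m:
        raise ValueError("BFD session line not found")
    f = m.groupdict()
    for key, label in (("rx", "Rx Count"), ("tx", "Tx Count"),
                       ("recv_mult", "Received Multiplier"), ("your_discr", "Your Discr.")):
        mm = re.search(re.escape(label) + r":\s*(-?\d+)", text)
        f[key] = int(mm.group(1)) if mm else None
    sb = re.search(r"State bit:\s*(\S+)", text)
    f["last_pkt_state"] = sb.group(1) if sb else None
    return f

def diagnose(text):
    """Findings an operator would read off these counters, as a list of strings."""
    f = parse_bfd_detail(text)
    out = []
    if f["state"] != "Up" and f["rx"] == 0 and (f["tx"] or 0) > 0:
        out.append("no control packets received from peer")  # one-way problem, not timers
        if f["last_pkt_state"] == "AdminDown" and f["recv_mult"] == 0:
            # BFD encodes AdminDown as state value 0, so a never-filled record decodes as AdminDown.
            out.append("AdminDown is an empty last-packet record, not the peer's state")
    elif f["state"] != "Up" and f["rx"] and f["your_discr"] == 0:
        # Peer keeps sending Down with Your Discr 0: it never saw our packets, so we flap Init -> Down.
        out.append("peer has not learned our discriminator; check the reverse path")
    return out
```

Run against the thread's output, Router B reports that nothing ever arrived from Router A, and Router A reports that its peer has not learned its discriminator, which is the same one-way problem seen from the other end.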
Re: [c-nsp] What is pv in show ip arp?
My guess would be private-vlan. Can you do a "show vlan private-vlan" and see?

-lmn

On Thu, Feb 21, 2008 at 10:30 AM, Christian Bering [EMAIL PROTECTED] wrote:

> Hi all,
>
> When a show ip arp shows the following:
>
> Protocol  Address      Age (min)  Hardware Addr   Type  Interface
> Internet  172.31.7.25  0          000c.dbf5.fa00  ARPA  Vlan15 pv 3030
>
> What does pv 3030 indicate?
>
> Thanks,
>
> --
> Regards
> Christian Bering
> IP engineer, nianet a/s
> Phone: (+45) 7020 8730
Re: [c-nsp] redundant VPNs
1800/2800 should have no problem handling T1 VPN. Use AIM-SSL1/SSL2 encryption cards for them. Tag on Zone-based FW and IOS IPS and your customer should feel safe :)

-lmn

On Feb 20, 2008 11:48 AM, Adam Greene [EMAIL PROTECTED] wrote:

> Hi,
>
> A customer of ours has two sites, one with an 1800, the other with a 2800. There's a point-to-point T1 connecting the locations. The two locations also have a backup link through my network via DSL.
>
> The customer wants to establish a VPN between the two locations over the ptp T1, and a backup VPN over the DSL lines in case the ptp T1 goes down.
>
> I should be able to rely on the 1800/2800 for this, shouldn't I? I can add sonicwalls on each end if needed, but I think the routers should be able to handle it alone.
>
> What do you think?
>
> Thanks,
> Adam
Re: [c-nsp] EIGRP redistribution between 2 VRFs
Thank you guys. Works wonderfully. Stand-alone BGP... exactly what I need in this situation.

-lmn

On Fri, Feb 15, 2008 at 8:56 AM, Oliver Boehmer (oboehmer) [EMAIL PROTECTED] wrote:

> Jeff Kell wrote on Friday, February 15, 2008 2:46 PM:
>
> > Michael Lyngbøl wrote:
> >
> > > On 14.02.2008 16:06:03 -0500, Luan Nguyen wrote:
> > >
> > > > Say I have VRF RED on one of the interfaces, and VRF BLUE on another interface. And I need to run EIGRP on both of them. They have their own ASN and don't want to change them. How do I send routes learned from RED into BLUE and vice versa?
> > >
> > > Import the proper route-targets in VRF RED and VRF BLUE. You can also just import+export from/to one of the VRFs. Might need to attach import/export maps to filter which routes you'd like to import/export.
> >
> > That's the general idea, but it's not quite that simple (I wish it was!). Or at least I could not get it to actually work with import/export alone. You must run iBGP for the import/export to actually work (at least on Catalyst hardware as CE/PE, IOS 12.2) and have iBGP redistributing your EIGRP instances, e.g.:
> >
> > router bgp 9
> >  !
> >  address-family ipv4
> >   redistribute connected
> >  exit-address-family
> >  !
> >  address-family ipv4 vrf RED
> >   redistribute connected
> >   redistribute eigrp [reds-ASN]
> >  exit-address-family
> >  !
> >  address-family ipv4 vrf BLUE
> >   redistribute connected
> >   redistribute eigrp [blues-ASN]
> >  exit-address-family
> >
> > If you subsequently want your red/blue EIGRPs to redistribute their respective imported routes further, you'll need to redistribute BGP within the EIGRP instances as well.
> >
> > Of course if all this extra stuff is NOT needed, I'd love to hear about it. It took the import/export plus mutual redistribution in my case to get it to work as desired, and I ran out of patience before trying to selectively remove bits here and there to see which ones were NOT part of the solution.
>
> You are doing the right thing, you need to enable BGP (no neighbors needed) as import/export is only possible via BGP. Don't think you need the redist connected within ipv4-AF (the first address-family), but the rest is fine and required for this to work.
>
> oli
[c-nsp] EIGRP redistribution between 2 VRFs
Hello,

Say I have VRF RED on one of the interfaces, and VRF BLUE on another interface. And I need to run EIGRP on both of them. They have their own ASN and don't want to change them. How do I send routes learned from RED into BLUE and vice versa? From the command line, EIGRP doesn't allow redistribution of EIGRP from a VRF. Sample config is something like this:

router eigrp 1
 passive-interface default
 no passive-interface Tunnel0
 no auto-summary
 !
 address-family ipv4 vrf RED
  network 10.0.0.0 0.0.1.255
  no auto-summary
  autonomous-system 1
 exit-address-family
!
router eigrp 2
 passive-interface default
 no passive-interface Tunnel1
 no auto-summary
 !
 address-family ipv4 vrf BLUE
  network 10.1.1.1 0.0.0.0
  no auto-summary
  autonomous-system 1
 exit-address-family

DMVPNSite1R1(config-router-af)#redistribute eigrp 1 ?
  metric     Metric for redistributed routes
  route-map  Route map reference
  <cr>

No VRF option there, unlike say OSPF:

DMVPNSite1R1(config-router-af)#redistribute ospf 1 ?
  match      Redistribution of OSPF routes
  metric     Metric for redistributed routes
  route-map  Route map reference
  vrf        VPN Routing/Forwarding Instance
  <cr>

Is there a way to advertise routes between them?

TIA

-lmn
Re: [c-nsp] BFD aware VRF
I have BGP running between PE and CE. So on the PE, you do:

router bgp
 address-family ipv4 vrf whatever
  neighbor y.y.y.y fall-over bfd

Do the same for the CE under bgp. Then on the link between CE and PE, configure the bfd interval, etc. That should work.

The problem is my CE is a 1841 with a Channelized T1/PRI port and even with the latest 12.4.15T3, I can't put the bfd command under the serial interface! Without the interface-level bfd command, bfd won't work. Hello? I did try with an ethernet link between PE and CE, and the bfd config looks good.

-lmn

On Feb 4, 2008 11:47 AM, Vikas Sharma [EMAIL PROTECTED] wrote:

> Hi,
>
> Anyone have configured VRF aware BFD? If yes pls let me know how?
>
> Regards
> Vikas Sharma
Re: [c-nsp] c7600 and VPLS
Does anyone know when the 7200VXR can support VPLS?

thanks.

-lmn

On Jan 29, 2008 9:22 AM, Dennis Dubbelman [EMAIL PROTECTED] wrote:

> For supporting VPLS on a 7600, OSM or ES20 linecards are needed on the core facing interfaces. Those cards will handle the label push and pop for SVI based interfaces.
>
> You can use your defined hardware as an MPLS access node and terminate your PW on a VPLS based 7600 router. This router must terminate the incoming PWs over an OSM or ES20 linecard.
>
> Cheers,
> Dennis Dubbelman
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of MKS
> Sent: Tuesday 29 January 2008 15:02
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] c7600 and VPLS
>
> Hi
>
> I'm a bit confused about hardware support for VPLS and Cisco 7600. If I have only LAN cards, e.g. 6724 customer facing and 6704 core facing, does that mean that I have no VPLS support or just not H-VPLS? Can I run some topology of VPLS with only LAN cards (full mesh, hub-spoke, partial mesh)?
>
> Regards
> MKS
Re: [c-nsp] c7600 and VPLS
Not ever?

Thanks.

-lmn

On Jan 29, 2008 11:32 AM, Mohacsi Janos [EMAIL PROTECTED] wrote:

> On Tue, 29 Jan 2008, Luan Nguyen wrote:
>
> > Does anyone know when the 7200VXR can support VPLS?
>
> AFAIK VPLS is not supported on 7200VXR.
>
> Regards,
> Janos
>
> > thanks.
> >
> > -lmn
> >
> > On Jan 29, 2008 9:22 AM, Dennis Dubbelman [EMAIL PROTECTED] wrote:
> >
> > > For supporting VPLS on a 7600, OSM or ES20 linecards are needed on the core facing interfaces. Those cards will handle the label push and pop for SVI based interfaces.
> > >
> > > You can use your defined hardware as an MPLS access node and terminate your PW on a VPLS based 7600 router. This router must terminate the incoming PWs over an OSM or ES20 linecard.
> > >
> > > Cheers,
> > > Dennis Dubbelman
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of MKS
> > > Sent: Tuesday 29 January 2008 15:02
> > > To: cisco-nsp@puck.nether.net
> > > Subject: [c-nsp] c7600 and VPLS
> > >
> > > Hi
> > >
> > > I'm a bit confused about hardware support for VPLS and Cisco 7600. If I have only LAN cards, e.g. 6724 customer facing and 6704 core facing, does that mean that I have no VPLS support or just not H-VPLS? Can I run some topology of VPLS with only LAN cards (full mesh, hub-spoke, partial mesh)?
> > >
> > > Regards
> > > MKS
Re: [c-nsp] MPLS PE to PE over GRE/IPIP
If you don't have MPLS then using GRE between PEs would be okay. Do something like:

interface Tunnel1
 ip address 1.1.1.1
 tunnel source x.x.x.x
 tunnel destination y.y.y.y

y.y.y.y is the other PE's backbone-facing IP, reachable by x.x.x.x. Then advertise your loopback address through the tunnel using whatever you like... EIGRP, OSPF, static route. The loopback is the MBGP peering point. Then just do your normal configs.

-lmn

On Jan 28, 2008 2:49 PM, Masood Ahmad Shah [EMAIL PROTECTED] wrote:

> I'm in the process of connecting two or more Provider Edge routers using GRE/IPIP tunnels. What were your experiences? If the answer is yes then I would love to ask how you connect a PE to another PE using the GRE/IPIP tunnel interfaces. Keeping in mind that I'm going to carry multiple customers' traffic (VRF BGP-VPN) between these PEs.