Re: [c-nsp] WS-6500-SFM insertion into production box, much of an impact?
Yeah, it is hot-swappable. You must install the Switch Fabric Module in either slot 5 or slot 6 of the Catalyst 6506 switch. For redundancy, you can install a standby Switch Fabric Module. The module first installed functions as the primary module. When you install two Switch Fabric Modules at the same time, the module in slot 5 acts as the primary module, and the module in slot 6 acts as the backup. If you reset the module in slot 5, the module in slot 6 becomes the primary module.

Regards,
Masood
Blog: http://weblogs.com.pk/jahil/

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Ben Steele
Sent: Monday, February 09, 2009 4:57 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] WS-6500-SFM insertion into production box, much of an impact?

Howdy,

I'm looking for some info on the insertion of an SFM into a live 6500 (Sup2, obviously). I can't seem to find any info from Cisco as to the consequences this may have for traffic flowing through the bus at the time (i.e. dropped packet rates), and I want to know whether the modules go from using the bus-only backplane to the crossbar as soon as the module initialises, or whether a reload would actually be required for this.

Cheers
Ben

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] OSPF not propagating - But for only one route...?
To redistribute static routes to subnets of classful networks, you use "redistribute static subnets" under the OSPF router configuration.

Regards,
Masood
Blog: http://weblogs.com.pk/jahil/

> redistributing statics/connected networks. For some reason 1 static route will not redistribute from the switch to the router and vice versa.
>
> redistribute connected
> redistribute static
>
> ip route 10.95.18.0 255.255.255.0 10.95.11.9   ! this is the problem route
>
> Have you tried 'redistribute static subnets'?

No virus found in this incoming message. Checked by AVG - http://www.avg.com Version: 8.0.233 / Virus Database: 270.10.16/1926 - Release Date: 1/30/2009 5:31 PM
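An added worked example (not from the thread) of what the `subnets` keyword actually governs: without it, IOS 12.x OSPF redistributes only routes that are exact classful networks (/8, /16 or /24 by first octet) and silently skips anything more specific, which is exactly why 10.95.18.0/24 (a subnet of 10.0.0.0/8) never showed up. The extra prefixes in the list are constructed to show the general rule; later IOS 15 releases made `subnets` the default, so this models the behaviour of the releases discussed in the thread.

```python
"""Model of IOS `redistribute static [subnets]` (added example, not from the thread)."""
import ipaddress


def classful_prefix_length(network: ipaddress.IPv4Network) -> int:
    """Return the classful mask length implied by the first octet."""
    first = int(network.network_address) >> 24
    if first < 128:
        return 8   # class A
    if first < 192:
        return 16  # class B
    if first < 224:
        return 24  # class C
    raise ValueError(f"{network} is not a unicast class A/B/C network")


def is_classful_network(network: ipaddress.IPv4Network) -> bool:
    """True when the prefix length equals the classful length (not subnetted)."""
    return network.prefixlen == classful_prefix_length(network)


def redistributed(routes, subnets_keyword: bool):
    """Return the routes OSPF would redistribute with or without `subnets`."""
    out = []
    for cidr in routes:
        net = ipaddress.ip_network(cidr, strict=False)
        if subnets_keyword or is_classful_network(net):
            out.append(str(net))
    return out


STATIC_ROUTES = [
    "10.95.18.0/24",   # the problem route from the thread: a subnet of 10.0.0.0/8
    "10.0.0.0/8",      # constructed: the classful class A network itself
    "172.16.0.0/16",   # constructed: a classful class B network
    "192.0.2.0/24",    # constructed: a classful class C network
    "192.0.2.128/25",  # constructed: a subnet of a class C network
]

if __name__ == "__main__":
    print("without subnets:", redistributed(STATIC_ROUTES, False))
    print("with subnets:   ", redistributed(STATIC_ROUTES, True))
```

Running it shows the three classful networks leaving the router without the keyword and all five with it; the quick check before filing a bug is therefore `show ip ospf database external` on the redistributing router, looking for the /24 that `subnets` would add.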
Re: [c-nsp] Per packet load balancing with low latency applications
Using cRTP along with MLPPP will have a positive impact on your voice and low-latency issues.

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Joe Provo
Sent: Thursday, January 15, 2009 5:33 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Per packet load balancing with low latency applications

On Thu, Jan 15, 2009 at 12:25:18PM +, William wrote:
> Hello list,
>
> I've been looking at using per-packet load balancing with a couple of serial links to use with a low-latency market data application. In all the Cisco docs they seem to mention how VoIP/video applications may chuck their dummy out with packets arriving out of sequence.
>
> My question is what would cause the packets to arrive out of sequence? And has anyone been in my position before? What was the outcome?

If these are wide-area links, latency can vary due to grooming or other re-provisioning. If they are protected links, expect at some point during their life to switch independently and wind up with differing latencies.

> Per packet is going to be used because there will only be one machine on each end of the link talking to each other.

Look at link-layer aggregation methods (MLPPP for PtP, LAG for Ether, etc.) or getting a bigger pipe instead. Simple is good.

> Any more information/real life experiences on the matter are welcome.

In my experience, per-packet always kills goodput.

--
RSUC / GweepNet / Spunk / FnB / Usenix / SAGE
Re: [c-nsp] BGP default-originate route
The default route is not announced to BGP neighbors, even if it's in the IP routing table and the BGP table. This was true in old IOS releases; 12.4 and 12.2SRC announce the BGP default route like any other network. To announce a default route to a BGP neighbor, you can configure "neighbor default-originate".

More information about the BGP default route from Ivan (a true geek): http://wiki.nil.com/BGP_default_route

Regards,
Masood

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott Ingram
Sent: Thursday, January 15, 2009 11:16 PM
To: Brad Hedlund; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] BGP default-originate route

Thanks. Would anyone from the SP area like to add any comments?

From: Brad Hedlund [mailto:brhed...@cisco.com]
Sent: Wed 1/14/2009 12:49 PM
To: Scott Ingram; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] BGP default-originate route

On 1/14/09 11:19 AM, Scott Ingram sing...@clayton.com wrote:
> I think to keep it simple all I want is to do one site primary and the other standby only.

Scott,

I'm sure the SP guys will jump in at this point, but that should be a fairly straightforward setup, where the standby site's PE is configured to crank up the metric for the default route from that location, such as padding the ASN or manipulating the MED, or any other BGP setting.

Cheers,
Brad Hedlund
bhedl...@cisco.com
http://www.internetworkexpert.org

IMPORTANT NOTICE: This message is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you have received this message in error, you are hereby notified that we do not consent to any reading, dissemination, distribution or copying of this message. If you have received this communication in error, please notify the sender immediately and destroy the transmitted information.
[c-nsp] JUNOS funny or bad poetry
The JUNOS guys promised they would not make it boring! If you don't want to configure something on JUNOS, spend some time with JUNOS haiku.

http://weblogs.com.pk/jahil/archive/2009/01/07/juniper-junos-funny-poetry.aspx
Re: [c-nsp] RSP4 as route server? - seeking suggestions and opinions
You can also use a JUNOS Olive. http://juniper.cluepon.net/index.php/Olive

Regards,
Masood

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Cory Ayers
Sent: Sunday, December 21, 2008 1:45 AM
To: Ang Kah Yik
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] RSP4 as route server? - seeking suggestions and opinions

> I've only been recently tasked with looking into possible (re)uses for this box, so I'm not sure how it managed to handle 2 sets of full routes either.

256M RAM will barely handle one BGP feed filtered to /23 (140k routes).

> The first thing that came to mind when tasked with this was actually Quagga/OpenBGPD. There appears to be a discussion on Linux Gigabit routers on the NANOG-ML, but the discussion seems skewed towards forwarding performance rather than BGP scalability.

If you're just looking for data gathering, go with Quagga. We've got an old SOHO box (533 MHz, 512M RAM, 512M flash drive) running a lean install of Fedora with 8 BGP feeds (somewhat filtered) inbound, and another session to route-views. This replaced a 7200 NPE-300 w/256M that couldn't keep up a few years back.

Cory
Re: [c-nsp] Conditional BGP
A nice book on BGP: Practical BGP by Russ White.

Regards,
Masood
BLOG: http://www.weblogs.com.pk/jahil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Boolootian
Sent: Wednesday, September 24, 2008 6:06 AM
To: [EMAIL PROTECTED]
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Conditional BGP

> 2) View the NANOG presentation archives. Several come to mind; I'll try to compile a list of suggestions, or just browse away.

Search the presentation archive for Smith and BGP. Philip Smith's BGP tutorials are outstanding.
Re: [c-nsp] OT - 802.3an - 10Gig over Cat 6a
I would recommend Juniper MX or EX switches; it's time to enjoy line rate along with a stable network operating system (JUNOS) + applications/services (MPLS, VPLS, QinQ etc.) :)

Regards,
Masood
BLOG: http://www.weblogs.com.pk/jahil/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brad Henshaw
Sent: Tuesday, September 16, 2008 8:51 AM
To: Simon Hamilton-Wilkes; cisco-nsp@puck.nether.net
Cc: [EMAIL PROTECTED]
Subject: Re: [c-nsp] OT - 802.3an - 10Gig over Cat 6a

Simon Hamilton-Wilkes wrote:
> SMC Tigerswitch 10g is the only thing I can see out there, $23 K for 20 ports in 1U.

Extreme also have the X650. Not sure about availability.

Regards,
Brad
Re: [c-nsp] cisco 7507 vs ssg 550
You can't replace the Cisco 7500 with an SSG550 (firewall), because POS (OC3) is currently not available for the SSG platform. Second, the SSG can run ScreenOS only, not JUNOS; ScreenOS is the operating system for integrated firewall/IPsec VPN solutions. Third, the SSG is a purpose-built security appliance; I would definitely not recommend the SSG. T1, E1, serial, DS3, FE and SFP (copper or fiber) are the only available interfaces for SSG devices.

I would also recommend not replacing the 7500 with just another idiot 7200 (a software router: policy (route-maps), access-lists, tunnels or a simple debugging will hang up the router). If you really need Gig throughput along with tunnels and policy routing, you need to consider a line/wire rate router; it can be a Cisco 76XX (be careful while selecting modules) or all Juniper M/T series routers along with an AS PIC (go for the M7i or M10i).

Regards,
Masood

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Arie Vayner (avayner
Sent: Wednesday, September 17, 2008 12:03 PM
To: Faisal Muzammil; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] cisco 7507 vs ssg 550

Faisal,

Why don't you take a look at a 7200/NPE-G2 (or even a 7201, which is a 1RU version of it)?

http://www.cisco.com/en/US/products/hw/routers/ps341/index.html
http://www.cisco.com/en/US/prod/collateral/routers/ps341/product_data_sheet0900aecd8047177b.html
http://www.cisco.com/en/US/products/ps7253/index.html

The advantage of changing to this kind of device is that it would be a natural upgrade from the 7500 (which is a very old model...). All the configs should most likely transfer as a simple copy and paste.

Arie

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Faisal Muzammil
Sent: Tuesday, September 16, 2008 12:52 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] cisco 7507 vs ssg 550

Hi,

We have a Cisco 7507 router for our WAN and are thinking of replacing it with a Juniper SSG 550.

Currently we have 1 GEIP interface on the LAN side of the 7507 and 1 POS (STM/OC3) interface on the WAN side. We have a few IP-in-IP tunnels established and are running BGP over the WAN and OSPF on the LAN side. We also have the need to use PBRs.

The main reason behind this change is that we are going to outgrow our STM capacity and need to upgrade to higher bandwidth on the WAN side. Hence, similarly, we will need a better option on the LAN side instead of the GEIP due to its limitation of 200 Mbps aggregate throughput.

Thanks in advance for your suggestions.

regards
Famz

_ News, entertainment and everything you care about at Live.com. Get it now! http://www.live.com/getstarted.aspx
Re: [c-nsp] MPLS PE Routers for a Mobile Carrier?
MPLS VPN, TE and QoS: if you need all of that in one box, then you'd better go for the Juniper M Series. Juniper M10i or M120/320.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Saku Ytti
Sent: Sunday, August 03, 2008 1:41 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] MPLS PE Routers for a Mobile Carrier?

On (2008-08-02 20:20 +), Felix Nkansah wrote:
> I am working on an MPLS proposal for a mobile carrier (with 2mil+ customers). I need to decide on what routers to use as PE and P for their backhaul between 5 sites. I am torn between proposing the Cisco ASR 1000 OR the Cisco 7600 series as PE/P. Please let me know what your expert opinion is on this matter. They require MPLS VPN, TE, and QoS.

You should find out very carefully whether or not you can live with LAN card limitations. Without knowing the specifics of your QoS requirements, it's very likely that you are terminating customers on subinterfaces, effectively requiring HQoS, which LAN cards do not do. Other limitations that pop into my mind are: no VLAN local significance, no IPv6 uRPF (and chassis-wide strict or loose in IPv4), no IPv6 CoPP, no ToS byte transparency, and either you lose up-to-/128 lookup or L4 lookups in IPv6.

If you find out that you can't live with LAN cards, the main attraction of the 7600/6500 goes away and you have many more options to choose from: ASR1k, MX, M, GSR, CRS. But if you are aware of all the catches with LAN interfaces and can live with/work around them, it's very good value for your money. However, in my book they suit the LSR/P role much better than the LER/PE role.

--
++ytti
[c-nsp] PPPoE tunnel and Firewall
I'm really getting confused while adding a firewall for DSL subscribers. I want to protect my PPPoE subscribers from malicious traffic. Adding a firewall between the DSLAMs and the BRAS is kind of confusing for me. The final topology is going to be like:

CPE <--> DSLAM <--> Firewall <--> BRAS --- Internet

From the CPE to the BRAS is a PPPoE tunnel. The question: can a firewall protect PPPoE customers from malicious traffic while sitting in transparent mode in front of the BRAS? I wonder whether the firewall will skip the PPPoE tunnel traffic. If so, then how do you guys protect BRAS internal traffic from one subscriber to another?
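An added example (not from the post) of what a transparent firewall between the DSLAM and the BRAS actually sees on the wire. Subscriber traffic arrives as PPPoE session frames (EtherType 0x8864) carrying a PPP frame whose protocol field 0x0021 introduces the IPv4 datagram, so any filter keyed only on EtherType 0x0800 never reaches the IP header and "skips" the tunnel exactly as the post fears. The frame and the 100.64.0.0/10 subscriber pool below are constructed for the demonstration; the MAC addresses are placeholders.

```python
"""Unwrap Ethernet -> PPPoE session -> PPP -> IPv4 (added example, not from the post)."""
import struct
import ipaddress

ETH_P_IP = 0x0800
ETH_P_PPPOE_SESSION = 0x8864
PPP_PROTO_IPV4 = 0x0021
PPP_PROTO_LCP = 0xC021

# Constructed: the address pool the BRAS hands to PPPoE subscribers.
SUBSCRIBER_POOL = ipaddress.ip_network("100.64.0.0/10")


def build_ipv4_header(src_ip, dst_ip, proto, payload_len=0):
    """Minimal IPv4 header (no options, checksum left zero) for test frames."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src_ip).packed,
                       ipaddress.ip_address(dst_ip).packed)


def build_pppoe_frame(session_id, ppp_proto, ppp_payload):
    """Constructed test data: Ethernet + PPPoE session header + PPP frame."""
    ppp = struct.pack("!H", ppp_proto) + ppp_payload
    # PPPoE header: ver/type 0x11, code 0x00 (session data), session id, payload length
    pppoe = struct.pack("!BBHH", 0x11, 0x00, session_id, len(ppp)) + ppp
    eth = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
           + struct.pack("!H", ETH_P_PPPOE_SESSION))
    return eth + pppoe


def naive_ip_view(frame):
    """What an IPv4-only filter sees: the IP packet, or None for any other EtherType."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return frame[14:] if ethertype == ETH_P_IP else None


def pppoe_aware_ip_view(frame):
    """Return the inner IPv4 5-tuple summary, looking through PPPoE/PPP if needed."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_P_IP:
        session_id, ip = None, frame[14:]
    elif ethertype == ETH_P_PPPOE_SESSION:
        ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
        if ver_type != 0x11 or code != 0x00:
            return None
        ppp = frame[20:20 + length]
        # LCP/IPCP/CHAP (0xc021, 0x8021, 0xc223) carry no IP; only 0x0021 does.
        if len(ppp) < 2 or struct.unpack("!H", ppp[:2])[0] != PPP_PROTO_IPV4:
            return None
        ip = ppp[2:]
    else:
        return None
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    return {
        "session_id": session_id,
        "src": str(ipaddress.ip_address(ip[12:16])),
        "dst": str(ipaddress.ip_address(ip[16:20])),
        "proto": ip[9],
    }


def subscriber_to_subscriber(info):
    """The case the post worries about: both endpoints inside the subscriber pool."""
    return (info is not None
            and ipaddress.ip_address(info["src"]) in SUBSCRIBER_POOL
            and ipaddress.ip_address(info["dst"]) in SUBSCRIBER_POOL)


# Constructed frames: a TCP packet between two subscribers, and an LCP Echo-Request.
SAMPLE_FRAME = build_pppoe_frame(0x0001, PPP_PROTO_IPV4,
                                 build_ipv4_header("100.64.0.10", "100.64.0.20", 6))
LCP_FRAME = build_pppoe_frame(0x0001, PPP_PROTO_LCP, bytes.fromhex("0900000800000000"))

if __name__ == "__main__":
    print("IPv4-only filter sees:", naive_ip_view(SAMPLE_FRAME))
    print("PPPoE-aware filter sees:", pppoe_aware_ip_view(SAMPLE_FRAME))
```

The point for the design question: a subscriber-to-subscriber packet still travels DSLAM -> BRAS inside one session and back BRAS -> DSLAM inside another, so a transparent box in front of the BRAS only helps if it can decode PPPoE like the second function and policy the inner IP on both passes; otherwise the filtering has to happen on the BRAS, after PPP termination.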
[c-nsp] OSPF on Secondary IP addresses.
Can OSPF establish neighbors on secondary addresses? I do not have any luck unless the OSPF network interface is the primary. Any ideas why, and how do we get around this? What if ROUTERA is connected to a wireless bridge which is serving multiple sites? Or there can be many other situations when you need to build an adjacency on a secondary IP address instead of the primary IP. Oops, I can't find any parameter (when I configure a secondary address on a Cisco router) like preferred/primary. Thanks to the Juniper guys for providing it ;)

Thanks in advance.

Regards,
Masood Ahmad Shah

- ROUTERA
interface FastEthernet1
 ip address 2.100.220.113 255.255.255.248
 ip address 2.100.220.97 255.255.255.248 secondary
 ip address 2.100.230.81 255.255.255.248 secondary
 no ip redirects
 no ip directed-broadcast
!
router ospf 100
 log-adjacency-changes
 area 3.3.3.102 stub no-summary
 network 2.100.230.80 0.0.0.7 area 3.3.3.102

-- ROUTERB
interface Ethernet0
 ip address 2.100.230.86 255.255.255.248
!
router ospf 100
 log-adjacency-changes
 area 3.3.3.102 stub
 passive-interface BRI0
 network 2.100.230.80 0.0.0.7 area 3.3.3.102
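An added model (not from the post) of why the ROUTERA/ROUTERB configuration above never forms an adjacency. IOS sources OSPF hellos from an interface's primary address and, on a broadcast network, accepts a hello only when its source lies in the primary subnet of the receiving interface; secondary subnets are advertised as stub links but are not used to form neighbors. The interface objects use the addresses from the post; the "fixed" ROUTERA with the primary and secondary swapped is a constructed variant showing the one change that makes the check pass.

```python
"""Hello-source check that decides OSPF adjacency on IOS (added example, not from the post)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Interface:
    name: str
    primary: str                       # "a.b.c.d/len"
    secondaries: list = field(default_factory=list)

    def primary_net(self):
        return ipaddress.ip_interface(self.primary).network

    def hello_source(self):
        # IOS sources hellos from the primary address only.
        return ipaddress.ip_interface(self.primary).ip


def accepts_hello(receiver: Interface, source) -> bool:
    """Broadcast-network rule: the hello source must be in the receiver's *primary*
    subnet. Secondary subnets are deliberately not consulted."""
    return ipaddress.ip_address(source) in receiver.primary_net()


def adjacency_possible(a: Interface, b: Interface) -> bool:
    """Two-way check: each side must accept the other's hello."""
    return accepts_hello(b, a.hello_source()) and accepts_hello(a, b.hello_source())


def advertised_stub_links(iface: Interface):
    """What OSPF still advertises for the interface: primary and secondary subnets."""
    return [str(ipaddress.ip_interface(p).network)
            for p in [iface.primary, *iface.secondaries]]


# Addresses from the post.
ROUTERA_FE1 = Interface("ROUTERA FastEthernet1", "2.100.220.113/29",
                        ["2.100.220.97/29", "2.100.230.81/29"])
ROUTERB_E0 = Interface("ROUTERB Ethernet0", "2.100.230.86/29")

# Constructed: ROUTERA with 2.100.230.81/29 promoted to primary.
ROUTERA_FIXED = Interface("ROUTERA FastEthernet1 (primary swapped)", "2.100.230.81/29",
                          ["2.100.220.113/29", "2.100.220.97/29"])

if __name__ == "__main__":
    for a in (ROUTERA_FE1, ROUTERA_FIXED):
        print(f"{a.name} <-> {ROUTERB_E0.name}: adjacency {adjacency_possible(a, ROUTERB_E0)}")
    print("ROUTERA advertises:", advertised_stub_links(ROUTERA_FE1))
```

With the posted configuration both directions fail: ROUTERB sees a hello from 2.100.220.113, which is outside 2.100.230.80/29, and ROUTERA sees a hello from 2.100.230.86, which is outside its primary 2.100.220.112/29. The network statement matching the secondary subnet is enough to enable OSPF on the interface and advertise 2.100.230.80/29, which is why the route appears while the neighbor never does.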
Re: [c-nsp] 3550-48 - 3560-48TS-E migration?
The thing I'm missing is that it does not support Policy-Based Routing (PBR) when forwarding IPv6 traffic :( The software supports IPv4 PBR only when the dual-ipv4-and-ipv6 routing template is configured. Here is the link for more on dual-ipv4-and-ipv6:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_see/configuration/guide/swsdm.html#wp1077854

Regards,
Masood Ahmad Shah
BLOG: http://www.weblogs.com.pk/jahil/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jon Lewis
Sent: Thursday, May 15, 2008 7:24 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] 3550-48 - 3560-48TS-E migration?

Having just gone past the end of software maintenance date for the 3550, and with the need to start at least looking at supporting IPv6 on our customer aggregation switches in the not so distant future, I suppose it's time to seriously consider the 3560-48TS as a replacement / upgrade path for our 3550-48's.

With the 3550-48's, we've been getting away with configuring generally all or nearly all the FE interfaces as routed ports using the default SDM template, and not run into any problems, even though this template is allegedly optimized for 8 routed interfaces. Can the 3560-48TS be used similarly without getting into software forwarding? I'd love to hear from someone using the 3560-48TS in a mixed v4/v6 environment with 48 routed ports, since Cisco's docs that I've found so far don't seem to suggest how likely this is to work.

--
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_ http://www.lewis.org/~jlewis/pgp for PGP public key _
Re: [c-nsp] If BGP is running on a circuit, if you ping the other end you get loss. kill the BGP (and thus the traffic..) no more loss.
I have written a blog post on the question you asked about the NetFlow packet collecting/forwarding issue...
http://weblogs.com.pk/jahil/archive/2008/05/02/how-to-netflow-with-csico-6500.aspx

Regards,
Masood A Shah

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Drew Weaver
Sent: Thursday, May 01, 2008 7:47 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] If BGP is running on a circuit, if you ping the other end you get loss. kill the BGP (and thus the traffic..) no more loss.

Somewhat related to this thread: is there some sort of 'magic' you have to do with a Sup720 to get it to export flows egress and ingress? It appears that there is quite a bit of traffic missing from the NetFlow data (most of it, in fact)... I simply applied "ip route-cache flow" to the layer 3 VLANs of interest and then set up the export commands as documented. Are there other steps required?

Thanks,
-Drew

-Original Message-
From: Aaron Glenn [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 30, 2008 7:44 PM
To: Drew Weaver
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] If BGP is running on a circuit, if you ping the other end you get loss. kill the BGP (and thus the traffic..) no more loss.

On Wed, Apr 30, 2008 at 5:54 AM, Drew Weaver [EMAIL PROTECTED] wrote:
> So, what are folks using these days for NetFlow analysis (software?)

nfsen and pmacct. Excellent open source products.

aaron.glenn
Re: [c-nsp] OT: Check Point v Cisco PIX (ASA 5500 Series)
If you really need a firewall then you must go for Netscreen. Netscreen is truly a firewall, with a pretty nice/stable packet inspection engine and a pretty nice GUI/command line interface. A single box (Netscreen 500) will work like a charm for packet inspection, attack prevention and VPN tunnel termination. Oh yeah, you will not face any issues like ICMP response packets or TCP flags... mtr is working fine too :)

Regards,
Masood Ahmad Shah

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, April 04, 2008 12:39 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] OT: Check Point v Cisco PIX (ASA 5500 Series)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jarrod Friedland
Sent: Friday, April 04, 2008 03:18
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] OT: Check Point v Cisco PIX (ASA 5500 Series)

> Hi All
>
> I wonder if anyone can offer me some sound professional opinion in terms of using a Check Point FW device v Cisco PIX (ASA 5500 Series) devices. Currently we are using Checkpoint devices; however, I have an opportunity to possibly include a PIX device in our mix. However, all my reading thus far seems to be more based on personal opinion than operational pros and cons. I'm looking for info in relation to can-dos and cannots, administration comparisons etc.
>
> If you are able to offer some insight but would like to take this offline, please let me know and I can send you my direct contact details.

Since we're using both Checkpoint and ASAs, here's what I think about them. We only use them for IPsec (end-user and site-to-site) and packet filtering. All kinds of protocol inspection run on separate proxies, where they belong.

Checkpoint has a great log viewer, but that's just about all I can say in their favor. They don't know how to apply rulesets to interfaces, just globally. Setting up VPNs is a pain because they like to send out strange subnet configs. They're horribly expensive (we ran them on Nokias, whose network cards do not support autoneg, btw). Their support is pretty terrible as well. They also need arcane changes to their backend firewall database whenever something doesn't go as expected.

Cisco ASAs are pretty cheap and have reasonable performance, but have lots of strange quirks. They don't decrement TTL by default (and I still haven't found a way to decrement it over VPN connections), handling ICMP errors is a black art (still haven't gotten mtr working through ASAs), they do strange things with your TCP MSS, don't send out RSTs to denied connections, and other such fun stuff. Most of these can be configured to work correctly, but they're far from the default. Cisco's central management tool (Cisco Security Manager) is pretty horrible; I guess the lag is about 1 year between when the ASA gets a new feature and when Security Manager learns how to use it. On the other hand, the free GUI (ASDM) is pretty decent, and unlike Checkpoint it comes with a CLI. Software updates/fixes don't get released as often as Checkpoint's, which I consider a downside for the ASAs.

I still think ASAs are a step up from Checkpoint gear, but neither are great. I'm seriously considering Netscreens for my next rollouts. If I ever manage to convince the upper echelons here, I'd go with pf on either OpenBSD or FreeBSD.

// nick
Re: [c-nsp] IOS pirating requests
Oh yeah, what is an IOS? April Fools' Day :) Kidding. IOS (Internet Operating System) is the software used on the vast majority of Cisco Systems routers and all current Cisco network switches. Oh, don't ask what an operating system is :)

Regards,
Masood Ahmad Shah

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ziv Leyes
Sent: Wednesday, April 02, 2008 6:30 PM
To: [EMAIL PROTECTED]; Jon Lewis; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] IOS pirating requests

What's an IOS anyway???

Ziv

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, April 02, 2008 4:16 PM
To: Jon Lewis; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] IOS pirating requests

How do you do an IOS upgrade? :)

--
Regards,
Jason Plank
CCIE #16560
e: [EMAIL PROTECTED]

-- Original message --
From: Jon Lewis [EMAIL PROTECTED]

> Is it just me, or are others on the list getting daily requests from complete strangers along the lines of "I saw your post to cisco-nsp about a particular IOS version... could you send me a copy of that IOS?" Ok... maybe it's not daily... but I have gotten two in the past two days. For those who haven't asked yet, I'll save you some time. The answers are no, and if you want an IOS upgrade, talk to Cisco.
>
> --
> Jon Lewis | I route
> Senior Network Engineer | therefore you are
> Atlantic Net |
> _ http://www.lewis.org/~jlewis/pgp for PGP public key _

This footnote confirms that this email message has been scanned by PineApp Mail-SeCure for the presence of malicious code, vandals and computer viruses.
Re: [c-nsp] 7606(SUP32) 12.2(33)SRB2 arp-table problem.
Well, by default Cisco IOS keeps learned ARP entries for 3 hours 59 minutes. There might be some network scanner (worm or virus) around, scanning your network all the time.

Regards,
Masood Ahmad Shah

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andrey O.Sokolov
Sent: Monday, March 17, 2008 1:50 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] 7606(SUP32) 12.2(33)SRB2 arp-table problem.

Good day!

Cisco 7606 with Sup32, IOS 12.2(33)SRB2, c7600s3223_rp-ADVIPSERVICESK9-M

On this device there are fifteen VLAN interfaces. One interface has a /24 netmask; three interfaces have netmasks of more than /30. Two of these interfaces are OSPF interfaces in different areas.

Spontaneously (the interval is from some minutes to some hours) this device transmits, from two interfaces (one of them an OSPF interface), icmp who-has requests to ALL devices in the networks. These interfaces have not changed their link status before this situation occurs.

Example:

15:22:39.18 arp who-has XXX.YYY.ZZZ.81 tell XXX.YYY.ZZZ.1
15:22:39.001018 arp who-has XXX.YYY.ZZZ.103 tell XXX.YYY.ZZZ.1
15:22:39.002017 arp who-has XXX.YYY.ZZZ.155 tell XXX.YYY.ZZZ.1
15:22:39.003018 arp who-has XXX.YYY.ZZZ.119 tell XXX.YYY.ZZZ.1
15:22:39.004018 arp who-has XXX.YYY.ZZZ.100 tell XXX.YYY.ZZZ.1
15:22:39.005018 arp who-has XXX.YYY.ZZZ.156 tell XXX.YYY.ZZZ.1
15:22:39.006018 arp who-has XXX.YYY.ZZZ.84 tell XXX.YYY.ZZZ.1
15:22:39.007018 arp who-has XXX.YYY.ZZZ.117 tell XXX.YYY.ZZZ.1
15:22:39.008018 arp who-has XXX.YYY.ZZZ.87 tell XXX.YYY.ZZZ.1
15:22:39.009018 arp who-has XXX.YYY.ZZZ.86 tell XXX.YYY.ZZZ.1
15:22:39.010018 arp who-has XXX.YYY.ZZZ.118 tell XXX.YYY.ZZZ.1
15:22:39.011018 arp who-has XXX.YYY.ZZZ.135 tell XXX.YYY.ZZZ.1
15:22:39.012018 arp who-has XXX.YYY.ZZZ.97 tell XXX.YYY.ZZZ.1
15:22:39.013018 arp who-has XXX.YYY.ZZZ.157 tell XXX.YYY.ZZZ.1
15:22:39.014018 arp who-has XXX.YYY.ZZZ.149 tell XXX.YYY.ZZZ.1
15:22:39.015018 arp who-has XXX.YYY.ZZZ.141 tell XXX.YYY.ZZZ.1
15:22:39.016018 arp who-has XXX.YYY.ZZZ.115 tell XXX.YYY.ZZZ.1
15:22:39.017018 arp who-has XXX.YYY.ZZZ.154 tell XXX.YYY.ZZZ.1
15:22:39.018018 arp who-has XXX.YYY.ZZZ.150 tell XXX.YYY.ZZZ.1
15:22:39.019017 arp who-has XXX.YYY.ZZZ.109 tell XXX.YYY.ZZZ.1
15:22:39.020018 arp who-has XXX.YYY.ZZZ.128 tell XXX.YYY.ZZZ.1
15:22:39.021018 arp who-has XXX.YYY.ZZZ.125 tell XXX.YYY.ZZZ.1
15:22:39.022018 arp who-has XXX.YYY.ZZZ.132 tell XXX.YYY.ZZZ.1
15:22:39.023017 arp who-has XXX.YYY.ZZZ.133 tell XXX.YYY.ZZZ.1
15:22:39.024017 arp who-has XXX.YYY.ZZZ.144 tell XXX.YYY.ZZZ.1
15:22:39.025017 arp who-has XXX.YYY.ZZZ.148 tell XXX.YYY.ZZZ.1
15:22:39.026018 arp who-has XXX.YYY.ZZZ.151 tell XXX.YYY.ZZZ.1
15:22:39.027017 arp who-has XXX.YYY.ZZZ.45 tell XXX.YYY.ZZZ.1
15:22:39.028031 arp who-has XXX.YYY.ZZZ.88 tell XXX.YYY.ZZZ.1
15:22:39.029018 arp who-has XXX.YYY.ZZZ.56 tell XXX.YYY.ZZZ.1
15:22:39.030017 arp who-has XXX.YYY.ZZZ.90 tell XXX.YYY.ZZZ.1
15:22:39.031018 arp who-has XXX.YYY.ZZZ.168 tell XXX.YYY.ZZZ.1
15:22:39.032020 arp who-has XXX.YYY.ZZZ.169 tell XXX.YYY.ZZZ.1
15:22:39.033021 arp who-has XXX.YYY.ZZZ.172 tell XXX.YYY.ZZZ.1
15:22:39.034017 arp who-has XXX.YYY.ZZZ.190 tell XXX.YYY.ZZZ.1
15:22:39.035018 arp who-has XXX.YYY.ZZZ.165 tell XXX.YYY.ZZZ.1
15:22:39.036017 arp who-has XXX.YYY.ZZZ.159 tell XXX.YYY.ZZZ.1
15:22:39.037017 arp who-has XXX.YYY.ZZZ.184 tell XXX.YYY.ZZZ.1
15:22:39.038018 arp who-has XXX.YYY.ZZZ.189 tell XXX.YYY.ZZZ.1
15:22:39.039017 arp who-has XXX.YYY.ZZZ.188 tell XXX.YYY.ZZZ.1
15:22:39.040017 arp who-has XXX.YYY.ZZZ.216 tell XXX.YYY.ZZZ.1
15:22:39.041017 arp who-has XXX.YYY.ZZZ.171 tell XXX.YYY.ZZZ.1
15:22:39.042018 arp who-has XXX.YYY.ZZZ.205 tell XXX.YYY.ZZZ.1
15:22:39.043017 arp who-has XXX.YYY.ZZZ.233 tell XXX.YYY.ZZZ.1
15:22:39.044017 arp who-has XXX.YYY.ZZZ.236 tell XXX.YYY.ZZZ.1
15:22:39.045017 arp who-has XXX.YYY.ZZZ.239 tell XXX.YYY.ZZZ.1
15:22:39.046018 arp who-has XXX.YYY.ZZZ.170 tell XXX.YYY.ZZZ.1
15:22:39.047017 arp who-has XXX.YYY.ZZZ.197 tell XXX.YYY.ZZZ.1
15:22:39.048018 arp who-has XXX.YYY.ZZZ.187 tell XXX.YYY.ZZZ.1
15:22:39.049017 arp who-has XXX.YYY.ZZZ.173 tell XXX.YYY.ZZZ.1
15:22:39.050017 arp who-has XXX.YYY.ZZZ.200 tell XXX.YYY.ZZZ.1
15:22:39.051017 arp who-has XXX.YYY.ZZZ.175 tell XXX.YYY.ZZZ.1
15:22:39.052017 arp who-has XXX.YYY.ZZZ.174 tell XXX.YYY.ZZZ.1
15:22:39.053017 arp who-has XXX.YYY.ZZZ.223 tell XXX.YYY.ZZZ.1
15:22:39.054017 arp who-has XXX.YYY.ZZZ.201 tell XXX.YYY.ZZZ.1
15:22:39.055017 arp who-has XXX.YYY.ZZZ.179 tell XXX.YYY.ZZZ.1
15:22:39.056017 arp who-has XXX.YYY.ZZZ.180 tell XXX.YYY.ZZZ.1
15:22:39.057017 arp who-has XXX.YYY.ZZZ.203 tell XXX.YYY.ZZZ.1
15:22:39.058018 arp who-has XXX.YYY.ZZZ.207 tell XXX.YYY.ZZZ.1
15:22:39.059017 arp who-has XXX.YYY.ZZZ.178 tell XXX.YYY.ZZZ.1
15:22:39.060017 arp who-has XXX.YYY.ZZZ.204 tell XXX.YYY.ZZZ.1
15:22:39.061017 arp who-has XXX.YYY.ZZZ.206 tell XXX.YYY.ZZZ.1
15:22:39.062017 arp who-has XXX.YYY.ZZZ.232 tell XXX.YYY.ZZZ.1
15:22
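An added detector (not from the thread) for the pattern Andrey's capture shows: one sender ARPing for dozens of distinct hosts roughly a millisecond apart. Whether the cause is a scanning host behind the router or the router refreshing a block of expired entries, the observable is the same, so the script parses tcpdump-style "arp who-has X tell Y" lines and flags any sender that asks for more than a threshold of distinct targets within a sliding window. The sample lines are constructed in the shape of the post's output, with 192.0.2.0/24 standing in for the masked XXX.YYY.ZZZ network; the window and threshold are assumptions to tune for your segment size.

```python
"""ARP sweep detector over tcpdump-style lines (added example, not from the thread)."""
import re
from collections import defaultdict, deque

# tcpdump -n prints "HH:MM:SS.uuuuuu arp who-has <target> tell <sender>".
ARP_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d{1,6})\s+arp who-has (\S+) tell (\S+)")


def parse_line(line):
    """Return (seconds since midnight, target, sender), or None for non-ARP-request lines."""
    m = ARP_RE.match(line)
    if not m:
        return None
    h, mi, s, frac, target, sender = m.groups()
    # Right-pad the fraction so "18" and "000018" are not confused; tcpdump prints 6 digits.
    ts = int(h) * 3600 + int(mi) * 60 + int(s) + int(frac.ljust(6, "0")) / 1e6
    return ts, target, sender


def arp_sweeps(lines, window=0.100, threshold=20):
    """Return (sender, first_ts, distinct_targets) for every burst in which `sender`
    asked for more than `threshold` distinct targets within `window` seconds."""
    recent = defaultdict(deque)  # sender -> deque of (ts, target) inside the window
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, target, sender = parsed
        q = recent[sender]
        q.append((ts, target))
        while ts - q[0][0] > window:   # drop requests that fell out of the window
            q.popleft()
        distinct = {t for _, t in q}
        if len(distinct) > threshold:
            alerts.append((sender, q[0][0], len(distinct)))
            q.clear()                  # start counting a fresh burst
    return alerts


def constructed_sample():
    """Constructed lines modelled on the post: a gateway sweeping 30 hosts 1 ms apart,
    plus ordinary background lines that must not trigger."""
    gateway = "192.0.2.1"
    targets = [81, 103, 155, 119, 100, 156, 84, 117, 87, 86, 118, 135, 97, 157, 149,
               141, 115, 154, 150, 109, 128, 125, 132, 133, 144, 148, 151, 45, 88, 56]
    lines = [f"15:22:39.{18 + i * 1000:06d} arp who-has 192.0.2.{t} tell {gateway}"
             for i, t in enumerate(targets)]
    lines.insert(0, "15:22:31.412345 arp who-has 192.0.2.1 tell 192.0.2.77")   # one host, normal
    lines.insert(5, "15:22:39.004500 IP 192.0.2.77.51234 > 192.0.2.1.53: 1+ A? example.test")
    lines.append("15:22:41.000000 arp reply 192.0.2.81 is-at 00:11:22:33:44:55")
    return lines


if __name__ == "__main__":
    for sender, first_ts, count in arp_sweeps(constructed_sample()):
        print(f"{sender} asked for {count} distinct hosts starting at t={first_ts:.6f}s")
```

On the thread's own capture the gateway crosses a 20-target threshold well inside 100 ms, so the alert fires on the first 21 lines; a regular host that ARPs for its gateway once, and the non-ARP lines, are ignored. A threshold tied to the subnet size (for example a quarter of a /24) keeps the legitimate case of a router re-resolving a handful of expired entries from paging anyone.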
Re: [c-nsp] MST operation...
Have you configured the following attributes?

  # spanning-tree mst root
  # spanning-tree mst priority
  # spanning-tree mst pre-standard

If you have already configured/played with the above commands, then I would ask for the output of...

  # show spantree mst X active (where X is your instance number)
  # show spantree summary mst
  # show spantree mst configuration
  # show spantree statistics mst mod/port instance (mod/port being the one connected to the secondary switch)

Regards,
Masood Ahmad Shah
BLOG: http://www.weblogs.com.pk/jahil/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Fischer
Sent: Tuesday, April 01, 2008 7:58 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] MST operation...

I am running (2) Cat6509-E's with Sup720-3B's running IOS. They are connected via layer 2 by a (2) 10GigE port-channel. Spanning tree is configured via MST with 3 instances - instance 0 (default), instance 1 (roots all odd-numbered VLANs to switch 1 - priority 4096), and instance 2 (roots all even-numbered VLANs to switch 2) - a pretty simple configuration. Switch 2 is the secondary for odd-numbered VLANs (priority 8192), and the same is true for switch 1 on the even-numbered VLANs.

All was well, but we recently upgraded the code from 12.2(18)SXF12a to 12.2(18)SXF13 to address vulnerabilities Cisco published - not a quantum leap in terms of code revision. Now, the root of MST0 is properly situated, but both switches think they are the root for MST1 and MST2. I cannot, as yet, link this change in the operation of spanning-tree to the code upgrade - this is in a lab scenario for the time being. Debugging of spanning-tree events, root, and BPDUs revealed nothing occurring across the port-channel. The operation of the port-channel seems to be fine from all reports on the switch. Even had a couple of CCIEs at the VAR look at it, and nothing jumped out at them as being obvious.

The switches were rebooted a couple of times, and the MST configuration was cleared and re-entered into the switch. Show spanning-tree mst detail reveals that packets are being exchanged between the two switches on MST0 over the port-channel, but on MSTs 1 and 2 the switches show transmits but 0 receives across the port-channel. This has me a bit baffled, and I thought I'd throw it out to this forum to see if anyone has seen similar behavior. Any and all insight and assistance in getting to the root cause of this (pun intended) is most sincerely appreciated.

Regards,
Steve Fischer
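The setup Steve describes, written out as an added example (not his configuration; the region name, revision and VLAN lists are assumed). One check worth making before blaming the code upgrade: instances other than MST0 are only negotiated between switches in the same MST region, and region membership is defined by the name, the revision and the complete instance-to-VLAN mapping. If any of the three differs, the two switches process each other's CIST (MST0) information only, which looks exactly like a working MST0 with MST1 and MST2 each claiming root and counting zero received BPDUs. Compare show spanning-tree mst configuration on both switches line by line (Steve is on IOS; the show spantree forms in the reply are CatOS syntax).

```text
! Added example. Region parameters must be identical on both 6509s; any
! difference in name, revision or the instance/VLAN map splits them into
! two regions that only exchange CIST (MST0) information.
spanning-tree mode mst
spanning-tree mst configuration
 name REGION1
 revision 1
 instance 1 vlan 1,3,5,7,9
 instance 2 vlan 2,4,6,8,10
!
! Switch 1: root for the odd VLANs (MST1), secondary for the even (MST2)
spanning-tree mst 1 priority 4096
spanning-tree mst 2 priority 8192
!
! Switch 2: the mirror image
spanning-tree mst 1 priority 8192
spanning-tree mst 2 priority 4096
```

After the upgrade, check that the mapping survived unchanged on both sides (a VLAN added to one switch's instance list but not the other's is enough to change the digest), and that both ends of the port-channel see the neighbour on the same region in show spanning-tree mst detail.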
Re: [c-nsp] concentrator issues since PUBLIC interface move
Whenever you change a subnet (network), you need to check/update the following:

  Update your routing table accordingly.
  Update the concentrator or in-between router access lists.

Regards,
Masood Ahmad Shah

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Ingram
Sent: Monday, March 31, 2008 3:50 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] concentrator issues since PUBLIC interface move

Since I moved the public interface to another subnet I'm having issues with all my site-to-site VPNs that were active prior to the move. I went to all the remote sites and changed my address and reset each site. Now I have all sites connected; however, TX data only. I'm running code 4.x on the concentrator and all other remote client access is OK, just the site-to-site VPNs.
Re: [c-nsp] External Firewall
Normally people would put it like shown below:

  WAN - Router - Firewall - LAN Switch

Regards,
Masood Ahmad Shah

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sridhar Ayengar
Sent: Monday, March 24, 2008 9:55 PM
To: Cisco NSPs
Subject: [c-nsp] External Firewall

I'm interested in adding a firewall to a network I admin at work. The gateway router on the network is a 7200 NPE-G1. What I want to know is whether I have to route all of my packets through my external firewall, or is there a way to have the firewall set state in the router to enable it to route packets in a session without the further involvement of the firewall?

Peace...
Sridhar
Re: [c-nsp] Multipoint L2TPV3 tunnel / MPLS VPN over IP Tunnel
Well, the router is a 7507 running 12.4(16), rsp-jk9o3sv-mz.124-16.bin... I believe that the 12.4 enterprise image supports such features... Is there any special release to get the advantages of multipoint L2TPv3 tunnel on the 7500 or 7200?

Regards,
Masood Ahmad Shah

-Original Message-
From: Oliver Boehmer (oboehmer) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 05, 2008 12:23 PM
To: Masood Ahmad Shah; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] Multipoint L2TPV3 tunnel / MPLS VPN over IP Tunnel

Masood Ahmad Shah wrote on Monday, February 04, 2008 11:47 PM:

Is there any low end Cisco router for the multipoint L2TPv3 tunnel to configure MPLS VPN over IP Tunnel? I just can't buy a Cisco 12000 only for the multipoint L2TPv3 tunnel. I was expecting support of tunnel mode l2tpv3 in the Cisco 7500 but I just can't see it. :(

According to www.cisco.com/go/fn, the MPLS VPNs over IP Tunnels feature is available in recent 12.0S on 7200, 7500, 10700 and GSR. Which release are you using? The command syntax is tunnel mode l3vpn l2tpv3 multipoint on the tunnel..

oli
Re: [c-nsp] PPPoE L2 timeout recovery
It is very clear that your Cisco DSL router sends PPPoE Active Discovery Initiation (PADI) frames to the ISP with no response. The PADI frame is the first in a series of PPPoE call-setup frames. If your ISP does not respond with a PPPoE Active Discovery Offer (PADO), PPPoE negotiation does not succeed. The only solution for this problem is to contact your ISP or check your line stability.

Regards,
Masood Ahmad Shah

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason Gurtz
Sent: Tuesday, February 05, 2008 12:25 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] PPPoE L2 timeout recovery

I have a 3640A with a WIC1-ADSL residing in an NM-1FE1R2W. IOS is 12.4(13b). Periodically, about every month or two, the DSL link will drop and debugging output shows:

... Sending PADI: vc=0/35
... padi timer expired

Doing a shut / no shut on atm2/0 seems to bring the line back up and it then works fine for another month or two until I have to do it again. The amount of traffic doesn't seem to trigger this behavior. The shut / no shut seems to cause a line retrain on this platform since the CD light goes out after the shut. Is this necessarily an ISP problem, or is there something I might be missing on my end, like overflowing some NAT table or something? Any other config I should provide?

~JasonG
Re: [c-nsp] OSPF router gets separated from a broadcast domain
Is there any low end Cisco router for the multipoint L2TPv3 tunnel to configure MPLS VPN over IP Tunnel? I just can't buy a Cisco 12000 only for the multipoint L2TPv3 tunnel. I was expecting support of tunnel mode l2tpv3 in the Cisco 7500 but I just can't see it. :(

Regards,
Masood Ahmad Shah
[c-nsp] Multipoint L2TPV3 tunnel / MPLS VPN over IP Tunnel
Is there any low end Cisco router for the multipoint L2TPv3 tunnel to configure MPLS VPN over IP Tunnel? I just can't buy a Cisco 12000 only for the multipoint L2TPv3 tunnel. I was expecting support of tunnel mode l2tpv3 in the Cisco 7500 but I just can't see it. :(

Regards,
Masood Ahmad Shah
Re: [c-nsp] ISDN backup for MPLS CE Router
I believe that your side is CE --- PE. One thing is very important to know: you must reach your PE in an appropriate manner while connecting using the ISDN circuit.

If you want to use automatic failover and just can't run routing protocols, you can use IP SLA monitor. If you can't use a routing protocol, your choice is IP SLA monitor.

How to IPSLA:

ip sla monitor 1
 type echo protocol ipIcmpEcho primary-link-reachable-ip source-ipaddr switch-source-ip
 timeout 1500
 threshold 2000
 frequency 3

Start Monitoring:

ip sla monitor schedule 1 life forever start-time now

Tracking:

track 1 rtr 1 reachability

Secondary Route:

ip route 0.0.0.0 0.0.0.0 secondary-gateway track 1

Regards,
Masood Ahmad Shah

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Zitouni Rachid
Sent: Tuesday, January 22, 2008 8:45 PM
To: Ali, Rijas: BB UAE (IT); cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ISDN backup for MPLS CE Router

Hi,

Use dialer watch: http://www.cisco.com/en/US/tech/tk801/tk379/technologies_configuration_example09186a0080094143.shtml

On CE: you will need your default route to PE to be suppressed when the CE-PE link fails somewhere = dynamic routing is the easier way to do it. Obviously, your Head Office CE will need to know that the link between branch office CE and PE went down.

HiH
Rachid

From: Ali, Rijas: BB UAE (IT) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 22, 2008 2:34 PM
To: Zitouni Rachid; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] ISDN backup for MPLS CE Router

The CE will have an ISDN WIC and it should dial out to my Head Office ISDN aggregator (Cisco 3845) when the default route from the ISP is missing. After this, if at all there is a problem in the MPLS cloud (either ETH going down / route missing) from the service provider, data will flow via ISDN.
ALI RIJAS

-Original Message-
From: Zitouni Rachid [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 22, 2008 5:19 PM
To: Ali, Rijas: BB UAE (IT); cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] ISDN backup for MPLS CE Router

Just to make sure I understand your topology: ISDN will be CE-PE or CE-CE?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ali, Rijas: BB UAE (IT)
Sent: Tuesday, January 22, 2008 2:05 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ISDN backup for MPLS CE Router

Hi Friends,

Most of my branches connect to the MPLS service provider using an ETH port on my CE. I am thinking of having an ISDN backup for the MPLS VPN link. Since it is ETH, it is very rare that the interface goes down, so I have to look for the default route that the ISP gives to my CE and, if it is not available, I will have to start ISDN. Please help me with some of your experience or documentation.

ALI RIJAS
Re: [c-nsp] ISDN backup for MPLS CE Router
The question is, what does your service provider suggest? Do they provide multiple eBGP sessions for the CE? If yes, they might want you to use that instead of a static route, and you might end up with load balancing, route filtering and so on... Well, if you are going to use redundant eBGP you need to make sure that you are getting the correct next-hop interface while running with the ISDN backup, and vice versa... The easiest way: use a static route for the backup interface if it is supported :)

Yeah, you can use dialer watch as well as IP SLA, or dialer watch along with IP SLA...

Regards,
Masood Ahmad Shah

-Original Message-
From: Ali, Rijas: BB UAE (IT) [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 31, 2008 7:17 PM
To: Masood Ahmad Shah; Zitouni Rachid; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] ISDN backup for MPLS CE Router

Friend,

My CE has eBGP with the service provider PE. If the MPLS link is down or there is some routing issue within the MPLS cloud, my CE will dial in to my ISDN 3845 aggregator in my HO. If the link comes back / BGP is up with the PE, my CE should disconnect ISDN and work normally. I am not planning for ISDN redundancy with the MPLS service provider. Should I go with dialer watch / IP SLA?

ALI RIJAS
Network Consultant
Barclays Bank PLC

-Original Message-
From: Masood Ahmad Shah [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 31, 2008 5:41 PM
To: 'Zitouni Rachid'; Ali, Rijas: BB UAE (IT); cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] ISDN backup for MPLS CE Router

I believe that your side is CE --- PE. One thing is very important to know: you must reach your PE in an appropriate manner while connecting using the ISDN circuit.
If you want to use automatic failover and just can't run routing protocols, you can use IP SLA monitor. If you can't use a routing protocol, your choice is IP SLA monitor.

How to IPSLA:

ip sla monitor 1
 type echo protocol ipIcmpEcho primary-link-reachable-ip source-ipaddr switch-source-ip
 timeout 1500
 threshold 2000
 frequency 3

Start Monitoring:

ip sla monitor schedule 1 life forever start-time now

Tracking:

track 1 rtr 1 reachability

Secondary Route:

ip route 0.0.0.0 0.0.0.0 secondary-gateway track 1

Regards,
Masood Ahmad Shah

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Zitouni Rachid
Sent: Tuesday, January 22, 2008 8:45 PM
To: Ali, Rijas: BB UAE (IT); cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ISDN backup for MPLS CE Router

Hi,

Use dialer watch: http://www.cisco.com/en/US/tech/tk801/tk379/technologies_configuration_example09186a0080094143.shtml

On CE: you will need your default route to PE to be suppressed when the CE-PE link fails somewhere = dynamic routing is the easier way to do it. Obviously, your Head Office CE will need to know that the link between branch office CE and PE went down.

HiH
Rachid

From: Ali, Rijas: BB UAE (IT) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 22, 2008 2:34 PM
To: Zitouni Rachid; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] ISDN backup for MPLS CE Router

The CE will have an ISDN WIC and it should dial out to my Head Office ISDN aggregator (Cisco 3845) when the default route from the ISP is missing. After this, if at all there is a problem in the MPLS cloud (either ETH going down / route missing) from the service provider, data will flow via ISDN.

ALI RIJAS

-Original Message-
From: Zitouni Rachid [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 22, 2008 5:19 PM
To: Ali, Rijas: BB UAE (IT); cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] ISDN backup for MPLS CE Router

Just to make sure I understand your topology: ISDN will be CE-PE or CE-CE?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ali, Rijas: BB UAE (IT)
Sent: Tuesday, January 22, 2008 2:05 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ISDN backup for MPLS CE Router

Hi Friends,

Most of my branches connect to the MPLS service provider using an ETH port on my CE. I am thinking of having an ISDN backup for the MPLS VPN link. Since it is ETH, it is very rare that the interface goes down, so I have to look for the default route that the ISP gives to my CE and, if it is not available, I will have to start ISDN. Please help me with some of your experience or documentation.

ALI RIJAS
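The IP SLA recipe quoted in both replies above, written out as an added example (not the poster's configuration) in the current ip sla syntax; on older releases it is spelled ip sla monitor / ip sla monitor schedule / track 1 rtr 1 reachability, as in the thread, with the same structure. All addresses and interface names are assumed. Two points a practitioner will want that the quoted recipe does not spell out: the track belongs on the primary default route, with the ISDN route as a floating static that only appears while the tracked route is gone; and the probe target must be pinned to the primary path with a host route, otherwise the echo can be answered across the ISDN link after failover and the routes flap. When the primary default is learned by eBGP, as in Ali's case, BGP withdrawing it is enough for the floating static to take over and no probe is needed.

```text
! Added example, not the poster's config. Assumed: 203.0.113.1 is the PE next
! hop on FastEthernet0/0, 198.51.100.1 is an address on the PE side that is
! only reachable through the primary path, Dialer1 is the ISDN link to HO.
!
! Probe the PE side; keep threshold <= timeout and timeout (ms) < frequency (s).
ip sla 1
 icmp-echo 198.51.100.1 source-interface FastEthernet0/0
 timeout 1500
 threshold 1000
 frequency 3
ip sla schedule 1 life forever start-time now
!
! Older syntax for the same three objects:
!   ip sla monitor 1
!    type echo protocol ipIcmpEcho 198.51.100.1 source-interface FastEthernet0/0
!   ip sla monitor schedule 1 life forever start-time now
!   track 1 rtr 1 reachability
track 1 ip sla 1 reachability
!
! The PRIMARY default route carries the track: withdrawn while the probe fails.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
!
! Floating static (AD 250) over ISDN: installed only while the tracked route
! is absent, so interesting traffic triggers the dialer, and it disappears
! again as soon as the primary route returns.
ip route 0.0.0.0 0.0.0.0 Dialer1 250
!
! Pin the probe target to the primary path. Without this host route the echo
! follows the default route, i.e. goes out over ISDN after failover, succeeds,
! and re-installs the primary route while the primary path is still dead.
ip route 198.51.100.1 255.255.255.255 203.0.113.1
```

Verify with show track 1 and show ip sla statistics 1 while pulling the Ethernet cable, then watch show ip route 0.0.0.0 switch to Dialer1 and back.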
[c-nsp] MPLS PE to PE over GRE/IPIP
I'm in the process of connecting two or more Provider Edge routers using GRE/IPIP tunnels. What were your experiences? If the answer is yes, then I would love to ask how you connect a PE to another PE using the GRE/IPIP tunnel interfaces, keeping in mind that I'm going to carry multiple customers' traffic (VRF BGP-VPN) between these PEs.
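The question above gets no answer in this excerpt. As an added example (not from the thread and not Cisco's documentation), here is the shape of a PE-to-PE GRE tunnel carrying MPLS VPN traffic on IOS, with every address, AS number and name assumed. Two things make it work: LDP runs on the tunnel interface, so the VPNv4 next hop (the remote PE loopback) resolves to a labelled path that is encapsulated in GRE, and the IGP advertises the loopbacks across the tunnel. GRE itself has no authentication or confidentiality; if the transport network between the PEs is not yours, anyone on the path can read or inject labelled customer traffic, so protect the tunnel with IPsec as shown.

```text
! Added example, not from the thread. PE1 side; PE2 mirrors it with the
! addresses swapped. Assumed: 192.0.2.1/.2 = PE loopbacks, 203.0.113.1/.2 =
! routable transport addresses, 10.255.0.0/30 = tunnel link, AS 65000,
! VRF CUST-A with RD/RT 65000:1.
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
! Crypto is needed only when the transport is untrusted; GRE has none of its own.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-A-STRONG-PSK address 203.0.113.2
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile PE-GRE
 set transform-set GRE-TS
!
! Leave room for GRE (24 bytes) + label stack (4 per label) + ESP overhead
! inside a 1500-byte transport path.
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 tunnel source 203.0.113.1
 tunnel destination 203.0.113.2
 mpls ip
 tunnel protection ipsec profile PE-GRE
!
mpls ldp router-id Loopback0 force
!
! IGP across the tunnel: each PE loopback (the VPNv4 next hop) is reachable,
! and gets an LDP label, through Tunnel0.
router ospf 1
 network 192.0.2.1 0.0.0.0 area 0
 network 10.255.0.0 0.0.0.3 area 0
!
ip vrf CUST-A
 rd 65000:1
 route-target both 65000:1
!
router bgp 65000
 neighbor 192.0.2.2 remote-as 65000
 neighbor 192.0.2.2 update-source Loopback0
 address-family vpnv4
  neighbor 192.0.2.2 activate
  neighbor 192.0.2.2 send-community extended
 address-family ipv4 vrf CUST-A
  redistribute connected
```

Check show mpls ldp neighbor for a session over Tunnel0 and show ip cef vrf CUST-A <prefix> detail for a two-label stack whose outgoing interface is the tunnel; if the VPN label is there but the outer LDP label is missing, the loopback is being reached without a label and VPN traffic is dropped at the far end.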
Re: [c-nsp] Top 10 Network Engineering Tools
Here are the key network tools any network engineer shouldn't be without :)

  Packet sniffing (ethereal, tcpdump)
  terminal/console (vt100)
  ping
  traceroute
  arp
  hping (IP spoofing, flooding to test your link or firewall, and packet manipulation: send custom ICMP, UDP and TCP packets)
  nslookup
  ssh (I don't like telnet anymore)
  nmap (TCP/UDP port scanner)
  google (www.google.com)

Regards,
Masood Ahmad Shah

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joseph Jackson
Sent: Tuesday, January 29, 2008 1:23 AM
To: Cisco
Subject: [c-nsp] Top 10 Network Engineering Tools

Hey all,

My coworker and I are trying to get together a list of the top ten tools any network engineer shouldn't be without. We're looking for vendor-neutral tools. So what do you all think are the must-haves?

Thanks
Joseph
Re: [c-nsp] MAC address from cisco IOS switches
I don't have any problem with the Cisco snmp query below while retrieving the learned MAC table from a Cisco switch.

snmpwalk -v2c -c nexsecure 192.168.0.1 RFC1213-MIB::atPhysAddress

I suggest you run with -v2c instead of -v 1.

Regards,
Masood Ahmad Shah

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Prabhu Gurumurthy
Sent: Tuesday, January 29, 2008 1:51 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] MAC address from cisco IOS switches

All,

We have close to 15 2960 switches connected to twin 3750's with 15+ VLANs in the domain. The 3750's are stacked and are the VTP server, with the 2960's being clients. There are no switches acting in transparent mode. I want to get the MAC addresses from the 3750's and 2960's using SNMP, instead of logging into each switch and looking up MAC addresses using sh mac address-table. I looked through the Cisco website and stumbled upon this page: http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a00801c9199.shtml

This document deals only with Catalyst, not IOS. Is there an easy way to get MAC entries using SNMP on an IOS switch? BTW I am using:

pgurumur-vm-openbsd (OpenBSD): [~] 10.200.3.0: [1500]$ snmpget -v 1 -c silver4ro c2960-04 sysDescr.0
SNMPv2-MIB::sysDescr.0 = STRING: Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(37)SE, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Thu 10-May-07 16:43 by antonino

When I query RFC1213-MIB::atPhysAddress I am getting the following entries but not the entire list:

pgurumur-vm-openbsd (OpenBSD): [~] 10.200.3.0: [1498]$ snmpwalk -v 1 -c silver4ro c2960-04 1.3.6.1.2.1.3.1.1.2
RFC1213-MIB::atPhysAddress.93.1.10.42.166.19 = Hex-STRING: 00 1C 0F A6 63 44
RFC1213-MIB::atPhysAddress.93.1.10.57.93.1 = Hex-STRING: 00 1C 0F A6 63 44
RFC1213-MIB::atPhysAddress.93.1.10.57.93.20 = Hex-STRING: 00 1C 0F 9D 26 41
RFC1213-MIB::atPhysAddress.93.1.10.57.166.241 = Hex-STRING: 00 1C 0F A6 63 44
RFC1213-MIB::atPhysAddress.93.1.10.200.1.253 = Hex-STRING: 00 1C 0F A6 63 44

sh mac address-table:

          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
 All    0100.0ccc.cccd    STATIC      CPU
 All    0180.c200.0000    STATIC      CPU
 All    0180.c200.0001    STATIC      CPU
 All    0180.c200.0002    STATIC      CPU
 All    0180.c200.0003    STATIC      CPU
 All    0180.c200.0004    STATIC      CPU
 All    0180.c200.0005    STATIC      CPU
 All    0180.c200.0006    STATIC      CPU
 All    0180.c200.0007    STATIC      CPU
 All    0180.c200.0008    STATIC      CPU
 All    0180.c200.0009    STATIC      CPU
 All    0180.c200.000a    STATIC      CPU
 All    0180.c200.000b    STATIC      CPU
 All    0180.c200.000c    STATIC      CPU
 All    0180.c200.000d    STATIC      CPU
 All    0180.c200.000e    STATIC      CPU
 All    0180.c200.000f    STATIC      CPU
 All    0180.c200.0010    STATIC      CPU
 All    ffff.ffff.ffff    STATIC      CPU
   1    000c.30fa.d6c0    DYNAMIC     Gi0/48
   1    001c.0fa6.6306    DYNAMIC     Gi0/48
   7    001c.0fa6.6306    DYNAMIC     Gi0/48
  64    001c.0fa6.6306    DYNAMIC     Gi0/48
  64    001c.0fa6.6342    DYNAMIC     Gi0/48
  93    001c.0fa6.6300    DYNAMIC     Gi0/48
  93    001c.0fa6.6306    DYNAMIC     Gi0/48
  93    001c.0fa6.6344    DYNAMIC     Gi0/48
 136    000b.46f4.b740    DYNAMIC     Gi0/48
 136    000b.5fb6.4760    DYNAMIC     Gi0/48
 136    000c.30fa.d6c0    DYNAMIC     Gi0/48
 136    0010.7b9b.d840    DYNAMIC     Gi0/48
 136    0014.a850.dfbd    DYNAMIC     Gi0/48
 136    001c.0fa6.6306    DYNAMIC     Gi0/48
 136    001c.0fa6.6347    DYNAMIC     Gi0/48
 136    0030.4882.79af    DYNAMIC     Gi0/3
  41    000b.46f4.b741    DYNAMIC     Gi0/48
  41    0010.7b9b.d861    DYNAMIC     Gi0/48
  41    001c.0fa6.6306    DYNAMIC     Gi0/48
  41    001c.0fa6.6341    DYNAMIC     Gi0/48
  44    000c.30fa.d6c0    DYNAMIC     Gi0/48
  44    001c.0fa6.6306    DYNAMIC     Gi0/48
  44    001c.0fa6.634a    DYNAMIC     Gi0/48
  45    0004.23a6.467c    DYNAMIC     Gi0/48
  45    0019.b9ea.ed0c    DYNAMIC     Gi0/48
  45    001c.0fa6.6306    DYNAMIC     Gi0/48
  45    001c.0fa6.634b    DYNAMIC     Gi0/48
  45    0030.bd71.5c67    DYNAMIC     Gi0/48
  90    0000.747c.a0a7    DYNAMIC     Gi0/48
  90    0004.23a6.37c3    DYNAMIC     Gi0/48
  90    0005.1bbd.8500    DYNAMIC     Gi0/48
  90    0007.4d22.7c70    DYNAMIC     Gi0/48
  90    0008.744f.d97d    DYNAMIC     Gi0/48
  90    000b.db78.d8bc    DYNAMIC     Gi0/48
  90    000b.db7d.2f55    DYNAMIC     Gi0/48
  90    000d.565e.ef7d    DYNAMIC     Gi0/48
  90    000d.566e.3780    DYNAMIC     Gi0/48
  90    000d.5692.b1fb    DYNAMIC     Gi0/48
  90    000d.5699.1e48    DYNAMIC     Gi0/48
  90    000d.5699.41d3    DYNAMIC     Gi0/48
  90    000d.56be.89ce    DYNAMIC     Gi0/48
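A note on what the walk above actually returns, followed by an added example that is not part of the thread. RFC1213-MIB::atPhysAddress (like ipNetToMediaTable) is the device's own ARP cache: its index is ifIndex.1.ip-address, so the five rows in the post are the handful of IPs the switch's management SVI has itself resolved, and switching from -v 1 to -v2c does not change that. The learned MAC table is BRIDGE-MIB dot1dTpFdbTable, and on Cisco IOS there is one bridge instance per VLAN, selected with community string indexing (community@vlan); with SNMPv3 the same selection is made with a context named vlan-<n> instead. The script below builds the MAC-to-interface table for one VLAN from dot1dTpFdbPort plus dot1dBasePortIfIndex. The sample walk output is constructed in snmpwalk -On format using three MACs from the posted mac address-table; the ifIndex-to-name map stands in for an IF-MIB::ifDescr walk and is assumed.

```python
"""Build a learned-MAC table per VLAN from BRIDGE-MIB snmpwalk output.

Added example, not from the thread. Sample walk output is constructed in
snmpwalk -On format using MACs from the posted mac address-table; the
ifIndex-to-name map stands in for an IF-MIB::ifDescr walk (assumed)."""
import re
import subprocess

DOT1D_TP_FDB_PORT = ".1.3.6.1.2.1.17.4.3.1.2"        # dot1dTpFdbPort, indexed by MAC (6 octets)
DOT1D_BASE_PORT_IFINDEX = ".1.3.6.1.2.1.17.1.4.1.2"  # dot1dBasePortIfIndex, indexed by bridge port

LINE_RE = re.compile(r"^(?P<oid>\.[\d.]+)\s*=\s*(?P<type>[\w-]+):\s*(?P<value>.*)$")


def walk_cmd(host, community, vlan, oid, version="2c"):
    """snmpwalk argv for one VLAN. Cisco IOS keeps one BRIDGE-MIB instance per
    VLAN and selects it with community string indexing: <community>@<vlan>."""
    return ["snmpwalk", "-v", version, "-On", "-c", f"{community}@{vlan}", host, oid]


def _rows(text, base_oid):
    """Yield (index_components, value) for each walk line under base_oid."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("oid").startswith(base_oid + "."):
            yield m.group("oid")[len(base_oid) + 1:].split("."), m.group("value").strip()


def mac_from_index(index):
    """dot1dTpFdbTable index = MAC as six decimal octets -> Cisco xxxx.xxxx.xxxx."""
    if len(index) != 6:
        raise ValueError(f"unexpected FDB index {index}")
    h = "".join(f"{int(o):02x}" for o in index)
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def parse_fdb(fdb_port_walk, base_port_walk, ifindex_names):
    """Return {mac: interface name} for one VLAN's bridge instance."""
    port_to_ifindex = {int(idx[0]): int(val)
                       for idx, val in _rows(base_port_walk, DOT1D_BASE_PORT_IFINDEX)}
    table = {}
    for idx, val in _rows(fdb_port_walk, DOT1D_TP_FDB_PORT):
        port = int(val)
        if port == 0:
            continue  # 0 = no port learned for this address (e.g. the switch's own MAC)
        ifindex = port_to_ifindex.get(port)
        table[mac_from_index(idx)] = ifindex_names.get(ifindex, f"bridge port {port}")
    return table


def collect_vlan(host, community, vlan, ifindex_names):
    """Run both walks against a live switch (not exercised offline)."""
    out = [subprocess.run(walk_cmd(host, community, vlan, oid),
                          capture_output=True, text=True, check=True).stdout
           for oid in (DOT1D_TP_FDB_PORT, DOT1D_BASE_PORT_IFINDEX)]
    return parse_fdb(out[0], out[1], ifindex_names)


# Constructed sample for VLAN 136 (MACs taken from the posted table).
SAMPLE_FDB_PORT = """\
.1.3.6.1.2.1.17.4.3.1.2.0.12.48.250.214.192 = INTEGER: 48
.1.3.6.1.2.1.17.4.3.1.2.0.28.15.166.99.6 = INTEGER: 48
.1.3.6.1.2.1.17.4.3.1.2.0.48.72.130.121.175 = INTEGER: 3
"""
SAMPLE_BASE_PORT = """\
.1.3.6.1.2.1.17.1.4.1.2.3 = INTEGER: 10103
.1.3.6.1.2.1.17.1.4.1.2.48 = INTEGER: 10148
"""
SAMPLE_IFNAMES = {10103: "GigabitEthernet0/3", 10148: "GigabitEthernet0/48"}  # assumed ifDescr values

if __name__ == "__main__":
    for mac, port in sorted(parse_fdb(SAMPLE_FDB_PORT, SAMPLE_BASE_PORT, SAMPLE_IFNAMES).items()):
        print(f"136  {mac}  {port}")
```

Loop collect_vlan over the VLAN list from show vlan brief (or a walk of CISCO-VTP-MIB) to get the whole switch. The community string travels in clear text with v1/v2c, so restrict it with an SNMP ACL and a read-only view, or use v3 with authPriv and the vlan-<n> context.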
Re: [c-nsp] OT: CCVP Bootcamp in Dubai, India or South Africa
I suggest you consult ipexpert.com. They have been doing well with such trainings for years...

Regards,
Masood Ahmad Shah

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Felix Nkansah
Sent: Friday, January 25, 2008 7:11 PM
To: Cisco certification; cisco-nsp@puck.nether.net
Subject: [c-nsp] OT: CCVP Bootcamp in Dubai, India or South Africa

Hi,

I am interested in a CCVP-level hands-on bootcamp in Dubai, India or South Africa. My sponsor is interested in a training with a lot of hands-on exposure. Have any of you got experience taking up training in this area in any of the locations specified? Please let me know which training institute.

Regards,
Felix
Re: [c-nsp] need clarification..
A simple Google search will get you back millions :) The link below is one of them:

http://www.petri.co.il/csc_how_router_interfaces_get_their_names_on_cisco_routers.htm

Regards,
Masood Ahmad Shah

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of bbe bie
Sent: Thursday, January 24, 2008 5:50 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] need clarification..

Hi... what is the difference between fastEthernet3/0/0 and fastEthernet0/3? Is it the same? I'm still confused. Looking forward to hearing from you... thanks
Re: [c-nsp] Snmp restart on router
Yeah, absolutely correct. If you do no snmp community string, the UDP listener exists, and it has been verified using show ip sockets and show proc cpu | inc SNMP... I tried to find some other ways but no luck. The only answer is to restart the router.

Regards,
Masood Ahmad Shah

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tolstykh, Andrew
Sent: Saturday, January 19, 2008 3:17 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Snmp restart on router

This is not the case; removing and reapplying the SNMP community string won't reset the SNMP process. Even on the modular IOS, attempting to restart the SNMP process will take down additional core processes. The answer that I got from my SE was no, a clean SNMP process restart is not possible.

HTH,
Andrew

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Masood Ahmad Shah
Sent: Friday, January 18, 2008 10:51 AM
To: 'Gabriel Mateiciuc'; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Snmp restart on router

If you want to restart the SNMP process on a Cisco router, you can use the commands listed below...

no snmp-server community whatever-it-is
snmp-server community whatever-it-is

By doing this you will have restarted the snmp process :)

Why do you want to restart the SNMP process?

Regards,
Masood Ahmad Shah

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gabriel Mateiciuc
Sent: Friday, January 18, 2008 9:14 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Snmp restart on router

Does anyone know if/how the snmp process can be restarted?

Gabriel Mateiciuc
Academia de Studii Economice
Departamentul Reţele
Echipa Infrastructura
Re: [c-nsp] Snmp restart on router
If you want to restart the SNMP process on a Cisco router, you can use the commands listed below...

no snmp-server community whatever-it-is
snmp-server community whatever-it-is

By doing this you will have restarted the snmp process :)

Why do you want to restart the SNMP process?

Regards,
Masood Ahmad Shah

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gabriel Mateiciuc
Sent: Friday, January 18, 2008 9:14 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Snmp restart on router

Does anyone know if/how the snmp process can be restarted?

Gabriel Mateiciuc
Academia de Studii Economice
Departamentul Reţele
Echipa Infrastructura
Re: [c-nsp] Concentrator and DHCP server problem
It should work fine as long as the relay and filters are configured properly. I'm writing the steps which work fine for me.

1. From the VPN Concentrator console, select Configuration > System > IP Routing > DHCP Relay. Select the Enabled check box to activate DHCP relay, and enter the forwarding IP address and subnet mask.

2. From the VPN Concentrator console, select Configuration > Policy Management > Traffic Management > Assign Rules to Filter. In the resulting screen, move the DHCP In and DHCP Out rules from Available Rules to Current Rules in Filter.

While reviewing your debug logs I can see that your DHCP server address has been configured as 172.28.32.13 instead of your listed DHCP server address 172.28.33.13; might be a typo :)

Regards,
Masood Ahmad Shah

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of wasim hasan
Sent: Sunday, January 13, 2008 9:00 PM
To: cisco-nsp@puck.nether.net
Cc: [EMAIL PROTECTED]
Subject: [c-nsp] Concentrator and DHCP server problem

Dear all,

My VPN concentrator is not able to give IPs to remote access VPN clients. The concentrator is acting as DHCP relay agent. The concentrator private interface is connected to a PIX firewall DMZ, which is also acting as DHCP relay for some other networks in its DMZ. The concentrator is able to ping the DHCP server and all the connectivity is okay.

I'm getting the following errors while the client tries to connect to the concentrator:

1033 01/13/2008 16:48:33.780 SEV=9 DHCPDBG/29 RPT=5452 DHCP poll timeouts routine entered
1034 01/13/2008 16:48:33.780 SEV=9 DHCPDBG/30 RPT=5452 DHCP poll stats: callbacks 0, active CBs 0, total CBs 1
1035 01/13/2008 16:48:34.670 SEV=9 DHCPDBG/15 RPT=44 DHCP task: Timeout type 0, msg 0x7049db8
1036 01/13/2008 16:48:34.670 SEV=8 DHCPDBG/36 RPT=30 DHCP no response to DISCOVER sent to 172.28.32.13 (xid 3684789027)
1037 01/13/2008 16:48:34.670 SEV=7 DHCPDBG/40 RPT=30 DHCP attempt to get next server failed (xid 3684789027)
1038 01/13/2008 16:48:34.670 SEV=9 DHCPDBG/28 RPT=194 DHCP restart servers routine entered
1039 01/13/2008 16:48:34.670 SEV=9 DHCPDBG/38 RPT=45 DHCP obtained first server 172.28.32.13 port 67 (xid 3684789027)
1040 01/13/2008 16:48:34.670 SEV=8 DHCPDBG/46 RPT=45 DHCP sending DISCOVER to server 172.28.32.13 port 67 (xid 3684789027)

Kindly help me out. I can't disable DHCP relay on the PIX because other subnets will suffer. My DHCP server is working fine and assigning IPs to the rest of my network. Please help me out.

DHCP server address is 172.28.33.13
PIX DMZ IP 172.28.95.2
Concentrator 172.28.95.95

static (inside,edn) 172.28.32.13 172.28.32.13 netmask 255.255.255.255
access-list nonat extended permit ip 172.28.32.0 255.255.255.0 172.28.32.0 255.255.255.0
access-list nonat extended permit ip 172.28.92.0 255.255.255.0 172.28.37.0 255.255.255.0
access-list nonat extended permit ip 172.28.32.0 255.255.255.0 172.28.37.0 255.255.255.0
access-list nonat extended permit ip 172.28.64.0 255.255.255.0 172.28.37.0 255.255.255.0
nat (inside) 0 access-list nonat

The DHCP filter is applied on the concentrator public interface. DHCP relay is enabled.

Regards,
Wasim Hassan
Wateen Telecom
Sr. Executive OM
http://www.microsoft.com/windows/shop/specialoffers.mspx?ocid=TXT_TAGLM_CPC_ MediaCtr_bigscreen_012008 ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
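The check Masood did by eye (the relay is sending DISCOVERs to 172.28.32.13 while the admin believes the server is 172.28.33.13) can be done mechanically over the concentrator's DHCPDBG event log. The following is an added example written for this page, not code from either poster; it relies only on the DHCPDBG message texts that appear in the post, the expected-server list is supplied by the caller, and the sample log is the post's own event lines:

```python
"""Audit a VPN 3000 concentrator DHCP relay debug log for the problem spotted
in the thread above: the relay is sending DISCOVERs to a server address that
is not the DHCP server the admin believes he configured.

Added example, not from the post. Only the DHCPDBG message texts that appear
in the post are relied on; the expected-server list is supplied by the caller."""
import re
from collections import Counter

# Event lines copied from the debug output in the post (one event per line).
SAMPLE_LOG = """\
1033 01/13/2008 16:48:33.780 SEV=9 DHCPDBG/29 RPT=5452 DHCP poll timeouts routine entered
1034 01/13/2008 16:48:33.780 SEV=9 DHCPDBG/30 RPT=5452 DHCP poll stats: callbacks 0, active CBs 0, total CBs 1
1035 01/13/2008 16:48:34.670 SEV=9 DHCPDBG/15 RPT=44 DHCP task: Timeout type 0, msg 0x7049db8
1036 01/13/2008 16:48:34.670 SEV=8 DHCPDBG/36 RPT=30 DHCP no response to DISCOVER sent to 172.28.32.13 (xid 3684789027)
1037 01/13/2008 16:48:34.670 SEV=7 DHCPDBG/40 RPT=30 DHCP attempt to get next server failed (xid 3684789027)
1038 01/13/2008 16:48:34.670 SEV=9 DHCPDBG/28 RPT=194 DHCP restart servers routine entered
1039 01/13/2008 16:48:34.670 SEV=9 DHCPDBG/38 RPT=45 DHCP obtained first server 172.28.32.13 port 67 (xid 3684789027)
1040 01/13/2008 16:48:34.670 SEV=8 DHCPDBG/46 RPT=45 DHCP sending DISCOVER to server 172.28.32.13 port 67 (xid 3684789027)
"""

# "<seq> <date> <time> SEV=<n> <class>/<id> RPT=<n> <message>"
EVENT_RE = re.compile(
    r"^(?P<seq>\d+) (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) "
    r"SEV=(?P<sev>\d+) (?P<cls>[A-Z]+)/(?P<id>\d+) RPT=(?P<rpt>\d+) (?P<msg>.*)$")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
XID_RE = re.compile(r"\(xid (\d+)\)")


def parse_events(text):
    """Return one dict per well-formed event line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            for k in ("seq", "sev", "id", "rpt"):
                ev[k] = int(ev[k])
            events.append(ev)
    return events


def audit_relay(text, expected_servers):
    """Summarise which servers the relay talked to, which of them are not in
    expected_servers, how many DISCOVERs went unanswered per server, and the
    transaction IDs that never got a reply."""
    expected = set(expected_servers)
    seen = set()
    no_response = Counter()
    unanswered = set()
    for ev in parse_events(text):
        if ev["cls"] != "DHCPDBG":
            continue
        ip = IPV4_RE.search(ev["msg"])
        xid = XID_RE.search(ev["msg"])
        if ip:
            seen.add(ip.group(1))
        if "no response to DISCOVER" in ev["msg"] and ip:
            no_response[ip.group(1)] += 1
            if xid:
                unanswered.add(xid.group(1))
    return {
        "servers_seen": seen,
        "unexpected_servers": seen - expected,
        "no_response": dict(no_response),
        "unanswered_xids": unanswered,
    }


if __name__ == "__main__":
    report = audit_relay(SAMPLE_LOG, expected_servers=["172.28.33.13"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the post's log with the admin's stated server, `unexpected_servers` comes back as `{'172.28.32.13'}` and `no_response` shows that address with one timed-out DISCOVER, which is exactly the typo Masood pointed out; the same log audited with 172.28.32.13 as the expected server reports nothing unexpected, so the check separates "wrong server configured" from "right server not answering".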
Re: [c-nsp] MPLS on CAT5500
Some days ago I was talking to one of my Juniper friends and he was saying that you can't use one Cisco box as P and PE simultaneously, though you can with Juniper. If it worked, and works like a charm, please share your experience.

Regards,
Masood Ahmad Shah

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brandon Price
Sent: Saturday, January 19, 2008 12:10 AM
To: Phil Bedard
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] MPLS on CAT5500

PE1 to P is a 100mb link which supports Jumbo frames no problem. The 5500 also acts as a PE for a few of our COLO customers so it needs to be running MPLS while I transition the WAN links from PE1 to PE2. Hope that makes sense..

Brandon Price
Sterling Communications Inc.
/31 --- The Subnet Formally Known as Unusable

-----Original Message-----
From: Phil Bedard [mailto:[EMAIL PROTECTED]
Sent: Friday, January 18, 2008 10:57 AM
To: Brandon Price
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] MPLS on CAT5500

What is the PE1 to P link? I would try very hard to not use the 5500 as a P router. Maybe MPLSoGRE would work? Or using the 5505 as a bridge? If they are both Ethernet, then just trunk things through.

Phil

On Jan 18, 2008, at 12:46 PM, Brandon Price wrote:

> Guys,
>
> I apologize if this is a lame-brain question but I am new to MPLS... We have a pretty simple MPLS VPN setup comprised of the following 3 routers:
>
>   PE1 -- P -- PE2
>
> PE2 is a new router we are transitioning customers to.
> PE1 is 7206VXR 12.4(17)
> PE2 is CAT6513/SUP720-3B 12.2(18)SXF12
> the P router is a Cat5500 catos6.4(23a) / RSM ios12.2(46a)
> the P to PE2 link is a 1GB link on a WS-X5410 blade.
>
> According to cisco's Catalyst Jumbo Frame documentation this blade does not support a larger mtu than 1500. However if you enable dot1q trunking yet transmit on the native VLAN the switch will accept an additional 4 bytes. My question is, since the P router will always be the penultimate hop in this layout, will having room for just 1 label be sufficient?
>
> Also the RSM in the cat5500 only supports TDP for label distribution. Any potential drawbacks to this?
>
> Thanks,
> Brandon Price
> Sterling Communications Inc.
> /31 --- The Subnet Formally Known as Unusable
Re: [c-nsp] Stress testing.
You can test (SYN flood and ICMP) using hping, www.hping.org. Whenever I configure a firewall I always use this tool. Hmm, BGP testing, I never came across this before. If you find one please share.

Regards,
Masood Ahmad Shah

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J.P. Racine
Sent: Thursday, January 17, 2008 8:46 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Stress testing.

Does anyone have any links to network stress testing ( SYN Flood / BGP or ICMP ) tools that will compile on a linux AMD 64 architecture?

Thanks!
--
J.P. Racine
[EMAIL PROTECTED]
Re: [c-nsp] tcpdump on ios?
Well, all in all Cisco needs to improve the packet sniffing tools on their platforms. What would you do if you come from Juniper and are used to using

  [EMAIL PROTECTED] monitor traffic detail interface em0 no-resolve print-ascii
  Address resolution is OFF.
  Listening on em0, capture size 1514 bytes

  12:58:43.311620  In IP (tos 0x0, ttl 128, id 25379, offset 0, flags [none], proto: UDP (17), length: 78) 192.168.10.101.137 > 192.168.10.255.137: UDP, length 50
  0x0000  0000 0000 0000 0050 da36 e12f 0800 4500  .......P.6./..E.
  0x0010  004e 6323 0000 8011 40c7 c0a8 0a65 c0a8  .Nc#....@....e..
  0x0020  0aff 0089 0089 003a ec0a fc36 0110 0001  .......:...6....
  0x0030  0000 0000 0000 2044 4244 4a44 4343 4f44  ...... DBDJDCCOD
  0x0040  4244 4744 4943 4f44 4244 4143 4f44 4244  BDGDICODBDACODBD
  0x0050  4144 4443 4143 4100 0020 0001            ADDCACA.. ..

I strongly suggest an integrated tool to debug IP payloads (like tcpdump). They also need to work on dependencies and platform-specific-only features; why the heck do I need to disable something to get another thing, or buy a new router just for a feature :) Also I suggest a feature such as commit and rollback n, which can really make backing out of changes a no-brainer.

Regards,
Masood Ahmad Shah

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aamer Akhter (aakhter)
Sent: Sunday, January 13, 2008 1:31 AM
To: Saku Ytti; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] tcpdump on ios?

Hi Folks,

It really depends on what the intent is. If the intent is to track flows transiting the router, then these debug commands are (IMHO) not the best way. Eg, a problem with debug cef is going to be that not all packets are CEF switched (eg PBR, MPLS). These are really meant to troubleshoot the specific switching/forwarding system(s).

I think the original poster was looking for only tracking of flows, not interested in payload gathering etc (so the tcpdump in the subject line might be conveying more than actually required). For that purpose, NetFlow should suffice.

For specifically creating pcap files on the router, IP router traffic export (RTE) has been mentioned. RTE can create pcap files on a remote tftp or locally (disk, usb etc). The limitation there is that it is only available on certain platforms and there it only captures TCP traffic. I'm trying to help prioritize the case for supporting non-TCP traffic so if there is solid interest please drop me an email.

SPAN and lawful intercept (LI) are also options providing you're on the right platform and an image that has LI.

Regards,
--
Aamer Akhter / [EMAIL PROTECTED]
Ent Commercial Systems, cisco Systems

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp-[EMAIL PROTECTED] On Behalf Of Saku Ytti
Sent: Saturday, January 12, 2008 1:30 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] tcpdump on ios?

On (2008-01-12 10:42 -0500), Luan Nguyen wrote:

> But on a simple router, to track down a problem for a few seconds...
>
>   no logging console
>   logging buffer debugging
>   no ip route-cache (on interfaces)
>   access-list to match or set interface condition
>   debug ip packet detail access-list (dump).
>
> would do fine?

Since new CEF code in 12.2S, in software platforms using CEF for switching you can debug CEF switched packets virtually for free (as well as mirror, which was already mentioned in the thread earlier). Debugging is, not surprisingly, 'debug ip cef packet ..'.

Thanks,
--
  ++ytti
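Whichever platform produced the capture (Junos `monitor traffic`, a SPAN port into tcpdump, or an RTE pcap), the hex dump is the ground truth and the one-line summary above it is derived from it. The following is an added example for this page, not code from any poster: it rebuilds the raw frame from a tcpdump-style hex dump, decodes the Ethernet, IPv4 and UDP headers and verifies the IPv4 header checksum. The sample dump is the frame from Masood's post with the all-zero 16-bit words restored (the mailing-list archive dropped every `0000` token); that restoration is an assumption the checksum check itself confirms, because the stored value 0x40c7 only verifies with those words present.

```python
"""Decode a tcpdump / Junos `monitor traffic` hex dump (offset, 16-bit words,
ASCII column) into Ethernet, IPv4 and UDP header fields and verify the IPv4
header checksum.

Added example, not code from the thread. SAMPLE_DUMP is the frame shown in
Masood's post with the all-zero words restored (the mailing-list archive
dropped every '0000' token); the checksum check is what confirms that
restoration, since 0x40c7 only verifies with those words present."""
import re
import struct

SAMPLE_DUMP = """\
0x0000  0000 0000 0000 0050 da36 e12f 0800 4500  .......P.6./..E.
0x0010  004e 6323 0000 8011 40c7 c0a8 0a65 c0a8  .Nc#....@....e..
0x0020  0aff 0089 0089 003a ec0a fc36 0110 0001  .......:...6....
0x0030  0000 0000 0000 2044 4244 4a44 4343 4f44  ...... DBDJDCCOD
0x0040  4244 4744 4943 4f44 4244 4143 4f44 4244  BDGDICODBDACODBD
0x0050  4144 4443 4143 4100 0020 0001            ADDCACA.. ..
"""


def hexdump_to_bytes(dump):
    """Rebuild the raw frame. Columns are separated by two or more spaces, so
    the ASCII column (which may itself contain hex-looking text such as
    'ADDC') is never mistaken for data. Offsets must be contiguous."""
    out = bytearray()
    for line in dump.splitlines():
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) < 2 or not parts[0].startswith("0x"):
            continue
        offset = int(parts[0], 16)
        if offset != len(out):
            raise ValueError(f"offset 0x{offset:04x} does not follow 0x{len(out):04x}")
        out += bytes.fromhex(parts[1].replace(" ", ""))
    return bytes(out)


def inet_checksum(data):
    """RFC 1071 one's-complement sum; returns 0 for a header whose stored
    checksum is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_frame(frame):
    """Ethernet II -> IPv4 -> UDP. Stops early (with what it has) for other
    ethertypes or protocols."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"eth_dst": frame[0:6].hex(":"), "eth_src": frame[6:12].hex(":"),
            "ethertype": ethertype}
    if ethertype != 0x0800 or len(frame) < 34:
        return info
    ip = frame[14:]
    ver_ihl, tos, total_len, ident, _frag, ttl, proto, _csum = struct.unpack(
        "!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4
    info.update({
        "ip_version": ver_ihl >> 4, "ip_tos": tos, "ip_len": total_len,
        "ip_id": ident, "ip_ttl": ttl, "ip_proto": proto,
        "ip_src": ".".join(str(b) for b in ip[12:16]),
        "ip_dst": ".".join(str(b) for b in ip[16:20]),
        "ip_checksum_ok": inet_checksum(ip[:ihl]) == 0,
        "ip_truncated": len(ip) < total_len,
    })
    if proto == 17 and len(ip) >= ihl + 8:
        sport, dport, ulen, _ucsum = struct.unpack("!HHHH", ip[ihl:ihl + 8])
        info.update({"udp_sport": sport, "udp_dport": dport,
                     "udp_len": ulen, "udp_payload_len": ulen - 8})
    return info


if __name__ == "__main__":
    for k, v in decode_frame(hexdump_to_bytes(SAMPLE_DUMP)).items():
        print(f"{k:>16}: {v}")
```

Decoding the sample reproduces every field of the summary line in the post (ttl 128, id 25379, proto 17, length 78, 192.168.10.101.137 to 192.168.10.255.137, UDP payload 50 bytes) with `ip_checksum_ok` true; flipping any header byte turns it false, which is the quickest way to tell a corrupt or hand-edited capture from a real one before trusting what it appears to show.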
Re: [c-nsp] tcpdump on ios?
On a Juniper router you can use monitor traffic interface. AFAIK with Cisco you need to mirror a port and put it to some Linux or Windows box along with packet sniffer tools such as Ethereal, tcpdump and so on...

Regards,
Masood Ahmad Shah

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of matthew zeier
Sent: Saturday, January 12, 2008 2:05 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] tcpdump on ios?

I'm trying to track down an issue and recall some method to watch traffic going through a router based on an ACL. Can't recall the syntax though. help?
Re: [c-nsp] tcpdump on ios?
Oh, don't use it on a production router with a high number of packets.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott McGrath
Sent: Saturday, January 12, 2008 2:14 AM
To: matthew zeier
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] tcpdump on ios?

debug ip packet - BE VERY CAREFUL with this one

matthew zeier wrote:

> I'm trying to track down an issue and recall some method to watch traffic going through a router based on an ACL. Can't recall the syntax though. help?
Re: [c-nsp] tcpdump on ios?
Router IP Traffic Export can be used only on switching platforms; you can't use it with distributed platforms. The sniffing machine must be on the same LAN and should be in the router's ARP table. Debug ip packet, even using an access-list, sometimes sucks. I strongly suggest: free up a switch port and attach to it the machine running the packet sniffer tool. Mirror the router's switch port to the sniffer machine and sniff whatever you want to.

Oh, sorry for writing about Juniper; I was just working on it a while ago :)

Regards,
Masood Ahmad Shah

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Prall
Sent: Saturday, January 12, 2008 2:19 AM
To: 'matthew zeier'; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] tcpdump on ios?

Either Router IP Traffic Export (RITE)
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part30/h_rawip.htm

Or debug condition ? then the appropriate debugs such as debug ip packet or interface.

David

--
http://dcp.dcptech.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of matthew zeier
Sent: Friday, January 11, 2008 4:05 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] tcpdump on ios?

I'm trying to track down an issue and recall some method to watch traffic going through a router based on an ACL. Can't recall the syntax though. help?
Re: [c-nsp] BGP soft reconfiguration inbound
I have experienced that sometimes the BGP session goes down/up if you add or remove soft-reconfiguration inbound. I will try to check this tonight if I get time.

Regards,
Masood Ahmad Shah

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Rathlev
Sent: Tuesday, December 18, 2007 7:29 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] BGP soft reconfiguration inbound

On Tue, 2007-12-18 at 12:30 +0000, Mohamed Ahmad wrote:

> Hi guys,
>
> I was wondering what was the effect of disabling soft-reconfiguration inbound on our neighbor statement with our provider (basically a live network). I was looking at the ram usage and it's been going up slowly. We currently receive full table from our provider but filter to get only default (I know we can get them to just send a default but we might remove filter in the future to get full routes on an upgraded router). Any ill effects of removing the soft-reconfiguration inbound?
>
> Many thanks,

This shouldn't reset your BGP session, so you should be able to do it on a live network. I've only tested it on our CE-boxes (C3560) so I don't know for sure though.

Regards,
Peter Rathlev
Re: [c-nsp] MTU Issue on QinQ Eth link with MPLS
Well, better you check the current MTU settings using the command

  # sh interfaces | inc MTU

And cheers :) Yes of course you need to adjust the routers' MTU as well if you are running MPLS or GRE.

Regards,
Masood Ahmad Shah

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, January 03, 2008 9:19 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] MTU Issue on QinQ Eth link with MPLS

Quoting Matt Carter [EMAIL PROTECTED]:

> Catalyst 2950/2955 Series
> http://www.cisco.com/en/US/products/hw/switches/ps700/products_configuration_example09186a008010edab.shtml#c5
>
> You can classify the Catalyst 2950/2955 Series switches into two major groups, where one supports baby giants (up to 1530 bytes), but the other does not. However, this refers to traffic that flows through the switch. Packets destined to the management (VLAN) interface can support only 1500 bytes.
>
> These models of 2950 switches support only 1500 bytes:
>   WS-C2950-12
>   WS-C2950-24
>   WS-C2950-48
>   WS-C2950C-24
>   WS-C2950T-24
>
> These models of 2950/2955 switches support up to 1530 bytes:
>   WS-C2950G-12-EI
>   WS-C2950G-24-EI
>   WS-C2950G-24-EI-DC
>   WS-C2950G-48
>   WS-C2950G-48-EI
>   All models of 2950 LRE Series switches
>   All models of 2955 Series switches

Thanks Matt - Do the models that support baby giants do it natively, or must I issue the system mtu 1530 in global conf? Must I also adjust the mtu on the 7200's FE Ints?

-
This e-mail was sent via Data FX Online WebMail
http://www.datafx.com.au/
Re: [c-nsp] Tunnel a VLAN across the WAN?
Reference: http://www.cisco.com/en/US/products/hw/switches/ps5023/products_tech_note09186a00807213f5.shtml

The General Routing Encapsulation (GRE) tunnel is not supported by the Cisco Catalyst 3750 Series Switches. Even though this feature can be configured with CLI, the packets can be neither switched by hardware, nor by software, which increases the CPU utilization.

Note: Only Distance Vector Multicast Routing Protocol (DVMRP) tunnel interfaces are supported for multicast routing in the Catalyst 3750. Even for this, packets cannot be switched with hardware. The packets routed through this tunnel must be switched through software. The larger number of packets forwarded through this tunnel increases CPU utilization.

Regards,
Masood Ahmad Shah

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeffrey Ollie
Sent: Thursday, January 03, 2008 9:59 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Tunnel a VLAN across the WAN?

Is there a way using 3750's to tunnel a VLAN across my WAN? The people that run the cafeterias are installing cash registers on two different campuses that supposedly need to be on the same L2 VLAN. AFAIK they are only running IP but I may be wrong on that. I have 3750's on either end that can terminate the tunnels. I've never done anything like this so I'm not sure what to search for (the search terms that occurred to me didn't result in anything that looked useful).

Yes, I know it's a bit of a silly idea but I didn't choose the cash registers and they just dropped this in my lap five minutes ago and wanted it done ASAP :(.

Jeff
Re: [c-nsp] Scheduling daily reload
Why the heck is your service provider (upstream ISP) not using PPP keepalives? They should use PPP keepalives on their BRAS.

Regards,
Masood Ahmad Shah

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gert Doering
Sent: Wednesday, January 02, 2008 2:54 PM
To: Eric Helm
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Scheduling daily reload

Hi,

On Tue, Jan 01, 2008 at 09:13:23PM -0600, Eric Helm wrote:

> I've seen this happen with PPPoX connections when either the ISP makes a config change that causes the BRAS to disconnect the PPP session and for whatever reason the CPE doesn't receive the disconnect message so the PPP session remains active and thus never re-negotiates a new session.

PPP keepalives will nicely take care of this.

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             [EMAIL PROTECTED]
fax: +49-89-35655025                        [EMAIL PROTECTED]
Re: [c-nsp] Happy New Year !
Happy New Year. Wish to clear CCIE this year.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hash!!!
Sent: Monday, December 31, 2007 5:38 PM
To: cisco-nsp@puck.nether.net; 'certification Cisco'
Subject: [c-nsp] Happy New Year !

GS,

Hoping that this new year leads you towards path of new found glories.much higher than CCIE ;)

Enjoy!
..Hash
Re: [c-nsp] Something like MTR, but forced path
You can't do this by using a polling or interval based monitoring system. You need to work on syslog or event based traps. I believe that your equipment at both ends is Cisco. You must track reachable IPs and generate syslog or event traps if the next hop or whatever IP is unreachable. Here is an example.

Here is what you want to monitor:

  ip sla monitor 1
   type echo protocol ipIcmpEcho 192.168.75.3 source-ipaddr 192.168.3.254
   timeout 2000
   threshold 2500
   frequency 3

Here I'm defining the time domain:

  ip sla monitor schedule 1 life forever start-time now

Here I'm starting the track:

  track 123 rtr 1 reachability

You will find logs as shown below on every event:

  *Dec 19 12:53:19.204 PKT: %TRACKING-5-STATE: 123 rtr 1 reachability Up->Down
  *Dec 19 12:53:24.204 PKT: %TRACKING-5-STATE: 123 rtr 1 reachability Down->Up

For the same you can also use Cisco Embedded Event Manager:
http://www.cisco.com/en/US/products/ps6815/products_ios_protocol_group_home.html

Regards,
Masood Ahmad Shah
BLOG: http://www.weblogs.com.pk/jahil/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tuc at T-B-O-H.NET
Sent: Wednesday, December 19, 2007 6:38 PM
To: Ed Ravin
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Something like MTR, but forced path

> On Tue, Dec 18, 2007 at 09:01:50PM -0500, Tuc at T-B-O-H.NET wrote:
> > I'm basically looking for something I can run on Unix and give me a curses view of IPs I give it to ping at the same time.
>
> You could use Mon: http://mon.wiki.kernel.org/index.php/Main_Page
>
> (Info deleted for brevity)
>
> > Curses MTR bolds the lettering when it has a ping loss which I want to catch my eye.
>
> In my shop, we have Mon set to write to our terminals when it has something important to tell us.
>
> > As an FYI, the problem I have is I'm having connection losses between my site and the wireless WISP's gateway. I think the packet is getting to the backhaul link at the site here, but not to the other end of the backhaul here. I want to run a set of pings [...]
>
> That sounds like a job for Smokeping: http://oss.oetiker.ch/smokeping/
>
> (Info deleted for brevity)
>
> > I want something formalized since sending pings that just show a loss somewhere in the middle don't mean anything.
>
> I've done that with Smokeping - tell Smokeping to ping everything in a particular path. Lining up the resulting graphs with records of service outages is usually very informative.

I appreciate your reply. I actually have smokeping running on both ends, but I'm looking for something that can run in an xterm while I'm writing email and I can see it actually pinging live. The others are snapshots of the network, not real time. If it pings every 5 minutes, for 20 seconds, and the next 270 seconds the network is down, then comes back, the utilities are going to show 100% up. Unless the intermittent issue happens during the polling cycle, we won't see it. I'm running into the problem of the WISP seeing the graphing show 100% up, while I'm sitting here with 64 second chunks of network disappearing. I also can't prove it's ONLY my site happening, since I am only at this one site. I wanted something that I could leave running in a screen on one of his DD-WRT installed Buffalo (SIGH... That lawsuit sucks) routers.

Thanks, Tuc
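The point of the IP SLA plus object-tracking setup above is that each reachability change is emitted as a %TRACKING-5-STATE syslog event at the moment it happens, so the evidence Tuc wants (how long each outage lasted, how often the link flaps) can be computed from the syslog collector rather than from a poller that may miss the outage. The following is an added example written for this page, not code from either poster: it parses those events into down intervals and raises a flap condition when a track changes state too often inside a window. The syslog lines are constructed in the format shown in the post (the first two are the post's own lines, the rest are made up to give the parser something to work with), and the year is an assumption because IOS timestamps do not carry one; the regex accepts both the IOS form `Up->Down` and the `Up-Down` form the archive shows.

```python
"""Turn %TRACKING-5-STATE syslog events from IOS IP SLA object tracking into
a per-track outage timeline and a flap alarm.

Added example, not from the post. The log lines below are constructed in the
format the post shows (first two lines are the post's own); the year is an
assumption because IOS syslog timestamps omit it."""
import re
from datetime import datetime, timedelta

SAMPLE_SYSLOG = """\
*Dec 19 12:53:19.204 PKT: %TRACKING-5-STATE: 123 rtr 1 reachability Up->Down
*Dec 19 12:53:24.204 PKT: %TRACKING-5-STATE: 123 rtr 1 reachability Down->Up
*Dec 19 12:55:00.010 PKT: %TRACKING-5-STATE: 123 rtr 1 reachability Up->Down
*Dec 19 12:55:09.010 PKT: %TRACKING-5-STATE: 123 rtr 1 reachability Down->Up
*Dec 19 12:55:30.500 PKT: %TRACKING-5-STATE: 123 rtr 1 reachability Up->Down
*Dec 19 12:56:34.500 PKT: %TRACKING-5-STATE: 123 rtr 1 reachability Down->Up
*Dec 19 13:10:00.000 PKT: %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.5)
"""

# "*Dec 19 12:53:19.204 PKT: %TRACKING-5-STATE: 123 rtr 1 reachability Up->Down"
# The archive shows "Up-Down"; real IOS prints "Up->Down". Both are accepted.
TRACK_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}) \S+: "
    r"%TRACKING-5-STATE: (?P<track>\d+) (?P<obj>.+?) (?P<old>Up|Down)->?(?P<new>Up|Down)$")


def parse_track_events(text, year=2007):
    """One dict per tracking event, in file order; other syslog messages are
    ignored. `year` is assumed, since the timestamp has none."""
    events = []
    for line in text.splitlines():
        m = TRACK_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S.%f")
        events.append({"ts": ts, "track": int(m.group("track")),
                       "obj": m.group("obj"), "old": m.group("old"),
                       "new": m.group("new")})
    return events


def down_intervals(events):
    """Pair each Up->Down with the next Down->Up of the same track. An outage
    that has not recovered yet is reported with end=None."""
    open_down = {}
    intervals = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["new"] == "Down":
            open_down[ev["track"]] = ev["ts"]
        elif ev["track"] in open_down:
            start = open_down.pop(ev["track"])
            intervals.append({"track": ev["track"], "start": start, "end": ev["ts"],
                              "seconds": (ev["ts"] - start).total_seconds()})
    for track, start in open_down.items():
        intervals.append({"track": track, "start": start, "end": None, "seconds": None})
    return intervals


def flapping_tracks(events, window=timedelta(minutes=5), max_transitions=3):
    """Tracks that change state more than max_transitions times inside any
    sliding window of the given length."""
    stamps_by_track = {}
    for ev in events:
        stamps_by_track.setdefault(ev["track"], []).append(ev["ts"])
    flapping = set()
    for track, stamps in stamps_by_track.items():
        stamps.sort()
        lo = 0
        for hi in range(len(stamps)):
            while stamps[hi] - stamps[lo] > window:
                lo += 1
            if hi - lo + 1 > max_transitions:
                flapping.add(track)
                break
    return flapping


if __name__ == "__main__":
    evs = parse_track_events(SAMPLE_SYSLOG)
    for iv in down_intervals(evs):
        print(f"track {iv['track']}: down at {iv['start']} for {iv['seconds']} s")
    print("flapping:", flapping_tracks(evs))
```

On the constructed log this reports three outages of 5, 9 and 64 seconds and flags track 123 as flapping; the 64-second gap is the kind of event a 5-minute poller never sees but an event-driven syslog record proves, which is the argument Masood makes above.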
Re: [c-nsp] Bridging two VLANs together
Well, if I understand, you are talking about inter-VLAN bridging. Yes, it should work fine. You may need to add

  bridge 2 protocol ieee

It's the bridge protocol global configuration command to define the type of STP.

Regards,
Masood Ahmad Shah

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Bulk
Sent: Wednesday, December 12, 2007 9:15 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Bridging two VLANs together

We have a unique situation where our transport equipment can't bridge the traffic between two endpoints, so we would like to dump off each link's VLAN onto our router (7609-S with WS-X6748-GE-TX blades) where it can perform the bridging. Any reason why the following configuration wouldn't work?

  interface GigabitEthernet1/31
   description Customer networks
   switchport
   switchport trunk encapsulation dot1q
   switchport trunk allowed vlan 221-222
   switchport mode trunk
  end

  interface Vlan221
   description Site 1
   no ip address
   bridge-group 2
   bridge-group 2 spanning-disabled
  !
  interface Vlan222
   description Site 2
   no ip address
   bridge-group 2
   bridge-group 2 spanning-disabled
  !

Some of you might ask why not put the endpoints in the same VLAN, but the endpoints don't maintain a MAC address table so there's nothing to make them exchange traffic with each other.

Regards,

Frank
[c-nsp] parallel tunnels / different traffic classes
Does Cisco IOS support multiple parallel tunnels carrying different traffic classes for a long time? If the answer is yes, please share some experience.

Regards,
Masood Ahmad Shah
Re: [c-nsp] default route behavoir
Yes, that's the answer. If you can't use a routing protocol your choice is IP SLA monitor.

How to IP SLA:

  ip sla monitor 1
   type echo protocol ipIcmpEcho primary-link-reachable-ip source-ipaddr switch-source-ip
   timeout 1500
   threshold 2000
   frequency 3

Start Monitoring:

  ip sla monitor schedule 1 life forever start-time now

Tracking:

  track 1 rtr 1 reachability

Secondary Route:

  ip route 0.0.0.0 0.0.0.0 secondary-gateway track 1

Not tested, but it should work fine :)

Cheers,
Masood Ahmad Shah

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Granados
Sent: Wednesday, December 12, 2007 4:17 AM
To: Matlock, Kenneth L; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] default route behavoir

I forget if it's supported as well but you could use object tracking in the IP SLA features to track a far end device for whether it's reached or not and flop routes in the event one is not reached. (in place of an IGP) This works great for DSL backup, something similar should work here.

----- Original Message -----
From: Matlock, Kenneth L [EMAIL PROTECTED]
To: cisco-nsp@puck.nether.net
Sent: Tuesday, December 11, 2007 3:10 PM
Subject: Re: [c-nsp] default route behavoir

Currently both routes are equal cost, so the first packet (or flow, can't remember which off the top of my head) takes the first route, and the next packet (or flow) takes the 2nd route, and the 3rd packet (or flow) takes the 1st route, etc.

In order to do it, you can change the metric on the non-preferred route so it's only used if the other route is unavailable.

  ip route 0.0.0.0 0.0.0.0 10.50.6.2
  ip route 0.0.0.0 0.0.0.0 10.50.5.24 2

Now, keep in mind that the switch will only determine that 10.50.6.2 is down if the interface that 10.50.6.2 is connected to changes state to down. If the state doesn't change, that route's still valid even if 10.50.6.2 is no longer responding. In order to solve that, you need to run a dynamic protocol between this 3560 and the upstream routers/switches. (I don't know off the top of my head if/what the 3560 supports).

Ken Matlock
Network Analyst
(303) 467-4671
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Letkeman
Sent: Tuesday, December 11, 2007 4:01 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] default route behavoir

Hello,

I'm unsure how the default route behavior is supposed to be on a 3560 switch. I have a remote office that is connected with two wireless links to a main building. Right now I have this in my configuration for redundancy, but it is using both links and just randomly taking either one.

  ip route 0.0.0.0 0.0.0.0 10.50.6.2
  ip route 0.0.0.0 0.0.0.0 10.50.5.24

Is there a way to tell the switch to only use 10.50.6.2 and not use 10.50.5.24 unless 10.50.6.2 is down?

Thanks,
Dan.
Re: [c-nsp] default route behavoir
Well, Cisco 3560 supports IP SLA. The following Cisco routers and switches support IP SLA:
http://download.dartware.com/contrib/probes/Cisco_IP_SLA_Probe_Users_Guide.doc

Regards,
Masood Ahmad Shah

-----Original Message-----
From: Adrian Chadd [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 12, 2007 6:32 AM
To: Masood Ahmad Shah
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] default route behavoir

On Wed, Dec 12, 2007, Masood Ahmad Shah wrote:

> Yes that's the answer. If you can't use routing protocol your choice is IP SLA monitor.

Does this actually work on the 3560? The last I checked the commands were supported but they did nothing..

Adrian
[c-nsp] ATM Interface (range pvc feature)
I'm configuring a C3660 for PPPoE subscribers. I'm just trying to use the feature

  range [range-name] pvc start-vpi/start-vci end-vpi/end-vci

under the ATM interface configuration.

  Router(config)#interface atM 1/0.4 multipoint
  Router(config-subif)#

Here I can't find the range command.

  Router(config-subif)#

I tried different IOS versions, 12.2 and 12.3, but it did not help. I'm running now with c3660-telcoentk9-mz.123-22.bin. It would be nice if someone can confirm the support of the range command under the ATM interface in 3600 series routers.

Regards,
Masood Ahmad Shah
Re: [c-nsp] ospf external route showing as updated quite so often in routing table
OSPF routers support the ability to set the LSA refresh time on non-DNA LSAs. In a normal environment the admin does this to decrease the number of LSA refreshes, versus the drastic step of using DNA LSAs. What is the LSA refresh time? Is it the same on all routers? Did you change it somewhere or on some router?

Regards,
Masood Ahmad Shah
http://www.weblogs.com.pk/jahil/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kumar, Prashanth
Sent: Thursday, November 29, 2007 8:16 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ospf external route showing as updated quite so often in routing table

I have a situation where all OSPF external routes on multiple Cisco routers are showing the update time refreshed. It is as if the routing table for those routes was updated 4 to 10 sec ago. I don't think routes are flapping as some of the routes are only one hop away. I am wondering if there is something in the network causing this or if it is an IOS issue. I checked this on a bunch of Cisco 65xx and 38xx. All are showing the same symptom. Any help would be appreciated. Routers are running different IOS versions of the 12.2 line. There is no network issue or high CPU I have noticed on all these routers.

Thx
Prashanth

If I do a show ip route:

  xx#sh ip route 159.153.4.4
  Routing entry for 159.153.4.4/32
    Known via "ospf 1", distance 110, metric 202, type extern 1
    Redistributing via bgp 64700
    Last update from 10.21.252.41 on GigabitEthernet0/0, 00:00:04 ago
    Routing Descriptor Blocks:
    * 10.21.252.41, from 10.14.0.24, 00:00:04 ago, via GigabitEthernet0/0
        Route metric is 202, traffic share count is 1

After 10 sec:

  xx#sh ip route 159.153.4.4
  Routing entry for 159.153.4.4/32
    Known via "ospf 1", distance 110, metric 202, type extern 1
    Redistributing via bgp 64700
    Last update from 10.21.252.41 on GigabitEthernet0/0, 00:00:00 ago
    Routing Descriptor Blocks:
    * 10.21.252.41, from 10.14.0.24, 00:00:00 ago, via GigabitEthernet0/0
        Route metric is 202, traffic share count is 1

But show ip ospf database external 159.153.4.4 shows the LSA age incrementing:

  Type-5 AS External Link States
    Routing Bit Set on this LSA
    LS age: 627
    Options: (No TOS-capability, DC)
    LS Type: AS External Link
    Link State ID: 159.153.4.4 (External Network Number )
    Advertising Router: 10.14.0.24
    LS Seq Number: 8000ECE2
    Checksum: 0x6323
    Length: 36
    Network Mask: /32
          Metric Type: 1 (Comparable directly to link state metric)
          TOS: 0
          Metric: 110
          Forward Address: 0.0.0.0
          External Route Tag: 0
Re: [c-nsp] ATM Switching Design Issue
Just to let you guys know... I got the answer: from a pure circuit standpoint, no. And it can't be considered a cross connect. I would need an external MUX/DACS system to do that.

Regards,
Masood Ahmad Shah

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Masood Ahmad Shah
Sent: Saturday, December 01, 2007 1:11 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ATM Switching Design Issue

I want to use a Cisco 3660 for ATM aggregation. I have two IMA 4-port E1 port adapter modules and a 1-port ATM OC3 multimode port adapter, and they all come in the same Cisco 3660 chassis. I want to know whether this is possible with the Cisco 3660. If the 3660 supports it, how can I make a cross connect between multiple IMA interfaces and the OC3 interface in a single chassis, so that I can then connect that OC3 interface to the upstream OC3 router?

              ---Cisco3660---|---Cisco 7507
4 E1 -\   atm crossconnect
ATM IMA --ATMOC3-|ATM-OC3
4 E1 -/
[c-nsp] ATM Switching Design Issue
I want to use a Cisco 3660 for ATM aggregation. I have two IMA 4-port E1 port adapter modules and a 1-port ATM OC3 multimode port adapter, and they all come in the same Cisco 3660 chassis. I want to know whether this is possible with the Cisco 3660. If the 3660 supports it, how can I make a cross connect between multiple IMA interfaces and the OC3 interface in a single chassis, so that I can then connect that OC3 interface to the upstream OC3 router?

              ---Cisco3660---|---Cisco 7507
4 E1 -\   atm crossconnect
ATM IMA --ATMOC3-|ATM-OC3
4 E1 -/
Re: [c-nsp] Dialup problems on a AS5300
http://www.cisco.com/warp/public/108/mica-hw-ts-17882.html

Regards,
Masood Ahmad Shah

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Justin Shore
Sent: Tuesday, November 27, 2007 4:16 AM
To: 'Cisco-nsp'
Subject: [c-nsp] Dialup problems on a AS5300

We appear to be having dialup issues on one of our AS5300s. Unfortunately they are not covered under a SmartNet (and can't be added to a contract beginning Summer 06). I've been hoping these things would keep on working until we could kill our dialup offering, but apparently this one may be shooting craps on us. I am not an access server buff and I'm not really sure what to look for. I see 47 modems marked as bad, 18 stuck in the download pending state, and 35 active out of 192 modems. Our average success rate has dropped to 79%. Some modems not yet marked as bad are down to 5x% success. I'll send the 'sh modem' to anyone interested off list (too long for here).

This problem was believed to have been solved this AM before I got to the office by our CO guys. They disconnected each of the circuits, let it error out, and then reconnected. They thought this fixed the problem. I believe they simply kicked off the live customers, thus fixing the busy signal issue.

Does anyone have any ideas what I can check? What causes the 5300 to think a modem is bad, and is it really, in fact, bad? I'm rather stumped on this one. I hate to take the spare 5300 out of our primary POP to replace it, because it died in the Spring during a physical move in the CO. We had to buy a grey-market PRI module to get it back online since you can't buy new or refurb parts anymore. These things had been powered up and running for numerous years until this Spring, when we redid both POPs and moved them around.

Thanks
Justin
Re: [c-nsp] Port Traceroute utility?
UNIX: http://michael.toren.net/code/tcptraceroute/
Windows: http://tracetcp.sourceforge.net/

Regards,
Masood Ahmad Shah

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan Charles
Sent: Wednesday, November 07, 2007 12:03 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Port Traceroute utility?

This is going to sound weird, but I am looking for a utility that will let me traceroute on a specific port to see if and where a port is being blocked on a network... I run into issues where customers have ACLs on their network (that they don't know about) and it is causing network failures... (usually TFTP...)...

Jonathan
Re: [c-nsp] GE over copper port adapter for a 7206VXR
Not Cat5... You need to have Cat 5e or Cat 6... Simple Cat 5 will not work for 1000BaseT.

Regards,
Masood Ahmad Shah

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bob Chan
Sent: Wednesday, October 10, 2007 4:14 AM
To: Vincent Aniello
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] GE over copper port adapter for a 7206VXR

I think a 1000BaseTX Cat5 UTP GBIC can be used.

On 10/9/07, Vincent Aniello [EMAIL PROTECTED] wrote:

Does Cisco offer a Gigabit Ethernet over copper port adapter for a Cisco 7206VXR chassis? I have a NPE-G1 processor in the router, which comes with 3 GE over copper ports, but I need to add one more. The PA-GE card seems to only accept fiber connections. Any help would be appreciated.

Thanks.
--Vincent
[c-nsp] single interface multiple VRF
Is it possible to have 2 or more VRF tables existing on one single Ethernet/Serial interface? If the answer is yes, how do you guys do that?

Regards,
Masood Ahmad Shah
Re: [c-nsp] single interface multiple VRF
I know that if you use VRF-Lite you bind logical interfaces to a VRF (normally one WAN interface and one LAN interface). If there is only one WAN link, it must be divided into sub-interfaces (with F/R, channel-groups, VLANs etc.). The same applies to single LAN ports. Is that correct? How exactly do you guys use VRF when you have to terminate all of your clients on one or two interfaces, along with GRE tunnel IP source and destination VRF membership?

Regards,
Masood Ahmad Shah

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Masood Ahmad Shah
Sent: Friday, October 05, 2007 3:01 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] single interface multiple VRF

Is it possible to have 2 or more VRF tables existing on one single Ethernet/Serial interface? If the answer is yes, how do you guys do that?

Regards,
Masood Ahmad Shah
[c-nsp] Switch Broadcast/Multicast
Switch Model: 3550

Some of the ports on the switch are experiencing broadcast and multicast problems. I want to configure it so that broadcasts do not take more than 30% of the bandwidth and multicast does not take more than 20% of the bandwidth. For broadcast traffic, the port should forward again when it falls below 25%. For multicast traffic, the port should forward again when it falls below 15%. Please suggest recommended settings.

Regards,
Masood Ahmad Shah
Re: [c-nsp] Switch Broadcast/Multicast
I have come to this solution and I hope things will get smooth by using these interface mode commands (the second line applies the multicast limits from the requirement below):

storm-control broadcast level 30 25
storm-control multicast level 20 15

What do you guys suggest?

Regards,
Masood Ahmad Shah

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Masood Ahmad Shah
Sent: Tuesday, September 25, 2007 6:50 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Switch Broadcast/Multicast

Switch Model: 3550

Some of the ports on the switch are experiencing broadcast and multicast problems. I want to configure it so that broadcasts do not take more than 30% of the bandwidth and multicast does not take more than 20% of the bandwidth. For broadcast traffic, the port should forward again when it falls below 25%. For multicast traffic, the port should forward again when it falls below 15%. Please suggest recommended settings.

Regards,
Masood Ahmad Shah
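The rising/falling thresholds asked about in this thread, as an added Python example that is not part of the original posts: it renders the storm-control interface commands for the stated requirements and simulates the block/forward hysteresis on constructed per-second utilisation samples. The exact comparisons used (at or above the rising level blocks, below the falling level releases) are this model's assumption about the switch behaviour.

```python
"""Storm-control threshold model for the 3550 question above.

Added example; not code from the cisco-nsp thread or from Cisco.
"""


def storm_control_commands(broadcast, multicast):
    """Return the interface-mode commands for (rising, falling) percent pairs.

    Rejects values outside 0..100 or a falling level above the rising one,
    which the switch would not accept either.
    """
    cmds = []
    for kind, (rising, falling) in (("broadcast", broadcast), ("multicast", multicast)):
        if not (0 <= falling <= rising <= 100):
            raise ValueError(f"{kind}: need 0 <= falling <= rising <= 100, "
                             f"got {rising} {falling}")
        cmds.append(f"storm-control {kind} level {rising} {falling}")
    return cmds


def rejects(broadcast, multicast):
    """True if storm_control_commands() refuses the given threshold pairs."""
    try:
        storm_control_commands(broadcast, multicast)
    except ValueError:
        return True
    return False


def simulate(samples, rising, falling):
    """Per-interval suppression decision for one traffic type.

    samples: percentage of port bandwidth that the traffic type used in each
    one-second measurement interval (assumed model of the switch's sampling).
    Returns one boolean per interval: True means the port is dropping that
    traffic type during the interval. Between the two thresholds the previous
    state is kept, which is the hysteresis the falling level provides.
    """
    blocked = False
    decisions = []
    for pct in samples:
        if not blocked and pct >= rising:
            blocked = True
        elif blocked and pct < falling:
            blocked = False
        decisions.append(blocked)
    return decisions


# Constructed samples: a broadcast burst that climbs past 30%, hovers between
# the two thresholds (stays blocked), then subsides below 25%.
BROADCAST_SAMPLES = [5, 12, 31, 28, 26, 24, 10]
# Constructed multicast samples against the 20/15 pair.
MULTICAST_SAMPLES = [3, 21, 18, 16, 14, 2]

if __name__ == "__main__":
    for cmd in storm_control_commands((30, 25), (20, 15)):
        print(cmd)
    print("broadcast blocked per second:", simulate(BROADCAST_SAMPLES, 30, 25))
    print("multicast blocked per second:", simulate(MULTICAST_SAMPLES, 20, 15))
```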
Re: [c-nsp] MTU settings/GRE tunnel
Please always CC the mailing list so others can see it and share their experience/thoughts.

Regards,
Masood Ahmad Shah

-Original Message-
From: Nick Kraal [mailto:[EMAIL PROTECTED]
Sent: Friday, September 21, 2007 10:54 PM
To: Masood Ahmad Shah
Subject: Re: [c-nsp] MTU settings/GRE tunnel

Thanks Masood for the advice. We got stuck big time accessing some internal web servers. Narrowed this down to MTU/MSS issues. Adjusting the MSS helped out a lot. Will try the other pointers given.

Much appreciated and regards,
-nick/

Masood Ahmad Shah wrote:

Use 'ip tcp adjust-mss 1400' on a router seeing traffic in the clear to force the MSS to 1400, so the IP datagram size to 1420 (of course 1400 is just a guess); this will cover all TCP traffic. Set ip mtu 1500 on the GRE tunnel interface (yes, 1500 bytes).

Reasoning:
- GRE encapsulation clears the DF bit UNLESS 'tunnel path-mtu-discovery' is set on the tunnel interface (if turned on, the tunnel MTU will be dynamically adjusted upon receipt of ICMP)
- IPsec encapsulation copies the DF and adjusts the path MTU upon receipt of ICMP UNLESS 'crypto ipsec df-bit clear/set' is configured in the crypto map
- the router will fragment when forwarding to any interface whose MTU is smaller than the received IP packet. This happens often when forwarding to a GRE tunnel whose MTU is 1476 per default...

The last point forces the router to drop all 1500-byte packets and to send an ICMP message when a DF packet is received.

Regards,
Masood Ahmad Shah

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick Kraal
Sent: Thursday, September 20, 2007 12:51 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] MTU settings/GRE tunnel

Dear all,

We are setting up tunnels within our network, and are using some previously documented configurations for this. We will use this to enable virtual P2P BGP sessions to isolate certain parts of our routing table. Cheap, temporary, and fast.

interface Tunnel0
 ip address 192.168.100.9 255.255.255.252
 no ip unreachables
 no ip proxy-arp
 ip mtu 1524
 tunnel source Loopback1
 tunnel destination 10.10.10.10

Is there any information/advice/rule-of-thumb on setting the MTU size on the tunnel interface?

Thanks in advance,
-nick/
Re: [c-nsp] 7507 IOS ver. recommendation: 12.0S or 12.2S or whatever?
It's not just new features. A new release contains new features and bug fixes from an older version. FYI, I'm mentioning some of the 12.0 bug URLs:

http://seclists.org/bugtraq/1998/Dec/0117.html
http://www.cisco.com/en/US/products/products_security_advisory09186a00808399d0.shtml

Try googling for more.

Regards,
Masood Ahmad Shah

From: Aaron [mailto:[EMAIL PROTECTED]
Sent: Saturday, September 22, 2007 12:36 AM
To: Masood Ahmad Shah
Cc: [EMAIL PROTECTED]; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 7507 IOS ver. recommendation: 12.0S or 12.2S or whatever?

Unless there are features you need in 12.4, use 12.0. And make sure all your cards are VIPs to get the benefits of dCEF. 12.0(32)SY is pretty good.

Aaron

On 9/21/07, Masood Ahmad Shah [EMAIL PROTECTED] wrote:

Rule of thumb... keep new updates. Latest is 12.4(16) for 7507...

Regards,
Masood Ahmad Shah

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, September 21, 2007 4:51 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] 7507 IOS ver. recommendation: 12.0S or 12.2S or whatever?

Hi folks,

Please, I need your advice. Which IOS ver. is mostly recommended for a 7507 running mostly as an ethernet customer access router?

Our hardware configs are: 7507, dual RSP4 256D/32+F, VIP2-50s w/ PA-FE-TXs, old serials (FSIPs).

Our feature config is a standard provider package: lots of ISL/dot1q customer subinterfaces, dCEF, BGP4, netflow ver. 5, ACLs. And a little bit of some service stuff that we can switch off if needed for moving to the right image: NAT, GRE, NBAR, rate-limit, traffic-shaper. So, we are IPv4 only, no IPv6, no MPLS, no non-IP stuff.

Today I noticed our cybuses are up to ~100mbps load, so dCEF is definitely not working for us; that's the reason why we should switch IOS version. Also, it turned out today our dCEF really suffers from the named-ACLs bug. Oh, yes.

Please, advise. Thank you, indeed.

--
Ilia Zubkov, CIO, Educational Network Ltd.
Phone: +7 (495) 988-8990
Cell: +7 (985) 139-7739
Web: http://www.edunet.ru/
Re: [c-nsp] MTU settings/GRE tunnel
Use 'ip tcp adjust-mss 1400' on a router seeing traffic in the clear to force the MSS to 1400, so the IP datagram size to 1420 (of course 1400 is just a guess); this will cover all TCP traffic. Set ip mtu 1500 on the GRE tunnel interface (yes, 1500 bytes).

Reasoning:
- GRE encapsulation clears the DF bit UNLESS 'tunnel path-mtu-discovery' is set on the tunnel interface (if turned on, the tunnel MTU will be dynamically adjusted upon receipt of ICMP)
- IPsec encapsulation copies the DF and adjusts the path MTU upon receipt of ICMP UNLESS 'crypto ipsec df-bit clear/set' is configured in the crypto map
- the router will fragment when forwarding to any interface whose MTU is smaller than the received IP packet. This happens often when forwarding to a GRE tunnel whose MTU is 1476 per default...

The last point forces the router to drop all 1500-byte packets and to send an ICMP message when a DF packet is received.

Regards,
Masood Ahmad Shah

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick Kraal
Sent: Thursday, September 20, 2007 12:51 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] MTU settings/GRE tunnel

Dear all,

We are setting up tunnels within our network, and are using some previously documented configurations for this. We will use this to enable virtual P2P BGP sessions to isolate certain parts of our routing table. Cheap, temporary, and fast.

interface Tunnel0
 ip address 192.168.100.9 255.255.255.252
 no ip unreachables
 no ip proxy-arp
 ip mtu 1524
 tunnel source Loopback1
 tunnel destination 10.10.10.10

Is there any information/advice/rule-of-thumb on setting the MTU size on the tunnel interface?

Thanks in advance,
-nick/
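The forwarding rules in the reply above (and in the copy quoted in the earlier thread), as an added Python example that is not part of the original posts or of any Cisco code: it pushes one packet through a GRE tunnel and out of a 1500-byte physical interface under the settings discussed (default tunnel MTU, ip mtu 1500 on the tunnel, tunnel path-mtu-discovery, and ip tcp adjust-mss 1400). The router model and its parameter names (tunnel_ip_mtu, pmtud, physical_mtu) are assumptions for this illustration; the 20-byte IP, 20-byte TCP and 4-byte GRE header sizes are standard.

```python
"""Model of the GRE MTU behaviour described in the reply above.

Added example, not code from the cisco-nsp post or from Cisco. The forwarding
model and the parameter names are assumptions made for this illustration.
"""
from dataclasses import dataclass

IP_HDR = 20
TCP_HDR = 20
GRE_HDR = 4                                        # GRE without key/sequence fields
GRE_TUNNEL_MTU_DEFAULT = 1500 - IP_HDR - GRE_HDR   # 1476, the default the reply mentions


@dataclass(frozen=True)
class Packet:
    size: int   # total IP datagram length in bytes
    df: bool    # Don't Fragment bit set


def datagram_size_from_mss(mss: int) -> int:
    """Largest IPv4/TCP datagram a host sends after 'ip tcp adjust-mss <mss>'."""
    return mss + TCP_HDR + IP_HDR


def forward(pkt: Packet, egress_mtu: int):
    """One hop of the rule in the reply: a packet larger than the egress MTU is
    fragmented, unless DF is set, in which case it is dropped and an ICMP
    'fragmentation needed' would be sent to the source.

    Returns (action, list of datagram sizes that leave the interface).
    """
    if pkt.size <= egress_mtu:
        return "forward", [pkt.size]
    if pkt.df:
        return "drop-icmp", []
    payload_per_frag = (egress_mtu - IP_HDR) // 8 * 8   # fragment offsets are 8-byte units
    payload = pkt.size - IP_HDR
    frags = []
    while payload > 0:
        chunk = min(payload, payload_per_frag)
        frags.append(chunk + IP_HDR)                     # every fragment carries an IP header
        payload -= chunk
    return "fragment", frags


def send_through_gre(pkt: Packet, tunnel_ip_mtu: int = GRE_TUNNEL_MTU_DEFAULT,
                     pmtud: bool = False, physical_mtu: int = 1500):
    """Push one packet into a GRE tunnel and out of a physical interface.

    Step 1: the inner packet is checked against the tunnel's 'ip mtu'.
    Step 2: GRE adds 24 bytes (outer IP + GRE); DF is cleared unless
            'tunnel path-mtu-discovery' is configured (pmtud=True). The
            dynamic tunnel-MTU adjustment PMTUD performs on ICMP feedback
            is not modelled here.
    Step 3: each outer packet is checked against the physical egress MTU.
    """
    action, inner_sizes = forward(pkt, tunnel_ip_mtu)
    if action == "drop-icmp":
        return action, []
    outer = [Packet(s + IP_HDR + GRE_HDR, pkt.df and pmtud) for s in inner_sizes]
    out_sizes = []
    for o in outer:
        action, sizes = forward(o, physical_mtu)
        if action == "drop-icmp":
            return action, []
        out_sizes.extend(sizes)
    return ("fragment" if len(out_sizes) > 1 else "forward"), out_sizes


if __name__ == "__main__":
    full_df = Packet(1500, True)          # constructed: a full-size packet with DF set
    print("default tunnel MTU, 1500-byte DF:", send_through_gre(full_df))
    print("ip mtu 1500 on tunnel, 1500-byte DF:",
          send_through_gre(full_df, tunnel_ip_mtu=1500))
    print("ip mtu 1500 + path-mtu-discovery:",
          send_through_gre(full_df, tunnel_ip_mtu=1500, pmtud=True))
    clamped = Packet(datagram_size_from_mss(1400), True)
    print("after adjust-mss 1400:", send_through_gre(clamped))
```

With the tunnel at its default 1476 bytes a 1500-byte DF packet is dropped; with ip mtu 1500 on the tunnel it is carried, at the cost of being fragmented after encapsulation and reassembled by the far tunnel endpoint, while the MSS clamp avoids both outcomes for TCP.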
Re: [c-nsp] ATM + 7505
Well, I don't think one can connect ATM25 with an OC3 interface, coz the chipset being used for ATM25 is different. The only thing left is an ATM25 chipset module or interface; I don't know exactly if it exists or not.

Regards,
Masood Ahmad Shah

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sridhar Ayengar
Sent: Thursday, September 20, 2007 8:26 PM
To: Cisco NSPs
Subject: [c-nsp] ATM + 7505

Is there any way to hook an ATM25 device to a 7505? Or a 7206VXR?

Peace...
Sridhar
Re: [c-nsp] cap'ing each host/ip to bw limits
Packeteer packet shaper is best. Go for it...

Regards,
Masood Ahmad Shah

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Bedard
Sent: Thursday, September 13, 2007 9:08 PM
To: matthew zeier
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] cap'ing each host/ip to bw limits

Well, you can limit the bandwidth based on application, such that peer to peer or ftp downloads are not maxing out all of your available bandwidth. There are some good NAC (network access control) inline devices from places like Elacoya or Packeteer which can limit on a per-user and per-application basis, if you need that kind of granularity.

Phil

On Sep 13, 2007, at 11:54 AM, matthew zeier wrote:

So I wonder if there's an alternative method to prevent over saturation (or at least reduce its impact on everyone else)...

Phil Bedard wrote:

Yes, unless they are static IP addresses and you configure policing for every single individual IP, but that doesn't sound like much fun...

Phil

On Sep 13, 2007, at 9:29 AM, matthew zeier wrote:

Phil Bedard wrote:

What platform are you using? The 6500/7600 w/SUP720 can do per-user microflow policing, which would probably accomplish what you are after. As for the router type platforms like the 7200/GSR, I'm not aware of any such feature outside of dial profiles.

3845 so I'm guessing I'm out of luck here.
Re: [c-nsp] gigabit ports/modules for 7507 and 7513 routers
Supported GE modules are GEIP and GEIP+... Maximum data throughput 350 Mbps to 400 Mbps. It can vary in some circumstances.

Regards,
Masood Ahmad Shah

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Tinka
Sent: Thursday, August 09, 2007 9:22 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] gigabit ports/modules for 7507 and 7513 routers

On Wednesday 08 August 2007 06:05, Howard Leadmon wrote:

On that topic, does anyone know what type of real world throughput one should be able to get on the onboard GE ports? I know they aren't limited by the PCI bus, as they are built in, but can they be run full bore, or anything close to it?

On a slightly similar note, the 7201 FAQ suggests the 4th Gig-E port directly hangs off the PCI-X bus and can reach wire speed for all packet sizes... This would be interesting (if actually possible), but I wonder how much of this would be affected by (or would affect) the CPU. We are planning to deploy some 7201's in the network, and would like to test this when we receive them. If anyone else has already had the pleasure, please share.

Mark.
[c-nsp] Cisco 7500 CPU SDRAM/Packet SDRAM
Can someone describe the functions of and the difference between CPU SDRAM and Packet SDRAM for the 7500 platform? Also the difference between SRAM and DRAM for the same platform.

Regards,
Masood Ahmad Shah
Re: [c-nsp] automatically enable debugs after a reload
For example, to enable debugging of incoming SSH connections, use the following EEM applet (the syslog pattern and CLI commands are quoted strings in the applet syntax):

event manager applet EnableDebugging
 event syslog occurs 1 pattern "%SYS-5-RESTART"
 action 1.0 cli command "enable"
 action 2.0 cli command "debug ip ssh"

For versions of IOS that don't support EEM but do support the config command 'do', you could modify the config off of the router, add a 'do debug...' command to the end, then copy the config back directly into the startup-config. It's messy, I know, but it does work.

Regards,
Masood Ahmad Shah
Nexlinx
BLOG: http://www.weblogs.com.pk/jahil/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tassos Chatzithomaoglou
Sent: Tuesday, August 21, 2007 4:22 PM
To: Oliver Boehmer (oboehmer)
Cc: cisco-nsp
Subject: Re: [c-nsp] automatically enable debugs after a reload

I'm trying to check if CSCed45578 applies to our case, but the first tests show that the proposed workaround doesn't work.

--
Tassos

Oliver Boehmer (oboehmer) wrote on 21/8/2007 8:25 AM:

Tassos Chatzithomaoglou wrote on Monday, August 20, 2007 6:54 PM:

I'm trying to troubleshoot an issue which appears just after a reload and I need to have some debugs enabled as soon as the router boots up. Is there a way I can enable some debugs before a reload and keep them active after the reload?

PS: I tried the EEM functionality (event syslog %SYS-5-RESTART, action cli debug) which works fine, but I was hoping for something easier and maybe safer (am I really catching the data starting from the best possible moment?)

There is no formal way to enable debugs right after reload, but next to the EEM solution, you could add the below lines to your startup-config (via copy remote-location startup-config) to achieve the same, but we can't be sure that this will necessarily catch all debugs right from the start.

[...]
! enable Radius accounting right after startup config is parsed
privilege exec level 1 debug radius
!
do debug radius
!
[...]

Guess it really depends on what you need to do.. Which problem are you trying to solve?

oli
Re: [c-nsp] 7204vxr freeze-up question
Well, I strongly recommend replacing the radio unit with another device. There are some legacy gigabit Intel chipset cards and they have a problem while transmitting even octets to Cisco GE interfaces. The workaround was to update the Intel NIC drivers. If you believe that you have an Intel card, then I guess you can't update the drivers for your radio unit and you may need to consult with the vendor.

Regards,
Masood Ahmad Shah

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adam Greene
Sent: Wednesday, August 22, 2007 11:44 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 7204vxr freeze-up question

Here's output from a sh controller during the outage state:
Re: [c-nsp] E1 controller - clock problems with 'line' fine with 'internal'
Circuits from the SAME carrier can generally share a clock, because the carrier will generally have a single clock source for all their circuits. If you have 3 E1s from the same carrier, on one of the E1s you would configure clock source primary and the rest could be clock source internal, because the internal clock would be synced to the primary line. You can also configure each interface as clock source line, which is the default. All E1s need a clock source, either your end or their end, and if this is a carrier circuit, then they provide the clock and you need either clock source line, or clock source primary on one E1 and clock source internal on the others.

Regards,
Masood Ahmad Shah
Nexlinx
BLOG: http://www.weblogs.com.pk/jahil/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ras
Sent: Wednesday, August 22, 2007 5:14 PM
To: c-nsp
Subject: [c-nsp] E1 controller - clock problems with 'line' fine with 'internal'

I've recently run into a slightly strange problem with one of my E1 circuits. We operate a hub-and-spoke setup, where a number of lines terminate into a single aggregation router on our side, and into a bunch of different locations/CPEs on the remote end. For all these lines, we have always had 'clock source line' for the E1 controller on both the aggregation router and the CPE routers. This has worked fine and the controllers show no errors.

I've just commissioned a new line into the same aggregation router, exactly the same equipment on the CPE side (2811, VWIC2-1MFT-G703), exactly the same equipment on the PE side (2811, VWIC2-2MFT-G703). But this time, we were seeing continuous 'Slip Secs' (top marks to whoever made that term up, incidentally), which were also showing up as 'Errored Secs' (but crucially, never 'Errored Secs'). After much investigation and a VWIC/chassis swap later, we were in exactly the same position.

I then tried configuring the aggregation controller (just for that one port) with 'clock source internal' and bang, all the errors disappeared completely. It's now been running well over 48h without a single errored second, versus 1 second per second before.

For reference, the aggregation router now has:

controller E1 0/0/1
 framing NO-CRC4
 clock source internal
 channel-group 0 timeslots 1-31

and the CPE has:

controller E1 0/1/0
 framing NO-CRC4
 channel-group 0 timeslots 1-31

Has anyone seen anything like this before and/or know what might cause this? My telco insists that they've tested the circuit end to end and it's working as expected (and to be fair, it is now..)

Thanks,
Ras
Re: [c-nsp] 7204vxr freeze-up question
Well, which IOS version do you run? I know there are some issues with the Intel chipset while it gets connected into a Cisco GBIC. I strongly suggest updating the driver of the NIC (if there is one), upgrading IOS or changing your NIC to check it out...

Regards,
Masood Ahmad Shah

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adam Greene
Sent: Wednesday, August 15, 2007 8:43 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] 7204vxr freeze-up question

Hi,

I'm running into an issue with a 7204VXR/NPE-300 router with 128MB RAM. A 1000Base-SX GBIC is plugged into one of the slots (not sure of the part # of the card into which the GBIC plugs).

We were running some dueling gateways speed tests with the router (packet stream is sent via iPerf to router A, which forwards it to router B, which forwards it back to router A, which forwards it back to router B, until TTL is decremented to 0). Soon after I start sending 75Mbps - 80Mbps of traffic to the router's gig interface via iPerf, the gig interface stops sending / receiving any traffic whatsoever. The CLI of the router remains up, the gig interface reports it is up / up, memory and cpu utilization remain low. No logs are generated. Traffic on other interfaces is unaffected. I shut / no shut the gigabit interface, but traffic still refuses to pass. Only a reload of the router rectifies the issue.

I wonder if there is a debug command that could provide some insight into the problem. At this point I am suspecting a hardware issue (GBIC, card, or backplane).

Thanks for any insights
Adam
Re: [c-nsp] VPLS over Tunnels
VPLS uses edge routers that can learn, bridge and replicate on a VPN basis. These routers are connected by a full mesh of tunnels, enabling any-to-any connectivity. Here's the URL...

http://www.cisco.com/en/US/products/ps6648/products_ios_protocol_option_home.html

Regards,
Masood Ahmad Shah
BLOG: http://www.weblogs.com.pk/jahil/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, August 08, 2007 12:34 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] VPLS over Tunnels

Hello,

Trying to find some doc about implementing VPLS over TE Tunnels. Something similar to Implementing MPLS VPN over TE Tunnels
http://www.cisco.com/en/US/tech/tk436/tk428/technologies_tech_note09186a0080125b01.shtml

Tks
Re: [c-nsp] Cisco PIX VPN address pool
You may need to play with the dhcpd lease things...

  dhcpd lease 3600

Regards,
Masood Ahmad Shah
BLOG: http://www.weblogsl.com.pk/jahil/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Klassen
Sent: Saturday, July 28, 2007 12:58 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco PIX VPN address pool

Pix 605. Two questions:

I have a small reserved set of addresses set in the PIX for a few people who use IPSEC VPN. At least one of the users keeps disconnecting. I believe what is happening is that the user is just closing the VPN client software and not disconnecting first. The big issue with this is that even though the sessions appear to close properly, the IP address is not returned as free to the pool. This is keeping other users from being able to VPN in because the pool has been exhausted. The only way that I've figured out to free these addresses is to do a reload on the PIX. Is there some command I can use to expire the lease on an address immediately?

Example: Pool is set as 10.10.10.64-10.10.10.70. Four clients login, getting assigned .64, .65, .66, and .67 in order of connection. .65 connection is lost in whatever weird way that's happening. The client reconnects, but is assigned .68. He loses conn again, reconnects, and is assigned .69. Two different clients now attempt to login, the first is assigned .70 and the second cannot get an address because .65 and .68 are locked and not returned to the pool for use.

Also, which of the many timeouts control the lease time for a VPN pool? I have the following in the config that might be relevant:

  arp timeout 14400
  timeout xlate 1:00:00
  timeout conn 1:00:00 half-closed 0:10:00
  isakmp policy lifetime 28800
  vpngroup idle-time 2400
  vpngroup max-time 14400
  dhcpd lease 3600
  dhcpd ping_timeout 750

Thanks,
Scott Klassen
[c-nsp] 7507 GEIP Controller
I have a strange issue with a 7507. I have added a new GEIP controller into it. By adding this GEIP controller the CPU usage has increased by up to 20%. The strange thing is that CPU usage is always normal + 20% and there is no traffic on this interface (even if the interface is shutdown the usage remains the same). And if there is traffic it's the same :) I can't see the process taking this high CPU utilization if I look into the CPU usage stats. What the heck has happened to this? :)

Here are the CPU stats:

  Router# #show proc cpu | excl 0.00%__0.00%__0.00%
  CPU utilization for five seconds: 15%/13%; one minute: 15%; five minutes: 13%
  PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
  5 518320 41974 12348 0.00% 0.11% 0.11% 0 Check heaps
  20 66004924869 71 0.08% 0.01% 0.00% 0 IPC Seat Manager
  22 204088 1466063139 0.00% 0.03% 0.02% 0 ARP Input
  317080 1609 4400 0.98% 1.44% 0.59% 2 Virtual Exec
  52 117672 5843 20138 0.00% 0.02% 0.00% 0 Per-minute Jobs
  73 3586004 17990635199 0.82% 0.60% 0.49% 0 IP Input
  189 38964213398182 0.00% 0.01% 0.00% 0 IP SNMP
  191 56184104952535 0.00% 0.01% 0.00% 0 SNMP ENGINE
  196 160560 1397067114 0.08% 0.01% 0.00% 0 BGP Router
  197 49200250208196 0.00% 0.01% 0.00% 0 BGP I/O

IOS version: IOS Version 12.4(3a)

Controller:

  Router# sh ver | inc GEIP
  1 GEIP controller (1 GigabitEthernet).
  1 GEIP controller (1 GigabitEthernet)

Regards,
Masood Ahmad Shah
Re: [c-nsp] 7507 GEIP Controller
Thanks for your reply.. I have not tried without the cable, I will check it. Does the cable have an effect even if the interface is shutdown? Why can't I see the process taking this high CPU usage while I do show proc cpu etc.?

Here is the output for show diag, show stacks and show align:

  Router#show diag 5    ( this is the GEIP controller slot )
  Slot 5:
    Physical slot 5, ~physical slot 0xA, logical slot 5, CBus 1
    Microcode Status 0x4
    Master Enable, LED, WCS Loaded
    Board is analyzed
    Pending I/O Status: None
    EEPROM format version 1
    GEIP controller, HW rev 2.02, board revision A0
    Serial number: 27588119  Part number: 73-2167-05
    Test history: 0x00  RMA number: 00-00-00
    Flags: cisco 7000 board; 7500 compatible
    EEPROM contents (hex):
      0x20: 01 21 02 02 01 A4 F6 17 49 08 77 05 00 00 00 00
      0x30: 50 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00
    Slot database information:
    Flags: 0x4  Insertion time: 0x33C0 (4d00h ago)
    Controller Memory Size: 128 MBytes DRAM, 4096 KBytes SRAM
    PA Bay 0 Information:
      Gigabit-Ethernet PA, 1 ports
      EEPROM format version 1
      HW rev 1.01, Board revision A0
      Serial number: 29339093  Part number: 73-3144-05
    --Boot log begin--
    Cisco IOS Software, VIP Software (SVIP-DW-M), Version 12.4(3a), RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2005 by Cisco Systems, Inc.
    Compiled Fri 30-Sep-05 07:50 by hqluong
    Image text-base: 0x6001104C, data-base: 0x6072
    Port Statistics for unclassified packets is not turned on.
    --Boot log end--

  Router# #show stacks
  Minimum process stacks:
   Free/Size  Name
   2340/3000  RSP memory size check
  11280/12000 DHCPD Receive
   5340/6000  Inspect Init Msg
  59136/6     script background loader
   5224/6000  CDP Protocol
   5028/6000  Clock Server
  11004/12000 Router Init
   3220/12000 Init
   4184/6000  Update prst
   4976/6000  DIB error message
   5152/6000  RADIUS INITCONFIG
   5188/6000  DRMI Master Reg. Slave Process
   5136/6000  CEF Reloader
   5312/6000  MDFS Reload
  34844/36000 TCP Command
   5332/6000  BGP Accepter
   4892/6000  BGP Open
   2276/3000  Rom Random Update Process
   9236/12000 IPS SDF Loader
   8220/12000 Virtual Exec
   8220/12000 Exec
  10884/12000 SSH Process

  Interrupt level stacks:
  Level    Called Unused/Size Name
      1 2213677378  6892/9000 Network Interrupt
      2    5585183  7676/9000 Network Status Interrupt
      3          0  8692/9000 OIR interrupt
      4          0  9000/9000 PCMCIA Interrupt
      5     171491  8596/9000 Console Uart
      6          0  9000/9000 Error Interrupt
      786692017     8604/9000 NMI Interrupt Handler

  Router# #show align
  No alignment data has been recorded.
  No spurious memory references have been recorded.

Regards,
Masood Ahmad Shah

-Original Message-
From: Rodney Dunn [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 26, 2007 1:14 AM
To: Masood Ahmad Shah
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 7507 GEIP Controller

What does 'sh diag' say and sh stack and show align. It's as if interrupts are getting sent to the RSP for some reason. Does the same thing happen if no cables are attached. 'sh diag'?

On Thu, Jul 26, 2007 at 12:47:43AM +0500, Masood Ahmad Shah wrote:
> [quoted original message, as above]
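An added example, not part of the thread: it parses the 'show proc cpu' output quoted above (whitespace between some columns was lost in the archive, so rows are parsed from the right) and separates the interrupt-level share reported in the header from what the per-process table accounts for. The header's "15%/13%" means 15% total with 13% at interrupt level, so only about 2% is left to show up against named processes, which is why the table looks unremarkable.

```python
import re
from typing import Dict, Tuple

# The output lines quoted in the thread, reproduced as test input.
SHOW_PROC_CPU = """\
CPU utilization for five seconds: 15%/13%; one minute: 15%; five minutes: 13%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
5 518320 41974 12348 0.00% 0.11% 0.11% 0 Check heaps
20 66004924869 71 0.08% 0.01% 0.00% 0 IPC Seat Manager
22 204088 1466063139 0.00% 0.03% 0.02% 0 ARP Input
317080 1609 4400 0.98% 1.44% 0.59% 2 Virtual Exec
52 117672 5843 20138 0.00% 0.02% 0.00% 0 Per-minute Jobs
73 3586004 17990635199 0.82% 0.60% 0.49% 0 IP Input
189 38964213398182 0.00% 0.01% 0.00% 0 IP SNMP
191 56184104952535 0.00% 0.01% 0.00% 0 SNMP ENGINE
196 160560 1397067114 0.08% 0.01% 0.00% 0 BGP Router
197 49200250208196 0.00% 0.01% 0.00% 0 BGP I/O
"""

# "five seconds: <total>%/<interrupt>%" is the IOS header format.
HEADER_RE = re.compile(r"five seconds: (\d+)%/(\d+)%")


def parse_header(text: str) -> Tuple[int, int]:
    """Return (total, interrupt_level) five-second CPU percentages."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("no CPU utilization header found")
    return int(m.group(1)), int(m.group(2))


def parse_processes(text: str) -> Dict[str, float]:
    """Map process name -> 5Sec percentage.

    Leading columns (PID/Runtime/Invoked/uSecs) may be run together in the
    archived text, so each row is located by its three percentage tokens,
    then the TTY column is skipped and the rest is the process name."""
    procs: Dict[str, float] = {}
    for line in text.splitlines():
        toks = line.split()
        pct_idx = [i for i, t in enumerate(toks) if t.endswith("%")]
        if len(pct_idx) != 3:
            continue  # header or column-title line
        five_sec = float(toks[pct_idx[0]].rstrip("%"))
        name = " ".join(toks[pct_idx[2] + 2:])
        procs[name] = five_sec
    return procs


def cpu_breakdown(text: str) -> Dict[str, float]:
    """Split total CPU into interrupt level vs. process level, and compare the
    process-level figure with what the per-process table actually lists."""
    total, interrupt = parse_header(text)
    procs = parse_processes(text)
    return {
        "total": total,
        "interrupt": interrupt,
        "process_level": total - interrupt,
        "visible_in_table": round(sum(procs.values()), 2),
    }


if __name__ == "__main__":
    for key, value in cpu_breakdown(SHOW_PROC_CPU).items():
        print(f"{key:>18}: {value}%")
```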
Re: [c-nsp] PPPoE issues // ACS provide the same IP.
Well, it prevents customers from obtaining IPs, which is good not bad. What I suggest is that you'd better use the NAS to allocate IPs instead of ACS. If you really want to use ACS to assign IPs then you may need to check for duplicate pool entries for the same network.

Regards,
Masood Ahmad Shah

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Bulk
Sent: Wednesday, July 25, 2007 4:05 AM
To: 'Robert Blayzor'; nsp
Subject: Re: [c-nsp] PPPoE issues // ACS provide the same IP.

Right, it doesn't fix the problem, but in the meantime it prevents customers from obtaining duplicate IPs, which is also bad.

Frank

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Blayzor
Sent: Tuesday, July 24, 2007 3:46 PM
To: nsp
Subject: Re: [c-nsp] PPPoE issues // ACS provide the same IP.

Frank Bulk wrote:
> One way to perhaps prevent a duplicate IP is to try the undocumented ppp ipcp unique-address in your Virtual Template. That's what we use on our 7206VXR.

That doesn't fix the problem, it will just prevent the duplicate IP session from setting up. The right answer is to fix the broken AAA server giving out the same IP address for multiple sessions. Easier yet, if possible, set the pool up in the router and let it control giving out dynamic addresses. You can just use a static pool in the virtual-template or tell it which pool to use from the AAA server.

--
Robert Blayzor
INOC
[EMAIL PROTECTED]
http://www.inoc.net/~rblayzor/

Earth is 98% full...please delete anyone you can.
Re: [c-nsp] cisco 851
http://www.cisco.com/warp/public/794/827pppoe_client.html

cheers :)

Regards,
Masood Ahmad Shah

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aman Chugh
Sent: Friday, June 22, 2007 6:34 PM
To: Peter Walker
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] cisco 851

Thanks Peter for replying, I did do some research on this prior to sending it out on the list. What I was looking for was a sample config to see if I need to configure the PPPoE client on the router and create a dialer interface or not, as I would be using an external DSL modem as well. I am not sure where the PPPoE username and password configuration would be done if I have an external DSL modem and a static IP on the modem's WAN interface.

Aman

On 6/22/07, Peter Walker [EMAIL PROTECTED] wrote:

--On 21 June 2007 20:49 +0530 Aman Chugh [EMAIL PROTECTED] wrote:

> All, I need to connect a Cisco 851 at remote location to the central office 2801 router connected to the internet
> Aman

I am a little surprised that you sent a question to this list before looking at Cisco's support site. If you looked at www.cisco.com - support - documentation - Networking technology documentation : Security and VPN - IPSec - Configuration examples and technotes you would have found over 150 examples of how to configure VPNs involving cisco kit. The section IPSec on Router to Router has a bunch of examples that might help.

> Is there any good document for creating site to site vpn between two locations,

Yes

> also what all features are available with 851 along with ios firewall and vpn, I do have a static ip from remote site ISP.

www.cisco.com - products ... I think you get the idea

Also www.cisco.com/go/fn

> Aman

Peter
Re: [c-nsp] DHCP snooping with PIX 7.22 as dhcp server fails
The caveat with DHCP snooping is that you must establish a trust relationship with downstream DHCP snoopers on a trunk port:

  Switch(config-if)# ip dhcp relay information trusted

Regards,
Masood Ahmad Shah
Nexlinx
http://www.weblogs.com.pk/jahil/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jay Hennigan
Sent: Wednesday, July 18, 2007 11:24 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] DHCP snooping with PIX 7.22 as dhcp server fails

I have a network with a 3550 switch behind a PIX. The PIX is acting as the DHCP server on its inside interface. We had an incident with a rogue DHCP server on the LAN. Turning on DHCP snooping on the switch causes the PIX to stop handing out leases. I'm new to DHCP snooping configs, this is probably something simple I've overlooked in the configuration; I've RTFM to no avail.

Switch is Version 12.2(37)SE1, PIX is 7.2(2)

Switch config:

  !
  ip dhcp snooping vlan 1
  ip dhcp snooping
  !
  !
  interface FastEthernet0/48
   description PIX inside
   switchport mode access
   spanning-tree portfast
   ip dhcp snooping trust
  !

  sw1#sh ip dhcp snoop
  Switch DHCP snooping is enabled
  DHCP snooping is configured on following VLANs:
  1
  DHCP snooping is configured on the following Interfaces:
  Insertion of option 82 is enabled
     circuit-id format: vlan-mod-port
     remote-id format: MAC
  Option 82 on untrusted port is not allowed
  Verification of hwaddr field is enabled
  Interface                  Trusted    Rate limit (pps)
  ------------------------   -------    ----------------
  FastEthernet0/48           yes        unlimited

PIX config:

  dhcpd dns x.x.x.x y.y.y.y
  dhcpd domain foo.com
  !
  dhcpd address 192.168.100.50-192.168.100.200 inside
  dhcpd dns y.y.y.y z.z.z.z interface inside
  dhcpd domain foo.com interface inside
  dhcpd enable inside

PIX debug shows the following on receipt of a DHCP request:

  DHCPD: inconsistent relay information.
  DHCPD: relay information option exists, but giaddr is zero.
  DHCPD: Unable to load workspace.
  DHCPD: inconsistent relay information.
  DHCPD: relay information option exists, but giaddr is zero.
  DHCPD: Unable to load workspace.

Turning off snooping on the switch brings it back operational.

--
Jay Hennigan - CCIE #7880 - Network Engineering - [EMAIL PROTECTED]
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
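An added example, not code from the thread or from Cisco: a small DHCP parser that reproduces the check behind the PIX debug line "relay information option exists, but giaddr is zero". A snooping switch with option 82 insertion enabled adds the relay agent option to a bridged request without acting as a relay, so giaddr stays 0.0.0.0, while a real relay fills giaddr in; the server treats the first combination as inconsistent. The packets and the option 82 contents below are constructed for the example (the circuit-id layout is only loosely modelled on the vlan-mod-port format shown above).

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional

OPT_MSG_TYPE = 53
OPT_RELAY_AGENT = 82
OPT_END = 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2131 option-field marker


@dataclass
class DhcpMessage:
    op: int                      # 1 = BOOTREQUEST, 2 = BOOTREPLY
    giaddr: str                  # relay agent address, 0.0.0.0 if none
    options: Dict[int, bytes] = field(default_factory=dict)


def parse_dhcp(pkt: bytes) -> DhcpMessage:
    """Parse the fixed BOOTP header and the TLV option list."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    giaddr = ".".join(str(b) for b in pkt[24:28])
    opts: Dict[int, bytes] = {}
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_END:
            break
        if code == 0:            # pad byte, no length field
            i += 1
            continue
        length = pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return DhcpMessage(pkt[0], giaddr, opts)


def relay_info_consistent(msg: DhcpMessage) -> Optional[str]:
    """Return None when option 82 and giaddr agree, else the reason a server
    like the PIX in the thread would reject the request."""
    if OPT_RELAY_AGENT in msg.options and msg.giaddr == "0.0.0.0":
        return "relay information option exists, but giaddr is zero"
    return None


def build_discover(giaddr: str, option82: Optional[bytes]) -> bytes:
    """Construct a minimal DHCPDISCOVER (constructed test data)."""
    hdr = bytearray(236)
    hdr[0], hdr[1], hdr[2] = 1, 1, 6          # BOOTREQUEST, ethernet, hlen 6
    hdr[4:8] = struct.pack("!I", 0x3903F326)   # constructed xid
    hdr[24:28] = bytes(int(x) for x in giaddr.split("."))
    hdr[28:34] = b"\x00\x11\x22\x33\x44\x55"   # constructed client MAC
    opts = bytearray(MAGIC_COOKIE)
    opts += bytes([OPT_MSG_TYPE, 1, 1])        # message type DISCOVER
    if option82 is not None:
        opts += bytes([OPT_RELAY_AGENT, len(option82)]) + option82
    opts += bytes([OPT_END])
    return bytes(hdr) + bytes(opts)


# Option 82 as a snooping switch might insert it (constructed):
# sub-option 1 circuit-id (vlan 1, module 0, port 48), sub-option 2 remote-id.
CIRCUIT_ID = bytes([1, 6, 0, 4, 0, 1, 0, 48])
REMOTE_ID = bytes([2, 6]) + b"\xaa\xbb\xcc\xdd\xee\xff"
OPTION82 = CIRCUIT_ID + REMOTE_ID

if __name__ == "__main__":
    for label, giaddr, o82 in [("bridged+opt82", "0.0.0.0", OPTION82),
                               ("relayed+opt82", "192.168.100.1", OPTION82),
                               ("plain", "0.0.0.0", None)]:
        print(label, relay_info_consistent(parse_dhcp(build_discover(giaddr, o82))))
```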
Re: [c-nsp] RELATED: Feedback on: Security Advice for Routers and Switches
Before the local proxy ARP feature can be used, the IP proxy ARP feature must be enabled :)

Well, there is another problem. In network configurations that have the DHCP server and DHCP clients in different network segments, the ip-helper feature enables forwarding the DHCP requests to the server. However, if the local-proxy-arp feature is configured on that same IP interface, the clients will have problems obtaining an IP address from the DHCP server, mistakenly thinking there is an IP address duplication on the network. This happens because the DHCP client OS TCP/IP stack implementation sends a gratuitous ARP to the network with its assigned address, in order to verify that there is no IP address conflict. The router's proxy-arp function responds to that request with the address stored in its ARP table during DHCP negotiation, causing the client to display an error message warning about another station using the same address it was assigned.

Workaround: disable ip local-proxy-arp

Regards,
Masood Ahmad Shah
BLOG: http://www.weblogs.com.pk/jahil/

[EMAIL PROTECTED] wrote:

> Hi, Alan,
> Did you try to disable ICMP redirects? (no ip redirects on the VLAN interface)?

ip local-proxy-arp seems to be the beast. can anyone dissuade? with this, coupled with DAI and a better L3 ACL on the VLAN you should be able to block any nefarious L3 attacks whilst reporting them etc.

oh. a word of warning to those implementing this...by default if there are a dozen or so ARP spoofs in a short space of time, then it'll trigger a port error - arpspoof - which can be auto reset with an errdisable recovery - or you can avoid by setting no limit on the arpspoof count. this could bite if the interface was a trunk feed from a whole building/subnet/campus ;-)

alan
[c-nsp] Sup2, PFC2 and MSFC2 Access/Distribution aggregation
This thread is related to access/distribution layer VLAN aggregation on a single switch. I'm looking into purchasing a 6500 series switch. I'm implementing this for a company with some corporate clients. I'm planning on using inter-VLAN routing, access-lists, 100s of static routes, 1000s of sessions, bridged IP traffic, IP based SYN session limits, mirror/span port and IDS/IPS (if possible), separate VLANs for different clients (and all clients are allowed to communicate with each other, so routing between them) and more to prevent layer 2 floods. I hope to hear from anyone out there who has had experience with the equipment listed below as I'm gonna purchase this one.

Supervisor Engine 2, Policy Feature Card 2 (PFC2), Multilayer Switch Feature Card 2 (MSFC2) and SFM2 (optional)

What do you guys suggest?

Regards,
Masood Ahmad Shah
BLOG: http://www.weblogs.com.pk/jahil/
[c-nsp] 4908-L3 Core Layer
I just got worried about using the 4908-L3 in the core layer. I have some doubts.. Does the 4908-L3 support route-maps along with access-lists? I'm gonna process 200Mbps of traffic while applying access-lists and route-maps along with 1000s of static routes.. Please suggest if someone has good/bad experience with this.

Regards,
Masood A Shah
BLOG: http://www.weblogs.com.pk/jahil/