[c-nsp] 10G Cisco router

2023-05-31 Thread harbor235 via cisco-nsp
Hi all,

Looking for a Cisco CPE that can do up to 2Gbps, basic routing, nothing
fancy.

4451 w/2Gbps license and 2x SM-Xs could do the trick; thoughts, better
choice?

Needs to be Cisco, eng group is finicky

Mike
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] NTP network design considerations

2022-10-14 Thread harbor235 via cisco-nsp
I hear what you're saying, but NTP is an active attack vector; I don't trust
outside resources implicitly, and traffic segmentation is a prudent measure,
especially if you are getting Internet time. Now if you have your own
stratum 1 then I understand your point more.


Mike

On Fri, Oct 14, 2022 at 10:45 AM Gert Doering  wrote:

> Hi,
>
> On Fri, Oct 14, 2022 at 10:27:16AM -0400, harbor235 via cisco-nsp wrote:
> > How are you integrating NTP into your infrastructures? Is it part of your
> > management network(s)?
>
> NTP servers (appliances from Meinberg and regular FreeBSD servers,
> basically)
> are just sitting "on the Internet" and our machines sync to them, and
> monitor their relative times (= so if one is misbehaving, NTP will
> do the right thing on its own, and monitoring will tell us so we can
> fix it).
>
> The machines protect themselves by local iptables rules for SSH/https,
> and in-band by NTP access rules ("serve time to everyone, serve larger
> responses only to management systems, do not believe anyone").
>
> I've never understood this obsession on filtering things that are intended
> to be put out in the wild.
>
> gert
>
> --
> "If was one thing all people took for granted, was conviction that if you
>  feed honest figures into a computer, honest figures come out. Never
> doubted
>  it myself till I met a computer with a sense of humor."
>  Robert A. Heinlein, The Moon is a Harsh
> Mistress
>
> Gert Doering - Munich, Germany
> g...@greenie.muc.de
>
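An added example, not Gert's or any poster's actual configuration: an ntpd `ntp.conf` fragment that implements the access policy described in the reply above ("serve time to everyone, serve larger responses only to management systems, do not believe anyone"). The upstream server addresses and the management prefix are assumed placeholders.

```text
# Constructed ntp.conf fragment for a public-facing NTP server.
driftfile /var/lib/ntp/ntp.drift

# "Do not believe anyone": time is taken ONLY from these configured sources
# (assumed placeholder addresses). There is deliberately no broadcastclient,
# multicastclient or manycastclient line, and "nopeer" below rejects any
# unsolicited symmetric-active association a remote host might try to form.
server 192.0.2.10 iburst
server 192.0.2.11 iburst
server 192.0.2.12 iburst

# "Serve time to everyone": the default policy still answers ordinary
# client-mode time requests, but nothing else.
#   kod      - answer abusive clients with a kiss-o'-death packet
#   limited  - apply the rate limits set by "discard"
#   nomodify - refuse ntpq/ntpdc runtime configuration changes
#   noquery  - refuse ntpq/ntpdc status queries (the "larger responses")
#   nopeer   - refuse unsolicited peer associations
#   notrap   - refuse the mode 6 trap (remote logging) service
restrict default kod limited nomodify nopeer noquery notrap
restrict -6 default kod limited nomodify nopeer noquery notrap

# "Serve larger responses only to management systems": the monitoring
# network (assumed placeholder prefix) may run ntpq status queries, but
# still cannot reconfigure the daemon or become a peer.
restrict 198.51.100.0 mask 255.255.255.0 kod limited nomodify nopeer notrap

# Local monitoring on the box itself keeps full access.
restrict 127.0.0.1
restrict ::1

# Rate limiting used by "limited"/"kod": at most one packet per 2^3 = 8 s on
# average from a given source, with a 2 s hard minimum between packets.
discard minimum 2 average 3
```

The monitoring Gert describes (watching each server's offset relative to the others) can then query these servers from the management prefix with `ntpq -p` while everyone else only ever receives a 48-byte time reply.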


[c-nsp] NTP network design considerations

2022-10-14 Thread harbor235 via cisco-nsp
To all,

How are you integrating NTP into your infrastructures? Is it part of your
management network(s)?
In the past it used to be that the management network was a flat network,
now we deploy north of the FW security zone management network and south of
the FW security zone management network. In this case the stratum 1 time
sync is from an org within my company but outside of my division. I want to
isolate the NTP infrastructure via a FW  interface for traffic isolation
and inspection.

I am curious how others are segmenting flows/traffic in their management
networks to isolate traffic flows. mngmt VRFs, vlans, L3 interfaces,
etc Specifically how are you dealing with NTP infrastructure that all
infrastructure obtains time from?


Mike


Re: [c-nsp] [j-nsp] SRTBH

2022-07-13 Thread harbor235
thanks for the input

Mike

On Thu, Jul 7, 2022 at 10:20 AM Jeff Haas  wrote:

> In circumstances where the routing table can help you mitigate an attack,
> including things that use uRPF, it'll usually scale significantly better
> that flowspec.  This is primarily because flowspec is just a distributed
> way of programming the firewall, and firewalls on transit routers have many
> dimensions where they don't scale nicely.
>
> That said, the firewall on many of our platforms for "block these sources"
> should scale nicely ... but doesn't in flowspec if you have rules that
> interleave.  The interleaving rules interfere with firewall optimization.
>
> The issue above motivates the flowspec v2 work happening in IETF,
> particularly the user-ordered rules.
>
> -- Jeff
>
>
> On 7/7/22, 10:02 AM, "juniper-nsp on behalf of Gert Doering via
> juniper-nsp"  juniper-...@puck.nether.net> wrote:
>
> [External Email. Be cautious of content]
>
>
> Hi,
>
> On Thu, Jul 07, 2022 at 08:41:56AM -0400, harbor235 via juniper-nsp
> wrote:
> > Since Flowspec arrived, are there any uses for SRTBH?
>
> Scaling?
>
> My understanding of flowspec is that it is typically implemented by
> programming ACL TCAM, while SRTBH is routing table lookup, so
> "some 10.000 lines" vs. "2-4 million".
>
> OTOH, SRTBH is all-or-nothing, not "only port 80"...
>
> gert
> --
> "If was one thing all people took for granted, was conviction that if
> you
>  feed honest figures into a computer, honest figures come out. Never
> doubted
>  it myself till I met a computer with a sense of humor."
>  Robert A. Heinlein, The Moon is a Harsh
> Mistress
>
> Gert Doering - Munich, Germany
> g...@greenie.muc.de
>
>
> Juniper Business Use Only
>
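An added Cisco IOS configuration example, constructed for this thread and not taken from any poster, showing the S/RTBH mechanics that the replies compare against flowspec: a trigger router injects an attacking source address as a BGP route whose next hop resolves to Null0, and every edge router then drops packets from that source via loose-mode uRPF, so the filter lives in the routing table rather than in ACL TCAM. The AS number, addresses, interface name and community value are assumed placeholders.

```text
! ===== Trigger router (constructed example) =====
ip bgp-community new-format
!
! The discard address must be reachable (via Null0) here too, or BGP will
! treat the injected routes as having an inaccessible next hop.
ip route 192.0.2.1 255.255.255.255 Null0
!
! Any static route tagged 666 is redistributed into iBGP with its next hop
! rewritten to the discard address, a high local preference so it wins, and
! no-export so the blackhole never leaks to customers or external peers.
route-map RTBH-TRIGGER permit 10
 match tag 666
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 set community 64496:666 no-export
!
router bgp 64496
 redistribute static route-map RTBH-TRIGGER
 neighbor IBGP-EDGE peer-group
 neighbor IBGP-EDGE remote-as 64496
 neighbor IBGP-EDGE update-source Loopback0
 neighbor IBGP-EDGE send-community
 neighbor 10.255.0.1 peer-group IBGP-EDGE
!
! Operator action during an attack: one static route per offending source
! (203.0.113.77 is a constructed example). Each line is one FIB entry on
! every edge router; withdraw it with "no ip route ..." when the attack ends.
ip route 203.0.113.77 255.255.255.255 Null0 tag 666

! ===== Every edge router (same constructed AS) =====
ip bgp-community new-format
!
! The discard address resolves to Null0, so every BGP prefix learned with
! next hop 192.0.2.1 recurses to Null0 in the FIB.
ip route 192.0.2.1 255.255.255.255 Null0
!
router bgp 64496
 neighbor 10.255.0.2 remote-as 64496
 neighbor 10.255.0.2 update-source Loopback0
 neighbor 10.255.0.2 send-community
!
interface TenGigabitEthernet0/0/0
 description transit / peering uplink
 ! Loose-mode uRPF looks up the SOURCE address in the FIB and drops the
 ! packet when the best route is Null0. With the blackhole route above this
 ! turns destination blackholing (D/RTBH) into source blackholing (S/RTBH)
 ! at routing-table scale, with no per-source ACL entry. "allow-default" is
 ! needed when this router carries a default route, because IOS otherwise
 ! fails sources that are only covered by 0.0.0.0/0.
 ip verify unicast source reachable-via any allow-default
!
! Verify on an edge router: "show ip route 203.0.113.77" should show the
! route via next hop 192.0.2.1 resolving to Null0, and the uRPF drop
! counter in "show ip interface TenGigabitEthernet0/0/0" should increase.
```

As Gert notes, the trade-off is that this is all-or-nothing per source address; selecting on ports or protocol still needs an ACL or flowspec rule in TCAM.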


[c-nsp] SRTBH

2022-07-07 Thread harbor235
Since Flowspec arrived, are there any uses for SRTBH?

Anyone using TrinityCyber? They use a different approach to IDS that is not
strictly signature based but more TTP based. Write-ups appear to be good;
curious if anyone is using their products?


Mike


[c-nsp] Test Labs

2021-11-03 Thread harbor235
Hi all,

Anybody out there integrating production environments (real-time service
delivery), test, and development labs into a single architecture? I do not
like this idea if it is avoidable. I understand the supposed savings, but the
cost of an unplanned event negates the implied savings.

thoughts?


Mike


[c-nsp] Third party optics

2021-09-07 Thread harbor235
How are your organizations dealing with Cisco equipment and usage of third
party optics?
  1) Cisco or "third party"?
  2) Cisco policy regarding third party components?

Is it worth the risk?



https://www.cisco.com/c/en/us/products/warranties/warranty-doc-c99-740959.html#_Toc81362530


Mike


[c-nsp] Cisco life cycle strategy

2020-11-19 Thread harbor235
Hello,

What is your replacement strategy for Cisco gear reaching EOL milestones?

I prefer not to replace at the end of SW maintenance releases but rather at
the end of vulnerability/security support. My assumption is that by then all
the major bugs should have been fixed and the software should be stable.

Last days for hardware replacement continue through the end of the service
contract. I would like to get as much investment protection as possible,
not to mention the potential for disruption of infrastructure services.


thoughts? strategies?


Mike


[c-nsp] Core - distribution

2020-09-09 Thread harbor235
How are you IP'ing your connector networks between core and distribution?
Public space or private? I do not like the potential overlap with
management networks, and I cannot DNS my connector networks to make my
traceroutes look pretty.

I also like loopbacks publicly routable as well. Some organizations use
RFC1918 netblocks for connector networks and loopbacks; is it just
preference or am I missing other reasons not to use 1918?

Mike


[c-nsp] remote VPN chaining (nested)

2020-03-25 Thread harbor235
Hi,

Has anyone established a remote access vpn inside another remote access vpn?

Does it work? Any challenges? Do you need the same VPN client?

thanks in advance,


Mike


Re: [c-nsp] [j-nsp] IPv6 hardening

2019-12-30 Thread harbor235
Thanks for the follow up Rob, I have really loved your site over the years,
first started using the site while at Digex in late 90s early 2000s.

Mike

On Mon, Dec 30, 2019 at 2:08 PM Rabbi Rob Thomas  wrote:

> Dear Mike,
>
> > Does anyone have any updated router hardening guidelines, some of the
> sites
> > I reference have not been updated for some time. e.g. www.team-cymru.org
>
> Funny you should mention that.  :)  I’m in the midst of updating all of
> our Juniper templates, though I don’t expect to be done until circa mid
> January.  2020, to be clear.  I will keep you posted!
>
> Be well,
> Rob.
> --
> Rabbi Rob Thomas   Team Cymru
>"It is easy to believe in freedom of speech for those with whom we
> agree." - Leo McKern
>
>
>
>


[c-nsp] IPv6 hardening

2019-12-30 Thread harbor235
Does anyone have any updated router hardening guidelines? Some of the sites
I reference have not been updated for some time, e.g. www.team-cymru.org


thanks in advance,


Mike


[c-nsp] Nexus 5k ISSU

2019-11-01 Thread harbor235
Hi everyone,

What are your experiences with Nexus5K ISSU and VPCs? Do you see service
interruptions? ISSU is never quite ISSU. During role changes and/or VPCs
reforming I see short duration losses. Is this standard?


Mike


[c-nsp] Datacenter management

2019-10-10 Thread harbor235
Hi noggers,

I have a UCS/Bladeserver and I want to understand how management traffic
is handled to and from VMs. The UCS/Bladeserver has a dedicated management
interface and can be connected to the management network for configuration
purposes. My question is: how is management taken care of for VMs?

Is it best practice to present a separate vnic for management to each
VM? This allows for layer 2 segmentation from the primary service delivery
vnic. The layer 3 interface for the management vnic is a firewall or similar
and can interface with the backend management network. This allows for
segmentation and isolation of the forwarding plane and the management
plane.

The other option is to collapse all layer2 networks into a single layer2
domain which is not a good idea.

How do you handle VM management?

Mike


[c-nsp] NFV

2019-09-23 Thread harbor235
Looking for real world experiences virtualizing router and firewall services
with rates above 1Gbps on x86 platforms. In most testing I have been involved
with virtualizing routers and firewalls, performance drops
dramatically above 1Gbps.

Connections per second are critical for a firewall in particular; can a
virtual firewall handle high connections per second like appliances do?

Anyone experience good results at 10GigE with a virtual firewall?

Where do you draw the line for router based virtualization?



Mike


[c-nsp] Ipv6 address plan

2018-10-11 Thread harbor235
Gents,

I have a green field IPv6 infrastructure that I am standing up. I plan on
allocating unique IPv6 net block ranges for infrastructure nets
(loopbacks/router IDs, pt-to-pts), service delivery allocations (customer
services), north of the security boundary layer, south of the security
boundary layer, etc.

Any other best practices learned from your IPv6 deployments that would
assist on my deployment?


Mike


Re: [c-nsp] SMTP hard bounce

2018-07-22 Thread harbor235
No, I did consciously post to a Cisco NSP mailing list because, unlike
yourself, there are many top notch professionals with varied experience on
this list that also like to help out.

Your posts are always thoughtful, nothing better to do I assume?


Mike

On Sun, Jul 22, 2018 at 1:16 PM, Gert Doering  wrote:

> Hi,
>
> On Sun, Jul 22, 2018 at 01:02:19PM -0400, harbor235 wrote:
> > Can anyone clarify if hard bounce messages types can singularly be
> > configured to soft bounce (e.g Soft_bounce=yes, postfix) or is it an all
> or
> > nothing configuration change.
>
> I'm fairly sure there is a Cisco solution to your problem (Ironport ESA).
>
> Oh, wait, you were not consciously posting to a *Cisco* NSP mailing list?
>
> Maybe there is a reason why your mails get classified as SPAM...
>
> gert
> --
> "If was one thing all people took for granted, was conviction that if you
>  feed honest figures into a computer, honest figures come out. Never
> doubted
>  it myself till I met a computer with a sense of humor."
>  Robert A. Heinlein, The Moon is a Harsh
> Mistress
>
> Gert Doering - Munich, Germany
> g...@greenie.muc.de
>


[c-nsp] SMTP hard bounce

2018-07-22 Thread harbor235
Hi Noggers,

Can anyone clarify if hard bounce message types can singularly be
configured to soft bounce (e.g. Soft_bounce=yes, postfix) or is it an all or
nothing configuration change?

Also, is there any definitive guide to improving your Internet mailer
reputation, or steps to correct it? I am aware of mxtoolbox and
talosintelligence.com.

Office365 is killing me with 550s!!


help,


thanks

Mike


[c-nsp] GRE Tunnel

2018-06-13 Thread harbor235
Has anybody configured a GRE tunnel between a Cisco router and a NSX Edge?

I am going to give it a try; hopefully someone can confirm it's possible?


Mike


[c-nsp] two routing engines

2018-03-08 Thread harbor235
In a HA configuration (dual rail) do I really need two route processors per
chassis? What does the extra cost really get me?  ISSU that does not always
work?


Mike


Re: [c-nsp] highly available ipsec vpn

2018-02-09 Thread harbor235
I will be using ASRs, route based VPNs with VTIs.


Mike

On Thu, Feb 8, 2018 at 6:13 PM, Jeff Orr <jeffb...@gmail.com> wrote:

> We use HA VPN (HSRP) for our IPSEC based business partners. It has worked
> well for years, but I’m only partly happy.
>
> We have built our data centers to be as independent as possibly. Minimal
> OTV, routed mainframe, separate internal and external up space. However,
> with HA VPN, I have to have L2 stretch & advertise the specific/24 out if
> both DCs.
>
> The main benefit is our partners only setup one tunnel and neither side
> has to work about DR. Internally we use RRI into our IGP to steer traffic
> to the proper router.
>
> On Thu, Feb 8, 2018 at 5:34 PM harbor235 <harbor...@gmail.com> wrote:
>
>> I am looking to implement a highly available IPSEC route based VPN.
>> Traditionally I would bring up multiple tunnels with multiple BGP peers in
>> a dual router setup.
>>
>> IPSEC HSRP design appears to be the flavor of the day, failover times
>> appear to be lengthy compared to failover times via BGP. IS anyone using
>> the HSRP HA setup? Are your experiences good or bad? Has the BGP route
>> based IPSEC VPN design fallen from grace?
>>
>>
>> Mike
>>
>

[c-nsp] highly available ipsec vpn

2018-02-08 Thread harbor235
I am looking to implement a highly available IPSEC route based VPN.
Traditionally I would bring up multiple tunnels with multiple BGP peers in
a dual router setup.

IPSEC HSRP design appears to be the flavor of the day, failover times
appear to be lengthy compared to failover times via BGP. IS anyone using
the HSRP HA setup? Are your experiences good or bad? Has the BGP route
based IPSEC VPN design fallen from grace?


Mike


Re: [c-nsp] ACE30 Config

2016-08-16 Thread harbor235
In bridge mode the ACE does not participate in spanning-tree; it forwards
BPDUs, merging the two vlans (101 & 102). So a spanning-tree recalc will
occur for the merged vlan, ~50 seconds. So the cmds are safe but there
will be a brief outage, is that what you meant?

Setting the default route on the rservers to the vlan 102 GW address will
ensure traffic flows through the ACE.


Mike

On Tue, Aug 16, 2016 at 8:21 AM, Chris Knipe <sav...@savage.za.org> wrote:

> Thanks Mike.
>
> There's no existing svclc's on the 6500, so vlan-group 10 is unused.  I
> was mainly concerned that the 6500 would stop switching VLAN101 after it's
> been assigned to the svclc.
>
> Just wanted to get confirmation on that before I drop all my traffic
> accidentally :-)
>
> On Tue, Aug 16, 2016 at 2:20 PM, harbor235 <harbor...@gmail.com> wrote:
>
>> Config looks good for the 6500 portion of the config as long as the vlans
>> you have specified for vlan-group 10 are unused?
>> I also assume you have created the vlans as well?
>>
>> Mike
>>
>> On Tue, Aug 16, 2016 at 8:07 AM, Chris Knipe <sav...@savage.za.org>
>> wrote:
>>
>>> Hi Guys,
>>>
>>> Quick question... I'm about to install my first ACE30 into a 6500
>>> (SUP720)... Just a quick question about the svclc if I may...
>>>
>>> I already have VLAN101 with all my rservers (currently in production,
>>> being
>>> fed from a old LB we'll be replacing with the ACE30).
>>>
>>> I created  a new VLAN102 which will be used for the customer facing leg
>>> of
>>> the ACE...
>>>
>>> Config:
>>> svclc vlan-group 10 101,102
>>> svclc module 1 vlan-group 10
>>> svclc multiple-vlan-interfaces
>>>
>>> Are those commands safe?  I'm not sure whether or not the switch will
>>> drop
>>> traffic to VLAN101 which is currently doing some 2Gbps in traffic.
>>>
>>> --
>>>
>>> Regards,
>>> Chris
>>>
>>
>>
>
>
> --
>
> Regards,
> Chris Knipe
>


Re: [c-nsp] ACE30 Config

2016-08-16 Thread harbor235
Config looks good for the 6500 portion of the config as long as the vlans
you have specified for vlan-group 10 are unused?
I also assume you have created the vlans as well?

Mike

On Tue, Aug 16, 2016 at 8:07 AM, Chris Knipe  wrote:

> Hi Guys,
>
> Quick question... I'm about to install my first ACE30 into a 6500
> (SUP720)... Just a quick question about the svclc if I may...
>
> I already have VLAN101 with all my rservers (currently in production, being
> fed from a old LB we'll be replacing with the ACE30).
>
> I created  a new VLAN102 which will be used for the customer facing leg of
> the ACE...
>
> Config:
> svclc vlan-group 10 101,102
> svclc module 1 vlan-group 10
> svclc multiple-vlan-interfaces
>
> Are those commands safe?  I'm not sure whether or not the switch will drop
> traffic to VLAN101 which is currently doing some 2Gbps in traffic.
>
> --
>
> Regards,
> Chris
>


[c-nsp] outdoor rating

2015-05-27 Thread harbor235
Anybody have experience with network devices in covered areas not directly
exposed to the elements but exposed to external temperature variations?

Do I need an enclosure, or are there exterior models that can withstand the
elements?
Google-fu revealed the Cisco 3010.


Mike


Re: [c-nsp] multicast routing table

2015-05-13 Thread harbor235
Thanks, your responses jogged my memory!


Mike

On Wed, May 13, 2015 at 6:07 AM, Mikael Abrahamsson swm...@swm.pp.se
wrote:

 On Tue, 12 May 2015, harbor235 wrote:

  I want to ensure that enabling multicast does not overwhelm my router
 memory resources, does anyone know how to estimate memory requirements for
 multicast?


 What memory are you talking about? What platform is this? There are
 multiple kinds of memory and different platforms work differently.

 --
 Mikael Abrahamsson    email: swm...@swm.pp.se



[c-nsp] multicast routing table

2015-05-12 Thread harbor235
I want to ensure that enabling multicast does not overwhelm my router
memory resources; does anyone know how to estimate memory requirements for
multicast?

Specifics:
PIM Sparse mode, Auto RP feature enabled, and 24 RPs. I realize that this
is a function of sources and streams. I want to estimate the added memory
consumption.


thanks in advance,


Mike


Re: [c-nsp] Input Errors And CRC Errors

2013-09-18 Thread harbor235
I am curious as to which supervisor you are using with this
configuration? I have a ws-x6516-GBIC I would like to use
with a 720-3B and would like to verify it can be used. My card has a DFC3
daughter card installed; I am in the process
of removing that card and my fingers are crossed that it will work.

Any thoughts would be appreciated, it appears that it should work.



Mike


On Thu, Sep 12, 2013 at 8:31 AM, Armin Kneip a...@ghostnet.de wrote:

 Hi,

 then are all on the same ASIC. As a example output for WS-X6516A-GBIC
 and WS-X6724-SFP


 Regards,

 Armin Kneip


 nc#sh int gi 1/1 cap
 GigabitEthernet1/1
   Model: WS-X6516A-GBIC
   Type:  1000BaseSX
   Speed: 1000
   Duplex:full
   Trunk encap. type: 802.1Q,ISL
   Trunk mode:on,off,desirable,nonegotiate
   Channel:   yes
   Broadcast suppression: percentage(0-100)
   Flowcontrol:   rx-(off,on,desired),tx-(off,on,desired)
   Membership:static
   Fast Start:yes
   QOS scheduling:rx-(1p1q4t), tx-(1p2q2t)
   QOS queueing mode: rx-(cos), tx-(cos)
   CoS rewrite:   yes
   ToS rewrite:   yes
   Inline power:  no
   SPAN:  source/destination
   UDLD   yes
   Link Debounce: yes
   Link Debounce Time:yes
   Ports on ASIC: 1-8
   Remote switch uplink:  yes
   Dot1x: yes
   Port-Security: yes



 nc#sh int gi 2/1 cap
 GigabitEthernet2/1
   Model: WS-X6724-SFP
   Type:  1000BaseSX
   Speed: 1000
   Duplex:full
   Trunk encap. type: 802.1Q,ISL
   Trunk mode:on,off,desirable,nonegotiate
   Channel:   yes
   Broadcast suppression: percentage(0-100)
   Flowcontrol:   rx-(off,on,desired),tx-(off,on,desired)
   Membership:static
   Fast Start:yes
   QOS scheduling:rx-(1q8t), tx-(1p3q8t)
   QOS queueing mode: rx-(cos), tx-(cos)
   CoS rewrite:   yes
   ToS rewrite:   yes
   Inline power:  no
   SPAN:  source/destination
   UDLD   yes
   Link Debounce: yes
   Link Debounce Time:yes
   Ports-in-ASIC (Sub-port ASIC) : 1-24 (1-12)
   Remote switch uplink:  no
   Dot1x: yes
   Port-Security: yes


 On 12.09.2013 14:19, Harry Hambi wrote:
  Hi Armin,
  Below is the output of the sh int capabilities command
 
   Model: VS-SUP2T-10G
  Type:  10Gbase-LR
  Speed: 1
  Duplex:full
  Trunk encap. type: 802.1Q
  Trunk mode:on,off,desirable,nonegotiate
  Channel:   yes
  Broadcast suppression: percentage(0-100)
  Flowcontrol:   rx-(off,on),tx-(off,on)
  Membership:static
  Fast Start:yes
  QOS scheduling:rx-(8q4t), tx-(1p7q4t)
  QOS queueing mode: rx-(cos,dscp), tx-(cos,dscp)
  CoS rewrite:   yes
  ToS rewrite:   yes
  Inline power:  no
  Inline power policing: no
  SPAN:  source/destination
  UDLD   yes
  Link Debounce: yes
  Link Debounce Time:yes
  Ports on ASIC: 4
  Remote switch uplink:  no
  Port-Security: yes
  Dot1x: yes
 
  Not sure I understand the output. Am I right in saying there are 4
 ports on each ASIC?
  The card in question is a 5 port sup card.
 
 
  Rgds
  Harry
 
  Harry Hambi BEng(Hons)  MIET  Rsgb
 
  -Original Message-
  From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
 Armin Kneip
  Sent: 12 September 2013 12:10
  To: cisco-nsp@puck.nether.net
  Subject: Re: [c-nsp] Input Errors And CRC Errors
 
  Hi Harry,
 
  show interfaces gi 7/1 capabilities
 
  shows the ASIC.
 
 
  Regards,
 
  Armin Kneip
 
 
  On 12.09.2013 12:51, Harry Hambi wrote:
  Hi All,
  Trying to diagnose a problem on a 6509 chassis, port showing input and
  CRC errors on one end of the link. The link is a TenGigabit. I'm going
 to try the following:
  Change fibre
  Change GBIC; if errors are still showing, try changing port.
  Change to a different port on the switch. How do I make sure that I
 am moving to a different ASIC as well? How do I determine port/ASIC
 mapping? Is there a sh command that may help? Any help appreciated.
 
  Rgds
  Harry
 
  Harry Hambi BEng(Hons)  MIET  Rsgb
 
 
 
  
  http://www.bbc.co.uk
  This e-mail (and any attachments) is confidential and may contain
  personal views which are not the views of the BBC unless specifically
 stated.
  If you have received it in
  error, please delete it from your system.
  Do not use, copy or disclose the
  information in any way nor act in reliance on it and notify the sender
  immediately.
  Please note that the BBC monitors e-mails sent or 

Re: [c-nsp] Vlan Mapping

2013-09-12 Thread harbor235
Thank you for the reply Quinn, can I perform unique vlan mappings per
interface as well?

e.g.   port 1 ---  map vlan 1 to 11,   port 2 --- map vlan 2 to vlan 12

both ports are on the same port group ASIC.



Mike


On Wed, Sep 11, 2013 at 3:05 PM, quinn snyder snyd...@gmail.com wrote:

 configuration is applied per port group on each linecard.
 however -- each interface (and subsequent 'show' commands) have an
 enable/disable knob so that mapping can occur on some (but not all)
 interfaces.

 q.

 -= sent via iphone. please excuse spelling, grammar, and brevity =-

 On Sep 11, 2013, at 11:02, harbor235 harbor...@gmail.com wrote:

  I am trying to understand the VLAN mapping feature specifically on the
  7600. I read a bit but would like confirmation on how it works once
  implemented.
 
 
  When the feature is enabled it affects all ports on the linecard port
 ASIC,
  so it is linecard dependent.
 
  My Question:
 
  1) Do all ports have to be engaged in VLAN mapping in the port ASIC group
  once
 enabled? or only trunk ports perform the actual VLAN mapping, access
  ports would
 not and the configuration for vlan mapping is hidden/disabled?
 
  2) In a port ASIC group can I perform VLAN mapping from/to unique VLANS
 or
  am I confined to the same vlans per port ASIC group?
 
 
 
  Mike



[c-nsp] Vlan Mapping

2013-09-11 Thread harbor235
I am trying to understand the VLAN mapping feature specifically on the
7600. I read a bit but would like confirmation on how it works once
implemented.


When the feature is enabled it affects all ports on the linecard port ASIC,
so it is linecard dependent.

My Question:

1) Do all ports have to be engaged in VLAN mapping in the port ASIC group once
enabled? Or do only trunk ports perform the actual VLAN mapping, while access
ports would not and the configuration for vlan mapping is hidden/disabled?

2) In a port ASIC group can I perform VLAN mapping from/to unique VLANs or
am I confined to the same vlans per port ASIC group?



Mike


[c-nsp] Level3 L2VPN service

2013-08-15 Thread harbor235
Anybody have any experiences they want to share with Level3's L2VPN service?

I am looking for performance, stability, and support issues.



thank you,


Mike


[c-nsp] VPN Exchange

2013-06-26 Thread harbor235
I wanted to start a discussion around the design of a VPN Exchange in an
MPLS environment. For a particular organization that may possess numerous
L3VPNs, is there a standard design practice for inter-VPN traffic flows?
Obviously any such exchange would be a natural security enforcement point
as well as a point for other network services (Internet, security, DMZ,
IDS/IDP, etc.), given that each VPN may have its own security requirements,
preferences, etc.


Is anyone doing this now?



thanks,


Mike


Re: [c-nsp] 7600 SUP720-3B PBR

2013-05-02 Thread harbor235
Right, I saw that one, not sure exactly what it means. Does it require
DFCs? We do not have DFCs so that's why I am a little gun shy.


Mike

On Tue, Sep 18, 2012 at 1:04 PM, Steven Raymond
sraym...@acedatacenter.com wrote:

 On Sep 18, 2012, at 10:56 AM, harbor235 wrote:

 My google fu has not turned up anything definitive on the 7600 PBR
 performance, is it done in hardware
 or is it down in software? With or without DFCs. Can anyone provide any
 insight into sup720 PBR performance?



 http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/layer3.html

 •The Policy Feature Card (PFC) and any Distributed Feature Cards (DFCs)
 provide hardware support for policy-based routing (PBR) for route-map
 sequences that use the match ip address, set ip next-hop, and ip default
 next-hop PBR keywords.

 I haven't actually tried it, but guess it would do okay. There are a few
 caveats listed there.





[c-nsp] InfoBlox

2013-04-24 Thread harbor235
I am being told that InfoBlox management is restricted to one interface
only. For example,
once the management GUI is bound to an interface all management traffic is
now bound to
that same interface only, e.g. SNMP, SYSLOG, SSH, etc ..

I am hoping this is not the case and this is configurable like any other
*NIX box? Can
anyone fill in the gaps for me?


thanks,


Mike


Re: [c-nsp] InfoBlox

2013-04-24 Thread harbor235
My thoughts are that this group is very knowledgeable about all networking
topics and it makes sense to me
that someone may have run across this issue.

Mike


On Wed, Apr 24, 2013 at 10:08 AM, Gert Doering g...@greenie.muc.de wrote:

 Hi,

 On Wed, Apr 24, 2013 at 09:08:40AM -0400, harbor235 wrote:
  I am being told that InfoBlox management is restricted to one interface
  only.

 Cisco is selling InfoBlox gear now?

 gert
 --
 USENET is *not* the non-clickable part of WWW!
//
 www.muc.de/~gert/
 Gert Doering - Munich, Germany
 g...@greenie.muc.de
 fax: +49-89-35655025
 g...@net.informatik.tu-muenchen.de



[c-nsp] DNS amplification

2013-03-16 Thread harbor235
Can anyone provide insight into how to defeat DNS amplification attacks?


thanks,

Mike
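The usual answers to the question above are preventive: restrict recursion to your own prefixes, apply response rate limiting on authoritative servers, and enforce BCP38 source-address filtering at the edge so spoofed queries never reach the resolver. What a practitioner also wants is a way to tell whether a resolver is being used as an amplifier right now. The script below is an added example, not something from the thread; it runs over constructed flow records (the kind a NetFlow collector such as the flowd mentioned later on this page would hold) and reports, per client, the ratio of response bytes sent to query bytes received. The resolver address, the "inside" prefixes and every record are assumptions made up for the example.

```python
"""Flag DNS amplification abuse of a resolver from flow records (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, NamedTuple


class Flow(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int
    bytes: int


# Assumptions for the example (not from the thread): the resolver's address
# and the prefixes whose hosts are legitimately allowed to query it.
RESOLVER = "192.0.2.53"
INSIDE = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]

# Constructed flow records, one per (src, dst, ports) aggregate.
SAMPLE_FLOWS = [
    # inside client: 10 queries of 75 bytes, 10 answers of 150 bytes
    Flow("198.51.100.7", 40001, RESOLVER, 53, "udp", 10, 750),
    Flow(RESOLVER, 53, "198.51.100.7", 40001, "udp", 10, 1500),
    # outside address: 200 small queries, 200 large answers (ratio 50)
    Flow("203.0.113.9", 53, RESOLVER, 53, "udp", 200, 12000),
    Flow(RESOLVER, 53, "203.0.113.9", 53, "udp", 200, 600000),
    # outside address with ordinary-sized traffic
    Flow("203.0.113.10", 51515, RESOLVER, 53, "udp", 5, 300),
    Flow(RESOLVER, 53, "203.0.113.10", 51515, "udp", 5, 500),
    # unrelated TCP flow, ignored by the DNS logic
    Flow("203.0.113.9", 44444, "192.0.2.80", 443, "tcp", 3, 900),
]


def is_inside(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in INSIDE)


def summarize(flows: Iterable[Flow]) -> Dict[str, Dict[str, object]]:
    """Per client: query bytes in, response bytes out, amplification ratio."""
    q_bytes = defaultdict(int)
    r_bytes = defaultdict(int)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dst == RESOLVER and f.dport == 53:       # query towards the resolver
            q_bytes[f.src] += f.bytes
        elif f.src == RESOLVER and f.sport == 53:     # answer from the resolver
            r_bytes[f.dst] += f.bytes
    stats = {}
    for client in set(q_bytes) | set(r_bytes):
        qb, rb = q_bytes[client], r_bytes[client]
        stats[client] = {
            "query_bytes": qb,
            "response_bytes": rb,
            # answers with no matching queries seen is the worst case: infinite
            "amplification": (rb / qb) if qb else float("inf"),
            "external": not is_inside(client),
        }
    return stats


def open_resolver_clients(flows: Iterable[Flow]) -> List[str]:
    """Outside addresses that received answers at all: evidence of an open resolver."""
    return sorted(c for c, s in summarize(flows).items()
                  if s["external"] and s["response_bytes"] > 0)


def suspects(flows: Iterable[Flow], min_ratio: float = 10.0,
             min_response_bytes: int = 10_000) -> List[str]:
    """Outside addresses being fed large, highly amplified answers."""
    return sorted(c for c, s in summarize(flows).items()
                  if s["external"] and s["amplification"] >= min_ratio
                  and s["response_bytes"] >= min_response_bytes)


if __name__ == "__main__":
    for client, s in sorted(summarize(SAMPLE_FLOWS).items()):
        print(f"{client:15} ext={s['external']!s:5} amp={s['amplification']:.1f}")
    print("open-resolver clients:", open_resolver_clients(SAMPLE_FLOWS))
    print("amplification suspects:", suspects(SAMPLE_FLOWS))
```

The "external" flag alone already answers "am I an open resolver"; the ratio separates a victim being flooded (spoofed source, huge answers) from an outside host that merely talks to the resolver. Thresholds are starting points to tune against your own traffic.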


[c-nsp] mac flap

2013-03-05 Thread harbor235
I hope someone has seen something like this:

 %SW_MATM-4-MACFLAP_NOTIF: Host .. in vlan 111 is flapping
between port Fa0/15 and port Fa0/8


Fa0/15 and Fa0/8 are server ports; the servers connected to the ports are
sending Ethernet frames destined to the all-zeros MAC address.
What is it, DHCP? BOOTP? It is isolated to three ports only; if I move one
of the affected servers to a different port the behavior follows.
Unconfigured virtualized servers may broadcast to the all zeros?
Misconfiguration on the server? Network boot enabled? Not likely,
since a static IP is assigned and the servers are active; vmware, vbox, etc.
are not installed.

My logs are filled with these messages. I could disable the MAC change
notification but I would like to understand what is going on.

tcpdump:

23:22:54.620303 00:00:00:00:00:00 > 00:00:00:00:00:00 Null Information,
send seq 0, rcv seq 0, Flags [Command], length 46
23:22:55.628724 00:00:00:00:00:00 > 00:00:00:00:00:00 Null Information,
send seq 0, rcv seq 0, Flags [Command], length 162
23:22:59.449619 00:00:00:00:00:00 > 00:00:00:00:00:00 Null Information,
send seq 0, rcv seq 0, Flags [Command], length 46
23:23:00.579483 00:00:00:00:00:00 > 00:00:00:00:00:00 Null Information,
send seq 0, rcv seq 0, Flags [Command], length 46
23:23:02.635356 00:00:00:00:00:00 > 00:00:00:00:00:00 Null Information,
send seq 0, rcv seq 0, Flags [Command], length 46
23:23:05.362423 00:00:00:00:00:00 > 00:00:00:00:00:00 Null Information,
send seq 0, rcv seq 0, Flags [Command], length 46
23:23:05.962898 00:00:00:00:00:00 > 00:00:00:00:00:00 Null Information,
send seq 0, rcv seq 0, Flags [Command], length 46



thanks in advance,

Mike
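Two things in the capture above are worth decoding rather than guessing at. First, tcpdump prints "Null Information, send seq 0, rcv seq 0, Flags [Command]" when the type/length field is at or below 1500 (so it parses the frame as IEEE 802.3 with an 802.2 LLC header), DSAP and SSAP are 0 (the null SAP), and the control field is zero (an I-frame with N(S) = N(R) = 0 and the C/R bit clear). A frame consisting entirely of zero bytes decodes exactly like that; the post does not include the bytes, so treat that as an assumption about what the servers are sending. Second, a switch learns MAC addresses from the source field, so the flap means 00:00:00:00:00:00 is arriving as a source on several ports, which matches the zero source address in the capture. The decoder below is an added example, not code from the thread; the frame bytes and the MACFLAP line (whose host address the post elides) are constructed for it.

```python
"""Decode the frames behind a MACFLAP message (added example; inputs constructed)."""
import re
from typing import Dict, Optional

# Switch syslog line of the kind quoted in the post. The host address is an
# assumption for this example; the post elides it.
SAMPLE_LOG = ("%SW_MATM-4-MACFLAP_NOTIF: Host 0000.0000.0000 in vlan 111 "
              "is flapping between port Fa0/15 and port Fa0/8")

# Constructed 60-byte frame made entirely of zero bytes: dst and src MAC
# 00:00:00:00:00:00, type/length 0, all-zero LLC header, zero padding.
ZERO_FRAME = bytes(60)

# Constructed Ethernet II frame for contrast: broadcast dst, EtherType 0x0806 (ARP).
ARP_FRAME = bytes.fromhex("ffffffffffff" "001122334455" "0806") + bytes(46)

MACFLAP_RE = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<host>\S+) in vlan (?P<vlan>\d+) "
    r"is flapping between port (?P<port_a>\S+) and port (?P<port_b>\S+)")


def parse_macflap(line: str) -> Optional[Dict[str, str]]:
    """Pull host, VLAN and the two ports out of a MACFLAP_NOTIF line."""
    m = MACFLAP_RE.search(line)
    return m.groupdict() if m else None


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def decode_frame(raw: bytes) -> Dict[str, object]:
    """Decode an Ethernet header and, for 802.3 frames, the 802.2 LLC header.

    A type/length value of 0x0600 or above is an EtherType (Ethernet II);
    1500 or below is an 802.3 length, and an LLC header follows.
    """
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    src = mac_str(raw[6:12])
    info: Dict[str, object] = {
        "dst": mac_str(raw[0:6]),
        "src": src,
        "zero_src": src == "00:00:00:00:00:00",   # what the switch learns from
    }
    type_or_len = int.from_bytes(raw[12:14], "big")
    if type_or_len >= 0x0600:
        info["encap"] = "Ethernet II"
        info["ethertype"] = type_or_len
        return info
    info["encap"] = "802.3/LLC"
    info["length"] = type_or_len
    if len(raw) < 17:
        raise ValueError("802.3 frame without a full LLC header")
    dsap, ssap, ctrl0 = raw[14], raw[15], raw[16]
    info["dsap"], info["ssap"] = dsap, ssap
    info["null_sap"] = dsap == 0 and ssap == 0      # SAP 0 is the null SAP
    info["command"] = (ssap & 0x01) == 0            # C/R bit lives in the SSAP
    if ctrl0 & 0x01 == 0:
        # Information frame: 16-bit control, N(S) in byte 0, P/F + N(R) in byte 1
        if len(raw) < 18:
            raise ValueError("I-frame without its second control byte")
        ctrl1 = raw[17]
        info["llc_type"] = "I"
        info["send_seq"] = ctrl0 >> 1
        info["recv_seq"] = ctrl1 >> 1
        info["poll_final"] = ctrl1 & 0x01
    elif ctrl0 & 0x03 == 0x01:
        info["llc_type"] = "S"                      # supervisory frame
    else:
        info["llc_type"] = "U"                      # unnumbered, 8-bit control
    return info


if __name__ == "__main__":
    print(parse_macflap(SAMPLE_LOG))
    for name, frame in (("zero frame", ZERO_FRAME), ("arp frame", ARP_FRAME)):
        print(name, decode_frame(frame))
```

Run it against a frame pulled from a real capture (tcpdump -xx prints the bytes) to confirm whether the payload is all zeros or carries something after the LLC header; that tells you whether to look for a misbehaving NIC driver or BMC rather than a protocol.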


[c-nsp] low cost reliable optics

2013-02-23 Thread harbor235
Anyone know of any low cost reliable alternatives to the
Cisco-WS-G5483-GBIC?


thanks,

Mike


Re: [c-nsp] CDP interoperability

2012-12-10 Thread harbor235
Aivars,

Best practice would be to remove VLAN 1 from the list of trunked VLANs.



Mike

On Mon, Dec 10, 2012 at 10:39 AM, Aivars aiv...@ml.lv wrote:

   Hi,

   I thought that CDP essence is to help understand what device you
   have at the other end of the wire no matter what. You just plug one
   end of the cable into one box and the other end into another and
   you get your CDP neighbors. Besides other side usage like in IP
   phone communication with switches this is why anybody would use CDP.
   Right?

   Up until this morning I also thought that CDP frames are always sent
   untagged. This is the way I would do it. Well, I was wrong. Actually
   on Catalyst switches CDPs are sent in vlan 1. If you make some other
   vlan native on a trunk port, CDPs are sent with dot1q tag 1. vlan
   dot1q tag native will also do the same trick.

   Now imagine a brand new shiny IOS-XR box, ASR9k for example. If it
   has no subinterface configuration with encapsulation dot1q 1, CDP
   will be broken. It will send CDPs with no tag and Catalyst will be
   happy about it. It will show ASR as CDP neighbor. ASR instead
   doesn't know what the hell tag 1 means and drops these frames.

   Cisco thinks - this is expected behavior.

   What do you guys think? Is this a bug or a feature? Should it remain
   as it is?

   Aivars




[c-nsp] EX2200 and 3550

2012-12-10 Thread harbor235
Has anyone connected a Juniper EX series switch with a Cisco switch (I have
a 3550)?

Do you use a standard crossover cable? MDIX?

Any Layer 2 issues with RSTP and PVST+?

Any specific configuration required to make it work?

Stability?


thanks in advance,

Mike


[c-nsp] Level 3 issues

2012-11-28 Thread harbor235
Can anyone shed some light on the Level 3 issues ? I see the Level3
NTT interchange is experiencing issues, anyone else having problems?


Mike


[c-nsp] custom fiber cables

2012-11-10 Thread harbor235
Can anyone point me to a reputable custom fiber patch supplier,
looking for an Internet based company with quick response times.


thanks,

Mike


Re: [c-nsp] custom fiber cables

2012-11-10 Thread harbor235
I have a couple runs of 150 and 350 feet, I assume they need to be made
custom?

Mike

On Sat, Nov 10, 2012 at 8:48 AM, Gerry Boudreaux ge...@tape.net wrote:

 We have had great service and fast turn-around from
 http://www.fiberall.com/

 Hope this helps.

 G

 On Nov 10, 2012, at 07:23 , harbor235 harbor...@gmail.com wrote:

  Can anyone point me to a reputable custom fiber patch supplier,
  looking for an Internet based company with quick response times.
 
 
  thanks,
 
  Mike





[c-nsp] server room clearances

2012-09-26 Thread harbor235
Can anyone tell me the requirements for rack clearances in all directions
when building server rooms (too small for datacenter size)
I seem to remember 3 feet in any direction? Of course you have equipment
loading and unloading so front and back clearances
may be different?


Mike


[c-nsp] 7600 SUP720-3B PBR

2012-09-18 Thread harbor235
My google fu has not turned up anything definitive on the 7600 PBR
performance: is it done in hardware
or is it done in software? With or without DFCs. Can anyone provide any
insight into sup720 PBR performance?

My feeling is if we enable PBR it may negatively impact the box, assume PBR
related bandwidth to exceed 100M


thanks in advance,


Mike


[c-nsp] flowd

2012-05-23 Thread harbor235
Installed flowd, from debug I see that I am receiving V9 records, however
flow records are not
being written to /var/log/flowd. Has anyone experienced this or could you
offer up
any suggestions?

thanx,

Mike


[c-nsp] ISRG2

2012-03-30 Thread harbor235
I am having the hardest time finding docs on ISRG2 performance comparisons
for the 3900 and
the 3900E models. I am interested in the 3925/3925E, Before anyone
lmgtfy.com's typical marketing
data I found, there are slot differences, built-in LAN interfaces
differences, etc ...One uses the SPE100 and the
other the SPE200 but what are the performance numbers, comparisons?


thanx in advance,

Mike


Re: [c-nsp] IPv6 RA filter on Layer 2 switch with edge ports configured as trunk

2012-03-08 Thread harbor235
Herro91 (what kind of name is that?),

Looks like the ASA 1000v and the Nexus 1000v should be able to do this as
part
of a clear data center strategy for Cisco. But .

IPv6 ACLs are still not supported on the *1000v products, doh 

Your best bet may be to police the vlans on the switches that connect the
L3 interface for each vlan (VACL, PVLAN) as well as use any safeguards
available on the L3 interface, ACLs, PVLANs, RA-guard etc ..

Cisco is dropping the ball again !!!


Mike

On Mon, Mar 5, 2012 at 9:37 PM, Herro91 herr...@gmail.com wrote:

 Hi,

 Trying to figure out a solution on how to implement an IPv6 Traffic Filter
 to block RA messages on a 4948 that is configured as an L2 switch. More
 specifically the edge ports are configured as trunks to an ESX host which
 has many VMs (Windoze, Linux, etc). Given the trunk port config, I know I
 could do a VACL, but those lack direction (input/output) so it seems like a
 non-starter

 Appreciate any thoughts/advice



Re: [c-nsp] Cisco's new 4500-X 10G Aggregation Switches

2012-02-10 Thread harbor235
I am sure it will do V6, but is the hardware optimized for V6?
V6 hardware forwarding and TCAMs able to handle the tens of millions of
routes
expected. Perhaps there will be incremental updates so they can soak us
thoroughly

So, will it do V6 well is the real question?

Mike



2012/2/10 Łukasz Bromirski luk...@bromirski.net

 On 2012-02-10 19:58, Gert Doering wrote:

  What about IPv6?


 It's a Sup7E in a box. Expect the same features and caveats.

 --
 There's no sense in being precise when |   Łukasz Bromirski
  you don't know what you're talking |  jid:lbromir...@jabber.org
  about.   John von Neumann |http://lukasz.bromirski.net




Re: [c-nsp] Cisco's new 4500-X 10G Aggregation Switches

2012-02-10 Thread harbor235
As far as the tens of millions of routes comment goes, my thoughts
are along the lines of no real hardware out there designed for V6
from the get go. It's all old V4 designed hardware retro-fitted for V6
with a few exceptions.

My rant did proceed with thoughts on the edge forgetting it was a switch
  ;{

Whoa, I seem to have missed something.  Last time I checked, we're
at about 8000, and if we grow with the same speed (which is unlikely,
but still) it will take about 30 more years to reach tens of millions...

Outside the US there will be substantially more commitment to V6 and at a
quicker pace, the PAC RIM comes to mind. So when it goes it will not be at
the
same pace. I guess my complaint is there WILL BE incremental updates
relatively soon. So

This means I agree it will not have tens of millions V6 route capabilities,
even at the edge.




Mike


On Fri, Feb 10, 2012 at 4:39 PM, Simon Lockhart si...@slimey.org wrote:

 On Fri Feb 10, 2012 at 01:31:12PM -0800, Sachin Gupta (sagupta) wrote:
  Full IPv6 support at FCS. What I mean by full is feature parity with
  Supervisor Engine 7-E on Catalyst 4500 platform.
 
  [SNIP]

 Sachin,

 Can I just publicly thank you (and the other Cisco employees who post to
 cisco-nsp) for your openness and willingness to answer questions on this
 list.

 I find it very helpful and greatly appreciate it.

 Simon



Re: [c-nsp] inter-VRF routing

2012-02-03 Thread harbor235
Take a look into importing routes from one vrf into another using an import
map.

check out a previous thread:

http://puck.nether.net/pipermail/cisco-nsp/2005-November/025500.html
https://supportforums.cisco.com/thread/2097252

Mike

On Fri, Feb 3, 2012 at 9:00 AM, Covalciuc Piotr pkovalc...@gmail.com wrote:

 Hello,

 I've created multiple VRFs on Cisco 4510. I need to configure the routing
 between VRFs. Cisco recommends using BGP and 'route-target import/export'.

 But, my IOS version don't support BGP.

 Is it possible to configure the inter-VRF routing using static routes? Or
 maybe there are others solutions?

 Thank you,
 Peter



Re: [c-nsp] Cisco 2811 performance issue - dual(new) isp

2011-12-19 Thread harbor235
The provider is using compression to get you the 50/5 number. The 2811
represents the true bandwidth allocation.

Did they ask you to go to a provider site to optimize your laptop?
Verizon did that to me, they told me I have 25 symmetric although
I only get 8 symmetric when I use my *NIX box to validate.

Mike

On Mon, Dec 19, 2011 at 1:06 PM, Adam Atkinson gh...@mistral.co.uk wrote:

 I saw a 2811 flattened recently by MTU / MSS issues, so
 would be curious to see show ip traffic




Re: [c-nsp] Anyconnect force upgrade

2011-12-19 Thread harbor235
http://lmgtfy.com/?q=cisco+anyconnect+software+Upgrade

I have always wanted to do this!!!   Not trying to be mean  ;-}

Mike

On Mon, Dec 19, 2011 at 1:38 PM, Scott Voll svoll.v...@gmail.com wrote:

 easy question I'm sure. How do you turn off the feature on the ASA that
 forces the upgrade of anyconnect?

 TIA

 Scott



Re: [c-nsp] Cisco 2811 performance issue - dual(new) isp

2011-12-19 Thread harbor235
Vinny,

I agree, now that I think about it, it would not be compression but my *NIX
box does support
auto scaling, that has been available for some time. I also am familiar with
stack tuning and have done
so on my box. However, most modern stacks do not require as much as the old
days, again, I agree.
I am curious what the optimizer really does?

Perhaps it is increasing the tcp/udp send and receive buffers to achieve
the desired results for the test. I do remember
that I also did not get the results they stated unless I used their speed
test tool. I just ran the test again
and on my 25/25 I received 2/2. Verizon optimizer is only available for

Guess I will have to grab a packet capture and find out what really is
going on. I just never received the results they indicated
I would receive.

Ha!!, found this:

*What does the Broadband Tuner do exactly?*

The installer increases the default values for the size of the TCP send and
receive buffers. With larger buffers more data can be in transit at once. A
startup configuration file is also updated so that these changes will
persist across restarts.

The system parameters are sysctl variables that are set as follows:
net.inet.tcp.sendspace: 131072
net.inet.tcp.recvspace: 358400
kern.ipc.maxsockbuf: 512000

This change has a system wide effect and is applied even if the network is
not high speed connection with a high latency, with the exception of modem
connections for which the system uses small default TCP buffer sizes.

thanx,

Mike




On Mon, Dec 19, 2011 at 5:21 PM, Vinny Abello vi...@abellohome.net wrote:


 Mike,

 I don't believe Verizon FiOS uses compression. Neither would the Windows
 machine plugged directly into the hand off, so it would not compress or
 decompress data in communicating with Verizon's hardware. Compression of an
 entire link is CPU intensive and doesn't scale well, especially at higher
 speeds. I think it would be much much easier for Verizon to provide more
 bandwidth than to provide more hardware with faster CPU's to aggregate all
 the customers. Compression can take place between web servers and web
 browsers, but that has nothing to do with the ISP's speed.

 The Verizon speed optimizer turns on TCP 1323 extensions, adjusts the TCP
 receive window and adjusts the MTU to 1492. None of these things involve
 compression. Most of them involve enabling settings in the operating system
 (which should be on by default in newer versions of Windows) to take
 advantage of the size of the pipe. They are also transparent to routers in
 the middle (except the MTU) including the 2811. I think the optimizer is
 mostly for older versions of Windows. I'm suspecting you are seeing slow
 throughput on your *nix box because it may not have 1323 extensions enabled
 to support window scaling and selective acknowledgements... or perhaps you
 just have a simple duplex mismatch somewhere. It's very difficult to scale
 the bandwidth without these things especially when latency is introduced.
 You might want to look into seeing if a sysctl or similar knob can turn
 them on and try again. All the recent *nix OS's I have seem to have this
 enabled already by default.

 The last thing I heard about ISP's and compression was from years ago
 using that Propel software which was for dial-up and slower broadband
 connections. The compression was lossy though and would decrease the
 quality of most images. If I remember correctly, there are speed tests out
 there that will run with highly compressible vs uncompressible data for
 contrast just to verify. I'm sure there could be some oddball compression
 things being done out there by some ISPs, but Verizon FiOS isn't one of
 them based on all the information I've come across over the years since
 I've followed their roll out.

 On the topic of the 2811, what features are enabled? This can have a huge
 impact on throughput. With just straight IP routing and firewall features
 enabled, I used to get 40 to 50Mbps out of an 1841 without any problems.
 This was of course maximizing the MTU size to achieve this. IPS features
 usually drag the speed down quite a bit as do a lot of types of protocol
 inspection. It's all about PPS rather than Mbps. The closer to the MTU the
 packet size is, the higher throughput you'll achieve. 5000 pps @64 bytes vs
 5000 pps @1500 bytes is pretty much the same to the router for just packet
 forwarding, but the difference is 320Kbps vs 7.5Mbps when it comes to
 throughput.

 - -Vinny

 On 12/19/2011 1:21 PM, harbor235 wrote:
  The provider is using compression to get you the 50/5 number. The 2811
  represents the true bandwidth allocation.
 
  Did they ask you to go to a provider site to optimize your laptop?
  Verizon did that to me, they told me I have 25 symmetric although
  I only get 8 symmetric when I use my *NIX box to validate.
 
  Mike
 
  On Mon, Dec 19, 2011 at 1:06 PM, Adam Atkinson gh...@mistral.co.uk
 wrote:
 
  I saw a 2811

[c-nsp] software

2011-12-04 Thread harbor235
I would love to take all my denied syslog events and summarize the attacks.
Does anyone know of open source that can do that?  I am not talking about
summarizing
the log messages but for instance the attempts on port 5060, SQL injection,
etc 

Mike
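ACL deny messages carry only a 5-tuple, so they can be summarized by destination service and by what each source is doing (one port swept across many hosts, or many ports probed on one host), but not by payload: recognising SQL injection needs web-server, WAF or IDS logs, since an ACL hit on port 80 or 443 says nothing about the request. The script below is an added example, not something from the thread. It parses constructed IOS `%SEC-6-IPACCESSLOGP` and ASA `%ASA-4-106023` lines (both are the documented message formats; the addresses, timestamps and the ACL name are made up) and produces the kind of per-service and per-source summary the post asks for.

```python
"""Summarize ACL deny syslog into attack categories (added example; input constructed)."""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, Optional

# Documented formats: IOS ACL "log" hits for TCP/UDP, and ASA 106023 denies.
IOS_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\)(?: \([^)]*\))? -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?")
ASA_RE = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+) src \S+?:(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst \S+?:(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')

# Ports worth naming in a summary; anything else is reported as proto/port.
SERVICES = {22: "ssh", 23: "telnet", 445: "smb", 1433: "mssql",
            3306: "mysql", 3389: "rdp", 5060: "sip"}

# Constructed sample lines: a SIP sweep across three hosts, a multi-port probe
# of one host, a single odd hit, and one unrelated message to be ignored.
SAMPLE_LOGS = [
    "Dec  4 10:15:02.101: %SEC-6-IPACCESSLOGP: list OUTSIDE-IN denied udp "
    "203.0.113.5(5060) -> 192.0.2.10(5060), 1 packet",
    "Dec  4 10:15:03.442: %SEC-6-IPACCESSLOGP: list OUTSIDE-IN denied udp "
    "203.0.113.5(5060) -> 192.0.2.11(5060), 3 packets",
    '%ASA-4-106023: Deny udp src outside:203.0.113.5/5060 dst dmz:192.0.2.12/5060 '
    'by access-group "OUTSIDE-IN" [0x0, 0x0]',
    "Dec  4 10:16:10.007: %SEC-6-IPACCESSLOGP: list OUTSIDE-IN denied tcp "
    "198.51.100.77(40211) -> 192.0.2.10(1433), 1 packet",
    '%ASA-4-106023: Deny tcp src outside:198.51.100.77/40212 dst dmz:192.0.2.10/3389 '
    'by access-group "OUTSIDE-IN" [0x0, 0x0]',
    '%ASA-4-106023: Deny tcp src outside:198.51.100.77/40213 dst dmz:192.0.2.10/22 '
    'by access-group "OUTSIDE-IN" [0x0, 0x0]',
    "Dec  4 10:17:00.000: %SEC-6-IPACCESSLOGP: list OUTSIDE-IN denied tcp "
    "203.0.113.44(51000) -> 192.0.2.10(8000), 1 packet",
    "Dec  4 10:17:01.000: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
]


def parse_event(line: str) -> Optional[Dict[str, object]]:
    """Normalize an IOS or ASA deny line to src/dst/proto/dport/count, else None."""
    for rx in (IOS_RE, ASA_RE):
        m = rx.search(line)
        if m:
            d = m.groupdict()
            return {"src": d["src"], "dst": d["dst"], "proto": d["proto"].lower(),
                    "dport": int(d["dport"]),
                    "count": int(d.get("count") or 1)}   # ASA 106023 is one packet
    return None


def service_name(proto: str, dport: int) -> str:
    return SERVICES.get(dport, f"{proto}/{dport}")


def summarize(lines: Iterable[str]) -> Dict[str, object]:
    """Aggregate denies by service and by source, and label each source's pattern."""
    events = [e for e in map(parse_event, lines) if e]
    by_service: Counter = Counter()
    by_source: Counter = Counter()
    dsts = defaultdict(set)
    ports = defaultdict(set)
    for e in events:
        by_service[service_name(e["proto"], e["dport"])] += e["count"]
        by_source[e["src"]] += e["count"]
        dsts[e["src"]].add(e["dst"])
        ports[e["src"]].add(e["dport"])
    scan_type = {}
    for src in by_source:
        if len(ports[src]) >= 3:
            scan_type[src] = "vertical"      # many services on few hosts
        elif len(dsts[src]) >= 3:
            scan_type[src] = "horizontal"    # one service across many hosts
        else:
            scan_type[src] = "single"
    return {"events": len(events), "by_service": by_service,
            "by_source": by_source, "scan_type": scan_type}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOGS)
    print("denied packets by service:", dict(s["by_service"].most_common()))
    for src, n in s["by_source"].most_common():
        print(f"{src:15} {n:4} packets  {s['scan_type'][src]}")
```

Feed it the real syslog file instead of SAMPLE_LOGS and the two thresholds (three ports, three hosts) become the knobs that separate background noise from a scan worth a ticket.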


Re: [c-nsp] Cisco ASA - Configuring Accounting for Network Access

2011-10-31 Thread harbor235
Assuming you have a recent version of code (8.2.1 and up) you should enable
netflow version 9
support. This will give you a five tuple of relevant flow
information: Protocol,
Src Address, Src Port, Destination Address, Destination Port; perhaps
netflow coupled with user info via accounting will
provide you with what you need.

Mike

On Mon, Oct 31, 2011 at 12:38 PM, Antonio Soares amsoa...@netcabo.pt wrote:

 Hello group,

 I have a customer that was using a Web Proxy to monitor user access to the
 internet. Now the customer is asking me if the ASA can help him monitor the
 users access to the internet because the proxy is not working. He wants to
 know which users are accessing which sites. The only feature I was able to
 find that could help the client is Network Access Accounting:


 http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/access_fwaaa.html#wp1151104

 I made a test in my lab and basically the ASA sends information about the
 source-ip:source-port-destination-ip:destination-port to the aaa server.
 This should be enough but it is not very practical. The customer wants some
 nice real time graphics showing him what users are doing. Do we have any
 solution without replacing the ASA with something else ? Is this just me or
 the reporting capabilities of the ASA are very basic ?


 Thanks.

 Regards,

 Antonio Soares, CCIE #18473 (RS/SP)
 amsoa...@netcabo.pt
 http://www.ccie18473.net







Re: [c-nsp] two bgp sesion on one router

2011-08-23 Thread harbor235
Depends, if the two ISP peers were located at two different POPs and your
layer one connectivity
was diverse this would help your AS in more failure scenarios than a single
threaded design. Of course
I would also diversify the connections onto different linecards/slots as
well.

Mike



On Tue, Aug 23, 2011 at 7:58 AM, Robert Raszuk rob...@raszuk.net wrote:

 Hi zaidoon,

 Nope - I would not recommend that.

 Your better choice is to peer between loopbacks and use
 disable-connected-check knob or BGP multihop.

 Two sessions will cause you to get the same paths two times wasting a
 bit of control plane memory and CPU inbound processing - but that's
 about it. On the peer's side update generation would be the same as your
 peer would only copy at replication. But better is to have single
 session IMHO.

 Cheers,
 R.

  Is it  recommended to terminate
   two bgp session on 12000 xr that  peering with the same isp on the same
 router how
  to handle full routing table ? Any clues
 
  Zaid
 
 
 
 




Re: [c-nsp] two bgp sesion on one router

2011-08-23 Thread harbor235
Robert,

That's why I replied it depends, I wanted to ensure Zaidoon was aware of
scenarios
where it was appropriate.

Mike

On Tue, Aug 23, 2011 at 9:02 AM, Robert Raszuk rob...@raszuk.net wrote:

 Well of course.

 But I assumed that the question is about connecting the given pair of
 ASBRs over parallel physical links between them.

 R,

  Depends, if the two ISP peers were located at two different POPs and your
  layer one connectivity
  was diverse this would help your AS in more failure scenarios than a
 single
  threaded design. Of course
  I would also diversify the connections onto different linecards/slots as
  well.
 
  Mike
 
 
 
  On Tue, Aug 23, 2011 at 7:58 AM, Robert Raszuk rob...@raszuk.net
 wrote:
 
  Hi zaidoon,
 
  Nope - I would not recommend that.
 
  Your better choice is to peer between loopbacks and use
  disable-connected-check knob or BGP multihop.
 
  Two sessions will cause you to get the same paths two times wasting a
  bit of control plane memory and CPU inbound processing - but that's
  about it. On the peer's side update generation would be the same as your
  peer would only copy at replication. But better is to have single
  session IMHO.
 
  Cheers,
  R.
 
  Is it  recommended to terminate
   two bgp session on 12000 xr that  peering with the same isp on the
 same
  router how
  to handle full routing table ? Any clues
 
  Zaid




[c-nsp] Layer connection

2011-06-25 Thread harbor235
So here is my scenario, I have a primary Internet gateway service at
location X
and a backup gateway service at location Y. To add resiliency to my design I
am
thinking about adding a layer 2 device into the mix at location X that uses
a large
SP layer 2 service connecting the two sites at layer2. This layer 2
connection allows me to speak
Ethernet to the remote POP extending my iBGP mesh and providing added
resiliency
in certain failure scenarios.

My question is has anyone used such a service? Does it work well? any
issues?
My initial thoughts: does a remote failure at the POP result in a link down
status
on the other end of the L2 circuit? How does spanning-tree (if it's on) behave
when endpoints
are potentially hundreds of miles apart? convergence issues? spanning-tree
tweaking?

thanks as always,

Mike


[c-nsp] 10 GigE traffic generator

2011-05-31 Thread harbor235
Anyone tested a reliable 10 GigE traffic generator capable of layer 2-7
that can also simulate client server type connections? I have purchased
one such simulator with mixed results, hopefully someone in the community
has had success somewhere else?

thanx in advance,

Mike


Re: [c-nsp] setup for LAN party

2011-04-21 Thread harbor235
Did you really daisy chain your switches like that?


mike

On Thu, Apr 21, 2011 at 10:36 AM, Martin T m4rtn...@gmail.com wrote:

 I have a following setup:
 http://img534.imageshack.us/img534/7190/lanparty.png

 I can manage all the switches + Cisco 2801 router. Cisco 7206VXR is
 managed by university IT staff- they will allocate an IP address with
 DHCP server to Cisco 2801 Fa0/1. In total, there are 200 hosts in the
 LAN divided between 8 switches. Main communication will take place
 between the hosts via switches and only Internet traffic will move
 over the WS-C2950T-24[Fa0/1] - [Fa0/0]Cisco2801 link. Internet
 connection provided by ISP is 40Mbps.


 The main question is how to allocate guaranteed bandwidth to
 WWW-server(~3-4Mbps). There is a camera connected to WWW-server, which
 will broadcast the live stream from the event to justin.tv(or similar
 site). Is it possible to configure Cisco 2801 in such manner, that 10%
 of all Internet traffic is guaranteed to WWW-server+camera and rest is
 for all the hosts in the LAN?


 regards,
 martin



Re: [c-nsp] Sftp Hanging Cisco 3660 (HSRP active)

2011-04-14 Thread harbor235
Sounds like an MTU issue.

mike

On Thu, Apr 14, 2011 at 12:48 PM, Bunny Singh jump2fl...@yahoo.com wrote:




 I'm having a problem with incoming SFTP hanging. I can see the
 initial handshake occurring but the directory listing not coming and giving a
 timeout. Users are trying to access our sftp server from public; I am getting a
 positive result by running 'telnet servername 22'. But when I
 try to connect via sftp from the command prompt or through Filezilla then I am
 getting a time out and no directory showing. This is happening only when my
 3660 is the active HSRP router, and the same sftp service works fine when my
 4948 is the active HSRP router.

 Actually I'm running two cisco devices (One is  3660  second is 4948 with
 BGP peering with 2 ISPs. we are running HSRP. I have web servers behind
 these routers and they seem to be behaving just fine.  I'm at a loss as to
 what could be causing this problem.  I've put known good sftp server on the
 same network and had the same issue with it as well.  When I trying to
 connect through our native network ,it works fine, no delay after the
 initial handshake.   Any ideas as to what could be causing this or what I
 should look at?


 Regards
 Singh



Re: [c-nsp] 3800 stuck in rommon

2010-06-16 Thread harbor235
Thanx for all the replies. I kicked off xmodem last night and when I came
back in this morning the IOS was on the flash. I am not sure why I could not
tftpdnld the image with a tftp server that supports large file transfers, but
at least the router is up.

thanx again,

harbor235

On Tue, Jun 15, 2010 at 10:54 PM, Christopher J. Wargaski
 war...@gmail.com wrote:

 Hey--

   Can you connect the card to your workstation or laptop? I recently
 worked on a project that required multiple 3845 routers. I upgraded
 the IOS and placed a base config on each flash card with my laptop (flash
 card reader with a USB interface on it).

   Windows XP saw the flash card as another drive and let me read and
 write to it.

 cjw




[c-nsp] 3800 stuck in rommon

2010-06-15 Thread harbor235
I have a 3825 stuck in rommon. I am using a 2800 PCMCIA card in flash (the
original is missing); I have assumed the filesystems are compatible and that I
can use the 2800 PCMCIA. I set up a tftp server to download a new IOS image;
the download starts with no problem and the image is transferring fine, then
near the end I get a timeout.

My questions:

1) Are the 2800 and 3800 using compatible filesystems?
2) How do I get a new IOS image on the PCMCIA, I do not have another 3800.

There are some old files on the card, I never get to the part where ROMMON
erases the flash.
Any help would be appreciated.

harbor235 ;}


Re: [c-nsp] 3800 stuck in rommon

2010-06-15 Thread harbor235
The entire contents of the flash is erased, or so says the dialogue when you
initiate tftpdnld. It is a 64M compact flash card.
The CF card reader sounds interesting.

Xmodem is ongoing, this will be very painful,

harbor235
On Tue, Jun 15, 2010 at 2:45 PM, Peter Rathlev pe...@rathlev.dk wrote:

 On Tue, 2010-06-15 at 13:54 -0400, harbor235 wrote:
  I setup a tftp server to download a new IOS image, the download starts
  with no problem, the image is transferring fine, then near the end I
  get a timeout.

 And it's not just because the flash card has too little available space?

 --
 Peter





Re: [c-nsp] 3800 stuck in rommon

2010-06-15 Thread harbor235
The CF card is 64 MB and the image is approx 40 MB, so that can't be it.

I could use the USB port for booting if my rommon version supported it; it does
not ;-{

Can I upgrade rommon from rommon? I am still looking via cisco.com; I tried
rommon-pref, not sure how to use that.

I kicked off xmodem, hopefully it will be done tomorrow morning!

I found a reference that the 2800 and the 3800 support class B and C
file-systems, so

There is also a tftpdnld switch that allows you to copy it directly to DRAM
and boot without copying to flash; that did not work either.


I appreciate all the help. The initial tftpdnld should have worked: IOS
size, checksum, etc. all good ...


harbor235 ;}



On Tue, Jun 15, 2010 at 4:40 PM, Andriy Bilous andriy.bil...@gmail.com wrote:

 iirc the 3825 has a USB socket which is accessible from rommon and if I am not
 mistaken you could boot from it.



Re: [c-nsp] Getting serial number for 3640s

2010-02-23 Thread harbor235
It is supported with 12.3 for sure ..

On Tue, Feb 23, 2010 at 3:01 PM, Steven Pfister spfis...@dps.k12.oh.us wrote:

 Is that supported by 3640? We may have old versions of IOS... it doesn't
 seem to be recognized by any of the ones I've tried.

 Steve Pfister
 Technical Coordinator,
 The Office of Information Technology
 Dayton Public Schools
 115 S. Ludlow St.
 Dayton, OH 45402

 Office (937) 542-3149
 Cell (937) 673-6779
 Direct Connect: 137*131747*8
 Email spfis...@dps.k12.oh.us


  Nick Hilliard n...@inex.ie 2/23/2010 2:57 PM 
  On 23/02/2010 19:27, Steven Pfister wrote:
  I'm going over a customer's inventory, and I'm having some trouble with
  serial numbers. How do you get the serial number for a 3640 router? I
  usually look for the processor board ID in 'sho ver', but that's not
  matching what's listed in the inventory.

 show inventory?

 Nick


Re: [c-nsp] IPv6 ns-interval 12.2(33)SRE ASA 8.2(2)

2010-01-13 Thread harbor235
Tim,

I got the following from Cisco pertaining to your error message:


Explanation: Another router on the link has sent router advertisements
with parameters that conflict with this router.

Recommended Action: Verify that all IPv6 routers on the link have the same
parameters in the router advertisement for hop-limit, managed-config-flag,
other-config-flag, reachable-time and ns-interval. Also verify that the
preferred and valid lifetimes for the same prefix advertised by several
routers are the same. Enter the *show ipv6 interface* command to list the
parameters per interface.

mike

On Wed, Jan 13, 2010 at 7:31 AM, Timothy Arnold 
timothy.arn...@uksolutions.co.uk wrote:

 Hi Guys,
 I'm hoping there is someone out there who knows a bit more about IPv6 than
 I do :)

 Enabled ipv6 between the Cisco 7600 running 12.2(33)SRE and a pair of Cisco
 ASA firewalls running 8.2(2) (in HA). I get the following from the 7600

 %IPV6-3-CONFLICT: Router FE80::21A:E2FF:FE68:50AA on Vlan2008 has
 conflicting ND settings

 show ipv6 routers shows the only real difference is the retransmit time.
 On the 7600 it is 0 ms (which I understand to be unspecified rather than
 0) and on the ASA the default is 1000.

 cr1-sdf2.uk#show ipv6 routers vlan2008
 Router FE80::21A:E2FF:FE68:50AA on Vlan2008, last update 0 min, CONFLICT
  Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500
  HomeAgentFlag=0, Preference=Medium
  Reachable time 0 msec, Retransmit time 1000 msec
  Prefix 2A02:298:0:4::/112 onlink autoconfig
Valid lifetime 2592000, preferred lifetime 604800

 colofw1/act# show ipv6 routers
 Router fe80::21b:dff:fee5:ae00 on outside, last update 0 min
  Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500
  Reachable time 0 msec, Retransmit time 0 msec
  Prefix 2a02:298:0:4::/112 onlink autoconfig
Valid lifetime 2592000, preferred lifetime 604800

 Adding the following configuration to the 7600 corrects the issue:

 ipv6 nd ns-interval 1000

 cr1-sdf2.uk(config-if)#do show ipv6 routers vlan2008
 Router FE80::21A:E2FF:FE68:50AA on Vlan2008, last update 0 min
  Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500
  HomeAgentFlag=0, Preference=Medium
  Reachable time 0 msec, Retransmit time 1000 msec
  Prefix 2A02:298:0:4::/112 onlink autoconfig
Valid lifetime 2592000, preferred lifetime 604800

 Both ends are now the same and no conflict occurs. Any ideas why it's
 complaining? I thought that the unspecified nature of ns-interval means that
 it would accept the 1000 milliseconds from the other end?

 Thanks
 Tim



 Timothy Arnold
 Senior Engineer, Operations (Network, Security & Facilities Group),
 UKSolutions

 Telephone: 0845 004 1333, option 2
 Email: timothy.arn...@uksolutions.co.uk
 Web: http://www.uksolutions.co.uk/
 UKS Ltd, Birmingham Road, Studley, Warwickshire, B80 7BG Registered in
 England Number 3036806
 This email must be read in conjunction with the legal & service notices on
 http://www.uksolutions.co.uk/disclaimer.html
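The parameter check described in the Cisco text Mike quotes, as an added example that is not code from the thread: it parses two `show ipv6 routers` entries constructed from the listings above (the entry the 7600 holds for the ASA and the entry the ASA holds for the 7600, i.e. each side's view of the other's RA) and reports which RA parameters disagree. The `ignore_unspecified` switch applies RFC 4861's rule that a zero hop limit, reachable time or retransmit timer is "unspecified" and is not compared, so the strict comparison reproduces the CONFLICT while the RFC-style one does not; the third "unknown router" entry is invented.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample output, modelled line for line on the two `show ipv6
# routers` listings quoted above. The first entry is what the 7600 holds
# for the ASA's RAs, the second what the ASA holds for the 7600's RAs, so
# comparing the two compares the two routers' advertised parameters.
RA_FROM_ASA = """\
Router FE80::21A:E2FF:FE68:50AA on Vlan2008, last update 0 min, CONFLICT
  Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500
  HomeAgentFlag=0, Preference=Medium
  Reachable time 0 msec, Retransmit time 1000 msec
  Prefix 2A02:298:0:4::/112 onlink autoconfig
    Valid lifetime 2592000, preferred lifetime 604800
"""
RA_FROM_7600 = """\
Router fe80::21b:dff:fee5:ae00 on outside, last update 0 min
  Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500
  Reachable time 0 msec, Retransmit time 0 msec
  Prefix 2a02:298:0:4::/112 onlink autoconfig
    Valid lifetime 2592000, preferred lifetime 604800
"""
# Invented third router on the link (address and values are made up) to
# show what a genuine mismatch reports.
RA_FROM_UNKNOWN = """\
Router fe80::1 on Vlan2008, last update 0 min
  Hops 32, Lifetime 1800 sec, AddrFlag=1, OtherFlag=0, MTU=1500
  Reachable time 30000 msec, Retransmit time 1000 msec
  Prefix 2a02:298:0:4::/112 onlink autoconfig
    Valid lifetime 86400, preferred lifetime 3600
"""


@dataclass
class RaParams:
    router: str
    hop_limit: int = 0
    managed_flag: int = 0     # AddrFlag, the M bit
    other_flag: int = 0       # OtherFlag, the O bit
    reachable_time: int = 0   # msec; 0 means unspecified
    retransmit_time: int = 0  # msec (ns-interval); 0 means unspecified
    # prefix -> (valid lifetime, preferred lifetime)
    prefixes: Dict[str, Tuple[int, int]] = field(default_factory=dict)


_ROUTER = re.compile(r"^Router (\S+) on (\S+)")
_FLAGS = re.compile(r"Hops (\d+), Lifetime \d+ sec, AddrFlag=(\d), OtherFlag=(\d)")
_TIMERS = re.compile(r"Reachable time (\d+) msec, Retransmit time (\d+) msec")
_PREFIX = re.compile(r"^Prefix (\S+)")
_LIFETIMES = re.compile(r"Valid lifetime (\d+), preferred lifetime (\d+)")


def parse_ipv6_routers(text: str) -> RaParams:
    """Parse one `show ipv6 routers` entry into its RA parameters."""
    params: Optional[RaParams] = None
    prefix: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _ROUTER.match(line):
            params = RaParams(router=m.group(1).lower())
        elif params is None:
            continue
        elif m := _FLAGS.search(line):
            params.hop_limit = int(m.group(1))
            params.managed_flag = int(m.group(2))
            params.other_flag = int(m.group(3))
        elif m := _TIMERS.search(line):
            params.reachable_time = int(m.group(1))
            params.retransmit_time = int(m.group(2))
        elif m := _PREFIX.match(line):
            prefix = m.group(1).lower()
        elif (m := _LIFETIMES.search(line)) and prefix:
            params.prefixes[prefix] = (int(m.group(1)), int(m.group(2)))
    if params is None:
        raise ValueError("no 'Router ... on ...' entry found")
    return params


# Parameters that Cisco's explanation above says must agree on a link.
# RFC 4861 section 6.2.7 treats a zero hop limit, reachable time or
# retransmit timer as "unspecified" and leaves it out of the check; strict
# mode compares those too, reproducing the CONFLICT the 7600 raised.
_CHECKED = ("hop_limit", "managed_flag", "other_flag", "reachable_time", "retransmit_time")
_ZERO_IS_UNSPECIFIED = {"hop_limit", "reachable_time", "retransmit_time"}


def find_conflicts(a: RaParams, b: RaParams, ignore_unspecified: bool = True) -> List[str]:
    """Names of RA parameters on which routers a and b disagree."""
    conflicts: List[str] = []
    for name in _CHECKED:
        va, vb = getattr(a, name), getattr(b, name)
        if ignore_unspecified and name in _ZERO_IS_UNSPECIFIED and 0 in (va, vb):
            continue
        if va != vb:
            conflicts.append(name)
    # Lifetimes are compared only for prefixes both routers advertise.
    for prefix in sorted(set(a.prefixes) & set(b.prefixes)):
        if a.prefixes[prefix] != b.prefixes[prefix]:
            conflicts.append(f"lifetimes:{prefix}")
    return conflicts
```

Run `find_conflicts(parse_ipv6_routers(RA_FROM_ASA), parse_ipv6_routers(RA_FROM_7600))` with and without `ignore_unspecified` to see the two readings side by side.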


Re: [c-nsp] NAT-Device with authentication ?

2009-12-16 Thread harbor235
The Cisco ASA proxy authentication would authenticate you prior to being
NAT'd; if that fails you are prevented from gaining external access. This
can be accomplished for any application you wish. I am sure most if not all
enterprise class firewalls have this feature.

Mike




On Wed, Dec 16, 2009 at 9:59 AM, David Freedman david.freed...@uk.clara.net
 wrote:

 did you look at VLAN segregation pre/post authentication with either
 802.1x (integrated auth) or VMPS (external auth)?

 Dave.

 Andreas Mueller wrote:
 
  Hello,
 
   are there any (Cisco) NAT devices which enable NAT after the user
   has done some kind of authentication, which is checked against a
   RADIUS server or an Active Directory for example? What I need is like a
   captive portal connected to a NAT device.
   The scenario I try to have is: the user will get his IP address from a
   private IP range via DHCP after connecting his computer to the network.
   With this address he should be able to connect to services within his
   internal network. But to connect to computers outside his network he
   should authenticate himself.
  
   thanks for hints & greetings,
 
  Andreas
 
 
  
  


[c-nsp] MPLS - collapsed P PE

2009-12-01 Thread harbor235
Is anyone out there utilizing a collapsed P/PE in their MPLS networks?
Do you regret deploying the architecture, and what are the problem areas, if
any?

I assume it's a dollar issue and as long as you have minimal PE to CE
aggregation this is the way to go. However, if you need to scale this solution
then the price per CE port can get costly on the single platform. Adding a PE
is cheaper than adding a P!!
Can you migrate to a separate P and PE easily?


thanx

Mike


Re: [c-nsp] Strange Pix Firewall issue. Proxy Arp

2009-10-01 Thread harbor235
Or, the devices on the inside network have an incorrect mask.


mike

On Wed, Sep 30, 2009 at 11:00 PM, David White, Jr. (dwhitejr) 
dwhit...@cisco.com wrote:

 Hi Brad,

 The below static would not cause the behavior you describe.
 Are you sure you don't have another static (outside,inside)...
 statement which covers the network range of the inside network?

 As a temporary workaround you can most likely disable proxy-arps on the
 inside interface via 'sysopt noproxyarp inside'.

 Sincerely,

 David.


 Brad Case wrote:
  Hi there,
 
   I am having a very strange issue on a Pix firewall:
 
  The following is configured:
 
  nameif vlan2512 INSIDE security22
  nameif vlan2100 OUTSIDE security20
 
  ip address INSIDE 192.168.35.129 255.255.255.128 standby 192.168.35.130
  ip address OUTSIDE 192.168.35.1 255.255.255.128 standby 192.168.35.2
 
  # Identity NAT statement:
 
  static (INSIDE,OUTSIDE) 192.168.35.128 192.168.35.128 netmask
  255.255.255.128
 
   With the above configuration I am getting a strange thing happening with
   proxy ARP. If a server on the INSIDE interface does an ARP request for an
   IP in the same subnet range as the INSIDE interface, for an IP address other
   than 192.168.35.129 or 192.168.35.130, the firewall is replying to it. Can
   anybody explain the reason why this behaviour would be occurring with the
   above?


[c-nsp] modular code for the 6500

2009-09-24 Thread harbor235
Is anyone out there using 6500 modular code? Is it stable? I have a 6509
with a 720-3B; I would like to use the modular code but also do not want
instability. Any thoughts/experiences would be appreciated.

mike


Re: [c-nsp] GSR 12k GRP Images?!?

2009-08-20 Thread harbor235
They are still there, 12.0(32)SY9 is the latest. There is an S release as well
but it is not as widely deployed.
I was looking today, go figure.

mike

On Thu, Aug 20, 2009 at 4:49 PM, Michael K. Smith - Adhost 
mksm...@adhost.com wrote:

 Hello:

 Does anyone know what happened to the 12.0S GRP images?  The software
 navigator only shows PRP images.

 Regards,

 Mike

 --
 Michael K. Smith - CISSP, GISP
 Chief Technical Officer - Adhost Internet LLC mksm...@adhost.com
 w: +1 (206) 404-9500 f: +1 (206) 404-9050
 PGP: B49A DDF5 8611 27F3  08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)




Re: [c-nsp] Management Vlan VS Vlan1

2009-08-19 Thread harbor235
I would not use VLAN 1 for disabled ports either; create a PARK vlan and
reassign all unused disabled ports to the PARK vlan. That way vlan 1 has no
chance to be mistakenly activated.

mike

On Wed, Aug 19, 2009 at 3:02 AM, Seth Mattinen se...@rollernet.us wrote:

 shadow floating wrote:
  Hi All,
   I just have a question. As we know, Cisco reserves VLAN 1 for
   management issues and network-management protocols like CDP,
   VTP and the like, and all access from other VLANs to this VLAN should
   be restricted except from the management VLAN. As for our network, we
   are implementing a new management VLAN on a VLAN id other than 1
   according to some consultant's advice. My question is: is there any
   benefit in migrating the management (all managing and managed devices)
   to another VLAN other than VLAN 1? Won't we in this case have to
   protect two VLANs (VLAN 1 and the new management VLAN)? Or is there
   a real benefit in the migration of the management VLAN, as to my
   knowledge VLAN 1 can not be disabled or even pruned on trunk links?
  
   appreciating your comments
   thanks a lot
 

 I don't use VLAN 1 at all anywhere. Except for the disabled ports.

 ~Seth
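A config audit for the practice Mike describes, as an added example that is not from the thread: it parses a constructed IOS running-config excerpt, flags access ports that still sit in VLAN 1 (live, or merely shut down without being parked), and emits the lines that move the disabled ports into the PARK vlan. It also flags trunks whose native VLAN is still 1, a companion check the thread does not ask for; the PARK vlan number 999 and the interface names are assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

PARK_VLAN = 999  # assumed PARK vlan number; use whatever is unused on your switch

# Constructed running-config excerpt (not from any real switch). A port with
# no `switchport access vlan` line is in VLAN 1, the IOS default.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/0/1
 description user port, correctly assigned
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/2
 description unused: shut down but left in VLAN 1
 switchport mode access
 shutdown
!
interface GigabitEthernet1/0/3
 description unused: parked and shut down
 switchport access vlan 999
 switchport mode access
 shutdown
!
interface GigabitEthernet1/0/4
 description forgotten port: live and in VLAN 1
 switchport mode access
!
interface GigabitEthernet1/0/5
 description uplink, native VLAN left at the default
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
"""


@dataclass
class Port:
    name: str
    mode: str = "access"
    access_vlan: int = 1   # IOS default when no access vlan is configured
    native_vlan: int = 1   # IOS default trunk native VLAN
    shutdown: bool = False


def parse_interfaces(config: str) -> List[Port]:
    """Collect the switchport settings of each interface stanza."""
    ports: List[Port] = []
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = Port(name=raw.split(None, 1)[1].strip())
            ports.append(current)
        elif not raw.startswith(" "):
            current = None  # "!" or any other top-level line ends the stanza
        elif current is not None:
            cmd = raw.strip()
            if cmd == "switchport mode trunk":
                current.mode = "trunk"
            elif cmd == "switchport mode access":
                current.mode = "access"
            elif cmd.startswith("switchport access vlan "):
                current.access_vlan = int(cmd.rsplit(None, 1)[1])
            elif cmd.startswith("switchport trunk native vlan "):
                current.native_vlan = int(cmd.rsplit(None, 1)[1])
            elif cmd == "shutdown":
                current.shutdown = True
    return ports


def audit_vlan1(ports: List[Port], park_vlan: int = PARK_VLAN) -> List[Tuple[str, str]]:
    """(interface, finding) for every port that still depends on VLAN 1."""
    findings: List[Tuple[str, str]] = []
    for p in ports:
        if p.mode == "trunk":
            if p.native_vlan == 1:
                findings.append((p.name, "trunk native VLAN is 1"))
        elif p.shutdown:
            if p.access_vlan != park_vlan:
                findings.append((p.name, f"disabled port not in PARK vlan {park_vlan} "
                                         f"(access vlan {p.access_vlan})"))
        elif p.access_vlan == 1:
            findings.append((p.name, "active access port in VLAN 1"))
    return findings


def park_commands(ports: List[Port], park_vlan: int = PARK_VLAN) -> List[str]:
    """Config lines that move every disabled access port into the PARK vlan."""
    lines: List[str] = []
    for p in ports:
        if p.mode == "access" and p.shutdown and p.access_vlan != park_vlan:
            lines += [f"interface {p.name}", f" switchport access vlan {park_vlan}", " shutdown"]
    return lines


if __name__ == "__main__":
    ports = parse_interfaces(SAMPLE_CONFIG)
    for name, finding in audit_vlan1(ports):
        print(f"{name}: {finding}")
    print("\n".join(park_commands(ports)))
```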


Re: [c-nsp] MST spanning-tree

2009-07-23 Thread harbor235
When adding ports to a spanning-tree instance, spanning-tree discovers and
eliminates loops in the topology. What you are experiencing is an as-designed
feature of spanning tree.

You can segment your layer 2 domain via PVST/PVST+, or you can segment your
layer 2 domain using MST via customer spanning-tree instances, infrastructure
spanning-tree instances, MST regions, etc ... I believe the max MST SPT
instances per device is 65; the answer is to segment where possible and to
group vlans onto a region or MST SPT instance to minimize downtime. So one
device, or pair of devices, could support up to 65 separate MST SPT instances
(65 customers).

Mike



On Thu, Jul 23, 2009 at 1:34 PM, Steven Fischer sfischer1...@gmail.com wrote:

 When we relocated our data center, we opted to deploy MST as the
 spanning-tree protocol, given that our data center is almost exclusively
 layer 2, we have a lot of vlans, and that number is only going to grow.  We
 have two spanning-tree MST instances, 1 and 2, and each contains the vlans
 that are either odd (instance 1), or even (instance 2).

 It seems that we can create VLANs with no issue, and by default, those
 VLANs
 are placed in the default instance, instance 0.  This really isn't a
 problem, but when we move the VLAN into its proper instance, a
 spanning-tree
 recalc appears to occur, the duration of which is long enough to interrupt
 data transfers that may be going on at the time.  Other than returning to
 PVST/PVST+, is there a way to avoid this recalc taking out half the VLANs
 in
 the data center for 30 seconds when adding it to the proper instance?  Will
 our planned migration to VSS mitigate this to any degree, and if so, how
 much?

 --
 To him who is able to keep you from falling and to present you before his
 glorious presence without fault and with great joy


Re: [c-nsp] CE routes

2009-07-15 Thread harbor235
I see, PE to CE routing protocols are segmented from PE to P routing
protocols. So for PE to PE traffic, the ingress LSR only needs to know how to
route to the egress PE router via the IGP label; once there, the VPN label
forwards traffic to the proper VRF. The next-hop for the destination route
comes into play only once at the egress PE?

Mike



On Tue, Jul 14, 2009 at 3:02 PM, Ivan Pepelnjak i...@ioshints.info wrote:

 CE-PE subnets are part of VRF and thus cannot be inserted into the core
 IGP,
 only in MP-BGP. It's way easier (and more scalable) to redistribute them
 than to list them in the per-VRF BGP configuration.

 Ivan

 http://www.ioshints.info/about
 http://blog.ioshints.info/



[c-nsp] CE routes

2009-07-14 Thread harbor235
I was just reading best practices for MPLS implementations regarding CE to
CE connectivity issues, specifically CE to CE pings. The document stated that
redistributing connected PE routes into BGP was the preferred method to ensure
CE to CE ping success as well as to avoid other connectivity issues. This will
inject the route for the PE to CE interface into BGP. I am not sure I agree;
why not explicitly define which networks to advertise in the IGP, as an IGP in
MPLS networks is supposed to hold all infrastructure routes anyway? Are these
interfaces considered infrastructure or customer interfaces? One reason may be
to reduce the number of infrastructure routes in the IGP because of the
potential for many CE to PE interfaces, and let BGP handle the large number of
routes?

I am curious which method is employed in the wild. Also I am not sure all
connected routes should be advertised from the PE, e.g. management/infrastructure
interfaces etc ...

What are your thoughts and how is it being done?

mike


Re: [c-nsp] Network Performance

2009-06-17 Thread harbor235
I am definitely aware of IP SLA and also agree that it is very useful;
however, this customer's network is Juniper so I will be unable to utilize
that feature.

MTR looks like it is doable; however, it uses ICMP. I doubt that you can get
an accurate picture of the network using ICMP. Can it be programmed to use
TCP or UDP and vary the packet size?

mike

On Tue, Jun 16, 2009 at 4:35 PM, Matthew Huff mh...@ox.com wrote:

 We are a Cisco shop, so we use the ip sla feature of newer IOS releases with
 CiscoWorks LMS. Netflow is useful for traffic monitoring, but for latency and
 jitter, the Cisco featureset is really nice.

 For example, between two of our voice gateway boxes (running SIP trunking
 between them) in NY & SF:

 rtr-nyvoip#show ip sla statistics aggregated 1
 IPSLAs aggregated statistics

 IPSLA operation id: 1
 Start Time Index: .16:15:07.749 EDT Tue Jun 16 2009
 Type of operation: udp-jitter
 Voice Scores:
 MinOfICPIF: 11  MaxOfICPIF: 11  MinOfMOS: 4.6   MaxOfMOS: 4.6
 RTT Values:
Number Of RTT: 18000RTT Min/Avg/Max: 91/91/96
 milliseconds
 Latency one-way time:
Number of Latency one-way Samples: 0
Source to Destination Latency one way Min/Avg/Max: 0/0/0
 milliseconds
Destination to Source Latency one way Min/Avg/Max: 0/0/0
 milliseconds
 Jitter Time:
Number of SD Jitter Samples: 17982
Number of DS Jitter Samples: 17982
Source to Destination Jitter Min/Avg/Max: 0/1/4 milliseconds
Destination to Source Jitter Min/Avg/Max: 0/1/4 milliseconds
 Packet Loss Values:
Loss Source to Destination: 0   Loss Destination to Source:
 0
Out Of Sequence: 0  Tail Drop: 0
Packet Late Arrival: 0  Packet Skipped: 0
 Number of successes: 18
 Number of failures: 0

 Start Time Index: .15:15:07.749 EDT Tue Jun 16 2009
 Type of operation: udp-jitter
 Voice Scores:
 MinOfICPIF: 11  MaxOfICPIF: 11  MinOfMOS: 4.6   MaxOfMOS: 4.6
 RTT Values:
Number Of RTT: 6RTT Min/Avg/Max: 91/91/103
 milliseconds
 Latency one-way time:
Number of Latency one-way Samples: 0
Source to Destination Latency one way Min/Avg/Max: 0/0/0
 milliseconds
Destination to Source Latency one way Min/Avg/Max: 0/0/0
 milliseconds
 Jitter Time:
Number of SD Jitter Samples: 59940
Number of DS Jitter Samples: 59940
Source to Destination Jitter Min/Avg/Max: 0/1/11 milliseconds
Destination to Source Jitter Min/Avg/Max: 0/1/7 milliseconds
 Packet Loss Values:
Loss Source to Destination: 0   Loss Destination to Source:
 0
Out Of Sequence: 0  Tail Drop: 0
Packet Late Arrival: 0  Packet Skipped: 0
 Number of successes: 60
 Number of failures: 0

 The config is:

 ip sla responder
 ip sla logging traps
 ip sla 1
  udp-jitter x.x.x.x 12420 source-ip x.x.x.x codec g729a
 ip sla schedule 1 life forever start-time now


 
 Matthew Huff   | One Manhattanville Rd
 OTA Management LLC | Purchase, NY 10577
 http://www.ox.com  | Phone: 914-460-4039
 aim: matthewbhuff  | Fax:   914-460-4139





[c-nsp] Network Performance

2009-06-16 Thread harbor235
I wanted to ping everyone on tools they were using to understand the
performance of their network, specifically, measuring packet loss, latency,
and jitter.

mike


Re: [c-nsp] 7507 - 12.4.23 - bgp_cpu2timeout message

2009-03-28 Thread harbor235
Greg,

I looked up the message and it appears to be a cosmetic bug.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprofforum=Network%20Infrastructuretopic=WAN%2C%20Routing%20and%20SwitchingtopicID=.ee71a06CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40^1%40%40.2cd25b2a/1#selected_message

mike

On Sat, Mar 28, 2009 at 12:51 AM, Gregory Boehnlein da...@nacs.net wrote:

 One of our core routers was upgraded to 12.4.23 a few hours ago, and since
 the upgrade, we have been seeing the following message in our log files.

 Mar 27 23:32:15.570 EDT: bgp_cpu2timeout: seconds: 3, slot: 3 for 5:
 51%
 and 1: 27%

 I can't really find any specific references to this error message on the
 7500 anywhere on the net, but I did see someone posting here about having
 the issue on a 7206-VXR. Anyone have any clues as to whether this is a
 benign message?



[c-nsp] network management

2009-03-25 Thread harbor235
I am looking to gather information on what metrics NOCs collect for tier 2
and tier 3 personnel for WAN status and performance monitoring.

I feel the following are useful; any additional info on beneficial metrics
will be helpful.

Interface/Node availability
latency/jitter on major network paths as well as other requested links
(define thresholds for nominal, impacted, severely impacted)
overall WAN availability
network path availability
interface utilizations (thresholds defined)
top sources (netflow, sflow)
top ASes (netflow, sflow)
top talkers (netflow, sflow)
packet loss (how is packet loss done, is it done from a probing perspective
or by collecting interface stats?)


Just off the top of my head, I am looking to quantify/identify a well
performing network as well as a problem network.

mike
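Pulling the numbers out of the `show ip sla statistics aggregated` output quoted in the Network Performance thread and scoring them against the nominal / impacted / severely impacted classes asked about in the post above, as an added example serving both threads (not code from either poster). The sample output is constructed from that listing, trimmed to the lines the parser reads, with the second hour's figures invented to show a degraded path; the threshold values are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Assumed thresholds as (impacted_at, severely_impacted_at); invented for this
# example, not taken from the threads. Tune them per network and per path.
THRESHOLDS = {
    "rtt_avg_ms": (150.0, 300.0),
    "jitter_avg_ms": (10.0, 30.0),
    "loss_pct": (0.1, 1.0),
}
LEVELS = ("nominal", "impacted", "severely impacted")

# Constructed sample modelled on the `show ip sla statistics aggregated`
# output quoted above, cut down to the lines parsed below. The first hour
# repeats the numbers shown there; the second hour's numbers are invented.
SAMPLE = """\
IPSLA operation id: 1
Start Time Index: 16:15:07.749 EDT Tue Jun 16 2009
Type of operation: udp-jitter
RTT Values:
   Number Of RTT: 18000    RTT Min/Avg/Max: 91/91/96 milliseconds
Jitter Time:
   Source to Destination Jitter Min/Avg/Max: 0/1/4 milliseconds
   Destination to Source Jitter Min/Avg/Max: 0/1/4 milliseconds
Packet Loss Values:
   Loss Source to Destination: 0   Loss Destination to Source: 0

Start Time Index: 15:15:07.749 EDT Tue Jun 16 2009
Type of operation: udp-jitter
RTT Values:
   Number Of RTT: 5400    RTT Min/Avg/Max: 91/140/310 milliseconds
Jitter Time:
   Source to Destination Jitter Min/Avg/Max: 0/12/48 milliseconds
   Destination to Source Jitter Min/Avg/Max: 0/4/9 milliseconds
Packet Loss Values:
   Loss Source to Destination: 37   Loss Destination to Source: 60
"""


@dataclass
class JitterBucket:
    start: str
    rtt_count: int
    rtt_avg: int
    sd_jitter_avg: int
    ds_jitter_avg: int
    loss_sd: int
    loss_ds: int

    @property
    def loss_pct(self) -> float:
        """Lost probes as a percentage of probes sent (answered + lost)."""
        sent = self.rtt_count + self.loss_sd + self.loss_ds
        return 100.0 * (self.loss_sd + self.loss_ds) / sent if sent else 0.0


_START = re.compile(r"^Start Time Index: (.+)$")
_RTT = re.compile(r"Number Of RTT: (\d+)\s+RTT Min/Avg/Max: (\d+)/(\d+)/(\d+)")
_SD_JITTER = re.compile(r"Source to Destination Jitter Min/Avg/Max: (\d+)/(\d+)/(\d+)")
_DS_JITTER = re.compile(r"Destination to Source Jitter Min/Avg/Max: (\d+)/(\d+)/(\d+)")
_LOSS = re.compile(r"Loss Source to Destination: (\d+)\s+Loss Destination to Source: (\d+)")


def parse_aggregated(text: str) -> List[JitterBucket]:
    """Split the output into its hourly buckets and pull out the scored fields."""
    buckets: List[dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := _START.match(line):
            buckets.append({"start": m.group(1)})
        elif not buckets:
            continue  # header lines before the first bucket
        elif m := _RTT.search(line):
            buckets[-1].update(rtt_count=int(m[1]), rtt_avg=int(m[3]))
        elif m := _SD_JITTER.search(line):
            buckets[-1]["sd_jitter_avg"] = int(m[2])
        elif m := _DS_JITTER.search(line):
            buckets[-1]["ds_jitter_avg"] = int(m[2])
        elif m := _LOSS.search(line):
            buckets[-1].update(loss_sd=int(m[1]), loss_ds=int(m[2]))
    return [JitterBucket(**b) for b in buckets]


def level(metric: str, value: float) -> str:
    """Map a metric value onto nominal / impacted / severely impacted."""
    impacted_at, severe_at = THRESHOLDS[metric]
    if value >= severe_at:
        return LEVELS[2]
    if value >= impacted_at:
        return LEVELS[1]
    return LEVELS[0]


def classify(b: JitterBucket) -> Dict[str, str]:
    """Per-metric levels plus the worst of them as the bucket's overall state."""
    result = {
        "rtt_avg_ms": level("rtt_avg_ms", b.rtt_avg),
        "jitter_avg_ms": level("jitter_avg_ms", max(b.sd_jitter_avg, b.ds_jitter_avg)),
        "loss_pct": level("loss_pct", b.loss_pct),
    }
    result["overall"] = max(result.values(), key=LEVELS.index)
    return result
```

Calling `classify` on each bucket from `parse_aggregated(SAMPLE)` gives "nominal" for the first hour and "severely impacted" for the invented second hour, driven by its loss percentage.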


Re: [c-nsp] learned routes disappear

2009-02-06 Thread harbor235
Most likely the 5 routes are not reachable. If you just added the routes via
a supernet advertisement and they do not exist elsewhere, either locally
connected or learned via an IGP, this behavior will happen. This is normal and
the correct way for BGP to operate.

mike

On Fri, Feb 6, 2009 at 12:47 PM, Paul A ra...@meganet.net wrote:

 Thanks Walter.

 I really didn't want to mess with debug as it's a production router and I
 would have to do this late night, hopefully without crashing it. I really
 was hoping someone ran into this issue before.

 FYI the 1st update-source is from router A to my bgp customer on fa1/43 the
 other is from router A to router B on loop0
 So I think that's fine.

 -Original Message-
 From: Walter Keen [mailto:walter.k...@rainierconnect.net]
 Sent: Friday, February 06, 2009 12:40 PM
 To: Paul A
 Cc: cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] learned routes disappear

 I would turn on debugging and see if 1:15m corresponds to one of the BGP
 nexthop scanning or other events.  Don't leave debugging on any longer
 than needed on production systems.  If you can replicate in a lab
 scenario, that would be ideal.  One thing that looks odd, is that you
 have 2 different update-source interfaces listed on RouterA's neighbor
 configuration for RouterB


 Paul A wrote:
  Hi, I'm having a bgp issue I can't figure out and hoping someone has run
  into this.

  I have two routers, router A and router B doing bgp.

  Router A is advertising 5 routes to router B. When the session 1st comes up,
  router B has 5 routes received from router A. After 1:15 min the learned
  routes on router B disappear.

  Router A

  Learns the routes from one of my bgp customers.

   neighbor 2xx.xx.xx.xx description xxx
   neighbor 2xx.xx.xx.xx update-source FastEthernet1/43
   neighbor 2xx.xx.xx.xx default-originate
   neighbor 2xx.xx.xx.xx prefix-list PxxPL-IN in
   neighbor 2xx.xx.xx.xx route-map PLIN in
   neighbor 2xx.xx.xx.xx filter-list 109 in
   neighbor 2xx.xx.xx.xx filter-list 2 out
   neighbor 2xx.xx.xx.xx remote-as xxx
   neighbor 2xx.xx.xx.xx update-source Loopback0
   neighbor 2xx.xx.xx.xx next-hop-self

  it advertises them to the configured neighbor on router A

   neighbor 216.xxx update-source Loopback0
   neighbor 216.xxx next-hop-self
   neighbor 216.xxx filter-list 1 in
   neighbor 216.xxx filter-list 1 out

  If I clear the bgp session or when the session 1st comes up on router B, I
  see the routes but then they disappear after 1:15 min.

  Thanks PA

 
 
 
  ___
  cisco-nsp mailing list  cisco-nsp@puck.nether.net
  https://puck.nether.net/mailman/listinfo/cisco-nsp
  archive at http://puck.nether.net/pipermail/cisco-nsp/
 



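Added example, not code from the thread or from Cisco: a small Python lint over IOS-style `router bgp` neighbor statements that flags the two things the replies above point at. It reports a peer with more than one `update-source` line (on IOS the later line replaces the earlier one, so only one is ever in effect) and an iBGP peer that lacks `next-hop-self` while the router also has eBGP peers, which leaves the eBGP next hop to be resolved by the IGP and, when the IGP cannot reach it, lets BGP's next-hop validation withdraw the routes after the fact, as mike describes. The sample config is constructed to mirror the poster's masked lines; the addresses and AS numbers are documentation-range placeholders, not the poster's real values.

```python
"""Lint IOS-style 'router bgp' neighbor statements (added example).

Findings reported:
  conflicting-update-source  - a peer has more than one update-source line;
                               on IOS the later line silently replaces the
                               earlier one
  ibgp-without-next-hop-self - an iBGP peer on a router that also has eBGP
                               peers does not rewrite the next hop, so the
                               eBGP next hop must be reachable via the IGP or
                               next-hop validation will drop the routes
  missing-remote-as          - a peer with no remote-as statement
"""
import re
from collections import defaultdict

# Constructed sample modelled on the thread's masked config.  Addresses and
# AS numbers are documentation-range placeholders, not the poster's values.
SAMPLE_CONFIG = """\
router bgp 65001
 neighbor 203.0.113.10 description CUSTOMER
 neighbor 203.0.113.10 remote-as 65002
 neighbor 203.0.113.10 update-source FastEthernet1/43
 neighbor 203.0.113.10 default-originate
 neighbor 203.0.113.10 prefix-list PxxPL-IN in
 neighbor 203.0.113.10 route-map PLIN in
 neighbor 203.0.113.10 filter-list 109 in
 neighbor 203.0.113.10 filter-list 2 out
 neighbor 203.0.113.10 update-source Loopback0
 neighbor 203.0.113.10 next-hop-self
 neighbor 192.0.2.2 remote-as 65001
 neighbor 192.0.2.2 update-source Loopback0
 neighbor 192.0.2.2 next-hop-self
 neighbor 192.0.2.2 filter-list 1 in
 neighbor 192.0.2.2 filter-list 1 out
 neighbor 192.0.2.3 remote-as 65001
 neighbor 192.0.2.3 update-source Loopback0
"""

ROUTER_BGP_RE = re.compile(r"^\s*router\s+bgp\s+(\d+)\s*$")
# peer address (or peer-group name), keyword, optional argument text
NEIGHBOR_RE = re.compile(r"^\s*neighbor\s+(\S+)\s+(\S+)(?:\s+(.*?))?\s*$")


def parse_bgp(config):
    """Return (local_as, {peer: [(keyword, argument), ...]}) in config order."""
    local_as = None
    neighbors = defaultdict(list)
    for line in config.splitlines():
        m = ROUTER_BGP_RE.match(line)
        if m:
            local_as = int(m.group(1))
            continue
        m = NEIGHBOR_RE.match(line)
        if m:
            peer, keyword, arg = m.groups()
            neighbors[peer].append((keyword, arg or ""))
    return local_as, dict(neighbors)


def lint_bgp(config):
    """Return a list of (finding, peer, detail) tuples, peers in config order."""
    local_as, neighbors = parse_bgp(config)
    findings = []
    remote_as = {}
    for peer, stmts in neighbors.items():
        values = [arg for kw, arg in stmts if kw == "remote-as"]
        remote_as[peer] = int(values[0]) if values else None
    # next-hop-self only matters once eBGP-learned routes exist to re-advertise
    has_ebgp = any(r is not None and r != local_as for r in remote_as.values())
    for peer, stmts in neighbors.items():
        sources = sorted({arg for kw, arg in stmts if kw == "update-source"})
        if len(sources) > 1:
            findings.append(("conflicting-update-source", peer, sources))
        if remote_as[peer] is None:
            findings.append(("missing-remote-as", peer, None))
        elif (remote_as[peer] == local_as and has_ebgp
              and not any(kw == "next-hop-self" for kw, _ in stmts)):
            findings.append(("ibgp-without-next-hop-self", peer, None))
    return findings


if __name__ == "__main__":
    for kind, peer, detail in lint_bgp(SAMPLE_CONFIG):
        print(f"{peer}: {kind}" + (f" {detail}" if detail else ""))
```

Run against the constructed sample it reports the customer peer's two update-source lines and the iBGP peer 192.0.2.3 that re-advertises without next-hop-self; 192.0.2.2, which has next-hop-self, is silent. The same lint works on a `show running-config | section router bgp` capture, since it only looks at `router bgp` and `neighbor` lines.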


[c-nsp] Ring Protocol

2009-02-03 Thread harbor235
I am looking to deploy an Ethernet Ring topology in a campus. The ring is to
connect multiple buildings via a high speed 10G backbone. Does Cisco offer any
products in this area? The ONS is too expensive, looking for something smaller
that is Ethernet based.


mike


Re: [c-nsp] Ring Protocol

2009-02-03 Thread harbor235
Thank you for all your replies; that was exactly what I was looking for.

mike

On Tue, Feb 3, 2009 at 7:37 PM, Rubens Kuhl rube...@gmail.com wrote:

 A little bird from C whispered the following to me:

 I'd take a look at the ME-4924-10GE device (REP supports ~50ms
 failover); as well as this, you have support for it on the larger devices
 like the 7600.

 4924 support for REP started in 12.2(44)SG -

 http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps4324/product_bulletin_c25_468227.html

 7600 has supported REP since 12.2(33)SRC -

 http://www.cisco.com/en/US/docs/ios/lanswitch/configuration/guide/lsw_cfg_rep.html
 

 I stand corrected.


 Rubens

 On Tue, Feb 3, 2009 at 10:06 PM, Rubens Kuhl rube...@gmail.com wrote:
  I don't think Cisco currently has a 10G Ethernet ring offer. It
  might come up when REP (Resilient Ethernet Protocol) gets implemented
  in the 6500 IOS. It was supposed to be on SXI, but that didn't happen.
  If 2G is enough, ME-3400G-12CS-x with 4 SFP uplinks might do Gigabit
  Etherchannel, perhaps?

  Outside of Cisco-land, Extreme, Foundry and Force 10 seem to have
  currently shipping solutions.
 
 
  Rubens
 
 
 
  On Tue, Feb 3, 2009 at 9:21 PM, harbor235 harbor...@gmail.com wrote:
  I am looking to deploy an Ethernet Ring topology in a campus. The ring is to
  connect multiple buildings via a high speed 10G backbone. Does Cisco offer any
  products in this area? The ONS is too expensive, looking for something smaller
  that is Ethernet based.
 
 
  mike
 
 
