howdy ho all,
thanx to those who sent through suggestions on how to get the IPSEC to
work
- the ideas were :- try mode transport
:- don't use wildcard for the secret
so i changed the hub and spoke as follows :-
crypto ipsec transform-set 3DES_MD5 esp-aes esp-md5-hmac
mode
[EMAIL PROTECTED] wrote:
FWIW I did manage to get this to match by telling it to match an
ASCII space instead ie .*selectx20.* however this is more of a hack
for my original request so I will still chase up with TAC.
i haven't looked at the ACE source code / firmware, but it may well be
Hi guys
Is it just me, or did the option to put an ACL for outbound traffic on an L3 port
of the Catalyst c3560 really disappear in Advanced IP Services 12.2.44.SE2
IOS?
I have the option for inbound packets, but no outbound anymore. Funny
thing is, that configuration left from old IOS is still there, and
Hi, all. I have a Cisco Catalyst 4507 Sup V. In the logs I constantly see the following
lines:
...
Aug 25 09:30:29: Created spanning tree port Gi7/21 (18977BF8) for tree VLAN0178
(18B8B968)
Aug 25 09:30:29: Enabling spanning tree port: GigabitEthernet7/21 (18977BF8)
Aug 25 09:30:29: RSTP(178): initializing
Hi All,
Has anyone tested securing VoIP with SSL VPN?
Regards,
Vikas Sharma
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Lala Lander [EMAIL PROTECTED] writes:
I am looking for information on Web Caches.
http://www.ircache.net/ and http://www.web-cache.com/ are good starting
points.
Bjørn
Hello,
We have several customers that are having problems every time a storm
goes through.
Our national telco company seems to offer no lightning protection on
their lines, and every storm causes a line outage and burns up the
attached wic.
We've made sure the chassis are grounded, but would
We use them and have never experienced problems as long as you keep in the tcam
space.
With too many routes/acls etc. they punt to cpu.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christian
MacNevin
Sent: Friday 15 August 2008 6.00
To:
COPP is done in hardware
ACL on VTY/SNMP is software as far as I remember
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Fitzwater
Sent: Wednesday 13 August 2008 22.17
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] 6500 snmp and vty acls ?
Does
Hi all,
I am trying to find the right IOS version to use on
7200s w/ NPE-400/NPE-G1 that both support UBR+ and
QoS (service policies) on a per-vc basis.
Today we use 12.2(16)B2 to terminate ATM PVCs (from xDSL
lines) on these routers, it works fine. But this (old) version
lacks QoS support.
Hi,
I have a kind of problem at the moment which I'll try to explain here.
Diagram:
sw1 with 4 * GE-- 4 * GE @ r1 @ 10GE-- 10GE @ r2 4 * GE-- 4 * GEsw2
sw1 + sw2 = 6509 with 6748 blades
r1 + r2 = 7604 with 6748 blades, and their interconnects are on 10GE xenpaks
on 6704 10GE blades
On sw1 +2
hi,
is there any exact/rough number of acl which doesn't impact the cpu?
or how can we check/make sure that the cpu will not be impacted if the
traffic is increasing?
Thanks.
./rendo
On Mon, Aug 25, 2008 at 7:51 PM, Brian Turnbow [EMAIL PROTECTED] wrote:
We use them and have never experienced
Maarten Moerman wrote:
Hi,
I have a kind of problem at the moment which I'll try to explain here.
Diagram:
sw1 with 4 * GE-- 4 * GE @ r1 @ 10GE-- 10GE @ r2 4 * GE-- 4 * GEsw2
sw1 + sw2 = 6509 with 6748 blades
r1 + r2 = 7604 with 6748 blades, and their interconnects are on 10GE
Maarten Moerman wrote on Monday, August 25, 2008 3:54 PM:
Hi,
I have a kind of problem at the moment which I'll try to explain here.
Diagram:
sw1 with 4 * GE-- 4 * GE @ r1 @ 10GE-- 10GE @ r2 4 * GE-- 4 *
GEsw2
sw1 + sw2 = 6509 with 6748 blades
r1 + r2 = 7604 with 6748 blades,
On 8/25/08 4:07 PM, Oliver Boehmer (oboehmer) [EMAIL PROTECTED] wrote:
I've never done xconnect on a port-channel, but you could remove the
channel on r1 and r2 and just configure regular EoMPLS PWs between
each of the four GigE links. Channeling is then only performed on sw1
and sw2.. I
On 8/25/08 4:05 PM, Antal Gergely [EMAIL PROTECTED] wrote:
definitely
sh etherchannel load-balance
and set ipv4 with : port-channel load-balance src-dst-mixed-ip-port
all the 4 boxes should support src-dst-mixed-ip-port
Those commands do not work on the 6509's, but only on the 7604's
The SDM template documentation has guidelines.
http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/swsdm.html
-Original Message-
From: [EMAIL PROTECTED] [mailto:cisco-nsp-
[EMAIL PROTECTED] On Behalf Of rendo
Sent: Monday,
* rendo:
is there any exact/rough number of acl which doesn't impact the cpu?
or how can we check/make sure that the cpu will not be impacted if the
traffic is increasing?
According to the docs, if you run it in the router profile, the ACL
TCAM has 1,000 entries. There should be a (hidden)
In order to use qos on atm pvc you need to use abr/vbr/cbr
UBR and + are for best effort services offering no bandwidth guarantee so you
cannot utilize the service policy
That said we mainly use 12.2(31)SB11
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Just some thoughts:
I believe the acls are hardware based with the pfc3 (I don't believe that
the software version makes this difference), but I do believe they are hardware
based unless you add things like logging.
This may help you with the pfc3
On Mon, Aug 25, 2008 at 04:07:48PM +0200, Oliver Boehmer (oboehmer) wrote:
Maarten Moerman wrote on Monday, August 25, 2008 3:54 PM:
Hi,
I have a kind of problem at the moment which I'll try to explain here.
Diagram:
sw1 with 4 * GE-- 4 * GE @ r1 @ 10GE-- 10GE @ r2 4 * GE-- 4
Maybe try to put in an ACL or could use netflow for this as well...
ip access-list extend check_packets_in
permit esp any any
permit udp any eq isakmp any eq isakmp
permit ip any any
interface dialer 1
ip access-group check_packets_in in
To see if ESP is coming in to your spoke router.
-Luan
Brian Turnbow wrote:
Hello,
We have several customers that are having problems every time a storm
goes through.
Our national telco company seems to offer no lightning protection on
their lines, and every storm causes a line outage and burns up the
attached wic.
We've made sure the chassis
-- Forwarded message --
From: Hash Aminu [EMAIL PROTECTED]
Date: Sat, Aug 16, 2008 at 11:09 AM
Subject: Limiting Broadcast and Multicast
To: cisco-nsp@puck.nether.net
Hi guys
My network has a huge L2 broadcast coming from the clients connected
(through DSLAMs)the
Thanks for the response.
They are external csus but they are telco property and they don't want us to
touch them.
We have asked several times that they install protection coming into the
building but no go...
They install a remote powered integrated shdsl modem/csu in an all plastic
housing
A little correction on my answer, VTP does not use the Native VLAN :-)
Here is what I found regarding the use of VTP and VLAN1:
The Case of VLAN 1
You cannot apply VTP pruning to VLANs that need to exist everywhere and that
need to be allowed on all switches in the campus, in order to be able to
Can you identify what the broadcasts are? Might be better to filter out
the crap that isn't needed via ACL than apply a storm control that'll
affect lots of things - DHCP, ARP, etc.
Chuck
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hash Aminu
rendo wrote:
hi,
is there any exact/rough number of acl which doesn't impact the cpu?
or how can we check/make sure that the cpu will not be impacted if the
traffic is increasing?
Try: show platform tcam utilization
~Seth
Hi,
I'm a colleague of Maarten also looking into this problem.
Egress traffic from the router to the switch is going through one
interface of the port-channel on both sides.
Egress traffic from the switch to the router is load-balanced fine.
I think the problem we have is because of the
I've come across something odd. I think that this is just a simple
oversight on my part, hopefully another set of eyes will catch this for me.
I've got a 2621 running 12.2(46a) that I'm using to terminate a few VPN
tunnels. Right now, I have three point to point tunnels up, and working
I'm doing a similar config with IOS:
12.4(15)T6
I wonder if you need the T code train for this:
Router(config)#crypto isakmp client configuration ?
address-pool Set network address for client
browser-proxy Set browser proxy attributes for client
group Set group profile
Yes, I think that should work, but I only have a 2621 router and it
looks like those options are not available on that router/ios. Do you
have any other ideas?
Dan.
On Sun, Aug 24, 2008 at 12:12 AM, Arie Vayner (avayner)
[EMAIL PROTECTED] wrote:
Dan,
Take a look at Enhanced Object Tracking:
Hello Tom:
Here is a configuration snippet from 12.1 which *should* work, provided you
have the right train, etc. etc.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800ef7ba.shtml
Regards,
Mike
-Original Message-
From: [EMAIL PROTECTED]
On Mon, 2008-08-25 at 12:36 -0500, Dan Letkeman wrote:
On Sun, Aug 24, 2008 at 12:12 AM, [EMAIL PROTECTED] wrote:
Take a look at Enhanced Object Tracking:
http://www.cisco.com/en/US/docs/ios/ipapp/configuration/guide/ipapp_eot.html
Yes, I think that should work, but I only have a 2621
Hi,
I suggest you take a look at our clustered UltraBand cache,
http://www.peerapp.com/
UltraBand cache is a combined HTTP/P2P cache for service providers,
supporting progressive download Flash video (e.g. YouTube) and software
downloads over HTTP, among other things, as well as URL filtering
Hi Michel,
You may have been right the first time there. I think VTP does indeed
use the native vlan, not necessarily vlan 1. DTP is also sent on the
native vlan, untagged and tagged in its case.
Paul.
Michel Grossenbacher wrote:
A little correction on my answer, VTP does not use the Native
Paul, indeed DTP is sent over the native VLAN, but VTP is pretty sure still
over VLAN 1. I did a trace and mixed VTP with DTP, hence I said it's using
the native VLAN. But after I did some more traces the VTP packets did not
show any VLAN information anymore (actually they never did I only hit the
Hi all,
I'm having a problem with my SP (running MPLS/BGP) where the time to
converge networks is so high (10 minutes) and they say that they are
working and it will be fixed in 3 months approx.
I want anything to do convergence faster for me.
I read about IP SLA, but do not find doc related IP SLA x dynamic
Sounds like you actually want to run a tunnel across each SP and use an IGP
through the tunnels to decide which one is up/working etc
Dean
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Everton Diniz
Sent: 25 August 2008 21:13
To: cisco-nsp
Subject:
On Mon, 2008-08-25 at 16:11 -0500, Dan Letkeman wrote:
It's a 2621 with (C2600-IO3-M), Version 12.3(26).
Do you have an example config to track a router connected to the 2621?
I would like to track and remove routes to the four adsl
modem/router/nat boxes that I have connected to the 2621.
Apologies but both my emails yesterday were via a webmail client that kept
deleting special characters, including \'s
I did get this to work by \'ing a rather than \'ing %
So the string that worked for me was: .*select\ .* to achieve filtering of
select%20 in a url.
On a side note I still had
I honestly haven't spent enough time with it yet to know all the details
but maybe check PfR (aka: OER) to see if can help you out.
Rodney
On Mon, Aug 25, 2008 at 09:53:41PM +0100, Dean Smith wrote:
Sounds like you actually want to run a tunnel across each SP and use an IGP
through the tunnels
Hi guys,
I've got an unused PIX 515e lying around here. Just wondering if there
is any way to configure ip address on the subinterfaces (like ASA style)?
Reason being, is if i can't configure ip address on each subinterfaces,
then i will need to get a router to do routing...
Nimal
You can upgrade the 515e, assuming you have the flash/memory to do so,
to the latest 7, and 8 pix trains.
The number of vlans/subinterfaces really depends on your license. The
restrictions do transmit up through the upgrade process.
--Pete
On Mon, Aug 25, 2008 at 11:18 PM, Nimal David
I've got an unused PIX 515e lying around here. Just wondering if
there is any way to configure ip address on the subinterfaces
(like ASA style)?
You can't configure subinterfaces like on the ASA but you can do VLAN trunks
which achieves the same thing.
Ref: http://tinyurl.com/5mtnt2
B.
Howdy ho,
Maybe try to put in an ACL or could use netflow for this as well...
ip access-list extend check_packets_in
permit esp any any
permit udp any eq isakmp any eq isakmp
permit ip any any
interface dialer 1
ip access-group check_packets_in in
To see if ESP is coming in to your spoke router.