Tony,
I agree that I chose the wrong wording here. It should have read, the ACL
you're concerned with is inbound on the outside interface. Otherwise, the
configlet is fine.
I find the netmask option to be irrelevant, unless you're falling on obvious
bit boundaries within the same class or
2009/7/22 Ivan Pepelnjak i...@ioshints.info:
You're probably looking for the ip ospf database-filter all out command.
And how the summary LSA with 0/0 would get to the spoke router if that
is filtered out?
(assuming nssa scenario in OP's hub n'spoke topology)
Best Regards,
-mat
Hey Ryan,
That seems to be working, thanks. So if I want to allow more ports we do
it the same way right?
access-list myaccesslist ext permit tcp any host 58.66.76.88 eq SIP
access-list myaccesslist ext permit udp any host 58.66.76.88 eq SIP
Thanks,
Kiran
-Original Message-
From: Ryan
Kiran,
That's right. If you run into issues trying to pass SIP through your firewall,
you may need to look at the default service policy. There are some protocol
inspection rules enabled by default that might affect the passing of SIP
traffic.
-ryan
-Original Message-
From:
I think both of you have a point here, no need to fight...
I also tend to adopt habits that make me type less, but not before I make sure
to get the desired result and not some awkward cisco bad interpretation to what
I mean...
I prefer to not use the proper way to save configurations
copy
Chris,
Quick walk through... The Secondary RP ToFab FIA reports that it is
having difficulty accessing the fabric and thus IPC fails (since it
travels via the fabric), secondary is unable to therefore initiate and
respond to active-secondary keepalives, Active RP unsuccessfully
attempts
Hi Ryan,
I have the below config in the protocol inspection rules, do you think
this is enough?
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class
Kiran,
That looks like the default. You had mentioned SIP in your ACL, so that's why
I brought this up. If you're doing PAT-based SIP, you may have to disable the
SIP inspection, depending on who your SIP provider is.
Otherwise, you should be good to go.
-ryan
-Original Message-
Hi,
I have a set of access switches (3750s), which are purely in a layer 2 setup,
i.e. connect uplink to core 6509s, which are setup as root and backup
spanning-tree roots.
I need to connect another set of switches to the above 3750s in a migration,
but would like to be able to test
I need more information than just if the peer went up or down ... we're
doing conditional BGP advertisements and I need to track the timing of the
advertisements related to the drop of the peer ... thanks for the suggestion
though!
- Original Message -
From: Michael Costello
Will give it a try, Shimol. Thanks!
- Original Message -
From: Shimol Shah ( Cisco ) shims...@cisco.com
To: Adam Greene maill...@webjogger.net
Cc: cisco-nsp@puck.nether.net
Sent: Monday, July 20, 2009 5:50 PM
Subject: Re: [c-nsp] persistent debug
Not tried it myself but below has
What do I need to set up an SMS server?
For example, in case of any event (a critical one obtained through the log) I want an SMS
to be sent from a server to a certain list of mobile numbers.
Thanks
On 22/07/2009 14:59, Mohammad Khalil wrote:
What do I need to set up an SMS server?
For example, in case of any event (a critical one obtained through the log) I want an SMS
to be sent from a server to a certain list of mobile numbers.
You need an SMS capable terminal and some software to drive it from your
I'm not sure filtering 'out' would work. Three routers all have one interface,
each connecting to the ABR (which has four interfaces, three to the routers in
area 1 and one in area 0.) If I'm filtering out, the ABR wouldn't know which
routes are on each of the three routers. Right? The
I still use the old command sometimes...hehe.
The mask is important in the PIX/ASA as I've demonstrated, especially for
a person that is new to the area.
Another great example is you put a host mask on a 1 to 1 static but you use
the block mask for a global pool. I've seen tons of people
Your inability to see any value is...again...your opinion. In fact, it's
sort of ironic.
Best practices should be taught correctly especially to people with little
or no experience (the original poster, not Ryan). Once they understand how
Cisco implements features and the gotchas, then they
Has anyone out there experienced any 7206 crashes when they have a
bouncing DS1 on a PA-MC-2T3-EC? We've had 2 crashes in about 3 weeks
time. They've both generated crashinfo files. The first auto-rebooted
itself. Yesterday's did not.
System returned to ROM by error - a SegV exception, PC
On Tue, Jul 21, 2009 at 1:54 PM, Ruben Alvarez r...@opusnet.com wrote:
Now the ABR has all the N2 routes for the three routers. But so
do all three routers, which isn't needed. They only have one interface and
a default route. Is there a way I can ignore all routes in the area except
the
Justin,
Just curious, was the DS1 participating in a routing protocol, and if so did
you have IP event dampening and/or BGP dampening configured?
Cheers,
Brad Hedlund
bhedl...@cisco.com
http://www.internetworkexpert.org
On 7/22/09 11:16 AM, Justin Shore jus...@justinshore.com wrote:
Has
On Wed, 22 Jul 2009, Laurent Geyer wrote:
If you're set on keeping the routers in a NSSA you could simply
disable redistribution into the NSSA area by adding
'no-redistribution' to the area config.
This will effectively keep type 5 LSAs from being advertised into the NSSA.
Realistically it
I know this has been covered, at least in part on this list before, and I
have read those posts. However, I'm still trying to wrap my head around
what is happening internally (or rather on the wire) in the various
scenarios.
Scenario #1
===
10 gig interface (ES20 CXL based) - default
Hi,
On Wed, Jul 22, 2009 at 02:16:29PM -0400, Brandon Applegate wrote:
Scenario 3 really gets me though. Why doesn't it complain and tell me icmp
frag to 9212 or something ? Isn't the frame 9220 when it's all said and
done ? Is the router fragmenting this in software at the 'mpls level' and
Greetings. I have an unusual (perhaps) FWSM application that is not
quite working out as expected, and after several variations from
different angles, still not producing quite the desired result.
I have a 6509 doing VRFs for different campus communities, and since
many of our services /
On Wed, 22 Jul 2009, Gert Doering wrote:
Hi,
On Wed, Jul 22, 2009 at 02:16:29PM -0400, Brandon Applegate wrote:
Scenario 3 really gets me though. Why doesn't it complain and tell me icmp
frag to 9212 or something ? Isn't the frame 9220 when it's all said and
done ? Is the router fragmenting
Hi,
On Wed, Jul 22, 2009 at 02:37:16PM -0400, Brandon Applegate wrote:
I'd bet that the linux box is not sending full-sized 9220 packets, but
fragmenting inside.
[..]
Yes I have my MTU cranked up in linux and am doing all of this
intentionally as a test. Unless tcpdump is lying to me, these
The MLPPP interface was part of a VRF, had an IP and had uRPF
configured. Other than that no L3 IGPs. I do use BGP dampening but I'm
distributing this route into iBGP. MP-BGP to carry the MPLS/VPN vpnv4
routes but not using BGP for ip4 address-family routes. I should also
mention that
Have you tried policy static NATs? Aka if source and destination match ACL
perform static for specified interfaces.
tv
- Original Message -
From: Jeff Kell jeff-k...@utc.edu
To: cisco-nsp cisco-nsp@puck.nether.net
Sent: Wednesday, July 22, 2009 1:31 PM
Subject: [c-nsp] FWSM access
Are the stack members hot swappable ?
Or is it power-cycle time when changing the stack cable configurations?
[Wanting to add a new member...]
Jeff
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
Yes the routers in area 1 are set to redistribute connected and static.
They do DSL aggregation and if you can imagine I need some flexibility with
those addresses (approx /20.) I'll move IP pools and /30 -/29 networks from
router to router as customers come and go.
I like how it's setup now
On Wed, 22 Jul 2009, Brandon Applegate wrote:
I know this has been covered, at least in part on this list before, and I
have read those posts. However, I'm still trying to wrap my head around what
is happening internally (or rather on the wire) in the various scenarios.
Scenario #3
You can add a new member with little to worry about. A new, unconfigured
switch should join the stack automatically.
-ryan
-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jeff Kell
Sent: Wednesday, July 22, 2009 4:14
Technically I think they are - however, if your existing stack is in production
I would prefer to do the following:
1) Manually update the IOS of the new switch to match the IOS of the existing
members (got hung up here once because the flash didn't have room to hold both
the existing IOS
Thanks. That sounds like what I want, but it says:
Configure this command on NSSA ABRs only. After you define the NSSA totally
stub area, Area 1 has these characteristics in addition to the NSSA
characteristics:
-No type 3 or 4 summary LSAs are allowed in Area 1. This means no
Yes they are. The biggy to watch out for is when you remove a member. Make
sure the member you want to remove is powered off before removing the stack
cables.
A minor item is to make sure when removing the stack cables to insert the
new switch, make sure you don't isolate one of the in-use
Any suggestions on this?
I'm trying to rate-limit a vlan at X mbit (4 in this case) and seeing
rate-limiting working downstream to the customer but not when traffic is
originating from the customer.
Customer access is via a dot1q trunk (with a switch at the cust. site
handing off untagged
On Wed, Jul 22, 2009 at 4:13 PM, Ruben Alvarez r...@opusnet.com wrote:
A stub area is an area which does not receive external route
advertisements. It may be configured to reduce many route advertisements
into an area when the routing table consists of mostly external routes.
Instead of the
We use Mediawiki. It's easy to customize if you don't like the left
frame. I like the easy editing of wikis, searching, history management,
web based access, etc... With the prevalence of wikipedia and lots of
software projects adopting wikis for documentation, most technical
people should not
Dear Friends ,
I thank you for the suggestions for NMS tools. Based on the suggestions, I would
PoC some of them before implementing in the real network, to see the features.
Regards,
== suryantofang ==
http://suryantofang.wordpress.com
--- On Sat, 18/7/09, Pavel Skovajsa
Try this, it's been working for us (after much head bashing)
==
mls qos
class-map match-any customer-networks
match access-group name customer-policer_inbound
match access-group name customer-policer_outbound
policy-map customer-policer
class
Brandon Applegate wrote:
I think I figured (part of) this out. Packets to the router != packets
through the router. Trying to ping something on the far side with
packet size of 9188/9216 gets me the expected icmp frag @ 9212. I still
think I'm going to proclaim that jumbo == 9000 to make it
On Thursday 23 July 2009 04:13:51 am Brandon Applegate
wrote:
I still think I'm
going to proclaim that jumbo == 9000 to make it easier
for server / storage guys to remember anyway :)
We've standardized on 9,000 bytes on all our switches and
routers, especially so because we are both a C J
On Wednesday 22 July 2009 03:36:28 am jack b wrote:
We are looking
to break the collapsed core into a separate core and
distribution layer leaving the 6509's in the distribution
layer and getting a new platform for the core where we
would move our transit providers.
So your new platform