[c-nsp] Sampled netflow compliance issues

2012-02-09 Thread Phil Mayers
On 02/08/2012 11:38 PM, Dobbins, Roland wrote: scale. This is why CRS-1/3, ASR9K, GSR/12K, et. al. only support sampled NetFlow (which is quite statistically accurate). A related question, more from curiosity than anything: When providers use sampled netflow, how do they typically deal with

Re: [c-nsp] Nexus 5596 architecture

2012-02-09 Thread Jiri Prochazka
John, we are considering these Nexus switches as a core for a small (for now) exchange point, so there will definitely be multiple ports talking to one and vice versa. Let's say the switch would be utilized up to 90% (45 ports in the case of the 5548, 90 in the case of the 5596), half of the active ports

Re: [c-nsp] Sampled netflow compliance issues

2012-02-09 Thread Gert Doering
Hi, On Thu, Feb 09, 2012 at 09:44:38AM +0000, Phil Mayers wrote: On 02/08/2012 11:38 PM, Dobbins, Roland wrote: scale. This is why CRS-1/3, ASR9K, GSR/12K, et. al. only support sampled NetFlow (which is quite statistically accurate). A related question, more from curiosity than anything:

Re: [c-nsp] Sampled netflow compliance issues

2012-02-09 Thread Phil Mayers
On 02/09/2012 10:00 AM, Gert Doering wrote: Do you know for certain that IP x emitted packets Y? Well, we have an X% confidence bound that... Then I'll see you in court. Well, it would be sort of silly to deny that the miscreant did something if the ISP even saw it *with sampling*. It's not

Re: [c-nsp] Sampled netflow compliance issues

2012-02-09 Thread Paolo Lucente
Hi, On Thu, Feb 09, 2012 at 10:17:54AM +0000, Phil Mayers wrote: On 02/09/2012 10:00 AM, Gert Doering wrote: Billing using sampled netflow is more where I see problems arising, because you know your numbers will not be accurate, but you don't know how big the error is, and in which direction

[c-nsp] Both side Loadbalancing in ace4710

2012-02-09 Thread Daljit Singh
Hi, I am doing load balancing of two servers on my ACE 4710, which is working fine. Now I have a requirement to do both-side (IN/OUT) load balancing. The requirement is that the user from the Internet will hit the VIP to get the services from the two real servers; now these two servers

[c-nsp] ME-3600X - CoPP

2012-02-09 Thread Андрей Андреев
Hello, is there any possibility to use the CoPP feature on the ME-3600X with 15.1? Or does the platform not support CoPP? If it does, please send me a documentation link. Thank you.

Re: [c-nsp] Sampled netflow compliance issues

2012-02-09 Thread Giles Coochey
On 2012-02-09 10:17, Phil Mayers wrote: On 02/09/2012 10:00 AM, Gert Doering wrote: Do you know for certain that IP x emitted packets Y? Well, we have an X% confidence bound that... Then I'll see you in court. Well, it would be sort of silly to deny that the miscreant did something if the

Re: [c-nsp] Sampled netflow compliance issues

2012-02-09 Thread Dobbins, Roland
On Feb 9, 2012, at 4:44 PM, Phil Mayers wrote: When providers use sampled netflow, how do they typically deal with issues where a miscreant simply denies they did it on the basis that sampling was in use? ISPs don't typically deal with miscreants, per se, except in terms of blocking DDoS

Re: [c-nsp] Sampled netflow compliance issues

2012-02-09 Thread Dobbins, Roland
On Feb 9, 2012, at 5:17 PM, Phil Mayers wrote: At (say) 512:1 sampling, they can simply deny they downloaded a 5Gb file, and claim it was a 10Mb file. In actuality, NetFlow isn't typically utilized for this type of layer-7 nitpicking, as it's a layer-4 technology (not counting FNF and/or
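
The 512:1 / "5 GB claimed as 10 MB" scenario from the thread, and the confidence bound Phil Mayers mentions, worked through as an added example. This is not code from any poster or from Cisco. It assumes random (probabilistic) 1:N packet sampling, a 1500-byte mean packet size for a bulk transfer, and the sampled counts below are constructed for the example.

```python
"""Sanity-checking a flow size under 1:N sampled NetFlow.

Added example for this thread, not code from any poster or from Cisco.
Assumes random (probabilistic) 1:N packet sampling: each packet is
exported independently with probability 1/N. Deterministic every-Nth
sampling has the same mean but not the same variance on periodic traffic,
so these bounds do not apply to it unchanged. Byte totals are scaled the
same way as packet counts, which is accurate only when packet sizes within
the flow are fairly uniform (as in a bulk download).
"""
import math

Z = {0.90: 1.645, 0.95: 1.960, 0.99: 2.576}   # two-sided normal quantiles


def estimate_flow(sampled_packets, sampled_bytes, rate, confidence=0.95):
    """Scale sampled counts up to an estimate of the true flow, with a
    normal-approximation confidence interval on the packet count.

    k ~ Binomial(n, p) with p = 1/rate, so n_hat = k/p and
    Var(n_hat) = n (1-p)/p; plugging n_hat in for n gives the SE.
    """
    if sampled_packets == 0:
        raise ValueError("no sampled packets: cannot estimate, only bound")
    p = 1.0 / rate
    z = Z[confidence]
    n_hat = sampled_packets * rate
    se = math.sqrt(n_hat * (1 - p) / p)
    rel = z * se / n_hat          # == z * sqrt((1-p)/k): shrinks as samples grow
    return {
        "packets": n_hat,
        "packets_low": n_hat - z * se,
        "packets_high": n_hat + z * se,
        "bytes": sampled_bytes * rate,
        "bytes_low": sampled_bytes * rate * (1 - rel),
        "bytes_high": sampled_bytes * rate * (1 + rel),
        "relative_error": rel,
    }


def claim_z_score(sampled_packets, rate, claimed_packets):
    """Standard deviations between the observed sample count and what a
    flow of claimed_packets would have been expected to produce."""
    p = 1.0 / rate
    expected = claimed_packets * p
    sd = math.sqrt(expected * (1 - p))
    return (sampled_packets - expected) / sd


def claim_is_plausible(sampled_packets, rate, claimed_bytes,
                       mean_packet_size=1500, confidence=0.95):
    """True if the sampled count is consistent with the claimed transfer size
    (assumed mean packet size converts the claim into packets)."""
    claimed_packets = claimed_bytes / mean_packet_size
    return abs(claim_z_score(sampled_packets, rate, claimed_packets)) <= Z[confidence]


if __name__ == "__main__":
    # Constructed scenario: 512:1 sampling, the exporter saw 6600 packets
    # (6600 * 1500 B = 9.9 MB of sampled bytes) belonging to one flow.
    RATE, K, KB = 512, 6600, 6600 * 1500
    est = estimate_flow(K, KB, RATE)
    print(f"estimated {est['bytes'] / 1e9:.2f} GB, +/- {est['relative_error'] * 100:.1f}%")
    for claim in (5e9, 10e6):
        print(f"claim of {claim / 1e6:.0f} MB plausible: {claim_is_plausible(K, RATE, claim)}")
```

With 6600 sampled packets the 95% bound is about 2.4% either side of 5.07 GB, and a claimed 10 MB transfer would have produced about 13 sampled packets, not 6600, which is why the "it was only 10 MB" defence does not survive the arithmetic. The bound widens quickly for small flows: a flow that produced only a handful of samples really does have a large and unknowable-in-direction error, which is the billing concern raised above.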

Re: [c-nsp] Nexus 5596 architecture

2012-02-09 Thread John Gill
Hi Jiri, These total numbers are not a problem, all ports are equal and all traffic goes to the fabric on every port. You will only see drops in this scenario if you have bursts of traffic going from many to one port for a period of time larger than the buffers will allow. Remember, the

[c-nsp] Filtering traffic to destinations based off of DNS addresses on an ASA?

2012-02-09 Thread Matthew Park
Hello all, Does anyone know of a good way to make a filter (access-list or whatever) on a Cisco ASA 5510 using a DNS address as the destination rather than a set of IP addresses? For example, block any internal hosts from browsing to www.microsoft.com even though they have several webservers

Re: [c-nsp] ASR9K P router

2012-02-09 Thread Mark Tinka
On Wednesday, February 08, 2012 08:51:53 PM Ghassan Khalil wrote: is there any concern that should be highlighted based on this? If there are any good references for this type of design, please let me know. We use ASR9010's as P routers in some PoPs and as P/PE routers in others. Solid

Re: [c-nsp] Filtering traffic to destinations based off of DNSaddresses on an ASA?

2012-02-09 Thread Matthew Park
Steve, will this just block URLs or can it block all traffic to a domain? The latter is what I'm looking for. Say, block ALL traffic (make a domain dead to me) to google.com (no ping, nothing to mail.google.com, maps.google.com, etc.). Thanks for the quick reply! --Matthew Park -Original

Re: [c-nsp] Filtering traffic to destinations based off of DNSaddresses on an ASA?

2012-02-09 Thread Matthew Huff
Go into your recursive DNS server. Add a blank authoritative forward zone for google.com. Boom, it's dead to you. Matthew Huff, Director of Operations, OTA Management LLC | 1 Manhattanville Rd, Purchase, NY 10577 | Phone: 914-460-4039 | aim: matthewbhuff | Fax:

Re: [c-nsp] Filtering traffic to destinations based off ofDNSaddresses on an ASA?

2012-02-09 Thread Steve McCrory
It depends on how you structure your regex, but the format we used seemed pretty effective at blocking all traffic destined for those domains. -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Matthew Park Sent: 09 February

Re: [c-nsp] Filtering traffic to destinations based off of DNSaddresses on an ASA?

2012-02-09 Thread Joseph Karpenko
Quick and simple configuration using the DNS engine and MPF on the firewall. However, I also prefer and recommend Matthew Huff's suggestion about configuring your recursive/caching resolver to be authoritative for the domain-label you're looking to filter and setting the records to 127.0.0.1.

Re: [c-nsp] Filtering traffic to destinations based off of DNSaddresses on an ASA?

2012-02-09 Thread Matthew Park
I would use the caching resolver idea, but management also wants to have the activity logged and have e-mail based alerting. I figured that I could handle that on the ASA through SNMP traps. --Matthew Park -Original Message- From: Joseph Karpenko [mailto:karpe...@cisco.com] Sent: Thursday,

Re: [c-nsp] ME-3600X - CoPP

2012-02-09 Thread Waris Sagheer (waris)
CoPP will be supported in 15.2(2)S, Q2CY12. -Waris -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Андрей Андреев Sent: Thursday, February 09, 2012 1:55 AM To: cisco-nsp@puck.nether.net Subject: [c-nsp] ME-3600X - CoPP

[c-nsp] ASA/mail

2012-02-09 Thread Ghassan.khalil
I have an IMAP server behind an ASA firewall. When I telnet from a server on the inside network to the private IP of the IMAP server I get the correct response with the mail server text message. But when I do the same from a public IP to the public IP of the same server, I get a different response as the

Re: [c-nsp] Filtering traffic to destinations based off ofDNSaddresses on an ASA?

2012-02-09 Thread Nick Hilliard
On 09/02/2012 18:26, Steve McCrory wrote: It depends on how you structure your regex but the format we used seemed pretty effective at blocking all traffic destined for those domains It will certainly block http, but what about https? The popular sites mentioned (e.g. *.google.com,
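
The resolver-side approach from Matthew Huff's and Joseph Karpenko's replies, plus the logging and e-mail alerting Matthew Park asked for, as an added example. This is not code from any poster, from Cisco or from ISC. It assumes a BIND 9 resolver whose query log lines take the form `client 10.1.2.3#51234: query: mail.google.com IN A + (10.0.0.1)` and whose wildcard record returns the sinkhole address for every name under the zone; the zone names, client addresses and log lines are constructed.

```python
"""Resolver-side sinkhole for a domain and its subdomains, with alerting
from the resolver's query log.

Added example for this thread; not code from any poster, from Cisco or
from ISC. Assumes BIND 9 query-log lines of the form
  client 10.1.2.3#51234: query: mail.google.com IN A + (10.0.0.1)
and a wildcard A record so every name under the zone resolves to the
sinkhole address (Joseph Karpenko's 127.0.0.1 variant of the blank zone).
Zone names, addresses and log lines below are constructed for the example.
"""
import re
from collections import Counter

BLOCKED_ZONES = {"google.com", "microsoft.com"}   # the zones named in the thread
SINK_ADDR = "127.0.0.1"

QUERY_LOG = re.compile(
    r"client (?P<client>[\d.:a-fA-F]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalise(name):
    """Lower-case and strip the trailing dot: DNS names compare case-insensitively."""
    return name.strip().rstrip(".").lower()


def sinkhole_zone_for(qname, zones=BLOCKED_ZONES):
    """Return the blocked zone that covers qname, or None.

    Matching is on label boundaries: 'mail.google.com' is under
    'google.com', but 'notgoogle.com' and 'google.com.evil.net' are not,
    which a substring match or a loose regex gets wrong.
    """
    labels = normalise(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def zone_file(zone, sink=SINK_ADDR, serial=2012020901):
    """Minimal authoritative zone answering every name with the sinkhole
    address. Loaded with: zone "google.com" { type master; file "..."; };
    (the file name is up to you; hostmaster/NS names are placeholders)."""
    return "\n".join([
        "$TTL 300",
        f"$ORIGIN {zone}.",
        f"@ IN SOA sinkhole.localhost. hostmaster.localhost. ({serial} 3600 900 604800 300)",
        "@ IN NS sinkhole.localhost.",
        f"@ IN A {sink}",
        f"* IN A {sink}",
        "",
    ])


def alerts_from_log(lines, zones=BLOCKED_ZONES):
    """Yield (client, qname, zone) for each logged query under a blocked zone."""
    for line in lines:
        m = QUERY_LOG.search(line)
        if not m:
            continue
        zone = sinkhole_zone_for(m["qname"], zones)
        if zone:
            yield m["client"], normalise(m["qname"]), zone


def summarise(alerts):
    """Hits per (client, zone): the body of the e-mail alert the thread asks for."""
    return Counter((client, zone) for client, _, zone in alerts)


SAMPLE_LOG = [  # constructed BIND 9 query-log lines
    "09-Feb-2012 10:17:54.101 client 10.1.2.3#51234: query: mail.google.com IN A + (10.0.0.1)",
    "09-Feb-2012 10:17:54.233 client 10.1.2.3#51235: query: notgoogle.com IN A + (10.0.0.1)",
    "09-Feb-2012 10:17:55.017 client 10.1.2.9#40012: query: google.com.evil.net IN A + (10.0.0.1)",
    "09-Feb-2012 10:17:56.500 client 10.1.2.9#40013: query: WWW.Microsoft.COM. IN AAAA + (10.0.0.1)",
    "09-Feb-2012 10:17:57.002 client 10.1.2.3#51236: query: google.com IN MX + (10.0.0.1)",
]

if __name__ == "__main__":
    for (client, zone), n in summarise(alerts_from_log(SAMPLE_LOG)).items():
        print(f"ALERT {client} queried {n} name(s) under sinkholed zone {zone}")
    print(zone_file("google.com"))
```

Because the decision is made at name resolution, it covers HTTPS, ping and mail alike, which the HTTP-inspection regex does not. The caveat is coverage: a host configured with an outside resolver, or connecting by IP, never asks your server, so pair the sinkhole with an ASA rule that only lets the resolvers themselves send DNS out, and keep the ASA as the place where the by-IP stragglers are logged.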

Re: [c-nsp] ASA/mail

2012-02-09 Thread Justin M. Streiner
On Thu, 9 Feb 2012, Ghassan.khalil wrote: I have an IMAP server behind an ASA firewall. When I telnet from a server on the inside network to the private IP of the IMAP server I get the correct response with the mail server text message. But when I do the same from a public IP to the public IP of the

Re: [c-nsp] ME-3600X - CoPP

2012-02-09 Thread Nick Hilliard
On 09/02/2012 19:15, Waris Sagheer (waris) wrote: CoPP will be supported in 15.2(2)S, Q2CY12. Will the CoPP policer operate on the data plane, or on the control plane CPU? Nick

Re: [c-nsp] ASA/mail

2012-02-09 Thread Howard Leadmon
It may be the result of the SMTP/ESMTP inspection on the ASA; I'd probably try removing that and seeing what response you get. I would also look at DNS resolution of your mail server, as at least with Sendmail, if DNS (forward/reverse) gets wonky, it can really slow things down. --- Howard

Re: [c-nsp] ASA/mail

2012-02-09 Thread Larry Smith
On Thu February 9 2012 13:59, Ghassan.khalil wrote: I have an IMAP server behind an ASA firewall. When I telnet from a server on the inside network to the private IP of the IMAP server I get the correct response with the mail server text message. But when I do the same from a public IP to the public

[c-nsp] Mutual redistribution into and out of the MP-BGP superbackbone

2012-02-09 Thread Jason Lixfeld
If I redistribute OSPF routes into the MP-BGP/superbackbone from within a particular VRF, those OSPF routes, which are now BGP routes, get announced to any BGP speakers inside the same VRF. Conversely, if I redistribute BGP routes from the MP-BGP/superbackbone into OSPF within a particular

Re: [c-nsp] Mutual redistribution into and out of the MP-BGP superbackbone

2012-02-09 Thread Phil Bedard
IOS-XR has the ability to apply a policy to the redistribution command for both OSPF and BGP so you can filter out the routes you do not want redistributed. Is there a reason you can't just configure BGP to advertise aggregates covering the OSPF routes as opposed to doing mutual

[c-nsp] Cisco's new 4500-X 10G Aggregation Switches

2012-02-09 Thread Reuben Farrelly
Looks like it just went up on CCO in the last week: http://www.cisco.com/en/US/prod/collateral/switches/ps10902/ps12332/data_sheet_c78-696791.html So finally, a 10G 1RU SFP+ access device. It seems to be targeted at enterprise aggregation but I imagine it would have some appeal in the service provider space

Re: [c-nsp] Both side Loadbalancing in ace4710

2012-02-09 Thread Daljit Singh
Hi, can anybody help with the requirement below? Regards, Daljit Singh -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Daljit Singh Sent: Thursday, February 09, 2012 3:35 PM To: cisco-nsp@puck.nether.net Subject: [c-nsp] Both