On 6/03/2012 4:54 PM, Mark Tinka wrote:
For static routes, assigning a tag to the routes and
referencing that in a route-map which is attached to a BGP
policy will get you what you want. The tag is useful to
ensure you don't end up redistributing more routes into BGP
than you should.
For
On (2012-03-04 11:01 +0200), Saku Ytti wrote:
On (2012-03-03 23:19 +0100), Niccolò Belli wrote:
Is there any news about Catalyst 3560 raguard support?
Last I heard 3560G won't get it, ever. 3560[EX] should. But haven't asked
about schedule lately.
I'm just going through slide-deck which
Hi,
On Tue, Mar 06, 2012 at 11:18:29AM +0200, Saku Ytti wrote:
On (2012-03-04 11:01 +0200), Saku Ytti wrote:
On (2012-03-03 23:19 +0100), Niccolò Belli wrote:
Is there any news about Catalyst 3560 raguard support?
Last I heard 3560G won't get it, ever. 3560[EX] should. But haven't
On Tuesday, March 06, 2012 05:34:20 PM Enno Rey wrote:
that would be strange as it has been available for
CAT4500 for quite some time now.
That's what I'm thinking - many times, commands that
shouldn't be there are, and vice versa.
So while the plan is not to have the capability in the 3560,
On Tuesday, March 06, 2012 04:29:45 PM Reuben Farrelly
wrote:
WTF? The IPv6 prefix has been matched by the IPv4
specific route-map sequence 10, and the community from
that route map of 38858:2504 'set' on the router. It
should be falling through to sequence 100 on account of
a no-match on
On 6/03/2012 9:46 PM, Mark Tinka wrote:
On Tuesday, March 06, 2012 04:29:45 PM Reuben Farrelly
wrote:
WTF? The IPv6 prefix has been matched by the IPv4
specific route-map sequence 10, and the community from
that route map of 38858:2504 'set' on the router. It
should be falling through to
Dear Josh, to do routing I imagine that you're using some L3 switches
correct? ASA can do router-on-a-stick config?
Regards,
On Tue, Mar 6, 2012 at 12:47 AM, Josh Farrelly j...@base-2.co.nz wrote:
From what you've mentioned there'd likely be no reason you couldn't use an
ASA5510 for the
I'm curious what the default NAT timeouts for IOS-XE are. A lot of the
normal IOS ones are 24 hours, which is WAY too long for dynamic large scale
use. An hour is much more reasonable.
Chuck
-Original Message-
From: cisco-nsp-boun...@puck.nether.net
On 06/03/12 17:51, Chuck Church wrote:
I'm curious what the default NAT timeouts for IOS-XE are. A lot of the
normal IOS ones are 24 hours, which is WAY too long for dynamic large scale
use. An hour is much more reasonable.
As soon as IOS NAT sees close/fin or fin/ack bits, it sets the session to 5
Hi all,
I am somewhat confused/annoyed by the ME 3600X's lack of support for
VLAN mapping.
The ME-C3750 offers this, listing the feature as metro Ethernet
service for obvious reasons. I would go as far as saying that this
is, in fact, a requirement for a device sold as offering ME
capabilities.
On 06/03/2012 14:14, Nikolay Shopik wrote:
As soon as IOS NAT sees close/fin or fin/ack bits, it sets the session to 5 minutes
to expire. So only not properly closed sessions stay there for 24 hours iirc.
that would make a nice nat slot DoS vector. Sounds like on a public facing
device you would want
Hi Riccardo.
The ASA can route between VLANs, though dependent on your configuration and
requirements you can route before the firewalls if you prefer.
Thanks,
Josh Farrelly
On 7/03/2012, at 0:34, Riccardo Giuntoli tag...@gmail.com wrote:
Dear Josh, to do routing I imagine that you're using
what's the source IP of the device sending the join? maybe an RPF issue?
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
On 2012-03-05 14:10, tao wrote:
Both 6704 and 6708 have two complex of Fabric ASICs.
The 6708 you can see on figure 21 here:
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd80673385.html
On 6/03/2012 10:29 PM, Reuben Farrelly wrote:
Have you tested whether having a dedicated route-map for the
IPv6 session works around this problem?
Yes - it doesn't work around it. I have just replicated the route-map
exactly but removed the IPv4 specific match (seq 10) from the new copy
and
Hello,
I am trying to devise some acl's and am coming from a linux fw
background, which allowed me to split my acl's into separate tables and
effectively call one from the other. This allowed me to have, say,
'filter everything going to/from rfc 1918 space', and combine that with
another
Hello. I have a question regarding the use of policy based routing. I've
always thought of it as a way to selectively change routing in exceptional
circumstances.
I've come across an implementation where it is being used to explicitly set
a next-hop ip for 99% of all traffic headed from an
I apologize if this seems like a rookie question. A colleague and I have a
stance that neither want to budge on. We have a cisco 861w core router for our
internal network and a typical domain server/client access. All of our internal
pc's are part of this domain and our client pc's obtain a
The PBR performance on the 3K is wonderful if you only need it for a few
Mbps. I would always recommend routing over PBR, unless there is just no
other way. My house I use PBR so that certain servers return to the correct
Internet Connection Symmetrically and are NAT'd and Firewalled correctly. I
Technical considerations aside, the answer for that one should come from
company policy regarding byod.
On Wed, Mar 7, 2012 at 1:22 PM, Rich Trinkle rtrin...@heartofiowa.coop wrote:
I apologize if this seems like a rookie question. A colleague and I
have a stance that neither want to budge on.
DHCP servers could care less about who you are. They will give out an
address to just about anyone. Now MBA or 802.1x authentication can be used
to block this. With MBA or 802.1x you could place the authenticated users in
to a different vlan, where all of your domain related information resides.
I would assume you and your CTO (or closest match) would get together
and develop a network/security policy which would define the guidelines
around this.
Regards,
Josh Farrelly.
-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On
I'm relatively new to route policies in IOS XR. I have a route policy
on a production router that needs to be replaced. The documentation
doesn't exactly make it clear how to do this properly. Is it as simple
as pasting an entirely new route policy in config mode and committing
it? I see that
On 07/03/2012, at 1:55 PM, Zach Williams wrote:
I'm having a tough time finding best-practices information on the use of
PBR and was wondering what cisco-nsp thought of this setup.
I wouldn't use it at all - other than perhaps for a short term migration issue.
6 months later, debugging will be
On Tue, Mar 6, 2012 at 11:47 PM, Andrew Miehs and...@2sheds.de wrote:
On 07/03/2012, at 1:55 PM, Zach Williams wrote:
I'm having a tough time finding best-practices information on the use of
PBR and was wondering what cisco-nsp thought of this setup.
I wouldn't use it at all - other than
On 07/03/2012, at 3:56 PM, Oliver Garraux wrote:
On Tue, Mar 6, 2012 at 11:47 PM, Andrew Miehs and...@2sheds.de wrote:
Does PBR still cause the performance issues it did in the past, forcing
every packet through the CPU?
Andrew
I think it varies by platform. IIRC, PBR can usually be
From the limited details, it sounds like what you really want is vrf-lite.
Assuming the application traffic can be split into its own subnetwork, stick
them in a VRF whose normal routing table matches what you're forcing via PBR.
On Mar 6, 2012, at 6:55 PM, Zach Williams