Mikael Abrahamsson swm...@swm.pp.se writes:
When 40GE and 100GE were standardized it was taken for granted that
40GE would be used to connect servers and perhaps a little
inter-building backhaul, because of that only up to 10km was
standardized.
Just in case any vendors read this list:
There
Ian Henderson i...@ianh.net.au writes:
What about MacSec? Works between 3560X/4500/4500X/Sup2T/etc for wire rate L2
encryption.
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/15.1/XE_330SG/configuration/guide/swmacsec.html#wp1334072
says:
Does that actually work over WAN links
Adam Vitkovsky adam.vitkov...@swan.sk writes:
How plausible is it that a customer will replace your device with theirs without
you noticing it + they crack all the passwords so they can run ISIS, LDP and
BGP sessions with you?
They don't need to do that. Just put a switch between the CE and the
Davide Ambrosi davide.ambr...@trivenet.it writes:
I see that 7600 catalyst modules don't support QinQ VLAN termination
(the command encapsulation dot1q outer-vlan second-dot1q inner-vlan)
because they are LAN modules.
The only cheap way to do what you want is to use some other box to
either
Nick Hilliard n...@foobar.org writes:
there's no 128 vlan limit - it's a spanning tree topology limit of 128
instances for pvrst. If you need more than 128 different topologies in
your network, your network would probably benefit from a redesign. And if
you want to use all 4094 vlans on
Scott Lambert lamb...@lambertfam.org writes:
It turns out that the telco is going to give the DSL to us via QinQ
rather than L2TP as I had assumed. I've been reading up on that
and it doesn't look too bad. I have not figured out the shaping
of the individual client connections, yet. Some
h bagade baga...@gmail.com writes:
I've also tested Cisco router connection on different systems with
different OSes. On Win systems, when I disable the Ethernet card, router
detects it at the time but on FreeBSD systems, when I set interface down,
the router shows Line Protocol as up!
Be
Joe Freeman j...@netbyjoe.com writes:
Now I'm having trouble getting traffic across it. I've got a policy in the
FG that allows any/any between the internal interface and the tunnel (both
ways). Traffic counters aren't incrementing on either policy. I've also
checked my static routes that
Saku Ytti s...@ytti.fi writes:
Out of curiosity. Why are people choosing to run IGP in network borders?
Link-state is complex, expensive and poorly manageable (in terms of
filters/policies/route-map)
Do you need filters/policies/route-maps in a VRF? If a customer messes
up, they only take out
Saku Ytti s...@ytti.fi writes:
It shouldn't be argued this direction, BGP needs no justification, IGP
does.
Fair enough.
We did this a decade ago, no one has looked back. Configuring BGP in certain
platforms can be 0 touch on PE. Like if you use 'allow CIDR' in JunOS or 'bgp
listen range
Saku Ytti s...@ytti.fi writes:
I guess vendor could implement this by allowing DHCP default-gw to be
configured as BGP peer. Now you just need to be buying devices for half a
million USD to get PERS/ER done :)
That is an absolutely brilliant idea actually! Scripting should handle
that, no
Saku Ytti s...@ytti.fi writes:
On CMP you can upload images, on on-band RS232 you cannot (most don't even
support anymore and even those which do it's not practical, as it takes
less time to go on-site, short of moon nazis Internet, and while they pay
well, we thought it was unethical to
Łukasz Bromirski luk...@bromirski.net writes:
I saw customer dropping our 4900M after learning the FE0 management
can't be used to route its default route to the internet for the
rest of multi-10GE customers. True story as they say. No amount
of education at this point can make him change
Covalciuc Piotr pkovalc...@gmail.com writes:
I know, the servers can communicate through local network (10.10.10.x).
I'd like just to know if the communication between local servers can
be established through NATed IP.
If so, how it should be configured on ASA?
I believe this link answers
Thank you all for your answers. This mailing list is always a great
help.
/Benny
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
sth...@nethelp.no writes:
Cisco is the same. The router's job is to forward packets, not to
generate ICMP replies (whether this is due to explicit ping, or for
instance traceroute through the router).
You should *expect* that a modern router will have limitations on
how much control plane
Gert Doering g...@greenie.muc.de writes:
Mmmh. GPU based forwarding? Build a high-end 10Gbit router using
$1000 PC parts? Tempting... :-)
Already been done, http://shader.kaist.edu/packetshader/
The code is not publicly available.
/Benny
sth...@nethelp.no writes:
It already exists on some platforms. Lightly edited to hide some details:
sthaug@xxx start shell
% pwd
/var/home/core-remote
% grep 'BGP.*Established to Idle' /var/log/messages | awk '{print $9}'
x.y.4.170
x.y.120.77
sed is there too.
Is there a handy way to
Mounir Mohamed mounirmoha...@gmail.com writes:
For investment protection I recommend the Cisco ASR1001. It is ISP-class gear
that allows you to add services as you grow without performance degradation.
Check it out.
http://www.cisco.com/en/US/products/ps10878/index.html
I know I am repeating
Łukasz Bromirski luk...@bromirski.net writes:
The ASR 1001 is a hardware-based router that has 4 GE interfaces and
is priced at 17k$ with dual PSUs. The ASR 1001 can with proper license
do 5Gbit/s line-rate, while the 7201 is a 1Mpps engine that will slow
down with every feature turned on.
Does
Mack McBride mack.mcbr...@viawest.com writes:
Correct. The security posture is more important.
General consensus is that a subnet is a /64.
More specifics should be used to reduce exposure to attacks.
Links for example are generally assigned as /126 or /127.
It can be an advantage to reserve
Mon, 15 11 2010 at 10:29 +, Tomas Daniska wrote:
it's not only the ARP reply that is taken into account when talking
operability of such solutions.
In one particular case, we had been hit hard with this clustering
method. Over the time, everything worked as the old switches were
slightly lax
William Cooper wcoope...@gmail.com writes:
On Mon, Oct 25, 2010 at 4:07 PM, Benny Amorsen benny+use...@amorsen.dk
wrote:
Actually it does, in some cases. BGP cannot maintain 2 links to the same
neighbour, and so it does not work if you have redundant links (except
for LACP links
Christopher J. Wargaski war...@gmail.com writes:
It just doesn't make sense to run OSPF when all of the links to the
remote locations will be running BGP.
Actually it does, in some cases. BGP cannot maintain 2 links to the same
neighbour, and so it does not work if you have redundant links
John Neiberger jneiber...@gmail.com writes:
We have an application involving a firewall cluster where the cluster
has a VIP associated with it, but the VIP apparently replies to ARP
requests with a multicast MAC address. The idea, ultimately, is that
both firewalls in the cluster will receive
Gert Doering g...@greenie.muc.de writes:
Now if I had more time :-) it might be worth investigating the (Linux)
streaming server software used, whether it can be changed to invest a bit
more CPU to better smooth out the packets... OTOH, the kernel might
just wreck this, and smear it all
Nick Hilliard n...@foobar.org writes:
From what I remember, the EX4200 has rather small buffers - not terribly
different in size to the 3560/3750 range. This is from memory, so I could
be mistaken. Juniper are rather coy on the topic, which is always a sign
of relative paucity. If the box
sth...@nethelp.no writes:
I would have agreed five to ten years ago. However, nowadays we use
autoneg everywhere with a few well known exceptions (e.g. Cisco 7200
with Fast Ethernet PAs). Autoneg simply gives us fewer problems.
Autoneg also has the advantage of almost always failing in an
Gert Doering g...@greenie.muc.de writes:
(Unfortunately, design goals for the 2960S/3750X were different than get
this fixed, so the buffer size is the same)
If you want to stick with Cisco, do they have any similar products with
larger buffers? I.e. 24 or 48 1000base-T and some SFP/SFP+ uplink
Asbjorn Hojmark - Lists li...@hojmark.org writes:
The supported ones (incl. 3rd party) are listed here:
http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps10110/data_sheet_c78-568589.html
Are there similar lists for other Cisco switches? I found one, but it
only lists Cisco's own
Nick Hilliard n...@inex.ie writes:
Also, twinax SFP+ are manufacturer-specific. Is it possible to get a
twinax-cable with a Cisco-coded SFP+ at one end and a Procurve-coded
SFP+ at the other?
It's certainly possible to hack one up, if you have a transceiver.
Are they compatible though? If I
These days you can get cheap twinax 10G cables with SFP+ at the ends to
connect two Cisco switches or two Procurves. Short distance only of
course, but very cheap.
I would like to connect a Procurve 5406zl which has a SFP+ port to one
of the 10Gbps ports on a Cisco 7600 RSP720-3CXL-10GE.
Twinax
Gert Doering g...@greenie.muc.de writes:
Not that they are willing to ship an IPSEC VPN client for 64 bit windows...
There are vendors other than C and J, and one of them recently lowered
the price for its basic PC client software (available for 64-bit Windows
as well) to 0...
/Benny
Rob Shakir r...@eng.gxn.net writes:
I can confirm that the v1 SPA does _NOT_ support QinQ termination - it
will let you configure it with 'encaps dot1q 400 second-dot1q 200',
but will just fail to do anything. I wish that Cisco would fix it so
that these cards that do not support a feature do
Marian Ďurkovič m...@bts.sk writes:
Yes, if both hosts are connected at the same speed, no extensive buffering
is needed. However, another usage scenario for such switches is speed
downshift, e.g. 1Gbps uplink - 100 Mbps host (or 10 Gbps - 1 Gbps),
where the relation to TCP window size does
Tassos Chatzithomaoglou ach...@forthnet.gr writes:
I had exactly the same experience too. To be honest I was hoping Cisco
would have at least coded an applet capable of maxing download speed or
splitting the file in multiple parts and downloading all of them
concurrently.
If that improves
Dale Shaw dale.shaw+cisco-...@gmail.com writes:
It's been years since I was armpit deep in IPSec but I am assuming the
encryption key it wants is NOT the ISAKMP pre-shared key.
Nope, it wants the session key used for that particular session. This
can be hard to get, depending on which
David Hughes da...@hughes.com.au writes:
... works like a charm until it doesn't. Any PV based STP will not
work in a dense server virtualisation environment. So these days
that's basically any hosting provider. MST is your only choice and if
you pre-provision your vlan/instance
Matthew Huff mh...@ox.com writes:
Also, with 802.1q framing, you might run into fragmentation on the
non-native VLANs. You may want to adjust the MTU on the virtual
machines if Linux doesn't do it automatically.
Linux, with reasonably modern kernels, automatically allows an extra 4
bytes for
Paul Stewart p...@paulstewart.org writes:
On a related note to the PS below... we have tested l2tpv3 on a few
different boxes running various IOS images and on each of the devices we did
test we saw the same behavior. This means something is either broken in the
code in my opinion or that
Brad Hedlund brhed...@cisco.com writes:
No, not at all. PFR runs locally on the router and does not rely on any
other routers having PFR enabled (unless you have separated the MC
function). PFR makes traffic engineering decisions based on the traffic
measurements on your routers only. You
Jonathan Brashear jonathan.brash...@hq.speakeasy.net writes:
As an aside, PVST can become an issue when you're scaling up into
dozens/hundreds of VLANs.
The 3560/3750 series supports only 128 PVST instances. I discovered this
the hard way.
/Benny
Elmar K. Bins e...@4ever.de writes:
So, the conclusion is: The mgt port is absolutely useless for me and I
could have saved the money on it. Mgt Ethernet will take one of the
precious ports on the SP, and it will make ACLs and route filtering
necessary, too.
The mgmt port should perhaps be
Elmar K. Bins e...@4ever.de writes:
This forces everyone with out-of-band management and monitoring
equipment to sacrifice one of the power ports for management
and again run ACL based security there. Just like in the olden
days...
It allows the rest of us to get rid of the terminal servers
Charles Wyble char...@thewybles.com writes:
Last time I looked into this (mid last year) the Linux bits weren't
very mature. Not sure how Mikrotik or Vyatta have changed it.
Hopefully they have made things better.
Mikrotik has done their own MPLS/VPLS implementation. You can't really
use
Adam Armstrong li...@memetic.org writes:
I have heard it said that more than 512 VRFs is crazy. more than 1024
*INSANE*.
Why? You want as many customers on one box as possible, to keep costs
and maintenance down. Having an array of PE's at 1/100th of capacity
just because they're limited to
Chris Hills c...@chaz6.com writes:
Radiator /is/ open-source, but it is not free.
The fact that you get the source code doesn't by itself make the
software open-source.
The license may be this one: http://www.open.com.au/license.html but
it says that any click-through license overrides what is
Alex Balashov abalas...@evaristesys.com writes:
There is no reason why you need to waste IP address on the /30s -
who said they have to be public IPs? Just carve out some address
space out of a 10.0.0.0/8 range and use private transport IPs.
You risk that ICMP comes from those addresses.
Kevin Graham [EMAIL PROTECTED] writes:
My biggest single gripe is Cisco's own internal games with them with
product handicapping such as the lack of a 3750E equivalent to the
3650E-12D and a higher-density or 'E' version of the 3750G-12S.
(It would also be really nice to see an ISSU
Mark Newton [EMAIL PROTECTED] writes:
The next challenge is to find consumer-grade ADSL2+ CPE which
does IPv6. Can't expect all my residential customers to run out
and buy 877's, right?
Mikrotik Routerboards will do it, admittedly in a prerelease (but hey,
that shouldn't really scare Cisco
Mark Tinka [EMAIL PROTECTED] writes:
I think the only reason folk wouldn't look at the ASR9000
for Metro-E P/PE deployments, at least in the short to
medium term, is because IOS XR might be anaemic when
compared to regular IOS.
Isn't the 7600 likely to be cheaper than the ASR9000 for the
Ben Steele [EMAIL PROTECTED] writes:
As for licenses this one is a little weird, basically adv enterprise is
cheaper than adv ip even though it has all the features of adv ip, seems to
be purely based on ppl not wanting features they will never use available on
an image and Cisco making them
Feature Navigator says that IEEE 802.1Q-in-Q VLAN Tag Termination is
available in asr1000rp1-ipbase.02.01.00.122-33.XNA.bin.
I was certainly worried for a minute there :)
/Benny
Florian Weimer [EMAIL PROTECTED] writes:
* Bob Snyder:
One issue we ran into was that not all the networking gear we had
could support /126. The vendor's (not Cisco) immature support for
IPv6 could only understand the concept of /128 loopbacks and /64
subnets.
Subnets smaller than /64
Marko Milivojevic [EMAIL PROTECTED] writes:
In our defense (yes, I'm one of those people), some of us may not have
a choice. When we leave for vacation, we must configure auto
responder, if we are using work e-mail for mailing list
subscriptions...
If a mail program sends an autoresponse to
Christian Koch [EMAIL PROTECTED] writes:
I'm a bit confused by your use of terms in the question...
are you asking about vrf-aware firewalls?
Probably. Most of them seem to only do 250 firewalls per box, or in
the case of the FWSM, per module. What about the service providers
with thousands of
Pavel Skovajsa [EMAIL PROTECTED] writes:
What if the service provider wants to provide centralized firewalled
internet connection to those customers?
Exactly. There must be many ISP's which offer hosted firewalls and
Internet access for their MPLS customers. But how? None of the
solutions seem
Pavel Skovajsa [EMAIL PROTECTED] writes:
does anybody know whether ASA or FWSM is able to firewall qinq packets
in transparent mode? Does anybody have some configs of this?
In short we are a service provider who wants to offer firewall
protection to various customer qinq tunnels.
I don't
Eric Van Tol [EMAIL PROTECTED] writes:
Are /31 subnets valid for an ethernet network nowadays?
See RFC 3021.
Speaking of which, I wish we could redefine the subnet address to be a
usable host address in general. I know the history with zero-broadcast
and all that, but this is 2008...
/Benny
[EMAIL PROTECTED] writes:
Racked a lot of 7200's. Never had a problem with them drooping
alarmingly. Tighten your screws.
It IS a problem with 1U front mounted stuff. Even 3750's suffer from
it.
The solution is to turn the brackets around and move the rack posts
back. This doesn't work very