On 7 May 2018, at 20:04, James Bensley wrote:
> Have you opened a TAC case?
Yes - that's how I'd go about it. If I couldn't take the gear in
question out of service, I'd iACL it in the meantime (should be done,
anyways).
Roland Dobbins <rdobb...@arbor.net>
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
<https://www.cisco.com/c/en/us/support/web/clock-signal.html>
The idea is to keep the sampling ratio as low (e.g., 1:100 is a *lower*
sampling ratio than 1:1000) as practicable, given a reasonable balance
of the factors noted above.
On 6 Jan 2017, at 23:29, Satish Patel wrote:
> What is the appropriate sample rate
Situationally-dependent.
> and is there any impact in performance?
Negligible.
To what are you comparing your flow-derived stats?
On 6 Jan 2017, at 6:48, Satish Patel wrote:
> Any thought?
On a smaller box like the 1K, it's likely to be 1:1, yes?
Have you set the active timer to 60s, and the inactive timer to 5s?
On 28 Dec 2016, at 11:04, CiscoNSP List wrote:
> So, potentially an option if we went BGP-free "core"?
There are lots of advantages to doing this, IMHO.
On 19 Oct 2016, at 20:21, Stephen Fulton wrote:
> I've got an ASR1009X which did not come with blank faceplates for two
> ESP and one SIP slot.
Did you knowingly buy it used?
If not, I'd contact both the seller and Cisco.
On 3 Jun 2016, at 14:10, Saku Ytti wrote:
> But how to deal with that in hostile environment?
+1
On 3 Jun 2016, at 13:50, Patrick M. Hausen wrote:
> so one can employ a TCAM as a route cache in LRU fashion and
> process-switch everything new/unknown?
That could get ugly, really quickly.
On 1 Jun 2016, at 5:08, Mack McBride wrote:
> From prior experience, using 100% and bad things happen.
+1
On 25 Apr 2016, at 16:56, Mark Tinka wrote:
> If you were greenfielding an RR, I'd not go physical in 2016.
+1
y enabling ingress on the relevant
interfaces?
offer various types of commercial DDoS mitigation
services. You can ask them about this, and whether customer-triggered
flowspec is an option.
, then use S/RTBH to drop attack
sources which are in-policy.
Why don't you just enable both of these functions, and play around with
them? That will give you an idea of how best you can use each one.
flowspec?
This information is available via search engines.
your edge router to an open-source
collection/analysis system, so that you can see the sources.
But you do know that most UDP reflection/amplification attacks are
high-volume, yes? So, your transit pipe may still be filled up due to
sheer bps.
On 27 Apr 2016, at 0:10, Satish Patel wrote:
> My ISP is not allowing S/RTBH).
You do S/RTBH on your own edge router. You can use BGP just for that
application, irrespective of your actual routing.
how to use Cisco ACLs to
filter them.
But if you drop *all* non-initial fragments ingressing your network, you
run the risk of messing up large, but legitimate, DNS responses.
So, be careful about dropping non-initial fragments.
On 26 Apr 2016, at 18:06, Satish Patel wrote:
> We have never ever seen frag packet on VOIP traffic.
The last I checked, most VoIP setups require DNS, too.
sco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/8014-acl-wp.html>
On 9 Dec 2015, at 20:13, Chuck Church wrote:
> QOS seems like a good fit here.
Or why not go a step further, and PACL off everything except necessary
game and DNS (to/from specific rDNS servers) traffic?
On 10 Dec 2015, at 5:48, Lukas Tribus wrote:
> Is that what you mean?
Yes - DAI is a guaranteed self-DoS when someone is actually
ARP-spoofing, heh. There are other means to achieve the same goal.
On 9 Dec 2015, at 23:20, Laurent Dumont wrote:
> DHCP Snooping, BPDU for STP and IPV6 are all on our list!
Don't forget iACLs, as well.
, Root Guard, Loop Guard, and BPDU-Guard should be enabled in a
situationally-appropriate manner.
with dedicated
resolvers. See this .jpg diagram:
<https://app.box.com/s/72bccbac1636714eb611>
a centralized place to do it.
Logical functional bulkheading is also quite useful from an availability
perspective.
On 18 Nov 2015, at 11:18, Waris Sagheer (waris) wrote:
> ASR901 does not support Netflow.
It would be interesting to understand the rationale behind this decision.
Does it support NetFlow in satellite mode with an ASR9K?
Thanks!
your transit edge router
within your own network via iBGP.
to release
an edge router without flow telemetry capabilities . . .
purportedly sourced from
unadvertised blocks as well as for S/RTBH.
performance issues.
Allow-default is useful in circumstances where a default is present - it
essentially renders the uRPF 'S/RTBH-only'
On 3 Sep 2015, at 15:06, Adam Vitkovsky wrote:
> Another option would be to run GLBP on the 16 processing nodes.
Or WCCPv2, if it's supported by the services in question.
On 13 Aug 2015, at 19:07, Nick Cutting wrote:
> Mostly folks were using these for Route reflectors I think.
The OP of this thread specifically stated he was using it as an edge
device, however.
On 13 Aug 2015, at 18:30, Robert Hass wrote:
> Everyone knows that it's faster, but not everybody needs such huge performance.
Until it gets packeted.
On 13 Aug 2015, at 19:18, Nick Cutting wrote:
> And he received naysayers, rather than real world statistics.
Unsolicited, but well-intentioned, well-informed advice naysaying.
personally
think it's way too soon to be doing this in production environments.
telemetry and
collection/analysis tools to determine your optimal traffic engineering
strategy, implement it, and revisit it every so often. There are plenty
of open-source tools out there.
On 17 Apr 2015, at 18:16, Jeroen van Ingen wrote:
> Anyone with ideas how to dig deeper?
sh fm sum
Reseat the linecard in question?
On 2 Apr 2015, at 17:06, M K wrote:
> WhatsApp released voice recently; I wonder, does Cisco SCE have the
> ability to block it?
Why do you want to block a valuable service WhatsApp users have been
requesting for quite some time?
active/active, instead. DNS, not an
IP address, should be used to reach each active instance of the service
in question.
router(s) to
account for tunnel overhead.
Jared was talking about the MSS of TCP traffic encapsulated within the
tunnels, not the tunnel traffic itself (IPSEC wrapped in UDP/1?).
got it working - great job!
On 9 Feb 2015, at 14:54, Rod James Bio wrote:
> If that's the case, then his static route won't do anything.
He was trying to do S/RTBH.
On 7 Jan 2015, at 19:44, Antoine Monnier wrote:
> Maybe traffic from and to the router cannot be processed for Netflow export
That isn't generally true - I'm unsure about VRF-specific contexts.
Here's an example (scroll down to the bottom of the page):
http://www.networkgalaxy.org/2013/07/filtering-routes-in-bgp-using-route.html
On Dec 5, 2014, at 12:49 AM, Jonas Björklund jo...@bjorklund.cn wrote:
> Any ideas?
Flow template?
--
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com
Equo ne credite, Teucri
> NETFLOW on all EDGE routers.
Which is what I said previously.
traceback and detailed peering analysis - are negated by
this approach.
Better to do a partial edge deployment and then expand it over time,
IMHO.
/security/asa/asa82/command/reference/cmd_ref/ef.html#wp1927618
The default config is to allow all returned traffic from the 'outside' to the
'inside'.
established', and a bunch of
UDP-tracking stuff, too.
Someone else will likely be able to give more detailed answers.
On Oct 10, 2014, at 2:56 AM, Pete Lumbis alum...@gmail.com wrote:
> Existing connections skip the ACL check.
Is there a knob/stanza for this? If so, is 'permit established' the default?
, you must update them. Surely you have automation in place to
update ACLs when necessary, yes?
benefit to doing so (although spoofed traffic costs money
. . .).
And so it goes . . .
and then to
9208 bytes respectively. There is no need to adjust for the vlan tags.
I've heard this referred to as 'dynamic MTU adjustment', though I don't know if
there's actually a formal name for it.
at each end.
The solution is not in-line Ethernet 'surge suppressors', but rather getting
the electrical issue resolved.
router more susceptible to DDoS attacks?
Why do you want to do this, seriously?
(the last hop - the destination does not have it) :)
The cure for this is customer education, not making the router more vulnerable
to DDoS attacks, either deliberate or unintentional ones.
to point
whatever they're using at that.
OTOH, if they're deployed on networks not under your control, then individual
iACLs/tACLs combined with CoPP is probably the best answer.
On Aug 7, 2014, at 9:27 PM, Justin M. Streiner strei...@cluebyfour.org wrote:
> That becomes a much worse idea if/when IPv6 is involved.
It's a terrible idea for IPv4, too - it breaks PMTU-D.
will minimize the scope of any collateral issues.
But blocking high ports towards your subscribers as a permanent blanket policy
causes problems and isn't the way to permanently resolve issues of this nature.
to communicate through, heh.
The risk is that you'll end up with subscribers having weird issues which lead
to dissatisfaction, more help-desk calls, and customer churn.
and MPLS, primarily. On the wireline
broadband edge, they use *DSL and DOCSIS.
/asr9k_r4-2/netflow/configuration/guide/b_netflow_cg42asr/b_netflow_cg42asr_chapter_00.html
On Jun 13, 2014, at 8:27 PM, Phil Mayers p.may...@imperial.ac.uk wrote:
> Unless you're trying to block RAs or similar :o(
In that case, one can specify the destination address and drop *all* IPv6
headed for it, yes?
On Jun 13, 2014, at 9:05 PM, Jeffrey G. Fitzwater jf...@princeton.edu wrote:
> neither can be applied to outbound on port-channel.
Gotcha. Another case where IPv4 feature parity is lacking . . .
On May 22, 2014, at 3:14 AM, daveb sp...@zitomedia.net wrote:
> For nfsen, set your router to export IN and OUT.
This is incorrect. For almost all use-cases, set ingress on all interfaces
handling traffic.
topological situations (like various types of tunnels) in which you wouldn't
otherwise be able to get the telemetry.
the routers in question. You don't want traceback for
outbound/crossbound traffic emanating from your subscribers?
On May 22, 2014, at 8:40 AM, CiscoNSP List cisconsp_l...@hotmail.com wrote:
> Can anyone please explain why?
It doesn't give you visibility into your crossbound traffic, for one thing.
/crossbound
traffic. This means ingress NetFlow on all relevant interfaces.
topological
issue which precludes its use.
On May 13, 2014, at 7:23 PM, James Bensley jwbens...@gmail.com wrote:
> That's true, my point is that Cisco aren't allowing oversubscription :)
That's an interesting sales strategy.
for
ingress netflow.
Concur 100%. The key ifindex should match the flow tabulation directionality.
Nitin Jain nitin.jain@gmail.com wrote:
> Any pointers on which IOS I should try?
NetFlow is primarily an edge technology. Enable it ingress on your
customer-facing peer-/transit-facing interfaces on the relevant edge
router(s).
to the survey which forms the foundation of the report;
as always, we're grateful for your insight and participation, and welcome your
feedback and comments.
Thanks much!