On Tue, Feb 03, 2009 at 07:11:13AM +, Jeffrey Ollie wrote:
This piqued my interest, so I whipped up a quick program to do some
testing. I've attached the resulting program, which when run against
my 6500 running 12.2(33)SXI produces a copy of the running config.
Some things I observed:
Hi,
the PA-MC-STM1 can be configured for SDH or Sonet framing on the controller,
below which the TUG structure (don't know how's that called in Sonet) is
configured. As far as I know (only done SDH for some time) when switching to
Sonet we're in OCx world.
I've no installed PA at hand without
On Tue, Feb 3, 2009 at 3:54 AM, Aaron Riemer arie...@wesenergy.com.au wrote:
Hi guys,
I am trying to work out why I cannot initiate connections to our VPN
clients. ICMP seems to be okay and I can see that there is nothing in
the log indicating the connections are denied. What could I be
Hi,
I am looking for some studies/papers to convince my customer (and
myself) that VLANs can be as secure as physical segments and VRFs also
provide a secure segregation of traffic. A few years back I came across
a post referring to a document on the FBI or the NSA site stating that
VLANs were
Hi all,
I have configured vpn on asa 5520 (software version 7.2). vpnclient
connect to asa and says everything is ok. But I cannot ping any computer
in inside network.
asa is working in router mode, single context. No nat on inside or
outside interface
hostname(config)# interface
Peter Rathlev wrote:
...
What does the log say? Where's the ACLs for the interfaces? Are you sure
the firewall isn't denying the traffic as it does default?
Regards,
Peter
It's hard to find anything in log, because this is a production firewall
and there are a lot of messages in syslog.
if
hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15
I guess this is a routing problem, since you assign 192.168.0.x to vpn
client which is located on different segment with PIX's own interface.
The pix must respond to arp request for 192.168.0.10 to 15 on behalf
of the vpn
Hi everyone,
I've got a couple of questions regarding the use of iBGP and OSPF.
I've got:
rtrA - connected to Internet, and routes some prefixes of my /21 (and v6
/32) to the infrastructure/servers
rtrB - private eBGP peering with another company, and connects some
multihome clients with eBGP
If you're connecting through a natted host to the VPN you might try adding
crypto isakmp nat-traversal 30
I have a fairly similar setup to yours which works just fine.
BR,
Sibbi III
On 3.2.2009 14:33, Eimantas Zdanevičius eiman...@occ.lt wrote:
Engelhard Labiro wrote:
hostname(config)# ip
Sigurbjörn Birkir Lárusson wrote:
If you're connecting through a natted host to the VPN you might try adding
crypto isakmp nat-traversal 30
I have a fairly similar setup to yours which works just fine.
This solved the problem, thanks!
Another problem is that client sets default gateway to
How many entries can be made with the ip igmp snooping vlan static on a
2960G?
I'm thinking of bringing in two GigE's of video and then grooming them with
that feature down to one GigE.
Besides entries, is this feature implemented in hardware or software, such
that there might be scalability
Brian Spade wrote:
What is the best way to configure OSPF to inject all 50+ SVIs into the
routing domain?
Would you configure network statements for all SVI networks and passive the
interfaces?
Would you configure OSPF on the uplink interfaces only and redistributed
connected to create type-5
but this is an MCS (Mission Critical Site) solution,
i.e. we ordered the same circuit from the same carrier to implement the
solution in another location for resiliency, and it works fine
P.S.: at some point I had 8% success rate of 100 pings, but after that all
dead
I told the carrier I
Something along these lines if you wanted to just send 10.10.53.0/24 and
10.10.54.0/24 through the VPN tunnel
tunnel-group testgroup general-attributes
default-group-policy testpolicy
group-policy testpolicy internal
group-policy testpolicy attributes
split-tunnel-policy tunnelspecified
have you tried global (outside) 0 interface ?
-Original Message-
From: William wil...@gmail.com
To: cisco-nsp@puck.nether.net cisco-nsp@puck.nether.net
Subject: [c-nsp] VPN PIX 6.x Translation issue
Date: Mon, 2 Feb 2009 10:57:05 -0500
Hi folks!
I currently have a PIX firewall running
Engelhard Labiro wrote:
hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15
I guess this is a routing problem, since you assign 192.168.0.x to vpn
client which is located on different segment with PIX's own interface.
The pix must respond to arp request for 192.168.0.10
Alasdair Gow wrote:
Hi,
It looks like eth0 and eth1 are on the same network.
they need to be on separate networks IIRC.
Cheers,
Ally
Sorry about my mistake. Interfaces are on different networks
masks are 255.255.255.0
___
cisco-nsp mailing list
On Tue, Feb 03, 2009 at 08:10:18AM +, Phil Mayers wrote:
On Tue, Feb 03, 2009 at 07:11:13AM +, Jeffrey Ollie wrote:
This piqued my interest, so I whipped up a quick program to do some
testing. I've attached the resulting program, which when run against
my 6500 running 12.2(33)SXI
Not unless you configure RRI, see
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809d07de.shtml
BR,
Sibbi
On 3.2.2009 14:33, Eimantas Zdanevičius eiman...@occ.lt wrote:
Engelhard Labiro wrote:
hostname(config)# ip local pool testpool
On Tue, 2009-02-03 at 11:12 +0200, Eimantas Zdanevičius wrote:
I have configured vpn on asa 5520 (software version 7.2). vpnclient
connect to asa and says everything is ok. But I cannot ping any computer
in inside network.
asa is working in router mode, single context. No nat on inside or
On Tuesday 03 February 2009 09:31:49 pm Steve Bertrand
wrote:
For the prefixes at the client access edge that are put
in place statically, I advertise them to the other
internal peers via iBGP. Would it be best to leave it
this way, or to put this address space into the IGP
instead, and
Mark Tinka wrote:
On Tuesday 03 February 2009 09:31:49 pm Steve Bertrand
wrote:
Thanks for the feedback Mark,
For customer aggregation edge routers, prefixes used to
assign /30 (/126 for v6, or whatever you use for this
purpose) point-to-point addresses, as well as assignments
for
Does anyone have some input on security event correlation systems?
Currently reviewing Cisco MARS vs. Q1 Labs QRadar.
Environment information:
Very large DMVPN, IPS's, FW's, CSM.
Thanks,
==
Dean Perrine
On Tue, 2009-02-03 at 12:30 -0500, Tom Sutherland wrote:
have you tried global (outside) 0 interface ?
Huh? A global-0? What does that do? Does it explicitly _not_ translate
to the interface address of the outside interface? ;-)
Regards,
Peter
On Tue, 2009-02-03 at 12:20 -0800, Dean Perrine wrote:
Does anyone have some input on security event correlation systems?
Currently reviewing Cisco MARS vs. Q1 Labs QRadar.
We have a MARS-110 and I must frankly say I'm not impressed. The system
needs a _lot_ of training to be useful and the
One of my fellow engineers needs to understand auto-advertise and
autoneg with regards to Cisco switches.
Can anyone confirm that hard coded speed/duplex settings on a generic
modern Cisco switch, will not prevent the switch port from sending fast
link pulses, advertising the switch port's
On Tue, 3 Feb 2009, Pierre Lamy wrote:
Can anyone confirm that hard coded speed/duplex settings on a generic
modern Cisco switch, will not prevent the switch port from sending fast
link pulses, advertising the switch port's hardcoded speed/duplex
settings so that the device at the other end,
Hi there
Is there a cisco platform / sw out there that can do the following (the
critical part being _second-dot1q_)
interface gig3/1.10
encapsulation dot1q 10 second-dot1q 2
interface atm2/0/0
pvc 0/400 l2transport
encapsulation aal5
connect atm-ethvlan atm2/0/0 0/400 gigabitethernet3/1.10
I am looking to deploy a Ethernet Ring topology in a campus. The ring is to
connect
multiple buildings via a high speed 10G backbone. Does Cisco offer any
products in this
area? The ONS is too expensive, looking for something smaller that is
Ethernet based.
mike
Moving the Target Noise Margin or whatever it is called in your DSLAM is a
better plan.
Interleaving has far more to do with sync stability, i.e. it allows the
router some time to respond to changes in the line quality before losing
the sync, it also increases latency. The more interleaving
Hi,
On Tue, Feb 03, 2009 at 04:35:26PM -0500, Pierre Lamy wrote:
Can anyone confirm that hard coded speed/duplex settings on a generic
modern Cisco switch, will not prevent the switch port from sending fast
link pulses, advertising the switch port's hardcoded speed/duplex
settings so that
A little bird from C whispered me the following:
I'd take a look at the ME-4924-10GE device (REP Supports ~50ms
failover), as well as this you have support for it on the larger devices
like the 7600.
4924 support for REP started in 12.2(44)SG -
Yup, that's exactly the situation. STP will work around some of the
problem caused by this but if you are presenting an etherchannel over
multiple xconnects you can't pick up the link failure of part of the
etherchannel without UDLD. We did some initial proof of concepts with
2900s
I don't think Cisco currently have an 10G ethernet ring offer. It
might come up when REP (Resilient Ethernet Protocol) gets implemented
in the 6500 IOS. It was supposed to be on SXI, but that didn't happen.
If 2G is enough, ME-3400G-12CS-x with 4 SFP uplinks might do Gigabit
Etherchannel, perhaps
Thank you for all your replies, that was exactly what I was looking for.
mike
On Tue, Feb 3, 2009 at 7:37 PM, Rubens Kuhl rube...@gmail.com wrote:
A little bird from C whispered me the following:
I'd take a look at the ME-4924-10GE device (REP Supports ~50ms
failover), as well as this you
I told the carrier I want to have the packets transferred with dot1q
encapsulation, and they replied that they are providing a transparent
environment, regardless the two ends are access or trunk
Does your carrier support 802.1QinQ or something alike that is able to
transport your dot1q tag?
Hi All,
I'm continuing to try and understand QoS a little better in relation to
applying it to our MPLS VPN network but it seems the more I read about
it the more I'm confused. Not to mention the lack of configuration
examples out there.
I understand that we can provide two QoS solutions for
Sigurbjörn Birkir Lárusson wrote:
Something along these lines if you wanted to just send 10.10.53.0/24 and
10.10.54.0/24 through the VPN tunnel
tunnel-group testgroup general-attributes
default-group-policy testpolicy
group-policy testpolicy internal
group-policy testpolicy attributes