Hi all.
Can someone give me a hint what to use. We have 40 locations with different
users and these locations are to be migrated to fiber 20Mb from adsl.
We want to run MPLS on these routers, because there is administration
guest-network etc.
Which router would be efficient for this, I have been
Justin Shore wrote:
andr...@one.net wrote:
I'm getting ready to install some RPS 675's in order to dual cord some
3750's and ran across this in the manual:
Do not use different power sources to power up the RPS and the connected
device. If you connect to separate AC power sources, reset
On Wed, 26 Aug 2009, Arne Larsen / Region Nordjylland wrote:
Which router would be efficient for this, I have been looking on the
2800 3800 series, but I can't seem to find a doc that describes what
the throughput is on these boxes.
On Wed, 2009-08-26 at 09:48 +0200, Arne Larsen wrote:
Can someone give me a hint what to use. We have 40 locations with
different users and these locations are to be migrated to fiber 20Mb
from adsl.
We want to run MPLS on these routers, because there is administration
guest-network etc.
Which
Hi Arne.
We have 40 locations with different users and these locations are to be
migrated to fiber 20Mb from adsl.
How are those fiber accesses going to be delivered, i.e. do you need
devices with optical interfaces?
We want to run MPLS on these routers, because there is administration
Hello,
My understanding of OSPF is being challenged by recent upgrade of some
of our 7600's (running SRD2a now).
Pairs of 7600's are ABR's to totally stubby NSSA areas (area X nssa
no-summary default-information originate). This is supposed to prevent
all external and summary routes reaching
Hi,
On Tue, Aug 25, 2009 at 08:58:32PM -0400, Steve Bertrand wrote:
This company was constantly having problems with what i called broadcast
attacks. The network graphs would show traffic on all interfaces spike
and normally the 100mbit uplink between the switches would saturate and
the
Hi Folks,
Sorry about the OT here, I'm looking to get some feedback regarding
some of the most common application protocols (CIFS, NFSv3,SQL net,
Snapmirror, ndmcopy) used in most Enterprise environments and their
behavior in a sub msec campus latency environments vs ~3 msec latency
over 10G
Hi,
Janet Plato pl...@wisc.edu wrote:
I'm finding IPv6 support lacking a few glaring things on 12.2(50)SE2.
Things like the inability to enter an IPv6 address as a target for
a radius server, or a hostname with only a Quad A record as well.
When I ask Cisco, they view these things as
On Wed, 26 Aug 2009, Ash Net wrote:
The reason for performance degradation solely seems to be latency
related since there's tons of b/w available in the lab setup and over
10G lanphy paths. Do people still deploy QOS for better traffic
management on the lanphy interfaces even with no
Hi,
On Wed, Aug 26, 2009 at 10:54:32AM +0100, Alexander Clouter wrote:
The sad part is that no one can get the in production experience of IPv6
because the vendors do not support it. You generally have to make do
with what you can and use Linux as 'duct-tape' for the bits that are
ABR's appear to be injecting both the type 3 and type 7.
Have I gone mad, or I need to hit back the books?
It depends :) Actually you've asked for it. The no-summary part of NSSA
statement generates type-3 default and the default-information originate
generates type-7 default. See the
Hi,
I recently configured two catalyst 6509 switches into a
VSS cluster. After I experimented issues with unknown unicast, the secondary
chassis reloaded itself with no apparent reason.
The cluster is configured with two VSL 10G links, one
link is on the supervisor, and the secondary one
Generally, putting each customer into a dedicated layer 3
network segment is a good idea - because half of the attacks
that a hacked server belonging to customer 1 might do to a
server from customer 2 (ARP spoofing, IP address spoofing
[- blame goes to customer 2], HSRP attacks to the
Hi,
On Wed, Aug 26, 2009 at 02:55:22PM +0200, Ivan Pepelnjak wrote:
Generally, putting each customer into a dedicated layer 3
network segment is a good idea - because half of the attacks
that a hacked server belonging to customer 1 might do to a
server from customer 2 (ARP spoofing, IP
On Wed, 2009-08-26 at 14:09 +0200, Gert Doering wrote:
OTOH - Cisco has working prototypes of SeND, while no other (!) operating
system out there supports it.
OT: JUNOS implements SEND as well, from 9.3 onwards. I've not seen
decent support in any host OS so far.
--Daniel.
On Wed, 26 Aug 2009, Ivan Pepelnjak wrote:
The only disadvantage of this approach is that you waste up to 75% of
the address space (assuming you have one server per customer). If you
want to do some really weird things you could configure mismatched
subnet masks on servers and routers, use
On Wed, Aug 26, 2009 at 6:23 AM, Mikael Abrahamsson swm...@swm.pp.se wrote:
On Wed, 26 Aug 2009, Ash Net wrote:
The reason for performance degradation solely seems to be latency related
since there's tons of b/w available in the lab setup and over 10G lanphy
paths. Do people still deploy QOS
On Wed, 26 Aug 2009, Gert Doering wrote:
So how do you prevent customer A from sending out packets with an IP
address belonging to customer B? (For whatever reason).
Antispoofing ACL on vlan interface? Or if you have an access layer, you
can do your L2.5 access lists there on ingress.
--
Hi,
On Wed, Aug 26, 2009 at 03:52:55PM +0200, Mikael Abrahamsson wrote:
On Wed, 26 Aug 2009, Gert Doering wrote:
So how do you prevent customer A from sending out packets with an IP
address belonging to customer B? (For whatever reason).
Antispoofing ACL on vlan interface?
Won't help
In a dedicated server hosting environment, each customer should have their own
VLAN and subnet. True, it may waste a few IPs, but keep in mind when the
customer expands to two or more servers, they can utilize additional IPs from
their existing VLAN even when the servers are not physically close
Hi,
attended a wonderful talk about IPv6 at Cisco networkers earlier this year.
some good stuff being shown and then they mentioned that all these security
features etc are only in lab and won't be on our IOS for some time :-(
regarding IPv6 support on hardware - at this point in time I've
On Wed, 26 Aug 2009, Gert Doering wrote:
Hi,
On Wed, Aug 26, 2009 at 03:52:55PM +0200, Mikael Abrahamsson wrote:
On Wed, 26 Aug 2009, Gert Doering wrote:
So how do you prevent customer A from sending out packets with an IP
address belonging to customer B? (For whatever reason).
Hi,
On Wed, Aug 26, 2009 at 03:32:13PM +0200, Mikael Abrahamsson wrote:
If you do it like that with local-proxy-arp then you can have multiple
vlans per IP subnet, so you get L2 isolation between customers but you do
not waste any IP addresses.
So how do you prevent customer A from sending
Hi,
On Wed, Aug 26, 2009 at 04:11:28PM +0200, Mikael Abrahamsson wrote:
On Wed, Aug 26, 2009 at 03:52:55PM +0200, Mikael Abrahamsson wrote:
On Wed, 26 Aug 2009, Gert Doering wrote:
So how do you prevent customer A from sending out packets with an IP
address belonging to customer B? (For
RPF check?
-Original Message-
From: Mikael Abrahamsson [mailto:swm...@swm.pp.se]
Sent: Wednesday, August 26, 2009 3:53 PM
To: Gert Doering
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Large networks
On Wed, 26 Aug 2009, Gert Doering wrote:
So how do you prevent
Hi,
* Gert Doering g...@greenie.muc.de [2009-08-26 14:09:25+0200]:
On Wed, Aug 26, 2009 at 10:54:32AM +0100, Alexander Clouter wrote:
The sad part is that no one can get the in production experience of IPv6
because the vendors do not support it. You generally have to make do
with what
On Wed, 26 Aug 2009, Gert Doering wrote:
Ah, pvlans and community vlan stuff. OK, that would work, but still -
lots of effort that is just automatic otherwise.
Well, I think that it's reckless to spend 4 globally routable IP addresses
instead of 1 per customer, when all you do is save a few
Peter,
You might consider the 3560 L3 switch instead; it lacks features but
delivers plenty of raw forwarding performance in a relatively cheap
package. It supports VRF-Lite with the services image and can do
prioritising QoS fine.
Can you elaborate a little more on the QoS portion. It
Hi,
On Wed, Aug 26, 2009 at 04:30:24PM +0200, Mikael Abrahamsson wrote:
On Wed, 26 Aug 2009, Gert Doering wrote:
Ah, pvlans and community vlan stuff. OK, that would work, but still -
lots of effort that is just automatic otherwise.
Well, I think that it's reckless to spend 4 globally
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Cisco Security Advisory: Cisco Unified Communications Manager Denial
of Service Vulnerabilities
Advisory ID: cisco-sa-20090826-cucm
Revision 1.0
For Public Release 2009 August 26 1600 UTC (GMT
Thanks Guys. Your feedback is greatly appreciated.
On 8/26/09, Tim Durack tdur...@gmail.com wrote:
On Wed, Aug 26, 2009 at 6:23 AM, Mikael Abrahamsson
swm...@swm.pp.se wrote:
On Wed, 26 Aug 2009, Ash Net wrote:
The reason for performance degradation solely seems to be latency
related
In this case I think you could configure Private VLANs, isolating each
customer in the same l3 network segment.
-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Gert Doering
Sent: Wednesday, August 26, 2009
Hi,
Leonardo Gama Souza wrote:
In this case I think you could configure Private VLANs, isolating each
customer in the same l3 network segment.
Private VLANs won't help you with ip-spoofing in the same subnet and
hsrp-attacks and not against arp attacks (but these can be prevented
using
Actually... It did hurt somewhat :-/. Previous IOS that we
were running (7600 SXx and SRBx) were injecting type 7.
However, that behaviour changed with SRD2 and it injects
both. Naturally, type 3 wins.
I wrote the article more than a year ago and the 12.4T behavior at that time
was the
On Wed, Aug 26, 2009 at 04:21:52PM +0200, Ivan Pepelnjak wrote:
RPF check?
won't help for customer A is 10.0.0.1, customer B is
10.0.0.2, your router interface is 10.0.0.254/24.
This is debatable as the host routes point to various L3 interfaces ... I
guess it's time to start another
Well, I think that it's reckless to spend 4 globally routable IP
addresses instead of 1 per customer, when all you do is save a few
minutes of time per installation.
As I said: our customers usually use many more IP addresses
than just one.
And, of course, you're welcome to join us
I'm interested in general, how much IPV6 is actually out there? I'm very
unfamiliar but at my present gig and my last few I never ran in to this
once. Is it actually being used in production?
Thank you
Scott
- Original Message -
From: Ivan Pepelnjak i...@ioshints.info
To: 'Gert
Hi,
On Wed, Aug 26, 2009 at 07:32:15PM +0200, Ivan Pepelnjak wrote:
On Wed, Aug 26, 2009 at 04:21:52PM +0200, Ivan Pepelnjak wrote:
RPF check?
won't help for customer A is 10.0.0.1, customer B is
10.0.0.2, your router interface is 10.0.0.254/24.
This is debatable as the host
Hi,
On Wed, Aug 26, 2009 at 07:33:40PM +0200, Ivan Pepelnjak wrote:
Well, I think that it's reckless to spend 4 globally routable IP
addresses instead of 1 per customer, when all you do is save a few
minutes of time per installation.
As I said: our customers usually use many more
Hi,
On Wed, Aug 26, 2009 at 10:58:23AM -0700, Scott Granados wrote:
I'm interested in general, how much IPV6 is actually out there? I'm very
unfamiliar but at my present gig and my last few I never ran in to this
once. Is it actually being used in production?
It really depends on what you
There will be Lots Of Fun when IPv4 runs out, and whole new markets
of DSL customers (as in India, China, Arabia...) will not be able to
access web sites from vendors that have no IPv6 reachability. Goodbye,
sales to that region...
Not gonna happen. Unfortunately there's so much stuff on the
On Wed, 2009-08-26 at 11:06 -0400, Ryan West wrote:
Can you elaborate a little more on the QoS portion. It seems that the
3560 would be fine policing some traffic, but gets cryptic when you
want to start shaping or provide bandwidth allocations. Am I missing
some obvious MQC support?
IMHO
Hi,
On Wed, Aug 26, 2009 at 08:19:20PM +0200, Ivan Pepelnjak wrote:
There will be Lots Of Fun when IPv4 runs out, and whole new markets
of DSL customers (as in India, China, Arabia...) will not be able to
access web sites from vendors that have no IPv6 reachability. Goodbye,
sales to
On Wed, 2009-08-26 at 13:00 -0500, Justin Shore wrote:
I'm suspect that the interface MTU of the 1841 may not go above 1500.
It's even worse, it doesn't seem to support MTU != 1500 at all on the
built in FE interfaces.
Router(config-if)#do sh ip int bri
Interface IP-Address
We've got paying customers who came to us specifically because we
support it. Our last decision for IP transport had IPv6 as a
requirement. YMMV.
-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott Granados
Sent:
With some things neutered...
Cisco IOS Software, 1841 Software (C1841-SPSERVICESK9-M), Version
12.4(22)T1, RELEASE SOFTWARE (fc5)
Technical Support: http://www.cisco.com/techsupport
rt-02#sh ip int brief
Interface IP-Address OK? Method Status
Protocol
FastEthernet0/1
Hi,
Scott Granados gsgrana...@comcast.net wrote:
I'm interested in general, how much IPV6 is actually out there? I'm very
unfamiliar but at my present gig and my last few I never ran in to this
once. Is it actually being used in production?
Ironically I would suggest Google...which
12.4(20)T or newer should support the MTU change. You still get the error
message, but it does work.
Flint
-
Date: Wed, 26 Aug 2009 20:40:37 +0200
From: Peter Rathlev pe...@rathlev.dk
To: Justin Shore jus...@justinshore.com
Cc: cisco-nsp@puck.nether.net
With IPv6 you can get rid of DHCP, forget VPN's, forget DDNS, forget
HSRP, and most importantly you no longer need NATs that understand every
protocol that runs through it and so remove a possible single point of
failure.
Some of us would disagree rather strongly with one or more of those
We've got paying customers who came to us specifically because we
support it. Our last decision for IP transport had IPv6 as a
requirement. YMMV.
In a slightly different vein, we had IPv6 as a soft requirement
last time we renewed our IP transit agreements. We were able to get
IPv6 from all
Why can we forget about HSRP with IPv6?
With IPv6 you can get rid of DHCP, forget VPN's, forget DDNS, forget
HSRP, and most importantly you no longer need NATs that understand
every
protocol that runs through it and so remove a possible single point of
failure.
You are right.
To be protected against IP spoofing you would need a VACL configured as
well.
Private VLANs won't help you with ip-spoofing in the same subnet and
hsrp-attacks and not against arp attacks (but these can be prevented
using static arp-entries on the l3-device).
Matthias
Hi,
There will be Lots Of Fun when IPv4 runs out, and whole new markets
of DSL customers (as in India, China, Arabia...) will not be able to
access web sites from vendors that have no IPv6 reachability. Goodbye,
sales to that region...
6to4 webproxy - i got one... had to for when i ran a
Folks,
Anyone have any luck running overlapping DHCP pools with VRF-lite on
12.2(33)SXI? It looks like a vrf sub-command under DHCP pool configuration
mode was added in SRC code but I can't confirm or deny support for the SXI
train.
Thanks,
Steve
___
On Aug 26, 2009, at 9:18 PM, sth...@nethelp.no wrote:
With IPv6 you can get rid of DHCP, forget VPN's, forget DDNS, forget
HSRP, and most importantly you no longer need NATs that understand
every
protocol that runs through it and so remove a possible single point
of
failure.
Some of us
On Wed, 26 Aug 2009, Leonardo Gama Souza wrote:
Why can we forget about HSRP with IPv6?
With IPv6 you can get rid of DHCP, forget VPN's, forget DDNS, forget
HSRP, and most importantly you no longer need NATs that understand
every
protocol that runs through it and so remove a possible
--- On Thu, 27/8/09, Justin Shore jus...@justinshore.com wrote:
Be careful with the 1841. Though all the MPLS
commands are technically there, MPLS is not a supported
feature on the 1841. Ie, a code update could remove
the commands altogether and there would be nothing you could
do about
sth...@nethelp.no wrote:
With IPv6 you can get rid of DHCP, forget VPN's, forget DDNS, forget
HSRP, and most importantly you no longer need NATs that understand every
protocol that runs through it and so remove a possible single point of
failure.
Some of us would disagree rather
Hi,
Leonardo Gama Souza leonardo.so...@nec.com.br wrote:
Why can we forget about HSRP with IPv6?
Depending on how 'high' the 'H' is in your HSRP, you can have multiple
routers on the same subnet to provision your default gateway to the
world, the clients *should* just use the responsive one
Ok it's official, I'm asking for the term Deputy to be included in my next
title!
That's just cool!
- Original Message -
From: Mohacsi Janos moha...@niif.hu
To: Leonardo Gama Souza leonardo.so...@nec.com.br
Cc: Alexander Clouter a...@digriz.org.uk; cisco-nsp@puck.nether.net
Sent:
Hi All,
Can anybody confirm if uplinkfast is enabled when you run MST?
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a00807b075f.shtml
The spanning tree uplinkfast and backbonefast features are PVST+
features, and it is disabled when you enable MST
Hi,
On Wed, Aug 26, 2009 at 10:17:53PM +0200, Daniel Verlouw wrote:
seconded. And currently there's no way we're gonna live without HSRP/
VRRPv6. Waiting for RA/NUD to timeout is just way too slow (besides,
several OSs behave quirky with multiple default gateways presents).
HSRP with IPv6
Hi,
Daniel Verlouw dan...@bit.nl wrote:
On Aug 26, 2009, at 9:18 PM, sth...@nethelp.no wrote:
[snipped]
No VPNs? What about host-to-host IPSec VPNs (e.g MS DirectAccess)?
I should have said VPN concentrator. Mobile IPv6 and finally the
end-to-end-ness of IPv6 lets us use IPsec
On Wed, 2009-08-26 at 16:06 -0400, Steve Shaw wrote:
Anyone have any luck running overlapping DHCP pools with VRF-lite on
12.2(33)SXI? It looks like a vrf sub-command under DHCP pool
configuration mode was added in SRC code but I can't confirm or deny
support for the SXI train.
I don't know
Hi,
On Wed, Aug 26, 2009 at 08:11:48PM +0200, Ivan Pepelnjak wrote:
Some of us still have to live with reality where IPv6 deployment is
negligible :)
You have it in your hands to change that.
You might. I don't. The only thing I can do is spread the gospel ... But you
know what
On 26/08/2009, at 11:58 PM, Gert Doering wrote:
Which is why we are VERY happy with every customer has a different L3
subnet - and yes, this is wasting a few IPv4 addresses, but since our
customers usually have more than one machine, it's not 75%. Even
so,
the time of IPv4 is past, and we
I'm wondering if any of you have run across a tool that will audit a cisco
configuration file (or files as the case may be) against a standard template?
We have a configuration file repository and just need to be able to report on
those configs as to compliance with our standard device
There are DHCP parameters we rely on every single day.
Phones: Voice VLAN assignment, plus boot server
DNS-Hostname mapping (having the DHCP server dynamically register the
host/device in DNS)
DNS Domain Name
NTP/Time offset
Legacy WINS servers (yes, I have networks unwilling/unable to get rid of
Bracey, John wrote:
I'm wondering if any of you have run across a tool that will audit a cisco
configuration file (or files as the case may be) against a standard template?
We have a configuration file repository and just need to be able to report on
those configs as to compliance with our
David,
Well it is possible to do with Xen too. We just use ebtables to filter
traffic from each VPS. We restrict what comes in and out by the address and
mac. Using vlans, at least for us, per VPS would be killer. We would have
thousands of vlans already just for virtual servers. Right
cisecurity.org I think has RAT. It's a perl script you can customize
for auditing both file and running configs.
Sent from handheld.
On Aug 26, 2009, at 7:07 PM, Bracey, John jbra...@csuchico.edu
wrote:
I'm wondering if any of you have run across a tool that will audit
a cisco
$quoted_author = Shaun R. ;
Well it is possible to do with Xen too. We just use ebtables to filter
traffic from each VPS. We restrict what comes in and out by the address
and mac. Using vlans, at least for us, per VPS would be killer.
Unfortunately VMware's vSwitch (at least up to 3.5,
With the number of virtual servers most of us are hosting you would run out of
VLAN's very quickly. What I do is static route subnets to host nodes and let
the host nodes do the L3 work. This takes care of MAC address conflicts,
spoofing, and many other problems.
--
Randy
www.FastServ.com
Ash Net wrote:
The reason for performance degradation solely seems to be latency
related
since there's tons of b/w available in the lab setup and over 10G
lanphy
paths.
Generally it is latency, yes. Sadly in many cases those expensive WAN
acceleration devices are for the most part, munging
Has anyone seen an issue with a NPE-G2 where insertion or removal of a USB
flashdrive causes the router to crash and reboot?
This happened to one of our routers earlier today.
Cisco IOS Software, 7200 Software (C7200P-IPBASEK9-M), Version 12.4(24)T1,
RELEASE SOFTWARE (fc3)
*Aug 26