Re: [c-nsp] Cisco 6500/Sup720 ARP CoPP

2010-02-10 Thread Phil Mayers
On 02/09/2010 08:13 PM, Nick Hilliard wrote: On 09/02/2010 19:37, Saku Ytti wrote: I think you've gathered relevant and correct data, I don't think PFC3 supports ARP match in CoPP. So you must use MLS rate-limiter, where you have to remember that AFAIK this is also for transit ARP which you

Re: [c-nsp] Cisco 6500/Sup720 ARP CoPP

2010-02-10 Thread Saku Ytti
On (2010-02-10 09:17 +), Phil Mayers wrote: I assume that ipv6 nd is sufficiently high up the protocol stack that it can be managed by copp? Off the top of my head I think CoPP is run in software for ipv6 traffic. Actually it is fully supported in hardware, I was also long under

Re: [c-nsp] Cisco 6500/Sup720 ARP CoPP

2010-02-10 Thread Rob Shakir
On 9 Feb 2010, at 22:18, Nick Hilliard wrote: On 09/02/2010 21:30, Saku Ytti wrote: Oh cool, I wonder if it then was software issue always or if this is new feature in PFC3C. I think this was before the pfc3c's time; the original text is here:

[c-nsp] ip source guard in the switch layer without DHCP

2010-02-10 Thread luismi
According to this link http://www.packetlife.net/blog/2009/may/25/ip-source-guard-without-dhcp/ It is possible to deploy ip source guard without dhcp environment. I think it could be interesting for some parts of our network here. The problem is that the configuration is... SW(config)#ip
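A worked configuration for the static-binding approach, added here as an example and not taken from the post or the linked article; the VLAN, MAC, addresses and interface names are assumed. The point a practitioner needs: IP Source Guard filters against the DHCP snooping binding table, so DHCP snooping has to be enabled on the VLAN even when no DHCP server exists, and static `ip source binding` entries stand in for the leases the switch would otherwise learn.

```cisco
! Added example (not from the post or the linked article). Names and
! addresses are assumed: VLAN 10, host 192.0.2.10 with MAC 0011.2233.4455 on
! GigabitEthernet0/1, uplink on GigabitEthernet0/24. Catalyst 3560/3750-style
! IOS syntax; other platforms spell the per-port command slightly differently.
!
! IPSG filters against the DHCP snooping binding table, so snooping must be
! enabled for the VLAN even though no DHCP server is in use.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! One static binding per host: MAC + VLAN + IP + port. A host whose
! IP/MAC/port combination is not in this table has all its IP traffic dropped
! (DHCP excepted). Moving a host to another port means updating its binding.
ip source binding 0011.2233.4455 vlan 10 192.0.2.10 interface GigabitEthernet0/1
!
interface GigabitEthernet0/1
 description static-IPSG host
 switchport mode access
 switchport access vlan 10
 ! Filter on source IP only; "ip verify source port-security" also enforces
 ! the MAC but needs "switchport port-security" on the port.
 ip verify source
!
! The uplink carries no end hosts; trust it so snooping does not police it.
interface GigabitEthernet0/24
 description uplink
 switchport mode trunk
 ip dhcp snooping trust
!
! Verification:
!   show ip source binding   - static entries appear with type "static"
!   show ip verify source    - per-port filter mode and the active IP/MAC
```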

Re: [c-nsp] Best practice - Core vs Access Router

2010-02-10 Thread David Freedman
IOS: SXF15a *ouch*, please upgrade to SXH/I to get event driven BGP ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] firewalling authenticated wireless traffic

2010-02-10 Thread scott owens
Hello, We offer wireless connectivity to about 500 to 1000 user/devices that authenticate with machine domain credentials via WPA2. Currently we send this through a HA pair of ASA5520s where the rule for this traffic essentially is any-any := ok. Does anyone let this type of traffic directly

Re: [c-nsp] firewalling authenticated wireless traffic

2010-02-10 Thread Phil Mayers
On 10/02/10 12:52, scott owens wrote: Hello, We offer wireless connectivity to about 500 to 1000 user/devices that authenticate with machine domain credentials via WPA2. Currently we send this through a HA pair of ASA5520s where the rule for this traffic essentially is any-any := ok. Does

Re: [c-nsp] firewalling authenticated wireless traffic

2010-02-10 Thread John Kougoulos
We offer wireless connectivity to about 500 to 1000 user/devices that authenticate with machine domain credentials via WPA2. My thought is that our wireless traffic is likely more secure than our plain wired networks - at this point without 802.1x on lan. but the wireless signal

Re: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer

2010-02-10 Thread Brad Hedlund
Michael- On Feb 9, 2010, at 10:30 PM, Michael K. Smith wrote: the cloud is not sufficient for your regulatory needs. However, you can build your own cloud which we used to call a Wide Area Network. That's exactly my point if you've been following this thread. Internal IT *can* build/buy

Re: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer

2010-02-10 Thread Jason Plank
Brad, You just made a terrible assumption. :) Jason Then you should post from your gmail account. What difference would that make? We're all adults here. Cheers, Brad -- Brad Hedlund, CCIE #5530 Technology Solutions Architect, Data Center bhedl...@cisco.com

[c-nsp] IOS Server Load Balancing on C3560-E switches ??

2010-02-10 Thread Matthew Huff
With IP services on a 3560-E, is it possible to do server load balancing? If so, any caveats that I should be aware of? We just need to front end two web servers (oracle identity management) for http and https (no ssl offloading needed). I hate to have to buy an ACE just for these two servers

Re: [c-nsp] Layer 2 VLAN advice..

2010-02-10 Thread Mark Tinka
On Thursday 04 February 2010 05:11:49 am Peter Kranz wrote: So in terms of enabling MPLS on a fully meshed set of routers running BGP and OSPF.. Here are the general steps I believe; #conf t Tag-switching advertise-tags ! Int g0/0 Mtu 9216 Tag-switching ip ! Be very

Re: [c-nsp] IOS Server Load Balancing on C3560-E switches ??

2010-02-10 Thread David Prall
IOS SLB is on the 6500 and 7200. Not on the 3560-E / 3750-E. Could always use Anycast via a loopback on the servers and let CEF ECMP take care of it. But this is typically only done for UDP applications. Not sure if EOT is on the 3560-E for Static Routes, or you could use BGP from the servers.

[c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco IronPort Encryption Appliance

2010-02-10 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Cisco Security Advisory: Multiple Vulnerabilities in Cisco IronPort Encryption Appliance Advisory ID: cisco-sa-20100210-ironport Revision 1.0 For Public Release 2010 February 10 1600 UTC (GMT

Re: [c-nsp] WebVPN Issue

2010-02-10 Thread Antonio Soares
Thank you both for your inputs. I still cannot share the config since I saw this in a production network and I'm still trying to reproduce it in the lab. But the debug ip routing says it all: 1) When user X connects, he gets ip=10.10.10.166 RT(VRF_X): updating static 10.10.10.166/32 (0x1) via

Re: [c-nsp] IOS Server Load Balancing on C3560-E switches ??

2010-02-10 Thread Asbjorn Hojmark - Lists
On Wed, 10 Feb 2010 10:14:00 -0500, you wrote: With IP services on a 3560-E, is it possible to do server load balancing? No. -A ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at

Re: [c-nsp] IOS Server Load Balancing on C3560-E switches ??

2010-02-10 Thread Matthew Huff
Yes, it looks like IOS SLB is only available on the 6500/7600. Too bad. This is for straight reverse-proxy web caches for Oracle WebCache so it uses http/https. We may have to purchase an ACE appliance. Anyone have any suggestions for a turnkey (not linux server based, etc) appliance that does

Re: [c-nsp] IOS Server Load Balancing on C3560-E switches ??

2010-02-10 Thread David Prall
Create a loopback interface on the servers with the VIP. Point a static route for the VIP at the servers' physical address, make the VIP on the same subnet as the physicals. Let CEF take care of it. You lose a lot of dynamic capabilities that are available via monitoring. You'll need Enhanced
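An added example of the loopback-VIP approach, not code from the reply above: two web servers 192.0.2.11 and 192.0.2.12 on Vlan20, each with VIP 198.51.100.10/32 bound on its loopback (on Linux, `ip addr add 198.51.100.10/32 dev lo`), and two equal-cost static routes for the VIP that CEF load-shares. The health monitoring is done with IP SLA probes and tracked static routes; the reply is cut off where it names the tracking feature, so that form is an assumption, and whether the 3560-E image supports static-route tracking is the question the thread leaves open, so read the `track` lines as generic IOS. The VIP is deliberately placed outside the server subnet here, a different layout from the one suggested above, so that no host on Vlan20 ever ARPs for the VIP and gets two answers.

```cisco
! Added example (not from the reply). Addresses, VLAN and ports are assumed:
! servers 192.0.2.11/.12 on Vlan20, VIP 198.51.100.10/32 on each server's
! loopback, HTTPS on 443.
ip cef
!
interface Vlan20
 ip address 192.0.2.1 255.255.255.0
!
! One TCP probe per real server. "control disable" makes this a plain TCP
! connect rather than an IP SLA responder handshake. It probes the real
! address, not the VIP: a server that is up but has lost its loopback VIP
! still passes this probe.
ip sla 1
 tcp-connect 192.0.2.11 443 control disable
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 tcp-connect 192.0.2.12 443 control disable
 frequency 10
ip sla schedule 2 life forever start-time now
!
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! Two equal-cost /32 routes. CEF hashes per src/dst pair, so a given client
! sticks to one server while both routes are up, and its TCP sessions break
! when its route is withdrawn.
ip route 198.51.100.10 255.255.255.255 192.0.2.11 track 1
ip route 198.51.100.10 255.255.255.255 192.0.2.12 track 2
!
! Verification:
!   show track brief
!   show ip route 198.51.100.10   - both next hops while both probes pass
!   show ip cef 198.51.100.10 detail
```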

Re: [c-nsp] WebVPN Issue

2010-02-10 Thread Antonio Soares
Yes, it works fine with local pool. In this case, the AC client gets a message saying no address assigned. I was able to reproduce the problem in the meanwhile. It makes sense that the 2nd user is not able to establish the session but it doesn't make sense the 1st loses his connection. This

Re: [c-nsp] firewalling authenticated wireless traffic

2010-02-10 Thread scott owens
From: John Kougoulos k...@intracom.gr To: scott owens scottowen...@gmail.com We offer wireless connectivity to about 500 to 1000 user/devices that authenticate with machine domain credentials via WPA2. My thought is that our wireless traffic is likely more secure than our plain wired

[c-nsp] Limiting DHCP on a Bridge Group

2010-02-10 Thread Garry
Hi, I've got a setup that could use some tweaking ... CPE is a 876W, with the 4 wired switch ports (read: VLAN1) and the WLAN being in a bridge group, LAN ip on the BVI1 interface. LAN ports are only for designated boxes, while there are select users that may use the WLAN link to connect. For

Re: [c-nsp] Limiting DHCP on a Bridge Group

2010-02-10 Thread David Prall
Match protocol is nbar, I can never remember which require ip nbar protocol-discovery on the interface. Why not use an access-list denying dhcp deny udp any eq bootpc any eq bootps David -- http://dcp.dcptech.com -Original Message- From: cisco-nsp-boun...@puck.nether.net

Re: [c-nsp] Best practice - Core vs Access Router

2010-02-10 Thread Andy B.
I am currently facing this strange behaviour once again. Nothing suspicious in terms of CPU: #sh proc cpu sort | ex 0.00 CPU utilization for five seconds: 7%/3%; one minute: 24%; five minutes: 23% PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process 123 823552748 891845755

Re: [c-nsp] Best practice - Core vs Access Router

2010-02-10 Thread David Freedman
So, are you checking your interfaces for incrementing drop/error counters? Are you seeing any of this when there is the problem occurring? (clear counters , sh int summ etc..) Dave. What about Andy B. wrote: I am currently facing this strange behaviour once again. Nothing suspicious in terms

Re: [c-nsp] Best practice - Core vs Access Router

2010-02-10 Thread Andy B.
On Wed, Feb 10, 2010 at 7:48 PM, David Freedman david.freed...@uk.clara.net wrote: So, are you checking your interfaces for incrementing drop/error counters? Are you seeing any of this when there is the problem occurring? (clear counters , sh int summ etc..) I am having input drops all the

[c-nsp] rate-limit command not accepting ?

2010-02-10 Thread Leslie Meade
I have got a pair of 6509E switches, that we use for our core and they are connected with fiber ether channels. The plan is to use the 2nd for a failover core if the 1st has failed. My testing has failover working fine. But when I add a rate limit command on the vlan interface it is not

Re: [c-nsp] Best practice - Core vs Access Router

2010-02-10 Thread Andy B.
By the way, I am using Cacti to pull out data from all my routers. Here is what cacti is reporting when the router is behaving like now: 02/10/2010 07:39:12 PM - SPINE: Poller[0] Host[4] DS[594] WARNING: SNMP timeout detected [500 ms], ignoring host 'x.x.4.131' The cacti server is in a

Re: [c-nsp] firewalling authenticated wireless traffic

2010-02-10 Thread John Kougoulos
Hello, User credentials are not cached, machine ones are - of course. I think windows caches users credentials, so that you can logon to a PC when there is no network connectivity. I really don't know how WPA2/802.1x uses domain authentication. Is it Kerberos enabled EAP? They really

Re: [c-nsp] Limiting DHCP on a Bridge Group

2010-02-10 Thread Garry
On 10.02.2010 19:04, David Prall wrote: Match protocol is nbar, I can never remember which require ip nbar protocol-discovery on the interface. Tried it (put it in the bvi1 interface), still getting DHCP replies though .. recognition is working fine, though ... dhcp 2

Re: [c-nsp] Best practice - Core vs Access Router

2010-02-10 Thread Łukasz Bromirski
On 2010-02-10 19:44, Andy B. wrote: I am currently facing this strange behaviour once again. Nothing suspicious in terms of CPU: Are you still running SXF15a? David's advice was already - move to SXI to stay out of trouble, as SXF train is already EOS and will hit end of software maintenance by

Re: [c-nsp] Best practice - Core vs Access Router

2010-02-10 Thread David Freedman
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Andy B. wrote: On Wed, Feb 10, 2010 at 7:48 PM, David Freedman david.freed...@uk.clara.net wrote: So, are you checking your interfaces for incrementing drop/error counters? Are you seeing any of this when there is the problem occurring? (clear

Re: [c-nsp] Best practice - Core vs Access Router

2010-02-10 Thread David Prall
Andy, By excluding 0.00 you're excluding those that have had 0.00 anywhere in the time list. Just use sort and look at the top few. Although most likely the same. If you have a number of large Ethernet subnets with few systems on them, then sh ip arp will contain a number of incompletes. If it is

Re: [c-nsp] Best practice - Core vs Access Router

2010-02-10 Thread David Prall
Your drops and flushes counts are the same. A flush is a control plane packet that is pushed to CPU even though the input queue was filled. I don't believe these two numbers should be the same unless all of the input queue was filled with these packets. David -- http://dcp.dcptech.com

Re: [c-nsp] Best practice - Core vs Access Router

2010-02-10 Thread David Freedman
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 David Prall wrote: Your drops and flushes counts are the same. All his drops are flushes, you usually see this when the system and SPD can't deal I believe, would be interested if the system buffers for the control plane are getting misses or

Re: [c-nsp] Best practice - Core vs Access Router

2010-02-10 Thread Andy B.
On Wed, Feb 10, 2010 at 8:13 PM, David Freedman david.freed...@uk.clara.net wrote: - - Hold queue input appropriate (for punt to MSFC), usually set to 4096 for these I moved from 75 to 2000 yesterday and then tried 4096. The results were more or less the same. - - No IGP hello padding (if you

Re: [c-nsp] Best practice - Core vs Access Router

2010-02-10 Thread Andy B.
On Wed, Feb 10, 2010 at 8:25 PM, David Freedman david.freed...@uk.clara.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 David Prall wrote: Your drops and flushes counts are the same. All his drops are flushes, you usually see this when the system and SPD can't deal I believe,

Re: [c-nsp] Limiting DHCP on a Bridge Group

2010-02-10 Thread David Prall
I think the match interface is looking at where the policy is assigned. I know the policy isn't supported on the physical interfaces. I have to do all my QoS on fa4 inbound. Why not place an acl on the vlan interface for the wired ports. Not sure if it would be hit first, or if the bvi would

Re: [c-nsp] Limiting DHCP on a Bridge Group

2010-02-10 Thread Garry
On 10.02.2010 20:30, David Prall wrote: I think the match interface is looking at where the policy is assigned. I know the policy isn't supported on the physical interfaces. I have to do all my QoS on fa4 inbound. Why not place an acl on the vlan interface for the wired ports. Not sure if

Re: [c-nsp] Limiting DHCP on a Bridge Group

2010-02-10 Thread David Prall
Garry, Wondering if you could do the wireless and vlan1 as unnumbered to a loopback. Then they are two distinct interfaces, on the same subnet. Or could always split the subnet into two distinct /25's instead of a single /24. David -- http://dcp.dcptech.com -Original Message- From:

Re: [c-nsp] Best practice - Core vs Access Router

2010-02-10 Thread Tony Varriale
show ip traffic? Anything incrementing in there by a significant amount? How fast do your drops/flushes increment? I assume these are 6704s without DFCs? If not, what are those ports? tv - Original Message - From: Andy B. globic...@gmail.com To: David Freedman

Re: [c-nsp] IOS Server Load Balancing on C3560-E switches ??

2010-02-10 Thread ck
I wouldn't waste money or time on an ace, you could easily get away with using haproxy or pound On Wed, Feb 10, 2010 at 8:20 AM, Matthew Huff mh...@ox.com wrote: Yes, it looks like IOS SLB is only available on the 6500/7600. Too bad. This is for straight reverse-proxy web caches for Oracle

Re: [c-nsp] firewalling authenticated wireless traffic

2010-02-10 Thread Joel M Snyder
My thought is that our wireless traffic is likely more secure than our plain wired networks - at this point without 802.1x on lan. So I think you are in agreement it is ok to just plug into network directly Well, I wouldn't agree with that. (Of course, this is the famously we don't need no

Re: [c-nsp] Best practice - Core vs Access Router

2010-02-10 Thread Leif Sawyer
Here's some of my common aliases. top is the one that you'll probably use !# Global Aliases (should work on all platforms ! alias exec ifsum sho int sum | incl ^\*|Interface|: |-- alias exec sib show ip interface brief | exclude (down|unass) alias exec sid show interface description |

[c-nsp] VRFs and redirect cache...

2010-02-10 Thread Jeff Kell
In the process of chasing down an odd problem earlier this week, I ran up against a grey cloud perhaps someone can clarify. We had moved an internal NTP-configured interface (loopback) that some of our gear was configured to use as a reference server. The disappearance of the /32 route led to

Re: [c-nsp] Best practice - Core vs Access Router

2010-02-10 Thread Jason LeBlanc
These are great! Thanks Leif On Feb 10, 2010, at 1:03 PM, Leif Sawyer wrote: Here's some of my common aliases. top is the one that you'll probably use !# Global Aliases (should work on all platforms ! alias exec ifsum sho int sum | incl ^\*|Interface|: |-- alias exec sib show ip

Re: [c-nsp] WebVPN Issue

2010-02-10 Thread Antonio Soares
The session of the 1st user remains up and the vpn routes are there. But in the router the route back to the user is removed. So in the user's perspective, connectivity is broken and he doesn't have an idea why. Clearly a bug, don't you think ? Thanks. Regards, Antonio Soares, CCIE #18473

Re: [c-nsp] rate-limit command not accepting ?

2010-02-10 Thread Asbjorn Hojmark - Lists
On Wed, 10 Feb 2010 11:00:55 -0800, you wrote: DTCCAT-CORE01(config-if)# rate-limit input 2096000 128000 128000 conform-action transmit exceed-action drop ^ % Invalid input detected at '^' marker. The rate-limit command is not

Re: [c-nsp] rate-limit command not accepting ?

2010-02-10 Thread Leslie Meade
While I would have agreed with your comment, why is it that I am able to put the rate limit commands on failover 6509 ? -Original Message- From: Asbjorn Hojmark - Lists [mailto:li...@hojmark.org] Sent: Wednesday, February 10, 2010 3:08 PM To: Leslie Meade Cc: cisco-nsp@puck.nether.net

Re: [c-nsp] WebVPN Issue

2010-02-10 Thread Antonio Soares
Tyson, TAC SR in progress. I will let you know what they will call this :) Thanks. Regards, Antonio Soares, CCIE #18473 (RS/SP) amsoa...@netcabo.pt -Original Message- From: Tyson Scott [mailto:tsc...@ipexpert.com] Sent: quinta-feira, 11 de Fevereiro de 2010 0:11 To: 'Antonio

[c-nsp] High CPU an issue for voice traffic?

2010-02-10 Thread Junks2you
Hi Guys, Currently we were hitting some high CPU issue. One of the 6509 with SUP720 standing in the core hiked to 96% very randomly in the past 72 hours or even longer. Write memory, SNMP, software switching could be the cause, we don't know yet. Everything seems working fine now.

Re: [c-nsp] rate-limit command not accepting ?

2010-02-10 Thread MSZ
Try with the following ip access-list extended IP-All permit ip any any[MATCH PREFIXES YOU WANT] Class-map match-all IP-All match access-group name IP-All Policy-map RATE class IP-All police cir 2096000 bc 128000 be 128000 conform-action set-dscp-transmit default
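The same policer written out in full, as an added example that is not part of the reply above; the SVI name and the access-list scope are assumed. Two things a practitioner wants to know on a Sup720: the MQC `police` action attached to an SVI is the form the PFC3 programs in hardware, and it only does so when `mls qos` is enabled globally; without that line the policy is accepted but does not police.

```cisco
! Added example (not from the reply): MQC policer on a Sup720/PFC3 SVI.
! Interface Vlan100 is assumed; narrow "permit ip any any" to the prefixes
! that should actually be policed.
!
! Without this global command the PFC3 accepts the policy but does not police.
mls qos
!
ip access-list extended IP-All
 permit ip any any
!
class-map match-all IP-All
 match access-group name IP-All
!
policy-map RATE
 class IP-All
  ! cir in bits/s, bc and be in bytes
  police cir 2096000 bc 128000 be 128000 conform-action transmit exceed-action drop
!
interface Vlan100
 service-policy input RATE
!
! Verification:
!   show mls qos                        - confirms QoS is globally enabled
!   show policy-map interface Vlan100   - policy attached, class and police action
```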

[c-nsp] Cisco/Fibex 6732 Software

2010-02-10 Thread Shing Wong
Does anybody know where I can get the management software for the Cisco/Fibex 6732? I have had two of them in my warehouse for years, but I can't find the EMS discs for them. ___ cisco-nsp mailing list cisco-nsp@puck.nether.net