Re: [c-nsp] Smartnet pricing?
Hi

Does anyone have a copy of this dossier? I cannot find it on the Internet anymore.

http://resources.multiven.com/dossier-3

Best regards
Ulrich

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Judah Scott
Sent: 2. oktober 2009 01:39
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Smartnet pricing?

If you consider support contracts as insurance then it sounds crazy to pay for the years you were not insured. An example is fire insurance: If you buy fire insurance 10 years after a home is built, State Farm isn't going to charge you for the first 10 years. A quick inspection to verify that all hardware is working may be required just to make sure there is no pre-contract damage.

-J Scott

On Thu, Oct 1, 2009 at 2:03 AM, Adam Armstrong li...@memetic.org wrote:

e ninja wrote:

Nick, * inline...*

On Tue, Sep 29, 2009 at 1:01 PM, Nick Hilliard n...@inex.ie wrote:

On 29/09/2009 19:20, e ninja wrote:

No it is not right. 1. Anybody that has paid for software, should *never* have to pay for bug fixes. See http://resources.multiven.com/dossier-3

That is an interesting wish-list. Have you considered what it would do to the price of software if vendors were made liable?

* So vendors should not be made liable for software that people purchase? When was the last time you happily paid for a brand-new car that won't start? Software is always new because it can't break from over-use.*

*Do Microsoft, Apple, HP etc. charge customers for bug fixes in their OS? *

I can't imagine the insurance premiums, and the gratuitous law suits. Worse still, open source would be killed by it.

* The bill of rights clearly refers to software that is paid for. Open source software is free.*

In the UK we have laws stating that products should be fit for the purpose they're sold for (IANAL, though). Perhaps if it was tested in court properly, it would mean bug fixes which would prevent the use of the software safely would have to be provided free? I do, however, suspect that EULAs try to strip away as much legal protection as possible from the customer.

I know that if I were to be held liable, I wouldn't ever release anything or contribute anything to open source software.

* N/A. If you offer free software that nobody has to purchase, you are not liable for the product.*

2. Forcing people to pay for a service they haven't used is extortion (http://en.wikipedia.org/wiki/Extortion) - a criminal act - seek legal counse

Legal counsel would probably argue that if you let your support subscription lapse and then attempted to renew it several years later, that the reason for doing so was because of some failure outside the manufacturer's control, and that you were pulling a fast one.

* I'm sure as a smart guy, you know there is no wear-and-tear in software. Therefore, a user cannot 'break' software from over-use. All bugs in proprietary software are inherent from the manufacturer, whether you discover them from day 3 of purchase or 1000 years later.*

Think of hardware support as insurance. The cost of providing the service when it finally breaks is spread across the entire lifetime of the contract. If someone has a device unsupported for 5 years, takes out support and it dies 2 years later, the supplier has lost the vast majority of the money they'd have used to pay for the replacement.

Now, I don't think this should be the case for simple software upgrades, but I can see why it's the case for hardware replacement contracts. (And I can see why recert exists).

adam.
___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] How to limit bandwidth on CISCO switch interfaces
You are probably looking for this:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_25_see/configuration/guide/swqos.html#wp1253412

regards
Jens Neu
Health Services Network Administration
Phone: +49 (0) 30 68905-2412
Mail: jens@biotronik.de

From: JA Colmenares sforc...@yahoo.com
To: Cisco NSP Forum cisco-nsp@puck.nether.net
Date: 01/06/2011 06:00 AM
Subject: [c-nsp] How to limit bandwidth on CISCO switch interfaces
Sent by: cisco-nsp-boun...@puck.nether.net

I need to limit bandwidth on the trunk ports of two connected switches (2960 to 3750). It is currently transmitting at 100 mbps and I want to limit it to 50 mbps. How can this be done? Can anyone provide any steps or resources to get this done?

Thanks
Juan
Re: [c-nsp] Securing OSPFv3 on 6500/7600 Routers?
There is also instance-id

R5(config-if)#ipv6 ospf 1 area 0 instance ?
  0-255 Instance ID

which you could call poor man's plain-text authentication in a desperate attempt to prevent disasters caused by situations like the one Mikael described. Neighbors with different instance-ids won't form adjacencies. Can also be used on broadcast segments. Clearly not a security feature by any means, could be helpful though.

On Wed, Jan 5, 2011 at 10:53 PM, Devon True de...@noved.org wrote:

Pete,

You could use inbound ACLs or CoPP policies that restrict inbound OSPF traffic from only the neighbors you know about. We have CoPP deployed, but it is not that restrictive today (since our v4 OSPF uses authentication).

You could also move to unicast OSPF neighbor relationships to prevent any rogue OSPF speakers from peering. Most of our setups use Ethernet with the network point-to-point command since the routers are directly connected.

Can you provide a link about the unicast OSPF neighbor relationship/configuration? My searching skills are failing me.

--
Devon
Re: [c-nsp] Securing OSPFv3 on 6500/7600 Routers?
Hi,

On Thu, Jan 06, 2011 at 06:45:48AM +0100, Mikael Abrahamsson wrote:

I think it's a mistake of people implementing IPv6 protocols to design them so that they have to rely on IPSEC for their authentication/encryption, at least initially when IPSEC support seems to be quite incomplete for platforms.

That's a somewhat philosophical question - IPv6 mandates(!) IPSEC support, so protocol designers are doing the right thing in relying on established crypto infrastructure that's supposed to be already there and well-tested, instead of every one inventing their own scheme again and again.

Now, in real life, things tend to not work out that way - OSPFv3 is there, IPSEC for IPv6 isn't. So who's to blame, the protocol designers, or the vendors that choose to implement only bits and pieces of the protocol suite?

But anyway, I seem to remember that OSPF+IPSEC is there on IOS... FN agrees with me:

http://tools.cisco.com/ITDIT/CFN/Dispatch?act=featdesctask=displayfeatureId=2261

IPv6 Security: IPv6 IPSec to Authenticate OSPFv3

http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-ospf.html#wp1069880

To use the IPsec AH, you must enable the ipv6 ospf authentication command...

Now the interesting question is whether this is available in any reasonable subset of IOS versions... the URL above claims it was added to 12.4(9)T, and doesn't say a word about 12.2SX/12.2SR trains. FN says it was added to 12.3(4)T, but nothing about 12.2SX/R or IOS XR/IOS XE either.

So, for the original poster, this won't help.

(Please go to your BU and complain that IOS feature distribution sucks big time...)

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
Re: [c-nsp] Securing OSPFv3 on 6500/7600 Routers?
Hi,

On Thu, Jan 06, 2011 at 01:11:17AM -0500, Devon True wrote:

If anyone knows of a way to do this on a 6500/7600, please let me know. :)

Bash your cisco representative with something hard and painful.

It's sooo annoying that IPv6 features are randomly scattered around different IOS trains - and whatever hardware you have, the IOS version that supports it will lack one of the IPv6 features all other IOSes have.

(Like, BFD for OSPFv3, which *is* in 12.2SR, but not in 12.2SX...)

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
[c-nsp] Port profiles
Hi there,

I wonder if Cisco supports features like port profiles for interfaces. I would like to configure a profile and then configure an interface to have a certain profile. So when I change the profile all the interfaces with that profile will be reconfigured.

Does anyone know if Cisco supports this kind of feature?

Thanks in advance.

Regards,
Mark
Re: [c-nsp] How to limit bandwidth on CISCO switch interfaces
That is the correct answer, with some hidden side-effects though. srr-queue bandwidth limit requires mls qos to be enabled globally. mls qos by default places queue 1 on ALL egress ports in shaped mode and reserves 1/25 * interface bandwidth = 4Mb/s on the 100Mb/s interface. Shaped queue does NOT shrink with bandwidth limit configured for the interface like one would expect. You either need to reassign weight, as shaping value is always calculated relative to physical bandwidth, or eliminate shaping altogether.

On Thu, Jan 6, 2011 at 9:54 AM, Jens Neu jens@biotronik.com wrote:

You are probably looking for this:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_25_see/configuration/guide/swqos.html#wp1253412

regards
Jens Neu
Health Services Network Administration
Phone: +49 (0) 30 68905-2412
Mail: jens@biotronik.de

From: JA Colmenares sforc...@yahoo.com
To: Cisco NSP Forum cisco-nsp@puck.nether.net
Date: 01/06/2011 06:00 AM
Subject: [c-nsp] How to limit bandwidth on CISCO switch interfaces
Sent by: cisco-nsp-boun...@puck.nether.net

I need to limit bandwidth on the trunk ports of two connected switches (2960 to 3750). It is currently transmitting at 100 mbps and I want to limit it to 50 mbps. How can this be done? Can anyone provide any steps or resources to get this done?

Thanks
Juan
Re: [c-nsp] Port profiles
There is the smartports macros feature on switches only and it works differently than you described - you have to apply the macro to the interface/interface range every time you've changed it and it does not replace but adds the configuration to the existing configuration on the port.

On Thu, Jan 6, 2011 at 10:37 AM, Mark Meijerink mark.meijer...@vancis.nl wrote:

Hi there,

I wonder if Cisco supports features like port profiles for interfaces. I would like to configure a profile and then configure an interface to have a certain profile. So when I change the profile all the interfaces with that profile will be reconfigured.

Does anyone know if Cisco supports this kind of feature?

Thanks in advance.

Regards,
Mark
Re: [c-nsp] Port profiles
Nexus supports that.

--
Tassos

Mark Meijerink wrote on 06/01/2011 11:37:

Hi there,

I wonder if Cisco supports features like port profiles for interfaces. I would like to configure a profile and then configure an interface to have a certain profile. So when I change the profile all the interfaces with that profile will be reconfigured.

Does anyone know if Cisco supports this kind of feature?

Thanks in advance.

Regards,
Mark
Re: [c-nsp] Galvanic eletrical / optical fiber switchers for lab. Anyone know where to buy???
I have a lot of positive experience with the MRV MCC family of managed cross connects.

http://www.mrv.com/tap/physical-layer/

They have cli and snmp management options and are supported by a bunch of lab management systems to give nice drag and drop topology builders.

--
Colin Whittaker
+353 (0)86 8211 965
http://colin.netech.ie
co...@netech.ie
Re: [c-nsp] IOS - ipv6 uppercase in config - why ?
Have you read the Errata for RFC5952? I'm fairly certain it now says that the digits a-f must be uppercase, except where user derived, though I think this is a fairly recent correction.

Bran.

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Nick Hilliard
Sent: 05 January 2011 18:32
To: Brandon Applegate
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] IOS - ipv6 uppercase in config - why ?

On 05/01/2011 16:01, Brandon Applegate wrote:

Is there a reason that ipv6 addresses are stored with uppercase letters in config ?

yes. See rfc4291, section 2.2, where all of the examples are in upper case. These examples caused people to prefer upper case notation for ipv6 address representation, although there was actually nothing in the document which actually mandated the use of upper case.

These recommendations have been updated in rfc5952, which requires (i.e. MUST) that all ipv6 addresses be represented in lower case. This document is standards track, so I guess Cisco is going to have to change at some stage. Given the current low levels of ipv6 deployment, sooner would be a lot less painful than later.

Nick
Re: [c-nsp] IOS - ipv6 uppercase in config - why ?
On 06/01/11 11:58, Brandon Daly wrote:

Have you read the Errata for RFC5952? I'm fairly certain it now says that the digits a-f must be uppercase, except where user derived, though I think this is a fairly recent correction.

That's an absolutely terrible errata: old-skool assemblers didn't accept lower-case hex digits, neither should we, stop being lazy and hit the shift key.

I seriously hope it doesn't make it in on those grounds (I am agnostic on the upper/lower issue per-se, but that's a terrible rationale).
Re: [c-nsp] redistribute routes leaked from another VRF?
More or less. You can also define an mdt data group range. When traffic for a particular (s,g) pair exceeds a configurable threshold, a group is picked from this range and that (s,g) transitions to the new group in the default VRF, and PEs with receivers join this group. This means you don't flood high-bandwidth groups to every PE - just to PEs which are interested.

I just noticed this in SXI (only just getting there - I'm trying to read through the release notes during morning exercise... could take weeks :( ). This however frightens me, because during that transition it seems as though you're bound to drop a packet somewhere. It's ok if you're IPTV or some other multimedia streaming, but for financial market data that's a no-no of highest order.

Plus, GRE encap with MPLS means a recirc through the EARL so you pay the latency penalty twice plus the extra load. And you need jumbo frames to encap at full standard 1500 MTU.

I was under the impression that there's no recirc in this case, but I could be wrong and can't find a reference.

You may be right - GRE for tunnels requires a recirc, GRE for MVPN might not - the recirc for the tunnel is IIRC because they have to treat the un-encap'ed tunnel packet as if it's a new inbound packet on the tunnel SVI, for mdt they may be able to shortcut it.

As for MTU - if you're running MPLS you presumably have jumbos enabled anyway?

Doesn't mean your WAN provider gave you enough MTU to fit both headers, though. (One provider I work with has all long-haul capped at 1546, presumably a holdover from fast-enet days)

Hence, don't do it if you don't have a really good reason to. I don't, so I don't.

Well, the good reason for doing this is if you want multicast in MPLS L3VPNs, surely ;o)

I don't want it that badly. :)

-bacon
Re: [c-nsp] redistribute routes leaked from another VRF?
On 06/01/11 13:15, Jeff Bacon wrote:

More or less. You can also define an mdt data group range. When traffic for a particular (s,g) pair exceeds a configurable threshold, a group is picked from this range and that (s,g) transitions to the new group in the default VRF, and PEs with receivers join this group. This means you don't flood high-bandwidth groups to every PE - just to PEs which are interested.

I just noticed this in SXI (only just getting there - I'm trying to read through the release notes during morning exercise... could take weeks :( ). This however frightens me, because during that transition it seems as though you're bound to drop a packet somewhere. It's ok if you're IPTV or some other multimedia streaming, but for financial market data that's a no-no of highest order.

Very probably. However this ought to only be an issue for streams where listeners are leaving and joining, or the bit-rate is changing to go above or below the threshold. (It's worth noting the threshold detection is a bit sluggish as well - on the order of tens of seconds)

Obviously it's not optimal in all conditions.

As for MTU - if you're running MPLS you presumably have jumbos enabled anyway?

Doesn't mean your WAN provider gave you enough MTU to fit both headers, though. (One provider I work with has all long-haul capped at 1546, presumably a holdover from fast-enet days)

True. There are other non-MPLS multicast MTU issues though; we've had problems with PIM registered between JunOS and IOS, where IOS fragments the inner packet, JunOS the final outer PIM register. My rule of thumb based on experience here is that multicast with 1400 byte packets is a grey area.

Is MVR any use to you? We're investigating a hybrid approach where certain multicast groups are distributed in a multicast VLAN using MVR and access-lists. This multicast VLAN can then be in the default VRF. There are implications for bidirectional traffic of course, due to the RPF check...
Re: [c-nsp] IOS - ipv6 uppercase in config - why ?
Have you read the Errata for RFC5952? I'm fairly certain it now says that the digits a-f must be uppercase, except where user derived, though I think this is a fairly recent correction.

That's an absolutely terrible errata: old-skool assemblers didn't accept lower-case hex digits, neither should we, stop being lazy and hit the shift key.

I seriously hope it doesn't make it in on those grounds (I am agnostic on the upper/lower issue per-se, but that's a terrible rationale).

That errata was discussed on IPv6 lists, with agreement that this was *not* acceptable as an errata.

Steinar Haug, Nethelp consulting, sth...@nethelp.no
Re: [c-nsp] DSCP Trust on 67xx cards
On Wed, Jan 5, 2011 at 2:59 PM, Peter Rathlev pe...@rathlev.dk wrote:

Correct, the WS-X6708-10GE will do DSCP based scheduling, but AFAIK no other 6500/7600 LAN cards will.

10GE ports on SUP720-10GE and WS-X6716-10GE also have scheduling based on DSCP.

Is there any command on 6500 to look how many packets/octets have been enqueued by each output queue (TX)? I'm looking for similar output which I have on Cat3750 series:

#sh mls qos int gi1/0/2 statistics | begin ^ output queues enqueued
output queues enqueued:
queue:threshold1 threshold2 threshold3
---
queue 0: 0 0 0
queue 1: 36285471554671 245515
queue 2: 0 0 0
queue 3: 0 0 0

sh queueing interface X/Y shows me only drops...

Robert
Re: [c-nsp] DSCP Trust on 67xx cards
On 06/01/11 14:23, Robert Hass wrote:

On Wed, Jan 5, 2011 at 2:59 PM, Peter Rathlev pe...@rathlev.dk wrote:

Correct, the WS-X6708-10GE will do DSCP based scheduling, but AFAIK no other 6500/7600 LAN cards will.

10GE ports on SUP720-10GE and WS-X6716-10GE also have scheduling based on DSCP.

Is there any command on 6500 to look how many packets/octets have been enqueued by each output queue (TX)? I'm looking for similar output which I have on Cat3750 series:

#sh mls qos int gi1/0/2 statistics | begin ^ output queues enqueued
output queues enqueued:
queue:threshold1 threshold2 threshold3
---
queue 0: 0 0 0
queue 1: 36285471554671 245515
queue 2: 0 0 0
queue 3: 0 0 0

sh queueing interface X/Y shows me only drops...

I don't think this is present in the CLI or over SNMP, which is a shame.

You can get some more info from PFC QoS statistics export which is a line-based syslog format giving packet/byte counts by aggregate policer, ingress/egress class-map on port/port-channel/vlan.
Re: [c-nsp] IOS - ipv6 uppercase in config - why ?
Morn' guys (and happy 2011 etc.)

ja...@puck.nether.net (Jared Mauch) wrote:

3) You may be able to get something closer to this with the following:

Router#sh run partition XXX

Doesn't really get you where you want to go. I guess a very good thing'd be if the include were case insensitive.

Now - how do we get that feature request into Cisco?

(Actually, I really see no reason for case sensitiveness anyhow)

Elmar.
Re: [c-nsp] IOS - ipv6 uppercase in config - why ?
On 06/01/11 14:14, Elmar K. Bins wrote:

Doesn't really get you where you want to go. I guess a very good thing'd be if the include were case insensitive.

Well, it's a regexp so:

sh blah | inc 2001:[aA]0:

...will work
Re: [c-nsp] Securing OSPFv3 on 6500/7600 Routers?
Gert,

From what I can find support for OSPFv3 Auth on the Sup720 (SX/SR) is roughly set for Q2 CY12. The information that mentioned that was from November so I'd follow up with your account team/SE to see if this has changed at all or to have them build a case to try and move this date up, if at all possible.

Pete

On Thu, Jan 6, 2011 at 4:30 AM, Gert Doering g...@greenie.muc.de wrote:

Hi,

On Thu, Jan 06, 2011 at 06:45:48AM +0100, Mikael Abrahamsson wrote:

I think it's a mistake of people implementing IPv6 protocols to design them so that they have to rely on IPSEC for their authentication/encryption, at least initially when IPSEC support seems to be quite incomplete for platforms.

That's a somewhat philosophical question - IPv6 mandates(!) IPSEC support, so protocol designers are doing the right thing in relying on established crypto infrastructure that's supposed to be already there and well-tested, instead of every one inventing their own scheme again and again.

Now, in real life, things tend to not work out that way - OSPFv3 is there, IPSEC for IPv6 isn't. So who's to blame, the protocol designers, or the vendors that choose to implement only bits and pieces of the protocol suite?

But anyway, I seem to remember that OSPF+IPSEC is there on IOS... FN agrees with me:

http://tools.cisco.com/ITDIT/CFN/Dispatch?act=featdesctask=displayfeatureId=2261

IPv6 Security: IPv6 IPSec to Authenticate OSPFv3

http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-ospf.html#wp1069880

To use the IPsec AH, you must enable the ipv6 ospf authentication command...

Now the interesting question is whether this is available in any reasonable subset of IOS versions... the URL above claims it was added to 12.4(9)T, and doesn't say a word about 12.2SX/12.2SR trains. FN says it was added to 12.3(4)T, but nothing about 12.2SX/R or IOS XR/IOS XE either.

So, for the original poster, this won't help.

(Please go to your BU and complain that IOS feature distribution sucks big time...)

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
Re: [c-nsp] Securing OSPFv3 on 6500/7600 Routers?
On 06/01/11 15:23, Pete Lumbis wrote:

Gert,

From what I can find support for OSPFv3 Auth on the Sup720 (SX/SR) is roughly set for Q2 CY12. The information that mentioned that was from November so I'd follow up with your account team/SE to see if this has changed at all or to have them build a case to try and move this date up, if at all possible.

That's interesting; 2012 is being cited as the ship date for a whole lot of features on the SXn platform, even pretty trivial ones.

It's almost like they've frozen development pending a large announcement... ;o)
Re: [c-nsp] Galvanic eletrical / optical fiber switchers for lab. Anyone know where to buy???
On Jan 6, 2011, at 6:31 AM, Colin Whittaker wrote:

I have a lot of positive experience with the MRV MCC family of managed cross connects.

http://www.mrv.com/tap/physical-layer/

They have cli and snmp management options and are supported by a bunch of lab management systems to give nice drag and drop topology builders.

We've had good luck with the MRV hardware as well. Did wish it would keep the x-connect up at reboot, they bounce if you need to reset the mgmt card (when it finishes booting that is) due to memory leak, etc.

- Jared
Re: [c-nsp] IOS - ipv6 uppercase in config - why ?
Hi,

Well, it's a regexp so:

sh blah | inc 2001:[aA]0:

yep - was going to point this out - shame you can't do nice extended stuff with eg /ff/i etc

original poster can have joy with

show run | inc 2607:[a-fA-F][a-fA-F]70

alan
Re: [c-nsp] IOS - ipv6 uppercase in config - why ?
Re Phil, p.may...@imperial.ac.uk (Phil Mayers) wrote: Well, it's a regexp so: sh blah | inc 2001:[aA]0: ...will work Although cumbersome, thanks for the hint, nonetheless. Modifiers to the regexp would of course be much easier... Elmar.
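The character-class workaround from the two replies above, as an added example that is not part of the thread: it expands an IPv6 fragment into the `[aA]`-style pattern so a config audit catches an address regardless of the case it was typed or displayed in. The function names and the sample configuration are constructed for illustration, and Python's `re` stands in for the IOS `| include` matcher as an assumption.

```python
import re

HEX_LETTERS = "abcdef"
DIGITS = "0123456789"


def ios_include_pattern(fragment: str) -> str:
    """Expand an IPv6 fragment into a pattern that matches either letter case.

    Each hex letter becomes a two-character class ([aA]); digits, ':' and '/'
    are copied through unchanged. Anything else is rejected so that a regexp
    metacharacter cannot slip into the pattern unnoticed.
    """
    parts = []
    for ch in fragment:
        low = ch.lower()
        if low in HEX_LETTERS:
            parts.append("[" + low + low.upper() + "]")
        elif ch in DIGITS or ch in ":/":
            parts.append(ch)
        else:
            raise ValueError("unexpected character in IPv6 fragment: %r" % ch)
    return "".join(parts)


def include(config_text: str, fragment: str) -> list:
    """Return the config lines that a `| include <pattern>` filter would keep."""
    pattern = re.compile(ios_include_pattern(fragment))
    return [line for line in config_text.splitlines() if pattern.search(line)]


# Constructed sample configuration (documentation prefix 2001:db8::/32) with
# the same prefix written in different letter cases.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 ipv6 address 2001:DB8:A0::1/64
interface GigabitEthernet1/2
 ipv6 address 2001:db8:a0::2/64
ipv6 route 2001:db8:b0::/48 2001:Db8:A0::2
ipv6 route 2001:db8:c0::/48 Null0
"""


def literal_matches(config_text: str, fragment: str) -> list:
    """Case-sensitive substring filter, for comparison with include()."""
    return [line for line in config_text.splitlines() if fragment in line]


if __name__ == "__main__":
    frag = "2001:db8:a0:"
    print("pattern:", ios_include_pattern(frag))
    print("literal filter finds", len(literal_matches(SAMPLE_CONFIG, frag)), "line(s)")
    for line in include(SAMPLE_CONFIG, frag):
        print(line)
```

The generated string can be pasted after `show run | inc`; the literal filter is there only to show how many lines a case-sensitive search would miss.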
Re: [c-nsp] Securing OSPFv3 on 6500/7600 Routers?
On Thu, 6 Jan 2011 10:33:04 +0100, you wrote: (Like, BFD for OSPFv3, which *is* in 12.2SR, but not in 12.2SX...) Don't use a LAN platform. LANs don't need BFD :-P -A
Re: [c-nsp] 7600 updates
100G can be expected in 2011 (or early 2012) for ASR9K and Nexus 7000. AFAIK you cannot expect 40G for 7600. Are there any (public) reasons given for not offering 40G for 7600? Regards //MKS
Re: [c-nsp] Galvanic eletrical / optical fiber switchers for lab. Anyone know where to buy???
I have an apcon in my lab and it works pretty well. It's modular so you can also do TDM connections. The web interface is pretty simple as well. On Thu, Jan 6, 2011 at 8:59 AM, Eric Hoelzle eric.hoel...@gmail.com wrote: http://www.apcon.com/solutions/?p=lab might be what you are looking for. I've heard positive things about them but have not used them personally. -- Eric
Re: [c-nsp] 7600 updates
On Thu, 6 Jan 2011, MKS wrote: 100G can be expected in 2011 (or early 2012) for ASR9K and Nexus 7000. AFAIK you cannot expect 40G for 7600. Are there any (public) reasons given for not offering 40G for 7600? My assumption is the following: - sup720/rsp720 series backplane connectivity capacity is 40Gbps - there is no known plan from Cisco to have bigger capacity supervisor for 76xx. - Probably not economical to develop 1 port 40GE card - If you need router like capabilities Cisco pushes you to go for ASR9K - Comparing pricewise 76xx with ES cards and ASR9K with low queue cards there is not much difference. Best Regards, Janos
Re: [c-nsp] Securing OSPFv3 on 6500/7600 Routers?
Hi, On Thu, Jan 06, 2011 at 03:31:28PM +, Phil Mayers wrote: It's almost like they've frozen development pending a large announcement... ;o) Sup2T will have all the features you've been waiting for for so long Wanna bet? gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany g...@greenie.muc.de fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
Re: [c-nsp] Securing OSPFv3 on 6500/7600 Routers?
Hi, On Thu, Jan 06, 2011 at 05:28:39PM +0100, Asbjorn Hojmark - Lists wrote: On Thu, 6 Jan 2011 10:33:04 +0100, you wrote: (Like, BFD for OSPFv3, which *is* in 12.2SR, but not in 12.2SX...) Don't use a LAN platform. LANs don't need BFD :-P Yes, I know. Whatever we buy, afterwards we're told that for what we do, this is not the right platform. (I'm not starting either of my standard rants now, even if I'm strongly tempted... new year, new rants. Maybe :-) ). gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany g...@greenie.muc.de fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
Re: [c-nsp] 7600 updates
On Thu, Jan 6, 2011 at 6:14 PM, Mohacsi Janos moha...@niif.hu wrote: - sup720/rsp720 series backplane connectivity capacity is 40Gbps Same like Sup-2T new RSP-2T could do it. Wondering if new Sup-2T will be MIPS or PPC. Probably PPC and IOS XE same like Sup7 for 4500. This means Sup-2T can be the same for both - 6500 and 7600 series with exception regarding IOS features - SR release (7600) versus SX release (6500). - there is no known plan from Cisco to have bigger capacity supervisor for 76xx. In fact currently all 7600-S series chassis can provide 80Gbps per slot. From 6500-E chassis only 6509-V-E supports 80Gbps per slot. So 7600 is more capable of 40Gbps for linerate 8x10GE cards for near future. - Probably not economical to develop 1 port 40GE card Like always Cisco can do oversubscribed 1:2 like WS-X6708-10GE :-) Don't forget about local-switching at DFC... We have 7603-S deployed where nearly all traffic (90%) is local switched at 8x10GE card. So oversubscription here is not big deal. - If you need router like capabilities Cisco pushes you to go for ASR9K - Comparing pricewise 76xx with ES cards and ASR9K with low queue cards there is not much difference. But if you already got a lot of 7600-S chassis and ES/ES+ cards then ... it's like 7600 will dropped to lower capacities PE router. Robert
Re: [c-nsp] 7600 updates
On Thu, 6 Jan 2011, Robert Hass wrote: On Thu, Jan 6, 2011 at 6:14 PM, Mohacsi Janos moha...@niif.hu wrote: - sup720/rsp720 series backplane connectivity capacity is 40Gbps Same like Sup-2T new RSP-2T could do it. Wondering if new Sup-2T will be MIPS or PPC. Probably PPC and IOS XE same like Sup7 for 4500. This means Sup-2T can be the same for both - 6500 and 7600 series with exception regarding IOS features - SR release (7600) versus SX release (6500). AFAIK SUP-2T is Cat6k only. Best Regards, Janos
Re: [c-nsp] 7600 updates
On 2011-01-06 18:59, Robert Hass wrote: - sup720/rsp720 series backplane connectivity capacity is 40Gbps Same like Sup-2T new RSP-2T could do it. Wondering if new Sup-2T will be MIPS or PPC. Probably PPC and IOS XE same like Sup7 for 4500. This means Sup-2T can be the same for both - 6500 and 7600 series with exception regarding IOS features - SR release (7600) versus SX release (6500). Sup2T is targeted currently for 6500. It will run IOS XE. In fact currently all 7600-S series chassis can provide 80Gbps per slot. From 6500-E chassis only 6509-V-E supports 80Gbps per slot. So 7600 is more capable of 40Gbps for linerate 8x10GE cards for near future. No. All -E (6500) and -S (7600) chassis are capable of 80Gbit/s per slot. It's just a matter of switch fabric to use that capability. The current Sups for 6500 and current RSPs for 7600 max out at 2x20Gbit/s per LC, the Sup2T will have 2x40Gbit/s per LC. -- Everything will be okay in the end. | Łukasz Bromirski If it's not okay, it's not the end. | http://lukasz.bromirski.net
Re: [c-nsp] 7600 updates
Mohacsi Janos wrote on 06/01/2011 19:14: On Thu, 6 Jan 2011, MKS wrote: 100G can be expected in 2011 (or early 2012) for ASR9K and Nexus 7000. AFAIK you cannot expect 40G for 7600. Are there any (public) reasons given for not offering 40G for 7600? My assumption is the following: - sup720/rsp720 series backplane connectivity capacity is 40Gbps - there is no known plan from Cisco to have bigger capacity supervisor for 76xx. - Probably not economical to develop 1 port 40GE card If I remember right, a 4x40G card (oversubscribed) is under consideration for the 6500/Sup2T. Also, Nexus will get 6x40G and 2x100G cards, non-oversubscribed. -- Tassos - If you need router like capabilities Cisco pushes you to go for ASR9K - Comparing pricewise 76xx with ES cards and ASR9K with low queue cards there is not much difference. Best Regards, Janos
Re: [c-nsp] Securing OSPFv3 on 6500/7600 Routers?
On Thu, Jan 6, 2011 at 7:33 AM, Gert Doering g...@greenie.muc.de wrote: Hi, On Thu, Jan 06, 2011 at 01:11:17AM -0500, Devon True wrote: If anyone knows of a way to do this on a 6500/7600, please let me know. :) Bash your cisco representative with something hard and painful. It's sooo annoying that IPv6 features are randomly scattered around different IOS trains - and whatever hardware you have, the IOS version that supports it will lack one of the IPv6 features all other IOSes have. (Like, BFD for OSPFv3, which *is* in 12.2SR, but not in 12.2SX...) Use your own government purchase power for that. By providing assistance to your local government to have all the IPv6 features that are really needed for a network in their RFPs, eventually those features will end up in IOS-regex. Rubens
[c-nsp] ASR 9000 Newbie question
We have a couple of new ASR 9k routers in our test lab. None of us have had training on them yet and none of us know IOS-XR yet. One of our engineers is installing the new blades and two of them are coming up with red lights and are staying inactive. We can't figure out how to troubleshoot this in XR. There doesn't seem to be anything in the logs, which is weird. I suggested that he verify that logging is configured. It could be that there are errors, but they're just not being logged. I've got the IOS XR Fundamentals book, but I don't see any commands related to this yet. Any thoughts? Thanks!
Re: [c-nsp] ASR 9000 Newbie question
John, Which cards and which version of IOS-XR is running on the RP's. Typical are the cards supported by the IOS. Show diag is always a good place to start. David -- http://dcp.dcptech.com -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of John Neiberger Sent: Thursday, January 06, 2011 5:22 PM To: cisco-nsp@puck.nether.net Subject: [c-nsp] ASR 9000 Newbie question We have a couple of new ASR 9k routers in our test lab. None of us have had training on them yet and none of us know IOS-XR yet. One of our engineers is installing the new blades and two of them are coming up with red lights and are staying inactive. We can't figure out how to troubleshoot this in XR. There doesn't seem to be anything in the logs, which is weird. I suggested that he verify that logging is configured. It could be that there are errors, but they're just not being logged. I've got the IOS XR Fundamentals book, but I don't see any commands related to this yet. Any thoughts? Thanks!
Re: [c-nsp] ASR 9000 Newbie question
Dumb question. But you powered it with 220 I hope... On Jan 6, 2011 5:29 PM, John Neiberger jneiber...@gmail.com wrote: We have a couple of new ASR 9k routers in our test lab. None of us have had training on them yet and none of us know IOS-XR yet. One of our engineers is installing the new blades and two of them are coming up with red lights and are staying inactive. We can't figure out how to troubleshoot this in XR. There doesn't seem to be anything in the logs, which is weird. I suggested that he verify that logging is configured. It could be that there are errors, but they're just not being logged. I've got the IOS XR Fundamentals book, but I don't see any commands related to this yet. Any thoughts? Thanks!
Re: [c-nsp] ASR 9000 Newbie question
On Thu, Jan 6, 2011 at 3:44 PM, Chris Evans chrisccnpsp...@gmail.com wrote: Dumb question. But you powered it with 220 I hope... These are all good questions. I'll go ask the engineer who is currently working on this.
Re: [c-nsp] ASR 9000 Newbie question
Hi On 7 January 2011 11:22, John Neiberger jneiber...@gmail.com wrote: We have a couple of new ASR 9k routers in our test lab. None of us have had training on them yet and none of us know IOS-XR yet. One of our engineers is installing the new blades and two of them are coming up with red lights and are staying inactive. We can't figure out how to troubleshoot this in XR. There doesn't seem to be anything in the logs, which is weird. I suggested that he verify that logging is configured. It could be that there are errors, but they're just not being logged. One thing that comes to mind is DOA cards. What sort of cards are those? (RP or port cards?) I've got the IOS XR Fundamentals book, but I don't see any commands related to this yet. Any thoughts? Try the following, sh platform summary location all or for brief version sh platform that will tell you if the router knows about the cards at all. kind regards Pshem
Re: [c-nsp] ASR 9000 Newbie question
On Thu, Jan 6, 2011 at 3:45 PM, John Neiberger jneiber...@gmail.com wrote: On Thu, Jan 6, 2011 at 3:44 PM, Chris Evans chrisccnpsp...@gmail.com wrote: Dumb question. But you powered it with 220 I hope... These are all good questions. I'll go ask the engineer who is currently working on this. These are powered with 220. We're running 3.7.3 code. I'm waiting on a reply from our engineer to get the output of show platform and show diag. Thanks!
Re: [c-nsp] 7600 updates
My assumption is the following: - sup720/rsp720 series backplane connectivity capacity is 40Gbps - there is no known plan from Cisco to have bigger capacity supervisor for 76xx. - Probably not economical to develop 1 port 40GE card - If you need router like capabilities Cisco pushes you to go for ASR9K - Comparing pricewise 76xx with ES cards and ASR9K with low queue cards there is not much difference. Well, stated previously in this thread the 6500 is getting a 40GbE card 40G can be expected in 2011 (or early 2012) for ASR9K, Nexus 7000/5000, Cat 6500. So I can't see any reason for *not* making the same card available for the 7600, well other than pushing the ASR9K platform...
[c-nsp] Site to Site VPN using ASA and far end with dynamic peer
Hi, I have a relatively simple question but the examples I find on cisco.com don't seem to do much but confuse me.:) Here's the setup. I have a Cisco ASA with several site to site VPN tunnels terminated to branch offices. All to date have used static IP addressing on both sides so using the tunnel-group a.b.c.d type l2l has been very simple. We now have a branch with PPPOE DSL and dynamic addressing. Could someone provide an example of the ASA side how to accept a VPN site to site session from a remote device using a dynamic IP. What do you use instead of the target tunnel-group / peer address entry? Presently the ASA is running 8.2.x code using a normal dynamic map for remote clients and the standard crypto map entries for each peer. I assume it's some variation on the dynamic map theme but not quite sure how to make that work. Any pointers would be appreciated. Thanks Scott
Re: [c-nsp] ASR 9000 Newbie question
Unless there is a compelling reason otherwise, you should really be on 4.0.1 on ASR9K. Stuff like the 8-Port 10G cards are not supported in 3.7.3, amongst other limitations you will encounter. - Jared On Jan 6, 2011, at 5:52 PM, John Neiberger wrote: On Thu, Jan 6, 2011 at 3:45 PM, John Neiberger jneiber...@gmail.com wrote: On Thu, Jan 6, 2011 at 3:44 PM, Chris Evans chrisccnpsp...@gmail.com wrote: Dumb question. But you powered it with 220 I hope... These are all good questions. I'll go ask the engineer who is currently working on this. These are powered with 220. We're running 3.7.3 code. I'm waiting on a reply from our engineer to get the output of show platform and show diag. Thanks!
Re: [c-nsp] Site to Site VPN using ASA and far end with dynamic peer
You have ASA/IOS routers on the branch office, right? Cisco Easy VPN Remote Client might be what you are looking for. You can use client mode or network extension mode according to your need. http://www.cisco.com/en/US/products/sw/secursw/ps5299/index.html Schilling On Thu, Jan 6, 2011 at 6:46 PM, Scott Granados sc...@granados-llc.net wrote: Hi, I have a relatively simple question but the examples I find on cisco.com don't seem to do much but confuse me.:) Here's the setup. I have a Cisco ASA with several site to site VPN tunnels terminated to branch offices. All to date have used static IP addressing on both sides so using the tunnel-group a.b.c.d type l2l has been very simple. We now have a branch with PPPOE DSL and dynamic addressing. Could someone provide an example of the ASA side how to accept a VPN site to site session from a remote device using a dynamic IP. What do you use instead of the target tunnel-group / peer address entry? Presently the ASA is running 8.2.x code using a normal dynamic map for remote clients and the standard crypto map entries for each peer. I assume it's some variation on the dynamic map theme but not quite sure how to make that work. Any pointers would be appreciated. Thanks Scott
Re: [c-nsp] Site to Site VPN using ASA and far end with dynamic peer
Actually, the branch is an old Pix. We also have an environment using a Juniper SRX so I'm not sure this is a good fit. Thanks Scott On Jan 6, 2011, at 4:34 PM, schilling wrote: You have ASA/IOS routers on the branch office, right? Cisco Easy VPN Remote Client might be what you are looking for. You can use client mode or network extension mode according to your need. http://www.cisco.com/en/US/products/sw/secursw/ps5299/index.html Schilling On Thu, Jan 6, 2011 at 6:46 PM, Scott Granados sc...@granados-llc.net wrote: Hi, I have a relatively simple question but the examples I find on cisco.com don't seem to do much but confuse me.:) Here's the setup. I have a Cisco ASA with several site to site VPN tunnels terminated to branch offices. All to date have used static IP addressing on both sides so using the tunnel-group a.b.c.d type l2l has been very simple. We now have a branch with PPPOE DSL and dynamic addressing. Could someone provide an example of the ASA side how to accept a VPN site to site session from a remote device using a dynamic IP. What do you use instead of the target tunnel-group / peer address entry? Presently the ASA is running 8.2.x code using a normal dynamic map for remote clients and the standard crypto map entries for each peer. I assume it's some variation on the dynamic map theme but not quite sure how to make that work. Any pointers would be appreciated. Thanks Scott
Re: [c-nsp] ASR 9000 Newbie question
I found out that these are the 40-port GigE SFP blade and the 8-port 10Gig blades. Cisco advised us to go from 3.7.3 to 3.9.2 for now instead of jumping straight to 4.0.1. We'll give that a whirl tomorrow. I've heard lots of great things about the ASR 9K, but I have to say that IOS-XR is ugly, ugly, ugly. I'm still looking forward to getting some of these bad boys fired up in production, though. The ugliness of the CLI will wear off with familiarity, I'm sure. On Thu, Jan 6, 2011 at 5:07 PM, Jared Mauch ja...@puck.nether.net wrote: Unless there is a compelling reason otherwise, you should really be on 4.0.1 on ASR9K. Stuff like the 8-Port 10G cards are not supported in 3.7.3, amongst other limitations you will encounter. - Jared On Jan 6, 2011, at 5:52 PM, John Neiberger wrote: On Thu, Jan 6, 2011 at 3:45 PM, John Neiberger jneiber...@gmail.com wrote: On Thu, Jan 6, 2011 at 3:44 PM, Chris Evans chrisccnpsp...@gmail.com wrote: Dumb question. But you powered it with 220 I hope... These are all good questions. I'll go ask the engineer who is currently working on this. These are powered with 220. We're running 3.7.3 code. I'm waiting on a reply from our engineer to get the output of show platform and show diag. Thanks!
Re: [c-nsp] ASR 9000 Newbie question
Xr is badass imho. It's more like junos as things are more broken out into hierarchies.. The more you use it the more you will realize. On Jan 6, 2011 9:27 PM, John Neiberger jneiber...@gmail.com wrote: I found out that these are the 40-port GigE SFP blade and the 8-port 10Gig blades. Cisco advised us to go from 3.7.3 to 3.9.2 for now instead of jumping straight to 4.0.1. We'll give that a whirl tomorrow. I've heard lots of great things about the ASR 9K, but I have to say that IOS-XR is ugly, ugly, ugly. I'm still looking forward to getting some of these bad boys fired up in production, though. The ugliness of the CLI will wear off with familiarity, I'm sure. On Thu, Jan 6, 2011 at 5:07 PM, Jared Mauch ja...@puck.nether.net wrote: Unless there is a compelling reason otherwise, you should really be on 4.0.1 on ASR9K. Stuff like the 8-Port 10G cards are not supported in 3.7.3, amongst other limitations you will encounter. - Jared On Jan 6, 2011, at 5:52 PM, John Neiberger wrote: On Thu, Jan 6, 2011 at 3:45 PM, John Neiberger jneiber...@gmail.com wrote: On Thu, Jan 6, 2011 at 3:44 PM, Chris Evans chrisccnpsp...@gmail.com wrote: Dumb question. But you powered it with 220 I hope... These are all good questions. I'll go ask the engineer who is currently working on this. These are powered with 220. We're running 3.7.3 code. I'm waiting on a reply from our engineer to get the output of show platform and show diag. Thanks!
Re: [c-nsp] ASR 9000 Newbie question
I'm sure you're right, but the commands just seem unnecessarily convoluted. I'm sure that's probably a side effect of the complexity and flexibility, though. I'm also a total noob at XR, so take what I say with a grain of salt. I'm just stating first impressions. I'm sure we'll be loving it soon. On Thu, Jan 6, 2011 at 9:28 PM, Chris Evans chrisccnpsp...@gmail.com wrote: Xr is badass imho. It's more like junos as things are more broken out into hierarchies.. The more you use it the more you will realize. On Jan 6, 2011 9:27 PM, John Neiberger jneiber...@gmail.com wrote: I found out that these are the 40-port GigE SFP blade and the 8-port 10Gig blades. Cisco advised us to go from 3.7.3 to 3.9.2 for now instead of jumping straight to 4.0.1. We'll give that a whirl tomorrow. I've heard lots of great things about the ASR 9K, but I have to say that IOS-XR is ugly, ugly, ugly. I'm still looking forward to getting some of these bad boys fired up in production, though. The ugliness of the CLI will wear off with familiarity, I'm sure. On Thu, Jan 6, 2011 at 5:07 PM, Jared Mauch ja...@puck.nether.net wrote: Unless there is a compelling reason otherwise, you should really be on 4.0.1 on ASR9K. Stuff like the 8-Port 10G cards are not supported in 3.7.3, amongst other limitations you will encounter. - Jared On Jan 6, 2011, at 5:52 PM, John Neiberger wrote: On Thu, Jan 6, 2011 at 3:45 PM, John Neiberger jneiber...@gmail.com wrote: On Thu, Jan 6, 2011 at 3:44 PM, Chris Evans chrisccnpsp...@gmail.com wrote: Dumb question. But you powered it with 220 I hope... These are all good questions. I'll go ask the engineer who is currently working on this. These are powered with 220. We're running 3.7.3 code. I'm waiting on a reply from our engineer to get the output of show platform and show diag. Thanks! 
[c-nsp] policy and static nat mix?
I've got static NAT's setup for a network IP, and I want to NAT to a different IP for a particular outside subnet specified in an ACL. That IP is already statically nat'd to another device. I've got the ACL crafted, but I'm unclear how to tie it to the outside I want to tie it to. Just to add to the complexity, that IP is already statically nat'd to another inside address, but on a different inside interface Inbound traffic (initiated from the outside) isn't a huge concern, although I'd like to do it for that subnet if possible, inbound return traffic should map back through the NAT (I think). I can't seem to figure out how I can keep both static NAT's but for one /29, specifically NAT to a different IP on the outside interface. Peter -- Peter Serwe http://truthlightway.blogspot.com/