[c-nsp] Cisco Ipsec VPN with IPv6
Hello,

my name is Lucien and I am trying to find a solution for the following issue. Actually I have IPsec Site-to-Site and Remote Access VPNs from Cisco ASA to ASA and IOS Router to Cisco ASA running very well with IPv4.

Now I want to try this setup with IPv6 to transport IPv4 and/or IPv6 traffic over an IPv6 IPsec tunnel. I successfully tested this setup with a Site-to-Site setup with ASA-ASA and IOS-Router-ASA. But I can't find a solution to establish that with the Remote-Access setup from IOS-Router to a Cisco ASA.

Normally, when the ISP assigns a fixed IPv6 prefix to the CPE side, this setup will be changed to a site-to-site config, but my problem now is how I can realize that when the CPE gets no fixed IPv6 prefix and it will change.

Can anyone help on this topic?

Many Many Thanks and Best Regards
Lucien

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] cisco 3110g blade switch consle to as2511-rj
The usb console on new cisco routers is simply a rs232-usb convertor built into the router. So when you connect the usb cable to your pc, it sees it as a usb to rs232 convertor device (after installing cisco driver).

I would assume it's the same in this switch, so I would imagine it would be difficult to do what you are proposing (access the console via a console server) until someone releases a USB based console server, this may not be possible.

Andrew Jones
Alphawest

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Erik Nelson
Sent: Tuesday, 2 August 2011 10:15 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] cisco 3110g blade switch consle to as2511-rj

Any suggestions on how to connect from the USB console port on the Cisco 3110G Blade Switch to the RJ45 ports on a 2511RJ being used as a console server? I thought I understood which adapters I have did tx/rx swaps, but nothing works. The included USB to DB-9 serial cable works fine to a PC, so I know the port works.
[c-nsp] MTU - issue while doing VPLS over VPLS!
Dear Sir,

we are deploying Cisco metro Switch to create VPLS network as below.

PC-Cisco Switch + Cisco switch E1 Link [ service provider] -Cisco Switch + Cisco Switch -internet

For E1 link, we are using protocol converter that its Ethernet port only supports MTU 1500. That means we have MTU 1500 for backhaul link.

Now when we do VPLS or VPLS over VPLS, there are some applications not working properly.

I want to know, does Cisco Switch fragment the packet at its outer interface of the switch that is connected to E1 link? Or shall we ask Service provider to increase the MTU [or place protocol converter that supports higher MTU]?

Appreciate if you could help me with proper solution.

Dipesh Basnet
Re: [c-nsp] 7600 HFIB bug?
On Monday, August 01, 2011 10:15:30 PM Gert Doering wrote:
> Maybe try a somewhat less ancient IOS version? From what I can read on this list, SR* before SRD* is not something I'd want to have...

Agree - move to SRE4 first (consider what features you currently have in SRB4, however) and see if that resolves your problems.

You may want to save your SRB4 configuration before doing the upgrade, as SRE4 is more-than-likely going to move things out or around. Hope you have RANCID :-).

Cheers,
Mark.
Re: [c-nsp] does duplex mismatch affect UDP throughput?
On Sunday, July 31, 2011 02:47:38 PM Gert Doering wrote:
> If you order a cross-city ethernet link from a telco, they usually force duplex/speed settings on their gear and turn off autonegotiation.

Funny, we tend to do the opposite these days :-).

I can understand closed networks and enterprise/corporate networks still going the hard-coding route, but it'd be interesting to learn if a vast majority of service providers are still doing the same these days (yes, it's still common to find hard-coding in service provider environments as well these days, but I just wonder whether the number is falling, rising or stagnant).

I suspect thoughts on this are bound to be academic :-).

Mark.
Re: [c-nsp] MTU - issue while doing VPLS over VPLS!
> we are deploying Cisco metro Switch to create VPLS network as below.
>
> PC-Cisco Switch + Cisco switch E1 Link [ service provider] -Cisco Switch + Cisco Switch -internet
>
> For E1 link, we are using protocol converter that its Ethernet port only supports MTU 1500. That means we have MTU 1500 for backhaul link.
>
> Now when we do VPLS or VPLS over VPLS, there are some applications not working properly.

This is expected.

> I want to know, does Cisco Switch fragment the packet at its outer interface of the switch that is connected to E1 link?

No, why should it? You're doing VPLS which is an L2 technology.

> Or shall we ask Service provider to increase the MTU [or place protocol converter that supports higher MTU]?

If you want 1500 bytes plus VPLS, you need a higher MTU through your protocol converters *and* the E1 service provider link.

Steinar Haug, Nethelp consulting, sth...@nethelp.no
Re: [c-nsp] does duplex mismatch affect UDP throughput?
On Tue, 2 Aug 2011, Reuben Farrelly wrote:
> Not to mention it also breaks MDI-X... grrr.

It doesn't really, just on some platforms. Just the same way that there is absolutely no reason for the device to stop advertising autoneg capabilities just because 100/full was forced, is there a reason to turn off MDI-X just because duplex and speed was forced. This is a matter of implementation.

I feature requested continuing of autoneg being on even though speed and duplex was forced, to Cisco and other vendors 6-8 years ago, and got very little traction back. I'm told some catalyst switches nowadays have this feature.

I encourage everybody to require autoneg and auto MDI/MDX to stay on when you do RFQs. It's time this operational nightmare was put out of its misery.

--
Mikael Abrahamsson    email: swm...@swm.pp.se
Re: [c-nsp] does duplex mismatch affect UDP throughput?
Hi,

On Tue, Aug 02, 2011 at 09:49:23PM +1000, Reuben Farrelly wrote:
> and by definition fixing the speed and duplex on a switch port means you never see *any* collisions or broken frames on that specific end of the link anyway.

Actually, you see CRC errors and Runts. So it can be spotted if you know what to look for :-)

(the other end will abort the packet it's busy sending on detection of a late collision, and that will create a garbled packet on the switch side).

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany    g...@greenie.muc.de
fax: +49-89-35655025    g...@net.informatik.tu-muenchen.de
Re: [c-nsp] memory problems on cisco ubr7246vxr?
You need to monitor 'sh proc mem sorted' over time and see which allocating process keeps going up.

For reference:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_tech_note09186a00800a6f3a.shtml#tshoot2

Then based on that we'll have to determine if it's a bug based on which function in the code is allocating the blocks of memory and them not getting freed back.

Rodney

On 8/1/11 1:54 PM, Brian Roche wrote:
> ever since upgrading to 12.2(33)SCD5 on my ubr7246vxr i've noticed that my free processor pool memory (from sh proc mem) decreases over time. for example last week i had 44527612 free 4 hours after a reload and 8 days later it is 31347880. any ideas if this is normal or the best way to troubleshoot this?
>
> thanks
Re: [c-nsp] does duplex mismatch affect UDP throughput?
From: cisco-nsp-boun...@puck.nether.net [cisco-nsp-boun...@puck.nether.net] On Behalf Of Mikael Abrahamsson [swm...@swm.pp.se]
Sent: Tuesday, August 02, 2011 9:59 PM
To: Reuben Farrelly
Cc: Gert Doering; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] does duplex mismatch affect UDP throughput?

> On Tue, 2 Aug 2011, Reuben Farrelly wrote:
> > Not to mention it also breaks MDI-X... grrr.
>
> It doesn't really, just on some platforms. Just the same way that there is absolutely no reason for the device to stop advertising autoneg capabilities just because 100/full was forced, is there a reason to turn off MDI-X just because duplex and speed was forced. This is a matter of implementation.
>
> I feature requested continuing of autoneg being on even though speed and duplex was forced, to Cisco and other vendors 6-8 years ago, and got very little traction back. I'm told some catalyst switches nowadays have this feature.
>
> I encourage everybody to require autoneg and auto MDI/MDX to stay on when you do RFQs. It's time this operational nightmare was put out of its misery.

We have had some traction with Telstra when doing migrations from Vendor N to Vendor C. We refused to hard code interface settings and got our account manager involved at 1am in the morning. Turns out that waking someone who probably sleeps less than four hours a night can get things resolved ;)

(Not my current employer, but NSW Govt).

Damien
Re: [c-nsp] does duplex mismatch affect UDP throughput?
ATT Metro E services are generally hard set and personally, I generally go this route as well. I find a lot of problems with autonegotiation between vendors. Company J handles this pretty well on their switching and almost always negotiations set up correctly and company C generally in my experience gets it wrong and likes to fall in to half duplex even though the far end is negotiated to full. Never had any issues though after hard setting both sides so it just became a matter of habit. Maybe it's something I should revisit.

-----Original Message-----
From: Mark Tinka
Sent: Tuesday, August 02, 2011 6:45 AM
To: cisco-nsp@puck.nether.net
Cc: Gert Doering
Subject: Re: [c-nsp] does duplex mismatch affect UDP throughput?

On Sunday, July 31, 2011 02:47:38 PM Gert Doering wrote:
> If you order a cross-city ethernet link from a telco, they usually force duplex/speed settings on their gear and turn off autonegotiation.

Funny, we tend to do the opposite these days :-).

I can understand closed networks and enterprise/corporate networks still going the hard-coding route, but it'd be interesting to learn if a vast majority of service providers are still doing the same these days (yes, it's still common to find hard-coding in service provider environments as well these days, but I just wonder whether the number is falling, rising or stagnant).

I suspect thoughts on this are bound to be academic :-).

Mark.
Re: [c-nsp] does duplex mismatch affect UDP throughput?
Hi,

On Tue, Aug 02, 2011 at 10:16:41AM -0400, Scott Granados wrote:
> [..] the far end is negotiated to full. Never had any issues though after hard setting both sides so it just became a matter of habit. Maybe it's something I should revisit.

Revisit :-)

Nowadays, more vendors have problems with hard settings not quite working (because that code doesn't get tested so well, I'd assume) than in the last century.

The notable exception being the Cisco 7200 (single-port) FastEthernet modules (PA and IO-board). Those can not do autoneg at all, and need their counterpart to be hard set.

Vendor problems aside, the problems with hard setting is not so much things not working as set up (that usually works) but things get replaced. So, for example, a device breaks, gets replaced by a new one, and the person doing the replacement forgets to set the ethernet port to hard set. Been there, seen that, and *these* problems are much more frequent these days than just set all ends to autoneg.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany    g...@greenie.muc.de
fax: +49-89-35655025    g...@net.informatik.tu-muenchen.de
Re: [c-nsp] does duplex mismatch affect UDP throughput?
On Tuesday, August 02, 2011 11:01:50 PM Gert Doering wrote:
> Revisit :-) Nowadays, more vendors have problems with hard settings not quite working (because that code doesn't get tested so well, I'd assume) than in the last century.

Agree. Definitely revisit :-).

We're a multi-vendor house, Cisco's and Juniper's running amok everywhere, and are yet to hit a speed/duplex issue when auto-neg is turned on for both between both vendors.

Our oldest switch is a 2950, but most of the inter-op is done across the newer platforms, across all major switch and router systems from both vendors.

Cheers,
Mark.
[c-nsp] ios based FW
So I'm new to IOS based Firewalls. Can someone kind of check my thinking with them.

IOS based firewalls use ACL's to firewall with. To make it stateful, you use the IP inspect commands.

Is that the general idea?

Scott
[c-nsp] Cisco Snmp failed-community question
We are hitting the snmp limit on a few cisco devices. Show Snmp shows a large, and increasing, volume of Failed Community requests. Before I go and find/limit the valid requests, I want to lock down these failed community requests.

I was unable to obtain anything useful from debug snmp (headers, packets, requests, sessions). I am assuming what I see in debug snmp packets are only the packets that passed the ACL and security filters.

Any suggestions how we can trap/trace these?

%SNMP-3-INPUT_QFULL_ERR: Packet dropped due to input queue full

#show snmp
21662 Unknown community name

We have an access-list applied to snmp..

snmp-server engineID local 800903D0032BAC00
snmp-server community {community} RO 69
snmp-server community {community} RW 70
snmp-server ifindex persist
snmp-server trap-source Loopback0
access-list 69 permit {ip address}
access-list 69 permit {ip address}
access-list 69 permit {ip address}
access-list 69 deny any log

--
Ryan Pavely
Director Research And Development
Net Access Corporation
http://www.nac.net/
Re: [c-nsp] Cisco Snmp failed-community question
On Tue, 2011-08-02 at 12:07 -0400, Ryan Pavely wrote:
> We are hitting the snmp limit on a few cisco devices. Show Snmp shows a large, and increasing, volume of Failed Community requests. Before I go and find/limit the valid requests, I want to lock down these failed community requests.
>
> I was unable to obtain anything useful from debug snmp (headers, packets, requests, sessions). I am assuming what I see in debug snmp packets are only the packets that passed the ACL and security filters.

On a 3560G running 12.2(53)SE, it does seem to log packets with a wrong SNMPv2 community when debug snmp packets is active. Something like:

003733: Aug 2 18:28:41.598 CEST: SNMP: Packet received via UDP from 192.0.2.10 on Vlan50

It doesn't specify the community used though. I think you would need a sniffer to get that.

What platform do you use? Some devices (e.g. ISR, 6500/7600) can capture traffic locally. Otherwise you could try an inbound interface ACL to log the packets, instead of the SNMP control-plane ACL.

--
Peter
Re: [c-nsp] ios based FW
Check out the new Zone Based Firewall configuration for IOS Fw feature set.

Matthew Huff | 1 Manhattanville Rd
Director of Operations | Purchase, NY 10577
OTA Management LLC | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott Voll
Sent: Tuesday, August 02, 2011 12:03 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ios based FW

So I'm new to IOS based Firewalls. Can someone kind of check my thinking with them.

IOS based firewalls use ACL's to firewall with. To make it stateful, you use the IP inspect commands.

Is that the general idea?

Scott
Re: [c-nsp] does duplex mismatch affect UDP throughput?
On Tue, Aug 02, 2011 Scott Granados wrote:
> Nowadays, more vendors have problems with hard settings not quite working (because that code doesn't get tested so well, I'd assume) than in the last century.
>
> The notable exception being the Cisco 7200 (single-port) FastEthernet modules (PA and IO-board). Those can not do autoneg at all, and need their counterpart to be hard set.
>
> Vendor problems aside, the problems with hard setting is not so much things not working as set up (that usually works) but things get replaced. So, for example, a device breaks, gets replaced by a new one, and the person doing the replacement forgets to set the ethernet port to hard set. Been there, seen that, and *these* problems are much more frequent these days than just set all ends to autoneg.

Carriers probably stick with fixed duplex as a legacy issue. Auto negotiation used to be somewhat iffy. Sun in particular had problems with it in the past. While I've not had problems with Sun for about 8-10 years. Once this gets baked into your network, it's hard to get rid of.

It also eliminates the possibility of a negotiation issue. If both sides are auto, there is a chance it won't work right. If both are full, it works. You might call this determinalistic provisioning.

A good thing to remember is that if you are auto-negotiating, and your side comes up half-duplex, the other side is probably full-duplex no auto-negotiate. Yes, you could be connected to some odd equipment that is actually running half but, 9 out of 10 times it's configured full-no-auto.

Brian Dantzig
Re: [c-nsp] Cisco Snmp failed-community question
Funnily enough there is an authenticationFailure trap which contains the address of misbehaving poller (no varbind with community though).

http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a00800a9405.shtml

On Tue, Aug 2, 2011 at 6:07 PM, Ryan Pavely para...@nac.net wrote:
> We are hitting the snmp limit on a few cisco devices. Show Snmp shows a large, and increasing, volume of Failed Community requests. Before I go and find/limit the valid requests, I want to lock down these failed community requests.
>
> I was unable to obtain anything useful from debug snmp (headers, packets, requests, sessions). I am assuming what I see in debug snmp packets are only the packets that passed the ACL and security filters.
>
> Any suggestions how we can trap/trace these?
>
> %SNMP-3-INPUT_QFULL_ERR: Packet dropped due to input queue full
>
> #show snmp
> 21662 Unknown community name
>
> We have an access-list applied to snmp..
>
> snmp-server engineID local 800903D0032BAC00
> snmp-server community {community} RO 69
> snmp-server community {community} RW 70
> snmp-server ifindex persist
> snmp-server trap-source Loopback0
> access-list 69 permit {ip address}
> access-list 69 permit {ip address}
> access-list 69 permit {ip address}
> access-list 69 deny any log
>
> --
> Ryan Pavely
> Director Research And Development
> Net Access Corporation
> http://www.nac.net/
Re: [c-nsp] does duplex mismatch affect UDP throughput?
Hi,

On Tue, Aug 02, 2011 at 11:12:47AM -0500, Dantzig, Brian wrote:
> It also eliminates the possibility of a negotiation issue. If both sides are auto, there is a chance it won't work right. If both are full, it works. You might call this determinalistic provisioning.

And that's the point: it's *not* deterministic, as quite frequently the other side isn't aware that something non-default needs to be configured...

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany    g...@greenie.muc.de
fax: +49-89-35655025    g...@net.informatik.tu-muenchen.de
Re: [c-nsp] Cisco Snmp failed-community question
Thanks all!

Someone else suggested enabling the snmp authfail traps. Good idea. If that doesn't pan out then I can try some interface acl's or another suggestion of a receive acl, however I need to learn more about them.

> On a 3560G running 12.2(53)SE, it does seem to log packets with a wrong SNMPv2 community when debug snmp packets is active. Something like:
>
> 003733: Aug 2 18:28:41.598 CEST: SNMP: Packet received via UDP from 192.0.2.10 on Vlan50

Ahh I didn't realize that. Looking at my 15min the only ips/vlans that are sending packets are my two 'expected' hosts. Neither would be sending an invalid community. We were going to run 'debug snmp packets' for a longer period of time to get a good snapshot of data.

> What platform do you use?

Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(33)SXI, RELEASE SOFTWARE (fc2)
cisco WS-C6509 (R7000) processor (revision 2.0) with 458720K/65536K bytes of memory.
Processor board ID SCA0431029G
SR71000 CPU at 600Mhz, Implementation 0x504, Rev 1.2, 512KB L2 Cache

> Some devices (e.g. ISR, 6500/7600) can capture traffic locally.

Interesting.. As I told the other guy my Network Engineer hat has been on the shelf for too long and my intel of current 'debug' tricks is quite dusty.

Again thanks for all the replies and ideas.

Ryan Pavely
Director Research And Development
Net Access Corporation
http://www.nac.net/
[c-nsp] 6PE
Hello,

I'm interested in the 6PE solution to offer IPv6 for customers, for those of you who have checked this solution in production network please share your experiences and what are the hardware and software configurations you have??

Kind regards,
Waseem
Re: [c-nsp] Cisco Snmp failed-community question
On Tue, 2011-08-02 at 14:36 -0400, Ryan Pavely wrote:
> Looking at my 15min the only ips/vlans that are sending packets are my two 'expected' hosts. Neither would be sending an invalid community. We were going to run 'debug snmp packets' for a longer period of time to get a good snapshot of data.

If you only see your trusted hosts, it could be that they're sending something with a wrong community. This could be an invalid context when searching e.g. BRIDGE-MIB. (I.e.: To search VLAN 2 you would use SomeCommunity@2 as the community; you can see all valid communities and contexts with show snmp community.)

> Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(33)SXI, RELEASE SOFTWARE (fc2)

Then you have a sniffer already. :-) Try a configuration like this:

ip access-list extended Capture-ACL
 deny ip host 10.0.0.1 any
 deny ip host 10.0.0.2 any
 permit udp any any eq snmp
!
monitor session 1 type capture
 filter access-group Capture-ACL
 source interface Gi2/40 rx
!

The two hosts in the ACL would be your normal management stations, which you might not care about. You need to know the inbound interface, but you can specify more than one.

With the above configuration you can start the capture from exec mode with e.g. monitor capture start for 100 packets and get a dump of the packets with show monitor capture buffer dump.

--
Peter
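A way to work through a longer `debug snmp packets` run like the one discussed in this thread, added here as an example and not written by any of the posters: it tallies the "Packet received via UDP" lines by source and interface and lists every source outside the expected management stations. The log lines are constructed in the format quoted above, 10.0.0.1 and 10.0.0.2 stand in for the management stations as in the Capture-ACL, and all function names are hypothetical.

```python
import ipaddress
import re

# Line format as quoted in the thread, e.g.
# "003733: Aug 2 18:28:41.598 CEST: SNMP: Packet received via UDP from 192.0.2.10 on Vlan50"
DEBUG_RE = re.compile(
    r"^(?:\d+: )?(?P<ts>\w{3}\s+\d+\s+[\d:.]+)(?:\s+\w+)?: "
    r"SNMP: Packet received via UDP from (?P<src>\S+) on (?P<iface>\S+)\s*$"
)

# Assumption: the two management stations from the Capture-ACL example.
EXPECTED_POLLERS = [
    ipaddress.ip_network("10.0.0.1/32"),
    ipaddress.ip_network("10.0.0.2/32"),
]

# Constructed sample, not real device output.
SAMPLE_LOG = """\
003733: Aug 2 18:28:41.598 CEST: SNMP: Packet received via UDP from 192.0.2.10 on Vlan50
003734: Aug 2 18:28:42.101 CEST: SNMP: Packet received via UDP from 10.0.0.1 on Vlan10
003735: Aug 2 18:28:43.007 CEST: SNMP: Packet received via UDP from 192.0.2.10 on Vlan50
003736: Aug 2 18:28:43.512 CEST: %SNMP-3-INPUT_QFULL_ERR: Packet dropped due to input queue full
003737: Aug 2 18:28:44.220 CEST: SNMP: Packet received via UDP from 198.51.100.7 on GigabitEthernet2/40
003738: Aug 2 18:28:45.001 CEST: SNMP: Packet received via UDP from 10.0.0.2 on Vlan10
003739: Aug 2 18:28:45.730 CEST: SNMP: Packet received via UDP from 192.0.2.10 on Vlan51
003740: Aug 2 18:28:46.002 CEST: SNMP: Packet received via UDP from garbled on Vlan50
"""


def parse_debug_line(line):
    """Return (timestamp, source address, interface) or None for other lines."""
    m = DEBUG_RE.match(line.strip())
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m.group("src"))
    except ValueError:
        return None  # truncated or corrupted source field
    return m.group("ts"), src, m.group("iface")


def tally_sources(lines):
    """Count packets per source and record interfaces and first/last timestamp."""
    stats = {}
    for line in lines:
        parsed = parse_debug_line(line)
        if parsed is None:
            continue
        ts, src, iface = parsed
        entry = stats.setdefault(
            src, {"packets": 0, "interfaces": set(), "first": ts, "last": ts}
        )
        entry["packets"] += 1
        entry["interfaces"].add(iface)
        entry["last"] = ts
    return stats


def unexpected_sources(stats, expected=EXPECTED_POLLERS):
    """Sources not covered by the expected pollers, busiest first."""
    rows = []
    for src, entry in stats.items():
        if any(src in net for net in expected):
            continue
        rows.append((str(src), entry["packets"], sorted(entry["interfaces"]),
                     entry["first"], entry["last"]))
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for src, count, ifaces, first, last in unexpected_sources(
            tally_sources(SAMPLE_LOG.splitlines())):
        print(f"{src:15} {count:5} pkts  {','.join(ifaces)}  {first} .. {last}")
```

The debug line does not carry the community string, so a source that shows up here still has to be matched against a packet capture or the authenticationFailure trap to confirm it is the one failing.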
Re: [c-nsp] 7600 HFIB bug?
I do :)

Well... appreciate you all for the help so far, I'll let you know how things come around after the update, if I survive it, as per Mark's read-between-the-line warnings :)

On Tue, Aug 2, 2011 at 7:45 AM, Mark Tinka mti...@globaltransit.net wrote:
> On Monday, August 01, 2011 10:15:30 PM Gert Doering wrote:
> > Maybe try a somewhat less ancient IOS version? From what I can read on this list, SR* before SRD* is not something I'd want to have...
>
> Agree - move to SRE4 first (consider what features you currently have in SRB4, however) and see if that resolves your problems.
>
> You may want to save your SRB4 configuration before doing the upgrade, as SRE4 is more-than-likely going to move things out or around. Hope you have RANCID :-).
>
> Cheers,
> Mark.
Re: [c-nsp] does duplex mismatch affect UDP throughput?
On Wednesday, August 03, 2011 12:12:47 AM Dantzig, Brian wrote:
> It also eliminates the possibility of a negotiation issue. If both sides are auto, there is a chance it won't work right. If both are full, it works. You might call this determinalistic provisioning.

Our experience has always been the exact opposite, actually.

We have had more reliability running auto/auto, as opposed to any other permutation.

But then again, this issue runs deep into corporate culture, personal preference, previous experience, e.t.c. I'm almost certain we shall still be talking about this in 50 years from now :-).

Mark.
Re: [c-nsp] 6PE
On Wednesday, August 03, 2011 03:55:43 AM waseem thaer wrote:
> Hello, I'm interested in the 6PE solution to offer IPv6 for customers, for those of you who have checked this solution in production network please share your experiences and what are the hardware and software configurations you have??

It is a valid approach in operationalizing v6 in your network, and has been used quite extensively.

But I'd say that if you had the choice, don't run it. 6PE depends on MPLS, which depends on IPv4. If your v4 dies, your MPLS dies, your v6 dies. If your MPLS dies, your v6 dies. Plus, 6PE is yet another tunneling technology through which to run your v6 network.

We have 2 large MPLS networks, but have resisted 6PE which always seems easier (and makes the MPLS zealots happy because it's yet another thing MPLS can wrap itself around).

Native/dual-stack is always best. If you can do it, prefer that. It's cleaner and less dependent on many other things.

But if 6PE is your only option (I don't see how since anything decent enough to run 6PE these days can run native v6), then by all means, go ahead :-).

Cheers,
Mark.
Re: [c-nsp] cisco 3110g blade switch consle to as2511-rj
No, the console cable on a 3110G ends in a serial DB9 female connector.

----- Original Message -----
From: Andrew Jones andrew.jo...@alphawest.com.au
To: Erik Nelson enelso...@yahoo.com; cisco-nsp@puck.nether.net cisco-nsp@puck.nether.net
Cc:
Sent: Tuesday, August 2, 2011 3:49 AM
Subject: RE: [c-nsp] cisco 3110g blade switch consle to as2511-rj

The usb console on new cisco routers is simply a rs232-usb convertor built into the router. So when you connect the usb cable to your pc, it sees it as a usb to rs232 convertor device (after installing cisco driver).

I would assume it's the same in this switch, so I would imagine it would be difficult to do what you are proposing (access the console via a console server) until someone releases a USB based console server, this may not be possible.

Andrew Jones
Alphawest

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Erik Nelson
Sent: Tuesday, 2 August 2011 10:15 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] cisco 3110g blade switch consle to as2511-rj

Any suggestions on how to connect from the USB console port on the Cisco 3110G Blade Switch to the RJ45 ports on a 2511RJ being used as a console server? I thought I understood which adapters I have did tx/rx swaps, but nothing works. The included USB to DB-9 serial cable works fine to a PC, so I know the port works.
[c-nsp] prefixes in AS-Set
As I understand, in case ISP-A would like to peer with ISP-B, the ISP-A usually specifies its AS-set it will announce to ISP-B? For example in case XS4ALL(xs4all.nl) would like to set up a peering with some other ISP, it will announce AS-ACCESSFORALL, which contains all XS4ALL ASN's. ISP-B should be able to find all those ASN's which are under the AS-set called AS-ACCESSFORALL by:

$ whois AS-ACCESSFORALL | grep member
members:AS3265
members:AS1200
members:AS5417
members:AS8283
members:AS20689
members:AS33955
$

Now if ISP-B is interested in all the prefixes which are under those ASN's it could do whois -h whois.ripe.net -i origin ASN with every ASN under the AS-ACCESSFORALL and manually write the addresses down or do:

peval AS-ACCESSFORALL | sed 's/({//;s/})//;s/, /\n/g' | aggregate -q

This last command would give:

$ peval AS-ACCESSFORALL | sed 's/({//;s/})//;s/, /\n/g' | aggregate -q
46.21.224.0/20
46.23.80.0/20
62.216.0.0/19
62.251.0.0/17
77.73.16.0/21
80.100.0.0/15
80.126.0.0/15
81.24.0.0/20
82.92.0.0/14
82.161.0.0/16
83.68.0.0/19
83.160.0.0/14
91.200.16.0/22
91.208.34.0/24
94.142.240.0/21
95.129.120.0/21
193.104.193.0/24
193.110.157.0/24
193.111.228.0/24
194.109.0.0/16
194.159.72.0/23
194.159.224.0/21
194.217.220.0/22
195.11.224.0/19
195.64.80.0/20
195.69.144.0/22
195.95.150.0/24
195.173.224.0/19
212.238.0.0/16
213.84.0.0/16
213.222.0.0/19
217.194.16.0/21
$

So in case XS4ALL announces its AS-set AS-ACCESSFORALL (it seems to be the only AS-set for company XS4ALL) to ISP-B, the latter would receive all those prefixes above over the established BGP session.

Have I understood this whole concept correctly? Any additional notes/corrections are most welcome! It's not directly Cisco-related question, but hopefully not off-topic as well :)

regards,
martin
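One common use of the expanded prefix list on ISP-B's side, added here as an example that is not part of the original post: parse peval-style output, collapse it the way the `aggregate` step in the pipeline does, and render IOS prefix-list lines for filtering what the peer announces. It goes beyond the post by also handling IPv6 entries and rejecting malformed ones; the input string is constructed, and the prefix-list name and function names are hypothetical.

```python
import ipaddress

# Constructed input in the "({a, b, c})" shape that the sed expression in the
# post strips; one entry deliberately has host bits set.
SAMPLE_PEVAL = (
    "({194.109.0.0/17, 194.109.128.0/17, 194.109.5.0/24, 82.92.0.0/15, "
    "82.94.0.0/15, 91.208.34.0/24, 194.109.0.1/16, "
    "2001:db8::/33, 2001:db8:8000::/33})"
)


def parse_peval(text):
    """Split peval-style output into networks and a list of rejected tokens."""
    body = text.strip()
    if body.startswith("({") and body.endswith("})"):
        body = body[2:-2]
    nets, rejected = [], []
    for token in body.split(","):
        token = token.strip()
        if not token:
            continue
        try:
            # strict=True refuses entries with host bits set instead of
            # silently widening them into a filter entry.
            nets.append(ipaddress.ip_network(token, strict=True))
        except ValueError:
            rejected.append(token)
    return nets, rejected


def aggregate(nets):
    """Merge adjacent and covered prefixes, separately per address family."""
    result = {}
    for version in (4, 6):
        family = [n for n in nets if n.version == version]
        result[version] = list(ipaddress.collapse_addresses(family))
    return result


def render_prefix_lists(name, aggregated, step=5):
    """Render IOS 'ip prefix-list' / 'ipv6 prefix-list' permit lines."""
    lines = []
    for version, keyword, list_name in (
        (4, "ip", name),
        (6, "ipv6", name + "-v6"),
    ):
        for index, net in enumerate(aggregated[version], start=1):
            lines.append(
                f"{keyword} prefix-list {list_name} seq {index * step} permit {net}"
            )
    return lines


if __name__ == "__main__":
    networks, bad = parse_peval(SAMPLE_PEVAL)
    for line in render_prefix_lists("AS-ACCESSFORALL-IN", aggregate(networks)):
        print(line)
    for token in bad:
        print(f"! rejected: {token}")
```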