I need to patch 2 ASAs into 2 6800 chassis running VSS.
Very nice, your EMM is much better than mine !
-Original Message-
From: Tom Storey [mailto:t...@snnap.net]
Sent: 13 March 2015 18:09
To: Nick Cutting
Cc: cisco-nsp; juniper-...@puck.nether.net
Subject: Re: [c-nsp] Help with an IPSec scenario
For anyone else that wants to do something
I tried to get this to work for weeks, in the end, I used dyn-dns on the
Juniper side, and ran an EMM script on the cisco router (2911 - 15.3) that
looked up the dyn-dns juniper name, then rewrote the tunnel destination, every
5 minutes.
I can't see your config, as it is blocked at my work -
There is no such process with static VTI.
Phase1 is fine, then Phase2 fails with debug messages that don't necessarily
explain why this won't work.
I don't think Junos supports NHRP, but I could be wrong.
-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Nick
This question is about how you monitor your neighborship sessions towards
clients (with or without vrfs). Whether it is EIGRP / OSPF / ISIS or BGP - I
am interested in how you are doing this.
For example - EIGRP MIB is an absolute minefield, and I cannot seem to get
Neighbor up / neighbor
Traffic transiting the router will not be logged without debug ip packet, and
also not logged unless you disable CEF and fast switching on the interface that
is processing traffic. This will make your router about 100 times slower.
i.e
interface FastEthernet0/1
no ip route-cache cef
no ip
DHCP always sends the broadcast / relay to both servers.
Whoever answers first will send back to the client, then it is up to the client
to ACK the address that it wants.
IF the MLS adds clients without receiving their ACK, yes I want that address
then that is the bad implementation of DHCP on
...@seacom.mu]
Sent: 03 June 2015 10:27
To: Nick Cutting; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASR920 - ISR4431
On 3/Jun/15 09:11, Nick Cutting wrote:
We are looking at replacing some routers for a client, as they have recently
upgraded to 1Gb internet.
They just take a default
though - but this just the way that cisco
is going.
-Original Message-
From: Reuben Farrelly [mailto:reuben-cisco-...@reub.net]
Sent: 03 June 2015 11:20
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASR920 - ISR4431
On 3/06/2015 7:59 PM, Nick Cutting wrote:
Thank you
Yep, I don't mind at all. :)
Too many times it has been, should've gone cisco in terms of missing features
stability etc.
At least with cisco I know what works and doesn't.
-Original Message-
From: Gert Doering [mailto:g...@greenie.muc.de]
Sent: 03 June 2015 12:30
To: Nick Cutting
-
From: Lukas Tribus [mailto:luky...@hotmail.com]
Sent: 03 June 2015 09:00
To: Nick Cutting; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] ASR920 - ISR4431
We are looking at replacing some routers for a client, as they have recently
upgraded to 1Gb internet.
They just take a default route
is a requirement.
Would I just need the 6 port gigabit licence - and the chassis for the 920?
Or do I need something to unlock a base set of features capable of speaking BGP
Ipv4 ?
The ISR4431 looks to be 3x as expensive - if I just need the licencing
mentioned above for the 920.
Nick Cutting
.html
Regards,
/Ulrik
-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Nick
Cutting
Sent: 3 June 2015 09:11
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ASR920 - ISR4431
We are looking at replacing some routers for a client, as they have
Yes, I just checked - It is literally $500 list at greenfield time.
Thanks for the input - I think I'm going more enterprisey on the product
though due to the netflow requirement.
-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Garry
Sent: 03
netflow, old style, netflow lite, or flexible
netflow.
How far along the roadmap is the feature ? are we talking weeks, months or
years?
From: Waris Sagheer (waris) [mailto:wa...@cisco.com]
Sent: 04 June 2015 04:02
To: Nick Cutting; Garry; cisco-nsp@puck.nether.net
Cc: Vinod Kumar Balasubramanyam
Been running
Version 03.06.02aE
On 3 different stacks, for about 4 months to get around some policy routing
bugs, and QoS bugs.
-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Steve
Mikulasik
Sent: 01 June 2015 21:19
To:
IOS does this all the time - for many features, not just this e.g. tunnel
destinations
Use an EMM script that rewrites the config, and does the lookup on the fly like
every few hours.
-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Lukas
That should be, that the client receives both offers.
-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Nick
Cutting
Sent: 02 June 2015 10:15
To: Mohammad Khalil; Peter Rathlev
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Redundant DHCP
If the feature programs the hardware on the fly - It won't work in GNS3.
QoS and Pfr don't work either.
-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Adam
Vitkovsky
Sent: 02 June 2015 12:52
To: Mohammad Khalil
Cc: cisco-nsp@puck.nether.net
, and the same
was true of qos.
Both work fine on the CSRv
-Original Message-
From: Gert Doering [mailto:g...@greenie.muc.de]
Sent: 02 June 2015 13:10
To: Nick Cutting
Cc: Adam Vitkovsky; Mohammad Khalil; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] OSPF per-prefix LFA
Hi,
On Tue, Jun 02
If you like classic IOS
They just released a 2U 6800 - the 6840
The 6840-X can be ordered in the following four SKUs:
16 and 32 ports of 10-Gigabit small form factor pluggable and pluggable plus
(SFP and SFP+)
24 and 40 ports of 10-Gigabit SFP and SFP+ with two 40-Gigabit native uplink
ports
] CSR1000V and CPU usage
On 13 Aug 2015, at 19:07, Nick Cutting wrote:
Mostly folks were using these for Route reflectors I think.
The OP of this thread specifically stated he was using it as an edge device,
however.
---
Roland Dobbins rdobb...@arbor.net
There were some discussions on here a few weeks/months back about some best
practices for running these devices.
Mostly folks were using these for Route reflectors I think.
-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Roland
Dobbins
Sent:
maintain some monster ACL for all the client Public addresses that
would need to be updated almost daily - how dangerous is it to just allow UDP
port 49 to this device from any source?
We are going to have to add each device to the ACS server anyway.
Any suggestions welcome
Nick Cutting
response - I think I'll get a firewall in there and write some
bullet proof procedures.
-Original Message-
From: Andrew Miehs [mailto:and...@2sheds.de]
Sent: 24 August 2015 12:20
To: Nick Cutting
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] TACACS/ACS on the internet
Not dangerous
Thanks Waris.
Any news on a timeframe for the netflow on the 920?
From: Waris Sagheer (waris) [mailto:wa...@cisco.com]
Sent: 29 July 2015 21:06
To: Fredrik Vöcks
Cc: Nick Cutting; Garry; cisco-nsp@puck.nether.net; Vinod Kumar Balasubramanyam
(vinbalas)
Subject: Re: [c-nsp] *** GMX Spamverdacht
) and memory supports.
Now that BGP is supported on the ASA, has anyone been crazy enough to take in a
full table, or a few thousand routes?
Nick Cutting | Network Engineer
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https
Thank you, you are correct on all points.
No questions - Thank you, you are correct on all points.
-Original Message-
From: Łukasz Bromirski [mailto:luk...@bromirski.net]
Sent: 31 July 2015 12:26
To: Nick Cutting
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASA and BGP
On 31
Just got confirmation that it is ~22,000 routes. 4 gig of ram on a 5515x.
should be fine.
However, I'm worried that no one is doing this, anywhere.
-Original Message-
From: Łukasz Bromirski [mailto:luk...@bromirski.net]
Sent: 30 July 2015 20:28
To: Nick Cutting
Cc: cisco-nsp
debug crypto isakmp
shut the outside interface - then bring it back up
you should see some clues in here, the router debugs are more meaningful than
ASA ones ever were.
also - Try it without NAT first, as this is a LAB
-Original Message-
From: cisco-nsp
:34
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Optics warnings - SR /LH Modules SFP+
On 21/07/2015 10:22, Nick Cutting wrote:
There are connected in a 40 Gig port channel, using 10GBase-SR modules
and 3 metre and 5 metre cables. They have wildly different power
values, and Te5/1 filling
: [c-nsp] Poor speed through GRE tunnel
Message: 6
Date: Thu, 16 Jul 2015 09:54:45 +
From: Nick Cutting ncutt...@edgetg.co.uk
To: a.l.m.bu...@lboro.ac.uk a.l.m.bu...@lboro.ac.uk, Gert Doering
g...@greenie.muc.de
Cc: cisco-nsp@puck.nether.net cisco-nsp@puck.nether.net
Subject: Re: [c
Buy cheap 1921's with sec licences - In every case I've deployed these as DMVPN
/ VTI can get GREoIPsec to hit the 85Megabit limit on fast enough internet
connections.
I'm sure without ipsec you could hit 150 Megabits+ (no Ipsec ISR G2 Speed
limits)
-Original Message-
From: cisco-nsp
, to unlock passed the 85 meg limit.
From: Alan Buxey [mailto:a.l.m.bu...@lboro.ac.uk]
Sent: 16 July 2015 22:06
To: Nick Cutting; Gert Doering
Cc: cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] Poor speed through GRE tunnel
What hardware for a Gig connection? :)
(Currently it's looking like a pair
for each of these modules? Is this
a faulty module - or do I need use different cables i.e. different types of
OM3. Can anyone point me towards a comprehensive Module - cabling guide ?
Thank you,
Nick Cutting
...@granados-llc.net]
Sent: 03 November 2015 14:44
To: Nick Cutting
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] BGP peering visibility
Route servers are your friend here.
There are things like the U Oregon route server where you basically log in to a
Cisco like prompt and can use all your show
though.
Thank you all
-Original Message-
From: Wycliffe Bahati [mailto:bah...@6telecoms.co.tz]
Sent: 03 November 2015 14:39
To: Mark Tinka
Cc: Nick Cutting; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] BGP peering visibility
Local preference should only affect their internal routing
[mailto:mark.ti...@seacom.mu]
Sent: 03 November 2015 16:33
To: Wycliffe Bahati
Cc: Nick Cutting; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] BGP peering visibility
On 3/Nov/15 16:39, Wycliffe Bahati wrote:
> Local preference should only affect their internal routing but not what you
>
Plug away :) , I'm going to check out your software
-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of James
Bensley
Sent: 06 November 2015 20:07
To: Methsri Wickramarathna; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] IEEE 802.1P QoS
of these polices - more just how each individual
technology works.
NIck
-Original Message-
From: Gert Doering [mailto:g...@greenie.muc.de]
Sent: 03 November 2015 22:26
To: Nick Cutting
Cc: Mark Tinka; Wycliffe Bahati; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] BGP peering visibility
Hi,
On Tue
so a peer level community, however there is no mention of what
exactly the LOCAL_PREF will be, only that it is set to the "PEER LEVEL"
-Original Message-
From: Mark Tinka [mailto:mark.ti...@seacom.mu]
Sent: 03 November 2015 14:31
To: Nick Cutting; cisco-nsp@puck.nether.net
Subject:
Good afternoon,
I have a datacenter that I have failed over to use our secondary link to the
internet. At this location we only accept a default route from each carrier.
Outbound was simply set with local pref.
Inbound, I'm now sending a load of prepends and a last resort community.
My
I came across a curly one like this a few months back - turned out the STP
handling of native VLan frames VS a non-created but configured native vlan on
the downstream switch port.
The downstream switchport was also configured for native vlan of 999 - BUT
vlan999 was not created in the vlan
Good Old SUP2t in there
-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Lukas
Tribus
Sent: 15 October 2015 10:10
To: Gavin McBride; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cisco Nexus as MetroE switch?
> Hello all,
>
> I've been
I've never got over the bug that plagues copper SFP's in this model of switch.
They just stop forwarding traffic randomly.
They keep promising a fix - I still haven't seen anything rock solid.
-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
al Message-
From: oldnick [mailto:oldnick@gmail.com]
Sent: 13 October 2015 19:36
To: Nick Cutting; cisco-nsp@puck.nether.net
Cc: Gert Doering
Subject: Re: [c-nsp] "extendable, incomplete" NAT entries
Thank you, Nick. Problem is, there are no static entries on these boxes:
Router
Extendable usually means that there is a static 1-to1 nat AND a port nat on the
same entry, not sure about incomplete though - you must be confusing the router
"The extendable keyword allows the user to configure several ambiguous static
translations, where an ambiguous translations are
202.221.217.114
-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Nick
Cutting
Sent: 13 October 2015 19:28
To: oldnick; cisco-nsp@puck.nether.net
Cc: Gert Doering
Subject: Re: [c-nsp] "extendable, incomplete" NAT entries
Extendable usu
We run multi-tenant Cloud infrastructure for many small clients.
We are using ASA firewall contexts to protect inter-client hosted
communications.
Was thinking of using ASA-V instead of multiple contexts to keep costs down -
and I would more easily be able to automate the provisioning of the
@puck.nether.net
Subject: Re: [c-nsp] TACACS/ACS on the internet
On 24 August 2015 at 10:30, Nick Cutting ncutt...@edgetg.co.uk wrote:
We are going to roll out TACACS soon, on an ACS appliance and I have hundreds
(thousands?) of client devices that need to authenticate back to these
appliances
This is the document you need:
http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6800ia-switch/qa_c67-728684.html
Q.Can a compact switch be connected to an Instant Access client?
A. Yes. A compact switch or any other switch can be connected to an Instant
Access client
I agree - and the very fact that when browsing for routers on cisco's website -
by default for branch routers -as of a few weeks ago - only the 4xxx and the
8xx are shown. It's a multitude of clicks to see the ISRg2's.
Check this link - it's the new router performance sheet, I've been using it
I just had the same conundrum - although I needed gigabit. Mine was between
ASR1k and an ASR920. I had a requirement for netflow - and although on the
roadmap - I couldn't get a date out of cisco for the feature release on the
920. I needed netflow from day1. The chaps here gave me lots of
I cannot think of a game that uses more than 50k in each direction. The game
servers are obviously an aggregate of the amount of clients - Latency is
everything.
-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Chuck
Church
Sent: 09 December
You need to use the show commands to see if the ASR thinks the traffic is
leaving:
What is the output of show flow exporter?
I always find it's something like "SE linux" on the collector, and this stops
you from seeing it in tcpdump.
-Original Message-
From: cisco-nsp
Sorry that should read:
Show flow monitor exporter statistics
-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Nick
Cutting
Sent: 10 December 2015 08:17
To: dmi...@zhigulinet.ru; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] asr1001x nat
I've got a few 6800's out there now (various ones - 6807 included) and I plan
on buying more.
Good old-fashioned cisco stuff that works, no missing Nexus "features"
-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
a.l.m.bu...@lboro.ac.uk
Sent:
I ran into this a few years back - and we did end up doing it. It's basically
because it peer link is totally different to a trunk between two chassis. i.e
don't use it ever unless a downstream VPC link is down.
I can't remember the details, however this post by Brad Hedlund explains
I am pretty sure that you get 2 free - then the next jump is 25
There is a separate license for mobile devices though - so the two free - or
the 25, won't work on cell phones or tablets without the mobile license.
You don't need to worry for windows machines though.
This is a 5506 out of the
My 4431's command outputs look similar to yours - almost the same in fact, and
I've got maybe 1k routes on these and a few vrfs
I think it pre-allocates the RAM like Linux does. 2851 is vastly different
architecture running plain IOS vs XE.
I was under the impression that you needed 8 gigs of
We have a few providers in HK who deliver our public /24's via a /30 RFC 1918
Address.
I'm not 100 percent sure how it breaks the path discovery, I would love to test
this too, as we have a few of these setups in place.
It is very annoying for other reasons, i.e remotely managing the router on
...@puck.nether.net] On Behalf Of Mike
Sent: Tuesday, June 21, 2016 3:42 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Private IP in point to point link on internet
On 06/21/2016 07:37 AM, Nick Cutting wrote:
> We have a few providers in HK who deliver our public /24's via a /30 RFC 1918
> A
That space also "should" be non-routable over the internet - I know a few
sneaky enterprises using it, - wasn't that carved out for CGN?
-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Satish
Patel
Sent: Wednesday, June 22, 2016 4:19 PM
To:
Not sure why you would want to null route a connected route?
If it's in the routing table already, can be candidate for BGP table
-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Satish
Patel
Sent: Monday, June 20, 2016 4:52 PM
To: Jason Lixfeld
If you must use VTP in production - use version 3 if you can, they got rid of
the flaws that cause the nightmare that Patrick mentioned.
Also remember that VTP and vlan broadcast domains are totally separate - VTP is
just config replication.
-Original Message-
From: cisco-nsp
Your customers are running MPLS between their sites - across L2 MPLS provider
Links?
This is something that I also want to do as an enterprise man, but was always
worried about MTU etc.
Just so I understand - this also causes a hashing issue for the ISP's as the
sources and destinations are
You need to match the traffic of the source and destination, in an ACL in the
route-map.
Yours probably being :
ACL-PBR-SUBNET-A
Permit XX.xx.xx.xx 0.0.0.255 any
route-map FOO permit 10
match ip address ACL-PBR-SUBNET-A
set ip next-hop x.x.x.x
then "debug ip policy" to watch it firing, or
IGP vs EGP protocols, when using
route-maps for routing policy.
Just set the ACL to:
ip access-list extended ACl-PBR-MATCH-ANY
permit ip any any
From: Satish Patel [mailto:satish@gmail.com]
Sent: Thursday, June 23, 2016 2:24 PM
To: Nick Cutting; Cisco Network Service Providers
Subject: Re: [
forwarding
IP: s=150.1.6.6 (local), d=8.8.8.8, len 100, policy rejected -- normal
forwarding
From: Satish Patel [mailto:satish@gmail.com]
Sent: Thursday, June 23, 2016 3:22 PM
To: Nick Cutting
Cc: Cisco Network Service Providers
Subject: Re: [c-nsp] PBR two default gateway
I applied policy
The old saying goes, if you have to implement PBR, either you need more money
(BGP), or your design is wrong (use VRFs)
-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Paul
Sent: Thursday, June 23, 2016 4:31 PM
To: Satish Patel; Cisco Network
Good move
Only the two devices need to support it
ASA will not, Cisco IOS/XR/XE will
But hey I'm probably one of the only humans running BGP on an ASA ))
From: Satish Patel [mailto:satish@gmail.com]
Sent: Friday, June 24, 2016 1:49 PM
To: Brian Turnbow
Cc: Nick Cutting; Cisco Network
In the data sheets for the 6880, they mention a cable that will take 4 SFP+
ports and convert to a QSFP.
Has this cable been released? These datasheets are from 2013, and the 6880 has
been out for some time.
I am looking to connect this to a Dell SAN switch, that has a QSFP handoff, and
was
I have tested Pure routing on this platform a few times using iPerf on a LAN,
and alternatively ookla speedtest on a 1 gig internet handoffs with just BGP
default route
max speeds are 335 Megabits per second - I cannot get it to go faster.
The physical interfaces speeds are 1 gig
Add NAT /
I'm told Dell VLT is very similar to Nexus VPC.
I plan to connect 2 Dell S4820T switches to a VSS'ed 6500 (QSFP+ breakout
cables)
It would be similar to 2 nexus5/7k's connected to a VSS pair.
Or am I a mad man, dancing with inter-vendor prop tech - and would be better
off with a normal LACP
18 January 2016 09:38
To: Nick Cutting; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Dell VLT to Cisco VSS
VSS is single control plane so it's all one big chassis, the dell switch would
have no idea it isn't connected to a single 6500 and should work without issues.
VPC is dual control planes
em like OK middle ground. Anybody deploy those?
>> They decent?
>>
>> Thanks,
>>
>> John
>>
>> -Original Message-
>> From: Mack McBride [mailto:mack.mcbr...@viawest.com]
>> Sent: Friday, February 5, 2016 1:37 PM
>> To: John Gaffney <
I use this list for switch buffers - seems pretty accurate to me:
http://people.ucsc.edu/~warner/buffer.html
-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Tom Hill
Sent: 05 February 2016 15:54
Cc: cisco-nsp@puck.nether.net
Subject: Re:
I asked this same question a few weeks back - and someone at cisco replied on
this list about the cable being released Q1 2016 - but the software on SUP2T
will not support it until Q3.
-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Lukas
From cisco to other vendor - (and cisco -> cisco Small BUS)
always make sure that Vlan1 is allowed on any trunk links, as they often expect
the BPDU's on this Vlan. Check that the Juniper doesn't think its ALSO the
root.
-Original Message-
From: cisco-nsp
I love EIGRP, albeit in the enterprise. I think I use almost every feature it
has.
But I guess I would not be buying one of these new 5001 high-speedfire-dogs
anyway.
-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Nick
Hilliard
Sent: 02
The last 1001X I bought, I accidentally ordered the 1001 - when I changed my
order, I think the price was the same or almost minimal difference. Cisco
doesn't want people buying the old kit either.
-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
tablishment.
What you are probably referring to is MSS information which is exchanged during
the 3 way handshake.
> On Wed, Feb 24, 2016 at 12:13 PM, Dan Peachey <d...@peachey.co> wrote:
>
>> On 24/02/2016 10:33, Nick Cutting wrote:
>>
>>> I'm an enterprise guy, so this
I'm an enterprise guy, so this is what I see for our clients.
I don't have exact info but if for example a TCP session stays up between two
end hosts (whether they are routers or windows boxes whatever..) and a path
changes from say a P2P to a routed VPN, quick enough that the tcp session
This is best news I've heard all day. Was going to have to move 55 VPNs by
hand..
I have this for the 5510 - I cannot see a release for the 5505 - will this also
be coming?
-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Peter
Rathlev
Sent:
Thank you
Upgraded )
From: vinny_abe...@dell.com [mailto:vinny_abe...@dell.com]
Sent: 15 February 2016 22:32
To: dwhit...@cisco.com; Nick Cutting; pe...@rathlev.dk;
cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and
IKEv2 Buffer Overflow
I've tested many 3650 and 3850 - they are basically line rate with no CPU hit.
I've got some in datacenters too, routing many SVI's / routed ports.
Check you are also not running features supported in XE code that should only
ever be used on the XE routers i.e tunnels etc.
-Original
Oh and run at least
Version 03.03.05.SE
Or you will run into any number of the broken features / bugs I have come
across.
-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of David
Wilkinson
Sent: 16 February 2016 11:53
To:
Oh a 3560 not 3650 ;)
Check every interface is running CEF.
sh ip interface | in IP route-cache
I had to debug ip packet detail on a 3750 recently, to see what was being sent
to the CPU - I tracked it down to IP options being sent through the switch that
were being punted to the CPU. You
I've got 2 of the 16 port ones (similarly oversubscribed)
- But I need to be on super latest SUP2T version to get the module recognized.
Will be upgrading IOS this week, I'll let you know how they go
-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf
Just like a fresh install of windows 95 is better than upgrading from 3.11
It feels cleaner :)
-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Gert
Doering
Sent: 01 March 2016 08:22
To: Tom Hill
Cc: cisco-nsp@puck.nether.net
Subject: Re:
I am also very interested in these switches - Any feedback is monstrously
welcome
-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Antoine
Monnier
Sent: 10 March 2016 09:08
To: Robert Hass
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp]
I believe the 48 port 10G model with the 40 gig fixed uplinks is not stackable
It has a 640 gig backplane.
-Original Message-
From: Carter, Bill [mailto:wcar...@sentinel.com]
Sent: 10 March 2016 14:28
To: Nick Cutting; Antoine Monnier; Robert Hass
Cc: cisco-nsp@puck.nether.net
Subject
Even on 9.1 - same limit:
mpf-policy-map-class mode commands/options:
<64000-15440> Target Bit Rate (bits per second), the value needs to be
multiple of 8000
This command is not supported on the X models at all.
-Original Message-
From: cisco-nsp
I often use setups like this - I imagine the cloud based filtering service needs
different IP addresses to differentiate?
Is your below config using the single public address in the internet VRF table
for internet access?
Why not use another address (or two different ones) for the NAT to the
I have seen this before on a 6500
Have a look at this docwiki article:
http://docwiki.cisco.com/wiki/Issue_Description:_Creation_of_a_Secondary_portchannel_%22PortChannel_1_and_1A%22_with_LACP_channel_protocol
-Original Message-
From: cisco-nsp
be sufficient)
>
> Finally I would tend to write " no ip virtual-reassembly " on nearly
> every Interface to disable that misfeature.
>
> Hope this helps,
>
> Juergen.
>
> -Original Message-
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck
] On Behalf Of Nick
Cutting
Sent: 16 March 2016 10:37
To: Eugen Şerban; c...@marenda.net
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] NAT problem on ISR 4331
These routers are much closer to ASR than ISR - they have the same feature set.
- e.g. VASI interfaces etc.
Juergen is right about
Traceroutes from ASA / routers use UDP not ICMP
You can "inspect ICMP error" as well as allow the ICMP and UDP traceroute
versions of the message you need - this is my traceroute config I use on client
contexts:
Note these firewalls are non-internet facing so security is less important to
me
We bought a few 4451's but that was before the 4431 came out.
For edge gigabit internet devices (BGP default route only) , when NOT using
ASR1k, we now use ISR4431/K9 + 1 gig throughput license
They are one U, unlike 4451 which is 2U and somehow filled with bricks
-Original Message-
:04
To: Nick Cutting
Cc: Gert Doering; Mark Tinka; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ISR4451 or ASR920
Hi,
On Thu, Mar 31, 2016 at 08:49:05AM +, Nick Cutting wrote:
> We bought a few 4451's but that was before the 4431 came out.
>
> For edge gigabit internet devices (BG