[c-nsp] Cisco to Juniper LAG/LACP - Juniper not sending traffic over both links.
Hey networkers,

I have 3 sites connected to a service provider's MPLS network. Two of those sites (Dallas and LA) are configured as etherchannel/LACP ports with 2 1gig uplinks in them. On our end we have Catalyst 6506-E switches; the provider side is Juniper gear (I don't have model info).

The issue I am seeing is that on our side we are sending traffic out of both interfaces and appear to be load balancing correctly. The provider (Juniper) side is only sending traffic inbound to us over 1 of the links and not using the full etherchannel to load balance incoming bandwidth. On the LA end the Juniper routers are seeing two MAC addresses learned on that etherchannel - one MAC is the SVI and one MAC is one of the member ports. The Dallas side is only seeing one MAC address. The service provider is telling me that their hardware is working correctly and that the hashing algorithm on the Juniper boxes is deciding that only one link should receive traffic.

Anyone else see this issue or can provide any tips?

Thanks!
Joseph
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Cisco to Juniper LAG/LACP - Juniper not sending traffic over both links.
Just got word from the provider. They are using the default hashing algorithm, which is based on MAC address.

On Thu, Sep 6, 2012 at 4:33 PM, Andrew Miehs and...@2sheds.de wrote:
> Which hashing algorithm are they using? One based on MAC address will do exactly as you are describing.
>
> Andrew
>
> Sent from a mobile device
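As an added illustration (not code from the thread or from either vendor) of the behaviour Andrew and the provider describe: on a routed hand-off every frame toward the customer carries the same source and destination MAC pair, so a MAC-only hash always selects the same member link, while a hash over IP addresses and ports spreads flows. The XOR-fold hash is a simplified stand-in for the real algorithm, and all MACs, IPs and ports are constructed.

```python
from collections import Counter
from functools import reduce

N_LINKS = 2  # two 1 Gbit/s member links, as in the thread

# Constructed addresses: one provider router MAC, one customer SVI MAC.
PROVIDER_MAC = "00:00:5e:00:53:01"
CUSTOMER_SVI_MAC = "00:00:5e:00:53:02"

# Eight constructed flows from one provider-side host toward four customer hosts.
FLOWS = [
    {
        "src_mac": PROVIDER_MAC,
        "dst_mac": CUSTOMER_SVI_MAC,
        "src_ip": "198.51.100.10",
        "dst_ip": f"192.0.2.{20 + i // 2}",
        "src_port": 40000 + i,
        "dst_port": 443,
    }
    for i in range(8)
]


def xor_fold(data: bytes) -> int:
    """Fold a byte string into one byte by XOR (simplified stand-in hash)."""
    return reduce(lambda a, b: a ^ b, data, 0)


def hash_key(flow: dict, mode: str) -> bytes:
    """Build the bytes the hash is computed over for the given mode."""
    if mode == "mac":
        return (bytes.fromhex(flow["src_mac"].replace(":", ""))
                + bytes.fromhex(flow["dst_mac"].replace(":", "")))
    if mode == "l3l4":
        return (bytes(int(o) for o in flow["src_ip"].split("."))
                + bytes(int(o) for o in flow["dst_ip"].split("."))
                + flow["src_port"].to_bytes(2, "big")
                + flow["dst_port"].to_bytes(2, "big"))
    raise ValueError(f"unknown hash mode: {mode}")


def pick_link(flow: dict, mode: str, n_links: int = N_LINKS) -> int:
    """Return the index of the member link this flow is pinned to."""
    return xor_fold(hash_key(flow, mode)) % n_links


def link_usage(flows: list, mode: str) -> Counter:
    """Count how many flows land on each member link."""
    return Counter(pick_link(f, mode) for f in flows)


if __name__ == "__main__":
    for mode in ("mac", "l3l4"):
        print(mode, dict(link_usage(FLOWS, mode)))
```
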
Re: [c-nsp] Three ISPs - Three Edge Routers - iBGP Mesh
On Tue, Nov 22, 2011 at 8:41 AM, Mark Mason mma...@jackhenry.com wrote:
> Two of our DC's are about to get their 3rd internet drop. Each ISP connection has its own edge router. HSRP is running facing on the LAN side. Please see https://supportforums.cisco.com/message/3496562#3496562 for topology and further discussions. I expect that packets leaving the DC will hit the HSRP active, perform the route lookup and exit via the best path BGP has selected (and/or the best path my PfR setup has installed). Does anyone see any gotcha's with just letting BGP do its thing; no local-pref changing, no path prepending?
>
> Mark Mason

It should be fine. You'll get asymmetric routing regardless of what you do for the most part since you can only influence another AS' routing policies only so much using prepending. I'd only mess with localpref if you are overloading one of the links.

Joseph
Re: [c-nsp] QoS configuration conflict for flowmask on SVI interface behind FWSM
On Wed, Nov 16, 2011 at 1:49 AM, Phil Mayers p.may...@imperial.ac.uk wrote:
> On 11/16/2011 05:08 AM, Joseph Jackson wrote:
>> Hey List,
>>
>> I'm wanting to apply a policy-map to rate limit a port that is a member of a vlan that is configured as a firewalled vlan. When I apply the service-policy input to the port directly connected to the server I get this message in the logs:
>>
>> %FM_EARL7-2-SWITCH_PORT_QOS_FLOWMASK_CONFLICT: QoS configuration on switch port FastEthernet1/5 conflicts for flowmask with feature configuration on SVI interface Vlan912
>
> Can you show the class policy map you were trying to use, and the config of both interfaces (before you started)?

Here ya go.

class-map match-all limit-netcool-cdr
 match access-group 191
!
!
policy-map limit-netcool-cdr
 class limit-netcool-cdr
  police flow mask dest-only 200 62500 conform-action transmit exceed-action drop
!

Directly connected interface -

interface FastEthernet1/5
 switchport
 switchport access vlan 101
 no ip address
 speed 100
 duplex full
 spanning-tree portfast
end

SVI -

interface Vlan912
 description ***OUTSIDE***
 ip address 172.16.213.11 255.255.255.248
 standby ip 172.16.213.13
 standby timers 2 5
 standby priority 200
 standby preempt

Thanks Phil!
Re: [c-nsp] Full BGP Feed Convergence Time on ASR 1006 RP2 Setup
On Fri, Nov 11, 2011 at 2:45 AM, Mark Tinka mti...@globaltransit.net wrote:
> I just brought up an ASR1006 + RP2 + ESP20 + SIP10, peering with 3x route reflectors, receiving a full v4/v6/VPNv4 table from them, simultaneously. For v4, the 1st session was done in about 48 seconds, the other two were done about 10 seconds earlier than that. Hope this helps.
>
> Cheers,
> Mark.

Silly question time, but how are you judging that time on - router has stopped receiving prefixes on show ip bgp sum (or neighbor). Or are you defining it having a full feed with some other metric?

Thanks
Re: [c-nsp] BGP
Use a prefix list filter sending only that subnet.

2011/10/20 Mohammad Khalil eng_m...@hotmail.com:
> Hi all,
>
> I have in the attached file br1.hq is the border router which terminates 3 international links. I want to advertise the x.x.x.x subnet through the provider terminated to CR1 (the provider send default route). What is the best practice in order for only the subnet x.x.x.x to use this default route and no other subnets use?
Re: [c-nsp] need advice to analysis traffic immediately
Enable netflow on the router and export it to a collector. Here's a free one that's pretty. http://www.plixer.com/

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Deric Kwok
Sent: Thursday, December 09, 2010 12:43 PM
To: Cisco Network Service Providers
Subject: [c-nsp] need advice to analysis traffic immediately

Hi

When the bandwidth is high / spike, how can I be easy way to identify the traffic coming from in cisco

In linux, I can run the iftop -i int

Thank you
Re: [c-nsp] full routes / backup router
On Wed, Dec 8, 2010 at 5:30 PM, Adam Greene maill...@webjogger.net wrote:
> Hi,
>
> I need a backup router for a 7206VXR/NPE-400/512MB RAM than can handle full routes from a single eBGP peer. Router provides transit to an end-user. Remaining configs on router are minimal, max throughput is about 30-40Mbps. Would a 2911/512MB RAM be sufficient? Or is the CPU too puny? Maybe we need a 3825/521MB RAM? Or I guess we could just get a backup 7206VXR/NPE-400/512MB RAM.
>
> Thanks,
> Adam

If it's a backup router and only one peering session, why have full routes? Just a default route would work for all transit.
Re: [c-nsp] Multihoming
I currently do this for one of my sites and haven't had any issues. You just get a LOA from the ISP you get your /24 from and send it to the other ISP. Easy Peasy.

On Wed, Sep 15, 2010 at 10:30 AM, Heath Jones hj1...@gmail.com wrote:
> Jon there seems to be a bit of a common belief that advertising a /24 or some prefix that has been assigned by a provider, out to another provider, is bad practise. I don't get it either and haven't seen issues myself. The only scenario I can think of is (in some odd configurations) when the original provider sees part of their own network being advertised by another ISP, they filter it and it breaks connectivity, or the original provider's igp contains that prefix somehow already.. ?
>
> On 15 September 2010 16:17, Jon Lewis jle...@lewis.org wrote:
>> On Wed, 15 Sep 2010, Voigt, Thomas wrote:
>>> Hi Rocker,
>>>
>>> Rocker Feller wrote:
>>>> I am pretty new to this concept and would appreciate any guidance on how as a customer I can achieve redundancy with autofailover between 2 ISPs.
>>>
>>> You need PI space to do this. Because each ISP can only route his own PA spaces plus the PI spaces from his customers.
>>
>> You don't need PI space to multihome. At least not in the ARIN region. You do generally need at least a /24 if you want any reasonable chance of the internet accepting your BGP announcement.
>>
>> --
>> Jon Lewis, MCP :) | I route
>> Senior Network Engineer | therefore you are
>> Atlantic Net |
>> _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: [c-nsp] ouch 7204vxr reloaded
How far apart are these issues geographically? Honestly it sounds like you are just having stuff break. It happens. I've had weeks like that where stuff that has ran for years without issue starts to fail. None of the problems you are having are never been seen before. I've had a disk array controller with block errors. I've had an interface go whacked and routers restart. It happens.

On Thu, Apr 29, 2010 at 8:25 PM, Mike mike-cisconspl...@tiedyenetworks.com wrote:
> This is becoming a crisis. The logical problem solving procedure here is producing no leads or answers, I just have stuff that's beginning to die and experience 'never been seen before' malfunctions all across the network. From today, I have:
>
> An adtran ta5000 in a telco collocation space, suddenly experience the sudden restart of a single (adsl) card. No reason given.
>
> A customer router (soekris engineering SBC) had an ethernet port simply lock up and require a power cycle.
>
> A disk array controller in my noc suddenly threw up disk block errors
>
> ALL of these have _nothing_ in common. No mains power, no network connections, nothing. They are further physically separated by substantial distance and administrative domains. So every day now I am experiencing these exceptional 'never in a lifetime' events. I am beginning to think there's something environmental happening that is having a wide area of effect, maybe like an exceptional electromagnetic or alpha particle storm of some kind? I can't possibly be the only one here.
>
> Mike-
>
> eNinja wrote:
>> Let's apply logic...
>> 1 - What changed prior to the 'events'?
>> 2 - What's common to all the impacted devices experiencing the 'events'? Location, vendor, etc
>> 3 - Which other devices could be experiencing similar 'events' but aren't.
>>
>> Eninja
Re: [c-nsp] BGP - hiding AS
I like that idea. I'm going to do that for a similar type thing.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp- [EMAIL PROTECTED] On Behalf Of Mateusz Blaszczyk
Sent: Thursday, April 03, 2008 2:54 PM
To: Gary Roberton
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] BGP - hiding AS

On 03/04/2008, Gary Roberton [EMAIL PROTECTED] wrote:
> Hello All
>
> Well, my Provider does not support remove-private-as or as-override. So how can we do this now? Any ideas?

gre is your friend - do the r2 need to know about your networks? can you do the remove-private-as on r3

--
-mat
Re: [c-nsp] Router security defaults (WAS RE: Proxy ARP -- To disable, or not to disable..)
Thanks to everyone for all the great info!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp- [EMAIL PROTECTED] On Behalf Of Rikard Skjelsvik
Sent: Monday, March 24, 2008 4:42 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Router security defaults (WAS RE: Proxy ARP -- To disable, or not to disable..)

Justin Shore wrote:
> Sridhar Ayengar wrote:
>> Fred Reimer wrote:
>>> Exactly, autosecure is just a macro. It is always advisable to check the actual router configuration after it is completed. The engineer should make sure they understand how all of the commands implemented, and if they don't research them and make sure they know of any caveats.
>>
>> Is there anything similar that will allow me to take a router configuration file and interactively process it on an external system to increase security on my router?
>
> Yes. You can use RAT (Router Audit Tool). http://www.cisecurity.org/
>
> However that still doesn't exempt the admin from knowing exactly what each and every suggested command does. RAT bitches and moans about my configs because I don't ever set VTY passwords. RAT doesn't have the ability to recognize that they are not needed in my scenario because I utilize full AAA. RAT is programmed to look for certain things and give the pre-determined output. It's still a good tool but you have to understand what it's telling you to figure out if in fact there is a problem to be addressed. As always with security, there is no silver bullet.
>
> Justin

Or you could use nipper http://sourceforge.net/projects/nipper
Re: [c-nsp] External Firewall
What are you talking about then?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp- [EMAIL PROTECTED] On Behalf Of Fred Reimer
Sent: Monday, March 24, 2008 5:03 PM
To: Niels Bakker; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] External Firewall

I'm not talking about the ASR...

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Niels Bakker
Sent: Monday, March 24, 2008 5:32 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] External Firewall

* [EMAIL PROTECTED] (Fred Reimer) [Mon 24 Mar 2008, 22:28 CET]:
> Don't be giving out any NDA materials now...

The ASR and its featureset have been announced and thus are public knowledge.

-- Niels.
[c-nsp] Router security defaults (WAS RE: Proxy ARP -- To disable, or not to disable..)
After reading this message it brought to mind the default steps I take whenever a new router is configured for our network. Here's the list of the stuff I do which I got from the hardening cisco routers book. What do you guys think? Should there be anything else? I also try to run ssh on any router that can support it.

GLOBAL CONFIG
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
END GLOBAL CONFIG

Per Interface Config
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
ip cef
END Per Interface Config

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp- [EMAIL PROTECTED] On Behalf Of Eric Cables
Sent: Friday, March 21, 2008 2:13 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Proxy ARP -- To disable, or not to disable..

A recent network audit has discovered that Proxy ARP is enabled on pretty much every L3 interface in the network. As a Cisco default, this isn't surprising, since no template configs have it disabled. The question is: whether or not I should go back and disable it, or just leave it be, since it doesn't appear to be causing any problems. Any feedback would be appreciated.

--
Eric Cables
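One way to check a saved configuration against the checklist in the post above, as an added example that is not part of the original message or of any tool named in these threads. The sample configuration, the status names and the choice to audit only interfaces that carry an `ip address` line are assumptions of this sketch.

```python
# Commands the checklist disables with "no <command>" in global config.
GLOBAL_DISABLE = [
    "service finger", "service pad", "service udp-small-servers",
    "service tcp-small-servers", "cdp run", "ip bootp server",
    "ip http server", "ip finger", "ip source-route", "ip gratuitous-arps",
]
# Commands the checklist enables. The post lists "ip cef" under the
# per-interface heading; IOS accepts it in global config, so it is checked here.
GLOBAL_ENABLE = [
    "service password-encryption", "service tcp-keepalives-in",
    "service tcp-keepalives-out", "ip cef",
]
# Commands the checklist disables on each interface.
IFACE_DISABLE = [
    "ip redirects", "ip proxy-arp", "ip unreachables",
    "ip directed-broadcast", "ip mask-reply",
]

# Constructed sample configuration (documentation address ranges).
SAMPLE_CONFIG = """\
service password-encryption
no service pad
service tcp-keepalives-in
no ip source-route
ip http server
ip cef
!
interface GigabitEthernet0/0
 description uplink (constructed sample)
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 ip directed-broadcast
!
interface GigabitEthernet0/2
 no ip address
 shutdown
!
"""


def split_config(text):
    """Split a config into global lines and per-interface sub-commands."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            current = None          # separators close an interface block
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line[0] == " " and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def disable_status(lines, cmd):
    """'ok' if explicitly negated, 'enabled' if present, else 'unset'."""
    if "no " + cmd in lines:
        return "ok"
    if any(l == cmd or l.startswith(cmd + " ") for l in lines):
        return "enabled"
    return "unset"                  # neither form present: release default applies


def enable_status(lines, cmd):
    """'ok' if the command is present, else 'missing'."""
    return "ok" if cmd in lines else "missing"


def audit(text):
    """Return (scope, command, status) for every item that is not 'ok'."""
    global_lines, interfaces = split_config(text)
    findings = [("global", c, disable_status(global_lines, c)) for c in GLOBAL_DISABLE]
    findings += [("global", c, enable_status(global_lines, c)) for c in GLOBAL_ENABLE]
    for name, lines in interfaces.items():
        if not any(l.startswith("ip address ") for l in lines):
            continue                # skip interfaces without an IP address
        findings += [(name, c, disable_status(lines, c)) for c in IFACE_DISABLE]
    return [f for f in findings if f[2] != "ok"]


if __name__ == "__main__":
    for scope, cmd, status in audit(SAMPLE_CONFIG):
        print(f"{scope:20} {cmd:28} {status}")
```

An "unset" result means neither form of the command appears in the file, so the effective state is whatever that software release defaults to and has to be confirmed on the device.
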
Re: [c-nsp] Windows networking across subnets
On 2/17/08, Robert Boyle [EMAIL PROTECTED] wrote:
> At 01:39 PM 2/14/2008, Mike Blodgett wrote:
>
> MS 2000. I am just looking to see if there is a router/network hardware solution for this. The do not want to map drives, they want to see all shares/printers in Network Barrio. Welcome to government. If there is not a network solution that is all I need to know; then it becomes not my problem.
>
> Not really a Windows guy either, but if you are running NBT (netbios over tcp), to get all the entries in the network neighborhood you would have to run a WINS server. If you disable NBT in favor of raw smb over TCP, I'm not sure but I'd guess the WINS functionality was put into active directory.
>
> WINS is old technology from Windows NT and hasn't been needed for WAN networking with Windows since 2000. If you are using active directory and only use Windows 2000/2003/2008/XP/Vista computers and haven't restricted any ports needed by Windows networking, just set the remote side to use the AD servers for DNS and the remote machines will register themselves and everything will just work. Obviously, all computers you want to talk need to have their default gateway and netmask set appropriately too.
>
> -Robert

He will need a WINS server if he is wanting what I think he is (I'm a network guy but our shop is an enterprise windows 2003 AD setup). What he is most likely wanting is to be able to see other computers on different subnets through network neighborhood. There are only two ways to get that to happen.

1) Set up a WINS server and point all clients to that.
2) Have all clients be in the same broadcast domain or use IP-helper command to forward all broadcasts to the subnet that has the DHCP servers (if there are any). This will then allow you to view computers in network neighborhood.

We had to do the ip helper setup since the boss didn't want a WINS server.

Also without broadcast forwarding or a WINS server certain windows based tools won't work correctly if they have to enumerate computers/roles or users.

HTH
Joseph
[c-nsp] Telstra ADSL pix firewall running 6.3
Hey all,

Anyone have any experience with setting up a pix firewall with Telstra's business ADSL? I have a pix in sydney that I've been trying to get online but I am running into some show stoppers. Here is the relevant config from the pix:

ip address outside 165.228.203.90 255.255.255.0 pppoe setroute
(I've tried this without the IP address also)
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname [EMAIL PROTECTED]
vpdn group pppoex ppp authentication chap
vpdn username [EMAIL PROTECTED] password *

All the commands go in ok but when I do a debug pppoe packets it looks like the pix can't find the pppoe server. It does the discovery but never gets a response so fails. The telstra setup email includes an ATM VPI/VCI number but the pix doesn't support that (I'm guessing it's only for routers). I do not have outband access to the device and have been working with the datacenter's smarthands through webex (love it). I haven't been able to get in touch with Telstra as it's the weekend over there but I was wondering if you guys have come across this issue before.

Thanks!
Joseph
[c-nsp] NAT Detection with netflow or anything.
Hey all,

I've been thinking about NAT detection for security purposes (rogue wireless AP's, etc). After some searching on the google I haven't been able to come up with much. Other than a page with a few dead links to papers/tools you can use I've come up empty. Anyone have any solutions to this?

Joseph
Re: [c-nsp] PA-2T3+ don't want to use anymore multilinks
Oops I meant PA-MC-T3 interface cards. Silly me.

On 2/4/08, Joseph Jackson [EMAIL PROTECTED] wrote:
> Hey all,
>
> I have 2 PA-2T3+ at the end of a DS3. I am currently having to split all the t1's off of it and then reform them in a MPPP bundle. Is there any way around this with those interface cards? It's not a full DS3 as a few channels are split off for voice but I'd like to take all the remaining channels and just use them as one pipe instead of these MPPP bundles which don't seem to be providing enough bandwidth.
>
> Thanks
> Joseph
[c-nsp] PA-2T3+ don't want to use anymore multilinks
Hey all,

I have 2 PA-2T3+ at the end of a DS3. I am currently having to split all the t1's off of it and then reform them in a MPPP bundle. Is there any way around this with those interface cards? It's not a full DS3 as a few channels are split off for voice but I'd like to take all the remaining channels and just use them as one pipe instead of these MPPP bundles which don't seem to be providing enough bandwidth.

Thanks
Joseph
Re: [c-nsp] Line Code Violations on DS3
On 2/1/08, Gregory Boehnlein [EMAIL PROTECTED] wrote:
> Try putting a 12 db attenuator on the transmit portion, then re-try your loopback. We've found that the PA-MC-T3 cards tend to overdrive the DS3 a bit, and the only way that we've been able to get rid of the errors is attenuating the transmit load.
>
> Interesting, you're saying to put an attenuator on the transmit portion of the card. Some of the Cisco documentation is saying to put it on the receive portion. Is there any way using the show controller output to tell which one has the hot signal?
>
> He meant on the PA's receive (the telco's transmit). PA-MC-T3s are somewhat notorious for being sensitive to overly hot signals...where cisco's definition of 'overly hot' is 'normal' to several other vendors. In a pinch, if you can't find a suitable attenuator, you can use a really long service loop and/or multiple DS3 cables connected together using barrel connectors. We have at least one installation where after switching from a CAC Widebank28 to an Adtran mux, we ended up needing a coiled up 50' service loop sitting on top of the mux to keep the PA-MC-T3 happy.
>
> Jon, yes.. thank you .. that was exactly what I was getting at.. We, too, have several DS3's w/ 75 feet of coiled up cable sitting in the bottom of a cabinet to get the Adtran MX-2800s and the PA-MC-CT3's to play nice together. I know that to most people that sounds counter intuitive, but keep in mind the signals were meant to be driven over much longer distances than the typical 6 foot Patch Panel to CPE that exists in lots of data center installations.

Ok this might sound weird but I LOVE YOU GUYS. We've been having this problem using an adtran mux. Line code violations and P-bit errors all over the place on only one end. I was just about to email the list when I thought I'd better search for this problem. I'm going to try the stuff suggested now. Thanks!

Joseph
[c-nsp] Top 10 Network Engineering Tools
Hey all,

Myself and a coworker are trying to get together a list of the top ten tools any network engineer shouldn't be without. We're looking for vendor neutral tools. So what do you all think are the must-haves?

Thanks
Joseph
Re: [c-nsp] Top 10 Network Engineering Tools
Thanks for all the great replies. I will compile a list of everything that I've received and email the list.
[c-nsp] Tacacs+ accounting on ASA/PIX 7.x
Hey all,

I know in the past the pix/asa would not generate account records of what commands were entered on the device. Does anyone know if this has changed? I've read some docs that talk about accounting traffic that passes THROUGH the device but not accounting for what commands are entered on the device from what user, like you get on an IOS router.

Thanks
Joseph
Re: [c-nsp] multilink bundle
It is coming out of an adtran T3su. I will give this a shot.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Weis
Sent: Wednesday, December 05, 2007 8:52 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] multilink bundle

Bill Nash wrote:
> Convert it to a full data pipe and find another way to transport the voice traffic over it? This is out of my scope, but it seems like VOIP could be a winner here.

If you want to stay TDM get a pair of Adtran T3SU's appropriately carded and drop out the unused portion of the DS3 as HSSI.

djweis
[c-nsp] multilink bundle
Would it be considered retarded to put 23 T1's into a multilink bundle?

Joseph
Re: [c-nsp] multilink bundle
Just to answer everyone's questions here's the story.

One end has a 7206 NPE G1 with 1 gig of ram
other end has 7204 NPE 300 with 256 megs of ram
Each router has a PA-MC-T3= (the channelized ds3 card)

We do have a ds3, it just has channels 1-5 stripped off it to do voice between the locations. I would like to use the rest of the DS3's bandwidth for data but I can't seem to find a way to do that without just using a crap load of T1's put into multilink bundles. Any ideas?

Thanks
Joseph

From: Doug Clements [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 04, 2007 5:10 PM
To: Joseph Jackson
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] multilink bundle

On Dec 4, 2007 4:49 PM, Joseph Jackson [EMAIL PROTECTED] wrote:
> Would it be considered retarded to put 23 T1's into a multilink bundle?

I wouldn't try it, but assuming you're running 7500, there are hardware limitations:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t3/multippp.htm#wp1025005

--Doug
[c-nsp] DSL router recommendation
Hey all,

We are starting to look at a standard DSL router / VPN device for our remote engineering workers. I was wondering if any of you have any recommendations on what router from cisco would be the best setup. I'm looking at the product page for the 857 which looks pretty good but was wondering if anyone had any other options out there.

Thanks
Joseph
Re: [c-nsp] DSL router recommendation
Have you ever run into any problems with connecting them to a DSL network? Our users are all over the country and it wouldn't be fun to find out that DSL provider A supports our routers but DSL provider B doesn't. Anyone ever run into that problem?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Justin M. Streiner
Sent: Monday, October 08, 2007 12:20 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] DSL router recommendation

On Mon, 8 Oct 2007, Alex Balashov wrote:
> I am accustomed to using the Cisco 837 with crypto module for this purpose. It has always served me extremely well.

I've used the Cisco SB (Small Business) 107 ADSL router at client sites and they work great. They're also pretty reasonably priced.

jms
Re: [c-nsp] Configure two AS on one BGP router
You could do it inside a VRF, but I don't know if it would work for what you want since it makes separate routing tables.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Haan
Sent: Tuesday, July 03, 2007 10:34 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Configure two AS on one BGP router

Hi Everyone,

Is it possible to configure two ASes on one BGP router? If it's possible, how many feeds we are going to receive from an ISP peer? One or Two?

Thanks,
Alex
Re: [c-nsp] Configure two AS on one BGP router
Oh yep, you guys are correct. There is no option to do BGP within a VRF. At least not on any of the hardware I am running.

Sorry!
Joseph

-----Original Message-----
From: Skeeve Stevens [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 03, 2007 10:58 AM
To: 'Paul Stewart'; Joseph Jackson; 'Alex Haan'; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] Configure two AS on one BGP router

No.

On a 7200-npe400 running disk0:c7200-ik9o3s-mz.124-13a.bin

Router(config)#router bgp 12345
BGP is already running; AS is 6789

...Skeeve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Stewart
Sent: Wednesday, 4 July 2007 3:45 AM
To: 'Joseph Jackson'; 'Alex Haan'; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Configure two AS on one BGP router

Never done it... But can you not create:

router bgp 12345
 network x.x.x.x
etc...
router bgp 98765
 network x.x.x.x

into the same router??

Paul

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joseph Jackson
Sent: Tuesday, July 03, 2007 1:39 PM
To: Alex Haan; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Configure two AS on one BGP router

You could do it inside a VRF, but I don't know if it would work for what you want since it makes separate routing tables.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Haan
Sent: Tuesday, July 03, 2007 10:34 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Configure two AS on one BGP router

Hi Everyone,

Is it possible to configure two ASes on one BGP router? If it's possible, how many feeds we are going to receive from an ISP peer? One or Two?

Thanks,
Alex
Re: [c-nsp] Private ASN
You should be able to do it easily (sounds like you have it already set up). Check out this link:
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080093f27.shtml
It explains what you are wanting to do.

Joseph

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raman Sud
Sent: Friday, June 01, 2007 10:53 AM
To: cisco-nsp@puck.nether.net
Cc: cisco-nsp@puck.nether.net
Subject: [c-nsp] Private ASN

Is there a way to set up BGP with a customer using a private ASN and still be able to route that IP block over the internet? I am removing private ASN from leaving our network but I have not tested the implementation where traffic originating from Private AS can pass thru to the internet.

Any ideas?

Thanks
Raman
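The setup asked about in this thread, sketched as an added IOS configuration example (not taken from the posts or from the linked Cisco note). All values are assumptions: 64500 and 64501 are documentation ASNs standing in for the provider and its upstream, 65010 is the customer's private ASN, the addresses are RFC 5737 documentation ranges, and the prefix-list name CUST-IN is hypothetical.

```cisco
! Constructed example: all ASNs, addresses and names below are placeholders.
router bgp 64500
 !
 ! Customer session: the customer peers from private AS 65010.
 neighbor 192.0.2.2 remote-as 65010
 neighbor 192.0.2.2 description CUSTOMER-PRIVATE-AS
 ! Accept only the block assigned to this customer, so a private-AS
 ! peer cannot inject prefixes it does not hold.
 neighbor 192.0.2.2 prefix-list CUST-IN in
 !
 ! Upstream session: strip the private ASN from the AS path before
 ! the update leaves the provider network.
 neighbor 198.51.100.1 remote-as 64501
 neighbor 198.51.100.1 description UPSTREAM
 neighbor 198.51.100.1 remove-private-as
!
ip prefix-list CUST-IN seq 5 permit 203.0.113.0/24
```

With this in place the upstream sees 203.0.113.0/24 with an AS path of 64500 only, so the block is reachable from the internet as if the provider originated it. Packet forwarding follows the routing table, not the ASN, so the customer's traffic passes through regardless of which AS number its session uses.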
[c-nsp] Cisco PIX IPSEC remote access vpn stability
Hey list!

We currently use PIX running 7.2.2 as our VPN end point for our remote access users and LAN2LAN connections. The LAN2LAN connections seem to remain stable while we get 3 to 4 complaints about the remote access VPN disconnecting users. Looking at the syslog reports, they seem to be DPD disconnects. If it was just one user on a certain ISP I wouldn't even ask the list, but have any of you noticed that the remote access IPSec VPN seems to be VERY latency sensitive?

Thanks all!
Joseph Jackson