[nsp] Problems with static IP DSL config

Dan Lockwood dlockwood at shastalink.k12.ca.us
Thu Aug 28 12:59:38 EDT 2003


I think you may be missing 'bridge ip route ip' in global config mode.

Dan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
cisco-nsp-request at puck.nether.net
Sent: Wednesday, August 27, 2003 21:47
To: cisco-nsp at puck.nether.net
Subject: cisco-nsp Digest, Vol 9, Issue 55




Today's Topics:

   1. Re: Nachi worm mitigation finds bug in 7500 dCEF (Gert Doering)
   2. Re: Nachi worm mitigation finds bug in 7500 dCEF (Greg Steele)
   3. Problems with static IP DSL config (james)
   4. Re: Problems with static IP DSL config (corrected) (james)
   5. Securing Cisco Layer2 (esp. VTP & VLAN 1) (Pete Kruckenberg)
   6. Who's in my VTP domain (Pete Kruckenberg)
   7. Re: Nachi worm mitigation finds bug in 7500 dCEF (Jared Mauch)
   8. RE: Securing Cisco Layer2 (esp. VTP & VLAN 1) (Sean Mathias)
   9. RE: Who's in my VTP domain (Temkin, David)
  10. 5300 redundant power supply (Michael Crone)
  11. Re: Problems with static IP DSL config (james)


----------------------------------------------------------------------

Message: 1
Date: Thu, 28 Aug 2003 00:37:37 +0200
From: Gert Doering <gert at greenie.muc.de>
Subject: Re: [nsp] Nachi worm mitigation finds bug in 7500 dCEF
To: "Oliver Boehmer (oboehmer)" <oboehmer at cisco.com>
Cc: Greg Steele <steele at oar.net>, cisco-nsp at puck.nether.net,
	jlewis at lewis.org
Message-ID: <20030828003737.H594 at greenie.muc.de>
Content-Type: text/plain; charset=us-ascii

Hi,

On Wed, Aug 27, 2003 at 07:07:29PM +0200, Oliver Boehmer (oboehmer)
wrote:
> Named ACLs are not supported with dCEF until 12.1(5)T/12.2.

What does "not supported" mean in this context?  Will it fall back to
CPU switching, or will it just ignore the access list?

gert
-- 
USENET is *not* the non-clickable part of WWW!
 
//www.muc.de/~gert/
Gert Doering - Munich, Germany
gert at greenie.muc.de
fax: +49-89-35655025
gert at net.informatik.tu-muenchen.de

------------------------------

Message: 2
Date: Wed, 27 Aug 2003 18:54:08 -0400 (EDT)
From: Greg Steele <steele at oar.net>
Subject: Re: [nsp] Nachi worm mitigation finds bug in 7500 dCEF
To: gert at greenie.muc.de (Gert Doering)
Cc: Greg Steele <steele at oar.net>, jlewis at lewis.org,
	cisco-nsp at puck.nether.net
Message-ID: <200308272254.h7RMs8h8004051 at ra.oar.net>
Content-Type: text/plain; charset=us-ascii

Experience says it ignores the access list.

...Greg
> 
> Hi,
> 
> On Wed, Aug 27, 2003 at 07:07:29PM +0200, Oliver Boehmer (oboehmer) 
> wrote:
> > Named ACLs are not supported with dCEF until 12.1(5)T/12.2.
> 
> What does "not supported" mean in this context?  Will it fall back to 
> CPU switching, or will it just ignore the access list?
> 
> gert
> --
> USENET is *not* the non-clickable part of WWW!
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany
> gert at greenie.muc.de
> fax: +49-89-35655025
> gert at net.informatik.tu-muenchen.de
> 


------------------------------

Message: 3
Date: Wed, 27 Aug 2003 17:54:55 -0600
From: "james" <hackerwacker at cybermesa.com>
Subject: [nsp] Problems with static IP DSL config
To: <cisco-nsp at puck.nether.net>
Message-ID: <073101c36cf6$9d8af4b0$0200000a at jamesnew>
Content-Type: text/plain;	charset="iso-8859-1"

I am having no luck bringing a customer up on the interface for customers
receiving a static IP, interface ATM1/IMA0.2 multipoint. Doing a "show arp"
I only see "incomplete" for the addresses assigned to BVI2, except for the
IP assigned to BVI2 itself. Take a look at my config and see what I am
missing.


c2600-js-mz.121-19.bin on a Cisco 2620
ip classless
ip subnet-zero
ip cef
!
bridge irb
ip dhcp pool valor
   network 65.a.b.0 255.255.255.0
   domain-name cybermesa.com
   default-router 65.a.b.1
   dns-server xxx.xxx.xxx.xxx
   lease 0 6
!
interface ATM1/0
 no ip address
 no atm ilmi-keepalive
 ima-group 0
 no scrambling-payload
!
interface ATM1/1
 description Espanola Valor ATM T1 # 2
 no ip address
 no atm ilmi-keepalive
 ima-group 0
 no scrambling-payload
!
interface ATM1/IMA0
 no ip address
 atm ilmi-keepalive
 ima differential-delay-maximum 100
!
interface ATM1/IMA0.1 multipoint
 description Espanola DSL Bridged IMA group
 pvc 0/37
 !
 pvc 0/36
 !
 <etc>
 bridge-group 1
!
!
interface ATM1/IMA0.2 multipoint
 description static DSL customers
 no ip redirects
 no ip unreachables
 no ip mroute-cache
 pvc 0/39
  protocol ip 65.a.c.2 no broadcast
 !
 bridge-group 2
!
interface BVI1
 ip address 65.a.b.1 255.255.255.0
 no ip unreachables
 no ip proxy-arp
 arp timeout 3600
 clns mtu 1514
!
interface BVI2
 ip address 65.a.c.1 255.255.255.128
 no ip unreachables
 no ip proxy-arp
 arp timeout 3600
 clns mtu 1514
!

esp-dsl#sho ip route 65.a.c.0
Routing entry for 65.a.c.0/25
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Redistributing via eigrp 101
  Routing Descriptor Blocks:
  * directly connected, via BVI2
      Route metric is 0, traffic share count is 1

esp-dsl#sho atm pvc 0/39
ATM1/IMA0.2: VCD: 170, VPI: 0, VCI: 39
UBR, PeakRate: 3000
AAL5-LLC/SNAP, etype:0x0, Flags: 0xC20, VCmode: 0x0
OAM frequency: 0 second(s), OAM retry frequency: 1 second(s), OAM retry frequency: 1 second(s)
OAM up retry count: 3, OAM down retry count: 5
OAM Loopback status: OAM Disabled
OAM VC state: Not Managed
ILMI VC state: Not Managed
InARP frequency: 15 minutes(s)
Transmit priority 4
InPkts: 105, OutPkts: 27137, InBytes: 15451, OutBytes: 1892302
InPRoc: 104, OutPRoc: 27137, Broadcasts: 0
InFast: 1, OutFast: 0, InAS: 0, OutAS: 0
InPktDrops: 0, OutPktDrops: 0/0/0 (holdq/outputq/total)
CrcErrors: 0, SarTimeOuts: 0, OverSizedSDUs: 0
OAM cells received: 0
F5 InEndloop: 0, F5 InSegloop: 0, F5 InAIS: 0, F5 InRDI: 0
F4 InEndloop: 0, F4 InSegloop: 0, F4 InAIS: 0, F4 InRDI: 0
OAM cells sent: 0
F5 OutEndloop: 0, F5 OutSegloop: 0, F5 OutRDI: 0
F4 OutEndloop: 0, F4 OutSegloop: 0, F4 OutRDI: 0
OAM cell drops: 0
Status: UP
esp-dsl#




James Edwards
Routing and Security
jamesh at cybermesa.com
At the Santa Fe Office: Internet at Cyber Mesa
Store hours: 9-6 Monday through Friday
Phone support 365 days till 10 pm via the Santa Fe office:
505-988-9200 or Toll Free: 888-988-2700



------------------------------

Message: 4
Date: Wed, 27 Aug 2003 17:58:29 -0600
From: "james" <hackerwacker at cybermesa.com>
Subject: [nsp] Re: Problems with static IP DSL config (corrected)
To: <cisco-nsp at puck.nether.net>
Message-ID: <073c01c36cf7$1cfc8920$0200000a at jamesnew>
Content-Type: text/plain;	charset="iso-8859-1"

Oops, forgot to include this most important part in the config I just
posted!

bridge 1 protocol ieee
 bridge 1 route ip
bridge 2 protocol ieee
 bridge 2 route ip

: c2600-js-mz.121-19.bin on a Cisco 2620
: ip classless
: ip subnet-zero
: ip cef
: !
: bridge irb
: ip dhcp pool valor
:    network 65.a.b.0 255.255.255.0
:    domain-name cybermesa.com
:    default-router 65.a.b.1
:    dns-server xxx.xxx.xxx.xxx
:    lease 0 6
: !
: interface ATM1/0
:  no ip address
:  no atm ilmi-keepalive
:  ima-group 0
:  no scrambling-payload
: !
: interface ATM1/1
:  description Espanola Valor ATM T1 # 2
:  no ip address
:  no atm ilmi-keepalive
:  ima-group 0
:  no scrambling-payload
: !
: interface ATM1/IMA0
:  no ip address
:  atm ilmi-keepalive
:  ima differential-delay-maximum 100
: !
: interface ATM1/IMA0.1 multipoint
:  description Espanola DSL Bridged IMA group
:  pvc 0/37
:  !
:  pvc 0/36
:  !
:  <etc>
:  bridge-group 1
: !
: !
: interface ATM1/IMA0.2 multipoint
:  description static DSL customers
:  no ip redirects
:  no ip unreachables
:  no ip mroute-cache
:  pvc 0/39
:   protocol ip 65.a.c.2 no broadcast
:  !
:  bridge-group 2
: !
: interface BVI1
:  ip address 65.a.b.1 255.255.255.0
:  no ip unreachables
:  no ip proxy-arp
:  arp timeout 3600
:  clns mtu 1514
: !
: interface BVI2
:  ip address 65.a.c.1 255.255.255.128
:  no ip unreachables
:  no ip proxy-arp
:  arp timeout 3600
:  clns mtu 1514
: !
: 
bridge 1 protocol ieee
 bridge 1 route ip
bridge 2 protocol ieee
 bridge 2 route ip

: esp-dsl#sho ip route 65.a.c.0
: Routing entry for 65.a.c.0/25
:   Known via "connected", distance 0, metric 0 (connected, via interface)
:   Redistributing via eigrp 101
:   Routing Descriptor Blocks:
:   * directly connected, via BVI2
:       Route metric is 0, traffic share count is 1
: 
: esp-dsl#sho atm pvc 0/39
: ATM1/IMA0.2: VCD: 170, VPI: 0, VCI: 39
: UBR, PeakRate: 3000
: AAL5-LLC/SNAP, etype:0x0, Flags: 0xC20, VCmode: 0x0
: OAM frequency: 0 second(s), OAM retry frequency: 1 second(s), OAM retry frequency: 1 second(s)
: OAM up retry count: 3, OAM down retry count: 5
: OAM Loopback status: OAM Disabled
: OAM VC state: Not Managed
: ILMI VC state: Not Managed
: InARP frequency: 15 minutes(s)
: Transmit priority 4
: InPkts: 105, OutPkts: 27137, InBytes: 15451, OutBytes: 1892302
: InPRoc: 104, OutPRoc: 27137, Broadcasts: 0
: InFast: 1, OutFast: 0, InAS: 0, OutAS: 0
: InPktDrops: 0, OutPktDrops: 0/0/0 (holdq/outputq/total)
: CrcErrors: 0, SarTimeOuts: 0, OverSizedSDUs: 0
: OAM cells received: 0
: F5 InEndloop: 0, F5 InSegloop: 0, F5 InAIS: 0, F5 InRDI: 0
: F4 InEndloop: 0, F4 InSegloop: 0, F4 InAIS: 0, F4 InRDI: 0
: OAM cells sent: 0
: F5 OutEndloop: 0, F5 OutSegloop: 0, F5 OutRDI: 0
: F4 OutEndloop: 0, F4 OutSegloop: 0, F4 OutRDI: 0
: OAM cell drops: 0
: Status: UP
: esp-dsl#
: 
: 
: 
: 
: James Edwards
: Routing and Security
: jamesh at cybermesa.com
: At the Santa Fe Office: Internet at Cyber Mesa
: Store hours: 9-6 Monday through Friday
: Phone support 365 days till 10 pm via the Santa Fe office:
: 505-988-9200 or Toll Free: 888-988-2700
: 
: 

------------------------------

Message: 5
Date: Wed, 27 Aug 2003 18:01:20 -0600 (MDT)
From: Pete Kruckenberg <pete at kruckenberg.com>
Subject: [nsp] Securing Cisco Layer2 (esp. VTP & VLAN 1)
To: <cisco-nsp at puck.nether.net>
Message-ID:
	<Pine.LNX.4.33.0308271749410.15236-100000 at minot.kruckenberg.com>
Content-Type: TEXT/PLAIN; charset=US-ASCII

I'm implementing a fairly large public Ethernet WAN/MAN
network, using primarily Cisco L2/L3 switches (6500, 4500,
3750, 3550). I'm finding out the hard way that VTP and VLAN
1, while they are friends to the Cisco enterprise network
engineer, are becoming a nightmare for me.

My basic question: what are best practices for securing VTP
and VLAN 1 in a Cisco Layer2 network (ie no Layer3
boundaries), so individual organizations connected to that
network don't end up configuring each other's networks?

Right now, I am blocking VLAN1 on the dot1Q trunks between
my switches and customer switches, both on my side and the
CPE side. I am configuring VTP to transparent mode on the
customer switch and setting the VTP domain to some random
name. This all so VTP can only be enabled with multiple,
deliberate configuration changes. Is this a good solution?  
What else should I be doing, or what shouldn't I be doing?

A specific concern: can I safely block VLAN1 between Cisco
switches without breaking things (esp my ability to manage
the switches in-band)? What about changing the native VLAN
(especially to get rid of those pesky syslog messages), is
that a good idea and would it help solve these problems?

Any good resources on CCO or elsewhere that I should read?

Thanks for your help and insight.
Pete.


------------------------------

Message: 6
Date: Wed, 27 Aug 2003 18:04:02 -0600 (MDT)
From: Pete Kruckenberg <pete at kruckenberg.com>
Subject: [nsp] Who's in my VTP domain
To: <cisco-nsp at puck.nether.net>
Message-ID:
	<Pine.LNX.4.33.0308271801310.15236-100000 at minot.kruckenberg.com>
Content-Type: TEXT/PLAIN; charset=US-ASCII

Another unrelated question on the VTP topic.

I had a rather nasty outage today when I discovered that 
some switches are in my VTP domain, acting as servers, that 
I was not aware of.

Is there any way to determine what VTP servers and VTP 
clients are in a given domain?

Short of blocking VLAN 1 on a trunk, is there any other way
(such as disabling VTP on the trunk) to block VTP
traffic--can I run VLAN 1 between two switches, but restrict
VTP traffic from traversing the trunk?

Thanks again.

Pete.



------------------------------

Message: 7
Date: Wed, 27 Aug 2003 20:31:13 -0400
From: Jared Mauch <jared at puck.nether.net>
Subject: Re: [nsp] Nachi worm mitigation finds bug in 7500 dCEF
To: Gert Doering <gert at greenie.muc.de>
Cc: Greg Steele <steele at oar.net>, cisco-nsp at puck.nether.net,
	jlewis at lewis.org
Message-ID: <20030828003113.GC30221 at puck.nether.net>
Content-Type: text/plain; charset=us-ascii

On Thu, Aug 28, 2003 at 12:37:37AM +0200, Gert Doering wrote:
> Hi,
> 
> On Wed, Aug 27, 2003 at 07:07:29PM +0200, Oliver Boehmer (oboehmer)
wrote:
> > Named ACLs are not supported with dCEF until 12.1(5)T/12.2.
> 
> What does "not supported" mean in this context?  Will it fall back to
> CPU switching, or will it just ignore the access list?

	i'm guessing it means process switched.

	- jared

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only
mine.
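Greg and Jared give different answers to Gert's question, and from an operator's point of view the first one is the dangerous case: a filter that is silently ignored is a fail-open. On a release before 12.1(5)T/12.2 the safe course is not to rely on a named ACL with dCEF at all. The fragment below is an added example and not configuration from anyone in this thread: it shows one placeholder filter (drop ICMP echo from a source prefix) written as a named ACL and as the equivalent numbered extended ACL, followed by the show commands that tell the two failure modes apart. The prefix 192.0.2.0/24, the ACL names and numbers and the interface name are placeholders.

```cisco
! Named extended ACL: per Oliver's note, not supported with dCEF on
! this platform before 12.1(5)T / 12.2
ip access-list extended WORM-FILTER
 deny   icmp 192.0.2.0 0.0.0.255 any echo
 permit ip any any
!
! The same filter as a numbered extended ACL (range 100-199), which the
! older trains do handle in the dCEF path
access-list 150 deny   icmp 192.0.2.0 0.0.0.255 any echo
access-list 150 permit ip any any
!
interface FastEthernet1/0/0
 ip access-group 150 in
!
! Checks (run while the source prefix is known to be sending):
! show access-lists 150
!   - the deny counter must move; a counter stuck at 0 under load means
!     the filter is not being applied, which is Greg's "ignored" case
! show interfaces FastEthernet1/0/0 stats
!   - the Processor row growing while Distributed cache stalls means the
!     ACL pushed traffic to process switching, which is Jared's case
! show cef interface FastEthernet1/0/0
!   - confirms the interface is still CEF/dCEF switched with the ACL bound
```

If the counters move and the distributed path is still taking the traffic, the numbered ACL is doing its job; either of the other two outcomes means the mitigation has to be re-checked before assuming the worm traffic is being dropped.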

------------------------------

Message: 8
Date: Wed, 27 Aug 2003 19:46:33 -0700
From: "Sean Mathias" <seanm at prosolve.com>
Subject: RE: [nsp] Securing Cisco Layer2 (esp. VTP & VLAN 1)
To: <cisco-nsp at puck.nether.net>
Message-ID: <CD855A91DC3CD411BEB20050DA2CB7D11EE0F1 at fs01.prosolve.com>
Content-Type: text/plain;	charset="US-ASCII"

In 7.2 and later CatOS (maybe even earlier releases), set vtp off.  As
for VLAN1, don't use it.  You do not have to put the console port (sc0)
in VLAN1, simply remap it to another 'secure' vlan.

Bear in mind that there is really nothing special about VLAN1,
especially if there are no ports assigned to it.

Sean

-----Original Message-----
From: Pete Kruckenberg [mailto:pete at kruckenberg.com] 
Sent: Wednesday, August 27, 2003 5:01 PM
To: cisco-nsp at puck.nether.net
Subject: [nsp] Securing Cisco Layer2 (esp. VTP & VLAN 1)


I'm implementing a fairly large public Ethernet WAN/MAN network, using
primarily Cisco L2/L3 switches (6500, 4500, 3750, 3550). I'm finding out
the hard way that VTP and VLAN 1, while they are friends to the Cisco
enterprise network engineer, are becoming a nightmare for me.

My basic question: what are best practices for securing VTP
and VLAN 1 in a Cisco Layer2 network (ie no Layer3
boundaries), so individual organizations connected to that network don't
end up configuring each other's networks?

Right now, I am blocking VLAN1 on the dot1Q trunks between
my switches and customer switches, both on my side and the
CPE side. I am configuring VTP to transparent mode on the customer
switch and setting the VTP domain to some random name. This all so VTP
can only be enabled with multiple, deliberate configuration changes. Is
this a good solution?  
What else should I be doing, or what shouldn't I be doing?

A specific concern: can I safely block VLAN1 between Cisco switches
without breaking things (esp my ability to manage the switches in-band)?
What about changing the native VLAN (especially to get rid of those
pesky syslog messages), is that a good idea and would it help solve
these problems?

Any good resources on CCO or elsewhere that I should read?

Thanks for your help and insight.
Pete.

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


------------------------------

Message: 9
Date: Wed, 27 Aug 2003 22:51:50 -0400
From: "Temkin, David" <temkin at sig.com>
Subject: RE: [nsp] Who's in my VTP domain
To: "'Pete Kruckenberg'" <pete at kruckenberg.com>,
	cisco-nsp at puck.nether.net
Message-ID:
	<DDE1D547D9B5B741A47D7354A5FFF4B701F50831 at msgbal509.ds.susq.com>
Content-Type: text/plain

You could set a VTP password to block rogue switches from affecting your
VTP domain...

You could also do "set vtp mode off" on a CatOS switch, or go for vtp
transparent to not allow VTP to affect the local switch.

You could also use bogus random character vtp domain names on every
switch.



-----Original Message-----
From: Pete Kruckenberg [mailto:pete at kruckenberg.com] 
Sent: Wednesday, August 27, 2003 8:04 PM
To: cisco-nsp at puck.nether.net
Subject: [nsp] Who's in my VTP domain


Another unrelated question on the VTP topic.

I had a rather nasty outage today when I discovered that 
some switches are in my VTP domain, acting as servers, that 
I was not aware of.

Is there any way to determine what VTP servers and VTP 
clients are in a given domain?

Short of blocking VLAN 1 on a trunk, is there any other way (such as
disabling VTP on the trunk) to block VTP traffic--can I run VLAN 1
between two switches, but restrict VTP traffic from traversing the trunk?

Thanks again.

Pete.


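Putting Sean's and David's suggestions into Catalyst IOS syntax for a customer-facing trunk, as an added example that is not configuration from anyone in this thread. One caveat answers Pete's second question directly: clearing VLAN 1 from a trunk's allowed list stops user traffic in VLAN 1, but the switch's own control protocols (CDP, VTP, DTP, PAgP) are still sent on VLAN 1 across that trunk, so the VTP mode and password, not the allowed-VLAN list, are what actually protect the domain. The VLAN numbers, domain name, password, addresses and interface name below are placeholders; `vlan dot1q tag native` is a 6500-specific global command and is only noted in a comment.

```cisco
! Defaults that let a neighbour's switch rewrite your VLAN database:
! vtp mode server, no VTP password, VLAN 1 native and allowed, DTP on.
!
! Per-switch VTP settings: transparent mode (Sean's CatOS equivalent is
! 'set vtp mode off'), a domain name nobody will guess, and a password
! so a rogue server with a higher revision number is rejected anyway
vtp mode transparent
vtp domain x7k2q9-no-vtp-here
vtp password Ch4ng3-th1s-p3r-s1te
!
! In transparent mode VLANs are created locally
vlan 900
 name MGMT
vlan 999
 name UNUSED-NATIVE
!
! In-band management moves off VLAN 1
interface Vlan900
 ip address 192.0.2.10 255.255.255.0
interface Vlan1
 no ip address
 shutdown
!
! Customer-facing trunk: unused native VLAN, DTP off so the customer
! cannot negotiate anything, and only the customer's VLANs allowed
! (VLAN 1 and the management VLAN are therefore pruned)
interface GigabitEthernet0/1
 description customer-trunk
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 101-110
 switchport mode trunk
 switchport nonegotiate
! On a 6500 add the global 'vlan dot1q tag native' so native-VLAN frames
! are tagged too.
!
! Checks:
! show vtp status
!   - Mode, domain and configuration revision; the line
!     "Configuration last modified by <ip> at <time>" names the last
!     server that pushed a change (the rogue from Pete's outage), provided
!     that switch had an address in its management VLAN
! show interfaces trunk
!   - native VLAN 999 and VLAN 1 absent from the allowed/active lists
! show cdp neighbors
!   - the list of directly attached switches to walk when inventorying
!     who else claims to be in the domain
```

There is no per-trunk knob that filters VTP while leaving VLAN 1 up; the protection lives in the VTP mode and password on each switch, so those two settings are the ones to audit first across the inventory.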

------------------------------

Message: 10
Date: Thu, 28 Aug 2003 11:50:14 +0800
From: "Michael Crone" <mcrone at chime.net.au>
Subject: [nsp] 5300 redundant power supply
To: <cisco-nsp at puck.nether.net>
Message-ID: <01cb01c36d17$7cd38c20$ae023b0a at win2k.iinet.net.au>
Content-Type: text/plain;	charset="iso-8859-1"

Hi,

We have received a batch of 5300's that have redundant power supplies. We
are only supplying power to one of them. We therefore receive the
following message:

00:14:01: %RPS-3-MULTFAIL: There is more than one failure with the Redundant Power System; please resolve problems immediately

Is there any way to tell the NAS that we only want to use one power
supply, or at least to suppress this message?

Cheers,

Michael Crone
Network Administrator
Chime Communications

@: mcrone at chime.net.au
P: (08) 9213 1319
M: 0407 500 015


------------------------------

Message: 11
Date: Wed, 27 Aug 2003 21:56:22 -0600
From: "james" <hackerwacker at cybermesa.com>
Subject: Re: [nsp] Problems with static IP DSL config
To: <brwatters at abs-internet.com>
Cc: cisco-nsp at puck.nether.net
Message-ID: <00c501c36d18$5c349b20$1500000a at taproot.bz>
Content-Type: text/plain;	charset="iso-8859-1"

: Looks like you might be missing this
: 
: bridge 1 protocol ieee
: bridge 1 route ip

See my next post, I forgot to include these statements for both bridge
groups (1 & 2)
in my first post. However they are in my config. It's Bridge group 2
that is causing the problems.

james
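For comparison with James's configuration, here is a minimal IRB layout for a static-IP bridged DSL PVC, written as an added example and not as a diagnosis of his case or as configuration from anyone in the thread, together with the show commands that narrow down where ARP resolution on a BVI is failing. The addresses, the PVC number and the customer host address are placeholders.

```cisco
! Global: IRB, one bridge group per customer pool. 'bridge 2 route ip'
! is what lets BVI2 terminate IP for the bridged segment; without it
! the BVI never answers ARP.
bridge irb
bridge 2 protocol ieee
bridge 2 route ip
!
! Customer PVC carried as bridged RFC 1483; the hosts live inside the
! bridge group and are reached by ARP through BVI2
interface ATM1/IMA0.2 multipoint
 description static DSL customers
 pvc 0/39
  encapsulation aal5snap
 !
 bridge-group 2
!
interface BVI2
 ip address 192.0.2.1 255.255.255.128
 no ip proxy-arp
!
! Checks, in order:
! show bridge 2
!   - the customer host's MAC must appear, learned on ATM1/IMA0.2; if no
!     MAC is ever learned, no frames from the host are reaching the
!     bridge group and the problem is on the PVC or the CPE bridge mode
! show interfaces bvi2
!   - must be up/up; a BVI stays down until its bridge group has a member
! show ip arp 192.0.2.2
!   - "Incomplete" with a MAC present in 'show bridge 2' means the host
!     sees the request but is not answering (wrong address or mask on the
!     host side)
! debug arp
!   - watch for the reply, not only the outgoing request
```

The split between "MAC learned in the bridge table" and "ARP still incomplete" is the useful one: the first points at the ATM side, the second at the customer's host configuration.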

------------------------------



End of cisco-nsp Digest, Vol 9, Issue 55
****************************************


