From alex.wilkinson at dsto.defence.gov.au Tue Jul 1 00:41:58 2008
From: alex.wilkinson at dsto.defence.gov.au (Wilkinson, Alex)
Date: Tue, 1 Jul 2008 12:41:58 +0800
Subject: [c-nsp] 7200 upgrade from 12.2(25)S8
In-Reply-To: <20080701035035.GF12357@ref.nmedia.net>
References: <20080701035035.GF12357@ref.nmedia.net>
Message-ID: <20080701044157.GV3898@stlux503.dsto.defence.gov.au>

On Mon, Jun 30, 2008 at 08:50:35PM -0700, Chris Cappuccio wrote:

> Did Cisco ever use both cores of the G1?

G1 is multicore?

-aW

IMPORTANT: This email remains the property of the Australian Defence Organisation and is subject to the jurisdiction of section 70 of the CRIMES ACT 1914. If you have received this email in error, you are requested to contact the sender and delete the email.

From christian at broknrobot.com Tue Jul 1 01:25:57 2008
From: christian at broknrobot.com (Christian Koch)
Date: Tue, 1 Jul 2008 01:25:57 -0400
Subject: [c-nsp] 7200 upgrade from 12.2(25)S8
In-Reply-To: <20080701044157.GV3898@stlux503.dsto.defence.gov.au>
References: <20080701035035.GF12357@ref.nmedia.net> <20080701044157.GV3898@stlux503.dsto.defence.gov.au>
Message-ID:

MPF (multi-processor-forwarding)

http://www.cisco.com/en/US/prod/collateral/routers/ps341/prod_end-of-life_notice0900aecd8067dd9f_ps352_Products_End-of-Life_Notice.html
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/MPF123T7.html

On Tue, Jul 1, 2008 at 12:41 AM, Wilkinson, Alex <alex.wilkinson at dsto.defence.gov.au> wrote:

> On Mon, Jun 30, 2008 at 08:50:35PM -0700, Chris Cappuccio wrote:
>
> > Did Cisco ever use both cores of the G1?
>
> G1 is multicore?
>
> -aW
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From mrz at velvet.org Tue Jul 1 01:29:00 2008
From: mrz at velvet.org (matthew zeier)
Date: Mon, 30 Jun 2008 22:29:00 -0700
Subject: [c-nsp] bcp on edge filtering & udp
In-Reply-To: <48695414.6050001@gmail.com>
References: <486942C6.8030900@velvet.org> <48695414.6050001@gmail.com>
Message-ID: <4869C09C.8060609@velvet.org>

Haven't made up my mind on that - either the routers directly connecting to the Internet or closer into my "core".

Rogelio wrote:
> matthew zeier wrote:
>> Trying to find a pre-build set of ACLs for filtering bogus inbound
>> udp, if one already exists, otherwise I'll have to build my own :)
>
> Where are you trying to filter this? At your CPE router?

From mksmith at adhost.com Tue Jul 1 01:34:43 2008
From: mksmith at adhost.com (Michael Smith)
Date: Mon, 30 Jun 2008 22:34:43 -0700
Subject: [c-nsp] bcp on edge filtering & udp
In-Reply-To: <486942C6.8030900@velvet.org>
Message-ID:

Hey Matt:

> From: matthew zeier
> Date: Mon, 30 Jun 2008 13:32:06 -0700
> To: "cisco-nsp at puck.nether.net"
> Subject: [c-nsp] bcp on edge filtering & udp
>
> Trying to find a pre-build set of ACLs for filtering bogus inbound udp,
> if one already exists, otherwise I'll have to build my own :)

Here's a good start.
access-list 199 deny udp any any eq 135
access-list 199 deny udp any any eq 137
access-list 199 deny udp any any eq 138
access-list 199 deny udp any any eq 139
access-list 199 deny udp any any eq 445
access-list 199 deny udp any any eq 4899
access-list 199 deny udp any any eq 1434
access-list 199 deny udp any any eq 194
access-list 199 deny udp any any eq 529
access-list 199 deny udp any any eq 994
access-list 199 deny udp any any eq 69
access-list 199 deny udp any any range 6666 6669

Regards,

Mike

From zivl at gilat.net Tue Jul 1 01:54:48 2008
From: zivl at gilat.net (Ziv Leyes)
Date: Tue, 1 Jul 2008 08:54:48 +0300
Subject: [c-nsp] Error
In-Reply-To: <20080630163859.GM4633@greenie.muc.de>
References: <200806301619.m5UGJs6f073793@puck.nether.net> <20080630163859.GM4633@greenie.muc.de>
Message-ID:

I have had the same fixed IP address at home for 3 years now, and I also get mailer error messages lately claiming that MY message didn't reach the recipient. The reasons are many, such as unknown user, mailbox over quota, out of office auto reply; some are from anti-spam systems, but all of them are sent back to me because the sender address is my e-mail address, and the mail was sent from a lot of IP addresses, none of them even close to mine. So I guess someone is using my e-mail address for sending spam, and I guess I'm not the only one. The reason for spammers to use a valid e-mail address is quite clear: a lot of anti-spam systems perform this kind of check, to see if the sender's address is real and has good "reputation".

Damn them!
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gert Doering
Sent: Monday, June 30, 2008 7:39 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Error

Hi,

On Mon, Jun 30, 2008 at 06:09:20PM +0200, gert at greenie.muc.de wrote:
> The original message was received at Mon, 30 Jun 2008 18:09:20 +0200
> from greenie.muc.de [168.218.142.88]
>
> ----- The following addresses had permanent fatal errors -----
>

I'm not *exactly* sure what happened here (need to look more closely at my mail headers), but I can assure you that "168.218.142.88" is *not* one of my IP addresses (and has never been).

So I think this was a fake, and never came near one of my machines :-/

Most likely a virus spam, or so. I've seen a few of those recently, claiming to be mailer errors and having a malware attachment.

gert

--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From p.mayers at imperial.ac.uk Tue Jul 1 05:24:36 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 01 Jul 2008 10:24:36 +0100
Subject: [c-nsp] Layer 2 multicast issues
In-Reply-To: <87e0d3ae0806280248jf71e065o63a1c5190881aef1@mail.gmail.com>
References: <87e0d3ae0806280248jf71e065o63a1c5190881aef1@mail.gmail.com>
Message-ID: <4869F7D4.3040203@imperial.ac.uk>

vince anton wrote:
> Hi list
>
> I'm looking for some advice in troubleshooting a flat layer 2 network, made
> up of a number of L2 interconnected/cascaded switches running ip multicast.
>
> Currently, such network has about 50 video streams (or multicast groups)
> from a single source at around 3-4Mbps each, and there are some issues with
> video quality on some receivers, although this is random and I can't seem to
> find a pattern yet.
>
> I'm trying to understand what issues with IP multicast traffic may be, and
> what the root cause is, given that all of the switches support IGMP snooping
> in hardware, and don't have a maxed-out CPU

Do you have an IGMP querier on the network? IGMP snooping works a lot better if you do.

From anthony.gueneau at gmail.com Tue Jul 1 06:35:11 2008
From: anthony.gueneau at gmail.com (Anthony Guéneau)
Date: Tue, 1 Jul 2008 12:35:11 +0200
Subject: [c-nsp] Cisco VSS monitoring through Syslog/SNMP-traps
Message-ID:

Hi,

Does anybody know what syslog messages are supposed to be sent when a VSS failover occurs?
Would it be easier to monitor it through SNMP traps? In that case what kind of traps should I enable and what are the corresponding OIDs to handle from the server?
The main idea is to detect any failures within the VSS domain. I identified 3 types of failures I would need to detect thanks to the syslog messages or SNMP traps. Then, corresponding alarms will be generated. Here they are:
-> Active Supervisor Engine Failure (=Active Virtual Switch Chassis Failure)
-> Hot-standby Supervisor Engine Failure (=Standby Virtual Switch Chassis Failure)
-> Complete VSL Failure (Dual Active)

If someone knows or has identified syslog messages and/or SNMP traps corresponding to each of these three failures, could you please get back to me with this information?
Many thanks.

Anthony

From aaronis at people.net.au Tue Jul 1 07:19:44 2008
From: aaronis at people.net.au (Aaron R)
Date: Tue, 1 Jul 2008 19:19:44 +0800
Subject: [c-nsp] Telnet FROM a PIX Appliance?
In-Reply-To: <20080630112104.GG4112@thot.informatik.uni-kl.de>
Message-ID: <200807011121.m61BL2Ax084691@puck.nether.net>

Hi,

As we all know Telnet is plaintext and insecure. I assume they have disabled telnet from the firewall to encourage secure communication?

I don't see why else they would have disabled it. Having said this, they still enable telnet to the device, which is a complete contradiction :P

Cisco?

Cheers,

Aaron.

-----Original Message-----
From: Joerg Mayer [mailto:jmayer at loplof.de]
Sent: Monday, June 30, 2008 7:21 PM
To: Aaron R
Cc: 'Felix Nkansah'; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?

On Mon, Jun 30, 2008 at 06:30:59PM +0800, Aaron R wrote:
> It is disabled as a security feature. I have also wanted to do the same for
> troubleshooting purposes.

And why exactly is this a security feature? What is the *gain* in security?

Ciao
    Joerg

--
Joerg Mayer
We are stuck with technology when what we really want is just stuff that works. Some say that should read Microsoft instead of technology.

From sukumars at cisco.com Tue Jul 1 07:40:35 2008
From: sukumars at cisco.com (Sukumar Subburayan (sukumars))
Date: Tue, 1 Jul 2008 04:40:35 -0700
Subject: [c-nsp] Cisco VSS monitoring through Syslog/SNMP-traps
In-Reply-To:
References:
Message-ID:

For Complete VSL failure, we have an SNMP trap, that can be configured using:

vss(config)#snmp-server enable traps vswitch ?
  vsl  Enable SNMP Virtual Switch Link (VSL) notification

For Active supervisor failure, you can monitor the following syslog message:

PFREDUN-SW2_SPSTBY-6-ACTIVE: Initializing as Virtual Switch ACTIVE processor

If the message comes from 'SW2' it means that the previous active (SW1) went down.

For standby supervisor failure, the VSL link will go down, as the entire standby is down. So, you could use the VSL link trap.
Additionally, the following syslogs are printed on the active when the standby goes down:

%VSLP-SW2_SP-2-VSL_DOWN: All VSL links went down while switch is in ACTIVE role

or this:

%PFREDUN-SW2_SP-6-ACTIVE: Standby supervisor removed or reloaded, changing to Simplex mode

sukumar

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Anthony Guéneau
Sent: Tuesday, July 01, 2008 4:05 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cisco VSS monitoring through Syslog/SNMP-traps

Hi,

Does anybody know what syslog messages are supposed to be sent when a VSS failover occurs?
Would it be easier to monitor it through SNMP traps? In that case what kind of traps should I enable and what are the corresponding OIDs to handle from the server?
The main idea is to detect any failures within the VSS domain. I identified 3 types of failures I would need to detect thanks to the syslog messages or SNMP traps. Then, corresponding alarms will be generated. Here they are:
-> Active Supervisor Engine Failure (=Active Virtual Switch Chassis Failure)
-> Hot-standby Supervisor Engine Failure (=Standby Virtual Switch Chassis Failure)
-> Complete VSL Failure (Dual Active)

If someone knows or has identified syslog messages and/or SNMP traps corresponding to each of these three failures, could you please get back to me with this information?
Many thanks.
Anthony

From k.vdh at solcon.nl Tue Jul 1 07:09:49 2008
From: k.vdh at solcon.nl (Koen)
Date: Tue, 01 Jul 2008 13:09:49 +0200
Subject: [c-nsp] Cisco VSS monitoring through Syslog/SNMP-traps
In-Reply-To:
References:
Message-ID: <486A107D.5020006@solcon.nl>

Hi Anthony,

I was just looking for this too and found out the following you can use to make a check:

MIB          CISCO-VIRTUAL-SWITCH-MIB
Object       cvsChassisEntry
OID          1.3.6.1.4.1.9.9.388.1.2.2.1
Type         CvsChassisEntry
Description  "An entry describes the present chassis information in the virtual switch architecture."

Object       cvsChassisRole
OID          1.3.6.1.4.1.9.9.388.1.2.2.1.2
Type         VSSwitchRole
             1: standalone
             2: active
             3: standby

Greetz,
Koen

Anthony Guéneau wrote:
> Hi,
>
> Does anybody know what syslog messages are supposed to be sent when a VSS
> failover occurs?
> Would it be easier to monitor it through SNMP traps? In that case what kind
> of traps should I enable and what are the corresponding OIDs to handle from
> the server?
> The main idea is to detect any failures within the VSS domain. I identified
> 3 types of failures I would need to detect thanks to the syslog messages or
> SNMP traps. Then, corresponding alarms will be generated. Here they are:
> -> Active Supervisor Engine Failure (=Active Virtual Switch Chassis Failure)
> -> Hot-standby Supervisor Engine Failure (=Standby Virtual Switch Chassis
> Failure)
> -> Complete VSL Failure (Dual Active)
>
> If someone knows or has identified syslog messages and/or SNMP traps
> corresponding to each of these three failures, could you please get back to
> me with this information?
> Many thanks.
>
> Anthony

From sukumars at cisco.com Tue Jul 1 08:00:40 2008
From: sukumars at cisco.com (Sukumar Subburayan (sukumars))
Date: Tue, 1 Jul 2008 05:00:40 -0700
Subject: [c-nsp] Cisco VSS monitoring through Syslog/SNMP-traps
In-Reply-To: <486A107D.5020006@solcon.nl>
References: <486A107D.5020006@solcon.nl>
Message-ID:

Dual-active cases (VSL down) cannot be detected by the below. We need to use the 'vswitch vsl' trap for that.

sukumar

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Koen
Sent: Tuesday, July 01, 2008 4:40 PM
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco VSS monitoring through Syslog/SNMP-traps

Hi Anthony,

I was just looking for this too and found out the following you can use to make a check:

MIB          CISCO-VIRTUAL-SWITCH-MIB
Object       cvsChassisEntry
OID          1.3.6.1.4.1.9.9.388.1.2.2.1
Type         CvsChassisEntry
Description  "An entry describes the present chassis information in the virtual switch architecture."

Object       cvsChassisRole
OID          1.3.6.1.4.1.9.9.388.1.2.2.1.2
Type         VSSwitchRole
             1: standalone
             2: active
             3: standby

Greetz,
Koen

Anthony Guéneau wrote:
> Hi,
>
> Does anybody know what syslog messages are supposed to be sent when a
> VSS failover occurs?
> Would it be easier to monitor it through SNMP traps? In that case what
> kind of traps should I enable and what are the corresponding OIDs to
> handle from the server?
> The main idea is to detect any failures within the VSS domain. I
> identified 3 types of failures I would need to detect thanks to the syslog
> messages or SNMP traps. Then, corresponding alarms will be generated.
> Here they are:
> -> Active Supervisor Engine Failure (=Active Virtual Switch Chassis Failure)
> -> Hot-standby Supervisor Engine Failure (=Standby Virtual Switch Chassis Failure)
> -> Complete VSL Failure (Dual Active)
>
> If someone knows or has identified syslog messages and/or SNMP traps
> corresponding to each of these three failures, could you please get
> back to me with this information?
> Many thanks.
>
> Anthony

From reuben-cisco-nsp at reub.net Tue Jul 1 07:29:11 2008
From: reuben-cisco-nsp at reub.net (Reuben Farrelly)
Date: Tue, 01 Jul 2008 21:29:11 +1000
Subject: [c-nsp] Telnet FROM a PIX Appliance?
In-Reply-To: <200807011121.m61BL2Ax084691@puck.nether.net>
References: <200807011121.m61BL2Ax084691@puck.nether.net>
Message-ID: <486A1507.6040107@reub.net>

You also can't ssh from a PIX, but you can of course ssh to it. So it's not IMHO likely to be a case of "telnet being insecure", but avoiding -all- client sourced access from a PIX out to anything else which the PIX could potentially connect to.

I suspect the thinking is that the PIX itself, if compromised, can't be used as a platform to launch into other devices in the network. Especially given it is probably one device which would normally have direct and unrestricted access to the private and DMZ networks in most topologies...

Reuben

On 1/07/2008 9:19 PM, Aaron R wrote:
> Hi,
>
> As we all know Telnet is plaintext and insecure. I assume they have disabled
> telnet from the firewall to encourage secure communication?
>
> I don't see why else they would have disabled it.
> Having said this, they
> still enable telnet to the device, which is a complete contradiction :P
>
> Cisco?
>
> Cheers,
>
> Aaron.

From rodunn at cisco.com Tue Jul 1 10:16:23 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 1 Jul 2008 10:16:23 -0400
Subject: [c-nsp] 7200 upgrade from 12.2(25)S8
In-Reply-To: <20080701035035.GF12357@ref.nmedia.net>
References: <20080701035035.GF12357@ref.nmedia.net>
Message-ID: <20080701141623.GE13269@rtp-cse-489.cisco.com>

On Mon, Jun 30, 2008 at 08:50:35PM -0700, Chris Cappuccio wrote:
> I've got 12.2(25)S8 on various 7200 NPE-G1 and NPE-400 boxes in core and edge NSP roles. The last NPE-400 is about to get upgraded to a G1 or G2.
> As a migration path 12.2(33)SRC1 towards IOS-XE on ASR is a good looking path.
> This OS has been rock-solid for years. I'm using the routers for various combinations of mpls ldp/bgp vpn, ip4, ip6, bgp, ospf, multilink, ethernet, POS, mac-accounting, netflow, and that's really about it. Nothing new or overly complicated.
>
> I was hoping to get some use of the second G1 CPU core, some of the boxes could use more power, mostly for BGP rescans in the face of increasing traffic loads. And possibly newer ip6 code (I barely use it now, but things are heading in that direction.)
>
> Any recommendations for a newer version? Or, if it ain't broke, don't fuck with it? Did Cisco ever use both cores of the G1?
>

We did for some PPPoX type offloading functionality but it turned out to be more complex than it was worth given the faster CPUs and HW forwarding rates desired. Hence the ASR1000 line was developed.
Rodney

> Chris

From christian at broknrobot.com Tue Jul 1 10:25:04 2008
From: christian at broknrobot.com (Christian Koch)
Date: Tue, 1 Jul 2008 07:25:04 -0700
Subject: [c-nsp] Telnet FROM a PIX Appliance?
In-Reply-To: <486A1507.6040107@reub.net>
References: <200807011121.m61BL2Ax084691@puck.nether.net> <486A1507.6040107@reub.net>
Message-ID:

There is no need to have a firewall be an ssh/telnet client, that is not a firewall's purpose... if you want to source ssh/telnet from the same subnet your firewall is on, build a jump box/bastion host. IMO no network device is a place to be using a remote access protocol (telnet, ssh, rsh), no matter a firewall, router, load balancer, whatever... there is just no reason for it, it just leaves another method of access to your infrastructure in the case your device gets compromised.

-christian

From vikassharmas at gmail.com Tue Jul 1 11:27:09 2008
From: vikassharmas at gmail.com (Vikas Sharma)
Date: Tue, 1 Jul 2008 20:57:09 +0530
Subject: [c-nsp] CoPP on PE router for access network
Message-ID:

Hi,

I want to understand the impact of mpls vpn (vrf) control traffic on CoPP. Can I block vrf control plane packets (PE-CE) using CoPP? If yes, what is the impact? Another idea is to use infrastructure acl, but I am more interested if I can block PE-CE control traffic using CoPP?

Regards,
Vikas Sharma

From rodunn at cisco.com Tue Jul 1 11:41:18 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 1 Jul 2008 11:41:18 -0400
Subject: [c-nsp] CoPP on PE router for access network
In-Reply-To:
References:
Message-ID: <20080701154118.GI13269@rtp-cse-489.cisco.com>

Last I checked CoPP was not VRF aware and it applied to any traffic punted to the RP that we could match on, so it would apply to PE-CE links.
Rodney

On Tue, Jul 01, 2008 at 08:57:09PM +0530, Vikas Sharma wrote:
> Hi,
>
> I want to understand the impact of mpls vpn (vrf) control traffic on CoPP.
> Can I block vrf control plane packets (PE-CE) using CoPP? If yes, what is the
> impact? Another idea is to use infrastructure acl, but I am more interested
> if I can block PE-CE control traffic using CoPP?
>
> Regards,
> Vikas Sharma

From jhigham at epri.com Tue Jul 1 12:06:29 2008
From: jhigham at epri.com (Higham, Josh)
Date: Tue, 1 Jul 2008 09:06:29 -0700
Subject: [c-nsp] Capture expressions on an FWSM (was Re: Telnet FROM a PIX Appliance?)
In-Reply-To: <48690FB4.6040902@spacething.org>
References: <18dba4e50806300311n5d696788x541c687d7e315e14@mail.gmail.com> <200806301032.m5UAWDRw056902@puck.nether.net> <20080630112104.GG4112@thot.informatik.uni-kl.de> <4C3B8C75B5899943AEC675BA6DD462730103B755@uspalex02.epri.com> <002101c8dacb$11339ab0$f211a8c0@flamwsugsmul5v> <48690FB4.6040902@spacething.org>
Message-ID: <4C3B8C75B5899943AEC675BA6DD462730103B904@uspalex02.epri.com>

> Tony Varriale wrote:
> > Any chance you could give the group more details before saying it
> > can't be trusted?
> >
> I'm afraid I don't have any concrete details to add, but I've found
> capture expressions on Firewall Service Modules to be quite
> inconsistent. Presumably this is something to do with the module's
> interaction with the chassis? I haven't had the time to lab this, and I
> haven't always had problems, but I now generally work to the mantra that
> "the absence of a packet in an FWSM capture is not proof that the packet
> does not exist, but the presence of a packet in a capture does prove
> its existence".
>
> Perhaps there is a cisco documentation on this, listing known caveats
> and limitations?
I found the same situation with the ASA (version 8.0 code). Normally you would expect the packet capture to be the very first code path, but this is demonstrably not true. In my case I had a span port on a switch and would get the packet, but a capture on the firewall did not show it.

"The absence of a packet is not proof that the packet doesn't exist"

Thanks,
Josh

> > ----- Original Message -----
> > From: "Higham, Josh"
> > To:
> > Sent: Monday, June 30, 2008 10:41 AM
> > Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?
> >
> >
> >>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ziv Leyes
> >>>
> >>> I guess it's more as a "working right" educational purpose,
> >>> so you won't use your firewall as a debugging client.
> >>> In newer versions there's the packet tracker that can help
> >>> you debug connectivity problems.
> >>> Ziv
> >>
> >> As an FYI, the ASA/Pix packet capture cannot currently be completely
> >> trusted (version 8.0). I found an annoying bug where I would capture
> >> the frame on a span session monitoring the port connected to the
> >> firewall, but it wouldn't show up on the firewall capture.
> >>
> >> The packet in question was also being dropped by the firewall, but with
> >> no logging (and with a permit ip any any rule in place). The 'fix' was
> >> to apply a nat translation and then remove it. TAC was completely
> >> unhelpful (worst ever TAC experience).
> >>
> >> Blocking outbound sessions on the firewall also means that it can't be
> >> used to bounce an attack, if compromised.
> >>
> >> Thanks,
> >> Josh
> >
> >

From mrz at velvet.org Tue Jul 1 12:40:40 2008
From: mrz at velvet.org (matthew zeier)
Date: Tue, 01 Jul 2008 09:40:40 -0700
Subject: [c-nsp] bcp on edge filtering & udp
In-Reply-To:
References:
Message-ID: <486A5E08.6000001@velvet.org>

I keep seeing stuff with a udp src or dst port of 0. Anyone else see that in the wild?
Michael Smith wrote:
> Hey Matt:
>
>
>> From: matthew zeier
>> Date: Mon, 30 Jun 2008 13:32:06 -0700
>> To: "cisco-nsp at puck.nether.net"
>> Subject: [c-nsp] bcp on edge filtering & udp
>>
>> Trying to find a pre-build set of ACLs for filtering bogus inbound udp,
>> if one already exists, otherwise I'll have to build my own :)
>
> Here's a good start.
>
> access-list 199 deny udp any any eq 135
> access-list 199 deny udp any any eq 137
> access-list 199 deny udp any any eq 138
> access-list 199 deny udp any any eq 139
> access-list 199 deny udp any any eq 445
> access-list 199 deny udp any any eq 4899
> access-list 199 deny udp any any eq 1434
> access-list 199 deny udp any any eq 194
> access-list 199 deny udp any any eq 529
> access-list 199 deny udp any any eq 994
> access-list 199 deny udp any any eq 69
> access-list 199 deny udp any any range 6666 6669
>
> Regards,
>
> Mike
>

From p.mayers at imperial.ac.uk Tue Jul 1 12:42:43 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 01 Jul 2008 17:42:43 +0100
Subject: [c-nsp] bcp on edge filtering & udp
In-Reply-To: <486A5E08.6000001@velvet.org>
References: <486A5E08.6000001@velvet.org>
Message-ID: <486A5E83.8080706@imperial.ac.uk>

matthew zeier wrote:
> I keep seeing stuff with a udp src or dst port of 0. Anyone else see
> that in the wild?

If you're getting that from netflow, it's probably IP fragments.
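Added example for this thread (not code from any of the posters): it parses Michael Smith's ACL 199 as posted, applies it to constructed NetFlow-style records, and reports the UDP port-0 records matthew zeier asked about as probable IP fragments, following Phil Mayers' explanation. It assumes a trailing `access-list 199 permit ip any any`, since an IOS ACL ends in an implicit deny and the posted deny lines alone would drop everything.

```python
"""
Added example: evaluate the thread's ACL 199 against flow records and
separate "port 0" fragment records from real port matches.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The deny lines exactly as posted, plus an assumed trailing permit (an IOS
# ACL ends in an implicit deny; without the permit ACL 199 drops all traffic).
ACL_199 = """
access-list 199 deny udp any any eq 135
access-list 199 deny udp any any eq 137
access-list 199 deny udp any any eq 138
access-list 199 deny udp any any eq 139
access-list 199 deny udp any any eq 445
access-list 199 deny udp any any eq 4899
access-list 199 deny udp any any eq 1434
access-list 199 deny udp any any eq 194
access-list 199 deny udp any any eq 529
access-list 199 deny udp any any eq 994
access-list 199 deny udp any any eq 69
access-list 199 deny udp any any range 6666 6669
access-list 199 permit ip any any
"""

# Only the "any any [eq N | range A B]" form used in the thread is supported;
# the port operator after the destination "any" tests the destination port.
ACE_RE = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>ip|udp|tcp)"
    r"\s+any\s+any(?:\s+eq\s+(?P<eq>\d+)|\s+range\s+(?P<lo>\d+)\s+(?P<hi>\d+))?$"
)


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    lo: Optional[int]  # destination-port range; None matches any port
    hi: Optional[int]


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


def parse_acl(text: str) -> List[Ace]:
    """Turn the posted ACL text into an ordered list of entries."""
    aces = []
    for raw in text.strip().splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            raise ValueError(f"unsupported ACE syntax: {raw!r}")
        if m["eq"]:
            lo = hi = int(m["eq"])
        elif m["lo"]:
            lo, hi = int(m["lo"]), int(m["hi"])
        else:
            lo = hi = None
        aces.append(Ace(m["action"], m["proto"], lo, hi))
    return aces


def describe(ace: Ace) -> str:
    if ace.lo is None:
        return f"{ace.action} {ace.proto} any any"
    if ace.lo == ace.hi:
        return f"{ace.action} {ace.proto} any any eq {ace.lo}"
    return f"{ace.action} {ace.proto} any any range {ace.lo} {ace.hi}"


def evaluate(aces: List[Ace], flow: Flow) -> Tuple[str, str]:
    """First matching entry wins; no match falls through to the implicit deny."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != flow.proto:
            continue
        if ace.lo is None or ace.lo <= flow.dport <= ace.hi:
            return ace.action, describe(ace)
    return "deny", "implicit deny"


def classify(aces: List[Ace], flow: Flow) -> Tuple[str, str]:
    """Verdict for one flow record: the ACL action, or a fragment note for port 0."""
    if flow.proto == "udp" and (flow.sport == 0 or flow.dport == 0):
        # NetFlow reports port 0 for non-initial fragments, which carry no UDP
        # header; IOS also skips deny entries that test ports for such fragments,
        # so these records are not evidence that a listed port was hit.
        return "probable-fragment", "udp port 0 in flow record"
    return evaluate(aces, flow)


# Constructed flow records (documentation addresses), not captured data.
SAMPLE_FLOWS = [
    Flow("udp", "198.51.100.23", "192.0.2.10", 51234, 1434),  # eq 1434 -> deny
    Flow("udp", "198.51.100.23", "192.0.2.10", 40000, 6667),  # range 6666 6669 -> deny
    Flow("udp", "198.51.100.53", "192.0.2.10", 53, 33211),    # DNS reply -> permit
    Flow("udp", "198.51.100.23", "192.0.2.10", 0, 0),         # fragment record
    Flow("tcp", "198.51.100.23", "192.0.2.10", 44000, 445),   # deny lines are udp-only
]


def run() -> List[str]:
    aces = parse_acl(ACL_199)
    return [classify(aces, f)[0] for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    aces = parse_acl(ACL_199)
    for f in SAMPLE_FLOWS:
        verdict, why = classify(aces, f)
        print(f"{f.proto} {f.src}:{f.sport} -> {f.dst}:{f.dport}  {verdict:18} ({why})")
```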
From jay at west.net Tue Jul 1 13:17:25 2008
From: jay at west.net (Jay Hennigan)
Date: Tue, 01 Jul 2008 10:17:25 -0700
Subject: [c-nsp] Error
In-Reply-To:
References: <200806301619.m5UGJs6f073793@puck.nether.net> <20080630163859.GM4633@greenie.muc.de>
Message-ID: <486A66A5.4070401@west.net>

Ziv Leyes wrote:
> I have had the same fixed IP address at home for 3 years now, and I also get
> mailer error messages lately claiming that MY message didn't reach the
> recipient. The reasons are many, such as unknown user, mailbox over quota,
> out of office auto reply; some are from anti-spam systems, but all of them
> are sent back to me because the sender address is my e-mail address, and the
> mail was sent from a lot of IP addresses, none of them even close to mine.
> So I guess someone is using my e-mail address for sending spam, and I guess
> I'm not the only one. The reason for spammers to use a valid e-mail address
> is quite clear: a lot of anti-spam systems perform this kind of check, to
> see if the sender's address is real and has good "reputation".
>
> Damn them!

Damn both the spammers and the broken mail servers that accept the mail first and then bounce it back to the forged "sender", thus being a secondary source of spam.

The receiving mail system upon getting mail for an unknown user, mailbox full, or anti-spam detection should reject the mail immediately, not accept it and then later attempt to bounce it back to the purported sender.

Don't even get me started on "out of office" autoresponders.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From scubacuda at gmail.com Tue Jul 1 13:37:37 2008
From: scubacuda at gmail.com (Rogelio)
Date: Tue, 01 Jul 2008 10:37:37 -0700
Subject: [c-nsp] seeing VLAN-tagged device with layer 2 switch
Message-ID: <486A6B61.8090409@gmail.com>

I've got an interesting problem.
I've got some non-Cisco wireless units that are VLAN tagged, and for whatever reason, they're not working, and I'm going to need to pull them down from a roof and troubleshoot them.

Any ideas on what I might do to see them if I were to use a layer 2 non-VLAN-friendly switch? That's all I have immediately available.

Or is doing a hard reset on them my only option?

From jay at west.net Tue Jul 1 13:47:23 2008
From: jay at west.net (Jay Hennigan)
Date: Tue, 01 Jul 2008 10:47:23 -0700
Subject: [c-nsp] seeing VLAN-tagged device with layer 2 switch
In-Reply-To: <486A6B61.8090409@gmail.com>
References: <486A6B61.8090409@gmail.com>
Message-ID: <486A6DAB.80504@west.net>

Rogelio wrote:
> I've got an interesting problem. I've got some non-Cisco wireless units
> that are VLAN tagged, and for whatever reason, they're not working, and
> I'm going to need to pull them down from a roof and troubleshoot them.
>
> Any ideas on what I might do to see them if I were to use a layer 2
> non-VLAN-friendly switch? That's all I have immediately available.

Crossover cable and ifconfig on any *nix box or Macintosh to set up the appropriate VLAN.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From scubacuda at gmail.com Tue Jul 1 13:59:01 2008
From: scubacuda at gmail.com (Rogelio)
Date: Tue, 1 Jul 2008 10:59:01 -0700
Subject: [c-nsp] seeing VLAN-tagged device with layer 2 switch
In-Reply-To: <486A6DAB.80504@west.net>
References: <486A6B61.8090409@gmail.com> <486A6DAB.80504@west.net>
Message-ID: <2b7af7c40807011059s25c4501bjd3c2343a0cff58b0@mail.gmail.com>

On Tue, Jul 1, 2008 at 10:47 AM, Jay Hennigan wrote:
>
> Crossover cable and ifconfig on any *nix box or Macintosh to set up the
> appropriate VLAN.

Wow, this is perfect. Thanks!
From scubacuda at gmail.com Tue Jul 1 14:10:38 2008
From: scubacuda at gmail.com (Rogelio)
Date: Tue, 1 Jul 2008 11:10:38 -0700
Subject: [c-nsp] seeing VLAN-tagged device with layer 2 switch
In-Reply-To: <486A6DAB.80504@west.net>
References: <486A6B61.8090409@gmail.com> <486A6DAB.80504@west.net>
Message-ID: <2b7af7c40807011110y97ad036udcc32933df09744c@mail.gmail.com>

On Tue, Jul 1, 2008 at 10:47 AM, Jay Hennigan wrote:
> Rogelio wrote:
>
>> I've got an interesting problem. I've got some non-Cisco wireless units
>> that are VLAN tagged, and for whatever reason, they're not working, and I'm
>> going to need to pull them down from a roof and troubleshoot them.
>>
>> Any ideas on what I might do to see them if I were to use a layer 2
>> non-VLAN-friendly switch? That's all I have immediately available.
>>
>
> Crossover cable and ifconfig on any *nix box or Macintosh to set up the
> appropriate VLAN.

For what it's worth, here's a HOWTO on doing this:

http://www.cyberciti.biz/tips/howto-configure-linux-virtual-local-area-network-vlan.html

As you can see, different flavors of Linux do things quite differently... But here is one method of doing it (according to the above URL):

Create the interface
# vconfig add eth0 5
# ifconfig eth0.5
# ifconfig eth0.5 192.168.1.100 netmask 255.255.255.0 broadcast 192.168.1.255 up

Check the interface
# cat /proc/net/vlan/eth0.5

Kill the interface when you're done
# ifconfig eth0.5 down
# vconfig rem eth0.5

From dwinkworth at wi.rr.com Tue Jul 1 14:26:15 2008
From: dwinkworth at wi.rr.com (dwinkworth at wi.rr.com)
Date: Tue, 1 Jul 2008 13:26:15 -0500
Subject: [c-nsp] bcp on edge filtering & udp
Message-ID: <25281100.57441214936775672.JavaMail.root@hrndva-web15-z02>

DLSw uses UDP port 0 by default. There is a feature that allows you to disable this.

http://www.cisco.com/en/US/tech/tk331/tk336/technologies_tech_note09186a0080093eca.shtml

---- matthew zeier wrote:
> I keep seeing stuff with a udp src or dst port of 0.
> Anyone else see that in the wild?
>
> Michael Smith wrote:
>> Hey Matt:
>>
>>> From: matthew zeier
>>> Date: Mon, 30 Jun 2008 13:32:06 -0700
>>> To: "cisco-nsp at puck.nether.net"
>>> Subject: [c-nsp] bcp on edge filtering & udp
>>>
>>> Trying to find a pre-built set of ACLs for filtering bogus inbound udp,
>>> if one already exists, otherwise I'll have to build my own :)
>>
>> Here's a good start.
>>
>> access-list 199 deny udp any any eq 135
>> access-list 199 deny udp any any eq 137
>> access-list 199 deny udp any any eq 138
>> access-list 199 deny udp any any eq 139
>> access-list 199 deny udp any any eq 445
>> access-list 199 deny udp any any eq 4899
>> access-list 199 deny udp any any eq 1434
>> access-list 199 deny udp any any eq 194
>> access-list 199 deny udp any any eq 529
>> access-list 199 deny udp any any eq 994
>> access-list 199 deny udp any any eq 69
>> access-list 199 deny udp any any range 6666 6669
>>
>> Regards,
>>
>> Mike

From petelists at templin.org Tue Jul 1 14:34:31 2008
From: petelists at templin.org (Pete Templin)
Date: Tue, 01 Jul 2008 13:34:31 -0500
Subject: [c-nsp] Error
In-Reply-To: <486A66A5.4070401@west.net>
References: <200806301619.m5UGJs6f073793@puck.nether.net> <20080630163859.GM4633@greenie.muc.de> <486A66A5.4070401@west.net>
Message-ID: <486A78B7.1070506@templin.org>

Jay Hennigan wrote:
> Damn both the spammers and the broken mail servers that accept the mail
> first and then bounce it back to the forged "sender", thus being a
> secondary source of spam.
>
> The receiving mail system upon getting mail for an unknown user, mailbox
> full, or anti-spam detection should reject the mail immediately, not
> accept it and then later attempt to bounce it back to the purported sender.
Then write an updated RFC that changes the standards to reflect this behavior, and get it published and accepted.

pt

From daniel_p_lacey at yahoo.com Tue Jul 1 15:16:43 2008
From: daniel_p_lacey at yahoo.com (Daniel Lacey)
Date: Tue, 01 Jul 2008 12:16:43 -0700
Subject: [c-nsp] 7206 misreporting ifSpeed via SNMP on ATM fiber interface
Message-ID: <486A829B.4090606@yahoo.com>

Hi all,

I am trying to monitor a Cisco router (7206) using OpenNMS and SNMP. It is running:

7200 Software (C7200-IS-M), Version 12.2(19b), RELEASE SOFTWARE (fc3)

There is an ATM fiber interface on this router. The sub-interfaces report the correct speed via the SNMP agent. The following interfaces report ifSpeed as 0, even though the admin has told me that the speed is set by command line for every interface. The interfaces are named:

ATM3/0-atm layer
ATM3/0-aal5 layer

Can anybody shed a little light on what we may be doing wrong? Is this an IOS problem/constraint or user error?

Thanks in advance!

Dan

From ddunkin at netos.net Tue Jul 1 15:49:32 2008
From: ddunkin at netos.net (Darryl Dunkin)
Date: Tue, 1 Jul 2008 12:49:32 -0700
Subject: [c-nsp] 7206 misreporting ifSpeed via SNMP on ATM fiber interface
References: <486A829B.4090606@yahoo.com>
Message-ID: <56F5BC5F404CF84896C447397A1AAF206FB84E@MAIL.nosi.netos.com>

This is normal behavior from what I've seen, as you don't have a PVC configured for the main interface, so it has no bandwidth on the ATM layer. This is the view from a 7500, but I see the same results. Look at the 0.0 interface instead.
ifIndex  ifDescr                 ifType  ifMtu  ifSpeed
5        ATM0/0/0-atm layer      37             0
6        ATM0/0/0.0-atm subif    134            149760000
7        ATM0/0/0-aal5 layer     49             0
8        ATM0/0/0.0-aal5 layer   49      4470   149760000

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Daniel Lacey
Sent: Tuesday, July 01, 2008 12:17
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 7206 misreporting ifSpeed via SNMP on ATM fiber interface

Hi all,

I am trying to monitor a Cisco router (7206) using OpenNMS and SNMP. It is running:

7200 Software (C7200-IS-M), Version 12.2(19b), RELEASE SOFTWARE (fc3)

There is an ATM fiber interface on this router. The sub-interfaces report the correct speed via the SNMP agent. The following interfaces report ifSpeed as 0, even though the admin has told me that the speed is set by command line for every interface. The interfaces are named:

ATM3/0-atm layer
ATM3/0-aal5 layer

Can anybody shed a little light on what we may be doing wrong? Is this an IOS problem/constraint or user error?

Thanks in advance!

Dan

From sam_mailinglists at spacething.org Tue Jul 1 15:55:56 2008
From: sam_mailinglists at spacething.org (Sam Stickland)
Date: Tue, 01 Jul 2008 20:55:56 +0100
Subject: [c-nsp] Telnet FROM a PIX Appliance?
In-Reply-To: <486A1507.6040107@reub.net>
References: <200807011121.m61BL2Ax084691@puck.nether.net> <486A1507.6040107@reub.net>
Message-ID: <486A8BCC.7070606@spacething.org>

I can buy the compromising argument for a reason not to do this.

I think the reason most people here want to be able to do outbound telnet is for troubleshooting - checking port connectivity and protocol banners. Many times administrators are insistent that a server is listening on such and such a port, and it's not.
It's nice to be able to troubleshoot problems in chunks.

Sam

Reuben Farrelly wrote:
> You also can't ssh from a PIX, but you can of course ssh to it.
>
> So it's not IMHO likely to be a case of "telnet being insecure", but
> avoiding -all- client sourced access from a PIX out to anything else
> which the PIX could potentially connect to.
>
> I suspect the thinking is that the PIX itself, if compromised, can't
> be used as a platform to launch into other devices in the network.
> Especially given it is probably one device which would normally have
> direct and unrestricted access to the private and DMZ networks in most
> topologies...
>
> Reuben
>
>
> On 1/07/2008 9:19 PM, Aaron R wrote:
>> Hi,
>>
>> As we all know Telnet is plaintext and insecure. I assume they have
>> disabled telnet from the firewall to encourage secure communication?
>> I don't see why else they would have disabled it. Having said this they
>> still enable telnet to the device which is a complete contradiction :P
>>
>> Cisco?
>>
>> Cheers,
>>
>> Aaron.

From tdurack at gmail.com Tue Jul 1 16:18:27 2008
From: tdurack at gmail.com (Tim Durack)
Date: Tue, 1 Jul 2008 16:18:27 -0400
Subject: [c-nsp] iSCSI SAN, Ethernet flow-control and redundant network topology
Message-ID: <9e246b4d0807011318h4ff23a5en675b9bd2383ae93@mail.gmail.com>

I'm coming under some pressure to enable ethernet flow-control and modify our network topology to keep a Dell iSCSI SAN engineer happy. (We already have several years' successful experience with another iSCSI SAN, so this isn't new to us.)

From what I can tell ethernet flow-control probably doesn't work too well in the age of wire-speed switches.
It could be deployed switch->server if really desired, but even then it might simply interfere with the higher-layer iSCSI/TCP congestion control mechanism.

Our DC network topology is straight out of Cisco's DC design guide - every access switch is redundantly connected to two 6509s, 6509s 2x10G trunked, 6509s are the STP root. (I'd probably run VSS if it was baked a little more.)

I've already got some good docs for reference, but any comments from the field?

Tim:>

From peder at networkoblivion.com Tue Jul 1 16:37:27 2008
From: peder at networkoblivion.com (Peder @ NetworkOblivion)
Date: Tue, 01 Jul 2008 15:37:27 -0500
Subject: [c-nsp] PA-MC-T3 Error
Message-ID: <486A9587.4060300@networkoblivion.com>

I am getting the following on a new cT3 from a provider into a PA-MC-T3. I think it indicates that there is an issue on their end, but they say I have a config issue. Can anybody confirm or deny if this points to an issue on my end, or if it is their end? I have other DS3's into other equipment and there really isn't much to set, so I think it is their issue. When they do a loopback to me, I see it come up.

7204VXR#sh contr t3 3/0
T3 3/0 is down.
Hardware is CT3 single wide port adapter
CT3 H/W Version : 1.0.1, CT3 ROM Version : 1.1, CT3 F/W Version : 2.4.3
FREEDM version: 1, reset 0 resurrect 0
Applique type is Channelized T3
Description: Time Warner
Transmitter is sending remote alarm.
Receiver is getting AIS.
Framing is M23, Line Code is B3ZS, Clock Source is Line
Rx-error throttling on T1's ENABLED
Rx throttle total 0, equipment customer loopback
Data in current interval (205 seconds elapsed):
   0 Line Code Violations, 0 P-bit Coding Violation
   0 C-bit Coding Violation, 0 P-bit Err Secs
   0 P-bit Severely Err Secs, 0 Severely Err Framing Secs
   205 Unavailable Secs, 0 Line Errored Secs
   0 C-bit Errored Secs, 0 C-bit Severely Errored Secs

SHOW RUN:

controller T3 3/0
 framing m23
 clock source line
 t1 1 channel-group 0 timeslots 1-24
 t1 2 channel-group 0 timeslots 1-24
 t1 3 channel-group 0 timeslots 1-24
 t1 4 channel-group 0 timeslots 1-24
 t1 5 channel-group 0 timeslots 1-24
 t1 6 channel-group 0 timeslots 1-24
 t1 7 channel-group 0 timeslots 1-24
 t1 8 channel-group 0 timeslots 1-24
 t1 9 channel-group 0 timeslots 1-24

From SPfister at dps.k12.oh.us Tue Jul 1 16:39:44 2008
From: SPfister at dps.k12.oh.us (Steven Pfister)
Date: Tue, 01 Jul 2008 16:39:44 -0400
Subject: [c-nsp] L2TPv3 tunnel - one-way only
Message-ID: <486A5DCE.9E6F.00B8.0@dps.k12.oh.us>

I've got an L2TPv3 tunnel set up between our central location and one of our remote sites. Everything looks OK, but data is only flowing one way (from the central side to the remote side, it looks like). Has anyone seen anything like this?

Thanks!

Steve Pfister
Technical Coordinator,
The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402

Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

From jasongurtz at npumail.com Tue Jul 1 16:39:30 2008
From: jasongurtz at npumail.com (Jason Gurtz)
Date: Tue, 1 Jul 2008 16:39:30 -0400
Subject: [c-nsp] Error
In-Reply-To: <486A78B7.1070506@templin.org>
References: <200806301619.m5UGJs6f073793@puck.nether.net> <20080630163859.GM4633@greenie.muc.de> <486A66A5.4070401@west.net> <486A78B7.1070506@templin.org>
Message-ID:

> Then write an updated RFC that changes the standards to reflect this
> behavior, and get it published and accepted.

Looks like 5821 will have to do (3821/4821 already taken) and be great when everyone's compliant by the year 2030. In the meantime, BATV (draft is: draft-levine-smtp-batv-01) can be of help. Helpfully, it even breaks most C/R systems as well :)

~JasonG

--

From rodunn at cisco.com Tue Jul 1 16:54:03 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 1 Jul 2008 16:54:03 -0400
Subject: [c-nsp] L2TPv3 tunnel - one-way only
In-Reply-To: <486A5DCE.9E6F.00B8.0@dps.k12.oh.us>
References: <486A5DCE.9E6F.00B8.0@dps.k12.oh.us>
Message-ID: <20080701205403.GO14994@rtp-cse-489.cisco.com>

What boxes?

I saw this once with the 3845 (I think it was) where the LAN interface was not going into promiscuous mode to rx all mac frames.

Check the VC and see if you only see tx or rx counters and on which box. Also check 'sh controller' to see if there is a promiscuous mode in it.

Rodney

On Tue, Jul 01, 2008 at 04:39:44PM -0400, Steven Pfister wrote:
> I've got an L2TPv3 tunnel set up between our central location and one of our remote sites. Everything looks OK, but data is only flowing one way (from the central side to the remote side, it looks like). Has anyone seen anything like this?
>
> Thanks!
>
> Steve Pfister
> Technical Coordinator,
> The Office of Information Technology
> Dayton Public Schools
> 115 S. Ludlow St.
> Dayton, OH 45402
>
> Office (937) 542-3149
> Cell (937) 673-6779
> Direct Connect: 137*131747*8
> Email spfister at dps.k12.oh.us

From almog.purepeak at gmail.com Tue Jul 1 17:19:27 2008
From: almog.purepeak at gmail.com (almog ohayon)
Date: Wed, 2 Jul 2008 00:19:27 +0300
Subject: [c-nsp] Real life - traffic limit ..
Message-ID: <3b53747c0807011419w38c621e0w3851977875f16bbe@mail.gmail.com>

Hi,

I have the following scenario: 1 specific source to 1 specific destination that needs to be limited to a certain amount of bandwidth but still have a minimum BW guarantee and minimum packet drops.

Which method to use:
police?
shape average/peak?
priority?
etc...

If you can give me a real life example it would be excellent.

From christian at broknrobot.com Tue Jul 1 19:47:38 2008
From: christian at broknrobot.com (Christian Koch)
Date: Tue, 1 Jul 2008 19:47:38 -0400
Subject: [c-nsp] Real life - traffic limit ..
In-Reply-To: <3b53747c0807011419w38c621e0w3851977875f16bbe@mail.gmail.com>
References: <3b53747c0807011419w38c621e0w3851977875f16bbe@mail.gmail.com>
Message-ID:

What is your hardware/software version/platform?

On Tue, Jul 1, 2008 at 5:19 PM, almog ohayon wrote:
> Hi,
> I have the following scenario:
> 1 specific source to 1 specific destination that needs to be limited to
> a certain amount of bandwidth but
> still have a minimum BW guarantee and minimum packet drops.
>
> Which method to use:
> police?
> shape average/peak?
> priority?
> etc...
>
> If you can give me a real life example it would be excellent.
--
^christian$

From mtinka at globaltransit.net Tue Jul 1 21:32:35 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Wed, 2 Jul 2008 09:32:35 +0800
Subject: [c-nsp] 7200 upgrade from 12.2(25)S8
In-Reply-To: <20080701141623.GE13269@rtp-cse-489.cisco.com>
References: <20080701035035.GF12357@ref.nmedia.net> <20080701141623.GE13269@rtp-cse-489.cisco.com>
Message-ID: <200807020932.35530.mtinka@globaltransit.net>

On Tuesday 01 July 2008 22:16:23 Rodney Dunn wrote:
> As a migration path 12.2(33)SRC1...

We've had some success with SRC in testing and partial deployment - as well as some interesting experiences.

We like it because it's quite comprehensive, and runs across all our NPE-G1/G2 and 7201 deployments. Having a single OS on all routers of the same family is a plus.

Watch out for bugs, especially if your configuration gets a little complex. Otherwise, SRC2 should be out later this month.

Mark.
From whisper555 at gmail.com Tue Jul 1 23:59:46 2008
From: whisper555 at gmail.com (Whisper)
Date: Wed, 2 Jul 2008 13:59:46 +1000
Subject: [c-nsp] bcp on edge filtering & udp
In-Reply-To:
References: <486942C6.8030900@velvet.org>
Message-ID: <5333e1040807012059q46dc9d0ct9998c81fa3d42a28@mail.gmail.com>

access-list 199 permit tcp any any
access-list 199 permit icmp any any

:)

On Tue, Jul 1, 2008 at 3:34 PM, Michael Smith wrote:
> Hey Matt:
>
>> From: matthew zeier
>> Date: Mon, 30 Jun 2008 13:32:06 -0700
>> To: "cisco-nsp at puck.nether.net"
>> Subject: [c-nsp] bcp on edge filtering & udp
>>
>> Trying to find a pre-built set of ACLs for filtering bogus inbound udp,
>> if one already exists, otherwise I'll have to build my own :)
>
> Here's a good start.
>
> access-list 199 deny udp any any eq 135
> access-list 199 deny udp any any eq 137
> access-list 199 deny udp any any eq 138
> access-list 199 deny udp any any eq 139
> access-list 199 deny udp any any eq 445
> access-list 199 deny udp any any eq 4899
> access-list 199 deny udp any any eq 1434
> access-list 199 deny udp any any eq 194
> access-list 199 deny udp any any eq 529
> access-list 199 deny udp any any eq 994
> access-list 199 deny udp any any eq 69
> access-list 199 deny udp any any range 6666 6669
>
> Regards,
>
> Mike

From jay at west.net Wed Jul 2 00:19:07 2008
From: jay at west.net (Jay Hennigan)
Date: Tue, 01 Jul 2008 21:19:07 -0700
Subject: [c-nsp] PA-MC-T3 Error
In-Reply-To: <486A9587.4060300@networkoblivion.com>
References: <486A9587.4060300@networkoblivion.com>
Message-ID: <486B01BB.1060602@west.net>

Peder @ NetworkOblivion wrote:
> I am getting the following on a new cT3 from a provider into a PA-MC-T3.
> I think it indicates that there is an issue on their end, but they say
> I have a config issue. Can anybody confirm or deny if this points to an
> issue on my end, or if it is their end? I have other DS3's into other
> equipment and there really isn't much to set, so I think it is their
> issue. When they do a loopback to me, I see it come up.

Does the other side come up with a hard loop (co-ax jumper) from you?

> 7204VXR#sh contr t3 3/0

> Transmitter is sending remote alarm.

You are sending to the other end an indication that you are receiving an alarm from the other side.

> Receiver is getting AIS.

The other end is sending you a signal that it is seeing all 1 bits from you, unframed.

> Framing is M23, Line Code is B3ZS, Clock Source is Line

Make sure that the other side is set similarly, B3ZS and M23 (some equipment may have this as M13). Make sure that neither side has the TX and RX co-ax cables swapped.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From oboehmer at cisco.com Wed Jul 2 02:22:25 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Wed, 2 Jul 2008 08:22:25 +0200
Subject: [c-nsp] Multiple 802.1q subinterfaces with the same vlan under thesame physical interface
In-Reply-To: <1214849728.8702.10.camel@dsba-ipso>
References: <1214849728.8702.10.camel@dsba-ipso>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405A88C78@xmb-ams-333.emea.cisco.com>

luismi <> wrote on Monday, June 30, 2008 8:15 PM:

> Hi there,
>
> I have a doubt I could resolve using a lab environment, but for several
> reasons I don't have enough time at this moment, nor do I have the
> correct equipment here.
>
> I am thinking of collapsing several routers' configurations into new
> equipment, deploying subinterfaces with 802.1q and VRFs.
>
> The situation is that for the same physical interface I would have
> several subinterfaces, working in the same vlan but different vrf, with
> also different ip addresses but all of them are in the same subnet.
>
> The question is, is the router going to be clever enough to deliver
> the packet in the correct interface? Take note that the IP address
> used as destination in the incoming packet is not going to be the ip
> address of the interface, because of the router and its vrfs.

This is not going to work. The router needs the vlan tag to associate the appropriate (sub)interface with the packet, so the vlan tag has to be unique on the interface (some platforms like the 6500 even ask for a unique tag per system). VRF association comes later and is based on the vrf configured on the (sub)interface.

So if you want to consolidate multiple vlan/.1q connections, you will need to change vlan IDs in order to make them unique.

oli

From ayourtch at gmail.com Wed Jul 2 04:57:36 2008
From: ayourtch at gmail.com (Andrew Yourtchenko)
Date: Wed, 2 Jul 2008 10:57:36 +0200
Subject: [c-nsp] Telnet FROM a PIX Appliance?
In-Reply-To: <486A8BCC.7070606@spacething.org>
References: <200807011121.m61BL2Ax084691@puck.nether.net> <486A1507.6040107@reub.net> <486A8BCC.7070606@spacething.org>
Message-ID: <530c5af60807020157k1083c5ffnf05d50304652828e@mail.gmail.com>

On Tue, Jul 1, 2008 at 9:55 PM, Sam Stickland wrote:
> I can buy the compromising argument for a reason not to do this.
>
> I think the reason most people here want to be able to do outbound telnet is
> for troubleshooting - checking port connectivity and protocol banners. Many
> times administrators are insistent that a server is listening on such and
> such a port, and it's not. It's nice to be able to troubleshoot problems in
> chunks.
>

If the matter is just testing whether the TCP server is listening on a given port or not, would the following work for this purpose?
-----
access-list foo permit tcp host x.x.x.x host y.y.y.y
access-list foo permit tcp host y.y.y.y host x.x.x.x
capture test interface bar access-list foo
copy http://x.x.x.x:NNNN/test flash:test
show capture test detail
-----

thanks,
andrew

From tom at snnap.net Wed Jul 2 05:09:53 2008
From: tom at snnap.net (Tom Storey)
Date: Wed, 2 Jul 2008 18:39:53 +0930
Subject: [c-nsp] Multiple 802.1q subinterfaces with the same vlan under the same physical interface
In-Reply-To: <1214849728.8702.10.camel@dsba-ipso>
References: <1214849728.8702.10.camel@dsba-ipso>
Message-ID:

On 01/07/2008, at 3:45 AM, luismi wrote:
> The question is, is the router going to be clever enough to deliver the
> packet in the correct interface?

Let's assume the router was clever enough to do this; the question would then be: are the switches clever enough to do it? The buck doesn't stop at the router. :-)

You've got 4094 VLAN IDs to choose from, go nuts.

Tom

From ayourtch at gmail.com Wed Jul 2 05:19:26 2008
From: ayourtch at gmail.com (Andrew Yourtchenko)
Date: Wed, 2 Jul 2008 11:19:26 +0200
Subject: [c-nsp] Capture expressions on an FWSM (was Re: Telnet FROM a PIX Appliance?)
In-Reply-To: <4C3B8C75B5899943AEC675BA6DD462730103B904@uspalex02.epri.com>
References: <18dba4e50806300311n5d696788x541c687d7e315e14@mail.gmail.com> <200806301032.m5UAWDRw056902@puck.nether.net> <20080630112104.GG4112@thot.informatik.uni-kl.de> <4C3B8C75B5899943AEC675BA6DD462730103B755@uspalex02.epri.com> <002101c8dacb$11339ab0$f211a8c0@flamwsugsmul5v> <48690FB4.6040902@spacething.org> <4C3B8C75B5899943AEC675BA6DD462730103B904@uspalex02.epri.com>
Message-ID: <530c5af60807020219y75c93c8are15479325d76ddfb@mail.gmail.com>

On Tue, Jul 1, 2008 at 6:06 PM, Higham, Josh wrote:
>> Tony Varriale wrote:
>> > Any chance you could give the group more details before saying it
>> > can't be trusted?
>> >
>> I'm afraid I don't have any concrete details to add, but I've found
>> capture expressions on Firewall Service Modules to be quite
>> inconsistent. Presumably this is something to do with the module's
>> interaction with the chassis? I haven't had the time to lab this, and I
>> haven't always had problems, but I now generally work to the mantra that
>> "the absence of a packet in an FWSM capture is not proof that the packet
>> does not exist, but the presence of a packet in a capture does prove
>> its existence".
>>
>> Perhaps there is a cisco documentation on this, listing known caveats
>> and limitations?

It's useful to make a distinction between the FWSM and ASA.

FWSM has a few distinct components - fast path, session path, and control plane. The bulk of the traffic goes over a fast path (separate chips), and the capture is accumulated on the control plane. While this sounds easy, in reality there are a lot of different scenarios to account for - and not all of them were caught the first time. Generally in 3.1.9 I have found it to be reasonably reliable - but I still tend to apply the same principle as you when it comes to "tricky" scenarios where the packets are absent - that I try to double-check to ensure there is no mistake made.

The capture on the FWSM should work similar to ASA's - with the obvious caveat that since the packets are collected on the control plane, the timing might be a bit off - so for time-sensitive scenarios I'd still advise the span (by the way, the absence of the packets there is also not a proof that the packet did not exist :-) - keep in mind the DEC field notice.

The descriptions for the fixes within the capture component should be coming up within the normal release notes - as for everything else.

Now, the ASA is purely software, which makes things a lot easier. To me the only issue that readily comes to mind is CSCsh89784.
The code is pretty early in the packet path, so the only reason I can see is that there was some issue at a lower level - the NIC driver. But then the tweaks with the xlate on the other hand should not have changed anything...

If you're able to make this behaviour happen at will, please drop me an email.

thanks,
andrew

>
> I found the same situation with the ASA (version 8.0 code). Normally
> you would expect the packet capture to be the very first code path, but
> this is demonstrably not true. In my case I had a span port on a switch
> and would get the packet, but a capture on the firewall did not show it.
>
> "The absence of a packet is not proof that the packet doesn't exist"
>
> Thanks,
> Josh
>
>> > ----- Original Message ----- From: "Higham, Josh"
>> > To:
>> > Sent: Monday, June 30, 2008 10:41 AM
>> > Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?
>> >
>> >
>> >>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ziv Leyes
>> >>>
>> >>> I guess it's more as a "working right" educational purpose,
>> >>> so you won't use your firewall as a debugging client.
>> >>> In newer versions there's the packet tracker that can help
>> >>> you debug connectivity problems.
>> >>> Ziv
>> >>
>> >> As an FYI, the ASA/Pix packet capture cannot currently be completely
>> >> trusted (version 8.0). I found an annoying bug where I would capture
>> >> the frame on a span session monitoring the port connected to the
>> >> firewall, but it wouldn't show up on the firewall capture.
>> >>
>> >> The packet in question was also being dropped by the firewall, but with
>> >> no logging (and with a permit ip any any rule in place). The 'fix' was
>> >> to apply a nat translation and then remove it. TAC was completely
>> >> unhelpful (worst ever TAC experience).
>> >>
>> >> Blocking outbound sessions on the firewall also means that it can't be
>> >> used to bounce an attack, if compromised.
>> >>
>> >> Thanks,
>> >> Josh
>> >
>>

From asturluismi at gmail.com Wed Jul 2 05:23:25 2008
From: asturluismi at gmail.com (luismi)
Date: Wed, 02 Jul 2008 11:23:25 +0200
Subject: [c-nsp] Multiple 802.1q subinterfaces with the same vlan under thesame physical interface
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405A88C78@xmb-ams-333.emea.cisco.com>
References: <1214849728.8702.10.camel@dsba-ipso> <70B7A1CCBFA5C649BD562B6D9F7ED78405A88C78@xmb-ams-333.emea.cisco.com>
Message-ID: <1214990605.6603.4.camel@dsba-ipso>

What I was thinking of is assigning different subinterfaces (from different physical interfaces) to the same vlan in the same chassis.

I think that the router will be able to manage that configuration, for example: fa0/0.1 and fa1/0.1 working in different vrfs but in the same vlan, with different IP addresses from the same subnet.

Is that correct?

On Wed, 02-07-2008 at 08:22 +0200, Oliver Boehmer (oboehmer) wrote:
> luismi <> wrote on Monday, June 30, 2008 8:15 PM:
>
>> Hi there,
>>
>> I have a doubt I could resolve using a lab environment, but for several
>> reasons I don't have enough time at this moment, nor do I have the
>> correct equipment here.
>>
>> I am thinking of collapsing several routers' configurations into new
>> equipment, deploying subinterfaces with 802.1q and VRFs.
>>
>> The situation is that for the same physical interface I would have
>> several subinterfaces, working in the same vlan but different vrf, with
>> also different ip addresses but all of them are in the same subnet.
>>
>> The question is, is the router going to be clever enough to deliver
>> the packet in the correct interface?
>> Take note that the IP address
>> used as destination in the incoming packet is not going to be the ip
>> address of the interface, because of the router and its vrfs.
>
> This is not going to work. The router needs the vlan tag to associate
> the appropriate (sub)interface with the packet, so the vlan tag has to
> be unique on the interface (some platforms like the 6500 even ask for a
> unique tag per system). VRF association comes later and is based on the
> vrf configured on the (sub)interface.
> So if you want to consolidate multiple vlan/.1q connections, you will
> need to change vlan IDs in order to make them unique.
>
> oli

From oboehmer at cisco.com Wed Jul 2 05:38:31 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Wed, 2 Jul 2008 11:38:31 +0200
Subject: [c-nsp] Multiple 802.1q subinterfaces with the same vlan underthesame physical interface
In-Reply-To: <1214990605.6603.4.camel@dsba-ipso>
References: <1214849728.8702.10.camel@dsba-ipso> <70B7A1CCBFA5C649BD562B6D9F7ED78405A88C78@xmb-ams-333.emea.cisco.com> <1214990605.6603.4.camel@dsba-ipso>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405A88DF4@xmb-ams-333.emea.cisco.com>

luismi wrote on Wednesday, July 02, 2008 11:23 AM:

> What I was thinking of is assigning different subinterfaces (from different
> physical interfaces) to the same vlan in the same chassis.
>
> I think that the router will be able to manage that configuration, for
> example: fa0/0.1 and fa1/0.1 working in different vrfs but in the same
> vlan, with different IP addresses from the same subnet.
>
> Is that correct?

Yes, this will work on most platforms. The 6500/7600 uses system-wide vlans (with a few exceptions), so this won't work there..

Tom's comment on the (possibly connected) switched infrastructure still applies, but if you are "only" consolidating the router part, it should work.
oli

>
> On Wed, 02-07-2008 at 08:22 +0200, Oliver Boehmer (oboehmer) wrote:
>> luismi <> wrote on Monday, June 30, 2008 8:15 PM:
>>
>>> Hi there,
>>>
>>> I have a doubt I could resolve using a lab environment, but for several
>>> reasons I don't have enough time at this moment, nor do I have
>>> the correct equipment here.
>>>
>>> I am thinking of collapsing several routers' configurations into new
>>> equipment, deploying subinterfaces with 802.1q and VRFs.
>>>
>>> The situation is that for the same physical interface I would have
>>> several subinterfaces, working in the same vlan but different vrf,
>>> with also different ip addresses but all of them are in the same
>>> subnet.
>>>
>>> The question is, is the router going to be clever enough to deliver
>>> the packet in the correct interface? Take note that the IP address
>>> used as destination in the incoming packet is not going to be the ip
>>> address of the interface, because of the router and its vrfs.
>>
>> This is not going to work. The router needs the vlan tag to associate
>> the appropriate (sub)interface with the packet, so the vlan tag has
>> to be unique on the interface (some platforms like the 6500 even ask
>> for a unique tag per system). VRF association comes later and is
>> based on the vrf configured on the (sub)interface.
>> So if you want to consolidate multiple vlan/.1q connections, you will
>> need to change vlan IDs in order to make them unique.
>>
>> oli

From asturluismi at gmail.com Wed Jul 2 07:12:03 2008
From: asturluismi at gmail.com (luismi)
Date: Wed, 02 Jul 2008 13:12:03 +0200
Subject: [c-nsp] Multiple 802.1q subinterfaces with the same vlan underthesame physical interface
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405A88DF4@xmb-ams-333.emea.cisco.com>
References: <1214849728.8702.10.camel@dsba-ipso> <70B7A1CCBFA5C649BD562B6D9F7ED78405A88C78@xmb-ams-333.emea.cisco.com> <1214990605.6603.4.camel@dsba-ipso> <70B7A1CCBFA5C649BD562B6D9F7ED78405A88DF4@xmb-ams-333.emea.cisco.com>
Message-ID: <1214997123.6603.9.camel@dsba-ipso>

My conclusion is that in the scenario I am using, the problem is that it won't be possible to configure a router with several subinterfaces in the same vlan under the same physical interface, due to an issue with the MAC address and the switches' side.

And yes, at the moment I am just trying to consolidate the router side, reduce the management efforts, points of failure... since we go for just 2 routers in HSRP with vlans and VRF instead of 4 routers (2 x HSRP).

Thanks for all the comments.

On Wed, 02-07-2008 at 11:38 +0200, Oliver Boehmer (oboehmer) wrote:
> luismi wrote on Wednesday, July 02, 2008 11:23 AM:
>
>> What I was thinking of is assigning different subinterfaces (from different
>> physical interfaces) to the same vlan in the same chassis.
>>
>> I think that the router will be able to manage that configuration, for
>> example: fa0/0.1 and fa1/0.1 working in different vrfs but in the same
>> vlan, with different IP addresses from the same subnet.
>>
>> Is that correct?
>
> Yes, this will work on most platforms. The 6500/7600 uses system-wide vlans (with a few exceptions), so this won't work there..
> Tom's comment on the (possibly connected) switched infrastructure still applies, but if you are "only" consolidating the router part, it should work.
>
> oli
>
> > On Wed, 02-07-2008 at 08:22 +0200, Oliver Boehmer (oboehmer) wrote:
> >> luismi <> wrote on Monday, June 30, 2008 8:15 PM:
> >>
> >>> Hi there,
> >>>
> >>> I have a doubt I could solve using a lab environment, but for several
> >>> reasons I don't have enough time at this moment, nor do I have
> >>> the correct equipment here.
> >>>
> >>> I am thinking of collapsing several routers' configurations into new
> >>> equipment, deploying subinterfaces with 802.1q and VRFs.
> >>>
> >>> The situation is that for the same physical interface I would have
> >>> several subinterfaces, working in the same vlan but different vrf,
> >>> also with different ip addresses, but all of them in the same
> >>> subnet.
> >>>
> >>> The question is, is the router going to be clever enough to deliver
> >>> the packet to the correct interface? Take note that the IP address
> >>> used as destination in the incoming packet is not going to be the ip
> >>> address of the interface, since the router and its vrfs.
> >>
> >> This is not going to work. The router needs the vlan tag to associate
> >> the appropriate (sub)interface with the packet, so the vlan tag has
> >> to be unique on the interface (some platforms like the 6500 even ask
> >> for a unique tag per system). VRF association comes later and is
> >> based on the vrf configured on the (sub)interface.
> >> So if you want to consolidate multiple vlan/.1q connections, you will
> >> need to change vlan IDs in order to make them unique.
> >>
> >> oli

From zivl at gilat.net Wed Jul 2 07:26:27 2008
From: zivl at gilat.net (Ziv Leyes)
Date: Wed, 2 Jul 2008 14:26:27 +0300
Subject: [c-nsp] Error
In-Reply-To:
References: <200806301619.m5UGJs6f073793@puck.nether.net> <20080630163859.GM4633@greenie.muc.de> <486A66A5.4070401@west.net> <486A78B7.1070506@templin.org>
Message-ID:

I'm not the one who is capable of doing it, and I don't wanna sound demagogic, but I think the whole SMTP protocol should be re-written from scratch.
We're talking about a protocol that is over 40 years old! And nowadays we need much more than a "simple mail transfer protocol".
Well, this goes also for TCP...

Ziv

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jason Gurtz
Sent: Tuesday, July 01, 2008 11:40 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Error

> Then write an updated RFC that changes the standards to reflect this
> behavior, and get it published and accepted.

Looks like 5821 will have to do (3821/4821 already taken) and be great when everyone's compliant by the year 2030.

In the meantime, BATV (draft is: draft-levine-smtp-batv-01) can be of help. Helpfully, it even breaks most C/R systems as well :)

~JasonG

--
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

************************************************************************************
This footnote confirms that this email message has been scanned by PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************

From vikassharmas at gmail.com Wed Jul 2 07:49:02 2008
From: vikassharmas at gmail.com (Vikas Sharma)
Date: Wed, 2 Jul 2008 17:19:02 +0530
Subject: [c-nsp] /31 network
Message-ID:

Hi,

has anyone used a /31 network instead of a /30? I believe it is recommended to use a /31 network? Need expert comments.
Regards,
Vikas Sharma

From risnaini at indo.net.id Wed Jul 2 07:56:06 2008
From: risnaini at indo.net.id (a. rahman isnaini r.sutan)
Date: Wed, 02 Jul 2008 18:56:06 +0700
Subject: [c-nsp] /31 network
In-Reply-To:
References:
Message-ID: <486B6CD6.5010107@indo.net.id>

Yep, it works.

a. rahman isnaini r.sutan

Vikas Sharma wrote:
> Hi,
>
> has anyone used a /31 network instead of a /30? I believe it is recommended to
> use a /31 network? Need expert comments.
>
> Regards,
> Vikas Sharma
>

From stig.johansen at ementor.no Wed Jul 2 08:15:56 2008
From: stig.johansen at ementor.no (Stig Johansen)
Date: Wed, 2 Jul 2008 14:15:56 +0200
Subject: [c-nsp] /31 network
Message-ID: <13A13E9CF0F76342A79031B9E558C0C5187B11@100NOOSLMSG004.common.alpharoot.net>

Hi there,

It works just fine on "newer" Cisco IOS for point-to-point links. (It came in 12.2(2)T and 12.2(28)SB.) The RFC is 3021 (Using 31-Bit Prefixes on IPv4 Point-to-Point Links).

/Stig

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Vikas Sharma
Sent: 2 July 2008 13:49
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] /31 network

Hi,

has anyone used a /31 network instead of a /30? I believe it is recommended to use a /31 network? Need expert comments.
Regards,
Vikas Sharma

From harbor235 at gmail.com Wed Jul 2 08:57:14 2008
From: harbor235 at gmail.com (Mike Johnson)
Date: Wed, 2 Jul 2008 08:57:14 -0400
Subject: [c-nsp] Route Reflector Design
Message-ID: <836bf1f90807020557s78131112ma1b84850709bd1fb@mail.gmail.com>

To all,

Does anyone have any good docs on RR design in service provider networks?

I have read docs detailing a central route reflector and a RR for each POP. The piece I am missing is how the next-hop attribute reflected for each POP prefix (say POP1) into the AS is routed to by other POPs or other routers not peering with the POP1 (say POP10)?

I assume an IGP is used somehow; however, it's the internal IGP design I am not grasping.

thanx in advance

Mike j

From ianh at chime.net.au Wed Jul 2 08:00:10 2008
From: ianh at chime.net.au (Ian Henderson)
Date: Wed, 2 Jul 2008 20:00:10 +0800
Subject: [c-nsp] /31 network
In-Reply-To:
References:
Message-ID: <100362309621454DAA534950B17E55DB9E02CAA8F3@isp-per-exc01.win2k.iinet.net.au>

Vikas Sharma wrote on 2008-07-02:
> has anyone used a /31 network instead of a /30? I believe it is
> recommended to use a /31 network? Need expert comments.

Works fine. Just don't use x.x.x.0/31 or x.x.x.254/31, otherwise you'll get complaints from Windows users that traceroute no longer works.

--
Ian Henderson, CCIE #14721
Senior Network Engineer, iiNet Limited

From charles at thewybles.com Wed Jul 2 09:24:15 2008
From: charles at thewybles.com (charles at thewybles.com)
Date: Wed, 2 Jul 2008 13:24:15 +0000
Subject: [c-nsp] Route Reflector Design
Message-ID: <343740191-1215005099-cardhu_decombobulator_blackberry.rim.net-2140976254-@bxe135.bisx.prod.on.blackberry>

Can you provide a link to the documentation you have reviewed already? Saves the google.
:)

I'm in the process of building out a service provider network, and route reflector/noc info etc. is a big part of that process.

Thanks!

Charles Wyble

------Original Message------
From: Mike Johnson
Sender:
To: cisco-nsp at puck.nether.net
Sent: Jul 2, 2008 5:57 AM
Subject: [c-nsp] Route Reflector Design

To all,

Does anyone have any good docs on RR design in service provider networks?

I have read docs detailing a central route reflector and a RR for each POP. The piece I am missing is how the next-hop attribute reflected for each POP prefix (say POP1) into the AS is routed to by other POPs or other routers not peering with the POP1 (say POP10)?

I assume an IGP is used somehow; however, it's the internal IGP design I am not grasping.

thanx in advance

Mike j

Sent via BlackBerry from T-Mobile

From justin at justinshore.com Wed Jul 2 09:27:06 2008
From: justin at justinshore.com (Justin Shore)
Date: Wed, 02 Jul 2008 08:27:06 -0500
Subject: [c-nsp] /31 network
In-Reply-To:
References:
Message-ID: <486B822A.6040206@justinshore.com>

It works fine here. I use it for all my infrastructure links between Cisco gear (and only Cisco gear). More specifically IOS devices. I don't believe FWSMs, IDSMs, ASAs, etc. have support for it. I never tried, but I'd seriously doubt it.

Justin

Vikas Sharma wrote:
> Hi,
>
> has anyone used a /31 network instead of a /30? I believe it is recommended to
> use a /31 network? Need expert comments.
>
> Regards,
> Vikas Sharma

From ccie15385 at gmail.com Wed Jul 2 09:34:57 2008
From: ccie15385 at gmail.com (JH Cockburn)
Date: Wed, 2 Jul 2008 15:34:57 +0200
Subject: [c-nsp] Route Reflector Design
In-Reply-To: <836bf1f90807020557s78131112ma1b84850709bd1fb@mail.gmail.com>
References: <836bf1f90807020557s78131112ma1b84850709bd1fb@mail.gmail.com>
Message-ID: <001201c8dc48$6d726a30$8604030a@africa.enterprise.root>

Hi Mike,

Regarding the next-hop stuff, taken from the RFC (2796):

In addition, when a RR reflects a route, it should not modify the following path attributes: NEXT_HOP, AS_PATH, LOCAL_PREF, and MED. Their modification could potentially result in routing loops.

Also on page 6 of this RFC the deployment of RRs is discussed under the heading "9. Configuration and Deployment Considerations".

Hope this helps...

Cheers
JC

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mike Johnson
Sent: Wednesday, July 02, 2008 2:57 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Route Reflector Design

To all,

Does anyone have any good docs on RR design in service provider networks?

I have read docs detailing a central route reflector and a RR for each POP. The piece I am missing is how the next-hop attribute reflected for each POP prefix (say POP1) into the AS is routed to by other POPs or other routers not peering with the POP1 (say POP10)?

I assume an IGP is used somehow; however, it's the internal IGP design I am not grasping.
thanx in advance

Mike j

From tim at pelican.org Wed Jul 2 09:34:19 2008
From: tim at pelican.org (Tim Franklin)
Date: Wed, 2 Jul 2008 14:34:19 +0100 (BST)
Subject: [c-nsp] Route Reflector Design
In-Reply-To: <836bf1f90807020557s78131112ma1b84850709bd1fb@mail.gmail.com>
References: <836bf1f90807020557s78131112ma1b84850709bd1fb@mail.gmail.com>
Message-ID:

On Wed, July 2, 2008 1:57 pm, Mike Johnson wrote:
> Does anyone have any good docs on RR design in service provider networks?
>
>
> I have read docs detailing a central route reflector and a RR for each
> POP. The piece I am missing is how the next-hop attribute reflected for
> each POP prefix (say POP1) into the AS is routed to by other POPs or
> other routers not peering with the POP1 (say POP10)?
>
> I assume an IGP is used somehow; however, it's the internal IGP design I
> am not grasping.

Have all the edge boxes - RR clients in PoPs - set update-source to a loopback, and set next-hop self.

Peer between loopbacks everywhere.

Put all the loopbacks in your IGP.

Job done :)

Regards,
Tim.

From jaitken at aitken.com Wed Jul 2 09:35:23 2008
From: jaitken at aitken.com (Jeff Aitken)
Date: Wed, 2 Jul 2008 13:35:23 +0000
Subject: [c-nsp] Route Reflector Design
In-Reply-To: <836bf1f90807020557s78131112ma1b84850709bd1fb@mail.gmail.com>
References: <836bf1f90807020557s78131112ma1b84850709bd1fb@mail.gmail.com>
Message-ID: <20080702133523.GA68759@eagle.aitken.com>

On Wed, Jul 02, 2008 at 08:57:14AM -0400, Mike Johnson wrote:
> I have read docs detailing a central route reflector and a RR for each POP.
> [...]
> I assume an IGP is used somehow; however, it's the internal IGP design I am
> not grasping.

Mike,

A common, but by no means the only, strategy is as follows:

1. All routers participate in a single, flat IGP.
   The only routes carried in the IGP are loopbacks and links between routers. All other routes are carried in BGP. This keeps things simple and promotes fast convergence.

2. All core routers participate in a full IBGP mesh.

3. All lower-level routers in a "region" are client peers of the cores that serve that region (where 'region' could mean POP, city, country, etc., depending on your network).

4. All routes advertised via BGP have their next-hop reset where they enter the network. Typically this is on the edge routers, which are client peers of the local core routers, but can be done anywhere. The end result is that no matter where on the network you stand, every BGP route has a next-hop address that corresponds to a router loopback that you know how to reach via your IGP.

Variations on this model might include:

a. Multi-{level,area} IGP, if your network is big enough to warrant it.

b. Fewer reflectors, from "regional" all the way to "central".

c. In very large or complex networks, you might see tiered reflection or confederations, but those should be fairly rare.

--Jeff

From harbor235 at gmail.com Wed Jul 2 09:48:23 2008
From: harbor235 at gmail.com (Mike Johnson)
Date: Wed, 2 Jul 2008 09:48:23 -0400
Subject: [c-nsp] Route Reflector Design
In-Reply-To:
References: <836bf1f90807020557s78131112ma1b84850709bd1fb@mail.gmail.com>
Message-ID: <836bf1f90807020648s63f40852wa3019cf58b856466@mail.gmail.com>

Tim,

Got that, now for a large network would you create a backbone area (OSPF) for regionalization of routes and make routers within the region into other areas? It's the underlying IGP design that makes all the connector nets to POPs available that is my main concern.

thanx for your help,

-Mike j

On 7/2/08, Tim Franklin wrote:
>
> On Wed, July 2, 2008 1:57 pm, Mike Johnson wrote:
>
> > Does anyone have any good docs on RR design in service provider networks?
> >
> >
> > I have read docs detailing a central route reflector and a RR for each
> > POP.
> > The piece I am missing is how the next-hop attribute reflected for
> > each POP prefix (say POP1) into the AS is routed to by other POPs or
> > other routers not peering with the POP1 (say POP10)?
> >
> > I assume an IGP is used somehow; however, it's the internal IGP design I
> > am not grasping.
>
> Have all the edge boxes - RR clients in PoPs - set update-source to a
> loopback, and set next-hop self.
>
> Peer between loopbacks everywhere.
>
> Put all the loopbacks in your IGP.
>
> Job done :)
>
> Regards,
> Tim.
>
>

From petelists at templin.org Wed Jul 2 09:50:47 2008
From: petelists at templin.org (Pete Templin)
Date: Wed, 02 Jul 2008 08:50:47 -0500
Subject: [c-nsp] Route Reflector Design
In-Reply-To: <20080702133523.GA68759@eagle.aitken.com>
References: <836bf1f90807020557s78131112ma1b84850709bd1fb@mail.gmail.com> <20080702133523.GA68759@eagle.aitken.com>
Message-ID: <486B87B7.7010707@templin.org>

I'm going to add some elaborations and alternatives in between your excellent comments, if you don't mind...

Jeff Aitken wrote:
> A common, but by no means the only, strategy is as follows:
>
> 1. All routers participate in a single, flat IGP. The only routes carried
> in the IGP are loopbacks and links between routers. All other routes are
> carried in BGP. This keeps things simple and promotes fast convergence.

Lesson learned: if you can, put all of the loopbacks into an aggregateable range, and all of the inter-router links in an aggregateable range. Makes rACLs much easier when you deploy them (tomorrow).

IGP metric design can take many shapes. Planning your metrics early can make for excellent stability in the face of issues and outages, and can keep leased line costs low.

> 3. All lower-level routers in a "region" are client peers of the cores
> that serve that region (where 'region' could mean POP, city, country,
> etc., depending on your network).
We took this a step further, for future-proofing, courtesy of guidance from AOL/ATDN and their excellent NANOG presentation on migrating from OSPF to ISIS. All of the lower-level routers are client peers of the cores, and are fully meshed within the region; the cores do NOT reflect routes from client to client. This helps quench MED oscillation issues.

> 4. All routes advertised via BGP have their next-hop reset where they
> enter the network. Typically this is on the edge routers, which are
> client peers of the local core routers, but can be done anywhere. The
> end result is that no matter where on the network you stand, every BGP
> route has a next-hop address that corresponds to a router loopback that
> you know how to reach via your IGP.

It's simplest to reset ALL routes, but you might want to look at doing it on MOST, leaving a hook to exclude some special-case routes such as blackhole routes.

You can also avoid the next-hop rewrite as long as the link containing the next hop is in BGP (or your IGP, but not recommended). I haven't proven my theory, but my theory says that NOT rewriting the next-hop allows MPLS (if you're running it) to label-switch packets all the way to the egress interface. A rewritten next-hop would invoke PHP at the next-to-edge router, and the edge router would have to do a FIB lookup. Am I wrong? Possibly. Would there be a benefit? I think so.
pt

From petelists at templin.org Wed Jul 2 09:58:02 2008
From: petelists at templin.org (Pete Templin)
Date: Wed, 02 Jul 2008 08:58:02 -0500
Subject: [c-nsp] Route Reflector Design
In-Reply-To: <836bf1f90807020648s63f40852wa3019cf58b856466@mail.gmail.com>
References: <836bf1f90807020557s78131112ma1b84850709bd1fb@mail.gmail.com> <836bf1f90807020648s63f40852wa3019cf58b856466@mail.gmail.com>
Message-ID: <486B896A.1020305@templin.org>

Mike Johnson wrote:
> Got that, now for a large network would you create a backbone area (OSPF)
> for regionalization of routes
> and make routers within the region into other areas? It's the underlying IGP
> design that makes all the connector nets to POPs available that is my main concern.

Would you be hitting anywhere close to 5,000 (nodes plus links plus loopbacks)? If not, single area seems to be the better bet.

Multi-area becomes almost distance-vector: there's a vector to the backbone area, a vector across the backbone area, and a vector to the exit point. Ick.

pt

From bryan.phillips at cybera.net Wed Jul 2 10:01:10 2008
From: bryan.phillips at cybera.net (Bryan Phillips)
Date: Wed, 2 Jul 2008 09:01:10 -0500
Subject: [c-nsp] /31 network
In-Reply-To:
References:
Message-ID: <48FAC036AD7B7642BB2944FB9AE674A302F01281@EXCHANGE.nashville.cybera.net>

Been using /31's for a while now. Cuts down the IP space.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Vikas Sharma
Sent: Wednesday, July 02, 2008 6:49 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] /31 network

Hi,

has anyone used a /31 network instead of a /30? I believe it is recommended to use a /31 network? Need expert comments.
Regards,
Vikas Sharma

From dudepron at gmail.com Wed Jul 2 10:03:04 2008
From: dudepron at gmail.com (Aaron)
Date: Wed, 2 Jul 2008 10:03:04 -0400
Subject: [c-nsp] /31 network
In-Reply-To: <486B822A.6040206@justinshore.com>
References: <486B822A.6040206@justinshore.com>
Message-ID: <480dad640807020703k544c2e84obeb55bb22a7b33b5@mail.gmail.com>

It also works in 12.0S too. 12.0(21)+

Aaron

On Wed, Jul 2, 2008 at 9:27 AM, Justin Shore wrote:
> It works fine here. I use it for all my infrastructure links between Cisco
> gear (and only Cisco gear). More specifically IOS devices. I don't believe
> FWSMs, IDSMs, ASAs, etc. have support for it. I never tried, but I'd
> seriously doubt it.
>
> Justin
>
>
> Vikas Sharma wrote:
>
>> Hi,
>>
>> has anyone used a /31 network instead of a /30? I believe it is recommended
>> to
>> use a /31 network? Need expert comments.
>>
>> Regards,
>> Vikas Sharma
>>
>

From cisco-nsp at slepicka.net Wed Jul 2 10:07:36 2008
From: cisco-nsp at slepicka.net (James Slepicka)
Date: Wed, 02 Jul 2008 09:07:36 -0500
Subject: [c-nsp] /31 network
In-Reply-To: <486B822A.6040206@justinshore.com>
References: <486B822A.6040206@justinshore.com>
Message-ID: <486B8BA8.9070400@slepicka.net>

/31s work fine here for IOS gear. I can confirm that the ASA does not support them.
It's been a while since I last tried, but if I remember correctly, you can configure an interface with a /31, but it won't pass traffic, nor will it be obvious what the problem is.

Justin Shore wrote:
> It works fine here. I use it for all my infrastructure links between
> Cisco gear (and only Cisco gear). More specifically IOS devices. I
> don't believe FWSMs, IDSMs, ASAs, etc. have support for it. I never
> tried, but I'd seriously doubt it.
>
> Justin
>
> Vikas Sharma wrote:
>> Hi,
>>
>> has anyone used a /31 network instead of a /30? I believe it is
>> recommended to
>> use a /31 network? Need expert comments.
>>
>> Regards,
>> Vikas Sharma

From harbor235 at gmail.com Wed Jul 2 10:13:58 2008
From: harbor235 at gmail.com (Mike Johnson)
Date: Wed, 2 Jul 2008 10:13:58 -0400
Subject: [c-nsp] Route Reflector Design
In-Reply-To: <486B896A.1020305@templin.org>
References: <836bf1f90807020557s78131112ma1b84850709bd1fb@mail.gmail.com> <836bf1f90807020648s63f40852wa3019cf58b856466@mail.gmail.com> <486B896A.1020305@templin.org>
Message-ID: <836bf1f90807020713t72be891fp36493dccb735b39e@mail.gmail.com>

Guys, this is great stuff. I may have some additional questions after I digest all the info.

thanx again

Mike j

On 7/2/08, Pete Templin wrote:
>
> Mike Johnson wrote:
>
> Got that, now for a large network would you create a backbone area (OSPF)
>> for regionalization of routes
>> and make routers within the region into other areas? It's the underlying
>> IGP
>> design that makes all the connector nets to POPs available that is my main
>> concern.
>>
>
> Would you be hitting anywhere close to 5,000 (nodes plus links plus
> loopbacks)? If not, single area seems to be the better bet.
>
> Multi-area becomes almost distance-vector: there's a vector to the backbone
> area, a vector across the backbone area, and a vector to the exit point.
> Ick.
>
> pt
>
>

From p.caci at seabone.net Wed Jul 2 10:16:43 2008
From: p.caci at seabone.net (Pierfrancesco Caci)
Date: Wed, 02 Jul 2008 16:16:43 +0200
Subject: [c-nsp] /31 network
In-Reply-To: <486B822A.6040206@justinshore.com> (Justin Shore's message of "Wed, 02 Jul 2008 08:27:06 -0500")
References: <486B822A.6040206@justinshore.com>
Message-ID: <87skus74ms.fsf@clarabella.noc.seabone.net>

:-> "Justin" == Justin Shore writes:

> It works fine here. I use it for all my infrastructure links between
> Cisco gear (and only Cisco gear). More specifically IOS
> devices.

works also between IOS and IOS-XR, XR to XR, and IOS to JUNOS, here.

--
-------------------------------------------------------------------------------
Pierfrancesco Caci | Network & System Administrator - INOC-DBA: 6762*PFC
p.caci at seabone.net | Telecom Italia Sparkle - http://etabeta.noc.seabone.net/
Linux clarabella 2.6.15-29-server #1 SMP Mon Sep 24 17:37:57 UTC 2007 i686 GNU/Linux

From tim at pelican.org Wed Jul 2 10:23:05 2008
From: tim at pelican.org (Tim Franklin)
Date: Wed, 2 Jul 2008 15:23:05 +0100 (BST)
Subject: [c-nsp] Route Reflector Design
In-Reply-To: <836bf1f90807020648s63f40852wa3019cf58b856466@mail.gmail.com>
References: <836bf1f90807020557s78131112ma1b84850709bd1fb@mail.gmail.com> <836bf1f90807020648s63f40852wa3019cf58b856466@mail.gmail.com>
Message-ID: <1fd5261d454c5fbe4169e949a9267329.squirrel@webmail.pelican.org>

On Wed, July 2, 2008 2:48 pm, Mike Johnson wrote:
> Got that, now for a large network would you create a backbone area (OSPF)
> for regionalization of routes
> and make routers within the region into other areas?
> It's the underlying
> IGP
> design that makes all the connector nets to POPs available that is my main
> concern.

I wouldn't bother, unless you have many thousands of devices - but I must admit I haven't crunched the numbers hard or built anything large enough to see where the necessary pain happens.

Remember, at this point you've only got a fairly small number of routes in your IGP, and they ought to be the most stable routes in your network, so you're going to be running SPF both quickly and infrequently.

Regards,
Tim.

From SPfister at dps.k12.oh.us Wed Jul 2 11:20:02 2008
From: SPfister at dps.k12.oh.us (Steven Pfister)
Date: Wed, 02 Jul 2008 11:20:02 -0400
Subject: [c-nsp] L2TPv3 tunnel - one-way only
In-Reply-To: <20080701205403.GO14994@rtp-cse-489.cisco.com>
References: <486A5DCE.9E6F.00B8.0@dps.k12.oh.us> <20080701205403.GO14994@rtp-cse-489.cisco.com>
Message-ID: <486B6462.9E6F.00B8.0@dps.k12.oh.us>

Here is the current config. I'm trying to gain access to vlan 77 on the remote side (10.77.0.0/16). Thanks!

--Steve

central side:

l2tp-class l2-dyn
 authentication
 hostname ADM
 password somepassword
 cookie size 8
!
pseudowire-class pw-dynamic
 encapsulation l2tpv3
 protocol l2tpv3 l2-dyn
 ip local interface Loopback0
!
interface Loopback0
 ip address 192.168.7.1 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 no ip redirects
 no ip proxy-arp
 ip pim sparse-mode
 speed 100
 full-duplex
 no cdp enable
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 192.168.9.1 255.255.255.0
 no snmp trap link-status
 no cdp enable
!
interface FastEthernet0/0.77
 encapsulation dot1Q 77
 no snmp trap link-status
 no cdp enable
 xconnect 192.168.7.77 77 pw-class pw-dynamic

-------------

remote side:

l2tp-class l2-dyn
 authentication
 hostname XYZ
 password somepassword
 cookie size 8
!
pseudowire-class pw-dynamic
 encapsulation l2tpv3
 protocol l2tpv3 l2-dyn
 ip local interface Loopback0
!
interface Loopback0
 ip address 192.168.7.77 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 no ip redirects
 no ip proxy-arp
 ip pim sparse-mode
 ip route-cache flow
 speed 100
 full-duplex
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 10.77.0.1 255.255.0.0
 no snmp trap link-status
 no cdp enable
!
interface FastEthernet0/0.77
 encapsulation dot1Q 77
 no snmp trap link-status
 no cdp enable
 xconnect 192.168.7.1 77 pw-class pw-dynamic

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

From harbor235 at gmail.com Wed Jul 2 11:34:42 2008
From: harbor235 at gmail.com (Mike Johnson)
Date: Wed, 2 Jul 2008 11:34:42 -0400
Subject: [c-nsp] Route Reflector Design
In-Reply-To: <1fd5261d454c5fbe4169e949a9267329.squirrel@webmail.pelican.org>
References: <836bf1f90807020557s78131112ma1b84850709bd1fb@mail.gmail.com> <836bf1f90807020648s63f40852wa3019cf58b856466@mail.gmail.com> <1fd5261d454c5fbe4169e949a9267329.squirrel@webmail.pelican.org>
Message-ID: <836bf1f90807020834p5d36574cu373cdc2ae6ffe49f@mail.gmail.com>

How am I able to utilize thousands of devices in a flat IGP domain? I thought only a couple hundred is recommended before deploying multiple areas.

Are you guys recommending OSPF or ISIS?

-mike j

On 7/2/08, Tim Franklin wrote:
>
> On Wed, July 2, 2008 2:48 pm, Mike Johnson wrote:
>
> > Got that, now for a large network would you create a backbone area (OSPF)
> > for regionalization of routes
> > and make routers within the region into other areas? It's the underlying
> > IGP
> > design that makes all the connector nets to POPs available that is my main
> > concern.
>
> I wouldn't bother, unless you have many thousands of devices - but I must
> admit I haven't crunched the numbers hard or built anything large enough
> to see where the necessary pain happens.
>
> Remember, at this point you've only got a fairly small number of routes in
> your IGP, and they ought to be the most stable routes in your network, so
> you're going to be running SPF both quickly and infrequently.
>
> Regards,
> Tim.
>
>

From petelists at templin.org Wed Jul 2 11:47:34 2008
From: petelists at templin.org (Pete Templin)
Date: Wed, 02 Jul 2008 10:47:34 -0500
Subject: [c-nsp] Route Reflector Design
In-Reply-To: <836bf1f90807020834p5d36574cu373cdc2ae6ffe49f@mail.gmail.com>
References: <836bf1f90807020557s78131112ma1b84850709bd1fb@mail.gmail.com> <836bf1f90807020648s63f40852wa3019cf58b856466@mail.gmail.com> <1fd5261d454c5fbe4169e949a9267329.squirrel@webmail.pelican.org> <836bf1f90807020834p5d36574cu373cdc2ae6ffe49f@mail.gmail.com>
Message-ID: <486BA316.1060907@templin.org>

Mike Johnson wrote:
> How am I able to utilize thousands of devices in a flat IGP domain? I
> thought only a couple hundred is recommended before deploying
> multiple areas.

Do you really have thousands of routers within your network "core"? I have twelve distribution/edge routers and two core routers, maximum, per POP. With five POPs, 40-60 routers, ~140 links, etc., I'm nowhere near the 5,000 target ceiling.

> Are you guys recommending OSPF or ISIS?

I went from OSPF to ISIS a few years ago for several reasons. The relevant reasons are:

1) Perceived network security: since we don't accept CLNS packets from customers or providers, it's much tougher to packet-bomb our IGP.

2) Perceived operational security: since we do MPLS VPNs and anticipate savvy customers wanting to use OSPF over those, having our technicians "separated" from our production IGP as soon as they get to 'router o' was a good thing.

I'm now contemplating going back to OSPF. The relevant reasons are:

1) We have some use for Catalyst 3550s in our network, and AFAIK they don't speak ISIS.

2) We're having extreme pain trying to bring up ISIS for IPv6.
pt

From karim.adel at gmail.com Wed Jul 2 12:05:05 2008
From: karim.adel at gmail.com (Kim Onnel)
Date: Wed, 2 Jul 2008 19:05:05 +0300
Subject: [c-nsp] OT: Cisco ITP consultant needed
In-Reply-To:
References:
Message-ID:

Hello,

Sorry if this is off topic. We are looking for someone who has Cisco ITP experience (SS7oIP) to do a 6 months job with very very very, and I do mean "Very", attractive money.

Please forward this to anyone you might know willing, and send me your resume if interested.

Thanks,
Kim

From jaitken at aitken.com Wed Jul 2 12:12:23 2008
From: jaitken at aitken.com (Jeff Aitken)
Date: Wed, 2 Jul 2008 16:12:23 +0000
Subject: [c-nsp] Route Reflector Design
In-Reply-To: <836bf1f90807020834p5d36574cu373cdc2ae6ffe49f@mail.gmail.com>
References: <836bf1f90807020557s78131112ma1b84850709bd1fb@mail.gmail.com> <836bf1f90807020648s63f40852wa3019cf58b856466@mail.gmail.com> <1fd5261d454c5fbe4169e949a9267329.squirrel@webmail.pelican.org> <836bf1f90807020834p5d36574cu373cdc2ae6ffe49f@mail.gmail.com>
Message-ID: <20080702161223.GA71249@eagle.aitken.com>

On Wed, Jul 02, 2008 at 11:34:42AM -0400, Mike Johnson wrote:
> How am I able to utilize thousands of devices in a flat IGP domain? I
> thought only a couple hundred is recommended before deploying multiple
> areas.

There is no one right answer. It depends on your network: what is the topology, how much aggregation are you doing, how stable are the devices and links, etc. As usual, apply the KISS principle. If you don't NEED multiple areas, don't use them. That said, *thousands* of devices likely means multiple areas.

> Are you guys recommending OSPF or ISIS?
Quoting from Dave Katz' excellent presentation from NANOG19 [1]:

  "For all but extreme cases (large full-mesh networks), protocols are pretty much equivalent in scalability and functionality

  Stability and scalability are largely artifacts of implementation, not protocol design

  Familiarity and comfort in both engineering and operations is probably the biggest factor in choosing"

I've worked for at least two providers that switched from OSPF to ISIS, and my current employer uses both in various places. I'd recommend using what your ops folks are familiar with; the cost of learning something new will likely outweigh any (largely theoretical) gain.

One final consideration is that OSPF support is pretty ubiquitous across a wide variety of devices (routers, switches, firewalls, load balancers, etc) while ISIS support tends to exist only in routers (and to a lesser degree, switches) used by service providers. Whether this matters to you depends on your current & expected vendor/platform set.

--Jeff

[1] http://www.nanog.org/mtg-0006/katz.html

From jared at corp.sonic.net Wed Jul 2 13:36:59 2008
From: jared at corp.sonic.net (Jared Gillis)
Date: Wed, 02 Jul 2008 10:36:59 -0700
Subject: [c-nsp] 3640 not sending OSPF state traps
Message-ID: <486BBCBB.8060306@corp.sonic.net>

Hi all,

I recently turned up a 3640 running 12.3 latest Enterprise code and OSPF. Everything works as expected, except that the device will not send an OSPF trap for OSPF state changes on any of its interfaces. I do receive syslog messages for the OSPF state changes.

log-adjacency-changes is on in my OSPF config, and all the trap types under "snmp-server enable traps" are active.

There is no "snmp-server enable traps ospf" command available.

I tried changing to 12.3 latest IP Plus code, with no change.

I'm about to try other code versions, possibly even some 12.2 code, but I figure that there's got to be something new to 12.3 or the 3640 that I'm missing.
Thanks in advance,

--
Jared Gillis - jared at corp.sonic.net      Sonic.net, Inc.
Network Operations                          2260 Apollo Way
707.522.1000 (Voice)                        Santa Rosa, CA 95407
707.547.3400 (Support)                      http://www.sonic.net/

From rsnyder at toontown.erial.nj.us Wed Jul 2 13:48:40 2008
From: rsnyder at toontown.erial.nj.us (Bob Snyder)
Date: Wed, 2 Jul 2008 13:48:40 -0400
Subject: [c-nsp] /31 network
Message-ID: <20080702174840.GA690@toontown.erial.nj.us>

On Wed, Jul 02, 2008 at 05:19:02PM +0530, Vikas Sharma wrote:
> has anyone used /31 network instead of /30? I believe this is recommended to
> use /31 network? Need expert comments.

Make sure your monitoring tools handle it ok. When I looked into it a number of years ago, Openview was not at all happy dealing with /31's. I'd hope that tools have updated since the release of the RFC a while ago, but.....

At my current job, we continue to use /30's.

Bob

From tvarriale at comcast.net Wed Jul 2 13:52:06 2008
From: tvarriale at comcast.net (Tony Varriale)
Date: Wed, 2 Jul 2008 12:52:06 -0500
Subject: [c-nsp] /31 network
Message-ID: <003001c8dc6c$58bf9b70$f211a8c0@flamwsugsmul5v>

Yup. Works great on IOS on versions mentioned in other messages.

tv

----- Original Message -----
From: "Vikas Sharma"
To:
Sent: Wednesday, July 02, 2008 6:49 AM
Subject: [c-nsp] /31 network

> Hi,
>
> has anyone used /31 network instead of /30? I believe this is recommended
> to
> use /31 network? Need expert comments.
>
> Regards,
> Vikas Sharma

From saku+cisco-nsp at ytti.fi Wed Jul 2 15:11:53 2008
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Wed, 2 Jul 2008 22:11:53 +0300
Subject: [c-nsp] CoPP on PE router for access network
In-Reply-To: <20080701154118.GI13269@rtp-cse-489.cisco.com>
References: <20080701154118.GI13269@rtp-cse-489.cisco.com>
Message-ID: <20080702191152.GA32429@mx.ytti.net>

On (2008-07-01 11:41 -0400), Rodney Dunn wrote:
> Last I checked CoPP was not VRF aware and it applied to any traffic
> punted to the RP that we could match on so it would apply to PE-CE
> links.

Big annoyance is that in most platforms CoPP is evaluated before labels are popped, so you will blindly accept packets coming from the P side to the PE, assuming it's a VRF packet (or you're running explicit null, in which case INET packets will also be blindly accepted in most platforms).

--
  ++ytti

From saku+cisco-nsp at ytti.fi Wed Jul 2 15:15:12 2008
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Wed, 2 Jul 2008 22:15:12 +0300
Subject: [c-nsp] /31 network
Message-ID: <20080702191512.GB32429@mx.ytti.net>

On (2008-07-02 17:19 +0530), Vikas Sharma wrote:
> has anyone used /31 network instead of /30? I believe this is recommended to
> use /31 network? Need expert comments.

We've been running it for years; some CPE grade boxes have had software bugs where, while they should support /31, weird things start to happen, like they start to ARP for the whole Internet (0.0.0.0/0 towards the PE), in which case our fix is to enable proxy-arp in the PE (to get the customer connection running) and upgrade software in the next possible maintenance. I think we've seen another different issue too, but I didn't handle it.
--
  ++ytti

From daniel.dib at reaper.nu Wed Jul 2 15:45:13 2008
From: daniel.dib at reaper.nu (Daniel Dib)
Date: Wed, 2 Jul 2008 21:45:13 +0200
Subject: [c-nsp] /31 network
In-Reply-To: <20080702191512.GB32429@mx.ytti.net>
Message-ID: <000001c8dc7c$257ddc80$8119fea9@reap>

On (2008-07-02 17:19 +0530), Vikas Sharma wrote:
> has anyone used /31 network instead of /30? I believe this is recommended to
> use /31 network? Need expert comments.

We've been running it for a long time. We use it for PE-CPE links where the CPE is a c877/1800/3750/7300 etc. Haven't seen any issues with it. We used /30 before; also, if we are upgrading a circuit and the customer gets a new router, we often take the /30 back and replace it with a /31, which saves some addresses.

/Daniel

From kgraham at industrial-marshmallow.com Wed Jul 2 16:08:52 2008
From: kgraham at industrial-marshmallow.com (Kevin Graham)
Date: Wed, 2 Jul 2008 13:08:52 -0700 (PDT)
Subject: [c-nsp] /31 network
Message-ID: <599421.84529.qm@web906.biz.mail.mud.yahoo.com>

> has anyone used /31 network instead of /30? I believe this is recommended to
> use /31 network? Need expert comments.

Support still seems very limited, but on a similar thread, has anyone toyed with the 'ip unnumbered for Ethernet' feature? Initially it was just option-82 magic, but I noticed there's now also a "poll" option to support non-DHCP hosts:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/37sg/configuration/guides/unnumber.html

There's the single message from a CLI example:

"Warning: dynamic routing protocols will not work on non-point-to-point interfaces with IP unnumbered configured."

...though without more discussion on the underlying functionality, that's terribly vague (i.e. would explicit neighbor configurations remedy the limitation?).
From rodunn at cisco.com Wed Jul 2 16:16:22 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Wed, 2 Jul 2008 16:16:22 -0400
Subject: [c-nsp] /31 network
In-Reply-To: <599421.84529.qm@web906.biz.mail.mud.yahoo.com>
References: <599421.84529.qm@web906.biz.mail.mud.yahoo.com>
Message-ID: <20080702201622.GD27911@rtp-cse-489.cisco.com>

There were some bad problems with that. I wouldn't use it. It was originally for the PPPoE type setups IIRC to preserve address space.

For routed P2P use /31's.

On Wed, Jul 02, 2008 at 01:08:52PM -0700, Kevin Graham wrote:
>
> > has anyone used /31 network instead of /30? I believe this is recommended to
> > use /31 network? Need expert comments.
>
> Support still seems very limited, but on a similar thread, has anyone toyed
> with the 'ip unnumbered for Ethernet' feature? Initially it was just option-82
> magic, but I noticed there's now also a "poll" option to support non-DHCP
> hosts:
>
> http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/37sg/configuration/guides/unnumber.html
>
> There's the single message from a CLI example:
>
> "Warning: dynamic routing protocols will not work on non-point-to-point
> interfaces with IP unnumbered configured."
>
> ...though without more discussion on the underlying functionality, that's
> terribly vague (i.e. would explicit neighbor configurations remedy the
> limitation?).

From almog.purepeak at gmail.com Wed Jul 2 16:23:33 2008
From: almog.purepeak at gmail.com (almog ohayon)
Date: Wed, 2 Jul 2008 23:23:33 +0300
Subject: [c-nsp] Routing loop..
Message-ID: <3b53747c0807021323v10d72f83y13d44e2cd9cd77ae@mail.gmail.com>

Hi,

How can I notice that there is a routing loop ??

This question is regarding CCIE R&S of course ...
From juniper84 at live.com Wed Jul 2 16:38:45 2008
From: juniper84 at live.com (J C)
Date: Wed, 2 Jul 2008 17:38:45 -0300
Subject: [c-nsp] Vlan Issue - 7304 & 4507

I'm experiencing a weird issue between a Cisco 7304 and a 4507R switch... Basically it looks like this:

Customer -> Trunk (vlan 1709 native) -> 4507R -> Trunk -> Sub-interface 7304 (customer vrf)

We can see the mac-address from the customer equipment but are unable to ping it from the 7304. We then moved the ip-address from the 7304 vlan sub-interface to an SVI on the 4507R and now we're able to successfully ping the device.

Changing the vlan from 1709 to 2000+ seemed to have fixed the issue in one previous incident.

Everything appears fine when we look at the mac-address table and the ARP tables within the vrf.

Anyone run into anything similar? I'm assuming code level, but I'd love to find a Cisco BugID before I speak out.

From adrian.minta at gmail.com Wed Jul 2 16:48:51 2008
From: adrian.minta at gmail.com (Adrian Minta)
Date: Wed, 02 Jul 2008 23:48:51 +0300
Subject: [c-nsp] Routing loop..
In-Reply-To: <3b53747c0807021323v10d72f83y13d44e2cd9cd77ae@mail.gmail.com>
References: <3b53747c0807021323v10d72f83y13d44e2cd9cd77ae@mail.gmail.com>
Message-ID: <486BE9B3.4000503@gmail.com>

almog ohayon wrote:
> Hi,
> How can I notice that there is a routing loop ??
> This question is regarding CCIE R&S of course ...
>
>

traceroute ?

--
Best regards,
Adrian Minta

From ATolstykh at integrysgroup.com Wed Jul 2 17:41:51 2008
From: ATolstykh at integrysgroup.com (Tolstykh, Andrew)
Date: Wed, 2 Jul 2008 16:41:51 -0500
Subject: [c-nsp] Routing loop..
In-Reply-To: <3b53747c0807021323v10d72f83y13d44e2cd9cd77ae@mail.gmail.com>
References: <3b53747c0807021323v10d72f83y13d44e2cd9cd77ae@mail.gmail.com>
Message-ID: <6E31172B4025564D861CD73627500BAC02E2F824@pru-mail02.pe.net>

Debug ip routing

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of almog ohayon
Sent: Wednesday, July 02, 2008 3:24 PM
To: cisco-nsp at puck.nether.net; Cisco certification
Subject: [c-nsp] Routing loop..

Hi,

How can I notice that there is a routing loop ??

This question is regarding CCIE R&S of course ...

From justin at justinshore.com Wed Jul 2 18:56:53 2008
From: justin at justinshore.com (Justin Shore)
Date: Wed, 02 Jul 2008 17:56:53 -0500
Subject: [c-nsp] IS-IS default route quandary
Message-ID: <486C07B5.2090705@justinshore.com>

I'm trying to figure out a default route issue that stems from our original IS-IS deployment. The entire IS-IS deployment is a flat L2 design.

A    B
|\  /|
| \/ |
| /\ |
|/  \|
C    D

A & B are border routers and C & D are our 7600 core. Each border is dual-homed to each core router. The access edge routers (DSL, cable, metroE, dialup, etc) are dual-homed to the core routers as well. Full BGP tables are extended to core (A-D are in an iBGP mesh). The access edge can't handle full routes.
Customer routes are still in IS-IS but I'm slowly moving them to iBGP. To dynamically learn a default route on the access edge via IS-IS I have to originate it somewhere upstream. The borders currently originate the default route in IS-IS and advertise it to the core which propagates that on to the access edge.

On each border router we also have a static default route pointed to the physical interface of the upstream peers (which, if memory serves me correctly, is a bad idea because it causes an ARP to be sent for every flow that requires that specific route). This is a hold-over from my predecessor and hasn't been scrutinized until now. When I pull the static default from either A or B it relearns the default from the core routers, C & D. Now when I do this it still has routes pointing to all the advertised prefixes on the Internet thanks to the full tables so I don't think I'll have any reachability issues. Or will I? My main concerns are that this will cause a routing loop between the borders and core for any routes that aren't in the borders' RIB. This would mainly be BOGONs and other non-routable space that we use internally (so it may not be a real problem). In theory I shouldn't ever have to rely on a default route to my upstreams thanks to my full tables. I'm also concerned with how this may affect my uRPF and RTBH setup. Would this catchall route nullify the effect of an iBGP-learned null-route from my RTBH setup?

I would prefer my borders to not have a default route vs a default pointing back to my core. Is there a way to not accept the default via IS-IS? L2 IS-IS speakers will propagate all L2 routes to all L2 neighbors. We could not get an L1 and L1/2 design to work early on in our testing so we chose the flat L2 approach instead.

Is there something else that I'm missing here? Down the road I'll have to directly connect the borders together due to our upcoming SCE deployment (longer story).
Thanks
Justin

From Kris.Amy at eip.net.au Wed Jul 2 21:07:11 2008
From: Kris.Amy at eip.net.au (Kris Amy)
Date: Thu, 3 Jul 2008 11:07:11 +1000
Subject: [c-nsp] Ideal LNS/LAC Router

Hi,

Currently we are using 7301's for LAC/LNS purposes and was wondering what is the next platform that we should be looking to move towards.

--
Kind Regards,
Kris Amy

From markom at markom.info Wed Jul 2 21:38:46 2008
From: markom at markom.info (Marko Milivojevic)
Date: Thu, 3 Jul 2008 01:38:46 +0000
Subject: [c-nsp] Ideal LNS/LAC Router
Message-ID: <1fb747910807021838nf6b425fmd07783ad14c35314@mail.gmail.com>

Apparently, the new ASR 1000 series promises to be the future platform from Cisco for that purpose...

On Thu, Jul 3, 2008 at 01:07, Kris Amy wrote:
> Hi,
>
> Currently we are using 7301's for LAC/LNS purposes and was wondering what is
> the next platform that we should be looking to move towards.

From mtinka at globaltransit.net Wed Jul 2 22:14:36 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Thu, 3 Jul 2008 10:14:36 +0800
Subject: [c-nsp] Route Reflector Design
In-Reply-To: <486BA316.1060907@templin.org>
References: <836bf1f90807020557s78131112ma1b84850709bd1fb@mail.gmail.com> <836bf1f90807020834p5d36574cu373cdc2ae6ffe49f@mail.gmail.com> <486BA316.1060907@templin.org>
Message-ID: <200807031014.43273.mtinka@globaltransit.net>

On Wednesday 02 July 2008 23:47:34 Pete Templin wrote:
> I went from OSPF to ISIS a few years ago for several
> reasons. The relevant reasons are:

One of the biggest reasons we made the switch is that IS-IS allows us to "string" our network across the globe easier than OSPF, because OSPF has the "all areas must connect to the backbone area" rule - and we don't like virtual links.

All other reasons were gravy; although we do like the fact that v6 is implemented in the same IS-IS protocol as v4.

> 1) We have some use for Catalyst 3550s in our network,
> and AFAIK they don't speak ISIS.

This is very annoying.
We had a chat with our SE, and the DSBU are considering supporting IS-IS (initially for v4) on the 3560G (which we have a lot of) some time next year.

> 2) We're having extreme pain trying to bring up ISIS for
> IPv6.

What kinds of issues?

Mark.

From mtinka at globaltransit.net Wed Jul 2 22:17:36 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Thu, 3 Jul 2008 10:17:36 +0800
Subject: [c-nsp] Route Reflector Design
In-Reply-To: <836bf1f90807020834p5d36574cu373cdc2ae6ffe49f@mail.gmail.com>
References: <836bf1f90807020557s78131112ma1b84850709bd1fb@mail.gmail.com> <1fd5261d454c5fbe4169e949a9267329.squirrel@webmail.pelican.org> <836bf1f90807020834p5d36574cu373cdc2ae6ffe49f@mail.gmail.com>
Message-ID: <200807031017.37543.mtinka@globaltransit.net>

On Wednesday 02 July 2008 23:34:42 Mike Johnson wrote:
> How am I able to utilize thousands of devices in a flat
> IGP domain? I thought
> only a couple hundred is recommended before deploying
> multiple areas.

Our school of thought has always been, build scalability from the beginning even though you only have 2 routers in the network, i.e.:

* support BGP peer groups or peer session templates from day one.
* support route reflectors from day one.
* support multi-area/multi-level IGP designs from day one.
* support Loopbacks in the IGP and prefixes in iBGP from day one.

One never knows when the network is going to explode - it saves you a lot of hassle and potential re-design, down the line.

Probably the same reason most folk will buy a router/switch with full flash/memory from day one, even when it probably won't have BGP from the onset.

Cheers,

Mark.

From oboehmer at cisco.com Thu Jul 3 01:14:36 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Thu, 3 Jul 2008 07:14:36 +0200
Subject: [c-nsp] IS-IS default route quandary
In-Reply-To: <486C07B5.2090705@justinshore.com>
References: <486C07B5.2090705@justinshore.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405ACE7D4@xmb-ams-333.emea.cisco.com>

Justin Shore wrote on Thursday, July 03, 2008 12:57 AM:

> I'm trying to figure out a default route issue that stems from our
> original IS-IS deployment. The entire IS-IS deployment is a flat L2
> design.
>
> A    B
> |\  /|
> | \/ |
> | /\ |
> |/  \|
> C    D
>
> A & B are border routers and C & D are our 7600 core. Each border is
> dual-homed to each core router. The access edge routers (DSL, cable,
> metroE, dialup, etc) are dual-homed to the core routers as well. Full
> BGP tables are extended to core (A-D are in an iBGP mesh). The access
> edge can't handle full routes. Customer routes are still in IS-IS but
> I'm slowly moving them to iBGP. To dynamically learn a default route
> on the access edge via IS-IS I have to originate it somewhere
> upstream.
> The borders currently originate the default route in IS-IS and
> advertise it to the core which propagates that on to the access edge.
>
> On each border router we also have a static default route pointed to
> the physical interface of the upstream peers (which if memory serves
> me correctly that's a bad idea because it causes an ARP to be sent for
> every flow that requires that specific route).

right, if this is not a p2p interface. So a very bad idea..

> This is a hold-over from
> my predecessor and hasn't been scrutinized until now. When I pull the
> static default from either A or B it relearns the default from the
> core routers, C & D.
> Now when I do this it still has routes pointing to all
> the advertised prefixes on the Internet thanks to the full tables so I
> don't think I'll have any reachability issues. Or will I? My main
> concerns are that this will cause a routing loop between the borders
> and core for any routes that aren't in the borders' RIB. This would
> mainly be BOGONs and other non-routable space that we use internally (so it
> may not be a real problem).

and, in addition, such packets should not show up on your borders unless you have downstream peers/customers on the borders as well and they point a default towards you.

> In theory I shouldn't ever have to rely
> on a default route to my upstreams thanks to my full tables. I'm also
> concerned with how this may affect my uRPF and RTBH setup. Would this
> catchall route nullify the effect of an iBGP-learned null-route from my
> RTBH setup?

Well, if your current static default doesn't affect your uRPF and RTBH setup, why would a dynamic default do?

> I would prefer my borders to not have a default route vs a default
> pointing back to my core. Is there a way to not accept the default
> via IS-IS?

IS-IS doesn't have something like OSPF's "distribute-list in" to filter routes from being entered into the RIB, but you can use the "distance" command to achieve something similar:

access-list 10 permit 0.0.0.0
router isis
 distance 255 0.0.0.0 255.255.255.255 10

this will assign distance 255 to the default-route (originated by whatever neighbor), and 255 will suppress installation into the RIB.

Or you originate a default in iBGP and run your access nodes with a limited BGP table only.

oli

From risnaini at indo.net.id Thu Jul 3 02:20:44 2008
From: risnaini at indo.net.id (a. rahman isnaini r.sutan)
Date: Thu, 03 Jul 2008 13:20:44 +0700
Subject: [c-nsp] Ideal LNS/LAC Router
Message-ID: <486C6FBC.6030402@indo.net.id>

Hello,

I'm using 2600, 7200 depends on how many vpdns will be established...

rgs
a.
rahman isnaini r.sutan

Kris Amy wrote:
> Hi,
>
> Currently we are using 7301's for LAC/LNS purposes and was wondering what is
> the next platform that we should be looking to move towards.
>

From gkg at gmx.de Thu Jul 3 03:28:49 2008
From: gkg at gmx.de (Garry)
Date: Thu, 03 Jul 2008 09:28:49 +0200
Subject: [c-nsp] Ideal LNS/LAC Router
Message-ID: <486C7FB1.3070708@gmx.de>

Kris Amy wrote:
> Hi,
>
> Currently we are using 7301's for LAC/LNS purposes and was wondering what is
> the next platform that we should be looking to move towards.
>

We've replaced some ancient 7200 (non-VXR) with 3825, nice platform with the dual GigE on-board, and enough power to handle something like 2000-3000 L2TP tunnels (guestimate - currently doing something like 200-300 tunnels per router, with peak CPU around 10%) ... having multiple makes for nice redundancy and easy extendability ... at a decent price ... guess after all it depends on how many sessions you need to handle though ...

-gg

From rupert.finnigan at googlemail.com Thu Jul 3 04:32:23 2008
From: rupert.finnigan at googlemail.com (Rupert Finnigan)
Date: Thu, 3 Jul 2008 09:32:23 +0100
Subject: [c-nsp] 1800 Series QOS Problems
Message-ID: <518564410807030132y34488b90r84847ce81ca86494@mail.gmail.com>

Hi All,

I'm having a bit of a hard time getting the QOS result I want on an 1800 router. I'm running VoIP trunks between digital PBX systems, but can't get the priority treatment that I want.

The setup involves an 1801 router at one end on an ADSL connection, and a 2821 router at the other on an SDSL connection. I'm only really worried about the 1801 at the moment.

This is what I've done so far:

Applied a policy map to the inbound VLAN interface, to mark the RTP packets as EF and the rest as AF43. This works fine.

Applied "qos pre-classify" on the mGRE Tun Interface to carry the markings over to the encrypted packets.
Applied a policy map to the outbound ATM interface to priority queue the EF packets, with a max of 25% bandwidth, and fair-queue the rest.

I'm not seeing the packet count increasing on "show policy-map interface atm 0" as I would expect, which suggests it's not working as it should be. However, if I apply the last policy-map to the dialer interface, it does increase as expected - but I'm not seeing any evidence that it's actually prioritising the VoIP packets.

I'm a bit stumped now, and so any help would be greatly received!

Thanks,
Rupert

From Michael.Robson at manchester.ac.uk Thu Jul 3 04:34:19 2008
From: Michael.Robson at manchester.ac.uk (Michael Robson)
Date: Thu, 3 Jul 2008 09:34:19 +0100
Subject: [c-nsp] Default-Information Originate

I used to think that I had a handle on when the default information originate command was needed, but I have recently seen working config that pokes a finger in my eye of understanding, where some bad Cisco document caused further blurring; and so some questions

- Should the default-information originate command be needed within BGP configuration of a router to cause a default route that has been learnt from an eBGP peer to be advertised by this router to its iBGP peers?

- Similarly, should this command be needed to cause a default route that has been learnt from an iBGP peer to be advertised by the router to an eBGP peer?

Ta.

Michael.

From p.mayers at imperial.ac.uk Thu Jul 3 05:22:51 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Thu, 03 Jul 2008 10:22:51 +0100
Subject: [c-nsp] Default-Information Originate
Message-ID: <486C9A6B.502@imperial.ac.uk>

Michael Robson wrote:
> I used to think that I had a handle on when the default information
> originate command was needed, but I have recently seen working config
> that pokes a finger in my eye of understanding, where some bad Cisco
> document caused further blurring; and so some questions
>
> - Should the default-information originate command be needed within BGP
> configuration of a router to cause a default route that has been learnt
> from an eBGP peer to be advertised by this router to its iBGP peers?

No

>
> - Similarly, should this command be needed to cause a default route that
> has been learnt from an iBGP peer to be advertised by the router to an
> eBGP peer?

No

We have both configs in place.

From markom at markom.info Thu Jul 3 05:28:07 2008
From: markom at markom.info (Marko Milivojevic)
Date: Thu, 3 Jul 2008 09:28:07 +0000
Subject: [c-nsp] Default-Information Originate
Message-ID: <1fb747910807030228q38cda954u68109d6c7328715f@mail.gmail.com>

If the route is in BGP already, then the answer to both of your questions is no. You will need it only on a router that is "injecting" it into BGP from some other protocol. You will also need it on a router that has a full routing table, but for some reason you wish it to advertise subset+default to neighbors.

On Thu, Jul 3, 2008 at 08:34, Michael Robson wrote:
> I used to think that I had a handle on when the default information
> originate command was needed, but I have recently seen working config that
> pokes a finger in my eye of understanding, where some bad Cisco document
> caused further blurring; and so some questions
>
> - Should the default-information originate command be needed within BGP
> configuration of a router to cause a default route that has been learnt from
> an eBGP peer to be advertised by this router to its iBGP peers?
>
> - Similarly, should this command be needed to cause a default route that has
> been learnt from an iBGP peer to be advertised by the router to an eBGP
> peer?
>
> Ta.
>
> Michael.
From skeeve at skeeve.org Thu Jul 3 06:38:20 2008
From: skeeve at skeeve.org (Skeeve Stevens)
Date: Thu, 3 Jul 2008 20:38:20 +1000
Subject: [c-nsp] ASA questions
Message-ID: <0ff801c8dcf8$e9650110$bc2f0330$@org>

I am looking for an ASA with the primary use being to stop DDoS attacks which one of my customers is getting slammed with.

Need at least a couple of hundred meg throughput.. Preferably in transparent mode.

Couple of questions:
- Is an SSM needed to do DoS protection?
- The 5550 can't take an SSM?
- Is the transparent protection functional in dot1q VLANs? (If I want to run multiple carriers into a switch then into the ASA and back out)

I am not so familiar with the protection or smarts offered by the ASA in regards to DoS protection.

.Skeeve

--
Skeeve Stevens, RHCE
skeeve at skeeve.org / www.skeeve.org
Cell +61 (0)414 753 383 / skype://skeeve
eintellego - skeeve at eintellego.net - www.eintellego.net
--
I'm a groove licked love child king of the verse
Si vis pacem, para bellum

From peter at rathlev.dk Thu Jul 3 06:54:46 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Thu, 03 Jul 2008 12:54:46 +0200
Subject: [c-nsp] ASA questions
In-Reply-To: <0ff801c8dcf8$e9650110$bc2f0330$@org>
References: <0ff801c8dcf8$e9650110$bc2f0330$@org>
Message-ID: <1215082486.20536.5.camel@svesken.sys.mjna.net>

Hi Skeeve,

On Thu, 2008-07-03 at 20:38 +1000, Skeeve Stevens wrote:
> I am looking for an ASA with the primary use being to stop DDoS attacks
> which one of my customers is getting slammed with.
>
> Need at least a couple of hundred meg throughput.. Preferably in transparent
> mode.
>
> Couple of questions:
> - Is an SSM needed to do DoS protection?

The ASA code can protect against things like SYN flood (embryonic and half-open connection limits) and you can do rate limiting. If you need more advanced (e.g. signature based) protection, you'd need something like the AIP-SSM. But the ASA does a good job on its own.

> - The 5550 can't take an SSM?
No, the 5550 can't take an SSM, since the slot is already taken by a 4 port GigabitEthernet module, which cannot be removed.

> - Is the transparent protection functional in dot1q VLANs? (If I want
> to run multiple carriers into a switch then into the ASA and back out)

Yes, you can run multiple transparent firewall interface pairs, filtering each pair separately, if that is what you mean.

Regards,
Peter

From drew.weaver at thenap.com Thu Jul 3 07:18:46 2008
From: drew.weaver at thenap.com (Drew Weaver)
Date: Thu, 3 Jul 2008 07:18:46 -0400
Subject: [c-nsp] 'multiplexing" netflow?

Hi there, we have equipment at our edge that requires us to export our netflow to it in order for it to function but we would also like our NetFlow stats to be exported somewhere else for analysis.

Does anyone know of a product that you can export your netflow to that will then in turn export it to multiple destinations (that works well and is easy to use/reliable) ?

-Drew

From achatz at forthnet.gr Thu Jul 3 07:18:52 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Thu, 03 Jul 2008 14:18:52 +0300
Subject: [c-nsp] 3640 not sending OSPF state traps
In-Reply-To: <486BBCBB.8060306@corp.sonic.net>
References: <486BBCBB.8060306@corp.sonic.net>
Message-ID: <486CB59C.7040203@forthnet.gr>

You need 12.3(14)T or later on 3640.

--
Tassos

Jared Gillis wrote on 2/7/2008 8:36 PM:
> Hi all,
>
> I recently turned up a 3640 running 12.3 latest Enterprise code and
> OSPF. Everything works as expected, except that the device will not send
> an OSPF trap for OSPF state changes on any of its interfaces. I do receive
> syslog messages for the OSPF state changes.
> log-adjacency-changes is on in my OSPF config, and all the trap types
> under "snmp-server enable traps" are active.
> There is no "snmp-server enable traps ospf" command available.
> I tried changing to 12.3 latest IP Plus code, with no change.
> I'm about to try other code versions, possibly even some 12.2 code, but
> I figure that there's got to be something new to 12.3 or the 3640 that
> I'm missing.
> Thanks in advance,
>

From markom at markom.info Thu Jul 3 07:41:15 2008
From: markom at markom.info (Marko Milivojevic)
Date: Thu, 3 Jul 2008 11:41:15 +0000
Subject: [c-nsp] 'multiplexing" netflow?
Message-ID: <1fb747910807030441r7332657ka08fecfd9a6fa98f@mail.gmail.com>

You should be able to configure two export destinations on a router. If you need more than that, you indeed need a netflow proxy of sorts. Have you checked if the flow-tools package has something that you could use for this purpose?

On Thu, Jul 3, 2008 at 11:18, Drew Weaver wrote:
> Hi there, we have equipment at our edge that requires us to export our netflow to it in order for it to function but we would also like our NetFlow stats to be exported somewhere else for analysis.
>
> Does anyone know of a product that you can export your netflow to that will then in turn export it to multiple destinations (that works well and is easy to use/reliable)?

From eric at atlantech.net Thu Jul 3 07:45:10 2008
From: eric at atlantech.net (Eric Van Tol)
Date: Thu, 3 Jul 2008 07:45:10 -0400
Subject: [c-nsp] OSPF4-BAD-LENGTH
Message-ID: <2C05E949E19A9146AF7BDF9D44085B8635058ED59F@exchange.aoihq.local>

Hi all,

This isn't a question of what, but how :-) We received this log on one of our 6509s last night:

Jul 3 06:04:40 EDT: %OSPF-4-BADLENGTH: Invalid length 34778 in OSPF packet type 39 from 218.106.119.133 (ID 244.193.1.14), GigabitEthernet1/5

This address has no direct connectivity with our network, as it appears to be from a Chinese network. My question is how does an OSPF packet get through the general internet? Or could this be more than likely just some sort of vulnerability scanner that is spoofing various protocols?
-evt

From drew.weaver at thenap.com Thu Jul 3 07:46:09 2008
From: drew.weaver at thenap.com (Drew Weaver)
Date: Thu, 3 Jul 2008 07:46:09 -0400
Subject: [c-nsp] 'multiplexing" netflow?
In-Reply-To: <7891A597D920D242A3C9CA4C24BF88049B1E49@exch-be12.exchange.local>
References: <7891A597D920D242A3C9CA4C24BF88049B1E49@exch-be12.exchange.local>

Now I remember why I can't use this (sorry, it's been a while since I've examined this).

The appliance we are sending our flows to can only handle maybe 1% of our actual flows (sampled) (and only from 2 out of 10 of our interfaces). I would like to send all of the flow data to another system for analysis.

So basically I would need to send all of the flow data to a middle-man, and then have it configured to somehow know what to send where.

-Drew

From: Ben Hicks [mailto:ben.hicks at centius.co.uk]
Sent: Thursday, July 03, 2008 7:22 AM
To: Drew Weaver; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] 'multiplexing" netflow?

Why not just have multiple export statements? Taken from
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/12s_mdnf.html#wp1021114

export destination 10.0.101.254 9991
export destination 10.0.101.254 1999

Many thanks,
Ben

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net on behalf of Drew Weaver
Sent: Thu 03/07/2008 12:18
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 'multiplexing" netflow?

Hi there, we have equipment at our edge that requires us to export our netflow to it in order for it to function but we would also like our NetFlow stats to be exported somewhere else for analysis.

Does anyone know of a product that you can export your netflow to that will then in turn export it to multiple destinations (that works well and is easy to use/reliable)?
-Drew
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From luan at t3technology.com Thu Jul 3 07:52:18 2008
From: luan at t3technology.com (Luan M Nguyen)
Date: Thu, 3 Jul 2008 07:52:18 -0400
Subject: [c-nsp] OSPF4-BAD-LENGTH
In-Reply-To: <2C05E949E19A9146AF7BDF9D44085B8635058ED59F@exchange.aoihq.local>
References: <2C05E949E19A9146AF7BDF9D44085B8635058ED59F@exchange.aoihq.local>
Message-ID: <002d01c8dd03$3edb29d0$bc917d70$@com>

They are trying this maybe?
http://www.cisco.com/en/US/partner/products/products_security_advisory09186a008029e189.shtml

-Luan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Eric Van Tol
Sent: Thursday, July 03, 2008 7:45 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] OSPF4-BAD-LENGTH

Hi all,

This isn't a question of what, but how :-) We received this log on one of our 6509s last night:

Jul 3 06:04:40 EDT: %OSPF-4-BADLENGTH: Invalid length 34778 in OSPF packet type 39 from 218.106.119.133 (ID 244.193.1.14), GigabitEthernet1/5

This address has no direct connectivity with our network, as it appears to be from a Chinese network. My question is how does an OSPF packet get through the general internet? Or could this be more than likely just some sort of vulnerability scanner that is spoofing various protocols?
-evt

From eric at atlantech.net Thu Jul 3 08:17:31 2008
From: eric at atlantech.net (Eric Van Tol)
Date: Thu, 3 Jul 2008 08:17:31 -0400
Subject: [c-nsp] OSPF4-BAD-LENGTH
In-Reply-To: <002d01c8dd03$3edb29d0$bc917d70$@com>
References: <2C05E949E19A9146AF7BDF9D44085B8635058ED59F@exchange.aoihq.local> <002d01c8dd03$3edb29d0$bc917d70$@com>
Message-ID: <2C05E949E19A9146AF7BDF9D44085B8635058ED5A3@exchange.aoihq.local>

> -----Original Message-----
> From: Luan M Nguyen [mailto:luan at t3technology.com]
> Sent: Thursday, July 03, 2008 7:52 AM
> To: Eric Van Tol; cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] OSPF4-BAD-LENGTH
>
> They are trying this maybe?
> http://www.cisco.com/en/US/partner/products/products_security_advisory09186a008029e189.shtml
>
> -Luan
>

Hmm...quite possibly. Luckily, we're not running any affected version and we use authentication. Thanks for the info.

-evt

From MLouis at nwnit.com Thu Jul 3 08:21:31 2008
From: MLouis at nwnit.com (Mike Louis)
Date: Thu, 3 Jul 2008 08:21:31 -0400
Subject: [c-nsp] 'multiplexing" netflow?
References: <7891A597D920D242A3C9CA4C24BF88049B1E49@exch-be12.exchange.local>

Have you tried this tool?

Flow Fan-out - It will replicate a single netflow source and send it out to multiple destinations.
http://www.splintered.net/sw/flow-tools/docs/flow-fanout.html

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Drew Weaver
Sent: Thursday, July 03, 2008 7:46 AM
To: 'Ben Hicks'; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 'multiplexing" netflow?
Now I remember why I can't use this (sorry, it's been a while since I've examined this).

The appliance we are sending our flows to can only handle maybe 1% of our actual flows (sampled) (and only from 2 out of 10 of our interfaces). I would like to send all of the flow data to another system for analysis.

So basically I would need to send all of the flow data to a middle-man, and then have it configured to somehow know what to send where.

-Drew

From: Ben Hicks [mailto:ben.hicks at centius.co.uk]
Sent: Thursday, July 03, 2008 7:22 AM
To: Drew Weaver; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] 'multiplexing" netflow?

Why not just have multiple export statements? Taken from
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/12s_mdnf.html#wp1021114

export destination 10.0.101.254 9991
export destination 10.0.101.254 1999

Many thanks,
Ben

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net on behalf of Drew Weaver
Sent: Thu 03/07/2008 12:18
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 'multiplexing" netflow?

Hi there, we have equipment at our edge that requires us to export our netflow to it in order for it to function but we would also like our NetFlow stats to be exported somewhere else for analysis.

Does anyone know of a product that you can export your netflow to that will then in turn export it to multiple destinations (that works well and is easy to use/reliable)?
-Drew

From gordon.bezzina at bell.net.mt Thu Jul 3 09:25:43 2008
From: gordon.bezzina at bell.net.mt (Gordon Bezzina)
Date: Thu, 3 Jul 2008 15:25:43 +0200
Subject: [c-nsp] 'multiplexing" netflow?
Message-ID: <005c01c8dd10$4b79fc40$e26df4c0$@bezzina@bell.net.mt>

Hi,

Get a plain linux box, install flow-tools and use flow-fanout.

Example:

/usr/bin/flow-fanout -s 0/192.168.3.5/2000 0/192.168.3.10/9996 0/192.168.3.22/2055

Accept netflow from 192.168.3.5 on port 2000 and re-export them to:
1. 192.168.3.10 port 9996; and
2. 192.168.3.22 port 2055.

My linux box has been up for 157 days already and flow-fanout never crashed :-)

Hope it helps

Brgds
Gordon

On Thu, Jul 3, 2008 at 11:18, Drew Weaver wrote:
> Hi there, we have equipment at our edge that requires us to export our netflow to it in order for it to function but we would also like our NetFlow stats to be exported somewhere else for analysis.
>
> Does anyone know of a product that you can export your netflow to that will then in turn export it to multiple destinations (that works well and is easy to use/reliable)?

From emre.turkmenler at doruk.net.tr Thu Jul 3 06:15:56 2008
From: emre.turkmenler at doruk.net.tr (Emre Türkmenler)
Date: Thu, 3 Jul 2008 13:15:56 +0300
Subject: [c-nsp] Cisco 878 SDM connection problem
Message-ID: <022c01c8dcf5$c85fa9f0$170d3ad4@emre>

Hi,

I want to connect to a Cisco 878 with SDM but I have problems; it may be a Java problem. I have the latest version installed at the moment. Can someone explain how I can use SDM?

Thanks

From chris.garzon at gmail.com Thu Jul 3 12:48:59 2008
From: chris.garzon at gmail.com (Dracul)
Date: Fri, 4 Jul 2008 00:48:59 +0800
Subject: [c-nsp] WLC and LWAPP Aps
Message-ID: <876789290807030948r78e196c5g72b0b814e5ee1eee@mail.gmail.com>

Hi All,

Has anyone done smooth installs with Cisco WLC 4404 series with AIR 1131? I cannot seem to make the lightweight AP get an IP address from the internal DHCP server of the WLC, let alone have the LW AP be discovered by the 4404. Used Layer 2 and Layer 3 mode already.

From der.mikus at gmail.com Thu Jul 3 13:03:20 2008
From: der.mikus at gmail.com (Mike Butash)
Date: Thu, 03 Jul 2008 10:03:20 -0700
Subject: [c-nsp] ASA questions
In-Reply-To: <1215082486.20536.5.camel@svesken.sys.mjna.net>
References: <0ff801c8dcf8$e9650110$bc2f0330$@org> <1215082486.20536.5.camel@svesken.sys.mjna.net>
Message-ID: <486D0658.4040904@gmail.com>

If it's a major DoS or DDoS, look at the Cisco Anomaly Detection/Mitigation appliances they borg'd from Riverhead a few years ago. When we began undergoing nightly DDoS's from millions of sources of several hundred meg and up to several gigs, they were a godsend to actually allow us to combat attacks effectively. They have their quirks, but they also work wonders for removing illegitimate traffic off the network.

Maybe also recommend Prolexic.com services...
Might be cheaper in the long run, and they are quite effective in doing about the same service the anomaly mitigation appliances provide.

ASAs will allow for some basic protection as Peter stated, but they won't do much for intelligent attacks, which most botnets allow for: push-button nuking of any network with somewhat decently emulated floods of traffic. Once you can dump out the flood of crap thrown at you, an average 5520 or whatever your "normal" traffic requires will suffice.

-mb

Peter Rathlev wrote:
> Hi Skeeve,
>
> On Thu, 2008-07-03 at 20:38 +1000, Skeeve Stevens wrote:
>> I am looking for an ASA with the primary use being to stop DDoS attacks
>> which one of my customers is getting slammed with.
>>
>> Need at least a couple of hundred meg throughput. Preferably in transparent
>> mode.
>>
>> Couple of questions:
>> - Is an SSM needed to do DoS protection?
>
> The ASA code can protect against things like SYN flood (embryonic and
> half-open connection limits) and you can do rate limiting. If you need
> more advanced (e.g. signature based) protection, you'd need something
> like the AIP-SSM. But the ASA does a good job on its own.
>
>> - The 5550 can't take an SSM?
>
> No, the 5550 can't take an SSM, since the slot is already taken by a 4
> port GigabitEthernet module, which cannot be removed.
>
>> - Is the transparent protection functional in dot1q VLANs? (If I want
>> to run multiple carriers into a switch then into the ASA and back out)
>
> Yes, you can run multiple transparent firewall interface pairs,
> filtering each pair separately, if that is what you mean.
>
> Regards,
> Peter
>

From harbor235 at gmail.com Thu Jul 3 13:05:09 2008
From: harbor235 at gmail.com (Mike Johnson)
Date: Thu, 3 Jul 2008 13:05:09 -0400
Subject: [c-nsp] Route Reflector Design
In-Reply-To: <200807031017.37543.mtinka@globaltransit.net>
References: <836bf1f90807020557s78131112ma1b84850709bd1fb@mail.gmail.com> <1fd5261d454c5fbe4169e949a9267329.squirrel@webmail.pelican.org> <836bf1f90807020834p5d36574cu373cdc2ae6ffe49f@mail.gmail.com> <200807031017.37543.mtinka@globaltransit.net>
Message-ID: <836bf1f90807031005rd123c4brcbf3fff192497c75@mail.gmail.com>

Guys, thanx for all the recommendations, I find them all insightful and will consider them all.

thanx again

-Mike j

On 7/2/08, Mark Tinka wrote:
>
> On Wednesday 02 July 2008 23:34:42 Mike Johnson wrote:
>
> > How am I able to utilize thousands of devices in a flat
> > IGP domain? I thought
> > only a couple hundred is recommended before deploying
> > multiple areas.
>
> Our school of thought has always been, build scalability
> from the beginning even though you only have 2 routers in
> the network, i.e.:
>
> * support BGP peer groups or peer session templates from
> day one.
>
> * support route reflectors from day one.
>
> * support multi-area/multi-level IGP designs from day one.
>
> * support Loopbacks in the IGP and prefixes in iBGP from
> day one.
>
> One never knows when the network is going to explode - it
> saves you a lot of hassle and potential re-design, down the
> line.
>
> Probably the same reason most folk will buy a router/switch
> with full flash/memory from day one, even when it probably
> won't have BGP from the onset.
>
> Cheers,
>
> Mark.
>
>

From jmayer at loplof.de Thu Jul 3 14:15:17 2008
From: jmayer at loplof.de (Joerg Mayer)
Date: Thu, 3 Jul 2008 20:15:17 +0200
Subject: [c-nsp] WLC and LWAPP Aps
In-Reply-To: <876789290807030948r78e196c5g72b0b814e5ee1eee@mail.gmail.com>
References: <876789290807030948r78e196c5g72b0b814e5ee1eee@mail.gmail.com>
Message-ID: <20080703181517.GJ4112@thot.informatik.uni-kl.de>

On Fri, Jul 04, 2008 at 12:48:59AM +0800, Dracul wrote:
> Has anyone done smooth installs with Cisco WLC 4404 series with AIR 1131. I
> cannot seem to make the lightweight AP to get IP address from
> the internal DHCP server of the WLC let alone the LW AP be discovered by the
> 4404. used Layer2 and Layer 3 mode already

How about some more details? Are AP and management-if in the same network? If not, what have you done to make sure that the AP knows where to find it?

If all fails: You can configure the management-if address directly on the lw-ap command line.

Ciao
Joerg
--
Joerg Mayer
We are stuck with technology when what we really want is just stuff that works. Some say that should read Microsoft instead of technology.

From sthaug at nethelp.no Thu Jul 3 14:23:01 2008
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Thu, 03 Jul 2008 20:23:01 +0200 (CEST)
Subject: [c-nsp] Route Reflector Design
In-Reply-To: <486BA316.1060907@templin.org>
References: <1fd5261d454c5fbe4169e949a9267329.squirrel@webmail.pelican.org> <836bf1f90807020834p5d36574cu373cdc2ae6ffe49f@mail.gmail.com> <486BA316.1060907@templin.org>
Message-ID: <20080703.202301.74732300.sthaug@nethelp.no>

> I'm now contemplating going back to OSPF. The relevant reasons are:
>
> 1) We have some use for Catalyst 3550s in our network, and AFAIK they
> don't speak ISIS.
> 2) We're having extreme pain trying to bring up ISIS for IPv6.

I was wondering whether you could elaborate a bit more on the second point? (Background: We have a Juniper based backbone, with IS-IS and IPv6, and it "just works".
Due to an upcoming merger we are likely to have a mixed Juniper/Cisco backbone in the not too distant future, and any info on problems with IS-IS for IPv6 would be interesting.)

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From lsawyer at gci.com Thu Jul 3 14:29:26 2008
From: lsawyer at gci.com (Leif Sawyer)
Date: Thu, 3 Jul 2008 10:29:26 -0800
Subject: [c-nsp] Route Reflector Design
In-Reply-To: <20080703.202301.74732300.sthaug@nethelp.no>
Message-ID: <38D04BF3A4B7B2499D19EB1DB54285EA07DC1C71@FNB1EX01.gci.com>

Steinar Haug [sthaug at nethelp.no] writes in response to
> Pete Templin [petelists at templin.org], who wrote:
>> I'm now contemplating going back to OSPF. The relevant reasons are:
>>
>> 1) We have some use for Catalyst 3550s in our network, and
>> AFAIK they don't speak ISIS.
>> 2) We're having extreme pain trying to bring up ISIS for IPv6.
>
> I was wondering whether you could elaborate a bit more on the
> second point? (Background: We have a Juniper based backbone,
> with IS-IS and IPv6, and it "just works". Due to an upcoming
> merger we are likely to have a mixed Juniper/Cisco backbone
> in the not too distant future, and any info on problems with
> IS-IS for IPv6 would be interesting.)

Really?

This is the basic configlet I applied to our routers -n- switches, ignoring any issues with the cef commands, of course. I haven't seen any issues at all with our roll-out.

!
ipv6 unicast-routing
ipv6 cef
ipv6 cef distributed
!
router isis
 is-type level-2-only
 metric-style wide
 no adjacency-check
 !
 address-family ipv6
  multi-topology
  no adjacency-check
!

From robbie.jacka at regions.com Thu Jul 3 14:33:55 2008
From: robbie.jacka at regions.com (robbie.jacka at regions.com)
Date: Thu, 3 Jul 2008 13:33:55 -0500
Subject: [c-nsp] OSPF4-BAD-LENGTH
In-Reply-To: <2C05E949E19A9146AF7BDF9D44085B8635058ED59F@exchange.aoihq.local>

Sounds possibly like an attack versus CSCsf12082.
CVE is CVE-2008-0537
http://www.cisco.com/warp/public/707/cisco-sa-20080326-queue.shtml

--
robbie

Eric Van Tol (sent by cisco-nsp-bounces at puck.nether.net) wrote to "cisco-nsp at puck.nether.net" on 07/03/2008 06:45 AM, Subject: [c-nsp] OSPF4-BAD-LENGTH:

Hi all,

This isn't a question of what, but how :-) We received this log on one of our 6509s last night:

Jul 3 06:04:40 EDT: %OSPF-4-BADLENGTH: Invalid length 34778 in OSPF packet type 39 from 218.106.119.133 (ID 244.193.1.14), GigabitEthernet1/5

This address has no direct connectivity with our network, as it appears to be from a Chinese network. My question is how does an OSPF packet get through the general internet? Or could this be more than likely just some sort of vulnerability scanner that is spoofing various protocols?

-evt

From aaron.glenn at gmail.com Thu Jul 3 14:49:33 2008
From: aaron.glenn at gmail.com (Aaron Glenn)
Date: Thu, 3 Jul 2008 11:49:33 -0700
Subject: [c-nsp] 'multiplexing" netflow?
References: <7891A597D920D242A3C9CA4C24BF88049B1E49@exch-be12.exchange.local>
Message-ID: <18f601940807031149k7863c1b7g3da0edb0268db004@mail.gmail.com>

On Thu, Jul 3, 2008 at 4:46 AM, Drew Weaver wrote:
> Now I remember why I can't use this (sorry it's been a while since I've examined this)
>
> The appliance we are sending our flows to can only handle maybe 1% of our actual flows (sampled) (and only from 2 out of 10 of our interfaces) I would like to send all of the flow data to another system for analysis.
>
> So basically I would need to send all of the flow data to a middle-man, and then have it configured to somehow know what to send where.
flow-fanout or, my recommendation, pmacct

From troy at i2bnetworks.com Thu Jul 3 16:04:34 2008
From: troy at i2bnetworks.com (Troy Beisigl)
Date: Thu, 3 Jul 2008 13:04:34 -0700
Subject: [c-nsp] Strange behavior in a Cisco CPE
Message-ID: <4FA21019-9272-43C4-A000-7B7C6A9CFD9F@i2bnetworks.com>

Hi All,

We are seeing some really strange behavior on a Cisco 1721 CPE. It acts like we are having a connectivity problem with packet loss or very high latency. There is about 86Kbps to 350Kbps of traffic on it. It has a WIC-1DSU-T1 card and is doing just basic static routes with a full T1. There are no errors on the T1.

If I log into the router and try to send, say, 1000 ICMP packets to something on the other end of the T1, it will go for a few packets and then pause for about 15 to 20 seconds before continuing right where it stopped. It never drops any packets, just freezes and then continues. It does this about every minute or 2. Has anyone seen this before? Nothing shows up in the logs and we have rebooted it with no resolution to the problem. Pings to and through the router from outside never stop or drop when this happens either, but it is causing problems with QoS for VoIP. CPU load is nothing and RAM is fine.

#sh proc cpu
CPU utilization for five seconds: 0%/0%; one minute: 1%; five minutes: 2%

#sh mem
                Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
Processor   80A9C858     3134376     1932072     1202304     1024128     1089528
      I/O     D99C00     2515976     1661620      854356      854356      854300

Anyone have any ideas? Thanks.
-Troy

From vinny at tellurian.com Thu Jul 3 17:19:05 2008
From: vinny at tellurian.com (Vinny Abello)
Date: Thu, 3 Jul 2008 17:19:05 -0400
Subject: [c-nsp] IPv6 Migration with ISIS (was Route Reflector Design)
In-Reply-To: <38D04BF3A4B7B2499D19EB1DB54285EA07DC1C71@FNB1EX01.gci.com>
References: <20080703.202301.74732300.sthaug@nethelp.no> <38D04BF3A4B7B2499D19EB1DB54285EA07DC1C71@FNB1EX01.gci.com>
Message-ID: <15CEC87F00BB7B4CA0E904C5FCF056461D8F4DF8@exchangenj1>

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Leif Sawyer
> Sent: Thursday, July 03, 2008 2:29 PM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Route Reflector Design
>
> Steinar Haug [sthaug at nethelp.no] writes in response to
> > Pete Templin [petelists at templin.org], who wrote:
> >> I'm now contemplating going back to OSPF. The relevant reasons are:
> >>
> >> 1) We have some use for Catalyst 3550s in our network, and
> >> AFAIK they don't speak ISIS.
> >> 2) We're having extreme pain trying to bring up ISIS for IPv6.
> >
> > I was wondering whether you could elaborate a bit more on the
> > second point? (Background: We have a Juniper based backbone,
> > with IS-IS and IPv6, and it "just works". Due to an upcoming
> > merger we are likely to have a mixed Juniper/Cisco backbone
> > in the not too distant future, and any info on problems with
> > IS-IS for IPv6 would be interesting.)
>
> Really?
>
> This is the basic configlet I applied to our routers -n-
> switches, ignoring any issues with the cef commands, of course.
> I haven't seen any issues at all with our roll-out.

While on this topic, if anyone has figured out a non-disruptive strategy to deploying IPv6 in a core with a mix of Cisco and Foundry routers running ISIS, any pointers would be appreciated. Foundry currently doesn't support multi-topology with ISIS, which is the major stumbling block I've run into.
Not using multi-topology support and ignoring the v6 TLVs with "no adjacency-check" still seems to cause problems and drop adjacencies. I've additionally looked into the "multi-topology transition" command, but it hasn't provided a clear answer to me. If we were all Cisco it looks like it's a piece of cake. I just can't find the magic combination with Cisco and Foundry... unless I disrupt my whole network to convert it to have both v4 and v6 TLVs in the single ISIS topology.

Any pointers from anyone who has been down this path with these two vendors? It would be much appreciated. :)

-Vinny

From tedm at toybox.placo.com Thu Jul 3 23:21:32 2008
From: tedm at toybox.placo.com (Ted Mittelstaedt)
Date: Thu, 3 Jul 2008 20:21:32 -0700
Subject: [c-nsp] Telnet FROM a PIX Appliance?

Rubbish.

The reason the PIX doesn't allow Telnet is that the original PIX devices were built on a Windows core, Windows 3.1 as I believe, with the GUI and most of the command line utilities stripped away. Because the PIX was an early out-of-the-hole firewall, it captured a customer base of customers who needed a firewall but frankly didn't understand much about what they needed, i.e. dumb bunnies in cash-rich organizations willing to buy sub-par technology that was hyped up to ridiculous amounts. It's an old story in technology.

This was a very valuable customer base, which is why Cisco purchased the PIX product line. Cisco had little interest in the lame firewalling technology of the PIX and has spent at least a decade of careful work grooming the PIX customers off PIXes and on to Cisco router platforms. To accomplish this they were -extraordinarily- careful to preserve the PIX interface and limitations over the years. But as anyone who works with PIXes knows, Cisco has really not improved the basic technology of the PIX over the years.

That is why the current Cisco IOS-based firewalls have a firewalling feature set that knocks a PIX into a cocked hat.
It is also why Cisco has finally felt comfortable enough, now that they have migrated the PIX customers worth keeping over to their own product line, to announce that they were discontinuing the PIX product line. As they did recently.

Ted

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Ziv Leyes
> Sent: Monday, June 30, 2008 5:31 AM
> To: Joerg Mayer; Aaron R
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?
>
> I guess it's more as a "working right" educational purpose, so
> you won't use your firewall as a debugging client.
> In newer versions there's the packet tracer that can help you
> debug connectivity problems.
> Ziv
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joerg Mayer
> Sent: Monday, June 30, 2008 2:21 PM
> To: Aaron R
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?
>
> On Mon, Jun 30, 2008 at 06:30:59PM +0800, Aaron R wrote:
> > It is disabled as a security feature. I have also wanted to do
> > the same for troubleshooting purposes.
>
> And why exactly is this a security feature? What is the *gain* in
> security?
>
> Ciao
> Joerg
> --
> Joerg Mayer
> We are stuck with technology when what we really want is just stuff that
> works. Some say that should read Microsoft instead of technology.
>
From tvarriale at comcast.net Fri Jul 4 00:50:13 2008
From: tvarriale at comcast.net (Tony Varriale)
Date: Thu, 3 Jul 2008 23:50:13 -0500
Subject: [c-nsp] Telnet FROM a PIX Appliance?
Message-ID: <004401c8dd91$72d8daf0$f211a8c0@flamwsugsmul5v>

Holy crap. Did you say Windows?

tv

----- Original Message -----
From: "Ted Mittelstaedt"
To: "Ziv Leyes" ; "Joerg Mayer" ; "Aaron R"
Cc:
Sent: Thursday, July 03, 2008 10:21 PM
Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?

>
> Rubbish.
>
> The reason the PIX doesn't allow Telnet is that the original
> PIX devices were built on a Windows core, Windows 3.1 as I
> believe, with the GUI and most of the command line utilities
> stripped away. Because the PIX was an early out-of-the-hole
> firewall, it captured a customer base of customers who needed
> a firewall but frankly didn't understand much about what they
> needed. ie: dumb bunnies in cash-rich organizations willing
> to buy sub-par technology that was hyped up to ridiculous
> amounts. It's an old story in technology.
>
> This was a very valuable customer base which is why Cisco
> purchased the PIX product line. Cisco had little interest
> in the lame firewalling technology of the PIX and has
> spent at least a decade of careful work grooming the PIX
> customers off PIXes and on to Cisco router platforms.
> To accomplish this they were -extraordinarily- careful to
> preserve the PIX interface and limitations over the years.
> But as anyone who works with PIXes knows, Cisco has really
> not improved the basic technology of the PIX over the years.
>
> That is why the current Cisco IOS-based firewalls have
> a firewalling feature set that knocks a PIX into a cocked
> hat.
>
> It is also why Cisco has finally felt comfortable enough
> that they have migrated the PIX customers worth keeping
> over to their own product line, to announce that they were
> discontinuing the PIX product line. As they did recently.
>
> Ted
>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net
>> [mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Ziv Leyes
>> Sent: Monday, June 30, 2008 5:31 AM
>> To: Joerg Mayer; Aaron R
>> Cc: cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?
>>
>> I guess it's more as a "working right" educational purpose, so
>> you won't use your firewall as a debugging client.
>> In newer versions there's the packet tracer that can help you
>> debug connectivity problems.
>> Ziv
>>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net
>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joerg Mayer
>> Sent: Monday, June 30, 2008 2:21 PM
>> To: Aaron R
>> Cc: cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?
>>
>> On Mon, Jun 30, 2008 at 06:30:59PM +0800, Aaron R wrote:
>> > It is disabled as a security feature. I have also wanted to do
>> > the same for troubleshooting purposes.
>>
>> And why exactly is this a security feature? What is the *gain* in
>> security?
>>
>> Ciao
>> Joerg
>> --
>> Joerg Mayer
>> We are stuck with technology when what we really want is just stuff that
>> works. Some say that should read Microsoft instead of technology.
From swmike at swm.pp.se Fri Jul 4 01:41:59 2008 From: swmike at swm.pp.se (Mikael Abrahamsson) Date: Fri, 4 Jul 2008 07:41:59 +0200 (CEST) Subject: [c-nsp] IPv6 Migration with ISIS (was Route Reflector Design) In-Reply-To: <15CEC87F00BB7B4CA0E904C5FCF056461D8F4DF8@exchangenj1> References: <20080703.202301.74732300.sthaug@nethelp.no> <38D04BF3A4B7B2499D19EB1DB54285EA07DC1C71@FNB1EX01.gci.com> <15CEC87F00BB7B4CA0E904C5FCF056461D8F4DF8@exchangenj1> Message-ID:

On Thu, 3 Jul 2008, Vinny Abello wrote: > While on this topic, if anyone has figured out a non-disruptive strategy > to deploying IPv6 in a core 
with a mix of Cisco and Foundry routers > running ISIS, any pointers would be appreciated. Foundry currently

We had multitopology problems between platforms/vendors as well, we ended up "solving" the issue by using OSPFv3 as IPv6 IGP (and ISIS for IPv4/VPNv4), this gave us a completely different control plane for IPv6 and pretty much guaranteed to be non-intrusive to devices not running IPv6 or needing the information.

Multitopology ISIS is a great idea and I would really like to run it, but it just didn't work with our mix of platforms and vendors.

-- Mikael Abrahamsson email: swmike at swm.pp.se

From tseveendorj at gmail.com Fri Jul 4 02:15:42 2008 From: tseveendorj at gmail.com (Tseveendorj Ochirlantuu) Date: Fri, 4 Jul 2008 15:15:42 +0900 Subject: [c-nsp] ISDN related errors Message-ID: <62c908120807032315m41f54695k43d543062f8e5be5@mail.gmail.com>

Hi Guys,

My gateway is 5350XM connected to ISDN by PRI. That gateway is used for call terminating. I have found the following errors when I'm debugging ISDN Q.931. What is the reason and how to solve this?

1. Cause i = 0x809E - Response to STATUS ENQUIRY or number unassigned
   Cause i = 0x809E - Response to STATUS ENQUIRY or number unassigned
2. Cause i = 0x80BF - Service/option not available, unspecified
   Cause i = 0x80BF - Service/option not available, unspecified
3. Cause i = 0x82AF - Resource unavailable, unspecified
   Cause i = 0x82AF - Resource unavailable, unspecified
4. Cause i = 0x82FF - Interworking error; unspecified
   Cause i = 0x82FF - Interworking error; unspecified
5. 
Cause i = 0x8AAA - Switching equipment congestion
   Cause i = 0x8AAA - Switching equipment congestion

Thank you

Best regards, Tseveendorj

From dr at cluenet.de Fri Jul 4 07:03:31 2008 From: dr at cluenet.de (Daniel Roesen) Date: Fri, 4 Jul 2008 13:03:31 +0200 Subject: [c-nsp] Restricting HWIC-3G-GSM to GPRS-only operation Message-ID: <20080704110331.GA23174@srv01.cluenet.de>

Hi, is there any way to restrict an HWIC-3G-GSM UMTS/GPRS interface to GPRS-only operation? We want to avoid using flaky UMTS in a certain spot.

Best regards, Daniel

-- CLUE-RIPE -- Jabber: dr at cluenet.de -- dr at IRCnet -- PGP: 0xA85C8AA0

From juniper84 at live.com Fri Jul 4 08:10:48 2008 From: juniper84 at live.com (J C) Date: Fri, 4 Jul 2008 09:10:48 -0300 Subject: [c-nsp] Pipe Mode with an Explicit NULL LSP Message-ID:

I'm in the midst of configuring a number of 7600 switches and I'm running into an issue where I'm unable to successfully have Pipe Mode with an Explicit NULL working correctly. According to some of the restrictions I've read...the 'set qos-group' and 'set discard-class' commands are not supported in the 12.2SR IOS. In previous configurations with Pipe Mode with Explicit Null I've used these two commands to preserve the classification. Does anyone have any experience with this type of QoS configuration on this product?

From peder at networkoblivion.com Fri Jul 4 08:28:17 2008 From: peder at networkoblivion.com (Peder @ NetworkOblivion) Date: Fri, 04 Jul 2008 07:28:17 -0500 Subject: [c-nsp] Telnet FROM a PIX Appliance? In-Reply-To: References: Message-ID: <486E1761.5010805@networkoblivion.com>

What!? The original PIX code was < 500k as the first versions from Network Translations only had 512k flash modules in them. 
There is no way that it was based on Windows, not even 3.1. I think you are thinking of the Centri (or whatever it was called) that was windows based that they bought many years ago. I actually worked at Cisco when they bought the PIX and the Centri and then they killed the Centri shortly thereafter. I think the Centri ran on Windows 95, but I am not 100% sure as that was 10+ years ago.

IMO, the reason that so many people use(d) the PIX is that they just work. You set it up and forget it for two years. You rarely even need to update the software on it as there are so few bugs that are show stoppers. Now, the ASA is a different story. There is a lot more stuff in it and hence a lot more bugs.

Ted Mittelstaedt wrote: > Rubbish. > > The reason the PIX doesn't allow Telnet is that the original > PIX devices were built on a Windows core, Windows 3.1 as I > believe, with the GUI and most of the command line utilities > stripped away. Because the PIX was an early out-of-the-hole > firewall, it captured a customer base of customers who needed > a firewall but frankly didn't understand much about what they > needed. ie: dumb bunnies in cash-rich organizations willing > to buy sub-par technology that was hyped up to ridiculous > amounts. It's an old story in technology. > > This was a very valuable customer base which is why Cisco > purchased the PIX product line. Cisco had little interest > in the lame firewalling technology of the PIX and has > spent at least a decade of careful work grooming the PIX > customers off PIXes and on to Cisco router platforms. To > accomplish this they were -extraordinarily- careful to > preserve the PIX interface and limitations over the years. > But as anyone who works with PIXes knows, Cisco has really > not improved the basic technology of the PIX over the years. > > That is why the current Cisco IOS-based firewalls have > a firewalling feature set that knocks a PIX into a cocked > hat. 
> > It is also why Cisco has finally felt comfortable enough > that they have migrated the PIX customers worth keeping > over to their own product line, to announce that they were > discontinuing the PIX product line. As they did recently. > > Ted > >> -----Original Message----- >> From: cisco-nsp-bounces at puck.nether.net >> [mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Ziv Leyes >> Sent: Monday, June 30, 2008 5:31 AM >> To: Joerg Mayer; Aaron R >> Cc: cisco-nsp at puck.nether.net >> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance? >> >> >> I guess it's more as a "working right" educational purpose, so >> you won't use your firewall as a debugging client. >> In newer versions there's the packet tracker that can help you >> debug connectivity problems. >> Ziv >> >> >> -----Original Message----- >> From: cisco-nsp-bounces at puck.nether.net >> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joerg Mayer >> Sent: Monday, June 30, 2008 2:21 PM >> To: Aaron R >> Cc: cisco-nsp at puck.nether.net >> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance? >> >> On Mon, Jun 30, 2008 at 06:30:59PM +0800, Aaron R wrote: >>> It is disabled as a security feature. I have also wanted to do >> the same for >>> troubleshooting purposes. >> And why exactly is this a security feature? What is the *gain* in >> security? >> >> Ciao >> Joerg >> -- >> Joerg Mayer >> We are stuck with technology when what we really want is just stuff that >> works. Some say that should read Microsoft instead of technology. 
From felixnkansah at gmail.com Fri Jul 4 08:29:57 2008 From: felixnkansah at gmail.com (Felix Nkansah) Date: Fri, 4 Jul 2008 12:29:57 +0000 Subject: [c-nsp] Shutting Down Catalyst 6509? Message-ID: <18dba4e50807040529y1eab40aq1b6c263fbb76da6b@mail.gmail.com>

Hi Team, I am in a lab trying my hands for the first time on a new Catalyst 6509 to be deployed for a client. It has some gigabitethernet and FWSM modules installed, along with one supervisor engine. It's started and loaded beautifully, all modules having passed the diagnostics, etc. My concern is 'how do I shut the switch down'? 
I don't want to believe I can just power it off from the power source as I do with the lower end versions. Or is it? Please help answer this question along with any other caveats, links, etc that you would like to share with me based on your experiences. Regards, Felix

From A.L.M.Buxey at lboro.ac.uk Fri Jul 4 08:42:37 2008 From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk) Date: Fri, 4 Jul 2008 13:42:37 +0100 Subject: [c-nsp] Shutting Down Catalyst 6509? In-Reply-To: <18dba4e50807040529y1eab40aq1b6c263fbb76da6b@mail.gmail.com> References: <18dba4e50807040529y1eab40aq1b6c263fbb76da6b@mail.gmail.com> Message-ID: <20080704124237.GA31219@lboro.ac.uk>

Hi, > My concern is 'how do I shut the switch down'? real power down? turn one PSU off, then the other. just ensure you've saved the config if you've made changes beforehand! alan

From streiner at cluebyfour.org Fri Jul 4 08:46:51 2008 From: streiner at cluebyfour.org (Justin M. Streiner) Date: Fri, 4 Jul 2008 08:46:51 -0400 (EDT) Subject: [c-nsp] Shutting Down Catalyst 6509? In-Reply-To: <18dba4e50807040529y1eab40aq1b6c263fbb76da6b@mail.gmail.com> References: <18dba4e50807040529y1eab40aq1b6c263fbb76da6b@mail.gmail.com> Message-ID:

On Fri, 4 Jul 2008, Felix Nkansah wrote: > My concern is 'how do I shut the switch down'? > > I dont want to believe I can just power it off from the power source as I do > with the lower end versions. Or is it? There are on/off switches on each of the power supplies. Just twist the switch from the on to the off position. jms

From felixnkansah at gmail.com Fri Jul 4 08:54:48 2008 From: felixnkansah at gmail.com (Felix Nkansah) Date: Fri, 4 Jul 2008 12:54:48 +0000 Subject: [c-nsp] Shutting Down Catalyst 6509? In-Reply-To: References: <18dba4e50807040529y1eab40aq1b6c263fbb76da6b@mail.gmail.com> Message-ID: <18dba4e50807040554v37f02f22u76d61ddec74d7faf@mail.gmail.com>

Thanks guys. I thought it has some special shutdown procedures or commands. Thanks. 
From chris.garzon at gmail.com Fri Jul 4 09:42:22 2008 From: chris.garzon at gmail.com (Dracul) Date: Fri, 4 Jul 2008 21:42:22 +0800 Subject: [c-nsp] WLC and LWAPP Aps In-Reply-To: <6bc4a240807030959x3558a3c1u11af69e69569f78@mail.gmail.com> References: <876789290807030948r78e196c5g72b0b814e5ee1eee@mail.gmail.com> <6bc4a240807030959x3558a3c1u11af69e69569f78@mail.gmail.com> Message-ID: <876789290807040642y1171ed37n5a9ef1df6349998b@mail.gmail.com>

Hi Håvard, Thanks! I have an additional question, how many APs can the internal DHCP of a WLAN controller support? Thanks, chris

On Fri, Jul 4, 2008 at 12:59 AM, Håvard Nyhus wrote: > On Thu, Jul 3, 2008 at 6:48 PM, Dracul wrote: > > Hi All, > > > > Has anyone done smooth installs with Cisco WLC 4404 series with AIR 1131. > I > > cannot seem to make the lightweight AP to get IP address from > > the internal DHCP server of the WLC let alone the LW AP be discovered by > the > > 4404. used Layer2 and Layer 3 mode already > > Hi! > > You need to use dhcp option 43 for the access points to realize where > the wlc is.. this is described in detail here: > > http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00808714fe.shtml > > -- > Håvard Staub Nyhus > +47 41 88 00 99 > -- === Support www.gawadkalinga.org

From chris.garzon at gmail.com Fri Jul 4 09:42:31 2008 From: chris.garzon at gmail.com (Dracul) Date: Fri, 4 Jul 2008 21:42:31 +0800 Subject: [c-nsp] WLC and LWAPP Aps In-Reply-To: <20080703181517.GJ4112@thot.informatik.uni-kl.de> References: <876789290807030948r78e196c5g72b0b814e5ee1eee@mail.gmail.com> <20080703181517.GJ4112@thot.informatik.uni-kl.de> Message-ID: <876789290807040642k322820e8wd8b4d10dea0e4f15@mail.gmail.com>

Additional query. On Fri, Jul 4, 2008 at 2:15 AM, Joerg Mayer wrote: > On Fri, Jul 04, 2008 at 12:48:59AM +0800, Dracul wrote: > > Has anyone done smooth installs with Cisco WLC 4404 series with AIR 1131. 
> I > > cannot seem to make the lightweight AP to get IP address from > > the internal DHCP server of the WLC let alone the LW AP be discovered by > the > > 4404. used Layer2 and Layer 3 mode already > > How about some more details? Are AP and management-if in the same network? > If not, what have you done to make sure that the AP knows where to find it? > If all fails: You can configure the management-if address directly on the > lw-ap command line. > > Ciao > Joerg > -- > Joerg Mayer > We are stuck with technology when what we really want is just stuff that > works. Some say that should read Microsoft instead of technology. > -- === Support www.gawadkalinga.org

From pavel.skovajsa at gmail.com Fri Jul 4 09:48:03 2008 From: pavel.skovajsa at gmail.com (Pavel Skovajsa) Date: Fri, 4 Jul 2008 15:48:03 +0200 Subject: [c-nsp] Shutting Down Catalyst 6509? In-Reply-To: <18dba4e50807040554v37f02f22u76d61ddec74d7faf@mail.gmail.com> References: <18dba4e50807040529y1eab40aq1b6c263fbb76da6b@mail.gmail.com> <18dba4e50807040554v37f02f22u76d61ddec74d7faf@mail.gmail.com> Message-ID: <323aca890807040648i3ec8e427u86e01ef476aa798d@mail.gmail.com>

There is a secret shutdown procedure but you will have to plug a mouse into the supervisor, and move into left bottom corner, click start, then shutdown :) Just joking, sorry. Pavel

On Fri, Jul 4, 2008 at 2:54 PM, Felix Nkansah wrote: > Thanks guys. > > I thought it has some special shutdown procedures or commands. > > Thanks.

From mcrocker at crocker.com Fri Jul 4 10:06:05 2008 From: mcrocker at crocker.com (Matthew Crocker) Date: Fri, 4 Jul 2008 10:06:05 -0400 Subject: [c-nsp] Shutting Down Catalyst 6509? 
In-Reply-To: <323aca890807040648i3ec8e427u86e01ef476aa798d@mail.gmail.com> References: <18dba4e50807040529y1eab40aq1b6c263fbb76da6b@mail.gmail.com> <18dba4e50807040554v37f02f22u76d61ddec74d7faf@mail.gmail.com> <323aca890807040648i3ec8e427u86e01ef476aa798d@mail.gmail.com> Message-ID: <762A2E44-473A-417F-86D7-145C1857ED58@crocker.com>

> There is a secret shutdown procedure but you will have to plug a mouse > into the supervisor, and move into left bottom corner, click start, > then shutdown :) > > Just joking, sorry. Of course you are joking, everyone knows it is the UPPER left corner, apple menu -> Shutdown... Start button to shutdown, geeez!

From juniper84 at live.com Fri Jul 4 10:25:24 2008 From: juniper84 at live.com (J C) Date: Fri, 4 Jul 2008 11:25:24 -0300 Subject: [c-nsp] Pipe Mode with an Explicit NULL LSP In-Reply-To: References: Message-ID:

Anyone?... =) > From: juniper84 at live.com > To: cisco-nsp at puck.nether.net > Date: Fri, 4 Jul 2008 09:10:48 -0300 > Subject: [c-nsp] Pipe Mode with an Explicit NULL LSP > > > I'm in the midst of configuring a number of 7600 switches and I'm running into an issue where I'm unable to successfully have Pipe Mode with an Explicit NULL working correctly. > > According to some of the restrictions I've read...the 'set qos-group' and 'set discard-class' commands are not supported in the 12.2SR IOS. In previous configurations with Pipe Mode with Explicit Null I've used these two commands to preserve the classification. > > Does anyone have any experience with this type of QoS configuration on this product? 
From vinny at tellurian.com Fri Jul 4 10:25:56 2008 From: vinny at tellurian.com (Vinny Abello) Date: Fri, 4 Jul 2008 10:25:56 -0400 Subject: [c-nsp] IPv6 Migration with ISIS (was Route Reflector Design) In-Reply-To: References: <20080703.202301.74732300.sthaug@nethelp.no> <38D04BF3A4B7B2499D19EB1DB54285EA07DC1C71@FNB1EX01.gci.com> <15CEC87F00BB7B4CA0E904C5FCF056461D8F4DF8@exchangenj1> Message-ID: <15CEC87F00BB7B4CA0E904C5FCF056461D8F4E13@exchangenj1>

> -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Mikael Abrahamsson > Sent: Friday, July 04, 2008 1:42 AM > To: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] IPv6 Migration with ISIS (was Route Reflector > Design) > > On Thu, 3 Jul 2008, Vinny Abello wrote: > > > While on this topic, if anyone has figured out a non-disruptive > strategy > > to deploying IPv6 in a core with a mix of Cisco and Foundry routers > > running ISIS, any pointers would be appreciated. Foundry currently > > We had multitopology problems between platforms/vendors as well, we > ended > up "solving" the issue by using OSPFv3 as IPv6 IGP (and ISIS for > IPv4/VPNv4), this gave us a completely different control plane for IPv6 > and pretty much guaranteed to be non-intrusive to devices not running > IPv6 > or needing the information. > > Multitopology ISIS is a great idea and I would really like to run it, > but > it just didn't work with our mix of platforms and vendors.

Thanks Mikael. I hadn't considered running OSPFv3 for IPv6. I'll have to see if that is a viable possibility in our network. 
Did you run into any challenges in doing this such as administrative distances of the routing protocols and things defaulting to using IPv6 instead of IPv4 or other unexpected results? In theory if you're only doing the IPv6 address family, I wouldn't expect any problems, but firsthand experience is always better than theory. :) By the way, what other vendor's or vendors' equipment were you working with besides Cisco where you had the same ISIS multi-topology challenges? -Vinny From jlarsen at richweb.com Fri Jul 4 10:29:47 2008 From: jlarsen at richweb.com (C. Jon Larsen) Date: Fri, 4 Jul 2008 10:29:47 -0400 (EDT) Subject: [c-nsp] Telnet FROM a PIX Appliance? In-Reply-To: <486E1761.5010805@networkoblivion.com> References: <486E1761.5010805@networkoblivion.com> Message-ID: Ted, Peder is correct. Cisco bought the company that made the pix (NTI) because NTI was one of the first companies to have a decent working NAT overload implementation. NAT was a big deal back then - around 1995/1996 and Cisco routers did not have NAT in the IOS until 11.2 I think. At that time UUnet and many other SPs were tossing out a full /24 for every t1, but the smaller ISDN and frac t1 based connections started coming with much smaller allocations, and PAT was something everyone (small customers) started wanting badly. There was a smattering of non cisco boxes that could do a little nat, but customers wanted solid state hardware that was easy to configure or at least flexible enough to be able to configure for a variety of wan service offerings - smds, atm, frame, isdn, x.25 was still here and there, and on the lan side decnet, ipx/spx, netbeui etc were still in play. Cisco, Proteon and Wellfleet and 3com to a lesser extent were the big router players but none of them were addressing the emerging NAT market very well. NTI was a small company with good engineers that wrote a custom kernel that did what few others were doing. 
I saw a few customers that actually bought the NTI box or were going to buy the box BEFORE cisco bought NTI. When Cisco bought NTI and threw their marketing behind the PIX, and started pushing it to resellers, it took off because it was a good box that fit a niche market very well. In fact the original NTI boxes were again more of a nat box than a firewall. When you installed a pix you set the screening router (a cisco of course) up as the dmz firewall with its acl capability to protect the dmz hosts and the pix had the outbound nat config and the conduits for the inbound flow to the inside network. The original pixes were pretty limited as a firewall and of course had no capability for a 3rd or 4th interface. They were strictly used for the corporate/inside network interface/connect point.

Customers bought PIXes at that time because they were easier than having to figure out how to setup a linux or Sun bastion host / proxy toolkit or fiddle with ipmasq for most companies that did not have in house un*x talent. Customers were running out of IPs to number their PCs (and MACs - remember the need to browse the internet killed appletalk and localtalk) that and the ISPs were not handing them out (/24s) like candy anymore.

As far as firewall feature set on a router goes ... I had to laugh. I have always considered that somewhat fiddly / buggy. Good way to make a solid product (a cisco router) into something that needs more attention and is slightly less reliable - especially when implemented on low end hardware like 800s, or 16xx, or 17xx, 2610s, etc. I have seen at least 3 or 4 fw feature set implementations on routers that were backwards - i.e. inspecting traffic in the wrong direction. There is also at least one config for the fwfs on cisco.com's website that has it backwards too that I ran across.

As far as cisco discontinuing the pix ?? That's plain wrong. 
The PIX lives on, it just has a new name (ASA) so cisco can move upmarket and charge more for the same code base :) Of course the cpus are much faster in the ASA boxes, and it has a more extensible/modular hardware architecture than the pix and you can plug in the IDS/IPS modules, etc. The ASA boxes usually have a celeron cpu in the 2Ghz range whereas the pixes started off as 486 dx2 66MHz chips (yes really, with like 4MB or maybe 8MB of main DRAM) and worked their way up to 300 or 400Mhz PII chips in the beefier models. Cisco has no interest in migrating any customers from PIX/ASA to routers. They want to sell you BOTH and a few Cat switches while they are at it :)

And finally, Peder is correct again about the Centri. Centri was a flaming pile of junk. It ran on windows nt server (workstation was also supported I'm pretty sure). Of course it was terrible (the centri) - windows nt was a terrible product that never really did get stable enough for use as a reliable pc server much less as a critical piece of network gear. Centri did have some really "impressive" gui tools for managing firewall configs. At that time the pix was popular but hard to configure for end customers who typically have net admins on staff and not network engrs (times really have not changed have they :). Customers wanted to manage their own boxes and not have to call an integrator every time an acl needed a tweak. Thus the pretty gui of the Centri appealed (in theory). I never saw one get sold and work though. Couple of demo/evals, and it usually died there in the sales process :)

It would have been near impossible for anyone to build a firewall based on windows 3.1 technology. Windows 3.1 did not have a true kernel or built in (native) tcp stack. Remember Chameleon anyone ? trumpet winsock ? Those DOS TSR-based "tcp mini kernels" as they were called were so unstable that a windows 3.1 or 3.11 based firewall would have keeled over the minute it saw real use. 
Those stacks were barely functional as a client, much less a server or firewall. I don't remember any vendors coming out with windows based "firewalls" until win nt 4.0. Windows in all its versions just was not stable enough until then and recall that Windows 3.5 and up are not the same product at all as win 3.1. Win 3.1 was 16bit dos with a gui command shell and a gui api. Win 3.5.x and up was Cutler's 32bit rewrite of VAX and Microsoft's first true operating system :) No way would cisco have purchased or built or sold or recommended to clients anything based on win3.1 other than maybe a terminal emulator to attach to a cisco serial console :)

I remember a customer that badly wanted to migrate off of netware to "save" licensing $$. Remember this was before CALs and such and windows 3.5.1 was almost free as a network server. They had to boot the 3.5.1 server every night so it would not crash the next day. The netware 3.12 server had been up for like 3-4 years at a time :)

On Fri, 4 Jul 2008, Peder @ NetworkOblivion wrote: > What!? The original PIX code was < 500k as the first versions from Network > Translations only had 512k flash modules in them. There is no way that it > was based on Windows, not even 3.1. I think you are thinking of the Centri > (or whatever it was called) that was windows based that they bought many > years ago. I actually worked at Cisco when they bought the PIX and the > Centri and then they killed the Centri shortly thereafter. I think the > Centri ran on Windows 95, but I am not 100% sure as that was 10+ years ago. > > IMO, the reason that so many people use(d) the PIX is that they just work. > You set it up and forget it for two years. You rarely even need to update > the software on it as there are so few bugs that are show stoppers. Now, the > ASA is a different story. There is a lot more stuff in it and hence a lot > more bugs. > > Ted Mittelstaedt wrote: >> Rubbish. 
>> >> The reason the PIX doesn't allow Telnet is that the original >> PIX devices were built on a Windows core, Windows 3.1 as I >> believe, with the GUI and most of the command line utilities >> stripped away. Because the PIX was an early out-of-the-hole >> firewall, it captured a customer base of customers who needed >> a firewall but frankly didn't understand much about what they >> needed. ie: dumb bunnies in cash-rich organizations willing >> to buy sub-par technology that was hyped up to ridiculous >> amounts. It's an old story in technology. >> >> This was a very valuable customer base which is why Cisco >> purchased the PIX product line. Cisco had little interest >> in the lame firewalling technology of the PIX and has >> spent at least a decade of careful work grooming the PIX >> customers off PIXes and on to Cisco router platforms. To >> accomplish this they were -extraordinarily- careful to >> preserve the PIX interface and limitations over the years. >> But as anyone who works with PIXes knows, Cisco has really >> not improved the basic technology of the PIX over the years. >> >> That is why the current Cisco IOS-based firewalls have >> a firewalling feature set that knocks a PIX into a cocked >> hat. >> >> It is also why Cisco has finally felt comfortable enough >> that they have migrated the PIX customers worth keeping >> over to their own product line, to announce that they were >> discontinuing the PIX product line. As they did recently. >> >> Ted >> >>> -----Original Message----- >>> From: cisco-nsp-bounces at puck.nether.net >>> [mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Ziv Leyes >>> Sent: Monday, June 30, 2008 5:31 AM >>> To: Joerg Mayer; Aaron R >>> Cc: cisco-nsp at puck.nether.net >>> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance? >>> >>> >>> I guess it's more as a "working right" educational purpose, so you won't >>> use your firewall as a debugging client. 
>>> In newer versions there's the packet tracker that can help you debug >>> connectivity problems. >>> Ziv >>> >>> >>> -----Original Message----- >>> From: cisco-nsp-bounces at puck.nether.net >>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joerg Mayer >>> Sent: Monday, June 30, 2008 2:21 PM >>> To: Aaron R >>> Cc: cisco-nsp at puck.nether.net >>> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance? >>> >>> On Mon, Jun 30, 2008 at 06:30:59PM +0800, Aaron R wrote: >>>> It is disabled as a security feature. I have also wanted to do >>> the same for >>>> troubleshooting purposes. >>> And why exactly is this a security feature? What is the *gain* in >>> security? >>> >>> Ciao >>> Joerg >>> -- >>> Joerg Mayer >>> We are stuck with technology when what we really want is just stuff that >>> works. Some say that should read Microsoft instead of technology. 
From Michael.Robson at manchester.ac.uk Fri Jul 4 10:39:04 2008 From: Michael.Robson at manchester.ac.uk (Michael Robson) Date: Fri, 4 Jul 2008 15:39:04 +0100 Subject: [c-nsp] Default-Information Originate supplimental question References: Message-ID:

Guys, thanks for the clarification; but now further questions leading on from this.

My understanding is that by default (without overriding) if you are redistributing routes from BGP into OSPF on the router and some routes have been learned via iBGP, then these iBGP-learned routes will not be advertised since it is an IGP->IGP exchange (which might cause loops). Following from this, since as I understand it, "the default-information originate" command is a special case variant of the redistribute command, then the default route, by default, will not be injected into OSPF if it had been learned via iBGP - correct?

If this is the case, then if you have the situation on a router where there are 2 default routes being learned, one via iBGP and one via eBGP and the _iBGP_ route is preferred over the eBGP (e.g. 
it has a lower MED value), then would the lesser preferred route be injected since the other cannot be by default, or would neither be injected because the preferred default route has been learned via iBGP?

Finally (phew), can anyone give a possible explanation as to why none of our eBGP-learned routes have an origin type of e (i.e. they are all of type i)?

Thanks,
Michael
--

From vinny at tellurian.com Fri Jul 4 10:47:03 2008
From: vinny at tellurian.com (Vinny Abello)
Date: Fri, 4 Jul 2008 10:47:03 -0400
Subject: [c-nsp] Telnet FROM a PIX Appliance?
In-Reply-To: <486E1761.5010805@networkoblivion.com>
References: <486E1761.5010805@networkoblivion.com>
Message-ID: <15CEC87F00BB7B4CA0E904C5FCF056461D8F4E14@exchangenj1>

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peder @ NetworkOblivion
> Sent: Friday, July 04, 2008 8:28 AM
> To: cisco-nsp at puck.nether.net >> Cisco-NSP Mailing List
> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?
>
> What!? The original PIX code was < 500k as the first versions from
> Network Translations only had 512k flash modules in them. There is no
> way that it was based on Windows, not even 3.1. I think you are
> thinking of the Centri (or whatever it was called) that was windows
> based that they bought many years ago. I actually worked at Cisco when
> they bought the PIX and the Centri and then they killed the Centri
> shortly thereafter. I think the Centri ran on Windows 95, but I am not
> 100% sure as that was 10+ years ago.
>
> IMO, the reason that so many people use(d) the PIX is that they just
> work. You set it up and forget it for two years. You rarely even need
> to update the software on it as there are so few bugs that are show
> stoppers. Now, the ASA is a different story. There is a lot more stuff
> in it and hence a lot more bugs.
I definitely agree with the "just work" statement, but there are some issues we've run into with the PIX that don't exist on the ASA. We use hundreds of Cisco PIX and ASA devices for our customers. In our experience, the ASA is far superior in features and verbosity of information it presents to you and flexibility. I think we had one customer hit by a show stopper bug that was a memory leak in the ASA which was triggered by a lot of web traffic. I think that was fixed in 7.2.3. We actually experienced quite a large show stopper bug on the PIX 6.3.5 code which still exists causing the PIX to crash. It was related to a large number of VPN connections changing state if I recall. We had to get an interim build from Cisco of 6.3.5.xxx to fix this. We mainly run 7.2.4 and 8.0.3 on the ASA (8.0.3 if we want AnyConnect). They work pretty well, although I'm leery of 8.x code still and noticed the ASA 5505 on 8.0.3 has an unusually high CPU load when doing nothing.

Whenever I assist someone with troubleshooting a VPN issue or something else on a Cisco security device, my first question is if we're working with a PIX or ASA... If it's a PIX my usual response is ugh... If it's ASA I cheer in my head. :) The ASA is much easier to troubleshoot and is more predictable and IOS like.

PIX 6.3.5 also has an issue sometimes with creating new VPN tunnels and the access-list you create not being recognized resulting in ACL deny messages in debug. Workarounds include reapplying the crypto map (not recommended as it's disruptive), rebooting, or a trick we found by adding an additional line to the access list then removing it. Odd, I know but it works every time. I think it actually is a result of the order all the commands are entered but I never tracked it down specifically. The ASA doesn't appear to have this glitch.
Also, minus the added hardware in the ASA which handles things like SSL VPN's and the other optional hardware options, you can run the same code (not image, but code) on the PIX 515 and higher models that the ASA devices run (7.x and 8.x), providing you have enough memory. So when saying ASA above I'm also referring to the PIX on 7.x or 8.x code.

When it comes down to it, they're all just little PC's with flash for the OS, Intel NICs and Intel processors. The modern ones are anyway... I know the older PIX models really resembled a PC having a floppy drive for recovery purposes and everything. I never worked much with those, however.

-Vinny

From justin at justinshore.com Fri Jul 4 10:53:19 2008
From: justin at justinshore.com (Justin Shore)
Date: Fri, 04 Jul 2008 09:53:19 -0500
Subject: [c-nsp] IS-IS default route quandary
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405ACE7D4@xmb-ams-333.emea.cisco.com>
References: <486C07B5.2090705@justinshore.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405ACE7D4@xmb-ams-333.emea.cisco.com>
Message-ID: <486E395F.8040009@justinshore.com>

Oliver Boehmer (oboehmer) wrote:
>> On each border router we also have a static default route pointed to
>> the physical interface of the upstream peers (which if memory serves
>> me correctly that's a bad idea because it causes an ARP to be sent for
>> every flow that requires that specific route).
>
> right, if this is not a p2p interface. So a very bad idea..

So if I have a static default I should aim it at the other side's interface IP, correct? I don't believe I need the static overall but it would be good to know anyway.

>> and core for any routes that aren't in the borders' RIB. This would
>> mainly be BOGONs and other non-routable space that we use internally (so it
>> may not be a real problem).
>
> and, in addition, such packets should not show up on your borders unless
> you have downstream peers/customers on the borders as well and they
> point a default towards you.
Right, so I'm not sure if I really need it at all. I've begun distributing BOGONs around the network with my RTBH, at least but the martians that the IOS freaks out over. I would hope that I can block most of it on the edges but of course I can't guarantee that at this time. So this may not be a big issue anyway.

>> In theory I shouldn't ever have to rely
>> on a default route to my upstreams thanks to my full tables. I'm also
>> concerned with how this may affect my uRPF and RTBH setup. Would this
>> catchall route nullify the effect of a iBGP-learned null-route from my
>> RTBH setup?
>
> Well, if your current static default doesn't affect your uRPF and RTBH
> setup, why would a dynamic default do?

Um, good point. That one escaped me. So if I'm thinking about this correctly, uRPF won't be harmed by the existence of a static default or a dynamic default.

> IS-IS doesn't have something like OSPF's "distribute-list in" to filter
> routes from being entered into the RIB, but you can use the "distance"
> command to achieve something similar:

A distribute-list would be a handy solution.

> access-list 10 permit 0.0.0.0
> router isis
>  distance 255 0.0.0.0 255.255.255.255 10
>
> this will assign distance 255 to the default-route (originated by
> whatever neighbor), and 255 will suppress installation into the RIB.

I never thought of using distance in that manner. That just might work!

> Or you originate a default in iBGP and run your access nodes with a
> limited BGP table only.

I had been thinking about this, trying to decide pros and cons. My access edges are each in their own route-reflector cluster with the 2 cores and the RTBH trigger server. Convergence and recovery speed might be an issue I suppose. I'll have to kick that around some more.

Thanks for the info.
Have a great holiday
Justin

From sam_mailinglists at spacething.org Fri Jul 4 10:58:16 2008
From: sam_mailinglists at spacething.org (Sam Stickland)
Date: Fri, 04 Jul 2008 15:58:16 +0100
Subject: [c-nsp] Telnet FROM a PIX Appliance?
In-Reply-To: <15CEC87F00BB7B4CA0E904C5FCF056461D8F4E14@exchangenj1>
References: <486E1761.5010805@networkoblivion.com> <15CEC87F00BB7B4CA0E904C5FCF056461D8F4E14@exchangenj1>
Message-ID: <486E3A88.1070704@spacething.org>

Vinny Abello wrote:
> Also, minus the added hardware in the ASA which handles things like SSL VPN's and the other optional hardware options, you can run the same code (not image, but code) on the PIX 515 and higher models that the ASA devices run (7.x and 8.x), providing you have enough memory. So when saying ASA above I'm also referring to the PIX on 7.x or 8.x code.
>
My understanding is that the 7.x code is the same on the PIXes and the ASA; but version 8.x on the ASA is a rewrite built on top of a Linux kernel, whereas 8.x is still based on the old code.

Sam

From vinny at tellurian.com Fri Jul 4 11:08:44 2008
From: vinny at tellurian.com (Vinny Abello)
Date: Fri, 4 Jul 2008 11:08:44 -0400
Subject: [c-nsp] Telnet FROM a PIX Appliance?
In-Reply-To: <486E3A88.1070704@spacething.org>
References: <486E1761.5010805@networkoblivion.com> <15CEC87F00BB7B4CA0E904C5FCF056461D8F4E14@exchangenj1> <486E3A88.1070704@spacething.org>
Message-ID: <15CEC87F00BB7B4CA0E904C5FCF056461D8F4E16@exchangenj1>

> -----Original Message-----
> From: Sam Stickland [mailto:sam_mailinglists at spacething.org]
> Sent: Friday, July 04, 2008 10:58 AM
> To: Vinny Abello
> Cc: Peder @ NetworkOblivion; cisco-nsp at puck.nether.net >> Cisco-NSP Mailing List
> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?
>
> Vinny Abello wrote:
> > Also, minus the added hardware in the ASA which handles things like
> SSL VPN's and the other optional hardware options, you can run the same
> code (not image, but code) on the PIX 515 and higher models that the
> ASA devices run (7.x and 8.x), providing you have enough memory. So
> when saying ASA above I'm also referring to the PIX on 7.x or 8.x code.
> >
> >
> My understanding is that the 7.x code is the same on the PIXes and the
> ASA; but version 8.x on the ASA is a rewrite built on top of a Linux
> kernel, whereas 8.x is still based on the old code.

You're saying 8.x on the ASA runs atop a Linux kernel whereas 8.x on the PIX is still based on the same 7.x kernel that both the ASA and PIX use in that version? I hadn't heard nor have I seen anything to indicate that, but it's definitely possible... and interesting. Does anyone have any references that confirm this? Maybe that's why my CPU looks so different on the 5505 on 8.x.

-Vinny

From Robert.Smales at cw.com Fri Jul 4 11:12:11 2008
From: Robert.Smales at cw.com (Smales, Robert)
Date: Fri, 4 Jul 2008 16:12:11 +0100
Subject: [c-nsp] Strange behavior in a Cisco CPE
In-Reply-To: <4FA21019-9272-43C4-A000-7B7C6A9CFD9F@i2bnetworks.com>
Message-ID: <602ACF092EFFB044931BD8746C19AD2F081AEB@gbcwswiem006.ad.plc.cwintra.com>

Troy Beisigl wrote:
> We are seeing some really strange behavior on a Cisco 1721 CPE. It
> acts like we are having a connectivity problem with packet loss or
> very high latency. There is about 86Kbps to 350Kbps of traffic on it.
> It has WIC-1DSU-T1 card and is doing just basic static routes with a
> Full T1. There are no errors on the T1. If I log into the router and
> try to send say 1000 icmp packets to something on the other end of the
> T1, it will go for a few packets and then pause for about 15 to 20
> seconds before continuing right where it stopped. It never drops any
> packets, just freezes and then continues. It does this about every
> minute or 2.
> Has anyone seen this before?
>

How are you accessing the router? If you are telnetting in remotely, it could be that what you are seeing are delays in the information being transmitted from the router to your terminal, rather than delay in the router transmitting the icmp packets to the destination.

Just a thought.

Robert

Robert Smales
IP Provide Engineer
Cable&Wireless
Europe, Asia & US
www.cw.com

From vinny at tellurian.com Fri Jul 4 11:12:18 2008
From: vinny at tellurian.com (Vinny Abello)
Date: Fri, 4 Jul 2008 11:12:18 -0400
Subject: [c-nsp] Telnet FROM a PIX Appliance?
In-Reply-To: <486E3A88.1070704@spacething.org>
References: <486E1761.5010805@networkoblivion.com> <15CEC87F00BB7B4CA0E904C5FCF056461D8F4E14@exchangenj1> <486E3A88.1070704@spacething.org>
Message-ID: <15CEC87F00BB7B4CA0E904C5FCF056461D8F4E17@exchangenj1>

> -----Original Message-----
> From: Sam Stickland [mailto:sam_mailinglists at spacething.org]
> Sent: Friday, July 04, 2008 10:58 AM
> To: Vinny Abello
> Cc: Peder @ NetworkOblivion; cisco-nsp at puck.nether.net >> Cisco-NSP Mailing List
> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?
>
> Vinny Abello wrote:
> > Also, minus the added hardware in the ASA which handles things like
> SSL VPN's and the other optional hardware options, you can run the same
> code (not image, but code) on the PIX 515 and higher models that the
> ASA devices run (7.x and 8.x), providing you have enough memory. So
> when saying ASA above I'm also referring to the PIX on 7.x or 8.x code.
> >
> >
> My understanding is that the 7.x code is the same on the PIXes and the
> ASA; but version 8.x on the ASA is a rewrite built on top of a Linux
> kernel, whereas 8.x is still based on the old code.

Ahh, I just found indeed this is true.

"Beginning with version PIX OS version 8.x, the codes diverge, with the ASA using a Linux kernel and PIX continuing to use the traditional Finesse/PIX OS combination."

This is taken from Wikipedia:
http://en.wikipedia.org/wiki/Cisco_ASA_5500_Series_Adaptive_Security_Appliances

With references to Cisco's open source licensing in 8.x on the ASA.

-Vinny

From gulerozgur at yahoo.co.uk Fri Jul 4 11:14:08 2008
From: gulerozgur at yahoo.co.uk (Ozgur Guler)
Date: Fri, 4 Jul 2008 15:14:08 +0000 (GMT)
Subject: [c-nsp] Pipe Mode with an Explicit NULL LSP
In-Reply-To:
Message-ID: <342155.63869.qm@web25507.mail.ukl.yahoo.com>

Can't you simply match the exp bit with explicit-null on egress PE? Why do you need the qos-group?

Cheers
Ozgur

--- On Fri, 4/7/08, J C wrote:

From: J C
Subject: [c-nsp] Pipe Mode with an Explicit NULL LSP
To: cisco-nsp at puck.nether.net
Date: Friday, 4 July, 2008, 1:10 PM

I'm in the midst of configuring a number of 7600 switches and I'm running into an issue where I'm unable to successfully have Pipe Mode with an Explicit NULL working correctly. According to some of the restrictions I've read...the 'set qos-group' and 'set discard-class' commands are not supported in the 12.2SR IOS. In previous configurations with Pipe Mode with Explicit Null I've used these two commands to preserve the classification.
Does anyone have any experience with this type of QoS configuration on this product?

From mark at noc.mainstreet.net Fri Jul 4 10:47:12 2008
From: mark at noc.mainstreet.net (Mark Kent)
Date: Fri, 4 Jul 2008 07:47:12 -0700 (PDT)
Subject: [c-nsp] Shutting Down Catalyst 6509
In-Reply-To: (cisco-nsp-request@puck.nether.net)
References:
Message-ID: <200807041447.m64ElC2B025946@mainstreet.net>

>> My concern is 'how do I shut the switch down'?

In addition to the "turn it off" replies, if you wanted to be super-careful you could:

a) wr in the msfc
b) from the fwsm system context, "wr mem all", then force a fail-over to the other 6509/fwsm you have (you do have another, right?).
c) Do "no power enable module 1" (replace 1 with the actual slot number).
d) Repeat b+c for any other FWSM/ACE modules.
e) remove power

-mark

From peter at rathlev.dk Fri Jul 4 11:37:15 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 04 Jul 2008 17:37:15 +0200
Subject: [c-nsp] Shutting Down Catalyst 6509?
In-Reply-To: <762A2E44-473A-417F-86D7-145C1857ED58@crocker.com>
References: <18dba4e50807040529y1eab40aq1b6c263fbb76da6b@mail.gmail.com> <18dba4e50807040554v37f02f22u76d61ddec74d7faf@mail.gmail.com> <323aca890807040648i3ec8e427u86e01ef476aa798d@mail.gmail.com> <762A2E44-473A-417F-86D7-145C1857ED58@crocker.com>
Message-ID: <1215185835.32230.4.camel@svesken.sys.mjna.net>

On Fri, 2008-07-04 at 10:06 -0400, Matthew Crocker wrote:
> > There is a secret shutdown procedure but you will have to plug a mouse
> > into the supervisor, and move into left bottom corner, click start,
> > then shutdown :)
> >
> > Just joking, sorry.
>
> Of course you are joking, everyone knows it is the UPPER left corner,
> apple menu -> Shutdown... Start button to shutdown, geeez!

No no no, it's the upper RIGHT corner, where everybody sane places the XFCE system menu. The Ca6500 runs Linux/XFCE, only the 7600s run OS X. :-)

Anyway, it would be nice with a "graceful shutdown" for the whole box. Things like letting the routing protocols converge before the router shuts interfaces and such things. Are there any other ways than some TCL for this?

Regards,
Peter

From juniper84 at live.com Fri Jul 4 11:52:55 2008
From: juniper84 at live.com (J C)
Date: Fri, 4 Jul 2008 12:52:55 -0300
Subject: [c-nsp] Pipe Mode with an Explicit NULL LSP
In-Reply-To: <342155.63869.qm@web25507.mail.ukl.yahoo.com>
References: <342155.63869.qm@web25507.mail.ukl.yahoo.com>
Message-ID:

Those two commands that I listed were required (as far as I know) in configuring an end-to-end solution for Pipe Mode w/ Explicit Null. The 'set qos-group' and/or 'set discard-class' command(s) was used on the Egress PE link to capture the QoS settings from the MPLS EXP value that would have been lost on the final pop.
The issue I'm having right now is that I'm not seeing any matches on my 'match mpls experimental topmost' policy-maps.

CPE
------------
class-map match-any TEST
 match access-group 1

access-list 1 permit 192.168.1.0 0.0.0.255

policy-map TEST
 class TEST
  set mpls experimental imposition 5

interface Fa0/0
 ip address 192.168.1.1 255.255.255.0
 service-policy TEST input

interface Fa0/1
 ip address 172.31.1.1 255.255.255.0
 mpls ip encapsulate explicit-null

*A 'show policy-map interface Fa0/0' verifies that traffic is being 'marked' with MPLS EXP 5.

7600-PE
-----------
interface GigabitEthernet1/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 500
 switchport trunk allowed vlan 500
 switchport mode trunk
 switchport nonegotiate
 load-interval 30
 no snmp trap link-status
 mls qos trust dscp

interface Vlan500
 description Test-Site#1
 ip vrf forwarding TEST
 ip address 172.31.1.2 255.255.255.0
 load-interval 30
 mpls ip

I've tried placing a variety of policy-maps on both interface Gi1/1 and Vlan 500 to determine if the MPLS bits are carrying through to the PE. So far nothing. The backbone egress policy map on the TenGigabitEthernet interface shows that my test traffic is flowing through matching class-default; so I know that traffic isn't getting matched.

Is it possible that the 7600-PFC3C doesn't support Pipe Mode with Explicit Null LSP...and that it just supports Short Pipe, Pipe Mode and Uniform mode? After reading the documentation on the PFC I don't see any mention to Pipe mode with Explicit Null.

Date: Fri, 4 Jul 2008 15:14:08 +0000
From: gulerozgur at yahoo.co.uk
Subject: Re: [c-nsp] Pipe Mode with an Explicit NULL LSP
To: cisco-nsp at puck.nether.net; juniper84 at live.com

Can't you simply match the exp bit with explicit-null on egress PE? Why do you need the qos-group?
Cheers
Ozgur

--- On Fri, 4/7/08, J C wrote:

From: J C
Subject: [c-nsp] Pipe Mode with an Explicit NULL LSP
To: cisco-nsp at puck.nether.net
Date: Friday, 4 July, 2008, 1:10 PM

I'm in the midst of configuring a number of 7600 switches and I'm running into an issue where I'm unable to successfully have Pipe Mode with an Explicit NULL working correctly. According to some of the restrictions I've read...the 'set qos-group' and 'set discard-class' commands are not supported in the 12.2SR IOS. In previous configurations with Pipe Mode with Explicit Null I've used these two commands to preserve the classification.

Does anyone have any experience with this type of QoS configuration on this product?

From peter at rathlev.dk Fri Jul 4 12:08:31 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 04 Jul 2008 18:08:31 +0200
Subject: [c-nsp] Default-Information Originate supplimental question
In-Reply-To:
References:
Message-ID: <1215187711.32230.22.camel@svesken.sys.mjna.net>

Hi Michael,

I'm not too strong on redistributing, but have some general comments regarding the BGP part. I hope someone else will correct me if I'm wrong here.
On Fri, 2008-07-04 at 15:39 +0100, Michael Robson wrote:
> Guys, thanks for the clarification; but now further questions leading
> on from this. My understanding is that by default (without overriding)
> if you are redistributing routes from BGP into OSPF on the router and
> some routes have been learned via iBGP, then these iBGP-learned
> routes will not be advertised since it is an IGP->IGP exchange (which
> might cause loops). Following from this, since as I understand it,
> "the default-information originate" command is a special case variant
> of the redistribute command,

The "default-information originate" does not redistribute anything in itself. Focus on the "originate" part -- if this BGP speaker knows a "default" (not from BGP) and the default is lifted into BGP (via "network 0.0.0.0" or some kind of redistribution) the BGP speaker will only actually tell its neighbors about it if it can "originate" the default.

> then the default route, by default, will
> not be injected into OSPF if it had been learned via iBGP - correct?

Your redistribution is not related to whether or not the box originates a default. In order for BGP to originate a default, it has to have the default from somewhere else, like an IGP or a static route. The "default-information originate" just allows a 0/0 route to be announced via BGP, which by default will not happen.

If a box learns the default via BGP (e.g. from a BGP neighbor with "default-information originate") and you unconditionally redistribute everything to some OSPF process, I think this process will get the default, "originate" or not. And a BGP speaker will relay a default also without the "originate" command, since it doesn't _originate_ the route.

> If this is the case, then if you have the situation on a router where
> there are 2 default routes being learned, one via iBGP and one via
> eBGP and the _iBGP_ route is preferred over the eBGP (e.g.
> it has a
> lower MED value), then would the lesser preferred route be injected
> since the other cannot be by default, or would neither be injected
> because the preferred default route has been learned via iBGP?

That may be a good question, but it sounds like a dangerous thing to try. :-) Do you need this redistribution from BGP to your IGP? Are you using synchronization?

> Finally (phew), can anyone give a possible explanation as to why none
> of our eBGP-learned routes have an origin type of e (i.e. they are all
> of type i)?

Origin "e" is "EGP", a legacy protocol (probably) not used anymore. So either you have "?" (incomplete, e.g. redistributed routes) or "i" (IGP, e.g. "network" statements).

Regards,
Peter

From sam_mailinglists at spacething.org Fri Jul 4 12:52:08 2008
From: sam_mailinglists at spacething.org (Sam Stickland)
Date: Fri, 04 Jul 2008 17:52:08 +0100
Subject: [c-nsp] Quick spanning-tree and bridge-group question
Message-ID: <486E5538.9030005@spacething.org>

Guys,

Maybe I'm going a little code-blind here.

Ports Fa0/1.161, Fa0/1.162 and Se0/0/0.10 are all members of same IEEE bridge-group.

The port path cost on all three interfaces is the same, but I've set the priority of the Serial interface port to be 144.

How come the Se0/0/0.10 is still forwarding? What am I missing?
R1#sh spanning-tree

 Bridge group 10 is executing the ieee compatible Spanning Tree protocol
  Bridge Identifier has priority 32768, address 0013.8050.b191
  Configured hello time 2, max age 20, forward delay 15
  Current root has priority 10, address 0019.aa7f.3480
  Root port is 28 (Serial0/0/0.10), cost of root path is 685
  Topology change flag not set, detected flag not set
  Number of topology changes 21 last change occurred 00:22:10 ago
          from FastEthernet0/1.161
  Times:  hold 1, topology change 35, notification 2
          hello 2, max age 20, forward delay 15
  Timers: hello 0, topology change 0, notification 0, aging 300

 Port 26 (FastEthernet0/1.161) of Bridge group 10 is blocking
   Port path cost 647, Port priority 128, Port Identifier 128.26.
   Designated root has priority 10, address 0019.aa7f.3480
   Designated bridge has priority 32929, address 0019.aab4.f700
   Designated port id is 112.3, designated path cost 76
   Timers: message age 5, forward delay 0, hold 0
   Number of transitions to forwarding state: 2
   BPDU: sent 862, received 4700

 Port 27 (FastEthernet0/1.162) of Bridge group 10 is blocking
   Port path cost 647, Port priority 128, Port Identifier 128.27.
   Designated root has priority 10, address 0019.aa7f.3480
   Designated bridge has priority 32930, address 0019.aab4.f700
   Designated port id is 112.3, designated path cost 76
   Timers: message age 6, forward delay 0, hold 0
   Number of transitions to forwarding state: 2
   BPDU: sent 862, received 4690

 Port 28 (Serial0/0/0.10) of Bridge group 10 is forwarding
   Port path cost 647, Port priority 144, Port Identifier 144.28.
   Designated root has priority 10, address 0019.aa7f.3480
   Designated bridge has priority 32768, address 0016.4699.0509
   Designated port id is 128.21, designated path cost 38
   Timers: message age 3, forward delay 0, hold 0
   Number of transitions to forwarding state: 2
   BPDU: sent 470, received 9930

Sam

From sam_mailinglists at spacething.org Fri Jul 4 13:17:19 2008
From: sam_mailinglists at spacething.org (Sam Stickland)
Date: Fri, 04 Jul 2008 18:17:19 +0100
Subject: [c-nsp] Quick spanning-tree and bridge-group question
In-Reply-To: <486E5538.9030005@spacething.org>
References: <486E5538.9030005@spacething.org>
Message-ID: <486E5B1F.9030903@spacething.org>

Apologies I pasted some info where the path costs didn't total up to be the same. Here's the correct one.

The total path cost is 723 on every interface, the port priority on the Serial interface is higher.

The only logical conclusion appears to be that it's comparing the bridge IDs before the port priority? Isn't this supposed to be the other way around?

Sam

R1#sh spanning-tree

 Bridge group 10 is executing the ieee compatible Spanning Tree protocol
  Bridge Identifier has priority 32768, address 0013.8050.b191
  Configured hello time 2, max age 20, forward delay 15
  Current root has priority 10, address 0019.aa7f.3480
  Root port is 28 (Serial0/0/0.10), cost of root path is 723
  Topology change flag not set, detected flag not set
  Number of topology changes 23 last change occurred 00:05:20 ago
          from FastEthernet0/1.161
  Times:  hold 1, topology change 35, notification 2
          hello 2, max age 20, forward delay 15
  Timers: hello 0, topology change 0, notification 0, aging 300

 Port 26 (FastEthernet0/1.161) of Bridge group 10 is blocking
   Port path cost 647, Port priority 128, Port Identifier 128.26.
   Designated root has priority 10, address 0019.aa7f.3480
   Designated bridge has priority 32929, address 0019.aab4.f700
   Designated port id is 112.3, designated path cost 76
   Timers: message age 5, forward delay 0, hold 0
   Number of transitions to forwarding state: 2
   BPDU: sent 863, received 5326

 Port 27 (FastEthernet0/1.162) of Bridge group 10 is blocking
   Port path cost 647, Port priority 128, Port Identifier 128.27.
   Designated root has priority 10, address 0019.aa7f.3480
   Designated bridge has priority 32930, address 0019.aab4.f700
   Designated port id is 112.3, designated path cost 76
   Timers: message age 6, forward delay 0, hold 0
   Number of transitions to forwarding state: 2
   BPDU: sent 862, received 5314

 Port 28 (Serial0/0/0.10) of Bridge group 10 is forwarding
   Port path cost 685, Port priority 144, Port Identifier 144.28.
   Designated root has priority 10, address 0019.aa7f.3480
   Designated bridge has priority 32768, address 0016.4699.0509
   Designated port id is 128.21, designated path cost 38
   Timers: message age 3, forward delay 0, hold 0
   Number of transitions to forwarding state: 3
   BPDU: sent 471, received 11176

From david.freedman at uk.clara.net Fri Jul 4 13:37:58 2008
From: david.freedman at uk.clara.net (David Freedman)
Date: Fri, 04 Jul 2008 18:37:58 +0100
Subject: [c-nsp] IS-IS default route quandary
In-Reply-To: <486C07B5.2090705@justinshore.com>
References: <486C07B5.2090705@justinshore.com>
Message-ID:

> On each border router we also have a static default route pointed to the
> physical interface of the upstream peers

Can't you get them to originate you a default via BGP?
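Sam's corrected paste can be checked against the IEEE 802.1D root-port selection order, which compares the root bridge ID, then the root path cost, then the sending bridge ID, and only then the port IDs (where port priority lives). The Python below is an added example, not code from any post in the thread; it parses the per-port blocks of that output (the regex is written for the IOS output shape shown here and is an assumption for other releases) and reports which component of the priority vector decides against each losing port.

```python
"""IEEE 802.1D root-port selection, run over the `show spanning-tree` paste above.

Added example, not from any post in the thread.  Each port's BPDU yields a root
path priority vector (root bridge ID, root path cost, sending bridge ID, sending
port ID, receiving port ID); the smallest vector wins.  Port priority only enters
at the sending/receiving port ID steps, so it cannot override a better sender.
"""
import re
from dataclasses import dataclass

# Per-port lines as pasted by Sam (second, corrected output); other lines of the
# real output (Timers, transitions, BPDU counters) are ignored by the parser.
SAMPLE_SHOW_SPANNING_TREE = """
 Port 26 (FastEthernet0/1.161) of Bridge group 10 is blocking
   Port path cost 647, Port priority 128, Port Identifier 128.26.
   Designated root has priority 10, address 0019.aa7f.3480
   Designated bridge has priority 32929, address 0019.aab4.f700
   Designated port id is 112.3, designated path cost 76
 Port 27 (FastEthernet0/1.162) of Bridge group 10 is blocking
   Port path cost 647, Port priority 128, Port Identifier 128.27.
   Designated root has priority 10, address 0019.aa7f.3480
   Designated bridge has priority 32930, address 0019.aab4.f700
   Designated port id is 112.3, designated path cost 76
 Port 28 (Serial0/0/0.10) of Bridge group 10 is forwarding
   Port path cost 685, Port priority 144, Port Identifier 144.28.
   Designated root has priority 10, address 0019.aa7f.3480
   Designated bridge has priority 32768, address 0016.4699.0509
   Designated port id is 128.21, designated path cost 38
"""

# Regex written against the IOS output shape shown above (an assumption for
# other releases); \s+ makes it indifferent to the flattened archive layout.
PORT_RE = re.compile(
    r"Port \d+ \((?P<name>\S+)\) of Bridge group \d+ is (?P<state>\w+)\s+"
    r"Port path cost (?P<cost>\d+), Port priority \d+, "
    r"Port Identifier (?P<pid>\d+\.\d+)\.\s+"
    r"Designated root has priority (?P<rprio>\d+), address (?P<rmac>[0-9a-f.]+)\s+"
    r"Designated bridge has priority (?P<bprio>\d+), address (?P<bmac>[0-9a-f.]+)\s+"
    r"Designated port id is (?P<dpid>\d+\.\d+), designated path cost (?P<dcost>\d+)"
)

VECTOR_FIELDS = ("root bridge ID", "root path cost", "sending bridge ID",
                 "sending port ID", "receiving port ID")

def bridge_key(prio: str, mac: str) -> tuple:
    """Bridge ID ordering: numeric priority first, then the MAC as a number."""
    return (int(prio), int(mac.replace(".", ""), 16))

def port_key(pid: str) -> tuple:
    """Port ID 'priority.index' ordering: priority first, then port index."""
    prio, idx = pid.split(".")
    return (int(prio), int(idx))

@dataclass(frozen=True)
class PortInfo:
    name: str
    state: str      # as reported by IOS: blocking/forwarding/...
    vector: tuple   # root path priority vector for BPDUs received on this port

def parse_ports(text: str) -> list:
    ports = []
    for m in PORT_RE.finditer(text):
        vector = (
            bridge_key(m["rprio"], m["rmac"]),
            int(m["dcost"]) + int(m["cost"]),   # cost to the root via this port
            bridge_key(m["bprio"], m["bmac"]),
            port_key(m["dpid"]),
            port_key(m["pid"]),
        )
        ports.append(PortInfo(m["name"], m["state"], vector))
    return ports

def select_root_port(ports: list) -> PortInfo:
    """The root port is the port with the lexicographically smallest vector."""
    return min(ports, key=lambda p: p.vector)

def deciding_field(winner: PortInfo, other: PortInfo) -> str:
    """First vector component on which the winner beats `other`."""
    for field, a, b in zip(VECTOR_FIELDS, winner.vector, other.vector):
        if a != b:
            return field
    return "tie"

def explain(text: str) -> dict:
    """Map each losing port to the component that decided against it."""
    ports = parse_ports(text)
    root = select_root_port(ports)
    return {p.name: deciding_field(root, p) for p in ports if p is not root}

if __name__ == "__main__":
    ports = parse_ports(SAMPLE_SHOW_SPANNING_TREE)
    for p in ports:
        print(f"{p.name:22} root path cost {p.vector[1]}  {p.state}")
    print("root port:", select_root_port(ports).name)
    for name, why in explain(SAMPLE_SHOW_SPANNING_TREE).items():
        print(f"  beats {name} on {why}")
```

Run as a script it reports all three ports tied at root path cost 723 and Serial0/0/0.10 winning on the sending bridge ID (priority 32768 against 32929 and 32930), before port priority is ever consulted.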
From peter at rathlev.dk Fri Jul 4 13:23:39 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 04 Jul 2008 19:23:39 +0200
Subject: [c-nsp] Quick spanning-tree and bridge-group question
In-Reply-To: <486E5538.9030005@spacething.org>
References: <486E5538.9030005@spacething.org>
Message-ID: <1215192219.1142.5.camel@svesken.sys.mjna.net>

On Fri, 2008-07-04 at 17:52 +0100, Sam Stickland wrote:
> Guys,
>
> Maybe I'm going a little code-blind here.
>
> Ports Fa0/1.161, Fa0/1.162 and Se0/0/0.10 are all members of same IEEE
> bridge-group.
>
> The port path cost on all three interfaces is the same, but I've set the
> priority of the Serial interface port to be 144.
>
> How come the Se0/0/0.10 is still forwarding? What am I missing?
>
> R1#sh spanning-tree
>
>  Bridge group 10 is executing the ieee compatible Spanning Tree protocol
>   Bridge Identifier has priority 32768, address 0013.8050.b191
>   Configured hello time 2, max age 20, forward delay 15
>   Current root has priority 10, address 0019.aa7f.3480
>   Root port is 28 (Serial0/0/0.10), cost of root path is 685
>   Topology change flag not set, detected flag not set
>   Number of topology changes 21 last change occurred 00:22:10 ago
>           from FastEthernet0/1.161
>   Times:  hold 1, topology change 35, notification 2
>           hello 2, max age 20, forward delay 15
>   Timers: hello 0, topology change 0, notification 0, aging 300
>

According to the output above Se0/0/0.10 is the root port, which will never be blocking. You don't state what's beyond these three ports, but if Se0/0/0.10 is the only path towards the root, it will never block, no matter how you set cost or priority.

Since the other ports are blocking, they are probably all paths towards the root. The port cost is 38 for Se0/0/0.10 and 76 for Fa0/1.161 and Fa0/1.162, so even if all ports went to the same device, Se0/0/0.10 would be preferred because of a lower cost.
Regards,
Peter

From peter at rathlev.dk Fri Jul 4 13:30:28 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 04 Jul 2008 19:30:28 +0200
Subject: [c-nsp] Quick spanning-tree and bridge-group question
In-Reply-To: <486E5B1F.9030903@spacething.org>
References: <486E5538.9030005@spacething.org> <486E5B1F.9030903@spacething.org>
Message-ID: <1215192628.1142.9.camel@svesken.sys.mjna.net>

On Fri, 2008-07-04 at 18:17 +0100, Sam Stickland wrote:
> Apologies I pasted some info where the path costs didn't total up to be
> the same. Here's the correct one.

Well, I jumped up and answered wrongly then. ;-)

> The total path cost is 723 on every interface, the port priority on the
> Serial interface is higher.
>
> The only logical conclusion appears to be that it's comparing the bridge
> IDs before the port priority? Isn't this supposed to be the other way
> around?

Isn't port priority the last thing the Spanning Tree Algorithm looks at? AFAIK the selection of root port should be, in order: Root Bridge ID, Port Path Cost, Sending Bridge ID and at last Sending Port ID, which is Port Priority and Port Index.

Are the three ports all pointing towards the root bridge?

Regards,
Peter

From david.freedman at uk.clara.net Fri Jul 4 13:46:24 2008
From: david.freedman at uk.clara.net (David Freedman)
Date: Fri, 04 Jul 2008 18:46:24 +0100
Subject: [c-nsp] IS-IS default route quandary
In-Reply-To:
References: <486C07B5.2090705@justinshore.com>
Message-ID:

And of course *carefully* redistribute this into IS-IS until you've migrated away from customer routes in the IS-IS.

David Freedman wrote:
>> On each border router we also have a static default route pointed to the
>> physical interface of the upstream peers
>
> Can't you get them to originate you a default via BGP?
From sam_mailinglists at spacething.org Fri Jul 4 14:06:23 2008
From: sam_mailinglists at spacething.org (Sam Stickland)
Date: Fri, 04 Jul 2008 19:06:23 +0100
Subject: [c-nsp] Quick spanning-tree and bridge-group question
In-Reply-To: <1215192628.1142.9.camel@svesken.sys.mjna.net>
References: <486E5538.9030005@spacething.org> <486E5B1F.9030903@spacething.org> <1215192628.1142.9.camel@svesken.sys.mjna.net>
Message-ID: <486E669F.6000006@spacething.org>

Peter Rathlev wrote:
>
> Isn't port priority the last thing the Spanning Tree Algorithm looks at?
> AFAIK the selection of root port should be, in order: Root Bridge ID,
> Port Path Cost, Sending Bridge ID and at last Sending Port ID, which is
> Port Priority and Port Index.
>
> Are the three ports all pointing towards the root bridge?
>

Yes, all three ports are pointing towards the root. You are right, I had remembered the order wrong. At least something like this causes it to sink in. (I would test it but I'm having trouble convincing one of the other routers to change its bridge identifier on the BVI :| )

Sam

From sam_mailinglists at spacething.org Fri Jul 4 14:18:05 2008
From: sam_mailinglists at spacething.org (Sam Stickland)
Date: Fri, 04 Jul 2008 19:18:05 +0100
Subject: [c-nsp] Quick spanning-tree and bridge-group question
In-Reply-To: <486E669F.6000006@spacething.org>
References: <486E5538.9030005@spacething.org> <486E5B1F.9030903@spacething.org> <1215192628.1142.9.camel@svesken.sys.mjna.net> <486E669F.6000006@spacething.org>
Message-ID: <486E695D.3010401@spacething.org>

Sam Stickland wrote:
> Peter Rathlev wrote:
>>
>> Isn't port priority the last thing the Spanning Tree Algorithm looks at?
>> AFAIK the selection of root port should be, in order: Root Bridge ID,
>> Port Path Cost, Sending Bridge ID and at last Sending Port ID, which is
>> Port Priority and Port Index.
>>
>> Are the three ports all pointing towards the root bridge?
>>
> Yes, all three ports are pointing towards the root. You are right, I
> had remembered the order wrong. At least something like this causes it
> to sink in. (I would test it but I'm having trouble convincing one of
> the other routers to change its bridge identifier on the BVI :| )
>

Well I finally convinced the router to change its bridge id (had to change the mac-address on all physical interfaces - even those not in the bridge group!), but I still don't see the result I'd expect:

R1#sh spanning-tree

Bridge group 10 is executing the ieee compatible Spanning Tree protocol
Bridge Identifier has priority 32768, address 0013.8050.b191
Configured hello time 2, max age 20, forward delay 15
Current root has priority 10, address 0019.aa7f.3480
Root port is 28 (Serial0/0/0.10), cost of root path is 723
Topology change flag not set, detected flag not set
Number of topology changes 34 last change occurred 00:02:09 ago
from FastEthernet0/1.161
Times: hold 1, topology change 35, notification 2
hello 2, max age 20, forward delay 15
Timers: hello 0, topology change 0, notification 0, aging 300

Port 26 (FastEthernet0/1.161) of Bridge group 10 is blocking
Port path cost 647, Port priority 128, Port Identifier 128.26.
Designated root has priority 10, address 0019.aa7f.3480
Designated bridge has priority 32929, address 0019.aab4.f700
Designated port id is 112.3, designated path cost 76
Timers: message age 6, forward delay 0, hold 0
Number of transitions to forwarding state: 6
BPDU: sent 870, received 7351

Port 27 (FastEthernet0/1.162) of Bridge group 10 is blocking
Port path cost 647, Port priority 128, Port Identifier 128.27.
Designated root has priority 10, address 0019.aa7f.3480
Designated bridge has priority 32930, address 0019.aab4.f700
Designated port id is 112.3, designated path cost 76
Timers: message age 5, forward delay 0, hold 0
Number of transitions to forwarding state: 2
BPDU: sent 862, received 7330

Port 28 (Serial0/0/0.10) of Bridge group 10 is forwarding
Port path cost 685, Port priority 144, Port Identifier 144.28.
Designated root has priority 10, address 0019.aa7f.3480
Designated bridge has priority 32768, address 0055.aa7f.3480
Designated port id is 128.20, designated path cost 38
Timers: message age 4, forward delay 0, hold 0
Number of transitions to forwarding state: 6
BPDU: sent 552, received 14515

From r.engehausen at gmail.com Fri Jul 4 14:24:56 2008
From: r.engehausen at gmail.com (Roy)
Date: Fri, 04 Jul 2008 11:24:56 -0700
Subject: [c-nsp] Quick spanning-tree and bridge-group question
In-Reply-To: <486E5538.9030005@spacething.org>
References: <486E5538.9030005@spacething.org>
Message-ID: <486E6AF8.6090502@gmail.com>

I think the "designated path cost" of the serial link is the lowest. The path cost is the sum of the costs of the complete path to the root bridge. Does the serial port have the shortest path?
You need to increase the cost of the serial line until its total path cost is greater than the Ethernet ports.

Roy

From rbf+cisco-nsp at panix.com Fri Jul 4 14:38:58 2008
From: rbf+cisco-nsp at panix.com (Brett Frankenberger)
Date: Fri, 4 Jul 2008 13:38:58 -0500
Subject: [c-nsp] Quick spanning-tree and bridge-group question
In-Reply-To: <486E695D.3010401@spacething.org>
References: <486E5538.9030005@spacething.org> <486E5B1F.9030903@spacething.org> <1215192628.1142.9.camel@svesken.sys.mjna.net> <486E669F.6000006@spacething.org> <486E695D.3010401@spacething.org>
Message-ID: <20080704183858.GA13685@panix.com>

On Fri, Jul 04, 2008 at 07:18:05PM +0100, Sam Stickland wrote:
> Sam Stickland wrote:
> >Peter Rathlev wrote:
> >>
> >>Isn't port priority the last thing the Spanning Tree Algorithm looks at?
> >>AFAIK the selection of root port should be, in order: Root Bridge ID,
> >>Port Path Cost, Sending Bridge ID and at last Sending Port ID, which is
> >>Port Priority and Port Index.
> >>
> >>Are the three ports all pointing towards the root bridge?
> >>
> >Yes, all three ports are pointing towards the root. You are right, I
> >had remembered the order wrong. At least something like this causes it
> >to sink in. (I would test it but I'm having trouble convincing one of
> >the other routers to change its bridge identifier on the BVI :| )
> >
> Well I finally convinced the router to change its bridge id (had to
> change the mac-address on all physical interfaces - even those not in
> the bridge group!), but I still don't see the result I'd expect:

Bridge Priority is part of the Bridge ID comparison. Your path costs are equal, so bridge priority gets compared next. 32768 is the smallest of the three, so that path wins.

You didn't need to convince the router to change the MAC address it used for the Bridge ID -- just increasing its priority setting would have made it less preferred.
(If you make it higher than 32929, then FA0/1.161 will become the root port and transition to forwarding.)

Assuming an IOS router and a bridge group:

bridge X priority 32391

> R1#sh spanning-tree
>
> Bridge group 10 is executing the ieee compatible Spanning Tree protocol
> Bridge Identifier has priority 32768, address 0013.8050.b191
> Configured hello time 2, max age 20, forward delay 15
> Current root has priority 10, address 0019.aa7f.3480
> Root port is 28 (Serial0/0/0.10), cost of root path is 723
> Topology change flag not set, detected flag not set
> Number of topology changes 34 last change occurred 00:02:09 ago
> from FastEthernet0/1.161
> Times: hold 1, topology change 35, notification 2
> hello 2, max age 20, forward delay 15
> Timers: hello 0, topology change 0, notification 0, aging 300
>
> Port 26 (FastEthernet0/1.161) of Bridge group 10 is blocking
> Port path cost 647, Port priority 128, Port Identifier 128.26.
> Designated root has priority 10, address 0019.aa7f.3480
> Designated bridge has priority 32929, address 0019.aab4.f700
> Designated port id is 112.3, designated path cost 76
> Timers: message age 6, forward delay 0, hold 0
> Number of transitions to forwarding state: 6
> BPDU: sent 870, received 7351
>
> Port 27 (FastEthernet0/1.162) of Bridge group 10 is blocking
> Port path cost 647, Port priority 128, Port Identifier 128.27.
> Designated root has priority 10, address 0019.aa7f.3480
> Designated bridge has priority 32930, address 0019.aab4.f700
> Designated port id is 112.3, designated path cost 76
> Timers: message age 5, forward delay 0, hold 0
> Number of transitions to forwarding state: 2
> BPDU: sent 862, received 7330
>
> Port 28 (Serial0/0/0.10) of Bridge group 10 is forwarding
> Port path cost 685, Port priority 144, Port Identifier 144.28.
> Designated root has priority 10, address 0019.aa7f.3480
> Designated bridge has priority 32768, address 0055.aa7f.3480
> Designated port id is 128.20, designated path cost 38
> Timers: message age 4, forward delay 0, hold 0
> Number of transitions to forwarding state: 6
> BPDU: sent 552, received 14515

--
Brett

From justin at justinshore.com Sat Jul 5 02:25:31 2008
From: justin at justinshore.com (Justin Shore)
Date: Sat, 05 Jul 2008 01:25:31 -0500
Subject: [c-nsp] Shutting Down Catalyst 6509?
In-Reply-To: <18dba4e50807040554v37f02f22u76d61ddec74d7faf@mail.gmail.com>
References: <18dba4e50807040529y1eab40aq1b6c263fbb76da6b@mail.gmail.com> <18dba4e50807040554v37f02f22u76d61ddec74d7faf@mail.gmail.com>
Message-ID: <486F13DB.80708@justinshore.com>

Felix Nkansah wrote:
> Thanks guys.
>
> I thought it has some special shutdown procedures or commands.

Some of the linecards should be commanded to shutdown prior to cutting power to the chassis. Interface linecards aren't a concern but those that have special functions are essentially servers on linecards. IDSM2, FWSMs, ACEs, SLBs, and the WebVPN module I believe are examples of linecards that should be told to shutdown gracefully before cutting off power to the chassis. Figure out which modules are in what slot with 'show module' and then use 'hw-module module X shutdown' to shutdown the appropriate modules. 'show module' will tell you when the linecard is offline.

Justin

From avayner at cisco.com Sat Jul 5 04:21:01 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Sat, 5 Jul 2008 10:21:01 +0200
Subject: [c-nsp] Ideal LNS/LAC Router
In-Reply-To:
References:
Message-ID: <67F7C1FAF83A074AA3520D8F155782A501910BF9@xmb-ams-331.emea.cisco.com>

Kris,

For short term (or lower scale) solutions, you should be looking at 7201. The 7201 is an NPE-G2 in 1RU format, like the 7301 is a 1RU format of the NPE-G1. The extra bonus on 7201 (except more CPU power) is a 4th GigE port allowing easier redundant topologies...
For longer term (or large scale) solutions, I would suggest you take a look at ASR1000.

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Kris Amy
Sent: Thursday, July 03, 2008 04:07 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Ideal LNS/LAC Router

Hi,

Currently we are using 7301's for LAC/LNS purposes and was wondering what is the next platform that we should be looking to move towards.

--
Kind Regards,
Kris Amy

From risnaini at indo.net.id Sat Jul 5 04:09:03 2008
From: risnaini at indo.net.id (a. rahman isnaini r.sutan)
Date: Sat, 05 Jul 2008 15:09:03 +0700
Subject: [c-nsp] Shutting Down Catalyst 6509?
In-Reply-To: <762A2E44-473A-417F-86D7-145C1857ED58@crocker.com>
References: <18dba4e50807040529y1eab40aq1b6c263fbb76da6b@mail.gmail.com> <18dba4e50807040554v37f02f22u76d61ddec74d7faf@mail.gmail.com> <323aca890807040648i3ec8e427u86e01ef476aa798d@mail.gmail.com> <762A2E44-473A-417F-86D7-145C1857ED58@crocker.com>
Message-ID: <486F2C1F.2080100@indo.net.id>

Mine at up right corner, I just moved my Bar :)

a. r.i. rangkayo sutan

Matthew Crocker wrote:
>> There is a secret shutdown procedure but you will have to plug a mouse
>> into the supervisor, and move into left bottom corner, click start,
>> then shutdown :)
>>
>> Just joking, sorry.
>
> Of course you are joking, everyone knows it is the UPPER left corner,
> apple menu -> Shutdown... Start button to shutdown, geeez!
From sam_mailinglists at spacething.org Sat Jul 5 05:39:04 2008
From: sam_mailinglists at spacething.org (Sam Stickland)
Date: Sat, 05 Jul 2008 10:39:04 +0100
Subject: [c-nsp] Shutting Down Catalyst 6509?
In-Reply-To: <486F13DB.80708@justinshore.com>
References: <18dba4e50807040529y1eab40aq1b6c263fbb76da6b@mail.gmail.com> <18dba4e50807040554v37f02f22u76d61ddec74d7faf@mail.gmail.com> <486F13DB.80708@justinshore.com>
Message-ID: <486F4138.50808@spacething.org>

Justin Shore wrote:
> Felix Nkansah wrote:
>> Thanks guys.
>>
>> I thought it has some special shutdown procedures or commands.
>
> Some of the linecards should be commanded to shutdown prior to cutting
> power to the chassis. Interface linecards aren't a concern but those
> that have special functions are essentially servers on linecards.
> IDSM2, FWSMs, ACEs, SLBs, and the WebVPN module I believe are examples
> of linecards that should be told to shutdown gracefully before cutting
> off power to the chassis. Figure out which modules are in what slot
> with 'show module' and then use 'hw-module module X shutdown' to
> shutdown the appropriate modules. 'show module' will tell you when
> the linecard is offline.

I nearly replied to this thread sooner, because I'd always been told to shut down the FWSMs gracefully before pulling the power. But when I googled it I couldn't actually find anything to support this.

The closest I could find was from the FWSM FAQ at http://www.cisco.com/en/US/products/hw/modules/ps2706/products_qanda_item09186a00801e9e26.shtml which states:

Q. The FWSM has a label that states, "Do not remove card while status light is green or disk corruption may occur." What does this mean?

A.
The firewall module should be removed only after you disable power using one of these methods. (There is no preference for a particular method.)

  * Use the command-line interface (CLI) of the switch and issue one of these commands.
      o CatOS - set module power down mod
      o Cisco IOS Software - no power enable module slot
  * Press the shutdown button on the blade.
  * Physically power down the chassis.

You can remove the module safely when the status light is no longer green.

So "no preference for a particular method" certainly seems to be saying that it's OK to just pull the plug on FWSMs.

On the other hand the documentation is very clear about the ACE module:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/installation/note/aceinote.html#wp42206

  * Step 1 Before you remove the module from the chassis, enter the no power enable module command in configure mode at the switch or router CLI to properly shut down the module to prevent data loss.

Sam

From justin at justinshore.com Sat Jul 5 11:43:51 2008
From: justin at justinshore.com (Justin Shore)
Date: Sat, 05 Jul 2008 10:43:51 -0500
Subject: [c-nsp] IS-IS default route quandary
In-Reply-To:
References: <486C07B5.2090705@justinshore.com>
Message-ID: <486F96B7.20703@justinshore.com>

It's a possibility. I'll have to hit up my upstreams to see. I've got a couple options to try next week.

Thanks
Justin

David Freedman wrote:
> And of course *carefully* redistribute this into IS-IS until you've
> migrated away from customer routes in the IS-IS.
>
> David Freedman wrote:
>>> On each border router we also have a static default route pointed to the
>>> physical interface of the upstream peers
>> Can't you get them to originate you a default via BGP?

From cisco-nsp at punk.co.nz Sun Jul 6 00:00:04 2008
From: cisco-nsp at punk.co.nz (Kris Price)
Date: Sun, 06 Jul 2008 12:00:04 +0800
Subject: [c-nsp] 7600 vs MX experience?
Message-ID: <48704344.1030808@punk.co.nz>

Hi,

We're looking at 7600 + RSP720 platform and the MX from Juniper for our MPLS needs and I was interested in hearing feedback from people about their experiences - both positive and negative - with either platform.

Whatever is selected will be used both as Ps and PEs w/ all 10GE on the core side. This is a fairly large (continental) deployment, and it will set the standard internationally for this customer. Main use will be for IP VPN and EoMPLS, but VPLS may show up in the future too.

Looks like they both will work for our needs. So what it really comes down to is important things like *stability*, support experience, etc.

Please contact me off list if you'd rather not express something in public.

Feedback is very much appreciated. :)

Cheers
Kris

From tedm at toybox.placo.com Sun Jul 6 02:06:45 2008
From: tedm at toybox.placo.com (Ted Mittelstaedt)
Date: Sat, 5 Jul 2008 23:06:45 -0700
Subject: [c-nsp] Telnet FROM a PIX Appliance?
In-Reply-To: <004401c8dd91$72d8daf0$f211a8c0@flamwsugsmul5v>
Message-ID:

Yes. I heard this from the president/owner of Imagestream. Considering what that company makes there's no question in my mind that they reverse-engineered one of the very early version PIXes. There are vestiges of this even in current code - notice for example that access-list subnet masks are not IOS-style, they are DOS/Windows style - although I'm sure with the number of PIXes that Cisco sold once they bought the product, any licensable Windows code was long since removed.

Ted

> -----Original Message-----
> From: Tony Varriale [mailto:tvarriale at comcast.net]
> Sent: Thursday, July 03, 2008 9:50 PM
> To: Ted Mittelstaedt
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?
>
>
> Holy crap. Did you say Windows?
>
> tv
> ----- Original Message -----
> From: "Ted Mittelstaedt"
> To: "Ziv Leyes" ; "Joerg Mayer" ; "Aaron R"
> Cc:
> Sent: Thursday, July 03, 2008 10:21 PM
> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?
>
>
> >
> > Rubbish.
> >
> > The reason the PIX doesn't allow Telnet is that the original
> > PIX devices were built on a Windows core, Windows 3.1 as I
> > believe, with the GUI and most of the command line utilities
> > stripped away. Because the PIX was an early out-of-the-hole
> > firewall, it captured a customer base of customers who needed
> > a firewall but frankly didn't understand much about what they
> > needed. ie: dumb bunnies in cash-rich organizations willing
> > to buy sub-par technology that was hyped up to ridiculous
> > amounts. It's an old story in technology.
> >
> > This was a very valuable customer base which is why Cisco
> > purchased the PIX product line. Cisco had little interest
> > in the lame firewalling technology of the PIX and has
> > spent at least a decade of careful work grooming the PIX
> > customers off PIXes and on to Cisco router platforms. To
> > accomplish this they were -extraordinarily- careful to
> > preserve the PIX interface and limitations over the years.
> > But as anyone who works with PIXes knows, Cisco has really
> > not improved the basic technology of the PIX over the years.
> >
> > That is why the current Cisco IOS-based firewalls have
> > a firewalling feature set that knocks a PIX into a cocked
> > hat.
> >
> > It is also why Cisco has finally felt comfortable enough
> > that they have migrated the PIX customers worth keeping
> > over to their own product line, to announce that they were
> > discontinuing the PIX product line. As they did recently.
> >
> > Ted
> >
> >> -----Original Message-----
> >> From: cisco-nsp-bounces at puck.nether.net
> >> [mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Ziv Leyes
> >> Sent: Monday, June 30, 2008 5:31 AM
> >> To: Joerg Mayer; Aaron R
> >> Cc: cisco-nsp at puck.nether.net
> >> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?
> >>
> >>
> >> I guess it's more as a "working right" educational purpose, so
> >> you won't use your firewall as a debugging client.
> >> In newer versions there's the packet tracker that can help you
> >> debug connectivity problems.
> >> Ziv
> >>
> >>
> >> -----Original Message-----
> >> From: cisco-nsp-bounces at puck.nether.net
> >> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joerg Mayer
> >> Sent: Monday, June 30, 2008 2:21 PM
> >> To: Aaron R
> >> Cc: cisco-nsp at puck.nether.net
> >> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?
> >>
> >> On Mon, Jun 30, 2008 at 06:30:59PM +0800, Aaron R wrote:
> >> > It is disabled as a security feature. I have also wanted to do
> >> the same for
> >> > troubleshooting purposes.
> >>
> >> And why exactly is this a security feature? What is the *gain* in
> >> security?
> >>
> >> Ciao
> >> Joerg
> >> --
> >> Joerg Mayer
> >> We are stuck with technology when what we really want is just stuff that
> >> works. Some say that should read Microsoft instead of technology.
> >>
> >> ******************************************************************
> >> ******************
> >> This footnote confirms that this email message has been scanned by
> >> PineApp Mail-SeCure for the presence of malicious code, vandals &
> >> computer viruses.
> >> ******************************************************************
> >> ******************
> >>
> >
> >

From tedm at toybox.placo.com Sun Jul 6 02:26:49 2008
From: tedm at toybox.placo.com (Ted Mittelstaedt)
Date: Sat, 5 Jul 2008 23:26:49 -0700
Subject: [c-nsp] Telnet FROM a PIX Appliance?
In-Reply-To: <486E1761.5010805@networkoblivion.com>
Message-ID:

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Peder @
> NetworkOblivion
> Sent: Friday, July 04, 2008 5:28 AM
> To: cisco-nsp at puck.nether.net >> Cisco-NSP Mailing List
> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?
>
>
> What!? The original PIX code was < 500k as the first versions from
> Network Translations only had 512k flash modules in them. There is no
> way that it was based on Windows, not even 3.1. I think you are
> thinking of the Centri (or whatever it was called) that was windows
> based that they bought many years ago. I actually worked at Cisco when
> they bought the PIX and the Centri and then they killed the Centri
> shortly thereafter.
> I think the Centri ran on Windows 95, but I am not
> 100% sure as that was 10+ years ago.
>

Interesting, I'm sure you're correct.

> IMO, the reason that so many people use(d) the PIX is that they just
> work.

I disagree. The reason they use them is they are cheap. Cisco did not require a separate IOS license the way that they do with a router running IOS-Firewall Feature set.

Ted

From tedm at toybox.placo.com Sun Jul 6 04:27:00 2008
From: tedm at toybox.placo.com (Ted Mittelstaedt)
Date: Sun, 6 Jul 2008 01:27:00 -0700
Subject: [c-nsp] Telnet FROM a PIX Appliance?
In-Reply-To:
Message-ID:

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of C. Jon Larsen
> Sent: Friday, July 04, 2008 7:30 AM
> To: Peder @ NetworkOblivion
> Cc: cisco-nsp at puck.nether.net >> Cisco-NSP Mailing List
> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?
>
>
>
> Ted,
>
> Peder is correct. Cisco bought the company that made the pix
> (NTI) because
> NTI was one of the first companies to have a decent working NAT overload
> implementation.

There was a set of patches to FreeBSD version 2.1 that added in translation, that came out around 1995. I had a running translator years before IOS 11.2 came out with it and had a 60 person company behind it.

> NAT was a big deal back then - around 1995/1996 and Cisco
> routers did not have NAT in the IOS until 11.2 I think.

Yes, and Cisco could have used the freely available NAT code that was BSD-licensed (ie: free, NOT GPL, really free). They did not have to pay off the NTI guys for something already available for free. And they didn't. They wanted the NTI customer brainshare, and likely, to put a potential competitor out of business.
> At that
> time UUnet and many other SPs were tossing out a full /24 for every t1,
> but the smaller ISDN and frac t1 based connections started coming
> with much
> smaller allocations, and PAT was something everyone (small customers)
> started wanting badly. There was a smattering of non cisco boxes that
> could do a little nat, but customers wanted solid state hardware
> that was
> easy to configure or at least flexible enough to be able to
> configure for a
> variety of wan service offerings - smds, atm, frame, isdn, x.25 was still
> here and there, and on the lan side decnet, ipx/spx, netbeui etc were
> still in play.
>
> Cisco, Proteon and Wellfleet and 3com to a lesser extent
> were the big router players but none of them were addressing the
> emerging NAT market very well.
>
> NTI was a small company with good engineers that wrote a
> custom kernel that did what few others were doing. I saw a few customers
> that actually bought the NTI box or were going to buy the box
> BEFORE cisco
> bought NTI. When Cisco bought NTI and threw their marketing behind the
> PIX, and started pushing it to resellers, it took off because it was a
> good box that fit a niche market very well. In fact the original
> NTI boxes
> were again more of a nat box that a firewall. When you installed
> a pix you set
> the screening router (a cisco of course) up as the dmz firewall with its
> acl capability to protect the dmz hosts and the pix had the outbound nat
> config and the conduits for the inbound flow to the inside network. The
> original pixes were pretty limited as a firewall and of course had no
> capability for a 3rd or 4th interface. They were strictly used for the
> corporate/inside network interface/connect point.
>
> Customers bought PIXes at that time because they were easier than having
> to figure out how to setup a linux

Linux was a toy in 1995, nobody was using it for production anything.
> or Sun bastion host / proxy toolkit or
> fiddle with ipmasq for most companies that did not have in house un*x
> talent. Customers were running out of IPs to number their PCs (and MACs
> - remember the need to browse the internet killed appletalk and
> localtalk)
> that and the ISPs were not handing them out (/24s) like candy anymore.
>
> As far as firewall feature set on a router goes ... I had to
> laugh. I have
> always considered that somewhat fiddly / buggy. Good way to make a solid
> product (a cisco router) into something that needs more attention and is
> slightly less reliable - especially when implemented on low end hardware
> like 800s, or 16xx, or 17xx, 2610s, etc.

IOS 11.2 for the 2500 was the first that did NAT

> I have seen at least 3 or 4 fw
> feature set implementations on routers that were backwards - i.e.
> inspecting traffic in the wrong direction. There is also at least one
> config for the fwfs on cisco.com's website that has it backwards too that
> I ran across.
>

Yeah, I've seen that config too. But, every IOS rev Cisco has ever come out with has been full of bugs for at least the first 10 revisions.

In any case, putting them head-to-head today is a very different fish-kettle than in the beginning. I'll take a 2800 or 3800 series router with firewall on it over an ASA any day.

> As far as cisco discontinuing the pix ?? That's plain wrong. The PIX
> lives on, it just has a new name (ASA) so cisco can move upmarket
> and charge more for the same code base :)
>

Let's just say Cisco's not discontinuing a PIX-like firewall. But calling the ASA a PIX? No, not at all. The ASA is even worse to deal with than the PIX. Fortunately, I don't have to deal with either on new installs, at any rate. Our customers who used to demand PIXes and routinely override my recommendations to buy a router aren't doing that with the ASA due to the price hike.
> Of course the cpus are much faster in the ASA boxes, and it has a more
> extensible/modular hardware architecture than the pix and you can plug in
> the IDS/IPS modules, etc. The ASA boxes usually have a celeron cpu in the
> 2Ghz range whereas the pixes started off as 486 dx2 66MHz chips (yes
> really, with like 4MB or maybe 8MB of main DRAM) and worked their way up
> to 300 or 400Mhz PII chips in the beefier models.
>
> Cisco has no interest in migrating any customers from PIX/ASA to routers.
> They want to sell you BOTH

Heh. Yep, and unnecessary.

> and a few Cat switches while they are at it :)
>

Cisco is a smart enough company to sell to people's preconceptions. Such as, for example, the silliness that having a firewall that allows outbound telnet is safer than allowing incoming telnet to a bastion host (either inside or outside) and then having people jump off from that to the inside. Once you open a vector from the outside to the inside, the firewall is compromised, no matter how convoluted you make that vector. Not to mention that the vast majority of trouble comes in via e-mail anyhow.

But, you don't see Cisco trying to educate people. They simply make products in every way, shape or form that do whatever people want, no matter how stupid, and sit back and let people waste money if they want.

> And finally, Peder is correct again about the Centri. Centri was
> a flaming
> pile of junk. It ran on windows nt server (workstation was also
> supported I'm pretty sure).
>
> Of course it was terrible (the centri) - windows nt was a
> terrible product
> that never really did get stable enough for use as a reliable pc server
> much less as a critical piece of network gear.

Vista today and MS Server are any different?

> Centri did have some
> really "impressive" guis tools for managing firewall configs.
> At that
> time the pix was popular but hard to configure for end customers who
> typically have net admins on staff and not network engrs (times
> really have not changed have they :). Customers wanted to manage their
> own boxes and not have to call an integrator every time an acl needed a
> tweak. Thus the pretty gui of the Centri appealed (in theory). I
> never saw
> one get sold and work though. Couple of demo/evals, and it usually died
> there in the sales process :)
>
> It would have been near impossible for anyone to build a firewall based
> on windows 3.1 technology. Windows 3.1 did not have a true kernel
> or built
> in (native) tcp stack.

It most certainly did - it was the MS Networking Client for DOS that had the TCP/IP protocol. It only worked with LAN cards, though. MS even released a winsock that talked to that stack. Yes, it was real-mode, and technically it wasn't "windows" code, but really most Windows 3.1 apps took over the system anyway to do their own thing; it's mainly a semantic argument.

> Remember Chameleon anyone ? trumpet winsock ?

Those got a boost because they would speak PPP/SLIP out the serial port. The MS Networking stuff wouldn't until Windows 95.

> Those DOS TSR-based "tcp mini kernels" as they were called were so
> unstable that a windows 3.1 or 3.11 based firewall would have keeled over
> the minute it saw real use. Those stacks were barely functional as a
> client, much less a server or firewall.
>

Once more, not true; see: http://www.ka9q.net/code/ka9qnos/

Many people ran this stuff for years; very stable it was.

> I don't remember any vendors coming out with windows based "firewalls"
> until win nt 4.0. Windows in all its versions just was not stable enough
> until then and recall that Windows 3.5 and up are not the same product at
> all as win 3.1. Win 3.1 was 16bit dos with a gui command shell and a
> gui api.
> Win 3.5.x and up was Cutler's 32bit rewrite of VAX and
> Microsoft's first true operating system :)
>

Xenix was Microsoft's first true operating system in 1980, followed by OS/2 in 1987 (joint with IBM). Cutler and his Vomit Making System rewrite didn't come along until '88.

> No way would cisco have purchased or built or sold or recommended
> to clients anything based on win3.1 other than maybe a terminal emulator
> to attach to a cisco serial console :)
>
> I remember a customer that badly wanted to migrate off of netware to
> "save" licensing $$. Remember this was before CALs and such and windows
> 3.5.1 was almost free as a network server. They had to boot the 3.5.1
> server every nite so it would not crash the next day. The netware
> 3.12 server had been up for like 3-4 years at a time :)
>

I remember similar nonsense from customers during that time period as well.

Ted

From zivl at gilat.net Sun Jul 6 05:18:47 2008
From: zivl at gilat.net (Ziv Leyes)
Date: Sun, 6 Jul 2008 12:18:47 +0300
Subject: [c-nsp] Cisco 878 SDM connection problem
In-Reply-To: <022c01c8dcf5$c85fa9f0$170d3ad4@emre>
References: <022c01c8dcf5$c85fa9f0$170d3ad4@emre>
Message-ID:

I think this will get you started:
http://www.cisco.com/univercd/cc/td/doc/product/software/sdm/sdmi21.htm

There are also links to download the SDM software and install it on your PC instead of using the Java from within the device. You need to have a registered user in Cisco in order to be able to download this kind of software.

Regards,
Ziv

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Emre Türkmenler
Sent: Thursday, July 03, 2008 1:16 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cisco 878 SDM connection problem

Hi,

I want to connect to a Cisco 878 with SDM but I have problems; it may be a Java problem. I have the latest version installed at the moment. Can someone explain how I can use SDM?
Thanks

From nick.jon.griffin at gmail.com Sun Jul 6 11:57:31 2008
From: nick.jon.griffin at gmail.com (Nick Griffin)
Date: Sun, 6 Jul 2008 10:57:31 -0500
Subject: [c-nsp] WLC and LWAPP Aps
In-Reply-To: <876789290807040642k322820e8wd8b4d10dea0e4f15@mail.gmail.com>
References: <876789290807030948r78e196c5g72b0b814e5ee1eee@mail.gmail.com> <20080703181517.GJ4112@thot.informatik.uni-kl.de> <876789290807040642k322820e8wd8b4d10dea0e4f15@mail.gmail.com>
Message-ID:

You should be asking yourself how many access points the controller itself can accommodate. I imagine that the DHCP server will let you dole out DHCP scopes all day long, but at the end of the day the controllers are bound to a maximum number of access points. If your AP manager and your management interface are on the same subnet, it's a great idea to place the access points you're talking about on the same VLAN/subnet so that they may discover the controller via L2 broadcast frames; otherwise you get to do some TLV conversions to configure DHCP option 43. In your situation, since this is your first deployment, I would recommend priming the access points as I mentioned above.
You will also need to configure the IP address of the controller under the management, and probably the AP manager, interface.

HTH,

Nick Griffin

On Fri, Jul 4, 2008 at 8:42 AM, Dracul wrote:

> Additional query.
>
> On Fri, Jul 4, 2008 at 2:15 AM, Joerg Mayer wrote:
>
> > On Fri, Jul 04, 2008 at 12:48:59AM +0800, Dracul wrote:
> > > Has anyone done smooth installs with Cisco WLC 4404 series with AIR 1131.
> > > I cannot seem to make the lightweight AP get an IP address from
> > > the internal DHCP server of the WLC, let more the LW AP be discovered by the
> > > 4404. Used Layer 2 and Layer 3 mode already.
> >
> > How about some more details? Are AP and management-if in the same network?
> > If not, what have you done to make sure that the AP knows where to find it?
> > If all fails: You can configure the management-if address directly on the
> > lw-ap command line.
> >
> > Ciao
> > Joerg
> > --
> > Joerg Mayer
> > We are stuck with technology when what we really want is just stuff that
> > works. Some say that should read Microsoft instead of technology.
> >
>
> --
> ===
> Support www.gawadkalinga.org

From anthony.gueneau at gmail.com Sun Jul 6 12:11:12 2008
From: anthony.gueneau at gmail.com (Anthony GUENEAU)
Date: Sun, 6 Jul 2008 18:11:12 +0200
Subject: [c-nsp] 3750 stack member failure detection
Message-ID: <4870eea3.0c07560a.1598.155e@mx.google.com>

Hi,

Does anybody know how to detect a stack member down within a 3750 stack through SNMP? What OID from what Cisco MIB (ENTITY-MIB??) should I poll to manage it?

Thanks.

Anthony

From bennetb at gmail.com Sun Jul 6 13:49:25 2008
From: bennetb at gmail.com (Brandon Bennett)
Date: Sun, 6 Jul 2008 11:49:25 -0600
Subject: [c-nsp] Telnet FROM a PIX Appliance?
In-Reply-To:
References: <486E1761.5010805@networkoblivion.com>
Message-ID:

On Sun, Jul 6, 2008 at 12:26 AM, Ted Mittelstaedt wrote:

> > What!? The original PIX code was < 500k as the first versions from
> > Network Translations only had 512k flash modules in them. There is no
> > way that it was based on Windows, not even 3.1.
>

Straight from the horse's mouth. It was written from the ground up.
http://www.control.auc.dk/~magnus/Mailboxe/firewall-archive/0000.html

Also another good read:
http://home.cfl.rr.com/dealgroup/pix/pix_page_history.htm

Apparently they used a Plan9 computer to develop it as well, with the rumor that PIX is a dedication to Plan9, being that IX is the Roman numeral for 9.

> > I disagree. The reason they use them is they are cheap. Cisco
> > did not require a separate IOS license the way that they do with
> > a router running IOS-Firewall Feature set.
>

I have found that PIX/ASA does a much better job at stateful firewalling than CBAC can, even though they share 95% of the same inspect engines. I have never had an issue with scaling the CPU/memory on a PIX or resource limitations. I have had this on IOS from time to time.

> Yes, and Cisco could have used the freely available NAT code
> that was BSD-licensed (ie: free, NOT GPL, really free). They
> did not have to pay off the NTI guys for something already
> available for free. And they didn't. They wanted the NTI
> customer brainshare, and likely, to put a potential competitor out
> of business.

The fact of the matter is that NTI was doing it better and faster than the Sun and BSD implementations out there at the time. Combine this with the fact that it was easy to set up, maintain, and monitor, similar to the rest of the network gear, and it just makes sense. I don't think this is an example of Cisco trying to dominate the market by "buying out" competitors. If that was the case, Cisco would not have continued the product line for 13 years (and running).
> Let's just say Cisco's not discontinuing a PIX-like firewall. But
> calling the ASA a PIX? No, not at all. The ASA is even worse
> to deal with than the PIX

Dude, the ASA is a PIX with some slight modifications. The code was shared until 8.x (you could boot ASA code on a PIX and PIX code on an ASA). In 8.x the ASA now runs a Linux kernel, but most of the actual firewall code is the same. For all intents and purposes the ASA is the next-generation PIX.

Furthermore, the price difference between the PIX and the ASA is not much. There is still free 3DES/AES licensing; there is still free IPsec VPN termination. The only difference would be the additional licensing and modules that the ASA can do (SSLVPN, IPS, etc).

Let's compare:

PIX 515E could handle 190 Mbit clear text.
The ASA5510 can handle 300 Mbit clear text.

List price of a PIX-515E-UR-BUN, PIX 515E-UR Bundle (Chas, Unrestricted SW, 128MB, 2 FE, VAC+): USD 6,995.00
List price of an ASA5510-BUN-K9, ASA 5510 Appliance with SW, 5FE, 3DES/AES: USD 3,495.00

So the ASA is actually FAR cheaper. Even the ASA5520 (which may be a bit more of a better comparison) is still cheaper than the PIX 515E.

The config is the same, the code is the same. I am not sure why you say they are far different. I've been using PIX for nearly 8 years now and the ASA is nothing different.

As far as the rest of your conversation, it's getting far off topic. :) Although I am not sure how much information I can take from a guy who thought PIX code was Windows 3.1 based. (Not to mention Windows 3.1 didn't even include a kernel!)

The wrap-up: The PIX/ASA is a very capable firewall; you quickly learn ways around not being able to telnet from the box itself. IOS as well shares a lot from the PIX/ASA (and vice versa) and also can make a good firewall. With the ASR1000 it can make a very very quick firewall :)

Also there are other options from other vendors (blasphemy...
I know) like a Netscreen (which ironically ALSO doesn't allow you to telnet from the box :) )

-Brandon Bennett
CCIE No 19406.

From rubensk at gmail.com Sun Jul 6 15:04:42 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Sun, 6 Jul 2008 16:04:42 -0300
Subject: [c-nsp] 7600 vs MX experience?
In-Reply-To: <48704344.1030808@punk.co.nz>
References: <48704344.1030808@punk.co.nz>
Message-ID: <6bb5f5b10807061204x4d2c47eat8411ccbea40da933@mail.gmail.com>

At a recent event I could meet with lots of people from carriers of all sizes in the LAC region, so I will summarize based on the overall experience:

- There were far more stories of instability on the 7600 than on Juniper, even from those that use both as Ps and PEs. I can't say precisely whether the Juniper gear was M-, MX- or T-series. IOS versions that solved that one annoying bug but introduced some different bugs of their own were also a popular quote.

- On the other hand, people with simpler 7600 configurations had fewer problems and could use more IOS versions than the others. That's my direct experience: with no FlexWAN, OSM or ES-20 service cards, you have much more flexibility in adopting newer software and have fewer bugs to deal with.

- Support experience with Cisco from carriers that had either Cisco SmartNET contracts or Cisco Shared Support from one Cisco Partner (let's name them and reward their good service: NEC) was rather good, but other Cisco Shared Support partners were awful at supporting carrier needs. Support experience with Juniper was good whether they called a partner (the same partner serves most or all of Juniper carrier customers in the region) or Juniper directly.

Based on that experience, may I suggest some ideas?

1) If you are going to avoid using 7600 with service cards, then don't get a 7600. Get a ME6500 or some other Catalyst with the port density you need.
No VPLS, some restrictions on EoMPLS (port or subinterface but no VLAN-based EoMPLS), but they cost much less, are stable and made by a friendly BU. ME6500 has H-VPLS, so you can provide VPLS services if you have a VPLS concentrator somewhere, which then would be a pricier 7600, or a Juniper with low port density (M7i-2GE for instance).

2) If you buy Cisco gear and don't know whether your Shared Support partner will do a good job, buy some boxes with SmartNET and some boxes with Shared Support for the 2nd year. In the 1st year you will probably get SmartNET because of Cisco sales policies, so you will already have a quality to compare to. From the 2nd year on, Shared Support will be much cheaper and you will be tempted to buy all support in this flavor, but beware of the provider you don't know yet.

3) Think a lot before doing VPLS services, as the customer may think it's good due to no subnetting or renumbering, but point-to-multipoint is something that I really prefer to see routed. IP VPN with Multicast can probably fit most customer needs instead of VPLS.

Rubens

On Sun, Jul 6, 2008 at 1:00 AM, Kris Price wrote:
> Hi,
>
> We're looking at 7600 + RSP720 platform and the MX from Juniper for our MPLS
> needs and I was interested in hearing feedback from people about their
> experiences - both positive and negative - with either platform.
>
> Whatever is selected will be used both as Ps and PEs w/ all 10GE on the core
> side. This is a fairly large (continental) deployment, and it will set the
> standard internationally for this customer. Main use will be for IP VPN and
> EoMPLS, but VPLS may show up in the future too.
>
> Looks like they both will work for our needs. So what it really comes down
> to is important things like *stability*, support experience, etc.
>
> Please contact me off list if you'd rather not express something in public.
>
> Feedback is very much appreciated.
> :)
>
> Cheers
> Kris

From paul at paulstewart.org Sun Jul 6 15:18:19 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Sun, 6 Jul 2008 15:18:19 -0400
Subject: [c-nsp] 7600 vs MX experience?
In-Reply-To: <6bb5f5b10807061204x4d2c47eat8411ccbea40da933@mail.gmail.com>
References: <48704344.1030808@punk.co.nz> <6bb5f5b10807061204x4d2c47eat8411ccbea40da933@mail.gmail.com>
Message-ID: <001001c8df9d$0f60f0d0$2e22d270$@org>

Hi Rubens...

Sorry if this is sidetracking the conversation a bit - apologies. But, what can folks tell me about shared support in general? I always thought it was Smartnet or nothing, hence why I'm asking... is this "3rd party Cisco support" that I've seen advertised a few times? With "shared smartnet", do you lose the ability to contact TAC directly? What about software updates - from Cisco or from the partner??

Thanks very much,

Paul Stewart

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rubens Kuhl Jr.
Sent: Sunday, July 06, 2008 3:05 PM
To: Kris Price
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 7600 vs MX experience?

From apowers at lancope.com Sun Jul 6 14:44:49 2008
From: apowers at lancope.com (Adam Powers)
Date: Sun, 06 Jul 2008 14:44:49 -0400
Subject: [c-nsp] "multiplexing" netflow?
In-Reply-To: <005c01c8dd10$4b79fc40$e26df4c0$@bezzina@bell.net.mt>
Message-ID:

Lancope sells a commercial Flow Replicator that's designed for replication and redistribution of any unidirectional UDP app including NetFlow. It operates in both unicast and promiscuous modes. More info here...
http://www.lancope.com/products/replicator.aspx

An open source alternative that I know many have used to much success is the UDP Samplicator project found here:
http://freshmeat.net/projects/samplicator/

On 7/3/08 9:25 AM, "Gordon Bezzina" wrote:

> Hi,
>
> Get a plain linux box, install flow-tools and use flow-fanout.
>
> Example:
>
> /usr/bin/flow-fanout -s 0/192.168.3.5/2000 0/192.168.3.10/9996 0/192.168.3.22/2055
>
> Accept netflow from 192.168.3.5 on port 2000 and re-export them to:
> 1. 192.168.3.10 port 9996; and
> 2. 192.168.3.22 port 2055.
>
> My linux box has been up for 157 days already and flow-fanout never crashed
> :-)
>
> Hope it helps
>
> Brgds
> Gordon
>
>
> On Thu, Jul 3, 2008 at 11:18, Drew Weaver wrote:
>> Hi there, we have equipment at our edge that requires us to
>> export our netflow to it in order for it to function but we would also like
>> our NetFlow stats to be exported somewhere else for analysis.
>>
>> Does anyone know of a product that you can export your netflow to that
>> will then in turn export it to multiple destinations (that works well and is
>> easy to use/reliable) ?
>

--
Adam Powers
Chief Technology Officer
Lancope, Inc.
c. 678.725.1028
f. 678.302.8744
e. adam at lancope.com

From mtinka at globaltransit.net Sun Jul 6 21:18:28 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Mon, 7 Jul 2008 09:18:28 +0800
Subject: [c-nsp] Shutting Down Catalyst 6509?
In-Reply-To: <18dba4e50807040554v37f02f22u76d61ddec74d7faf@mail.gmail.com>
References: <18dba4e50807040529y1eab40aq1b6c263fbb76da6b@mail.gmail.com> <18dba4e50807040554v37f02f22u76d61ddec74d7faf@mail.gmail.com>
Message-ID: <200807070918.32290.mtinka@globaltransit.net>

On Friday 04 July 2008 20:54:48 Felix Nkansah wrote:
> Thanks guys.
>
> I thought it has some special shutdown procedures or
> commands.

Which is something we wish for on Cisco's new ASR line, seeing as it has a hard drive and all.

Current documented procedure to shut down the ASR is to reload as normal, then power off the PSUs when you see the Bootloader - not very elegant.

Mark.

From chris.garzon at gmail.com Sun Jul 6 22:36:23 2008
From: chris.garzon at gmail.com (Dracul)
Date: Mon, 7 Jul 2008 10:36:23 +0800
Subject: [c-nsp] WLC and LWAPP Aps
In-Reply-To:
References: <876789290807030948r78e196c5g72b0b814e5ee1eee@mail.gmail.com> <20080703181517.GJ4112@thot.informatik.uni-kl.de> <876789290807040642k322820e8wd8b4d10dea0e4f15@mail.gmail.com>
Message-ID: <876789290807061936r326a245aue7b1e388d4283413@mail.gmail.com>

Thanks Nick,

I'm planning to maximize my 4404's capability, which is 100. What I'm afraid of is whether the internal DHCP of the 4404 will be OK to serve the 100 LWAPs. Then my clients would use another DHCP server to connect.

Best regards,
Chris

From tvarriale at comcast.net Sun Jul 6 22:50:16 2008
From: tvarriale at comcast.net (Tony Varriale)
Date: Sun, 6 Jul 2008 21:50:16 -0500
Subject: [c-nsp] Telnet FROM a PIX Appliance?
References:
Message-ID: <006101c8dfdc$30146020$f211a8c0@flamwsugsmul5v>

It's fairly well known by people that have been fortunate enough to have been around Cisco that long and/or that know a little PIXen history that the OS was called Finesse. It was a custom-built OS and AFAIK has had no stage performances in any other devices. But, don't take my word for it. I'm sure the NTI guys are still around out west somewhere.

I think your Windows similarity stretch is incredibly creepy. I feel like I'm getting hoaxed into a pyramid scheme for some reason.
tv

----- Original Message -----
From: "Ted Mittelstaedt"
To: "Tony Varriale"
Cc:
Sent: Sunday, July 06, 2008 1:06 AM
Subject: RE: [c-nsp] Telnet FROM a PIX Appliance?

>
> Yes. I heard this from the president/owner of Imagestream.
> Considering what that company makes there's no question in
> my mind that they reverse-engineered one of the very early
> version PIXes. There are vestiges of this even in current
> code - notice for example that access-list subnet masks are
> not IOS-style, they are DOS/Windows style - although I'm
> sure with the number of PIXes that Cisco sold once they
> bought the product, any licensable Windows code was long
> since removed.
>
> Ted
>
>> -----Original Message-----
>> From: Tony Varriale [mailto:tvarriale at comcast.net]
>> Sent: Thursday, July 03, 2008 9:50 PM
>> To: Ted Mittelstaedt
>> Cc: cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?
>>
>>
>> Holy crap. Did you say Windows?
>>
>> tv
>> ----- Original Message -----
>> From: "Ted Mittelstaedt"
>> To: "Ziv Leyes" ; "Joerg Mayer" ; "Aaron R"
>> Cc:
>> Sent: Thursday, July 03, 2008 10:21 PM
>> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?
>>
>>
>> >
>> > Rubbish.
>> >
>> > The reason the PIX doesn't allow Telnet is that the original
>> > PIX devices were built on a Windows core, Windows 3.1 as I
>> > believe, with the GUI and most of the command line utilities
>> > stripped away. Because the PIX was an early out-of-the-hole
>> > firewall, it captured a customer base of customers who needed
>> > a firewall but frankly didn't understand much about what they
>> > needed. ie: dumb bunnies in cash-rich organizations willing
>> > to buy sub-par technology that was hyped up to ridiculous
>> > amounts. It's an old story in technology.
>> >
>> > This was a very valuable customer base which is why Cisco
>> > purchased the PIX product line.
>> > Cisco had little interest
>> > in the lame firewalling technology of the PIX and has
>> > spent at least a decade of careful work grooming the PIX
>> > customers off PIXes and on to Cisco router platforms. To
>> > accomplish this they were -extraordinarily- careful to
>> > preserve the PIX interface and limitations over the years.
>> > But as anyone who works with PIXes knows, Cisco has really
>> > not improved the basic technology of the PIX over the years.
>> >
>> > That is why the current Cisco IOS-based firewalls have
>> > a firewalling feature set that knocks a PIX into a cocked
>> > hat.
>> >
>> > It is also why Cisco has finally felt comfortable enough
>> > that they have migrated the PIX customers worth keeping
>> > over to their own product line, to announce that they were
>> > discontinuing the PIX product line. As they did recently.
>> >
>> > Ted
>> >
>> >> -----Original Message-----
>> >> From: cisco-nsp-bounces at puck.nether.net
>> >> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ziv Leyes
>> >> Sent: Monday, June 30, 2008 5:31 AM
>> >> To: Joerg Mayer; Aaron R
>> >> Cc: cisco-nsp at puck.nether.net
>> >> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?
>> >>
>> >>
>> >> I guess it's more as a "working right" educational purpose, so
>> >> you won't use your firewall as a debugging client.
>> >> In newer versions there's the packet tracker that can help you
>> >> debug connectivity problems.
>> >> Ziv
>> >>
>> >>
>> >> -----Original Message-----
>> >> From: cisco-nsp-bounces at puck.nether.net
>> >> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joerg Mayer
>> >> Sent: Monday, June 30, 2008 2:21 PM
>> >> To: Aaron R
>> >> Cc: cisco-nsp at puck.nether.net
>> >> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?
>> >>
>> >> On Mon, Jun 30, 2008 at 06:30:59PM +0800, Aaron R wrote:
>> >> > It is disabled as a security feature. I have also wanted to do
>> >> > the same for troubleshooting purposes.
>> >>
>> >> And why exactly is this a security feature? What is the *gain* in
>> >> security?
>> >>
>> >> Ciao
>> >> Joerg
>> >> --
>> >> Joerg Mayer
>> >> We are stuck with technology when what we really want is just
>> >> stuff that
>> >> works. Some say that should read Microsoft instead of technology.
>> >>
>> >
>>

From sethm at rollernet.us Mon Jul 7 00:40:08 2008
From: sethm at rollernet.us (Seth Mattinen)
Date: Sun, 06 Jul 2008 21:40:08 -0700
Subject: [c-nsp] Shutting Down Catalyst 6509?
In-Reply-To: <200807070918.32290.mtinka@globaltransit.net>
References: <18dba4e50807040529y1eab40aq1b6c263fbb76da6b@mail.gmail.com> <18dba4e50807040554v37f02f22u76d61ddec74d7faf@mail.gmail.com> <200807070918.32290.mtinka@globaltransit.net>
Message-ID: <48719E28.1080409@rollernet.us>

Mark Tinka wrote:
> On Friday 04 July 2008 20:54:48 Felix Nkansah wrote:
>
>> Thanks guys.
>>
>> I thought it has some special shutdown procedures or
>> commands.
>
> Which is something we wish for on Cisco's new ASR line,
> seeing as it has a hard drive and all.
>
> Current documented procedure to shutdown the ASR is to
> reload as normal, then power-off the PSU's when you see the
> Bootloader - not very elegant.
>

How the heck would something like that make it past QA? I've never in my life worried about corrupting a router, switch, or any associated modules. One would think that some kind of battery-backed write cache, similar to how RAID controllers deal with unexpected power loss, could be used. I've never priced an ASR but they certainly don't look cheap.
~Seth

From juniper84 at live.com Mon Jul 7 00:51:30 2008
From: juniper84 at live.com (J C)
Date: Mon, 7 Jul 2008 01:51:30 -0300
Subject: [c-nsp] 7600 MPLS QoS
Message-ID:

I've been going through all the documentation regarding MPLS and configuring MPLS QoS on PFCs and I'm stumped on this question.

In the past MPLS networks I've used Pipe Mode with Explicit Null LSP to configure QoS within the MPLS network. The benefit of this for a carrier network was that it preserved the customer markings and allowed us to control the treatment of the traffic right up to (and including) the egress of the PE to the carrier-owned CPE.

From reading the documentation on the 7600 I don't see anywhere the ability to use Pipe Mode with Explicit-Null LSP... I only see Uniform Mode and Short Pipe Mode. Right away Uniform Mode is out of the question, and Short Pipe Mode is the best alternative, but it only allows you to control the treatment of the traffic until it reaches the final PE, at which point the traffic has no MPLS EXP bits left on it and only the original customer markings are left.

So my question is... am I just missing something regarding the 7600 and its ability to support Pipe Mode with Explicit-Null? I'm asking this because I also noticed that 'set qos-groups' is not available on ingress MPLS-MPLS interfaces... And if this method of MPLS QoS is not supported on the 7600, what's the next best thing? Lastly, if Short Pipe Mode is the only alternative, then how can the SP still control treatment on the egress of the final PE... as all MPLS EXP bits will be stripped during the final 'pop'.

Thanks in advance MPLS gurus!!!!

From justin at justinshore.com Mon Jul 7 01:50:52 2008
From: justin at justinshore.com (Justin Shore)
Date: Mon, 07 Jul 2008 00:50:52 -0500
Subject: [c-nsp] 7600 vs MX experience?
In-Reply-To: <001001c8df9d$0f60f0d0$2e22d270$@org>
References: <48704344.1030808@punk.co.nz>
	<6bb5f5b10807061204x4d2c47eat8411ccbea40da933@mail.gmail.com>
	<001001c8df9d$0f60f0d0$2e22d270$@org>
Message-ID: <4871AEBC.5020304@justinshore.com>

Paul Stewart wrote:
> Hi Rubens...
>
> Sorry if this is sidetracking the conversation a bit - apologies. But, what
> can folks tell me about shared support in general? I always thought it was
> Smartnet or nothing hence why I'm asking... is this "3rd party Cisco
> support" that I've seen advertised a few times?
>
> With "shared smartnet", do you lose the ability to contact TAC directly?
> What about software updates - from Cisco or from the partner??

To go along with Paul's question, what about hardware warranty & RMA?

Justin

From john.douglas at gmail.com Mon Jul 7 02:33:35 2008
From: john.douglas at gmail.com (john douglas)
Date: Mon, 7 Jul 2008 16:33:35 +1000
Subject: [c-nsp] What is spanning tree interface "St1"
Message-ID: <5c846eaf0807062333h807ea4di467853c3c4bbc560@mail.gmail.com>

Hi All,

I am investigating some ongoing spanning tree root changes and I am seeing this interface "St1" appearing in the STP root debug

016536: Jul 7 16:10:01.680 AEST: STP: VLAN0148 heard root 32916-0013.60a9.0f00 on St1
016537: Jul 7 16:10:01.680 AEST: STP: VLAN0149 Topology Change rcvd on St1
016538: Jul 7 16:10:01.680 AEST: STP: VLAN0148 heard root 32916-0013.60a9.0f00 on St1
016544: Jul 7 16:10:01.722 AEST: STP: VLAN0148 we are the spanning tree root
016545: Jul 7 16:10:01.722 AEST: STP: VLAN0148 heard root 8340-0008.e379.d980 on Gi1/0/28
016546: Jul 7 16:10:01.722 AEST:     supersedes 32916-0013.60a9.0f00
016547: Jul 7 16:10:01.722 AEST: STP: VLAN0148 new root is 8340, 0008.e379.d980 on port Gi1/0/28, cost 39
016548: Jul 7 16:10:01.722 AEST:
STP: VLAN0148 sent Topology Change Notice on Gi1/0/28
016549: Jul 7 16:10:02.678 AEST: STP: VLAN0148 Topology Change rcvd on St1

My google fu must be bad today because I cannot seem to find any reference to spanning tree and "St1" at all.. I see similar output in the sh spanning-tree details for this vlan.

I only have 2 interfaces on the switch that live in Vlan 148, however I now have this magical interface "St1" which has appeared with cost 100 ?

#sh vlan id 148

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
148  foofoofoobar1                    active    Gi1/0/28, Gi2/0/23

#sh spanning-tree vlan 148

VLAN0148
  Spanning tree enabled protocol ieee
  Root ID    Priority    8340
             Address     0008.e379.d980
             Cost        38
             Port        28 (GigabitEthernet1/0/28)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32916  (priority 32768 sys-id-ext 148)
             Address     0013.60a9.0f00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi1/0/28         Root FWD 29        128.28   P2p
St1              Desg FWD 100       128.1000 P2p
Gi2/0/23         Desg FWD 9         128.75   P2p

Ideas anyone?

From avayner at cisco.com Mon Jul 7 03:46:00 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Mon, 7 Jul 2008 09:46:00 +0200
Subject: [c-nsp] What is spanning tree interface "St1"
In-Reply-To: <5c846eaf0807062333h807ea4di467853c3c4bbc560@mail.gmail.com>
References: <5c846eaf0807062333h807ea4di467853c3c4bbc560@mail.gmail.com>
Message-ID: <67F7C1FAF83A074AA3520D8F155782A501910D64@xmb-ams-331.emea.cisco.com>

John,

St1 is a logical interface associated with the internal stack.

Arie

From tedm at toybox.placo.com Mon Jul 7 03:49:12 2008
From: tedm at toybox.placo.com (Ted Mittelstaedt)
Date: Mon, 7 Jul 2008 00:49:12 -0700
Subject: [c-nsp] Telnet FROM a PIX Appliance?
In-Reply-To:
Message-ID:

-----Original Message-----
From: Brandon Bennett [mailto:bennetb at gmail.com]
Sent: Sunday, July 06, 2008 10:49 AM
To: Ted Mittelstaedt
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?

On Sun, Jul 6, 2008 at 12:26 AM, Ted Mittelstaedt wrote:

>>I disagree. The reason they use them is they are cheap. Cisco
>>did not require a separate IOS license the way that they do with
>>a router running IOS-Firewall Feature set.

>I have found that PIX/ASA does a much better job at stateful firewalling
>than CBAC can even though they share 95% of the same inspect engines. I
>have never had an issue with scaling the CPU/memory on a PIX or resource
>limitations. I have had this on IOS from time to time.

I have, actually. With a lot of VPN tunnels terminated on a PIX 506.
Not that I blame the PIX though, as I had been telling the customer almost a year earlier that they would need a 515.

I've also had trouble with stateful inspection on IOS on a router with insufficient RAM in it. Once again, I predicted to the customer in advance it would happen, the customer didn't want to spend money in advance on RAM, and sure enough it did happen at an inconvenient time for them.

Both times I savored saying "I told you so", believe me.

>> Yes, and Cisco could have used the freely available NAT code
>>that was BSD-licensed (ie: free, NOT GPL, really free). They
>>did not have to pay off the NTI guys for something already
>>available for free. And they didn't. They wanted the NTI
>>customer brainshare, and likely, to put a potential competitor out
>>of business.

>The fact of the matter is that NTI was doing it better and faster than
>the Sun and BSD implementations out there at the time.

I was not aware of any Sun NAT implementation at that time period. If there was, what was it? Checkpoint did run on Solaris, I admined one of those as a matter of fact, but it was not NAT. And it was annoying.

As for the NTI being better than BSD, that's just your opinion. First of all the NAT stuff was only on FreeBSD, NOT on any of the other BSDs, and it definitely wasn't on Solaris. When it was released it was a set of kernel patches and an application, and it wasn't applicable to any other UNIX. Please point out any "bake-off" comparisons that were done at that time. Most people didn't know what NAT was.

I never had problems with the FreeBSD implementation of NAT and in fact, doing it this way supported some applications that the Cisco IOS NAT didn't (at the beginning), like PPTP client VPNs initiated from behind. And Netmeeting H.323, since you could also run a NM proxy on the system; if you recall that was pretty common in the NT days for remote control since it was free.

I never used the NTI stuff at that time so I don't have an opinion on which was better, but I'll bet money you never used the FreeBSD NAT patches either, so I'll put your "fact of the matter is" statement down to youthful eagerness and leave it at that. ;-)

>Combine this with
>the fact that it was easy to setup, maintain, and monitor similar to the
>rest of the network gear

If a PIX is so easy to set up and maintain then I would not have had quite a lot of work over the years in administering them for people. I will say that the PIX command line is no worse to set up and admin than IOS - once you know all of the idiosyncrasies of the PIXos - but that's no different than the idiosyncrasies of IOS. I do find the PIX GUI to be a big piece of crap, though.

But, the assertion that it's easy to set up is only the case when you're talking about real network admins. For the general public, that is frankly absurd. What is easy to set up is a Linksys RV042. (which will VPN into a PIX quite nicely, although you have to turn off stateful packet inspection on it if you're running Vista, per http://support.microsoft.com/kb/934430/en-us)

>and it just makes sense. I don't think this
>is an example of Cisco trying to dominate the market by "buying-out"
>competitors. If that was the case Cisco would not have continued the
>product line for 13 years (and running).

Continuing the product line for 13 years is definitely not a symptom of a company trying to buy out a competitor, you're right there.

What it IS a symptom of is a company trying to keep a captured customer base from bolting. If there had been no brainshare and no customer base for the NTI stuff then Cisco would have done the same thing they did when they picked up the ISDN technology they wanted from Combinet: they would have almost immediately renamed the product line and moved all the decent technology into IOS as quick as they could.

I'm sure you have been in the business long enough to understand that companies only buy other companies to make money. That money comes from - drumroll - customers, does it not? Thus to put it simply, companies only buy other companies so they can get more money out of customers. They don't do it to make prices cheaper for you, they do it so they can lock you into them further, or because they pitched their products to you and you didn't like them and so went with someone else, now they bought that someone else, so they own you even though you never liked them. The stated reasons of "helping customers" are almost always utter hogwash.

For the most part acquisitions essentially reduce competition and thus allow the acquiring company to maintain high prices or jack up their prices. This doesn't help customers. The very FEW times that an acquisition helps is when the acquired company was going bankrupt - and you're a customer who bought in to the failing company's product line. But boy, you're gonna pay through the nose to the acquiring company to maintain your service agreements, and the fact of the matter is you made a decision to buy into a loser's products - it's a regrettable decision no matter how you slice it, and the acquiring company is merely less unpleasant than scrapping and replacing the product.

If Cisco hadn't maintained the PIX product line for as long as they did, I would agree that Cisco just bought NTI because they wanted its technology. But you are missing the obvious here. You're saying the ASA is a PIX, meaning Cisco isn't killing the PIX after all. If so, why? I'll tell you, it's because there's a customer base out there that is large! It is NOT because it's better or worse to do the same thing that the PIX does on an IOS router, it's because this large customer base THINKS it's better to do the stuff the PIX does on a standalone box that isn't a router. The baby wants his bottle and Cisco isn't going to take it away. Simple as that.

>>Let's just say Cisco's not discontinuing a PIX-like firewall. But
>>calling the ASA a PIX? No, not at all. The ASA is even worse
>>to deal with than the PIX

>Dude, the ASA is a pix with some slight modifications. The code was shared
>until 8.x (you could boot asa code on a pix and pix code on an asa). 8.x
>the ASA now runs a linux kernel, but most of the actual firewall code is
>the same. For all intents and purposes the ASA is the next-generation PIX.

If it only has slight modifications then it's definitely not next-generation. Make up your mind, please! :-)

The reason -I- think the ASA is worse is because the ASA just perpetuates the nonsense that a router can't be a firewall. Sure it can, it just depends on what firmware is running on it. Cisco missed the boat here to educate the customer base. I am just thankful Cisco jacked up the price so I can educate my customers without them just hearing "mo money mo money mo money mo money".

>Furthermore the price difference between the PIX and the ASA is not much.
>There is still free 3DES/AES licensing, there is still free IPSec VPN
>termination. The only difference would be the additional licensing and
>modules that the ASA can do (SSLVPN, IPS, etc)

>Let's compare: PIX 515e could handle 190 Mbit clear text. The ASA5510 can
>handle 300 Mbit clear text.

>List price of a PIX-515E-UR-BUN. PIX 515E-UR Bundle (Chas, Unrestricted SW,
> 128MB, 2 FE, VAC+), USD 6,995.00

>List price of a ASA5510-BUN-K9, ASA 5510 Appliance with SW, 5FE, 3DES/AES,
> USD 3,495.00

>So the ASA is actually FAR cheaper.

Don't you mean ASA5510-SEC-BUN-K9 with the 2GE ports? How are you going to get 300 Mbit through 2 FE ports? Let's tack on an extra $1K, shall we?

And where does Cisco get off charging an extra $3K for 50 miserable SSL VPN licenses? The SSL protocol is OPEN for God's sake. Oh I get it, REMOVE support for PPTP VPNs (ie: out of the box Microsoft VPN client that's FREE) and replace it with an SSL VPN client that -costs money-. Yeah, give me more, baby. Harder, Harder!

And, I forgot about AIP, what is that, $7K a year for a subscription? So if you don't pay the $7K a year, then when the latest AIM comes out that is written to get around the current inspection and is wasting your employees' productivity in spades, you have to buy a new ASA. Great one, that!!

> Even the ASA5520 (which may be a bit more
> of a better comparison) is still cheaper than the PIX515e.

The point was rather a comparison between IOS-based router and PIX or ASA, not between PIX and ASA.

In any case, how many companies have 300 Mbit Internet connections? How many companies have 190 Mbit Internet connections? And how exactly do you get 190 Mbit through a 515 which only had 2 10/100 Mbit interfaces on it? ;-) These are BigCo comparisons you're talking, and frankly, BigCos buy what they do because of their previously established vendor relationships, they are not switching to ASAs because they care about the price. And most BigCos buy direct from Cisco anyhow, so the list prices are pure fiction.

A much more realistic comparison with product that's sold to people who actually do care about the price is:

PIX-506E-BUN-K9 @ $1,395 vs ASA5505-UL-BUN-K9 @ $995.

So yes, on the surface it LOOKS like a better deal - until you have to bend over and take it in the shorts for that insane SSL VPN license. Oh, and of course, with the 5505, you're screwed there since 50 SSL users is the licensed limit, you have to go to the 5510 for more. The old 506E had no restriction on number of VPN clients.

In a router vs ASA comparison:

CISCO1841-SEC/K9   1841 Security Bundle, Advanced Security, 64FL/256DR          $2495
ASA5505-SSL-10-K9  ASA 5505 VPN Edition w/ 10 SSL Users, 50FW Users, 3DES/AES   $2095

Let's see, with the former I can use all of my free Microsoft VPN clients, PPTP, L2TP, whatever I want, as many as I want. I can put in as many server to server VPNs as I want. I can drop in a T1 card if needed. I can have as much stuff as I want behind it.

With the ASA I can have a max 10 SSL users, or I have to switch all my Microsoft VPN clients over to L2TP. I'm limited to 50 users. For the extra $400 it's not worth dealing with the ASA when you can have a real router. And 5 years from now when some competitor has come out with an ethernet-to-ethernet firewall that is better than the ASA, well I can still use the router to feed the T1.

And on top of that IOS has had IPv6 for years, the ASA just finally got a working implementation with version 8.0.3 or so I read. (I don't really know, maybe it still doesn't work right)

>>As far as the rest of your conversation, it's kinda getting far off topic. :)

>Although I am not sure how much information I can take from a guy who
>thought PIX code was Windows 3.1 based. (Not to mention Windows 3.1 didn't
>even include a kernel!).

I never said CURRENT code was Win 3.1 based, I said I had heard that the original PIX code from pre-Cisco days was Win 3.1 based. Surely you remember that Win 3.1 will run in real mode, without the GUI, by just putting command.com as the last statement in the winstart.bat file. Win 3.0, don't forget, would run on an XT, in real mode, with a GUI. Back in those days a lot of people who wrote embedded stuff would use DOS or a stripped Windows merely as a program loader, so it didn't seem that farfetched to me when I heard it.

>The wrap up: The PIX/ASA is a very capable firewall, you quickly learn
>ways around not being able to telnet from the box itself. IOS as well
>shares a lot from the PIX/ASA (and vice versa) and also can make a good
>firewall. With the ASR1000 it can make a very very quick firewall :)
>Also there are other options from other vendors (blasphemy... I know)
>like a netscreen (which ironically ALSO doesn't allow you to telnet
>from the box :) )

Or, a Linux box with squid as a transparent proxy, etc.

Ted

From tedm at toybox.placo.com Mon Jul 7 04:09:19 2008
From: tedm at toybox.placo.com (Ted Mittelstaedt)
Date: Mon, 7 Jul 2008 01:09:19 -0700
Subject: [c-nsp] Telnet FROM a PIX Appliance?
In-Reply-To: <006101c8dfdc$30146020$f211a8c0@flamwsugsmul5v>
Message-ID:

> -----Original Message-----
> From: Tony Varriale [mailto:tvarriale at comcast.net]
> Sent: Sunday, July 06, 2008 7:50 PM
> To: Ted Mittelstaedt
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?
>
> It's fairly well known by people that have been fortunate to have been around
> Cisco that long and/or that know a little PIXen history that the OS was
> called Finesse.
>
> It was a custom built OS and AFAIK has had no stage performances in any
> other devices.
>

Well, actually Cisco's LocalDirector, the "industry's first load balancer"

> But, don't take my word for it. I'm sure the NTI guys are still
> around out west somewhere.
>

Once the actual OS name was supplied, digging up information about it proved simple:

http://www.linkedin.com/in/brantleycoile

> I think your Windows similarity stretch is incredibly creepy. I
> feel like I'm getting hoaxed into a pyramid scheme for some reason.
>

:-) Cisco Corp. is a pyramid scheme. ;-)

Ted

From techconfig at yahoo.com Mon Jul 7 04:23:23 2008
From: techconfig at yahoo.com (Mark Tech)
Date: Mon, 7 Jul 2008 01:23:23 -0700 (PDT)
Subject: [c-nsp] WS-X6748-SFP 7600 MPLS
Message-ID: <706576.69100.qm@web44807.mail.sp1.yahoo.com>

Hi
Can the WS-X6748-SFP support MPLS on a 7600 chassis?
Regards
Marl

From rubensk at gmail.com Mon Jul 7 04:47:45 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Mon, 7 Jul 2008 05:47:45 -0300
Subject: [c-nsp] Shared Support versus Smartnet
Message-ID: <6bb5f5b10807070147j3f101c67i9b9af6995dface0d@mail.gmail.com>

On Sun, Jul 6, 2008 at 4:18 PM, Paul Stewart wrote:
> Hi Rubens...
>
> Sorry if this is sidetracking the conversation a bit - apologies.
> But, what
> can folks tell me about shared support in general? I always thought it was
> Smartnet or nothing hence why I'm asking... is this "3rd party Cisco
> support" that I've seen advertised a few times?

Don't know for sure, but probably yes.

> With "shared smartnet", do you lose the ability to contact TAC directly?

Yes, according to CCO docs. L1 and L2 are done by partner, TAC gets involved from L3 and above.

> What about software updates - from Cisco or from the partner??

Partner, according to CCO docs. I'll only know for sure in a few weeks when we renew our contracts.

Cisco Shared Support looks very similar to the old PICA contracts; Cisco and partners insist they are different, but the more I look, the more I feel they are the same.

Rubens

From rubensk at gmail.com Mon Jul 7 04:53:32 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Mon, 7 Jul 2008 05:53:32 -0300
Subject: [c-nsp] Support versus warranty/RMA
Message-ID: <6bb5f5b10807070153s6f470adagf9edc61adf3902d4@mail.gmail.com>

>> Smartnet or nothing hence why I'm asking... is this "3rd party Cisco
>> support" that I've seen advertised a few times?
>>
>> With "shared smartnet", do you lose the ability to contact TAC directly?
>> What about software updates - from Cisco or from the partner??
>
> To go along with Paul's question, what about hardware warranty & RMA?

Shared Support gives you support level hardware maintenance, not warranty level. Shared Support is usually "same day ship"/"next business day", but could give a faster replacement policy if the partner can afford the logistics to do it and you can afford to buy the service. Usually they cannot, so if you want 4h or 12h you probably need to stick with Smartnet, but that is up to the partner so they might do it.

Rubens

From rubensk at gmail.com Mon Jul 7 04:57:29 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Mon, 7 Jul 2008 05:57:29 -0300
Subject: [c-nsp] WS-X6748-SFP 7600 MPLS
In-Reply-To: <706576.69100.qm@web44807.mail.sp1.yahoo.com>
References: <706576.69100.qm@web44807.mail.sp1.yahoo.com>
Message-ID: <6bb5f5b10807070157i72df6c12o473e63e87a58b801@mail.gmail.com>

You didn't mention if it is a DFC-equipped WS-X6748-SFP or not, but I don't think it matters: the card doesn't have "service capabilities" and will fall back to PFC-based MPLS, which might satisfy your requirements or not. No FlexWAN/OSM/ES20 services, just plain vanilla MPLS.

Rubens

On Mon, Jul 7, 2008 at 5:23 AM, Mark Tech wrote:
> Hi
> Can the WS-X6748-SFP support MPLS on a 7600 chassis?
> Regards
> Marl

From techconfig at yahoo.com Mon Jul 7 05:14:45 2008
From: techconfig at yahoo.com (Mark Tech)
Date: Mon, 7 Jul 2008 02:14:45 -0700 (PDT)
Subject: [c-nsp] WS-X6748-SFP 7600 MPLS
Message-ID: <953271.75056.qm@web44802.mail.sp1.yahoo.com>

Hi Rubens, thanks for the response.
Currently I have not got the cards yet so I cannot test myself. At the moment they are just plain cards with no extra DFC cards, which is the cause of my concerns. I will be using RSP720-3C which has integrated PFCs so I assume that will take care of MPLS?

Mark

----- Original Message ----
From: Rubens Kuhl Jr.
To: Mark Tech
Cc: cisco-nsp at puck.nether.net
Sent: Monday, July 7, 2008 9:57:29 AM
Subject: Re: [c-nsp] WS-X6748-SFP 7600 MPLS

> You didn't mention if it is a DFC-equipped WS-X6748-SFP or not, but I
> don't think it matters: the card doesn't have "service capabilities" and
> will fall back to PFC-based MPLS, which might satisfy your requirements
> or not. No FlexWAN/OSM/ES20 services, just plain vanilla MPLS.
>
> Rubens

From asturluismi at gmail.com Mon Jul 7 05:16:10 2008
From: asturluismi at gmail.com (luismi)
Date: Mon, 07 Jul 2008 11:16:10 +0200
Subject: [c-nsp] Switch cluster with 2950 and 3750 stack
Message-ID: <1215422170.10856.8.camel@dsba-ipso>

Hi all,

I need to redesign a small network here.
It is working now with just a 2950 but I would like to improve the availability.

I have some doubts that will probably be answered in some place on the Internet but I didn't find that place yet.

The actual scenario is:
1 x 2950 connected to a 3750 stack

The future scenario I would like to have is:
2 x 2950 connected to a 3750 stack

Well, the reason to use 2950 is that we have several 2950 switches here and there is no reason to make a new investment since they are enough for our requirements, the load is also quite small.

I would like to do a cluster with the 2950 switches probably using some GigaStack GBICs.

The question is...
As soon as I create the cluster in the 2950 switches, is it possible to create a port-channel (one port from one 2950 and one port from the other 2950) against a port-channel at the 3750 stack side?

I hope someone in this list can answer that.

Thanks in advance.
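An added configuration sketch, not part of luismi's post or of any reply in the thread, showing the one EtherChannel form in this topology that does span two physical boxes: a cross-stack channel on the 3750 stack (one member port on each stack member) towards a single 2950, with LACP on both ends and the trunk pinned down so DTP cannot negotiate it. Hostnames, port numbers, channel-group numbers and the VLAN list are assumed for illustration.

```ios
! --- 3750 stack side (assumed hostname "core-stack"). One member port
! --- lives on stack member 1, the other on stack member 2, so the bundle
! --- survives the loss of either member. Cross-stack bundles need LACP
! --- (active/passive) or static "on"; PAgP cannot span stack members,
! --- and older 3750 images allowed only "on" for cross-stack channels.
interface Port-channel10
 description uplink to access-2950-a
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,148
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/25
 description access-2950-a Gi0/1 (stack member 1)
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,148
 switchport mode trunk
 switchport nonegotiate
 channel-group 10 mode active
!
interface GigabitEthernet2/0/25
 description access-2950-a Gi0/2 (stack member 2)
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,148
 switchport mode trunk
 switchport nonegotiate
 channel-group 10 mode active
!
! --- 2950 side (assumed hostname "access-2950-a"). Both member ports are
! --- on this one chassis. A second, separately managed 2950 cannot lend a
! --- port to this bundle: LACP only aggregates links whose partner reports
! --- the same system ID, and each 2950 advertises its own, so the stack
! --- would bundle the links from one box and leave the other's suspended.
interface Port-channel1
 description uplink to core-stack
 switchport mode trunk
 switchport trunk allowed vlan 10,20,148
 switchport nonegotiate
!
interface GigabitEthernet0/1
 description core-stack Gi1/0/25
 switchport mode trunk
 switchport trunk allowed vlan 10,20,148
 switchport nonegotiate
 channel-group 1 mode active
!
interface GigabitEthernet0/2
 description core-stack Gi2/0/25
 switchport mode trunk
 switchport trunk allowed vlan 10,20,148
 switchport nonegotiate
 channel-group 1 mode active
```

Two points worth keeping in mind when adapting this. First, a Cisco switch cluster (the `cluster` commands) is a management convenience, a single IP and console for up to 16 switches; it does not merge the members into one forwarding device, so it does not change the LACP system-ID problem described in the comments. Second, `switchport nonegotiate` together with an explicit `allowed vlan` list is the security-relevant part: it turns DTP off on the uplink and prunes the trunk, which removes the trunk-negotiation path for VLAN hopping from whatever ends up plugged into a spare port. Verify the bundle with `show etherchannel summary` (members should show `P`, not `s` suspended or `I` stand-alone) and `show lacp neighbor`, which prints the partner system ID each member learned. If the 2950's two GBIC slots are reserved for GigaStack, two FastEthernet ports on the same 2950 form the channel the same way; the 3750 ports will simply negotiate down to 100 Mbit.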
From ccie15385 at gmail.com Mon Jul 7 05:25:01 2008 From: ccie15385 at gmail.com (JH Cockburn) Date: Mon, 7 Jul 2008 11:25:01 +0200 Subject: [c-nsp] WS-X6748-SFP 7600 MPLS In-Reply-To: <953271.75056.qm@web44802.mail.sp1.yahoo.com> References: <953271.75056.qm@web44802.mail.sp1.yahoo.com> Message-ID: <000f01c8e013$57cb97a0$8604030a@africa.enterprise.root> Hi Mark, We have those (DFC-equipped) in our 7600's acting as P devices in our Datacenter and they work 100%. Is there anything special you want to do MPLS-wise? Cheers JC -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Tech Sent: Monday, July 07, 2008 11:15 AM Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] WS-X6748-SFP 7600 MPLS Hi Rubens, thanks for the response. Currently I have not got the cards yet so I cannot test myself. At the moment they are just plain cards with no extra DPC cards, which is the cause of my concerns.?I will be using RSP 720-3C which has integrated PFC's so I assume that will take care of MPLS? Mark ----- Original Message ---- From: Rubens Kuhl Jr. To: Mark Tech Cc: cisco-nsp at puck.nether.net Sent: Monday, July 7, 2008 9:57:29 AM Subject: Re: [c-nsp] WS-X6748-SFP 7600 MPLS You didn't mention if is a DFC-equipped WS-X6748-SFP or not, but I don't think it matters: the card doesn't have "service capabilities" and will fall-back to PFC-based MPLS, which might satisfy your requirements or not. No FlexWAN/OSM/ES20 services, just plain vanilla MPLS. Rubens On Mon, Jul 7, 2008 at 5:23 AM, Mark Tech wrote: > Hi > Can the WS-X6748-SFP support MPLS on a 7600 chassis? > Regards > Marl > > > > _______________________________________________ > cisco-nsp mailing list? 
cisco-nsp at puck..nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From pavel.skovajsa at gmail.com Mon Jul 7 05:35:34 2008 From: pavel.skovajsa at gmail.com (Pavel Skovajsa) Date: Mon, 7 Jul 2008 11:35:34 +0200 Subject: [c-nsp] Switch cluster with 2950 and 3750 stack In-Reply-To: <1215422170.10856.8.camel@dsba-ipso> References: <1215422170.10856.8.camel@dsba-ipso> Message-ID: <323aca890807070235kacf69d5l2f1e7d22673d840e@mail.gmail.com> Hi, no this is not possible. Etherchannel is always one logical device to another logical device. For example two 2950 to each other. Or stack of 3750 to one 2950 or stack of 3750 to stack of 3750 or the newest edge bleeding etherchannel setup (google up MEC) is: VSS 1440 (2x650x) to 2950 pavel On Mon, Jul 7, 2008 at 11:16 AM, luismi wrote: > Hi all, > > I need to redesign an smaill network here. > It is working with now with just a 2950 but I would like to improve the > availability. > > I have some dudes that they will be probably answered in some place in > Internet but I didn't find that place yet. > > The actual scenario is: > 1 x 2950 connected to a 3750 stack > > The future scensario I would like to have is: > 2 x 2950 connected to a 3750 stack > > Well, the reason to use 2950 is that we have several 2950 switches here > and there is no reason to make a new invesment since they are enough for > our requirements, they load is also quite small. > > I would like to do a cluster with the 2950 switches probably using some > GigaStack Gbics. > > The question is... 
> As soon as I create the cluster in the 2950 switches, is it possible to
> create a port-channel (one port from one 2950 and one port from the
> other 2950) against a port-channel at the 3750 stack side?
>
> I hope someone in this list can answer that.
>
> Thanks in advance.

From saku+cisco-nsp at ytti.fi Mon Jul 7 05:37:51 2008
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Mon, 7 Jul 2008 12:37:51 +0300
Subject: [c-nsp] Shared Support versus Smartnet
In-Reply-To: <6bb5f5b10807070147j3f101c67i9b9af6995dface0d@mail.gmail.com>
References: <6bb5f5b10807070147j3f101c67i9b9af6995dface0d@mail.gmail.com>
Message-ID: <20080707093750.GA30789@mx.ytti.net>

On (2008-07-07 05:47 -0300), Rubens Kuhl Jr. wrote:

> Yes, according to CCO docs. L1 and L2 are done by partner, TAC gets
> involved from L3 and above.

It's all what you agree in the contract. In my case with HP, we agreed that P1 and P2 could be opened directly to TAC and P3, P4 via HP. I almost exclusively open cases as P3, so HP was a mail bouncer for us; they could not offer us much added value, because all the cases require internal Cisco information, but as far as it went to tracking the cases and bouncing the emails I was satisfied. Had our cases been simpler ones, which would not require internal Cisco knowledge, I have no doubt the HP CCIEs could have helped me.

> > What about software updates - from Cisco or from the partner?
>
> Partner, according to CCO docs. I'll only know for sure in a few weeks
> when we renew our contracts.
>
> Cisco Shared Support looks very similar to the old PICA contracts;
> Cisco and partners insist they are different, but the more I look,
> the more I feel they are the same.
At least mine was PICA and all the agreed accesses to CCO were there, including rights to download software.

So bottom line, TAC cases took a slight delay because of the need for HP to bounce the email, but on the plus side, I could forget about the cases and HP did a good job of polling for updates on cases that were not moving. The CCO side was all that I needed; I couldn't differentiate it for my needs from a gold partner account. RMA stuff under HP was flawless (fast, easy).

Of course this is just one example, I'm sure there are tons of bad places to buy Cisco support from, tons of bad agreements signed etc. So all I can recommend is make sure the agreement guarantees that you get the minimum service you require to run things smoothly and that there is a financial penalty to the provider in case you don't get it.

--
++ytti

From techconfig at yahoo.com Mon Jul 7 05:58:33 2008
From: techconfig at yahoo.com (Mark Tech)
Date: Mon, 7 Jul 2008 02:58:33 -0700 (PDT)
Subject: [c-nsp] WS-X6748-SFP 7600 MPLS
Message-ID: <449636.76373.qm@web44811.mail.sp1.yahoo.com>

Hi,
I don't need anything special, I'm just wanting to make sure that I can label switch on these plain cards using RSP720's on a 7600 chassis as it's not clear in the Cisco docs that I've found. If not I'd like to know what extra cards would be required to accomplish this.

Cheers
Mark

----- Original Message ----
From: JH Cockburn
To: Mark Tech
Cc: cisco-nsp at puck.nether.net
Sent: Monday, July 7, 2008 10:25:01 AM
Subject: RE: [c-nsp] WS-X6748-SFP 7600 MPLS

Hi Mark,

We have those (DFC-equipped) in our 7600's acting as P devices in our Datacenter and they work 100%. Is there anything special you want to do MPLS-wise?

Cheers
JC
From ccie15385 at gmail.com Mon Jul 7 06:15:41 2008
From: ccie15385 at gmail.com (JH Cockburn)
Date: Mon, 7 Jul 2008 12:15:41 +0200
Subject: [c-nsp] WS-X6748-SFP 7600 MPLS
In-Reply-To: <449636.76373.qm@web44811.mail.sp1.yahoo.com>
References: <449636.76373.qm@web44811.mail.sp1.yahoo.com>
Message-ID: <000301c8e01a$6c11b350$8604030a@africa.enterprise.root>

Hi M,

Also make sure your IOS will support MPLS. The ip-base image will not, for instance.
Cheers

_____

From: Mark Tech [mailto:techconfig at yahoo.com]
Sent: Monday, July 07, 2008 11:59 AM
To: JH Cockburn
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] WS-X6748-SFP 7600 MPLS

Hi,
I don't need anything special, I'm just wanting to make sure that I can label switch on these plain cards using RSP720's on a 7600 chassis as it's not clear in the Cisco docs that I've found. If not I'd like to know what extra cards would be required to accomplish this.

Cheers
Mark
From mtinka at globaltransit.net Mon Jul 7 06:11:36 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Mon, 7 Jul 2008 18:11:36 +0800
Subject: [c-nsp] WS-X6748-SFP 7600 MPLS
In-Reply-To: <449636.76373.qm@web44811.mail.sp1.yahoo.com>
References: <449636.76373.qm@web44811.mail.sp1.yahoo.com>
Message-ID: <200807071811.37318.mtinka@globaltransit.net>

On Monday 07 July 2008 17:58:33 Mark Tech wrote:

> Hi, I don't need anything special, I'm just wanting to
> make sure that I can label switch on these plain cards
> using RSP720's on a 7600 chassis as it's not clear in the
> Cisco docs that I've found. If not I'd like to know what
> extra cards would be required to accomplish this. Cheers

As Rubens mentioned, MPLS on this platform is provided via the PFC.

You should be fine with an RSP720.

Cheers,

Mark.

From techconfig at yahoo.com Mon Jul 7 06:22:32 2008
From: techconfig at yahoo.com (Mark Tech)
Date: Mon, 7 Jul 2008 03:22:32 -0700 (PDT)
Subject: [c-nsp] WS-X6748-SFP 7600 MPLS
In-Reply-To: <000301c8e01a$6c11b350$8604030a@africa.enterprise.root>
Message-ID: <61156.67646.qm@web44804.mail.sp1.yahoo.com>

Hi all,
thanks for clearing that up for me.
BTW we will be running S764AIK9-12233SRC

Cheers
Mark

JH Cockburn wrote:

> Hi M,
>
> Also make sure your IOS will support MPLS; the ip-base image will not, for instance.
>
> Cheers
From asturluismi at gmail.com Mon Jul 7 07:23:40 2008
From: asturluismi at gmail.com (luismi)
Date: Mon, 07 Jul 2008 13:23:40 +0200
Subject: [c-nsp] Switch cluster with 2950 and 3750 stack
In-Reply-To: <323aca890807070235kacf69d5l2f1e7d22673d840e@mail.gmail.com>
References: <1215422170.10856.8.camel@dsba-ipso> <323aca890807070235kacf69d5l2f1e7d22673d840e@mail.gmail.com>
Message-ID: <1215429820.7241.0.camel@dsba-ipso>

Thanks for the fast answer!! :D

On Mon, 07-07-2008 at 11:35 +0200, Pavel Skovajsa wrote:
> Hi,
> no this is not possible. Etherchannel is always one logical device to
> another logical device.
>
> For example two 2950 to each other.
> Or stack of 3750 to one 2950
> or stack of 3750 to stack of 3750
> or the newest bleeding edge etherchannel setup (google up MEC) is: VSS
> 1440 (2x650x) to 2950
>
> pavel
From SPfister at dps.k12.oh.us Mon Jul 7 08:35:36 2008
From: SPfister at dps.k12.oh.us (Steven Pfister)
Date: Mon, 07 Jul 2008 08:35:36 -0400
Subject: [c-nsp] Question on 802.1q trunks and L2TPv3
Message-ID: <4871D558.9E6F.00B8.0@dps.k12.oh.us>

I've got a 3640 router that's connected to a 3550 switch. The trunking is set up as dynamic desirable, and I need to change it to be a dot1q trunk. I'm having a little trouble getting that done. I tried doing a:

switchport trunk encapsulation dot1q
switchport mode trunk

and the switch became unreachable. Do I need to add something like:

switchport trunk native vlan 77

?

Parts of the config are included below...

Thanks!
router
-------
interface FastEthernet0/0
 no ip address
 no ip redirects
 no ip proxy-arp
 ip pim sparse-mode
 ip route-cache flow
 speed 100
 full-duplex
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 10.77.0.1 255.255.0.0
 no snmp trap link-status
 no cdp enable
!
interface FastEthernet0/0.77
 encapsulation dot1Q 77
 no snmp trap link-status
 no cdp enable
 xconnect 192.168.7.1 77 pw-class pw-dynamic

Switch
--------
interface FastEthernet0/48
 switchport access vlan 77
 switchport mode dynamic desirable
 speed 100
 duplex full
 spanning-tree portfast
!
interface Vlan77
 ip address 10.77.0.10 255.255.0.0
!
ip default-gateway 10.77.0.1

Steve Pfister
Technical Coordinator,
The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402

Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

From maillist at webjogger.net Mon Jul 7 09:24:37 2008
From: maillist at webjogger.net (Adam Greene)
Date: Mon, 7 Jul 2008 09:24:37 -0400
Subject: [c-nsp] Question on 802.1q trunks and L2TPv3
References: <4871D558.9E6F.00B8.0@dps.k12.oh.us>
Message-ID: <010501c8e034$cdf5fa30$12140a0a@GINKGO>

Steven,

Right now you have 10.77.0.0/16 on vlan 1 on the router but on vlan 77 on the switch. If you want the switch to use an IP address from the 10.77.0.0/16 block, you have to include vlan 1 as the native vlan on the 3550, and put the 10.77.0.10 address on vlan 1 rather than vlan 77.

Thanks,
Adam

----- Original Message -----
From: "Steven Pfister"
To:
Sent: Monday, July 07, 2008 8:35 AM
Subject: [c-nsp] Question on 802.1q trunks and L2TPv3

> I've got a 3640 router that's connected to a 3550 switch. The trunking is
> set up as dynamic desirable, and I need to change it to be a dot1q trunk.
> I'm having a little trouble getting that done. I tried doing a:
>
> switchport trunk encapsulation dot1q
> switchport mode trunk
>
> and the switch became unreachable.
> Do I need to add something like:
>
> switchport trunk native vlan 77
>
> ?
>
> Parts of the config are included below...
>
> Thanks!
>
> router
> -------
> interface FastEthernet0/0
>  no ip address
>  no ip redirects
>  no ip proxy-arp
>  ip pim sparse-mode
>  ip route-cache flow
>  speed 100
>  full-duplex
> !
> interface FastEthernet0/0.1
>  encapsulation dot1Q 1 native
>  ip address 10.77.0.1 255.255.0.0
>  no snmp trap link-status
>  no cdp enable
> !
> interface FastEthernet0/0.77
>  encapsulation dot1Q 77
>  no snmp trap link-status
>  no cdp enable
>  xconnect 192.168.7.1 77 pw-class pw-dynamic
>
> Switch
> --------
> interface FastEthernet0/48
>  switchport access vlan 77
>  switchport mode dynamic desirable
>  speed 100
>  duplex full
>  spanning-tree portfast
> !
> interface Vlan77
>  ip address 10.77.0.10 255.255.0.0
> !
> ip default-gateway 10.77.0.1

From notrevebr at gmail.com Mon Jul 7 10:46:05 2008
From: notrevebr at gmail.com (Everton Diniz)
Date: Mon, 7 Jul 2008 11:46:05 -0300
Subject: [c-nsp] 2800 for VPN Server site-to-site and remote access
Message-ID: <3cf174360807070746k54cf4e4ag7f4097b7a9d053c8@mail.gmail.com>

Hi all,

Is it possible to use 2821 for vpn concentrator doing both site-to-site and remote access connections in only one interface?

I have 2 crypto maps, but the interface accepts only one.
crypto dynamic-map vpnmap 10
 set transform-set transfervpn
 reverse-route

crypto map L2L 11 ipsec-isakmp
 set peer 200.200.200.1
 set peer 200.200.201.1
 set transform-set L2L
 match address 120

interface GigabitEthernet0/0
 ip address 200.100.100.1 255.255.254.0
 duplex auto
 speed auto
 crypto map onsaescom
end

Anybody use the 2800 for this purpose?

Tks all.

From SPfister at dps.k12.oh.us Mon Jul 7 11:26:28 2008
From: SPfister at dps.k12.oh.us (Steven Pfister)
Date: Mon, 07 Jul 2008 11:26:28 -0400
Subject: [c-nsp] Question on 802.1q trunks and L2TPv3
In-Reply-To: <010501c8e034$cdf5fa30$12140a0a@GINKGO>
References: <4871D558.9E6F.00B8.0@dps.k12.oh.us> <010501c8e034$cdf5fa30$12140a0a@GINKGO>
Message-ID: <4871FD63.9E6F.00B8.0@dps.k12.oh.us>

Yes, I knew that was a problem, but wasn't sure which way to go. Is there any way to do this by changing the router instead? The 10.77.0.0/16 is supposed to be part of the 77 vlan. I'm hoping to be able to do this remotely (the site has limited access hours). The router is the nearer device and the switch is behind it (from the central site's point of view).

Thanks!

Steve Pfister
Technical Coordinator,
The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402

Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

>>> "Adam Greene" 7/7/2008 9:24 AM >>>
Steven,

Right now you have 10.77.0.0/16 on vlan 1 on the router but on vlan 77 on the switch. If you want the switch to use an IP address from the 10.77.0.0/16 block, you have to include vlan 1 as the native vlan on the 3550, and put the 10.77.0.10 address on vlan 1 rather than vlan 77.

Thanks,
Adam

From moua0100 at umn.edu Mon Jul 7 11:52:42 2008
From: moua0100 at umn.edu (Ge Moua)
Date: Mon, 7 Jul 2008 10:52:42 -0500
Subject: [c-nsp] 2800 for VPN Server site-to-site and remote access
In-Reply-To: <3cf174360807070746k54cf4e4ag7f4097b7a9d053c8@mail.gmail.com>
References: <3cf174360807070746k54cf4e4ag7f4097b7a9d053c8@mail.gmail.com>
Message-ID: <002301c8e049$7de5dd70$31dd5ea0@ad.umn.edu>

Yes, use subinterfaces:
interface GigabitEthernet0/0.1
interface GigabitEthernet0/0.2
interface GigabitEthernet0/0.3
++

Then attach a different crypto-map per sub-interface. We are doing this.

Regards,
Ge Moua | Email: moua0100 at umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Everton Diniz
Sent: Monday, July 07, 2008 9:46 AM
To: cisco-nsp
Subject: [c-nsp] 2800 for VPN Server site-to-site and remote access

Hi all,

Is it possible to use 2821 for vpn concentrator doing both site-to-site and remote access connections in only one interface?

I have 2 crypto maps, but the interface accepts only one.

crypto dynamic-map vpnmap 10
 set transform-set transfervpn
 reverse-route

crypto map L2L 11 ipsec-isakmp
 set peer 200.200.200.1
 set peer 200.200.201.1
 set transform-set L2L
 match address 120

interface GigabitEthernet0/0
 ip address 200.100.100.1 255.255.254.0
 duplex auto
 speed auto
 crypto map onsaescom
end

Anybody use the 2800 for this purpose?

Tks all.
From asturluismi at gmail.com Mon Jul 7 11:59:45 2008
From: asturluismi at gmail.com (luismi)
Date: Mon, 07 Jul 2008 17:59:45 +0200
Subject: [c-nsp] Off-Topic?: Powerswitches recommendation
Message-ID: <1215446385.7241.4.camel@dsba-ipso>

Hi all,

First of all, sorry for this message but I need some recommendations about powerswitch manufacturers.

I need a powerswitch (maybe more than one) for at least 16 switches and routers. I saw that MGE and APC are now working together. I also know about http://www.epowerswitch.at

I would like to hear about other manufacturers.

All comments are appreciated.

Thanks.

From kyled at noelcomm.com Mon Jul 7 12:42:48 2008
From: kyled at noelcomm.com (Kyle Duren)
Date: Mon, 7 Jul 2008 09:42:48 -0700
Subject: [c-nsp] cisco-nsp Digest, Vol 68, Issue 27
In-Reply-To:
Message-ID: <002c01c8e050$7dd7cf80$b71d0a0a@noelcomm.local>

I had good luck with this unit. It's a smaller company that makes them, but when we had a unit fail, the company did a good job making sure we had a new one asap! We used them to restart various network servers and switches.

http://www.digital-loggers.com/epcr2.html

-Kyle Duren

----------------------------------------------------------------------

Message: 1
Date: Mon, 07 Jul 2008 17:59:45 +0200
From: luismi
Subject: [c-nsp] Off-Topic?: Powerswitches recommendation
To: cisco-nsp at puck.nether.net
Message-ID: <1215446385.7241.4.camel at dsba-ipso>
Content-Type: text/plain

Hi all,

First of all, sorry for this message but I need some recommendations about powerswitch manufacturers.

I need a powerswitch (maybe more than one) for at least 16 switches and routers. I saw that MGE and APC are now working together. I also know about http://www.epowerswitch.at

I would like to hear about other manufacturers.
All comments are appreciated.

Thanks.

From ATolstykh at integrysgroup.com Mon Jul 7 13:55:45 2008
From: ATolstykh at integrysgroup.com (Tolstykh, Andrew)
Date: Mon, 07 Jul 2008 12:55:45 -0500
Subject: [c-nsp] 2800 for VPN Server site-to-site and remote access
In-Reply-To: <002301c8e049$7de5dd70$31dd5ea0@ad.umn.edu>
Message-ID:

Use multiple statements within a single crypto map configuration:

crypto map iosvpn 5 ipsec-isakmp
 set peer X.X.X.X
 set security-association lifetime seconds 28800
 set transform-set aes-sha
 match address vpn_XXXgard5
 reverse-route
crypto map iosvpn 15 ipsec-isakmp
 set peer X.X.X.X
 set security-association lifetime seconds 28800
 set transform-set aes-sha
 match address vpn_XXXgard15
 reverse-route
crypto map iosvpn 25 ipsec-isakmp
 set peer X.X.X.X
 set security-association lifetime seconds 28800
 set transform-set aes-sha
 match address vpn_XXXgard25
 reverse-route
crypto map iosvpn 35 ipsec-isakmp
 set peer X.X.X.X
 set security-association lifetime seconds 28800
 set transform-set aes-sha
 match address vpn_XXXgard35
 reverse-route
crypto map iosvpn 100 ipsec-isakmp dynamic dyn

On 7/7/08 10:52 AM, "Ge Moua" wrote:

> Yes, use subinterfaces:
> interface GigabitEthernet0/0.1
> interface GigabitEthernet0/0.2
> interface GigabitEthernet0/0.3
> ++
>
> Then attach a different crypto-map per sub-interface. We are doing this.
>
> Regards,
> Ge Moua | Email: moua0100 at umn.edu
>
> Network Design Engineer
> University of Minnesota | Networking & Telecommunications Services
The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer.

From justin at justinshore.com Mon Jul 7 14:52:47 2008
From: justin at justinshore.com (Justin Shore)
Date: Mon, 07 Jul 2008 13:52:47 -0500
Subject: [c-nsp] Off-Topic?: Powerswitches recommendation
In-Reply-To: <1215446385.7241.4.camel@dsba-ipso>
References: <1215446385.7241.4.camel@dsba-ipso>
Message-ID: <487265FF.6060007@justinshore.com>

luismi wrote:
> Hi all,
>
> First of all, sorry for this message but I need some recommendations
> about powerswitch manufacturers.

We have some Emerson in our data center but I've never actually got my hands on them. I believe they have a common management front-end that can manage all the strips at once.
Justin

From notrevebr at gmail.com Mon Jul 7 15:08:35 2008
From: notrevebr at gmail.com (Everton Diniz)
Date: Mon, 7 Jul 2008 16:08:35 -0300
Subject: [c-nsp] 2800 for VPN Server site-to-site and remote access
In-Reply-To:
References: <002301c8e049$7de5dd70$31dd5ea0@ad.umn.edu>
Message-ID: <3cf174360807071208w20d8c627s98e0137f52146c8e@mail.gmail.com>

Andrew,

Great!!! Tks for good information.

On 7/7/08, Tolstykh, Andrew wrote:
> Use multiple statements within a single crypto map configuration:
>
> crypto map iosvpn 5 ipsec-isakmp
>  set peer X.X.X.X
>  set security-association lifetime seconds 28800
>  set transform-set aes-sha
>  match address vpn_XXXgard5
>  reverse-route
> crypto map iosvpn 15 ipsec-isakmp
>  set peer X.X.X.X
>  set security-association lifetime seconds 28800
>  set transform-set aes-sha
>  match address vpn_XXXgard15
>  reverse-route
> crypto map iosvpn 25 ipsec-isakmp
>  set peer X.X.X.X
>  set security-association lifetime seconds 28800
>  set transform-set aes-sha
>  match address vpn_XXXgard25
>  reverse-route
> crypto map iosvpn 35 ipsec-isakmp
>  set peer X.X.X.X
>  set security-association lifetime seconds 28800
>  set transform-set aes-sha
>  match address vpn_XXXgard35
>  reverse-route
> crypto map iosvpn 100 ipsec-isakmp dynamic dyn
> > If you received this in error, please contact the sender and delete the material from any computer.

From bennetb at gmail.com Mon Jul 7 16:17:55 2008
From: bennetb at gmail.com (Brandon Bennett)
Date: Mon, 7 Jul 2008 14:17:55 -0600
Subject: [c-nsp] Telnet FROM a PIX Appliance?
In-Reply-To:
References:
Message-ID:

> > I have, actually. With a lot of VPN tunnels terminated on a PIX 506.
> > Not that I blame the PIX though, as I had been telling the customer
> > almost a year earlier that they would need a 515.

And running a production webserver on a 486-DX2 is also not a good idea. I don't see your point here.

> > I was not aware of any Sun NAT implementation at that time period. If
> > there was, what was it? Checkpoint did run on Solaris, I admined one of
> > those as a matter of fact, but it was not NAT. And it was annoying.
>
> > As for the NTI being better than BSD, that's just your opinion.

Well, the point that Brantley Coile made is that he could not get the performance he wanted using traditional IP stacks on those platforms. Not so much my opinion, but his.

> > Please point out any "bake-off's" comparisons that were done at
> > that time.

Pointless and a waste of time. If you want to argue PIX popularity 13 years ago, be my guest. I will not be subject to it however.

> > Most people didn't know what NAT was. I never had
> > problems with the FreeBSD implementation of NAT and in fact, doing
> > it this way supported some applications that the Cisco IOS NAT didn't
> > (at the beginning) like PPTP client VPNs initiated from behind. And
> > Netmeeting H.323 since you could also run a NM proxy on the system,
> > if you recall that was pretty common in the NT days for remote control
> > since it was free.

Again off-topic and pointless. NAT didn't just one day get deployed on nearly every enterprise network overnight. It started somewhere; the applications that ran over them don't matter.
> > I never used the NTI stuff at that time so I don't have an opinion
> > on which was better, but I'll bet money you never used the FreeBSD
> > NAT patches either, so I'll put your "fact of the matter is"
> > statement down to youthful eagerness and leave it at that. ;-)

I was arguing a technical point. My grammar and choice of words may have been poor. I apologize.

> > If a PIX is so easy to set up and maintain then I would have not
> > had quite a lot of work over the years in administering them for
> > people.

It was a lot easier in 1995/1996 to unbox a PIX and enter in some commands to set up NAT than it was to apply a patch and compile a new FreeBSD kernel and userland utilities. Nowadays this just comes down to a matter of preference.

> > I will say that the PIX command line is no worse to set up and
> > admin than IOS - once you know all of the idiosyncrasies of the
> > PIXos - but that's no different than the idiosyncrasies of IOS.
> > I do find the PIX GUI to be a big piece of crap, though.

There is at least something we agree on :)

> > But, the assertion that it's easy to set up is only the case when
> > you're talking about real network admins. For the general public,
> > that is frankly absurd. What is easy to set up is a Linksys RV042.
> > (which will VPN into a PIX quite nicely, although you have to turn
> > off stateful packet inspection on it if you're running Vista, per
> > http://support.microsoft.com/kb/934430/en-us )

Both of which are products of the 21st century. I think you either really misinterpreted my point or you are just grasping for anything.

> ---- clip----------
> a bunch of crap of acquisitions
> --- clip-----------

Who cares.

> > If Cisco hadn't maintained the PIX product line for as long
> > as they did, I would agree that Cisco just bought NTI because
> > they wanted its technology. But you are missing the obvious
> > here. You're saying the ASA is a PIX, meaning Cisco isn't killing
> > the PIX after all. If so, why?
> > I'll tell you, it's because
> > there's a customer base out there that is large! It is NOT
> > because it's better or worse to do the same thing that the
> > PIX does on an IOS router, it's because this large customer
> > base THINKS it's better to do the stuff the PIX does on a
> > standalone box that isn't a router. The baby wants his
> > bottle and Cisco isn't going to take it away. Simple as that.

Interesting standpoint. I view it more as a customer choice. There are some things I find easier on a PIX (troubleshooting, captures, packet-tracer) and there are some things I find much better on IOS (LAN to LAN IPsec), and they are both very capable products. If you want to push your customers onto IOS firewalls, knock yourself out. I don't think anyone can argue that point.

> > If it only has slight modifications then it's definitely not
> > next-generation. Make up your mind, please! :-)

Oh jesus christ. If your only argument on why you think the ASA is not a PIX is some grammatical semantics on my part then you have bigger problems.

> The reason -I- think the ASA is worse is because the ASA just
> perpetuates the nonsense that a router can't be a firewall.
> Sure it can, it just depends on what firmware is running on it.
> Cisco missed the boat here to educate the customer base. I
> am just thankful Cisco jacked up the price so I can educate
> my customers without them just hearing "mo money mo money
> mo money mo money".
>
> > Don't you mean ASA5510-SEC-BUN-K9 with the 2GE ports?
> > How you going to get 300mbt through 2 FE ports?

Gigabit interfaces are not available on the 515. Why is that a fair comparison?

> > And where does Cisco get off charging an extra $3K for 50 miserable SSL VPN
> > licenses?

The same license is required on IOS to support the same functionality.

> > The SSL protocol is OPEN for God's sake.

They aren't charging for the SSL protocol, they are charging for all the additional features that come with it. Do you even understand what the SSL VPN product is?
It provides proxied connections for HTTP, Citrix, RDP, Exchange, in addition to almost any application you throw at it. In addition it creates a full tunnel through TLS and TLS over UDP. All of which are not defined in the SSL standard!

> > Oh I get it, REMOVE support for PPTP VPNs (ie: out of the box Microsoft VPN client that's
> > FREE) and replace it with SSL VPN client that -costs money- Yeah, give
> > me more, baby. Harder, Harder!

IPsec license is still free. L2TP over IPsec is still free and works with Microsoft out of the box (and is secure!). PPTP was removed because it is not a secure protocol!

> > And, I forgot about AIP, what is that, $7K a year for a subscription?
> > So if you don't pay the $7K a year, then when the latest AIM comes out
> > that is written to get around the current inspection and is wasting your
> > employees' productivity in spades, you have to buy a new ASA. Great one,
> > that!!

Say what? There are cheaper Smartnet contracts out there. Do some research.

> The point was rather a comparison between IOS-based router and
> PIX or ASA, not between PIX and ASA.
>
> > In any case, how many companies have 300Mbit Internet connections?
> > How many companies have 190Mbit Internet connections? And how exactly
> > do you get 190Mbts through a 515 which only had 2 10/100Mbt interfaces
> > on it? ;-) These are BigCo comparisons you're talking, and frankly,
> > BigCo's buy what they do because of their previously established
> > vendor relationships, they are not switching to ASA's because they
> > care about the price.

I said nothing about companies or the reason to buy ASA. It was merely comparing the price of two similar firewalls. You fabricated the rest. Yes, when buying a firewall, or any gear for that matter, you must take a lot into consideration. No one is arguing that.

> > And most BigCo's buy direct from Cisco anyhow, so the list prices are pure fiction.

They still get a discount off of list on most gear.
So list prices are a good comparison standpoint. Now I can't say take the list prices from Juniper and compare them to Cisco as I get different discounts from each company, but to compare Cisco to Cisco it is 100% valid.

> A much more realistic comparison with product that's sold to
> people who actually do care about the price is:
>
> > PIX-506E-BUN-K9 @ $1,395 vs ASA5505-UL-BUN-K9 @ $995. So yes,
> > on the surface it LOOKS like a better deal - until you have to bend
> > over and take it in the shorts for that insane SSL VPN license. Oh,
> > and of course, with the 5505, you're screwed there since 50 SSL users
> > is the licensed limit, you have to go to the 5510 for more. The old 506E
> > had no restriction on number of VPN clients.

A PIX cannot support SSL VPN. SSL VPN is an additional feature available (via a license) on the ASA platform. ASA still includes free IPsec VPN client termination (and LAN to LAN). Yes, there is a hard limit on the number of _IPsec_ clients on the ASA platform which some have complained about, but you shouldn't be terminating that many clients on a PIX 506 in the first place. It has no hardware crypto!

> > CISCO1841-SEC/K9 1841 Security Bundle, Advanced Security, 64FL/256DR
> > $2495
>
> > ASA5505-SSL-10-K9 ASA 5505 VPN Edition w/ 10 SSL Users, 50FW Users,
> > 3DES/AES
> > $2095
>
> > Let's see, with the former I can use all of my free Microsoft VPN clients,
> > PPTP, L2TP, whatever I want, as many as I want. I can put in as many
> > server to server VPNs as I want. I can drop in a T1 card if needed. I
> > can have as much stuff as I want behind it.
> > With the ASA I can have a max 10 SSL users, or I have to switch all my
> > Microsoft VPN clients over to L2TP. I'm limited to 50 users.

Yes, and those are some valid points of why you should use an IOS based router as a firewall. These reasons are definitely more apparent in SMB situations. Where you have separate hardware in a corporate environment most of this is moot.

As far as PPTP goes, dude, it's 2008!
PPTP has not only proven to be insecure but it also doesn't work through PAT as it requires a GRE tunnel (GRE doesn't have port numbers). It's like saying I should run my network with RIPv2 because my routers support it. Sure it's there, that doesn't mean you should use it.

PIX forces a certain level of security onto the users. I cannot enable telnet on the outside interface, for example. Argue this point if you must, but I don't see it as a bad thing. You can set up an IOS based PPTP server for termination while you migrate your users to another platform.

As far as SSL VPN licenses go, Cisco is currently the cheapest per SSL VPN user in the industry. Seems to me that's not bad. If that's still too expensive for you, use IPsec, L2TP over IPsec, or an open source solution like OpenVPN.

> > And on top of that IOS has had IPv6 for years, the ASA just finally
> > got a working implementation with version 8.0.3 or so I read. (I
> > don't really know, maybe it still doesn't work right)

According to Feature Navigator, IPv6 IOS Firewall was added in IOS 12.3T; although ahead of the curve compared to the ASA, 12.3T is also ED code and shouldn't be used.

> > I never said CURRENT code was Win 3.1 based, I said I had heard that the
> > original PIX code from pre-Cisco days was Win 3.1 based.
> > Surely you remember that Win 3.1 will run in real
> > mode, without the GUI, by just putting command.com as the last statement
> > in the winstart.bat file. Win 3.0, don't forget,
> > would run on an XT, in real mode, with a GUI. Back in
> > those days a lot of people who wrote embedded stuff would
> > use DOS or a stripped Windows merely as a program loader,
> > so it didn't seem that farfetched to me when I heard it.

Seriously?!? I don't even know what to say to that....

> In the end it's your network. That was the point.
From jason.plank at comcast.net Mon Jul 7 16:29:14 2008
From: jason.plank at comcast.net (jason.plank at comcast.net)
Date: Mon, 07 Jul 2008 20:29:14 +0000
Subject: [c-nsp] Telnet FROM a PIX Appliance?
Message-ID: <070720082029.13813.48727C99000E949B000035F5220073483005020E049FD202019C0E06@comcast.net>

Brandon,

Much respect.

--
Regards,
Jason Plank
CCIE #16560
e: jason.plank at comcast.net

From nic.passmore at gmail.com Mon Jul 7 20:14:13 2008
From: nic.passmore at gmail.com (Nic Passmore)
Date: Tue, 8 Jul 2008 10:14:13 +1000
Subject: [c-nsp] 2800 for VPN Server site-to-site and remote
Message-ID: <3d794efd0807071714m78222c0di576fabda817f134e@mail.gmail.com>

Am having a similar problem here. I find when I apply the dynamic map at the end of the crypto map that is applied to the interface, the existing site to site tunnels do not come up.

Haven't had a chance to do any actual diagnostics yet this morning, but was under the impression it might have something to do with the following configuration line:

crypto map somemap client configuration address respond

Anyone have any tips?

Cheers,

Nic.
From tvarriale at comcast.net Mon Jul 7 20:53:02 2008
From: tvarriale at comcast.net (Tony Varriale)
Date: Mon, 7 Jul 2008 19:53:02 -0500
Subject: [c-nsp] Telnet FROM a PIX Appliance?
References:
Message-ID: <000a01c8e094$fa901f70$f211a8c0@flamwsugsmul5v>

----- Original Message -----
From: "Ted Mittelstaedt"
To: "Tony Varriale"
Cc:
Sent: Monday, July 07, 2008 3:09 AM
Subject: RE: [c-nsp] Telnet FROM a PIX Appliance?

>> -----Original Message-----
>> From: Tony Varriale [mailto:tvarriale at comcast.net]
>> Sent: Sunday, July 06, 2008 7:50 PM
>> To: Ted Mittelstaedt
>> Cc: cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?
>>
>> It's fairly well known by people that have been fortunate to have been around
>> Cisco that long and/or that know a little PIXen history that the OS was
>> called Finesse.
>>
>> It was a custom built OS and AFAIK has had no stage performances in any
>> other devices.
>
> Well, actually
>
> Cisco's LocalDirector, the "industry's first load balancer"

In the context of our discussion, the stage perf was meant as outside of NTI/Cisco. So, I should have clarified (since I've had the pleasure of working on those devices).

>> But, don't take my word for it. I'm sure the NTI guys are still
>> around out west somewhere.
>
> Once the actual OS name was supplied, digging up information
> about it proved simple:
>
> http://www.linkedin.com/in/brantleycoile

Well, the OS name wasn't Windows.

>> I think your Windows similarity stretch is incredibly creepy. I
>> feel like I'm getting hoaxed into a pyramid scheme for some reason.
>
> :-) Cisco Corp. is a pyramid scheme. ;-)

I was suggesting that when I've been approached by people with schemes to sell, your Windows pitch sounded very familiar. Just because the sun shines in the USA and Antarctica, doesn't mean the continents are connected.

tv

From mustafa.golam at gmail.com Mon Jul 7 22:10:05 2008
From: mustafa.golam at gmail.com (Mustafa Golam -)
Date: Tue, 8 Jul 2008 08:10:05 +0600
Subject: [c-nsp] SPAN issue Between Extreme and Cisco (3560 G) Switch
Message-ID:

Hi group,

We are having an unusual problem with a 3560 G switch for SPAN.

Our scenario:

[ASCII topology diagram: an Extreme switch, port 3:39, linked to a Cisco 3560 G; on the Cisco, fa1/1 is the monitored port and fa1/2 is the monitor port]

We are trying to SPAN the Cisco 3560 switch with the Extreme switch. For the above scenario, we want to monitor the traffic of port 3:39 of the Extreme switch through the Cisco switch. The same configuration worked with Cisco 2950 and 4506 switches. Is there any caveat detail in the 3560 G that we are missing?
We are using the advanced-services IOS for the 3560G.

Relevant configuration at Cisco 3560:
monitor session 1 source interface fastethernet1/1
monitor session 1 destination interface fastethernet1/2
system mtu 1998
system mtu jumbo 9000
system mtu routing 1998

Relevant configuration at Extreme end:
=====================================
enable mirroring to port 3:39
configure jumbo-frame-size size 1784
enable jumbo-frame ports all
configure mirroring add vlan VLAN_B

Relevant HW information of Extreme Switch:
==========================================
SWITCH_SS02.1 # sh version
Chassis   : 800128-00-03 07075-00248 Rev 3.0
Slot-1    : 800093-00-03 06415-01441 Rev 3.0 BootROM: 1.0.1.11 IMG: 11.6.2.9
Slot-2    : 800093-00-04 06415-01418 Rev 4.0 BootROM: 1.0.1.11 IMG: 11.6.2.9
Slot-3    : 800093-00-04 06415-01482 Rev 4.0 BootROM: 1.0.1.11 IMG: 11.6.2.9
Slot-4    :
Slot-5    : 800181-00-03 06395-00381 Rev 3.0 BootROM: 1.0.1.11 IMG: 11.6.2.9
Slot-6    :
Slot-7    :
Slot-8    :
Slot-9    :
Slot-10   : 800095-00-02 06345-02449 Rev 2.0 BootROM: 1.0.1.11 IMG: 11.6.2.9
MSM-A     : 800181-00-03 06395-00381 Rev 3.0 BootROM: 1.0.1.11 IMG: 11.6.2.9
MSM-B     :
PSUCTRL-1 : 450105-00-01 06525-00883 Rev 1.0 BootROM: 2.13
PSUCTRL-2 : 450105-00-01 06525-00903 Rev 1.0 BootROM: 2.13
Image     : ExtremeXOS version 11.6.2.9 v1162b9 by release-manager on Tue Mar 6 13:23:03 PST 2007
BootROM   : 1.0.1.11

If you need any more information, please let me know!!

Thanks in advance!!

--
Mustafa Golam
Fedora Ambassador, Bangladesh
RHCE, CC{D,I,N,V..}P, CCIE(..)
http://fedoraproject.org/wiki/MustafaGolam
http://mustafa.golam.googlepages.com/home
"Winners never quit------Quitters never win"

From ltd at cisco.com Mon Jul 7 22:18:01 2008
From: ltd at cisco.com (Lincoln Dale)
Date: Tue, 08 Jul 2008 12:18:01 +1000
Subject: [c-nsp] SPAN issue Between Extreme and Cisco (3560 G) Switch
In-Reply-To:
References:
Message-ID: <4872CE59.4020505@cisco.com>

Mustafa Golam - wrote:
> We are having unusual problem with 3560 G switch for SPAN.
> Our scenario:

you didn't actually say what the problem is that you're having....

cheers,

lincoln.

From ATolstykh at integrysgroup.com Tue Jul 8 01:52:05 2008
From: ATolstykh at integrysgroup.com (Tolstykh, Andrew)
Date: Tue, 08 Jul 2008 00:52:05 -0500
Subject: [c-nsp] 2800 for VPN Server site-to-site and remote
In-Reply-To: <3d794efd0807071714m78222c0di576fabda817f134e@mail.gmail.com>
Message-ID:

Add no-xauth for all defined isakmp pre-shared keys.

On 7/7/08 7:14 PM, "Nic Passmore" wrote:
> Am having a similar problem here. I find when I apply the dynamic map at
> the end of the crypto map that is applied to the interface, the existing
> site to site tunnels do not come up.
>
> Haven't had a chance to do any actual diagnostics yet this morning, but was
> under the impression it might have something to do with the following
> configuration line:
>
> crypto map somemap client configuration address respond
>
> Anyone have any tips?
>
> Cheers,
>
> Nic.
From golam.mustafa at grameenphone.com Tue Jul 8 02:59:02 2008
From: golam.mustafa at grameenphone.com (Golam Md.
Mustafa Bhuyan CN Networks)
Date: Tue, 8 Jul 2008 12:59:02 +0600
Subject: [c-nsp] SPAN issue Between Extreme and Cisco (3560 G) Switch
In-Reply-To: <4873068E.5070207@cisco.com>

Hi Lincoln,

Sorry for my BAD _English_!! Refer to my previous email:

The problem is: we are not able to monitor Extreme switches' Port traffic from Cisco 3560 G; even though we can monitor/analyze it from 2950/4506 with same configuration at Extreme switch and similar configuration at Cisco End!!

My asking is: is there any minor detail that we are missing, in SPAN [Switched Port Analyzer] for 3560 G?

Does it make sense now?

N.B.:
1. We have opened a Level 3 severity TAC request, and expecting formal reply from cisco.
2. We have read http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.1_19_ea1/configuration/guide/swspan.html and more!

Thanking You,

Mustafa Golam
System Engineer
CNPN, GrameenPhone Ltd.

> -----Original Message-----
> From: Lincoln Dale [mailto:ltd at cisco.com]
> Sent: Tuesday, July 08, 2008 12:18 PM
> To: Golam Md. Mustafa Bhuyan CN Networks
> Subject: Re: [c-nsp] SPAN issue Between Extreme and Cisco (3560 G) Switch
>
> you still haven't said what the _problem_ is.
>
>
> Golam Md. Mustafa Bhuyan CN Networks wrote:
> > Hi Lincoln,
> > Thanks for your reply.
> >
> > Our goal is to monitor network traffic of port 3:39 of extreme
> > Switch from CISCO 3560 G Switch.
> >
> > The problem is: we can monitor traffic of extreme switch port
> > from CISCO 4506/2950 switch with similar physical topology.
> >
> > Relevant URLs:
> >

From ltd at cisco.com Tue Jul 8 03:42:14 2008
From: ltd at cisco.com (Lincoln Dale)
Date: Tue, 08 Jul 2008 17:42:14 +1000
Subject: [c-nsp] SPAN issue Between Extreme and Cisco (3560 G) Switch
Message-ID: <48731A56.1000602@cisco.com>

Hi,

> N.B.: 1.
We have opened a Level 3 severity TAC request, and expecting formal reply from cisco.

i'm not TAC & don't take what i say as a "formal" reply. TAC will presumably also be getting back to you.

> The problem is: we are not able to monitor Extreme switches'
> Port traffic from Cisco 3560 G; even though we can monitor/analyze
> it from 2950/4506 with same configuration at Extreme switch and
> similar configuration at Cisco End!!
>
> My asking is: is there any minor detail that we are missing, in SPAN
> [Switched Port Analyzer] for 3560 G?
>

there are a few things that i can think might be a possible cause:

1. per http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.1_19_ea1/configuration/guide/swspan.html
   make sure the destination SPAN port doesn't belong in a SPAN source VLAN.
   it isn't clear if you're running a .1q trunk between the switches or if the source is an 'access' port.

2. you've explicitly configured some jumbo frames on both switches. are you attempting to SPAN frames >1524 bytes on a 10/100 interface?

cheers,

lincoln.

From golam.mustafa at grameenphone.com Tue Jul 8 04:14:59 2008
From: golam.mustafa at grameenphone.com (Golam Md. Mustafa Bhuyan CN Networks)
Date: Tue, 8 Jul 2008 14:14:59 +0600
Subject: [c-nsp] SPAN issue Between Extreme and Cisco (3560 G) Switch
In-Reply-To: <48731A56.1000602@cisco.com>

> i'm not TAC & don't take what i say as a "formal" reply. TAC will
> presumably also be getting back to you.

I understand and I appreciate your helping mind:)

> there are a few things that i can think might be a possible cause:
>
> 1. per
> http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.1_19_ea1/configuration/guide/swspan.html
> make sure the destination SPAN port doesn't belong in a SPAN source VLAN.

It might be what we were missing. We will share our feedback, as we did not put source and destination ports in different VLAN.
> it isn't clear if you're running a .1q trunk between the switches or if
> the source is an 'access' port.
>

We have configured dot1q trunk link

> 2. you've explicitly configured some jumbo frames on both switches. are
> you attempting to SPAN frames >1524 bytes on a 10/100 interface?
>

Yes, But it's Gigabit port.

>
> cheers,
>
> lincoln.

Cheers,
Mustafa

From ibrahim.abozaid at gmail.com Tue Jul 8 04:15:40 2008
From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid)
Date: Tue, 8 Jul 2008 11:15:40 +0300
Subject: [c-nsp] Frame-relay broadcast queue

Dear All

i was reading about the Frame-relay broadcast queue, which reserves by default 25% of PVC CIR and takes precedence over normal traffic as it queues routing updates; by default, 25% of interface bandwidth is reserved for control traffic. Is this reserved bandwidth the broadcast queue?

your comments are highly appreciated.

best regards
--Ibrahim

From golam.mustafa at grameenphone.com Tue Jul 8 04:30:38 2008
From: golam.mustafa at grameenphone.com (Golam Md. Mustafa Bhuyan CN Networks)
Date: Tue, 8 Jul 2008 14:30:38 +0600
Subject: [c-nsp] SPAN issue Between Extreme and Cisco (3560 G) Switch

> -----Original Message-----
> From: Golam Md. Mustafa Bhuyan CN Networks
> Sent: Tuesday, July 08, 2008 2:15 PM
> To: 'Lincoln Dale'
> Cc: cisco-nsp at puck.nether.net; mustafa.golam at gmail.com
> Subject: RE: [c-nsp] SPAN issue Between Extreme and Cisco (3560 G) Switch
>
> > 1. per
> > http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.1_19_ea1/configuration/guide/swspan.html
> > make sure the destination SPAN port doesn't belong in a SPAN source VLAN.

Hi Lincoln,

We put source and destination in different Vlan and configured accordingly. But it did not work.

Thanks for your reply.
Mustafa

From pavel.skovajsa at gmail.com Tue Jul 8 05:15:58 2008
From: pavel.skovajsa at gmail.com (Pavel Skovajsa)
Date: Tue, 8 Jul 2008 11:15:58 +0200
Subject: [c-nsp] C6509-E air flow
Message-ID: <323aca890807080215j76d9a30fpd2345f1e5ca271de@mail.gmail.com>

Hello,

we have a C6509-E with interesting temperature issue. The EARL chip on module 1 detects temperature over 65C and the whole module shuts down. We have swapped the chassis, fan, module and sup and still have the same issue. The interesting part is when we moved the card in module 1 into module 2 - no temperature issue.

From this I deduce that we have some kind of air flow issues, as module 1 has worse air flow than module 2. Does somebody have some nice doc that describes the C6509-E air flow? Or maybe a recommendation about the room air conditioning, or air flow in the room.

Thanks,
Pavel

From zivl at gilat.net Tue Jul 8 09:02:11 2008
From: zivl at gilat.net (Ziv Leyes)
Date: Tue, 8 Jul 2008 16:02:11 +0300
Subject: [c-nsp] Funny bug?

Hi,
I have a Catalyst 2950 where I've found what seems to be a typo bug, I guess...
The Switch is IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(13)EA1, RELEASE SOFTWARE (fc1)
Here's a banal output of the show interface command, now you try and find what I mean...
(I swear that's what I've got, didn't touch it!)
FastEthernet0/20 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 000c.ce6d.35d4 (bia 000c.ce6d.35d4)
  MTU 1500 bytes, BW 100000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s
  input flow-control is off, output flow-control is off
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue :0/40 (size/max)
  30 second input rate 0 bits/sec, 0 packets/sec
  30 second ouxtput rate 0 bits/sec, 0 packets/sec
     47049228 packets input, 390118490 bytes, 0 no buffer
     Received 20 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     224115988 packets output, 1355337530 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

Ziv

************************************************************************************
This footnote confirms that this email message has been scanned by
PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************

From pk at nodex.ru Tue Jul 8 09:27:26 2008
From: pk at nodex.ru (Pavel Kuzin)
Date: Tue, 8 Jul 2008 17:27:26 +0400
Subject: [c-nsp] Funny bug?
Message-ID: <03ec01c8e0fe$5d55d3c0$a401a8c0@mainoffice.nodex.ru>

You mean
30 second ouxtput rate 0 bits/sec, 0 packets/sec
           ^^
?

--
Pavel D.Kuzin
Nodex LTD.

----- Original Message -----
From: "Ziv Leyes"
Sent: Tuesday, July 08, 2008 5:02 PM
Subject: [c-nsp] Funny bug?
From zivl at gilat.net Tue Jul 8 09:30:41 2008
From: zivl at gilat.net (Ziv Leyes)
Date: Tue, 8 Jul 2008 16:30:41 +0300
Subject: [c-nsp] Funny bug?
In-Reply-To: <03ec01c8e0fe$5d55d3c0$a401a8c0@mainoffice.nodex.ru>
References: <03ec01c8e0fe$5d55d3c0$a401a8c0@mainoffice.nodex.ru>

Yep!

-----Original Message-----
From: Pavel Kuzin [mailto:pk at nodex.ru]
Sent: Tuesday, July 08, 2008 4:27 PM
To: Ziv Leyes; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Funny bug?

You mean
30 second ouxtput rate 0 bits/sec, 0 packets/sec
           ^^
?

--
Pavel D.Kuzin
Nodex LTD.
From rbeckett at cisco.com Tue Jul 8 09:39:46 2008
From: rbeckett at cisco.com (Robert Beckett)
Date: Tue, 8 Jul 2008 06:39:46 -0700 (PDT)
Subject: [c-nsp] Funny bug?

You actually have two bugs here:

for the "Output queue :0/40"
CSCdx72484 show interface has an inconsistent format in Output queue display

for the "ouxtput"
CSCdz44280 5 minute output/input rate does not display correctly on port-channel

On Tue, 8 Jul 2008, Ziv Leyes wrote:

> Hi,
> I have a Catalyst 2950 where I've found what seems to be a typo bug, I guess...
> The Switch is IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(13)EA1, RELEASE SOFTWARE (fc1)
> Here's a banal output of the show interface command, now you try and find what I mean...
> (I swear that's what I've got, didn't touch it!)

rtb /* e ni kaita mochi wa kuenu */

From streiner at cluebyfour.org Tue Jul 8 09:42:34 2008
From: streiner at cluebyfour.org (Justin M.
Streiner)
Date: Tue, 8 Jul 2008 09:42:34 -0400 (EDT)
Subject: [c-nsp] C6509-E air flow
In-Reply-To: <323aca890807080215j76d9a30fpd2345f1e5ca271de@mail.gmail.com>
References: <323aca890807080215j76d9a30fpd2345f1e5ca271de@mail.gmail.com>

On Tue, 8 Jul 2008, Pavel Skovajsa wrote:

> we have a C6509-E with interesting temperature issue. The EARL chip on
> module 1 detects temperature over 65C and the whole module shuts down.
> We have swapped the chassis, fan, module and sup and still have the
> same issue. The interesting part is when we moved the card in module 1
> into module 2 - no temperature issue.
> From this I deduce that we have some kind of air flow issues, as
> module 1 has worse air flow than module 2. Does somebody have some
> nice doc that describes the C6509-E air flow? Or maybe a recommendation
> about the room air conditioning, or air flow in the room.

The 6509-E has right-to-left airflow like the non-E version. Make sure nothing is blocking the intake vents on the right side of the chassis and that nothing in the cabinet/rack to the right (if there is one) is exhausting hot air toward the 6509-E.

I have several 6509s (E and non-E) in production and have had no temperature issues with them, aside from one that was located in a dirty area and the intake vents got fouled. Once the obstruction was cleared, the temperature alarms went away.

jms

From djweis at internetsolver.com Tue Jul 8 09:33:18 2008
From: djweis at internetsolver.com (Dave Weis)
Date: Tue, 8 Jul 2008 08:33:18 -0500 (CDT)
Subject: [c-nsp] Funny bug?
In-Reply-To: <03ec01c8e0fe$5d55d3c0$a401a8c0@mainoffice.nodex.ru>
References: <03ec01c8e0fe$5d55d3c0$a401a8c0@mainoffice.nodex.ru>

If we're being picky there's also a misplaced colon:

> Output queue :0/40 (size/max)

On Tue, 8 Jul 2008, Pavel Kuzin wrote:

> You mean
> 30 second ouxtput rate 0 bits/sec, 0 packets/sec
>            ^^
> ?
> --
> Pavel D.Kuzin
> Nodex LTD.
--
Dave Weis
djweis at internetsolver.com
http://www.internetsolver.com/

From maillist at webjogger.net Tue Jul 8 10:41:34 2008
From: maillist at webjogger.net (Adam Greene)
Date: Tue, 8 Jul 2008 10:41:34 -0400
Subject: [c-nsp] Question on 802.1q trunks and L2TPv3
References: <4871D558.9E6F.00B8.0@dps.k12.oh.us> <010501c8e034$cdf5fa30$12140a0a@GINKGO> <4871FD63.9E6F.00B8.0@dps.k12.oh.us>
Message-ID: <014601c8e108$b7fc4390$12140a0a@GINKGO>

Steve,

Just take 10.77.0.1 255.255.0.0 off FastEthernet0/0.1 and put it on FastEthernet0/0.77, and you should be good to go.

Thanks,
Adam

----- Original Message -----
From: "Steven Pfister"
To: ; "Adam Greene"
Sent: Monday, July 07, 2008 11:26 AM
Subject: Re: [c-nsp] Question on 802.1q trunks and L2TPv3

Yes, I knew that was a problem, but wasn't sure which way to go. Is there any way to do this by changing the router instead? The 10.77.0.0/16 is supposed to be part of the 77 vlan. I'm hoping to be able to do this remotely (the site has limited access hours). The router is the nearer device and the switch is behind it (from the central site's point of view).

Thanks!

Steve Pfister
Technical Coordinator,
The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402

Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

>>> "Adam Greene" 7/7/2008 9:24 AM >>>
Steven,

Right now you have 10.77.0.0/16 on vlan 1 on the router but on vlan 77 on the switch. If you want the switch to use an IP address from the 10.77.0.0/16 block, you have to include vlan 1 as the native vlan on the 3550, and put the 10.77.0.10 address on vlan 1 rather than vlan 77.

Thanks,
Adam

----- Original Message -----
From: "Steven Pfister"
Sent: Monday, July 07, 2008 8:35 AM
Subject: [c-nsp] Question on 802.1q trunks and L2TPv3

> I've got a 3640 router that's connected to a 3550 switch. The trunking is
> set up as dynamic desirable, and I need to change it to be a dot1q trunk.
> I'm having a little trouble getting that done. I tried doing a:
>
> switchport trunk encapsulation dot1q
> switchport mode trunk
>
> and the switch became unreachable. Do I need to add something like:
>
> switchport trunk native vlan 77
>
> ?
>
> Parts of the config are included below...
>
> Thanks!
>
> router
> -------
> interface FastEthernet0/0
>  no ip address
>  no ip redirects
>  no ip proxy-arp
>  ip pim sparse-mode
>  ip route-cache flow
>  speed 100
>  full-duplex
> !
> interface FastEthernet0/0.1
>  encapsulation dot1Q 1 native
>  ip address 10.77.0.1 255.255.0.0
>  no snmp trap link-status
>  no cdp enable
> !
> interface FastEthernet0/0.77
>  encapsulation dot1Q 77
>  no snmp trap link-status
>  no cdp enable
>  xconnect 192.168.7.1 77 pw-class pw-dynamic
>
> Switch
> --------
> interface FastEthernet0/48
>  switchport access vlan 77
>  switchport mode dynamic desirable
>  speed 100
>  duplex full
>  spanning-tree portfast
> !
> interface Vlan77
>  ip address 10.77.0.10 255.255.0.0
> !
> ip default-gateway 10.77.0.1
>
> Steve Pfister
> Technical Coordinator,
> The Office of Information Technology
> Dayton Public Schools
> 115 S. Ludlow St.
> Dayton, OH 45402
>
> Office (937) 542-3149
> Cell (937) 673-6779
> Direct Connect: 137*131747*8
> Email spfister at dps.k12.oh.us

From SPfister at dps.k12.oh.us Tue Jul 8 10:53:04 2008
From: SPfister at dps.k12.oh.us (Steven Pfister)
Date: Tue, 08 Jul 2008 10:53:04 -0400
Subject: [c-nsp] Question on 802.1q trunks and L2TPv3
In-Reply-To: <014601c8e108$b7fc4390$12140a0a@GINKGO>
References: <4871D558.9E6F.00B8.0@dps.k12.oh.us> <010501c8e034$cdf5fa30$12140a0a@GINKGO> <4871FD63.9E6F.00B8.0@dps.k12.oh.us> <014601c8e108$b7fc4390$12140a0a@GINKGO>
Message-ID: <4873470D.9E6F.00B8.0@dps.k12.oh.us>

That's what I thought, but I can't do it with the xconnect statement on f0/0.77.

Steve Pfister
Technical Coordinator,
The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402

Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

>>> "Adam Greene" 7/8/2008 10:41 AM >>>
Steve,

Just take 10.77.0.1 255.255.0.0 off FastEthernet0/0.1 and put it on FastEthernet0/0.77, and you should be good to go.

Thanks,
Adam

----- Original Message -----
From: "Steven Pfister"
To: ; "Adam Greene"
Sent: Monday, July 07, 2008 11:26 AM
Subject: Re: [c-nsp] Question on 802.1q trunks and L2TPv3

Yes, I knew that was a problem, but wasn't sure which way to go. Is there any way to do this by changing the router instead? The 10.77.0.0/16 is supposed to be part of the 77 vlan. I'm hoping to be able to do this remotely (the site has limited access hours). The router is the nearer device and the switch is behind it (from the central site's point of view).

Thanks!

Steve Pfister
Technical Coordinator,
The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
From tedm at toybox.placo.com Tue Jul 8 11:17:14 2008
From: tedm at toybox.placo.com (Ted Mittelstaedt)
Date: Tue, 8 Jul 2008 08:17:14 -0700
Subject: [c-nsp] Telnet FROM a PIX Appliance?

-----Original Message-----
From: Brandon Bennett [mailto:bennetb at gmail.com]
Sent: Monday, July 07, 2008 1:18 PM
To: Ted Mittelstaedt
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?

>And running a production webserver on a 486-DX2 is also not a good
>idea.

I don't see your point here. I was under the impression you were attempting to argue that IOS-based firewalls were inherently not as good as a PIX. I guess your comment here is acknowledging that's not the case.

>Well the point that Bradly Coile made is that he could not get the
>performance he wanted using traditional IP stacks on those platforms.
>Not so much my opinion, but his.

But of course, I would not expect anyone making and selling something to diss their own product over something available for free.

>>Please point out any "bake-off's" comparisons that were done at
>>that time.

>Pointless and a waste of time. If you want to argue PIX popularity
>13 years ago, be my guest. I will not be subject to it however.

I'll take that as a retraction of your statement that the NTI stuff was technically superior at that time, then. 'Nuff said.

>>If a PIX is so easy to setup and maintain then I would have not
>>had quite a lot of work over the years in administering them for
>>people.
>It was a lot easier in 1995/1996 to unbox a PIX and enter in some
>commands to setup NAT than it was to apply a patch and compile new
>FreeBSD kernel and userland utilities. Nowadays this just comes down
>to a matter of preference.

That is true. After all that is one thing you're paying for in most commercial products, isn't it? Not functionality, merely ease of use. Once you learn how to use either of them, there's no advantage to the commercial product in that respect. There's only a handful of commercial products out there where the commercial stuff is superior to what you could put together yourself - given enough time, of course.

>>I will say that the PIX command line is no worse to setup and
>>admin than IOS - once you know all of the idiosyncrasies of the
>>PIXos - but that's no different than the idiosyncrasies of IOS.
>>I do find the PIX GUI to be a big piece of crap, though.

>There is at least something we agree on :)

:-)

>>---- clip----------
>>a bunch of crap of acquisitions
>>--- clip-----------

>Who cares.

Anyone who buys and uses products. Besides ease of use, support is one of the other big selling points of any product. If the company selling such product is poorly managed and acquired as a result, it very often affects support. Thus reducing the value of the product. Naturally anyone owning an orphaned product is very much interested in this. In the case of the PIX, Cisco took it and ran with it, thus NTI's customer base undoubtedly breathed a sigh of relief. That doesn't always happen with all of Cisco's acquisitions.

>standalone box that isn't a router. The baby wants his
>bottle and Cisco isn't going to take it away. Simple as that.

>Interesting standpoint. I view it more as a customer choice.

Customer choice only from what the vendor offers. Some vendors don't offer a lot.
>There are
>some things I find easier on a PIX (troubleshooting, captures, packet-tracer)
>and there are some things I find much better on IOS (LAN to LAN IPSec) and they
>are both very capable products. If you want to push your customers onto IOS
>firewalls knock yourself out. I don't think anyone can argue that point.

You were before.

>They aren't charging for the SSL protocol, they are charging for all the
>additional features that come with it. Do you even understand what the SSL
>VPN product is? It provides proxied connections for http, citrix, rdp,
>exchange, in addition to almost any application you throw at that. In
>addition it creates a full tunnel through TLS and TLS over UDP.

Great, then unbundle the SSL VPN stuff and include it with the ASA and
leave the proxy stuff in the $3K add-on. Most people don't need it. Old
story of putting one feature a lot of people want into a separate bundle
of a big pile of stuff and making you pay a lot for the big pile. Then
you feel compelled to at least look at using some of the stuff in the
big pile. Embrace and extend.

> In the end it's your network. That was the point.

No, in the end it's our customers' network, and what they want and what
they have to pay, that's the point. The PIX was cheaper than the
equivalent IOS-based solutions when it was sold, now the ASA is not. I
will grant that yes, you can get a lot more features in the ASA than you
used to in the PIX. But you pay more. You also get those features in
IOS for the same price as what a hopped-up ASA costs.

As for PPTP being worse or better, that's not Cisco's call to make. As
you said earlier, it's customer choice. I'll agree PPTP has more
problems than a newer protocol. But a customer that has 200 remotes
deployed with PPTP already isn't too interested in paying the labor to
switch them all over just because they upgraded their firewall.
My main argument was that the IOS solution was better than the PIX, and
I'm just glad that now the ASA (configured with adequate licensing)
costs the same as the equivalent IOS based solution because now my
customers can't knee-jerk choose the ASA over the IOS based stuff just
because it is significantly cheaper. Which some used to do with the
PIX. I see nothing in your rebuttal that disproves that.

The comparisons between PIX and current product were just for fun, even
from you, as that product isn't for sale any longer. No need to get so
defensive over them. But the ASA vs IOS comparisons don't argue for the
ASA being more inexpensive unless you accept a very stripped-down unit.

Ted

From pavel.skovajsa at gmail.com Tue Jul 8 13:28:57 2008
From: pavel.skovajsa at gmail.com (Pavel Skovajsa)
Date: Tue, 8 Jul 2008 19:28:57 +0200
Subject: [c-nsp] ASA or FRSW in transparent mode over qinq
Message-ID: <323aca890807081028m614fc1fayb0691c1bbff27a0a@mail.gmail.com>

Hello,

does anybody know whether ASA or FWSW is able to firewall qinq packets
in transparent mode? Does anybody have some configs of this?

In short we are a service provider who wants to offer firewall
protection to various customer qinq tunnels.

Pavel

From mihai at duras.ro Tue Jul 8 13:55:08 2008
From: mihai at duras.ro (Mihai Tanasescu)
Date: Tue, 08 Jul 2008 20:55:08 +0300
Subject: [c-nsp] VRF-Lite & Multicast question
Message-ID: <4873A9FC.2020109@duras.ro>

Hello all,

I have just started studying multicast for accomplishing a task that
I've been given and don't know where / what I am doing wrong.

My setup is something like the following:

RP ---> Router A --- iBGP ---> Router B --- eBGP --> Router C (vrf-lite)

Between Router B and Router C I have 5 links (4 are vrf-lite in Router C,
the 5th is in the global table and used for MPLS LDP).

I have configured on each router: ip multicast-routing (in C for example
for both global and VRF), ip pim sparse-dense-mode on interfaces and
the RP.
If I connect with a cable in Router A I can view the multicast stream.
Same if I connect in Router B. But in Router C it doesn't work (neither
in the global table, nor in the VRFs from the vrf-lite implementation).

Can you help with some advice on what I could be doing wrong? (I'm just
a beginner/newbie when it comes to mcast)

Thanks,
Mihai

From avayner at cisco.com Tue Jul 8 15:15:40 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Tue, 8 Jul 2008 21:15:40 +0200
Subject: [c-nsp] VRF-Lite & Multicast question
In-Reply-To: <4873A9FC.2020109@duras.ro>
References: <4873A9FC.2020109@duras.ro>
Message-ID: <67F7C1FAF83A074AA3520D8F155782A501911616@xmb-ams-331.emea.cisco.com>

Hmm...

Could you share some "show ip mroute" and "show ip mroute count" outputs
both for global and vrf mode on router C?

First thing to check would be the RPF path for the source - do you have
a route back to the source through all the interfaces on router C?

Arie
From psirt at cisco.com Tue Jul 8 14:36:40 2008
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Tue, 8 Jul 2008 14:36:40 -0400
Subject: [c-nsp] Cisco Security Advisory: Multiple Cisco Products Vulnerable to DNS Cache Poisoning Attacks
Message-ID: <200807081436.dns@psirt.cisco.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Multiple Cisco Products Vulnerable to DNS Cache
Poisoning Attacks

Advisory ID: cisco-sa-20080708-dns

http://www.cisco.com/warp/public/707/cisco-sa-20080708-dns.shtml

Revision 1.0

For Public Release 2008 July 08 1800 UTC (GMT)

Summary
=======

Multiple Cisco products are vulnerable to DNS cache poisoning attacks due
to their use of insufficiently randomized DNS transaction IDs and UDP
source ports in the DNS queries that they produce, which may allow an
attacker to more easily forge DNS answers that can poison DNS caches.

To exploit this vulnerability an attacker must be able to cause a
vulnerable DNS server to perform recursive DNS queries. Therefore, DNS
servers that are only authoritative, or servers where recursion is not
allowed, are not affected.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080708-dns.shtml.

This security advisory is being published simultaneously with
announcements from other affected organizations.

Affected Products
=================

Products that cache DNS responses and process DNS messages with the
recursion desired (RD) flag set may be vulnerable to a DNS cache
poisoning attack depending on implementation of the DNS protocol.
Products that process DNS messages with the RD flag set will attempt to
answer the question asked on behalf of the client. A product is only
affected if using a vulnerable implementation of the DNS protocol, the
DNS server functionality for the product is enabled, and the DNS feature
for the product is configured to process recursive DNS query messages.

Vulnerable Products
+------------------

The following Cisco products are capable of acting as DNS servers and
have been found to have the DNS implementation weakness that makes some
types of DNS cache poisoning attacks more likely to succeed:

  * Cisco IOS Software

    A device that is running Cisco IOS Software will be affected if it
    is running a vulnerable version and if it is acting as a DNS server.
    All Cisco IOS Software releases that support the DNS server
    functionality and that have not had their DNS implementation
    improved are affected. For information about specific fixed
    versions, please refer to the Software Versions and Fixes section.

    A device that is running Cisco IOS Software is configured to act as
    a DNS server if the command "ip dns server" is present in the
    configuration. This command is not enabled by default.

  * Cisco Network Registrar

    All Cisco Network Registrar versions are affected, and DNS services
    are enabled by default. The DNS server on CNR is enabled via the
    command-line interface (CLI) commands "server dns enable
    start-on-reboot" or "dns enable start-on-reboot" or via the web
    management interface in the Servers page by selecting the
    appropriate "Start," "Stop," or "Reload" button.

  * Cisco Application and Content Networking System

    All Cisco Application and Content Networking System (ACNS) versions
    are affected; DNS services are disabled by default. ACNS is
    configured to act as a DNS server if the command "dns enable" is
    present in the configuration.
  * Cisco Global Site Selector Used in Combination with Cisco Network
    Registrar

    The Cisco Global Site Selector (GSS) is affected when it is used in
    combination with Cisco Network Registrar software to provide a more
    complete DNS solution. Fixed software would come in the form of an
    update of the Cisco Network Registrar software rather than an update
    of the GSS software.

Products Confirmed Not Vulnerable
+--------------------------------

Products that do not offer DNS server capabilities are not affected by
this vulnerability. The Cisco GSS by itself is not affected by this
vulnerability. However, it is affected when it is used with Cisco
Network Registrar software.

No other Cisco products are currently known to be affected by these
vulnerabilities.

Details
=======

The Domain Name System is an integral part of networks that are based on
TCP/IP such as the Internet. Simply stated, the Domain Name System is a
hierarchical database that contains mappings of hostnames and IP
addresses. The DNS protocol is part of the TCP/IP protocol suite and
allows DNS clients to query the DNS database to resolve hostnames to IP
addresses.

A DNS server is an application that implements the DNS protocol and that
has the ability to respond to queries made by DNS clients. When handling
a query from a DNS client, a DNS server can look into its portion of the
global DNS database (if the query is for a portion of the DNS database
for which the DNS server is authoritative), or it can relay the query to
other DNS servers (if it is configured to do so and if the query is for
a portion of the DNS database for which the DNS server is not
authoritative).

Because of the processing time and bandwidth that is associated with
handling a DNS query, most DNS servers locally store responses that are
received from other DNS servers. The area where these responses are
stored locally is called a "cache."
Once a response is stored in a cache, the DNS server can use the locally
stored response for a certain time (called the "time to live") before
having to query DNS servers again to refresh the local (cached) copy of
the response.

A DNS cache poisoning attack is an attack in which an entry in the DNS
cache of a DNS server is changed so the IP address associated with a
hostname in the cache does not point to the correct place. For example,
if www.example.com is mapped to the IP address 192.168.0.1 and this
mapping is present in the cache of a DNS server, an attacker who
succeeds in poisoning the DNS cache of this server may be able to map
www.example.com to 10.0.0.1 instead. If this happens, a user who is
trying to visit www.example.com may end up contacting the wrong web
server.

Although DNS cache poisoning attacks are not new, a security researcher
recently presented a technique that allows an attacker to mount
successful DNS cache poisoning attacks with low complexity tools and low
traffic requirements. This technique exploits a weakness in most
implementations of the DNS protocol. The fundamental implementation
weakness is that the DNS transaction ID and source port number used to
validate DNS responses are not sufficiently randomized and can easily be
predicted, which allows an attacker to create forged responses to DNS
queries that will match the expected values. The DNS server will
consider such responses to be valid.

The following Cisco products that offer DNS server functionality have
been found to be susceptible to DNS cache poisoning attacks:

  * Cisco IOS Software: The vulnerability documented in Cisco bug ID
    CSCso81854.
  * Cisco Network Registrar: The vulnerability documented in Cisco bug
    ID CSCsq01298.
  * Cisco Application and Content Networking System (ACNS): The
    vulnerability documented in Cisco bug ID CSCsq21930.

This vulnerability has been assigned Common Vulnerabilities and
Exposures (CVE) ID CVE-2008-1447.
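The weakness the Details section describes can be checked from the defender's side by looking at what a resolver's own outbound queries look like on the wire. The Python below is an added example, not part of the advisory or any Cisco tool: it pulls the UDP source port, DNS transaction ID and RD flag out of constructed header-only query datagrams and flags a batch whose source port never changes or whose IDs simply count upward; the batches, the 0.9 threshold and the "guess_bits" estimate are all assumptions made for the example.

```python
"""Added example: crude check of how predictable a resolver's outbound
DNS query identifiers are (constructed data, not Cisco code)."""
import math
import random
import struct

RD_FLAG = 0x0100  # "recursion desired" bit in the DNS header flags word


def build_query(sport: int, txid: int, rd: bool = True) -> bytes:
    """Constructed sample datagram: a UDP header followed by a DNS header.

    Only the fields the advisory is about (UDP source port, transaction ID
    and the RD flag) are filled in; the question section is omitted, so this
    is a header-only stand-in for a real query, not a complete DNS message.
    """
    flags = RD_FLAG if rd else 0
    # DNS header: id, flags, qdcount, ancount, nscount, arcount
    dns_hdr = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    # UDP header: source port, destination port 53, length, checksum (zero)
    udp_hdr = struct.pack("!HHHH", sport, 53, 8 + len(dns_hdr), 0)
    return udp_hdr + dns_hdr


def parse_query(datagram: bytes):
    """Return (source port, transaction ID, recursion desired) from UDP+DNS headers."""
    if len(datagram) < 20:
        raise ValueError("datagram too short for UDP and DNS headers")
    sport, _dport, _ulen, _csum = struct.unpack("!HHHH", datagram[:8])
    txid, flags = struct.unpack("!HH", datagram[8:12])
    return sport, txid, bool(flags & RD_FLAG)


def sequential_fraction(values):
    """Share of consecutive pairs whose difference is exactly +1 modulo 2**16."""
    if len(values) < 2:
        return 0.0
    hits = sum(1 for a, b in zip(values, values[1:]) if (b - a) % 0x10000 == 1)
    return hits / (len(values) - 1)


def assess_queries(datagrams):
    """Score a batch of outbound queries captured from one resolver.

    'verdict' is "weak" when the source port never changes or the
    transaction IDs are simply incremented: that is the pattern the
    advisory describes, where forged answers are easy to match.
    'guess_bits' is a rough lower bound (an assumption of this example) on
    the space an attacker must search per query: observed port values times
    all 2**16 transaction IDs.
    """
    ports, ids = [], []
    for d in datagrams:
        sport, txid, _rd = parse_query(d)
        ports.append(sport)
        ids.append(txid)
    if not ids:
        raise ValueError("no queries to assess")
    distinct_ports = len(set(ports))
    seq = sequential_fraction(ids)
    weak = distinct_ports == 1 or seq >= 0.9
    return {
        "queries": len(ids),
        "distinct_ports": distinct_ports,
        "distinct_ids": len(set(ids)),
        "sequential_id_fraction": seq,
        "guess_bits": math.log2(distinct_ports) + 16,
        "verdict": "weak" if weak else "ok",
    }


# Constructed batch 1: fixed source port 53 and IDs counting upward.
FIXED_PORT_BATCH = [build_query(53, 0x1000 + i) for i in range(64)]

# Constructed batch 2: ports and IDs drawn from a seeded generator, standing
# in for a resolver that randomises both (seeded so the run is repeatable).
_rng = random.Random(20080708)
RANDOMISED_BATCH = [
    build_query(_rng.randrange(1024, 65536), _rng.randrange(65536))
    for _ in range(64)
]

if __name__ == "__main__":
    for name, batch in (("fixed-port", FIXED_PORT_BATCH),
                        ("randomised", RANDOMISED_BATCH)):
        print(name, assess_queries(batch))
```

Against a real capture, feed the function the UDP payloads of queries leaving the resolver toward port 53; a "weak" verdict is the condition the fixed releases listed below are meant to remove.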
Vulnerability Scoring Details
+----------------------------

Cisco has provided scores for the vulnerabilities in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute
environmental scores to assist in determining the impact of the
vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS
at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss

Cisco Bugs:

  * DNS cache prone to poisoning/forged answers attacks (CSCsq21930)
  * DNS susceptible to forged query response attacks (CSCsq01298)
  * Need to make DNS implementation more resilient against forged
    answers (CSCso81854)

CVSS Base Score - 6.4
    Access Vector          - Network
    Access Complexity      - Low
    Authentication         - None
    Confidentiality Impact - None
    Integrity Impact       - Partial
    Availability Impact    - Partial

CVSS Temporal Score - 5.3
    Exploitability    - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

(same score for the three Cisco bugs listed above.)

Impact
======

Successful exploitation of the vulnerability described in this document
may result in invalid hostname-to-IP address mappings in the cache of an
affected DNS server. This may lead users of this DNS server to contact
the wrong provider of network services. The ultimate impact varies
greatly, ranging from a simple denial of service (for example, making
www.example.com resolve to 127.0.0.1) to phishing and financial fraud.
Software Versions and Fixes
===========================

When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.

Cisco IOS Software
+-----------------

Each row of the Cisco IOS Software table (below) names a Cisco IOS
Software release train. If a given release train is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed in
the "First Fixed Release" column of the table. The "Recommended Release"
column indicates the releases which have fixes for all the published
vulnerabilities at the time of this Advisory. A device running a release
in the given train that is earlier than the release in a specific column
(less than the First Fixed Release) is known to be vulnerable. Cisco
recommends upgrading to a release equal to or later than the release in
the "Recommended Releases" column of the table.
Major Release | Availability of Repaired Releases
              | First Fixed Release | Recommended Release

Affected 12.0-Based Releases
| 12.0   | Not Vulnerable | |
| 12.0DA | Not Vulnerable | |
| 12.0DB | Releases prior to 12.0(7)DB are vulnerable, release 12.0(7)DB and later are not vulnerable; first fixed in 12.4 | 12.4(19a), 12.4(19b) |
| 12.0DC | Releases prior to 12.0(7)DC are vulnerable, release 12.0(7)DC and later are not vulnerable; first fixed in 12.4 | 12.4(19a), 12.4(19b) |
| 12.0S  | Not Vulnerable | |
| 12.0SC | Not Vulnerable | |
| 12.0SL | Not Vulnerable | |
| 12.0SP | Not Vulnerable | |
| 12.0ST | Not Vulnerable | |
| 12.0SX | Not Vulnerable | |
| 12.0SY | Not Vulnerable | |
| 12.0SZ | Not Vulnerable | |
| 12.0T  | Vulnerable; first fixed in 12.4 | 12.4(19a), 12.4(19b) |
| 12.0W  | Not Vulnerable | |
| 12.0WC | Vulnerable; contact TAC | |
| 12.0WT | Not Vulnerable | |
| 12.0XA | Not Vulnerable | |
| 12.0XB | Not Vulnerable | |
| 12.0XC | Not Vulnerable | |
| 12.0XD | Not Vulnerable | |
| 12.0XE | Note: Releases prior to 12.0(7)XE1 are vulnerable, release 12.0(7)XE1 and later are not vulnerable | |
| 12.0XF | Not Vulnerable | |
| 12.0XG | Not Vulnerable | |
| 12.0XH | Not Vulnerable | |
| 12.0XI | Not Vulnerable | |
| 12.0XJ | Not Vulnerable | |
| 12.0XK | Releases prior to 12.0(7)XK2 are vulnerable, release 12.0(7)XK2 and later are not vulnerable; first fixed in 12.4 | 12.4(19a), 12.4(19b) |
| 12.0XL | Not Vulnerable | |
| 12.0XM | Not Vulnerable | |
| 12.0XN | Not Vulnerable | |
| 12.0XQ | Not Vulnerable | |
| 12.0XR | Releases prior to 12.0(7)XR1 are vulnerable, release 12.0(7)XR1 and later are not vulnerable; first fixed in 12.4 | 12.4(19a), 12.4(19b) |
| 12.0XS | Not Vulnerable | |
| 12.0XV | Not Vulnerable | |
| 12.0XW | Not Vulnerable | |

Affected 12.1-Based Releases
| 12.1   | Vulnerable; first fixed in 12.4 | 12.4(19a), 12.4(19b) |
| 12.1AA | Not Vulnerable | |
| 12.1AX | Not Vulnerable | |
| 12.1AY | Releases prior to 12.1(22)AY1 are vulnerable, release 12.1(22)AY1 and later are not vulnerable | 12.1(22)EA11 |
| 12.1AZ | Not Vulnerable | |
| 12.1CX | Not Vulnerable | |
| 12.1DA | Not Vulnerable | |
| 12.1DB | Releases prior to 12.1(4)DB1 are vulnerable, release 12.1(4)DB1 and later are not vulnerable; first fixed in 12.4 | 12.4(19a), 12.4(19b) |
| 12.1DC | Releases prior to 12.1(4)DC2 are vulnerable, release 12.1(4)DC2 and later are not vulnerable; first fixed in 12.4 | 12.4(19a), 12.4(19b) |
| 12.1E  | Not Vulnerable | |
| 12.1EA | Releases prior to 12.1(11)EA1 are vulnerable, release 12.1(11)EA1 and later are not vulnerable | 12.1(22)EA11 |
| 12.1EB | Not Vulnerable | |
| 12.1EC | Not Vulnerable | |
| 12.1EO | Not Vulnerable | |
| 12.1EU | Not Vulnerable | |
| 12.1EV | Not Vulnerable | |
| 12.1EW | Not Vulnerable | |
| 12.1EX | Note: Releases prior to 12.1(8a)EX are vulnerable, release 12.1(8a)EX and later are not vulnerable | |
| 12.1EY | Not Vulnerable | |
| 12.1EZ | Not Vulnerable | |
| 12.1GA | Not Vulnerable | |
| 12.1GB | Not Vulnerable | |
| 12.1T  | Vulnerable; first fixed in 12.4 | 12.4(19a), 12.4(19b) |
| 12.1XA | Not Vulnerable | |
| 12.1XB | Not Vulnerable | |
| 12.1XC | Releases prior to 12.1(1)XC1 are vulnerable, release 12.1(1)XC1 and later are not vulnerable; first fixed in 12.4 | 12.4(19a), 12.4(19b) |
| 12.1XD | Not Vulnerable | |
| 12.1XE | Not Vulnerable | |
| 12.1XF | Not Vulnerable | |
| 12.1XG | Not Vulnerable | |
| 12.1XH | Not Vulnerable | |
| 12.1XI | Not Vulnerable | |
| 12.1XJ | Not Vulnerable | |
| 12.1XK | Not Vulnerable | |
| 12.1XL | Not Vulnerable | |
| 12.1XM | Not Vulnerable | |
| 12.1XN | Not Vulnerable | |
| 12.1XO | Not Vulnerable | |
| 12.1XP | Not Vulnerable | |
| 12.1XQ | Not Vulnerable | |
| 12.1XR | Not Vulnerable | |
| 12.1XS | Not Vulnerable | |
| 12.1XT | Not Vulnerable | |
| 12.1XU | Not Vulnerable | |
| 12.1XV | Not Vulnerable | |
| 12.1XW | Not Vulnerable | |
| 12.1XX | Not Vulnerable | |
| 12.1XY | Not Vulnerable | |
| 12.1XZ | Not Vulnerable | |
| 12.1YA | Not Vulnerable | |
| 12.1YB | Not Vulnerable | |
| 12.1YC | Not Vulnerable | |
| 12.1YD | Not Vulnerable | |
| 12.1YE | Note: Releases prior to 12.1(5)YE1 are vulnerable, release 12.1(5)YE1 and later are not vulnerable | 12.4(19a), 12.4(19b) |
| 12.1YF | Not Vulnerable | |
| 12.1YG | Not Vulnerable | |
| 12.1YH | Not Vulnerable | |
| 12.1YI | Not Vulnerable | |
| 12.1YJ | Not Vulnerable | |

Affected 12.2-Based Releases
| 12.2    | Vulnerable; first fixed in 12.4 | 12.4(19a), 12.4(19b) |
| 12.2B   | Vulnerable; first fixed in 12.4 | 12.4(19a), 12.4(19b) |
| 12.2BC  | Not Vulnerable | |
| 12.2BW  | Vulnerable; first fixed in 12.4 | 12.4(19a), 12.4(19b) |
| 12.2BY  | Releases prior to 12.2(8)BY are vulnerable, release 12.2(8)BY and later are not vulnerable; first fixed in 12.4 | 12.4(19a), 12.4(19b) |
| 12.2BZ  | Not Vulnerable | |
| 12.2CX  | Not Vulnerable | |
| 12.2CY  | Not Vulnerable | |
| 12.2CZ  | Vulnerable; contact TAC | |
| 12.2DA  | Not Vulnerable | |
| 12.2DD  | Not Vulnerable | |
| 12.2DX  | Not Vulnerable | |
| 12.2EU  | Not Vulnerable | |
| 12.2EW  | Not Vulnerable | |
| 12.2EWA | Not Vulnerable | |
| 12.2EX  | Not Vulnerable | |
| 12.2EY  | Not Vulnerable | |
| 12.2EZ  | Not Vulnerable | |
| 12.2FX  | Not Vulnerable | |
| 12.2FY  | Not Vulnerable | |
| 12.2FZ  | Not Vulnerable | |
| 12.2IXA | Not Vulnerable | |
| 12.2IXB | Not Vulnerable | |
| 12.2IXC | Not Vulnerable | |
| 12.2IXD | Not Vulnerable | |
| 12.2IXE | Not Vulnerable | |
| 12.2IXF | Not Vulnerable | |
| 12.2JA  | Not Vulnerable | |
| 12.2JK  | Not Vulnerable | |
| 12.2MB  | Not Vulnerable | |
| 12.2MC  | Not Vulnerable | |
| 12.2S   | Not Vulnerable | |
| 12.2SB  | Not Vulnerable | |
| 12.2SBC | Not Vulnerable | |
| 12.2SCA | Not Vulnerable | |
| 12.2SE  | Not Vulnerable | |
| 12.2SEA | Not Vulnerable | |
| 12.2SEB | Not Vulnerable | |
| 12.2SEC | Not Vulnerable | |
| 12.2SED | Not Vulnerable | |
| 12.2SEE | Not Vulnerable | |
| 12.2SEF | Not Vulnerable | |
| 12.2SEG | Not Vulnerable | |
| 12.2SG  | Not Vulnerable | |
| 12.2SGA | Not Vulnerable | |
| 12.2SL  | Not Vulnerable | |
| 12.2SM  | Not Vulnerable | |
| 12.2SO  | Not Vulnerable | |
| 12.2SRA | Not Vulnerable | |
| 12.2SRB | Not Vulnerable | |
| 12.2SRC | Not Vulnerable | |
| 12.2SU  | Not Vulnerable | |
| 12.2SV  | Not Vulnerable | |
| 12.2SVA | Not Vulnerable | |
| 12.2SVC | Not Vulnerable | |
| 12.2SVD | Not Vulnerable | |
| 12.2SW  | Not Vulnerable | |
| 12.2SX  | Not Vulnerable | |
| 12.2SXA | Not Vulnerable | |
| 12.2SXB | Not Vulnerable | |
| 12.2SXD | Not Vulnerable | |
| 12.2SXE | Not Vulnerable | |
| 12.2SXF | Not Vulnerable | |
| 12.2SXH | Not Vulnerable | |
| 12.2SXI | Not Vulnerable | |
| 12.2SY  | Not Vulnerable | |
| 12.2SZ  | Not Vulnerable | |
| 12.2T   | Vulnerable; first fixed in 12.4 | 12.4(19a), 12.4(19b) |
| 12.2TPC | Releases prior to 12.2(8)TPC10d are vulnerable, release 12.2(8)TPC10d and later are not vulnerable | |
| 12.2UZ  | Not Vulnerable | |
| 12.2XA  | Not Vulnerable | |
| 12.2XB  | Vulnerable; first fixed in 12.4 | 12.4(19a), 12.4(19b) |
| 12.2XC  | Vulnerable; first fixed in 12.4 | 12.4(19a), 12.4(19b) |
| 12.2XD  | Not Vulnerable | |
| 12.2XE  | Not Vulnerable | |
| 12.2XF  | Not Vulnerable | |
| 12.2XG  | Vulnerable; first fixed in 12.4 | 12.4(19a), 12.4(19b) |
| 12.2XH  | Not Vulnerable | |
| 12.2XI  | Not Vulnerable | |
| 12.2XJ  | Not Vulnerable | |
| 12.2XK  | Vulnerable; first fixed in 12.4 | 12.4(19a), 12.4(19b) |
| | Vulnerable; | 12.4(19a) |
| 12.2XL | first fixed | | | | in 12.4 | 12.4(19b) | |------------+-------------+-------------| | 12.2XM | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2XN | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2XNA | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2XO | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2XQ | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2XR | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2XS | Not | | | | Vulnerable | | |------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.2XT | first fixed | | | | in 12.4 | 12.4(19b) | |------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.2XU | first fixed | | | | in 12.4 | 12.4(19b) | |------------+-------------+-------------| | 12.2XV | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2XW | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2YA | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2YB | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2YC | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2YD | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2YE | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2YF | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2YG | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2YH | Not | | | | Vulnerable | | |------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.2YJ | first fixed | | | | in 12.4 | 12.4(19b) | |------------+-------------+-------------| | 12.2YK | Not | | | | Vulnerable | | |------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.2YL | first fixed | | | | in 
12.4 | 12.4(19b) | |------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.2YM | first fixed | | | | in 12.4 | 12.4(19b) | |------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.2YN | first fixed | | | | in 12.4 | 12.4(19b) | |------------+-------------+-------------| | | Vulnerable; | 12.2(18) | | | migrate to | SXF15; | | 12.2YO | any release | Available | | | in 12.2SY | on | | | | 08-AUG-08 | |------------+-------------+-------------| | 12.2YP | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2YQ | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2YR | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2YS | Not | | | | Vulnerable | | |------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.2YT | first fixed | | | | in 12.4 | 12.4(19b) | |------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.2YU | first fixed | | | | in 12.4 | 12.4(19b) | |------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.2YV | first fixed | | | | in 12.4 | 12.4(19b) | |------------+-------------+-------------| | 12.2YW | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2YX | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2YY | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2YZ | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2ZA | Not | | | | Vulnerable | | |------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.2ZB | first fixed | | | | in 12.4 | 12.4(19b) | |------------+-------------+-------------| | 12.2ZC | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2ZD | Vulnerable; | | | | contact TAC | | |------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.2ZE | first fixed | | | | in 12.4 | 12.4(19b) | 
|------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.2ZF | first fixed | | | | in 12.4 | 12.4(19b) | |------------+-------------+-------------| | | | 12.4(19a) | | | | | | | Vulnerable; | 12.4(19b) | | 12.2ZG | first fixed | | | | in 12.4T | 12.4(20)T; | | | | Available | | | | on | | | | 11-JUL-08 | |------------+-------------+-------------| | | | 12.4(19a) | | | | | | | Vulnerable; | 12.4(19b) | | 12.2ZH | first fixed | | | | in 12.4 | 12.4(20)T; | | | | Available | | | | on | | | | 11-JUL-08 | |------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.2ZJ | first fixed | | | | in 12.4 | 12.4(19b) | |------------+-------------+-------------| | | | 12.4(19a) | | | | | | | Vulnerable; | 12.4(19b) | | 12.2ZL | first fixed | | | | in 12.4 | 12.4(20)T; | | | | Available | | | | on | | | | 11-JUL-08 | |------------+-------------+-------------| | 12.2ZP | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2ZU | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2ZY | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2ZYA | Not | | | | Vulnerable | | |------------+-------------+-------------| | Affected | First Fixed | Recommended | | 12.3-Based | Release | Release | | Releases | | | |------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.3 | first fixed | | | | in 12.4 | 12.4(19b) | |------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.3B | first fixed | | | | in 12.4 | 12.4(19b) | |------------+-------------+-------------| | 12.3BC | Not | | | | Vulnerable | | |------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.3BW | first fixed | | | | in 12.4 | 12.4(19b) | |------------+-------------+-------------| | 12.3EU | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.3JA | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.3JEA | Not | | | | 
Vulnerable | | |------------+-------------+-------------| | 12.3JEB | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.3JEC | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.3JK | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.3JL | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.3JX | Not | | | | Vulnerable | | |------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.3T | first fixed | | | | in 12.4 | 12.4(19b) | |------------+-------------+-------------| | 12.3TPC | Vulnerable; | | | | contact TAC | | |------------+-------------+-------------| | 12.3VA | Vulnerable; | | | | contact TAC | | |------------+-------------+-------------| | | | 12.4(19a) | | | | | | | Vulnerable; | 12.4(19b) | | 12.3XA | first fixed | | | | in 12.4 | 12.4(20)T; | | | | Available | | | | on | | | | 11-JUL-08 | |------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.3XB | first fixed | | | | in 12.4 | 12.4(19b) | |------------+-------------+-------------| | | | 12.4(19a) | | | | | | | Vulnerable; | 12.4(19b) | | 12.3XC | first fixed | | | | in 12.4 | 12.4(20)T; | | | | Available | | | | on | | | | 11-JUL-08 | |------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.3XD | first fixed | | | | in 12.4 | 12.4(19b) | |------------+-------------+-------------| | | | 12.4(19a) | | | | | | | Vulnerable; | 12.4(19b) | | 12.3XE | first fixed | | | | in 12.4 | 12.4(20)T; | | | | Available | | | | on | | | | 11-JUL-08 | |------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.3XF | first fixed | | | | in 12.4 | 12.4(19b) | |------------+-------------+-------------| | | | 12.4(19a) | | | | | | | Vulnerable; | 12.4(19b) | | 12.3XG | first fixed | | | | in 12.4T | 12.4(20)T; | | | | Available | | | | on | | | | 11-JUL-08 | |------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.3XH | first 
fixed | | | | in 12.4 | 12.4(19b) | |------------+-------------+-------------| | 12.3XI | Vulnerable; | | | | contact TAC | | |------------+-------------+-------------| | | | 12.3(14) | | | | YX12 | | | Vulnerable; | | | 12.3XJ | first fixed | 12.4(20)T; | | | in 12.3YX | Available | | | | on | | | | 11-JUL-08 | |------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.3XK | first fixed | | | | in 12.4 | 12.4(19b) | |------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.3XQ | first fixed | | | | in 12.4 | 12.4(19b) | |------------+-------------+-------------| | | | 12.4(19a) | | | | | | | Vulnerable; | 12.4(19b) | | 12.3XR | first fixed | | | | in 12.4 | 12.4(20)T; | | | | Available | | | | on | | | | 11-JUL-08 | |------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.3XS | first fixed | | | | in 12.4 | 12.4(19b) | |------------+-------------+-------------| | 12.3XU | Not | | | | Vulnerable | | |------------+-------------+-------------| | | | 12.3(14) | | | | YX12 | | | Vulnerable; | | | 12.3XW | first fixed | 12.4(20)T; | | | in 12.3YX | Available | | | | on | | | | 11-JUL-08 | |------------+-------------+-------------| | 12.3XY | Not | | | | Vulnerable | | |------------+-------------+-------------| | | | 12.4(19a) | | | | | | | Vulnerable; | 12.4(19b) | | 12.3YA | first fixed | | | | in 12.4 | 12.4(20)T; | | | | Available | | | | on | | | | 11-JUL-08 | |------------+-------------+-------------| | | Vulnerable; | 12.4(20)T; | | 12.3YD | first fixed | Available | | | in 12.4T | on | | | | 11-JUL-08 | |------------+-------------+-------------| | | | 12.3(14) | | | | YX12 | | | Vulnerable; | | | 12.3YF | first fixed | 12.4(20)T; | | | in 12.3YX | Available | | | | on | | | | 11-JUL-08 | |------------+-------------+-------------| | | Vulnerable; | 12.4(20)T; | | 12.3YG | first fixed | Available | | | in 12.4T | on | | | | 11-JUL-08 | |------------+-------------+-------------| | | Vulnerable; | 12.4(20)T; 
| | 12.3YH | first fixed | Available | | | in 12.4T | on | | | | 11-JUL-08 | |------------+-------------+-------------| | | Vulnerable; | 12.4(20)T; | | 12.3YI | first fixed | Available | | | in 12.4T | on | | | | 11-JUL-08 | |------------+-------------+-------------| | 12.3YJ | Not | | | | Vulnerable | | |------------+-------------+-------------| | | Vulnerable; | 12.4(20)T; | | 12.3YK | first fixed | Available | | | in 12.4T | on | | | | 11-JUL-08 | |------------+-------------+-------------| | | Releases | | | | prior to | | | | 12.3(14) | | | | YM12 are | | | | vulnerable, | 12.3(14) | | 12.3YM | release | YM12 | | | 12.3(14) | | | | YM12 and | | | | later are | | | | not | | | | vulnerable; | | |------------+-------------+-------------| | 12.3YQ | Not | | | | Vulnerable | | |------------+-------------+-------------| | | Vulnerable; | 12.4(20)T; | | 12.3YS | first fixed | Available | | | in 12.4T | on | | | | 11-JUL-08 | |------------+-------------+-------------| | | Vulnerable; | 12.4(20)T; | | 12.3YT | first fixed | Available | | | in 12.4T | on | | | | 11-JUL-08 | |------------+-------------+-------------| | | Vulnerable; | | | 12.3YU | first fixed | | | | in 12.4XB | | |------------+-------------+-------------| | 12.3YX | 12.3(14) | 12.3(14) | | | YX12 | YX12 | |------------+-------------+-------------| | 12.3YZ | Vulnerable; | | | | contact TAC | | |------------+-------------+-------------| | Affected | First Fixed | Recommended | | 12.4-Based | Release | Release | | Releases | | | |------------+-------------+-------------| | | 12.4(18b) | | | | | | | | 12.4(19a) | 12.4(19a) | | 12.4 | | | | | 12.4(19b) | 12.4(19b) | | | | | | | 12.4(21) | | |------------+-------------+-------------| | 12.4JA | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.4JK | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.4JMA | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.4JMB | Not | | | | Vulnerable 
| | |------------+-------------+-------------| | 12.4JMC | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.4JX | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.4MD | 12.4(15)MD | 12.4(15)MD | |------------+-------------+-------------| | 12.4MR | 12.4(19)MR | 12.4(19)MR | |------------+-------------+-------------| | 12.4SW | Vulnerable; | | | | contact TAC | | |------------+-------------+-------------| | | 12.4(15)T6 | | | | | 12.4(20)T; | | 12.4T | 12.4(20)T; | Available | | | Available | on | | | on | 11-JUL-08 | | | 11-JUL-08 | | |------------+-------------+-------------| | | Vulnerable; | 12.4(20)T; | | 12.4XA | first fixed | Available | | | in 12.4T | on | | | | 11-JUL-08 | |------------+-------------+-------------| | 12.4XB | 12.4(2)XB10 | | |------------+-------------+-------------| | 12.4XC | Vulnerable; | | | | contact TAC | | |------------+-------------+-------------| | | 12.4(4) | 12.4(20)T; | | | XD11; | Available | | 12.4XD | Available | on | | | on | 11-JUL-08 | | | 31-JUL-08 | | |------------+-------------+-------------| | | Vulnerable; | 12.4(20)T; | | 12.4XE | first fixed | Available | | | in 12.4T | on | | | | 11-JUL-08 | |------------+-------------+-------------| | 12.4XF | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.4XG | Not | | | | Vulnerable | | |------------+-------------+-------------| | | Vulnerable; | 12.4(20)T; | | 12.4XJ | first fixed | Available | | | in 12.4T | on | | | | 11-JUL-08 | |------------+-------------+-------------| | 12.4XK | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.4XL | 12.4(15)XL2 | 12.4(15)XL2 | |------------+-------------+-------------| | 12.4XM | 12.4(15)XM1 | 12.4(15)XM1 | |------------+-------------+-------------| | 12.4XN | Vulnerable; | | | | contact TAC | | |------------+-------------+-------------| | 12.4XQ | Vulnerable; | | | | contact TAC | | |------------+-------------+-------------| | 12.4XT 
| Vulnerable; | | | | contact TAC | | |------------+-------------+-------------| | 12.4XV | Vulnerable; | | | | contact TAC | | |------------+-------------+-------------| | 12.4XW | 12.4(11)XW8 | 12.4(11)XW6 | |------------+-------------+-------------| | 12.4XY | 12.4(15)XY3 | | |------------+-------------+-------------| | | Vulnerable; | 12.4(20)T; | | 12.4XZ | first fixed | Available | | | in 12.4T | on | | | | 11-JUL-08 | +----------------------------------------+ Cisco Network Registrar +---------------------- +---------------------------------------+ | Affected | | | Release | First Fixed Release | | Train | | |--------------+------------------------| | 6.1.x | Contact TAC | |--------------+------------------------| | | 6.3.1.1 patch; | | 6.3.x | available mid-July | | | 2008 | |--------------+------------------------| | 7.0.x | 7.0.1; available in | | | mid-July 2008 | +---------------------------------------+ Cisco Network Registrar software is available for download at: http://www.cisco.com/pcgi-bin/Software/Tablebuild/tablebuild.pl/nr-eval Cisco Application and Content Networking System +---------------------------------------------- This issue is fixed in version 5.5.11 of Cisco ACNS software. This release will be available for download from www.cisco.com in late July 2008. Cisco ACNS 5.5 software is available for download at: http://www.cisco.com/pcgi-bin/tablebuild.pl/acns55 Workarounds =========== There are no workarounds. Additional information about identification and mitigation of attacks against DNS is in the Cisco Applied Intelligence white paper "DNS Best Practices, Network Protections, and Attack Identification," available at http://www.cisco.com/web/about/security/intelligence/dns-bcp.html. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. 
Prior to deploying software, customers should consult their maintenance
provider or check the software for feature set compatibility and known
issues specific to their environment.

Customers may only install and expect support for the feature sets they
have purchased. By installing, downloading, accessing or otherwise using
such software upgrades, customers agree to be bound by the terms of Cisco's
software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact psirt at cisco.com or security-alert at cisco.com for
software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior or
existing agreements with third-party support organizations, such as Cisco
Partners, authorized resellers, or service providers should contact that
support organization for guidance and assistance with the appropriate
course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or fix
is the most appropriate for use in the intended network before it is
deployed.
Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco service
contract, and customers who purchase through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale
should acquire upgrades by contacting the Cisco Technical Assistance
Center (TAC). TAC contacts are as follows.

* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac at cisco.com

Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to a
free upgrade. Free upgrades for non-contract customers must be requested
through the TAC.

Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for
additional TAC contact information, including localized telephone numbers,
and instructions and e-mail addresses for use in various languages.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use
of the vulnerability described in this advisory.

Although DNS cache poisoning attacks are not new, security researcher Dan
Kaminsky of IOActive recently presented a technique that makes DNS cache
poisoning attacks more likely to succeed. Cisco would like to thank Dan
Kaminsky for notifying vendors about his findings.

Note that vulnerability information for Cisco IOS Software is being
provided in this advisory outside of the announced publication schedule
for Cisco IOS Software described at http://www.cisco.com/go/psirt due to
industry-wide disclosure of the vulnerability.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR USE.
YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE
DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE
THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy, and
may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at
http://www.cisco.com/warp/public/707/cisco-sa-20080708-dns.shtml

In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.

* cust-security-announce at cisco.com
* first-teams at first.org
* bugtraq at securityfocus.com
* vulnwatch at vulnwatch.org
* cisco at spot.colorado.edu
* cisco-nsp at puck.nether.net
* full-disclosure at lists.grok.org.uk
* comp.dcom.sys.cisco at newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged to
check the above URL for any updates.

Revision History
================

+-----------------------------------------------------------+
| Revision 1.0 | 2008-July-08 | Initial public release |
+-----------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering to
receive security information from Cisco, is available on Cisco's worldwide
website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2007-2008 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------

Updated: Jul 08, 2008                                Document ID: 107064

+--------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkhztUIACgkQ86n/Gc8U/uCAgACfVRRoJO4w4defnpwbNlfgBm4t
2SMAnjKCKECHtsjN9umqqPrPd2DW4IcC
=XGZw
-----END PGP SIGNATURE-----

From tony at lava.net Tue Jul 8 17:12:03 2008
From: tony at lava.net (Antonio Querubin)
Date: Tue, 8 Jul 2008 11:12:03 -1000 (HST)
Subject: [c-nsp] VRF-Lite & Multicast question
In-Reply-To: <4873A9FC.2020109@duras.ro>
References: <4873A9FC.2020109@duras.ro>
Message-ID:

On Tue, 8 Jul 2008, Mihai Tanasescu wrote:

> I have just started studying multicast for accomplishing a task that I've
> been given and don't know where / what I am doing wrong.
>
> My setup is something like the following:
>
> RP ---> Router A --- iBGP ---> Router B --- eBGP --> Router C (vrf-lite)
>
> between Router B and Router C I have 5 links (4 are vrf-lite in Router C, the
> 5th is in the global table and used for MPLS ldp).
>
> I have configured on each router:
> ip multicast-routing (in C for example for both global and VRF), ip pim
> sparse-dense-mode on interfaces and the RP.
>
> If I connect with a cable in Router A I can view the multicast stream.
> Same if I connect in Router B.
>
> But in Router C it doesn't work (neither in the global table, nor in the
> VRFs from the vrf-lite implementation).
>
> Can you help with an advice or what I could be doing wrong? (I'm just a
> beginner/newbie when it comes to mcast)

Do you have an RP on the right-hand-side of your diagram and do you have
MSDP peering running between the left and right to distribute source info?
Antonio Querubin
whois: AQ7-ARIN

From markom at markom.info Tue Jul 8 17:27:44 2008
From: markom at markom.info (Marko Milivojevic)
Date: Tue, 8 Jul 2008 21:27:44 +0000
Subject: [c-nsp] VRF-Lite & Multicast question
In-Reply-To: <67F7C1FAF83A074AA3520D8F155782A501911616@xmb-ams-331.emea.cisco.com>
References: <4873A9FC.2020109@duras.ro> <67F7C1FAF83A074AA3520D8F155782A501911616@xmb-ams-331.emea.cisco.com>
Message-ID: <1fb747910807081427y162c1040x25e5213e6e0730f0@mail.gmail.com>

I think this could be a little more complicated than just that, since this
is essentially "interprovider multicast" :-).

What is configured as RP on C? If it's not the same as in A-B, you need to
configure MSDP between C and whatever is RP in A-B. Even if it is the same,
you may need a static mroute or multicast AF BGP between B and C to make it
work.

Not the simplest scenario to start with :-)

Kind regards,
Marko.

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mihai Tanasescu
> Sent: Tuesday, July 08, 2008 20:55 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] VRF-Lite & Multicast question
>
> Hello all,
>
> I have just started studying multicast for accomplishing a task that
> I've been given and don't know where / what I am doing wrong.
>
> My setup is something like the following:
>
> RP ---> Router A --- iBGP ---> Router B --- eBGP --> Router C (vrf-lite)
>
> between Router B and Router C I have 5 links (4 are vrf-lite in Router
> C, the 5th is in the global table and used for MPLS ldp).
>
> I have configured on each router:
> ip multicast-routing (in C for example for both global and VRF), ip pim
> sparse-dense-mode on interfaces and the RP.
>
> If I connect with a cable in Router A I can view the multicast stream.
> Same if I connect in Router B.
>
> But in Router C it doesn't work (neither in the global table, nor in
> the VRFs from the vrf-lite implementation).
> Can you help with an advice or what I could be doing wrong? (I'm just a
> beginner/newbie when it comes to mcast)

From Alley.Hasan at megapath.com Tue Jul 8 17:30:48 2008
From: Alley.Hasan at megapath.com (Alley Hasan)
Date: Tue, 8 Jul 2008 14:30:48 -0700
Subject: [c-nsp] VRF-Lite & Multicast question
In-Reply-To:
References: <4873A9FC.2020109@duras.ro>
Message-ID:

Some of the basic things to check:

- Everything should be pingable from everywhere, including the sender and
  receiver. Layer 3 connectivity should be complete before anything can
  happen.
- Make sure that the RP is pingable by the sender and the receiver.
- Make sure that the RP address is not mis-typed (it's amazing how many
  times that ends up being the culprit).
- Throw ip pim sparse on the loopbacks as well.

Hope this helps.

Sr. Network Engineer
Megapath Inc.
CCIE 9651

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Antonio Querubin
Sent: Tuesday, July 08, 2008 2:12 PM
To: Mihai Tanasescu
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] VRF-Lite & Multicast question

On Tue, 8 Jul 2008, Mihai Tanasescu wrote:

> I have just started studying multicast for accomplishing a task that I've
> been given and don't know where / what I am doing wrong.
>
> My setup is something like the following:
>
> RP ---> Router A --- iBGP ---> Router B --- eBGP --> Router C (vrf-lite)
>
> between Router B and Router C I have 5 links (4 are vrf-lite in Router C, the
> 5th is in the global table and used for MPLS ldp).
>
> I have configured on each router:
> ip multicast-routing (in C for example for both global and VRF), ip pim
> sparse-dense-mode on interfaces and the RP.
>
> If I connect with a cable in Router A I can view the multicast stream.
> Same if I connect in Router B.
>
> But in Router C it doesn't work (neither in the global table, nor in the
> VRFs from the vrf-lite implementation).
> Can you help with an advice or what I could be doing wrong? (I'm just a
> beginner/newbie when it comes to mcast)

Do you have an RP on the right-hand-side of your diagram and do you have
MSDP peering running between the left and right to distribute source info?

Antonio Querubin
whois: AQ7-ARIN

From ibrahim.abozaid at gmail.com Tue Jul 8 19:52:25 2008
From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid)
Date: Wed, 9 Jul 2008 02:52:25 +0300
Subject: [c-nsp] Frame-relay broadcast queue
Message-ID:

Dear All,

I was reading about the Frame-relay broadcast queue, which reserves by
default 25% of the PVC CIR and takes precedence over normal traffic, as it
queues routing updates. By default, 25% of interface bandwidth is reserved
for control traffic; is this reserved bandwidth the broadcast queue?

Your comments are highly appreciated.

best regards
--Ibrahim

From madunix at gmail.com Wed Jul 9 02:26:39 2008
From: madunix at gmail.com (Mad Unix)
Date: Wed, 9 Jul 2008 08:26:39 +0200
Subject: [c-nsp] Analog Dialer
Message-ID: <4d3f56c90807082326v532ee3b8sa5b8f91525c081e7@mail.gmail.com>

I have a PRI connecting 60 people using BRI and analog calls.
The Router 3800 PRI interface has a digital modem to accept
analog phone calls.
The analog callers can't connect!
What could be wrong?
interface Group-Async1
 description connected tp Dial-in pcs (Analog)
 ip unnumbered GigabitEthernet0/0
 encapsulation ppp
 no ip split-horizon
 dialer in-band
 dialer idle-timeout 3600
 dialer-group 1
 async mode interactive
 peer default ip address pool cisco3662-group-2
 no fair-queue
 ppp authentication chap pap ms-chap callin
 group-range 0/450 0/473

--
madunix

From oboehmer at cisco.com Wed Jul 9 02:39:14 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Wed, 9 Jul 2008 08:39:14 +0200
Subject: [c-nsp] Analog Dialer
In-Reply-To: <4d3f56c90807082326v532ee3b8sa5b8f91525c081e7@mail.gmail.com>
References: <4d3f56c90807082326v532ee3b8sa5b8f91525c081e7@mail.gmail.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405B1CDA7@xmb-ams-333.emea.cisco.com>

Can't tell based on this config alone. Can you please show the full
config? (at least the one of the Serialx/y:z (the D-channel), any dialer
interfaces and the "line" config at the end)?

http://www.cisco.com/en/US/products/hw/univgate/ps505/products_configuration_example09186a0080094a49.shtml
shows a sample AS5xxx config, which can easily be adapted to your
environment..

oli

Mad Unix <> wrote on Wednesday, July 09, 2008 8:27 AM:

> have a PRI connecting 60 ppl using BRI and Analog calls
> the Router 3800 PRI interface is having Digital modem to accept
> analog phone calls
> the analog callers can't connect!
> What could be wrong?
> > interface Group-Async1 > description connected tp Dial-in pcs (Analog) > ip unnumbered GigabitEthernet0/0 > encapsulation ppp > no ip split-horizon > dialer in-band > dialer idle-timeout 3600 > dialer-group 1 > async mode interactive > peer default ip address pool cisco3662-group-2 > no fair-queue > ppp authentication chap pap ms-chap callin > group-range 0/450 0/473 > -- > madunix > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From madunix at gmail.com Wed Jul 9 03:05:36 2008 From: madunix at gmail.com (Mad Unix) Date: Wed, 9 Jul 2008 09:05:36 +0200 Subject: [c-nsp] Analog Dialer In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405B1CDA7@xmb-ams-333.emea.cisco.com> References: <4d3f56c90807082326v532ee3b8sa5b8f91525c081e7@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405B1CDA7@xmb-ams-333.emea.cisco.com> Message-ID: <4d3f56c90807090005o44bd8d6ck319b3e2556497c01@mail.gmail.com> Am using interface Group-Async1 to accept analog calls for data transfer interface GigabitEthernet0/0 description $ES_LAN$ ip address 10.16.0.2 255.255.255.0 duplex auto speed auto media-type rj45 ! interface GigabitEthernet0/1 ip address 10.16.1.2 255.255.255.0 duplex auto speed auto media-type rj45 ! interface Serial0/0/0 description ---- Elect ---- ip address 10.14.11.5 255.255.255.252 ! interface Serial0/0/1 description --- Bank --- ip address 10.14.11.1 255.255.255.252 encapsulation ppp interface Serial4/0:15 no ip address encapsulation ppp no ip route-cache cef dialer rotary-group 1 dialer-group 2 isdn switch-type primary-net5 isdn incoming-voice modem isdn guard-timer 3000 ! interface Serial4/1:15 no ip address encapsulation ppp no ip route-cache cef dialer rotary-group 1 dialer-group 1 isdn switch-type primary-net5 isdn incoming-voice modem isdn guard-timer 3000 ! 
interface Dialer1 description connected to Dial-inPCs(ISDN) ip address 10.13.1.1 255.255.255.0 encapsulation ppp no ip split-horizon dialer in-band dialer idle-timeout 3600 dialer-group 1 peer default ip address pool Cisco3662-Group-1 ppp authentication chap pap ms-chap callin ! interface Group-Async1 description connected tp Dial-in pcs (Analog) ip unnumbered GigabitEthernet0/0 encapsulation ppp no ip split-horizon dialer in-band dialer idle-timeout 3600 dialer-group 1 async mode interactive peer default ip address pool cisco3662-group-2 no fair-queue ppp authentication chap pap ms-chap callin group-range 0/450 0/473 ip http server ip http authentication local ip http timeout-policy idle 60 life 86400 requests 10000 ! ip radius source-interface GigabitEthernet0/0 access-list 2 permit 10.5.0.0 0.0.255.255 access-list 100 permit ip 10.4.0.0 0.0.255.255 10.13.0.0 0.0.255.255 access-list 100 permit ip 10.5.0.0 0.0.255.255 10.13.0.0 0.0.255.255 access-list 100 permit ip 10.5.0.0 0.0.255.255 10.0.0.0 0.255.255.255 access-list 101 permit tcp host 10.5.3.10 any eq telnet dialer-list 1 protocol ip permit dialer-list 2 protocol ip permit On Wed, Jul 9, 2008 at 8:39 AM, Oliver Boehmer (oboehmer) < oboehmer at cisco.com> wrote: > Can't tell based on this config alone. can you please show the full > config? (at least the one of the Serialx/y:z (the D-channel), any dialer > interfaces and the "line" config at the end)? > http://www.cisco.com/en/US/products/hw/univgate/ps505/products_configura > tion_example09186a0080094a49.shtmlshows a sample AS5xxx config, which > can easily be adapted to your environment.. > > oli > > > Mad Unix <> wrote on Wednesday, July 09, 2008 8:27 AM: > > > have a PRI connecting 60 ppl using BRI and Analog calls > > the Router 3800 PRI interface is having Digital modem to accept > > analog phone calls > > the analog callers cant connect! > > What could be wrong? 
> > > > interface Group-Async1 > > description connected tp Dial-in pcs (Analog) > > ip unnumbered GigabitEthernet0/0 > > encapsulation ppp > > no ip split-horizon > > dialer in-band > > dialer idle-timeout 3600 > > dialer-group 1 > > async mode interactive > > peer default ip address pool cisco3662-group-2 > > no fair-queue > > ppp authentication chap pap ms-chap callin > > group-range 0/450 0/473 > > -- > > madunix > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > -- madunix From madunix at gmail.com Wed Jul 9 04:30:45 2008 From: madunix at gmail.com (Mad Unix) Date: Wed, 9 Jul 2008 10:30:45 +0200 Subject: [c-nsp] Analog Dialer In-Reply-To: <4d3f56c90807090005o44bd8d6ck319b3e2556497c01@mail.gmail.com> References: <4d3f56c90807082326v532ee3b8sa5b8f91525c081e7@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405B1CDA7@xmb-ams-333.emea.cisco.com> <4d3f56c90807090005o44bd8d6ck319b3e2556497c01@mail.gmail.com> Message-ID: <4d3f56c90807090130u3bb11da9wcd423f4512756068@mail.gmail.com> Any updates On Wed, Jul 9, 2008 at 9:05 AM, Mad Unix wrote: > Am using interface Group-Async1 to accept analog calls for data transfer > > > interface GigabitEthernet0/0 > description $ES_LAN$ > ip address 10.16.0.2 255.255.255.0 > duplex auto > speed auto > media-type rj45 > ! > interface GigabitEthernet0/1 > ip address 10.16.1.2 255.255.255.0 > duplex auto > speed auto > media-type rj45 > ! > interface Serial0/0/0 > description ---- Elect ---- > ip address 10.14.11.5 255.255.255.252 > ! > interface Serial0/0/1 > description --- Bank --- > ip address 10.14.11.1 255.255.255.252 > encapsulation ppp > > interface Serial4/0:15 > no ip address > encapsulation ppp > no ip route-cache cef > dialer rotary-group 1 > dialer-group 2 > isdn switch-type primary-net5 > isdn incoming-voice modem > isdn guard-timer 3000 > ! 
> interface Serial4/1:15 > no ip address > encapsulation ppp > no ip route-cache cef > dialer rotary-group 1 > dialer-group 1 > isdn switch-type primary-net5 > isdn incoming-voice modem > isdn guard-timer 3000 > ! > interface Dialer1 > description connected to Dial-inPCs(ISDN) > ip address 10.13.1.1 255.255.255.0 > encapsulation ppp > no ip split-horizon > dialer in-band > dialer idle-timeout 3600 > dialer-group 1 > peer default ip address pool Cisco3662-Group-1 > ppp authentication chap pap ms-chap callin > ! > interface Group-Async1 > description connected tp Dial-in pcs (Analog) > ip unnumbered GigabitEthernet0/0 > encapsulation ppp > no ip split-horizon > dialer in-band > dialer idle-timeout 3600 > dialer-group 1 > async mode interactive > peer default ip address pool cisco3662-group-2 > no fair-queue > ppp authentication chap pap ms-chap callin > group-range 0/450 0/473 > ip http server > ip http authentication local > ip http timeout-policy idle 60 life 86400 requests 10000 > ! > ip radius source-interface GigabitEthernet0/0 > access-list 2 permit 10.5.0.0 0.0.255.255 > access-list 100 permit ip 10.4.0.0 0.0.255.255 10.13.0.0 0.0.255.255 > access-list 100 permit ip 10.5.0.0 0.0.255.255 10.13.0.0 0.0.255.255 > access-list 100 permit ip 10.5.0.0 0.0.255.255 10.0.0.0 0.255.255.255 > access-list 101 permit tcp host 10.5.3.10 any eq telnet > dialer-list 1 protocol ip permit > dialer-list 2 protocol ip permit > > > On Wed, Jul 9, 2008 at 8:39 AM, Oliver Boehmer (oboehmer) < > oboehmer at cisco.com> wrote: > >> Can't tell based on this config alone. can you please show the full >> config? (at least the one of the Serialx/y:z (the D-channel), any dialer >> interfaces and the "line" config at the end)? >> http://www.cisco.com/en/US/products/hw/univgate/ps505/products_configura >> tion_example09186a0080094a49.shtmlshows a sample AS5xxx config, which >> can easily be adapted to your environment.. 
>> >> oli >> >> >> Mad Unix <> wrote on Wednesday, July 09, 2008 8:27 AM: >> >> > have a PRI connecting 60 ppl using BRI and Analog calls >> > the Router 3800 PRI interface is having Digital modem to accept >> > analog phone calls >> > the analog callers cant connect! >> > What could be wrong? >> > >> > interface Group-Async1 >> > description connected tp Dial-in pcs (Analog) >> > ip unnumbered GigabitEthernet0/0 >> > encapsulation ppp >> > no ip split-horizon >> > dialer in-band >> > dialer idle-timeout 3600 >> > dialer-group 1 >> > async mode interactive >> > peer default ip address pool cisco3662-group-2 >> > no fair-queue >> > ppp authentication chap pap ms-chap callin >> > group-range 0/450 0/473 >> > -- >> > madunix >> > _______________________________________________ >> > cisco-nsp mailing list cisco-nsp at puck.nether.net >> > https://puck.nether.net/mailman/listinfo/cisco-nsp >> > archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > > > > -- > madunix -- madunix From benny+usenet at amorsen.dk Wed Jul 9 04:31:18 2008 From: benny+usenet at amorsen.dk (Benny Amorsen) Date: Wed, 09 Jul 2008 10:31:18 +0200 Subject: [c-nsp] ASA or FRSW in transparent mode over qinq In-Reply-To: <323aca890807081028m614fc1fayb0691c1bbff27a0a@mail.gmail.com> (Pavel Skovajsa's message of "Tue\, 8 Jul 2008 19\:28\:57 +0200") References: <323aca890807081028m614fc1fayb0691c1bbff27a0a@mail.gmail.com> Message-ID: <1215592278.6067.107.camel@ursa.amorsen.dk> "Pavel Skovajsa" writes: > does anybody know whether ASA or FWSW is able to firewall qinq packets > in transparent mode? Does anybody have some configs of this? > In short we are a service provider who wants to offer firewall > protection to various customer qinq tunnels. I don't know the answer to your question, but I do have another one... Which firewall does MPLS providers use to connect customer VRF's to the Internet? 6500's with FWSM's? What if they have thousands of VRF's? 
All of the usual enterprise firewalls like ASA, Netscreen, Checkpoint VSX top out at a few hundred virtual firewalls per box. /Benny From oboehmer at cisco.com Wed Jul 9 05:05:41 2008 From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Wed, 9 Jul 2008 11:05:41 +0200 Subject: [c-nsp] Analog Dialer In-Reply-To: <4d3f56c90807090130u3bb11da9wcd423f4512756068@mail.gmail.com> References: <4d3f56c90807082326v532ee3b8sa5b8f91525c081e7@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405B1CDA7@xmb-ams-333.emea.cisco.com> <4d3f56c90807090005o44bd8d6ck319b3e2556497c01@mail.gmail.com> <4d3f56c90807090130u3bb11da9wcd423f4512756068@mail.gmail.com> Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405B1CEC7@xmb-ams-333.emea.cisco.com> some patience, please :-) .. we all do this in our spare time.. The "line" config is missing (i.e. the lower part of the config). can you send this as well? Please re-enable CEF on the serial interface ("ip route-cache cef") oli ________________________________ From: Mad Unix [mailto:madunix at gmail.com] Sent: Wednesday, July 09, 2008 10:31 AM To: Oliver Boehmer (oboehmer) Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Analog Dialer Any updates On Wed, Jul 9, 2008 at 9:05 AM, Mad Unix wrote: Am using interface Group-Async1 to accept analog calls for data transfer interface GigabitEthernet0/0 description $ES_LAN$ ip address 10.16.0.2 255.255.255.0 duplex auto speed auto media-type rj45 ! interface GigabitEthernet0/1 ip address 10.16.1.2 255.255.255.0 duplex auto speed auto media-type rj45 ! interface Serial0/0/0 description ---- Elect ---- ip address 10.14.11.5 255.255.255.252 ! interface Serial0/0/1 description --- Bank --- ip address 10.14.11.1 255.255.255.252 encapsulation ppp interface Serial4/0:15 no ip address encapsulation ppp no ip route-cache cef dialer rotary-group 1 dialer-group 2 isdn switch-type primary-net5 isdn incoming-voice modem isdn guard-timer 3000 ! 
interface Serial4/1:15 no ip address encapsulation ppp no ip route-cache cef dialer rotary-group 1 dialer-group 1 isdn switch-type primary-net5 isdn incoming-voice modem isdn guard-timer 3000 ! interface Dialer1 description connected to Dial-inPCs(ISDN) ip address 10.13.1.1 255.255.255.0 encapsulation ppp no ip split-horizon dialer in-band dialer idle-timeout 3600 dialer-group 1 peer default ip address pool Cisco3662-Group-1 ppp authentication chap pap ms-chap callin ! interface Group-Async1 description connected tp Dial-in pcs (Analog) ip unnumbered GigabitEthernet0/0 encapsulation ppp no ip split-horizon dialer in-band dialer idle-timeout 3600 dialer-group 1 async mode interactive peer default ip address pool cisco3662-group-2 no fair-queue ppp authentication chap pap ms-chap callin group-range 0/450 0/473 ip http server ip http authentication local ip http timeout-policy idle 60 life 86400 requests 10000 ! ip radius source-interface GigabitEthernet0/0 access-list 2 permit 10.5.0.0 0.0.255.255 access-list 100 permit ip 10.4.0.0 0.0.255.255 10.13.0.0 0.0.255.255 access-list 100 permit ip 10.5.0.0 0.0.255.255 10.13.0.0 0.0.255.255 access-list 100 permit ip 10.5.0.0 0.0.255.255 10.0.0.0 0.255.255.255 access-list 101 permit tcp host 10.5.3.10 any eq telnet dialer-list 1 protocol ip permit dialer-list 2 protocol ip permit On Wed, Jul 9, 2008 at 8:39 AM, Oliver Boehmer (oboehmer) wrote: Can't tell based on this config alone. can you please show the full config? (at least the one of the Serialx/y:z (the D-channel), any dialer interfaces and the "line" config at the end)? http://www.cisco.com/en/US/products/hw/univgate/ps505/products_configura tion_example09186a0080094a49.shtml shows a sample AS5xxx config, which can easily be adapted to your environment.. 
oli Mad Unix <> wrote on Wednesday, July 09, 2008 8:27 AM: > have a PRI connecting 60 ppl using BRI and Analog calls > the Router 3800 PRI interface is having Digital modem to accept > analog phone calls > the analog callers cant connect! > What could be wrong? > > interface Group-Async1 > description connected tp Dial-in pcs (Analog) > ip unnumbered GigabitEthernet0/0 > encapsulation ppp > no ip split-horizon > dialer in-band > dialer idle-timeout 3600 > dialer-group 1 > async mode interactive > peer default ip address pool cisco3662-group-2 > no fair-queue > ppp authentication chap pap ms-chap callin > group-range 0/450 0/473 > -- > madunix > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ -- madunix -- madunix From madunix at gmail.com Wed Jul 9 05:25:25 2008 From: madunix at gmail.com (Mad Unix) Date: Wed, 9 Jul 2008 11:25:25 +0200 Subject: [c-nsp] Analog Dialer In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405B1CEC7@xmb-ams-333.emea.cisco.com> References: <4d3f56c90807082326v532ee3b8sa5b8f91525c081e7@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405B1CDA7@xmb-ams-333.emea.cisco.com> <4d3f56c90807090005o44bd8d6ck319b3e2556497c01@mail.gmail.com> <4d3f56c90807090130u3bb11da9wcd423f4512756068@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405B1CEC7@xmb-ams-333.emea.cisco.com> Message-ID: <4d3f56c90807090225x35c782c4lfd64df4a4a1db3c4@mail.gmail.com> I have added this but it didnt help it keeps trying to connect to authenticate then failed SDC_R2#conf t Enter configuration commands, one per line. End with CNTL/Z. 
SDC_R2(config)#line 450 473 SDC_R2(config-line)#exec-timeout 0 0 SDC_R2(config-line)#modem Dialin SDC_R2(config-line)#transport input all SDC_R2(config-line)#autoselect during-login SDC_R2(config-line)#autoselect ppp SDC_R2(config-line)# SDC_R2(config-line)#exit SDC_R2(config)#exit SDC_R2#sh line Tty Line Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int 0 0 CTY - - - - - 1 0 0/0 - Ready 1 1 AUX 9600/9600 - - - - - 0 0 0/0 - Ready I 0/450 450 TTY - DialIn - - - 0 0 0/0 - Idle I 0/451 451 TTY - DialIn - - - 0 0 0/0 - Idle I 0/452 452 TTY - DialIn - - - 0 0 0/0 - Idle I 0/453 453 TTY - DialIn - - - 0 0 0/0 - Idle I 0/454 454 TTY - DialIn - - - 0 0 0/0 - Idle I 0/455 455 TTY - DialIn - - - 0 0 0/0 - Idle I 0/456 456 TTY - DialIn - - - 0 0 0/0 - Idle I 0/457 457 TTY - DialIn - - - 0 0 0/0 - Idle I 0/458 458 TTY - DialIn - - - 0 0 0/0 - Idle I 0/459 459 TTY - DialIn - - - 0 0 0/0 - Idle I 0/460 460 TTY - DialIn - - - 0 0 0/0 - Idle I 0/461 461 TTY - DialIn - - - 0 0 0/0 - Idle I 0/462 462 TTY - DialIn - - - 0 0 0/0 - Idle I 0/463 463 TTY - DialIn - - - 0 0 0/0 - Idle I 0/464 464 TTY - DialIn - - - 0 0 0/0 - Idle I 0/465 465 TTY - DialIn - - - 0 0 0/0 - Idle I 0/466 466 TTY - DialIn - - - 0 0 0/0 - Idle I 0/467 467 TTY - DialIn - - - 0 0 0/0 - Idle I 0/468 468 TTY - DialIn - - - 0 0 0/0 - Idle I 0/469 469 TTY - DialIn - - - 0 0 0/0 - Idle I 0/470 470 TTY - DialIn - - - 0 0 0/0 - Idle I 0/471 471 TTY - DialIn - - - 0 0 0/0 - Idle I 0/472 472 TTY - DialIn - - - 0 0 0/0 - Idle I 0/473 473 TTY - DialIn - - - 0 0 0/0 - Idle * 706 706 VTY - - - - - 50 0 0/0 - Ready * 707 707 VTY - - - - - 9 0 0/0 - Ready 708 708 VTY - - - - - 1 0 0/0 - Ready 709 709 VTY - - - - - 0 0 0/0 - Idle 710 710 VTY - - - - - 0 0 0/0 - Idle Line(s) not in async mode -or- with no hardware support: 2-449, 474-705 regarding the CEF we have disabled becuase it was disconnecting the Dialer after atime... 
so we added this no ip route-cache cef interface Serial4/0:15 no ip address encapsulation ppp no ip route-cache cef dialer rotary-group 1 dialer-group 2 isdn switch-type primary-net5 isdn incoming-voice modem isdn guard-timer 3000 ! interface Serial4/1:15 no ip address encapsulation ppp no ip route-cache cef dialer rotary-group 1 dialer-group 1 isdn switch-type primary-net5 isdn incoming-voice modem isdn guard-timer 3000 ! On Wed, Jul 9, 2008 at 11:05 AM, Oliver Boehmer (oboehmer) < oboehmer at cisco.com> wrote: > some patience, please :-) .. we all do this in our spare time.. > > The "line" config is missing (i.e. the lower part of the config). can you > send this as well? > Please re-enable CEF on the serial interface ("ip route-cache cef") > > oli > > ------------------------------ > *From:* Mad Unix [mailto:madunix at gmail.com] > *Sent:* Wednesday, July 09, 2008 10:31 AM > *To:* Oliver Boehmer (oboehmer) > *Cc:* cisco-nsp at puck.nether.net > *Subject:* Re: [c-nsp] Analog Dialer > > Any updates > > On Wed, Jul 9, 2008 at 9:05 AM, Mad Unix wrote: > >> Am using interface Group-Async1 to accept analog calls for data transfer >> >> >> interface GigabitEthernet0/0 >> description $ES_LAN$ >> ip address 10.16.0.2 255.255.255.0 >> duplex auto >> speed auto >> media-type rj45 >> ! >> interface GigabitEthernet0/1 >> ip address 10.16.1.2 255.255.255.0 >> duplex auto >> speed auto >> media-type rj45 >> ! >> interface Serial0/0/0 >> description ---- Elect ---- >> ip address 10.14.11.5 255.255.255.252 >> ! >> interface Serial0/0/1 >> description --- Bank --- >> ip address 10.14.11.1 255.255.255.252 >> encapsulation ppp >> >> interface Serial4/0:15 >> no ip address >> encapsulation ppp >> no ip route-cache cef >> dialer rotary-group 1 >> dialer-group 2 >> isdn switch-type primary-net5 >> isdn incoming-voice modem >> isdn guard-timer 3000 >> ! 
>> interface Serial4/1:15 >> no ip address >> encapsulation ppp >> no ip route-cache cef >> dialer rotary-group 1 >> dialer-group 1 >> isdn switch-type primary-net5 >> isdn incoming-voice modem >> isdn guard-timer 3000 >> ! >> interface Dialer1 >> description connected to Dial-inPCs(ISDN) >> ip address 10.13.1.1 255.255.255.0 >> encapsulation ppp >> no ip split-horizon >> dialer in-band >> dialer idle-timeout 3600 >> dialer-group 1 >> peer default ip address pool Cisco3662-Group-1 >> ppp authentication chap pap ms-chap callin >> ! >> interface Group-Async1 >> description connected tp Dial-in pcs (Analog) >> ip unnumbered GigabitEthernet0/0 >> encapsulation ppp >> no ip split-horizon >> dialer in-band >> dialer idle-timeout 3600 >> dialer-group 1 >> async mode interactive >> peer default ip address pool cisco3662-group-2 >> no fair-queue >> ppp authentication chap pap ms-chap callin >> group-range 0/450 0/473 >> ip http server >> ip http authentication local >> ip http timeout-policy idle 60 life 86400 requests 10000 >> ! >> ip radius source-interface GigabitEthernet0/0 >> access-list 2 permit 10.5.0.0 0.0.255.255 >> access-list 100 permit ip 10.4.0.0 0.0.255.255 10.13.0.0 0.0.255.255 >> access-list 100 permit ip 10.5.0.0 0.0.255.255 10.13.0.0 0.0.255.255 >> access-list 100 permit ip 10.5.0.0 0.0.255.255 10.0.0.0 0.255.255.255 >> access-list 101 permit tcp host 10.5.3.10 any eq telnet >> dialer-list 1 protocol ip permit >> dialer-list 2 protocol ip permit >> >> >> On Wed, Jul 9, 2008 at 8:39 AM, Oliver Boehmer (oboehmer) < >> oboehmer at cisco.com> wrote: >> >>> Can't tell based on this config alone. can you please show the full >>> config? (at least the one of the Serialx/y:z (the D-channel), any dialer >>> interfaces and the "line" config at the end)? >>> http://www.cisco.com/en/US/products/hw/univgate/ps505/products_configura >>> tion_example09186a0080094a49.shtml shows a sample AS5xxx config, which >>> can easily be adapted to your environment.. 
>>> >>> oli >>> >>> >>> Mad Unix <> wrote on Wednesday, July 09, 2008 8:27 AM: >>> >>> > have a PRI connecting 60 ppl using BRI and Analog calls >>> > the Router 3800 PRI interface is having Digital modem to accept >>> > analog phone calls >>> > the analog callers cant connect! >>> > What could be wrong? >>> > >>> > interface Group-Async1 >>> > description connected tp Dial-in pcs (Analog) >>> > ip unnumbered GigabitEthernet0/0 >>> > encapsulation ppp >>> > no ip split-horizon >>> > dialer in-band >>> > dialer idle-timeout 3600 >>> > dialer-group 1 >>> > async mode interactive >>> > peer default ip address pool cisco3662-group-2 >>> > no fair-queue >>> > ppp authentication chap pap ms-chap callin >>> > group-range 0/450 0/473 >>> > -- >>> > madunix >>> > _______________________________________________ >>> > cisco-nsp mailing list cisco-nsp at puck.nether.net >>> > https://puck.nether.net/mailman/listinfo/cisco-nsp >>> > archive at http://puck.nether.net/pipermail/cisco-nsp/ >>> >> >> >> >> -- >> madunix > > > > > -- > madunix > -- madunix From oboehmer at cisco.com Wed Jul 9 07:09:58 2008 From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Wed, 9 Jul 2008 13:09:58 +0200 Subject: [c-nsp] Analog Dialer In-Reply-To: <4d3f56c90807090225x35c782c4lfd64df4a4a1db3c4@mail.gmail.com> References: <4d3f56c90807082326v532ee3b8sa5b8f91525c081e7@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405B1CDA7@xmb-ams-333.emea.cisco.com> <4d3f56c90807090005o44bd8d6ck319b3e2556497c01@mail.gmail.com> <4d3f56c90807090130u3bb11da9wcd423f4512756068@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405B1CEC7@xmb-ams-333.emea.cisco.com> <4d3f56c90807090225x35c782c4lfd64df4a4a1db3c4@mail.gmail.com> Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405B1CF9A@xmb-ams-333.emea.cisco.com> Hmm, so how far does the connection go? Do the modems train up? 
You might want to go through http://www.cisco.com/en/US/tech/tk801/tk36/technologies_tech_note09186a0 080094eb9.shtml or http://www.cisco.com/en/US/tech/tk713/tk507/technologies_tech_note09186a 008019cfa7.shtml oli ________________________________ From: Mad Unix [mailto:madunix at gmail.com] Sent: Wednesday, July 09, 2008 11:25 AM To: Oliver Boehmer (oboehmer) Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Analog Dialer I have added this but it didnt help it keeps trying to connect to authenticate then failed SDC_R2#conf t Enter configuration commands, one per line. End with CNTL/Z. SDC_R2(config)#line 450 473 SDC_R2(config-line)#exec-timeout 0 0 SDC_R2(config-line)#modem Dialin SDC_R2(config-line)#transport input all SDC_R2(config-line)#autoselect during-login SDC_R2(config-line)#autoselect ppp SDC_R2(config-line)# SDC_R2(config-line)#exit SDC_R2(config)#exit SDC_R2#sh line Tty Line Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int 0 0 CTY - - - - - 1 0 0/0 - Ready 1 1 AUX 9600/9600 - - - - - 0 0 0/0 - Ready I 0/450 450 TTY - DialIn - - - 0 0 0/0 - Idle I 0/451 451 TTY - DialIn - - - 0 0 0/0 - Idle I 0/452 452 TTY - DialIn - - - 0 0 0/0 - Idle I 0/453 453 TTY - DialIn - - - 0 0 0/0 - Idle I 0/454 454 TTY - DialIn - - - 0 0 0/0 - Idle I 0/455 455 TTY - DialIn - - - 0 0 0/0 - Idle I 0/456 456 TTY - DialIn - - - 0 0 0/0 - Idle I 0/457 457 TTY - DialIn - - - 0 0 0/0 - Idle I 0/458 458 TTY - DialIn - - - 0 0 0/0 - Idle I 0/459 459 TTY - DialIn - - - 0 0 0/0 - Idle I 0/460 460 TTY - DialIn - - - 0 0 0/0 - Idle I 0/461 461 TTY - DialIn - - - 0 0 0/0 - Idle I 0/462 462 TTY - DialIn - - - 0 0 0/0 - Idle I 0/463 463 TTY - DialIn - - - 0 0 0/0 - Idle I 0/464 464 TTY - DialIn - - - 0 0 0/0 - Idle I 0/465 465 TTY - DialIn - - - 0 0 0/0 - Idle I 0/466 466 TTY - DialIn - - - 0 0 0/0 - Idle I 0/467 467 TTY - DialIn - - - 0 0 0/0 - Idle I 0/468 468 TTY - DialIn - - - 0 0 0/0 - Idle I 0/469 469 TTY - DialIn - - - 0 0 0/0 - Idle I 0/470 470 TTY - DialIn - - - 0 0 0/0 - 
Idle I 0/471 471 TTY - DialIn - - - 0 0 0/0 - Idle I 0/472 472 TTY - DialIn - - - 0 0 0/0 - Idle I 0/473 473 TTY - DialIn - - - 0 0 0/0 - Idle * 706 706 VTY - - - - - 50 0 0/0 - Ready * 707 707 VTY - - - - - 9 0 0/0 - Ready 708 708 VTY - - - - - 1 0 0/0 - Ready 709 709 VTY - - - - - 0 0 0/0 - Idle 710 710 VTY - - - - - 0 0 0/0 - Idle Line(s) not in async mode -or- with no hardware support: 2-449, 474-705 regarding the CEF we have disabled becuase it was disconnecting the Dialer after atime... so we added this no ip route-cache cef interface Serial4/0:15 no ip address encapsulation ppp no ip route-cache cef dialer rotary-group 1 dialer-group 2 isdn switch-type primary-net5 isdn incoming-voice modem isdn guard-timer 3000 ! interface Serial4/1:15 no ip address encapsulation ppp no ip route-cache cef dialer rotary-group 1 dialer-group 1 isdn switch-type primary-net5 isdn incoming-voice modem isdn guard-timer 3000 ! On Wed, Jul 9, 2008 at 11:05 AM, Oliver Boehmer (oboehmer) wrote: some patience, please :-) .. we all do this in our spare time.. The "line" config is missing (i.e. the lower part of the config). can you send this as well? Please re-enable CEF on the serial interface ("ip route-cache cef") oli ________________________________ From: Mad Unix [mailto:madunix at gmail.com] Sent: Wednesday, July 09, 2008 10:31 AM To: Oliver Boehmer (oboehmer) Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Analog Dialer Any updates On Wed, Jul 9, 2008 at 9:05 AM, Mad Unix wrote: Am using interface Group-Async1 to accept analog calls for data transfer interface GigabitEthernet0/0 description $ES_LAN$ ip address 10.16.0.2 255.255.255.0 duplex auto speed auto media-type rj45 ! interface GigabitEthernet0/1 ip address 10.16.1.2 255.255.255.0 duplex auto speed auto media-type rj45 ! interface Serial0/0/0 description ---- Elect ---- ip address 10.14.11.5 255.255.255.252 ! 
interface Serial0/0/1 description --- Bank --- ip address 10.14.11.1 255.255.255.252 encapsulation ppp interface Serial4/0:15 no ip address encapsulation ppp no ip route-cache cef dialer rotary-group 1 dialer-group 2 isdn switch-type primary-net5 isdn incoming-voice modem isdn guard-timer 3000 ! interface Serial4/1:15 no ip address encapsulation ppp no ip route-cache cef dialer rotary-group 1 dialer-group 1 isdn switch-type primary-net5 isdn incoming-voice modem isdn guard-timer 3000 ! interface Dialer1 description connected to Dial-inPCs(ISDN) ip address 10.13.1.1 255.255.255.0 encapsulation ppp no ip split-horizon dialer in-band dialer idle-timeout 3600 dialer-group 1 peer default ip address pool Cisco3662-Group-1 ppp authentication chap pap ms-chap callin ! interface Group-Async1 description connected tp Dial-in pcs (Analog) ip unnumbered GigabitEthernet0/0 encapsulation ppp no ip split-horizon dialer in-band dialer idle-timeout 3600 dialer-group 1 async mode interactive peer default ip address pool cisco3662-group-2 no fair-queue ppp authentication chap pap ms-chap callin group-range 0/450 0/473 ip http server ip http authentication local ip http timeout-policy idle 60 life 86400 requests 10000 ! ip radius source-interface GigabitEthernet0/0 access-list 2 permit 10.5.0.0 0.0.255.255 access-list 100 permit ip 10.4.0.0 0.0.255.255 10.13.0.0 0.0.255.255 access-list 100 permit ip 10.5.0.0 0.0.255.255 10.13.0.0 0.0.255.255 access-list 100 permit ip 10.5.0.0 0.0.255.255 10.0.0.0 0.255.255.255 access-list 101 permit tcp host 10.5.3.10 any eq telnet dialer-list 1 protocol ip permit dialer-list 2 protocol ip permit On Wed, Jul 9, 2008 at 8:39 AM, Oliver Boehmer (oboehmer) wrote: Can't tell based on this config alone. can you please show the full config? (at least the one of the Serialx/y:z (the D-channel), any dialer interfaces and the "line" config at the end)? 
http://www.cisco.com/en/US/products/hw/univgate/ps505/products_configura tion_example09186a0080094a49.shtml shows a sample AS5xxx config, which can easily be adapted to your environment.. oli Mad Unix <> wrote on Wednesday, July 09, 2008 8:27 AM: > have a PRI connecting 60 ppl using BRI and Analog calls > the Router 3800 PRI interface is having Digital modem to accept > analog phone calls > the analog callers cant connect! > What could be wrong? > > interface Group-Async1 > description connected tp Dial-in pcs (Analog) > ip unnumbered GigabitEthernet0/0 > encapsulation ppp > no ip split-horizon > dialer in-band > dialer idle-timeout 3600 > dialer-group 1 > async mode interactive > peer default ip address pool cisco3662-group-2 > no fair-queue > ppp authentication chap pap ms-chap callin > group-range 0/450 0/473 > -- > madunix > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ -- madunix -- madunix -- madunix From david.freedman at uk.clara.net Wed Jul 9 08:29:54 2008 From: david.freedman at uk.clara.net (David Freedman) Date: Wed, 9 Jul 2008 13:29:54 +0100 Subject: [c-nsp] CSCek62099 Message-ID: Have been hitting what I think is this bug on a number of CPE, applying the workaround "ppp multilink fragment delay" fixes the problem, but applying supposedly fixed IOS releases (tried 12.3-22M and 12.4-19M) does not make the problem go away (i.e workaround has still to be applied) , since I'm sure these releases were tested properly, has anybody else seen this behaviour (no PPPoE headers on CEF MLPPP with single link) and perhaps it is not CSCek62099? Am about to open TAC case, but thought I would ask.. Dave. 
------------------------------------------------
David Freedman
Group Network Engineering
Claranet Limited
http://www.clara.net

From eng_mssk at hotmail.com Wed Jul 9 09:32:44 2008
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Wed, 9 Jul 2008 16:32:44 +0300
Subject: [c-nsp] MPLS L2 VPN any to any

Hey all,

I have a problem in a setup. We have 2 Cisco routers acting as MPLS PE routers; one is a 7609 and the other is a 7206. We are trying to implement MPLS L2 VPN between an ATM sub-interface on one router and Gigabit Ethernet (also a sub-interface) on the other router, but the xconnect never came up. Can anyone help in this regard?

Thanks in advance

BR,
Mohammad Khalil

From markom at markom.info Wed Jul 9 09:50:54 2008
From: markom at markom.info (Marko Milivojevic)
Date: Wed, 9 Jul 2008 13:50:54 +0000
Subject: [c-nsp] MPLS L2 VPN any to any
Message-ID: <1fb747910807090650w57fc4bf7mab77da455f90c612@mail.gmail.com>

This is a little bit software-dependent; not all IOS releases will support the configuration. Did you configure interworking in the pseudowire configuration?

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fsinterw.html#wp1055162
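An added example, not code from any of the posts and not Cisco's: a small Python audit over IOS config text that performs the checks these two threads turn on. For the Analog Dialer thread earlier on this page it checks that every TTY in the Group-Async group-range has a "line" block with "modem Dialin", that CEF is still off on the PRI D-channel, and it also flags two exposure points visible in the posted config (PAP allowed in "ppp authentication", "ip http server" without "ip http secure-server"); for this MPLS L2 VPN thread it checks that both PE ends of the pseudowire agree on VC id, interworking type and attachment-circuit MTU. The configs inside are constructed from the posted snippets; peers, VC id, pw-class name, interface names, MTUs and the shortened "line 450 469" range are assumptions.

```python
import re

# Constructed from the Analog Dialer thread's snippets; 'line' stops at 469 on purpose.
DIALIN_CONFIG = """\
interface Serial4/0:15
 no ip route-cache cef
!
interface Group-Async1
 ppp authentication chap pap ms-chap callin
 group-range 0/450 0/473
!
ip http server
!
line 450 469
 modem Dialin
"""
# Constructed PEs for the MPLS L2 VPN thread (peers, VC id, names, MTUs assumed).
PE_ATM = """\
pseudowire-class ATM-ETH-IW
 encapsulation mpls
 interworking ip
!
interface ATM1/0.100 point-to-point
 mtu 1500
 pvc 0/100 l2transport
  encapsulation aal5snap
  xconnect 10.255.0.2 100 pw-class ATM-ETH-IW
"""
PE_ETH = """\
pseudowire-class ATM-ETH-IW
 encapsulation mpls
!
interface GigabitEthernet3/1.100
 mtu 1500
 xconnect 10.255.0.1 100 pw-class ATM-ETH-IW
"""

def parse_ios(config):
    """Map each top-level IOS command to its indented sub-lines (nesting flattened)."""
    blocks, current = {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == "!":
            continue
        if raw[0] in " \t" and current is not None:
            blocks[current].append(text)
        else:
            current = text
            blocks.setdefault(current, [])
    return blocks

def audit_dialin(config):
    """Line coverage of the Group-Async range, CEF on the D-channel, PAP, plain HTTP."""
    blocks, findings, covered = parse_ios(config), [], {}
    for hdr, body in blocks.items():
        m = re.match(r"line (\d+) (\d+)$", hdr)
        if m:
            for tty in range(int(m.group(1)), int(m.group(2)) + 1):
                covered[tty] = [c.lower() for c in body]
    for hdr, body in blocks.items():
        if hdr.startswith("interface Group-Async"):
            for cmd in body:
                m = re.match(r"group-range \d+/(\d+) \d+/(\d+)$", cmd)
                if m:
                    gaps = [t for t in range(int(m.group(1)), int(m.group(2)) + 1)
                            if "modem dialin" not in covered.get(t, [])]
                    if gaps:
                        findings.append(f"{hdr}: tty {gaps[0]}-{gaps[-1]} lack a "
                                        "'line' block with 'modem Dialin'")
                if cmd.startswith("ppp authentication") and "pap" in cmd.split():
                    findings.append(f"{hdr}: PAP allowed, password crosses the call in clear")
        elif hdr.startswith("interface Serial") and "no ip route-cache cef" in body:
            findings.append(f"{hdr}: CEF disabled on the PRI D-channel")
    if "ip http server" in blocks and "ip http secure-server" not in blocks:
        findings.append("ip http server without ip http secure-server (plain HTTP)")
    return findings

def audit_xconnect(pe_configs):
    """Same VC id, interworking set and equal on both PEs, equal attachment-circuit MTU."""
    ends = []
    for pe, cfg in pe_configs.items():
        blocks = parse_ios(cfg)
        classes = {h.split()[1]: b for h, b in blocks.items()
                   if h.startswith("pseudowire-class ")}
        for hdr, body in blocks.items():
            for cmd in body:
                m = re.match(r"xconnect \S+ (\d+) pw-class (\S+)$", cmd)
                if m and hdr.startswith("interface "):
                    iw = next((c.split()[1] for c in classes.get(m.group(2), [])
                               if c.startswith("interworking ")), None)
                    mtu = next((int(c.split()[1]) for c in body
                                if c.startswith("mtu ")), None)
                    ends.append((pe, int(m.group(1)), iw, mtu))
    if len(ends) != 2:
        return [f"expected one xconnect per PE, found {len(ends)}"]
    (p1, v1, iw1, m1), (p2, v2, iw2, m2) = ends
    return [f"{what} mismatch: {p1}={a} {p2}={b}"
            for what, a, b in (("VC id", v1, v2), ("interworking", iw1, iw2), ("MTU", m1, m2))
            if a != b or (what == "interworking" and a is None)]
```

Running both audits on the constructed inputs reports the four dial-in findings and a single "interworking mismatch" for the pseudowire; adding "interworking ip" to PE_ETH clears the latter.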
From ccie15385 at gmail.com Wed Jul 9 10:01:44 2008
From: ccie15385 at gmail.com (JH Cockburn)
Date: Wed, 9 Jul 2008 16:01:44 +0200
Subject: [c-nsp] MPLS L2 VPN any to any
In-Reply-To:
References:
Message-ID: <000301c8e1cc$54ea0520$8604030a@africa.enterprise.root>

Hi,

Make sure about the MTU sizes on the interfaces... they must be the same, I think....

Let me know

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil
Sent: Wednesday, July 09, 2008 3:33 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] MPLS L2 VPN any to any

Hey all
i have a problem in a setup
we have 2 Cisco routers acting as MPLS PE routers , one is 7609 and the other is 7206
we are trying to implement MPLS L2 VPN between ATM sub interface on one router and Giga ethernet (also sub interface) on the other router
but the xconnect never came up
can anyone help in regard??
Thanks in advance
BR,
Mohammad Khalil

From James.Munroe at gnb.ca Wed Jul 9 09:35:40 2008
From: James.Munroe at gnb.ca (Munroe, James (DSS/MAS))
Date: Wed, 9 Jul 2008 10:35:40 -0300
Subject: [c-nsp] Looking for other's experiences with 12.2.31-SBxx or 12.2.33-SRC1 on 7204VXRs w/ NPE-2G
Message-ID: <458B3EC21E4A3044998E917199AACB2F5C4B05@GNBEX02.gnb.ca>

Hello,

Looking at upgrading our MBGP Route Reflectors to support the new MDT SAFI address family. Just curious if anyone has run into trouble with either the 12.2.31-SBxx or 12.2.33-SRC1 code trains for a Cisco 7204VXR (NPE-2G)? These 7200's are dedicated RR's serving no other functions other than our MPLS vpnv4 addressing.
Any thoughts or experiences would be appreciated.

Thanks,
Jim Munroe

From mcrocker at crocker.com Wed Jul 9 10:33:58 2008
From: mcrocker at crocker.com (Matthew Crocker)
Date: Wed, 9 Jul 2008 10:33:58 -0400
Subject: [c-nsp] MPLS capabilities of SUP2
Message-ID: <17D99581-751E-41ED-A9BD-CA2E1D5C5543@crocker.com>

I'm working with a customer on a network redesign. The plan is to use 7206/NPE-G1s as PE routers and 6509/SUP2 as P routers. The SUP2s would only need to switch the MPLS tags; they won't need to do anything special. The 7206s will handle the grunt work of maintaining per-VRF routing tables and adding/removing MPLS tags.

Can the SUP2 handle this or will I need to go to SUP720/3BXL? I could just dumb the 6509s down and run everything L2 with dot1q VLANs, but looking to the future MPLS would be nice.

The layout would be

CUST <--T1/IP--> [7206] <--GigE/MPLS--> [6509] <--GigE/MPLS--> [6509] <--GigE/MPLS--> [7206] <--T1/IP-> CUST

From kelvin_team at yahoo.com Wed Jul 9 10:49:42 2008
From: kelvin_team at yahoo.com (Kelvin Goei)
Date: Wed, 9 Jul 2008 07:49:42 -0700 (PDT)
Subject: [c-nsp] Intermittent management vlan connectivity
Message-ID: <373570.9745.qm@web56715.mail.re3.yahoo.com>

Hi,

I have one 6513 edge switch with SUP32; it's connected to 2 upstream distribution switches using a port-channel. There is another 3550 edge switch connected to the 6513 edge switch with a single uplink. All have the management VLAN on Vlan2. The problem now is that the ping to interface Vlan2 of the 6513 edge switch and of the other 3550 switch connected to it is intermittent. I checked interface Vlan2 on both the 6513 and the 3550; both have proxy-arp enabled, but not the distribution switch. What could be the reason for this? The switch is up all the time, and user traffic on other VLANs is OK; just traffic from Vlan2 is intermittent.

Any help really appreciated.

Thanks.

Regards,
Kelvin.
From oboehmer at cisco.com Wed Jul 9 10:56:09 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Wed, 9 Jul 2008 16:56:09 +0200
Subject: [c-nsp] MPLS capabilities of SUP2
In-Reply-To: <17D99581-751E-41ED-A9BD-CA2E1D5C5543@crocker.com>
References: <17D99581-751E-41ED-A9BD-CA2E1D5C5543@crocker.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405B1D135@xmb-ams-333.emea.cisco.com>

As many others will suggest: the PFC2 on the Sup2 has *no* MPLS capability; it can't switch MPLS-tagged packets. Period :-|

So unless you're using your Sup2 as pure Layer 2 (then it doesn't care), you need to buy OSMs or FlexWANs to do the tagging, so you want to go with Sup720 or Sup32.

oli

Matthew Crocker <> wrote on Wednesday, July 09, 2008 4:34 PM:
> I'm working with a customer on a network redesign. The plan is to use
> 7206/NPE-G1s as PE routers and 6509/SUP2 as P routers. The SUP2s
> would only need to switch the MPLS tags they won't need to do anything
> special. The 7206s will handle the grunt work of maintaining per VRF
> routing tables and adding/removing MPLS tags.
>
> Can the SUP2 handle this or will I need to go to SUP720/3BXL? I could
> just dumb the 6509s down and run everything L2 with dot1q VLANs but
> looking to the future MPLS would be nice.
>
> The layout would be
>
> CUST <--T1/IP--> [7206] <--GigE/MPLS--> [6509] <--GigE/MPLS--> [6509]
> <--GigE/MPLS--> [7206] <--T1/IP-> CUST

From squid at oranged.to Wed Jul 9 11:06:12 2008
From: squid at oranged.to (Jimmy Stewpot)
Date: Wed, 09 Jul 2008 16:06:12 +0100
Subject: [c-nsp] 6500 port capabilities and port mappings
Message-ID: <4874D3E4.50206@oranged.to>

Hello,

I have been working on diagnosing an issue where certain servers have been experiencing poor network performance over a pvlan network.
Through diagnostics I have found a few points which I would like to try and understand a little better. The switch is a 6500 running in hybrid IOS/CatOS. The blade in question is a WS-X6516A-GBIC. When I run the following command I get the "Maximum Allowed Mappings:" variable of 32.

show port capabilities 3/14
Model                    WS-X6516A-GBIC
Port                     3/14
Type                     1000BaseT
Auto MDIX                no
AuxiliaryVlan            no
Broadcast suppression    percentage(0-100)
Channel                  yes
COPS port group          3/13-16
CoS rewrite              yes
Dot1q-all-tagged         yes
Dot1x                    yes
Duplex                   full
Fast start               yes
Flow control             receive-(off,on,desired),send-(off,on,desired)
Inline power             no
Jumbo frames             yes
Link debounce timer      yes
Link debounce timer delay yes
Membership               static,dynamic
Port ASIC group          3/10,3/12,3/14,3/16
Port VLAN Mapping Group: 3/9-16
Maximum Allowed Mappings: 32
QOS scheduling           rx-(1p1q4t),tx-(1p2q2t)
Security                 yes
SPAN                     source,destination
Speed                    1000
Sync restart delay       yes
ToS rewrite              DSCP
Trunk encap type         802.1Q,ISL
Trunk mode               on,off,desirable,auto,nonegotiate
UDLD                     yes

From reading through the Cisco documentation I have been able to find very little which actually tells me what that means. We currently have well over 126 mappings on the port in question and have been having no other issues. Can someone tell me what that really means?

Regards,
Jimmy.

From nick.jon.griffin at gmail.com Wed Jul 9 11:35:17 2008
From: nick.jon.griffin at gmail.com (Nick Griffin)
Date: Wed, 9 Jul 2008 10:35:17 -0500
Subject: [c-nsp] C3750-24PS and VRF-Lite/Multi VRF
Message-ID:

I am thinking that I should be able to create sub-interfaces on these devices to be used for multiple VRFs, but maybe I'm confused. I have some routed core/dist links I need to maintain as well as extending some services via VRF Lite. I have tried ip serv, adv ip serv, etc. and I am still unable to configure a subinterface. Am I missing something? Does this require a 3750E?
interface fas 1/0/1
 no switchport
 ip address 1.1.1.1 255.255.255.0

int fas 1/0/1.100, etc
 ip vrf forwarding VRF1
 ip address 2.2.2.2 255.255.255.0

Hope this makes sense, thanks in advance,

Nick Griffin

From markom at markom.info Wed Jul 9 11:44:10 2008
From: markom at markom.info (Marko Milivojevic)
Date: Wed, 9 Jul 2008 15:44:10 +0000
Subject: [c-nsp] C3750-24PS and VRF-Lite/Multi VRF
In-Reply-To:
References:
Message-ID: <1fb747910807090844k275952fdwd4d75679a7f5e0d7@mail.gmail.com>

I think that you need to use SVIs (interface vlan xxx) combined with trunks on these boxes. They don't support subinterfaces, as far as I recall.

On Wed, Jul 9, 2008 at 15:35, Nick Griffin wrote:
> I am thinking that I should be able to create sub-interfaces on these
> devices to be used for multiple vrf's, but maybe I'm confused. I have some
> routed core/dist links I need to maintain as well as extended some services
> via VRF Lite. I have tried ip serv, adv ip serv, etc and I am still unable
> to configure a subinterface. Am I missing something, does this require a
> 3750E?
>
> interface fas 1/0/1
>  no switchport
>  ip address 1.1.1.1 255.255.255.0
>
> int fas 1/0/1.100, etc
>  ip vrf forwarding VRF1
>  ip address 2.2.2.2 255.255.255.0
>
> Hope this makes sense, thanks in advance,

From harbor235 at gmail.com Wed Jul 9 12:10:14 2008
From: harbor235 at gmail.com (Mike Johnson)
Date: Wed, 9 Jul 2008 12:10:14 -0400
Subject: [c-nsp] GPON
Message-ID: <836bf1f90807090910h57378c24s7007cb0820ca25b2@mail.gmail.com>

Does anybody have any GPON experience on the list?

If so I am looking for pros and cons for implementing this for the CAN.

Is there a power savings, or is the power requirement just pushed out to the desktop?
Hardware required to build a PON? OLTs, ONT/ONUs, splitters?
How is GPON managed?
Price comparisons?
Basically whatever info you have outside the classic definition,

harbor235 ;}

From charles at thewybles.com Wed Jul 9 12:26:48 2008
From: charles at thewybles.com (Charles N Wyble)
Date: Wed, 09 Jul 2008 09:26:48 -0700
Subject: [c-nsp] GPON
In-Reply-To: <836bf1f90807090910h57378c24s7007cb0820ca25b2@mail.gmail.com>
References: <836bf1f90807090910h57378c24s7007cb0820ca25b2@mail.gmail.com>
Message-ID: <4874E6C8.7050504@thewybles.com>

Hope the resource recommendation helps. :)

Charles Wyble

Mike Johnson wrote:
> Does anybody have any GPON experience on the list?
>
I don't have any hands-on experience with GPON or any PON as of yet, unfortunately. APON is sweeping the United States. Wish they had gone with E/G PON. Ah well.

> If so I am looking for Pros and Cons for implementing this for the CAN.
>
Pros and cons of PON vs what? You looking to provide broadband to end users? What type of area (rural/suburban/cbd)? Etc.

> Is there a power savings or the power requirement just pushed out to the
> desktop?
>
Well, there are certainly power savings as the equipment is passive. Are you looking to deploy this in a service provider environment (I presume you are based on the nature of this list), or in an internal enterprise network (you mention pushing power out to the desktop)?

> hardware required to build a PON? OLTs, ONT/ONUs, splitters?
>
I just read a fantastic book on EPON and highly recommend it. It covers various other standards etc. (including GPON).
Amazon link: http://tinyurl.com/5okll7
I checked it out from the Los Angeles Public Library. So your local library may have it as well. Or I suppose your company could purchase it. Might be available on Safari.

> How is GPON managed?
> Price comparisons?
>
> Basically whatever info you have outside the classic definition,
>
> harbor235 ;}
>

--
Charles N Wyble (818) 280-7059
http://charlesnw.blogspot.com

From harbor235 at gmail.com Wed Jul 9 12:44:21 2008
From: harbor235 at gmail.com (Mike Johnson)
Date: Wed, 9 Jul 2008 12:44:21 -0400
Subject: [c-nsp] GPON
In-Reply-To: <4874E6C8.7050504@thewybles.com>
References: <836bf1f90807090910h57378c24s7007cb0820ca25b2@mail.gmail.com> <4874E6C8.7050504@thewybles.com>
Message-ID: <836bf1f90807090944m1549014fx882c56fa8962b4f3@mail.gmail.com>

Charles,

APON vs GPON: Verizon is installing GPON via their FiOS product in the east as of 2008; previously they were installing BPON. I cannot speak of the other providers.

Pros and cons for deploying GPON to the desktop for a large CAN: power savings, yes, for the passive equipment, but the OLTs and ONT/ONUs do require power, as well as the management systems required to provision/monitor etc. Would it save power if there were no access switches in the mix? Instead of aggregating users to access switches, build a PON; power requirements are then pushed to the desktop. Is this a better solution? Does it really save power? Increase/decrease cost per port?

thanx for the input

harbor235 ;}

On 7/9/08, Charles N Wyble wrote:
>
> Hope the resource recommendation helps. :)
>
> Charles Wyble
>
> Mike Johnson wrote:
> > Does anybody have any GPON experience on the list?
> >
> I don't have any hands on experience with GPON or any PON as of yet
> unfortunately. APON is sweeping the United States. Wish they had gone
> with E/G PON. Ah well.
> > If so I am looking for Pros and Cons for implementing this for the CAN.
> >
> Pros and Cons of PON vs what? You looking to provide broadband to end
> users? What type of area (rural/suburban/cbd)? Etc.
>
> > Is there a power savings or the power requirement just pushed out to the
> > desktop?
> >
> Well there are certainly power savings as the equipment is passive.
> Are you looking to deploy this in a service provider environment (I presume
> you are based on the nature of this list), or in an internal enterprise
> network (you mention pushing power out to the desktop).
>
> > hardware required to build a PON? OLTs, ONT/ONUs, splitters?
> >
> I just read a fantastic book on EPON and highly recommend it. It covers
> various other standards etc (including GPON).
> Amazon link: http://tinyurl.com/5okll7
> I checked it out from the Los Angeles Public Library. So your local
> library may have it as well. Or I suppose your company could purchase
> it. Might be available on Safari.
>
> > How is GPON managed?
> > Price comparisons?
> >
> > Basically whatever info you have outside the classic definition,
> >
> > harbor235 ;}
>
> --
> Charles N Wyble (818) 280-7059
> http://charlesnw.blogspot.com
>

From RTeller at deltadentalwa.com Wed Jul 9 13:16:01 2008
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Wed, 9 Jul 2008 10:16:01 -0700
Subject: [c-nsp] 3750 stack member failure detection
In-Reply-To: <4870eea3.0c07560a.1598.155e@mx.google.com>
References: <4870eea3.0c07560a.1598.155e@mx.google.com>
Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00C84@tiger.deltadentalwa.com>

You could count how many interfaces are available.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Anthony GUENEAU
Sent: Sunday, July 06, 2008 9:11 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 3750 stack member failure detection

Hi,

Does anybody know how to detect a stack member down within a 3750 stack through SNMP? What OID from what Cisco MIB (ENTITY-MIB??) should I poll to manage it?

Thanks.
Anthony

#########################################################
The information contained in this e-mail and subsequent attachments may be privileged, confidential and protected from disclosure. This transmission is intended for the sole use of the individual and entity to whom it is addressed. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited. If you think that you have received this message in error, please e-mail the sender at the above e-mail address.
#########################################################

From kapsi1911 at hotmail.com Wed Jul 9 13:59:02 2008
From: kapsi1911 at hotmail.com (D W)
Date: Wed, 9 Jul 2008 13:59:02 -0400
Subject: [c-nsp] Flat MPLS service from provider
In-Reply-To: <836bf1f90807090910h57378c24s7007cb0820ca25b2@mail.gmail.com>
References: <836bf1f90807090910h57378c24s7007cb0820ca25b2@mail.gmail.com>
Message-ID:

Hello,

Does anyone on this list manage a network or have customers that run a large (500+ sites, scaling up to 1000) flat (single VRF) enterprise network? If so, can you share any lessons learned from this service as opposed to building a hierarchical design (ordering multiple VRF clouds from a provider - core cloud, regional cloud, etc.)?

I'm in the process of identifying potential issues for a customer considering a flat network design model. Their network is currently regionalized with point-to-point circuits. Two of the first that came to mind were:

- Summarization (could only do per site, no large regional summarization blocks). Unless defaults are used.
- Difficult to deploy distributed services with no aggregation sites.

Thanks,
Dave
_________________________________________________________________
The i'm Talkathon. Can 30 days of conversation change the world?
http://www.imtalkathon.com/?source=EML_WLH_Talkathon_ChangeWorld

From nick.jon.griffin at gmail.com Wed Jul 9 14:23:40 2008
From: nick.jon.griffin at gmail.com (Nick Griffin)
Date: Wed, 9 Jul 2008 13:23:40 -0500
Subject: [c-nsp] C3750-24PS and VRF-Lite/Multi VRF
In-Reply-To: <1fb747910807090844k275952fdwd4d75679a7f5e0d7@mail.gmail.com>
References: <1fb747910807090844k275952fdwd4d75679a7f5e0d7@mail.gmail.com>
Message-ID:

I think I must need the metro switch for this. Take a look at "Configuring the PE Switch B" at this URL:

http://www.cisco.com/en/US/docs/switches/metro/catalyst3750m/software/release/12.1_14_ax/configuration/guide/swiprout.html#wp1258623

On Wed, Jul 9, 2008 at 10:44 AM, Marko Milivojevic wrote:
> I think that you need to use SVI's (interface vlan xxx) combined with
> trunks on these boxes. They don't support subinterfaces, as far as I
> recall.
>
> On Wed, Jul 9, 2008 at 15:35, Nick Griffin wrote:
> > I am thinking that I should be able to create sub-interfaces on these
> > devices to be used for multiple vrf's, but maybe I'm confused. I have some
> > routed core/dist links I need to maintain as well as extended some services
> > via VRF Lite. I have tried ip serv, adv ip serv, etc and I am still unable
> > to configure a subinterface. Am I missing something, does this require a
> > 3750E?
> >
> > interface fas 1/0/1
> >  no switchport
> >  ip address 1.1.1.1 255.255.255.0
> >
> > int fas 1/0/1.100, etc
> >  ip vrf forwarding VRF1
> >  ip address 2.2.2.2 255.255.255.0
> >
> > Hope this makes sense, thanks in advance,

From jeff-kell at utc.edu Wed Jul 9 14:29:30 2008
From: jeff-kell at utc.edu (Jeff Kell)
Date: Wed, 09 Jul 2008 14:29:30 -0400
Subject: [c-nsp] C3750-24PS and VRF-Lite/Multi VRF
In-Reply-To: <1fb747910807090844k275952fdwd4d75679a7f5e0d7@mail.gmail.com>
References: <1fb747910807090844k275952fdwd4d75679a7f5e0d7@mail.gmail.com>
Message-ID: <4875038A.7040203@utc.edu>

Marko Milivojevic wrote:
> I think that you need to use SVI's (interface vlan xxx) combined with
> trunks on these boxes. They don't support subinterfaces, as far as I
> recall.

Yes, you need trunks for the CE/PE links and SVIs/VLANs for each VRF you want to transport across almost all of the Catalysts below 6500.

Some you can GRE-tunnel across a P2P L3 link, but that isn't officially supported on some, and is process-switched on all.

Dotted interfaces are primarily a true router-ism (WAN).

Jeff

From mail.ag at foghorn.nit.gwu.edu Wed Jul 9 13:37:51 2008
From: mail.ag at foghorn.nit.gwu.edu (mail.ag)
Date: Wed, 09 Jul 2008 13:37:51 -0400
Subject: [c-nsp] GPON
In-Reply-To: <836bf1f90807090910h57378c24s7007cb0820ca25b2@mail.gmail.com>
References: <836bf1f90807090910h57378c24s7007cb0820ca25b2@mail.gmail.com>
Message-ID: <4874F76F.2090706@foghorn.nit.gwu.edu>

Mike Johnson wrote:
> Does anybody have any GPON experience on the list?
>
> If so I am looking for Pros and Cons for implementing this for the CAN.
>
> Is there a power savings or the power requirement just pushed out to the
> desktop?
> hardware required to build a PON? OLTs, ONT/ONUs, splitters?
> How is GPON managed?
> Price comparisons?
>
> Basically whatever info you have outside the classic definition,
>
> harbor235 ;}
>

We're in the middle of our first deployment of EPON for a dorm near our campus. I'm not sure I can address your questions on power requirements, as our current network topology is fiber to the desk, which has very different power requirements than a standard copper network.

My initial choice would have been to go with GPON because of its additional downstream bandwidth and potential for more ONT vendors (assuming a good interop picture). However, because of lead times and deadlines, we went with EPON for this site. We selected Wave7 Optics as our vendor. Two things that drove this decision: an 8-port ONT (8 each of voice/video/data) and GPON/EPON support in the same chassis.

We're supposed to go live August 1. I'll have more details then :)

Good luck.

From nick.jon.griffin at gmail.com Wed Jul 9 16:13:17 2008
From: nick.jon.griffin at gmail.com (Nick Griffin)
Date: Wed, 9 Jul 2008 15:13:17 -0500
Subject: [c-nsp] C3750-24PS and VRF-Lite/Multi VRF
In-Reply-To: <4875038A.7040203@utc.edu>
References: <1fb747910807090844k275952fdwd4d75679a7f5e0d7@mail.gmail.com> <4875038A.7040203@utc.edu>
Message-ID:

If anyone can confirm that the dotted subinterface configurations can be configured on the 3750ME's, that would be excellent.

Nick Griffin

On Wed, Jul 9, 2008 at 1:29 PM, Jeff Kell wrote:
> Marko Milivojevic wrote:
>
>> I think that you need to use SVI's (interface vlan xxx) combined with
>> trunks on these boxes. They don't support subinterfaces, as far as I
>> recall.
>>
>
> Yes, you need trunks for the CE/PE links and SVIs/VLANs for each VRF you
> want to transport across almost all of the Catalysts below 6500.
>
> Some you can GRE-tunnel across a P2P L3 link, but that isn't officially
> supported on some, and is process switched on all.
>
> Dotted interfaces are primarily a true router-ism (WAN).
>
> Jeff
>

From christian at broknrobot.com Wed Jul 9 17:39:35 2008
From: christian at broknrobot.com (Christian Koch)
Date: Wed, 9 Jul 2008 17:39:35 -0400
Subject: [c-nsp] ASA or FRSW in transparent mode over qinq
In-Reply-To: <1215592278.6067.107.camel@ursa.amorsen.dk>
References: <323aca890807081028m614fc1fayb0691c1bbff27a0a@mail.gmail.com> <1215592278.6067.107.camel@ursa.amorsen.dk>
Message-ID:

I'm a bit confused by your use of terms in the question...

Are you asking about VRF-aware firewalls? Or are you just unsure of the method an SP uses to deliver layer 3 VPNs?

On Wed, Jul 9, 2008 at 4:31 AM, Benny Amorsen wrote:
> "Pavel Skovajsa" writes:
>
> > does anybody know whether ASA or FWSW is able to firewall qinq packets
> > in transparent mode? Does anybody have some configs of this?
> > In short we are a service provider who wants to offer firewall
> > protection to various customer qinq tunnels.
>
> I don't know the answer to your question, but I do have another one...
>
> Which firewall does MPLS providers use to connect customer VRF's to
> the Internet? 6500's with FWSM's? What if they have thousands of
> VRF's?
>
> All of the usual enterprise firewalls like ASA, Netscreen, Checkpoint
> VSX top out at a few hundred virtual firewalls per box.
>
>
> /Benny
>

--
^christian$

From jleitao.l at gmail.com Wed Jul 9 18:03:31 2008
From: jleitao.l at gmail.com (Jose Leitao)
Date: Thu, 10 Jul 2008 00:03:31 +0200
Subject: [c-nsp] C3560 show version memory values
Message-ID: <10d3a0eb0807091503m72c48c3akd7e21dfa57052a0b@mail.gmail.com>

Hi everyone,

Today I upgraded a 3560 to c3560-advipservicesk9-mz.122-44.SE2, and looking at the output of show version, I noticed something rather peculiar:

"cisco WS-C3560-24PS (PowerPC405) processor (revision N0) with 0K/8184K bytes of memory"

Should this be a concern? I couldn't find anything related to this. Is this a bug?

Thanks,

JL

From peter at rathlev.dk Wed Jul 9 18:59:52 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Thu, 10 Jul 2008 00:59:52 +0200
Subject: [c-nsp] C3750-24PS and VRF-Lite/Multi VRF
In-Reply-To:
References: <1fb747910807090844k275952fdwd4d75679a7f5e0d7@mail.gmail.com> <4875038A.7040203@utc.edu>
Message-ID: <1215644392.8915.2.camel@svesken.sys.mjna.net>

On Wed, 2008-07-09 at 15:13 -0500, Nick Griffin wrote:
> If anyone can confirm that the dotted subinterface configurations can be
> configured on the 3750ME's, that would be excellent.

I'm not sure, but I think it's only the ES ports (uplinks) on the 3750ME that can be configured "router wise".

Is there any reason why you wouldn't just use SVIs instead? You can't use the same VLAN on different physical ports, but even the 6500/7600 can't do that with subinterfaces either.
Regards,
Peter

From kgraham at industrial-marshmallow.com Wed Jul 9 21:04:57 2008
From: kgraham at industrial-marshmallow.com (Kevin Graham)
Date: Wed, 9 Jul 2008 18:04:57 -0700 (PDT)
Subject: [c-nsp] 3750 stack member failure detection
Message-ID: <976875.20274.qm@web907.biz.mail.mud.yahoo.com>

>> Does anybody know how to detect a stack member down within a 3750 stack
>> through SNMP ?
>
> You could count how many interfaces are available.

It'd be a lot more effective to just watch the IF-MIB::ifOperStatus of the stack ports. I haven't checked, but I would think that counting interfaces wouldn't work, as they'd show up in IF-MIB::ifTable as soon as the stack member was provisioned.

From James.Baker at chelmer.co.nz Wed Jul 9 21:31:57 2008
From: James.Baker at chelmer.co.nz (James Baker)
Date: Thu, 10 Jul 2008 13:31:57 +1200
Subject: [c-nsp] 3750 stack member failure detection
In-Reply-To: <4870eea3.0c07560a.1598.155e@mx.google.com>
References: <4870eea3.0c07560a.1598.155e@mx.google.com>
Message-ID: <64396C74FCE435468BE2AF5A73F9C2FD59985E@chmaexch.chelmer.co.nz>

Check out either

http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en&translate=Translate&objectInput=1.3.6.1.4.1.9.9.500

or

http://www.oidview.com/mibs/9/CISCO-STACKWISE-MIB.html

or, if you use Nagios,

http://www.nagiosexchange.org/cgi-bin/page.cgi?g=Detailed%2F2430.html;d=1

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Anthony GUENEAU
Sent: Monday, 7 July 2008 4:11 a.m.
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 3750 stack member failure detection

Hi,

Does anybody know how to detect a stack member down within a 3750 stack through SNMP? What OID from what Cisco MIB (ENTITY-MIB??) should I poll to manage it?

Thanks.
Anthony

----------
The information contained in this e-mail and any attachments is confidential and is intended for the attention and use of the named addressee(s) only. Any views expressed in this message are those of the individual sender and may not necessarily reflect the views of Chelmer Limited.

#####################################################################################
This e-mail message has been scanned for Viruses and Content and cleared by NetIQ MailMarshal
#####################################################################################

From chris.garzon at gmail.com Wed Jul 9 22:34:47 2008
From: chris.garzon at gmail.com (Dracul)
Date: Thu, 10 Jul 2008 10:34:47 +0800
Subject: [c-nsp] WLAN setup Using separte DHCP server for wireless clients
Message-ID: <876789290807091934g1f28cef6vc44078d28337002b@mail.gmail.com>

Hi,

Got my LWAPs to be recognized; now I'm trying to set up my WLC 4404 with 1131 lightweight APs. I used the internal DHCP of the controller for the APs and put it on, let's say, VLAN3. Then I have a DHCP server on the native VLAN. Now I want my wireless clients to get DHCP from my external DHCP server. So far, when I tested the wireless connections, I can only get DHCP from the internal DHCP of the 4404, not my external DHCP server.

Any recommendations on how I can do this?
thanks
chris

From achatz at forthnet.gr Wed Jul 9 23:28:10 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Thu, 10 Jul 2008 06:28:10 +0300
Subject: [c-nsp] C3560 show version memory values
In-Reply-To: <10d3a0eb0807091503m72c48c3akd7e21dfa57052a0b@mail.gmail.com>
References: <10d3a0eb0807091503m72c48c3akd7e21dfa57052a0b@mail.gmail.com>
Message-ID: <487581CA.1050404@forthnet.gr>

I've got the same on a 3750:

12.2(25)SEE2
cisco WS-C3750G-48TS (PowerPC405) processor (revision C0) with 118784K/12280K bytes of memory.

12.2(44)SE2
cisco WS-C3750G-48TS (PowerPC405) processor (revision C0) with 0K/12280K bytes of memory.

Probably a bug... since memory is still there:

3750>sh mem
          Head     Total(b)   Used(b)   Free(b)   Lowest(b)  Largest(b)
Processor 28EC57C  78826116   34405100  44421016  43390576   43310028
I/O       7400000  12574720   8795768   3778952   3775780    3765032

--
Tassos

Jose Leitao wrote on 10/7/2008 1:03:
> Hi everyone,
>
> Today I upgraded a 3560 to c3560-advipservicesk9-mz.122-44.SE2, and
> looking at the output of show version, I noticed something rather
> peculiar:
>
> "cisco WS-C3560-24PS (PowerPC405) processor (revision N0) with
> 0K/8184K bytes of memory"
>
> Should this be a concern?, I couldn't find anything related to this,
> is this a bug?
>
> Thanks,
>
> JL

From ganbold at micom.mng.net Thu Jul 10 00:13:28 2008
From: ganbold at micom.mng.net (Ganbold)
Date: Thu, 10 Jul 2008 12:13:28 +0800
Subject: [c-nsp] Cisco 7513 problem
In-Reply-To: <4859D623.6060302@micom.mng.net>
References: <4851EA54.4000908@micom.mng.net> <20080613115225.GF15312@rtp-cse-489.cisco.com> <4858B03D.1000901@micom.mng.net> <4859048D.2040100@davidcoulson.net> <4859D623.6060302@micom.mng.net>
Message-ID: <48758C68.1040602@micom.mng.net>

Ganbold wrote:
> David Coulson wrote:
>> The whole router reloads, or just one of the RSPs? Have you tried it
>> with just a single RSP? Maybe one is dying?
>
> Router reloads :(
>
>> FYI, I have experienced great stability with
>> rsp-ik91sv-mz.122-25.S12.bin - Some routers have been running it for
>> almost 18 months. I'm not saying it's perfect, but I would suspect if
>> you have so many stability issues that it is maybe a hardware problem.
>
> I see, yesterday we updated IOS to 12.4(19b). Let us see how it works.

Actually it was 12.4(19a), and it works more stably; no more router reloads.

Ganbold

>
> Ganbold
>
>> Ganbold wrote:
>>>
>>> I tried 12.0(32).S10, however router restarts sometimes without any
>>> suspicious log :(
>>> I have rsp-pv-mz.120-33.S.bin image, maybe I will try that.
>>>
>>> Ganbold
>>
>>
>>
>

--
Antonym, n.: The opposite of the word you're trying to think of.
From benny+usenet at amorsen.dk Thu Jul 10 04:37:58 2008
From: benny+usenet at amorsen.dk (Benny Amorsen)
Date: Thu, 10 Jul 2008 10:37:58 +0200
Subject: [c-nsp] ASA or FRSW in transparent mode over qinq
References: <323aca890807081028m614fc1fayb0691c1bbff27a0a@mail.gmail.com> <1215592278.6067.107.camel@ursa.amorsen.dk>

"Christian Koch" writes:

> im a bit confused by your use of terms in the question...
>
> are you asking about vrf-aware firewalls?

Probably. Most of them seem to only do 250 firewalls per box, or in
the case of the FWSM, per module. What about the service providers
with thousands of VRFs?

/Benny

From christian at broknrobot.com Thu Jul 10 04:49:52 2008
From: christian at broknrobot.com (Christian Koch)
Date: Thu, 10 Jul 2008 04:49:52 -0400
Subject: [c-nsp] ASA or FRSW in transparent mode over qinq
References: <323aca890807081028m614fc1fayb0691c1bbff27a0a@mail.gmail.com> <1215592278.6067.107.camel@ursa.amorsen.dk>

i dont understand your correlation..

layer 3 vpns and vrf's are not dependent on firewalls

On Thu, Jul 10, 2008 at 4:37 AM, Benny Amorsen wrote:
> "Christian Koch" writes:
>
> > im a bit confused by your use of terms in the question...
> >
> > are you asking about vrf-aware firewalls?
>
> Probably. Most of them seem to only do 250 firewalls per box, or in
> the case of the FWSM, per module. What about the service providers
> with thousands of VRFs?
>
> /Benny

--
^christian$

From pavel.skovajsa at gmail.com Thu Jul 10 05:16:27 2008
From: pavel.skovajsa at gmail.com (Pavel Skovajsa)
Date: Thu, 10 Jul 2008 11:16:27 +0200
Subject: [c-nsp] ASA or FRSW in transparent mode over qinq
References: <323aca890807081028m614fc1fayb0691c1bbff27a0a@mail.gmail.com> <1215592278.6067.107.camel@ursa.amorsen.dk>
Message-ID: <323aca890807100216s53bb84a7ge8e8fbd38741f5db@mail.gmail.com>

What if the service provider wants to provide centralized firewalled internet connection to those customers?

pavel

On Thu, Jul 10, 2008 at 10:49 AM, Christian Koch wrote:
> i dont understand your correlation..
>
> layer 3 vpns and vrf's are not dependent on firewalls
>
> On Thu, Jul 10, 2008 at 4:37 AM, Benny Amorsen wrote:
>
>> "Christian Koch" writes:
>>
>> > im a bit confused by your use of terms in the question...
>> >
>> > are you asking about vrf-aware firewalls?
>>
>> Probably. Most of them seem to only do 250 firewalls per box, or in
>> the case of the FWSM, per module. What about the service providers
>> with thousands of VRFs?
>>
>> /Benny
>
> --
> ^christian$

From zivl at gilat.net Thu Jul 10 05:27:30 2008
From: zivl at gilat.net (Ziv Leyes)
Date: Thu, 10 Jul 2008 12:27:30 +0300
Subject: [c-nsp] GPON
In-Reply-To: <836bf1f90807090944m1549014fx882c56fa8962b4f3@mail.gmail.com>
References: <836bf1f90807090910h57378c24s7007cb0820ca25b2@mail.gmail.com> <4874E6C8.7050504@thewybles.com> <836bf1f90807090944m1549014fx882c56fa8962b4f3@mail.gmail.com>

What the f.... are you all talking about??? Can you explain?
PON, GPON, BPON, APON.... (?!?!?!?!?)
My friend knows something about Judo and he says IPPON always wins... :-)
I guess I'll have to google it a bit...

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mike Johnson
Sent: Wednesday, July 09, 2008 7:44 PM
To: Charles N Wyble
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] GPON

Charles,

APON vs GPON

Verizon is installing GPON via their FIOS product in the east as of 2008, previously they were installing BPON. I cannot speak of the other providers.

PROs and CONs for deploying GPON to the desktop for a large CAN

Power savings yes for the passive equipment, but the OLTs and ONT/ONUs do require power, as well as the management systems required to provision, monitor etc ..

Would it save power if there were no access switches in the mix? Instead of aggregating users to access switches build a PON, power requirements are then pushed to the desktop. Is this a better solution? Does it really save power? Increase/decrease cost per port?

thanx for the input

harbor235 ;}

On 7/9/08, Charles N Wyble wrote:
> Hope the resource recommendation helps. :)
>
> Charles Wyble
>
> Mike Johnson wrote:
>> Does anybody have any GPON experience on the list?
>
> I don't have any hands-on experience with GPON or any PON as of yet
> unfortunately. APON is sweeping the United States. Wish they had gone
> with E/G PON. Ah well.
>
>> If so I am looking for Pros and Cons for implementing this for the CAN.
>
> Pros and Cons of PON vs what? You looking to provide broadband to end
> users? What type of area (rural/suburban/cbd)? Etc.
>
>> Is there a power saving or is the power requirement just pushed out to the
>> desktop?
>
> Well there are certainly power savings as the equipment is passive. Are
> you looking to deploy this in a service provider environment (I presume
> you are based on the nature of this list), or in an internal enterprise
> network (you mention pushing power out to the desktop).
>
>> hardware required to build a PON? OLTs, ONT/ONUs, splitters?
>
> I just read a fantastic book on EPON and highly recommend it. It covers
> various other standards etc (including GPON).
> Amazon link: http://tinyurl.com/5okll7
> I checked it out from the Los Angeles Public Library. So your local
> library may have it as well. Or I suppose your company could purchase
> it. Might be available on Safari.
>
>> How is GPON managed?
>> Price comparisons?
>>
>> Basically whatever info you have outside the classic definition,
>>
>> harbor235 ;}
>
> --
> Charles N Wyble (818) 280-7059
> http://charlesnw.blogspot.com

************************************************************************************
This footnote confirms that this email message has been scanned by
PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************

From rodunn at cisco.com Thu Jul 10 05:30:20 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Thu, 10 Jul 2008 05:30:20 -0400
Subject: [c-nsp] Cisco 7513 problem
In-Reply-To: <48758C68.1040602@micom.mng.net>
References: <4851EA54.4000908@micom.mng.net> <20080613115225.GF15312@rtp-cse-489.cisco.com> <4858B03D.1000901@micom.mng.net> <4859048D.2040100@davidcoulson.net> <4859D623.6060302@micom.mng.net> <48758C68.1040602@micom.mng.net>
Message-ID: <20080710093020.GJ16325@rtp-cse-489.cisco.com>

It's more stable now on what code?

On Thu, Jul 10, 2008 at 12:13:28PM +0800, Ganbold wrote:
> Ganbold wrote:
> >David Coulson wrote:
> >>The whole router reloads, or just one of the RSPs? Have you tried it
> >>with just a single RSP? Maybe one is dying?
> >
> >Router reloads :(
> >
> >>FYI, I have experienced great stability with
> >>rsp-ik91sv-mz.122-25.S12.bin - Some routers have been running it for
> >>almost 18 months. I'm not saying it's perfect, but I would suspect if
> >>you have so many stability issues that it is maybe a hardware problem.
> >
> >I see, yesterday we updated IOS to 12.4(19b). Let us see how it works.
>
> Actually it was 12.4(19a), and it works more stably, no more router reloads.
>
> Ganbold
>
> >Ganbold
> >
> >>Ganbold wrote:
> >>>
> >>>I tried 12.0(32).S10, however router restarts sometimes without any
> >>>suspicious log :(
> >>>I have rsp-pv-mz.120-33.S.bin image, maybe I will try that.
> >>>
> >>>Ganbold
>
> --
> Antonym, n.: The opposite of the word you're trying to think of.

From asturluismi at gmail.com Thu Jul 10 05:38:42 2008
From: asturluismi at gmail.com (luismi)
Date: Thu, 10 Jul 2008 11:38:42 +0200
Subject: [c-nsp] Script to backup a pix 6.3
Message-ID: <1215682722.10129.2.camel@dsba-ipso>

Hi all,

Is there anyone there who can send me a script (linux shell script, perl, python, expect...) to do a cisco pix 6.3 backup?

If not I will create a new one, but it would be much better if I don't need to re-create the wheel again if someone can share a script.

Regards.

From benny+usenet at amorsen.dk Thu Jul 10 05:40:50 2008
From: benny+usenet at amorsen.dk (Benny Amorsen)
Date: Thu, 10 Jul 2008 11:40:50 +0200
Subject: [c-nsp] ASA or FRSW in transparent mode over qinq
References: <323aca890807081028m614fc1fayb0691c1bbff27a0a@mail.gmail.com> <1215592278.6067.107.camel@ursa.amorsen.dk> <323aca890807100216s53bb84a7ge8e8fbd38741f5db@mail.gmail.com>

"Pavel Skovajsa" writes:

> What if the service provider wants to provide centralized firewalled
> internet connection to those customers?

Exactly. There must be many ISP's which offer hosted firewalls and Internet access for their MPLS customers. But how? None of the solutions seem to scale.
/Benny

From ganbold at micom.mng.net Thu Jul 10 05:42:44 2008
From: ganbold at micom.mng.net (Ganbold)
Date: Thu, 10 Jul 2008 17:42:44 +0800
Subject: [c-nsp] Cisco 7513 problem
In-Reply-To: <20080710093020.GJ16325@rtp-cse-489.cisco.com>
References: <4851EA54.4000908@micom.mng.net> <20080613115225.GF15312@rtp-cse-489.cisco.com> <4858B03D.1000901@micom.mng.net> <4859048D.2040100@davidcoulson.net> <4859D623.6060302@micom.mng.net> <48758C68.1040602@micom.mng.net> <20080710093020.GJ16325@rtp-cse-489.cisco.com>
Message-ID: <4875D994.60400@micom.mng.net>

Rodney Dunn wrote:
> It's more stable now on what code?
>

On 12.4(19a).

Ganbold

> On Thu, Jul 10, 2008 at 12:13:28PM +0800, Ganbold wrote:
>
>> Ganbold wrote:
>>
>>> David Coulson wrote:
>>>
>>>> The whole router reloads, or just one of the RSPs? Have you tried it
>>>> with just a single RSP? Maybe one is dying?
>>>>
>>> Router reloads :(
>>>
>>>> FYI, I have experienced great stability with
>>>> rsp-ik91sv-mz.122-25.S12.bin - Some routers have been running it for
>>>> almost 18 months. I'm not saying it's perfect, but I would suspect if
>>>> you have so many stability issues that it is maybe a hardware problem.
>>>>
>>> I see, yesterday we updated IOS to 12.4(19b). Let us see how it works.
>>>
>> Actually it was 12.4(19a), and it works more stably, no more router reloads.
>>
>> Ganbold
>>
>>> Ganbold
>>>
>>>> Ganbold wrote:
>>>>
>>>>> I tried 12.0(32).S10, however router restarts sometimes without any
>>>>> suspicious log :(
>>>>> I have rsp-pv-mz.120-33.S.bin image, maybe I will try that.
>>>>>
>>>>> Ganbold
>>
>> --
>> Antonym, n.: The opposite of the word you're trying to think of.

--
If a nation values anything more than freedom, it will lose its freedom;
and the irony of it is that if it is comfort or money it values more, it
will lose that, too. -- W. Somerset Maugham

From rodunn at cisco.com Thu Jul 10 05:46:34 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Thu, 10 Jul 2008 05:46:34 -0400
Subject: [c-nsp] Cisco 7513 problem
In-Reply-To: <4875D994.60400@micom.mng.net>
References: <4851EA54.4000908@micom.mng.net> <20080613115225.GF15312@rtp-cse-489.cisco.com> <4858B03D.1000901@micom.mng.net> <4859048D.2040100@davidcoulson.net> <4859D623.6060302@micom.mng.net> <48758C68.1040602@micom.mng.net> <20080710093020.GJ16325@rtp-cse-489.cisco.com> <4875D994.60400@micom.mng.net>
Message-ID: <20080710094634.GN16325@rtp-cse-489.cisco.com>

That's good news, as 12.4 is the sunset code for that platform along with 12.0S. Sunset meaning until it goes full end of support.

Rodney

On Thu, Jul 10, 2008 at 05:42:44PM +0800, Ganbold wrote:
> Rodney Dunn wrote:
> >It's more stable now on what code?
> >
>
> On 12.4(19a).
>
> Ganbold
>
> >On Thu, Jul 10, 2008 at 12:13:28PM +0800, Ganbold wrote:
> >
> >>Ganbold wrote:
> >>
> >>>David Coulson wrote:
> >>>
> >>>>The whole router reloads, or just one of the RSPs? Have you tried it
> >>>>with just a single RSP? Maybe one is dying?
> >>>>
> >>>Router reloads :(
> >>>
> >>>>FYI, I have experienced great stability with
> >>>>rsp-ik91sv-mz.122-25.S12.bin - Some routers have been running it for
> >>>>almost 18 months. I'm not saying it's perfect, but I would suspect if
> >>>>you have so many stability issues that it is maybe a hardware problem.
> >>>>
> >>>I see, yesterday we updated IOS to 12.4(19b). Let us see how it works.
> >>>
> >>Actually it was 12.4(19a), and it works more stably, no more router
> >>reloads.
> >>
> >>Ganbold
> >>
> >>>Ganbold
> >>>
> >>>>Ganbold wrote:
> >>>>
> >>>>>I tried 12.0(32).S10, however router restarts sometimes without any
> >>>>>suspicious log :(
> >>>>>I have rsp-pv-mz.120-33.S.bin image, maybe I will try that.
> >>>>>
> >>>>>Ganbold
> >>
> >>--
> >>Antonym, n.: The opposite of the word you're trying to think of.
>
> --
> If a nation values anything more than freedom, it will lose its freedom;
> and the irony of it is that if it is comfort or money it values more, it
> will lose that, too. -- W. Somerset Maugham

From mihai at duras.ro Thu Jul 10 06:16:55 2008
From: mihai at duras.ro (Mihai Tanasescu)
Date: Thu, 10 Jul 2008 13:16:55 +0300
Subject: [c-nsp] VRF-Lite & Multicast question
In-Reply-To: <67F7C1FAF83A074AA3520D8F155782A501911616@xmb-ams-331.emea.cisco.com>
References: <4873A9FC.2020109@duras.ro> <67F7C1FAF83A074AA3520D8F155782A501911616@xmb-ams-331.emea.cisco.com>
Message-ID: <4875E197.8050607@duras.ro>

Hi Arie,

Sorry for top posting but I guess this time it will be easier as your answer was also above mine :)

This is my network topology and schematic:
http://www.screenshots.cc/show.php/15014_draft.jpeg.html

Router C (in my schema RD-1):

RO-BUC-RD1#sh ip mroute count
IP Multicast Statistics
1 routes using 544 bytes of memory
1 groups, 0.00 average sources per group
Forwarding Counts: Pkt Count/Pkts per second/Avg Pkt Size/Kilobits per second
Other counts: Total/RPF failed/Other drops(OIF-null, rate-limit etc)

Group: 224.0.1.40, Source count: 0, Packets forwarded: 0, Packets received: 0

RO-BUC-RD1#sh ip mroute

Outgoing interface flags: H - Hardware switched, A - Assert winner
Timers: Uptime/Expires
Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 224.0.1.40), 2d22h/00:02:15, RP 172.16.103.237, flags: SJPCL
  Incoming interface: GigabitEthernet1/24, RPF nbr 195.170.181.157
  Outgoing interface list: Null

On one of the VRFs:

http://www.pastebin.org/50188
http://www.pastebin.org/50190

On all interfaces interconnecting RC1 and RD1 I have:

ip pim sparse-dense-mode

on RC1 I have ip multicast-routing and ip pim rp-address 172.16.103.237.

If I connect with a laptop in a port in RC1 multicast works.
in RD1 I have:

ip pim rp-address 172.16.103.237
ip pim vrf vrf_business rp-address 172.16.103.237
ip pim vrf vrf_default_1 rp-address 172.16.103.237
ip pim vrf vrf_default_2 rp-address 172.16.103.237
ip pim vrf vrf_default_3 rp-address 172.16.103.237
ip pim vrf vrf_default_4 rp-address 172.16.103.237

(VRF business takes default route from vrf_default_3)

What am I missing or what would be the workaround in my case of setup?

Thanks and sorry for the long post,
Mihai

Arie Vayner (avayner) wrote:
> Hmm...
>
> Could you share some "show ip mroute" and "show ip mroute count" outputs
> both for global and vrf mode on router C?
>
> First thing to check would be the RPF path for the source - do you have
> a route back to the source through all the interfaces on router C?
>
> Arie
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mihai Tanasescu
> Sent: Tuesday, July 08, 2008 20:55 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] VRF-Lite & Multicast question
>
> Hello all,
>
> I have just started studying multicast for accomplishing a task that
> I've been given and don't know where / what I am doing wrong.
>
> My setup is something like the following:
>
> RP ---> Router A --- iBGP ---> Router B --- eBGP --> Router C (vrf-lite)
>
> between Router B and Router C I have 5 links (4 are vrf-lite in Router
> C, the 5th is in the global table and used for MPLS ldp).
>
> I have configured on each router:
> ip multicast-routing (in C for example for both global and VRF), ip pim
> sparse-dense-mode on interfaces and the RP.
>
> If I connect with a cable in Router A I can view the multicast stream.
> Same if I connect in Router B.
>
> But in Router C it doesn't work (neither in the global table, nor in
> the VRFs from vrf-lite implementation).
>
> Can you help with advice or what I could be doing wrong? (I'm just a
> beginner/newbie when it comes to mcast)
>
> Thanks,
> Mihai

From mihai at duras.ro Thu Jul 10 06:35:53 2008
From: mihai at duras.ro (Mihai Tanasescu)
Date: Thu, 10 Jul 2008 13:35:53 +0300
Subject: [c-nsp] VRF-Lite & Multicast question
In-Reply-To: <4875E197.8050607@duras.ro>
References: <4873A9FC.2020109@duras.ro> <67F7C1FAF83A074AA3520D8F155782A501911616@xmb-ams-331.emea.cisco.com> <4875E197.8050607@duras.ro>
Message-ID: <4875E609.2070404@duras.ro>

Hello again,

On a closer look I see for example:

on RC1:
RO-BUC-RC1#sh ip pim neighbor
PIM Neighbor Table
Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority,
      P - Proxy Capable, S - State Refresh Capable
Neighbor          Interface                Uptime/Expires    Ver   DR
Address                                                            Prio/Mode
195.170.181.18    POS2/0/0                 3d00h/00:01:31    v2    1 / S P
195.170.181.158   GigabitEthernet7/6       2d22h/00:01:33    v2    1 / DR S P
195.170.181.54    GigabitEthernet7/3       2d22h/00:01:44    v2    1 / DR S P
195.170.181.58    GigabitEthernet7/4       2d22h/00:01:28    v2    1 / DR S P
195.170.181.170   GigabitEthernet7/2       00:02:53/00:01:18 v2    1 / DR S P
195.170.181.146   GigabitEthernet7/5       00:02:59/00:01:43 v2    1 / DR S P

on the RD1 (vrf-lite directly connected to this)..choosing one VRF for which I see an entry above on RC1 for neighbor:

RO-BUC-RD1#sh ip pim vrf vrf_business neighbor
PIM Neighbor Table
Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority,
      P - Proxy Capable, S - State Refresh Capable
Neighbor          Interface                Uptime/Expires    Ver   DR
Address                                                            Prio/Mode

I think the problem might be from here but don't know how to fix it :(

-
Mihai

Mihai Tanasescu wrote:
> Hi Arie,
>
> Sorry for top posting but I guess this time it will be easier as your
> answer was also above mine :)
>
> This is my network topology and schematic:
> http://www.screenshots.cc/show.php/15014_draft.jpeg.html
>
> Router C (in my schema RD-1):
>
> RO-BUC-RD1#sh ip mroute count
> IP Multicast Statistics
> 1 routes using 544 bytes of memory
> 1 groups, 0.00 average sources per group
> Forwarding Counts: Pkt Count/Pkts per second/Avg Pkt Size/Kilobits per
> second
> Other counts: Total/RPF failed/Other drops(OIF-null, rate-limit etc)
>
> Group: 224.0.1.40, Source count: 0, Packets forwarded: 0, Packets
> received: 0
>
> RO-BUC-RD1#sh ip mroute
>
> Outgoing interface flags: H - Hardware switched, A - Assert winner
> Timers: Uptime/Expires
> Interface state: Interface, Next-Hop or VCD, State/Mode
>
> (*, 224.0.1.40), 2d22h/00:02:15, RP 172.16.103.237, flags: SJPCL
>   Incoming interface: GigabitEthernet1/24, RPF nbr 195.170.181.157
>   Outgoing interface list: Null
>
> On one of the VRFs:
>
> http://www.pastebin.org/50188
> http://www.pastebin.org/50190
>
> On all interfaces interconnecting RC1 and RD1 I have:
>
> ip pim sparse-dense-mode
>
> on RC1 I have ip multicast-routing and ip pim rp-address 172.16.103.237.
>
> If I connect with a laptop in a port in RC1 multicast works.
>
> in RD1 I have:
>
> ip pim rp-address 172.16.103.237
> ip pim vrf vrf_business rp-address 172.16.103.237
> ip pim vrf vrf_default_1 rp-address 172.16.103.237
> ip pim vrf vrf_default_2 rp-address 172.16.103.237
> ip pim vrf vrf_default_3 rp-address 172.16.103.237
> ip pim vrf vrf_default_4 rp-address 172.16.103.237
>
> (VRF business takes default route from vrf_default_3)
>
> What am I missing or what would be the workaround in my case of setup?
>
> Thanks and sorry for the long post,
> Mihai
>
> Arie Vayner (avayner) wrote:
>> Hmm...
>>
>> Could you share some "show ip mroute" and "show ip mroute count" outputs
>> both for global and vrf mode on router C?
>>
>> First thing to check would be the RPF path for the source - do you have
>> a route back to the source through all the interfaces on router C?
>>
>> Arie
>>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net
>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mihai Tanasescu
>> Sent: Tuesday, July 08, 2008 20:55 PM
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] VRF-Lite & Multicast question
>>
>> Hello all,
>>
>> I have just started studying multicast for accomplishing a task that
>> I've been given and don't know where / what I am doing wrong.
>>
>> My setup is something like the following:
>>
>> RP ---> Router A --- iBGP ---> Router B --- eBGP --> Router C (vrf-lite)
>>
>> between Router B and Router C I have 5 links (4 are vrf-lite in
>> Router C, the 5th is in the global table and used for MPLS ldp).
>>
>> I have configured on each router:
>> ip multicast-routing (in C for example for both global and VRF), ip pim
>> sparse-dense-mode on interfaces and the RP.
>>
>> If I connect with a cable in Router A I can view the multicast stream.
>> Same if I connect in Router B.
>>
>> But in Router C it doesn't work (neither in the global table, nor in
>> the VRFs from vrf-lite implementation).
>>
>> Can you help with advice or what I could be doing wrong? (I'm just a
>> beginner/newbie when it comes to mcast)
>>
>> Thanks,
>> Mihai

From mtinka at globaltransit.net Thu Jul 10 07:23:13 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Thu, 10 Jul 2008 19:23:13 +0800
Subject: [c-nsp] C3560 show version memory values
In-Reply-To: <10d3a0eb0807091503m72c48c3akd7e21dfa57052a0b@mail.gmail.com>
References: <10d3a0eb0807091503m72c48c3akd7e21dfa57052a0b@mail.gmail.com>
Message-ID: <200807101923.16998.mtinka@globaltransit.net>

On Thursday 10 July 2008 06:03:31 Jose Leitao wrote:

> Today I upgraded a 3560 to
> c3560-advipservicesk9-mz.122-44.SE2, and looking at the
> output of show version, I noticed something rather
> peculiar:
>
> "cisco WS-C3560-24PS (PowerPC405) processor (revision N0)
> with 0K/8184K bytes of memory"
>
> Should this be a concern? I couldn't find anything
> related to this, is this a bug?

We are seeing the same issue on our 3560G's running the same code.

Mark.

From zivl at gilat.net Thu Jul 10 07:26:59 2008
From: zivl at gilat.net (Ziv Leyes)
Date: Thu, 10 Jul 2008 14:26:59 +0300
Subject: [c-nsp] Script to backup a pix 6.3
In-Reply-To: <1215682722.10129.2.camel@dsba-ipso>
References: <1215682722.10129.2.camel@dsba-ipso>

Hi Luismi, (stands for Luis Miguel?)
There are a few useful links I've found for you:
http://www.mangeek.com/portfolio/pixbackup.html
http://3d2f.com/programs/1-918-kiwi-cattools-download.shtml
http://www.networksecurityarchive.org/html/Firewalls/2004-09/msg00227.html

Once I wrote a .vbs script for SecureCRT that takes care of it, but it needs manual running from within the session, let me know if you are interested.

Ziv

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of luismi
Sent: Thursday, July 10, 2008 12:39 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Script to backup a pix 6.3

Hi all,

Is there anyone there who can send me a script (linux shell script, perl, python, expect...) to do a cisco pix 6.3 backup?

If not I will create a new one, but it would be much better if I don't need to re-create the wheel again if someone can share a script.

Regards.

From k.vdh at solcon.nl Thu Jul 10 05:46:03 2008
From: k.vdh at solcon.nl (Koen)
Date: Thu, 10 Jul 2008 11:46:03 +0200
Subject: [c-nsp] High temperatures on cisco 6504-E chassis
Message-ID: <4875DA5B.5060001@solcon.nl>

Hi all,

We got 2 WS-C6504-E chassis, both with 1 sup 7203CXL and 2 WS-X6748-GE-TX, and we see that the asic temperature is always higher than 40C, which is the max operational temperature according to the docs.

vss>show environment switch 1 temperature
chassis id 1 switch_id 1
switch 1 module 1 outlet temperature: 40C
switch 1 module 1 inlet temperature: 30C
switch 1 module 1 device-1 temperature: 31C
switch 1 module 1 device-2 temperature: 38C
switch 1 module 1 asic-1 temperature: 59C
switch 1 module 1 asic-3 temperature: 42C
switch 1 module 1 asic-4 temperature: 59C
switch 1 module 1 RP outlet temperature: 34C
switch 1 module 1 RP inlet temperature: 32C
switch 1 module 1 EARL outlet temperature: 31C
switch 1 module 1 EARL inlet temperature: 28C
switch 1 module 2 outlet temperature: 41C
switch 1 module 2 inlet temperature: 29C
switch 1 module 3 outlet temperature: 39C
switch 1 module 3 inlet temperature: 28C

vss>show environment switch 2 temperature
chassis id 2 switch_id 2
switch 2 module 1 outlet temperature: 42C
switch 2 module 1 inlet temperature: 32C
switch 2 module 1 device-1 temperature: 36C
switch 2 module 1 device-2 temperature: 41C
switch 2 module 1 asic-1 temperature: 61C
switch 2 module 1 asic-3 temperature: 45C
switch 2 module 1 asic-4 temperature: 58C
switch 2 module 1 RP outlet temperature: 39C
switch 2 module 1 RP inlet temperature: 38C
switch 2 module 1 EARL outlet temperature: 38C
switch 2 module 1 EARL inlet temperature: 33C
switch 2 module 2 outlet temperature: 45C
switch 2 module 2 inlet temperature: 30C
switch 2 module 3 outlet temperature: 44C
switch 2 module 3 inlet temperature: 24C

The fan-trays being used:

switch 1 fan-tray 1:
switch 1 fan-tray 1 type: FAN-MOD-4HS
switch 1 fan-tray 1 mode: High-power
switch 1 fan-tray 1 fan-fail: OK
switch 2 fan-tray 1:
switch 2 fan-tray 1 type: FAN-MOD-4HS
switch 2 fan-tray 1 mode: High-power
switch 2 fan-tray 1 fan-fail: OK

We tried almost everything, like opening the server closets (we even got rid of the side panels), adding more cooling with apc fan units, etc, but we don't seem to get it lower than the above temperatures. We think it is an internal air flow problem in the chassis...

Do you guys also see these high temperatures?

Thanks,

Koen

From nickslager at gmail.com Thu Jul 10 07:42:23 2008
From: nickslager at gmail.com (Nick Slager)
Date: Thu, 10 Jul 2008 21:42:23 +1000
Subject: [c-nsp] Script to backup a pix 6.3
In-Reply-To: <1215682722.10129.2.camel@dsba-ipso>
References: <1215682722.10129.2.camel@dsba-ipso>
Message-ID: <6CCF1D60-759E-4373-BFB5-0FCF1BDC77EF@gmail.com>

On 10/07/2008, at 7:38 PM, luismi wrote:

> Is there anyone there who can send me a script (linux shell script,
> perl, python, expect...) to do a cisco pix 6.3 backup?

RANCID supports the PIX. See http://shrubbery.net/rancid/

Nick

From asturluismi at gmail.com Thu Jul 10 08:00:05 2008
From: asturluismi at gmail.com (luismi)
Date: Thu, 10 Jul 2008 14:00:05 +0200
Subject: [c-nsp] Script to backup a pix 6.3
References: <1215682722.10129.2.camel@dsba-ipso>
Message-ID: <1215691205.10129.4.camel@dsba-ipso>

Thanks Ziv!

On Thu, 10-07-2008 at 14:26 +0300, Ziv Leyes wrote:
> Hi Luismi, (stands for Luis Miguel?)
>
> There are a few useful links I've found for you:
> http://www.mangeek.com/portfolio/pixbackup.html
> http://3d2f.com/programs/1-918-kiwi-cattools-download.shtml
> http://www.networksecurityarchive.org/html/Firewalls/2004-09/msg00227.html
>
> Once I wrote a .vbs script for SecureCRT that takes care of it, but it needs manual running from within the session, let me know if you are interested.
>
> Ziv
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of luismi
> Sent: Thursday, July 10, 2008 12:39 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Script to backup a pix 6.3
>
> Hi all,
>
> Is there anyone there who can send me a script (linux shell script,
> perl, python, expect...) to do a cisco pix 6.3 backup?
>
> If not I will create a new one, but it would be much better if I don't
> need to re-create the wheel again if someone can share a script.
>
> Regards.

From rs at seastrom.com Thu Jul 10 08:14:58 2008
From: rs at seastrom.com (Robert E. Seastrom)
Date: Thu, 10 Jul 2008 08:14:58 -0400
Subject: [c-nsp] High temperatures on cisco 6504-E chassis
In-Reply-To: <4875DA5B.5060001@solcon.nl> (Koen's message of "Thu, 10 Jul 2008 11:46:03 +0200")
References: <4875DA5B.5060001@solcon.nl>
Message-ID: <86ej62szp9.fsf@seastrom.com>

Koen writes:

> We got 2 WS-C6504-E chassis both with 1 sup 7203CXL and 2
> WS-X6748-GE-TX and we see that the asic temperature is always higher
> than 40C which is the max operational temperature according to the
> docs.

The max operational temperature quoted in documentation is almost always ambient (or inlet) temperature, not the temperature of any particular hot spot on the board. At 30c inlet, you're well within spec.

Is there something you have read that leads you to believe things are different in this case? Can you point me there if so?

-r

From mihai at duras.ro Thu Jul 10 08:44:23 2008
From: mihai at duras.ro (Mihai Tanasescu)
Date: Thu, 10 Jul 2008 15:44:23 +0300
Subject: [c-nsp] VRF-Lite & Multicast question
In-Reply-To: <4875E609.2070404@duras.ro>
References: <4873A9FC.2020109@duras.ro> <67F7C1FAF83A074AA3520D8F155782A501911616@xmb-ams-331.emea.cisco.com> <4875E197.8050607@duras.ro> <4875E609.2070404@duras.ro>
Message-ID: <48760427.6050107@duras.ro>

Mihai Tanasescu wrote:
> Hello again,
>
> On a closer look I see for example:
>
> on RC1:
> RO-BUC-RC1#sh ip pim neighbor
> PIM Neighbor Table
> Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority,
>       P - Proxy Capable, S - State Refresh Capable
> Neighbor          Interface                Uptime/Expires    Ver   DR
> Address                                                            Prio/Mode
> 195.170.181.18    POS2/0/0                 3d00h/00:01:31    v2    1 / S P
> 195.170.181.158   GigabitEthernet7/6       2d22h/00:01:33    v2    1 / DR S P
> 195.170.181.54    GigabitEthernet7/3       2d22h/00:01:44    v2    1 / DR S P
> 195.170.181.58    GigabitEthernet7/4       2d22h/00:01:28    v2    1 / DR S P
> 195.170.181.170   GigabitEthernet7/2       00:02:53/00:01:18 v2    1 / DR S P
> 195.170.181.146   GigabitEthernet7/5       00:02:59/00:01:43 v2    1 / DR S P
>
> on the RD1 (vrf-lite directly connected to this)..choosing one VRF for
> which I see an entry above on RC1 for neighbor:
>
> RO-BUC-RD1#sh ip pim vrf vrf_business neighbor
> PIM Neighbor Table
> Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority,
>       P - Proxy Capable, S - State Refresh Capable
> Neighbor          Interface                Uptime/Expires    Ver   DR
> Address                                                            Prio/Mode
>
> I think the problem might be from here but don't know how to fix it :(

I was wrong.

If I try the same on the vrf_default_3 (the gateway obtained by route leaking for vrf_business), then I can see the pim neighborship relation.

With a tcpdump on my linux machine with VLC I can see the IGMP v2 report messages but no reply whatsoever.

Any help?

>
> -
> Mihai
>
> Mihai Tanasescu wrote:
>> Hi Arie,
>>
>> Sorry for top posting but I guess this time it will be easier as your
>> answer was also above mine :)
>>
>> This is my network topology and schematic:
>> http://www.screenshots.cc/show.php/15014_draft.jpeg.html
>>
>> Router C (in my schema RD-1):
>>
>> RO-BUC-RD1#sh ip mroute count
>> IP Multicast Statistics
>> 1 routes using 544 bytes of memory
>> 1 groups, 0.00 average sources per group
>> Forwarding Counts: Pkt Count/Pkts per second/Avg Pkt Size/Kilobits
>> per second
>> Other counts: Total/RPF failed/Other drops(OIF-null, rate-limit etc)
>>
>> Group: 224.0.1.40, Source count: 0, Packets forwarded: 0, Packets
>> received: 0
>>
>> RO-BUC-RD1#sh ip mroute
>>
>> Outgoing interface flags: H - Hardware switched, A - Assert winner
>> Timers: Uptime/Expires
>> Interface state: Interface, Next-Hop or VCD, State/Mode
>>
>> (*, 224.0.1.40), 2d22h/00:02:15, RP 172.16.103.237, flags: SJPCL
>>   Incoming interface: GigabitEthernet1/24, RPF nbr 195.170.181.157
>>   Outgoing interface list: Null
>>
>> On one of the VRFs:
>>
>> http://www.pastebin.org/50188
>> http://www.pastebin.org/50190
>>
>> On all interfaces interconnecting RC1 and RD1 I have:
>>
>> ip pim sparse-dense-mode
>>
>> on RC1 I have ip multicast-routing and ip pim rp-address 172.16.103.237.
>>
>> If I connect with a laptop in a port in RC1 multicast works.
>>
>> in RD1 I have:
>>
>> ip pim rp-address 172.16.103.237
>> ip pim vrf vrf_business rp-address 172.16.103.237
>> ip pim vrf vrf_default_1 rp-address 172.16.103.237
>> ip pim vrf vrf_default_2 rp-address 172.16.103.237
>> ip pim vrf vrf_default_3 rp-address 172.16.103.237
>> ip pim vrf vrf_default_4 rp-address 172.16.103.237
>>
>> (VRF business takes default route from vrf_default_3)
>>
>> What am I missing or what would be the workaround in my case of setup?
>>
>> Thanks and sorry for the long post,
>> Mihai
>>
>> Arie Vayner (avayner) wrote:
>>> Hmm...
>>>
>>> Could you share some "show ip mroute" and "show ip mroute count"
>>> outputs
>>> both for global and vrf mode on router C?
>>>
>>> First thing to check would be the RPF path for the source - do you have
>>> a route back to the source through all the interfaces on router C?
>>>
>>> Arie
>>>
>>> -----Original Message-----
>>> From: cisco-nsp-bounces at puck.nether.net
>>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mihai Tanasescu
>>> Sent: Tuesday, July 08, 2008 20:55 PM
>>> To: cisco-nsp at puck.nether.net
>>> Subject: [c-nsp] VRF-Lite & Multicast question
>>>
>>> Hello all,
>>>
>>> I have just started studying multicast for accomplishing a task that
>>> I've been given and don't know where / what I am doing wrong.
>>>
>>> My setup is something like the following:
>>>
>>> RP ---> Router A --- iBGP ---> Router B --- eBGP --> Router C
>>> (vrf-lite)
>>>
>>> between Router B and Router C I have 5 links (4 are vrf-lite in
>>> Router C, the 5th is in the global table and used for MPLS ldp).
>>>
>>> I have configured on each router:
>>> ip multicast-routing (in C for example for both global and VRF), ip
>>> pim
>>> sparse-dense-mode on interfaces and the RP.
>>> If I connect with a cable in Router A I can view the multicast stream.
>>> Same if I connect in Router B.
>>>
>>> But in Router C it doesn't work (neither in the global table, neither in
>>> the VRFs from vrf-lite implementation).
>>>
>>> Can you help with an advice or what I could be doing wrong ? (I'm just a
>>> beginner/newbie when it comes to mcast)
>>>
>>> Thanks,
>>> Mihai
>>> _______________________________________________
>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/

From k.vdh at solcon.nl Thu Jul 10 08:41:36 2008
From: k.vdh at solcon.nl (Koen)
Date: Thu, 10 Jul 2008 14:41:36 +0200
Subject: [c-nsp] High temperatures on cisco 6504-E chassis
In-Reply-To: <86ej62szp9.fsf@seastrom.com>
References: <4875DA5B.5060001@solcon.nl> <86ej62szp9.fsf@seastrom.com>
Message-ID: <48760380.2090703@solcon.nl>

Hi Robert,

I didn't read anything about this, but if I look at some other chassis like a 6509 the in- and outlet temps are higher but the ASIC temps are 31C. Could it be the fan tray of a 6504-E isn't powerful enough to cool the chassis?

Thanks,
Koen

Robert E. Seastrom wrote:
> Koen writes:
>
>> We got 2 WS-C6504-E chassis both with 1 sup 7203CXL and 2
>> WS-X6748-GE-TX and we see that the asic temperature is always higher
>> than 40C which is the max operational temperature according to the
>> docs.
>
> The max operational temperature quoted in documentation is almost
> always ambient (or inlet) temperature, not the temperature of any
> particular hot spot on the board. At 30c inlet, you're well within
> spec. Is there something you have read that leads you to believe
> things are different in this case? Can you point me there if so?
>
> -r

From SPfister at dps.k12.oh.us Thu Jul 10 08:58:26 2008
From: SPfister at dps.k12.oh.us (Steven Pfister)
Date: Thu, 10 Jul 2008 08:58:26 -0400
Subject: [c-nsp] Question on 7204vxr modules
Message-ID: <4875CF37.9E6F.00B8.0@dps.k12.oh.us>

We have a 7204VXR currently in use as our border router. As part of a transition of our upstream bandwidth from an ATM connection to gigabit Ethernet, we need to replace some of the modules. The router currently has a PA-A6-OC3MM module connecting to our service provider (in the lower right slot). The I/O controller has 2 FE/E ports (don't have the part number). We want to replace the I/O controller with a C7200-I/O-GE+E and the other module with a PA-GE. Our questions are:

- As a first step, we're going to replace the I/O controller with the new one using a FE GBIC, and put the PA-GE in along with the PA-A6-OC3MM until it's time to cut over to gigabit Ethernet. Are there any restrictions on where we can put the PA-GE during this time? Can it be any slot?

- Where is the configuration stored? Is it on the flash card? When we put the new I/O controller in, can we just move the flash card over?

Thanks!

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

From cchurc05 at harris.com Thu Jul 10 09:18:22 2008
From: cchurc05 at harris.com (Church, Charles)
Date: Thu, 10 Jul 2008 08:18:22 -0500
Subject: [c-nsp] C3560 show version memory values
In-Reply-To: <200807101923.16998.mtinka@globaltransit.net>
References: <10d3a0eb0807091503m72c48c3akd7e21dfa57052a0b@mail.gmail.com> <200807101923.16998.mtinka@globaltransit.net>
Message-ID:

I just checked a couple of 3550s with that version; they look fine. Guess it's a 3560/3750 thing only.
Chuck -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Tinka Sent: Thursday, July 10, 2008 7:23 AM To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] C3560 show version memory values On Thursday 10 July 2008 06:03:31 Jose Leitao wrote: > Today I upgraded a 3560 to > c3560-advipservicesk9-mz.122-44.SE2, and looking at the > output of show version, I noticed something rather > peculiar: > > "cisco WS-C3560-24PS (PowerPC405) processor (revision N0) > with 0K/8184K bytes of memory" > > Should this be a concern?, I couldn't find anything > related to this, is this a bug? We are seeing the same issue on our 3560G's running the same code. Mark. From SPfister at dps.k12.oh.us Thu Jul 10 09:21:01 2008 From: SPfister at dps.k12.oh.us (Steven Pfister) Date: Thu, 10 Jul 2008 09:21:01 -0400 Subject: [c-nsp] Question on mystery VOIP traffic Message-ID: <4875D485.9E6F.00B8.0@dps.k12.oh.us> I'm trying to track down the source of some strange traffic patterns in our network. All of our remote sites have VOIP from a remote PBX to a central PBX at our main facility. All of this was set up before I got here, and I have very little contact with it. In checking out the strange traffic, I notice that several of these sites show a rather large amount of outgoing (from the site) UDP traffic to the central site with port numbers usually in the 15k to 20k range, all involving addresses and interfaces associated with voice. The amount of data transferred seems to be fairly large (one of the larger sites is sending 5.5 to 6gb per day), and is usually fairly steady throughout the day, 24x7. One exception to that that I've seen, is at the beginning of last month, the 5.5gb seemed to be once a day rather than spread out, but that was only for the first week. The head of telecom here isn't aware of anything that might cause that. Is this normal for VOIP? Thanks! 
Steve Pfister Technical Coordinator, The Office of Information Technology Dayton Public Schools 115 S. Ludlow St. Dayton, OH 45402 Office (937) 542-3149 Cell (937) 673-6779 Direct Connect: 137*131747*8 Email spfister at dps.k12.oh.us From cchurc05 at harris.com Thu Jul 10 09:26:25 2008 From: cchurc05 at harris.com (Church, Charles) Date: Thu, 10 Jul 2008 08:26:25 -0500 Subject: [c-nsp] High temperatures on cisco 6504-E chassis In-Reply-To: <48760380.2090703@solcon.nl> References: <4875DA5B.5060001@solcon.nl><86ej62szp9.fsf@seastrom.com> <48760380.2090703@solcon.nl> Message-ID: How long ago were the switches installed? Is it possible there is an accumulation of dust on the module/ASICs? Chuck -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Koen Sent: Thursday, July 10, 2008 8:42 AM To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] High temperatures on cisco 6504-E chassis Hi Robert, I didn't read anything about this but if i look at some others chassis like a 6509 the in- and outlet temps are higher but the asic temps are 31C. Could it be the fan-tray of a 6504-e isn't powerfull enough to cool the chassis? Thanks, Koen Robert E. Seastrom wrote: > Koen writes: > >> We got 2 WS-C6504-E chassis both with 1 sup 7203CXL and 2 >> WS-X6748-GE-TX and we see that the asic temperature is always higher >> then 40C which is the max operational temperature according to the >> docs. > > The max operational temperature quoted in documentation is almost > always ambient (or inlet) temperature, not the temperature of any > particular hot spot on the board. At 30c inlet, you're well within > spec. Is there something you have read that leads you to believe > things are different in this case? Can you point me there if so? 
>
> -r

From mmoerman at ebay.com Thu Jul 10 09:29:58 2008
From: mmoerman at ebay.com (Maarten Moerman)
Date: Thu, 10 Jul 2008 15:29:58 +0200
Subject: [c-nsp] High temperatures on cisco 6504-E chassis
In-Reply-To:
Message-ID:

Hi Charles,

(I'm a colleague.) We've just installed them: fresh new suite, fresh new Ciscos. There's also no production traffic on it yet, just testing at this moment. I think they've been up for little over a month. There's no blocking in airflow; also, it seems that the inlet temps the Cisco is reporting are not the temp we see when using a temp reader in front of the chassis (10C difference).

Maybe it's the fact that these are sup720-3cxl-10ge, with X2 modules installed (which also seem to get hot, 41C), and this packed in a small chassis....

Just looking for answers from somebody who has similar experience with the 6504 chassis.

Maarten

On 7/10/08 3:26 PM, "Church, Charles" wrote:

> How long ago were the switches installed? Is it possible there is an
> accumulation of dust on the module/ASICs?
>
> Chuck
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Koen
> Sent: Thursday, July 10, 2008 8:42 AM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] High temperatures on cisco 6504-E chassis
>
> Hi Robert,
>
> I didn't read anything about this but if I look at some other chassis
> like a 6509 the in- and outlet temps are higher but the ASIC temps are
> 31C. Could it be the fan tray of a 6504-E isn't powerful enough to cool
> the chassis?
> Thanks,
>
> Koen
>
> Robert E. Seastrom wrote:
>> Koen writes:
>>
>>> We got 2 WS-C6504-E chassis both with 1 sup 7203CXL and 2
>>> WS-X6748-GE-TX and we see that the asic temperature is always higher
>>> than 40C which is the max operational temperature according to the
>>> docs.
>>
>> The max operational temperature quoted in documentation is almost
>> always ambient (or inlet) temperature, not the temperature of any
>> particular hot spot on the board. At 30c inlet, you're well within
>> spec. Is there something you have read that leads you to believe
>> things are different in this case? Can you point me there if so?
>>
>> -r

From mihai at duras.ro Thu Jul 10 09:57:58 2008
From: mihai at duras.ro (Mihai Tanasescu)
Date: Thu, 10 Jul 2008 16:57:58 +0300
Subject: [c-nsp] VRF-Lite & Multicast question
In-Reply-To: <48760427.6050107@duras.ro>
References: <4873A9FC.2020109@duras.ro> <67F7C1FAF83A074AA3520D8F155782A501911616@xmb-ams-331.emea.cisco.com> <4875E197.8050607@duras.ro> <4875E609.2070404@duras.ro> <48760427.6050107@duras.ro>
Message-ID: <48761566.8080506@duras.ro>

Hello again,

I fixed it like this:

ip mroute vrf vrf_business 172.16.103.237 255.255.255.255 fallback-lookup global
ip mroute vrf vrf_default_3 172.16.103.237 255.255.255.255 fallback-lookup global

(the global table is the one with MPLS also activated)

But why doesn't it work via the VRF ?
(from the VRFs business and default_3 I can ping 172.16.103.237...via the default gateway; I don't have a specific route) Cheers, Mihai Mihai Tanasescu wrote: > Mihai Tanasescu wrote: >> Hello again, >> >> >> >> On a closer look I see for example: >> >> >> on RC1: >> RO-BUC-RC1#sh ip pim neighbor >> PIM Neighbor Table >> Mode: B - Bidir Capable, DR - Designated Router, N - Default DR >> Priority, >> P - Proxy Capable, S - State Refresh Capable >> Neighbor Interface Uptime/Expires Ver DR >> Address >> Prio/Mode >> 195.170.181.18 POS2/0/0 3d00h/00:01:31 v2 1 >> / S P >> 195.170.181.158 GigabitEthernet7/6 2d22h/00:01:33 v2 1 >> / DR S P >> 195.170.181.54 GigabitEthernet7/3 2d22h/00:01:44 v2 1 >> / DR S P >> 195.170.181.58 GigabitEthernet7/4 2d22h/00:01:28 v2 1 >> / DR S P >> 195.170.181.170 GigabitEthernet7/2 00:02:53/00:01:18 v2 1 >> / DR S P >> 195.170.181.146 GigabitEthernet7/5 00:02:59/00:01:43 v2 1 >> / DR S P >> >> on the RD1 (vrf-lite directly connected to this)..choosing one VRF >> for which I see an entry above on RC1 for neighbor: >> >> RO-BUC-RD1#sh ip pim vrf vrf_business neighbor >> PIM Neighbor Table >> Mode: B - Bidir Capable, DR - Designated Router, N - Default DR >> Priority, >> P - Proxy Capable, S - State Refresh Capable >> Neighbor Interface Uptime/Expires Ver DR >> Address >> Prio/Mode >> >> >> I think the problem might be from here but don't know how to fix it :( > > I was wrong. > > If I try the same on the vrf_default_3 (the gateway obtained by route > leaking for vrf_business), then I can see the pim neighborship relation. > > With a tcpdump on my linux machine with VLC I can see the IGMP v2 > report messages but no reply whatsoever. > > > Any help ? 
> > > >> >> >> - >> Mihai >> >> Mihai Tanasescu wrote: >>> Hi Arie, >>> >>> >>> >>> Sorry for top posting but I guess this time it will be easier as >>> your answer was also above mine:) >>> >>> This is my network topology and schematic: >>> http://www.screenshots.cc/show.php/15014_draft.jpeg.html >>> >>> Router C (in my schema RD-1): >>> >>> RO-BUC-RD1#sh ip mroute count >>> IP Multicast Statistics >>> 1 routes using 544 bytes of memory >>> 1 groups, 0.00 average sources per group >>> Forwarding Counts: Pkt Count/Pkts per second/Avg Pkt Size/Kilobits >>> per second >>> Other counts: Total/RPF failed/Other drops(OIF-null, rate-limit etc) >>> >>> Group: 224.0.1.40, Source count: 0, Packets forwarded: 0, Packets >>> received: 0 >>> >>> >>> RO-BUC-RD1#sh ip mroute >>> >>> Outgoing interface flags: H - Hardware switched, A - Assert winner >>> Timers: Uptime/Expires >>> Interface state: Interface, Next-Hop or VCD, State/Mode >>> >>> (*, 224.0.1.40), 2d22h/00:02:15, RP 172.16.103.237, flags: SJPCL >>> Incoming interface: GigabitEthernet1/24, RPF nbr 195.170.181.157 >>> Outgoing interface list: Null >>> >>> On one of the VRFs: >>> >>> http://www.pastebin.org/50188 >>> http://www.pastebin.org/50190 >>> >>> On all interfaces interconnecting RC1 and RD1 I have: >>> >>> ip pim sparse-dense mode >>> >>> on RC1 I have ip multicast-routing and ip pim rp-address >>> 172.16.103.237. >>> >>> If I connect with a laptop in a port in RC1 multicast works. >>> >>> in RD1 I have: >>> >>> ip pim rp-address 172.16.103.237 >>> ip pim vrf vrf_business rp-address 172.16.103.237 >>> ip pim vrf vrf_default_1 rp-address 172.16.103.237 >>> ip pim vrf vrf_default_2 rp-address 172.16.103.237 >>> ip pim vrf vrf_default_3 rp-address 172.16.103.237 >>> ip pim vrf vrf_default_4 rp-address 172.16.103.237 >>> >>> (VRF business takes default route from vrf_default_3) >>> >>> >>> What am I missing or what would be the workaround in my case of setup ? 
>>> >>> >>> >>> Thanks and sorry for the long post, >>> Mihai >>> Arie Vayner (avayner) wrote: >>>> Hmm... >>>> >>>> Could you share some "show ip mroute" and "show ip mroute count" >>>> outputs >>>> both for global and vrf mode on router C? >>>> >>>> First thing to check would be the RPF path for the source - do you >>>> have >>>> a route back to the source through all the interfaces on router C? >>>> >>>> Arie >>>> -----Original Message----- >>>> From: cisco-nsp-bounces at puck.nether.net >>>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mihai >>>> Tanasescu >>>> Sent: Tuesday, July 08, 2008 20:55 PM >>>> To: cisco-nsp at puck.nether.net >>>> Subject: [c-nsp] VRF-Lite & Multicast question >>>> >>>> Hello all, >>>> >>>> >>>> >>>> I have just started studying multicast for accomplishing a task that >>>> I've been giving and don't know where / what I am doing wrong. >>>> >>>> >>>> My setup is something like the following: >>>> >>>> >>>> RP ---> Router A --- iBGP ---> Router B --- eBGP --> Router C >>>> (vrf-lite) >>>> >>>> >>>> between Router B and Router C I have 5 links (4 are vrf-lite in >>>> Router C, the 5th is in the global table and use for MPLS ldp). >>>> >>>> >>>> I have configured on each router: >>>> ip multicast-routing (in C for example for both global and VRF) , >>>> ip pim >>>> >>>> sparse-dense-mode on interfaces and the RP. >>>> >>>> >>>> If I connect with a cable in Router A I can view the multicast stream. >>>> Same if I connect in Router B. >>>> >>>> >>>> But in Router C it doesn't work (neither in the global table, >>>> neither in >>>> >>>> the VRFs from vrf-lite implementation). >>>> >>>> >>>> Can you help with an advice or what I could be doing wrong ? 
(I'm just a
>>>> beginner/newbie when it comes to mcast)
>>>>
>>>> Thanks,
>>>> Mihai

From drew.weaver at thenap.com Thu Jul 10 10:13:01 2008
From: drew.weaver at thenap.com (Drew Weaver)
Date: Thu, 10 Jul 2008 10:13:01 -0400
Subject: [c-nsp] Earl NDE Task (sup 720)
Message-ID:

Was there some point in the software versions for the Cat6500 where the Earl NDE Task process suddenly began using hardly any CPU utilization?

We have 6 Catalyst 6500s: 2 of them are fairly new and 4 of them are fairly old; all of them have almost equal load and NetFlow is configured exactly the same. The only difference is the version of IOS. There is about a 15% CPU utilization difference in that task. On one with older code it hangs at around 15-17%; on one with newer code it is 0-1%.

Does anyone have any insight on this?

-Drew

From mtinka at globaltransit.net Thu Jul 10 10:18:37 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Thu, 10 Jul 2008 22:18:37 +0800
Subject: [c-nsp] Question on 7204vxr modules
In-Reply-To: <4875CF37.9E6F.00B8.0@dps.k12.oh.us>
References: <4875CF37.9E6F.00B8.0@dps.k12.oh.us>
Message-ID: <200807102218.41850.mtinka@globaltransit.net>

On Thursday 10 July 2008 20:58:26 Steven Pfister wrote:

> - As a first step, we're going to replace the I/O
> controller with the new one using a FE GBIC, and put the
> PA-GE in along with the PA-A6-OC3MM until it's time to cut
> over to gigabit Ethernet. Are there any restrictions on
> where we can put the PA-GE during this time? Can it be
> any slot?

In a non-NPE-G1/G2 deployment, I/O controllers consume bandwidth points, and form part of the "left side" of the router.

If I understand you correctly, you currently have a C7200-I/O-2FE/E installed.
This consumes 400 bandwidth points on the left side of the router. When you upgrade to the C7200-I/O-GE+E as planned, you will also consume 400 bandwidth points on the left side of the router.

From your explanation, your PA-A6-OC3MM is installed in slot 2 of the router. This consumes 300 bandwidth points on the right side of the router.

A PA-GE consumes 400 bandwidth points.

With 400 bandwidth points on your left-hand side, and 300 bandwidth points on your right-hand side, you're left with 200 bandwidth points and 300 bandwidth points to play with, respectively (i.e., a Cisco-supported configuration). Installing the PA-GE would overflow the supported configuration by 200 points on the left side, and 100 points on the right side.

My recommendation (if it is at all feasible in your network, of course) would be to keep the C7200-I/O-2FE/E and only enable one Ethernet port. This counts as half, and the router would only use 200 points on the left-hand side, rather than 400. This is a Cisco-supported configuration as long as this condition is maintained, i.e., one of the Ethernet interfaces is administratively shut down. This way, you can install the PA-GE on the left-hand side of the router and be within the supported values for that side, i.e., 600 bandwidth points.

If you really do need the Gig-E-based I/O controller, then you may consider oversubscribing the bus accordingly. We have previously been in situations where we had no choice but to do this, but only because it was a temporary hack.

> Where is the configuration stored?

The configuration is typically stored in NVRAM on the I/O controller.

> Is it on the flash card?

No (although it can be). The PCMCIA flash card will typically hold the IOS image.

> When we put the new IO controller in, can we just move the flash card over?

It would be best if you pre-configured the new I/O controller and told it where to find the new IOS, as you plan to re-use the existing PCMCIA flash card.
Here, you're basically setting the boot environment:

conf t
boot system flash ...

You would also need to pre-load the 'startup-configuration' file onto the new I/O controller, and adjust it accordingly, e.g., FastEthernet to GigabitEthernet configurations, etc.

Hope this helps.

Cheers,

Mark.

From cchurc05 at harris.com Thu Jul 10 10:22:26 2008
From: cchurc05 at harris.com (Church, Charles)
Date: Thu, 10 Jul 2008 09:22:26 -0500
Subject: [c-nsp] Question on mystery VOIP traffic
In-Reply-To: <4875D485.9E6F.00B8.0@dps.k12.oh.us>
References: <4875D485.9E6F.00B8.0@dps.k12.oh.us>
Message-ID:

Not really sure what you mean by 'once per day'; it might make more sense if you had a graph of it. NetFlow would be really useful. That said, if you think the traffic is all VoIP, it could be something as simple as a scheduled conference call that occurs at the same time creating so much traffic. If you've got access to the call detail reports from the PBX, you could probably find that there.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Steven Pfister
Sent: Thursday, July 10, 2008 9:21 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Question on mystery VOIP traffic

I'm trying to track down the source of some strange traffic patterns in our network. All of our remote sites have VOIP from a remote PBX to a central PBX at our main facility. All of this was set up before I got here, and I have very little contact with it.

In checking out the strange traffic, I notice that several of these sites show a rather large amount of outgoing (from the site) UDP traffic to the central site with port numbers usually in the 15k to 20k range, all involving addresses and interfaces associated with voice.
The amount of data transferred seems to be fairly large (one of the larger sites is sending 5.5 to 6gb per day), and is usually fairly steady throughout the day, 24x7. One exception to that that I've seen, is at the beginning of last month, the 5.5gb seemed to be once a day rather than spread out, but that was only for the first week. The head of telecom here isn't aware of anything that might cause that. Is this normal for VOIP? Thanks! Steve Pfister Technical Coordinator, The Office of Information Technology Dayton Public Schools 115 S. Ludlow St. Dayton, OH 45402 Office (937) 542-3149 Cell (937) 673-6779 Direct Connect: 137*131747*8 Email spfister at dps.k12.oh.us _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From jlewis at lewis.org Thu Jul 10 10:23:23 2008 From: jlewis at lewis.org (Jon Lewis) Date: Thu, 10 Jul 2008 10:23:23 -0400 (EDT) Subject: [c-nsp] C3560 show version memory values In-Reply-To: <200807101923.16998.mtinka@globaltransit.net> References: <10d3a0eb0807091503m72c48c3akd7e21dfa57052a0b@mail.gmail.com> <200807101923.16998.mtinka@globaltransit.net> Message-ID: On Thu, 10 Jul 2008, Mark Tinka wrote: > On Thursday 10 July 2008 06:03:31 Jose Leitao wrote: > >> Today I upgraded a 3560 to >> c3560-advipservicesk9-mz.122-44.SE2, and looking at the >> output of show version, I noticed something rather >> peculiar: >> >> "cisco WS-C3560-24PS (PowerPC405) processor (revision N0) >> with 0K/8184K bytes of memory" > > We are seeing the same issue on our 3560G's running the same > code. The good news is, it's obviously a "display" bug, since if there was 0 processor memory, you wouldn't be able to do a show ver. I noticed this one yesterday, and didn't post about it because I saw others had also recently noticed it and posted about it elsewhere. 
On 3550's:

30 second input rate 0 bits/sec, 0 packets/sec
30 second ouxtput rate 0 bits/sec, 0 packets/sec

It seems to only contain the typo when the rate is 0.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From harbor235 at gmail.com Thu Jul 10 10:24:54 2008
From: harbor235 at gmail.com (Mike Johnson)
Date: Thu, 10 Jul 2008 10:24:54 -0400
Subject: [c-nsp] GPON
In-Reply-To:
References: <836bf1f90807090910h57378c24s7007cb0820ca25b2@mail.gmail.com> <4874E6C8.7050504@thewybles.com> <836bf1f90807090944m1549014fx882c56fa8962b4f3@mail.gmail.com>
Message-ID: <836bf1f90807100724y18502fe1r4f8321a7138adf41@mail.gmail.com>

This is what I am talking about.

http://www.networkworld.com/news/2008/053008-verizon-fios.html

mike j

On 7/10/08, Ziv Leyes wrote:
>
> What the f.... are you all talking about??? Can you explain?
> PON, GPON, BPON, APON.... (?!?!?!?!?)
>
> My friend knows something about Judo and he says IPPON always wins... :-)
>
> I guess I'll have to google it a bit...
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mike Johnson
> Sent: Wednesday, July 09, 2008 7:44 PM
> To: Charles N Wyble
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] GPON
>
> Charles,
>
> APON vs GPON
>
> Verizon is installing GPON via their FIOS product in the east as of 2008;
> previously they were installing BPON. I cannot speak for the other providers.
>
> PROs and CONs for deploying GPON to the desktop for a large CAN
>
> Power savings, yes, for the passive equipment, but the OLTs and ONT/ONUs do
> require power, as well as the management systems required to provision, monitor, etc.
>
> Would it save power if there were no access switches in the mix?
Instead of > aggregating > users to access switches build a PON, power requirements are then pushed to > the desktop. > Is this a better solution? does it really save power? increase/decrease > cost per port? > > thanx for the input > > harbor235 ;} > > > On 7/9/08, Charles N Wyble wrote: > > > > > > > > Hope the resource recommendation helps. :) > > > > Charles Wyble > > > > Mike Johnson wrote: > > > Does anybody have any GPON experience on the list? > > > > > I don't have any hands on experience with GPON or any PON as of yet > > unfortunately. APON is sweeping the United States. Wish they had gone > > with E/G PON. Ah well. > > > If so I am looking for Pros and Cons for implementing this for the CAN. > > > > > > > Pros and Cons of PON vs what? You looking to provide broadband to end > > users? What type of area (rural/suburban/cbd)? Etc. > > > > > Is there a power savings or the power requirement just pushed out to > the > > > desktop? > > > > > Well there are certainly power savings as the equipment is passive. Are > > you looking to deploy this in a service provider environment (I presume > > you are based on the nature of this list), or in an internal enterprise > > network (you mention pushing power out to the desktop). > > > > > hardware required to build a PON? OLTs, ONT/ONUs, splitters? > > > > > > > I just read a fantastic book on EPON and highly recommend it. It covers > > various other standards etc (including GPON). > > Amazon link: *http://tinyurl.com/5okll7 > > *I checked it out from the Los Angeles Public Library. So your local > > library may have it as well. Or I suppose your company could purchase > > it. Might be available on Safari. > > > > > > > How is GPON managed? > > > Pice comparisons? 
> > > > > > Basically whatever info you have outside the classic definition, > > > > > > harbor235 ;} > > > > > > > > > > > > -- > > Charles N Wyble (818) 280-7059 > > http://charlesnw.blogspot.com > > > > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > > > > > ************************************************************************************ > This footnote confirms that this email message has been scanned by > PineApp Mail-SeCure for the presence of malicious code, vandals & computer > viruses. > > ************************************************************************************ > > > > > > > > > > ************************************************************************************ > This footnote confirms that this email message has been scanned by > PineApp Mail-SeCure for the presence of malicious code, vandals & computer > viruses. 
From kyork at cisco.com Thu Jul 10 10:31:48 2008
From: kyork at cisco.com (Kyle York)
Date: Thu, 10 Jul 2008 07:31:48 -0700
Subject: [c-nsp] C3560 show version memory values
In-Reply-To: <10d3a0eb0807091503m72c48c3akd7e21dfa57052a0b@mail.gmail.com>
References: <10d3a0eb0807091503m72c48c3akd7e21dfa57052a0b@mail.gmail.com>
Message-ID: <48761D54.4080003@cisco.com>

Greetings,

Jose Leitao wrote:
> Hi everyone,
>
> Today I upgraded a 3560 to c3560-advipservicesk9-mz.122-44.SE2, and looking at the output of show version, I noticed something rather peculiar:
>
> "cisco WS-C3560-24PS (PowerPC405) processor (revision N0) with 0K/8184K bytes of memory"
>
> Should this be a concern? I couldn't find anything related to this; is this a bug?

It's solely a display issue affecting the 3560/3750 and a few others -- nothing to worry about. I believe the fix will be in 12.2(46)SE.

--
Kyle A. York
Sr. Subordinate Grunt

From jay at west.net Thu Jul 10 09:58:08 2008
From: jay at west.net (Jay Hennigan)
Date: Thu, 10 Jul 2008 06:58:08 -0700
Subject: [c-nsp] Question on mystery VOIP traffic
In-Reply-To: <4875D485.9E6F.00B8.0@dps.k12.oh.us>
References: <4875D485.9E6F.00B8.0@dps.k12.oh.us>
Message-ID: <48761570.4060005@west.net>

Steven Pfister wrote:
> I'm trying to track down the source of some strange traffic patterns in our network. All of our remote sites have VOIP from a remote PBX to a central PBX at our main facility. All of this was set up before I got here, and I have very little contact with it.
>
> In checking out the strange traffic, I notice that several of these sites show a rather large amount of outgoing (from the site) UDP traffic to the central site with port numbers usually in the 15k to 20k range, all involving addresses and interfaces associated with voice. The amount of data transferred seems to be fairly large (one of the larger sites is sending 5.5 to 6gb per day), and is usually fairly steady throughout the day, 24x7. One exception to that that I've seen is at the beginning of last month, when the 5.5gb seemed to be once a day rather than spread out, but that was only for the first week.

A single RTP stream (one phone call) using a G.711 codec is roughly 80 kbits per second, which if left off-hook all day would wind up at about 7 gigabits per day of RTP traffic. SIP, SCCP, MGCP or other signaling would add a small amount for call setup/teardown, message lights, and overhead.

A site with several users making and receiving phone calls during business hours adding up to about 20 to 24 call-hours a day would generate the same traffic. If the PBX is streaming music-on-hold or other constant RTP of some sort 24/7 this would do it as well, as would rogue RTP streams from a call that didn't tear down correctly.

The curious thing in your case is that the traffic is unidirectional from the site. RTP is generally symmetrical.

Ethereal/Wireshark has the ability to capture and decode RTP and play it back as audio (in stereo) if you need to dig into it.
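Jay's numbers (80 kbit/s per G.711 stream, RTP normally symmetric) can be checked against exported flow records rather than by eye. The block below is an added example for this thread, not code from Jay Hennigan's reply or from anything posted to the list: the flow records are constructed, the Flow field layout is an assumed simplification of a NetFlow/IPFIX export rather than any collector's real format, and the 15000-20000 port window is taken from Steven's description.

```python
"""Spot one-way RTP streams in flow records and size them in G.711 call-hours.

Added example for the "mystery VOIP traffic" thread; not code from the list.
The flow records below are constructed, and the Flow layout is an assumed
simplification of a NetFlow/IPFIX export, not any collector's real format.
"""
from collections import defaultdict
from dataclasses import dataclass

G711_KBPS = 80                    # one G.711 stream incl. IP/UDP/RTP headers at 20 ms packetization
RTP_PORT_RANGE = (15000, 20000)   # the port window Steven reported seeing
SECONDS_PER_DAY = 86400


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    octets: int
    packets: int


def is_rtp_like(flow: Flow) -> bool:
    """Heuristic: UDP, both ports in the media window, both even (RTP even, RTCP odd)."""
    lo, hi = RTP_PORT_RANGE
    return (flow.proto == "udp"
            and lo <= flow.sport <= hi and lo <= flow.dport <= hi
            and flow.sport % 2 == 0 and flow.dport % 2 == 0)


def find_unidirectional(flows) -> list:
    """Return RTP-like flows with no matching reverse flow in the same export."""
    media = [f for f in flows if is_rtp_like(f)]
    keys = {(f.src, f.dst, f.sport, f.dport) for f in media}
    return [f for f in media if (f.dst, f.src, f.dport, f.sport) not in keys]


def g711_daily_bits(kbps: int = G711_KBPS) -> int:
    """Bits one stream sends in a day if the call never tears down."""
    return kbps * 1000 * SECONDS_PER_DAY


def call_hours(bits: float, kbps: int = G711_KBPS) -> float:
    """How many hours of a single G.711 stream a given bit count represents."""
    return bits / (kbps * 1000) / 3600


def call_hours_by_source(flows) -> dict:
    """Outbound media volume per source address, in G.711 call-hours.

    Summing by source also merges the multiple records an exporter's active
    timeout produces for one long call.
    """
    octets = defaultdict(int)
    for f in flows:
        if is_rtp_like(f):
            octets[f.src] += f.octets
    return {src: call_hours(n * 8) for src, n in octets.items()}


# Constructed sample: one normal two-way call, one stream with no return
# traffic for a whole day (200-byte packets at 50 pps), its RTCP flow on the
# odd ports, and an unrelated DNS flow.
SAMPLE_FLOWS = [
    Flow("10.20.0.10", "10.0.0.5", 16384, 18000, "udp", 2_400_000, 12_000),
    Flow("10.0.0.5", "10.20.0.10", 18000, 16384, "udp", 2_400_000, 12_000),
    Flow("10.20.0.11", "10.0.0.5", 16386, 18002, "udp", 864_000_000, 4_320_000),
    Flow("10.20.0.11", "10.0.0.5", 16387, 18003, "udp", 50_000, 500),
    Flow("10.20.0.12", "10.0.0.5", 51000, 53, "udp", 1_000, 10),
]

if __name__ == "__main__":
    print(f"one G.711 stream, all day: {g711_daily_bits() / 1e9:.2f} Gbit")
    for f in find_unidirectional(SAMPLE_FLOWS):
        hours = call_hours(f.octets * 8)
        print(f"one-way media {f.src}:{f.sport} -> {f.dst}:{f.dport}: {hours:.1f} call-hours")
    for src, hours in sorted(call_hours_by_source(SAMPLE_FLOWS).items()):
        print(f"{src}: {hours:.2f} call-hours of outbound media")
```

A stream that shows up in only one direction is the signature Jay describes for music-on-hold or a call that never tore down, and it is also what a rogue RTP source looks like, so those four-tuples are the ones to take into Wireshark's RTP player. Two caveats on real exports: sampled NetFlow under-counts bytes and packets by the sampling ratio, and the even/odd port heuristic only holds while the PBX follows the RTP/RTCP port convention.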
--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From jleitao.l at gmail.com Thu Jul 10 11:10:09 2008
From: jleitao.l at gmail.com (Jose Leitao)
Date: Thu, 10 Jul 2008 17:10:09 +0200
Subject: [c-nsp] C3560 show version memory values
In-Reply-To: <48761D54.4080003@cisco.com>
References: <10d3a0eb0807091503m72c48c3akd7e21dfa57052a0b@mail.gmail.com> <48761D54.4080003@cisco.com>
Message-ID: <10d3a0eb0807100810m7cf1e536y4cf1389c4e0c3b8a@mail.gmail.com>

Hi,

Thanks everyone for the replies, does anyone have the Cisco Bug ID?

Thanks,
JL

On Thu, Jul 10, 2008 at 4:31 PM, Kyle York wrote:
> Greetings,
>
> Jose Leitao wrote:
>>
>> Hi everyone,
>>
>> Today I upgraded a 3560 to c3560-advipservicesk9-mz.122-44.SE2, and looking at the output of show version, I noticed something rather peculiar:
>>
>> "cisco WS-C3560-24PS (PowerPC405) processor (revision N0) with 0K/8184K bytes of memory"
>>
>> Should this be a concern? I couldn't find anything related to this; is this a bug?
>
> It's solely a display issue affecting the 3560/3750 and a few others -- nothing to worry about. I believe the fix will be in 12.2(46)SE.
>
> --
> Kyle A. York
> Sr. Subordinate Grunt

From rblayzor.bulk at inoc.net Thu Jul 10 10:39:29 2008
From: rblayzor.bulk at inoc.net (Robert Blayzor)
Date: Thu, 10 Jul 2008 10:39:29 -0400
Subject: [c-nsp] Question on 7204vxr modules
In-Reply-To: <4875CF37.9E6F.00B8.0@dps.k12.oh.us>
References: <4875CF37.9E6F.00B8.0@dps.k12.oh.us>

On Jul 10, 2008, at 8:58 AM, Steven Pfister wrote:
> The router currently has a PA-A6-OC3MM module connecting to our service provider (in the lower right slot).
> The IO controller has 2 FE/E ports (don't have the part number). We want to replace the IO controller with a c7200-I/O-GE+E and the other module with a PA-GE. Our questions are:

If you're looking at a GE IO controller and a Gig-E PA, you're best suited to just upgrade the NPE to a G1 or G2 and skip the IO controller and PA installation. What you're currently planning to do is not a supported configuration no matter what slots you choose.

--
Robert Blayzor, BOFH
INOC, LLC
rblayzor at inoc.net
http://www.inoc.net/~rblayzor/

From howard at leadmon.net Thu Jul 10 11:23:59 2008
From: howard at leadmon.net (Howard Leadmon)
Date: Thu, 10 Jul 2008 11:23:59 -0400
Subject: [c-nsp] WCCP with a PIX-515 and CE-590, any config suggestions to make this play?
Message-ID: <00f701c8e2a0$fcefae30$f6cf0a90$@net>

I just happened to end up with a CE-590 falling into my hands, so figured I'd try and learn a little about it. In my network here I have a PIX-515 firewall running the 8.x code base. On the Content Engine I loaded up the latest ACNS 5.5.x code for it.

Looking at the various docs, it seems like almost a no-brainer to set this thing up to use WCCP, so off I went. I put in the configs on both the CE and PIX and it showed the GRE tunnel was up and happy. Still it doesn't seem to be caching pages from what I can see on the CE. I went to a webserver I control at a remote location, as according to the docs it will actually show the requesting IP as coming from the cache-engine, plus I would assume on successive page reloads it would get it from the CE, not keep asking the remote web-server. Which is not the case, funny though as if I told the CE I wanted HTTP auth to access things, it sure enforced that.

On the CE I have the following in the config:

!
http proxy incoming 80
!
wccp router-list 1 xx.xx.xx.xx (xx is the IP address of the PIX)
wccp web-cache router-list-num 1
wccp version 2
!

On the PIX I have the following.

!
wccp web-cache
wccp interface LAN web-cache redirect in
!

Where of course LAN is my inside interface on my network.

Maybe I am missing something, but from all I can find, making the two talk WCCP to each other to cache web requests looks like it should be that simple. As I am not having much luck, I figured I'd see if anyone here has worked with this combination before, and what you did to get it all going..

---
Howard Leadmon

From Loc.Pham at ucsfmedctr.org Thu Jul 10 11:54:36 2008
From: Loc.Pham at ucsfmedctr.org (Pham, Loc)
Date: Thu, 10 Jul 2008 08:54:36 -0700
Subject: [c-nsp] Link flap on 3550-12G
Message-ID: <81EB7EB41E41834BA4C9EDE1F56980A303192E7F@exmcb03.ucsfmedicalcenter.org>

Greetings,

Time for RMA? The uplink is basic P2P L3 routing....

1y40w: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/7, changed state to down
1y40w: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/7, changed state to up
1y40w: %PM-4-ERR_DISABLE: link-flap error detected on Gi0/7, putting Gi0/7 in err-disable state
1y40w: %LINK-3-UPDOWN: Interface GigabitEthernet0/7, changed state to down
1y40w: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/7, changed state to down

350par1-DIST2-R2# sh ver | i IOS
IOS (tm) C3550 Software (C3550-I5Q3L2-M), Version 12.1(13)EA1a, RELEASE SOFTWARE (fc1)
350par1-DIST2-R2#

Regards,

Loc Pham, CCIE # 17030 - Sr.
Network Staff, IT Network Architecture & Security, UCSF Medical Center
Office 415-353-4492

From kyork at cisco.com Thu Jul 10 12:13:50 2008
From: kyork at cisco.com (Kyle York)
Date: Thu, 10 Jul 2008 09:13:50 -0700
Subject: [c-nsp] C3560 show version memory values
In-Reply-To: <10d3a0eb0807100810m7cf1e536y4cf1389c4e0c3b8a@mail.gmail.com>
References: <10d3a0eb0807091503m72c48c3akd7e21dfa57052a0b@mail.gmail.com> <48761D54.4080003@cisco.com> <10d3a0eb0807100810m7cf1e536y4cf1389c4e0c3b8a@mail.gmail.com>
Message-ID: <4876353E.2090404@cisco.com>

Greetings,

Jose Leitao wrote:
> Hi,
>
> Thanks everyone for the replies, does anyone have the Cisco Bug ID?

CSCsq70343. I don't think it's viewable outside yet, but am looking for the process to make it so. With any luck it will be viewable in the next day or so.

>
> Thanks,
> JL
>
> On Thu, Jul 10, 2008 at 4:31 PM, Kyle York wrote:
>> Greetings,
>>
>> Jose Leitao wrote:
>>> Hi everyone,
>>>
>>> Today I upgraded a 3560 to c3560-advipservicesk9-mz.122-44.SE2, and looking at the output of show version, I noticed something rather peculiar:
>>>
>>> "cisco WS-C3560-24PS (PowerPC405) processor (revision N0) with 0K/8184K bytes of memory"
>>>
>>> Should this be a concern? I couldn't find anything related to this; is this a bug?
>> It's solely a display issue affecting the 3560/3750 and a few others -- nothing to worry about. I believe the fix will be in 12.2(46)SE.
>>
>> --
>> Kyle A. York
>> Sr. Subordinate Grunt

--
Kyle A. York
Sr.
Subordinate Grunt
BU formerly known as DS

From christian at broknrobot.com Thu Jul 10 12:18:12 2008
From: christian at broknrobot.com (Christian Koch)
Date: Thu, 10 Jul 2008 12:18:12 -0400
Subject: [c-nsp] ASA or FRSW in transparent mode over qinq
References: <323aca890807081028m614fc1fayb0691c1bbff27a0a@mail.gmail.com> <1215592278.6067.107.camel@ursa.amorsen.dk> <323aca890807100216s53bb84a7ge8e8fbd38741f5db@mail.gmail.com>

That I can't answer..... it just sounded like you were implying a VRF needed firewall service, which is what was confusing me...

But FWSM scales to 4 per chassis, which is 2000 contexts, 20gbps throughput ..'on paper'...

IOS FW is VRF aware as well, and 7200 makes for a great CE device..

On Thu, Jul 10, 2008 at 5:40 AM, Benny Amorsen wrote:
> "Pavel Skovajsa" writes:
>
> > What if the service provider wants to provide centralized firewalled internet connection to those customers?
>
> Exactly. There must be many ISP's which offer hosted firewalls and Internet access for their MPLS customers. But how? None of the solutions seem to scale.
>
>
> /Benny

--
^christian$

From icox at cisco.com Thu Jul 10 12:22:15 2008
From: icox at cisco.com (Ian Cox)
Date: Thu, 10 Jul 2008 09:22:15 -0700
Subject: [c-nsp] Earl NDE Task (sup 720)
Message-ID: <200807101623.m6AGNCDa021664@sj-core-5.cisco.com>

In 12.2(18)SXE code for PFC switched packets the SP sends the packets out via inband rather than sending them to the RP. So changing to 12.2(18)SXE or higher release for PFC switched traffic reduces the CPU of the RP, but increases the SP CPU load slightly. So the fairly old ones I guess are running 12.2(18)SXD or earlier code.
Ian

At 10:13 AM 7/10/2008 -0400, Drew Weaver wrote:
>Was there some point in the software versions for the Cat6500 where the Earl NDE Task process suddenly began using hardly any CPU utilization?
>
>We have 6 catalyst 6500s, 2 of them are fairly new, and 4 of them are fairly old, all of them have almost equal load and netflow is configured exactly the same. The only difference being the version of IOS. There is about a 15% CPU utilization difference in that task.
>
>On one with older code it hangs at around 15-17%, on one with newer code it is 0-1%.
>
>Does anyone have any insight on this?
>
>-Drew

From streiner at cluebyfour.org Thu Jul 10 12:31:47 2008
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Thu, 10 Jul 2008 12:31:47 -0400 (EDT)
Subject: [c-nsp] Question on 7204vxr modules
In-Reply-To: <4875CF37.9E6F.00B8.0@dps.k12.oh.us>
References: <4875CF37.9E6F.00B8.0@dps.k12.oh.us>

On Thu, 10 Jul 2008, Steven Pfister wrote:
> We have a 7204vxr currently in use as our border router. As part of a transition of our upstream bandwidth from an ATM connection to gigabit Ethernet, we need to replace some of the modules.
>
> The router currently has a PA-A6-OC3MM module connecting to our service provider (in the lower right slot). The IO controller has 2 FE/E ports (don't have the part number). We want to replace the IO controller with a c7200-I/O-GE+E and the other module with a PA-GE. Our questions are:
>
> - As a first step, we're going to replace the I/O controller with the new one using a FE GBIC, and put the PA-GE in along with the PA-A6-OC3MM until it's time to cut over to gigabit Ethernet. Are there any restrictions on where we can put the PA-GE during this time? Can it be any slot?
> - Where is the configuration stored? Is it on the flash card? When we put the new IO controller in, can we just move the flash card over?

You don't mention what type of processor engine you're using, so there are a number of caveats to consider.

You will not get anywhere close to line-rate out of a PA-GE, regardless of what processor you're using. It's a limitation of the PCI buses on that platform. If you need closer to gig-e line-rate on a VXR, you really want to replace the processor blade with an NPE-G1 or NPE-G2, plus those processors have compact flash slots for storing images and so forth.

Also note that many processors for the 7200/VXR are at or near the end of their life cycle, so getting support may be an issue, should you need it. In fact, everything except the NPE-G1 and G2 are at least end-of-sale now - the NPE-400 went end-of-sale earlier this year and most of the rest are already end-of-life/support.

The config is stored in NVRAM, which I think is on the NPE, but you still need a flash/CF slot available to hold IOS images, crash dumps, etc. If you're running an older NPE, like a 225, 300, 400 or NSE-1, I don't think those have built-in flash/CF slots, so you'd still need an I/O controller for its flash slot.

The VXRs have two PCI busses, one covers slots 0/1/3/5 and the other covers slots 2/4/6. Each bus is limited to 600 'bandwidth points', so any configuration of port adapters is valid as long as each bus stays under 600 points. That can be tricky. A PA-GE is 400 points by itself. That's another reason to look at an NPE-G1 or G2. It has built-in GE ports, so they don't touch the PCI busses and are not subject to the bandwidth point limitations like the PA slots.
jms

From david.freedman at uk.clara.net Thu Jul 10 13:07:32 2008
From: david.freedman at uk.clara.net (David Freedman)
Date: Thu, 10 Jul 2008 18:07:32 +0100
Subject: [c-nsp] 12.0(33)S - bug in "show ip bgp"

Not having much luck finding this in bugtool/release notes (although I'm aware of what is fixed in 33S1, until I find this one no idea if upgrade will help)

router#sh ip bgp vpnv4 all | in :
Route Distinguisher: 1234:9989
Route Distinguisher: 1234:9990
Route Distinguisher: 1234:9991
Route Distinguisher: 1234:9992
Route Distinguisher: 1234:9993
Route Distinguisher: 1234:9995

router#show ip bgp vpnv4 rd 1234:9998
%Unknown RD
router#show ip bgp vpnv4 rd 1234:9990
%Unknown RD
router#show ip bgp vpnv4 rd 1234:9991
%Unknown RD
router#show ip bgp vpnv4 rd 1234:9992
%Unknown RD

Anybody from cisco on here know the bugID for this?

From darius4cisco at gmail.com Thu Jul 10 15:25:11 2008
From: darius4cisco at gmail.com (Darius L)
Date: Thu, 10 Jul 2008 20:25:11 +0100
Subject: [c-nsp] PBR on 6500
Message-ID: <828277080807101225x7f654c0axb0bdfb62a1e6f4e2@mail.gmail.com>

Hello All,

I have a question about policy based routing on Cat6500. I want to split HTTP traffic and route it through a proxy and route the rest of the traffic straight to the internet. The only thing that worries me is whether a 6500 with sup720 will be powerful enough to route 1-10Gbps of traffic with PBR. I know that sup720 does PBR in hardware (PFC) but I want to match with an acl on destination port so it will be an L4 decision and I'm not sure whether it will forward in hardware or fall back to process switching.

My configuration would look like this:

access-list 123 permit tcp any any eq 80
access-list 123 permit tcp any any eq 443
access-list 123 permit tcp any any eq ftp
!
route-map WEB permit 10
 match ip address 123
 set ip next-hop 1.2.3.4
!
interface vlan123
 ! "ip vrf forwarding" is the interface-level command; "ip vrf NAME" alone is the global VRF definition
 ip vrf forwarding TESTS1
 ip address 2.3.4.5 255.255.255.0
 ip policy route-map WEB
 ip route-cache policy
!
I thought I would add another VRF in front of the FWSM in the 6500 and put PBR on it. My physical design looks like this:

IP Cloud) <=>(Cisco SCE2020) <=> (Cat6513Sup720<->FWSM<->VRF<->ACE<->(OUT VRF)[rt import/export](VRF Internet))<=>ASA55xx

Maybe it's worth marking "interesting" traffic on the SCE with DSCP or something, but I checked that on Cat6500 I can only match in a route-map on an access-list?

All suggestions appreciated.

Regards,
Darius

From kgraham at industrial-marshmallow.com Thu Jul 10 18:02:54 2008
From: kgraham at industrial-marshmallow.com (Kevin Graham)
Date: Thu, 10 Jul 2008 15:02:54 -0700 (PDT)
Subject: [c-nsp] High temperatures on cisco 6504-E chassis
Message-ID: <764448.49361.qm@web907.biz.mail.mud.yahoo.com>

> Maybe it's the fact that these are sup720-3cxl-10ge , with X2 modules installed (which also seem to get hot, 41C), and this packed in a small chassis....

Check CISCO-ENTITY-SENSOR-MIB::entSensorThresholdTable. Looking at some 720C-10GE's, the minor threshold for the 'asic-#' sensors is 90-95C with criticals at 105-110C. Your inlet seems to be high, but no need to be concerned about those asic temps.

Just checked a lightly-populated 9-slot 720C-10GE, w/ inlet at 23C and the sensors in question are at 34C, 49C, and 51C. Comparing similarly configured (and situated) 4 and 9 slots, all of them seem consistent, so no need to suspect the smaller chassis.

From jmayer at loplof.de Thu Jul 10 18:28:27 2008
From: jmayer at loplof.de (Joerg Mayer)
Date: Fri, 11 Jul 2008 00:28:27 +0200
Subject: [c-nsp] IPV6 relay functionality on cat 3750
Message-ID: <20080710222827.GV4112@thot.informatik.uni-kl.de>

I've just found out that dhcpv6 relay functionality is currently not supported on the cat 3750 series (http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-roadmap.html)

Can someone shed some light on when to expect this feature?

Thanks
Joerg

--
Joerg Mayer
We are stuck with technology when what we really want is just stuff that works.
Some say that should read Microsoft instead of technology.

From Andrey_Oleinik at bms-consulting.com Fri Jul 11 07:42:46 2008
From: Andrey_Oleinik at bms-consulting.com (Andrey Oleinik)
Date: Fri, 11 Jul 2008 14:42:46 +0300
Subject: [c-nsp] GPON
In-Reply-To: <836bf1f90807090910h57378c24s7007cb0820ca25b2@mail.gmail.com>
References: <836bf1f90807090910h57378c24s7007cb0820ca25b2@mail.gmail.com>
Message-ID: <68D5E673B49F1D45A5BE41058C8AFDBCBFBEF69A40@BMSEXCH.BMS-CONSULTING.COM>

Can you rephrase your question about power?

Anyway, try to dig here: www.flexlight-networks.com. IMHO these guys are leaders in GPON. If you're interested I'll give you a personal contact of FLN's human.

--
Respect,
Andy Oleynik
Telecom Dpt Chief
BMS Consulting Ltd
10, Stritenska Str., of. 520
Kyiv, 01025, UA
tel +380(44)4619961
tel +380(44)4619963 extn 162
fax +380(44)4619962
www.bms-consulting.com

andyo> -----Original Message-----
andyo> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mike Johnson
andyo> Sent: Wednesday, July 09, 2008 7:10 PM
andyo> To: cisco-nsp at puck.nether.net
andyo> Subject: [c-nsp] GPON
andyo>
andyo> Does anybody have any GPON experience on the list?
andyo>
andyo> If so I am looking for Pros and Cons for implementing this for the CAN.
andyo>
andyo> Is there a power savings or the power requirement just pushed out to the desktop?
andyo> hardware required to build a PON? OLTs, ONT/ONUs, splitters?
andyo> How is GPON managed?
andyo> Price comparisons?
andyo>
andyo> Basically whatever info you have outside the classic definition,
andyo>
andyo> harbor235 ;}

From ghostonthewire at gmail.com Fri Jul 11 09:20:51 2008
From: ghostonthewire at gmail.com (ghostonthewire)
Date: Fri, 11 Jul 2008 17:20:51 +0400
Subject: [c-nsp] WCCP with a PIX-515 and CE-590, any config suggestions to make this play?
In-Reply-To: <00f701c8e2a0$fcefae30$f6cf0a90$@net>
References: <00f701c8e2a0$fcefae30$f6cf0a90$@net>
Message-ID: <48775E33.2020002@gmail.com>

hi, Howard.

Howard Leadmon wrote:
> On the CE I have the following in the config:
> !
> http proxy incoming 80
> !
> wccp router-list 1 xx.xx.xx.xx (xx is the IP address of the PIX)
> wccp web-cache router-list-num 1
> wccp version 2
> !
>
>
> On the PIX I have the following.
>
> !
> wccp web-cache
> wccp interface LAN web-cache redirect in
> !
>
>
> Where of course LAN is my inside interface on my network.
>
> Maybe I am missing something, but from all I can find, making the two talk WCCP to each other to cache web requests looks like it should be that simple. As I am not having much luck, I figured I'd see if anyone here has worked with this combination before, and what you did to get it all going..

I do not have hands on experience with proprietary caching engines. I'm happy with Squid + PIX 8.x. But definitely you miss the

w

wccp web-cache redirect-list webcache_redirect group-list webcache_group

statement, where webcache_redirect -- source addresses you wanna perform caching for, and webcache_group lists your cache engines.
From r.nevot at gmail.com Fri Jul 11 09:32:21 2008
From: r.nevot at gmail.com (Raul Lopez Nevot)
Date: Fri, 11 Jul 2008 15:32:21 +0200
Subject: [c-nsp] ASA or FRSW in transparent mode over qinq
References: <323aca890807081028m614fc1fayb0691c1bbff27a0a@mail.gmail.com> <1215592278.6067.107.camel@ursa.amorsen.dk> <323aca890807100216s53bb84a7ge8e8fbd38741f5db@mail.gmail.com>

On Thu, Jul 10, 2008 at 6:18 PM, Christian Koch wrote:
> but FWSM scales to 4 per chassis, which is 2000 contexts, 20gbps throughput ..'on paper'...

As far as I heard, now a single FWSM can scale to 50Gbps if you have a Supervisor 720-10G-3C and don't want stateful inspection...

From robbie.jacka at regions.com Fri Jul 11 10:03:37 2008
From: robbie.jacka at regions.com (robbie.jacka at regions.com)
Date: Fri, 11 Jul 2008 09:03:37 -0500
Subject: [c-nsp] Link flap on 3550-12G
In-Reply-To: <81EB7EB41E41834BA4C9EDE1F56980A303192E7F@exmcb03.ucsfmedicalcenter.org>

What's the other end look like? Link-flap errors like that are generated when a link goes up/down more than 10 times in 60 seconds. Entirely possible that you have an issue with the remote end, or physical plant.

--
robbie

"Pham, Loc" (sent by cisco-nsp-bounces at puck.nether.net)
To: "Cisco NSPs"
07/10/2008 10:54 AM
Subject: [c-nsp] Link flap on 3550-12G

Greetings,

Time for RMA? The uplink is basic P2P L3 routing....
1y40w: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/7, changed state to down
1y40w: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/7, changed state to up
1y40w: %PM-4-ERR_DISABLE: link-flap error detected on Gi0/7, putting Gi0/7 in err-disable state
1y40w: %LINK-3-UPDOWN: Interface GigabitEthernet0/7, changed state to down
1y40w: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/7, changed state to down

350par1-DIST2-R2# sh ver | i IOS
IOS (tm) C3550 Software (C3550-I5Q3L2-M), Version 12.1(13)EA1a, RELEASE SOFTWARE (fc1)
350par1-DIST2-R2#

Regards,

Loc Pham, CCIE # 17030 - Sr. Network Staff, IT Network Architecture & Security, UCSF Medical Center
Office 415-353-4492

From ibrahim.abozaid at gmail.com Fri Jul 11 13:26:48 2008
From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid)
Date: Fri, 11 Jul 2008 20:26:48 +0300
Subject: [c-nsp] BGP route-orgination

Dear All

I just want to share a point with you: if we use the network command to originate a BGP route, the route NH will be automatically set to the local BGP router-id, while if we use redistribution the route preserves its NH independent of the local router-id, so next-hop-self should be used.

Is that completely right or does it depend on IOS version?
best regards
--Ibrahim

From peter at rathlev.dk Fri Jul 11 13:55:20 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 11 Jul 2008 19:55:20 +0200
Subject: [c-nsp] ASA or FRSW in transparent mode over qinq
References: <323aca890807081028m614fc1fayb0691c1bbff27a0a@mail.gmail.com> <1215592278.6067.107.camel@ursa.amorsen.dk> <323aca890807100216s53bb84a7ge8e8fbd38741f5db@mail.gmail.com>
Message-ID: <1215798920.28688.4.camel@svesken.sys.mjna.net>

On Fri, 2008-07-11 at 15:32 +0200, Raul Lopez Nevot wrote:
> On Thu, Jul 10, 2008 at 6:18 PM, Christian Koch wrote:
>
> > but FWSM scales to 4 per chassis, which is 2000 contexts, 20gbps throughput ..'on paper'...
>
> As far as I heard, now a single FWSM can scale to 50Gbps if you have a Supervisor 720-10G-3C and don't want stateful inspection...

The FWSM has a 6x1GB Etherchannel connection to the switch, so 50 Gbps seems a little much. Even then, a FWSM without stateful inspection would be a little pointless. The Sup720 can use L4 access-lists in hardware, so no reason to throw money away on the extra hardware.

Regarding the scaling: A single FWSM can handle multi gigabit traffic in hundreds of contexts. Ten of these can do ten times that amount. :-) Just like having more than one router in a POP, there's nothing keeping you from having multiple FWSM installations, spreading the customers among them.

Regards,
Peter

From eugen at imacandi.net Fri Jul 11 13:12:44 2008
From: eugen at imacandi.net (Eugeniu Patrascu)
Date: Fri, 11 Jul 2008 20:12:44 +0300
Subject: [c-nsp] Telnet FROM a PIX Appliance?
In-Reply-To: <486A1507.6040107@reub.net>
References: <200807011121.m61BL2Ax084691@puck.nether.net> <486A1507.6040107@reub.net>
Message-ID: <4877948C.8020100@imacandi.net>

Reuben Farrelly wrote:
> You also can't ssh from a PIX, but you can of course ssh to it.
>
> So it's not IMHO likely to be a case of "telnet being insecure", but avoiding -all- client sourced access from a PIX out to anything else which the PIX could potentially connect to.
>
> I suspect the thinking is that the PIX itself, if compromised, can't be used as a platform to launch into other devices in the network. Especially given it is probably one device which would normally have direct and unrestricted access to the private and DMZ networks in most topologies...
>

If the PIX were compromised, the attacker could also set up ACLs/NATs so that he has access to the network. So either way you don't get better security by not having telnet on the device itself.

From gert at greenie.muc.de Fri Jul 11 14:24:45 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 11 Jul 2008 20:24:45 +0200
Subject: [c-nsp] Telnet FROM a PIX Appliance?
In-Reply-To: <4877948C.8020100@imacandi.net>
References: <200807011121.m61BL2Ax084691@puck.nether.net> <486A1507.6040107@reub.net> <4877948C.8020100@imacandi.net>
Message-ID: <20080711182445.GF1231@greenie.muc.de>

Hi,

On Fri, Jul 11, 2008 at 08:12:44PM +0300, Eugeniu Patrascu wrote:
> If the PIX were compromised, the attacker could also set up ACLs/NATs so that he has access to the network.

Only if he gets "enable" access.

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
From r.nevot at gmail.com Fri Jul 11 14:27:51 2008
From: r.nevot at gmail.com (Raul Lopez Nevot)
Date: Fri, 11 Jul 2008 20:27:51 +0200
Subject: [c-nsp] ASA or FRSW in transparent mode over qinq
In-Reply-To: <1215798920.28688.4.camel@svesken.sys.mjna.net>
References: <323aca890807081028m614fc1fayb0691c1bbff27a0a@mail.gmail.com> <1215592278.6067.107.camel@ursa.amorsen.dk> <323aca890807100216s53bb84a7ge8e8fbd38741f5db@mail.gmail.com> <1215798920.28688.4.camel@svesken.sys.mjna.net>

> > As far as I heard, now a single FWSM can scale to 50Gbps if you have a Supervisor 720-10G-3C and don't want stateful inspection...
>
> The FWSM has a 6x1GB Etherchannel connection to the switch, so 50 Gbps seems a little much. Even then, a FWSM without stateful inspection would be a little pointless. The Sup720 can use L4 access-lists in hardware, so no reason to throw money away on the extra hardware.
>
> Regarding the scaling: A single FWSM can handle multi gigabit traffic in hundreds of contexts. Ten of these can do ten times that amount. :-) Just like having more than one router in a POP, there's nothing keeping you from having multiple FWSM installations, spreading the customers among them.

Some people told me about cisco expectation for the future release... these speeds are achieved by authorizing only the connection on the FWSM, and once authorized, passing connections to the supervisor and not on the etherchannel (to the supervisor forwarding engine). That's how they will multiply speeds, not passing all the packets through the FWSM (and that's why it's incompatible with deep protocol inspection).

Yeah, I know it's only a rumor some people near cisco told me. I don't know if anybody at cisco reading this list can confirm it.
Regards

From r.nevot at gmail.com Fri Jul 11 14:41:34 2008
From: r.nevot at gmail.com (Raul Lopez Nevot)
Date: Fri, 11 Jul 2008 20:41:34 +0200
Subject: [c-nsp] ASA or FRSW in transparent mode over qinq
References: <323aca890807081028m614fc1fayb0691c1bbff27a0a@mail.gmail.com> <323aca890807100216s53bb84a7ge8e8fbd38741f5db@mail.gmail.com> <1215798920.28688.4.camel@svesken.sys.mjna.net>

> Some people told me about cisco expectation for the future release... these speeds are achieved by authorizing only the connection on the FWSM, and once authorized, passing connections to the supervisor and not on the etherchannel (to the supervisor forwarding engine). That's how they will multiply speeds, not passing all the packets through the FWSM (and that's why it's incompatible with deep protocol inspection).
>
> Yeah, I know it's only a rumor some people near cisco told me. I don't know if anybody at cisco reading this list can confirm it.

In fact, it's not a rumor. They call it Trusted Flow Acceleration, and it comes on version 4.0:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/protct_f.html#wpxref95739

From benny+usenet at amorsen.dk Fri Jul 11 15:25:25 2008
From: benny+usenet at amorsen.dk (Benny Amorsen)
Date: Fri, 11 Jul 2008 21:25:25 +0200
Subject: [c-nsp] ASA or FRSW in transparent mode over qinq
References: <323aca890807081028m614fc1fayb0691c1bbff27a0a@mail.gmail.com> <1215592278.6067.107.camel@ursa.amorsen.dk> <323aca890807100216s53bb84a7ge8e8fbd38741f5db@mail.gmail.com>

"Raul Lopez Nevot" writes:

> As far as I heard, now a single FWSM can scale to 50Gbps if you have a Supervisor 720-10G-3C and don't want stateful inspection...

Performance is fun and all, but more customers (vrfs) per box would be more useful I'd think.
/Benny

From RTeller at deltadentalwa.com Fri Jul 11 16:47:34 2008
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Fri, 11 Jul 2008 13:47:34 -0700
Subject: [c-nsp] Cisco 2851 bug ?
In-Reply-To:
References: <323aca890807081028m614fc1fayb0691c1bbff27a0a@mail.gmail.com> <323aca890807100216s53bb84a7ge8e8fbd38741f5db@mail.gmail.com> <1215798920.28688.4.camel@svesken.sys.mjna.net>
Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00CC5@tiger.deltadentalwa.com>

Is anyone aware of a bug or configuration that could cause a sudden spike in IP input?

uptime is 26 weeks, 3 days, 10 hours, 54 minutes
System returned to ROM by reload at 01:40:08 PST Tue Jan 8 2008
System restarted at 01:41:34 PST Tue Jan 8 2008
System image file is "flash:c2800nm-ipbasek9-mz.124-17a.bin"

Cisco 2851 (revision 53.51) with 251904K/10240K bytes of memory.

 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
  66      125056   2917547     42  0.00%  0.00%  0.00%   0 CDP Protocol
  67    28872876 373263867     77  0.08% 51.78% 47.36%   0 IP Input

Seattle-WAN 01:00:26 PM Friday Jul 11 2008 DST

[show processes cpu history graphs not reproduced: CPU% per second (last 60 seconds), CPU% per minute (last 60 minutes), CPU% per hour (last 72 hours); * = maximum CPU%, # = average CPU%]

From paul at gtcomm.net Fri Jul 11 20:22:36 2008
From: paul at gtcomm.net (Paul)
Date: Fri, 11 Jul 2008 20:22:36 -0400
Subject: [c-nsp] BGP route-orgination
In-Reply-To:
References:
Message-ID: <4877F94C.2060302@gtcomm.net>

Correct me if I'm wrong but the IOS usually:

If a network statement is present, next-hop-self is set.

If a network is redistributed from another protocol, EBGP export is rewritten to the peer address, but IBGP carries over the next-hop from the injection point.

From christian at broknrobot.com Fri Jul 11 21:15:02 2008
From: christian at broknrobot.com (Christian Koch)
Date: Fri, 11 Jul 2008 21:15:02 -0400
Subject: [c-nsp] ASA or FRSW in transparent mode over qinq
In-Reply-To:
References: <323aca890807081028m614fc1fayb0691c1bbff27a0a@mail.gmail.com> <1215592278.6067.107.camel@ursa.amorsen.dk> <323aca890807100216s53bb84a7ge8e8fbd38741f5db@mail.gmail.com>
Message-ID:

what is the constant vrf reference?
just because someone is an mpls vpn customer does not mean they are going to be a managed firewall customer.. I don't know why you keep referencing vrf?

and 2000 customers on a 65/7600 is a lot, you don't think so?

On Fri, Jul 11, 2008 at 3:25 PM, Benny Amorsen wrote:

> "Raul Lopez Nevot" writes:
>
> > As far as I heard, now a single FWSM can scale to 50Gbps if you have a
> > Supervisor 720-10G-3C and don't want stateful inspection...
>
> Performance is fun and all, but more customers (vrfs) per box would be
> more useful I'd think.
>
>
> /Benny
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

--
^christian$

From Loc.Pham at ucsfmedctr.org Fri Jul 11 22:30:07 2008
From: Loc.Pham at ucsfmedctr.org (Pham, Loc)
Date: Fri, 11 Jul 2008 19:30:07 -0700
Subject: [c-nsp] Link flap on 3550-12G
References:
Message-ID: <81EB7EB41E41834BA4C9EDE1F56980A3031930F4@exmcb03.ucsfmedicalcenter.org>

Not much to offer once they're down. I did move the link to another free port on the box and things seem to stay. Heck, may be time for an RMA and a due IOS upgrade ;-)

Regards,

Loc Pham, # 17030 R/S
"We switch our network dedicately: One packet at a time... "

-----Original Message-----
From: robbie.jacka at regions.com [mailto:robbie.jacka at regions.com]
Sent: Friday, July 11, 2008 7:04 AM
To: Pham, Loc
Cc: Cisco NSPs; cisco-nsp-bounces at puck.nether.net
Subject: Re: [c-nsp] Link flap on 3550-12G

What's the other end look like? Link-flap errors like that are generated when a link goes up/down more than 10 times in 60 seconds. Entirely possible that you have an issue with the remote end, or physical plant.

--
robbie

"Pham, Loc"
Sent by: cisco-nsp-bounces at puck.nether.net
07/10/2008 10:54 AM
To: "Cisco NSPs"
cc:
Subject: [c-nsp] Link flap on 3550-12G

Greetings,

Time for RMA ? the uplink is basic P2P L3 routing ....
1y40w: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/7, changed state to down
1y40w: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/7, changed state to up
1y40w: %PM-4-ERR_DISABLE: link-flap error detected on Gi0/7, putting Gi0/7 in err-disable state
1y40w: %LINK-3-UPDOWN: Interface GigabitEthernet0/7, changed state to down
1y40w: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/7, changed state to down

350par1-DIST2-R2# sh ver | i IOS
IOS (tm) C3550 Software (C3550-I5Q3L2-M), Version 12.1(13)EA1a, RELEASE SOFTWARE (fc1)
350par1-DIST2-R2#

Regards,

Loc Pham, CCIE # 17030 - Sr. Network Staff, IT Network Architecture & Security, UCSF Medical Center
Office 415-353-4492

From adrian at creative.net.au Sat Jul 12 02:12:54 2008
From: adrian at creative.net.au (Adrian Chadd)
Date: Sat, 12 Jul 2008 14:12:54 +0800
Subject: [c-nsp] WCCP with a PIX-515 and CE-590, any config suggestions to make this play?
In-Reply-To: <48775E33.2020002@gmail.com>
References: <00f701c8e2a0$fcefae30$f6cf0a90$@net> <48775E33.2020002@gmail.com>
Message-ID: <20080712061254.GJ2904@skywalker.creative.net.au>

.. i just saw this post.

*puts on WCCP hat, wishes he had a PIX hat to put on*

On Fri, Jul 11, 2008, ghostonthewire wrote:
> hi, Howard.
>
> Howard Leadmon wrote:
> >On the CE I have the following in the config:
> >!
> >http proxy incoming 80
> >!
> >wccp router-list 1 xx.xx.xx.xx (xx is the IP address of the PIX)

^-- right, so is the cache registering?

> >wccp web-cache router-list-num 1
> >wccp version 2

Ok.

> >On the PIX I have the following.
> >
> >!
> >wccp web-cache
> >wccp interface LAN web-cache redirect in

.. which should redirect traffic from all LAN ports to the WCCP cache, and hopefully not redirect traffic from the cache itself.
> >Where of course LAN is my inside interface on my network.
> >
> >Maybe I am missing something, but from all I can find, making the two talk
> >WCCP to each other to cache web requests looks like it should be that
> >simple. As I am not having much luck, I figured I'd see if anyone here
> >has
> >worked with this combination before, and what you did to get it all going..

if this were a router, I'd do:

"show ip wccp web-cache detail"

to see if the router is seeing the cache, see what redirection/assignment method it's chosen, and make sure that it's actively redirecting traffic -to- the thing.

> wccp web-cache redirect-list webcache_redirect group-list webcache_group
>
> statement, where webcache_redirect -- source addresses you wanna perform
> caching for, and webcache_group lists your cache engines.

I know the -routers- don't require a web cache group to be defined (but it's a good thing to do, much like enabling MD5 auth :) but I haven't got a PIX yet to test it out on.

Adrian

--
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -

From sam_mailinglists at spacething.org Sat Jul 12 04:55:25 2008
From: sam_mailinglists at spacething.org (Sam Stickland)
Date: Sat, 12 Jul 2008 09:55:25 +0100
Subject: [c-nsp] Telnet FROM a PIX Appliance?
In-Reply-To: <20080711182445.GF1231@greenie.muc.de>
References: <200807011121.m61BL2Ax084691@puck.nether.net> <486A1507.6040107@reub.net> <4877948C.8020100@imacandi.net> <20080711182445.GF1231@greenie.muc.de>
Message-ID: <4878717D.5010709@spacething.org>

Gert Doering wrote:
> Hi,
>
> On Fri, Jul 11, 2008 at 08:12:44PM +0300, Eugeniu Patrascu wrote:
>
>> If the PIX would be compromised, the attacker could also setup ACLs/NATs
>> so that he has access to the network.
>>
>
> Only if he gets "enable" access.
>
>

Still, it's not really a reason - on the old CatOS switches you had to be in enable mode before you could outbound telnet; there's no reason that couldn't be repeated. And if you really didn't want telnet on the PIX, ban it on the AAA server. :)

I imagine, as with all these features, the reason it doesn't exist is not enough people want/ask for it.

Sam

From madunix at gmail.com Sat Jul 12 07:30:41 2008
From: madunix at gmail.com (Mad Unix)
Date: Sat, 12 Jul 2008 13:30:41 +0200
Subject: [c-nsp] Analog Dialer
In-Reply-To: <4d3f56c90807091400h5e43ad05s86697f07f8ea7b6@mail.gmail.com>
References: <4d3f56c90807082326v532ee3b8sa5b8f91525c081e7@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405B1CDA7@xmb-ams-333.emea.cisco.com> <4d3f56c90807090005o44bd8d6ck319b3e2556497c01@mail.gmail.com> <4d3f56c90807090130u3bb11da9wcd423f4512756068@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405B1CEC7@xmb-ams-333.emea.cisco.com> <4d3f56c90807090225x35c782c4lfd64df4a4a1db3c4@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405B1CF9A@xmb-ams-333.emea.cisco.com> <4d3f56c90807091400h5e43ad05s86697f07f8ea7b6@mail.gmail.com>
Message-ID: <4d3f56c90807120430j22e11ef4x6814176d00450b18@mail.gmail.com>

till now am not able to accept analog calls through my PRI! any help

>
> On Wed, Jul 9, 2008 at 1:09 PM, Oliver Boehmer (oboehmer) <
> oboehmer at cisco.com> wrote:
>
>> Hmm, so how far does the connection go? Do the modems train up?
>> You
>> might want to go through
>> http://www.cisco.com/en/US/tech/tk801/tk36/technologies_tech_note09186a0080094eb9.shtml or
>> http://www.cisco.com/en/US/tech/tk713/tk507/technologies_tech_note09186a008019cfa7.shtml
>>
>> oli
>>
>> ------------------------------
>> *From:* Mad Unix [mailto:madunix at gmail.com]
>> *Sent:* Wednesday, July 09, 2008 11:25 AM
>> *To:* Oliver Boehmer (oboehmer)
>> *Cc:* cisco-nsp at puck.nether.net
>> *Subject:* Re: [c-nsp] Analog Dialer
>>
>> I have added this but it didn't help, it keeps trying to connect to
>> authenticate then fails
>>
>> SDC_R2#conf t
>> Enter configuration commands, one per line. End with CNTL/Z.
>> SDC_R2(config)#line 450 473
>> SDC_R2(config-line)#exec-timeout 0 0
>> SDC_R2(config-line)#modem Dialin
>> SDC_R2(config-line)#transport input all
>> SDC_R2(config-line)#autoselect during-login
>> SDC_R2(config-line)#autoselect ppp
>> SDC_R2(config-line)#
>> SDC_R2(config-line)#exit
>> SDC_R2(config)#exit
>>
>>
>> SDC_R2#sh line
>>    Tty Line Typ     Tx/Rx    A Modem  Roty AccO AccI  Uses  Noise Overruns Int
>>      0    0 CTY              -    -      -    -    -     1      0    0/0     -   Ready
>>      1    1 AUX 9600/9600   -    -      -    -    -     0      0    0/0     -   Ready
>> I 0/450  450 TTY             - DialIn   -    -    -     0      0    0/0     -   Idle
>> I 0/451  451 TTY             - DialIn   -    -    -     0      0    0/0     -   Idle
>> I 0/452  452 TTY             - DialIn   -    -    -     0      0    0/0     -   Idle
>> I 0/453  453 TTY             - DialIn   -    -    -     0      0    0/0     -   Idle
>> I 0/454  454 TTY             - DialIn   -    -    -     0      0    0/0     -   Idle
>> I 0/455  455 TTY             - DialIn   -    -    -     0      0    0/0     -   Idle
>> I 0/456  456 TTY             - DialIn   -    -    -     0      0    0/0     -   Idle
>> I 0/457  457 TTY             - DialIn   -    -    -     0      0    0/0     -   Idle
>> I 0/458  458 TTY             - DialIn   -    -    -     0      0    0/0     -   Idle
>> I 0/459  459 TTY             - DialIn   -    -    -     0      0    0/0     -   Idle
>> I 0/460  460 TTY             - DialIn   -    -    -     0      0    0/0     -   Idle
>> I 0/461  461 TTY             - DialIn   -    -    -     0      0    0/0     -   Idle
>> I 0/462  462 TTY             - DialIn   -    -    -     0      0    0/0     -   Idle
>> I 0/463  463 TTY             - DialIn   -    -    -     0      0    0/0     -   Idle
>> I 0/464  464 TTY             - DialIn   -    -    -     0      0    0/0     -   Idle
>> I 0/465  465 TTY             - DialIn   -    -    -     0      0    0/0     -   Idle
>> I 0/466  466 TTY             - DialIn   -    -    -     0      0    0/0     -   Idle
>> I 0/467  467 TTY             - DialIn   -    -    -     0      0    0/0     -   Idle
>> I 0/468  468 TTY             - DialIn   -    -    -     0      0    0/0     -   Idle
>> I 0/469  469 TTY             - DialIn   -    -    -     0      0    0/0     -   Idle
>> I 0/470  470 TTY             - DialIn   -    -    -     0      0    0/0     -   Idle
>> I 0/471  471 TTY             - DialIn   -    -    -     0      0    0/0     -   Idle
>> I 0/472  472 TTY             - DialIn   -    -    -     0      0    0/0     -   Idle
>> I 0/473  473 TTY             - DialIn   -    -    -     0      0    0/0     -   Idle
>> *   706  706 VTY             -    -      -    -    -    50      0    0/0     -   Ready
>> *   707  707 VTY             -    -      -    -    -     9      0    0/0     -   Ready
>>     708  708 VTY             -    -      -    -    -     1      0    0/0     -   Ready
>>     709  709 VTY             -    -      -    -    -     0      0    0/0     -   Idle
>>     710  710 VTY             -    -      -    -    -     0      0    0/0     -   Idle
>>
>> Line(s) not in async mode -or- with no hardware support:
>> 2-449, 474-705
>>
>>
>> regarding the CEF we have disabled because it was disconnecting the Dialer
>> after a time...
>> so we added this no ip route-cache cef
>>
>> interface Serial4/0:15
>>  no ip address
>>  encapsulation ppp
>>  no ip route-cache cef
>>  dialer rotary-group 1
>>  dialer-group 2
>>  isdn switch-type primary-net5
>>  isdn incoming-voice modem
>>  isdn guard-timer 3000
>> !
>> interface Serial4/1:15
>>  no ip address
>>  encapsulation ppp
>>  no ip route-cache cef
>>  dialer rotary-group 1
>>  dialer-group 1
>>  isdn switch-type primary-net5
>>  isdn incoming-voice modem
>>  isdn guard-timer 3000
>> !
>>
>>
>> On Wed, Jul 9, 2008 at 11:05 AM, Oliver Boehmer (oboehmer) <
>> oboehmer at cisco.com> wrote:
>>
>>> some patience, please :-) .. we all do this in our spare time..
>>>
>>> The "line" config is missing (i.e. the lower part of the config). can you
>>> send this as well?
>>> Please re-enable CEF on the serial interface ("ip route-cache cef")
>>>
>>> oli
>>>
>>> ------------------------------
>>> *From:* Mad Unix [mailto:madunix at gmail.com]
>>> *Sent:* Wednesday, July 09, 2008 10:31 AM
>>> *To:* Oliver Boehmer (oboehmer)
>>> *Cc:* cisco-nsp at puck.nether.net
>>> *Subject:* Re: [c-nsp] Analog Dialer
>>>
>>> Any updates
>>>
>>> On Wed, Jul 9, 2008 at 9:05 AM, Mad Unix wrote:
>>>
>>>> Am using interface Group-Async1 to accept analog calls for data transfer
>>>>
>>>>
>>>> interface GigabitEthernet0/0
>>>>  description $ES_LAN$
>>>>  ip address 10.16.0.2 255.255.255.0
>>>>  duplex auto
>>>>  speed auto
>>>>  media-type rj45
>>>> !
>>>> interface GigabitEthernet0/1
>>>>  ip address 10.16.1.2 255.255.255.0
>>>>  duplex auto
>>>>  speed auto
>>>>  media-type rj45
>>>> !
>>>> interface Serial0/0/0
>>>>  description ---- Elect ----
>>>>  ip address 10.14.11.5 255.255.255.252
>>>> !
>>>> interface Serial0/0/1
>>>>  description --- Bank ---
>>>>  ip address 10.14.11.1 255.255.255.252
>>>>  encapsulation ppp
>>>>
>>>> interface Serial4/0:15
>>>>  no ip address
>>>>  encapsulation ppp
>>>>  no ip route-cache cef
>>>>  dialer rotary-group 1
>>>>  dialer-group 2
>>>>  isdn switch-type primary-net5
>>>>  isdn incoming-voice modem
>>>>  isdn guard-timer 3000
>>>> !
>>>> interface Serial4/1:15
>>>>  no ip address
>>>>  encapsulation ppp
>>>>  no ip route-cache cef
>>>>  dialer rotary-group 1
>>>>  dialer-group 1
>>>>  isdn switch-type primary-net5
>>>>  isdn incoming-voice modem
>>>>  isdn guard-timer 3000
>>>> !
>>>> interface Dialer1
>>>>  description connected to Dial-inPCs(ISDN)
>>>>  ip address 10.13.1.1 255.255.255.0
>>>>  encapsulation ppp
>>>>  no ip split-horizon
>>>>  dialer in-band
>>>>  dialer idle-timeout 3600
>>>>  dialer-group 1
>>>>  peer default ip address pool Cisco3662-Group-1
>>>>  ppp authentication chap pap ms-chap callin
>>>> !
>>>> interface Group-Async1
>>>>  description connected tp Dial-in pcs (Analog)
>>>>  ip unnumbered GigabitEthernet0/0
>>>>  encapsulation ppp
>>>>  no ip split-horizon
>>>>  dialer in-band
>>>>  dialer idle-timeout 3600
>>>>  dialer-group 1
>>>>  async mode interactive
>>>>  peer default ip address pool cisco3662-group-2
>>>>  no fair-queue
>>>>  ppp authentication chap pap ms-chap callin
>>>>  group-range 0/450 0/473
>>>> ip http server
>>>> ip http authentication local
>>>> ip http timeout-policy idle 60 life 86400 requests 10000
>>>> !
>>>> ip radius source-interface GigabitEthernet0/0
>>>> access-list 2 permit 10.5.0.0 0.0.255.255
>>>> access-list 100 permit ip 10.4.0.0 0.0.255.255 10.13.0.0 0.0.255.255
>>>> access-list 100 permit ip 10.5.0.0 0.0.255.255 10.13.0.0 0.0.255.255
>>>> access-list 100 permit ip 10.5.0.0 0.0.255.255 10.0.0.0 0.255.255.255
>>>> access-list 101 permit tcp host 10.5.3.10 any eq telnet
>>>> dialer-list 1 protocol ip permit
>>>> dialer-list 2 protocol ip permit
>>>>
>>>>
>>>> On Wed, Jul 9, 2008 at 8:39 AM, Oliver Boehmer (oboehmer) <
>>>> oboehmer at cisco.com> wrote:
>>>>
>>>>> Can't tell based on this config alone. can you please show the full
>>>>> config? (at least the one of the Serialx/y:z (the D-channel), any
>>>>> dialer
>>>>> interfaces and the "line" config at the end)?
>>>>>
>>>>> http://www.cisco.com/en/US/products/hw/univgate/ps505/products_configuration_example09186a0080094a49.shtml
>>>>> shows a sample AS5xxx config, which
>>>>> can easily be adapted to your environment..
>>>>>
>>>>> oli
>>>>>
>>>>>
>>>>> Mad Unix <> wrote on Wednesday, July 09, 2008 8:27 AM:
>>>>>
>>>>> > have a PRI connecting 60 ppl using BRI and Analog calls
>>>>> > the Router 3800 PRI interface is having Digital modem to accept
>>>>> > analog phone calls
>>>>> > the analog callers can't connect!
>>>>> > What could be wrong?
>>>>> >
>>>>> > interface Group-Async1
>>>>> >  description connected tp Dial-in pcs (Analog)
>>>>> >  ip unnumbered GigabitEthernet0/0
>>>>> >  encapsulation ppp
>>>>> >  no ip split-horizon
>>>>> >  dialer in-band
>>>>> >  dialer idle-timeout 3600
>>>>> >  dialer-group 1
>>>>> >  async mode interactive
>>>>> >  peer default ip address pool cisco3662-group-2
>>>>> >  no fair-queue
>>>>> >  ppp authentication chap pap ms-chap callin
>>>>> >  group-range 0/450 0/473
>>>>> > --
>>>>> > madunix
>>>>
>>>> --
>>>> madunix
>>>
>>> --
>>> madunix
>>
>> --
>> madunix
>
> --
> madunix

--
madunix

From oboehmer at cisco.com Sat Jul 12 07:59:24 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Sat, 12 Jul 2008 13:59:24 +0200
Subject: [c-nsp] Analog Dialer
In-Reply-To: <4d3f56c90807120430j22e11ef4x6814176d00450b18@mail.gmail.com>
References: <4d3f56c90807082326v532ee3b8sa5b8f91525c081e7@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405B1CDA7@xmb-ams-333.emea.cisco.com> <4d3f56c90807090005o44bd8d6ck319b3e2556497c01@mail.gmail.com> <4d3f56c90807090130u3bb11da9wcd423f4512756068@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405B1CEC7@xmb-ams-333.emea.cisco.com> <4d3f56c90807090225x35c782c4lfd64df4a4a1db3c4@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405B1CF9A@xmb-ams-333.emea.cisco.com> <4d3f56c90807091400h5e43ad05s86697f07f8ea7b6@mail.gmail.com> <4d3f56c90807120430j22e11ef4x6814176d00450b18@mail.gmail.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405B65E99@xmb-ams-333.emea.cisco.com>

Hi,

I am sorry, but I do not know how to help you if you don't provide more details about the problem. Do the modems train up, i.e. do you get a connect?
If not, please check the modem troubleshooting link below. If you have problems during PPP or authentication, please check the other link I've provided to guide you through the process.

oli

________________________________
From: Mad Unix [mailto:madunix at gmail.com]
Sent: Saturday, July 12, 2008 1:31 PM
To: Oliver Boehmer (oboehmer)
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Analog Dialer

till now am not able to accept analog calls through my PRI! any help

On Wed, Jul 9, 2008 at 1:09 PM, Oliver Boehmer (oboehmer) wrote:

Hmm, so how far does the connection go? Do the modems train up? You might want to go through
http://www.cisco.com/en/US/tech/tk801/tk36/technologies_tech_note09186a0080094eb9.shtml
or
http://www.cisco.com/en/US/tech/tk713/tk507/technologies_tech_note09186a008019cfa7.shtml

oli

________________________________
From: Mad Unix [mailto:madunix at gmail.com]
Sent: Wednesday, July 09, 2008 11:25 AM
To: Oliver Boehmer (oboehmer)
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Analog Dialer

I have added this but it didn't help, it keeps trying to connect to authenticate then fails
From stig.johansen at ementor.no Sat Jul 12 08:32:20 2008
From: stig.johansen at ementor.no (Stig Johansen)
Date: Sat, 12 Jul 2008 14:32:20 +0200
Subject: [c-nsp] 7600 MPLS QoS
In-Reply-To:
References:
Message-ID: <13A13E9CF0F76342A79031B9E558C0C5187B3B@100NOOSLMSG004.common.alpharoot.net>

Hi there,

Short answer: you aren't missing anything. :)

Traditionally the 6500/7600-platform has been rather poor in the QoS-department, presumably because of the extended use of hardware-switching. I would think this is just one more of the "wouldn't it be great if.." features we want to see, but may or may not see supported in the future..

The 6500/7600-platform does support explicit null LSP's, but the problem is using this information at the egress PE as you yourself noted. The "set qos-group" is regretfully not supported at ingress MPLS-interfaces as far as I can see as well.

I really don't have any viable alternatives for you at this point as I haven't implemented any of this myself outside a small labtest I did just now.

Can't you let the customer-set DSCP manage the QoS on the egress to the CE? I understand you see this as a benefit to be able to control as the SP, but shouldn't the customer ideally have a say in this?
:)

Best regards,
Stig Meireles Johansen

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of J C
Sent: 7 July 2008 06:52
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 7600 MPLS QoS

I've been going through all the documentation regarding MPLS and configuring MPLS QoS on PFC's and I'm stumped on this question.

In the past MPLS networks I've used Pipe Mode with Explicit Null LSP to configure QoS within the MPLS network. The benefit of this for a carrier network was that it preserved the customer markings and allowed us to control the treatment of the traffic right up to (and including) the egress of the PE to the carrier owned CPE.

From reading the documentation on the 7600 I don't see anywhere the ability to use Pipe Mode with Explicit-Null LSP...I only see Uniform Mode and Short Pipe Mode. Right away Uniform Mode is out of the question, and Short Pipe mode is the best alternative, but it only allows you to control the treatment of the traffic until it reaches the final PE, at which point the traffic has no MPLS EXP bits left on it and only the original customer markings are left.

So my question is...am I just missing something regarding the 7600 and its ability to support Pipe mode with Explicit-Null? I'm asking this because I also noticed that 'set qos-groups' is not available to do on ingress MPLS-MPLS interfaces...

And if this method of MPLS QoS is not supported on the 7600, what's the next best thing?...Lastly, if Short Pipe Mode is the only alternative, then how can the SP still control treatment on the Egress of the final PE...as all MPLS EXP bits will be stripped during the final 'pop'.

Thanks in advance MPLS gurus!!!!
From stig.johansen at ementor.no Sat Jul 12 08:50:46 2008
From: stig.johansen at ementor.no (Stig Johansen)
Date: Sat, 12 Jul 2008 14:50:46 +0200
Subject: [c-nsp] Flat MPLS service from provider
In-Reply-To:
References: <836bf1f90807090910h57378c24s7007cb0820ca25b2@mail.gmail.com>
Message-ID: <13A13E9CF0F76342A79031B9E558C0C5187B3C@100NOOSLMSG004.common.alpharoot.net>

Hi.

I can't see any big problems with a flat vpn-cloud considering the following:

- The sites should ideally use a default route into the cloud.
- The sites should have no requirement for segregation inside the cloud.
- The sites should have absolutely common policies regarding all routing decisions and gateways in/out of the cloud.

Exactly what kind of distributed services are you thinking about?

Best regards,
Stig Meireles Johansen

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of D W
Sent: 9 July 2008 19:59
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Flat MPLS service from provider

Hello,

Does anyone on this list manage a network or have customers that run a large (500+ sites, scaling up to 1000) flat (single vrf) enterprise network? If so, can you share any lessons learned from this service as opposed to building a hierarchical design (ordering multiple VRF clouds from a provider - core cloud, regional cloud, etc..).

I'm in the process of identifying potential issues for a customer considering a flat network design model. Their network is currently regionalized with point-to-point circuits. Two of the first that came to mind were:

- Summarization (could only do per site, no large regional summarization blocks). Unless defaults are used.
- Difficult to deploy distributed services with no aggregation sites.

Thanks,
Dave

From harbor235 at gmail.com Sat Jul 12 14:34:38 2008
From: harbor235 at gmail.com (Mike Johnson)
Date: Sat, 12 Jul 2008 14:34:38 -0400
Subject: [c-nsp] GPON
In-Reply-To: <68D5E673B49F1D45A5BE41058C8AFDBCBFBEF69A40@BMSEXCH.BMS-CONSULTING.COM>
References: <836bf1f90807090910h57378c24s7007cb0820ca25b2@mail.gmail.com> <68D5E673B49F1D45A5BE41058C8AFDBCBFBEF69A40@BMSEXCH.BMS-CONSULTING.COM>
Message-ID: <836bf1f90807121134pe00a251qdc860fec13a90b11@mail.gmail.com>

What I meant about power is: is the advantage of using GPON to the desktop a reduction in power because there are no access switches? The only problem is that now you need all of these cable modem type of devices at the desktop. All this does is push the power requirement to the desktop and introduce a ton of new devices to manage.

thanx for the link

harbor235 ;}

On Fri, Jul 11, 2008 at 7:42 AM, Andrey Oleinik <Andrey_Oleinik at bms-consulting.com> wrote:
> Can U rephrase ur Q about power?
> Anyway try to dig here www.flexlight-networks.com
> IMHO these guys are leaders in GPON. If U're interested I'll give U
> personal contact of FLN's human.
>
> --
> Respect, Andy Oleynik
> Telecom Dpt Chief
> BMS Consulting Ltd
> 10, Stritenska Str., of.
> 520
> Kyiv, 01025, UA
> tel +380(44)4619961
> tel +380(44)4619963 extn 162
> fax +380(44)4619962
> www.bms-consulting.com
>
> andyo> -----Original Message-----
> andyo> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mike Johnson
> andyo> Sent: Wednesday, July 09, 2008 7:10 PM
> andyo> To: cisco-nsp at puck.nether.net
> andyo> Subject: [c-nsp] GPON
> andyo>
> andyo> Does anybody have any GPON experience on the list?
> andyo>
> andyo> If so I am looking for Pros and Cons for implementing this for the CAN.
> andyo>
> andyo> Is there a power savings or is the power requirement just pushed out to the desktop?
> andyo> Hardware required to build a PON? OLTs, ONT/ONUs, splitters?
> andyo> How is GPON managed?
> andyo> Price comparisons?
> andyo>
> andyo> Basically whatever info you have outside the classic definition,
> andyo>
> andyo> harbor235 ;}

From junaid.x86 at gmail.com Sat Jul 12 16:23:03 2008
From: junaid.x86 at gmail.com (Junaid)
Date: Sun, 13 Jul 2008 02:23:03 +0600
Subject: [c-nsp] Restrictions on topology when running OSPF with the customer inside VRF

Hi,

I need some clarification as to what topology in which we can run OSPF with our customer inside VRF. I ran OSPF on one PE-CE link in area 6. I could only see in my VRF/OSPF table the intra-area routes and external routes that were injected by the CE router via redistribution. The CE router was also connected to other customer routers via area 0 and other areas. In the PE's VRF/OSPF routing table, I could not see any inter-area route nor other external routes that other customer routers were injecting via redistribution, although I could see them in my (PE router's) OSPF database. Funny thing is, when I removed the VRF configuration and configured OSPF with the customer in the global routing table, I was able to see all routes getting installed in the routing table.

Consulting a book, I hit across the following:

"When backbone areas are used within a VPN customer topology, the only caveat to be aware of is that any site configured to run an OSPF backbone area must be attached directly with the MPLS VPN Superbackbone, either through a direct link or a virtual link. This is mandatory because the PE routers always act as Area Border Routers (ABRs) and need to be able to exchange intra-area information with other ABR or backbone area routers."

Does this mean that the PE always needs connectivity to Area 0? Is there any way around? What am I missing?

Regards,
Junaid

From oboehmer at cisco.com Sun Jul 13 04:25:25 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Sun, 13 Jul 2008 10:25:25 +0200
Subject: [c-nsp] Restrictions on topology when running OSPF with the customer inside VRF
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405B65ED3@xmb-ams-333.emea.cisco.com>

Junaid <> wrote on Saturday, July 12, 2008 10:23 PM:
> Does this mean that the PE always needs connectivity to Area 0? Is
> there any way around? What am I missing?

well, you don't miss anything. As mentioned in the quoted text, any MPLS-VPN PE will always consider itself as an ABR, and, as such, will ignore any summary LSAs arriving from a non-backbone area (the PE-CE in area 6, in your case). Rather than working with virtual links, I would just put the PE-CE link into area 0, or use a different PE-CE routing protocol. Difficult to recommend something without knowing the VPN customer's topology..

oli

From asturluismi at gmail.com Sat Jul 12 15:47:45 2008
From: asturluismi at gmail.com (luismi)
Date: Sat, 12 Jul 2008 21:47:45 +0200
Subject: [c-nsp] Multi-VRF using PBR not working, vrf+vlan configuration.
Message-ID: <1215892065.17360.16.camel@dsba-ipso>

Hi there,

I have this schema in a lab:

R6(1.1.1.1)(1.1.1.254)R0(10.10.10.1)(10.10.10.2)R1

The idea is to receive the traffic from R6 in plain mode, that is, without mpls tag or vlan tag, just ip. As soon as the traffic reaches 1.1.1.254 (R6) it would be inserted in a VRF associated to a vlan for the rest of the network.

But, for some reason I am not able to do ping from R6 to any other IP than 10.10.10.254, nor can I do ping from any VRF address to 1.1.1.1; it is not working. I don't know why it is not working at all. I reviewed it several times, I read a lot of papers but I still don't have any clue yet why it is not working. So here I am, I hope someone here can give me a hand with this.

I am not planning to use OSPF or BGP, since I don't consider I need it at all for the final deployment, at least not in the nearest future. Any other way to do this scenario will be appreciated too.

R6 is a 1700
R0 is a 7600 (so "MPLS VPN - VRF Selection based on Source IP Address" is not going to work since as far as I know it is not supported yet)
R1 is a 7600

My configs are ...

!R6
interface FastEthernet1/0
 ip address 1.1.1.1 255.255.255.0
 duplex auto
 speed auto
 no clns route-cache

!R0
ip vrf R6
 description R6
 rd 1:6
!
interface FastEthernet0/0
 ip vrf receive R6
 ip address 1.1.1.254 255.255.255.0
 no ip proxy-arp
 ip policy route-map VRF
 duplex auto
 speed auto
 no cdp enable
 no clns route-cache
!
interface FastEthernet1/0.1
 encapsulation dot1Q 10
 ip vrf forwarding R6
 ip address 10.10.10.1 255.255.255.252
!
interface Loopback6
 description Just for tests
 ip vrf forwarding R6
 ip address 2.2.2.2 255.255.255.255
 no clns route-cache
!
access-list 10 permit 1.1.1.1
!
route-map VRF permit 10
 match ip address 10
 set vrf R6

!R1
ip vrf R6
 description R6
 rd 1:6
!
interface FastEthernet0/0.1
 encapsulation dot1Q 10
 ip vrf forwarding R6
 ip address 10.10.10.2 255.255.255.252

From madunix at gmail.com Sun Jul 13 11:27:39 2008
From: madunix at gmail.com (Mad Unix)
Date: Sun, 13 Jul 2008 17:27:39 +0200
Subject: [c-nsp] Analog Dialer
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405B65E99@xmb-ams-333.emea.cisco.com>
References: <4d3f56c90807082326v532ee3b8sa5b8f91525c081e7@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405B1CDA7@xmb-ams-333.emea.cisco.com> <4d3f56c90807090005o44bd8d6ck319b3e2556497c01@mail.gmail.com> <4d3f56c90807090130u3bb11da9wcd423f4512756068@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405B1CEC7@xmb-ams-333.emea.cisco.com> <4d3f56c90807090225x35c782c4lfd64df4a4a1db3c4@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405B1CF9A@xmb-ams-333.emea.cisco.com> <4d3f56c90807091400h5e43ad05s86697f07f8ea7b6@mail.gmail.com> <4d3f56c90807120430j22e11ef4x6814176d00450b18@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405B65E99@xmb-ams-333.emea.cisco.com>
Message-ID: <4d3f56c90807130827u43965fd5ve7a6f4275ce0a3fc@mail.gmail.com>

it works now
added the following:

aaa session-id common
no network-clock-participate slot 3
network-clock-participate slot 4
network-clock-select 1 E1 4/0
network-clock-select 2 E1 4/1

Thanks

On Sat, Jul 12, 2008 at 1:59 PM, Oliver Boehmer (oboehmer) <oboehmer at cisco.com> wrote:
> Hi,
>
> I am sorry, but I do not know how to help you if you don't provide more
> details about the problem. Do the modems train up, i.e. do you get a connect?
> If not, please check the modem troubleshooting link below. If you have
> problems during PPP or authentication, please check the other link I've
> provided to guide you through the process.
>
> oli
>
> ------------------------------
> *From:* Mad Unix [mailto:madunix at gmail.com]
> *Sent:* Saturday, July 12, 2008 1:31 PM
> *To:* Oliver Boehmer (oboehmer)
> *Cc:* cisco-nsp at puck.nether.net
> *Subject:* Re: [c-nsp] Analog Dialer
>
> till now am not able to accept analog calls through my PRI!
>
> any help
>
>> On Wed, Jul 9, 2008 at 1:09 PM, Oliver Boehmer (oboehmer) <oboehmer at cisco.com> wrote:
>>
>>> Hmm, so how far does the connection go? Do the modems train up? You
>>> might want to go through
>>> http://www.cisco.com/en/US/tech/tk801/tk36/technologies_tech_note09186a0080094eb9.shtml or
>>> http://www.cisco.com/en/US/tech/tk713/tk507/technologies_tech_note09186a008019cfa7.shtml
>>>
>>> oli
>>>
>>> ------------------------------
>>> *From:* Mad Unix [mailto:madunix at gmail.com]
>>> *Sent:* Wednesday, July 09, 2008 11:25 AM
>>> *To:* Oliver Boehmer (oboehmer)
>>> *Cc:* cisco-nsp at puck.nether.net
>>> *Subject:* Re: [c-nsp] Analog Dialer
>>>
>>> I have added this but it didn't help; it keeps trying to connect to
>>> authenticate then failed
>>>
>>> SDC_R2#conf t
>>> Enter configuration commands, one per line. End with CNTL/Z.
>>> SDC_R2(config)#line 450 473 >>> SDC_R2(config-line)#exec-timeout 0 0 >>> SDC_R2(config-line)#modem Dialin >>> SDC_R2(config-line)#transport input all >>> SDC_R2(config-line)#autoselect during-login >>> SDC_R2(config-line)#autoselect ppp >>> SDC_R2(config-line)# >>> SDC_R2(config-line)#exit >>> SDC_R2(config)#exit >>> >>> >>> SDC_R2#sh line >>> Tty Line Typ Tx/Rx A Modem Roty AccO AccI Uses Noise >>> Overruns Int >>> 0 0 CTY - - - - - 1 0 >>> 0/0 - >>> Ready >>> 1 1 AUX 9600/9600 - - - - - 0 0 >>> 0/0 - >>> Ready >>> I 0/450 450 TTY - DialIn - - - 0 0 >>> 0/0 - >>> Idle >>> I 0/451 451 TTY - DialIn - - - 0 0 >>> 0/0 - >>> Idle >>> I 0/452 452 TTY - DialIn - - - 0 0 >>> 0/0 - >>> Idle >>> I 0/453 453 TTY - DialIn - - - 0 0 >>> 0/0 - >>> Idle >>> I 0/454 454 TTY - DialIn - - - 0 0 >>> 0/0 - >>> Idle >>> I 0/455 455 TTY - DialIn - - - 0 0 >>> 0/0 - >>> Idle >>> I 0/456 456 TTY - DialIn - - - 0 0 >>> 0/0 - >>> Idle >>> I 0/457 457 TTY - DialIn - - - 0 0 >>> 0/0 - >>> Idle >>> I 0/458 458 TTY - DialIn - - - 0 0 >>> 0/0 - >>> Idle >>> I 0/459 459 TTY - DialIn - - - 0 0 >>> 0/0 - >>> Idle >>> I 0/460 460 TTY - DialIn - - - 0 0 >>> 0/0 - >>> Idle >>> I 0/461 461 TTY - DialIn - - - 0 0 >>> 0/0 - >>> Idle >>> I 0/462 462 TTY - DialIn - - - 0 0 >>> 0/0 - >>> Idle >>> I 0/463 463 TTY - DialIn - - - 0 0 >>> 0/0 - >>> Idle >>> I 0/464 464 TTY - DialIn - - - 0 0 >>> 0/0 - >>> Idle >>> I 0/465 465 TTY - DialIn - - - 0 0 >>> 0/0 - >>> Idle >>> I 0/466 466 TTY - DialIn - - - 0 0 >>> 0/0 - >>> Idle >>> I 0/467 467 TTY - DialIn - - - 0 0 >>> 0/0 - >>> Idle >>> I 0/468 468 TTY - DialIn - - - 0 0 >>> 0/0 - >>> Idle >>> I 0/469 469 TTY - DialIn - - - 0 0 >>> 0/0 - >>> Idle >>> I 0/470 470 TTY - DialIn - - - 0 0 >>> 0/0 - >>> Idle >>> I 0/471 471 TTY - DialIn - - - 0 0 >>> 0/0 - >>> Idle >>> I 0/472 472 TTY - DialIn - - - 0 0 >>> 0/0 - >>> Idle >>> I 0/473 473 TTY - DialIn - - - 0 0 >>> 0/0 - >>> Idle >>> * 706 706 VTY - - - - - 50 0 >>> 0/0 - >>> Ready >>> * 707 707 VTY - - - - - 9 0 
>>> 0/0 - >>> Ready >>> 708 708 VTY - - - - - 1 0 >>> 0/0 - >>> Ready >>> 709 709 VTY - - - - - 0 0 >>> 0/0 - >>> Idle >>> 710 710 VTY - - - - - 0 0 >>> 0/0 - >>> Idle >>> >>> Line(s) not in async mode -or- with no hardware support: >>> 2-449, 474-705 >>> >>> >>> >>> regarding the CEF we have disabled becuase it was disconnecting the >>> Dialer after atime... >>> so we added this no ip route-cache cef >>> >>> interface Serial4/0:15 >>> no ip address >>> encapsulation ppp >>> no ip route-cache cef >>> dialer rotary-group 1 >>> dialer-group 2 >>> isdn switch-type primary-net5 >>> isdn incoming-voice modem >>> isdn guard-timer 3000 >>> ! >>> interface Serial4/1:15 >>> no ip address >>> encapsulation ppp >>> no ip route-cache cef >>> dialer rotary-group 1 >>> dialer-group 1 >>> isdn switch-type primary-net5 >>> isdn incoming-voice modem >>> isdn guard-timer 3000 >>> ! >>> >>> >>> On Wed, Jul 9, 2008 at 11:05 AM, Oliver Boehmer (oboehmer) < >>> oboehmer at cisco.com> wrote: >>> >>>> some patience, please :-) .. we all do this in our spare time.. >>>> >>>> The "line" config is missing (i.e. the lower part of the config). can >>>> you send this as well? >>>> Please re-enable CEF on the serial interface ("ip route-cache cef") >>>> >>>> oli >>>> >>>> ------------------------------ >>>> *From:* Mad Unix [mailto:madunix at gmail.com] >>>> *Sent:* Wednesday, July 09, 2008 10:31 AM >>>> *To:* Oliver Boehmer (oboehmer) >>>> *Cc:* cisco-nsp at puck.nether.net >>>> *Subject:* Re: [c-nsp] Analog Dialer >>>> >>>> Any updates >>>> >>>> On Wed, Jul 9, 2008 at 9:05 AM, Mad Unix wrote: >>>> >>>>> Am using interface Group-Async1 to accept analog calls for data >>>>> transfer >>>>> >>>>> >>>>> interface GigabitEthernet0/0 >>>>> description $ES_LAN$ >>>>> ip address 10.16.0.2 255.255.255.0 >>>>> duplex auto >>>>> speed auto >>>>> media-type rj45 >>>>> ! 
>>>>> interface GigabitEthernet0/1 >>>>> ip address 10.16.1.2 255.255.255.0 >>>>> duplex auto >>>>> speed auto >>>>> media-type rj45 >>>>> ! >>>>> interface Serial0/0/0 >>>>> description ---- Elect ---- >>>>> ip address 10.14.11.5 255.255.255.252 >>>>> ! >>>>> interface Serial0/0/1 >>>>> description --- Bank --- >>>>> ip address 10.14.11.1 255.255.255.252 >>>>> encapsulation ppp >>>>> >>>>> interface Serial4/0:15 >>>>> no ip address >>>>> encapsulation ppp >>>>> no ip route-cache cef >>>>> dialer rotary-group 1 >>>>> dialer-group 2 >>>>> isdn switch-type primary-net5 >>>>> isdn incoming-voice modem >>>>> isdn guard-timer 3000 >>>>> ! >>>>> interface Serial4/1:15 >>>>> no ip address >>>>> encapsulation ppp >>>>> no ip route-cache cef >>>>> dialer rotary-group 1 >>>>> dialer-group 1 >>>>> isdn switch-type primary-net5 >>>>> isdn incoming-voice modem >>>>> isdn guard-timer 3000 >>>>> ! >>>>> interface Dialer1 >>>>> description connected to Dial-inPCs(ISDN) >>>>> ip address 10.13.1.1 255.255.255.0 >>>>> encapsulation ppp >>>>> no ip split-horizon >>>>> dialer in-band >>>>> dialer idle-timeout 3600 >>>>> dialer-group 1 >>>>> peer default ip address pool Cisco3662-Group-1 >>>>> ppp authentication chap pap ms-chap callin >>>>> ! >>>>> interface Group-Async1 >>>>> description connected tp Dial-in pcs (Analog) >>>>> ip unnumbered GigabitEthernet0/0 >>>>> encapsulation ppp >>>>> no ip split-horizon >>>>> dialer in-band >>>>> dialer idle-timeout 3600 >>>>> dialer-group 1 >>>>> async mode interactive >>>>> peer default ip address pool cisco3662-group-2 >>>>> no fair-queue >>>>> ppp authentication chap pap ms-chap callin >>>>> group-range 0/450 0/473 >>>>> ip http server >>>>> ip http authentication local >>>>> ip http timeout-policy idle 60 life 86400 requests 10000 >>>>> ! 
>>>>> ip radius source-interface GigabitEthernet0/0 >>>>> access-list 2 permit 10.5.0.0 0.0.255.255 >>>>> access-list 100 permit ip 10.4.0.0 0.0.255.255 10.13.0.0 0.0.255.255 >>>>> access-list 100 permit ip 10.5.0.0 0.0.255.255 10.13.0.0 0.0.255.255 >>>>> access-list 100 permit ip 10.5.0.0 0.0.255.255 10.0.0.0 0.255.255.255 >>>>> access-list 101 permit tcp host 10.5.3.10 any eq telnet >>>>> dialer-list 1 protocol ip permit >>>>> dialer-list 2 protocol ip permit >>>>> >>>>> >>>>> On Wed, Jul 9, 2008 at 8:39 AM, Oliver Boehmer (oboehmer) < >>>>> oboehmer at cisco.com> wrote: >>>>> >>>>>> Can't tell based on this config alone. can you please show the full >>>>>> config? (at least the one of the Serialx/y:z (the D-channel), any >>>>>> dialer >>>>>> interfaces and the "line" config at the end)? >>>>>> >>>>>> http://www.cisco.com/en/US/products/hw/univgate/ps505/products_configura >>>>>> tion_example09186a0080094a49.shtml shows a sample AS5xxx config, >>>>>> which >>>>>> can easily be adapted to your environment.. >>>>>> >>>>>> oli >>>>>> >>>>>> >>>>>> Mad Unix <> wrote on Wednesday, July 09, 2008 8:27 AM: >>>>>> >>>>>> > have a PRI connecting 60 ppl using BRI and Analog calls >>>>>> > the Router 3800 PRI interface is having Digital modem to accept >>>>>> > analog phone calls >>>>>> > the analog callers cant connect! >>>>>> > What could be wrong? 
>>>>>> > >>>>>> > interface Group-Async1 >>>>>> > description connected tp Dial-in pcs (Analog) >>>>>> > ip unnumbered GigabitEthernet0/0 >>>>>> > encapsulation ppp >>>>>> > no ip split-horizon >>>>>> > dialer in-band >>>>>> > dialer idle-timeout 3600 >>>>>> > dialer-group 1 >>>>>> > async mode interactive >>>>>> > peer default ip address pool cisco3662-group-2 >>>>>> > no fair-queue >>>>>> > ppp authentication chap pap ms-chap callin >>>>>> > group-range 0/450 0/473 >>>>>> > -- >>>>>> > madunix >>>>>> > _______________________________________________ >>>>>> > cisco-nsp mailing list cisco-nsp at puck.nether.net >>>>>> > https://puck.nether.net/mailman/listinfo/cisco-nsp >>>>>> > archive at http://puck.nether.net/pipermail/cisco-nsp/ >>>>>> >>>>> >>>>> >>>>> >>>>> -- >>>>> madunix >>>> >>>> >>>> >>>> >>>> -- >>>> madunix >>>> >>> >>> >>> >>> -- >>> madunix >>> >> >> >> >> -- >> madunix > > > > > -- > madunix > -- madunix From matt at iseek.com.au Sun Jul 13 21:03:58 2008 From: matt at iseek.com.au (Matt Carter) Date: Mon, 14 Jul 2008 11:03:58 +1000 Subject: [c-nsp] ASA or FRSW in transparent mode over qinq In-Reply-To: References: <323aca890807081028m614fc1fayb0691c1bbff27a0a@mail.gmail.com> <1215592278.6067.107.camel@ursa.amorsen.dk> <323aca890807100216s53bb84a7ge8e8fbd38741f5db@mail.gmail.com> Message-ID: <7FEDD455961B164D8C4EEA60E22914205B59A6C9EA@EXCHANGE1.intranet.iseek.com.au> > > what is the constant vrf reference? > just because someone is an mpls vpn customer does not mean they are > going to > be a managed firewall customer..i dont know why you keep referencing > vrf? "Which firewall does MPLS providers use to connect customer VRF's to the Internet? 6500's with FWSM's? What if they have thousands of VRF's?" pretty hard not to enter that discussion without talking about VRF. :) > > and 2000 customers on a 65/7600 is alot, you dont think so? 
fraid i'm with raul on this one, i too would like to see platforms supporting much larger numbers of contexts instead of focusing on high forwarding rates per context, which simply blows out per-context cost in environments where that is not required. i'd much rather see myself hitting the forwarding limits of the box before i exhaust my contexts, rather than exhausting contexts and having gigabits of bandwidth leftover. is 2000 customers a lot when each customer is doing < 1mbps of traffic ? wouldn't one think the aggregate forwarding rate of all the customers is more relevant than the actual numbers of customers? the sad situation is i've seen environments where for example 200+ individual firewalls have been deployed as although centralising and virtualising may technically be the best solution, because of the low forwarding rate of corporate wan internet firewall an aggregation model using ASA or FWSM ends up being more costly than simply deploying and managing hundreds of individual say PIX501 sized firewalls. it is quite a sad situation when an aggregation model ends up being more costly than deploying X hundred individual units, isnt it supposed to work the other way? > > > As far as I heard, now a single FWSM can scale to 50Gbps if you > have a > > > Supervisor 720-10G-3C and don't want stateful inspection... > > > > Performance is fun and all, but more customers (vrfs) per box would > be > > more useful I'd think. agreed. 
From christian at broknrobot.com Sun Jul 13 22:56:09 2008 From: christian at broknrobot.com (Christian Koch) Date: Sun, 13 Jul 2008 22:56:09 -0400 Subject: [c-nsp] ASA or FRSW in transparent mode over qinq In-Reply-To: <7FEDD455961B164D8C4EEA60E22914205B59A6C9EA@EXCHANGE1.intranet.iseek.com.au> References: <323aca890807081028m614fc1fayb0691c1bbff27a0a@mail.gmail.com> <323aca890807100216s53bb84a7ge8e8fbd38741f5db@mail.gmail.com> <7FEDD455961B164D8C4EEA60E22914205B59A6C9EA@EXCHANGE1.intranet.iseek.com.au> Message-ID: my point is not every mpls vpn customer is going to be a firewal customer, so why does it matter if there are say 500 mpls vpn customers on 1 box but maybe only 30 managed fw's? On Sun, Jul 13, 2008 at 9:03 PM, Matt Carter wrote: > > > > what is the constant vrf reference? > > just because someone is an mpls vpn customer does not mean they are > > going to > > be a managed firewall customer..i dont know why you keep referencing > > vrf? > > "Which firewall does MPLS providers use to connect customer VRF's to the > Internet? 6500's with FWSM's? What if they have thousands of VRF's?" > > pretty hard not to enter that discussion without talking about VRF. :) > > > > > > > > -- ^christian$ From vikassharmas at gmail.com Mon Jul 14 00:07:50 2008 From: vikassharmas at gmail.com (Vikas Sharma) Date: Mon, 14 Jul 2008 09:37:50 +0530 Subject: [c-nsp] BGP - unsupported parameter - peer reset Message-ID: Hi, I have mpls network where I am connecting ERX (juniper box) as PE to cisco 12 k (vpnv4 route reflector). At all locations itsworking fine except one and showing me on ERX unsupported capabilities. from ERX - We received an unsupported-capability notification from this peer. This indicates that the peer does not ignore unrecognized capabilities. We received the notification before we received an open from this peer. As a result we cannot guess which capabilities are supported by the peer. We won't advertise capabilities with known interoperability problems. 
Capability advertisements:
  Capabilities option: send
  Dynamic capability negotiation: send
  Deprecated dynamic capability negotiation: send
  Multi-protocol extensions: send
  Route refresh: send
  Route refresh (Cisco proprietary): send
  Four octet AS numbers: send
  Graceful restart:
Graceful restart negotiation:
  Restart time is 120 seconds
  Stale paths time is 360 seconds
The last time that the session was in state established:
  We did not send the graceful-restart capability
  We did not receive the graceful-restart capability
Total of 20782 messages sent, 20639 messages received
0 update messages sent, 0 update messages received

As per rfc3392, if a bgp speaking router does not understand an optional community, it should ignore it and should not try to re-establish the session. I am attaching the status of sh ip bgp vpnv1 a s for the ref.

on ERX - sh ip bgp vpnv4 all s

Local router ID 212.74.69.117, local AS 8220
Administrative state is Start
BGP Operational state is Up
Shutdown in overload state is disabled
Default local preference is 100
IGP synchronization is disabled
Default originate is disabled
Auto summary is disabled
Always compare MED is disabled
Compare MED within confederation is disabled
Advertise inactive routes is disabled
Advertise best external route to internal peers is disabled
Enforce first AS is enabled
Missing MED as worst is disabled
Route flap dampening is disabled
Log neighbor changes is enabled
Fast External Fallover is disabled
No maximum received AS-path length
BGP administrative distances are 20 (ext), 200 (int), and 200 (local)
Client-to-client reflection is enabled
Cluster ID is not configured (local router ID used)
Route-target filter is enabled
Default IPv4-unicast is enabled
Check next-hops of vpn routes is disabled
Redistribution of iBGP routes is disabled
Graceful restart is globally disabled
Global graceful-restart restart time is 120 seconds
Global graceful-restart stale paths time is 360 seconds
Graceful-restart path selection defer time is 360 seconds
Graceful-restart is not ready to switch to the standby SRP
The last restart was not graceful
Address family ipv4:vpn-unicast in core VRF operationally down due to IPv6 not present
Local-RIB version 2. FIB version 2.

                                              Messages  Messages  Prefixes
Neighbor       AS    State  Up/down time      Sent      Received  Received
212.74.69.112  8220  Idle   2d 06:25:40       18301     18166     0
212.74.69.113  8220  Idle   4d 11:06:33       20934     20788     0

these are two route reflectors connected to this PE. We have one more PE (again ERX box), which does not have any issue. For your ref. I am also attaching working and non-working ERX, sh ip bgp v a nei "" output

working ERX -

Capability advertisements:
  Capabilities option: sent, received
  Dynamic capability negotiation: sent
  Deprecated dynamic capability negotiation: sent
  Multi-protocol extensions: sent, received
  Route refresh: sent, received
  Route refresh (Cisco proprietary): sent, received
  Four octet AS numbers: sent
  Graceful restart:
*Multi-protocol extensions negotiation:
  ip-v4 vpn-unicast: sent, received, used *
Dynamic capability negotiation:
  Multi-protocol extensions: sent
  Route refresh: sent
  Graceful restart: sent
  Route refresh (Cisco proprietary): sent
Graceful restart negotiation:
  Restart time is 120 seconds
  Stale paths time is 360 seconds
  We did not send the graceful-restart capability

Non-working ERX -

Capability advertisements:
  Capabilities option: send
  Dynamic capability negotiation: send
  Deprecated dynamic capability negotiation: send
  Multi-protocol extensions: send
  Route refresh: send
  Route refresh (Cisco proprietary): send
  Four octet AS numbers: send
  Graceful restart:
Graceful restart negotiation:
  Restart time is 120 seconds
  Stale paths time is 360 seconds

Note- I can see the difference as in working I can see multiprotocol extension negotiations while I can not see the same in non-working. Since the message states issue with 12k !!!, which I am not sure abt, sending this to cisco-mail ;)

Regards,
Vikas Sharma

From jason at pins.net Mon Jul 14 01:36:51 2008
From: jason at pins.net (Jason Berenson)
Date: Mon, 14 Jul 2008 01:36:51 -0400
Subject: [c-nsp] VRFs
Message-ID: <487AE5F3.1070301@pins.net>

Greetings,

I know how to route leak between VRFs with BGP but is it possible to set a default route within a VRF pointing to an IP in the global routing table? If so can anyone point me to some good documentation or perhaps a sample snippet?

Thanks,
Jason

From vikassharmas at gmail.com Mon Jul 14 01:44:02 2008
From: vikassharmas at gmail.com (Vikas Sharma)
Date: Mon, 14 Jul 2008 11:14:02 +0530
Subject: [c-nsp] Cisco BFD support for Juniper / Huawei

Hi All,

My question is - does the BFD implementation in Cisco support Juniper / Huawei CPE? Is Cisco's implementation as per standard? Has anyone tested it?

Regards,
Vikas Sharma

From oboehmer at cisco.com Mon Jul 14 01:53:19 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Mon, 14 Jul 2008 07:53:19 +0200
Subject: [c-nsp] VRFs
In-Reply-To: <487AE5F3.1070301@pins.net>
References: <487AE5F3.1070301@pins.net>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405B65F55@xmb-ams-333.emea.cisco.com>

Jason Berenson <> wrote on Monday, July 14, 2008 7:37 AM:
> Greetings,
>
> I know how to route leak between VRFs with BGP but is it possible to
> set a default route within a VRF pointing to an IP in the global
> routing table? If so can anyone point me to some good documentation
> or perhaps a sample snippet?

ip route vrf FOO 0.0.0.0 0.0.0.0 global

the next-hop must not be a local address of the PE..
oli

From mtinka at globaltransit.net Mon Jul 14 01:12:01 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Mon, 14 Jul 2008 13:12:01 +0800
Subject: [c-nsp] Cisco BFD support for Juniper / Huawei
Message-ID: <200807141312.01907.mtinka@globaltransit.net>

On Monday 14 July 2008 13:44:02 Vikas Sharma wrote:
> My question is - does the BFD implementation in Cisco support
> Juniper / Huawei CPE? Is Cisco's implementation as
> per standard? has anyone tested it?

We run BFD between our Cisco and Juniper kit - works fine, nothing fancy in the configuration. I'm guessing you have the configuration for the Cisco side, so below is our JunOS deployment of BFD for IS-IS:

user at lab# show protocols isis
lsp-lifetime 65535;
level 1 {
    authentication-key "xxx"; ## SECRET-DATA
    authentication-type md5;
    wide-metrics-only;
}
interface ge-0/0/0.0 {
    bfd-liveness-detection {
        version automatic;
        minimum-interval 250;
        minimum-receive-interval 250;
        multiplier 3;
    }
    level 2 disable;
    level 1 metric 400;
}
interface ge-0/1/0.0 {
    bfd-liveness-detection {
        version automatic;
        minimum-interval 250;
        minimum-receive-interval 250;
        multiplier 3;
    }
    level 2 disable;
    level 1 metric 400;
}
interface lo0.0 {
    passive;
}

[edit]
user at lab#

Uncertain about inter-op with Huawei.

Hope this helps.

Cheers,

Mark.
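The JunOS timers in Mark's message (minimum-interval 250, minimum-receive-interval 250, multiplier 3) are only half of what a BFD session runs on: each side derives its real transmit interval and detection time from what the peer advertises in its control packets, which is why a Cisco and a Juniper box configured with different intervals still come up together. The Python below is an added example, not code from the list, from Juniper or from Cisco. It encodes and decodes the mandatory section of an RFC 5880 control packet with the reception checks from section 6.8.6, and computes the negotiated timers per sections 6.8.3, 6.8.4 and 6.8.7. The Cisco side's 500 ms timers, the discriminator values and the BfdConfig class are assumptions made for the demo.

```python
"""BFD timer negotiation and control-packet decoding (RFC 5880).

Added example, not from the mailing-list post or from Cisco/Juniper code.
It shows why two routers with different "minimum-interval" settings still
form a session: each side computes its transmit interval and detection
time from the values the peer advertises, not from its own config alone.
"""
import struct
from dataclasses import dataclass

# Mandatory section of a BFD control packet (RFC 5880 section 4.1), 24 bytes:
# vers/diag, state/flags, detect mult, length, my disc, your disc,
# desired min tx, required min rx, required min echo rx (microseconds).
BFD_HDR = struct.Struct("!BBBBIIIII")
STATES = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}
STATE_CODE = {v: k for k, v in STATES.items()}


@dataclass
class BfdConfig:
    """Local timers as an operator would configure them (assumed class), in microseconds."""
    desired_min_tx_us: int
    required_min_rx_us: int
    detect_mult: int
    state: str = "Down"


def advertised_tx(cfg):
    """Desired Min TX a system may advertise: while the session is not Up,
    section 6.8.3 requires at least one second (slow start)."""
    return cfg.desired_min_tx_us if cfg.state == "Up" else max(cfg.desired_min_tx_us, 1_000_000)


def build_control_packet(cfg, my_disc, your_disc, poll=False, final=False):
    """Encode cfg as a version-1 control packet without an authentication section."""
    flags = (STATE_CODE[cfg.state] << 6) | (0x20 if poll else 0) | (0x10 if final else 0)
    return BFD_HDR.pack(1 << 5, flags, cfg.detect_mult, BFD_HDR.size,
                        my_disc, your_disc, advertised_tx(cfg), cfg.required_min_rx_us, 0)


def parse_control_packet(data):
    """Decode the mandatory section, applying the reception checks of section 6.8.6
    that a receiver must perform before trusting any field."""
    if len(data) < BFD_HDR.size:
        raise ValueError("packet shorter than 24 bytes")
    vers_diag, flags, mult, length, my_disc, your_disc, tx, rx, _echo = BFD_HDR.unpack_from(data)
    if vers_diag >> 5 != 1:
        raise ValueError("unsupported BFD version")
    if length < BFD_HDR.size or length > len(data):
        raise ValueError("bad Length field")
    if mult == 0 or my_disc == 0:
        raise ValueError("Detect Mult and My Discriminator must be nonzero")
    if flags & 0x01:
        raise ValueError("Multipoint bit set")
    state = STATES[flags >> 6]
    if your_disc == 0 and state not in ("Down", "AdminDown"):
        raise ValueError("Your Discriminator zero outside Down/AdminDown")
    return {"diag": vers_diag & 0x1F, "state": state, "poll": bool(flags & 0x20),
            "final": bool(flags & 0x10), "detect_mult": mult, "my_disc": my_disc,
            "your_disc": your_disc, "desired_min_tx_us": tx, "required_min_rx_us": rx}


def negotiate(local, remote):
    """Timers the local side actually runs once it holds the peer's packet.
    Transmit interval: the larger of our Desired Min TX and the peer's Required
    Min RX (section 6.8.7). Detection time: the peer's Detect Mult times the
    peer's own negotiated transmit interval, i.e. the larger of our Required
    Min RX and the peer's Desired Min TX (section 6.8.4)."""
    tx_interval = max(advertised_tx(local), remote["required_min_rx_us"])
    detection = remote["detect_mult"] * max(local.required_min_rx_us, remote["desired_min_tx_us"])
    return {"tx_interval_us": tx_interval, "detection_time_us": detection}


def demo():
    # Constructed scenario: the JunOS side uses the 250 ms / 250 ms / x3 timers
    # from the post; the Cisco side is assumed to run 500 ms / 500 ms / x3.
    junos = BfdConfig(250_000, 250_000, 3, state="Up")
    cisco = BfdConfig(500_000, 500_000, 3, state="Up")
    from_junos = parse_control_packet(build_control_packet(junos, my_disc=0x1001, your_disc=0x2002))
    from_cisco = parse_control_packet(build_control_packet(cisco, my_disc=0x2002, your_disc=0x1001))
    return {"cisco": negotiate(cisco, from_junos), "junos": negotiate(junos, from_cisco)}


if __name__ == "__main__":
    print(demo())
```

With these inputs both sides settle on a 500 ms transmit interval and a 1.5 s detection time: the faster JunOS timers are held back by the Cisco side's required receive interval, and neither side has to match the other's configuration for the session to work. The slow-start clamp in advertised_tx is also the reason a session that is still in Down state appears to detect failures much more slowly than the configured multiplier suggests.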
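For the ERX/12k capability problem in Vikas's thread above, the first thing to establish is exactly which capability codes the peer rejected, and the Unsupported Capability NOTIFICATION (RFC 4271 error code 2, subcode 7) carries that list in its Data field. The Python below is an added example, not code from the list or from Juniper/Cisco. It builds an OPEN with a capability set modelled on the non-working ERX output, applies the RFC 3392 (now RFC 5492) rule that unrecognised capability codes are ignored rather than fatal, and decodes the NOTIFICATION a stricter peer would send. AS 8220 and router ID 212.74.69.117 come from the posted output; the hold time, the use of capability code 66 as a stand-in for the "deprecated dynamic capability", and the set of codes the receiver supports are assumptions.

```python
"""BGP OPEN capabilities and the Unsupported Capability NOTIFICATION.

Added example, not from the mailing-list thread or from Juniper/Cisco code.
"""
import struct

MARKER = b"\xff" * 16
OPEN, NOTIFICATION = 1, 3
# Capability codes from the IANA "Capability Codes" registry.
CAP_MP, CAP_ROUTE_REFRESH, CAP_4OCTET_AS, CAP_DYNAMIC, CAP_CISCO_ROUTE_REFRESH = 1, 2, 65, 67, 128
AFI_IPV4, SAFI_VPN, AS_TRANS = 1, 128, 23456
VPNV4 = struct.pack("!HBB", AFI_IPV4, 0, SAFI_VPN)  # MP capability value: AFI, reserved, SAFI


def build_open(asn, hold_time, bgp_id, capabilities):
    """OPEN (RFC 4271 section 4.2) with every capability in one Optional Parameter of
    type 2 (RFC 5492 section 4). An ASN above 65535 is carried only in the 4-octet AS
    capability; the fixed My AS field then holds AS_TRANS."""
    caps = b"".join(struct.pack("!BB", code, len(val)) + val for code, val in capabilities)
    opt_params = struct.pack("!BB", 2, len(caps)) + caps
    body = struct.pack("!BHH4sB", 4, asn if asn < 65536 else AS_TRANS,
                       hold_time, bgp_id, len(opt_params)) + opt_params
    return MARKER + struct.pack("!HB", 19 + len(body), OPEN) + body


def parse_capabilities(msg):
    """Return [(code, value), ...] from an OPEN, skipping optional parameters of other types."""
    if msg[:16] != MARKER or struct.unpack("!H", msg[16:18])[0] != len(msg) or msg[18] != OPEN:
        raise ValueError("not a well-formed BGP OPEN")
    params, caps, pos = msg[29:29 + msg[28]], [], 0
    while pos < len(params):
        ptype, plen = params[pos], params[pos + 1]
        value, pos = params[pos + 2:pos + 2 + plen], pos + 2 + plen
        if ptype != 2:
            continue
        cpos = 0
        while cpos < len(value):
            code, clen = value[cpos], value[cpos + 1]
            caps.append((code, value[cpos + 2:cpos + 2 + clen]))
            cpos += 2 + clen
    return caps


def evaluate_open(received, supported, required):
    """Receiver behaviour per RFC 5492 section 3: codes we do not implement are ignored.
    Only a *required* capability the peer did not advertise (e.g. MP vpnv4 on a vpnv4
    route reflector) justifies an Unsupported Capability error; the `unsupported` list
    returned is what the NOTIFICATION's Data field should carry."""
    negotiated = [(c, v) for c, v in received if c in supported]
    ignored = sorted({c for c, _ in received if c not in supported})
    missing = [(c, v) for c, v in required if (c, v) not in received]
    if missing:
        return {"result": "notify", "unsupported": missing, "ignored": ignored}
    return {"result": "ok", "negotiated": negotiated, "ignored": ignored}


def build_unsupported_capability_notification(capabilities):
    """NOTIFICATION with error code 2 (OPEN Message Error), subcode 7 (Unsupported
    Capability); Data lists the capabilities that caused it (RFC 5492 section 5)."""
    data = b"".join(struct.pack("!BB", code, len(val)) + val for code, val in capabilities)
    body = struct.pack("!BB", 2, 7) + data
    return MARKER + struct.pack("!HB", 19 + len(body), NOTIFICATION) + body


def parse_notification(msg):
    """Return (error code, subcode, [capability codes named in Data]) for a NOTIFICATION."""
    if msg[:16] != MARKER or msg[18] != NOTIFICATION:
        raise ValueError("not a BGP NOTIFICATION")
    code, subcode, data, caps, pos = msg[19], msg[20], msg[21:], [], 0
    if (code, subcode) == (2, 7):
        while pos < len(data):
            caps.append(data[pos])
            pos += 2 + data[pos + 1]
    return code, subcode, caps


def demo():
    # Constructed OPEN modelled on the non-working ERX's capability list: MP vpnv4,
    # route refresh (IETF and Cisco flavours), 4-octet AS, dynamic capability, and
    # code 66 (deprecated in IANA) as an assumed stand-in for the "deprecated dynamic
    # capability". AS 8220 and router ID 212.74.69.117 are from the posted output.
    erx_caps = [(CAP_MP, VPNV4), (CAP_ROUTE_REFRESH, b""), (CAP_4OCTET_AS, struct.pack("!I", 8220)),
                (CAP_DYNAMIC, b""), (66, b""), (CAP_CISCO_ROUTE_REFRESH, b"")]
    received = parse_capabilities(build_open(8220, 90, bytes([212, 74, 69, 117]), erx_caps))
    supported = {CAP_MP, CAP_ROUTE_REFRESH, CAP_4OCTET_AS, CAP_CISCO_ROUTE_REFRESH}  # assumed
    # A compliant route reflector ignores codes 66 and 67 and still negotiates vpnv4.
    compliant = evaluate_open(received, supported, [(CAP_MP, VPNV4)])
    # A peer that treats unknown codes as fatal instead sends a NOTIFICATION naming them;
    # decoding it is how the operator learns which capabilities to stop advertising.
    strict = build_unsupported_capability_notification([(c, v) for c, v in received if c not in supported])
    return compliant, parse_notification(strict)


if __name__ == "__main__":
    print(demo())
```

Run against a capture of the failing session, parse_notification gives the exact codes the 12k objected to, which is more useful than the ERX's summary line: if the rejected codes are the dynamic-capability ones, the fix is on the advertising side (stop sending them to that peer), whereas a rejected MP vpnv4 capability would point at the route reflector's address-family configuration instead.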
From Andrey_Oleinik at bms-consulting.com Mon Jul 14 02:20:20 2008
From: Andrey_Oleinik at bms-consulting.com (Andrey Oleinik)
Date: Mon, 14 Jul 2008 09:20:20 +0300
Subject: [c-nsp] GPON
In-Reply-To: <836bf1f90807121134pe00a251qdc860fec13a90b11@mail.gmail.com>
References: <836bf1f90807090910h57378c24s7007cb0820ca25b2@mail.gmail.com> <68D5E673B49F1D45A5BE41058C8AFDBCBFBEF69A40@BMSEXCH.BMS-CONSULTING.COM> <836bf1f90807121134pe00a251qdc860fec13a90b11@mail.gmail.com>
Message-ID: <68D5E673B49F1D45A5BE41058C8AFDBCC18992BC6D@BMSEXCH.BMS-CONSULTING.COM>

Aha. GPON requires an ONT installed at the downside of the PON ray. The ONT itself can host different interfaces (and provide corresponding services). NOTE: with GPON being able to transport 802.1q and sometimes even Q-in-Q transport, someone could select to end up the ONT's Ethernet interface with a switch instead of a single PC (or SOHO LAN facility). That's why GPON is a very flexible technology in access areas. Personally I faced this Q when my company was deciding how to use GPON providing services in MDU (multi-dwelling units); here U have an option to start from a single PC and grow to a multi access-switch environment.

--
Respect, Andy Oleynik
Telecom Dpt Chief
BMS Consulting Ltd
10, Stritenska Str., of. 520
Kyiv, 01025, UA
tel +380(44)4619961
tel +380(44)4619963 extn 162
fax +380(44)4619962
www.bms-consulting.com

From: Mike Johnson [mailto:harbor235 at gmail.com]
Sent: Saturday, July 12, 2008 9:35 PM
To: Andrey Oleinik
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] GPON

What I meant about power is: is the advantage of using GPON to the desktop a reduction in power because there are no access switches? The only problem is that now you need all of these cable modem type of devices at the desktop. All this does is push the power requirement to the desktop and introduce a ton of new devices to manage.

thanx for the link

harbor235 ;}

On Fri, Jul 11, 2008 at 7:42 AM, Andrey Oleinik wrote:
Can U rephrase ur Q about power?
Anyway try to dig here www.flexlight-networks.com
IMHO these guys are leaders in GPON. If U're interested I'll give U personal contact of FLN's human.

From luan at t3technology.com Mon Jul 14 06:10:27 2008
From: luan at t3technology.com (Luan M Nguyen)
Date: Mon, 14 Jul 2008 06:10:27 -0400
Subject: [c-nsp] VRFs
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405B65F55@xmb-ams-333.emea.cisco.com>
References: <487AE5F3.1070301@pins.net> <70B7A1CCBFA5C649BD562B6D9F7ED78405B65F55@xmb-ams-333.emea.cisco.com>
Message-ID: <016301c8e599$d6d9bcd0$848d3670$@com>

Hi Oli,

Does this mean that, for example, if you have 2 LANs, one in a VRF and one in the global, then they can't communicate? I have a situation where your WAN is in a VRF, the LAN in the global. For Internet access, I use NAT. Saw the packet come back to the router but it doesn't know how to get out of the VRF and back into the LAN. I put a route to a switch address connected to that LAN, then things are okay... but what if you don't have a switch and just a layer 2 device?

A while back, there was a gentleman who suggested that he had to create 2 loopbacks, one in VRF, and build a tunnel between VRF and Global... but that is just too much work. Is there a better way of doing that? To do: ip route vrf FOO x.x.x.0/24 global, where next-hop is just an interface on the router?

Thanks.

-luan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Oliver Boehmer (oboehmer)
Sent: Monday, July 14, 2008 1:53 AM
To: Jason Berenson
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] VRFs

Jason Berenson <> wrote on Monday, July 14, 2008 7:37 AM:
> Greetings,
>
> I know how to route leak between VRFs with BGP but is it possible to
> set a default route within a VRF pointing to an IP in the global
> routing table? If so can anyone point me to some good documentation
> or perhaps a sample snippet?

ip route vrf FOO 0.0.0.0 0.0.0.0 global

the next-hop must not be a local address of the PE..

oli

From CB at nianet.dk Mon Jul 14 08:57:17 2008
From: CB at nianet.dk (Christian Bering)
Date: Mon, 14 Jul 2008 14:57:17 +0200
Subject: [c-nsp] SUP720, %BGP_MPLS-3-VPN_REWRITE and %FIB-SP-4-FIBCBLK

Hi,

We're provisioning a new customer location in a VRF on two PEs working together using HSRP.
The one PE reports:

Jul 14 13:37:19: %LINEPROTO-5-UPDOWN: Line protocol on Interface vrf_238_vlan0, changed state to down
Jul 14 13:37:21: %LINEPROTO-5-UPDOWN: Line protocol on Interface vrf_239_vlan0, changed state to down
Jul 14 13:37:19: %FIB-SP-4-FIBCBLK: Missing cef table for tableid 238 during route update XDR event
Jul 14 13:37:22: %LINEPROTO-5-UPDOWN: Line protocol on Interface VRF_238_vlan1591, changed state to up
Jul 14 13:37:24: %LINEPROTO-5-UPDOWN: Line protocol on Interface VRF_239_vlan1592, changed state to up

And later, after repeating the above some times:

Jul 14 13:58:50: %BGP_MPLS-3-VPN_REWRITE: prefix 31027:2510:192.168.31.0/24 path nexthop 0.0.0.0 - invalid outlabel 1048577, path ignored
Jul 14 13:58:50: %LSD_CLIENT-3-PCHUNK2: malloc - illegal index: LSD rewrite pchunks 49FDB864 0
Jul 14 13:58:50: %BGP_MPLS-3-VPN_REWRITE: installing rewrite for 31027:2510:192.168.31.0/24 failed: Resource

The other PE reports:

Jul 14 13:38:13: %LINEPROTO-5-UPDOWN: Line protocol on Interface vrf_236_vlan0, changed state to down
Jul 14 13:38:13: %LINEPROTO-5-UPDOWN: Line protocol on Interface vrf_237_vlan0, changed state to down
Jul 14 13:38:13: %FIB-SP-4-FIBCBLK: Missing cef table for tableid 236 during route update XDR event
Jul 14 13:38:15: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan2004, changed state to down
Jul 14 13:38:15: %LINK-3-UPDOWN: Interface Vlan2004, changed state to down

Bug CSCsg03483, "FIB-4-FIBCBLK: Missing cef table for tableid 1 during route update XDR", seems like a match but these boxes run SRA7 which shouldn't be affected.

I have never seen internal VLANs switch LINEPROTO status like above. What to look for?
-- Regards Christian Bering IP engineer, nianet a/s Phone: (+45) 7020 8730 From jason at pins.net Mon Jul 14 10:21:56 2008 From: jason at pins.net (Jason Berenson) Date: Mon, 14 Jul 2008 10:21:56 -0400 Subject: [c-nsp] VRFs In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405B65F55@xmb-ams-333.emea.cisco.com> References: <487AE5F3.1070301@pins.net> <70B7A1CCBFA5C649BD562B6D9F7ED78405B65F55@xmb-ams-333.emea.cisco.com> Message-ID: <487B6104.9070709@pins.net> Oliver, I tried that but it doesn't seem to work. The IP that exists in the global routing table (just an interface on the router) is not pingable from within the VRF. It also does not work as a next hop. -Jason Oliver Boehmer (oboehmer) wrote: > Jason Berenson <> wrote on Monday, July 14, 2008 7:37 AM: > > >> Greetings, >> >> I know how to route leak between VRFs with BGP but is it possible to >> set a default route within a VRF pointing to an IP in the global >> routing table? If so can anyone point me to some good documentation >> or perhaps a sample snippit? >> > > ip route vrf FOO 0.0.0.0 0.0.0.0 global > > the next-hop must not be a local address of the PE.. > > oli > From zhanghuanjie at gmail.com Mon Jul 14 10:35:10 2008 From: zhanghuanjie at gmail.com (Zhang Huanjie) Date: Mon, 14 Jul 2008 22:35:10 +0800 Subject: [c-nsp] IOS XR 3.6.0 BGP next-hop to null 0 bug? Message-ID: I am writing a simple bgp client and want use this client to send blacklist prefix to router. My goal it to add and remove blackhole routes automatically. First, I add static route 192.0.2.1/32 to null 0 in a router. Then start my simple program opening a bgp session and sending update to this router. The next hop of are set to 192.0.2.1. 
My program works very well with a Cisco 6509 running IOS 12.2(18)SXD, and the blacklist prefix is added to the FIB. Here are the show results on the 6509:

#show bgp
BGP table version is 31, local router ID is x.x.x.x
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 192.168.100.1/32 192.0.2.1                                0 i
*> 192.168.100.2/32 192.0.2.1                                0 i

#show ip route 192.0.2.1
Routing entry for 192.0.2.1/32
  Known via "static", distance 1, metric 0 (connected)
  Redistributing via ospf xxxx
  Advertised by ospf xxxx subnets
  Routing Descriptor Blocks:
  * directly connected, via Null0
      Route metric is 0, traffic share count is 1

While sending updates to a GSR 12404 running IOS XR 3.6.0, it seems the router always treats 192.0.2.1 as inaccessible. None of the prefixes is added to the FIB. Here is the show:

#show bgp 192.168.100.1
BGP routing table entry for 192.168.100.1/32
Versions:
  Process           bRIB/RIB  SendTblVer
  Speaker                  0           0
Paths: (1 available, no best path)
  Not advertised to any peer
  Path #1: Received by speaker 0
  Local
    192.0.2.1 (inaccessible) from x.x.x.x (x.x.x.x)
      Origin IGP, metric 20, localpref 100, valid, internal

#show ip route 192.0.2.1
Routing entry for 192.0.2.1/32
  Known via "static", distance 1, metric 0 (connected)
  Installed Jul 14 22:07:37.893 for 00:19:32
  Routing Descriptor Blocks
    directly connected, via Null0
      Route metric is 0
  No advertising protos.

#show bgp nexthops
Gateway Address Family: IPv4 Unicast
Table ID: 0xe0000000
Nexthop Count: 4
Critical Trigger Delay: 3000msec
Non-critical Trigger Delay: 10000msec
Nexthop Version: 1, RIB version: 1

Status codes: R/UR Reachable/Unreachable
              C/NC Connected/Not-connected
              L/NL Local/Non-local
              I    Invalid (Policy Match Failed)

Next Hop        Status   Metric       Notf   LastRIBEvent     RefCount
192.0.2.1       [UR]     4294967295   1/0    00:19:58 (Cri)   10/19

Is this a bug of IOS XR?
Thanks -- Zhang Huanjie james at ustc.edu.cn +86-551-3601897 13505693311 Network Information Center University of Science and Technology of China From jeff-kell at utc.edu Mon Jul 14 11:40:29 2008 From: jeff-kell at utc.edu (Jeff Kell) Date: Mon, 14 Jul 2008 11:40:29 -0400 Subject: [c-nsp] FWSM with multiple vlans, NAT quandry... Message-ID: <487B736D.2060208@utc.edu> I seem to have backed myself into a corner and am looking for suggestions... Our campus is largely RFC1918 internally. The original hub-and-spoke design was along the lines of assigning a 10.x.x.x/16 or larger block to significant buildings, so each building was it's own routed domain address block, e.g., 10.building.subnet.host. This allows some "interesting" access control lists by using non-contiguous wildcard masks for certain things. If routers/switches are all on subnet zero, for example, you can permit access to them by using something like 'permit ip 10.0.0.0 0.255.0.255' and it covers all the buildings in one statement. Life was good until we started down a VRF-lite path to isolate the infrastructure, common areas, and "isolated" functional areas into their own VRFs. So now we have things like: 10.building.0.x infrastructure (global VRF) 10.building.16.x general campus 10.building.32.x business users 10.building.48.x guest access 10.building.64.x private areas (e.g., security video) For the most part, each VRF is it's own domain, but there are necessary "leaks" we need to manage between VRFs, and we're trying to do it with a FWSM. Each VRF feeds a vlan into the FWSM, and I'm trying to define the "allowed" leakage. For example, network administrators need access to several VRFs, system administrators need access to several VRFs, and most all of the VRFs need access to the "outside". There's no need for "real" NAT since the IP address space does not overlap, but I'm trying to use NAT control to define which VRFs can communicate with other VRFs. 
I'd like to use identity NAT, but "only" between the allowed VRFs. But identity NAT defaults to ALL interfaces. You can use a static identity NAT, but since NAT doesn't allow discontiguous network masks, there's a LOT of configuration to be done to cover the addresses in use (must duplicate for each building). Is there a better way to accomplish this? (other than going back and renumbering IPs into a 10.VRF.building-subnet scheme that lends itself better to the problem at hand?) Jeff From kilobit at gmail.com Mon Jul 14 12:07:10 2008 From: kilobit at gmail.com (Iddo) Date: Mon, 14 Jul 2008 18:07:10 +0200 Subject: [c-nsp] high interrupt CPU due to traffic for IP not in arp-cache Message-ID: Hello All, We are running a 6500/sup720-3BXL wit 12.2.18SXF13 A DoS attack 300,000pps was sent to an IP address which directly connected, but not in use by a machine. The arp entry for the target IP address is "incomplete". This caused interrupt based CPU to 90+ %, which in turn caused OSPF/BGP etc to timeout. I can reproduce the results with a packetgenerator. Can anyone recommend a solution for this? Thanks in advance, Iddo From sam_mailinglists at spacething.org Mon Jul 14 12:11:34 2008 From: sam_mailinglists at spacething.org (Sam Stickland) Date: Mon, 14 Jul 2008 17:11:34 +0100 Subject: [c-nsp] FWSM with multiple vlans, NAT quandry... In-Reply-To: <487B736D.2060208@utc.edu> References: <487B736D.2060208@utc.edu> Message-ID: <487B7AB6.1090003@spacething.org> Hi Jeff, I'm not sure I understand the problem with identity NAT (no nat-control). It does default to all interfaces, but the ACL checks will happen before the NAT translation is built so you can control your access there? Sam Jeff Kell wrote: > I seem to have backed myself into a corner and am looking for > suggestions... > > Our campus is largely RFC1918 internally. 
The original hub-and-spoke > design was along the lines of assigning a 10.x.x.x/16 or larger block > to significant buildings, so each building was it's own routed domain > address block, e.g., 10.building.subnet.host. > > This allows some "interesting" access control lists by using > non-contiguous wildcard masks for certain things. If routers/switches > are all on subnet zero, for example, you can permit access to them by > using something like 'permit ip 10.0.0.0 0.255.0.255' and it covers > all the buildings in one statement. > > Life was good until we started down a VRF-lite path to isolate the > infrastructure, common areas, and "isolated" functional areas into > their own VRFs. So now we have things like: > > 10.building.0.x infrastructure (global VRF) > 10.building.16.x general campus > 10.building.32.x business users > 10.building.48.x guest access > 10.building.64.x private areas (e.g., security video) > > For the most part, each VRF is it's own domain, but there are > necessary "leaks" we need to manage between VRFs, and we're trying to > do it with a FWSM. > > Each VRF feeds a vlan into the FWSM, and I'm trying to define the > "allowed" leakage. For example, network administrators need access to > several VRFs, system administrators need access to several VRFs, and > most all of the VRFs need access to the "outside". > > There's no need for "real" NAT since the IP address space does not > overlap, but I'm trying to use NAT control to define which VRFs can > communicate with other VRFs. > > I'd like to use identity NAT, but "only" between the allowed VRFs. > But identity NAT defaults to ALL interfaces. > > You can use a static identity NAT, but since NAT doesn't allow > discontiguous network masks, there's a LOT of configuration to be done > to cover the addresses in use (must duplicate for each building). > > Is there a better way to accomplish this? 
(other than going back and > renumbering IPs into a 10.VRF.building-subnet scheme that lends itself > better to the problem at hand?) > > Jeff > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From oboehmer at cisco.com Mon Jul 14 12:29:15 2008 From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Mon, 14 Jul 2008 18:29:15 +0200 Subject: [c-nsp] IOS XR 3.6.0 BGP next-hop to null 0 bug? In-Reply-To: References: Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405B6647F@xmb-ams-333.emea.cisco.com> Zhang Huanjie <> wrote on Monday, July 14, 2008 4:35 PM: > I am writing a simple bgp client and want use this client to send > blacklist prefix to router. My goal it to add and remove blackhole > routes automatically. > [...] > > > While sending updates to a GSR 12404 running IOS XR 3.6.0, it seems > the router treate 192.0.2.1 always > as inaccessible. None of the prefix is add to FIB. Here is the show: > > #show bgp 192.168.100.1 > BGP routing table entry for 192.168.100.1/32 > Versions: > Process bRIB/RIB SendTblVer > Speaker 0 0 > Paths: (1 available, no best path) > Not advertised to any peer > Path #1: Received by speaker 0 > Local > 192.0.2.1 (inaccessible) from x.x.x.x (x.x.x.x) > Origin IGP, metric 20, localpref 100, valid, internal > [..] > Is this a bug of IOS XR? yes, this is a bug in XR3.5/3.6.0, documented in CSCsm76283 (Umbrella fix for Remote Trigger Blackhole and a BGP CLI output issue). SMUs should be available.. 
oli

From peter at rathlev.dk Mon Jul 14 12:32:43 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Mon, 14 Jul 2008 18:32:43 +0200
Subject: [c-nsp] high interrupt CPU due to traffic for IP not in arp-cache
In-Reply-To:
References:
Message-ID: <1216053163.13942.9.camel@svesken.sys.mjna.net>

On Mon, 2008-07-14 at 18:07 +0200, Iddo wrote:
> We are running a 6500/sup720-3BXL with 12.2.18SXF13
> A DoS attack 300,000pps was sent to an IP address which is directly
> connected, but not in use by a machine.
> The arp entry for the target IP address is "incomplete".
>
> This caused interrupt based CPU to 90+ %, which in turn caused
> OSPF/BGP etc to timeout.
>
> I can reproduce the results with a packetgenerator.
>
> Can anyone recommend a solution for this?

The problem would be because the 6500 tries to determine the L2 address of the destination host via ARP. There are a couple of solutions.

As a simple solution, you can rate limit packets punted to the RP for ARP resolution. This will generally rate limit ARP, and should be used carefully since you could be DoS'ed in another way: starving your ability to ARP. The command is "mls rate-limit unicast cef glean ".

Since the host doesn't exist, you could also blackhole just this host, e.g. "ip route 10.1.2.3 255.255.255.255 Null0" for the host 10.1.2.3. For the 6500 this would just throw traffic to that host away, and not disturb your RP.

Of course there could be a point in blocking this closer to the source, but that might not be easy.

Regards,
Peter

From lists at visp.me.uk Mon Jul 14 11:30:01 2008
From: lists at visp.me.uk (Steve Wright)
Date: Mon, 14 Jul 2008 16:30:01 +0100
Subject: [c-nsp] SA-VAM2+ Getting the best performance
Message-ID: 200807141604051216047845000267@webmail.stevewrightonline.co.uk

An embedded and charset-unspecified text was scrubbed...
Name: not available URL: From dwinkworth at wi.rr.com Mon Jul 14 13:24:42 2008 From: dwinkworth at wi.rr.com (dwinkworth at wi.rr.com) Date: Mon, 14 Jul 2008 12:24:42 -0500 Subject: [c-nsp] VRFs Message-ID: <31633517.290161216056282278.JavaMail.root@hrndva-web02-z02> What about the return path? What did you do to get traffic back into the VRF? Also, what do you mean it does not work as the next hop? Did the static route not appear in the routing table after you added it? Can you give us some config output/"show ip route vrf" output? ---- Jason Berenson wrote: > Oliver, > > I tried that but it doesn't seem to work. The IP that exists in the > global routing table (just an interface on the router) is not pingable > from within the VRF. It also does not work as a next hop. > > -Jason > > Oliver Boehmer (oboehmer) wrote: > > Jason Berenson <> wrote on Monday, July 14, 2008 7:37 AM: > > > > > >> Greetings, > >> > >> I know how to route leak between VRFs with BGP but is it possible to > >> set a default route within a VRF pointing to an IP in the global > >> routing table? If so can anyone point me to some good documentation > >> or perhaps a sample snippit? > >> > > > > ip route vrf FOO 0.0.0.0 0.0.0.0 global > > > > the next-hop must not be a local address of the PE.. 
> >
> > oli
> >
>

From jason at pins.net Mon Jul 14 13:38:47 2008
From: jason at pins.net (Jason Berenson)
Date: Mon, 14 Jul 2008 13:38:47 -0400
Subject: [c-nsp] VRFs
In-Reply-To: <31633517.290161216056282278.JavaMail.root@hrndva-web02-z02>
References: <31633517.290161216056282278.JavaMail.root@hrndva-web02-z02>
Message-ID: <487B8F27.5010802@pins.net>

R1#show ip route vrf priv

Routing Table: priv
Gateway of last resort is 209.212.66.1 to network 0.0.0.0

     209.212.64.0/29 is subnetted, 1 subnets
C       209.212.64.176 is directly connected, GigabitEthernet0/1.1000
S*   0.0.0.0/0 [1/0] via 209.212.66.1, GigabitEthernet0/1.1000

ip route 209.212.64.177 255.255.255.255 GigabitEthernet0/1.1000 209.212.64.177
ip route vrf priv 0.0.0.0 0.0.0.0 GigabitEthernet0/1.1000 209.212.66.1 global

interface GigabitEthernet0/1.1000
 description << Priv VRF for MON T1/DSL >>
 encapsulation dot1Q 1000
 ip vrf forwarding priv
 ip address 209.212.64.177 255.255.255.248
 no ip redirects
 no cdp enable

So for now I just want the vrf priv to route to the Internet via another router. There are two routers in 209.212.64.176/29. The other one has a similar config except it's 209.212.64.178. Right now a ping drops exactly half the packets:

R1#ping vrf priv 209.212.66.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.212.66.1, timeout is 2 seconds:
!.!.!
Success rate is 60 percent (3/5), round-trip min/avg/max = 1/2/4 ms

I will eventually add certain T1/DSL interfaces to the VRF priv in order to "move" them behind a traffic shaping device so diagnostics can be performed.

-Jason

dwinkworth at wi.rr.com wrote:
> What about the return path? What did you do to get traffic back into the VRF?
>
> Also, what do you mean it does not work as the next hop?
Did the static route not appear in the routing table after you added it? Can you give us some config output/"show ip route vrf" output? > > ---- Jason Berenson wrote: > >> Oliver, >> >> I tried that but it doesn't seem to work. The IP that exists in the >> global routing table (just an interface on the router) is not pingable >> from within the VRF. It also does not work as a next hop. >> >> -Jason >> >> Oliver Boehmer (oboehmer) wrote: >> >>> Jason Berenson <> wrote on Monday, July 14, 2008 7:37 AM: >>> >>> >>> >>>> Greetings, >>>> >>>> I know how to route leak between VRFs with BGP but is it possible to >>>> set a default route within a VRF pointing to an IP in the global >>>> routing table? If so can anyone point me to some good documentation >>>> or perhaps a sample snippit? >>>> >>>> >>> ip route vrf FOO 0.0.0.0 0.0.0.0 global >>> >>> the next-hop must not be a local address of the PE.. >>> >>> oli >>> >>> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From luan at t3technology.com Mon Jul 14 13:45:56 2008 From: luan at t3technology.com (Luan M Nguyen) Date: Mon, 14 Jul 2008 13:45:56 -0400 Subject: [c-nsp] SA-VAM2+ Getting the best performance In-Reply-To: 200807141604051216047845000267@webmail.stevewrightonline.co.uk References: 200807141604051216047845000267@webmail.stevewrightonline.co.uk Message-ID: <017501c8e5d9$78434e80$68c9eb80$@com> For 512 packet size, we also see ~60M. If you could force the packet to be ~1200-1300 in size, then performance will be better...not that much though. 
You should give the VSA a try, throughput could be up to ~160M :) -luan -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Steve Wright Sent: Monday, July 14, 2008 11:30 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] SA-VAM2+ Getting the best performance Hi everyone, I'm currently working on some testing for a potential project that would involve a number of remote sites that require encrypted traffic to flow between them, as well as them performing BGP with a number of upstreams, and IX's. The current router of choice (before the IPSec VPN's were thrown in) was the 7[23]00 with the NPE-G2. The current design encompases running GRE tunnels (for the IGP to work as we wish). With no hardware acceleration, the routers processors max out about 25Mbps. With the SA-VAM2+ this increases to about 60Mbps, however is no where near the level I would have expected unfortunately. Can anyone with any experience of using the SA-VAM2+/ anyone who has any extra thoughts on how to improve the throughput? These routers aren't running any ACL's at present, have a couple of OSPF processes, and a couple of BGP sessions with only a few routes. 
Any thoughts much appreciated, Thanks, _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From ibrahim.abozaid at gmail.com Mon Jul 14 18:50:29 2008 From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid) Date: Tue, 15 Jul 2008 01:50:29 +0300 Subject: [c-nsp] BGP auto-summary [7:131926] In-Reply-To: <200807141739.m6EHdKHx003666@groupstudy.com> References: <200807141739.m6EHdKHx003666@groupstudy.com> Message-ID: Hi Ajay if auto-summary is enabled with classful network command, all spesfic routes will be summarized to class boundary so for the below example , only 10.0.0.0/8 will be advertised best regards --Ibrahim On Mon, Jul 14, 2008 at 8:39 PM, Ajay Chenampara wrote: > Hi, > I was reading the wendell-odom exam guide and have teh following doubt: > > When auto-summary is enabled in bgp and the network command has only a > classful network, what happens if the router has more specific routes? > > eg: > > ip routing table has routes to > 10.10.10.0/24, 10.20.0.0/16 > > router bgp 1 > network 10.0.0.0 > auto-summary > > what will the bgp table contain? > > will it just be the summary route ? > > > > > Message Posted at: > http://www.groupstudy.com/form/read.php?f=7&i=131926&t=131926 > -------------------------------------------------- > FAQ, list archives, and subscription info: > http://www.groupstudy.com/list/cisco.html > > From dwinkworth at wi.rr.com Mon Jul 14 20:19:12 2008 From: dwinkworth at wi.rr.com (Wink) Date: Mon, 14 Jul 2008 19:19:12 -0500 Subject: [c-nsp] SA-VAM2+ Getting the best performance In-Reply-To: <017501c8e5d9$78434e80$68c9eb80$@com> References: 200807141604051216047845000267@webmail.stevewrightonline.co.uk <017501c8e5d9$78434e80$68c9eb80$@com> Message-ID: <487BED00.5000106@wi.rr.com> deny tcp any eq 443 any deny tcp any any eq 443 Luan M Nguyen wrote: > For 512 packet size, we also see ~60M. 
If you could force the packet to be > ~1200-1300 in size, then performance will be better...not that much though. > You should give the VSA a try, throughput could be up to ~160M :) > > -luan > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Steve Wright > Sent: Monday, July 14, 2008 11:30 AM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] SA-VAM2+ Getting the best performance > > Hi everyone, > > I'm currently working on some testing for a potential project that would > involve a number of remote sites that require encrypted traffic to flow > between them, as well as them performing BGP with a number of upstreams, and > IX's. > > The current router of choice (before the IPSec VPN's were thrown in) was the > 7[23]00 with the NPE-G2. > > The current design encompases running GRE tunnels (for the IGP to work as we > wish). With no hardware acceleration, the routers processors max out about > 25Mbps. With the SA-VAM2+ this increases to about 60Mbps, however is no > where near the level I would have expected unfortunately. > > Can anyone with any experience of using the SA-VAM2+/ anyone who has any > extra thoughts on how to improve the throughput? > > These routers aren't running any ACL's at present, have a couple of OSPF > processes, and a couple of BGP sessions with only a few routes. > > Any thoughts much appreciated, > > Thanks, > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > No virus found in this incoming message. 
> Checked by AVG - http://www.avg.com
> Version: 8.0.138 / Virus Database: 270.4.10/1551 - Release Date: 7/14/2008 6:49 AM

From peter at rathlev.dk Mon Jul 14 20:46:29 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 15 Jul 2008 02:46:29 +0200
Subject: [c-nsp] Crypto map + traffic via "ip route vrf ... global"
Message-ID: <1216082789.18849.26.camel@svesken.sys.mjna.net>

Hi,

I have a strange-ish problem. I've configured an IPSec tunnel between a 7206 NPE-G1 12.4(12) with SA-VAM2+ and an ASA 5550 7.2(4). For some reason traffic only gets encrypted ASA->7200, not the other way.

The traffic that doesn't get encrypted comes from a VRF Lite subinterface on the "back" of the 7200. This VRF has a static 0/0 route with a global next hop, and the global table has a static route pointing the other way.

Traffic can go from behind ASA to behind 7200 with no problems. Traffic from behind the 7200 doesn't get encrypted for some reason, including replies from ICMP echos that came encrypted. And the 7200 doesn't initiate a tunnel either.

Could it be because I can't make the crypto map work for the "ip route vrf ... global" traffic? The configuration works fine when the host behind the 7200 isn't in a VRF, but the 7200 being software based I thought this wouldn't be a problem.

Configuration at the bottom, with Host X behind the 7200 and Host Y behind the ASA. Host X is not directly connected to the 7200, but behind another router. Traffic is routed with no problems, so it's only the encryption that's missing. (The ASA complains about it in logs and I can see it with tcpdump.)

The 7200 creates the IPSec SA, but only the "decaps" counter goes up:

vamtest#sh cry ips sa

interface: GigabitEthernet0/1
    Crypto map tag: vamtest, local addr [7200-outside]

   protected vrf: (none)
   local  ident (addr/mask/prot/port): ([Host X]/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): ([Host Y]/255.255.255.255/0/0)
   current_peer [ASA-outside] port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: [7200-outside], remote crypto endpt.: [ASA-outside]
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0xA9F53FD7(2851422167)

     inbound esp sas:
      spi: 0x4FC8A681(1338549889)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3002, flow_id: VAM2:2, crypto map: vamtest
        sa timing: remaining key lifetime (k/sec): (4511451/1957)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xA9F53FD7(2851422167)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3001, flow_id: VAM2:1, crypto map: vamtest
        sa timing: remaining key lifetime (k/sec): (4511454/1955)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

vamtest#

Debug ("crypto ipsec" + "crypto isakmp" + "errors" for both) says nothing at all for traffic coming from inside. It's just routed, as if the crypto map didn't exist.

And now the configuration:

! *** 7200 ***
ip vrf A
 rd 64512:1
!
crypto isakmp policy 25
 encr 3des
 hash sha
 authentication pre-share
!
crypto isakmp key address [ASA-outside]
!
crypto ipsec transform-set sha-3des esp-3des esp-sha-hmac
!
crypto map vamtest 25 ipsec-isakmp
 description SAVAM2test -> ASA Horsens
 set peer [ASA-outside]
 set transform-set sha-3des
 match address SAVAM2test
!
interface GigabitEthernet0/1
 description Outside
 ip address [7200-outside]
 crypto map vamtest
!
interface GigabitEthernet0/2.2081
 description Inside, VRF
 encapsulation dot1Q 2081
 ip vrf forwarding A
 ip address [inside net]
 ip tcp adjust-mss 1355
!
ip route 0.0.0.0 0.0.0.0 [Outside next hop]
ip route [Host X] Gi0/2.2081 [Inside VRF next hop]
ip route vrf A [Host Y] [Outside next hop] global
!
ip access-list extended SAVAM2test
 permit ip host [Host X] host [Host Y]
!

! *** ASA ***
access-list SAVAM2test permit ip host [Host Y] host [Host X]
!
crypto map asaoutside_map 60 match address SAVAM2test
crypto map asaoutside_map 60 set peer [7200-outside]
crypto map asaoutside_map 60 set transform-set ESP-3DES-SHA
!
tunnel-group [7200-outside] type ipsec-l2l
tunnel-group [7200-outside] ipsec-attributes
 pre-shared-key
!
static (asainside,asaoutside) [Host Y] [Y int.] netmask 255.255.255.255
!

Thank you,
Peter

From jmaimon at ttec.com Mon Jul 14 21:32:30 2008
From: jmaimon at ttec.com (Joe Maimon)
Date: Mon, 14 Jul 2008 21:32:30 -0400
Subject: [c-nsp] Crypto map + traffic via "ip route vrf ... global"
In-Reply-To: <1216082789.18849.26.camel@svesken.sys.mjna.net>
References: <1216082789.18849.26.camel@svesken.sys.mjna.net>
Message-ID: <487BFE2E.8040906@ttec.com>

Peter Rathlev wrote:
> Hi,
>
> The traffic that doesn't get encrypted comes from a VRF Lite
> subinterface on the "back" of the 7200. This VRF has a static 0/0 route
> with a global next hop, and the global table has a static route pointing
> the other way.

Sure would make things simpler if inter-vrf traffic could be configured to appear as if it went through a logically defined interface.

On the other hand, you can actually do that manually, at the cost of handling the packets twice, either with physical interfaces or with tunnels.
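The symptom Peter reports (the SA comes up, "decaps" climbs while "encaps" stays at zero, and the entry shows "protected vrf: (none)" even though the protected host sits in a VRF) is easy to overlook in a long `show crypto ipsec sa` listing. The script below is an added example for this archive, not something posted in the thread or shipped by Cisco. It parses the output layout quoted above and flags flow entries that only ever decrypt, plus entries whose protected VRF differs from the one you expect. The sample listing is constructed from the thread's output with the bracketed placeholders replaced by RFC 5737 documentation addresses (192.0.2.x) and made-up inside hosts; the second entry shows how the same flow looks once the SA is bound to VRF A.

```python
"""Spot one-way and VRF-less IPsec SAs in IOS `show crypto ipsec sa` output.

Added example for this archive (hypothetical tooling, not from the thread
or from Cisco). The parser follows the output layout quoted in the thread;
the sample text below is constructed, with documentation addresses.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Field formats as they appear in the `show crypto ipsec sa` listing above.
CRYPTO_MAP_RE = re.compile(r"Crypto map tag: (\S+), local addr (\S+)")
VRF_RE = re.compile(r"protected vrf: (\S+)")
IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \((\S+)\)")
PEER_RE = re.compile(r"current_peer (\S+) port (\d+)")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")


@dataclass
class IpsecSa:
    crypto_map: str
    protected_vrf: str
    local_ident: str = ""
    remote_ident: str = ""
    peer: str = ""
    encaps: int = 0
    decaps: int = 0

    def one_way(self) -> bool:
        """True when exactly one direction has carried traffic."""
        return (self.encaps == 0) != (self.decaps == 0)


def parse_ipsec_sa(text: str) -> List[IpsecSa]:
    """Return one IpsecSa per 'protected vrf:' block in the listing."""
    sas: List[IpsecSa] = []
    crypto_map = ""
    cur: Optional[IpsecSa] = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := CRYPTO_MAP_RE.search(line)):
            crypto_map = m.group(1)
        elif (m := VRF_RE.search(line)):
            # Each flow entry starts with its protected VRF line.
            cur = IpsecSa(crypto_map=crypto_map, protected_vrf=m.group(1))
            sas.append(cur)
        elif cur is None:
            continue
        elif (m := IDENT_RE.search(line)):
            setattr(cur, f"{m.group(1)}_ident", m.group(2))
        elif (m := PEER_RE.search(line)):
            cur.peer = m.group(1)
        elif (m := ENCAPS_RE.search(line)):
            cur.encaps = int(m.group(1))
        elif (m := DECAPS_RE.search(line)):
            cur.decaps = int(m.group(1))
    return sas


def find_problems(sas: List[IpsecSa], expect_vrf: Optional[str] = None) -> List[str]:
    """Describe SAs that only work in one direction or protect the wrong VRF."""
    problems = []
    for sa in sas:
        flow = f"{sa.crypto_map}: {sa.local_ident} <-> {sa.remote_ident} (peer {sa.peer})"
        if sa.one_way():
            side = "decrypts but never encrypts" if sa.encaps == 0 else "encrypts but never decrypts"
            problems.append(f"{flow} {side}: encaps={sa.encaps}, decaps={sa.decaps}")
        if expect_vrf is not None and sa.protected_vrf != expect_vrf:
            # Thread fix: 'vrf <name>' under the ISAKMP profile binds the SA to the VRF.
            problems.append(f"{flow} protects vrf {sa.protected_vrf}, expected {expect_vrf}")
    return problems


# Constructed sample: the thread's listing with placeholders filled in, plus a
# second flow entry as it looks once the ISAKMP profile carries 'vrf A'.
SAMPLE_SHOW_CRYPTO_IPSEC_SA = """\
interface: GigabitEthernet0/1
    Crypto map tag: vamtest, local addr 192.0.2.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.20.20.20/255.255.255.255/0/0)
   current_peer 192.0.2.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16
    #send errors 0, #recv errors 0

   protected vrf: A
   local  ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.20.20.0/255.255.255.0/0/0)
   current_peer 192.0.2.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 20, #pkts encrypt: 20, #pkts digest: 20
    #pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16
    #send errors 0, #recv errors 0
"""

if __name__ == "__main__":
    for problem in find_problems(parse_ipsec_sa(SAMPLE_SHOW_CRYPTO_IPSEC_SA), expect_vrf="A"):
        print(problem)
```

Run it against a pasted `show crypto ipsec sa` and pass the VRF the protected subnet lives in; the first sample entry produces both warnings (decrypt-only, and no protected VRF), the second produces none. Idle SAs with both counters at zero are deliberately not reported, since nothing has been sent yet in either direction.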
From christian at broknrobot.com Mon Jul 14 21:59:11 2008 From: christian at broknrobot.com (Christian Koch) Date: Mon, 14 Jul 2008 21:59:11 -0400 Subject: [c-nsp] Crypto map + traffic via "ip route vrf ... global" In-Reply-To: <1216082789.18849.26.camel@svesken.sys.mjna.net> References: <1216082789.18849.26.camel@svesken.sys.mjna.net> Message-ID: on the 7200, map ipsec tunnel to the vrf instance? - iskamp profile? On Mon, Jul 14, 2008 at 8:46 PM, Peter Rathlev wrote: > Hi, > > I have a strange-ish problem. I've configured an IPSec tunnel between a > 7206 NPE-G1 12.4(12) with SA-VAM2+ and an ASA 5550 7.2(4). For some > reason traffic only gets encrypted ASA->7200, not the other way. > > The traffic that doesn't get encrypted comes from a VRF Lite > subinterface on the "back" of the 7200. This VRF has a static 0/0 route > with a global next hop, and the global table has a static route pointing > the other way. > > Traffic can go from behind ASA to behind 7200 with no problems. Traffic > from behind the 7200 doesn't get encrypted for some reason, including > replies from ICMP echos that came encrypted. And the 7200 doesn't > initiate a tunnel either. > > Could it be because I can't make the crypto map work for the "ip route > vrf ... global" traffic? The configuration works fine when the host > behind the 7200 isn't in a VRF, but the 7200 being software based I > thought this wouldn't be a problem. > > Configuration at the bottom, with Host X behind the 7200 and Host Y > behind the ASA. Host X is not directly connected to the 7200, but behind > another router. Traffic is routed with not problems, so it's only the > encryption that's missing. (The ASA complains about it in logs and I can > see it with tcpdump.) 
> > The 7200 creates the IPSec SA, but only the "decaps" counter goes up: > > vamtest#sh cry ips sa > > interface: GigabitEthernet0/1 > Crypto map tag: vamtest, local addr [7200-outside] > > protected vrf: (none) > local ident (addr/mask/prot/port): ([Host X]/255.255.255.255/0/0) > remote ident (addr/mask/prot/port): ([Host Y]/255.255.255.255/0/0) > current_peer [ASA-outside] port 500 > PERMIT, flags={origin_is_acl,} > #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 > #pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16 > #pkts compressed: 0, #pkts decompressed: 0 > #pkts not compressed: 0, #pkts compr. failed: 0 > #pkts not decompressed: 0, #pkts decompress failed: 0 > #send errors 0, #recv errors 0 > > local crypto endpt.: [7200-outside], remote crypto endpt.: > [ASA-outside] > path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1 > current outbound spi: 0xA9F53FD7(2851422167) > > inbound esp sas: > spi: 0x4FC8A681(1338549889) > transform: esp-3des esp-sha-hmac , > in use settings ={Tunnel, } > conn id: 3002, flow_id: VAM2:2, crypto map: vamtest > sa timing: remaining key lifetime (k/sec): (4511451/1957) > IV size: 8 bytes > replay detection support: Y > Status: ACTIVE > > inbound ah sas: > > inbound pcp sas: > > outbound esp sas: > spi: 0xA9F53FD7(2851422167) > transform: esp-3des esp-sha-hmac , > in use settings ={Tunnel, } > conn id: 3001, flow_id: VAM2:1, crypto map: vamtest > sa timing: remaining key lifetime (k/sec): (4511454/1955) > IV size: 8 bytes > replay detection support: Y > Status: ACTIVE > > outbound ah sas: > > outbound pcp sas: > > vamtest# > > Debug ("crypto ipsec" + "crypto isakmp" + "errors" for both) says > nothing at all for traffic coming from inside. It's just routed, as if > the crypto map didn't exist. > > And now the configuration: > > ! *** 7200 *** > ip vrf A > rd 64512:1 > ! > crypto isakmp policy 25 > encr 3des > hash sha > authentication pre-share > ! > crypto isakmp key address [ASA-outside] > ! 
> crypto ipsec transform-set sha-3des esp-3des esp-sha-hmac > ! > crypto map vamtest 25 ipsec-isakmp > description SAVAM2test -> ASA Horsens > set peer [ASA-outside] > set transform-set sha-3des > match address SAVAM2test > ! > interface GigabitEthernet0/1 > description Outside > ip address [7200-outside] > crypto map vamtest > ! > interface GigabitEthernet0/2.2081 > description Inside, VRF > encapsulation dot1Q 2081 > ip vrf forwarding A > ip address [inside net] > ip tcp adjust-mss 1355 > ! > ip route 0.0.0.0 0.0.0.0 [Outside next hop] > ip route [Host X] Gi0/2.2081 [Inside VRF next hop] > ip route vrf A [Host Y] [Outside next hop] global > ! > ip access-list extended SAVAM2test > permit ip host [Host X] host [Host Y] > ! > > ! *** ASA *** > access-list SAVAM2test permit ip host [Host Y] host [Host X] > ! > crypto map asaoutside_map 60 match address SAVAM2test > crypto map asaoutside_map 60 set peer [7200-outside] > crypto map asaoutside_map 60 set transform-set ESP-3DES-SHA > ! > tunnel-group [7200-outside] type ipsec-l2l > tunnel-group [7200-outside] ipsec-attributes > pre-shared-key > ! > static (asainside,asaoutside) [Host Y] [Y int.] netmask 255.255.255.255 > ! > > > Thank you, > Peter > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > -- ^christian$ From luan at t3technology.com Mon Jul 14 23:13:14 2008 From: luan at t3technology.com (Luan M Nguyen) Date: Mon, 14 Jul 2008 23:13:14 -0400 Subject: [c-nsp] Crypto map + traffic via "ip route vrf ... global" In-Reply-To: References: <1216082789.18849.26.camel@svesken.sys.mjna.net> Message-ID: <01b101c8e628$b89df8a0$29d9e9e0$@com> Only work if it's a front VRF right? Might have to move the vrf to the WAN to be able to utilize the VRF aware IPSEC. 
-----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Christian Koch Sent: Monday, July 14, 2008 9:59 PM To: Peter Rathlev Cc: cisco-nsp Subject: Re: [c-nsp] Crypto map + traffic via "ip route vrf ... global" on the 7200, map ipsec tunnel to the vrf instance? - iskamp profile? On Mon, Jul 14, 2008 at 8:46 PM, Peter Rathlev wrote: > Hi, > > I have a strange-ish problem. I've configured an IPSec tunnel between a > 7206 NPE-G1 12.4(12) with SA-VAM2+ and an ASA 5550 7.2(4). For some > reason traffic only gets encrypted ASA->7200, not the other way. > > The traffic that doesn't get encrypted comes from a VRF Lite > subinterface on the "back" of the 7200. This VRF has a static 0/0 route > with a global next hop, and the global table has a static route pointing > the other way. > > Traffic can go from behind ASA to behind 7200 with no problems. Traffic > from behind the 7200 doesn't get encrypted for some reason, including > replies from ICMP echos that came encrypted. And the 7200 doesn't > initiate a tunnel either. > > Could it be because I can't make the crypto map work for the "ip route > vrf ... global" traffic? The configuration works fine when the host > behind the 7200 isn't in a VRF, but the 7200 being software based I > thought this wouldn't be a problem. > > Configuration at the bottom, with Host X behind the 7200 and Host Y > behind the ASA. Host X is not directly connected to the 7200, but behind > another router. Traffic is routed with not problems, so it's only the > encryption that's missing. (The ASA complains about it in logs and I can > see it with tcpdump.) 
> > The 7200 creates the IPSec SA, but only the "decaps" counter goes up: > > vamtest#sh cry ips sa > > interface: GigabitEthernet0/1 > Crypto map tag: vamtest, local addr [7200-outside] > > protected vrf: (none) > local ident (addr/mask/prot/port): ([Host X]/255.255.255.255/0/0) > remote ident (addr/mask/prot/port): ([Host Y]/255.255.255.255/0/0) > current_peer [ASA-outside] port 500 > PERMIT, flags={origin_is_acl,} > #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 > #pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16 > #pkts compressed: 0, #pkts decompressed: 0 > #pkts not compressed: 0, #pkts compr. failed: 0 > #pkts not decompressed: 0, #pkts decompress failed: 0 > #send errors 0, #recv errors 0 > > local crypto endpt.: [7200-outside], remote crypto endpt.: > [ASA-outside] > path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1 > current outbound spi: 0xA9F53FD7(2851422167) > > inbound esp sas: > spi: 0x4FC8A681(1338549889) > transform: esp-3des esp-sha-hmac , > in use settings ={Tunnel, } > conn id: 3002, flow_id: VAM2:2, crypto map: vamtest > sa timing: remaining key lifetime (k/sec): (4511451/1957) > IV size: 8 bytes > replay detection support: Y > Status: ACTIVE > > inbound ah sas: > > inbound pcp sas: > > outbound esp sas: > spi: 0xA9F53FD7(2851422167) > transform: esp-3des esp-sha-hmac , > in use settings ={Tunnel, } > conn id: 3001, flow_id: VAM2:1, crypto map: vamtest > sa timing: remaining key lifetime (k/sec): (4511454/1955) > IV size: 8 bytes > replay detection support: Y > Status: ACTIVE > > outbound ah sas: > > outbound pcp sas: > > vamtest# > > Debug ("crypto ipsec" + "crypto isakmp" + "errors" for both) says > nothing at all for traffic coming from inside. It's just routed, as if > the crypto map didn't exist. > > And now the configuration: > > ! *** 7200 *** > ip vrf A > rd 64512:1 > ! > crypto isakmp policy 25 > encr 3des > hash sha > authentication pre-share > ! > crypto isakmp key address [ASA-outside] > ! 
> crypto ipsec transform-set sha-3des esp-3des esp-sha-hmac > ! > crypto map vamtest 25 ipsec-isakmp > description SAVAM2test -> ASA Horsens > set peer [ASA-outside] > set transform-set sha-3des > match address SAVAM2test > ! > interface GigabitEthernet0/1 > description Outside > ip address [7200-outside] > crypto map vamtest > ! > interface GigabitEthernet0/2.2081 > description Inside, VRF > encapsulation dot1Q 2081 > ip vrf forwarding A > ip address [inside net] > ip tcp adjust-mss 1355 > ! > ip route 0.0.0.0 0.0.0.0 [Outside next hop] > ip route [Host X] Gi0/2.2081 [Inside VRF next hop] > ip route vrf A [Host Y] [Outside next hop] global > ! > ip access-list extended SAVAM2test > permit ip host [Host X] host [Host Y] > ! > > ! *** ASA *** > access-list SAVAM2test permit ip host [Host Y] host [Host X] > ! > crypto map asaoutside_map 60 match address SAVAM2test > crypto map asaoutside_map 60 set peer [7200-outside] > crypto map asaoutside_map 60 set transform-set ESP-3DES-SHA > ! > tunnel-group [7200-outside] type ipsec-l2l > tunnel-group [7200-outside] ipsec-attributes > pre-shared-key > ! > static (asainside,asaoutside) [Host Y] [Y int.] netmask 255.255.255.255 > ! 
>
>
> Thank you,
> Peter
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

--
^christian$

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From security at cytanet.com.cy Tue Jul 15 01:56:11 2008
From: security at cytanet.com.cy (Michalis Palis)
Date: Tue, 15 Jul 2008 08:56:11 +0300
Subject: [c-nsp] giant packets troubleshooting
Message-ID: <000e01c8e63f$7c1afa10$0c01a8c0@PCArr2007MP>

Hello all

I have some interfaces on my networks (gigabit / ethernet) which report a huge amount of giant packets. What is the cause of giant packets? Is there any methodology or any good document which details the way to troubleshoot giant packets?

All responses will be appreciated.

From pavel.skovajsa at gmail.com Tue Jul 15 02:06:26 2008
From: pavel.skovajsa at gmail.com (Pavel Skovajsa)
Date: Tue, 15 Jul 2008 08:06:26 +0200
Subject: [c-nsp] Cisco 2851 bug ?
In-Reply-To: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00CC5@tiger.deltadentalwa.com>
References: <323aca890807081028m614fc1fayb0691c1bbff27a0a@mail.gmail.com> <323aca890807100216s53bb84a7ge8e8fbd38741f5db@mail.gmail.com> <1215798920.28688.4.camel@svesken.sys.mjna.net> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00CC5@tiger.deltadentalwa.com>
Message-ID: <323aca890807142306p148c5693t45762350558a34b6@mail.gmail.com>

Hi,

IP Input spike is usually caused by abnormal 'IP input' traffic that gets punted into the RP from CEF for whatever reason. A very common cause is broadcast storm. You can see what packet is holding the CPU with 'show buffers input interface fa0/1'. However you need to do this command during a real spike...
Pavel On Fri, Jul 11, 2008 at 10:47 PM, Teller, Robert wrote: > Is anyone aware of a bug or configuration that could cause a sudden > spike in IP input? > > uptime is 26 weeks, 3 days, 10 hours, 54 minutes > System returned to ROM by reload at 01:40:08 PST Tue Jan 8 2008 > System restarted at 01:41:34 PST Tue Jan 8 2008 > System image file is "flash:c2800nm-ipbasek9-mz.124-17a.bin" > Cisco 2851 (revision 53.51) with 251904K/10240K bytes of memory. > > PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process > 66 125056 2917547 42 0.00% 0.00% 0.00% 0 CDP > Protocol > 67 28872876 373263867 77 0.08% 51.78% 47.36% 0 IP Input > > Seattle-WAN 01:00:26 PM Friday Jul 11 2008 DST > > > 555558888899999888888888899999999 > 555555544444444446666655555999998888844444333332222233333333 > 100 > 90 ********** ******** > 80 **************************** > 70 **************************** > 60 ********************************* > 50 ********************************* > 40 ********************************* > 30 ********************************* > 20 ********************************* > 10 ******* ******************************************* > 0....5....1....1....2....2....3....3....4....4....5....5....6 > 0 5 0 5 0 5 0 5 0 5 0 > CPU% per second (last 60 seconds) > > > 9999999 1 > 588886633444434434453334333334346534453335336645645556354344 > 100 ******* > 90 #####** * > 80 ######* * > 70 ######* * > 60 ######* * > 50 ######* * > 40 ######* * > 30 ######* * > 20 ####### * # > 10 ####### * ** * * ** ** **** * # > 0....5....1....1....2....2....3....3....4....4....5....5....6 > 0 5 0 5 0 5 0 5 0 5 0 > CPU% per minute (last 60 minutes) > * = maximum CPU% # = average CPU% > > > 1 1 11 1 1111 111 1111111111 11 1 7121111 1112 1111 111 > 1121111111111 > > 691760977743309128787415602150180091972430809462896712922076244160072513 > 100 > 90 > 80 * > 70 * > 60 * > 50 * > 40 * > 30 * * > 20 * * * * ** * * * * * * ** * * * * > * > 10 > 
************************************************************************
>
> 0....5....1....1....2....2....3....3....4....4....5....5....6....6....7.
> .
> 0 5 0 5 0 5 0 5 0 5 0 5
> 0
> CPU% per hour (last 72 hours)
> * = maximum CPU% # = average CPU%
>
>
> #########################################################
> The information contained in this e-mail and subsequent attachments may be privileged,
> confidential and protected from disclosure. This transmission is intended for the sole
> use of the individual and entity to whom it is addressed. If you are not the intended
> recipient, any dissemination, distribution or copying is strictly prohibited. If you
> think that you have received this message in error, please e-mail the sender at the above
> e-mail address.
> #########################################################
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From pavel.skovajsa at gmail.com Tue Jul 15 02:09:23 2008
From: pavel.skovajsa at gmail.com (Pavel Skovajsa)
Date: Tue, 15 Jul 2008 08:09:23 +0200
Subject: [c-nsp] giant packets troubleshooting
In-Reply-To: <000e01c8e63f$7c1afa10$0c01a8c0@PCArr2007MP>
References: <000e01c8e63f$7c1afa10$0c01a8c0@PCArr2007MP>
Message-ID: <323aca890807142309o5c281e83jdccb5bcc9965d6f@mail.gmail.com>

Just to be aware, there has been a cosmetic bug on many Cisco platforms two years ago that classified all dot1q trunked frames as giants. The way to verify this is by looking at whether you see giants on all trunk ports.

Pavel

On Tue, Jul 15, 2008 at 7:56 AM, Michalis Palis wrote:
> Hello all
>
> I have some interfaces on my networks (gigabit / ethernet) which report a huge amount of giant packets. What is the cause of giant packets? Is there any methodology or any good document which details the way to troubleshoot giant packets?
> > All responses will be appreciated. > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From Andrey_Oleinik at bms-consulting.com Tue Jul 15 02:21:20 2008 From: Andrey_Oleinik at bms-consulting.com (Andrey Oleinik) Date: Tue, 15 Jul 2008 09:21:20 +0300 Subject: [c-nsp] VRFs In-Reply-To: <487B8F27.5010802@pins.net> References: <31633517.290161216056282278.JavaMail.root@hrndva-web02-z02> <487B8F27.5010802@pins.net> Message-ID: <68D5E673B49F1D45A5BE41058C8AFDBCC18992C26D@BMSEXCH.BMS-CONSULTING.COM> sh ip route 209.212.66.1 ? -- Respect, Andy Oleynik andyo> -----Original Message----- andyo> R1#show ip route vrf priv andyo> andyo> Routing Table: priv andyo> andyo> Gateway of last resort is 209.212.66.1 to network 0.0.0.0 andyo> andyo> 209.212.64.0/29 is subnetted, 1 subnets andyo> C 209.212.64.176 is directly connected, andyo> GigabitEthernet0/1.1000 andyo> S* 0.0.0.0/0 [1/0] via 209.212.66.1, GigabitEthernet0/1.1000 andyo> andyo> ip route 209.212.64.177 255.255.255.255 GigabitEthernet0/1.1000 andyo> 209.212.64.177 andyo> ip route vrf priv 0.0.0.0 0.0.0.0 GigabitEthernet0/1.1000 andyo> 209.212.66.1 andyo> global andyo> andyo> interface GigabitEthernet0/1.1000 andyo> description << Priv VRF for MON T1/DSL >> andyo> encapsulation dot1Q 1000 andyo> ip vrf forwarding priv andyo> ip address 209.212.64.177 255.255.255.248 andyo> no ip redirects andyo> no cdp enable andyo> From security at cytanet.com.cy Tue Jul 15 02:22:14 2008 From: security at cytanet.com.cy (Michalis Palis) Date: Tue, 15 Jul 2008 09:22:14 +0300 Subject: [c-nsp] giant packets troubleshooting References: <000e01c8e63f$7c1afa10$0c01a8c0@PCArr2007MP> <323aca890807142309o5c281e83jdccb5bcc9965d6f@mail.gmail.com> Message-ID: <02ef01c8e643$1f666260$0c01a8c0@PCArr2007MP> On one link for example where we have an etherchannel between a GSR and a 4510 
switch, we see a lot of giant packets on the router side and no giant packets on the switch side

----- Original Message -----
From: "Pavel Skovajsa"
To: "Michalis Palis"
Cc:
Sent: Tuesday, July 15, 2008 9:09 AM
Subject: Re: [c-nsp] giant packets troubleshooting

> Just to be aware, there has been a cosmetic bug on many Cisco
> platforms two years ago that classified all dot1q trunked frames as
> giants. The way to verify this is by looking at whether you see
> giants on all trunk ports.
>
> Pavel
>
> On Tue, Jul 15, 2008 at 7:56 AM, Michalis Palis
> wrote:
>> Hello all
>>
>> I have some interfaces on my networks (gigabit / ethernet) which report a
>> huge amount of giant packets. What is the cause of giant packets? Is
>> there any methodology or any good document which details the way to
>> troubleshoot giant packets?
>>
>> All responses will be appreciated.
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>

From david.freedman at uk.clara.net Tue Jul 15 04:30:37 2008
From: david.freedman at uk.clara.net (David Freedman)
Date: Tue, 15 Jul 2008 09:30:37 +0100
Subject: [c-nsp] Per session QoS - Train recommendations
Message-ID:

With regards to per-session QoS, I came across a number of bugs in 12.2SB which forced me to move to 12.4M to continue using this. Of course, in 12.4M "sub-qos-policy" isn't recognised and I reverted to the more familiar "lcp:interface-config=service-policy" directive.

Everything happily using 12.4M now, but I have a desire to move back to 12.2 (possibly SRC now). Is anybody doing this in later SB or SRC and truly happy with the way it works?
------------------------------------------------ David Freedman Group Network Engineering Claranet Limited http://www.clara.net From ibrahim.abozaid at gmail.com Tue Jul 15 04:47:55 2008 From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid) Date: Tue, 15 Jul 2008 11:47:55 +0300 Subject: [c-nsp] giant packets troubleshooting In-Reply-To: <02ef01c8e643$1f666260$0c01a8c0@PCArr2007MP> References: <000e01c8e63f$7c1afa10$0c01a8c0@PCArr2007MP> <323aca890807142309o5c281e83jdccb5bcc9965d6f@mail.gmail.com> <02ef01c8e643$1f666260$0c01a8c0@PCArr2007MP> Message-ID: Dear Palis check interface MTU configuration and its default state from both sides best regards --Ibrahim On Tue, Jul 15, 2008 at 9:22 AM, Michalis Palis wrote: > On one link for example where we have an etherchannel between a GSR and a > 4510 switch, we see a lot of giant packets on the router side and no giant > packets on the switch side > > > ----- Original Message ----- From: "Pavel Skovajsa" < > pavel.skovajsa at gmail.com> > To: "Michalis Palis" > Cc: > Sent: Tuesday, July 15, 2008 9:09 AM > Subject: Re: [c-nsp] giant packets troubleshooting > > > > Just to be aware, there has been a cosmetic bug on many cisco >> platforms two years ago that clasified all dot1q trunked frame as >> giants. The way to see verify this is by looking whether you don't see >> giants on all trunk ports. >> >> Pavel >> >> On Tue, Jul 15, 2008 at 7:56 AM, Michalis Palis >> wrote: >> >>> Hello all >>> >>> I have some interfaces on my networks (gigabit / ethernet) which report a >>> huge amount of giant packets. What is the cause of giant packets? Is their >>> any methodology or any good document which details the way to troubleshoot >>> giant packets? >>> >>> All responses will be appreciated. 
>>> _______________________________________________
>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>
>>>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From stig.johansen at ementor.no Tue Jul 15 06:38:23 2008
From: stig.johansen at ementor.no (Stig Johansen)
Date: Tue, 15 Jul 2008 12:38:23 +0200
Subject: [c-nsp] Crypto map + traffic via "ip route vrf ... global"
In-Reply-To: <1216082789.18849.26.camel@svesken.sys.mjna.net>
References: <1216082789.18849.26.camel@svesken.sys.mjna.net>
Message-ID: <13A13E9CF0F76342A79031B9E558C0C5187B49@100NOOSLMSG004.common.alpharoot.net>

Make sure the traffic enters the VRF correctly via an ISAKMP profile. Check the following quickly hacked example:

Given that the peers are directly connected at outside interfaces with a 192.0.2.0/24 network. If not, adjust peer IPs and add a default route in the global routing table. No routing *into* VRFs is needed, just outgoing for the network destination to be routed out into the global table, encrypted or not.

Given that 10.10.10.0/24 is behind the 7200 and 10.20.20.0/24 is behind the ASA/other peer.

!
ip vrf A-vrf
 rd 1:1
!
crypto keyring A-keyring
  pre-shared-key address 192.0.2.2 key very-private-key
!
crypto isakmp policy 25
 encr 3des
 hash sha
 authentication pre-share
!
crypto isakmp profile A-profile
   vrf A-vrf
   keyring A-keyring
   match identity address 192.0.2.2 255.255.255.255
!
crypto ipsec transform-set 3dessha esp-3des esp-sha-hmac
!
crypto map vamtest 25 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set 3dessha
 set isakmp-profile A-profile
 match address A-acl
!
interface GigabitEthernet0/1
 description OUTSIDE interface
 ip address 192.0.2.1 255.255.255.0
 crypto map vamtest
!
interface GigabitEthernet0/2.2081
 description INSIDE VRF interface
 encapsulation dot1Q 2081
 ip vrf forwarding A-vrf
 ip address 172.16.10.1 255.255.255.0
!
ip route vrf A-vrf 10.10.10.0 255.255.255.0 172.16.10.2
ip route vrf A-vrf 10.20.20.0 255.255.255.0 GigabitEthernet0/1 192.0.2.2 global
!
ip access-list extended A-acl
 permit ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255

Best regards,
Stig Meireles Johansen
Senior Consultant
______________________________
Ementor Norge AS, Brynsalleen 2, BOX 6472 Etterstad, N-0605 Oslo
Tel +47 22 09 50 00, Direct +47 24 09 96 94
stig.johansen at ementor.no
www.ementor.no

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Rathlev
Sent: 15 July 2008 02:46
To: cisco-nsp
Subject: [c-nsp] Crypto map + traffic via "ip route vrf ... global"

Hi,

I have a strange-ish problem. I've configured an IPSec tunnel between a 7206 NPE-G1 12.4(12) with SA-VAM2+ and an ASA 5550 7.2(4). For some reason traffic only gets encrypted ASA->7200, not the other way.

The traffic that doesn't get encrypted comes from a VRF Lite subinterface on the "back" of the 7200. This VRF has a static 0/0 route with a global next hop, and the global table has a static route pointing the other way.

Traffic can go from behind ASA to behind 7200 with no problems. Traffic from behind the 7200 doesn't get encrypted for some reason, including replies from ICMP echos that came encrypted. And the 7200 doesn't initiate a tunnel either.

Could it be because I can't make the crypto map work for the "ip route vrf ... global" traffic? The configuration works fine when the host behind the 7200 isn't in a VRF, but the 7200 being software based I thought this wouldn't be a problem.

Configuration at the bottom, with Host X behind the 7200 and Host Y behind the ASA. Host X is not directly connected to the 7200, but behind another router. Traffic is routed with no problems, so it's only the encryption that's missing. (The ASA complains about it in logs and I can see it with tcpdump.)

The 7200 creates the IPSec SA, but only the "decaps" counter goes up:

vamtest#sh cry ips sa

interface: GigabitEthernet0/1
    Crypto map tag: vamtest, local addr [7200-outside]

   protected vrf: (none)
   local  ident (addr/mask/prot/port): ([Host X]/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): ([Host Y]/255.255.255.255/0/0)
   current_peer [ASA-outside] port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: [7200-outside], remote crypto endpt.: [ASA-outside]
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0xA9F53FD7(2851422167)

     inbound esp sas:
      spi: 0x4FC8A681(1338549889)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3002, flow_id: VAM2:2, crypto map: vamtest
        sa timing: remaining key lifetime (k/sec): (4511451/1957)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xA9F53FD7(2851422167)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3001, flow_id: VAM2:1, crypto map: vamtest
        sa timing: remaining key lifetime (k/sec): (4511454/1955)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

vamtest#

Debug ("crypto ipsec" + "crypto isakmp" + "errors" for both) says nothing at all for traffic coming from inside. It's just routed, as if the crypto map didn't exist.

And now the configuration:

! *** 7200 ***
ip vrf A
 rd 64512:1
!
crypto isakmp policy 25
 encr 3des
 hash sha
 authentication pre-share
!
crypto isakmp key address [ASA-outside]
!
crypto ipsec transform-set sha-3des esp-3des esp-sha-hmac
!
crypto map vamtest 25 ipsec-isakmp
 description SAVAM2test -> ASA Horsens
 set peer [ASA-outside]
 set transform-set sha-3des
 match address SAVAM2test
!
interface GigabitEthernet0/1
 description Outside
 ip address [7200-outside]
 crypto map vamtest
!
interface GigabitEthernet0/2.2081
 description Inside, VRF
 encapsulation dot1Q 2081
 ip vrf forwarding A
 ip address [inside net]
 ip tcp adjust-mss 1355
!
ip route 0.0.0.0 0.0.0.0 [Outside next hop]
ip route [Host X] Gi0/2.2081 [Inside VRF next hop]
ip route vrf A [Host Y] [Outside next hop] global
!
ip access-list extended SAVAM2test
 permit ip host [Host X] host [Host Y]
!

! *** ASA ***
access-list SAVAM2test permit ip host [Host Y] host [Host X]
!
crypto map asaoutside_map 60 match address SAVAM2test
crypto map asaoutside_map 60 set peer [7200-outside]
crypto map asaoutside_map 60 set transform-set ESP-3DES-SHA
!
tunnel-group [7200-outside] type ipsec-l2l
tunnel-group [7200-outside] ipsec-attributes
 pre-shared-key
!
static (asainside,asaoutside) [Host Y] [Y int.] netmask 255.255.255.255
!

Thank you,
Peter

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From peter at rathlev.dk Tue Jul 15 07:12:22 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 15 Jul 2008 13:12:22 +0200
Subject: [c-nsp] Crypto map + traffic via "ip route vrf ... global"
In-Reply-To: <13A13E9CF0F76342A79031B9E558C0C5187B49@100NOOSLMSG004.common.alpharoot.net>
References: <1216082789.18849.26.camel@svesken.sys.mjna.net> <13A13E9CF0F76342A79031B9E558C0C5187B49@100NOOSLMSG004.common.alpharoot.net>
Message-ID: <1216120342.21870.11.camel@svesken.sys.mjna.net>

Hi Stig,

On Tue, 2008-07-15 at 12:38 +0200, Stig Johansen wrote:
> Make sure the traffic enters the VRF correctly via an ISAKMP profile.
> Check the following quickly hacked example:

Thank you (and others) very much.
It was exactly the VRF part of the ISAKMP profile that was missing. It seems a little unintuitive to me; I thought that the traffic on the outside interface was "non VRF" when going towards the global next hop, and that I could thus use a regular ISAKMP setup for the IPSec tunnel. BTW: Is this "crypto isakmp profile" the new "best practice" way of doing things? It seems to be the only way to make the example work, but sometimes I feel it's a little overkill to have to define key-ring + profile instead of just using "crypto key ...". Are there other benefits of the profile way of doing things? > Given that the peers are directly connected at outside interfaces with a > 192.0.2.0/24-network. If not, adjust peer-ip's and add default route in > global routingtable. No routing *into* VRF's are needed, just outgoing > for the network-destination to be routed out into global-table, > encrypted or not. Ok. I presume the routing back into the VRF is needed if the traffic is not encrypted. Otherwise the router wouldn't know how to process incoming traffic. I guess with the ISAKMP/IPSec setup the router can infer where to route traffic, but without it would have no clue. Regards, Peter From kwbales at kwbales.net Tue Jul 15 07:57:21 2008 From: kwbales at kwbales.net (Kurt Bales) Date: Tue, 15 Jul 2008 21:57:21 +1000 Subject: [c-nsp] Shape an L3 interface to 100mbit Message-ID: <20080715115646.F07A27B196@spunkymail-a16.g.dreamhost.com> Hey Guys, I have a situation where my upstream is policing my connection to 100mb. I have a GigE interconnect to them, and we are currently connected at 1gb/full duplex. I have been requested to shape the traffic leaving our interconnect to 100mb so as to reduce the performance issues caused by packet loss etc caused by policing. What is the easiest way to apply 100mb shaping to an L3 (no switchport) interface on a 3560G? 
The speed of this link could change in the near future (over the next couple of days) so I would prefer to use QoS rules to apply shaping to this interface as opposed to forcing the interconnect to 100/Full (which would be of no use if the link changed to 250mb).

Regards,
K.

From risnaini at indo.net.id Tue Jul 15 07:08:03 2008
From: risnaini at indo.net.id (a. rahman isnaini r.sutan)
Date: Tue, 15 Jul 2008 18:08:03 +0700
Subject: [c-nsp] The maximum number of match packets Cisco Router can detect on ACL at one time.
In-Reply-To: <68D5E673B49F1D45A5BE41058C8AFDBCC18992C26D@BMSEXCH.BMS-CONSULTING.COM>
References: <31633517.290161216056282278.JavaMail.root@hrndva-web02-z02> <487B8F27.5010802@pins.net> <68D5E673B49F1D45A5BE41058C8AFDBCC18992C26D@BMSEXCH.BMS-CONSULTING.COM>
Message-ID: <487C8513.9040402@indo.net.id>

Hi,

Might be some of you have noted once the maximum value (number) that a Cisco ACL can match, let's say flooding packets.
Here: deny tcp any any eq 1434 (5732 matches), for example.
Since I have a problem with 7200 NPE G1, the huge traffic cannot be detected & matched by ACL.

Thanks for sharing if you will.

a. rahman isnaini r.sutan

From peter at rathlev.dk Tue Jul 15 08:25:33 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 15 Jul 2008 14:25:33 +0200
Subject: [c-nsp] Shape an L3 interface to 100mbit
In-Reply-To: <20080715115646.F07A27B196@spunkymail-a16.g.dreamhost.com>
References: <20080715115646.F07A27B196@spunkymail-a16.g.dreamhost.com>
Message-ID: <1216124733.23559.7.camel@svesken.sys.mjna.net>

On Tue, 2008-07-15 at 21:57 +1000, Kurt Bales wrote:
> I have a situation where my upstream is policing my connection to 100mb. I
> have a GigE interconnect to them, and we are currently connected at 1gb/full
> duplex. I have been requested to shape the traffic leaving our interconnect
> to 100mb so as to reduce the performance issues caused by packet loss etc
> caused by policing.
>
> What is the easiest way to apply 100mb shaping to an L3 (no switchport)
> interface on a 3560G?

You could use shaped SRR:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_35_se/configuration/guide/swqos.html
http://tinyurl.com/6y8qer

Since the buffers on the 3560G probably aren't that big, you could run into trouble, but it's the simplest way to do it. If the policing is giving you trouble, you could ask them to adjust burst sizes and things like that until you were satisfied.

Regards,
Peter

From david.freedman at uk.clara.net Tue Jul 15 09:08:17 2008
From: david.freedman at uk.clara.net (David Freedman)
Date: Tue, 15 Jul 2008 14:08:17 +0100
Subject: [c-nsp] giant packets troubleshooting
In-Reply-To: <000e01c8e63f$7c1afa10$0c01a8c0@PCArr2007MP>
References: <000e01c8e63f$7c1afa10$0c01a8c0@PCArr2007MP>
Message-ID:

IOS has longstanding cosmetic issues with regards to MPLS / dot1q; as long as you don't have any incrementing drops/discards you are fine.

Dave.

Michalis Palis wrote:
> Hello all
>
> I have some interfaces on my networks (gigabit / ethernet) which report a huge amount of giant packets. What is the cause of giant packets? Is there any methodology or any good document which details the way to troubleshoot giant packets?
>
> All responses will be appreciated.
>

From christian at broknrobot.com Tue Jul 15 09:02:29 2008
From: christian at broknrobot.com (Christian Koch)
Date: Tue, 15 Jul 2008 09:02:29 -0400
Subject: [c-nsp] giant packets troubleshooting
In-Reply-To: <000e01c8e63f$7c1afa10$0c01a8c0@PCArr2007MP>
References: <000e01c8e63f$7c1afa10$0c01a8c0@PCArr2007MP>
Message-ID:

If you have a high MTU such as 9180 on that interface, and packets exceed 1500, counters will increment.

On Tue, Jul 15, 2008 at 1:56 AM, Michalis Palis wrote:
> Hello all
>
> I have some interfaces on my networks (gigabit / ethernet) which report a
> huge amount of giant packets. What is the cause of giant packets? Is there
> any methodology or any good document which details the way to troubleshoot
> giant packets?
>
> All responses will be appreciated.
>

--
^christian$

From notrevebr at gmail.com Tue Jul 15 09:19:02 2008
From: notrevebr at gmail.com (Everton Diniz)
Date: Tue, 15 Jul 2008 10:19:02 -0300
Subject: [c-nsp] Traffic on IPSec Tunnel btw Pix and Router
Message-ID: <3cf174360807150619w5abd85cdj2bde17d40e97127a@mail.gmail.com>

Hi all,

I configured a tunnel between the PIX and the router. The traffic goes to the PIX but does not return. I see only encaps on the router and decaps on the PIX.
Is anything missing?
Tks

Router Output and Config

TEHTCVPNRT01#sh cry ip sa

interface: GigabitEthernet0/1
    Crypto map tag: ra-L2L-vpn, local addr 180.200.200.141

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.180.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.139.1.0/255.255.255.0/0/0)
   current_peer 200.150.180.62 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 81, #pkts encrypt: 81, #pkts digest: 81
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 4, #recv errors 0

     local crypto endpt.: 180.200.200.141, remote crypto endpt.: 200.150.180.62
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0xEA23924(245512484)

     inbound esp sas:
      spi: 0x2E3660C5(775315653)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3004, flow_id: NETGX:4, crypto map: ra-L2L-vpn
        sa timing: remaining key lifetime (k/sec): (4429641/3573)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xEA23924(245512484)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3003, flow_id: NETGX:3, crypto map: ra-L2L-vpn
        sa timing: remaining key lifetime (k/sec): (4429640/3573)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

crypto isakmp policy 11
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key 6 L2L address 200.150.180.62 no-xauth
crypto isakmp aggressive-mode disable
crypto ipsec transform-set aessha-pixrtr esp-3des esp-md5-hmac
crypto map ra-L2L-vpn 2 ipsec-isakmp
 set peer 200.150.180.62
 set transform-set aessha-pixrtr
 match address 120
 reverse-route
interface GigabitEthernet0/1
 ip address 180.200.200.141 255.255.255.192
 crypto map ra-L2L-vpn
access-list 120 permit ip 10.180.0.0 0.0.255.255 10.139.1.0 0.0.0.255
++++++++++++++++++++++++++++++++++

PIX output and Config:

   local  ident (addr/mask/prot/port): (10.139.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.180.0.0/255.255.0.0/0/0)
   current_peer: 180.200.200.141:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 81, #pkts decrypt: 81, #pkts verify 81
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 200.150.180.62 , remote crypto endpt.: 180.200.200.141
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 2e3660c5

     inbound esp sas:
      spi: 0xea23924(245512484)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 4, crypto map: L2L-ons
        sa timing: remaining key lifetime (k/sec): (4607999/3478)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x2e3660c5(775315653)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 3, crypto map: L2L-ons
        sa timing: remaining key lifetime (k/sec): (4608000/3478)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

ip address outside 200.150.180.62 255.255.255.224
ip address inside 10.139.1.111 255.255.255.0
access-list L2L permit ip 10.139.1.0 255.255.255.0 10.180.0.0 255.255.0.0
access-list L2Lnonat permit ip 10.139.1.0 255.255.255.0 10.180.0.0 255.255.0.0
nat (inside) 0 access-list L2Lnonat
route outside 10.180.0.0 255.255.0.0 180.200.200.141 1
sysopt connection permit-ipsec
crypto ipsec transform-set aessha-pixrtr esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map L2L 1 ipsec-isakmp
crypto map L2L 1 match address L2L
crypto map L2L 1 set peer 180.200.200.141
crypto map L2L 1 set transform-set aessha-pixrtr
crypto map L2L interface outside
isakmp enable outside
isakmp key L2L address 180.200.200.141 netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 3600

From dirkjan at os3.nl Tue Jul 15 08:40:34 2008
From: dirkjan at os3.nl (Dirk-Jan van Helmond)
Date: Tue, 15 Jul 2008 14:40:34 +0200 (CEST)
Subject: [c-nsp] Shape an L3 interface to 100mbit
In-Reply-To: <1216124733.23559.7.camel@svesken.sys.mjna.net>
References: <20080715115646.F07A27B196@spunkymail-a16.g.dreamhost.com> <1216124733.23559.7.camel@svesken.sys.mjna.net>
Message-ID: <74e78f82c8b16d632d04f2deba047f82.squirrel@a61.nl>

> If the policing is giving you trouble, you could ask them to adjust
> burst sizes and things like that until you were satisfied.

The problem you get with this is that when you police for delay-sensitive traffic (small tc) your TCP slow-start will get into trouble, and when you police for TCP (large tc) your delay-sensitive traffic gets into trouble. Shaping with a low tc is IMHO the best option.

Regards,
Dirk-Jan

From peter at rathlev.dk Tue Jul 15 09:40:15 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 15 Jul 2008 15:40:15 +0200
Subject: [c-nsp] Traffic on IPSec Tunnel btw Pix and Router
In-Reply-To: <3cf174360807150619w5abd85cdj2bde17d40e97127a@mail.gmail.com>
References: <3cf174360807150619w5abd85cdj2bde17d40e97127a@mail.gmail.com>
Message-ID: <1216129215.24030.4.camel@svesken.sys.mjna.net>

On Tue, 2008-07-15 at 10:19 -0300, Everton Diniz wrote:
> Hi all,
>
> I configured a tunnel between the PIX and the router. The traffic goes to the PIX but
> does not return. I see only encaps on the router and decaps on the
> PIX.
> Is anything missing?

Are you sure the host in the other end is actually responding, and that this response goes towards the PIX? As far as I can see there's nothing wrong with the configuration. (I may be wrong, cf. my last mail to this list.
:-))

What happens if you try to trace from the 10.139.1.0/24 host to something in 10.180.0.0/16? Do you get to the PIX (i.e. can you see the connection in the logs)?

Regards,
Peter

From paul at paulstewart.org Tue Jul 15 09:45:59 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Tue, 15 Jul 2008 09:45:59 -0400
Subject: [c-nsp] ASA Question - Antivirus
Message-ID: <000901c8e681$1e18f1a0$5a4ad4e0$@org>

Hi folks...

We have a customer looking for a new firewall but it must have antivirus on it. The AV cannot be on the fly specifically but on the desktop. Their current solution forces their desktops to have a specific Antivirus agent installed and updated. This is something similar to the NAC solution today....

I'm looking at Cisco ASA 5520 Appliance Content Security Edition Bundle (Includes CSC-SSM-10, 50-user antivirus/anti-spyware license with 1-year subscription service*, firewall services, 750 IPsec VPN peers, 2 SSL VPN peers, 4 Gigabit Ethernet interfaces, and 1 Fast Ethernet interface) ASA5520-CSC10-K9

Does anyone know how the antivirus/antispyware works on these? I've read through numerous marketing material but it's not clear whether this is all done on the fly or if it's desktop agent based?

Thanks in advance,

Paul Stewart

From richard.halfpenny at exa-networks.co.uk Tue Jul 15 10:41:26 2008
From: richard.halfpenny at exa-networks.co.uk (Richard Halfpenny)
Date: Tue, 15 Jul 2008 15:41:26 +0100
Subject: [c-nsp] ASA Question - Antivirus
In-Reply-To: <000901c8e681$1e18f1a0$5a4ad4e0$@org>
References: <000901c8e681$1e18f1a0$5a4ad4e0$@org>
Message-ID: <487CB716.50607@exa-networks.co.uk>

Paul Stewart wrote:
> Hi folks...
>
> We have a customer looking for a new firewall but it must have antivirus on
> it. The AV cannot be on the fly specifically but on the desktop. Their
> current solution forces their desktops to have a specific Antivirus agent
> installed and updated. This is something similar to the NAC solution
> today....
>
> I'm looking at Cisco ASA 5520 Appliance Content Security Edition Bundle
> (Includes CSC-SSM-10, 50-user antivirus/anti-spyware license with 1-year
> subscription service*, firewall services, 750 IPsec VPN peers, 2 SSL VPN
> peers, 4 Gigabit Ethernet interfaces, and 1 Fast Ethernet interface)
> ASA5520-CSC10-K9
>
> Does anyone know how the antivirus/antispyware works on these? I've read
> through numerous marketing material but it's not clear whether this is all
> done on the fly or if it's desktop agent based?
>

Hi Paul,

It is done on the fly.. we have a few educational customers using CSC-SSM-20's in ASA5520's as another layer of defence in addition to PC based antivirus. The CSC-SSM's are basically card based servers (running Linux) and integrated into the ASA via GigE.

Be careful to get the correct module for the traffic mix you intend to run through it though:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_white_paper0900aecd805c3cd6.pdf

Rich.

--
Network Operations
Exa Networks Ltd :: AS30740

From paul at paulstewart.org Tue Jul 15 10:59:04 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Tue, 15 Jul 2008 10:59:04 -0400
Subject: [c-nsp] ASA Question - Antivirus
In-Reply-To: <487CB716.50607@exa-networks.co.uk>
References: <000901c8e681$1e18f1a0$5a4ad4e0$@org> <487CB716.50607@exa-networks.co.uk>
Message-ID: <001301c8e68b$54c4ded0$fe4e9c70$@org>

Thanks very much... seems to be the common approach now - desktop/border protection.... I looked at the Juniper stuff too and it seems to follow the same trend...

Appreciate it,

Paul

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Richard Halfpenny
Sent: Tuesday, July 15, 2008 10:41 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ASA Question - Antivirus

Paul Stewart wrote:
> Hi folks...
>
> We have a customer looking for a new firewall but it must have antivirus on
> it. The AV cannot be on the fly specifically but on the desktop. Their
> current solution forces their desktops to have a specific Antivirus agent
> installed and updated. This is something similar to the NAC solution
> today....
>
> I'm looking at Cisco ASA 5520 Appliance Content Security Edition Bundle
> (Includes CSC-SSM-10, 50-user antivirus/anti-spyware license with 1-year
> subscription service*, firewall services, 750 IPsec VPN peers, 2 SSL VPN
> peers, 4 Gigabit Ethernet interfaces, and 1 Fast Ethernet interface)
> ASA5520-CSC10-K9
>
> Does anyone know how the antivirus/antispyware works on these? I've read
> through numerous marketing material but it's not clear whether this is all
> done on the fly or if it's desktop agent based?
>

Hi Paul,

It is done on the fly.. we have a few educational customers using CSC-SSM-20's in ASA5520's as another layer of defence in addition to PC based antivirus. The CSC-SSM's are basically card based servers (running Linux) and integrated into the ASA via GigE.

Be careful to get the correct module for the traffic mix you intend to run through it though:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_white_paper0900aecd805c3cd6.pdf

Rich.

--
Network Operations
Exa Networks Ltd :: AS30740

From paul at paulstewart.org Tue Jul 15 11:19:01 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Tue, 15 Jul 2008 11:19:01 -0400
Subject: [c-nsp] 2621xm vs 1800?
Message-ID: <001a01c8e68e$1d288b40$5779a1c0$@org>

Hi there...

We have some remote sites with 2621XM's running today. These routers are doing PPPOE termination primarily for 40-60 users.
The 2621XM is handling the load just fine however we've been having random problems with them lately and wanted to swap out the 2621XM for a different, more current model to see if the problem goes away (traffic just stops passing on the FE interfaces after a few weeks - tried multiple IOS versions - happening at several sites).

My question is whether or not an 1841 would be a downgrade or an upgrade for PPS and overall load? Or should we just bite the bullet and get 2801's instead?

Thanks,

Paul

From rodunn at cisco.com Tue Jul 15 12:24:27 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 15 Jul 2008 12:24:27 -0400
Subject: [c-nsp] Cisco 2851 bug ?
In-Reply-To: <323aca890807142306p148c5693t45762350558a34b6@mail.gmail.com>
References: <323aca890807100216s53bb84a7ge8e8fbd38741f5db@mail.gmail.com> <1215798920.28688.4.camel@svesken.sys.mjna.net> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00CC5@tiger.deltadentalwa.com> <323aca890807142306p148c5693t45762350558a34b6@mail.gmail.com>
Message-ID: <20080715162427.GK4378@rtp-cse-489.cisco.com>

Or you could load the new 12.4(20)T and set up a packet capture on the punt path. ;)

rtp-rodunn-871#monitor capture point ip process-switched test in ?


rtp-rodunn-871#monitor capture point ip process-switched rodney in
rtp-rodunn-871#mon
rtp-rodunn-871#monitor cap
rtp-rodunn-871#monitor capture buf
rtp-rodunn-871#monitor capture buffer pakdump ?
  circular  Circular Buffer
  clear     Clear contents of capture buffer
  export    Export in Pcap format
  filter    Configure filters
  limit     Limit the packets dumped to the buffer
  linear    Linear Buffer(Default)
  max-size  Maximum size of element in the buffer (in bytes)
  size      Packet Dump buffer size (in Kbytes)

rtp-rodunn-871#monitor capture buffer pakdump

....

Start the capture and export it to pcap. ;)

This is new functionality in 12.4(20)T so we've got some enhancements to add to it.
Rodney

On Tue, Jul 15, 2008 at 08:06:26AM +0200, Pavel Skovajsa wrote:
> Hi,
> IP Input spike is usually caused by abnormal 'IP input' traffic that
> gets punted into the RP from CEF for whatever reason.
> A very common cause is broadcast storm. You can see what packet
> is holding the CPU with 'show buffers input interface fa0/1'. However
> you need to do this command during a real spike...
>
> Pavel
>
> On Fri, Jul 11, 2008 at 10:47 PM, Teller, Robert
> wrote:
> > Is anyone aware of a bug or configuration that could cause a sudden
> > spike in IP input?
> >
> > uptime is 26 weeks, 3 days, 10 hours, 54 minutes
> > System returned to ROM by reload at 01:40:08 PST Tue Jan 8 2008
> > System restarted at 01:41:34 PST Tue Jan 8 2008
> > System image file is "flash:c2800nm-ipbasek9-mz.124-17a.bin"
> > Cisco 2851 (revision 53.51) with 251904K/10240K bytes of memory.
> >
> > PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
> >  66      125056   2917547     42  0.00%  0.00%  0.00%   0 CDP Protocol
> >  67    28872876 373263867     77  0.08% 51.78% 47.36%   0 IP Input
> >
> > Seattle-WAN 01:00:26 PM Friday Jul 11 2008 DST
> >
> > [graph: CPU% per second (last 60 seconds); ASCII bar chart not reproduced in this archive]
> >
> > [graph: CPU% per minute (last 60 minutes), * = maximum CPU% # = average CPU%; ASCII bar chart not reproduced in this archive]
> >
> > [graph: CPU% per hour (last 72 hours), * = maximum CPU% # = average CPU%; ASCII bar chart not reproduced in this archive]
> >
From rodunn at cisco.com Tue Jul 15 12:26:30 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 15 Jul 2008 12:26:30 -0400
Subject: [c-nsp] The maximum number of match packets Cisco Router can detect on ACL at one time.
In-Reply-To: <487C8513.9040402@indo.net.id>
References: <31633517.290161216056282278.JavaMail.root@hrndva-web02-z02> <487B8F27.5010802@pins.net> <68D5E673B49F1D45A5BE41058C8AFDBCC18992C26D@BMSEXCH.BMS-CONSULTING.COM> <487C8513.9040402@indo.net.id>
Message-ID: <20080715162630.GL4378@rtp-cse-489.cisco.com>

There is no limit to the number of times the ACL will match and drop. The counter, depending on how it's defined in the code, may wrap but that should never impact the ACL from matching and dropping/permitting.

Rodney

On Tue, Jul 15, 2008 at 06:08:03PM +0700, a. rahman isnaini r.sutan wrote:
> Hi,
>
> Might be some of you have noted once the maximum value (number) that a Cisco
> ACL can match, let's say flooding packets.
> Here: deny tcp any any eq 1434 (5732 matches), for example.
> Since I have a problem with 7200 NPE G1, the huge traffic cannot be
> detected & matched by ACL.
>
> Thanks for sharing if you will.
>
> a. rahman isnaini r.sutan

From paul.cosgrove at heanet.ie Tue Jul 15 12:34:21 2008
From: paul.cosgrove at heanet.ie (Paul Cosgrove)
Date: Tue, 15 Jul 2008 17:34:21 +0100
Subject: [c-nsp] Cisco 2851 bug ?
In-Reply-To: <20080715162427.GK4378@rtp-cse-489.cisco.com>
References: <323aca890807100216s53bb84a7ge8e8fbd38741f5db@mail.gmail.com> <1215798920.28688.4.camel@svesken.sys.mjna.net> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00CC5@tiger.deltadentalwa.com> <323aca890807142306p148c5693t45762350558a34b6@mail.gmail.com> <20080715162427.GK4378@rtp-cse-489.cisco.com>
Message-ID: <487CD18D.3080708@heanet.ie>

Hi Rodney,

Is that safe to do even if the traffic rate and/or CPU is high? Looks like a nice feature.

Paul.

Rodney Dunn wrote:
> Or you could load the new 12.4(20)T and set up a packet capture
> on the punt path. ;)
>
> rtp-rodunn-871#monitor capture point ip process-switched test in ?
>
>
> rtp-rodunn-871#monitor capture point ip process-switched rodney in
> rtp-rodunn-871#mon
> rtp-rodunn-871#monitor cap
> rtp-rodunn-871#monitor capture buf
> rtp-rodunn-871#monitor capture buffer pakdump ?
>   circular  Circular Buffer
>   clear     Clear contents of capture buffer
>   export    Export in Pcap format
>   filter    Configure filters
>   limit     Limit the packets dumped to the buffer
>   linear    Linear Buffer(Default)
>   max-size  Maximum size of element in the buffer (in bytes)
>   size      Packet Dump buffer size (in Kbytes)
>
>
> rtp-rodunn-871#monitor capture buffer pakdump
>
> ....
>
> Start the capture and export it to pcap. ;)
>
> This is new functionality in 12.4(20)T so we've got some enhancements to
> add to it.
>
> Rodney
>
> On Tue, Jul 15, 2008 at 08:06:26AM +0200, Pavel Skovajsa wrote:
>> Hi,
>> IP Input spike is usually caused by abnormal 'IP input' traffic that
>> gets punted into the RP from CEF for whatever reason.
>> A very common cause is broadcast storm. You can see what packet
>> is holding the CPU with 'show buffers input interface fa0/1'. However
>> you need to do this command during a real spike...
>>
>> Pavel
>>
>> On Fri, Jul 11, 2008 at 10:47 PM, Teller, Robert
>> wrote:
>>> Is anyone aware of a bug or configuration that could cause a sudden
>>> spike in IP input?
>>>
>>> uptime is 26 weeks, 3 days, 10 hours, 54 minutes
>>> System returned to ROM by reload at 01:40:08 PST Tue Jan 8 2008
>>> System restarted at 01:41:34 PST Tue Jan 8 2008
>>> System image file is "flash:c2800nm-ipbasek9-mz.124-17a.bin"
>>> Cisco 2851 (revision 53.51) with 251904K/10240K bytes of memory.
>>>
>>> PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
>>>  66      125056   2917547     42  0.00%  0.00%  0.00%   0 CDP Protocol
>>>  67    28872876 373263867     77  0.08% 51.78% 47.36%   0 IP Input
>>>
>>> Seattle-WAN 01:00:26 PM Friday Jul 11 2008 DST
>>>
>>> [graph: CPU% per second (last 60 seconds); ASCII bar chart not reproduced in this archive]
>>>
>>> [graph: CPU% per minute (last 60 minutes), * = maximum CPU% # = average CPU%; ASCII bar chart not reproduced in this archive]
>>>
>>> [graph: CPU% per hour (last 72 hours), * = maximum CPU% # = average CPU%; ASCII bar chart not reproduced in this archive]
>>>
--
HEAnet Limited
Ireland's Education & Research Network
5 George's Dock, IFSC, Dublin 1, Ireland
Tel: +353.1.6609040  Web: http://www.heanet.ie
Company registered in Ireland: 275301
Please consider the environment before printing this e-mail.

From stig.johansen at ementor.no Tue Jul 15 12:39:32 2008
From: stig.johansen at ementor.no (Stig Johansen)
Date: Tue, 15 Jul 2008 18:39:32 +0200
Subject: [c-nsp] Shape an L3 interface to 100mbit
In-Reply-To: <20080715115646.F07A27B196@spunkymail-a16.g.dreamhost.com>
References: <20080715115646.F07A27B196@spunkymail-a16.g.dreamhost.com>
Message-ID: <13A13E9CF0F76342A79031B9E558C0C5187B4B@100NOOSLMSG004.common.alpharoot.net>

Hi there,

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_se/configuration/guide/swqos.html

Best regards,
Stig Meireles Johansen

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Kurt Bales
Sent: 15 July 2008 13:57
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Shape an L3 interface to 100mbit

Hey Guys,

I have a situation where my upstream is policing my connection to 100mb. I have a GigE interconnect to them, and we are currently connected at 1gb/full duplex.
I have been requested to shape the traffic leaving our interconnect to 100mb so as to reduce the performance issues caused by packet loss etc caused by policing.

What is the easiest way to apply 100mb shaping to an L3 (no switchport) interface on a 3560G?

The speed of this link could change in the near future (over the next couple of days) so I would prefer to use QoS rules to apply shaping to this interface as opposed to forcing the interconnect to 100/Full (which would be of no use if the link changed to 250mb).

Regards,
K.

From mack at exchange.alphared.com Tue Jul 15 13:41:42 2008
From: mack at exchange.alphared.com (mack)
Date: Tue, 15 Jul 2008 12:41:42 -0500
Subject: [c-nsp] SIP/SPA support for 6500
In-Reply-To:
References:
Message-ID: <6F2FFD7C10F788479E354B84294036C4259E544E@EXCH-MBX.exchange.alphared.local>

What SIP/SPA modules are actually supported in the 6500 running SXH2?

The release notes only list the SIP-400; however, the SIP-600 lists support for SXF and higher in 7600 and 6500 chassis.

SPA-1XOC48-POS/RPR is listed in the release notes and requires a SIP-400.
SPA-2XOC48-POS/RPR and SPA-4XOC48-POS/RPR require the SIP-600.
Are the higher port density SPAs actually supported or not?

SPA-OC192POS-XFP lists the 6500 as compatible.
SPA-1XTENGE-XFP lists the 6500 as compatible.
SPA-1X10GE-L-V2 does not have the 6500 listed as compatible.

Is the newer 10GE SPA card actually supported or have the BU wars caused the SIP/SPA support to be frozen in the 6500?

The ES20 of course doesn't list the 6500 and I doubt it will ever get that support. Someone can correct me if they believe otherwise.

--
LR Mack McBride
Network Administrator
Alpha Red, Inc.
From paul.cosgrove at heanet.ie Tue Jul 15 14:49:36 2008
From: paul.cosgrove at heanet.ie (Paul Cosgrove)
Date: Tue, 15 Jul 2008 19:49:36 +0100
Subject: [c-nsp] 2621xm vs 1800?
In-Reply-To: <001a01c8e68e$1d288b40$5779a1c0$@org>
References: <001a01c8e68e$1d288b40$5779a1c0$@org>
Message-ID: <487CF140.608@heanet.ie>

Very much an upgrade judging from the following table. More than double the PPS & Mbps for Fast/CEF switched packets:-

http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf

Would be interesting to know the cause of the issue though,

Paul.

Paul Stewart wrote:
> Hi there...
>
> We have some remote sites with 2621XMs running today. These routers are
> doing PPPOE termination primarily for 40-60 users. The 2621XM is handling
> the load just fine; however, we've been having random problems with them
> lately and wanted to swap out the 2621XM for a different, more current model
> to see if the problem goes away (traffic just stops passing on the FE
> interfaces after a few weeks - tried multiple IOS versions - happening at
> several sites).
>
> My question is whether or not an 1841 would be a downgrade or an upgrade for
> PPS and overall load? Or should we just bite the bullet and get 2801s
> instead?
>
> Thanks,
>
> Paul

From paul at paulstewart.org Tue Jul 15 15:17:55 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Tue, 15 Jul 2008 15:17:55 -0400
Subject: [c-nsp] 2621xm vs 1800?
In-Reply-To: <487CF140.608@heanet.ie>
References: <001a01c8e68e$1d288b40$5779a1c0$@org> <487CF140.608@heanet.ie>
Message-ID: <001601c8e6af$7dd167c0$79743740$@org>

Thanks... that's actually the document I was looking for ;)

Our theory to date on the issues with the 2621XMs is possibly the vendor itself and the memory they have been using. We have had a number of problems with a particular batch of them purchased a while ago and the 3rd party memory they are using specifically (we use 3rd party all the time with great success normally).

Want to swap one of the sites that is having repeated issues and prove it's in the router somewhere or in the next hop device (wireless backhaul).

Thanks,

Paul
From Rafael.Rodriguez at msmc.com Tue Jul 15 15:37:21 2008
From: Rafael.Rodriguez at msmc.com (Rafael Rodriguez)
Date: Tue, 15 Jul 2008 15:37:21 -0400
Subject: [c-nsp] Private VLANS w/ Promiscuous port a trunk port?
Message-ID: <13D27D9DCE0E0945A617043C88DD6194017C776F@SVIPEXC1.msmc.com>

Hello all,

I am trying to figure out if the following will work:

Have a 6500 w/ sup2/msfc2 Native IOS.
Would like to configure some ports as Isolated Private VLAN ports.
These Isolated ports need to only speak to an 802.1q trunk port I have.
I believe I can't configure this 802.1q trunk port as a .1q trunk and a Promiscuous port ("switchport mode private-vlan promiscuous") at the same time (it's either "switchport mode trunk" or "switchport mode private-vlan promiscuous" - not both).
The .1q trunk port will carry lots of other VLANS. Behind this .1q trunk port will be the L3 device responsible for the L3 portion of the Private VLAN.

I need to make sure the Private VLAN can talk to the L3 device behind the .1q trunk port... The .1q trunk port is kind of like a router-on-a-stick.
# VID 100 Private VLAN
# VID 101 Isolated VLAN

vlan 100
 private-vlan primary

vlan 101
 private-vlan isolated

vlan 100
 private-vlan association 101

interface GigabitEthernet1/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100-200
 switchport mode trunk
 no ip address
 load-interval 30
 spanning-tree portfast trunk

interface GigabitEthernet1/2
 switchport
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
 spanning-tree portfast

Will something like that work?

Cheers,

RR

From christian at broknrobot.com Tue Jul 15 21:01:18 2008
From: christian at broknrobot.com (Christian Koch)
Date: Tue, 15 Jul 2008 21:01:18 -0400
Subject: [c-nsp] Private VLANS w/ Promiscuous port a trunk port?
In-Reply-To: <13D27D9DCE0E0945A617043C88DD6194017C776F@SVIPEXC1.msmc.com>
References: <13D27D9DCE0E0945A617043C88DD6194017C776F@SVIPEXC1.msmc.com>

i am not sure i am correct, but i thought the 'other' side of the trunk had to support PVLANs as well... can anyone clarify if that's wrong or right?

ck
--
^christian$

From skeeve at skeeve.org Tue Jul 15 21:10:31 2008
From: skeeve at skeeve.org (Skeeve Stevens)
Date: Wed, 16 Jul 2008 11:10:31 +1000
Subject: [c-nsp] Shape an L3 interface to 100mbit
In-Reply-To: <13A13E9CF0F76342A79031B9E558C0C5187B4B@100NOOSLMSG004.common.alpharoot.net>
References: <20080715115646.F07A27B196@spunkymail-a16.g.dreamhost.com> <13A13E9CF0F76342A79031B9E558C0C5187B4B@100NOOSLMSG004.common.alpharoot.net>

I'd love to know this too. I'm not too great on QoS yet.

Any simple examples for a simple shaping policy? i.e. All traffic down to a certain amount, inbound or perhaps outbound.
...Skeeve

From risnaini at indo.net.id Tue Jul 15 22:05:01 2008
From: risnaini at indo.net.id (a. rahman isnaini r.sutan)
Date: Wed, 16 Jul 2008 09:05:01 +0700
Subject: [c-nsp] The maximum number of match packets Cisco Router can detect on ACL at one time.
In-Reply-To: <20080715162630.GL4378@rtp-cse-489.cisco.com>
References: <31633517.290161216056282278.JavaMail.root@hrndva-web02-z02> <487B8F27.5010802@pins.net> <68D5E673B49F1D45A5BE41058C8AFDBCC18992C26D@BMSEXCH.BMS-CONSULTING.COM> <487C8513.9040402@indo.net.id> <20080715162630.GL4378@rtp-cse-489.cisco.com>
Message-ID: <487D574D.8050803@indo.net.id>

Thanks Rodney.
Other thing: though the ACL matches thousands of hits at once, the log couldn't show this (log buffer has been set to 4096 x 2).

a. rahman isnaini r.sutan

Rodney Dunn wrote:
> There is no limit to the number of times the ACL will match and drop.
>
> The counter depending on how it's defined in the code may wrap but
> that should never impact the ACL from matching and dropping/permitting.
>
> Rodney
>
> On Tue, Jul 15, 2008 at 06:08:03PM +0700, a. rahman isnaini r.sutan wrote:
>> Hi,
>>
>> Maybe some of you have noted once the maximum value (number) that Cisco
>> ACL can match, let's say flooding packets.
>> Here: deny tcp any any eq 1434 (5732 matches) for example.
>> Since I have a problem with 7200 NPE G1, the huge traffic cannot be
>> detected & matched by ACL.
>>
>> Thanks for sharing if you will.
>>
>> a. rahman isnaini r.sutan

From cchurc05 at harris.com Tue Jul 15 22:42:22 2008
From: cchurc05 at harris.com (Church, Charles)
Date: Tue, 15 Jul 2008 21:42:22 -0500
Subject: [c-nsp] The maximum number of match packets Cisco Router can detect on ACL at one time.
In-Reply-To: <487D574D.8050803@indo.net.id>
References: <31633517.290161216056282278.JavaMail.root@hrndva-web02-z02> <487B8F27.5010802@pins.net> <68D5E673B49F1D45A5BE41058C8AFDBCC18992C26D@BMSEXCH.BMS-CONSULTING.COM> <487C8513.9040402@indo.net.id> <20080715162630.GL4378@rtp-cse-489.cisco.com> <487D574D.8050803@indo.net.id>

If the router is subject to enough traffic where thousands of ACL hits are happening per second, you DON'T want to have any entries of that ACL logging. It's terrible for performance.

Chuck

From igoen99 at yahoo.com Wed Jul 16 00:43:56 2008
From: igoen99 at yahoo.com (Edi Guntoro)
Date: Tue, 15 Jul 2008 21:43:56 -0700 (PDT)
Subject: [c-nsp] Cisco MMPPP
Message-ID: <998326.91276.qm@web54305.mail.re2.yahoo.com>

Dear ciscoers,

Let's say we have a scenario to bring up multiple ppp for our customer to increase bandwidth to the internet.
At the moment we only have access to the LNS, is it possible to have MMPPP for our customer, or is there something to do with the LAC?
any reference?
here is the layout:

regards
Igun

u /-----3.5g service---PPP---LAC---LNS1--|
s/                                       |___internet
e\                                       |
r \-----cdma service--PPP---LAC---LNS2--|

From ben.steele at internode.on.net Wed Jul 16 01:12:12 2008
From: ben.steele at internode.on.net (Ben Steele)
Date: Wed, 16 Jul 2008 14:42:12 +0930
Subject: [c-nsp] Cisco MMPPP
In-Reply-To: <998326.91276.qm@web54305.mail.re2.yahoo.com>
References: <998326.91276.qm@web54305.mail.re2.yahoo.com>
Message-ID: <8C96E5C9-FCC2-4CBC-9533-FA60995F4078@internode.on.net>

the LAC is pretty irrelevant, you need to configure MMPPP capabilities on your LNSs, which means an sgbp group on your LNSs for the multichassis and "ppp multilink" under your virtual template for the MPPP side of things.

I noticed your topology is using 2 separate wireless services to provide the bundle, one word of warning is if the bundles are out of sync (speed and latency wise) you will see very poor performance and you are better off load balancing with a routing protocol and/or cef.
Ben

From risnaini at indo.net.id Wed Jul 16 01:31:26 2008
From: risnaini at indo.net.id (a. rahman isnaini r.sutan)
Date: Wed, 16 Jul 2008 12:31:26 +0700
Subject: [c-nsp] The maximum number of match packets Cisco Router can detect on ACL at one time.
References: <31633517.290161216056282278.JavaMail.root@hrndva-web02-z02> <487B8F27.5010802@pins.net> <68D5E673B49F1D45A5BE41058C8AFDBCC18992C26D@BMSEXCH.BMS-CONSULTING.COM> <487C8513.9040402@indo.net.id> <20080715162630.GL4378@rtp-cse-489.cisco.com> <487D574D.8050803@indo.net.id>
Message-ID: <487D87AE.7070203@indo.net.id>

Hi charles,

Depends on the engine processor. Our G1 can handle this; it's just that the router isn't showing it in the log (we saved to a syslog-ng server).

rgs
a. rahman isnaini r.sutan

From alex.wilkinson at dsto.defence.gov.au Wed Jul 16 02:22:31 2008
From: alex.wilkinson at dsto.defence.gov.au (Wilkinson, Alex)
Date: Wed, 16 Jul 2008 14:22:31 +0800
Subject: [c-nsp] "Total output drops" - congestion ? - 7200-VXR
Message-ID: <20080716062231.GC71273@stlux503.dsto.defence.gov.au>

Hi all,

I am having problems with a particular device going down every 3-4 days.
The switchport which this device is connected to is telling me it is having a lot of "output drops", e.g.

Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 13342805

I 'suspect' that these output drops could be the root cause of the device attached to this port going down consistently.

Question: Since 'output drops' seems to relate to interface congestion, can anyone recommend a tool to 'blast' this particular interface in order to test {in,out}queues and congestion?

-aW

IMPORTANT: This email remains the property of the Australian Defence Organisation and is subject to the jurisdiction of section 70 of the CRIMES ACT 1914. If you have received this email in error, you are requested to contact the sender and delete the email.

From igoen99 at yahoo.com Wed Jul 16 02:41:15 2008
From: igoen99 at yahoo.com (Edi Guntoro)
Date: Tue, 15 Jul 2008 23:41:15 -0700 (PDT)
Subject: [c-nsp] Cisco MMPPP
Message-ID: <483648.58202.qm@web54303.mail.re2.yahoo.com>

Thanks Ben,
however what do you mean by "better off load balancing with a routing protocol and/or cef"? is it disabling the load balancing? as I know this feature is enabled by default on routing protocols as long as they are equal admin distances.
And is it for traffic out to the internet or traffic coming to the customer?

regards.
Edi
From ben.steele at internode.on.net Wed Jul 16 03:21:27 2008
From: ben.steele at internode.on.net (Ben Steele)
Date: Wed, 16 Jul 2008 16:51:27 +0930
Subject: [c-nsp] Cisco MMPPP
In-Reply-To: <483648.58202.qm@web54303.mail.re2.yahoo.com>
References: <483648.58202.qm@web54303.mail.re2.yahoo.com>

i'm talking strictly between your LNS and your CPE here, if you find your MMPPP is giving poor performance due to physical differences between the 2 sessions (i.e. speed and latency), then try doing something a little more creative like multihopping both ppp sessions onto the one router and using (as you mentioned) cef per-destination load sharing over the 2 unique ppp sessions, or alternatively let a routing protocol handle the work and advertise part of your subnet out one link and part out the other with redundancy, or even GRE tunnels etc. etc. there are quite a few ways you can achieve the desired outcome, this is of course only if your mmppp fails.

Cheers

Ben
From brad.henshaw at qcn.com.au Wed Jul 16 02:38:52 2008
From: brad.henshaw at qcn.com.au (Brad Henshaw)
Date: Wed, 16 Jul 2008 16:38:52 +1000
Subject: [c-nsp] "Total output drops" - congestion ? - 7200-VXR
Message-ID: <8B25B862BC09784B9B74FB950D4F64D401F30A@qcnapp01.corp.qcn>

Wilkinson, Alex wrote:
> can anyone recommend a tool to 'blast' this particular interface

TTCP with UDP traffic, best directed at a null-routed IP address on the other side of that interface. Pay careful attention to the order of command-line parameters or weird things will happen.

If you want bidirectional traffic and TCP is sufficient, iperf is much nicer than TTCP.

Regards,
Brad

From igoen99 at yahoo.com Wed Jul 16 03:42:05 2008
From: igoen99 at yahoo.com (Edi Guntoro)
Date: Wed, 16 Jul 2008 00:42:05 -0700 (PDT)
Subject: [c-nsp] Cisco MMPPP
Message-ID: <456412.6518.qm@web54303.mail.re2.yahoo.com>

Thanks Ben,
I understand now. Coz previously, regarding the user I thought this is a single user with PC/notebook/windows dialing using two different wireless services... is it possible?

regards
From ben.steele at internode.on.net Wed Jul 16 03:47:21 2008
From: ben.steele at internode.on.net (Ben Steele)
Date: Wed, 16 Jul 2008 17:17:21 +0930
Subject: [c-nsp] Cisco MMPPP
In-Reply-To: <456412.6518.qm@web54303.mail.re2.yahoo.com>
References: <456412.6518.qm@web54303.mail.re2.yahoo.com>

Yes it's possible to have say windows do multilink ppp through 2 separate network devices, never tried it though so not sure how reliable their implementation of it is.

Ben
>> > here is the layout: >> > regards >> > Igun >> > >> > >> > u /-----3.5g service---PPP---LAC---LNS1--| >> > s/ | >> > ___internet >> > e\ | >> > r \-----cdma service--PPP---LAC---LNS2--| >> > >> > >> > >> > >> > _______________________________________________ >> > cisco-nsp mailing list cisco-nsp at puck.nether.net >> > https://puck.nether.net/mailman/listinfo/cisco-nsp >> > archive at http://puck.nether.net/pipermail/cisco-nsp/ >> >> >> > > > From janasamit at wlink.com.np Wed Jul 16 04:45:19 2008 From: janasamit at wlink.com.np (Samit) Date: Wed, 16 Jul 2008 14:30:19 +0545 Subject: [c-nsp] Three STM-1 on one Cisco 7200vxr-npeG1 Message-ID: <487DB51F.1080205@wlink.com.np> Hi, Is it recommended to run three STM-1 (PA-POS-1OC3) on a single Cisco 7200vxr with NPE-G1 ? Regards, Samit From paul.cosgrove at heanet.ie Wed Jul 16 05:02:32 2008 From: paul.cosgrove at heanet.ie (Paul Cosgrove) Date: Wed, 16 Jul 2008 10:02:32 +0100 Subject: [c-nsp] 2621xm vs 1800? In-Reply-To: <001601c8e6af$7dd167c0$79743740$@org> References: <001a01c8e68e$1d288b40$5779a1c0$@org> <487CF140.608@heanet.ie> <001601c8e6af$7dd167c0$79743740$@org> Message-ID: <487DB928.6010006@heanet.ie> There is a nice index including this and other similar product comparisons (switch performance, vpn performance etc.) at:- http://www.cisco.com/web/partners/tools/quickreference/index.html Paul. Paul Stewart wrote: > Thanks... that's actually the document I was looking for ;) > > Our theory to date on the issues with the 2621XM's is possibly the vendor > itself and the memory they have been using. We have had a number of > problems with a particular batch of them purchased a while ago and the 3rd > party memory they are using specifically (we use 3rd party all the time with > great success normally). > > Want to swap one of the sites that is having repeated issues and prove it's > in the router somewhere or in the next hop device (wireless backhaul).
> > Thanks, > > Paul > > > -----Original Message----- > From: Paul Cosgrove [mailto:paul.cosgrove at heanet.ie] > Sent: Tuesday, July 15, 2008 2:50 PM > To: Paul Stewart > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] 2621xm vs 1800? > > Very much an upgrade judging from the following table. More than double > the PPS & Mbps for Fast/CEF switched packets:- > > http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerp > erformance.pdf > > > Would be interesting to know the cause of the issue though, > > Paul. > > Paul Stewart wrote: >> Hi there... >> >> We have some remote sites with 2621XM's running today. These routers are >> doing PPPOE termination primarily for 40-60 users. The 2621XM is handling >> the load just fine however we've been having random problems with them >> lately and wanted to swap out the 2621XM for a different, more current > model >> to see if the problem goes away (traffic just stops passing on the FE >> interfaces after a few weeks - tried multiple IOS versions - happening at >> several sites). >> >> My question is whether or not an 1841 would be a downgrade or an upgrade > for >> PPS and overall load? Or should we just bite the bullet and get 2801's >> instead? >> >> Thanks, >> >> Paul >> >> >> >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > > -- HEAnet Limited Ireland's Education & Research Network 5 George's Dock, IFSC, Dublin 1, Ireland Tel: +353.1.6609040 Web: http://www.heanet.ie Company registered in Ireland: 275301 Please consider the environment before printing this e-mail. 
From stig.johansen at ementor.no Wed Jul 16 05:51:20 2008 From: stig.johansen at ementor.no (Stig Johansen) Date: Wed, 16 Jul 2008 11:51:20 +0200 Subject: [c-nsp] Shape an L3 interface to 100mbit In-Reply-To: <20080715115646.F07A27B196@spunkymail-a16.g.dreamhost.com> References: <20080715115646.F07A27B196@spunkymail-a16.g.dreamhost.com> Message-ID: <13A13E9CF0F76342A79031B9E558C0C5187B4E@100NOOSLMSG004.common.alpharoot.net> Hi again, It may be a bit unclear, but on the 3560/3750-platform, you'll have to do egress policing by manipulating the DSCP-values on input-interfaces and tweaking the srr-queues on the output-interfaces. The old 3550-platform supported egress policing via aggregate-policers, a bit more logically and without the need for changing any values. Best regards, Stig Meireles Johansen -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Kurt Bales Sent: 15. juli 2008 13:57 To: cisco-nsp at puck.nether.net Subject: [c-nsp] Shape an L3 interface to 100mbit Hey Guys, I have a situation where my upstream is policing my connection to 100mb. I have a GigE interconnect to them, and we are currently connected at 1gb/full duplex. I have been requested to shape the traffic leaving our interconnect to 100mb so as to reduce the performance issues caused by packet loss etc caused by policing. What is the easiest way to apply 100mb shaping to an L3 (no switchport) interface on a 3560G? The speed of this link could change in the near future (over the next couple of days) so I would prefer to use QoS rules to apply shaping to this interface as opposed to forcing the interconnect to 100/Full (which would be of no use if the link changed to 250mb). Regards, K. 
_______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From gkg at gmx.de Wed Jul 16 06:10:00 2008 From: gkg at gmx.de (Garry) Date: Wed, 16 Jul 2008 12:10:00 +0200 Subject: [c-nsp] Three STM-1 on one Cisco 7200vxr-npeG1 In-Reply-To: <487DB51F.1080205@wlink.com.np> References: <487DB51F.1080205@wlink.com.np> Message-ID: <487DC8F8.9020604@gmx.de> Samit wrote: > Hi, > > Is it recommended to run three STM-1 (PA-POS-1OC3) on a single > Cisco700vxr with NPE-G1 ? Technically, it is supported, as each of the two buses have 600 bandwidth points, with an STM-1 interface taking up 300. Question is whether it might be recommendable to get a second router for redundancy reasons, e.g. if you are terminating several uplinks with that one router. If so, I'd advise against doing it all on one router ... -garry From rodunn at cisco.com Wed Jul 16 07:25:59 2008 From: rodunn at cisco.com (Rodney Dunn) Date: Wed, 16 Jul 2008 07:25:59 -0400 Subject: [c-nsp] The maximum number of match packets Cisco Router can detect on ACL at one time. In-Reply-To: <487D87AE.7070203@indo.net.id> References: <487D574D.8050803@indo.net.id> <487D87AE.7070203@indo.net.id> Message-ID: <20080716112559.GF18618@rtp-cse-489.cisco.com> If I remember correctly they are rate limited. You should use netflow and match on ACL dst if of Null0 rather than the log feature of the ACL's. Rodney On Wed, Jul 16, 2008 at 12:31:26PM +0700, a. rahman isnaini r.sutan wrote: > Hi charles, > > Depends on the engine processor. > Our G1 can handle this, it just the router not shown on the log (we > saved to a syslog-ng server). > > > rgs > a. rahman isnaini r.sutan > > Church, Charles wrote: > >If the router is subject to enough traffic where thousands of ACL hits > >are happening per second, you DON'T want to have any entries of that ACL > >logging. It's terrible for performance. 
> > > >Chuck > > > >-----Original Message----- > >From: cisco-nsp-bounces at puck.nether.net > >[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of a. rahman > >isnaini r.sutan > >Sent: Tuesday, July 15, 2008 10:05 PM > >To: Rodney Dunn > >Cc: cisco-nsp at puck.nether.net > >Subject: Re: [c-nsp] The maximum number of match packets Cisco Router > >can detect on ACL at one time. > > > > > >Thanks Rodney. > >Other thing, though the ACL matches thousands of hits at once.. > >The log couldn't show this (log buffer has been set to 4096 x 2) > > > >a. rahman isnaini r.sutan > > > >Rodney Dunn wrote: > >>There is no limit to the number of times the ACL will match and drop. > >> > >>The counter depending on how it's defined in the code may wrap but > >>that should never impact the ACL from matching and > >dropping/permitting. > >>Rodney > >> > >>On Tue, Jul 15, 2008 at 06:08:03PM +0700, a. rahman isnaini r.sutan > >wrote: > >>>Hi, > >>> > >>> > >>>Might be some you have noted once, the maximum value (number) that > >Cisco > >>>ACL can match let say flooding packets. > >>>Here : deny tcp any any eq 1434 (5732 matches) for example. > >>>Since I have a problem with 7200 NPE G1, the huge traffic cannot be > >>>detected & matched by ACL. > >>> > >>>thanks for share if you will. > >>> > >>>a.
rahman isnaini r.sutan > >>>_______________________________________________ > >>>cisco-nsp mailing list cisco-nsp at puck.nether.net > >>>https://puck.nether.net/mailman/listinfo/cisco-nsp > >>>archive at http://puck.nether.net/pipermail/cisco-nsp/ > >> > >> > >_______________________________________________ > >cisco-nsp mailing list cisco-nsp at puck.nether.net > >https://puck.nether.net/mailman/listinfo/cisco-nsp > >archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From rodunn at cisco.com Wed Jul 16 07:26:21 2008 From: rodunn at cisco.com (Rodney Dunn) Date: Wed, 16 Jul 2008 07:26:21 -0400 Subject: [c-nsp] Cisco 2851 bug ? In-Reply-To: <487CD18D.3080708@heanet.ie> References: <1215798920.28688.4.camel@svesken.sys.mjna.net> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00CC5@tiger.deltadentalwa.com> <323aca890807142306p148c5693t45762350558a34b6@mail.gmail.com> <20080715162427.GK4378@rtp-cse-489.cisco.com> <487CD18D.3080708@heanet.ie> Message-ID: <20080716112621.GG18618@rtp-cse-489.cisco.com> Yep. Done in CEF path. Rodney On Tue, Jul 15, 2008 at 05:34:21PM +0100, Paul Cosgrove wrote: > Hi Rodney, > > Is that safe to do even if the traffic rate and/or cpu is high? > > Looks like a nice feature. > > Paul. > > Rodney Dunn wrote: > >Or you could load the new 12.4(20)T and set up a packet capture > >on the punt path. ;) > > > >rtp-rodunn-871#monitor capture point ip process-switched test in ? > > > > > >rtp-rodunn-871#monitor capture point ip process-switched rodney in > >rtp-rodunn-871#mon > >rtp-rodunn-871#monitor cap > >rtp-rodunn-871#monitor capture buf > >rtp-rodunn-871#monitor capture buffer pakdump ? 
> > circular Circular Buffer > > clear Clear contents of capture buffer > > export Export in Pcap format > > filter Configure filters > > limit Limit the packets dumped to the buffer > > linear Linear Buffer(Default) > > max-size Maximum size of element in the buffer (in bytes) > > size Packet Dump buffer size (in Kbytes) > > > > > >rtp-rodunn-871#monitor capture buffer pakdump > > > >.... > > > >Start the capture and export it to pcap. ;) > > > >This is new functionality in 12.4(20)T so we've got some enhancements to > >add to it. > > > >Rodney > > > >On Tue, Jul 15, 2008 at 08:06:26AM +0200, Pavel Skovajsa wrote: > >>Hi, > >>IP Input spike is usually caused by abnormal 'IP input' traffic that > >>gets punted into the RP from CEF for whatever reason. > >>A very common cause is broadcast storm. You can see what what packet > >>is holding the CPU with 'show buffers input interface fa0/1'. However > >>you need to do this command during a real spike... > >> > >>Pavel > >> > >>On Fri, Jul 11, 2008 at 10:47 PM, Teller, Robert > >> wrote: > >>>Is anyone aware of a bug or configuration that could cause a sudden > >>>spike in IP input? > >>> > >>>uptime is 26 weeks, 3 days, 10 hours, 54 minutes > >>>System returned to ROM by reload at 01:40:08 PST Tue Jan 8 2008 > >>>System restarted at 01:41:34 PST Tue Jan 8 2008 > >>>System image file is "flash:c2800nm-ipbasek9-mz.124-17a.bin" > >>>Cisco 2851 (revision 53.51) with 251904K/10240K bytes of memory. 
> >>> > >>>PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process > >>> 66 125056 2917547 42 0.00% 0.00% 0.00% 0 CDP > >>>Protocol > >>> 67 28872876 373263867 77 0.08% 51.78% 47.36% 0 IP Input > >>> > >>>Seattle-WAN 01:00:26 PM Friday Jul 11 2008 DST > >>> > >>> > >>> 555558888899999888888888899999999 > >>> 555555544444444446666655555999998888844444333332222233333333 > >>>100 > >>> 90 ********** ******** > >>> 80 **************************** > >>> 70 **************************** > >>> 60 ********************************* > >>> 50 ********************************* > >>> 40 ********************************* > >>> 30 ********************************* > >>> 20 ********************************* > >>> 10 ******* ******************************************* > >>> 0....5....1....1....2....2....3....3....4....4....5....5....6 > >>> 0 5 0 5 0 5 0 5 0 5 0 > >>> CPU% per second (last 60 seconds) > >>> > >>> > >>> 9999999 1 > >>> 588886633444434434453334333334346534453335336645645556354344 > >>>100 ******* > >>> 90 #####** * > >>> 80 ######* * > >>> 70 ######* * > >>> 60 ######* * > >>> 50 ######* * > >>> 40 ######* * > >>> 30 ######* * > >>> 20 ####### * # > >>> 10 ####### * ** * * ** ** **** * # > >>> 0....5....1....1....2....2....3....3....4....4....5....5....6 > >>> 0 5 0 5 0 5 0 5 0 5 0 > >>> CPU% per minute (last 60 minutes) > >>> * = maximum CPU% # = average CPU% > >>> > >>> > >>> 1 1 11 1 1111 111 1111111111 11 1 7121111 1112 1111 111 > >>>1121111111111 > >>> > >>>691760977743309128787415602150180091972430809462896712922076244160072513 > >>>100 > >>> 90 > >>> 80 * > >>> 70 * > >>> 60 * > >>> 50 * > >>> 40 * > >>> 30 * * > >>> 20 * * * * ** * * * * * * ** * * * * > >>>* > >>> 10 > >>>************************************************************************ > >>> > >>>0....5....1....1....2....2....3....3....4....4....5....5....6....6....7. > >>>. 
> >>> 0 5 0 5 0 5 0 5 0 5 0 5 > >>>0 > >>> CPU% per hour (last 72 hours) > >>> * = maximum CPU% # = average CPU% > >>> > >>> > >>>######################################################### > >>>The information contained in this e-mail and subsequent attachments may > >>>be privileged, > >>>confidential and protected from disclosure. This transmission is > >>>intended for the sole > >>>use of the individual and entity to whom it is addressed. If you are > >>>not the intended > >>>recipient, any dissemination, distribution or copying is strictly > >>>prohibited. If you > >>>think that you have received this message in error, please e-mail the > >>>sender at the above > >>>e-mail address. > >>>######################################################### > >>>_______________________________________________ > >>>cisco-nsp mailing list cisco-nsp at puck.nether.net > >>>https://puck.nether.net/mailman/listinfo/cisco-nsp > >>>archive at http://puck.nether.net/pipermail/cisco-nsp/ > >>> > >>_______________________________________________ > >>cisco-nsp mailing list cisco-nsp at puck.nether.net > >>https://puck.nether.net/mailman/listinfo/cisco-nsp > >>archive at http://puck.nether.net/pipermail/cisco-nsp/ > >_______________________________________________ > >cisco-nsp mailing list cisco-nsp at puck.nether.net > >https://puck.nether.net/mailman/listinfo/cisco-nsp > >archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > > > -- > HEAnet Limited > Ireland's Education & Research Network > 5 George's Dock, IFSC, Dublin 1, Ireland > Tel: +353.1.6609040 > Web: http://www.heanet.ie > Company registered in Ireland: 275301 > > Please consider the environment before printing this e-mail. From rodunn at cisco.com Wed Jul 16 07:28:05 2008 From: rodunn at cisco.com (Rodney Dunn) Date: Wed, 16 Jul 2008 07:28:05 -0400 Subject: [c-nsp] "Total output drops" - congestion ? 
- 7200-VXR In-Reply-To: <20080716062231.GC71273@stlux503.dsto.defence.gov.au> References: <20080716062231.GC71273@stlux503.dsto.defence.gov.au> Message-ID: <20080716112805.GH18618@rtp-cse-489.cisco.com> What is the configuration of that interface and can you provide a 'sh int' between two drop periods? On Wed, Jul 16, 2008 at 02:22:31PM +0800, Wilkinson, Alex wrote: > Hi all, > > I am having problems with a particular device going down every 3-4 days. > The switchport for which this device is connected to is telling me it is > having a lot of "output drops" e.g. > > Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 13342805 > > I 'suspect' that these output drops could be the root cause of the device > attached to this port going down consistently. > > Question: Since 'output drops' seems to relate to interface congestion can > anyone recommend a tool to 'blast' this particular interface in > order to test {in,out}queues and congestion ? > > -aW > > IMPORTANT: This email remains the property of the Australian Defence Organisation and is subject to the jurisdiction of section 70 of the CRIMES ACT 1914. If you have received this email in error, you are requested to contact the sender and delete the email.
> > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From mtinka at globaltransit.net Wed Jul 16 07:39:31 2008 From: mtinka at globaltransit.net (Mark Tinka) Date: Wed, 16 Jul 2008 19:39:31 +0800 Subject: [c-nsp] Three STM-1 on one Cisco 7200vxr-npeG1 In-Reply-To: <487DC8F8.9020604@gmx.de> References: <487DB51F.1080205@wlink.com.np> <487DC8F8.9020604@gmx.de> Message-ID: <200807161939.32110.mtinka@globaltransit.net> On Wednesday 16 July 2008 18:10:00 Garry wrote: > Technically, it is supported, as each of the two buses > have 600 bandwidth points, with an STM-1 interface taking > up 300. Question is whether it might be recommendable to > get a second router for redundancy reasons, e.g. if you > are terminating several uplinks with that one router. If > so, I'd advise against doing it all on one router ... If you can afford a second router, I agree with Garry. Cheers, Mark. From bandhani at gmail.com Wed Jul 16 07:59:55 2008 From: bandhani at gmail.com (Farhan Jaffer) Date: Wed, 16 Jul 2008 16:59:55 +0500 Subject: [c-nsp] "Total output drops" - congestion ? - 7200-VXR In-Reply-To: <20080716062231.GC71273@stlux503.dsto.defence.gov.au> References: <20080716062231.GC71273@stlux503.dsto.defence.gov.au> Message-ID: <11b0f2da0807160459k1868c2a2n2579a2c19c88e407@mail.gmail.com> Have you tried the 'hold-queue ...' command? This may resolve your problem. On Wed, Jul 16, 2008 at 11:22 AM, Wilkinson, Alex wrote: > Hi all, > > I am having problems with a particular device going down every 3-4 days. > The switchport for which this device is connected to is telling me it is > having a lot of "output drops" e.g.
> > Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 13342805 > > I 'suspect' that these output drops could be the root cause of the device > attached to this port going down consistently. > > Question: Since 'output drops' seems to relate to interface congestion can > anyone recommed a tool to 'blast' this particular interface in > order to test {in,out}queues and congestion ? > > -aW > > IMPORTANT: This email remains the property of the Australian Defence Organisation and is subject to the jurisdiction of section 70 of the CRIMES ACT 1914. If you have received this email in error, you are requested to contact the sender and delete the email. > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From risnaini at indo.net.id Wed Jul 16 08:08:43 2008 From: risnaini at indo.net.id (a. rahman isnaini r.sutan) Date: Wed, 16 Jul 2008 19:08:43 +0700 Subject: [c-nsp] The maximum number of match packets Cisco Router can detect on ACL at one time. In-Reply-To: <20080716112559.GF18618@rtp-cse-489.cisco.com> References: <487D574D.8050803@indo.net.id> <487D87AE.7070203@indo.net.id> <20080716112559.GF18618@rtp-cse-489.cisco.com> Message-ID: <487DE4CB.4090502@indo.net.id> OK than, so Cisco Router has a limitation on plotting the maximum hits/matches on ACL to a raw log. Thanks Rodney. a. rahman isnaini r.sutan Rodney Dunn wrote: > If I remember correctly they are rate limited. > > You should use netflow and match on ACL dst if of Null0 rather > than the log feature of the ACL's. > > Rodney > > On Wed, Jul 16, 2008 at 12:31:26PM +0700, a. rahman isnaini r.sutan wrote: >> Hi charles, >> >> Depends on the engine processor. >> Our G1 can handle this, it just the router not shown on the log (we >> saved to a syslog-ng server). >> >> >> rgs >> a. 
rahman isnaini r.sutan >> >> Church, Charles wrote: >>> If the router is subject to enough traffic where thousands of ACL hits >>> are happening per second, you DON'T want to have any entries of that ACL >>> logging. It's terrible for performance. >>> >>> Chuck >>> >>> -----Original Message----- >>> From: cisco-nsp-bounces at puck.nether.net >>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of a. rahman >>> isnaini r.sutan >>> Sent: Tuesday, July 15, 2008 10:05 PM >>> To: Rodney Dunn >>> Cc: cisco-nsp at puck.nether.net >>> Subject: Re: [c-nsp] The maximum number of match packets Cisco Router >>> can detect on ACL at one time. >>> >>> >>> Thanks Rodney. >>> Other thing, though the ACL matches thousand of hits at once.. >>> The log couldn't show this (log buffere has been set to 4096 x 2) >>> >>> a. rahman isnaini r.sutan >>> >>> Rodney Dunn wrote: >>>> There is no limit to the number of times the ACL will match and drop. >>>> >>>> The counter depending on how it's defined in the code may wrap but >>>> that should never impact the ACL from matching and >>> dropping/permitting. >>>> Rodney >>>> >>>> On Tue, Jul 15, 2008 at 06:08:03PM +0700, a. rahman isnaini r.sutan >>> wrote: >>>>> Hi, >>>>> >>>>> >>>>> Might be some you have noted once, the maximum value (number) that >>> Cisco >>>>> ACL can match let say flooding packets. >>>>> Here : deny tcp any any eq 1434 (5732 matches) fro example. >>>>> Since I have a problem with 7200 NPE G1, the huge traffic cannot be >>>>> detected & matched by ACL. >>>>> >>>>> thanks for share if you will. >>>>> >>>>> a. 
rahman isnaini r.sutan >>>>> _______________________________________________ >>>>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>>> >>> _______________________________________________ >>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>> >>> >>> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > From Andrey_Oleinik at bms-consulting.com Wed Jul 16 08:43:37 2008 From: Andrey_Oleinik at bms-consulting.com (Andrey Oleinik) Date: Wed, 16 Jul 2008 15:43:37 +0300 Subject: [c-nsp] bandwidth points table (former Three STM-1 on one Cisco 7200vxr-npeG1) In-Reply-To: <487DC8F8.9020604@gmx.de> References: <487DB51F.1080205@wlink.com.np> <487DC8F8.9020604@gmx.de> Message-ID: <68D5E673B49F1D45A5BE41058C8AFDBCC18992CA13@BMSEXCH.BMS-CONSULTING.COM> Gentlemen, Saying about Cisco it's very new and interesting matrices for me (I mean bus/interface bandwidth points). Is this info available publicly? Thank U -- Respect, Andy Oleynik ... andyo> > Is it recommended to run three STM-1 (PA-POS-1OC3) on a single andyo> > Cisco700vxr with NPE-G1 ? andyo> andyo> Technically, it is supported, as each of the two buses have 600 andyo> bandwidth points, with an STM-1 interface taking up 300. Question andyo> is andyo> whether it might be recommendable to get a second router for andyo> redundancy andyo> reasons, e.g. if you are terminating several uplinks with that one andyo> router. If so, I'd advise against doing it all on one router ... ... 
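Garry's rule in the STM-1 thread above (two port-adapter buses on the 7200VXR, 600 bandwidth points per bus, a PA-POS-1OC3 STM-1 costing 300) can be turned into a quick placement check. The Python below is an added example, not code from the thread or from Cisco. It assumes only the figures Garry states; it treats the slot-to-bus assignment as free (Cisco's bandwidth-points document fixes which slots sit on which bus and gives the cost of other port adapters, none of which is assumed here), and it reports the remaining headroom per bus.

```python
from itertools import product

# Figures stated in the thread: two PA buses, 600 bandwidth points each,
# and 300 points for a PA-POS-1OC3 (STM-1). Costs of other adapters come
# from Cisco's bandwidth-points table and are deliberately not assumed.
BUS_CAPACITY = 600
NUM_BUSES = 2
STM1_POINTS = 300


def place_adapters(adapter_points, capacity=BUS_CAPACITY, buses=NUM_BUSES):
    """Try every adapter-to-bus assignment and return the first one in which
    no bus exceeds `capacity`, as a list of per-bus point lists.
    Returns None when no assignment fits. Exhaustive search is fine here:
    a 7200VXR has at most six PA slots, i.e. 2**6 assignments to examine."""
    for assignment in product(range(buses), repeat=len(adapter_points)):
        loads = [0] * buses
        for points, bus in zip(adapter_points, assignment):
            loads[bus] += points
        if all(load <= capacity for load in loads):
            return [[p for p, b in zip(adapter_points, assignment) if b == i]
                    for i in range(buses)]
    return None


def headroom(placement, capacity=BUS_CAPACITY):
    """Remaining bandwidth points on each bus for a placement from place_adapters()."""
    return [capacity - sum(bus) for bus in placement]


def check(adapter_points):
    """Human-readable verdict for a proposed set of port adapters."""
    placement = place_adapters(adapter_points)
    if placement is None:
        return "does not fit on %d buses of %d points each (adapters: %s)" % (
            NUM_BUSES, BUS_CAPACITY, adapter_points)
    return "fits: per-bus loads %s, headroom %s" % (
        [sum(bus) for bus in placement], headroom(placement))


if __name__ == "__main__":
    # Samit's question: three STM-1 interfaces on one NPE-G1 chassis.
    print(check([STM1_POINTS] * 3))
    # Three adapters of 400 points each cannot be split across two buses
    # without putting 800 on one of them, even though the total is 1200.
    print(check([400, 400, 400]))
```

The second call shows why the check has to place adapters rather than just sum points: the per-bus limit, not the chassis total, is what bites.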
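Rodney's request in the "Total output drops" thread above (a 'sh int' taken between two drop periods) is easier to act on when the two snapshots are diffed rather than eyeballed. The Python below is an added example, not code from the thread or a Cisco tool: it pulls the input-queue and output-drop counters out of two 'show interfaces' snapshots, computes a drop rate over the sampling interval, and flags a counter that is still climbing. The snapshots are constructed for the example around the queue line Alex posted; the interface name, the output-queue line and the second counter value are made up, and the one-drop-per-second alerting threshold is an arbitrary assumption.

```python
import re

# Queue/drop counter lines as IOS 'show interfaces' prints them. The first
# regex matches the format Alex quoted; the second matches the output
# hold-queue line that follows it on most IOS interfaces.
INPUT_QUEUE_RE = re.compile(
    r"Input queue: (?P<in_size>\d+)/(?P<in_max>\d+)/(?P<in_drops>\d+)/(?P<flushes>\d+)"
    r" \(size/max/drops/flushes\); Total output drops: (?P<out_drops>\d+)"
)
OUTPUT_QUEUE_RE = re.compile(r"Output queue: (?P<out_size>\d+)/(?P<out_max>\d+) \(size/max\)")


def parse_counters(show_int_output):
    """Return the queue and drop counters from one 'show interfaces' snapshot
    as a dict of ints, or None if the input-queue line is missing."""
    m = INPUT_QUEUE_RE.search(show_int_output)
    if m is None:
        return None
    counters = {k: int(v) for k, v in m.groupdict().items()}
    o = OUTPUT_QUEUE_RE.search(show_int_output)
    if o is not None:
        counters.update({k: int(v) for k, v in o.groupdict().items()})
    return counters


def drop_rate(before, after, seconds):
    """Output drops per second between two snapshots `seconds` apart.
    A counter that went backwards (wrap or 'clear counters') yields None
    instead of a misleading negative rate."""
    delta = after["out_drops"] - before["out_drops"]
    if seconds <= 0 or delta < 0:
        return None
    return delta / seconds


def assess(before_text, after_text, seconds, threshold_pps=1.0):
    """Diff two snapshots and say whether output drops are still accumulating.
    threshold_pps is an assumed alerting threshold, not an IOS value."""
    before, after = parse_counters(before_text), parse_counters(after_text)
    if before is None or after is None:
        raise ValueError("input-queue line not found in 'show interfaces' output")
    rate = drop_rate(before, after, seconds)
    return {
        "out_drops_delta": after["out_drops"] - before["out_drops"],
        "drops_per_sec": rate,
        "hold_queue_out": after.get("out_max"),
        "still_dropping": rate is not None and rate >= threshold_pps,
    }


# Constructed snapshots: the queue line in the first one carries the value
# Alex posted; the interface name, the output-queue line and the second
# counter value are made up for the example (snapshots 600 s apart).
BEFORE = """GigabitEthernet1/0 is up, line protocol is up
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 13342805
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
"""
AFTER = """GigabitEthernet1/0 is up, line protocol is up
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 13349005
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
"""

if __name__ == "__main__":
    print(assess(BEFORE, AFTER, 600))
```

The hold-queue depth is reported next to the rate because the replies in that thread argue about raising it: a deeper output queue only absorbs bursts, so if the counter keeps climbing at the same rate after the queue is enlarged, the interface is oversubscribed in steady state and a bigger queue just adds latency.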
From mathias.spoerr at at.ibm.com Wed Jul 16 09:02:57 2008 From: mathias.spoerr at at.ibm.com (Mathias Spoerr) Date: Wed, 16 Jul 2008 15:02:57 +0200 Subject: [c-nsp] bandwidth points table (former Three STM-1 on one Cisco 7200vxr-npeG1) In-Reply-To: <68D5E673B49F1D45A5BE41058C8AFDBCC18992CA13@BMSEXCH.BMS-CONSULTING.COM> References: <487DB51F.1080205@wlink.com.np> <487DC8F8.9020604@gmx.de> <68D5E673B49F1D45A5BE41058C8AFDBCC18992CA13@BMSEXCH.BMS-CONSULTING.COM> Message-ID: http://www.cisco.com/en/US/prod/collateral/routers/ps341/prod_presentation09186a008009184d.pdf Regards, Mathias From: Andrey Oleinik To: Garry Cc: "cisco-nsp at puck.nether.net" Date: 16.07.2008 15:00 Subject: Re: [c-nsp] bandwidth points table (former Three STM-1 on one Cisco 7200vxr-npeG1) Gentlemen, Saying about Cisco it's very new and interesting matrices for me (I mean bus/interface bandwidth points). Is this info available publicly? Thank U -- Respect, Andy Oleynik ... andyo> > Is it recommended to run three STM-1 (PA-POS-1OC3) on a single andyo> > Cisco700vxr with NPE-G1 ? andyo> andyo> Technically, it is supported, as each of the two buses have 600 andyo> bandwidth points, with an STM-1 interface taking up 300. Question andyo> is andyo> whether it might be recommendable to get a second router for andyo> redundancy andyo> reasons, e.g. if you are terminating several uplinks with that one andyo> router. If so, I'd advise against doing it all on one router ... ... _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 7943 bytes Desc: S/MIME Cryptographic Signature URL: From eric at roxanne.org Wed Jul 16 09:09:53 2008 From: eric at roxanne.org (Eric Gauthier) Date: Wed, 16 Jul 2008 09:09:53 -0400 Subject: [c-nsp] ASA connectivity issues Message-ID: <20080716130953.GA4060@roxanne.org> Hello, We've had an ASA5500 online for about two years providing VPN services for wireless users on our campus (v8.0(3)). Starting over the weekend, we've encountered a problem where users can connect and authenticate, but traffic isn't passing through the box (i.e. client side shows transmit data but nothing received back). Moreover, it appears to "come and go" in two ways. First, if your client connects and you wait long enough (~10 - 20 mins), traffic magically starts flowing. Second, the issue in general seems to disappear over night, which is leading us to think that it's some sort of new client (iphone maybe?) in the field but Cisco is saying that they haven't heard any reports of this type of issue. The last time we made a configuration change was in April, so we're at a loss for what might be causing this. We've had a TAC case open for a few days, but they haven't made much progress. Is anyone else seeing similar behaviour? Eric :) From streiner at cluebyfour.org Wed Jul 16 11:00:53 2008 From: streiner at cluebyfour.org (Justin M. Streiner) Date: Wed, 16 Jul 2008 11:00:53 -0400 (EDT) Subject: [c-nsp] Three STM-1 on one Cisco 7200vxr-npeG1 In-Reply-To: <487DB51F.1080205@wlink.com.np> References: <487DB51F.1080205@wlink.com.np> Message-ID: On Wed, 16 Jul 2008, Samit wrote: > Is it recommended to run three STM-1 (PA-POS-1OC3) on a single Cisco 7200vxr > with NPE-G1 ? Could it be done? Yes, but I wouldn't expect to see good performance if you try to move anything approaching line-rate traffic on those interfaces.
jms From avayner at cisco.com Wed Jul 16 11:21:37 2008 From: avayner at cisco.com (Arie Vayner (avayner)) Date: Wed, 16 Jul 2008 17:21:37 +0200 Subject: [c-nsp] Three STM-1 on one Cisco 7200vxr-npeG1 In-Reply-To: <487DB51F.1080205@wlink.com.np> References: <487DB51F.1080205@wlink.com.np> Message-ID: <67F7C1FAF83A074AA3520D8F155782A5019AE851@xmb-ams-331.emea.cisco.com> Samit, Take a look at the Jacket Card. It would help to extend the bandwidth point limitation: http://www.cisco.com/en/US/docs/routers/7200/install_and_upgrade/port_adapter_jacket_card_install/8427J.html Arie -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Samit Sent: Wednesday, July 16, 2008 11:45 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] Three STM-1 on one Cisco 7200vxr-npeG1 Hi, Is it recommended to run three STM-1 (PA-POS-1OC3) on a single Cisco 7200vxr with NPE-G1 ? Regards, Samit _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From david.freedman at uk.clara.net Wed Jul 16 11:41:15 2008 From: david.freedman at uk.clara.net (David Freedman) Date: Wed, 16 Jul 2008 16:41:15 +0100 Subject: [c-nsp] "Total output drops" - congestion ? - 7200-VXR In-Reply-To: <11b0f2da0807160459k1868c2a2n2579a2c19c88e407@mail.gmail.com> References: <20080716062231.GC71273@stlux503.dsto.defence.gov.au> <11b0f2da0807160459k1868c2a2n2579a2c19c88e407@mail.gmail.com> Message-ID: <487E169B.4020507@uk.clara.net> It is inadvisable to increase the output hold-queue as far as I am aware, this could cause packets to be delayed on egress which could cause TCP timeouts. Dave. Farhan Jaffer wrote: > Have you tried the 'hold-queue ...' command? This may resolve your problem.
> > > On Wed, Jul 16, 2008 at 11:22 AM, Wilkinson, Alex > wrote: >> Hi all, >> >> I am having problems with a particular device going down every 3-4 days. >> The switchport for which this device is connected to is telling me it is >> having a lot of "output drops" e.g. >> >> Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 13342805 >> >> I 'suspect' that these output drops could be the root cause of the device >> attached to this port going down consistently. >> >> Question: Since 'output drops' seems to relate to interface congestion can >> anyone recommend a tool to 'blast' this particular interface in >> order to test {in,out}queues and congestion ? >> >> -aW >> >> IMPORTANT: This email remains the property of the Australian Defence Organisation and is subject to the jurisdiction of section 70 of the CRIMES ACT 1914. If you have received this email in error, you are requested to contact the sender and delete the email. >> >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From risnaini at indo.net.id Wed Jul 16 11:34:36 2008 From: risnaini at indo.net.id (a. rahman isnaini r.sutan) Date: Wed, 16 Jul 2008 22:34:36 +0700 Subject: [c-nsp] Three STM-1 on one Cisco 7200vxr-npeG1 In-Reply-To: References: <487DB51F.1080205@wlink.com.np> Message-ID: <487E150C.4000209@indo.net.id> Nope.... You will have no buffer should flooding traffic occur. a. r.isnaini rangkayo sutan Justin M. Streiner wrote: > On Wed, 16 Jul 2008, Samit wrote: > >> Is it recommended to run three STM-1 (PA-POS-1OC3) on a single >> Cisco 7200vxr with NPE-G1 ? > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > From ASikkema at office.unet.nl Wed Jul 16 11:10:40 2008 From: ASikkema at office.unet.nl (Andreas Sikkema) Date: Wed, 16 Jul 2008 17:10:40 +0200 Subject: [c-nsp] Can an AS5350 route ISDN calls to ISDN? Message-ID: Hi, We're using a Cisco AS5350 as a SIP <-> ISDN PRI gateway. Normally we route calls from the incoming ISDN line to a SIP server (and vice versa). Currently we're wondering if we can route calls coming in from a specific ISDN line to another ISDN line directly without having to go through a SIP server. I've searched using Google and some pages suggest that these gateways can only route from ISDN to VoIP or vice versa.
From http://www.cisco.com/en/US/tech/tk652/tk90/technologies_tech_note09186a008010fed1.shtml I learned a lot more about which dial peer is matched, but not whether there's a preference against routing calls from ISDN to ISDN directly or whether it's fully supported.

Does anyone have experience either way? Pointers to relevant documents?

--
Andreas Sikkema
Service Specialist Voice
Unet BV, Almere, the Netherlands

From rolf-web at internet.ao Wed Jul 16 11:51:03 2008
From: rolf-web at internet.ao (Rolf Mendelsohn)
Date: Wed, 16 Jul 2008 16:51:03 +0100
Subject: [c-nsp] "Total output drops" - congestion ? - 7200-VXR
In-Reply-To: <487E169B.4020507@uk.clara.net>
References: <20080716062231.GC71273@stlux503.dsto.defence.gov.au> <11b0f2da0807160459k1868c2a2n2579a2c19c88e407@mail.gmail.com> <487E169B.4020507@uk.clara.net>
Message-ID: <200807161651.03903.rolf-web@internet.ao>

Hi Guys,

This really depends on the speed of the interface and what is connected on the other side.

We had a serial satellite link of 5M, which was never running higher than 4.5M due to regular bursty traffic. After increasing the queue (fair-queue 320 256 0) the link now does about 4.9M, without drops and without any significant increase in latency.

I guess the default WFQ size might be a bit small for some links.

I also think that hold-queue is only relevant if you are using FIFO queuing. Alternatively WRR queuing could help.

cheers
/rolf

On Wednesday 16 July 2008 16:41:15 David Freedman wrote:
> It is inadvisable to increase the output hold-queue as far as I am
> aware, this could cause packets to be delayed on egress which could
> cause TCP timeouts.
>
> Dave.
>
> Farhan Jaffer wrote:
> > Have you tried the 'hold-queue ...' command. This may resolve your problem.
> >
> > On Wed, Jul 16, 2008 at 11:22 AM, Wilkinson, Alex wrote:
> >> Hi all,
> >>
> >> I am having problems with a particular device going down every 3-4 days.

From abalashov at evaristesys.com Wed Jul 16 12:21:50 2008
From: abalashov at evaristesys.com (Alex Balashov)
Date: Wed, 16 Jul 2008 12:21:50 -0400
Subject: [c-nsp] Can an AS5350 route ISDN calls to ISDN?
In-Reply-To:
References:
Message-ID: <487E201E.7050700@evaristesys.com>

Andreas Sikkema wrote:
> We're using a Cisco AS5350 as a SIP <-> ISDN PRI gateway. Normally we
> route calls from the incoming ISDN line to a SIP server (and vice versa).
> Currently we're wondering if we can route calls coming in from a specific
> ISDN line to another ISDN line directly without having to go through a SIP
> server.

The answer is yes. What it *cannot* do is hairpin VoIP calls (in VoIP, out VoIP). But it can cross-connect TDM.

--
Alex Balashov
Evariste Systems
Web    : http://www.evaristesys.com/
Tel    : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (706) 338-8599

From r.nevot at gmail.com Wed Jul 16 17:53:06 2008
From: r.nevot at gmail.com (Raul Lopez Nevot)
Date: Wed, 16 Jul 2008 23:53:06 +0200
Subject: [c-nsp] configurations
Message-ID:

Hello,

Is anybody having an AS5350 with PRI(s) and Asterisk running for incoming/outgoing calls between SIP and ISDN/Analog willing to post the AS5350 config and Asterisk config? Just to get straight to the core...

From abalashov at evaristesys.com Wed Jul 16 18:25:51 2008
From: abalashov at evaristesys.com (Alex Balashov)
Date: Wed, 16 Jul 2008 18:25:51 -0400 (EDT)
Subject: [c-nsp] configurations
In-Reply-To:
References:
Message-ID: <20867.97.81.73.247.1216247151.squirrel@webmail.corp.evaristesys.com>

On Wed, July 16, 2008 5:53 pm, Raul Lopez Nevot wrote:
> Hello,
> anybody having a AS5350 with PRI(s) and asterisk running for
> incoming/outgoing calls between SIP and ISDN/Analog is willing to post
> as5350 config and asterisk config?

All the configs I have are rather lengthy (for AS5300s and 5400s) as they involve considerable routing complexity. Is there some specific question you have, or are you trying to arrive at a holistic sense of how to configure such a gateway to front Asterisk? I'd like to get you the relevant subset of the config that distills it down to what you're looking for.
--
Alex

--
Alex Balashov
Evariste Systems
Web    : http://www.evaristesys.com/
Tel    : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (706) 338-8599

From jason at pins.net Wed Jul 16 18:56:37 2008
From: jason at pins.net (Jason Berenson)
Date: Wed, 16 Jul 2008 18:56:37 -0400
Subject: [c-nsp] Cisco 2651XM and NM
Message-ID: <487E7CA5.6090100@pins.net>

Greetings,

So, according to this at table 3:

http://www.cisco.com/en/US/prod/collateral/routers/ps259/product_data_sheet09186a00801aa71c.html

the NM-2FE is not supported on the 2651XM. Any idea as to how I could get 3 FE ports on a 2651XM? I don't need anywhere near line speed but need the link to sync up at 100M full duplex. If not I guess I'll have to just get a 2691. :(

Thanks,
Jason

From merlyn at Geeks.ORG Wed Jul 16 19:21:06 2008
From: merlyn at Geeks.ORG (Doug McIntyre)
Date: Wed, 16 Jul 2008 18:21:06 -0500
Subject: [c-nsp] Cisco 2651XM and NM
In-Reply-To: <487E7CA5.6090100@pins.net>
References: <487E7CA5.6090100@pins.net>
Message-ID: <20080716232106.GA90563@geeks.org>

On Wed, Jul 16, 2008 at 06:56:37PM -0400, Jason Berenson wrote:
> So, according to this at table 3:
>
> http://www.cisco.com/en/US/prod/collateral/routers/ps259/product_data_sheet09186a00801aa71c.html
>
> the NM-2FE are not supported on the 2651XM. Any idea as to how I could get
> 3 FE ports on a 2651XM? I don't need anywhere near line speed but need the
> link to sync up at 100M full duplex. If not I guess I'll have to just get
> a 2691. :(

Right, anything with a LAN port on an NM card isn't supported in a 26xx (plain or XM), with the 2691 excepted (maybe they should have called it the 3610 or something.. :).

There's the NM-16ESW which would fit into the 2651XM and function as one more FE port with 16 switch ports behind it.

I personally would swap out the chassis for a 3640, which gives you a little more CPU than the 2651XM, and you can fit a lot more cards/ports into it.

From jason at pins.net Wed Jul 16 20:24:08 2008
From: jason at pins.net (Jason Berenson)
Date: Wed, 16 Jul 2008 20:24:08 -0400
Subject: [c-nsp] Cisco 2651XM and NM
In-Reply-To: <20080716232106.GA90563@geeks.org>
References: <487E7CA5.6090100@pins.net> <20080716232106.GA90563@geeks.org>
Message-ID: <487E9128.8050306@pins.net>

Doug,

The only issue is the XM is not EOL and the 3640 is, I think. I may be able to dig up a 3640 in my office; if not I'll probably go with a 2691.

-Jason

Doug McIntyre wrote:
> Right, anything with a LAN port on an NM card isn't supported in a
> 26xx(plain or XM) (with the 2691 excepted, maybe they should have
> called it the 3610 or something.. :).
>
> There's the NM-16ESW which would fit into the 2651XM and function as
> one more FE port with 16 switch ports behind it.
>
> I personally would swap out the chassis for a 3640, which gives you a
> little more CPU than the 2651XM, and you can fit alot more cards/ports
> into it.

From alex.wilkinson at dsto.defence.gov.au Wed Jul 16 20:32:34 2008
From: alex.wilkinson at dsto.defence.gov.au (Wilkinson, Alex)
Date: Thu, 17 Jul 2008 08:32:34 +0800
Subject: [c-nsp] "Total output drops" - congestion ? - 7200-VXR
In-Reply-To: <20080716112805.GH18618@rtp-cse-489.cisco.com>
References: <20080716062231.GC71273@stlux503.dsto.defence.gov.au> <20080716112805.GH18618@rtp-cse-489.cisco.com>
Message-ID: <20080717003234.GA80335@stlux503.dsto.defence.gov.au>

On Wed, Jul 16, 2008 at 07:28:05AM -0400, Rodney Dunn wrote:

>What is the configuration of that interface and can you provide
>a 'sh int' between two drop periods?

From 'running-config'

interface FastEthernet4/10
 no snmp trap link-status

From 'show int FastEthernet4/10'

FastEthernet4/10 is up, line protocol is up (connected)
  Hardware is Fast Ethernet Port, address is 0009.e85e.9879 (bia 0009.e85e.9879)
  MTU 1500 bytes, BW 10000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Half-duplex, 10Mb/s
  input flow-control is unsupported output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 18:17:11
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 118
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 1000 bits/sec, 2 packets/sec
     7 packets input, 524 bytes, 0 no buffer
     Received 0 broadcasts (0 multicast)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     136771 packets output, 13580522 bytes, 0 underruns
     1 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

You will note that it is "Half-duplex, 10Mb/s". That is no mistake since the device that is connected to this switch-port is only capable of 10Mb/s.

I did a 'clear counters FastEthernet4/10' yesterday and came in this morning to find our ATM link was down again and "Total output drops" up to 118.

I then rebooted the device that is connected to this switch-port and voila, the ATM link comes up and the EIGRP neighbour adjacency reforms.

Not sure how to verify if congestion is the root cause of this re-occurring problem.

-aW

From nick.geyer at eds.com Thu Jul 17 01:16:07 2008
From: nick.geyer at eds.com (Geyer, Nick)
Date: Thu, 17 Jul 2008 15:16:07 +1000
Subject: [c-nsp] NAT and hairpin's
Message-ID: <83027F7A5EB4D6449A1393A94E4D41DA03857419@aubwm232.apac.corp.eds.com>

Hi Everyone,

Just wondering if anyone has come up with a way to hairpin traffic using a Cisco router? The problem is as follows:

Say for example I have a router connecting to the Internet and an internal LAN doing normal NAT, e.g.:

203.1.2.3 -> ROUTER <- 192.168.1.0/24 (203.1.2.3 being the public IP on the "outside" interface)

I have an application that talks from clients on the Internet to an internal server (192.168.1.1), with the appropriate static NATs set up on the router to forward the traffic. The problem is the internal clients also need to talk to the server but on the public IP address (203.1.2.3). The traffic from the internal clients will hit the router but it won't translate and forward the traffic because it's coming from the "inside" interface (and the static NAT only works for requests from the outside interface).

I don't believe it can be done but just thought I would ask in case anyone has come up with a weird and wonderful way.

Cheers,

Nick Geyer.
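Picking up the "Total output drops" thread above, where Rodney asked for a 'sh int' between two drop periods: as an added example (not code from the list or from Cisco), a small Python script that parses the 'show int FastEthernet4/10' text Alex posted, diffs it against a second snapshot constructed here, and reports what a practitioner would check first (drop delta per packets sent, the duplex setting, late collisions, and whether counters were cleared in between).

```python
"""Diff two Cisco IOS 'show interface' snapshots and flag what changed.

Added example, not from the cisco-nsp thread: SNAPSHOT_1 is the
'show int FastEthernet4/10' text Alex posted (trimmed to the lines used);
SNAPSHOT_2 is CONSTRUCTED from it, as if taken some hours later.
"""
import re

SNAPSHOT_1 = """\
FastEthernet4/10 is up, line protocol is up (connected)
  Hardware is Fast Ethernet Port, address is 0009.e85e.9879 (bia 0009.e85e.9879)
  MTU 1500 bytes, BW 10000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Keepalive set (10 sec)
  Half-duplex, 10Mb/s
  Last clearing of "show interface" counters 18:17:11
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 118
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
     7 packets input, 524 bytes, 0 no buffer
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     136771 packets output, 13580522 bytes, 0 underruns
     1 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 output buffer failures, 0 output buffers swapped out
"""

# CONSTRUCTED second snapshot: same port, drop and late-collision counters advanced.
SNAPSHOT_2 = (SNAPSHOT_1
              .replace("Total output drops: 118", "Total output drops: 342")
              .replace("136771 packets output", "140113 packets output")
              .replace("0 late collision", "3 late collision"))

# Counter name -> regex with one capture group, searched over the whole block.
COUNTERS = {
    "input_drops": r"Input queue: \d+/\d+/(\d+)/\d+",
    "output_drops": r"Total output drops: (\d+)",
    "packets_output": r"(\d+) packets output",
    "output_errors": r"(\d+) output errors",
    "collisions": r"(\d+) collisions",
    "late_collisions": r"(\d+) late collision",
    "interface_resets": r"(\d+) interface resets",
}


def parse_show_interface(text):
    """Return interface state plus integer counters from one 'show interface' block."""
    m = re.search(r"^(\S+) is (\S+), line protocol is (\S+)", text, re.M)
    if not m:
        raise ValueError("not a 'show interface' block")
    info = {"name": m.group(1), "state": m.group(2), "protocol": m.group(3)}
    m = re.search(r"(Half|Full)-duplex, (\d+)Mb/s", text)
    info["duplex"] = m.group(1) if m else None
    info["speed_mbps"] = int(m.group(2)) if m else None
    m = re.search(r"Queueing strategy: (\S+)", text)
    info["queueing"] = m.group(1) if m else None
    m = re.search(r"Output queue: \d+/(\d+) \(size/max\)", text)
    info["output_queue_max"] = int(m.group(1)) if m else None
    for key, pattern in COUNTERS.items():
        m = re.search(pattern, text)
        info[key] = int(m.group(1)) if m else 0
    return info


def diff_snapshots(before, after):
    """Per-counter delta; a negative value means counters were cleared in between."""
    return {k: after[k] - before[k] for k in COUNTERS}


def assess(before, after):
    """Plain-text findings for the interval between two snapshots of one port."""
    delta = diff_snapshots(before, after)
    findings = []
    if any(v < 0 for v in delta.values()):
        findings.append("counters were cleared between snapshots; deltas are not meaningful")
        return findings
    if delta["output_drops"]:
        per_kpkt = 1000.0 * delta["output_drops"] / max(delta["packets_output"], 1)
        findings.append("%d new output drops (%.1f per 1000 packets sent) with %s queueing, "
                        "output queue max %s" % (delta["output_drops"], per_kpkt,
                                                  after["queueing"], after["output_queue_max"]))
    if after["duplex"] == "Half":
        findings.append("port is Half-duplex at %sMb/s; confirm the attached device really "
                        "wants half-duplex rather than just 10Mb/s" % after["speed_mbps"])
    if delta["late_collisions"]:
        findings.append("%d late collisions: the classic duplex-mismatch symptom"
                        % delta["late_collisions"])
    if delta["interface_resets"]:
        findings.append("%d interface resets" % delta["interface_resets"])
    return findings


if __name__ == "__main__":
    before = parse_show_interface(SNAPSHOT_1)
    after = parse_show_interface(SNAPSHOT_2)
    for line in assess(before, after):
        print(line)
```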
From marc at archernet.id.au Thu Jul 17 01:25:14 2008
From: marc at archernet.id.au (Marc Archer)
Date: Thu, 17 Jul 2008 15:25:14 +1000
Subject: [c-nsp] NAT and hairpin's
In-Reply-To: <83027F7A5EB4D6449A1393A94E4D41DA03857419@aubwm232.apac.corp.eds.com>
References: <83027F7A5EB4D6449A1393A94E4D41DA03857419@aubwm232.apac.corp.eds.com>
Message-ID: <2f48f6b80807162225i617c08c2h600c8128ebf273c6@mail.gmail.com>

Hi Nick,

We had the same problem at work and used DNS to get around it. The only solution we found was to have a second internal DNS that would resolve to the internal IP so that both internal and external users could access the server from a common DNS name.

Marc.

2008/7/17 Geyer, Nick :
> Hi Everyone,
>
> Just wondering if anyone has come up with a way to hairpin traffic using
> a Cisco router? The problem is as follows;

From nick.geyer at EDS.COM Thu Jul 17 01:36:56 2008
From: nick.geyer at EDS.COM (Geyer, Nick)
Date: Thu, 17 Jul 2008 15:36:56 +1000
Subject: [c-nsp] NAT and hairpin's
In-Reply-To: <2f48f6b80807162225i617c08c2h600c8128ebf273c6@mail.gmail.com>
References: <83027F7A5EB4D6449A1393A94E4D41DA03857419@aubwm232.apac.corp.eds.com> <2f48f6b80807162225i617c08c2h600c8128ebf273c6@mail.gmail.com>
Message-ID: <83027F7A5EB4D6449A1393A94E4D41DA0385745B@aubwm232.apac.corp.eds.com>

Hi Marc,

That's what I usually do as well. In this scenario though an internal DNS server is not an option as all traffic is by IP address, not hostname.

It's got me stumped and I know Cisco used to say it was not possible, but am just wondering if there is anything new that could be used/manipulated to do this.

Cheers

________________________________
From: Marc Archer [mailto:marc at archernet.id.au]
Sent: Thursday, 17 July 2008 3:25 PM
To: Geyer, Nick
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] NAT and hairpin's

Hi Nick,

We had the same problem at work and used DNS to get around it.

2008/7/17 Geyer, Nick :

Hi Everyone,

Just wondering if anyone has come up with a way to hairpin traffic using a Cisco router?
From ben.steele at internode.on.net Thu Jul 17 01:48:02 2008
From: ben.steele at internode.on.net (Ben Steele)
Date: Thu, 17 Jul 2008 15:18:02 +0930
Subject: [c-nsp] NAT and hairpin's
In-Reply-To: <83027F7A5EB4D6449A1393A94E4D41DA03857419@aubwm232.apac.corp.eds.com>
References: <83027F7A5EB4D6449A1393A94E4D41DA03857419@aubwm232.apac.corp.eds.com>
Message-ID: <5524DDA6-F891-444E-AFE8-D22FC61C687E@internode.on.net>

This is where DNS doctoring on the ASA/PIX really comes in handy!

Split DNS is usually the way to go, but I had another thought: can you put the public 203 address as an alias on the server and then set up a policy route-map on your LAN interface to match packets with a destination of your server and port, say something like "permit tcp LAN host 203.1.2.3 eq 80", then put a "set ip next-hop SERVER LAN IP"?

On 17/07/2008, at 2:46 PM, Geyer, Nick wrote:
> Hi Everyone,
>
> Just wondering if anyone has come up with a way to hairpin traffic
> using a Cisco router? The problem is as follows;

From tedm at toybox.placo.com Thu Jul 17 02:58:05 2008
From: tedm at toybox.placo.com (Ted Mittelstaedt)
Date: Wed, 16 Jul 2008 23:58:05 -0700
Subject: [c-nsp] NAT and hairpin's
In-Reply-To: <2f48f6b80807162225i617c08c2h600c8128ebf273c6@mail.gmail.com>
Message-ID:

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Marc Archer
> Sent: Wednesday, July 16, 2008 10:25 PM
> To: Geyer, Nick
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] NAT and hairpin's
>
> Hi Nick,
>
> We had the same problem at work and used DNS to get around it. The only
> solution we found was to have a second internal DNS that would resolve to
> the internal IP so that both internal and external users could access the
> server from a common DNS name.

IOS NAT code will rewrite the DNS query if the DNS server is on the outside and the clients are on the inside, so that the clients get the internal number, not the external number. The only caveat is that you have to statically map an outside IP number to the inside IP number; you can't port forward off an overloaded outside interface and have the DNS magic work.

Ted

From brett at looney.id.au Thu Jul 17 03:37:37 2008
From: brett at looney.id.au (Brett Looney)
Date: Thu, 17 Jul 2008 15:37:37 +0800
Subject: [c-nsp] NAT and hairpin's
In-Reply-To: <83027F7A5EB4D6449A1393A94E4D41DA03857419@aubwm232.apac.corp.eds.com>
References: <83027F7A5EB4D6449A1393A94E4D41DA03857419@aubwm232.apac.corp.eds.com>
Message-ID: <05cd01c8e7e0$00ee58d0$02cb0a70$@id.au>

> Just wondering if anyone has come up with a way to hairpin traffic
> using a Cisco router?
> The problem is as follows;

Sounds just like "NAT on a stick":

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml

B.

From Simon.Fawcett at uk.fujitsu.com Thu Jul 17 06:40:11 2008
From: Simon.Fawcett at uk.fujitsu.com (Fawcett Simon)
Date: Thu, 17 Jul 2008 11:40:11 +0100
Subject: [c-nsp] NAT and hairpin's
In-Reply-To: <83027F7A5EB4D6449A1393A94E4D41DA03857419@aubwm232.apac.corp.eds.com>
References: <83027F7A5EB4D6449A1393A94E4D41DA03857419@aubwm232.apac.corp.eds.com>
Message-ID:

I have done this on an ASA running 7.2 code. It definitely works.

What happened was the inside server was, say, 10.0.0.1 with an outside address 1.1.1.1; all client traffic by default was NATted to a hide address 2.2.2.2. My PC therefore was 10.0.0.2 heading for 1.1.1.1. I was NATted by the hide address so my source was 2.2.2.2. The only odd thing about it was that you then needed to permit on the outside interface inbound traffic from 2.2.2.2 going to 1.1.1.1, and everything worked.

I hope this makes sense and helps someone.

God bless the ASA

Simon

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Geyer, Nick
Sent: 17 July 2008 06:16
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] NAT and hairpin's

Hi Everyone,

Just wondering if anyone has come up with a way to hairpin traffic using a Cisco router?

From bandhani at gmail.com Thu Jul 17 07:06:31 2008
From: bandhani at gmail.com (Farhan Jaffer)
Date: Thu, 17 Jul 2008 16:06:31 +0500
Subject: [c-nsp] PtP link over FR
Message-ID: <11b0f2da0807170406j1fe76e01nab8ba193a366a887@mail.gmail.com>

Hi,

There is an interesting situation; let me discuss the scenario first.

Cisco Router A ----(same n/w)---- Juniper Router -----(FR point-to-point PVC)------- Cisco Router B.

The PVC is Active and point-to-point connectivity is OK. But the ping response from Cisco router A to B via FR is unreachable, and vice versa.

However, if I replace the Juniper router with a Cisco router, it works fine.

Is there any IP forwarding-like thing? Or any other problem?

Thanks very much in advance.

-FJ

From bandhani at gmail.com Thu Jul 17 08:27:50 2008
From: bandhani at gmail.com (Farhan Jaffer)
Date: Thu, 17 Jul 2008 17:27:50 +0500
Subject: [c-nsp] PtP link over FR
In-Reply-To: <11b0f2da0807170406j1fe76e01nab8ba193a366a887@mail.gmail.com>
References: <11b0f2da0807170406j1fe76e01nab8ba193a366a887@mail.gmail.com>
Message-ID: <11b0f2da0807170527t325518fbw7db3cbf1844bf54d@mail.gmail.com>

Thanks to all. It was one mistake from my side. I used the management interface IP address for routes on the Juniper :)

It's working fine now. Thanks again.
-FJ

On Thu, Jul 17, 2008 at 4:06 PM, Farhan Jaffer wrote:
> Hi,
>
> There is an interesting situation, let me discuss the scenario first,
>
> Cisco Router A ----(same n/w) ---- Juniper Router -----(FR
> point-to-point pvc) ------- Cisco Router B.

From dwinkworth at wi.rr.com Thu Jul 17 10:23:22 2008
From: dwinkworth at wi.rr.com (Wink)
Date: Thu, 17 Jul 2008 09:23:22 -0500
Subject: [c-nsp] NAT and hairpin's
In-Reply-To: <83027F7A5EB4D6449A1393A94E4D41DA03857419@aubwm232.apac.corp.eds.com>
References: <83027F7A5EB4D6449A1393A94E4D41DA03857419@aubwm232.apac.corp.eds.com>
Message-ID: <487F55DA.4040900@wi.rr.com>

See:

ftp://ftp.rfc-editor.org/in-notes/internet-drafts/draft-ietf-behave-tcp-07.txt

and

http://tools.ietf.org/html/rfc4787

See section 7.2 in the first. It looks like what you are asking for will be required of all NAT implementations soon for TCP. It is already a BCP and a "requirement" for UDP.

Geyer, Nick wrote:
> Hi Everyone,
>
> Just wondering if anyone has come up with a way to hairpin traffic using
> a Cisco router? The problem is as follows;

From rodunn at cisco.com Thu Jul 17 10:37:44 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Thu, 17 Jul 2008 10:37:44 -0400
Subject: [c-nsp] "Total output drops" - congestion ? - 7200-VXR
In-Reply-To: <20080717003234.GA80335@stlux503.dsto.defence.gov.au>
References: <20080716062231.GC71273@stlux503.dsto.defence.gov.au> <20080716112805.GH18618@rtp-cse-489.cisco.com> <20080717003234.GA80335@stlux503.dsto.defence.gov.au>
Message-ID: <20080717143744.GA737@rtp-cse-489.cisco.com>

Hard to say without more data. What is connected to the FE port shouldn't have anything to do with the ATM link status.

On Thu, Jul 17, 2008 at 08:32:34AM +0800, Wilkinson, Alex wrote:
> On Wed, Jul 16, 2008 at 07:28:05AM -0400, Rodney Dunn wrote:
>
> >What is the configuration of that interface and can you provide
> >a 'sh int' between two drop periods?
> > >From 'running-config' > > interface FastEthernet4/10 > no snmp trap link-status > > >From 'show int FastEthernet4/10' > > FastEthernet4/10 is up, line protocol is up (connected) > Hardware is Fast Ethernet Port, address is 0009.e85e.9879 (bia 0009.e85e.9879) > MTU 1500 bytes, BW 10000 Kbit, DLY 100 usec, > reliability 255/255, txload 1/255, rxload 1/255 > Encapsulation ARPA, loopback not set > Keepalive set (10 sec) > Half-duplex, 10Mb/s > input flow-control is unsupported output flow-control is unsupported > ARP type: ARPA, ARP Timeout 04:00:00 > Last input never, output never, output hang never > Last clearing of "show interface" counters 18:17:11 > Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 118 > Queueing strategy: fifo > Output queue: 0/40 (size/max) > 5 minute input rate 0 bits/sec, 0 packets/sec > 5 minute output rate 1000 bits/sec, 2 packets/sec > 7 packets input, 524 bytes, 0 no buffer > Received 0 broadcasts (0 multicast) > 0 runts, 0 giants, 0 throttles > 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored > 0 input packets with dribble condition detected > 136771 packets output, 13580522 bytes, 0 underruns > 1 output errors, 0 collisions, 0 interface resets > 0 babbles, 0 late collision, 0 deferred > 0 lost carrier, 0 no carrier > 0 output buffer failures, 0 output buffers swapped out > > You will note that it is "Half-duplex, 10Mb/s". That is no mistake since the > device that is connected to this switch-port is only capable of 10Mb/s. > > I did a 'clear counters FastEthernet4/10' yesterday and came in this morning > to find our ATM link was down again and "Total output drops" up to 118. > > I then reboot the device that is connected to this switch-port and volia, ATM link > comes up and EIGRP neighbour adjacency reforms. > > Not sure how to verify if congestion is the root cause of this re-occuring > problem. 
>
> -aW
>
> IMPORTANT: This email remains the property of the Australian Defence Organisation and is subject to the jurisdiction of section 70 of the CRIMES ACT 1914. If you have received this email in error, you are requested to contact the sender and delete the email.

From janasamit at wlink.com.np Thu Jul 17 12:37:19 2008
From: janasamit at wlink.com.np (Samit)
Date: Thu, 17 Jul 2008 22:22:19 +0545
Subject: [c-nsp] Three STM-1 on one Cisco 7200vxr-npeG1
In-Reply-To: <487DB51F.1080205@wlink.com.np>
References: <487DB51F.1080205@wlink.com.np>
Message-ID: <487F753F.2040209@wlink.com.np>

Thank you all for your feedback.

Regards,
Samit

Samit wrote:
> Hi,
>
> Is it recommended to run three STM-1 (PA-POS-1OC3) on a single
> Cisco 7200vxr with NPE-G1 ?
>
> Regards,
> Samit

From billf at mu.org Thu Jul 17 13:16:11 2008
From: billf at mu.org (bill fumerola)
Date: Thu, 17 Jul 2008 10:16:11 -0700
Subject: [c-nsp] "Total output drops" - congestion ? - 7200-VXR
In-Reply-To: <20080717003234.GA80335@stlux503.dsto.defence.gov.au>
References: <20080716062231.GC71273@stlux503.dsto.defence.gov.au>
 <20080716112805.GH18618@rtp-cse-489.cisco.com>
 <20080717003234.GA80335@stlux503.dsto.defence.gov.au>
Message-ID: <20080717171611.GD6869@elvis.mu.org>

On Thu, Jul 17, 2008 at 08:32:34AM +0800, Wilkinson, Alex wrote:
> Half-duplex, 10Mb/s
>
> You will note that it is "Half-duplex, 10Mb/s". That is no mistake since the
> device that is connected to this switch-port is only capable of 10Mb/s.

10Mb/s doesn't infer half-duplex though.
are you sure the device requires half-duplex? what is the device?

also, i'll repeat rodney's point that ATM and Ethernet interface problems
can only be tangentially related.

-- bill

From rick.martin at arkansas.gov Thu Jul 17 09:47:28 2008
From: rick.martin at arkansas.gov (Rick Martin)
Date: Thu, 17 Jul 2008 08:47:28 -0500
Subject: [c-nsp] NAT and hairpin's
In-Reply-To: <83027F7A5EB4D6449A1393A94E4D41DA03857419@aubwm232.apac.corp.eds.com>
References: <83027F7A5EB4D6449A1393A94E4D41DA03857419@aubwm232.apac.corp.eds.com>
Message-ID:

We run into this frequently with our public school networks; a couple of
things we try to do:

1. Eliminate the hairpin traffic to the router - DNS trickery as already
mentioned and/or a second NIC in the target server. We configure our routers
with the public network as a secondary IP on the router; you would still have
the hairpin traffic without the aid of DNS trickery. The DNS trickery may be
nothing more than a local hosts file on each internal client that the TCP
stack would reference before looking to the configured DNS server. This local
hosts file would have a DNS mapping for the local server pointing to the
private address.

2. ALWAYS include "ip route-cache same-interface" on a router interface that
might experience hairpin traffic.

If the traffic is not terribly significant the route-cache same-interface is
usually sufficient; if the traffic is expected to be significant we do
everything we can to eliminate the hairpin traffic altogether.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Geyer, Nick
Sent: Thursday, July 17, 2008 12:16 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] NAT and hairpin's

Hi Everyone,

Just wondering if anyone has come up with a way to hairpin traffic using a
Cisco router?
The problem is as follows:

Say for example I have a router connecting to the Internet and an internal
LAN doing normal NAT, e.g.:

203.1.2.3 -> ROUTER <- 192.168.1.0/24 (203.1.2.3 being the public IP on the
"outside" interface)

I have an application that talks from clients on the Internet to an internal
server (192.168.1.1), with the appropriate static NATs set up on the router
to forward the traffic. The problem is the internal clients also need to talk
to the server but on the public IP address (203.1.2.3). The traffic from the
internal clients will hit the router but it won't translate and forward the
traffic because it's coming from the "inside" interface (and the static NAT
only works for requests from the outside interface).

I don't believe it can be done but just thought I would ask in case anyone
has come up with a weird and wonderful way.

Cheers,

Nick Geyer.

From mtinka at globaltransit.net Thu Jul 17 14:42:09 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Fri, 18 Jul 2008 02:42:09 +0800
Subject: [c-nsp] IS-IS: Ignore Attached Bit
Message-ID: <200807180242.14631.mtinka@globaltransit.net>

Folks, is there an elegant way to ignore the attached bit in IOS?

Cheers,

Mark.
From oboehmer at cisco.com Thu Jul 17 15:25:29 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Thu, 17 Jul 2008 21:25:29 +0200
Subject: [c-nsp] IS-IS: Ignore Attached Bit
In-Reply-To: <200807180242.14631.mtinka@globaltransit.net>
References: <200807180242.14631.mtinka@globaltransit.net>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405BBEAC0@xmb-ams-333.emea.cisco.com>

Mark Tinka <> wrote on Thursday, July 17, 2008 8:42 PM:

> Folks, is there an elegant way to ignore the attached bit in
> IOS?

r(config)#router isis
r(config-router)#ignore-attached-bit
r(config-router)#

I'm not kidding.. :-) it's a hidden command, though..

	oli

From howard at leadmon.net Thu Jul 17 16:12:02 2008
From: howard at leadmon.net (Howard Leadmon)
Date: Thu, 17 Jul 2008 16:12:02 -0400
Subject: [c-nsp] OT: Possible List Troll/Spammer..
Message-ID: <009c01c8e849$6334f210$299ed630$@net>

After posting to the list last week, sure enough I got a Cisco reseller
solicitation from a Matt Martyniuk [mmartyniuk at f5technology.com] to buy or
sell Cisco gear. I looked back at the past year's archive, and I don't see a
single posting from this person on the list, so can only assume they are
trolling/spamming people on here looking for business, as the message read:

"I came across you on puck.nether.net and noticed you use Cisco networking
equipment. I've done business with many IT professionals on puck and wanted
to see if there was opportunity for us to do some business. I manage IT
hardware assets for various companies and specialize in Cisco networking
gear."

Not sure if others are getting this, but I know for a fact I have never dealt
with Function5 before, so figured I would take a moment and let everyone
know..
---
Howard Leadmon

From mtinka at globaltransit.net Thu Jul 17 17:41:36 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Fri, 18 Jul 2008 05:41:36 +0800
Subject: [c-nsp] IS-IS: Ignore Attached Bit
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405BBEAC0@xmb-ams-333.emea.cisco.com>
References: <200807180242.14631.mtinka@globaltransit.net>
 <70B7A1CCBFA5C649BD562B6D9F7ED78405BBEAC0@xmb-ams-333.emea.cisco.com>
Message-ID: <200807180541.37184.mtinka@globaltransit.net>

On Friday 18 July 2008 03:25:29 Oliver Boehmer (oboehmer) wrote:

> r(config)#router isis
> r(config-router)#ignore-attached-bit
> r(config-router)#
>
> I'm not kidding.. :-) it's a hidden command, though..

Thank you sir :-).

Cheers,

Mark.

From jarabrow at gmail.com Thu Jul 17 20:46:47 2008
From: jarabrow at gmail.com (Jared Brown)
Date: Thu, 17 Jul 2008 20:46:47 -0400
Subject: [c-nsp] multilink ds3's
Message-ID: <66a95d4f0807171746p397fe7c0vfc371976fa25ef5b@mail.gmail.com>

Hello,
I wanted to check to see if there would be any issue with multilinking 2
serial ds3's on a pa-2t3 card. I know the IOS supports it, but I was worried
about all the overhead and the proc load. Each end would have a
7206vxr/npe-g1 and pa-2t3 cards. Thanks.

Jared

From paul at paulstewart.org Thu Jul 17 22:01:04 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Thu, 17 Jul 2008 22:01:04 -0400
Subject: [c-nsp] GigE Max Speed
Message-ID: <000d01c8e87a$23dba330$6b92e990$@org>

Hi there...

On one of our 7606's we have a GigE link that is getting fairly "hot" with
traffic....
GigabitEthernet4/1 is up, line protocol is up (connected)
  Hardware is C6k 1000Mb 802.3, address is 0011.20cc.fdbc (bia 0011.20cc.fdbc)
  Description: xxxxxxxxxxxxxxxxxxx
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 208/255, rxload 145/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is LH
  input flow-control is off, output flow-control is on
  Clock mode is auto
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 8w1d, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/2000/438/0 (size/max/drops/flushes); Total output drops: 98911
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 571885000 bits/sec, 124290 packets/sec
  5 minute output rate 817892000 bits/sec, 133528 packets/sec
     420136257397 packets input, 259502587402081 bytes, 0 no buffer
     Received 105842980 broadcasts (56056385 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 438 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     406989787118 packets output, 241435931635384 bytes, 0 underruns
     0 output errors, 0 collisions, 3 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 14 pause output

I've ordered a new x-connect with the idea of running etherchannel... my real
question is how much further can I push this link? There's no latency or
issues that are evident yet but wanted to ask anyways....

Thanks ;)

Paul

From ltd at cisco.com Thu Jul 17 22:12:34 2008
From: ltd at cisco.com (Lincoln Dale)
Date: Fri, 18 Jul 2008 12:12:34 +1000
Subject: [c-nsp] GigE Max Speed
In-Reply-To: <000d01c8e87a$23dba330$6b92e990$@org>
References: <000d01c8e87a$23dba330$6b92e990$@org>
Message-ID: <487FFC12.9050608@cisco.com>

Paul Stewart wrote:
> Hi there...
>
> On one of our 7606's we have a GigE link that is getting fairly "hot" with
> traffic....
>
> GigabitEthernet4/1 is up, line protocol is up (connected)
> ..
> Input queue: 0/2000/438/0 (size/max/drops/flushes); Total output drops:
> 98911
> 5 minute output rate 817892000 bits/sec, 133528 packets/sec
> ...
> 406989787118 packets output, 241435931635384 bytes, 0 underruns
>
> I've ordered a new x-connect with the idea of running etherchannel... my
> real question is how much further can I push this link? There's no latency
> or issues that are evident yet but wanted to ask anyways....
>

you're pushing it pretty hard already. a 5 minute average of 817 Mbps would
probably imply instantaneously pushing 1 Gbps.

more granular statistics (e.g. setting load-interval to 30 seconds) may show
more dynamic nature than a 5 minute average, but i'd say getting 15 or 30
second SNMP counters may show you hitting 1Gbps for periods of time.

latency would be a function of queuing & average queue length.
based on your statistics, you have 98K output queue drops (queue was full)
based on 406 billion packets -- so it clearly isn't happening _too_ often ...
yet .. :)

cheers,

lincoln.

From hank at efes.iucc.ac.il Thu Jul 17 23:31:34 2008
From: hank at efes.iucc.ac.il (Hank Nussbacher)
Date: Fri, 18 Jul 2008 06:31:34 +0300 (IDT)
Subject: [c-nsp] GigE Max Speed
In-Reply-To: <487FFC12.9050608@cisco.com>
References: <000d01c8e87a$23dba330$6b92e990$@org> <487FFC12.9050608@cisco.com>
Message-ID:

On Fri, 18 Jul 2008, Lincoln Dale wrote:

> Paul Stewart wrote:
>> Hi there...
>>
>> On one of our 7606's we have a GigE link that is getting fairly "hot" with
>> traffic....
>>
>> GigabitEthernet4/1 is up, line protocol is up (connected)
>>
> ..
>> Input queue: 0/2000/438/0 (size/max/drops/flushes); Total output drops:
>> 98911
>> 5 minute output rate 817892000 bits/sec, 133528 packets/sec
>>
> ...
>> 406989787118 packets output, 241435931635384 bytes, 0 underruns
>>
>> I've ordered a new x-connect with the idea of running etherchannel...
>> my
>> real question is how much further can I push this link? There's no latency
>> or issues that are evident yet but wanted to ask anyways....
>>
> you're pushing it pretty hard already. a 5 minute average of 817 Mbps would
> probably imply instantaneously pushing 1 Gbps.
>
> more granular statistics (e.g. setting load-interval to 30 seconds) may show
> more dynamic nature than a 5 minute average, but i'd say getting 15 or 30
> second SNMP counters may show you hitting 1Gbps for periods of time.
>
> latency would be a function of queuing & average queue length.
> based on your statistics, you have 98K output queue drops (queue was full)
> based on 406 billion packets -- so it clearly isn't happening _too_ often ...
> yet .. :)

Why not add something like:

hold-queue 1024 out
hold-queue 1024 in

-Hank

From swmike at swm.pp.se Fri Jul 18 01:47:08 2008
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Fri, 18 Jul 2008 07:47:08 +0200 (CEST)
Subject: [c-nsp] GigE Max Speed
In-Reply-To: <000d01c8e87a$23dba330$6b92e990$@org>
References: <000d01c8e87a$23dba330$6b92e990$@org>
Message-ID:

On Thu, 17 Jul 2008, Paul Stewart wrote:

> 5 minute output rate 817892000 bits/sec, 133528 packets/sec

This can't go up much over around 930-940k (depending on your packet size
mix), so you have very little headroom left, especially due to..

> I've ordered a new x-connect with the idea of running etherchannel... my
> real question is how much further can I push this link? There's no
> latency or issues that are evident yet but wanted to ask anyways....

the 7600 doesn't have much buffers, so even when you're dropping packets,
don't expect to see more than 3-5 ms of increased latency over the link.
--
Mikael Abrahamsson    email: swmike at swm.pp.se

From Andrey_Oleinik at bms-consulting.com Fri Jul 18 02:52:22 2008
From: Andrey_Oleinik at bms-consulting.com (Andrey Oleinik)
Date: Fri, 18 Jul 2008 09:52:22 +0300
Subject: [c-nsp] multilink ds3's
In-Reply-To: <66a95d4f0807171746p397fe7c0vfc371976fa25ef5b@mail.gmail.com>
References: <66a95d4f0807171746p397fe7c0vfc371976fa25ef5b@mail.gmail.com>
Message-ID: <68D5E673B49F1D45A5BE41058C8AFDBCC189A04FB0@BMSEXCH.BMS-CONSULTING.COM>

According to my brand new knowledge of the Bandwidth Points concept for the
7200, in the absence of other PAs in both chassis your PA-2T3+ will consume
180 bp of the 600 bp of the selected bus at each router :O)

Jokes aside, as long as your configuration is supported I don't see any
reason to make you unhappy with it, even if multilinking of T3s would appear
at processor level.

--
Respect,
Andy Oleynik
Telecom Dpt Chief
BMS Consulting Ltd
10, Stritenska Str., of. 520
Kyiv, 01025, UA
tel +380(44)4619961
tel +380(44)4619963 extn 162
fax +380(44)4619962
www.bms-consulting.com

andyo> -----Original Message-----
andyo> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
andyo> bounces at puck.nether.net] On Behalf Of Jared Brown
andyo> Sent: Friday, July 18, 2008 3:47 AM
andyo> To: cisco-nsp at puck.nether.net
andyo> Subject: [c-nsp] multilink ds3's
andyo>
andyo> Hello,
andyo> I wanted to check to see if there would be any issue with
andyo> multilinking 2
andyo> serial ds3's on a pa-2t3 card. I know the IOS supports it, but I
andyo> was worried
andyo> about all the overhead and the proc load. Each end would have a
andyo> 7206vxr/npe-g1 and pa-2t3 cards. Thanks.
andyo>
andyo> Jared

From paul at paulstewart.org Fri Jul 18 06:28:34 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Fri, 18 Jul 2008 06:28:34 -0400
Subject: [c-nsp] GigE Max Speed
In-Reply-To: <487FFC12.9050608@cisco.com>
References: <000d01c8e87a$23dba330$6b92e990$@org> <487FFC12.9050608@cisco.com>
Message-ID: <000f01c8e8c1$0a0f0db0$1e2d2910$@org>

Thanks for all the replies on list and off list.... We're going to sit tight
until early next week when the new x-connect will be installed
thankfully...;)

Take care,

Paul

-----Original Message-----
From: Lincoln Dale [mailto:ltd at cisco.com]
Sent: Thursday, July 17, 2008 10:13 PM
To: Paul Stewart
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] GigE Max Speed
From ASikkema at office.unet.nl Fri Jul 18 07:28:18 2008
From: ASikkema at office.unet.nl (Andreas Sikkema)
Date: Fri, 18 Jul 2008 13:28:18 +0200
Subject: [c-nsp] Can an AS5350 route ISDN calls to ISDN?
In-Reply-To: <487E201E.7050700@evaristesys.com>
Message-ID:

Alex Balashov wrote on 16-07-2008 18:21:50:

> Andreas Sikkema wrote:
>
> > We're using a Cisco AS5350 as a SIP <-> ISDN PRI gateway. Normally we
> > route calls from the incoming ISDN line to a SIP server (and vice versa).
> > Currently we're wondering if we can route calls coming in from a specific
> > ISDN line to another ISDN line directly without having to go through a SIP
> > server.
>
> The answer is yes.

Cool! So I just match the incoming calls from a specific ISDN interface and
send them out through another. Are there any caveats I should know? I can't
match specific dialled or dialling numbers, currently there's over 2000 DID's
in use on these lines.

> What it *cannot* do is hairpin VoIP calls (in VoIP, out VoIP). But it
> can cross-connect TDM.

Oh, that's no problem, I only want to hairpin TDM. Thanks!

--
Andreas Sikkema

From dwinkworth at wi.rr.com Fri Jul 18 08:45:01 2008
From: dwinkworth at wi.rr.com (Derick Winkworth)
Date: Fri, 18 Jul 2008 08:45:01 -0400
Subject: [c-nsp] tx-ring-limit on ISR ATM-AIM module...
Message-ID: <4880904D.8020705@wi.rr.com>

All:

I believe I may need to tune down the tx-ring on a 3845 with ATM-AIM module.
I'm looking at this, and it doesn't look like it uses the same system that
the 7200 uses (i.e., with particles/576 bytes per particle calculation).
from "show controller atm0/ima0" I see the following:

############
MXT5100 Channel Info:

Channel Info (0):
  Chan_ID (0x1425), Open Status SUCCESS, VC(1)VPI/VCI(1/777),
  Tx Ring packets(used/max 0/40), Tx SBD(used/max 0/40)
  Tx PDU(5941481), Tx PDU discard(0)
  Tx SDU size err(0), Tx cell CLP0(123777482), Tx cell CLP1(0)
  Rx PDU(4827762), Rx PDU discard(0), Rx SDU size err(0)
  Rx CRC err(1), Rx cell CLP0(24771185), Rx cell CLP1(0)
#################

So it looks like the tx-ring is just 40 "packets" long. I'm assuming this
means 40 AAL5 packets? Does anyone know what "SBD" stands for?

I tried getting some tech docs on the MXT5100 from Conexant, but you need a
support account to access that.

Derick

From abalashov at evaristesys.com Fri Jul 18 09:44:48 2008
From: abalashov at evaristesys.com (Alex Balashov)
Date: Fri, 18 Jul 2008 09:44:48 -0400
Subject: [c-nsp] Can an AS5350 route ISDN calls to ISDN?
In-Reply-To:
References:
Message-ID: <48809E50.2090100@evaristesys.com>

Andreas Sikkema wrote:

> Cool! So I just match the incoming calls from a specific ISDN interface
> and send them out through another. Are there any caveats I should know? I
> can't match specific dialled or dialling numbers, currently there's over
> 2000 DID's in use on these lines.

No other caveats. You don't have to match incoming calls on a peer based on
an expression for "incoming called-number ..." - you can just create a peer
that has an affinity to a voice port, although it won't work to bind it to a
trunk-group (that only works for outgoing). But otherwise, no other things
readily come to mind.

-- Alex

--
Alex Balashov
Evariste Systems
Web    : http://www.evaristesys.com/
Tel    : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (706) 338-8599

From dwinkworth at wi.rr.com Fri Jul 18 09:31:47 2008
From: dwinkworth at wi.rr.com (Derick Winkworth)
Date: Fri, 18 Jul 2008 09:31:47 -0400
Subject: [c-nsp] tx-ring-limit on ISR ATM-AIM module...
In-Reply-To: <000f01c8e8e0$940dcd70$640f19ac@MEDIACNTR>
References: <4880904D.8020705@wi.rr.com> <000f01c8e8e0$940dcd70$640f19ac@MEDIACNTR>
Message-ID: <48809B43.80206@wi.rr.com>

I just found this:

http://www.cisco.com/en/US/tech/tk39/tk824/technologies_tech_note09186a0080094b48.shtml

It looks like the BD part stands for "buffer description", so it's a data
structure describing a packet in the queue?

Tyson Scott wrote:
> State-Based Decoder
>
> This is my guess based on searches.
>
> Here is the only article that I could find that seemed to make sense.
>
> http://net.educause.edu/elements/attachments/rfi/rfi_1/XACCT_original.pdf
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S and Security
> Technical Instructor - IPexpert, Inc.
>
> Telephone: +1.810.326.1444
> Cell: +1.248.504.7309
> Fax: +1.810.454.0130
> Mailto: tscott at ipexpert.com
>
> Join our free online support and peer group communities:
> http://www.IPexpert.com/communities
>
> IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand
> and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE
> Security Lab, CCIE Service Provider Lab , CCIE Voice Lab and CCIE Storage
> Lab Certifications.
>
> -----Original Message-----
> From: nobody at groupstudy.com [mailto:nobody at groupstudy.com] On Behalf Of
> Derick Winkworth
> Sent: Friday, July 18, 2008 8:45 AM
> To: Cisco NSP; Groupstudy R&S
> Subject: tx-ring-limit on ISR ATM-AIM module...
From leonardo.souza at nec.com.br Fri Jul 18 10:51:31 2008
From: leonardo.souza at nec.com.br (Leonardo Gama Souza)
Date: Fri, 18 Jul 2008 11:51:31 -0300
Subject: [c-nsp] WS-X4548-GB-RJ45V spec
Message-ID: <9E07F8717FE8BC4FBAE6860F61EA6C1D0174514E@spsrvmail03.nec.br>

Hello list,

Does anyone know the specs for the WS-X4548-GB-RJ45V module? Is the 1 Gbps
per port-group (8-to-1 oversubscription) full-duplex? What is the maximum pps
processing?

I am facing 'Rx No Packet Buffer' on two ports of the same port-group and I
think I'm hitting those limitations... Maybe some buffer adjustment is
needed.

Kind regards,
Leonardo

From eric at atlantech.net Fri Jul 18 10:58:29 2008
From: eric at atlantech.net (Eric Van Tol)
Date: Fri, 18 Jul 2008 10:58:29 -0400
Subject: [c-nsp] OT: Possible List Troll/Spammer..
In-Reply-To: <009c01c8e849$6334f210$299ed630$@net>
References: <009c01c8e849$6334f210$299ed630$@net>
Message-ID: <2C05E949E19A9146AF7BDF9D44085B8635058ED6A0@exchange.aoihq.local>

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Howard Leadmon
> Sent: Thursday, July 17, 2008 4:12 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] OT: Possible List Troll/Spammer..
>
> Not sure if others are getting this, but I know for a fact I have never
> dealt with Function5 before, so figured I would take a moment and let
> everyone know..
>
> ---
> Howard Leadmon

Seems to me that there should be a few simple questions asked prior to
joining the list or viewing the archives:

1. What is your name?
2. What is your quest?
3. What is more important - making sure a network product/service gets to
market quickly or making sure the network product/service works prior to
advertising its availability to customers?

I'm pretty sure the third question would weed out the unscrupulous sales
types and hopefully eject them forcibly from whatever chair they are sitting
in.

-evt

From mylists at battleop.com Fri Jul 18 11:08:04 2008
From: mylists at battleop.com (Richey)
Date: Fri, 18 Jul 2008 11:08:04 -0400
Subject: [c-nsp] OT: Possible List Troll/Spammer..
In-Reply-To: <2C05E949E19A9146AF7BDF9D44085B8635058ED6A0@exchange.aoihq.local>
References: <009c01c8e849$6334f210$299ed630$@net>
 <2C05E949E19A9146AF7BDF9D44085B8635058ED6A0@exchange.aoihq.local>
Message-ID: <001d01c8e8e8$13d21190$3b7634b0$@com>

Couldn't resist.

4. Do you think it is important that all mailing list members should be
informed of your absence via an auto responder when you take a day off?
Richey

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Eric Van Tol
Sent: Friday, July 18, 2008 10:58 AM
To: 'Howard Leadmon'; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] OT: Possible List Troll/Spammer..

From tedm at toybox.placo.com Fri Jul 18 11:56:09 2008
From: tedm at toybox.placo.com (Ted Mittelstaedt)
Date: Fri, 18 Jul 2008 08:56:09 -0700
Subject: [c-nsp] NAT and hairpin's
In-Reply-To:
Message-ID:

So what happened to the CPU of the ASA when the PC and server started sending
100Mbit of data to each other? Or was one of them running 10BaseT,
half-duplex?
Ted

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Fawcett Simon
> Sent: Thursday, July 17, 2008 3:40 AM
> To: Geyer, Nick; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] NAT and hairpin's
>
> I have done this on an ASA running 7.2 code. It definitely works.
>
> What happened was the inside server was say 10.0.0.1 with an outside
> address 1.1.1.1; all client traffic by default was natted to a hide
> address 2.2.2.2.
>
> My pc therefore was 10.0.0.2 heading for 1.1.1.1. I was natted by the hide
> address so my source was 2.2.2.2.
>
> The only odd thing about it was that you then needed to permit on the
> outside interface inbound traffic from 2.2.2.2 going to 1.1.1.1 and
> everything worked.
>
> I hope this makes sense and helps someone
>
> God bless the ASA
>
> Simon
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Geyer, Nick
> Sent: 17 July 2008 06:16
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] NAT and hairpin's
From cchurc05 at harris.com Fri Jul 18 13:24:01 2008
From: cchurc05 at harris.com (Church, Charles)
Date: Fri, 18 Jul 2008 12:24:01 -0500
Subject: [c-nsp] IPSec VPN client to router, then router to router
Message-ID:

Anyone,

I'm having trouble getting the following config to work. I'm not sure if
this is possible. I've got 2 878 routers attached to the internet. Router A
supports remote clients. Router A has a LAN to LAN IPSec connection to
Router B. B does not support clients. Is it possible for the client to
establish a connection to Router A, then access resources off of router B via
the LAN-LAN tunnel? In other words, packet comes in client tunnel, then is
forwarded back out the LAN-LAN tunnel off of the same interface to get to
router B. Return traffic takes reverse path, obviously.

Thanks,

Chuck

From daubman at gmail.com Fri Jul 18 13:35:41 2008
From: daubman at gmail.com (Aaron Daubman)
Date: Fri, 18 Jul 2008 13:35:41 -0400
Subject: [c-nsp] mGRE support for IPv6?
Message-ID:

Greetings,

Has anybody heard of upcoming (or current, that I totally missed) support for
mGRE with IPv6 (mGRE over native IPv6 core)?
Thanks,
Aaron

From markom at markom.info Fri Jul 18 13:39:46 2008
From: markom at markom.info (Marko Milivojevic)
Date: Fri, 18 Jul 2008 17:39:46 +0000
Subject: [c-nsp] OT: Possible List Troll/Spammer..
In-Reply-To: <001d01c8e8e8$13d21190$3b7634b0$@com>
References: <009c01c8e849$6334f210$299ed630$@net>
	<2C05E949E19A9146AF7BDF9D44085B8635058ED6A0@exchange.aoihq.local>
	<001d01c8e8e8$13d21190$3b7634b0$@com>
Message-ID: <1fb747910807181039y5a223bd9tf0f8824ecf7a0c1a@mail.gmail.com>

> Couldn't resist.
>
> 4. Do you think it is important that all mailing list members should be
> informed of your absence via an auto responder when you take a day off?

In our defense (yes, I'm one of those people), some of us may not have a
choice. When we leave for vacation, we must configure an auto responder if
we are using work e-mail for mailing list subscriptions... Some are willing
to change (once again, I'm one of those people) the e-mail used for mailing
lists and others don't, because they rightfully consider this to be part of
their job. The rest of us have to live with the occasional deletion of auto
responses...

On a lighter note, I'm one of those who like to know when Oli or Rodney are
away ;-). Almost makes no point in writing an email otherwise *grin*.

--
Marko
CCIE #18427

From benny+usenet at amorsen.dk Fri Jul 18 13:55:19 2008
From: benny+usenet at amorsen.dk (Benny Amorsen)
Date: Fri, 18 Jul 2008 19:55:19 +0200
Subject: [c-nsp] OT: Possible List Troll/Spammer..
In-Reply-To: <1fb747910807181039y5a223bd9tf0f8824ecf7a0c1a@mail.gmail.com>
	(Marko Milivojevic's message of "Fri, 18 Jul 2008 17:39:46 +0000")
References: <009c01c8e849$6334f210$299ed630$@net>
	<2C05E949E19A9146AF7BDF9D44085B8635058ED6A0@exchange.aoihq.local>
	<001d01c8e8e8$13d21190$3b7634b0$@com>
	<1fb747910807181039y5a223bd9tf0f8824ecf7a0c1a@mail.gmail.com>
Message-ID:

"Marko Milivojevic" writes:

> In our defense (yes, I'm one of those people), some of us may not have
> a choice. When we leave for vacation, we must configure auto
> responder, if we are using work e-mail for mailing list
> subscriptions...

If a mail program sends an autoresponse to a list mail, it's simply broken.
I believe even Exchange/Outlook is smart enough to not do that.

/Benny

From petelists at templin.org Fri Jul 18 14:04:15 2008
From: petelists at templin.org (Pete Templin)
Date: Fri, 18 Jul 2008 13:04:15 -0500
Subject: [c-nsp] OT: Possible List Troll/Spammer..
In-Reply-To:
References: <009c01c8e849$6334f210$299ed630$@net>
	<2C05E949E19A9146AF7BDF9D44085B8635058ED6A0@exchange.aoihq.local>
	<001d01c8e8e8$13d21190$3b7634b0$@com>
	<1fb747910807181039y5a223bd9tf0f8824ecf7a0c1a@mail.gmail.com>
Message-ID: <4880DB1F.2050506@templin.org>

Benny Amorsen wrote:
> "Marko Milivojevic" writes:
>
>> In our defense (yes, I'm one of those people), some of us may not have
>> a choice. When we leave for vacation, we must configure auto
>> responder, if we are using work e-mail for mailing list
>> subscriptions...
>
> If a mail program sends an autoresponse to a list mail, it's simply
> broken. I believe even Exchange/Outlook is smart enough to not do
> that.

No, it isn't, at least in some versions. Some of us have to use it, at
least for our work email.

Next item. I took the time four or five years ago to ask the NANOG list
what MUA (along with any MTA exclusions) was "NANOG-approved" and provided
threaded viewing - I was using Outlook for work and Outlook Express for
personal email, but was willing to change the personal program to anything
else. Thunderbird is the result. Life goes on.

pt

From luan at t3technology.com Fri Jul 18 14:32:24 2008
From: luan at t3technology.com (Luan M Nguyen)
Date: Fri, 18 Jul 2008 14:32:24 -0400
Subject: [c-nsp] mGRE support for IPv6?
In-Reply-To:
References:
Message-ID: <007101c8e904$9fdfe290$df9fa7b0$@com>

You are asking at the right time :) as 12.4.20T just got released and it
has support for IPv6 with DMVPN. I haven't got a chance to play with it
yet, but you could check it out for yourself.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6968/ps6441/product_bulletin_c25-409474.html#wp9001720

Lots of cool features such as the monitor thing that Rodney mentioned
before, also Object Group for ACL just like the PIX.

-Luan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Aaron Daubman
Sent: Friday, July 18, 2008 1:36 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] mGRE support for IPv6?

Greetings,

Has anybody heard of upcoming (or current, that I totally missed) support
for mGRE with IPv6 (mGRE over native IPv6 core)?

Thanks,
Aaron

From CB at nianet.dk Fri Jul 18 14:33:51 2008
From: CB at nianet.dk (Christian Bering)
Date: Fri, 18 Jul 2008 20:33:51 +0200
Subject: [c-nsp] 7600, SRB3, high CPU on "BGP Event"
Message-ID:

Hi all,

After upgrading a SUP720-3BXL to SRB3, CPU utilization has gone up quite a
bit. The CLI is extremely slow and the input lag is awful. The process
eating up most of the CPU is the "BGP Event" which seems to run quite often
and every time it does, I get the follow