[nsp] Re: cisco-nsp Digest, Vol 8, Issue 65

Victor M. Acosta victorm at elpasotimes.com
Thu Jul 24 16:47:14 EDT 2003


I found a solution for it:
I just added the following line to my ACL.

access-list 101 permit tcp any host <SERVER-IP> gt 1023

If I only have the ftp-data and data open, when the FTP Client goes to Passive
it will open different ports. Therefore, you have to specify a range of
addresses or open the greater-than (gt) <port number>, "gt 1023". However, you
will expose all the ports going from 1024 to whatever.

If this is a concern to you, you can use the Proftpd that someone else suggested
in the last post. Thanks to everyone that responded.





Victor M. Acosta                                  El Paso Times
300 North Campbell St.                                 IT
El Paso TX, 79901
Ph. (915) 546-6394                          victorm at elpasotimes.com
Fax.(915) 546-6346                          victorm at eudoramail.com
----- Original Message ----- 
From: <cisco-nsp-request at puck.nether.net>
To: <cisco-nsp at puck.nether.net>
Sent: Thursday, July 24, 2003 3:07 PM
Subject: cisco-nsp Digest, Vol 8, Issue 65


> Send cisco-nsp mailing list submissions to
> cisco-nsp at puck.nether.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://puck.nether.net/mailman/listinfo/cisco-nsp
> or, via email, send a message with subject or body 'help' to
> cisco-nsp-request at puck.nether.net
>
> You can reach the person managing the list at
> cisco-nsp-owner at puck.nether.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of cisco-nsp digest..."
>
>
> Today's Topics:
>
>    1. Re: Problem with DSL interface on a 2620 (Siva Valliappan)
>    2. Re:  2621 keeps freezing (Z)
>    3. Re: WU-FTPD and The Cisco router. (C. Jon Larsen)
>    4. RE: Re: 2621 keeps freezing (Steve Rude)
>    5. Re:  Re: 2621 keeps freezing (Z)
>    6. RE: Direction of manual summarization (Stephen Gill)
>    7. Re: silly question... (Gert Doering)
>    8. Re: silly question... (rpcbind at speakeasy.net)
>    9. Intelligent Route Control? (Brian R. Watters)
>   10. Re: silly question... (Streiner, Justin)
>   11. RE: silly question... (Mike Carter)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 24 Jul 2003 11:25:00 -0700 (PDT)
> From: Siva Valliappan <svalliap at cisco.com>
> Subject: Re: [nsp] Problem with DSL interface on a 2620
> To: james <hackerwacker at cybermesa.com>
> Cc: cisco-nsp at puck.nether.net
> Message-ID: <Pine.GSO.4.53.0307241121450.7601 at sj-cse-717.cisco.com>
> Content-Type: TEXT/PLAIN; charset=US-ASCII
>
> you have configured the atm interface for ip routing.  you will need
> to configure it to bridge packets if the telco is bridging.  this
> can be done by using RBE if the platform/software you are using supports
> RBE, if not by IRB.  i notice you have a partial IRB config.  in order
> to complete it you will need to configure the ATM interface for bridging,
> create a BVI interface, assign the IP address to the BVI interface, and
> configure
>
> bridge X route ip
> bridge X protocol [ieee | dec]
>
> where X is your bridge-group number
>
> cheers
> .siva
>
> On Thu, 24 Jul 2003, james wrote:
>
> > Router is a cisco 2620 running c2600-js-mz.121-19.bin. I am seeking to
> > give a static IP to a DSL customer (the telco provided CPE only supports
> > bridging) while avoiding creating /30's for each static IP DSL user.
> > On our 7206's I use "atm route-bridged ip" and write a static route to
> > the interface but that is not supported till 3xxx series.
> > I have used the below config on a 7206 in the past and it works, yet it
> > is not working on the 2620.
> > Is it not supported in this series or am I missing something ?
> >
> > ip cef
> > bridge irb
> > !
> > interface ATM1/1.2 multipoint
> >  description Static DSL Customers
> >  ip address 1.2.3.1 255.255.255.128
> >  no ip redirects
> >  no ip unreachables
> >  no ip mroute-cache
> > !
> > pvc 1/37
> >   protocol ip 1.2.3.2 no broadcast
> >  !
> >
> >
> >
> >
> >
> > James Edwards
> > Routing and Security
> > jamesh at cybermesa.com
> > At the Santa Fe Office: Internet at Cyber Mesa
> > Store hours: 9-6 Monday through Friday
> > Phone support 365 days till 10 pm via the Santa Fe office:
> > 505-988-9200 or Toll Free: 888-988-2700
> >
> >
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > http://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
>
> ------------------------------
>
> Message: 2
> Date: Thu, 24 Jul 2003 10:33:17 -0700
> From: Z <z at wotb.org>
> Subject: Re:  [nsp] 2621 keeps freezing
> To: "Daryl G. Jurbala" <daryl at introspect.net>
> Cc: cisco-nsp at puck.nether.net
> Message-ID: <20030724173317.GC20152 at wotb.org>
> Content-Type: text/plain; charset=us-ascii
>
> On Thu, Jul 24, 2003 at 02:14:46PM -0400, Daryl G. Jurbala wrote:
> > Are you graphing your CPU/bandwidth usage and getting syslog events sent
> > somewhere (or SNMP traps)?  If so, can you see any events leading up to
> > the lockup?
> >
> > And how locked is the lockup?  Even the console port?
>
>
>   Up to this point, I have not been able to get someone on the
> console ( the router is remote and houses all connectivity to the
> location ), but I had this in mind as well.
>
>   The MRTG graphs don't show anything significant over the last 4
> 'freezes' which weren't happening about the first 2 weeks this
> router was in place.  It just started happening on around the 15th
> of the month and have had 4 crashes since the 15th.   All of the
> crashes have occurred during business hours when traffic is pumping
> through.
>
>   In other words, as far as I can tell the router runs normally
> without any noticeable spike of activity that would indicate what is
> happening.   This is why I asked if it is possibly a bug in the IOS
> version.
>
>
> .z
>
> ------------------------------
>
> Message: 3
> Date: Thu, 24 Jul 2003 14:46:23 -0400 (EDT)
> From: "C. Jon Larsen" <jlarsen at richweb.com>
> Subject: Re: [nsp] WU-FTPD and The Cisco router.
> To: "Victor M. Acosta" <victorm at elpasotimes.com>
> Cc: cisco-nsp at puck.nether.net
> Message-ID:
> <Pine.LNX.4.44.0307241443490.19624-100000 at foxx.richweb.com>
> Content-Type: TEXT/PLAIN; charset=US-ASCII
>
>
> You could (should?) upgrade to an ftp daemon that is more secure and will
> allow you to set your pasv port range. proftpd and pureftpd both can do
> this. Set your range of pasv ports used by the ftp server to say,
> 50000 to 50299. Then on your router's acl you can allow these ports
> inbound to the ftp server. You can use a smaller or larger range of ports
> depending on how many clients you have connected to your ftp service.
>
> On Thu, 24 Jul 2003, Victor M. Acosta wrote:
>
> >  Has anyone heard of or had problems dealing with WU-FTPD behind cisco
> > routers (2600) series?
> > The problem resides in that randomly users get stuck on the hand-shake
> > between Client-Server
> > the servers are behind a 2611 router with IOS :
> > c2600-i-mz.123-1.bin
> > ROM: System Bootstrap, Version 12.2(10r)1, RELEASE SOFTWARE (fc1)
> > cisco 2611 (MPC860) processor (revision 0x202) with 28672K/4096K bytes of
> > memory.4
> >     Then after the Client authenticates I have a denied error and Access-List
> > 101 like this:
> > 02:27:06: %SEC-6-IPAC02:27:06: %SEC-6-IPACCESSLOGRL: access-list logging
> > rate-limited or missed 2 packets
> > 02:27:11: %SEC-6-IPACCESSLOGP: list 101 denied tcp 216.1.1.1(61777) ->
> > 12.1.11.1(55816), 1 packet
> >
> > Where 216.1.1.1 is the FTP-Client (Any FTP Client Mac/PC) and
> > 12.1.11.1 is the Server (RH 7.2) (wu-ftpd 2.6.2) behind the router. I am
> > letting in traffic to the 12.1.11.1 on ftp-data and ftp. I was researching over
> > the internet and it seems that some other people that have a similar setup had
> > the same problems. I tried their fixes and they did not work. I wonder if someone
> > can point me in the right direction.
> > Thanks.
> >
> >
> > Victor M. Acosta                                  El Paso Times
> > 300 North Campbell St.                                 IT
> > El Paso TX, 79901
> > Ph. (915) 546-6394                          victorm at elpasotimes.com
> > Fax.(915) 546-6346                          victorm at eudoramail.com
> >
> >
>
> -- 
> + Jon Larsen: Chief Technology Officer, Richweb, Inc.
> + Richweb.com: Providing Internet-Based Business Solutions since 1995
> + GnuPG Public Key: http://richweb.com/jlarsen.gpg
> + Business: (804) 359.2220 x 101; Mobile: (804) 307.6939
>
>
> ------------------------------
>
> Message: 4
> Date: Thu, 24 Jul 2003 11:46:41 -0700
> From: "Steve Rude" <steve at skyriver.net>
> Subject: RE: [nsp] Re: 2621 keeps freezing
> To: "Z" <z at wotb.org>
> Cc: cisco-nsp at puck.nether.net
> Message-ID:
> <5E43695CC08E3D43A722EB75F116BC293BC0BD at skyriverserver3.skyriver.net>
> Content-Type: text/plain; charset="us-ascii"
>
> Do you have CEF turned on?  CEF will drop CPU load significantly.
>
> In your acl's do you have the log statement?  Every time you have a
> packet hit the log statement, it will cause CPU cycles.
>
> Can you log into the router console when it freezes?
>
> I have several 2621's with 4 T1's running about 3-4 Mbps peak in a
> Multilink bundle, and relatively small acls and I've never had a problem
> with freezing.  CPU runs about 40-60 percent at peak times.
>
> I run 12.2(8)T10, you might want to give that a shot.
>
> Good luck,
>
> --steve
>
>
> -----Original Message-----
> From: Z [mailto:z at wotb.org]
> Sent: Thursday, July 24, 2003 9:42 AM
> To: cisco-nsp at puck.nether.net
> Subject: [nsp] Re: 2621 keeps freezing
>
> On Thu, Jul 24, 2003 at 09:34:25AM -0700, z at wotb.org wrote:
> >
> >    First off, this router hasn't exhibited hardware issues that I
> > can tell.. but it replaced 2 2621's.  The Internet T1 used to be on
> > another 2621 entirely, while the other 2621 had everything listed
> > above except that T1 ( and had an ethernet interface to the Internet
> > 2621 ).   The load was high on the non-Internet T1 and it only had
> > 32MB of memory, but it never froze up completely requiring a reset.
>
>   That should have read "The load was high on the non-Internet T1
> router, and it would seem to drop EIGRP hello's and cause adjacency
> issues every now and then.. so I thought it might've been a memory
> issue so I upgraded another 2621 and sent it out, but the old router
> never froze up completely requiring a reset.. it would just get
> slow."
>
>   So yes, add EIGRP to the list of things this router is running as
> well.
>
>
> .z
>
>
> ------------------------------
>
> Message: 5
> Date: Thu, 24 Jul 2003 10:57:04 -0700
> From: Z <z at wotb.org>
> Subject: Re:  [nsp] Re: 2621 keeps freezing
> To: Steve Rude <steve at skyriver.net>
> Cc: cisco-nsp at puck.nether.net
> Message-ID: <20030724175704.GD20152 at wotb.org>
> Content-Type: text/plain; charset=us-ascii
>
> On Thu, Jul 24, 2003 at 11:46:41AM -0700, Steve Rude wrote:
> > Do you have CEF turned on?  CEF will drop CPU load significantly.
> >
> > In your acl's do you have the log statement?  Every time you have a
> > packet hit the log statement, it will cause CPU cycles.
> >
> > Can you log into the router console when it freezes?
> >
> > I have several 2621's with 4 T1's running about 3-4 Mbps peak in a
> > Multilink bundle, and relatively small acls and I've never had a problem
> > with freezing.  CPU runs about 40-60 percent at peak times.
> >
> > I run 12.2(8)T10, you might want to give that a shot.
> >
>
>   Yep, CEF is turned on.  I don't have any logging ACLs, most of the
> stuff I need to see can be looked at through just matches ( sh ip
> access-list ).
>
>   The next step is, *IF* it freezes to see if the console is still
> responsive and if any logs are dumped to it.
>
>   Also, the IPv4 protocol bug ACL was on the wrong interface until
> just about an hour ago ( needed to be on the point-to-point
> sub-interface instead of the parent interface, wasn't seeing any of
> the permit ip any any matches.. so hopefully this was the cause of
> my troubles.. but somehow I doubt it ).
>
>
> Thanks for your input,
>
> .z
>
> ------------------------------
>
> Message: 6
> Date: Thu, 24 Jul 2003 14:29:11 -0500
> From: "Stephen Gill" <gillsr at yahoo.com>
> Subject: RE: [nsp] Direction of manual summarization
> To: <Jack.W.Parks at alltel.com>, <Rick.Cheung at NextelPartners.com>,
> <cisco-nsp at puck.nether.net>
> Message-ID: <000901c35219$dd601ef0$1efdfe0a at t23>
> Content-Type: text/plain; charset="us-ascii"
>
> Use EIGRP stub at the remotes, and 'ip summary-address eigrp ...' at the
> hub interface(s).
>
> -- steve
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
> Jack.W.Parks at alltel.com
> Sent: Thursday, July 24, 2003 1:24 PM
> To: Rick.Cheung at NextelPartners.com; cisco-nsp at puck.nether.net
> Subject: RE: [nsp] Direction of manual summarization
>
> The EIGRP Stub feature might fit your needs with or without
> summarization
>
> http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1831/products_configuration_guide_chapter09186a00800d97f8.html#1003712
>
> Jack W. Parks IV
> Sr. Network Engineer
> ALLTEL Communications
> jack.w.parks at alltel.com
> Work: 501-905-5961
> Cell: 501-680-3341
>
> -----Original Message-----
> From: Cheung, Rick [mailto:Rick.Cheung at NextelPartners.com]
> Sent: Thursday, July 24, 2003 8:59 AM
> To: cisco-nsp at puck.nether.net
> Subject: [nsp] Direction of manual summarization
>
>
> Thanks to everyone who replied on the 5 9's Infrastructure
> question posted recently.
>
> I have a question on manual summarization. In practice, with
> EIGRP in a hub/spoke network, do we typically summarize addresses
> towards the core, or summarize it to the spokes? The intent is to limit
> the EIGRP queries from rippling to the edge routers, as we're trying to
> work around CSCdr91621 on our edge 4232 L3s.
>
> I believe, however, best practices state to localize queries,
> and not propagate them to the core.
>
>
>
> Thanks,
> Rick Cheung
>
>
>
>
> ------------------------------
>
> Message: 7
> Date: Thu, 24 Jul 2003 21:38:44 +0200
> From: Gert Doering <gert at greenie.muc.de>
> Subject: Re: [nsp] silly question...
> To: Mike Carter <mike.c at altatechnologies.com>
> Cc: cisco-nsp at puck.nether.net
> Message-ID: <20030724213844.F20907 at greenie.muc.de>
> Content-Type: text/plain; charset=us-ascii
>
> Hi,
>
> On Thu, Jul 24, 2003 at 01:17:31PM -0500, Mike Carter wrote:
> > We just upgraded to NPE-G1's and now have gaping holes in the I/O slots on
> > our 7206's...anyone have a link or idea where to source the covers.
>
> Put the I/O board back in and enjoy an additional ethernet port...?
>
> gert
> -- 
> USENET is *not* the non-clickable part of WWW!
>
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany   gert at greenie.muc.de
> fax: +49-89-35655025             gert at net.informatik.tu-muenchen.de
>
> ------------------------------
>
> Message: 8
> Date: Thu, 24 Jul 2003 12:49:56 -0700 (PDT)
> From: rpcbind at speakeasy.net
> Subject: Re: [nsp] silly question...
> To: Mike Carter <mike.c at altatechnologies.com>
> Cc: "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
> Message-ID:
> <Pine.LNX.4.44.0307241249190.30353-100000 at grace.speakeasy.net>
> Content-Type: TEXT/PLAIN; charset=US-ASCII
>
>
> IO-CONTROLR-BLANK=
>
>
> http://www.cisco.com/en/US/customer/products/hw/routers/ps341/products_data_sheet09186a00800c6bd6.html
>
>
> On Thu, 24 Jul 2003, Mike Carter wrote:
>
> > We just upgraded to NPE-G1's and now have gaping holes in the I/O slots on
> > our 7206's...anyone have a link or idea where to source the covers.
> >
> > TIA,
> >
> > Michael Carter
> > Sun/Cisco/IBM Sales
> > Alta Technologies
> > 763-475-5327  (direct)
> > 800-546-2582  (Ext. 327)
> > 763-475-5361 or 763-475-5346(Fax)
> > AOL instant messenger  mikec at alta
> > email  mike.c at altatechnologies.com
> > Website  www.altatechnologies.com
> >
> >
> >  ***To be removed from this mailing list simply reply with remove in the
> > subject line***
> >
> >
>
>
> ------------------------------
>
> Message: 9
> Date: Thu, 24 Jul 2003 12:50:52 -0700
> From: "Brian R. Watters" <brwatters at abs-internet.com>
> Subject: [nsp] Intelligent Route Control?
> To: <cisco-nsp at puck.nether.net>
> Message-ID: <20030724195350.8B110301C5 at exchange.abs-internet.com>
> Content-Type: text/plain; charset="us-ascii"
>
> Hello all,
>
>
> Does anyone have any advice for route control based on real time link and/or
> destination performance? .. netVmg and others like Route Science are far too
> expensive .. We of course would like to find an OpenSource solution to this
> problem .. Anyone have a solution or experience with this sort of need?
>
>
> Brian
>
>
> ------------------------------
>
> Message: 10
> Date: Thu, 24 Jul 2003 15:45:45 -0400 (EDT)
> From: "Streiner, Justin" <streiner at stargate.net>
> Subject: Re: [nsp] silly question...
> To: Mike Carter <mike.c at altatechnologies.com>
> Cc: cisco-nsp at puck.nether.net
> Message-ID: <Pine.GSO.4.51.0307241543020.25646 at lurch>
> Content-Type: TEXT/PLAIN; charset=US-ASCII
>
> On Thu, 24 Jul 2003, Mike Carter wrote:
>
> > We just upgraded to NPE-G1's and now have gaping holes in the I/O slots on
> > our 7206's...anyone have a link or idea where to source the covers.
>
> The part number is IO-CONTROLR-BLANK.
>
> jms
>
> ------------------------------
>
> Message: 11
> Date: Thu, 24 Jul 2003 14:55:29 -0500
> From: "Mike Carter" <mike.c at altatechnologies.com>
> Subject: RE: [nsp] silly question...
> To: "Streiner, Justin" <streiner at stargate.net>
> Cc: cisco-nsp at puck.nether.net
> Message-ID: <NHBBKBJMGDGPHNNBELKLAELCFBAA.mike.c at altatechnologies.com>
> Content-Type: text/plain; charset="Windows-1252"
>
> Thanks for all the replies...Cisco is sending them out!
>
> -----Original Message-----
> From: Streiner, Justin [mailto:streiner at stargate.net]
> Sent: Thursday, July 24, 2003 2:46 PM
> To: Mike Carter
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [nsp] silly question...
>
>
> On Thu, 24 Jul 2003, Mike Carter wrote:
>
> > We just upgraded to NPE-G1's and now have gaping holes in the I/O slots on
> > our 7206's...anyone have a link or idea where to source the covers.
>
> The part number is IO-CONTROLR-BLANK.
>
> jms
>
>
> ------------------------------
>
>
>
> End of cisco-nsp Digest, Vol 8, Issue 65
> ****************************************
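
An added example, not part of the original thread or any poster's code: a Python script that parses ACL deny lines in the format quoted in the WU-FTPD messages, sorts the denied destination ports against the passive range suggested in the digest (50000 to 50299), and compares how many ports the `gt 1023` entry and a `range` entry open. The function names are hypothetical, and every log line other than the two taken from the thread is constructed for illustration.

```python
import re
from collections import Counter

# Shape of the %SEC-6-IPACCESSLOGP line quoted in the thread.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<pkts>\d+) packets?"
)

def exposed_ports(lo, hi):
    """Number of TCP ports a permit for lo..hi (inclusive) opens."""
    return hi - lo + 1

def range_permit(acl, server, lo, hi):
    """ACL entry for a fixed passive range, using the IOS 'range' operator."""
    return f"access-list {acl} permit tcp any host {server} range {lo} {hi}"

def audit_denies(lines, acl, server, pasv_lo, pasv_hi):
    """Bucket TCP denies logged by `acl` toward `server` by destination port."""
    buckets = {"pasv_range": Counter(), "other_high": Counter(), "low": Counter()}
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # rate-limit notices (IPACCESSLOGRL) and unrelated lines
        if (m["acl"], m["action"], m["proto"], m["dst"]) != (acl, "denied", "tcp", server):
            continue
        port, pkts = int(m["dport"]), int(m["pkts"])
        if pasv_lo <= port <= pasv_hi:
            key = "pasv_range"   # the ACL is missing the passive-range permit
        elif port > 1023:
            key = "other_high"   # daemon not using the range, or traffic only 'gt 1023' admits
        else:
            key = "low"          # denied well-known ports
        buckets[key][port] += pkts
    return buckets

# Sample input. The first two lines are from the thread (joined where the
# e-mail wrapped them); the remaining four are constructed for this example.
SAMPLE_LOG = """\
02:27:06: %SEC-6-IPAC02:27:06: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 2 packets
02:27:11: %SEC-6-IPACCESSLOGP: list 101 denied tcp 216.1.1.1(61777) -> 12.1.11.1(55816), 1 packet
02:31:40: %SEC-6-IPACCESSLOGP: list 101 denied tcp 216.1.1.1(61802) -> 12.1.11.1(50010), 2 packets
02:33:02: %SEC-6-IPACCESSLOGP: list 101 denied tcp 216.1.1.1(40111) -> 12.1.11.1(3306), 1 packet
02:33:09: %SEC-6-IPACCESSLOGP: list 101 denied tcp 216.1.1.1(40112) -> 12.1.11.1(23), 1 packet
02:34:00: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 216.1.1.1(61700) -> 12.1.11.1(21), 4 packets
""".splitlines()

if __name__ == "__main__":
    result = audit_denies(SAMPLE_LOG, "101", "12.1.11.1", 50000, 50299)
    for name, ports in result.items():
        print(f"{name:11s} {dict(ports)}")
    print("gt 1023 opens", exposed_ports(1024, 65535), "ports;",
          "range 50000 50299 opens", exposed_ports(50000, 50299))
    print(range_permit("101", "12.1.11.1", 50000, 50299))
```

Denies in `pasv_range` mean the ACL lacks the range permit; denies in `other_high` on an FTP session mean the daemon is still choosing ports outside the configured range.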


