[c-nsp] cisco-nsp Digest, Vol 86, Issue 48
Mehdi Badreddine
mehdi.badreddine at fr.clara.net
Tue Jan 19 04:05:09 EST 2010
Hi,
Thanks for your responses.
A colleague of mine gave me this answer:
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
But I still don't have accounting information on my tac_plus server.
What's your opinion?
Mehdi BADREDDINE
System and Network Administrator
CLARANET Paris
68, rue du Faubourg Saint-Honoré
75008 PARIS
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of cisco-nsp-request at puck.nether.net
Sent: Friday, 15 January 2010 14:30
To: cisco-nsp at puck.nether.net
Subject: cisco-nsp Digest, Vol 86, Issue 48
Send cisco-nsp mailing list submissions to
cisco-nsp at puck.nether.net
To subscribe or unsubscribe via the World Wide Web, visit
https://puck.nether.net/mailman/listinfo/cisco-nsp
or, via email, send a message with subject or body 'help' to
cisco-nsp-request at puck.nether.net
You can reach the person managing the list at
cisco-nsp-owner at puck.nether.net
When replying, please edit your Subject line so it is more specific
than "Re: Contents of cisco-nsp digest..."
Today's Topics:
1. Re: RIB failure : Higher admin distance (Randy)
2. Re: Cisco ASA and Update Cisco VPN Client (Stephane MAGAND)
3. cisco users accounting and logging (Mehdi Badreddine)
4. Re: OSPF Campus Design : Excessive SPF Runs (Pavel Skovajsa)
5. Re: cisco users accounting and logging (Peter Rathlev)
6. OSPF on ASA with large routing tables (scott owens)
7. Re: Cisco ASA and Update Cisco VPN Client (NMaio at guesswho.com)
----------------------------------------------------------------------
Message: 1
Date: Thu, 14 Jan 2010 21:49:44 -0800 (PST)
From: Randy <randy_94108 at yahoo.com>
To: cisco-nsp at puck.nether.net, Andy Ashley <lists at nexus6.co.za>
Subject: Re: [c-nsp] RIB failure : Higher admin distance
Message-ID: <34888.80577.qm at web80505.mail.mud.yahoo.com>
Content-Type: text/plain; charset=iso-8859-1
..sorry for the top posting..
Hi Andy,
You wouldn't happen to have an interface on router A with an addr. in that range, would you? *connected* eq ad of 0. A longer prefix match will not work in this case when it comes to installing routes in the bgp routing table.
Regards
./Randy
--- On Thu, 1/14/10, Andy Ashley <lists at nexus6.co.za> wrote:
From: Andy Ashley <lists at nexus6.co.za>
Subject: [c-nsp] RIB failure : Higher admin distance
To: cisco-nsp at puck.nether.net
Date: Thursday, January 14, 2010, 6:32 PM
Hi all,
We have two routers at site A and one at site B, both routers at site A have an uplink each to a transit provider. There are two Layer 3 core switches below the two routers.
The router at site B has an uplink to another transit provider and there is also a private link between the routers at site A and B.
We run OSPF between all the routers/switches, also over the private link between site A and B and use "redistribute static subnets"
There is iBGP running between the routers/switches and an iBGP session runs over a GRE tunnel between site A and B so that if the private link breaks,
the traffic will go out over the transit providers and they will still talk to each other, etc (same AS in path)
There is an issue:
We have a /20 that is announced from site A and we split this up into 3 longer prefixes (/21, /22 and /24). We want to use the /24 for site B and announce the /21 and /23 from site A.
However, when we remove the aggregate /20 route at site A and put a static in for the /24, it is not announced to our transit providers at site B due to rib failure.
(Site A Router)#sh ip bgp rib-failure
Network            Next Hop                  RIB-failure              RIB-NH Matches
X.X.X.X/20         (Layer 3 Core Switch)     Higher admin distance    n/a
etc etc (there is a list of all of our static routes here)
(Site A Router)#show ip bgp (Slash /24 in question)
BGP routing table entry for (Slash /24 in question)/24, version 4317116
Paths: (1 available, best #1, table default, not advertised to EBGP peer, RIB-failure(17))
Not advertised to any peer
(65003)
  (Site B Router Tunnel IP) (metric 1002) from (Site A Router IP) (X.X.X.X)
    Origin IGP, metric 0, localpref 100, valid, confed-internal, best
    Community: ASN:200 no-export
(Site A Router)#show ip route (Slash /24 in question)
Routing entry for (Slash /24 in question)/24
Known via "ospf 100", distance 110, metric 20, type extern 2, forward metric 2
Last update from (Site A Router Private Link Interface) on GigabitEthernet0/1.8, 5w5d ago
Routing Descriptor Blocks:
* (Site A Router Private Link Interface), from (Site B Router), 5w5d ago, via GigabitEthernet0/1.8
    Route metric is 20, traffic share count is 1
The rib failure condition seems to be persistent.
Any ideas how to overcome this issue?
Thanks.
Andy.
_______________________________________________
cisco-nsp mailing list? cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
------------------------------
Message: 2
Date: Fri, 15 Jan 2010 06:55:00 +0100
From: Stephane MAGAND <stmagconsulting at gmail.com>
To: Marcelo Zilio <ziliomarcelo at gmail.com>
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco ASA and Update Cisco VPN Client
Message-ID:
<c33829391001142155r684ee390v253dbd82c9a8af83 at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Hi
Thanks for this information.
Does anyone have more detail? Has anyone used this function?
Thanks
Stephane
2010/1/13 Marcelo Zilio <ziliomarcelo at gmail.com>
> I just saw in my ASA 8.2 under Configuration > Remote Access VPN > Network
> (Client) Access > IPsec Connection Profiles (Advanced > IPSec) an option
> Client Software Update.
>
> I remember seeing this in older versions too. I never used it, but I think
> this is what you are looking for.
>
> On Wed, Jan 13, 2010 at 9:14 AM, Phibee Network Operation Center <
> noc at phibee.net> wrote:
>
> > Hi
> >
> > Does anyone know if it's possible:
> >
> > When a user connects to my Cisco ASA over IPsec VPN, the ASA sees the
> > version of the IPsec client software, I think.
> >
> > If this software is too old, can the ASA send an update automatically?
> >
> >
> > Thanks
> > Jerome
> >
------------------------------
Message: 3
Date: Fri, 15 Jan 2010 09:23:47 -0000
From: "Mehdi Badreddine" <mehdi.badreddine at fr.clara.net>
To: <cisco-nsp at puck.nether.net>
Subject: [c-nsp] cisco users accounting and logging
Message-ID:
<70F55AD71714494087D3F5CF5ED1008305720B4D at EXVS02.claranet.local>
Content-Type: text/plain; charset="iso-8859-1"
Hi,
I'm looking for an open source software to log cisco/hp/juniper users' commands. For the moment, we are not able to know what commands are issued by users.
I've already installed tac_plus on BSD, though it doesn't provide users accounting, just authentication.
Thanks in advance for your help.
Mehdi BADREDDINE
System&Network Admin
CLARANET Paris
68, rue du Faubourg Saint-Honoré
75008 PARIS
------------------------------
Message: 4
Date: Fri, 15 Jan 2010 10:32:32 +0100
From: Pavel Skovajsa <pavel.skovajsa at gmail.com>
To: Jason LeBlanc <jasonleblanc at gmail.com>
Cc: cisco-nsp <cisco-nsp at puck.nether.net>
Subject: Re: [c-nsp] OSPF Campus Design : Excessive SPF Runs
Message-ID:
<323aca891001150132t303f9a45l1e1c2870835f9069 at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Hi Jason,
see below
-pavel skovajsa
On Fri, Jan 15, 2010 at 4:57 AM, Jason LeBlanc <jasonleblanc at gmail.com> wrote:
> Hello,
>
> We currently have Layer 3 Routed Access configured at all of our Metro Campus locations. There are a few obvious deviations from the best practice design guides. The current setup is:
>
> Core       --> Datacenter Distribution --> | (fiber connect) | --> Building Distribution --> Access
> (backbone)     (ABR)                                              (ASBR)                    (OSPF enabled access switch)
>
> The Cisco best practice is:
>
> Core       --> Distribution --> Access
> (backbone)     (ABR)            (OSPF enabled access switch)
>
The best practices are exactly what it says - best practices - in real
practice everybody finds it hard to actually achieve that, due to
geopolitical/other reasons. In other words the following implication
is NOT true: not following best practices -> bad design -> network
melts
> We are running NSSA with no-summary and the range command on the Datacenter Distribution routers. Each floor has 2 access switches (w/ OSPF running) which each have a link back to the Building Distribution router. Vlans on each box on each floor are mutually exclusive.
>
> Symptoms:
> Lots of SPF re-calculations, NTP failing from Datacenter Distro -> Building Distro, and users reporting loss of their shared drives.
>
> router-a#sh ip ospf stat
>  Area 0.0.0.0: SPF algorithm executed 7865 times
>  Area 192.8.208.0: SPF algorithm executed 386 times
>  Area 192.70.0.0: SPF algorithm executed 563 times
>  Area 192.100.0.0: SPF algorithm executed 93076 times
Well, that last area 192.100.0.0 seems to be the culprit - what about
troubleshooting it for a while, instead of redesigning the whole network?
Use commands like the above "show ip ospf stat" and look for Seq# and LSA
Age to find the flapping LSA. Also stuff like "debug ip ospf monitor"
and "show ip ospf database database-summary" will help you.
>
>
> Questions:
> Should we be advertising (passively or non-passively) L3 Vlans into OSPF?
Passively. Why would somebody do that in a non-passive way and have
myriads of neighbors per each vlan?
> Should we be doing Totally NSSA's instead of NSSA's?
Totally stubby (or totally not-so-stubby if you need ASBR) should be
default design, only configure no-summary if you have specific reason.
Also I don't understand the need for ASBR in your NSSA - but you
probably have a reason for that.
> If not, is there a way to get the DR in NSSA to advertise a single route back as default route?
> Should we be sending each campus distribution router directly to the Core so that it's the 3 hops?
As written above, if you have the funding to do this it will certainly
make your network design nicer, but I don't see how doing this would
actually massively decrease your SPF runs....
> Do you suggest tuning the OSPF dead interval to achieve subsecond convergence?
Scale and speed are contradictory goals. Fast reaction to changes in
network topology tends to end up in a network that never converges
and is unstable.
>
>
> Any help or advice is greatly appreciated!
>
> Regards,
>
> //LeBlanc
------------------------------
Message: 5
Date: Fri, 15 Jan 2010 11:47:33 +0100
From: Peter Rathlev <peter at rathlev.dk>
To: Mehdi Badreddine <mehdi.badreddine at fr.clara.net>
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] cisco users accounting and logging
Message-ID: <1263552453.28844.4.camel at localhost>
Content-Type: text/plain; charset="UTF-8"
On Fri, 2010-01-15 at 09:23 +0000, Mehdi Badreddine wrote:
> I've already installed tac_plus on BSD, though it doesn't provide
> users accounting, just authentication.
We use tac_plus with accounting, no problems there. The relevant
configuration is:
accounting file = /var/log/tacacs-accounting.log
or similar in the tac_plus.conf file, and then:
aaa accounting exec [method] start-stop group tacacs+
aaa accounting commands 0 [method] start-stop group tacacs+
aaa accounting commands 15 [method] start-stop group tacacs+
aaa accounting connection [method] start-stop group tacacs+
besides your normal AAA config on the Cisco devices.
I wouldn't know about Juniper or HP.
--
Peter
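As an added example (not code from the thread or from tac_plus itself), the following Python parser reads records in the tab-separated layout tac_plus writes to the "accounting file" named above, counts command records per NAS so a device whose "aaa accounting commands" lines never reach the server stands out, and flags privilege-15 commands that alter local accounts or AAA. The field order, attribute names and the sample records are assumptions and constructed data; check them against your own log before relying on the output.

```python
"""Parse tac_plus command accounting and flag privileged configuration changes."""
from collections import Counter

# Constructed sample records (not from the thread) in the tab-separated layout
# tac_plus writes to its accounting file: timestamp, NAS address, user, port,
# remote address, record type (start/stop), then attribute=value pairs.
SAMPLE_LOG = (
    "Fri Jan 15 11:47:33 2010\t192.0.2.10\tmehdi\ttty1\t198.51.100.7\tstart"
    "\ttask_id=101\tservice=shell\n"
    "Fri Jan 15 11:47:40 2010\t192.0.2.10\tmehdi\ttty1\t198.51.100.7\tstop"
    "\ttask_id=102\tservice=shell\tpriv-lvl=15\tcmd=configure terminal <cr>\n"
    "Fri Jan 15 11:47:52 2010\t192.0.2.10\tmehdi\ttty1\t198.51.100.7\tstop"
    "\ttask_id=103\tservice=shell\tpriv-lvl=15\tcmd=username newadmin privilege 15 <cr>\n"
    "Fri Jan 15 11:48:03 2010\t192.0.2.11\tops\ttty2\t198.51.100.9\tstop"
    "\ttask_id=104\tservice=shell\tpriv-lvl=1\tcmd=show ip route <cr>\n"
)

# Privilege-15 commands that change who can log in or how AAA behaves.
WATCHED_PREFIXES = ("username", "aaa ", "tacacs", "enable secret", "enable password")


def parse_record(line):
    """Split one accounting line into its fixed fields plus an attrs dict."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 6:
        raise ValueError("malformed accounting line: %r" % line)
    attrs = {}
    for pair in fields[6:]:
        key, _, value = pair.partition("=")
        attrs[key] = value.strip()
    cmd = attrs.get("cmd")
    if cmd and cmd.endswith("<cr>"):  # IOS appends <cr> to every accounted command
        attrs["cmd"] = cmd[:-4].strip()
    return {"time": fields[0], "nas": fields[1], "user": fields[2],
            "port": fields[3], "remote": fields[4], "type": fields[5],
            "attrs": attrs}


def parse_log(text):
    return [parse_record(l) for l in text.splitlines() if l.strip()]


def commands_per_nas(records):
    """Command records per NAS; a device missing here is not sending
    command accounting, whatever its running config says."""
    return Counter(r["nas"] for r in records if "cmd" in r["attrs"])


def flag_privileged_changes(records):
    """Return (user, nas, cmd) for privilege-15 commands on the watch list."""
    hits = []
    for r in records:
        a = r["attrs"]
        cmd = a.get("cmd", "")
        if a.get("priv-lvl") == "15" and cmd.startswith(WATCHED_PREFIXES):
            hits.append((r["user"], r["nas"], cmd))
    return hits
```

Run commands_per_nas() over a day's file and compare the NAS list with your device inventory; that comparison is the quickest check of whether each router's accounting lines are actually arriving.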
------------------------------
Message: 6
Date: Fri, 15 Jan 2010 07:24:56 -0600
From: scott owens <scottowens12 at gmail.com>
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] OSPF on ASA with large routing tables
Message-ID:
<c0c598d51001150524n3f34a9b3l76da8abb9c3ae271 at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
>
> Message: 5
> Date: Thu, 14 Jan 2010 19:47:07 -0600
> From: Greg Clark <gregpclark at gmail.com>
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] OSPF on ASA with large routing tables
> Message-ID:
> <44ae085f1001141747r5951bf09ka16e3cb239a9eb92 at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> We're considering running OSPF on a handful of core ASA 5580s but our routing
> table is somewhat large (roughly 10,000 routes). Does anyone have any
> experience running OSPF on an ASA platform with a large number of routes on
> a production network? Did you run into any limitations or issues? We
> don't plan on running multiple contexts and will not have a large number of
> peers/neighbors, just a large routing table.
>
> Thanks,
>
> Greg
>
>
>
I am certainly sure I do not know your network topology - but having 10,000
routes going to a firewall seems like you may want another pair or more of
eyes to check out that route summarization problem. Ditto with the guy with
8,000+ routes.
I have multiple 10GB, Nexus 7Ks, Redundant Gig Internet (/16), I2
connectivity and I don't think we have more than 100 or 200 routes present.
------------------------------
Message: 7
Date: Fri, 15 Jan 2010 08:29:00 -0500
From: <NMaio at guesswho.com>
To: <stmagconsulting at gmail.com>, <ziliomarcelo at gmail.com>
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco ASA and Update Cisco VPN Client
Message-ID:
<2AA600764E54964491083B1E0EC81A3033D742DEB2 at EXCLUS.nationala-1advertising.com>
Content-Type: text/plain; charset="us-ascii"
I use this but it isn't an automatic update. The user is presented with a message box once they sign in and it lets them know that an update is available. It is up to the user to click the box to update. If you are concerned about users using old clients you could always restrict the version via a client-access-rule...something like this...under your group-policy.
client-access-rule 1 permit type WinNT version 5.0.0*
client-access-rule 2 permit type "Mac OS X" version 4.9.01*
client-access-rule 3 permit type Linux version "4.8.02 (0030)"
client-access-rule 4 deny type * version *
------------------------------
End of cisco-nsp Digest, Vol 86, Issue 48