[c-nsp] cisco-nsp Digest, Vol 86, Issue 48

luismi asturluismi at gmail.com
Tue Jan 19 05:54:58 EST 2010


I have this and I have accounting:

aaa authentication attempts login 2
aaa authentication login default group tac-plus local-case
aaa authentication login console group tac-plus local-case
aaa authentication enable default enable
aaa authorization console
aaa authorization exec default group tacacs+ if-authenticated 
aaa authorization network default group tac-plus local 
aaa accounting send stop-record authentication failure vrf GestionIP
aaa accounting send stop-record authentication failure
aaa accounting suppress null-username
aaa accounting update newinfo periodic 1440
aaa accounting exec default start-stop group tac-plus
aaa accounting commands 0 default start-stop group tac-plus
aaa accounting commands 1 default start-stop group tac-plus
aaa accounting commands 15 default start-stop group tac-plus
aaa accounting network default start-stop group tac-plus
aaa accounting connection default start-stop group tac-plus
aaa accounting system default start-stop group tac-plus



On Tue, 2010-01-19 at 09:05 +0000, Mehdi Badreddine wrote:
> Hi, 
> 
> Thanks for your responses.
> A colleague of mine gave me this answer:
> 
> aaa new-model
> aaa authentication login default group tacacs+ enable
> aaa authentication enable default group tacacs+ enable
> aaa authorization exec default group tacacs+ if-authenticated
> aaa authorization commands 15 default group tacacs+ if-authenticated
> aaa accounting exec default start-stop group tacacs+
> aaa accounting commands 1 default start-stop group tacacs+
> aaa accounting commands 15 default start-stop group tacacs+
> aaa accounting network default start-stop group tacacs+
> aaa accounting system default start-stop group tacacs+
> aaa session-id common
> 
> But I still don't have accounting information on my tac_plus server.
> 
> What's your opinion ?
> 
> 
> Mehdi BADREDDINE
> 
> System and Network Administrator
> CLARANET Paris
> 68, rue du Faubourg Saint-Honoré
> 75008 PARIS
> 
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of cisco-nsp-request at puck.nether.net
> Sent: Friday, 15 January 2010 14:30
> To: cisco-nsp at puck.nether.net
> Subject: cisco-nsp Digest, Vol 86, Issue 48
> 
> Send cisco-nsp mailing list submissions to
> 	cisco-nsp at puck.nether.net
> 
> To subscribe or unsubscribe via the World Wide Web, visit
> 	https://puck.nether.net/mailman/listinfo/cisco-nsp
> or, via email, send a message with subject or body 'help' to
> 	cisco-nsp-request at puck.nether.net
> 
> You can reach the person managing the list at
> 	cisco-nsp-owner at puck.nether.net
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of cisco-nsp digest..."
> 
> 
> Today's Topics:
> 
>    1. Re: RIB failure : Higher admin distance (Randy)
>    2. Re: Cisco ASA and Update Cisco VPN Client (Stephane MAGAND)
>    3. cisco users accounting and logging (Mehdi Badreddine)
>    4. Re: OSPF Campus Design : Excessive SPF Runs (Pavel Skovajsa)
>    5. Re: cisco users accounting and logging (Peter Rathlev)
>    6. OSPF on ASA with large routing tables (scott owens)
>    7. Re: Cisco ASA and Update Cisco VPN Client (NMaio at guesswho.com)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Thu, 14 Jan 2010 21:49:44 -0800 (PST)
> From: Randy <randy_94108 at yahoo.com>
> To: cisco-nsp at puck.nether.net, Andy Ashley <lists at nexus6.co.za>
> Subject: Re: [c-nsp] RIB failure : Higher admin distance
> Message-ID: <34888.80577.qm at web80505.mail.mud.yahoo.com>
> Content-Type: text/plain; charset=iso-8859-1
> 
> ..sorry for the top posting..
> Hi Andy,
> You wouldn't happen to have an interface on router A with an addr. in that range, would you? *connected* eq AD of 0. A longer prefix match will not work in this case when it comes to installing routes in the BGP routing table.
> Regards
> ./Randy
> 
> 
> --- On Thu, 1/14/10, Andy Ashley <lists at nexus6.co.za> wrote:
> 
> 
> From: Andy Ashley <lists at nexus6.co.za>
> Subject: [c-nsp] RIB failure : Higher admin distance
> To: cisco-nsp at puck.nether.net
> Date: Thursday, January 14, 2010, 6:32 PM
> 
> 
> Hi all,
> 
> We have two routers at site A and one at site B, both routers at site A have an uplink each to a transit provider. There are two Layer 3 core switches below the two routers.
> The router at site B has an uplink to another transit provider and there is also a private link between the routers at site A and B.
> 
> We run OSPF between all the routers/switches, also over the private link between site A and B, and use "redistribute static subnets".
> There is iBGP running between the routers/switches and an iBGP session runs over a GRE tunnel between site A and B so that if the private link breaks,
> the traffic will go out over the transit providers and they will still talk to each other, etc (same AS in path)
> 
> There is an issue:
> We have a /20 that is announced from site A and we split this up into 3 longer prefixes (/21, /22 and /24). We want to use the /24 for site B and announce the /21 and /23 from site A.
> However, when we remove the aggregate /20 route at site A and put a static in for the /24, it is not announced to our transit providers at site B due to rib failure.
> 
> (Site A Router)#sh ip bgp rib-failure
> Network            Next Hop                  RIB-failure               RIB-NH Matches
> X.X.X.X/20         (Layer 3 Core Switch)     Higher admin distance     n/a
> 
> etc etc (there is a list of all of our static routes here)
> 
> (Site A Router)#show ip bgp (Slash /24 in question)
> BGP routing table entry for (Slash /24 in question)/24, version 4317116
> Paths: (1 available, best #1, table default, not advertised to EBGP peer, RIB-failure(17))
> Not advertised to any peer
> (65003)
>   (Site B Router Tunnel IP) (metric 1002) from (Site A Router IP) (X.X.X.X)
>       Origin IGP, metric 0, localpref 100, valid, confed-internal, best
>       Community: ASN:200 no-export
> 
> (Site A Router)#show ip route (Slash /24 in question)
> Routing entry for (Slash /24 in question)/24
> Known via "ospf 100", distance 110, metric 20, type extern 2, forward metric 2
> Last update from (Site A Router Private Link Interface) on GigabitEthernet0/1.8, 5w5d ago
> Routing Descriptor Blocks:
> * (Site A Router Private Link Interface), from (Site B Router), 5w5d ago, via GigabitEthernet0/1.8
>       Route metric is 20, traffic share count is 1
> 
> The rib failure condition seems to be persistent.
> 
> Any ideas how to overcome this issue?
> 
> Thanks.
> Andy.
> 
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
> 
> ------------------------------
> 
> Message: 2
> Date: Fri, 15 Jan 2010 06:55:00 +0100
> From: Stephane MAGAND <stmagconsulting at gmail.com>
> To: Marcelo Zilio <ziliomarcelo at gmail.com>
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Cisco ASA and Update Cisco VPN Client
> Message-ID:
> 	<c33829391001142155r684ee390v253dbd82c9a8af83 at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Hi
> 
> Thanks for this information.
> 
> Anyone have more detail? Has anyone used this function?
> 
> Thanks
> Stephane
> 
> 
> 2010/1/13 Marcelo Zilio <ziliomarcelo at gmail.com>
> 
> > I just saw in my ASA 8.2 under Configuration > Remote Access VPN > Network
> > (Client) Access > IPsec Connection Profiles (Advanced > IPsec) an option
> > Client Software Update.
> >
> > I remember seeing this in older versions too. I never used it, but I think
> > this is what you are looking for.
> >
> > On Wed, Jan 13, 2010 at 9:14 AM, Phibee Network Operation Center <
> > noc at phibee.net> wrote:
> >
> > > Hi
> > >
> > > anyone know if it's possible :
> > >
> > >    When a user connects to my Cisco ASA over the IPsec VPN, the ASA sees
> > > the version of the IPsec client software, I think.
> > >
> > >    If this software is too old, can the ASA send an update automatically?
> > >
> > >
> > > Thanks
> > > Jerome
> > >
> >
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Fri, 15 Jan 2010 09:23:47 -0000
> From: "Mehdi Badreddine" <mehdi.badreddine at fr.clara.net>
> To: <cisco-nsp at puck.nether.net>
> Subject: [c-nsp] cisco users accounting and logging
> Message-ID:
> 	<70F55AD71714494087D3F5CF5ED1008305720B4D at EXVS02.claranet.local>
> Content-Type: text/plain;	charset="iso-8859-1"
> 
> Hi, 
> 
> I'm looking for open source software to log cisco/hp/juniper users' commands. For the moment, we are not able to know what commands are issued by users.
> I've already installed tac_plus on BSD, though it doesn't provide user accounting, just authentication.
> Thanks in advance for your help.
> 
> 
> Mehdi BADREDDINE
> 
> System&Network Admin
> CLARANET Paris
> 68, rue du Faubourg Saint-Honoré
> 75008 PARIS
> 
> 
> 
> 
> ------------------------------
> 
> Message: 4
> Date: Fri, 15 Jan 2010 10:32:32 +0100
> From: Pavel Skovajsa <pavel.skovajsa at gmail.com>
> To: Jason LeBlanc <jasonleblanc at gmail.com>
> Cc: cisco-nsp <cisco-nsp at puck.nether.net>
> Subject: Re: [c-nsp] OSPF Campus Design : Excessive SPF Runs
> Message-ID:
> 	<323aca891001150132t303f9a45l1e1c2870835f9069 at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Hi Jason,
> 
> see below
> 
> -pavel skovajsa
> 
> On Fri, Jan 15, 2010 at 4:57 AM, Jason LeBlanc <jasonleblanc at gmail.com> wrote:
> > Hello,
> >
> > We currently have Layer 3 Routed Access configured at all of our Metro Campus locations.  There are a few obvious deviations from the best practice design guides.  The current setup is:
> >
> > Core -->        Datacenter Distribution --> | (fiber connect) | -->     Building Distribution -->       Access
> > (backbone)      (ABR)                                                   (ASBR)                          (OSPF enabled access switch)
> >
> > The Cisco best practice is:
> >
> > Core -->        Distribution -->        Access
> > (backbone)      (ABR)                   (OSPF enabled access switch)
> >
> 
> The best practices are exactly what the name says, best practices; in real
> practice everybody finds it hard to actually achieve them, due to
> geopolitical/other reasons. In other words, the following implication
> is NOT true: not following best practices -> bad design -> network
> melts
> 
> > We are running NSSA with no-summary and the range command on the Datacenter Distribution routers.  Each floor has 2 access switches (w/ OSPF running) which each have a link back to the Building Distribution router.  Vlans on each box on each floor are mutually exclusive.
> >
> > Symptoms:
> > Lots of SPF re-calculations, NTP failing from Datacenter Distro -> Building Distro, and users reporting loss of their shared drives.
> >
> > router-a#sh ip ospf stat
> >  Area 0.0.0.0: SPF algorithm executed 7865 times
> >  Area 192.8.208.0: SPF algorithm executed 386 times
> >  Area 192.70.0.0: SPF algorithm executed 563 times
> >  Area 192.100.0.0: SPF algorithm executed 93076 times
> 
> Well, that last area 192.100.0.0 seems to be the culprit - what about
> troubleshooting it for a while, instead of redesigning the whole network?
> Use commands like the above "show ip ospf stat" and look for Seq# and LSA
> Age to find the flapping LSA. Also stuff like "debug ip ospf monitor"
> and "show ip ospf database database-sum" will help you.
> 
> 
> >
> >
> > Questions:
> > Should we be advertising (passively or non-passively) L3 Vlans into OSPF?
> 
> Passively. Why would somebody do that in a non-passive way and have
> myriads of neighbors on every vlan?
> 
> > Should we be doing Totally NSSA's instead of NSSA's?
> 
> Totally stubby (or totally not-so-stubby if you need ASBR) should be
> default design, only configure no-summary if you have specific reason.
> Also I don't understand the need for ASBR in your NSSA - but you
> probably have a reason for that.
> 
> >         If not, is there a way to get the DR in NSSA to advertise a single route back as default route?
> > Should we be sending each campus distribution router directly to the Core so that its the 3 hops?
> 
> As written above, if you have the funding to do this it will certainly
> make your network design nicer, but I don't see how doing this would
> actually massively decrement your SPF runs....
> 
> > Do you suggest tuning the OSPF dead interval to achieve subsecond convergence?
> 
> Scale and speed are contradictory goals. Fast reaction to changes in
> network topology tends to end up in a network that never converges
> and is unstable.
> 
> >
> >
> > Any help advise is greatly appreciated!
> >
> > Regards,
> >
> > //LeBlanc
> >
> 
> 
> ------------------------------
> 
> Message: 5
> Date: Fri, 15 Jan 2010 11:47:33 +0100
> From: Peter Rathlev <peter at rathlev.dk>
> To: Mehdi Badreddine <mehdi.badreddine at fr.clara.net>
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] cisco users accounting and logging
> Message-ID: <1263552453.28844.4.camel at localhost>
> Content-Type: text/plain; charset="UTF-8"
> 
> On Fri, 2010-01-15 at 09:23 +0000, Mehdi Badreddine wrote:
> > I've already installed tac_plus on BSD, though it doesn't provide
> > user accounting, just authentication.
> 
> We use tac_plus with accounting, no problems there. The relevant
> configuration is:
> 
> accounting file = /var/log/tacacs-accounting.log
> 
> or similar in the tac_plus.conf file, and then:
> 
> aaa accounting exec [method] start-stop group tacacs+
> aaa accounting commands 0 [method] start-stop group tacacs+
> aaa accounting commands 15 [method] start-stop group tacacs+
> aaa accounting connection [method] start-stop group tacacs+
> 
> besides your normal AAA config on the Cisco devices.
> 
> I wouldn't know about Juniper or HP.
> 
> -- 
> Peter
> 
> 
> 
> 
> 
> ------------------------------
> 
> Message: 6
> Date: Fri, 15 Jan 2010 07:24:56 -0600
> From: scott owens <scottowens12 at gmail.com>
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] OSPF on ASA with large routing tables
> Message-ID:
> 	<c0c598d51001150524n3f34a9b3l76da8abb9c3ae271 at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> >
> > Message: 5
> > Date: Thu, 14 Jan 2010 19:47:07 -0600
> > From: Greg Clark <gregpclark at gmail.com>
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] OSPF on ASA with large routing tables
> > Message-ID:
> >        <44ae085f1001141747r5951bf09ka16e3cb239a9eb92 at mail.gmail.com>
> > Content-Type: text/plain; charset=ISO-8859-1
> >
> > We're considering running OSPF on a handful of core ASA 5580s but our routing
> > table is somewhat large (roughly 10,000 routes).  Does anyone have any
> > experience running OSPF on an ASA platform with a large number of routes on
> > a production network?  Did you run into any limitations or issues?  We
> > don't plan on running multiple contexts and will not have a large number of
> > peers/neighbors, just a large routing table.
> >
> > Thanks,
> >
> > Greg
> >
> >
> >
> I am certainly sure I do not know your network topology - but having 10,000
> routes going to a firewall seems like you may want another pair or more of
> eyes to check out that route summarization problem.  Ditto with the guy with
> 8,000+ routes.
> 
> 
> I have multiple 10GB, Nexus 7Ks, Redundant Gig Internet (/16), I2
> connectivity and I don't think we have more than 100 or 200 routes present.
> 
> 
> ------------------------------
> 
> Message: 7
> Date: Fri, 15 Jan 2010 08:29:00 -0500
> From: <NMaio at guesswho.com>
> To: <stmagconsulting at gmail.com>, <ziliomarcelo at gmail.com>
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Cisco ASA and Update Cisco VPN Client
> Message-ID:
> 	<2AA600764E54964491083B1E0EC81A3033D742DEB2 at EXCLUS.nationala-1advertising.com>
> 	
> Content-Type: text/plain; charset="us-ascii"
> 
> I use this but it isn't an automatic update.  The user is presented with a message box once they sign in and it lets them know that an update is available.  It is up to the user to click the box to update.  If you are concerned about users using old clients you could always restrict the version via a client-access-rule...something like this...under your group-policy.
> 
> client-access-rule 1 permit type WinNT version 5.0.0*
> client-access-rule 2 permit type "Mac OS X" version 4.9.01*
> client-access-rule 3 permit type Linux version "4.8.02 (0030)"
> client-access-rule 4 deny type * version *
> 
> 
> 
> ------------------------------
> 
> _______________________________________________
> cisco-nsp mailing list
> cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> 
> End of cisco-nsp Digest, Vol 86, Issue 48
> *****************************************

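Peter Rathlev's answer in Message 5 tells tac_plus where to write its accounting records (`accounting file = ...`) and which `aaa accounting` lines make IOS send them; the next thing a practitioner wants is to read that file and notice when someone tries to switch the accounting off again. The following is an added example, not code from the thread and not part of the tac_plus project. It assumes the Shrubbery tac_plus accounting layout (one tab-separated record per line: timestamp, NAS address, username, port, remote address, start/stop, then attribute=value pairs); the log lines, hosts, usernames and commands in it are constructed, and the prefix list of "audit tampering" commands is a starting point, not a Cisco or tac_plus definition.

```python
"""Parse tac_plus accounting records and flag commands that tamper with
the audit trail.

Added example, not code from the thread or from the tac_plus project.
Assumption: the Shrubbery tac_plus daemon writes one tab-separated record
per line to the file named by `accounting file = ...`, laid out as
timestamp, NAS address, username, port, remote address, record type
(start/stop), followed by attribute=value pairs. SAMPLE_LOG is
constructed; the hosts, users and commands are invented.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_LOG = (
    "Tue Jan 19 10:01:12 2010\t192.0.2.1\tmehdi\ttty1\t198.51.100.7\tstart\t"
    "task_id=101\tservice=shell\n"
    "Tue Jan 19 10:01:30 2010\t192.0.2.1\tmehdi\ttty1\t198.51.100.7\tstop\t"
    "task_id=102\tservice=shell\tpriv-lvl=1\tcmd=show ip route <cr>\n"
    "Tue Jan 19 10:02:05 2010\t192.0.2.1\tmehdi\ttty1\t198.51.100.7\tstop\t"
    "task_id=103\tservice=shell\tpriv-lvl=15\tcmd=configure terminal <cr>\n"
    "Tue Jan 19 10:02:20 2010\t192.0.2.1\tmehdi\ttty1\t198.51.100.7\tstop\t"
    "task_id=104\tservice=shell\tpriv-lvl=15\t"
    "cmd=no aaa accounting commands 15 default start-stop group tacacs+ <cr>\n"
    "Tue Jan 19 10:03:00 2010\t192.0.2.2\tluismi\ttty2\t198.51.100.9\tstop\t"
    "task_id=105\tservice=shell\tpriv-lvl=15\tcmd=show running-config <cr>\n"
    "Tue Jan 19 10:05:44 2010\t192.0.2.1\tmehdi\ttty1\t198.51.100.7\tstop\t"
    "task_id=106\tservice=shell\telapsed_time=272\n"
    "this line is truncated and must be skipped\n"
)

# Command prefixes that switch off the accounting or logging that would
# record an intruder's later actions. Illustrative list, extend to taste.
AUDIT_TAMPERING_PREFIXES = (
    "no aaa accounting",
    "no aaa new-model",
    "no logging",
    "no tacacs-server",
)


@dataclass
class Record:
    timestamp: str
    nas: str
    user: str
    port: str
    rem_addr: str
    kind: str                         # "start", "stop" or "update"
    attrs: Dict[str, str] = field(default_factory=dict)

    @property
    def cmd(self) -> Optional[str]:
        """The command line without IOS's trailing ' <cr>' marker."""
        raw = self.attrs.get("cmd")
        if raw is None:
            return None
        return re.sub(r"\s*<cr>\s*$", "", raw).strip()

    @property
    def priv_lvl(self) -> int:
        return int(self.attrs.get("priv-lvl", "0"))


def parse_line(line: str) -> Optional[Record]:
    """Return a Record, or None for a line too short to be one."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 6:
        return None
    attrs: Dict[str, str] = {}
    for pair in fields[6:]:
        key, sep, value = pair.partition("=")
        if sep:                        # ignore anything that is not attr=value
            attrs[key] = value
    return Record(*fields[:6], attrs)


def parse_log(text: str) -> List[Record]:
    records: List[Record] = []
    for line in text.splitlines():
        rec = parse_line(line) if line.strip() else None
        if rec is not None:
            records.append(rec)
    return records


def commands_by_user(records: List[Record]) -> Dict[str, List[str]]:
    """Per-user command history in log order; exec start/stop records are skipped."""
    out: Dict[str, List[str]] = {}
    for rec in records:
        if rec.cmd is not None:
            out.setdefault(rec.user, []).append(rec.cmd)
    return out


def flag_audit_tampering(records: List[Record]) -> List[Record]:
    """Records whose command disables accounting or logging."""
    hits: List[Record] = []
    for rec in records:
        cmd = (rec.cmd or "").lower()
        if any(cmd.startswith(p) for p in AUDIT_TAMPERING_PREFIXES):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for user, cmds in commands_by_user(recs).items():
        print(f"{user}: {len(cmds)} command(s)")
    for rec in flag_audit_tampering(recs):
        print(f"ALERT {rec.timestamp} {rec.user}@{rec.nas} "
              f"priv {rec.priv_lvl}: {rec.cmd}")
```

Note that the tampering command is itself only visible because command accounting was still on when it was typed; the stop record for `no aaa accounting commands 15 ...` is the last privileged command you will see from that session, which is exactly why it deserves an alert rather than a line in a report.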


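The client-access-rule lines in Message 7 are an ordered policy, and the numbering matters as much as the patterns. Here is an added example, not Cisco's code and not from the thread, that evaluates such rules the way the reply depends on: lowest number first, first match decides. The evaluation order and the treatment of `*` as a shell-style wildcard (other characters literal) are assumptions; the client type and version strings fed to it are invented. Beside the rule set quoted in the message it carries a misordered variant in which the catch-all deny was given the lowest number, so it shadows every permit and locks all clients out.

```python
"""First-match evaluation of ASA client-access-rule lines.

Added example, not from the thread or from Cisco. Assumptions: rules are
tried in ascending rule-number order, the first rule whose type and
version patterns both match decides, and `*` is a shell-style wildcard
with every other character matched literally. RULES_TEXT is the set
quoted in Message 7; the client strings in the tests are invented.
"""
import fnmatch
import shlex
from dataclasses import dataclass
from typing import List, Optional

RULES_TEXT = """\
client-access-rule 1 permit type WinNT version 5.0.0*
client-access-rule 2 permit type "Mac OS X" version 4.9.01*
client-access-rule 3 permit type Linux version "4.8.02 (0030)"
client-access-rule 4 deny type * version *
"""

# Same rules, but the catch-all deny was numbered first. With first-match
# evaluation it shadows every permit: nobody gets in.
MISORDERED_RULES_TEXT = """\
client-access-rule 1 deny type * version *
client-access-rule 2 permit type WinNT version 5.0.0*
client-access-rule 3 permit type "Mac OS X" version 4.9.01*
client-access-rule 4 permit type Linux version "4.8.02 (0030)"
"""


@dataclass(frozen=True)
class Rule:
    number: int
    action: str        # "permit" or "deny"
    type_pat: str
    version_pat: str


def parse_rules(text: str) -> List[Rule]:
    """Parse `client-access-rule N permit|deny type T version V` lines.

    shlex handles the quoted values ("Mac OS X", "4.8.02 (0030)")."""
    rules: List[Rule] = []
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok or tok[0] != "client-access-rule":
            continue
        if (len(tok) != 7 or tok[3] != "type" or tok[5] != "version"
                or tok[2] not in ("permit", "deny")):
            raise ValueError(f"malformed rule: {line!r}")
        rules.append(Rule(int(tok[1]), tok[2], tok[4], tok[6]))
    return sorted(rules, key=lambda r: r.number)


def evaluate(rules: List[Rule], client_type: str, version: str) -> Optional[str]:
    """Action of the first matching rule, or None when nothing matches.

    None is returned deliberately rather than a default: the caller must
    decide what an unmatched client means, not silently permit it."""
    for rule in rules:
        if (fnmatch.fnmatchcase(client_type, rule.type_pat)
                and fnmatch.fnmatchcase(version, rule.version_pat)):
            return rule.action
    return None


def _covers(outer: str, inner: str) -> bool:
    # Conservative: only a full wildcard or an identical pattern counts.
    return outer == "*" or outer == inner


def shadowed_rules(rules: List[Rule]) -> List[Rule]:
    """Rules that can never fire because an earlier rule covers them."""
    shadowed: List[Rule] = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if (_covers(earlier.type_pat, rule.type_pat)
                    and _covers(earlier.version_pat, rule.version_pat)):
                shadowed.append(rule)
                break
    return shadowed


if __name__ == "__main__":
    for label, text in (("as posted", RULES_TEXT), ("misordered", MISORDERED_RULES_TEXT)):
        rules = parse_rules(text)
        print(label, "WinNT 5.0.07.0290 ->", evaluate(rules, "WinNT", "5.0.07.0290"))
        print(label, "shadowed:", [r.number for r in shadowed_rules(rules)])
```

A rule that `shadowed_rules` reports is dead configuration; when the dead rules are the permits, the policy has become a full lockout, and when the dead rule is the deny at the end, an earlier broad permit has made the version restriction meaningless.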
