From o.calvano at gmail.com Mon Sep 2 04:47:48 2019
From: o.calvano at gmail.com (Olivier CALVANO)
Date: Mon, 2 Sep 2019 10:47:48 +0200
Subject: [c-nsp] Cisco ASA5550 and Wizard High Availability ?
Message-ID:

Hi

I use 2 Cisco ASA5550:
ASA Version: 9.1(7)32
ASDM Version: 7.12(2)

I want to configure High Availability and Scalability Wizards but that
doesn't work.
I click on the button: no action, the wizards don't start

Has someone already encountered the problem?

thanks
Olivier

From giles at coochey.net Mon Sep 2 04:53:47 2019
From: giles at coochey.net (Giles Coochey)
Date: Mon, 2 Sep 2019 09:53:47 +0100
Subject: [c-nsp] Cisco ASA5550 and Wizard High Availability ?
In-Reply-To:
References:
Message-ID: <00826d31-c8ae-a4a7-3b25-2ec143d2a54d@coochey.net>

On 02/09/2019 09:47, Olivier CALVANO wrote:
> Hi
>
> I use 2 Cisco ASA5550:
> ASA Version: 9.1(7)32
> ASDM Version: 7.12(2)
>
> I want to configure High Availability and Scalability Wizards but that
> doesn't work.
> I click on the button: no action, the wizards don't start
>
> Has someone already encountered the problem?

I don't think you can use ASDM 7.12(2) with ASA 9.1

https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html

>
> thanks
> Olivier
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

--
Giles Coochey

From dcp at dcptech.com Mon Sep 2 19:38:48 2019
From: dcp at dcptech.com (David Prall)
Date: Mon, 02 Sep 2019 19:38:48 -0400
Subject: [c-nsp] Inter-VRF with NAT
In-Reply-To: <003601d5568d$c8b39f10$5a1add30$@gvtc.com>
References: <9c32ee68-28f7-35cd-d4d3-4b8e1f8a4f0d@tiedyenetworks.com> <2F7033B2-DA96-4378-A521-7593A7FB8A3F@gmail.com> <003601d5568d$c8b39f10$5a1add30$@gvtc.com>
Message-ID: <0D00C557-4F01-4772-8BB1-4428D0D660AA@dcptech.com>

Have you looked at VASI configuration.
https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/200255-Configure-VRF-Aware-Software-Infrastruct.html

David
--
http://dcp.dcptech.com

On 8/19/19, 8:58 AM, "cisco-nsp on behalf of Aaron Gould" wrote:

We have lots of zyxel's and manage all them with their public address. Why don't you just do that?

-Aaron

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mike
Sent: Sunday, August 18, 2019 3:14 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Inter-VRF with NAT

> Hi Mike,
>
> I'm not sure I've understood your network topology to be honest. Are you saying that you have Cisco devices with a single WAN link that doesn't support logical separation such as VLANs, e.g. ADSL [1] to run multiple VRFs over different VLANs, e.g. internet in global routing table over VLAN 10, management VRF over VLAN 20 etc? And you basically want multiple VRFs between the CPE and its gateway (BNG/LNS/PE) so that you don't have to NAT your management traffic or need layer 2 connectivity to every CPE?

My cpe devices are typically zyxel. On the wan interface of these devices, we usually have one service which is customer internet access (pppoe or dhcp), and then another service which is mapped at either a different vlan or a different vci/vpl, which is for management (and it's always dhcp). So, from the perspective of the device, it only has one routing table - the global table - and the 'default route' will normally be the internet service gateway. A common short-sightedness in these is that they can't do policy routing, and they can't have a separate routing table where management network traffic uses a gateway different than the internet service gateway.

The broadband aggregation router will have layer 2 to the subscriber. So, vlan 10 would service pppoe/dhcp to the internet, while vlan 20 would be management traffic.
I would like to have vlan 20 in a separate vrf, and I would like to be able to assign it an ip address (172.16.1.1), and I want to hand out addresses to the cpe in the range of 172.16.1.x. But, because the CPE are braindead, I need to arrange things so management access to the cpe all appear to come from 172.16.1.1. That way, the devices won't need to consult the routing table for a gateway and will instead simply arp for the 172.16.1.1 as it's on the same l3 network segment. This is the only way to deal with devices that don't know the correct gateway back.

The only way I know how to accomplish this is with nat, unless there was some other socks type proxy on my asr1000 I don't know about.

Mike-

From jwbensley+cisco-nsp at gmail.com Tue Sep 3 04:31:49 2019
From: jwbensley+cisco-nsp at gmail.com (James Bensley)
Date: Tue, 3 Sep 2019 09:31:49 +0100
Subject: [c-nsp] Inter-VRF with NAT
In-Reply-To: <0D00C557-4F01-4772-8BB1-4428D0D660AA@dcptech.com>
References: <9c32ee68-28f7-35cd-d4d3-4b8e1f8a4f0d@tiedyenetworks.com> <2F7033B2-DA96-4378-A521-7593A7FB8A3F@gmail.com> <003601d5568d$c8b39f10$5a1add30$@gvtc.com> <0D00C557-4F01-4772-8BB1-4428D0D660AA@dcptech.com>
Message-ID:

On Tue, 3 Sep 2019 at 00:39, David Prall wrote:
>
> Have you looked at VASI configuration. https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/200255-Configure-VRF-Aware-Software-Infrastruct.html
>
> David
> --
> http://dcp.dcptech.com

I'm happy to be wrong here, but I thought the VASI stuff had been killed off?

Cheers,
James.

From dave at brockmans.com Tue Sep 3 08:24:05 2019
From: dave at brockmans.com (Dave Brockman)
Date: Tue, 3 Sep 2019 08:24:05 -0400
Subject: [c-nsp] Cisco ASA5550 and Wizard High Availability ?
In-Reply-To: <00826d31-c8ae-a4a7-3b25-2ec143d2a54d@coochey.net>
References: <00826d31-c8ae-a4a7-3b25-2ec143d2a54d@coochey.net>
Message-ID:

On 9/2/2019 4:53 AM, Giles Coochey wrote:
>
> On 02/09/2019 09:47, Olivier CALVANO wrote:
>> Hi
>>
>> I use 2 Cisco ASA5550:
>> ASA Version: 9.1(7)32
>> ASDM Version: 7.12(2)
>>
>> I want to configure High Availability and Scalability Wizards but that
>> doesn't work.
>> I click on the button: no action, the wizards don't start
>>
>> Has someone already encountered the problem?
>
> I don't think you can use ASDM 7.12(2) with ASA 9.1
>
> https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html

Generally you can use newer ASDM images, note the matrix you link shows
7.5(2)+.

Cheers,

dtb

From giles at coochey.net Tue Sep 3 08:30:46 2019
From: giles at coochey.net (Giles Coochey)
Date: Tue, 3 Sep 2019 13:30:46 +0100
Subject: [c-nsp] Cisco ASA5550 and Wizard High Availability ?
In-Reply-To:
References: <00826d31-c8ae-a4a7-3b25-2ec143d2a54d@coochey.net>
Message-ID: <7ca9118f-9ad3-2a3d-26ff-f57cdc599b42@coochey.net>

On 03/09/2019 13:24, Dave Brockman wrote:
> On 9/2/2019 4:53 AM, Giles Coochey wrote:
>> On 02/09/2019 09:47, Olivier CALVANO wrote:
>>> Hi
>>>
>>> I use 2 Cisco ASA5550:
>>> ASA Version: 9.1(7)32
>>> ASDM Version: 7.12(2)
>>>
>>> I want to configure High Availability and Scalability Wizards but that
>>> doesn't work.
>>> I click on the button: no action, the wizards don't start
>>>
>>> Has someone already encountered the problem?
>> I don't think you can use ASDM 7.12(2) with ASA 9.1
>>
>> https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html
> Generally you can use newer ASDM images, note the matrix you link shows
> 7.5(2)+.

I may have quickly found the wrong link by lack of google-fu, I seem to have recollection of finding notes for 7.12(2) to say it's not fully compatible with earlier versions beyond a certain age.

--
Giles Coochey

From dcp at dcptech.com Tue Sep 3 08:50:14 2019
From: dcp at dcptech.com (David Prall)
Date: Tue, 03 Sep 2019 08:50:14 -0400
Subject: [c-nsp] Inter-VRF with NAT
In-Reply-To:
References: <9c32ee68-28f7-35cd-d4d3-4b8e1f8a4f0d@tiedyenetworks.com> <2F7033B2-DA96-4378-A521-7593A7FB8A3F@gmail.com> <003601d5568d$c8b39f10$5a1add30$@gvtc.com> <0D00C557-4F01-4772-8BB1-4428D0D660AA@dcptech.com>
Message-ID:

Supported in IOS-XE. VASI on the GSR has been long gone. IOS-XR had it at one point as well.

David
--
http://dcp.dcptech.com

On 9/3/19, 4:32 AM, "James Bensley" wrote:

On Tue, 3 Sep 2019 at 00:39, David Prall wrote:
>
> Have you looked at VASI configuration. https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/200255-Configure-VRF-Aware-Software-Infrastruct.html
>
> David
> --
> http://dcp.dcptech.com

I'm happy to be wrong here, but I though the VASI stuff had been killed off?

Cheers,
James.

From dave at brockmans.com Tue Sep 3 08:52:58 2019
From: dave at brockmans.com (Dave Brockman)
Date: Tue, 3 Sep 2019 08:52:58 -0400
Subject: [c-nsp] Cisco ASA5550 and Wizard High Availability ?
In-Reply-To: <7ca9118f-9ad3-2a3d-26ff-f57cdc599b42@coochey.net>
References: <00826d31-c8ae-a4a7-3b25-2ec143d2a54d@coochey.net> <7ca9118f-9ad3-2a3d-26ff-f57cdc599b42@coochey.net>
Message-ID:

On 9/3/2019 8:30 AM, Giles Coochey wrote:
>
> On 03/09/2019 13:24, Dave Brockman wrote:
>> On 9/2/2019 4:53 AM, Giles Coochey wrote:
>>> On 02/09/2019 09:47, Olivier CALVANO wrote:
>>>> Hi
>>>>
>>>> I use 2 Cisco ASA5550:
>>>> ASA Version: 9.1(7)32
>>>> ASDM Version: 7.12(2)
>>>>
>>>> I want to configure High Availability and Scalability Wizards but that
>>>> doesn't work.
>>>> I click on the button: no action, the wizards don't start
>>>>
>>>> Has someone already encountered the problem?
>>> I don't think you can use ASDM 7.12(2) with ASA 9.1
>>>
>>> https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html
>>>
>> Generally you can use newer ASDM images, note the matrix you link shows
>> 7.5(2)+.
>
> I may have quickly found the wrong link by lack of google-fu, I seem to
> have recollection of finding notes for 7.12(2) to say it's not fully
> compatible with earlier versions beyond a certain age.

"Because ASDM is backwards compatible with earlier ASA releases, you can upgrade ASDM no matter which ASA version you are running." [1]

Unless it was very early in the PDM days, the above has always been the case.

Cheers,

dtb

[1] - https://www.cisco.com/c/en/us/td/docs/security/asdm/7_12/release/notes/rn712.html

From giles at coochey.net Tue Sep 3 09:00:35 2019
From: giles at coochey.net (Giles Coochey)
Date: Tue, 3 Sep 2019 14:00:35 +0100
Subject: [c-nsp] Cisco ASA5550 and Wizard High Availability ?
In-Reply-To:
References: <00826d31-c8ae-a4a7-3b25-2ec143d2a54d@coochey.net> <7ca9118f-9ad3-2a3d-26ff-f57cdc599b42@coochey.net>
Message-ID:

On 03/09/2019 13:52, Dave Brockman wrote:
> On 9/3/2019 8:30 AM, Giles Coochey wrote:
>> On 03/09/2019 13:24, Dave Brockman wrote:
>>> On 9/2/2019 4:53 AM, Giles Coochey wrote:
>>>> On 02/09/2019 09:47, Olivier CALVANO wrote:
>>>>> Hi
>>>>>
>>>>> I use 2 Cisco ASA5550:
>>>>> ASA Version: 9.1(7)32
>>>>> ASDM Version: 7.12(2)
>>>>>
>>>>> I want to configure High Availability and Scalability Wizards but that
>>>>> doesn't work.
>>>>> I click on the button: no action, the wizards don't start
>>>>>
>>>>> Has someone already encountered the problem?
>>>> I don't think you can use ASDM 7.12(2) with ASA 9.1
>>>>
>>>> https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html
>>>>
>>> Generally you can use newer ASDM images, note the matrix you link shows
>>> 7.5(2)+.
>> I may have quickly found the wrong link by lack of google-fu, I seem to
>> have recollection of finding notes for 7.12(2) to say it's not fully
>> compatible with earlier versions beyond a certain age.
> "Because ASDM is backwards compatible with earlier ASA releases, you can
> upgrade ASDM no matter which ASA version you are running." [1]
>
> Unless it was very early in the PDM days, the above has always been the
> case.
>
> Cheers,
>
> dtb
>
> [1] -
> https://www.cisco.com/c/en/us/td/docs/security/asdm/7_12/release/notes/rn712.html
>

Well, either way, it resolved the OP's problem

-------- Forwarded Message --------
Subject: Re: [c-nsp] Cisco ASA5550 and Wizard High Availability ?
Date: Mon, 2 Sep 2019 15:30:35 +0200
From: Olivier CALVANO <##>
To: Giles Coochey <##>

Oh yes you have reason.
I downgrade and now I have the wizard problems solved thanks ;=)

--
Giles Coochey

From romka at kharkov.org.ua Thu Sep 5 10:43:30 2019
From: romka at kharkov.org.ua (Sheremet Roman)
Date: Thu, 5 Sep 2019 17:43:30 +0300
Subject: [c-nsp] ASR1002-X + SPA-1X10GE-L-V2 (10gb)
In-Reply-To: <1287353852.20190725154944@kharkov.org.ua>
References: <1287353852.20190725154944@kharkov.org.ua>
Message-ID: <146882808.20190905174330@kharkov.org.ua>

Hi,

Yep we change card to brand new and update our IOS, now looks best
now:

ASR1002#sh platform | in 10G
0/3 SPA-1X10GE-L-V2 ok 1w0d

But we have one more problem, media errors:

ASR1002# sh int TenGigabitEthernet 0/3/0 | in err

227 input errors, 181 CRC, 46 frame, 0 overrun, 0 ignored
362103129 packets output, 194841004589 bytes, 0 underruns
0 output errors, 0 collisions, 5 interface resets
0 babbles, 0 late collision, 0 deferred

And amount growing up.... Fiber is good, we reuse same fiber which we
use with 1G link, we just move it to 10G.

Any idea how to debug this ? Or possible we need some settings for 10G
links? (I use 10G first time). Maybe something like as frame size, or
MTU, etc....

> Hi,

> We have Cisco ASR1002-X
> Cisco IOS Software, IOS-XE Software

--
Best regards,
Sheremet mailto:romka at kharkov.org.ua

From dudepron at gmail.com Thu Sep 5 11:57:10 2019
From: dudepron at gmail.com (Aaron)
Date: Thu, 5 Sep 2019 11:57:10 -0400
Subject: [c-nsp] ASR1002-X + SPA-1X10GE-L-V2 (10gb)
In-Reply-To: <146882808.20190905174330@kharkov.org.ua>
References: <1287353852.20190725154944@kharkov.org.ua> <146882808.20190905174330@kharkov.org.ua>
Message-ID:

clean the fiber.

On Thursday, September 5, 2019, Sheremet Roman wrote:

> Hi,
>
> Yep we change card to brand new and update our IOS, now looks best
> now:
>
> ASR1002#sh platform | in 10G
> 0/3 SPA-1X10GE-L-V2 ok 1w0d
>
> But we have one more problem, media errors:
>
> ASR1002# sh int TenGigabitEthernet 0/3/0 | in err
>
> 227 input errors, 181 CRC, 46 frame, 0 overrun, 0 ignored
> 362103129 packets output, 194841004589 bytes, 0 underruns
> 0 output errors, 0 collisions, 5 interface resets
> 0 babbles, 0 late collision, 0 deferred
>
> And amount growing up.... Fiber is good, we reuse same fiber which we
> use with 1G link, we just move it to 10G.
>
> Any idea how to debug this ? Or possible we need some settings for 10G
> links? (I use 10G first time). Maybe something like as frame size, or
> MTU, etc....
>
> > Hi,
>
> > We have Cisco ASR1002-X
> > Cisco IOS Software, IOS-XE Software
>
> --
> Best regards,
> Sheremet mailto:romka at kharkov.org.ua
>

From eng_mssk at hotmail.com Sat Sep 14 12:42:00 2019
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Sat, 14 Sep 2019 16:42:00 +0000
Subject: [c-nsp] Csr1000v multicast deployment
Message-ID:

Greetings

I am planning to conduct a POC at a customer side with gre over multicast deployment with the assistance of service provider.
Did anyone have any use case for such in order to highlight anything to be aware of as there are other competitors conducting as well.

Thanks

From harbor235 at gmail.com Mon Sep 23 15:15:27 2019
From: harbor235 at gmail.com (harbor235)
Date: Mon, 23 Sep 2019 15:15:27 -0400
Subject: [c-nsp] NFV
Message-ID:

Looking for real world experiences virtualizing router and firewall services with rates above 1Gbps on x86 platforms.
Most testing I have been involved with virtualizing routers and firewalls, performance drops dramatically above 1Gbps.

Connections per second are critical for a firewall in particular, can a virtual firewall handle high connections per second as appliances?

Anyone experience good results at 10GigE with a virtual firewall?

Where do you draw the line for router based virtualization?

Mike

From jac.kloots at surfnet.nl Tue Sep 24 04:40:18 2019
From: jac.kloots at surfnet.nl (Jac Kloots)
Date: Tue, 24 Sep 2019 10:40:18 +0200
Subject: [c-nsp] NFV
In-Reply-To:
References:
Message-ID:

Hi Mike,

We run an openstack with VPP NFV setup with fortigate virtual firewalls. To get to competitive performance we also use mellanox ConnectX NICs to offload processing to this hardware. A lot of effort has to be put into this setup to get good performance.

We have tested up to 10G bi-dir and 30k+ sessions, we are planning on testing with higher speeds/more sessions soon.

Jac

On 23/09/2019 21:15, harbor235 wrote:
> Looking for real world experiences virtualizing router and firewall services
> with rates above 1Gbps on x86 platforms. Most testing I have been involved
> with virtualizing routers and firewalls, performance drops
> dramatically above 1Gbps.
>
> Connections per second are critical for a firewall in particular, can a
> virtual firewall handle high connections per second as appliances?
>
> Anyone experience good results at 10GigE with a virtual firewall?
>
> Where do you draw the line for router based virtualization?
>
>
>
> Mike

--
Jac Kloots
Teamlead Network Services
Network Department
SURFnet

From malitsky at netabn.com Wed Sep 25 23:54:05 2019
From: malitsky at netabn.com (Michael Malitsky)
Date: Thu, 26 Sep 2019 03:54:05 +0000
Subject: [c-nsp] Experience with 9500-16X ?
Message-ID:

Does anyone have personal experience with the Catalyst 9500 series (specifically interested in 16X)? Impressions, caveats?

Sincerely,
Michael Malitsky

From Steve.Mikulasik at civeo.com Thu Sep 26 10:21:50 2019
From: Steve.Mikulasik at civeo.com (Steve Mikulasik)
Date: Thu, 26 Sep 2019 14:21:50 +0000
Subject: Experience with 9500-16X ?
In-Reply-To:
References:
Message-ID:

We run the 16x and 40X. I honestly wouldn't buy them again since the other 9500 models use the UADP 3.0 ASIC and have better buffers. The UADP 2.0 9500 switches split the 32MB buffer into two 16MB buffers per core, while the UADP 3.0 9500 switches have 36M shared between both cores. I have heard that pricing between the 2.0 and 3.0 9500s is pretty close.

I don't know why Cisco has ASICs that work differently in the same switch series, just makes it hard to know what switch you are really getting.

https://www.cisco.com/c/dam/en/us/products/collateral/switches/catalyst-9500-series-switches/white-paper-c11-741484.pdf

From: cisco-nsp On Behalf Of Michael Malitsky
Sent: Wednesday, September 25, 2019 9:54 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Experience with 9500-16X ?

CAUTION: This email originated from outside of Civeo. Do not click links or open attachments unless you recognize the sender and know the content is safe.

Does anyone have personal experience with the Catalyst 9500 series (specifically interested in 16X)? Impressions, caveats?

Sincerely,
Michael Malitsky

From kai.gehring at burda.com Mon Sep 30 07:33:34 2019
From: kai.gehring at burda.com (Gehring Kai)
Date: Mon, 30 Sep 2019 11:33:34 +0000
Subject: [c-nsp] Experience with 9500-16X ?
In-Reply-To:
References:
Message-ID:

We run two 9500-16X (as a virtual stack) with 16.9.2 as a router and concentrator at a smaller site. No problems so far, just runs. I'd agree with Steve about the ASIC Generations (UADP 2.0/3.0) though, better buy something with the 3.0 today.

Kai

-----Original Message-----
From: Steve Mikulasik
Sent: Thursday, September 26, 2019 4:22 PM
To: Michael Malitsky ; cisco-nsp at puck.nether.net
Subject: RE: Experience with 9500-16X ?

We run the 16x and 40X. I honestly wouldn't buy them again since the other 9500 models use the UADP 3.0 ASIC and have better buffers. The UADP 2.0 9500 switches split the 32MB buffer into two 16MB buffers per core, while the UADP 3.0 9500 switches have 36M shared between both cores. I have heard that pricing between the 2.0 and 3.0 9500s is pretty close.

I don't know why Cisco has ASICs that work differently in the same switch series, just makes it hard to know what switch you are really getting.

https://www.cisco.com/c/dam/en/us/products/collateral/switches/catalyst-9500-series-switches/white-paper-c11-741484.pdf

From: cisco-nsp On Behalf Of Michael Malitsky
Sent: Wednesday, September 25, 2019 9:54 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Experience with 9500-16X ?

Does anyone have personal experience with the Catalyst 9500 series (specifically interested in 16X)? Impressions, caveats?

Sincerely,
Michael Malitsky