Oh, The money order. I had this mixed up with another transaction. I sent it last Friday, I think. I purchased it at the Post Office and mailed it right there at the counter. Sorry for the delay. It should've been there by Wednesday because I sent it priority mail. Let me know.

Regards,
Fred

--- cisco-nsp-request@puck.nether.net wrote:

From: cisco-nsp-request@puck.nether.net
Date: Fri, 25 Nov 2005 18:14:38 -0500 (EST)
To: cisco-nsp@puck.nether.net
Subject: cisco-nsp Digest, Vol 36, Issue 95

Send cisco-nsp mailing list submissions to
cisco-nsp@puck.nether.net

To subscribe or unsubscribe via the World Wide Web, visit
https://puck.nether.net/mailman/listinfo/cisco-nsp
or, via email, send a message with subject or body 'help' to
cisco-nsp-request@puck.nether.net

You can reach the person managing the list at
cisco-nsp-owner@puck.nether.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of cisco-nsp digest..."

Today's Topics:

1. RE: RTBH and MPLS network (Oliver Boehmer (oboehmer))
2. RE: netflow on native 6509 (Alex Rubenstein)
3. RE: cisco 2610 flash issue (Brian Turnbow)
4. RE: netflow on native 6509 (Oliver Boehmer (oboehmer))
5. RE: C4510R and SFP interfaces (Asbjorn Hojmark - Lists)
6. Re: R: [c-nsp] lan-to-lan pix-vpn3k unidirectional problem (Andrew Yourtchenko)
7. RE: C4510R and SFP interfaces (David Prall)

----------------------------------------------------------------------

Message: 1
Date: Fri, 25 Nov 2005 18:11:44 +0100
From: "Oliver Boehmer \(oboehmer\)"
Subject: RE: [c-nsp] RTBH and MPLS network
To: "Daemen, Seth, VF-NL" ,
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED784014C35FF@xmb-ams-333.emea.cisco.com>
Content-Type: text/plain; charset="us-ascii"

Daemen, Seth, VF-NL wrote on Friday, November 25, 2005 3:10 PM:

> What do you mean with: You need to set the next-hop inbound or
> outbound at your vpnv4 neighbor.
> Maybe a stupid question but I'm a student and I have not much
> experience with mpls VPN's.

assuming you have configured "neighbor x.x.x.x send-community both" on
all your neighbors within "address-family vpnv4":

route-map static2bgp permit 10
 match tag 666
 set local-preference 200
 set origin igp
 set community 1:1
route-map static2bgp permit 20
...
router bgp XX
 address-family ipv4 vrf XXX
  redistribute static route-map static2bgp

and then

ip community-list 1 permit 1:1
!
route-map blackhole permit 10
 match community 1
 set ip next-hop 192.168.0.1
route-map blackhole permit 20
!
router bgp XX
 address-family vpnv4
  neighbor x.x.x.x route-map blackhole out

this requires that all PE's as well as the vpnv4 route-reflectors (if
present) know about the 192.168.0.1 prefix in the global routing table..

oli

>
>
> Seth
> -----Original Message-----
> From: Oliver Boehmer (oboehmer) [mailto:oboehmer@cisco.com]
> Sent: vrijdag 25 november 2005 14:57
> To: Daemen, Seth, VF-NL; cisco-nsp@puck.nether.net
> Subject: RE: [c-nsp] RTBH and MPLS network
>
> Daemen, Seth, VF-NL wrote on Friday,
> November 25, 2005 2:38 PM:
>
>> No I think not that RTBH behaves differently in MPLS networks.
>> But I have configuration problems.
>>
>> In the bgp configuration is a redistribute:
>>
>> static route-map black-hole-trigger
>>
>> The following route map is created:
>>
>> route-map black-hole-trigger, permit, sequence 10
>>   Match clauses:
>>     tag 66
>>   Set clauses:
>>     local-preference 200
>>     origin igp
>>     ip next-hop 192.0.2.1
>>
>> Static route:
>>
>> ip route vrf VPN_Internet 2.2.2.2 255.255.255.255 Null0 tag 66
>>
>> This works well the route 2.2.2.2 is advertised to the other routers
>> also the local-preference is applied. But the problem is that the ip
>> next-hop value is ignored. The next-hop address used is the ip
>> address of the advertising router.
>
> Aha, so you want to use this in an MPLS-*VPN* environment (three letters
> do make a difference :)
>
> You are right, the PE device in an MPLS-VPN will always do next-hop-self
> when it redistributes the routes into the vpnv4 mesh, this is how
> RFC2547bis works. You need to set the next-hop inbound or outbound at
> your vpnv4 neighbor. Please be aware that a MPLS-VPN PE looks into the
> global routing table to resolve the next-hop, so your route to 192.0.2.1
> needs to be in the global table..
>
> oli

------------------------------

Message: 2
Date: Fri, 25 Nov 2005 12:21:08 -0500 (Eastern Standard Time)
From: Alex Rubenstein
Subject: RE: [c-nsp] netflow on native 6509
To: "Oliver Boehmer \\(oboehmer\\)"
Cc: cisco-nsp@puck.nether.net
Message-ID:
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

Since I have written this, I spent about 5 hours experimenting.

I have found the following:

If you enable mls nde with:

mls flow ip interface-full
mls nde sender version 5
mls nde interface
ip flow-export version 5 origin-as
ip flow-export destination [collector] [port]

every flow across every interface will be sent to the collector.

HOWEVER, once you enter this global command:

mls sampling packet-based x y

No flows, I repeat, NO FLOWS are sent to the collector. I tested this
extensively.

As soon as you enter the following on an interface:

interface Blah4/5
 mls netflow sampling

Sampled netflow, at the rate defined in the global command, begins to flow
to the collector, ONLY FOR THE INTERFACES enabled on. And, only in the
inbound aspect.

Anyone else confirm this behavior?

On Fri, 25 Nov 2005, Oliver Boehmer \(oboehmer\) wrote:

> Alex Rubenstein <> wrote on Friday, November 25, 2005 3:15 AM:
>
>> Hello,
>>
>> Sup2, MSFC2, 12.1.26E Native (no CatOS).
>>
>> Fairly simple question. Running mls nde, is it globally on all
>> interfaces only, or can you enable/disable mls nde per interface?
>
> it is enabled globally for all interfaces on this platform/IOS release,
> so you need to filter the flows on the collector..
>
> oli
>

--
Alex Rubenstein, AR97, K2AHR, alex@nac.net, latency, Al Reuben
Net Access Corporation, 800-NET-ME-36, http://www.nac.net

------------------------------

Message: 3
Date: Fri, 25 Nov 2005 18:24:08 +0100
From: "Brian Turnbow"
Subject: RE: [c-nsp] cisco 2610 flash issue
To: "Rivo Tahina RAZAFINDRATSIFA" ,
Message-ID: <52964DBFB59FA34F98E96921BE21C906B23461@twt-exch.milano.twt>
Content-Type: text/plain; charset="iso-8859-1"

I've seen this with different tftp clients.
I use pumpkin and don't have problems
http://kin.klever.net/pumpkin/

If you check the nsp archives you can find other discussions about this.

Brian

-----Original Message-----
From: cisco-nsp-bounces@puck.nether.net [mailto:cisco-nsp-bounces@puck.nether.net] On Behalf Of Rivo Tahina RAZAFINDRATSIFA
Sent: venerdì 25 novembre 2005 11.44
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] cisco 2610 flash issue

Hi all,

I have a Cisco 2610 with 16 Meg of flash, when I'm trying to upgrade with a larger IOS, after erase, it says that there is not enough space when 8.3 Meg is downloaded.

Can anyone help?
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

------------------------------

Message: 4
Date: Fri, 25 Nov 2005 18:44:01 +0100
From: "Oliver Boehmer \(oboehmer\)"
Subject: RE: [c-nsp] netflow on native 6509
To: "Alex Rubenstein"
Cc: cisco-nsp@puck.nether.net
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED784014C361F@xmb-ams-333.emea.cisco.com>
Content-Type: text/plain; charset="us-ascii"

Alex,

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007e6f0.html#wp1060003
says:

---snip---
Sampled NetFlow

Sampled NetFlow exports data for a subset of the Layer 3-switched IP
packets instead of for all packets in a flow. Sampled NetFlow
substantially decreases the Supervisor Engine 2 CPU utilization.

Release 12.1(13)E and later releases support sampled NetFlow on the
Supervisor Engine 2.

With the full-interface or destination-source-interface flow masks, you
can enable or disable sampled NetFlow on each LAN port. With all other
flow masks, sampled Netflow is enabled or disabled globally.
---snip---

since you have "mls flow ip interface-full", you need to enable SNF on
the L3 interface(s).. sampled NF is processed on the MSFC

oli

Alex Rubenstein wrote on Friday, November 25, 2005 6:21 PM:

> Since I have written this, I spent about 5 hours experimenting.
>
> I have found the following:
>
> If you enable mls nde with:
>
> mls flow ip interface-full
> mls nde sender version 5
> mls nde interface
> ip flow-export version 5 origin-as
> ip flow-export destination [collector] [port]
>
> every flow across every interface will be sent to the collector.
>
> HOWEVER, once you enter this global command:
>
> mls sampling packet-based x y
>
> No flows, I repeat, NO FLOWS are sent to the collector. I tested this
> extensively.
>
> As soon as you enter the following on an interface:
>
> interface Blah4/5
>  mls netflow sampling
>
> Sampled netflow, at the rate defined in the global command, begins to flow
> to the collector, ONLY FOR THE INTERFACES enabled on. And, only in the
> inbound aspect.
>
> Anyone else confirm this behavior?
>
>
> On Fri, 25 Nov 2005, Oliver Boehmer \(oboehmer\) wrote:
>
>> Alex Rubenstein <> wrote on Friday, November 25, 2005 3:15 AM:
>>
>>> Hello,
>>>
>>> Sup2, MSFC2, 12.1.26E Native (no CatOS).
>>>
>>> Fairly simple question. Running mls nde, is it globally on all
>>> interfaces only, or can you enable/disable mls nde per interface?
>>
>> it is enabled globally for all interfaces on this platform/IOS
>> release, so you need to filter the flows on the collector..
>>
>> oli
>>
>
> --
> Alex Rubenstein, AR97, K2AHR, alex@nac.net, latency, Al Reuben
> Net Access Corporation, 800-NET-ME-36, http://www.nac.net

------------------------------

Message: 5
Date: Fri, 25 Nov 2005 19:45:07 +0100
From: "Asbjorn Hojmark - Lists"
Subject: RE: [c-nsp] C4510R and SFP interfaces
To: "'David Prall'" ,
Cc: cisco-nsp@puck.nether.net
Message-ID: <000001c5f1f0$5c6ed6a0$280a0a0a@hojmark.net>
Content-Type: text/plain; charset="us-ascii"

> With the most recent code, all ports on the supervisor can
> now be used. But, you will be oversubscribing if you use both
> 10ge and all 4 ge ports.

Are you sure? 12.2(25)SG config guide says:

"With Cisco Release 12.2(25)SG, you can simultaneously deploy the
dual 10 Gigabit Ethernet ports and the four Gigabit Ethernet SFP
ports. This capability is supported on the Catalyst 4503,
Catalyst 4506, and Catalyst 4507R chassis."

So: Only supported in *other* chassis than the 4510R, the OP is
using.

For 4510R, they say:
" When deploying a Catalyst 4510R chassis, one of three
> configurations is supported:
>
> . Enable the dual 10 -Gigabit Ethernet ports (X2 optics) only.
> . Enable the four Gigabit Ethernet ports (SFP optics) only.
> . Enable both the dual 10 Gigabit Ethernet and the four Gigabit
> Ethernet ports, with the understanding that the tenth slot
> (Flex-Slot) will only support a 2-port gigabit interface
> converter (GBIC) line card (WS-X4302-GB) when in this mode.

... Which I think is also what I wrote.

-A

> > -----Original Message-----
> > From: cisco-nsp-bounces@puck.nether.net
> > [mailto:cisco-nsp-bounces@puck.nether.net] On Behalf Of
> > Asbjorn Hojmark - Lists
> > Sent: Wednesday, November 23, 2005 5:03 PM
> > To: security@cytanet.com.cy
> > Cc: cisco-nsp@puck.nether.net
> > Subject: RE: [c-nsp] C4510R and SFP interfaces
> >
> > > We have a C4510R switches with Supervisor V-10GE. We have 4
> > > SFP interfaces which when we go to interface configuration,
> > > they return a message below
> > >
> > > Cisco(config-if)#interface GigabitEthernet1/3
> > >
> > > % WARNING: Interface GigabitEthernet1/3 is usable/operational
> > > only in gigabit
> > > % uplink configuration.
> >
> > That is expected. You must either:
> >
> > 1) Enable both 10G interfaces or
> > 2) Enable the four GE interfaces or
> > 3) Use just a 2-port GE line card in slot 10
> >
> > This is controllable with the 'hw-module uplink' command.
> >
> >
> > The reason is, the SupV-10GE is a 68 Gbps switching engine. In a
> > 4500, each slot (normally) gets 6G, and with 8 slots, that's 48G.
> > Add to that 20G on the supervisor and you have 68G and can't use
> > the GE ports. (Yes, that also means you're limited in what ports
> > you can use when running dual supervisors).
> >
> > -A
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp@puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/

------------------------------

Message: 6
Date: Fri, 25 Nov 2005 23:08:32 +0100 (CET)
From: Andrew Yourtchenko
Subject: Re: R: [c-nsp] lan-to-lan pix-vpn3k unidirectional problem
To: "Peder @ NetworkOblivion"
Cc: cisco-nsp Mailing List
Message-ID:
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

> you add a new crypto map entry, you ALWAYS have to de-apply and re-apply
> it for it to work correctly. I've even run into a lot of instances
> where changing the crypto map without de-applying it kills the pix and
> it needs to be physically powered off and on (management is dead). I
> generally use notepad and setup something like this.

In the early versions the being newly added crypto map entry would mean
"encrypt everything". And since the set peer statement was absent, and
transform set was absent - this would indeed nuke your SSH session from
outside - it would try to encrypt it, but there were no rules.

It's been quite a while since you should no longer need to remove the
crypto map off the interface before changing it - any entries that are
incomplete, are inactive until their configuration is finished, so it
should work. (CSCea89724 is a reference WRT when this was done -
6.2.3/6.3.2 and later should work as I have described)

Indeed removing/reapplying the crypto map as you mentioned works as well.

If while changing the crypto map your _serial_ console went dead - then
it would be a separate story with some different reason - which I can not
think of - never seen this happening.

thanks,
andrew

------------------------------

Message: 7
Date: Fri, 25 Nov 2005 18:10:54 -0500
From: "David Prall"
Subject: RE: [c-nsp] C4510R and SFP interfaces
To: "'Asbjorn Hojmark - Lists'" ,
Cc: cisco-nsp@puck.nether.net
Message-ID: <003401c5f215$7db92d90$3bd0520a@amer.cisco.com>
Content-Type: text/plain; charset="UTF-8"

Asbjorn,
As I stated in the email:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/relnotes/ol_5184.htm

Cisco Catalyst 4500 Series Supervisor Engine V-10GE Uplink Enhancement for
simultaneous use of 10-Gigabit Ethernet and the Gigabit Ethernet SFP
interfaces. (The Catalyst 4510R requires optional configuration. See the
"Configuring Interfaces" chapter.)

--------------------------------------------------------------------------------
Note On a Catalyst 4510R series switch, if you enable both the 10-Gigabit
Ethernet and the Gigabit Ethernet SFP uplink ports, you must re-boot the
switch. On the Catalyst 4503, 4506, and 4507R series switches, this
capability is automatically enabled.
--------------------------------------------------------------------------------

The above from the release notes states that they are on by default on all
chassis except the 4510R. On the 4510R they must be configured manually, and
it requires a reboot.

David

--
David C Prall dcp@dcptech.com http://dcp.dcptech.com

> -----Original Message-----
> From: Asbjorn Hojmark - Lists [mailto:Lists@Hojmark.ORG]
> Sent: Friday, November 25, 2005 1:45 PM
> To: 'David Prall'; security@cytanet.com.cy
> Cc: cisco-nsp@puck.nether.net
> Subject: RE: [c-nsp] C4510R and SFP interfaces
>
> > With the most recent code, all ports on the supervisor can
> > now be used. But, you will be oversubscribing if you use both
> > 10ge and all 4 ge ports.
>
> Are you sure? 12.2(25)SG config guide says:
>
> "With Cisco Release 12.2(25)SG, you can simultaneously deploy the
> dual 10 Gigabit Ethernet ports and the four Gigabit Ethernet SFP
> ports. This capability is supported on the Catalyst 4503,
> Catalyst 4506, and Catalyst 4507R chassis."
>
> So: Only supported in *other* chassis than the 4510R, the OP is
> using.
>
> For 4510R, they say:
> " When deploying a Catalyst 4510R chassis, one of three
> > configurations is supported:
> >
> > . Enable the dual 10 -Gigabit Ethernet ports (X2 optics) only.
> > . Enable the four Gigabit Ethernet ports (SFP optics) only.
> > . Enable both the dual 10 Gigabit Ethernet and the four Gigabit
> > Ethernet ports, with the understanding that the tenth slot
> > (Flex-Slot) will only support a 2-port gigabit interface
> > converter (GBIC) line card (WS-X4302-GB) when in this mode.
>
> ... Which I think is also what I wrote.
>
> -A
>
> > > -----Original Message-----
> > > From: cisco-nsp-bounces@puck.nether.net
> > > [mailto:cisco-nsp-bounces@puck.nether.net] On Behalf Of
> > > Asbjorn Hojmark - Lists
> > > Sent: Wednesday, November 23, 2005 5:03 PM
> > > To: security@cytanet.com.cy
> > > Cc: cisco-nsp@puck.nether.net
> > > Subject: RE: [c-nsp] C4510R and SFP interfaces
> > >
> > > > We have a C4510R switches with Supervisor V-10GE. We have 4
> > > > SFP interfaces which when we go to interface configuration,
> > > > they return a message below
> > > >
> > > > Cisco(config-if)#interface GigabitEthernet1/3
> > > >
> > > > % WARNING: Interface GigabitEthernet1/3 is usable/operational
> > > > only in gigabit
> > > > % uplink configuration.
> > >
> > > That is expected. You must either:
> > >
> > > 1) Enable both 10G interfaces or
> > > 2) Enable the four GE interfaces or
> > > 3) Use just a 2-port GE line card in slot 10
> > >
> > > This is controllable with the 'hw-module uplink' command.
> > >
> > >
> > > The reason is, the SupV-10GE is a 68 Gbps switching engine. In a
> > > 4500, each slot (normally) gets 6G, and with 8 slots, that's 48G.
> > > Add to that 20G on the supervisor and you have 68G and can't use
> > > the GE ports. (Yes, that also means you're limited in what ports
> > > you can use when running dual supervisors).
> > >
> > > -A
> > > _______________________________________________
> > > cisco-nsp mailing list cisco-nsp@puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
>

------------------------------

_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp

End of cisco-nsp Digest, Vol 36, Issue 95
*****************************************
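
The collector-side filtering recommended in the netflow thread above (messages 2 and 4), as an added example that is not from any poster on the list: a parser for the NetFlow version 5 datagrams that `ip flow-export version 5 origin-as` exports, keeping only records whose input ifIndex is wanted and scaling octet counts by the header's sampling interval. The ifIndex values, addresses and AS numbers are constructed, and the scaling is an estimate that assumes the exporter fills in the sampling field of the header.

```python
import ipaddress
import struct

# NetFlow v5: a 24-byte header followed by `count` 48-byte flow records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def parse_v5(datagram):
    """Return (sampling_interval, records) for one NetFlow v5 datagram."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, *_unused, sampling = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    interval = sampling & 0x3FFF  # low 14 bits; the top 2 bits are the mode
    records = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        records.append({
            "src": str(ipaddress.IPv4Address(f[0])),
            "dst": str(ipaddress.IPv4Address(f[1])),
            "input_if": f[3], "output_if": f[4],
            "packets": f[5], "octets": f[6],
            "proto": f[13], "src_as": f[15], "dst_as": f[16],
        })
    return interval, records


def octets_by_input(datagram, wanted_ifindexes):
    """Collector-side filter: estimated octets per wanted input ifIndex."""
    interval, records = parse_v5(datagram)
    scale = interval or 1  # 0 means the exporter reported no sampling
    totals = {}
    for r in records:
        if r["input_if"] in wanted_ifindexes:
            totals[r["input_if"]] = totals.get(r["input_if"], 0) + r["octets"] * scale
    return totals


def _record(src, dst, input_if, packets, octets):
    """Build one constructed TCP flow record (ports, ASNs, masks are made up)."""
    return RECORD.pack(
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
        bytes(4), input_if, 0, packets, octets, 0, 0,
        1024, 80, 0, 0x10, 6, 0, 64500, 64501, 24, 24, 0)


def sample_datagram():
    """Constructed export: sampling mode 1, interval 100, two records."""
    header = HEADER.pack(5, 2, 0, 1132960000, 0, 1, 0, 0, (1 << 14) | 100)
    return (header
            + _record("192.0.2.10", "198.51.100.5", 7, 3, 1500)
            + _record("192.0.2.11", "198.51.100.5", 9, 1, 40))


if __name__ == "__main__":
    print(octets_by_input(sample_datagram(), {7}))
```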