Re: [c-nsp] Cisco 6503 Sup2T Engine block outbound TCP or UDP Port traffic
On 02/01/2014 08:28 PM, Joseph Hardeman wrote:
> Hi Everyone,
>
> I have a SUP2T engine running IOS s2t54-ADVIPSERVICESK9-M version and I am wondering if there is a way to filter or block TCP or UDP port traffic. I know how to NULL route IPs but I don't know if there is a way to block or deny traffic based on destination ports, also based on IP ranges.
>
> Any ideas would be much appreciated.

Look for Access Control Lists. Just remember that all ACLs have a deny everything implicitly at the end. It may bite you a few times but you won't have trouble getting the hang of it.

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
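The ACL the reply points at, written out as an added example (not configuration from the thread or from Cisco's documentation). It blocks specific destination ports toward one address range, blocks a port range from one source range, and ends with an explicit permit so the implicit "deny ip any any" the reply warns about does not silently drop everything else. The ACL name, interface and the 192.0.2.0/24 and 198.51.100.0/24 prefixes (documentation ranges) are assumptions.

```cisco
! Added example, not from the original thread. Extended named ACL on a
! Sup2T-class IOS box; names, interface and prefixes are placeholders.
ip access-list extended BLOCK-PORTS-IN
 remark Drop Telnet and SNMP destined to the server range 192.0.2.0/24
 deny   tcp any 192.0.2.0 0.0.0.255 eq 23 log
 deny   udp any 192.0.2.0 0.0.0.255 eq 161
 remark Drop a whole port range from one untrusted source range
 deny   tcp 198.51.100.0 0.0.0.255 any range 135 139
 deny   udp 198.51.100.0 0.0.0.255 any range 135 139
 remark Explicit catch-all; without it the implicit deny at the end drops ALL other traffic
 permit ip any any
!
! Apply inbound on the interface where the traffic enters the box
interface TenGigabitEthernet1/1
 ip access-group BLOCK-PORTS-IN in
!
! Check that the entries are actually matching (hit counters per line)
! show ip access-lists BLOCK-PORTS-IN
! show ip interface TenGigabitEthernet1/1 | include access list
```

Two practical notes: on the 6500/Sup2T the ACL itself is evaluated in hardware, but entries carrying the `log` keyword are handled by the route processor, so keep `log` off high-volume entries; and the `permit ip any any` line is what turns this from a "deny only these ports" list into one that does not also deny the rest of the interface's traffic.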
[c-nsp] PPPoE Session
Hi all,

Can I control the session timeout via CLI? I.e. I want each PPPoE session to be disconnected automatically after, for example, 24 hours?
Re: [c-nsp] PPPoE Session
> Hi all,
>
> Can I control the session timeout via CLI? I.e. I want each PPPoE session to be disconnected automatically after, for example, 24 hours?

Yes We Can:

!
int dialer 3
 ...
 encapsulation ppp
 dialer pool 2
 dialer-group 1
 dialer idle-timeout 0
 dialer persistent
 no cdp enable
 keepalive 30
 ppp authentication chap ...
 ppp chap ...
 ...
 timeout absolute 1400 0
!

On the central side, you can put it into an interface virtual-template or set it thru AAA (radiator can calculate the value to fix the automatic disconnection to a given time).

Hope this helps,
Juergen.
Re: [c-nsp] PPPoE Session
Thanks for the reply. You mean the timeout absolute 1400 0, for example for 24 hours it should be 1440?

BR,

> From: c...@marenda.net
> To: gunner_...@live.com; cisco-nsp@puck.nether.net
> Subject: AW: [c-nsp] PPPoE Session
> Date: Sun, 2 Feb 2014 12:43:50 +0100
>
> > Hi all,
> >
> > Can I control the session timeout via CLI? I.e. I want each PPPoE session to be disconnected automatically after, for example, 24 hours?
>
> Yes We Can:
>
> !
> int dialer 3
>  ...
>  encapsulation ppp
>  dialer pool 2
>  dialer-group 1
>  dialer idle-timeout 0
>  dialer persistent
>  no cdp enable
>  keepalive 30
>  ppp authentication chap ...
>  ppp chap ...
>  ...
>  timeout absolute 1400 0
> !
>
> On the central side, you can put it into an interface virtual-template or set it thru AAA (radiator can calculate the value to fix the automatic disconnection to a given time).
>
> Hope this helps,
> Juergen.
Re: [c-nsp] Transparent WAN Encryption
On Sun, Feb 2, 2014 at 4:16 AM, Antonio Soares amsoa...@netcabo.pt wrote:
> Hello group,
>
> Service Provider WAN links are not secure anymore and I have more and more enterprise customers asking for transparent WAN encryption solutions. I came across these two products:
>
> EncryptTight: http://www.blackbox.com/Store/Results.aspx/Networking/Security-Optimization/Encryption/n-4294953119
> TrustNet: http://www.certesnetworks.com/securitysolutions/wan-encryption.html
>
> Anyone has experience with these products? This seems the ideal solution. The networks remain exactly the same as they were, we simply add these devices to do their job.

You can also look at Thales and SafeNet. They can also do Layer 2 encryption (think of it like encrypted VPLS). They come in 100M/1G/10G line rate boxes.

Eugeniu
Re: [c-nsp] TAC hits a new record level of aggravation...
On Sat, 1 Feb 2014, Mike Hale wrote:
> I was having weird issues but realized that it was because the file was too big. Not that there was an error message to that effect or anything.

Along the "file too big" line, is it really necessary for a show tech from a Nexus 7000 to be ~40 MB *compressed*?

jms

> On Feb 1, 2014 6:59 AM, Pavel Skovajsa pavel.skova...@gmail.com wrote:
> > Resurrecting this thread,
> >
> > Is any of you having issues uploading file attachments to TAC cases using the http java page? Somehow nobody in our org can upload anything - we have latest Firefox, latest Java from Sun, still after clicking the Submit button in the file upload window nothing happens.
> >
> > Regards,
> > -pavel skovajsa
> >
> > On Thu, Nov 7, 2013 at 12:13 PM, Antonio Soares amsoa...@netcabo.pt wrote:
> > > Another tool that is a nightmare. The new bug search tool: it hangs my IE 9, my FF 25, ... This is what FF tells me:
> > >
> > > A script on this page may be busy, or it may have stopped responding. You can stop the script now, or you can continue to see if the script will complete.
> > > Script: https://tools.cisco.com/bugsearch/resources-2.0.5/js/jquery-1.8.2.js:624
> > >
> > > Java, JavaScript, etc, why do we need that?
> > >
> > > Regards,
> > > Antonio Soares, CCIE #18473 (RS/SP)
> > > amsoa...@netcabo.pt
> > > http://www.ccie18473.net
> > >
> > > -----Original Message-----
> > > From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Justin M. Streiner
> > > Sent: Sunday, 3 November 2013 14:35
> > > To: cisco-nsp@puck.nether.net
> > > Subject: Re: [c-nsp] TAC hits a new record level of aggravation...
> > >
> > > On Sun, 3 Nov 2013, Jeff Kell wrote:
> > > > Customer support died a decade ago.
> > >
> > > For the front-end stuff, sure. To be fair, and to give credit where credit is due, I have dealt with some TAC engineers who have been incredibly helpful, professional, and responsive. For the things I generally reach out to TAC for, it seems like the level of response I've gotten recently has improved a bit from, say, two years ago.
> > >
> > > jms
Re: [c-nsp] Packet-level iSCSI debugging
On 02/02/2014 01:41, Mike Hale wrote:
> the utilization is well below 10gigs

What you mean here is that the utilization is well below 10gigs averaged over the sampling period. iSCSI is sensitive to dropped packets, and it could be that you're dropping packets due to traffic bursts which are too short to see on your graph sampling period (300 seconds? most graphs use 300s by default).

Check out the dropped packet counts on all your iSCSI ports and see what's happening there. Even better, monitor the packet drop rate on your graphing system and build up a profile of what's happening.

Nick
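The check Nick describes, as an added example (not from the original thread): shorten the interface's rate averaging window on every switch port facing an iSCSI initiator or target, then read the drop counters directly instead of trusting a 300 s graph. The interface name is an assumption, and the sample "show interfaces" lines are constructed to show what a microburst looks like in the output.

```cisco
! Added example, not from the original thread. IOS interface facing an
! iSCSI endpoint; interface name is a placeholder.
interface TenGigabitEthernet1/1
 load-interval 30     ! 30 s is the shortest averaging window IOS allows; 300 s default hides bursts
!
! Baseline the counters, let a busy window pass, then read them again:
! clear counters TenGigabitEthernet1/1
! show interfaces TenGigabitEthernet1/1 | include rate|drops|overrun
!
! Constructed sample of the relevant output lines. The signature of a
! microburst problem is "Total output drops" climbing while the averaged
! rates stay far below line rate:
!   30 second input rate 412000 bits/sec, 800 packets/sec
!   30 second output rate 9180000 bits/sec, 1200 packets/sec
!   Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 18342
```

For the "build up a profile" part, the same counters are exposed over SNMP as IF-MIB ifOutDiscards and ifInDiscards per interface; polling those at a short interval (and graphing the delta per poll rather than the raw counter) gives the drop-rate profile Nick suggests without depending on the 300 s traffic graph.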
Re: [c-nsp] Transparent WAN Encryption
If you are using a private MPLS (i.e. not over Internet) and have Cisco CE routers, consider GETVPN. For the reasons you mentioned, we as a customer went this direction. We needed to ensure our WAN (150 sites/multiple data centers) traveling across a variety of links/providers including DS1/DS3/Metro-E is secure. It has really scaled and worked well. GETVPN is VRF aware and can function on the PE side as well.

-jeff

Sent from my AT&T iPhone
Re: [c-nsp] Transparent WAN Encryption
hey,

> If you are using a private MPLS (i.e. not over Internet) and have Cisco CE routers, consider GETVPN.

There is no reason why you can't use GETVPN inside L3VPN. This is exactly one use case for GETVPN and many people are using it successfully. If you don't trust your provider at all, encrypting in CPE doesn't fly and you need separate routers. It's still good protection against traffic interception by a 3rd party.

--
tarko
Re: [c-nsp] PPPoE Session
> Thanks for the reply. You mean the timeout absolute 1400 0, for example for 24 hours it should be 1440?

Yes, you got it :-) ! It is timeout absolute minutes seconds, 1 day = 24 hours = 24*60 = 1440 minutes plus 0 seconds.
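The "central side" variant Juergen mentions earlier in the thread, as an added example (not configuration from the thread): the 24-hour absolute limit on the BRAS virtual-template so it applies to every PPPoE session terminated there, plus the per-user alternative via the standard RADIUS Session-Timeout attribute. Interface numbers, pool name and the `ppp timeout absolute` keyword are assumptions; check the keyword against the command reference of the IOS train in use, since the thread's dialer example uses the plain `timeout absolute` form.

```cisco
! Added example, not from the original thread. Central-side (BRAS) config;
! interface numbers and pool name are placeholders.
bba-group pppoe global
 virtual-template 1
!
interface Virtual-Template1
 ip unnumbered Loopback0
 peer default ip address pool PPPOE-POOL
 ppp authentication chap
 ! minutes seconds: 24 h * 60 = 1440 minutes, as worked out in the thread
 ppp timeout absolute 1440 0
!
! Per-user alternative: instead of a fixed interface value, have the RADIUS
! server return Session-Timeout (RFC 2865 attribute 27, value in SECONDS):
! 24 h = 86400 s. Constructed Access-Accept as the router would receive it:
!   Access-Accept
!     Session-Timeout = 86400
!
! Verify on the router:
! show pppoe session
! show caller timeouts      (absolute and idle timers per active session)
```

The unit difference is the usual trap: the IOS interface command counts minutes (and seconds), the RADIUS attribute counts seconds, so 1440 on the interface and 86400 from AAA are the same 24 hours.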
Re: [c-nsp] Transparent WAN Encryption
I'm looking for the simplest way to do it. Most customers have L2 connections between Data Centers. The edge device controlled by the customer is a Layer 2 Switch. The mechanisms like IPSec, GETVPN, FlexVPN, and so on, need a router in the edge. This implies modification of the customer's topologies. L2 encryption seems the perfect solution and it seems there are several options on the market.

Regards,
Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net

-----Original Message-----
From: Jeff Orr [mailto:j...@communicorr.com]
Sent: Sunday, 2 February 2014 17:25
To: Antonio Soares
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Transparent WAN Encryption
Re: [c-nsp] Transparent WAN Encryption
Great! Here are the links for those interested on this subject:

Thales: http://www.thales-esecurity.com/products-and-services/products-and-services/network-encryption-appliances/datacryptor-link-and-layer-2-encryption
SafeNet: http://www.safenet-inc.com/data-protection/network-encryption/

And here's another one I received offline:

Engage: http://www.engageinc.com/Products2/BlackDoor.htm

Now I'm trying to find if someone already made a comparison of the available options on the market.

Regards,
Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net

From: Eugeniu Patrascu [mailto:eu...@imacandi.net]
Sent: Sunday, 2 February 2014 12:47
To: Antonio Soares
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Transparent WAN Encryption

> You can also look at Thales and SafeNet. They can also do Layer 2 encryption (think of it like encrypted VPLS). They come in 100M/1G/10G line rate boxes.
>
> Eugeniu
[c-nsp] Debug Radius auth and passwords
Hi

I'm just troubleshooting Radius authentications for VPN and PPPoE access. I enabled Radius auth debug by:

debug radius authentication

But I see * as password in debug log. Is there any way to change this behavior? I would like to see what the user enters, as I need to check it is correct. I know that I can check this on Radius server level, but I would like to see this on the Cisco router at debug level. Is it possible?

Rob
Re: [c-nsp] Transparent WAN Encryption
Many of those devices do think that the WAN Ethernet is bit-transparent, not packet-oriented, unlimited MTU... In reality, those Ethernet links are MTU-limited, often with an Ethernet MTU of just 1500 or sometimes plus 1 or 2 VLAN tags. Full stop. No space for additional information, encryption header, etc. Or for jumbo frames found in iSCSI etc. applications.

BUT you need your Ethernet-crypto device to solve this, so when my switches on both ends have an MTU of 9216 bytes I would like the crypto-device to transport this even over the Ethernet link with an MTU of 1371. Very few of the products solve that, so take care in selecting your product; simple products think that you own a dark fibre where they can do anything, but in reality you just have a packet-switched link with singlemode fibres on both ends.

> I'm looking for the simplest way to do it. Most customers have L2 connections between Data Centers. The edge device controlled by the customer is a Layer 2 Switch. The mechanisms like IPSec, GETVPN, FlexVPN, and so on, need a router in the edge. This implies modification of the customer's topologies. L2 encryption seems the perfect solution and it seems there are several options on the market.

You can use Cisco routers to build an encrypting, transparent Ethernet link, bridging every packet including STP, CDP, LLDP... Needs some CPU on the router, that sets the limits, but this works well, even with limited links.

> Regards,
> Antonio Soares, CCIE #18473 (RS/SP)
> amsoa...@netcabo.pt
> http://www.ccie18473.net
Re: [c-nsp] Debug Radius auth and passwords
Hi Rob,

No. Passwords are obscured for security reasons.

Sincerely,
David.

On Feb 2, 2014, at 4:50 PM, Robert Hass robh...@gmail.com wrote:
> Hi
>
> I'm just troubleshooting Radius authentications for VPN and PPPoE access. I enabled Radius auth debug by:
>
> debug radius authentication
>
> But I see * as password in debug log. Is there any way to change this behavior? I would like to see what the user enters, as I need to check it is correct. I know that I can check this on Radius server level, but I would like to see this on the Cisco router at debug level. Is it possible?
>
> Rob
Re: [c-nsp] Twinax trivia check (was Re: Is there such a thing as a 10GBase-T SFP+ transceiver)
On 2/2/2014 5:49 PM, Murphy-Olson, Daniel E. wrote:
> Most of the switch vendors have an official compatibility list, but I've found that generally the most common compatibility issue is active vs passive twinax. Brocade edge switches and NICs are normally active only, which seems to come up a lot - because most short cables are passive unless they are Brocade branded. 5m is normally the cutoff for passive twinax. Pretty much everything else I've encountered supports passive.

But when these twinax cables are SFP-to-SFP connector, you'd think they would be more forgiving about the copper details between them, and just conform to the SFP+ attributes at the business ends. Still somewhat of a mystery, as there is no proper twinax standard like there is with 10G-SR, LR, LRM, ER, etc.

Jeff
Re: [c-nsp] Transparent WAN Encryption
On 3 Feb 2014, at 8:10 am, Antonio Soares amsoa...@netcabo.pt wrote:
> I'm looking for the simplest way to do it. Most customers have L2 connections between Data Centers. The edge device controlled by the customer is a Layer 2 Switch. The mechanisms like IPSec, GETVPN, FlexVPN, and so on, need a router in the edge. This implies modification of the customer's topologies. L2 encryption seems the perfect solution and it seems there are several options on the market.

What about MACsec? Works between 3560X/4500/4500X/Sup2T/etc for wire rate L2 encryption.

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/15.1/XE_330SG/configuration/guide/swmacsec.html#wp1334072 says:

This example shows how to configure Cisco TrustSec authentication in manual mode on an interface:

Switch# configure terminal
Switch(config)# interface tengiigabitethernet 1/1/2
Switch(config-if)# cts manual
Switch(config-if-cts-manual)# sap pmk 1234abcdef mode-list gcm-encrypt null no-encap
Switch(config-if-cts-manual)# no propagate sgt
Switch(config-if-cts-manual)# exit
Switch(config-if)# end

(It's a copy and paste, even the typos ;)).

Rgds,
- I.