from:"kell"


[ 
https://issues.apache.org/jira/browse/NIFI-2342?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15413640#comment-15413640
 ] 

Alexander Kell edited comment on NIFI-2342 at 8/9/16 2:49 PM:
--

of course, i will prepare a report and some screenshots from netstat.
we noticed that all SFTP Processors with schedule time 0 sec ( List SFTP, fetch 
SFTP, get SFTP ) have this issue ... netstat showed us there are thousends of 
open FTP connections ... 
Workaround is to set scheduletime to any vale > 0 sec, 10 ms for example 


was (Author: akell):
of course, i will prepare a report and some screenshots from netstat

> FTP processors don't close FTP conections when scheduling time = 0 sec
> --
>
> Key: NIFI-2342
> URL: https://issues.apache.org/jira/browse/NIFI-2342
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 0.5.1, 0.7.0, 0.6.1
>    Reporter: Alexander Kell
>Priority: Minor
>
> I noticed that all FTP processors don't close open connections when 
> scheduling time is 0 sec.
> When i set scheduling time to >0 sec (10 ms for example) it works fine .
> Maybe it is possible to set default scheduling time >0 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (NIFI-2342) FTP processors don't close FTP conections when scheduling time = 0 sec


[ 
https://issues.apache.org/jira/browse/NIFI-2342?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15413640#comment-15413640
 ] 

Alexander Kell commented on NIFI-2342:
--

of course, i will prepare a report and some screenshots from netstat

> FTP processors don't close FTP conections when scheduling time = 0 sec
> --
>
> Key: NIFI-2342
> URL: https://issues.apache.org/jira/browse/NIFI-2342
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 0.5.1, 0.7.0, 0.6.1
>    Reporter: Alexander Kell
>Priority: Minor
>
> I noticed that all FTP processors don't close open connections when 
> scheduling time is 0 sec.
> When i set scheduling time to >0 sec (10 ms for example) it works fine .
> Maybe it is possible to set default scheduling time >0 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Updated] (NIFI-2523) Add an "Undo" to the User Interface


 [ 
https://issues.apache.org/jira/browse/NIFI-2523?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Alexander Kell updated NIFI-2523:
-
Description: 
I am not sure whether this feature has been forgotten ... 
As a NiFi user, I'd like to be able to quickly undo an action, or series of 
actions, in case I accidentally delete or move one or more processors while 
editing them.
This feature is nessesary to work with nifi alot more effectivly


  was:
I am not sure whether this feature has been forgotten ... 



> Add an "Undo" to the User Interface
> ---
>
> Key: NIFI-2523
> URL: https://issues.apache.org/jira/browse/NIFI-2523
> Project: Apache NiFi
>  Issue Type: Improvement
>  Components: Core Framework, Core UI
>Reporter: Alexander Kell
>  Labels: usability
> Fix For: 1.1.0
>
>
> I am not sure whether this feature has been forgotten ... 
> As a NiFi user, I'd like to be able to quickly undo an action, or series of 
> actions, in case I accidentally delete or move one or more processors while 
> editing them.
> This feature is nessesary to work with nifi alot more effectivly



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Created] (NIFI-2523) Add an "Undo" to the User Interface

Alexander Kell created NIFI-2523:


 Summary: Add an "Undo" to the User Interface
 Key: NIFI-2523
 URL: https://issues.apache.org/jira/browse/NIFI-2523
 Project: Apache NiFi
  Issue Type: Improvement
  Components: Core Framework, Core UI
Reporter: Alexander Kell
 Fix For: 1.1.0


I am not sure whether this feature has been forgotten ... 




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Updated] (NIFI-2342) FTP processors don't close FTP conections when scheduling time = 0 sec


 [ 
https://issues.apache.org/jira/browse/NIFI-2342?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Alexander Kell updated NIFI-2342:
-
Fix Version/s: 1.0.0

> FTP processors don't close FTP conections when scheduling time = 0 sec
> --
>
> Key: NIFI-2342
> URL: https://issues.apache.org/jira/browse/NIFI-2342
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 0.5.1, 0.7.0, 0.6.1
>    Reporter: Alexander Kell
>Priority: Minor
> Fix For: 1.0.0
>
>
> I noticed that all FTP processors don't close open connections when 
> scheduling time is 0 sec.
> When i set scheduling time to >0 sec (10 ms for example) it works fine .
> Maybe it is possible to set default scheduling time >0 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Updated] (NIFI-2313) possibility to lock components on the screen


 [ 
https://issues.apache.org/jira/browse/NIFI-2313?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Alexander Kell updated NIFI-2313:
-
Fix Version/s: 1.0.0

> possibility to lock components on the screen
> 
>
> Key: NIFI-2313
> URL: https://issues.apache.org/jira/browse/NIFI-2313
> Project: Apache NiFi
>  Issue Type: Improvement
>  Components: Core UI
>    Reporter: Alexander Kell
>  Labels: features, usability
> Fix For: 1.0.0
>
>
> when you have a complex construct of processors and different components , 
> often it happens that you click the wrong component and move them over the 
> screen. Ofcourse a kind kind undo button would be nice but i guess a 
> functionality to lock components on the screen would be also helpful and 
> would improve usability a lot and i guess it is easier to realize as an undo 
> button.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Created] (NIFI-2342) FTP processors don't close FTP conections when scheduling time = 0 sec

2016-07-21 Thread Alexander Kell (JIRA)

Alexander Kell created NIFI-2342:


 Summary: FTP processors don't close FTP conections when scheduling 
time = 0 sec
 Key: NIFI-2342
 URL: https://issues.apache.org/jira/browse/NIFI-2342
 Project: Apache NiFi
  Issue Type: Bug
  Components: Core Framework
Affects Versions: 0.6.1, 0.7.0, 0.5.1
Reporter: Alexander Kell
Priority: Minor


I noticed that all FTP processors don't close open connections when scheduling 
time is 0 sec.
When i set scheduling time to >0 sec (10 ms for example) it works fine .

Maybe it is possible to set default scheduling time >0 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Created] (NIFI-2313) possibility to lock components on the screen

2016-07-19 Thread Alexander Kell (JIRA)

Alexander Kell created NIFI-2313:


 Summary: possibility to lock components on the screen
 Key: NIFI-2313
 URL: https://issues.apache.org/jira/browse/NIFI-2313
 Project: Apache NiFi
  Issue Type: Improvement
  Components: Core UI
Reporter: Alexander Kell


when you have a complex construct of processors and different components , 
often it happens that you click the wrong component and move them over the 
screen. Ofcourse a kind kind undo button would be nice but i guess a 
functionality to lock components on the screen would be also helpful and would 
improve usability a lot and i guess it is easier to realize as an undo button.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Created] (NIFI-2312) set different colors also for Processor groups

2016-07-19 Thread Alexander Kell (JIRA)

Alexander Kell created NIFI-2312:


 Summary: set different colors also for Processor groups
 Key: NIFI-2312
 URL: https://issues.apache.org/jira/browse/NIFI-2312
 Project: Apache NiFi
  Issue Type: Improvement
  Components: Core UI
Reporter: Alexander Kell


It is already possible to change the color of processors , unfortunately this 
is not possible for processorgroups , it would be really helpful to keep the 
overview of data flows by having different colors also for groups



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Closed] (NIFI-2179) ExecuteSQL and PutSQL can't assignt controller service

2016-07-11 Thread Alexander Kell (JIRA)


 [ 
https://issues.apache.org/jira/browse/NIFI-2179?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Alexander Kell closed NIFI-2179.


this is done, reason was a custom nar

> ExecuteSQL and PutSQL can't assignt controller service
> --
>
> Key: NIFI-2179
> URL: https://issues.apache.org/jira/browse/NIFI-2179
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 0.6.0, 0.6.1
> Environment: Windows 7 , Linux Red Hat Enterprise
>    Reporter: Alexander Kell
>Priority: Critical
>  Labels: ControllerService, SQL
> Attachments: Wrong_controllerservicetype.png
>
>
> ExecuteSQL Processor is broken, it is not possible to assignt a neccesary 
> controllerservice connection.
> I created a working SQL Controller , it is not possible to assignt this 
> controller to created ExecuteSQL Processor , even if i create one 
> controllerservice out of property page , it is not possible for the processor 
> to use this service. 
> It has probably nothing to do with changes in processor code ... it has 
> probably spomething to do with controller service  ... i just tested it with 
> 0.5.0 and it works ... it is broken since 0.6.0
> Maybe it has something to do with NIFI-1800: Tie Controller Services to 
> Process Groups.
> or 
> NIFI-1994: Fixed issue with Controller Service Fully Qualified Class 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Resolved] (NIFI-2179) ExecuteSQL and PutSQL can't assignt controller service

2016-07-09 Thread Alexander Kell (JIRA)


 [ 
https://issues.apache.org/jira/browse/NIFI-2179?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Alexander Kell resolved NIFI-2179.
--
   Resolution: Not A Problem
Fix Version/s: (was: 1.0.0)

It had something to do with a custom nar

org.apache.nifi.nar.ExtensionManager Attempt was made to load 
org.apache.nifi.dbcp.DBCPConnectionPool from 
org.apache.nifi.nar.NarClassLoader[.\work\nar\extensions\nifi-dbcp-service-nar-0.6.1.nar-unpacked]
 but that class name is already loaded/registered from 
org.apache.nifi.nar.NarClassLoader[.\work\nar\extensions\nifi-hsdg-nar-1.0.nar-unpacked].
  This may cause unpredictable behavior.  Order of NARs is not guaranteed.

> ExecuteSQL and PutSQL can't assignt controller service
> --
>
> Key: NIFI-2179
> URL: https://issues.apache.org/jira/browse/NIFI-2179
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 0.6.0, 0.6.1
> Environment: Windows 7 , Linux Red Hat Enterprise
>    Reporter: Alexander Kell
>Priority: Critical
>  Labels: ControllerService, SQL
> Attachments: Wrong_controllerservicetype.png
>
>
> ExecuteSQL Processor is broken, it is not possible to assignt a neccesary 
> controllerservice connection.
> I created a working SQL Controller , it is not possible to assignt this 
> controller to created ExecuteSQL Processor , even if i create one 
> controllerservice out of property page , it is not possible for the processor 
> to use this service. 
> It has probably nothing to do with changes in processor code ... it has 
> probably spomething to do with controller service  ... i just tested it with 
> 0.5.0 and it works ... it is broken since 0.6.0
> Maybe it has something to do with NIFI-1800: Tie Controller Services to 
> Process Groups.
> or 
> NIFI-1994: Fixed issue with Controller Service Fully Qualified Class 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (NIFI-2179) ExecuteSQL and PutSQL can't assignt controller service

2016-07-09 Thread Alexander Kell (JIRA)


[ 
https://issues.apache.org/jira/browse/NIFI-2179?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15368959#comment-15368959
 ] 

Alexander Kell commented on NIFI-2179:
--

I just rechecked on my home computer withour custome nar , it works with 0.61 
and 0.6.0 ... so it has probably something to do with our custom processor nar 
... i just figured our what went wrong ... 
org.apache.nifi.nar.ExtensionManager Attempt was made to load 
org.apache.nifi.dbcp.DBCPConnectionPool from 
org.apache.nifi.nar.NarClassLoader[.\work\nar\extensions\nifi-dbcp-service-nar-0.6.1.nar-unpacked]
 but that class name is already loaded/registered from 
org.apache.nifi.nar.NarClassLoader[.\work\nar\extensions\nifi-hsdg-nar-1.0.nar-unpacked].
  This may cause unpredictable behavior.  Order of NARs is not guaranteed.

> ExecuteSQL and PutSQL can't assignt controller service
> --
>
> Key: NIFI-2179
> URL: https://issues.apache.org/jira/browse/NIFI-2179
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 0.6.0, 0.6.1
> Environment: Windows 7 , Linux Red Hat Enterprise
>    Reporter: Alexander Kell
>Priority: Critical
>  Labels: ControllerService, SQL
> Fix For: 1.0.0
>
> Attachments: Wrong_controllerservicetype.png
>
>
> ExecuteSQL Processor is broken, it is not possible to assignt a neccesary 
> controllerservice connection.
> I created a working SQL Controller , it is not possible to assignt this 
> controller to created ExecuteSQL Processor , even if i create one 
> controllerservice out of property page , it is not possible for the processor 
> to use this service. 
> It has probably nothing to do with changes in processor code ... it has 
> probably spomething to do with controller service  ... i just tested it with 
> 0.5.0 and it works ... it is broken since 0.6.0
> Maybe it has something to do with NIFI-1800: Tie Controller Services to 
> Process Groups.
> or 
> NIFI-1994: Fixed issue with Controller Service Fully Qualified Class 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (NIFI-833) Add an "Undo" to the User Interface

2016-07-01 Thread Alexander Kell (JIRA)


[ 
https://issues.apache.org/jira/browse/NIFI-833?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15359985#comment-15359985
 ] 

Alexander Kell commented on NIFI-833:
-

I also agree with this feature wish , nifi is a great tool , but a little bit 
more comfort functionallity would be really nice and helps to improve the 
efficiency by working with nifi . Especially when you are building big 
Dataflows, without an undo functionallity it is really a pain.

> Add an "Undo" to the User Interface
> ---
>
> Key: NIFI-833
> URL: https://issues.apache.org/jira/browse/NIFI-833
> Project: Apache NiFi
>  Issue Type: Improvement
>  Components: Core UI
>Reporter: John Titus
>
> As a NiFi user, I'd like to be able to quickly undo an action, or series of 
> actions, in case I accidentally delete one or more processors while editing 
> them.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[ovs-dev] re



I have a proposal for you kindly E-mail me at mrrsshhui7...@hotmail.com

Yours Faithfully
Mrs Huian Shao
















__
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
__
___
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev

Bug#73611: re




I have a proposal for you kindly E-mail me at mrrsshhui7...@hotmail.com
Yours Faithfully
Mrs Huian Shao
















__
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
__

Bug#73611: re




I have a proposal for you kindly E-mail me at mrrsshhui7...@hotmail.com
Yours Faithfully
Mrs Huian Shao
















__
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
__

Bug#795270: re




I have a proposal for you kindly E-mail me at mrsshuai...@hotmail.com

Yours Faithfully
Mrs Huian Shao
















__
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
__

[Freesurfer] nifti1Read(): unsupported slice timing pattern 5 -- mri_convert fix?

2015-10-23 Thread Alex Kell

Hi,

I'm analyzing data from a collaborator who used SPM to generate some
niftis, and freesurfer is unable to read these.  I get the following error:
nifti1Read(): unsupported slice timing pattern 5

Someone previously

had the same problem that I currently have, and Doug sent them a modified
version of mri_convert.

Could you send me the modified version of mri_convert?


Thanks,
Alex
___
Freesurfer mailing list
Freesurfer@nmr.mgh.harvard.edu
https://mail.nmr.mgh.harvard.edu/mailman/listinfo/freesurfer


The information in this e-mail is intended only for the person to whom it is
addressed. If you believe this e-mail was sent to you in error and the e-mail
contains patient information, please contact the Partners Compliance HelpLine at
http://www.partners.org/complianceline . If the e-mail was sent to you in error
but does not contain patient information, please contact the sender and properly
dispose of the e-mail.

[Freesurfer] fsfast: using an empirically derived HRF with mkanalysis-sess

2014-09-14 Thread Alex Kell

hi freesurfers,

i would like to use an empirically derived HRF with mkanalysis-sess.  i
have derived the HRF i want [via an FIR model], but it's not obvious how i
can use my custom HRF with mkanalysis-sess.

one option, it seems, is to feed in my own regressors with the -taskreg
flag and then not supply the model with any other regressors of interest.
 i'd just convolve stick regressors that have the appropriate timing with
my own HRF.  but this would only work if selxavg3-sess does NOT convolve
task regressors with the HRF.

so two questions:

1. is the -taskreg flag the best way to do this?  is there another, better
way?

2. does selxavg3-sess convolve task regressors with the HRF?


thanks,
alex
___
Freesurfer mailing list
Freesurfer@nmr.mgh.harvard.edu
https://mail.nmr.mgh.harvard.edu/mailman/listinfo/freesurfer


The information in this e-mail is intended only for the person to whom it is
addressed. If you believe this e-mail was sent to you in error and the e-mail
contains patient information, please contact the Partners Compliance HelpLine at
http://www.partners.org/complianceline . If the e-mail was sent to you in error
but does not contain patient information, please contact the sender and properly
dispose of the e-mail.

Re: [Freesurfer] fsfast: using an empirically derived HRF with mkanalysis-sess

2014-09-14 Thread Alex Kell

and one point of clarification: i only care about beta weights for each
condition of interest, so i don't care that -taskreg would only run an
F-test for significance maps and wouldn't give me t maps for each regressor
of interest.


thanks again,
alex

On Sun, Sep 14, 2014 at 1:55 PM, Alex Kell alexk...@mit.edu wrote:

 hi freesurfers,

 i would like to use an empirically derived HRF with mkanalysis-sess.  i
 have derived the HRF i want [via an FIR model], but it's not obvious how i
 can use my custom HRF with mkanalysis-sess.

 one option, it seems, is to feed in my own regressors with the -taskreg
 flag and then not supply the model with any other regressors of interest.
  i'd just convolve stick regressors that have the appropriate timing with
 my own HRF.  but this would only work if selxavg3-sess does NOT convolve
 task regressors with the HRF.

 so two questions:

 1. is the -taskreg flag the best way to do this?  is there another, better
 way?

 2. does selxavg3-sess convolve task regressors with the HRF?


 thanks,
 alex


___
Freesurfer mailing list
Freesurfer@nmr.mgh.harvard.edu
https://mail.nmr.mgh.harvard.edu/mailman/listinfo/freesurfer


The information in this e-mail is intended only for the person to whom it is
addressed. If you believe this e-mail was sent to you in error and the e-mail
contains patient information, please contact the Partners Compliance HelpLine at
http://www.partners.org/complianceline . If the e-mail was sent to you in error
but does not contain patient information, please contact the sender and properly
dispose of the e-mail.

[Freesurfer] reading writing surface files in python

2014-06-30 Thread Alex Kell

hi freesurfers,

i'm looking to read and write freesurfer surface files in python -- like
MRIread.m  MRIwrite.m but for surfaces and in python.  i'm happy to write
the code myself, but it seems like the kind of thing that has been done
before and i don't want to reinvent the wheel if i don't have to.

i poked around and found pyfsio, which reads but doesn't write surfaces.
 any suggestions?


thanks,
alex
___
Freesurfer mailing list
Freesurfer@nmr.mgh.harvard.edu
https://mail.nmr.mgh.harvard.edu/mailman/listinfo/freesurfer


The information in this e-mail is intended only for the person to whom it is
addressed. If you believe this e-mail was sent to you in error and the e-mail
contains patient information, please contact the Partners Compliance HelpLine at
http://www.partners.org/complianceline . If the e-mail was sent to you in error
but does not contain patient information, please contact the sender and properly
dispose of the e-mail.

Re: [c-nsp] Need suggestion on cisco 3560 sw IOS

2014-06-26 Thread Jeff Kell

On 6/26/2014 6:09 PM, a.l.m.bu...@lboro.ac.uk wrote:

 on recent versions you can do the microcode update BEFORE the reload
 (check the update-sw flag list!) which saves loads of down time(!)

First I've heard of that one (!).

The microcode update is pervasive across the 3560s/3750s.  First time I
ran across it, I was doing a remote IOS update on a number of switches
at a preset maintenance window (reload at xx:yy)... most came right
back, but the ones doing the microcode update I thought were a
meltdown and I was packing up for a repair field trip before trying them
one last time before hitting the door...

Very annoying, and very unexpected the first time around...

Jeff
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] 4500X trivia question...

2014-06-20 Thread Jeff Kell

Just breaking ground with some 4500X switches...  and was curious...

With other Catalysts the switches are often oversubscribed... at least
the uplinks... but there were platform specific commands to determine
which ports were mapped to which ASICs and you could try to optimize
your loads across the physical ASICs...

Is this still the case with the 4500X?  It can't be line rate (not at 32
ports x 10Ggps)... so what's the breakdown on bandwidth here?

Jeff
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: No route to weather.gov

2014-06-11 Thread Jeff Kell

On 6/11/2014 11:13 PM, Hugo Slabbert wrote:
 No luck from here.

 weather.gov resolves as 204.227.127.201 for me, and I have no routes
 for that IP.

Likewise here, and we have various views.

 UTC-Border#show ip route 204.227.127.201
 % Network not in table

BGP path falls back to default route...

 UTC-Border#show ip bgp 204.227.127.201
 BGP routing table entry for 0.0.0.0/0, version 671407710
 Paths: (4 available, best #4, table Default-IP-Routing-Table)
 Multipath: eBGP

Jeff

Re: [WIRELESS-LAN] requests for open, unauthenticated, no portal WiFi

2014-05-20 Thread Jeff Kell

We use essentially the eduroam services guidelines
(https://www.eduroam.us/node/69) but we have bandwidth restrictions on
guest WiFi that are not applied to actual eduroam traffic.

Jeff

On 5/20/2014 1:31 PM, Heath Barnhart wrote:
 I'm using a simple ACL to restrict traffic. For VPN access we are
 allowing SSL and some well know ports used by many VPNs. My supervisor
 said he got the list from somewhere on Educause, though I never saw
 the actual documentation.
 -- 
 Heath Barnhart
 ITS Network Administrator
 Washburn University
 785-670-2307


 On Tue, 2014-05-20 at 12:01 +, Osborne, Bruce W (Network Services)
 wrote:
 Heath,

  

 What do you allow for VPN? There are several different technologies
 used.

  

 *Bruce Osborne*

 /Network Engineer – Wireless Team/

 *IT Network Services*

  

 *(434) 592-4229*

  

 *LIBERTY UNIVERSITY*

 /Training Champions for Christ since 1971/


  

 *From:* Heath Barnhart [mailto:heath.barnh...@washburn.edu]
 *Sent:* Monday, May 19, 2014 11:01 AM
 *Subject:* Re: requests for open, unauthenticated, no portal WiFi


  

 There are certain laws you might fall under if you allow open access,
 such as CALEA. We recently put in an open/unauthenticated network,
 but with restrictions. Visitors must still register there devices
 (thought there is no validation), we only allow for 3 days of access
 followed by a 3 day exclusion period, and we limit what services can
 be used to basic stuff like HTTP, HTTPS, FTP, SSH, and VPN.

  
 -- 
 Heath Barnhart
 ITS Network Administrator
 Washburn University
 785-670-2307


 On Thu, 2014-05-15 at 12:52 -0400, Chuck Anderson wrote:

  
 Has anyone had to deal with administration requests for completely
 open, unauthenticated WiFi with no captive port auth for guest access
 to use during events or generally?  What arguments do you use against
 this kind of deployment?  We are in a city and do not wish to become
 the ISP for surrounding neighborhoods.
  
 **
 Participation and subscription information for this EDUCAUSE Constituent 
 Group discussion list can be found at http://www.educause.edu/groups/.



**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

Re: Getting pretty close to default IPv4 route maximum for 6500/7600 routers.

2014-05-06 Thread Jeff Kell

On 5/6/2014 11:39 AM, Drew Weaver wrote:
 Hi all,

 I am wondering if maybe we should make some kind of concerted effort to 
 remind folks about the IPv4 routing table inching closer and closer to the 
 512K route mark.

 We are at about 94/95% right now of 512K.

 For most of us, the 512K route mark is arbitrary but for a lot of folks who 
 may still be running 6500/7600 or other routers which are by default 
 configured to crash and burn after 512K routes; it may be a valuable public 
 service.

Yes, a Sup720/PFC3CXL defaults to 512K IPv4 routes, and reconfiguring
the FIB requires a reload.  So I've been quietly expecting a somewhat
serious meltdown when we hit 512K :)

Jeff

Re: [c-nsp] 3750: SNMP-3-INPUT_QFULL_ERR, ssh session dies, show tech support fails, switch stack crashes on reload

2014-05-05 Thread Jeff Kell

On 5/5/2014 11:10 AM, Darren O'Connor wrote:
 Never seen it myself, but googling around brings up a few things.

 Did this recently start? Any other switch on the same code having the same 
 issues or not? Generally if five different devices all start having the same 
 issue an external issue is to blame. Maybe your SNMP server is sending a 
 particular packet that this IOS code doesn't like?

 Have you tried restarting SNMP itself on the switch?

Are these stacks of more than two switches?  And are they the original
3750Gs, or something else?

We have had recurring problems with a 4-stack of 3750-48Gs that for
various reasons end up with MALLOC errors (out of memory) and you can no
longer establish an SSH, Telnet, nor even serial console connection
%Low on memory, try again later.

This started with the 12.2 train and has continued into the 15.x train. 
We are NOT yet on the latest-and-greatest which as explained to me by
our account rep is a result of adding bells and whistles to the IOS
while these original 3750s are already memory constrained.  Supposedly
this was addressed in the most recent 15.x release to be more
conservative about memory utilization.  However, our stack is
presently stuck in the Low on memory, try again later state and will
require a hard reload (power cycle).  Supposedly this only affects
stacks of  2 switches.  Simply power cycling the current stack the last
time around lasted about an hour before running out of memory again. 
They continue to forward packets (thankfully) but you can't do anything
with them at all.  We plan an update to the latest 15.x release at the
next maintenance window, but since this stack powers one of our primary
server farms (top-of-racks), we can't just arbitrarily power cycle them.

TAC has been less than useful, and this started over a year ago, but
seems to recur more often in the 15.x train.

If this sounds familiar, I can provide some case numbers of past
attempts to remedy this... but previously a power-cycle would clear it
up for a few months (while the 15.x train is down to hours).

Jeff

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: We hit half-million: The Cidr Report

2014-04-29 Thread Jeff Kell

On 4/29/2014 2:06 PM, Owen DeLong wrote:
 If everyone who had 30+ inaggregable IPv4 prefixes replaced them with 1 (or 
 even 3) IPv6 prefixes…

 As a bonus, we could get rid of NAT, too. ;-)

 /me ducks (but you know I had to say it)

Yeah, just when we thought Slammer / Blaster / Nachi / Welchia / etc /
etc  had been eliminated by process of can't get there from here... we
expose millions more endpoints...

/me ducks too (but you know *I* had to say it)

Re: We hit half-million: The Cidr Report

2014-04-29 Thread Jeff Kell

On 4/29/2014 11:37 PM, TheIpv6guy . wrote:
 On Tue, Apr 29, 2014 at 7:54 PM, Jeff Kell jeff-k...@utc.edu wrote:
 On 4/29/2014 2:06 PM, Owen DeLong wrote:
 If everyone who had 30+ inaggregable IPv4 prefixes replaced them with 1 (or 
 even 3) IPv6 prefixes…
 As a bonus, we could get rid of NAT, too. ;-)
 /me ducks (but you know I had to say it)
 Yeah, just when we thought Slammer / Blaster / Nachi / Welchia / etc /
 etc  had been eliminated by process of can't get there from here... we
 expose millions more endpoints...

 /me ducks too (but you know *I* had to say it)

 No ducking here.  You forgot Nimda.  Do you have an example from the
 last 10 years of this class ?

Oh?  Anything hitting portmapper (tcp/135), or CIFS (tcp/445), or RDP
(tdp/3389 -- CVE-2012-0002 ring any bells?). 

The vulnerabilities never stop.  We just stop paying attention because
most of us have blocked 135-139 and 445 and 3389 at the border long ago.

Now granted that 80/443 (server-side) are more dangerous these days :) 
But that doesn't eliminate the original risks. 

These are ports that were originally open by default...  and if you
don't have a perimeter policy, you're wrong (policy, compliance,
regulation, etc).

Not to mention that PCI compliance requires you are RFC1918 (non-routed)
at your endpoints, but I digress...

Jeff

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread Jeff Kell

On 4/18/2014 9:53 PM, Dobbins, Roland wrote:
 On Apr 19, 2014, at 1:20 AM, William Herrin b...@herrin.us wrote:

 There isn't much a firewall can do to break it.
 As someone who sees firewalls break the Internet all the time for those whose 
 packets have the misfortune to traverse one, I must respectfully disagree.

If end-to-end connectivity is your idea of the Internet, then a
firewall's primary purpose is to break the Internet.  It's how we
provide access control.

If a firewall blocks legitimate, authorized access then perhaps it
adds to breakage (PMTU, ICMP, other blocking) but otherwise it works.

As to address the other argument in this threat on NAT / private
addressing, PCI requirement 1.3.8 pretty  much requires RFC1918
addressing of the computers in scope...  has anyone hinted at PCI for IPv6?

Jeff

Re: Requirements for IPv6 Firewalls

2014-04-18 Thread Jeff Kell

On 4/18/2014 10:10 PM, Dobbins, Roland wrote:
 On Apr 19, 2014, at 9:04 AM, Jeff Kell jeff-k...@utc.edu wrote:

 It's how we provide access control.
 Firewalls  'access control'.

 Firewalls are one (generally, very poor and grossly misused) way of providing 
 access control.  They're often wedged in where stateless ACLs in 
 hardware-based routers and/or layer-3 switches would do a much better job, 
 such as in front of servers:

I call BS...  what do you expect closes the gap, host firewalls?  Most
3rd party crap has no firewalls and gets no specific rules for local
LANs or authorized users.

Firewalls are front-line defense, for the crap that is too generic /
misconfigured to protect itself.  And there are tons of these.

Anyone ever pentested you?  It's an enlightening experience.

Jeff

Re: Heartbleed Bug Found in Cisco Routers, Juniper Gear

2014-04-12 Thread Jeff Kell

On 4/12/2014 8:55 PM, Harry Hoffman wrote:
 Didn't Cisco already release a bunch of updates related to Anyconnect and 
 heartbleed?

There were AnyConnect for iOS (little i, not big I) issues with
heartbleed, but everything else has been mostly phone and UCS related.
IOS XE is affected if you have enabled https:// administrative
interface.  Otherwise no (at least not yet, they're still checking).

There were, however, four separate security issues released this week
that affected SSL VPN, AnyConnect, and ASAs (I had to patch our ASAs
even though we do not do SSL VPN or AnyConnect, there is a DoS attack
possible via SIP).




signature.asc
Description: OpenPGP digital signature

Re: Yahoo DMARC breakage

2014-04-09 Thread Jeff Kell

On 4/9/2014 5:24 PM, valdis.kletni...@vt.edu wrote:
 On Wed, 09 Apr 2014 17:15:59 -0400, William Herrin said:

 Meh. This just means list software will have to rewrite the From
 header to From: John Levine nanog@nanog.org and rely on the
 Reply-To header for anybody who wants to send a message back to the
 originator.

 Maybe this is a good thing - we can stop getting all the sorry I'm
 out of the office emails when posting to a list.

 The sort of programmer that writes out-of-mind software that doesn't
 employ the long well-known heuristics for detecting mailing lists
 (starting with checking Return-Path: for owner- and similar) will also
 likely disregard the Reply-To: header.  This Is Not A Good Thing.

The most sane out-of-mind response should only be sent *if* the
out-of-mind person is named explicitly as a recipient in the RFC822
header.  Anything To: somelist@somehost does not qualify :)

Jeff

Re: Yahoo DMARC breakage

2014-04-09 Thread Jeff Kell

On 4/9/2014 6:11 PM, bmann...@vacation.karoshi.com wrote:
 On Wed, Apr 09, 2014 at 05:49:27PM -0400, Jeff Kell wrote:
 The most sane out-of-mind response should only be sent *if* the
 out-of-mind person is named explicitly as a recipient in the RFC822
 header.  Anything To: somelist@somehost does not qualify :)

 Jeff
   and just how is an algorithm supposed to detect that 
   jeff-k...@utc.edu is a single human and not a list?

Because *I* set the out-of-office notification for my email
address[es].  If I'm not in the recipient list, do not respond.  This is
a per user knob we are talking about here, so it knows darn well what
address[es] are me.

Jeff

Re: Yahoo DMARC breakage

2014-04-09 Thread Jeff Kell

On 4/9/2014 7:22 PM, Larry Sheldon wrote:
 On 4/9/2014 5:11 PM, bmann...@vacation.karoshi.com wrote:
 On Wed, Apr 09, 2014 at 05:49:27PM -0400, Jeff Kell wrote:

 The most sane out-of-mind response should only be sent *if* the
 out-of-mind person is named explicitly as a recipient in the RFC822
 header.  Anything To: somelist@somehost does not qualify :)

 Jeff

 and just how is an algorithm supposed to detect that
 jeff-k...@utc.edu is a single human and not a list?

 It is really too bad that there is not place to put a precedence
 that the software could key on--with values like bulk or junk or
 list.

Headers of your message include:

 Precedence: list
 List-Id: North American Network Operators Group nanog.nanog.org
 List-Unsubscribe: http://mailman.nanog.org/mailman/options/nanog,
  mailto:nanog-requ...@nanog.org?subject=unsubscribe
 List-Archive: http://mailman.nanog.org/pipermail/nanog/
 List-Post: mailto:nanog@nanog.org
 List-Help: mailto:nanog-requ...@nanog.org?subject=help
 List-Subscribe: http://mailman.nanog.org/mailman/listinfo/nanog,
  mailto:nanog-requ...@nanog.org?subject=subscribe
 Errors-To: nanog-bounces+jeff-kell=utc@nanog.org
 Return-Path: nanog-bounces+jeff-kell=utc@nanog.org

Proper mail clients can provide list links based on the List- headers,
but few if any actually do.

So take your pick, but my point remains, it still retains:

 Date: Wed, 9 Apr 2014 18:22:51 -0500
 From: Larry Sheldon larryshel...@cox.net
 Organization: Maybe tomorrow
 User-Agent: Mozilla/5.0 (Windows NT 5.1;
  rv:24.0) Gecko/20100101 Thunderbird/24.4.0
 To: nanog@nanog.org
 Subject: Re: Yahoo DMARC breakage

And I'm nowhere mentioned.  I only appear in the envelope RCPT TO:
RFC821 header, nowhere in the RFC822 header.

It's not rocket science if you have headers available (which even
Outlook can see, although you have to jump through a few hoops to see them).

Jeff
Jeff

Re: [fonc] Communicating with Aliens Problem

2014-04-08 Thread Stephen Kell

On Sun, 6 Apr 2014 22:01:03 -0400, Shawn Vincent wrote:
 I am very interested in learning more about the state of the art in
 the communicating with aliens problem mentioned here and other
 places.
 
 What techniques have been developed or considered for this?

Greetings from another lurker. I somehow mostly missed the previous
discussion here on this topic. (Now I look, 90% glue code is a good
summary of the status quo; will revisit that thread soon.) Anyway... 

... I did write a PhD thesis about some work in this area: linking
software that doesn't have matched interfaces. Note that there's
nothing distributed about this work. Sadly it's not a great thesis by
any means; I don't want to build it up. But if you wanted to read
something not too long, there was an OOPSLA paper in 2010 (that would
be delighted to have somebody read it :-).
http://dx.doi.org/10.1145/1869459.1869487 (or Google me for a
non-paywalled copy, or for the thesis...).

I had/have a whole raft of follow-up work that I would like to do. In
short, declaratively specifying your glue is the first step towards
generating it automatically. There's a lot that could be done. Sadly
this whole area seems too cold to get research funding by any means I
know right now.

Stephen
___
fonc mailing list
fonc@vpri.org
http://vpri.org/mailman/listinfo/fonc

Re: Anternet

2014-04-05 Thread Jeff Kell

On 4/5/2014 2:32 AM, Andrew D Kirch wrote:
 So, if there's more than 4 billion ants... what are they going to do?

Who knows, but they'll definitely need IPv6 :)

Jeff

Re: BGPMON Alert Questions

2014-04-02 Thread Jeff Kell

So we're somewhat safe until the fast food burger grills and fries
cookers advance to level-3 routing?  Or Daquiri blenders get their own
ASNs? 

Bad enough that professional folks can goof to this extent, but
scarier still that the Internet of Everything seems to progress
without bounds...

Jeff

On 4/2/2014 11:43 PM, Randy Bush wrote:
 We've detected 415,652 prefixes being hijacked by Indosat today.
 Those who do not understand AS7007 are doomed to repeat it?
 i very much doubt this is a 7007, where bgp was redistributed into rip,
 which sliced it into a jillion /24s, and then redistributed from rip
 back into bgp.

 of course the lack of filtering or origin validation is an endemic
 disease.

 randy

Re: A little silly for IPv6

2014-03-25 Thread Jeff Kell

On 3/26/2014 12:28 AM, Larry Sheldon wrote:
 According to the Ace of Spades HQ blog:

 IPv6 would allow every atom on the surface of the earth to have its
 own IP address, with enough spare to do Earth 100+ times.

Not with a /64 minimum allocation per customer :)

Jeff

Re: IPv6 isn't SMTP

2014-03-25 Thread Jeff Kell

On 3/26/2014 12:33 AM, Larry Sheldon wrote:
 On 3/25/2014 11:18 PM, John Levine wrote:
 3.  Arguing about IPv6 in the context of requirements upon SMTP
 connections is playing that uncomfortable game with
 ones own combat boots.  And not particularly productive.

 If you can figure out how to do effective spam filtering without
 looking at the IP addresses from which mail arrives, you will be in a
 position to make a whole lot of money.
 Is spam fighting really about SMTP?  Or is it about abuse of the
 transport layer by (among other things) the SMTP?

Well, with current spam, the transport layer is irrelevant, given the
proper phished credentials :(

Jeff

Re: Level 3 blames Internet slowdowns on ISPs' refusal to upgrade networks | Ars Technica

2014-03-20 Thread Jeff Kell

On 3/20/2014 7:32 PM, Jimmy Hess wrote:
 Then there is this whole matter of end-to-end connectivity. Just
 because your WAN device links up at 8 Megabits, does not mean you have
 been guaranteed 8 Mbits end-to-end.

Have run into this one more times that I care to count.  We're running
very marginally loaded links all around, and have setup speedtest site
locally to prove the issue is not local.  Our upstream Commodity
provider also has speedtest peer, and we can also point people there. 
You can point people to them to prove it's not between us and the next
hop.  Of course some folks just don't get it :)

You chase down the squeaky wheel complainers, and find them running IE
with a dozen toolbars, a few P2P clients, adware out the wazoo, and
other things I can barely bring myself to think about, let alone admit
in a public forum :)  And doing it over wireless, while they're
microwaving their dinner, and ignoring their wireless printer they never
bothered to disable since they plugged it in wired.  While playing XBox
with their wireless controllers, listening to Pandora over their
BlueTooth headset, while their roommate is watching Netflix (wirelessly)
on their smart TV, with the wireless subwoofer and back speakers.

Yeah, end-to-end guarantee?  It's difficult enough to prove you have the
first hop covered.

Plug the damned thing in the wall, download Malwarebytes / Spybot /
something, and deal with the real problem here, dude :)

Your internet sucks!.  Or as a recent Tweet from a student mentioned,
Fix the Mother Effing wireless in the dorms.

(The dorm with the 802.11n / gig ports on the APs / etherchannels back
to the data center, nonetheless).

Jeff

Re: [WIRELESS-LAN] 11ac migration question

2014-03-17 Thread Jeff Kell

On 3/17/2014 5:12 PM, Kitri Waterman wrote:
 Thomas,

 We're looking at the same antenna for an auditorium space as well, so
 glad to hear it's worked out for you.

 Considering this universal mount or similar:
 http://www.terra-wave.com/shop/universal-articulating-mount-p-672.html

Does this work on Aruba APs ?

Jeff

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

Re: [WIRELESS-LAN] 11ac migration question

2014-03-17 Thread Jeff Kell

On 3/17/2014 10:56 PM, Frank Sweetser wrote:
 Well damn.  I had been hoping that clients would have gotten at least
 a little smarter in their roaming decisions, but clearly that was just
 wishful thinking.

Well, some client drivers will let you tweak the advanced settings.  I
know I can prefer 5Ghz and I can prefer N on my aging laptop (yeah,
it was my Dell below, trying to track a client issue back to the wiring
closet where we hung a leftover Aruba AP65 (a/b/g only), and my own
freaking laptop was hanging on to an n on a floor below).

It also appears that iOS 7.1 update changed the captive portal
detection on Apple devices... so if you're having issues with your
registration portal for new devices, you might double-check their
captive portal site check.

We've had a *flood* of iOS devices that couldn't register on the
network today...

Jeff


 Thanks all for the confirmation...

 Frank Sweetser fs at wpi.edu|  For every problem, there is a
 solution that
 Manager of Network Operations   |  is simple, elegant, and wrong.
 Worcester Polytechnic Institute |   - HL Mencken

 On 3/16/2014 1:04 AM, Jeff Kell wrote:
 Have seen similar results with Dell laptop locking onto 802.11n at a
 distance
 and ignoring same room a/b/g.  We are trying to avoid mixed
 deployments, and
 sounds like the same concerns extend to 11ac as well.

 Jeff

 On 3/15/2014 11:12 PM, Alok Vimawala wrote:
 Hi Frank,

 We just had an interesting incident in one of our buildings where
 half of
 the ac radios stopped working. The building has Cisco 3602i APs with
 the
 add-on 802.11ac Wave-1 module. So, the building turned into a mixed
 802.11n
 and 802.11ac deployment on the 5GHz spectrum. What we saw in that
 building
 was that new Apple MacBook Pros with the 802.11ac capable chipsets were
 preferring to associated with a bad 802.11ac signal rather than
 connecting
 to a great (AP right above the laptop) 802.11n signal.

 Clients seem to prefer protocols with highest theoretical throughput
 regardless of signal strength and that behavior hasn't really
 changed since
 the days when 802.11n was first introduced. My recommendation would
 be to
 avoid mixed 5GHz 802.11n and 802.11ac environments.

 Thanks,

 Alok Vimawala
 University of Michigan


 On Sat, Mar 15, 2014 at 9:54 PM, Frank Sweetser f...@wpi.edu
 mailto:f...@wpi.edu wrote:

 Hello all,

   we're beginning plans to upgrade our wireless infrastructure
 from 11n
 to 11ac, and I'm hoping that someone can chime in on their
 experience
 with mixed capability buildings.

 When we first went from  11a/b/g to 11n, we found that clients in
 buildings with mixed capability APs had some odd roaming issues
 - and by
 odd, I mean utterly braindead.  A fair number of clients would
 aggressively latch onto an 11n AP at -80, while ignoring an
 a/b/g AP in
 the same room at -50, with predictably poor results.  In the
 end, we had
 to ensure that buildings were upgraded in full, rather than
 incrementally, to fix the complaints.

 My question is, has anyone seen similar issues in buildings with
 a mix
 of 11ac and 11n APs?

 --
 Frank Sweetser fs at wpi.edu http://wpi.edu|  For every
 problem,
 there is a solution that
 Manager of Network Operations   |  is simple, elegant, and wrong.
 Worcester Polytechnic Institute |   - HL Mencken

 **
 Participation and subscription information for this EDUCAUSE
 Constituent
 Group discussion list can be found at
 http://www.educause.edu/groups/.


 ** Participation and subscription information for this EDUCAUSE
 Constituent Group discussion list can be found at
 http://www.educause.edu/groups/.


 ** Participation and subscription information for this EDUCAUSE
 Constituent Group discussion list can be found at
 http://www.educause.edu/groups/.


 **
 Participation and subscription information for this EDUCAUSE
 Constituent Group discussion list can be found at
 http://www.educause.edu/groups/.


**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

Re: [WIRELESS-LAN] 11ac migration question

2014-03-17 Thread Jeff Kell

I sort of missed my conclusion... so my apologies, let me add that part...

On 3/17/2014 11:04 PM, Jeff Kell wrote:
 Well, some client drivers will let you tweak the advanced settings.
 I know I can prefer 5Ghz and I can prefer N on my aging laptop
 (yeah, it was my Dell below, trying to track a client issue back to
 the wiring closet where we hung a leftover Aruba AP65 (a/b/g only),
 and my own freaking laptop was hanging on to an n on a floor below).
 It also appears that iOS 7.1 update changed the captive portal
 detection on Apple devices... so if you're having issues with your
 registration portal for new devices, you might double-check their
 captive portal site check.

I suppose you can provide the option for user-selectable advanced
settings (perfer 5Ghz, perfer N, turn off wireless upon wired connect,
etc) all have their benefits, but also mean that any user that can find
the right buttons can shoot themselves in the foot :)

And when the vendors make less than ideal choices (if Apple is choosing
5G or choosing n or ac if available) it shoots many of their users
in the foot. 

That would clearly be a design decision that nobody can really
universally be happy about (just look at Bonjour, mDNS, AppleTV, etc...
fine for home, lousy for campus/enterprise).

As personal (BYOD) things continue to grow in popularity, we need to
EXPECT them to be optimized for home use.  I suppose not until the
density of these devices get to the point where apartment neighbors are
fighting with each other by pushing content to the other's AppleTVs...
and we have some controversy / conflict / court cases, they're not going
to get the hint either :(

There is no universally predictable model to follow, but (hint,
hint...) if you have authenticated to a wireless network via
802.1X/WPA2/Enterprise, hey, you're probably not in somebody's house :)

Waiting on DHCP options to support some of these ideas... assuming they
would be supported afterward (e.g., DNS suffix search list finally
approved, and still not accepted by any windows clients).  But oh wait,
DHCP... in IPv6 days?  What WAS I thinking of...  :)

Jeff
Jeff

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

Re: [WIRELESS-LAN] 11ac migration question

2014-03-15 Thread Jeff Kell

Have seen similar results with Dell laptop locking onto 802.11n at a
distance and ignoring same room a/b/g.  We are trying to avoid mixed
deployments, and sounds like the same concerns extend to 11ac as well. 

Jeff

On 3/15/2014 11:12 PM, Alok Vimawala wrote:
 Hi Frank,

 We just had an interesting incident in one of our buildings where half
 of the ac radios stopped working. The building has Cisco 3602i APs
 with the add-on 802.11ac Wave-1 module. So, the building turned into a
 mixed 802.11n and 802.11ac deployment on the 5GHz spectrum. What we
 saw in that building was that new Apple MacBook Pros with the 802.11ac
 capable chipsets were preferring to associated with a bad 802.11ac
 signal rather than connecting to a great (AP right above the laptop)
 802.11n signal.

 Clients seem to prefer protocols with highest theoretical throughput
 regardless of signal strength and that behavior hasn't really changed
 since the days when 802.11n was first introduced. My recommendation
 would be to avoid mixed 5GHz 802.11n and 802.11ac environments.

 Thanks,

 Alok Vimawala
 University of Michigan


 On Sat, Mar 15, 2014 at 9:54 PM, Frank Sweetser f...@wpi.edu
 mailto:f...@wpi.edu wrote:

 Hello all,

   we're beginning plans to upgrade our wireless infrastructure
 from 11n to 11ac, and I'm hoping that someone can chime in on
 their experience with mixed capability buildings.

 When we first went from  11a/b/g to 11n, we found that clients in
 buildings with mixed capability APs had some odd roaming issues -
 and by odd, I mean utterly braindead.  A fair number of clients
 would aggressively latch onto an 11n AP at -80, while ignoring an
 a/b/g AP in the same room at -50, with predictably poor results.
  In the end, we had to ensure that buildings were upgraded in
 full, rather than incrementally, to fix the complaints.

 My question is, has anyone seen similar issues in buildings with a
 mix of 11ac and 11n APs?

 -- 
 Frank Sweetser fs at wpi.edu http://wpi.edu|  For every
 problem, there is a solution that
 Manager of Network Operations   |  is simple, elegant, and wrong.
 Worcester Polytechnic Institute |   - HL Mencken

 **
 Participation and subscription information for this EDUCAUSE
 Constituent Group discussion list can be found at
 http://www.educause.edu/groups/.


 ** Participation and subscription information for this
 EDUCAUSE Constituent Group discussion list can be found at
 http://www.educause.edu/groups/.



**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

[c-nsp] EIGRP potentially silly question...

2014-03-05 Thread Jeff Kell

After a deployment of EIGRP with the intent of providing link
utilization based load-sharing as opposed to round robin, I get the
rude awakening that the default k-values for EIGRP do NOT include link
utilization.

Any shortcuts / workarounds / etc to resetting k-values site-wide
without breaking each individual peering as the values are changed? 
(EIGRP won't peer with mismatched k-values...)

Jeff

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: Permitting spoofed traffic [Was: Re: ddos attack blog]

2014-02-14 Thread Jeff Kell

On 2/14/2014 9:07 PM, Paul Ferguson wrote:
 Indeed -- I'm not in the business of bit-shipping these days, so I
 can't endorse or advocate any particular method of blocking spoofed IP
 packets in your gear.

If you're dead-end, a basic ACL that permits ONLY your prefixes on
egress, and blocks your prefixes on ingress, is perhaps the safest bet. 
Strict uRPF has it's complications, and loose uRPF is almost too
forgiving.  If you're providing transit, it gets much more complicated
much more quickly, but the same principles apply (they just get to be a
less-than-100% solution)  :)

 I can, however, say with confidence that it is still a good idea.
 Great idea, even. :-)

Oh yeah :)

Jeff



signature.asc
Description: OpenPGP digital signature

Re: [WIRELESS-LAN] How many drops 802.11ac phase 2

2014-02-07 Thread Jeff Kell

On 2/7/2014 7:11 PM, Green, William C wrote:
 We pull one 6a also.  That makes enough of us to drink together comfortably 
 at the next Educause party.

 Most of our APs are one 5e.  As well discussed, I also expect GE to be 
 sufficient for a number of years, but I never bet against more bandwidth (we 
 consume 3 orders of magnitude more WAN bandwidth than from when I started my 
 career).  Power use to be my concern driving the consideration for two cables 
 (and I think we have that in several buildings), but not with the new POE 
 standards.

 Given the amount of 5e out there (thinking beyond WiFi), the magic of market 
 forces will likely provide additional options for more bandwidth across 5e 
 (just look at the  options for Cat 3 as ugly as they might be).  

I've heard rumors from several sources about a multi-Gig network
interface model that can push 1Gbps  some-rate  10Gbps over Cat5e.

It would be a forklift upgrade to take advantage, but it was an
interesting compromise that would be appealing for an older installed
base.

And while I'm replying...  we are just doing single runs, but we're
doing Cat6 in recent projects and no 5e yet.  We haven't jumped to Cat6A
(yet).  We considered double runs with 11ac coming, and we're an Aruba
shop (they have two ports on newer APs) but we're rethinking some of
that mainly due to density / coverage collapse (if 11ad rolls out, with
it's 60Ghz band, coverage area/interference get to be a major pain).

We've also ditched 62.5u MM fiber for 50u OM3/OM4 similarly (there was a
ton of 62.5 done initially that is absolutely useless beyond 1Gbps).

Jeff

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

Re: Twinax trivia check (was Re: Is there such a thing as a 10GBase-T SFP+ transciever)

2014-02-02 Thread Jeff Kell

On 2/2/2014 4:03 PM, Bryan Tong wrote:
 These cables are most commonly known as Direct Attach Copper SFP+

The big issue appears to be that these are not always consistently
functional crossing vendor lines (sometimes product lines within the
same vendor).  There does not appear to be any standardization in
place.  Not sure how much of this is picky vendor software looking for
branded marks in their transceivers (e.g., Cisco service
unsupported-transceiver) versus true incompatibilities.

We have had issues in test cases crossing vendor lines (Cisco / Brocade
/ Dell / HP) with a twinax link that just simply won't work.  If
anyone has a clear explanation or better understanding, I'm all ears. 
Personal experience comes from only a few testbed cases.

Jeff

Re: [c-nsp] Twinax trivia check (was Re: Is there such a thing as a 10GBase-T SFP+ transciever)

2014-02-02 Thread Jeff Kell

On 2/2/2014 5:49 PM, Murphy-Olson, Daniel E. wrote:
 Most of the switch vendors have an official compatibility list, but I've 
 found that generally the most common compatibility issue is active vs passive 
 twinax. 

 Brocade edge switches and nics are normally active only, which seems to come 
 up a lot - because most short cables are passive unless they are brocade 
 branded.  5m is normally the cutoff for passive twinax.  Pretty much 
 everything else I've encountered supports passive.

But when these twinax cables are SFP-to-SFP connector, you'd think
they would be more forgiving about the copper details between them, and
just conform to the SFP+ attributes at the business ends. 

Still somewhat of a mystery, as there is no proper twinax standard
like there is with 10G-SR, LR, LRM, ER, etc.

Jeff

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] TAC hits a new record level of aggravation...

2014-02-01 Thread Jeff Kell

Could we petition for an HTML 1.0, old-school, no-javascript, no Java
apps, alternative TAC site?

Then look at the usage statistics between the two?  :)

And bring back ftp.cisco.com :)

Jeff

On 2/1/2014 12:41 PM, Chris Marget wrote:
 I tried two operating systems and four browsers yesterday. I couldn't
 upload files that were just a few hundred KB.

 /chris


 On Sat, Feb 1, 2014 at 9:54 AM, Pavel Skovajsa 
 pavel.skova...@gmail.comwrote:

 Resurrecting this thread,

 Is any of you having issues uploading file attachments to TAC cases using
 the http java page? Somehow nobody in our org can upload anything - we have
 latest Firefox, latest Java from Sun, still after clicking the Submit
 button in the file upload window nothing happens.

 Regards,
 -pavel skovajsa


 On Thu, Nov 7, 2013 at 12:13 PM, Antonio Soares amsoa...@netcabo.pt
 wrote:

 Another tool that is a nightmare. The new bug search tool: it hangs my IE
 9,
 my FF 25, ...

 This is what FF tells me:

 A script on this page may be busy, or it may have stopped responding.
 You
 can stop the script now, or you can continue to see if the script will
 complete.

 Script:
 https://tools.cisco.com/bugsearch/resources-2.0.5/js/jquery-1.8.2.js:624
 

 Java, JavaScript, etc, why do we need that ?


 Regards,

 Antonio Soares, CCIE #18473 (RS/SP)
 amsoa...@netcabo.pt
 http://www.ccie18473.net


 -Original Message-
 From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
 Justin M. Streiner
 Sent: domingo, 3 de Novembro de 2013 14:35
 To: cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] TAC hits a new record level of aggravation...

 On Sun, 3 Nov 2013, Jeff Kell wrote:

 Customer support died a decade ago.
 For the front-end stuff, sure.

 To be fair, and to give credit where credit is due, I have dealt with
 some
 TAC engineers who have been incredibly helpful, professional, and
 responsive.  For the things I generally reach out to TAC for, it seems
 like
 the level of response I've gotten recently has improved a bit from, say,
 two
 years ago.

 jms
 ___



___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: Will a single /27 get fully routed these days?

2014-01-25 Thread Jeff Kell

(snip)

I doubt that anything  /24 will ever be eligible as a portable
provider independent block.  If within a provider, you can slice and
dice as you wish.

Jeff

[c-nsp] 3750G memory leak?

2014-01-24 Thread Jeff Kell

Just curious...  has anyone had issues with memory leaks on 3750Gs?  We
have had nightmares from a 4-switch stack of 3750G-48TS's (IP Services).

Runs for months, then you try to write mem and get memory allocation
errors and it fails.  It progresses a bit further and you can no longer
get serial console, telnet, or SSH either.

Have had several suggested workarounds and software upgrades; we're on
almost bleeding edge (15.something SE4, while SE5 is latest).  I'd tell
you what version it is if I could get into it :)

Used to just reload and it would work another few months, but tonight's
reload we immediately couldn't get into the serial console (%%Low on
memory - Try again later).

Starting to think this is a hardware issue as we haven't seen it on any
other 3750s, wondering if anyone else has seen this.

Jeff

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [WIRELESS-LAN] Guest Network Access Policy

2014-01-16 Thread Jeff Kell

On 1/16/2014 4:55 PM, Alexander, David wrote:
 1)  Do you allow guests on your wireless network?

Yes.

 a.   If you allow guests, what steps do they need to take to gain
 access to the network (eg. sponsorship, MAC registration, open network)?


We provide 'eduroam' for participating guests, otherwise you need a
sponsored guest account (gives you full access), or for rush
last-minute cases we have a WPA2/PSK SSID and distribute the preshared
key to certain individuals authorized to hand out guest access.  The
eduroam and PSK traffic goes out with access controls (the Eduroam
recommended protocols/ports) and is rate limited.  Sponsored guests are
essentially open.  All are treated as outside access...  they can only
reference campus services open to the public and those connections
traverse our border firewall.

 b.  If you require sponsorship or device registration, can you
 explain the process or give me a pointer to your policy?


Currently only certain individuals can provide guest accounts, it's not
open to any registered campus user.

 2)  Is your wireless network completely open in any part of your
 campus (eg. Library, student center, event spaces, athletic fields, etc.)?


Essentially no.  At our athletic facilities we have provisions for
wired guests on certain ports to facilitate media/press/others, but
otherwise no, there is no open access (CALEA concerns, among others).

Jeff

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

Re: [c-nsp] Re-licensing secondhand Cisco equipment

2014-01-07 Thread Jeff Kell

For some hardware, especially the fixed-chassis Catalysts, there is a
limited lifetime warranty that is supposed to include software
updates, particularly those related to security defects and known
release defects.

However, the current TAC downloads will show releases, but requests a
login to actually download.  I don't have a non-contracted login to try
to see if this works for an arbitrary warranty download, or to what
extent it covers software updates.  I'd very much like to know the
official process :)

Jeff

On 1/7/2014 7:12 PM, Tony wrote:
 I can confirm getting software from TAC due to a PSIRT vulnerability as well, 
 it's not usually too much trouble (although more hassle than just being able 
 to download it).


 We had the strange situation where an EOL piece of kit was out of maintenance 
 and past the date for adding maintenance to it. We needed a software update 
 for it but could NOT purchase maintenance for it (we tried !) and so could 
 not download the file via Cisco website.


 Found a PSIRT issue that was revelant to the box in question and then opened 
 a case with TAC referencing this and eventually got the software we needed.



___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[Bug ada/59671] Improper Ada behavior under -gnat2012

2014-01-05 Thread p-kell at live dot com

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=59671

Patrick Kelly p-kell at live dot com changed:

   What|Removed |Added

 Status|RESOLVED|UNCONFIRMED
 Resolution|DUPLICATE   |---

--- Comment #2 from Patrick Kelly p-kell at live dot com ---
Exactly why I marked this as blocker. There is no workaround. -gnat2012 will
not compile properly, plain and simple. Adding out to a parameter of a
function results in this error. Stepping back to -gnat2005 is not a workaround,
it's moving to a different language; it's a less severe form of moving from,
say Ada to ALGOL.

I disagree with this being a duplicate, as the problem in that report, which I
read prior to filing this one, is an issue with pragmas behavior, while this is
with out parameters of functions; these are not the same thing. Two different
issues are reporting the same error message; the error message is what is
common, not the error.

[Bug ada/59671] Improper Ada behavior under -gnat2012

2014-01-05 Thread p-kell at live dot com

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=59671

--- Comment #4 from Patrick Kelly p-kell at live dot com ---
Let's say I'm trying to build a library/package, tens thousands of lines long,
provided by someone else. Is changing every instance of a function with an
out parameter to a procedure with an out parameter, and an additional out
for what used to be the return, really a workaround? For a convenient little
test case, sure, it's a workaround. For real code projects, in no way is the
proposed a valid workaround. Just because I happened to encounter this early on
in a project, where I could work around it, doesn't mean it wouldn't be
encountered late, possibly at release time.

Nearly identical, yes, nearly having quite an important role in semantics.
Code that fits the ARM2012 is not properly compiling under -gnat2012. The
duplicate bug was in regards to pragmas causing this. This bug is in regards
to out parameters on functions. I've already stated this. If you consider
them to be identical issues, then at this point I ask how? How are directives
and subroutines even closely related to each other?

I thought I was clear of the steps needed to produce it. Compile, using the
flags listed, with a function utilizing an out parameter. This would occur
even in test packages, in which the function was the only member of the
package.

[Bug ada/58151] conflict of writable function parameter in construct with arbitrary order of evaluation is often a spurious error

2014-01-03 Thread p-kell at live dot com

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58151

Patrick Kelly p-kell at live dot com changed:

   What|Removed |Added

 CC||p-kell at live dot com

--- Comment #3 from Patrick Kelly p-kell at live dot com ---
I've faced an almost identical problem. Compilation under -gnat2012 fails with
this error. Fallback to -gnat2005, and it reports that functions can only have
an in parameter, which is correct for -gnat2005; however, they can be used in
-gnat2012. Removing the out parameter and compiling with -gnat2005 resulted
in a correct build. Immediately compiling with -gnat2012 resulted in a correct
build. I was lucky in that I didn't actually need the out on those
parameters. The current behavior is not following the ARM2012. Occurred on GCC
4.8.2.

[Bug ada/59671] New: Improper Ada behavior under -gnat2012

2014-01-03 Thread p-kell at live dot com

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=59671

Bug ID: 59671
   Summary: Improper Ada behavior under -gnat2012
   Product: gcc
   Version: 4.8.2
Status: UNCONFIRMED
  Severity: blocker
  Priority: P3
 Component: ada
  Assignee: unassigned at gcc dot gnu.org
  Reporter: p-kell at live dot com

Compilation under -gnat2012 fails with this error:
conflict of writable function parameter in construct with arbitrary order of
evaluation

Fallback to -gnat2005, and it reports that functions can only have an in
parameter, which is correct for -gnat2005; however, they can be used in
-gnat2012. Removing the out parameter and compiling with -gnat2005 resulted
in a correct build. Immediately compiling with -gnat2012 resulted in a correct
build. I was lucky in that I didn't actually need the out on those
parameters. (note: an unused out doesn't cause problems in an of itself)

The current behavior is not following the ARM2012, which is why I've labeled
this as a blocker. in out parameters on functions is one of the major
enhancements to Ada 2012.

Other compilation flags: -O2 -gnato -gnatE -fstack-check
Error still occurs without -O2

Re: turning on comcast v6

2013-12-30 Thread Jeff Kell

On 12/30/2013 8:16 PM, Leo Bicknell wrote:
 There's a reason why there's huge efforts to put RA guard in switches, and do 
 cryptographic RA's.
These are two admissions that the status quo does not work for many
folks, but for some reason these two solutions get pushed over a simple
DHCP router assignment option.

The more disturbing feature for those that have been there, done that,
debugged the meltdown, and tried to avoid repeating the issue is the
growing proliferation of automatic discovery/configuration... whether
RA / SLAAC / mDNS / Bonjour / uPnP / (the list goes on...).  There are
too many opportunities for spoofing / MITM / self-propagating issues.

Yes, DHCP is prone to similar issues, but better to focus on one
service and one authoritative source to try to lock down than to try
to protect the plethora of growing options to introduce issues from
arbitrary sources.

But as the market focus appears to continue to try to address the home /
SOHO environment of naive users, the self-configuration nastiness
continues to propagate.  It may fit at home / SOHO, but not in the
Enterprise, and certainly not in a university environment where you
can't be as restrictive on a universal basis as you might like to be :(

Jeff



signature.asc
Description: OpenPGP digital signature

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Jeff Kell

On 12/30/2013 11:06 PM, [AP] NANOG wrote:
 As I was going through reading all these replies, the one thing that
 continued to poke at me was the requirement of the signed binaries and
 microcode.  The same goes for many of the Cisco binaries, without direct
 assistance, which is unclear at this point through the cloud of smoke so
 to speak, it would be difficult to load this code post implementation or
 manufacturing. 

Signed binaries??  Surely you jest...

Try download *anything* from Cisco TAC these days with a new browser and
latest Java and see how many exceptions you have to make to get an
allegedly legitimate copy of anything. 

If you don't like it, open a TAC case, and count the number of
exceptions you have to make to get to THAT point as well.  And of course
they'll want you to upload a show tech first thing, and see how many
MORE exceptions you have to make to get that to work.

Geez, just open ASDM today I have to honor Java exceptions.

We're all getting far too conditioned for the click OK to proceed
overload, and the sources aren't helping.

Jeff

[c-nsp] Quick question on HSRP...

2013-12-30 Thread Jeff Kell

Quick question for someone that's been there, done that, as I'm a bit
rushed to try to lab test this...

We're adding some new routers (4500Xs) for an upgraded server farm
arrangement with a number of server-side vlans / VRFs.  The plan was to
trunk it with the existing L3 router, and fire up HSRP (v2) across them
to transition the L3 routing to the new router without being too
terribly disruptive.  Not sure if we want to leave the HSRP in place
(thinking yes) or remove it (and the old router) after the migration,
but will cross that bridge when we get there.

HSRP would place the current default gateway as the virtual IP, and I
presume it will pick up a new MAC address.  I'm concerned this will
affect the active hosts with the ARP cached for their gateway.  The MAC
address would still be valid (should match the original gateway) but the
traffic would be directed to the original (now virtual) IP, as opposed
to the new physical gateway on the router.

So just how disruptive will introducing HSRP really be?

Jeff

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [WIRELESS-LAN] Game consoles?

2013-12-23 Thread Jeff Kell

On 12/23/2013 4:43 PM, Danny Eaton wrote:

 There seems to be a growing demand, and with the holiday season upon
 us, I'm expecting more than a few requests when we all come back.  Is
 anyone allowing residential students to register game consoles on a
 wireless SSID?  If so, how?  WPA2-PSK?  MAC address registration?


We tolerate it, but we strongly encourage wired connections for game
consoles, TVs, BluRays, etc.

We have game console registration support based on MAC address OID
verification.  The others we are at this point manually registering
(they enter a helpdesk ticket).

If you have a spectrum analyzer sort of device that will give you a
timeslice breakdown of a given radio channel, you'll quickly be
alarmed by the utilization of these silly devices :(

Jeff

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

Re: [WIRELESS-LAN] 802.11AC Future Infrastructure

2013-12-18 Thread Jeff Kell

That was a standard across the AMP jacks...  you could get one Cat5
100Mbps, or two 10Mb split cable jacks.  It was a matter of which
insert you plugged into the socket.

It wasn't my decision, and I cringe everytime I see one, but they're
still around in our older campus buildings.

Jeff

On 12/18/2013 4:42 PM, John York wrote:

 Years ago I “got creative” and made some patch cables that allowed me
 to put two 10M hosts on a single jack instead of pulling new cables. 
 The boss said unkind things and shoved a notebook of the TIA-568 spec
 in my face.  Ah, the bad old days…;-)

 John

  

 *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Jeffrey Sessler
 *Sent:* Wednesday, December 18, 2013 4:07 PM
 *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 *Subject:* Re: [WIRELESS-LAN] 802.11AC Future Infrastructure

  

 There is also the option, if you're a vendor that owns both ends (AP
 and Switch) to do something creative with only a single Cat5/6.

  

 Jeff




**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

Re: [WIRELESS-LAN] WiFi planning

2013-12-12 Thread Jeff Kell

On 12/12/2013 5:11 PM, Ian McDonald wrote:
 It seems to me to be completely impractical from a planning and
 budgetary perspective to be increasing the density of AP's on an
 annual basis due to poor client design, whether low transmit power,
 antenna deficiency, or insufficiently well designed front-ends.

 If a device can't connect to the same wireless network, side by side
 with last year's device, then from my perspective, that's an issue
 with the device, not an infrastructure issue.

Well, when most of us started wireless deployment, it was pretty
optimistic to plan for a laptop per student / class seat / dorm bed,
this was the same time we were doing ResNet plans with a port per
pillow -- a plan which game consoles initially wrecked, now followed by
BluRays and Smart TVs and femtocells and who-knows-what-else.  And now
for wireless, it's certainly not just laptops (we have more
registered/identified BYODs than computers now).

Wireless devices continue to explode...  its not last year's device that
can't necessarily communicate, it's the 3-4 extras today over the
original device that cause the issues.  If you designed for 2.4G
power/distance back when 2.4G was in vogue, and 5G was either ancient
(11a) or new again (11n), it wasn't necessarily a design goal, and 5G
doesn't tolerate walls, etc as well.  Not sure about 11ac, but 11ad at
even higher frequencies will penetrate even less.

So yeah, if we had to do it over again AND knew what we know today...
sure.  How many deployed 11a/b/g over 100Mb ports?  And out of those,
how many were Cat6/6A?  Regretting any of those decisions yet?  Just
give it time :)

Things evolve.  I'd agree they should last longer than last year but
things change *fast* in this business :)

Jeff

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

Re: [c-nsp] 4500X weird issue...

2013-12-12 Thread Jeff Kell

Follow-up to the follow-up :)  Long story short...

Switch essentially had no flash and dir, etc gave errors.  TAC had us
boot from tftp image via ROMMON.  Booted up, found config, write mem
worked, founds it's VSS partner, and dropped to standby.  Rebooted the
other switch, this one became primary, and all is well.

Still don't understand why even ROMMON couldn't find a flash, yet tftp
booting IOS seemed to make everything well again.  But not looking a
gift horse in the mouth, just wondering in case this shows up again.  I
really don't like the restart breaking things scenario :)

Jeff

On 12/10/2013 8:45 PM, Jeff Kell wrote:
 Follow-up...  the secondary booted up OK.  We're looking at a possible
 RMA on the failing one (TAC case open) rather than cracking the case on
 a virgin switch to mess with flash :).

 Jeff

 On 12/6/2013 11:25 PM, Jeff Kell wrote:
 We received our first pair of 4500X switches, and proceeded to try to
 prepare them for deployment.  They came up OK on console access, we got
 a very basic configuration setup, linked them together, and did an
 initial VSS pairing.

 With that successful, we put in a management IP address for the
 management port, saved everything, and proceeded to move them to the
 server room.

 Upon power-up at the new location, they won't boot...

  
  *  *
  * Rom Monitor NVRAM configuration is being initialized to  *
  * default values. This may be because it was never initialized.*
  *  *
  
 Writing to Primary Region failed
 Writing to Backup Region failed



___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] 4500X weird issue...

2013-12-10 Thread Jeff Kell

Follow-up...  the secondary booted up OK.  We're looking at a possible
RMA on the failing one (TAC case open) rather than cracking the case on
a virgin switch to mess with flash :).

Jeff

On 12/6/2013 11:25 PM, Jeff Kell wrote:
 We received our first pair of 4500X switches, and proceeded to try to
 prepare them for deployment.  They came up OK on console access, we got
 a very basic configuration setup, linked them together, and did an
 initial VSS pairing.

 With that successful, we put in a management IP address for the
 management port, saved everything, and proceeded to move them to the
 server room.

 Upon power-up at the new location, they won't boot...

  
  *  *
  * Rom Monitor NVRAM configuration is being initialized to  *
  * default values. This may be because it was never initialized.*
  *  *
  
 Writing to Primary Region failed
 Writing to Backup Region failed



___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: Caps (was Re: ATT UVERSE Native IPv6, a HOWTO)

2013-12-08 Thread Jeff Kell

On 12/9/2013 12:48 AM, Jay Ashworth wrote:
 A 3270 that took 5 seconds of delay and then *snapped* the entire screen
 up at once was perceived as faster than a 9600 tty that painted the same
 entire screen in about a second and a half or so.  Don't remember who it
 was either, but likely Bell Labs.

This is a screen/block mode I/O issue versus a character-mode one. 

And the screen/block I/O won't start until the whole screen data is
there, so there is an initial delay.  The character-mode variant will
paint portions of the screen as the data arrives.

Similar anomalies exist on input... the screen/block mode is buffered
locally and proceeds normally; while the character mode version has to
transit the WAN link, whatever it may be.

I won't argue that one is better than the other, depending on your link
speed (transmitting a whole screen will incur longer delays than
transmitting individual fields, though admittedly it happens less
often).  But the user perception goes a long way...

I have seen advantages to both, having done serial termainal
applications from back to the 1970s, and won't argue one way or the
other.  You choose your poison.  With 3270 you have little choice other
than full screen transactions.  For other ASCII terminal interfaces,
you could optimize the individual fields (while paying the full screen
price). 

There are user perceived throughput values, transaction perceived
throughput values, and application perceived throughput values.  And
very rarely did the three equal out for every application :(

Jeff

[c-nsp] 4500X weird issue...

2013-12-06 Thread Jeff Kell

We received our first pair of 4500X switches, and proceeded to try to
prepare them for deployment.  They came up OK on console access, we got
a very basic configuration setup, linked them together, and did an
initial VSS pairing.

With that successful, we put in a management IP address for the
management port, saved everything, and proceeded to move them to the
server room.

Upon power-up at the new location, they won't boot...

  
  *  *
  * Rom Monitor NVRAM configuration is being initialized to  *
  * default values. This may be because it was never initialized.*
  *  *
  
 Writing to Primary Region failed
 Writing to Backup Region failed

  Rommon (G) Signature verification PASSED
 flash0:/codesign/rm1.dat open failure

  Rommon (P) Signature verification PASSED
 flash0:/codesign/rm2.dat open failure

  
  *  *
  * Rom Monitor NVRAM configuration is being initialized to  *
  * default values. This may be because it was never initialized.*
  *  *
  
 Writing to Primary Region failed
 Writing to Backup Region failed

  FPGA   (P) Signature verification PASSED
 flash0:/codesign/fpga.dat open failure
  
  *  *
  * Welcome to Rom Monitor forWS-C4500X-16 System.   *
  * Copyright (c) 2008-2013 by Cisco Systems, Inc.   *
  * All rights reserved. *
  *  *
  

  Rom Monitor (P) Version 15.0(1r)SG10
  CPU Rev: 2.2, Board Rev: 9, Board Type: 108
  CPLD Mobat Rev: 2.0x549a.0x59a4
  Chassis: WS-C4500X-16

  MAC Address  : e4-c7-22-**-**-**
  Ip Address   : Not set.
  Netmask  : Not set.
  Gateway  : Not set.
  TftpServer   : Not set.

  Non-Redundant system or peer not running IOS
  System Uplinks  Linecards have been reset!!


  * The system will autoboot in 5 seconds *


  Type control-C to prevent autobooting.
  . . . .
  Management Ethernet Link Up: 1Gb Full Duplex
  .

   The system will autoboot now 


  config-register = 0x102
 Writing to Primary Region failed
 Writing to Backup Region failed
  Autobooting using BOOT variable specified file.

  Could not find a valid file in BOOT environment variable.
  BOOT variable can be set from IOS. To find currently set
  Rom Monitor variables, please type 'set' command.

  For help on choosing a boot method,  type 'confreg' command.
 Writing to Primary Region failed
 Writing to Backup Region failed
 Writing to Primary Region failed
 Writing to Backup Region failed
 Writing to Primary Region failed
 Writing to Backup Region failed
 rommon 1 boot
 Writing to Primary Region failed
 Writing to Backup Region failed
 ExtX super block invalid signature
  No bootable image found !
  boot: can not determine first file name on device flash1:/USER
 rommon 2 

What the heck???

Jeff

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [WIRELESS-LAN] Eapol-Rate-Optimization

2013-12-03 Thread Jeff Kell

On 12/3/2013 9:34 PM, Wright, Don wrote:
Just curious, have any Aruba shops tried enabling EAPOL rate
 optimization to try helping with the Apple roaming/dropping issue?
  It's a new setting in 6.1 and while it didn't help in my testing,
 I've heard others have had success with it.  Would someone care to
 update with details?

We have had issues with MacOS devices and roaming.  Three variables
were suggested - OKC, PMKID, and EAPOL-rate-opt.

We had OKC / PMKID both enabled, no EAPOL-rate-opt, and interval
between ID requests at 30 seconds.  Wandering around a well-covered
building with a MacOS laptop pinging a fixed target and it would
disassociate / reassociate / reauthenticate with significant delay in
between; Windows laptop did not have this issue (maybe drop a packet or
two between roaming targets).  We tried disabling OKC by itself, but it
seemed to make no difference.  This was discussed on the list before so
I'll not repeat the whole issue.

We tried the EAPOL-rate-opt, and we would drop a handful of pings, but
essentially keep a connection intact.  So yes, it did appear to help. 
It's not 100% still (is anything wireless ever 100%?) but was a solid
improvement over the previous case.

We're still grabbing at straws to improve the mobility, and hoping
perhaps the sticky client voodoo in 6.3 might help the issue as well. 

Jeff

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

Re: [c-nsp] EIGRP reality check

2013-11-26 Thread Jeff Kell

Actually, I would have entertained equal cost even without the unequal
variance options, but the latter would be even better.

To answer some other questions others have asked... back to the original
diagram...

+--A-\
| | \
| B---D
| | /
+--C-/

These are layer-2 paths. We have a rather unusual network topology
that would take too long to explain without sounding like a raving
lunatic :) Which still may be the case, but doesn't help :)

There are three layer-3 backbone rings in play here... A-B-C-D is on
one common /22 subnet. B-D-others are on another. And C-D-others are
on a third.

From the perspective of D there are three paths to B, each one
layer-3 hop away (same /22 subnet).

Each of the three somehow works out to equivalent EIGRP paths in
topology... despite A-D and B-D being 10G and D-C and C-A being gigabit
channels. This I suspect is due to not using wide EIGRP metrics.

These are all Catalysts (6500 at A, various 3750 models at B-C-D) so
nothing new and bleeding edge here.

Jeff

On 11/26/2013 10:10 PM, Mark Tinka wrote:
On Monday, November 25, 2013 04:55:08 AM Jeff Kell wrote:

We have been using EIGRP in the most recent generation of
our campus network, a choice that was largely made on
the fact that it could load-share across equal-cost
paths, and take the path of least resistance to the
target.

I'm guessing you meant unequal cost :-).

Have you seen this:

http://www.cisco.com/en/US/docs/routers/crs/software/crs_r4.3/routing/configuration/guide/b_routing_cg43xcrs_chapter_0101.html#concept_6F7168EEB2D343CCBA82BB223B311E7B

I haven't tried it, so don't know if it actually does what
it says on the tin.

Anyone? Oli?

Mark.

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] EIGRP reality check

2013-11-24 Thread Jeff Kell

We have been using EIGRP in the most recent generation of our campus
network, a choice that was largely made on the fact that it could
load-share across equal-cost paths, and take the path of least
resistance to the target.

Recently we upgraded some core links to 10Gbps, with a couple remaining
gig backup links across them.  As a result, we ended up with a grouping:

+--A-\
|  |  \
|  B---D
|  |  /
+--C-/

A-B, A-D, and B-D are 10Gbps.  A-C and C-D are multi 1G channels.  D
hosts our backup server, so we tried to optimize the data paths from A,
B, and C.

Making things a bit more non-standard, these are not point-to-points,
they're on a small broadcast subnet.  A-B, A-C, and A-D are one, B-C and
C-D are another, and B-D is the third. 

From B to D there are three routes... direct to D (10G), via A to D
(10G), and via C to D (gig channel).  And vice versa.

EIGRP shows the three paths as equal weight (Catalyst 3750s and 6500s on
current code) despite the bandwidth difference.  Some early Googling
indicates that newer EIGRP versions support wide metrics, to
accomodate higher bandwidth link metrics, but I'm not sure if they are
even supported on all our platforms and code versions (appears to be
router-IOS 15.2 and higher).

Further investigation into the EIGRP topology for these links indicates
they come up with equal metrics, and they do NOT appear to be load
sharing (always using the same path... and not the direct path in both
cases, which lead to this investigation).

Then I discover in the K-values lookups that the default K-values (1 0 1
0 0) don't include bandwidth as I originally thought...

Aaargh...  and changing K-values will drop all your adjacencies? 

So... has anyone been through at least the wide metrics adjustments
for 10G?  Or changed their K-values?  Any shortcuts, war stories,
suggestions, etc?

Jeff

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [WIRELESS-LAN] 802.1x vs web-portal

2013-11-19 Thread Jeff Kell

On 11/19/2013 4:05 PM, Peter P Morrissey wrote:
 Can anyone name an application that does not have strong encryption?

 I'm not arguing against 802.1x, because it works very well for us as users 
 don't have to authenticate constantly on a portal, and we seem to do a very 
 good job getting them on initially, but I am having a hard time understanding 
 the encryption benefits lately.

Does FireSheep or Ettercap ring any bells?

Jeff

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

Re: [c-nsp] Third party transceivers that fail only with new, NX-OS 6.2.2a on sup-2E

2013-11-19 Thread Jeff Kell

On 11/19/2013 5:51 PM, Tim Durack wrote:
 Second that. The more people buy 3rd party (coded if you want) the better.
 Vendors only listen to sales.

+1 to that.  We recently ran across some 3rd-party CODED DOM-supporting
optics that have worked (thus far) in both Ciscos and Brocades.  When
you can issue a show int trans and get results from 3rd-parties while
Ciscos remain silent, it speaks volumes :)

We still keep branded spares for any surprise issues.  But I don't think
we would have enough to survive a software upgrade enforced
transceiver refusal such as the one being discussed... so I remain
skeptical, and disgruntled over the whole branded issue.

Could you imagine if you could stick a vendor PROM in an ethernet
cable?  We don't tolerate such silliness with any other interfaces...

Jeff

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] Cisco bug locator?

2013-11-19 Thread Jeff Kell

On 11/19/2013 9:40 PM, Mikael Abrahamsson wrote:

 So complain to your account team and give feedback on their website.
 Only by customers complaining will we see improvement.


Don't hold your breath.  I've been bitching since they started the whole
Web 2.0 / HTML5 / Java nonsense migration, and it's only getting WORSE
with EVERY new version.

Opening a TAC case now presents you with no less than FIVE Java
authentication warning windows, if you have the latest Java.

Jeff

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: OT: Below grade fiber interconnect points

2013-11-13 Thread Jeff Kell

You can stick a splice in a manhole.  You don't want a patch panel
or cross-connect in that sort of environment, keep that housed inside,
somewhere.

Jeff

On 11/13/2013 7:53 PM, Thomas wrote:
 Usually it would spliced outside at the manhole where the fiber meet to go in 
 the building.  Depends on the way you want to connect them etc.

 Thomas L Graves
 Sent from my IPhone 


 On Nov 13, 2013, at 2:05 PM, Justin M. Streiner strei...@cluebyfour.org 
 wrote:

 On Wed, 13 Nov 2013, Roy hockett wrote:

 Has anyone ever used a below grade vault for housing fiber cross connects?

 We have to move a fiber interconnect facility due to the current building 
 being demolished.  If you have I would be interested in talking to you.  If 
 there are more appropriate lists, I would appreciate any suggestions.
 When you say below grade vault, do you mean something that's only 
 accessible through a manhole?

 I haven't done this specifically, however if the vault does not have a 
 controlled environment, you could be dealing with massive headaches related 
 to dust/dirt contamination, moisture penetration, etc.  I work in a 
 large-campus .edu environment, so I'm some of the headaches you're probably 
 trying to avoid.  Also, be aware that access to the vault could be an issue. 
  There are OSHA regs related to what sort of training and safety equipment 
 someone who will be working in an underground vault must have.

 I'm assuming that the fiber will be cross-connected to a new location prior 
 to the building being demolished.

 Not knowing your outside plant or circumstances, would it be feasible to 
 fusion-splice a new tail onto the fiber that was going to the building 
 that's being demolished, or (ideally) pulling a new piece of fiber to the 
 new building, so you don't have to deal with potentially dodgy splices?

 jms

Re: CPE dns hijacking malware

2013-11-11 Thread Jeff Kell

On 11/12/2013 1:12 AM, Dobbins, Roland wrote:
 On Nov 12, 2013, at 12:56 PM, Mike mike-na...@tiedyenetworks.com wrote:

 It appears that some of my subscribers DSL modems (which are acting as nat 
 routers) have had their dns settings hijacked and presumably for serving ads 
 or some such nonsense. 
 How do you think this was accomplished?  Via some kind of Web exploit 
 customized for those devices and targeting your user population via email or 
 social media, which tricked users into clicking on something that accessed 
 the Web admin interface via default admin credentials or somsesuch; or via 
 some direct attack on the CPE devices themselves; or via some other method?

Basically two cases...  (1) XSS attack on the router using default (or
dictionary) credentials to set the DNS server on the router, or (2) DHCP
hijacking daemon installed on the client, supplying the hijacker's DNS
servers on a DHCP renewal.  Have seen both, the latter being more
common, and the latter will expand across the entire home subnet in time
(based on your lease interval)

Jeff

Warning Your Mailbox Has Exceeded Quota Limit

2013-11-07 Thread Kell, Todd




Dear user,

Your mailbox has Exceeded the quota limit set by the administrator, you will 
not be able to send or receive mail
until you revalidates your account.

Please click the link below or copy paste to your browser to validate your 
mailbox.
http://tinylink.net/quotalimit

Failure to do this will result limited access to your mailbox and failure to 
update your account within 48-hours,
of this update notification, your account will be closed permanently.

Thanks
System Administrator.--
To unsubscribe from this list: send the line unsubscribe linux-btrfs in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Warning Your Mailbox Has Exceeded Quota Limit

2013-11-07 Thread Kell, Todd




Dear user,

Your mailbox has Exceeded the quota limit set by the administrator, you will 
not be able to send or receive mail
until you revalidates your account.

Please click the link below or copy paste to your browser to validate your 
mailbox.
http://tinylink.net/quotalimit

Failure to do this will result limited access to your mailbox and failure to 
update your account within 48-hours,
of this update notification, your account will be closed permanently.

Thanks
System Administrator.--
To unsubscribe from this list: send the line unsubscribe git in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [c-nsp] TAC hits a new record level of aggravation...

2013-11-03 Thread Jeff Kell

On 11/3/2013 1:41 AM, Dobbins, Roland wrote:
 On Nov 3, 2013, at 12:08 PM, Jeff Kell jeff-k...@utc.edu wrote:

 If enough of us complain... maybe.
 Plenty of people inside and outside of Cisco have complained vociferously, to 
 no avail.  It's unlikely to change.

Maybe we should all go back to the phone call interface.  Will probably
get Bangalore, but who knows.  Refuse the web garbage :)

Or email?  Make them call you?  Again... Bangalore...  oh well...

Customer support died a decade ago.

Jeff

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] TAC hits a new record level of aggravation...

2013-11-03 Thread Jeff Kell

On 11/3/2013 7:46 AM, Chuck Church wrote:
 It's not just the TAC tool that has been suck-ified.  The replacement for
 the dynamic configuration tool sucks.  Tried it a few days ago, first thing
 it asks for is a whole bunch of customer info.  I just wanted to verify if
 there is a non-EOS OC-3 POS that would work with a 6500.  Painful.  Today it
 crashes when I find what I think is the right link.  Then the replacement
 for Software Advisor is Software Research.  It takes looking around to find
 that Research doesn't cover many devices, and you eventually find a link to
 the old software advisor.  

My colleague in our data center systems group was working on a UCS
configuration, and the page was kicking out some blocks on our
TippingPoint because of some ungodly obfuscated javascript, and I had to
apply an exception to let him load the tool. 

I wish//I had kept a copy of the page source element that was triggering
it...  it was a real WTF?? moment.

Jeff
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] TAC hits a new record level of aggravation...

I had the opportunity to open a TAC case last week...  and was greeted
by the new website...

I use Firefox with NoScript, Ghostery, AdBlock, and some other plugins
that require their own unique whitelisting to get cisco.com to work at
all, and even more if you need to login to anything.

I have the most current Java 1.7 installed as of the last round of updates.

So... going to open a TAC case...  I'm presented by at least four (maybe
five?) Java permissions warnings/windows asking me if they can run.

I bear with this, enter a case, and everything I carefully formatted and
pasted into the case was compressed down into a block of continuous
text, forget my newlines, everything crammed into one piece.

I submit the case, and more Java permissions windows.  I go to review
the case... still MORE permissions windows.

Of course I have to go upload a show tech (first request for any
case)...  and STILL MORE permissions windows.

THIS IS RIDICULOUS !!!

Anyone else had the pleasure of hitting the new case management site?

I have NEVER experienced such a technical challenge such as that
presented by the TAC website...

I also now get Java warnings/permissions windows for ASDM for ASA, ASDM
for FWSM, oh the list just keeps on growing for this Java crap.

Jeff

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] ASA 8.4 error 305006 regular translation creation failed

Not having fun with TAC, let me ask the real experts :)

ASA-5585X running 8.4(7), recent upgrade in response to last month's
security advisories against the 8.4 code we were running...

Now getting a number of the %ASA-3-305006 regular translation creation
failed errors logged, typically for plain vanilla TCP connections.

Checking the logs for the internal IPs being flagged, in every case I'm
seeing the internal IP having no translation, and the 305006 is almost
immediately followed by a %ASA-6-305009: Built dynamic translation for
the address in question. 

We have plenty of IPs in our outside pool.  We're not close to our xlate
or connection table limits.  This seems to just happen out of the blue.

For the failed 305006, it will list source-IP/source-port to
external-IP/external-port that failed.  This connection will never be
established.  The follow-up 305009 will create the translation, then
there will be a normal connection logged from the same
source-IP/different-source-port.  So the original attempt fails and the
subsequent retry succeeds. 

We only have a handful of these in a given day... but I'm not sure of
our xlate creation/teardown rate.  Connection-wise we're doing close
to 1000 connections/second at peak. 

I saw some of these errors in earlier 8.4 code, but they seem to have
gotten worse with 8.4(7) [and/or our traffic has increased accordingly].

Anyone else? 

Jeff

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] TAC hits a new record level of aggravation...

So Cisco is now sleeping with Microsoft?  The human network suddenly
requires Internet Explorer?  And specific Java for the Oracle contingent?

Years ago, it just worked.  Might not have been HTML5 or Ajax or Web2.0
but the damned thing worked.  Everytime.

Jeff

On 11/2/2013 9:23 PM, Engel wrote:
 Have you try using MS Explorer? 

 Sent from my iPhone


 On 2013/11/03, at 7:53, Jeff Kell jeff-k...@utc.edu wrote:

 I had the opportunity to open a TAC case last week...  and was greeted
 by the new website...

 I use Firefox with NoScript, Ghostery, AdBlock, and some other plugins
 that require their own unique whitelisting to get cisco.com to work at
 all, and even more if you need to login to anything.

 I have the most current Java 1.7 installed as of the last round of updates.

 So... going to open a TAC case...  I'm presented by at least four (maybe
 five?) Java permissions warnings/windows asking me if they can run.

 I bear with this, enter a case, and everything I carefully formatted and
 pasted into the case was compressed down into a block of continuous
 text, forget my newlines, everything crammed into one piece.

 I submit the case, and more Java permissions windows.  I go to review
 the case... still MORE permissions windows.

 Of course I have to go upload a show tech (first request for any
 case)...  and STILL MORE permissions windows.

 THIS IS RIDICULOUS !!!

 Anyone else had the pleasure of hitting the new case management site?

 I have NEVER experienced such a technical challenge such as that
 presented by the TAC website...

 I also now get Java warnings/permissions windows for ASDM for ASA, ASDM
 for FWSM, oh the list just keeps on growing for this Java crap.

 Jeff

 ___
 cisco-nsp mailing list  cisco-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/cisco-nsp
 archive at http://puck.nether.net/pipermail/cisco-nsp/


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] TAC hits a new record level of aggravation...

On 11/2/2013 11:20 PM, Alex Presse wrote:
 It's the new java update - unsigned code gets user verification windows. 
 Cisco (and everybody else) will need to update all their java delivered user 
 interfaces to avoid this annoyance.

And we need Java to submit a case, exactly why?

Plain old school FORM text box worked wonders.

Jeff

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] TAC hits a new record level of aggravation...