[c-nsp] PIX or ASA Privilege level access issue
Dear All,

We have encountered an issue as we assign privilege levels in PIX or ASA with a Microsoft IAS server. We plan to set RO and RW access for users to have different privilege levels to access Cisco devices. We have tested that switches and routers do not have the RO (router>) non-privileged level issue. But in ASA/PIX, a user account which is in the RO group, which has "shell:priv-lvl=1 or 5" set, can access privileged mode (the prompt is router#). ittestmo is in the RO group.

From PIX or ASA:

    Username: ittestmo
    Password: ***
    Type help or '?' for a list of available commands.
    MOOFFW01> EN
    Password: ***
    MOOFFW01#

From a switch or router:

    User Access Verification
    Username: ittestmo
    Password:
    MOOFSW01>EN
    Password:
    % Access denied
    MOOFSW01>

Could anyone let me know how to resolve this issue?

Thanks and Regards,
Edward

___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] FWSM NP1&2 dot1q drops
Simple setup: a pair of Cat6509 (Sup720-3BXL) with an FWSM in active/standby mode. The 6509s are on 12.2(33)SXI4a advipservices, the FWSM on 3.2(5) routed/single-context.

I am at my wits' end trying to understand why I am seeing *dot1q drops* by NP1 and NP2 of the FWSM. On NP1 the dot1q drops are almost equal to the drops because of not-dot1q:

    PKT_MNG: total packets (dot1q) dropped : 4557
    PKT_MNG: PKT_DROP_NOT_DOT1Q_INGR : 3874

On NP2:

    PKT_MNG: total packets (dot1q) dropped : 2490
    PKT_MNG: PKT_DROP_NOT_DOT1Q_INGR : 0

All other drop counters are at zero for NP1 and NP2.

The MSFC itself is configured for multiple VLAN interfaces (INSIDE, OUTSIDE) given our setup (policy routing is in effect), and everything is working as expected *EXCEPT* for the drops in question. The only VLANs being carried by the 6Gig port-channel trunk between the FWSM and the chassis are the ones for INSIDE, OUTSIDE, LAN failover and state failover (100, 73, 2 and 3).

Snippets wrt *drops*:

NP1:

    fwsm-dc3/act# sh np 1 stats
    --- Fast Path 64 bit Global Statistics Counters (NP-1) ---
    PKT_MNG: total packets (dot1q) rcvd: 16276
    PKT_MNG: total packets (dot1q) sent: 31113
    PKT_MNG: total packets (dot1q) dropped : 7566
    PKT_MNG: TCP packets received : 15110
    PKT_MNG: UDP packets received : 1718
    PKT_MNG: ICMP packets received : 66
    PKT_MNG: ARP packets received : 0
    PKT_MNG: other protocol pkts received : 0
    PKT_MNG: default (no IP/ARP) dropped : 0
    SESS_MNG: sessions created : 1484
    SESS_MNG: sessions embryonic to active : 0
    SESS_MNG: sessions deleted : 1484
    SESS_MNG: session lookup hits : 26900
    SESS_MNG: session lookup misses: 4198
    SESS_MNG: embryonic lookup hits: 0
    SESS_MNG: embryonic lookup misses : 3425
    --- Fast Path 32 bit Global Statistics Counters (NP-1) ---
    SESS_MNG: insert errors: 0
    SESS_MNG: embryonic to active errors : 0
    SESS_MNG: delete errors: 0
    PKT_MNG: packets to NP-3 : 3894
    PKT_MNG: packets from NP-3 : 3064
    PKT_MNG: packets to FWSM : 59
    PKT_MNG: packets from FWSM : 5952
    PKT_MNG: packets sent to other blade : 1824
    PKT_MNG: packets rcv from other blade : 14237
    PKT_MNG: pkt drop (l2 checks) : 0
    PKT_MNG: pkt drop (l3 checks) : 0
    PKT_MNG: pkt drop (l4 checks) : 0
    PKT_MNG: pkt drop (rate limiting) : 0
    PKT_MNG: pkt drop (A200) : 0
    LU_MNG: UDP packets sent by FP ok : 0
    LU_MNG: TCP packets sent by FP ok : 4468
    LU_MNG: LU packets sent by SP ok : 0
    LU_MNG: LU pkt xmit errors leas twin fail : 0
    LU_MNG: UDP packets received for FP ok : 0
    LU_MNG: TCP packets received for FP ok : 0
    LU_MNG: LU packets received for SP ok : 0
    LU_MNG: LU packets received errors : 0
    LU_MNG: LU packets redirected to NP3 : 0
    LU_MNG: LU packets returned by NP3 : 0
    LU_MNG: LU pkt sent new conn : 1489
    LU_MNG: LU pkt sent update: 1491
    LU_MNG: LU pkt sent fin : 1488
    LU_MNG: LU pkt sent data channel : 0
    LU_MNG: LU pkt sent move embr to active : 0
    LU_MNG: LU pkt xmit error interface down : 0
    LU_MNG: LU pkt xmit err intf not configured: 0
    LU_MNG: LU pkt xmit err FO flag stop traffic : 0
    LU_MNG: LU pkt xmit err FO flag mismatch : 0
    LU_MNG: LU pkt rcv err global table mismatch : 0
    LU_MNG: LU pkt rcv err FO flag mismatch: 0
    LU_MNG: LU pkt rcv err not .1Q : 0
    LU_MNG: LU pkt rcv err not : 0
    LU_MNG: LU pkt rcv err lkp hit msg mismatch: 0
    LU_MNG: LU pkt rcv err lkp hit pkt/leaf mismatch : 0
    LU_MNG: LU pkt rcv err lkp miss msg mismatch : 0
    LU_MNG: LU pkt rcv err half hit: 0
    LU_MNG: LU pkt rcv err embr to active fail : 0
    LU_MNG: LU pkt rcv err control channel not found : 0
    LU_MNG: LU pkt rcv err insertion fail : 0
    LU_MNG: LU pkt rcv err pkt to np3 msg mismatch : 0
    LU_MNG: LU pkt rcv err pkt to np3 leaf not active : 0
    AGE_MNG: Aging Errors (no timeout set) : 0
    PKT_MN
Re: [c-nsp] GLC-LH-SM vs SFP-GE-L
> Some of them are perfectly fine. You can get something from quality brands, which are at least as good as 'Cisco' (but still cheaper)... probably because they are who OEMs the 'Cisco' SFPs. But other pluggables (the Chinese copies?) really are crap, and in my experience if you get something labeled and coded Cisco, it is a lot more likely to be Chinese copy crap than if you get something from a quality brand. But YMMV.
>
> -A

Are you referring to optics that are labeled 'Cisco' on the sticker but are grey market optics, or optics with a Brand X sticker but whose EEPROM says otherwise?
Re: [c-nsp] suppress bgp updates?
On Thu, 2010-11-18 at 09:52 +0100, Andrew Miehs wrote:
> Why not add something like
>
> ip route 192.0.2.0 255.255.255.0 null0 255
>
> on two of your routers somewhere?
>
> That way internal flaps will not be announced to your peers.

As I understand it, the problem is that when the RIB swaps out 192.0.2.0/24 from an interface with 192.0.2.0/24 from a static route pointing towards Null0, it triggers a BGP update. The floating static Null0 route was present in the mail.

--
Peter
Re: [c-nsp] OEM transceivers on IOS XR
Has anybody made this work with a non-Cisco SFP? My customer has tried all these commands (ASR9k running 3.9) and it hasn't worked. I'm guessing that my customer is gonna have to help Cisco's recovery :) and buy their optics, but just wanted to make sure.

Thanks

On Mon, Nov 1, 2010 at 9:37 AM, Tomasz Lemiech wrote:
> On Sat, 30 Oct 2010, Dmitry Kiselev wrote:
>
>> Thanks for your answer, but it seems this is not enough to force an OEM module
>> to work:
>>
>> RP/0/RSP0/CPU0:ios#sh run int te0/0/0/0
>> interface TenGigE0/0/0/0
>>  transceiver permit pid all
>
> Strange, "transceiver permit pid all" does the job for me, however in 1G
> ports. Haven't tried this for 10G (because my 10G optics "just work").
>
>> RP/0/RSP0/CPU0:ios#sh controller te0/0/0/0 internal
>> ...
>> Pluggable Present : yes
>> Pluggable Type : OC48-LR
>> Pluggable Compl. : (Service Un) - Failed - Bad Vendor CRC
>> Pluggable Type Supp.: (Service Un) - Supported
>> Pluggable PID Supp. : (Permit All) - Not Checked
>> Pluggable Scan Flg: false
>
> Maybe that is a SONET-only pluggable? (if such stuff exists at all...)
>
> RP/0/RSP0/CPU0:CR-WAR05#sh control te0/0/0/0 phy | i Codes
> Mon Nov 1 17:32:46.528 CET
> Ethernet Xcvr Codes: 10GBASE-LR,
> SONET Xcvr Codes: SDH_I_64.1 SDH_L_64
>
> This is how it looks for a SONET+Eth XFP.
>
> Regards,
>
> --
> Tomasz Lemiech
> RLU#189399
> TL1942-RIPE
Re: [c-nsp] ASR 1k, 3.1.0S MTU issues on PortChannel interfaces
Hi,

Yet another update. It turns out that the old 'turn it off and on again' worked. After I reloaded the box I got the MTU of the subinterfaces at 4400, which is good. I still had to use clns mtu (of 4379) to make it work. The maximal ICMP packet I can get through now is:

    BGAUESD01#ping 10.123.223.1 size 4383 df-bit
    Type escape sequence to abort.
    Sending 5, 4383-byte ICMP Echos to 10.123.223.1, timeout is 2 seconds:
    Packet sent with the DF bit set
    !
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

kind regards
Pshem
Re: [c-nsp] ASR 1k, 3.1.0S MTU issues on PortChannel interfaces
Hi,

On 19 November 2010 08:29, Irina Arsenieva wrote:
> Hi there,
> AFAIK, to change MTU on Po1.600, you have to change it on Po1, then Po1.600
> MTU = Po1 - 4
> which makes sense as 802.1Q tag size is 4 bytes.
> And I also suggest trying "clns mtu 1496" on both ends.

I have it changed already to 4400 on Po1, and that shows correctly in the output (please see my previous email). The problem is that Po1.600 is not inheriting those settings.

Setting clns mtu is not an option for me, as I need that 4400 (or thereabouts) to run some of the services (the link will be part of an MPLS network, so I need at least another few bytes for the labels and potential Q-in-Q and other things like L2TP headers).

I guess if I don't get a resolution I'll have to file a TAC case.

kind regards
Pshem
Re: [c-nsp] 7609_uRFP Performance Impact
On 2010-11-18 21:02, Victor Lyapunov wrote:
> I am examining the prospect of enabling uRPF in a Cisco 7609 / RSP 720 platform, for subscriber-facing interfaces. My needs are covered by plain strict uRPF (no ACLs or multipath support is needed). According to documentation, traffic failing uRPF is supposed to be handled in hardware.

Yes, but bear in mind that with the current generation of the PFC (B/C) the uRPF mode is global for the whole chassis.

> Is the "mls unicast ip rpf-failure" rate limiter needed in the case of strict uRPF? Or is its usage limited to packets failing the uRPF check when ACL / multipath is needed?

Yes:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dos.html#wp1140986

--
"Everything will be okay in the end.   | Łukasz Bromirski
 If it's not okay, it's not the end."  | http://lukasz.bromirski.net
[c-nsp] 7609_uRFP Performance Impact
Hello all,

I am examining the prospect of enabling uRPF in a Cisco 7609 / RSP 720 platform, for subscriber-facing interfaces. My needs are covered by plain strict uRPF (no ACLs or multipath support is needed). According to documentation, traffic failing uRPF is supposed to be handled in hardware.

In my setup the mls rate-limiter for unicast ip rpf-failure is disabled (I needed the rate limiter resources for other traffic types).

Is the "mls unicast ip rpf-failure" rate limiter needed in the case of strict uRPF? Or is its usage limited to packets failing the uRPF check when ACL / multipath is needed?

Thnx
Re: [c-nsp] ASR 1k, 3.1.0S MTU issues on PortChannel interfaces
Hi there,

AFAIK, to change the MTU on Po1.600, you have to change it on Po1; then Po1.600 MTU = Po1 - 4, which makes sense as the 802.1Q tag size is 4 bytes.

And I also suggest trying "clns mtu 1496" on both ends.

Rgds
Alex

--
From: "Pshem Kowalczyk"
Sent: Wednesday, November 17, 2010 11:05 PM
To:
Subject: [c-nsp] ASR 1k, 3.1.0S MTU issues on PortChannel interfaces

Hi,

I'm currently trying to test the following scenario:

ASR1k 4900M - ASR9k

the 1k runs 3.1.0S (or 15.0(1)S)
the 9k runs 3.9.1 (XR)

As the link between the 4900M and the 9k is provided by a third party, we only have an MTU of 4400 there. There are 3 links between the 1k and the 4900M.

I'm struggling with getting ISIS to come up, as I suspect due to the MTU on the PortChannel interface:

    Port-channel1 is up, line protocol is up
      Hardware is GEChannel, address is 5475.d089.a4c0 (bia 5475.d089.a4c0)
      MTU 4400 bytes, BW 3000 Kbit/sec, DLY 10 usec,            <---
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation 802.1Q Virtual LAN, Vlan ID 1., loopback not set
      Keepalive set (10 sec)
      ARP type: ARPA, ARP Timeout 04:00:00
        No. of active members in this channel: 3
            Member 0 : TenGigabitEthernet0/0/0 , Full-duplex, 1Mb/s
            Member 1 : TenGigabitEthernet1/0/0 , Full-duplex, 1Mb/s
            Member 2 : TenGigabitEthernet2/0/0 , Full-duplex, 1Mb/s
        No. of PF_JUMBO supported members in this channel : 3

    interface Port-channel1
     mtu 4400
     no ip address
    end

    Port-channel1.600 is up, line protocol is up
      Hardware is GEChannel, address is 5475.d089.a4c0 (bia 5475.d089.a4c0)
      Description: SPNZSKY01
      Internet address is 10.123.223.2/29
      MTU 1500 bytes, BW 3000 Kbit/sec, DLY 10 usec,            <---
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation 802.1Q Virtual LAN, Vlan ID 600.

    interface Port-channel1.600
     description SPNZSKY01
     encapsulation dot1Q 600
     ip address 10.123.223.2 255.255.255.248
     ip mtu 4396
     ip router isis vfnz-core
     mpls ip
     isis network point-to-point
     isis authentication mode md5
     isis authentication key-chain VFNZ-KEY-CHAIN
     isis csnp-interval 10

I tried multiple things already to change that MTU, but it just doesn't want to move (removing the config and re-applying it doesn't work either).

When I debug isis adj I get the following:

    *Nov 17 15:50:46.998: ISIS-Adj: Sending serial IIH on Port-channel1.600, length 1496

When I look on the 9k I can see:

    RP/0/RSP0/CPU0:Nov 18 11:57:19.616 : isis[285]: SEND P2P IIH (L2) on TenGigE0/0/0/1.600: Holdtime 30s, Length 4379
    RP/0/RSP0/CPU0:Nov 18 11:57:24.163 : isis[285]: RECV P2P IIH (L2) from TenGigE0/0/0/1.600 SNPA 5475.d089.a4c0: System ID BGAUESD01, Holdtime 30, length 1496

I can not ping with anything bigger than 1500 from the 1K either. The 4900M has all interfaces set to an MTU of 9196 (max for the platform).

Any idea how to change that MTU?

kind regards
Pshem
Re: [c-nsp] No Service Password Recovery
On 11/18/10 2:28 AM, si...@pitwood.org wrote:
> It might have something to do with the version?
>
> CAT2924Switch#sh run
> Building configuration...
>
> Current configuration:
> !
> version 12.0
> no service pad
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption

password-encryption != password-recovery

And password-encryption == password-encryption only for very small values of encryption. This really should be called password-obfuscation as it is trivial to reverse.

The original poster didn't specify the specific problem he was trying to solve. If the bad guys have unmonitored physical access to the switch they could swap it out with their own device entirely even if the configuration is locked down. It's not like 2924XLs are expensive or hard to get. Mitigate with RANCID, etc.

If the concern is that the same access password on the switch which could be recovered is used elsewhere in the OP's network and bad guys recovering that password could use it to attack other devices... Don't do that, then. Mitigate with unique passwords, TACACS+, etc.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
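A defensive check that follows from Jay's point about password-encryption versus password-recovery (an added example, not from the thread or from any Cisco tool): it walks a constructed IOS running-config excerpt and flags cleartext and type 7 credentials, a missing 'enable secret', and a leftover 'enable password'. The config text and the hash/type 7 strings in it are placeholders made up for this example.

```python
import re
from typing import Dict, List

# Constructed sample running-config excerpt for this example (not the
# poster's switch). The secret hash and type 7 strings are placeholders.
SAMPLE_CONFIG = """\
version 12.0
no service pad
no service password-encryption
hostname CAT2924Switch
!
enable secret 5 $1$PLCH$placeholderhashvaluexxxxx
enable password 7 0822455D0A16
!
username ops password 0 plaintext-pw
username netadm password 7 094F471A1A0A
!
line vty 0 4
 password 7 02050D480809
 login
"""

# Credential lines: optional "username X " or "enable " prefix, then
# "password"/"secret", an optional encryption-type digit, then the value.
CRED_RE = re.compile(
    r"^(?:username\s+(\S+)\s+|(enable)\s+)?(password|secret)(?:\s+([057]))?\s+(\S+)$"
)


def audit_config(text: str) -> List[Dict[str, object]]:
    """Return findings as {"line": n, "severity": s, "msg": m}; line 0 = whole config."""
    findings: List[Dict[str, object]] = []
    enable_secret = False
    enable_password_line = None

    def add(n: int, severity: str, msg: str) -> None:
        findings.append({"line": n, "severity": severity, "msg": msg})

    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == "no service password-encryption":
            add(n, "medium", "type 0 passwords are stored in cleartext; note that "
                "'service password-encryption' only upgrades them to type 7, "
                "which is obfuscation rather than encryption")
            continue
        m = CRED_RE.match(line)
        if not m:
            continue
        user, is_enable, kind, ptype, _value = m.groups()
        where = f"username {user}" if user else ("enable" if is_enable else "line")
        if kind == "secret" and ptype == "5":
            if is_enable:
                enable_secret = True
            add(n, "info", f"{where}: type 5 secret (MD5-crypt); acceptable on this "
                "platform, but still brute-forceable offline if the config leaks")
        elif ptype == "7":
            if is_enable:
                enable_password_line = n
            add(n, "high", f"{where}: type 7 password is trivially reversible; anyone "
                "who obtains the config (password recovery, backups, config "
                "repository) recovers it")
        else:  # type 0 or no type digit: cleartext in the config
            if is_enable:
                enable_password_line = n
            add(n, "high", f"{where}: cleartext password")

    if not enable_secret:
        add(0, "high", "no 'enable secret' configured")
    elif enable_password_line is not None:
        add(enable_password_line, "medium", "enable: 'enable password' is ignored while "
            "'enable secret' is set, but still exposes a weak credential; remove it")
    return findings


def summarize(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count findings per severity."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[str(f["severity"])] = counts.get(str(f["severity"]), 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f['line']:>2} [{f['severity']}] {f['msg']}")
    print(summarize(audit_config(SAMPLE_CONFIG)))
```

Run it against a config pulled from a RANCID repository to see which devices still carry credentials worth recovering.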
Re: [c-nsp] GLC-LH-SM vs SFP-GE-L
On Thu, 18 Nov 2010 08:41:04 +, you wrote:
>> We have also been using Cisco-coded transceivers for years, and haven't
>> had significantly worse failure rate on those than on optics purchased
>> from Cisco. YMMV.
> Not surprising really, considering they're probably exactly the same
> hardware (bar an EEPROM label/value) maybe even from the same factory
> :-)

Some of them are perfectly fine. You can get something from quality brands, which are at least as good as 'Cisco' (but still cheaper)... probably because they are who OEMs the 'Cisco' SFPs. But other pluggables (the Chinese copies?) really are crap, and in my experience if you get something labeled and coded Cisco, it is a lot more likely to be Chinese copy crap than if you get something from a quality brand. But YMMV.

-A
[c-nsp] Nexus 7K Training.
Would anyone here share any positive feedback for a Nexus training partner or training class? I'm located in the Chicago area. We will be deploying a Nexus in a large campus LAN environment in the next few months.

I'm looking at either: ICN75KE v3.0 or ICN7K v3.0

Bret
Re: [c-nsp] ASR1k IOS recommendation
For what it's worth, we recently upgraded a pair of ASR 1004 to the latest available 15.0 software. These are used as large scale DMVPN hubs. We ran into a memory leak on the previous 12.2.33 XNF software version that required some tweaking of NHRP. We also saw, as of about a month ago, on one hub, the front end interface simply stop establishing sessions with spokes. That required a reload to fix. At the time, the hubs were handling about 1500 spokes and had done so for over a month without problems.

Still testing 15.0, not many spokes on it at this time. One fantastic feature addition to this new train is the "bgp listen-range" command. That alone has cut down the configuration lines in the router by a significant margin.

There was one "cdp enable" line that was left out of the configuration once the router had started up on the new software, but we found and fixed it. It occurred on both routers. Once manually entered, it has remained despite subsequent reboots.

We have not seen any issues with the new software but again, the routers have only been running for about a week now on it and they are not supporting production traffic at this time.

Vijay Ramcharan
Re: [c-nsp] Gee, will this work in my 7609? (OT, Lame humor)
On 11/17/10 23:27, Chris Boyd wrote:
> In light of the recent discussion of Cisco optics, I laughed out loud when I stumbled across this on Amazon's US web site:
>
> http://www.amazon.com/s/ref=nb_sb_noss?url=search-alias%3Daps&field-keywords=MGBLH1
>
> --Chris

Probably they work with "service unsupported-transceiver".

Caveats:
- the real distance is smaller than the Cisco/Cisco version;
- they tend to get stuck in the slot.
Re: [c-nsp] No Service Password Recovery
If the environment is that important, you might want to upgrade the switch. That switch has been EoL for a long time and probably has a whole load of caveats that are unresolved.

As others have pointed out, if the switch is accessible by 'bad guys' then they can pull the plug or swap it out.

Mack

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Skeeve Stevens
Sent: Wednesday, November 17, 2010 3:10 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] No Service Password Recovery

Hey all,

I've been googling and cisco.com searching and have found nothing so far.

I want to 'no service password-recovery' on an old Catalyst 2924. Does anyone know of a way?

It is in a delicate environment and it doesn't support 'secret', so if its password is recovered people would be able to crack the 'password' level passwords.

...Skeeve

--
Skeeve Stevens, CEO
eintellego Pty Ltd - The Networking Specialists
ske...@eintellego.net / www.eintellego.net
Phone: 1300 753 383, Fax: (+612) 8572 9954
Cell +61 (0)414 753 383 / skype://skeeve
www.linkedin.com/in/skeeve ; facebook.com/eintellego
--
eintellego - The Experts that the Experts call
- Juniper - HP Networking - Cisco - Brocade - Arista - Allied Telesis
Re: [c-nsp] ASR1k IOS recommendation
Hi,

On Thu, Nov 18, 2010 at 08:41:31AM +0100, Garry wrote:
> currently, there's 2.4 through 2.6 and 3.1S available for download,

Rest assured, this problem is going to be solved.

gert
--
USENET is *not* the non-clickable part of WWW!               //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
Re: [c-nsp] mpls on RR ?
Hi,

I hope there is no reason to have MPLS enabled on the RR. You know, a packet destined to the RR is processed by the control plane, so the MPLS header must be stripped anyway. In the case of plain IPv4 over MPLS with MPLS/LDP enabled on the RR interfaces, the RR should act as an egress LSR, and egress LSRs send implicit null for their connected and summarized routes by default. It means that the packet arrives at the RR as an IPv4 packet. If you don't have MPLS enabled on the RR, the packet arrives as IPv4 again, so there is no difference, and in both cases the packet should transit the MPLS network as a labeled/MPLS packet.

Best Regards,
Marek

2010/11/16 selamat pagi
> Let me rephrase my question:
> if the RR is not in the forwarding path, is there a reason for MPLS on the RR?
>
> 2010/11/16 Stephen.Chen
>> yes, core routers always act as RR, when there is no additional investment for network
>> construction
>>
>> Stephen.Chen
>>
>> 2010/11/16 selamat pagi
>>> Now, I came across some examples with mpls enabled on RR and want to verify
>>> if there are reasons for enabling MPLS in a network offering Internet access and L3VPNs
Re: [c-nsp] No Service Password Recovery
It might have something to do with the version?

    CAT2924Switch#sh run
    Building configuration...

    Current configuration:
    !
    version 12.0
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname CAT2924Switch
    !
    enable secret 5 $1$yWj2$gSWok9LpvLZcLKeV6qUV5/

> Hey all,
>
> I've been googling and cisco.com searching and have found nothing so far.
>
> I want to 'no service password-recovery' on an old Catalyst 2924. Does anyone know of a way?
>
> It is in a delicate environment and it doesn't support 'secret', so if its password is recovered people would be able to crack the 'password' level passwords.
>
> ...Skeeve
>
> --
> Skeeve Stevens, CEO
> eintellego Pty Ltd - The Networking Specialists
> ske...@eintellego.net / www.eintellego.net
> Phone: 1300 753 383, Fax: (+612) 8572 9954
> Cell +61 (0)414 753 383 / skype://skeeve
> www.linkedin.com/in/skeeve ; facebook.com/eintellego
> --
> eintellego - The Experts that the Experts call
> - Juniper - HP Networking - Cisco - Brocade - Arista - Allied Telesis
Re: [c-nsp] MPLS qos on 6500/sup720 - setting EXP when it shouldn't?
On 11/18/2010 09:39 AM, Dmitry Valdov wrote:
> You can use "mls qos trust dscp" on all ports of the system instead.

It's a good suggestion, but only if the downstream devices are trusted - which they're not in this case.
Re: [c-nsp] MPLS qos on 6500/sup720 - setting EXP when it shouldn't?
You can use "mls qos trust dscp" on all ports of the system instead.

On Thu, 18 Nov 2010, Phil Mayers wrote:
> On 11/18/2010 08:55 AM, Dmitry Valdov wrote:
>> I think, yes.
>
> Darn it. That will be the problem then. Oh well. Back to the drawing board.

--
Dmitry Valdov
CCIE #15379 (R&S and SP)
Re: [c-nsp] MPLS qos on 6500/sup720 - setting EXP when it shouldn't?
On 11/18/2010 08:55 AM, Dmitry Valdov wrote:
> I think, yes.

Darn it. That will be the problem then. Oh well. Back to the drawing board.
Re: [c-nsp] MPLS qos on 6500/sup720 - setting EXP when it shouldn't?
I think, yes.

===
The no mls qos rewrite ip dscp command is incompatible with Multiprotocol Label Switching (MPLS). The default mls qos rewrite ip dscp command must remain enabled in order for the PFC3BXL or PFC3B to assign the correct MPLS Experimental (EXP) value for the labels that it imposes. This restriction does not apply to PFC3C or PFC3CXL forward.
===
http://www.cisco.com/en/US/docs/ios/qos/command/reference/qos_m2.html#wp1049874

On Thu, 18 Nov 2010, Phil Mayers wrote:
> On 11/18/2010 08:43 AM, Dmitry Valdov wrote:
>> It only affects 3B(XL) systems. 3C(XL) doesn't have this bug.
>
> Which bug? I *do* have a -3B, and I *do* have "no mls qos rewrite ip dscp" - are you saying it's known to cause problems?

--
Dmitry Valdov
CCIE #15379 (R&S and SP)
Re: [c-nsp] suppress bgp updates?
Sent from my iPhone

On 18.11.2010, at 00:27, Mark Kent wrote:
> Are we _still_ looking for a way to show a persistently static face
> to BGP peers?

Hi Mark,

Why not add something like

    ip route 192.0.2.0 255.255.255.0 null0 255

on two of your routers somewhere?

That way internal flaps will not be announced to your peers.

Andrew
Re: [c-nsp] MPLS qos on 6500/sup720 - setting EXP when it shouldn't?
On 11/18/2010 08:43 AM, Dmitry Valdov wrote:
> It only affects 3B(XL) systems. 3C(XL) doesn't have this bug.

Which bug? I *do* have a -3B, and I *do* have "no mls qos rewrite ip dscp" - are you saying it's known to cause problems?
Re: [c-nsp] MPLS qos on 6500/sup720 - setting EXP when it shouldn't?
It only affects 3B(XL) systems. 3C(XL) doesn't have this bug.

On Thu, 18 Nov 2010, daigo nakayama wrote:
> #sh mls qos detailed
> QoS ip packet dscp rewrite disabled globally
>
> If there is the following command in your config, the command might be the cause.
>
> no mls qos rewrite ip dscp
>
> ---
> nkymdg
>
> 2010/11/17 Phil Mayers :
>> On 17/11/10 12:50, Manu Chao wrote:
>>> Can you please send "show mls qos detailed"?
>>
>> #sh mls qos detailed
>>   QoS is enabled globally
>>   Policy marking depends on port_trust
>>   QoS ip packet dscp rewrite disabled globally
>>   Input mode for GRE Tunnel is Pipe mode
>>   Input mode for MPLS is Pipe mode
>>   QoS is vlan-based on the following interfaces:
>>     Te1/1 Te1/5 Te2/1 Te2/2 Te2/3 Gi8/41 Gi9/39 Po1 Po2
>>   Vlan or Portchannel(Multi-Earl) policies supported: Yes
>>   Egress policies supported: Yes
>>
>> ...then a load of per-module stats noise - representative example:
>>
>>   - Module [1] - Traffic:
>>     Total pkt's - Total packets:                  559899
>>     IP shortcut packets:                          557056
>>     Packets dropped by policing:                       0
>>     IP packets with TOS changed by policing:           0
>>     IP packets with COS changed by policing:         769
>>     Non-IP packets with COS changed by policing:  474422
>>     MPLS packets with EXP changed by policing:         0

--
Dmitry Valdov
CCIE #15379 (R&S and SP)
Re: [c-nsp] GLC-LH-SM vs SFP-GE-L
On 17 November 2010 23:45, wrote:
> We have also been using Cisco-coded transceivers for years, and haven't
> had significantly worse failure rate on those than on optics purchased
> from Cisco. YMMV.

Not surprising really, considering they're probably exactly the same hardware (bar an EEPROM label/value), maybe even from the same factory :-)

--
Daniel Holme
Re: [c-nsp] GLC-LH-SM vs SFP-GE-L
n...@foobar.org (Nick Hilliard) wrote:
> On 17/11/2010 17:51, Peter Rathlev wrote:
>> If you can insert an SFP in a WS-X6724-SFP LC in a 7600 chassis with a
>> Sup720 then why not in a WS-X6724-SFP LC in a 6500 chassis with a
>> Sup720?
>
> because the 7600 is a router and the 6500 is a switch?

That at least is what the BUs want you to believe.

Elmar, routing on 65's and switching on 76's...

--
"First make yourself unpopular. Then you will also be taken seriously." (Konrad Adenauer)
--[ ELMI-RIPE ]---