[c-nsp] time warner outage (around the central texas - san antonio / austin areas) ?
Anyone see anything weird BGP-related or internet-related with Time Warner 2 hours ago? It seems to be fixed now.

Aaron

___
cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] 7k EPLD version in I/O mods
We have a 7k chassis that has a SUP-1 and FAB-1 that will be upgraded with SUP-2 and FAB-2, but while I am testing in a spare chassis I don't want to prohibit the spare modules from being used in a chassis with SUP-1 if the EPLD is incompatible.

Q1. Is the EPLD version that I load into an I/O mod the same regardless of whether it was loaded with a SUP-1 or SUP-2?

Q2. Is a higher rev EPLD compatible with a lower NX-OS version? The doc seems to imply it's OK.

So if I update the EPLD of an I/O mod on my spare chassis that has a SUP-2, can I use that mod in a chassis that has a SUP-1 without changing the EPLD code?

I know when you download the EPLD from Cisco, you need to use the version for the specific SUP (1 or 2), but I believe that is only because there is EPLD on it for the SUP, whereas the module EPLD is always the same regardless of SUP version. I think.

I have all the docs on procedure, but they didn't mention this case.

Thanks for any info.

Jeff Fitzwater
OIT Network Systems
Princeton University
[c-nsp] PPPoE static IP w/o RADIUS
Hi all,

Is it possible to assign a static IP to a PPPoE user using local authentication, without the likes of RADIUS, TACACS, LDAP, etc.?
[c-nsp] GNS3 TFTP
Hi all,

I am trying to test TFTP with GNS3 but it's not working. What is the exact path for the IOS image?
Re: [c-nsp] blocking icmp type 3 code 3 [no, but type 3 code 4 yes!]
On 17/07/2013 20:22, Aaron wrote:
> Are there well-known attacks that produce a mass amount of icmp type 3 (destination unreachable) code 3 (port unreachable)? I've seen things like this in netflow lately. NO prior communications from my host(s) BUT I see the response of icmp 3 3. Leads me to believe someone is spoofing as coming from my network and thus causing icmp 3 3's to come back my way.
>
> How to mitigate / combat this?
>
> What if I acl deny icmp 3 3 inbound? Downsides?
>
> Aaron

I have not seen icmp 3 3's, but I have seen icmp 3 4s (Fragmentation Needed but DF bit set). It turns out that there are some devices out there that, if they receive an icmp 3 4, actually send out the same packet again without reducing the payload size; the net result is a self-inflicted DDoS.

Limelight Networks appeared to have hosts exhibiting this problem until about March or April this year, but I've seen the problem resurface more recently with a couple of Microsoft hosts: 213.199.149.133 and 213.199.149.227

The problem only manifests itself if you have a (usually intermediate) hop with a lower MTU and hosts at the remote end that don't do stuff like PMTU discovery (e.g. Windows XP).

--
Regards,
Giles Coochey, CCNP, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
gi...@coochey.net
Re: [c-nsp] blocking icmp type 3 code 3
On 07/17/2013 08:22 PM, Aaron wrote:
> Are there well-known attacks that produce a mass amount of icmp type 3 (destination unreachable) code 3 (port unreachable)?

As you suggest, spoofing which is blocked at the target with some kind of ACL/filter that is rejecting rather than dropping. If you can set up a SPAN, you can examine the embedded IP/L4 header in the ICMP error message and get a better idea of the root cause.

We've been getting backscatter from source-spoofed DNS attacks (not reflection attacks, although we've been getting those as well) of a very peculiar nature for a few weeks now. There's a lot of odd stuff going on at the moment.

> How to mitigate / combat this?

With difficulty. Really, whoever is returning the ICMP is misbehaving; they may be being DDoSed, but returning an ICMP error in response to the DDoS just compounds the problem for yet more innocent parties. You could contact the source of the ICMP, ask them to drop rather than error the traffic, or rate-limit the ICMP generation (shame router platforms aren't smarter in this respect).

> What if I acl deny icmp 3 3 inbound? Downsides?

Well, yes, you'll break ICMP error propagation for legitimate cases. If you must do this, consider rate-limiting them, or block only the people who are spamming you with 3/3.

What kind of traffic levels are you seeing? Because if it's e.g. 100-1000 pps, another strategy is "ignore it".
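The reply above suggests examining the embedded IP/L4 header inside the ICMP error to find the root cause, and the earlier reply in this thread raises the 3/4 (fragmentation needed) case. The following is an added example, not code from either poster: it decodes raw IPv4/ICMP type 3 packets as you would pull them off a SPAN or tap, extracts the quoted inner header and ports, and flags port-unreachable errors that do not match any outbound flow we actually sent (Aaron's "NO prior communications" symptom) as backscatter from spoofing of our addresses. The prefix, the known-flow set and the packets are all constructed with documentation addresses; `build_unreachable` exists only to fabricate test input, and checksums are computed but not validated on the way in.

```python
"""Decode ICMP Destination Unreachable (type 3) backscatter from raw IPv4 packets.

Added example, not from the cisco-nsp thread. Assumes each element of PACKETS
is a raw IPv4 packet (Ethernet header already stripped) and that KNOWN_FLOWS
holds outbound flows we genuinely originated (e.g. exported from NetFlow).
"""
import ipaddress
import struct
from collections import Counter

ICMP_UNREACH = 3   # ICMP type: destination unreachable
PORT_UNREACH = 3   # code 3: port unreachable (sent by the destination host)
FRAG_NEEDED = 4    # code 4: fragmentation needed and DF set (RFC 1191 carries next-hop MTU)


def ipv4_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; used only by the packet builder below."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(pkt: bytes, off: int = 0):
    """Return (fields, header_length) for the IPv4 header starting at pkt[off:]."""
    ver_ihl, _tos, total_len, _id, _ff, ttl, proto, _csum, src, dst = struct.unpack_from("!BBHHHBBH4s4s", pkt, off)
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    fields = {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
              "proto": proto, "ttl": ttl, "len": total_len}
    return fields, (ver_ihl & 0x0F) * 4


def decode_unreachable(pkt: bytes):
    """If pkt is ICMP type 3, return the outer sender, code, MTU and the quoted inner header; else None."""
    outer, ihl = parse_ipv4(pkt)
    if outer["proto"] != 1:
        return None
    icmp = pkt[ihl:]
    if len(icmp) < 8 + 20:
        return None
    itype, code, _csum, _unused, mtu = struct.unpack_from("!BBHHH", icmp, 0)
    if itype != ICMP_UNREACH:
        return None
    # RFC 792: after the 8-byte ICMP header comes the original IP header plus >= 8 bytes of its payload.
    inner, inner_ihl = parse_ipv4(icmp, 8)
    l4 = icmp[8 + inner_ihl:8 + inner_ihl + 8]
    sport = dport = None
    if inner["proto"] in (6, 17) and len(l4) >= 4:   # TCP/UDP: ports are the first 4 bytes
        sport, dport = struct.unpack("!HH", l4[:4])
    return {"sender": outer["src"], "code": code, "mtu": mtu if code == FRAG_NEEDED else None,
            "inner_src": inner["src"], "inner_dst": inner["dst"], "inner_proto": inner["proto"],
            "sport": sport, "dport": dport}


def ipv4_hdr(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Build a minimal 20-byte IPv4 header with DF set (constructed test data only)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def build_unreachable(sender, victim, code, inner_src, inner_dst, proto, sport, dport, mtu=0) -> bytes:
    """Fabricate an IPv4/ICMP type 3 packet quoting an 8-byte UDP/TCP header (test data only)."""
    l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    inner = ipv4_hdr(inner_src, inner_dst, proto, 20 + len(l4)) + l4
    icmp = struct.pack("!BBHHH", ICMP_UNREACH, code, 0, 0, mtu) + inner
    icmp = icmp[:2] + struct.pack("!H", ipv4_checksum(icmp)) + icmp[4:]
    return ipv4_hdr(sender, victim, 1, 20 + len(icmp)) + icmp


OUR_PREFIX = "192.0.2.0/24"   # constructed: documentation prefix standing in for the poster's address space
# constructed: flows we really originated, as (src, dst, proto, sport, dport)
KNOWN_FLOWS = {("192.0.2.10", "198.51.100.5", 17, 40000, 53)}

PACKETS = [   # constructed capture
    # expected: we probed 198.51.100.5:53 ourselves and it answered with port unreachable
    build_unreachable("198.51.100.5", "192.0.2.10", PORT_UNREACH, "192.0.2.10", "198.51.100.5", 17, 40000, 53),
    # backscatter: someone spoofed our 192.0.2.77/.78 toward 203.0.113.9, which rejected with 3/3
    build_unreachable("203.0.113.9", "192.0.2.77", PORT_UNREACH, "192.0.2.77", "203.0.113.9", 17, 1234, 53),
    build_unreachable("203.0.113.9", "192.0.2.78", PORT_UNREACH, "192.0.2.78", "203.0.113.9", 17, 1235, 53),
    # PMTU signal from an intermediate hop with a 1400-byte MTU
    build_unreachable("203.0.113.1", "192.0.2.20", FRAG_NEEDED, "192.0.2.20", "203.0.113.40", 6, 443, 51000, mtu=1400),
]


def classify(pkt: bytes, our_prefix: str = OUR_PREFIX, known_flows=KNOWN_FLOWS) -> str:
    """Label one packet: expected 3/3, backscatter from spoofing of our space, PMTU 3/4, or other."""
    d = decode_unreachable(pkt)
    if d is None:
        return "not-icmp-unreachable"
    if d["code"] == FRAG_NEEDED:
        return "frag-needed(mtu=%d)" % d["mtu"]
    if d["code"] != PORT_UNREACH:
        return "unreachable-code-%d" % d["code"]
    flow = (d["inner_src"], d["inner_dst"], d["inner_proto"], d["sport"], d["dport"])
    if flow in known_flows:
        return "port-unreachable(expected)"
    if ipaddress.ip_address(d["inner_src"]) in ipaddress.ip_network(our_prefix):
        return "port-unreachable(backscatter: our address spoofed)"
    return "port-unreachable(unmatched)"


def summarize(pkts):
    """Return (count per label, count of ICMP senders behind suspected backscatter)."""
    kinds, senders = Counter(), Counter()
    for p in pkts:
        label = classify(p)
        kinds[label] += 1
        if "backscatter" in label:
            senders[decode_unreachable(p)["sender"]] += 1
    return kinds, senders


if __name__ == "__main__":
    for label, n in summarize(PACKETS)[0].items():
        print("%-55s %d" % (label, n))
```

The sender counter is what you would take to the "contact the source of the ICMP" or "block only the people who are spamming you with 3/3" options from the reply: it names the hosts emitting the errors without touching 3/3 or 3/4 traffic that matches flows you really sent.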
Re: [c-nsp] multicast issue
On 07/17/2013 05:28 PM, Chris Marget wrote:
>> Span mode?
>
> Nope. Just an optical splitter at the carrier handoff.

Just to add a "+1": tap rather than SPAN is important, because SPAN has some distinctly screwy behaviours w.r.t. multicast traffic on some platforms.