[c-nsp] ASA-V vs ASA contexts
We run multi-tenant Cloud infrastructure for many small clients. We are using ASA firewall contexts to protect inter-client hosted communications.

Was thinking of using ASA-V instead of multiple contexts to keep costs down - and I would more easily be able to automate the provisioning of the Client Firewalls.

Does anyone have any experience doing this? Is it generally cheaper or more expensive than multiple contexts? We have some quotes in with our supplier - but it looks ludicrously expensive compared to Contexts licensing at a first glance.

I'm not interested in a chat about throughput, just in ease of rollout and costs. Specifically the ASA-V10 (not the 30) and the standard license.

Any insightful hindsight would be greatly appreciated.

Thanks,
Nick

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Nexus / VPC - Management port "needed" in VPC?
Thanks for clarifying Quinn - So on a pair of 3Ks, a "typical" VPC setup would be 2 x 10Gb links + "a" link (i.e. Management ports) for the keepalives?

And on a pair of 9Ks, 2 x 40Gb links, plus management port link?

Cheers

From: quinn snyder
Sent: Friday, 20 November 2015 8:13 AM
To: CiscoNSP List
Cc: cisco-nsp
Subject: Re: [c-nsp] Nexus / VPC - Management port "needed" in VPC?

> On Nov 19, 2015, at 14:07, CiscoNSP List wrote:
>
> We have a customer that is wanting to do VPC on some N9Ks and also N3Ks - I
> "thought" VPC would be similar to VSS...i.e. dual link between the
> switches...but my (brief) reading up on the setup, I see some setup guides
> where there are dual links(2 x 10Gb, or 2 x 40Gb), plus the use of the
> management port for vPC peer keepalives?
>
> http://www.cisco.com/c/en/us/products/collateral/switches/nexus-3000-series-switches/white_paper_c11-685753.html
>
> Any info on the "correct" method to setup VPC on the Nexus would be greatly
> appreciated

the above is correct. vpc requires the “data plane” (vpc peer-link) that performs synchronization using cfsoe between vpc domain peers. it also *can* be used to forward actual data-plane traffic under failure scenarios. it's important to understand the baked-in vpc drop conditions that exist to provide loop prevention under steady-state.

the management (or some other set of layer-3 adjacencies within an isolated vrf) are used for simple heartbeats between the devices. failure of this link does not mean catastrophic failure of the domain. this is similar to something like ‘fast-hellos’ using an oob link when dealing with vss.

q.

--
quinn snyder | snyd...@gmail.com
Re: [c-nsp] Nexus / VPC - Management port "needed" in VPC?
> On Nov 19, 2015, at 7:14 PM, CiscoNSP List wrote:
>
> Thanks for clarifying Quinn - So on a pair of 3Ks, a "typical" VPC setup
> would be 2 x 10Gb links + "a" link(i.e. Management ports) for the keepalives?
>
> And on a pair of 9Ks, 2 x 40Gb links, plus management port link?
>
> Cheers

Correct. Note that the management port does not have to be the one used as the peer-keepalive. You could just as easily use another copper or fiber port configured with a /31 or similar, if you really wanted to use the management port for your OOB network only (or whatever other design criteria you may have).

We use the management port for some of these deployments from a certain legacy acquisition, while others in another part of our network use a dedicated link due to fiber being more readily available to connect between cabinets.
Re: [c-nsp] TFTP/SCP
Hi,

On Thu, Nov 19, 2015 at 06:55:46PM +0200, Nick Hilliard wrote:
> On 19/11/2015 18:15, Jeremy Bresley wrote:
> > With the exception of NX-OS, pretty much anything on code released in the
> > last 3-4 years supports HTTP downloads
>
> XR supports only ftp and tftp.

It does sftp, but maybe not "from the XR box" but "pushing towards the XR box" (and that one actually works, unless the file is bigger than 2G *sigh*)

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
g...@greenie.muc.de
fax: +49-89-35655025
g...@net.informatik.tu-muenchen.de
Re: [c-nsp] Nexus / VPC - Management port "needed" in VPC?
> On Nov 19, 2015, at 18:14, CiscoNSP List wrote:
>
> Thanks for clarifying Quinn - So on a pair of 3Ks, a "typical" VPC setup
> would be 2 x 10Gb links + "a" link(i.e. Management ports) for the keepalives?
>
> And on a pair of 9Ks, 2 x 40Gb links, plus management port link?

not so much typical as 'sized for your use case'. during failure scenarios, it is possible to have traffic transit the peer-link. however -- it comes down to understanding your environment, sla, redundancy, etc.

while the minimum recommended links is (2) for the peer-link, this can scale and you'll need to dial this in for your situation. playing in the lab and running through a reflective set of test cases is your best bet here. obviously -- you'll need to extrapolate this to being under load as well.

q.

--
quinn snyder | snyd...@gmail.com

-= sent via iphone. please excuse spelling, grammar, and brevity =-
[c-nsp] Nexus / VPC - Management port "needed" in VPC?
Hi Everyone (Sent this yesterday, but it seems to have not made it to the list?),

We have a customer that is wanting to do VPC on some N9Ks and also N3Ks - I "thought" VPC would be similar to VSS...i.e. dual link between the switches...but my (brief) reading up on the setup, I see some setup guides where there are dual links (2 x 10Gb, or 2 x 40Gb), plus the use of the management port for vPC peer keepalives?

http://www.cisco.com/c/en/us/products/collateral/switches/nexus-3000-series-switches/white_paper_c11-685753.html

Any info on the "correct" method to setup VPC on the Nexus would be greatly appreciated

Thanks.
Re: [c-nsp] Nexus / VPC - Management port "needed" in VPC?
> On Nov 19, 2015, at 14:07, CiscoNSP List wrote:
>
> We have a customer that is wanting to do VPC on some N9Ks and also N3Ks - I
> "thought" VPC would be similar to VSS...i.e. dual link between the
> switches...but my (brief) reading up on the setup, I see some setup guides
> where there are dual links(2 x 10Gb, or 2 x 40Gb), plus the use of the
> management port for vPC peer keepalives?
>
> http://www.cisco.com/c/en/us/products/collateral/switches/nexus-3000-series-switches/white_paper_c11-685753.html
>
> Any info on the "correct" method to setup VPC on the Nexus would be greatly
> appreciated

the above is correct. vpc requires the “data plane” (vpc peer-link) that performs synchronization using cfsoe between vpc domain peers. it also *can* be used to forward actual data-plane traffic under failure scenarios. it's important to understand the baked-in vpc drop conditions that exist to provide loop prevention under steady-state.

the management (or some other set of layer-3 adjacencies within an isolated vrf) are used for simple heartbeats between the devices. failure of this link does not mean catastrophic failure of the domain. this is similar to something like ‘fast-hellos’ using an oob link when dealing with vss.

q.

--
quinn snyder | snyd...@gmail.com
[c-nsp] Nexus 7K - Routing over vPC Peer-link between chassis
Hi All,

Could you please tell me what is the disadvantage of running routing protocols e.g. iBGP between SVIs of two chassis over vPC peer-link? I heard a lot that Cisco recommends using a separate link for layer-3, but why? Logically the peer-link should be more reliable as generally it is bundled with multiple physical links.

Thanks in advance.

Regards
YH
Re: [c-nsp] Nexus 7K - Routing over vPC Peer-link between chassis
I ran into this a few years back - and we did end up doing it.

It's basically because the peer link is totally different to a trunk between two chassis. i.e. don't use it ever unless a downstream VPC link is down.

I can't remember the details, however this post by Brad Hedlund explains everything you need to know.

http://bradhedlund.com/2010/12/16/routing-over-nexus-7000-vpc-peer-link-yes-and-no/

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Yham
Sent: 19 November 2015 11:49
To: cisco-nsp@puck.nether.net NSP
Subject: [c-nsp] Nexus 7K - Routing over vPC Peer-link between chassis

Hi All,

Could you please tell me what is the disadvantage of running routing protocols e.g. iBGP between SVIs of two chassis over vPC peer-link? I heard a lot that Cisco recommends using a separate link for layer-3, but why? Logically the peer-link should be more reliable as generally it is bundled with multiple physical links.

Thanks in advance.

Regards
YH
Re: [c-nsp] TFTP/SCP
On 19/Nov/15 12:25, Harry Hambi - Atos wrote:

> Hi All,
> Uploading IOS 15.2.SE7 to a number of 3750 switches using tftp. This proved
> very slow, so I decided to use SCP which was a lot quicker. However, SCP
> caused a cpu spike on the switch which caused snmp drops. Has anyone ever
> experienced this? The switch was passing data traffic normally.

Might make sense.

SCP is exception traffic, as is SNMP traffic to the switch.

Mark.
[c-nsp] TFTP/SCP
Hi All,

Uploading IOS 15.2.SE7 to a number of 3750 switches using tftp. This proved very slow, so I decided to use SCP which was a lot quicker. However, SCP caused a cpu spike on the switch which caused snmp drops. Has anyone ever experienced this? The switch was passing data traffic normally.

Rgds
Harry

Harry Hambi BEng(Hons) MIET Rsgb
Re: [c-nsp] TFTP/SCP
I've suggested removing TFTP as it's a crutch and has many shortcomings, more so when any latency is involved.

People used a custom RCPD in the past to solve this as well.

Beware as the Cisco FTP clients behave strangely across all versions and may request the file multiple times. They don't seem to test it often so if you report a bug, it takes quite some time to find the code caretaker.

Jared Mauch

> On Nov 19, 2015, at 8:14 AM, Mark Tinka wrote:
>
>> On 19/Nov/15 15:54, Jared Mauch wrote:
>>
>> We use FTP as the image isn't something that needs to be protected from
>> eavesdroppers.
>
> We use FTP also, as SCP support was non-uniform across various versions
> of IOS for a while.
>
> Mark.
Re: [c-nsp] TFTP/SCP
Yup. You can filter by IP address and check image checksum after if it's something without a crypto signature.

Jared Mauch

> On Nov 19, 2015, at 8:54 AM, Daniel Brisson wrote:
>
> What about protecting credentials? Do you use a service account that has 0
> access other than FTP'ing images?
>
> -dan
>
> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jared
> Mauch
> Sent: Thursday, November 19, 2015 8:54 AM
> To: Mark Tinka
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] TFTP/SCP
>
> We use FTP as the image isn't something that needs to be protected from
> eavesdroppers.
>
> Jared Mauch
>
>> On Nov 19, 2015, at 6:46 AM, Mark Tinka wrote:
>>
>>> On 19/Nov/15 12:25, Harry Hambi - Atos wrote:
>>>
>>> Hi All,
>>> Uploading IOS 15.2.SE7 to a number of 3750 switches using tftp. This proved
>>> very slow, so I decided to use SCP which was a lot quicker. However, SCP
>>> caused a cpu spike on the switch which caused snmp drops. Has anyone ever
>>> experienced this? The switch was passing data traffic normally.
>>
>> Might make sense.
>>
>> SCP is exception traffic, as is SNMP traffic to the switch.
>>
>> Mark.
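Added example (not part of any message in the thread, and not any poster's code): one way to do the "check image checksum" step on the image server when images travel over plain FTP or HTTP. The file names, image contents and manifest layout are constructed; in practice the expected digests would be taken from a trusted source rather than computed locally.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha512_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large images need not fit in memory."""
    digest = hashlib.sha512()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_image_dir(directory, manifest):
    """Check a staging directory against manifest {file name: hex SHA-512}.

    Returns {file name: status} where status is one of:
      ok        digest matches the manifest
      mismatch  file exists but its digest differs (corrupt or altered)
      missing   listed in the manifest but not present
      unlisted  present on the server but not an approved image
    """
    directory = Path(directory)
    results = {}
    for name, expected in manifest.items():
        path = directory / name
        if not path.is_file():
            results[name] = "missing"
            continue
        actual = sha512_file(path)
        matches = hmac.compare_digest(actual, expected.strip().lower())
        results[name] = "ok" if matches else "mismatch"
    # Anything served from the directory that is not in the manifest is
    # flagged, so stale or non-standard images do not get loaded by accident.
    for path in directory.iterdir():
        if path.is_file() and path.name not in manifest:
            results[path.name] = "unlisted"
    return results


def demo():
    """Run the audit over constructed sample files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        good = b"constructed image A"
        (tmp / "image-a.bin").write_bytes(good)
        # Simulates an image that changed between publication and staging.
        (tmp / "image-b.bin").write_bytes(b"constructed image B, altered")
        (tmp / "old-image.bin").write_bytes(b"left over from a previous standard")
        manifest = {
            "image-a.bin": hashlib.sha512(good).hexdigest(),
            "image-b.bin": hashlib.sha512(b"constructed image B").hexdigest(),
            "image-c.bin": hashlib.sha512(b"never copied").hexdigest(),
        }
        return audit_image_dir(tmp, manifest)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:9} {name}")
```

The same digest should be checked again on the device after the copy, since this only covers the copy held on the server.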
Re: [c-nsp] TFTP/SCP
The crypto-work gets done on the CPU in software, and the CPUs on those switches are not very strong.

(data traffic is forwarded by the hardware, only some special packets (STP, CDP, ...) disturb the CPU; while management traffic must be handled by the CPU)

Juergen.
Re: [c-nsp] TFTP/SCP
It was using SCP that caused the switch CPU to spike. Sorry if I have misread your comments. Are you saying there's a setting in the SCP server to limit bandwidth? I'm using SolarWinds SFTP & SCP server.

Rgds
Harry

Harry Hambi BEng(Hons) MIET Rsgb

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Alex Pressé
Sent: 19 November 2015 15:01
To: Daniel Brisson
Cc: cisco-nsp@puck.nether.net; Jared Mauch
Subject: Re: [c-nsp] TFTP/SCP

I've dumped images in a place available via HTTP.

The nice thing about SCP is being able to push the image directly to the switches instead of having the switches pull. When pushing the image, SCP also offers the ability to limit bandwidth (thus preventing your CPU spike).

On Thu, Nov 19, 2015 at 7:54 AM, Daniel Brisson wrote:

> What about protecting credentials? Do you use a service account that has
> 0 access other than FTP'ing images?
>
> -dan
>
> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
> Jared Mauch
> Sent: Thursday, November 19, 2015 8:54 AM
> To: Mark Tinka
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] TFTP/SCP
>
> We use FTP as the image isn't something that needs to be protected from
> eavesdroppers.
>
> Jared Mauch
>
> > On Nov 19, 2015, at 6:46 AM, Mark Tinka wrote:
> >
> >> On 19/Nov/15 12:25, Harry Hambi - Atos wrote:
> >>
> >> Hi All,
> >> Uploading IOS 15.2.SE7 to a number of 3750 switches using tftp. This
> >> proved very slow, so I decided to use SCP which was a lot quicker. However,
> >> SCP caused a cpu spike on the switch which caused snmp drops. Has anyone
> >> ever experienced this? The switch was passing data traffic normally.
> >
> > Might make sense.
> >
> > SCP is exception traffic, as is SNMP traffic to the switch.
> >
> > Mark.

--
Alex Presse
"How much net work could a network work if a network could net work?"

-----
http://www.bbc.co.uk
This e-mail (and any attachments) is confidential and may contain personal views which are not the views of the BBC unless specifically stated. If you have received it in error, please delete it from your system. Do not use, copy or disclose the information in any way nor act in reliance on it and notify the sender immediately. Please note that the BBC monitors e-mails sent or received. Further communication will signify your consent to this.
-----
Re: [c-nsp] TFTP/SCP
With the exception of NX-OS, pretty much anything on code released in the last 3-4 years supports HTTP downloads. Just put the images on a web server reachable by the client (can put them in a directory and specify the path as well). I did this with a Linux host with Apache and did an alias for /code pointed to a directory that the network team can update with new images as needed.

To upgrade a 3560X they just have to do:

    archive download-sw /overwrite http://serverip/code/c3560e-universalk9-tar.152-4.E.tar

As a plus, it's easy for the junior engineers to just click on a link and see what images are available for that platform if we update to a newer version and they have an older doc with what our standard image is (we remove all but the current standard and sometimes the immediate previous one in case we need to roll a device back.) This makes it easy to keep people from loading old non-standard code whenever they replace a device.

Jeremy "TheBrez" Bresley
b...@brezworks.com

On 11/19/2015 7:54 AM, Jared Mauch wrote:
> We use FTP as the image isn't something that needs to be protected from
> eavesdroppers.
>
> Jared Mauch
>
>> On Nov 19, 2015, at 6:46 AM, Mark Tinka wrote:
>>
>>> On 19/Nov/15 12:25, Harry Hambi - Atos wrote:
>>>
>>> Hi All,
>>> Uploading IOS 15.2.SE7 to a number of 3750 switches using tftp. This proved
>>> very slow, so I decided to use SCP which was a lot quicker. However, SCP
>>> caused a cpu spike on the switch which caused snmp drops. Has anyone ever
>>> experienced this? The switch was passing data traffic normally.
>>
>> Might make sense.
>>
>> SCP is exception traffic, as is SNMP traffic to the switch.
>>
>> Mark.
Re: [c-nsp] TFTP/SCP
In Linux SSH you can use the -l flag.
http://linux.die.net/man/1/scp

No idea if Solarwinds implemented SSH with any features.

    scp -l 2000 c3750e-universalk9-mz.150-2.SE8.bin admin@myswitch:flash:/c3750e-universalk9-mz.150-2.SE8.bin

On Thu, Nov 19, 2015 at 8:12 AM, Harry Hambi - Atos wrote:

> It was using SCP that caused the switch CPU to spike. Sorry if I have misread
> your comments. Are you saying there's a setting in the SCP server to
> limit bandwidth? I'm using SolarWinds SFTP & SCP server.
>
> Rgds
> Harry
>
> Harry Hambi BEng(Hons) MIET Rsgb
>
> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
> Alex Pressé
> Sent: 19 November 2015 15:01
> To: Daniel Brisson
> Cc: cisco-nsp@puck.nether.net; Jared Mauch
> Subject: Re: [c-nsp] TFTP/SCP
>
> I've dumped images in a place available via HTTP.
>
> The nice thing about SCP is being able to push the image directly to the
> switches instead of having the switches pull. When pushing the image, SCP
> also offers the ability to limit bandwidth (thus preventing your CPU
> spike).
>
> On Thu, Nov 19, 2015 at 7:54 AM, Daniel Brisson wrote:
>
> > What about protecting credentials? Do you use a service account that has
> > 0 access other than FTP'ing images?
> >
> > -dan
> >
> > -----Original Message-----
> > From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
> > Jared Mauch
> > Sent: Thursday, November 19, 2015 8:54 AM
> > To: Mark Tinka
> > Cc: cisco-nsp@puck.nether.net
> > Subject: Re: [c-nsp] TFTP/SCP
> >
> > We use FTP as the image isn't something that needs to be protected from
> > eavesdroppers.
> >
> > Jared Mauch
> >
> > > On Nov 19, 2015, at 6:46 AM, Mark Tinka wrote:
> > >
> > >> On 19/Nov/15 12:25, Harry Hambi - Atos wrote:
> > >>
> > >> Hi All,
> > >> Uploading IOS 15.2.SE7 to a number of 3750 switches using tftp. This
> > >> proved very slow, so I decided to use SCP which was a lot quicker.
> > >> However, SCP caused a cpu spike on the switch which caused snmp drops.
> > >> Has anyone ever experienced this? The switch was passing data traffic
> > >> normally.
> > >
> > > Might make sense.
> > >
> > > SCP is exception traffic, as is SNMP traffic to the switch.
> > >
> > > Mark.
>
> --
> Alex Presse
> "How much net work could a network work if a network could net work?"

--
Alex Presse
"How much net work could a network work if a network could net work?"
Re: [c-nsp] TFTP/SCP
We use FTP as the image isn't something that needs to be protected from eavesdroppers.

Jared Mauch

> On Nov 19, 2015, at 6:46 AM, Mark Tinka wrote:
>
>> On 19/Nov/15 12:25, Harry Hambi - Atos wrote:
>>
>> Hi All,
>> Uploading IOS 15.2.SE7 to a number of 3750 switches using tftp. This proved
>> very slow, so I decided to use SCP which was a lot quicker. However, SCP
>> caused a cpu spike on the switch which caused snmp drops. Has anyone ever
>> experienced this? The switch was passing data traffic normally.
>
> Might make sense.
>
> SCP is exception traffic, as is SNMP traffic to the switch.
>
> Mark.
Re: [c-nsp] TFTP/SCP
What about protecting credentials? Do you use a service account that has 0 access other than FTP'ing images?

-dan

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jared Mauch
Sent: Thursday, November 19, 2015 8:54 AM
To: Mark Tinka
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] TFTP/SCP

We use FTP as the image isn't something that needs to be protected from eavesdroppers.

Jared Mauch

> On Nov 19, 2015, at 6:46 AM, Mark Tinka wrote:
>
>> On 19/Nov/15 12:25, Harry Hambi - Atos wrote:
>>
>> Hi All,
>> Uploading IOS 15.2.SE7 to a number of 3750 switches using tftp. This proved
>> very slow, so I decided to use SCP which was a lot quicker. However, SCP
>> caused a cpu spike on the switch which caused snmp drops. Has anyone ever
>> experienced this? The switch was passing data traffic normally.
>
> Might make sense.
>
> SCP is exception traffic, as is SNMP traffic to the switch.
>
> Mark.
Re: [c-nsp] TFTP/SCP
I've dumped images in a place available via HTTP.

The nice thing about SCP is being able to push the image directly to the switches instead of having the switches pull. When pushing the image, SCP also offers the ability to limit bandwidth (thus preventing your CPU spike).

On Thu, Nov 19, 2015 at 7:54 AM, Daniel Brisson wrote:

> What about protecting credentials? Do you use a service account that has
> 0 access other than FTP'ing images?
>
> -dan
>
> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
> Jared Mauch
> Sent: Thursday, November 19, 2015 8:54 AM
> To: Mark Tinka
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] TFTP/SCP
>
> We use FTP as the image isn't something that needs to be protected from
> eavesdroppers.
>
> Jared Mauch
>
> > On Nov 19, 2015, at 6:46 AM, Mark Tinka wrote:
> >
> >> On 19/Nov/15 12:25, Harry Hambi - Atos wrote:
> >>
> >> Hi All,
> >> Uploading IOS 15.2.SE7 to a number of 3750 switches using tftp. This
> >> proved very slow, so I decided to use SCP which was a lot quicker. However,
> >> SCP caused a cpu spike on the switch which caused snmp drops. Has anyone
> >> ever experienced this? The switch was passing data traffic normally.
> >
> > Might make sense.
> >
> > SCP is exception traffic, as is SNMP traffic to the switch.
> >
> > Mark.

--
Alex Presse
"How much net work could a network work if a network could net work?"
Re: [c-nsp] TFTP/SCP
On 19/11/2015 18:15, Jeremy Bresley wrote:
> With the exception of NX-OS, pretty much anything on code released in the
> last 3-4 years supports HTTP downloads

XR supports only ftp and tftp.

Nick
Re: [c-nsp] TFTP/SCP
> On 19/11/2015 18:15, Jeremy Bresley wrote:
>> With the exception of NX-OS, pretty much anything on code released in the
>> last 3-4 years supports HTTP downloads
>
> XR supports only ftp and tftp.

SCP is in XR 05.01.01 (but not via the "filesystem" like wrapper so you can actually use it in all IO based commands, but via the new, pretty limited scp keyword).

HTTP(S) is "prototyped" for 5.3.3, not sure if they are gonna make it.

More about this here:
https://supportforums.cisco.com/blog/12244311/xr-usability-and-debugability-got-wish-comment
https://supportforums.cisco.com/blog/12602981/usability-functionality-read-out-status-so-far

Regards,
Lukas
Re: [c-nsp] TFTP/SCP
On 19/Nov/15 15:54, Jared Mauch wrote:

> We use FTP as the image isn't something that needs to be protected from
> eavesdroppers.

We use FTP also, as SCP support was non-uniform across various versions of IOS for a while.

Mark.