Re: [c-nsp] Syslog timezone
The syslog messages don't have the correct timezone. The timezone in the event is correct.

service timestamps log datetime msec localtime show-timezone

I think this did fix it. It just took a while.

On Thu, Mar 22, 2018 at 1:09 PM, Alan Buxey wrote:
> just to check - do you mean the events are coming through to syslog
> with wrong timezone - or do you mean the syslog server is showing the
> wrong timezone in its events - both are unique/separate
>
> alan

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] Syslog timezone
Hello,

I'm trying to change the syslog message timezone to the correct one for my location. This:

service timestamps log datetime msec localtime show-timezone

Only changes the console log timezone to the correct timezone. The syslog messages continue to use the UTC timezone. Is there any way to modify this, or do we have to somehow change this on our logging server?

Thanks,
Dan.
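Alan's question (is the device stamping the wrong zone, or is the collector misreading it?) is answerable on the collector side. As an added example that is not part of this thread, the Python below parses the IOS timestamp prefix that `service timestamps log datetime msec localtime show-timezone` produces, converts it to UTC, and separates lines that carry a zone label from lines that do not (a device still stamping without `show-timezone`). The zone-offset map, the year, and the sample lines are constructed assumptions; IOS stamps omit the year, so the caller supplies it.

```python
import re
from datetime import datetime, timedelta, timezone

# Offsets for the abbreviations this fleet is expected to emit (assumed map;
# abbreviations like CST are ambiguous world-wide, so keep this per site).
TZ_OFFSET_HOURS = {"UTC": 0, "GMT": 0, "CST": -6, "CDT": -5}

# IOS 'service timestamps log datetime msec [localtime] [show-timezone]' prefix,
# optionally preceded by a syslog PRI and a sequence number when received over UDP.
STAMP_RE = re.compile(
    r"^(?:<\d+>)?(?:\d+: )?[*.]?"                       # PRI, seq, clock-unsynced markers
    r"(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hms>\d{2}:\d{2}:\d{2})"
    r"(?:\.(?P<ms>\d{3}))?"                             # msec
    r"(?: (?P<tz>[A-Za-z]{3,5}))?: (?P<msg>.*)$"        # show-timezone label, then message
)


def parse_ios_syslog(line, year, default_tz=None):
    """Return (utc_datetime, tz_label_seen) or None if the line has no IOS stamp.

    tz_label_seen is None when the device did not emit show-timezone; in that
    case default_tz is applied. Unknown labels raise so they are not silently
    mis-shifted."""
    m = STAMP_RE.match(line)
    if not m:
        return None
    label = m.group("tz")
    tz = label or default_tz
    if tz is None or tz not in TZ_OFFSET_HOURS:
        raise ValueError(f"unknown or missing timezone label: {tz!r}")
    naive = datetime.strptime(f"{m['mon']} {m['day']} {year} {m['hms']}", "%b %d %Y %H:%M:%S")
    naive = naive.replace(microsecond=int(m["ms"] or 0) * 1000)
    local = naive.replace(tzinfo=timezone(timedelta(hours=TZ_OFFSET_HOURS[tz])))
    return local.astimezone(timezone.utc), label


def audit(lines, year, default_tz="UTC"):
    """Split lines into (utc_iso, line) pairs that carried a zone label and pairs
    that did not (or carried one the map does not know). The second list is the
    set of devices whose 'service timestamps' line still needs attention."""
    tagged, untagged = [], []
    for line in lines:
        try:
            parsed = parse_ios_syslog(line, year, default_tz)
        except ValueError:
            untagged.append((None, line))
            continue
        if parsed is None:
            continue
        utc, label = parsed
        (tagged if label else untagged).append((utc.isoformat(), line))
    return tagged, untagged


# Constructed sample: one line with show-timezone, one without, one already in UTC.
SAMPLE = [
    "<189>42: Mar 22 13:09:01.123 CST: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "<189>43: Mar 22 19:09:01.456: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "<189>44: Mar 22 19:10:00.000 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
]

if __name__ == "__main__":
    tagged, untagged = audit(SAMPLE, 2018)
    for utc, line in tagged:
        print("ok      ", utc, line[:60])
    for utc, line in untagged:
        print("no-zone ", utc, line[:60])
```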
[c-nsp] 4500R+E input voltage
Hello,

Just wondering if anyone has switched from 110v to 220v on a 4500 chassis without shutting it off?

                                   Power     Fan      Inline
Supply   Model No           Type   Status    Sensor   Status
------   ----------------   -----  -------   ------   ------
PS1      PWR-C45-4200ACV    AC 4200W  good    good     good
PS1-1                       110V      good
PS1-2                       110V      good
PS2      PWR-C45-4200ACV    AC 4200W  good    good     good
PS2-1                       110V      good
PS2-2                       110V      good

Power supplies needed by system    : 1
Power supplies currently available : 2

Power Summary                      Maximum
 (in Watts)              Used      Available
 ----------------------  ----      ---------
 System Power (12V)       877           1360
 Inline Power (-50V)        0           1183
 Backplane Power (3.3V)    40             40
 ----------------------  ----      ---------
 Total                    917      (not to exceed Total Maximum Available = 2100)

Power Measurement        Inline Power (-50V)
 (in Watts)              (+/- 50Watts)
 ----------------------  -------------------
 PS1                     50
 PS2                     0
 ----------------------  -------------------
 Total                   50

Thanks,
Dan.
[c-nsp] asa, internal web filter
Hello,

We currently have our gateway / web filter routing set up in this manner:

lan --- 2921 --- asa(firewall) --- internet
          |
          -- web filter

So the traffic destined to the internet that is not supposed to be filtered goes right through the router to the asa. The traffic that is destined to be filtered gets policy routed to the web filter which then gets routed back to the 2921 and out to the asa. This is a bad design, I will admit that.

What I want to do is this:

lan --- 2921 --- asa(firewall) --- internet
          |          |
          --- web filter ---

With this change the traffic will not have to go back to the router and then back out to the asa. This will cut the traffic going through the router in half, which will result in lower cpu usage.

My question about changing this is as follows. The asa has a route to the lan networks that are getting filtered. Let's say they are 172.16.0.0/16. There is an eigrp relationship between the router and asa. If I use a route-map to policy route certain networks to the web filter connected in the new way, will the return traffic go back through the web filter or will it go back directly to the router? I don't have a spare ASA to test this with.

One other thing to note is the web filter is a proxy so the http and https traffic changes the source ip after it's passed through. The rest of the traffic is untouched.

Thanks,
Dan.
Re: [c-nsp] redistribute bgp subnet
Ok, found out that the subnet I was trying to use is not transferred over to our ISP so nothing I was trying was working. It's all good now.

On Thu, Aug 15, 2013 at 4:28 PM, Darren O'Connor wrote:
> You can run BGP with your customer. Set aside some of your address space
> for p2p customer links and the range you assign to the customer sits behind
> their router.
>
> Make your customers use private AS numbers and you ensure that those AS
> numbers are stripped outbound to your ISP. Of course you need to advertise
> an aggregate to your ISP.
>
> So something like this:
>
> /29 - [Customer Router] --BGP-- /30 [Your router] --BGP-- [Your ISP]
>
> Darren
> http://www.mellowd.co.uk/ccie
>
> > Date: Wed, 14 Aug 2013 21:25:48 -0500
> > From: danletke...@gmail.com
> > To: cisco-nsp@puck.nether.net
> > Subject: [c-nsp] redistribute bgp subnet
> >
> > Hello,
> >
> > Excuse my ignorance, as this is my first time working with BGP outside of a
> > lab.
> >
> > I am working on an ASR that is in use as a BGP peer to an ISP and also an
> > EIGRP neighbor to an internal network. I have set up this router for
> > NAT/PAT and all is working well for the internal private subnets. These
> > networks are routed to the main public subnet based on the source ip range.
> >
> > Now there is also a separate public IP subnet that is set aside for
> > customer use and is being advertised via BGP to the ISP. What I would like
> > to do is route that subnet through the ASR to the customer's site for use by
> > them.
> >
> > I'm sure this is very simple for most, but I'm not sure where to start.
> >
> > Thanks for now.
> > Dan.
[c-nsp] redistribute bgp subnet
Hello,

Excuse my ignorance, as this is my first time working with BGP outside of a lab.

I am working on an ASR that is in use as a BGP peer to an ISP and also an EIGRP neighbor to an internal network. I have set up this router for NAT/PAT and all is working well for the internal private subnets. These networks are routed to the main public subnet based on the source ip range.

Now there is also a separate public IP subnet that is set aside for customer use and is being advertised via BGP to the ISP. What I would like to do is route that subnet through the ASR to the customer's site for use by them.

I'm sure this is very simple for most, but I'm not sure where to start.

Thanks for now.
Dan.
Re: [c-nsp] vrf-lite routing
I think it makes more sense to do this based on the equipment they have.

http://packetlife.net/blog/2009/apr/30/intro-vrf-lite/

Get the performance of routing on the 3k switches but the segregation of VRF-lite if they want it.

Dan.

On Wed, Jul 17, 2013 at 7:45 PM, Dan Letkeman wrote:
> The current network is routed via EIGRP, but also has a lot of vlan's
> trunked everywhere...it's an STP nightmare with various ISP's providing
> service via fiber, and a host of wireless bridges, that are anywhere from
> 10-40 miles. My thought was to use tunnels and vrf-lite instead of
> trunking vlan's everywhere, but from what I am hearing, GRE tunnels are not
> going to perform. I have this working in a test network and it's working
> well. Other than I have not tried a performance test.
>
> They do want separation on some of the networks, but not all. I have done
> this in the past with access lists and vlan's but it's a pain. Is there any
> other way to segregate the traffic on a routed network?
>
> Ideally they should have a router at each location and not a switch.
>
> Dan.
>
> On Wed, Jul 17, 2013 at 1:28 AM, Mattias Gyllenvarg wrote:
>
>> Hi Dan
>>
>> Sounds like you're getting off on the wrong foot.
>>
>> The 3560 can't do much more than routing and switching. No GRE or MPLS so
>> you are pretty much stuck with trunking.
>>
>> VRFs will only be helpful with MPLS unless you want VRF-lite (that's VRF
>> that is local to one machine only). Then you still need the trunks and
>> vlans.
>> You can set up the VRFs to talk fairly easily, but why have the separation
>> if you want them to talk?
>>
>> Sounds like you should just replace the old machine with the new one.
>>
>> If you should do anything then set up the 3k boxes for dynamic routing so
>> that they simply route the traffic instead of switching it. Then you won't
>> have to add vlans for every new internet customer. But shaping may be
>> harder to do as you don't have the customer's interface in your core.
>>
>> //Mattias
>>
>> On Wed, Jul 17, 2013 at 4:12 AM, Dan Letkeman wrote:
>>
>>> Hello,
>>>
>>> Just wondering if anyone can direct me down the correct path. I have been
>>> asked by a friend to help replace an ISR2851 with a new ASR1001. The 2851
>>> currently does some route-maps for different networks and a few customers
>>> as well as some shaping. They want to use the ASR to peer with an ISP and
>>> I suggested to use tunnels and VRF's instead of trunking vlan's through
>>> their network to the customers, like they are doing now.
>>>
>>> The network currently consists of mostly 3k switches and either fiber or
>>> wireless trunks to about 45 different locations. The main goal is to
>>> provide internet to each of the 45 locations each having their own public
>>> ip/range.
>>>
>>> My thought was to create tunnels from the ASR to each of the locations
>>> (each have a 3560 switch) and then to create VRF's on each tunnel and
>>> assign a public IP to each VRF and then advertise those networks into the
>>> global BGP table.
>>>
>>> First time I have done anything like this...Any thoughts?
>>>
>>> Dan.
>>
>> --
>> *Kind regards*
>> *Mattias Gyllenvarg*
Re: [c-nsp] vrf-lite routing
The current network is routed via EIGRP, but also has a lot of vlan's trunked everywhere...it's an STP nightmare with various ISP's providing service via fiber, and a host of wireless bridges, that are anywhere from 10-40 miles. My thought was to use tunnels and vrf-lite instead of trunking vlan's everywhere, but from what I am hearing, GRE tunnels are not going to perform. I have this working in a test network and it's working well. Other than I have not tried a performance test.

They do want separation on some of the networks, but not all. I have done this in the past with access lists and vlan's but it's a pain. Is there any other way to segregate the traffic on a routed network?

Ideally they should have a router at each location and not a switch.

Dan.

On Wed, Jul 17, 2013 at 1:28 AM, Mattias Gyllenvarg wrote:
> Hi Dan
>
> Sounds like you're getting off on the wrong foot.
>
> The 3560 can't do much more than routing and switching. No GRE or MPLS so
> you are pretty much stuck with trunking.
>
> VRFs will only be helpful with MPLS unless you want VRF-lite (that's VRF
> that is local to one machine only). Then you still need the trunks and
> vlans.
> You can set up the VRFs to talk fairly easily, but why have the separation
> if you want them to talk?
>
> Sounds like you should just replace the old machine with the new one.
>
> If you should do anything then set up the 3k boxes for dynamic routing so
> that they simply route the traffic instead of switching it. Then you won't
> have to add vlans for every new internet customer. But shaping may be
> harder to do as you don't have the customer's interface in your core.
>
> //Mattias
>
> On Wed, Jul 17, 2013 at 4:12 AM, Dan Letkeman wrote:
>
>> Hello,
>>
>> Just wondering if anyone can direct me down the correct path. I have been
>> asked by a friend to help replace an ISR2851 with a new ASR1001. The 2851
>> currently does some route-maps for different networks and a few customers
>> as well as some shaping. They want to use the ASR to peer with an ISP and
>> I suggested to use tunnels and VRF's instead of trunking vlan's through
>> their network to the customers, like they are doing now.
>>
>> The network currently consists of mostly 3k switches and either fiber or
>> wireless trunks to about 45 different locations. The main goal is to
>> provide internet to each of the 45 locations each having their own public
>> ip/range.
>>
>> My thought was to create tunnels from the ASR to each of the locations
>> (each have a 3560 switch) and then to create VRF's on each tunnel and
>> assign a public IP to each VRF and then advertise those networks into the
>> global BGP table.
>>
>> First time I have done anything like this...Any thoughts?
>>
>> Dan.
>
> --
> *Kind regards*
> *Mattias Gyllenvarg*
[c-nsp] vrf-lite routing
Hello,

Just wondering if anyone can direct me down the correct path. I have been asked by a friend to help replace an ISR2851 with a new ASR1001. The 2851 currently does some route-maps for different networks and a few customers as well as some shaping. They want to use the ASR to peer with an ISP and I suggested to use tunnels and VRF's instead of trunking vlan's through their network to the customers, like they are doing now.

The network currently consists of mostly 3k switches and either fiber or wireless trunks to about 45 different locations. The main goal is to provide internet to each of the 45 locations each having their own public ip/range.

My thought was to create tunnels from the ASR to each of the locations (each have a 3560 switch) and then to create VRF's on each tunnel and assign a public IP to each VRF and then advertise those networks into the global BGP table.

First time I have done anything like this...Any thoughts?

Dan.
Re: [c-nsp] 2960 -> 4948 - no more drops :)
Same here. We went from 3560G's to 4948's and it was night and day. Zero output drops now and a noticeable performance improvement, as we were using these switches for iSCSI traffic. No qos tuning or disabling helped our situation on the 3560G's.

What type of traffic were you sending through the 2960G?

Dan.

On Sat, Feb 16, 2013 at 5:15 PM, CiscoNSP_list CiscoNSP_list <cisconsp_l...@hotmail.com> wrote:
> Hi Guys,
>
> We recently upgraded a 2960G (Only doing L2) that was hitting ~500Mb/sec on
> one port, and we were seeing 40,000+ output drops (5Min) - Since the swap
> to the 4948, we see zero output drops. Is the difference in performance
> purely buffer size? I *think* the 2960 has 1.9Mb (Per ASIC) and the 4948
> has 16Mb (total?)?
>
> Cheers.
Re: [c-nsp] redundant radius server config
Thanks, looks like the "radius-server timeout" option was what I was missing.

On Mon, Dec 10, 2012 at 9:38 AM, Alberto Cruz wrote:
> Hello Dan
>
> You need to adjust the following values:
>
> Router(config)# radius-server retransmit
> Specifies how many times the router transmits each RADIUS request to the
> server before giving up (the default is 3).
>
> Router(config)# radius-server timeout
> Specifies for how many seconds a router waits for a reply to a RADIUS
> request before retransmitting the request.
>
> Router(config)# radius-server deadtime
> Specifies for how many minutes a RADIUS server that is not responding to
> authentication requests is passed over by requests for RADIUS
> authentication.
>
> Alberto
>
> -----Original Message-----
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Dan Letkeman
> Sent: December-09-12 9:38 PM
> To: cisco-nsp
> Subject: [c-nsp] redundant radius server config
>
> Hello,
>
> Having some trouble with my redundant radius server config. I have
> configured the switch to use two different radius servers in a group.
>
> When I shut down one of the radius servers the switch still requests a
> connection to the down server, then times out and tries the secondary
> server, but the last message I see is "access-challenge" on the radius
> servers and it stalls there. The only way I can get it to work again is
> wait a long time or a shut, no shut on the port. So it seems as if the
> redundancy is working but not all of the messages are getting through when
> it fails over to the redundant server.
>
> I'm also seeing these messages when I shut off the radius server. Don't
> think I should be seeing the alive message when it's off.
>
> Dec 10 01:38:08.246: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.11.200.10:1812,1813 is not responding.
> Dec 10 01:39:08.250: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.11.200.10:1812,1813 is being marked alive.
>
> 3560G 15.0(1)SE3
>
> Relevant config:
>
> aaa group server radius gvsd_radius
>  server name radius1
>  server name radius2
> !
> aaa authentication dot1x default group gvsd_radius
> aaa authorization network default group gvsd_radius
> aaa accounting dot1x network start-stop group gvsd_radius
> !
> dot1x system-auth-control
> !
> interface GigabitEthernet0/16
>  switchport access vlan 1125
>  switchport mode access
>  authentication port-control auto
>  authentication periodic
>  dot1x pae authenticator
>  spanning-tree portfast
> !
> radius-server retransmit 5
> radius-server deadtime 1
> !
> radius server radius2
>  address ipv4 10.11.200.11 auth-port 1812 acct-port 1813
>  key cisco
> !
> radius server radius1
>  address ipv4 10.11.200.10 auth-port 1812 acct-port 1813
>  key cisco
> !
>
> Here is an example. I had 10.11.200.10 (radius1) running, authenticated
> successfully then shut it off. With 10.11.200.11 (radius2) the only one
> running I did a shut, no shut on G0/16.
>
> logs:
>
> Dec 10 02:32:15.151: RADIUS/ENCODE(04F2):Orig. component type = Dot1X
> Dec 10 02:32:15.151: RADIUS(04F2): Config NAS IP: 0.0.0.0
> Dec 10 02:32:15.151: RADIUS(04F2): Config NAS IPv6: ::
> Dec 10 02:32:15.151: RADIUS/ENCODE: Best Local IP-Address 10.11.200.73 for Radius-Server 10.11.200.10
> Dec 10 02:32:15.151: RADIUS(04F2): Sending a IPv4 Radius Packet
> Dec 10 02:32:15.151: RADIUS(04F2): Started 5 sec timeout
> 802.1x(config-if)#
> Dec 10 02:32:17.106: %LINK-3-UPDOWN: Interface GigabitEthernet0/16, changed state to up
> 802.1x(config-if)#
> Dec 10 02:32:19.815: RADIUS(04F2): Request timed out
> Dec 10 02:32:19.815: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
> Dec 10 02:32:19.815: RADIUS(04F2): Started 5 sec timeout
> 802.1x(config-if)#
> Dec 10 02:32:24.580: RADIUS(04F2): Request timed out
> Dec 10 02:32:24.580: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
> Dec 10 02:32:24.580: RADIUS(04F2): Started 5 sec timeout
> 802.1x(config-if)#
> Dec 10 02:32:29.353: RADIUS(04F2): Request timed out
> Dec 10 02:32:29.353: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
> Dec 10 02:32:29.353: RADIUS(04F2): Started 5 sec timeout
> 802.1x(config-if)#
> Dec 10 02:32:33.145: RADIUS/ENCODE(04F2):Orig. component type = Dot1X
> Dec 10 02:32:33.145: RADIUS(04F2): Config NAS IP: 0.0.0.0
> Dec 10 02:32:33.145: RADIUS(04F2): Config NAS IPv6: ::
> Dec 10 02:32:33.145: RADIUS/ENCODE: Best Local IP-Address 10.11.200.73 for Radius-Server 10.11.200.10
> Dec 10 02:32:33.145: RADIUS(04F2): Sending a IPv4 Radius Packet
> Dec 10
[c-nsp] redundant radius server config
Hello,

Having some trouble with my redundant radius server config. I have configured the switch to use two different radius servers in a group.

When I shut down one of the radius servers the switch still requests a connection to the down server, then times out and tries the secondary server, but the last message I see is "access-challenge" on the radius servers and it stalls there. The only way I can get it to work again is wait a long time or a shut, no shut on the port. So it seems as if the redundancy is working but not all of the messages are getting through when it fails over to the redundant server.

I'm also seeing these messages when I shut off the radius server. Don't think I should be seeing the alive message when it's off.

Dec 10 01:38:08.246: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.11.200.10:1812,1813 is not responding.
Dec 10 01:39:08.250: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.11.200.10:1812,1813 is being marked alive.

3560G 15.0(1)SE3

Relevant config:

aaa group server radius gvsd_radius
 server name radius1
 server name radius2
!
aaa authentication dot1x default group gvsd_radius
aaa authorization network default group gvsd_radius
aaa accounting dot1x network start-stop group gvsd_radius
!
dot1x system-auth-control
!
interface GigabitEthernet0/16
 switchport access vlan 1125
 switchport mode access
 authentication port-control auto
 authentication periodic
 dot1x pae authenticator
 spanning-tree portfast
!
radius-server retransmit 5
radius-server deadtime 1
!
radius server radius2
 address ipv4 10.11.200.11 auth-port 1812 acct-port 1813
 key cisco
!
radius server radius1
 address ipv4 10.11.200.10 auth-port 1812 acct-port 1813
 key cisco
!

Here is an example. I had 10.11.200.10 (radius1) running, authenticated successfully then shut it off. With 10.11.200.11 (radius2) the only one running I did a shut, no shut on G0/16.

logs:

Dec 10 02:32:15.151: RADIUS/ENCODE(04F2):Orig. component type = Dot1X
Dec 10 02:32:15.151: RADIUS(04F2): Config NAS IP: 0.0.0.0
Dec 10 02:32:15.151: RADIUS(04F2): Config NAS IPv6: ::
Dec 10 02:32:15.151: RADIUS/ENCODE: Best Local IP-Address 10.11.200.73 for Radius-Server 10.11.200.10
Dec 10 02:32:15.151: RADIUS(04F2): Sending a IPv4 Radius Packet
Dec 10 02:32:15.151: RADIUS(04F2): Started 5 sec timeout
802.1x(config-if)#
Dec 10 02:32:17.106: %LINK-3-UPDOWN: Interface GigabitEthernet0/16, changed state to up
802.1x(config-if)#
Dec 10 02:32:19.815: RADIUS(04F2): Request timed out
Dec 10 02:32:19.815: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
Dec 10 02:32:19.815: RADIUS(04F2): Started 5 sec timeout
802.1x(config-if)#
Dec 10 02:32:24.580: RADIUS(04F2): Request timed out
Dec 10 02:32:24.580: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
Dec 10 02:32:24.580: RADIUS(04F2): Started 5 sec timeout
802.1x(config-if)#
Dec 10 02:32:29.353: RADIUS(04F2): Request timed out
Dec 10 02:32:29.353: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
Dec 10 02:32:29.353: RADIUS(04F2): Started 5 sec timeout
802.1x(config-if)#
Dec 10 02:32:33.145: RADIUS/ENCODE(04F2):Orig. component type = Dot1X
Dec 10 02:32:33.145: RADIUS(04F2): Config NAS IP: 0.0.0.0
Dec 10 02:32:33.145: RADIUS(04F2): Config NAS IPv6: ::
Dec 10 02:32:33.145: RADIUS/ENCODE: Best Local IP-Address 10.11.200.73 for Radius-Server 10.11.200.10
Dec 10 02:32:33.145: RADIUS(04F2): Sending a IPv4 Radius Packet
Dec 10 02:32:33.145: RADIUS(04F2): Started 5 sec timeout
802.1x(config-if)#
Dec 10 02:32:34.319: RADIUS(04F2): Request timed out
Dec 10 02:32:34.319: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
Dec 10 02:32:34.319: RADIUS(04F2): Started 5 sec timeout
802.1x(config-if)#
Dec 10 02:32:38.119: RADIUS(04F2): Request timed out
Dec 10 02:32:38.119: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/185
Dec 10 02:32:38.119: RADIUS(04F2): Started 5 sec timeout
Dec 10 02:32:38.656: RADIUS(04F2): Request timed out
Dec 10 02:32:38.656: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
Dec 10 02:32:38.656: RADIUS(04F2): Started 5 sec timeout
802.1x(config-if)#
Dec 10 02:32:42.758: RADIUS(04F2): Request timed out
Dec 10 02:32:42.767: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/185
Dec 10 02:32:42.767: RADIUS(04F2): Started 5 sec timeout
Dec 10 02:32:43.471: RADIUS(04F2): Request timed out
Dec 10 02:32:43.471: RADIUS: Fail-over to (10.11.200.11:1812,1813) for id 1645/184
Dec 10 02:32:43.471: RADIUS: authenticator 77 4E 8B 50 10 D5 86 A4 - 78 32 47 FE 83 B0 1E BE
Dec 10 02:32:43.471: RADIUS: User-Name [1] 23 "host/u...@example.com"
Dec 10 02:32:43.471: RADIUS: Service-Type [6] 6 Framed [2]
Dec 10 02:32:43.471: RADIUS: Framed-MTU [12] 6 1500
Dec 10 02:32:43.471: RADIUS: Called-Station-Id [30] 19 "9C-AF-CA-F4-40-10"
Dec 10 02:32:43.471: RADIUS: Calling-Station-Id [31
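The three knobs Alberto lists determine how long an 802.1X port hangs on a dead server before IOS fails over, and the debug above lets you measure what actually happened. As an added example that is not part of this thread, the Python below derives the worst-case delay from the `radius-server` lines in a config and measures the observed delay from debug lines in the format Dan posted. The sample config and debug excerpt are constructed from the thread (timestamps copied from the post, unrelated lines dropped); the IOS defaults assumed when a knob is absent are retransmit 3, timeout 5 s and deadtime 0 min, of which only the retransmit default is stated in the thread.

```python
import re
from datetime import datetime

# Assumed IOS defaults used when the config does not set a knob.
DEFAULTS = {"retransmit": 3, "timeout": 5, "deadtime": 0}


def parse_radius_timers(config: str) -> dict:
    """Pull 'radius-server retransmit|timeout|deadtime N' out of an IOS config."""
    timers = dict(DEFAULTS)
    for m in re.finditer(r"^\s*radius-server (retransmit|timeout|deadtime) (\d+)", config, re.M):
        timers[m.group(1)] = int(m.group(2))
    return timers


def worst_case_failover_seconds(timers: dict) -> int:
    """Seconds one request waits on a dead server: the initial send plus every
    retransmit, each waiting 'timeout' seconds, before IOS fails over."""
    return (timers["retransmit"] + 1) * timers["timeout"]


def dead_window_seconds(timers: dict) -> int:
    """How long a server marked dead is skipped before IOS probes it again
    (the RADIUS_DEAD / RADIUS_ALIVE pair in the post is one minute apart)."""
    return timers["deadtime"] * 60


TS = "%b %d %H:%M:%S.%f"
SEND_RE = re.compile(r"^(\w{3} +\d+ [\d:.]+): RADIUS\((\w+)\): Sending a IPv4 Radius Packet")
RETX_RE = re.compile(r"^(\w{3} +\d+ [\d:.]+): RADIUS: Retransmit to \(([\d.:,]+)\) for id (\S+)")
FAIL_RE = re.compile(r"^(\w{3} +\d+ [\d:.]+): RADIUS: Fail-over to \(([\d.:,]+)\) for id (\S+)")


def measure_failover(debug_lines):
    """Return {request_id: (retransmit_count, seconds_from_first_send_to_failover)}.

    'Sending' lines carry the handle (04F2 in the post) but not the id, so the
    first send is keyed by handle and paired with the ids that follow on it."""
    first_send = {}          # handle -> datetime of its first send
    current_handle = None
    retx = {}                # id -> retransmit count
    result = {}
    for line in debug_lines:
        if (m := SEND_RE.match(line)):
            current_handle = m.group(2)
            first_send.setdefault(current_handle, datetime.strptime(m.group(1), TS))
        elif (m := RETX_RE.match(line)):
            retx[m.group(3)] = retx.get(m.group(3), 0) + 1
        elif (m := FAIL_RE.match(line)):
            t = datetime.strptime(m.group(1), TS)
            start = first_send.get(current_handle)
            delay = (t - start).total_seconds() if start else None
            result[m.group(3)] = (retx.get(m.group(3), 0), delay)
    return result


# Constructed sample config, reduced to the knobs from the post.
SAMPLE_CONFIG = """\
radius-server retransmit 5
radius-server deadtime 1
"""

# Constructed debug excerpt modelled on the post: only the lines the parser needs.
SAMPLE_DEBUG = """\
Dec 10 02:32:15.151: RADIUS(04F2): Sending a IPv4 Radius Packet
Dec 10 02:32:19.815: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
Dec 10 02:32:24.580: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
Dec 10 02:32:29.353: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
Dec 10 02:32:34.319: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
Dec 10 02:32:38.656: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
Dec 10 02:32:43.471: RADIUS: Fail-over to (10.11.200.11:1812,1813) for id 1645/184
""".splitlines()

if __name__ == "__main__":
    timers = parse_radius_timers(SAMPLE_CONFIG)
    print("timers:", timers)
    print("expected wait per dead server:", worst_case_failover_seconds(timers), "s")
    print("dead server skipped for:", dead_window_seconds(timers), "s")
    for rid, (n, delay) in measure_failover(SAMPLE_DEBUG).items():
        print(f"id {rid}: {n} retransmits, fail-over after {delay:.3f} s")
```

With retransmit 5 and the default 5 s timeout the expected wait is 30 s per dead server, and the debug shows 5 retransmits and fail-over 28.3 s after the first send; that window, not the fail-over itself, is what stalls the supplicant, which is why lowering `radius-server timeout` was the missing piece.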
[c-nsp] Config management
Hello,

Curious as to what everyone is using for config management for switches. I have a few hundred 2960's and 3560's to manage on a regular basis, and I would like to have something that can make mass config changes. Not really looking for anything to monitor them as I have that part covered. Just the ability to mass add to acl's or upload config changes to keep everything consistent.

Thanks,
Dan.
[c-nsp] Rogue NAT gateways
Wondering if anyone has any tricks for disabling the use of any NAT gateways? I know the best way is to remove it physically, but in the case of guest access and mobile devices it's sometimes difficult to do so. Now that many devices can act as a hotspot, some of these devices are becoming difficult to find. I have looked into ACL's with ttl requirements, but I could not seem to get it to work like I wanted.
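The TTL idea in the post works as a detection on the collector side as well as in an ACL: a host directly attached to its gateway arrives with its OS default TTL, while a client sitting behind a phone hotspot or other NAT box arrives with that value decremented once. As an added example that is not from this thread, the Python below classifies per-source TTLs from flow or capture records and flags two independent signs of a rogue NAT: TTLs one below an OS default, and several different OS defaults from one address. The OS default set, the sample records and the threshold are constructed assumptions, and the result is a lead to correlate with DHCP and MAC data, not proof.

```python
from collections import defaultdict

# Initial TTLs common client stacks set (assumed: Linux/Android/iOS/macOS 64,
# Windows 128, some embedded stacks 255).
OS_DEFAULT_TTLS = (64, 128, 255)


def classify_ttl(ttl, hops_expected=0):
    """Classify a TTL seen at the sensor for a directly attached segment.

    hops_expected is how many routers legitimately sit between the host and
    the sensor (0 when the sensor is the access-segment gateway itself)."""
    for base in OS_DEFAULT_TTLS:
        if ttl == base - hops_expected:
            return "direct"
        if ttl == base - hops_expected - 1:
            return "one_extra_hop"   # consistent with a NAT/hotspot in front of the host
    return "unknown"


def find_rogue_nat_candidates(flows, hops_expected=0, min_packets=3):
    """flows: iterable of (src_ip, ttl). Returns {src_ip: reason}.

    Signal 1: any TTL one below an OS default (an extra forwarding hop).
    Signal 2: two or more distinct OS defaults behind one source address
    (several operating systems sharing one translated address)."""
    by_ip = defaultdict(list)
    for src, ttl in flows:
        by_ip[src].append(ttl)
    suspects = {}
    for src, ttls in by_ip.items():
        if len(ttls) < min_packets:
            continue                      # too little evidence to judge
        classes = [classify_ttl(t, hops_expected) for t in ttls]
        bases = {t + hops_expected for t, c in zip(ttls, classes) if c == "direct"}
        if "one_extra_hop" in classes:
            suspects[src] = "ttl one below an OS default"
        elif len(bases) > 1:
            suspects[src] = "mixed OS fingerprints behind one source"
    return suspects


# Constructed sample records (src_ip, ttl) as a gateway-side sensor would see them.
SAMPLE_FLOWS = [
    ("10.20.1.15", 128), ("10.20.1.15", 128), ("10.20.1.15", 128),  # Windows laptop, direct
    ("10.20.1.40", 63), ("10.20.1.40", 63), ("10.20.1.40", 127),     # clients one hop behind a hotspot
    ("10.20.1.77", 64), ("10.20.1.77", 128), ("10.20.1.77", 64),     # two OS defaults, one address
    ("10.20.1.90", 64), ("10.20.1.90", 64),                          # too few packets to judge
]

if __name__ == "__main__":
    for src, reason in find_rogue_nat_candidates(SAMPLE_FLOWS).items():
        print(f"{src}: {reason}")
```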
Re: [c-nsp] Replace 3750 with 3600x
Thanks Reuben, excellent post.

Dan.

On Sat, Jul 7, 2012 at 2:21 AM, Reuben Farrelly wrote:
> On 7/07/2012 11:45 AM, Dan Letkeman wrote:
>>
>> Hello,
>>
>> Looking at replacing a 3750G-12S-12 with an ME-3600X-24FS-M. I have
>> never used or seen a 3600x, and I was wondering for the basic switch
>> services does it have the same command line options. Just doing dot1q
>> trunking, maybe some qos marking, rstp, eigrp, etherchannel, and some
>> simple ipv4 acls.
>>
>> Thanks to anyone who can comment.
>
> Yes, generally speaking the same command line options apply. It's still
> 15.S IOS code in both.
>
> However note that the hardware between the 3750G and 3600X is totally and
> completely different though (the ME3600X hardware is much much better). The
> software follows different trains too but like most IOS it still has more or
> less the same command line options.
>
> Notable points/things that you may run into:
>
> - No VTP (although I'd never use VTP in an SP environment anyway so that's
> not a bad thing)
>
> - VLAN interfaces and trunk ports can be configured the same as a normal
> enterprise switch if you want to, however you will gain a lot of very cool
> flexibility by configuring your trunks/customer facing ports using EVC's
> instead. So take the plunge and set things up the EVC way where possible
> from day dot, as it'll allow you to take advantage of many of the metro
> ethernet edge features that this platform has to offer that you don't get on
> a switch like the 3750G. Plus it'll give you per-service-instance counters.
> The VLAN interface counters on this platform don't populate with the total
> traffic flow (same as the 3750G), but the service instances /do/ have
> counters which allow per-vlan and in turn per-EVC graphs to be generated.
> QoS and ACLs can be applied on EVCs as well.
>
> - From memory the units do not ship with any power supplies. Check before
> you place the order :-)
>
> But otherwise, everything you've listed is easily do-able and shouldn't
> present any problems, and you should be able to copy and paste config across
> between the two units with few surprises.
>
> Having run these switches for over a year now in production, I really like
> them and I wouldn't want to ever go back to making do with 3750s in my
> network core or edge.
>
> Reuben
[c-nsp] Replace 3750 with 3600x
Hello,

Looking at replacing a 3750G-12S-12 with an ME-3600X-24FS-M. I have never used or seen a 3600x, and I was wondering for the basic switch services does it have the same command line options. Just doing dot1q trunking, maybe some qos marking, rstp, eigrp, etherchannel, and some simple ipv4 acls.

Thanks to anyone who can comment.

Dan.
Re: [c-nsp] Small DC switch design
This switch will never need to hold a bgp table. I do however want to do PBR, and I am finding mixed messages on if it works or not. And if it does work will it work in my situation or will it switch in software and have poor performance?

The idea of using it as an aggregation switch would mean that it would have to do PBR at line speed which it probably won't do. I don't know if there is a better way to do what I am trying to accomplish but my scenario is like this:

traffic -->--- me3600x --- router a --- firewall
                  |
                  --- router b --- firewall

All I want to do is PBR some traffic to router b. The link speed will be either 1gbps fiber or 2gbps etherchannel, and if I apply a route-map on an interface at that speed will it choke? If so what other option do I have?

Thanks,
Dan.

On Wed, May 16, 2012 at 2:31 AM, Mark Tinka wrote:
> On Wednesday, May 16, 2012 05:14:54 AM Dan Letkeman wrote:
>
>> Most high bandwidth traffic is to and from the servers
>> and sans, and would stay within the 4500-E, second to
>> that would be the traffic from all of the users from all
>> the buildings to and from the servers, and then all of
>> the internet traffic. Some of the things I would like
>> to do with the me3600x is PBR, possibly some shaping or
>> policing, eigrp routing, and some access lists. Netflow
>> would be nice, but it doesn't seem like it supports it.
>
> Be mindful that while the ME3600X is, for all intents and
> purposes, a switch which is also a decent router, much of
> that functionality is not yet available in the software,
> even though the hardware supports it.
>
> And when the features do come, it's uncertain how they'll
> perform in the wild, given the box is still relatively new.
>
> Also remember that if you ever want to hold a full BGP IPv4
> table, the ME3600X/3800X can't do it.
>
> Mark.
Re: [c-nsp] Small DC switch design
Jason, Thank you for the response. I have a few more questions and maybe some clarification if you could. On Tue, May 15, 2012 at 10:58 AM, Jason Gurtz wrote: > Your size sounds fairly close to our situation... Do you have a spare > fiber pair going to each location? > >> Right now in each of the 7 buildings has a 3560G as an aggregation >> switch connected back to the DC. The DC also has a few 3560G's and >> 3750G's for the sans and servers. > [...] >> What I would like to know (costs being the biggest factor) is what >> would be a better switch design for the current and future traffic in >> this network. Some options I was thinking about are as follows: > > Without more details I'm guessing here. Like many smaller shops I've been > around the thing has grown from a long time ago and there may be a > primarily flat L2 design in place, maybe there are some vlans. Maybe there > is some (or a lot of) daisy chaining of switches; maybe the spanning-tree > configuration hasn't gotten a lot of thought. OTOH, hopefully you're in a > better spot than this? Yes things have been around a while and have seen alot of growth. Still have many closets with original cat5 cable. I have however been eliminating the small closets with one or two switches and consolidating them in most buildings, removing the daisy chains. I have also added many vlans, as all of our access switches are 2960's. Distribution switches are 3560's running eigrp. I have also added etherchannel links between distribution closets, and I have added redundant uplinks to form a ring in most of the larger buildings. I did a spanning tree project two years ago including RSTP and verifying vlan priorites, so this part has been working well, and it makes for a much easier time when doing upgrades and maintenance. Most buildings have 2-4 access vlans, voice vlans, wireless vlans, etc. 
As far as the fiber connections, each building that is connected to the DC has at least two pairs back to the DC, and then another pair is spliced so that it connects to the next closest building, forming a ring. Each building has at least two paths back to the DC, and a 3560G or two as an aggregation switch which connects to the DC and to the next closest building in case of SFP or switch failure. I'm sure there is more I can do, but I am in an ok spot as of right now.

> In the Cisco world I think you're right on the money with Cat45xx; the
> 49xx series are related... Skim over this document and see if the general
> idea makes sense. You have L3 capable switches everywhere so it's a no
> brainer in a way:
> https://www.cisco.com/application/pdf/en/us/guest/netsol/ns432/c649/ccmigration_09186a00805fccbf.pdf
>
> We used this as a model, a pair of 4900M switches as the core and a few
> 4507-E w/SUP-6E as our access switches running OSPF; it is collapsed-core
> w/10G links fanning out (no separate distribution layer). As a whole we
> are very happy with the system. The nice thing about routing everything is
> it fails in more pleasant ways than the typical spanning-tree disaster.

So just to clarify my design idea. I was thinking to use an ME3600X, with an IP Services license for routing, as my core/aggregation switch for all of the fiber coming into the DC. The ME3600X would also have the internet routers and firewalls connected to it, then have a 10G uplink to the 4500-E which would host the servers and SANs. In the future I would look at adding another 4500-E and possibly another ME3600X, but for now it would just be one of each.

Crude drawing:

                        routers, firewalls
                                |
building a --1gig fiber--- ME3600X (Layer 3) --10g fiber--- 4500-E --- servers and sans
                                |
building b --1gig fiber---------|
                                |
building c --2gig fiber---------

Most high bandwidth traffic is to and from the servers and SANs, and would stay within the 4500-E; second to that would be the traffic from all of the users from all the buildings to and from the servers, and then all of the internet traffic. Some of the things I would like to do with the ME3600X are PBR, possibly some shaping or policing, EIGRP routing, and some access lists. NetFlow would be nice, but it doesn't seem like it supports it. Do you know what the buffer size is on an ME3600X? What about on a 4500-E with a SUP6L-E? Do you know if an ME3600X has support for EIGRP without an extra license?

> The 45xx line has seen a major upgrade. You probably want a "+E" chassis
> instead of "-E". Also, the SUP-7E is out and it has netflow amongst other
> upgrades. There is an SUP-7L-E as well for a cheaper option. Check with
> your rep about bundles as it's definitely money saving. For the core, look
> at the 4900M or the newer 4500-X; these t
[c-nsp] Small DC switch design
Hello,

I'm working on options for a small DC switch design. This DC has 5 virtual hosts with 10-20 guest VMs each. Each server has two quad-port gig NICs with 6 of the 8 gig ports connected (3 for iSCSI and 3 for data or management). It also has two 3-node SANs, each with 2 gig ports per node, a host of other small servers including voice servers, management servers, an ASA firewall, and a few routers. Total of 50-60 ports as of right now.

Connected to the DC are 7 other buildings, each with their own 1 gig fiber connection, serving about 3000 devices in total including desktops, laptops, IP phones, wireless APs, building automation, alarm panels, etc.

Right now each of the 7 buildings has a 3560G as an aggregation switch connected back to the DC. The DC also has a few 3560G's and 3750G's for the SANs and servers.

The system seems to work ok for the most part, aside from micro bursts overwhelming the buffers on these switches and the EtherChannel trunks between them dropping a minor amount of packets. QoS is configured for the voice network and there are little to no complaints.

What I would like to know (costs being the biggest factor) is what would be a better switch design for the current and future traffic in this network. Some options I was thinking about are as follows:

I would need at least 96 ports.

Option A is to go with a 4506-E bundle with two 48 port line cards, a SUP 6L-E and a WS-X4712-SFP+E or something of the sort, and then upgrade to the Enterprise Services license and do all of the routing and switching for the DC on this one switch. Means little redundancy and no failover.

Option B was to go with the same 4506-E bundle, without the extra license and without the SFP line card, and put in some sort of layer three aggregation switch with SFP slots and a layer three license.

Option C is to go with the 4503-E, the SFP line card and the IP Enterprise Services license, and two top of rack switches, either 2360's or 4948's.
I have no experience in this matter so any other thoughts or suggestions would be appreciated.

Thanks,
Dan.
[c-nsp] ASA NAT/PAT rpf-check
Hello,

Having some trouble with an rpf-check on an ASA when doing PAT to an internal web server.

I have static NAT working:

object network laptop
 host 192.168.75.208
object network internet-75
 host 100.1.1.75
nat (inside,outside) after-auto source dynamic laptop internet-75

No problems here, the client device gets out to the internet using the correct IP address. Now when I do this:

object network laptop-pat
 host 192.168.75.208
object network laptop-pat
 nat (inside,outside) static internet-75 service tcp www 81

it adds this entry above the static NAT entry and everything appears to look correct. The problem is when I do a packet-trace it shows this:

fw# packet-tracer input outside tcp 222.222.222.222 1080 192.168.75.208 81

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit object http-81 any object laptop-pat

Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside,outside) after-auto source dynamic laptop internet-75

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

For some reason it is not picking up the auto-NAT entry for the secondary object I created with the same host name (laptop-pat). Any ideas why the firewall is always stopping at phase 8 with the rpf-check error? If so, what do I need to do to fix this? Is there an easier or "right" way to do PAT on this device?

Thanks,
Dan.

5520 - version 8.4
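Added here as an example (not code from the post and not Cisco's implementation), the following Python is a reduced model of how an ASA 8.3+ orders its NAT table (manual rules, then object NAT, then after-auto manual rules) and of what the packet-tracer "rpf-check" phase verifies for a new inbound connection: after UN-NAT, would the inside host's reply be translated back to exactly the address and port the outside host sent to? The two rules, the addresses and the ports are the ones from the post; the single-host-only rule semantics and the trace helper are simplifying assumptions. In the model, a test addressed to the real address 192.168.75.208 is checked in reverse against the after-auto dynamic rule (the rule packet-tracer quoted at phase 8) and fails, while the same test addressed to the mapped address 100.1.1.75 port 81 matches the object NAT rule in both directions.

```python
# Added example: simplified model of ASA 8.3+ NAT table order and the
# packet-tracer rpf-check phase.  Rules, addresses and ports are from the
# post; everything else is a reduced model, not Cisco code.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NatRule:
    name: str
    section: int                     # 1 manual, 2 auto/object NAT, 3 manual after-auto
    real_ip: str                     # inside (real) address
    mapped_ip: str                   # outside (mapped) address
    static: bool                     # static rules match in both directions
    real_port: Optional[int] = None  # port translation, static rules only
    mapped_port: Optional[int] = None


def nat_table(rules: List[NatRule]) -> List[NatRule]:
    """Evaluation order: section 1, then 2, then 3; inside section 2 the ASA
    places static object rules ahead of dynamic ones.  sorted() is stable,
    so rules with equal keys keep their configuration order."""
    return sorted(rules, key=lambda r: (r.section, 0 if r.static else 1))


def untranslate(table, dst_ip, dst_port) -> Tuple[Optional[NatRule], str, int]:
    """UN-NAT for a packet arriving on outside: first rule whose mapped side
    matches the destination.  A dynamic (PAT) rule never admits a new inbound
    connection, so only static rules are candidates."""
    for r in table:
        if not r.static or r.mapped_ip != dst_ip:
            continue
        if r.mapped_port is not None and r.mapped_port != dst_port:
            continue
        return r, r.real_ip, (r.real_port if r.real_port is not None else dst_port)
    return None, dst_ip, dst_port    # nothing matched: destination left as-is


def translate(table, src_ip, src_port) -> Tuple[Optional[NatRule], str, int]:
    """Forward NAT for a packet leaving inside: first rule whose real side
    matches the source.  (A real PAT rule would also pick a new source port;
    the address is what matters for the check below.)"""
    for r in table:
        if r.real_ip != src_ip:
            continue
        if r.real_port is not None and r.real_port != src_port:
            continue
        return r, r.mapped_ip, (r.mapped_port if r.mapped_port is not None else src_port)
    return None, src_ip, src_port


def rpf_check(table, dst_ip, dst_port):
    """Model of the NAT rpf-check phase: after UN-NAT, find the rule that
    would translate the inside host's reply and require that it yields
    exactly the destination the outside host used.
    Returns (passes, rule_used_for_the_reverse_lookup)."""
    _, real_ip, real_port = untranslate(table, dst_ip, dst_port)
    rule, back_ip, back_port = translate(table, real_ip, real_port)
    return (back_ip, back_port) == (dst_ip, dst_port), rule


# The two rules from the post.
POST_RULES = [
    # object network laptop-pat / nat (inside,outside) static internet-75 service tcp www 81
    NatRule("laptop-pat (object NAT)", 2, "192.168.75.208", "100.1.1.75",
            static=True, real_port=80, mapped_port=81),
    # nat (inside,outside) after-auto source dynamic laptop internet-75
    NatRule("laptop (after-auto dynamic)", 3, "192.168.75.208", "100.1.1.75",
            static=False),
]
TABLE = nat_table(POST_RULES)


def trace(dst_ip: str, dst_port: int) -> dict:
    """packet-tracer-like summary for 'input outside tcp <any> <any> dst_ip dst_port'
    (assumed helper, not an ASA command)."""
    ok, rule = rpf_check(TABLE, dst_ip, dst_port)
    return {"dst": f"{dst_ip}:{dst_port}", "result": "ALLOW" if ok else "DROP",
            "phase_rpf_rule": rule.name if rule else None}


if __name__ == "__main__":
    print(trace("192.168.75.208", 81))   # the test as typed in the post
    print(trace("100.1.1.75", 81))       # the same test against the mapped address
```

The model keeps only what the check needs: a static rule is consulted in both directions, a dynamic rule only when translating outbound, and ordering is by section first. Real ASA object NAT also orders within a section by prefix length and object name, which does not matter for two single-host rules.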
Re: [c-nsp] shaping outbound
Excellent info Anton. This has helped immensely. I have tested the configuration example that you have shown me and it seems to work very well. I added a class in the shape-down policy-map for http and shaped it to 2M just for testing.

policy-map shape-down
 class http
  shape average 2000000 256000 128000
  queue-limit 32768 packets
 class class-default
  shape average 40000000
  service-policy qos-down

It works, but I had to add the queue-limit 32768 packets (I know this is a large number), as the default is 64 packets. If I left it at 64 packets I would see many drops in my test environment, which makes sense as I am hammering a 2M http policy. I just needed to see this to make sense of it all.

From my understanding, when the traffic load is too much for the allotted bandwidth the queue would need to be increased or the bandwidth needs to be increased?

If I wanted to shape a website, for example youtube.com, would it be best to mark it on the incoming interface with a DSCP marking and then shape that DSCP marking on the output interface? I tried this, but with no success; I was only able to drop the traffic, and not shape it.

Now my next stumbling block is how to shape my sub-interfaces for my guest networks on the router. It seems as if you are not allowed to add shaping even with a child/parent policy-map.

Dan.

On Sun, Dec 25, 2011 at 2:46 PM, Anton Kapela wrote:
> Dan,
>
> On Sat, Dec 24, 2011 at 2:49 PM, Dan Letkeman wrote:
>
>> I'm confused as to when and where it is possible to shape traffic. I
>> have a 50Mbps internet connection from our ISP and I would like to
>> shape some of the download traffic using our 2821. Here is what I
>> have setup:
>>
>> lan users - g0/0 - 2821 - g0/1 --internet
>>
>> Currently I have no way of limiting someone from using up the entire
>> pipe. My thought was to add a policy-map in the outbound direction on
>
> [..]
>
>> Any idea on how to go about this? Or Am I stuck with buying a
>> ridiculously expensive packet shaper or something of the sorts?
>
> You can, in fact, shape, queue, and control bits arriving at your
> doorstep if you're willing to give up a bit of the internet pipes'
> peak downstream bitrate. In general, if you were to, say, queue
> packets towards your users (lan side), at less than the configured ISP
> rate, you'd effectively congest within the router (which you control).
> This could be useful.
>
> A rule of thumb I've kept in mind is to shape at ~80% of the overall
> CIR from your ISP. Then, apply queueing to taste. A fairly useful &
> straight-forward approach might look like the following:
>
> policy-map qos-down
>  class class-default
>   fair-queue
>   queue-limit 2048 packets
>
> policy-map shape-down
>  class class-default
>   shape average 40000000 160000
>   service-policy qos-down
>
> Then, apply to lan facing port:
>
> interface GigabitEthernet0/0
>  service-policy output shape-down
>
> Same for upstream, though, you can typically get away shaping within
> 95% of the configured CIR bitrate. Say you had 5 mbits/sec upstream.
> You'd then want something like:
>
> policy-map qos-up
>  class class-default
>   fair-queue
>   queue-limit 512 packets
>
> policy-map shape-up
>  class class-default
>   shape average 4750000 19000
>   service-policy qos-up
>
> ..then applied in the output direction of Gi 0/1, per your config setup.
>
> Fair-queue alone will ensure per-flow fairness is provided by the
> router in the Tx direction for any packets buffered in the shaped
> class-default. This could be 'bad' if you're concerned that or faced
> with many-flow apps (torrents, etc) out-competing single- or few-flow
> apps (shoutcast, iptv, netflix, etc). If that's the case, then
> adjustment and specific queueing must be created to single-out the
> jerks and/or reserve bits for known-friendly-er apps. If you're not
> seeing/concerned with flow-rich vs. flow-poor apps getting a fair
> shake, and are considering a more docile/typical app mix (few big
> downloads, app updates, imap/exchange email, vpns, net radio, etc),
> then fair-queue alone will probably be sufficient.
>
> -Tk
Re: [c-nsp] shaping outbound
Ok, so my solution would look something like this:

class-map match-any application
 match protocol http

policy-map inbound
 class application
  police 10000000 1000000
 class class-default
  police 20000000 2000000

interface g0/1
 service-policy input inbound

And this would police http traffic to 10mbps and all other traffic to 20mbps. Are there any recommendations on the police command to limit the amount of drops I get from doing this?

I do have an ASA5520 in front of this router, is there any way of utilizing that to shape the traffic?

Thanks,
Dan.

On Sat, Dec 24, 2011 at 3:06 PM, Arie Vayner (avayner) wrote:
> Dan,
>
> On the ingress direction, you can apply a policer on specific classes,
> and limit the rate.
> As you are most likely talking about TCP based applications, policing
> them would make the applications regulate their download rate.
>
> Arie
>
> -Original Message-
> From: cisco-nsp-boun...@puck.nether.net
> [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Dan Letkeman
> Sent: Saturday, December 24, 2011 22:49
> To: cisco-nsp
> Subject: [c-nsp] shaping outbound
>
> Hello,
>
> I'm confused as to when and where it is possible to shape traffic. I
> have a 50Mbps internet connection from our ISP and I would like to shape
> some of the download traffic using our 2821. Here is what I have setup:
>
> lan users - g0/0 - 2821 - g0/1 --internet
>
> Currently I have no way of limiting someone from using up the entire
> pipe. My thought was to add a policy-map in the outbound direction on
> the G0/0 interface and shape based on NBAR protocols or something like
> that. Apparently this is not the correct way to do this. If I
> apply a policy-map in the outbound direction on G0/1 this helps nothing
> because it only shapes the upload traffic which is minimal at peak
> times.
>
> Any idea on how to go about this? Or Am I stuck with buying a
> ridiculously expensive packet shaper or something of the sorts?
>
> Thanks,
> Dan.
[c-nsp] shaping outbound
Hello,

I'm confused as to when and where it is possible to shape traffic. I have a 50Mbps internet connection from our ISP and I would like to shape some of the download traffic using our 2821. Here is what I have set up:

lan users - g0/0 - 2821 - g0/1 --internet

Currently I have no way of limiting someone from using up the entire pipe. My thought was to add a policy-map in the outbound direction on the G0/0 interface and shape based on NBAR protocols or something like that. Apparently this is not the correct way to do this. If I apply a policy-map in the outbound direction on G0/1 this helps nothing, because it only shapes the upload traffic, which is minimal at peak times.

Any idea on how to go about this? Or am I stuck with buying a ridiculously expensive packet shaper or something of the sort?

Thanks,
Dan.
[c-nsp] shaping w/sub interfaces - drops
Hello,

I'm wondering if it's possible to eliminate drops using shaping? I have a sub-interface set up for guest access and I want to limit all access to 3mbps and http access to 2mbps. If I apply a policy to the sub-interface I continuously see drops on the http class when it runs in and around 2mbps. It's just web browsing so I don't ever want to drop the packets, just retransmit. I have the following configured:

class-map match-all http
 match protocol http

policy-map guest-output
 class http
  shape peak 2000000 500000 250000
 class class-default
  shape average 3000000 256000

policy-map guest-input
 class guest-upload
  police 750000 100000 1000 conform-action transmit exceed-action drop violate-action drop

interface GigabitEthernet0/0.823
 encapsulation dot1Q 823
 ip address 10.7.184.1 255.255.255.0
 ip access-group wifiguest in
 ip helper-address 10.4.0.5
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip virtual-reassembly
 ip policy route-map router-astarogw
 service-policy input guest-input
 service-policy output guest-output

I am also seeing drops on the physical interface G0/0. I tried to apply a policy and it says I cannot do any shaping when shaping is already applied to a sub-interface. Do I need to apply a policy to the G0/0 interface first, and then apply a policy to shape certain traffic on the sub-interface?

Any hints, ideas or configuration examples would be appreciated.

Thanks,
Dan.
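The "shaping outbound" thread above (drops at the default queue-limit of 64 packets that disappear at 32768, and the suggestion to police on ingress instead) and this post's drops on a 2mbps http class come down to one mechanism: a token bucket that either queues or discards what it cannot send yet. The Python below is an added example, not configuration or code from any of the posts or from IOS: a discrete-time simulation that runs the same constructed burst (300 ms at 10 Mbps of 1500-byte packets) through a policer, a shaper with a 64-packet queue and a shaper with a 32768-packet queue, using the 2 Mbps rate and 256000-bit Bc from the posted http class. It reports drops, maximum queue depth and the longest queueing delay, which is the trade the larger queue-limit makes. Real IOS queueing (HQF, fair-queue, WRED) is more involved than this model.

```python
# Added example, not IOS code or configuration from the posts: a token-bucket
# simulation of `shape average` (with a bounded FIFO) versus `police`
# (no queue, exceed-action drop) on one constructed burst.
from collections import deque
from typing import Dict, List, Tuple

TICK = 0.001  # simulation step, seconds

Packet = Tuple[float, int]  # (arrival time in seconds, size in bytes)


def constant_rate_burst(rate_bps: float, duration_s: float,
                        size_bytes: int = 1500, start_s: float = 0.0) -> List[Packet]:
    """Constructed arrivals: size_bytes packets arriving at rate_bps for duration_s."""
    interval = size_bytes * 8 / rate_bps
    count = round(duration_s / interval)
    return [(start_s + k * interval, size_bytes) for k in range(count)]


def simulate(packets: List[Packet], rate_bps: float, bc_bits: float,
             queue_limit: int, max_time_s: float = 10.0) -> Dict[str, float]:
    """Run a token bucket (rate_bps, burst bc_bits) over `packets`.

    queue_limit > 0 models `shape average`: a packet that finds the bucket
    short of tokens waits in a FIFO of at most queue_limit packets and is
    dropped only when that FIFO is full (tail drop).
    queue_limit == 0 models `police ... exceed-action drop`: no queue, a
    packet without tokens is dropped on the spot.
    A packet larger than bc_bits would never leave the shaper; the
    constructed input keeps every packet well below Bc.
    """
    tokens = float(bc_bits)             # bucket starts full
    fifo: deque = deque()               # waiting packets: (arrival_s, bits)
    sent = dropped = 0
    max_depth = 0
    max_delay = 0.0
    i, n = 0, len(packets)
    for step in range(int(max_time_s / TICK)):
        now = step * TICK
        tokens = min(float(bc_bits), tokens + rate_bps * TICK)
        # admit everything that arrived during this tick
        while i < n and packets[i][0] < now + TICK:
            arrived, size = packets[i]
            bits = size * 8
            i += 1
            if queue_limit == 0:                        # policer
                if bits <= tokens:
                    tokens -= bits
                    sent += 1
                else:
                    dropped += 1
            elif len(fifo) < queue_limit:               # shaper, room in queue
                fifo.append((arrived, bits))
            else:                                       # shaper, queue full
                dropped += 1
        max_depth = max(max_depth, len(fifo))
        # drain the shaper queue as far as the tokens allow
        while fifo and fifo[0][1] <= tokens:
            arrived, bits = fifo.popleft()
            tokens -= bits
            sent += 1
            max_delay = max(max_delay, now - arrived)
        if i >= n and not fifo:
            break
    return {"sent": sent, "dropped": dropped,
            "max_queue_depth": max_depth, "max_delay_s": round(max_delay, 4)}


BURST = constant_rate_burst(10_000_000, 0.3)   # 250 packets in 300 ms (constructed)


def compare(packets: List[Packet] = BURST, rate_bps: float = 2_000_000,
            bc_bits: float = 256_000) -> Dict[str, Dict[str, float]]:
    """The posted 2 Mbps http class three ways."""
    return {
        "police (no queue)":        simulate(packets, rate_bps, bc_bits, queue_limit=0),
        "shape, queue-limit 64":    simulate(packets, rate_bps, bc_bits, queue_limit=64),
        "shape, queue-limit 32768": simulate(packets, rate_bps, bc_bits, queue_limit=32768),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:26} {result}")
```

With this input the policer and the 64-packet shaper both drop a large share of the burst; the 32768-packet shaper drops nothing but holds the tail of the burst for roughly a second. That delay is what a big queue-limit buys the drop counter with, and it is the reason a shaper on a TCP class is usually paired with a queue sized for a few round-trip times rather than for the whole burst.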
[c-nsp] remote location voice qos with switches
Hello,

I have a remote location where I have a 3560 which connects to our main location via a wireless bridge and goes into a 3560G. The wireless bridge has approximately 70mbps throughput. This remote location has about 12 7962 phones, and for the most part everything works fine, except when some of our I.T. staff are doing large backups or copying images across the link.

What would be the most simple QoS config to stop the data transfers from hogging the link? Or maybe not QoS, maybe just policing?

Thanks,
Dan.
Re: [c-nsp] tftp woes
Thanks guys, I will do some packet captures and see what they show me. I think the server might be over-utilized as well, because if we are imaging off of one server and then we tftp off of another, things are faster. So that to me says that it's a server problem and not a network problem.

Yes we multicast as well, but sometimes the guys who do the imaging want to unicast instead for whatever reason.

Dan.

On Mon, Jul 25, 2011 at 2:25 AM, Peter Hicks wrote:
> On Sun, 2011-07-24 at 21:43 -0500, Dan Letkeman wrote:
>
>> After about 12-15 machines start the image transfer the server gets
>> over utilized and the tftp download from the server starts to take a
>> lot longer on the rest of the machines that need to download the
>> imaging software, not the image itself. Is there a simple way on
>> these switches to prioritize the tftp traffic over the actual image
>> transfer? Possibly some simple QOS commands?
>
> tftp is UDP-based, have you checked the whole network to make sure you
> don't have a duff link producing errors and dropping UDP packets? Are
> you suffering over-utilization at any point?
>
> Is the initial software download happening in a machine's PXE
> environment? If so, the timeout for tftp packets may be a lot larger
> than you expect, hence a single packet being dropped equates to a much
> larger impact.
>
> Have you looked at a multicast-based solution for imaging the machines?
>
>
> Peter
>
> --
> Peter Hicks
[c-nsp] tftp woes
Hello,

We have imaging servers in all of our locations, and we normally image around 30 to 60 machines at once. The image is usually stored on a server with local SAS RAID storage, which is connected to a 3560G at 1Gbps, and then to 2960's (10/100 w/Gig uplinks to the 3560G).

After about 12-15 machines start the image transfer the server gets over-utilized and the tftp download from the server starts to take a lot longer on the rest of the machines that need to download the imaging software, not the image itself. Is there a simple way on these switches to prioritize the tftp traffic over the actual image transfer? Possibly some simple QoS commands?

Thanks,
Dan.
[c-nsp] EIGRP HSRP Successors
Hello,

I'm working on a test configuration for HSRP between two switches where I'm running EIGRP, and I'm wondering if it's best practice to leave the added successors in the route list? For example, after I made vlan 501 into an HSRP enabled vlan between the two switches, it added itself as an equal path route to the original one on vlan 4001.

P 10.11.56.0/24, 2 successors, FD is 3840
        via 10.5.8.2 (3840/3584), Vlan501
        via 10.100.4.1 (3840/3584), Vlan4001
P 172.16.8.0/23, 2 successors, FD is 3584
        via 10.5.8.2 (3584/3328), Vlan501
        via 10.100.200.1 (67840/3328), Vlan2200
P 192.168.72.0/24, 2 successors, FD is 3840
        via 10.5.8.2 (3840/3584), Vlan501
        via 10.100.4.1 (3840/3584), Vlan4001
P 172.16.42.0/24, 2 successors, FD is 4096
        via 10.5.8.2 (4096/3840), Vlan501
        via 10.100.4.1 (4096/3840), Vlan4001

If I want to HSRP enable all of the vlans on the switch so that it's completely redundant, I might have up to 10-20 equal paths between the switches. Is it ok practice to leave it like this? Or should I be removing the routes somehow?

Thanks,
Dan.
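What the topology entries above mean can be worked out from the DUAL selection rule, which the following Python applies to the four prefixes in the post. It is an added example, not code from the post or from IOS: a next hop whose metric equals the prefix's feasible distance (FD) is a successor and is installed; a next hop whose reported distance (the second number in the parentheses) is below the FD satisfies the feasibility condition and is kept as a feasible successor for instant failover. The `variance` handling goes beyond the post: it is the standard EIGRP unequal-cost rule that a feasible successor is also installed when its metric is below variance times the best metric. For 172.16.8.0/23 the second next hop has a metric of 67840 against an FD of 3584, so in this model it is a feasible successor only, and the example computes the variance that would be needed to load-share over it.

```python
# Added example, not from the post or IOS: EIGRP DUAL successor / feasible
# successor selection applied to the post's `show ip eigrp topology` entries.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Path:
    next_hop: str
    interface: str
    metric: int     # metric via this neighbour, first number in "(3840/3584)"
    reported: int   # neighbour's advertised distance, second number


def select(paths: List[Path], variance: int = 1) -> Tuple[List[Path], List[Path]]:
    """Return (successors, feasible_successors_held_back) for one prefix."""
    fd = min(p.metric for p in paths)              # feasible distance
    successors, feasible = [], []
    for p in paths:
        if p.metric == fd:
            successors.append(p)                   # equal-cost: always installed
        elif p.reported < fd:                      # feasibility condition holds
            if p.metric < variance * fd:
                successors.append(p)               # unequal-cost load sharing
            else:
                feasible.append(p)                 # kept for instant failover only
        # else: fails the feasibility condition; DUAL will not use it without
        # a diffusing computation, so it is not a candidate here
    return successors, feasible


def variance_needed(paths: List[Path]) -> int:
    """Smallest `variance` (1..128 in IOS) that installs every feasible successor."""
    fd = min(p.metric for p in paths)
    need = 1
    for p in paths:
        if p.metric != fd and p.reported < fd:
            need = max(need, p.metric // fd + 1)
    return need


# The entries from the post's `show ip eigrp topology` output.
TOPOLOGY: Dict[str, List[Path]] = {
    "10.11.56.0/24":   [Path("10.5.8.2", "Vlan501", 3840, 3584),
                        Path("10.100.4.1", "Vlan4001", 3840, 3584)],
    "172.16.8.0/23":   [Path("10.5.8.2", "Vlan501", 3584, 3328),
                        Path("10.100.200.1", "Vlan2200", 67840, 3328)],
    "192.168.72.0/24": [Path("10.5.8.2", "Vlan501", 3840, 3584),
                        Path("10.100.4.1", "Vlan4001", 3840, 3584)],
    "172.16.42.0/24":  [Path("10.5.8.2", "Vlan501", 4096, 3840),
                        Path("10.100.4.1", "Vlan4001", 4096, 3840)],
}


def summarize(topology: Dict[str, List[Path]], variance: int = 1) -> Dict[str, Tuple[int, int]]:
    """prefix -> (installed successors, feasible successors held back)."""
    return {prefix: tuple(len(group) for group in select(paths, variance))
            for prefix, paths in topology.items()}


if __name__ == "__main__":
    for prefix, counts in summarize(TOPOLOGY).items():
        print(prefix, counts)
    print("variance needed for 172.16.8.0/23:",
          variance_needed(TOPOLOGY["172.16.8.0/23"]))
```

Equal-cost entries such as 10.11.56.0/24 are installed as two successors and EIGRP load-balances over both by default (up to the `maximum-paths` setting, 4 on most IOS releases); they are what a second HSRP-enabled vlan between the same two switches produces, and nothing has to be removed for the routing to stay correct.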
Re: [c-nsp] off-topic NMS Suggestion
Intermapper has worked well for me for the past few years: easy to set up, not expensive, and it has the ability to make a nice graphical map of all your devices any which way you please.

Dan.

On Tue, May 17, 2011 at 9:38 PM, omar parihuana wrote:
> Hi List,
>
> Please could you suggest me an NMS for WAN/LAN? The WAN is a MPLS/VPN (300
> remote offices) and the switching is a campus LAN (approx 1000 network
> devices) and three remote buildings (approx 200 network devices in each
> building). Before I tried Cisco Works but I faced some issues; HP Openview
> was difficult also. We need an easy web interface for monitoring and
> reporting (unfortunately no open source solutions are accepted).
>
> Thank you for your suggestions.
>
> Rgds.
>
> --
> Omar E.P.T
> -
> Certified Networking Professionals make better Connections!
[c-nsp] Core: 2x4948 or 1x4503
Hello,

We are looking at replacing our core switches (2x3560G). I'm looking at a few options, but the ones that interest me the most are the 4948E-E, and the 4503-E w/two 48 port line cards and a SUP 6L-E. As far as bandwidth required, we have three ESX hosts and two SANs. About 40 VMs. We do have some fiber trunks to various different buildings, so the 4948E's look like a better choice because they have the SFP slots built in.

The main thing I'm looking at is to set up redundancy to the ESX hosts & SANs. I've read a lot about people using 3750G's in a stack, but I really wanted to get away from the 3750's and 3560's because of the output discards from micro bursts.

Any suggestions?

Dan.
Re: [c-nsp] 3560 vs 4948 shared buffer memory
Yes, I knew there was something I was missing. That's too bad.

Dan.

On Tue, Mar 8, 2011 at 10:12 AM, Brandon Ewing wrote:
> On Mon, Mar 07, 2011 at 11:15:01PM -0500, Chris Evans wrote:
>> We don't use 3750 or smaller switches anymore due to this. 4948 is deemed
>> data center class so we started using it for that. Haven't had any issues
>> so far.
>
> Do note that 4948 doesn't support IPv6 in hardware, and 4948E does.
>
> --
> Brandon Ewing (nicot...@warningg.com)
[c-nsp] 3560 vs 4948 shared buffer memory
Hello,

I've noticed a fair amount of output drops from traffic bursts on our 3560G's. This is happening with or without QoS on. So I have been looking at replacing these switches for this reason and others. From what I understand there is a problem with the shared memory buffer space when there are traffic bursts/micro bursts.

Would a 4948 be a big improvement when it comes to output drops vs a 3560? Has anyone else replaced their 3560/3750 with a 4948 and seen the output drops go away? I see the 4948E's have much more shared buffer memory, but those are out of our price range.

Thanks,
Dan.
Re: [c-nsp] asa routed public network through asa
Yes, I only have the /26 with a pre-existing netmask.

On Fri, Feb 4, 2011 at 9:54 PM, Jeff Kell wrote:
> On 2/4/2011 9:16 PM, Dan Letkeman wrote:
>> The asa is running 8.3(2), and I have a /26 from our isp to work with.
>> One of those IP's currently exists on the routed outside interface of
>> the asa.
>
> Do you have "only" that /26, and are the endpoints (yours and the ISP's)
> part of that /26 with a pre-existing netmask?
>
> You basically want to have the site-to-site (you-to-ISP) link more along
> the lines of a /30, then play with the ISP-provided /26 for NAT.
>
>
>> So I understand the part of trunking a vlan to the asa. Where I'm
>> stuck is how to add a secondary ip to a routed port on the asa (if this
>> is even possible) and how to "route" the traffic through the asa and
>> not "NAT" it.
>
> It still has to pass through the ASA. You want to NAT-exempt the piece
> you want to pass through.
>
> Jeff
[c-nsp] asa routed public network through asa
Hello,

I have an odd network design request that I'm trying to figure out. Currently I have an ASA 5520 that's configured to NAT a few dozen private networks to one public IP for desktop access. Simple enough. What I want to do is create a private network inside the current network, but give this network a public IP so they can use their own NAT device. But I would like to have all of this traffic go through the ASA. The ASA is running 8.3(2), and I have a /26 from our ISP to work with. One of those IPs currently exists on the routed outside interface of the ASA.

Example:

private lan (nat device) - lan - switch - switch - router - asa - internet

So I understand the part of trunking a vlan to the ASA. Where I'm stuck is how to add a secondary IP to a routed port on the ASA (if this is even possible) and how to "route" the traffic through the ASA and not "NAT" it.

Thanks,
Dan.
Re: [c-nsp] Constant output drops on etherchannel
Nick,

Thanks for the detailed explanation. The problem is I also see this on our gig switches as well. And only on EtherChannels, not on single interconnects. The traffic can be at such a minimum and I still see drops. I would like to tune the output buffers, but I'm not sure where to start. I know that I need to learn some more about QoS, because we do have a voice network that is growing very fast. Do you know of some good documentation or books that I can start with?

Dan.

On Sun, Jan 16, 2011 at 9:14 AM, Nick Hilliard wrote:
> On 16/01/2011 02:30, Dan Letkeman wrote:
>>
>> Drops are happening even when its not under load. Has nothing to do
>> with bandwidth.
>
> Dan,
>
> hypothetically on a 100Mb port, if you burst your output to 200 megs for 1
> second, then drop to zero traffic for 4 minutes 59 seconds, you will see:
>
> - 50% packet loss on the link
> - a 5 minute throughput rate of 333000 bits per sec
>
> This is called a microburst. I.e. a burst of traffic which goes beyond the
> capacity of the link, but which is too short to be measured accurately by
> your 5 minute rolling average. Typically you'll see this on slower speed
> lan links with bursty traffic, and it's why you're seeing relatively low
> levels of traffic, but output drops on the interface.
>
> If you want to fix this problem, you have several potential workarounds:
>
> - increase your port speeds
> - get a switch with bigger buffers
> - tune the output buffers on your existing switch
> - in your particular case, you could try fiddling with the etherchannel
> hashing algorithm to see if it helps (it's unlikely to make the problem
> disappear completely).
>
> Going back to your port channel
>
>> Port-channel2 is up, line protocol is up (connected)
>> Hardware is EtherChannel, address is 001b.d59d.7199 (bia 001b.d59d.7199)
>> MTU 1500 bytes, BW 200000 Kbit, DLY 100 usec,
>> reliability 255/255, txload 24/255, rxload 2/255
>> Encapsulation ARPA, loopback not set
>> Keepalive set (10 sec)
>> Full-duplex, 100Mb/s, link type is auto, media type is unknown
>> input flow-control is off, output flow-control is unsupported
>> Members in this channel: Fa0/23 Fa0/24
>
> Your problem is here --> ^
>
> You need to upgrade your switch to a gig capable device. You've outgrown
> your existing equipment.
>
> Nick
Re: [c-nsp] Constant output drops on etherchannel
No. Drops are happening even when it's not under load. Has nothing to do with bandwidth.

On Fri, Jan 14, 2011 at 9:25 PM, Klementina Miloslava wrote:
> I'm guessing that your problem is less of a buffer problem and more of a
> bandwidth problem. I bet you are using etherchannel so that you can have
> more than 1Gbps of bandwidth.
>
> However, what you didn't expect is that the etherchannel isn't evenly load
> balanced. In fact, it's not load balancing at all, it's load sharing. So,
> as a result you have one interface approaching the 1Gbps mark. As others
> have already pointed out, you begin to drop when you fill the buffers.
>
> So, instead of adding bandwidth (faking it) with etherchannels you should
> consider adding true bandwidth by increasing the interface speed. Consider
> 10Gbps instead.
>
> I can only assume that the buffers on a 10Gbps interface will be a little
> deeper. But I'd ask others to comment on this.
>
> So, if you can't add bandwidth, then you should consider re-engineering the
> traffic patterns to reduce bandwidth requirements. So, since you are
> trunking multiple vlans over your etherchannel, you should consider carrying
> each vlan over its own dedicated interface. This may or may not work
> depending on what's happening on those vlans, but the idea is to reduce the
> load on each of the circuits.
>
> In the end you may be asking too much out of that switch.
>
> Klementina
>
> On Fri, 14 Jan 2011, Dan Letkeman wrote:
>
>> So is there any way to increase the buffers without causing more
>> damage? Or is this a hardware limitation?
>>
>>
>> On Fri, Jan 14, 2011 at 3:54 PM, Gert Doering wrote:
>>>
>>> Hi,
>>>
>>> On Fri, Jan 14, 2011 at 12:28:03PM -0600, Dan Letkeman wrote:
>>>>
>>>> 3560 or 3560G.
>>>
>>> Lame switches with too-small buffers.
>>>
>>> [..]
>>>>
>>>> I do have auto qos enabled for some of the phones I have connected to
>>>> the switches, but I don't have any qos on the etherchannel trunks.
>>>
>>> Turning *off* qos will reduce the amount of drops you see (what qos does
>>> is "take tiny buffers, spread over 4 different queues, and all of a
>>> sudden your traffic only has 1/4th the buffer space available").
>>>
>>> Alternatively, you could fiddle with qos to give all buffers to
>>> a single queue, and put all traffic in that queue, but that's
>>> effectively turning it off...
>>>
>>> gert
>>> --
>>> USENET is *not* the non-clickable part of WWW!
>>>
>>> //www.muc.de/~gert/
>>> Gert Doering - Munich, Germany
>>> g...@greenie.muc.de
>>> fax: +49-89-35655025
>>> g...@net.informatik.tu-muenchen.de
Re: [c-nsp] Constant output drops on etherchannel
So is there any way to increase the buffers without causing more damage? Or is this a hardware limitation?

On Fri, Jan 14, 2011 at 3:54 PM, Gert Doering wrote:
> Hi,
>
> On Fri, Jan 14, 2011 at 12:28:03PM -0600, Dan Letkeman wrote:
>> 3560 or 3560G.
>
> Lame switches with too-small buffers.
>
> [..]
>> I do have auto qos enabled for some of the phones I have connected to
>> the switches, but I don't have any qos on the etherchannel trunks.
>
> Turning *off* qos will reduce the amount of drops you see (what qos does
> is "take tiny buffers, spread over 4 different queues, and all of a
> sudden your traffic only has 1/4th the buffer space available").
>
> Alternatively, you could fiddle with qos to give all buffers to
> a single queue, and put all traffic in that queue, but that's
> effectively turning it off...
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany  g...@greenie.muc.de
> fax: +49-89-35655025  g...@net.informatik.tu-muenchen.de
Re: [c-nsp] Constant output drops on etherchannel
3560 or 3560G. (C3560-IPSERVICESK9-M), Version 12.2(53)SE2

Interface config:

interface Port-channel2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 3009
 switchport trunk allowed vlan 8,10,1008,1101,3009
 switchport mode trunk
end

I see more output drops during higher traffic, but I still see drops during low traffic rates. Always more on one interface.

I do have auto qos enabled for some of the phones I have connected to the switches, but I don't have any qos on the etherchannel trunks.

I'm just using the default etherchannel load balancing algorithm.

Thanks,
Dan.

On Fri, Jan 14, 2011 at 10:12 AM, Phil Mayers wrote:
> On 14/01/11 16:08, Dan Letkeman wrote:
>> Hello,
>>
>> I'm seeing many of our etherchannels on different switches having output
>> drops:
>
> Platform? IOS version? Config of the interface(s) (routed, SVI, etc.)
>
>> Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops:
>> 898085
>
> Are you monitoring the traffic rate? Do the drops correspond to traffic
> bursts? Do you have QoS enabled?
>
>> I also see that it usually uses one port of the etherchannel to a high
>> degree, say 92% before it seems to push data through the other
>> connection.
>
> That's not necessarily unusual, depending on your etherchannel load
> balancing algorithm and traffic patterns. But you haven't really supplied
> enough info for people to help you.
[c-nsp] Constant output drops on etherchannel
Hello,

I'm seeing many of our etherchannels on different switches having output drops:

Port-channel2 is up, line protocol is up (connected)
  Hardware is EtherChannel, address is 001b.d59d.7199 (bia 001b.d59d.7199)
  MTU 1500 bytes, BW 20 Kbit, DLY 100 usec,
     reliability 255/255, txload 24/255, rxload 2/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, link type is auto, media type is unknown
  input flow-control is off, output flow-control is unsupported
  Members in this channel: Fa0/23 Fa0/24
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 2w0d, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 898085
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 1601000 bits/sec, 1044 packets/sec
  5 minute output rate 18983000 bits/sec, 1739 packets/sec
     1334506578 packets input, 1057033776276 bytes, 0 no buffer
     Received 36222411 broadcasts (31794053 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 31794053 multicast, 0 pause input
     0 input packets with dribble condition detected
     1118193661 packets output, 625080881800 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

Is there something else I need to configure to minimize this?

I also see that it usually uses one port of the etherchannel to a high degree, say 92% before it seems to push data through the other connection.

Thanks,
Dan.
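Phil's first question in the thread is whether the drops track traffic bursts, which needs the counter polled over time rather than read once. Here is an added example (not from the post or from Cisco) that pulls the relevant counters out of `show interface` text, computes the lifetime drop ratio and the drop rate between two polls, and flags a counter that is still climbing. The sample text is trimmed from the output above; the second poll is constructed.

```python
"""Pull the counters the thread is discussing out of 'show interface' text
and turn them into a drop ratio and a drop rate between two polls.
Added example; the sample is trimmed from the output in the post."""
import re

SAMPLE_SHOW_INTERFACE = """\
Port-channel2 is up, line protocol is up (connected)
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 898085
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute output rate 18983000 bits/sec, 1739 packets/sec
     1334506578 packets input, 1057033776276 bytes, 0 no buffer
     1118193661 packets output, 625080881800 bytes, 0 underruns
"""

PATTERNS = {
    "output_drops": r"Total output drops:\s*(\d+)",
    "packets_input": r"(\d+) packets input",
    "packets_output": r"(\d+) packets output",
    "output_queue_max": r"Output queue: \d+/(\d+)",
    "output_bps": r"output rate (\d+) bits/sec",
}


def parse_counters(text: str) -> dict:
    """Return the integer counters named in PATTERNS; raise if one is missing
    so a changed CLI format is noticed rather than silently zeroed."""
    counters = {}
    for name, pattern in PATTERNS.items():
        m = re.search(pattern, text)
        if m is None:
            raise ValueError(f"counter {name!r} not found")
        counters[name] = int(m.group(1))
    return counters


def drop_ratio(c: dict) -> float:
    """Share of packets offered to the output side that were discarded."""
    offered = c["packets_output"] + c["output_drops"]
    return c["output_drops"] / offered if offered else 0.0


def drop_rate(prev: dict, cur: dict, interval_s: float) -> float:
    """Drops per second between two polls of the same interface; a counter
    that went backwards (cleared or wrapped) is reported as 0."""
    delta = cur["output_drops"] - prev["output_drops"]
    return max(delta, 0) / interval_s


def assess(prev: dict, cur: dict, interval_s: float, max_drops_per_s: float = 1.0) -> str:
    """One-line verdict: lifetime ratio plus whether drops are still growing."""
    rate = drop_rate(prev, cur, interval_s)
    verdict = "drops still increasing" if rate > max_drops_per_s else "drops quiet"
    return f"ratio={drop_ratio(cur):.5f} rate={rate:.1f}/s ({verdict})"


if __name__ == "__main__":
    first = parse_counters(SAMPLE_SHOW_INTERFACE)
    # Constructed second poll 60 s later: 600 more drops.
    second = dict(first, output_drops=first["output_drops"] + 600)
    print(assess(first, second, 60))
```

The lifetime ratio for the posted counters is about 0.08% of output packets, which sounds small; the rate between polls is the number that says whether the drops happen in bursts or, as Dan reports, under low load too.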
Re: [c-nsp] 2821 NAT Limitations
I'm pushing about 30mbit, but we have a content filter that everyone is forced to go through, which essentially doubles the nat entries on the router (it's just the way it works).

Would we be better off getting two 5510's and load balancing?

Dan.

On Thu, Oct 14, 2010 at 8:44 AM, Ryan West wrote:
> Dan,
>
>> -----Original Message-----
>> From: cisco-nsp-boun...@puck.nether.net
>> [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Dan Letkeman
>> Sent: Thursday, October 14, 2010 9:26 AM
>> To: rod...@cisco.com
>> Cc: cisco-nsp@puck.nether.net
>> Subject: Re: [c-nsp] 2821 NAT Limitations
>>
>> I'll look into getting an ASA. My graphs show about 4 nat translations
>> at the time the router had issues, would an ASA5510 be the right choice or
>> would you go with a 5520?
>>
>> Dan.
>
> Probably want to consider the 5520, the 5510 would require the security plus
> license to reach over 50k sessions (130k) and support HA. The 5520 will do
> 280k sessions and supports HA with no additional licensing. How much
> throughput are you pushing through the 2821?
>
> -ryan
Re: [c-nsp] 2821 NAT Limitations
I'll look into getting an ASA. My graphs show about 4 nat translations at the time the router had issues, would an ASA5510 be the right choice or would you go with a 5520?

Dan.

On Thu, Oct 14, 2010 at 4:47 AM, Rodney Dunn wrote:
> In the spirit of technical accuracy.
>
> NAT is a more complex feature than it appears on the surface. In regards to
> the "process switch" portion. NAT today for normal http traffic is CEF
> switched, even the SYN's, along with the payload data.
> The FIN/RST's are punted to tear the translations down.
>
> As for the 2821 specifically, NAT is no different there (assuming same code
> version) than it is on a 72xx for example. Only difference is CPU power and
> memory (depending on the difference).
>
> Therefore, scale is directly related to those two factors on the platform.
> And port ranges if you do overload.
>
> The main factors to watch from a scale perspective are:
>
> CPU
> Memory
> NAT pool allocation
> Input Queue drops on interfaces (set them to the max)
>
> Good NAT'ing. :)
>
> For an IOS device the ASR1k is the leader today. It does ALL NAT'ing (even
> ALG) in the *hardware* forwarding path.
>
> Rodney
>
> On 10/13/10 5:40 PM, Ge Moua wrote:
>> forgot to mention that I'm fairly certain that many NAT sessions that
>> you require will overrun the 2800 which process switches that function (no
>> good).
>>
>> --
>> Regards,
>> Ge Moua
>> Network Design Engineer
>> University of Minnesota | OIT - NTS
>>
>> On 10/13/10 4:38 PM, Ge Moua wrote:
>>> we do upwards of 75,000 NAT sessions on an asa-5550 with no problems;
>>> bad thing here for you is that you'll also need a router platform to
>>> do the route maps
>>>
>>> not sure if you can split the functions, but if so then this might
>>> work for you.
>>>
>>> --
>>> Regards,
>>> Ge Moua
>>> Network Design Engineer
>>> University of Minnesota | OIT - NTS
>>>
>>> On 10/13/10 4:11 PM, Dan Letkeman wrote:
>>>> Hi,
>>>>
>>>> Wondering if anyone has some experience with the NAT limitations on a
>>>> 2821 router? I have about 1500 users, about half of whom are on
>>>> the internet at one time, but we have a proxy web filter appliance
>>>> that all of the clients connect to that does a website lookup, and
>>>> check before it lets the client access the page, so it creates a
>>>> separate entry for every page requested. This doubles the NAT entries
>>>> in the router.
>>>>
>>>> Would 40,000 - 60,000 NAT translation entries be too much for a 2821?
>>>> It's not doing much else except NAT and a couple of route-maps.
>>>>
>>>> If so, which device would be recommended that could handle this amount
>>>> of translations?
>>>>
>>>> Thanks,
>>>> Dan.
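Rodney lists "port ranges if you do overload" and "NAT pool allocation" among the scale limits. The added example below (not IOS code, not from the thread) puts numbers on that for the sizing Dan describes: a port-address-translation table for one public address, with idle expiry standing in for the FIN/RST tear-down Rodney mentions. It is deliberately conservative, giving every inside flow its own outside port regardless of destination; 203.0.113.1 is a TEST-NET placeholder for the public address, and the load is constructed.

```python
"""Port-address-translation table for one public address, to put numbers
on Rodney's 'port ranges if you do overload' point. Added example, not
IOS's NAT implementation; it is deliberately conservative and gives every
inside flow its own outside port regardless of destination."""


class PatTable:
    def __init__(self, public_ip: str, first_port: int = 1024,
                 last_port: int = 65535, idle_timeout: int = 300):
        self.public_ip = public_ip
        self.idle_timeout = idle_timeout
        # Free ports kept as a stack so allocation and release are O(1).
        self.free = list(range(last_port, first_port - 1, -1))
        self.entries = {}   # (inside_ip, inside_port, proto) -> [outside_port, last_seen]
        self.refused = 0    # flows that got no translation

    def capacity(self) -> int:
        return len(self.free) + len(self.entries)

    def translate(self, inside_ip: str, inside_port: int, proto: str, now: float):
        """Return the outside port for a flow, allocating one if needed.
        None means the pool is exhausted: the router has to drop the flow."""
        key = (inside_ip, inside_port, proto)
        entry = self.entries.get(key)
        if entry is not None:
            entry[1] = now               # refresh idle timer
            return entry[0]
        if not self.free:
            self.refused += 1
            return None
        port = self.free.pop()
        self.entries[key] = [port, now]
        return port

    def expire(self, now: float) -> int:
        """Tear down idle translations (what the FIN/RST punt does for TCP)
        and give their ports back. Returns how many were freed."""
        stale = [k for k, (_, seen) in self.entries.items()
                 if now - seen > self.idle_timeout]
        for k in stale:
            self.free.append(self.entries.pop(k)[0])
        return len(stale)


def required_translations(users: int, active_fraction: float,
                          sessions_per_user: int, filter_multiplier: int = 2) -> int:
    """Dan's sizing: concurrent users x sessions each, doubled by a proxy
    filter that opens its own connection per page."""
    return int(users * active_fraction * sessions_per_user * filter_multiplier)


def open_sessions(table: PatTable, users: int, sessions_per_user: int, now: float = 0.0) -> int:
    """Constructed load: each inside host opens sessions_per_user TCP flows.
    Returns how many got a translation; table.refused holds the rest."""
    granted = 0
    for u in range(users):
        inside_ip = f"10.0.{u // 256}.{u % 256}"
        for s in range(sessions_per_user):
            if table.translate(inside_ip, 40000 + s, "tcp", now) is not None:
                granted += 1
    return granted


if __name__ == "__main__":
    need = required_translations(1500, 0.5, 40)          # 60000, inside Dan's range
    t = PatTable("203.0.113.1")                           # TEST-NET placeholder public IP
    got = open_sessions(t, 750, 90)                       # 67500 flows, more than one IP holds
    print(f"need {need}; one IP has {t.capacity()} ports; granted {got}, refused {t.refused}")
    print("freed after idle timeout:", t.expire(now=1000))
```

The point of the run is that 1500 users at 50% with 40 sessions each, doubled by the filter, is 60,000 translations, and a single overloaded address has 64,512 usable ports in this conservative model; a modest increase in sessions per user exhausts it, after which new flows are refused until idle entries expire. Memory and CPU (Rodney's other two factors) scale with the entry count in the same way.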
[c-nsp] 2821 NAT Limitations
Hi,

Wondering if anyone has some experience with the NAT limitations on a 2821 router? I have about 1500 users, about half of whom are on the internet at one time, but we have a proxy web filter appliance that all of the clients connect to that does a website lookup, and check before it lets the client access the page, so it creates a separate entry for every page requested. This doubles the NAT entries in the router.

Would 40,000 - 60,000 NAT translation entries be too much for a 2821? It's not doing much else except NAT and a couple of route-maps.

If so, which device would be recommended that could handle this amount of translations?

Thanks,
Dan.
Re: [c-nsp] ios l2tp ipsec vpn help
Sort of... I have tried this a few times, but it doesn't seem to initiate anything. Here is an idea of what I want to do:

via a route-map: clients on lan1 accessing http site x --- 2821 --- l2tp over ipsec vpn --- VPN SERVICE PROVIDER

In that config it shows dialup clients which I don't have, and so I don't understand how the 2821 can initiate the l2tp vpn?

This is the configuration I have tried, and after enabling all of the debugs I can find, I have found that it does nothing.

vpdn enable
vpdn-group 1
 request-dialin
  protocol l2tp
 initiate-to ip 200.200.200.1
!
crypto isakmp policy 1
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key cisco address 200.200.200.1
!
crypto ipsec transform-set testtrans esp-des
!
crypto map l2tpmap 10 ipsec-isakmp
 set peer 200.200.200.1
 set transform-set testtrans
 match address 101
!
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
interface vlan 800
 ip address 65.65.65.1 255.255.255.224 (external interface)
 ip nat outside
 crypto map l2tpmap
!
access-list 101 permit udp host 20.1.1.1 eq 1701 host 20.1.1.2 eq 1701
!

Thanks,
Dan.

On Sun, May 30, 2010 at 1:04 AM, Sercan Aktas wrote:
> Sorry, here is the link...
>
> http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093f6f.shtml#diag
>
> -----Original Message-----
> From: cisco-nsp-boun...@puck.nether.net
> [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Sercan Aktas
> Sent: Sunday, May 30, 2010 9:50 AM
> To: 'Dan Letkeman
> Cc: 'cisco-nsp'
> Subject: Re: [c-nsp] ios l2tp ipsec vpn help
>
> Hi Dan,
>
> Have a look at this simple example on CCO for configuring L2TP over IPSec.
>
> I guess your router should be configured as LAC for your clients and then
> initiate a session to the LNS located at your VPN SP. Then the L2TP session
> between your router (LAC) and your provider router (LNS) should be encrypted
> using IPSec.
>
> I hope this is what you are looking for.
>
> Sercan
>
> -----Original Message-----
> From: cisco-nsp-boun...@puck.nether.net
> [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Dan Letkeman
> Sent: Sunday, May 30, 2010 7:38 AM
> To: cisco-nsp
> Subject: [c-nsp] ios l2tp ipsec vpn help
>
> I'm struggling with getting a connection to our vpn service provider
> from our 2821 router. I would like to terminate the vpn on the router
> so I can route certain traffic through the vpn. Example info I got
> from our vpn provider is:
>
> address: vpn.provider.com
> username: user
> password: pass
> l2tp shared secret: asdfasdfasdfasfd
>
> They support l2tp over ipsec, pptp and sstp.
>
> From the research I have done so far, I have found that ios does not
> support outgoing pptp connections, and I cannot for the life of me
> find a working l2tp over ipsec configuration that makes sense. I do
> have an hwic-4esw card in the router that I am trying to make the vpn
> connection from, so I'm wondering if that is where I'm having the
> trouble. I'm also running NAT on the interfaces on this router,
> which could also be part of my problem.
>
> I'm a bit confused with the LAC, LNS, client-initiated, client peer,
> lan to lan, etc, configurations on the Cisco site. I'm assuming that
> I should not be setting up my router as an LAC, but instead as a
> client?
>
> Does anyone know if this even works? Or is the vpn support on an IOS
> router only for router to router configurations?
>
> Thanks,
> Dan.
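Before chasing debugs on a crypto map that never fires, it is worth checking that the crypto ACL can match anything at all: the `match address` ACL has to cover traffic from the local interface address to the `set peer` address, or no SA is ever negotiated. The following is an added example, not code from the thread or from Cisco: a small line-oriented reader for the handful of IOS commands involved (not a general IOS parser; it assumes IOS's usual one-space sub-command indentation) with the posted configuration pasted in as its sample, plus the two algorithm checks a reviewer would add today (DES and DH group 2 are not acceptable choices any more).

```python
"""Sanity checks for the crypto-map part of an L2TP-over-IPsec config like the
one in the post. Added example; a small line-oriented reader, not an IOS
parser, with the post's config pasted in as the sample."""
import re
from collections import defaultdict

WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
WEAK_DH_GROUPS = {"1", "2", "5"}

SAMPLE_CONFIG = """\
vpdn enable
vpdn-group 1
 request-dialin
  protocol l2tp
 initiate-to ip 200.200.200.1
!
crypto isakmp policy 1
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key cisco address 200.200.200.1
!
crypto ipsec transform-set testtrans esp-des
!
crypto map l2tpmap 10 ipsec-isakmp
 set peer 200.200.200.1
 set transform-set testtrans
 match address 101
!
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
interface vlan 800
 ip address 65.65.65.1 255.255.255.224
 ip nat outside
 crypto map l2tpmap
!
access-list 101 permit udp host 20.1.1.1 eq 1701 host 20.1.1.2 eq 1701
"""


def parse_ios(config: str):
    """Collect numbered ACL host pairs, crypto map entries, interfaces,
    transform sets and ISAKMP DH groups. Assumes IOS's usual one-space
    indentation for sub-commands."""
    acls, maps, ifaces, transforms, groups = defaultdict(list), {}, {}, {}, {}
    ctx = None  # (kind, key) of the block the current sub-command belongs to
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"access-list (\d+) permit \S+ host (\S+)(?: eq \S+)? host (\S+)", line):
            acls[m[1]].append((m[2], m[3]))
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
            ctx = ("map", (m[1], m[2]))
            maps[ctx[1]] = {}
        elif m := re.match(r"crypto isakmp policy (\d+)", line):
            ctx = ("policy", m[1])
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            transforms[m[1]] = m[2].split()
        elif m := re.match(r"interface (.+)", line):
            ctx = ("iface", m[1])
            ifaces[ctx[1]] = {}
        elif ctx and ctx[0] == "map":
            if m := re.match(r"set peer (\S+)", line):
                maps[ctx[1]]["peer"] = m[1]
            elif m := re.match(r"match address (\S+)", line):
                maps[ctx[1]]["acl"] = m[1]
        elif ctx and ctx[0] == "policy":
            if m := re.match(r"group (\d+)", line):
                groups[ctx[1]] = m[1]
        elif ctx and ctx[0] == "iface":
            if m := re.match(r"ip address (\S+)", line):
                ifaces[ctx[1]]["ip"] = m[1]
            elif m := re.match(r"crypto map (\S+)$", line):
                ifaces[ctx[1]]["map"] = m[1]
    return acls, maps, ifaces, transforms, groups


def lint(config: str) -> list:
    """Findings a reviewer would raise before debugging further: a crypto ACL
    whose hosts match neither the peer nor the local interface address can
    never trigger the tunnel, and DES / small DH groups are not acceptable."""
    acls, maps, ifaces, transforms, groups = parse_ios(config)
    findings = []
    for (name, seq), entry in maps.items():
        acl, peer = entry.get("acl"), entry.get("peer")
        pairs = acls.get(acl, [])
        if not pairs:
            findings.append(f"crypto map {name} {seq}: match address {acl} has no host permit entries")
            continue
        srcs, dsts = {s for s, _ in pairs}, {d for _, d in pairs}
        if peer and peer not in dsts:
            findings.append(f"crypto map {name} {seq}: peer {peer} is not a destination in ACL {acl} {sorted(dsts)}")
        for iname, iface in ifaces.items():
            if iface.get("map") == name and iface.get("ip") not in srcs:
                findings.append(f"interface {iname}: address {iface.get('ip')} is not a source in ACL {acl} {sorted(srcs)}")
    for tname, algs in transforms.items():
        weak = sorted(set(algs) & WEAK_TRANSFORMS)
        if weak:
            findings.append(f"transform-set {tname}: weak algorithm(s) {weak}")
    for policy, group in groups.items():
        if group in WEAK_DH_GROUPS:
            findings.append(f"isakmp policy {policy}: DH group {group} is too small")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the posted config it reports four things: the ACL's hosts (20.1.1.1 and 20.1.1.2) are neither the `vlan 800` address nor the peer, so the map cannot be triggered by L2TP traffic between them; `esp-des`; and DH group 2. Whether the ACL is the whole story of the failed L2TP session is beyond what the checker can say, but it is the first thing to fix.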
[c-nsp] ios l2tp ipsec vpn help
I'm struggling with getting a connection to our vpn service provider from our 2821 router. I would like to terminate the vpn on the router so I can route certain traffic through the vpn. Example info I got from our vpn provider is:

address: vpn.provider.com
username: user
password: pass
l2tp shared secret: asdfasdfasdfasfd

They support l2tp over ipsec, pptp and sstp.

From the research I have done so far, I have found that ios does not support outgoing pptp connections, and I cannot for the life of me find a working l2tp over ipsec configuration that makes sense. I do have an hwic-4esw card in the router that I am trying to make the vpn connection from, so I'm wondering if that is where I'm having the trouble. I'm also running NAT on the interfaces on this router, which could also be part of my problem.

I'm a bit confused with the LAC, LNS, client-initiated, client peer, lan to lan, etc, configurations on the Cisco site. I'm assuming that I should not be setting up my router as an LAC, but instead as a client?

Does anyone know if this even works? Or is the vpn support on an IOS router only for router to router configurations?

Thanks,
Dan.
[c-nsp] router as l2tp vpn client
Hello,

I'm wondering if anyone has a configuration example of how to make an l2tp vpn client connection from an ISR? There seems to be many options regarding vpdn, client-initiated, etc. I'm confused as to where to start.

I have the connection information for the vpn server, that I have received from the company where we purchased the vpn from. The example I got from them was:

vpnserver.company.com
username: user
password: pass123
l2tp key: (shared secret) 1a2b3c4b5d

And they permit PPTP/L2TP/SSTP connections. From what I have researched so far, IOS does not allow pptp client connections from the router. So I'm left with L2TP.

Any configuration examples would be appreciated.

Thanks,
Dan.
Re: [c-nsp] Routing SSDP for Windows Desktops
No, everything is wide open. Everything works if both machines are on the same subnet. But if I move one machine to a different subnet, I can see the other machine, but it doesn't allow me access.

From what I have read in the MS documentation, there must be a mechanism that denies access if your network address is different from the remote machine's.

Any other ideas?

Dan.

On Mon, May 10, 2010 at 8:48 PM, Dave Brockman wrote:
> Just a stab, check firewall policy for allowed incoming connections?
> Usually if it's defaultish configured, it is "localnet", which includes
> only the local subnet.
>
> Regards,
>
> dtb
>
> On 05/10/2010 09:06 PM, Dan Letkeman wrote:
>> Thanks, that worked. But I wonder if windows allows this? I can now
>> see the device, but it seems I have no access if I'm on a different
>> subnet.
>>
>> Dan.
>>
>> On Sun, May 9, 2010 at 11:43 PM, Anton Kapela wrote:
>>> On May 9, 2010, at 10:17 PM, Dan Letkeman wrote:
>>>> Am I missing something? Or does this just not work?
>>>
>>> Well, ttl=1 always wins, or doesn't, so to speak. AFAIK, ssdp mcast
>>> destined packets are ttl=1 on winders by default. Not authoritative in all
>>> cases, but this seems spot on:
>>>
>>> http://msdn.microsoft.com/en-us/library/aa381091%28VS.85%29.aspx
>>>
>>> -Tk
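Two separate filters are at work in this thread: Anton's point that SSDP multicast leaves the host with TTL=1 and so dies at the first router, and Dave's point that the Windows firewall's default "local subnet" scope rejects the follow-up unicast connections from another subnet even when the multicast has been routed. The added example below (not from the thread, not Windows or IOS code) parses a constructed SSDP M-SEARCH datagram and applies the two rules in the order a packet meets them.

```python
"""Why SSDP discovery stops at the subnet edge, in code: parse an SSDP
M-SEARCH datagram, apply the TTL=1 rule Anton mentions, then the
local-subnet firewall scope Dave mentions. Added example with a
constructed datagram; not Windows' or the router's implementation."""
import ipaddress

SSDP_GROUP = ipaddress.ip_address("239.255.255.250")
SSDP_PORT = 1900

# Constructed M-SEARCH datagram as a host would multicast it.
SAMPLE_MSEARCH = (
    b"M-SEARCH * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b'MAN: "ssdp:discover"\r\n'
    b"MX: 2\r\n"
    b"ST: ssdp:all\r\n"
    b"\r\n"
)


def parse_ssdp(datagram: bytes):
    """Split an HTTPU request into (method, headers). Header names are
    case-insensitive, so they are upper-cased; bad bytes are replaced."""
    text = datagram.decode("ascii", errors="replace")
    head = text.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method = request_line.split(" ", 1)[0]
    headers = {}
    for h in header_lines:
        name, sep, value = h.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return method, headers


def survives_routing(ttl: int, router_hops: int) -> bool:
    """Every router decrements TTL and discards the packet when it hits 0,
    so a TTL-1 datagram never gets past the first hop."""
    return ttl > router_hops


def discovery_outcome(datagram: bytes, ttl: int, router_hops: int,
                      src_ip: str, listener_subnet: str,
                      firewall_scope: str = "localnet") -> str:
    """Trace one search from sender to the listener's firewall."""
    method, headers = parse_ssdp(datagram)
    if method != "M-SEARCH" or headers.get("HOST") != f"{SSDP_GROUP}:{SSDP_PORT}":
        return "not an SSDP search"
    if not survives_routing(ttl, router_hops):
        return f"dropped in transit: TTL {ttl} cannot cross {router_hops} router hop(s)"
    local = ipaddress.ip_address(src_ip) in ipaddress.ip_network(listener_subnet)
    if firewall_scope == "localnet" and not local:
        return "delivered, but the listener's firewall scope is local subnet only"
    return "delivered and accepted"


if __name__ == "__main__":
    print(discovery_outcome(SAMPLE_MSEARCH, 1, 1, "10.1.2.5", "10.1.1.0/24"))
    print(discovery_outcome(SAMPLE_MSEARCH, 4, 1, "10.1.2.5", "10.1.1.0/24"))
    print(discovery_outcome(SAMPLE_MSEARCH, 4, 1, "10.1.2.5", "10.1.1.0/24", firewall_scope="any"))
```

The three calls in the `__main__` block reproduce the thread in order: the default TTL never leaves the VLAN; raising it (what PIM on the SVIs achieved) gets the search across, which is the "I can now see the device" stage; and only widening the listener's firewall scope turns that into access. Widening that scope is a deliberate trust decision, since it admits every subnet the router will forward from.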
Re: [c-nsp] Routing SSDP for Windows Desktops
Thanks, that worked. But I wonder if windows allows this? I can now see the device, but it seems I have no access if I'm on a different subnet.

Dan.

On Sun, May 9, 2010 at 11:43 PM, Anton Kapela wrote:
> On May 9, 2010, at 10:17 PM, Dan Letkeman wrote:
>> Am I missing something? Or does this just not work?
>
> Well, ttl=1 always wins, or doesn't, so to speak. AFAIK, ssdp mcast destined
> packets are ttl=1 on winders by default. Not authoritative in all cases, but
> this seems spot on:
>
> http://msdn.microsoft.com/en-us/library/aa381091%28VS.85%29.aspx
>
> -Tk
[c-nsp] Routing SSDP for Windows Desktops
Hello,

I'm struggling with getting media device discovery on Windows 7 working across my network. I have enabled multicast routing & PIM dense mode on the respective interfaces where the workstations are located, igmp snooping is enabled, the group 239.255.255.250 exists on all switches, and I can see that everything is working when I run "show ip mroute" on the switch. So the clients have joined the session, the route exists, but when I look at the network neighborhood on the workstations, I see nothing, except whatever is on the same vlan (local workgroup).

Am I missing something? Or does this just not work?

Oh, and I do not have a server with a domain, just workstations.

Thanks,
Dan.
[c-nsp] Dynamic DNS updates to Local DNS Server
Hello,

I cannot seem to find any information or configuration examples of using a Cisco IOS DHCP server to update A records on a local dns server. I would like to have the router that is running dhcp update the records for a few windows workstations to a bind dns server.

Any help would be appreciated.
[c-nsp] 827 noise margin
Hello,

I have an 827 router that seems to have noise issues after a while and I'm wondering if it is the device or the line? The noise margin drops down after a week or two of use. If I restart the router the noise margin is back up to about 7 dB. This is what it looks like after a week or two:

                          ATU-R (DS)              ATU-C (US)
Modem Status:             Showtime (DMTDSL_SHOWTIME)
DSL Mode:                 ITU G.992.1 (G.DMT)
ITU STD NUM:              0x01                    0x01
Vendor ID:                'ALCB'                  'ANDV'
Vendor Specific:          0x                      0x
Vendor Country:           0x00                    0x00
Capacity Used:            96%                     104%
Noise Margin:             -41.5 dB                11.0 dB
Output Power:             20.0 dBm                12.0 dBm
Attenuation:              32.5 dB                 18.0 dB
Defect Status:            LOM                     None
Last Fail Code:           Protocol error
Selftest Result:          0x49
Subfunction:              0x02
Interrupts:               661 (1 spurious)
Activations:              2
SW Version:               3.8129
FW Version:               0x1A0

Dan.
Re: [c-nsp] 3560 memory problem?
Thanks!

2009/5/11 Lukasz Bromirski:
> On 2009-05-11 05:31, Dan Letkeman wrote:
>> Hello,
>>
>> I just noticed this on one of our switches:
>> cisco WS-C3560-24TS (PowerPC405) processor (revision E0) with 0K/8184K
>> 12.2(44)SE
>
> Known bug: CSCsq70343.
>
>> cisco WS-C3560-24TS (PowerPC405) processor (revision D0) with
>> 122880K/8184K bytes of memory.
>> 12.2(40)SE
>
>> I'm a bit worried that if I restart this switch that it won't come
>> back up. Anyone seen this before?
>
> Yep. No worry, cosmetic thing.
>
> --
> "Don't expect me to cry for all the | Łukasz Bromirski
> reasons you had to die" -- Kurt Cobain | http://lukasz.bromirski.net
[c-nsp] 3560 memory problem?
Hello,

I just noticed this on one of our switches:

cisco WS-C3560-24TS (PowerPC405) processor (revision E0) with 0K/8184K bytes of memory.
Processor board ID CAT1115RH2K
Last reset from power-on
13 Virtual Ethernet interfaces
24 FastEthernet interfaces
2 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.
12.2(44)SE

All of the other switches show the proper amount of memory:

cisco WS-C3560-24TS (PowerPC405) processor (revision D0) with 122880K/8184K bytes of memory.
Processor board ID CAT1041ZHPN
Last reset from power-on
27 Virtual Ethernet interfaces
24 FastEthernet interfaces
2 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.
12.2(40)SE

I'm a bit worried that if I restart this switch that it won't come back up. Anyone seen this before?

Thanks,
Dan.
[c-nsp] cef load sharing timeouts
Hello,

I have five 827 adsl routers in front of a 2821 for internet access. The 2821 is doing cef load sharing:

ip cef load-sharing algorithm include-ports source destination

Browsing the internet works great, but it seems like large downloads time out often, but not all of the time. When I direct traffic to only one of the 827's instead of the cef load-sharing randomly picking one, then the large downloads work and do not time out.

The 2821 is running: c2800nm-adventerprisek9-mz.124-20.T.bin

Is load-sharing the problem?

Dan.
[c-nsp] 2821 hardware compatibility
Hello,

I'm looking at putting some WIC-1ADSL cards into a 2821 router. I would need to put in 6 of them, but the 2821 only has 4 onboard slots and I was wondering if the NM-2E2W is compatible with a 2821 router so I can add the last two?

Thanks,
Dan.
[c-nsp] passive ftp static nat
Hello,

I'm having trouble logging into our ftp server from an external source. It works when you set the client to active mode, but passive mode always hangs.

2821, IOS Firewall

Relevant config:

ip inspect name SDM_LOW ftp

interface GigabitEthernet0/0
 ip address 10.10.10.1 255.255.255.252
 ip nat inside
!
interface FastEthernet0/0/3
 description Internet
 switchport access vlan 800
 bandwidth 1
 no cdp enable
!
interface Vlan800
 description Internet
 bandwidth 1
 ip address 64.x.x.1 255.255.255.224
 ip access-group firewall in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 no mop enabled
!
ip nat pool 152 64.x.x.1 64.x.x.1 netmask 255.255.255.224
ip nat inside source list internet-152 pool 152 overload
ip nat inside source static tcp 172.16.0.24 21 64.x.x.1 21 extendable
ip nat inside source static tcp 172.16.0.24 80 64.x.x.1 80 extendable
!
ip access-list extended firewall
 permit tcp any host 64.x.x.1 eq ftp
 deny ip any any log
!
ip access-list extended internet-152
 permit tcp host 172.16.0.24 any

I have tried adding "permit tcp any host 64.x.x.1 gt 1024 established" to the firewall acl, but it still does not seem to connect from a passive ftp client.

Dan.
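Passive FTP moves the data connection to a port the server announces on the control channel, so a static NAT entry for port 21 alone covers only the control connection; the `ip inspect ... ftp` ALG exists precisely to read that announcement, rewrite the private address in it, and let the data connection through. The following is an added example, not IOS's inspection code and not from the post: it parses a constructed `227` reply from the server address in the config (172.16.0.24), performs the rewrite, and models which ports a static mapping plus an ALG pinhole make reachable. 203.0.113.1 is a TEST-NET placeholder for the address the post masks as 64.x.x.1.

```python
"""Why passive FTP stalls behind a port-21-only static NAT, and what the FTP
ALG ('ip inspect ... ftp') has to do about it. Added example with a
constructed server reply; not IOS's inspection code. 203.0.113.1 stands in
for the public address the post masks as 64.x.x.1."""
import re

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def parse_data_endpoint(reply: str):
    """Return (ip, port) announced by a 227 PASV reply, or (None, port) for a
    229 EPSV reply, which carries only the port. Raises on anything else."""
    if m := PASV_RE.match(reply):
        a, b, c, d, p1, p2 = map(int, m.groups())
        return f"{a}.{b}.{c}.{d}", p1 * 256 + p2
    if m := EPSV_RE.match(reply):
        return None, int(m[1])
    raise ValueError(f"not a passive-mode reply: {reply!r}")


def format_pasv(ip: str, port: int) -> str:
    """Build a 227 reply; the port is split into high and low bytes."""
    return "227 Entering Passive Mode ({},{},{})".format(
        ",".join(ip.split(".")), port // 256, port % 256)


def alg_rewrite(reply: str, inside_ip: str, public_ip: str):
    """What the ALG does on the control channel: if the server announced its
    private address, substitute the public one and report the data port so
    the firewall can open a pinhole for exactly that connection."""
    ip, port = parse_data_endpoint(reply)
    if ip != inside_ip:
        return reply, None          # nothing to translate (EPSV or foreign address)
    return format_pasv(public_ip, port), port


def data_channel_reachable(port: int, static_ports: set, pinholes: set) -> bool:
    """A static NAT entry only forwards the ports it lists; anything else
    must come through a pinhole the 14ALG opened for the announced data port."""
    return port in static_ports or port in pinholes


# Constructed reply from the server at 172.16.0.24 (the address in the post):
SAMPLE_PASV = "227 Entering Passive Mode (172,16,0,24,195,80)"
STATIC_PORTS = {21, 80}   # the two 'ip nat inside source static tcp' entries

if __name__ == "__main__":
    rewritten, data_port = alg_rewrite(SAMPLE_PASV, "172.16.0.24", "203.0.113.1")
    print(rewritten, "-> data port", data_port)
    print("without ALG pinhole:", data_channel_reachable(data_port, STATIC_PORTS, set()))
    print("with ALG pinhole:   ", data_channel_reachable(data_port, STATIC_PORTS, {data_port}))
```

Without the rewrite the client is told to connect to 172.16.0.24:50000, an address it cannot reach, and without the pinhole even a correctly rewritten 203.0.113.1:50000 is neither statically mapped nor permitted by an ACL that allows port 21 only; that is the hang. A blanket `gt 1024 established` entry does not help because the data connection is a new inbound SYN, not an established one, which is why inspection has to open the port per session.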
Re: [c-nsp] aironet disable ssid when no lan connection
I think the shutdown command would work. Thanks!

On Fri, Apr 3, 2009 at 11:30 PM, Matthew Huff wrote:
> Will "station-role root access-point fallback track fa 0" under the radio
> interface work for you?
>
> On 4/3/09 9:10 PM, "Dan Letkeman" wrote:
>
> Hello,
>
> Is there a command on an 1131ag aironet ap that allows you to disable
> the ssid broadcast if there is no lan connection to the ap?
>
> Thanks,
> Dan.
[c-nsp] aironet disable ssid when no lan connection
Hello,

Is there a command on an 1131ag aironet ap that allows you to disable the ssid broadcast if there is no lan connection to the ap?

Thanks,
Dan.
[c-nsp] multiple wic-1adsl
Hello,

I'm wondering if there is a low cost router that could handle six wic-1adsl cards? I'm looking at replacing six cisco 827 routers (connected to dsl) that are sitting in front of another router which is doing cef load sharing between the six 827's:

users --- cef load sharing router --- six 827 routers, pppoe & nat --- internet
[c-nsp] vpn configuration
Hello,

I have the need to create a vpn between two routers. R2 is behind R1 which is doing nat, and R3 has an interface with a public ip. R3 has to initiate the vpn connection because it has a dynamic public ip. I also need to be able to run ospf across the vpn and monitor the vpn traffic.

What would be the best way to do this? Does anyone have any configuration examples?

Thanks,
Dan.
[c-nsp] 1142 Power Options
Hello,

Has anyone tried powering the new 1142 access points on a 3550-24PWR switch? The docs say it requires only 12.95w of power but they also say it requires an 802.3af switch.

Dan.
[c-nsp] ip dns server load information
Hello,

I'm interested in using a cisco router as a DNS server and I was wondering if anyone has real world experience or documentation that could inform me as to how many users/clients one router could handle if it were the primary dns server. Also, I'm wondering if there is a way to have a router act as a slave dns server? Or would there be a way to cluster them?

Thanks,
Dan.
[c-nsp] IP Sla Configuration
Hello,

I have 5 different routes on our 2821 router and I'm running IP SLA to dynamically remove routes if they are down. The problem is that when I monitor the address of the device, but the link is up but flaky, it still responds and does not remove the route. The device I'm monitoring is an 827 router with an adsl connection. Is there a better way to configure it than what I have done?

ip sla 1
 icmp-echo *.*.56.144
 timeout 3000
 frequency 5
ip sla schedule 1 life forever start-time now

ip route 0.0.0.0 0.0.0.0 192.168.11.101 track 1

track 1 ip sla 1 reachability

Thanks,
Dan.
[c-nsp] 3560 TX Discards
Hello,

When our backups are running there are a few ports on the 3560 that are reporting discards via snmp:

FastEthernet0/1 [ifIndex=10001] TX Discards = 1999/minute

Would this cause any problems or is it basically reporting that the bandwidth is used and it can't transmit the data?

Thanks,
Dan.
Re: [c-nsp] HWIC-4ESW
It was a while ago, but if I remember correctly, it did not work on the hwic, only on the integrated ports. You could pick up a cheap 827 or 837 router on ebay to do the pppoe.

Dan.

On Wed, Nov 19, 2008 at 11:36 AM, Peter Chuba wrote:
> Hi,
>
> I've got a 2801 whose built-in ports are damaged. I was wondering if I could
> add an HWIC-4ESW module and use this to connect to both the provider and
> LAN. And will I be able to do NAT with this setup? Will I also be able to do
> PPPOE on the vlan interface? I think it should work but want to be sure
> before buying the card.
>
> Thanks
Re: [c-nsp] route problem
Sorry for the poor diagram. The vlans are both on the 3560 and the 3560 is in routing mode. Its default route is the 2801 router which does the nat for the internet connection. Normal users are fine because they use our internal dns servers and have access to our internal web server. What is happening on the guest vlan is when someone goes to www.ourwebsite.com (this being our internal web server) they are resolving our external ip address for the site, but they are trying to access the site via the external ip address from the inside of the router. I'm sure it's just an access list problem. Not sure I quite understand how show ip route will help...

Dan.

On Mon, Nov 17, 2008 at 5:48 PM, Rodney Dunn <[EMAIL PROTECTED]> wrote:
> I'm assuming your diagram was:
>
> normal user---vlan 500---3560 switch---2801 router---internet
> guest users---vlan 167--/
>
> such that inter vlan routing would happen on the 3560.
>
> Just follow the packet via 'sh ip route'.
>
> So a normal user goes to a webserver..what is the address?
>
> When the packet leaves the normal user does it make it in the
> 3560 ACL on the ingress interface?
> If so, what does 'sh ip route' say for the destination of the packet?
> Go to next hop...etc..
>
> Rodney
>
> On Mon, Nov 17, 2008 at 05:05:42PM -0600, Dan Letkeman wrote:
>> Hello,
>>
>> I have setup a guest vlan for internet access. When the users connect
>> to the guest network they get only internet access and no access to
>> any of the servers on the rest of the network. The problem I'm having
>> now is that the users on the guest network cannot access our internal
>> web servers. I'm wondering if this is a simple access list problem or
>> is it a route problem?
>>
>> topology is as follows:
>>
>> normal user--vlan 500--3560 switch--2801 router---internet
>>                             |
>>                             |
>> guest users-vlan 167--------
>>
>> There is an access list on vlan 167 on the 3560 switch that only
>> allows the guest users access to the internet. So when I do a trace
>> route from the guest network to the internal web address I get a
>> timeout at the router. The internal web server resolves with our
>> external ip address because the guest users are not using our internal
>> dns servers.
>>
>> Any ideas where I should start?
>>
>> Dan.
[c-nsp] route problem
Hello,

I have setup a guest vlan for internet access. When the users connect to the guest network they get only internet access and no access to any of the servers on the rest of the network. The problem I'm having now is that the users on the guest network cannot access our internal web servers. I'm wondering if this is a simple access list problem or is it a route problem?

topology is as follows:

normal user--vlan 500--3560 switch--2801 router---internet
                            |
                            |
guest users-vlan 167--------

There is an access list on vlan 167 on the 3560 switch that only allows the guest users access to the internet. So when I do a trace route from the guest network to the internal web address I get a timeout at the router. The internal web server resolves with our external ip address because the guest users are not using our internal dns servers.

Any ideas where I should start?

Dan.
[c-nsp] routing email domain
Hello,

Is there any way to route different email traffic by each domain name?

eg: make email from @domain1.com go out route 1.1.1.1 and email from @domain2.com go out route 2.2.2.2

All of this email traffic is coming from the same email server.

Dan.
Re: [c-nsp] ips usbflash
I booted up our test router with a different usb flash card and it shows up after a reload. Must be something with the usb flash card.

Dan.

On Sat, Nov 8, 2008 at 7:26 PM, Christian Koch <[EMAIL PROTECTED]> wrote:
> hmm I can't think of anything else, that is odd..you do have the public
> key configured right?
>
> also how did you copy the sigs to the usb drive, from a pc? or ftp
> through the router?
>
> On Sat, Nov 8, 2008 at 8:04 PM, Dan Letkeman <[EMAIL PROTECTED]> wrote:
>> As far as I know yes.
>>
>> ip ips config location usbflash1:/ retries 5 timeout 10
>>
>> Dan.
>>
>> On Sat, Nov 8, 2008 at 6:56 PM, Christian Koch <[EMAIL PROTECTED]> wrote:
>>> do you have the signature location configured properly?
>>>
>>> ie: ip ips config location flash:(directory)
>>>
>>> On Sat, Nov 8, 2008 at 7:48 PM, Dan Letkeman <[EMAIL PROTECTED]> wrote:
>>>> Hello,
>>>>
>>>> I have configured IPS on a 2821 running the firewall ios. I have the
>>>> configuration and signature files on a usbflash card. It all works
>>>> fine until the router reloads, then the usbflash does not mount. Is
>>>> there a command to load it?
>>>>
>>>> If I do a "show usb device 1" it shows the device, and all the details,
>>>> but I cannot do a dir on the device, and I cannot write to it.
>>>>
>>>> Dan.
[c-nsp] ips usbflash
Hello,

I have configured IPS on a 2821 running the firewall ios. I have the configuration and signature files on a usbflash card. It all works fine until the router reloads, then the usbflash does not mount. Is there a command to load it?

If I do a "show usb device 1" it shows the device, and all the details, but I cannot do a dir on the device, and I cannot write to it.

Dan.
[c-nsp] route-map ftp connection
Hello,

I have a route-map on my 2811 router that sets the next hop for ftp traffic:

route-map inet permit 100
 match ip address ftp
 set ip next-hop 192.168.11.101

The access list looks like this:

1 permit tcp any any eq ftp
2 permit tcp any any eq ftp-data
3 deny ip any any

This seems to work well for active ftp connections but passive ftp connections don't seem to make a connection. Is there something else I can do to make this work with passive ftp connections?

Thanks,
Dan.
[c-nsp] 1131ag vs 521
Hello,

I'm wondering what the main differences between an 1131ag access point and a 521 express access point are? I know the 1131ag has a 5ghz card in it and supports telnet. Are there any other differences between the two? I'm interested in buying about 15-20 access points for one building.

Thanks,
Dan.
Re: [c-nsp] load-sharing round robin time?
I have tried enabling per-packet load balancing, but if I do that then no pages come up in the browser. So I did a tcp-mss adjust on the interface and still no difference.

topology:

lan---squid box---2621 router---4 827 modems (nat & adsl)

Dan.

On Thu, Sep 11, 2008 at 9:12 PM, David Coulson <[EMAIL PROTECTED]> wrote:
> You can set it to use per-packet load balancing instead, assuming all of the
> paths are essentially the same (otherwise you get out of order packets,
> which may not be what you want).
>
> Is the squid box on the 192.168.11.x subnet? If you have ip redirects
> enabled, then the squid box will actually route directly to one of the
> gateways, rather than through the 2621... Not sure how your environment is
> built - Maybe a routing table and some other interface configs would help?
>
> Dan Letkeman wrote:
>> Hello,
>>
>> I'm doing load-sharing on a 2621 router with ios 12.3(26).
>>
>> ip route 0.0.0.0 0.0.0.0 192.168.11.251
>> ip route 0.0.0.0 0.0.0.0 192.168.11.252
>> ip route 0.0.0.0 0.0.0.0 192.168.11.253
>>
>> This was working just fine, but now we implemented a squid cache just
>> behind the router and it strips the source ip, so all of the requests
>> through the router all look like they are coming from the squid box
>> now. What is happening now is the squid box is randomly switching
>> from route to route, but it's taking about 10 minutes to switch from
>> each route. So watching the graphs on the three routers and it's only
>> really using one route at a time. Is there a way to change the time
>> limit for switching routes to make it switch faster?
>>
>> Thanks,
>> Dan.
[c-nsp] load-sharing round robin time?
Hello,

I'm doing load-sharing on a 2621 router with ios 12.3(26).

ip route 0.0.0.0 0.0.0.0 192.168.11.251
ip route 0.0.0.0 0.0.0.0 192.168.11.252
ip route 0.0.0.0 0.0.0.0 192.168.11.253

This was working just fine, but now we implemented a squid cache just behind the router and it strips the source ip, so all of the requests through the router all look like they are coming from the squid box now. What is happening now is the squid box is randomly switching from route to route, but it's taking about 10 minutes to switch from each route. So watching the graphs on the three routers and it's only really using one route at a time. Is there a way to change the time limit for switching routes to make it switch faster?

Thanks,
Dan.
Re: [c-nsp] Recommended 2800 ISR
I have read that document before. Do those numbers (2811 - 61.44 mbps CEF fast switching) mean that it can process that bandwidth with nothing else running on the router?

On Thu, Sep 4, 2008 at 7:43 PM, GIULIANO (UOL) <[EMAIL PROTECTED]> wrote:
> Dan,
>
> Yes. It is a good choice.
>
> Take a look:
>
> http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf
>
> It's an initial guide for router performance.
>
> Att,
>
> Giuliano
>
>> I was wondering if anyone has recommendations for a 2800 series router
>> for a 20-30mbit internet connection. I would like to run a firewall
>> IOS, nat and basic ACLs. Would a 2811 be an appropriate choice?
>>
>> Thanks,
>> Dan.
[c-nsp] Recommended 2800 ISR
I was wondering if anyone has recommendations for a 2800 series router for a 20-30mbit internet connection. I would like to run a firewall IOS, nat and basic ACLs. Would a 2811 be an appropriate choice?

Thanks,
Dan.
Re: [c-nsp] 827 nat translations
Is there a way that you can offload the NAT to a router instead of the 827 handling it?

On Sat, Aug 30, 2008 at 9:29 PM, Adrian Chadd <[EMAIL PROTECTED]> wrote:
> On Sat, Aug 30, 2008, Dan Letkeman wrote:
>> I'm currently running a 2621 just behind the 827(s) which is doing CEF
>> load distribution. I plan on putting in a 2800 series router with the
>> firewall IOS. Do you know if there is a way you can do PPPOE on a sub
>> interface? I plan on having up to 7 ADSL connections in front of the
>> 2800 series connecting via 827's or whatever else works best.
>
> I know it's possible; I've done PPPoE on a subif on a 2651 but I had to be
> -very- selective with my IOS choice. I don't have any saved configs or notes
> from the experience, sorry.
>
> Adrian
>
> --
> - Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
> - $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -
Re: [c-nsp] 827 nat translations
I'm currently running a 2621 just behind the 827(s) which is doing CEF load distribution. I plan on putting in a 2800 series router with the firewall IOS. Do you know if there is a way you can do PPPOE on a sub interface? I plan on having up to 7 ADSL connections in front of the 2800 series connecting via 827's or whatever else works best.

Any suggestions would be appreciated.

Thanks,
Dan.

On Sat, Aug 30, 2008 at 12:10 AM, Adrian Chadd <[EMAIL PROTECTED]> wrote:
> On Fri, Aug 29, 2008, Dan Letkeman wrote:
>> How many nat translations could an 827 router handle? This is for a
>> school environment where there are about 300 workstations (assuming
>> that not everyone would be browsing at once) and a 7mbit internet
>> connection. Could this router handle this kind of load?
>
> Sort of!
>
>> Is there anything I could do to take the load off the cpu?
>
> Grab the latest image and make -certain- you set:
>
> * the global NAT table limit;
> * the per-IP NAT table entry limit;
> * protocol timeouts.
>
> Exhausting memory w/ NAT table entries on the 827 is a trivial thing
> to do with a single PC running bittorrent. 300 PCs could be a bit
> of a challenge. That said, IIRC exhaustion hit with ~ 5000 NAT
> entries, so YMMV.
>
> You may discover after the above that you still run out of RAM.
> You may also find you don't run out of RAM but connections still
> mysteriously disappear. In which case, do what I did - grab some
> other device to do NAT and leave the 827 as a router/bridge.
>
> Adrian
[c-nsp] 827 nat translations
How many nat translations could an 827 router handle? This is for a school environment where there are about 300 workstations (assuming that not everyone would be browsing at once) and a 7mbit internet connection. Could this router handle this kind of load?

Is there anything I could do to take the load off the cpu?

Thanks,
Dan.
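The three NAT settings Adrian lists in his reply above (global table limit, per-host limit, protocol timeouts), written out as an added IOS example that is not from the thread. Values are chosen for illustration; the inside network 10.1.10.0/24 is taken from the 2621 config elsewhere on this page, and Dialer1 as the outside interface and an image that supports NAT translation rate limiting are assumptions.

```cisco
! Added example, not from the thread. Assumed: an IOS image with NAT
! translation rate limiting, inside network 10.1.10.0/24 (from the page's
! 2621 config), Dialer1 as the PPPoE outside interface, illustrative limits.
!
! Global cap: once the table is full, new flows fail instead of the
! router running out of memory.
ip nat translation max-entries 4000
!
! Per-host cap: no single workstation can fill the whole table.
ip nat translation max-entries all-host 100
!
! Reclaim idle entries quickly. Established TCP sessions are kept longest;
! half-open (SYN) and closed (FIN/RST) sessions are dropped within seconds.
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 120
ip nat translation dns-timeout 30
ip nat translation icmp-timeout 30
ip nat translation syn-timeout 30
ip nat translation finrst-timeout 30
!
! The overload (PAT) rule these limits apply to.
ip access-list standard INSIDE
 permit 10.1.10.0 0.0.0.255
ip nat inside source list INSIDE interface Dialer1 overload
!
! Watch table size, hit/miss counts and per-host usage:
!   show ip nat statistics
!   show ip nat translations
```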
Re: [c-nsp] route availability
Yes, I think that should work, but I only have a 2621 router and it looks like those options are not available on that router/ios. Do you have any other ideas?

Dan.

On Sun, Aug 24, 2008 at 12:12 AM, Arie Vayner (avayner) <[EMAIL PROTECTED]> wrote:
> Dan,
>
> Take a look at "Enhanced Object Tracking":
> http://www.cisco.com/en/US/docs/ios/ipapp/configuration/guide/ipapp_eot.html
>
> Arie
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Letkeman
> Sent: Sunday, August 24, 2008 07:27 AM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] route availability
>
> Hello,
>
> I currently have four default routes on a 2621 router that is doing
> load balancing to four adsl modems/routers (which are doing NAT).
>
> ip cef
>
> ip route 0.0.0.0 0.0.0.0 192.168.11.251
> ip route 0.0.0.0 0.0.0.0 192.168.11.252
> ip route 0.0.0.0 0.0.0.0 192.168.11.253
> ip route 0.0.0.0 0.0.0.0 192.168.11.254
>
> This is working for load balancing, but when one of the modems stops
> working I basically lose all connection to the internet. What would be
> the best way to verify the availability of the next hop?
>
> Thanks,
> Dan.
[c-nsp] route availability
Hello,

I currently have four default routes on a 2621 router that is doing load balancing to four adsl modems/routers (which are doing NAT).

ip cef

ip route 0.0.0.0 0.0.0.0 192.168.11.251
ip route 0.0.0.0 0.0.0.0 192.168.11.252
ip route 0.0.0.0 0.0.0.0 192.168.11.253
ip route 0.0.0.0 0.0.0.0 192.168.11.254

This is working for load balancing, but when one of the modems stops working I basically lose all connection to the internet. What would be the best way to verify the availability of the next hop?

Thanks,
Dan.
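An added IOS example (not from either thread) covering both the next-hop availability question above and the IP SLA question at the top of the page, where a flaky 827 link still answered pings and so was never withdrawn. It pins one probe behind each modem and tracks the operation's state with an RTT threshold rather than plain reachability. The next hops are from the post; the probe targets 192.0.2.1/192.0.2.2 (addresses on the far side of each modem) and the timer values are assumptions, and the same pattern repeats for the remaining modems.

```cisco
! Added example, not from the thread. Assumed: 192.0.2.1 and 192.0.2.2 are
! reachable only via modem .251 and .252 respectively; threshold, timeout
! and delay values are illustrative.
!
! Pin each probe target behind its own modem with a host route. Without
! this the probe packets are load-shared across the default routes and
! say nothing about one specific line. These routes are NOT tracked, so
! probing continues after the default route has been withdrawn.
ip route 192.0.2.1 255.255.255.255 192.168.11.251
ip route 192.0.2.2 255.255.255.255 192.168.11.252
!
! ICMP echo probes with an RTT threshold: a reply slower than 500 ms
! returns "over threshold" instead of OK; no reply within 1 s is a timeout.
ip sla 1
 icmp-echo 192.0.2.1
 threshold 500
 timeout 1000
 frequency 5
ip sla schedule 1 life forever start-time now
!
ip sla 2
 icmp-echo 192.0.2.2
 threshold 500
 timeout 1000
 frequency 5
ip sla schedule 2 life forever start-time now
!
! Track "state" (up only while the return code is OK), not "reachability"
! (up for any reply, including over-threshold ones). A line that answers
! but slowly now goes down. The delay dampens flapping: roughly three
! consecutive bad probes before withdrawal, 30 s of good probes before
! the route is reinstalled.
track 1 ip sla 1 state
 delay down 15 up 30
track 2 ip sla 2 state
 delay down 15 up 30
!
! Each default route stays installed only while its track object is up;
! CEF keeps load-sharing over whatever routes remain.
ip route 0.0.0.0 0.0.0.0 192.168.11.251 track 1
ip route 0.0.0.0 0.0.0.0 192.168.11.252 track 2
!
! Verify:
!   show ip sla statistics
!   show track
!   show ip route 0.0.0.0
```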
Re: [c-nsp] ip cef load sharing
My only options for the IP CEF command are as follows:

original    Original algorithm
tunnel      Algorithm for use in tunnel only environments
universal   Algorithm for use in most environments

I tried original, and it seems as if it load balances, but it doesn't switch from modem to modem very fast. But in any case there are a lot fewer problems with this on.

I also found out that the content filter that is before the cisco router is also doing NAT. I'm assuming that's a problem as well because now the router doesn't know what the source IP is anymore.

Any other ideas on how to make this work better?

Thanks,
Dan.

On Sat, Aug 16, 2008 at 6:35 PM, Ben Steele <[EMAIL PROTECTED]> wrote:
> Dan the reason you're having issues is not MTU related, it's NAT related,
> because you have 3 ADSL lines each doing NAT against a different outside IP
> when you turn on per-packet load sharing you end up with flows to the same
> destination having different source IP addresses.
>
> Your only option is per-destination load balancing (ie the default), one way
> you can tweak this a little without breaking too much is to change the
> standard algorithm to include ports.
>
> Try adding "ip cef load-sharing algorithm include-ports destination" into
> your global config once you've removed your per-packet load sharing and see
> how you go.
>
> You are never going to get perfect load balancing in your scenario but if
> you have enough hosts on your LAN it should be sufficient enough, one way
> you can do per-packet is if you get another IP routed down all 3 adsl lines
> and put it on a loopback and NAT everything against that.
>
> Ben
>
> ----- Original Message -----
> From: "Dan Letkeman" <[EMAIL PROTECTED]>
> To: "Rodney Dunn" <[EMAIL PROTECTED]>;
> Sent: Saturday, August 16, 2008 3:29 AM
> Subject: Re: [c-nsp] ip cef load sharing
>
>> Still seem to have the same problem even with this:
>>
>> interface FastEthernet0/0
>>  ip address 10.1.10.1 255.255.255.0
>>  ip tcp adjust-mss 1300
>>  duplex auto
>>  speed auto
>>
>> interface FastEthernet0/1
>>  ip address 192.168.10.1 255.255.255.0
>>  ip load-sharing per-packet
>>  duplex auto
>>  speed auto
>>
>> Dan.
>>
>> On Fri, Aug 15, 2008 at 12:49 PM, Rodney Dunn <[EMAIL PROTECTED]> wrote:
>>> On Fri, Aug 15, 2008 at 12:35:01PM -0500, Dan Letkeman wrote:
>>>> ip load-sharing per-packet
>>>>
>>>> I tried adding this to F0/1 and the trace route works now (it randomly
>>>> picks either line), but there seems to be issues with maybe the MTU?
>>>> If I try to browse websites I get page errors and some of the pictures
>>>> and pages don't load.
>>>
>>> Yep...try configuring "ip tcp adjust-mss 1300" or so on the
>>> ingress interface from the LAN.
>>>
>>>> Any ideas?
>>>>
>>>> Thanks,
>>>> Dan.
>>>>
>>>> On Fri, Aug 15, 2008 at 12:12 PM, Rodney Dunn <[EMAIL PROTECTED]> wrote:
>>>>> Try ip load-sharing per-packet on both egress interfaces.
>>>>>
>>>>> On Fri, Aug 15, 2008 at 12:00:46PM -0500, Dan Letkeman wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I have a 2621 router running 12.3(26) and I would like to setup load
>>>>>> sharing to multiple adsl lines. When I do a traceroute on the router
>>>>>> it randomly picks a dsl line and seems to work fine. But when I do
>>>>>> traceroute tests from a workstation it always seems to take the same
>>>>>> adsl line. Is there something else I need to add to the configuration
>>>>>> to make it pick random lines, or is there a timeout of some sorts
>>>>>> before it will select the next ip route?
>>>>>>
>>>>>> Here is my config:
>>>>>>
>>>>>> !
>>>>>> interface FastEthernet0/0
>>>>>>  ip address 10.1.10.1 255.255.255.0
>>>>>>  duplex auto
>>>>>>  speed auto
>>>>>> !
>>>>>> interface FastEthernet0/1
>>>>>>  ip address 192.168.10.1 255.255.255.0
>>>>>>  duplex auto
>>>>>>  speed auto
>>>>>> !
>>>>>> ip http server
>>>>>> ip classless
>>>>>> ip route 0.0.0.0 0.0.0.0 192.168.10.10
>>>>>> ip route 0.0.0.0 0.0.0.0 192.168.10.11
>>>>>> !
>>>>>>
>>>>>> The two adsl modem/routers I have are 192.168.10.10, and 192.168.10.11
>>>>>>
>>>>>> Thanks,
>>>>>> Dan.
Re: [c-nsp] content filter placement in data center
I'm still a bit confused as to how I would connect this to the router? The filter appliance has an ingress and egress interface and only works in this configuration. Would I route-map incoming traffic and outgoing traffic to and from the router? I would like to make sure all incoming and outgoing traffic is filtered.

I'm visualizing this configuration:

              --internet
              |
switch--router---content filter
              |
              --wccp cache

So if I route-map source ip's (workstations) to the content filter, the content filter will redirect the traffic back to the router and out the default route to the internet, but do I need to route-map the internet traffic back to the content filter? If I don't, won't the traffic just go back into the network unfiltered?

Would I be better off using my current configuration and rather setting up an object track between the switch and router with an alternate route?

eg:

switch--content filter---router---internet
  |                        |
  --------------------------

Thanks,
Dan.

On Sun, Aug 17, 2008 at 6:17 PM, Adrian Chadd <[EMAIL PROTECTED]> wrote:
> On Sun, Aug 17, 2008, Dan Letkeman wrote:
>
>> Is there a way to connect it to the router and use policy routing, and
>> the verify availability option so that if the content filter is down
>> the system still works without it?
>
> Yes.
>
> * Does the content filter speak WCCPv2? Or can you glue it to Squid?
>   If so, try WCCPv2.
>
> * Otherwise, see if your platform/IOS supports object tracking and
>   conditional route maps. You can set things up to use a route-map
>   (or route!) if a destination host is reachable via ICMP.
>
> The archives have details on both of these.
>
> Adrian
[c-nsp] content filter placement in data center
Hello,

I have a few questions regarding content filter placement and routing in the data center. I would like to place our content/spyware/web filter in our data center, but I would like to place it in such a way that if it fails or has problems it does not take everything down.

Currently I have a Cisco router with two fast ethernet interfaces, and I have two internet connections to different ISPs. One of the connections is used for download for all of the users and the other connection is used for services (www, ftp, mail, etc). On the cisco router I am policy routing for those services and for the users. The current content filter is inline with the router and the rest of the network as a default route on the switch.

3560 switch---content filter---router---internet (isp1)
                                 |
                                 ---internet (isp2)

Is there a way to connect it to the router and use policy routing, and the verify availability option so that if the content filter is down the system still works without it?

Thanks,
Dan.
Re: [c-nsp] ip cef load sharing
Still seem to have the same problem even with this:

interface FastEthernet0/0
 ip address 10.1.10.1 255.255.255.0
 ip tcp adjust-mss 1300
 duplex auto
 speed auto

interface FastEthernet0/1
 ip address 192.168.10.1 255.255.255.0
 ip load-sharing per-packet
 duplex auto
 speed auto

Dan.

On Fri, Aug 15, 2008 at 12:49 PM, Rodney Dunn <[EMAIL PROTECTED]> wrote:
> On Fri, Aug 15, 2008 at 12:35:01PM -0500, Dan Letkeman wrote:
>> ip load-sharing per-packet
>>
>> I tried adding this to F0/1 and the trace route works now (it randomly
>> picks either line), but there seems to be issues with maybe the MTU?
>> If I try to browse websites I get page errors and some of the pictures
>> and pages don't load.
>
> Yep...try configuring "ip tcp adjust-mss 1300" or so on the
> ingress interface from the LAN.
>
>> Any ideas?
>>
>> Thanks,
>> Dan.
>>
>> On Fri, Aug 15, 2008 at 12:12 PM, Rodney Dunn <[EMAIL PROTECTED]> wrote:
>>> Try ip load-sharing per-packet on both egress interfaces.
>>>
>>> On Fri, Aug 15, 2008 at 12:00:46PM -0500, Dan Letkeman wrote:
>>>> Hello,
>>>>
>>>> I have a 2621 router running 12.3(26) and I would like to setup load
>>>> sharing to multiple adsl lines. When I do a traceroute on the router
>>>> it randomly picks a dsl line and seems to work fine. But when I do
>>>> traceroute tests from a workstation it always seems to take the same
>>>> adsl line. Is there something else I need to add to the configuration
>>>> to make it pick random lines, or is there a timeout of some sorts
>>>> before it will select the next ip route?
>>>>
>>>> Here is my config:
>>>>
>>>> !
>>>> interface FastEthernet0/0
>>>>  ip address 10.1.10.1 255.255.255.0
>>>>  duplex auto
>>>>  speed auto
>>>> !
>>>> interface FastEthernet0/1
>>>>  ip address 192.168.10.1 255.255.255.0
>>>>  duplex auto
>>>>  speed auto
>>>> !
>>>> ip http server
>>>> ip classless
>>>> ip route 0.0.0.0 0.0.0.0 192.168.10.10
>>>> ip route 0.0.0.0 0.0.0.0 192.168.10.11
>>>> !
>>>>
>>>> The two adsl modem/routers I have are 192.168.10.10, and 192.168.10.11
>>>>
>>>> Thanks,
>>>> Dan.
Re: [c-nsp] ip cef load sharing
ip load-sharing per-packet

I tried adding this to F0/1 and the trace route works now (it randomly picks either line), but there seems to be issues with maybe the MTU? If I try to browse websites I get page errors and some of the pictures and pages don't load.

Any ideas?

Thanks,
Dan.

On Fri, Aug 15, 2008 at 12:12 PM, Rodney Dunn <[EMAIL PROTECTED]> wrote:
> Try ip load-sharing per-packet on both egress interfaces.
>
> On Fri, Aug 15, 2008 at 12:00:46PM -0500, Dan Letkeman wrote:
>> Hello,
>>
>> I have a 2621 router running 12.3(26) and I would like to setup load
>> sharing to multiple adsl lines. When I do a traceroute on the router
>> it randomly picks a dsl line and seems to work fine. But when I do
>> traceroute tests from a workstation it always seems to take the same
>> adsl line. Is there something else I need to add to the configuration
>> to make it pick random lines, or is there a timeout of some sorts
>> before it will select the next ip route?
>>
>> Here is my config:
>>
>> !
>> interface FastEthernet0/0
>>  ip address 10.1.10.1 255.255.255.0
>>  duplex auto
>>  speed auto
>> !
>> interface FastEthernet0/1
>>  ip address 192.168.10.1 255.255.255.0
>>  duplex auto
>>  speed auto
>> !
>> ip http server
>> ip classless
>> ip route 0.0.0.0 0.0.0.0 192.168.10.10
>> ip route 0.0.0.0 0.0.0.0 192.168.10.11
>> !
>>
>> The two adsl modem/routers I have are 192.168.10.10, and 192.168.10.11
>>
>> Thanks,
>> Dan.
[c-nsp] ip cef load sharing
Hello,

I have a 2621 router running 12.3(26) and I would like to setup load sharing to multiple adsl lines. When I do a traceroute on the router it randomly picks a dsl line and seems to work fine. But when I do traceroute tests from a workstation it always seems to take the same adsl line. Is there something else I need to add to the configuration to make it pick random lines, or is there a timeout of some sorts before it will select the next ip route?

Here is my config:

!
interface FastEthernet0/0
 ip address 10.1.10.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.10.1 255.255.255.0
 duplex auto
 speed auto
!
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.10.10
ip route 0.0.0.0 0.0.0.0 192.168.10.11
!

The two adsl modem/routers I have are 192.168.10.10, and 192.168.10.11

Thanks,
Dan.
[c-nsp] best way to load share adsl
Hello,

I would like to setup load sharing on a 2621 for three adsl lines. Currently each of the adsl connections has a modem/router combo which is doing nat. All I need for the cisco router to do is load sharing or load balancing. What would be the best way to do this and could anyone recommend some documentation or a config?

Thanks,
Dan.
[c-nsp] 1252ag backwards compatibility
Hello,

I'm wondering if anyone that has deployed 802.11n 1252 AP's can tell me if you have 802.11g clients and some 802.11n clients all on 2.4ghz, do the 802.11n clients run at 802.11n and the 802.11g clients run at 802.11g? Or does everything run at 802.11g?

Thanks,
Dan.
[c-nsp] shaping http traffic on a 2821
Hello,

I'm wondering if anyone has some good documentation or examples of shaping http traffic on a router. I have been asked to look into this for an educational institute where they don't want to add more bandwidth, but make better use of what they have. The connection is currently a 20mbit connection. I would also like to prioritize traffic so incoming requests to the http server and voip calls get a higher priority.

Thanks,
Dan.
[c-nsp] router as bridge for netflow exports
Hello,

I'm wondering if it should work to set up a router as a bridged device to put in between a couple of switches to do some netflow exports? Or is there a better way to get this kind of data from a link?

Thanks,
Dan.
[c-nsp] route-map local destination device
Hello,

I have a router that is doing some route-maps for various destinations. On the fa0/0 port I have "ip policy route-map inet" and the route-maps are done like this:

route-map inet permit 10
 match ip address 111
 set ip next-hop 187.174.55.2
!
route-map inet permit 40
 match ip address 222
 set ip next-hop 187.174.55.2
!
route-map inet permit 50
 match ip address 333
 set ip next-hop 187.174.55.2

The IP access lists match various internal IPs or IP ranges. Now if I have a device that is connected directly to the router with an ip of 10.1.1.1, none of the internal devices can ping it because they are being route-map'd to different gateways. Is there a way to bypass the route-map if it is a certain destination?

Thanks,
Dan.
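One standard way to exempt a locally attached destination from the policy above, as a constructed IOS configuration example that is not part of the original post: a deny sequence evaluated before the existing ones sends matching packets back to normal routing. The route-map name, the ACL numbers 111/222/333, the next hop and 10.1.1.1 come from the post; access-list 100 is an assumed, unused number.

```text
! Constructed example (not from the post). Packets that match a "deny"
! sequence in a PBR route-map are not policy routed; they follow the
! normal routing table, which has 10.1.1.1 as a connected host.
! Access list 100 is an assumed number; pick any free one.
access-list 100 permit ip any host 10.1.1.1
!
route-map inet deny 5
 match ip address 100
!
! A "permit" sequence with a match but no "set" clause behaves the same way.
! The existing sequences from the post stay as they are:
route-map inet permit 10
 match ip address 111
 set ip next-hop 187.174.55.2
!
route-map inet permit 40
 match ip address 222
 set ip next-hop 187.174.55.2
!
route-map inet permit 50
 match ip address 333
 set ip next-hop 187.174.55.2
!
interface FastEthernet0/0
 ip policy route-map inet
!
! Verification: the match counter on sequence 5 should increase while an
! internal host pings 10.1.1.1.
show route-map inet
```

If the locally attached host is later moved behind another gateway, the deny sequence keeps exempting 10.1.1.1 from policy routing, so the exception list should be reviewed whenever the ACLs 111/222/333 change.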
Re: [c-nsp] combining multiple dsl lines
Yes, I have done that before and it works well.

Thanks
Dan.

On Wed, Jul 23, 2008 at 6:37 PM, Ben Steele <[EMAIL PROTECTED]> wrote:
> If you really want to use route-maps to force your traffic down a certain
> interface at least use it with verify-availability in case your hop goes down
> so you have a back up path, no point forcing traffic down a dsl line that
> has died.
>
> http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtpbrtrk.html
>
> ----- Original Message -----
> From: "Dan Letkeman" <[EMAIL PROTECTED]>
> To: "Ben Steele" <[EMAIL PROTECTED]>;
> Sent: Thursday, July 24, 2008 7:42 AM
> Subject: Re: [c-nsp] combining multiple dsl lines
>
>> The adsl connections are PPPoE and they do not support multilink. I
>> am using nat on the router as well.
>>
>> I guess I will stick with route-maps for now as I know how to
>> configure it and it works well in this configuration.
>>
>> Thanks for the info!
>> Dan.
>>
>> On Tue, Jul 22, 2008 at 11:18 PM, Ben Steele <[EMAIL PROTECTED]> wrote:
>>>
>>> Depends a lot on the adsl connections, are they ppp? does the remote end
>>> support multilink? if so then multilink ppp is a good option providing
>>> all 4 lines are the same characteristics.
>>>
>>> Otherwise other options are cef load balancing, what type will depend on
>>> whether you are using NAT or not as you want to make sure the packet flow
>>> takes the right path, load balancing using the source/dest port algorithm
>>> works quite well though, probably wouldn't recommend per packet over
>>> adsl.
>>>
>>> The route-map way is ok but wouldn't utilise the links as well as cef
>>> load balancing or ppp multilink could.
>>>
>>> Another option worth throwing in is the use of ip sla on your routes so
>>> as to remove them from the equation should one link go down, can also be
>>> done with the route-map using verify-availability on the next-hop option.
>>>
>>> Ben
>>>
>>> On 23/07/2008, at 1:39 PM, Dan Letkeman wrote:
>>>
>>>> I have a customer that is wanting to combine 4 adsl connections through
>>>> one router. In the past I have set up systems where I have taken
>>>> groups of IPs from the internal network and have route-map'd them to
>>>> different adsl connections. Is there a way to "combine" the dsl
>>>> connections or is using route-maps still the better way to go?
>>>>
>>>> Thanks,
>>>> Dan.
Re: [c-nsp] combining multiple dsl lines
The adsl connections are PPPoE and they do not support multilink. I am using nat on the router as well.

I guess I will stick with route-maps for now as I know how to configure it and it works well in this configuration.

Thanks for the info!
Dan.

On Tue, Jul 22, 2008 at 11:18 PM, Ben Steele <[EMAIL PROTECTED]> wrote:
> Depends a lot on the adsl connections, are they ppp? does the remote end
> support multilink? if so then multilink ppp is a good option providing all 4
> lines are the same characteristics.
>
> Otherwise other options are cef load balancing, what type will depend on
> whether you are using NAT or not as you want to make sure the packet flow
> takes the right path, load balancing using the source/dest port algorithm
> works quite well though, probably wouldn't recommend per packet over adsl.
>
> The route-map way is ok but wouldn't utilise the links as well as cef load
> balancing or ppp multilink could.
>
> Another option worth throwing in is the use of ip sla on your routes so as
> to remove them from the equation should one link go down, can also be done
> with the route-map using verify-availability on the next-hop option.
>
> Ben
>
> On 23/07/2008, at 1:39 PM, Dan Letkeman wrote:
>
>> I have a customer that is wanting to combine 4 adsl connections through
>> one router. In the past I have set up systems where I have taken
>> groups of IPs from the internal network and have route-map'd them to
>> different adsl connections. Is there a way to "combine" the dsl
>> connections or is using route-maps still the better way to go?
>>
>> Thanks,
>> Dan.
[c-nsp] combining multiple dsl lines
I have a customer that is wanting to combine 4 adsl connections through one router. In the past I have set up systems where I have taken groups of IPs from the internal network and have route-map'd them to different adsl connections. Is there a way to "combine" the dsl connections or is using route-maps still the better way to go?

Thanks,
Dan.
[c-nsp] 7961G won't boot
Hello,

I have a 7961G that won't boot up. It powers on via PoE, shows the cisco splash screen with the checkmark in the bottom left corner, then shows the upgrading screen for a few seconds, then says error on the upgrading screen, then goes back to the cisco splash screen and there is a circle with a dot in the middle of it on the bottom left corner. Is there any way to fix this?

Thanks,
Dan.
Re: [c-nsp] preventing unwanted devices on the network
Ya, is there any way to do that without third party devices?

On Sat, May 31, 2008 at 11:42 PM, Joe Maimon <[EMAIL PROTECTED]> wrote:
> You want a product that does nat detection.
>
> Have a look at this vendor
>
> https://www.bradfordnetworks.com
>
> Dan Letkeman wrote:
>>
>> Hello,
>>
>> I'm looking for the best way to prevent unwanted wireless routers or
>> other unwanted bridging devices on a network. For example a wireless
>> router with the wan port plugged in to the network or a router in
>> bridging mode with dhcp off.
>>
>> From other posts I have read about using dhcp snooping. I'm wondering
>> if it works when someone plugs in a router into a switch because the
>> "wan" port will only request an address, the dhcp will be on the
>> router's "lan" side.
>>
>> Also I would like to prevent unwanted static ip addresses on this
>> network as well. My current setup is a 3560 switch which has multiple
>> 2960 switches connected to it. I would like to prevent this type of
>> traffic right at the edge ports. Would an access list be the
>> appropriate way to protect this? Unfortunately port security will not
>> work for us.
>>
>> Thanks,
>> Dan.
Re: [c-nsp] preventing unwanted devices on the network
Thanks for this info. I will look into this some more, but I think there should be some stuff here that should help me.

On Sat, May 31, 2008 at 4:43 PM, <[EMAIL PROTECTED]> wrote:
> Hi,
>
>> Also I would like to prevent unwanted static ip addresses on this
>> network as well. My current setup is a 3560 switch which has multiple
>> 2960 switches connected to it. I would like to prevent this type of
>> traffic right at the edge ports. Would an access list be the
>> appropriate way to protect this? Unfortunately port security will not
>> work for us.
>
> you'll probably want the IP source guard functionality. this means
> the device will only touch IP addresses that are known via its
> IP to MAC binding table generated via DHCP (DHCP snooping drives
> the show)
>
> really it's all part of the 'Turn It On' program.
>
> http://www.cisco.com/web/strategy/docs/gov/turniton_cisf.pdf
>
> alan
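The DHCP snooping plus IP source guard combination Alan describes, as a constructed IOS configuration example for an edge 2960 that is not part of the original thread: VLAN 10, the port numbers, the uplink interface and the static binding MAC/IP are assumed values, and the platform and IOS release are assumed to support IP source guard.

```text
! Constructed example (not from the thread). DHCP snooping builds the
! IP-to-MAC binding table; IP source guard on the edge ports drops any IP
! packet whose source is not in that table. VLAN 10, the interface names
! and the static binding values below are assumed.
ip dhcp snooping
ip dhcp snooping vlan 10
!
interface GigabitEthernet0/1
 description uplink to 3560 (the DHCP server is reached through it)
 ! trusted: DHCP server replies are accepted only from this port
 ip dhcp snooping trust
!
interface range FastEthernet0/1 - 24
 description edge ports
 switchport mode access
 switchport access vlan 10
 ! untrusted by default: DHCP OFFER/ACK arriving here are dropped, which
 ! blocks a rogue DHCP server; rate limit stops a client flooding the table
 ip dhcp snooping limit rate 10
 ! drop IP traffic whose source address has no snooping binding on this port
 ip verify source
!
! A host with a static address (e.g. a printer) gets no DHCP binding and
! would be dropped, so it needs an explicit one (assumed MAC/IP/port):
ip source binding 0011.2233.4455 vlan 10 10.1.10.50 interface FastEthernet0/5
!
! Verification:
show ip dhcp snooping
show ip dhcp snooping binding
show ip verify source
```

A NAT router plugged in by its wan port obtains a single binding via DHCP and sources all of its clients' traffic from that one address and MAC, so IP source guard alone does not expose the devices behind it; what the untrusted port does stop is any DHCP server traffic that router would send if its lan side were plugged in instead.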
[c-nsp] preventing unwanted devices on the network
Hello,

I'm looking for the best way to prevent unwanted wireless routers or other unwanted bridging devices on a network. For example a wireless router with the wan port plugged in to the network or a router in bridging mode with dhcp off.

From other posts I have read about using dhcp snooping. I'm wondering if it works when someone plugs a router into a switch because the "wan" port will only request an address; the dhcp will be on the router's "lan" side.

Also I would like to prevent unwanted static ip addresses on this network as well. My current setup is a 3560 switch which has multiple 2960 switches connected to it. I would like to prevent this type of traffic right at the edge ports. Would an access list be the appropriate way to protect this? Unfortunately port security will not work for us.

Thanks,
Dan.
[c-nsp] blocking skype traffic
Hello,

Is there any way to block skype traffic with the cisco firewall IOS?

Thanks,
Dan.
[c-nsp] 1131ag input and crc errors
Hello,

I have an 1131ag that has a lot of input and crc errors on both the wlan interface and the ethernet interface. It seems to be an ongoing thing; it has the latest IOS, and is connected to an edge switch which is connected to the core switch. All other traffic seems to be fine on that switch. Could it be a hardware problem?

Dan.