Re: [c-nsp] SD-WAN design for large scale

2020-04-07 Thread Hitesh Vinzoda
Look at Aryaka SDWAN which solves all these problems.

Cheers
Hitesh

On Tue, Mar 24, 2020 at 12:38 AM omar parihuana wrote:

>  Guys, I've just read the following document:
>
>
> https://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/sd-wan/white-paper-c11-743108.html
>
>
> So I am asking about the IPsec tunnel scalability in large SD-WAN
> deployments. One benefit of L3VPN in MPLS is the full mesh connectivity.
> From the point of view of the CE, one default route could be enough. Now in the
> SD-WAN data plane, if I want a full mesh topology, a lot of IPsec tunnels are
> established... maybe I am wrong, but I will expect n(n-1)/2 IPsec tunnels
> (without considering the second path), so for example if I have 300 branches I
> could expect 37350 tunnels... really? So hub-and-spoke will be the
> solution... comments please... maybe it is time to say goodbye to full mesh
> in SD-WAN deployments?
>
> --
> Omar E.P.T
> -
> Certified Networking Professionals make better Connections!
> ___
> cisco-nsp mailing list  cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>


[c-nsp] DSL-Qos

2014-09-03 Thread Hitesh Vinzoda
Hi,

I am trying to mark packets at VAI interfaces and then use these markings to
classify traffic into different classes when they exit the router downstream
to the carrier. I don't see packets being classified at the physical interface,
yet the IP precedence accounting shows the correct marking.

This is on a 7200 running 12.2(33)SRE6 SP services.

Scenario:

Traffic IN >>> LNS>>> VAI (policy outbound mark traffic) >>> Physical
interface >>(Shaping + queueing)

Configuration

VAI Class-maps and policy-map

class-map match-all GOLD
  match access-group 101

class-map match-all SILVER
  match access-group 102

access-list 101 permit icmp host 111.111.111.111 any
access-list 102 permit icmp host 222.222.222.222 any

policy-map STD_POLICY1
  class GOLD
   set dscp af21
  class SILVER
   set dscp af22
  class class-default


Show commands for VAI

LNS#show policy-map session
 SSS session identifier 7 -

  Service-policy output: STD_POLICY1

Class-map: GOLD (match-all)
  4135 packets, 4522926 bytes
  30 second offered rate 9000 bps, drop rate  bps
  Match: access-group 101
  QoS Set
dscp af21
  Packets marked 4138

Class-map: SILVER (match-all)
  3649 packets, 3831450 bytes
  30 second offered rate 9000 bps, drop rate  bps
  Match: access-group 102
  QoS Set
dscp af22
  Packets marked 3653

Class-map: class-default (match-any)
  418 packets, 37270 bytes
  30 second offered rate  bps, drop rate  bps
  Match: any

LNS# show access-lists
Extended IP access list 101
10 permit icmp host 111.111.111.111 any (4171 matches)
Extended IP access list 102
10 permit icmp host 222.222.222.222 any (3685 matches)




Physical Interface Class-map and policy-map Configuration:


class-map match-all EF
  match  dscp ef
class-map match-any CS1
  match  dscp af11
  match  dscp af12
  match  dscp af13
class-map match-any CS2
  match  dscp af21
  match  dscp af22
  match  dscp af23
  match  dscp cs2
class-map match-any CS3
  match  dscp af31
  match  dscp af32
  match  dscp af33
class-map match-any CS4
  match  dscp af41
  match  dscp af42
  match  dscp af43

policy-map CHILD_POLICY
  class EF
   priority percent 10
  class CS4
   bandwidth percent 30
   random-detect dscp-based
   fair-queue
  class CS3
   bandwidth percent 20
   random-detect dscp-based
   fair-queue
  class CS2
   bandwidth percent 10
   fair-queue
   random-detect dscp-based
  class CS1
   bandwidth percent 5
   fair-queue
   random-detect dscp-based
  class class-default

>> Shaping policy

policy-map PARENT_1M_POLICY
  class class-default
   shape average 100
   service-policy CHILD_POLICY

SHOW COMMANDS FOR PHYSICAL INT

LNS# show policy-map interface
 FastEthernet0/0

  Service-policy output: PARENT_1M_POLICY

Class-map: class-default (match-any)
  1148 packets, 90689 bytes
  5 minute offered rate  bps, drop rate  bps
  Match: any
  Queueing
  queue limit 64 packets
  (queue depth/total drops/no-buffer drops) 0/0/0
  (pkts output/bytes output) 8439/7685662
  shape (average) cir 100, bc 4000, be 4000
  target shape rate 100

  Service-policy : CHILD_POLICY

queue stats for all priority classes:
  Queueing
  queue limit 64 packets
  (queue depth/total drops/no-buffer drops) 0/0/0
  (pkts output/bytes output) 0/0

Class-map: EF (match-all)
  0 packets, 0 bytes
  5 minute offered rate  bps, drop rate  bps
  Match:  dscp ef (46)
  Priority: 10% (100 kbps), burst bytes 2500, b/w exceed drops: 0


Class-map: CS4 (match-any)
  0 packets, 0 bytes
  5 minute offered rate  bps, drop rate  bps
  Match:  dscp af41 (34)
0 packets, 0 bytes
5 minute rate 0 bps
  Match:  dscp af42 (36)
0 packets, 0 bytes
5 minute rate 0 bps
  Match:  dscp af43 (38)
0 packets, 0 bytes
5 minute rate 0 bps
  Queueing
  queue limit 64 packets
  (queue depth/total drops/no-buffer drops/flowdrops) 0/0/0/0
  (pkts output/bytes output) 0/0
  bandwidth 30% (300 kbps)
Exp-weight-constant: 9 (1/512)
Mean queue depth: 0 packets
    dscp    Transmitted      Random drop      Tail/Flow drop  Minimum  Maximum  Mark
            pkts/bytes       pkts/bytes       pkts/bytes      thresh   thresh   prob

  Fair-queue: per-flow queue limit 16

Class-map: CS3 (match-any)
  0 packets, 0 bytes
  5 minute offered rate  bps, drop rate  bps
  Match:  dscp af31 (26)
0 packets, 0 bytes
5 minute rate 0 bps
  Match:  dscp af32 (28)
0 packets, 0 bytes
5 minute rate 0 bps
  Match:  dscp af33 (30)
0 packets, 0 bytes
5 minute rate 0 bps

Re: [c-nsp] asr1001 4 full bgp feed

2013-08-01 Thread Hitesh Vinzoda
Thanks all, Looks like we are sorted at the moment.

Cheers
Hitesh


On Thu, Aug 1, 2013 at 2:17 PM, Chris Balmain wrote:

> You will need advipservices for MPLS
>
> On 01/08/2013, at 6:18 PM, "Hitesh Vinzoda" <vinzoda.hit...@gmail.com> wrote:
>
> I think its better to go for 1002-x instead of 1001 as we have to take
> IPv6 route table growth in calculation as well. any comments on licensing.
>
> Thanks
> Hitesh
>
>
> On Thu, Aug 1, 2013 at 1:44 PM, Adam Vitkovsky <adam.vitkov...@swan.sk> wrote:
> > Given the relentless growth of the global v4 table,
> > I wouldn't feel comfortable with a FIB capability of 512K.
> > How long do you think that'll suffice?
>
> Well looking at the weekly GRT report for past few weeks it's roughly 41
> weeks.
> 456943,
> 457245,
> 458665,
> 459588,
> 460435,
>
>
> adam
>
>
>


Re: [c-nsp] asr1001 4 full bgp feed

2013-08-01 Thread Hitesh Vinzoda
I think it's better to go for the 1002-x instead of the 1001, as we have to take
IPv6 route table growth into the calculation as well. Any comments on licensing?

Thanks
Hitesh


On Thu, Aug 1, 2013 at 1:44 PM, Adam Vitkovsky wrote:

> > Given the relentless growth of the global v4 table,
> > I wouldn't feel comfortable with a FIB capability of 512K.
> > How long do you think that'll suffice?
>
> Well looking at the weekly GRT report for past few weeks it's roughly 41
> weeks.
> 456943,
> 457245,
> 458665,
> 459588,
> 460435,
>
>
> adam
>
>


Re: [c-nsp] asr1001 4 full bgp feed

2013-08-01 Thread Hitesh Vinzoda
Thanks guys,

What license do we need for BGP, MPLS? Would Advanced IP Services
suffice, as the software advisor tool on Cisco is not much help?

Thanks
Hitesh


On Thu, Aug 1, 2013 at 12:45 PM, Łukasz Bromirski wrote:

> Yes, FIB only stores best paths (400k+), so you need to make sure you have
> at least 8GB of RAM and should be good to go.
>
> On the other hand, having better ESP would make sense in terms of future
> growth, so take a look at ASR 1002X.
>
> --
> ./
>
> On 1 Aug 2013, at 08:09, Hitesh Vinzoda wrote:
>
> > hi all,
> >
> > could anyone confirm if asr1001  can take 4 full bgp feed of 450k routes
> > each.
> >
> > i know that it has limitation of 512k for fib but not sure  if thats for
> > only forwarding table which i reckon would be all best routes around 450k
> > but assuming that we can hold 1.4 million routes that is 450k from each
> > peer in rib using more ram.
> >
> > please comment
> >
> > thanks
> > Hitesh

[c-nsp] asr1001 4 full bgp feed

2013-07-31 Thread Hitesh Vinzoda
Hi all,

Could anyone confirm if the asr1001 can take 4 full bgp feeds of 450k routes
each?

I know that it has a limitation of 512k for fib but I am not sure if that's for
only the forwarding table, which I reckon would be all best routes, around 450k,
but assuming that we can hold 1.4 million routes, that is 450k from each
peer in rib using more ram.

Please comment

thanks
Hitesh


Re: [c-nsp] VTP and shared medium

2012-12-24 Thread Hitesh Vinzoda
hi there,

Can you please share the output of show interface xxx trunk

Thanks


On Mon, Dec 24, 2012 at 10:34 AM, Victor Sudakov  wrote:

> And second question. If one port is in trunk mode and the other in
> access mode, shouldn't the untagged native Vlan1 traffic still flow as
> normal?
>


Re: [c-nsp] client VPN

2012-12-23 Thread Hitesh Vinzoda
What is the purpose of the Cisco router here? Just set the internet modem in
bridged mode and let the Cisco ASA have the public IP address (ASA can do
PPPoE if required).

HTH
Hitesh Vinzoda


On Wed, Dec 19, 2012 at 12:25 AM, osama hammoudeh <
osama.hammou...@ad-tech.com.jo> wrote:

> Dears
>
> I have cisco router connected to internet modem and the public ip modem,
> and cisco router connected to cisco ASA as the following:
>
> Modem:
> Public ip on wan interface 2.2.2.2
> Private ip 192.168.200.1 (this interface connected to cisco router)
>
> Cisco router:
> External interface IP 192.168.200.2 (this interface connected to the
> modem)
> Internal interface ip 192.168.201.1 (this interface connected to the
> ASA)
>
> Cisco ASA:
> External interface IP 192.168.201.2 (this interface connected to the
> cisco router)
> Internal interface IP 192.168.1.1 (this interface used as LAN gateway)
>
> We need to configure client vpn on ASA, how can we do this setup on ASA
> and the Public IP on modem.
>
> Best Regards,
>


Re: [c-nsp] me3600x - g0/25 ?!

2012-12-23 Thread Hitesh Vinzoda
Looks like a cosmetic bug..

Thanks
Hitesh Vinzoda


On Thu, Dec 20, 2012 at 8:01 PM, Aaron  wrote:

> Doesn't seem to get rid of it.  Here's what I just now did...
>
> - Rebooted.still there.
> - Tried to conf tno int g0/25got message that I can't remove
> hardware int
> - Downloaded nvram:startup-configremoved g0/25 from ascii
> fileuploaded startup-config to nvram...verified g0/25 wasn't in
> therereloadedguess what, g0/25 is not in startup config even after
> reload, but g0/25 is in running config.  Also... conf t, int g0/?  Shows
> options 1-25
>
> Funny and weird
>
> Aaron
>
> -Original Message-
> From: Christian Meutes [mailto:christ...@errxtx.net]
> Sent: Wednesday, December 19, 2012 7:39 PM
> To: Aaron
> Cc: 
> Subject: Re: [c-nsp] me3600x - g0/25 ?!
>
> Happens when you insert SFPs in the SFP+ interfaces. Only way to get rid of
> them is a reboot.
>
> --
>Christian
>
> On 20.12.2012, at 03:29, "Aaron"  wrote:
>
> > Any idea why I see an interface g0/25 on my me3600x?  this may be
> > following the ios upgrade to 15.3(1)S
> >
> >
> >
> > There are only 24 physical sfp interfaces on this box
> >
> >
> >
> > Aaron
> >
> >
> >


Re: [c-nsp] VTP and shared medium

2012-12-23 Thread Hitesh Vinzoda
Hi Victor,

Can you post the configuration on the other end. Seems like it hasn't
negotiated the trunk. Further you can also DTP using below command

Switchport nonegotiate

Thanks
Hitesh Vinzoda


On Fri, Dec 21, 2012 at 9:50 AM, Victor Sudakov  wrote:

> >
> > I have configured a VTP domain and a VTP password on all the switches,
> > however changes to the vlan database and other VTP information are not
> > propagated to all the switches, or sometimes to some of the switches.
>
> The possible reason is that some ports are in access mode though
> configured for trunk mode? Why could that be?
>
> !
> interface GigabitEthernet0/1
>  switchport trunk encapsulation dot1q
>  switchport mode trunk
>
> #sh int GigabitEthernet0/1 switchport
>
> Switchport: Enabled
> Administrative Mode: trunk
> Operational Mode: static access
> Administrative Trunking Encapsulation: dot1q
> Operational Trunking Encapsulation: native
> Negotiation of Trunking: On
> Access Mode VLAN: 1 (default)
>
> Why is the port in static access mode while it is configured as
> "switchport mode trunk" and has the administrative mode "trunk"?
>
> --
> Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
> sip:suda...@sibptus.tomsk.ru


Re: [c-nsp] pptp connection to 2600 with Windows VPN failing.

2012-12-14 Thread Hitesh Vinzoda
just remove the MPPE configuration under virtual-template and try...!

Thanks
Hitesh Vinzoda


On Fri, Dec 14, 2012 at 1:23 AM, Gert Doering  wrote:

> Hi,
>
> On Thu, Dec 13, 2012 at 04:59:10PM +0100, Christophe Lucas wrote:
> > interface Virtual-Template1
> >  ip unnumbered FastEthernet0/0
> >  autodetect encapsulation ppp
> >  peer default ip address pool vpn
> >  ppp encrypt mppe auto
> >  ppp authentication ms-chap-v2
>
> JFTR, I hope everybody on this list is aware that PPTP with MPPE/MS-CHAP-v2
> is about as secure as using PAP and no encryption.
>
> If someone is able to sniff your PPTP/MPPE-Session, all they need is to
> insert $200 into cloudcracker.com, and next morning they will have the
> NTLM HASH needed to authenticate against the server, impersonating the
> VPN client.
>
> See here for a detailed description:
>
>
> http://www.h-online.com/security/features/A-death-blow-for-PPTP-1716768.html
>
> Use IPSEC, SSL-VPN or OpenVPN.
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
>//
> www.muc.de/~gert/
> Gert Doering - Munich, Germany
> g...@greenie.muc.de
> fax: +49-89-35655025
> g...@net.informatik.tu-muenchen.de
>
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
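
A defensive check for the point made in the quoted message about PPTP with MPPE/MS-CHAP-v2, as an added example that is not part of the thread: a Python audit that scans an IOS configuration for Virtual-Template interfaces relying on MS-CHAP or MPPE and reports whether a `vpdn-group` binds them to PPTP. Only the Virtual-Template1 stanza comes from the thread; the rest of the sample config and all function names are constructed for illustration.

```python
import re

# Constructed sample. Only the Virtual-Template1 stanza comes from the thread;
# the vpdn-groups and Virtual-Template2 are constructed for the example.
SAMPLE_CONFIG = """\
vpdn enable
!
vpdn-group 1
 accept-dialin
  protocol pptp
  virtual-template 1
!
vpdn-group 2
 accept-dialin
  protocol l2tp
  virtual-template 2
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 autodetect encapsulation ppp
 peer default ip address pool vpn
 ppp encrypt mppe auto
 ppp authentication ms-chap-v2
!
interface Virtual-Template2
 ip unnumbered Loopback0
 ppp authentication chap
!
"""

# MS-CHAP-v2 is the method named in the thread; MS-CHAP (v1) is included
# here as an assumption of this example because it is weaker still.
WEAK_AUTH = {"ms-chap", "ms-chap-v2"}


def parse_stanzas(config):
    """Split an IOS config into {top-level line: [stripped sub-commands]}."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.strip() == "!":
            # An unindented "!" ends the stanza; an indented one is a separator.
            if not line.startswith(" "):
                current = None
            continue
        if not line.startswith(" "):
            current = line
            stanzas[current] = []
        elif current is not None:
            stanzas[current].append(line.strip())
    return stanzas


def audit_pptp(config):
    """Return one finding per Virtual-Template that uses MS-CHAP or MPPE."""
    stanzas = parse_stanzas(config)

    # Virtual-Template numbers referenced by vpdn-groups that accept PPTP.
    pptp_templates = set()
    for header, body in stanzas.items():
        if header.startswith("vpdn-group ") and "protocol pptp" in body:
            for cmd in body:
                m = re.fullmatch(r"virtual-template (\d+)", cmd)
                if m:
                    pptp_templates.add(m.group(1))

    findings = []
    for header, body in stanzas.items():
        m = re.fullmatch(r"interface Virtual-Template(\d+)", header)
        if not m:
            continue
        auth = [c for c in body if c.startswith("ppp authentication ")]
        methods = auth[0].split()[2:] if auth else []
        ms_chap = any(method in WEAK_AUTH for method in methods)
        mppe = any(c.startswith("ppp encrypt mppe") for c in body)
        if ms_chap or mppe:
            findings.append({
                "interface": "Virtual-Template" + m.group(1),
                "ms_chap": ms_chap,
                "mppe": mppe,
                "bound_to_pptp": m.group(1) in pptp_templates,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_pptp(SAMPLE_CONFIG):
        print(finding)
```

A finding with `bound_to_pptp` set is the case the quoted message describes; the remediation it gives is to move those users to IPsec, SSL-VPN or OpenVPN.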


Re: [c-nsp] private vlan ports

2012-12-14 Thread Hitesh Vinzoda
This could be helpful. It's an excerpt from Cisco's website.

Follow these guidelines when configuring PVLANs:

•To configure a PVLAN correctly, enable VTP in transparent mode.

•Do not include VLAN 1 or VLANs 1002 through 1005 in PVLANs.

•Use only PVLAN commands to assign ports to primary, isolated, or community
VLANs.

Layer 2 interfaces on primary, isolated, or community VLANs are inactive in
PVLANs. Layer 2 trunk interfaces remain in the STP forwarding state.

•You cannot configure Layer 3 VLAN interfaces for secondary VLANs.

Layer 3 VLAN interfaces for isolated and community (secondary) VLANs are
inactive while the VLAN is configured as an isolated or community VLAN.

•Do not configure PVLAN ports as EtherChannel.

EtherChannel ports in PVLANs are inactive.

•Do not configure private VLAN ports as EtherChannels. While a port is part
of the private VLAN configuration, its associated EtherChannel
configuration is inactive.

•Do not apply dynamic access control entries (ACEs) to primary VLANs.

Cisco IOS dynamic ACL configuration applied to a primary VLAN is inactive
while the VLAN is part of the PVLAN configuration.

•To prevent spanning tree loops due to misconfigurations, enable PortFast
on the PVLAN trunk ports with the *spanning-tree portfast trunk* command.

•Any VLAN ACL configured on a secondary VLAN is effective in the input
direction, and any VLAN ACL configured on the primary VLAN associated with
the secondary VLAN is effective in the output direction.

•You can stop Layer 3 switching on an isolated or community VLAN by
deleting the mapping of that VLAN with its primary VLAN.

•PVLAN ports can be on different network devices as long as the devices are
trunk-connected and the primary and secondary VLANs remain associated with
the trunk.

•Isolated ports on two different devices cannot communicate with each
other, but community VLAN ports can.

•Private VLANs support the following SPAN features:

–You can configure a private VLAN port as a SPAN source port.

–You can use VLAN-based SPAN (VSPAN) on primary, isolated, and community
VLANs or use SPAN on only one VLAN to monitor egress or ingress traffic
separately.

For more information about SPAN, see Chapter 37, "Configuring SPAN and
RSPAN."

•A primary VLAN can be associated with multiple community VLANs, but only
one isolated VLAN.

•An isolated or community VLAN can be associated with only one primary VLAN.

•If you delete a VLAN used in a private VLAN configuration, the private
VLAN ports associated with the VLAN become inactive.

•VTP does not support private VLANs. You must configure private VLANs on
each device in which you plan to use private VLAN ports.

•To maintain the security of your PVLAN configuration and avoid other use
of VLANs configured as PVLANs, configure PVLANs on all intermediate
devices, even if the devices have no PVLAN ports.

•Prune the PVLANs from trunks on devices that carry no traffic in the
PVLANs.

•With port ACLs functionality available, you can apply Cisco IOS ACLs to
secondary VLAN ports and Cisco IOS ACLs to PVLANs (VACLs). For more
information on VACLs, see Chapter 32, "Configuring Network Security with
ACLs."

•You can apply different quality of service (QoS) configurations to
primary, isolated, and community VLANs. (See Chapter 26, "Configuring
QoS.")
Cisco IOS ACLs applied to the Layer 3 VLAN interface of a primary VLAN
automatically apply to the associated isolated and community VLANs.

•On a PVLAN trunk port a secondary VLAN ACL is applied on ingress traffic
and a primary VLAN ACL is applied on egress traffic.

•On a promiscuous port the primary VLAN ACL is applied on ingress traffic.

•PVLAN trunk ports support only IEEE 802.1q encapsulation.

•You cannot change the VTP mode to client or server for PVLANs.

•An isolated or community VLAN can have only one primary VLAN associated
with it.

•VTP does not support PVLANs. You must configure PVLANs on each device
where you want PVLAN ports.

•Community VLANs cannot be propagated or carried over private VLAN trunks.


Thanks

Hitesh


On Thu, Dec 13, 2012 at 7:29 PM, Christian Bösch  wrote:

> Hi,
>
> Two questions regarding Cisco private vlan ports:
>
> _I have a switch with a couple of vlans which are carried over 2 trunk
> ports bundled
> to an etherchannel to the upper router where they are routed with L3 vlan
> interfaces.
> On the switch I want some isolated private vlan ports, but I cannot set a
> promiscuous port because
> it is an etherchannel. Is there a workaround how to solve this or is this
> setup impossible?
>
> _I think private ports are working with an ingress ACL in the background?
> So what about
> IPv6 if the switc
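
Several of the guidelines quoted in the reply above are mechanical enough to check before a change, including the EtherChannel restriction the question runs into. The following Python validator is an added example, not part of the thread or of Cisco's documentation; it assumes IOS-style `private-vlan`, `switchport private-vlan` and `channel-group` syntax, and the sample configuration and function names are constructed.

```python
import re

RESERVED = {1, 1002, 1003, 1004, 1005}  # "Do not include VLAN 1 or VLANs 1002 through 1005"

# Constructed configuration with deliberate violations (not from the thread).
SAMPLE = """\
vtp mode server
vlan 100
 private-vlan primary
 private-vlan association 101,102,103
vlan 101
 private-vlan isolated
vlan 102
 private-vlan isolated
vlan 103
 private-vlan community
vlan 200
 private-vlan primary
 private-vlan association 103
vlan 1002
 private-vlan community
interface GigabitEthernet0/1
 switchport private-vlan mapping 100 101-103
 switchport mode private-vlan promiscuous
 channel-group 1 mode on
interface GigabitEthernet0/2
 switchport private-vlan host-association 100 101
 switchport mode private-vlan host
"""


def expand(vlan_list):
    """Expand an IOS VLAN list such as '101,103-105' into a set of ints."""
    out = set()
    for part in vlan_list.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def parse(config):
    """Collect VTP mode, PVLAN roles, primary associations and port flags."""
    vtp_mode, vlans, assoc, ports, section = None, {}, {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" "):  # top-level command starts a new section
            section = None
            if m := re.fullmatch(r"vtp mode (\S+)", line):
                vtp_mode = m.group(1)
            elif m := re.fullmatch(r"vlan (\d+)", line):
                section = ("vlan", int(m.group(1)))
            elif m := re.fullmatch(r"interface (\S+)", line):
                section = ("port", m.group(1))
                ports[m.group(1)] = {"pvlan": False, "channel": False}
        elif section and section[0] == "vlan":
            if m := re.fullmatch(r"private-vlan (primary|isolated|community)", line):
                vlans[section[1]] = m.group(1)
            elif m := re.fullmatch(r"private-vlan association ([\d,-]+)", line):
                assoc[section[1]] = expand(m.group(1))
        elif section:
            if line.startswith(("switchport mode private-vlan", "switchport private-vlan")):
                ports[section[1]]["pvlan"] = True
            elif line.startswith("channel-group "):
                ports[section[1]]["channel"] = True
    return vtp_mode, vlans, assoc, ports


def check(config):
    """Return a list of guideline violations as tuples, in a stable order."""
    vtp_mode, vlans, assoc, ports = parse(config)
    issues = []
    # A missing "vtp mode" line is treated as not transparent (assumption).
    if vlans and vtp_mode != "transparent":
        issues.append(("VTP_NOT_TRANSPARENT", vtp_mode))
    issues += [("RESERVED_VLAN", v) for v in sorted(vlans) if v in RESERVED]
    primaries_of = {}
    for primary in sorted(assoc):
        isolated = tuple(sorted(v for v in assoc[primary] if vlans.get(v) == "isolated"))
        if len(isolated) > 1:  # only one isolated VLAN per primary
            issues.append(("MULTIPLE_ISOLATED", primary, isolated))
        for sec in assoc[primary]:
            primaries_of.setdefault(sec, []).append(primary)
    for sec in sorted(primaries_of):
        if len(primaries_of[sec]) > 1:  # a secondary belongs to one primary only
            issues.append(("SECONDARY_MULTI_PRIMARY", sec, tuple(primaries_of[sec])))
    for name in sorted(ports):
        if ports[name]["pvlan"] and ports[name]["channel"]:
            issues.append(("ETHERCHANNEL_PVLAN_PORT", name))
    return issues


if __name__ == "__main__":
    for issue in check(SAMPLE):
        print(issue)
```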

Re: [c-nsp] Multicast through Cisco ME-3600

2012-11-24 Thread Hitesh Vinzoda
Hi Reuben,

This is what I thought, that we are on a very early release of IOS. Show
commands for OSPF don't reveal much, while the OSPF debugs reveal that
they are sending hellos but the neighbor's hellos are not seen on both devices.

This pretty much suggests that the ME3600 is unable to handle multicast through
EFP.

MTU is fine and I also think that it will come into the picture only during DBD
exchange, and they get stuck in exstart state, which is not the case here.

Further, I don't see any special configuration under EFP where we
have to define supportive config for multicast.

Thanks for the inputs though.

Best regards,
Hitesh

On Sat, Nov 24, 2012 at 4:12 PM, Reuben Farrelly
wrote:

>
>


[c-nsp] Multicast through Cisco ME-3600

2012-11-24 Thread Hitesh Vinzoda
Hi,

I have recently noticed that routers running OSPF connected to two
different ports and communicating via EFPs configured on a Cisco ME3600
cannot form an OSPF neighborship.

I can't see hellos sent from the other end, while unicast and broadcast do
work, as I can see the ARP on both ends and we have end-to-end pings.

Has anyone faced the same issue? I don't think it's a limitation. My
configuration for the setup is as below

TEST-RTR01 >>> PORT21- ME3600- PORT22 >> TEST-RTR2

Relevant configuration and code.

interface GigabitEthernet0/21
 description TEST-JUNIPER-2200
 port-type nni
 switchport trunk allowed vlan none
 switchport mode trunk
 service instance 1 ethernet
  description OSPF-TEST
  encapsulation dot1q 80
  bridge-domain 5050
 !
end

thn-me09#show run int gi0/22
Building configuration...

Current configuration : 255 bytes
!
interface GigabitEthernet0/22
 description TEST-4200-1-0-22
 port-type nni
 switchport trunk allowed vlan none
 switchport mode trunk
 service instance 1 ethernet
  description OSPF-TEST
  encapsulation dot1q 80
  bridge-domain 5050
 !


Cisco IOS Software, ME360x Software (ME360x-UNIVERSAL-M), Version
12.2(52)EY3, RELEASE SOFTWARE (fc1)


Thanks in advance
Hitesh


Re: [c-nsp] Half duplex VRF

2012-10-12 Thread Hitesh Vinzoda
Hi Gerald,

I have tested this and worked like charm.. thanks for sharing the working
configuration.

Best Regards
Hitesh

On Fri, Oct 12, 2012 at 9:02 AM, Hitesh Vinzoda wrote:

> Hi Gerald,
>
> Thanks for your inputs. Will try this configuration and let you know how
> it goes..!
>
> Cheers
> Hitesh
>
>
> On Thu, Oct 11, 2012 at 9:50 PM, Gerald Krause  wrote:
>
>> Hi Hitesh,
>>
>> just to let you know how our working config looks like. We had some
>> problems in the beginning with Half duplex VRF on earlier IOS versions.
>> Now we're running 122-33.SRE on a NPE-G2 and it works as expected.
>>
>> Traffic from site1 to site2 (both terminated via L2TP/PPP on the same
>> LNS) will be directed (egress) to port GE0/3.148 towards the firewall
>> 10.99.16.254 and then back (ingress) on port GE0/3.149 if the firewall
>> permit the traffic.
>>
>>
>> LNS CONFIG
>> ==
>>
>> LNS1#sh run vrf CUSTVRF-DOWN
>> Building configuration...
>>
>> Current configuration : 603 bytes
>> ip vrf CUSTVRF-DOWN
>>  rd 100:2
>>  route-target export 100:2
>>  route-target import 100:2
>> !
>> !
>> interface GigabitEthernet0/3.149
>>  encapsulation dot1Q 149
>>  ip vrf forwarding CUSTVRF-DOWN
>>  ip address 10.99.16.227 255.255.255.240
>> !
>> router bgp 1
>>  !
>>  address-family ipv4 vrf CUSTVRF-DOWN
>>   no synchronization
>>   redistribute connected
>>   redistribute static
>>  exit-address-family
>> !
>> end
>>
>>
>> LNS1#sh run vrf CUSTVRF-UP
>> Building configuration...
>>
>> Current configuration : 816 bytes
>> ip vrf CUSTVRF-UP
>>  rd 100:3
>>  route-target export 100:3
>>  route-target import 100:1
>> !
>> !
>> interface GigabitEthernet0/3.148
>>  encapsulation dot1Q 148
>>  ip vrf forwarding CUSTVRF-UP
>>  ip address 10.99.16.243 255.255.255.240
>> !
>> interface Loopback102
>>  description CUSTVRF
>>  ip vrf forwarding CUSTVRF-UP
>>  ip address 10.99.17.254 255.255.255.255
>> !
>> router bgp 1
>>  !
>>  address-family ipv4 vrf CUSTVRF-UP
>>   no synchronization
>>   redistribute connected
>>   redistribute static
>>   default-information originate
>>  exit-address-family
>> !
>> ip route vrf CUSTVRF-UP 0.0.0.0 0.0.0.0 10.99.16.254
>> end
>>
>>
>> RADIUS ACCOUNTS (freeRadius)
>> ===
>>
>> cust-vrfsite1  Password == 
>>   Cisco-AVPair += ip:ip-unnumbered=Loopback102
>>   Cisco-AVPair += ip:addr=10.99.17.68
>>   Cisco-AVPair += ip:vrf-id=CUSTVRF-UP downstream CUSTVRF-DOWN
>>   Cisco-AVPair += ip:route=10.98.8.0 255.255.255.0
>>
>> cust-vrfsite2  Password == 
>>   Cisco-AVPair += ip:ip-unnumbered=Loopback102
>>   Cisco-AVPair += ip:addr=10.99.17.69
>>   Cisco-AVPair += ip:vrf-id=CUSTVRF-UP downstream CUSTVRF-DOWN
>>   Cisco-AVPair += ip:route=10.98.9.0 255.255.255.0
>>
>>
>>
>> Gerald
>>
>>
>> On 11.10.2012 07:45, Hitesh Vinzoda wrote:
>> > Hi Arie,
>> >
>> > This is already in place and the virtual-access interfaces belong to this
>> > vrf and so do their PPP host router.
>> >
>> > These routes are not visible in upstream vrf U which is great but these
>> > routes do appear in Downstream vrf D so that is the reason they route
>> > locally and don't go towards hub CE.
>> >
>> > The illustrations that I have seen before have CE sites connected on
>> > different PE routers whereas in my case the CE routers are connected to
>> > same PE and hence we want to avoid local routing on the LNS.
>> >
>> > Please let me know your thoughts over this.
>> >
>> > Thanks
>> > Hitesh
>> >
>> > On Wed, Oct 10, 2012 at 11:27 PM, Arie Vayner (avayner)
>> > wrote:
>> >
>> >>  So basically your PPP connections are in the global routing table…
>> >>
>> >> What is the profile you are downloading from RADIUS (debug radius) for
>> >> them?
>> >>
>> >> You most likely should be downloading the “ip vrf forwarding U downstream
>> >> D” command using the RADIUS attribute “lcp:interface-config=ip vrf
>> >> forwarding U downstream D”…
>> >>
>> >> http://www.cisco.com/en/US/docs/ios/12_3/feature/guide/ghdpvrf.html#wp

Re: [c-nsp] Half duplex VRF

2012-10-11 Thread Hitesh Vinzoda
Hi Gerald,

Thanks for your inputs. Will try this configuration and let you know how it
goes..!

Cheers
Hitesh

On Thu, Oct 11, 2012 at 9:50 PM, Gerald Krause  wrote:

> Hi Hitesh,
>
> just to let you know how our working config looks like. We had some
> problems in the beginning with Half duplex VRF on earlier IOS versions.
> Now we're running 122-33.SRE on a NPE-G2 and it works as expected.
>
> Traffic from site1 to site2 (both terminated via L2TP/PPP on the same
> LNS) will be directed (egress) to port GE0/3.148 towards the firewall
> 10.99.16.254 and then back (ingress) on port GE0/3.149 if the firewall
> permit the traffic.
>
>
> LNS CONFIG
> ==
>
> LNS1#sh run vrf CUSTVRF-DOWN
> Building configuration...
>
> Current configuration : 603 bytes
> ip vrf CUSTVRF-DOWN
>  rd 100:2
>  route-target export 100:2
>  route-target import 100:2
> !
> !
> interface GigabitEthernet0/3.149
>  encapsulation dot1Q 149
>  ip vrf forwarding CUSTVRF-DOWN
>  ip address 10.99.16.227 255.255.255.240
> !
> router bgp 1
>  !
>  address-family ipv4 vrf CUSTVRF-DOWN
>   no synchronization
>   redistribute connected
>   redistribute static
>  exit-address-family
> !
> end
>
>
> LNS1#sh run vrf CUSTVRF-UP
> Building configuration...
>
> Current configuration : 816 bytes
> ip vrf CUSTVRF-UP
>  rd 100:3
>  route-target export 100:3
>  route-target import 100:1
> !
> !
> interface GigabitEthernet0/3.148
>  encapsulation dot1Q 148
>  ip vrf forwarding CUSTVRF-UP
>  ip address 10.99.16.243 255.255.255.240
> !
> interface Loopback102
>  description CUSTVRF
>  ip vrf forwarding CUSTVRF-UP
>  ip address 10.99.17.254 255.255.255.255
> !
> router bgp 1
>  !
>  address-family ipv4 vrf CUSTVRF-UP
>   no synchronization
>   redistribute connected
>   redistribute static
>   default-information originate
>  exit-address-family
> !
> ip route vrf CUSTVRF-UP 0.0.0.0 0.0.0.0 10.99.16.254
> end
>
>
> RADIUS ACCOUNTS (freeRadius)
> ===
>
> cust-vrfsite1  Password == 
>   Cisco-AVPair += ip:ip-unnumbered=Loopback102
>   Cisco-AVPair += ip:addr=10.99.17.68
>   Cisco-AVPair += ip:vrf-id=CUSTVRF-UP downstream CUSTVRF-DOWN
>   Cisco-AVPair += ip:route=10.98.8.0 255.255.255.0
>
> cust-vrfsite2  Password == 
>   Cisco-AVPair += ip:ip-unnumbered=Loopback102
>   Cisco-AVPair += ip:addr=10.99.17.69
>   Cisco-AVPair += ip:vrf-id=CUSTVRF-UP downstream CUSTVRF-DOWN
>   Cisco-AVPair += ip:route=10.98.9.0 255.255.255.0
>
>
>
> Gerald
>
>
> On 11.10.2012 07:45, Hitesh Vinzoda wrote:
> > Hi Arie,
> >
> > This is already in place and the virtual-access interfaces belong to this
> > vrf and so do their PPP host router.
> >
> > These routes are not visible in upstream vrf U which is great but these
> > routes do appear in Downstream vrf D so that is the reason they route
> > locally and don't go towards hub CE.
> >
> > The illustrations that I have seen before have CE sites connected on
> > different PE routers whereas in my case the CE routers are connected to
> > same PE and hence we want to avoid local routing on the LNS.
> >
> > Please let me know your thoughts over this.
> >
> > Thanks
> > Hitesh
> >
> > On Wed, Oct 10, 2012 at 11:27 PM, Arie Vayner (avayner)
> > wrote:
> >
> >>  So basically your PPP connections are in the global routing table…
> >>
> >> What is the profile you are downloading from RADIUS (debug radius) for
> >> them?
> >>
> >> You most likely should be downloading the “ip vrf forwarding U downstream
> >> D” command using the RADIUS attribute “lcp:interface-config=ip vrf
> >> forwarding U downstream D”…
> >>
> >> http://www.cisco.com/en/US/docs/ios/12_3/feature/guide/ghdpvrf.html#wp1099907
> >>
> >> Arie
> >>
> >> From: Hitesh Vinzoda [mailto:vinzoda.hit...@gmail.com]
> >> Sent: Wednesday, October 10, 2012 00:44
> >> To: Arie Vayner (avayner)
> >> Cc: Cisco Mailing list
> >> Subject: Re: [c-nsp] Half duplex VRF
> >>
> >> Hi Arie,
> >>
> >> Below is the desired excerpt. We can't see the VRF config being applied to
> >> the interfaces but it's visible in "show ip int virtual-access". I have
> >> tried
Re: [c-nsp] Half duplex VRF

2012-10-10 Thread Hitesh Vinzoda
Hi Arie,

This is already in place and the virtual-access interfaces belong to this
vrf and so do their PPP host router.

These routes are not visible in upstream vrf U which is great but these
routes do appear in Downstream vrf D so that is the reason they route
locally and don't go towards hub CE.

The illustrations that I have seen before have CE sites connected on
different PE routers whereas in my case the CE routers are connected to
same PE and hence we want to avoid local routing on the LNS.

Please let me know your thoughts over this.

Thanks
Hitesh

On Wed, Oct 10, 2012 at 11:27 PM, Arie Vayner (avayner)
wrote:

>  So basically your PPP connections are in the global routing table…
>
> What is the profile you are downloading from RADIUS (debug radius) for
> them?
>
> You most likely should be downloading the “ip vrf forwarding U downstream
> D” command using the RADIUS attribute “lcp:interface-config=ip vrf
> forwarding U downstream D”…
>
> http://www.cisco.com/en/US/docs/ios/12_3/feature/guide/ghdpvrf.html#wp1099907
>
> Arie
>
> *From:* Hitesh Vinzoda [mailto:vinzoda.hit...@gmail.com]
> *Sent:* Wednesday, October 10, 2012 00:44
> *To:* Arie Vayner (avayner)
> *Cc:* Cisco Mailing list
> *Subject:* Re: [c-nsp] Half duplex VRF
>
> Hi Arie,
>
> Below is the desired excerpt. We can't see the VRF config being applied to
> the interfaces but it's visible in "show ip int virtual-access". I have
> tried two different ways in RADIUS attributes but the results are the same.
>
> LNS#show ppp all
> Interface/ID OPEN+ Nego* Fail- Stage    Peer Address    Peer Name
>  -  ---
>
> Vi4  LCP+ CHAP+ IPCP+  LocalT   192.168.254.200 \
> sp...@cerberusnetworks.co.uk
> Vi3  LCP+ CHAP+ IPCP+  LocalT   192.168.254.100 \
> m...@cerberusnetworks.co.uk
> LNS#show run int vir
> LNS#show run int virtual-acc
> LNS#show run int virtual-access 3
> Building configuration...
>
> Current configuration : 78 bytes
> !
> interface Virtual-Access3
>  ip mtu 1492
>  ip verify unicast reverse-path
> end
>
> LNS#show run int virtual-access 4
> Building configuration...
>
> Current configuration : 78 bytes
> !
> interface Virtual-Access4
>  ip mtu 1492
>  ip verify unicast reverse-path
> end
> =
>
> LNS#show ip int virtual-access 3
> Virtual-Access3 is up, line protocol is up
>   Interface is unnumbered. Using address of Loopback2 (2.2.2.1)
>   Broadcast address is 255.255.255.255
>   Peer address is 192.168.254.100
>   MTU is 1492 bytes
>   Helper address is not set
>   Directed broadcast forwarding is disabled
>   Outgoing access list is not set
>   Inbound  access list is not set
>   Proxy ARP is enabled
>   Local Proxy ARP is disabled
>   Security level is default
>   Split horizon is enabled
>   ICMP redirects are always sent
>   ICMP unreachables are always sent
>   ICMP mask replies are never sent
>   IP fast switching is enabled
>   IP Flow switching is disabled
>   IP CEF switching is enabled
>   IP CEF switching turbo vector
>   IP CEF turbo switching turbo vector
>   VPN Routing/Forwarding "U"
>   Downstream VPN Routing/Forwarding "D"
>   Associated unicast routing topologies:
> ipv4 topologies in downstream VRF "D" :
> Topology "base", operation state is UP
> ipv4 topologies in upstream(forwarding) VRF "U":
> Topology "base", operation state is UP
> ===
> Thanks
> Hitesh
>
> On Tue, Oct 9, 2012 at 9:52 PM, Arie Vayner (avayner) 
> wrote:
>
> Hitesh, how does your virtual-access look like for the spokes?
>
> Can you please share the “show run interface virtual-access xx” for the
> spokes?
>
>  
>
> Tnx
>
> Arie
>
>  
>
> *From:* Hitesh Vinzoda [mailto:vinzoda.hit...@gmail.com]
> *Sent:* Tuesday, October 09, 2012 09:0

Re: [c-nsp] Half duplex VRF

2012-10-10 Thread Hitesh Vinzoda
Hi Arie,

Below is the desired excerpt. We can't see the VRF config being applied to
the interfaces but it's visible in "show ip int virtual-access". I have
tried two different ways in RADIUS attributes but the results are the same.

LNS#show ppp all
Interface/ID OPEN+ Nego* Fail- Stage    Peer Address    Peer Name
 -  ---

Vi4  LCP+ CHAP+ IPCP+  LocalT   192.168.254.200 \
sp...@cerberusnetworks.co.uk
Vi3  LCP+ CHAP+ IPCP+  LocalT   192.168.254.100 \
m...@cerberusnetworks.co.uk
LNS#show run int vir
LNS#show run int virtual-acc
LNS#show run int virtual-access 3
Building configuration...

Current configuration : 78 bytes
!
interface Virtual-Access3
 ip mtu 1492
 ip verify unicast reverse-path
end

LNS#show run int virtual-access 4
Building configuration...

Current configuration : 78 bytes
!
interface Virtual-Access4
 ip mtu 1492
 ip verify unicast reverse-path
end
=

LNS#show ip int virtual-access 3
Virtual-Access3 is up, line protocol is up
  Interface is unnumbered. Using address of Loopback2 (2.2.2.1)
  Broadcast address is 255.255.255.255
  Peer address is 192.168.254.100
  MTU is 1492 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF switching turbo vector
  IP CEF turbo switching turbo vector
  VPN Routing/Forwarding "U"
  Downstream VPN Routing/Forwarding "D"
  Associated unicast routing topologies:
ipv4 topologies in downstream VRF "D" :
Topology "base", operation state is UP
ipv4 topologies in upstream(forwarding) VRF "U":
Topology "base", operation state is UP
===
Thanks
Hitesh

On Tue, Oct 9, 2012 at 9:52 PM, Arie Vayner (avayner) wrote:

>  Hitesh, how does your virtual-access look like for the spokes?
>
> Can you please share the “show run interface virtual-access xx” for the
> spokes?
>
> Tnx
>
> Arie
>
> *From:* Hitesh Vinzoda [mailto:vinzoda.hit...@gmail.com]
> *Sent:* Tuesday, October 09, 2012 09:05
> *To:* Arie Vayner (avayner)
> *Cc:* Cisco Mailing list
> *Subject:* Re: [c-nsp] Half duplex VRF
>
> Hi Arie,
>
> I have attached topology, .Net file and configs of related devices. R8 and
> R9 are simulating spokes whereas Internet-RTR is simulating Hub.
>
> Cheers
>
> Hitesh
>
> On Tue, Oct 9, 2012 at 8:37 PM, Arie Vayner (avayner)
> wrote:
>
> Hitesh, can you maybe share some of your configs?
> Arie
>
>
> -Original Message-
> From: cisco-nsp-boun...@puck.nether.net [mailto:
> cisco-nsp-boun...@puck.nether.net] On Behalf Of Hitesh Vinzoda
> Sent: Tuesday, October 09, 2012 07:04
> To: Cisco Mailing list
> Subject: [c-nsp] Half duplex VRF
>
> I am trying to set up half duplex vrf to save VRFs on the LNS. Does anyone
> have a working configuration for spokes and Hub connected on the same PE
> router, i.e. LNS? So far I am able to export-import the routes but the traces
> from one spoke to the other go directly via LNS instead of via Hub.
>
> Please advise.
>
> TIA
> Hitesh
>


Re: [c-nsp] Half duplex VRF

2012-10-09 Thread Hitesh Vinzoda
Hi Arie,

I have attached topology, .Net file and configs of related devices. R8 and
R9 are simulating spokes whereas Internet-RTR is simulating Hub.

Cheers

Hitesh

On Tue, Oct 9, 2012 at 8:37 PM, Arie Vayner (avayner) wrote:

> Hitesh, can you maybe share some of your configs?
> Arie
>
> -Original Message-
> From: cisco-nsp-boun...@puck.nether.net [mailto:
> cisco-nsp-boun...@puck.nether.net] On Behalf Of Hitesh Vinzoda
> Sent: Tuesday, October 09, 2012 07:04
> To: Cisco Mailing list
> Subject: [c-nsp] Half duplex VRF
>
> I am trying to set up half duplex vrf to save VRFs on the LNS. Does anyone
> have a working configuration for spokes and Hub connected on the same PE
> router, i.e. LNS? So far I am able to export-import the routes but the traces
> from one spoke to the other go directly via LNS instead of via Hub.
>
> Please advise.
>
> TIA
> Hitesh

[c-nsp] Half duplex VRF

2012-10-09 Thread Hitesh Vinzoda
I am trying to set up half duplex vrf to save VRFs on the LNS. Does anyone
have a working configuration for spokes and Hub connected on the same PE
router, i.e. LNS? So far I am able to export-import the routes but the traces
from one spoke to the other go directly via LNS instead of via Hub.

Please advise.

TIA
Hitesh


Re: [c-nsp] Cisco 7200 LNS Multilink per-user RADIUS attributes

2012-08-07 Thread Hitesh Vinzoda
Hi,

Try using Radreply as Cisco-Avpair += "multilink:max-links=2" instead
of "="

HTH

Thanks
Hitesh Vinzoda

On Tue, Aug 7, 2012 at 8:27 PM, Steve Glendinning wrote:

> Hi all,
>
> I'm trying to configure multilink PPP on a Cisco 7200 (NPE-G2) LNS
> (12.4(4)XD11), but the LNS is refusing to create the bundle:
>
> Aug  7 15:44:19 BST: Vi714 MLP: Request add link to bundle
> Aug  7 15:44:19 BST: Vi714 MLP: Adding link to bundle
> Aug  7 15:44:19 BST: Vi714 MLP: Missing AAA per-user attributes
> Aug  7 15:44:19 BST: Vi714 MLP: Bundle failed in creation/cloning
> Aug  7 15:44:19 BST: Vi714 MLP: Link not added to bundle
> Aug  7 15:44:19 BST: Vi714 IPCP: LCP not open, discarding packet
> Aug  7 15:44:21 BST: Vi714 IPCP: LCP not open, discarding packet
> Aug  7 15:44:23 BST: Vi714 IPCP: LCP not open, discarding packet
> Aug  7 15:44:25 BST: Vi714 IPCP: LCP not open, discarding packet
>
> Any idea how I can find out which AAA per-user attribute(s) it's
> missing and complaining about?
>
> The RADIUS server is returning these attributes for the account:
>
> Aug  7 15:16:58 BST: RADIUS:  Service-Type        [6]   6   Framed [2]
> Aug  7 15:16:58 BST: RADIUS:  Framed-Protocol     [7]   6   PPP [1]
> Aug  7 15:16:58 BST: RADIUS:  Framed-IP-Netmask   [9]   6   255.255.255.255
> Aug  7 15:16:58 BST: RADIUS:  Framed-IP-Address   [8]   6   xx.xx.xx.xx
> Aug  7 15:16:58 BST: RADIUS:  Vendor, Cisco       [26]  46
> Aug  7 15:16:58 BST: RADIUS:   Cisco AVpair       [1]   40  "ip:dns-servers=xx.xx.xx.xx yy.yy.yy.yy"
> Aug  7 15:16:58 BST: RADIUS:  Vendor, Cisco       [26]  45
> Aug  7 15:16:58 BST: RADIUS:   Cisco AVpair       [1]   39  "ipv6:prefix#1=:::::/64"
> Aug  7 15:16:58 BST: RADIUS:  Vendor, Cisco       [26]  39
> Aug  7 15:16:58 BST: RADIUS:   Cisco AVpair       [1]   33  "ipv6:route#1=::::/48"
> Aug  7 15:16:58 BST: RADIUS:  Acct-Interim-Interva[85]  6   3600
>
> And I've tried also adding these with no joy:
>
> Cisco-Avpair = "multilink:max-links=2"
> Cisco-Avpair = "multilink:min-links=1"
> Cisco-Avpair = "multilink:load-threshold=10"
> Cisco-Avpair = "preauth:ppp-multilink=1"
>
> Thanks,
> --
> Steve Glendinning


[c-nsp] Cisco 7600 with MWAM as a LNS

2012-04-22 Thread Hitesh Vinzoda
Hi,

I am researching Cisco MWAM with Cisco 7600 for LNS deployment and have a few
questions in mind. I hope someone has already worked on it, or maybe someone
from Cisco can tell me about it, as there are few resources available for
MWAM on the Cisco website as well as the Internet.

What we are trying to achieve here is traditional wholesale DSL where L2TP
tunnels are handed over to us and we provide them the PPP connections over
VPDN as well as some MLPPP stuff whenever required. I know that MWAMs are
end of sale and are replaced by SAMI, but still I believe they may fit our
requirement till Dec 2014, when the support for MWAM ends, and later we can
move to some other Cisco kit.

Here is the list of the features or services that we currently use on Cisco
7206 VXR acting as an LNS.

   1. PPPoVPDN
   2. OSPF
   3. VRF over DSL using Cisco Vendor Specific Attribute
   4. VPDN Multi-hop
   5. Multilink PPP
   6. AAA accounting periodic update
   7. PE-CE dynamic routing over PPPoVPDN or just per vrf OSPF/RIP/EIGRP
   8. Some basic subinterfaces for dot1q VLAN tagging to transit VRFs
   through the core.
   9. DHCP Proxy client

Can the above requirements be accommodated with 7600 with MWAM? I would
appreciate it if someone can shed some light on this and share their
experience as well as thoughts on this.

Thanks in advance

Hitesh


Re: [c-nsp] router does not see IGMP joins

2012-04-18 Thread Hitesh Vinzoda
Hi,

Is PIM enabled on that interface ?

Thanks
Hitesh

On Thu, Apr 19, 2012 at 8:06 AM, Victor Sudakov  wrote:

> Victor Sudakov wrote:
> >
> > What could be the reason that a Cisco 1841 router (IOS 12.4(13r)T)
> > does not see IGMP joins to a particular group? tcpdump shows that the
> > joins are being sent to the network, however "debug ip igmp 224.0.1.3"
> > does not show them.
>
> It seems that the problem disappeared after the host sending IGMP
> joins was moved from a hub (10BASE-T HD) to a switch (100BASE-T FD).
>
> I am still confused about the possible cause of the problem.
>
> --
> Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
> sip:suda...@sibptus.tomsk.ru


[c-nsp] Cisco SAMI modules

2012-04-18 Thread Hitesh Vinzoda
Hi,

Could anyone confirm whether Cisco SAMI module on 7600 supports traditional
ppp over vpdn wholesale broadband?

Thanks
Hitesh


Re: [c-nsp] IP address assignment to pppoe clients - Radius or DHCP

2011-03-21 Thread Hitesh Vinzoda
Thanks for all your support.

Now the scenario is how to achieve redundancy in an LNS environment; I
have heard that HSRP doesn't work in this case.

TIA

Hitesh

On Wed, Mar 9, 2011 at 12:28 AM, Bjørn Mork  wrote:

> Hitesh Vinzoda  writes:
>
> > But the problem is How to assign the
> > DNS ip addresses and default gateway or default route  using
> > Radius, though I m carrying wrong perception as there is as such no
> > attribute in Radius which assigns DNS ip addresses from Radius. these makes
> > me to think that it is the job of DHCP servers.
>
> There are no standard RADIUS attributes for DNS server assignment, but
> many vendors have vendor specific solutions.  Cisco's would be
>
>  Cisco-AVPair := "ip:dns-servers=10.0.0.1 10.0.0.2"
>
>
> Most ppp clients will point their default route to the other end of the
> ppp link, i.e. whatever unnumbered interface you are referring to in
> your Virtual-Template.  I don't understand why you would want to set via
> RADIUS.  AFAIK, IPCP doesn't include any routing information, so you
> would have to run some other protocol over the PPP link to communicate
> the route to the client. DHCP would fit.
>
>
> Bjørn
>


[c-nsp] IP address assignment to pppoe clients - Radius or DHCP

2011-03-08 Thread Hitesh Vinzoda
Hi all,

I am trying to assign the IP address to a PPPoE client using Radius. The
scenario is basically that we will have PPPoE clients (not Cisco AFAIK) and they
will be authenticated against FreeRadius from the LNS. I tried to find some
documentation about it but found none.

Especially, I have seen scenarios where ADSL clients retrieve an IP address
automatically with DNS server and default gateway to reach the internet as
soon as PPPoE is up. I tried it using Radius using 
attribute and it works like a charm. But the problem is how to assign the
DNS IP addresses and default gateway or default route  using
Radius, though I am carrying the wrong perception as there is as such no
attribute in Radius which assigns DNS IP addresses from Radius. This makes
me think that it is the job of DHCP servers.

Anyone out there who is running an ADSL ISP setup is requested to share how
they basically assign the IP addresses to ADSL PPPoE clients, using Radius
or DHCP, and how?

Thanks in advance

Hitesh Vinzoda


[c-nsp] High Memory Usage due to NAT

2009-07-23 Thread Hitesh Vinzoda
I am facing a strange issue regarding NAT. The problem statement is as
below.

NAT configured on 3845 with 12.4.24 T ADV ENT SERVICES


   - Have got 64 /25 inside subnets to do the NAT with 64 live IPs, one
   each for each /25 inside subnet.
   - I checked the processes and memory on the freshly loaded router, which comes
   out to be 49 MB of free memory.
   - Started the NAT on the router with 8 of the /25 inside IP pools with policy NAT
   to 8 live IPs. The router hung within 3 hours due to no availability of
   free memory. Rebooted it and removed the NAT.
   - Checked the Cisco website for NAT; it says 312 bytes per translation, which
   gives us around 3 MB for 1 translations. Checked the logs and found peak
   translations to be only 15000.
   - Found that the problem was the NAT ACL with an any statement in the destination
   portion (extended one). Changed it to a standard ACL with no any statement.
   - Reviewed and resumed the NAT on the router. It works now but it uses around
   20 MB of memory for just 1 translation entries.
   - Checked the UDP, TCP and ICMP timeouts. Limited UDP to 4 mins, TCP
   to 25 mins and ICMP to 5 mins. Was able to free only 2 MB or so from 20 MB.
   - Changed the IOS from ADV ENT SERVICES to IP base to get rid of unwanted
   processes and services, as the main aim of this router is to run NAT.
   - The freshly loaded router gave me 120 MB of free space and I was happy now to
   test things out.
   - Again started the NAT for 8 pools of /25 inside subnets with 8 live
   IPs (policy NAT).
   - At 25000 translations it eats up memory of around 24 MB.
   - Turned off Virtual Reassembly as it was reaching the threshold very often.
   - Migrated another 8 pools of /25, which comes to a total of 16 /25 inside
   subnets, and free memory left is 64 MB, with the peak translations up to 42000
   and active translations at 15000 on average.
   - It often gives I/O memory errors too (with only 16 /25 pools
   configured on it).
   - All this stuff works fine with a Netscreen firewall overloaded with only
   4 IPs for all 64 /25 pools. (Does Netscreen have an edge over Cisco
   when it comes to NAT?) I wonder..!

If Cisco says that only 312 bytes are required for storing a single
translation, why am I not able to free my DRAM memory? Tried my luck with
everything. Need some expert advice on this to figure out the high memory
usage of NAT.

NOTE: Only default router and no other services are used on the router apart
from Netflow

Thanks in Advance

Regards

Ronnie


[c-nsp] TCP Reset

2009-05-19 Thread Hitesh Vinzoda
Dear All,
I am facing a problem with some clients behaving suspiciously when they
telnet to the squid proxy (10.4.188.180).

After the TCP SYN request by the client, the server is responding with RST.


Wireshark logs from the client are attached. Comments are invited for this case.

Thanks in advance

Ronnie
No. Time     Source       Destination  Protocol Info
  6 2.188964 10.4.52.53   10.4.188.180 TCP      BESApi > http-alt [SYN] Seq=0 Win=65535 Len=0 MSS=1460

Frame 6 (62 bytes on wire, 62 bytes captured)
Arrival Time: May 19, 2009 17:04:41.083189000
[Time delta from previous captured frame: 0.874347000 seconds]
[Time delta from previous displayed frame: 2.188964000 seconds]
[Time since reference or first frame: 2.188964000 seconds]
Frame Number: 6
Frame Length: 62 bytes
Capture Length: 62 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:tcp]
[Coloring Rule Name: TCP SYN/FIN]
[Coloring Rule String: tcp.flags & 0x02 || tcp.flags.fin == 1]
Ethernet II, Src: Foxconn_e4:dc:12 (00:15:58:e4:dc:12), Dst: 
All-HSRP-routers_34 (00:00:0c:07:ac:34)
Destination: All-HSRP-routers_34 (00:00:0c:07:ac:34)
Address: All-HSRP-routers_34 (00:00:0c:07:ac:34)
 ...0     = IG bit: Individual address (unicast)
 ..0.     = LG bit: Globally unique address 
(factory default)
Source: Foxconn_e4:dc:12 (00:15:58:e4:dc:12)
Address: Foxconn_e4:dc:12 (00:15:58:e4:dc:12)
 ...0     = IG bit: Individual address (unicast)
 ..0.     = LG bit: Globally unique address 
(factory default)
Type: IP (0x0800)
Internet Protocol, Src: 10.4.52.53 (10.4.52.53), Dst: 10.4.188.180 
(10.4.188.180)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
 00.. = Differentiated Services Codepoint: Default (0x00)
 ..0. = ECN-Capable Transport (ECT): 0
 ...0 = ECN-CE: 0
Total Length: 48
Identification: 0x1672 (5746)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0xdf64 [correct]
[Good: True]
[Bad : False]
Source: 10.4.52.53 (10.4.52.53)
Destination: 10.4.188.180 (10.4.188.180)
Transmission Control Protocol, Src Port: BESApi (3408), Dst Port: http-alt 
(8080), Seq: 0, Len: 0
Source port: BESApi (3408)
Destination port: http-alt (8080)
Sequence number: 0(relative sequence number)
Header length: 28 bytes
Flags: 0x02 (SYN)
0...  = Congestion Window Reduced (CWR): Not set
.0..  = ECN-Echo: Not set
..0.  = Urgent: Not set
...0  = Acknowledgment: Not set
 0... = Push: Not set
 .0.. = Reset: Not set
 ..1. = Syn: Set
 ...0 = Fin: Not set
Window size: 65535
Checksum: 0xbfa3 [correct]
[Good Checksum: True]
[Bad Checksum: False]
Options: (8 bytes)
Maximum segment size: 1460 bytes
NOP
NOP
SACK permitted

No. Time     Source       Destination  Protocol Info
  8 2.195952 10.4.188.180 10.4.52.53   TCP      http-alt > BESApi [RST, ACK] Seq=1 Ack=1 Win=29141 Len=0

Frame 8 (60 bytes on wire, 60 bytes captured)
Arrival Time: May 19, 2009 17:04:41.090177000
[Time delta from previous captured frame: 0.004504000 seconds]
[Time delta from previous displayed frame: 0.006988000 seconds]
[Time since reference or first frame: 2.195952000 seconds]
Frame Number: 8
Frame Length: 60 bytes
Capture Length: 60 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:tcp]
[Coloring Rule Name: TCP RST]
[Coloring Rule String: tcp.flags.reset eq 1]
Ethernet II, Src: Cisco_51:44:00 (00:18:74:51:44:00), Dst: Foxconn_e4:dc:12 
(00:15:58:e4:dc:12)
Destination: Foxconn_e4:dc:12 (00:15:58:e4:dc:12)
Address: Foxconn_e4:dc:12 (00:15:58:e4:dc:12)
 ...0     = IG bit: Individual address (unicast)
 ..0.     = LG bit: Globally unique address 
(factory default)
Source: Cisco_51:44:00 (00:18:74:51:44:00)
Address: Cisco_51:44:00 (00:18:74:51:44:00)
 ...0     = IG bit: Individual address (unicast)
 ..0.     = LG bit: Globally unique address 
(factory default)
Type: IP (0x0800)
Trailer: 
Internet Protocol, Src: 10.4.188.180 (10.4.188.180), Dst: 10.4.52.53 
(10.4.52.53)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x01 (DSCP 0x00: Default; ECN: 0x01)
 00.. = Differentiated Services Codepoint: Default (0x00)

[c-nsp] Not Allowing Vlan 1 on trunk ports

2009-01-17 Thread Hitesh Vinzoda
Dear All

Is there a way to suppress vlan 1 from passing over a trunk link, coz I am not
able to shut down the L2 vlan 1?


Regards

Ronnie


Re: [c-nsp] VLAN 1 through routed ports

2009-01-08 Thread Hitesh Vinzoda
I am having an old setup of two 6509s connected together by means of routed ports.
On one of the 6509s I have vlan 1 with a user subnet configured on it along
with DHCP. Now when I connect anything on vlan 1 on the 2nd 6509, the desktop is
leased the IP of vlan 1 configured on 6509-1. Any idea why I am getting an
IP leased through DHCP?

Note: no helper commands are used on vlan 1 of 6509-2 and no IP address
exists on SVI vlan 1.

Regards

On Thu, Jan 8, 2009 at 5:07 PM, Gert Doering  wrote:

> Hi,
>
> On Thu, Jan 08, 2009 at 04:48:37PM +0530, Hitesh Vinzoda wrote:
> > Can vlan 1 pass through routed ports between layer 3 switches. ..??
>
> By definition a VLAN (which is a L2 thing) can't pass through routed ports.
>
> If you need that, you need to setup some sort of bridging-over-L3, either
> with EoMPLS or L2TPv3.
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
>   //
> www.muc.de/~gert/
> Gert Doering - Munich, Germany
> g...@greenie.muc.de
> fax: +49-89-35655025
> g...@net.informatik.tu-muenchen.de
>


[c-nsp] VLAN 1 through routed ports

2009-01-08 Thread Hitesh Vinzoda
Can vlan 1 pass through routed ports between layer 3 switches. ..??


Re: [c-nsp] ASA AIP-SSM-10

2008-11-28 Thread Hitesh Vinzoda
I m thru.

Thanks

Ronnie

On Thu, Nov 27, 2008 at 5:58 AM, Joerg Mayer <[EMAIL PROTECTED]> wrote:

> On Thu, Nov 27, 2008 at 03:28:38AM -0800, Hitesh Vinzoda wrote:
> > Does that tftp server need to be of the same subnet for which i had one for
> > IPS or nothing to be done.
>
> That tftp-server can be any box reachable by IP (you can set a default-gw
> as well).
>
> The commands are:
>
> hw module 1 recover configure
> (then answer the questions about tftp-server, default-gw etc)
> debug module (just to have something to watch when running the next command :-)
> hw module 1 recover boot (this will actually *do* the recovery).
>
> Ciao
> Joerg
> --
> Joerg Mayer   <[EMAIL PROTECTED]>
> We are stuck with technology when what we really want is just stuff that
> works. Some say that should read Microsoft instead of technology.
>


Re: [c-nsp] ASA AIP-SSM-10

2008-11-27 Thread Hitesh Vinzoda
Does that tftp server need to be of the same subnet for which I had one for
IPS or nothing to be done?

Regards


On 11/26/08, Joerg Mayer <[EMAIL PROTECTED]> wrote:
>
> On Wed, Nov 26, 2008 at 01:30:32AM -0800, Hitesh Vinzoda wrote:
> > We were upgrading the patches on AIP-SSM-10 and the IPS seems not to be coming
> > up after reload. The module status is UNRESPONSIVE. Moreover, we haven't
> > configured recovery on it. Please suggest how to bring up the IDS from scratch.
>
> You configure the recovery on the asa (hw module configure recover or something
> to that end). Make sure you have a tftp-server connected to the external
> ge-port of the aip. Start recovery (hw module recover or whatever). The
> commands all need to be typed from the asa command line, the asa acts as the
> rommon replacement for the SSMs. There's also a debug (on the asa) that lets
> you watch the recovery process but I currently don't remember the exact debug
> command.
>
> ciao
>Joerg
>
> --
> Joerg Mayer   <[EMAIL PROTECTED]>
> We are stuck with technology when what we really want is just stuff that
> works. Some say that should read Microsoft instead of technology.
>


[c-nsp] ASA AIP-SSM-10

2008-11-26 Thread Hitesh Vinzoda
Dear all,

We were upgrading the patches on AIP-SSM-10 and the IPS seems not to be coming
up after reload. The module status is UNRESPONSIVE. Moreover, we haven't
configured recovery on it. Please suggest how to bring up the IDS from scratch.


Thanks

Ronnie


Re: [c-nsp] L2VPN Interworking

2008-11-10 Thread Hitesh Vinzoda
Check for MTU size on interfaces.

Regards

Hitesh Vinzoda


On 11/10/08, Mohammad Khalil <[EMAIL PROTECTED]> wrote:
>
>
> Dears
> i have the following setup:
> CE1 --> PE1 --> MPLS Cloud --> PE2 --> CE2
> PE1 is 7609 and has the IOS image
> c7600rsp72043-advipservices-mz.122-33.SRD.bin
> PE2 is a VXR G2 and has the IOS image
> c7200p-spservicesk9-mz.122-33.SRC1.bin
> CE1 --> PE1 is ATM connection
> CE2 --> PE2 Vlan connection (Sub interface)
>
> i have established xconnect between the 2 sides
> the xconnect is up and there is a ping between the 2 sides
> but the problem is in the size
> when i issue the command ping x.x.x.x repeat 1000 size 1500
> i face remarkable packet drop !!
> any ideas ??
> knowing that there is no congestion at all in my links nor through the MPLS
> cloud
>


[c-nsp] FWSM Access-control lists

2008-11-10 Thread Hitesh Vinzoda
Dear All,

I'm having a production server subnet of around 150 servers (172.16.2.0/24)
and all of them are sitting behind FWSM. The current ACL applied is permit ip
any any.

Now we have got the details of one server communicating on some ports, for
which we are going to apply the ACL. I came to know about the line numbers in
ACEs but for me it's not working.

Say e.g. my LAN is untrusted (192.168.0.0/16)

access-list test line 1 extended permit ip 192.168.2.0 host 172.16.2.20 eq www
access-list test line 2 extended permit ip 192.168.2.0 host 172.16.2.20 eq smtp
access-list test line 3 extended permit ip 192.168.2.0 host 172.16.2.20 eq 445

now for any other traffic for particular server will be denied

access-list test line 500 extended permit ip any host 172.16.2.20
access-list test line 501 extended permit ip any any

The fascinating thing here is that when I issue the "sh access-list" command, it
shows the line numbers for 500 and 501 as 4 & 5 respectively, i.e. anything
added later is appended.

I want to have ip any any at line 15000, which will be removed once all ACEs for
each server are in place.

FWSM is running 3.2.

Any ideas about getting lines 500 & 501 fixed at their respective places?

Thanks in advance

Hitesh Vinzoda


[c-nsp] Fwd: Delivery Status Notification (Failure)

2008-11-10 Thread Hitesh Vinzoda
-- Forwarded message --
From: Mail Delivery Subsystem <[EMAIL PROTECTED]>
Date: Nov 10, 2008 2:01 AM
Subject: Delivery Status Notification (Failure)
To: [EMAIL PROTECTED]

This is an automatically generated Delivery Status Notification

Delivery to the following recipient failed permanently:

[EMAIL PROTECTED]

Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the recipient
domain. We recommend contacting the other email provider for further
information about the cause of this error. The error that the other server
returned was: 550 550 5.1.1 <[EMAIL PROTECTED]>... User unknown
(state 14).

  - Original message -

Message-ID: <[EMAIL PROTECTED]>
Date: Mon, 10 Nov 2008 02:01:40 -0800
From: "Hitesh Vinzoda" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Cisco ASA 5510 VPN problem

I have a Cisco ASA 5510 and I had configured remote access VPN on it, but
for some reason I am not able to ping the inside interface from the VPN, although I
get connected every time I try. Please advise.

Also,

  - Message truncated -


[c-nsp] Multicast issue

2008-11-10 Thread Hitesh Vinzoda
Hi all,

I had configured multicast in my LAN using sparse-dense mode. The RP and group
are defined statically on each L3 switch. I'm receiving the multicast
beyond all L3s except the ones running HSRP.

Any ideas, guys?

Regards

Hitesh Vinzoda


[c-nsp] HSRP With Multicast

2008-02-16 Thread Hitesh Vinzoda
Hi,

I have HSRP running between two 4507s and PIM Sparse on the SVIs of both
the interfaces. I had configured a static RP for multicast for a specific
group. Now the problem is that when PIM Sparse is enabled on the HSRP interfaces
(SVIs on both 4507s), multicast doesn't work. When I remove it from either one of
them, it works!

Can anyone tell me whether it is a problem with the DR (designated router) or
what? I want to have PIM Sparse enabled on both the SVIs.

Thanks in advance

Ronnie


[c-nsp] Cisco 2811

2007-10-06 Thread Hitesh Vinzoda
Can anyone please tell me the switching fabric capabilities of the Cisco 2811?
Due to a high IP input rate, my CPU utilization is getting high.

Thanks in advance

Regards

Ronnie


[c-nsp] High CPU Utilization

2007-09-26 Thread Hitesh Vinzoda
Dear All,

I have got a Cisco 2800 router. Its CPU is continuously monitored to be at 99%.
It has got only two Fast Ethernet ports, and traffic on these ports reaches
the maximum. When you analyze the traffic going through these ports, most of it is IP
traffic (98%). I tried fast switching on these ports using ip route-cache on the
interfaces, but it didn't help in lowering the CPU utilization.

Please advise how to lower the CPU utilization.

Thanks in advance

Ronnie


[c-nsp] Routed Vlans

2007-09-01 Thread Hitesh Vinzoda
Dear All,

I have got a Layer 3 switch attached to another Layer 3 switch, with OSPF running
between them. The link between them is a Layer 2 trunk, just because I have
to extend a VLAN which is behind the trunk.

When I perform a TRACERT I can see the IPs of the interfaces of both switches.
Does this mean the traffic is routed even if it is going over the L2 trunk?

I want to route the VLAN over a routed link and have it function as a Layer 2 VLAN. Is
it possible?

Meaning:

PC (VLAN 25) >>> L3 switch >>> Trunk + OSPF >>> L3 switch >>> PC (VLAN 25)

I want the VLANs to travel over a routed link; right now they are
going through a configured trunk.

Please advise.

Thanks & Regards

Ronnie


[c-nsp] Fwd: %SCHED-3-STUCKMTMR: Sleep with expired managed timer

2007-08-04 Thread Hitesh Vinzoda
-- Forwarded message --
From: Hitesh Vinzoda <[EMAIL PROTECTED]>
Date: Aug 2, 2007 8:16 AM
Subject: %SCHED-3-STUCKMTMR: Sleep with expired managed timer
To: Cisco Mailing list 

Hi guys,

I'm getting this error:

Aug  2 07:56:04.321: %SCHED-3-STUCKMTMR: Sleep with expired managed timer 528346D0, time 0x32D50DB30 (16:02:04 ago).
-Process= "SNMP Timers", ipl= 5, pid= 158
-Traceback= 41052F18 410534B0 40E95EB0

I think it's an SNMP error. It is also not allowing my NMS to poll the
interfaces of the device.

Any idea how to get rid of it?


Thanks

Ronnie


[c-nsp] %SCHED-3-STUCKMTMR: Sleep with expired managed timer

2007-08-01 Thread Hitesh Vinzoda
Hi guys,

I'm getting this error:

Aug  2 07:56:04.321: %SCHED-3-STUCKMTMR: Sleep with expired managed timer 528346D0, time 0x32D50DB30 (16:02:04 ago).
-Process= "SNMP Timers", ipl= 5, pid= 158
-Traceback= 41052F18 410534B0 40E95EB0

I think it's an SNMP error. It is also not allowing my NMS to poll the
interfaces of the device.

Any idea how to get rid of it?


Thanks

Ronnie


Re: [c-nsp] NTP Config

2007-07-12 Thread Hitesh Vinzoda
Hey guys,
Thanks for your suggestions... but we are going pretty deep inside.

I don't want my 6509s to sync with any public time sources.

I want 1 out of the 4 6509s to act as NTP master, with redundancy in the core
for NTP, and I want my 350 LAN devices to be able to update their time from the NTP
server (6509).

Please advise.

Thanks in advance

Ronnie


On 7/12/07, Tony Li <[EMAIL PROTECTED]> wrote:
>
>
> > I tend to use tick and tock (.usno.navy.mil) for my stratum-2 servers.
> > There are others which allow public access, but why not just go to the
> > horse's mouth?
>
>
> The horse can be pretty far away.
>
> If you're topologically distant, then access to tick and tock might
> have substantial amounts of jitter that might affect the quality of
> time that you're able to maintain.  Other nearby servers may provide
> you better chime.
>
> Tony


[c-nsp] NTP Config

2007-07-11 Thread Hitesh Vinzoda
I have got 4 Cisco 6509s in a mesh for the core and I want to enable NTP on
those to act as a master.

I went through the config; the only option there is

config>ntp master stratum 8 ( 8 is the default value )

Will this command alone enable the device to act as an NTP server?
Suggestions are invited for the config of NTP in a mesh of 6509s with EtherChannels
for NTP redundancy.


thanks in advance

Ronnie