Re: [c-nsp] logging suppress duplicates
On 28 Sep 2020, at 1:38 pm, Eugene Grosbein wrote:
> Is it possible to enable suppression of duplicate lines in the logging buffer?
> Less preferably, disable this kind of messages altogether if it ends with "by
> snmp" or even "from X.X.X.X by snmp".

The term you're looking for to filter logs in the buffer is 'logging discriminator'.

___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
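As an added illustration that is not part of the thread (and not Cisco's implementation), the two behaviours the original poster asked for, dropping messages whose body ends in "by snmp" and collapsing consecutive duplicates into one line with a repeat count, emulated in Python over a constructed set of IOS-style syslog lines. On the switch itself a logging discriminator with a msg-body drops filter applied to the buffer does the dropping; the script shows the same filtering off-box, e.g. on a syslog collector, where the repeat count also makes a burst of identical messages easier to spot rather than hiding it.

```python
import re

# Constructed sample of IOS-style syslog lines (not from the thread), in the
# shape of the "... by snmp" messages the original poster wants to suppress.
SAMPLE_LOG = """\
Sep 28 13:38:01.100: %SYS-5-CONFIG_I: Configured from 192.0.2.10 by snmp
Sep 28 13:38:01.200: %SYS-5-CONFIG_I: Configured from 192.0.2.10 by snmp
Sep 28 13:38:01.300: %SYS-5-CONFIG_I: Configured from 192.0.2.10 by snmp
Sep 28 13:38:05.000: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
Sep 28 13:38:05.000: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
Sep 28 13:38:06.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
Sep 28 13:38:09.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (198.51.100.7)
Sep 28 13:38:10.000: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
"""

# Split off the timestamp so that duplicate detection compares message bodies,
# not the time at which each copy was logged.
TIMESTAMP_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:.]+): (?P<body>.*)$")


def _body(line):
    m = TIMESTAMP_RE.match(line)
    return m.group("body") if m else line


def drop_matching(lines, pattern):
    """Emulate a 'drops' discriminator: remove lines whose body matches pattern."""
    rx = re.compile(pattern)
    return [line for line in lines if not rx.search(_body(line))]


def collapse_duplicates(lines):
    """Collapse consecutive identical message bodies into one line plus a repeat
    count. Returns a list of (line, count) pairs; count is 1 when not repeated."""
    out = []  # entries are [first_line, count, body]
    for line in lines:
        body = _body(line)
        if out and out[-1][2] == body:
            out[-1][1] += 1
        else:
            out.append([line, 1, body])
    return [(line, count) for line, count, _ in out]


def filter_log(text, drop_pattern=r"by snmp$"):
    """Drop the unwanted messages first, then collapse what remains."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return collapse_duplicates(drop_matching(lines, drop_pattern))


if __name__ == "__main__":
    for line, count in filter_log(SAMPLE_LOG):
        suffix = f"  [repeated {count} times]" if count > 1 else ""
        print(line + suffix)
```

The drop pattern is anchored at the end of the message body, so a message that merely mentions SNMP elsewhere is kept; widen it to `from \S+ by snmp$` to match the poster's second variant.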
Re: [c-nsp] Cisco4k and assync serial
On 10 Nov 2015, at 9:29 PM, Saku Ytti wrote:
> That is, no way to get async ports on Cisco4k. So when Cisco29xx gets
> EOLd, there is no way to build OOB network with Cisco?

Buy OpenGear. :)
Re: [c-nsp] Spanning Tree works great - except when it doesn't
On 16 Oct 2015, at 11:23 AM, Lee wrote:
> Does anyone know of a program that will check all of the trunk ports
> on switches for vlans allowed + vlans allowed and active on both sides
> of a trunk port?

Netdisco.
Re: [c-nsp] Alternate to TOR (4948)
On 15 Apr 2015, at 9:08 am, CiscoNSP List wrote:
> Nexus 3000's ? (Option to do VPC with multiple 3000's in one rack back to
> core/agg switches?)

Just installed two 3048's to replace a Cat65k/Sup2. Configured vPC with LACP towards switches, ESX, Filers and Windows machines. Very happy with them, very good price. Haven't thrashed them particularly hard - just simple L2 - but it seems to 'just work'.

Rgds,
- I.
Re: [c-nsp] Troubleshooting vtp pruning
On 10 Nov 2014, at 4:02 pm, Victor Sudakov wrote:
> Port    Vlans in spanning tree forwarding state and not pruned
> Gi0/1   1,3,10,20,22,24-28,30,32,34,36,200,308
> Gi0/2   1,3,10,20,22,24-28,30,32,34,36,200,308

VTP won't prune because you have dual uplinks. It doesn't know that they both go to the core layer. One could be a downstream switch as far as VTP is concerned.
Re: [c-nsp] OOB Device for remote DC's
On 2 Sep 2014, at 11:52 am, CiscoNSP List wrote:
> We historically have just used Cisco 2511's with standard modem attached, but
> are finding it increasingly difficult to source modems - Can anyone recommend
> an alternative (reliable) OOB device? (Built in modem + 4G as backup?)

Can't recommend OpenGear highly enough. The IM7200 offers dual power, dual Ethernet, 3G/4G, Wifi, PSTN, 8/16/32/48 serial, software selectable cable rollover, OpenVPN, SSH, Linux under the hood, great support, the list goes on.
Re: [c-nsp] Transparent WAN Encryption
On 4 Feb 2014, at 10:30 am, Benny Amorsen wrote:
> Does that actually work over WAN links that are not just plain optical
> paths? I have been wondering if you can get MacSec to work over EoMPLS.

It 'just worked' in the lab over EoMPLS, but I haven't experienced it in production.
Re: [c-nsp] Transparent WAN Encryption
On 3 Feb 2014, at 8:10 am, Antonio Soares wrote:
> I'm looking for the simplest way to do it. Most customers have L2
> connections between Data Centers. The edge device controlled by the customer
> is a Layer 2 Switch. The mechanisms like IPSec, GETVPN, FlexVPN, and so on,
> need a router in the edge. This implies modification of the customer's
> topologies. L2 encryption seems the perfect solution and it seems there are
> several options on the market.

What about MacSec? Works between 3560X/4500/4500X/Sup2T/etc for wire rate L2 encryption.

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/15.1/XE_330SG/configuration/guide/swmacsec.html#wp1334072 says:

This example shows how to configure Cisco TrustSec authentication in manual mode on an interface:

Switch# configure terminal
Switch(config)# interface tengiigabitethernet 1/1/2
Switch(config-if)# cts manual
Switch(config-if-cts-manual)# sap pmk 1234abcdef mode-list gcm-encrypt null no-encap
Switch(config-if-cts-manual)# no propagate sgt
Switch(config-if-cts-manual)# exit
Switch(config-if)# end

(It's a copy and paste, even the typos ;)).

Rgds,
- I.
Re: [c-nsp] Mac Security
On 20/10/2013, at 10:39 PM, naresh reddy wrote:
> is it possible to use macsec traffic for a non supported switch

Yep, MacSec just looks like another protocol on top of Ethernet. I had it running in the lab between two 4500s with an EoMPLS VC between them. Keep MTU in mind.

4507R+E/Sup7E[ce1] --> 7606/Sup32[pe1] --MPLS--> 7606/Sup32[pe2] --> 4507R+E/Sup7E[ce2]

interface GigabitEthernet1/1
 description EoMPLS to ce2
 no switchport
 ip address 10.2.2.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip ospf network point-to-point
 ip ospf dead-interval minimal hello-multiplier 5
 ip ospf 1 area 0
 cts manual
  no propagate sgt
  sap pmk DEADBEEF mode-list gcm-encrypt
end
Re: [c-nsp] How to tell what routes are not in CEF and follow DEFAULT path?
On 03/07/2013, at 6:19 AM, Jeffrey G. Fitzwater wrote:
> I would like to find out what routes are NOT in my route table and therefore
> follow the DEFAULT path to 0.0.0.0.

Take a copy of the DFZ BGP table from http://archive.routeviews.org/oix-route-views/, take a copy from your router, cut out the routes column, then diff them to see what routes you don't have?

I'm assuming you're doing this as a precursor to removing the default route, to verify that you have an entire DFZ table?

Rgds,
- I.
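One way to carry out the diff suggested above, as an added example that is not part of the thread: a Python script that pulls the network column out of two 'show ip bgp' style dumps (constructed here with documentation address space; the real inputs would be the route-views snapshot and the dump from the router being checked) and reports the prefixes the reference carries that the local router does not, i.e. the destinations that would currently be following the default route. The network names, next hops and AS numbers in the samples are assumptions. It normalises entries IOS prints without a mask (classful, e.g. 3.0.0.0 as 3.0.0.0/8) and treats a bare 0.0.0.0 as the default route, so a default on the local side does not mask missing routes.

```python
import ipaddress
import re

# Constructed samples in 'show ip bgp' layout, using documentation address
# space; not real table data. REFERENCE_TABLE stands in for the route-views
# snapshot, LOCAL_TABLE for the dump taken from the router being checked.
REFERENCE_TABLE = """\
   Network          Next Hop            Metric LocPrf Weight Path
*> 1.0.0.0/24       203.0.113.1                            0 64500 64501 i
*  1.0.4.0/22       203.0.113.2                            0 64500 64502 i
*>                  203.0.113.1                            0 64500 64502 i
*> 3.0.0.0          203.0.113.1                            0 64500 64503 i
*>i192.0.2.0/24     203.0.113.9            0    100        0 64504 i
*> 198.51.100.0/24  203.0.113.1                            0 64500 64505 i
"""

LOCAL_TABLE = """\
   Network          Next Hop            Metric LocPrf Weight Path
*> 0.0.0.0          198.51.100.254                         0 64499 i
*> 1.0.0.0/24       198.51.100.254                         0 64499 64501 i
*> 1.0.4.0/22       198.51.100.254                         0 64499 64502 i
*> 198.51.100.0/24  198.51.100.254                         0 64499 64505 i
"""

# A table row starts with up to four status characters (*, >, i, s, d, ...),
# then the network, then the next hop. Continuation rows for additional paths
# leave the network column blank, so the next hop is not followed by another
# address and they do not match.
ROW_RE = re.compile(
    r"^[*>sdhirSmbxac ]{0,4}\s*(\d+\.\d+\.\d+\.\d+(?:/\d+)?)\s+\d+\.\d+\.\d+\.\d+"
)


def normalize(network):
    """Return the prefix in CIDR form, applying the classful mask IOS implies
    when it prints a network without one (A=/8, B=/16, C=/24) and treating a
    bare 0.0.0.0 as the default route."""
    if "/" in network:
        return str(ipaddress.ip_network(network, strict=False))
    if network == "0.0.0.0":
        return "0.0.0.0/0"
    first_octet = int(network.split(".")[0])
    plen = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return str(ipaddress.ip_network(f"{network}/{plen}", strict=False))


def extract_prefixes(table_text):
    """The 'routes column' of a show ip bgp dump, as a set of CIDR strings."""
    prefixes = set()
    for line in table_text.splitlines():
        m = ROW_RE.match(line)
        if m:
            prefixes.add(normalize(m.group(1)))
    return prefixes


def missing_routes(reference_text, local_text):
    """Prefixes in the reference table that the local router does not carry,
    sorted numerically."""
    missing = extract_prefixes(reference_text) - extract_prefixes(local_text)
    return [str(n) for n in sorted(ipaddress.ip_network(p) for p in missing)]


if __name__ == "__main__":
    for prefix in missing_routes(REFERENCE_TABLE, LOCAL_TABLE):
        print(prefix)
```

On real inputs read the two dumps from files and pass their contents to missing_routes; an empty result is the check that the local table covers the reference before the default route is removed.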
Re: [c-nsp] VSS to vPC - vPC to Etherchannel
On 17/03/2013, at 11:23 AM, Jeff Kell wrote:
> We had been doing PAgP on Cisco-to-Cisco, but leaning toward LACP today
> for anything that supports it.

In our VSS clusters (Sup2T), we're using PAgP where possible, and LACP to everything else. PAgP offers dual-active detection for VSS that LACP can't. Yes, I'd love to have one protocol that worked for everything. No, it's never going to happen.

Rgds,
- I.
Re: [c-nsp] Switch lights rapid blinking
On 29/01/2013, at 6:17 AM, Michael Sprouffske wrote:
> Can someone please point me in the right direction to correct this issue. I
> came into a network that is using the default vlan and for about 2 weeks now,
> every switch and port is rapidly blinking. I looked at wireshark and don't
> see anything out of the ordinary. I also checked for loops in the network
> and don't see any. Is there some tool I can use to track down what is
> causing this? I'm running cisco 2960's all over.

I don't have any proof, but I've got a feeling that newer Cisco kit has 'slowed' the blinking, so that even at much higher pps, the rate of blinking is the same. Maybe this is making it look worse than it really is?
Re: [c-nsp] VPDN stop dialins
On 16/10/2012, at 6:09 PM, Ali Sumsam wrote:
> Can I stop getting more connections to my LNS without dropping the existing
> ones by removing "accept-dialin" from the config.

The command you're looking for is 'vpdn softshut'.

http://www.cisco.com/en/US/docs/ios/vpdn/configuration/guide/vpdn_tunnel_mgmt.html#wp1089078
Re: [c-nsp] IOS archive in addition to RANCID
On 10/10/2012, at 8:16 PM, Phil Mayers wrote:
> TBH I'm not really sure what you're asking.

Yep, sorry, was a bit of a brain dump. :) Thanks for your comments. This basically tells me that archive doesn't have any super awesome features that we don't already get from RANCID, and that it's not completely solid yet (re 6500). Syslog command logging though is 100 times more convenient than TACACS for short term requirements, while TACACS+gzip+disk storage sorts out the long term/compliance requirements.

> Really? We use a home-grown system for this, and back up >1200 devices every
> hour.

At the moment, ~rancid/var lives on NFS, and the machine does a bunch of other things that chew resources. I've got plans on improving this, but one disaster at a time. :)

Rgds,
- I.
[c-nsp] IOS archive in addition to RANCID
Hi folks,

I'm working on updating our base templates using some more modern features and am considering if IOS' built in configuration archiver/change logger have a place in our network. Is anybody using the config archiver in addition to/in place of RANCID? Syslog command logging in addition to/in place of TACACS? Thoughts on pros/cons? Are you using EEM to catch config changes that aren't followed by a 'wr mem'? Any other neat tricks?

archive
 log config
  record rc
  logging enable
  logging size 200
  notify syslog contenttype plaintext
  hidekeys
 path tftp://tftp/Config-Archive/$h-$t
 write-memory

My thoughts so far:

* RANCID is a single solution that works for all vendors and all versions of IOS, no need for separate dirty hacks per vendor, but new vendor/device type maintenance can be tricky.
* With a sizeable RANCID installation, collection interval needs to be pushed out to 4 hours plus, which means we could miss changes within the interval.
* RANCID does automated diff, having a directory full of router-datetime files isn't as easy to manipulate.
* TACACS command logging catches commands performed outside config mode.
* Having two methods ensures that if one method breaks, we still have useful logs/archives. This is particularly nice in our environment - if someone deploys hardware without following procedure of adding it to the database that runs RANCID, it still gets config collection (plus they get a bonus larting, but that's another story...).

Any additional insight?

Rgds,
- I.
[c-nsp] OSPFv3 in VRF
Hi folks,

Does anyone have any updated news from Cisco on when OSPFv3 will be supported within a VRF (lite, no MPLS) on the Sup2T? The most recent info I can find is from April.

TIA,
- I.
[c-nsp] NETCONF replacing SNMP
Hi folks,

We've recently deployed some 4500/Sup7Es - pretty cool box, but we've run into problems with our network monitoring system. With the dual core architecture of the Sup7E, SNMP no longer returns correct CPU utilisation values. Cisco suggested using the old school SNMP MIB for the 7500 and similar, but it doesn't return multiple counters.

root@monitor1:~# snmpwalk -v2c -c com switch1 .1.3.6.1.4.1.9.9.109.1.1.1.1.5
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.5.3000 = Gauge32: 17
root@monitor1:~#

The TAC lodged a bug for this (CSCti07144), but that doesn't really help me now. Had a chat with a few of the folks at Cisco Live in Melbourne last week, the general consensus is that bugs in SNMP won't be fixed anymore, and that we should be using NETCONF. OK, cool, I'm happy with that, but I can't actually find very much useful stuff about NETCONF at all. We're a Nagios/OSS/homegrown shop, so I've got no problems integrating it, but it still seems very much at the "here's a prototype library" stage.

Are there any monitoring packages that actually do it? Is anyone using it as a general NMS platform for things like CPU > x%?

Thanks all,
- I.
Re: [c-nsp] Interpreting DOM outputs
On 01/01/2012, at 3:52 AM, Robert Hass wrote:
> Tx Power '-4.9' better than '-6.9' (i.e. signal is stronger if TX
> Power is '-4.9' comparing to '-6.9')

This brilliant NANOG talk will help explain power loss over fibre, amongst other optical topics.

http://www.nanog.org/meetings/nanog48/presentations/Sunday/RAS_opticalnet_N48.pdf
Re: [c-nsp] Loopback IP set to .255 - 6500 responds to ICMP echo-request from wrong interface
On 01/01/2012, at 4:33 PM, Eric Rosenberry wrote:
> When pinging the loopback IP's of these devices from the Internet, one
> responds as expected (from the IP of the loopback), and the other (.255)
> responds from a *different* IP address (one of its interface IP's rather
> than the loopback IP).

Yep, ran into this one a few years ago. It's not just ping, SNMP does it too. TAC support request tool is offline at the moment, so I can't look up the bug ID, but we eventually just made a rule to never use .255/32 for loopbacks (along with .0/31 and .254/31 to avoid Windows users complaining about failed traceroutes...).

Rgds,
- I.
Re: [c-nsp] Telnet session dropped
On 27/12/2011, at 8:08 AM, Roy wrote:
> I use RANCID on a number of routers. About five days ago, it started
> failing on three routers. If I manually connect to these routers, it seems
> to work for a minute or so and then the telnet session gets disconnected.
> The disconnect only occurs during a data transfer such as "show conf"

If it only dies on large command outputs, it's an MTU problem.
Re: [c-nsp] Large number of arp entries on 2960G
On 03/10/2011, at 1:09 PM, John Elliot wrote:
> interface vlan11 - all entries appear to be "random" IP's, in that they are
> routes (IP's) learned from upstream bgp peering sessions and also some from
> our internal ospf... none of these bgp sessions or ospf are running in dot1q
> vlan11

Smells like one of the devices is doing Proxy ARP. This is usually bad, particularly if it's trying to ARP for all hosts on the Internet - will drive up CPU and memory usage.
Re: [c-nsp] ASA VPN groups... pointer/howto/cookbook?
On 29/09/2011, at 4:05 AM, Jeff Kell wrote:
> It would be even nicer still if the client could connect either split-tunnel
> (from home or a secure location) or full-tunnel (to encrypt everything, if on
> a hotspot or WiFi for example). Currently this is done with two .pcf files
> (and two corresponding groups on the ASA).

I do this at the moment using multiple VPN groups and AnyConnect. When the user auths, RADIUS returns the group name they should use. If the source IP address is known, we send back one group; if the address isn't known, we send back a different group, with a different ACL and split tunnel list. Not sure if you can specify a group via TACACS, though.
Re: [c-nsp] Anyone using 2960-C or 3560-C compact catalyst switches?
On 22/09/2011, at 11:20 PM, Herro91 wrote:
> Wondering if anyone out there is using 2960C or 3560C and has feedback on
> them? We are considering them for different environments where we need
> dedicated switches, but a max of 8-10 ports is all week - 24 ports is way
> overkill, not to mention the cost on the 3750s.

I've got a 3560CG-8PC-S on my desk. Runs like a trooper, been very pleased with it. It's quiet, it fits into an office environment, it's solidly built. Our main fleet of switches is 3560-48PS, so I'm a little concerned that it may not behave exactly the same when testing some of the more esoteric dot1x features, due to the C running the EX train, while the larger units run SE. This is just a niggle though, I haven't found any actual issues.
Re: [c-nsp] ME 3600X questions
On 02/09/2011, at 5:45 PM, Arie Vayner (avayner) wrote:
> Why do you want to do this?
> What is the objective?
>
> If these are 2 back-to-back switches, why not just switch?

A 'very long patch panel' (whatever comes in, goes out) service? Have done this with both QinQ/L2PT (3750G) and EoMPLS (Juniper EX4200).
Re: [c-nsp] OT: Radius -- ISE vs MS NPS
On 24/08/2011, at 1:09 AM, Scott Voll wrote:
> Anyone have any comments pro or con for either ISE or NPS when it comes to
> Radius service?

NPS is exceptionally easy to get running. It works well if all your authentication stores are in AD. By default, it can't authenticate via any other means. While ISE is a tad trickier to get running, it can do all sorts of things with an if-then-else structure and multiple authentication sources.

ISE does a lot more than just RADIUS - if that's all you're after, it's quite a cost. For all the other things it does (posture assessment, profiling, guest access, centralised management and logging, etc) it looks pretty good. (Note it's still cool-lab-toy status here, so we haven't really /used/ it yet).

Rgds,
- I.
Re: [c-nsp] ASA VPN with Local CA on the ASA
On 18/08/2011, at 2:54 AM, Jay Nakamura wrote:
> information they store. But don't have the budget nor resources to
> keep up the current RSA SecureID server which is a bit overkill for
> them. They thought certificate based auth will be not as good as
> SecureID but better than just user/pass.

There are one-time-password solutions other than SecureID. Check out yubico.com - simple, open source software, cheap hardware ($25USD per user), install your own AES keys (avoids the recent SecureID hack).
Re: [c-nsp] authentication host-mode multi-auth configuration on cisco 2960
On 15/07/2011, at 3:05 AM, pamela pomary wrote:
> I want to be able to authenticate the IP Phone via MAC address by-pass and
> authenticate the PC that connects to the LAN port of the IP Phone via dot1x
> using authentication host-mode multi-auth. How can I achieve that.

Use 'host-mode multi-domain' for a phone plus PC. 'multi-auth' is for using a dumb switch (multiple devices, only one of which will be authenticated to open the entire port).
Re: [c-nsp] L2 Ethernet bridging over GRE issues
On 28/01/2011, at 5:17 AM, Roger Wiklund wrote:
> I've setup a GRE tunnel from Router A to Router B.
> I've configured bridging between Tunnel0 and LAN interface on Router A
> and Router B

While this is possible, it's ten times easier and more reliable to use L2TPv3.
Re: [c-nsp] Console server
On 02/01/2011, at 2:58 PM, Aaron wrote:
> You can get SSH for 2511. Use 12.0s.

And be prepared to wait a day or two for your session to connect.
Re: [c-nsp] Console server
On 31/12/2010, at 8:36 AM, Kevin Warwashana wrote:
> Other than an rare PS failure the Perle CS9000's work good. We also use
> 2610's with a NM-16A.

We've recently gone Perle IOLAN SCS and they appear to do all the things a good console server should. The only complaint is you can't configure the built in modem for both dial in and dial out. On a 2511, you could use 'modem InOut' and telnet to 2017 so you could use the nearest console server to dial out to the destination you're after. With the Perle, I need a modem on my desk. Yick.

As long as you buy something non-Cisco, you'll be fine. 2509/2511 are dog slow and don't support modern features (encryption, dual Ethernet failover, IPv6, etc). 2600/2800 with async NMs are expensive as hell, and still don't do some of the cooler features (multiple users on a single console, console logging, etc). And don't get me started on the number of 2511 AUI adaptors I've had to reseat.
Re: [c-nsp] Backup Interface & IPv6 - why is Cisco sleeping?
On 15/12/2010, at 1:54 AM, Garry wrote:
> I'm really starting to
> wonder whether we're the only ones on this earth still using a dual
> switch config for our routers for redundancy purposes ...

So you're using backup interface for two Ethernet interfaces, both facing the same switched network? Cool - haven't seen backup interfaces since they were used to dial ISDN terminal adaptors. Is anyone else out there doing this? Out of curiosity, what kind of failover time do you get for IPv4? Does it swap the MAC address too?

While I'm on the topic, what are folks' thoughts on setting up a BVI on a router connecting to two separate switches in the same switched network? It's always seemed a bit hacky to me. What are the performance implications on a CPU based platform (7200, etc)? Of course, a routing protocol with link state would be optimal, but you've got to plug those server kids in somewhere. :)

Rgds,
- I.
[c-nsp] New Cisco website
It's blue now. The front page is pretty, but, yet again, Cisco have ignored some of the biggest problems on their site.

- The login cookie doesn't actually work. Login on the front page doesn't log you in to ordering support. This happens on various different tools/pages.
- Pages even one level deep from the front page haven't been reskinned.
- It's slow as hell.
- Downloads are impossible to get to, and complicated.

Rgds,
- I.
Re: [c-nsp] Cisco 2600 with async NM-32 sending wrong characters
On Wed, 2 Jun 2010, Youssef Bengelloun-Zahr wrote:
> User-Name = *"CONS2.IX1> ### Login failed"*

Do you have 'no exec' configured under the async line stanza on CONS1 and CONS2? The config you posted is for CONS3, which does have it configured.

line 33 64
 exec-timeout 0 0
 no exec
 transport input all
 escape-character 3
 stopbits 1

Rgds,
- I.
Re: [c-nsp] USB to Serial Converter recommendation
On Wed, 21 Apr 2010, Chris Boyd wrote:
> +1 for the USA-19HS. Had mine about 4 years now, and it just keeps working
> despite rattling around in my bag all that time.

Agreed, same. I prefer screen over minicom though - 'screen /dev/tty.KeySerial1' and it just works.

Rgds,
- I.
[c-nsp] 3560 leaking broadcasts
Hi folks,

Has anyone ever seen broadcasts leaking from an SVI into a layer 3 interface on a 3560? We've got a managed Ethernet link between a 3560G-48TS (Auckland, 12.2(50)SE1 IP Services) and a 3750G-24TS (Sydney, 12.2(53)SE IP Services) configured as a /31 layer 3 interface on both sides. The link runs OSPF in area 64, and PIM sparse mode. Both Sydney and Auckland have a number of SVIs.

[Hosts] -- VLAN 11 -- SVI11[Sydney]L3 -- /31 link -- L3[Auckland]

Sydney config:

interface GigabitEthernet1/0/25
 description Auckland:Gi0/47
 no switchport
 ip address x.x.x.193 255.255.255.254
 no ip redirects
 no ip proxy-arp
 ip pim sparse-mode
 ip ospf cost 50
 speed nonegotiate
 priority-queue out
 service-policy input SET-DSCP-TRUST

Auckland config:

interface GigabitEthernet0/47
 description Sydney:Gi1/0/25
 no switchport
 ip address x.x.x.192 255.255.255.254
 no ip redirects
 no ip proxy-arp
 ip pim sparse-mode
 ip ospf cost 200
 speed 100
 duplex full
 priority-queue out
 service-policy input SET-DSCP-TRUST

On the Auckland 3560, OSPF constantly reports a mismatched area ID, even though the area 64 session is up. PIM shows two neighbors, even though it's a point to point link. The IP address listed in both messages is the Sydney 3750's Vlan11 address.

Mar 10 19:53:14.662 NZDT: %OSPF-4-ERRRCV: Received invalid packet: mismatch area ID, from backbone area must be virtual-link but not found from x.x.x.138, GigabitEthernet0/47

Auckland#show ip pim nei
PIM Neighbor Table
Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority,
      P - Proxy Capable, S - State Refresh Capable
Neighbor          Interface                Uptime/Expires    Ver   DR
Address                                                            Prio/Mode
x.x.x.138         GigabitEthernet0/47      02:25:20/00:01:20 v2    1 / S P
x.x.x.193         GigabitEthernet0/47      02:25:21/00:01:37 v2    1 / DR S P

Some debugging revealed something odd - when performing 'show mac-address' on the internally assigned VLAN for Gi1/0/25 on Sydney, I see MAC addresses listed against VLAN 11.

Sydney#show vlan int usage
VLAN Usage
---- --------------------
1006 GigabitEthernet1/0/3
1007 GigabitEthernet1/0/25

Sydney#show mac- vlan 1007
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.        STATIC      CPU
 All    0100.0ccc.cccd    STATIC      CPU
 All    0180.c200.        STATIC      CPU
 All    0180.c200.0001    STATIC      CPU
 All    0180.c200.0002    STATIC      CPU
 All    0180.c200.0003    STATIC      CPU
 All    0180.c200.0004    STATIC      CPU
 All    0180.c200.0005    STATIC      CPU
 All    0180.c200.0006    STATIC      CPU
 All    0180.c200.0007    STATIC      CPU
 All    0180.c200.0008    STATIC      CPU
 All    0180.c200.0009    STATIC      CPU
 All    0180.c200.000a    STATIC      CPU
 All    0180.c200.000b    STATIC      CPU
 All    0180.c200.000c    STATIC      CPU
 All    0180.c200.000d    STATIC      CPU
 All    0180.c200.000e    STATIC      CPU
 All    0180.c200.000f    STATIC      CPU
 All    0180.c200.0010    STATIC      CPU
 All    ..                STATIC      CPU
  11    0012.80bf.1718    DYNAMIC     Gi1/0/24
  11    0012.80bf.1743    DYNAMIC     Gi1/0/24
  11    0015.c695.b495    DYNAMIC     Gi1/0/1
  11    0015.c6fa.1e35    DYNAMIC     Gi1/0/24
Total Mac Addresses for this criterion: 24

Sydney#show run int vlan11
Building configuration...

Current configuration : 185 bytes
!
interface Vlan11
 description ASA Network
 ip address x.x.x.138 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip pim sparse-mode
 ip ospf cost 5
end

I quickly threw it together in the lab and couldn't ping between a host on the VLAN and Auckland, so suspect it's broadcast/multicast traffic only. Hunting around the network, this appears to happen on every 3560, 3560E, and 3750 I could find. 6500 Sup720 doesn't seem to be impacted.

Other than the error message (which is uncommon, most links are in the same OSPF area) and the PIM neighbors (new rollout), I can't see anything that's actually causing a problem. Although I'm concerned if there's a broadcast storm, we may exhaust bandwidth on routed links.

So, has anyone seen this before? Is it a bug or design limitation on the 3560/3750 platform? Is there any other way to make layer 3 interfaces work other than a hardware upgrade?

Thanks,
- I.
Re: [c-nsp] DS3 over STM1
On Tue, 12 Jan 2010, Ian Henderson wrote:
> The new carrier has provisioned a 45Mbit clear channel service with a DS3 at
> the remote site, and a channelised STM1 at the head office. I can't seem to
> find a combination of router/card/mux to make this work.

For the archives, we got this working using an Adtran Opti-6100 for about $5k AUD. It uses an E3M3B card to connect to the head office PA-2T3+, with an OMM3VIR card to connect to the carrier's STM1. Mapping the VC3 to the physical DS3 interface is simply a matter of selecting the inbound circuit on the left side of the screen, and the outbound circuit on the right side of the screen.

Rgds,
- I.
[c-nsp] DS3 over STM1
Hi all,

I'm in the process of moving one of our remote offices from one carrier to another. At the moment we have an L3VPN terminating GigE at the remote end on a 7301 and DS3 on a G1 with PA-2T3 at the head office. Link does 10Mbit about half split between voice and data.

The new carrier has provisioned a 45Mbit clear channel service with a DS3 at the remote site, and a channelised STM1 at the head office. I can't seem to find a combination of router/card/mux to make this work.

- Cisco 7200 with PA-MC-STM1 can't channelise larger than E1.
- Cisco 7600 with SPA-1XCHSTM1/OC3 can do it according to the spec sheet for the SPA, but is incredibly over-specced and pricey.
- Adtran Opti-3 is SONET/OC3 only (but I can't find confirmation of this).
- Juniper M7i with STM1 IQ PIC can't channelise larger than E1.
- Juniper M7i with OC3 IQ PIC can channelise DS3, but doesn't do SDH framing for STM1.
- The carrier suggested re-engineering the service to deliver 21 E1s and run MLPPP over them. The data sheet for the PA-MC-T3-EC indicates MLPPP is only possible in hardware up to 12 T1s. I doubt MLPPP in software would perform at all, let alone perform well.

I've never worked with channelised services more complicated than DS0s in an E1, so I've got a few questions:

- Has anyone ever done this? What config/hardware did you use?
- Are there any muxes/converters/router interfaces that can do this at the ~20Mbit end of the market?
- Does the Adtran support intermixing of SONET and SDH (DS3 over STM1)?

Many thanks,
- I.
Re: [c-nsp] PXE not working on Cat2948
On Fri, 8 Jan 2010, Jens Neu wrote:
> Anyone seen this before? Any hints where to start looking? The switch looks
> as follows:

Sounds like you need to enable spanning-tree portfast on the interfaces towards the PXE clients. This reduces the link up delay from 50 seconds to about 3. If the switch doesn't forward traffic quickly enough, the NIC may time out and decide PXE is unavailable.

Rgds,
- I.
Re: [c-nsp] Cisco VPN and 64 bit Windows
On Wed, 9 Dec 2009, Marc Haber wrote:

> What are the (dis)advantages of anyconnect?

- It works in more places than IPSec - mostly hotels with dodgy firewalls.
- It's easier to configure for the user. Send them to a URL, enter username and password, client downloads, installs, configures itself.
- I'm not 100% keen on the Mac client. It's clunky and obtrusive. Apple only just got around to including IPSec under Snow Leopard, and have had it on the iPhone for ages. But getting the Apples of the world to include Cisco SSL? By then we'll have yet another VPN technology. The Windows client is a bit better.
- Modifying VPN filter lists using the IPSec client on the ASA was instant. Anyconnect/SSL requires a reconnect for access-list changes to apply.

Rgds,

- I.
Re: [c-nsp] Metro Ethernet Switches
On Tue, 24 Nov 2009, Mohammad Khalil wrote:

> The TACACS could not work well as it was in the previous image, even though I had the same configuration. Any thoughts?

Try adding the plaintext key again ('tacacs-server key xxx'). I've seen some IOS upgrades need it re-obfuscated to make it work. Just copy/pasting the existing obfuscated key won't work.
Re: [c-nsp] BPDU Guard issue
On Tue, 3 Nov 2009, Stanly Johns wrote:

> Is it possible for a BPDU guard enabled switch port to get disabled without connecting any other device than the IP Phone and a PC? I had to do a shut and no shut to bring it up!

I've run into this - VirtualBox uses Windows bridging to handle networking, which runs spanning-tree. Google shows the answer as:

"You can prevent the Bridge from forwarding packets by editing the registry. In your favorite registry editor, navigate to the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BridgeMP

Create a new DWORD value and name it DisableForwarding. Double click the new entry and set its value to 1. You'll need to reboot to apply the change. You can disable the Spanning Tree Algorithm in a similar manner, by creating a DWORD value in the same key called DisableSTA and setting its value to 1."

http://articles.techrepublic.com.com/5100-22_11-5569815.html via http://forums.virtualbox.org/viewtopic.php?f=6&t=6264&start=0.

Rgds,

- I.
Re: [c-nsp] TCP throughput /WAN delay simulation with back to back routers
On Wed, 19 Aug 2009, Thilak T wrote:

> I am trying to test TCP throughput with different variables. I want to simulate a delay of approx 45msec between two test PCs connected to two back to back routers. How do we introduce an artificial delay where the actual delay is only 2-3 msec, using Cisco routers?

Riverbed introduced us to the Network Nightmare, www.networknightmare.net. It's a neat little appliance using the FreeBSD dummynet stuff, without having to maintain it. Incredibly easy to use, although it's pricey if you've got the time/expertise to set up dummynet. Their website is truly awful, but ordering/delivery was fast/easy.

Rgds,

- I.
Re: [c-nsp] IOS XR BFD
Nick 'tarantul' Novikov wrote on 2009-07-03:

> The question arises, why IOS XR can't run BFD with internal BGP peers
> (as old school IOS)?

Because it's assumed you're already using an IGP with which you can use it?

--
Ian Henderson, CCIE #14721
Senior Network Engineer, iiNet Limited
Re: [c-nsp] Automatically Synchronize IOS Router Configurations?
Felix Nkansah wrote on 2009-04-23:

> Among other things, their requirement is for their HSRP or GLBP routers
> to automatically synchronize their running configurations.

You could avoid the problem entirely, but still meet the objective, by using VSS?

Rgds,

- I.

--
Ian Henderson, CCIE #14721
Senior Network Engineer, iiNet Limited
Re: [c-nsp] Not Allowing Vlan 1 on trunk ports
Hitesh Vinzoda wrote on 2009-01-18:

> Is there a way to suppress vlan 1 from passing from a trunk link coz I'm
> not able to shutdown the L2 vlan 1.

It depends on the platform and IOS version. If it works, you'll be able to just use a 'switchport trunk allowed vlan 2,5,6-8' or similar. If that command fails, it will tell you to include VLAN 1 and 1002-1005.

For example, this is on a 2950-24 running 12.1(9)EA1. A more modern IOS would work as intended (only trunking VLANs 2, 3, 4, 5):

switch-1(config)#int f0/1
switch-1(config-if)#switchport trunk allowed vlan 2-5
Command rejected: Bad VLAN allowed list. VLANs 1,1002-1005 are required.
switch-1(config-if)#

Rgds,

- I.

--
Ian Henderson, CCIE #14721
Senior Network Engineer, iiNet Limited
Re: [c-nsp] Catalyst 3750 stacks with many members
jamie rishaw wrote on 2008-11-15:

> Replace them. With Chassis(es).
>
> Stacks are just a bad idea.

Cannot agree more. The problems we've seen with stacks seem mostly related to a master crash. If the master disappears, the slaves wouldn't perform a re-election. Also, the stacking cables seem very fragile - even if they are screwed in properly, a bump can cause the stack to go haywire.

As many others have said, use the chassis individually. If you really need more bandwidth between devices than an Etherchannel of two to four GigE can give you, the 3750 is probably not the platform you're after.

If you're looking for ease of management, use RANCID's 'clogin' and some crafty bash. For example, create a new VLAN on ten switches (I'll ignore the fact VTP can do this for you):

for switch in `seq 1 10`
do
  clogin -c 'conf t; vlan 123; name new_vlan; end; copy run start' sw-$switch.foobar.com
done

--
Ian Henderson, CCIE #14721
Senior Network Engineer, iiNet Limited
Re: [c-nsp] ASR 9000
Pete Templin wrote on 2008-11-12:

> What vendor would think that operators would _want_ side to back?

One that wants operators to purchase the larger, more expensive chassis? :)

- I.

--
Ian Henderson, CCIE #14721
Senior Network Engineer, iiNet Limited
Re: [c-nsp] /31 network
Vikas Sharma wrote on 2008-07-02:

> Has anyone used /31 network instead of /30? I believe this is
> recommended to use /31 network? Need expert comments.

Works fine. Just don't use x.x.x.0/31 or x.x.x.254/31, otherwise you'll get complaints from Windows users that traceroute no longer works.

--
Ian Henderson, CCIE #14721
Senior Network Engineer, iiNet Limited
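The two /31s to avoid are the ones containing an address whose last octet is 0 or 255. The Python below is an added example, not from the post or the list: it carves a constructed documentation pool (192.0.2.0/24) into /31 point-to-point links with the standard `ipaddress` module and skips exactly those two, and it generalises to larger pools, where every /24 boundary inside the pool costs a pair of /31s.

```python
"""Carve a pool into /31 point-to-point links, skipping the two the post warns about.

Added example (not from the original post): uses the standard library
`ipaddress` module on a constructed pool and rejects any /31 that contains an
address whose last octet is 0 or 255, i.e. x.x.x.0/31 and x.x.x.254/31.
"""
import ipaddress


def is_safe_p2p_link(link: str) -> bool:
    """True unless one of the two addresses in the /31 ends in .0 or .255."""
    net = ipaddress.ip_network(link, strict=True)
    if net.version != 4 or net.prefixlen != 31:
        raise ValueError(f"{link} is not an IPv4 /31")
    # Iterating a /31 yields both of its addresses; mask off the last octet.
    return all((int(addr) & 0xFF) not in (0, 255) for addr in net)


def usable_p2p_links(pool: str) -> list[ipaddress.IPv4Network]:
    """Every /31 inside `pool` that passes is_safe_p2p_link(), in address order."""
    pool_net = ipaddress.ip_network(pool, strict=True)
    if pool_net.version != 4 or pool_net.prefixlen > 31:
        raise ValueError(f"{pool} cannot be split into IPv4 /31s")
    return [n for n in pool_net.subnets(new_prefix=31) if is_safe_p2p_link(str(n))]


if __name__ == "__main__":
    # 192.0.2.0/24 is a constructed documentation pool, not a production range.
    links = usable_p2p_links("192.0.2.0/24")
    print(f"{len(links)} usable /31s, first {links[0]}, last {links[-1]}")
```

A /24 yields 128 /31s, of which 126 survive the check; a /23 yields 256 and keeps 252, because both of its /24 halves lose their first and last pair.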
Re: [c-nsp] "service unsupported-linecard"
Kevin Graham wrote on Saturday, 10 November 2007 7:44 AM:

> starting with the Cisco Catalyst 4500 with Cisco IOS Software
> Release 12.2(40)SG, the Supervisor Engine 6-E offers Quack
> support, which detects, disables, and logs counterfeit
> components.

And what an awesome feature name.

--
Ian Henderson, CCIE #14721
Senior Network Engineer, iiNet Limited
Re: [c-nsp] Small 1U-2U DC powered fixed configuration switch
Patrick Muldoon wrote on Wednesday, 22 August 2007 1:51 AM:

> I thought the number of NNI Ports you can use is dependent upon
> image. I think METROIPACCESS removes the limit.

We have a number of ME-3400G-12CS-D running METROIPACCESS with all 12 ports set to NNI just fine.

But for the original question, I'd suggest 2950-DC if you can order it.

--
Ian Henderson, CCIE #14721
Senior Network Engineer, iiNet Limited
Re: [c-nsp] CDP agent for hosts
Dale Shaw wrote:

> I'm looking for recommendations for a third party CDP agent for
> Windows. We have deployed Compuware network probes on PC hardware
> running Windows XP and I'd like to run a CDP agent on them. There are
> a number of options out there and I figure some of you may have some
> good (or bad) tales to tell.

Google provides http://www.tallsoft.com/cdpmonitor.htm. Just quickly installed it on my XP Thinkpad and it works; downside seems to be that it's a bit bloated (client as well as server) and it's nagware.

-------------------------
Device ID: BOUNCER(ianh)
Entry address(es):
  IP address: x.x.x.x
Platform: CPU:1*586; MEM:510M,  Capabilities: Host
Interface: FastEthernet0/0,  Port ID (outgoing port): Intel(R) PRO/Wireless 2200BG
Holdtime : 28 sec

Version :
windows XP build 2600 Service Pack 2
DISK INFORMATION:
C:\ : Fixed Disk
D:\ : CDROM Disk

advertisement version: 2
-------------------------

The output is pretty similar to the CallManager/Communicator CDP from Cisco:

-------------------------
Device ID: SEP00123Fxx
Entry address(es):
  IP address: 10.x.x.x
Platform: Communicator (Windows XP),  Capabilities: Host Phone
Interface: FastEthernet0/21,  Port ID (outgoing port): Broadcom NetXtreme 57xx Gigab
Holdtime : 130 sec

Version :
1, 0, 0, 1

advertisement version: 1
Management address(es):
-------------------------

We also have one for Linux as part of our base install, don't have a URL handy though sorry.

Rgds,

- I.
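Once hosts start speaking CDP, `show cdp neighbors detail` becomes an inventory of what is plugged into each port, and the Host capability is what separates a PC agent from a switch or router. The Python below is an added example, not from the post or the list: it parses a constructed sample in the same layout as the two entries above (the device names come from the post, the addresses are documentation-range placeholders and the third, switch entry is made up) and returns one record per neighbour, plus the subset advertising Host.

```python
"""Inventory CDP neighbours and pick out the ones advertising 'Host'.

Added example (not from the original post): parses constructed
`show cdp neighbors detail` output in the layout of the entries quoted above
and returns one record per neighbour, so that PC-class CDP agents can be
separated from switches and routers.
"""
import re

# Constructed sample. Addresses use documentation ranges; the switch entry is made up.
SAMPLE_CDP_DETAIL = """\
-------------------------
Device ID: BOUNCER(ianh)
Entry address(es):
  IP address: 192.0.2.10
Platform: CPU:1*586; MEM:510M,  Capabilities: Host
Interface: FastEthernet0/0,  Port ID (outgoing port): Intel(R) PRO/Wireless 2200BG
Holdtime : 28 sec

Version :
windows XP build 2600 Service Pack 2

advertisement version: 2
-------------------------
Device ID: SEP00123Fxx
Entry address(es):
  IP address: 192.0.2.11
Platform: Communicator (Windows XP),  Capabilities: Host Phone
Interface: FastEthernet0/21,  Port ID (outgoing port): Broadcom NetXtreme 57xx Gigab
Holdtime : 130 sec

Version :
1, 0, 0, 1

advertisement version: 1
-------------------------
Device ID: sw-2.example.net
Entry address(es):
  IP address: 192.0.2.2
Platform: cisco WS-C2950-24,  Capabilities: Switch IGMP
Interface: FastEthernet0/24,  Port ID (outgoing port): FastEthernet0/1
Holdtime : 150 sec

Version :
(constructed)

advertisement version: 2
"""

_DEVICE = re.compile(r"^Device ID:\s*(.+?)\s*$", re.M)
_IPADDR = re.compile(r"^\s*IP address:\s*(\S+)", re.M)
_PLATFORM = re.compile(r"^Platform:\s*(.+?),\s+Capabilities:\s*(.*?)\s*$", re.M)
_INTERFACE = re.compile(
    r"^Interface:\s*([^,]+),\s+Port ID \(outgoing port\):\s*(.+?)\s*$", re.M)


def parse_cdp_detail(output: str) -> list[dict]:
    """Split the output on its dashed separators and extract each entry's fields."""
    neighbours = []
    for entry in re.split(r"^-{5,}\s*$", output, flags=re.M):
        dev = _DEVICE.search(entry)
        if not dev:
            continue  # text before the first separator, or an empty chunk
        ip = _IPADDR.search(entry)
        plat = _PLATFORM.search(entry)
        intf = _INTERFACE.search(entry)
        neighbours.append({
            "device_id": dev.group(1),
            "ip": ip.group(1) if ip else None,
            "platform": plat.group(1) if plat else None,
            "capabilities": set(plat.group(2).split()) if plat else set(),
            "local_interface": intf.group(1).strip() if intf else None,
            "remote_port": intf.group(2) if intf else None,
        })
    return neighbours


def host_neighbours(output: str) -> list[tuple[str, str]]:
    """(local interface, device id) for every neighbour advertising the Host capability."""
    return [(n["local_interface"], n["device_id"])
            for n in parse_cdp_detail(output) if "Host" in n["capabilities"]]


if __name__ == "__main__":
    for intf, dev in host_neighbours(SAMPLE_CDP_DETAIL):
        print(f"{intf}: host CDP agent {dev}")
```

Run against real output, the records give you an easy diff between the ports you expect to see an agent on and the ones that have sprouted one.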
Re: [c-nsp] Adequate RAM in 7206VXR/NPE-G1?
Rick Kunkel wrote on Saturday, 14 April 2007 6:43 AM:

> Another GigE port is taken by a 100 Mbps Ethernet connection to the
> Internet.
>
> We get full routes from the upstream connected to the above port.

So there's only one Internet connection, right? Then why waste a whole pile of RAM on routing tables you don't need? Just configure the session to filter them until you need them in the future (second Internet link, etc). Or do you need to send a full table to one of your customers?

Rgds,

- I.

--
Ian Henderson, CCIE #14721
Senior Network Engineer, iiNet Limited
Re: [c-nsp] policy routing
Charles J. Boening wrote on Saturday, 31 March 2007 12:52 PM:

> Typical. I think I figured it out after I asked the question.
> Didn't think about it before, but looks like I can match both the
> source IP and the outbound interface and then set ip next-hop to
> force the traffic to the right NAT router. Seems to prevent
> inter-vlan routing between (2,3,4) and (4,5,6) and gets me my desired
> result.

Check out VRF Lite - it does exactly what you're after without the hassle of policy routing (nexthops going down, tracking, etc).

Rgds,

- I.

--
Ian Henderson, CCIE #14721
Senior Network Engineer, iiNet Limited