Re: [c-nsp] global.xls?

2012-07-25 Thread Jason Gurtz
[N.B. I hate these kinds of threads, but nonetheless think this is a valid
operational concern]

> Cisco sells through Partners. Part of the money Partners make is
> their own set of pricing which they're free to define.

This is not always true. For example, I work for a quasi-city-government
agency that can leverage a contract the state has negotiated with Cisco
(fixed % discount off list). There are other outside contracts we could
leverage too. If the price is >$12K we have to buy via the state contract,
go out to bid, or do an RFP (in ascending order of badness). It is illegal
for us to do otherwise; we either get nn.n% off list price or Cisco loses
the sale and our project dies. Suckage all around, for sure.

I'm sure they all attempt to make it up in services since clearly there is
little margin on HW (outside of Cisco themselves anyway).

--

I and other customers have presented valid reasons for having list pricing
information, easily available in a self-service way. The evidence (below)
shows this access is very difficult to achieve for a variety of reasons.

BTW, someone replied off-list with another resource; thank you very much
sir! Still, I'd like to see this resolved outside of what I perceive to be
a grey area.

I tried a couple years ago to get direct purchase access added to my CCO
and failed. Now, I tried following through again, having learned here
about the PICA program. One of our partners is CDW-G (government arm of
CDW, Inc.). They are large; you may have heard of them. I've got an
account manager there who has been very helpful in all things for the
6.5ish years I've been here. He had no idea anything like the PICA program
existed prior to my mentioning it. He's been working internally and with
Cisco at my request for about a week now. In the middle of this, an agent
with Profile Management at Cisco confirmed the 4 ways to get list pricing
data [in no particular order and I paraphrase]:

1. Become a partner
2. Get direct purchase access
3. Bother your partner.
4. The PICA Program

As of today I have communication from our account manager stating our only
option with him is #3; he will provide this service as frequently as
monthly, emailing the 13MB file *when I ask*. He also states CDW-G is not
our "Partner of Record," probably because of various deal-making others
here have done during large projects. I give him a lot of credit for
trying to help as the email trail shows his Cisco reps are about as
helpful as our Cisco reps (i.e. not very!). I guess it doesn't help as
much as I thought to be big and platinum coated!

Although he won't say it directly, whoever the Cisco Partner
Administrator is at CDW will not grant us #2 and has determined that the
PICA program grants additional access beyond just pricing information.
They, apparently, have determined these things are not in CDW's best
interest as a profitable entity. Conjecturing, maybe it's the lack of
Partner-of-Record status. Cisco, please address these likely-valid partner
concerns in your tools and programs. Option #3 is like publishing a paper
catalog; it's obsolete. Please fix this.

Asbjorn's earlier "can provide" is certainly not "must provide." I failed
to recognize RFC 2119 applies here ;)

I'm unsure if it is worthwhile to bother our other partner over in Rhode
Island. They are much, much tinier than CDW, probably worsening the odds
of available success outcomes (which I define as #2 or #4). I mentioned
global.xls to our account manager there once a while back and she said,
"what's that?" If I do bother to train and inform them in subjects that
Cisco has not, what should I do if they also refuse to give us access?

~JasonG

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Small, Low Power Cisco Router Recommendation

2012-07-23 Thread Jason Gurtz
> The Cisco 806, on the other hand, looks great, especially for the 1mbit
> application. Is there another Cisco router like that but with 10/100
> Ethernet ports?

cisco871-sec-k9 is about 100 bucks now. You might save 20 going with the
base model.

~JasonG



Re: [c-nsp] global.xls?

2012-07-18 Thread Jason Gurtz
> I assume you're talking about the global price list.  If you've got the
> right CCO privileges, you can download it.  It's updated daily.  I think
> you need 'reseller' or 'buys direct from Cisco' status to get access.

Awesome, I don't have that access but last time I think our rep supplied
it when I asked nicely.

Inconvenient, but I guess that's expected.

~JasonG 



[c-nsp] global.xls?

2012-07-18 Thread Jason Gurtz
Is this file still maintained/made available? Mine is from 24-sep-2010 and
there's been a lot of new stuff since then and I rely on that for
budgeting projects.

~JasonG






Re: [c-nsp] Small DC switch design

2012-05-15 Thread Jason Gurtz
Your size sounds fairly close to our situation... Do you have a spare
fiber pair going to each location?

> Right now each of the 7 buildings has a 3560G as an aggregation
> switch connected back to the DC.  The DC also has a few 3560G's and
> 3750G's for the sans and servers.
[...]
> What I would like to know (costs being the biggest factor) is what
> would be a better switch design for the current and future traffic in
> this network.  Some options I was thinking about are as follows:

Without more details I'm guessing here. Like many smaller shops I've been
around the thing has grown from a long time ago and there may be a
primarily flat L2 design in place, maybe there are some vlans. Maybe there
is some (or a lot of) daisy chaining of switches; maybe the spanning-tree
configuration hasn't gotten a lot of thought. OTOH, hopefully you're in a
better spot than this?

In the Cisco world I think you're right on the money with Cat45xx; the
49xx series are related... Skim over this document and see if the general
idea makes sense. You have L3 capable switches everywhere so it's a no
brainer in a way:
https://www.cisco.com/application/pdf/en/us/guest/netsol/ns432/c649/ccmigration_09186a00805fccbf.pdf

We used this as a model, a pair of 4900M switches as the core and a few
4507-E w/SUP-6E as our access switches running OSPF; it is collapsed-core
w/10G links fanning out (no separate distribution layer). As a whole we
are very happy with the system. The nice thing about routing everything is
it fails in more pleasant ways than the typical spanning-tree disaster.

The 45xx line has seen a major upgrade. You probably want a "+E" chassis
instead of "-E". Also, the SUP-7E is out and it has netflow amongst other
upgrades. There is an SUP-7L-E as well for a cheaper option. Check with
your rep about bundles as it's definitely money saving. For the core, look
at the 4900M or the newer 4500-X; these two switches are basically a
semi-fixed version of the cat45xx (fixed sup, replaceable line cards).
Note with sup-7 based switches you are going to IOS-XE instead of classic
IOS. Another budget-wise choice for the core and aggregation may be the
ME3600X/ME3800X. It's marketed at the ISP space but search through the
archives of this list for discussion of it.

Even if you aren't going down the road of L3 in the access layer I can't
recommend enough making sure a hierarchical design is in place. It is much
easier to troubleshoot and changes are much easier to implement.

~JasonG





Re: [c-nsp] Network Security.

2012-03-07 Thread Jason Gurtz
> this. Should I be able to take a personal laptop that is not setup on our
> domain, plug into our network, obtain an ip address dynamically through
> our cisco router and browse the internet?

As other posts have alluded, there is a lot more to this question than
meets the eye.

If the business policy dictates that byod/guest access is to be allowed (a
likely scenario in many cases IMHO), there is a baseline architecture to
improve security. Create a guest vlan/subnet on the switch to be used by
guests or other unmanaged devices. Create ACL entries on the switch so
guest devices can only access the Internet and can't access the other
internal vlans. Your 861W can do this.

Things start to get more interesting if there will be an AUP/Captive
portal, port security a la 802.1X, a need for guests to access certain
internal resources, or a guest wireless infrastructure.

~JasonG

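As an added example, not from the original post, here is the guest VLAN plus ACL baseline described above written out for an 8xx-class router with built-in switch ports running IOS 15.x. Everything specific is assumed: VLAN 20 on 192.168.20.0/24 for guests, the corporate LAN on 192.168.1.0/24 behind Vlan1, the WAN on FastEthernet4, and a provider resolver at 203.0.113.53 (RFC 5737 documentation space standing in for a real address).

```cisco
! Added example, not from the original post. Assumed: IOS 15.x on an
! ISR 8xx with integrated switch, WAN on FastEthernet4, corporate LAN
! on Vlan1 (192.168.1.0/24), guest VLAN 20 on 192.168.20.0/24, provider
! DNS at 203.0.113.53 (placeholder).
!
vlan 20
 name GUEST
!
ip dhcp excluded-address 192.168.20.1 192.168.20.9
ip dhcp pool GUEST
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1
 dns-server 203.0.113.53
 lease 0 4
!
! Inbound filter on the guest SVI. Order matters: the DHCP permit comes
! before the private-range denies, and the final permit is "everything
! else", i.e. the Internet.
ip access-list extended GUEST-IN
 remark DHCP client -> server (discover/renew to this router)
 permit udp any eq bootpc any eq bootps
 remark no guest traffic into any internal address space, including
 remark the router's own internal addresses (manage it from Vlan1)
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark whatever is left is public address space
 permit ip any any
!
interface Vlan20
 description Guest / unmanaged devices
 ip address 192.168.20.1 255.255.255.0
 ip access-group GUEST-IN in
 ip nat inside
 no ip redirects
 no ip proxy-arp
!
! Guest-facing switch port(s). "switchport protected" keeps guests from
! reaching each other through the switch; the SVI ACL above never sees
! intra-VLAN traffic, so it cannot do that job.
interface FastEthernet3
 description guest port
 switchport access vlan 20
 switchport protected
!
! Guests and the corporate LAN both PAT out the WAN interface.
ip access-list standard NAT-SOURCES
 permit 192.168.20.0 0.0.0.255
 permit 192.168.1.0 0.0.0.255
ip nat inside source list NAT-SOURCES interface FastEthernet4 overload
```

To check it, plug an unmanaged laptop into FastEthernet3, confirm it gets a 192.168.20.x lease, then try to reach a corporate host and a public site: `show ip access-lists GUEST-IN` should show the deny counters climbing for the first and the final permit for the second, and `show ip nat translations` should show the guest address being overloaded onto the WAN interface. A guest wireless SSID on the 861W would be mapped onto the same VLAN 20 so that it inherits the same filter.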


Re: [c-nsp] DC and Campus with N7K

2012-02-23 Thread Jason Gurtz
> Could you suggest us the best practices to design a DC and Campus?
> 
> Currently we have only 2xN7K and we need deployment both networks (Campus
> and DC).

It's an interesting question, but could you be a tad more specific?

~JasonG



Re: [c-nsp] Cisco's new 4500-X 10G Aggregation Switches

2012-02-10 Thread Jason Gurtz
> So finally - a 10G 1RU SFP+ access device.  It seem to be targeted at
> enterprise aggregation but I imagine would have some appeal in service
> provide space too given the form factor and the fact that the only 10G
> alternates are 3560E-12D's (with X2), Nexus, and upwards from there is
> of course the 4500/6500 chassis based units.

Cat45xx-sup7 in a nice little box? Looks like a much improved 4900M in
many ways (1U-ness, SFP+-ness, perf upgrade, airflow path). Moves from 800
to 1100BTU/hr, but can't see that mattering in the applications I'm
thinking of.

Hopefully cheaper than the Nexus5500/2000fex route for us smaller folks.

~JasonG



Re: [c-nsp] 8.3 nat question asa

2011-08-26 Thread Jason Gurtz
> I have defined dynamic source nat rule:
> 
> Here is the relevant config:
> 
> object network obj-10.201.0.0
>  subnet 10.201.0.0 255.255.0.0
> 
> object network obj-2.2.2.102
>  host 2.2.2.102
> 
> nat (inside,outside) source dynamic obj-10.201.0.0 obj-2.2.2.102

Food for thought (not sure if this is worse/better/same). Say the outside
interface, 2.2.2.102, is part of network 2.2.2.96/28
!
object network Obj-Everything
 subnet 0.0.0.0 0.0.0.0
!
! Subnet that non-employees end up on; they go out via a different
! public IP
object network Obj-Guest-Net
 subnet 172.20.0.0 255.255.0.0
!
object network Obj-Everything
 nat (inside,outside) dynamic interface
object network Obj-Guest-Net
 nat (inside,outside) dynamic 2.2.2.103

> What i am looking to do, if possible (i believe it should be) is do a
> static mapping from the outside of 2.2.2.102:80 to a single ip address in
> the 10.201.0.0/16 net, for ex 10.201.10.10:80
>
> [...]
>
> Is that correct? Also, what is the syntax for mapping only port 80 of
> obj-2.2.2.102 to obj-10.201.10.10?
> so, obj-2.2.2.102 port 80 to obj-10.201.10.10 port 80

"Map all ports on public IP x to private IP y" should be similar but we
have only implemented the latter, more specific case:

object network HostName1_TCP7979
 host 10.201.1.10
object network HostName1_TCP
 host 10.201.1.10
!
object-group service HostName-Ports tcp
 description GPIM active tcp ports
 port-object eq 7979
 port-object eq 
!
access-list Inbound extended permit tcp any host 10.201.1.10 object-group
HostName-Ports log
!
object network HostName1_TCP7979
 nat (inside,outside) static interface service tcp 7979 7979
object network HostName1_TCP
 nat (inside,outside) static interface service tcp  
!

I do remember the sh run output for the object related commands in 8.3
seemed a little wacky, but looking at this I'm not sure if we tried
something like this or not:

Object network HostName1_PortMap
 host 10.201.1.10
 nat (inside,outside) static interface service object HostName-Ports

~JasonG

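An added example, not from the original reply, showing the two mappings asked about above in ASA 8.3+ object NAT: every port of 2.2.2.102 to 10.201.10.10, or only TCP/80, plus the inbound ACL that has to accompany either. The addresses are the ones from the thread; the object and ACL names are assumed.

```cisco
! Added example, not from the original post. ASA 8.3 or later.
! Addresses are from the thread; object and ACL names are assumed.
!
! Outbound PAT for the inside range, as object NAT (section 2) so that
! the static entries below are evaluated ahead of it.
object network obj-10.201.0.0
 subnet 10.201.0.0 255.255.0.0
 nat (inside,outside) dynamic 2.2.2.102
!
! Option A: one-to-one static, every port on 2.2.2.102 reaches
! 10.201.10.10. Use A or B, not both: two statics for the same real host
! and the same mapped address overlap.
object network WEB-SRV-ALL
 host 10.201.10.10
 nat (inside,outside) static 2.2.2.102
!
! Option B (tighter): only TCP/80. In object NAT "service" takes a
! protocol and a real/mapped port pair, so each exposed port is its own
! object, as with the 7979 example earlier in the thread. "interface"
! means the outside interface address (2.2.2.102 here); a specific IP
! can be named instead.
object network WEB-SRV-TCP80
 host 10.201.10.10
 nat (inside,outside) static interface service tcp www www
!
! In 8.3 the interface ACL matches the REAL (untranslated) destination,
! so the rule names 10.201.10.10, not 2.2.2.102. Permit only the port
! the NAT exposes; everything else inbound hits the implicit deny.
access-list OUTSIDE-IN extended permit tcp any host 10.201.10.10 eq www
access-group OUTSIDE-IN in interface outside
```

`show nat detail` lists the resulting order (statics ahead of the dynamic PAT within section 2), and `packet-tracer input outside tcp 198.51.100.7 40000 2.2.2.102 80` walks an inbound connection through NAT and the ACL without needing a client. One caveat: if the dynamic rule is left as the original `nat (inside,outside) source dynamic ...` form, that is a section 1 (twice NAT) rule and is matched first for outbound traffic from the server; it still works here because the mapped address is the same 2.2.2.102, but it is easy to get surprised by when the addresses differ.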


Re: [c-nsp] GRE tunnel to do span vlan across two datacenters?

2011-07-06 Thread Jason Gurtz
> Since GRE isn't supported on the 3750, it seems like a non-starter. While
> you can configure GRE, it is all done in software thus impacting all
> control plane traffic. As well bridging isn't supported over GRE.

Quite an interesting point here. I remember looking at the guy funny when
he said it and now I really wonder what the heck he was planning on doing!

Thanks for all the responses everyone,

~JasonG



Re: [c-nsp] GRE tunnel to do span vlan across two datacenters?

2011-07-06 Thread Jason Gurtz
> If I get the pictures right, you could get away with a VLAN on C1 with
> two ports in dot1q tunnel mode + l2protocol tunnel stp, and a similar
> situation in C2, so V1 and V2 will have their own spanning tree and C1
> and C2 will not participate in it (if you need also L3 in V1/V2, you will
> have to use a different physical interface).

Hadn't thought of this little gem but it could be a pretty great solution.
There are L3 needs which could get a little messy, but hey it's messy any
way it goes I think.

> But I'd rather use dark fiber if at all possible, as Gert said.

Unfortunately, there are only two pairs available so it seems to me like
stp is needed in the core to maintain redundancy. Stp is not the end of
the world though it's been a Cadillac ride without :)

> Or elaborate on the fact that Layer 3 is by definition the layer where
> things like forwarding, routing around failures, etc. take place, and
> servers should learn to live with it: this is hard to swallow after years
> of VMware and Microsoft NLB, but that's the hard truth.

Thankfully, no consultant has uttered NLB yet but I'm not holding my
breath!

~JasonG



[c-nsp] GRE tunnel to do span vlan across two datacenters?

2011-07-06 Thread Jason Gurtz
A firm has proposed creating a GRE tunnel between two datacenters (using a
3750X stack at each) to create the spanned vlans needed for VMWare
failover application.

Clearly there is tunnel overhead but I sense there are other failure modes
here that aren't so clear to me--I am familiar in concept with GRE tunnels
but don't have a heck of a lot of opex. Can anyone share more insight on
the merit (or lack of) with this proposed design? I am aware (via this
list, thanks!) of several shortcomings surrounding 3750 based stacks, but
cisco alternatives seem pricier still or too big. There is dark fiber
available, what about VPLS w/ LDP or L2TP solution?

Current network is L3 at the access layer w/ OSPF (4507-sup6 access, 4900M
cores):

      A1
     /  \
    /    \
   C1----C2
    \    /
     \  /
      A2

Maybe it is better to just overlay stp back on to the network w/root and
alt-root at C1/C2 (V1 and V2 are the proposed 3750X stacks)? Scary to me,
but an argument can be made for less complexity -vs.- tunneling/vpn
based approach.

 A1 .V1
 /\ . ' /
   /. ' \ /
 C1--C2
   \` . / \
 \/ ' . \
 A2 'V2

OTOH, by the time this actually gets done maybe TRILL will be out ;)
Hopefully this enterprisy topic is not too OT!

~JasonG





Re: [c-nsp] VSS - Horror stories, show-stoppers, other personal experience?

2011-06-17 Thread Jason Gurtz
> Has anyone had personal experience with a VSS deployment?  If so, do you
> have any horror stories, caveats, and/or recommendations?  I'm also
> interested in people's experience with IPv6 implementation in a VSS
> environment.

Another BU runs a pair of VSS systems here as cores for a MAN network.
They primarily do Q-in-Q tunneling to extend the reach of L2 networks. It
is a hybrid approach and they have some VLANs in a star topology using
port aggs and also bridged to some attached L2 rings. Lotta L2 going on...

This network was initially not VSS and they decided to add it for
redundancy. We had one crash/reboot recently but did not open a TAC case.
The last thing in the log was a "VSL Down" type error. The VSL is a single
10G link sup to sup. Maybe someone bumped the connector? Interesting that
it would cause an attempted failover and reboot of active sup.

SXH train is running, so a move to SXI would probably be a good idea as
well as configuring additional VSLs on the line cards. The spanning tree
took about 5 min to settle out which is how we discovered the issue. Can't
wait to retire our old 3Com based L2 network trunked to this thing!

The only other weird thing I can think of is their sales rep screwed the
pooch; the initial chassis is a 6509-V-E and the 2nd chassis is a 6509-E
(cards horz.) Fugly, but it works and they don't care :)

~JasonG



Re: [c-nsp] off-topic NMS Suggestion

2011-05-18 Thread Jason Gurtz
> Commercially talking, I've seen Solarwinds have nice user-friendly
> product family named Orion, there are a few nice tools, it's built on a
> modular base, so you can buy only one, or integrate few of them.
> And is not really expensive, prices are reasonable.

As a Solarwinds customer let me say a few words...

It is a pretty decent product from an interface perspective and yes, not
too expensive in the grand scheme of things. It is full-featured and not
too fiddly.

However, installation/maintenance of the software is a huge time sink. It
is so bad that our policy is to always hire a consultant to come on-site
and do the upgrade. The consultant is typically on the phone with
Solarwinds support for most of the day dealing with some database or
licensing issues. If it were a free or open source application this would
be expected. In the commercial world, a bit more polish is expected of a
$30K piece of software. Make sure you budget for this kind of time or
level of support if you go there.

The hardware requirements are also a bit of a concern as one scales up;
make sure you have enough RAM and disk I/O.

Caveat Emptor!

~JasonG



Re: [c-nsp] 3560 vs 4948 shared buffer memory

2011-03-09 Thread Jason Gurtz
> We also experience drops on our 3560's - Out of interest, what is the price
> difference between the 3560's and 4948's? (I'm guessing substantial?)

Almost an order of magnitude on the cost... Basically you're getting a
4500 in stackable format.

Another option may be the new ME series: ME 3600X. It's a little more than
half the cost of 4948E though is only 24 ports.

~JasonG



Re: [c-nsp] Pointer to PPPoE docs for 887 CPE?

2010-12-20 Thread Jason Gurtz
> This requires pppoeoa support / configuration on BRAS. You can
> configure pppoeoa on CPE but it will not negotiate as server will be
> expecting PPPoA encap and you are sending PPPoE.

Thank you Vikas and Brian,

I'm pretty sure the BRAS is set up in this way as other operational dsl
configs we have with ATT are very similar to what Brian showed.  The
difference in this case is the location is on one of the "extended dslam"
devices.  We are looking at a L1 issue as I went onsite myself and
observed CD light is transitioning from slow blink-> fast blink -> solid
on -> off.

Can't trust the ATT folks as they were even unable to provide correct
VPI/VCI numbers (had to figure out via the ATT equipment).

~JasonG



[c-nsp] Pointer to PPPoE docs for 887 CPE?

2010-12-17 Thread Jason Gurtz
All the Cisco Documentation seems to assume that the ATM interface will be
used for VDSL or PPPoA.  PPPoE is shown running over Eth0 and we'd like to
ditch the ATT provided "modem" device.

Are there any IOS 15 examples out there for running the PPPoE dialer over
ATM0.1 on this device?

~JasonG




Re: [c-nsp] CCO Login to ftp.cisco.com hosed [was Re: FYI: SXI5 posted]

2010-11-09 Thread Jason Gurtz
> What's more while waiting for the server farm to work out how to serve
> web pages I've discovered that my FTP access to CCO has now also been
> lost so I can't get in that way either anymore.  I can log in with my
> CCO login just fine but can't get into the /cisco directory to get at
> the images.  Has anyone else recently lost their FTP access or was it
> just me?
> 
> ftp> cd cisco
> 550 /cisco: Permission denied
> ftp>
> 
> That most definitely used to work.

I got an email notification in September that ftp access was going
anonymous only and things would be restricted in early October.  I guess
we now know how far behind the web team is.  ;)

I had a short conversation with ftp_download_feedb...@cisco.com about how
bad of a decision this was, business cases, etc...  A fruitless waste of
time I see.

~JasonG



[c-nsp] Feedback on upcoming removal of FTP access to secured software

2010-09-14 Thread Jason Gurtz
[Comments in-line]

> From: ftp_download_feedback(mailer list)
> [mailto:ftp_download_feedb...@cisco.com]
> Sent: Monday, September 13, 2010 20:47
> Subject: Important Message from Cisco Technical Support Manager, Software
> Downloads
> 
> Cisco has recently reviewed its download processes and will only be
> providing anonymous access for software in the future via ftp.cisco.com.
[...]
> This is a courtesy notice informing you that any software requiring login
> or contract access will no longer be available for download directly from
> ftp.cisco.com beginning early October 2010.

Dear Cisco Manager:

This is a poor decision and should be reconsidered; Cisco should be
expanding, not reducing FTP access.  One should be able to login via ftp
with their CCO ID/password and download full encryption software.  If
business needs dictate, then via FTP over SSL or a similar secure,
ftp-like protocol such as sftp (part of ssh).

The Cisco website is almost unusably slow and continues to be poorly
organized. It fails to be a good alternative to ftp access.  Often, the
site corrupts its cookies and the user needs to manually delete all
cisco.com cookies to be able to use various features of the site (such as
software download).  This occurs across all browsers and has been
happening FOR YEARS.  I recognize the challenge of designing and running a
very large and complex website.  Somehow though, other very large
companies with very large websites are able to provide a tolerable web
experience.  Cisco has deeper pockets than most; make it work!

> You can use the Software Download
> <http://www.cisco.com/cisco/web/download/index.html>  area on Cisco.com
> to download all software going forward.

This feature of the Cisco website has been somewhat improved since it was
originally rolled out. However it is still slow and very cumbersome to
use. On the other hand, there is the FTP access to software which is
typically fast and has little to complain about, other than the
unavailability of software with encryption capability.

Thank you for your time and consideration,

Jason Gurtz

-- 




Re: [c-nsp] pix vs asa

2010-08-06 Thread Jason Gurtz
> I already have those rules
> But it can't work
> 
> Any hints?

May be worth asking: are you running 8.3 on the ASA?

Significant changes to NAT there.

~JasonG



Re: [c-nsp] Anyone else seeing downloads not working

2010-07-26 Thread Jason Gurtz
> No problems here from 93.160.0.0/13. (I hope I didn't jinx it this
> way. :-)

I was able to get it working by using Internet Explorer.  Strange that a
browser could affect the Java applet.  Perhaps a cookie issue in the
Chrome profile.

~JasonG



[c-nsp] Anyone else seeing downloads not working

2010-07-26 Thread Jason Gurtz
Non-java option gives a 404 or connection reset.  Java download
mis-manager just says error after each item.

Am I the only one seeing this?

~JasonG



Re: [c-nsp] Ethernet Interfaces Speed and Duplex - Force or Auto

2010-05-21 Thread Jason Gurtz
> It's more a matter of personal annoyance at network admins that refuse
> to acknowledge that devices change and problems evolve, and insist that
> "the rules that we have learned last century are cast in stone and must
> be followed to the end".  The auto-neg/no auto-neg discussion is very
> prototypical for that :-)

I've no idea how the CCIE re-cert process goes, but it would be great if
they added something to that process to wake up the elderly CCIEs out
there to this issue.

We have one that comes here from time to time on a contractual basis and
I'm always setting things back to auto after he leaves.  Unfortunately,
he's bringing up the CCNPs in his Co. to do the same thing :(

I have to admit to half-believing this same idea 'till I read a post and
comments on Greg Ferro's blog:
http://etherealmind.com/network-dictionary-mythinformation/

Lately he followed up with details:
http://etherealmind.com/ethernet-autonegotiation-works-why-how-standard-should-be-set/

There *is* some stuff around here that doesn't auto-neg properly--100% old
scada-related gear.

~JasonG



[c-nsp] What is the secret of getting actual support?

2010-05-18 Thread Jason Gurtz
I've had a ticket open for 3 weeks now and it's not going anywhere.  I
don't care at all that it's been 3 weeks or even if it had been 6 months,
since this is not a critical "network down" issue.  It has been escalated
to a "Team Leader" and while he is at least reading and understanding the
submitted facts on the case, it seems like he is trying to get me to give
up on getting the bug fixed rather than get something done and make
progress with internal teams.

Should I ask for another escalation?  Will our Cisco account manager
actually do something?  The issue has to do with a bug in a Cisco owned
automated submission system.

I feel like I bought a Huawei or something! ;)

~JasonG





[c-nsp] Lead time abating?

2010-05-07 Thread Jason Gurtz
We recently placed an order for an ASA 5520.  Vendor reports lead time of
3 weeks.

Seems good :)

~JasonG




Re: [c-nsp] compact flash modules for Sup720-3bxl..

2010-02-26 Thread Jason Gurtz
> Unfortunately you can't just use any flash card in the 6500/7600.
> Theoretically all that is required is a standard ATA CF but I have
> found that not all work.
> 
> You can find more info on the CF card like so "show disk0: filesys"
> 
> I have only had good experiences with:
> ATA CARD GEOMETRY
>Manufacturer Name  SanDisk
> 
> ..but I am sure there are others that work okay.

Recently, on another mailing list, a developer working with ATA drivers
made claim that SanDisk is known to follow the ATA specs accurately,
unlike many other manufacturers.  Something about a RESET command or
something.  Maybe the SUP is sensitive to these kind of things and doesn't
have workarounds coded up.

Around here SanDisk isn't too expensive, so it seems like good peace of
mind.

~JasonG



Re: [c-nsp] Comparision between Cisco and Juniper Data Center Switches

2010-02-25 Thread Jason Gurtz
> 1. [...] few EX4200 Switches (Edge)
> 2. [...] 2 Nexus 5000 + Nexus 2000 fabric extender (Edge).
> 
>Which Proposal is best and why? comments needed.

One trivially obvious difference:  Nexus 5k  + 2K is L2 only while EX4200
is L3 capable.

~JasonG



[c-nsp] [SUMMARY]: 4900M vs. 4503 for core

2010-01-28 Thread Jason Gurtz
> Is there anything glaringly wrong with choosing the 4900M using twin-gig
> based connections to the access layer over the 4503 Sup6 and 46xx line
> cards in our situation?

Thanks all for the replies!  A person also responded privately with the
opinion that most people want Netflow down the road.  Unfortunately, since
Netflow has been removed from the 45xx with the Sup6 it would require 65xx
at $$++.  Squarely in the want vs. need bucket for us.

Unfortunately, I left out that most of the gig uplink connections are
fiber so a 3560G doesn't have enough SFP ports.  I did find the
WS-C3750G-12S-E which looks like the good low-cost option.  On the minuses
side, it's a softswitch, and no 10G uplinks for linking in the server
access switches.  The main downside here is advocating for their
replacement and purchasing strategies around here.  eBay, used equip.,
etc... are pretty much verboten.  Basically, if we buy these now, they'll
be here in 5 years and forklifting the network core could be painful.

Point well taken on the stacking related maintenance downtime issue.  We
plan on doing pure routing and GLBP so thankfully this wouldn't affect us.
This issue will bite us with the server access layer. :(  I'll join the
many who want this problem to go away.

The availability issues with 45xx and 49xx shouldn't be a problem as
4507's are being spec'ed for some access switches and we have until
summertime to do this.  It's interesting though, makes me wonder if it's
just really high demand, or C pushing other platforms.

I discovered the 4928-10G, but the 4900M config comes in cheaper,
apparently due to only needing one 8 port card.  I'm assuming the 2:1
oversubscription is not an issue when running these 10G ports at 1G.  Only
thing is 2000W of power supply vs. 600W.  It does seem silly to do the
twingig thing; if only there was a 20-port sfp halfcard!

Thanks again,

~JasonG


Re: [c-nsp] Self rebooting pix?

2010-01-28 Thread Jason Gurtz
> We had this issue on a 525 and opened a TAC case. We provided Cisco with
> sh tech (I think) and the root cause was a code issue (ver. 6.x)
> concerning the number of connections.

Never called the TAC here but that sounds about right.  At the time we
experienced this we were adding PAT mappings as well as steadily
increasing the amount of IPSEC client connections and adding user
accounts.

7.0 series has user account corruption issue and we have a case open on
it, though I hope to go Justin's way and have an ASA here in the near
future.

~JasonG


[c-nsp] 4900M vs. 4503 for core

2010-01-27 Thread Jason Gurtz
We are doing a long overdue redesign of our network as part of a voip
implementation, hopefully ending up with a collapsed core w/routed access
layer.  A consultant has proposed the 4507 as access switches and a pair
of 3750-E switches as the core.  The 3750-E seems a strange choice to me
for a few reasons and I'm thinking a pair of 4900M or 4503 switches would
be a better fit looking forward.

We are a smaller shop (7 access switches including the datacenter) with
100Mb desktops and a mix of 100/1000 for servers.  Switch-to-switch trunks
are 1Gb.  The number of access switches is very unlikely to change and we
could, in the future move to a 10Gb.  The 4900M solution would save a
non-trivial amount over 4503 with Sup6.

Is there anything glaringly wrong with choosing the 4900M using twin-gig
based connections to the access layer over the 4503 Sup6 and 46xx line
cards in our situation?

~Jason


Re: [c-nsp] Self rebooting pix?

2010-01-25 Thread Jason Gurtz
> After each drop this counter returns to 0 which tells me the Pix is
> rebooting for some reason.
[...]
> experienced this.  The software rev is 6.3.

We experienced this on a 515E running 6.3 code.  A move to the 7.0 series
solved this issue.

I can't remember what exactly we saw using console but IIRC was something
like runaway memory use.

~JasonG



[c-nsp] Info on the C2350

2009-11-13 Thread Jason Gurtz
Just got off the horn with a Cisco SE and he related that this switch is
basically a 3560E with toned down features introduced for the "competitive
market."  Is that 4MB shared per 16 ports for the buffers then?

The guy was pushing nexus 5k hard (and FCoE) but I think that's outside of
the budget as is, unfortunately, the 49xx.  I've been burning the brain on
all the iSCSI vs. FC[oE] vs. NFS and have come to the conclusion that in a
VMWare environment the only thing FC has over hardware accelerated iSCSI
is lower latency.  Since we're not a super or scientific computing
facility I'm not sure that even that matters.

Thanks for all the responses on the previous thread; I learned a lot.

~JasonG




Re: [c-nsp] 3750G vs. Nexus for a SAN

2009-11-09 Thread Jason Gurtz
> I realize this is cisco-nsp, but does anyone have any opinions on the
> Force
> 10 S-series for top-of-rack?  Especially for iSCSI SAN.  I've long been
> frustrated with Cisco's lack of a cost-effective "48 ports of gigE with
a
> 10ge uplink" switch.  I don't really *need* a $12,000 layer 3 switch (or
> two) at the top of every rack in my data center!

Another thing we found when considering 1G w/ 10G uplinks and value is
Fujitsu XG0448.

~JasonG


Re: [c-nsp] 3750G vs. Nexus for a SAN

2009-11-09 Thread Jason Gurtz
> Any reason why you wouldn't go for fcoe on nexus 5k? :)

It does look like that is what the box is really for.  To answer the
question, it all depends on what SAN goes in.  A lot of the newer stuff
with better value is iSCSI only and eschews FC in any form.

Maybe a better question to ask is how does the nexus 5k fare against 49xx
switch doing iSCSI?

~JasonG


Re: [c-nsp] FTP seems to work

2009-09-25 Thread Jason Gurtz
> You won't find crypto images there, but it has lots of other stuff, and
> is massively easier to negotiate than the web site.

Ahh yes, thanks for the clarification, that would explain the missing k9

Suckage...back to the perl idea...

~JasonG



[c-nsp] FTP seems to work

2009-09-25 Thread Jason Gurtz
I was about to write a little perl to further address the recent outcry
over the cisco.com Java misfeatures when lo, I discovered
ftp://download-sj.cisco.com will accept my cco login id/pass.  I poked
around and discovered /cisco/ios and /cisco/ciscosecure/pix seemed to have
what I'd be looking for.

Is this new or just a secret DL feature?

~JasonG


Re: [c-nsp] Some advice on switches....

2009-05-14 Thread Jason Gurtz
> Somewhere between 2012 and 2020 it mentions 40G/100G interfaces.

I'm sitting here wondering if the current "E" backplane is up to that at
80G? So 2x40G ports per chassis looks like 100% subscribed.  100G looks to
me like a no go w/o a forklift?

~JasonG



[c-nsp] Stratum 0 PPS Hardware clock compatibility

2009-03-26 Thread Jason Gurtz
I have found a lot of documentation online that states the 7200 is the
only Cisco device that supports a PPS hardware clock via the Aux port.  I
see recommendations for Trimble Acutime 2000 since replaced by mfr. and
other solutions but these documents are a few years old.  Has this feature
been added to other platforms such as the 6500 series?

~JasonG


[c-nsp] Stability of PIXOS 7.0.8 interim builds

2008-09-24 Thread Jason Gurtz
I'm looking to mitigate the recursive DNS behind NAT port de-randomization
issue and see that 7.0.8-1 and greater have the fix (we're on 7.0.8 GD
now).

Please comment on the stability of the 7.0 Interim train or 7.0.9
availability if you have experience.

Thanks,

~JasonG


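The post above is about a resolver sitting behind PIX NAT losing its source-port randomization. The quickest way to confirm whether the fix actually took is to capture the outbound queries on the outside of the firewall and score the UDP source ports. The block below is an added example (not from the original post, not Cisco code) that parses tcpdump-style lines and reports whether the port sequence looks sequential or random; the capture lines, the resolver address 203.0.113.5 and the thresholds are constructed assumptions for the example.

```python
import random
import re
import statistics

# Matches the source address/port of a DNS query in tcpdump's default IPv4 output, e.g.
# "IP 203.0.113.5.54321 > 198.51.100.53.53: 1234+ A? example.com. (29)"  (assumed format)
QUERY_RE = re.compile(r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > \S+\.53: ")


def source_ports(tcpdump_lines, resolver_ip):
    """Return the UDP source ports of queries sent by resolver_ip, in capture order."""
    ports = []
    for line in tcpdump_lines:
        m = QUERY_RE.search(line)
        if m and m["src"] == resolver_ip:
            ports.append(int(m["sport"]))
    return ports


def port_randomness(ports):
    """Score a port sequence. A NAT that rewrites ports sequentially shows up as
    small deltas between consecutive queries and a tiny spread of port values."""
    n = len(ports)
    if n < 10:
        return {"samples": n, "verdict": "INSUFFICIENT"}
    deltas = [abs(b - a) for a, b in zip(ports, ports[1:])]
    sequential = sum(1 for d in deltas if d <= 2) / len(deltas)
    distinct = len(set(ports)) / n
    spread = statistics.pstdev(ports)
    # Thresholds are assumptions for this example, not a published standard.
    good = sequential < 0.1 and distinct > 0.9 and spread > 5000
    return {
        "samples": n,
        "sequential_fraction": round(sequential, 3),
        "distinct_fraction": round(distinct, 3),
        "port_stddev": round(spread, 1),
        "verdict": "GOOD" if good else "POOR",
    }


def constructed_capture(ports, resolver_ip="203.0.113.5"):
    """Constructed tcpdump-style lines for an offline run; not a real capture."""
    return [
        f"12:00:{i % 60:02d}.000000 IP {resolver_ip}.{p} > 198.51.100.53.53: "
        f"{1000 + i}+ A? example.com. (29)"
        for i, p in enumerate(ports)
    ]


# Two constructed samples: what a sequential NAT looks like, and what a randomizing one looks like.
SEQUENTIAL_SAMPLE = list(range(3000, 3050))
RANDOM_SAMPLE = random.Random(1).sample(range(1024, 65536), 50)

if __name__ == "__main__":
    for name, sample in (("sequential", SEQUENTIAL_SAMPLE), ("random", RANDOM_SAMPLE)):
        seen = source_ports(constructed_capture(sample), "203.0.113.5")
        print(name, port_randomness(seen))
```

In practice, feed it `tcpdump -n -i outside udp dst port 53` output taken on the public side of the NAT, and make sure the sample covers at least a few dozen queries so a single burst does not dominate the score.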

Re: [c-nsp] IPsec Throughput on Cisco 800 series routers

2008-07-29 Thread Jason Gurtz
> Greetings, anyone have any 800 series routers deployed to remote sites
> to terminate vpn tunnels?  We have an 871 deployed to a remote
> location/country that we are experiencing some throughput issues with.

We have some out there.  They seem to have no problem saturating the
~600Kb of upload bandwidth we have on a PPPoE ADSL line.  Our traffic is
primarily live video, no VoIP so far...

~JasonG


Re: [c-nsp] Error

2008-07-01 Thread Jason Gurtz

> Then write an updated RFC that changes the standards to reflect this
> behavior, and get it published and accepted.

Looks like 5821 will have to do (3821/4821 already taken) and be great
when everyone's compliant by the year 2030.  In the meantime, BATV (draft
is: draft-levine-smtp-batv-01) can be of help.  Helpfully, it even breaks
most C/R systems as well :)

~JasonG


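For readers who have not met BATV: the draft the post cites tags the envelope sender of outbound mail so that a bounce coming back to an untagged (or badly tagged) address can be rejected at RCPT TO, which is what kills backscatter and, as noted, most challenge/response systems. The block below is an added example (not code from the post, the draft or any product) using the prvs layout as I read draft-levine-smtp-batv-01: key number, three-digit expiry day, six hex digits of HMAC-SHA1. The key material is constructed, and the exact byte ordering of the HMAC input is an assumption for the example rather than a claim about the draft.

```python
import hashlib
import hmac
import re

# Constructed signing keys for this example; a real deployment loads these from a
# key store and rotates them by key number.
BATV_KEYS = {0: b"constructed-example-key-0"}
MAX_LIFETIME_DAYS = 30  # longest tag validity we honour (assumed policy value)

PRVS_RE = re.compile(
    r"^prvs=(?P<k>\d)(?P<ddd>\d{3})(?P<sig>[0-9a-f]{6})=(?P<local>.+)$", re.IGNORECASE
)


def _tag_signature(key_no, ddd, address):
    # Assumed HMAC input layout: key number, expiry day, lower-cased address.
    msg = f"{key_no}{ddd:03d}{address.lower()}".encode()
    return hmac.new(BATV_KEYS[key_no], msg, hashlib.sha1).hexdigest()[:6]


def batv_sign(address, today, lifetime_days=7, key_no=0):
    """Rewrite MAIL FROM on outbound mail: user@example.com -> prvs=KDDDSSSSSS=user@example.com.
    `today` is a day counter; only its value mod 1000 matters."""
    local, domain = address.rsplit("@", 1)
    ddd = (today + lifetime_days) % 1000
    return f"prvs={key_no}{ddd:03d}{_tag_signature(key_no, ddd, address)}={local}@{domain}"


def batv_verify(rcpt, today):
    """Validate the RCPT TO of an inbound bounce. Returns (ok, reason, original_address)."""
    local, domain = rcpt.rsplit("@", 1)
    m = PRVS_RE.match(local)
    if not m:
        return False, "no prvs tag", rcpt
    key_no, ddd = int(m["k"]), int(m["ddd"])
    original = f"{m['local']}@{domain}"
    if key_no not in BATV_KEYS:
        return False, "unknown key number", original
    if not hmac.compare_digest(_tag_signature(key_no, ddd, original), m["sig"].lower()):
        return False, "signature mismatch", original
    # ddd wraps mod 1000, so "days until expiry" is computed mod 1000 as well.
    if (ddd - today) % 1000 > MAX_LIFETIME_DAYS:
        return False, "tag expired", original
    return True, "ok", original


def bounce_rcpt_policy(mail_from, rcpt_to, today):
    """At RCPT TO: a null-sender (MAIL FROM:<>) message is a bounce, so accept it only if
    the recipient carries a tag we issued; otherwise 5xx reject so it never enters the queue."""
    if mail_from not in ("", "<>"):
        return 250, "2.1.5 OK"
    ok, reason, _ = batv_verify(rcpt_to, today)
    if ok:
        return 250, "2.1.5 OK"
    return 550, f"5.7.1 Unsolicited bounce rejected ({reason})"


if __name__ == "__main__":
    tagged = batv_sign("alice@example.com", today=100)
    print(tagged)
    print(bounce_rcpt_policy("", tagged, today=100))
    print(bounce_rcpt_policy("", "alice@example.com", today=100))
```

The outbound side has to rewrite every envelope sender consistently (including mail relayed from internal systems), or legitimate bounces to untagged addresses will be refused along with the backscatter.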

[c-nsp] PIX 515E Ethernet MDI/MDIX troubleshooting

2008-06-27 Thread Jason Gurtz
Is there a way to manually select MDI/MDIX mode on the Ethernet interfaces
of the PIX 515E?  Is there any debugging capability?  From my looks about
at cisco.com it would appear that they're standard MDI ports and no
debugging commands seem applicable... :(  Some background:

We've had a problem with an IPS device (layer7 bump in the wire) deployed
at the edge outside the PIX device and have received a replacement box.
The Ethernet ports on the IPS feature Auto-MDIX capability or can be
manually set to either MDI or MDIX mode.  Previously, we left the IPS in
its default Auto setting and statically configured speed and duplex.  This
worked fine with standard patch cables.  On the replacement box I could
not get the ports to link between it and the PIX no matter if I set the
IPS ports manually at MDIX or MDI mode or left it at auto.  I just
discovered that cross-over cables make the PIX<->IPS link up (crossover
cable works no matter if manually configured or auto). OK, so I figure the
replacement has semi-borked ports.  But... 

More bizarrely, the replacement IPS links just fine using regular or
crossover patch cables to a 3Com 5500 series switch or to an old ThinkPad
G40 laptop with a 10/100 port.  I dunno maybe I'm just wasting time here
but it would make me feel better if I could see some debugging errors and
not feel crazy.

~JasonG


Re: [c-nsp] Simulating high Latency on LAN

2008-05-09 Thread Jason Gurtz
> I am trying to simulate a latency of 128kbps of bandwidth and 50ms+
> latency in a lab.

This came up on nanog just the other day. See the thread, "Introducing
latency for testing," in the archives:


~JasonG


Re: [c-nsp] Prepare for router Wednesday

2008-03-11 Thread Jason Gurtz
>   Actually, I know who did this and they're on the list
> last I knew, so there is a chance for your feedback to be read.

Hey that's great. :)

>   I think it's a challenge coming with any system that is
> perfect.  The issue here is balance.  This strikes a balance in
> favor of expecting a level of uptime from your ISPs.  If they
> were rebooting once a month you might not be very happy.

As another person noted, severe issues will be dealt with on demand so
it's not as bad as it could be.  Yet, who decides if an issue is severe?
Why should Cisco be determining the maintenance window to this IMO rather
lengthy degree.  Granted, we're not talking about windows patching, but
still...

Also agreed, it's a tough balance.  However, I'm a big believer in
properly implemented maintenance windows.  This means *actually
communicating* to the customer well ahead of time and then periodic
reminders about these service outage events.  Having a regularly scheduled
window (also w/ reminders all over) also is a big help.  There are always
corner cases, but people can be manipulated into being happily flexible.

My experience has been this:  I call a day ahead of time and let foo
business dept know that I will be taking equipment off line for 10
minutes.  The manager is pissed but generally relents.  On the next day,
the manager stalls and I have to stay later to do the work.  My experience
is also this:  I call a week ahead of time with the same 10 minute outage.
I follow up a couple of days before the event with a reminder, "are you
still all set?"  Manager happily accommodates and everything generally
works out with little fuss (barring technical difficulties). Not only
that, they become happy that the I.T. staff is proactive and looking out
for *their* best interest.  The greater the outage, the further out the
communication...this obviously also varies with what equipment and impact,
etc...

Different markets are different, but I would hope ISPs would consider
taking a similarly proactive approach to patching.  I know none of mine do
:(  I especially hope their vendor will not dictate their approach for
them.

~JasonG



Re: [c-nsp] Prepare for router Wednesday

2008-03-11 Thread Jason Gurtz
> So we need to wait 6 months for security patches if an exploit which
> may affect us is discovered on the fourth Thursday of September?
> That's crazy! Let Enterprise customers wait if they want, I want my
> security patches ASAP so we can test them for a few days then deploy
> network wide. Does anyone else think this is not a rational change?

Monthly has seemed to be a reasonable trade-off between attack window and
manageability.  6 months seems like...yo wtf is in charge there that made
this heinous decision?

Please change this policy Cisco.

~JasonG (med. size enterprise admin)



Re: [c-nsp] 100G Switch

2008-03-05 Thread Jason Gurtz
Thanks to everyone for all the responses (public and private).
They were all illuminating  :)

~JasonG



[c-nsp] 100G Switch

2008-02-26 Thread Jason Gurtz
Does anyone have clue about what switch product line(s) will possibly be
line card upgradeable to 802.11ba?

We're in process of building out a citywide MAN with a 10G core and trying
to plan for a possible 5-10 years out upgrade to 100G.  We *don't* want to
get stuck with a forklift upgrade if at all possible.

Any advice appreciated.

~JasonG



Re: [c-nsp] ASA Firewall vs IOS

2008-02-26 Thread Jason Gurtz
> Thanks... I was afraid of that.  Have ran FW on IOS for various
> reasons but it's definitely no match for the ASA stuff... got a
> couple of offline replies stating that MSN still isn't
> blockable at the application level in the FW Feature Set..
> shame...

We run a tipping point outside our pix for this type of filtering.  Our
Cisco rep would prefer we not, but it just works, has decent reporting,
etc...

Might be worth a look.

~JasonG



Re: [c-nsp] Windows networking across subnets

2008-02-19 Thread Jason Gurtz
> He will need a WINS server if he is wanting what I think he is (I'm a
> network guy but our shop is an enterprise windows 2003 AD setup).
> What he is most likely wanting is to beable to see other computers on
> differnet subnets through network neighborhood.

If cost of a machine is the issue, it may be worth mentioning that SAMBA
under Linux et al can function perfectly well as a WINS server to provide
cross-subnet browsing through Network Neighborhood.  Besides the browsing
I'm pretty sure there are some other edge/corner cases where WINS is still
a necessity.

Enabling broadcast forwarding just seems... eughhh.

~JasonG



[c-nsp] PPPoE L2 timeout recovery

2008-02-04 Thread Jason Gurtz
I have a 3640A with a WIC1-ADSL residing in an NM-1FE1R2W.  IOS is
12.4(13b)

Periodically, about every month or two, the dsl link will drop and
debugging output shows:
... Sending PADI: vc=0/35
... padi timer expired

Doing a shut no shut on atm2/0 seems to bring the line up back up and it
then works fine for another month or two until I have to do it again.  The
amount of traffic doesn't seem to trigger this behavior.  The shut no shut
seems to cause a line retrain on this platform since the CD light goes out
after the shut.  

Is this necessarily an ISP problem, or is there something I might be
missing on my end like overflowing some NAT table or something?  Any other
config I should provide?

~JasonG



Re: [c-nsp] counterfeit?

2008-01-25 Thread Jason Gurtz
> I don't know if the secret key has been compromised, or if the cloners
> just have access to a really large sample set, but these days they
> seem to have no problem defeating the check and producing Cisco-branded
> optics which work in any system.

Back when I was doing my "pre-ebay" research (was buying some used Cisco
gear for home) I came across stories of the actual Cisco contracted
manufacturers running a "fourth shift," with which they churn out some
numbers of off the book production that goes directly on the black market.

Of question, is if this style of counterfeit gear is the testing rejects
or just serial number forgeries.

~JasonG



Re: [c-nsp] Some assitance please...

2008-01-24 Thread Jason Gurtz
> [...] I imagine I will need the VPI /VCI, but what
> other information would be needed?

You can ask them about the VPI/VCI and they may know but it's usually
0/35.  Other than that there's lots of example configs out there on how to
configure Cisco stuff with dsl.

I'll throw a positive vote for the exercise as Cisco gear at least offers
troubleshooting tools and good hardware support.  I don't find it any more
difficult to troubleshoot than discrete componentry.

~JasonG


Re: [c-nsp] Cisco PIX Device Manager

2008-01-23 Thread Jason Gurtz
> Classification INTERNAL :The contents of this mail are restricted to
> being within Patni. Its non-compliance violates the Patni BPO policy

Sorry no one is allowed to answer!

[REDACTED to protect my innocence!]

~JasonG


Re: [c-nsp] OT: How do you fight spam in your enterprise? I need help

2007-12-28 Thread Jason Gurtz
> I should be glad that you share with me on how you manage and fight
> spam in your corporate networks.

For a small on-topic addition I will start by saying this:  On any Cisco
device between your smtp gateway and the Internet, be sure to save "no
fixup smtp" to your config.  fixup smtp is buggy and will cause heartache
at some point.

Wow, I can't believe how many people are recommending the 'cuda!
Definitely do some additional research into this company's quality of
support and especially their technical competence, etc... before going
with this one!  'nuff said  ;)  Hint: search the SPAM-L archives...

Speaking of SPAM-L, it would be a good idea to join and lurk over there.
You'll learn a lot and hey, your question would even be On Topic there.

Control who accesses your SMTP infrastructure:
1. Use the BOGON list in your edge gateway/firewall device.

2. Selectively block IP ranges mentioned on SPAM-L as above

3. Use the Spamhaus ZEN RBL and 5xx reject anything matching at your
public mail exchanger

4. Consider greylisting...although the Ironport will not do this as of
yet, people report that it is still quite effective when properly
implemented.

5. Get rid of any backup mail exchangers you might have.

You will probably be rejecting close to 98-99% of spam just by doing the
above 5 things with virtually no false positives.  Content filtering on
the remaining sludge will eliminate almost all the rest.

Appliance type devices:
I can personally vouch for the Ironport.  We have found it to be extremely
effective both in terms of %spam caught and low false positives.  Once
setup it requires very little administration.  Unfortunately, it is also
extremely expensive (starts somewhere around $7K USD with support) so may
not be an option for many smaller shops.

At the old place (where the budget was small to the point of being almost
non-existent) I had rigged up an open source solution consisting of
sendmail and a milter known as MIMEDefang which ran ClamAV and
SpamAssassin and filtered SMTP according to certain rules.  It was
similarly effective to the Ironport here, but took a whole lot more admin
hours to manage.  The coup de grâce of the mess was MIMEDefang.
Unfortunately, like many powerful tools, it requires an extensive
knowledge (in this case Perl, Sendmail, and SMTP, and the many delicate
interactions in between) in order to get the best use out of it.  I hear
that some people now run MIMEDefang under Postfix, which must certainly be
higher performance.

The developer of MIMEDefang has a commercial product you may want to look
at called CanIT Pro.  Highly recommended and the company clue factor is
high.  The appliance version pricing is competitive with the bargain
basement 'cuda.

No matter what solution you choose, make sure it is capable of doing LDAP
lookups into your active directory in order to 5xx reject (NOT NDR
bounce!!!) mail to invalid users.  The latter 3 solutions can all do that;
I've no clue if the 'cuda can, though most don't. :(

Politics:
We here do not quarantine or drop spam.  Instead we tag the subject line
and have rules setup in the MUAs to filter the spam out of the Inbox.
This way the user is responsible for purging the spam.  Also, this way,
false positives if any are found more often than not w/o a help desk call.
As such, our primary I.T. burden with external mail is LARTing the
"innocent" yet generally clueless senders out there who wish to
communicate with us.  We try to be friendly :)

Finally:
If you don't understand mail, retain the services of someone who does.

~JasonG


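The five steps in the post above are, in effect, a connection-time policy: look the client up in a DNSBL and reject with a 5xx if listed, otherwise greylist, otherwise accept. The block below is an added example of that policy (not code from the post, from Spamhaus, Ironport or any of the products named) written as a single RCPT TO decision. The query-name construction is the standard reversed-octet form used by DNSBLs, the return codes are the ones Spamhaus publishes for ZEN, and the DNS answers, the 300-second greylist delay and the /24 keying are constructed assumptions for an offline run.

```python
import ipaddress

ZONE = "zen.spamhaus.org"

# Listing codes the ZEN zone returns, per Spamhaus's published documentation.
ZEN_LISTS = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL-CSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}


def dnsbl_name(ip, zone=ZONE):
    """Build the lookup name: reversed octets for IPv4, reversed nibbles for IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(addr.exploded.split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def dnsbl_listings(a_records):
    """Map A records from a ZEN answer to list names. Answers in 127.255.255.x are
    error codes (open resolver, query limits, ...) and must never count as a listing."""
    return sorted({ZEN_LISTS[r] for r in a_records if r in ZEN_LISTS})


class Greylist:
    """Triplet greylisting keyed on (client network, sender, recipient). A client's
    first delivery attempt gets a temporary failure; a retry after `delay` seconds
    is let through. Keying on the /24 tolerates senders that retry from a sibling MTA."""

    def __init__(self, delay=300, retention=86400 * 5):
        self.delay = delay
        self.retention = retention
        self.seen = {}  # triplet -> time first seen

    def decide(self, ip, sender, rcpt, now):
        addr = ipaddress.ip_address(ip)
        prefix = 24 if addr.version == 4 else 64
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        key = (str(net), sender.lower(), rcpt.lower())
        first = self.seen.get(key)
        if first is None or now - first > self.retention:
            self.seen[key] = now
            return False
        return now - first >= self.delay


def rcpt_policy(client_ip, sender, rcpt, resolver, greylist, now):
    """SMTP response for RCPT TO. `resolver(name)` returns the A records for name, or []."""
    hits = dnsbl_listings(resolver(dnsbl_name(client_ip)))
    if hits:
        return 554, f"5.7.1 Service unavailable; {client_ip} listed in {'/'.join(hits)}"
    if not greylist.decide(client_ip, sender, rcpt, now):
        return 451, "4.7.1 Greylisted, please try again later"
    return 250, "2.1.5 OK"


# Constructed DNS answers for an offline run; no network queries are made.
FAKE_DNS = {
    dnsbl_name("192.0.2.10"): ["127.0.0.4"],          # listed in XBL
    dnsbl_name("198.51.100.7"): ["127.255.255.254"],  # an error code, not a listing
}


def fake_resolver(name):
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    g = Greylist()
    for t in (1000, 1100, 1400):
        print(t, rcpt_policy("198.51.100.7", "a@example.org", "b@example.net", fake_resolver, g, t))
    print(rcpt_policy("192.0.2.10", "a@example.org", "b@example.net", fake_resolver, g, 1000))
```

Do the DNSBL check before greylisting, not after, so listed hosts are refused outright instead of being taught to retry; and treat the 127.255.255.x answers as "lookup broken, fail open" rather than as a hit, or a misconfigured resolver will bounce all your inbound mail.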

Re: [c-nsp] Cisco IOS support for blksize / rfc 2348

2007-11-06 Thread Jason Gurtz
> I use tftpd32 for windows platforms and freebsd or sol9.

I'll second that, lightweight, easy to use, and just works.  We've had no
problem working with a mélange of 87x, a 3640A, PIX 512e, and 3com 5500
series switches.

~JasonG


Re: [c-nsp] DSL router recommendation

2007-10-10 Thread Jason Gurtz
> Get the ethernet ones only. Your provider can provide the dsl/atm
> modem/bridge.
> 
> Much more flexible and likely to be more reliable, [...]

I can't second that.

It is more flexible (what if we switch to cable internet...), but not
likely to be more reliable.  Add to that the mess of more wires due to the
daisy chaining and increased complexity in troubleshooting (is it the
modem or the router?).

Here in the N.E. of the US we get primarily ADSL from or resold from AT&T.
Bog standard.  Over the years, SNET/SBC/AT&T has supplied consumer grade
speedstream or netopia equipment and neither has been stellar from a
quality standpoint.

Lately they supply a Netopia 3346N mini router/adsl modem unit that can
also be configured as a bridge (plain dsl modem).  For a while these
devices came with an underspecced power supply which resulted in higher
spec circuits spontaneously dropping and retraining.  Rev2 of this
hardware fixed this...

One time a SBC tech was out troubleshooting why a line was intermittently
dropping on a line with the older speedstream CPE.  The noise profile was
marginal and the speedstream equipment was at fault (admittedly years in
service).  Cisco hardware with an adsl wic card was brought in to
replace and noise profile became close to perfect.  IOS also has atm and
pppoe debugging which the consumer grade telco equipment lacks.

You are guaranteed compatibility when using telco supplied service but I
would say this is a negligible advantage.  Cisco makes it pretty clear
which dslams they are compatible with and if it turns out to not work,
just RMA...  The only real minus I can think of is lack of auto vpi/vci
(maybe they are just pre-programmed in the telco CPE?) and those aren't
that hard to get.

~JasonG



Re: [c-nsp] Cisco 851 3DES Performance

2007-09-12 Thread Jason Gurtz
> I can't seem to find anything real world as to how much 3des
> throughput these can do


shows 8Mbps.  The 870 series does 30Mbps, is similar to 850 series and
would be much cheaper than a jump to the 18xx

~JasonG
