[c-nsp] Unable to remove Netflow Commands from 6503 VSS stack.

2014-08-11 Thread Joseph Hardeman
Hi Everyone,

I am hoping someone can help me out.  I was recently told by one of our
network engineers that they cannot remove the netflow commands from a
pair of VSS stacked 6503's.  We are running s2t54-ADVIPSERVICESK9-M IOS.

He mentioned he needs to reboot the 6503's to hopefully fix it.

Has anyone else run into this problem?  And if so, how did you fix it?

I would prefer not to break the VSS setup and reboot the routers if
possible.

Thanks in advance

Joe
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] Cisco 6503 Sup2T Engine block outbound TCP or UDP Port traffic

2014-02-01 Thread Joseph Hardeman
Hi Everyone,

I have a SUP2t engine running IOS s2t54-ADVIPSERVICESK9-M version and I am
wondering if there is a way to filter or block TCP or UDP port traffic.

I know how to NULL route IPs but I don't know if there is a way to block
or deny traffic based on destination ports and also based on IP ranges.

Any ideas would be much appreciated.

Joe


Re: [c-nsp] Traffic Monitoring Question

2013-12-23 Thread Joseph Hardeman
Hi Everyone,

Happy Holidays and thank you all for your responses, I am checking out the
different products people have mentioned on this thread.

Take care and thank you

Joe


On Tue, Dec 17, 2013 at 10:35 AM, Dobbins, Roland wrote:

>
> On Dec 17, 2013, at 10:26 PM, Mark Tinka  wrote:
>
> > The two are detached, in my mind, but I can see how some might not have
> seen that way, hence...
>
> My apologies for being so dense as to fail to understand that you meant
> what you said literally, heh (and I was a bit puzzled, given that we've
> known one another for quite some time).
>
> ;>
>
> Many thanks for hitting me with the clue-bat, heh.
>
> ---
> Roland Dobbins  // 
>
>   Luck is the residue of opportunity and design.
>
>-- John Milton
>
>


[c-nsp] Traffic Monitoring Question

2013-12-13 Thread Joseph Hardeman
Hey Everyone,

I have been having a discussion with some of my guys about the different
ways to monitor network traffic and what the best products out there are to
help do this.

So I got curious to see what everyone thinks and uses to keep an eye on
their networks.  I presume you are using something to monitor the cisco
netflow output.

Thanks

Joe


Re: [c-nsp] Nexus 2232PP FEX Switch Question

2013-12-10 Thread Joseph Hardeman
Hi Everyone,

Thanks for the responses, I appreciate it.

Stephen,

I will probably stick with the 5000 series, maybe just use 5010's since I
have a pair at a facility I am shutting down, I will simply move them over.

Ray,

The TAC guy I was speaking with, said there might be a way to "trick" them,
but I don't want to do something janky.

Phil,

You're correct, I shouldn't be calling them switches.

Thanks again everyone.

Joe


On Tue, Dec 10, 2013 at 9:00 PM, Phil Bedard  wrote:

> So the first issue, and probably the root of it, is you are calling the
> FEX a "switch", and it's not a switch.  It doesn't do any local switching
> itself and the FEX ports do not support running STP, so it really is meant
> to connect to L3 devices. There is no way to disable BPDUGuard.
>
> If the switches are just homed to the FEX you could run a VPC and just
> turn off STP on the downstream switch. But if you had say multiple
> switches connected to each other which then connected to the FEX that's not
> going to work.  The only alternative is use some other method to block
> links like Flex links.
>
> Phil
>
> On 12/10/13, 7:56 PM, "Joseph Hardeman"  wrote:
>
> >Hi Everyone,
> >
> >I knew I should have come here first but I went with the word of a CCXX
> >something or another (Director of IT) from a vendor and a couple links he
> >sent me.  After I explained the setup I was putting together and how
> >everything needed to work together, he told me that the Nexus 2232PP
> >Switch
> >could do what I wanted and needed.
> >
> >I have a pair of 2232PP FEX switches that we just got to extend our 5000
> >series switches from one cage to another (I have never worked with the FEX
> >Switches before, so I should have done better homework).  We were going to
> >use the pair of FEX switches to provide redundant links to additional
> >switches from which I was going to connect to customer switches or
> >firewalls.  While going through the initial config today on setting up the
> >VPC port on say Eth100/1/1 for my first test switch, I got an error saying
> >that the VPC could not be added as there was one already applied.
> >
> >I reached out to the TAC Contact I have that has helped me out this week,
> >and he told me that the FEX Switches were never meant to connect to other
> >switches and the BPDUGuard would shut down the ports to the switch shortly
> >after the ports come up.  And it was not just this model but any FEX
> >Switch.
> >
> >So my question to you guys is, (drum roll please):
> >
> >Does anyone have a Nexus 2000 FEX Switch Pair doing VPC Port Channel to
> >another switch instead of a host/server?  And if you do, how did you make it
> >work?  I am considering returning these switches as I can't use them right
> >now and I really need a usable pair of switches for the 10G+ cage to cage
> >connectivity and then 1 or 10G to either my switches or customer switches,
> >which my switches then step down to either 100M or 10M if needed.
> >
> >Is there a FEX switch that will do this? (imagine the full mesh setup)
> >
> >routers -> 5000Switch -> FEX Switch -> 2960G or 3560G (for example) switch
> >-> Possible other switching/firewall gear -> end system
> >
> >Can you recommend any other switch that can do what I want, or should I
> >just get another pair of 5000 series switches?
> >
> >Thanks,
> >
> >Any thoughts or suggestions would be helpful.
> >
> >Joe


[c-nsp] Nexus 2232PP FEX Switch Question

2013-12-10 Thread Joseph Hardeman
Hi Everyone,

I knew I should have come here first but I went with the word of a CCXX
something or another (Director of IT) from a vendor and a couple links he
sent me.  After I explained the setup I was putting together and how
everything needed to work together, he told me that the Nexus 2232PP Switch
could do what I wanted and needed.

I have a pair of 2232PP FEX switches that we just got to extend our 5000
series switches from one cage to another (I have never worked with the FEX
Switches before, so I should have done better homework).  We were going to
use the pair of FEX switches to provide redundant links to additional
switches from which I was going to connect to customer switches or
firewalls.  While going through the initial config today on setting up the
VPC port on say Eth100/1/1 for my first test switch, I got an error saying
that the VPC could not be added as there was one already applied.

I reached out to the TAC Contact I have that has helped me out this week,
and he told me that the FEX Switches were never meant to connect to other
switches and the BPDUGuard would shut down the ports to the switch shortly
after the ports come up.  And it was not just this model but any FEX Switch.

So my question to you guys is, (drum roll please):

Does anyone have a Nexus 2000 FEX Switch Pair doing VPC Port Channel to
another switch instead of a host/server?  And if you do, how did you make it
work?  I am considering returning these switches as I can't use them right
now and I really need a usable pair of switches for the 10G+ cage to cage
connectivity and then 1 or 10G to either my switches or customer switches,
which my switches then step down to either 100M or 10M if needed.

Is there a FEX switch that will do this? (imagine the full mesh setup)

routers -> 5000Switch -> FEX Switch -> 2960G or 3560G (for example) switch
-> Possible other switching/firewall gear -> end system

Can you recommend any other switch that can do what I want, or should I
just get another pair of 5000 series switches?

Thanks,

Any thoughts or suggestions would be helpful.

Joe


[c-nsp] Per Vlan Bandwidth Policing

2013-03-21 Thread Joseph Hardeman
Hi Everyone,

I have been asked to look into setting up per vlan bandwidth limiting with
burst.  I was sent this link and was wondering about what everyone else
does.

http://ccietobe.blogspot.com/2009/02/3560-qos-per-port-per-vlan-policing.html

Basically we want to limit a vlan network for normal traffic to say 100M
but also allow for bursting to double that from our edge routers to the
access ports.  I have been told that rate-limiting works great on ports but
might have issues or not work correctly when set on vlan interfaces.

Suggestions are welcome on the best and easiest way to do this.

Thanks in advance.

Joe


Re: [c-nsp] VSS to vPC - vPC to Etherchannel

2013-03-16 Thread Joseph Hardeman
Hi Gert,

I was thinking about it today and it was only last year that I got this
advice from the CCIE we were working with at the time.  I should have
questioned his recommendation and kept using the mode auto like I had been
doing.

Joe

On Sat, Mar 16, 2013 at 2:36 PM, Gert Doering  wrote:

> Hi,
>
> On Sat, Mar 16, 2013 at 11:28:42AM -0400, Joseph Hardeman wrote:
> > No actually they are configured as "mode on" no LACP.  I spoke with a CCIE
> > a couple of years ago and he told me to use mode on from switch to switch
> > and lacp from switch to server so that's what I am putting in.
>
> That was years ago, and is not good advice today.  Probably wasn't good
> advice then, but that depends on "how many years ago"...
>
> With LACP you'll *know* that both ports belong to the same channel on the
> other side, and both are ready to be used, not "uh, link up, but line card
> crashed" or "this is a multichannel LAG, and one of the chassis' is just
> booting and not really participating yet", or such.
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
> // www.muc.de/~gert/
> Gert Doering - Munich, Germany
> g...@greenie.muc.de
> fax: +49-89-35655025
> g...@net.informatik.tu-muenchen.de
>


Re: [c-nsp] VSS to vPC - vPC to Etherchannel

2013-03-16 Thread Joseph Hardeman
Hey Andrew,

Last night we removed one of the fibers on a port-channel that was showing
up and re-inserted it.  The link stayed down/down.  I decided then to stop
until I had a chance to do more research and try to figure out why the
interfaces and port-channels were coming up with the other side being down.


I want to put in the port channels to the vPC on the 5010 stack for
redundancy and better throughput for my customers, but I also don't want
to create issues for myself.  LOL   I have one 2960 that did not come
up/up when I set up the 5010 sides.  I guess I will just have to bite the
bullet and go down and remove the port-channel configurations from the
2960's and redo them one at a time and bring the links up on the 5010's.

I am with you, I think the problem is on the 2960's even though I was told
that dual-sided vPC wasn't supported on the 5010's.  I have one dual-sided
vPC up and running to the 2960's so I don't see how it can't be done.  :-)

Thanks for the advice on defaulting the ports and re-creating the
port-channels.

Joe

On Sat, Mar 16, 2013 at 12:02 PM, Andrew Miehs  wrote:

> The port channel would be up as soon as one of the interfaces is up using
> static port-channels.
> Which interfaces are you using on the 2960? I know you have probably
> checked, but do they stay up when you remove the cables?
> You don't have anything like "no negotiate auto" enabled on the interfaces?
>
> What does (on the 2960G - as that is where I would guess the problem is)
> show etherchannel summary
> show int g0/? (channels in etherchannel)
> show run int g0/?
> show run int port?
>
> You may want to try default the old interfaces and creating a new
> port-channel...
> Seems to have helped some people in the past with strange portchannel
> issues...
>
> Good luck...
>
> Andrew
>
>
>
>
>
> On Sun, Mar 17, 2013 at 2:28 AM, Joseph Hardeman wrote:
>
>> Hi Andrew,
>>
>> No actually they are configured as "mode on" no LACP.  I spoke with a
>> CCIE a couple of years ago and he told me to use mode on from switch to
>> switch and lacp from switch to server so that's what I am putting in.
>>
>> Any thoughts on why the 2960's ports would turn up even with the 5010's
>> ports shut down?
>>
>> Joe
>>
>>
>> On Sat, Mar 16, 2013 at 12:30 AM, Andrew Miehs  wrote:
>>
>>> How did you configure the port channels? I assume you have configured
>>> them to use lacp?
>>> Show etherchannel summary shows?
>>>
>>>
>>> Sent from a mobile device
>>>
>>> On 16/03/2013, at 13:14, Joseph Hardeman  wrote:
>>>
>>> > Hi Everyone,
>>> >
>>> > I saw a very strange thing tonight while putting some vPC ports to some
>>> > access switches.  So my Topology is a VSS stack to a pair of 5010 over vPC.
>>> > I then have an active vPC from the 5010's to one 2960G port-channel.  I
>>> > now have this connected to several other 2960G's that are connected over
>>> > port-channels and I was wanting to connect those 2960's directly to the
>>> > 5010 over vPC, just like the first one is, for failover and redundancy.
>>> > Now with the ports on the 5010 in shutdown and the port channel in
>>> > shutdown, as soon as I apply the config on the port connected to a 2960,
>>> > the ports on the 2960 go from down/down to up/up even though the 5010 ports
>>> > are shutdown.
>>> >
>>> > So several questions, why would the ports on the 2960's come up and what
>>> > can I check to see if something else is happening.  Second, is this path a
>>> > supported configuration?  I mean, I have been told that it's not "Supported By
>>> > Cisco" so that is their way of saying "weird stuff will happen".
>>> >
>>> > If I can't have vPC going to my VSS engines and then on the other side have
>>> > vPC going to another switch, then there goes the benefit of using VSS or
>>> > vPC and I might as well have just put everything down single links and not
>>> > even worried about providing instant failover on the chance I lose one of
>>> > the VSS Engines or a vPC switch.
>>> >
>>> > Any thoughts on what I am seeing?  I haven't seen anything like it before.
>>> >
>>> > Thanks
>>> >
>>> > Joe


Re: [c-nsp] VSS to vPC - vPC to Etherchannel

2013-03-16 Thread Joseph Hardeman
Hi Sander,

I will let you know if I find anything that tells me what is going on.

Thanks

Joe

On Sat, Mar 16, 2013 at 10:17 AM, Sander Steffann wrote:

> Hi Joe,
>
> > Any thoughts on what I am seeing?  I haven't seen anything like it
> before.
>
> I don't know what you are seeing, but I am building a similar setup at the
> moment (6500-Sup2t VSS + 5548 vPC) so I would be very interested if you
> find anything. My current problem is doing VPLS on the VSS, but what you
> describe might affect me as well later in the project.
>
> Thanks,
> Sander
>
>


Re: [c-nsp] VSS to vPC - vPC to Etherchannel

2013-03-16 Thread Joseph Hardeman
Hi Andrew,

No actually they are configured as "mode on" no LACP.  I spoke with a CCIE
a couple of years ago and he told me to use mode on from switch to switch
and lacp from switch to server so that's what I am putting in.

Any thoughts on why the 2960's ports would turn up even with the 5010's
ports shut down?

Joe

On Sat, Mar 16, 2013 at 12:30 AM, Andrew Miehs  wrote:

> How did you configure the port channels? I assume you have configured them
> to use lacp?
> Show etherchannel summary shows?
>
>
> Sent from a mobile device
>
> On 16/03/2013, at 13:14, Joseph Hardeman  wrote:
>
> > Hi Everyone,
> >
> > I saw a very strange thing tonight while putting some vPC ports to some
> > access switches.  So my Topology is a VSS stack to a pair of 5010 over vPC.
> > I then have an active vPC from the 5010's to one 2960G port-channel.  I
> > now have this connected to several other 2960G's that are connected over
> > port-channels and I was wanting to connect those 2960's directly to the
> > 5010 over vPC, just like the first one is, for failover and redundancy.
> > Now with the ports on the 5010 in shutdown and the port channel in
> > shutdown, as soon as I apply the config on the port connected to a 2960,
> > the ports on the 2960 go from down/down to up/up even though the 5010 ports
> > are shutdown.
> >
> > So several questions, why would the ports on the 2960's come up and what
> > can I check to see if something else is happening.  Second, is this path a
> > supported configuration?  I mean, I have been told that it's not "Supported
> > By Cisco" so that is their way of saying "weird stuff will happen".
> >
> > If I can't have vPC going to my VSS engines and then on the other side have
> > vPC going to another switch, then there goes the benefit of using VSS or
> > vPC and I might as well have just put everything down single links and not
> > even worried about providing instant failover on the chance I lose one of
> > the VSS Engines or a vPC switch.
> >
> > Any thoughts on what I am seeing?  I haven't seen anything like it before.
> >
> > Thanks
> >
> > Joe


[c-nsp] VSS to vPC - vPC to Etherchannel

2013-03-15 Thread Joseph Hardeman
Hi Everyone,

I saw a very strange thing tonight while putting some vPC ports to some
access switches.  So my Topology is a VSS stack to a pair of 5010 over vPC.
I then have an active vPC from the 5010's to one 2960G port-channel.  I
now have this connected to several other 2960G's that are connected over
port-channels and I was wanting to connect those 2960's directly to the
5010 over vPC, just like the first one is, for failover and redundancy.
Now with the ports on the 5010 in shutdown and the port channel in
shutdown, as soon as I apply the config on the port connected to a 2960,
the ports on the 2960 go from down/down to up/up even though the 5010 ports
are shutdown.

So several questions, why would the ports on the 2960's come up and what
can I check to see if something else is happening.  Second, is this path a
supported configuration?  I mean, I have been told that it's not "Supported By
Cisco" so that is their way of saying "weird stuff will happen".

If I can't have vPC going to my VSS engines and then on the other side have
vPC going to another switch, then there goes the benefit of using VSS or
vPC and I might as well have just put everything down single links and not
even worried about providing instant failover on the chance I lose one of
the VSS Engines or a vPC switch.

Any thoughts on what I am seeing?  I haven't seen anything like it before.

Thanks

Joe


Re: [c-nsp] Hardware Question

2012-07-30 Thread Joseph Hardeman
Hi Gert and Saku,

Thanks for everything, it took a night of little sleep and getting up this
morning reading both of your replies for me to go "Joe, you're an idiot" and
understand what I should have from the previous emails.  LOL

Very cool, I appreciate everything.  Hope you have a great day/evening.

Joe

On Mon, Jul 30, 2012 at 3:13 AM, Gert Doering  wrote:

> Hi,
>
> On Sun, Jul 29, 2012 at 10:15:12PM -0400, Joseph Hardeman wrote:
> > I ran the command Saku gave and it is showing the operating mode : PFC3BXL,
> > which I assume means that the CFC card is not bringing the SUP Engine down
> > any and it is operating in normal PFC3BXL mode.  Which should mean we get
> > around, if I understand Saku's calculations correctly, then the engine should
> > be passing around 32Mpps from this card to the SUP engine.
> >
> > Do you know of any specific commands that I should run to help me make sure
> > that the hardware is running properly and the Line Card hasn't caused the
> > Engine to fall down to a B or A mode?
>
> As we both said, there is nothing in a CFC card that *could* cause that.
>
> The point is: if you have a *D*FC, it needs to operate the same as the
> system's PFC - and if the DFC is less capable (like: DFC is 3B, PFC is
> 3C-XL) the system will fall down to the lowest common denominator (like:
> 3B).
>
> This will not ever happen with CFC cards, so there is nothing to worry
> about - but if you still do: the command you used is the command used
> to check system operation mode.
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
> // www.muc.de/~gert/
> Gert Doering - Munich, Germany
> g...@greenie.muc.de
> fax: +49-89-35655025
> g...@net.informatik.tu-muenchen.de
>


Re: [c-nsp] Hardware Question

2012-07-29 Thread Joseph Hardeman
Hi Gert and Saku,

I ran the command Saku gave and it is showing the operating mode : PFC3BXL,
which I assume means that the CFC card is not bringing the SUP Engine down
any and it is operating in normal PFC3BXL mode.  Which should mean we get
around, if I understand Saku's calculations correctly, then the engine should
be passing around 32Mpps from this card to the SUP engine.

Do you know of any specific commands that I should run to help me make sure
that the hardware is running properly and the Line Card hasn't caused the
Engine to fall down to a B or A mode?

Thanks

Joe

On Sun, Jul 29, 2012 at 1:48 PM, Gert Doering  wrote:

> Hi,
>
> On Sun, Jul 29, 2012 at 09:59:45AM -0400, Joseph Hardeman wrote:
> > I have been asked an interesting question, if I put a WS-X6724-SFP line
> > card (without the DFC3BXL daughter card) in with a SUP720-3BXL, does it
> > slow the SUP720 down to the SFP card limits?  And I am curious if there is
> > a command that would show me that it did or didn't do this.
>
> There will never be a "slow down" - what you can have is "fall down from
> 3BXL to 3B, or even 3A" if the card has a *DFC* with limited capabilities.
>
> CFCs don't come in different flavours.
>
> gert
>
> --
> USENET is *not* the non-clickable part of WWW!
> // www.muc.de/~gert/
> Gert Doering - Munich, Germany
> g...@greenie.muc.de
> fax: +49-89-35655025
> g...@net.informatik.tu-muenchen.de
>


[c-nsp] Hardware Question

2012-07-29 Thread Joseph Hardeman
Hi everyone,

I have been asked an interesting question, if I put a WS-X6724-SFP line
card (without the DFC3BXL daughter card) in with a SUP720-3BXL, does it
slow the SUP720 down to the SFP card limits?  And I am curious if there is
a command that would show me that it did or didn't do this.

Thanks

Joe


[c-nsp] Monitoring ASA with SSM-20 IPS/IDS Module

2012-06-06 Thread Joseph Hardeman
Hi Everyone,

I have been searching and hope that someone can help me out.  I would like
to monitor the SSM-20 module and threats detected via SNMP.  I have found
where people are doing this, but I am not able to find a script to help me
out.

Does anyone have one they would mind sharing?

Thanks

Joe


[c-nsp] Crazy Port Channel Question

2011-08-30 Thread Joseph Hardeman
Hey Guys,

I have a crazy question about Port Channels and I think I already know the
answer but just want clarification from people smarter than I am. :-)

Since you can only have 6 port channels on a switch, if I want to send the
same vlans down to bonded ports on vmware servers, can the same Port Channel
group be assigned to multiple servers?

For example Port Channel 1 running vlans 100-120 is set as the channel group
for vmware server 1 and Port Channel 2 running the same vlans is set as the
channel group for vmware server 2.  Can I use Port Channel 1 to both
servers?  Or does it have to be a single port channel to a single
server/switch?

Thanks
Joe


Re: [c-nsp] Cisco ASA AIP-SSM-20 License

2011-08-25 Thread Joseph Hardeman
Hey Jay,

Yeah, our vendor came back with crazy costs (in my mind), I was hoping for a
smaller cost for the SSM security updates.

On Wed, Aug 24, 2011 at 10:18 PM, Jay Nakamura  wrote:

> Ha!  I am going through service contract hell for AIP-SSM-10 myself.
> Best thing to do is to ask your account manager.  I can't get a
> straight answer out of our distributor.
>
> So, if you bought the ASA and IPS card bundled, it's one CON-SUx-
> SKU, (x will depend on the service level and  being some # for the
> particular bundle.) if you bought it separate, you have to get
> standard CON-SNT- for the ASA and CON-SUx- for the IPS card.
> At least that's what I have been told so far.  But the SCC quote tool
> won't accept any of the serial for me and Cisco SCC help is less than
> helpful and slow.
>
> It's been 5 weeks since I started looking into it and I can't seem to
> get to the bottom.  (There are other circumstances for my case though)
>
> On Wed, Aug 24, 2011 at 10:01 PM, Joseph Hardeman wrote:
> > Hi Everyone,
> >
> > Can someone point me to the correct license I need to be able to download
> > the updates from Cisco for this SSM?  Do I need to have a smartnet account
> > to do it or is there a separate license I can use?
> >
> > Joe


[c-nsp] Cisco ASA AIP-SSM-20 License

2011-08-24 Thread Joseph Hardeman
Hi Everyone,

Can someone point me to the correct license I need to be able to download
the updates from Cisco for this SSM?  Do I need to have a smartnet account
to do it or is there a separate license I can use?

Joe


Re: [c-nsp] Cisco BGP Advertised as-path prepends

2011-08-08 Thread Joseph Hardeman
Hey Guys,

Thanks for the answers and they are all what I am expecting.  I haven't been
able to find the command either.  :-(  I guess I will have to go with
setting up a route server for testing with to make sure my route-maps are
right.

The problem with the route server, Ziv, is that with advertising over
multiple providers I can't be certain that they will display all of the
routes in to me.

I wish the IOS did display the announcements.

Thanks

Joe

On Mon, Aug 8, 2011 at 2:35 AM, Ziv Leyes  wrote:

> I'd like to know if there's a way to see it in my own router, but what I do
> to see the prepends is to get into a route server, such as
> route-views.oregon-ix.net (my favorite) and check how the world sees the
> prefix with "show ip bgp x.x.x.x"
> If the prepends were injected correctly, you will see them on the as-path.
> Hope this helps,
> Ziv
>
>
> -Original Message-
> From: cisco-nsp-boun...@puck.nether.net [mailto:
> cisco-nsp-boun...@puck.nether.net] On Behalf Of Joseph Hardeman
> Sent: Monday, August 08, 2011 7:59 AM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] Cisco BGP Advertised as-path prepends
>
> Hey Guys,
>
> I have a question regarding displaying the as-path prepends that I am
> announcing to my providers.  With a foundry I could display the prepends
> that I am announcing out, but I don't seem to be able to do that with the
> Cisco or at least I haven't found the command.  Does anyone know the command
> I can run on a cisco to show this info?  I would like to make sure my route
> maps are injecting the as-path prepends properly.
>
> Thanks
>
> Joe
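Ziv's route-server check, written up as a small script (an added example, not code from the thread): it pulls the AS paths out of "show ip bgp <prefix>" style text and reports how many times our own ASN is prepended behind each upstream, so the route-map intent can be compared with what the outside world sees, including the case Joe raises where a path via one provider is missing altogether. The prefix, ASNs and next-hops in SAMPLE are constructed values.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of route-server output for a made-up prefix 192.0.2.0/24.
# "Our" ASN is 64496 (documentation range); the upstream ASNs are placeholders.
MY_ASN = 64496
SAMPLE = """\
BGP routing table entry for 192.0.2.0/24, version 4711
Paths: (3 available, best #2, table default)
  6447 3356 64496 64496 64496
    198.51.100.1 from 198.51.100.1 (198.51.100.1)
      Origin IGP, localpref 100, valid, external
  6447 174 64496
    198.51.100.2 from 198.51.100.2 (198.51.100.2)
      Origin IGP, localpref 100, valid, external, best
  6447 2914 64496 64496
    198.51.100.3 from 198.51.100.3 (198.51.100.3)
      Origin IGP, localpref 100, valid, external
"""

# An AS-path line is an indented run of plain AS numbers and nothing else.
# Next-hop and attribute lines contain dots or letters, so they never match.
AS_PATH_RE = re.compile(r"^\s+(\d+(?:\s+\d+)*)\s*$")


def as_paths(show_output: str) -> List[List[int]]:
    """Return every AS path found in 'show ip bgp <prefix>' text, in order."""
    return [
        [int(asn) for asn in m.group(1).split()]
        for m in map(AS_PATH_RE.match, show_output.splitlines())
        if m
    ]


def origin_prepends(path: List[int], my_asn: int) -> int:
    """Count how many times my_asn sits at the origin end of the path.

    A route-map prepend shows up as a run of our own ASN at the tail; a result
    of 0 means this path does not have us as the origin at all.
    """
    count = 0
    for asn in reversed(path):
        if asn != my_asn:
            break
        count += 1
    return count


def prepends_by_upstream(show_output: str, my_asn: int) -> Dict[int, int]:
    """Map each upstream ASN (the hop just before our run) to the prepend count seen.

    If several route-server peers show the same upstream, keep the largest run.
    """
    seen: Dict[int, int] = {}
    for path in as_paths(show_output):
        run = origin_prepends(path, my_asn)
        if run == 0 or len(path) == run:
            continue  # not our prefix on this path, or no upstream to attribute it to
        upstream = path[-run - 1]
        seen[upstream] = max(seen.get(upstream, 0), run)
    return seen


def mismatches(show_output: str, my_asn: int,
               expected: Dict[int, int]) -> Dict[int, Tuple[int, int]]:
    """Return {upstream: (expected, seen)} for every upstream whose prepend count
    differs from the route-map intent; an empty dict means everything matches.
    An upstream the route server does not show at all reports seen == 0."""
    seen = prepends_by_upstream(show_output, my_asn)
    return {
        up: (expected.get(up, 0), seen.get(up, 0))
        for up in set(expected) | set(seen)
        if expected.get(up, 0) != seen.get(up, 0)
    }


if __name__ == "__main__":
    intent = {3356: 3, 174: 1, 2914: 2}  # what the route-maps are meant to produce
    print("paths:", as_paths(SAMPLE))
    print("seen:", prepends_by_upstream(SAMPLE, MY_ASN))
    print("mismatches:", mismatches(SAMPLE, MY_ASN, intent))
```

Feed it the saved output from a couple of different route servers to cover the case where one of them does not receive every provider's path.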


[c-nsp] ASA multicast-routing

2011-08-07 Thread Joseph Hardeman
Hi Guys,

I have a guy who is wanting to do multicast routing between subnets which
means that the ASA 5520 has to be able to route the traffic between the
interfaces.  I have sent him the Cisco page on how to set it up via the ASDM
but he claims it's not working.  So I am wondering what else needs to be done
besides setting "multicast-routing" and on each interface "igmp
forwarding".

Thanks

Joe


[c-nsp] Cisco BGP Advertised as-path prepends

2011-08-07 Thread Joseph Hardeman
Hey Guys,

I have a question regarding displaying the as-path prepends that I am
announcing to my providers.  With a Foundry I could display the prepends
that I am announcing out, but I don't seem to be able to do that with the
Cisco or at least I haven't found the command.  Does anyone know the command
I can run on a Cisco to show this info?  I would like to make sure my route
maps are injecting the as-path prepends properly.

Thanks

Joe


[c-nsp] VRF-lite configuration - BGP and Local Routes

2011-07-25 Thread Joseph Hardeman
Hi Everyone,

I am hoping that someone can give me some guidance with how to set up
VRF-Lite and routing with BGP and intra-vrf routing.  I have been playing
with this for about a week now and figured out how to set up vrf-lite to a
certain point.  I know if I apply the ip vrf xx to an interface such as
physical, loopback, or vlan I can pass traffic up or down it on the same
vrf, including if I set the vrf on an interface going outbound to a BGP
peering neighbor I can pull in their bgp announcements to that vrf, but what
I am having problems with is: can this be done via the Global BGP routing
table?  Or can I somehow do a Global Leak so that the VRF can communicate
out of its area to the remote peer?

I hope I am clear here, if not I will be happy to share my testing
configuration.  Basically we are wanting to separate 2 networks so that they
have their own BGP Routing tables so they have different routes out but at
the same time be able to communicate between all of the local networks the
router has installed on it.

Thanks

Joe


Re: [c-nsp] Routing Question

2011-06-03 Thread Joseph Hardeman
Hey Tony and Gert,

Now this is getting interesting, I wasn't aware that you could run VRFs
without MPLS, I have just recently gotten the Cisco routers and don't know
everything about them or the Cisco configurations I can use.  Once I get
some time today, I will start looking into how to set it up.  If you have an
example of how to set this up, that would be awesome to see.  Or a link that
you could send me, but I believe I would have to do something like the
following:

Set up the VRF instance on the router, use iBGP to pull the BGP routing table
from the router itself, then use either local-prefs or weights to set the
BGP peers I want to use on that instance higher than the others, then after
that is setup, and this is another point I will need to figure out,
associate the different vlans to that VRF, I believe that should be similar
to the k9 unit setup for passing the couple of VLANs we have using it.
Although that does bring up another question, how to tie the k9 unit into
the two VRFs so that I can do the filtering and then route out the
different BGP paths.  I believe I have an idea on how to do it, but wanted
to ask these questions because you guys know a lot more than I do on how
this can be setup and how it will work.  :-)

Thanks for everything

Joe


On Fri, Jun 3, 2011 at 3:32 AM, Gert Doering  wrote:

> Hi,
>
> On Thu, Jun 02, 2011 at 10:28:27PM -0400, Joseph Hardeman wrote:
> > Thanks for the reply, I was hoping there was some way to do it with
> > Local-Prefs or weights setting the BGP routes from peers into a group and
> > then selecting that group from the routing table for the internal IP
> > Range I want to use those routes.
>
> There is only one routing table.  And no way to select different bits of
> it according to source address (unless you use policy routing, but that
> won't easily do what you want either).
>
> > I presume there is a way to setup VRFs to do this?
>
> Yes.  As Tony already explained, VRFs are to a router what VLANs are to
> a switch - the router is divided into multiple virtual routers, and all
> of them have their own routing table.
>
> So you put one set of source machines into VRF blue and the other into
> VRF red, and then you can pref the routes individually to whatever you
> want.  Getting the routes into the VRFs depends on your router setup,
> and can be its own challenge.
>
> > Or how would that work?  I believe VRFs are specific for an MPLS
> > network and I have never touched or set one of those up before.
>
> MPLS is just one possible option to transport VRF-belonging packets to
> other routers (like "dot1q tagging for VLAN-packets", in a way).  But
> the VRF functionality is independent of MPLS, and you could, for example,
> connect multiple VRF-enabled routers via a dot1q trunk, with every VLAN
> interconnecting one of the VRFs.  (This gets impractical after a few
> VRF instances, and MPLS/LDP/BGP-AFI-VPNv* makes this all automatic).
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
>   //
> www.muc.de/~gert/
> Gert Doering - Munich, Germany
> g...@greenie.muc.de
> fax: +49-89-35655025
> g...@net.informatik.tu-muenchen.de
>


Re: [c-nsp] Routing Question

2011-06-02 Thread Joseph Hardeman
Hi Gert,

Thanks for the reply, I was hoping there was some way to do it with
Local-Prefs or weights setting the BGP routes from peers into a group and
then selecting that group from the routing table for the internal IP Range I
want to use those routes.  I presume there is a way to set up VRFs to do
this?  Or how would that work?  I believe VRFs are specific for an MPLS
network and I have never touched or set one of those up before.

Thanks

Joe

On Thu, Jun 2, 2011 at 2:02 PM, Gert Doering  wrote:

> Hi,
>
> On Thu, Jun 02, 2011 at 08:14:32AM -0400, Joseph Hardeman wrote:
> > I am wondering, is it possible to route traffic based on the Source IP to
> > specific BGP learned routes?  For instance, if I have IP Range
> > 2.2.2.2/24 that I want only to use routes learned from peerings with
> > say AS 444, 555, 666.  But I want to have IP Range 2.2.2.3/24 use the
> > routes learned from peerings with say AS 111, 222, 333.  I know I can do
> > PBR and set the next-hop based on the source IP but it appears that even
> > with multiple entries in that route-map statement it will choose one out
> > of the list and use that by default and not choose the best path learned
> > from the neighbors I want it to.  Can this be done with local-prefs or
> > weights?
>
> No.
>
> You'd need to do VRFs (and having a full table in multiple VRFs is going
> to eat lots of memory).
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
>   //
> www.muc.de/~gert/
> Gert Doering - Munich, Germany
> g...@greenie.muc.de
> fax: +49-89-35655025
> g...@net.informatik.tu-muenchen.de
>


[c-nsp] Routing Question

2011-06-02 Thread Joseph Hardeman
Hi Everyone,

I am wondering, is it possible to route traffic based on the Source IP to
specific BGP learned routes?  For instance, if I have IP Range
2.2.2.2/24 that I want only to use routes learned from peerings with
say AS 444, 555, 666.  But I want to have IP Range 2.2.2.3/24 use the
routes learned from peerings with say AS 111, 222, 333.  I know I can do
PBR and set the next-hop based on the source IP but it appears that even
with multiple entries in that route-map statement it will choose one out
of the list and use that by default and not choose the best path learned
from the neighbors I want it to.  Can this be done with local-prefs or
weights?

Thanks

Joe
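The VRF-lite approach Gert describes in the Routing Question replies above (one VRF per source network, each with its own routing table and its own upstream BGP peer, no MPLS), together with the local inter-VRF reachability Joe asks about in the VRF-lite post, as an added IOS configuration example that is not from anyone on this thread. The VRF names, AS 65000, interface names and the RFC 5737 documentation addresses are assumptions; the upstream AS numbers 444 and 111 are taken from the question.

```cisco
! Two VRF-lite instances on one IOS router; no MPLS involved.
! Addresses are RFC 5737 documentation space, constructed for this example.
ip vrf RED
 rd 65000:1
!
ip vrf BLUE
 rd 65000:2
!
! Source networks: each VLAN is placed in one VRF, so hosts on it can only
! use routes that exist in that VRF's own routing table.
interface Vlan10
 ip vrf forwarding RED
 ip address 192.0.2.1 255.255.255.0
!
interface Vlan20
 ip vrf forwarding BLUE
 ip address 198.51.100.1 255.255.255.0
!
! Upstream links: the peering toward AS 444 lives in RED, the one toward
! AS 111 in BLUE, so each VRF learns only its own provider's routes.
interface GigabitEthernet0/1.444
 encapsulation dot1Q 444
 ip vrf forwarding RED
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/1.111
 encapsulation dot1Q 111
 ip vrf forwarding BLUE
 ip address 203.0.113.6 255.255.255.252
!
router bgp 65000
 address-family ipv4 vrf RED
  neighbor 203.0.113.1 remote-as 444
  neighbor 203.0.113.1 activate
  neighbor 203.0.113.1 route-map FROM-AS444 in
  network 192.0.2.0 mask 255.255.255.0
 exit-address-family
 address-family ipv4 vrf BLUE
  neighbor 203.0.113.5 remote-as 111
  neighbor 203.0.113.5 activate
  network 198.51.100.0 mask 255.255.255.0
 exit-address-family
! Local preference still works per VRF once a VRF has more than one peer.
route-map FROM-AS444 permit 10
 set local-preference 200
!
! Static leak so the two local networks still reach each other (verify on your platform).
ip route vrf RED 198.51.100.0 255.255.255.0 Vlan20
ip route vrf BLUE 192.0.2.0 255.255.255.0 Vlan10
```

The interface-only static leak is the simplest form and is worth checking on your own platform and IOS release; route-target import/export between the two VRF address-families under the same BGP process is the other common way to exchange routes between VRFs on a single box without MPLS.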