Re: [c-nsp] Cisco Router 2821 is having issue getting error
There was an issue a while back that Cisco had with faulty memory from a particular vendor. I'm not sure of the exact symptoms, but it might be worth reading through this doc: http://www.cisco.com/c/en/us/support/docs/field-notices/634/fn63405.html

Cheers,
Josh

Date: Fri, 24 Apr 2015 06:50:43 +0200
From: swm...@swm.pp.se
To: ahsanrashe...@gmail.com
Subject: Re: [c-nsp] Cisco Router 2821 is having issue getting error
CC: cisco-nsp@puck.nether.net

> On Thu, 23 Apr 2015, Ahsan Rasheed wrote:
>
>> Hi Guys, I am having an issue in my lab router Cisco 2821. This router is booting into rommon mode all the time. I checked the flash of this router in another working router. So the flash is working fine in another router. I tried to use another
>
> Was this working router also a 2800? What size of CF card are you trying to use? Is it larger than 256MB?
>
> http://www.cisco.com/c/en/us/td/docs/routers/access/2800/hardware/installation/guide/hw/01_hw.html
>
> External CompactFlash memory cards of the following optional sizes:
> • 64 MB (default)
> • 128 MB
> • 256 MB
>
> --
> Mikael Abrahamsson    email: swm...@swm.pp.se

___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] cs.co on IPv6
Hi,

Is anyone else having issues with http://cs.co on IPv6? I've been having issues with it over the last little while. It seems to be working on v4, but the record still exists so it's causing some grief.

Cheers,
Josh
Re: [c-nsp] cs.co on IPv6
I thought as much... I've sent an email to the technical and administrative WHOIS contacts, will see if anything comes of it.

Cheers,
Josh

Date: Wed, 8 Apr 2015 00:17:48 +0100
From: t...@ninjabadger.net
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] cs.co on IPv6

> On 08/04/15 00:05, Joshua Riesenweber wrote:
>> Is anyone else having issues with http://cs.co on IPv6? I've been having issues with it over the last little while. It seems to be working on v4, but the record still exists so it's causing some grief.
>
> Yeah, failing to connect here. IPv6 gets into Rackspace's DFW site but the last hop's black-holing. IPv4 is fine.
>
> wget is resolving fine, but then failing to connect via IPv6:
>
> $ wget -6 cs.co
> --2015-04-08 00:14:20--  http://cs.co/
> Resolving cs.co (cs.co)... 2001:4800:13c1:10:222:19ff:fe00:cbb
> Connecting to cs.co (cs.co)|2001:4800:13c1:10:222:19ff:fe00:cbb|:80... failed: Connection timed out.
>
> Both paths from here are 20712 via 2914 to Rackspace.
>
> I guess someone broke IPv6 on the server and forgot to remove the record...
>
> --
> Tom
[c-nsp] Restoring switch config to floating spare
Hi all,

I'm looking for a bit of advice on a system/process that will allow an end user to restore a switch config.

I have a customer with a 24/7 site running a number of Catalyst switches. Due to the nature of the operation, we have a 'warm' spare switch ready to replace any failures. Traditionally we have a standardised configuration across all devices (all the same model as well), but I need to start having unique configurations on the switches. (Getting too many wasted ports due to multiple VLANs etc.)

The users on site are electricians, so they're not 'untechnical', but they're certainly not familiar with networking. I'm wondering if anyone has come across this before, and has any ideas?

At the moment I'm leaning towards having the spare switch running on the network with an IP address and not much else, then having a script that will prompt the user for the switch that's failed, and then copy it to the startup config and reboot. It's not particularly nice or foolproof...

Cheers,
Josh
Re: [c-nsp] ASA
Thanks David and Matt for clearing that up. I only mention it because, in the OP's case, he has an ACL applied to the outside interface. So, it would seem more pertinent than the security levels (at least in the direction outside->inside).

Cheers,
Josh

Date: Wed, 11 Feb 2015 14:00:28 -0500
From: dwhit...@cisco.com
To: matt.addi...@lists.evilgeni.us
CC: joshua.riesenwe...@outlook.com; dale.shaw+cisco-...@gmail.com; madu...@gmail.com; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASA

> Hi Matt,
>
> You are correct. Once you apply an ACL (any ACL) to an interface, there is an implicit deny ip any any at the end of that ACL. So, that will always take effect when an ACL is applied. It isn't a function of security levels, but rather the ACL itself.
>
> Security levels do a few things:
> 1) permit (or deny) traffic - when no ACLs are applied -- that is what we have mainly been talking about here
> 2) Determine if you can administer the ASA via that interface over Telnet (a legacy rule, but still there)
> 3) Affect some policy actions: ie - service reset[inbound|outbound]
> 4) Affect connection display information
> and a few more...
>
> But, the most noticeable to most people is indeed the permission of traffic based on the security level.
>
> Sincerely,
> David.
>
> On 2/11/2015 1:33 PM, Matt Addison wrote:
>> Maybe this is a semantics thing, but isn't the implicit rule of 'allow to any less secure interface' replaced by an implicit deny once you apply an inbound access-list to an interface? To some people that might be considered negating the security level of the interface (since the security level doesn't really do anything anymore). Once you have inbound ACLs everywhere you may as well not even have security levels.
>>
>> Hopefully today will be the day I learn there's a knob to turn that implicit deny into an implicit allow-to-less-secure which will make me regret all those hours spent tuning DMZ inbound access-lists.
>>
>> On Wed, Feb 11, 2015 at 8:57 AM, David White, Jr. (dwhitejr) dwhit...@cisco.com wrote:
>>> On 2/11/2015 7:29 AM, Joshua Riesenweber wrote:
>>>> This has a few good examples: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/acl_extended.html
>>>>
>>>> I might very well be wrong, but I believe the security levels are negated if an access list is applied to an interface.
>>>
>>> That is incorrect. Security levels are not negated or affected by applying an ACL (or not) to an interface.
>>>
>>> Sincerely,
>>> David.
>>>
>>>> Cheers,
>>>> Josh
>>>>
>>>> Date: Wed, 11 Feb 2015 20:43:37 +1100
>>>> From: dale.shaw+cisco-...@gmail.com
>>>> To: madu...@gmail.com
>>>> CC: cisco-nsp@puck.nether.net
>>>> Subject: Re: [c-nsp] ASA
>>>>
>>>>> Hi madunix,
>>>>>
>>>>> On Wed, Feb 11, 2015 at 7:26 PM, madu...@gmail.com wrote:
>>>>>> I would like to block the following ports: 135,137,138,139,445,593, tcp/udp on my Firewall
>>>>>> [...]
>>>>>
>>>>> Well, what you need to do, is figure out how to block those ports, perhaps by modifying the 'in' access-list you've applied to your outside interface. You might even need to Google That.
>>>>>
>>>>> That's assuming it's that direction (outside -> inside) that you want to block the traffic.
>>>>>
>>>>> Cheers,
>>>>> Dale
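As an added illustration of the two rules David states above (this is not code from the thread or from Cisco), the following Python model treats an interface with no ACL as permitting only higher-to-lower security-level traffic, and an interface with any ACL as governed by that ACL plus its implicit deny. The interface names and levels, the deny entries for the ports in madunix's question and the port-only matching are constructed simplifications; a real ACE also matches addresses.

```python
"""Model of the ASA inbound decision as described in the thread:
 - no ACL on the ingress interface: permit only higher -> lower security level
 - any ACL on the ingress interface: the ACL decides, ending in an implicit
   'deny ip any any'
Constructed example, matching protocol and destination port only."""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Ace:
    action: str                            # "permit" or "deny"
    proto: str                             # "tcp", "udp" or "ip" (ip = any)
    dst_ports: Optional[Set[int]] = None   # None = any destination port


@dataclass
class Interface:
    name: str
    security_level: int
    acl_in: Optional[List[Ace]] = None     # None = no inbound ACL applied


def acl_decision(acl, proto, dst_port):
    """First matching ACE wins; the implicit deny ip any any catches the rest."""
    for ace in acl:
        if ace.proto in ("ip", proto) and (ace.dst_ports is None or dst_port in ace.dst_ports):
            return ace.action
    return "deny"


def permitted(ingress, egress, proto, dst_port):
    """Is a flow entering `ingress` and leaving via `egress` allowed in?"""
    if ingress.acl_in is not None:
        return acl_decision(ingress.acl_in, proto, dst_port) == "permit"
    return ingress.security_level > egress.security_level


# Constructed outside-in ACL: deny the ports from madunix's question, permit the rest.
WINDOWS_PORTS = {135, 137, 138, 139, 445, 593}
OUTSIDE_IN = [Ace("deny", "tcp", WINDOWS_PORTS),
              Ace("deny", "udp", WINDOWS_PORTS),
              Ace("permit", "ip")]


def scenarios():
    inside = Interface("inside", 100)
    outside_no_acl = Interface("outside", 0)
    outside_acl = Interface("outside", 0, OUTSIDE_IN)
    # Matt's point: an ACL that only denies leaves nothing permitted, even inside -> outside
    inside_deny_only = Interface("inside", 100, [Ace("deny", "tcp", {23})])
    return {
        # no ACLs anywhere: security levels decide
        "inside->outside, no acl": permitted(inside, outside_no_acl, "tcp", 80),
        "outside->inside, no acl": permitted(outside_no_acl, inside, "tcp", 80),
        # ACL on outside: it decides regardless of 0 < 100
        "outside->inside tcp/445": permitted(outside_acl, inside, "tcp", 445),
        "outside->inside udp/137": permitted(outside_acl, inside, "udp", 137),
        "outside->inside tcp/443": permitted(outside_acl, inside, "tcp", 443),
        # deny-only ACL on inside: the implicit deny replaces the high->low default
        "inside->outside tcp/80, deny-only acl":
            permitted(inside_deny_only, outside_no_acl, "tcp", 80),
    }
```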
Re: [c-nsp] ASA
This has a few good examples: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/acl_extended.html

I might very well be wrong, but I believe the security levels are negated if an access list is applied to an interface.

Cheers,
Josh

Date: Wed, 11 Feb 2015 20:43:37 +1100
From: dale.shaw+cisco-...@gmail.com
To: madu...@gmail.com
CC: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASA

> Hi madunix,
>
> On Wed, Feb 11, 2015 at 7:26 PM, madu...@gmail.com wrote:
>> I would like to block the following ports: 135,137,138,139,445,593, tcp/udp on my Firewall
>> [...]
>
> Well, what you need to do, is figure out how to block those ports, perhaps by modifying the 'in' access-list you've applied to your outside interface. You might even need to Google That.
>
> That's assuming it's that direction (outside -> inside) that you want to block the traffic.
>
> Cheers,
> Dale
Re: [c-nsp] Basic inbound BGP path preferencing query
Hi all,

Thanks for all the replies, I had a feeling that with a single /24 there would be very little I could do. I had a read through this doco, which described the scenario I'm talking about: http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13762-40.html#conf5

They also suggest the way to do it is with AS-path prepend, but in the example they use x2 /24 subnets. I will look into a /23 and try my luck.

Cheers,
Josh

From: steve.hous...@itps.co.uk
To: joshua.riesenwe...@outlook.com; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Basic inbound BGP path preferencing query
Date: Tue, 27 Jan 2015 14:52:04 +

> You could always use an as-path prepend. Announce your routes with the same prefix from both connections:
>
> route 1 would show as AS123 AS5089 AS-XX
> route 2 would show as AS123 AS123 AS174 AS-XX
>
> This allows more traffic to come in via route 1, whilst still utilising route 2 (you can also add multiple prepends if required).
>
> For example AS174 will prefer customer routes so traffic from AS174 to your AS123 should always come in that path. Any of AS174's peerings may prefer that route if they don't also peer with AS5089 for example.
>
> This obviously only works per entire subnet rather than individual IPs but it still allows you to utilise both links un-equally (if that's a word? :).
>
> SteveH
>
> -Original Message-
> From: Joshua Riesenweber joshua.riesenwe...@outlook.com
> Reply-To: joshua.riesenwe...@outlook.com
> Date: Tuesday, 27 January 2015 01:28
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] Basic inbound BGP path preferencing query
> Resent-From: Steve Housego steve.hous...@it-ps.com
>
>> Hi all,
>>
>> I'm looking for a bit of insight from someone with more BGP experience than me. (I've tried searching around the 'net trying to find an elegant solution.)
>>
>> I have the common enterprise configuration of 2x WAN links multi-homed with 2x ISPs. I have a single /24 public IP allocation being advertised out both links, and am using MEDs to preference one link. I'd like to load balance across both links; unfortunately, one link is lower-bandwidth and has a smaller data quota from the ISP.
>>
>> One simple solution is upgrading to a /23. Then I can preference a unique /24 subnet over each link, and assign the large bandwidth-consuming devices to that particular subnet on my better WAN link. My only hesitation is that configuration potentially uses more IP addresses than I need.
>>
>> Does anyone have any tips on preferencing certain IP addresses inbound through one link if I am only advertising a single /24? If there's a better way of doing this your ideas are welcome.
>>
>> Cheers,
>> Josh
>
> Steve Housego, Principal Consultant, IT Professional Services
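A small added model (not from the thread, Cisco or either ISP) of the two options discussed above: Steve's AS-path prepend on one link, and Josh's /23 split where each /24 half is preferred on a different link. It assumes the remote AS chooses on AS-path length alone (real BGP evaluates weight, local preference, origin and MED before path length), reuses the AS numbers from Steve's example, and uses a constructed documentation prefix.

```python
"""Two ways to steer inbound traffic for a multi-homed site (constructed model)."""
import ipaddress

MY_AS = 123
UPSTREAM = {"link1": 5089, "link2": 174}   # ISP ASNs as in Steve's example


def announce(link, prepends=0):
    """AS path a distant AS sees for our prefix via `link`: the upstream's ASN,
    then our ASN once plus `prepends` extra copies."""
    return [UPSTREAM[link]] + [MY_AS] * (1 + prepends)


def remote_choice(paths):
    """paths: link -> AS path as seen at a distant AS.  Shortest path wins;
    on an equal-length tie the first path listed is taken (the ambiguity that
    prepending is meant to remove).  Returns (chosen link, was it a tie?)."""
    shortest = len(min(paths.values(), key=len))
    winners = [link for link, p in paths.items() if len(p) == shortest]
    return winners[0], len(winners) > 1


def lpm_exit(rib, dst):
    """Longest-prefix match over (prefix, link) pairs: a /24 announced on one
    link beats the covering /23 announced on both, so each half of the /23
    arrives on its own link."""
    addr = ipaddress.ip_address(dst)
    cands = [(ipaddress.ip_network(p), link) for p, link in rib]
    net, link = max((c for c in cands if addr in c[0]), key=lambda c: c[0].prefixlen)
    return link


def demo():
    no_prepend = {"link1": announce("link1"), "link2": announce("link2")}
    prepended = {"link1": announce("link1"), "link2": announce("link2", prepends=1)}
    # Constructed /23 (192.0.2.0/23) on both links plus one more-specific /24 each
    rib = [("192.0.2.0/23", "link1"), ("192.0.2.0/23", "link2"),
           ("192.0.2.0/24", "link1"), ("192.0.3.0/24", "link2")]
    return {
        "no_prepend": remote_choice(no_prepend),   # a tie: nothing prefers link1
        "prepended": remote_choice(prepended),     # link1 wins on path length
        "path_link2": prepended["link2"],          # [174, 123, 123]
        "host_a": lpm_exit(rib, "192.0.2.10"),     # lower /24 -> link1
        "host_b": lpm_exit(rib, "192.0.3.10"),     # upper /24 -> link2
    }
```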
[c-nsp] Basic inbound BGP path preferencing query
Hi all,

I'm looking for a bit of insight from someone with more BGP experience than me. (I've tried searching around the 'net trying to find an elegant solution.)

I have the common enterprise configuration of 2x WAN links multi-homed with 2x ISPs. I have a single /24 public IP allocation being advertised out both links, and am using MEDs to preference one link. I'd like to load balance across both links; unfortunately, one link is lower-bandwidth and has a smaller data quota from the ISP.

One simple solution is upgrading to a /23. Then I can preference a unique /24 subnet over each link, and assign the large bandwidth-consuming devices to that particular subnet on my better WAN link. My only hesitation is that configuration potentially uses more IP addresses than I need.

Does anyone have any tips on preferencing certain IP addresses inbound through one link if I am only advertising a single /24? If there's a better way of doing this your ideas are welcome.

Cheers,
Josh
Re: [c-nsp] VZW 4G LTE Interface Card
Hi Chris,

I have a number of the EHWIC-4G-LTE-G models running, mostly as redundant connections. I found them to be extremely reliable in terms of no lockups and reconnecting without issue, but after running for a while they seem to slow. For example, after a few days of running the speed drops about 50%. You restart the interface and it's back up to full speed for a few days again.

*Disclaimer, I haven't actually done any investigation or raised any TAC cases so it may be something easily fixed. As I use the links for failover/redundancy in an emergency, this isn't much of an issue for me.

Cheers,
Josh

Date: Tue, 9 Dec 2014 10:35:00 -0500
From: tknch...@gmail.com
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] VZW 4G LTE Interface Card

> Hello,
>
> Anyone have any experience with the EHWIC-4G-LTE-V card for VZW 4G? We have a 4G as a backup WAN for a small site and we currently have a cradlepoint bridging the cellular over to an ethernet port and have that connected to our router. The cradlepoint seems to flake out occasionally or completely lock up requiring a hard reset and I was looking at getting this EHWIC thinking it would be more reliable and also if we needed to login to the router we might be able to see more technical info about the radio's status etc.
>
> Mainly I am just looking for feedback from someone who has implemented it, how difficult it was to build the configuration, how reliable, if there were any gotchas etc.
>
> TIA,
> chris
Re: [c-nsp] SDN setup startup from lab first
Georgia Tech had an online course a little while back on SDN that was pretty good. Goes through a fair bit on mininet, openflow, etc. including setup. The course is over but you can probably get the archive: https://class.coursera.org/sdn-002

Cheers,
Josh

From: xuhu...@gmail.com
Date: Sat, 6 Dec 2014 17:55:27 +0800
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] SDN setup startup from lab first

> Hi folks,
>
> I want to start up sdn testing in the lab to practice, any suggestions how to start?
>
> Thanks
> Br,
> Xuhu
Re: [c-nsp] Cursed IP address
Do you have control of the devices at each L2 hop? Can you run packet captures and see where the hello is dropped?

Date: Thu, 27 Nov 2014 17:08:45 +0600
From: v...@mpeks.tomsk.su
To: friedr...@pdv-sachsen.net
CC: vlaso...@sibptus.tomsk.ru; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cursed IP address

> Friedrich, Gregor wrote:
>> Seems to be some multicast receiving problem 224.0.0.5/6?
>
> Seems like it. The main enigma is why only multicast packets with src=10.65.127.246 are affected and not from other source addresses. Packets from x.x.x.246 addresses in other networks also work without problems.
>
>> Are there filters / IGMP stuff?
>
> No.
>
>> What kind of L2 design do you have in the segment? Some years ago we had problems with multicast and SDH MUX systems.
>
> iPASOLINK radio relay towers, iPASOLINK IDU/ODU.
>
> Below is the OSPF hello debug output from 10.65.127.243 where you can see that 10.65.127.243 does not receive hellos from 10.65.127.246. Then it marks 10.65.127.246 as down and then immediately receives a unicast (?) hello from 10.65.127.246. Then the problem is repeated.
>
> Nov 27 09:14:17.133: %OSPF-5-ADJCHG: Process 20, Nbr 10.65.127.246 on Vlan333 from LOADING to FULL, Loading Done
> Nov 27 09:14:26.780: OSPF: Send hello to 224.0.0.5 area 0 on Vlan333 from 10.65.127.243
> Nov 27 09:14:36.300: OSPF: Send hello to 224.0.0.5 area 0 on Vlan333 from 10.65.127.243
> Nov 27 09:14:45.586: OSPF: Send hello to 224.0.0.5 area 0 on Vlan333 from 10.65.127.243
> Nov 27 09:14:55.501: OSPF: Send hello to 224.0.0.5 area 0 on Vlan333 from 10.65.127.243
> Nov 27 09:15:02.421: %OSPF-5-ADJCHG: Process 20, Nbr 10.65.127.246 on Vlan333 from FULL to DOWN, Neighbor Down: Dead timer expired
> Nov 27 09:15:05.257: OSPF: Send hello to 224.0.0.5 area 0 on Vlan333 from 10.65.127.243
> Nov 27 09:15:05.257: OSPF: Rcv hello from 10.65.127.246 area 0 from Vlan333 10.65.127.246
> Nov 27 09:15:05.257: OSPF: Send immediate hello to nbr 10.65.127.246, src address 10.65.127.246, on Vlan333
> Nov 27 09:15:05.257: OSPF: Send hello to 10.65.127.246 area 0 on Vlan333 from 10.65.127.243
> Nov 27 09:15:05.257: OSPF: End of hello processing
> Nov 27 09:15:05.273: %OSPF-5-ADJCHG: Process 20, Nbr 10.65.127.246 on Vlan333 from LOADING to FULL, Loading Done
> Nov 27 09:15:14.945: OSPF: Send hello to 224.0.0.5 area 0 on Vlan333 from 10.65.127.243
> Nov 27 09:15:24.860: OSPF: Send hello to 224.0.0.5 area 0 on Vlan333 from 10.65.127.243
> Nov 27 09:15:34.859: OSPF: Send hello to 224.0.0.5 area 0 on Vlan333 from 10.65.127.243
> Nov 27 09:15:44.413: OSPF: Send hello to 224.0.0.5 area 0 on Vlan333 from 10.65.127.243
> Nov 27 09:15:52.868: %OSPF-5-ADJCHG: Process 20, Nbr 10.65.127.246 on Vlan333 from FULL to DOWN, Neighbor Down: Dead timer expired
> Nov 27 09:15:54.043: OSPF: Send hello to 224.0.0.5 area 0 on Vlan333 from 10.65.127.243
> Nov 27 09:15:54.051: OSPF: Rcv hello from 10.65.127.246 area 0 from Vlan333 10.65.127.246
> Nov 27 09:15:54.051: OSPF: Send immediate hello to nbr 10.65.127.246, src address 10.65.127.246, on Vlan333
> Nov 27 09:15:54.051: OSPF: Send hello to 10.65.127.246 area 0 on Vlan333 from 10.65.127.243
> Nov 27 09:15:54.051: OSPF: End of hello processing
> Nov 27 09:15:54.059: %OSPF-5-ADJCHG: Process 20, Nbr 10.65.127.246 on Vlan333 from LOADING to FULL, Loading Done
> Nov 27 09:16:04.041: OSPF: Send hello to 224.0.0.5 area 0 on Vlan333 from 10.65.127.243
> Nov 27 09:16:13.235: OSPF: Send hello to 224.0.0.5 area 0 on Vlan333 from 10.65.127.243
> Nov 27 09:16:22.781: OSPF: Send hello to 224.0.0.5 area 0 on Vlan333 from 10.65.127.243
> Nov 27 09:16:32.025: OSPF: Send hello to 224.0.0.5 area 0 on Vlan333 from 10.65.127.243
> Nov 27 09:16:41.805: OSPF: Send hello to 224.0.0.5 area 0 on Vlan333 from 10.65.127.243
> Nov 27 09:16:43.374: %OSPF-5-ADJCHG: Process 20, Nbr 10.65.127.246 on Vlan333 from FULL to DOWN, Neighbor Down: Dead timer expired
> Nov 27 09:16:51.569: OSPF: Send hello to 224.0.0.5 area 0 on Vlan333 from 10.65.127.243
> Nov 27 09:16:51.578: OSPF: Rcv hello from 10.65.127.246 area 0 from Vlan333 10.65.127.246
> Nov 27 09:16:51.578: OSPF: Send immediate hello to nbr 10.65.127.246, src address 10.65.127.246, on Vlan333
> Nov 27 09:16:51.578: OSPF: Send hello to 10.65.127.246 area 0 on Vlan333 from 10.65.127.243
> Nov 27 09:16:51.578: OSPF: End of hello processing
> Nov 27 09:16:51.586: %OSPF-5-ADJCHG: Process 20, Nbr 10.65.127.246 on Vlan333 from LOADING to FULL, Loading Done
> Nov 27 09:17:01.350: OSPF: Send hello to 224.0.0.5 area 0 on Vlan333 from 10.65.127.243
> Nov 27 09:17:10.560: OSPF: Send hello to 224.0.0.5 area 0 on Vlan333 from 10.65.127.243
> Nov 27 09:17:20.509: OSPF: Send hello to 224.0.0.5 area 0 on Vlan333 from 10.65.127.243
> Nov 27 09:17:30.063: OSPF: Send hello to 224.0.0.5 area 0 on Vlan333 from 10.65.127.243
> Nov 27 09:17:36.690: %OSPF-5-ADJCHG: Process 20, Nbr 10.65.127.246 on Vlan333 from FULL to DOWN, Neighbor Down: Dead timer
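An added Python check (not from the thread) that runs over the debug lines above and flags the pattern Victor describes: no hellos heard from the neighbour while the adjacency is up, the dead timer expiring, and then a hello from that neighbour arriving immediately after our unicast hello to it. The embedded excerpt is the first flap cycle from the output above; the 5-second reply window is an assumed value.

```python
import re
from collections import defaultdict

# The three line types in the IOS debug above (same-day timestamps assumed)
TS = r"(\w{3} +\d+ \d\d:\d\d:\d\d\.\d+)"
RE_ADJ = re.compile(TS + r": %OSPF-5-ADJCHG: .*Nbr (\S+) on (\S+) from (\w+) to (\w+)")
RE_SEND = re.compile(TS + r": OSPF: Send hello to (\S+) area \d+ on (\S+) from (\S+)")
RE_RCV = re.compile(TS + r": OSPF: Rcv hello from (\S+) area \d+ from (\S+)")


def _secs(ts):
    """'Nov 27 09:14:17.133' -> seconds since midnight."""
    h, m, s = ts.split()[-1].split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def analyse(lines, reply_window=5.0):
    """One record per FULL->DOWN: adjacency lifetime, multicast hellos we sent
    meanwhile, hellos received from the neighbour meanwhile, and whether a
    hello from it arrived within reply_window s of the dead-timer expiry
    (i.e. as a reply to our immediate unicast hello, not its own multicast)."""
    up_since, pending, events = {}, {}, []
    sent, rcvd = defaultdict(int), defaultdict(int)
    for line in lines:
        m = RE_ADJ.search(line)
        if m:
            t, nbr, _ifc, old, new = m.groups()
            t = _secs(t)
            if new == "FULL":
                up_since[nbr] = t
                sent[nbr] = rcvd[nbr] = 0
            elif old == "FULL" and new == "DOWN":
                ev = {"nbr": nbr, "up_for": round(t - up_since.pop(nbr, t), 1),
                      "mcast_sent": sent[nbr], "rcvd_while_up": rcvd[nbr],
                      "hello_after_expiry": False}
                events.append(ev)
                pending[nbr] = (t, ev)
            continue
        m = RE_SEND.search(line)
        if m:
            if m.group(2) == "224.0.0.5":        # count only our multicast hellos
                for nbr in up_since:
                    sent[nbr] += 1
            continue
        m = RE_RCV.search(line)
        if m:
            t, nbr = _secs(m.group(1)), m.group(2)
            rcvd[nbr] += 1
            if nbr in pending and t - pending[nbr][0] <= reply_window:
                pending.pop(nbr)[1]["hello_after_expiry"] = True
    return events


def suspect_multicast_loss(events):
    """Neighbours never heard while up that do answer a unicast hello:
    consistent with their multicast hellos being dropped on the L2 path."""
    return sorted({e["nbr"] for e in events if e["mcast_sent"] > 0
                   and e["rcvd_while_up"] == 0 and e["hello_after_expiry"]})


# Excerpt of the debug output quoted above (first flap cycle)
SAMPLE = """\
Nov 27 09:14:17.133: %OSPF-5-ADJCHG: Process 20, Nbr 10.65.127.246 on Vlan333 from LOADING to FULL, Loading Done
Nov 27 09:14:26.780: OSPF: Send hello to 224.0.0.5 area 0 on Vlan333 from 10.65.127.243
Nov 27 09:14:36.300: OSPF: Send hello to 224.0.0.5 area 0 on Vlan333 from 10.65.127.243
Nov 27 09:14:45.586: OSPF: Send hello to 224.0.0.5 area 0 on Vlan333 from 10.65.127.243
Nov 27 09:14:55.501: OSPF: Send hello to 224.0.0.5 area 0 on Vlan333 from 10.65.127.243
Nov 27 09:15:02.421: %OSPF-5-ADJCHG: Process 20, Nbr 10.65.127.246 on Vlan333 from FULL to DOWN, Neighbor Down: Dead timer expired
Nov 27 09:15:05.257: OSPF: Send hello to 224.0.0.5 area 0 on Vlan333 from 10.65.127.243
Nov 27 09:15:05.257: OSPF: Rcv hello from 10.65.127.246 area 0 from Vlan333 10.65.127.246
Nov 27 09:15:05.257: OSPF: Send immediate hello to nbr 10.65.127.246, src address 10.65.127.246, on Vlan333
Nov 27 09:15:05.257: OSPF: Send hello to 10.65.127.246 area 0 on Vlan333 from 10.65.127.243
Nov 27 09:15:05.273: %OSPF-5-ADJCHG: Process 20, Nbr 10.65.127.246 on Vlan333 from LOADING to FULL, Loading Done
"""
```

Feeding the full debug in gives one record per flap; a neighbour listed by suspect_multicast_loss is worth a capture at each L2 hop for the 224.0.0.5 hellos it sends.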
Re: [c-nsp] Cursed IP address
Hi Victor,

Nothing is wrong with that IP address specifically, but I was wondering if it is being chosen as the ID whether there is a conflict with another router ID, perhaps manually set.

Regards,
Josh

Date: Wed, 26 Nov 2014 15:46:15 +0600
From: v...@mpeks.tomsk.su
To: joshua.riesenwe...@outlook.com; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cursed IP address

> Joshua Riesenweber wrote:
>> Out of curiosity, is this the highest IP address on the router?
>
> On some routers there is no loopback interface, so yes, on some routers 10.65.127.246 may become the router ID.
>
>> Is it possible that this is being chosen as the OSPF router ID and causing problems?
>
> What's wrong with 10.65.127.246 being an OSPF router ID?
>
> --
> Victor Sudakov, VAS4-RIPE, VAS47-RIPN
> sip:suda...@sibptus.tomsk.ru