Re: [c-nsp] Need help with IPv6 CoPP

2013-05-06 Thread Rogelio Gamino
At that stage, neighbors agree on Master/Slave relationship before moving
to "exchange" DBD's. This traffic is unicast between neighbors.


On Mon, May 6, 2013 at 11:30 AM, "Rolf Hanßen"  wrote:

> Hello,
>
> I used no authentication for testing, but thanks for the hint, need to put
> that on the checklist before implementing. ;)
>
> kind regards
> Rolf
>
> >> If I apply the policy-map after OSPF changes to FULL, it stays in that
> >> status.
> >> If I apply the map and clear OSPF process it flaps the whole time
> >> between
> >> EXSTART and DOWN:
> >
> > Are you using OSPFv3 authentication? In this case the first protocol in
> > the packets is AH, and the next is OSPF. This doesn't fully explain what
> > you're seeing, but is something to check.
> >
> > I have no clue for the other strangenesses you describe.
> >
> > Regards,
> >   Bergonz
> >
> >
> > --
> > Ing. Michele Bergonzoni - Laboratori Guglielmo Marconi S.p.a.
> > Phone:+39-051-6781926 e-mail: berg...@labs.it
> > alt.advanced.networks.design.configure.operate
> > ___
> > cisco-nsp mailing list  cisco-nsp@puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
>
>
>

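Rogelio's reply pins down why the adjacency in Rolf's test flaps between EXSTART and DOWN once the policy is applied: Hellos arrive as multicast, but the DBD exchange that starts at EXSTART is unicast to the neighbor's link-local address, and Bergonzoni adds that with OSPFv3 authentication the packets arrive as AH rather than as OSPF. If the CoPP ACL only matches the OSPF multicast groups, the Hellos get through, the neighbor reaches EXSTART, and the unicast DBDs are policed away. The block below is an added example, not from the thread and not IOS syntax: a small Python model of an IPv6 CoPP ACL checked against the packets an adjacency sends. The link-local addresses, the ACL entries and the packet mix are constructed; "permit" stands for "admitted by the CoPP class", and first-match-wins with an implicit deny mirrors how IOS evaluates an ACL.

```python
"""Model of an IPv6 control-plane policing ACL evaluated against the
packets an OSPFv3 adjacency needs. Added example, not from the thread;
the addresses, ACL contents and packet mix below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

OSPF = 89   # IPv6 next-header value for OSPF
AH = 51     # IPv6 next-header value for the Authentication Header


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action, protocol (None = any), src/dst prefix."""
    action: str
    proto: Optional[int]
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network


@dataclass(frozen=True)
class Packet:
    name: str
    proto: int
    src: ipaddress.IPv6Address
    dst: ipaddress.IPv6Address


def ace(action: str, proto: Optional[int], src: str, dst: str) -> Ace:
    return Ace(action, proto, ipaddress.IPv6Network(src), ipaddress.IPv6Network(dst))


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; like IOS, the list ends in an implicit deny."""
    for e in acl:
        if (e.proto is None or e.proto == pkt.proto) and pkt.src in e.src and pkt.dst in e.dst:
            return e.action
    return "deny"


# Constructed link-local addresses of the two routers on the segment.
R1 = ipaddress.IPv6Address("fe80::1")
R2 = ipaddress.IPv6Address("fe80::2")
ALL_SPF = ipaddress.IPv6Address("ff02::5")

# What an adjacency sends: Hellos go to the multicast group, but once the
# neighbors reach ExStart the DBD/LSR/LSU exchange is unicast to the
# neighbor's link-local address. With OSPFv3 IPsec authentication the
# next header after the IPv6 header is AH (51) rather than OSPF (89).
ADJACENCY = [
    Packet("hello", OSPF, R2, ALL_SPF),
    Packet("dbd", OSPF, R2, R1),
    Packet("lsu", OSPF, R2, R1),
]
ADJACENCY_AUTH = [Packet(p.name + "+ah", AH, p.src, p.dst) for p in ADJACENCY]

# Multicast-only policy: Hellos pass, so the neighbor shows up and moves to
# ExStart, but the unicast DBDs are policed away and the adjacency falls back.
MULTICAST_ONLY = [
    ace("permit", OSPF, "::/0", "ff02::5/128"),
    ace("permit", OSPF, "::/0", "ff02::6/128"),
]

# Corrected policy: also admit unicast OSPF between link-locals, and AH to
# the same destinations for the authenticated case.
FIXED = MULTICAST_ONLY + [
    ace("permit", OSPF, "fe80::/10", "fe80::/10"),
    ace("permit", AH, "::/0", "ff02::5/128"),
    ace("permit", AH, "::/0", "ff02::6/128"),
    ace("permit", AH, "fe80::/10", "fe80::/10"),
]


def dropped(acl: List[Ace], packets: List[Packet]) -> List[str]:
    """Names of the adjacency packets this ACL would not permit."""
    return [p.name for p in packets if evaluate(acl, p) != "permit"]


if __name__ == "__main__":
    for label, acl in (("multicast-only", MULTICAST_ONLY), ("fixed", FIXED)):
        print(f"{label:15} drops {dropped(acl, ADJACENCY)}; with AH: {dropped(acl, ADJACENCY_AUTH)}")
```

On the router the equivalent check is an IPv6 ACL whose OSPF entries include the link-local range as a destination (plus AH entries when ipv6 ospf authentication is configured), and then watching the class counters in show policy-map control-plane while the adjacency forms: a class that only counts multicast while the neighbor sits in EXSTART is this model's first case.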

Re: [c-nsp] Cisco 6509 LACP

2013-02-08 Thread Rogelio Gamino
I'm surprised portfast is not causing the interfaces to errdisable.

Do you see MAC addresses for the source/destination devices on both
switches?

Rogelio Gamino
On Feb 8, 2013 6:11 PM, "Mack McBride"  wrote:

> Not on a trunk.
> That is for an access port.
>
> LR Mack McBride
> Network Architect
>
> -Original Message-
> From: cisco-nsp-boun...@puck.nether.net [mailto:
> cisco-nsp-boun...@puck.nether.net] On Behalf Of Mario Ruiz
> Sent: Friday, February 08, 2013 3:05 PM
> To: Andrew Miehs
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] Cisco 6509 LACP
>
> Don't you need the vlan statement too.
>
> switchport access vlan 2
>
> On Fri, Feb 8, 2013 at 4:41 PM, Andrew Miehs  wrote:
> > Which VLANs do you want to trunk?
> > Have you created the
> >
> > vlan 
> >   name 
> >
> > entries on the Cisco side yet?
> >
> > show interface trunk
> >
> > would also be interesting.
> >
> >
> >
> >
> > On Sat, Feb 9, 2013 at 7:25 AM, Mike Glass 
> wrote:
> >
> >> I hope somebody can help me, I am trying to configure a 6509 as the
> >> passive receiver from a Dell Force10 10Ge switch with 2 sfp to 2 gig
> >> ports on our 6509 switch, I see LACP is up on both sides but cannot
> >> pass traffic, I have only 2 vlans that will carry across the
> >> aggregate link from our vmware boxes, this is just a temp until I get a
> 10ge in our 6509 chassis.
> >>
> >> Attached is the config on both sides.
> >>
> >> Make sense?
> >>
> >> ---
> >> Cisco 6509 Config
> >> ---
> >>
> >> interface GigabitEthernet6/7
> >>  switchport
> >>  no ip address
> >>  spanning-tree portfast
> >>  switchport mode trunk
> >>  channel-protocol lacp
> >>  channel-group 1 mode passive
> >> !
> >> interface GigabitEthernet6/8
> >>  switchport
> >>  no ip address
> >>  spanning-tree portfast
> >>  switchport mode trunk
> >>  channel-protocol lacp
> >>  channel-group 1 mode passive
> >>
> >>
> >> interface Port-channel1
> >>  description lacp Force10
> >>  switchport
> >>  switchport trunk encapsulation dot1q
> >>  switchport mode trunk
> >>  no ip address
> >>  logging event link-status
> >> 
> >>
> >>
> >> ---
> >> show etherchannel detail
> >> ---
> >>
> >> Channel-group listing:
> >> ---
> >>
> >> Group: 1
> >> --
> >> Group state = L2
> >> Ports: 2   Maxports = 16
> >> Port-channels: 1 Max Port-channels = 16
> >> Protocol:   LACP
> >> Minimum Links: 0
> >> Ports in the group:
> >> ---
> >> Port: Gi6/7
> >> 
> >>
> >> Port state= Up Mstr In-Bndl
> >> Channel group = 1   Mode = Active  Gcchange = -
> >> Port-channel  = Po1 GC   =   - Pseudo port-channel = Po1
> >> Port index= 0   Load = 0x55Protocol =   LACP
> >>
> >> Flags:  S - Device is sending Slow LACPDUs   F - Device is sending fast LACPDUs.
> >>         A - Device is in active mode.        P - Device is in passive mode.
> >>
> >> Local information:
> >>                             LACP port     Admin     Oper    Port        Port
> >> Port      Flags   State     Priority      Key       Key     Number      State
> >> Gi6/7     SA      bndl      32768         0x1       0x1     0x607       0x3D
> >>
> >> Partner's information:
> >>
> >>                   Partner Partner   LACP Partner  Partner   Partner  Partner     Partner
> >> Port      Flags   State   Port Priority Admin Key Oper Key Port Number Port State
> >> Gi6/7     FA      bndl    32768         0x0       0x1      0xA5        0x3F
> >>
> >> Age of the port in the current state: 0d:00h:08m:06s
> >>
> >> Port: Gi6/8
> >> --

[c-nsp] just installed a Huawei...

2011-07-25 Thread Rogelio
Not sure if it's any interest of this group, but I just installed a
Huawei CX600 router this last week.

It's like Cisco quality (garbage!) for the price that Cisco should be
(low!).  The commands are very similar (e.g. switchport -> portswitch,
no shut -> undo shut, etc), and you configure it almost identical to
what you'd expect on a Cisco.

The worst part about the Huawei is probably the documentation.  It's
scattered all over the place, so if you want something simple (like
telnet access), it's in a completely different PDF than if you want,
say, VLAN configuration commands.  Finding it all is a huge scavenger
hunt.

But hey...for like a 1/4 of the price or whatever (so I've heard), I'd
say it's worth it.  :b


-- 
Also on LinkedIn?  Feel free to connect if you too are an open
networker: scubac...@gmail.com



[c-nsp] Does MTU size matter on layer 2 router interface?

2011-07-23 Thread Rogelio
If I have an interface that is simply spewing VLAN'd traffic to another 
router or switch (which then does certain things with that VLAN'd 
traffic), does the MTU size on that interface really matter?


(Or does it matter only on L3 interfaces that have IP addresses?)


[c-nsp] queue drops on interfaces possibly explained by autonegotiate ?

2011-07-23 Thread Rogelio
I'm comparing two similarly configured Cisco 7201 routers and trying to 
figure out why one (with few L2TP tunnels) is getting more queue drops 
than another (with many L2TP tunnels).


The only difference I see is that one router (with fewer tunnels and 
lots of queue drops) has autonegotiate on his interfaces.


Could that explain the queue drops?  Or should I be looking elsewhere?


[c-nsp] high performance open source DHCP solution?

2011-07-19 Thread Rogelio
The free DHCP solution, ISC, seems to be having scaling issues (i.e.
handling only about 200 DHCPDISCOVER and 20 DHCPRENEW requests), and I
was wondering if anyone had any open source suggestions of solutions
that could scale much better?

(Ideally, I could find a free version of a solution like Nominum, but
I know that's asking for much.)

Anyone have any suggestions?




Re: [c-nsp] finding unicast flooding in Wireshark sniff

2011-07-19 Thread Rogelio

Irina Arsenieva wrote:

Hello there,
I believe Wireshark display filter should look something like this:
!(eth.ig == 1) and !(eth.dst == xx.yy.zz.tt.uu.vv),


So, this was very helpful.  Thx again, Irina.  Here's what I'm currently 
doing...


display filter: !(eth.ig == 1) && !(eth.dst == Cisco_11:22:33)

Then I'm drilling down from there

display filter: !(eth.ig == 1) && !(eth.dst == Cisco_11:22:33) && l2tp 
&& arp (&& other stuff to narrow down this big list)


Once I find an interesting packet, then I see if it ever originated on 
my segment


e.g.

display filter: eth.src == Apple_99:88:77

Thank you!


Re: [c-nsp] finding unicast flooding in Wireshark sniff

2011-07-19 Thread Rogelio

Irina Arsenieva wrote:

Hello there,
I believe Wireshark display filter should look something like this:
!(eth.ig == 1) and !(eth.dst == xx.yy.zz.tt.uu.vv),
where
!(eth.ig == 1) - excludes broadcast and multicast
!(eth.dst == xx.yy.zz.tt.uu.vv) - excludes your router mac
xx.yy.zz.tt.uu.vv


Thank you, Irina. I see the display filter, but don't see conditions 
(i.e. WHERE statement), so I guess I'll just have to export the results of 
one set and run the 2nd filter on that set.


I will try that!


[c-nsp] finding unicast flooding in Wireshark sniff

2011-07-18 Thread Rogelio
I've got several L2TP tunnels hitting a Cisco 7201 and am trying to
use Wireshark to determine what inside my tunnel is responsible for queue
drops on one of the interfaces responsible for the L2TP termination. I
inserted a Wireshark laptop in a hub between the LAC and the LNS, and
I got a good 24 hour sniff of L2TP traffic.

(A broadcast filter is on the router, so I strongly suspect unicast
garbage is flooding my L2TP tunnels. I am trying to make a case for a
good carrier grade switch that supports the UUFB feature)

I'm relatively new to Wireshark and could use some suggestions on how
to determine what is responsible for the traffic spikes in the IO
graph.  I sorted the traffic by protocol hierarchy and found 99% of it
inside the Ethernet / IP section is TCP, so I know that it's
application level traffic.  I'm hoping to narrow this down a bit more
and  find the smoking gun.

Any ideas where to start?  I feel like I'm poking around here and
could use any pointers or suggestions others might have.  Ideally, I
could make one "find unidentified unicast" filter and scan a big file
for that characteristic.


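The three Wireshark posts above build the "unidentified unicast" filter by hand: drop group addresses (eth.ig), drop frames addressed to the router, then check per address whether the destination ever shows up as eth.src on the segment. What follows is an added example, not from the thread and not the filter Irina wrote: the same three conditions implemented in Python over raw Ethernet frames, so a whole capture can be scanned in one pass instead of drilling down address by address. ROUTER_MAC, the MACs and the frames in SAMPLE are constructed, not taken from the 24-hour sniff. A unicast destination that never transmits on the segment is exactly what an upstream switch floods once the MAC has aged out of its table, which is the case the UUFB post below suspects.

```python
"""Find unknown-unicast flooding in a capture. Added example, not from the
thread; ROUTER_MAC and the frames in SAMPLE are constructed (the MACs are
made up) rather than taken from Rogelio's sniff."""
import struct
from collections import Counter
from typing import Iterable, Optional, Tuple

ROUTER_MAC = "00:11:22:33:44:55"   # assumed MAC of the LNS/router interface


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def is_group(mac: str) -> bool:
    """Wireshark's eth.ig: the I/G bit is the least significant bit of octet 0
    (set for broadcast and every multicast address)."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


def parse_frame(frame: bytes) -> Tuple[str, str, int, int]:
    """Return (dst, src, ethertype, payload length); skips one 802.1Q tag."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    offset = 14
    if etype == 0x8100:                      # VLAN-tagged: TCI, then real ethertype
        etype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    return mac_str(dst), mac_str(src), etype, len(frame) - offset


def flooded_unicast(frames: Iterable[bytes], router_mac: str = ROUTER_MAC) -> Counter:
    """Payload bytes per destination for unicast frames that are not addressed
    to the router and whose destination never transmitted on this segment.
    The first two conditions are the display filter from the thread,
    !(eth.ig == 1) && !(eth.dst == router); the third is the eth.src check
    Rogelio did by hand for each interesting address."""
    parsed = [parse_frame(f) for f in frames]
    senders = {src for _, src, _, _ in parsed}
    bytes_by_dst: Counter = Counter()
    for dst, src, _, plen in parsed:
        if is_group(dst) or dst == router_mac.lower():
            continue
        if dst in senders:
            continue                         # known on this segment: normal unicast
        bytes_by_dst[dst] += plen
    return bytes_by_dst


def build_frame(dst: str, src: str, etype: int = 0x0800,
                payload: bytes = b"\x00" * 46, vlan: Optional[int] = None) -> bytes:
    """Constructed test frame; not a real capture."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        hdr += struct.pack("!HH", 0x8100, vlan)
    return hdr + struct.pack("!H", etype) + payload


# Constructed sample: traffic to the router, a broadcast ARP, one host that
# answers on the segment, and a host that is only ever a destination.
SAMPLE = [
    build_frame(ROUTER_MAC, "00:1c:b3:aa:bb:01", payload=b"x" * 100),
    build_frame("ff:ff:ff:ff:ff:ff", "00:1c:b3:aa:bb:01", etype=0x0806),
    build_frame("00:1c:b3:aa:bb:02", "00:1c:b3:aa:bb:01", payload=b"y" * 200),
    build_frame("00:1c:b3:aa:bb:01", "00:1c:b3:aa:bb:02", payload=b"z" * 60),
    build_frame("00:50:56:de:ad:01", "00:1c:b3:aa:bb:01", payload=b"q" * 1400, vlan=10),
    build_frame("00:50:56:de:ad:01", "00:1c:b3:aa:bb:01", payload=b"q" * 1400, vlan=10),
]


if __name__ == "__main__":
    for dst, n in flooded_unicast(SAMPLE).most_common():
        print(f"{dst}  {n} payload bytes flooded")
```

To run it on a real capture, feed the raw frames (for example from a pcap reader) to flooded_unicast(); most_common() on the Counter it returns lists the flooded destinations by volume, which is the list to compare against the spikes in the IO graph.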

[c-nsp] cheapo UUFB solution for Cisco 7201

2011-07-04 Thread Rogelio
I've got a Cisco 7201 with about 500 L2TPv2 tunnels, and I suspect
that UUFB (unknown unicast flooding) is resulting in spiking (I put an
ACL on to kill broadcast traffic, so I'm sure that's not related).
I've googled and don't see anything for the 7201, just the 7600
series.  :/

i.e. 
http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/blocking.html

Anyone have any suggestions on (something cheap) that I can put in
front of this box to spare it from (what I suspect) is a gateway that
unicast floods when a MAC address has aged?

To add to my challenges, I'm in Brazil and importing gear is insanely
effing difficult.  :/



[c-nsp] Huawei equiv of Cisco 7201 and Cisco ME 4924?

2011-06-19 Thread Rogelio
I am in Brazil and am having a heckuva time finding a Cisco 7201
router and Cisco ME 4924 switch.

Anyone have any ideas on where I could buy these easily?  And if not,
any suggestions on Huawei equivalents?



[c-nsp] using RANCID in a CCIE lab

2011-05-27 Thread Rogelio
I would like to make a public CCIE lab for friends and have it reset
all the configs at pre-set times.

Is a tool like RANCID a good way to do this?  I know that it can log
in and do commands at preset times, and I thought that its DB
snapshots might be helpful as well.



[c-nsp] recommendation on vendor for 8 Cisco 7201 routers?

2011-04-04 Thread Rogelio
Anyone have any recommendations for a Cisco shop that can sell me 8
new Cisco 7201 routers?

If so, please email me the best person to contact.

Thanks



[c-nsp] terminal server suggestions?

2011-01-03 Thread Rogelio
I recently bought a grip of Cisco routers (2600s, 3600s) and Cisco
switches (3560s) for a few hundred dollars, and now I'm putting
together a setup that will let me do the INE CCIE lab exercises.

I was wondering if anyone had a good suggestion for extremely cheap
terminal servers (Avocent, Xyplex, Cisco, etc).


[c-nsp] Tunneling / Subscription Management Expert with Good R&S Expertise

2010-10-10 Thread Rogelio
A brand new job R&S posting on Craigslist, in case anyone here is
looking for work

http://sfbay.craigslist.org/sby/res/1998682771.html


[c-nsp] purchasing Cisco in Brazil (Cisco 7204 w/ NPE G2 card)

2010-09-20 Thread Rogelio

I am in Sao Paulo, Brazil and need to purchase two things this week:

Cisco 7204 chassis
NPE G2 card

I don't speak Portuguese well, but I have a Portuguese phone number.

Anyone have any suggestions on who I can contact?


Re: [c-nsp] Monitoring Nexus 7000 platform

2009-08-13 Thread Gamino, Rogelio (OCTO-Contractor)
Cisco DCNM might give you the info you are looking for.





-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Ash Net
Sent: Thursday, August 13, 2009 5:01 PM
To: Roland Dobbins; Cisco-nsp
Subject: Re: [c-nsp] Monitoring Nexus 7000 platform

Yep, we know that already. I'm finding that there aren't a lot of
management systems (OV/Concord at least) that can natively monitor the
7k's since they haven't certified the platform yet.

Wondering how people are monitoring elements such as CPU Health, intf
utilization, topology change event traps of the 7K Chassis etc. There
doesn't appear to be a comprehensive MIB that has all the elements
defined.

It'd be great to hear from folks who have these boxes deployed and
have them in any enterprise monitoring systems.



On 8/13/09, Roland Dobbins  wrote:
>
> On Aug 14, 2009, at 12:07 AM, Ash Net wrote:
>
>> We have recently deployed N7k's in our DC and want to enable
>> monitoring on them.
>
> N7Ks have a dedicated management processor; they also have a
> management software system which I believe ships with every N7K.
>
> They also output operationally useful NetFlow.
>
> ---
> Roland Dobbins  // 
>
>  Unfortunately, inefficiency scales really well.
>
>  -- Kevin Lawton
>
>


[c-nsp] LACP + Wi-Fi = ghettofabulous big wireless pipes?

2009-06-12 Thread Rogelio
I've got several outdoor Wi-Fi radios that I would like to configure in 
a PtP configuration on multiple 802.11a channels.


My question to the list is, "Can I use LACP on each end (via a network 
switch) to aggregate those PtP connections into one virtual connection?"


e.g.

http://www.cisco.com/en/US/tech/tk389/tk213/technologies_configuration_example09186a0080094470.shtml

So, instead of using ethernet to each switch, I'm connecting an ethernet 
cable from my switch into the 100 Mbps LIM of the radio node, creating a 
PtP link across an area, then coming out that other radio's 100 Mbps LIM 
via ethernet into another LACP-friendly switch.


So, on each port, there is something like...

switch->ethernet->radio-> 5 GHz PtP link->radio->ethernet->switch

Any feedback on this?


[c-nsp] reasons for giving new VLAN int a new IP

2009-05-24 Thread Rogelio
I've got a general question about VLANs that grew out of two separate 
VLAN implementations -- one on Cisco switches and another one on BelAir 
BA200 radios:


Do you have to put an IP on that VLAN for traffic to flow? 
Or only if you'd like to manage it from that VLAN?


Obviously, in general, an IP address (or even correct IP address) on a 
layer two device isn't necessary for traffic to flow through it, but I 
was thinking that there might be a possibility that some other "thing" 
(limitation in vendor implementations, practicality, feature set, 
controllers to work, etc) compelled putting an IP address on.


I've always added an IP on each VLAN on Cisco switches and recently 
started doing it on the BelAir BA200 quad radios out of habit.  (A 
coworker said that it wasn't required, and normally I'd test it out, but 
I'm not in a position  to easily test out this theory.)


Nothing earth shattering, but if anyone had any insight on the matter, 
I'd love to hear it.



Re: [c-nsp] OT: SNMP Trap manager recommendation

2009-04-12 Thread Rogelio

Piotr Nowacki wrote:

 Justin

Hi,
take a look at Opsview (www.opsview.org)
It is basically nagios with heavily patched NDO and Java frontend.
It does support basic SNMP Traps processing.


OpenNMS might also do what you need.

see this URL

http://www.opennms.org/index.php/Event_Configuration_How-To

particularly this section on traps using the trapd process

http://www.opennms.org/index.php/Event_Configuration_How-To#SNMP_Traps

There in eventconf.xml you can write up the details on how you'd like to 
trap things and convert them into something more user friendly.


(Which is what you're trying to do, right?)

HTH


Re: [c-nsp] IPSec between Cisco and D-Link

2008-12-12 Thread Gamino, Rogelio (OCTO-Contractor)
Also, make sure the acl's used to define interesting traffic are
correct.



Rogelio Gamino
rogelio.gam...@dc.gov
(o) 202-741-5853


-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Justin Shore
Sent: Friday, December 12, 2008 2:33 PM
To: twisted mac
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] IPSec between Cisco and D-Link

It looks like you have a phase 2 problem.  Your IPSec transform-set 
isn't matching up with what the D-Link is offering.  Try changing the 
transform-set to something more useful like this:

crypto ipsec transform-set encraes128md5 esp-aes 128 esp-md5-hmac

It would be better if you used AES256.

crypto ipsec transform-set encraes256md5 esp-aes 256 esp-md5-hmac

These are good fallback transform-sets if need be.

crypto ipsec transform-set encr3dessha esp-3des esp-sha-hmac
crypto ipsec transform-set encr3dessha-gre esp-3des esp-sha-hmac


Don't forget to update your crypto maps with the name of the 
transform-set you chose to use.  Also, I would not recommend messing 
with the lifetime values unless the remote end requires it.

Justin



twisted mac wrote:
> Seems fair enough :)
> 
> logs from dlink
> 
>2008-12-11 17:30:21: IkeSnoop: Received IKE packet from
> 82.x.x.x:500 Exchange
> type : Informational ISAKMP Version : 1.0 Flags : E (encryption)
Cookies :
> 0x458f51017c4a446 -> 0xa582286a38ab6fb0 Message ID : 0x2f8ad085 Packet
> length : 452 bytes # payloads : 2 Payloads: HASH (Hash) Payload data
length
> : 20 bytes N (Notification) Payload data length : 396 bytes Protocol
ID :
> ESP Notification : No proposal chosen
> 
> 
> logs from cisco:
> 
> xxx#debug crypto isakmp
> Crypto ISAKMP debugging is on
> xxx#
> 2d23h: ISAKMP (0:134217749): received packet from 217.x.x.x dport 500
sport
> 500 Global (R) QM_IDLE
> 2d23h: ISAKMP: set new node -1473959992 to QM_IDLE
> 2d23h: ISAKMP:(0:21:SW:1): processing HASH payload. message ID =
-1473959992
> 2d23h: ISAKMP:(0:21:SW:1): processing SA payload. message ID =
-1473959992
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: transform 1, ESP_AES
> 2d23h: ISAKMP:   attributes in transform:
> 2d23h: ISAKMP:  key length is 128
> 2d23h: ISAKMP:  authenticator is HMAC-MD5
> 2d23h: ISAKMP:  SA life type in seconds
> 2d23h: ISAKMP:  SA life duration (basic) of 3600
> 2d23h: ISAKMP:  encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: transform 2, ESP_AES
> 2d23h: ISAKMP:   attributes in transform:
> 2d23h: ISAKMP:  key length is 128
> 2d23h: ISAKMP:  authenticator is HMAC-SHA
> 2d23h: ISAKMP:  SA life type in seconds
> 2d23h: ISAKMP:  SA life duration (basic) of 3600
> 2d23h: ISAKMP:  encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: transform 3, ESP_3DES
> 2d23h: ISAKMP:   attributes in transform:
> 2d23h: ISAKMP:  authenticator is HMAC-MD5
> 2d23h: ISAKMP:  SA life type in seconds
> 2d23h: ISAKMP:  SA life duration (basic) of 3600
> 2d23h: ISAKMP:  encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: transform 4, ESP_3DES
> 2d23h: ISAKMP:   attributes in transform:
> 2d23h: ISAKMP:  authenticator is HMAC-SHA
> 2d23h: ISAKMP:  SA life type in seconds
> 2d23h: ISAKMP:  SA life duration (basic) of 3600
> 2d23h: ISAKMP:  encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: unknown ESP transform!
> 2d23h: ISAKMP:   attributes in transform:
> 2d23h: ISAKMP:  authenticator is HMAC-MD5
> 2d23h: ISAKMP:  SA life type in seconds
> 2d23h: ISAKMP:  SA life duration (basic) of 3600
> 2d23h: ISAKMP:  encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: unknown ESP transform!
> 2d23h: ISAKMP:   attributes in transform:
> 2d23h: ISAKMP:  authenticator is HMAC-SHA
> 2d23h: ISAKMP:  SA life type in seconds
> 2d23h: ISAKMP:  SA life duration (basic) of 3600
> 2d23h: ISAKMP:  encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: unknown ESP transform!
> 2d23h: ISAKMP:   attributes in transform:
> 2d23h: ISAKMP:  key length is 128
> 2d23h: ISAKMP:  authenticator is HMAC-MD5
> 2d23h: ISAKMP:  SA life type in seconds
> 2d23h: ISAKMP:  SA life duration (basic) of 3600
> 2d

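Justin's diagnosis above (the transform-set does not match what the D-Link offers) can be checked mechanically against the router's own debug. Below is an added example, not from the thread and not from either vendor: a parser for the "transform N, ..." blocks that IOS prints under debug crypto isakmp, with candidate transform-set lines in IOS syntax tested against the parsed offer. DEBUG is a trimmed excerpt of the output quoted above, the transform-set names are the ones Justin suggested, and the matching rules (cipher, key length and authenticator must all agree) are mine. Against the visible part of the debug the esp-aes 128 esp-md5-hmac set matches the first offered transform and esp-3des esp-sha-hmac matches the fourth, while an esp-aes 256 set matches nothing the D-Link offers there; a router holding only that set would answer with the "No proposal chosen" notification the D-Link log shows, so the D-Link side would have to offer 256-bit AES as well before the stronger set does any good.

```python
"""Parse the IKEv1 quick-mode (phase 2) proposals a peer offers, as printed
by IOS `debug crypto isakmp`, and test candidate transform-sets against
them. Added example, not from the thread or from either vendor: DEBUG is a
trimmed excerpt of the debug quoted above, the transform-set lines are the
ones Justin suggested, and the matching rules are mine."""
import re
from typing import Dict, List, Optional

DEBUG = """\
2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
2d23h: ISAKMP: transform 1, ESP_AES
2d23h: ISAKMP:   attributes in transform:
2d23h: ISAKMP:  key length is 128
2d23h: ISAKMP:  authenticator is HMAC-MD5
2d23h: ISAKMP:  encaps is 1 (Tunnel)
2d23h: ISAKMP: transform 2, ESP_AES
2d23h: ISAKMP:  key length is 128
2d23h: ISAKMP:  authenticator is HMAC-SHA
2d23h: ISAKMP:  encaps is 1 (Tunnel)
2d23h: ISAKMP: transform 3, ESP_3DES
2d23h: ISAKMP:  authenticator is HMAC-MD5
2d23h: ISAKMP:  encaps is 1 (Tunnel)
2d23h: ISAKMP: transform 4, ESP_3DES
2d23h: ISAKMP:  authenticator is HMAC-SHA
2d23h: ISAKMP:  encaps is 1 (Tunnel)
2d23h: ISAKMP: unknown ESP transform!
2d23h: ISAKMP:  key length is 128
2d23h: ISAKMP:  authenticator is HMAC-MD5
2d23h: ISAKMP:  encaps is 1 (Tunnel)
"""

TRANSFORM_RE = re.compile(r"ISAKMP: (?:transform \d+, (\S+)|unknown ESP transform!)")
KEYLEN_RE = re.compile(r"key length is (\d+)")
AUTH_RE = re.compile(r"authenticator is (HMAC-\w+)")
ENCAPS_RE = re.compile(r"encaps is \d+ \((\w+)\)")

# IOS transform-set keywords mapped onto what the debug prints. `esp-aes`
# without a key length means 128-bit AES.
CIPHER = {"esp-aes": ("ESP_AES", 128), "esp-aes 128": ("ESP_AES", 128),
          "esp-aes 192": ("ESP_AES", 192), "esp-aes 256": ("ESP_AES", 256),
          "esp-3des": ("ESP_3DES", None)}
AUTH = {"esp-md5-hmac": "HMAC-MD5", "esp-sha-hmac": "HMAC-SHA"}
TS_RE = re.compile(r"crypto ipsec transform-set (\S+) (esp-aes(?: \d+)?|esp-3des) (esp-\w+-hmac)")


def parse_offers(debug: str) -> List[Dict[str, object]]:
    """One dict per offered transform: cipher, key length, authenticator, mode.
    A transform the router cannot name is kept as UNKNOWN so it never matches."""
    offers: List[Dict[str, object]] = []
    cur: Optional[Dict[str, object]] = None
    for line in debug.splitlines():
        m = TRANSFORM_RE.search(line)
        if m:
            cur = {"cipher": m.group(1) or "UNKNOWN", "keylen": None, "auth": None, "mode": None}
            offers.append(cur)
            continue
        if cur is None:
            continue
        for key, rx in (("keylen", KEYLEN_RE), ("auth", AUTH_RE), ("mode", ENCAPS_RE)):
            m = rx.search(line)
            if m:
                cur[key] = int(m.group(1)) if key == "keylen" else m.group(1)
    return offers


def parse_transform_set(line: str):
    """`crypto ipsec transform-set NAME <cipher> [keylen] <auth>` -> (name, cipher, keylen, auth)."""
    m = TS_RE.match(line)
    if not m:
        raise ValueError(f"cannot parse transform-set line: {line}")
    cipher, keylen = CIPHER[m.group(2)]
    return m.group(1), cipher, keylen, AUTH[m.group(3)]


def first_match(offers: List[Dict[str, object]], ts_line: str) -> Optional[int]:
    """Index of the first offered transform this transform-set accepts, or None
    (in which case IOS answers the peer with a 'No proposal chosen' notify)."""
    _, cipher, keylen, auth = parse_transform_set(ts_line)
    for i, o in enumerate(offers):
        if o["cipher"] == cipher and o["auth"] == auth and (keylen is None or o["keylen"] == keylen):
            return i
    return None


if __name__ == "__main__":
    offers = parse_offers(DEBUG)
    for ts in ("crypto ipsec transform-set encraes128md5 esp-aes 128 esp-md5-hmac",
               "crypto ipsec transform-set encraes256md5 esp-aes 256 esp-md5-hmac",
               "crypto ipsec transform-set encr3dessha esp-3des esp-sha-hmac"):
        print(ts.split()[3], "->", first_match(offers, ts))
```

The debug is truncated in the thread, so the offer may continue past the transforms shown; paste the full debug into DEBUG before trusting a None result.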
Re: [c-nsp] OK, what is a cheap and dirty hack to test a port

2008-10-15 Thread Rogelio

Ted Mittelstaedt wrote:

  My question, is there a way I can configure the router port
so that I can throw a massive amount of (bogus, naturally)
traffic to it, and the traffic will go out the port, through the
DSU, loopback through the hard loopback plug, then come back
into the router and go into the bit bucket?


Try iperf on either Windows or Linux. Either that or rent a Smartbit for 
a few days. :)




[c-nsp] will L2TP break Kerberos?

2008-10-14 Thread Rogelio

Will Kerberos break if it goes through an L2TP tunnel?

I have these handheld wireless devices that currently talk Kerberos 
back to a Symbol access point.  I'm looking to replace these Symbol 
units with BelAir access points.


These BelAir access points will L2TP tunnel back to a central Cisco 
router so that I can manage all of these handheld wireless devices with 
one DHCP and one RADIUS server.


In theory, I would think that L2TP tunneling works fine (the only 
difference being that your pipe gets smaller as you go across a WAN), but I 
was hoping to get some feedback from others here before I put this in 
production.


(I'm a little gun shy b/c I've seen things like NAT break IPsec)



Re: [c-nsp] Traffic on IPSec Tunnel btw Pix and Router

2008-09-25 Thread Gamino, Rogelio (OCTO-Contractor)
What happens if you remove the static route?

route outside 10.180.0.0 255.255.0.0 180.200.200.141

I don't think I've had to put static routes on the vpn device for routes
at the other end of the tunnel. The acl (L2L in this case) should take
care of that.


Rogelio Gamino
[EMAIL PROTECTED]
(o) 202-741-5853
(c) 202-716-9965

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Everton Diniz
Sent: Tuesday, July 15, 2008 9:19 AM
To: cisco-nsp
Subject: [c-nsp] Traffic on IPSec Tunnel btw Pix and Router

Hi all,

I configured a tunnel between the PIX and the router. The traffic goes to the PIX but
does not return. I see only encaps on the router and decaps on the
PIX.
Is anything missing?

Tks

Router Output and Config
TEHTCVPNRT01#sh cry ip sa

interface: GigabitEthernet0/1
Crypto map tag: ra-L2L-vpn, local addr 180.200.200.141

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.180.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.139.1.0/255.255.255.0/0/0)
   current_peer 200.150.180.62 port 500
 PERMIT, flags={origin_is_acl,}
#pkts encaps: 81, #pkts encrypt: 81, #pkts digest: 81
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 4, #recv errors 0

 local crypto endpt.: 180.200.200.141, remote crypto endpt.:
200.150.180.62  path mtu 1500, ip mtu 1500, ip mtu idb
GigabitEthernet0/1
 current outbound spi: 0xEA23924(245512484)

 inbound esp sas:
  spi: 0x2E3660C5(775315653)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3004, flow_id: NETGX:4, crypto map: ra-L2L-vpn
sa timing: remaining key lifetime (k/sec): (4429641/3573)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

 inbound ah sas:

 inbound pcp sas:

 outbound esp sas:
  spi: 0xEA23924(245512484)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3003, flow_id: NETGX:3, crypto map: ra-L2L-vpn
sa timing: remaining key lifetime (k/sec): (4429640/3573)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

 outbound ah sas:

 outbound pcp sas:



crypto isakmp policy 11
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key 6 L2L address 200.150.180.62 no-xauth
crypto isakmp aggressive-mode disable
crypto ipsec transform-set aessha-pixrtr esp-3des esp-md5-hmac

crypto map ra-L2L-vpn 2 ipsec-isakmp
  set peer 200.150.180.62
 set transform-set aessha-pixrtr
 match address 120
 reverse-route

interface GigabitEthernet0/1
 ip address 180.200.200.141 255.255.255.192
crypto map ra-L2L-vpn

access-list 120 permit ip 10.180.0.0 0.0.255.255 10.139.1.0 0.0.0.255



++



PIX output and Config:
local  ident (addr/mask/prot/port): (10.139.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.180.0.0/255.255.0.0/0/0)
   current_peer: 180.200.200.141:500
 PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 81, #pkts decrypt: 81, #pkts verify 81
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress
failed: 0
#send errors 0, #recv errors 0

 local crypto endpt.: 200.150.180.62 , remote crypto endpt.:
180.200.200.141
 path mtu 1500, ipsec overhead 56, media mtu 1500
 current outbound spi: 2e3660c5

 inbound esp sas:
  spi: 0xea23924(245512484)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 4, crypto map: L2L-ons
sa timing: remaining key lifetime (k/sec): (4607999/3478)
IV size: 8 bytes
replay detection support: Y


 inbound ah sas:


 inbound pcp sas:


 outbound esp sas:
  spi: 0x2e3660c5(775315653)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3, crypto map: L2L-ons
sa timing: remaining key lifetime (k/sec): (4608000/3478)
IV size: 8 bytes
replay detection support: Y


 outbound ah sas:


 outbound pcp sas:


ip address outside 200.150.180.62 255.255.255.224
ip address inside 10.139.1.111 255.255.255.0
access-list L2L permit ip 10.139.1.0 255.255.255.0 10.180.0.0
255.255.0.0
access-list L2Lnonat permit ip 10.139.1.0 255.255.255.0 10.180.0.0
255.255.0.0
nat (inside) 0 access-list L2Lnonat
route outside 10.180.0.0 255.255.0.0 180.200.200.141  1
sysopt connection permit-ipsec
crypto ipsec transform-set aessha-pixrtr esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map L2L 1 ipsec-isakmp
crypto map L2L 1 match address L2L
crypto map L2L 1 set peer 180.200.200.141
crypto

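The counters Everton posted tell most of the story on their own: the router encapsulates 81 packets and the PIX decapsulates 81, but the PIX never encapsulates anything, so the return traffic never enters the tunnel on the PIX side. Below is an added example, not from the thread: a parser for the ident and counter lines of show crypto ipsec sa that checks the two ends of one tunnel against each other. ROUTER and PIX are trimmed excerpts of the outputs quoted above; the checks and the wording of the findings are mine.

```python
"""Cross-check the encaps/decaps counters of one IPsec SA as seen from both
ends of the tunnel. Added example, not from the thread; ROUTER and PIX are
trimmed excerpts of the `show crypto ipsec sa` output quoted above, and the
checks and wording of the findings are mine."""
import re
from typing import Dict, List

ROUTER = """\
   local  ident (addr/mask/prot/port): (10.180.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.139.1.0/255.255.255.0/0/0)
   current_peer 200.150.180.62 port 500
    #pkts encaps: 81, #pkts encrypt: 81, #pkts digest: 81
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 4, #recv errors 0
"""

PIX = """\
   local  ident (addr/mask/prot/port): (10.139.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.180.0.0/255.255.0.0/0/0)
   current_peer: 180.200.200.141:500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 81, #pkts decrypt: 81, #pkts verify 81
    #send errors 0, #recv errors 0
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERR_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")


def parse_sa(text: str) -> Dict[str, object]:
    """Pull the proxy identities and packet counters out of one SA block.
    The PIX drops the colon after 'digest' and 'verify' but keeps it after
    encaps/decaps, so one regex serves both platforms."""
    sa: Dict[str, object] = {}
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            sa[m.group(1)] = f"{m.group(2)}/{m.group(3)}"
        m = COUNTER_RE.search(line)
        if m:
            sa[m.group(1)] = int(m.group(2))
        m = ERR_RE.search(line)
        if m:
            sa["send_errors"], sa["recv_errors"] = int(m.group(1)), int(m.group(2))
    return sa


def diagnose(a: Dict[str, object], b: Dict[str, object]) -> List[str]:
    """Findings for the A->B and B->A directions of one tunnel."""
    findings: List[str] = []
    if a["local"] != b["remote"] or a["remote"] != b["local"]:
        findings.append("proxy identities do not mirror each other: phase 2 selector mismatch")
    for src, dst, name in ((a, b, "A->B"), (b, a, "B->A")):
        if src["encaps"] == 0:
            findings.append(f"{name}: no packets encapsulated; the sending end never selected "
                            "this traffic for the tunnel (routing or crypto ACL on that side)")
        elif dst["decaps"] == 0:
            findings.append(f"{name}: encapsulated but never decapsulated; ESP is lost in transit")
        elif dst["decaps"] < src["encaps"]:
            findings.append(f"{name}: partial loss ({src['encaps']} sent, {dst['decaps']} received)")
        if src.get("send_errors", 0):
            findings.append(f"{name}: {src['send_errors']} send errors on the encapsulating side; "
                            "check whether the count still grows while traffic flows")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_sa(ROUTER), parse_sa(PIX)):
        print(finding)
```

An encaps count of zero on one end means that end's crypto map never selected the traffic: either the replies from 10.139.1.0/24 are not being routed out the PIX's outside interface at all, or they are but do not match the L2L crypto ACL when they get there. Comparing both ends separates that from an ESP-in-transit problem, where encaps rises on one side while decaps stays at zero on the other.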
Re: [c-nsp] WLC 4404 - Wirelss Lan Controller (DHCP issue)

2008-09-22 Thread Gamino, Rogelio (OCTO-Contractor)
I'm guessing it is wireless users. I have not seen an AP give the
"limited or no connectivity" alert he mentions.

How big is your dhcp scope? Maybe you're running out of IP's? What is
your lease time?





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Wilson
Sent: Monday, September 22, 2008 12:25 PM
To: 'Ahmed Mohamed'; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] WLC 4404 - Wirelss Lan Controller (DHCP issue)

By access node, do you mean wireless access point, or wireless user?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ahmed Mohamed
Sent: Monday, September 22, 2008 10:36 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] WLC 4404 - Wirelss Lan Controller (DHCP issue)

Hello,

A WLC4404 was configured with a DHCP pool. Access nodes should get an IP
from it every time they negotiate with the controller.

What happens is an intermittent problem where sometimes the access node
does not negotiate an IP and gives the alert "limited or no connectivity".

Any suggestions of what could be the problem?

Note: the problem is intermittent; it sometimes happens, and other times
things simply go fine.

Thanks in advance
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



[c-nsp] can cisco pix "boomerang" mail traffic?

2008-09-09 Thread Rogelio
Can a Cisco PIX "boomerang" a packet, i.e. route a packet coming from
the internal network that is destined for an Internet host back into
the internal network via NAT?

I ask because I have email clients pointing to mail.domain.com, and
unless I do a split DNS with my mail A record pointing to a 192 address
inside and an external mail A record pointing to my public IP address,
I'm not quite sure how to do it.


Users using Microsoft Outlook + Exchange don't have a problem getting 
their email.  But users using other email clients (Thunderbird, Outlook 
Express, etc) obviously cannot resolve the host name if they are on the 
wrong side of the network.  Thunderbird has different identities for 
each email account, but that's too much work for some of the users.



Re: [c-nsp] seeing VLAN-tagged device with layer 2 switch

2008-07-01 Thread Rogelio
On Tue, Jul 1, 2008 at 10:47 AM, Jay Hennigan <[EMAIL PROTECTED]> wrote:

> Rogelio wrote:
>
>> I've got an interesting problem.  I've got some non-Cisco wireless units
>> that are VLAN tagged, and for whatever reason, they're not working, and I'm
>> going to need to pull them down from a roof and troubleshoot them.
>>
>> Any ideas on what I might do to see them if I were to use a layer 2
>> non-VLAN-friendly switch?  That's all I have immediately available.
>>
>
> Crossover cable and ifconfig on any *nix box or Macintosh to set up the
> appropriate VLAN.


For what it's worth, here's a HOWTO on doing this

http://www.cyberciti.biz/tips/howto-configure-linux-virtual-local-area-network-vlan.html

As you can see, different flavors of Linux do things quite differently...

But here is one method of doing it (according to the above URL):

Create the interface

# vconfig add eth0 5

# ifconfig eth0.5

# ifconfig eth0.5 192.168.1.100 netmask 255.255.255.0 broadcast 192.168.1.255 up

Check the interface
# cat /proc/net/vlan/eth0.5

Kill the interface when you're done

# ifconfig eth0.5 down
# vconfig rem eth0.5
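The reason a plain layer 2 switch or an untagged host port never "sees" the wireless units is the 802.1Q tag on their frames: a receiver only accepts the frame if it has a matching VLAN subinterface (eth0.5 for VLAN 5 in the HOWTO above). The following is an added example, not code from the thread or the linked page, that builds and parses such tagged frames; the MAC addresses, payload and VLAN 5 are constructed sample values.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # TPID that marks an 802.1Q-tagged frame
ETHERTYPE_IPV4 = 0x0800    # inner EtherType used for the constructed sample


def build_tagged_frame(dst: bytes, src: bytes, vlan_id: int, payload: bytes,
                       ethertype: int = ETHERTYPE_IPV4, pcp: int = 0) -> bytes:
    """Assemble an Ethernet frame with an 802.1Q tag inserted after the MACs (no FCS)."""
    if not 0 < vlan_id < 4095:
        raise ValueError("VLAN ID must be 1..4094")
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    # TCI = 3-bit priority (PCP), 1-bit DEI (left 0), 12-bit VLAN ID
    tci = ((pcp & 0x7) << 13) | (vlan_id & 0xFFF)
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return VLAN ID (None if untagged), PCP, inner EtherType and payload of a frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_8021Q:
        return {"vlan": None, "pcp": None, "ethertype": ethertype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return {"vlan": tci & 0xFFF, "pcp": tci >> 13, "ethertype": inner, "payload": frame[18:]}


def host_can_see(frame: bytes, host_vlans: set) -> bool:
    """A host accepts untagged frames, or tagged ones for a VLAN it has a subinterface on."""
    info = parse_frame(frame)
    return info["vlan"] is None or info["vlan"] in host_vlans


if __name__ == "__main__":
    # Constructed sample: broadcast from a locally administered MAC on VLAN 5
    sample = build_tagged_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01", 5, b"\x00" * 20)
    print(parse_frame(sample))
    print("visible with eth0.5:", host_can_see(sample, {5}))
    print("visible with plain eth0:", host_can_see(sample, set()))
```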


Re: [c-nsp] seeing VLAN-tagged device with layer 2 switch

2008-07-01 Thread Rogelio
On Tue, Jul 1, 2008 at 10:47 AM, Jay Hennigan <[EMAIL PROTECTED]> wrote:

>
> Crossover cable and ifconfig on any *nix box or Macintosh to set up the
> appropriate VLAN.


Wow, this is perfect.  Thanks!


[c-nsp] seeing VLAN-tagged device with layer 2 switch

2008-07-01 Thread Rogelio
I've got an interesting problem.  I've got some non-Cisco wireless units 
that are VLAN tagged, and for whatever reason, they're not working, and 
I'm going to need to pull them down from a roof and troubleshoot them.


Any ideas on what I might do to see them if I were to use a layer 2 
non-VLAN-friendly switch?  That's all I have immediately available.


Or is doing a hard reset on them my only option?


Re: [c-nsp] bcp on edge filtering & udp

2008-06-30 Thread Rogelio

matthew zeier wrote:
Trying to find a pre-built set of ACLs for filtering bogus inbound UDP,
if one already exists, otherwise I'll have to build my own :)


Where are you trying to filter this?  At your CPE router?


[c-nsp] BGP vs PepLink / AT&T metrics on BGP

2008-06-29 Thread Rogelio
For a campus environment, I've got two WAN connections, one through 
Charter (30Mbps) and one through AT&T (50 Mbps). For load balancing, I 
am evaluating whether or not to use BGP or some sort of load sharing 
device, like PepLink.


With BGP, I am told that my AT&T pipe may get saturated quicker, as
their metrics are better.  Anyone else have this problem?  Or does anyone
have any suggestions for someone who is new to BGP in this sort of
situation?
