[c-nsp] Cisco ISE - NMAP Profiling
Hi All,

Has anyone got any experience with ISE Profiling in relation to static IP devices and NMAP scanning? I have the situation where we have some statically addressed devices that do not support EAP.

Scenario: I have a 'catch-all' MAB authorisation rule matching the built-in 'Wired MAB' condition but delivering a downloadable ACL permitting return traffic back to ISE to support NMAP scanning (and DHCP, but not relevant for this scenario). Once authenticated, ISE nmap scans the device and detects the device (finds various ports, SNMP hostnames etc.), let's call it a RICOH printer; it sends the CoA to the switch and it re-runs through the authorisation rules and now matches a more specific rule which permits full access to the network. All great.... until I configure another device (evil hax0r's laptop) with the same MAC/IP address, unplug the printer and plug in my laptop. I gain full network access and seemingly I'm never 're-profiled' (within my test 12 hour window anyway, plenty of time to wreak havoc).

Question: Why would ISE not re-scan on each subsequent authentication? I have the NMAP probe enabled, and NMAP scan is in the policy for 'ricoh-printer'. If ISE inherently has some block that prevents a re-run of the nmap scan, what is the point of profiling/nmap scans? ISE is simply using standard MAB at this point; we might as well have stuck with Cisco ACS.

Whilst I appreciate an NMAP scan could take anywhere from 5-10 seconds, we would simply scale up the environment to cater for how many concurrent scans would need to take place. Our PSNs are all dual quad CPUs and we'd even be happy to dedicate PSNs as nmap probes; in theory we should be able to crank out 10s if not 100s of nmap scans simultaneously (which would likely never be a required scenario anyway). As we don't use re-authentication timers a device could be on the network for months or even years, requiring only 1 nmap scan per host per x weeks/months of use.

Even then, the number of hosts we'd require the full nmap scan on is so few, as the majority of our estate is EAP-TLS and doesn't require nmap scanning. I'm either missing something obvious or Cisco have really missed a trick here in relation to static IP devices/NMAP; it seems so sensible to assume there would be an endpoint profile comparison post authentication and a CoA sent if the host has changed, and I can't think of a downside of doing so. Even if it took 10 mins to complete an NMAP scan and feed the info into the DB, at least the attacker would be kicked off; in the current scenario the attacker can stay on the network until someone realises the printer isn't printing anymore.

Further, I'm aware I could restrict the printer/potential attacker's access with dACLs etc., however Cisco is banging on about ISE and profiling etc., and it seemingly can't even protect the low hanging fruit.

Thanks
SteveH

Steve Housego
Principal Consultant
IT Professional Services
Axwell House, Waterside Drive, Metrocentre East Business Park, Gateshead, Tyne & Wear NE11 9HU
T. 0191 442 8300  F. 0191 442 8301
steve.hous...@itps.co.uk
Company No. 3930001 registered in England  VAT No. 734 1935 33
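The post argues for a post-authentication comparison of the stored endpoint profile against a fresh scan, with a CoA when the host behind the MAC/IP no longer matches. The Python below is an added example of that check; it is not ISE code and not part of the original thread. The attribute names (open TCP ports, SNMP sysDescr, OS guess), the re-scan interval, the port-similarity threshold and the sample endpoint records are all constructed assumptions, not ISE's schema, probe output or API.

```python
"""Endpoint profile drift check for MAB-authenticated static-IP devices.

Added example, not part of the original post and not ISE code. It models
what the post asks for: keep the attributes collected when the endpoint was
first profiled, re-scan on a later authentication (or on a timer), and issue
a CoA re-authorisation when the device behind the MAC/IP no longer looks like
the profiled one. Attribute names, thresholds and sample records are
constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class EndpointProfile:
    mac: str                    # identity of the endpoint record
    ip: str
    open_tcp_ports: frozenset   # ports the scan probe saw open
    snmp_sysdescr: str          # SNMP sysDescr, empty if SNMP did not answer
    os_guess: str               # OS fingerprint family
    scanned_at: datetime


# Assumed policy knobs (constructed values, tune per environment).
RESCAN_INTERVAL = timedelta(days=14)   # the "x weeks" the post mentions
PORT_SIMILARITY_FLOOR = 0.5            # below this the port set is a different device


def profile_drift(stored: EndpointProfile, fresh: EndpointProfile) -> list:
    """Return the names of profiled attributes that changed between scans.

    Both records must describe the same MAC/IP; otherwise they are not
    comparable and the caller has a bookkeeping bug.
    """
    if (stored.mac, stored.ip) != (fresh.mac, fresh.ip):
        raise ValueError("profiles describe different endpoints")
    drift = []
    if stored.open_tcp_ports != fresh.open_tcp_ports:
        drift.append("open_tcp_ports")
    if stored.snmp_sysdescr != fresh.snmp_sysdescr:
        drift.append("snmp_sysdescr")
    if stored.os_guess != fresh.os_guess:
        drift.append("os_guess")
    return drift


def port_similarity(a: frozenset, b: frozenset) -> float:
    """Jaccard similarity of two port sets; 1.0 when both are empty."""
    union = a | b
    return 1.0 if not union else len(a & b) / len(union)


def needs_rescan(stored: EndpointProfile, now: datetime) -> bool:
    """True once the stored profile is older than RESCAN_INTERVAL."""
    return now - stored.scanned_at >= RESCAN_INTERVAL


def reauth_decision(stored: EndpointProfile, fresh: EndpointProfile) -> str:
    """Decide what the policy server should do after a re-scan.

    'coa-reauth' : identity attributes changed; drop the session so the
                   endpoint falls back to the catch-all MAB rule.
    'log-only'   : only the port list moved a little (firmware update,
                   service toggled); keep the session, record the change.
    'no-change'  : the re-scan matches the stored profile.
    """
    drift = profile_drift(stored, fresh)
    if not drift:
        return "no-change"
    if "snmp_sysdescr" in drift or "os_guess" in drift:
        return "coa-reauth"
    if port_similarity(stored.open_tcp_ports, fresh.open_tcp_ports) < PORT_SIMILARITY_FLOOR:
        return "coa-reauth"
    return "log-only"


# Constructed sample data: the profile stored for a printer at first
# authentication, a benign later scan after a firmware update, and a scan
# that looks like a different class of device on the same MAC/IP.
T0 = datetime(2015, 1, 1, 9, 0)
PRINTER = EndpointProfile("00:26:73:aa:bb:cc", "10.1.1.50",
                          frozenset({80, 161, 515, 631, 9100}),
                          "RICOH Aficio MP C3003 1.10", "embedded", T0)
PRINTER_AFTER_UPDATE = EndpointProfile("00:26:73:aa:bb:cc", "10.1.1.50",
                                       frozenset({161, 443, 515, 631, 9100}),
                                       "RICOH Aficio MP C3003 1.10", "embedded",
                                       T0 + timedelta(days=20))
DIFFERENT_DEVICE = EndpointProfile("00:26:73:aa:bb:cc", "10.1.1.50",
                                   frozenset({135, 139, 445, 3389}),
                                   "", "Windows", T0 + timedelta(days=20))


if __name__ == "__main__":
    now = T0 + timedelta(days=20)
    print("rescan due:", needs_rescan(PRINTER, now))
    for label, fresh in (("after update", PRINTER_AFTER_UPDATE),
                         ("different device", DIFFERENT_DEVICE)):
        print(label, profile_drift(PRINTER, fresh), reauth_decision(PRINTER, fresh))
```

Run with the constructed records it shows the two outcomes a policy server needs to tell apart: a firmware update that swaps one port is logged but keeps the session, while a re-scan that no longer answers SNMP and fingerprints as a workstation OS triggers re-authorisation back to the catch-all MAB rule.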
Re: [c-nsp] Basic inbound BGP path preferencing query
You could always use an as-path prepend. Announce your routes with the same prefix from both connections:

route 1 would show as AS123 AS5089 AS-XX
route 2 would show as AS123 AS123 AS174 AS-XX

This allows more traffic to come in via route 1, whilst still utilising route 2 (you can also add multiple prepends if required). For example AS174 will prefer customer routes, so traffic from AS174 to your AS123 should always come in that path. Any of AS174's peerings may prefer that route if they don't also peer with AS5089, for example. This obviously only works per entire subnet rather than individual IPs, but it still allows you to utilise both links un-equally (if that's a word? :).

SteveH

-----Original Message-----
From: Joshua Riesenweber
Reply-To: "joshua.riesenwe...@outlook.com"
Date: Tuesday, 27 January 2015 01:28
To: "cisco-nsp@puck.nether.net"
Subject: [c-nsp] Basic inbound BGP path preferencing query
Resent-From: Steve Housego

> Hi all,
> I'm looking for a bit of insight from someone with more BGP experience
> than me. (I've tried searching around the 'net trying to find an elegant
> solution.)
> I have the common enterprise configuration of 2x WAN links multi-homed
> with 2x ISPs. I have a single /24 public IP allocation being advertised
> out both links, and am using MEDs to preference one link.
> I'd like to load balance across both links; unfortunately, one link is
> lower-bandwidth and has a smaller data quota from the ISP. One simple
> solution is upgrading to a /23. Then I can preference a unique /24 subnet
> over each link, and assign the large bandwidth-consuming devices to that
> particular subnet on my better WAN link.
> My only hesitation is that configuration potentially uses more IP
> addresses than I need. Does anyone have any tips on preferencing certain
> IP addresses inbound through one link if I am only advertising a single
> /24?
> If there's a better way of doing this your ideas are welcome.
>
> Cheers,
> Josh

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
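As an added illustration of the prepending logic in the reply (example code, not from the thread and not router software): a minimal best-path comparison that applies only the two decision steps at issue, highest LOCAL_PREF first and then shortest AS_PATH. It uses the thread's AS123, AS5089 and AS174, stands in 65000 for AS-XX, uses the documentation prefix 203.0.113.0/24, and assumes the customary policy of LOCAL_PREF 200 on customer routes versus the default 100 on peer routes; all of those values are assumptions.

```python
"""Minimal BGP best-path selection for the AS-path prepending discussion.

Added example, not from the thread and not router software. Only the two
decision steps that matter for the reply are modelled: highest LOCAL_PREF
wins, then shortest AS_PATH; an exact tie goes to the path heard first, a
stand-in for the later tie-breakers real routers apply. AS numbers follow
the thread; AS-XX is stood in by 65000, the prefix is the documentation
range 203.0.113.0/24, and the LOCAL_PREF values are the customary
customer/peer policy. All of these are assumptions.
"""
from dataclasses import dataclass

CUSTOMER_AS = 123     # the multi-homed enterprise (Josh's AS123)
ISP_A = 5089          # link 1, announced without prepends
ISP_B = 174           # link 2, announced with prepends
REMOTE_AS = 65000     # stand-in for the reply's AS-XX
PREFIX = "203.0.113.0/24"


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple    # leftmost ASN is the neighbour the route was heard from
    local_pref: int = 100


def customer_announcement(prepends: int) -> tuple:
    """AS_PATH the customer sends toward an upstream: its own ASN once,
    plus `prepends` extra copies."""
    return (CUSTOMER_AS,) * (1 + prepends)


def propagate(path: tuple, via_as: int) -> tuple:
    """An AS re-advertising a route prepends its own ASN to the path."""
    return (via_as,) + path


def best_path(candidates: list) -> Route:
    """Highest LOCAL_PREF, then shortest AS_PATH; min() is stable, so an
    exact tie keeps the candidate listed first."""
    return min(candidates, key=lambda r: (-r.local_pref, len(r.as_path)))


def remote_view(prepends_on_link2: int) -> Route:
    """What AS-XX selects when it hears the prefix through both ISPs."""
    via_a = Route(PREFIX, propagate(customer_announcement(0), ISP_A))
    via_b = Route(PREFIX, propagate(customer_announcement(prepends_on_link2), ISP_B))
    return best_path([via_a, via_b])


def isp_b_view(prepends_on_link2: int, peers_with_isp_a: bool) -> Route:
    """What AS174 itself selects. Its direct customer route carries
    LOCAL_PREF 200 (assumed customer policy); a copy learned from peer
    AS5089, if they peer, carries the default 100, so the customer path
    wins regardless of the prepend."""
    candidates = [Route(PREFIX, customer_announcement(prepends_on_link2), local_pref=200)]
    if peers_with_isp_a:
        candidates.append(Route(PREFIX, propagate(customer_announcement(0), ISP_A)))
    return best_path(candidates)


if __name__ == "__main__":
    for n in (0, 1, 3):
        r = remote_view(n)
        print(f"AS{REMOTE_AS} with {n} prepend(s) on link 2 -> via AS{r.as_path[0]} {r.as_path}")
    r = isp_b_view(1, peers_with_isp_a=True)
    print(f"AS{ISP_B} keeps {r.as_path} (LOCAL_PREF {r.local_pref}) despite the prepend")
```

The two views show why prepending shifts traffic from third parties but not from the prepended ISP itself: AS-XX compares path lengths and picks the AS5089 side, while AS174's customer LOCAL_PREF is evaluated before AS_PATH length, so its own traffic still arrives over link 2 exactly as the reply says.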
[c-nsp] Cisco IOS Licensing - Downgrade
Trying to get a straight answer from Cisco and I'm not getting any definitive answers. Can anyone here comment on if you're legally able to downgrade IOS without a SMARTnet contract?

A bunch of routers arrived and I want to downgrade the code to match the ones we already have in production (same make/model - 887VA). Getting the IOS of one of the existing routers isn't a problem - it's the legal issue of using code that it wasn't shipped with? The EULA has 'upgrades' written all over it, but no mention of downgrade.
Re: [c-nsp] asa 5510, remote access vpn, resources across lan-to-lan
You will need to add the source/dest networks in the crypto maps, configure your split tunnelling (if you're not tunnelling all networks), configure your nat exempt (outside,outside), and as John has mentioned, same-security-traffic permit intra-interface. You may need to put in an ACL as well if you're not bypassing interface ACLs in your VPN config.

SteveH

-----Original Message-----
From: John Kougoulos
Date: Monday, 1 September 2014 16:24
To: ryanL
Cc: "cisco-nsp@puck.nether.net NSP"
Subject: Re: [c-nsp] asa 5510, remote access vpn, resources across lan-to-lan
Resent-From: Steve Housego

> Hi,
>
> it could be nat but this depends on your routing config. It could also be
> that this command is required:
> same-security-traffic permit intra-interface
>
> Regards,
> John
>
>
> On Mon, Sep 1, 2014 at 4:57 PM, ryanL wrote:
>
>> hi,
>>
>> i'm hopefully going to find someone who's done this before, or who has
>> better google-fu than me. asa is not my strong suit.
>>
>> i have users vpn'ing (ipsec) into one 5510, accessing various corp
>> resources there. the vpn pool isn't routed - i just nat it to one of the
>> various inside interfaces depending on which vlan they're trying to hit.
>> works fine.
>>
>> that particular 5510 has a l-2-l ipsec to a different 5510, which also has
>> its own inside resources. if i vpn into it directly, i can hit those inside
>> resources no problem.
>>
>> the question is - how do i get the vpn users hitting the first 5510 to
>> reach the resources behind the second 5510?
>>
>> i know i'm close, as i'm at least triggering the l-2-l tunnel to be setup
>> when vpn'd into the first 5510 and trying to reach the second 5510's
>> resources. i'm just missing some nat, or something...
>>
>> appreciated.
>>
>> ryan
Re: [c-nsp] Cisco ME3800X with EIGRP
Yeah, whilst PBR may be activated with an SDM template I don't think EIGRP v6 will be, as it's defined as an unsupported feature at the top of the document. I think this document "Configuring Unicast IPv6 routing" is a standard template and they have simply stated EIGRPv6 is unsupported despite there being sections about it in the document.

Thanks to all who responded :)

SteveH

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Reuben Farrelly
Sent: 10 March 2014 02:20
To: Chris Russell; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cisco ME3800X with EIGRP

On 10/03/2014 11:45 AM, Chris Russell wrote:
>>
>> A cisco switch/rtr without eigrp.. first time I've encountered it!
>
> Hi Steve,
>
> Debated this with Cisco a while back - apparently more aimed at PE
> edge, so less routing capabilities more MPLS.
>
> Last time I asked the scaled metro license was only for scale -
> below from an SE 6 months or so back so might have changed:
>
>
> ME3800-X P/PE
> · The Metro Aggregation Services license gives you the following
> features, MPLS, EoMPLS, MPLS VPN, MPLS TE, FastReroute, VPLS in
> addition to the features in the Metro IP Services license.
>
> · You may also wish to consider the Scaled Metro Aggregation
> Services license, the following table shows you the difference in scale:
>
> Supported feature ...
> ACL entries: 4 K (Metro), 16 K (Scales)

Apparently the scaled license is also required in order to support Policy Based Routing. It seems counter-intuitive given it's a "scale" not a "feature" license, but it's documented here:

http://www.cisco.com/c/en/us/td/docs/switches/metro/me3600x_3800x/software/release/15-4_1_S/configuration/guide/3800x3600xscg/swpbr.html

I ran into this 18 months ago. I think it's inconsistent and a pretty nasty gotcha for the uninitiated.

Reuben
Re: [c-nsp] Cisco ME3800X with EIGRP
Hi Sander,

Thanks for the reply, that was our first thought as well... we tried, but only the default SDM template was available to us.

I've just had a scan through the datasheet and noticed this: "Switch Database Management (SDM) templates (with the Scalability license only)". This is a £3000+ licence (L-ME3800X-S), which isn't great just to enable EIGRP! Can anyone here confirm if this would provide EIGRP for IPv6? I'll check with Cisco tomorrow.

The datasheet does not mention EIGRP under unicast IPv6 routing protocols, regardless of licence. There is one statement, "The Services Scalability license enables full scalability for Layer 2, IP routing, MPLS resources and the use of Switch Management Database (SDM) templates.", but I assume this simply means more resource being unlocked.

A cisco switch/rtr without eigrp.. first time I've encountered it!

SteveH

-----Original Message-----
From: Sander Steffann [mailto:san...@steffann.nl]
Sent: 09 March 2014 22:43
To: Steve Housego
Subject: Re: [c-nsp] Cisco ME3800X with EIGRP

Hi Steve,

> I suspect this is an error in the document as the commands simply aren't there

I'm not familiar with that switch, but missing commands on switches are often caused by using the wrong SDM template... You might want to check the options there.

Cheers,
Sander
[c-nsp] Cisco ME3800X with EIGRP
Hi NSP,

Is anyone familiar with the 3800X and why we are unable to configure EIGRP for IPv6 even though it's clearly stated in the configuration guide as available?

http://www.cisco.com/c/en/us/td/docs/switches/metro/me3600x_3800x/software/release/15-3_1_S/configuration/guide/3800x3600xscg/swipv6.html#wp1117377

We are a Cisco-only shop and prefer to use EIGRP to distribute our loopbacks and backbone links, and we've come across this issue while trying to dual stack. I suspect this is an error in the document as the commands simply aren't there; if so, anyone got any inside info on if Cisco plan to support EIGRP for IPv6 on their own switch anytime soon!?

Many thanks
SteveH
Re: [c-nsp] C6500 IPv6 redistribute with route-map?
Are there any good resources that detail best current practice for route reflector design? Google doesn't bring up much real-world experience, i.e. detailing caveats, redundancy options etc..

SteveH

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Justin M. Streiner
Sent: 10 December 2013 12:44
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] C6500 IPv6 redistribute with route-map?

On 10/Dec/2013 at 09:22:01 AM, Patrick M. Hausen wrote:
> I do have the knowledge and capacity to implement iBGP as my IGP
> *now*, except for the route reflectors suggested. Would you recommend
> that approach? I.e. going without the route reflectors and the
> communities first? It's only 4-5 machines in total, after all, all
> Cisco. And no customers with BGP currently.

Starting out with route reflectors is a good idea. It makes the network easier to scale as needed. Doing a full IBGP mesh gets messy very quickly. Even if you use peer-groups to simplify things, you're still dealing with a lot of IBGP sessions ((n * (n - 1)) / 2 sessions). With 5 routers, that would mean 10 sessions. With 10 routers, that would mean 45 sessions. Additionally, managing all of those sessions can chew up a lot of resources on your routers. Anything you can simplify will serve you well over time.

jms
Re: [c-nsp] EIGRP on mGRE/DMVPN
Thanks for the reply Chris, I've looked, but not made the investment yet; there's loads on there that I want to look at to be honest :)

110% agree dynamic BGP peer groups is the route we should take, but the problem is this new router is to support an existing EIGRP DMVPN network which has 2x 3825's at the primary hub site with around 250 EIGRP neighbors per mGRE per router (only 1 mGRE per router). This new router is to be placed in the DR site location; we don't want to buy 2x routers for the DR site (cost/rack space/power etc..) nor increase the complexity/deployment.

Really just looking for a firm answer on how many EIGRP neighbors are supported on a single mGRE, and what sorts of issues might present themselves when we push it to circa 500 (i.e. slow re-convergence - we can live with that for DR).

SteveH

From: Chris Marget
Sent: 01 November 2013 14:14
To: Steve Housego
Subject: Re: [c-nsp] EIGRP on mGRE/DMVPN

Have you checked out Ivan Pepelnjak's DMVPN webinars?

http://www.ipspace.net/DMVPN_trilogy

He gets into scaling questions there. We're running BGP for scaling reasons.

/chris

On Fri, Nov 1, 2013 at 8:15 AM, Steve Housego <steve.hous...@itps.co.uk> wrote:

Hi all,

Has anyone ever put more than 500 EIGRP neighbours over an mGRE (DMVPN) interface? If so on what hardware? Any issues encountered?

We're looking at either a 3845 or an ASR1002, with approximately 500 neighbors on a single mGRE interface but with potential to grow; we want to standardise our config so would prefer one tunnel endpoint.

Based on the DMVPN design guide (see extract below) it suggests well under 500 as a maximum, but is dated 2008... 5 years later and ASRs are reasonably priced..

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPN_2_Phase2.html#wp38036

"If the DMVPN subnet is configured with a /24 network prefix, the neighbor count is limited to 254, which is a safe operational limit. Beyond this number, a compromise is required to balance re-convergence with recovery. In very large EIGRP networks, it may be necessary to adjust the EIGRP hold time to allow the hub more time to recover without thrashing. However, the convergence time of the network is delayed. This method has been used in the lab to establish 400 neighbors."
[c-nsp] EIGRP on mGRE/DMVPN
Hi all,

Has anyone ever put more than 500 EIGRP neighbours over an mGRE (DMVPN) interface? If so on what hardware? Any issues encountered?

We're looking at either a 3845 or an ASR1002, with approximately 500 neighbors on a single mGRE interface but with potential to grow; we want to standardise our config so would prefer one tunnel endpoint.

Based on the DMVPN design guide (see extract below) it suggests well under 500 as a maximum, but is dated 2008... 5 years later and ASRs are reasonably priced..

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPN_2_Phase2.html#wp38036

"If the DMVPN subnet is configured with a /24 network prefix, the neighbor count is limited to 254, which is a safe operational limit. Beyond this number, a compromise is required to balance re-convergence with recovery. In very large EIGRP networks, it may be necessary to adjust the EIGRP hold time to allow the hub more time to recover without thrashing. However, the convergence time of the network is delayed. This method has been used in the lab to establish 400 neighbors."