Re: [c-nsp] Dumb question

2011-08-04 Thread Ziv Leyes
The RTR1-IN route-map is for filtering the incoming routes

So you're saying that the statement 
match community 100:1 which is the community itself won't work?
Do I need here as well to match the community on a list and then use the 
community list on the route-map in too?
Then why when you configure it lets you do it?
Nevermind, I've adjusted the settings to work with a community list and then 
match the list on the route-map on both directions, incoming route-map from 
RTR1 and outgoing route-map to ISP1 and guess what?
I can see them now going out!

RTR2# sh ip bgp neighbor z.z.z.z advertised
   Network          Next Hop            Metric LocPrf Weight Path
*>i1.1.1.0/24       y.y.y.y                  0    100      0 i
*>i2.2.2.0/24       y.y.y.y                  0    100      0 i

Yeehaw!

So the problem was basically with the route-map in from RTR1 which didn't 
actually match a community list, I tried matching the community itself (duh)

Thanks Gert for all the inline clarifications on every step
And thank you, all the rest, for all your help!
Ziv



-Original Message-
From: Gert Doering [mailto:g...@greenie.muc.de] 
Sent: Wednesday, August 03, 2011 7:02 PM
To: Ziv Leyes
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Dumb question

Hi,

On Wed, Aug 03, 2011 at 06:44:07PM +0300, Ziv Leyes wrote:
>  neighbor RTR1 route-map RTR1-IN in

What's that for?

>  neighbor ISP1 remote-as 1
>  neighbor z.z.z.z peer-group ISP1
>  neighbor ISP1 send-community
>  neighbor ISP1 route-map ISP1-OUT out
> (similar settings for ISP2, with opposite prepending settings)
>   
> ip bgp-community new-format
> ip community-list standard COMMUNITY-1 permit 100:1
> ip community-list standard COMMUNITY-2 permit 100:2
> !
> route-map RTR1-IN permit 10
>  match community 100:1
> !
> route-map RTR1-IN permit 20
>  match community 100:2

Whatever it is, it won't work, as you're trying to match on a community list 
named "100:1", not "the community 100:1".

It might actually do interesting things, as the prefixes will never be matched, 
and fall off the end of the route-map - if there's an implicit "deny" there [of 
which I'm never sure with route-maps] RTR2 will just reject prefixes from RTR1, 
and that might be why you don't see the
*outgoing* announcements towards ISP1 and ISP2.

> !
> route-map ISP1-OUT permit 10
>  match community COMMUNITY-1
> !
> route-map ISP1-OUT permit 20
>  match community COMMUNITY-2
>  set as-path prepend 100 100 100 100
> !

Now this looks very reasonable.

> Now, checking what I see, I get the following:
> 
> RTR1# sh ip bgp neighbor x.x.x.x advertised
>    Network          Next Hop            Metric LocPrf Weight Path
> *> 1.1.1.0/24       0.0.0.0                  0         32768 i
> *> 2.2.2.0/24       0.0.0.0                  0         32768 i
> 
> RTR2# sh ip bgp neighbor y.y.y.y received-routes
>    Network          Next Hop            Metric LocPrf Weight Path
> * i1.1.1.0/24       207.226.45.254           0    100      0 i
> * i2.2.2.0/24       207.226.45.254           0    100      0 i

Looking in "received-routes" won't tell you whether it actually accepted the 
route...

> RTR2# sh ip bgp 1.1.1.0
> BGP routing table entry for 1.1.1.0/24, version 7234660
> Paths: (1 available, no best path)
>   Not advertised to any peer
>   Local, (Received from a RR-client), (received-only)
> y.y.y.y (metric 100) from y.y.y.y (y.y.y.x)
>   Origin IGP, metric 0, localpref 100, valid, internal
>   Community: 100:1

... which it didn't!  It's "received-only", not "active in RTR2's BGP table".

> BUMMER
> 
> What I do find very strange is the following:
> route-map RTR1-IN, permit, sequence 10
>   Match clauses:
>     community (community-list filter): 100:1 
>   Set clauses:
>   Policy routing matches: 0 packets, 0 bytes
> route-map RTR1-IN, permit, sequence 20
>   Match clauses:
>     community (community-list filter): 100:2 
>   Set clauses:
>   Policy routing matches: 0 packets, 0 bytes
> 
> See? all the counters are zero!

Sure.  You have no community-list "100:1" and "100:2".

gert
--
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de

 
 

This footnote confirms that this email message has been scanned by PineApp 
Mail-SeCure for the presence of malicious code, vandals & computer viruses.
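
The failure diagnosed in this thread (a `match community` argument that names no configured community-list, so the entry never matches) can be caught before the policy is applied. The following is an added example, not code from any poster in the thread: a small Python check run over the RTR2 policy as it was posted. The function name, the result fields and the corrected policy variant are assumptions made for this illustration.

```python
import re

# RTR2 policy exactly as posted in the thread (the version that failed).
RTR2_AS_POSTED = """\
ip bgp-community new-format
ip community-list standard COMMUNITY-1 permit 100:1
ip community-list standard COMMUNITY-2 permit 100:2
!
route-map RTR1-IN permit 10
 match community 100:1
!
route-map RTR1-IN permit 20
 match community 100:2
!
route-map ISP1-OUT permit 10
 match community COMMUNITY-1
!
route-map ISP1-OUT permit 20
 match community COMMUNITY-2
 set as-path prepend 100 100 100 100
!
"""

# Constructed for this example: the same policy with RTR1-IN pointed at the
# community-lists, which is the change the thread reports as the fix.
RTR2_CORRECTED = (
    RTR2_AS_POSTED
    .replace(" match community 100:1", " match community COMMUNITY-1")
    .replace(" match community 100:2", " match community COMMUNITY-2")
)

# "ip community-list [standard|expanded] <name-or-number> permit|deny ..."
CLIST_RE = re.compile(
    r"^ip community-list\s+(?:(?:standard|expanded)\s+)?(\S+)\s+(?:permit|deny)\b")
RMAP_RE = re.compile(r"^route-map\s+(\S+)\s+(?:permit|deny)\s+(\d+)$")
MATCH_RE = re.compile(r"^\s+match community\s+(.+)$")
RAW_VALUE_RE = re.compile(r"^\d+:\d+$")  # looks like a community value, e.g. 100:1


def find_dangling_community_matches(config):
    """Return one finding per 'match community' argument that does not name
    a community-list defined anywhere in the same configuration text."""
    lines = [ln.rstrip() for ln in config.splitlines()]

    # Pass 1: collect every defined community-list (order in the file is free).
    defined = {m.group(1) for m in map(CLIST_RE.match, lines) if m}

    # Pass 2: walk the route-map entries and check each reference.
    findings = []
    current = None  # (route-map name, sequence) of the entry being read
    for ln in lines:
        m = RMAP_RE.match(ln)
        if m:
            current = (m.group(1), int(m.group(2)))
            continue
        if not ln.startswith(" "):
            current = None  # "!" or any other top-level line ends the entry
            continue
        m = MATCH_RE.match(ln)
        if not (m and current):
            continue
        for arg in m.group(1).split():
            if arg == "exact-match" or arg in defined:
                continue
            # The entry can never match, so routes fall through to the
            # route-map's implicit deny and are filtered.
            findings.append({
                "route_map": current[0],
                "seq": current[1],
                "reference": arg,
                "looks_like_raw_value": bool(RAW_VALUE_RE.match(arg)),
            })
    return findings


if __name__ == "__main__":
    for f in find_dangling_community_matches(RTR2_AS_POSTED):
        hint = " (a community value, not a list name)" if f["looks_like_raw_value"] else ""
        print(f'{f["route_map"]} seq {f["seq"]}: no community-list "{f["reference"]}"{hint}')
```

Run against the posted policy it reports both RTR1-IN entries and neither ISP1-OUT entry; the corrected variant produces no findings.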

Re: [c-nsp] Dumb question

2011-08-04 Thread Ziv Leyes
Pete, the 207.226.45.254 is the real IP for "y.y.y.y" peer, I've just forgotten 
to obscure it and it's seen via ISIS topology

You've got a point at the Local Policy Denied Prefixes, this is what I get:


                                 Outbound    Inbound
  Local Policy Denied Prefixes:    --------    -------
    route-map:                            0          2
    prefix-list                      568734          0
    Total:                           568734          2

So they are indeed denied, the question is why?



-Original Message-
From: Peter Rathlev [mailto:pe...@rathlev.dk] 
Sent: Wednesday, August 03, 2011 7:01 PM
To: Ziv Leyes
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Dumb question

Hi,

On Wed, 2011-08-03 at 18:44 +0300, Ziv Leyes wrote:
> RTR2# sh ip bgp 1.1.1.0
> BGP routing table entry for 1.1.1.0/24, version 7234660
> Paths: (1 available, no best path)
>   Not advertised to any peer
>   Local, (Received from a RR-client), (received-only)

That's a problem. For some reason the prefix was denied on RTR2 and is
thus not inserted in the RIB. Is the next-hop reachable? I.e. what does
"show ip route 207.226.45.254" say? Does "show ip bgp neighbor y.y.y.y"
say anything interesting in the "Local Policy Denied Prefixes:" section?

> What I do find very strange is the following:
> route-map RTR1-IN, permit, sequence 10
...
> See? all the counters are zero!

The counters are only for policy routing; they will never increment by
being used for filtering, so that's irrelevant to this.

-- 
Peter



The information contained in this e-mail message and its attachments is 
confidential information intended only for the use of the individual or entity 
named above. If the reader of this message is not the intended recipient, you 
are hereby notified that any dissemination, distribution or copying of this 
communication is strictly prohibited. If you have received this communication 
in error, please notify us immediately by replying to the sender, and then 
delete the message from your computer.  Thank you!

 This mail was sent via Mail-SeCure System.

 
 




___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Dumb question

2011-08-04 Thread Ziv Leyes
Didn't get you on that one, please explain


-Original Message-
From: Brault, Ryan [mailto:ryan.bra...@illinois.gov] 
Sent: Wednesday, August 03, 2011 7:07 PM
To: Ziv Leyes
Cc: 'cisco-nsp@puck.nether.net'
Subject: RE: [c-nsp] Dumb question

No synchronization on RTR2?  Not sure if that is part of the obvious and 
irrelevant...

Ryan Brault
Illinois Century Network
Illinois Department of Central Management Services
815-936-4647


 
 


Re: [c-nsp] Dumb question

2011-08-03 Thread Ziv Leyes
OK, this is what I have configured (omitting the obvious and irrelevant):

RTR1#
router bgp 100
 neighbor RTR2 remote-as 100
 neighbor x.x.x.x peer-group RTR2 
 neighbor RTR2 send-community
 neighbor RTR2 route-map RTR2-OUT out
!
route-map RTR2-OUT permit 10
 match ip address prefix-list COMMUNITY-1
 set community 100:1
!
route-map RTR2-OUT permit 20
 match ip address prefix-list COMMUNITY-2
 set community 100:2 
! 
ip prefix-list COMMUNITY-1 seq 5 permit 1.1.1.0/24
ip prefix-list COMMUNITY-2 seq 5 permit 2.2.2.0/24

RTR2#
router bgp 100
 neighbor RTR1 remote-as 100
 neighbor y.y.y.y peer-group RTR1
 neighbor RTR1 route-map RTR1-IN in 
 neighbor ISP1 remote-as 1
 neighbor z.z.z.z peer-group ISP1
 neighbor ISP1 send-community
 neighbor ISP1 route-map ISP1-OUT out
(similar settings for ISP2, with opposite prepending settings)
  
ip bgp-community new-format
ip community-list standard COMMUNITY-1 permit 100:1
ip community-list standard COMMUNITY-2 permit 100:2
!
route-map RTR1-IN permit 10
 match community 100:1
!
route-map RTR1-IN permit 20
 match community 100:2
!
route-map ISP1-OUT permit 10
 match community COMMUNITY-1
!
route-map ISP1-OUT permit 20
 match community COMMUNITY-2
 set as-path prepend 100 100 100 100
!
route-map ISP2-OUT permit 10
 match community COMMUNITY-2
!
route-map ISP2-OUT permit 20
 match community COMMUNITY-1
 set as-path prepend 100 100 100 100
!

Now, checking what I see, I get the following:

RTR1# sh ip bgp neighbor x.x.x.x advertised
   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.0/24       0.0.0.0                  0         32768 i
*> 2.2.2.0/24       0.0.0.0                  0         32768 i

RTR2# sh ip bgp neighbor y.y.y.y received-routes
   Network          Next Hop            Metric LocPrf Weight Path
* i1.1.1.0/24       207.226.45.254           0    100      0 i
* i2.2.2.0/24       207.226.45.254           0    100      0 i

RTR2# sh ip bgp 1.1.1.0
BGP routing table entry for 1.1.1.0/24, version 7234660
Paths: (1 available, no best path)
  Not advertised to any peer
  Local, (Received from a RR-client), (received-only)
y.y.y.y (metric 100) from y.y.y.y (y.y.y.x)
  Origin IGP, metric 0, localpref 100, valid, internal
  Community: 100:1

Same result for 2.2.2.0/24, as you can see, community is seen correctly, now, 
if seen, then it must be matched and set to go out to ISPs, theoretically, 
however:

RTR2# sh ip bgp neighbor z.z.z.z advertised

Total number of prefixes 0

BUMMER

What I do find very strange is the following:
route-map RTR1-IN, permit, sequence 10
  Match clauses:
community (community-list filter): 100:1 
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map RTR1-IN, permit, sequence 20
  Match clauses:
community (community-list filter): 100:2 
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map ISP1-OUT, permit, sequence 10
  Match clauses:
community (community-list filter): COMMUNITY-1 
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map ISP1-OUT, permit, sequence 20
  Match clauses:
community (community-list filter): COMMUNITY-2 
  Set clauses:
as-path prepend 100 100 100 100
  Policy routing matches: 0 packets, 0 bytes

See? all the counters are zero!

I tried resetting all the sessions in and out, soft, hard, harder, nothing!
I'm sure I'm missing something here!
Please help
Ziv





-Original Message-
From: Andriy Bilous [mailto:andriy.bil...@gmail.com] 
Sent: Wednesday, August 03, 2011 5:44 PM
To: Ziv Leyes
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Dumb question

Yup, match community accepts community-list as an argument, not the
'raw' value. So you first need to define them

ip community-list 1 permit xx:1
ip community-list 2 permit xx:2

The whole config should be like that
RTR1
router bgp 100
 nei RTR2 remote-as 100
 nei RTR2 send-community
 nei RTR2 route-map SET_COMM out

route-map SET_COMM permit 10
 match ip addr pref COMM_XX1
 set community xx:1
route-map SET_COMM permit 20
 match ip addr pref COMM_XX2
 set community xx:2
route-map SET_COMM permit 30

ip prefix-list COMM_XX1 permit 1.1.1.0/24 le 32
ip prefix-list COMM_XX2 permit 2.2.2.0/24 le 32


RTR2
router bgp 100
 nei RTR1 remote-as 100
 nei RTR1 send-community
 nei ISP1 remote-as ISP1
 nei ISP1 route-map ISP1_OUT out
 nei ISP2 remote-as ISP2
 nei ISP2 route-map ISP2_OUT out

route-map ISP1_OUT permit 10
 match community ISP1
 set as-path prepend 100 100 100
 set community none
route-map ISP1_OUT permit 20

route-map ISP2_OUT permit 10
 match community ISP2
 set as-path prepend 100 100 100
 set community none
route-map ISP2_OUT permit 20

ip community-list ISP1 permit xx:2
ip community-list ISP2 permit xx:1


And you need to reset the BGP sessions to both peers to propagate
changed information

clear ip bgp ISP[1-2] soft out


On Wed, Aug 3, 2011 at 3:19 PM, Ziv Leyes  wrote:
> Well, I tried to simplify the scenario to only concentrate on my 

Re: [c-nsp] Dumb question

2011-08-03 Thread Ziv Leyes


-Original Message-
From: Jon Lewis [mailto:jle...@lewis.org] 
Sent: Wednesday, August 03, 2011 4:30 PM
To: Ziv Leyes
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Dumb question


>i.e. on RTR1, you'd set multiple community strings on 1.1.1.1/24 and 
>2.2.2.2/24, first a string that indicates this is a route you want to 
>advertise to the internet in general, then a second string that indicates 
>you want some number of prepends when going out ISPx.  In the output 
>route-maps on RTR2, you'd check for these prepend community strings first, 
>and the general "announce to internet" string last.

>--
>  Jon Lewis, MCP :)   |  I route
>  Senior Network Engineer |  therefore you are
>  Atlantic Net|
>_ http://www.lewis.org/~jlewis/pgp for PGP public key_

Hi Jon,
Could you please elaborate? i.e examples on how each one of them is done?
Thanks,
Ziv




Re: [c-nsp] Dumb question

2011-08-03 Thread Ziv Leyes
Well, I tried to simplify the scenario to only concentrate on my problem, the 
scenario is a little bit more complicated, but not relevant for the question

The question is, given the fact I'm trying to manage the eBGP advertising 
decisions based on what is happening on RTR1.
Let's suppose I need to give operators access only to RTR1 but I want them to 
decide which prefixes will be advertised to which ISP, but they can't get 
access to RTR2 to do it there, so I want to setup RTR2 to do the advertising 
matching the decisions that were made on RTR1.

I just spoke with a friend and he told me that maybe I need to rewrite the 
communities, for example RTR1 advertises prefix 1.1.1.1/24 with community xx:1 
and 2.2.2.2/24 with xx:2
RTR2 has an incoming route-map towards RTR1 that allows filters routes 
according to matching communities.
Now I have two prefixes that are seen with their communities, what I simply 
tried to do was a route-map outgoing towards the ISPs that match the community 
(that came from the RTR1) and then advertise them over the ISPs with or without 
prepending, according to my previously chosen decision.
My friend thinks I need to match the community on the route-map in from RTR1 
and then set a new community, e.g

route-map RTR1-IN permit 10
 match community xx:1
 set community yy:1
route-map RTR1-IN permit 20
 match community xx:2
 set community yy:2
!
route-map ISP1 permit 10
 match community yy:1
route-map ISP1 permit 20
 match community yy:2
 set as-path prepend 

and vice versa for ISP2

What I tried was matching community xx:1 and xx:2 as they came from RTR1, 
perhaps here's the problem?

Ziv


-Original Message-
From: Harold 'Buz' Dale [mailto:buz.d...@usg.edu] 
Sent: Wednesday, August 03, 2011 4:00 PM
To: Ziv Leyes; cisco-nsp@puck.nether.net
Subject: RE: Dumb question

It seems to me that RTR 2 is the one advertising the routes to ISP1 and ISP2 
and the path from RTR2 to both of these nets is RTR1 via the same link. Would 
be much easier to do this from RTR2.

Buz



[c-nsp] Dumb question

2011-08-03 Thread Ziv Leyes
Hi all,
I have the following scenario (excuse my lousy ascii art...)



   ISP1
 /
   /
 /
RTR1 -iBGP- RTR2
\
  \
\
 ISP2

For the simplicity of the case, I have two prefixes, 1.1.1.1/24 and 2.2.2.2/24,
I want to advertise prefix 1.1.1.1/24 to ISP1 as best, and 2.2.2.2/24 to ISP1 
with prepends, and the opposite too, prefix 2.2.2.2/24 to ISP2 as best and 
prefix 1.1.1.1/24 to ISP1 with prepends.

What I'm trying to do is to set up all in a way that the only place I set up my 
decision is on RTR1 only, and that will be reflected via the iBGP to RTR2 about 
how I want the prefixes to be advertised to my eBGP neighbors ISP1 and ISP2
I tried setting communities, but all I got is RTR2 to see and match the 
communities, but based on this, I couldn't get the prefixes advertised to the 
ISPs at all.

What kind of manipulation I need to do in order for the RTR2 after matching the 
communities coming from RTR1, to advertise it to the ISPs according to the 
priorities I've mentioned before?

This sounds very basic and not so complicated to do, but I guess I'm missing 
something here!

Please help, and if possible, don't send me links to cisco web site case 
studies or to some 300 pages PDF about how BGP and communities work. A simple 
straight forward example of how this can be set will be enough.
Thanks!
Ziv



Re: [c-nsp] OT: Following Up on Netflow Information

2011-07-11 Thread Ziv Leyes
Well, I can see the similitude, we both try to put a grin on people's face...



-Original Message-
From: Van Der Meulen, Mark [mailto:mark.vandermeu...@travelex.com.au] 
Sent: Monday, July 11, 2011 7:31 AM
To: Ziv Leyes; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] OT: Following Up on Netflow Information

And here we have people, the George Costanza of Network Admins.


Re: [c-nsp] OT: Following Up on Netflow Information

2011-07-10 Thread Ziv Leyes
I've always got the best results using a crowbar
First time you approach the user with the crowbar in hand, and tell him, in a 
calm, polite way, that he should refrain from doing that again, whatever it was 
he was doing
Second time, after finding out he persisted with his unwanted activity, you pay 
him a visit, come calm, and without saying a single word, smash his computer 
screen with the crowbar, in front of him (very important), and go away the same 
calm way you came.
Third time (on most cases this won't be needed) you beat the heck out of him 
with the crowbar and go to jail with a huge smile on your face...

Ziv

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Kevin Cullimore
Sent: Saturday, July 09, 2011 2:04 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] OT: Following Up on Netflow Information

On 7/8/2011 11:58 AM, Jeff Cartier wrote:
> Hi All,
>
> This might be a little off-topic to Cisco, but what the heck.
>
> I'm just curious as to how 'you' would go about tracking down a user that 
> *may* possibly be downloading large amounts of data causing congestion on a 
> link.  For instance, I had a case this morning with an internal IP address of 
> 10.x.x.x that showed a 900MB conversation over TCP 80 (HTTP) to an ip address 
> of 174.120.5.220.
>
> Great - so its not that hard to track down the internal user.  Yell at him to 
> stop, talking to him about what he's doing to the network.  No biggie.
>
> I'm more curious about options/tools available to find out what he was doing. 
>  I know that he was downloading something, I know that it was over HTTP and I 
> know the outside IP address he was accessing.  So I start off by looking at 
> 174.120.5.220.  I can check the A record which tells me nothing
> Name:dc.5.78ae.static.theplanet.com
I've encountered organizations that use commercial grade applications to 
proactively track this data, such as 
lancope(Stealthwatch)/riverbed(ManageEngine)/sourcefire(RNA). They enjoy 
some success when dealing with situations similar to those you describe, 
since these tools track netflow data over time, allowing profiles to be 
constructed (which may well contain the information you seek). Some of 
them integrate with user directories, which would certainly improve your 
chances. For customers without budget money, I've also deployed ntop 
rather effectively.
>
> I can't browse to that IP address.  I can see who owns that IP address (XO 
> Communications) though, but in this case its all useless.
>
> The question, more or less, is do I have any options to keep moving forward 
> in finding out what this user was actually doing?
It depends how long your organization stores log entries. Without a 
proactive monitoring tool in place, you'll almost certainly need to 
interface with individuals managing other parts of the infrastructure 
such as dhcp servers and/or snmp collectors and/or firewalls. The list 
of options often depends upon the higher-level details. As other posters 
have noted, it's difficult to outdo packet capture data when you're 
seeking actual insight.
> Thanks in advance!

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

 
 

This footnote confirms that this email message has been scanned by
PineApp Mail-SeCure for the presence of malicious code, vandals & computer 
viruses.





The information contained in this e-mail message and its attachments is 
confidential information intended only for the use of the individual or entity 
named above. If the reader of this message is not the intended recipient, you 
are hereby notified that any dissemination, distribution or copying of this 
communication is strictly prohibited. If you have received this communication 
in error, please notify us immediately by replying to the sender, and then 
delete the message from yo
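
Added example (not part of the original thread, and not code from any product named in it): the reply above points to flow data kept over time and to DHCP records as the way to tie a conversation to a user. The Python below sums flow records per conversation and resolves the source address against the lease that was active during the transfer, not the current one. The flow rows, lease history, internal addresses, hostnames and CSV layouts are constructed assumptions; only 174.120.5.220 comes from the post.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not from the thread). A long transfer is exported as
# several flow records (one per active-timeout interval), so one download spans rows.
FLOWS_CSV = """\
start,end,src,dst,proto,dport,bytes
2011-07-08T09:00:05,2011-07-08T09:05:05,10.1.2.30,174.120.5.220,6,80,314572800
2011-07-08T09:05:05,2011-07-08T09:10:05,10.1.2.30,174.120.5.220,6,80,314572800
2011-07-08T09:10:05,2011-07-08T09:14:40,10.1.2.30,174.120.5.220,6,80,314572800
2011-07-08T09:02:00,2011-07-08T09:02:30,10.1.2.31,198.51.100.7,6,443,5242880
2011-07-08T11:00:00,2011-07-08T11:04:00,10.1.2.30,198.51.100.9,6,80,209715200
"""

# Constructed DHCP lease history: 10.1.2.30 changes hands at 10:30, so the
# machine holding the address "now" is not the one that made the 09:00 transfer.
LEASES_CSV = """\
ip,mac,hostname,lease_start,lease_end
10.1.2.30,00:00:5e:00:53:0a,ws-alpha,2011-07-08T08:00:00,2011-07-08T10:00:00
10.1.2.30,00:00:5e:00:53:0b,ws-beta,2011-07-08T10:30:00,2011-07-08T18:30:00
10.1.2.31,00:00:5e:00:53:0c,ws-gamma,2011-07-08T07:00:00,2011-07-08T19:00:00
"""


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def _ts(value):
    return datetime.fromisoformat(value)


def heavy_conversations(flows_csv, threshold_bytes):
    """Sum flow records per (src, dst, proto, dport); return totals over the threshold."""
    totals = defaultdict(lambda: {"bytes": 0, "records": 0, "first": None, "last": None})
    for r in _rows(flows_csv):
        key = (r["src"], r["dst"], int(r["proto"]), int(r["dport"]))
        t = totals[key]
        t["bytes"] += int(r["bytes"])
        t["records"] += 1
        start, end = _ts(r["start"]), _ts(r["end"])
        t["first"] = start if t["first"] is None else min(t["first"], start)
        t["last"] = end if t["last"] is None else max(t["last"], end)
    names = ("src", "dst", "proto", "dport")
    heavy = [dict(zip(names, key), **vals)
             for key, vals in totals.items() if vals["bytes"] >= threshold_bytes]
    return sorted(heavy, key=lambda c: c["bytes"], reverse=True)


def lease_holder(leases_csv, ip, when):
    """Return the lease row that covered `ip` at datetime `when`, or None."""
    for r in _rows(leases_csv):
        if r["ip"] == ip and _ts(r["lease_start"]) <= when <= _ts(r["lease_end"]):
            return r
    return None


def attribute(flows_csv, leases_csv, threshold_bytes):
    """Attach an owner to each heavy conversation using the lease active at the time."""
    findings = []
    for conv in heavy_conversations(flows_csv, threshold_bytes):
        first = lease_holder(leases_csv, conv["src"], conv["first"])
        last = lease_holder(leases_csv, conv["src"], conv["last"])
        if first is None or last is None:
            owner = "unknown (no lease covers the transfer)"
        elif first["mac"] != last["mac"]:
            owner = "ambiguous (address changed hands mid-transfer)"
        else:
            owner = f'{first["hostname"]} ({first["mac"]})'
        findings.append({**conv, "owner": owner})
    return findings


if __name__ == "__main__":
    for f in attribute(FLOWS_CSV, LEASES_CSV, 500 * 1024 * 1024):
        print(f'{f["src"]} -> {f["dst"]}:{f["dport"]} {f["bytes"]} bytes in '
              f'{f["records"]} records, {f["first"]} to {f["last"]}, owner {f["owner"]}')
```

Retention matters here as much as the logic: the lookup only works if lease history is kept at least as long as the flow data it is joined against.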

Re: [c-nsp] [j-nsp] Firewalls "as-a-service" in an MPLS infrastructure...

2011-07-08 Thread Ziv Leyes
Radware's DefensePro comes to mind when talking about hardware performance 
during DDOS, you could put the device in the middle of the network, and use 
some redirector such as CID or Alteon to separate customers that pay for the 
service and customers that don't and pass only the traffic of the ones you want 
through the device.
We did a pilot with this setup and it worked great, I didn't see any DDoS that 
could possibly tickle the device's resources...

Ziv

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Stefan Fouant
Sent: Friday, July 08, 2011 1:51 PM
To: Keegan Holley
Cc: juniper-...@puck.nether.net; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] [j-nsp] Firewalls "as-a-service" in an MPLS 
infrastructure...

On 7/8/2011 12:28 AM, Keegan Holley wrote:
> Could be interesting.  I've rarely seen firewall as a service done right
> though.  It's hard to keep, cpu, memory usage, DDOS attacks,
> misconfiguration, etc. of one customers from affecting the other customers
> that share hardware.  That being said there are better platforms to run the
> firewall instances on that are available now, checkpoint VSX comes to mind.

Years ago when I had to develop a Network Based Firewall solution for a 
particular ISP in order to comply with the Federal Government's NetworX 
bid, we chose Juniper's NS-5400 for precisely this reason.  In ScreenOS 
you have the concept of resource profiles with which you can limit the 
amount of CPU, Sessions, Policies, MIPs and DIPs (used for NAT), and 
other user defined objects such as address book entries, etc. that each 
VSYS can avail.

These are essential elements of any multi-tenant firewall solution and 
evaluated platforms should likewise have similar offerings to contain 
resource usage for individual customers.

Stefan Fouant
JNCIE-ER #70, JNCIE-M #513, JNCI
Technical Trainer, Juniper Networks
http://www.shortestpathfirst.net
http://www.twitter.com/sfouant


Re: [c-nsp] Service Provider Anti-Spam

2011-07-06 Thread Ziv Leyes
The following vendors, among others, supply this kind of solution:
Fortinet, Barracuda, Commtouch
There are many others, of course, I just mentioned the ones I've worked with to 
our satisfaction.
You can also think about open source solutions, such as SpamAssassin, ASSP.
Hope this helps,
Ziv 

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Felix Nkansah
Sent: Thursday, July 07, 2011 3:42 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Service Provider Anti-Spam

Hello,

I am interested in deploying an anti-spam solution in an ISP network that
would scan all incoming/outgoing email traffic and block spam to/from
downstream users.

The system should be integrated to work in the ISP network without requiring
any subscriber (business or individual) to make changes on his
network/servers.

I would appreciate your suggestions on a good product/solution and/or
approach.

Thanks. Felix


Re: [c-nsp] bhupendra singh has invited you to open a Google mail account

2011-07-06 Thread Ziv Leyes
This looks like a message that was sent years ago, when gmail was possible only 
via invitations.
Perhaps the message was lost and travelling in the stratosphere and arrived 
just now...
Ziv


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of bhupendra singh
Sent: Monday, July 04, 2011 7:16 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] bhupendra singh has invited you to open a Google mail account

I've been using Gmail and thought you might like to try it out. Here's an
invitation to create an account.


  You're Invited to Gmail!

bhupendra singh has invited you to open a Gmail account.

Gmail is Google's free email service, built on the idea that email can be
intuitive, efficient, and fun. Gmail has:

 *Less spam*
Keep unwanted messages out of your inbox with Google's innovative
technology.

*Lots of space*
Enough storage so that you'll never have to delete another message.

*Built-in chat*
Text or video chat with bhupendra singh and other friends in real time.

*Mobile access*
Get your email anywhere with Gmail on your mobile phone.

You can even import your contacts and email from Yahoo!, Hotmail, AOL, or
any other web mail or POP accounts.

Once you create your account, bhupendra singh will be notified of your new
Gmail address so you can stay in touch. Learn more or get started!

Google Inc. | 1600 Amphitheatre Parkway | Mountain View, California 94043


Re: [c-nsp] Replacing a 7206VXR w/ NPE-G1 with Sup720-3BXL w/ WS-X6408A-GBIC

2011-06-30 Thread Ziv Leyes
You're welcome to stick around, this is a very nice and informal community that 
has always helped me when needed.
I try to help too, when I feel I can.
Welcome to the gang...
Ziv


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of 
matthew.coleman-hamil...@servicebirmingham.co.uk
Sent: Thursday, June 30, 2011 12:42 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Replacing a 7206VXR w/ NPE-G1 with Sup720-3BXL w/ 
WS-X6408A-GBIC

This is just a quick note to thank everyone who responded to my post. It's 
the first time I've used this mailing list and I wasn't sure of what kind 
of response to expect (I've had mixed experiences of using the official 
Cisco Support forums) but the volume of detailed replies, advice and 
personal experiences has been incredibly helpful and much appreciated :o)



From: Gert Doering
To: matthew.coleman-hamil...@servicebirmingham.co.uk
Cc: cisco-nsp@puck.nether.net
Date: 29/06/2011 18:21
Subject: Re: [c-nsp] Replacing a 7206VXR w/ NPE-G1 with Sup720-3BXL w/ WS-X6408A-GBIC



Hi,

On Wed, Jun 29, 2011 at 04:49:12PM +0100, 
matthew.coleman-hamil...@servicebirmingham.co.uk wrote:
> Thanks. I had (perhaps foolishly) assumed that moving from an NPE-G1 to a 
> Sup720-3BXL-based platform would represent an upgrade from the 7206VXR (as 
> well as having the advantage of bringing our Internet BGP tier in-line 
> with the rest of our core network from a hardware perspective).
> 
> When comparing the NPE-G1 to a Sup720-3BXL for the purposes of being an 
> internet-facing BGP router am I actually proposing a backwards step?

The CPU on the Sup720 is slower, so "load a full BGP table from 5 peers"
will take longer.

OTOH, "100% CPU due to BGP" on the Sup720 doesn't impact packet forwarding
capacity, as that's done by other bits of the hardware - so depending on
traffic mix and BGP churn (and number of peers) the Sup720 will vastly
outperform the NPE-G1 :-)

As a reference: we're currently using Sup720s as peering and upstream
routers, and we've been quite happy most of the time.

Major causes for unhappiness: software bugs (can happen on all platforms),
hardware limitations (some things the hardware just cannot do), political
issues inside Cisco (6500/7600 in-fighting).

gert
-- 
USENET is *not* the non-clickable part of WWW!
 //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
[attachment "att0lq8q.dat" deleted by Matthew Coleman-Hamilton/SBHAM] 



Re: [c-nsp] FW: OT: Console cables on new platforms

2011-06-29 Thread Ziv Leyes
A member of the list told me that he got all the mails I sent, so I went to 
check, after his advice, my mail quarantine, and there they were, all messages 
I sent got blocked by MY system, DUH!
So I apologize for spamming the list with so many repetitive messages...
Ziv
 

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Ziv Leyes
Sent: Wednesday, June 29, 2011 12:05 PM
To: cisco-nsp
Subject: [c-nsp] FW: OT: Console cables on new platforms

I think my previous mail was filtered and perhaps blocked?
I didn't see it coming back to my inbox...

Let's try again, please read below
Ziv


-Original Message-----
From: Ziv Leyes 
Sent: Wednesday, June 29, 2011 9:55 AM
To: cisco-nsp
Subject: RE: [c-nsp] OT: Console cables on new platforms

You can get a Cisco original cable for 18 bucks here: http://goo.gl/nM7nQ

Or, if you don't really think you need the original, you can buy a regular USB 
Type-A to Mini-USB Type-B for one buck here: http://goo.gl/fV5br

You'll still need to install the driver on your PC to make the USB port act as 
a serial port, more info about this and links to download the driver here: 
http://www.networkworld.com/community/blog/cisco-usb-console-ports

Hope this helps
Ziv




-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jim McBurnett
Sent: Tuesday, June 28, 2011 7:58 PM
To: Nikolay Shopik; cisco-nsp
Subject: Re: [c-nsp] OT: Console cables on new platforms

They are now a $30 list price option.

Jim

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Nikolay Shopik
Sent: Tuesday, June 28, 2011 4:56 AM
To: cisco-nsp
Subject: [c-nsp] OT: Console cables on new platforms

Hey everyone,

We just received our 3560X and no console cables included at all, is this new 
policy for new platforms?

I mean no RS-232->RJ45 or new mini-usb console cable at all.



Re: [c-nsp] OT: Console cables on new platforms

2011-06-29 Thread Ziv Leyes
What OS are you using?
If you have a Linux box somewhere, just run "tail -f /var/log/messages" and 
then plug the cable, it will tell you what it sees.
I think in Windows you can also see some information about the chip if you go 
to the device manager and check the properties of the detected device, there's 
a lot of cryptographic information about the USB devices, but in one of the 
tabs you can see something like PL230 or the like, if it's a Prolific.
Ziv


-Original Message-
From: Nikolay Shopik [mailto:sho...@inblock.ru] 
Sent: Wednesday, June 29, 2011 10:09 AM
To: Ziv Leyes; cisco-nsp
Subject: Re: [c-nsp] OT: Console cables on new platforms

I wonder what kind of chip Cisco is using, the usual Prolific pl2303? Just don't 
wanna mess with drivers on an OS different from Windows.

On 29/06/11 10:54, Ziv Leyes wrote:
> You can get a Cisco original cable for 18 bucks here: http://goo.gl/nM7nQ
>
> Or, if you don't really think you need the original, you can buy a regular 
> USB Type-A to Mini-USB Type-B for one buck here: http://goo.gl/fV5br
>
> You'll still need to install the driver on your PC to make the USB port act 
> as a serial port, more info about this and links to download the driver here: 
> http://www.networkworld.com/community/blog/cisco-usb-console-ports
>
> Hope this helps
> Ziv
>
>
>
>
> -Original Message-
> From: cisco-nsp-boun...@puck.nether.net 
> [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jim McBurnett
> Sent: Tuesday, June 28, 2011 7:58 PM
> To: Nikolay Shopik; cisco-nsp
> Subject: Re: [c-nsp] OT: Console cables on new platforms
>
> They are now a $30 list price option.
>
> Jim
>
> -Original Message-
> From: cisco-nsp-boun...@puck.nether.net 
> [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Nikolay Shopik
> Sent: Tuesday, June 28, 2011 4:56 AM
> To: cisco-nsp
> Subject: [c-nsp] OT: Console cables on new platforms
>
> Hey everyone,
>
> We just received our 3560X and no console cables included at all, is this new 
> policy for new platforms?
>
> I mean no RS-232->RJ45 or new mini-usb console cable at all.
>

Re: [c-nsp] OT: Console cables on new platforms

2011-06-29 Thread Ziv Leyes
I think my previous mail contained too many hyperlinks and it was filtered and 
perhaps blocked?
Let's try again, please read below

You can get a Cisco original cable for 18 bucks at www.fullsourcesecurity.com, 
go to Home>Cable> and find "Cisco CAB-CONSOLE-USB Console Cable 6 ft with USB 
Type A and mini-B"

Or, if you don't really think you need the original, you can buy a regular USB 
Type-A to Mini-USB Type-B for around $1! Just google the cable type in shopping 
and you'll find tons of websites to buy from

You'll still need to install the driver on your PC to make the USB port act as 
a serial port, more info about this and links to download the driver here:
http://www.networkworld.com/community/blog/cisco-usb-console-ports

Hope this helps
Ziv



-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jim McBurnett
Sent: Tuesday, June 28, 2011 7:58 PM
To: Nikolay Shopik; cisco-nsp
Subject: Re: [c-nsp] OT: Console cables on new platforms

They are now a $30 list price option.

Jim

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Nikolay Shopik
Sent: Tuesday, June 28, 2011 4:56 AM
To: cisco-nsp
Subject: [c-nsp] OT: Console cables on new platforms

Hey everyone,

We just received our 3560X and no console cables included at all, is this new 
policy for new platforms?

I mean no RS-232->RJ45 or new mini-usb console cable at all.



Re: [c-nsp] web redirection

2011-06-29 Thread Ziv Leyes
It's easy to do it on the webpage itself, if that's what you're asking for
You can use html code on the page to redirect to another webpage, search google 
for "meta http equiv refresh"

If you're talking about doing it with a Cisco device, then look at this PDF
http://cisco.biz/en/US/docs/ios/isg/configuration/guide/isg_l4_redirect.pdf

Hope this helps,
Ziv


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mohammad Khalil
Sent: Wednesday, June 29, 2011 11:56 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] web redirection


Is there a way to redirect a web page when requested to another web page?
  


[c-nsp] FW: OT: Console cables on new platforms

2011-06-29 Thread Ziv Leyes
I think my previous mail was filtered and perhaps blocked?
I didn't see it coming back to my inbox...

Let's try again, please read below
Ziv


-Original Message-----
From: Ziv Leyes 
Sent: Wednesday, June 29, 2011 9:55 AM
To: cisco-nsp
Subject: RE: [c-nsp] OT: Console cables on new platforms

You can get a Cisco original cable for 18 bucks here: http://goo.gl/nM7nQ

Or, if you don't really think you need the original, you can buy a regular USB 
Type-A to Mini-USB Type-B for one buck here: http://goo.gl/fV5br

You'll still need to install the driver on your PC to make the USB port act as 
a serial port, more info about this and links to download the driver here: 
http://www.networkworld.com/community/blog/cisco-usb-console-ports

Hope this helps
Ziv




-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jim McBurnett
Sent: Tuesday, June 28, 2011 7:58 PM
To: Nikolay Shopik; cisco-nsp
Subject: Re: [c-nsp] OT: Console cables on new platforms

They are now a $30 list price option.

Jim

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Nikolay Shopik
Sent: Tuesday, June 28, 2011 4:56 AM
To: cisco-nsp
Subject: [c-nsp] OT: Console cables on new platforms

Hey everyone,

We just received our 3560X and no console cables included at all, is this new 
policy for new platforms?

I mean no RS-232->RJ45 or new mini-usb console cable at all.



Re: [c-nsp] OT: Console cables on new platforms

2011-06-28 Thread Ziv Leyes
You can get a Cisco original cable for 18 bucks here: http://goo.gl/nM7nQ

Or, if you don't really think you need the original, you can buy a regular USB 
Type-A to Mini-USB Type-B for one buck here: http://goo.gl/fV5br

You'll still need to install the driver on your PC to make the USB port act as 
a serial port, more info about this and links to download the driver here: 
http://www.networkworld.com/community/blog/cisco-usb-console-ports

Hope this helps
Ziv




-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jim McBurnett
Sent: Tuesday, June 28, 2011 7:58 PM
To: Nikolay Shopik; cisco-nsp
Subject: Re: [c-nsp] OT: Console cables on new platforms

They are now a $30 list price option.

Jim

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Nikolay Shopik
Sent: Tuesday, June 28, 2011 4:56 AM
To: cisco-nsp
Subject: [c-nsp] OT: Console cables on new platforms

Hey everyone,

We just received our 3560X and no console cables included at all, is this new 
policy for new platforms?

I mean no RS-232->RJ45 or new mini-usb console cable at all.



Re: [c-nsp] improving last-mile VDSL2 circuit between two Cisco routers

2011-06-20 Thread Ziv Leyes
Perhaps something like this could help you:
http://focus.ti.com/docs/prod/folders/print/ths6226.html



-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Martin T
Sent: Monday, June 20, 2011 11:48 AM
To: Walter Keen
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] improving last-mile VDSL2 circuit between two Cisco routers

Walter,
thanks for reply! As I made the connectors as good as I could, I think
I have no other options left other than increase the diameter of the
wire. At least it's worth a try. In addition, aren't there some sort
of amplifiers in use for DSL?

regards,
martin


2011/6/17 Walter Keen :
> Because you are essentially increasing the gauge of wire, and therefore
> decreasing the resistance, you *should* have less loss.  Telcos have used
> this in the past to extend DSL beyond the distance limitations before,
> (although not common, each pair in the ground is not a cheap commodity)
>
> If they're in the same cable, or cable group, it's worth a try.  If they
> take different physical paths it may still work, but the capacitance of the
> overall link will have some odd effects.
>
> In theory, it should work, and raise your SNR, (and therefore some more
> potential speed, if it becomes good enough)
>
>
> -Original Message-
> From: cisco-nsp-boun...@puck.nether.net on behalf of Martin T
> Sent: Thu 6/16/2011 3:43 PM
> To: cisco-nsp@puck.nether.net
>
>
> Subject: [c-nsp] improving last-mile VDSL2 circuit between two Cisco routers
>
> I have connected two Cisco 1841 routers over poor quality POTS cabling
> using the "Ethernet over VDSL2"(profile 17a) converters. SNR is rather
> low and distance is long. Currently I have two POTS wires in use, but
> I could use another pair as well if this would help. I was wondering
> maybe it would help somehow if I use two pairs instead of one pair
> like illustrated here:
> http://img98.imageshack.us/img98/4020/vdsl2w.png
>
> I would for example solder the additional wires to main ones just
> before the RJ14 connector. I know the VDSL2 converters link this way,
> but would it give some additional improvement? If yes, then why?
>
> regards,
> martin

Re: [c-nsp] IP SLA on redundant backhauls

2011-06-13 Thread Ziv Leyes
I've performed a google search for ip sla + eem, and I've found something that 
may help you

http://fatalerror.info/index.php?o=889&l=3

This article explains how to create an ip sla and an eem script that reacts to 
the ip sla and changes the default route to another provider.
That's not exactly what you need, but with a bit of tweaking you can change it 
to suit your needs.

HTH,
Ziv


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jeferson Guardia
Sent: Sunday, June 12, 2011 10:56 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] IP SLA on redundant backhauls

Hi,

I have the following scenario

ISP --- link A  --  CE
   link B   -

I have a lot of voice traffic on this backhaul.. The problem is that when a
circuit has problems in terms of (errors incrementing) but circuit doesn't go
down at all, ospf is stable but voice is not reliable to be routed thru that
circuit.

I want to deploy an IP SLA application to evaluate jitter/loss every 10
seconds and In case there are CRC errors etc. I want to stop routing traffic
out of that circuit for a while.. What would you recommend in terms of IP
SLA and that redundant backhaul setup I have with OSPF ?

Regards,

J


Re: [c-nsp] Dynamic dns on a cisco ios router

2011-06-13 Thread Ziv Leyes
As promised, I report back, sorry for the delay...
I can confirm that this method worked fine for me!

The only captcha that I had (I've forgotten about it and took me a while to 
figure out) is that the address has a question mark that can't be entered if 
you don't do it correctly, and that's why it didn't work for me before.
Before inserting the question mark you need to press  and only then the 
question mark

So, below here are the settings that worked for me, based on what James posted, 
with a little addition I've found on some forum

ip ddns update method DynDNS
 HTTP
  add http://:xxx...@members.dyndns.org/nic/update?system=dyndns&hostname=&myip=
 interval maximum 1 0 0 0
!
interface Dialer0
 ip ddns update hostname .ath.cx
 ip ddns update DynDNS host members.dyndns.org

Thanks!
Ziv

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Ziv Leyes
Sent: Tuesday, May 31, 2011 12:25 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Dynamic dns on a cisco ios router

I'll definitely try this at home and report back!
Thanks,
Ziv

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of James Paussa
Sent: Tuesday 31 May 2011 12:05
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Dynamic dns on a cisco ios router

Hi,
Had this come up in a job I was just doing on the weekend on a 857w running 
12.4(6)T6 ADVSECURITYK9-M. Here is the config I have working with it:
ip ddns update method domain_ddns
  HTTP
   add http://:x...@members.dyndns.org/nic/update?system=dyndns&hostname=&myip=
  interval maximum 1 0 0 0
!
interface Dialer1
  ip ddns update hostname domain.ath.cx
  ip ddns update domain_ddns
!

Couple of things to note, I had to clear the dialer to get it to update and 
updates were a bit flakey till I added 'interval maximum 1 0 0 0'.


On 31/05/2011 4:59 AM, ccie wrote:
> Debug ip ddns update
>
> !Nothing
Unfortunately I can't help you with debug on this, worked first time for me.
> ip ddns update method mytest
>
> HTTP
>
>add http://x:x...@members.dyndns.org/nic/update?system=dyndns
> <http://x:x...@members.dyndns.org/nic/update?system=dyndns&hostname=%3ch
> %3e&myip=%3ca>  &hostname=&myip=
>
> interval maximum 1 0 0 0
>
>
I am not sure if your client or mine has added some extra characters to 
that add http line but it doesn't look right.

Regards,
James.

Re: [c-nsp] Problem VLAN Flapping between trunk port

2011-06-01 Thread Ziv Leyes
According to this: http://www.coffer.com/mac_find/?string=0018d1
It says it's a Siemens Home & Office Communication Device.
Does it shed any light?

Ziv


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Md. Jahangir Hossain
Sent: Wednesday, June 01, 2011 11:18 AM
To: 'Peter Rathlev'; j...@ilk.net
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Problem VLAN Flapping between trunk port

Thanks Peter and Jurgen for sharing valued information.

I am also trying to find out this host.







--- On Wed, 6/1/11, Jurgen Marenda  wrote:

From: Jurgen Marenda 
Subject: RE: [c-nsp] Problem VLAN Flapping between trunk port
To: "'Peter Rathlev'" , "'Md. Jahangir Hossain'" 

Cc: cisco-nsp@puck.nether.net
Date: Wednesday, June 1, 2011, 12:10 AM


Also make sure your virtual machines 
do not have the same MAC addresses.

Juergen.

> On Tue, 2011-05-31 at 22:11 -0700, Md. Jahangir Hossain wrote:
> ...
> > *Mar  1 12:43:54: %SW_MATM-4-MACFLAP_NOTIF: Host 0018.d17b.96d7 in
> > vlan 104 is flapping between port Gi1/0/28 and port Gi1/0/27
> 
> What's behind these ports?
> 
> The switch is complaining that the MAC address keeps moving. 
> It could be
> a loop, but most often (in my experience) it's "misconfigured" hosts,
> e.g. a host with dual NICs that's using some kind of load-sharing
> between ports. I also seem to remember seeing it when IP phones roam
> between wireless access points.
> 
> From the port configuration it must be something you trust 
> not to bridge
> itself. A VMware server maybe?
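
Added example, not part of any post in this thread: a small parser that triages `%SW_MATM-4-MACFLAP_NOTIF` messages like the one quoted above by grouping them per host and VLAN and deriving the OUI prefix used for the vendor lookup. Only the first sample line comes from the thread; the other log lines, the function names and the repeat threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Body of the Catalyst message quoted in the thread. \s+ between tokens lets
# the pattern survive whitespace differences between syslog sources.
MACFLAP_RE = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF:\s+Host\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+"
    r"in\s+vlan\s+(?P<vlan>\d+)\s+is\s+flapping\s+between\s+"
    r"port\s+(?P<port_a>\S+)\s+and\s+port\s+(?P<port_b>\S+)"
)

# First line is the one from the thread; the rest are constructed samples.
SAMPLE_LOG = """\
*Mar  1 12:43:54: %SW_MATM-4-MACFLAP_NOTIF: Host 0018.d17b.96d7 in vlan 104 is flapping between port Gi1/0/28 and port Gi1/0/27
*Mar  1 12:44:10: %SW_MATM-4-MACFLAP_NOTIF: Host 0018.d17b.96d7 in vlan 104 is flapping between port Gi1/0/27 and port Gi1/0/28
*Mar  1 12:44:31: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/5, changed state to up
*Mar  1 12:45:02: %SW_MATM-4-MACFLAP_NOTIF: Host 0018.d17b.96d7 in vlan 104 is flapping between port Gi1/0/28 and port Gi1/0/27
*Mar  1 12:46:17: %SW_MATM-4-MACFLAP_NOTIF: Host 0200.5e00.5301 in vlan 20 is flapping between port Gi1/0/3 and port Po1
"""


def normalize_mac(cisco_mac):
    """Convert Cisco dotted notation (0018.d17b.96d7) to 00:18:d1:7b:96:d7."""
    digits = cisco_mac.replace(".", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def oui(mac):
    """Return the first three octets as six hex digits, for a vendor lookup."""
    return mac.replace(":", "")[:6]


def is_locally_administered(mac):
    """True when the locally-administered bit (0x02 of the first octet) is set.

    Such addresses are assigned by software (hypervisors, bonding drivers),
    so a vendor lookup on their prefix is not meaningful.
    """
    return bool(int(mac[:2], 16) & 0x02)


def parse_macflap(lines):
    """Extract one event per MACFLAP_NOTIF line; other lines are ignored."""
    events = []
    for line in lines:
        m = MACFLAP_RE.search(line)
        if m is None:
            continue
        events.append({
            "mac": normalize_mac(m.group("mac")),
            "vlan": int(m.group("vlan")),
            "ports": (m.group("port_a"), m.group("port_b")),
        })
    return events


def summarize(events, threshold=3):
    """Group events by (mac, vlan); flag hosts seen at least `threshold` times."""
    grouped = defaultdict(lambda: {"count": 0, "ports": set()})
    for ev in events:
        entry = grouped[(ev["mac"], ev["vlan"])]
        entry["count"] += 1
        entry["ports"].update(ev["ports"])  # A/B and B/A are the same pair

    report = {}
    for (mac, vlan), entry in grouped.items():
        report[(mac, vlan)] = {
            "count": entry["count"],
            "ports": sorted(entry["ports"]),
            "oui": oui(mac),
            "locally_administered": is_locally_administered(mac),
            "repeated": entry["count"] >= threshold,
        }
    return report


if __name__ == "__main__":
    for key, info in summarize(parse_macflap(SAMPLE_LOG.splitlines())).items():
        print(key, info)
```

A host whose address has the locally-administered bit set has no vendor prefix to look up, which points toward virtual machines or software bridging rather than a particular hardware maker.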



Re: [c-nsp] Link/Line Testing

2011-05-31 Thread Ziv Leyes
Download the WANem ISO from here http://wanem.sourceforge.net/
Burn it and boot a PC with the CD.
It can generate for you the traffic you need for your tests
HTH
Ziv


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of James Bensley
Sent: Wednesday, June 01, 2011 12:14 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Link/Line Testing

Hi list,

Is there any way from either a router or L3 switch I can saturate a
line/link? I don't want to use a computer or external device.

Let's pretend that $provider has given me a 1Gbps up-link to a device
which terminates various 100 Mbps links, so having a pc with software
to pump out 1Gbps would be no good. Since most people have up links
many times faster that most other ports on their routers/switches how
can I test the up link throughput from the device.

If for whatever reason I had 1Gbps access ports with a 1Gbps up link
I could use a pc/hardware traffic generator and test the link and for
example router's ability to policy route and filter at 1Gbps but I just
want to test the physical link itself for its top end throughput.

Pointers anyone?

-- 
James.

http://www.jamesbensley.co.cc/
There are 10 kinds of people in the world; Those who understand
Vigesimal, and J others...?


Re: [c-nsp] Dynamic dns on a cisco ios router

2011-05-31 Thread Ziv Leyes
I'll definitely try this at home and report back!
Thanks,
Ziv

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of James Paussa
Sent: Tuesday 31 May 2011 12:05
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Dynamic dns on a cisco ios router

Hi,
Had this come up in a job I was just doing on the weekend on a 857w running 
12.4(6)T6 ADVSECURITYK9-M. Here is the config I have working with it:
ip ddns update method domain_ddns
  HTTP
   add http://:x...@members.dyndns.org/nic/update?system=dyndns&hostname=&myip=
  interval maximum 1 0 0 0
!
interface Dialer1
  ip ddns update hostname domain.ath.cx
  ip ddns update domain_ddns
!

Couple of things to note, I had to clear the dialer to get it to update and 
updates were a bit flakey till I added 'interval maximum 1 0 0 0'.


On 31/05/2011 4:59 AM, ccie wrote:
> Debug ip ddns update
>
> !Nothing
Unfortunately I can't help you with debug on this, worked first time for me.
> ip ddns update method mytest
>
> HTTP
>
>add http://x:x...@members.dyndns.org/nic/update?system=dyndns
>  %3e&myip=%3ca>  &hostname=&myip=
>
> interval maximum 1 0 0 0
>
>
I am not sure if your client or mine has added some extra characters to 
that add http line but it doesn't look right.

Regards,
James.


Re: [c-nsp] Dynamic dns on a cisco ios router

2011-05-31 Thread Ziv Leyes
I  wanted to use this feature too but to no avail. Whatever I tried, it didn't 
work, so I opted for the less wanted option and installed the ddns client on my 
PC

Ziv


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of ccie
Sent: Monday, May 30, 2011 9:59 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Dynamic dns on a cisco ios router

 

Hi Experts,

 

Even though I configure the dyndns 100% correctly, it is still not working; even the
debug doesn't give me anything

Debug ip ddns update

!Nothing

ip ddns update method mytest

HTTP

  add http://x:x...@members.dyndns.org/nic/update?system=dyndns
 &hostname=&myip=

interval maximum 1 0 0 0

 

Int dialer 1

interface dialer 1

ip ddns update hostname ashrafalbayed.dyndns.org

ip ddns update mytest

 

What is wrong that doesn't show anything in the debug.

 

 

Regards,

Amin

 

 

Amin

AXIZO.COM

Previously name Horizon

' +970-2-2988128 | 7 +970-2-2988128 |P +970-59-9367950 | .
 a...@axizo.com

 



Re: [c-nsp] Simulate download

2011-05-30 Thread Ziv Leyes
copy ftp://someserver.com/testfile.zip null:

HTH

Ziv


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mohammad Khalil
Sent: Monday, May 30, 2011 6:32 PM
To: d...@dcptech.com
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Simulate download


can you explain more please

> Date: Mon, 30 May 2011 10:42:56 -0400
> Subject: Re: [c-nsp] Simulate download
> From: d...@dcptech.com
> To: eng_m...@hotmail.com
> CC: cisco-nsp@puck.nether.net
> 
> 
> Copy xxx://yyy null:
> 
> >
> > Hi all
> >
> > can i from a Cisco router simulate a download session?
> > as i am on a laptop and downloading a file to see the transfer speed?
> >
> > Thanks
> >
> > Best Regards,
> > Mohammad Khalil
> >


Re: [c-nsp] off-topic NMS Suggestion

2011-05-18 Thread Ziv Leyes
+1 for the open source!
There are OpenNMS, Zenoss, and a lot of others, and if you really want to pay, 
you can get an overall support from some of them, from the very first 
implementation as well as ongoing support.

Commercially talking, I've seen Solarwinds have a nice user-friendly product 
family named Orion, there are a few nice tools, it's built on a modular base, 
so you can buy only one, or integrate a few of them.
And it is not really expensive, prices are reasonable.
Ziv


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Daniel Lacey
Sent: Wednesday, May 18, 2011 6:01 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] off-topic NMS Suggestion

The best NMS solutions are open source. (My opinion... :-)
You can get paid support if that is the issue, from installation to
on-going configuration support.
You should investigate what support teams are using to monitor large
networks.
Papa John's for example monitors 3400 locations requiring only one
person on duty Open source NMS...

You will save a ton of money as well...

|---
| Dan Lacey daniel_p_la...@yahoo.com
| PGP Key: 0xFE94668F @ http://pgp.mit.edu or http://keyserver.pgp.com
| PGP Key fingerprint: 8A97 2996 266D A21C 0277 54EF 40D5 2B80 FE94 668F
|---


On 5/17/11 7:38 PM, omar parihuana wrote:
> Hi List,
>
> Please could you suggest me a NMS for WAN/LAN? the WAN is a MPLS/VPN (300
> remote offices)  and the Switching is a campus LAN (aprox 1000 Network
> Devices) and three remote buildings (aprox Network 200 devices in each
> building). Before I tried Cisco Works but I faced some issues; HP Openview
> was difficult also. We need a easy web interface for monitoring and
> reporting (unfortunately no open source solutions are accepted).
>
> Thank you for your suggestions.
>
> Rgds.
>


Re: [c-nsp] Event manager mail

2011-04-17 Thread Ziv Leyes
I was about to answer you the same, about the bug.
Do you care to share the tcl script with us?
Ziv


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jan Gregor
Sent: Thursday, April 14, 2011 4:48 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Event manager mail

Hello,

just letting all know, this is a known bug CSCsl53037 which is AFAIK not fixed 
in 12.4 train. I have fixed this with a Tcl script doing the same thing, only 
correctly.

Best regards,

Jan

On 04/14/2011 10:07 AM, Jan Gregor wrote:
> Hi guys,
> 
> I have stumbled across weird error when configuring mail notification 
> from Event Manager of IOS router. The mail server parses the email and 
> tags it as malformed with this error:
> X-Amavis-Alert: BAD HEADER SECTION MIME error: error: unexpected end 
> of header
> 
> And indeed, when I check the message in quarantine, there is no MIME 
> header there at all.
> 
> The IOS version is c1841-advipservicesk9-mz.124-13.bin (yeah, I know 
> it is old) and configuration is this:
> 
> event manager applet email_configured
>  event syslog pattern ".*%SYS-5-CONFIG_I.*"
>  action 1.0 info type routername
>  action 3.0 mail server "$_email_server" to "y...@dont.need" from 
> "t...@know.this" subject "test $_syslog_msg" body "$_syslog_msg"
> 
> Any ideas how to fix this?
> 
> Best regards,
> 
> Jan
> 
> 
> 
> 


Re: [c-nsp] cisco-nsp Digest, Vol 101, Issue 21

2011-04-10 Thread Ziv Leyes
Isn't cisco.com working IN India too?

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Shivlu Jain
Sent: Sunday, April 10, 2011 1:11 PM
To: cisco-nsp@puck.nether.net
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] cisco-nsp Digest, Vol 101, Issue 21

Cisco.com is working from india too.

Regards
Shivlu Jain

Sent from my iPhone

On 10 Apr 2011, at 13:08, cisco-nsp-requ...@puck.nether.net wrote:

>
> Today's Topics:
>
>   1. Ctrl Shift 6 X (Access-Server) (Alessandro Braga)
>   2. Re: Cisco 12410 vs XR-12410 routers (Drew Weaver)
>   3. cisco web site down ? (John Brown)
>   4. Re: cisco web site down ? (Jeff Orr)
>   5. Re: cisco web site down ? (Engelhard)
>   6. Re: cisco web site down ? (Sungmin Cho (smcho))
>   7. Re: Cisco 12410 vs XR-12410 routers (Dobbins, Roland)
>   8. Re: Safer DDOS drops (Scott Granados)
>   9. Re: Safer DDOS drops (Ziv Leyes)
>
>
> --
>
> Message: 1
> Date: Sat, 9 Apr 2011 13:45:54 -0300
> From: Alessandro Braga 
> To: cisco-nsp 
> Subject: [c-nsp] Ctrl Shift 6 X (Access-Server)
> Message-ID: 
> Content-Type: text/plain; charset=ISO-8859-1
>
> Folks,
>
> how can I switch devices using Cisco Access Server and Terminal for
> Mac with US international layout ?
>
>
>
> Thanks in advance,
> -AB
>
>
> --
>
> Message: 2
> Date: Sat, 9 Apr 2011 18:20:36 -0400
> From: Drew Weaver 
> To: "'Lee Starnes'" , "Dobbins, Roland"
>
> Cc: "cisco-nsp@puck.nether.net" 
> Subject: Re: [c-nsp] Cisco 12410 vs XR-12410 routers
> Message-ID: 
> Content-Type: text/plain; charset="us-ascii"
>
> Lee,
>
> If you are talking about buying new routers today, GSRs probably don't make 
> sense (especially for 1 and 10G).
>
> Keep in mind that the fastest SIP for a 12810 is the SIP-600/601 which is a 
> 10G full-duplex SIP.
>
> This means that if you put two 10G interfaces in a SIP-600/601 that you will 
> be oversubscribed 2:1.
>
> and that the maximum 10G density for a 10 slot chassis is really paltry for 
> the amount of money you would be paying for these routers.
>
> and if you absolutely have to buy a GSR, don't buy a 12810 because of
> the caveat mentioned above there is no real-world difference between a
> 12410 and a 12810. (especially for 1 and 10G)
>
> (Plus finding parts, even new parts for a 12810 is really really awful).
>
> I believe there is a single Engine6 card available that takes advantage of 
> the 12810's enhanced "width" but it's not a 10G card, OC-XXX.
>
>> From an investment standpoint you may be better off going with an
>> ASR9 and if you have the budget I hear CRS-1 is nice too =)
>
> -Drew
>
>
>
>
> -Original Message-
> From: cisco-nsp-boun...@puck.nether.net
> [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Lee Starnes
> Sent: Friday, April 08, 2011 11:41 PM
> To: Dobbins, Roland
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] Cisco 12410 vs XR-12410 routers
>
> Thanks Roland! So is that to say that the IOS-XR does NOT run on the
> 12410/12810 routers?
>
> -Lee
>
> On Fri, Apr 8, 2011 at 8:25 PM, Dobbins, Roland  wrote:
>
>>
>> On Apr 9, 2011, at 10:05 AM, Lee Starnes wrote:
>>
>>> Just trying to determine which direction to go.
>>
>> Cisco's direction for GSR is XR; you aren't going to get any new
>> features, and slow bug fixes, if you try to stay on IOS.
>>
>> For example, NetFlow telemetry for native IPv6 traffic is only
>> available under XR for the GSR.  There are no plans to support this
>> functionality on the platform under IOS.
>>
>> -
>> -- Roland Dobbins  //
>> <http://www.arbornetworks.com>
>>
>>   The basis of optimism is sheer terror.
>>
>> -- Oscar Wilde
>>
>>
>> ___

Re: [c-nsp] Safer DDOS drops

2011-04-10 Thread Ziv Leyes
S, HE'S the mysterious Stig!!! Thanks Scott ! Now I can sleep better, 
knowing the truth!


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott Granados
Sent: Sunday, April 10, 2011 9:19 AM
To: Stig Meireles Johansen
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Safer DDOS drops

Some say he fixes networks when not driving Formula cars, others think he wears 
a black suit and appears on Top Gear and secretly has a 6509 chassis as a 
coffee table in the top gear trailer.

We call him the Stig!

:)

On Apr 8, 2011, at 11:16 PM, Stig Meireles Johansen wrote:

> FWIW, The "no ip unreachables" has to be configured on your uplinks for it to 
> have any effect in this setting.
> 
> /Stig
> 
> -Original Message-
> From: cisco-nsp-boun...@puck.nether.net 
> [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Peter Kranz
> Sent: 9. april 2011 00:45
> To: 'Peter Rathlev'
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] Safer DDOS drops
> 
> Brandon, Peter, Phil thanks..
> 
> I removed 'ip accounting access-violations', used the fragments filter, and 
> changed to ' mls rate-limit unicast ip icmp unreachable acl-drop 0' .. 
> another >5Gbps attack in progress currently, but router CPU is happy and 
> customer still in service.
> 
> -peter
> 
> 
> 
> 
> ___
> cisco-nsp mailing list  cisco-nsp@puck.nether.net 
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 

 
 

This footnote confirms that this email message has been scanned by PineApp 
Mail-SeCure for the presence of malicious code, vandals & computer viruses.





The information contained in this e-mail message and its attachments is 
confidential information intended only for the use of the individual or entity 
named above. If the reader of this message is not the intended recipient, you 
are hereby notified that any dissemination, distribution or copying of this 
communication is strictly prohibited. If you have received this communication 
in error, please notify us immediately by replying to the sender, and then 
delete the message from your computer.  Thank you!

 This mail was sent via Mail-SeCure System.



 
 



Re: [c-nsp] customer facing edge switch reccomendation?

2011-04-03 Thread Ziv Leyes
You'll need a metro switch, a ME3400 or the like, will give you most of what 
you need, I think.
Someone correct me if I'm wrong
Ziv


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mike
Sent: Thursday, March 31, 2011 8:26 PM
To: 'Cisco-nsp'
Subject: [c-nsp] customer facing edge switch reccomendation?

Hello,

I will have some customers on copper and fiber and I am interested in 
learning about what cisco switch would offer me port based QoS / rate limiting 
/ QinQ vlan stacking. I don't want IP only qos - I want to be able to say '45 
megs in and out, period' no matter the traffic type. I'd also like to be able 
to apply more than 1 802.1q tag but this isn't a strict requirement. Can anyone 
suggest anything in the reasonable price ballpark that could be used for this 
application?

Thanks.


Re: [c-nsp] graphing bad hop counts

2011-04-03 Thread Ziv Leyes
As I couldn't find a way of sampling anything related to "ip traffic" with SNMP, 
I'd suggest that, if supported, you use an EEM script on your device; this can 
trigger an action such as an SNMP-Trap, or putting a line in the logging of the 
device, and you can monitor it.
I'm not such an expert with these EEM scripts, but I know there are a few guys 
here that could help you.
Because of my ignorance I need to manage the way I know, so in my case I'd just 
create a script on my cacti server that telnets the device, runs the command I 
want, cuts the result and creates a graph, then you have also a thresholds 
plugin for cacti where you can do some other nice things.
Ziv

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Brandon Porter
Sent: Thursday, March 31, 2011 8:51 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] graphing bad hop counts

Hi,
I'm looking for a way to graph bad hop counts when you issue the "show ip 
traffic" command.  I have a multicast network and, short of constantly going 
into devices and issuing that command, there is no way of knowing or being 
notified (that I know of) as to when the bad hop count is reaching a certain 
threshold.  Does anyone know of any software or anything that can help me 
accomplish my goal?  Or alert me in some way when the bad hop count reaches a 
threshold?  Any help is appreciated.  Thanks.
-Brandon
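
The polling approach suggested in the reply above, sketched as an added Python example (not code from the thread): it parses the Rcvd block of `show ip traffic`, reports the increase in "bad hop count" between two polls and flags a threshold breach. The sample outputs are constructed, and the function names and the `badhop` field name are assumptions.

```python
import re

# Constructed sample of `show ip traffic` output (two sections only).
SAMPLE_POLL_1 = """\
IP statistics:
  Rcvd:  184213 total, 91022 local destination
         0 format errors, 0 checksum errors, 1520 bad hop count
         0 unknown protocol, 0 not a gateway
         0 security failures, 0 bad options, 0 with options
  Sent:  90311 generated, 93191 forwarded
ICMP statistics:
  Rcvd: 3 format errors, 0 checksum errors, 0 redirects, 12 unreachable
"""
# Constructed later polls: a normal one, and one taken after a counter clear.
SAMPLE_POLL_2 = SAMPLE_POLL_1.replace("1520 bad hop count", "1985 bad hop count")
SAMPLE_AFTER_CLEAR = SAMPLE_POLL_1.replace("1520 bad hop count", "12 bad hop count")


def parse_ip_rcvd(output):
    """Return {counter name: value} for the Rcvd block of 'IP statistics'.

    Other sections (ICMP, UDP, ...) reuse names such as 'format errors',
    so the parser tracks the section and sub-block it is in.
    """
    counters = {}
    section = sub = None
    for line in output.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():              # "IP statistics:", "ICMP statistics:"
            section, sub = line.strip().rstrip(":"), None
            continue
        labelled = re.match(r"\s+([A-Za-z]+):\s*(.*)", line)
        if labelled:                           # "  Rcvd:  ...", "  Sent:  ..."
            sub, rest = labelled.group(1), labelled.group(2)
        else:                                  # continuation line of the sub-block
            rest = line.strip()
        if section == "IP statistics" and sub == "Rcvd":
            for item in rest.split(","):
                pair = re.fullmatch(r"\s*(\d+)\s+(.+?)\s*", item)
                if pair:
                    counters[pair.group(2)] = int(pair.group(1))
    return counters


def bad_hop_delta(prev_output, curr_output):
    """Increase in 'bad hop count' between two polls of the same device."""
    prev = parse_ip_rcvd(prev_output).get("bad hop count")
    curr = parse_ip_rcvd(curr_output).get("bad hop count")
    if prev is None or curr is None:
        raise ValueError("'bad hop count' not found in show ip traffic output")
    # A smaller value means the counters were cleared or the device reloaded;
    # count from zero instead of reporting a negative delta.
    return curr if curr < prev else curr - prev


def poll_result(prev_output, curr_output, threshold):
    """Delta, alert flag and a name:value line for a graphing script."""
    delta = bad_hop_delta(prev_output, curr_output)
    return {"delta": delta, "alert": delta >= threshold, "cacti": f"badhop:{delta}"}


if __name__ == "__main__":
    print(poll_result(SAMPLE_POLL_1, SAMPLE_POLL_2, threshold=100))
```

Feeding the delta rather than the raw counter to the graph keeps a reload or a counter clear from showing up as a spike.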


Re: [c-nsp] What is the lowest latency switch?

2011-03-20 Thread Ziv Leyes
I would love to see a fully functional shell cli on network devices that would 
allow us to gather information more effectively  using grep,awk,sed,etc...


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mark Tinka
Sent: Sunday, March 20, 2011 5:01 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] What is the lowest latency switch?

On Thursday, March 17, 2011 04:09:26 AM Nitzan Tzelniker
wrote:

> ... and at
> last you can do "| include ... " in any command and you can see drops 
> on the output queue.

Interesting how we take these features for granted in more popular platforms 
:-).

Mark.

 
 



Re: [c-nsp] VRF and Tacas

2011-03-17 Thread Ziv Leyes
Could you post your line vty configuration?


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Judith Sanders
Sent: Wednesday, March 16, 2011 10:03 PM
To: 'cisco-nsp@puck.nether.net'
Subject: [c-nsp] VRF and Tacas

I am trying to configure my ASR 1006 to use TACACS+ via my vrf interface, which 
is my gigabitethernet 0 interface.  We use this only for management.  I can 
ping the TAC server from my vrf, but it will not authenticate against it.  Here 
is what I have-

interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 192.x.x.x  x.x.x.x
negotiation auto

aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+

ip tacacs source-interface GigabitEthernet0
tacacs-server host 172.x.x.x
tacacs-server host 172.x.x.x
tacacs-server directed-request
tacacs-server key x.x.x.x

I can ping the TAC server from my vrf- and here are my debugs-I am not 
successful.


Mar 16 14:52:20: TPLUS: processing authentication start request id 606
Mar 16 14:52:20: TPLUS: Authentication start packet created for 606(jasanders)
Mar 16 14:52:20: TPLUS: Using server 172.16.1.124
Mar 16 14:52:20: TPLUS(025E)/0/NB_WAIT/4DB519C0: Started 5 sec timeout
Mar 16 14:52:25: TPLUS(025E)/0/NB_WAIT/4DB519C0: timed out
Mar 16 14:52:25: TPLUS: Choosing next server 172.16.1.134
Mar 16 14:52:25: TPLUS(025E)/1/NB_WAIT/4DB519C0: Started 5 sec timeout
Mar 16 14:52:25: TPLUS(025E)/4DB519C0: releasing old socket 0
Mar 16 14:52:30: TPLUS(025E)/1/NB_WAIT/4DB519C0: timed out
Mar 16 14:52:30: TPLUS(025E)/1/NB_WAIT/4DB519C0: timed out, clean up
Mar 16 14:52:30: TPLUS(025E)/1/4DB519C0: Processing the reply packet
Mar 16 14:52:38: TPLUS: Queuing AAA Authentication request 606 for processing
Mar 16 14:52:38: TPLUS: processing authentication start request id 606
Mar 16 14:52:38: TPLUS: Authentication start packet created for 606(jasanders)
Mar 16 14:52:38: TPLUS: Using server 172.16.1.124
Mar 16 14:52:38: TPLUS(025E)/0/NB_WAIT/4DB519C0: Started 5 sec timeout
Mar 16 14:52:43: TPLUS(025E)/0/NB_WAIT/4DB519C0: timed out
Mar 16 14:52:43: TPLUS: Choosing next server 172.16.1.134
Mar 16 14:52:43: TPLUS(025E)/1/NB_WAIT/4DB519C0: Started 5 sec timeout
Mar 16 14:52:43: TPLUS(025E)/4DB519C0: releasing old socket 0
Mar 16 14:52:48: TPLUS(025E)/1/NB_WAIT/4DB519C0: timed out
Mar 16 14:52:48: TPLUS(025E)/1/NB_WAIT/4DB519C0: timed out, clean up



Thanks,
Judith Sanders
Pioneer Telephone
Inside Plant Networking Services
jasand...@ptci.com




***
This email message and any files transmitted with it are intended solely for 
the use of the individual or entity  for whom it is addressed.  It may contain 
confidential and privileged information. If you are not the intended recipient, 
please contact the sender and destroy all paper and electronic copies of this 
message and its contents.  Any unauthorized review, use, disclosure or 
distribution of this email or any file attachments is strictly prohibited.

Re: [c-nsp] What is the lowest latency switch?

2011-03-17 Thread Ziv Leyes
Even if you had the time to test them, how would you exactly be able to confirm 
the specs? Do you have a way to measure the <1.9 µsec forwarding latency and 
confirm it's correct?

Just wondering...

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jeroen van Ingen
Sent: Wednesday, March 16, 2011 7:25 PM
To: j...@ilk.net
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] What is the lowest latency switch?

Hi,
> What about "H3C" "3com" S5820X ?
>
> May be renamed or renumbered to hp procurve, but spec says:
>
> "...
>   Additionally, in order to reduce
>   latency in the network core or data center environment, the
>   S5820X features cut-through switching as well as store and
>   forward mode switching.
>   ...
>   Forwarding Latency<1.9 µsec (FIFO 64-byte packets)
>   ...
> "
>
> For a<  200W (under full load) device
> (compared to the 1100W of my 4900M's ) this sounds good for Layer2 
> device.
>
> Any experience with that box ?
>

Well, I have three of those on my desk right now, but to be honest I haven't 
had much time to test them. I'm trying them out for basic L2 switching, a bit 
of routing and a small amount of EoMPLS.

Specs & docs look good, pricing seems OK, but as "experience" with the box goes 
I've only configured an address on them and performed a software upgrade.

If you have specific questions, don't hesitate to ask, perhaps I can get the 
answers quickly.


Regards,
Jeroen


Re: [c-nsp] Prevent DDoS

2011-03-14 Thread Ziv Leyes
The only way to _prevent_ DDoS attacks is to get your hands on those that are 
planning to attack you and kick their arse before they run the DDoS.

Once the attack is delivered, the only thing you can do is to mitigate it and 
wait till it's over...
A mix of a well-configured control-plane policy on your core with uRPF towards 
the outside and a blackhole device is the most feasible way without having to 
buy a dedicated device to protect you.

Sorry for putting emphasis on semantics... :-)


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Tseveendorj
Sent: Monday, March 14, 2011 10:36 AM
To: cisco-nsp
Subject: [c-nsp] Prevent DDoS

Hello,

Is there anyway to prevent DDoS attack on Cisco Router?

regards,
Tseveen.


Re: [c-nsp] Tool to Calculate Rate Limits

2011-02-08 Thread Ziv Leyes
Totally agreed, it's a lost battle, even if it's so simple to understand
When I go to the grocery to buy 1 Kg of rice, I'm not expecting to get 1024 g 
of it, right?
1 Kg = 1000 g
1 Km = 1000 m
And so on, but I'd like to see you sending a customer to read RFC1594 and make 
it sound like NOT sending them to hell...

Ziv


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of David Freedman
Sent: Tuesday, February 08, 2011 6:45 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Tool to Calculate Rate Limits

Smales, Robert wrote:
> 
>> 1 mbps = 100 bps, no?
> 
> Arguably, but if you were a customer you could argue that 1M is 1024 x 
> 1024, so I compromise at 1000 x 1024 :-)
> 

One could also argue RFC 1594:

"Kb  Kilobit
10^3 bits of information (usually used to express a
data transfer rate; as in, 1 kilobit/second = 1Kbps = 1Kb).
"

Dave.


-- 


David Freedman
Group Network Engineering
Claranet Group

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

 
 

This footnote confirms that this email message has been scanned by PineApp 
Mail-SeCure for the presence of malicious code, vandals & computer viruses.





The information contained in this e-mail message and its attachments is 
confidential information intended only for the use of the individual or entity 
named above. If the reader of this message is not the intended recipient, you 
are hereby notified that any dissemination, distribution or copying of this 
communication is strictly prohibited. If you have received this communication 
in error, please notify us immediately by replying to the sender, and then 
delete the message from your computer.  Thank you!

 This mail was sent via Mail-SeCure System.



 
 

This footnote confirms that this email message has been scanned by
PineApp Mail-SeCure for the presence of malicious code, vandals & computer 
viruses.





___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Opinions about the next 6500/7600

2011-02-07 Thread Ziv Leyes
I don't mean to be disrespectful in this "Cisco" list, but perhaps you should 
sharpen your question.
Are you asking what is the "Cisco" next 6500/7600, or in general? Because 
I must remind you all that there are some other platforms out there that can be 
good replacements for those good ole friends...
I'm not going to throw brand names, it's not my intention...

Ziv


On 4 Feb 2011, at 16:22, Mack McBride  wrote:

> The most comparable for the 7600 is the ASR 9K but the cost differential is 
> significant.
> 
> The Nexus 7000 is supposed to replace the 6500 for an aggregation 
> switch but the cost and other issues (bugs and lack of XL card) has slowed 
> adoption.
> The other issues are getting sorted out which should help the 7K.
> Cisco seems committed to the 6500 as a services platform.
> So it is likely to be around for a long time.
> 
> Our company tends to stay away from the bleeding edge so we are still using 
> the 6500/7600.
> 
> Mack McBride
> Network Architect
> 
> -Original Message-
> From: cisco-nsp-boun...@puck.nether.net 
> [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Drew Weaver
> Sent: Friday, February 04, 2011 6:12 AM
> To: cisco-nsp
> Subject: [c-nsp] Opinions about the next 6500/7600
> 
> Howdy,
> 
> I think most folks can agree that the amount of traffic on the Internet is 
> being carried by 6500/7600 series gear is probably a pretty big percentage. 
> This is most likely mainly due to cost, density, and performance (despite 
> their flaws). The other nice thing about them is that they are everywhere, so 
> they have a good community of users.
> 
> What new platform from Cisco or whomever do you think is, or will become the 
> "next 6500/7600" in terms of how many companies are going to use them, 
> performance, cost, density? I don't have any hard numbers to back this up 
> (aside from earnings numbers from Cisco) but I'm guessing the number of Nexus 
> 7000s replacing 6500s has been pretty disappointing to Cisco.
> 
> So is the 6500 = Nexus 7000 and the 7600 = ASR 9K or does the flow chart skew?
> 
> thanks,
> -Drew
> 
> 


Re: [c-nsp] Tool to Calculate Rate Limits

2011-02-07 Thread Ziv Leyes
One formula that always worked fine for me is, when you set 
rate-limit Bandwidth(bits) BC(bytes) BE(bytes)

You calculate both BC and BE like this: BE=BC= Bandwidth / 8 * 1.5

Ziv

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Righa Shake
Sent: Sunday, February 06, 2011 4:25 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Tool to Calculate Rate Limits

Hi,

Anyone know of a tool that can be used to calculate rate limits on cisco 
routers.

Regards,
Shake
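
The formula from the reply above turned into a small calculator, as an added Python example (not code from the thread). It assumes decimal units (1 kbps = 1000 bps, the RFC 1594 reading quoted in the other messages of this thread); the rounding to 8 kbps steps and the conform/exceed actions are assumptions to check against your platform's `rate-limit` documentation.

```python
import re

# Decimal multipliers: 1 kbps = 10^3 bps, 1 Mbps = 10^6 bps (not powers of 1024).
_UNITS = {"": 1, "k": 10**3, "m": 10**6, "g": 10**9}
_RATE = re.compile(r"\s*(\d+(?:\.\d+)?)\s*([kmg]?)(?:bps|bit/s|b/s)?\s*",
                   re.IGNORECASE)


def parse_rate(text):
    """Turn '45M', '512k', '2.5 Mbps' or '8000' into bits per second."""
    m = _RATE.fullmatch(text)
    if not m:
        raise ValueError(f"cannot parse rate: {text!r}")
    return int(round(float(m.group(1)) * _UNITS[m.group(2).lower()]))


def burst_bytes(bps, seconds=1.5):
    """The reply's formula: Bandwidth / 8 * 1.5, i.e. 1.5 s of traffic in bytes."""
    return int(bps / 8 * seconds)


def rate_limit_line(rate, direction="output"):
    """Build a `rate-limit` interface command with BC = BE, as in the reply."""
    if direction not in ("input", "output"):
        raise ValueError("direction must be 'input' or 'output'")
    bps = parse_rate(rate)
    if bps < 8000:
        raise ValueError("rate below 8000 bps")
    # Assumption: the rate is accepted in 8 kbps increments, so round down.
    bps -= bps % 8000
    bc = be = burst_bytes(bps)
    # Assumption: transmit conforming traffic, drop the excess.
    return (f"rate-limit {direction} {bps} {bc} {be} "
            "conform-action transmit exceed-action drop")


if __name__ == "__main__":
    for wanted in ("45M", "512k", "100k"):
        print(rate_limit_line(wanted))
```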


Re: [c-nsp] SNMP Question

2011-02-04 Thread Ziv Leyes
Or you could find the index of the interface from within the device itself with 
command:
show snmp mib ifmib ifindex 

HTH
Ziv


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Per Carlson
Sent: Friday, February 04, 2011 10:17 AM
To: Scott Voll
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] SNMP Question

Hi Scott.

> I have found that for my 3845 (running 15.0) with PRI in slots 0/0/0 I 
> can use OID 1.3.6.1.4.1.9.10.19.1.1.9.1.3.0.0

This is the CISCO-POP-MGMT-MIB
(ftp://ftp.cisco.com/pub/mibs/v2/CISCO-POP-MGMT-MIB.my)

The table you are polling is cpmDS0UsageTable where each entry is indexed like:

cpmDS0UsageEntry OBJECT-TYPE
DESCRIPTION  "An entry in the DS0 Usage table."
INDEX {cpmDS1SlotIndex, cpmDS1PortIndex, cpmChannelIndex }

As Jeffery proposed, walk this table (1.3.6.1.4.1.9.10.19.1) to find the OIDs. 
The table contains a mapping (cpmAssociatedInterface) to ifIndex. That way you 
can figure out which slot/port/channel index corresponds to which interface of 
the router.

To find the ifIndex of the interfaces, walk the OID ifDescr 
(1.3.6.1.2.1.2.2.1.2). The last ".N" in the OIDs in that table are the ifIndex.

--
Pelle

RFC1925, truth 11:
 Every old idea will be proposed again with a different name and
 a different presentation, regardless of whether it works.


Re: [c-nsp] Advice: Which routers to purchase ?

2011-01-29 Thread Ziv Leyes
Neither was I!
Thanks for the update!


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Manu Chao
Sent: Friday, January 28, 2011 1:28 AM
To: Łukasz Bromirski
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Advice: Which routers to purchase ?

I wasn't aware that ASR1001 was cheaper than Cisco 7201 ;) Good to know, thanks!

2011/1/28 Łukasz Bromirski 

> On 2011-01-27 23:44, Manu Chao wrote:
>
>> I recommend you two Cisco 7201
>>
>
> This doesn't make sense anymore form price/performance point of view.
>
> The 7201 is a 7200 based off NPE-G1, and it's software-based router 
> priced at 24k$ GPL.
>
> The ASR 1001 is hardware-based router that has 4 GE interfaces and is 
> priced at 17k$ with dual PSUs. The ASR 1001 can with proper license do 
> 5Gbit/s line-rate, while the 7201 is 1Mpps engine that will slow down 
> with every feature turned on.
>
> --
> "There's no sense in being precise when |   Łukasz Bromirski
>  you don't know what you're talking |  
> jid:lbromir...@jabber.org
>  about."   John von Neumann |http://lukasz.bromirski.net
>
> ___
> cisco-nsp mailing list  cisco-nsp@puck.nether.net 
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>


Re: [c-nsp] Advice: Which routers to purchase ?

2011-01-27 Thread Ziv Leyes
It shouldn't be so complicated, get yourself 2 refurbished 7201 VXR with 1GB 
RAM (it comes with three Gigabit interfaces)
Connect each provider to a different router on one of the Giga interfaces, set 
a bgp peer to each provider and ask them to send you default originate
Connect both routers to your LAN, via a switch and run iBGP sending default 
originate to each other
Set HSRP between routers, then decide which one will be primary and which one 
standby. This is done with HSRP priority.
Set the HSRP virtual IP as default gateway on your LAN devices.
You're done.

Sometimes, less is more...

If and when you want to run MPLS, well, that's a different story, a bit more 
complicated to set in 4 sentences...


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Dovid Bender
Sent: Thursday, January 27, 2011 6:03 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Advice: Which routers to purchase ?

Hi All,

I am new to Cisco (other than starting a CCNA course 10 years ago but never 
finishing it).

Our company is now becoming multi homed and we need to BGP our own IP's.

We need at least three Ethernet connections. We will be connecting to two 
providers and then a third for our network. The physical connection will be 100 
mbits to the carriers and 1000 mbit to our switch. From the first carrier we 
can use 100 mbits and from the second carrier we will only be using up to 5-10 
mbits. Our total bandwidth usage will most likely be under 100 mbits. We would 
also like to use VPN but it's not a must. We are running a VoIP network. I do 
not know if this is possible but we would like to be able to assign more than 
one IP per interface. Is that possible ? Also we would like to have two routers 
for redundancy. We will have a primary and a standby. We would like to use MPLS.

What do you recommend ?

Regards,

Dovid



Re: [c-nsp] About Problem on Policay based routing

2011-01-23 Thread Ziv Leyes
Try using the recursive option, so it forwards packets to default when the 
next-hop is unavailable

route-map dst_80 q
match ip address 101
set ip next-hop recursive 202.53.x.x

Or, if not available in your version (unlikely), try adding a secondary 
next-hop to the route-map

route-map dst_80 q
match ip address 101
set ip next-hop 202.53.x.x 202.53.y.y 202.53.z.z 
! and so on...

Or you could use a combination of rtr track and verify-availability, read more 
about this here:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtpbrtrk.html

Hope this helps,
Ziv



-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Md. Jahangir Hossain
Sent: Sunday, January 23, 2011 8:28 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] About Problem on Policay based routing

Dear concern:


We faced a problem with policy based routing (PBR) on my Cisco SAR 7606 router.

When the next hop in my route-map is down, packets are not forwarded to the 
destination using the default routing table, but we got ICMP to any destination. 
Can anyone please check the config and IOS version: what is wrong, my config or IOS?


Below is my configuration and IOS version:

ip access-list extended 101 permit tcp any any eq www
ip access-list extended 102 permit tcp any eq www any
 
route-map dst_80 q
match ip address 101
set ip next-hop 202.53.x.x 

route-map src_80
match ip address 102
set ip next-hop 202.53.x.x 


interface gigabit interface 

description {client}
ip policy route-map dst_80 
 

interface gigabit interface 

description [Internet]
ip policy route-map src_80 


##


SAR-7606#sh version 
Cisco IOS Software, c7600s3223_rp Software (c7600s3223_rp-ADVENTERPRISEK9-M), 
Version 12.2(33)SRD2a, RELEASE SOFTWARE (fc2)

ROM: System Bootstrap, Version 12.2(17r)S6, RELEASE SOFTWARE (fc1)
BOOTLDR: Cisco IOS Software, c7600s3223_rp Software 
(c7600s3223_rp-ADVENTERPRISEK9-M), Version 12.2(33)SRD2a, RELEASE SOFTWARE (fc2)

 SAR-7606 uptime is 1 year, 9 weeks, 5 days, 23 hours, 2 minutes
Uptime for this control processor is 1 year, 9 weeks, 5 days, 22 hours, 52 
minutes
System returned to ROM by power-on (SP by power-on)
System restarted at 13:07:24 BD Sun Nov 15 2009
System image file is 
"sup-bootdisk:c7600s3223-adventerprisek9-mz.122-33.SRD2a.bin"
Last reload type: Normal Reload


  

Re: [c-nsp] EoMPLS on 7401ASR

2011-01-23 Thread Ziv Leyes
Jeroen,
We're doing AToM / EoMPLS on a few 7206VXR NPE-G1 with no problems, we're using 
Ver 12.2(33)SRC6 IOS
Hope this helps
Ziv


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jeroen van Ingen
Sent: Friday, January 21, 2011 1:27 AM
To: avay...@cisco.com
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] EoMPLS on 7401ASR

Hi Arie, list,
> A quick check on the KB shows that 12.4(15)T should have EoMPLS 
> support... Hope my search was not too quick.
>
Alas... tried 12.4(15)T11 (,jk9o3s) but:
* "xconnect" only supports L2TPv3, not MPLS encap
* "mpls l2transport" commands not available
* "show mpls l2transport capability int " only shows "core" 
functionality, edge is not supported:

===
Transport type Eth VLAN
   Core functionality:
 MPLS label disposition supported
 Control word processing supported
 Sequence number processing not supported
 VCCV CC Type CW [1] processing supported
   Edge functionality:
 Not supported

Transport type Ethernet
   Core functionality:
 MPLS label disposition supported
 Control word processing supported
 Sequence number processing not supported
 VCCV CC Type CW [1] processing supported
   Edge functionality:
 Not supported
===

That's about the same output as on my ancient c7200 with NPE-200 and 100FX 
interface. I guess the "edge" functionality is what's missing every time.

I managed to find a 12.2S image, but it is 12.2(14)S5 and AToM support was 
first included in 12.2(14)S8 according to the docs I found. So I guess I'll 
have to give up here and see if I can get some affordable hardware for my AToM 
labbing. What I've found so far is that a 7200VXR with gig interfaces might do 
it...

(open to suggestions and I'd still be eternally grateful to anyone who can 
throw a c7400 12.2(14)S8 or higher image in my direction).

- Jeroen



Re: [c-nsp] Solutions Details Requested

2011-01-18 Thread Ziv Leyes
I'd rather suggest him to ask himself "What am I trying to ask?"


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Nick Hilliard
Sent: Monday, January 17, 2011 8:37 PM
To: jack daniels
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Solutions Details Requested

On 17/01/2011 17:44, jack daniels wrote:
> Regrets for posting this query but I'm thinking day-in day-out to 
> position some of Routers/Switches in Service Providers. Can you please 
> guide me any link which talks about different solutions where
> Routers/Switches have been positioned in past in different Service
> Providers.

JD,

I'll answer your question if you tell me how long is a piece of string, ok?

Advice: sit down, get yourself a nice warm drink, then ask yourself the 
following question: "what am I trying to achieve?"

Nick


Re: [c-nsp] Netflow Version 9

2011-01-16 Thread Ziv Leyes
It was just a curiosity I was asking about.
If the progress over the years made older versions obsolete it's 
understandable, but then, I don't see why is 5 still there and then 9, why not 
1,5,6 , then years later perhaps 5,6,7, and so on, and at the end, 8,9, for 
instance...
I mean, if 8 is obsolete, wouldn't 5 be "more" obsolete and die before?
Maybe I didn't get properly the differences between the versions, I need to get 
back to read more deeply...


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Łukasz Bromirski
Sent: Sunday, January 16, 2011 12:39 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Netflow Version 9

On 2011-01-16 11:00, Ziv Leyes wrote:
> I knew this is likely to be the answer I get, I was wondering why
> in a Cisco device you can opt for ip flow-export version 1, 5 or 9,
> not all the other in between...

Wouldn't it be obvious? Some are long obsoleted and some made to work around 
limitations of specific architecture. The v9 was then made to get the best from 
flexibility. It doesn't make much more sense to keep the obsoleted templates in 
software and hardware just for someone to be able to get back in time a bit :)

-- 
"Everything will be okay in the end.  | Łukasz Bromirski
  If it's not okay, it's not the end." |  http://lukasz.bromirski.net


Re: [c-nsp] Netflow Version 9

2011-01-16 Thread Ziv Leyes
I knew this is likely to be the answer I get, I was wondering why in a Cisco 
device you can opt for ip flow-export version 1, 5 or 9, not all the other in 
between...


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Łukasz Bromirski
Sent: Sunday, January 16, 2011 11:37 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Netflow Version 9

On 2011-01-16 10:13, Ziv Leyes wrote:
> I wonder what happened to versions 6 to 8...

Take a look here for example:

http://netflow.caligare.com/netflow_format.htm

-- 
"Everything will be okay in the end.  | Łukasz Bromirski
  If it's not okay, it's not the end." |  http://lukasz.bromirski.net


Re: [c-nsp] Netflow Version 9

2011-01-16 Thread Ziv Leyes
I wonder what happened to versions 6 to 8...


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Adam Powers
Sent: Friday, January 14, 2011 4:14 PM
To: Dobbins, Roland; cisco-nsp
Subject: Re: [c-nsp] Netflow Version 9

I would say the only drawback is that v9 is a tad bit more complicated to set 
up due to its configurable nature (see Cisco's Flexible NetFlow) but that's 
about it. As Roland said "it's all upside".



On 1/14/11 5:17 AM, "Dobbins, Roland"  wrote:

>
>On Jan 13, 2011, at 9:30 PM, Righa Shake wrote:
>
>> What are the pros and cons as compared to version 5.
>
>v5 is a fixed format which is no longer being developed - all NetFlow 
>implementations moving forward are based upon v9.
>
>v9 gives you egress NetFlow, support for MPLS, and is an extensible 
>telemetry format which enables features like Flexible NetFlow, which 
>provides finer-grained information about network traffic.
>
>> what is version 9 impact on router and traffic
>
> 
>Nil - single-digit CPU, 0.5% - 1.5% of overall traffic volume, 
>multiplied by sampling factor (i.e, for 1:100, you'd multiply by 0.01).
>
>You don't really have a choice; you must implement v9, as v5 is 
>obsolete and is no longer being developed.  But it's all upside, with no 
>drawbacks.
>
>---
>Roland Dobbins  // 
>
>  Sell your computer and buy a guitar.
>
>
>
>
>___
>cisco-nsp mailing list  cisco-nsp@puck.nether.net 
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/
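
The difference between the fixed v5 format and the template-driven v9 format discussed in this thread, as an added example (not code from any poster): a minimal Python decoder for both, following Cisco's v5 record layout and RFC 3954 for v9. The packets, addresses, source ID 7 and template ID 260 are constructed sample values; the point to notice is that a v9 collector has to cache templates per exporter, and a data FlowSet that arrives before its template cannot be decoded.

```python
import socket
import struct

# NetFlow v9 field type numbers from RFC 3954 (only the subset used here).
V9_FIELDS = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
             8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}
V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes, fixed layout
V9_HEADER = struct.Struct("!HHIIII")                   # 20 bytes


def parse_v5(packet):
    """v5: every flow record has the same fixed 48-byte layout."""
    if len(packet) < V5_HEADER.size:
        raise ValueError("truncated v5 header")
    version, count = V5_HEADER.unpack_from(packet, 0)[:2]
    if version != 5 or len(packet) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("not a complete NetFlow v5 packet")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(packet, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"IPV4_SRC_ADDR": socket.inet_ntoa(f[0]),
                      "IPV4_DST_ADDR": socket.inet_ntoa(f[1]),
                      "IN_PKTS": f[5], "IN_BYTES": f[6], "L4_SRC_PORT": f[9],
                      "L4_DST_PORT": f[10], "PROTOCOL": f[13]})
    return flows


def decode_record(body, pos, template):
    """Decode one v9 data record using the (field_type, length) list."""
    rec = {}
    for ftype, flen in template:
        raw, pos = body[pos:pos + flen], pos + flen
        name = V9_FIELDS.get(ftype, "field_%d" % ftype)
        if name.endswith("_ADDR") and flen == 4:
            rec[name] = socket.inet_ntoa(raw)
        else:
            rec[name] = int.from_bytes(raw, "big")
    return rec


def parse_v9(packet, templates):
    """v9: the record layout comes from templates the exporter sends in-band.

    `templates` maps (source_id, template_id) -> [(field_type, length), ...]
    and must persist across packets. Returns (flows, undecodable_flowsets).
    """
    if len(packet) < V9_HEADER.size:
        raise ValueError("truncated v9 header")
    version, _, _, _, _, source_id = V9_HEADER.unpack_from(packet, 0)
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    flows, undecodable, off = [], 0, V9_HEADER.size
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad FlowSet length")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:                                  # template FlowSet
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                if tid < 256:                           # trailing padding
                    break
                if pos + 4 + 4 * nfields > len(body):
                    raise ValueError("truncated template")
                templates[(source_id, tid)] = [
                    struct.unpack_from("!HH", body, pos + 4 + 4 * i)
                    for i in range(nfields)]
                pos += 4 + 4 * nfields
        elif fs_id >= 256:                              # data FlowSet
            template = templates.get((source_id, fs_id))
            rec_len = sum(flen for _, flen in template or [])
            if not rec_len:
                undecodable += 1                        # template not seen yet
            else:                                       # leftover bytes are padding
                for pos in range(0, len(body) - rec_len + 1, rec_len):
                    flows.append(decode_record(body, pos, template))
        off += fs_len
    return flows, undecodable


def build_samples():
    """Constructed packets: one v5 export, then a v9 template and a v9 data export."""
    src, dst = socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.20")
    v5 = V5_HEADER.pack(5, 1, 1000, 1295000000, 0, 1, 0, 0, 0) + V5_RECORD.pack(
        src, dst, b"\0" * 4, 1, 2, 10, 1500, 0, 900, 51000, 443,
        0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (2, 4), (1, 4)]
    tbody = struct.pack("!HH", 260, len(fields)) + b"".join(
        struct.pack("!HH", *f) for f in fields)
    tset = struct.pack("!HH", 0, 4 + len(tbody)) + tbody
    rec = src + dst + struct.pack("!HHBII", 51000, 443, 6, 10, 1500)
    pad = b"\0" * (-(4 + len(rec)) % 4)                # FlowSets end on 32-bit boundary
    dset = struct.pack("!HH", 260, 4 + len(rec) + len(pad)) + rec + pad
    v9_template = V9_HEADER.pack(9, 1, 1000, 1295000000, 1, 7) + tset
    v9_data = V9_HEADER.pack(9, 1, 2000, 1295000001, 2, 7) + dset
    return v5, v9_template, v9_data
```

Keep one `templates` dict per collector and pass it to every `parse_v9` call; a non-zero second return value means flow data was dropped because its template had not yet been received.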




Re: [c-nsp] Protecting Wireless Network from Jammers

2011-01-16 Thread Ziv Leyes
That sounds similar to what the guys do to find the tagged animals in the 
jungle, with the directional antenna and all that stuff...


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott Granados
Sent: Friday, January 14, 2011 8:46 PM
To: Seth Mattinen
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Protecting Wireless Network from Jammers

Or some sort of frequency hopping spread spectrum arrangement but that assumes 
your jammer isn't whacking the whole spectrum.


I haven't been on a ham radio fox hunt in years, they are a blast, right up 
there with field day.

On Jan 14, 2011, at 8:12 AM, Seth Mattinen wrote:

> On 1/13/11 10:00 PM, Christopher J. Wargaski wrote:
>> Hey Felix--
>> 
>>I work in the 802.11 wireless arena and am also an amateur radio 
>> operator. Aside from finding the offending station, there is really 
>> nothing that can be done to prevent RF signal jamming.
>> 
> 
> 
> Sure there is: use a wire. ;)
> 
> ~Seth
> ___
> cisco-nsp mailing list  cisco-nsp@puck.nether.net 
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/




Re: [c-nsp] Cisco Android or iphone apps?

2011-01-13 Thread Ziv Leyes
EXACTLY!!!

Like concentrating ONLY on it... (healthiest)

-Original Message-
From: Daniel Hooper [mailto:dhoo...@emerge.net.au] 
Sent: Thursday, January 13, 2011 9:57 AM
To: Ziv Leyes; 'cisco-nsp@puck.nether.net'
Subject: RE: [c-nsp] Cisco Android or iphone apps?

I can think of so many more exciting & better things to do while taking a dump.

-Dan

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Ziv Leyes
Sent: Thursday, 13 January 2011 3:30 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cisco Android or iphone apps?

Yeah, should be very useful to be able to open a TAC case while taking a dump...



-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of John Neiberger
Sent: Wednesday, January 12, 2011 6:16 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco Android or iphone apps?

I don't know about everyone else, but how cool would it be to have TAC case 
management tools on our smart phones?

I would absolutely love a TAC app on my Android phone. That would be extremely 
useful. I'm surprised it doesn't already exist.

What do you all think?


Re: [c-nsp] Cisco Android or iphone apps?

2011-01-12 Thread Ziv Leyes
Yeah, should be very useful to be able to open a TAC case while taking a dump...



-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of John Neiberger
Sent: Wednesday, January 12, 2011 6:16 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco Android or iphone apps?

I don't know about everyone else, but how cool would it be to have TAC case 
management tools on our smart phones?

I would absolutely love a TAC app on my Android phone. That would be extremely 
useful. I'm surprised it doesn't already exist.

What do you all think?


Re: [c-nsp] local privilege level question

2011-01-12 Thread Ziv Leyes
Or, if you're not using nor plan to use any kind of aaa with an external 
device, you can do

no aaa new-model
username johndoe privilege 15 password blabla
!
line vty 0 4
 no password
 login local
!


This works for me for a totally local based authentication

HTH
Ziv


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Daniele Orlandi
Sent: Wednesday, January 12, 2011 12:42 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] local privilege level question

On Tuesday 11 January 2011 21:58:10 Greg Whynott wrote:
> hello,
> 
> on an ASR1004 we have local accounts where the privilege level is set to
> 15.   when I type 'en' it still asks for the enable password.   is there
> a way to prevent this behavior so that persons with local accounts/15 
> priv can execute level 15 commands without being prompted?
> 
> we are not using any external sources for authentication,  its all local.

Hi Greg,

Try enabling "aaa authorization exec default local none" because the privilege 
is assigned in authorization phase.

Ciao,

--
  Daniele "Vihai" Orlandi
  Bieco Illuminista #184213


Re: [c-nsp] Console server

2011-01-03 Thread Ziv Leyes
We use Moxa products
http://www.moxa.com/product/product.aspx
They have some nice solutions


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jay Nakamura
Sent: Thursday, December 30, 2010 10:02 PM
To: cisco-nsp
Subject: [c-nsp] Console server

Does anyone have a recommendation on a console server?  I have about 10 devices per 
location I want console port connected for remote access in case of emergency.  
I don't need a modem or cell card or anything.
IP/Ethernet access, preferably able to ssh into it plus web access will be 
nice. (Web access that doesn't lock you down to IE.)  I was looking at Avocent 
but getting feedback on actual field experience is so much more reliable than 
reading through specs and marketing garbage.


Re: [c-nsp] One Entry Point into Cisco network.

2010-12-16 Thread Ziv Leyes
Here's my suggestion:

no access-list 111

! If you want access only from your PC, then

access-list 11 permit 192.168.20.1

! Or, if you want access from all the network your PC is on, then

access-list 11 permit 192.168.20.0 0.0.0.255

!and at the end:
!
line vty 0 4
access-class 11 in
!

In this case, you don't need to deny anything, only put what you want to allow; 
the deny is an implied rule.

Good luck!

Ziv


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Oleg Gnedykh
Sent: Thursday, December 16, 2010 3:26 PM
To: cisco-nsp-requ...@puck.nether.net
Subject: [c-nsp] One Entry Point into Cisco network.

Hi Guys!

I want to create a network with one entry point.
AFAIK it's a best practise for network designing.
For example it may be some router with a Loopback interface.
I've created Loop0, ACL and attached it to "line vty"

 interface Loopback10
 description ### Manage ###
 ip address 192.168.1.1 255.255.255.255

 access-list 111 permit ip any host 192.168.1.1 log
 access-list 111 deny ip any any log

 line vty 0 4
 access-class 111 in


And as a result I have connection refused
%SEC-6-IPACCESSLOGP: list 111 denied tcp 192.168.20.1(2683) -> 0.0.0.0(23), 1 packet
Here 192.168.20.1 is a local address on my PC.

What can I do???

With best regards, Oleg.




Re: [c-nsp] 2951 memory upgrade to 2GB/Boot loader

2010-12-15 Thread Ziv Leyes
Send them over, I think I can find what to do with them... ;-)


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jay Nakamura
Sent: Tuesday, December 14, 2010 10:45 PM
To: cisco-nsp
Subject: Re: [c-nsp] 2951 memory upgrade to 2GB/Boot loader

Just wanted to mention that someone at Cisco saw my post and gotten it taken 
care of pretty quickly.

Conclusion,
- One 2GB DIMM in slot 0 is supported on 2951.
- ROMMON upgrade is not necessary.

Which leaves me with bad batch of DIMM.

Thanks!

On Tue, Dec 14, 2010 at 1:59 PM, Jaquish, Bret wrote:
> This might help you:
>
> The default Cisco 2951 has a unique memory configuration, whereby a 512 MB 
> DIMM is installed in one of the two memory slots on the Cisco 2951. Memory 
> upgrades on the Cisco 2951 can involve the increase in the density of that 
> single DIMM or a combination of DIMMs with BOTH slots populated. The Cisco 
> 2951 allows the use of asymmetric densities of DRAM in both slots.
>
> http://www.cisco.com/en/US/prod/collateral/modules/ps10598/ordering_guide_c07_557736_ps10537_Products_Data_Sheet.html
>
> It looks like both slots need to be populated.
>
>
> -Original Message-
> From: cisco-nsp-boun...@puck.nether.net 
> [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of David Rothera
> Sent: Tuesday, December 14, 2010 12:26 PM
> To: Jay Nakamura
> Cc: cisco-nsp
> Subject: Re: [c-nsp] 2951 memory upgrade to 2GB/Boot loader
>
> Hope you got her name to use when you have to raise a case for a dead 
> 2951 :P
>
>
> On 14 Dec 2010, at 18:09, Jay Nakamura wrote:
>
>> Just a side note so I can vent, just talked to TAC and the lady 
>> suggested to boot with the old RAM and swap it while the router was 
>> powered on
>>
>> On Mon, Dec 13, 2010 at 11:38 PM, Jay Nakamura  wrote:
>>> I was having problems upgrading memory in a ISR G2 2951 from two 
>>> 512M DIMMs to one 2GB DIMM.  Neither of the DIMM I had worked so I 
>>> started to think I may need to upgrade ROMMON/boot loader.  But for 
>>> the life of me, I could not find any release notes on cisco.com for 
>>> it anywhere.  There is newer release of boot loader than what's on 
>>> the router but could not find any release notes.  Anyone know where 
>>> I could find it or if a new boot loader is required for 2GB DIMM?
>>>
>>> With the new RAM, the router keeps repeating this
>>>
>>> Check stop condition detected, resetting the system
>>> System Bootstrap, Version 15.0(1r)M1, RELEASE SOFTWARE (fc1)
>>> Technical Support: http://www.cisco.com/techsupport
>>> Copyright (c) 2009 by cisco Systems, Inc.
>>>
>>> It's possible both DIMMs were bad but it seems unlikely.  It's also 
>>> possible the vendor sent me the wrong type.
>>>
>>

Re: [c-nsp] ACL querry

2010-12-15 Thread Ziv Leyes
In your case, fe0 is the outside world, the "untrusted" world, the acl 101 you 
applied in fe0 filters any packet that is coming from the outside world into 
your router, no matter where exactly it goes later.
The acl 1 applied in the line vty filters traffic that is trying to connect to 
the router (most probably telnet/ssh) no matter where they're coming from (fe0, 
fe1, etc)
If you want to telnet the router and you're coming from an external source 
(outside world) you'll have to be allowed both in acl 101 and acl 1.
To protect your servers, you can put it either in on fe0 or out in fe1, it 
gives you the same result, but in this case, you won't need to allow anything 
trying to connect to the router other than in acl 1 only.

Hope this makes sense to you
Ziv


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Edward avanti
Sent: Wednesday, December 15, 2010 11:57 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ACL querry

Halo all,

I understood that  ACL on int's were transitting traffic and ACL on line was to 
the router?

I ask because I could not access router until I add my home IP on acl 101 (the 
inbound) Is this because the external interface fe0 has inbound rules applied?
For example, fe1 is to our network of servers I apply ingress rules on fe0 
which the SP link, is this right why I denied?

Should I invert this all?, have no rules on fe0 and apply the network-ingress, 
as an outbound rule on fe1 instead?

Which is consider best practise?  Or is this correct but I somehow block myself 
to line


ACL conf data relevant to post,  all IP is changed for protect guilty :->


access-list 1 permit 1.1.1.0 0.0.1.255
line vty 0 4
 access-class 1 in



access-list 101 permit ip host 1.2.3.4 any
access-list 101 permit ip host 15.6.7.8 any
access-list 101 deny   tcp any any eq 22
access-list 101 deny   tcp any any eq telnet
access-list 101 deny   tcp any any eq sunrpc
access-list 101 deny   udp any any eq sunrpc
access-list 101 deny   tcp any any range 135 139
access-list 101 deny   udp any any range 135 netbios-ss
access-list 101 deny   tcp any any eq 445
access-list 101 deny   udp any any eq tftp
access-list 101 deny   tcp any any eq 873
access-list 101 deny   tcp any any eq 2049
access-list 101 deny   tcp any any eq 3306
access-list 101 permit ip any any

interface FastEthernet0
 ip access-group 101 in



thanks you
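
Both ACL threads (ACL 111/11 on the vty lines, and interface ACL 101 versus line ACL 1) come down to first-match evaluation with an implicit final deny, applied at each point the session crosses. The Python model below is an added example, not code from the list: it uses the ACLs as posted, takes the 0.0.0.0 destination from the quoted %SEC-6-IPACCESSLOGP line, and the router address 192.0.2.1 and the source 1.1.1.10 are constructed.

```python
"""First-match ACL model: interface ACL vs. vty access-class (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

Spec = Tuple[str, str]                       # (address, wildcard mask)
ANY: Spec = ("0.0.0.0", "255.255.255.255")
ROUTER_ADDR = "192.0.2.1"   # constructed: router address seen by the interface ACL
VTY_DST = "0.0.0.0"         # destination shown in the thread's log line for list 111


def host(addr: str) -> Spec:
    return (addr, "0.0.0.0")


def wildcard_match(addr: str, spec: Spec) -> bool:
    """IOS wildcard semantics: bits set in the wildcard are ignored."""
    base, wildcard = (int(IPv4Address(x)) for x in spec)
    care = ~wildcard & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (base & care)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                               # "permit" or "deny"
    src: Spec
    proto: str = "ip"                         # "ip" matches any protocol
    dst: Spec = ANY
    ports: Optional[Tuple[int, int]] = None   # inclusive destination port range

    def matches(self, p: Packet) -> bool:
        if self.proto not in ("ip", p.proto):
            return False
        if not (wildcard_match(p.src, self.src) and wildcard_match(p.dst, self.dst)):
            return False
        return self.ports is None or self.ports[0] <= p.dport <= self.ports[1]


def evaluate(acl: List[Rule], p: Packet) -> str:
    """Return the action of the first matching rule; no match is the implicit deny."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


def vty_login(src: str, vty_acl: List[Rule],
              interface_acl: Optional[List[Rule]] = None, dport: int = 23) -> str:
    """A management session must pass the inbound interface ACL (if one is
    applied where it arrives) and then the access-class on the vty lines."""
    if interface_acl is not None:
        if evaluate(interface_acl, Packet("tcp", src, ROUTER_ADDR, dport)) == "deny":
            return "deny"
    return evaluate(vty_acl, Packet("tcp", src, VTY_DST, dport))


# "One Entry Point" thread: extended ACL 111 vs. the suggested standard ACL 11.
ACL_111 = [Rule("permit", ANY, dst=host("192.168.1.1")), Rule("deny", ANY)]
ACL_11 = [Rule("permit", ("192.168.20.0", "0.0.0.255"))]

# "ACL querry" thread: line ACL 1 and interface ACL 101 as posted.
ACL_1 = [Rule("permit", ("1.1.1.0", "0.0.1.255"))]
ACL_101 = [
    Rule("permit", host("1.2.3.4")),
    Rule("permit", host("15.6.7.8")),
    Rule("deny", ANY, "tcp", ports=(22, 22)),
    Rule("deny", ANY, "tcp", ports=(23, 23)),      # telnet
    Rule("deny", ANY, "tcp", ports=(111, 111)),    # sunrpc
    Rule("deny", ANY, "udp", ports=(111, 111)),
    Rule("deny", ANY, "tcp", ports=(135, 139)),
    Rule("deny", ANY, "udp", ports=(135, 139)),    # 135 .. netbios-ss
    Rule("deny", ANY, "tcp", ports=(445, 445)),
    Rule("deny", ANY, "udp", ports=(69, 69)),      # tftp
    Rule("deny", ANY, "tcp", ports=(873, 873)),
    Rule("deny", ANY, "tcp", ports=(2049, 2049)),
    Rule("deny", ANY, "tcp", ports=(3306, 3306)),
    Rule("permit", ANY),
]
# Constructed: ACL 101 with one more permitted host, as the poster did for his home IP.
ACL_101_PLUS_HOME = [Rule("permit", host("1.1.1.10"))] + ACL_101

if __name__ == "__main__":
    print("ACL 111 on vty, from 192.168.20.1:", vty_login("192.168.20.1", ACL_111))
    print("ACL 11 on vty, from 192.168.20.1: ", vty_login("192.168.20.1", ACL_11))
    print("fe0 + ACL 1, from 1.1.1.10:       ", vty_login("1.1.1.10", ACL_1, ACL_101))
    print("after adding host to ACL 101:     ", vty_login("1.1.1.10", ACL_1, ACL_101_PLUS_HOME))
```

A source listed only in ACL 101 (such as 1.2.3.4) is still refused, because it falls through ACL 1 to the implicit deny.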


Re: [c-nsp] Legitimate Access to IOS for Legacy/EOL devices

2010-12-13 Thread Ziv Leyes
He said "after" maybe try again tomorrow and see if there are any changes... ;-)


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Antonio Soares
Sent: Monday, December 13, 2010 2:19 PM
To: 'Seth Mattinen'; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Legitimate Access to IOS for Legacy/EOL devices

Today is the day ? I've just downloaded one 7200 image and I didn't notice any 
difference in the process.


Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoa...@netcabo.pt

-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Seth Mattinen
Sent: Friday, November 19, 2010 22:53
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Legitimate Access to IOS for Legacy/EOL devices

On 11/19/2010 14:07, Brian Raaen wrote:
> I was wondering if there was any legitimate way to get access to IOS for
> legacy devices.  I have a 2611, 3725 and pair of 2950's in my home lab that I
> would like to test some things on.  Thanks
> 

Right now any valid service contract will get you access to the ancient stuff 
as well, but my gut feeling is that after Dec. 13 anything EOL will be locked 
away for good.

~Seth


Re: [c-nsp] Script to track memory leaks?

2010-12-13 Thread Ziv Leyes
Do you have this feature available in your router ?
http://www.cisco.com/en/US/docs/ios/fundamentals/configuration/guide/cf_mem-leak-detect.html#wp1027129

If not, you could run a script from a linux box with a remote ssh command and 
cut the output to your needs, and then feed it into a rrd file or whatever.
But given the fact the command "sh proc mem" gives you a lot of columns/lines 
and they change all the time, you need to narrow down and pin a specific value 
you want to graph.

If you have ssh available in your router, it's quite simple to get output using 
remote commands via ssh.
Of course it needs a little tweaking first, but once done, it's very practical

Using Ivan's howto you can achieve the required settings:
http://blog.ioshints.info/2009/10/ssh-rsa-authentication-works-in-ios.html

Then once it's done, you can run a command from any cli ssh client like this:

ssh -i /path/to/id_rsa u...@your_router_address sh proc mem | grep BGP 

HTH
Ziv



-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Sascha Pollok
Sent: Monday, December 13, 2010 11:02 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Script to track memory leaks?

Hello routing-people out there,

I am currently trying to track down a memory leak on a Cisco router and I'm 
wondering whether there is a script out there to collect sh proc mem 
periodically so that I get the chance to find out which process is leaking. 
Most likely BGP but who knows.

Of course a script to collect sh proc mem is easy but I thought about one that 
e.g. generates RRDs from the processlist or something similar.

Don't want to invent the wheel once again.

Thanks
Sascha
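
One way to turn periodic "sh proc mem" output, collected over ssh as suggested in the reply, into a list of leak candidates. This Python sketch is an added example, not a script from the list: it pins the Holding column per process and flags processes whose Holding never shrinks across samples. The sample output is constructed, and the `user@router` target and key path passed to `collect()` are placeholders.

```python
"""Track the Holding column of 'sh proc mem' across samples (added example)."""
import re
import subprocess
from typing import Dict, List, Tuple

# PID TTY Allocated Freed Holding Getbufs Retbufs Process
ROW = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S.*?)\s*$")

Key = Tuple[int, str]   # (PID, process name); PID 0 carries several rows


def collect(target: str, key_path: str) -> str:
    """Run the command on the router over ssh with key authentication.
    target is a placeholder such as 'user@router'; not called by the demo."""
    result = subprocess.run(
        ["ssh", "-o", "BatchMode=yes", "-i", key_path, target, "sh proc mem"],
        capture_output=True, text=True, check=True, timeout=30)
    return result.stdout


def parse_proc_mem(text: str) -> Dict[Key, int]:
    """Map (pid, process name) to bytes held; header and summary lines are skipped."""
    holding: Dict[Key, int] = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            holding[(int(m.group(1)), m.group(8))] = int(m.group(5))
    return holding


def leak_suspects(samples: List[str], min_growth: int = 1_000_000):
    """Return (name, pid, growth) for processes present in every sample whose
    Holding never decreases and grows by at least min_growth bytes overall."""
    series: Dict[Key, List[int]] = {}
    for snapshot in map(parse_proc_mem, samples):
        for key, value in snapshot.items():
            series.setdefault(key, []).append(value)
    suspects = []
    for (pid, name), values in series.items():
        if len(values) < len(samples):      # process appeared or exited: no trend
            continue
        steady = all(b >= a for a, b in zip(values, values[1:]))
        growth = values[-1] - values[0]
        if steady and growth >= min_growth:
            suspects.append((name, pid, growth))
    return sorted(suspects, key=lambda s: s[2], reverse=True)


def make_sample(bgp_holding: int, ip_input_holding: int) -> str:
    """Constructed 'sh proc mem' output; only two Holding values vary."""
    return (
        "Processor Pool Total:  900000000 Used:  250000000 Free:  650000000\n\n"
        " PID TTY  Allocated      Freed    Holding    Getbufs    Retbufs Process\n"
        "   0   0  120000000   30000000   80000000          0          0 *Init*\n"
        "   0   0      12000    5000000      12000          0          0 *Sched*\n"
        f"  95   0  400000000  380000000 {bgp_holding:>10}          0          0 BGP Router\n"
        f" 110   0   50000000   49000000 {ip_input_holding:>10}          0          0 IP Input\n"
    )


# Three constructed polls: BGP Router climbs steadily, IP Input only fluctuates.
SAMPLES = [
    make_sample(20000000, 1000000),
    make_sample(26000000, 1200000),
    make_sample(33000000, 900000),
]

if __name__ == "__main__":
    for name, pid, growth in leak_suspects(SAMPLES):
        print(f"{name} (pid {pid}) grew by {growth} bytes and never shrank")
```

The per-process Holding values from `parse_proc_mem()` are the single numbers to feed into an RRD or any other time-series store.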



Re: [c-nsp] which one is ugly

2010-12-11 Thread Ziv Leyes
I think also "ip classless" together with "ip subnet-zero" will do the trick


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Peter Rathlev
Sent: Saturday, December 11, 2010 7:46 PM
To: Good One
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] which one is ugly

On Sat, 2010-12-11 at 19:55 +0500, Good One wrote:
> Thanks Gert. It seems you could not use 192.168.0.0/32 as loopback or
> 192.168.0.0/31 on a point to point interface. So all of Cisco's IOSs 
> are treating class C ending with .0 as a whole /24 network instead of 
> single IP route?

You might need "ip subnet-zero" in your config. It's default on more recent IOS 
versions. What combination of hardware/software are you trying this on?

--
Peter




Re: [c-nsp] MSI Cisco VPN Client Software ?

2010-12-08 Thread Ziv Leyes
I don't know about creating an .MSI, but the way I always did it was by surfing 
to the Cisco VPN folder in program files, there is a folder with .pcf files 
that you can save aside and then from within the VPN Client window you can 
import those files and you get all the profile ready.


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Stephane MAGAND
Sent: Thursday, December 09, 2010 8:02 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] MSI Cisco VPN Client Software ?

Hi

Anyone know if we can create a .MSI of the Cisco VPN IPsec software that 
includes all parameters of the connection?

Thanks for your help
Stephane


Re: [c-nsp] L2TPv3 question

2010-12-08 Thread Ziv Leyes
Not sure I understand your answer, Jefri...


-Original Message-
From: je...@grid.ui.edu [mailto:je...@grid.ui.edu] 
Sent: Wednesday, December 08, 2010 3:13 PM
To: Ziv Leyes; cisco-nsp-boun...@puck.nether.net; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] L2TPv3 question

You have to create interworking ip, it's available on pseudo-wires 
configuration.

Powered by Telkomsel BlackBerry(r)

-Original Message-
From: Ziv Leyes 
Sender: cisco-nsp-boun...@puck.nether.net
Date: Wed, 8 Dec 2010 15:00:20
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] L2TPv3 question

We tried to make a pseudowire yesterday with the following setup:

Side A has a certain device connected to C3750 Switch on port 19.
Port 20 on C3750 Switch is set as trunk and it's connected to C7200VXR router 
port g0/1
The xconnect is done on subinterface G0/1.200 (VLAN200 dot1q encapsulation)
The other end of the xconnect is a C2811 router on port f0/0 while its f0/1 port is 
connected to the device that needs to communicate with the device on the other 
end of the tunnel.

It didn't work and my colleague suspects it's because one side is tagged as 
vlan while the other is not.
Is there a way to make it work given the above mentioned setup?

Thanks,
Ziv




[c-nsp] L2TPv3 question

2010-12-08 Thread Ziv Leyes
We tried to make a pseudowire yesterday with the following setup:

Side A has a certain device connected to C3750 Switch on port 19.
Port 20 on C3750 Switch is set as trunk and it's connected to C7200VXR router 
port g0/1
The xconnect is done on subinterface G0/1.200 (VLAN200 dot1q encapsulation)
The other end of the xconnect is a C2811 router on port f0/0 while its f0/1 port is 
connected to the device that needs to communicate with the device on the other 
end of the tunnel.

It didn't work and my colleague suspects it's because one side is tagged as 
vlan while the other is not.
Is there a way to make it work given the above mentioned setup?

Thanks,
Ziv




Re: [c-nsp] NAT translation rate limit issue

2010-11-21 Thread Ziv Leyes
Hi,

"ip nat trans max-entries list 20 200" will limit ALL users on the acl together 
to a total of 200, I don't think you want this.
You better use "ip nat trans max-entries all-host 200" which will give a limit 
of 200 entries to each host

Hope this helps,
Ziv



-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of gregory williamson
Sent: Friday, November 19, 2010 1:20 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] NAT translation rate limit issue

Hi

I could use some assistance. We are trying to limit simultaneous connections by 
users and 1 for everything else. This is to prevent users from using 
certain programs like bit torrent, etc. When we add the following command to 
the router the NAT translation table fills and crashes and reloads. The 200 
connections command we use does not seem to be doing what we hoped. Does the 
200 rate limit count per user or for all users based on the commands we used? 
What is the best way to fix it?

Thanks for any assistance.

Greg

The following lines were added to the config of our 2811:

ip nat trans max-entries list 20 200  -limits users to 200 NAT Translations

  (ACL 20 selects all 192.168.#.# except 192.168.10.#)

ip nat trans max-entries host 192.168.10.13 1  -allows 1 NAT Translations

ip nat trans max-entries host 192.168.10.14 1
ip nat trans max-entries host 192.168.10.15 1
ip nat trans max-entries host 192.168.10.22 1



Re: [c-nsp] IP Nat help

2010-11-10 Thread Ziv Leyes
You could use a 255 addresses pool like:
ip nat pool NAT 172.16.10.1 172.16.10.254 netmask 255.255.255.0

then perform nat, using the pool, this way:

access-list 1 permit 172.16.1.0 0.0.0.255

ip nat inside source list 1 pool NAT reversible

But this won't guarantee that 172.16.1.x will be necessarily mapped to 172.16.10.x
If you want this to be fixed, then yes, you will need one inside/outside 
mapping for each address, but you only need 1 mapping for each, not 2x254 as 
you said.
This mapping is actually for the outside/inside, but will also be used for the 
inside/outside.

It will look something like this:

ip nat inside source static 172.16.1.1 172.16.10.1
ip nat inside source static 172.16.1.2 172.16.10.2
...
...
ip nat inside source static 172.16.1.254 172.16.10.254

Fastethernet 0/0
ip nat outside

Fastethernet 0/1
ip nat inside

Hope this helps
Ziv


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Stephane MAGAND
Sent: Tuesday, November 09, 2010 9:23 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] IP Nat help

Hi


I request a small help because i never use Nat on Cisco router.


I have a Cisco with two interface:



Fastethernet 0/0
 Description Wan Interface
 ip address 192.168.1.2 255.255.255.252

Fastethernet 0/1
 Description Lan Interface
 ip address 172.16.1.254 255.255.255.0

With BGP, neighbor 192.168.1.1
no NAT.


I want NAT all packet from the LAN interface at destination of on ip class:


if a user of 172.16.1.xx want access to 172.17.1.xx:
   all IP are "changed":
172.16.1.1 => 172.16.10.1
172.16.1.2 => 172.16.10.2
172.16.1.3 => 172.16.10.3
<...>
172.16.1.254 => 172.16.10.254

The 172.17.1.xx see only "172.16.10.xx"


anyone know the process ?

creation 2x254 ip nat inside/outside ?


Thanks for your help


Re: [c-nsp] 1841 DHCP CONFIGURATION and NAT NOT WORKING

2010-11-04 Thread Ziv Leyes
Didn't you all get the guy's second post right after his question?
His problem was a misconfiguration, he had
 ip address 192.168.1.254 255.255.255.252
instead of 
 ip address 192.168.1.254 255.255.255.0

Notice the difference?


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Ge Moua
Sent: Wednesday, November 03, 2010 4:27 PM
To: Rocker Feller; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 1841 DHCP CONFIGURATION and NAT NOT WORKING

I don't see your nat "outside" reference; see below for a working config on one 
of our routers that is doing what you are looking for:

ip dhcp excluded-address 10.2.10.254
!
ip dhcp pool INSIDE
 network 10.2.10.0 255.255.255.0
 domain-name comcastbusiness.net
 dns-server 68.87.77.130 68.87.72.130
 default-router 10.2.10.254
 lease 7
!


interface FastEthernet0/0
  description VoicePerfTuning-RR-01-Fa-0-0 * Simulate SIP though NAT behind SOHO
  ip address 173.11.44.235 255.255.255.240
  ip access-group EXT-ACL_BASIC-PROTECTION in
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto

interface FastEthernet0/1
  description VoicePerfTuning-RR-01-Fa-0-1 * Connect to SIP phone clients
  ip address 10.2.10.254 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  duplex auto
  speed auto


ip route 0.0.0.0 0.0.0.0 173.11.44.238 name "Default via Comcast Business Class Internet"

ip nat inside source list 10 interface FastEthernet0/0 overload





--
Regards,
Ge Moua

Network Design Engineer
University of Minnesota | OIT - NTS
--


On 11/03/2010 09:04 AM, Rocker Feller wrote:
> Hi,
>
> I have done dhcp and nat before, But it does not work on an 1841.
>
> What have I missed out.
>
> The lease is given but the NAT does not work.
>
> I do not see the dhcp ip on arp. but see it on the lease pool-
>
> Please help
>
> ip dhcp excluded-address 192.168.1.254
> !
> ip dhcp pool grm
>  network 192.168.1.0 255.255.255.0
>  dns-server x.x.x.x  x.x.x.x
>  default-router 192.168.1.254
>
> interface FastEthernet0/1
>   description Link to LAN
>   ip address 192.168.1.254 255.255.255.252
>   ip nat inside
>   ip virtual-reassembly
>   duplex auto
>   speed auto
>
> ip nat inside source list 2 interface FastEthernet0/0 overload
> ip route 0.0.0.0 0.0.0.0 y.y.y.y
> !
> access-list 2 permit 192.168.1.0 0.0.0.255
>
>
> Thanks
> Rocker.
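The mismatch pointed out in this thread (a /30 mask on the LAN interface while the DHCP pool and the NAT access list both describe a /24) is the kind of inconsistency a small config check can catch. The following is an added example, not code from the thread: the sample config is constructed from the values quoted above, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample built from the values quoted in the thread (broken form).
BROKEN = """\
ip dhcp excluded-address 192.168.1.254
ip dhcp pool grm
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.254
interface FastEthernet0/1
 ip address 192.168.1.254 255.255.255.252
 ip nat inside
ip nat inside source list 2 interface FastEthernet0/0 overload
access-list 2 permit 192.168.1.0 0.0.0.255
"""
# The corrected form from the reply: same config with a /24 interface mask.
FIXED = BROKEN.replace("255.255.255.252", "255.255.255.0")


def wildcard_to_network(addr, wildcard):
    """ACL address + wildcard mask -> ip_network (contiguous wildcards only)."""
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def parse(config):
    """Extract DHCP pools, interfaces, standard ACLs and NAT source lists."""
    pools, interfaces, acls, nat_lists = {}, {}, {}, []
    ctx = {}  # settings of the block we are currently inside
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):
            ctx = {}  # an unindented line ends the previous block
        if m := re.match(r"ip dhcp pool (\S+)$", line):
            ctx = pools.setdefault(m[1], {})
        elif m := re.match(r"interface (\S+)$", line):
            ctx = interfaces.setdefault(m[1], {"nat_inside": False})
        elif m := re.match(r"network (\S+) (\S+)$", line):
            ctx["network"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"default-router (\S+)$", line):
            ctx["router"] = ipaddress.ip_address(m[1])
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            ctx["address"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif line == "ip nat inside":
            ctx["nat_inside"] = True
        elif m := re.match(r"ip nat inside source list (\d+) ", line):
            nat_lists.append(m[1])
        elif m := re.match(r"access-list (\d+) permit (\S+) (\S+)$", line):
            acls.setdefault(m[1], []).append(wildcard_to_network(m[2], m[3]))
    return pools, interfaces, acls, nat_lists


def audit(config):
    """Return a list of findings; an empty list means the pieces agree."""
    pools, interfaces, acls, nat_lists = parse(config)
    inside = {name: i["address"] for name, i in interfaces.items()
              if i["nat_inside"] and "address" in i}
    findings = []
    # A pool whose default-router is this interface must lease from its subnet.
    for pname, pool in pools.items():
        for ifname, addr in inside.items():
            if pool.get("router") == addr.ip and pool.get("network") != addr.network:
                findings.append(
                    f"dhcp pool {pname} leases from {pool.get('network')} but its "
                    f"default-router {addr.ip} sits on {ifname} as {addr.network}")
    # Heuristic: a NAT list wider than the connected inside subnet is suspicious
    # unless further inside networks are routed behind this interface.
    for acl in nat_lists:
        for net in acls.get(acl, []):
            for ifname, addr in inside.items():
                if net != addr.network and addr.network.subnet_of(net):
                    findings.append(
                        f"NAT list {acl} permits {net} but {ifname} only has "
                        f"{addr.network} on-link")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, audit(cfg) or "consistent")
```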

Re: [c-nsp] VLAN-based EoMPLS

2010-11-03 Thread Ziv Leyes
What version were you using if you don't mind to share?
It's important to me as I'm just now working on a new MPLS setup with one of 
the latest 12.2 SE versions!


-Original Message-
From: Manaf Al Oqlah [mailto:man...@hotmail.com] 
Sent: Tuesday, November 02, 2010 4:55 PM
To: Ziv Leyes; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] VLAN-based EoMPLS

it was a bug!!! I downgraded the ios to 12.2(44)SE6 and everything is working 
fine now!!

----------
From: "Ziv Leyes" 
Sent: Monday, November 01, 2010 11:32 AM
To: 
Subject: Re: [c-nsp] VLAN-based EoMPLS

> I'm answering but I'm actually more like asking.
> Could it be a MTU issue here?
>
> Ziv
>
>
>
>
> -Original Message-
> From: cisco-nsp-boun...@puck.nether.net 
> [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Lee Riemer
> Sent: Thursday, October 28, 2010 5:43 PM
> To: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] VLAN-based EoMPLS
>
> Can you see the far end in your arp table?
>
> On 10/28/2010 1:46 AM, Manaf Al Oqlah wrote:
>>
>> Hi,
>>
>> I have established an EoMPLS circuit on ME3750 switches as below.
>> everything seems to be working fine as my virtual circuit is UP but 
>> my problem is that I can't ping IP address CE02 from CE01
>>
>> PC01---CE01---PE01---PE02---CE02---PC02
>>
>> I have applied the following configuration on PE01 & PE02 ES ports
>>
>> interface loopback 0
>>  ip address 1.1.1.1 255.255.255.255
>> !
>> interface GigabitEthernet1/1/1
>>  description to PE02
>>  ip address 10.0.0.1 255.255.255.252
>>  mpls ip
>> !
>> interface GigabitEthernet1/1/2
>>  description to CE01
>>  switchport mode access
>>  switchport access vlan 100
>> !
>> vlan 100
>> !
>> interface vlan 100
>>  xconnect 2.2.2.2 100 encapsulation mpls
>>
>> where could be my problem!
>>
>> Regards,
>> Manaf Al Oqlah
>
> --
> Lee Riemer
> Director of Technical Operations
> Bestline Communications, L.P.
> Voice: 1+512.328.9095
> Fax: 1+512.328.0038
>


Re: [c-nsp] VLAN-based EoMPLS

2010-11-01 Thread Ziv Leyes
I'm answering but I'm actually more like asking.
Could it be a MTU issue here?

Ziv




-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Lee Riemer
Sent: Thursday, October 28, 2010 5:43 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] VLAN-based EoMPLS

Can you see the far end in your arp table?

On 10/28/2010 1:46 AM, Manaf Al Oqlah wrote:
>
> Hi,
>
> I have established an EoMPLS circuit on ME3750 switches as below. 
> everything seems to be working fine as my virtual circuit is UP but my 
> problem is that I can't ping IP address CE02 from CE01
>
> PC01---CE01---PE01---PE02---CE02---PC02
>
> I have applied the following configuration on PE01 & PE02 ES ports
>
> interface loopback 0
>  ip address 1.1.1.1 255.255.255.255
> !
> interface GigabitEthernet1/1/1
>  description to PE02
>  ip address 10.0.0.1 255.255.255.252
>  mpls ip
> !
> interface GigabitEthernet1/1/2
>  description to CE01
>  switchport mode access
>  switchport access vlan 100
> !
> vlan 100
> !
> interface vlan 100
>  xconnect 2.2.2.2 100 encapsulation mpls
>
> where could be my problem!
>
> Regards,
> Manaf Al Oqlah

--
Lee Riemer
Director of Technical Operations
Bestline Communications, L.P.
Voice: 1+512.328.9095
Fax: 1+512.328.0038



Re: [c-nsp] SLA tracking, what do you ping?

2010-10-20 Thread Ziv Leyes
I've answered this on a previous post, here's an example of what I use

==
ip sla monitor 1
 type echo protocol ipIcmpEcho 1.1.1.1
!
ip sla monitor schedule 1 life forever start-time now
!
track 1 rtr 1 reachability
!

ip sla monitor 2
 type echo protocol ipIcmpEcho 2.2.2.2
!
ip sla monitor schedule 2 life forever start-time now
!
track 2 rtr 2 reachability
!

ip route 10.0.0.0 255.255.255.0 1.1.1.1 100 name track 1
ip route 10.0.0.0 255.255.255.0 2.2.2.2 200 name track 2
==

As long as 1.1.1.1 is available, its routing will be valid because of the smaller 
administrative distance, if not, then the second one will become active.
In any case, you'll always see only one routing line in the table.
You could add a few more using the same principle, just bear in mind, ip sla is 
a bit resource consuming, so you better not use it deliberately.

Hope this helps,
Ziv


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jay Nakamura
Sent: Wednesday, October 20, 2010 4:15 PM
To: cisco-nsp
Subject: Re: [c-nsp] SLA tracking, what do you ping?

On a side note, is there a way to ping several IPs and declare it down if, for 
example, 2 out of 3 is down?  I am mostly interested in removing default route 
via track command.

I read the documentation and couldn't find how you could do that but sometimes 
I just have one of those days.

2010/10/20 Ziv Leyes :
> Yeah, something like "traceroute.org" which is always answering
> But you better try to get a "closer" IP to ping, one that is reliable and 
> gives you indication of what should be working fine, something like 
> the provider's LNS you're connecting to, or the like
>
> -Original Message-
> From: cisco-nsp-boun...@puck.nether.net 
> [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Heath Jones
> Sent: Wednesday, October 20, 2010 10:23 AM
> To: Jay Nakamura
> Cc: cisco-nsp
> Subject: Re: [c-nsp] SLA tracking, what do you ping?
>
> Just ping 'the internet'... :)
>
>
> On 20 October 2010 02:35, Jay Nakamura  wrote:
>> When you use IP SLA to track if an upstream is working on a ISP 
>> connection (From customer point of view, and you are not the ISP that 
>> knows what will be safe to ping), what do you usually configure to 
>> ping?  I have found that one hop up from the CPE is not necessarily 
>> reliable on DSL/Cable.  I was wondering if anyone can share their 
>> experience on what works well and what to look out for.
>>
>> Thanks,
>>
>

Re: [c-nsp] SLA tracking, what do you ping?

2010-10-20 Thread Ziv Leyes
Yeah, something like "traceroute.org" which is always answering
But you better try to get a "closer" IP to ping, one that is reliable and gives 
you indication of what should be working fine, something like the provider's 
LNS you're connecting to, or the like

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Heath Jones
Sent: Wednesday, October 20, 2010 10:23 AM
To: Jay Nakamura
Cc: cisco-nsp
Subject: Re: [c-nsp] SLA tracking, what do you ping?

Just ping 'the internet'... :)


On 20 October 2010 02:35, Jay Nakamura  wrote:
> When you use IP SLA to track if an upstream is working on a ISP 
> connection (From customer point of view, and you are not the ISP that 
> knows what will be safe to ping), what do you usually configure to 
> ping?  I have found that one hop up from the CPE is not necessarily 
> reliable on DSL/Cable.  I was wondering if anyone can share their 
> experience on what works well and what to look out for.
>
> Thanks,
>


Re: [c-nsp] 12.4 for 7205vxr npe-g2 recommendation?

2010-10-17 Thread Ziv Leyes
Yeah, I know, my bad, I just chose a bad example, sorry for misleading
I was actually trying to say that not always the newest is the best...
Sorry again for the confusion
Ziv

-Original Message-
From: Gert Doering [mailto:g...@greenie.muc.de] 
Sent: Sunday, October 17, 2010 11:26 AM
To: Ziv Leyes
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 12.4 for 7205vxr npe-g2 recommendation?

Hi,

On Sun, Oct 17, 2010 at 10:13:43AM +0200, Ziv Leyes wrote:
> Does it have to be 12.4?
> Why not going for an older, mature, bug free, that gives you all the same 
> features you need?
> Something like c7200-advipservicesk9-mz.122-33.SRE or the like

Haaahahahaha :-)

Very good joke.  SRE is 1000x more bleeding edge than 12.4 mainline.

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025    g...@net.informatik.tu-muenchen.de

 
 



Re: [c-nsp] 12.4 for 7205vxr npe-g2 recommendation?

2010-10-17 Thread Ziv Leyes
Does it have to be 12.4?
Why not going for an older, mature, bug free, that gives you all the same 
features you need?
Something like c7200-advipservicesk9-mz.122-33.SRE or the like


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of LM
Sent: Thursday, October 14, 2010 9:01 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] 12.4 for 7205vxr npe-g2 recommendation?

just that, any recommendation?

services running:
- nat
- eigrp
- bgp
- hsrp
- pim
- cdp
- gre tunnels
- ipsec



Re: [c-nsp] How to bring one link down if another related link goes down

2010-09-28 Thread Ziv Leyes
Or, if your equipment supports it, use ip sla and track based routing.
I use this solution for a couple of tunnels, here's an example:

==
ip sla monitor 1
 type echo protocol ipIcmpEcho 1.1.1.1
!
ip sla monitor schedule 1 life forever start-time now
!
track 1 rtr 1 reachability
!

ip sla monitor 2
 type echo protocol ipIcmpEcho 2.2.2.2
!
ip sla monitor schedule 2 life forever start-time now
!
track 2 rtr 2 reachability
!

ip route 10.0.0.0 255.255.255.0 1.1.1.1 100 name track 1
ip route 10.0.0.0 255.255.255.0 2.2.2.2 200 name track 2
==

As long as 1.1.1.1 is available, its routing will be valid because of the smaller 
administrative distance, if not, then the second one will become active.
In any case, you'll always see only one routing line in the table.

Hope this helps,
Ziv



-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mikael Abrahamsson
Sent: Tuesday, September 28, 2010 7:52 AM
To: John Neiberger
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] How to bring one link down if another related link goes 
down

On Mon, 27 Sep 2010, John Neiberger wrote:

> That may be the best idea I've seen. It wouldn't even be necessary for 
> it to bring the links back up automatically. If one link goes down, 
> we're going to need to do a lot of careful troubleshooting before we 
> bring it up, so a manual restoration process would be best.

I recommend changing the metric of the routing protocol of the link instead of 
shutting it down. Set it to a very high value indicating the link is "a last 
resort". Do it at both ends.

-- 
Mikael Abrahamsson    email: swm...@swm.pp.se
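How the two tracked static routes in the reply above (the same configuration also appears in the "SLA tracking, what do you ping?" reply) resolve to a single installed route can be modelled in a few lines. This is an added Python model, not code from the thread; it also generalises to the "2 out of 3 probes down" case asked about in the SLA thread. Class and function names are hypothetical, the probe rounds are constructed, and probe timers are ignored.

```python
from dataclasses import dataclass


@dataclass
class Track:
    """Track object: up while no more than `max_down` of its probe targets fail."""
    targets: tuple
    max_down: int = 0

    def is_up(self, reachable):
        down = sum(1 for t in self.targets if t not in reachable)
        return down <= self.max_down


@dataclass
class StaticRoute:
    prefix: str
    next_hop: str
    distance: int
    track: Track


def installed_route(routes, prefix, reachable):
    """The single route the routing table holds for `prefix`, or None.

    A tracked static route is only a candidate while its track is up; among
    the candidates the lowest administrative distance wins.
    """
    candidates = [r for r in routes
                  if r.prefix == prefix and r.track.is_up(reachable)]
    return min(candidates, key=lambda r: r.distance, default=None)


def failover_timeline(routes, prefix, probe_rounds):
    """Next hop in use after each round of probe results (None = no route)."""
    timeline = []
    for reachable in probe_rounds:
        route = installed_route(routes, prefix, reachable)
        timeline.append(route.next_hop if route else None)
    return timeline


# The two routes from the configuration in the thread.
THREAD_ROUTES = [
    StaticRoute("10.0.0.0/24", "1.1.1.1", 100, Track(("1.1.1.1",))),
    StaticRoute("10.0.0.0/24", "2.2.2.2", 200, Track(("2.2.2.2",))),
]

# Constructed probe results: healthy, primary lost, both lost, primary back.
ROUNDS = [{"1.1.1.1", "2.2.2.2"}, {"2.2.2.2"}, set(), {"1.1.1.1", "2.2.2.2"}]

# Generalisation: a default route withdrawn only when 2 of its 3 probe
# targets fail. The targets are constructed documentation addresses.
PROBES = ("192.0.2.1", "198.51.100.1", "203.0.113.1")
DEFAULT_ROUTE = [StaticRoute("0.0.0.0/0", "1.1.1.1", 1, Track(PROBES, max_down=1))]
PROBE_ROUNDS = [set(PROBES), {"192.0.2.1", "203.0.113.1"}, {"192.0.2.1"}]

if __name__ == "__main__":
    print(failover_timeline(THREAD_ROUTES, "10.0.0.0/24", ROUNDS))
    print(failover_timeline(DEFAULT_ROUTE, "0.0.0.0/0", PROBE_ROUNDS))
```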


Re: [c-nsp] NAT issue

2010-09-26 Thread Ziv Leyes
Perhaps you have way too many ongoing translations.
You can surpass the problems if you try to tweak the NAT settings a bit.
Try to play with the "ip nat translation timeout" settings, there are absolute 
timeouts or protocol based timeouts.
You can also limit the total amount of translations performed, also globally or 
protocol based.
A combination of both may bring you to the optimal settings for you.
Check your "sh ip nat statistics" output for hints on what's causing the 
exhaustion.
HTH
Ziv





-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mohammad Khalil
Sent: Sunday, September 26, 2010 3:48 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] NAT issue


Hi all

I have configured NAT on Cisco 2811.
Sometimes we face disconnections and the problem is resolved after clearing the 
NAT translations.

Is that logical? What is the best way to monitor the NAT translations?

Thanks
  


Re: [c-nsp] SIP not working behind NAT

2010-09-26 Thread Ziv Leyes
The function "ip nat piggyback-support" can help you solve issues with SIP 
behind NAT 
Read more about this here: 
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t2/htsmpws.html 

Ziv

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Bikash Bhattarai
Sent: Wednesday, September 22, 2010 10:41 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] SIP not working behind NAT

Dear all,

I have just configured a Cisco 1811 with c181x-advipservicesk9-mz.124-15.T10. 
If I put my ATA on public IP it works fine but if I put behind NAT it doesn't 
work. Proxy registration works fine and I can get Call from other end. But I 
can't make call to other end.
Please help.

Regards,
Bikash Bhattarai



Re: [c-nsp] Quick etherchannel load-balance question...

2010-09-04 Thread Ziv Leyes
Short answer is yes.
To be more specific, I don't really know the "science" behind this, or about 
why it works, I only know I have two different circuits between two remote 
sites, they're both on etherchannel and the etherchannel is a vlan trunk that 
transfers 3 or 4 vlans and the load balance seems to be working fine with 
src/dst IP setting...


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jeff Kell
Sent: Thursday, September 02, 2010 10:49 PM
To: cisco-nsp
Subject: [c-nsp] Quick etherchannel load-balance question...

 For switches capable of doing etherchannel load-balancing on IP address (e.g.,
src-dst-ip on a 3750)...

If there is a "trunked" port-channel, does this still apply at the vlan src/dst 
IP ?

Jeff


Re: [c-nsp] Recommendation request for gateway router specs

2010-08-31 Thread Ziv Leyes
It's ok, my bad, I was talking about the difference between them and the 7201.


-Original Message-
From: Garry [mailto:g...@gmx.de] 
Sent: Tuesday, August 31, 2010 2:58 PM
To: Ziv Leyes
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Recommendation request for gateway router specs

 On 31.08.2010 09:01, Ziv Leyes wrote:
> The 7200 VXR may be a good choice, lower price than ASR and still delivers 
> what you need.
> In case you don't really need all the expansion options perhaps a 7206 is 
> too "big" for you in matters of rack space and you can go for a 7204 or even 
> a 7201, same machine, less space.
Not wanting to nit-pick here, but the 7204 and 7206 are the same
routers, same box, just two less backplane slots ... so no space saving
there ...

 
 



Re: [c-nsp] Recommendation request for gateway router specs

2010-08-31 Thread Ziv Leyes
The 7200 VXR may be a good choice, lower price than ASR and still delivers what 
you need.
In case you don't really need all the expansion options perhaps a 7206 is too 
"big" for you in matters of rack space and you can go for a 7204 or even a 
7201, same machine, less space.
If I remember right, you can get one of those with 3 Gb interfaces on NPE-G1 or 
NPE-G2 which can be either copper or optic.
For full routing table, even if less may be enough, I recommend you to put 1 GB 
RAM on it.




-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Seth Mattinen
Sent: Monday, August 30, 2010 11:49 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Recommendation request for gateway router specs

On 8/30/2010 12:30, Nick Voth wrote:
> 
> I'm most familiar with the 7206 VXR series, but that seems like overkill
> for this solution. Anyone have any general recommendations or guidance you'd
> be willing to share?
> 

The 7206 would be appropriate if you need to move a gigabit of traffic.

~Seth


Re: [c-nsp] Don't NAT a Subset of Traffic

2010-08-22 Thread Ziv Leyes
Where do you want to pass the traffic without NAT? to your own public network? 
What else do you have connected there? Some server?
I can suggest you either create a NAT pool of a single public IP from your 
range, and let it access the other public IPs in the same range.
OTOH, if all your devices are on the same network, why don't you just access 
them via the local IPs instead the public ones?



-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Sridhar Ayengar
Sent: Sunday, August 22, 2010 12:29 PM
To: Cisco NSPs
Subject: [c-nsp] Don't NAT a Subset of Traffic


I have a Verizon FiOS connection with 5 IP addresses attached to my 7505.

So because it's excluded from the access-list, traffic from my private 
network 172.16.16.0 to my public IP addresses is not NATed.  I still 
can't figure out how to pass this traffic without NATing it.  If I 
remove the deny line from the access-list, the traffic is correctly 
passed NATed.  Anyone have any ideas for me?

Thanks.

Peace...  Sridhar

A snippet of my configuration (with irrelevant bits removed) follows:

bridge irb
!
!
interface FastEthernet2/0/0
  no ip address
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip virtual-reassembly
  no ip mroute-cache
  half-duplex
  no cdp enable
  no mop enabled
  bridge-group 1
!
interface FastEthernet2/1/0
  ip address 172.16.16.1 255.255.255.0
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat inside
  ip virtual-reassembly
  full-duplex
  no cdp enable
  no mop enabled
!
interface FastEthernet3/0/0
  no ip address
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip virtual-reassembly
  no ip mroute-cache
  half-duplex
  no cdp enable
  no mop enabled
  bridge-group 1
!
interface BVI1
  ip address 173.50.165.26 255.255.255.0
  ip nat outside
  ip virtual-reassembly
!
ip classless
ip route 0.0.0.0 0.0.0.0 173.50.165.1
!
ip nat translation max-entries 300
ip nat inside source list 101 interface BVI1 overload
!
access-list 101 deny   ip 172.16.16.0 0.0.0.255 173.50.165.24 0.0.0.7
access-list 101 permit ip 172.16.16.0 0.0.0.255 any
access-list 101 deny   ip any any

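Which flows access-list 101 in the quoted configuration hands to NAT can be worked out by evaluating its three entries first-match with wildcard-mask semantics. The following is an added Python sketch, not code from the thread: the inside host 172.16.16.10 and the destination 198.51.100.10 are constructed sample values, and the helper names are hypothetical.

```python
import ipaddress

# access-list 101 as quoted in the thread:
# (action, source, source wildcard, destination, destination wildcard)
ACL_101 = [
    ("deny",   "172.16.16.0", "0.0.0.255", "173.50.165.24", "0.0.0.7"),
    ("permit", "172.16.16.0", "0.0.0.255", "any", None),
    ("deny",   "any", None, "any", None),
]


def _as_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """Wildcard semantics: bits set in the wildcard are 'don't care' bits."""
    if base == "any":
        return True
    care = ~_as_int(wildcard) & 0xFFFFFFFF
    return (_as_int(addr) & care) == (_as_int(base) & care)


def nat_decision(acl, src, dst):
    """First matching entry wins; only a 'permit' selects the flow for NAT.

    Returns (outcome, number of the entry that matched). A flow that is not
    selected is still forwarded, just with its original source address.
    """
    for index, (action, s, sw, d, dw) in enumerate(acl, start=1):
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return ("translate" if action == "permit" else "bypass NAT", index)
    return ("bypass NAT", 0)  # implicit deny at the end of every ACL


def wildcard_range(base, wildcard):
    """First and last address covered by a contiguous wildcard entry."""
    low = _as_int(base) & ~_as_int(wildcard) & 0xFFFFFFFF
    high = low | _as_int(wildcard)
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))


if __name__ == "__main__":
    # The deny entry covers the block that contains the BVI1 address .26.
    print(wildcard_range("173.50.165.24", "0.0.0.7"))
    samples = [
        ("172.16.16.10", "173.50.165.26"),   # inside host -> own public block
        ("172.16.16.10", "173.50.165.32"),   # just outside the denied block
        ("172.16.16.10", "198.51.100.10"),   # inside host -> Internet (constructed)
        ("10.0.0.1", "198.51.100.10"),       # source not in the inside subnet
    ]
    for src, dst in samples:
        print(src, "->", dst, nat_decision(ACL_101, src, dst))
```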


Re: [c-nsp] Why hard-setting speed and duplex on Fast Ethernet is bad

2010-08-21 Thread Ziv Leyes
Funny, that is, but the "YMMV" here is the most proper way to point this.
I've had experience with so many different problems between devices that I try 
first to leave it as is (autoneg) but on the first time one of the devices 
causes a problem I hardcode it.
I've seen problems when connecting customers back end with a Telindus 1030 
router to a Cisco 1841 router where in some cases the auto negotiation went 
fine, and sometimes it didn't, and some cases hardcoded caused CRC errors, so I 
had to evaluate every single case, and we're talking about the same both make 
and models on similar environments, so what would you suggest me to do?
What I just did was to see if the auto worked, and then tried the manual, but 
IF the manual caused problems then I had to make the guys at the E1 circuit 
carrier make some adaptations in the shaping of the line.
Every time I had to connect a new customer all we had to do is plug and pray...
See, sometimes it's not only up to IEEE 802.3 stuff, but also on how every device 
handles the stuff.


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of John Neiberger
Sent: Friday, August 20, 2010 4:46 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Why hard-setting speed and duplex on Fast Ethernet is bad

Someone in the other thread mentioned that they were surprised to see
that so many people were against manually configuring speed and
duplex, so I thought I would explain why this is a bad idea most of
the time.

The Fast Ethernet standard does not mention how devices are supposed
to behave when manually configured. It only deals with Nway
autonegotiation. The problem is that there are two possible behaviors
when settings are manually configured:

#1:  Participate in Nway, but only offer the configured settings
#2:  Disable Nway entirely and run at the configured settings

Cisco's older switches, like the XL series, used behavior #1, as do
most PC/Server NICs that I've run across for the past eight years or
so. Beginning around the time the 2950s came out, Cisco decided to
switch to behavior #2. If you connect two devices that use behavior
#1, you'll be fine. If you connect two devices that use behavior #2,
you'll be fine. But what happens if you connect a "#1" device to a
"#2" device? You get a duplex mismatch! The device that still
participates in Nway is going to expect to see an autonegotiating link
partner. When it doesn't detect one, it follows the standard and
assumes it is connected to a hub or some device that can't do full
duplex and it falls back to half duplex, often without telling you.
This creates input errors on the full duplex side and late collisions
on the half duplex side. If you have hard-set your speed and duplex on
a Cisco switch and you're seeing a lot of input errors, you likely
have a duplex mismatch because of this problem. Setting BOTH sides to
auto usually resolves this issue.

Auto is the only reliable way to go these days unless you know ahead
of time which of the two behaviors your devices are choosing. If you
don't know, autonegotiation is the most likely way to get a good
connection at 100/full.

I hope that helps clear some of that up.

-John
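
The outcome table behind the explanation above, as an added example (not code from the original post). It models a port left at auto, behavior #1 and behavior #2, and goes slightly beyond the post by also pairing an auto port with a #2 port; speed is assumed to match on both ends, and all class and function names are illustrative.

```python
"""Duplex outcome model for auto, behaviour #1 and behaviour #2 ports.

Assumption: both ends run at the same speed (100 Mb/s), so only duplex
is resolved. Names are illustrative, not from any vendor tool.
"""
from dataclasses import dataclass
from itertools import combinations_with_replacement
from typing import Dict, FrozenSet, Optional, Tuple

FULL, HALF = "full", "half"


@dataclass(frozen=True)
class Port:
    name: str
    nway: bool               # True: takes part in Nway autonegotiation
    offered: FrozenSet[str]  # duplex modes advertised through Nway
    forced: Optional[str]    # duplex used when Nway is switched off


def auto(name: str) -> Port:
    """Port left at auto: negotiates and offers both duplex modes."""
    return Port(name, True, frozenset({FULL, HALF}), None)


def hardset_nway(name: str, duplex: str) -> Port:
    """Behaviour #1: still speaks Nway but offers only the configured duplex."""
    return Port(name, True, frozenset({duplex}), None)


def hardset_silent(name: str, duplex: str) -> Port:
    """Behaviour #2: Nway disabled, runs at the configured duplex."""
    return Port(name, False, frozenset(), duplex)


def resolve(a: Port, b: Port) -> Optional[Tuple[str, str]]:
    """Return the duplex each end settles on, or None if Nway finds no common mode."""
    if a.nway and b.nway:
        common = a.offered & b.offered
        if not common:
            return None
        best = FULL if FULL in common else HALF
        return best, best
    if not a.nway and not b.nway:
        return a.forced, b.forced
    # Exactly one end negotiates. It hears no Nway partner, assumes a hub-like
    # device and falls back to half duplex; the silent end keeps its setting.
    if a.nway:
        return HALF, b.forced
    return a.forced, HALF


def diagnose(a: Port, b: Port) -> Dict[str, str]:
    """Map each port name to the symptom the post associates with its side."""
    result = resolve(a, b)
    if result is None:
        return {a.name: "no link", b.name: "no link"}
    if result[0] == result[1]:
        return {a.name: "ok", b.name: "ok"}
    symptom = {FULL: "input errors", HALF: "late collisions"}
    return {a.name: symptom[result[0]], b.name: symptom[result[1]]}


def mismatch_matrix() -> Dict[Tuple[str, str], bool]:
    """Duplex-mismatch verdict for every pairing of auto, #1 and #2 (hard-set to full)."""
    makers = {
        "auto": auto,
        "#1 full": lambda n: hardset_nway(n, FULL),
        "#2 full": lambda n: hardset_silent(n, FULL),
    }
    matrix = {}
    for left, right in combinations_with_replacement(makers, 2):
        result = resolve(makers[left]("a"), makers[right]("b"))
        matrix[(left, right)] = result is not None and result[0] != result[1]
    return matrix


if __name__ == "__main__":
    for pair, bad in mismatch_matrix().items():
        print(f"{pair[0]:>8} <-> {pair[1]:<8} {'DUPLEX MISMATCH' if bad else 'ok'}")
```
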


Re: [c-nsp] Cisco IOS Release 15.0S for the Cisco 7600 and Cisco 10000 series routers

2010-08-05 Thread Ziv Leyes
You're right, but OTOH, if it's working perfectly there is no reason to upgrade 
to 15.0.


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of LM
Sent: Wednesday, August 04, 2010 9:05 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cisco IOS Release 15.0S for the Cisco 7600 and Cisco 10000 
series routers

This is disgusting, especially if your 7200 is at 15% of capacity working 
perfectly.

On 04/08/10 14:40, Mounir Mohamed wrote:
> Yes very interested.
>
> Thus 7200 will get out of the picture, because the SR train is used on the
> 7200 series with NPE-G2 in many small size service providers, and since
> 15.0s will be available for 7600 and 10000 only, any small size SP should
> move to ASR1002.
>
>
>
> On Wed, Aug 4, 2010 at 2:54 PM, Antonio Soares  wrote:
>
>
>> This seems interesting:
>>
>>
>>
>> Cisco IOS Release 15S initiates a consolidated support strategy to provide
>> greater consistency in new feature release and rebuild schedules and to
>> simplify the software selection process. The release numbering has changed
>> from 12.2SR to 15S to support this strategy and simplified software
>> selection process.
>>
>>
>>
>> http://www.cisco.com/en/US/docs/ios/15_0s/release/notes/15_0s_rn.html
>>
>>
>>
>>
>>
>>
>>
>> Regards,
>>
>>
>>
>> Antonio Soares, CCIE #18473 (R&S/SP)
>> amsoa...@netcabo.pt
>>


Re: [c-nsp] Ping Script

2010-08-02 Thread Ziv Leyes
I suggest you do not use a router for such tasks, a router is not a monitoring 
device.
Better fire up a linux box and install one of the many free programs available 
out there.


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mohammad Khalil
Sent: Monday, August 02, 2010 5:21 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Ping Script


Hi all,

I want to ping several hosts at the same time.
If I use tclsh scripting I will be waiting for each ping session to finish.
What other ways do I have?
  


Re: [c-nsp] Load startup config on flash on Cisco 1721 ?

2010-07-29 Thread Ziv Leyes
"boot config flash nvbypass" or the like, depending on what's available in your 
router, I'm not totally sure this was supported on 17xx

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Stephane MAGAND
Sent: Wednesday, July 28, 2010 7:11 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Load startup config on flash on Cisco 1721 ?

Hi

I am searching for a solution for the Cisco 1721 to load the startup-config on
the flash and not
on the NVRAM.

Is it possible?

thanks
Stephane


Re: [c-nsp] Mysterious GRE tunnel flap

2010-07-26 Thread Ziv Leyes
Beats me...
I'd love to hear if and when you find the source of the problem


From: Quinn Kuzmich [mailto:lostinmos...@gmail.com]
Sent: Monday, July 26, 2010 3:27 AM
To: Ziv Leyes
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Mysterious GRE tunnel flap

There's nothing under the HSRP events.  The other router has a higher priority 
over 100 set on its interface.
On Sun, Jul 25, 2010 at 12:26 AM, Ziv Leyes <mailto:z...@gilat.net> wrote:
I'll take a wild guess here.
Since you're sourcing the tunnel with the hsrp ip, and you don't have a standby 
priority set it means that there is another device "competing" on the  IP 
address. Could it be that for some strange reason the hsrp is fluctuating 
between them and this causes the tunnel to be unstable?
Can you check the HSRP events and see what happens?
Also, as I said, try to take off the keepalive on the tunnel and set a higher 
standby priority to one of the devices, just to see if it helps.
HTH
Ziv







Re: [c-nsp] Mysterious GRE tunnel flap

2010-07-24 Thread Ziv Leyes
I'll take a wild guess here.
Since you're sourcing the tunnel with the hsrp ip, and you don't have a standby 
priority set it means that there is another device "competing" on the  IP 
address. Could it be that for some strange reason the hsrp is fluctuating 
between them and this causes the tunnel to be unstable?
Can you check the HSRP events and see what happens?
Also, as I said, try to take off the keepalive on the tunnel and set a higher 
standby priority to one of the devices, just to see if it helps.
HTH
Ziv


From: Quinn Kuzmich [mailto:lostinmos...@gmail.com]
Sent: Thursday, July 22, 2010 7:08 PM
To: Gert Doering
Cc: Ziv Leyes; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Mysterious GRE tunnel flap

Ok, here's the config for one of the two routers - they have the same basic 
HSRP config so if one is wrong, so is the other.  Remember, the other end of 
the tunnel is NOT exhibiting the problem at all.


!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname rem16-miramar-r2
!
boot-start-marker
boot-end-marker
!
logging count
logging message-counter syslog
logging buffered 51200
no logging console
!
no aaa new-model
ip source-route
!
!
!
!
no ip cef
ip domain lookup source-interface FastEthernet0/0
ip domain name cell2.psap.bc.local
ip multicast-routing
no ipv6 cef
ntp server 10.3.0.1
multilink bundle-name authenticated
!
!
archive
 log config
  hidekeys
!
!
ip tftp source-interface FastEthernet0/0
!
track 1 interface Serial0/1/0 ip routing
!
!
!
!
interface Tunnel16
 description *** TUNNEL FOR VSS 16 (Multicast only) ***
 ip address 10.250.16.1 255.255.255.252
 ip pim query-interval 1
 ip pim state-refresh origination-interval 4
 ip pim dense-mode
 ip tcp adjust-mss 1436
 no ip mroute-cache
 keepalive 1 1
 tunnel source 10.16.15.254
 tunnel destination 10.3.15.254
!
interface FastEthernet0/0
 description *** BACKROOM ***
 ip address 10.16.15.252 255.255.240.0
 ip access-group 100 out
 ip helper-address 10.3.0.1
 ip pim dr-priority 255
 ip pim query-interval 1
 ip pim state-refresh origination-interval 4
 ip pim dense-mode
 no ip mroute-cache
 speed 100
 full-duplex
 keepalive 1
 standby delay minimum 45 reload 60
 standby 1 ip 10.16.15.254
 standby 1 timers 1 3
 standby 1 preempt delay minimum 15 reload 15 sync 15
 standby 1 track Serial0/1/0
!
interface FastEthernet0/1
 description *** CROSSOVER R2 R1 ***
 ip address 10.252.216.2 255.255.255.0
 ip hello-interval eigrp 2604 1
 ip hold-time eigrp 2604 2
 speed 100
 full-duplex
 keepalive 1
!
interface Serial0/1/0
 ip address 10.252.16.2 255.255.255.252
 ip hello-interval eigrp 2604 1
 ip hold-time eigrp 2604 3
 keepalive 4
 no fair-queue
 service-module t1 timeslots 1-24
!
router eigrp 2604
 passive-interface FastEthernet0/0
 network 10.16.0.0 0.0.15.255
 network 10.252.0.0 0.0.255.255
 no auto-summary
 eigrp stub connected
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.252.216.1 240
!
!
no ip http server
ip dns server
ip mroute 10.0.0.0 255.0.0.0 10.250.16.2
!
ip access-list standard AllSites
 permit 10.0.0.0
ip access-list standard MyRemoteSite
 permit 10.16.0.0 0.0.15.255
!
logging source-interface FastEthernet0/0
logging server-arp
logging 10.4.0.1
access-list 100 deny   udp 10.4.0.0 0.0.15.255 any gt 5000
access-list 100 permit ip any any
access-list 101 deny   udp 10.3.0.0 0.0.15.255 any gt 5000
access-list 101 permit ip any any
!
route-map REM-LEAK-LIST permit 10
 match ip address AllSites
 match interface FastEthernet0/1
!
route-map REM-LEAK-LIST permit 20
 match ip address MyRemoteSite
 match interface Serial0/1/0
!
!
!
control-plane
!
!
!
line con 0
 login local
line aux 0
line vty 0 4
 exec-timeout 0 0
 login local
 transport input telnet
line vty 5 15
 exec-timeout 0 0
 login
 transport input telnet






Re: [c-nsp] A few very Quick IP SLA questions

2010-07-22 Thread Ziv Leyes
I remember taking the whole core traffic down on a switch when trying a 
deliberate and wrong use of "ip local policy route-map" due to lack of 
experience and understanding. (sh*t happens)
So my suggestion is to do it carefully, understanding what exactly you are 
trying to do... :-)



-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Peter Rathlev
Sent: Sunday, July 18, 2010 7:34 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] A few very Quick IP SLA questions

On Sun, 2010-07-18 at 13:15 +0200, Mikael Abrahamsson wrote:
> Does policy based routing work on traffic originated by the router
> itself? Then that might be a way as well...

With "ip local policy route-map " it does, and AFAIK that's a smart
way of making sure IP SLA probes choose the right interface or fail.

-- 
Peter





Re: [c-nsp] Mysterious GRE tunnel flap

2010-07-22 Thread Ziv Leyes
Can this be related to keepalive settings?
Do you have a keepalive line in your tunnel configuration? If you don't then it 
means it's set to 10 seconds by default, try to put "no keepalive"


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Quinn Kuzmich
Sent: Thursday, July 22, 2010 4:34 AM
To: Pete Lumbis
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Mysterious GRE tunnel flap

No drops of any kind on the interfaces.  Any of the usual culprits (carrier
resets, IPs reassigned, routing bugaboos etc) do not seem to match this.  We
aren't seeing any hits with EIGRP at the time this happens, and the
interfaces do not see any hits on the counters.  To make this stranger, it's
only ONE end of the tunnel going down.  The other side stays up.

Q

On Wed, Jul 21, 2010 at 7:24 PM, Pete Lumbis  wrote:

> I would take a box you can log outputs on (like a linux host).
>
> From site A set up a script that every 5 seconds prints the time then pings
> (say 10 packets):
> the local LAN interface, the local WAN interface, local the GRE IP, the
> remote WAN interface, remote LAN interface, remote GRE IP and if possible a
> host on the far side.
>
> Set up the same thing from side B.
>
> See if there are any drops anywhere along the path.
>
> I've seen issues like this where the carrier refreshes the IP but the lease
> always stays the same, or a batch job runs and congests the interface or
> anything else that would run on that kind of timer.
>
> Do you see any drops or anything on the physical interfaces from either
> side?
>
> Good luck, these kinds of problems can be hard to nail down.
>
> -Pete
>
>
> On Wed, Jul 21, 2010 at 8:10 PM, Quinn Kuzmich wrote:
>
>> I appreciate the reply - the tunnel source locally is actually an HSRP
>> virtual
>> interface, and it never goes down according to what I'm seeing.  And as
>> far
>> as I can recall, we get no errors on the interface that is acting as the
>> active router.
>>
>> Q
>>
>> On Wed, Jul 21, 2010 at 6:00 PM, Graham Wooden  wrote:
>>
>> > I'll take a stab at this ... I think it's something physical at one of
>> the
>> > sites.  Does any of the two interfaces has their line protocol go down?
>> Can
>> > you access down the link, outside the tunnel, ie. Ping your next hop
>> during
>> > this?
>> >
>> > I had something similar happen with some collocated gear at a remote
>> site.
>> > Around the same time every night, err counters on an interface would go
>> nuts
>> > for about 2 minutes. Lots of finger pointing between LEC and us. Well,
>> come
>> > to find out that the building's emergency lighting would be tested at
>> this
>> > time, and its cable run ran next to our T1s for a short distance before
>> > going into our room.
>> >
>> > Long story short here is check the physical layer first!
>> >
>> > -graham
>> >
>> > On 7/21/10 1:17 PM, "Quinn Kuzmich"  wrote:
>> >
>> > > Ok, I have a problem that I'm hoping someone can help out with.  I
>> have
>> > two
>> > > 1841s separated by a Metro-E WAN.  Over this is a GRE tunnel to route
>> > > multicast.  Every morning at 8AM EST, give or take 3 minutes, the
>> tunnel
>> > > will go down for about 30 seconds.  This happens every morning at this
>> > time,
>> > > there are no errors in EIGRP, nor on the WAN side (plenty of tickets
>> > opened
>> > > and we were watching the circuit when the flap happened, no dice) and
>> > we're
>> > > at a real loss.  Maybe a bug in the IOS?  An angry voodoo priest
>> > somewhere?
>> > >
>> > >
>> > > Ideas?  Thanks in advance!
>> > >
>> > > Q
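
The logging procedure suggested in the quoted reply above (print the time, then ping each hop along the path), combined with the advice earlier on this page to ping several hosts at once from a Linux box rather than from a router, as an added example that is not code from any poster. The target addresses are placeholder documentation addresses, the sample ping output is constructed, and the `ping` options assume Linux iputils.

```python
"""Timestamped, concurrent ping sweep over the hops of a tunnel path."""
import re
import subprocess
import time
from concurrent.futures import ThreadPoolExecutor
from datetime import datetime
from typing import Callable, Dict, Optional

# Placeholder targets (RFC 5737 documentation addresses), in the order listed
# in the thread. Replace them with the real interface and host addresses.
TARGETS: Dict[str, str] = {
    "local-lan": "192.0.2.1",
    "local-wan": "192.0.2.2",
    "local-gre": "192.0.2.3",
    "remote-wan": "198.51.100.1",
    "remote-lan": "198.51.100.2",
    "remote-gre": "198.51.100.3",
    "far-host": "198.51.100.10",
}

# Constructed samples of the iputils summary line, used by demo().
SAMPLE_CLEAN = "10 packets transmitted, 10 received, 0% packet loss, time 9012ms"
SAMPLE_LOSSY = "10 packets transmitted, 7 received, 30% packet loss, time 9100ms"

SUMMARY_RE = re.compile(r"(\d+) packets transmitted, (\d+) (?:packets )?received")

Result = Optional[Dict[str, int]]
Runner = Callable[[str], str]


def run_ping(host: str, count: int = 10, timeout_s: int = 1) -> str:
    """Run the system ping once and return its text output."""
    proc = subprocess.run(
        ["ping", "-n", "-c", str(count), "-W", str(timeout_s), host],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout


def parse_summary(output: str) -> Result:
    """Extract sent/received/lost counts, or None if there is no summary line."""
    match = SUMMARY_RE.search(output)
    if match is None:
        return None
    sent, received = int(match.group(1)), int(match.group(2))
    return {"sent": sent, "received": received, "lost": sent - received}


def sweep(targets: Dict[str, str], runner: Runner = run_ping) -> Dict[str, Result]:
    """Ping every target at the same time and return one result per label."""
    with ThreadPoolExecutor(max_workers=max(1, len(targets))) as pool:
        futures = {label: pool.submit(runner, host) for label, host in targets.items()}
        return {label: future.result() and parse_summary(future.result())
                for label, future in futures.items()}


def first_failing_hop(results: Dict[str, Result]) -> Optional[str]:
    """First label, in listed order, that lost packets or gave no summary."""
    for label, result in results.items():
        if not result or result["lost"] > 0:
            return label
    return None


def log_line(stamp: str, results: Dict[str, Result]) -> str:
    """One log record: timestamp followed by received/sent for each target."""
    fields = []
    for label, result in results.items():
        value = f"{result['received']}/{result['sent']}" if result else "ERR"
        fields.append(f"{label}={value}")
    return stamp + " " + " ".join(fields)


def monitor(targets: Dict[str, str], interval_s: int = 5,
            runner: Runner = run_ping, cycles: Optional[int] = None) -> None:
    """Sweep, print one timestamped line, wait interval_s, repeat."""
    done = 0
    while cycles is None or done < cycles:
        stamp = datetime.now().isoformat(timespec="seconds")
        print(log_line(stamp, sweep(targets, runner)), flush=True)
        done += 1
        time.sleep(interval_s)


def demo() -> str:
    """Offline run on the constructed samples: remote-wan loses 3 of 10."""
    def fake_runner(host: str) -> str:
        return SAMPLE_LOSSY if host == TARGETS["remote-wan"] else SAMPLE_CLEAN
    return log_line("2010-07-22T08:00:00", sweep(TARGETS, fake_runner))


if __name__ == "__main__":
    print(demo())          # offline demonstration
    # monitor(TARGETS)     # live use: run the same script at both sites
```

Comparing the logs from both sites around the time of the flap shows which hop, if any, stopped answering first.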

Re: [c-nsp] Hughes v iDirect

2010-07-18 Thread Ziv Leyes
I second Terry, we have good experience with iDirect too.
Can't tell much about Hughes, don't know their products at all.


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Terry Rupeni (ITS-USP)
Sent: Thursday, July 15, 2010 11:18 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Hughes v iDirect

Hi Felix,

I can't speak for Hughes as I've never had the experience of working with 
the gear but we are currently evaluating iDirect for our Distance 
Learning Network(USPNET) of which a heavy component is VOIP, Video 
Conferencing, Video Multicast streaming. Our setup is a typical 
hub/spoke topology covering 12 Pacific Countries. Now compared to our 
current satellite platform we use, I really like iDirect for two reasons:

1.) QOS provisioning mechanisms (Simple Methodology and configuration, 
don't have to worry about Satellite TimeSlots correlation etc)
2.) iDirect Monitoring/System Visibility  (Gives us real time info of 
what is happening at the IP layer plus its correlation to RF)

There are many more reasons I can name but these two I see as a trump 
card compared to other systems I've worked on.

Terry

On 15/07/2010 10:16 PM, Felix Nkansah wrote:
> Hi,
>
> I am evaluating which of these satellite offerings provide the best IPoVSAT
> technology.
>
> The network would heavily use IP Voice and IP Video conferencing among the
> VSAT connected locations in a hub/spoke fashion.
>
> My client (a government agency) intends on installing/managing their own
> VSAT hub based on either Hughes or iDirect.
>
> I wanted to know which of these providers ensure the best performance of IP?
>
> Felix


Re: [c-nsp] A few very Quick IP SLA questions

2010-07-18 Thread Ziv Leyes
Wouldn't the source issue be solved if you use
  type echo protocol ipicmpEcho x.x.25.97 source-interface Giga0/1
instead of source-ip?


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Drew Weaver
Sent: Friday, July 16, 2010 6:15 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] A few very Quick IP SLA questions

Hi all, happy Friday.

A few questions regarding configuring IP SLA.

I've configured two IP SLA probes as such:

ip sla 1
 icmp-echo x.x.25.97 source-ip x.x.25.98
 frequency 10
ip sla schedule 1 life forever start-time now

ip sla 2
 icmp-echo x.x.25.101 source-ip x.x.25.102
 frequency 10
ip sla schedule 2 life forever start-time now

1) If I want this probe to run forever, is it best to configure it as a 
recurring probe or have the lifetime be 'forever'?
2) If the router has multiple paths to the destination does specifying the 
source-address mean that 100% of the time it will use the Interface that the 
indicated source address is assigned to?
3) When using the 'track command' (for example: track 100 ip sla 1 reachability 
| state) What is the functional difference between reachability and state? 
Wouldn't they be the same thing?

Also the main reason for implementing this is because we had an instance where 
an interface didn't go down, but no traffic would pass through it (routing 
protocols failed, etc) and we have our default routes setup as such:

ip route 0.0.0.0 0.0.0.0 Vlan4091 x.x.25.97
ip route 0.0.0.0 0.0.0.0 Vlan4092 x.x.25.101

So return traffic was still being sent down the 'dead but up/up' interface 
which caused obvious heartache.

Would using a track on each of these routes (combined with aforementioned IP 
SLA probes) be a good way to prevent this from occurring in the future?

I basically want to ensure that both the interface is up and that traffic can 
pass from this router to its gateway before the route will be used.

Sorry this is so long, hopefully it makes at least some sense.

I thought about using BFD, but it seems like they have removed support for BFD 
on VLANs in recent code.

Thanks,
-Drew



Re: [c-nsp] issue with basic access-list reordering

2010-07-07 Thread Ziv Leyes
I was quite sure that this kind of "bug" was related to having "access-list 
compiled" option enabled, I never had problems before that

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Pete Lumbis
Sent: Wednesday, July 07, 2010 10:17 PM
To: Ruben Alvarez
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] issue with basic access-list reordering

This is part of standard ACL optimization. This optimization completely
disregards comments. It's annoying and a bug was filed eons ago about this
and it was junked as part of expected behavior. See CSCdu55701.

-Pete

On Wed, Jul 7, 2010 at 2:58 PM, Ruben Alvarez wrote:

> Thanks.  That sort of worked.  I was doing a 'no access-list 10' before I
> added the new list.  But this time I reordered them and it worked.  So I
> added the remark, added .154, then added .151.  weird.
>
> Ruben Alvarez
> Technical Contractor  |  NWEA
>
> PHONE 503.624.1951  |  FAX 503.639.7873
> DIRECT 503.214.4228
>
> NWEA.ORG |  Partnering to Help All Kids Learn
>
>
> -Original Message-
> From: Gary Buhrmaster [mailto:gary.buhrmas...@gmail.com]
> Sent: Wednesday, July 07, 2010 11:38 AM
> To: Ruben Alvarez
> Subject: Re: [c-nsp] issue with basic access-list reordering
>
> > I wanted to see if anyone knows what's going on with my basic
> access-list.  It's really more annoying than anything, but.  So I type in
> this list:
> >
> > Rtr (config) #access-list 10 remark NTP access
> > Rtr (config) #access-list 10 permit 10.1.0.151
> > Rtr (config) #access-list 10 permit 10.1.0.154
> > Rtr (config) #exit
> > Rtr#sh run | inc access-list
> > access-list 10 permit 10.1.0.154
> > access-list 10 remark NTP access
> > access-list 10 permit 10.1.0.151
> >
> > Does anyone know why this happens?  It's driving me crazy.
>
> Add in a "no access-list 10" before your config
> command..  Your statements are added to the existing
> config, but duplicates are not, and my guess is
> that you had a permit 10.1.0.154... before.
> So, start clean with a "no access-list 10".
>
>
>


Re: [c-nsp] Bandwidth shape on OSI Layer2

2010-07-06 Thread Ziv Leyes
conf t
mls qos
!
class-map match-all CLASSNAME
  match ip dscp 0
!
policy-map POLICYNAME
  class CLASSNAME
    police 1000000 187500 exceed-action drop
!
interface GigabitEthernet0/1
 service-policy input POLICYNAME
 service-policy output POLICYNAME
!
end

The numbers in the policy are CIR and BC and the formula I used is BC=CIR/8*1.5
HTH
Ziv


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Tseveendorj Ochirlantuu
Sent: Tuesday, July 06, 2010 2:37 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Bandwidth shape on OSI Layer2

Dear all,

How to make a bandwidth shape with upload and download side on Cisco 3750
Catalyst at OSI Layer2 ?

Best regards,


Re: [c-nsp] smaller PI

2010-06-30 Thread Ziv Leyes
That's weird,  "PI" stands for "provider independent". How can one be 
independent with a non-routable IP range???
Where did the "try to aggregate as much as possible" concept go to?
Ziv


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Sascha Pollok
Sent: Wednesday, June 30, 2010 3:28 PM
To: Arie Vayner (avayner)
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] smaller PI

It is like it is. RIPE NCC allocates PI according to the demand
within 12 months. If it is a /26, you'll get a /26. RIPE NCC does
not guarantee that the block they allocate is routable.

Tricky eh? There is a policy proposal to make PI blocks at
least /24 in case it is planned to announce them to the DFZ.

-Sascha

On Wed, 30 Jun 2010, Arie Vayner (avayner) wrote:

> That's an interesting development... I know that some providers run
> filters to filter anything longer than /24, so this may be an
> interesting experience...
>
> Arie
>
> -Original Message-
> From: cisco-nsp-boun...@puck.nether.net
> [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jan Gregor
> Sent: Wednesday, June 30, 2010 14:54
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] smaller PI
>
> Hi guys,
>
> one of our customers requested PI adresses from RIPE (for whatever
> reason) and got back /26.
> Opinions?
>
> Best regards,
>
> Jan
>
>


Re: [c-nsp] Centos upload speed slower on 1000m than 100m over WAN links

2010-06-27 Thread Ziv Leyes
I remember having bad times in the far past with Intel NICs on RedHat 7 that 
used the e100 driver; back then we just solved those problems by using only 
3com NICs that worked natively fine with Linux.
I'd think nowadays those problems were over! I guess not...
Anyway, this is getting too off-topic, since it has nothing to do with Cisco 
devices.
Trying a different NIC, vanilla kernels or a different linux distro is 
definitely the way to go.
Ziv


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of bas
Sent: Sunday, June 27, 2010 4:59 PM
To: Paul
Cc: Gert Doering; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Centos upload speed slower on 1000m than 100m over WAN 
links

Hi,

On Sun, Jun 27, 2010 at 11:20 AM, Paul  wrote:
> Yeah I tried that.. I really think it's a problem with the linux kernel and
> e1000e driver and possibly either limited to that or an
> incompatibility with cisco switch but I doubt that since i get such good
> speeds locally.

We've had a lot of problems with this issue.
transatlantic speeds were faster on FE than on GE.
Local speeds were great.

It is indeed a bug in the kernel driver.

After an upgrade to latest vanilla the problems are gone.
I'm not sure if anyone has created an rpm for a fix.

Bas


Re: [c-nsp] Etherchannel load balancing

2010-06-24 Thread Ziv Leyes
The link doesn't work because the whole line is broken in two, there is a 
missing part in the link that is continued in the line after.
Just copy/paste the whole text that starts at "http" and up to where it ends 
with ".shtml"
Ziv


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Ivan Šimko
Sent: Thursday, June 24, 2010 4:41 PM
To: Billy Guthrie
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Etherchannel load balancing

Hi Billy

thanks a lot. Can you send me that doc? Link isn't working :-(

Regards

Ivan

On 24 June 2010 14:16, Billy Guthrie  wrote:

> When you configure an etherchannel bundle, the frames are distributed
> across the individual bundled links deterministically; however, the load is
> not balanced equally across all the links. You may or may not know, but the
> frames are forwarded on a specific link due to the hashing algorithm that is
> used. The algorithm can use destination IP address, source IP address, or a
> combination of both source and destination IP addresses, source and
> destination MAC addresses, or TCP and UDP port numbers. The hashing
> algorithm computes a binary pattern that selects a link number in a bundle
> to carry each frame.
>
> Document may or may not help:
>
> http://www.cisco.com/en/US/tech/tk389/tk213/technologies_tech_note09186a0080094714.shtm
>
>
> Good Luck
> Billy
>
>
> Ivan Šimko wrote:
>
>> Hi all
>>
>> I've got two switches 3560
>> group with 2xFE on both switches and interconnected together.
>> port channel is L2
>> 2 VRFs - ivan, mark
>> 4 VLANs:
>> - vlan 100 VRF "ivan" for interconnection between switches
>> - vlan 11 VRF "ivan" for customer's connection
>>
>> - vlan 200 VRF"mark" for interconnection between switches
>> - vlan 12 VRF "mark" for customer's connection
>>
>> ports 12 and 13 as trunks
>> - interconnection between switches
>>
>> OSPF runs over SVIs of 100 and 200.
>>
>> I'm struggling with load balancing:
>> when I setup port channel load balancing dst-ip switch does correct
>> balancing between interconnected vlans but not for customers' vlans.
>> - vlan 100 would use port 12 - switch interconnection
>> - vlan 200 would use port 13 - switch interconnection
>> - vlan 11 would use port 13 - customer 1
>> - vlan 12 would use port 13 - customer 2
>>
>> when I setup port channel load balancing src-dst-ip switch does correct
>> balance for customers' vlans but not for interconnected vlans.
>> - vlan 100 would use port 13
>> - vlan 200 would use port 13
>> - vlan 11 would use port 12
>> - vlan 12 would use port 13
>>
>> Result is not full bandwidth used for both customers' traffic resp. only
>> 100
>> Mbps.
>>
>>
>> Any ideas how to sort it out?
>>
>> thanks
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
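
Added example (not from the thread or from Cisco's documentation): a simplified Python model of the hash-based link selection Billy describes above. It assumes the switch keeps only the low-order bits of the selected address(es) and XORs source and destination for src-dst-ip; the addresses are constructed so that the model reproduces the port pattern Ivan reports, and the index-to-port mapping is assumed.

```python
"""Simplified model of EtherChannel member-link selection (added example)."""
import ipaddress
from collections import Counter

MODES = ("src-ip", "dst-ip", "src-dst-ip")


def select_link(mode, src, dst, n_links=2):
    """Return the 0-based member-link index chosen for one flow.

    Assumption: only the low-order bits of the hashed address(es) are
    used, XORed together when two addresses take part. Real hardware
    hashes are platform-specific.
    """
    if n_links not in (2, 4, 8):
        raise ValueError("model covers 2, 4 or 8 member links")
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    if mode == "src-ip":
        key = s
    elif mode == "dst-ip":
        key = d
    elif mode == "src-dst-ip":
        key = s ^ d
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return key & (n_links - 1)


# Constructed flows, one per VLAN named in the thread. The real addresses
# are not on the page; these were picked to match the reported behaviour.
FLOWS = {
    "vlan100": ("10.0.100.1", "10.0.100.2"),
    "vlan200": ("10.0.200.2", "10.0.200.1"),
    "vlan11": ("10.0.11.5", "10.1.11.9"),
    "vlan12": ("10.0.12.4", "10.1.12.7"),
}
PORTS = {0: "port 12", 1: "port 13"}  # assumed index-to-port mapping


def placement(mode, flows=FLOWS, n_links=2):
    """Map each named flow to the link index it hashes to."""
    return {name: select_link(mode, s, d, n_links)
            for name, (s, d) in flows.items()}


def load(mode, flows=FLOWS, n_links=2):
    """Number of flows per member link, indexed by link number."""
    counts = Counter(placement(mode, flows, n_links).values())
    return [counts.get(i, 0) for i in range(n_links)]


if __name__ == "__main__":
    for mode in MODES:
        where = {v: PORTS[i] for v, i in placement(mode).items()}
        print(f"{mode:11} flows per link {load(mode)}  {where}")
```

With two member links a single bit decides the port, so four long-lived flows can easily land three-to-one under one mode and two-to-two under another.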

Re: [c-nsp] VPN-tunnel between two Cisco routers stuck in MM_KEY_EXCH

2010-06-23 Thread Ziv Leyes
The problem doesn't seem to be related to preshared key, but more on the 
settings, are you totally sure that the other side has identical configuration?
Could you post the relevant sections of both sides running-config?


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Daniel Dib
Sent: Wednesday, June 23, 2010 11:43 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] VPN-tunnel between two Cisco routers stuck in MM_KEY_EXCH

Hi,

I am having some trouble setting up a VPN-tunnel between two Cisco 
routers. One end is my router and the other end is controlled by 
another company.
We seem to get stuck in the key exchange in ISAKMP phase 1. This is 
strange since tunnel has been up before but won't come up again. 
Neither of us
have changed the config.

Config on my side:

crypto isakmp policy 45
encr 3des
authentication pre-share
group 2
lifetime 14400

crypto isakmp key removed address x.x.x.x

crypto map SDM_CMAP_1 24 ipsec-isakmp
set peer x.x.x.x
set transform-set ESP-3DES-SHA
match address 122

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

Other side:

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 14400

crypto isakmp key removed address y.y.y.y

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA

crypto map SDM_CMAP_1 3 ipsec-isakmp
set peer y.y.y.y
set transform-set ESP-3DES-SHA

sh crypto isakmp sa shows the following:

x.x.x.x  y.y.y.y  MM_KEY_EXCH6360

Seems we get stuck in key exchange although we have verified we have 
the same key.
I have run a debug crypto isakmp, full debug is available at 
http://pastebin.com/uUhBjKK6

Here are some relevant messages from debug:

2010-06-23 08:38:31 Local7.Debug413731: *Jun 23 
07:40:57.897: ISAKMP: Created a peer struct for x.x.x.x, peer port 500
2010-06-23 08:38:31 Local7.Debug413752: *Jun 23 
07:40:57.925: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 
157 mismatch
2010-06-23 08:38:31 Local7.Debug413775: *Jun 23 
07:40:57.925: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
2010-06-23 08:38:31 Local7.Debug413829: *Jun 23 
07:40:58.029: ISAKMP: set new node -560194497 to QM_IDLE

Looks good so far, tunnel is in QM_IDLE but after this the problem starts:

2010-06-23 08:38:31 Local7.Debug413834: 
<009>unauthenticated (missing hash payload).
2010-06-23 08:38:31 Local7.Debug413835: *Jun 23 
07:40:58.029: ISAKMP:(0:628:HW:2):Rejecting unauthenticated 
RESPONDER_LIFETIME.
2010-06-23 08:38:31 Local7.Debug413836: *Jun 23 
07:40:58.029: ISAKMP:(0:628:HW:2):deleting node -560194497 error FALSE 
reason "Informational (in) state 1"
2010-06-23 08:38:31 Local7.Debug413848: *Jun 23 
07:40:58.029: ISAKMP:(0:628:HW:2):: peer matches *none* of the profiles
2010-06-23 08:38:31 Local7.Debug413853: *Jun 23 
07:40:58.033: ISAKMP:(0:628:HW:2): unable to compute hash!
2010-06-23 08:38:31 Local7.Debug413854: *Jun 23 
07:40:58.033: ISAKMP:(0:628:HW:2): Unable to compute other party's hash!
2010-06-23 08:38:31 Local7.Debug413858: *Jun 23 
07:40:58.033: ISAKMP: reserved not zero on ID payload!
2010-06-23 08:38:31 Local7.Warning  413859: *Jun 23 
07:40:58.033: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from x.x.x.x  
failed its sanity check or is malformed
2010-06-23 08:38:32 Local7.Debug413865: *Jun 23 
07:40:59.057: ISAKMP:(0:628:HW:2): phase 1 packet is a duplicate of a 
previous packet.
2010-06-23 08:38:32 Local7.Debug413866: *Jun 23 
07:40:59.057: ISAKMP:(0:628:HW:2): retransmitting due to retransmit 
phase 1
2010-06-23 08:38:32 Local7.Debug413867: *Jun 23 
07:40:59.057: ISAKMP:(0:628:HW:2): retransmitting phase 1 MM_KEY_EXCH...
2010-06-23 08:38:32 Local7.Debug413868: *Jun 23 
07:40:59.441: ISAKMP:(0:621:HW:2):purging node 188143359
2010-06-23 08:38:32 Local7.Debug413869: *Jun 23 
07:40:59.557: ISAKMP:(0:628:HW:2): retransmitting phase 1 MM_KEY_EXCH...
2010-06-23 08:38:32 Local7.Debug413870: *Jun 23 
07:40:59.557: ISAKMP:(0:628:HW:2):incrementing error counter on sa: 
retransmit phase 1
2010-06-23 08:38:33 Local7.Debug413871: *Jun 23 
07:40:59.557: ISAKMP:(0:628:HW:2): retransmitting phase 1 MM_KEY_EXCH
2010-06-23 08:38:33 Local7.Debug413872: *Jun 23 
07:40:59.557: ISAKMP:(0:628:HW:2): sending packet to x.x.x.x my_port 
500 peer_port 500 (I) MM_KEY_EXCH
2010-06-23 08:38:33 Local7.Debug413873: *Jun 23 
07:41:00.077: ISAKMP (0:268436084): received packet from x.x.x.x dport 
500 sport 500 Global (I) MM_KEY_EXCH
2010-06-23 08:38:33 Local7.Debug413874: *Jun 23 
07:41:00.077: ISAKMP:(0:628:HW:2): phase 1 packet is a duplicat
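
Added example (not part of the original post): a small Python triage script for debug output like the above. It rejoins the mail-wrapped syslog records, extracts the ISAKMP SA identifier, and counts the messages that accompany the stuck MM_KEY_EXCH state; the marker labels are names chosen here, and the sample lines are copied from the excerpt in the post.

```python
import re
from collections import Counter

# Lines copied from the debug excerpt in the post (wrapped by the mail client).
SAMPLE = """\
2010-06-23 08:38:31 Local7.Debug413853: *Jun 23
07:40:58.033: ISAKMP:(0:628:HW:2): unable to compute hash!
2010-06-23 08:38:31 Local7.Debug413854: *Jun 23
07:40:58.033: ISAKMP:(0:628:HW:2): Unable to compute other party's hash!
2010-06-23 08:38:31 Local7.Debug413858: *Jun 23
07:40:58.033: ISAKMP: reserved not zero on ID payload!
2010-06-23 08:38:31 Local7.Warning  413859: *Jun 23
07:40:58.033: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from x.x.x.x
failed its sanity check or is malformed
2010-06-23 08:38:32 Local7.Debug413867: *Jun 23
07:40:59.057: ISAKMP:(0:628:HW:2): retransmitting phase 1 MM_KEY_EXCH...
2010-06-23 08:38:32 Local7.Debug413869: *Jun 23
07:40:59.557: ISAKMP:(0:628:HW:2): retransmitting phase 1 MM_KEY_EXCH...
"""

RECORD_START = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Local7\.([A-Za-z]+)\s*(\d+):\s*(.*)$")
ROUTER_STAMP = re.compile(r"^\*\w{3}\s+\d+\s+[\d:.]+:\s*")
SA_ID = re.compile(r"ISAKMP:?\s*\((\d+:\d+:[^)]*)\)")

# Substrings to count; the labels on the left are names chosen for this example.
MARKERS = {
    "hash_failure": "unable to compute",
    "bad_id_payload": "reserved not zero on id payload",
    "bad_message": "%crypto-4-ikmp_bad_message",
    "phase1_retransmit": "retransmitting phase 1 mm_key_exch",
}


def reassemble(text):
    """Join wrapped lines back into one dict per syslog record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RECORD_START.match(line)
        if m:
            records.append({"received": m.group(1), "severity": m.group(2),
                            "seq": int(m.group(3)), "message": m.group(4)})
        elif records:  # continuation of the previous record
            records[-1]["message"] += " " + line
    for rec in records:
        rec["message"] = ROUTER_STAMP.sub("", rec["message"].strip())
        sa = SA_ID.search(rec["message"])
        rec["sa"] = sa.group(1) if sa else None
    return records


def summarize(records):
    """Count marker messages overall and phase 1 retransmits per SA."""
    markers, retransmits = Counter(), Counter()
    for rec in records:
        text = rec["message"].lower()
        for label, needle in MARKERS.items():
            if needle in text:
                markers[label] += 1
                if label == "phase1_retransmit" and rec["sa"]:
                    retransmits[rec["sa"]] += 1
    return markers, retransmits


if __name__ == "__main__":
    markers, retransmits = summarize(reassemble(SAMPLE))
    for label in MARKERS:
        print(f"{label:18} {markers[label]}")
    for sa, count in retransmits.items():
        print(f"SA {sa}: {count} phase 1 retransmits")
```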

Re: [c-nsp] Console problems

2010-06-20 Thread Ziv Leyes
Sorry about that, I've missed the very important detail that he was talking 
about NPE-400... Oops.
That's what happens when you read mails fast and answer before it reaches the 
grey brain cells... :-)


-Original Message-
From: Gert Doering [mailto:g...@greenie.muc.de] 
Sent: Thursday, June 17, 2010 11:13 AM
To: Ziv Leyes
Cc: 'Richey'; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Console problems

Hi,

On Thu, Jun 17, 2010 at 09:25:43AM +0300, Ziv Leyes wrote:
> You can't have both NPE and I/O card console interfaces to work together.
> I'm not sure if it's configurable but the default will be the I/O card, so if 
> you MUST have the I/O card inserted use the console port on it and not the 
> one on the NPE

The NPE-400 doesn't have a console port :-) - and *does* require an IO board.

(Your statement is correct for NPE-G1 and NPE-G2).

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de

 
 



Re: [c-nsp] BGP routing table !!

2010-06-16 Thread Ziv Leyes
Can you post your BGP settings with your peer?
Do you have a "maximum-prefix" setting on your neighbor peer?

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Raheel Muhammad
Sent: Thursday, June 17, 2010 2:09 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] BGP routing table !!

Hi guys,

Might be a basic question but I couldn't find anything, I have cisco 7606 I
just had a new peering with our upstream provider, but router rebooted when
routes reached 300k, router is not running anything else as well. Any idea?

Cisco CISCO7606-S (M8500) processor (revision 1.0) with 851968K/65536K bytes
of memory.
Processor board ID FOX1310G2VB
 BASEBOARD: RSP720
 CPU: MPC8548_E, Version: 2.0, (0x80390020)
 CORE: E500, Version: 2.0, (0x80210020)
 CPU:1200MHz, CCB:400MHz, DDR:200MHz,
 L1:D-cache 32 kB enabled
I-cache 32 kB enabled

Regards


Re: [c-nsp] Console problems

2010-06-16 Thread Ziv Leyes
You can't have both NPE and I/O card console interfaces to work together.
I'm not sure if it's configurable but the default will be the I/O card, so if 
you MUST have the I/O card inserted use the console port on it and not the one 
on the NPE
Ziv


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Richey
Sent: Thursday, June 17, 2010 6:04 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Console problems

I can't seem to come up with the right keyword combination to google this.
I've got a 7206VXR with an NPE-400 and an I/O 2FE/E card.  Using a Belkin
USB to Serial adaptor I can watch the router boot and get to the Press
Return to get Started prompt.  After I hit return the interfaces go up and
then admin down.  After that I can't get anything out of the console.   I
can insert and remove a DS3 card and I will see a message saying the card
was inserted and removed but I can't interact with the box.   I've connected
to a 3550 I have laying here and I am able to get a console session going
with it. Does anyone have any ideas on this one?   Everything I am
googling relates to the router crashing or hanging which this one does not
seem to do.

Richey



Re: [c-nsp] Configuration examples for RTBH in both directions

2010-06-07 Thread Ziv Leyes
As an answer to a previously similar question mail in this list, Steve Bertrand 
wrote a very nice and useful how-to here:
http://ipv6canada.com/?p=59

Thanks again Steve,
Ziv


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Drew Weaver
Sent: Monday, June 07, 2010 5:02 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Configuration examples for RTBH in both directions

Hi,

Can anyone provide configuration examples for Real Time Black Holing (RTBH) 
both source and destination, bonus points if it can also add a 'blackhole' 
community that is sent up to the upstream providers if it is a source address 
on our network.

Does anyone have any good ideas for the best way to handle this? do you use a 
small switch/router that can do BGP, or do you use a linux/vyatta router to do 
the route reflection?

thanks,
-Drew



Re: [c-nsp] Qos Cisco 831

2010-06-06 Thread Ziv Leyes
I'm not sure regarding the Cisco 831 capabilities, but according to your 
configuration it seems your problem is not marking but matching the packets.
If you see the counters you will notice that none is caught, not by the acl 
and not by the dscp ef, so the question is, what is the origin of the voice 
packets? Is it some voip device at your lan or you're trying to prioritize the 
packets that are coming from the internet?
If the answer is the latter then you may have a problem with your SP removing 
the dscp values of the packets, there are still some problems globally talking 
about conserving the voip priority marking all along the path.
Hope this helps
Ziv


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Rocker Feller
Sent: Friday, June 04, 2010 3:44 PM
To: cisco_nsp
Subject: [c-nsp] Qos Cisco 831

Hi,

Am working on prioritising voip traffic on a cisco 831.

The 831 is using ios Version 12.3(14)T1

Issue is that I cannot mark packets so as to prioritise.

Is this possible on this router?

Any assistance appreciated in advance.

Config Example

class-map match-any set_dscp
 match access-group 151
 match ip dscp ef

policy-map Qos2_VoIP
 class set_dscp
  priority 64
 class class-default
  fair-queue

Policy_Map applied stats shows no hits on the VoIP
sh policy-map interface e1
 Ethernet1

  Service-policy output: Qos2_VoIP

Class-map: set_dscp (match-any)
  0 packets, 0 bytes
  5 minute offered rate 0 bps, drop rate 0 bps
  Match: access-group 151
0 packets, 0 bytes
5 minute rate 0 bps
  Match: ip dscp ef (46)
0 packets, 0 bytes
5 minute rate 0 bps
  Queueing
Strict Priority
Output Queue: Conversation 264
Bandwidth 64 (kbps) Burst 1600 (Bytes)
(pkts matched/bytes matched) 0/0
(total drops/bytes drops) 0/0

Class-map: class-default (match-any)
  249 packets, 55261 bytes
  5 minute offered rate 4000 bps, drop rate 0 bps
  Match: any
  Queueing
Flow Based Fair Queueing
Maximum Number of Hashed Queues 256
(total queued/total drops/no-buffer drops) 0/0/0
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

 
 

This footnote confirms that this email message has been scanned by
PineApp Mail-SeCure for the presence of malicious code, vandals & computer 
viruses.





 
 

This footnote confirms that this email message has been scanned by
PineApp Mail-SeCure for the presence of malicious code, vandals & computer 
viruses.





___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


  1   2   3   >