Cisco introduced 'warm' reload...

2003-09-13 Thread Pascal Gloor

Cisco introduced 'warm' reload

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801a755a.html

12.3(2)T This feature was introduced.
12.2(18)S This feature was integrated into Cisco IOS Release 12.2(18)S.


Did anyone test this yet?


Pascal



Re: 92 Byte ICMP Blocking Problem

2003-09-13 Thread Mark Vevers

Steve Carter said:
>
> I believe it to be true that all policy route traffic is processor
> switched rather than CEF on the 75xx platform.  If so, the 75xx might
> not be handling all it's being asked to and dropping stuff in a
> non-deterministic way.
>

In my experience you can do the 92 byte blocking on 75's with dCEF
provided you are *very* careful about exactly what policy based routes you
set up ...
Try the following:

On the interfaces make sure you have:
  ip route-cache policy

Then apply your PBR the inbound interface:
  ip policy route-map block92

which looks like:
  route-map block92 permit 10
   match ip address 121
   match length 92 92
   set interface Null0
  route-map block92 permit 20

With access-list 121 looking like
  access-list 121 permit icmp any any echo

The route-map is extremely critical because some can be done in dCEF and
some can't - and you must have the extra permit as well (sorry if I'm
teaching grandma to suck eggs) but this seems to work for us (12.2.15T5).

Be sure to check the VIP CPU and show cef drop and show cef
not-cef-switched for the linecard involved ...

BTW we also found that in an earlier release of IOS we needed to reboot
the router to get this to work properly.

Regards
Mark
-- 
Mark Vevers.[EMAIL PROTECTED] / [EMAIL PROTECTED]
Principal Internet Engineer, Internet for Learning,
Research Machines Plc. (AS5503)




Re: Cisco introduced 'warm' reload...

2003-09-13 Thread Rodney Dunn

Pascal,

Timo asked the same thing.  I'm setting up a 3745 and
a 3660 in the lab to test it on.  In the Release notes
there is a link to Feature Navigator (FN) that will
display the platform support for a feature.

http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp

Currently that shows only 3745 and 3660 support.

I'm not sure exactly why that is but I will check
and let you know.

Also, I'll try to get the Release Notes more clear
about how to check for the hardware support especially
when it appears to be a platform independent feature.

Rodney

On Sat, Sep 13, 2003 at 12:19:46PM +0200, Pascal Gloor wrote:
> 
> Cisco introduced 'warm' reload
> 
> http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801a755a.html
> 
> 12.3(2)T This feature was introduced.
> 12.2(18)S This feature was integrated into Cisco IOS Release 12.2(18)S.
> 
> 
> Did anyone test this yet?
> 
> 
> Pascal


Re: More on the DDoS Attack

2003-09-13 Thread Jack Bates
Eric Gauthier wrote:
  
Take a look and let me know what you think.  Any question or comments -  
editorial or otherwise - would be greatly appreciated. 

Nice layout. Reverse the process so default is a good host and 
integrate it with radius, using access lists versus private/public 
addresses and you have a nice method for jailing an infected user so 
that they can still dial up and get virus defs, patches, etc and that's 
it. Granted, it would take some tweaking.

-Jack



RE: Cisco introduced 'warm' reload...

2003-09-13 Thread Michel Py

> Pascal Gloor wrote:
> Cisco introduced 'warm' reload
> http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801a755a.html
> 12.3(2)T This feature was introduced.
> 12.2(18)S This feature was integrated into Cisco IOS Release 12.2(18)S.
> Did anyone test this yet?

It's not available on all platforms, at least not on my test one. When
doing "reload warm" it does a cold one and takes "warm" as the reason
for reload.

Michel.


cisco7507#sh ver
Cisco Internetwork Operating System Software
IOS (tm) RSP Software (RSP-JK9O3SV-M), Version 12.3(2)T,  RELEASE SOFTWARE (fc1)
Synched to technology version 12.3(1.9)

cisco7507#warm?
% Unrecognized command
cisco7507#warm-reload
Translating "warm-reload"...domain server (192.168.222.4)
% Unknown command or computer name, or unable to find computer address

cisco7507#reload ?
  LINE    Reason for reload
  at      Reload at a specific time/date
  cancel  Cancel pending reload
  in      Reload after a time interval



Re: Cisco introduced 'warm' reload...

2003-09-13 Thread Rodney Dunn

Michel,

Thanks for pointing that out.  I'll have it removed
from the CLI for any platforms where it's not supported.

The currently supported platforms are:

3660 and 3745 in 12.3(2)T
7200 in 12.2(18)S

I'll also check on future platform implementations and let
you know.  While at first the feature seems platform
independent it turns out there are some platform dependencies.

Thanks,
Rodney


On Sat, Sep 13, 2003 at 12:01:25PM -0700, Michel Py wrote:
> 
> > Pascal Gloor wrote:
> > Cisco introduced 'warm' reload
> > http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801a755a.html
> > 12.3(2)T This feature was introduced.
> > 12.2(18)S This feature was integrated into Cisco IOS Release 12.2(18)S.
> > Did anyone test this yet?
> 
> It's not available on all platforms, at least not on my test one. When
> doing "reload warm" it does a cold one and takes "warm" as the reason
> for reload.
> 
> Michel.
> 
> 
> cisco7507#sh ver
> Cisco Internetwork Operating System Software
> IOS (tm) RSP Software (RSP-JK9O3SV-M), Version 12.3(2)T,  RELEASE SOFTWARE (fc1)
> Synched to technology version 12.3(1.9)
> 
> cisco7507#warm?
> % Unrecognized command
> cisco7507#warm-reload
> Translating "warm-reload"...domain server (192.168.222.4)
> % Unknown command or computer name, or unable to find computer address
> 
> cisco7507#reload ?
>   LINE    Reason for reload
>   at      Reload at a specific time/date
>   cancel  Cancel pending reload
>   in      Reload after a time interval
> 


Rumor: Microsoft preparing a new patch/service pack CD

2003-09-13 Thread Sean Donelan

BetaNews is reporting that Microsoft will release a new Service Pack
on September 24 including the various security patches.  Because Service
Packs are also available as CD distributions (for a shipping charge),
this may help customers without high-speed Internet connections
obtain all the patches (over 30 Megabytes) needed for their system.

Unfortunately, many brand-new PC's include old versions of the Windows
Operating system and are immediately infected when connected to the
Internet before they can download all the patches.

This would be a welcome change from Microsoft's previous public statements
that the Windows Update Service is the only way for retail consumers to
obtain the patches.

http://www.betanews.com/article.php3?sid=1063425644



RE: Cisco introduced 'warm' reload...

2003-09-13 Thread Michel Py

Rodney,

> Rodney Dunn wrote:
> Thanks for pointing that out.  I'll have it removed
> from the CLI for any platforms where it's not supported.

Actually, there's nothing to remove. The 

> cisco7507#reload ?
>   LINE    Reason for reload

is perfectly legitimate.


> The currently supported platforms are:
> 3660 and 3745 in 12.3(2)T
> 7200 in 12.2(18)S
> I'll also check on future platform implementations and
> let you know.  While at first the feature seems platform
> independent it turns out there are some platform
> dependencies.

If I may, it would be a hell of a good idea to make it work on platforms
such as the 7500 where one would think it is unnecessary. On paper,
having a feature set with rpr/rpr+ would render this command
unnecessary on a 7500 with dual RSPs. In practice, there are so many
compatibility issues with rpr/rpr+ and other features that some 7500s
that have dual RSPs run a non-rpr image and the second RSP is sitting in
the router as a spare.

Michel.



Re: 92 Byte ICMP Blocking Problem

2003-09-13 Thread jlewis

That's really weird.  I've been running with 

route-map nachiworm permit 10
 match ip address nachilist
 match length 92 92
 set interface Null0

ip access-list extended nachilist
 permit icmp any any echo
 permit icmp any any echo-reply

ip policy route-map nachiworm

on transit interfaces and the virtual-templates of all our access servers 
that can do it properly (just blocking echo/echo-reply on the older ones 
that can't do the policy) and haven't heard about any customer complaints 
other than "I can't ping" in the places where we've blocked all 
echo/echo-reply.  The routers doing this (7200/7500s) are all running 
12.2(1-3)S.  Access servers are running mostly 12.1M or 12.2XB code. 

On Fri, 12 Sep 2003, William Devine, II wrote:

> I had the exact same problem.  As soon as I turned it on, within minutes I
> had customers calling that could no longer FTP into Win2k servers and some
> that couldn't SSH into their Linux servers.
> I've since turned it off as well.
> Are there any other known ways to block this?
> 
> - Original Message - 
> From: "Chris Adams" <[EMAIL PROTECTED]>
> To: "Steven M. Bellovin" <[EMAIL PROTECTED]>
> Cc: "Nanog" <[EMAIL PROTECTED]>
> Sent: Friday, September 12, 2003 1:32 PM
> Subject: Re: 92 Byte ICMP Blocking Problem
> 
> > I don't have it in place anymore (because it caused more problems than
> > it fixed), so I can't test this.  In any case, the route map only
> > matched 92 byte ICMP echo and ICMP echo-reply packets, which is not what
> > PMTU uses, so it shouldn't have had a problem.  Also, I know that the
> > MTU along the path for the person in the office is the same all the way,
> > so PMTU shouldn't come into play there.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 System Administrator|  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_
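The route-maps posted by Mark Vevers (access-list 121, echo only) and by Jon Lewis above (named list nachilist, echo and echo-reply) both hinge on "match length 92 92", which compares the Layer 3 (IP total length) of the packet, not the payload. The following Python model is an added example, not code from any of the posts: it builds constructed IPv4/ICMP echo datagrams and runs them through a function that mirrors the route-map decision (sequence 10 sends a matching packet to Null0; the empty sequence 20 lets everything else be forwarded normally). The function names, addresses and payloads are assumptions made for the example. It shows why the filter catches a 92-byte echo regardless of what is inside it, which is the collateral effect (blocked tracert, "I can't ping") the thread discusses.

```python
"""Model of the NANOG thread's 92-byte ICMP policy route (added example)."""
import struct

IPPROTO_ICMP = 1
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
MATCH_LENGTH = 92   # "match length 92 92": IP total length, 20 IP + 8 ICMP + 64 data


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(payload: bytes, icmp_type: int = ICMP_ECHO_REQUEST,
                    src: str = "10.0.0.1", dst: str = "10.0.0.2") -> bytes:
    """Construct an IPv4 datagram carrying an ICMP echo (test input, not a capture)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    total_len = 20 + len(icmp)
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    # ver/ihl, tos, total length, id, flags/frag, ttl, proto, hdr csum, src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64,
                      IPPROTO_ICMP, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + icmp


def route_map_block92(packet: bytes, acl_types=(ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY)) -> str:
    """Return "Null0" if sequence 10 matches, else "forward" (sequence 20, no set clause).

    acl_types models the access list: Jon's nachilist permits echo and echo-reply
    (the default here); Mark's access-list 121 permits echo only, pass (8,) for that.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "forward"                      # not IPv4: nothing to match
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != IPPROTO_ICMP or len(packet) <= ihl:
        return "forward"                      # "permit icmp any any ..." fails
    if packet[ihl] not in acl_types:
        return "forward"                      # wrong ICMP type
    if total_len != MATCH_LENGTH:
        return "forward"                      # "match length 92 92" fails
    return "Null0"                            # "set interface Null0"


def summarize(packets) -> dict:
    """Count decisions for a batch, the way one would check before deploying."""
    counts = {"Null0": 0, "forward": 0}
    for p in packets:
        counts[route_map_block92(p)] += 1
    return counts


if __name__ == "__main__":
    # Constructed samples: a 64-byte-payload echo (92 bytes total) is dropped whatever
    # its content; a 32-byte-payload echo (60 bytes) and a non-echo ICMP are forwarded.
    samples = [
        build_icmp_echo(b"\xaa" * 64),                    # 92 bytes -> Null0
        build_icmp_echo(b"hello world, 64 bytes of legitimate data here..." .ljust(64, b".")),
        build_icmp_echo(b"\xaa" * 64, ICMP_ECHO_REPLY),   # reply, 92 bytes -> Null0
        build_icmp_echo(b"x" * 32),                       # 60 bytes -> forward
        build_icmp_echo(b"x" * 64, icmp_type=3),          # unreachable -> forward
    ]
    for p in samples:
        print(len(p), p[20], route_map_block92(p))
    print(summarize(samples))
```

Running it shows that the second sample, a 92-byte echo with an ordinary text payload, is sent to Null0 exactly like the first; the policy has no view of the payload, so any host that happens to emit 92-byte echoes is affected. Passing acl_types=(8,) reproduces Mark's echo-only variant, under which the echo-reply sample is forwarded.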



RE: 92 Byte ICMP Blocking Problem

2003-09-13 Thread John Souvestre

Hi.

I've been running with the service policy version and haven't seen any
problem either.  I did notice that it seems to block DOS traceroutes,
however.

John

John Souvestre - Southern Star - (504) 888-3348 - www.sstar.com


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Saturday, September 13, 2003 10:18 PM
To: William Devine, II
Cc: Nanog
Subject: Re: 92 Byte ICMP Blocking Problem
Importance: High


That's really weird.  I've been running with 

route-map nachiworm permit 10
 match ip address nachilist
 match length 92 92
 set interface Null0

ip access-list extended nachilist
 permit icmp any any echo
 permit icmp any any echo-reply

ip policy route-map nachiworm

on transit interfaces and the virtual-templates of all our access servers 
that can do it properly (just blocking echo/echo-reply on the older ones 
that can't do the policy) and haven't heard about any customer complaints 
other than "I can't ping" in the places where we've blocked all 
echo/echo-reply.  The routers doing this (7200/7500s) are all running 
12.2(1-3)S.  Access servers are running mostly 12.1M or 12.2XB code. 





MIT still has over 900 network drops disabled

2003-09-13 Thread Sean Donelan

Eight weeks after Microsoft's first announcement concerning RPC
vulnerabilities, MIT still has over 900 network drops disabled due to
infected machines on the campus.

http://www-tech.mit.edu/V123/N39/39SoBig2.39n.html

MIT is known for having very bright people.  Imagine the difficulty
people without an MIT education are having trying to fix their Microsoft
computers.

MIT is taking the conservative approach.  MIT Network Security requires
users to reformat their hard drive and re-install their operating system
(and I assume install all the patches) before re-enabling the network
connection.

Could you find your original operating system disks?  Did your computer
even come with a disc copy of the original operating system?  I had
some computers which asked the user to "backup" the original operating
system on 50-90 floppy disks because the vendor only shipped the OS
"pre-installed."  Very few people spent the time (or the discs).

And you are still faced with the problem that the patches aren't available yet
on physical media (CD, floppy, etc).  So you need to find a friend with a
fixed computer to make copies of the patches for you.



Sabotage not backhoes: More cable cuts

2003-09-13 Thread Sean Donelan

Someone climbed a 15-foot tower in Southern Arizona cutting a fiber optic
cable used by Broadwing and Tucson Electric Power.  This was within five
feet of the 138,000-volt power line.  The site was also guarded by barbed
wire.

This is not your typical backhoe.

Rural areas have long dealt with the occasional shotgun damaged cable or
microwave horn; or the farmer burying the dead cow in the back pasture.
But I don't recall two reported acts of sabotage in less than 30 days
before.

http://www.fox11az.com/news/local/stories/KMSB_local_fiberoptic_091203.9d8bc6ae.html