It seems that 2851 is more than enough to route two links at 1 or 2 Mb/s. As
Cisco says, 2851 is capable to route at speed of 112 Mb/s, but in real world
you should divide this value by 2 at least.
As I see this device has 256 Mb of memory. It is enough for default and
several specific routes but
Your feature set (IP Base) does not support BGP.
Also you'll need more than 256MB of RAM to take full tables. Taking
full tables for 1mbps or 2mbps transits seems like overkill, but this
depends on your application and requirements.
2800s are software based routers that don't have a very
I agree with the point that you will need more memory for full table,
but afaik, the ISRs can do BGP with IP Base
(http://www.cisco.com/web/partners/downloads/765/tools/quickreference/isr.pdf).
Greets, Bernd
Campbell, Alex wrote:
Your feature set (IP Base) does not support BGP.
Not according to Feature Navigator (http://www.cisco.com/go/fn/)
Alex
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernd
Ueberbacher
Sent: Thursday, 30 August 2007 5:39 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] BGP hardware requirements
Hello,
I need to log traffic going through Cisco 3825 router to syslog server.
Not all traffic data, I only need to log new connections.
How can I do this?
Thanks
Current config:
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime
You could try an access list, something like this (for example):
ip access-list extended log-syn-in
 permit tcp any any syn log
 permit ip any any
!
interface wan
 ip access-group log-syn-in in
!
The second permit will be necessary unless you only want TCP SYN packets to
get through (implicit
Thanks Tom. And what about UDP traffic?
Regards,
Eimantas Zdanevičius
Network administrator
UAB Oslo products
Žirmūnų g. 27, LT-09105, Vilnius
Tel.: +370 5 276 2002
Fax: +370 5 270 0204
Mob.: +370 685 18 864
Email: [EMAIL PROTECTED]
www.occ.lt
Tom Storey wrote:
You could try an
I need to log traffic going through Cisco 3825 router to syslog server.
Not all traffic data, I only need to log new connections.
How can I do this?
there's a few ways you could accomplish this, but I'd recommend option (1):
1. NetFlow export
2. IP accounting
3. an ACL with 'log', something
UDP is connectionless, so it doesn't have SYN packets like TCP.
Cheers,
Tom
- Original Message -
From: Eimantas Zdanevičius [EMAIL PROTECTED]
To: Tom Storey [EMAIL PROTECTED]; cisco-nsp@puck.nether.net
Sent: Thursday, August 30, 2007 6:07 PM
Subject: Re: [c-nsp] logging traffic
Thanks
Feature Navigator is wrong, then. BGP is already available in IPBASE for the
ISRs but only in the T train:
See:
http://www.cisco.com/en/US/products/ps6441/prod_release_note09186a00804a19a2.html#wp1451994
Where it states that:
-
BGP in IP Base
BGP is available in the IP base software
Hello,
Thanks for the inputs, so in summary:
1. My 2851 is already ok for 2x 2MB link BGP
2. I need to upgrade my 256MB memory to 512 MB
3. I need to replace my IOS to support a higher feature of BGP
possibly this:
ADVANCED ENTERPRISE
On Thursday 30 August 2007 17:51, Dracul wrote:
1. My 2851 is already ok for 2x 2MB link BGP
Right.
2. I need to upgrade my 256MB memory to 512 MB
I would say take the full 1GB. It's always best to max. out
the memory on the routers so you have one less problem to
worry about, especially
Please use #1.
#3 causes process switching and that's a very bad thing to do.
Rodney
On Thu, Aug 30, 2007 at 04:41:58PM +0800, Lincoln Dale (ltd) wrote:
I need to log traffic going through Cisco 3825 router to syslog server.
Not all traffic data, I only need to log new connections.
How
I have put an ME6524 (s6523-advipservicesk9-mz.122-18.ZU2.bin) in to
replace a 7200 and one of the interfaces has a rate-limit. When I do a show
int rate-limit I see:
GigabitEthernet1/1.460
Input
matches: access-group 100
params: 144696000 bps, 1048576 limit, 1048576 extended limit
On Thu, Aug 30, 2007 at 09:09:05AM -0400, Jay Young wrote:
I have put an ME6524 (s6523-advipservicesk9-mz.122-18.ZU2.bin) in to
replace a 7200 and one of the interfaces has a rate-limit. When I do a show
int rate-limit I see:
GigabitEthernet1/1.460
Input
matches: access-group 100
I believe I know why I had the issue I had last evening when a 500Mbps
DDOS hit our network. I believe it is due to queuing issues, but I am not sure,
I wanted to ask you folks what you thought.
The topology of the 'attack' is as such:
Attacker - Internet - 3Gbps aggregate(4
More information, the traffic they sent looked like this:
1188461504.873821 y.y.y.y - x.x.x.x UDP Source port: 45362 Destination port:
11067[Malformed Packet]
00 18 8b 4e bf df 00 05 dd 27 58 40 08 00 45 00 ...N.'[EMAIL
PROTECTED]
0010 00 1d 00 00 40 00 38 11 94 c9 c1 1b 56 c5 d1
Drew,
a possible cause could be buffer shortage on the linecard. Unless you
limit the queue length on the GSR interfaces, the linecard could
allocate all available buffers (and there are plenty) when one of the
links becomes congested, which could have happened if one of the GE
links needed to
Hi,
Hopefully a simple question...
I currently have a primary and secondary aggregation (distribution)
switches (6500s) with CSMs running in transparent mode. Multicast flows
(PIM SM) pass through the CSMs just fine, but when I fail the primary CSM
to secondary, unicast (icmp) fails over sub 3
Hi Rodney,
Thanks for the response...
was fixed in 12.0(32)SY3.
Is this seen on 32SY3?
Yes, I saw it come up on one of our GSRs running 12.0(32)SY3 several
times but have not noticed it since (not logging to syslog on these
routers so I can't go back very far to make sure).
Here's show
On Wed, 29 Aug 2007, Andy Dills wrote:
Don't forget that you can prepend incoming announcements as well as
outgoing announcements.
For instance, to account for the fact that there is essentially an
extra AS in your transit path to 3356, you might just prepend a
single 22773 to everything
Hi,
* Brett Looney wrote on 30.08.2007 02:33:
Thanks, I'll check it out. Given that there is supposed to be feature parity
between ASA v7.x and VPN3000 this might work.
To lock users into a specific VPN group, set
[3076\033] IPSec-User-Group-Lock
to ON and deliver the VPN group name within
On Thu, Aug 30, 2007 at 11:07:36AM -0400, Jon Lewis wrote:
On Wed, 29 Aug 2007, Andy Dills wrote:
Don't forget that you can prepend incoming announcements as well as
outgoing announcements.
For instance, to account for the fact that there is essentially an
extra AS in your transit
Hi mates.
Maybe somebody can help me.
I configured MLPoATM and LFI.
According to this debug, can I be sure both the routers are doing fragmentation?
Router#
*Mar 1 18:27:12.420: Vi3 MLP: I frag C041 size 49 encsize 2
*Mar 1 18:27:12.420: Vi3 MLP: O frag C064 size 57 encsize
Leonardo Souza wrote on Thursday, August 30, 2007 4:23 PM:
Hi mates.
Maybe somebody can help me.
I configured MLPoATM and LFI.
According to this debug, can I be sure both the routers are doing
fragmentation?
Router#
*Mar 1 18:27:12.420: Vi3 MLP: I frag C041 size 49 encsize
We have a pair of 6509's running 12.1(27b)E1 native mode, each with a CSM
running 4.2(6) in FT mode.
Can anyone comment on the behavior of the CSMs during failover? In the
section on doing a hitless upgrade in the CSM 4.2 Configuration Guide[1],
it's described as not resulting in any major
Hello
I'm attempting to use IP SLA on an 877W with IOS 12.4(11)XJ3 to run DHCP
requests from a specific VRF. I'm setting rttMonEchoAdminVrfName to the
correct VRF, but when performing a set operation, I get NOSUCHINSTANCE
returned.
More detail:
I can ping successfully from the same VRF when
Hi, when doing a show interface you of course get a 5 minute average
(depending on what you have your interval set to). How many samples are
taken over that 5 minute period to generate that average? It's obviously
not a sample every 5 minutes because the effects of changes of traffic flow
It is actually sampled every 5 seconds and then uses a weighted
equation to weigh the samples taken more recently higher.
See this CCO link:
http://www.cisco.com/en/US/docs/ios/12_1/configfun/command/reference/frd3003.html#wp1018413
Brandon Bennett
On 8/30/07, Scott Granados [EMAIL
We have a pair of CSMs running 4.2(4) in 6509s running 12.2(18)SXF6.
During initial testing, I was able to telnet to port 80 on one of the
RIPs and fail it over, and my telnet session stayed open. The most loss
I've seen is a few packets, but I've never lost any connections that
were already
Perfect, thank you!
- Original Message -
From: Brandon Bennett [EMAIL PROTECTED]
To: Scott Granados [EMAIL PROTECTED]
Cc: cisco-nsp@puck.nether.net
Sent: Thursday, August 30, 2007 11:22 AM
Subject: Re: [c-nsp] how many samples in a 5 minute interface average?
It is actually sampled
Message: 3
Date: Thu, 30 Aug 2007 10:32:05 -0400
From: Drew Weaver [EMAIL PROTECTED]
Subject: Re: [c-nsp] DDOS, router acted oddly.
To: cisco-nsp@puck.nether.net cisco-nsp@puck.nether.net
Message-ID:
[EMAIL PROTECTED]
Content-Type: text/plain; charset=us-ascii
More information, the
They show up on my account.. (as well as 12.4(15)T1).
Maybe the system was just fubar at the time?
Perhaps. Either that or I was just been thrown off by only 12.4(15)T and
not a 12.4(15)T1 rebuild and got paranoid.
Not sure how many people got the boot ROM update to get more than 128M
of
The general consensus is to prepend routes with AS3356 in the path that
don't originate from L3. So to make sure I've got the right logic and
regex in mind to work into my existing config:
ip as-path access-list 100 permit _3356_
!
route-map IN-COX-1 deny 5
match ip address prefix-list
Correct.
I sent ping packets with 1500 bytes.
My problem is that on the other side, I see no debug output for MLP (events,
fragments etc...).
By the way, it's a C10K.
It seems a bug. I don't know...
Regards.
Oliver Boehmer (oboehmer) [EMAIL PROTECTED] wrote:
Leonardo Souza
My experiences are quite similar. I'm running 4.1(6) on 12.2(18)SXF7
(There were issues with the 4.2 code when we tried to deploy this
last year and Cisco advised us at the time to stick with 4.1. I'm
sure now, months later, 4.2 is fine.).
I successfully failed over and failed back while
Christian Zeng wrote:
To lock users into a specific VPN group, set
[3076\033] IPSec-User-Group-Lock
to ON and deliver the VPN group name within
[3076\085] Tunnel-Group-Lock
Afaik, the method with the class attribute (OU=) does not work for
the ASA. Of course, group lock does not help if
Message: 2
Date: Thu, 30 Aug 2007 11:06:41 -0700
From: Scott Granados [EMAIL PROTECTED]
Subject: [c-nsp] how many samples in a 5 minute interface average?
To: cisco-nsp@puck.nether.net
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; format=flowed; charset=iso-8859-1;
Hi,
I just upgraded a 7206 NPE 300 router running IOS (C7200-JK9S-M),
Version 12.2(15)T17 to an NPE G1 running (C7200-JK9S-M), Version
12.4(16).
I changed nothing in the configuration except for the interface names
(Fa0/0 became Gi0/1).
I was sure the new one had all that the old one had, I had