Dear all,
Please advise if there is any configuration template to enable both telnet and
ssh to have access right into router VTY lines.
Regards,
Tony
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
oh yes most definitely.
If it's too rough as well, check out zabbix and there is one more I
can't remember(let me google this) ah yes Zenoss which can integrate
with google maps
Cheers
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Aaron Riemer
Sent:
tony kam wrote:
Dear all,
Please advise if there is any configuration template to enable both telnet and ssh to have access right into router VTY lines.
What do you mean by right into?
--
Alex Balashov
Evariste Systems
Web: http://www.evaristesys.com/
Tel: (+1) (678) 954-0670
If the switch is purely Layer 2, it would be difficult to classify VoIP
traffic ipso facto, as the factors that differentiate it from other
kinds of traffic are, by definition, = Layer 3.
About the only thing you can do there is use segregated VLANs, and/or
take advantage of the native voice
Jay Nakamura wrote:
What about going with an ASA? Much more performance for the money. But it
depends on what all you want to do on the router. IOS is a lot more
flexible on what you can do.
But, an ASA or PIX is far more optimised for NAT and ACL duty.
--
Alex Balashov
Evariste Systems
Try Opsview. Very nice clean GUI for nagios, nagiosgraph, and MRTG.
Aaron Riemer wrote:
Hi James,
Yes I thought about nagios. Is it possible to put your own background
map in and then position nodes on the map?
Thanks for the suggestion.
Cheers,
Aaron.
-Original Message-
Tseveendorj Ochirlantuu wrote:
Is it possible to choose RTP port on AS5350XM?
for example: don't use all ports 16000-6 on gateway. Only use between
16000-17000.
Not natively, but you could probably do this using NAT on the outgoing
interfaces. Although, for various performance
It meant users can use either telnet or ssh client to log into router VTY
lines. Besides, I think it is possible to use ACL to control which user group
can use telnet and which user group can use ssh.
Please advise if you have such sample configuration.
Date: Fri, 5 Sep 2008 02:25:18 -0400
All logins are on VTYs, so that qualification is not needed.
Check out:
http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/mgaccess.html
tony kam wrote:
It meant users can use either telnet or ssh client to log into router
VTY lines. Besides, I think it is possible to use
Howdy all,
Anyone know if it's possible to get an ASA to spit out the group name in an
av-pair via radius when authenticating a user? (in this case webvpn).
The issue i'm having is multiple clients on the one ASA authenticating via
IAS/AD and the possibility of overlapping usernames
Whoops, that was for ASAs.
Try:
http://articles.techrepublic.com.com/5100-10878_11-5875046.html
http://www.cisco.com/en/US/products/sw/iosswrel/ps1818/products_configuration_example09186a0080204528.shtml
Alex Balashov wrote:
All logins are on VTYs, so that qualification is not needed.
Check
hi all,
firstly i've read the threads about monlib etc, i tend to make it
standard practice to format the flash card in whatever chassis it is
currently in before use, however in this case, i can't even format the
flash cards. we are talking about genuine sandisk 1GB which seem to
work ok
On Fri, 2008-09-05 at 14:08 +0800, tony kam wrote:
Dear all,
Please advise if there is any configuration template to enable both
telnet and ssh to have access right into router VTY lines.
...
line vty x y
transport input telnet ssh
...
hth,
roy
Alex Balashov wrote on Friday, September 05, 2008 8:28 AM:
If the switch is purely Layer 2, it would be difficult to classify
VoIP traffic ipso facto, as the factors that differentiate it from
other kinds of traffic are, by definition, = Layer 3.
Well, even a Layer 2 switch can classify
Also take a look at Zenoss
www.zenoss.org
Aaron
-Original Message-
From: [EMAIL PROTECTED] [mailto:cisco-nsp-
[EMAIL PROTECTED] On Behalf Of Daniel Hooper
Sent: Friday, 5 September 2008 12:55 PM
To: Aaron Riemer
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Dashboard Network
MPLE TE should be in RLS3; probably EoMPLS too.
--
Tassos
Ben Steele wrote on 05/09/2008 07:45:
I'm pretty sure it is scheduled for release in an upcoming update, I know
there was lots of hmmm's when I saw the list of current unsupported
technologies during our company's presentation, but I
Oliver Boehmer (oboehmer) wrote:
Alex Balashov wrote on Friday, September 05, 2008 8:28 AM:
If the switch is purely Layer 2, it would be difficult to classify
VoIP traffic ipso facto, as the factors that differentiate it from
other kinds of traffic are, by definition, = Layer 3.
Well, even
Hi,
Please advise if there is any configuration template to enable
both telnet and ssh to have access right into router VTY lines.
Do you mean like this, or are you talking about something else?
!
line vty 0 4
transport input telnet ssh
!
crypto key generate rsa general-keys modulus 2048
!
Just upgraded our FWSM to version 3.1.11 after 3 random crashes in a
month. Now we are thinking about buying a second FWSM to do failover in
order to limit downtime and facilitate upgrades : most of our servers
are connected to the 6513 carrying this FWSM.
We use the 2 standard virtual contexts
Noticed that the 3750 ios 12.2(46)SE release supports the disabling of
mac address learning per vlan. Does anyone have any experience with
this release yet?
The feature seems to have been introduced earlier in the 3650s and has
obviously been in ME switches for a while.
I think more specifically, he wanted to be able to permit a particular group
of users to use telnet and another to use ssh.
While I'm not sure why it'd be good to use telnet when ssh is available, I
suppose it would be possible to apply an ACL on the VTYs to deny access to
telnet/ssh as required.
Ang Kah Yik wrote:
I think more specifically, he wanted to be able to permit a particular group
of users to use telnet and another to use ssh.
While I'm not sure why it'd be good to use telnet when ssh is available, I
suppose it would be possible to apply an ACL on the VTYs to deny access to
I can't see why you should use an extended acl to do that. transport
input telnet ssh should allow access only through those two
protocols, so filtering that through an ACL is a bit redundant in my
opinion.
You should be able to use a standard acl like:
ip access-list standard vty
permit
Allan Eising wrote:
I can't see why you should use an extended acl to do that. transport
input telnet ssh should allow access only through those two
protocols, so filtering that through an ACL is a bit redundant in my
opinion.
You should be able to use a standard acl like:
ip access-list
Noticed that the 3750 ios 12.2(46)SE release supports the disabling of
mac address learning per vlan. Does anyone have any experience with
this release yet?
The feature seems to have been introduced earlier in the 3650s and has
obviously been in ME switches for a while.
The feature has
On Fri, 5 Sep 2008, Holemans Wim wrote:
Just upgraded our FWSM to version 3.1.11 after 3 random crashes in a
month. Now we are thinking about buying a second FWSM to do failover in
order to limit downtime and facilitate upgrades : most of our servers
are connected to the 6513 carrying this
But make sure you do:
config t
int null 0
no ip unreachables
The ACL drops are, last I checked, rate limit punts.
If it's high CPU at IP Input really need 12.4(20)T and get
a sniffer trace in the punt path to see what traffic it really is.
Rodney
On Thu, Sep 04, 2008 at 03:46:23PM -0400,
You could pass the group as a realm to the RADIUS server by having the
users log in as [EMAIL PROTECTED] The RADIUS server could authenticate them
and return a Class=OU=GROUP; attribute to map them properly.
You could also provide a group list to the user:
Hi,
On Fri, Sep 05, 2008 at 09:52:05AM +1000, Brett Clausenhauf wrote:
I've since tried other ports (Port 23 for example) it still does the same
thing. This has got me stumped... I cannot figure out why it needs the group
command to stay working.
telnet (xinetd/tcpd) usually does a DNS
I'm running 3.2(6) fairly well in production. I would go up to 3.2(4) or
better.
tv
- Original Message -
From: Holemans Wim [EMAIL PROTECTED]
To: cisco-nsp@puck.nether.net
Sent: Friday, September 05, 2008 3:35 AM
Subject: [c-nsp] FWSM failover transparent mode
Just upgraded our
Hi guys,
Could anyone advise free WAN (wide area network) emulator software. I
need to find solution for the following reason. We have some network
application and we want to know how good this applications work over
the WAN with predefined parameters. The better emulator must support
operations
Cisco actually is pretty honest about the performance of the routers with
most/all security features enabled if you go to the QA section of the
product pages and click on router model and look for the question What is
the performance of router XX?. At which point, they'll state that a
Cisco
The opensource options are dummynet on BSD:
http://info.iet.unipi.it/~luigi/ip_dummynet/
Which is good for emulating links 100Mb or slower, I think it needs
patches if you are going to emulate long fat pipes. I used the boot
floppy, it is easier to use if you have some unix experience.
or
Zenoss has two versions, Zenoss Community (free) and Zenoss Enterprise
(not free). The only notable feature, for network management, I see
in Zenoss Enterprise is the RANCID ZenPack.
The community version is pretty full featured, and looks very cool (I
tested it out for a few days).
I have two 2811s with a full view on each and partial for ibgp, no issues.
Justin M. Streiner wrote:
On Thu, 4 Sep 2008, Dan Letkeman wrote:
I was wondering if anyone has recommendations for a 2800 series router
for a 20-30mbit internet
I would agree.
I've actually found they are a little conservative in their numbers from
their concentrators up to the routers.
tv
- Original Message -
From: Matthew Marlowe [EMAIL PROTECTED]
To: 'Buhrmaster, Gary' [EMAIL PROTECTED]; 'Dan Letkeman'
[EMAIL PROTECTED]; [EMAIL
[EMAIL PROTECTED] wrote:
Noticed that the 3750 ios 12.2(46)SE release supports the disabling of
mac address learning per vlan. Does anyone have any experience with
this release yet?
The feature seems to have been introduced earlier in the 3650s and has
obviously been in ME switches for a
We just moved to Zenoss Ent for server monitoring, and I think it was a
great move. In my tests however, Zenoss simply didn't cut it for
managing/monitoring our network devices - at least not without weeks of
template customization. So my search for the ultimate NMS for network
devices
On Thursday 04 September 2008 22:52:41 Ted Mittelstaedt wrote:
They need a solid ground and suppression such as varistors
connected between that ground and both wires of the pair
that the SHDSL line is on. If you can get the specific
code requirements for your municipality you can threaten
to
Not to hijack this thread, but what modules are you using for server
connectivity in your 6513? We deployed some 6513s as SF switches long
ago (bad decision), and are now swapping them out with the 6509-E
chassis due to the need for additional performance (6748s in all
slots).
--
Eric Cables
Hi,
Is anyone out there using Zenoss for network monitoring? How do you like it?
I worry that I find myself spending too long trying to get
a huge variety of monitoring systems actually working - and
then configured to work properly and 'look nice' or be usable
by our local community (eg
I think there are a few differences between these. The command docs say
the following about RSPAN VLANs:
- All traffic in the RSPAN VLAN is always flooded.
- No MAC address learning occurs on the RSPAN VLAN.
- RSPAN VLAN traffic only flows on trunk ports.
- RSPAN VLANs must be configured in
Hi, I have a 7200 terminating some pppoe customers using BBA-GROUP.
Everything is working and has been working without any issues. However
digging around I came across a weird problem. It seems that from the 7200
terminating router I can't ping any of the pppoe user's ip addresses but I
can from
We experienced the reboots too; there are also bugs in this revision code
train for ethertype ACLs. We migrated to 3.2(4) all is fixed.
Regards,
Ge Moua | Email: [EMAIL PROTECTED]
Network Design Engineer
University of Minnesota | Networking Telecommunications Services
-Original
48 port 10/100/1000mb EtherModule WS-X6148-GE-TX
Bought them without knowing about the 8port 1Gig limit ;
We plan to replace this construction next year with a VSS solution, type
of 65XX not yet chosen.
Wim Holemans
-Original Message-
From: Eric Cables [mailto:[EMAIL PROTECTED]
[EMAIL PROTECTED] wrote:
Hi,
Is anyone out there using Zenoss for network monitoring? How do you like it?
I worry that I find myself spending too long trying to get
a huge variety of monitoring systems actually working - and
then configured to work properly and 'look nice' or be
On Fri, Sep 05, 2008 at 04:36:08PM +0200, Nic Tjirkalli wrote:
howdy ho,
But make sure you do:
config t
int null 0
no ip unreachables
The ACL drops are, last I checked, rate limit punts.
this is interesting - there is a good article detailing cef and CPU
punting at :-
6748s here. The customer was considering VSS but it didn't/doesn't support
FWSM and ACE. So, he's stuck for a bit.
tv
- Original Message -
From: Eric Cables [EMAIL PROTECTED]
To: Holemans Wim [EMAIL PROTECTED]
Cc: cisco-nsp@puck.nether.net
Sent: Friday, September 05, 2008 11:58 AM
Hey Everyone,
I'm running into an issue on a 1841 router where I have an internet feed
coming into one of the integrated switchports. I have the vlan that
the switchport is configured in as a EtherSVI with a public IP address.
I need to configure a policy-map with QoS but it appears you
you can also try a weather map like below...
http://www.network-weathermap.com/
http://netmon.grnet.gr/weathermap/#docs
On Thu, Sep 4, 2008 at 9:00 PM, Aaron Riemer [EMAIL PROTECTED] wrote:
Hi Guys,
Is anyone out there using any open source or free dashboard network
monitoring software? I
On Friday 05 September 2008 12:36:33 Paul A wrote:
Hi, I have a 7200 terminating some pppoe customers using BBA-GROUP.
Everything is working and has been working without any issues. However
digging around I came across a weird problem. It seems that from the 7200
terminating router I can't
Hello,
Paul A wrote:
Hi, I have a 7200 terminating some pppoe customers using BBA-GROUP.
Everything is working and has been working without any issues. However
digging around I came across a weird problem. It seems that from the 7200
terminating router I can't ping any of the pppoe user's ip
Gotcha, I guess the interface showing down/down was weird to me because I
have used other virtual-templates that were always up, but looking back it's
because they were ip unnumbered from a real interface this L1/L2 stats.
As for the pings I sourced them from multiple ips/interfaces and I still
Phil, I was thinking that might be the issue and once I assigned an ip it
worked and now I can ping. I was testing from a source interface that was up
with an ip and wasn't getting replies but that's because it was sending
replies to the helper interface.
Thanks for pointing that out to me.
Good afternoon.
After lots of searching, I found that bridging over GRE tunnels is
configurable, but unsupported. (yes, really:
+
cr1-5509-rsfc-1(config)#bridge 1 protocol ieee
cr1-5509-rsfc-1(config)#int tu0
cr1-5509-rsfc-1(config-if)#bridge-group 1
1d04h: %LINEPROTO-5-UPDOWN: Line
Hi,
On Fri, Sep 05, 2008 at 01:54:07PM -0400, Jim McBurnett wrote:
Great...
For the G1-- all we need is BGP and Ethernet-- Nothing special..
Metro E fiber inbound and FIBER out...
I'd go for 12.3(latest) main line. 12.2S/SB/SR will have lots more nice
features, as will have 12.4/12.4T, but
for the 7200 with just bgp why not use 12.0S?
On Fri, Sep 5, 2008 at 6:01 PM, Gert Doering [EMAIL PROTECTED] wrote:
Hi,
On Fri, Sep 05, 2008 at 01:54:07PM -0400, Jim McBurnett wrote:
Great...
For the G1-- all we need is BGP and Ethernet-- Nothing special..
Metro E fiber inbound and
Hi All.
Am I just out of luck or is there something pulling my leg?
I’ve got 3 vpn3002 hardware clients, and I can’t change the password of the
user on any of them. Or rather they won’t save the password for the user right.
When I set them up for they connect fine and all works well, I can
I just went back and forth with TAC regarding IPv6 support on an 877W.
Ultimately, the problem was that there isn't any support for IPv6 IRB, and
IRB is the only way to put the wireless radio on the same segment as the
ethernet ports. Boo. I found a bug id in the c-nsp archives (CSCej50923)
about
Problem with the group selection method is via a debug radius I don't see it
send any attribute about the group to RADIUS(I did try this way at first)
and therefore I can't get RADIUS to match on a group as well as user/pass,
the [EMAIL PROTECTED] might be an option, have you tried this before by
Zenoss is open source.
But you are able to purchase a support contract if your organisation
requires that kind of thing (ours does)
Thanks,
Aaron
-Original Message-
From: Aaron Riemer [mailto:[EMAIL PROTECTED]
Sent: Friday, 5 September 2008 6:50 PM
To: Aaron Daniels - Lists;
Yep weathermap looks awesome. Do you know if it's possible for the map to
change the icon of a site if it is down or unreachable? That would be
awesome :)
Aaron.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Christian Koch
Sent: Saturday, September 06,
We're doing exactly that, although with Radiator vs IAS.
Dave
Ben Steele wrote:
Problem with the group selection method is via a debug radius I don't see it
send any attribute about the group to RADIUS(I did try this way at first)
and therefore I can't get RADIUS to match on a group as well
Is there a reason why I would not be receiving BGP communities? Upstream
says they are sending, but I don't see anything. The only communities I
can see are the ones from my cymru bogon route server neighbors.
Upstream's end is a Juniper, if that makes a difference.
I feel like I'm missing
Ben Steele wrote:
Problem with the group selection method is via a debug radius I don't see it
send any attribute about the group to RADIUS(I did try this way at first)
and therefore I can't get RADIUS to match on a group as well as user/pass,
the [EMAIL PROTECTED] might be an option, have you
65 matches