Hi,
On Fri, Feb 06, 2009 at 04:02:04PM -0500, Alex Balashov wrote:
> >(If you do this, ICMPs sourced by the remote router will send their
> >packets with an RFC1918 source address, which is strictly not allowed.
> >If you filter those packets, you'll break traceroute and PMTUd).
>
> I find that t
Hi,
On Fri, Feb 06, 2009 at 05:08:47PM -0600, Justin Shore wrote:
> Gregory Boehnlein wrote:
> >This is very similar to what we do. While we have several customers that
> >need larger subnets, the majority of our customers are using IP Unnumbered.
> >
> >In some cases, we will provide the customer
Hi,
On Fri, Feb 06, 2009 at 04:32:03PM -0600, Justin Shore wrote:
> Gert Doering wrote:
> >I can only second this. If you have a dedicated point-to-point interface
> >for things, tacking the route on the interface is usually more robust than
> >pointing towards a gateway IP that might not be the
Has the Cisco AXSM line reached end of life?
--
regards,
Nathaniel Bernadeau
Gallant Systems, LLC
11064 Livingston RD Suite 106-C
Fort Washington, MD 20744
Toll Free: 888-836-3751
Ph: 301-627-6358
Fax: 240-823-6897
Cell: 202-246-2229
nbernad...@gallantsys.com
www.gallantsys.com
Justin Shore wrote:
That's not a bad idea. Though wouldn't pointing a default at an
interface force it to ARP constantly? Several hundred CEs ARPing
non-stop could be a load issue on your PE.
It's a serial interface. It doesn't ARP :-)
Thanks for the response...
What we have today is ACL's on the 6500's and then iptables on the Linux
boxes for example. This has worked fairly well and is basic to administer.
My underlying goal is to have an inline IDS solution that will actively
block (inline) on configured severe signatures - o
>> We send our default route out of the interface, rather than to the remote
>> gateway IP, so if we change the
>> ip of the loopback on our side, we do not need to adjust anything for the
>> customer.
>
> That's not a bad idea. Though wouldn't pointing a default at an
> interface force it to ARP co
Gregory Boehnlein wrote:
This is very similar to what we do. While we have several customers that
need larger subnets, the majority of our customers are using IP Unnumbered.
In some cases, we will provide the customer a /29 if they need additional
external IP addresses, but the configuration on
I would highly recommend keeping some sort of firewall to ACL/NAT
upstream from your hosts...I personally don't put a lot of stock into
host-based firewalling as one's sole means of protection. If the FWSM
didn't serve you well (all my problems with FWSM went away since 3.1.6),
you could look into
Yes, we exclude .255 and .0 in all our DHCP pools. I make sure to not
hand that out manually too. One good thing about IP unnumbered is that
I have to point a static route for the customer's assigned IP at their
interface. This lets me use uRPF again and eliminates the need for a
customer in
Gert Doering wrote:
I can only second this. If you have a dedicated point-to-point interface for
things, tacking the route on the interface is usually more robust than
pointing towards a gateway IP that might not be there, or might be learned
recursively over another interface, etc.
I'm going
Hi there...
Our server farms hang off a pair of 6509's today. The SVI interfaces are
redundant with HSRP for each VLAN that feeds the servers Sup2/MSFC2
running native IOS.
So, we're looking for IDS/firewall solutions to protect a few of the VLAN's
in particular. We did have a pair of FWSM'
Most likely the 5 routes are not reachable. If you just added the routes via
a supernet advertisement
and they do not exist elsewhere, either locally connected or learned via an
IGP this behavior will happen.
This is normal and the correct way for BGP to operate.
mike
On Fri, Feb 6, 2009 at 12:4
Alex Balashov wrote:
Gert Doering wrote:
Hi,
On Thu, Feb 05, 2009 at 08:48:35PM -0500, Alex Balashov wrote:
There is no reason why you need to "waste" IP address on the /30s -
who said they have to be public IPs? Just carve out some address
space out of a 10.0.0.0/8 range and use private tra
Gert Doering wrote:
Hi,
On Thu, Feb 05, 2009 at 08:48:35PM -0500, Alex Balashov wrote:
There is no reason why you need to "waste" IP address on the /30s - who
said they have to be public IPs? Just carve out some address space out
of a 10.0.0.0/8 range and use private transport IPs.
RFC191
Hello Paul:
>
> Paul A wrote:
> > Hi, I'm having a bgp issue I can't figure out and hoping someone has ran
> > into this.
> >
> >
> >
> > I have two routers, router A and router B doing bgp.
> >
> >
> >
> > Router A is advertising 5 routes to router B, when the session 1st comes up,
> > router
>> You can add lines if you use sequence numbers on your acl. What version
>> are you using
>>
>>
I have old rule in the switch but don't know how to add new rule in
the same access-list
When I add new deny rule, it will be put at the end of the
access-list
If I re
I'm sure this is something simple, but I'm not quite seeing it...
I need some help adding a device to an existing, recently created vlan.
Here is the fragment of our network:
[core 4507] -> [8540] -> [3550] -> [1230 WAP]
[configuration excerpts are below]
The 1230 access point described is at
I would turn on debugging and see if 1:15m corresponds to one of the BGP
nexthop scanning or other events. Don't leave debugging on any longer
than needed on production systems. If you can replicate in a lab
scenario, that would be ideal. One thing that looks odd, is that you
have 2 different up
Phil I have a similar config on a few 6500 switches running SXF10 and it
appears to be doing its job. My config is quite similar to yours sans
MPLS. These same switches also do local SPAN to a couple of 10G ports.
C6506E with Sup720-3BXL running 12.2(18)SXF10
vlan access-map VLAN110-MAP 10
matc
Thanks Walter.
I really didn't want to mess with debug as it's a production router and I
would have to do this late night, hopefully without crashing it. I really
was hoping someone ran into this issue before.
FYI the 1st update-source is from router A to my bgp customer on fa1/43 the
other is fr
Hi, I'm having a bgp issue I can't figure out and hoping someone has ran
into this.
I have two routers, router A and router B doing bgp.
Router A is advertising 5 routes to router B, when the session 1st comes up,
router B has 5 routes received from router A. After 1:15 min the learned
rout
Hi all,
I am configuring a Cisco 7600 router as DHCP server for my broadband clients. I
am using DHCP snooping and ARP inspection for security reasons and the leased
time expiration is set for 30 minutes and no excluded-address is configured.
The problem is that I still can see some clients IP
Hi,
I have to give a talk tomorrow that includes a demo/lab with some MPLS VPN
stuff.
I brought a 3750-Metro and a 3560 with me (both running latest code) but just
noticed the 3560s do not support MPLS VPNs at all.
So I'm urgently looking for some MPLS VPN capable device (acting as PE),
prefer
On Friday 06 February 2009 07:53:26 RAZAFINDRATSIFA Rivo Tahina wrote:
> Dear All,
>
> I'm multihomed to 2 upstreams, from time to time, 1 link is full
> while the other has half of its capacity unused, as of now, I have to
> manual announce of /24 to try to balance traffics, are there more
> intel
I would love you to be right, but it is indeed tracking inside the right vrf
I am changing the @IP in the paste below voluntarily (public ips...)
I have pretty similar config running on 6509 12.2.33sxh without this behavior.
The only difference is my 6509 use newer style config (ip sla monitor foo
Someone would say use PfR, but I'm not this one ;)
Great potential, awkward configuration.
--
Tassos
RAZAFINDRATSIFA Rivo Tahina wrote on 06/02/2009 14:53:
Dear All,
I'm multihomed to 2 upstreams, from time to time, 1 link is full while
the other has half of its capacity unused, as of now, I
I'm multihomed to 2 upstreams, from time to time, 1 link is full while the
other has half of its capacity unused, as of now, I have to manual announce
of /24 to try to balance traffics, are there more intelligent way to do
that?
depending on which direction it gets full
you can use dmz-bandwid
Dear All,
I'm multihomed to 2 upstreams, from time to time, 1 link is full
while the other has half of its capacity unused, as of now, I have to
manual announce of /24 to try to balance traffics, are there more
intelligent way to do that?
Regards.
Hello
I have a requirement for a number of low-cost 8 or 24-port PoE switches
on which Cisco 7940 and 7941 IP phones will work successfully. Ideally
they need to support a few VLANs and dot1q, and don't *have* to be Cisco.
Does anyone have recommendations, to save me spending ages buying and
Thanks Arie,
It was a clock issue on modem.
Regards.
At 21:37 22/01/2009, Arie Vayner (avayner) wrote:
No. A regular cable should be fine.
Arie
-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of RAZAFINDRATSIFA
Rivo Tahin
Yes, we use Orion Network Configuration Management (old Cirrus) and love it!
The last release finally has a fairly slick web interface...
Paul
-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Eric Van Tol
Sent: February 6,
Okay then I guess it happens because you didn't specify the vrf in your sla
configuration.
ip sla monitor 1
type xx
vrf x
I don't know if the 3560 can do that (my guess is no) :)
Can you post your sla config?
2009/2/6
> Just tried : it still installs the route with "global" flag
> ip route vr
> -Original Message-
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-
> boun...@puck.nether.net] On Behalf Of Joe Loiacono
> Sent: Thursday, February 05, 2009 4:57 PM
> To: Cisco-NSP Mailing List
> Subject: [c-nsp] Rancid and commercial config management tools
>
> I realize RAN
Just tried : it still installs the route with "global" flag
ip route vrf Internet 192.168.0.0 255.255.255.0 Vlan999 9.9.9.9 global track 2
Selon Wouter Prins :
> Can you try to specify the outgoing interface in your static vrf route and
> test again?
>
> 2009/2/6
>
> > Hey,
> >
> > Got a stran
Can you try to specify the outgoing interface in your static vrf route and
test again?
2009/2/6
> Hey,
>
> Got a strange behavior on a C3560 12.2(35)SE5.
>
> I am locally attached interface to 9.9.9.0/24 network where my next hop
> 9.9.9.9
> is. This interface is member of vrf Internet
>
> I hav
Hey,
Got a strange behavior on a C3560 12.2(35)SE5.
I am locally attached interface to 9.9.9.0/24 network where my next hop 9.9.9.9
is. This interface is member of vrf Internet
I have a vrf static route, working perfect :
ip route vrf Internet 192.168.0.0 255.255.255.0 9.9.9.9
As soon as I rem
Alex Balashov writes:
> There is no reason why you need to "waste" IP address on the /30s -
> who said they have to be public IPs? Just carve out some address
> space out of a 10.0.0.0/8 range and use private transport IPs.
You risk that ICMP comes from those addresses. This could happen with
t
Justin,
just be sure not to assign .255 address to the customer, windows is
buggy there: http://support.microsoft.com/kb/281579
We've been bitten there.
Best Regards,
-mat
--
pgp-key 0x1C655CAB
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
htt
Hi,
On Fri, Feb 06, 2009 at 10:48:10AM +0100, Oliver Boehmer (oboehmer) wrote:
> this name stays local to the router, and was/is required for Large-Scale
> Dial-out (LSDO) where the router performed an AAA/Radius request to
> retrieve dial information, and used the name for this..
Ah, so you put
Gert Doering <> wrote on Friday, February 06, 2009 10:39:
>> ip route X.X.X.X 255.255.255.248 Serial10/1/0/3:0 name CustomerRouteA
>
> One can tack a *name* to routes? Need to test this :-)
>
> Does this name get carried in IGPs? Or is it just there in the config
> to document things?
this na
Hi,
On Thu, Feb 05, 2009 at 08:48:35PM -0500, Alex Balashov wrote:
> There is no reason why you need to "waste" IP address on the /30s - who
> said they have to be public IPs? Just carve out some address space out
> of a 10.0.0.0/8 range and use private transport IPs.
RFC1918 (indirectly) sa
Hi,
On Thu, Feb 05, 2009 at 08:09:43PM -0500, Gregory Boehnlein wrote:
> We send our default route out of the
> interface, rather than to the remote gateway IP, so if we change the ip of
> the loopback on our side, we do not need to adjust anything for the
> customer.
I can only second this. If
Hi,
On Thu, Feb 05, 2009 at 06:01:09PM -0600, Justin Shore wrote:
> I'm curious to see what everyone's take is on handling the addressing of
> customer-facing DS1s.
We run all our customers "ip unnumbered", whether it's E1/E3 or DSL
customers. Since the first 64 kbit ISDN leased line...
Exce
Hi,
On Thu, Feb 05, 2009 at 04:50:47PM +, Gary Roberton wrote:
> Can someone look up which AS is advertising the 146.105.0.0 /16 network for
> me, thanks.
Try: "telnet route-views.oregon-ix.net" and then "show ip bgp ..."
route-views.oregon-ix.net>sh ip b 146.105.0.0
BGP routing table entry
Hi,
On Thu, Feb 05, 2009 at 08:49:58AM -0800, Jay Hennigan wrote:
> You don't. You do it in the router. A layer 2 switch is unaware of IP
> addresses or applications with regard to traffic passing through the
> switch. Because the switch doesn't examine or process IP address,
> protocol, or
Hi,
> Like I said, if he doesn't have sequences (which based on the
> information given in the original question I can only assume he doesn't
> have an IOS that supports it on old-skool access lists).
edit the access list on a tftp server and then eg
copy tftp://server/accesslist-name.acl runni
We have this config on a 6500/sup720
int Vlan3799
description upstream
ip address ...
int Vlan4000
description core
ip address ...
mpls ip
vlan filter CAPTURE_HTTP vlan 3799
int Gi9/1
switchport
switchport mode access
switchport access vlan 3799
switchport capture
switchport capture al
Hi.
> What is the easy way to put access-list for permit and deny to access http
> in the router?
If you want an *easy* way, you can protect the http process with an ACL:
ip http access-class
See:
http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_08.html#wp1020105
This not as "