On Sunday 15 March 2009 04:40:27 am Tim Durack wrote:
Guess this is due to the lack of IPv6 LDP. Hopefully this
will get fixed sooner rather than later.
The draft is already out.
Indications from the leading vendors are that it'll be in
the code by the end of the year.
Your guess is as good
Hi,
On Sat, Mar 14, 2009 at 08:34:07PM -0500, Justin Shore wrote:
7201-1.dc(config)#service unsupported-transceiver
It's a switch thing.
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich,
I am getting full internet route from ISP-1 and getting just a default
route from ISP-2. (Both ISP connections are terminated on the one central
site router.) What I am trying to do is to make the ISP-2 connection
completely backup for inbound traffic. To achieve that, I am trying to use
BGP
I'm trying to run netflow on one of our Cisco core routers (SUP720-3BXL with
SXF15a), but I think I am hitting some limitations because of this:
%EARL_NETFLOW-SP-4-TCAM_THRLD: Netflow TCAM threshold exceeded, TCAM
Utilization [99%]
The setup of netflow looks like this (globally):
ip
Burak,
ip as-path access-list 1 permit ^200 !!! (ISP-1 AS number) !!!
access-list 65 permit any !!! (permit any packet from ISP-2) !!!
route-map NON-EXIST permit 10 !!! (this matches any route from AS200) !!!
match ip address 65
match as-path 1
you can match only on ACL and prefix-list int
Gert Doering wrote:
Hi,
On Sat, Mar 14, 2009 at 08:34:07PM -0500, Justin Shore wrote:
7201-1.dc(config)#service unsupported-transceiver
It's a switch thing.
D'oh! You're breaking my heart, Gert.
Justin
___
cisco-nsp mailing list
Hi,
Does anyone here have any real world experience with Cisco Guard or other
products such as Arbor's Peakflow that they can share?
If you've tried multiple systems and ended up with a specific one, please share
the reasoning behind it.
Also, without a dedicated DDoS system deployed, what is
Hi,
On Sunday 15 March 2009 15:45:30 Andy BIERLAIR wrote:
I'm trying to run netflow on one of our Cisco core routers (SUP720-3BXL
with SXF15a), but I think I am hitting some limitations because of this:
mls aging fast time 5 threshold 32
On Mar 15, 2009, at 11:54 PM, Drew Weaver wrote:
Also, without a dedicated DDoS system deployed, what is the most
reliable/fastest way to determine the destination(s) of the attacks
(SNMP, NetFlow, etc)?
With or without a dedicated DDoS mitigation system, NetFlow-based
anomaly-detection
I am not sure if I can upgrade this box to SXH. It would help, since a lot
of interfaces on that box are for customers who don't need the flow
counting.
This is a critical environment and I cannot afford the downtime and possible
side effects with a new IOS I haven't tested so far.
The mission I
On Mar 16, 2009, at 12:39 AM, Roland Dobbins wrote:
Arbor Peakflow SP, Narus Insight Manager, and Lancope StealthWatch
Xe are three commercial NetFlow-based anomaly-detection systems.
I forgot to add Q1 Labs Q1Radar, and I believe NetQoS now have an
anomaly-detection module, as well,
Hi,
On Sunday 15 March 2009 17:46:52 Andy BIERLAIR wrote:
This is a critical environment and I cannot afford the downtime and
possible side effects with a new IOS I haven't tested so far.
I understand - quite a few threads related to SXH bugs
Hi Mateusz,
For better understanding, I have attached the topology screenshot and the
router's configuration files. (By the way, this is a lab config.)
In the attached router's configuration,
access-list 65 permit 172.16.1.0 0.0.0.255
command is used and with this command bgp conditional
Searching for netflow ids
(http://www.google.com/search?q=netflow+ids&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a)
returns some very interesting results.
Roland Dobbins wrote:
On Mar 15, 2009, at 11:54 PM, Drew Weaver wrote:
Also, without a dedicated DDoS system deployed, what is the most
reliable/fastest way to determine the destination(s) of the attacks
(SNMP, NetFlow, etc)?
With or without a dedicated DDoS mitigation system,
Hi,
On Sun, Mar 15, 2009 at 07:04:26PM +0100, Andreas Bourges wrote:
I understand - quite a few threads related to SXH bugs appeared on the list,
but most of them seem to be fixed in SXH3 if I remember correctly...
SXH3a. SXH3 has the BGP ghost bug.
(SXI has slow memory leaks in BGP, at
You can't use permit any because it would match any route in the IP
routing table (including the connected interfaces). The access list used in
NON-EXIST-MAP is used on the IP routing table, not on the BGP table (that's
why the AS path doesn't work either).
Ivan
-Original Message-
Hi Ivan,
OK then, what should I use for NON-EXIST route-map's access-list? Which
prefix should I trust from ISP-1 (Primary ISP)?
Is it necessary to use match ip address and match as-path statements
together in the NON-EXIST route-map?
On Sun, Mar 15, 2009 at 8:46 PM, Ivan Pepelnjak
If you want ISP 2 to be used as a backup for ISP1 inbound traffic could you just
advertise your routes to ISP2 with, say bigger AS path to the point where even
ISP2 thinks it is best to go somewhere else than directly to you?
As far as conditional advertisement goes. Mateusz is absolutely
That's the problem everyone has with the NON-EXIST-MAP :) Usually the IP
prefix used to address the ISP-1 infrastructure is the best bet.
The match as-path statement in the NON-EXIST-MAP is irrelevant (unless I'm
totally wrong about the match being made with the routes in the IP routing
table
Ivan,
2009/3/15 Ivan Pepelnjak i...@ioshints.info:
You can't use permit any because it would match any route in the IP
routing table (including the connected interfaces).
is permit any matching 0.0.0.0/0 le 32 or just 0.0.0.0/0, I was
thinking that the latter?
The access list used in
I agree with Ivan in that the tracked prefix in the Non-Exist-Map should
be the ISP-1 infrastructure address because in its absence you wouldn't be
receiving any other routes from ISP-1
However, the match of the tracked prefix is from the BGP table *not* the
IP routing table and match-as-path
I have made a change on the lab with the commands which are written below,
but ISP-2 is still getting my announcement. No success...
ip as-path access-list 1 permit ^200 (ISP-1 AS number)
ip prefix-list AS200-track seq 5 permit 192.168.200.0/24 (subnet
between multihoming router and ISP-1
One gotcha I ran into some time ago - on 12.4 T
the neighbor 192.168.100.1 advertise-map ADVERTISE non-exist-map
NON-EXIST has to be configured in the address-family ipv4
conf t
router bgp 10
address-family ipv4
neighbor 192.168.100.1 advertise-map ADVERTISE non-exist-map NON-EXIST
You can use this kind of configuration option, new style config. But the
old style is still supported. Here are the configs and show commands:
Router#show run
!
interface FastEthernet0/0
description ISP-1_connection
ip address 192.168.200.2 255.255.255.0
duplex auto
speed auto
!
Hi Burak,
On Mon, Mar 16, 2009 at 12:06 AM, Burak Dikici bdik...@gmail.com wrote:
I am trying to use
BGP conditional advertisement configuration. I have got a problem with
NON-EXIST route map's access-list. In the NON-EXIST route map I am using
the commands which are written below:
Here are
Roland Dobbins wrote:
On Mar 16, 2009, at 12:39 AM, Roland Dobbins wrote:
Arbor Peakflow SP, Narus Insight Manager, and Lancope StealthWatch Xe
are three commercial NetFlow-based anomaly-detection systems.
I forgot to add Q1 Labs Q1Radar, and I believe NetQoS now have an
anomaly-detection
On Mar 16, 2009, at 8:03 AM, Justin Shore wrote:
Would its Netflow abilities be useful here?
As with any tool, it's a good idea to test and compare in order to
ensure one's requirements are met.
---
Roland Dobbins
On Mar 15, 2009, at 12:46 PM, Yan Filyurin wrote:
If you want ISP 2 to be used as a backup for ISP1 inbound traffic
could you just advertise your routes to ISP2 with, say bigger AS
path to the point where even ISP2 thinks it is best to go somewhere
else than directly to you?
Providers
29 matches