ip access-list extended IP-Pool-Allowed
permit ip any 192.168.0.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended IP-All
permit ip any any
Class-map match-all IP-Pool-Allowed
match access-group name IP-Pool-Allowed
Class-map match-all IP-All
match access-group name IP-All
Hello,
Is it possible to use policy-map if the packet goes to a specific IP address?
example:
If packet goes to subnet 192.168.0.0/24 then router should use
policy-map 512Kbps.
If packet goes to subnet any then router should use policy-map 256Kbps.
How to do it with PPPoE.
Really appreciat
Hey all, I was just going to download the latest IOS for a Cisco 877 and below
is the current list of 800 series routers on the Cisco website.
What caught my eye was the 3 entries for the Cisco 887 (887, 887W, 887SRSTW).
I was like "WHAT THE" ??!?!?!?
Went to the product pages... nothing
W
Good Afternoon,
I’m in the process of setting up a proof of concept on our network for the
Cisco Guard and Detector. I had them up and running for a small /28 test
zone (I’ve attached configs and diagrams) However, in thinking through fully
implementing this into production, I realized that I need
Hi Peter,
Thanks for the detailed reply. I forgot to include the router platforms
we are using for this.
[GROUP1] --> [ POP1] <--> [POP2] --> [HOSTED SERVICES + INTERNET]
POP1 = Cisco 7204VXR (NPE-G1) GigE Interface running 12.2(31)SB13
POP2 = Cisco 7606 with 4-subslot SPA Interface (7600-SIP-4
Hi Andy,
On Wed, 2009-03-25 at 11:15 +1100, Andy Saykao wrote:
> 1/ We have a 200mb link between two POPS that is being congested in the
> evening. Congestion is happening on the outbound direction from POP2 to
> POP1, so from a user's perspective in GROUP1 it would be impacting their
> download.
Hi All,
Two questions...
1/ We have a 200mb link between two POPS that is being congested in the
evening. Congestion is happening on the outbound direction from POP2 to
POP1, so from a user's perspective in GROUP1 it would be impacting their
download.
[GROUP1] --> [ POP1] <--> [POP2] --> [HOS
Hi,
Thank you for the off-list replies. I've read some more documentation
regarding the ASRs and I'm a bit unsure what the advantages of running
a sub-packaged image are. According to the Cisco website:
" Individual sub-package upgrades are atypical on the Cisco ASR 1000
Series Routers, because i
Hi.
Which direction are you trying to prioritize? In the first post the
policy were on the Dialer0-interface (traffic from LAN towards DSL),
but in the last post it's on the Fa4-interface (traffic from DSL
towards LAN).
I assume it's the first one because there is less point shaping when
going fr
Hi,
We're considering getting some ASR (1004 and 1006) as peering routers.
I would like to know what sort of experience you had with them.
What are the advantages of running the 'modular' IOS XE? We tried the
'modular' software on 6500 and we ran into some issues that we didn't
have on the integra
On Tue, 2009-03-24 at 14:39 -0500, John Lange wrote:
> I followed the examples on that page but I'm not having any luck. As
> far as I can tell the queue is dropping at least some packets that it
> should be prioritizing (look for 582 below).
...
> policy-map parent_shaping
> class class-default
>
I would definitely check out http://onesc.net/communities/ it lists communities
of major providers. You can see if your ISP_2 is on there and supports
modifying the LOCAL_PREF with communities. That happened to me before where one
ISP was setting a higher preference for a path with longer AS.
To
On Mon, 2009-03-23 at 23:50 +0100, zarenks wrote:
> I wonder if anyone had experienced the problem I have noticed with
> dynamic routing (BGP) running over IPSec link.
...
> I decide to use VTI (Virtual Tunnel Interface) configuration instead
> of IPSec+GRE to support dynamic routing.
>
> Until
On Sun, Mar 15, 2009 at 10:54 AM, Drew Weaver wrote:
> Does anyone here have any real world experience with Cisco Guard or other
> products such as Arbor's Peakflow that they can share?
>
> If you've tried multiple systems and ended up with a specific one, please
> share the reasoning behind it.
>
oh, thank you, I see how direct and precise this is, and if I wanted to
drop the person in several vlans, I assume I could do
mac-address-table static 0016.6f99.9e61 vlan 3030 drop
mac-address-table static 0016.6f99.9e61 vlan 3010 drop
mac-address-table static 0016.6f99.9e61 vlan 3020 drop
but
You can just do
mac-address-table static 0016.6f99.9e61 vlan 3030 drop.
Schilling
On Tue, Mar 24, 2009 at 3:42 PM, Rick Coloccia wrote:
> Is anyone doing anything like this in a Catalyst 6500? I'm running a sup
> 720 with ios 12.2(33)SXH4. I have a "bad user" that I need to block,
> regardless
Thank you to Ian who replied off list with an example of an
unproblematic implementation of exactly this. I'm more calm now. :-)
On Mon, 2009-03-23 at 19:09 -0400, Jeff Kell wrote:
> AFAIK, etherchannel will select one physical path per flow (based on
> src/dst ip/mac), so there is no out-of-orde
Is anyone doing anything like this in a Catalyst 6500? I'm running a
sup 720 with ios 12.2(33)SXH4. I have a "bad user" that I need to block,
regardless of where or how they connect to the lan. I hoped that by
blocking their mac address, where-ever it may appear, I might be able to
accomplish
On Tue, 2009-03-24 at 13:29 +0100, BALLA Attila wrote:
> Hi,
>
> you should use hierarchical QoS. First of all you should shape the
> output traffic down to the upstream speed, then you can use the llq inside
> the shaped class:
> http://www.cisco.com/en/US/tech/tk543/tk545/technologies_tech_
Hi
> As far as I have heard, most people are at 12.0(32)SY, which is (I would
> say) a better bet.
If you have Eng5 LC's and is doing MPLS-VPNs there is a bug
(CSCsq83540) potentially killing 0.0.0.0/0 in VRFs. Affected are
basically everything upto 32S11, 32SY6 and 33S1. 32S12, 32SY7/8 and
33S2
Hi.
> So just a final question, would the solution have worked if it was on a
> regular interface? I just want to make sure I had the right idea.
Yes, in this case the ATM-interface where the PVC lives. But the PVC
must be something else than the default "ubr" class of service. The U
in UBR stand
Also take a look at flow-tools / FlowViewer. Uses netflow and keeps up to
three years based on filtering by AS, combination AS's, exclusion of AS's
etc. Open-source.
http://ensight.eos.nasa.gov/FlowViewer/
Joe
"Jeff Crowe"
Sent by: cisco-nsp-boun...@puck.nether.net
03/23/2009 04:17 PM
To
> http://www.cisco.com/en/US/tech/tk543/tk545/technologies_tech_note0918
> > 6a00800b2d29.shtml
>
> Basically, the virtual interfaces "do not implement the
> "back-pressure algorithm" necessary to signal that excess
> packets should be queued by the Layer 3 (L3) queueing system."
>
> Ok, so I'm
That does sound correct, I will schedule some testing time, thanks for
your input!
David Freedman wrote:
Chris, the key thing here are the vrf address-families
"> address-family ipv4 vrf -Voice" e.g
Imagine these like the equivalent of the normal ipv4 address-family, but
for each VRF proce
Chris, the key thing here are the vrf address-families
"> address-family ipv4 vrf -Voice" e.g
Imagine these like the equivalent of the normal ipv4 address-family, but
for each VRF process.
These do not currently have "redistribute static" in them so you can
quite safely install "ip route vrf
Hi Mike,
Actually I need both conditions set, because the community-list
PREPEND-X-PEERING may contain prefixes that we don't want to announce to our
peerings, that is why I was looking for some sort of AND logic here.
A real-life example with ASN 1234 would be:
Customer sends us three prefixe
Hi,
I am familiar with auto rollover of CA certificates but is there also a way to
do an automatic rollover for pre-shared keys?
I am looking to do this in a still to be deployed DMVPN environment and
security people would like a policy to change the keys periodically.
Kind regards
Nasir Shaikh
Robert Johnson wrote:
> Hello list,
> I have a small network with four 3640s. Each router has 128/32MB ram, and a
> single FE interface connected to a catalyst 2924. Two of the routers are
> running BGP, each with a session to a (single) other provider, and a session
> between themselves. These are
I have a Sprint MPLS cloud for which they extend the VRF configs down to
the CE. I am in the middle of divesting a section of these MPLS
routers/subnets off of the main cloud and onto their own VRFs. I
essentially want to start by making a handful of the sites, change
their default route for I
Andy,
Try using policy-list which don't get merged like community-lists...
ip policy-list PERMIT200 permit
match community 2
!
ip policy-list PERMIT100 permit
match community 1
!
ip community-list 1 permit 123:100
ip community-list 2 permit 123:200
!
!
!
route-map OUT permit 10
match pol
On Tue, 24 Mar 2009, Brandon Ewing wrote:
Note that 12.0(32)S12 contains the 4-byte ASN problems discussed here
and on NANOG, so 12.0(32)S11 is your best bet.
As far as I have heard, most people are at 12.0(32)SY, which is (I would
say) a better bet.
I've also been told there will be no 12.
On Tue, Mar 24, 2009 at 08:59:17AM -0700, Michael K. Smith - Adhost wrote:
> Hello All:
>
> I just want to make sure I haven't lost my mind. I logged into CCO looking
> for 12.0S images for the GRP and all I see is PRP images. Has Cisco stopped
> supplying images for the GRP-based GSR's?
>
>
Hello Andy:
I don't think you want the two match-community statements in your first two
route-map statements. So, that would be:
>
> route-map IX-TEST-OUT permit 10
> match community PREPEND-1-PEERING
-- match community PEERING-OUT
> set as-path prepend 65001
>
> route-map IX-TEST-OUT pe
Hi all!
I need some help!
Can somebody give me a curriculum or e-book, or link for MARS, CSA, IDS,
IPS.
I want to learn about them, but I can't find materials.
config guides, 'howto's, e-learning materials, e-book web pages...
everything can be good.
thank you
Gabor
___
Hello All:
I just want to make sure I haven't lost my mind. I logged into CCO looking for
12.0S images for the GRP and all I see is PRP images. Has Cisco stopped
supplying images for the GRP-based GSR's?
Regards,
Mike
--
Michael K. Smith - CISSP, GISP
Chief Technical Officer - Adhost Intern
That 12.4(3) IOS is pretty old. Trying a newer one might help, as
you're vulnerable to many things. It's possible there are bugs you're
hitting that are affecting performance. If you could consolidate some
things, that may help. You're matching RTP, but also matching packet
length, that might b
I have read that multiple match lines in a route-map are treated with AND
logic.
But this scenario here does not do AND, but OR:
route-map IX-TEST-OUT permit 10
match community PREPEND-1-PEERING
match community PEERING-OUT
set as-path prepend 65001
route-map IX-TEST-OUT permit 20
match c
A cisco router, even a SOHO97 is still more expensive than any little simple
DSL modem, isn't it?
Anyway, shouldn't you get a modem from your DSL provider?
But if you can spare a 827 or a SOHO then go for it, it will work good, that we
can be sure, and you can still get the added value of monitor
How is it too expensive? If you are doing DSL1, 827/837's, even SOHO87 can be
had for a few $$$
...Skeeve
--
Skeeve Stevens, CEO/Technical Director
eintellego Pty Ltd - The Networking Specialists
ske...@eintellego.net / www.eintellego.net
Phone: 1300 753 383, Fax: (+612) 8572 9954
Cell +61 (0)4
Hello list,
I have a small network with four 3640s. Each router has 128/32MB ram, and a
single FE interface connected to a catalyst 2924. Two of the routers are
running BGP, each with a session to a (single) other provider, and a session
between themselves. These are not carrying full tables. All f
First, thanks to those who pointed out my (should have been obvious)
error where I named the access-list qos1 but then tried to reference it
with al-qos1. When you're looking for a big problem it's easy to
overlook the obvious.
On Tue, 2009-03-24 at 12:56 +, Tim Franklin wrote:
> On Tue, March
It's possible, but as Matheusz said, it would be too expensive to use Cisco
router as a modem
You lose every advantage you have on the router, also the possibility to remote
manage it, you can only control it via console/aux.
You can configure the ATM (DSL) interface to match your needs, and the
http://www.cisco.com/en/US/tech/tk175/tk15/technologies_configuration_example09186a008071a78c.shtml
Run each of the 5 routers into separate interfaces (or subinterfaces) on
the 1811, config it as a PPPoE client on each interface and then do
MLPPP across the dialers.
Rich.
Skeeve Stevens wro
Skeeve,
> I am wondering if it is possible to use a 827, 828, 837, 877, 878, 888 as a
> bridge modem?
>
> What I want to do is have a router like an 1811, with say 5 xDSL devices
> which hold their connection up, but the 1811 does the Dialer part, so they
> can be multi-linked, or other load b
Hey all,
I am wondering if it is possible to use a 827, 828, 837, 877, 878, 888 as a
bridge modem?
What I want to do is have a router like an 1811, with say 5 xDSL devices which
hold their connection up, but the 1811 does the Dialer part, so they can be
multi-linked, or other load balancing.
On Tue, March 24, 2009 12:12 pm, Ivan Pepelnjak wrote:
> What is your upstream connection? If you're using PPPoE, you won't be able
> to do any output queuing, as the outbound LAN interface is never saturated
> (the bottleneck is experienced by the DSL modem).
If you know what your upstream bandw
Hi,
you should use hierarchical QoS. First of all you should shape the
output traffic down to the upstream speed, then you can use the llq inside
the shaped class:
http://www.cisco.com/en/US/tech/tk543/tk545/technologies_tech_note09186a00800b2d29.shtml
BR, A.
On Tue, 24 Mar 2009, Ivan Pepe
I'd recommend getting a Cisco 2651xm with a cisco WS-C3550-24-EMI switch off of
ebay. Be patient and you can get both for about $500-$600.
The router will need 256MB of RAM and at least 48MB of Flash if you want to run
the latest 12.4T ios. For the switch, you want 64MB of ram and 16MB of flash
Hi
I need to get cheapest cisco router to learn VPN vlan tcsh
Could you suggest model?
Thank you
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-
Exactly true ... That would be my next answer :)
However, the problem is that it's somewhat hard to estimate what the shaping
bandwidth should be in DSL environments (you have the cell tax on top of
PPPoE plus unknown amount of oversubscription in the SP network) if you want
to squeeze as much out
> I have crafted and applied some rules which I thought would
> prioritize traffic from an 871w (via ADSL) to one specific
> host. The idea is that any traffic destined to this host
> should be prioritized over all other traffic.
What is your upstream connection? If you're using PPPoE, you won'
Should I be worried about these?, do these come from the line?, the PA?
the PCI bus? , I can't tell, all normal "show interface" counters are clean
#sh int Se6/0.1/1/2/3:0 controller | in FCS
PCI system errors 0, PCI parity errors 0 Rx FCS errors 1065313702
#sh int Se6/0.1/1/2/3:0 controller
52 matches