> are there any (cisco)-NAT-devices which enable the NAT after the user
> has done some kind of authentication - which is checked against a
> RADIUS server or an Active Directory, for example?
You're probably looking for the IOS auth-proxy feature. A configuration
example is here:
http://www.cisc
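An added configuration sketch of the IOS auth-proxy arrangement the reply points to (this is not the configuration example behind the truncated link, nor Cisco's Document ID 13890, but a constructed illustration): the inside interface carries an ACL that passes only DNS and the router's own login page until the user has authenticated against RADIUS, after which auth-proxy inserts that user's RADIUS-supplied entries ahead of the ACL and the NAT overload rule applies to their traffic. Addresses, interface names, ACL names and the RADIUS key are assumptions.

```cisco
! IOS auth-proxy in front of NAT: LAN hosts get no translation until the user
! has logged in through the router's HTTP intercept page against RADIUS.
! All addresses, interface names, ACL names and the RADIUS key are assumptions.
aaa new-model
aaa authentication login default group radius
aaa authorization auth-proxy default group radius
radius-server host 192.0.2.5 auth-port 1812 acct-port 1813 key RADIUS_SECRET
!
! The router serves the login page itself; authenticate it through AAA and
! keep the HTTP server reachable from the inside subnet only.
ip http server
ip http authentication aaa
ip http access-class 10
access-list 10 permit 10.10.0.0 0.0.255.255
!
ip auth-proxy name WEBAUTH http inactivity-time 60
!
! Pre-authentication policy: DNS and the router's login page, nothing else.
! Auth-proxy intercepts the user's first HTTP request and, after a successful
! login, adds the per-user proxyacl entries from RADIUS above this ACL.
ip access-list extended LAN_IN_PREAUTH
 permit udp 10.10.0.0 0.0.255.255 any eq domain
 permit tcp 10.10.0.0 0.0.255.255 host 10.10.0.1 eq www
 deny   ip any any
!
interface GigabitEthernet0/0
 description inside
 ip address 10.10.0.1 255.255.0.0
 ip access-group LAN_IN_PREAUTH in
 ip auth-proxy WEBAUTH
 ip nat inside
!
interface GigabitEthernet0/1
 description outside
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
!
! NAT itself is unconditional; the ACL plus auth-proxy is what gates it.
access-list 100 permit ip 10.10.0.0 0.0.255.255 any
ip nat inside source list 100 interface GigabitEthernet0/1 overload
```

For this to work the RADIUS user profile has to return the auth-proxy attributes, i.e. `cisco-avpair = "auth-proxy:priv-lvl=15"` and at least one `cisco-avpair = "auth-proxy:proxyacl#1=permit ip any any"` (narrow that entry to what the user group is actually allowed to reach). `show ip auth-proxy cache` lists authenticated hosts and their remaining idle time. Two caveats: the login form is posted to the router over plain HTTP, so credentials cross the LAN in clear text unless the IOS release supports the secure (HTTPS) variant of auth-proxy, and the cache is keyed by source IP address, so anyone who can take over or spoof an authenticated host's address inherits its entries until the inactivity timer expires.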
On Wed, 16 Dec 2009, Tony Varriale wrote:
gets the ACL exploded so much that it does not fit into the network
processors anymore - then the previously compiled version is being used -
but generally you get a pretty prominent warning about that.
Nope...NP was fine. How we found it was the AC
Grzegorz Janoszka wrote:
> We recently upgraded one of our routers to 12.2(33)SXI3 (from SXF). Soon
> after the upgrade one of our customers complained that he started to see
> RA messages. From the beginning on his interface we have "ipv6 nd ra
> suppress", I added "ipv6 nd ra mtu suppress",
Tony,
Yes, EEM does not screen on the syslog messages that it emits. When we built
the EEM syslog Event Detector the test team insisted that we implement it
this way to prevent recursion. ;-)
You can always use an application specific event to trigger policy B from
policy A. You could use a trigge
Does anyone have any experience with the SIP-600 for the 7600/6500 Platform?
The PFC-3CXL/3BXL does not provide TCP flags in netflow data.
We are interested in potentially using the SIP-600 with a 10GE SPA to
work around the limitation of the PFCs on the non-NPU blade we currently use.
Does anyone
Tony,
Why do you want to look for the Syslog event? It would happen anyway
inside your original script, right?
Maybe try something like this:
event manager applet BGPADJ_SHUT
event syslog occurs 2 pattern "%BGP-5-ADJCHANGE: neighbor 172.16.10.3
Down" period 600 maxrun 700
action 100 cli comman
Felix, I'd take a look at the recent info from NSS Labs and some of the
responses from TP if you're looking at evaluating them.
http://www.networkworld.com/news/2009/120709-ips-tests.html
http://nsslabs.blogspot.com/2009/12/tippingpoint-tests.html
http://tippingpointblog.com/2009/12/04/update-on-
On Wed, 2009-12-16 at 08:45 -0500, Lobo wrote:
[...]
> There are times when the link is only capable of hitting say 80Mbps
> (we're a wireless isp) or less.
>
> Since we have to use a FE port for this type of connection, do the
> switches believe that they have 100Mbps of bandwidth to play with w
Anything is better than the Cisco IPS in our testing. The TippingPoint is
quite good, as is the Juniper IDP (75, 250, 800, 8200, etc.). I've used the
TippingPoint and it was quite good, and the reporting functionality was
superior. If you're interested in this space also check out Juniper, ISS,
Hi All,
I would like to know how the TippingPoint IPS platform compares with the
Cisco IPS in terms of functionality and effectiveness.
My experience is with the Cisco offering, but I have read some very good
reviews about TippingPoint IPS and wanted to read your experience with it.
Thanks. Felix
> We've a 7301 running IOS 12.3(4r)T4 acting as an LNS. We've never had
> any major problems with it but today it stopped terminating sessions.
> When I enabled terminal monitoring (with no additional debug) I
started
> getting messages like this one:
>
>
>
> %L2TP-3-ILLEGAL: _:_: ERRO
- Original Message -
From: "Andrew Yourtchenko"
To: "Tony Varriale"
Cc:
Sent: Wednesday, December 16, 2009 12:54 PM
Subject: Re: [c-nsp] FWSM logging problem
That's indeed the proper thing to do. And please, after making sure - also
let the case owner know, that it did fix the pr
Oops... sorry for the confusion.
We are working with TAC and the BU directly with this. They are aware of the
issue and acknowledge that it is happening across all code releases
A2(1.x/2.x/3.x)
Unfortunately when this happens you can't even run any diag commands. I have a
plugin from TAC that
On Wed, 16 Dec 2009, Holemans Wim wrote:
It seems our FWSM doesn't log all denied ACLs. I blocked an IP address
on our FWSM and wanted to see whoever on campus is trying to access
this address (botnet C&C).
I added the following line to the ACL (even raised its priority); you can
see that the rule
On Wed, 16 Dec 2009, Tony Varriale wrote:
Try to get a bugid and make sure the recommended upgrade fixes your problem.
That's indeed the proper thing to do. And please, after making sure, also
let the case owner know that it did fix the problem; it's a step
sometimes overlooked :-)
I'
On Wed, 2009-12-16 at 14:44 +0530, jack daniels wrote:
> Hi,
>
>
> I have a topology
>
> MPLS INTERNET
> | |
> | |
> CE1
> CE2-
> (172.16.1.1/30
> )
Sorry...Access Control Entry in an ACL on FWSM.
What code are you running on the 6500 and ACE on which you are having these issues?
I've seen that on the appliances in some early 2.x.
tv
- Original Message -
From:
To: ;
Sent: Wednesday, December 16, 2009 12:03 PM
Subject: RE: [c-nsp] FWSM l
What does the output of 'show logging queue' look like? Are msgs being
actively discarded? How large of a queue depth is too large -- 2048, 4096,
8192?
-- Eric Cables
On Wed, Dec 16, 2009 at 10:03 AM, wrote:
> Tony,
> > As a side note, have you had the issue of traffic blowing by an ACE? :)
Tony,
> As a side note, have you had the issue of traffic blowing by an ACE? :)
What are you referring to here? I run both the FWSM and ACE module. We have had a
plethora of problems with the ACE. The best is it just stops responding and
passing traffic and it doesn't failover when that happens.
N
The Cisco ASA proxy authentication would authenticate you prior to being
NAT'd; if that fails you are prevented from gaining external access. This
can be accomplished for any application you wish. I am sure most if not all
enterprise class firewalls have this feature.
Mike
On Wed, Dec 16, 2009
Well, did a bunch of testing and I am still stuck. So here's the basic idea
and config.
When the peer is actually shut, I log a message to syslog (info simplified
and anonymized to protect innocent).
event manager applet BGPADJ_SHUT
event syslog occurs 2 pattern "%BGP-5-ADJCHANGE: neighbor 1
What code are you on?
These types of items have been going on for a while in various iterations of
code. There have been so many it's hard for me to keep them straight LOL!
But, if you post your code I'll try and look up my notes. In the end,
you'll have to call TAC and they will tell you to u
Yup, our geographic area is relatively small, no more than 400 km around, and all
the branches use a static IP address, and right now they aren't connected.
Please tell me more about it.
Thanks in advance.
On Wed, Dec 16, 2009 at 10:19 AM, Richard Golodner <
rgolod...@infratection.com> wrote:
> On Wed, 2009
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Cisco Security Advisory: Multiple Cisco WebEx WRF Player Vulnerabilities
Advisory ID: cisco-sa-20091216-webex
http://www.cisco.com/warp/public/707/cisco-sa-20091216-webex.shtml
Revision 1.0
For Public Release 2009 December 16 1600 UTC (GMT
If you need branch to branch communications you might want to consider DMVPN
(Dynamic Multipoint VPN).
cf. http://www.cisco.com/en/US/products/ps6658/index.html
-mtw
> -Original Message-
> From: cisco-nsp-boun...@puck.nether.net
> [mailto:cisco-nsp-boun...@puck.nether.net] On Beha
This sounds like a good candidate for VPN.
We personally use the ASA5520 for a concentrator in a similar application
providing both LAN to LAN (branch office connectivity) and VPN Client access
for mobile end users and their laptops. Depending on the pipe size and
forwarding requirements / br
It seems our FWSM doesn't log all denied ACLs. I blocked an IP address
on our FWSM and wanted to see whoever on campus is trying to access
this address (botnet C&C).
I added the following line to the ACL (even raised its priority); you can
see that the rule triggers when I tried to telnet to the addres
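An added example of what such a block-and-log setup looks like on an FWSM, built from the points raised in this thread rather than taken from Wim's or Eric's posts: the deny ACE with the `log` keyword at the top of the ACL, the syslog level and queue depth Eric's `show logging queue` question points at, and the deny-flow limit that silently stops 106100 messages once it is exhausted. The C&C address 192.0.2.10, the ACL name INSIDE_IN, the syslog host and the interface names are assumptions.

```cisco
! Block a suspected C&C address and log every host that tries to reach it.
! 192.0.2.10, INSIDE_IN, 10.10.0.50 and the interface names are assumptions.
logging enable
logging timestamp
logging host inside 10.10.0.50
! Trap at warnings keeps routine noise off the collector; the ACE below tags
! its own 106100 hits at warnings, so they still pass this filter.
logging trap warnings
! Default queue depth is 512 messages; a burst of hits during an outbreak is
! discarded once the queue is full. 'show logging queue' reports the discards.
logging queue 8192
!
! Each ACE with 'log' owns a per-flow entry; once deny-flow-max is reached new
! flows are denied but NOT logged (you get a single 106101 instead). Keep the
! limit at maximum and watch for 106101 when hunting for missing log lines.
access-list deny-flow-max 4096
access-list alert-interval 60
!
! 'line 1' puts the ACE above any permit that would match the same flow;
! 'interval 1' makes a 106100 line per flow every second instead of every 300 s.
access-list INSIDE_IN line 1 extended deny ip any host 192.0.2.10 log warnings interval 1
access-group INSIDE_IN in interface inside
!
! Connections that existed before the ACE was added keep using their conn
! table entry and never hit the ACL; drop them so the next packet is evaluated.
clear local-host 192.0.2.10
```

The quick consistency check is `show access-list INSIDE_IN`, whose `hitcnt` on the deny ACE is incremented by the data path whether or not the matching syslog message was ever delivered; if the hit count keeps climbing while the collector sees nothing, the loss is in the logging path (queue discards, trap level, or an exhausted deny-flow table), not in the ACL. `show logging queue` shows the configured limit, the high-water mark and the number of discarded messages.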
Hi folks,
I'm new here and searching for help because I have to prepare a good network
topology that can establish a connection between 5 offices, but right now I
don't have any idea about what kind of router and switch to use. The
scenario is this:
main office with 30 PCs, 1 DNS server, 1 mail server
Hello,
We had the same issue on a couple of links. We solved it with the
following command. The number on the end is a percentage of link speed in 1
percent increments. This was done on a 3750G running 12.2(44)SE6, this command
might or might not work on other platforms.
srr-queue bandwi
did you look at VLAN segregation pre/post authentication with either
802.1x (integrated auth) or VMPS (external auth)?
Dave.
Andreas Mueller wrote:
>
> Hello,
>
> are there any (cisco)-NAT-devices which enable the NAT after the user
> has done some kind of authentication - which is checked
Try searching for Document ID: 13890. It is about setting up auth-proxy with
nat. If you can't find it I can send you a pdf I had downloaded.
--
--
Brian Raaen
Network Engineer
bra...@zcorum.com
On Wednesday 16 December 2009, Andreas Mueller wrote:
>
> Hello,
>
We're doing some Catalyst testing to roll out QoS on our Ethernet
network and have come up against a hurdle. On most of our backbone
links in a MAN, the actual bandwidth between one C/O to another C/O is
not always 100Mbps. There are times when the link is only capable of
hitting say 80Mbps (
Hello,
are there any (Cisco) NAT devices which enable the NAT after the user
has done some kind of authentication, which is checked against a
RADIUS server or an Active Directory, for example? What I need is like a
captive portal connected to a NAT device.
The scenario I try to have
On Tue, 15 Dec 2009, Frank Bulk - iName.com wrote:
I have 5 remote sites where I'm doing FTTH and transporting the traffic over
a third-party transport gear to our HQ. Each site-HQ link is a separate
VLAN and uniquely numbered.
Have you considered re-tagging the VLANs on a cheaper device befor
> Cisco doesn't appear to have the engineering resources and/or
> will-power to move IOS into the 20th Century (pre-emptive multitasking
> with memory and process containment.) It is more beneficial for them
> to sell you new products with "better" versions of IOS.
>
> Tim:>
That's not really su
Hi List,
We've a 7301 running IOS 12.3(4r)T4 acting as an LNS. We've never had
any major problems with it but today it stopped terminating sessions.
When I enabled terminal monitoring (with no additional debug) I started
getting messages like this one:
%L2TP-3-ILLEGAL: _:_: ERROR: [
Hi Lee,
You're right and I'm wrong. Have to use BITW.
Thanks for the advice, back to reading more documentation for me.
Best regards,
.pelle
On Tue, Dec 15, 2009 at 4:20 PM, Lee wrote:
> On Tue, Dec 15, 2009 at 8:45 AM, Pär Åslund wrote:
>>
>> Hi Lee,
>>
>> No, I don't have it configured with
Hi,
I have a topology
MPLS INTERNET
| |
| |
CE1
CE2-
(172.16.1.1/30
) (
172.16.2.1
HYG
RMS-7606-LB#sh platform hardware capacity system
System Resources
PFC operating mode: PFC3C
Supervisor redundancy mode: administratively sso, operationally sso
Switching resources: Module Part number Series CEF mode
17600-SIP-400