Yep, Donn is right. VPNs just kill the CPU on a router even if you
have the AIM card that offloads the encryption and decryption. Routers
can serve as VPN end points, but they are not optimized for that task.
If you are trying to push 10 to 11 Mbps of VPN traffic through a 2811,
it is amazing that
1: yes but if there is address overlap you should nat the vpn one way
2: insufficient info. Provide more details on topology, devices, versions, etc
--Original Message--
From: Deric Kwok
Sender: cisco-nsp-boun...@puck.nether.net
To: Cisco Network Service Providers
Subject: [c-nsp] two qu
Hi guys,
I'm learning about Nexus arch because I'll work with this in the future.
Could you give me some good books to start this arch?
Best Regards,
AB
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/
Hi all,
I'm running some 7200's terminating PPPoE for BB subscribers.
The sessions are being forwarded using L2TP to some l2tpns LNS's.
I am experiencing what seems to be an issue with LCP negotiation
with the cisco LAC and the l2tpns LNS causing an mtu mismatch
in the path for subscribers.
Hi
I would like to ask two questions to set up vpn
1/ My home internal network is 192.168.1.0. Can I set up my office
remote access vpn network as same 192.168.1.0?
2/ I can access remote vpn successfully. But I can't go to internet.
What should I check?
Thank you
__
James G-
What do you see when you do:
sh ip tra
--
Regards,
Ge Moua
Network Design Engineer
University of Minnesota | OIT - NTS
--
On 10/7/10 1:45 PM, Lasher, Donn wrote:
In my experience, two things hammer the CPU for IPSEC tunnels:
1. mGRE is not accelerated by the hardware.
2. Fragmentin
12.2SRDlatest is a good mix of features, maturity and stability.
--
Pelle
(sorry about the top-posting, I'm on a mobile device)
On 7 Oct 2010 23:26, "Dominic" wrote:
> Hi,
>
> Installing a new Cisco LNS router, I have Cisco 7200 NPE-G2
> router. Would support VPDN and L2TP tunnels. Any recommen
Hi,
Installing a new Cisco LNS router, I have Cisco 7200 NPE-G2
router. Would support VPDN and L2TP tunnels. Any recommendations for IOS image?
Regards.
Dominic
Hi,
On Thu, Oct 07, 2010 at 08:04:56PM +, Felix Nkansah wrote:
> I like to know of an effective solution for blocking transiting spam
> originating from downstream subscribers, in the ISP network.
Disallow outgoing connections on port 25. Require transmission via
the ISP mail server, and imp
Hi,
I know a big network service provider (mobile, fixed lines, DSL, leased
lines) whose entire IP block and ASN has been blacklisted.
They blame it on their subscribers, and they are looking for an effective
solution to the problem.
The spam firewall solutions I know (like Barracuda, IronPort)
>> I didn't realise until today that you can't do CEF per-packet
>> load-sharing on hardware-based platforms, ie. 6500/7600, this is
>> purely because I haven't tried to implement it until now. The traffic
>> I'm trying to load-balance is a single flow, encapsulated inside a
>> port-based pseudowir
In my experience, two things hammer the CPU for IPSEC tunnels:
1. mGRE is not accelerated by the hardware.
2. Fragmenting Packets, lower MTU/MSS, CPU driven.
Pretty common to see 2811's out of CPU with 10-11M of IPSEC payload in a
tunnel, in my experience.
-Original Message-
From: cis
Okay that's good to know.
Thanks for the help
Kind regards,
Sigurbjörn
From: Harold Ritter
Date: Thu, 7 Oct 2010 13:12:34 -0400
To: "Sigurbjörn B. Lárusson"
Cc:
Subject: Re: [c-nsp] Weird 6PE problem on ASR1k
Hi Sigurbjörn,
I believe the behavior has been explicitly changed. You would see
I am trying to configure a router with couple VRF and I need to be
able to ssh/telnet to vty through VRF interface. I haven't had this
problem with other routers prior to 15.0M. Am I missing a command I
don't know about to enable this?
With 12.4x, I used "access-class vrf-also" and that see
I have a 2811 w/ AIM module terminating two 10m ipsec tunnels that is
nearly always above 80% and often above 95% cpu util during the day.
Buffers show no significant number of misses. sh int switching shows
that 100% of the outbound encrypted packets are being process switched.
IOS C2800NM-
That worked!
At least that's a usable workaround until this is fixed (I'm assuming this
is a bug, might be wrong though)
Kind regards,
Sigurbjörn B. Lárusson
From: Harold Ritter
Date: Thu, 7 Oct 2010 11:59:51 -0400
To: "Sigurbjörn B. Lárusson"
Cc:
Subject: Re: [c-nsp] Weird 6PE problem on AS
Hi Sigurbjörn,
I believe the behavior has been explicitly changed. You would see the same
behavior on the 7200 if you used SRD4. So going forward, you should configure
the "set mpls-label" whenever a route-map is used.
Regards
Le 2010-10-07 à 12:13, Sigurbjörn Birkir Lárusson a écrit :
> That
> Hi
>
> I didn't realise until today that you can't do CEF per-packet
> load-sharing on hardware-based platforms, ie. 6500/7600, this is
> purely because I haven't tried to implement it until now. The traffic
> I'm trying to load-balance is a single flow, encapsulated inside a
> port-based pseudo
Hi Sigurbjörn,
Try configuring "set mpls-label" in the route-map.
Regards
Le 2010-10-07 à 06:30, Sigurbjörn Birkir Lárusson a écrit :
> I'm having a weird issue with BGP peering in address-family ipv6 unicast
> from an ASR1002-F running 3.1.1S (15.0(1)S) to a 7200 running 12.2(33)SRD3
> and anot
Hi
I didn't realise until today that you can't do CEF per-packet
load-sharing on hardware-based platforms, ie. 6500/7600, this is
purely because I haven't tried to implement it until now. The traffic
I'm trying to load-balance is a single flow, encapsulated inside a
port-based pseudowire, therefor
It's a while since I was involved with a LNS, but 12.2SB was the
favourite, is 15 still a bit new?
Is output interpreter giving any bugs?
What do TAC recommend?
Ian
> -Original Message-
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-
> boun...@puck.nether.net] On Behalf Of D
My Cisco 7206VXR with NPE-G2 runs as an LNS terminating PPPOE sessions. It also
terminates a DS3 used for data T1s. About once a week or so, a SegV exception
happens, and the router resets itself. I have no idea why.
The documentation says this is invariably a software error, and we have
upg
We've tried disabling those traps, but the router still sends link
up/down messages because of the PIM neighbor changes. It's really
frustrating. We assumed that disabling link-status traps at the
interface level would actually disable link-status traps. ;) What were
we thinking?? lol
In fact, it
These are the only traps for pim that I could find.
traps pim neighbor-change rp-mapping-change invalid-pim-message
Link up-down is disabled per interface with the following.
notproduction(config)#int g0/1
notproduction(config-if)#no snmp trap link-status
You may not want to do this depending
I was looking for that command! lol I think that's exactly what I
want. The document I was looking at last night didn't have it, at
least that I saw. I was wondering if there was a way to disable them.
One potential hitch is that these aren't showing up in the NMS as
neighbor changes. They are sh
I'm having a weird issue with BGP peering in address-family ipv6 unicast
from an ASR1002-F running 3.1.1S (15.0(1)S) to a 7200 running 12.2(33)SRD3
and another ASR1002-F running the same software, that I have set up in a lab.
When a route-map (regardless of the contents, even route-map XXX permit 10
26 matches