[c-nsp] Galvanic eletrical / optical fiber switchers for lab. Anyone know where to buy???

Dear co-workers, I'm building a new lab with multiple servers and complex networks. We're building two different network setups for testing. Subnetting / IP address scheme will be same for both setups in the lab. We don't want to rewire 1xx servers and devices whenever we have to switch from Ne

Re: [c-nsp] Securing OSPFv3 on 6500/7600 Routers?

On Jan 6, 2011, at 1:28 PM, Mikael Abrahamsson wrote: > Nope, because it's not in the protocol at all: You're absolutely correct - thanks for the clue! Roland Dobbins // Most software today

Re: [c-nsp] Securing OSPFv3 on 6500/7600 Routers?

On Thu, 6 Jan 2011, Dobbins, Roland wrote: Um, I thought multiple vendors supported MD5 for OSPFv3, do they not? Nope, because it's not in the protocol at all: http://tools.ietf.org/html/draft-ietf-ospf-ospfv3-auth-08 1. Introduction OSPF (Open Shortest Path First) Version 2 [N1] defines

Re: [c-nsp] Securing OSPFv3 on 6500/7600 Routers?

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 1/6/2011 12:50 AM, Dobbins, Roland wrote: > Um, I thought multiple vendors supported MD5 for OSPFv3, do they not? > That's what I was alluding to when I said that MD5 should suffice. > > If I'm wrong about this, thanks much for the schooling! If a

Re: [c-nsp] Securing OSPFv3 on 6500/7600 Routers?

On Jan 6, 2011, at 12:45 PM, Mikael Abrahamsson wrote: > It's usually not about intentional attacks, it's also about unintentional > consequences of mistakes. Concur 100%. > Short, not adding MD5 support in OSPFv3 was a design mistake, I'm sure it > looked good on paper but it's not good in r

Re: [c-nsp] Securing OSPFv3 on 6500/7600 Routers?

On Thu, 6 Jan 2011, Dobbins, Roland wrote: I'll buy that - but since I've yet to see/posit a practical attack on MD5-based IGP authentication, and since if an attacker has enough access to one's network infrastructure to play games with one's IGP, IGP authentication ought to be the least of on

Re: [c-nsp] How to limit bandwidth on CISCO switch interfaces

http://www.cisco.com/en/US/tech/tk543/tk545/technologies_tech_note09186a00800a3a25.shtml <<< should cover you off. -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of JA Colmenares Sent: Thursday, 6 January 2011 2:54 PM To:

[c-nsp] How to limit bandwidth on CISCO switch interfaces

I need to limit bandwidth on the trunk ports of two connected switches(2960 to 3750). It is currently transmitting at 100 mbps and I want to limit it to 50 mbps How can this be done? can anyone provide any steps or resources to get this done. Thanks Juan  _

Re: [c-nsp] Securing OSPFv3 on 6500/7600 Routers?

On Jan 6, 2011, at 10:54 AM, Pete Lumbis wrote: > I would see the benefit more from authentication than from encryption. I'll buy that - but since I've yet to see/posit a practical attack on MD5-based IGP authentication, and since if an attacker has enough access to one's network infrastructur

Re: [c-nsp] IOS - ipv6 uppercase in config - why ?

Let's just hope that this isn't one of those "well, it was broken when we first did it, and it's always been that way, so we aren't going to change it". e.g, port numbers in hex in "show ip cache flow". On Wed, Jan 5, 2011 at 10:39 PM, Brandon Applegate wrote: > On Wed, 5 Jan 2011, Aaron wrote:

Re: [c-nsp] Securing OSPFv3 on 6500/7600 Routers?

I would see the benefit more from authentication than from encryption. My understanding is that instead of doing MD5 hashing as a function of OSPF, OSPFv3 simply leverages the built in IPSec functionality of IPv6. I would imagine the end goals are the same. On Wed, Jan 5, 2011 at 10:28 PM, Dobbin

Re: [c-nsp] Securing OSPFv3 on 6500/7600 Routers?

Devon, I just did some checking and it looks like support for this on the Sup720 is slated for late spring of 2012. Given this is so far out I wouldn't hold my breath that it will hit that target. -Pete On Wed, Jan 5, 2011 at 10:19 PM, Devon True wrote: > -BEGIN PGP SIGNED MESSAGE- > Ha

Re: [c-nsp] IOS - ipv6 uppercase in config - why ?

On Wed, 5 Jan 2011, Aaron wrote: So, how would you propose that the system know that you are looking for an IPV6 config vs something else like a description or named acl/tunnel/etc? Yeah I thought of that but failed to mention it. In short, one wouldn't put the (impossible ?) burden on the

Re: [c-nsp] Securing OSPFv3 on 6500/7600 Routers?

On Jan 6, 2011, at 10:19 AM, Devon True wrote: > Does not work on the 6500/7600 unfortunately, but worked beautifully in my > GNS3 lab. And encrypting one's IGP updates via IPSEC contributes materially to one's network security posture in what specific way(s)?

Re: [c-nsp] Securing OSPFv3 on 6500/7600 Routers?

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 1/5/2011 7:57 PM, Rubens Kuhl wrote: > IPSEC ? > > http://packetlife.net/blog/2008/sep/3/ospfv3-authentication/ Does not work on the 6500/7600 unfortunately, but worked beautifully in my GNS3 lab. - -- Devon -BEGIN PGP SIGNATURE- Version:

Re: [c-nsp] Securing OSPFv3 on 6500/7600 Routers?

IPSEC ? http://packetlife.net/blog/2008/sep/3/ospfv3-authentication/ Rubens On Wed, Jan 5, 2011 at 6:46 PM, Devon True wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > All: > > Since OSPFv3 authentication is not supported on 6500/7600 series > routers, I am curious to know how peop

Re: [c-nsp] Securing OSPFv3 on 6500/7600 Routers?

On Jan 6, 2011, at 7:24 AM, Pete Lumbis wrote: > Off the top of my head I think the best bet would be Ipv6 ACLs that allow > multicast ospf packets and only unicast ospf packets from known > neighbors. The biggest win in this regard is all the standard hardening/access BCPs for network infras

Re: [c-nsp] IOS - ipv6 uppercase in config - why ?

So, how would you propose that the system know that you are looking for an IPV6 config vs something else like a description or named acl/tunnel/etc? On Wed, Jan 5, 2011 at 13:31, Nick Hilliard wrote: > On 05/01/2011 16:01, Brandon Applegate wrote: > >> Is there a reason that ipv6 addresses are s

Re: [c-nsp] Securing OSPFv3 on 6500/7600 Routers?

Unfortunately OSPF unicast neighbors are only available for non-broadcast network types. http://www.cisco.com/en/US/docs/ios/iproute_ospf/configuration/guide/iro_cfg_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1054321 Off the top of my head I think the best bet would be Ipv6 ACLs that a

Re: [c-nsp] ARP strangeness

This information is golden. To make sure I'm understanding you correctly, are you implying that because the CPE uses BOOTP with a broadcast flag, that when the FTTH access equipment has expired its bridge forwarding table it doesn't re-populate, and therefore incoming traffic towards the CPE

Re: [c-nsp] Securing OSPFv3 on 6500/7600 Routers?

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Pete, > You could use inbound ACLs or CoPP policies that restrict inbound > OSPF traffic from only the neighbors you know about. We have CoPP deployed, but it is not that restrictive today (since our v4 OSPF uses authentication). > You could also mo

Re: [c-nsp] Strange new PIM Tunnel interfaces after upgrade to 12.2(33)SRC

IIRC, these are used for pim registers and other messages. You see the same thing in IOS-XE on the ASR1000 Router(config)#int t0 %Tunnel0 used by PIM for Registering, configuration not allowed Tunnel0 is up, line protocol is up Hardware is Tunnel Interface is unnumbered. Using address of G

[c-nsp] Strange new PIM Tunnel interfaces after upgrade to 12.2(33)SRC

We recently upgraded several 7600s from 12.2(18) to 12.2(33)SRC. After the upgrade, we noticed several new tunnel interfaces. According to the output of "show int tunnel1", as an example, this is a transmit-only PIM tunnel between that router and a 4948 in another data center. We have absolutely no

Re: [c-nsp] Securing OSPFv3 on 6500/7600 Routers?

Of course this doesn't prevent spoofing :( On Wed, Jan 5, 2011 at 4:27 PM, Pete Lumbis wrote: > You could use inbound ACLs or CoPP policies that restrict inbound OSPF > traffic from only the neighbors you know about. You could also move to > unicast OSPF neighbor relationships to prevent any rogu

Re: [c-nsp] Securing OSPFv3 on 6500/7600 Routers?

You could use inbound ACLs or CoPP policies that restrict inbound OSPF traffic from only the neighbors you know about. You could also move to unicast OSPF neighbor relationships to prevent any rogue OSPF speakers from peering. On Wed, Jan 5, 2011 at 3:46 PM, Devon True wrote: > -BEGIN PGP SIG

Re: [c-nsp] What is the fpd package used for in newer IOS releases?

Also FlexWANs On Wed, Jan 5, 2011 at 10:18 PM, John Neiberger wrote: > On Wed, Jan 5, 2011 at 2:13 PM, Robert Hass wrote: >> On Wed, Jan 5, 2011 at 9:09 PM, John Neiberger wrote: >>> I've done some recent upgrades from 12.2(18) up to 12.2(33) and we've >>> been having to put an fdp package on f

Re: [c-nsp] What is the fpd package used for in newer IOS releases?

On Wed, Jan 5, 2011 at 2:13 PM, Robert Hass wrote: > On Wed, Jan 5, 2011 at 9:09 PM, John Neiberger wrote: >> I've done some recent upgrades from 12.2(18) up to 12.2(33) and we've >> been having to put an fdp package on flash along with the actual IOS. >> I've yet to find out exactly what those a

Re: [c-nsp] What is the fpd package used for in newer IOS releases?

On Wed, Jan 5, 2011 at 9:09 PM, John Neiberger wrote: > I've done some recent upgrades from 12.2(18) up to 12.2(33) and we've > been having to put an fdp package on flash along with the actual IOS. > I've yet to find out exactly what those are for. I was told by another > more senior engineer that

[c-nsp] Securing OSPFv3 on 6500/7600 Routers?

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 All: Since OSPFv3 authentication is not supported on 6500/7600 series routers, I am curious to know how people are securing their deployments. We take the precautionary steps of "passive-interface default" and only turning up OSPF on network segments

Re: [c-nsp] What is the fpd package used for in newer IOS releases?

On Wed, Jan 5, 2011 at 1:24 PM, David Prall wrote: > FPD Field Programmable Device. Typically WAN Interface firmware updates. > Typically you'll have "upgrade fpd auto" in the configuration. > > A quick search: > http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/conf > igurat

Re: [c-nsp] What is the fpd package used for in newer IOS releases?

FPD Field Programmable Device. Typically WAN Interface firmware updates. Typically you'll have "upgrade fpd auto" in the configuration. A quick search: http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/conf iguration/7600series/76fpd.html David -- http://dcp.dcptech.com

Re: [c-nsp] Tool To Backup Configurations

Use the kron command? kron occurrence backup at 5:38 recurring policy-list backup ! kron policy-list backup cli show run | redirect tftp://10.1.1.2/sw1-confg.txt -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Righa

[c-nsp] What is the fpd package used for in newer IOS releases?

I've done some recent upgrades from 12.2(18) up to 12.2(33) and we've been having to put an fdp package on flash along with the actual IOS. I've yet to find out exactly what those are for. I was told by another more senior engineer that they need to be there, but that's the extent of my knowledge o

Re: [c-nsp] Tool To Backup Configurations

Tue, Jan 04, 2011 at 11:06:28PM +1300, Terry Rupeni: > previously we had used a commercial product Solarwinds Configuration/Policy > Manager. One thing we found useful in Solarwinds was a policy Reporter where > you could easily script the manager to go through device configs and flag > those devic

Re: [c-nsp] IOS - ipv6 uppercase in config - why ?

On 05/01/2011 16:01, Brandon Applegate wrote: Is there a reason that ipv6 addresses are stored with uppercase letters in config ? yes. See rfc4291, section 2.2, where all of the examples are in upper case. These examples caused people to prefer upper case notation for ipv6 address represent

Re: [c-nsp] ARP strangeness

This is a problem with how the linksys sends out the DHCP request for renewal. The BEFSR41 and BEFSR81 use a broadcast bootp flag, whereas all other CPE devices use a unicast bootp flag. When using the broadcast bootp flag the Cisco will send an arp broadcast which is dropped by the access equipm

[c-nsp] 3G cisco cpe in Slovenia

Hello I'm working on a networ design which requires Integrated 3G Wireless WAN CPE in Slovenia (Europe). The CPE model should be: CISCO881G-G-K9 Cisco 881 Fast Ethernet Security Router supporting HSPA/UMTS/EDGE/GPRS - Global SKU with 2 modems option: PCEX-3G-HSPA-R6 PCEX-3G-HSPA-G Which is the

Re: [c-nsp] ARP strangeness

Yes, broken spoke would be one thing to call it. Another cisco-nsp reader guessed what FTTH platform I have, because they've seen the same issue. I've also posted on the vendor's closed web forum and I'll see if I get any responses there. With the current settings our test CPE remains a "live spo

Re: [c-nsp] IOS - ipv6 uppercase in config - why ?

A few things: On Jan 5, 2011, at 11:51 AM, Sascha Pollok wrote: >> Is there a reason that ipv6 addresses are stored with uppercase letters in >> config ? > [...] >> At issue is when I do 'show run | inc 2607:ff70' and get nothing I scratch >> my head for a second. Then I try 'show run | inc 26

Re: [c-nsp] IOS - ipv6 uppercase in config - why ?

Is there a reason that ipv6 addresses are stored with uppercase letters in config ? [...] At issue is when I do 'show run | inc 2607:ff70' and get nothing I scratch my head for a second. Then I try 'show run | inc 2607:FF70' and get what I expected. This seems inefficent, error-prone, and lik

[c-nsp] IOS - ipv6 uppercase in config - why ?

Is there a reason that ipv6 addresses are stored with uppercase letters in config ? We can type them in either case and it's understood. Why convert to upper when writing config ? At issue is when I do 'show run | inc 2607:ff70' and get nothing I scratch my head for a second. Then I try 's

[c-nsp] AltDB?

Anyone here use AltDB? It seems their servers have been down for two days. I have emailed their admin alias but have gotten nothing. Anyone? whois -h whois.altdb.net 199.48.252.0 [Querying whois.altdb.net] [Unable to connect to remote host] -- It has to start somewhere, it has to start somet

Re: [c-nsp] 7600 updates

On Wed, 5 Jan 2011, MKS wrote: Does anyone know if/when 40/100 is coming to the ASR9000 or if 40G is coming to the 7600? Hi, 40G can be expected in 2011 (or early 2012) for ASR9K, Nexus 7000/5000, Cat 6500. I assume you are talking about 40G Ethernet? Yes 40GE. 100G can be expected i

Re: [c-nsp] ARP strangeness

> > We have one of those NMS systems that periodically "reads L2 devices for > mac-address/port mapping" and "reads L3 devices ARP for mac-to-IP > mapping". Ideally, there should be no missing links (if the MAC is > found, hopefully the ARP/IP is found, and vice-versa). > > For the default mac-add

Re: [c-nsp] 7600 updates

>> Does anyone know if/when 40/100 is coming to the ASR9000 or if 40G is >> coming to the 7600? > > Hi, > > 40G can be expected in 2011 (or early 2012) for ASR9K, Nexus 7000/5000, Cat > 6500. I assume you are talking about 40G Ethernet? > 100G can be expected in 2011 (or early 2012) for ASR9K and

Re: [c-nsp] Warm reload in Cisco 6500

On Tuesday, January 04, 2011 11:45:15 am Keegan Holley wrote: > The link above says it's available on the 6500 which is definitely not CPU > based or non-distributed. I was hoping for something like NSF where it just > trusts the info in TCAM while the reload/re-convergence happens in the > contro

Re: [c-nsp] redistribute routes leaked from another VRF?

Jeff Bacon wrote: > > The unicast I want to switch out into a VRF. > > I get the notion of using VRF source-selection but I'm uncomfortable > with it, and I'm not sure how well it works in hdw at line rate, which > it needs to. Besides, I'd like to drive the source select map from the > routing

Re: [c-nsp] DSCP Trust on 67xx cards

On Wed, 2011-01-05 at 14:54 +0100, Robert Hass wrote: > On Wed, Jan 5, 2011 at 2:17 PM, Peter Rathlev wrote: > >> QOS scheduling:rx-(1q8t), tx-(1p3q8t) > >> QOS queueing mode: rx-(cos), tx-(cos) > > > > This is CoS *scheduling*, i.e. in what queue do I place a packet. > > Peter &

Re: [c-nsp] DSCP Trust on 67xx cards

On Wed, Jan 5, 2011 at 2:17 PM, Peter Rathlev wrote: >>   QOS scheduling:        rx-(1q8t), tx-(1p3q8t) >>   QOS queueing mode:     rx-(cos), tx-(cos) > > This is CoS *scheduling*, i.e. in what queue do I place a packet. Peter & Phil - thank you. I've got idea now. So, DSCP trust will work as-wel

Re: [c-nsp] ARP strangeness

On 1/4/11 11:43 PM, Jeff Kell wrote: On 1/4/2011 9:01 PM, Rodney Dunn wrote: There were some changes to ARP at one point to provide some more triggered capability. I don't recall exactly what that was but the default behavior for many years was that we send a unicast arp to the destination 60

Re: [c-nsp] ARP strangeness

On 1/5/11 2:01 AM, Frank Bulk - iName.com wrote: Rodney: I can't recall seeing that ARP refresh documented anywhere, but it's obviously happening. Yea. Arp is a lot more complicated than folks think. ;) I agree with you about the race condition. Yesterday I set the FTTH MAC timeout to b

Re: [c-nsp] ARP strangeness

On 1/5/11 1:55 AM, Frank Bulk - iName.com wrote: Jared: Thanks. We're running 12.2(33)SRE2, which is pretty recent. I could only hope that those CEF-MFI re-writes made it in the SR code line. Yes. As mentioned in the original post, the CAM timers are 540 seconds, and that's because Cis

Re: [c-nsp] DSCP Trust on 67xx cards

On Wed, 2011-01-05 at 13:10 +, Phil Mayers wrote: > I highly recommend googling for "qos srnd" and giving it a careful > read. It is very illuminating for QoS on the catalyst platforms. Also "Understanding Quality of Service on the Catalyst 6500 Switch" is worth a read: http://www.cisco.com/

Re: [c-nsp] DSCP Trust on 67xx cards

On Wed, 2011-01-05 at 13:59 +0100, Robert Hass wrote: > I'm a little confused regarding DSCP Trust support at 67xx linecards > at 6500 platform. Documentation says that COS Trust should be used. > Same shows me sh int capability. Exception is WS-X6708-10GE card where > DSCP is also supported. > >

Re: [c-nsp] DSCP Trust on 67xx cards

On 01/05/2011 12:59 PM, Robert Hass wrote: I'm a little confused regarding DSCP Trust support at 67xx linecards at 6500 platform. Documentation says that COS Trust should be used. Same shows me sh int capability. Exception is WS-X6708-10GE card where DSCP is also supported. The important thing

[c-nsp] DSCP Trust on 67xx cards

I'm a little confused regarding DSCP Trust support at 67xx linecards at 6500 platform. Documentation says that COS Trust should be used. Same shows me sh int capability. Exception is WS-X6708-10GE card where DSCP is also supported. Slot 1 - module WS-X6748-GE-TX, Sup720-3B, 6509-E, IOS 12.2(33)SXI

Re: [c-nsp] redistribute routes leaked from another VRF?

On Tuesday, January 04, 2011 11:12:05 pm Phil Mayers wrote: > It's also worth knowing that there's an evolved set of > this called mvpn-ng (not on Cisco IOS yet unfortunately) > which dispenses with various of the PIM-in-PIM layering. > Since 6500/SXI doesn't support it, I've never bothered > to d

Re: [c-nsp] redistribute routes leaked from another VRF?

On Tuesday, January 04, 2011 10:56:47 pm Jeff Bacon wrote: > I'm sure it works, though I haven't tried it. But it > means you have mcast (in global) carrying GRE-encap > mcast for the VRFs floating around your net. I think you > have to set up PIM in global to carry the transport > groups. Merely

Re: [c-nsp] 7600 updates

On Wed, 5 Jan 2011, MKS wrote: Hi list It's been some time since we have received a 7600 update, but I was checking the cisco site any found out the the only platform supporting anything bigger than 10gig interfaces is the CRS (40G pos and 100G ethernet) (on a side note, is the 100G orderabl

Re: [c-nsp] Need help w/ output drops on 7613 WS-X6748-GE-TX

On Wed, 2011-01-05 at 12:47 +0200, Hank Nussbacher wrote: > At 10:56 05/01/2011 +0100, Peter Rathlev wrote: > >Do you have QoS enabled? What does "show queueing interface Gi9/29" tell > >you? ... > gp#show queueing interface Gi9/29 > Interface GigabitEthernet9/29 queueing strategy: Weighted Round-

[c-nsp] 7600 updates

Hi list It's been some time since we have received a 7600 update, but I was checking the cisco site any found out the the only platform supporting anything bigger than 10gig interfaces is the CRS (40G pos and 100G ethernet) (on a side note, is the 100G orderable now?) Does anyone know if/when 40/

Re: [c-nsp] Need help w/ output drops on 7613 WS-X6748-GE-TX

At 10:56 05/01/2011 +0100, Peter Rathlev wrote: Content-Transfer-Encoding: 7bit On Wed, 2011-01-05 at 11:36 +0200, Hank Nussbacher wrote: > We have a 7613 w/ WS-SUP720-3BXL running 12.2(18)SXF11. > We have a 48 port WS-X6748-GE-TX. On one interface we > continue to see output drops when traffic

Re: [c-nsp] Need help w/ output drops on 7613 WS-X6748-GE-TX

At 10:56 05/01/2011 +0100, Peter Rathlev wrote: Do you have QoS enabled? What does "show queueing interface Gi9/29" tell you? Output drops are "egress buffer overflow" drops, so technically it happens because the box tries to send a packet out an interface already in use (transmitting another p

Re: [c-nsp] Need help w/ output drops on 7613 WS-X6748-GE-TX

On Wed, 2011-01-05 at 11:36 +0200, Hank Nussbacher wrote: > We have a 7613 w/ WS-SUP720-3BXL running 12.2(18)SXF11. > We have a 48 port WS-X6748-GE-TX. On one interface we > continue to see output drops when traffic goes above 200Mb/sec. [snip] Do you have QoS enabled? What does "show queueing in

Re: [c-nsp] bbq 2970

Hi, > > > I'd advise you look at the current open caveat list - you may be affected > > by less (or more) > > > > Would you happen to have a link? IOS download/info links on cisco.com - not sure if you need CCO. if you check the cisco support forums you wil see a swathe of issues relating to

[c-nsp] Need help w/ output drops on 7613 WS-X6748-GE-TX

We have a 7613 w/ WS-SUP720-3BXL running 12.2(18)SXF11. We have a 48 port WS-X6748-GE-TX. On one interface we continue to see output drops when traffic goes above 200Mb/sec. The interface is defined as follows (very straightforward): interface GigabitEthernet9/29 mtu 9000 bandwidth 100 no