Hi,
On Wed, Oct 26, 2016 at 9:06 PM, Scott Voll wrote:
> So I have a 2951 setup with a Port-channel to a set of L3 Nexus 5548's on a
> VPC.
>
>
Well, I don't know specifically about IPv6, but in general, connectivity
between a router and nexus using vPC is not recommended, but the result is
also
Hi,
On Fri, Oct 23, 2015 at 10:37 AM, james list wrote:
>
> I’d like to share experience, receive suggestions if any, alternatives if
> any, recommendations, scalability numbers if any, etc.
>
Make sure to handle the MTU appropriately or your routers will start
fragmenting packets
Regards,
Jo
Hi,
perhaps here:
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/upgrade/521_N1_8/n5k_upgrade_downgrade_521.html#pgfId-641259
or here: http://www.mostlynetworks.com/2013/07/no-issu-for-you/
Regards,
John
On Mon, Sep 28, 2015 at 2:35 PM, Harry Hambi - Atos
wrote:
> Hi all
Hi,
it could be nat but this depends on your routing config. It could also be
that this command is required:
same-security-traffic permit intra-interface
Regards,
John
On Mon, Sep 1, 2014 at 4:57 PM, ryanL wrote:
> hi,
>
> i'm hopefully going to find someone who's done this before, or who has
Hi,
just a few debugging ideas:
You could put an ACL on 2911 outbound interface to 2960 an ACL like
permit ip any host 239.xxx.xx.xx (the multicast group)
permit ip any any
and check if you get counters increasing on the first line
you could also enable ip flow and then with show ip cache flow
The interesting thing, is that SOME macs are learned and some are not.
Increasing the mac aging helped quite a bit, but there's still a problem.
>
> I'm curious if my copp default is limiting ARP.
>
> http://www.gossamer-threads.com/lists/cisco/nsp/125236
>
>
I don't know if copp would prevent th
Hi,
Did you issue "clear arp" after changing the mac aging on both switches so
that they update their mac tables?
Other than that, are there any eg trunk ports flapping without portfast
configured that could cause a lot of TCNs ?
When you see the traffic from the span, does the destination mac a
Hi,
since you don't lose the OSPF session between 5520 and 2921, I would say
that this is not related to ASA CPU, DoS from Internet etc.
This would also suggest that 2950G in general works ok. The vlan that
connects 3750 to 5520 exists only in 2950G and only these 2 devices are
connected? Would i
On Wed, Dec 4, 2013 at 6:18 PM, Eugeniu Patrascu wrote:
> On Wed, Dec 4, 2013 at 5:53 PM, Herro91 wrote:
>
> > Has anyone on the lists explored Cisco's ScanSafe SaaS offering, now
> called
> > Cisco Cloud Web Security - as a means of providing protection in the
> cloud
> > that would potentially
h.. maybe you could adjust ips throughput to 8Gbps so that you'll get
the 3240C model...
the model number could apply to juniper, cisco, hp, xtreme ...etc
John
On Sat, Nov 30, 2013 at 6:13 PM, madu...@gmail.com wrote:
> Dear Experts,
>
> I am in the process to acquire and implement network
Hi,
to be honest, I don't understand why losing the arp entry (btw in 5
minutes?) would make the device unreachable. Perhaps you block somewhere
the broadcasts?
So if you put a static arp on the device, everything works fine?
Regards,
John
On Thu, Oct 24, 2013 at 12:18 AM, Jason Lixfeld wrote:
hmmm
"The Cisco 4451-X data plane uses an emulated Quantum Flow Processor (QFP)
that delivers application-specific integrated circuit (ASIC)-like
performance that does not degrade as services are added."
--koug
On Fri, 28 Jun 2013, Antoine Monnier wrote:
but does that new 4400 have hardwar
It looks a bit strange that it takes 40 seconds to respond to the DPD
requests and then they all come together?
Is there any kind of QoS / wan accelerators in the path?
Is this Ipsec over TCP? have you tried UDP?
Regards,
John
On Thu, 25 Oct 2012, Joseph Mays wrote:
We have a client on a c
On Tue, 4 Oct 2011, Martin T wrote:
WS-C2960G-24TC-L[Gi0/22] <-> [Gi3/4]WS-C4506
SFP in WS-C2960G-24TC-L is a noname 1000BASE-LX10 transceiver working
thanks to "service unsupported-transceiver". GBIC in WS-C4506 is an
Avago AFCT-5611Z 1000BASE-LX10. Linecard model in WS-C4506 is
WS-X4306-GB.
Martin,
have a look also at the posts by Brad Hedlund:
http://bradhedlund.com/topics/cisco-ucs/
Regards,
John
On Fri, 22 Jul 2011, Martin T wrote:
2011/7/22 Pete Templin :
On 7/21/2011 4:25 PM, Martin T wrote:
Chris,
I have no hands-on experience with those servers, but as much as I
have r
On Wed, 13 Jul 2011, Peter Rathlev wrote:
On Wed, 2011-07-13 at 10:01 +0200, Matteo Castelli ML wrote:
I am starting a project to implement VRF-lite for some customers,
does anybody know (or have a link to some Cisco documentation) the
maximum number of VRF-lite instances in the different ISR
> Been googling but haven't found a good example to work with. Does anyone
> have an example configuration for a Cisco IAD device so that when a user
> picks up an attached handset it auto dials a number. This is for a
> outside office phone to ring in to the building type arrangement. Any
> po
On Fri, 8 Apr 2011, Arne Larsen / Region Nordjylland wrote:
When I did the tracing on the FWSM I could see that it was sending
traffic in both direction on the connection and on the wireshark I could
see that both ends ended up asking for each other, and after a while
retransmitting the websi
On Wed, 16 Feb 2011, Adam Greene wrote:
Anyone seen this behavior before?
We have set MTU to 1404 on all interfaces of the 1841 ... does not help.
Is there some feature I should enable on the 1841? Stumped ...
have you tried "ip tcp adjust-mss 1360" on the interfaces?
Regards,
John
Hello,
On Thu, 3 Feb 2011, Ge Moua wrote:
If there were ISR on both end then I'd just do vrf-aware IPSec and plumb
L2TPv3 inside of this to transport the vlan; of course this doesn't answer
the original question of doing this with ASA
I believe that you can use ASA for the IPsec part and
I believe that you can use ASA for the IPsec part and create GRE tunnels
between the PE and CE (one for each VRF). You would need though something
like ISR on both ends or switches that support GRE in hardware, so
3560/3750 should change.
Regards,
John
On Tue, 1 Feb 2011, Jeff Kell wrote:
On Thu, 25 Nov 2010, Jason Charlton wrote:
I am trying to setup my ASA to do authentication for VPN users, where
specific group-policy will be assigned based on the AD group membership.
I know this can be achieved through the below commands:
ldap attribute-map CISCOMAP
map-name memberOf IE
Hello,
On Tue, 23 Nov 2010, Elmar K. Bins wrote:
I am trying to set up a test port - for an IP phone actually - with
the office WS VLAN (402) native untagged, and the Voice VLAN (498)
tagged on this 3560-48 (12.2(25)SEE4).
My config looks like this:
#sh run int f0/44
interface FastEthernet0/4
Hello,
you can use "show crypto ipsec sa detail" and check the counters.
Maybe you need to increase the "replay window-size". see:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_iarwe.html
If you can't find what is wrong, try also to switch to tunnel mode, just
in case this
we are using Cisco ACS with RSA ACE integration for these devices.
You will get a standard prompt like:
TACACS+ Username: myuser
Password: +
The login is fast, and from what I hear the ACS+ACE setup is stable
enough to not being punished by your server operations team for
choosing this soluti
Thanks John.
That seems viable. My only concern is if I have more and more customers
coming into distribution, the config could get hairy.
I was hoping I could make a different isolated vlan on the second 3750
switch. And then I was hoping that a ping from isolated vlan to isolated vlan
fr
pvlans do not work only local. just configure the uplink to 6509 as
regular trunk, and allow 810,666. And you should configure the vlans on
6509 as private also (as you configure them on 3750)
John
On Fri, 9 Jul 2010, Erik Witkop wrote:
So I have two 3750 (no stackwise) that uplink to a 6
On Wed, 7 Jul 2010, Pete Lumbis wrote:
This is part of standard ACL optimization. This optimization completely
disregards comments. It's annoying and a bug was filed eons ago about this
and it was junked as part of expected behavior. See CSCdu55701.
-Pete
On Wed, Jul 7, 2010 at 2:58 PM, Ruben
On Tue, 6 Jul 2010, Rin wrote:
I have two questions here:
1. Is there any method that the router does not additional
configuration on port configured with port-security MAC sticky?
2. Anyone has other idea rather than configure port-security to detect
same MAC address on CPE?
mayb
On Tue, 11 May 2010, Felix Nkansah wrote:
To "informally" permit employees to watch the upcoming soccer world cup
without consuming all the bandwidth through the use of web TV, one of my
customers came up with this requirement:
What would you recommend? Thanks.
Get the stream using eg VLC
Config example. The remote end is the same.
Tunnel73
ip address yy.yy.yy.yy 255.255.255.252
ip mtu 1476
ip tcp adjust-mss 1460
tunnel source x
tunnel destination z
tunnel path-mtu-discovery
The two tunnel endpoints are ME3400s. I expected that this
configuration would reduce the q
On Fri, 23 Apr 2010, Geert Nijs wrote:
A customer of us has a really strange problem. He can't download anything
from ftp.cisco.com
He is sitting behind a Checkpoint Firewall. The Firewall admin says that
everything is configured correctly (we can download from other FTP sites).
Did you try to
On Thu, 1 Apr 2010, Mark Tinka wrote:
Anyone else experiencing login troubles to www.cisco.com ?
Have you tried clearing the cookies from *cisco* ? usually this works for
me...
John
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://
164 dec == A4 hex
it seems that all your macs on other vlans start with 00
On Fri, 12 Mar 2010, Drew Weaver wrote:
Sorry, I promise this will be my last odd-ball question for awhile.
[r...@nessie html]# snmpwalk -v2c -c st...@511 10.1.0.1 .1.3.6.1.2.1.17.4.3.1.1
SNMPv2-SMI::mib-2.17.
On Thu, 11 Mar 2010, Peter Rathlev wrote:
On Thu, 2010-03-11 at 08:39 -0500, David Prall wrote:
I specifically tested if the router would MPLS tag the packets
correctly, and could see that it would. And I also tested the whole
stack (IP/GRE/IPSec/MPLS), but only with traffic originated by the
On Mon, 8 Mar 2010, Peter Rathlev wrote:
crypto isakmp profile Crypto-Profile-TEST
vrf INSIDE-VRF
keyring Crypto-Keyring-TEST
match identity address 172.16.0.1 255.255.255.255 OUTSIDE-VRF
initiate mode aggressive
!
not sure, but maybe you should put this profile in vrf OUTSIDE-VRF ?
Regards
Hello,
somewhere in an old document (CatOS) it states the problem:
http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008013565f.shtml
Known Limitations of VACLs and PVLANs
Unicast Reverse Path Forwarding (uRPF) does not work well with PVLAN host
ports, so uRPF must
Hello,
User credentials are not cached, machine ones are - of course.
I think windows caches users credentials, so that you can logon to a PC
when there is no network connectivity. I really don't know how WPA2/802.1x
uses domain authentication. Is it Kerberos enabled EAP?
They really woul
We offer wireless connectivity to about 500 to 1000 user/devices that
authenticate with machine & domain credentials via WPA2.
My thought is that our wireless traffic is likely more secure than our plain
wired networks - at this point without 802.1x on lan.
but the wireless signal trave
On Mon, 8 Feb 2010, Muhammad Jawwad Paracha wrote:
Dear All,
We are facing problem in Cisco 6506 equipment regarding ACL's. It has
occurred 3 times that ACL's that are being implemented on device stops working
for 1,2 minute.
Hello,
I think that I recently saw somewhere to prefer named ACLs in
On Thu, 21 Jan 2010, Gerald Krause wrote:
For now I see 3 options for us:
a) implement dedicated VRFs for each branch and map VRFn<->VLANn on the RTRs
b) build a bridged L2 "LAN" from the CPE Dialer-Interfaces up to the
Firewall-Ethernet Interface (how? bad idea?)
c) some other brilliant appro
Is there any way to run subinterfaces across a MLPPP bundle in IOS?
maybe you could also use eg l2tpv3 over mlppp or frame-relay with
frf.16.1 and DLCIs?
Haven't tried it though...
John
On Tue, 24 Nov 2009, Lin wrote:
I tried to do a "no ip nat service sip tcp port 5060" command. This removes
the "482 Loop Detected Error" and allows the client ip phone to register.
However, outgoing calls fail, because the SBC on the other end responds with
an "403" error. Apparently, the he
Is it as easy as that? Can we just insert an adapter cable to convert
from coax to RJ45 and then use e.g. the NM-CEM-4TE1?
Yes. Cisco also has such cables eg. I think CAB-ADPT-75-120 was the part
number, but I guess it will be much cheaper if you get a eg. Krone
it's useful if you want 10G to the desk. Otherwise, it's too fragile and
sensitive for the average office environment.
Maybe plastic optical fibers are not so fragile/sensitive, but I haven't
seen them in production
John
Hello,
somewhere at the start of syslog.conf you will see something like:
*.err /dev/sysmsg
*err;kern.debug/var/adm/messages
*.alert;kern.err operator
etc.
change it to something like:
*.err;local0.none /dev/sysmsg
*err;kern.debug;local0.non
On Thu, 17 Sep 2009, David Hughes wrote:
On 16/09/2009, at 6:06 PM, Gert Doering wrote:
Just imagine how much functionality NX-OS could get if they would stop
wasting effort on 17 different software trains for "classic IOS" and
instead focus on getting NX-OS on all hardware platforms, and g
have you enabled "crypto logging session" ?
On Thu, 27 Aug 2009, Paul Stewart wrote:
Hi folks...
We have a site that runs a Cisco 2800 with a IOS VPN server. Users connect
via their Cisco VPN clients to gain access to an internal network there...
I would like to start auditing it a bit m
I think it will also show Null when it is forwarded but goes through a
permit ACL with log keyword
John
On Wed, 5 Aug 2009, Rodney Dunn wrote:
There are scenarios (nat, acl drops, etc.) where the dst in the netflow will
show null.
For a transit packet that is forwarded out will not (shoul
Hello,
The standard approach is to send at authentication via a eg. radius
attribute a session timeout calculated to the end of the work-day. ACLs
may not work because the sessions are already established. You could
experiment with stateless ACLs on a router somewhere "above" your ASA, but
I
Hello,
I remember cisco boxes having CPU problems with retrieving arp / route
table entries via SNMP more than ten years ago. Maybe someone must create
some kind of snmp proxy that retrieves those tables from cli
Regards,
John
On Fri, 24 Jul 2009, Jeff Fitzwater wrote:
Hello Bill,
Ho
Hello,
I had once tried to use the NAT controls on the interfaces on a PIX and I
was disappointed because things didn't work as expected, but I don't
remember the exact details. What I remember is that if you want to be
safe, you must put access-list everywhere. So I use now "no nat-control"
On Fri, 22 May 2009, Jon Lewis wrote:
On Fri, 22 May 2009, Benny Amorsen wrote:
Jonathan Brashear writes:
As an aside, PVST can become an issue when you're scaling up into
dozens/hundreds of VLANs.
The 3560/3750 series supports only 128 PVST instances. I discovered this
the hard way.
I
hem to agree to our
usage terms.
On Wed, May 6, 2009 at 9:41 AM, John Kougoulos wrote:
Hello,
have a look at consent feature for routers
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t15/auth_fw.html
you can also setup something like chillispot:
http://www.chillispot.info/
Regards,
John
O
Hello,
have a look at consent feature for routers
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t15/auth_fw.html
you can also setup something like chillispot:
http://www.chillispot.info/
Regards,
John
On Wed, 6 May 2009, Johnny Ramirez Colmenares wrote:
We have a guest network and I would li
Hi,
do you run 12.0 mainline?
perhaps you are affected by: CSCdw36579
Regards,
John
On Fri, 27 Mar 2009, Sebastian Ganschow wrote:
Hi,
as far as i know and cisco says, a lightstream should be hot-swap capable.
Does anyone know which reason could be, that a lightstream freezes, if you
pull
Hello,
you could split the usage of nat pools based on statistics of the source
IP addresses eg use 1 ip/overloaded nat pool for even source IPs and
another IP for the odd source IPs
Best Regards,
John
On Wed, 25 Feb 2009, nasir.sha...@bt.com wrote:
Hi,
I have a client who has moved their
Hello,
perhaps you are looking for this:
Consent Feature for Cisco IOS Routers 12.4(15)T
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t15/auth_fw.html
However you can also use the embedded captive portal when you use Cisco
WLC controllers or you can also try Chillispot
--koug
On Tue, 25 Nov
Hello,
try removing the following lines:
acl 100
include-local-lan
netmask 255.255.255.0
The IP address that will be used is the one assigned by the pool VPNPool1,
unless you configure some kind of NAT translation
BR,
John
On Tue, 22 Jul 2008, Paul Stewart wrote:
Hi there...
We have a re
On Thu, 22 May 2008, Eric Cables wrote:
>
> The above, however, doesn't seem to work in some cases. Users at these
> sites complain of intermittent connectivity problems, which seem to be
> solved rather quickly by reducing the IP MTU, and configuring TCP
> adjust-mss. I do have concern as to
>
> Certainly Cisco must (should) have had numbers demonstrating the split
> was reasonable, and it's possible the group of people on this list,
> myself included, who dislike the split are a self-selecting minority.
>
> It doesn't mean I have to like it though.
Time and customers will show if thi
On Wed, 2 Apr 2008, Tim Franklin wrote:
> On Wed, April 2, 2008 10:47 am, Dale Shaw wrote:
>> From the same people responsible for the VMS wombats? Did Cisco hire a
> bunch of ex-DEC folks?
... It was founded by ex-DEC folks
http://en.wikipedia.org/wiki/Len_Bosack
:)
Hello,
mgen was very useful in some tests I have done in the past:
http://cs.itd.nrl.navy.mil/work/mgen/index.php
John
On Tue, 1 Apr 2008, Robert Hass wrote:
> Hi
> I'm currently looking for some software which can help us test new
> Multicast configuration
> in our network. Is any free softwa
You could use also https with some kind of authentication (you can even
integrate something like SecurID) and of course you may use PGP encrypted
files.
WebDAV would be a candidate also...
John
On Wed, 5 Mar 2008, Mike wrote:
> Not 100% Cisco related, but supported by Cisco technology ultimat
do you have "logging event link-status" on the interfaces?
On Mon, 4 Feb 2008, William wrote:
> Hi,
>
> I have a Cisco 4500 running 12.1 IOS code.
>
> It would seem we are not getting up/down port events in the log
> buffer, to setup logging we have:
>
> logging source-interface Vlan1
> logging
if you use cbac you need to permit only port 21. The rest will be handled
by cbac. if you use extended only acls (no reflexive, no cbac) you need to
permit a lot more:
example:
active (port)
outacl (to server)
client gt 1023 -> server eq 21
client gt 1023 -> server eq 20 established
(assumi
> The only option I can think of here if for you to grant access to a
> userid that is allowed to run 'copy running-config
> tftp://aaa.bbb.ccc.ddd/upload/pix.cfg' where aaa.bbb.ccc.ddd is the IP
> of the authorized TFTP server on a secured portion of your LAN. That
I think that you could also u
Hello,
Based on what I remember from some tests a few years ago, IOS will use the
CBAC configuration that it will match first, but the first packet
must be permitted through all the ACLs.
So in case on Vlan1 you have "ip inspect fw in" and on Dialer1 you have
"ip inspect fw2 out", in case
check out this url, it has some tools, I don't know if they do what you
want:
http://www.caida.org/tools/measurement/Mantra/other-tools/other-tools.html
--koug
On Thu, 27 Sep 2007, Xavier Beaudouin wrote:
> Hello,
>
> I am looking for a good tool to use and see what multicast groups I have
Hello,
I've done this in vpn concentrators with radius:
Locking Users into a VPN 3000 Concentrator Group Using a RADIUS Server
http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a00800946a2.shtml
It applies to VPN concentrators using Radius, but I guess that it will
pro
Ian MacKinnon wrote:
>
>>
>> On Thu, Jun 07, 2007 at 02:50:14PM +0100, Ian MacKinnon wrote:
>>> Hi All,
>>>
>>> Given the config below for a vpn tunnel, when I add the command "qos
>>> pre-classify" to the crypto map and the tunnel interface, I get really
>>> bad slowdown of traffic.
>>>
>>> 2. Qu
I think that at least on 3550 you couldn't apply concurrently port acls
(on layer 2 ports) and vlan acls (on Layer 3 ports/SVIs).
I'm not sure if this restriction applies on 3560 too.
Tom Zingale (tomz) wrote:
> Yes on a vlan or port you can allow/deny tcp/ip traffic. See the docs
> http://www.ci
my preferred method is to upload the acl with tftp, of course with the
first line "permit tcp any any established"
also I have created a script on the tftp server (which works only with
non-named access-lists), which extracts the acls from a router
configuration file, and places each acl on a d
rsus
policy-map/class-map style:
service-object proto tcp src-port gt 1023 dst-port 2121 inspect-type ftp
Best Regards,
John Kougoulos
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Robert Blayzor wrote:
> Rodney Dunn wrote:
>> Good suggestion. Let me see if I can convince development to code it.
>
>
> Well there already begin, inc, exc, etc...
>
> It would be nice to add "last" and "top", etc:
>
> sh log | top (shows top 10 lines)
> sh log | last(shows last 10 lin
I will enhance this with show logging | begin ^000699:)
Ed Ravin wrote:
>> On Thu, May 24, 2007 at 05:26:01PM +0300, Tassos Chatzithomaoglou wrote:
>>> I was wondering
>>>
>>> Is there a way to display the x last lines of the log of a router (through
>>> the cli) ?
>>> Like the CatOS "sh
> upgraded it to 12.4(11)Txx to try to fix it.
>
> ...Skeeve
>
> -Original Message-
> From: John Kougoulos [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 17 April 2007 2:19 AM
> To: [EMAIL PROTECTED]
> Cc: 'Cisco-nsp'
> Subject: Re: [c-nsp] Cisco 1811 DN
also if you are using 12.4(11)Txx, consider moving back to 12.4(6)Tyy.
Skeeve Stevens wrote:
> I have an 1811 temporarily doing NAT for about 200 clients and at the moment
> and while it generally is working ok, the DNS facility of the router is
> freaking out.
>
> Some show logging:
>
> *Apr 1
/guest/products/ps4830/c1237/ccmigration_09186a00803704f5.pdf
Also search in cisco site with keywords: md110 pbx interoperability
Also you may think of the option of using native MD110 voip trunks
Best Regards,
John Kougoulos
Mad Unix wrote:
> MD110 with Cisco VOIP
> anyone got any doc
79 matches