Hi,
I'm exploring redundancy possibilities for a router hand off without a
dynamic routing protocol. It's ugly and I'm not going to explain all the
details here, but I basically have this configuration on a router:
interface Gi1/1
 backup interface Gi1/2
 ip address 192.168.1.1 255.255.255.252
Hi,
On Wed, Aug 13, 2014 at 6:14 PM, Gert Doering g...@greenie.muc.de wrote:
Hi,
On Wed, Aug 13, 2014 at 04:44:49PM +0100, Sam Stickland wrote:
I'm exploring redundancy possibilities for a router hand off without a
dynamic routing protocol. It's ugly and I'm not going to explain all
Doering g...@greenie.muc.de wrote:
Hi,
On Wed, Aug 13, 2014 at 04:44:49PM +0100, Sam Stickland wrote:
I'm exploring redundancy possibilities for a router hand off without a
dynamic routing protocol. It's ugly and I'm not going to explain all the
details here, but I basically have
Hi,
I have a very simple TACACS+ configuration that is still using the local
enable secret and not the TACACS server:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa session-id common
tacacs-server host x.x.x.x key 7
devices:
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
Javier Henderson
jav...@cisco.com
On Jul 30, 2014, at 8:39 AM, Sam Stickland s...@spacething.org wrote:
Hi,
I have a very simple TACACS+ configuration
I think some of you might get enjoyment out of this...
After four and a half years and around 5,000 man hours we finally
finished our feature film comedy about networking. If nothing else I
think this must be the only film in existence that has eight CCIEs in
the cast and a song about EIGRP :)
All,
I encountered some strange, but beneficial, behaviour in the lab. We connected
a server with teamed NICs to two 6500s running SXH2a. The NIC teaming is
active/standby using only a single MAC and IP address. The server joins a
multicast group and starts receiving traffic. We found that if
On 9 Feb 2011, at 17:51, Phil Mayers p.may...@imperial.ac.uk wrote:
On 09/02/11 16:57, Sam Stickland wrote:
All,
I encountered some strange, but beneficial, behaviour in the lab. We
connected a server with teamed NICs to two 6500s running SXH2a. The
NIC teaming is active/standby using only
we really should have been doing all along.
-Ben
On Feb 9, 2011, at 11:57 AM, Sam Stickland wrote:
All,
I encountered some strange, but beneficial, behaviour in the lab. We
connected a server with teamed NICs to two 6500s running SXH2a. The NIC
teaming is active/standby using only
Sam Stickland sam_mailingli...@spacething.org 6/8/2010 5:25 PM
Hi Steve,
I can't see any mention of aggregate policers for the Sup 6, but I could be
being blind:
http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst4500/12.2/52sg/configuration/guide/qos.html#wp1474085
If you want
Hi Steve,
The Sup6 and above use a more MQC based setup, that you may have encountered
on the WAN platforms (e.g. 7200, ASR). None of the commands starting qos
are available.
Create class-maps to match the DSCP values you want in each queue (DSCP
trust is on by default), then match these in a
All,
I'd appreciate any feedback people have on tuning iBGP for faster
convergence, particularly dead peer detection for indirect Loopback to
Loopback peerings.
There seem to be two viable options:
1) Reduce the iBGP timers to 1/3
2) Use fall-over (fast peering session deactivation), with a
On Tue, Jun 8, 2010 at 7:31 PM, Richard A Steenbergen r...@e-gerbil.net wrote:
On Tue, Jun 08, 2010 at 05:14:58PM +0100, Sam Stickland wrote:
All,
I'd appreciate any feedback people have on tuning iBGP for faster
convergence, particularly dead peer detection for indirect Loopback
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfis...@dps.k12.oh.us
Sam Stickland sam_mailingli...@spacething.org 6/8/2010 12:02 PM
Hi Steve,
The Sup6 and above use a more MQC based setup, that you
Chris Hale wrote:
We have a set of 7206VXR's, NPE400 CPUs on each end of a point to point OC3
using PA-POS-OC3 cards. We bridge these circuits through a PA-GE interface
(essentially turning the 7206's into an OC-3 to GigE converter) with a single
bridge group.
We are trying to push nearly
Hi,
I've read:
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd80673385.html
If I'm understanding this correctly, communication between each bank of
8 ports on a 6716-10G will be line-rate, but communication between the
first and second groups of 8
Roland Dobbins wrote:
But even more than that, putting your public-facing DNS (or any other
kind of server) behind a firewall is a very serious architectural
mistake; firewalls in front of public-facing servers provide no
security value whatsoever, and degrade the overall security posture
due
Hi,
Is anyone able to confirm whether the onboard X2 slots on the 4900M
support the twin-gig modules?
Some of the documentation suggests they are only supported on the 8-Port
(2:1) 10 Gigabit Ethernet (X2) Half Card, but I haven't seen any that
definitively rules out their use on the
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
ACLs and no
inspection so I'm not sure it's really that useful?
Sam
Sam Stickland wrote:
Hi,
Has anyone here deployed the Nexus V1000? I'm interested in feedback
(good, bad or indifferent).
Thanks,
Sam
Hi,
Has anyone here deployed the Nexus V1000? I'm interested in feedback
(good, bad or indifferent).
Thanks,
Sam
Hi,
What's the maximum length you can run async-serial (9600 baud) over
CAT5e (from a terminal server to console port)?
My google-fu has failed me.
Sam
Hi,
I'm in the middle of preparing a patch for SNMP::Info to detect the
operating systems and versions running on a wider range of Cisco equipment.
It's left me somewhat stumped what to write in the os field for most
of the devices below. IOS has a name, CatOS has a name, but what on
earth
Module
Version 3.2(10)
I can't get SNMP to work on an IDSM2 or I'd send you that output too.
Justin
Sam Stickland wrote:
Hi,
I'm in the middle of preparing a patch for SNMP::Info to detect the
operating systems and versions running on a wider range of Cisco
equipment.
It's left me somewhat
Hey guys,
It looks like we are seeing bogus interface counters (SNMP and CLI) in
12.2(33)SB2 on a 7304 NSE150.
I'm just trying good ol' bog standard MRTG to rule out our monitoring
systems, but I'm curious if anyone else has seen this?
Sam
Sam Stickland wrote:
Hey guys,
It looks like we are seeing bogus interface counters (SNMP and CLI) in
12.2(33)SB2 on a 7304 NSE150.
I'm just trying good ol' bog standard MRTG to rule out our monitoring
systems, but I'm curious if anyone else has seen this?
MRTG just started graphing
Hi,
We do have a TAC case on this, I'm just wondering if anyone here has
seen something similar.
We upgraded from 3.1(1) to 3.1(9) on our context based L3, FWSMs. Now,
if an incoming SYN has timestamps there's a 50% chance that the FWSM
generates a bad checksum when it NAT translates the
Hi,
I'm trying to graph some MIB values from a Cisco Content Engine
(CISCO-CONTENT-ENGINE-MIB)
All of the OIDs work fine except the ones below. They all return values,
but they are static and unchanging. Has anyone else tried this with
success? I'm assuming this is a counter bug, but
Phil Mayers wrote:
Sam Stickland wrote:
Hi,
We have a pair of 4948s and some DDOS devices configured in this
topology (this is an inherited design btw!):
SW1 SVI ---VLANA-- SW2 SVI
   |                  |
DDOS Std           DDOS Act
   |                  |
SW1 (L2) --VLANB-- SW2 (L2)
   X
Hi,
We have a pair of 4948s and some DDOS devices configured in this
topology (this is an inherited design btw!):
SW1 SVI ---VLANA-- SW2 SVI
   |                  |
DDOS Std           DDOS Act
   |                  |
SW1 (L2) --VLANB-- SW2 (L2)
   X                  |
   |                  |
Inside
Lincoln Dale wrote:
Sam Stickland wrote:
Hi,
We have a pair of 4948s and some DDOS devices configured in this
topology (this is an inherited design btw!):
SW1 SVI ---VLANA-- SW2 SVI
   |                  |
DDOS Std           DDOS Act
   |                  |
SW1 (L2) --VLANB-- SW2 (L2)
   X
Hi,
Does anyone know of a way to SNMP poll for module status on devices that
don't support STACK-MIB (e.g. 4500s). (With STACK-MIB this is as simple
as walking .1.3.6.1.4.1.9.5.1.3.1.1.10)
I've been looking at the ENTITY-MIB but that doesn't seem to have the
necessary data?
Annoying the
Ha, I've been looking for this for a week, and then just after I send
the email I finally find it.
http://www.oidview.com/mibs/9/CISCO-ENTITY-FRU-CONTROL-MIB.html
cefcModuleOperStatus 1.3.6.1.4.1.9.9.117.1.2.1.1.2
Sam
Sam Stickland wrote:
Hi,
Does anyone know of a way to SNMP poll
Hi,
In the sh span vlan X detail command there's output similar to the
following:
Root port is 47 (GigabitEthernet1/47), cost of root path is 14
Topology change flag not set, detected flag not set
Number of topology changes 11 last change occurred 2d00h ago
from
[EMAIL PROTECTED] wrote:
Hi,
logging event link-status (or spanning-tree logging was not configured
on any switch so don't know if any of the ports went up or down.
no syslog either. what about the uptime of the switches...did one or
more fail due to loss of power?
are you running
Hi Jeff,
I'm not sure I understand the problem with identity NAT (no
nat-control). It does default to all interfaces, but the ACL checks will
happen before the NAT translation is built so you can control your
access there?
Sam
Jeff Kell wrote:
I seem to have backed myself into a corner and
Gert Doering wrote:
Hi,
On Fri, Jul 11, 2008 at 08:12:44PM +0300, Eugeniu Patrascu wrote:
If the PIX would be compromised, the attacker could also setup ACLs/NATs
so that he has access to the network.
Only if he gets enable access.
Still, it's not really a reason - on the old
Justin Shore wrote:
Felix Nkansah wrote:
Thanks guys.
I thought it has some special shutdown procedures or commands.
Some of the linecards should be commanded to shutdown prior to cutting
power to the chassis. Interface linecards aren't a concern but those
that have special functions are
Vinny Abello wrote:
Also, minus the added hardware in the ASA which handles things like SSL VPN's
and the other optional hardware options, you can run the same code (not image,
but code) on the PIX 515 and higher models that the ASA devices run (7.x and
8.x), providing you have enough memory.
Apologies I pasted some info where the path costs didn't total up to be
the same. Here's the correct one.
The total path cost is 723 on every interface, the port priority on the
Serial interface is higher.
The only logical conclusion appears to be that it's comparing the bridge
IDs before
I can buy the comprising argument for a reason not to do this.
I think the reason most people here want to be able to do outbound
telnet is for troubleshooting - checking port connectivity and protocol
banners. Many times administrators are insistent that a server is
listening on such and
Hi,
Is there some way to disable/work-around RSVPs split horizon checks?
Currently it will log messages like this when receiving path requests on
the same interface it needs to forward out of:
RSVP: can't forward Path out received interface
This could be fixed in the topology, but I'm
Daniel Hooper wrote:
Hi,
I'm currently using Cacti to graph my interfaces, this doesn't seem to
be real time enough.
What are others using for graphing and data collection?
I was playing around with the realtime plugin for Cacti this morning,
comparing the graphs taken with 5 second polling
Oliver Boehmer (oboehmer) wrote:
Sam Stickland wrote on Monday, June 30, 2008 12:48 PM:
Hi,
Is there some way to disable/work-around RSVPs split horizon checks?
Currently it will log messages like this when receiving path requests
on the same interface it needs to forward out of:
RSVP
Oliver Boehmer (oboehmer) wrote:
Sam Stickland wrote on Monday, June 30, 2008 12:48 PM:
Hi,
Is there some way to disable/work-around RSVPs split horizon checks?
Currently it will log messages like this when receiving path requests
on the same interface it needs to forward out of:
RSVP
Felix Nkansah wrote:
Hi,
I would like to know how to telnet FROM a CLI session on the PIX.
After logging into a CLI session on the PIX, the need arises that I
sometimes telnet to another device from the PIX. I don't seem to find the
command for doing so on the PIX
Along with being able to
Higham, Josh wrote:
[mailto:[EMAIL PROTECTED] On Behalf Of Ziv Leyes
I guess it's more as a working right educational purpose,
so you won't use your firewall as a debugging client.
In newer versions there's the packet tracker that can help
you debug connectivity problems.
Ziv
As an
Tony Varriale wrote:
Any chance you could give the group more details before saying it
can't be trusted?
I'm afraid I don't have any concrete details to add, but I've found
capture expressions on Firewall Service Modules to be quite
inconsistent. Presumably this is something to do with the
info
0x412517881481472 12342 Init
0x41B3D2F413759204095 PM vlan non trunk portlist
0x40FBD4201063744 67 List Elements
Sam
On 7/06/2008, at 12:57 AM, Sam Stickland wrote:
Sam Stickland wrote:
Hi,
Does anyone know what the maximum number of (IPv4 unicast) routes
(Just forwarding this helpful answer back to the list so it hits the
archives)
Kevin Graham wrote:
Does anyone know what the maximum number of (IPv4 unicast) routes these
can take? They have 512MB of RAM, which I believe is the maximum for
this model.
Presumably you mean 7304?
Hi,
Does anyone know what the maximum number of (IPv4 unicast) routes these
can take? They have 512MB of RAM, which I believe is the maximum for
this model.
Thanks,
Sam
Sam Stickland wrote:
Hi,
Does anyone know what the maximum number of (IPv4 unicast) routes
these can take? They have 512MB of RAM, which I believe is the maximum
for this model.
Actually, I should clarify. We need to know if it can take two full
feeds in a VRF (VRF lite, with minimal
://www.cisco.com/en/US/docs/ios/ipsla/command/reference/sla_01.html
Look at the commands starting with history
Arie
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sam Stickland
Sent: Tuesday, June 03, 2008 12:20 PM
To: Cisco-nsp
Subject: [c-nsp] SAA
Richey wrote:
I've got a customer with a T1. They have been bought out by a large hotel
chain. They are pretty much demanding that they have SNMP full read access
to our router that is at their location as well as a copy of the config for
the router. This is not their router, it is ours and
Rick Martin wrote:
What is your routing policy when a customer owns their own router and
connects it to your network? In our case we discourage customer owned
routers but we do not totally ban it. Our policy is that we do not share
any dynamic routing protocol with routers not under our
A few things that would make my day-to-day life a little bit easier,
that I really don't think are that hard:
A text pager that lets you scroll backwards
Outbound telnet from FWSMs/PIXs (to check port connectivity)
Show running-config all for showing full configuration (including
defaults).
Hi,
I'm trying to come up with a system to better determine which is the
management address on a device. Some of our devices have multiple
loopbacks, some don't have loopbacks, so it's immediately easy to tell
how to do this.
It occurs to me that looking at the interfaces specified in the
Saku Ytti wrote:
In my opinion cisco is lacking some elementary L2 security features,
like not being able to limit MAC addresses per port, without also
having port-security on
I think the following config should limit the MAC addresses for you:
switchport port-security
switchport
Saku Ytti wrote:
On (2007-11-06 16:56 +), Sam Stickland wrote:
switchport port-security
switchport port-security maximum x
switchport port-security aging time 5
switchport port-security violation restrict
Port security doesn't permanently learn MAC addresses unless switchport
Chris Woodfield wrote:
BFD is a lifesaver where you have circuits such as metro ethernet
links that don't lose link state when something in the middle blocks
connectivity. It's less useful across WAN links that depend on end-to-
end connectivity to maintain line protocol.
As Arie, said,
Hi,
Is anybody here running 12.2(18)SFX10a or 11 yet? With any service
modules (CSMs, FWSMs, ACEs). They've only been out a month. (On the face
of it they've only fixed bugs, but the fact that 10a was released to fix
CSCsj92874
Take some time out of your busy working day for a film noir classic!
Detective Cisco is hired by Mrs Packet to find her missing husband. On
the way he meets different routing protocols who help him along on his
journey until he finally tracks down Mr Packet, and in the process gets
more than
Hi,
Gert Doering wrote:
Hi,
On Wed, Apr 04, 2007 at 03:46:27PM +0100, Sam Stickland wrote:
I've run some testing, and different Cisco platforms update the
SNMP-viewable
counters at different intervals.
[..]
Thanks Gert, this is very helpful. I'm guessing
64 matches