Hey all,
I'm just wondering if the aforementioned switches will listen for NTP
requests by default.
We have a rigid Change Management policy, and unfortunately I have no
spares for these units. I'm trying to come up with the appropriate
config so that these units both sync time off the
On 11/06/2012 10:46 AM, Steve Bertrand wrote:
I'm just wondering if the aforementioned switches will listen for NTP
requests by default.
Thank you everyone for all of the on and off-list replies. I've got my
answer and will be implementing tomorrow morning.
This setup is only for one
On 2010.11.17 10:35, Peder wrote:
I have several border routers connected to different Internet providers. I
want to be able to blackhole inbound traffic from certain IPs. My hope is
that there is a way that I can set it in one spot and then have to duplicate
to the other routers. My
Hi all,
I've got a client that has ~15 sites on the fibre side of my network.
Most of these sites have redundant links via SDSL. All of the sites
(even the single-homed ones) do BGP to me (private AS, I announce
default and a small subset of specifics).
Most of the sites are small, and I usually
On 2010.07.13 09:55, Mohammad Khalil wrote:
Dears
what is the best free logging server to implement ?
I like syslog-ng
http://www.balabit.com/network-security/syslog-ng/
Steve
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
On 2010.07.06 08:53, Thierry wrote:
1.The two main routers connected to the upstreams (both get full
internet table from them) will be Route Reflectors. We will create a cluster
on these two routers.
Since nobody responded yet, I'll put my neck on the line...
Personally, I wouldn't use
On 2010.06.07 10:01, Drew Weaver wrote:
Does anyone have any good ideas for the best way to handle this? do you use a
small switch/router that can do BGP, or do you use a linux/vyatta router to
do the route reflection?
I have three such boxes for redundancy and testing.
Two are FreeBSD
On 2010.06.02 14:04, jack daniels wrote:
Hi Guys,
I'm facing an issue and stuck on a thought process, would appreciate if some
way you guys can show with your experience in industry -
ISSUE
user X spoofs IP ADDRESS OF ISP-A and sends traffic out to internet...
now when traffic is
On 2010.05.26 15:50, Christian MacNevin wrote:
Hi
Is it generally done to exchange ipv6 info with bgp peers defined only by
ipv4 router ids?
Ie:
Router bgp 65001
Neighbor 1.2.3.4 remote-as 65001
!
Address-family ipv6
Neighbor 1.2.3.4 activate
If I understand your question correctly,
On 2010.04.16 14:29, Grzegorz Janoszka wrote:
Does anybody know how to receive both v4 and v6 prefixes onto one BGP
session? There is an RFC document about it, RFC2858, which is quite old (10
years). I know some other vendors support it, as we have just got a peer
which feeds us with both
On 2010.04.08 06:46, Reuben Farrelly wrote:
I've been reading up about uRPF on Cisco's website, at:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ft_urpf.html
I've heard many people suggest that having uRPF filtering on in an ISP
environment is a good idea (and best
On 2010.04.08 08:48, Steve Bertrand wrote:
On 2010.04.08 06:46, Reuben Farrelly wrote:
I've been reading up about uRPF on Cisco's website, at:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ft_urpf.html
I've heard many people suggest that having uRPF filtering on in an ISP
Hi all,
I'm going to be deploying some old 3550's as CPE on a
Fibre-over-Ethernet network. I've never used a layer-3 switch for this
job before, I've always used a router with a separate switch. I'm
looking for some advice, as the setup is a bit different from what I'm
used to.
What I think I
On 2010.03.25 10:33, Harold 'Buz' Dale wrote:
Why mess with VLAN 768 - just give the upstream port the correct ip address
and don't use it as a switchport.
If you only have one uplink and one client/VLAN off of this box then there is
really only one route off of that box as well. I'm not
Hi all,
This is a rather basic question, but it's my first attempt at rate
limiting a non-receive interface on a Cisco device.
Cisco recommends a particular mathematical formula when using the
rate-limit command, which I've executed in the example below.
After scouring the web and Cisco docs, I
On 2010.02.26 08:51, Stephane MAGAND wrote:
Hi
Actually, I have a small lab:
1 Cisco 6506/Sup720
2 Cisco 7301
1 Cisco 7204
All are connected to the 6500 with IPv4, ISIS and MPLS (MP BGP)
The first Cisco 7301 is connected to ISP A and the second is connected
to ISP B
in
Frederic LOUI wrote:
Hi Luismi,
Freeradius is a good alternative and can be used to cover all the needs
you mentioned.
Coupled with openldap, you can benefit from having all the LDAP
Directory GUI for user creation.
In addition, you can use MySQL backend for accounting purposes.
As far
jack daniels wrote:
Hi,
please help me with any link or book which can help enhance knowledge in SP
(MPLS/ISP) products/cards/design BASICALLY for a Solution architect guy.
google.ca?
I was going to name books, but your question is pretty undefined. The
mentioned link will get you
Richard A Steenbergen wrote:
On Sat, Jan 09, 2010 at 11:31:47PM +, Bob Arthurs wrote:
Hi all,
A colleague recently told me not to use BGP peer groups because he
insists that there are drawbacks to using them.
Does anyone know of any drawbacks to peer groups
I dug the following up on
vijay gore wrote:
Dear All,
I have one question regarding subnetting,
in my network I have given IP for FastEthernet1 192.168.9.65/27
this interface is connected to local LAN - in the local machine IP I have
given 192.168.9.66 TO 192.168.9.75 using subnet /24
my question is that if
Mikael Abrahamsson wrote:
On Thu, 7 Jan 2010, Andy Saykao wrote:
What I'm finding is that when I apply the ACL (VLAN2-FILTER-OUT ) to
VLAN2, it takes a very long time for the SSH login prompt to appear. If
I remove the ACL on VLAN2, the SSH prompt is instantaneous. What's going
on with my
abs wrote:
That is what I was thinking as well so I removed that line but that caused
all responses to internal traffic to be blocked. What do you exactly mean by
specific? Wouldn't I have to put a rule for each type of traffic?
On an inbound ACL, allowing established TCP sessions means
abs wrote:
ip access-list extended WANInBoundACL
permit udp any range bootps bootpc any range bootps bootpc
permit tcp any any established
permit udp any eq domain any
permit tcp any any eq 22
deny ip any any log
When I run a port scan I see port 1720 as well as port 1863 open.
abs wrote:
I tried what you mentioned; that did not seem to close the port. I also
tried the following in the config but that didn't seem to work either:
voice service voip
shutdown
any other thoughts?
Show the relevant config bits, and the command you are using to scan
(along with the
Dobbins, Roland wrote:
S/RTBH is definitely something I'd recommend as a good first step,
...which in the case of a significant (relative) attack is enough to
mitigate the DoS long enough so you can get your upstream(s) to combat
it before it reaches you (looking at it from a 'small'
Steve Bertrand wrote:
After a long day, I'm certain that I'm missing something simple. I'm
trying to get a loopback address advertised into OSPF, after a direct
ptp setup has already been established ( I can ping6 from ptp interface
to ptp interface ).
...
ps. usually things just 'click
After a long day, I'm certain that I'm missing something simple. I'm
trying to get a loopback address advertised into OSPF, after a direct
ptp setup has already been established ( I can ping6 from ptp interface
to ptp interface ).
I'm working from a C2961, and in this case, its peer is Quagga. I
Paul G. Timmins wrote:
You can subnet ipv6 with your eyeballs, just add or subtract 4 from the
prefix length for every character you move to the left or right.
1234:1234:1234:1234::/64
1234:1234:1234:123X::/60
1234:1234:1234:12XX::/56
1234:1234:1234:1XXX::/52
1234:1234:1234::/48
ipv6gen
ML wrote:
I'm trying to block a customer from using tcp/25 by filtering inbound on
their circuit. When I check the counters for the ACL they don't
increase and I can see that the customer is still able to use tcp/25
outbound.
ACL:
access-list 143 permit tcp 23.45.67.0 0.0.0.255 host
Mike wrote:
Gang,
I have a 3725 with some t1 interfaces. I want to be a good netizen and
establish urpf on my customer facing interfaces to ensure they can't
send me spoofed traffic. When I enable 'ip verify unicast source
reachable-via rx' however, suddenly I can't ping the router on the
Richey, I am very sorry. My response is not typical of my normal actions.
I've had a significant tragedy happen, and I completely took it out on
you. This is no excuse, but nonetheless.
There are no words that can describe how bad that I feel. If words
could describe it, they would be ashamed,
Naveen Nathan wrote:
Hi,
I am new to the list, so please go easy on me.
I'm in need of assistance configuring remote trigger blackhole in
IOS. This feature is supported by our transit provider. I'm unsure
if it's working or not, but since the nulled routes don't appear to
be advertised
Naveen Nathan wrote:
If I understand you correctly, wouldn't one need an extra entry in the
OUTBOUND prefix-list that allows host routes to be advertised to the
transit?:
Steve, that was exactly the problem. I've been meaning to give an update.
Kevin helped me off-list find the issue.
Richey wrote:
We are a small provider that's going to start offering access to customers
over ATT's Premium Metro E product. Can someone share some best
practices and maybe some config pointers? I've not made a decision on what
router to use on our end that we will bring remote sites back
Shaun R. wrote:
Your message is intoxicable ;)
I worked for a company in the past that had a very large flat network.
The network consisted of two /20's (255.255.240.0) that were configured
on a 7206 npe-300 router that connected to a bunch of catalyst 2924
switches (the old school ones).
Hi all,
I've finally got some new routers in that I'll be using for testing (the
IPv6 BGP route-reflector situation is on the top of the list).
The lab area is very close to my workstation. Before I have the devices
connected to a network, I prefer to use my workstation to copy config
snips
Aleksandr Gurbo wrote:
On Sat, 11 Jul 2009 19:08:17 -0400
Steve Bertrand st...@ibctech.ca wrote:
Over the weekend, I'll find out how the OP can fix the routes, and
moreover, why they are broken in the first place.
Steve
Have you any ideas how to fix reflected routes?
I will be working
Ivan Pepelnjak wrote:
This scheme also doesn't work. I added next-hop-self on
rtr2_RR for both peers with rtr3 and rtr4.
I haven't been following this thread too closely, but it's worth mentioning
that the next-hop is not changed on reflected routes (even if you configure
next-hop-self on
Aleksandr Gurbo wrote:
On Thu, 09 Jul 2009 14:35:59 -0400
Steve Bertrand st...@ibctech.ca wrote:
Aleksandr Gurbo wrote:
rtr4#show ip bgp ipv6 unicast 2001:1020:100::3/128
BGP routing table entry for 2001:1020:100::3/128, version 0
Paths: (1 available, no best path)
Not advertised to any
Aleksandr Gurbo wrote:
How to setup reflected route in route table with correct next-hop?
I have iBGP RR on IPv6 addresses with two rr-clients. All ibgp peers between
routers from Loopbacks. For announce ipv6 Loopback addresses used OSPFv3.
rtr4#show ip bgp ipv6 unicast
Aleksandr Gurbo wrote:
rtr4#show ip bgp ipv6 unicast 2001:1020:100::3/128
BGP routing table entry for 2001:1020:100::3/128, version 0
Paths: (1 available, no best path)
Not advertised to any peer
Local, (received used)
2001:1020:100::3 (inaccessible) from 2001:1020:100::2
Paul Stewart wrote:
We are advertising a specific /22 that belongs to a /18 block via one
specific upstream BGP connection. The /18 is advertised to all upstreams,
the /22 is only advertised to one upstream as a method of influencing
traffic via that carrier (knowing that if that particular
Hi all,
I've got a few protocol 41 tunnels configured on a few different
routers, all for IPv6 only.
Some of the tunnels are used for BGP peering with transit providers, and
the rest join my PoPs together.
If I understand the Cisco documentation correctly, the BW is used
exclusively for link
Renelson Panosky wrote:
Hello fellow Engineers
We are getting ready to start testing IPv6 at my job, if you are running
IPv6 right now please let me know how is it working for you?
It works just as well as IPv4 does :)
I would like to know
the good,
- it's just emerging so
Paul Stewart wrote:
Thanks what's happening (and perhaps I should have explained this a bit
better) is the session is starting to become established and then dropping.
This is repeated every 30-60 seconds over and over and the BGP session never
actually establishes.
Paul,
Does the
luismi wrote:
We use here IPPlan.
Us too. The only drawback is that it doesn't handle IPv6.
Steve
Hi everyone,
I think I'm overlooking something here, but can't pinpoint what.
From a couple of eBGP peers, I'm receiving a few dozen routes which I
then pass along to specific PE routers via iBGP.
What I've done up until this point is accept the routes, and then tag
them with specific internal
What I'd like to do, is re-tag the routes inbound from the eBGP peers,
and then let the PE deal with things when the routes are received.
I've tried setting attributes via route-map as the prefixes are received
from the eBGP peers, but for some reason, they don't appear to stick
(per what
Inca wrote:
Does anyone know of a free (open source or otherwise) or low cost
traffic generator that we can use to stress test multiple gigabit
links simultaneously? Ideally, it would be a software package that one
can install on *nix/OSX/Windows.
iperf. Single binary application for both
Robert Johnson wrote:
Hello list,
I have a small network with four 3640s. Each router has 128/32MB ram, and a
single FE interface connected to a catalyst 2924. Two of the routers are
running BGP, each with a session to a (single) other provider, and a session
between themselves. These are not
Deric Kwok wrote:
Hi All
Could you explain to me what is function of access-list in switch?
It looks like to do prevent access to switch only?
Am I right?
Yes. So long as the switch is a Layer-2 device only.
Steve
ann kok wrote:
Hi
I see there is setting in switch
why disable?
no ip directed-broadcast
Because this allows the switch to broadcast packets to a specific VLAN
(more specifically, to an IP subnet) from hosts outside of the VLAN.
Enabling this provides a nice vector for a specific
Jay Hennigan wrote:
ann kok wrote:
no ip route-cache
This is generally NOT a good thing, other than for debugging during
low-traffic scenarios. It forces traffic to be process-switched and
will cause high (or very high) router CPU utilization.
...I had a misunderstanding about this
Max Palatnik wrote:
No ip-route cache with no keywords afterwards refers to the fast-switch
handling of packets. CEF is usually enabled globally on the device (and
thus is enabled for each interface), so this forces the interface to use CEF
and ensures fast-switching is not enabled on the
Gert Doering wrote:
Hi,
On Wed, Feb 25, 2009 at 07:10:51PM -0600, Max Palatnik wrote:
No ip-route cache with no keywords afterwards refers to the fast-switch
handling of packets. CEF is usually enabled globally on the device (and
thus is enabled for each interface), so this forces the
Geoffrey Pendery wrote:
Hypothetically, if there is no L2 or L3 security in place, would it
be as simple as creating a sw acc vlan 230, and allowing 230 on the
trunk port on my switch to start scoping about at the other end?
Well, the L2 security in question is that on the other end of the
I have a shared L2 environment with a local company, in which we have
numerous VLANs over fibre. I'm in the process of moving to transparent
on all of my switches, and during the work, I'm checking things out.
Doing a sh vlan produces output that includes VLANs that I shouldn't see:
230
Kevin Edmunds wrote:
Hi list,
I have a L3 3750, it has a 10MB circuit attached to one of its routed ports
which connects to another L3 3750 (again routed port).
I've started getting into the habit of using EIGRP instances to monitor
these type of circuits to see when the line goes down
Deric Kwok wrote:
Hi Tony
You are right. I think my IOS (version 12.0) can't support the numbering
switch#sh access-list 140
Extended IP access list 140
deny udp any host 192.168.1.118 eq ntp log (643 matches)
permit udp host 192.186.1.114 host 192.168.1.118 eq snmp log (5950
Oliver Boehmer (oboehmer) wrote:
Steve Bertrand wrote on Thursday, February 05, 2009 15:26:
I'm having a little more trouble trying to put my finger on why a PtP
address block, announced successfully via iBGP is improperly routed
recursively if I don't put it into my OSPF config.
Right
Mikael Abrahamsson wrote:
On Thu, 5 Feb 2009, Steve Bertrand wrote:
I'm not using next-hop-self. I've read that it is preferable to not use
it, but I will if I have to. My point was that when I remove .68 from
OSPF (which is my objective), the BGP learnt route automatically sets
the next
Deric Kwok wrote:
Hi All
I am new in cisco and trying to config the access list in my switch
My switch ip is 192.168.0.118
I am trying to block the http traffic in the host 192.168.0.115
When I do it in, I can not access the switch !
But I can access http://192.168.0.115
Can you
Deric Kwok wrote:
Hi Steve
Thank you.
I don't understand why I can access http://192.168.0.115
if this access-list is valid ?
My access list doesn't block www traffic to http://192.168.0.115
but block telnet / www to switch 192.168.0.118
Hi everyone,
I've got a couple of questions regarding the use of iBGP and OSPF.
I've got:
rtrA - connected to Internet, and routes some prefixes of my /21 (and v6
/32) to the infrastructure/servers
rtrB - private eBGP peering with another company, and connects some
multihome clients with eBGP
Mark Tinka wrote:
On Tuesday 03 February 2009 09:31:49 pm Steve Bertrand
wrote:
Thanks for the feedback Mark,
For customer aggregation edge routers, prefixes used to
assign /30 (/126 for v6, or whatever you use for this
purpose) point-to-point addresses, as well as assignments
Hi everyone,
I've got a bit of confusion about how to prevent an eBGP peer from
redistributing an announced route to outside AS's.
What I want to do is advertise a single route to an eBGP peer, and
somehow ensure that they will not advertise it to any of its external
peers. (I don't want them to
Eric Cables wrote:
I'm in the middle of a transition from HP - Cisco, with an HP 2848 as the
core, so sorry if this e-mail is off topic. I am having a hard time
getting DHCP relay to work, and was hoping someone with HP experience could
chime in with some assistance.
I've created a new
Hi everyone,
We have a scenario regarding VLANs in which I'm confused as to how to
access the remote switches:
COE
2924 XL
native vlan 1
|
|
trunk
|
vlans 500, 501, 502
|
|
intermediary network
Roy wrote:
Hi,
Hi. My message is long, but it's from one small op to apparently another.
It appears as the OP is on a similar page I am on. I am always willing
to accept criticism, on, and/or off-list.
We are working with a new ISP for service. This one is via metro
ethernet. They
Steve Bertrand wrote:
Roy wrote:
Scenario evaluation is much easier for me if I can have provided to me
the real-life scenario from an outside source, as opposed to trying to
document/learn as I go when I have the same issues on my own networks...
...meh, that's not true. What I meant
FWIW, I have a Cisco router handling two IPv6 BGP peerings accepting
full tables, and advertise to them my /32 without any difficulty.
However, currently, an upstream is managing the advertisement of our
IPv4 route.
We are trying to evaluate multiple platforms of routers so we can
Aaron wrote:
Did you setup ebgp multihop since you are doing peering to the loopbacks?
Yes.
Curious on why you would want to use the loopback instead of the
interface for ebgp. Definitely not the recommended way unless you are
trying to load balance on multiple links.
Here is my (slightly
Hi everyone,
I'm having an issue delivering packets in a test environment that I have.
To make it as simple as possible, I'll describe what I have with all
links disconnected except for the problematic one. My inquiries are not
really regarding the packet loss, but more about BGP
[EMAIL PROTECTED] wrote:
I wouldn't give them any access. You manage the router, not them. I would offer
to give them a copy of the configuration MINUS any information that they can
use to harm YOUR network (IP Addressing, SNMP information, passwords, and etc).
I concur.
It's not their
Christian wrote:
I've had to deal with the same scenario on multiple occasions
It comes down to if we give customer access to the router, then the
managed service disappears - as it defeats the purpose of managed services
...and as a small ISP myself, not only is the 'sale' of a managed
Richey wrote:
Thanks for the replies. I am getting the feeling that after talking to our
sales guy who is dealing with them that they want to second guess everything
I am doing because we are a small ISP and not the big billion dollar a year
ISP of their choice.
Also, going a bit OT, if your
My suggestion would be to leave IPv4 for all the core services,
routers, maybe even servers, ... and move all cable/DSL users,
web-enabled cell phones, PDAs, UMTS cards, (all those not so vital
devices) to IPv6.
Wouldn't this type of deployment tactic ensure that we would require
Bottom line is that the new version of the Sup is the same price as the
old version. No sense in buying the old one unless you just want to
make the color scheme on the cards match up. :-)
Or unless you have sparing/logistics economies of scale.
What I'd give to have spares...
Peter Rathlev wrote:
On Fri, 2007-12-14 at 13:30 -0800, Daniel Faubel wrote:
Thanks for your help. It looks like Cisco can't do what I want.
In Foundry, if I wanted to look at what routes are being filtered from a
BGP peer I just have to do this.
snip
AFAIK you can't just have the Cisco
Is multihoming a valid reason even if they can't justify a /24 worth
of IP addresses? I would have thought that ASNs were hard to get
since there's a finite number of them (currently anyways).
Please don't spread FUD. Multihoming has been and continues to be valid
justification for ONE
Seth Mattinen wrote:
Steve Bertrand wrote:
- 'A' routes a /24 to OP
- OP advertises the /24 to provider A and B via BGP with personal local
preferences in place
- A advertises its aggregate including the /24 to the 'net
- B advertises the more specific /24 prefix to the 'net
- OP uses
Just looking for a thought - ethernet cable from switch to switch. One side
is up/up but other side is up/down
What does a:
# sh int x/x
...say for each relevant interface on both switches?
Steve
Pete Templin wrote:
Paul Stewart wrote:
Just looking for a thought - ethernet cable from switch to switch. One side
is up/up but other side is up/down
Cabling problem? It's a new connection...
The problem(s) could be:
1: Transmitter on up/up side.
2: Cabling problem.
3:
Adam Greene wrote:
Hi,
I'm trying to configure a DSL line on a Cisco 1841 (C1841-IPBASE-M), Version
12.4(1c).
The atm interface is plugged into a DSL line, it shows up/up, I have packets
going out, but none coming back in.
What is the IP address on the ATM interface after negotiation?
Adam Greene wrote:
Steve,
As far as I can tell, I'm not receiving an IP address. Yes, I'm
performing reachability tests directly from the router.
You are right, it appears as though you may not be getting an IP.
I have two ADSL connections bonded on one router, here is what I see on
my
Problem: Since we cannot run BGP on any network smaller than a /24, how do
we connect all the networks together, so that we can route internet
connectivity to the small subnets (smaller than class C)?
I'm very new to this game, but from my understanding I will try. Please
correct me if I am
Hi all,
Out of curiosity...
I have a 100Mb fibre Ethernet connection, and an ADSL connection to a
single provider via one router at my end.
Currently, said provider maintains an EIGRP setup between our router and
their own, so when the LANx connection goes down, our /21 transits
over the