[c-nsp] CCIE Study opinions -> Possibly OT

2010-11-01 Thread Security Team
I imagine there are just a few CCIE's for R&S on the list (maybe? :). I'm interested in any opinions on study materials you found helpful, but most particularly if you have experience with http://www.ine.com and https://www.ipexpert.com Because I am trying to decide between them. Thanks in a

Re: [c-nsp] switchport trunk allowed vlan

2010-11-01 Thread Tim Durack
On Mon, Nov 1, 2010 at 5:22 PM, Arie Vayner (avayner) wrote: > Tim, > > Yes, in order to create the new command you had in mind, we need some > string parsing capabilities we do not have in SXI... > Let's wait a bit, and try again... > Roger. Seems funny to me that NX-OS repeats the same problem

Re: [c-nsp] TACACS "emergency" password management

2010-11-01 Thread Lee
On 11/1/10, David Rothera wrote: > On 1 Nov 2010, at 23:57, Lee wrote: > >> On 11/1/10, Nick Hilliard wrote: >>> On 01/11/2010 19:55, Lee wrote: At 2am all my managers are busy sleeping :) But regardless, doesn't if-authenticated fix that horrible timeout wait? - ie: aaa authoriz

Re: [c-nsp] TACACS "emergency" password management

2010-11-01 Thread David Rothera
On 1 Nov 2010, at 23:57, Lee wrote: > On 11/1/10, Nick Hilliard wrote: >> On 01/11/2010 19:55, Lee wrote: >>> At 2am all my managers are busy sleeping :) But regardless, doesn't >>> if-authenticated fix that horrible timeout wait? - ie: >>> aaa authorization exec default group tacacs+ if-authen

Re: [c-nsp] TACACS "emergency" password management

2010-11-01 Thread Lee
On 11/1/10, Nick Hilliard wrote: > On 01/11/2010 19:55, Lee wrote: >> At 2am all my managers are busy sleeping :) But regardless, doesn't >> if-authenticated fix that horrible timeout wait? - ie: >> aaa authorization exec default group tacacs+ if-authenticated > > It does, yes. But it also auth

Re: [c-nsp] ASR 1002 QOS question

2010-11-01 Thread Pshem Kowalczyk
Hi, {cut} > *When sessions are created and QoS policy maps are attached in both the > ingress and egress directions, only 2000 sessions are supported. Sessions > that exceed this limit can still be created, but the QoS policy maps will > not be applied to the session.* > > > *Here we could see th

Re: [c-nsp] Best practices for Cat6500

2010-11-01 Thread Dobbins, Roland
On Nov 1, 2010, at 5:00 PM, Robert Hass wrote: > Is any way to export NetFlow (v5 or v9) information for packets coming > to RP/SP only ? You can do ip route-cache flow on the RP, which will result in punted packets being converted into flows. In fact, this is the only aspect of 6500 NetFlow

Re: [c-nsp] TACACS "emergency" password management

2010-11-01 Thread Nick Hilliard
On 01/11/2010 21:13, Nick Hilliard wrote: > It does, yes. But it also authorises anything if you're authenticated. > You may not want this. Saku Ytti points out that "if-authenticated" will Do The Right Thing. i.e. if authenticated locally, it will not bother trying to contact a tacacs+ server.

[c-nsp] ASR 1002 QOS question

2010-11-01 Thread Yavor Yanakiev
I need some assistance for a Data Center product of Cisco - ASR 1002. I will have 2 of these devices working in a multi-homing topology with two service providers using BGP (that is the plan if we take these devices finally). I need to know something regarding the support of MQC and policing and shaping

Re: [c-nsp] switchport trunk allowed vlan

2010-11-01 Thread Arie Vayner (avayner)
Tim, Yes, in order to create the new command you had in mind, we need some string parsing capabilities we do not have in SXI... Let's wait a bit, and try again... Arie -Original Message- From: Tim Durack [mailto:tdur...@gmail.com] Sent: Monday, November 01, 2010 16:23 To: Arie Vayner (a

Re: [c-nsp] TACACS "emergency" password management

2010-11-01 Thread Keegan Holley
On Mon, Nov 1, 2010 at 3:55 PM, Lee wrote: > On 11/1/10, Nick Hilliard wrote: > ... snip... > > If you're using authorization, you'll also need to create a DR procedural > > note to permit authorization to be disabled if the tacacs server is > > completely unavailable, and to document how to do

Re: [c-nsp] TACACS "emergency" password management

2010-11-01 Thread Keegan Holley
On Mon, Nov 1, 2010 at 5:03 PM, Phil Mayers wrote: > On 11/01/2010 08:02 PM, Keegan Holley wrote: > >> What do you mean by hierarchy? Most of the companies I've seen have a >> single level of access and just use tacacs as a way to grant or revoke >> access to everything at once. The biggest pro

Re: [c-nsp] TACACS "emergency" password management

2010-11-01 Thread Nick Hilliard
On 01/11/2010 19:55, Lee wrote: > At 2am all my managers are busy sleeping :) But regardless, doesn't > if-authenticated fix that horrible timeout wait? - ie: > aaa authorization exec default group tacacs+ if-authenticated It does, yes. But it also authorises anything if you're authenticated. Y

Re: [c-nsp] TACACS "emergency" password management

2010-11-01 Thread Phil Mayers
On 11/01/2010 08:02 PM, Keegan Holley wrote: What do you mean by hierarchy? Most of the companies I've seen have a single level of access and just use tacacs as a way to grant or revoke access to everything at once. The biggest problem with local passwords Interesting. I was under the impress

Re: [c-nsp] TACACS "emergency" password management

2010-11-01 Thread Keegan Holley
On Mon, Nov 1, 2010 at 1:38 PM, Phil Mayers wrote: > On 01/11/10 16:35, Jeremy Bresley wrote: > > >> In a properly designed network, the only times I've had to use the >> locally configured username/password is when the links into the site are >> > > Sure. But maybe the OP just prefers EEM, right

Re: [c-nsp] Best practices for Cat6500

2010-11-01 Thread Charles Spurgeon
On Mon, Nov 01, 2010 at 05:20:52PM +, Phil Mayers wrote: > > > >I've read in another article (sorry, don't have the URL handy at the > >moment but I think I saw in a PDF from cisco.com) that either implied > >the use of NSF and HSRP together was OK thru config examples or > >something or else e

Re: [c-nsp] TACACS "emergency" password management

2010-11-01 Thread Lee
On 11/1/10, Nick Hilliard wrote: ... snip... > If you're using authorization, you'll also need to create a DR procedural > note to permit authorization to be disabled if the tacacs server is > completely unavailable, and to document how to do this on whatever device. > Otherwise you need to wait

Re: [c-nsp] TACACS "emergency" password management

2010-11-01 Thread Lee
On 11/1/10, Saxon Jones wrote: ..snip.. > > We use randomly generated passwords that are unique for every device > in our environment, so could be a PITA when we have to change > passwords but I've got that process scripted so it's only half bad. > It's the testing that's time consuming, though

Re: [c-nsp] TACACS "emergency" password management

2010-11-01 Thread Nick Hilliard
On 01/11/2010 18:43, David Rothera wrote: > You could configure an ACL to block access to the TACACS server on an > upstream device and then test? typically you will need to test two scenarios: 1. the tacacs daemon being down, resulting in TCP RSTs being sent to the router/switch, and 2. the tacac

Re: [c-nsp] TACACS "emergency" password management

2010-11-01 Thread David Rothera
You could configure an ACL to block access to the TACACS server on an upstream device and then test? On Mon, Nov 1, 2010 at 6:31 PM, Saxon Jones wrote: > though maybe there's a way to > test that the enable secret works when TACACS+ is still available, I > just haven't cared enough to look into

Re: [c-nsp] TACACS "emergency" password management

2010-11-01 Thread Saxon Jones
Using offline files and folders on our laptops (generally just for the keepass and a few other folders, because it's annoying). On our Blackberries and iPhones it gives the option to re-fetch or use the previous copy, which is often recent enough that I'm not too concerned. Having our passwords dis

Re: [c-nsp] Best practices for Cat6500

2010-11-01 Thread Abello, Vinny
Something else I just recently came across release notes from SXI2 (might be in other release notes as well with differing information) in regard to BFD and SSO: When evaluating BFD SSO for the network, the customer should note the following considerations. . Cisco Catalyst 6500 series switches ty

Re: [c-nsp] Best practices for Cat6500

2010-11-01 Thread Justin Krejci
With regards to SSO-NSF and HSRP I've read documents on Cisco's site that conflict when discussing the use of NSF. One indicates do not use HSRP and NSF together on the same box. http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fsnsf20s.html#wp1467556 http://www.cisco.com/en/US/customer/doc

Re: [c-nsp] TACACS "emergency" password management

2010-11-01 Thread David Rothera
On Mon, Nov 1, 2010 at 5:54 PM, Phil Mayers wrote: > ...which is what I'm asking: how do you ensure you have fast, reliable > access to that database during a (sufficiently large, probably rare) outage? > How do you know you won't be blocking on availability of that database? > > I can think of a

Re: [c-nsp] TACACS "emergency" password management

2010-11-01 Thread Phil Mayers
On 01/11/10 17:46, David Rothera wrote: We use it simply because if one person leaves the organization it is as simple as removing one user and then they no longer have access. Sure. TACACS has a lot of plusses (pardon the pun) we just feel relatively few of them are a big win for us e.g. we

Re: [c-nsp] TACACS "emergency" password management

2010-11-01 Thread David Rothera
On Mon, Nov 1, 2010 at 5:38 PM, Phil Mayers wrote: > On 01/11/10 16:35, Jeremy Bresley wrote: > > >> In a properly designed network, the only times I've had to use the >> locally configured username/password is when the links into the site are >> > > Sure. But maybe the OP just prefers EEM, right

[c-nsp] FYI: SXI5 posted

2010-11-01 Thread Jared Mauch
I know there are a lot of 6500 users out there, wanted to give a heads-up that SXI5 has reached CCO. - Jared ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/piper

Re: [c-nsp] OEM transceivers on IOS XR

2010-11-01 Thread Aaron Glenn
On Sat, Oct 30, 2010 at 11:55 AM, Dmitry Kiselev wrote: > ... > Pluggable Present   : yes > Pluggable Type      : OC48-LR you've got to plug a 10Gb capable optic into a ten gig ethernet port to make it work! HTH, aaron

[c-nsp] TACACS "emergency" password management

2010-11-01 Thread Phil Mayers
On 01/11/10 16:35, Jeremy Bresley wrote: In a properly designed network, the only times I've had to use the locally configured username/password is when the links into the site are Sure. But maybe the OP just prefers EEM, right? Having said that, I'm (genuinely) curious - where do you store

Re: [c-nsp] Best practices for Cat6500

2010-11-01 Thread Phil Mayers
On 01/11/10 16:13, Nick Hilliard wrote: On 01/11/2010 15:41, Phil Mayers wrote: This is a bug, CSCtf64231, and SXI5 is now out I see, claiming to fix it: "Inbound route-map change shouldn't be effective immediately" Pfft, yeah! That's one way to put it! This is a fundamental problem of the t

Re: [c-nsp] Best practices for Cat6500

2010-11-01 Thread Phil Mayers
On 01/11/10 17:11, Justin Krejci wrote: With regards to SSO-NSF and HSRP I've read documents on Cisco's site that conflict when discussing the use of NSF. One indicates do not use HSRP and NSF together on the same box. http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fsnsf20s.html#wp146755

Re: [c-nsp] OEM transceivers on IOS XR

2010-11-01 Thread Tomasz Lemiech
On Sat, 30 Oct 2010, Dmitry Kiselev wrote: Thanks for your answer, but it seems this is not enough to force the OEM module to work: RP/0/RSP0/CPU0:ios#sh run int te0/0/0/0 interface TenGigE0/0/0/0 transceiver permit pid all Strange, "transceiver permit pid all" does the job for me, however in 1G p

Re: [c-nsp] switchport trunk allowed vlan

2010-11-01 Thread Jeremy Bresley
On 11/1/2010 7:16 AM, Tim Durack wrote: On Mon, Nov 1, 2010 at 7:58 AM, Phil Mayers wrote: On 31/10/10 15:39, Keegan Holley wrote: If you are simply trying to disable a command have you thought about doing so in tacacs? It sounds like it would be simpler and it also has the benefit of being c

Re: [c-nsp] Best practices for Cat6500

2010-11-01 Thread Nick Hilliard
On 01/11/2010 15:41, Phil Mayers wrote: This is a bug, CSCtf64231, and SXI5 is now out I see, claiming to fix it: "Inbound route-map change shouldn't be effective immediately" Pfft, yeah! That's one way to put it! This is a fundamental problem of the traditional IOS way of doing things. The

Re: [c-nsp] Best practices for Cat6500

2010-11-01 Thread Robert Hass
On Mon, Nov 1, 2010 at 3:09 PM, Phil Mayers wrote: > That seems like a bit of a dangerous "feature" to introduce with no warning, > if that's what's really happening; what if you have a complex multi-edit > sequence to go through when rebuilding a route-map? > > I'm not seeing the behaviour - a q

Re: [c-nsp] Best practices for Cat6500

2010-11-01 Thread Phil Mayers
On 01/11/10 15:37, Phil Mayers wrote: On 01/11/10 14:09, Phil Mayers wrote: That seems like a bit of a dangerous "feature" to introduce with no warning, if that's what's really happening; what if you have a complex multi-edit sequence to go through when rebuilding a route-map? I'm not seeing

Re: [c-nsp] Best practices for Cat6500

2010-11-01 Thread Phil Mayers
On 01/11/10 14:09, Phil Mayers wrote: That seems like a bit of a dangerous "feature" to introduce with no warning, if that's what's really happening; what if you have a complex multi-edit sequence to go through when rebuilding a route-map? I'm not seeing the behaviour - a quick test on an eBGP

Re: [c-nsp] Best practices for Cat6500

2010-11-01 Thread Jiri Prochazka
Hi, my experience is the same with 7600, Sup720, IOS 12.2(33r)SRB3, so I don't think it's some new feature.. maybe some config issue? As soon as I edit something in an (inbound/outbound) route map, this change is applied to the BGP neighbor(s) instantly.. quite boring, for example when I want to add new

Re: [c-nsp] switchport trunk allowed vlan

2010-11-01 Thread Phil Mayers
On 01/11/10 14:08, Keegan Holley wrote: On Mon, Nov 1, 2010 at 8:16 AM, Tim Durack wrote: On Mon, Nov 1, 2010 at 7:58 AM, Phil Mayers wrote: On 31/10/10 15:39, Keegan Holley wrote: If you are simply trying to disable a command have you thought about doing so in tacacs? It sounds like it

Re: [c-nsp] BGP support on the new ASA5585-X

2010-11-01 Thread opslists
On Fri, Oct 29, 2010 at 07:14:58PM +0100, Nick Hilliard wrote: > On 29/10/2010 18:24, srg wrote: >> At this moment we know that ASA5585-X does not support BGP. > > I'm sure it doesn't. Routers are routers, firewalls are firewalls. > > Probably some day, someone will build something which incorpora

Re: [c-nsp] switchport trunk allowed vlan

2010-11-01 Thread Tim Durack
On Mon, Nov 1, 2010 at 9:24 AM, Arie Vayner (avayner) wrote: > BTW, In SXI we have enough EEM support to block the command. Nice - I'll give this a spin. > In later EEM versions we can do really cool stuff, like adding new commands, > string parsing etc, but unfortunately, its not in SXI yet..

Re: [c-nsp] switchport trunk allowed vlan

2010-11-01 Thread Tim Durack
On Mon, Nov 1, 2010 at 10:08 AM, Keegan Holley wrote: > I'm not sure I understand the drawback of TACACS.  It's obvious that > redundancy is needed there.  If you're already using TACACS it seems easier > to place it there.  I'm not sure I like the idea of a network using local > auth everywhere

Re: [c-nsp] Flash on 7500

2010-11-01 Thread Aaron
Not sure if 1gb will work. I know the smaller ones did (32, 64, 128). On Fri, Oct 29, 2010 at 16:01, Jay Nakamura wrote: > Couple people responded off-list that any PCMCIA-CF adapter will work. > Thanks! Was there any CF size limitation or something about boot ROM > update I needed or something

Re: [c-nsp] switchport trunk allowed vlan

2010-11-01 Thread Keegan Holley
On Mon, Nov 1, 2010 at 8:16 AM, Tim Durack wrote: > On Mon, Nov 1, 2010 at 7:58 AM, Phil Mayers > wrote: > > On 31/10/10 15:39, Keegan Holley wrote: > >> > >> If you are simply trying to disable a command have you thought about > doing > >> so in tacacs? It sounds like it would be simpler and i

Re: [c-nsp] Best practices for Cat6500

2010-11-01 Thread Phil Mayers
On 01/11/10 13:19, Robert Hass wrote: On Mon, Nov 1, 2010 at 12:59 PM, Phil Mayers wrote: 3) Automatic BGP refresh When I change something in route-map for inbound BGP prefixes I noticed that Cat6500 automatically refresh inbound BGP router (automatically doing something like clear ip bgp x.x

Re: [c-nsp] BGP support on the new ASA5585-X

2010-11-01 Thread Nick Hilliard
On 30/10/2010 09:13, Dean Smith wrote: I'd just like to be able to be sure that its only SSL/TLS going out on Port 443 rather than RTMP or other protocol trying to find a hole in the firewall. ah, enforcement of SSL/tcp on a particular port? Be careful with what you wish for. You might just g

Re: [c-nsp] Best practices for Cat6500

2010-11-01 Thread Phil Mayers
On 01/11/10 13:48, Robert Hass wrote: Not sure about that, but you can use SPAN to monitor the SP/RP: mon sess 1 type ... source cpu rp source cpu sp Is it possible to forward these traffic from RP/SP to Remote-SPAN-Vlan Yes - any "monitor" type will work including ERSPAN or (new in SXI)

Re: [c-nsp] Best practices for Cat6500

2010-11-01 Thread Robert Hass
> Not sure about that, but you can use SPAN to monitor the SP/RP: > > mon sess 1 type ... >  source cpu rp >  source cpu sp Is it possible to forward these traffic from RP/SP to Remote-SPAN-Vlan or PCAP file instead of local GE port ? Unfortunately I don't have any monitoring machine directly conn

Re: [c-nsp] Question about manually configuring 1000/Full on Cisco switches

2010-11-01 Thread John Neiberger
On Sun, Oct 31, 2010 at 6:49 PM, kmedc...@dessus.com wrote: >>On Sun, Oct 31, 2010 at 6:18 PM,   wrote: >>> "speed 1000" on a copper port capable of 10/100/1000 disables 10 and 100 >>> Mb/s operation by removing those modes from the list of those advertised to >>> the link partner. >>> >>> This ma

Re: [c-nsp] switchport trunk allowed vlan

2010-11-01 Thread Arie Vayner (avayner)
Tim, BTW, In SXI we have enough EEM support to block the command. See the following script: event manager applet BLOCK-ALLOWED-VLAN-RANGE event cli pattern "switchport trunk allowed vlan\s+[0-9]" skip yes sync no action 1.0 syslog msg "switchport trunk allowed vlan is not allowed" Router(co

Re: [c-nsp] Best practices for Cat6500

2010-11-01 Thread Robert Hass
On Mon, Nov 1, 2010 at 12:59 PM, Phil Mayers wrote: >> 3) Automatic BGP refresh >> >> When I change something in route-map for inbound BGP prefixes I >> noticed that Cat6500 automatically refresh inbound BGP router >> (automatically doing something like clear ip bgp x.x.x.x in). Is it >> new feat

Re: [c-nsp] switchport trunk allowed vlan

2010-11-01 Thread Tim Durack
On Mon, Nov 1, 2010 at 7:58 AM, Phil Mayers wrote: > On 31/10/10 15:39, Keegan Holley wrote: >> >> If you are simply trying to disable a command have you thought about doing >> so in tacacs?  It sounds like it would be simpler and it also has the >> benefit of being centralized so you won't need t

Re: [c-nsp] Best practices for Cat6500

2010-11-01 Thread Phil Mayers
On 01/11/10 10:00, Robert Hass wrote: 1) mls rate-limit My current configuration only consist few rate-limiters: mls rate-limit unicast ip rpf-failure 300 30 mls rate-limit unicast ip icmp unreachable no-route 300 30 mls rate-limit unicast ip icmp unreachable acl-drop 300 30 mls rate-limit uni

Re: [c-nsp] switchport trunk allowed vlan

2010-11-01 Thread Phil Mayers
On 31/10/10 15:39, Keegan Holley wrote: If you are simply trying to disable a command have you thought about doing so in tacacs? It sounds like it would be simpler and it also has the benefit of being centralized so you won't need to configure it on each individual router. It also has the disa

[c-nsp] Best practices for Cat6500

2010-11-01 Thread Robert Hass
Hi I'm looking for best practices for configuring a few features on Cat6500/Sup720 (running IOS SXI4a). This machine mainly acts as an edge switch (a lot of VLANs, a lot of GE ports to customers and our other switches) and edge router (BGP full-feeds, EIGRP for backbone). 1) mls rate-limit My curr

Re: [c-nsp] VLAN-based EoMPLS

2010-11-01 Thread Ziv Leyes
I'm answering but I'm actually more like asking. Could it be an MTU issue here? Ziv -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Lee Riemer Sent: Thursday, October 28, 2010 5:43 PM To: cisco-nsp@puck.nether.net Subje