Hi,
On Wed, Aug 03, 2022 at 07:05:59PM -0400, Joe Maimon via cisco-nsp wrote:
> Even with switchport mode trunk and switchport allowed vlan none, with
> input counters in single digits, storm control immediately takes the
> port down after link up. There was negligible traffic on the link before
Hi,
On Mon, Sep 19, 2022 at 02:29:06PM +0300, Hank Nussbacher via cisco-nsp wrote:
> Recently Shodan has been showing how it probes all our IOS-XE routers
> via SNMP even though we have an ACL on all our SNMP. We then found that
> there is a bugid on the issue (ILMI can't be blocked by ACL):
>
Hi,
On Mon, Sep 19, 2022 at 03:47:09PM +0300, Hank Nussbacher via cisco-nsp wrote:
> On 19/09/2022 15:40, Gert Doering wrote:
> > On Mon, Sep 19, 2022 at 02:29:06PM +0300, Hank Nussbacher via cisco-nsp
> > wrote:
> >> Recently Shodan has been showing how it probes all our IOS-XE routers
> >> via
Hi,
On Wed, Sep 21, 2022 at 08:14:30AM +0300, Hank Nussbacher wrote:
> Indeed the SNMP leaks appear to be exactly CSCtw74132 which we did not
> know about nor did Cisco TAC :-(
The more I dive into this, the more I want to return to my bed and
pull the blanket over my head...
So, the Cisco bug
Hi,
so, more on this...
- on ASR9k, SNMPv3 is subject to regular control plane ACLs, so
unless a SNMPv3 sender shows up in
control-plane
management-plane
inband
interface all
allow all peer
address ipv4 1.2.3.4/32
!
allow SNMP peer
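As an added example (not part of Gert's message), a complete IOS XR management-plane protection stanza of the kind the fragment above is taken from: in-band SNMP (v1, v2c and v3 alike) is only accepted from one NMS address, SSH only from a management prefix, and a packet for either protocol from any other source is dropped in the control plane. The addresses are placeholders.

```text
! Added example, not from the thread. 192.0.2.10 (NMS) and
! 192.0.2.0/24 (management prefix) are placeholder addresses.
control-plane
 management-plane
  inband
   interface all
    allow SNMP peer
     address ipv4 192.0.2.10/32
    !
    allow SSH peer
     address ipv4 192.0.2.0/24
    !
   !
  !
 !
!
! Check what is actually in effect:
! show mgmt-plane
```

Note that MPP only filters the protocols it is told about; anything not listed under "allow" for an interface is dropped once MPP is configured for that interface, so add every management protocol in use (NETCONF, HTTP, TFTP, ...) before committing on a remote box.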
Hi,
On Fri, Oct 14, 2022 at 10:27:16AM -0400, harbor235 via cisco-nsp wrote:
> How are you integrating NTP into your infrastructures? Is it part of your
> management network(s)?
NTP servers (appliances from Meinberg and regular FreeBSD servers, basically)
are just sitting "on the Internet" and ou
Hi,
On Fri, Oct 14, 2022 at 02:41:45PM -0400, harbor235 wrote:
> I hear what you're saying but NTP is an active attack vector, I don't trust
> outside resources implicitly and traffic segmentation is a prudent measure
> especially if you are getting internet time. Now if you have your own
> stratum1
Hi,
On Fri, Oct 14, 2022 at 03:07:47PM -0400, Aaron wrote:
> You can setup a raspberry pi as a server and do GPS. Not sure on the
> scalability (how many devices it can handle) of that but it does work.
For a true time geek, the time the rPIs provide is just not good
enough (fluctuates +/- 20 use
Hi,
On Wed, Jan 04, 2023 at 03:45:51PM +, Drew Weaver via cisco-nsp wrote:
> I'm trying to put together an order for some Cisco switches.
Cisco licensing shit has made us decide that we're just not going to
buy any new Cisco products. Period.
Yes, these really look nice, and the base price
hi,
On Wed, Feb 22, 2023 at 06:29:00PM +, Eric Louie via cisco-nsp wrote:
> We tried an NCS-5501 and it was a disaster, in a word. The 10G interface,
> uRPF, source-based blackholing, and routing table depth with Cisco is a
> limiting factor in their product line.
Do not forget the licensi
Hi,
On Thu, Feb 23, 2023 at 09:40:26AM +0200, Mark Tinka via cisco-nsp wrote:
> The issue they face is Ethernet-centric platforms are much more
> optimized for today's Internet, and platforms like the ASR1000 simply
> don't make sense anymore. Why pay all that to get some Ethernet on an
> ASR10
Hi,
On Fri, Feb 24, 2023 at 05:00:52AM +0200, Mark Tinka via cisco-nsp wrote:
> For IOS XR, it's just too heavy for that sort of thing. Okay in the data
> centre where we are aggregating a ton of customers and/or Metro-E rings,
> but not out in the Metro. The Metro calls for a more agile OS. The
Hi,
On Sun, Feb 26, 2023 at 02:29:13PM +, Phil Bedard wrote:
> XR for a number of years now has had the concept of a "golden ISO". It's a
> single image either built by Cisco or customers can build their own that
> include the base software and the SMUs in a single image. You just issue a
Hi,
On Sun, Feb 26, 2023 at 08:21:01PM +, Phil Bedard wrote:
> The newer software is packaged that way already, if you don't need SMUs. If
> you want to customize it with SMUs and whatnot it takes a few minutes,
> depends on your processor and storage speed of course.
The question was not
Hi,
On Tue, Feb 28, 2023 at 08:33:47AM -0800, William McCall via cisco-nsp wrote:
> My long-term solution to this problem is to install with iPXE. That lets
> you do it via HTTP and without all the nonsense :)
This sounds like a fairly long downtime to do upgrades... not exactly
what I want eithe
Hi,
On Sun, Mar 12, 2023 at 08:51:36PM +0200, Saku Ytti via cisco-nsp wrote:
> You might want add-path or best-external for predictability and
> improved convergence time.
Last time we did best-external with ASR9k it only worked in a useful
way if you are using labeled-unicast. That was many yea
Hi,
On Tue, Aug 29, 2023 at 02:28:53PM +0200, Mark Tinka via cisco-nsp wrote:
> So yes, our default routes point to Null0. I changed that to something
> useful and it still didn't work. It's almost as if the traffic exiting the
> VRF toward the global table wanted to follow a label switched path,
Hi,
On Wed, Sep 27, 2023 at 08:48:44AM +0800, Barry Greene via cisco-nsp wrote:
> Q. Is anyone deploying TCP Authentication Option (TCP-AO) on their BGP
> peering Sessions?
Not me. Not sure if my vendors do support it (IOS XR and Arista EOS),
but I do not see significant benefit.
TBH, most of
Hi,
On Mon, Oct 02, 2023 at 09:13:55AM +0300, Hank Nussbacher via cisco-nsp wrote:
> When comparing traffic stats with SNMP, Netflow stats always appear too low
> (see attachment).
>
> Opened a TAC case and their recommendation is to do 1:1 and I quote:
>
> "Irrespective of the rate at which the
Hi,
On Tue, Dec 05, 2023 at 11:27:21PM +0200, Hank Nussbacher via cisco-nsp wrote:
> We encountered something strange. We run IOS-XR 7.5.2 on ASR9K platform.
>
> Had a user under udp/0 attack. Tried to block it via standard ACL:
>
>
> ipv4 access-list block-zero
> 20 deny udp any any eq 0
>
Hi,
On Wed, Dec 06, 2023 at 09:00:58AM +, Dobbins, Roland wrote:
> On Dec 6, 2023, at 04:45, Gert Doering via cisco-nsp
> wrote:
>
> > deny ipv4 any any fragments
>
> This approach is generally contraindicated, as it tends to break EDNS0, &
> DNSSEC along
hi,
On Tue, Apr 09, 2024 at 03:20:15PM +0200, Mark Tinka via cisco-nsp wrote:
> https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-dos-Hq4d3tZG
I'm so glad our single box with SUP-2T has been retired many years ago...
(We still do have one (1) Sup720-10G 6
Hi,
On Mon, Jun 10, 2024 at 11:05:18AM +0300, Hank Nussbacher via cisco-nsp wrote:
> If the feed sets the IP to 192.0.2.2 then the BGP routes appear in the
> routing table. If I then change the IP address on interface
> GigabitEthernet0/0/0/43.1 to 192.0.2.2 then the routes disappear as well
> af
Hi,
On Wed, Jun 19, 2024 at 08:44:20AM +0300, Hank Nussbacher via cisco-nsp wrote:
> RP/0/RSP0/CPU0:2024 Jun 19 05:12:47 : ipv4_acl_mgr[343]:
> %ACL-IPV4_ACL-6-IPACCESSLOGP : access-list log-traffic (10) permit udp
> 192.114.102.104(55638) -> 192.0.2.2(53), 1 packet
You might actually have a clie
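As an added example (not from the thread), a small Python parser for the %ACL-IPV4_ACL-6-IPACCESSLOGP messages ipv4_acl_mgr emits for a logged ACL entry, joined back from the wrapped form above into single lines, plus an aggregation that shows which sources are hitting a given destination and port. Only the first sample line is the one quoted above; the other lines are constructed for this example.

```python
"""Added example: parse IOS XR ACL log lines and summarise hits per source.
The first SAMPLE_LOG entry is the line quoted in the thread; the rest are
constructed for this example."""
import re
from collections import Counter

# Field layout of one IPACCESSLOGP message:
#   access-list <name> (<seq>) <permit|deny> <proto> <src>(<sport>) -> <dst>(<dport>), <n> packet(s)
LOG_RE = re.compile(
    r"%ACL-IPV4_ACL-6-IPACCESSLOGP\s*:\s*access-list\s+(?P<acl>\S+)\s+"
    r"\((?P<seq>\d+)\)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\((?P<sport>\d+)\)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\((?P<dport>\d+)\),\s+"
    r"(?P<count>\d+)\s+packets?"
)

SAMPLE_LOG = [
    # the line from the thread, unwrapped
    "RP/0/RSP0/CPU0:2024 Jun 19 05:12:47 : ipv4_acl_mgr[343]: "
    "%ACL-IPV4_ACL-6-IPACCESSLOGP : access-list log-traffic (10) permit udp "
    "192.114.102.104(55638) -> 192.0.2.2(53), 1 packet",
    # constructed lines
    "RP/0/RSP0/CPU0:2024 Jun 19 05:12:52 : ipv4_acl_mgr[343]: "
    "%ACL-IPV4_ACL-6-IPACCESSLOGP : access-list log-traffic (10) permit udp "
    "192.114.102.104(55639) -> 192.0.2.2(53), 4 packets",
    "RP/0/RSP0/CPU0:2024 Jun 19 05:13:01 : ipv4_acl_mgr[343]: "
    "%ACL-IPV4_ACL-6-IPACCESSLOGP : access-list log-traffic (20) deny tcp "
    "198.51.100.7(40021) -> 192.0.2.2(22), 2 packets",
    "RP/0/RSP0/CPU0:2024 Jun 19 05:13:02 : some_other_proc[99]: unrelated message",
]


def parse_acl_log(line):
    """Return the fields of an IPACCESSLOGP line as a dict, or None if the
    line is some other syslog message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("seq", "sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def summarise(lines, dst=None, dport=None):
    """Packets per (src, dst, dport, action), most first, optionally limited
    to one destination address and/or port."""
    totals = Counter()
    for line in lines:
        rec = parse_acl_log(line)
        if rec is None:
            continue
        if dst is not None and rec["dst"] != dst:
            continue
        if dport is not None and rec["dport"] != dport:
            continue
        totals[(rec["src"], rec["dst"], rec["dport"], rec["action"])] += rec["count"]
    return totals.most_common()


if __name__ == "__main__":
    for (src, dst, port, action), n in summarise(SAMPLE_LOG):
        print(f"{action:6} {src:>16} -> {dst}:{port}  {n} packets")
```

The packet counts in these messages come from the rate-limited ACL logging path, so they tell you who is talking to the address, not an exact volume; use the ACL hit counters or NetFlow for that.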
Hi,
On Tue, Mar 04, 2025 at 10:40:08PM +0800, Pengembara T. via cisco-nsp wrote:
> Our concern more toward CPU utilization when handling bgp. Cpu will
> constantly high, long before the throughput hit 10G.
On proper routers, packets forwarded will not be a concern to the CPU :-)
With "5x 10Gbps"
Hi,
On Tue, Mar 04, 2025 at 06:34:29PM +0200, Mark Tinka wrote:
> Either I've been somewhat out of the loop of the latest & greatest from
> Cisco, or it's just seeming rather dull with their latest complement of
> switches and routers.
I'm somewhat out of the loop myself, but the last time I look
Hi,
On Wed, Mar 05, 2025 at 07:52:42AM +1000, Ted Pelas Johansson wrote:
> The downside with Arista, at this point, is that they lack a pay as you grow
> (PayG) model, which is a must for an SP.
Well... if you compare the Arista boxes to Cisco PayG (like the NCS 5700),
you pay the same price for
hi,
On Tue, Mar 04, 2025 at 02:26:28PM +0800, Pengembara T. via cisco-nsp wrote:
> I am looking for recommendations on a Cisco model that meets the
> following requirements:
>
> - Supports 4 BGP peers (both eBGP and iBGP), each with a full BGP
> table for IPv4 and IPv6
> - Smallest possible physi
Hi,
On Wed, Mar 05, 2025 at 06:52:08PM +1000, Ted Pelas Johansson via cisco-nsp
wrote:
> > Well... if you compare the Arista boxes to Cisco PayG (like the NCS 5700),
> > you pay the same price for the Arista as for the first 3 ports on Cisco, and
> > get the remaining 37 for free...
>
> That's n
Hi,
On Tue, Mar 04, 2025 at 08:08:50PM +, Drew Weaver via cisco-nsp wrote:
> [ASR990x]
> I don't believe the 9902 uses a proprietary algo to achieve its maximum route
> scale.
As in "nobody knows how the ASR9k does anything, but they at least do not
*state* 'it's proprietary'"?
> Downsides
Hi,
On Mon, Aug 04, 2025 at 02:09:18PM +0200, Simon Leinen via cisco-nsp wrote:
> > I'd be keen to hear what your experience running IOS XR on the NCS540
> > (especially if it's in a high-volume metro setting) has been.
>
> Works nicely, like on the bigger routers (NCS-55A1 / Cisco 8000) as far
>
Hi,
On Mon, Aug 04, 2025 at 03:40:35PM +0200, Simon Leinen wrote:
> The NCS540 (using IOS-XR) actually reboots faster than the ASR920s (IOS-XE).
Yeah, *that* is an amazing failure in the ASR920 platform... it boots
up to a point, then sits there doing "nothing" (nothing visible, at least)
for 10+
Hi,
On Mon, Aug 04, 2025 at 05:32:15PM +0200, Marc Binderberger wrote:
> Out of curiosity: you probably asked Cisco (SE? TAC?) "what is going on?!"
> They think this is okay? Uhm, "normal"?
I've long given up on asking TAC about minor annoyances, given the
fights I've had to fight about serious