Cisco :: ASR9k Control Plane Protection Rate-limits On IOS-XR

Jul 26, 2012

I'm doing a large-scale snmpwalk against an ASR9k (with IOS-XR v4.2.0) running as a provider edge router (full BGP table) and pulling the full contents of the BGP route table. On other routers, this completes within my timeout window, but not on the ASR9k. Figuring that this has to do with CoPP rate-limits, I've adjusted the rate-limits to ridiculously high values.

But still, the walk doesn't complete in an acceptable amount of time. Manual snmpwalks display a rate slower than even 7600s, with occasional stutters. CPU on the box doesn't even register that anything extraordinary is going on (@ 2 - 3%), and "show lpts pifib hardware police location" shows that there are 0 drops against SNMP. I haven't turned yet - either some traffic shaping mechanism or some combination of process scheduling/priority with SNMP.


Cisco Switches :: SG-300 - Back Plane Utilization

Dec 18, 2011

How can I get information about the back plane utilization? Is there any command for the SB-switches (sg300)?


Cisco Switching/Routing :: Get Back-plane Load Of Cat4506-e Chassis With Sup6-E Supervisory Card

Jan 15, 2012

A customer wants to get the back-plane load of a cat4506-e chassis with a sup6-E supervisory card. I would like to check how many buses are used on the backplane and if the command "sh envi chassis" is the good and only command to be used? I'm not sure that there is only one bus on the cat4506-E, as with a sup7 card the backbone speed can change.


Cisco AAA/Identity/Nac :: ASR9K Integrated With ACS 3.3 Equipment

Jun 2, 2013

I am currently deploying a Cisco ASR9K BNG solution and it needs to be integrated with Cisco ACS 3.3 equipment (yes, that old; going to migrate to a new product in the future). There are several specific attributes needed that are not in the base config of the ACS 3.3, but it seems that I can configure them manually: "In addition to supporting a set of predefined RADIUS vendors and vendor-specific attributes (VSAs), Cisco Secure ACS supports RADIUS vendors and VSAs that you define. Vendors you add must be IETF-compliant; therefore, all VSAs that you add must be sub-attributes of IETF RADIUS attribute number 26." This is from the ACS 3.3 configuration manual. I have never done these user-defined VSAs.


Cisco WAN :: Access And Trunks Ports On ASR9K?

Feb 5, 2012

I need to adapt a Cisco Catalyst switch configuration into a new ASR9000 router and I do not know how to configure trunks and access ports on an ASR9K router.
 
This is the configuration of the catalyst switch I want to replace.
 
interface GigabitEthernet1/0/1
description Access-Port -> SERVER
switchport access vlan 5
spanning-tree portfast
!

[code]....
 
Am I right? Or do I need to use the command “rewrite ingress tag pop 1 symmetric” on any of the interfaces or subinterfaces? Do I have to configure the command “encapsulation dot1q untagged” on the GigabitEthernet0/0/0/0.5 subinterface?


Cisco WAN :: Multiples AS-Numbers On ASR1K Or ASR9K?

Sep 7, 2011

I want to know if it is possible to create multiple BGP AS numbers on an ASR1K6 Router or ASR9K6 Router.


Cisco WAN :: To Abort Stalled Remote Install On ASR9k

Apr 11, 2013

I have an installation of a new SMU on an ASR9k.  Unfortunately, a previous install from a remote FTP source has stalled at 1%.  The router is currently running v4.2.1, and the stalled installation was for a 4.2.0 SMU.


Cisco WAN :: Migrate BGP Border Router / C7600 IOS To ASR9K?

Dec 28, 2012

Doing a migration. During comparison of "show bgp nei x.x.x.x advertised-routes" between the existing C7600 and the new ASR9K, I found that some r>i (RIB-Failure) routes on the C7600 aren't flagged with r>i on the ASR9K. Is it normal behaviour in ASR9K? How can I preserve r>i on ASR9K? Is it due to my IGP (e.g. AD etc.) issue or an ASR9K IOS-XR hidden config / default config issue?


Cisco :: ASR9K Series Devices Inventory Is Not Working

Apr 7, 2012

Inventory in CiscoWorks with new devices ASR9K Series is not working. CW version: LMS3.2.1. Device: ASR-9006 AC Chassis. Credentials correct. Screenshot1: inventory request fail.


Cisco WAN :: 7600 / 6500 / ASR9K - Route Processor Information

Feb 19, 2012

I am very new to high-end Cisco devices (like 7600/6500 or ASR9K).

Why do we log in on the RP? What actions can we perform after logging on to the RP (route processor), or why are they required? Can't we make those in normal router mode (router#)?


Cisco Application :: PAT Limits And Monitoring - ACE 20?

Dec 14, 2011

How to confirm the PAT limit on the ACE-20s. I initially read it as 1 million (the NAT limit), however I have since read that for PAT, it's 4 million as it uses the connection record information and not xlate.

I've always wondered why the xlate line under 'show resource usage' is zero. If PAT does use the connection record then this would explain why, however it's confusing as when running a 'show xlate' command you do see all the current PAT entries.


Set Bandwidth Limits To Certain Devices On Network?

Mar 18, 2012

I've been having a bit of a problem lately trying to play Battlefield 3 on my PS3 when other computers are running on my network.

I'm looking for a program or method to set bandwidth limits on some devices to try to guarantee the PS3 enough bandwidth to play without lagging.

With the research I have done what I can find is that there is something called Quality of Service (QoS), and traffic shaping -- which are good and fine but I don't believe my Westell router supports them and I don't want to have to do anything crazy with my router.

Also I am currently dual booting Ubuntu Linux alongside Windows XP, and I don't have XP set up because I want to install Windows 7 on that partition once I can read DVDs (in the hardware forum), therefore I would really like to find a Linux program that I can use to shape my network traffic.


D-Link DIR-655 :: Setting Up Download Limits?

Apr 6, 2011

I don't know if there is a way to set up download limits per I.P. address on my home network.


Cisco Firewall :: ASA 5550 - Source IP Connection Limits?

Jul 1, 2012

I am running a Cisco ASA 5550 in active/standby mode.  We are currently running ASA OS v8.2(3)5.  I am wondering if there is a way I could limit source IP concurrent connections coming in my outside interface.  Does the ASA have a feature/ACL syntax that supports this?


Range Extending - Cables And Speed Limits?

Jun 3, 2011

I'm an electrical engineer by trade, and fairly inept at networking. That being said, I am looking to extend the maximum range of my networking equipment. I have a job which requires around 500' between switches, and am trying to find a clever way to bridge the gap. The span is direct-burial cat5e, and has very low bandwidth requirements. I know you can buy off-the-shelf range extenders, but they are expensive, so I thought maybe I could avoid it.

1. It is my understanding that the lower speed protocols (10 Mbps rather than 100, 1000) have a longer maximum operating length, because they utilize a lower frequency and consequently see a lower impedance. If so, are there network switches that I can force to use the lower baseband frequencies?

2. Should I bother trying to find a cable with the lowest characteristic impedance (or will they all be similar)? Cat 5e is pretty good, yes?

3. Should I do half or full-duplex; is this something I can control as well?

4. What network switches are cheap and allow this type of configurability?

5. If I attach other switches to the ends of this 500' ethernet bridge with auto-negotiating feature, will there be any conflicts or they will all get along?


Apartment Complex Limits Each Connection / How To Combine Them

May 6, 2012

My apartment complex limits each connection to 200KBps but each connection has the same IP so I thought there has to be an easy way to combine the connections. Is there a way to connect the wired network I'm connected to with the wireless one?


HG556a Firmware - Router LAN Speed Limits?

Nov 26, 2012

My router that I am currently using has 1gbp/s lan and I seem to be limited to 10mbp/s when I try to transfer files across the network. I have the HG556a firmware.


Cisco :: 5508 - Wireless Guest Account Lifetime Limits?

Jun 6, 2013

We currently have ACS 5.4 and Cisco WLC 5508's deployed. We have wireless lobby admin accounts that can login and successfully create and modify guest wireless accounts. What we are trying to do, however, is give the lobby admins the ability to create wireless accounts with lifetimes longer than 30 days. Currently our setup will only allow the creation of permanent accounts (by entering all 0's in the lifetime fields) or accounts that last up to thirty days.     


Cisco Switching/Routing :: 1801 - VLan Database Limits

May 21, 2012

I am wondering what are the limits per router for creating the VLANs in the vlan database? I have a 1801 router with the c180x-broadband-mz.151-3.T2 IOS and can't create more than 14 VLANs. How many does a 2800 router support? Why can't I find this information anywhere on cisco.com?


Linksys Wireless Router :: EA6500 Media Prioritization Limits?

Sep 24, 2012

How can I increase the number of devices in the GUI, since it is only allowing 3 devices?


Cisco Wireless :: Aironet 1410 Bridge Power Injector Coax Cable Length Limits?

Apr 19, 2011

how far apart an Aironet 1410 Bridge can be from the Power Injector (Dual Coax feeds).  I just can't find the specification details.  The device comes with a 20' and 50' F-type and I'm looking at 150' runs for both ends of the bridge pair.


Cisco Switches :: SG300-10P SYN Protection

Mar 1, 2013

Yesterday I upgraded my SG300-10P to firmware 1.2.7.76. I was curious about the new SYN Protection feature, but it seems to do nothing on my installation.
 
The switch is running in Layer 2 mode. I have ACLs in place and DoS prevention is not enabled. I also tried clearing ACLs and enabling DoS prevention. As I understood the Admin Guide enabling DoS in the Security Suite Settings is not necessary for using the SYN Protection.
 
In my firewall I see about 300 pps with SYN flags only arriving. What "they" do is send me SYN packets to port 80 from forged IPs, so that my system should send SYN-ACKs to the victim system. In this case it is the Arab Bank. They are down at the moment... I think that is called a spoofed SYN flood attack.

So I thought the SYN Protection feature should exactly solve that problem but it does not and does not show any "Last Attack" entries.
 
If I put a SYN filter in place it works, even if I put SYN Rate Protection in place. But that is just a dirty workaround. My firewall blocks those SYN packets with a SNORT rule.


How To Setup E-mail Protection

Apr 25, 2011

My taskbar is telling me I have no AVG security for my e-mails


Cisco Routers :: RV042 Protectlink Web Protection

Aug 23, 2011

We have implemented Cisco Protectlink Web Protection on our network.
 
By choosing the categories that we want to block everything worked well until we have noticed that when users try to browse social networking sites like [URL] this site is blocked but when users type in [URL] users that go directly to facebook.
 
and also with youtube if they add https:// users can then bypass our network block.
 
Is this somewhat a bug on the Protectlink Categories blocking?


What Is The Function Of Anti Static Protection

Jul 26, 2011

what is the function of anti static protection


Cisco WAN :: Internet Interface Protection On ASR 10001 Router?

Apr 30, 2013

I want to provide some outside interface protection on an ASR 10001 router. The Internet-facing interface is the ingress for all remote access home users that have created a DMVPN. I want to protect the network from the Internet but, at the same time, protect against breaking the tunnels created from the home users. We are running EIGRP between the home users and the HQ router. How would you build the access-list applied to the outside interface and what protocols would you allow through?


Cisco Firewall :: ASA 5540 Use For Protection From Internet Zone

Mar 7, 2012

-1x Cisco ASA5540
-1x Catalyst 3750x-48T (L3 Core Switch)
 
I'd like to seek expertise on validating a simple firewall setup.

Do I trunk core switch traffic to the Cisco ASA or assign an L3 link instead? It is basic understanding that the Cisco ASA is usually used for protection from our internet zone. A typical Cisco ASA setup would consist of outside, inside and dmz zones.

The L3 core switch consists of 20 VLANs. The 20 VLANs need to be blocked from each other, e.g. the wireless VLAN does not have access to the server VLAN, etc.

What is the best practise to filter IP addresses within a VLAN from reaching each other? Should I trunk all my VLANs to the Cisco firewall? (For easy VLAN restrictions: but is that best practise?) Or do ACLs on the core switch itself? But what if I have tons of server IPs that need specific ports blocked, etc.? How would I be able to manage all my ACLs on the core switch?


Cisco Firewall :: PIX 525 Anti-Spoofing Attack Protection

Mar 19, 2011

I have multiple questions about the PIX 525 software version 8.0(2) ASDM 6.0 (2). I am a Windows network admin that is new to Cisco and routing in general. I have read through the forums and the Cisco documentation, but have not been able to fully understand the topics discussed within.

1. Anti-Spoofing Attack Protection
2. Scanning Threat Detection - Auto Shun
3. NTP Sync Verification
4. QoS implementation
5. IOS and ASDM Backup

This option is currently DISABLED for all interfaces. I know what IP address spoofing is, but what is the functionality of these options specifically? How does it work and should I enable it and for which interfaces? Second Question: Scanning Threat Detection - Auto Shun
 
I found this option in ASDM under: Configuration --> Firewall --> Threat Detection. Enable Basic Threat Detection and Enable Scanning Threat Detection are both currently ENABLED, but Shun Hosts detected by scanning threat is currently DISABLED. Also, the Networks Excluded from Shun field is empty. I know what the shun command does. I have used it many times when I have been fortunate enough to catch some piece of **** trying to spam my mail server or gain access to it.
 
What I am asking specifically is how does the Auto Shun work? Should I enable it and what are the potential consequences? Also, what exactly is a scanning attack?
 
I am not familiar enough with the PIX and with the topics discussed in the document to successfully apply the info within. Plus, I'm not sure it covers the kind of basic, all-inclusive bandwidth cap I would like to put in place.
 
The goal is to cap the maximum internet (outside) bandwidth that inside5 can use to a reasonable percentage while allowing the other interfaces to have the remainder.

How would I go about this implementation? 2. Is there a way to allow inside1 - inside4 to use max bandwidth when there is no traffic on inside5?
 
I am probably, at least, the third owner of this device and I do not have an account with Cisco nor can my tiny (perhaps non-existent given the current economic state) IT budget afford any form of support or software licensing with them. My goal is to back up the IOS and ASDM data in the event that I have to replace the device due to a hardware failure.

I found a file transfer function within ASDM which allowed me to copy the files pix802.bin, asdm-602.bin and tfp from flash to my desktop computer. I also have a copy of the activation key info and my current configuration.
 
1. Have I backed up all the data/info I would need to restore this software and ASDM to another unit.
2. The activation key screen also has a serial number field. Is this the hardware serial number or is it for the software? and is it tied to this device specifically or can I use it to restore another unit if necessary?
3. Is there anything else I should do or be aware of regarding backup and restore for the PIX?
4. What is the tfp file?


Does A Spanned Drive Have Any Protection Against Disk Failures

Apr 28, 2012

does a spanned drive have any protection against disk failures?


Linksys Cable / DSL :: SPI Firewall And DoS Protection On WAG320N?

Mar 2, 2011

I want to make use of the SPI Firewall and DoS Protection features of the WAG320N.  What are these for?  How do you configure them on WAG320N? 


Cisco Switching/Routing :: 2950 - Bridging Loops / STP Protection

Jan 20, 2012

I have a network where if an end user attaches a hub to the network, or rather one of those cheap unmanaged 8-port mini-switches, and then plugs the two ends of the same cable into two ports of that mini-switch, all the network goes down. Loops are generated and many uplinks are shut down in err-disable state due to the loopback reason.

I know I could discourage the use of those mini-switches using port security. I even have NAC (Cisco) deployed on the network, but there are cases where those mini-switches are allowed by the management. In those cases, it is not possible to exactly know which hosts (MAC addresses), and even how many of them, will attach to the network concurrently. As far as I know, they could even chain many mini-switches one to another. Of course, when even a single mini-switch is allowed on the network, it raises a security hole.
 
Is there a way to allow the use of those devices without the risk of network outages? Some STP protection method? The best would be to have the Cisco access switch to get aware of the loop on its affected switchport (where the mini-switch is attached), immediately shutting down that port (to avoid loops on the network) and maybe sending an SNMP trap or a syslog message.
 
We are using Cisco Catalyst 2950 and 2960 for our access layer.


Accidentally Deleted The Network Protection Key And Now Can't Access The Internet

Jan 29, 2012

I accidentally deleted the network protection key from my laptop and now can't access the internet. I have tried re-entering it but still can't connect to the internet.


Cisco Switching/Routing :: C3750 / Layer 2 Loop Protection Enhancement?

Feb 19, 2012

We recently had a simple layer 2 loop problem on our network, with big effects. Here is the situation: we have a C3750 switch, with STP active on all ports. We don't have total control over this switch, and for some reasons, it is possible that people connect a 2nd switch to it (Cisco or non-Cisco). What happened several times is a classic case: a person interconnects 2 ports of this 2nd switch, creating a loop. As the loop is created on the 2nd switch only, the 1st switch detects no loop, and the uplink port stays up. After this loop is created, a broadcast storm occurs through the link between the 1st and 2nd switch, and the storm propagates all over the LAN.

I am trying to find some solutions to avoid that. One thing I would like to do is to find a mechanism on the first switch which can block the uplink port on the 1st switch if it sees the same MAC address as source in the 2 directions. Note that storm control, even configured to a quite low value (i.e. 2Mbps), is not efficient enough to protect equipment (we have had big CPU impact on LAN equipment).








Copyrights 2005-15 www.BigResource.com, All rights reserved