H-VPLS/P2MP style functionality with L2TPv3 inside VFI

I’m trying to lab up a hub and spoke L2 VPN scenario using L2TPv3.

CPEs are ISR G2s such as 1941 and the PE/Hub is an ME3600. I’m not having much luck, so I wondered if I’m chasing a ghost; has anyone used
L2TPv3 xconnects (due to lack of MPLS) into a VFI on an ME3600 to get this scenario to work?

Perhaps you used something else that worked? Or do you think this simply can’t be done?

When mixing L2TPv3 with VFIs, is the logic present to do things like MAC learning? I’ve never tried this without MPLS and/or BGP.


Something like:

pseudowire-class l2tpv3-class
 encapsulation l2tpv3
 interworking ethernet
 ip local interface Loopback0

l2 vfi TEST manual
 vpn id 100
 bridge-domain 200
 neighbor 1.1.1.1 pw-class l2tpv3-class
 neighbor 2.2.2.2 pw-class l2tpv3-class

int gi0/2
 switchport mode trunk
 switchport trunk allowed vlan none
 service instance 200 ethernet
  encapsulation untagged
  bridge-domain 200

int vlan200
 no ip address

ASR1k capacity/operate

Operating an ASR 1000 | https://clnv.s3.amazonaws.com/2015/usa/pdf/BRKARC-2019.pdf
http://www.slideshare.net/RouterAnalysis/cisco-asr-1000-series-testing-results-and-analysis

It would be a single pass through the QFP. The SIP could also be a limiting factor, but since you are split between SIPs that shouldn’t be an issue. The SIP 40 has 2x 40Gig lanes on the backplane. Are you doing crypto or anything like that which would impact performance? There is a great Cisco Live preso on the ASR1k architecture that might help you get some ammo to go back to TAC with.
http://d2zmdbbm9feqrf.cloudfront.net/2014/usa/pdf/BRKARC-2001.pdf

According to Cisco’s literature the 40G capacity is outbound direction only. This includes traffic replication, so you could have 1G in and 40G out or 50G in and 40G out, but you should be able to get 40G out unless you are using features that are causing core congestion on the QFP (which is possible).

Cisco to support flow spec

Looks like 5.2.0 has been available since July.

http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r5-2/general/release/notes/reln_520a9k.html
http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r5-2/routing/configuration/guide/b_routing_cg52xasr9k/b_routing_cg52xasr9k_chapter_011.html

7.3, last I heard...

Also, is this RFC 5575-compliant flowspec?

Yes, with some recent enhancements to the specs (v6 support, relaxed origin check, extra redirect options, and a few more).

Search in project Un1c0rn

Project Un1c0rn is a search engine exposing open, vulnerable and weak services since May 2014 ... Leaking mysqlmongo and heartbleed services worldwide ... Disclosure is the solution ... Un1c0rn won't die ... We don't ask, we host ... Back online, uptime should now be good, DB migration coming later. Leakhorn

Traffic Generators

Open source solutions: scapy will probably be able to do the job.

> IMIX and other standard load tests. I’m using IPERF now, but this is
> simply a load gen. No IMIX etc. Suggestions?

A little script with bwping (TOS, MTU) is not enough to try to make a pseudo RFC2544 test?
Sorry if it is not what you are searching for.

So I have started playing with this, I think it should do what you want (I have the same requirement):
http://traffic.comics.unina.it/software/ITG/

> When it comes to minimum size packets, I’m not aware of open source
> software that can congest 1GE port. Operating systems are not really
> tuned to do 1Gbps UDP streams on small packets. You can achieve that,
> even more, but you need to go quite low level, UDP socket you must
> forget immediately event with sendmmsg/recvmmsg. Raw sockets and
> modern CPU and you’ll probably be able to reach 1Gbps per core, but I
> don’t know software available that would be productized even to iperf level here, would love to hear about one.

Some open source software I am writing can do 1Gbps (and likely beyond, I don’t have any 10G NICs to test on, yet!), although it’s for testing at the Ethernet layer so not really applicable here;

https://github.com/jwbensley/Etherate

One of the main features I am working on now (as I’m still writing the initial version) is loading the frame payload from file, so that payload data *could* be UDP, but it’s not really meant for testing higher than the Ethernet and/or MPLS level.

Cheers,
James.

> When it comes to minimum size packets, I’m not aware of open source
> software that can congest 1GE port. Operating systems are not really
> tuned to do 1Gbps UDP streams on small packets. You can achieve that,
> even more, but you need to go quite low level, UDP socket you must
> forget immediately event with sendmmsg/recvmmsg. Raw sockets and
> modern CPU and you’ll probably be able to reach 1Gbps per core, but I
> don’t know software available that would be productized even to iperf level here, would love to hear about one.

Scapy [1] should be able to do that easily, so should mausezahn [2]. Of course you don’t use the regular TCP/UDP socket API for this, but some raw form of it, and generate the whole packet in userspace.

[1] http://www.secdev.org/projects/scapy/
[2] http://www.perihel.at/sec/mz/
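The replies above agree that filling a 1GE port with minimum-size packets means leaving the socket API behind and building every frame yourself. This added example (mine, not from the thread or from any tool it mentions) does exactly that assembly in userspace, Ethernet II + IPv4 + UDP padded to the 64-byte minimum, checks what a receiver would check, and works out the frame rate that "1Gbps with small packets" actually implies; MACs, addresses and ports are constructed sample values.

```python
import socket
import struct


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (the IPv4 header checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _mac(m: str) -> bytes:
    return bytes.fromhex(m.replace(":", ""))


def build_udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload=b"", min_len=60):
    """Assemble Ethernet II + IPv4 + UDP entirely in userspace, as a raw-socket sender must.
    Pads to min_len bytes (60 without FCS = the 64-byte minimum Ethernet frame on the wire)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload  # UDP csum 0 = omitted
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, 17, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    frame = _mac(dst_mac) + _mac(src_mac) + b"\x08\x00" + ip_hdr + udp
    return frame + b"\x00" * max(0, min_len - len(frame))   # zero padding, ignored via IP length


def verify_frame(frame: bytes) -> dict:
    """Decode enough of the frame to check what a receiving stack would: sizes and IP checksum."""
    ip_hdr = frame[14:34]
    return {
        "frame_len": len(frame),
        "ipv4": frame[12:14] == b"\x08\x00" and ip_hdr[0] == 0x45,
        "ip_total_len": struct.unpack("!H", ip_hdr[2:4])[0],
        "ip_csum_ok": ip_checksum(ip_hdr) == 0,   # header incl. checksum sums to 0xFFFF
        "proto": ip_hdr[9],
    }


def line_rate_pps(gbps: float, frame_len: int) -> int:
    """Frames per second needed to fill a link: every frame also costs 20 bytes of
    preamble/SFD + inter-frame gap on the wire, which is why 64-byte frames hurt."""
    return int(gbps * 1e9 // ((frame_len + 20) * 8))
```

For 1GE the calculation gives about 1.49 million 64-byte frames per second versus roughly 81 thousand 1518-byte frames, which is the per-packet budget a sender has to meet.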

VPLS hub & spoke

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_l2_vpns/configuration/xe-3s/mp-l2-vpns-xe-3s-book/vpls-auto-bgp-xe.html

Hi everyone. I’m trying to understand VPLS with a hub & spoke topology a little better, but I’m having a hard time grasping which site(s) need to have the no split-horizon configuration added to them. Not sure if this is even possible with the autodiscovery option vs using manual. So right now I’ve got four sites set up in a full mesh with the following configuration on each PE router (ME3600X):

l2 vfi TEST1 autodiscovery
 vpn id 3000
!
interface GigabitEthernet0/4
 service instance 3000 ethernet
  encapsulation dot1q 3000
  rewrite ingress tag pop 1 symmetric
  bridge-domain 3000
!
!
interface Vlan3000
 no ip address
 xconnect vfi TEST1
!

So if I want sites 2, 3 and 4 to not be able to talk to each other
except by going via site 1 what configuration change would I need to
do?  I thought that adding “split horizon” to the bridge-domain under
the service instance was the way to go but I’m not so sure.

Ideally, I’d like a scenario where I can have one site as the hub and be
able to take advantage of the autodiscovery for instances when a new
spoke is added to the domain.  Granted only the hub is benefiting from
this auto discovery but does that mean that the spokes should be
configured as “manual”?

Thanks for any suggestions.

Jose

Jose,

On the hub device you would have a VFI instance.
The spokes would be configured just as if they were running a point-to-point xconnect (i.e. an xconnect statement on the service instance).
On the hub, under the VFI, you need to configure your pseudowires as “neighbors” – this is where you would put the no-split-horizon statements for the spokes:

l2 vfi aaa manual
vpn id 1
neighbor 1.1.1.1 encapsulation mpls no-split-horizon
neighbor 2.2.2.2 encapsulation mpls no-split-horizon

HTH
Arie

Ahh I see, thanks for the examples Arie.  Makes sense now.
Jose

Jose, if you are using BGP auto-discovery then you could look into disabling “auto-route-target” and play with route-target import/export to have a Hub and Spoke topology like you do for L3VPNs.

HTH
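Jose’s question about where no-split-horizon belongs (and the earlier L2TPv3 post’s question about MAC learning in a VFI) both come down to one forwarding rule in the hub’s bridge domain. The Python model below is added here and is not from the thread or from IOS: it simulates a VFI with MAC learning and the split-horizon rule among pseudowires, with the hub built as in Arie’s answer (local site on Gi0/4, spoke PW addresses 1.1.1.1 and 2.2.2.2 are the thread’s sample values).

```python
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    is_pw: bool                 # pseudowire to a neighbor PE (True) or local attachment circuit (False)
    split_horizon: bool = True  # IOS default for VFI neighbors; 'no-split-horizon' clears it


@dataclass
class Vfi:
    """Toy model of an IOS 'l2 vfi' bridge-domain: MAC learning plus split-horizon among PWs."""
    ports: dict = field(default_factory=dict)
    mac_table: dict = field(default_factory=dict)   # learned MAC -> port name

    def add_ac(self, name):
        self.ports[name] = Port(name, is_pw=False)

    def add_neighbor(self, name, no_split_horizon=False):
        self.ports[name] = Port(name, is_pw=True, split_horizon=not no_split_horizon)

    def forward(self, ingress, src_mac, dst_mac):
        """Return the egress ports for a frame that arrived on 'ingress'."""
        self.mac_table[src_mac] = ingress                 # MAC learning on ingress
        inp = self.ports[ingress]
        known = self.mac_table.get(dst_mac)
        cands = [known] if known else list(self.ports)   # known unicast vs. flood
        out = []
        for name in cands:
            egr = self.ports[name]
            if name == ingress:
                continue
            # Split-horizon rule: a frame received on a split-horizon PW is never sent out
            # another split-horizon PW. That stops loops in a full mesh, but in hub-and-spoke
            # it also stops spoke-to-spoke transit through the hub unless it is cleared.
            if inp.is_pw and inp.split_horizon and egr.is_pw and egr.split_horizon:
                continue
            out.append(name)
        return out


def hub(no_split_horizon):
    """Hub PE as in the thread: local site on Gi0/4 plus one PW per spoke."""
    v = Vfi()
    v.add_ac("Gi0/4")
    for spoke in ("1.1.1.1", "2.2.2.2"):                  # spokes are plain xconnects: their only
        v.add_neighbor(spoke, no_split_horizon)           # path is the PW to the hub, never to each other
    return v
```

`hub(False).forward("1.1.1.1", "aa", "ff")` reaches only Gi0/4, while `hub(True)` floods to the hub site and to 2.2.2.2, which is why Arie puts no-split-horizon on the spoke neighbors.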

Disabling Windows tunnel interfaces

https://www.asmus-consulting.com/en/blog-category-active-directory-and-windows-server/item/41-disable-ipv6-tunnel-adapter

Use these 3 lines to disable the adapters via netsh:

netsh int ipv6 isatap set state disabled
netsh int ipv6 6to4 set state disabled
netsh interface teredo set state disabled



You can also disable the tunnel adapters by GPO:
– open Group Policy Management Editor
– select an existing or create a new GPO
– Computer Configuration -> Administrative Templates -> Network -> TCPIP Settings -> IPv6 Transition Technologies

Configure all of the settings below – enable the setting but select “Disabled” within:
– “Set 6to4 State”
– “Set ISATAP State”
– “Set Teredo State”

That’s it.
