From jhumphris@nexagent.com Wed Jan 23 08:05:52 2008
From: "James Humphris"
Date: Wed, 23 Jan 2008 11:11:16 -0000
Subject: [c-nsp] Cisco ME-6524 platform architecture

Dear all,

I stumbled across this excellent forum yesterday whilst trying to gain some information on the platform architecture of the Cisco ME-6524. I have been extensively testing this device for a couple of months now, using a mixture of local switching, multiplex-uni and EoMPLS with MPLS-TE & FRR. So far, it has performed remarkably well, especially considering its price point as an entry level device to the Cisco 6500 family.

I do however have a question regarding the platform architecture of the box. As I'm sure you all know, the architecture of the modular 6500 series is very well documented by Cisco, including details of the modules (PFC, MSFC etc.), types of ASIC (Pinnacle, Medusa, Earl, Tycho and Superman etc.) and how they interoperate at a high level.

The part I'm struggling with is how this relates to the fixed configuration of the ME-6524. I appreciate that it's based upon the SUP-720, and utilises MSFC2A with PFC3C, but when I issue a "show asic-version slot 1", I don't see any ASIC names that I recognise:

nsn1#sho asic-version slot 1
Module in slot 1 has 5 type(s) of ASICs
        ASIC Name      Count      Version
             KUMA          1      (2.0)
         HYPERION          1      (6.0)
             R2D2          1      (2.0)
          DHANUSH          2      (2.0)
         VISHAKHA          8      (1.0)

Can anyone help with some more detailed information relating to the platform configuration of this device?

Many thanks in advance

James Humphris
IP Engineering, Nexagent Ltd.

From alaerte.vidali@nsn.com Wed Jan 23 08:07:18 2008
Date: Wed, 23 Jan 2008 05:28:38 -0600
Subject: Re: [c-nsp] PIM Split Rules and Multicast over L3 MPLS VPN

Thanks Oli.

I will test today on PFC3xx with SRB2 and post the result.

Br,
Alaerte

-----Original Message-----
From: ext Oliver Boehmer (oboehmer) [mailto:oboehmer@cisco.com]
Sent: Tuesday, January 22, 2008 8:01 PM
To: Vidali Alaerte (NSN - BR/Rio de Janeiro); cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] PIM Split Rules and Multicast over L3 MPLS VPN

alaerte.vidali@nsn.com <> wrote on Tuesday, January 22, 2008 6:09 PM:

> Hi,
>
> PIM considers source of multicast to perform load splitting when the
> command "ip multicast multipath" is entered. When using multicast over
> L3 MPLS VPN, the source IP is the IP of PEx for any customer group
> connected to PEx.
> Any way to overcome this limitation and achieve load splitting of
> multicast over L3 MPLS VPN?
>
> For example, consider this scenario:
>
> Sender for group G1 and
> G2---CE1-----PE1------P1-----PE2----CE2----receiver of G1 and G2
>               |               |
>               |_______P2______|
>
> The goal is having one G1 taking path PE1--P1--PE2 and G2 taking path
> PE1--P2--PE2.
> (but without using GRE encapsulation to have multicast encapsulated
> into unicast)

12.2SRB for the 7600 introduced "ip multicast multipath s-g-hash basic" which allows you to do the hash on source+group.. Platform support for this is still limited, not sure about your environment.

        oli

From jeff.nsp@gmail.com Wed Jan 23 08:10:08 2008
From: "Jeff Tantsura"
To: "'Matyas Koszik'", "'Drew Weaver'"
Cc: cisco-nsp@puck.nether.net
Date: Wed, 23 Jan 2008 10:28:44 +0100
Subject: Re: [c-nsp] RTBH - anyone using this?

Or make it multihop.
I got bitten by this many years ago (on both cisco and juniper) but it seems that till now documentation hasn't been changed to reflect it.

If you are going to allow your customers to use it (usually done with communities) be sure to filter accordingly, so the customers'd blackhole their own prefixes only :)

Cheers,
Jeff

> -----Original Message-----
> From: cisco-nsp-bounces@puck.nether.net [mailto:cisco-nsp-bounces@puck.nether.net] On Behalf Of Matyas Koszik
> Sent: Tuesday, 22 January 2008 19:41
> To: Drew Weaver
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] RTBH - anyone using this?
>
> You need to add disable-connected-check to the peer's bgp configuration.
> (I know the documentation doesn't say so but that's what makes it work for me.)
>
> On Tue, 22 Jan 2008, Drew Weaver wrote:
>
> > I'm following this guide:
> >
> > http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper0900aecd80313fac.pdf
> >
> > if anyone knows of a better one please do enlighten me ☺
> >
> > Everything works a lot better than I imagined it would except for one issue and one question.
> >
> > Question: There is simply no reason to be exporting the routes from the edge routers to the triggers if I am reading this document correctly. Rather than using prefix or filter lists, is there a handy way to make the edge routers not send routes to the trigger server (using a command in that peer-group?)
> >
> > The issue I am having is kind of strange and I've never ran across it before like many of my issues.....
> >
> > RTBH has you add a static route on the edge routers which acts as a next-hop for the routes which are sent by the trigger server/router. For whatever reason the routes sent by the trigger server/router aren't being entered into my routing table on the Edge routers because it is giving me RIB failures:
> >
> > LAB01#sh ip bgp nei 10.1.0.11 routes
> > BGP table version is 476702490, local router ID is 10.1.0.9
> > Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
> >               r RIB-failure, S Stale
> > Origin codes: i - IGP, e - EGP, ? - incomplete
> >
> >    Network          Next Hop            Metric LocPrf Weight Path
> > r>iblocked/28
> >                     192.0.2.1                0    200      0 i
> >
> > LAB01#sh ip route 192.0.2.1
> > Routing entry for 192.0.2.1/32
> >   Known via "static", distance 1, metric 0 (connected)
> >   Tag 50
> >   Redistributing via ospf 1
> >   Routing Descriptor Blocks:
> >   * directly connected, via Null0
> >       Route metric is 0, traffic share count is 1
> >       Route tag 50
> >
> > Clearly there is a route to 192.0.2.1 with a destination of Null so it does appear to be a valid route, yet bgp refuses to add the "blocked/28" route to the routing table.
> >
> > Has anyone ran into this before?
> >
> > Thanks!
> >
> > -Drew
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From tom@snnap.net Wed Jan 23 08:10:14 2008
From: Tom Storey
To: Sridhar Ayengar
Cc: Cisco NSPs
Date: Wed, 23 Jan 2008 18:47:06 +1030
Subject: Re: [c-nsp] ADSL

Would be a bit of a waste of an entire PA slot though wouldn't it? :-)

You could always use something like an 857 (on the cheaper side if you want to stick with Cisco, otherwise any el cheapo yum-cha brand) in bridge mode hooked up to an ethernet port to do PPPoE, provided PPPoE client is supported of course.

On 23/01/2008, at 2:55 AM, Sridhar Ayengar wrote:

>
> I *really* wish Cisco had made an ADSL PA.
>
> Peace... Sridhar

From ben@internode.com.au Wed Jan 23 08:10:17 2008
From: Ben Steele
To: cisco-nsp@puck.nether.net
Date: Wed, 23 Jan 2008 16:49:52 +1030
Subject: [c-nsp] ASA 8.0 Webvpn MAPI

Howdy,

Anyone had any experience with getting MS Exchange to work with a webvpn client on ASA 8.0(2) or greater without using the AnyConnect client (ie clientless) now that MAPI support isn't available?

Doesn't look like smart tunnels will do the job either and can't find anything else hinting in the Cisco docs or google.

Cheers

Ben

From jjackson@aninetworks.com Wed Jan 23 08:10:20 2008
From: "Joseph Jackson"
To: Cisco
Date: Tue, 22 Jan 2008 21:08:50 -0800
Subject: [c-nsp] Tacacs+ accounting on ASA/PIX 7.x

Hey all,

I know in the past the pix/asa would not generate account records of what commands were entered on the device. Does anyone know if this has changed? I've read some docs that talk about accounting traffic that passes THROUGH the device but not accounting for what commands are entered on the device from what user, like you get on an IOS router.

Thanks

Joseph

From frnkblk@iname.com Wed Jan 23 08:10:22 2008
From: "Frank Bulk - iNAME"
To: "'Kristofer Sigurdsson'", "Cisco NSP"
Date: Tue, 22 Jan 2008 20:47:46 -0600
Subject: Re: [c-nsp] EzVPN drops packets after first data burst

Anything to do with packet size?

Frank

-----Original Message-----
From: cisco-nsp-bounces@puck.nether.net [mailto:cisco-nsp-bounces@puck.nether.net] On Behalf Of Kristofer Sigurdsson
Sent: Tuesday, January 22, 2008 7:42 AM
To: Cisco NSP
Subject: [c-nsp] EzVPN drops packets after first data burst

Hi list,

I have a Cisco 1841 router, IOS 12.4(12), Adv. IP Services. I'm using it for an EzVPN server where clients can VPN into a VRF which contains a local network. Clients can connect and start to use eg. Remote Desktop to a computer on the inside network, but as soon as some traffic starts flowing (like opening a browser in Remote Desktop), the session hangs and, according to the show crypto session remote detail, no new outbound (from the VPN server) packets come and I start seeing dropped inbound packets (dec'ed).

Sample output:

Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: x.x.x.x port 4406 fvrf: (none) ivrf: xx
      Phase1_id: xxxx
      Desc: (none)
  IKE SA: local x.x.x.x/4500 remote x.x.x.x/4406 Active
          Capabilities:CXN connid:233 lifetime:07:58:49
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.10.210.158
        Active SAs: 2, origin: dynamic crypto map
        Inbound:  #pkts dec'ed 279 drop 69 life (KB/Sec) 4587796/86332
        Outbound: #pkts enc'ed 432 drop 0 life (KB/Sec) 4587562/86332

Whatever the user tries to do on the VPN, the only thing that changes (apart from time) is the dec'ed drop packets. The number of packets dec'ed/enc'ed is not exactly consistent, but this always happens at the first burst of data across the link. The counters go to a few hundred, then this happens. The VPN connection stays up, nothing unusual in the client. It says "transparent tunneling: active on UDP port 4500", so it probably doesn't matter that the client is behind NAT, right?

The problem only depends on data going over the link, not time. If I'm just using ping, traceroute and SSH terminal access, there is no problem. As soon as I put a burst on the link, it hangs and does not recover.

We have a few customers on the router, each using a different profile (pretty much same configuration) and different VRFs for inside networks. Same problem for all of them.

Thanks in advance,
Kristo

Here's the relevant configuration:

aaa group server radius RADIUS-XX
 server-private x.x.x.x auth-port 1645 acct-port 1646 key xxxxxxx
 ip vrf forwarding xx
aaa authentication login AAA-XX group RADIUS-XX
aaa authorization network vpn local
ip vrf xx
 description xx
 rd 65365:7
 route-target export 65365:7
 route-target import 65365:7
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 5
!
crypto isakmp policy 30
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group xxxx
 key xxxxxxxxx
 dns x.x.x.x
 pool xx
 acl xx
 group-lock
 save-password
 max-users 50
 netmask 255.255.255.255
!
crypto isakmp profile xxxx
 vrf xx
 self-identity address
 match identity group xxxx
 client authentication list AAA-XX
 isakmp authorization list vpn
 client configuration address respond
 initiate mode aggressive
 local-address FastEthernet0/0
!
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association idle-time 86400
!
crypto ipsec transform-set vpn esp-3des esp-md5-hmac
!
! dynamic-map vpn 1-6 and 8-... are other customers who also have the same problem
!
crypto dynamic-map vpn 7
 set transform-set vpn
 set isakmp-profile xxxx
 reverse-route
!
crypto map vpn 65535 ipsec-isakmp dynamic vpn
!
interface FastEthernet0/0
 description Uplink
 ip address x.x.x.x 255.255.255.128
 duplex auto
 speed auto
 crypto map vpn
!
interface FastEthernet0/1.930
 encapsulation dot1Q 930
 ip vrf forwarding xx
 ip address 10.9.8.2 255.255.255.252
!
! The RIP is to advertise the host routes to the VPN clients to another router on the inside (and receive routes from there)
!
router rip
 version 2
 !
 address-family ipv4 vrf xx
  redistribute connected
  redistribute static
  network 10.0.0.0
  network 192.168.0.0
  network 192.168.124.0
  no auto-summary
  version 2
 exit-address-family
!
ip local pool xx 10.10.210.100 10.10.210.200 group xx
!
ip access-list extended xx
 (lots of networks)

From frnkblk@iname.com Wed Jan 23 08:10:23 2008
From: "Frank Bulk - iNAME"
To: "'Richey'"
Date: Tue, 22 Jan 2008 20:59:07 -0600
Subject: Re: [c-nsp] access-list question

You may be interested in looking at aggregate and microflows:
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd803e5017.html

Frank

-----Original Message-----
From: cisco-nsp-bounces@puck.nether.net [mailto:cisco-nsp-bounces@puck.nether.net] On Behalf Of Richey
Sent: Tuesday, January 22, 2008 10:14 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] access-list question

If I do the following will it rate-limit each IP to 1.8Mb or will it limit the group of IPs to 1.8Mb? I want for each IP to get 1.8Mb.

interface Ethernet1/1
 description EB1 - Wireless
 ip address 69.18.x.x 255.255.255.224
 rate-limit input access-group 199 1800000 337500 675000 conform-action transmit exceed-action drop
 rate-limit output access-group 199 1800000 337500 675000 conform-action transmit exceed-action drop
 half-duplex

access-list 199 permit ip host 69.18.x.x any
access-list 199 permit ip host 69.18.x.x any
access-list 199 permit ip host 69.18.x.x any
access-list 199 permit ip host 69.18.x.x any
access-list 199 permit ip host 69.18.x.x any

From rdobbins@cisco.com Wed Jan 23 08:10:24 2008
From: Roland Dobbins
To: Cisco NSP
Date: Wed, 23 Jan 2008 11:17:49 +0800
Subject: Re: [c-nsp] RTBH - anyone using this?

On Jan 23, 2008, at 2:15 AM, Drew Weaver wrote:

> Question: There is simply no reason to be exporting the routes from
> the edge routers to the triggers if I am reading this document
> correctly. Rather than using prefix or filter lists, is there a
> handy way to make the edge routers not send routes to the trigger
> server (using a command in that peer-group?)

I set up outgoing prefix-lists on the edge routers so that no routes are sent down, and incoming prefix-lists on the trigger, too, just to be sure.

> The issue I am having is kind of strange and I've never ran across
> it before like many of my issues.....

I always set local-pref on routes received from the trigger to be high, and they end up being the preferred routes for the prefixes in question, which ends up triggering the recursive lookup to null0 and thus the packet drops.

-----------------------------------------------------------------------
Roland Dobbins // 408.527.6376 voice

Culture eats strategy for breakfast.
   -- Ford Motor Company

From kajtzu@basen.net Wed Jan 23 09:16:32 2008
Received: from mailout1.bnsvcs.net (mailout1.bnsvcs.net [87.108.20.68]) by puck.nether.net (8.14.2/8.12.9) with ESMTP id m0NEGS8M031289 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for ; Wed, 23 Jan 2008 09:16:30 -0500 (EST) (envelope-from kajtzu@basen.net)
X-Envelope-From: kajtzu@basen.net
Received: from localhost (localhost.localdomain [127.0.0.1]) by mailout1.bnsvcs.net (Postfix) with ESMTP id 4D8A63BC00F; Wed, 23 Jan 2008 14:16:23 +0000 (UTC)
X-Virus-Scanned: amavisd-new-snap at mailout1.bnsvcs.net
Received: from mailout1.bnsvcs.net ([127.0.0.1]) by localhost (mailout1.bnsvcs.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HhLZN0vgO+pS; Wed, 23 Jan 2008 14:16:07 +0000 (UTC)
Received: from [10.10.0.156] (vpn-d50.fi.basen.net [212.226.42.50]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: kajtzu@fi.basen.net) by mailout1.bnsvcs.net (Postfix) with ESMTPSA id C555E3BC00C; Wed, 23 Jan 2008 14:16:04 +0000 (UTC)
Message-Id: <9D75F0D9-6003-41F4-A139-B8CC57189CE5@basen.net>
From: Kaj Niemi
To: "Joseph Jackson"
In-Reply-To: <52e40b5d0801222108g5508412fxb5f07475d82e3dc6@mail.gmail.com>
Content-Type: multipart/signed; boundary=Apple-Mail-15--547741066; micalg=sha1; protocol="application/pkcs7-signature"
Mime-Version: 1.0 (Apple Message framework v915)
Date: Wed, 23 Jan 2008 22:15:58 +0800
References: <52e40b5d0801222108g5508412fxb5f07475d82e3dc6@mail.gmail.com>
X-Mailer: Apple Mail (2.915)
X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by milter-greylist-4.0 (puck.nether.net [204.42.254.5]); Wed, 23 Jan 2008 09:16:32 -0500 (EST)
X-Content-Filtered-By: Mailman/MimeDel 2.1.9
Cc: Cisco
Subject: Re: [c-nsp] Tacacs+ accounting on ASA/PIX 7.x
X-BeenThere: cisco-nsp@puck.nether.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "list for people using cisco in a NSP \(Network service provider\)
 environment"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 23 Jan 2008 14:16:32 -0000

--Apple-Mail-15--547741066
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit

Hi,

Yes, it's possible to log commands, logins, etc. to the PIX/ASA itself.

aaa accounting command tacacs-group
aaa accounting enable console tacacs-group
aaa accounting ssh console tacacs-group

Available as of 7.0 or so.

Kaj

On Jan 23, 2008, at 13:08, Joseph Jackson wrote:

> Hey all,
>
> I know in the past the pix/asa would not generate account records of what command were entered on the device. Does anyone know if this has changed? I've read some docs that talk about accounting traffic that passes THROUGH the device but not accounting for what commands are entered on the device from what user, like you get on a IOS router.
>
> Thanks
>
> Joseph
> _______________________________________________
> cisco-nsp mailing list cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

HTH

Kaj

--
Kaj J.
Niemi +358 45 63 12000

--Apple-Mail-15--547741066--

From psirt@cisco.com Wed Jan 23 11:54:19 2008
Received: from av-tac-rtp.cisco.com (hen.cisco.com [64.102.19.198]) by puck.nether.net (8.14.2/8.12.9) with ESMTP id m0NGsJmb060497 for ; Wed, 23 Jan 2008 11:54:19 -0500 (EST) (envelope-from psirt@cisco.com)
X-Envelope-From: psirt@cisco.com
X-TACSUNS: Virus Scanned
Received: from rooster.cisco.com (localhost [127.0.0.1]) by av-tac-rtp.cisco.com (8.11.7p3+Sun/8.11.7) with ESMTP id m0NGsDq15087 for ; Wed, 23 Jan 2008 11:54:14 -0500 (EST)
Received: from clubhouse.cisco.com (clubhouse-5.cisco.com [64.100.21.5]) by rooster.cisco.com (8.11.7p3+Sun/8.11.7) with SMTP id m0NGsju04567; Wed, 23 Jan 2008 11:54:45 -0500 (EST)
Sender: nobody@cisco.com
From: Cisco Systems Product Security Incident Response Team
To: cisco-nsp@puck.nether.net
Date: Wed, 23 Jan 2008 11:33:55 -0500
Message-id: <200801231138.asa@psirt.cisco.com>
Errors-to: nobody@cisco.com
Content-Type: Text/Plain; charset="us-ascii"
Content-Transfer-Encoding: 8bit
Prevent-NonDelivery-Report:
Content-Return: Prohibited
X-Greylist: Sender is SPF-compliant, not delayed by milter-greylist-4.0 (puck.nether.net [204.42.254.5]); Wed, 23 Jan 2008 11:54:19 -0500 (EST)
Cc: psirt@cisco.com
Subject: [c-nsp] Cisco Security Advisory: Cisco PIX and ASA Time-to-Live Vulnerability
X-BeenThere: cisco-nsp@puck.nether.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "list for people using cisco in a NSP \(Network service provider\) environment"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 23 Jan 2008 16:54:20 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco PIX and ASA Time-to-Live Vulnerability

Advisory ID: cisco-sa-20080123-asa

http://www.cisco.com/warp/public/707/cisco-sa-20080123-asa.shtml

Revision 1.0

For Public Release 2008 January 23 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

A
crafted IP packet vulnerability exists in the Cisco PIX 500 Series Security Appliance (PIX) and the Cisco 5500 Series Adaptive Security Appliance (ASA) that may result in a reload of the device. This vulnerability is triggered during processing of a crafted IP packet when the Time-to-Live (TTL) decrement feature is enabled. Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0028 has been assigned to this vulnerability.

Cisco has released free software updates that address this vulnerability. A workaround that mitigates this vulnerability is available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080123-asa.shtml.

Affected Products
=================

Vulnerable Products
+------------------

The TTL decrement feature was introduced in version 7.2(2) and it is disabled by default. The Cisco PIX and ASA security appliances running software versions prior to 7.2(3)006 or 8.0(3) and that have the TTL decrement feature enabled are vulnerable.

By default the PIX and ASA security appliance software does not decrement the TTL of transient packets. The ability to decrement the TTL of transient packets can be enabled on a selective or global basis by using the set connection decrement-ttl command in the policy-map class configuration mode.

To determine whether you are running this feature use the show running-config command and search for the set connection decrement-ttl command. Alternatively you can use the include argument to search for this command as follows:

    ASA#show running-config | include decrement-ttl
     set connection decrement-ttl
    ASA#

The set connection decrement-ttl command is part of a configured class-map. In order for this command to take effect it must be applied using a policy-map (assigned globally or to an interface).
For more information about the Modular Policy Framework on the Cisco ASA and PIX refer to the following link:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mpc.html

To determine whether you are running a vulnerable version of Cisco PIX or ASA software, issue the show version command-line interface (CLI) command. The following example shows a Cisco ASA Security Appliance that runs software release 7.2(3):

    ASA#show version

    Cisco Adaptive Security Appliance Software Version 7.2(3)

    [...]

Customers who use the Cisco Adaptive Security Device Manager (ASDM) to manage their devices can find the version of the software displayed in the table in the login window or in the upper left corner of the ASDM window. The version notation is similar to the following:

    PIX Version 7.2(3)

Products Confirmed Not Vulnerable
+--------------------------------

Cisco PIX and ASA security appliances which do not support the TTL decrement feature or are not explicitly configured for it are not vulnerable.

Note: The TTL decrement feature was introduced in version 7.2(2), and it is disabled by default.

The Cisco Firewall Services Module (FWSM) is not vulnerable. No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

A crafted IP packet vulnerability exists in the Cisco PIX 500 Series Security Appliance (PIX) and the Cisco 5500 Series Adaptive Security Appliance (ASA) that may result in a reload of the device. This vulnerability is triggered during processing of a crafted IP packet when the Time-to-Live (TTL) decrement feature is enabled.

This vulnerability is documented in Cisco Bug ID CSCsk48199.

Vulnerability Scoring Details
+----------------------------

Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html.

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss.

* Cisco PIX and ASA TTL Vulnerability (CSCsk48199)

CVSS Base Score - 7.8
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - None
    Integrity Impact - None
    Availability Impact - Complete

CVSS Temporal Score - 6.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

Impact
======

Successful exploitation of the vulnerability described in this advisory will result in a reload of the affected device. Repeated exploitation can result in a sustained denial of service (DoS) condition.

Software Versions and Fixes
===========================

This vulnerability is fixed in software version 7.2(3)6 or 8.0(3) and later.

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

Workarounds
===========

Disable the TTL decrement feature using the no set connection decrement-ttl command in class configuration mode.
    ASA(config)#policy-map localpolicy1
    ASA(config-pmap)#class local_server
    ASA(config-pmap-c)#no set connection decrement-ttl
    ASA(config-pmap-c)#exit

For additional information on identifying and mitigating TTL based attacks, please refer to the Cisco Applied Intelligence White Paper "TTL Expiry Attack Identification and Mitigation", available at:

http://cisco.com/web/about/security/intelligence/ttl-expiry.html

Obtaining Fixed Software
========================

Cisco has released free software updates that address this vulnerability. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac@cisco.com

Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.

Status of this Notice: Final
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK.
CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20080123-asa.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

  * cust-security-announce@cisco.com
  * first-teams@first.org
  * bugtraq@securityfocus.com
  * vulnwatch@vulnwatch.org
  * cisco@spot.colorado.edu
  * cisco-nsp@puck.nether.net
  * full-disclosure@lists.grok.org.uk
  * comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

+----------------------------------------+
| Revision |                 | Initial   |
| 1.0      | 2008-January-23 | public    |
|          |                 | release   |
+----------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.

+----------------------------------------------------------------------
All contents are Copyright (C) 2006-2008 Cisco Systems, Inc. All rights reserved.
+----------------------------------------------------------------------
Updated: Jan 21, 2008                                Document ID: 100314
+----------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHl2u286n/Gc8U/uARAguWAJsHVKpw/9IghAIFi+f6aueoyc8+pQCaAxsH
44Maa1texObtmaCxvo4ucN8=
=lT07
-----END PGP SIGNATURE-----

From rubensk@gmail.com Wed Jan 23 12:02:32 2008
Received: from nz-out-0506.google.com (nz-out-0506.google.com [64.233.162.228]) by puck.nether.net (8.14.2/8.12.9) with ESMTP id m0NH2WaQ062523 for ; Wed, 23 Jan 2008 12:02:32 -0500 (EST) (envelope-from rubensk@gmail.com)
X-Envelope-From: rubensk@gmail.com
Received: by nz-out-0506.google.com with SMTP id q3so1759898nzb.7 for ; Wed, 23 Jan 2008 09:02:32 -0800 (PST)
Received: by 10.141.204.16 with SMTP id g16mr6496087rvq.113.1201107751873; Wed, 23 Jan 2008 09:02:31 -0800 (PST)
Received: by 10.141.179.8 with HTTP; Wed, 23 Jan 2008 09:02:31 -0800 (PST)
Message-ID: <6bb5f5b10801230902l1f6cf914h7b30fb81cacda42@mail.gmail.com>
Date: Wed, 23 Jan 2008 15:02:31 -0200
From: "Rubens Kuhl Jr."
To: "James Humphris"
In-Reply-To:
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References:
X-Greylist: Sender is SPF-compliant, not delayed by milter-greylist-4.0 (puck.nether.net [204.42.254.5]); Wed, 23 Jan 2008 12:02:32 -0500 (EST)
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cisco ME-6524 platform architecture
X-BeenThere: cisco-nsp@puck.nether.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "list for people using cisco in a NSP \(Network service provider\) environment"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 23 Jan 2008 17:02:33 -0000

> The part I'm struggling with is how this relates to the fixed configuration of the ME-6524.
> I appreciate that its based upon the SUP-720, and utilises MSFC2A with PFC3C, but I when I issue a "show

Actually it's closer to SUP-32, as the ME-6524 is a classic-bus only device.

> KUMA 1 (2.0)
> HYPERION 1 (6.0)
> R2D2 1 (2.0)
> DHANUSH 2 (2.0)
> VISHAKHA 8 (1.0)

My guess is the Vishakha ASICs are the ones connected to the customer ports; it's documented that there are 8 ASICs for the customer ports, each 1 serving groups of 3 ports.

Rubens

From psirt@cisco.com Wed Jan 23 12:38:27 2008
Received: from av-tac-rtp.cisco.com (hen.cisco.com [64.102.19.198]) by puck.nether.net (8.14.2/8.12.9) with ESMTP id m0NHcQ2M070085 for ; Wed, 23 Jan 2008 12:38:27 -0500 (EST) (envelope-from psirt@cisco.com)
X-Envelope-From: psirt@cisco.com
X-TACSUNS: Virus Scanned
Received: from rooster.cisco.com (localhost [127.0.0.1]) by av-tac-rtp.cisco.com (8.11.7p3+Sun/8.11.7) with ESMTP id m0NHcL719450 for ; Wed, 23 Jan 2008 12:38:21 -0500 (EST)
Received: from clubhouse.cisco.com (clubhouse-5.cisco.com [64.100.21.5]) by rooster.cisco.com (8.11.7p3+Sun/8.11.7) with SMTP id m0NHcqu28691; Wed, 23 Jan 2008 12:38:52 -0500 (EST)
Sender: nobody@cisco.com
From: Cisco Systems Product Security Incident Response Team
To: cisco-nsp@puck.nether.net
Date: Wed, 23 Jan 2008 12:28:29 -0500
Message-id: <200801231230.avs@psirt.cisco.com>
Errors-to: nobody@cisco.com
Content-Type: Text/Plain; charset="us-ascii"
Content-Transfer-Encoding: 8bit
Prevent-NonDelivery-Report:
Content-Return: Prohibited
X-Greylist: Sender is SPF-compliant, not delayed by milter-greylist-4.0 (puck.nether.net [204.42.254.5]); Wed, 23 Jan 2008 12:38:27 -0500 (EST)
Cc: psirt@cisco.com
Subject: [c-nsp] Cisco Security Advisory: Default Passwords in the Application Velocity System
X-BeenThere: cisco-nsp@puck.nether.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "list for people using cisco in a NSP \(Network service provider\) environment"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date:
 Wed, 23 Jan 2008 17:38:27 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Default Passwords in the Application Velocity System

Advisory ID: cisco-sa-20080123-avs

http://www.cisco.com/warp/public/707/cisco-sa-20080123-avs.shtml

Revision 1.0

For Public Release 2008 January 23 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Versions of the Cisco Application Velocity System (AVS) prior to software version AVS 5.1.0 do not prompt users to modify system account passwords during the initial configuration process. Because there is no requirement to change these credentials during the initial configuration process, an attacker may be able to leverage the accounts that have default credentials, some of which have root privileges, to take full administrative control of the AVS system.

After upgrading to software version AVS 5.1.0, users will be prompted to modify these credentials.

Cisco will make free upgrade software available to address this vulnerability for affected customers. The software upgrade will be applicable only for the AVS 3120, 3180, and 3180A systems. The workaround identified in this document describes how to change the passwords in current releases of software for the AVS 3110.

Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0029 has been assigned to this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080123-avs.shtml.

Affected Products
=================

Vulnerable Products
+------------------

This vulnerability affects the Cisco AVS 3110, 3120, 3180, and 3180A Management Station appliances that are running software versions prior to AVS 5.1.0. Administrators can determine the software version of the AVS appliances by logging in to the Management Station web-based user interface or from the command-line interface (CLI) of the appliance operating system.
Customers who use the AVS 3180 or 3180A Management Station can determine their node software versions by navigating to the Cluster Information Page. Each registered node will display the corresponding software version when the node is selected.

The AVS appliance version can also be determined from the host operating system by using the "Show Version" command. The following example shows "Show Version" output for an AVS 3120 appliance that is running version 5.1.0:

    velocity>Show Version
    ****************************************
    Cisco Application Velocity System,(AVS)
    ----------------------------------------
    AVS 3120-K9 005.001(000.034)
    ****************************************

The following example shows "Show Version" output for an AVS 3180 or 3180A appliance that is running version 5.1.0:

    velocity>Show Version
    ****************************************
    Cisco Application Velocity System,(AVS)
    ----------------------------------------
    AVS 3180-MGMT 005.001(000.034)
    ****************************************

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

The Cisco AVS 3110 and 3120 are enterprise data center appliances for improving web application performance, measuring end-user response time, and managing application security. The Cisco AVS 3120 enforces application security with an integrated web application firewall. The Cisco AVS 3180 and 3180A Management Stations provide web-based tools for the configuration and application performance monitoring for a cluster of AVS 3110s and 3120s or individual nodes.

The Cisco AVS 3110, 3120, 3180, and 3180A Management Stations use some system accounts that are initially configured with default passwords. Vulnerable versions of the AVS software do not prompt the administrator to change the passwords for these accounts, including accounts with root privileges, during the initial configuration process.
Non-vulnerable versions of AVS software will now prompt administrators to change these accounts after installation.

Note: If the passwords for the AVS 3110 or 3120 are changed on the device itself and it has previously been registered with an AVS 3180 or 3180A Management Station, the node must be re-registered with the Management Station console. Otherwise, communication between the AVS 3180 or 3180A Management Station and AVS 3110 or 3120 node will be lost. For additional details about the AVS node registration process, refer to the "Register Node" section of the Cisco AVS User's Guide.

After upgrading the appliance software to version AVS 5.1.0 and logging in for the first time, the administrator will now be prompted to change the system account passwords. The following example shows the new password change prompts and the subsequent password change dialog for the AVS 3120 after upgrade:

    velocity login: fgn
    Password:
    **WARNING** System wide secrets are in factory default state.
    Would you like to change these now? [y/n] y
    changing root password
    enter password:
    enter password again:
    changing fgn password
    enter password:
    enter password again:
    changing DB password
    enter password:
    enter password again:
    Please wait...The DB password change will take a few minutes.
    changing node manager password
    enter password:
    enter password again:
    changing condenser password
    enter password:
    enter password again:
    changing console password
    enter password:
    enter password again:

The following example shows the new password change prompts and the subsequent password change dialog for the AVS 3180 and 3180A after upgrade:

    velocity login: fgn
    Password:
    **WARNING** System wide secrets are in factory default state.
    Would you like to change these now?
    [y/n] y
    changing root password
    enter password:
    enter password again:
    changing fgn password
    enter password:
    enter password again:
    changing DB password
    enter password:
    enter password again:
    Please wait...The DB password change will take a few minutes.
    changing console password
    enter password:
    enter password again:

This issue is documented in Cisco Bug ID CSCsd94732.

Vulnerability Scoring Details
+----------------------------

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html.

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss.

* AVS Default Account Passwords Don't Require Change (CSCsd94732)

CVSS Base Score - 10.0
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - Complete
    Integrity Impact - Complete
    Availability Impact - Complete

CVSS Temporal Score - 8.3
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

Impact
======

Successful exploitation of the vulnerability may result in full administrative control of the Cisco AVS system or user-level access to the host operating system.
Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

AVS software version 5.1.0 contains the fix for the vulnerability described in this document. AVS software is available for download from the following locations on cisco.com:

  * AVS 3120 5.1.0 (http://www.cisco.com/pcgi-bin/tablebuild.pl/AVS3120-5.1)
  * AVS 3180 5.1.0 (http://www.cisco.com/pcgi-bin/tablebuild.pl/AVS3180-5.1)

Workarounds
===========

The following workarounds are applicable only for the AVS 3110 and are performed on the system shell. The AVS 3110 does not have a CLI. The use of strong passwords is encouraged.

Changing the Root Password
+-------------------------

Complete these steps:

 1. Change the root password by using the following command:

        shell# passwd

 2. Reboot to activate the new settings by using the following command:

        shell# reboot

Changing the Management Console Username and Password
+----------------------------------------------------

Complete these steps:

 1. Open the following file in a text editor:

        $AVS_HOME/console/jboss-3.0.1_tomcat-4.0.4/server/default/deploy/fgconsole.war/users.properties

    Use the line admin=admin to set the username and password. The username appears before the equal sign (=) and the password appears after the equal sign (=). For example, to change the username to Cisco and the password to accelerate, change the admin=admin line to Cisco=accelerate.

 2.
    If you change the username, you must also change this file:

        $AVS_HOME/console/jboss-3.0.1_tomcat-4.0.4/server/default/deploy/fgconsole.war/roles.properties

    The username is set by the line that contains admin=. The username appears before the equal sign (=). For example, to change the user name to Cisco, change the admin= line to Cisco=. Do not change the text after the equal sign (=) in this file; this field specifies the account privileges. The username that you enter here must match the one in the users.properties file in the preceding step.

Changing the Database Username and Password
+------------------------------------------

There are two steps required to change the database password:

 1. First change the database password.
 2. Then update the Management Console configuration file with the new database password.

Complete these steps:

 1. Log in to the database using the old password, and then use the alter SQL command to change to the new password.

        /usr/local/fineground/console/postgres/bin/psql -U fineground -p 5432 fgnlog
        Password :
        Welcome to psql 7.3.4, the PostgreSQL interactive terminal.

        Type:  \copyright for distribution terms
               \h for help with SQL commands
               \? for help on internal slash commands
               \g or terminate with semicolon to execute query
               \q to quit

        fgnlog=# alter user fineground password '';
        \q

 2. The username and password to access the Management Console database are set during the Management Console installation process. If you want to change these later, you can modify an XML configuration file that the Management Console server reads at start-up.

     a. Open the following file in a text editor:

            $AVS_HOME/console/jboss-3.0.1_tomcat-4.0.4/server/default/deploy/postgres-service.xml

        Look for the following section in this file:

            fineground condenser

     b. To change the username, change the value for the UserName configuration property (fineground in this example).

     c.
        To change the password, change the value for the Password configuration property (condenser in this example).

     d. Save and close the file.

Changing the Node Manager Password
+---------------------------------

Complete these steps:

 1. Log in as fgn, and then use the su command to switch to the superuser.

 2. Stop the Condenser and Node Manager:

        /etc/init.d/fgnpn stop

    Press Tab to have the interface complete the command.

 3. Go to the $AVS_HOME/perfnode/node_manager/conf directory.

 4. Back up the file named passwords.

 5. Change the password with the following command:

        $AVS_HOME/perfnode/bin/htpasswd -bcm passwords.new admin

    In the preceding command, passwords.new is the name of the file in which the passwords are stored. Currently only the user admin is supported.

 6. Install the file with the following command:

        install -m 400 -o nobody -g nobody passwords.new passwords

 7. Restart the appliance with the reboot command.

 8. Re-register the node from the Management Console for which the node manager password was changed.

Changing the Condenser Password
+------------------------------

Complete these steps:

 1. Log in as fgn, and then use the su command to switch to the superuser.

 2. Stop the Condenser and Node Manager:

        /etc/init.d/fgnpn stop

    Press Tab to have the interface complete the command.

 3. Go to the $AVS_HOME/perfnode/passwd directory.

 4. Back up the file named .htpasswd.

 5. Change the password with the following command:

        $AVS_HOME/perfnode/bin/htpasswd -bcm passwords.new fineground

    In the preceding command, passwords.new is the name of the file in which the passwords are stored. Currently only the user fineground is supported.

 6. Install the file with the following command:

        install -m 400 -o nobody -g nobody passwords.new .htpasswd

 7. Restart the appliance with the reboot command.

 8. Re-register the node from the Management Console for which the Condenser password was changed.
Obtaining Fixed Software
========================

Cisco has released software updates that address this vulnerability. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.
Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac@cisco.com

Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.

This vulnerability was identified through internal testing.

Status of this Notice: Final
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.
Distribution
============

This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20080123-avs.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

  * cust-security-announce@cisco.com
  * first-teams@first.org
  * bugtraq@securityfocus.com
  * vulnwatch@vulnwatch.org
  * cisco@spot.colorado.edu
  * cisco-nsp@puck.nether.net
  * full-disclosure@lists.grok.org.uk
  * comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

+-------------------------------------------------------------+
| Revision 1.0 | 2008-January-23 | Initial public release     |
+-------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.

+----------------------------------------------------------------------
All contents are Copyright (C) 2006-2008 Cisco Systems, Inc. All rights reserved.
+----------------------------------------------------------------------
Updated: Jan 21, 2008                             Document ID: 100212
+----------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHl3j486n/Gc8U/uARArPpAJwJaihdYFR6B+ljPNEYLq6nCfluxgCbB85h
UYvka5159PAAagGuJDiS10E=
=PnnY
-----END PGP SIGNATURE-----

From Vijay.Nangia@patni.com Wed Jan 23 12:59:09 2008
Received: from BPORELAYSRV1.patni.com (BPOmail01s.patni.com [202.54.213.93] (may be forged)) by puck.nether.net (8.14.2/8.12.9) with ESMTP id m0NHx7OU074050 for ; Wed, 23 Jan 2008 12:59:08 -0500 (EST) (envelope-from Vijay.Nangia@patni.com)
X-Envelope-From: Vijay.Nangia@patni.com
Received: from exchnod01.patni.com ([172.30.0.20]) by BPORELAYSRV1.patni.com with InterScan Message Security Suite; Wed, 23 Jan 2008 22:43:33 +0530
X-MimeOLE: Produced By Microsoft Exchange V6.5
MIME-Version: 1.0
Content-class: urn:content-classes:message
x-titus-version: 2.30.0.22
Date: Wed, 23 Jan 2008 22:43:32 +0530
Message-ID:
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Cisco PIX Device Manager
Thread-Index: Achd40Y6QsORzdKCSie2Sb9olOaJ4g==
X-Priority: 1
Priority: Urgent
importance: high
From: "Nangia, Vijay"
To:
X-imss-version: 2.049
X-imss-result: Passed
X-imss-scanInfo: M:B L:E SM:2
X-imss-tmaseResult: TT:1 TS:-12.0604 TC:1F TRN:47 TV:5.0.1023(15684.001)
X-imss-scores: Clean:100.00000 C:0 M:0 S:0 R:0
X-imss-settings: Baseline:1 C:1 M:1 S:4 R:3 (0.0000 0.0000)
X-Greylist: Delayed for 00:45:30 by milter-greylist-4.0 (puck.nether.net [204.42.254.5]); Wed, 23 Jan 2008 12:59:09 -0500 (EST)
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
X-Content-Filtered-By: Mailman/MimeDel 2.1.9
Subject: [c-nsp] Cisco PIX Device Manager
X-BeenThere: cisco-nsp@puck.nether.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "list for people using cisco in a NSP \(Network service provider\) environment"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 23 Jan 2008 17:59:09 -0000

Classification INTERNAL :The contents of this mail are restricted to being within Patni. Its non-compliance violates the Patni BPO policy

Hi,

Can you tell me why Cisco PDM (GUI) does not take the same credentials from ACS that work for telnet (CLI)?

Thanks
Vijay

From sagupta@cisco.com Wed Jan 23 13:16:19 2008
Received: from sj-iport-3.cisco.com (sj-iport-3-in.cisco.com [171.71.176.72]) by puck.nether.net (8.14.2/8.12.9) with ESMTP id m0NIGIPA002776 for ; Wed, 23 Jan 2008 13:16:19 -0500 (EST) (envelope-from sagupta@cisco.com)
X-Envelope-From: sagupta@cisco.com
Received: from sj-dkim-4.cisco.com ([171.71.179.196]) by sj-iport-3.cisco.com with ESMTP; 23 Jan 2008 10:16:14 -0800
Received: from sj-core-2.cisco.com (sj-core-2.cisco.com [171.71.177.254]) by sj-dkim-4.cisco.com (8.12.11/8.12.11) with ESMTP id m0NIGE9W016465; Wed, 23 Jan 2008 10:16:14 -0800
Received: from xbh-sjc-221.amer.cisco.com (xbh-sjc-221.cisco.com [128.107.191.63]) by sj-core-2.cisco.com (8.12.10/8.12.6) with ESMTP id m0NIFtjF013342; Wed, 23 Jan 2008 18:16:14 GMT
Received: from xmb-sjc-229.amer.cisco.com ([128.107.191.122]) by xbh-sjc-221.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 23 Jan 2008 10:16:04 -0800
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Wed, 23 Jan 2008 10:16:03 -0800
Message-ID: <55C7D0A26108FD47BFEDF55BCBFAD93C0505C31B@xmb-sjc-229.amer.cisco.com>
In-Reply-To:
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [c-nsp] Cisco ME-6524 platform architecture
Thread-Index: AchdsKxpA2SBwoZTR+GVDUDHJSK0wgAOwjDQ
From: "Sachin Gupta (sagupta)"
To: "James Humphris" ,
X-OriginalArrivalTime: 23 Jan 2008 18:16:04.0819 (UTC) FILETIME=[04704230:01C85DEC]
Authentication-Results: sj-dkim-4; header.From=sagupta@cisco.com;
 dkim=pass ( sig from cisco.com/sjdkim4002 verified; );
X-Greylist: Sender is SPF-compliant, not delayed by milter-greylist-4.0 (puck.nether.net [204.42.254.5]); Wed, 23 Jan 2008 13:16:19 -0500 (EST)
Subject: Re: [c-nsp] Cisco ME-6524 platform architecture
X-BeenThere: cisco-nsp@puck.nether.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "list for people using cisco in a NSP \(Network service provider\) environment"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 23 Jan 2008 18:16:20 -0000

Hi James,

I am the Product Manager for the ME-6524 platform. I am very interested to hear about your deployment scenario and can help answer your questions.

The ME-6524 has a similar architecture to Sup32 with the one key difference that it supports PFC3C rather than the PFC3B on the Sup32. Sup32 architecture documents can be leveraged to understand the ME-6524.

Please feel free to contact me directly if you have any more questions.

Sachin

-----Original Message-----
From: cisco-nsp-bounces@puck.nether.net [mailto:cisco-nsp-bounces@puck.nether.net] On Behalf Of James Humphris
Sent: Wednesday, January 23, 2008 3:11 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco ME-6524 platform architecture

Dear all,

I stumbled across this excellent forum yesterday whilst trying to gain some information on the platform architecture of the Cisco ME-6524. I have been extensively testing this device for a couple of months now, using a mixture of local switching, multiplex-uni and EoMPLS with MPLS-TE & FRR. So far, it has performed remarkably well, especially considering its price point as an entry level device to the Cisco 6500 family.

I do however have a question regarding the platform architecture of the box.
As I'm sure you all know, the architecture of the modular 6500 series is very well documented by Cisco, including details of the modules (PFC, MSFC etc..), types of ASIC (Pinnacle, Medusa, Earl, Tycho and Superman etc..) and how they interoperate at a high level.

The part I'm struggling with is how this relates to the fixed configuration of the ME-6524. I appreciate that it's based upon the SUP-720, and utilises MSFC2A with PFC3C, but when I issue a "show asic-version slot 1", I don't see any ASIC names that I recognise:

nsn1#sho asic-version slot 1
Module in slot 1 has 5 type(s) of ASICs
        ASIC Name      Count      Version
             KUMA          1      (2.0)
         HYPERION          1      (6.0)
             R2D2          1      (2.0)
          DHANUSH          2      (2.0)
         VISHAKHA          8      (1.0)

Can anyone help with some more detailed information relating to the platform configuration of this device?

Many thanks in advance

James Humphris
IP Engineering, Nexagent Ltd.

_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From prvs=jasongurtz=901ee2820@npumail.com Wed Jan 23 13:23:46 2008
Received: from mxgateway.npumail.com (mxgateway.npumail.com [69.183.133.202]) by puck.nether.net (8.14.2/8.12.9) with ESMTP id m0NINjWx004336 for ; Wed, 23 Jan 2008 13:23:45 -0500 (EST) (envelope-from prvs=jasongurtz=901ee2820@npumail.com)
X-Envelope-From: prvs=jasongurtz=901ee2820@npumail.com
X-IronPort-AV: E=Sophos;i="4.25,239,1199682000"; d="scan'208";a="659938"
Received: from exchgsrv.nputilities.local ([172.16.2.1]) by mxgateway.npumail.com with ESMTP; 23 Jan 2008 13:23:35 -0500
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
X-MimeOLE: Produced By Microsoft Exchange V6.5
Date: Wed, 23 Jan 2008 13:23:31 -0500
Message-ID:
In-Reply-To:
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [c-nsp] Cisco PIX Device Manager
Thread-Index: Achd40Y6QsORzdKCSie2Sb9olOaJ4gACaG2A
References:
From: "Jason Gurtz"
To:
X-Greylist: Sender is SPF-compliant, not delayed by milter-greylist-4.0 (puck.nether.net [204.42.254.5]); Wed, 23 Jan 2008 13:23:46 -0500 (EST)
Subject: Re: [c-nsp] Cisco PIX Device Manager
X-BeenThere: cisco-nsp@puck.nether.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "list for people using cisco in a NSP \(Network service provider\) environment"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 23 Jan 2008 18:23:46 -0000

> Classification INTERNAL :The contents of this mail are restricted to
> being within Patni. Its non-compliance violates the Patni BPO policy

Sorry no one is allowed to answer!

[REDACTED to protect my innocence!]

~JasonG

From madunix@gmail.com Wed Jan 23 14:44:21 2008
Received: from wr-out-0506.google.com (wr-out-0506.google.com [64.233.184.227]) by puck.nether.net (8.14.2/8.12.9) with ESMTP id m0NJiK5u029860 for ; Wed, 23 Jan 2008 14:44:21 -0500 (EST) (envelope-from madunix@gmail.com)
X-Envelope-From: madunix@gmail.com
Received: by wr-out-0506.google.com with SMTP id c38so1258798wra.16 for ; Wed, 23 Jan 2008 11:44:20 -0800 (PST)
Received: by 10.142.222.21 with SMTP id u21mr5201545wfg.189.1201117459388; Wed, 23 Jan 2008 11:44:19 -0800 (PST)
Received: by 10.142.80.18 with HTTP; Wed, 23 Jan 2008 11:44:19 -0800 (PST)
Message-ID: <4d3f56c90801231144s7e6a6c7i9523d853d6c66e69@mail.gmail.com>
Date: Wed, 23 Jan 2008 21:44:19 +0200
From: "Mad Unix"
To: cisco-nsp@puck.nether.net
MIME-Version: 1.0
X-Greylist: Sender is SPF-compliant, not delayed by milter-greylist-4.0 (puck.nether.net [204.42.254.5]); Wed, 23 Jan 2008 14:44:21 -0500 (EST)
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-Content-Filtered-By: Mailman/MimeDel 2.1.9
Subject: [c-nsp] MUX
X-BeenThere:
 cisco-nsp@puck.nether.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "list for people using cisco in a NSP \(Network service provider\) environment"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 23 Jan 2008 19:44:21 -0000

Dear ALL

We are looking to get a MUX for the Fiber between our 2 buildings...
out of your experience, what do you think about getting "Marconi OMS"
http://www.ericsson.com/solutions/products/hp/Optical_Networks_pa.shtml
since our LAN and WAN built on Cisco and Extreme devices.

Thanks
--
madunix

From alaerte.vidali@nsn.com Wed Jan 23 15:54:16 2008
Received: from mgw-mx03.nokia.com (smtp.nokia.com [192.100.122.230]) by puck.nether.net (8.14.2/8.12.9) with ESMTP id m0NKsEmm043760 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for ; Wed, 23 Jan 2008 15:54:16 -0500 (EST) (envelope-from alaerte.vidali@nsn.com)
X-Envelope-From: alaerte.vidali@nsn.com
Received: from esebh105.NOE.Nokia.com (esebh105.ntc.nokia.com [172.21.138.211]) by mgw-mx03.nokia.com (Switch-3.2.6/Switch-3.2.6) with ESMTP id m0NKruv0031881 for ; Wed, 23 Jan 2008 22:54:09 +0200
Received: from daebh102.NOE.Nokia.com ([10.241.35.112]) by esebh105.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 23 Jan 2008 22:53:49 +0200
Received: from daebe103.NOE.Nokia.com ([10.241.35.24]) by daebh102.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 23 Jan 2008 14:53:46 -0600
x-mimeole: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Wed, 23 Jan 2008 14:53:31 -0600
Message-ID: <1A629FEA23F9F14CAF0B8B3A5AA2FC29013521B2@daebe103.NOE.Nokia.com>
In-Reply-To:
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: VPLS Error Message: Output interface: if-?(0), imposed label stack {}
Thread-Index: Achd4fORii0TNbaoS0+tMBCmTgoVzQAHufQA
References:
From:
To:
X-OriginalArrivalTime: 23 Jan 2008 20:53:46.0506 (UTC) FILETIME=[0C0B1EA0:01C85E02]
X-Nokia-AV: Clean
X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by milter-greylist-4.0 (puck.nether.net [204.42.254.5]); Wed, 23 Jan 2008 15:54:16 -0500 (EST)
Subject: [c-nsp] VPLS Error Message: Output interface: if-?(0), imposed label stack {}
X-BeenThere: cisco-nsp@puck.nether.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "list for people using cisco in a NSP \(Network service provider\) environment"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 23 Jan 2008 20:54:16 -0000

In a very simple lab setup, VPLS is not working. I am wondering if it is platform/hardware issue (for example WS-X6548-GE-TX issue). Any idea?

Topology:

CE1a---PE1-----PE2---CE2a

Here is result of related command:

sh mpls l2transport vc 60 det
Local interface: VFI vlan60 VFI up
  MPLS VC type is VFI, interworking type is Ethernet
  Destination address: 200.222.117.41, VC ID: 60, VC status: down
    Output interface: if-?(0), imposed label stack {}
    Preferred path: not configured
    Default path: no route
    No adjacency
  Create time: 00:19:18, last status change time: 00:06:28
  Signaling protocol: LDP, peer 200.222.117.41:0 up
    Targeted Hello: 200.222.117.42(LDP Id) -> 200.222.117.41
    MPLS VC labels: local 21, remote 16
    Group ID: local 0, remote 0
    MTU: local 1500, remote 1500
    Remote interface description:
  Sequencing: receive disabled, send disabled
  VC statistics:
    packet totals: receive 0, send 0
    byte totals:   receive 0, send 0
    packet drops:  receive 0, send 0

Configuration:

l2 vfi vlan60 manual
 vpn id 60
 neighbor 200.222.117.41 encapsulation mpls
!
interface Vlan60
 xconnect vfi vlan60
!
mpls label protocol ldp
mpls ldp discovery targeted-hello accept
mpls ldp router-id Loopback0 force
!
interface Loopback0
 ip address 10.10.10.101 255.255.255.255
!
Ip cef

sh ver
Cisco IOS Software, c7600s72033_rp Software (c7600s72033_rp-ADVIPSERVICESK9-M),
Version 12.2(33)SRB2, RELEASE SOFTWARE (fc1)

show module

Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1    2  Supervisor Engine 720 (Active)         WS-SUP720-3B       SAD092604Y5
  2    8  8 port 1000mb GBIC Enhanced QoS        WS-X6408A-GBIC     SAL10489531
  3   48  SFM-capable 48 port 10/100/1000mb RJ45 WS-X6548-GE-TX     SAL10425G69

Mod  Sub-Module                  Model              Serial       Hw     Status
---- --------------------------- ------------------ ----------- ------- -------
  1  Policy Feature Card 3       WS-F6K-PFC3B       SAD09240BDE  2.1    Ok
  1  MSFC3 Daughterboard         WS-SUP720          SAD0925023U  2.3    Ok

Tks,
Alaerte

From leonardo.souza@nec.com.br Wed Jan 23 16:12:52 2008
Received: from srvmail00.nec.com.br (ns1.nec.com.br [200.169.165.2]) by puck.nether.net (8.14.2/8.12.9) with ESMTP id m0NLCpA0048092 for ; Wed, 23 Jan 2008 16:12:51 -0500 (EST) (envelope-from leonardo.souza@nec.com.br)
X-Envelope-From: leonardo.souza@nec.com.br
Received: from srvmail00.nec.com.br (unknown [127.0.0.1]) by srvmail00.nec.com.br (Symantec Mail Security) with ESMTP id 99D0B1153 for ; Wed, 23 Jan 2008 19:09:26 -0200 (BRST)
X-AuditID: 0a0a0a3f-ae7e5bb000000953-1c-4797ad06e9f8
Received: from spsrvmail03.nec.br (unknown [10.10.10.45]) by srvmail00.nec.com.br (Symantec Mail Security) with ESMTP id 81E4F7FE11 for ; Wed, 23 Jan 2008 19:09:26 -0200 (BRST)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Wed, 23 Jan 2008 19:10:15 -0300
Message-ID: <9E07F8717FE8BC4FBAE6860F61EA6C1DEB4D16@spsrvmail03.nec.br>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Key-chain and MD5 authentication for IS-IS
Thread-Index: AcheDLsbN+S2PjUYRRi/tAe5edd8vQ==
From: "Leonardo Gama Souza"
To:
X-Brightmail-Tracker: AAAAAA==
X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by milter-greylist-4.0 (puck.nether.net [204.42.254.5]); Wed, 23 Jan 2008
 16:12:52 -0500 (EST)
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Content-Filtered-By: Mailman/MimeDel 2.1.9
Subject: [c-nsp] Key-chain and MD5 authentication for IS-IS
X-BeenThere: cisco-nsp@puck.nether.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "list for people using cisco in a NSP \(Network service provider\) environment"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 23 Jan 2008 21:12:52 -0000

Hello everybody,

Do you know whether I have to update the key chain string after an IOS upgrade? Let's fancy from 12.2S to 12.0S...
I'm only using it for IS-IS instance authentication.

Has anyone ever run into this situation?

I'll appreciate any clue or recommendation.

Leonardo.

From avayner@cisco.com Wed Jan 23 16:42:08 2008
Received: from ams-iport-1.cisco.com (ams-iport-1.cisco.com [144.254.224.140]) by puck.nether.net (8.14.2/8.12.9) with ESMTP id m0NLg7Xc053637 for ; Wed, 23 Jan 2008 16:42:07 -0500 (EST) (envelope-from avayner@cisco.com)
X-Envelope-From: avayner@cisco.com
X-IronPort-AV: E=Sophos;i="4.25,240,1199660400"; d="scan'208";a="3808890"
Received: from ams-dkim-2.cisco.com ([144.254.224.139]) by ams-iport-1.cisco.com with ESMTP; 23 Jan 2008 22:42:02 +0100
Received: from ams-core-1.cisco.com (ams-core-1.cisco.com [144.254.224.150]) by ams-dkim-2.cisco.com (8.12.11/8.12.11) with ESMTP id m0NLg1or019949; Wed, 23 Jan 2008 22:42:01 +0100
Received: from xbh-ams-331.emea.cisco.com (xbh-ams-331.cisco.com [144.254.231.71]) by ams-core-1.cisco.com (8.12.10/8.12.6) with ESMTP id m0NLg1lJ020249; Wed, 23 Jan 2008 21:42:01 GMT
Received: from xmb-ams-331.cisco.com ([144.254.231.76]) by xbh-ams-331.emea.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 23 Jan 2008 22:42:01 +0100
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Wed, 23 Jan 2008 22:41:58 +0100
Message-ID: <67F7C1FAF83A074AA3520D8F155782A5E0982A@xmb-ams-331.emea.cisco.com>
In-Reply-To: <4d3f56c90801231144s7e6a6c7i9523d853d6c66e69@mail.gmail.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [c-nsp] MUX
Thread-Index: Achd+O9PdDxd088OS0qmtunsE5FqewAD7/lA
References: <4d3f56c90801231144s7e6a6c7i9523d853d6c66e69@mail.gmail.com>
From: "Arie Vayner (avayner)"
To: "Mad Unix" ,
X-OriginalArrivalTime: 23 Jan 2008 21:42:01.0568 (UTC) FILETIME=[C9A28600:01C85E08]
Authentication-Results: ams-dkim-2; header.From=avayner@cisco.com; dkim=pass ( sig from cisco.com/amsdkim2001 verified; );
X-Greylist: Sender is SPF-compliant, not delayed by milter-greylist-4.0 (puck.nether.net [204.42.254.5]); Wed, 23 Jan 2008 16:42:08 -0500 (EST)
Subject: Re: [c-nsp] MUX
X-BeenThere: cisco-nsp@puck.nether.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "list for people using cisco in a NSP \(Network service provider\) environment"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 23 Jan 2008 21:42:08 -0000

Mr. madunix,

Not sure what your requirements are, but if all you need is multiple GigE links over the same fiber, take a look at this:
http://www.cisco.com/en/US/products/ps6575/index.html

Arie

-----Original Message-----
From: cisco-nsp-bounces@puck.nether.net [mailto:cisco-nsp-bounces@puck.nether.net] On Behalf Of Mad Unix
Sent: Wednesday, January 23, 2008 21:44 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] MUX

Dear ALL

We are looking to get a MUX for the Fiber between our 2 buildings...
out of your experience, what do you think about getting "Marconi OMS"
http://www.ericsson.com/solutions/products/hp/Optical_Networks_pa.shtml
since our LAN and WAN built on Cisco and Extreme devices.

Thanks
--
madunix
_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From peter@rathlev.dk Wed Jan 23 16:47:03 2008
Received: from ns.auh.dk ([130.225.15.254]) by puck.nether.net (8.14.2/8.12.9) with ESMTP id m0NLl1mG055054 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Wed, 23 Jan 2008 16:47:02 -0500 (EST) (envelope-from peter@rathlev.dk)
X-Envelope-From: peter@rathlev.dk
Received: from [192.168.1.143] (563460fe.rev.stofanet.dk [86.52.96.254]) (authenticated bits=0) by ns.auh.dk (8.13.1/8.13.1) with ESMTP id m0NLi9c0014475 for ; Wed, 23 Jan 2008 22:44:10 +0100
From: Peter Rathlev
To: cisco-nsp@puck.nether.net
In-Reply-To: <1A629FEA23F9F14CAF0B8B3A5AA2FC29013521B2@daebe103.NOE.Nokia.com>
References: <1A629FEA23F9F14CAF0B8B3A5AA2FC29013521B2@daebe103.NOE.Nokia.com>
Content-Type: text/plain
Date: Wed, 23 Jan 2008 22:46:50 +0100
Message-Id: <1201124810.3542.6.camel@localhost.localdomain>
Mime-Version: 1.0
X-Mailer: Evolution 2.8.0 (2.8.0-40.el5)
Content-Transfer-Encoding: 7bit
X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by milter-greylist-4.0 (puck.nether.net [204.42.254.5]); Wed, 23 Jan 2008 16:47:03 -0500 (EST)
Subject: Re: [c-nsp] VPLS Error Message: Output interface: if-?(0), imposed label stack {}
X-BeenThere: cisco-nsp@puck.nether.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "list for people using cisco in a NSP \(Network service provider\) environment"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 23 Jan 2008 21:47:03 -0000

With the LAN cards, like the 6548, you can only use subinterface or port mode EoMPLS. Local switching (which VFIs provide) needs OSM/SPA/ES card on the backbone side.
A "debug mpls l2transport vc event" should give you a bunch of messages about the switch being unable to find a suitable tunnel label.

You can use a set of looped ports to provide local switching, looping between a trunk interface and an EoMPLS port mode interface on each side of the tunnel. But it's not very "neat". :-)

Regards,
Peter

On Wed, 2008-01-23 at 14:53 -0600, alaerte.vidali@nsn.com wrote:
> In a very simple lab setup, VPLS is not working. I am wondering if it is
> platform/hardware issue (for example WS-X6548-GE-TX issue). Any idea?
>
> Topology:
>
> CE1a---PE1-----PE2---CE2a
>
> Here is result of related command:
>
> sh mpls l2transport vc 60 det
> Local interface: VFI vlan60 VFI up
>   MPLS VC type is VFI, interworking type is Ethernet
>   Destination address: 200.222.117.41, VC ID: 60, VC status: down
>     Output interface: if-?(0), imposed label stack {}
>     Preferred path: not configured
>     Default path: no route
>     No adjacency
>   Create time: 00:19:18, last status change time: 00:06:28
>   Signaling protocol: LDP, peer 200.222.117.41:0 up
>     Targeted Hello: 200.222.117.42(LDP Id) -> 200.222.117.41
>     MPLS VC labels: local 21, remote 16
>     Group ID: local 0, remote 0
>     MTU: local 1500, remote 1500
>     Remote interface description:
>   Sequencing: receive disabled, send disabled
>   VC statistics:
>     packet totals: receive 0, send 0
>     byte totals: receive 0, send 0
>     packet drops: receive 0, send 0
>
>
> Configuration:
>
>
> l2 vfi vlan60 manual
>  vpn id 60
>  neighbor 200.222.117.41 encapsulation mpls
> !
> interface Vlan60
>  xconnect vfi vlan60
> !
> mpls label protocol ldp
> mpls ldp discovery targeted-hello accept
> mpls ldp router-id Loopback0 force
> !
> interface Loopback0
>  ip address 10.10.10.101 255.255.255.255
> !
> Ip cef
>
> sh ver
> Cisco IOS Software, c7600s72033_rp Software
> (c7600s72033_rp-ADVIPSERVICESK9-M),
> Version 12.2(33)SRB2, RELEASE SOFTWARE (fc1)
>
>
> show module
>
> Mod Ports Card Type                              Model
> Serial No.
> --- ----- -------------------------------------- ------------------
> -----------
>   1    2  Supervisor Engine 720 (Active)         WS-SUP720-3B
> SAD092604Y5
>   2    8  8 port 1000mb GBIC Enhanced QoS        WS-X6408A-GBIC
> SAL10489531
>   3   48  SFM-capable 48 port 10/100/1000mb RJ45 WS-X6548-GE-TX
> SAL10425G69
>
> Mod  Sub-Module                  Model              Serial       Hw
> Status
> ---- --------------------------- ------------------ ----------- -------
> -------
>   1  Policy Feature Card 3       WS-F6K-PFC3B       SAD09240BDE  2.1
> Ok
>   1  MSFC3 Daughterboard         WS-SUP720          SAD0925023U  2.3
> Ok
>
>
> Tks,
> Alaerte
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From peter@rathlev.dk Wed Jan 23 16:53:44 2008
Received: from ns.auh.dk ([130.225.15.254]) by puck.nether.net (8.14.2/8.12.9) with ESMTP id m0NLrgPF060070 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Wed, 23 Jan 2008 16:53:43 -0500 (EST) (envelope-from peter@rathlev.dk)
X-Envelope-From: peter@rathlev.dk
Received: from [192.168.1.143] (563460fe.rev.stofanet.dk [86.52.96.254]) (authenticated bits=0) by ns.auh.dk (8.13.1/8.13.1) with ESMTP id m0NLooKI014493; Wed, 23 Jan 2008 22:50:50 +0100
From: Peter Rathlev
To: Mad Unix
In-Reply-To: <67F7C1FAF83A074AA3520D8F155782A5E0982A@xmb-ams-331.emea.cisco.com>
References: <4d3f56c90801231144s7e6a6c7i9523d853d6c66e69@mail.gmail.com> <67F7C1FAF83A074AA3520D8F155782A5E0982A@xmb-ams-331.emea.cisco.com>
Content-Type: text/plain
Date: Wed, 23 Jan 2008 22:53:42 +0100
Message-Id: <1201125222.3542.11.camel@localhost.localdomain>
Mime-Version: 1.0
X-Mailer: Evolution 2.8.0 (2.8.0-40.el5)
Content-Transfer-Encoding: 7bit
X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by milter-greylist-4.0 (puck.nether.net [204.42.254.5]); Wed, 23 Jan 2008 16:53:44 -0500 (EST)
Cc: cisco-nsp
Subject: Re: [c-nsp] MUX
X-BeenThere:
 cisco-nsp@puck.nether.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "list for people using cisco in a NSP \(Network service provider\) environment"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 23 Jan 2008 21:53:44 -0000

Hi Mad,

CWDM is a nice and (relatively) cheap solution, but of course it requires special colour GBICs at each end. The cost of the passive CWDM muxer and special GBICs + stock for a rainy day can sometimes make provisioning an extra physical fiber look more attractive than otherwise, especially for short distances.

But YMMV.

Regards,
Peter

On Wed, 2008-01-23 at 22:41 +0100, Arie Vayner (avayner) wrote:
> Mr. madunix,
>
> Not sure what your requirements are, but if all you need is multiple
> GigE links over the same fiber, take a look at this:
> http://www.cisco.com/en/US/products/ps6575/index.html
>
> Arie
>
> -----Original Message-----
> From: cisco-nsp-bounces@puck.nether.net
> [mailto:cisco-nsp-bounces@puck.nether.net] On Behalf Of Mad Unix
> Sent: Wednesday, January 23, 2008 21:44 PM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] MUX
>
> Dear ALL
>
> We are looking to get a MUX for the Fiber between our 2 buildings...
> out of your experience, what do you think about getting "Marconi OMS"
> http://www.ericsson.com/solutions/products/hp/Optical_Networks_pa.shtml
> since our LAN and WAN built on Cisco and Extreme devices.
>
> Thanks
> --
> madunix

From ras@gerbil.cluepon.net Wed Jan 23 18:04:01 2008
From: Richard A Steenbergen
To: mack
Cc: "cisco-nsp@puck.nether.net"
Date: Wed, 23 Jan 2008 18:08:08 -0500
Subject: Re: [c-nsp] SXH1 - lab tested/live router

On Tue, Jan 22, 2008 at 12:01:37PM -0600, mack wrote:
> Has anyone other than cisco lab tested or put SXH1 into production yet?
> I am still waiting on approval for lab time.
>
> The bug fixes most relevant to me are:
>
> DOM support for older XENPAKs (supposedly fixed)
> Stability Improvements (a number of bug fixes)
> Insertion of a line into an active BGP loopback group leading to uneven traffic distribution requiring hard bgp reset to rectify.
> memory/cpu usage tracking via SNMP in the modular version.
>
> The DOM support had kept us from considering upgrading to SXH.
> The SNMP cpu usage tracking kept us from considering modular versions.

DOM is most definitely fixed in SXH1 and SRC, which is a Very Good Thing
(tm).

I'm personally still torn about which way to go after SXF. SXH seems to
have mostly good reviews as far as stability, and offers modular code
that does MPLS and IPv6 now, but seems to be missing a few critical
features that only exist in SRB+ (such as a functional route-map
continue for outbound routes, and netflow sampling which stands at least
the slightest chance of being usable by only sampling packets on
interfaces you actually WANT sampled in netflow). Honestly neither train
seems to offer a complete solution, which seems to prove that Cisco is
doing its customers a great disservice by playing business unit games
with the 6500/7600 software. I don't know if I have the balls to run SRC
so soon after its initial release, but maybe SRB3 will have the DOM fix.

Also, for the love of god, can someone please encourage Cisco to fix ip
policy-list so it can match NAMED community-lists instead of just
numbered lists.
This is the only way to do a logical and on component policies and make
route-maps suck even the slightest bit less, and it's all but unusable
because of such a simple oversight. :)

--
Richard A Steenbergen http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

From tomz@cisco.com Wed Jan 23 18:41:47 2008
From: "Tom Zingale (tomz)"
To: "Mike Louis", "Higham, Josh"
Date: Wed, 23 Jan 2008 15:41:34 -0800
Subject: Re: [c-nsp] 3560/3750 12.2(44)

There is a bug in the release and the command is not available. This
will be fixed in the next maintenance release.

> -----Original Message-----
> From: cisco-nsp-bounces@puck.nether.net [mailto:cisco-nsp-bounces@puck.nether.net] On Behalf Of Mike Louis
> Sent: Tuesday, January 22, 2008 11:49 AM
> To: Higham, Josh; cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] 3560/3750 12.2(44)
>
> It's not being dropped from the configuration, it's not available in the global
> configuration. (config)#
>
> -----Original Message-----
> From: Higham, Josh [mailto:jhigham@epri.com]
> Sent: Tuesday, January 22, 2008 1:12 PM
> To: Mike Louis; cisco-nsp@puck.nether.net
> Subject: RE: [c-nsp] 3560/3750 12.2(44)
>
> > [mailto:cisco-nsp-bounces@puck.nether.net] On Behalf Of Mike Louis
> >
> > I recently upgraded some switches 3750 from 12.2(35) ipbase
> > to 12.2(44) and now the "ip tacacs source-interface" command
> > is missing. Anyone else seen this? I upgraded my lab 3560 to
> > same rev of code and found the same command missing.
>
> I believe that the source-interface command is silently dropped if the
> interface doesn't exist. Not sure if that's what you hit, but it's
> caught me on several occasions.
>
> Thanks,
> Josh

From joe@via.net Thu Jan 24 00:56:48 2008
From: joe mcguckin
To: cisco-nsp@puck.nether.net
Date: Wed, 23 Jan 2008 17:58:12 -0800
Subject: [c-nsp] Cisco WIC-1DSU-T1-V2 + 2811 + 12.4(11)T ??

I can't get this combination to bring up a T1.

Configured as

 encaps hdlc
 service-module t1 clock source line
 service-module t1 line b8zs
 service-module t1 frame esf
 service-module t1 timeslots all

Indicator LED on WIC is green, with no alarms.

Turning on debugging shows no keepalives seen:

yourname#debug serial event
Serial interface event debugging is on
yourname#debug serial interface
Serial network interface debugging is on
yourname#debug serial packet
Serial network packets debugging is on
yourname#
*Jan 23 22:30:23.227: DTE idb->dte_interface = DTE
*Jan 23 22:30:23.227: Dscc4(Serial0/0/0): DCD is up.
*Jan 23 22:30:25.227: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to up
*Jan 23 22:30:26.227: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
*Jan 23 22:30:30.391: Serial0/0/0: HDLC myseq 0, mineseen 0, yourseen 0, line up
*Jan 23 22:30:40.391: Serial0/0/0: HDLC myseq 1, mineseen 0, yourseen 0, line up
*Jan 23 22:30:50.391: gt96k_mbrd_serial_mode_reg_init:: was DTE, now set to DTE
*Jan 23 22:30:50.391: DTE idb->dte_interface = DTE
*Jan 23 22:30:50.391: Dscc4(Serial0/0/0): DCD is up.
*Jan 23 22:30:50.391: Serial0/0/0: HDLC myseq 2, mineseen 0, yourseen 0, line down
*Jan 23 22:30:51.391: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to down
*Jan 23 22:31:00.391: Serial0/0/0: HDLC myseq 3, mineseen 0, yourseen 0, line down
*Jan 23 22:31:10.391: Serial0/0/0: HDLC myseq 4, mineseen 0, yourseen 0, line down
*Jan 23 22:31:20.391: Serial0/0/0: HDLC myseq 5, mineseen 0, yourseen 0, line down
*Jan 23 22:31:21.391: Serial0/0/0: attempting to restart
*Jan 23 22:31:21.391: gt96k_mbrd_serial_mode_reg_init:: was DTE, now set to DTE
*Jan 23 22:31:21.391: DTE idb->dte_interface = DTE
*Jan 23 22:31:21.391: Dscc4(Serial0/0/0): DCD is up.
*Jan 23 22:31:30.391: Serial0/0/0: HDLC myseq 6, mineseen 0, yourseen 0, line down
*Jan 23 22:31:40.391: Serial0/0/0: HDLC myseq 7, mineseen 0, yourseen 0, line down
no deb all
All possible debugging has been turned off

If I plug the T1 circuit into a 1760 w- a V1 WIC-1DSU-T1, it comes right up...

Any ideas??

Joe

Joe McGuckin
ViaNet Communications
joe@via.net
650-207-0372 cell
650-213-1302 office
650-969-2124 fax

From jay@west.net Thu Jan 24 01:05:00 2008
Received: from red.impulse.net (red.impulse.net [207.154.64.11]) by puck.nether.net (8.14.2/8.12.9) with ESMTP id m0O64xHM026924 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Thu, 24 Jan 2008 01:04:59 -0500 (EST) (envel