From adrian.minta at gmail.com Thu Mar 1 04:20:07 2012
From: adrian.minta at gmail.com (Adrian M)
Date: Thu, 1 Mar 2012 11:20:07 +0200
Subject: [c-nsp] if cisco 7609 router reserve port bandwrith for routing protocol
In-Reply-To: <4F4EE177.108@gmail.com>
References: <4F4EE177.108@gmail.com>
Message-ID:

Routing protocol packets are put first in the output queues.

From vineeth.mohan at sifycorp.com Thu Mar 1 05:57:24 2012
From: vineeth.mohan at sifycorp.com (Vineeth Mohan)
Date: Thu, 01 Mar 2012 16:27:24 +0530
Subject: [c-nsp] Cisco Asset Management and Discovery Toll
In-Reply-To:
References:
Message-ID: <4F4F5614.4010406@sifycorp.com>

Alan,

I have nearly 3.5 K Cisco network devices on my network with a specific SNMP password. My ultimate aim is just to scan them with the SNMP key and find out all the Cisco devices and get the serial number including the chassis and daughter card.

Could you let me know the name of the Cisco tools and the specific Orion tools?

Regards
Vineeth

On 2/29/2012 12:58 PM, Alan Buxey wrote:
> netdisco is my favourite. Then there's Cisco tools and other offerings
> such as Orion NPM..most of the kiwisoft things are now on Orion
> products (they had some great tools)
>
> alan
>

From nsp at rhanssen.de Thu Mar 1 10:30:57 2012
From: nsp at rhanssen.de ("Rolf Hanßen")
Date: Thu, 1 Mar 2012 16:30:57 +0100
Subject: [c-nsp] replacing CARP with Cisco possible ?
Message-ID:

Hello,

we have a few setups that do gateway failover with Linux + CARP and are thinking about whether we can replace them with HSRP (or VRRP).

The CARP setups are configured this way now:
- a small non-public network (something like 192.168.0.0/30) is configured on the interfaces and used to run CARP to avoid wasting public IPs.
- public IPs and static routes are enabled/disabled with the up/down scripts (ip addr add/del x.x.x.x/y dev ethX, ip route add/del ...)

Looking into the config syntax I'm wondering if this setup can be done at all with VRRP/HSRP.

Is there a way to configure virtual IPs that do not belong to the "hard-coded" network (ip address x.x.x.x y.y.y.y) of the interface?
I see that it is possible to configure other IPs, but this results in a warning and there is no possibility to set the netmask at all.

Is there a possibility to have static routes that are only active if the node has enabled the virtual IP?

Is there anything else to take care of?
Any limitations except the 4096 HSRP-IDs?

We will be using SUP720-3B with 6548, 6748 and 6704 LCs, no DFCs. All Layer 3 stuff is configured inside vlan-interfaces, all physical interfaces are configured as switchports.
kind regards
Rolf

From mack.mcbride at viawest.com Thu Mar 1 11:34:15 2012
From: mack.mcbride at viawest.com (Mack McBride)
Date: Thu, 1 Mar 2012 08:34:15 -0800
Subject: [c-nsp] if cisco 7609 router reserve port bandwrith for routing protocol
In-Reply-To: <4F4EE177.108@gmail.com>
References: <4F4EE177.108@gmail.com>
Message-ID: <2503DE55BA5E394390F26298212B1381026F3F69C6A0@EXVMBX017-1.exch017.msoutlookonline.net>

IF the packets are marked into queue 7 then they will be output first.
HOWEVER SPD is used on input; there have been other threads about OSPF dropping on BGP updates, which happens fairly regularly on the 7600 code.

Mack

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of zhangyongshun
Sent: Wednesday, February 29, 2012 7:40 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] if cisco 7609 router reserve port bandwrith for routing protocol

Hi, everybody:

I always thought about whether a Cisco router reserves 10-15% of port bandwidth for transporting routing protocol packets (e.g. RIP, OSPF). In the FIFO output queue of a port (default config), how is it guaranteed that the protocol packets are always transported first?

_______________________________________________
cisco-nsp mailing list
cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From peter at rathlev.dk Thu Mar 1 12:00:20 2012
From: peter at rathlev.dk (Peter Rathlev)
Date: Thu, 01 Mar 2012 18:00:20 +0100
Subject: [c-nsp] replacing CARP with Cisco possible ?
In-Reply-To:
References:
Message-ID: <1330621220.1160.6.camel@abehat.dyn.net.rm.dk>

On Thu, 2012-03-01 at 16:30 +0100, "Rolf Hanßen" wrote:
> Is there a way to configure virtual IPs that do not belong to the
> "hard-coded" network (ip address x.x.x.x y.y.y.y) of the interface ?
> I see that it is possible to configure other IPs, but this results in a
> warning and there is no possibility to set the netmask at all.
I was wondering the same some years ago. Take a look at this thread:

http://puck.nether.net/pipermail/cisco-nsp/2007-November/045409.html

We never got it to work. ARP requests are sourced from the real address, and you cannot add a "connected static" route for a VRF enabled interface, i.e. "ip route vrf A 192.168.1.0 255.255.255.0 Vlan50" fails.

Also keep in mind that TTL exceeded replies (traceroute) would source from the "real" interface address.

> Is there a possibility to have static routes that are only active if the
> node has enabled the virtual IP ?

This in itself would be possible with an EEM script that follows the HSRP log messages and adjusts the configuration. It would trigger a configuration change, so Rancid or whatever you might use would log a change every time the HSRP state changes.

> Is there anything else to take care of ?
> Any limitations except the 4096 HSRP-IDs ?

That's 256 for HSRPv1 by the way.

--
Peter

From peter at rathlev.dk Thu Mar 1 12:07:15 2012
From: peter at rathlev.dk (Peter Rathlev)
Date: Thu, 01 Mar 2012 18:07:15 +0100
Subject: [c-nsp] BFD flapping on 6509 SUP720-3BXL
In-Reply-To:
References:
Message-ID: <1330621635.1160.11.camel@abehat.dyn.net.rm.dk>

On Wed, 2012-02-29 at 13:37 -0500, Ross Halliday wrote:
> I'm getting a load of BFD flaps on all ISIS (MPLS) links to a specific
> PE router. The router core-site_1-c6509 is at a central site that
> provides connectivity for our MPLS network such as linsite_3 to our
> Internet edge router, subscriber termination, VoIP access, etc. Based
> on my searching I'm guessing that the CPU load on core-site_1-c6509 is
> too high or erratic for the low BFD timers. It's doing all of this
> with a SUP720-3BXL.

What software are you using? SXF is said to be terrible regarding BFD, SXH/SXI a little better.

...
> configured with "bfd interval 50 min_rx 50 multiplier 4", yet these
> are not experiencing the same flaps.

I think this is much too low for the Sup720.
We're using "bfd interval 100 min_rx 100 multiplier 5" without any problems on SXI.

> The interfaces with the flaps don't have any errors, and links whose
> fibers have nothing to do with each other are sometimes blowing up at
> the same time (see below). The one thing I do see are some QoS drops.

Maybe the output from "show interface GiX/Y | incl drop" and "show ibc | incl spd drop" would shed light on it.

--
Peter

From ross.halliday at wtccommunications.ca Thu Mar 1 12:42:36 2012
From: ross.halliday at wtccommunications.ca (Ross Halliday)
Date: Thu, 1 Mar 2012 12:42:36 -0500
Subject: [c-nsp] BFD flapping on 6509 SUP720-3BXL
In-Reply-To: <1330621635.1160.11.camel@abehat.dyn.net.rm.dk>
References: <1330621635.1160.11.camel@abehat.dyn.net.rm.dk>
Message-ID:

> What software are you using? SXF is said to be terrible regarding BFD,
> SXH/SXI a little better.

Of course I forgot to include that... the SUP720s are running 12.2(33)SXI4a. The lone 7204 VXR is an NPE-G2 box with 12.4(24)T1.

> > configured with "bfd interval 50 min_rx 50 multiplier 4", yet these
> > are not experiencing the same flaps.
>
> I think this is much too low for the Sup720. We're using "bfd interval
> 100 min_rx 100 multiplier 5" without any problems on SXI.

Okay, sort of good to hear :) Guessed as much!

> Maybe the output from "show interface GiX/Y | incl drop" and "show ibc
> | incl spd drop" would shed light on it.
From the 4 routers from my previous post; note that I also included interfaces that are connected elsewhere which do not exhibit this problem (core-site_2-c6509 Gi6/2, despite the drops, has no problems)

core-site_1-c6509#sh int gig 6/1 | incl drop
  Input queue: 0/75/33/33 (size/max/drops/flushes); Total output drops: 0
core-site_1-c6509#sh int gig 7/1 | incl drop
  Input queue: 0/75/12/10 (size/max/drops/flushes); Total output drops: 115015
core-site_1-c6509#sh int gig 7/6 | incl drop
  Input queue: 0/75/4/4 (size/max/drops/flushes); Total output drops: 5943
core-site_1-c6509#sh int gig 7/13 | incl drop
  Input queue: 0/75/30/30 (size/max/drops/flushes); Total output drops: 0
core-site_1-c6509#show ibc | inc spd drop
  Potential/Actual paks copied to process level 1169099650/1167989541 (1110109 dropped, 276692 spd drops)

core-site_4-c7204#sh int gig 0/1 | inc drop
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 212
  0 unknown protocol drops
core-site_4-c7204#sh int gig 0/2 | inc drop
  Input queue: 0/75/19/0 (size/max/drops/flushes); Total output drops: 21475
  0 unknown protocol drops

core-site_2-c6509#sh int gig 4/17 | inc drop
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
core-site_2-c6509#sh int gig 4/19 | inc drop
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
core-site_2-c6509#sh int gig 4/21 | inc drop
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
core-site_2-c6509#sh int gig 5/1 | inc drop
  Input queue: 0/75/4044/0 (size/max/drops/flushes); Total output drops: 0
core-site_2-c6509#sh int gig 5/2 | inc drop
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
core-site_2-c6509#sh int gig 6/1 | inc drop
  Input queue: 0/75/4145/0 (size/max/drops/flushes); Total output drops: 0
core-site_2-c6509#sh int gig 6/2 | inc drop
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 75569
core-site_2-c6509#show ibc | inc spd drop
  Potential/Actual paks copied to process level 955918870/955929609 (4294956557 dropped, 693 spd drops)

core-site_3-c6513#sh int gig 7/1 | inc drop
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
core-site_3-c6513#sh int gig 8/1 | inc drop
  Input queue: 0/75/2/0 (size/max/drops/flushes); Total output drops: 2
core-site_3-c6513#sh ibc | inc spd drop
  Potential/Actual paks copied to process level 233788359/233637166 (151193 dropped, 0 spd drops)

I don't quite understand what the IBC stuff is about. Does this indicate process-switched packets?

Thanks!
Ross

From madunix at gmail.com Thu Mar 1 16:28:00 2012
From: madunix at gmail.com (madunix at gmail.com)
Date: Thu, 1 Mar 2012 23:28:00 +0200
Subject: [c-nsp] ultrasurf
Message-ID:

How can I prevent Ultrasurf from being used on my network?

From andrew at 2sheds.de Thu Mar 1 16:58:50 2012
From: andrew at 2sheds.de (Andrew Miehs)
Date: Fri, 2 Mar 2012 08:58:50 +1100
Subject: [c-nsp] ultrasurf
In-Reply-To:
References:
Message-ID: <3B2816BE-31B6-43AC-A3FA-6DBED72199FB@2sheds.de>

On 02/03/2012, at 8:28 AM, madunix at gmail.com wrote:
> How can I prevent Ultrasurf from being used on my network?

Is this a serious question?

As a service provider, I would hope that you would not have the requirement to filter users' traffic.

But if you really think that you must do this...

http://lmgtfy.com/?q=block+ultrasurf

or spend a lot of money on some inline packet inspection box.

Regards

Andrew

From peter at rathlev.dk Thu Mar 1 18:50:11 2012
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 02 Mar 2012 00:50:11 +0100
Subject: [c-nsp] BFD flapping on 6509 SUP720-3BXL
In-Reply-To:
References: <1330621635.1160.11.camel@abehat.dyn.net.rm.dk>
Message-ID: <1330645811.7107.25.camel@abehat.dyn.net.rm.dk>

On Thu, 2012-03-01 at 12:42 -0500, Ross Halliday wrote:
> the SUP720s are running 12.2(33)SXI4a. The lone 7204 VXR is an NPE-G2
> box with 12.4(24)T1.

BFD should work okay on SXI in my experience.
We haven't run SXI4a though, so a weakness specific to this and not to SXI1 or SXI5 or later is theoretically possible. I don't think so though.

BFD is a process thing, so the more BFD sessions active the more CPU load. Might the device with the problems have a lot more BFD sessions than the others perhaps?

> core-site_1-c6509#sh int gig 6/1 | incl drop
>   Input queue: 0/75/33/33 (size/max/drops/flushes); Total output drops: 0
> core-site_1-c6509#sh int gig 7/1 | incl drop
>   Input queue: 0/75/12/10 (size/max/drops/flushes); Total output drops: 115015
> core-site_1-c6509#sh int gig 7/6 | incl drop
>   Input queue: 0/75/4/4 (size/max/drops/flushes); Total output drops: 5943
> core-site_1-c6509#sh int gig 7/13 | incl drop
>   Input queue: 0/75/30/30 (size/max/drops/flushes); Total output drops: 0
> core-site_1-c6509#show ibc | inc spd drop
>   Potential/Actual paks copied to process level 1169099650/1167989541 (1110109 dropped, 276692 spd drops)

The per interface "flush" counter describes SPD drops specific to this interface. Can you tell if the flush counter increments together with the adjacency drops?

I wonder if BFD is actually allowed to enter the SPD "headroom", or if it would be discarded together with regular traffic. I would certainly assume it's headroom eligible. Anybody happen to know that?

You might have luck raising the input hold-queue a little; we use "hold-queue 256 in" on our TGE core interfaces. Beware that a hardware forwarding device might not always benefit from raising this though. The input queue only serves traffic that has to be processed by the CPU for one reason or another, and having a lot of this traffic is probably a sign of something not being right. On the other hand the 75 packets default is not a lot on an interface that can do something like 10-20 Mpps. Even a short burst of maybe 200 packets probably arrives too fast for the CPU to receive them, even though it might be able to process them fine.

I'd definitely lower the BFD timers.
We use 100/100/5 and each device typically has between 2 and 6 such neighbors. More neighbors and lower timers are worse.

> I don't quite understand what the IBC stuff is about. Does this
> indicate process-switched packets?

The IBC interface is the way traffic finds its way to the CPU for software switching/processing. The "show ibc" command lists a lot about this interface, drops and rates being relatively interesting. If your IBC interface carries too much traffic ("show ibc | incl rate") you should investigate why. The most busy of our devices typically have a rate of 300-500 pps rx on the IBC interface. A rate of more than twice this would call for investigation IMO. I only have experience with our local setup though, and other networks might work fine with higher rates.

If you want to look at the CPU traffic you have at least two options:

1) "debug netdr capture rx" and "show netdr captured-packets". This gives you a lot of nice information about IBC specific things and runs locally on the box. (Remember to undebug.)

2) Use a SPAN session to send traffic to a separate box where you can use Wireshark or another tool. Take a look here for a how-to:
http://cisco.cluepon.net/index.php/6500_SPAN_the_RP

--
Peter

From jkrejci at usinternet.com Thu Mar 1 19:21:58 2012
From: jkrejci at usinternet.com (Justin Krejci)
Date: Thu, 01 Mar 2012 18:21:58 -0600
Subject: [c-nsp] Trunking Private VLANs on 6509
Message-ID: <1330647718.2463.10.camel@sysadmin3a>

I am trying to trunk private vlans from a Cisco 6509 to some other switches. There does not appear to be a way to do this but it works great on a Cisco 4948. Does the 6509 not support doing this or is there something else needed to make this work?

Here is some sample config.
############
Cisco 4948
############

vlan 850
  private-vlan isolated
vlan 851
  private-vlan primary
  private-vlan association 850

interface GigabitEthernet1/34
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 850,900,910,911
 switchport private-vlan trunk allowed vlan 850,900,910,911
 switchport private-vlan association trunk 851 850
 switchport private-vlan association trunk 901 900
 switchport private-vlan association trunk 909 910
 switchport private-vlan association trunk 912 911
 switchport private-vlan association trunk 853 852
 switchport mode private-vlan trunk

interface Vlan851
 ip address x.x.x.1 255.255.255.0
 private-vlan mapping 850

############
Cisco 6509
Sup720-3BXL
WS-X6748-GE-TX or WS-X6548-GE-TX
IOS Version 12.2(33)SXI6 Advanced Enterprise
############

vlan 850
  private-vlan isolated
vlan 851
  private-vlan primary
  private-vlan association 850

interface GigabitEthernet1/1
 switchport trunk encapsulation dot1q
 (everything after this point errors out because "trunk" is not an option for any of these)
 switchport private-vlan trunk allowed vlan 850,900,910,911
 switchport private-vlan association trunk 851 850
 switchport private-vlan association trunk 901 900
 switchport private-vlan association trunk 909 910
 switchport private-vlan association trunk 912 911
 switchport private-vlan association trunk 853 852
 switchport mode private-vlan trunk

From chuckchurch at gmail.com Thu Mar 1 23:30:54 2012
From: chuckchurch at gmail.com (Chuck Church)
Date: Thu, 1 Mar 2012 23:30:54 -0500
Subject: [c-nsp] ARP behavior
Message-ID: <000301ccf82d$42dd06e0$c89714a0$@com>

Hey all,

I'm curious as to how ARP behaves on a LAN. After looking at a router with high amounts of process switched traffic, I discovered that it's mostly ARP traffic, both in and out. Looking at CEF statistics, I see a lot of encapsulation failed type drops, which are tied to an 'Incomplete' entry in the ARP table. Nothing new there.
But thinking about it:

If a router gets a packet destined to a (potentially) locally connected Ethernet host, does it ARP for that host (if unknown) for every packet destined to the host?

If not, does it just drop packets for a certain time frame, maybe tied into how long the 'incomplete' entry stays in the ARP table?

Reading the RFC didn't really clarify the behavior, nor did googling 'ARP incomplete timeout' or other variants. It's hard to determine how long a router maintains that 'incomplete' entry. Anyone have an idea?

Thanks,

Chuck

From vas at mpeks.tomsk.su Fri Mar 2 00:07:24 2012
From: vas at mpeks.tomsk.su (Victor Sudakov)
Date: Fri, 2 Mar 2012 12:07:24 +0700
Subject: [c-nsp] router does not see IGMP joins
Message-ID: <20120302050724.GA57590@admin.sibptus.tomsk.ru>

Colleagues,

What could be the reason that a Cisco 1841 router (IOS 12.4(13r)T) does not see IGMP joins to a particular group? tcpdump shows that the joins are being sent to the network, however "debug ip igmp 224.0.1.3" does not show them.
Here is the packet dump: http://zalil.ru/32803276

and the configuration:

kedrovy#sh ip igmp interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
  Internet address is 10.14.128.129/26
  IGMP is enabled on interface
  Current IGMP host version is 2
  Current IGMP router version is 2
  IGMP query interval is 60 seconds
  IGMP querier timeout is 120 seconds
  IGMP max query response time is 10 seconds
  Last member query count is 2
  Last member query response interval is 1000 ms
  Inbound IGMP access group is not set
  IGMP activity: 8 joins, 6 leaves
  Multicast routing is enabled on interface
  Multicast TTL threshold is 0
  Multicast designated router (DR) is 10.14.128.129 (this system)
  IGMP querying router is 10.14.128.129 (this system)
  Multicast groups joined by this system (number of users):
     224.0.1.40(1)  224.0.1.1(1)
kedrovy#

I can forcibly join the interface to the 224.0.1.3 group and then the traffic begins to flow:

kedrovy(config-if)#ip igmp join-group 224.0.1.3
kedrovy(config-if)#^Z
kedrovy#
1w2d: IGMP(0): WAVL Insert group: 224.0.1.3 interface: FastEthernet0/0Successful
1w2d: IGMP(0): Send v2 Report for 224.0.1.3 on FastEthernet0/0
1w2d: IGMP(0): Received v2 Report on FastEthernet0/0 from 10.14.128.129 for 224.0.1.3
1w2d: IGMP(0): Received Group record for group 224.0.1.3, mode 2 from 10.14.128.129 for 0 sources
1w2d: IGMP(0): Switching to EXCLUDE mode for 224.0.1.3 on FastEthernet0/0
1w2d: IGMP(0): Updating EXCLUDE group timer for 224.0.1.3
1w2d: IGMP(0): MRT Add/Update FastEthernet0/0 for (*,224.0.1.3) by 0
1w2d: IGMP(0): MRT Add/Update FastEthernet0/0 for (*,224.0.1.3) by 4
1w2d: %SYS-5-CONFIG_I: Configured from console by vty0 (10.14.134.125)
kedrovy#
1w2d: IGMP(0): Send v2 general Query on FastEthernet0/0
1w2d: IGMP(0): Set report delay time to 2.8 seconds for 224.0.1.3 on FastEthernet0/0
1w2d: IGMP(0): Send v2 general Query on FastEthernet0/1
kedrovy#
1w2d: IGMP(0): Send v2 Report for 224.0.1.3 on FastEthernet0/0
1w2d: IGMP(0): Received v2 Report on FastEthernet0/0 from 10.14.128.129 for 224.0.1.3
1w2d: IGMP(0): Received Group record for group 224.0.1.3, mode 2 from 10.14.128.129 for 0 sources
1w2d: IGMP(0): Updating EXCLUDE group timer for 224.0.1.3
1w2d: IGMP(0): MRT Add/Update FastEthernet0/0 for (*,224.0.1.3) by 0

--
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru

From joshua.morgan at gmail.com Fri Mar 2 00:52:22 2012
From: joshua.morgan at gmail.com (Joshua Morgan)
Date: Fri, 2 Mar 2012 16:52:22 +1100
Subject: [c-nsp] ARP behavior
In-Reply-To: <000301ccf82d$42dd06e0$c89714a0$@com>
References: <000301ccf82d$42dd06e0$c89714a0$@com>
Message-ID:

CEF has ARP throttling. Essentially, it installs a drop adjacency for the host whilst it is waiting for an ARP reply from the host. So, the first packet should result in an ARP being sent out but subsequent packets will just be dropped.

I'm not sure of the timing of ARP throttling. That is, how long the drop adjacency lives for. Maybe someone else can chime in about that.

Josh

On Fri, Mar 2, 2012 at 3:30 PM, Chuck Church wrote:
> Hey all,
>
> I'm curious as to how ARP behaves on a LAN. After looking
> at a router with high amounts of process switched traffic, I discovered
> that it's mostly ARP traffic, both in and out. Looking at CEF statistics,
> I see a lot of encapsulation failed type drops. Which are tied to an
> 'Incomplete' entry in the ARP table. Nothing new there. But thinking
> about it:
>
> If a router gets a packet destined to a (potentially) locally connected
> Ethernet host, does it ARP for that host (if unknown) for every packet
> destined to the host?
>
> If not, does it just drop packets for a certain time frame, maybe tied into
> how long the 'incomplete' entry stays in the ARP table?
>
> Reading the RFC didn't really clarify the behavior, nor did googling 'ARP
> incomplete timeout' or other variants. It's hard to determine how long a
> router maintains that 'incomplete' entry. Anyone have an idea?
>
> Thanks,
>
> Chuck

From artem at aws-net.org.ua Fri Mar 2 03:13:20 2012
From: artem at aws-net.org.ua (Artyom Viklenko)
Date: Fri, 02 Mar 2012 10:13:20 +0200
Subject: [c-nsp] WS-X6704-10GE, WS-X6708-10GE
Message-ID: <4F508120.6020105@aws-net.org.ua>

Hi, List!

Maybe these questions were discussed earlier... I can't find it... Please give me some links then.

I'm trying to clarify my understanding of switching paths on these line cards. From one point of view, Cisco docs say that if the traffic should ingress via one port on the line card and then should egress through another port on the same line card it will never leave this line card. So it will be switched via the internal bus. Right?

At one of our POPs we have a Cisco 7606-S chassis with the following:

Mod Ports Card Type                              Model
--- ----- -------------------------------------- ------------------
  2    4  CEF720 4 port 10-Gigabit Ethernet      WS-X6704-10GE
  3   48  CEF720 48 port 1000mb SFP              WS-X6748-SFP
  4   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX
  5    2  Route Switch Processor 720 (Active)    RSP720-3CXL-GE

At peaks we see total ingress traffic on all 10GE ports around 30-32Gbps and an increase of overruns on all 10GE ports.
Utilization of the fabric and forwarding performance are as follows:

Switch Fabric Resources
  Bus utilization: current: 10%, peak was 51% at 21:31:26 EET Sat Feb 18 2012
  Fabric utilization:     Ingress                       Egress
    Module  Chanl  Speed  rate  peak                    rate  peak
    2       0      20G    15%   46% @22:57 30Jan12      15%   49% @22:02 31Jan12
    2       1      20G    15%   49% @20:08 01Feb12      15%   46% @20:14 25Feb12
    3       0      20G     0%    2% @10:49 02Feb12       0%    1% @14:16 30Jan12
    3       1      20G     1%    1% @14:16 30Jan12       0%    2% @19:25 30Jan12
    4       0      20G     1%   16% @19:22 11Feb12       3%   11% @19:40 04Feb12
    4       1      20G     3%    9% @22:23 31Jan12       1%   10% @19:23 11Feb12
    5       0      20G     0%    1% @14:16 30Jan12       0%    2% @21:24 10Feb12
  Switching mode:
    Module  Switching mode
    2       compact
    3       compact
    4       compact
    5       compact

L2 Forwarding Resources
  MAC Table usage:   Module  Collisions  Total    Used  %Used
                     5       0           98304    292   1%
  VPN CAM usage:                         Total    Used  %Used
                                         512      0     0%

L3 Forwarding Resources
  Module  FIB TCAM usage:                 Total    Used   %Used
  5       72 bits (IPv4, MPLS, EoM)       524288   13963  3%
          144 bits (IP mcast, IPv6)       262144   316    1%

  detail:   Protocol     Used   %Used
            IPv4         7057   1%
            MPLS         6897   1%
            EoM          9      1%
            IPv6         117    1%
            IPv4 mcast   196    1%
            IPv6 mcast   3      1%

  Adjacency usage:   Total     Used   %Used
                     1048576   7759   1%

  Forwarding engine load:
  Module  pps      peak-pps   peak-time
  5       1965007  10703659   21:31:21 EET Sat Feb 18 2012

Actually, typical PPS is about 5-6 millions at peak times in the evening and bus utilization is about 20%.

I made simple calculations and found that about 16Gbps is switched via the internal bus on the line card and about 14-15 Gbps is switched via the fabric. So the problem is the internal 16Gbps (actually 16Gbps+16Gbps?) bus on the linecard. So, the possible solution seems to be to install an additional 6704 line card and distribute links between them according to the main traffic flows.

Is it correct that CFC is not an issue in this particular situation? D-Bus is not overutilized yet.

I agree that it is good to install DFC daughter cards (or even 6708 with DFC), but not now.

I know that WS-X6708 is a much better option (and it is DFC), but now we have no possibility to replace all 6704 by 6708 ones.
Is it all correct or am I missing something?

Is it possible somehow to disable switching via the internal bus on the linecard and reroute all traffic via the fabric?

A similar problem was found on another router with a WS-X6708 line card. After swapping some 10GE links between ports most of the traffic started to go via the fabric. And the overruns disappeared.

Thanks in advance!

--
Sincerely yours,
Artyom Viklenko.
-------------------------------------------------------
artem at aws-net.org.ua | http://www.aws-net.org.ua/~artem
artem at viklenko.net   | JID: artem at jabber.aws-net.org.ua
FreeBSD: The Power to Serve - http://www.freebsd.org

From nsp at rhanssen.de Fri Mar 2 04:34:43 2012
From: nsp at rhanssen.de ("Rolf Hanßen")
Date: Fri, 2 Mar 2012 10:34:43 +0100
Subject: [c-nsp] replacing CARP with Cisco possible ?
In-Reply-To: <1330621220.1160.6.camel@abehat.dyn.net.rm.dk>
References: <1330621220.1160.6.camel@abehat.dyn.net.rm.dk>
Message-ID:

Hi,

any idea how other providers offer such redundancy to end customers (if they do at all)?
We have a mass of customers with /29 or /28 networks and losing IPs isn't an option in such cases imo.
Using bigger networks would require giving up vlan separation per customer, no option either.

regards
Rolf

> On Thu, 2012-03-01 at 16:30 +0100, "Rolf Hanßen" wrote:
>> Is there a way to configure virtual IPs that do not belong to the
>> "hard-coded" network (ip address x.x.x.x y.y.y.y) of the interface ?
>> I see that it is possible to configure other IPs, but this results in a
>> warning and there is no possibility to set the netmask at all.
>
> I was wondering the same some years ago. Take a look at this thread:
>
> http://puck.nether.net/pipermail/cisco-nsp/2007-November/045409.html
>
> We never got it to work. ARP requests are sourced from the real address,
> and you cannot add a "connected static" route for a VRF enabled
> interface, i.e. "ip route vrf A 192.168.1.0 255.255.255.0 Vlan50" fails.
>
> Also keep in mind that TTL exceeded replies (traceroute) would source
> from the "real" interface address.
>
>> Is there a possibility to have static routes that are only active if the
>> node has enabled the virtual IP ?
>
> This in itself would be possible with an EEM script that follows the
> HSRP log messages and adjusts the configuration. It would trigger a
> configuration change, so Rancid or whatever you might use would log a
> change every time the HSRP state changes.
>
>> Is there anything else to take care of ?
>> Any limitations except the 4096 HSRP-IDs ?
>
> That's 256 for HSRPv1 by the way.
>
> --
> Peter

From vas at mpeks.tomsk.su Fri Mar 2 05:01:58 2012
From: vas at mpeks.tomsk.su (Victor Sudakov)
Date: Fri, 2 Mar 2012 17:01:58 +0700
Subject: [c-nsp] A switch with PoE support and powered by 48V DC
Message-ID: <20120302100158.GA64036@admin.sibptus.tomsk.ru>

Colleagues,

I need a switch with PoE support and powered by 48V DC, do you know of such?

TIA for any advice.

--
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru

From A.L.M.Buxey at lboro.ac.uk Fri Mar 2 05:03:01 2012
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Fri, 2 Mar 2012 10:03:01 +0000
Subject: [c-nsp] WS-X6704-10GE, WS-X6708-10GE
Message-ID:

without DFC cards, some work/decisions still have to go to the supervisor. DFC (distributed) is what gives your modules autonomy

alan

From artem at aws-net.org.ua Fri Mar 2 05:45:35 2012
From: artem at aws-net.org.ua (Artyom Viklenko)
Date: Fri, 02 Mar 2012 12:45:35 +0200
Subject: [c-nsp] WS-X6704-10GE, WS-X6708-10GE
In-Reply-To:
References:
Message-ID: <4F50A4CF.6060109@aws-net.org.ua>

On 02.03.2012 12:03, Alan Buxey wrote:
> without DFC cards, some work/decisions still have to go to the supervisor. DFC (distributed) is what gives your modules autonomy
>
> alan
>

This is already clear. :) The only not-so-clear thing now is the internals of these line cards.

Thank you!

--
Sincerely yours,
Artyom Viklenko.
-------------------------------------------------------
artem at aws-net.org.ua | http://www.aws-net.org.ua/~artem
artem at viklenko.net   | JID: artem at jabber.aws-net.org.ua
FreeBSD: The Power to Serve - http://www.freebsd.org

From dv at dv.ru Fri Mar 2 06:03:50 2012
From: dv at dv.ru (Dmitry Valdov)
Date: Fri, 2 Mar 2012 15:03:50 +0400 (MSK)
Subject: [c-nsp] WS-X6704-10GE, WS-X6708-10GE
In-Reply-To: <4F50A4CF.6060109@aws-net.org.ua>
References: <4F50A4CF.6060109@aws-net.org.ua>
Message-ID: <20120302145651.O48933@xkis.kis.ru>

I had a similar problem a few months ago. I saw overruns and loss of packets when much traffic flowed from one port of a 6704 to another port of the same card. (Actually it was port mirroring.)
The problem was fixed by configuring "fabric buffer-reserve low" (or medium).

On Fri, 2 Mar 2012, Artyom Viklenko wrote:
> On 02.03.2012 12:03, Alan Buxey wrote:
>> without DFC cards, some work/decisions still have to go to the supervisor.
>> DFC (distributed) is what gives your modules autonomy
>>
>> alan
>>
>
> This is already clear. :) The only not-so-clear thing now is the internals of
> these line cards.
>
> Thank you!

--
Dmitry Valdov
CCIE #15379 (R&S and SP)

From lukasz at bromirski.net Fri Mar 2 06:07:16 2012
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Fri, 02 Mar 2012 12:07:16 +0100
Subject: [c-nsp] WS-X6704-10GE, WS-X6708-10GE
In-Reply-To: <4F508120.6020105@aws-net.org.ua>
References: <4F508120.6020105@aws-net.org.ua>
Message-ID: <4F50A9E4.6060209@bromirski.net>

On 2012-03-02 09:13, Artyom Viklenko wrote:
> I'm trying to clarify my understanding of switching paths on these
> line cards. From one point of view, Cisco docs say that if the
> traffic should ingress via one port on the line card and then
> should egress through another port on the same line card it will
> never leave this line card. So it will be switched via internal
> bus. Right?
No, and if it says so somewhere, please point it to the doc team
to fix it.

Both 6704 and 6708 have two complexes of Fabric ASICs.
The 6708 you can see on figure 21 here:
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd80673385.html

The port mappings for Fabric ASICs should be found in the hardware
installation notes under the 'Switch fabric connections' in the
tables for specific LC:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/hardware/Module_Installation/Mod_Install_Guide/02ethern.html#wp1048010

Essentially, traffic from one Fabric ASIC to the ports on the
other Fabric ASIC will go over the fabric itself. Only traffic
belonging to the same Fabric ASIC will be switched locally if of
course there's a DFC installed.

--
"There's no sense in being precise when |        Łukasz Bromirski
 you don't know what you're talking     |  jid:lbromirski at jabber.org
 about."               John von Neumann |  http://lukasz.bromirski.net

From artem at aws-net.org.ua  Fri Mar  2 06:44:09 2012
From: artem at aws-net.org.ua (Artyom Viklenko)
Date: Fri, 02 Mar 2012 13:44:09 +0200
Subject: [c-nsp] WS-X6704-10GE, WS-X6708-10GE
In-Reply-To: <4F50A9E4.6060209@bromirski.net>
References: <4F508120.6020105@aws-net.org.ua> <4F50A9E4.6060209@bromirski.net>
Message-ID: <4F50B289.2020309@aws-net.org.ua>

On 02.03.2012 13:07, Łukasz Bromirski wrote:
> On 2012-03-02 09:13, Artyom Viklenko wrote:
>
>> I'm trying to clarify my understanding of switching paths on these
>> line cards. From one point of view, Cisco docs say that if the
>> traffic should ingress via one port on the line card and then
>> should egress through another port on the same line card it will
>> never leave this line card. So it will be switched via internal
>> bus. Right?
>
> No, and if it says so somewhere, please point it to the doc team
> to fix it.
>
> Both 6704 and 6708 have two complexes of Fabric ASICs.
> The 6708 you can see on figure 21 here:
> http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd80673385.html
>
>
> The port mappings for Fabric ASICs should be found in the hardware
> installation notes under the 'Switch fabric connections' in the
> tables for specific LC:
> http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/hardware/Module_Installation/Mod_Install_Guide/02ethern.html#wp1048010
>
>
> Essentially, traffic from one Fabric ASIC to the ports on the
> other Fabric ASIC will go over the fabric itself. Only traffic
> belonging to the same Fabric ASIC will be switched locally if of
> course there's a DFC installed.

ok. Now I see

Switch Fabric Resources
  Bus utilization: current: 13%, peak was 51% at 21:31:26 EET Sat Feb 18 2012
  Fabric utilization:     Ingress                       Egress
    Module  Chanl  Speed  rate  peak                    rate  peak
    2       0      20G    23%   46% @22:57 30Jan12      18%   49% @22:02 31Jan12
    2       1      20G    21%   49% @20:08 01Feb12      25%   46% @20:14 25Feb12

I.e. 4,6 Gbps on channel 0 and 4,2 Gbps on channel 1. No DFC on module.
Total input on all four 10GE ~ 19 Gbps. Fabric switching only 8,8 Gbps.
Similar approach I see on 6708 with DFC. Some part of traffic goes via
fabric and some in line card itself.

AFAIK, presence of DFC influences only the forwarding decision process (and
policing, for example) but not the moving of traffic itself?

Anyway, if traffic should be switched in ASIC what are the limitations
in terms of bandwidth or PPS?

--
Sincerely yours,
Artyom Viklenko.
-------------------------------------------------------
artem at aws-net.org.ua | http://www.aws-net.org.ua/~artem
artem at viklenko.net | JID: artem at jabber.aws-net.org.ua
FreeBSD: The Power to Serve - http://www.freebsd.org

From saku at ytti.fi  Fri Mar  2 06:50:11 2012
From: saku at ytti.fi (Saku Ytti)
Date: Fri, 2 Mar 2012 13:50:11 +0200
Subject: [c-nsp] WS-X6704-10GE, WS-X6708-10GE
In-Reply-To: <4F50A9E4.6060209@bromirski.net>
References: <4F508120.6020105@aws-net.org.ua> <4F50A9E4.6060209@bromirski.net>
Message-ID: <20120302115011.GA24208@pob.ytti.fi>

On (2012-03-02 12:07 +0100), Łukasz Bromirski wrote:

> Essentially, traffic from one Fabric ASIC to the ports on the
> belonging to the same Fabric ASIC will be switched locally if of
> course there's a DFC installed.

You don't need DFC for this, DFC has nothing to do with moving actual bits,
it is just for lookups.

So without DFC, you're still asking over DBUS from SUP PFC about egress,
but once the answer from RBUS comes, you're copying the packet inside the
linecard to egress, without going through the fabric.

--
  ++ytti

From lukasz at bromirski.net  Fri Mar  2 06:57:17 2012
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Fri, 02 Mar 2012 12:57:17 +0100
Subject: [c-nsp] WS-X6704-10GE, WS-X6708-10GE
In-Reply-To: <20120302115011.GA24208@pob.ytti.fi>
References: <4F508120.6020105@aws-net.org.ua> <4F50A9E4.6060209@bromirski.net> <20120302115011.GA24208@pob.ytti.fi>
Message-ID: <4F50B59D.2050106@bromirski.net>

On 2012-03-02 12:50, Saku Ytti wrote:
> On (2012-03-02 12:07 +0100), Łukasz Bromirski wrote:
>
>> Essentially, traffic from one Fabric ASIC to the ports on the
>> belonging to the same Fabric ASIC will be switched locally if of
>> course there's a DFC installed.
>
> You don't need DFC for this, DFC has nothing to do with moving actual bits,
> it is just for lookups.

That was my oversimplification. What I meant to say is that if the DFC
is installed the process will be "just as simple".
For CFC, the process of moving the data will be similar, but will require
a request and answer from the Sup over the shared bus.

> So without DFC, you're still asking over DBUS from SUP PFC about egress,
> but once the answer from RBUS comes, you're copying the packet inside the
> linecard to egress, without going through the fabric.

Yes.

--
"There's no sense in being precise when |        Łukasz Bromirski
 you don't know what you're talking     |  jid:lbromirski at jabber.org
 about."               John von Neumann |  http://lukasz.bromirski.net

From lukasz at bromirski.net  Fri Mar  2 07:17:11 2012
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Fri, 02 Mar 2012 13:17:11 +0100
Subject: [c-nsp] WS-X6704-10GE, WS-X6708-10GE
In-Reply-To: <4F50B289.2020309@aws-net.org.ua>
References: <4F508120.6020105@aws-net.org.ua> <4F50A9E4.6060209@bromirski.net> <4F50B289.2020309@aws-net.org.ua>
Message-ID: <4F50BA47.4040800@bromirski.net>

On 2012-03-02 12:44, Artyom Viklenko wrote:
> Switch Fabric Resources
>   Bus utilization: current: 13%, peak was 51% at 21:31:26 EET Sat Feb 18 2012
>   Fabric utilization:     Ingress                       Egress
>     Module  Chanl  Speed  rate  peak                    rate  peak
>     2       0      20G    23%   46% @22:57 30Jan12      18%   49% @22:02 31Jan12
>     2       1      20G    21%   49% @20:08 01Feb12      25%   46% @20:14 25Feb12
>
> I.e. 4,6 Gbps on channel 0 and 4,2 Gbps on channel 1. No DFC on module.
> Total input on all four 10GE ~ 19 Gbps. Fabric switching only 8,8 Gbps.
> Similar approach I see on 6708 with DFC. Some part of traffic goes via
> fabric and some in line card itself.

That's normal for "non-optimized" traffic patterns, so in real life :)
You can check for example using NetFlow, if there are flows that could
be optimized within one Port ASIC on one LC. Some people decide it's
worth it and do it, some skip it.

> AFAIK, presence of DFC influences only the forwarding decision process (and
> policing, for example) but not the moving of traffic itself?

Yes, see my answer to Ytti.
> Anyway, if traffic should be switched in ASIC what are the limitations
> in terms of bandwidth or PPS?

The bandwidth for 6704 is line rate of front ports, as it connects using
2x20Gbit/s channels to the fabric. The DFC however is limited to 48Mpps
and the traffic through the fabric uses additional headers. So if you
have 4 10GE ports doing forwarding for 64B packets fully locally, it
will be 4x14.8Mpps=59.2Mpps, while the DFC can only do 48Mpps.

Depending on your traffic profile, you'll either hit the PPS limitation
of the DFC (or the centrally located PFC) or the bandwidth constraint
for the 64B packets (DDoS for example).

--
"There's no sense in being precise when |        Łukasz Bromirski
 you don't know what you're talking     |  jid:lbromirski at jabber.org
 about."               John von Neumann |  http://lukasz.bromirski.net

From artem at aws-net.org.ua  Fri Mar  2 08:17:05 2012
From: artem at aws-net.org.ua (Artyom Viklenko)
Date: Fri, 02 Mar 2012 15:17:05 +0200
Subject: [c-nsp] WS-X6704-10GE, WS-X6708-10GE
In-Reply-To: <20120302145651.O48933@xkis.kis.ru>
References: <4F50A4CF.6060109@aws-net.org.ua> <20120302145651.O48933@xkis.kis.ru>
Message-ID: <4F50C851.9050007@aws-net.org.ua>

On 02.03.2012 13:03, Dmitry Valdov wrote:
>
>
>
> I had a similar problem a few months ago.
> I saw overruns and loss of packets when much traffic flowed from one
> port of 6704 to another port of the same card. (Actually it was port
> mirroring).
>
> The problem was fixed by configuring "fabric buffer-reserve low" (or
> medium).

Hm.. this increases space for incoming packets? Correct?
Interesting. Do I need to reload the router after this command is applied?

>
>
> On Fri, 2 Mar 2012, Artyom Viklenko wrote:
>
>> On 02.03.2012 12:03, Alan Buxey wrote:
>>> without DFC cards, some work/decisions still have to go to the
>>> supervisor. DFC (distributed) is what gives your modules autonomy
>>>
>>> alan
>>>
>>
>> This is already clear. :) The only not-so-clear thing now is the
>> internals of these line cards.
>>
>> Thank you!
>

--
Sincerely yours,
Artyom Viklenko.
-------------------------------------------------------
artem at aws-net.org.ua | http://www.aws-net.org.ua/~artem
artem at viklenko.net | JID: artem at jabber.aws-net.org.ua
FreeBSD: The Power to Serve - http://www.freebsd.org

From dfarrell at tibus.com  Fri Mar  2 09:55:01 2012
From: dfarrell at tibus.com (David Farrell)
Date: Fri, 02 Mar 2012 14:55:01 +0000
Subject: [c-nsp] A switch with PoE support and powered by 48V DC
In-Reply-To: <4F50DE4F.7070305@tibus.com>
References: <20120302100158.GA64036@admin.sibptus.tomsk.ru> <4F50DE4F.7070305@tibus.com>
Message-ID: <4F50DF45.3060006@tibus.com>

On 02/03/2012 14:50, David Farrell wrote:
> On 02/03/2012 10:01, Victor Sudakov wrote:
>> Colleagues,
>>
>> I need a switch with PoE support and powered by 48V DC, do you know of
>> such?
>>
>> TIA for any advice.
>
> Hi Victor,
>
> If you are looking for PoE access switches, I believe the 3560-E and
> -X series might be worth looking at as there are some DC power options
> for that series.
>
> David.

The ME3600X/ME3800X also have DC power options.

David.

From dfarrell at tibus.com  Fri Mar  2 09:50:55 2012
From: dfarrell at tibus.com (David Farrell)
Date: Fri, 02 Mar 2012 14:50:55 +0000
Subject: [c-nsp] A switch with PoE support and powered by 48V DC
In-Reply-To: <20120302100158.GA64036@admin.sibptus.tomsk.ru>
References: <20120302100158.GA64036@admin.sibptus.tomsk.ru>
Message-ID: <4F50DE4F.7070305@tibus.com>

On 02/03/2012 10:01, Victor Sudakov wrote:
> Colleagues,
>
> I need a switch with PoE support and powered by 48V DC, do you know of
> such?
>
> TIA for any advice.

Hi Victor,

If you are looking for PoE access switches, I believe the 3560-E and
-X series might be worth looking at as there are some DC power options
for that series.

David.
From dfarrell at tibus.com  Fri Mar  2 11:10:21 2012
From: dfarrell at tibus.com (David Farrell)
Date: Fri, 02 Mar 2012 16:10:21 +0000
Subject: [c-nsp] A switch with PoE support and powered by 48V DC
In-Reply-To: <4F50DF45.3060006@tibus.com>
References: <20120302100158.GA64036@admin.sibptus.tomsk.ru> <4F50DE4F.7070305@tibus.com> <4F50DF45.3060006@tibus.com>
Message-ID: <4F50F0ED.9000506@tibus.com>

On 02/03/2012 14:55, David Farrell wrote:
>
> On 02/03/2012 14:50, David Farrell wrote:
>> On 02/03/2012 10:01, Victor Sudakov wrote:
>>> Colleagues,
>>>
>>> I need a switch with PoE support and powered by 48V DC, do you know of
>>> such?
>>>
>>> TIA for any advice.
>>
>> Hi Victor,
>>
>> If you are looking for PoE access switches, I believe the 3560-E and
>> -X series might be worth looking at as there are some DC power
>> options for that series.
>>
>> David.
>
> The ME3600X/ME3800X also have DC power options.
>
> David.
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

However, no PoE in ME switches (it's definitely Friday afternoon with me).

David.

From dv at dv.ru  Fri Mar  2 11:30:20 2012
From: dv at dv.ru (Dmitry Valdov)
Date: Fri, 2 Mar 2012 20:30:20 +0400 (MSK)
Subject: [c-nsp] WS-X6704-10GE, WS-X6708-10GE
In-Reply-To: <4F50C851.9050007@aws-net.org.ua>
References: <4F50A4CF.6060109@aws-net.org.ua> <20120302145651.O48933@xkis.kis.ru> <4F50C851.9050007@aws-net.org.ua>
Message-ID: <20120302202022.U30141@xkis.kis.ru>

Hi!

No reload required.
I guess this command increases buffers between a card and fabric.

Well.. When a packet arrives.. It must come to the fabric and return back to the card..
What happens when two packets arrive at the same time?

On Fri, 2 Mar 2012, Artyom Viklenko wrote:

> On 02.03.2012 13:03, Dmitry Valdov wrote:
>>
>>
>>
>> I had a similar problem a few months ago.
>> I saw overruns and loss of packets when much traffic flowed from one
>> port of 6704 to another port of the same card. (Actually it was port
>> mirroring).
>>
>> The problem was fixed by configuring "fabric buffer-reserve low" (or
>> medium).
>
> Hm.. this increases space for incoming packets? Correct?
> Interesting. Do I need to reload the router after this command is applied?
>
>>
>>
>> On Fri, 2 Mar 2012, Artyom Viklenko wrote:
>>
>>> On 02.03.2012 12:03, Alan Buxey wrote:
>>>> without DFC cards, some work/decisions still have to go to the
>>>> supervisor. DFC (distributed) is what gives your modules autonomy
>>>>
>>>> alan
>>>>
>>>
>>> This is already clear. :) The only not-so-clear thing now is the
>>> internals of these line cards.
>>>
>>> Thank you!
>>
>
>
> --
> Sincerely yours,
> Artyom Viklenko.
> -------------------------------------------------------
> artem at aws-net.org.ua | http://www.aws-net.org.ua/~artem
> artem at viklenko.net | JID: artem at jabber.aws-net.org.ua
> FreeBSD: The Power to Serve - http://www.freebsd.org
>

--
Dmitry Valdov
CCIE #15379 (R&S and SP)

From vic at waveci.com  Fri Mar  2 12:11:21 2012
From: vic at waveci.com (Victor Matherly)
Date: Fri, 2 Mar 2012 12:11:21 -0500
Subject: [c-nsp] Cisco BPX Repairing BXM Module NVRAM
In-Reply-To:
References:
Message-ID:

Hello Everyone,

I'm trying to repair a BPX 8620 BPX-BXM-155-8DX card that has a bad NVRAM chip. I have successfully replaced the chip, however now I need to burn the board identification values to it. These values include the board serial number so copying over the values from another card won't be an option.

There is an official method of doing this. When logged in as the StrataCom user I found the command setnovram that walks me through resetting everything. However before the changes can be written to NVRAM it asks for a password.

Has anyone on the list successfully used this command and know the password?
I have tried all system passwords (Service, SuperUser, StrataCom) without success.

Thanks
--
Victor Matherly

From ESundberg at nitelusa.com  Fri Mar  2 14:57:02 2012
From: ESundberg at nitelusa.com (Erik Sundberg)
Date: Fri, 2 Mar 2012 13:57:02 -0600
Subject: [c-nsp] Config Backups
Message-ID:

Quick question/poll

What is everyone using for router/switch/firewall config backups?

Is rancid still the one to use?

Thanks

Erik

________________________________
CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or previous e-mail messages attached to it may contain confidential information that is legally privileged. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of any of the information contained in or attached to this transmission is STRICTLY PROHIBITED. If you have received this transmission in error please notify the sender immediately by replying to this e-mail. You must destroy the original transmission and its attachments without reading or saving in any manner. Thank you.

From scott at granados-llc.net  Fri Mar  2 15:17:52 2012
From: scott at granados-llc.net (Scott Granados)
Date: Fri, 2 Mar 2012 15:17:52 -0500
Subject: [c-nsp] Config Backups
In-Reply-To:
References:
Message-ID: <27511227-CA56-4E97-856C-09870CEDB2EA@granados-llc.net>

It's all about RANCID. Easy, very easy to modify and just works. That's my opinion anyway.

Thanks
Scott

On Mar 2, 2012, at 2:57 PM, Erik Sundberg wrote:

> Quick question/poll
>
> What is everyone using for router/switch/firewall config backups?
>
> Is rancid still the one to use?
>
> Thanks
>
> Erik

From fsmendoza at gmail.com  Fri Mar  2 15:30:51 2012
From: fsmendoza at gmail.com (Frank)
Date: Sat, 3 Mar 2012 04:30:51 +0800
Subject: [c-nsp] Config Backups
In-Reply-To:
References:
Message-ID:

...If you don't mind paying.. we're using kiwicattools to backup thousands of devices.

/fRank

Sent from my iPhone

On 3 Mar, 2012, at 3:57 AM, Erik Sundberg wrote:

> Quick question/poll
>
> What is everyone using for router/switch/firewall config backups?
>
> Is rancid still the one to use?
>
> Thanks
>
> Erik
From rick.martin at arkansas.gov  Fri Mar  2 15:53:28 2012
From: rick.martin at arkansas.gov (Rick Martin)
Date: Fri, 2 Mar 2012 14:53:28 -0600
Subject: [c-nsp] Config Backups
In-Reply-To:
References:
Message-ID: <2007EDBC2B3C3F41A73166A968BCE076270475BA3B@CMS01.sas.arkgov.net>

We are actually using 2 commercial products today;

1. Cisco Works
2. HP Network Automation

And one home grown script on Linux that runs out and grabs the config on all firewall enabled routers every night to assure that the firewall is still applied - some of our techs disable firewall while troubleshooting issues and "forget" to re-enable it.

We initially used Cisco Works only - then the security group developed the Linux script for the reason stated above. After a few negative audit findings we purchased HP NA for the same thing so I suspect we will disable the Linux script.

HP NA has turned out to be the easier product to use to fetch the old config. We can compare current config to any previous config, we can see each configuration change that has been made and we also use it for change management on firewall enabled devices. If a change is made outside of the tool then an event is triggered that the security group will investigate.

A pricey tool that has a lot of advantages over Cisco Works and TAC/ACS mostly in the area of user friendliness.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Erik Sundberg
Sent: Friday, March 02, 2012 1:57 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Config Backups

Quick question/poll

What is everyone using for router/switch/firewall config backups?

Is rancid still the one to use?

Thanks

Erik

From joshbaird at gmail.com  Fri Mar  2 15:59:38 2012
From: joshbaird at gmail.com (Josh Baird)
Date: Fri, 2 Mar 2012 15:59:38 -0500
Subject: [c-nsp] Config Backups
In-Reply-To: <2007EDBC2B3C3F41A73166A968BCE076270475BA3B@CMS01.sas.arkgov.net>
References: <2007EDBC2B3C3F41A73166A968BCE076270475BA3B@CMS01.sas.arkgov.net>
Message-ID:

I have also used Solarwinds' tool - NCM (formerly known as Cirrus).
Works well with a nice interface, but obviously is not free. I
believe it is licensed per device.

Josh

On Fri, Mar 2, 2012 at 3:53 PM, Rick Martin wrote:
> We are actually using 2 commercial products today;
>
> 1. Cisco Works
> 2. HP Network Automation
>
> And one home grown script on Linux that runs out and grabs the config on all firewall enabled routers every night to assure that the firewall is still applied - some of our techs disable firewall while troubleshooting issues and "forget" to re-enable it.
>
>
> We initially used Cisco Works only - then the security group developed the Linux script for the reason stated above.
> After a few negative audit findings we purchased HP NA for the same thing so I suspect we will disable the Linux script.
>
> HP NA has turned out to be the easier product to use to fetch the old config. We can compare current config to any previous config, we can see each configuration change that has been made and we also use it for change management on firewall enabled devices. If a change is made outside of the tool then an event is triggered that the security group will investigate.
>
> A pricey tool that has a lot of advantages over Cisco Works and TAC/ACS mostly in the area of user friendliness.
>
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Erik Sundberg
> Sent: Friday, March 02, 2012 1:57 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Config Backups
>
> Quick question/poll
>
> What is everyone using for router/switch/firewall config backups?
>
> Is rancid still the one to use?
>
> Thanks
>
> Erik

From alex2176 at gmail.com  Fri Mar  2 16:03:37 2012
From: alex2176 at gmail.com (Alex Moya)
Date: Fri, 2 Mar 2012 16:03:37 -0500
Subject: [c-nsp] Config Backups
In-Reply-To:
References: <2007EDBC2B3C3F41A73166A968BCE076270475BA3B@CMS01.sas.arkgov.net>
Message-ID:

Kiwi Catools works great.

Alex Moya

On Fri, Mar 2, 2012 at 3:59 PM, Josh Baird wrote:

> I have also used Solarwinds' tool - NCM (formerly known as Cirrus).
> Works well with a nice interface, but obviously is not free. I
> believe it is licensed per device.
>
> Josh
>
> On Fri, Mar 2, 2012 at 3:53 PM, Rick Martin wrote:
> > We are actually using 2 commercial products today;
> >
> > 1. Cisco Works
> > 2. HP Network Automation
> >
> > And one home grown script on Linux that runs out and grabs the config
> > on all firewall enabled routers every night to assure that the firewall is
> > still applied - some of our techs disable firewall while troubleshooting
> > issues and "forget" to re-enable it.
> >
> >
> > We initially used Cisco Works only - then the security group developed
> > the Linux script for the reason stated above. After a few negative audit
> > findings we purchased HP NA for the same thing so I suspect we will disable
> > the Linux script.
> >
> > HP NA has turned out to be the easier product to use to fetch the old
> > config. We can compare current config to any previous config, we can see
> > each configuration change that has been made and we also use it for change
> > management on firewall enabled devices.
> > If a change is made outside of the
> > tool then an event is triggered that the security group will investigate.
> >
> > A pricey tool that has a lot of advantages over Cisco Works and TAC/ACS
> > mostly in the area of user friendliness.
> >
> >
> >
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Erik Sundberg
> > Sent: Friday, March 02, 2012 1:57 PM
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] Config Backups
> >
> > Quick question/poll
> >
> > What is everyone using for router/switch/firewall config backups?
> >
> > Is rancid still the one to use?
> >
> > Thanks
> >
> > Erik
>

From A.L.M.Buxey at lboro.ac.uk  Fri Mar  2 16:09:30 2012
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Fri, 2 Mar 2012 21:09:30 +0000
Subject: [c-nsp] Config Backups
Message-ID:

RANCID and a couple of home-made scripts for custom jobs

alan

From mcn4 at leicester.ac.uk  Fri Mar  2 16:14:37 2012
From: mcn4 at leicester.ac.uk (Matthew Newton)
Date: Fri, 2 Mar 2012 21:14:37 +0000
Subject: [c-nsp] Config Backups
In-Reply-To:
References:
Message-ID: <20120302211437.GA14774@rootmail.cc.le.ac.uk>

On Fri, Mar 02, 2012 at 01:57:02PM -0600, Erik Sundberg wrote:
> What is everyone using for router/switch/firewall config backups?

A short local bash script that does an SNMP write to the correct OID
on each switch to tell it to copy its config file to the tftp server.

> Is rancid still the one to use?

Last I looked you had to give it telnet access to the switches - I
didn't like giving a script that sort of access, or storing core
router passwords (even for unpriv accounts) in plaintext anywhere.
Maybe it's changed recently.

Cheers,

Matthew

--
Matthew Newton, Ph.D.
Systems Architect (UNIX and Networks), Network Services, I.T. Services,
University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253,

From A.L.M.Buxey at lboro.ac.uk  Fri Mar  2 17:33:36 2012
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Fri, 2 Mar 2012 22:33:36 +0000
Subject: [c-nsp] Config Backups
Message-ID: <86D45A17-48A0-47A0-8378-F48A9FA09B1E@lboro.ac.uk>

Can do SSH. Use read-only account though, no need for a powerful account to read the config. Also stores the config with revision control/history and the file stored has obfuscated passwords/credentials.

alan

From msprouffske at yahoo.com  Fri Mar  2 17:55:14 2012
From: msprouffske at yahoo.com (msprouffske at yahoo.com)
Date: Fri, 02 Mar 2012 14:55:14 -0800
Subject: [c-nsp] preference on bgp route advertisements
Message-ID: <4F514FD2.4000007@yahoo.com>

I currently have prefix list filtering in place on my core routers and I advertise a default route to my dsl routers. My question is, what is the best practice for advertising bgp routes in the core? I would like to redistribute connected and static in bgp instead of adding network statements under the bgp process. Just trying to get some feedback on this before I start changing my core network.

From ESundberg at nitelusa.com  Fri Mar  2 18:28:49 2012
From: ESundberg at nitelusa.com (Erik Sundberg)
Date: Fri, 2 Mar 2012 17:28:49 -0600
Subject: [c-nsp] Config Backups
In-Reply-To:
References:
Message-ID:

Thanks everyone, I just finished installing rancid and have it up and running already.

What web front end are you using to browse the CVS tree?

Thanks

Erik

From rwest at zyedge.com  Fri Mar  2 18:35:12 2012
From: rwest at zyedge.com (Ryan West)
Date: Fri, 2 Mar 2012 23:35:12 +0000
Subject: [c-nsp] Config Backups
In-Reply-To:
References:
Message-ID:

Websvn here.

Sent from handheld

On Mar 2, 2012, at 6:30 PM, "Erik Sundberg" wrote:

> Thanks everyone, I just finished installing rancid and have it up and running already.
>
> What web front end are you using to browse the CVS tree?
>
>
> Thanks
>
> Erik
> _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/

From ESundberg at nitelusa.com Fri Mar 2 18:35:31 2012 From: ESundberg at nitelusa.com (Erik Sundberg) Date: Fri, 2 Mar 2012 17:35:31 -0600 Subject: [c-nsp] A switch with PoE support and powered by 48V DC In-Reply-To: <4F50F0ED.9000506@tibus.com> References: <20120302100158.GA64036@admin.sibptus.tomsk.ru> <4F50DE4F.7070305@tibus.com> <4F50DF45.3060006@tibus.com> <4F50F0ED.9000506@tibus.com> Message-ID: David, Check out the Cisco Switch Catalog Doc. It covers all Cisco switches by models and specs in one place and lists the power options too. http://www.cisco.com/en/US/prod/switches/ps5718/ps708/networking_solutions_products_genericcontent0900aecd805f0955.pdf Erik -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of David Farrell Sent: Friday, March 02, 2012 10:10 AM To: c-nsp Subject: Re: [c-nsp] A switch with PoE support and powered by 48V DC On 02/03/2012 14:55, David Farrell wrote: > > On 02/03/2012 14:50, David Farrell wrote: >> On 02/03/2012 10:01, Victor Sudakov wrote: >>> Colleagues, >>> >>> I need a switch with PoE support and powered by 48V DC, do you know of >>> such? >>> >>> TIA for any advice. >> >> Hi Victor, >> >> If you are looking for PoE access switches, I believe the 3560-E and >> -X series might be worth looking at as there are some DC power >> options for that series. >> >> David. > > The ME3600X/ME3800X also have DC power options. > > David. However, no PoE in ME switches (it's definitely Friday afternoon with me). David.
From taosysnet at gmail.com Fri Mar 2 22:48:05 2012 From: taosysnet at gmail.com (tao liu) Date: Sat, 3 Mar 2012 11:48:05 +0800 Subject: [c-nsp] router does not see IGMP joins In-Reply-To: <20120302050724.GA57590@admin.sibptus.tomsk.ru> References: <20120302050724.GA57590@admin.sibptus.tomsk.ru> Message-ID: You may check "IGMP activity: 8 joins, 6 leaves" to see if a new join is received. Maybe something is wrong with the multicast router config. On 3/2/12, Victor Sudakov wrote: > Colleagues, > > What could be the reason that a Cisco 1841 router (IOS 12.4(13r)T) > does not see IGMP joins to a particular group? tcpdump shows that the > joins are being sent to the network, however "debug ip igmp 224.0.1.3" > does not show them.
> > Here is the packet dump: http://zalil.ru/32803276 > and the configuration: > > > kedrovy#sh ip igmp interface fastEthernet 0/0 > FastEthernet0/0 is up, line protocol is up > Internet address is 10.14.128.129/26 > IGMP is enabled on interface > Current IGMP host version is 2 > Current IGMP router version is 2 > IGMP query interval is 60 seconds > IGMP querier timeout is 120 seconds > IGMP max query response time is 10 seconds > Last member query count is 2 > Last member query response interval is 1000 ms > Inbound IGMP access group is not set > IGMP activity: 8 joins, 6 leaves > Multicast routing is enabled on interface > Multicast TTL threshold is 0 > Multicast designated router (DR) is 10.14.128.129 (this system) > IGMP querying router is 10.14.128.129 (this system) > Multicast groups joined by this system (number of users): > 224.0.1.40(1) 224.0.1.1(1) > kedrovy# > > I can forcibly join the interface to the 224.0.1.3 group and then the > traffic begins to flow: > > kedrovy(config-if)#ip igmp join-group 224.0.1.3 > kedrovy(config-if)#^Z > kedrovy# > 1w2d: IGMP(0): WAVL Insert group: 224.0.1.3 interface: > FastEthernet0/0Successful > 1w2d: IGMP(0): Send v2 Report for 224.0.1.3 on FastEthernet0/0 > 1w2d: IGMP(0): Received v2 Report on FastEthernet0/0 from 10.14.128.129 for > 224.0.1.3 > 1w2d: IGMP(0): Received Group record for group 224.0.1.3, mode 2 from > 10.14.128.129 for 0 sources > 1w2d: IGMP(0): Switching to EXCLUDE mode for 224.0.1.3 on FastEthernet0/0 > 1w2d: IGMP(0): Updating EXCLUDE group timer for 224.0.1.3 > 1w2d: IGMP(0): MRT Add/Update FastEthernet0/0 for (*,224.0.1.3) by 0 > 1w2d: IGMP(0): MRT Add/Update FastEthernet0/0 for (*,224.0.1.3) by 4 > 1w2d: %SYS-5-CONFIG_I: Configured from console by vty0 (10.14.134.125) > kedrovy# > 1w2d: IGMP(0): Send v2 general Query on FastEthernet0/0 > 1w2d: IGMP(0): Set report delay time to 2.8 seconds for 224.0.1.3 on > FastEthernet0/0 > 1w2d: IGMP(0): Send v2 general Query on FastEthernet0/1 > kedrovy# > 1w2d: 
IGMP(0): Send v2 Report for 224.0.1.3 on FastEthernet0/0 > 1w2d: IGMP(0): Received v2 Report on FastEthernet0/0 from 10.14.128.129 for > 224.0.1.3 > 1w2d: IGMP(0): Received Group record for group 224.0.1.3, mode 2 from > 10.14.128.129 for 0 sources > 1w2d: IGMP(0): Updating EXCLUDE group timer for 224.0.1.3 > 1w2d: IGMP(0): MRT Add/Update FastEthernet0/0 for (*,224.0.1.3) by 0 > > -- > Victor Sudakov, VAS4-RIPE, VAS47-RIPN > sip:sudakov at sibptus.tomsk.ru

From panocisco77 at gmail.com Fri Mar 2 22:49:25 2012 From: panocisco77 at gmail.com (Renelson Panosky) Date: Fri, 2 Mar 2012 22:49:25 -0500 Subject: [c-nsp] McAfee M-4050 Console Message-ID: Good evening, I have this M-4050 IPS I am trying to console into and I am having a lot of difficulties. Is anybody in here familiar with them? Any advice? I am using the following setup: Baud rate: 38400, Number bits: 8, Parity: None, Stop bits: 1, Flow Control: None. I am not able to; please help.

From darkbasic at linuxsystems.it Sat Mar 3 17:19:32 2012 From: darkbasic at linuxsystems.it (Niccolò Belli) Date: Sat, 03 Mar 2012 23:19:32 +0100 Subject: [c-nsp] ipv6 nd raguard Message-ID: <4F5298F4.6040307@linuxsystems.it> Hi, Is there any news about Catalyst 3560 raguard support? Cheers, Niccolò

From eng_mssk at hotmail.com Sat Mar 3 19:58:53 2012 From: eng_mssk at hotmail.com (Mohammad Khalil) Date: Sun, 4 Mar 2012 02:58:53 +0200 Subject: [c-nsp] Cisco Watchdog Message-ID: Hi, I am trying to configure an event manager with WD functionality. When I configure Rack12R1(config-applet)#event ioswdsysmon sub1 cpu-proc ?
  op        Collected usage sample comparison operator
  period    Time period for collection samples to be averaged
  taskname  Name of IOS process to be monitored
  val       The value to be compared
I will have to choose a task from the table that "show processes cpu" gives me; suppose I want to monitor all of them using WD, what should I do? BR, Mohammad

From saku at ytti.fi Sun Mar 4 04:01:35 2012 From: saku at ytti.fi (Saku Ytti) Date: Sun, 4 Mar 2012 11:01:35 +0200 Subject: [c-nsp] ipv6 nd raguard In-Reply-To: <4F5298F4.6040307@linuxsystems.it> References: <4F5298F4.6040307@linuxsystems.it> Message-ID: <20120304090135.GA5786@pob.ytti.fi> On (2012-03-03 23:19 +0100), Niccolò Belli wrote: > Is there any news about Catalyst 3560 raguard support? Last I heard 3560G won't get it, ever. 3560[EX] should. But haven't asked about schedule lately. -- ++ytti

From darkbasic at linuxsystems.it Sun Mar 4 08:29:40 2012 From: darkbasic at linuxsystems.it (Niccolò Belli) Date: Sun, 04 Mar 2012 14:29:40 +0100 Subject: [c-nsp] ipv6 nd raguard In-Reply-To: <20120304090135.GA5786@pob.ytti.fi> References: <4F5298F4.6040307@linuxsystems.it> <20120304090135.GA5786@pob.ytti.fi> Message-ID: <4F536E44.20502@linuxsystems.it> On 04/03/2012 10:01, Saku Ytti wrote: > Last I heard 3560G won't get it, ever. 3560[EX] should. But haven't asked > about schedule lately. I have a WS-C3560-24PS-E, the point is: when? Cheers, Niccolò

From peter at rathlev.dk Sun Mar 4 12:07:49 2012 From: peter at rathlev.dk (Peter Rathlev) Date: Sun, 04 Mar 2012 18:07:49 +0100 Subject: [c-nsp] ipv6 nd raguard In-Reply-To: <4F536E44.20502@linuxsystems.it> References: <4F5298F4.6040307@linuxsystems.it> <20120304090135.GA5786@pob.ytti.fi> <4F536E44.20502@linuxsystems.it> Message-ID: <1330880869.4909.2.camel@abehat.dyn.net.rm.dk> On Sun, 2012-03-04 at 14:29 +0100, Niccolò Belli wrote: > On 04/03/2012 10:01, Saku Ytti wrote: > > Last I heard 3560G won't get it, ever. 3560[EX] should.
But haven't asked > > about schedule lately. > > I have a WS-C3560-24PS-E, the point is: when? That would be never, since that's not an E or X model. The "-E" in your model name makes it a device bought with "IP Services" software from the beginning. "IP Base" images end in "-S" and "LAN Base" in "-L". The E model that Saku refers to is e.g. "WS-C3560E-24TD-S", with the E placed just after "3560". -- Peter

From pavel.skovajsa at gmail.com Sun Mar 4 12:12:24 2012 From: pavel.skovajsa at gmail.com (Pavel Skovajsa) Date: Sun, 4 Mar 2012 18:12:24 +0100 Subject: [c-nsp] Trunking Private VLANs on 6509 In-Reply-To: <1330647718.2463.10.camel@sysadmin3a> References: <1330647718.2463.10.camel@sysadmin3a> Message-ID: Hi, indeed there is no option for 'Private Vlan Trunk' on a 6500 nowadays. Some time ago this was possible with CatOS but somehow the support for this did not get into Native IOS. The only real 'solution' is to use some loopback cables that 'translate' the incoming dot1q tag. Obviously you would need twice as many ports as there are vlans for this, so I would not call it a solution. Alternatively if you have the possibility to configure private vlans on the other switches, you can simply trunk the private vlans using a normal 'switchport mode trunk' on 6500 and allowing both primary and secondary over the trunk. Hope it helps. -pavel On Fri, Mar 2, 2012 at 1:21 AM, Justin Krejci wrote: > I am trying to trunk private vlans from a Cisco 6509 to some other > switches. There does not appear to be a way to do this but it works > great on a Cisco 4948. Does the 6509 not support doing this or is there > something else needed to make this work? > > Here is some sample config.
> ############
> Cisco 4948
> ############
>
> vlan 850
>  private-vlan isolated
> vlan 851
>  private-vlan primary
>  private-vlan association 850
>
> interface GigabitEthernet1/34
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan 850,900,910,911
>  switchport private-vlan trunk allowed vlan 850,900,910,911
>  switchport private-vlan association trunk 851 850
>  switchport private-vlan association trunk 901 900
>  switchport private-vlan association trunk 909 910
>  switchport private-vlan association trunk 912 911
>  switchport private-vlan association trunk 853 852
>  switchport mode private-vlan trunk
>
> interface Vlan851
>  ip address x.x.x.1 255.255.255.0
>  private-vlan mapping 850
>
> ############
> Cisco 6509
> Sup720-3BXL
> WS-X6748-GE-TX or WS-X6548-GE-TX
> IOS Version 12.2(33)SXI6 Advanced Enterprise
> ############
>
> vlan 850
>  private-vlan isolated
> vlan 851
>  private-vlan primary
>  private-vlan association 850
>
> interface GigabitEthernet1/1
>  switchport trunk encapsulation dot1q
> (everything after this point errors out because "trunk" is not an option
> for any of these)
>  switchport private-vlan trunk allowed vlan 850,900,910,911
>  switchport private-vlan association trunk 851 850
>  switchport private-vlan association trunk 901 900
>  switchport private-vlan association trunk 909 910
>  switchport private-vlan association trunk 912 911
>  switchport private-vlan association trunk 853 852
>  switchport mode private-vlan trunk

From peter at rathlev.dk Sun Mar 4 12:18:04 2012 From: peter at rathlev.dk (Peter Rathlev) Date: Sun, 04 Mar 2012 18:18:04 +0100 Subject: [c-nsp] replacing CARP with Cisco possible ?
In-Reply-To: References: <1330621220.1160.6.camel@abehat.dyn.net.rm.dk> Message-ID: <1330881484.4909.10.camel@abehat.dyn.net.rm.dk> On Fri, 2012-03-02 at 10:34 +0100, "Rolf Hanßen" wrote: > any idea how other providers offer such redundancy to end customers > (if they do at all) ? We have a mass of customers with /29 or /28 > networks and losing IPs isn't an option in such cases imo. I don't think there's a way around using the extra IP addresses if you want FHRP. Otherwise customers would typically get two /30 networks and two BGP sessions, providing better redundancy. > Using bigger networks would require giving up vlan separation each > customer, no option either. You could use private VLANs (or protected ports if the access layer is not too large) and still have customers layer 2 separated within that same VLAN. -- Peter

From artem at aws-net.org.ua Sun Mar 4 13:59:12 2012 From: artem at aws-net.org.ua (Artyom Viklenko) Date: Sun, 04 Mar 2012 20:59:12 +0200 Subject: [c-nsp] WS-X6704-10GE, WS-X6708-10GE In-Reply-To: <20120302202022.U30141@xkis.kis.ru> References: <4F50A4CF.6060109@aws-net.org.ua> <20120302145651.O48933@xkis.kis.ru> <4F50C851.9050007@aws-net.org.ua> <20120302202022.U30141@xkis.kis.ru> Message-ID: <4F53BB80.1000407@aws-net.org.ua> On 02.03.2012 18:30, Dmitry Valdov wrote: > Hi! > > No reload required. > I guess this command increases buffers between a card and fabric. > So... it doesn't help much. Last thing to try is to swap some ports. Think we really hit hardware limitations between pairs of ports. Anyway, thanks to all! > Well.. When a packet arrives.. It must come to the fabric and return > back to > the card.. What happens when two packets arrive at the same time? > > > On Fri, 2 Mar 2012, Artyom Viklenko wrote: > >> On 02.03.2012 13:03, Dmitry Valdov wrote: >>> >>> >>> >>> I had a similar problem a few months ago. >>> I saw overruns and loss of packets when much traffic flowed from one >>> port of 6704 to another port of the same card.
(Actually it was port >>> mirroring). >>> >>> The problem was fixed by configuring "fabric buffer-reserve low" (or >>> medium). >> >> Hm.. this increases space for incoming packets? Correct? >> Interesting. Do I need to reload the router after this command is applied? >>> >>> >>> On Fri, 2 Mar 2012, Artyom Viklenko wrote: >>> >>>> On 02.03.2012 12:03, Alan Buxey wrote: >>>>> without DFC cards, some work/decisions still have to go to the >>>>> supervisor. DFC (distributed) is what gives your modules autonomy >>>>> >>>>> alan >>>>> >>>> >>>> This is already clear. :) The only not-so-clear thing now is the >>>> internals of these line cards. >>>> >>>> Thank you! >>> >> >> >> -- >> Sincerely yours, >> Artyom Viklenko. >> ------------------------------------------------------- >> artem at aws-net.org.ua | http://www.aws-net.org.ua/~artem >> artem at viklenko.net | JID: artem at jabber.aws-net.org.ua >> FreeBSD: The Power to Serve - http://www.freebsd.org >> > -- Sincerely yours, Artyom Viklenko. ------------------------------------------------------- artem at aws-net.org.ua | http://www.aws-net.org.ua/~artem artem at viklenko.net | ================================ FreeBSD: The Power to Serve - http://www.freebsd.org

From darkbasic at linuxsystems.it Sun Mar 4 14:25:00 2012 From: darkbasic at linuxsystems.it (Niccolò Belli) Date: Sun, 04 Mar 2012 20:25:00 +0100 Subject: [c-nsp] ipv6 nd raguard In-Reply-To: <1330880869.4909.2.camel@abehat.dyn.net.rm.dk> References: <4F5298F4.6040307@linuxsystems.it> <20120304090135.GA5786@pob.ytti.fi> <4F536E44.20502@linuxsystems.it> <1330880869.4909.2.camel@abehat.dyn.net.rm.dk> Message-ID: <4F53C18C.8010409@linuxsystems.it> On 04/03/2012 18:07, Peter Rathlev wrote: > That would be never, since that's not an E or X model.
Oh that sounds bad, I didn't think Cisco considered the WS-C3560-24PS-E as a low end device :(

From peter at rathlev.dk Sun Mar 4 15:16:32 2012 From: peter at rathlev.dk (Peter Rathlev) Date: Sun, 04 Mar 2012 21:16:32 +0100 Subject: [c-nsp] ipv6 nd raguard In-Reply-To: <4F53C18C.8010409@linuxsystems.it> References: <4F5298F4.6040307@linuxsystems.it> <20120304090135.GA5786@pob.ytti.fi> <4F536E44.20502@linuxsystems.it> <1330880869.4909.2.camel@abehat.dyn.net.rm.dk> <4F53C18C.8010409@linuxsystems.it> Message-ID: <1330892192.6361.8.camel@abehat.dyn.net.rm.dk> On Sun, 2012-03-04 at 20:25 +0100, Niccolò Belli wrote: > On 04/03/2012 18:07, Peter Rathlev wrote: > > That would be never, since that's not an E or X model. > > Oh that sounds bad, I didn't think Cisco considered the WS-C3560-24PS-E > as a low end device :( I wouldn't call it low end, at least not among (user) access switches which is where RA Guard would make most sense. But the "original" 3560 has more or less been superseded by the -E and -X models. It's probably a priority thing for Cisco. But since we have no real hard facts, someone needs to ask their AM what the status really is. You can always use a manual traffic-filter:

ipv6 access-list Deny-RA
 deny icmp any any router-advertisement
 permit ipv6 any any
 exit
!
interface GigabitEthernet0/1
 ipv6 traffic-filter Deny-RA in
!

That should work just as well as RA Guard. (Beware that neither this nor "RA Guard" probably solves draft-gont-v6ops-ra-guard-evasion.)
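The Deny-RA filter above matches on the ICMPv6 header, and the evasion draft Peter cites is about making that header hard to find: the attacker pushes it behind one or more IPv6 extension headers, or into a fragment other than the first. The script below is an added example, not part of this thread and not Peter's or Cisco's code. It constructs three packets in memory (a plain RA, the same RA behind a Destination Options header, and the RA carried in a non-first fragment), then compares a filter that reads only the fixed header's Next Header field with one that walks the whole extension-header chain. The addresses, fragment identifier and the zeroed ICMPv6 checksum are constructed sample values, and the function names are mine. Whether a particular switch ASIC walks the chain is a question for its documentation; what the script shows is what a filter must do to defeat the first trick, and that no per-packet filter can decide the second, which is why the draft's remedy is to drop ND messages that arrive fragmented.

```python
"""Find ICMPv6 Router Advertisements behind IPv6 extension headers.

Added example, not part of the original thread and not Cisco's or the
poster's code. Three packets are constructed in memory (no network
access): a plain RA, the same RA behind a Destination Options header,
and the RA carried in a non-first fragment. The link-local source, the
all-nodes destination, the fragment identifier and the ICMPv6 checksum
(left at zero) are constructed sample values, not captured traffic.
"""
import struct

IPPROTO_HOPOPTS = 0      # Hop-by-Hop Options
IPPROTO_ROUTING = 43     # Routing header
IPPROTO_FRAGMENT = 44    # Fragment header
IPPROTO_ICMPV6 = 58
IPPROTO_DSTOPTS = 60     # Destination Options
# Extension headers that share the "next header, hdr ext len" layout
CHAINABLE = {IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_DSTOPTS}
# Upper-layer protocols that cannot carry an RA
UPPER_LAYER = {6, 17, 59}   # TCP, UDP, No Next Header
ICMPV6_ROUTER_ADVERTISEMENT = 134

# Constructed sample addresses: fe80::1 -> ff02::1 (all-nodes)
SRC = bytes.fromhex("fe80" + "0" * 27 + "1")
DST = bytes.fromhex("ff02" + "0" * 27 + "1")


def build_ipv6(next_header: int, payload: bytes) -> bytes:
    """Fixed 40-byte IPv6 header: version 6, hop limit 255 as RFC 4861 requires for ND."""
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 255, SRC, DST) + payload


def build_ra() -> bytes:
    """16-byte ICMPv6 RA: type 134, code 0, checksum 0 (constructed), cur hop limit 64,
    flags 0, router lifetime 1800 s, reachable and retrans timers 0."""
    return struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)


def build_dstopts(next_header: int) -> bytes:
    """8-byte Destination Options header holding a single PadN option."""
    return struct.pack("!BB", next_header, 0) + bytes([1, 4, 0, 0, 0, 0])


def build_fragment(next_header: int, offset_units: int, more: bool, ident: int) -> bytes:
    """8-byte Fragment header; the offset is in 8-octet units in the upper 13 bits."""
    return struct.pack("!BBHI", next_header, 0, (offset_units << 3) | int(more), ident)


def sample_packets() -> dict:
    ra = build_ra()
    return {
        "plain": build_ipv6(IPPROTO_ICMPV6, ra),
        "behind-dstopts": build_ipv6(IPPROTO_DSTOPTS, build_dstopts(IPPROTO_ICMPV6) + ra),
        # Second fragment of a larger datagram: offset 1 (8 octets), M flag clear.
        # The first fragment (not built here) would carry only extension headers.
        "non-first-fragment": build_ipv6(
            IPPROTO_FRAGMENT, build_fragment(IPPROTO_ICMPV6, 1, False, 0x1234) + ra),
    }


def naive_is_ra(pkt: bytes) -> bool:
    """Verdict of a filter that reads only the fixed header's Next Header field."""
    return pkt[6] == IPPROTO_ICMPV6 and pkt[40] == ICMPV6_ROUTER_ADVERTISEMENT


def classify(pkt: bytes) -> str:
    """Walk the extension-header chain; return 'ra', 'not-ra' or 'undetermined'.

    'undetermined' is the honest verdict for a non-first fragment or an unknown
    header: the upper-layer header is not in this packet, so a filter that
    must decide per packet cannot see it."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = pkt[6], 40
    while True:
        if nh == IPPROTO_ICMPV6:
            if off >= len(pkt):
                return "undetermined"
            return "ra" if pkt[off] == ICMPV6_ROUTER_ADVERTISEMENT else "not-ra"
        if nh in CHAINABLE:
            if off + 2 > len(pkt):
                return "undetermined"
            nh, ext_len = pkt[off], pkt[off + 1]
            off += (ext_len + 1) * 8        # hdr ext len excludes the first 8 octets
            continue
        if nh == IPPROTO_FRAGMENT:
            if off + 8 > len(pkt):
                return "undetermined"
            nh, _, off_flags, _ = struct.unpack_from("!BBHI", pkt, off)
            if off_flags >> 3:              # non-zero offset: not the first fragment
                return "undetermined"
            off += 8
            continue
        return "not-ra" if nh in UPPER_LAYER else "undetermined"


def compare(packets: dict) -> dict:
    """(naive verdict, chain-walking verdict) for every sample packet."""
    return {name: (naive_is_ra(p), classify(p)) for name, p in packets.items()}


if __name__ == "__main__":
    for name, (naive, walked) in compare(sample_packets()).items():
        print(f"{name:20s} naive={naive!s:5s} walked={walked}")
```

Run it and the middle row is the point: the naive check says "not ICMPv6" for the RA behind the Destination Options header, while the chain walker still finds type 134. The last row is the caveat: with the RA in a non-first fragment, even the walker can only report that it cannot decide, so a filter that wants to be safe has to treat fragmented ND as something to drop rather than something to let through.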
-- Peter

From zhangyongshun1986 at gmail.com Sun Mar 4 20:14:23 2012 From: zhangyongshun1986 at gmail.com (zhangyongshun) Date: Mon, 05 Mar 2012 09:14:23 +0800 Subject: [c-nsp] if cisco 7609 router reserve port bandwrith for routing protocol In-Reply-To: <2503DE55BA5E394390F26298212B1381026F3F69C6A0@EXVMBX017-1.exch017.msoutlookonline.net> References: <4F4EE177.108@gmail.com> <2503DE55BA5E394390F26298212B1381026F3F69C6A0@EXVMBX017-1.exch017.msoutlookonline.net> Message-ID: <4F54136F.9000002@gmail.com> But the default output queue is a FIFO queue. There is no priority queue in the output queueing strategy.

GigabitEthernet2/22 is up, line protocol is up (connected)
  Hardware is C6k 1000Mb 802.3, address is 001b.d4ec.e2ad (bia 001b.d4ec.e2ad)
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 24/255, rxload 20/255
  Encapsulation ARPA, loopback not set
  Full-duplex, 1000Mb/s, media type is LH
  input flow-control is off, output flow-control is off
  Clock mode is auto
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/2000/509319/0 (size/max/drops/flushes); Total output drops: 0
  /*/ Queueing strategy: fifo/
  Output queue: 0/40 (size/max)*/
  5 minute input rate 79621000 bits/sec, 17407 packets/sec
  5 minute output rate 97469000 bits/sec, 15490 packets/sec
     102001870122 packets input, 65464468703867 bytes, 0 no buffer
     Received 113016587 broadcasts, 0 runts, 0 giants, 0 throttles
     509319 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     100567604392 packets output, 80794980598966 bytes, 0 underruns
     0 output errors, 0 collisions, 4 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

> IF the packets are marked into queue 7 then they will be output first.
> HOWEVER SPD is used on input, there have been other threads about the OSPF dropping on BGP updates > Which happens fairly regularly on the 7600 code. > > Mack > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of zhangyongshun > Sent: Wednesday, February 29, 2012 7:40 PM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] if cisco 7609 router reserve port bandwrith for routing protocol > > Hi, everybody: > I always thought Cisco routers reserve 10-15% of port bandwidth for transporting routing protocol packets (e.g. RIP, OSPF). > In the FIFO output queue port (default config), how to guarantee the protocol packets are always transported first?

From vas at mpeks.tomsk.su Sun Mar 4 21:51:09 2012 From: vas at mpeks.tomsk.su (Victor Sudakov) Date: Mon, 5 Mar 2012 09:51:09 +0700 Subject: [c-nsp] A switch with PoE support and powered by 48V DC In-Reply-To: References: <20120302100158.GA64036@admin.sibptus.tomsk.ru> <4F50DE4F.7070305@tibus.com> <4F50DF45.3060006@tibus.com> <4F50F0ED.9000506@tibus.com> Message-ID: <20120305025109.GA6680@admin.sibptus.tomsk.ru> Erik Sundberg wrote: > > Check out the Cisco Switch Catalog Doc. It covers all Cisco switches by models and specs in one place and lists the power options too. > > http://www.cisco.com/en/US/prod/switches/ps5718/ps708/networking_solutions_products_genericcontent0900aecd805f0955.pdf A great resource, thank you very much. I think WS-C3560X-24P or WS-3560E-24TD with DC power supplies should do for my purposes.
-- Victor Sudakov, VAS4-RIPE, VAS47-RIPN sip:sudakov at sibptus.tomsk.ru From vas at mpeks.tomsk.su Sun Mar 4 21:58:29 2012 From: vas at mpeks.tomsk.su (Victor Sudakov) Date: Mon, 5 Mar 2012 09:58:29 +0700 Subject: [c-nsp] router does not see IGMP joins In-Reply-To: References: <20120302050724.GA57590@admin.sibptus.tomsk.ru> Message-ID: <20120305025829.GA7485@admin.sibptus.tomsk.ru> tao liu wrote: > you may check "IGMP activity: 8 joins, 6 leaves" to see if new join is received. "debug ip igmp 224.0.1.3" shows no reports received UNLESS I forcibly join the interface to the 224.0.1.3 group. > maybe something is wrong with multicast router config. I posted the output of "sh ip igmp interface", do you see anything wrong with the config? > > On 3/2/12, Victor Sudakov wrote: > > Colleagues, > > > > What could be the reason that a Cisco 1841 router (IOS 12.4(13r)T) > > does not see IGMP joins to a particular group? tcpdump shows that the > > joins are being sent to the network, however "debug ip igmp 224.0.1.3" > > does not show them. 
> > > > Here is the packet dump: http://zalil.ru/32803276 > > and the configuration: > > > > > > kedrovy#sh ip igmp interface fastEthernet 0/0 > > FastEthernet0/0 is up, line protocol is up > > Internet address is 10.14.128.129/26 > > IGMP is enabled on interface > > Current IGMP host version is 2 > > Current IGMP router version is 2 > > IGMP query interval is 60 seconds > > IGMP querier timeout is 120 seconds > > IGMP max query response time is 10 seconds > > Last member query count is 2 > > Last member query response interval is 1000 ms > > Inbound IGMP access group is not set > > IGMP activity: 8 joins, 6 leaves > > Multicast routing is enabled on interface > > Multicast TTL threshold is 0 > > Multicast designated router (DR) is 10.14.128.129 (this system) > > IGMP querying router is 10.14.128.129 (this system) > > Multicast groups joined by this system (number of users): > > 224.0.1.40(1) 224.0.1.1(1) > > kedrovy# > > > > I can forcibly join the interface to the 224.0.1.3 group and then the > > traffic begins to flow: > > > > kedrovy(config-if)#ip igmp join-group 224.0.1.3 > > kedrovy(config-if)#^Z > > kedrovy# > > 1w2d: IGMP(0): WAVL Insert group: 224.0.1.3 interface: > > FastEthernet0/0Successful > > 1w2d: IGMP(0): Send v2 Report for 224.0.1.3 on FastEthernet0/0 > > 1w2d: IGMP(0): Received v2 Report on FastEthernet0/0 from 10.14.128.129 for > > 224.0.1.3 > > 1w2d: IGMP(0): Received Group record for group 224.0.1.3, mode 2 from > > 10.14.128.129 for 0 sources > > 1w2d: IGMP(0): Switching to EXCLUDE mode for 224.0.1.3 on FastEthernet0/0 > > 1w2d: IGMP(0): Updating EXCLUDE group timer for 224.0.1.3 > > 1w2d: IGMP(0): MRT Add/Update FastEthernet0/0 for (*,224.0.1.3) by 0 > > 1w2d: IGMP(0): MRT Add/Update FastEthernet0/0 for (*,224.0.1.3) by 4 > > 1w2d: %SYS-5-CONFIG_I: Configured from console by vty0 (10.14.134.125) > > kedrovy# > > 1w2d: IGMP(0): Send v2 general Query on FastEthernet0/0 > > 1w2d: IGMP(0): Set report delay time to 2.8 seconds for 224.0.1.3 on > > 
FastEthernet0/0 > > 1w2d: IGMP(0): Send v2 general Query on FastEthernet0/1 > > kedrovy# > > 1w2d: IGMP(0): Send v2 Report for 224.0.1.3 on FastEthernet0/0 > > 1w2d: IGMP(0): Received v2 Report on FastEthernet0/0 from 10.14.128.129 for > > 224.0.1.3 > > 1w2d: IGMP(0): Received Group record for group 224.0.1.3, mode 2 from > > 10.14.128.129 for 0 sources > > 1w2d: IGMP(0): Updating EXCLUDE group timer for 224.0.1.3 > > 1w2d: IGMP(0): MRT Add/Update FastEthernet0/0 for (*,224.0.1.3) by 0 > > -- Victor Sudakov, VAS4-RIPE, VAS47-RIPN sip:sudakov at sibptus.tomsk.ru

From p.ambedkar at gmail.com Sun Mar 4 23:51:35 2012 From: p.ambedkar at gmail.com (Ambedkar) Date: Mon, 5 Mar 2012 10:21:35 +0530 Subject: [c-nsp] Configuration of E1.. Message-ID: Hi, I have a Cisco 2911 router which has an E1 card. Please give me some configuration examples on E1. Second thing is, if I want to test a back-to-back connection with E1, what type of cable is required? Thanks in advance, bye Ambi

From achatz at forthnetgroup.gr Mon Mar 5 05:12:24 2012 From: achatz at forthnetgroup.gr (Tassos Chatzithomaoglou) Date: Mon, 05 Mar 2012 12:12:24 +0200 Subject: [c-nsp] MPLS load-balancing on ME-3800X Message-ID: <4F549188.7090403@forthnetgroup.gr> Looking for MPLS load-balancing on ME-3800X, the page http://www.cisco.com/en/US/docs/switches/metro/me3600x_3800x/software/release/12.2_52_ey/configuration/guide/swmpls.html includes just the following note: ================================================================================ /For information about load balancing, see this URL: http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/pfc3mpls.html#wp1347055 / ================================================================================ which leads to the following: ================================================================================ /Basic MPLS Load Balancing The maximum number of load balancing paths is 8.
The PFC forwards MPLS labeled packets without explicit configuration. If the packet has three labels or less and the underlying packet is IPv4, then the PFC uses the source and destination IPv4 address. If the underlying packet is not IPv4 or more than three labels are present, the PFC parses down as deep as the fifth or lowest label and uses it for hashing. MPLS Layer 2 VPN Load Balancing Load balancing is based on the VC label in the MPLS core if the first nibble of the MAC address in the customer Ethernet frame is not 4. Note Load balancing is not supported at the ingress PE for Layer 2 VPNs. Load balancing is done based on the VC label and it is pre-selected. MPLS Layer 3 VPN Load Balancing MPLS Layer 3 VPN load balancing is similar to basic MPLS load balancing. / ================================================================================ Is this the way ME-3800X also works? -- Tassos

From achatz at forthnetgroup.gr Mon Mar 5 05:18:27 2012 From: achatz at forthnetgroup.gr (Tassos Chatzithomaoglou) Date: Mon, 05 Mar 2012 12:18:27 +0200 Subject: [c-nsp] MPLS load-balancing on ME-3800X In-Reply-To: <4F549188.7090403@forthnetgroup.gr> References: <4F549188.7090403@forthnetgroup.gr> Message-ID: <4F5492F3.1090509@forthnetgroup.gr> To correct my first email, I'm looking for ether-channel load-balancing of MPLS traffic. The page at http://www.cisco.com/en/US/docs/switches/metro/me3600x_3800x/software/release/12.2_52_ey/configuration/guide/swethchl.html#wp1116754 doesn't have any reference to usage of labels.
-- Tassos Tassos Chatzithomaoglou wrote on 5/3/2012 12:12: > Looking for MPLS load-balancing on ME-3800X, the page > http://www.cisco.com/en/US/docs/switches/metro/me3600x_3800x/software/release/12.2_52_ey/configuration/guide/swmpls.html > includes just the following note: > > ================================================================================ > /For information about load balancing, see this URL: > > http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/pfc3mpls.html#wp1347055 > / > ================================================================================ > > which leads to the following: > > ================================================================================ > /Basic MPLS Load Balancing > The maximum number of load balancing paths is 8. The PFC forwards MPLS labeled packets > without explicit configuration. If the packet has three labels or less and the > underlying packet is IPv4, then the PFC uses the source and destination IPv4 address. If > the underlying packet is not IPv4 or more than three labels are present, the PFC parses > down as deep as the fifth or lowest label and uses it for hashing. > > MPLS Layer 2 VPN Load Balancing > Load balancing is based on the VC label in the MPLS core if the first nibble of the MAC > address in the customer Ethernet frame is not 4. > Note Load balancing is not supported at the ingress PE for Layer 2 VPNs. Load balancing > is done based on the VC label and it is pre-selected. > > MPLS Layer 3 VPN Load Balancing > MPLS Layer 3 VPN load balancing is similar to basic MPLS load balancing. / > ================================================================================ > > Is this the way ME-3800X also works? 
>

From taglio at gmail.com Mon Mar 5 05:19:38 2012 From: taglio at gmail.com (Riccardo Giuntoli) Date: Mon, 5 Mar 2012 11:19:38 +0100 Subject: [c-nsp] help with the correct choice of a cisco router Message-ID: Hello there, first of all nice to talk with you for the first time on this ML. My name is Riccardo Giuntoli and I'm writing from Spain, how're you guys? I've got a customer that has some simple tasks to do and we want to realize this with a Cisco router; those are the points to comply with:
1. ISP will give my customer access with a normal UTP cable and forward him 50/50 Mbps internet access bandwidth
2. ISP will statically assign to my customer a /29 of IPv4 addresses that my client will forward to other machines in the DMZ
3. My customer wants to statically shape bandwidth to the public IPs (like 3/3 to one IP, 10/10 to another) and reserve a piece to dynamically assign between users of different VLANs that will use the internet behind NAT.
4. IPSec VPN support for site-to-site and roadwarrior users would be appreciated.
I've thought about 1941 with no expansion slot or 1921. Any suggestions? Best Regards, RG. Email: taglio at gmail.com Location: Canyelles, BCN, España PGP Key: 0x67123739 PGP Fingerprint: CE75 16B5 D855 842FAB54 FB5C DDC6 4640 6712 3739 Key server: hkp://wwwkeys.eu.pgp.net

From smccrory at gcicom.net Mon Mar 5 06:06:42 2012 From: smccrory at gcicom.net (Steve McCrory) Date: Mon, 5 Mar 2012 11:06:42 -0000 Subject: [c-nsp] help with the correct choice of a cisco router References: Message-ID: <1C748D48EFD36B4AA0B934E8B4E2998003E682EC@ipi-cc-srv04.ipinfrastructures.com> Hi Riccardo, The Cisco recommended WAN speed for the 1941 is 30 Mbps which I think rules this model out for you as you will be enabling a number of services (NAT, IPSec and Shaping from what I can see). I'd suggest looking at the 2900s or even 3900s for your deployment. Have a look at the Miercom reports for the ISR G2's as they have tested certain models fully loaded with services.
Regards Steven -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Riccardo Giuntoli Sent: 05 March 2012 10:20 To: cisco-nsp at puck.nether.net Subject: [c-nsp] help with the correct choice of a cisco router Hello there, first of all nice to talk with us for the first time in this ml. My name is Riccardo Giuntoli and i'm writing from Spain, how're you guys? I've got a customer that have some simple task to do and we want to realize this with a cisco router, those are the points to comply: 1. ISP will give my customer access with a normal UTP cable and forward him 50/50mbps internet access bandwidth 2. ISP will statically assign to my customer a /29 of IPv4 address that my client will forward to others machines in the DMZ 3. My customer want to statically shape bandwidth to the publics ips (like 3/3 to one ip, 10/10 to another) and reserve a piece to dynamically assign between user of diferrent VLAN that will use internet behind nat. 4. It will be appreciated IPSec VPN support for site-to-site and roadwarrior users. I've thought about 1941 with no expansion slot or 1921. Any suggestions? Best Regards, RG. Email: taglio at gmail.com Location: Canyelles, BCN, Espa?a PGP Key: 0x67123739 PGP Fingerprint: CE75 16B5 D855 842FAB54 FB5C DDC6 4640 6712 3739 Key server: hkp://wwwkeys.eu.pgp.net _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ Steve McCrory Senior Network Engineer GCI Com Cedar Court Office Park Denby Dale Road Calder Grove Wakefield WF4 3QZ Office: 0844 443 3537 Fax: 0844 443 3540 http://www.gcicom.net/ This email has been swept by Webroot for viruses. Any files transmitted with it are confidential and intended solely for the email recipient. If you are not the intended recipient please delete this email immediately. 
Be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this email in error please notify the system administrator. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company. Finally, the recipient should check this email and any attachments for the presence of viruses. GCI Com incorporates the following Group Companies: GCI Telecom Group Limited Reg. No. 5396496, Edge Telecommunications Ltd Reg. No. 5748740, Edge Telecom Ltd Reg. No. 3101247, IP Infrastructures Ltd Reg. No. 4657026, Invomo Ltd Reg. No. 6267056, NetServices UK Ltd Reg. No. 7118768, WAN Services Ltd Reg. No. 4082862. All Registered in England and Wales, Registered Office: Global House, 2 Crofton Close, Lincoln, LN3 4NT From taglio at gmail.com Mon Mar 5 06:42:45 2012 From: taglio at gmail.com (Riccardo Giuntoli) Date: Mon, 5 Mar 2012 12:42:45 +0100 Subject: [c-nsp] help with the correct choice of a cisco router In-Reply-To: <1C748D48EFD36B4AA0B934E8B4E2998003E682EC@ipi-cc-srv04.ipinfrastructures.com> References: <1C748D48EFD36B4AA0B934E8B4E2998003E682EC@ipi-cc-srv04.ipinfrastructures.com> Message-ID: Ok thank you Steve for rapid reply. >From what i can see in the report ( https://docs.google.com/viewer?url=http%3A%2F%2Fwww.miercom.com%2Fpdf%2Freports%2F20100528.pdf) it seem to be that the minimum complain to my points is 2900 series and i think that i'll buy 2901. It'll be better 2951 one but the prices are so high rounding 5000$ correct? Nice Regards to all the list. On Mon, Mar 5, 2012 at 12:06 PM, Steve McCrory wrote: > Hi Riccardo, > > The Cisco recommended WAN speed for the 1941 is 30Mbp which I think rules > this model out for you as you will be enabling a number of services (NAT, > IPSec and Shaping from what I can see) > > I'd suggest looking at the 2900s or even 3900s for your deployment. 
> Have a
> look at the Miercom reports for the ISR G2's as they have tested certain
> models fully loaded with services.
>
> Regards
>
> Steven

From nick at foobar.org  Mon Mar  5 07:03:00 2012
From: nick at foobar.org (Nick Hilliard)
Date: Mon, 05 Mar 2012 12:03:00 +0000
Subject: [c-nsp] help with the correct choice of a cisco router
In-Reply-To:
References: <1C748D48EFD36B4AA0B934E8B4E2998003E682EC@ipi-cc-srv04.ipinfrastructures.com>
Message-ID: <4F54AB74.4050203@foobar.org>

On 05/03/2012 11:42, Riccardo Giuntoli wrote:
> From what i can see in the report (
> https://docs.google.com/viewer?url=http%3A%2F%2Fwww.miercom.com%2Fpdf%2Freports%2F20100528.pdf)
> it seem to be that the minimum complain to my points is 2900 series
> and i think that i'll buy 2901.

As with all tests, you need to be careful to understand who designed and who paid for the tests. It's not clear in this instance, but there are at least a couple of Cisco kit tests out there (including at least one from Miercom) which provide results which are quite misleading due to deliberate test design decisions.

Nick

From taglio at gmail.com  Mon Mar  5 07:13:11 2012
From: taglio at gmail.com (Riccardo Giuntoli)
Date: Mon, 5 Mar 2012 13:13:11 +0100
Subject: [c-nsp] help with the correct choice of a cisco router
In-Reply-To: <4F54AB74.4050203@foobar.org>
References: <1C748D48EFD36B4AA0B934E8B4E2998003E682EC@ipi-cc-srv04.ipinfrastructures.com> <4F54AB74.4050203@foobar.org>
Message-ID:

Do you have any particular recommendation and/or link to some tests that you consider interesting?
On Mon, Mar 5, 2012 at 1:03 PM, Nick Hilliard wrote:
> As with all tests, you need to be careful to understand who designed and
> who paid for the tests. It's not clear in this instance, but there are at
> least a couple of Cisco kit tests out there (including at least one from
> Miercom) which provide results which are quite misleading due to deliberate
> test design decisions.
>
> Nick

From nick at foobar.org  Mon Mar  5 07:52:13 2012
From: nick at foobar.org (Nick Hilliard)
Date: Mon, 05 Mar 2012 12:52:13 +0000
Subject: [c-nsp] help with the correct choice of a cisco router
In-Reply-To:
References: <1C748D48EFD36B4AA0B934E8B4E2998003E682EC@ipi-cc-srv04.ipinfrastructures.com> <4F54AB74.4050203@foobar.org>
Message-ID: <4F54B6FD.3090109@foobar.org>

On 05/03/2012 12:13, Riccardo Giuntoli wrote:
> Do you have any particular recommendation and/or link to some tests that
> you consider interesting?

Unfortunately not.

Just in case it isn't clear from my previous email, the test results they provide should be considered accurate in the context of the methodology they used. I'm not suggesting for a moment that the results aren't repeatable and consequently an accurate portrayal of what they're testing. The problem is that vendors often suggest subtle configuration tweaks which make a dramatic difference to the results. E.g. two that come to mind are the EANTC c6500 10G test:

> http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd800c958a.pdf

In this case, the choice of port used by the tester turned out to be critical due to ASIC layout.

Also, the Miercom N5K vs Arista 7124:

> http://www.cisco.com/web/strategy/docs/finance/miercom_n5k_testrpt.pdf

... where it turned out that the entire test was designed in favour of the N5K, even down to the exact choice of packet size used in the testing configuration.

What's important to understand about both of these tests is that they are completely repeatable and consequently completely accurate in terms of providing a result about the particular methodology used. However, you cannot generalise the test results and say that in general a sup720 + ws-x6704-10ge handles 10G at line rate or that in general an Arista 7124 drops packets all over the floor in situations where an N5k wouldn't. This is because the tests are loaded.

I haven't looked at the miercom ISR G2 tests and can't comment on them other than to say that I'm sure they're repeatable. But as with all vendor tests, I remain sceptical about whether they provide a good overall view of the ISR G2 products.

Nick

From taosysnet at gmail.com  Mon Mar  5 08:10:09 2012
From: taosysnet at gmail.com (tao)
Date: Mon, 5 Mar 2012 21:10:09 +0800
Subject: [c-nsp] WS-X6704-10GE, WS-X6708-10GE
In-Reply-To: <4F50A9E4.6060209@bromirski.net>
References: <4F508120.6020105@aws-net.org.ua> <4F50A9E4.6060209@bromirski.net>
Message-ID:

2012/3/2 Łukasz Bromirski
> On 2012-03-02 09:13, Artyom Viklenko wrote:
>
>> I'm trying to clarify my understanding of switching paths on these
>> line cards. From one point of view, Cisco docs say that if the
>> traffic should ingress via one port on the line card and then
>> should egress through another port on the same line card it will
>> never leave this line card. So it will be switched via internal
>> bus. Right?
>
> No, and if it says so somewhere, please point it to the doc team
> to fix it.
>
> Both 6704 and 6708 have two complexes of Fabric ASICs.
> The 6708 you can see on figure 21 here:
> http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd80673385.html
>

Suppose ports A and B belong to fabric channel 1 and port C belongs to fabric channel 2. How does traffic pass from port A to port B with/without DFC? And is there any difference for traffic passing from port A to port C? I am wondering whether the traffic passes through the switch fabric. Is the switch fabric a passive component? Thanks.

> The port mappings for Fabric ASICs should be found in the hardware
> installation notes under the 'Switch fabric connections' in the
> tables for specific LC:
> http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/hardware/Module_Installation/Mod_Install_Guide/02ethern.html#wp1048010
>
> Essentially, traffic from one Fabric ASIC to the ports on the
> other Fabric ASIC will go over the fabric itself. Only traffic
> belonging to the same Fabric ASIC will be switched locally if of
> course there's a DFC installed.
>
> --
> "There's no sense in being precise when  | Łukasz Bromirski
>  you don't know what you're talking      | jid:lbromirski at jabber.org
>  about."               John von Neumann  | http://lukasz.bromirski.net

From taglio at gmail.com  Mon Mar  5 10:28:59 2012
From: taglio at gmail.com (Riccardo Giuntoli)
Date: Mon, 5 Mar 2012 16:28:59 +0100
Subject: [c-nsp] help with the correct choice of a cisco router
In-Reply-To: <4F54B6FD.3090109@foobar.org>
References: <1C748D48EFD36B4AA0B934E8B4E2998003E682EC@ipi-cc-srv04.ipinfrastructures.com> <4F54AB74.4050203@foobar.org> <4F54B6FD.3090109@foobar.org>
Message-ID:

Ok, thanks for your time and explanation.

Cheers.

From rockwilder101 at gmail.com  Mon Mar  5 15:23:34 2012
From: rockwilder101 at gmail.com (David Farje)
Date: Mon, 5 Mar 2012 15:23:34 -0500
Subject: [c-nsp] ASR9k for NAT
Message-ID:

Hi,

We currently have ASR 1006 with RP1 and ESP20, but it is running some things that are killing the memory.
1. Full internet routing table from 3 peers.
2. NAT
3. NAT logging via Netflow

We are a small-to-medium sized ISP and we are looking for a cheap way to support many NAT translations.
I would like to know if ASR9k can support NAT, but without the ISM module that offers CGN (carrier grade nat), which is too much, and too expensive.

Or maybe other solutions?
From merlyn at geeks.org  Mon Mar  5 16:27:55 2012
From: merlyn at geeks.org (Doug McIntyre)
Date: Mon, 5 Mar 2012 15:27:55 -0600
Subject: [c-nsp] help with the correct choice of a cisco router
In-Reply-To:
References:
Message-ID: <20120305212755.GA39976@geeks.org>

On Mon, Mar 05, 2012 at 11:19:38AM +0100, Riccardo Giuntoli wrote:
> Hello there, first of all nice to talk with us for the first time in this
> ml. My name is Riccardo Giuntoli and i'm writing from Spain, how're you
> guys?
>
> I've got a customer that have some simple task to do and we want to realize
> this with a cisco router, those are the points to comply:

Why a router, and not a firewall instead? They will more easily hit your requirements at a cheaper price point.

From taglio at gmail.com  Mon Mar  5 16:36:13 2012
From: taglio at gmail.com (Riccardo Giuntoli)
Date: Mon, 5 Mar 2012 22:36:13 +0100
Subject: [c-nsp] help with the correct choice of a cisco router
In-Reply-To: <20120305212755.GA39976@geeks.org>
References: <20120305212755.GA39976@geeks.org>
Message-ID:

Yuhm, I hadn't thought about a firewall, for sure... do you speak about some ASA machine? Do you have some suggestions?

Regards,

On Mon, Mar 5, 2012 at 10:27 PM, Doug McIntyre wrote:
> Why a router, and not a firewall instead? They will more easily hit
> your requirements at a chaper price point.

From rockwilder101 at gmail.com  Mon Mar  5 16:44:23 2012
From: rockwilder101 at gmail.com (David Farje)
Date: Mon, 5 Mar 2012 16:44:23 -0500
Subject: [c-nsp] ASR9k for large scale NAT?
Message-ID:

Hi,

We currently have ASR 1006 with RP1 and ESP20, but it is running some things that are killing the memory.
1. Full internet routing table from 3 peers.
2. NAT
3. NAT logging via Netflow

We are a small-to-medium sized ISP and we are looking for a cheap way to support many NAT translations.
I would like to know if ASR9k can support NAT, but without the ISM module that offers CGN (carrier grade nat), which is too much, and too expensive.

Or maybe other solutions?

From nick at foobar.org  Mon Mar  5 17:19:00 2012
From: nick at foobar.org (Nick Hilliard)
Date: Mon, 05 Mar 2012 22:19:00 +0000
Subject: [c-nsp] ASR9k for large scale NAT?
In-Reply-To:
References:
Message-ID: <4F553BD4.5090404@foobar.org>

On 05/03/2012 21:44, David Farje wrote:
> Hi,
>
> We currently have ASR 1006 with RP1 and ESP20, but it is running some
> things that are killing the memory.
> 1. Full internet routing table from 3 peers.
> 2. NAT
> 3. NAT logging via Netflow

not surprised it's bombing out on memory. You could separate out the NAT functionality from the transit router functionality here - e.g. 1 or more routers acting as transit routers and then a NAT layer between that and your customers. That would certainly give you lots of breathing room. You could also put more DRAM into the ASR1k - the RP1 will take up to 4G.
Alternatively, you could upgrade to an RP2 and bump the RAM up to 16G. I.e. lots of options without having to go to the expense of an asr9k.

Nick

> We are a small-to-medium sized ISP and we are looking for a cheap way to
> support many NAT translations.
> I would like to know if ASR9k can support NAT, but without the ISM module
> that offers CGN (carrier grade nat) but
> it's too much, and too expensive.
>
> Or maybe other solutions?

From mike.bushard at arvig.com  Mon Mar  5 17:28:40 2012
From: mike.bushard at arvig.com (Mike Bushard)
Date: Mon, 5 Mar 2012 16:28:40 -0600
Subject: [c-nsp] ASR9k for large scale NAT?
In-Reply-To: <4F553BD4.5090404@foobar.org>
References: <4F553BD4.5090404@foobar.org>
Message-ID: <3aee227684409f1ce19ff9f973ab98ec@mail.gmail.com>

If you're not at 4Gig RAM already, go that route. The newer IOS-XE trains with 2 BGP peers put 90%+. We went to 4GB RAM with latest IOS, 2 upstream BGP peers with full tables and 2 downstream peers, and 4,000+ NAT entries (long story, don't ask; migrating them out as fast as we can) and sit at about 35% according to Orion NPM.

Mike Bushard, Jr | Network Engineer IV | Arvig

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Nick Hilliard
Sent: Monday, March 05, 2012 4:19 PM
To: David Farje
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ASR9k for large scale NAT?

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From josh at base-2.co.nz  Mon Mar  5 18:47:01 2012
From: josh at base-2.co.nz (Josh Farrelly)
Date: Tue, 6 Mar 2012 12:47:01 +1300
Subject: [c-nsp] help with the correct choice of a cisco router
In-Reply-To:
References: <20120305212755.GA39976@geeks.org>
Message-ID: <33EEA0B0474D634BA31117F32099CBF40282FC46@b2dcsbsmteden.base-2.co.nz>

From what you've mentioned there'd likely be no reason you couldn't use an ASA5510 for the requirements you've laid out below. We have 2x ASA5510's in an active/passive cluster at a customer site. It's connected to a 100/100Mbps link and it quite happily handles several thousand connections and throughputs at full rates in either direction. We've had no issues with them, apart from a PSU failure and a few configuration issues with WCCP.
They've been in service for the better part of 2 years now.

I guess it comes down to what you're most comfortable with at the end of the day.

Regards,

Josh.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Riccardo Giuntoli
Sent: Tuesday, 6 March 2012 10:36 a.m.
To: Doug McIntyre; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] help with the correct choice of a cisco router

Yuhm, i've not think about a firewall for sure... do you speak about some ASA machine? Do you have some suggestions?

From herro91 at gmail.com  Mon Mar  5 21:37:44 2012
From: herro91 at gmail.com (Herro91)
Date: Mon, 5 Mar 2012 21:37:44 -0500
Subject: [c-nsp] IPv6 RA filter on Layer 2 switch with edge ports configured as trunk
Message-ID:

Hi,

Trying to figure out a solution on how to implement an IPv6 Traffic Filter to block RA messages on a 4948 that is configured as an L2 switch. More specifically, the edge ports are configured as trunks to an ESX host which has many VMs (Windoze, Linux, etc).

Given the trunk port config, I know I could do a VACL, but those lack direction (input/output) so it seems like a non-starter.

Appreciate any thoughts/advice

From keegan.holley at sungard.com  Mon Mar  5 22:09:11 2012
From: keegan.holley at sungard.com (Keegan Holley)
Date: Mon, 5 Mar 2012 22:09:11 -0500
Subject: [c-nsp] twin-gig converters
Message-ID:

I seem to remember someone posting that using twin-gig converters on a 4900M shrinks the buffers on the resulting gig interfaces. I can only find complaints about the 3560 and 3750 (non-x) in the archives though. Can anyone fill in the blanks in my memory?
From mtinka at globaltransit.net  Tue Mar  6 00:54:16 2012
From: mtinka at globaltransit.net (Mark Tinka)
Date: Tue, 6 Mar 2012 13:54:16 +0800
Subject: [c-nsp] preference on bgp route advertisements
In-Reply-To: <4F514FD2.4000007@yahoo.com>
References: <4F514FD2.4000007@yahoo.com>
Message-ID: <201203061354.19572.mtinka@globaltransit.net>

On Saturday, March 03, 2012 06:55:14 AM msprouffske at yahoo.com wrote:

> I currently have prefix list filtering in place on my
> core routers and I advertise a default route to my dsl
> routers. My question is, what is the best practice for
> advertising bgp routes in the core? I would like to
> redistribute connected and static in bgp instead of
> adding network statements under the bgp process. Just
> trying to get some feedback on this before I start
> changing my core network.

For static routes, assigning a tag to the routes and referencing that in a route-map which is attached to a BGP policy will get you what you want. The tag is useful to ensure you don't end up redistributing more routes into BGP than you should.

For Connected routes, well, to ensure you don't redistribute interface routes that shouldn't be in BGP, you'd need to add another match condition such as a prefix list.

You need to evaluate whether the efforts of both options above are more or less efficient than the 'network' statement option, in your particular environment.

Mark.

From mtinka at globaltransit.net  Tue Mar  6 01:01:47 2012
From: mtinka at globaltransit.net (Mark Tinka)
Date: Tue, 6 Mar 2012 14:01:47 +0800
Subject: [c-nsp] MPLS load-balancing on ME-3800X
In-Reply-To: <4F5492F3.1090509@forthnetgroup.gr>
References: <4F549188.7090403@forthnetgroup.gr> <4F5492F3.1090509@forthnetgroup.gr>
Message-ID: <201203061401.48315.mtinka@globaltransit.net>

On Monday, March 05, 2012 06:18:27 PM Tassos Chatzithomaoglou wrote:

> To correct my first email, i'm looking for ether-channel
> load-balancing of MPLS traffic.

AFAIK, you don't get any MPLS-based load balancing options for 802.1AX on the ME3600X/3800X as you would on the 6500.

However, we do have some ME3600X's running as pure Layer 2 core switches in some small PoP's, and they are able to load share MPLS traffic coming from MPLS-speaking/encapsulating routers. Not quite sure how that is happening, but compared to the Juniper EX4200's we had there before, which failed completely to do the same, something is happening on the ME3600X's in a good way. Just been too busy to follow up with Cisco.

Maybe Waris can chime in if he sees this.

Mark.

From mtinka at globaltransit.net  Tue Mar  6 01:07:24 2012
From: mtinka at globaltransit.net (Mark Tinka)
Date: Tue, 6 Mar 2012 14:07:24 +0800
Subject: [c-nsp] ASR9k for large scale NAT?
In-Reply-To: <4F553BD4.5090404@foobar.org>
References: <4F553BD4.5090404@foobar.org>
Message-ID: <201203061407.24354.mtinka@globaltransit.net>

On Tuesday, March 06, 2012 06:19:00 AM Nick Hilliard wrote:

> not surprised it's bombing out on memory. You could
> separate out the NAT functionality from the transit
> router functionality here - e.g. 1 or more routers
> acting as transit routers and then a NAT layer between
> that and your customers.
> That would certainly give you
> lots of breathing room. You could also put more DRAM
> into the ASR1k - the RP1 will take up to 4G.
> Alternatively, you could upgrade to an RP2 and bump the
> RAM up to 16G.

Agree - I'd go RP2 rather than looking at anything bigger, especially since RAM is your issue, not forwarding capacity.

Mark.

From reuben-cisco-nsp at reub.net  Tue Mar  6 03:29:45 2012
From: reuben-cisco-nsp at reub.net (Reuben Farrelly)
Date: Tue, 06 Mar 2012 19:29:45 +1100
Subject: [c-nsp] ME3600 BGP Route-Maps and IPv6 (WAS: Re: preference on bgp route advertisements)
In-Reply-To: <201203061354.19572.mtinka@globaltransit.net>
References: <4F514FD2.4000007@yahoo.com> <201203061354.19572.mtinka@globaltransit.net>
Message-ID: <4F55CAF9.1040504@reub.net>

On 6/03/2012 4:54 PM, Mark Tinka wrote:
> For static routes, assigning a tag to the routes and
> referencing that in a route-map which is attached to a BGP
> policy will get you what you want. The tag is useful to
> ensure you don't end up redistributing more routes into BGP
> than you should.
>
> For Connected routes, well, to ensure you don't redistribute
> interface routes that shouldn't be in BGP, you'd need to add
> another match condition such as a prefix list.
>
> You need to evaluate whether the efforts of both options
> above are more or less efficient than the 'network'
> statement option, in your particular environment.

It's actually rather topical that your two postings today, Mark, have been separately about BGP route advertisements and the ME3600's, because just a few hours ago I logged a TAC case on the BGP route-map broken-ness I am currently seeing on the ME3600/ME3800s I have.
This config (simplified a bit):

router bgp 38858
 address-family ipv6
  redistribute static route-map IBGP-STATICS
 exit-address-family

route-map IBGP-STATICS permit 10
 description Customer Subnet
 match ip address prefix-list PERMIT-CUSTOMER-SUBNET
 set origin igp
 set community 38858:2504
!
route-map IBGP-STATICS permit 100
 description Set a community on static routed internal only subnets which are not otherwise defined above
 set community 38858:201 no-export

ip prefix-list PERMIT-CUSTOMER-SUBNET seq 20 permit 203.56.29.0/24

ipv6 route 2401:8C00:99::/64 Null0

Gives this:

sw7.nsw#show ip bgp ipv6 unicast 2401:8C00:99::/64
BGP routing table entry for 2401:8C00:99::/64, version 271
Paths: (2 available, best #2, table default)
  Not advertised to any peer
  Local
    2401:8C00::42 (metric 1) from 2401:8C00::41 (124.158.18.41)
      Origin IGP, metric 0, localpref 100, valid, internal
      Community: 38858:2504
      Originator: 203.56.29.230, Cluster list: 124.158.18.41
  Local
    2401:8C00::42 (metric 1) from 2401:8C00::40 (124.158.18.40)
      Origin IGP, metric 0, localpref 100, valid, internal, best
      Community: 38858:2504
      Originator: 203.56.29.230, Cluster list: 124.158.18.40
sw7.nsw#

WTF? The IPv6 prefix has been matched by the IPv4 specific route-map sequence 10, and the community from that route map of 38858:2504 'set' on the router. It should be falling through to sequence 100 on account of a no-match on sequence 10, I thought. I mean it's not even the same friggin protocol...

(And no, there are no IPv6 prefix lists defined at all, anywhere, on that switch)

On other platforms such as ISR G1s and ISR G2s running 15.1(4)M3 this works as expected. IPv4 and IPv6 routes that fall through have these community values set right.

15.1(2)EY1a, TAC case SR 620949745 for anyone who is interested. The TAC engineer is currently assessing the business impact and researching.

Bit hard to emphasize the severity of this one in terms of impact to end users...............
Reuben

From saku at ytti.fi Tue Mar 6 04:18:29 2012
From: saku at ytti.fi (Saku Ytti)
Date: Tue, 6 Mar 2012 11:18:29 +0200
Subject: [c-nsp] ipv6 nd raguard
In-Reply-To: <20120304090135.GA5786@pob.ytti.fi>
References: <4F5298F4.6040307@linuxsystems.it> <20120304090135.GA5786@pob.ytti.fi>
Message-ID: <20120306091829.GA30111@pob.ytti.fi>

On (2012-03-04 11:01 +0200), Saku Ytti wrote:
> On (2012-03-03 23:19 +0100), Niccolò Belli wrote:
>
> > Is there any news about Catalyst 3560 raguard support?
>
> Last I heard 3560G won't get it, ever. 3560[EX] should. But haven't asked
> about schedule lately.

I'm just going through slide-deck which confirms this.

Not coming for 3560, 3560G
2012Q3 for 3560[EX], 2960[ESX]
2012H2 for CAT7600
2013Q1 for CAT4500

--
  ++ytti

From erey at ernw.de Tue Mar 6 04:34:20 2012
From: erey at ernw.de (Enno Rey)
Date: Tue, 6 Mar 2012 10:34:20 +0100
Subject: [c-nsp] ipv6 nd raguard
In-Reply-To: <20120306091829.GA30111@pob.ytti.fi>
References: <4F5298F4.6040307@linuxsystems.it> <20120304090135.GA5786@pob.ytti.fi> <20120306091829.GA30111@pob.ytti.fi>
Message-ID: <20120306093420.GV55132@ernw.de>

Hi,

On Tue, Mar 06, 2012 at 11:18:29AM +0200, Saku Ytti wrote:
> On (2012-03-04 11:01 +0200), Saku Ytti wrote:
> > On (2012-03-03 23:19 +0100), Niccolò Belli wrote:
> >
> > > Is there any news about Catalyst 3560 raguard support?
> >
> > Last I heard 3560G won't get it, ever. 3560[EX] should. But haven't asked
> > about schedule lately.
>
> I'm just going through slide-deck which confirms this.
>
> Not coming for 3560, 3560G
> 2012Q3 for 3560[EX], 2960[ESX]
> 2012H2 for CAT7600
> 2013Q1 for CAT4500

that would be strange as it has been available for CAT4500 for quite some time now.
thanks

Enno

> --
> ++ytti
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

--
Final round of Troopers 2012 talks announced. See http://www.insinuator.net/2012/01/troopers-2012-%E2%80%93-final-round-of-talks-selected/

Enno Rey
ERNW GmbH - Breslauer Str. 28 - 69124 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 174 3082474
PGP FP 055F B3F3 FE9D 71DD C0D5 444E C611 033E 3296 1CC1
Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey
=======================================================
Blog: www.insinuator.net || Conference: www.troopers.de
=======================================================

From mtinka at globaltransit.net Tue Mar 6 05:46:16 2012
From: mtinka at globaltransit.net (Mark Tinka)
Date: Tue, 6 Mar 2012 18:46:16 +0800
Subject: [c-nsp] ME3600 BGP Route-Maps and IPv6 (WAS: Re: preference on bgp route advertisements)
In-Reply-To: <4F55CAF9.1040504@reub.net>
References: <4F514FD2.4000007@yahoo.com> <201203061354.19572.mtinka@globaltransit.net> <4F55CAF9.1040504@reub.net>
Message-ID: <201203061846.20041.mtinka@globaltransit.net>

On Tuesday, March 06, 2012 04:29:45 PM Reuben Farrelly wrote:

> WTF? The IPv6 prefix has been matched by the IPv4
> specific route-map sequence 10, and the community from
> that route map of 38858:2504 'set' on the router. It
> should be falling through to sequence 100 on account of
> a no-match on sequence 10, I thought. I mean it's not
> even the same friggin protocol...
>
> (And no, there's no IPv6 prefix lists defined at all,
> anywhere, on that switch)

Interesting.

Well, that's one of the reasons we use dedicated routing policies for both IPv4 and IPv6, including different route-map names as well, to avoid potential issues such as these (unintended or otherwise).
Have you tested whether having a dedicated route-map for the IPv6 session works around this problem?

Then again, IPv6 on the ME3600X is still new. I'm happy to report that the bug which causes application of an egress IPv4 ACL to block all IPv6 traffic on a dual-stack interface has been identified and fixed in the next maintenance release, but can't say for sure whether the issue you're facing is in that list.

But very good thing you've reported it. Thanks for sharing the SR number.

Cheers,

Mark.

From mtinka at globaltransit.net Tue Mar 6 05:47:31 2012
From: mtinka at globaltransit.net (Mark Tinka)
Date: Tue, 6 Mar 2012 18:47:31 +0800
Subject: [c-nsp] ipv6 nd raguard
In-Reply-To: <20120306093420.GV55132@ernw.de>
References: <4F5298F4.6040307@linuxsystems.it> <20120306091829.GA30111@pob.ytti.fi> <20120306093420.GV55132@ernw.de>
Message-ID: <201203061847.31516.mtinka@globaltransit.net>

On Tuesday, March 06, 2012 05:34:20 PM Enno Rey wrote:

> that would be strange as it has been available for
> CAT4500 for quite some time now.

That's what I'm thinking - many times, commands that shouldn't be there are, and vice versa. So while the plan is not to have the capability in the 3560, who knows, maybe an engineer may fat finger the keyboard and paste the code in anyway :-).

Of course, that isn't comforting either...

Mark.
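The route-map semantics Reuben expected in the ME3600 thread above (and reports seeing on the ISR platforms), as an added example that is not code from the thread or from Cisco: a small Python model of IOS route-map evaluation over the IBGP-STATICS config he quoted, in which a 'match ip address prefix-list' clause is skipped for IPv6 prefixes so 2401:8C00:99::/64 falls through to sequence 100, and which also carries prefix-list ge/le length bounds so a catch-all such as '::/0 le 48' can be checked against a /64. Everything in it is constructed from the quoted config; how an undefined prefix-list is treated is an assumption of the model, not documented IOS behaviour.

```python
import ipaddress

# Constructed from the config Reuben quoted (AS 38858, IBGP-STATICS); nothing
# here is read from a device, and the behaviour modelled is the one the thread
# reports for the ISR platforms, not the ME3600 bug under the TAC case.
CONFIG = """
ip prefix-list PERMIT-CUSTOMER-SUBNET seq 20 permit 203.56.29.0/24
ipv6 prefix-list PERMIT-IPV6-ANY seq 10 permit ::/0 le 48
"""


def parse_prefix_lists(text):
    """Parse 'ip|ipv6 prefix-list NAME seq N permit|deny PFX [ge X] [le Y]'
    lines into {name: [(seq, action, network, ge, le), ...]} sorted by seq.
    Assumes every entry carries an explicit 'seq', as the quoted config does."""
    lists = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 7 or t[1] != "prefix-list":
            continue
        name, seq, action = t[2], int(t[4]), t[5]
        net = ipaddress.ip_network(t[6], strict=False)
        bounds = dict(zip(t[7::2], map(int, t[8::2])))  # e.g. {'le': 48}
        lists.setdefault(name, []).append(
            (seq, action, net, bounds.get("ge"), bounds.get("le")))
    for entries in lists.values():
        entries.sort(key=lambda e: e[0])
    return lists


def prefix_list_permits(entries, prefix):
    """First entry whose network covers the prefix and whose ge/le bounds
    admit its length decides; with no ge/le only the exact length matches,
    and a prefix-list with no matching entry denies (IOS semantics)."""
    for _seq, action, net, ge, le in entries:
        if net.version != prefix.version or not prefix.subnet_of(net):
            continue
        lo = ge if ge is not None else net.prefixlen
        if le is not None:
            hi = le
        elif ge is not None:
            hi = prefix.max_prefixlen
        else:
            hi = net.prefixlen
        if lo <= prefix.prefixlen <= hi:
            return action == "permit"
    return False


# One dict per 'route-map IBGP-STATICS permit N' sequence from the thread.
# 'match' is (family, prefix-list) or None for a sequence with no match
# clause, which matches every route that reaches it.
IBGP_STATICS = [
    {"seq": 10, "match": ("ip", "PERMIT-CUSTOMER-SUBNET"),
     "set": {"origin": "igp", "community": ["38858:2504"]}},
    {"seq": 100, "match": None,
     "set": {"community": ["38858:201", "no-export"]}},
]


def with_ipv6_catchall(plist_name):
    """Reuben's later experiment: an IPv6-only sequence 5 ahead of the rest."""
    return [{"seq": 5, "match": ("ipv6", plist_name),
             "set": {"origin": "igp", "community": ["38858:202"]}}] + IBGP_STATICS


def route_map_apply(route_map, prefix_lists, prefix):
    """Return (seq, set_clauses) of the first matching sequence, or (None, None)
    when none matches (implicit deny). A 'match ip address' clause is only
    evaluated against IPv4 prefixes and 'match ipv6 address' only against
    IPv6 ones, so a route of the other family skips that sequence entirely."""
    for entry in route_map:
        if entry["match"] is not None:
            family, plist = entry["match"]
            if prefix.version != (4 if family == "ip" else 6):
                continue  # wrong address family: fall through to the next seq
            if not prefix_list_permits(prefix_lists.get(plist, []), prefix):
                continue  # unknown lists are treated as 'no match' (assumption)
        return entry["seq"], entry["set"]
    return None, None


def communities_for(prefix_str, route_map=None, extra_config=""):
    """Evaluate a textual prefix and return (matched seq, community list)."""
    plists = parse_prefix_lists(CONFIG + extra_config)
    rm = IBGP_STATICS if route_map is None else route_map
    seq, sets = route_map_apply(rm, plists, ipaddress.ip_network(prefix_str))
    return seq, None if sets is None else sets.get("community")


if __name__ == "__main__":
    for pfx in ("203.56.29.0/24", "2401:8C00:99::/64"):
        print(pfx, "->", communities_for(pfx))
    # '::/0 le 48' cannot admit a /64, so sequence 5 is skipped for this route:
    print(communities_for("2401:8C00:99::/64", with_ipv6_catchall("PERMIT-IPV6-ANY")))
```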
From reuben-cisco-nsp at reub.net Tue Mar 6 06:29:52 2012
From: reuben-cisco-nsp at reub.net (Reuben Farrelly)
Date: Tue, 06 Mar 2012 22:29:52 +1100
Subject: [c-nsp] ME3600 BGP Route-Maps and IPv6 (WAS: Re: preference on bgp route advertisements)
In-Reply-To: <201203061846.20041.mtinka@globaltransit.net>
References: <4F514FD2.4000007@yahoo.com> <201203061354.19572.mtinka@globaltransit.net> <4F55CAF9.1040504@reub.net> <201203061846.20041.mtinka@globaltransit.net>
Message-ID: <4F55F530.6020407@reub.net>

On 6/03/2012 9:46 PM, Mark Tinka wrote:
> On Tuesday, March 06, 2012 04:29:45 PM Reuben Farrelly
> wrote:
>
>> WTF? The IPv6 prefix has been matched by the IPv4
>> specific route-map sequence 10, and the community from
>> that route map of 38858:2504 'set' on the router. It
>> should be falling through to sequence 100 on account of
>> a no-match on sequence 10, I thought. I mean it's not
>> even the same friggin protocol...
>>
>> (And no, there's no IPv6 prefix lists defined at all,
>> anywhere, on that switch)
>
> Interesting.
>
> Well, that's one of the reasons we use dedicated routing
> policies for both IPv4 and IPv6, including different route-
> map names as well, to avoid potential issues such as these
> (unintended or otherwise).
>
> Have you tested whether having a dedicated route-map for the
> IPv6 session works around this problem?

Yes - it doesn't work around it. I have just replicated the route-map exactly but removed the IPv4 specific match (seq 10) from the new copy and it works as expected (ie correct community set as a default/fall through even for IPv6 routes).
And...get this...if I add:

ipv6 prefix-list PERMIT-IPV6-ANY seq 10 permit ::/0 le 48

route-map IBGP-STATICS permit 5
 match ipv6 address prefix-list PERMIT-IPV6-ANY
 set origin igp
 set community 38858:202

at the top of the route-map sequence (which should match first for IPv6 routes, right?), then IPv6 BGP routes seemingly do NOT match that route-map even across session resets - as that (unique) community value is never set.

So it looks to me very likely it's a matching problem in that the match ip prefix list is matching IPv6 routes when it should be an IPv4 only match and then, only a specific IPv4 match.

Only reason I've kept route-maps and other things constant is to essentially overlay IPv6 atop of the existing IPv4 network as far as possible. Much easier to administer and support if the communities/policies/route-maps are the same etc but obviously this has the drawback that a problem with one part of the config can then screw up both protocols, or as I have just found out it makes it a bit more tricky to work around bugs in one or the other :-(.

Reuben

From taglio at gmail.com Tue Mar 6 06:33:56 2012
From: taglio at gmail.com (Riccardo Giuntoli)
Date: Tue, 6 Mar 2012 12:33:56 +0100
Subject: [c-nsp] help with the correct choice of a cisco router
In-Reply-To: <33EEA0B0474D634BA31117F32099CBF40282FC46@b2dcsbsmteden.base-2.co.nz>
References: <20120305212755.GA39976@geeks.org> <33EEA0B0474D634BA31117F32099CBF40282FC46@b2dcsbsmteden.base-2.co.nz>
Message-ID:

Dear Josh, to do routing i imagine that you're using some L3 switches correct? ASA can do router-on-a-stick config?

Regards,

On Tue, Mar 6, 2012 at 12:47 AM, Josh Farrelly wrote:

> From what you've mentioned there'd likely be no reason you couldn't use an
> ASA5510 for the requirements you've laid out below.
>
> We have 2x ASA5510's in an active/passive cluster at a customer site.
> It's
> connected to a 100/100Mbps link and it quite happily handles several
> thousand connections and throughputs at full rates in either direction.
>
> We've had no issues with them, apart from a PSU failure and a few
> configuration issues with WCCP. They've been in service for the better part
> of 2 years now.
>
> I guess it comes down to what you're most comfortable with at the end of
> the day.
>
> Regards,
>
> Josh.
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Riccardo Giuntoli
> Sent: Tuesday, 6 March 2012 10:36 a.m.
> To: Doug McIntyre; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] help with the correct choice of a cisco router
>
> Yuhm, i've not thought about a firewall for sure... do you speak about some
> ASA machine? Do you have some suggestions?
>
> Regards,
>
> On Mon, Mar 5, 2012 at 10:27 PM, Doug McIntyre wrote:
>
> > On Mon, Mar 05, 2012 at 11:19:38AM +0100, Riccardo Giuntoli wrote:
> > > Hello there, first of all nice to talk with us for the first time in
> > > this ml. My name is Riccardo Giuntoli and i'm writing from Spain,
> > > how're you guys?
> > >
> > > I've got a customer that have some simple task to do and we want to
> > realize
> > > this with a cisco router, those are the points to comply:
> >
> > Why a router, and not a firewall instead? They will more easily hit
> > your requirements at a cheaper price point.
> >
> >
> --
> Name: Riccardo Giuntoli
> Email: taglio at gmail.com
> Location: Canyelles, BCN, España
> PGP Key: 0x67123739
> PGP Fingerprint: CE75 16B5 D855 842FAB54 FB5C DDC6 4640 6712 3739
> Key server: hkp://wwwkeys.eu.pgp.net
>

--
Name: Riccardo Giuntoli
Email: taglio at gmail.com
Location: Canyelles, BCN, España
PGP Key: 0x67123739
PGP Fingerprint: CE75 16B5 D855 842FAB54 FB5C DDC6 4640 6712 3739
Key server: hkp://wwwkeys.eu.pgp.net

From chuckchurch at gmail.com Tue Mar 6 08:51:11 2012
From: chuckchurch at gmail.com (Chuck Church)
Date: Tue, 6 Mar 2012 08:51:11 -0500
Subject: [c-nsp] ASR9k for large scale NAT?
In-Reply-To: <4F553BD4.5090404@foobar.org>
References: <4F553BD4.5090404@foobar.org>
Message-ID: <004401ccfba0$31ef3080$95cd9180$@gmail.com>

I'm curious what the default NAT timeouts for IOS-XE are. A lot of the normal IOS ones are 24 hours, which is WAY too long for dynamic large scale use. An hour is much more reasonable.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Nick Hilliard
Sent: Monday, March 05, 2012 5:19 PM
To: David Farje
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ASR9k for large scale NAT?

On 05/03/2012 21:44, David Farje wrote:
> Hi,
>
> We currently have ASR 1006 with RP1 and ESP20, but it is running some
> things that are killing the memory.
> 1. Full internet routing table from 3 peers.
> 2. NAT
> 3. NAT logging via Netflow

not surprised it's bombing out on memory.
You could separate out the NAT functionality from the transit router functionality here - e.g. 1 or more routers acting as transit routers and then a NAT layer between that and your customers. That would certainly give you lots of breathing room. You could also put more DRAM into the ASR1k - the RP1 will take up to 4G. Alternatively, you could upgrade to an RP2 and bump the RAM up to 16G.

I.e. lots of options without having to go to the expense of an asr9k.

Nick

> We are a small-to-medium sized ISP and we are looking for a cheap way
> to support many NAT translations.
> I would like to know if ASR9k can support NAT, but without the ISM
> module that offers CGN (carrier grade nat) but it's too much, and too
> expensive.
>
> Or maybe other solutions?

From shopik at inblock.ru Tue Mar 6 09:14:16 2012
From: shopik at inblock.ru (Nikolay Shopik)
Date: Tue, 06 Mar 2012 18:14:16 +0400
Subject: [c-nsp] ASR9k for large scale NAT?
In-Reply-To: <004401ccfba0$31ef3080$95cd9180$@gmail.com>
References: <4F553BD4.5090404@foobar.org> <004401ccfba0$31ef3080$95cd9180$@gmail.com>
Message-ID: <4F561BB8.2050603@inblock.ru>

On 06/03/12 17:51, Chuck Church wrote:
> I'm curious what the default NAT timeouts for IOS-XE are. A lot of the
> normal IOS ones are 24 hours, which is WAY too long for dynamic large scale
> use. An hour is much more reasonable.

As soon as IOS NAT sees close/fin or fin/ack bits, it sets the session to expire in 5 minutes. So only sessions that were not properly closed stay there for 24 hours iirc.
From richih.mailinglist at gmail.com Tue Mar 6 10:53:32 2012
From: richih.mailinglist at gmail.com (Richard Hartmann)
Date: Tue, 6 Mar 2012 16:53:32 +0100
Subject: [c-nsp] Why does the ME3600X not support VLAN mapping?
Message-ID:

Hi all,

I am somewhat confused/annoyed by the ME 3600X's lack of support for VLAN mapping. The ME-C3750 offers this, listing the feature as "metro Ethernet service" for obvious reasons. I would go as far as saying that this is, in fact, a requirement for a device sold as offering ME capabilities.

From what I understand of the hardware side, this should be a software, not a hardware, limitation. Is anyone able to confirm/falsify this?

Assuming it's a software issue, has anyone heard of an ETA for this highly advanced and cutting-edge technology's arrival on the poor, down-trodden ME 3600X?

Thanks,
Richard

From nick at foobar.org Tue Mar 6 12:09:04 2012
From: nick at foobar.org (Nick Hilliard)
Date: Tue, 06 Mar 2012 17:09:04 +0000
Subject: [c-nsp] ASR9k for large scale NAT?
In-Reply-To: <4F561BB8.2050603@inblock.ru>
References: <4F553BD4.5090404@foobar.org> <004401ccfba0$31ef3080$95cd9180$@gmail.com> <4F561BB8.2050603@inblock.ru>
Message-ID: <4F5644B0.4030205@foobar.org>

On 06/03/2012 14:14, Nikolay Shopik wrote:
> As soon IOS NAT sees close/fin or fin/ack bits, it set session to 5 minutes
> to expire. So only not proper closed session become there for 24 hours iirc.

that would make a nice nat slot DoS vector. Sounds like on a public facing device you would want to tune this down to something quite small.

Nick

From josh at base-2.co.nz Tue Mar 6 13:07:18 2012
From: josh at base-2.co.nz (Josh Farrelly)
Date: Wed, 7 Mar 2012 07:07:18 +1300
Subject: [c-nsp] help with the correct choice of a cisco router
In-Reply-To:
References: <20120305212755.GA39976@geeks.org> <33EEA0B0474D634BA31117F32099CBF40282FC46@b2dcsbsmteden.base-2.co.nz>
Message-ID:

Hi Riccardo.
The ASA can route between VLANs, though dependent on your configuration and requirements you can route before the firewalls if you prefer.

Thanks,

Josh Farrelly

On 7/03/2012, at 0:34, "Riccardo Giuntoli" wrote:

> Dear Josh, to do routing i imagine that you're using some L3 switches correct? ASA can do router-on-a-stick config?
>
> Regards,
>
> On Tue, Mar 6, 2012 at 12:47 AM, Josh Farrelly wrote:
> From what you've mentioned there'd likely be no reason you couldn't use an ASA5510 for the requirements you've laid out below.
>
> We have 2x ASA5510's in an active/passive cluster at a customer site. It's connected to a 100/100Mbps link and it quite happily handles several thousand connections and throughputs at full rates in either direction.
>
> We've had no issues with them, apart from a PSU failure and a few configuration issues with WCCP. They've been in service for the better part of 2 years now.
>
> I guess it comes down to what you're most comfortable with at the end of the day.
>
> Regards,
>
> Josh.
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Riccardo Giuntoli
> Sent: Tuesday, 6 March 2012 10:36 a.m.
> To: Doug McIntyre; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] help with the correct choice of a cisco router
>
> Yuhm, i've not thought about a firewall for sure... do you speak about some ASA machine? Do you have some suggestions?
>
> Regards,
>
> On Mon, Mar 5, 2012 at 10:27 PM, Doug McIntyre wrote:
>
> > On Mon, Mar 05, 2012 at 11:19:38AM +0100, Riccardo Giuntoli wrote:
> > > Hello there, first of all nice to talk with us for the first time in
> > > this ml. My name is Riccardo Giuntoli and i'm writing from Spain,
> > > how're you guys?
> > >
> > > I've got a customer that have some simple task to do and we want to
> > realize
> > > this with a cisco router, those are the points to comply:
> >
> > Why a router, and not a firewall instead?
> > They will more easily hit
> > your requirements at a cheaper price point.
> >
> >
> --
> Name: Riccardo Giuntoli
> Email: taglio at gmail.com
> Location: Canyelles, BCN, España
> PGP Key: 0x67123739
> PGP Fingerprint: CE75 16B5 D855 842FAB54 FB5C DDC6 4640 6712 3739
> Key server: hkp://wwwkeys.eu.pgp.net
>
>
> --
> Name: Riccardo Giuntoli
> Email: taglio at gmail.com
> Location: Canyelles, BCN, España
> PGP Key: 0x67123739
> PGP Fingerprint: CE75 16B5 D855 842FAB54 FB5C DDC6 4640 6712 3739
> Key server: hkp://wwwkeys.eu.pgp.net

From jayruu77 at yahoo.com Tue Mar 6 14:23:47 2012
From: jayruu77 at yahoo.com (Jarrod Raines)
Date: Tue, 6 Mar 2012 11:23:47 -0800 (PST)
Subject: [c-nsp] router does not see IGMP joins
Message-ID: <1331061827.94046.YahooMailNeo@web161302.mail.bf1.yahoo.com>

what's the source IP of the device sending the join?? maybe an RPF issue?

From lukasz at bromirski.net Tue Mar 6 16:54:40 2012
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Tue, 06 Mar 2012 22:54:40 +0100
Subject: [c-nsp] WS-X6704-10GE, WS-X6708-10GE
In-Reply-To:
References: <4F508120.6020105@aws-net.org.ua> <4F50A9E4.6060209@bromirski.net>
Message-ID: <4F5687A0.4060106@bromirski.net>

On 2012-03-05 14:10, tao wrote:
> Both 6704 and 6708 have two complex of Fabric ASICs.
> The 6708 you can see on figure 21 here:
> http://www.cisco.com/en/US/__prod/collateral/switches/__ps5718/ps708/prod_white___paper0900aecd80673385.html
>
>
> suppose there are port A and port B belong to fabric channel 1 and port C
> belongs to fabric channel 2.
>
> how does traffic pass from port A to port B with/without DFC ?

It goes up to the Port ASIC. CFC requests decision to be taken by a PFC on the Supervisor and DFC can take the decision locally. It is then looped back to port B. The CFC communication takes place over the shared bus which is limiting factor for packets per second (on each of it the CFC has to query PFC for decision). The limit for such system is 15 or 30Mpps. The limit for DFC system is 48Mpps per linecard.

> and any difference for traffic passing from port A to port C ?

Yes, the CFC/DFC decision process will be the same, but the traffic will leave the LC using channel 1, and then come back to the LC using channel 2 to leave out of port C.

> I am wondering whether the traffic pass through switch fabric ? Is switch
> fabric a passive component?

Passive in what sense? It doesn't do any network operations as is, but it's powered up and processing traffic by means of frames + additional headers. Switch fabric physically is either a complex of, or in the newer versions, single pretty large ASIC on the Supervisor under the heatsink.

--
"There's no sense in being precise when | Łukasz Bromirski
 you don't know what you're talking     | jid:lbromirski at jabber.org
 about."               John von Neumann | http://lukasz.bromirski.net

From reuben-cisco-nsp at reub.net Tue Mar 6 17:01:41 2012
From: reuben-cisco-nsp at reub.net (Reuben Farrelly)
Date: Wed, 07 Mar 2012 09:01:41 +1100
Subject: [c-nsp] ME3600 BGP Route-Maps and IPv6 (WAS: Re: preference on bgp route advertisements)
In-Reply-To: <4F55F530.6020407@reub.net>
References: <4F514FD2.4000007@yahoo.com> <201203061354.19572.mtinka@globaltransit.net> <4F55CAF9.1040504@reub.net> <201203061846.20041.mtinka@globaltransit.net> <4F55F530.6020407@reub.net>
Message-ID: <4F568945.6050500@reub.net>

On 6/03/2012 10:29 PM, Reuben Farrelly wrote:
>> Have you tested whether having a dedicated route-map for the
>> IPv6 session works around this problem?
>
> Yes - it doesn't work around it. I have just replicated the route-map
> exactly but removed the IPv4 specific match (seq 10) from the new copy
> and it works as expected (ie correct community set as a default/fall
> through even for IPv6 routes).
>
> And...get this...if I add:
>
> ipv6 prefix-list PERMIT-IPV6-ANY seq 10 permit ::/0 le 48
>
> route-map IBGP-STATICS permit 5
>  match ipv6 address prefix-list PERMIT-IPV6-ANY
>  set origin igp
>  set community 38858:202
>
> at the top of the route-map sequence (which should match first for IPv6
> routes, right?), then IPv6 BGP routes seemingly do NOT match that
> route-map even across session resets - as that (unique) community value
> is never set.
>
> So it looks to me very likely it's a matching problem in that the match
> ip prefix list is matching IPv6 routes when it should be an IPv4 only
> match and then, only a specific IPv4 match.

Correction. I made a mistake in my testing there... If I have:

ipv6 prefix-list PERMIT-IPV6-ANY seq 10 permit ::/0 le 64

Then yes the IPv6 specific route-map matches first and the correct community is set.

Reuben

From mike-cisconsplist at tiedyenetworks.com Tue Mar 6 19:49:47 2012
From: mike-cisconsplist at tiedyenetworks.com (Mike)
Date: Tue, 06 Mar 2012 16:49:47 -0800
Subject: [c-nsp] access-list calling another access-list
Message-ID: <4F56B0AB.7000900@tiedyenetworks.com>

Hello,

I am trying to devise some acl's and am coming from a linux fw background, which allowed me to split my acl's into separate tables and effectively call one from the other. This allowed me to have, say, 'filter everything going to/from rfc 1918 space', and combine that with another table saying 'only permit SMTP to this list of servers', and apply it to a single interface such as 'ppp0'. The point in doing so is easier and more accurate acl management, such that you're not replicating lines every time you want a custom set which combines 'filters to rfc 1918 space' with something else.
I realise there's got to be a cisco way of doing this, and I'd appreciate any pointers anyone cares to share.

Mike-

From zwilliams360 at gmail.com Tue Mar 6 21:55:14 2012
From: zwilliams360 at gmail.com (Zach Williams)
Date: Tue, 6 Mar 2012 18:55:14 -0800
Subject: [c-nsp] Question on the Use of Policy Based Routing
Message-ID:

Hello. I have a question regarding the use of policy based routing. I've always thought of it as a way to selectively change routing in exceptional circumstances.

I've come across an implementation where it is being used to explicitly set a next-hop ip for 99% of all traffic headed from an application behind a pair of stacked 3750s. The default route on these layer 3 switches is set to a 192.168.x.x IP which is part of a management network. The PBR is in place to send the outbound application traffic towards a firewall and out to the internet.

Part of the reasoning for doing this was because the application will require only a few separate class C's and the management network has many more routes. A route-map matching an access-list or prefix-list for the basis of PBR on the outbound application traffic would contain fewer lines of configuration and thus it was deemed more elegant to set up PBR for the application traffic rather than the management traffic.

I'm having a tough time finding best-practices information on the use of PBR and was wondering what cisco-nsp thought of this setup.

From rtrinkle at heartofiowa.coop Tue Mar 6 22:22:17 2012
From: rtrinkle at heartofiowa.coop (Rich Trinkle)
Date: Wed, 7 Mar 2012 03:22:17 +0000
Subject: [c-nsp] Network Security.
In-Reply-To: <8a14139e-4a73-4f55-9dc2-8383f98e5369@blur>
References: <8a14139e-4a73-4f55-9dc2-8383f98e5369@blur>
Message-ID: <9904f875-6995-477c-be24-9eeb428e40f5@blur>

I apologize if this seems like a "rookie" question. A colleague and I have a stance that neither want to budge on.
We have a cisco 861w core router for our internal network and a typical domain server/client access. All of our internal pc's are part of this domain and our client pc's obtain a dynamic ip from an internal dhcp server. The question is this. Should I be able to take a personal laptop that is not setup on our domain, plug into our network, obtain an ip address dynamically through our cisco router and browse the internet?

-----Original message-----
From: Zach Williams
To: "cisco-nsp at puck.nether.net"
Sent: Wed, Mar 7, 2012 03:02:08 GMT+00:00
Subject: [c-nsp] Question on the Use of Policy Based Routing

Hello. I have a question regarding the use of policy based routing. I've always thought of it as a way to selectively change routing in exceptional circumstances.

I've come across an implementation where it is being used to explicitly set a next-hop ip for 99% of all traffic headed from an application behind a pair of stacked 3750s. The default route on these layer 3 switches is set to a 192.168.x.x IP which is part of a management network. The PBR is in place to send the outbound application traffic towards a firewall and out to the internet.

Part of the reasoning for doing this was because the application will require only a few separate class C's and the management network has many more routes. A route-map matching an access-list or prefix-list for the basis of PBR on the outbound application traffic would contain fewer lines of configuration and thus it was deemed more elegant to set up PBR for the application traffic rather than the management traffic.

I'm having a tough time finding best-practices information on the use of PBR and was wondering what cisco-nsp thought of this setup.
From dcp at dcptech.com Tue Mar 6 22:24:39 2012
From: dcp at dcptech.com (David Prall)
Date: Tue, 6 Mar 2012 22:24:39 -0500
Subject: [c-nsp] Question on the Use of Policy Based Routing
In-Reply-To:
References:
Message-ID: <001401ccfc11$d6783ef0$8368bcd0$@com>

The PBR performance on the 3K is wonderful if you only need it for a few Mbps. I would always recommend routing over PBR, unless there is just no other way. My house I use PBR so that certain servers return to the correct Internet Connection Symmetrically and are NAT'd and Firewalled correctly.

I would review the management traffic requirements, and use ip local policy route-map for that instead. Perhaps all management traffic is sourced from the loopback, therefore the policy will only be a single /32.

David

--
http://dcp.dcptech.com

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Zach Williams
Sent: Tuesday, March 06, 2012 9:55 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Question on the Use of Policy Based Routing

Hello. I have a question regarding the use of policy based routing. I've always thought of it as a way to selectively change routing in exceptional circumstances.

I've come across an implementation where it is being used to explicitly set a next-hop ip for 99% of all traffic headed from an application behind a pair of stacked 3750s. The default route on these layer 3 switches is set to a 192.168.x.x IP which is part of a management network. The PBR is in place to send the outbound application traffic towards a firewall and out to the internet.

Part of the reasoning for doing this was because the application will require only a few separate class C's and the management network has many more routes.
A route-map matching an access-list or prefix-list for the basis of PBR on the outbound application traffic would contain fewer lines of configuration and thus it was deemed more elegant to set up PBR for the application traffic rather than the management traffic.

I'm having a tough time finding best-practices information on the use of PBR and was wondering what cisco-nsp thought of this setup.

From joshuaatterbury at gmail.com Tue Mar 6 22:35:29 2012
From: joshuaatterbury at gmail.com (Josh Atterbury)
Date: Wed, 7 Mar 2012 13:35:29 +1000
Subject: [c-nsp] Network Security.
In-Reply-To: <9904f875-6995-477c-be24-9eeb428e40f5@blur>
References: <8a14139e-4a73-4f55-9dc2-8383f98e5369@blur> <9904f875-6995-477c-be24-9eeb428e40f5@blur>
Message-ID:

Technical considerations aside, the answer for that one should come from company policy regarding byod.

On Wed, Mar 7, 2012 at 1:22 PM, Rich Trinkle wrote:

> I apologize if this seems like a "rookie" question. A colleague and I
> have a stance that neither want to budge on. We have a cisco 861w core
> router for our internal network and a typical domain server/client access.
> All of our internal pc's are part of this domain and our client pc's obtain
> a dynamic ip from an internal dhcp server. The question is this. Should I
> be able to take a personal laptop that is not setup on our domain, plug
> into our network, obtain an ip address dynamically through our cisco router
> and browse the internet?
>
>
> -----Original message-----
> From: Zach Williams
> To: "cisco-nsp at puck.nether.net"
> Sent: Wed, Mar 7, 2012 03:02:08 GMT+00:00
> Subject: [c-nsp] Question on the Use of Policy Based Routing
>
> Hello. I have a question regarding the use of policy based routing.
> I've always thought of it as a way to selectively change routing in exceptional circumstances.
>
> I've come across an implementation where it is being used to explicitly set a next-hop IP for 99% of all traffic headed from an application behind a pair of stacked 3750s. The default route on these layer 3 switches is set to a 192.168.x.x IP which is part of a management network. The PBR is in place to send the outbound application traffic towards a firewall and out to the internet.
>
> Part of the reasoning for doing this was because the application will require only a few separate class C's and the management network has many more routes. A route-map matching an access-list or prefix-list for the basis of PBR on the outbound application traffic would contain fewer lines of configuration and thus it was deemed more elegant to set up PBR for the application traffic rather than the management traffic.
>
> I'm having a tough time finding best-practices information on the use of PBR and was wondering what cisco-nsp thought of this setup.

From dcp at dcptech.com Tue Mar 6 22:40:25 2012
From: dcp at dcptech.com (David Prall)
Date: Tue, 6 Mar 2012 22:40:25 -0500
Subject: [c-nsp] Network Security.
In-Reply-To: <9904f875-6995-477c-be24-9eeb428e40f5@blur>
References: <8a14139e-4a73-4f55-9dc2-8383f98e5369@blur> <9904f875-6995-477c-be24-9eeb428e40f5@blur>
Message-ID: <001501ccfc14$0a8d7550$1fa85ff0$@com>

DHCP servers could care less about who you are. They will give out an address to just about anyone.
Now MAB or 802.1x authentication can be used to block this. With MAB or 802.1x you could place the authenticated users into a different vlan, where all of your domain related information resides. Then you could use a web based auth mechanism on the router, that is linked to credentials, in order to require that they have a user id and password for external access.

David

--
http://dcp.dcptech.com

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rich Trinkle
Sent: Tuesday, March 06, 2012 10:22 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Network Security.

I apologize if this seems like a "rookie" question. A colleague and I have a stance that neither wants to budge on. We have a cisco 861w core router for our internal network and a typical domain server/client access. All of our internal pc's are part of this domain and our client pc's obtain a dynamic ip from an internal dhcp server. The question is this. Should I be able to take a personal laptop that is not set up on our domain, plug into our network, obtain an ip address dynamically through our cisco router and browse the internet?

-----Original message-----
From: Zach Williams
To: "cisco-nsp at puck.nether.net"
Sent: Wed, Mar 7, 2012 03:02:08 GMT+00:00
Subject: [c-nsp] Question on the Use of Policy Based Routing

Hello. I have a question regarding the use of policy based routing. I've always thought of it as a way to selectively change routing in exceptional circumstances.

I've come across an implementation where it is being used to explicitly set a next-hop IP for 99% of all traffic headed from an application behind a pair of stacked 3750s. The default route on these layer 3 switches is set to a 192.168.x.x IP which is part of a management network. The PBR is in place to send the outbound application traffic towards a firewall and out to the internet.
Part of the reasoning for doing this was because the application will require only a few separate class C's and the management network has many more routes. A route-map matching an access-list or prefix-list for the basis of PBR on the outbound application traffic would contain fewer lines of configuration and thus it was deemed more elegant to set up PBR for the application traffic rather than the management traffic.

I'm having a tough time finding best-practices information on the use of PBR and was wondering what cisco-nsp thought of this setup.

From josh at base-2.co.nz Tue Mar 6 22:47:36 2012
From: josh at base-2.co.nz (Josh Farrelly)
Date: Wed, 7 Mar 2012 16:47:36 +1300
Subject: [c-nsp] Network Security.
Message-ID: <33EEA0B0474D634BA31117F32099CBF40282FDD4@b2dcsbsmteden.base-2.co.nz>

I would assume you and your CTO (or closest match) would get together and develop a network/security policy which would define the guidelines around this.

Regards,

Josh Farrelly.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rich Trinkle
Sent: Wednesday, 7 March 2012 4:22 p.m.
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Network Security.

I apologize if this seems like a "rookie" question. A colleague and I have a stance that neither wants to budge on. We have a cisco 861w core router for our internal network and a typical domain server/client access. All of our internal pc's are part of this domain and our client pc's obtain a dynamic ip from an internal dhcp server. The question is this.
Should I be able to take a personal laptop that is not set up on our domain, plug into our network, obtain an ip address dynamically through our cisco router and browse the internet?

From jneiberger at gmail.com Tue Mar 6 23:17:48 2012
From: jneiberger at gmail.com (John Neiberger)
Date: Tue, 6 Mar 2012 21:17:48 -0700
Subject: [c-nsp] Replacing route policies in IOS XR
Message-ID:

I'm relatively new to route policies in IOS XR. I have a route policy on a production router that needs to be replaced. The documentation doesn't exactly make it clear how to do this properly. Is it as simple as pasting an entirely new route policy in config mode and committing it? I see that there are methods for editing the policy directly from the CLI, but that doesn't seem like what I want or need. Since route policies don't use line numbering, I'm worried that I might end up with some weird merged policy. If we're just replacing the entire thing, is it a simple paste and commit?

From andrew at 2sheds.de Tue Mar 6 23:47:28 2012
From: andrew at 2sheds.de (Andrew Miehs)
Date: Wed, 7 Mar 2012 15:47:28 +1100
Subject: [c-nsp] Question on the Use of Policy Based Routing
In-Reply-To:
References:
Message-ID: <872891B4-BF41-48DC-8ABB-51B29209E200@2sheds.de>

On 07/03/2012, at 1:55 PM, Zach Williams wrote:
> I'm having a tough time finding best-practices information on the use of PBR and was wondering what cisco-nsp thought of this setup.

I wouldn't use it at all - other than perhaps for a short term migration issue. 6 months later, debugging will be a nightmare as no one will remember exactly what was configured.

Does PBR still cause the performance issues it did in the past, forcing every packet through the CPU?
Andrew

From oliver at g.garraux.net Tue Mar 6 23:56:35 2012
From: oliver at g.garraux.net (Oliver Garraux)
Date: Tue, 6 Mar 2012 23:56:35 -0500
Subject: [c-nsp] Question on the Use of Policy Based Routing
In-Reply-To: <872891B4-BF41-48DC-8ABB-51B29209E200@2sheds.de>
References: <872891B4-BF41-48DC-8ABB-51B29209E200@2sheds.de>
Message-ID:

On Tue, Mar 6, 2012 at 11:47 PM, Andrew Miehs wrote:
> On 07/03/2012, at 1:55 PM, Zach Williams wrote:
>> I'm having a tough time finding best-practices information on the use of PBR and was wondering what cisco-nsp thought of this setup.
>
> I wouldn't use it at all - other than perhaps for a short term migration issue. 6 months later, debugging will be a nightmare as no one will remember exactly what was configured.
>
> Does PBR still cause the performance issues it did in the past, forcing every packet through the CPU?
>
> Andrew

I think it varies by platform. IIRC, PBR can usually be done in hardware, except if denies are used in the ACLs.

We use PBR quite a bit to route return traffic back through our load balancers. That's a bit different situation than the poster mentioned though. We've run into issues with it periodically on our Nexus 7k's though due to the buggy version of NX-OS we're on.

Oliver

From andrew at 2sheds.de Wed Mar 7 00:07:03 2012
From: andrew at 2sheds.de (Andrew Miehs)
Date: Wed, 7 Mar 2012 16:07:03 +1100
Subject: [c-nsp] Question on the Use of Policy Based Routing
In-Reply-To:
References: <872891B4-BF41-48DC-8ABB-51B29209E200@2sheds.de>
Message-ID: <5D2C19E7-7F86-4EFC-82B9-6667D93AE4E8@2sheds.de>

On 07/03/2012, at 3:56 PM, Oliver Garraux wrote:
> On Tue, Mar 6, 2012 at 11:47 PM, Andrew Miehs wrote:
>> Does PBR still cause the performance issues it did in the past, forcing every packet through the CPU?
>>
>> Andrew
>
> I think it varies by platform. IIRC, PBR can usually be done in hardware, except if denies are used in the ACLs.

Just found my own answer!
http://www.cisco.com/en/US/docs/ios/12_0/qos/configuration/guide/qcpolicy.html

"IP PBR can now be fast-switched. Prior to Cisco IOS Release 12.0, PBR could only be process-switched, which meant that on most platforms the switching rate was approximately 1000 to 10,000 packets per second. This speed was not fast enough for many applications. Users who need PBR to occur at faster speeds can now implement PBR without slowing down the router."

and

"Beginning in Cisco IOS Release 12.0, PBR is supported in the Cisco Express Forwarding (CEF) switching path. CEF-switched PBR has better performance than fast-switched PBR and, therefore, is the optimal way to perform PBR on a router."

- I would still try and look for normal routing alternatives though as you could very quickly set up a routing loop in larger installations.

Regards

Andrew

From kgraham at industrial-marshmallow.com Wed Mar 7 00:22:28 2012
From: kgraham at industrial-marshmallow.com (Kevin Graham)
Date: Tue, 6 Mar 2012 21:22:28 -0800
Subject: [c-nsp] Question on the Use of Policy Based Routing
In-Reply-To:
References:
Message-ID: <3975F9A3-B55D-4034-A0D5-CFB4BD7A4460@industrial-marshmallow.com>

From the limited details, it sounds like what you really want is vrf-lite. Assuming the application traffic can be split into its own subnetwork, stick them in a VRF whose "normal" routing table matches what you're forcing via PBR.

On Mar 6, 2012, at 6:55 PM, Zach Williams wrote:
> Hello. I have a question regarding the use of policy based routing. I've always thought of it as a way to selectively change routing in exceptional circumstances.
>
> I've come across an implementation where it is being used to explicitly set a next-hop IP for 99% of all traffic headed from an application behind a pair of stacked 3750s. The default route on these layer 3 switches is set to a 192.168.x.x IP which is part of a management network.
> The PBR is in place to send the outbound application traffic towards a firewall and out to the internet.
>
> Part of the reasoning for doing this was because the application will require only a few separate class C's and the management network has many more routes. A route-map matching an access-list or prefix-list for the basis of PBR on the outbound application traffic would contain fewer lines of configuration and thus it was deemed more elegant to set up PBR for the application traffic rather than the management traffic.
>
> I'm having a tough time finding best-practices information on the use of PBR and was wondering what cisco-nsp thought of this setup.

From oboehmer at cisco.com Wed Mar 7 03:08:41 2012
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Wed, 7 Mar 2012 09:08:41 +0100
Subject: [c-nsp] access-list calling another access-list
In-Reply-To: <4F56B0AB.7000900@tiedyenetworks.com>
References: <4F56B0AB.7000900@tiedyenetworks.com>
Message-ID: <6E4D2678AC543844917CA081C9D6B33F06B8EB3C@XMB-AMS-103.cisco.com>

> I am trying to devise some acl's and am coming from a linux fw background, which allowed me to split my acl's into separate tables and effectively call one from the other. [...]
>
> I realise there's got to be a cisco way of doing this, and I'd appreciate any pointers anyone cares to share.

ACLs are used for a variety of things, so there is a "it depends" answer: you can achieve the splitting (via route-maps and policies) when you deal with ACLs for routing, however interface/traffic ACLs can't be split this way, you can only apply a single ACL as an input/output ACL to an interface.
When it comes to firewall filtering, PIX/ASAs support object groups which you can use to compile your ACLs, and one could also argue that the Zone-based IOS FW's class-maps for traffic classification also allow a more modular approach.

hope this helps..

oli

From Grzegorz at janoszka.pl Wed Mar 7 03:20:51 2012
From: Grzegorz at janoszka.pl (Grzegorz Janoszka)
Date: Wed, 07 Mar 2012 09:20:51 +0100
Subject: [c-nsp] Replacing route policies in IOS XR
In-Reply-To:
References:
Message-ID: <4F571A63.7020008@Janoszka.pl>

On 07-03-12 05:17, John Neiberger wrote:
> I'm relatively new to route policies in IOS XR. I have a route policy on a production router that needs to be replaced. The documentation doesn't exactly make it clear how to do this properly. Is it as simple as pasting an entirely new route policy in config mode and committing it? I see that there are methods for editing the policy directly from the CLI, but that doesn't seem like what I want or need. Since route policies don't use line numbering, I'm worried that I might end up with some weird merged policy. If we're just replacing the entire thing, is it a simple paste and commit?

John,

In the configuration mode you just replace the whole policy. Remember you can always use "commit confirmed" if you are unsure.

--
Grzegorz Janoszka

From saku at ytti.fi Wed Mar 7 03:30:16 2012
From: saku at ytti.fi (Saku Ytti)
Date: Wed, 7 Mar 2012 10:30:16 +0200
Subject: [c-nsp] WS-X6704-10GE, WS-X6708-10GE
In-Reply-To: <4F5687A0.4060106@bromirski.net>
References: <4F508120.6020105@aws-net.org.ua> <4F50A9E4.6060209@bromirski.net> <4F5687A0.4060106@bromirski.net>
Message-ID: <20120307083016.GA32718@pob.ytti.fi>

On (2012-03-06 22:54 +0100), Łukasz Bromirski wrote:
> (on each of it the CFC has to query PFC for decision). The limit for such system is 15 or 30Mpps. The limit for DFC system is 48Mpps per linecard.

Just to help other people on the list understand where this difference comes from.
The PFC in the DFC and the SUP are the same, i.e. 48Mpps or so. The SUP PFC under-performs the DFC PFC because we are unable to send work to it. DBUS is 62.5MHz and does 32B per cycle. IPv4 lookups are 2 cycles (64B) and IPv6 (and MPLS) lookups are 3 cycles (96B). So 62.5/2 = 31.25Mpps (IPv4) and 62.5/3 = 20.83Mpps (IPv6, MPLS).

There are many situations where circulation occurs, this will of course halve the performance. Especially in use of tunnels and L3 MPLS VPN.

(As trivia, as far as I understand, there probably isn't a technical reason why the SUP couldn't do ~48Mpps of MPLS lookups by sending just 32B of the packet, you'd lose the ability to do MPLS ECMP based on IP headers though. But I'm not at all sure about this)

--
++ytti

From gert at greenie.muc.de Wed Mar 7 03:51:47 2012
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 7 Mar 2012 09:51:47 +0100
Subject: [c-nsp] Question on the Use of Policy Based Routing
In-Reply-To: <5D2C19E7-7F86-4EFC-82B9-6667D93AE4E8@2sheds.de>
References: <872891B4-BF41-48DC-8ABB-51B29209E200@2sheds.de> <5D2C19E7-7F86-4EFC-82B9-6667D93AE4E8@2sheds.de>
Message-ID: <20120307085147.GK1359@greenie.muc.de>

Hi,

On Wed, Mar 07, 2012 at 04:07:03PM +1100, Andrew Miehs wrote:
> >> Does PBR still cause the performance issues it did in the past, forcing every packet through the CPU?
[..]
> Just found my own answer!
>
> http://www.cisco.com/en/US/docs/ios/12_0/qos/configuration/guide/qcpolicy.html
>
> "IP PBR can now be fast-switched. Prior to Cisco IOS Release 12.0, PBR could only be process-switched, which meant that on most platforms the switching rate was approximately 1000 to 10,000 packets per second. This speed was not fast enough for many applications. Users who need PBR to occur at faster speeds can now implement PBR without slowing down the router."

Well, that answer is relevant for software-forwarding platforms, where "can use CEF!" will indeed bring a major performance boost.
Unfortunately, it's fully irrelevant for the 3750 in use here, as its CPU is tiny and "can use CEF" doesn't tell whether the hardware forwarding machinery can handle PBR or not.

As for the original question: sounds like an attempt to ensure job security to me... "make the setup so convoluted that nobody else can manage it".

If management needs to use some other routing than production traffic, well, then use "ip local policy" for management traffic (or a management VRF).

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From p.mayers at imperial.ac.uk Wed Mar 7 04:35:34 2012
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Wed, 07 Mar 2012 09:35:34 +0000
Subject: [c-nsp] Network Security.
In-Reply-To: <9904f875-6995-477c-be24-9eeb428e40f5@blur>
References: <8a14139e-4a73-4f55-9dc2-8383f98e5369@blur> <9904f875-6995-477c-be24-9eeb428e40f5@blur>
Message-ID: <4F572BE6.3010704@imperial.ac.uk>

On 03/07/2012 03:22 AM, Rich Trinkle wrote:
> I apologize if this seems like a "rookie" question. A colleague and I have a stance that neither wants to budge on. We have a cisco 861w core router for our internal network and a typical domain server/client access. All of our internal pc's are part of this domain and our client pc's obtain a dynamic ip from an internal dhcp server. The question is this. Should I be able to take a personal laptop that is not set up on our domain, plug into our network, obtain an ip address dynamically through our cisco router and browse the internet?

What does "should" mean here? Technically, would it work? Or policy, ought it to work?

If the former, it will depend how you've got things set up.
If the latter, there's no right answer to that. It depends on your security policy and what you want to achieve.

At our site: no; you get assigned into a VLAN and directed to a "register your machine" page, so we've got machine -> owner tracking in the event of an abuse or operational problem.

Some places don't care about that, and just absorb the costs of such events in order to achieve ease-of-use.

From peter at rathlev.dk Wed Mar 7 04:39:09 2012
From: peter at rathlev.dk (Peter Rathlev)
Date: Wed, 07 Mar 2012 10:39:09 +0100
Subject: [c-nsp] Question on the Use of Policy Based Routing
In-Reply-To: <20120307085147.GK1359@greenie.muc.de>
References: <872891B4-BF41-48DC-8ABB-51B29209E200@2sheds.de> <5D2C19E7-7F86-4EFC-82B9-6667D93AE4E8@2sheds.de> <20120307085147.GK1359@greenie.muc.de>
Message-ID: <1331113149.21568.0.camel@abehat.dyn.net.rm.dk>

On Wed, 2012-03-07 at 09:51 +0100, Gert Doering wrote:
> Well, that answer is relevant for software-forwarding platforms, where "can use CEF!" will indeed bring a major performance boost.
>
> Unfortunately, it's fully irrelevant for the 3750 in use here, as its CPU is tiny and "can use CEF" doesn't tell whether the hardware forwarding machinery can handle PBR or not.

Correct. And the 3750 actually does PBR in hardware with a few caveats:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/configuration/guide/swiprout.html#wp1210866

We use PBR on 3560s with no performance problems at all.

--
Peter

From oboehmer at cisco.com Wed Mar 7 05:45:22 2012
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Wed, 7 Mar 2012 11:45:22 +0100
Subject: [c-nsp] Replacing route policies in IOS XR
In-Reply-To:
References:
Message-ID: <6E4D2678AC543844917CA081C9D6B33F06B8EC71@XMB-AMS-103.cisco.com>

> I'm relatively new to route policies in IOS XR. I have a route policy on a production router that needs to be replaced. The documentation doesn't exactly make it clear how to do this properly.
> Is it as simple as pasting an entirely new route policy in config mode and committing it? I see that there are methods for editing the policy directly from the CLI, but that doesn't seem like what I want or need. Since route policies don't use line numbering, I'm worried that I might end up with some weird merged policy. If we're just replacing the entire thing, is it a simple paste and commit?

you only have two options:

1) replace the "whole thing" when you do this within the "config" mode (you'll get a warning that the full policy will be replaced)
2) edit selective parts of it using the built-in editor ("edit route-policy ...")

If I recall correctly, both will eventually do a full replace (if you check "show conf commit changes .."), the latter just looks more incremental :-)

you can also check out https://supportforums.cisco.com/docs/DOC-22031

oli

From cstand141 at gmail.com Wed Mar 7 09:16:52 2012
From: cstand141 at gmail.com (chris stand)
Date: Wed, 7 Mar 2012 08:16:52 -0600
Subject: [c-nsp] port channel numbering schemes
Message-ID:

Hello,

Anyone use clever port channel numbering schemes ?

We have a number of facilities that have access closets that connect either directly to a 7K or the access closets connect to 5Ks which then connect to the 7Ks.

I have co-workers who want to take a trunk that might be carrying vlan 1300,1302,1304 and make the port channel 1300.
The next closet might have vlan 1306,08,10,12,14,16 so its port channel is 1306
The next closet might have vlan 1318, 1320 so ... po 1318

While this seems to have some value in terms of identifying .something ... I don't think I have ever encountered such a scheme that does not seem to be flexible for moves/add/changes in terms of addressing.

I want to use po10, po11, po12, po13, po14 like we have on every other device up until now and put the appropriate vlans in the correct port channels.

thoughts/ideas/concerns

???
Thanks,

From nick at foobar.org Wed Mar 7 09:23:07 2012
From: nick at foobar.org (Nick Hilliard)
Date: Wed, 07 Mar 2012 14:23:07 +0000
Subject: [c-nsp] port channel numbering schemes
In-Reply-To:
References:
Message-ID: <4F576F4B.4020203@foobar.org>

On 07/03/2012 14:16, chris stand wrote:
> thoughts/ideas/concerns

This works fine until you try it on smaller boxes and you find out that they only support port-channel names up to 48 or whatever. Then you have a moment of extreme facepalm and go back to Po1, Po2 and Po3.

Nick

From ml at kenweb.org Wed Mar 7 09:32:06 2012
From: ml at kenweb.org (ML)
Date: Wed, 07 Mar 2012 09:32:06 -0500
Subject: [c-nsp] ASR9001
Message-ID: <4F577166.3020406@kenweb.org>

Has anyone else been looking at this device?

Does anyone know details on the RSP and RAM inside?

Seems like an impressive little box good for an edge device if you aren't in need of huge quantities of BW. Does anyone know what the price point is going to be?

From jared at puck.nether.net Wed Mar 7 09:34:46 2012
From: jared at puck.nether.net (Jared Mauch)
Date: Wed, 7 Mar 2012 09:34:46 -0500
Subject: [c-nsp] port channel numbering schemes
In-Reply-To: <4F576F4B.4020203@foobar.org>
References: <4F576F4B.4020203@foobar.org>
Message-ID: <2CF3E7D7-028F-44D6-AD42-D472CFAD638E@puck.nether.net>

On Mar 7, 2012, at 9:23 AM, Nick Hilliard wrote:
> On 07/03/2012 14:16, chris stand wrote:
>> thoughts/ideas/concerns
>
> This works fine until you try it on smaller boxes and you find out that they only support port-channel names up to 48 or whatever. Then you have a moment of extreme facepalm and go back to Po1, Po2 and Po3.

I've found 'show interface description' and a well thought out (and machine parseable) standard for naming works well.

This way you can just find what you want quickly. CDP and LLDP can also assist you in documenting ports as well, though some people don't like the information leakage.
- Jared

From geoff at pendery.net Wed Mar 7 09:36:31 2012
From: geoff at pendery.net (Geoffrey Pendery)
Date: Wed, 7 Mar 2012 08:36:31 -0600
Subject: [c-nsp] port channel numbering schemes
In-Reply-To:
References:
Message-ID:

I think there's definitely value in putting some thought into any numbering/naming scheme you use anywhere, but the answer you come up with will depend on your organization and the situation.

If you have excellent documentation systems which are quick and easy to use and always kept up to date, then I would say just serialize them (first port-channel you ever set up is 1, the 37th you set up is 37) then whenever someone is servicing or troubleshooting that connection they can just plug it into the doc system and get whatever information is useful about it (which closet it connects and which VLANs it carries, in your case)

For those less fortunate with documentation, it might be helpful for the name of the LAG to have some descriptive value. If you do not have CDP enabled in most places, then troubleshooting a device with LAG issues you might first want to know where that LAG goes, so you could use a locally significant scheme like "Port1 is the primary uplink to upstream device, Port2 is a secondary uplink where applicable, Port 3 is always the sideways link between an A/B pair, etc"

If you have CDP (or LLDP, or whatever) in place and identifying "where does this port go" is not a regular issue, then it might be more helpful to have the numbers be globally unique and identify its place or role in the network - say "Port 100-199 connects to closet 1, Port 200-299 connects to closet 2, Port X01 is the primary uplink, X02 is the secondary" so when an alarm goes off for Port202, you immediately recognize that's the secondary uplink from Closet 2.

Of course if your network is only 10 nodes, maybe it's a waste to bother with the scheme at all, just pick something and everyone will remember it.
Up to you what you choose, but I'd definitely put thought into any naming scheme before you roll it out, as it will likely be with you for a long time.

-Geoff

On Wed, Mar 7, 2012 at 8:16 AM, chris stand wrote:
> Hello,
>
> Anyone use clever port channel numbering schemes ?
>
> We have a number of facilities that have access closets that connect either directly to a 7K or the access closets connect to 5Ks which then connect to the 7Ks.
>
> I have co-workers who want to take a trunk that might be carrying vlan 1300,1302,1304 and make the port channel 1300.
> The next closet might have vlan 1306,08,10,12,14,16 so its port channel is 1306
> The next closet might have vlan 1318, 1320 so ... po 1318
>
> While this seems to have some value in terms of identifying .something ... I don't think I have ever encountered such a scheme that does not seem to be flexible for moves/add/changes in terms of addressing.
>
> I want to use po10, po11, po12, po13, po14 like we have on every other device up until now and put the appropriate vlans in the correct port channels.
>
> thoughts/ideas/concerns
>
> ???
>
> Thanks,

From taglio at gmail.com Wed Mar 7 09:39:06 2012
From: taglio at gmail.com (Riccardo Giuntoli)
Date: Wed, 7 Mar 2012 15:39:06 +0100
Subject: [c-nsp] help with the correct choice of a cisco router
In-Reply-To:
References: <20120305212755.GA39976@geeks.org> <33EEA0B0474D634BA31117F32099CBF40282FC46@b2dcsbsmteden.base-2.co.nz>
Message-ID:

Ok, I've investigated a little bit more. The ISP will give my customer a preconfigured and totally closed (we cannot enter it) 2811 with a LAN port where I can connect the equipment that I want, to comply with all the points that I've explained in my first email in this thread.
They will statically route the /29 to a host (one interface of my router or firewall) on the same subnet.

So seeing this point I think that now the best choice will be to use the ASA5510 and for now directly connect the distribution layer 2 core switches to it and do shaping, router-on-a-stick and an IPsec concentrator with it. In the future it will be more interesting to add distribution layer 3 switches.

Any more suggestions?

Regards, and thank you for your time.

On Tue, Mar 6, 2012 at 7:07 PM, Josh Farrelly wrote:
> Hi Riccardo.
>
> The ASA can route between VLANs, though dependent on your configuration and requirements you can route before the firewalls if you prefer.
>
> Thanks,
>
> Josh Farrelly
>
> On 7/03/2012, at 0:34, "Riccardo Giuntoli" wrote:
>
> Dear Josh, to do routing I imagine that you're using some L3 switches, correct? Can the ASA do a router-on-a-stick config?
>
> Regards,
>
> On Tue, Mar 6, 2012 at 12:47 AM, Josh Farrelly wrote:
>
>> From what you've mentioned there'd likely be no reason you couldn't use an ASA5510 for the requirements you've laid out below.
>>
>> We have 2x ASA5510's in an active/passive cluster at a customer site. It's connected to a 100/100Mbps link and it quite happily handles several thousand connections and throughputs at full rates in either direction.
>>
>> We've had no issues with them, apart from a PSU failure and a few configuration issues with WCCP. They've been in service for the better part of 2 years now.
>>
>> I guess it comes down to what you're most comfortable with at the end of the day.
>>
>> Regards,
>>
>> Josh.
>>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Riccardo Giuntoli
>> Sent: Tuesday, 6 March 2012 10:36 a.m.
>> To: Doug McIntyre; cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] help with the correct choice of a cisco router
>>
>> Yuhm, I haven't thought about a firewall for sure...
>> Do you speak about some ASA machine? Do you have some suggestions?
>>
>> Regards,
>>
>> On Mon, Mar 5, 2012 at 10:27 PM, Doug McIntyre wrote:
>>
>> > On Mon, Mar 05, 2012 at 11:19:38AM +0100, Riccardo Giuntoli wrote:
>> > > Hello there, first of all nice to talk with you for the first time in this ml. My name is Riccardo Giuntoli and I'm writing from Spain, how're you guys?
>> > >
>> > > I've got a customer that has some simple tasks to do and we want to realize this with a cisco router, those are the points to comply with:
>> >
>> > Why a router, and not a firewall instead? They will more easily hit your requirements at a cheaper price point.
>> >
>>
>> --
>> Name: Riccardo Giuntoli
>> Email: taglio at gmail.com
>> Location: Canyelles, BCN, España
>> PGP Key: 0x67123739
>> PGP Fingerprint: CE75 16B5 D855 842F AB54 FB5C DDC6 4640 6712 3739
>> Key server: hkp://wwwkeys.eu.pgp.net
>
> --
> Name: Riccardo Giuntoli
> Email: taglio at gmail.com
> Location: Canyelles, BCN, España
> PGP Key: 0x67123739
> PGP Fingerprint: CE75 16B5 D855 842F AB54 FB5C DDC6 4640 6712 3739
> Key server: hkp://wwwkeys.eu.pgp.net

--
Name: Riccardo Giuntoli
Email: taglio at gmail.com
Location: Canyelles, BCN, España
PGP Key: 0x67123739
PGP Fingerprint: CE75 16B5 D855 842F AB54 FB5C DDC6 4640 6712 3739
Key server: hkp://wwwkeys.eu.pgp.net

From bhmccie at gmail.com Wed Mar 7 09:49:50 2012
From: bhmccie at gmail.com (-Hammer-)
Date: Wed, 07 Mar 2012 08:49:50 -0600
Subject: [c-nsp] port channel numbering schemes
In-Reply-To: <2CF3E7D7-028F-44D6-AD42-D472CFAD638E@puck.nether.net>
References: <4F576F4B.4020203@foobar.org> <2CF3E7D7-028F-44D6-AD42-D472CFAD638E@puck.nether.net>
Message-ID: <4F57758E.80605@gmail.com>

+1

We don't have a formal port channel naming schema. I usually use 1-10 for things like ISLs between core and stuff and then start with 11-XXX for all the port channels to various downstream devices. That said, the interface description is still the most important part of our gear. Now on the interfaces, if it's just L2, I use something like:

  interf gi0/1
  desc hostname of device I'm connecting to (port I'm connecting to)

And then if it's L3:

  desc hostname of device I'm connecting to (IP of device)

Works for port channels too....

-Hammer-

"I was a normal American nerd"
-Jack Herer

On 3/7/2012 8:34 AM, Jared Mauch wrote:
> On Mar 7, 2012, at 9:23 AM, Nick Hilliard wrote:
>
>> On 07/03/2012 14:16, chris stand wrote:
>>> thoughts/ideas/concerns
>> This works fine until you try it on smaller boxes and you find out that
>> they only support port-channel names up to 48 or whatever. Then you have a
>> moment of extreme facepalm and go back to Po1, Po2 and Po3.
> I've found 'show interface description' and a well thought out (and machine parseable) standard for naming works well.
>
> This way you can just find what you want quickly. CDP and LLDP can also assist you in documenting ports as well, though some people don't like the information leakage.
>
> - Jared

From skeeve+cisconsp at eintellego.net Wed Mar 7 10:06:00 2012
From: skeeve+cisconsp at eintellego.net (Skeeve Stevens)
Date: Wed, 7 Mar 2012 15:06:00 +0000
Subject: [c-nsp] ASR9001
In-Reply-To: <4F577166.3020406@kenweb.org>
References: <4F577166.3020406@kenweb.org>

To me it seems to be Cisco's response to Juniper's MX80.... in fact it even looks like the MX80. The ASR9001 looks very impressive... wonder if it does VC/VSS at all.

*Skeeve Stevens, CEO*
eintellego Pty Ltd
skeeve at eintellego.net ; www.eintellego.net
Phone: 1300 753 383 ; Fax: (+612) 8572 9954
Cell +61 (0)414 753 383 ; skype://skeeve
facebook.com/eintellego
twitter.com/networkceoau ; www.linkedin.com/in/skeeve
PO Box 7726, Baulkham Hills, NSW 1755 Australia
The Experts Who The Experts Call
Juniper - Cisco - Brocade - IBM

On Wed, Mar 7, 2012 at 14:32, ML wrote:
> Has anyone else been looking at this device?
>
> Does anyone know details on the RSP and RAM inside?
>
> Seems like an impressive little box good for an edge device if you aren't
> in need of huge quantities of BW. Does anyone know what the price point is
> going to be?
>

From gert at greenie.muc.de Wed Mar 7 10:14:49 2012
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 7 Mar 2012 16:14:49 +0100
Subject: [c-nsp] port channel numbering schemes
Message-ID: <20120307151449.GM1359@greenie.muc.de>

Hi,

On Wed, Mar 07, 2012 at 08:16:52AM -0600, chris stand wrote:
> We have a number of facilities that have access closets that connect
> either directly to a 7K or the access closets connect to 5Ks which
> then connect to the 7Ks.
>
> I have co-workers who want to take a trunk that might be carrying vlan
> 1300,1302,1304 and make the port channel 1300.
> The next closet might have vlan 1306,08,10,12,14,16 so its port channel is 1306
> The next closet might have vlan 1318, 1320 so ... po 1318

This is a particularly weird one :-) - what will your co-worker do if vlan 1200 gets added to po1318? Renumber the port-channel?

We usually decide on a case-by-case basis how to number the port-channels, and then it's usually something like:

- from distribution router (6500) to distribution switches (whatever)
  port-channel 1, 2, 3, 4... to dist-switch 1, 2, 3, 4...
- from distribution router to core router
  port-channel 100, 101, 102, ...

> I want to use po10, po11, po12, po13,po14 like we have on every other
> device up until now and put the appropriate vlans in the correct port
> channels.

That's about what we use. Tacking port-channel numbers to vlans on the channel will give you headaches some day - vlan distribution tends to change all the time.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany                 gert at greenie.muc.de
fax: +49-89-35655025                           gert at net.informatik.tu-muenchen.de

From jasongurtz at npumail.com Wed Mar 7 11:49:19 2012
From: jasongurtz at npumail.com (Jason Gurtz)
Date: Wed, 7 Mar 2012 11:49:19 -0500
Subject: [c-nsp] Network Security.

> this. Should I be able to take a personal laptop that is not setup on our
> domain, plug into our network, obtain an ip address dynamically through
> our cisco router and browse the internet?

As other posts have alluded, there is a lot more to this question than meets the eye. If the business policy dictates that byod/guest access is to be allowed (a likely scenario in many cases IMHO), there is a baseline architecture to improve security.

Create a guest vlan/subnet on the switch to be used by guests or other unmanaged devices. Create ACL entries on the switch so guest devices can only access the Internet and can't access the other internal vlans. Your 861W can do this.

Things start to get more interesting if there will be an AUP/Captive portal, port security a la 802.1X, a need for guests to access certain internal resources, or a guest wireless infrastructure.

~JasonG

From jwbensley at gmail.com Wed Mar 7 16:13:31 2012
From: jwbensley at gmail.com (James Bensley)
Date: Wed, 7 Mar 2012 21:13:31 +0000
Subject: [c-nsp] ASR9001
In-Reply-To: <4F577166.3020406@kenweb.org>
References: <4F577166.3020406@kenweb.org>

On 7 March 2012 14:32, ML wrote:
> Has anyone else been looking at this device?
>
> Does anyone know details on the RSP and RAM inside?
>
> Seems like an impressive little box good for an edge device if you aren't in
> need of huge quantities of BW. Does anyone know what the price point is
> going to be?
This was recently discussed on NANOG, read all about it here:

http://mailman.nanog.org/pipermail/nanog/2012-January/044053.html

It was a thread comparing the ASR1k to an MX80, but the ASR9k1 is more in line with the MX80, so skip through a bit, and the discussion becomes more informative.

From jneiberger at gmail.com Wed Mar 7 18:00:51 2012
From: jneiberger at gmail.com (John Neiberger)
Date: Wed, 7 Mar 2012 16:00:51 -0700
Subject: [c-nsp] Replacing route policies in IOS XR
In-Reply-To: <6E4D2678AC543844917CA081C9D6B33F06B8EC71@XMB-AMS-103.cisco.com>
References: <6E4D2678AC543844917CA081C9D6B33F06B8EC71@XMB-AMS-103.cisco.com>

Thanks to all for clearing that up!

On Wed, Mar 7, 2012 at 3:45 AM, Oliver Boehmer (oboehmer) wrote:
>
>
>> I'm relatively new to route policies in IOS XR. I have a route policy
>> on a production router that needs to be replaced. The documentation
>> doesn't exactly make it clear how to do this properly. Is it as simple
>> as pasting an entirely new route policy in config mode and committing
>> it? I see that there are methods for editing the policy directly from
>> the CLI, but that doesn't seem like what I want or need. Since route
>> policies don't use line numbering, I'm worried that I might end up
>> with some weird merged policy. If we're just replacing the entire
>> thing, is it a simple paste and commit?
>
> you only have two options:
> 1) replace the "whole thing" when you do this within the "config" mode
> (you'll get a warning that the full policy will be replaced)
> 2) edit selective parts of it using the built-in editor ("edit
> route-policy ...")
>
> If I recall correctly, both will eventually do a full replace (if you
> check "show conf commit changes .."), the latter just looks more
> incremental :-)
>
> you can also check out https://supportforums.cisco.com/docs/DOC-22031
>
> oli
>

From mtinka at globaltransit.net Wed Mar 7 22:48:30 2012
From: mtinka at globaltransit.net (Mark Tinka)
Date: Thu, 8 Mar 2012 11:48:30 +0800
Subject: [c-nsp] ME3600 BGP Route-Maps and IPv6 (WAS: Re: preference on bgp route advertisements)
In-Reply-To: <4F568945.6050500@reub.net>
References: <4F514FD2.4000007@yahoo.com> <4F55F530.6020407@reub.net> <4F568945.6050500@reub.net>
Message-ID: <201203081148.33600.mtinka@globaltransit.net>

On Wednesday, March 07, 2012 06:01:41 AM Reuben Farrelly wrote:
> Correction. I made a mistake in my testing there...
>
> If I have:
>
> ipv6 prefix-list PERMIT-IPV6-ANY seq 10 permit ::/0 le 64
>
> Then yes the IPv6 specific route-map matches first and
> the correct community is set.

You mean as opposed to "... le 48"?

Cheers,

Mark.

From reuben-cisco-nsp at reub.net Wed Mar 7 23:30:16 2012
From: reuben-cisco-nsp at reub.net (Reuben Farrelly)
Date: Thu, 08 Mar 2012 15:30:16 +1100
Subject: [c-nsp] ME3600 BGP Route-Maps and IPv6 (WAS: Re: preference on bgp route advertisements)
In-Reply-To: <201203081148.33600.mtinka@globaltransit.net>
References: <4F514FD2.4000007@yahoo.com> <4F55F530.6020407@reub.net> <4F568945.6050500@reub.net> <201203081148.33600.mtinka@globaltransit.net>
Message-ID: <4F5835D8.8050800@reub.net>

No - as opposed to having no route-map matching IPv6 at all.

So, if I have a route-map that (after my correction) actually matches an IPv6 route at the top of the route-map sequence and sets the community value of that IPv6 matched route, then it works as expected.

If I have a route-map that parses IPv6 routes, but does not match any IPv6 routes (no match ipv6 ...
defined anywhere in any of the route-map sequence entries) then it matches on the first _IPv4_ route map entry and sets the community of that IPv6 route to the IPv4 match instead. That's the bug :)

Reuben

On 8/03/2012 2:48 PM, Mark Tinka wrote:
> On Wednesday, March 07, 2012 06:01:41 AM Reuben Farrelly
> wrote:
>
>> Correction. I made a mistake in my testing there...
>>
>> If I have:
>>
>> ipv6 prefix-list PERMIT-IPV6-ANY seq 10 permit ::/0 le 64
>>
>> Then yes the IPv6 specific route-map matches first and
>> the correct community is set.
>
> You mean as opposed to "... le 48"?
>
> Cheers,
>
> Mark.

From gert at greenie.muc.de Thu Mar 8 02:44:47 2012
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 8 Mar 2012 08:44:47 +0100
Subject: [c-nsp] ME3600 BGP Route-Maps and IPv6 (WAS: Re: preference on bgp route advertisements)
In-Reply-To: <4F5835D8.8050800@reub.net>
References: <4F514FD2.4000007@yahoo.com> <4F55F530.6020407@reub.net> <4F568945.6050500@reub.net> <201203081148.33600.mtinka@globaltransit.net> <4F5835D8.8050800@reub.net>
Message-ID: <20120308074447.GO1359@greenie.muc.de>

Hi,

On Thu, Mar 08, 2012 at 03:30:16PM +1100, Reuben Farrelly wrote:
> No - as opposed to having no route-map matching IPv6 at all.
>
> So, if I have a route-map that (after my correction) actually matches an
> IPv6 route at the top of the route-map sequence and sets the community
> value of that IPv6 matched route, then it works as expected.
>
> If I have a route-map that parses IPv6 routes, but does not match any
> IPv6 routes (no match ipv6 ... defined anywhere in any of the route-map
> sequence entries) then it matches on the first _IPv4_ route map entry
> and sets the community of that IPv6 route to the IPv4 match instead.
> That's the bug :)

As far as I have interpreted this behaviour: for an IPv6 route, the "match ip" statements are just not evaluated, as if "not there at all", and vice versa for IPv4 routes and "match ipv6".
So you could do something like:

  route-map foo permit 10
   match ip address prefix-list foov4
   match ipv6 address prefix-list foov6
   set community 1234:456

if both match statements were applied, this wouldn't match anything ever, and so only the corresponding AFI matches are used.

So, "feature", not bug :-)

OTOH, we don't use this in practice, but have separate route-maps for IPv4 and IPv6 - not because it wouldn't work, but it's somewhat easier to see "which applies where?", and also because there might be differences in routing policy ("prefer AS X over uplink Z" might not be needed for IPv4, but not make sense for IPv6)

gert

From p.mayers at imperial.ac.uk Thu Mar 8 04:08:11 2012
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Thu, 08 Mar 2012 09:08:11 +0000
Subject: [c-nsp] ME3600 BGP Route-Maps and IPv6 (WAS: Re: preference on bgp route advertisements)
In-Reply-To: <20120308074447.GO1359@greenie.muc.de>
References: <4F514FD2.4000007@yahoo.com> <4F55F530.6020407@reub.net> <4F568945.6050500@reub.net> <201203081148.33600.mtinka@globaltransit.net> <4F5835D8.8050800@reub.net> <20120308074447.GO1359@greenie.muc.de>
Message-ID: <4F5876FB.2010304@imperial.ac.uk>

On 03/08/2012 07:44 AM, Gert Doering wrote:
>> If I have a route-map that parses IPv6 routes, but does not match any
>> IPv6 routes (no match ipv6 ... defined anywhere in any of the route-map
>> sequence entries) then it matches on the first _IPv4_ route map entry
>> and sets the community of that IPv6 route to the IPv4 match instead.
>> That's the bug :)
>
> As far as I have interpreted this behaviour: for an IPv6 route, the
> "match ip" statements are just not evaluated, as if "not there at all",
> and vice versa for IPv4 routes and "match ipv6".

Yeah, this behaviour is pretty well documented, and I found it quite surprising the first time I ran into it:

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a008047915d.shtml#cmdsredist

The occasion I ran into it was an attempt at laziness, to use the same route-map for "redis connected" and "redis static". I wanted to use a tag on static routes to signal "no-export" and wrote a route-map like this:

  route-map redis2bgp permit 10
   match tag 100
   set community no-export
  route-map redis2bgp ...

Of course, this fails for "connected" routes; because "match tag" is not a "supported command" for connected, it's just ignored, meaning the 1st statement matches for all connected routes.

Basically - match statements that are inapplicable are just IGNORED as opposed to the match FAILING.

From gert at greenie.muc.de Thu Mar 8 04:37:23 2012
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 8 Mar 2012 10:37:23 +0100
Subject: [c-nsp] ME3600 BGP Route-Maps and IPv6 (WAS: Re: preference on bgp route advertisements)
In-Reply-To: <4F5876FB.2010304@imperial.ac.uk>
References: <4F514FD2.4000007@yahoo.com> <4F55F530.6020407@reub.net> <4F568945.6050500@reub.net> <201203081148.33600.mtinka@globaltransit.net> <4F5835D8.8050800@reub.net> <20120308074447.GO1359@greenie.muc.de> <4F5876FB.2010304@imperial.ac.uk>
Message-ID: <20120308093723.GP1359@greenie.muc.de>

Hi,

On Thu, Mar 08, 2012 at 09:08:11AM +0000, Phil Mayers wrote:
> The occasion I ran into it was an attempt at laziness, to use the same
> route-map for "redis connected" and "redis static". I wanted to use a
> tag on static routes to signal "no-export" and wrote a route-map like this:
>
> route-map redis2bgp permit 10
>  match tag 100
>  set community no-export
> route-map redis2bgp ...
>
> Of course, this fails for "connected" routes; because "match tag" is not
> a "supported command" for connected, it's just ignored, meaning the 1st
> statement matches for all connected routes.

Now *that* brings me to another favourite soapbox rant :-) - why oh why is "tag" not supported on connected routes?

(Along with "why is there no way to make HSRP-slave interfaces really passive, not showing up in the local FIB and in 'redist connected' etc?"... none of this is "my network will stop working if I can't have that!" critical, but it would save oh so many workarounds).

gert

From mtinka at globaltransit.net Thu Mar 8 06:32:32 2012
From: mtinka at globaltransit.net (Mark Tinka)
Date: Thu, 8 Mar 2012 19:32:32 +0800
Subject: [c-nsp] port channel numbering schemes
In-Reply-To: <4F57758E.80605@gmail.com>
References: <2CF3E7D7-028F-44D6-AD42-D472CFAD638E@puck.nether.net> <4F57758E.80605@gmail.com>
Message-ID: <201203081932.36163.mtinka@globaltransit.net>

On Wednesday, March 07, 2012 10:49:50 PM -Hammer- wrote:
> +1
>
> We don't have a formal port channel naming schema.

We just go serially. Cisco's start at "1", Juniper's start at "0", so documentation is useful, although interface descriptions on both sides of the link help a lot too.

We try not to match interface numbers to VLAN ID's. That works out alright when you're starting out, but as the network grows, many face-palm and hair-pulling moments :-).

Mark.
From p.mayers at imperial.ac.uk Thu Mar 8 07:34:52 2012
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Thu, 08 Mar 2012 12:34:52 +0000
Subject: [c-nsp] ME3600 BGP Route-Maps and IPv6 (WAS: Re: preference on bgp route advertisements)
In-Reply-To: <20120308093723.GP1359@greenie.muc.de>
References: <4F514FD2.4000007@yahoo.com> <4F55F530.6020407@reub.net> <4F568945.6050500@reub.net> <201203081148.33600.mtinka@globaltransit.net> <4F5835D8.8050800@reub.net> <20120308074447.GO1359@greenie.muc.de> <4F5876FB.2010304@imperial.ac.uk> <20120308093723.GP1359@greenie.muc.de>
Message-ID: <4F58A76C.6050708@imperial.ac.uk>

On 08/03/12 09:37, Gert Doering wrote:
>> Of course, this fails for "connected" routes; because "match tag" is not
>> a "supported command" for connected, it's just ignored, meaning the 1st
>> statement matches for all connected routes.
>
> Now *that* brings me to another favourite soapbox rant :-) - why oh why
> is "tag" not supported on connected routes?

Interesting question. Where would the "tag" go? On the whole interface (what about "ip ... secondary") or on the IP/IPv6 address?

>
> (Along with "why is there no way to make HSRP-slave interfaces really
> passive, not showing up in the local FIB and in 'redist connected'
> etc?"... none of this is "my network will stop working if I can't have
> that!" critical, but it would save oh so many workarounds).

I do still pine for the Extreme ESRP model (separate ethertype PDUs used to determine master/slave status, slave shuts down all layer3 and layer2 [except control PDU] forwarding). Solves spanning tree and return-path asymmetry at a stroke. It would be nice to have that option in Cisco-landia.
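To make the match-clause behaviour that Gert and Phil describe above concrete (an inapplicable "match ip"/"match ipv6"/"match tag" is skipped rather than failing the entry), here is an added Python model of route-map evaluation; it is not code from the thread or from Cisco, and the route-maps, prefix-lists and routes in it are constructed for illustration. It also goes beyond what the thread tested (an IPv4 route against the IPv6-only entry of Reuben's corrected map, and Gert's both-clauses-in-one-entry pattern), and those results are what this model predicts, not verified device behaviour.

```python
"""Model of IOS route-map evaluation as Gert and Phil read it in this
thread: a "match" clause the route cannot carry (match ip for an IPv6
route, match tag for a connected route) is skipped, not failed.

Added example; route-maps, prefix-lists and routes are constructed, and
what the model predicts for cases the thread did not test is the model's
reading, not verified device behaviour.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Route:
    prefix: str
    source: str = "static"       # redistribution source: static or connected
    tag: Optional[int] = None    # connected routes carry no tag

    @property
    def afi(self) -> str:
        return "ipv6" if ipaddress.ip_network(self.prefix).version == 6 else "ipv4"


@dataclass
class Entry:                     # one "route-map NAME permit SEQ" block
    seq: int
    matches: list = field(default_factory=list)   # (kind, argument) pairs
    sets: dict = field(default_factory=dict)      # what its "set ..." lines apply


def applicable(kind: str, route: Route) -> bool:
    """Can this match kind be evaluated against this route at all?"""
    return {
        "ip address prefix-list": route.afi == "ipv4",
        "ipv6 address prefix-list": route.afi == "ipv6",
        "tag": route.source != "connected",
    }[kind]


def prefix_list_permits(plist, route: Route) -> bool:
    """plist entries are (prefix, le), i.e. 'permit PREFIX le N'."""
    net = ipaddress.ip_network(route.prefix)
    for pfx, le in plist:
        base = ipaddress.ip_network(pfx)
        if base.version == net.version and net.subnet_of(base) and net.prefixlen <= le:
            return True
    return False


def evaluate(route_map, route: Route, plists, skip_inapplicable=True):
    """Return the 'sets' of the first permit entry that matches, or None.

    skip_inapplicable=True  models IOS: an inapplicable clause is ignored.
    skip_inapplicable=False models the intuition that it should fail.
    """
    for entry in route_map:
        verdict = True
        for kind, arg in entry.matches:
            if not applicable(kind, route):
                if skip_inapplicable:
                    continue     # IOS: "as if not there at all"
                verdict = False
                break
            hit = route.tag == arg if kind == "tag" else prefix_list_permits(plists[arg], route)
            if not hit:
                verdict = False
                break
        if verdict:
            return entry.sets
    return None                  # implicit deny at the end of the route-map


# Reuben's case: one route-map applied to both the IPv4 and the IPv6 session.
PLISTS = {"CUST-V4": [("192.0.2.0/24", 32)], "PERMIT-IPV6-ANY": [("::/0", 64)]}
SHARED_MAP = [Entry(10, [("ip address prefix-list", "CUST-V4")], {"community": "65000:4"}),
              Entry(20, [], {"community": "65000:0"})]
# Reuben's correction: an IPv6-specific entry ahead of the IPv4 ones.
FIXED_MAP = [Entry(5, [("ipv6 address prefix-list", "PERMIT-IPV6-ANY")],
                   {"community": "65000:6"})] + SHARED_MAP
# Gert's pattern: both AFI clauses in one entry, only the applicable one counts.
GERT_MAP = [Entry(10, [("ip address prefix-list", "CUST-V4"),
                       ("ipv6 address prefix-list", "PERMIT-IPV6-ANY")],
                  {"community": "1234:456"})]
# Phil's case: one route-map for "redistribute static" and "redistribute connected".
REDIS2BGP = [Entry(10, [("tag", 100)], {"community": "no-export"}), Entry(20)]

V6 = Route("2001:db8::/48")
V4 = Route("192.0.2.0/24")


def community(route_map, route, skip_inapplicable=True):
    """Community the route leaves the policy with, or None if dropped/unset."""
    result = evaluate(route_map, route, PLISTS, skip_inapplicable)
    return None if result is None else result.get("community")


if __name__ == "__main__":
    print("IPv6, shared map, IOS semantics:", community(SHARED_MAP, V6))            # 65000:4
    print("IPv6, shared map, naive semantics:", community(SHARED_MAP, V6, False))   # 65000:0
    print("IPv6, fixed map:", community(FIXED_MAP, V6))                             # 65000:6
    print("IPv4, fixed map (model prediction):", community(FIXED_MAP, V4))          # 65000:6
    print("connected route via redis2bgp:", community(REDIS2BGP, Route("10.0.0.0/24", "connected")))
```

The fourth line of output is the part to take away: under this reading, an entry whose only clause is "match ipv6" also catches every IPv4 route, which is why Gert's separate-route-maps-per-AFI habit, or his combined entry, is the safer shape.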
From p.mayers at imperial.ac.uk Thu Mar 8 07:36:18 2012
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Thu, 08 Mar 2012 12:36:18 +0000
Subject: [c-nsp] port channel numbering schemes
In-Reply-To: <201203081932.36163.mtinka@globaltransit.net>
References: <2CF3E7D7-028F-44D6-AD42-D472CFAD638E@puck.nether.net> <4F57758E.80605@gmail.com> <201203081932.36163.mtinka@globaltransit.net>
Message-ID: <4F58A7C2.50506@imperial.ac.uk>

On 08/03/12 11:32, Mark Tinka wrote:
> We try not to match interface numbers to VLAN ID's. That
> works out alright when you're starting out, but as the
> network grows, many face-palm and hair-pulling moments :-).

Agreed. "Clever" numbering schemes can just be misleading when they don't "line up".

From gert at greenie.muc.de Thu Mar 8 08:45:44 2012
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 8 Mar 2012 14:45:44 +0100
Subject: [c-nsp] ME3600 BGP Route-Maps and IPv6 (WAS: Re: preference on bgp route advertisements)
In-Reply-To: <4F58A76C.6050708@imperial.ac.uk>
References: <4F514FD2.4000007@yahoo.com> <4F55F530.6020407@reub.net> <4F568945.6050500@reub.net> <201203081148.33600.mtinka@globaltransit.net> <4F5835D8.8050800@reub.net> <20120308074447.GO1359@greenie.muc.de> <4F5876FB.2010304@imperial.ac.uk> <20120308093723.GP1359@greenie.muc.de> <4F58A76C.6050708@imperial.ac.uk>
Message-ID: <20120308134543.GR1359@greenie.muc.de>

Hi,

On Thu, Mar 08, 2012 at 12:34:52PM +0000, Phil Mayers wrote:
> >Now *that* brings me to another favourite soapbox rant :-) - why oh why
> >is "tag" not supported on connected routes?
>
> Interesting question. Where would the "tag" go? On the whole interface
> (what about "ip ... secondary") or on the IP/IPv6 address?

On the "ip address" thing, because I might want to tag things differently, like "this needs to get a different BGP metric than that one" (which is something we currently do with prefix-lists to get around the HSRP-slave annoyance...).
> >(Along with "why is there no way to make HSRP-slave interfaces really
> >passive, not showing up in the local FIB and in 'redist connected'
> >etc?"... none of this is "my network will stop working if I can't have
> >that!" critical, but it would save oh so many workarounds).
>
> I do still pine for the Extreme ESRP model (separate ethertype PDUs used
> to determine master/slave status, slave shuts down all layer3 and layer2
> [except control PDU] forwarding). Solves spanning tree and return-path
> asymmetry at a stroke. It would be nice to have that option in Cisco-landia.

Well, using a separate ethertype PDU might simplify this somewhat from the control-plane PoV ("I can't send HSRP packets to an IP interface that is down"), but since the HSRP/VRRP packets are sent to a multicast address anyway, and not to anything bound to that interface IP config, it should not pose unsolvable problems either.

It's more a "nobody said they would buy $millions of devices if we implement this" thing (and *then* they would only implement it for the specific platform ordered, in the specific operating-system of the week used there)...

I'm not sure if cisco internal software development has "protocol owners" (like "this person decides what gets added to BGP, that person decides about HSRP and VRRP"), but this sort of feature is something the protocol owner would need to see the need for, and then get it pushed through *all* the BUs.

gert
From mtinka at globaltransit.net Thu Mar 8 09:06:33 2012
From: mtinka at globaltransit.net (Mark Tinka)
Date: Thu, 8 Mar 2012 22:06:33 +0800
Subject: [c-nsp] ME3600 BGP Route-Maps and IPv6 (WAS: Re: preference on bgp route advertisements)
In-Reply-To: <4F5835D8.8050800@reub.net>
References: <4F514FD2.4000007@yahoo.com> <201203081148.33600.mtinka@globaltransit.net> <4F5835D8.8050800@reub.net>
Message-ID: <201203082206.37624.mtinka@globaltransit.net>

On Thursday, March 08, 2012 12:30:16 PM Reuben Farrelly wrote:
> If I have a route-map that parses IPv6 routes, but does
> not match any IPv6 routes (no match ipv6 ... defined
> anywhere in any of the route-map sequence entries) then
> it matches on the first _IPv4_ route map entry and sets
> the community of that IPv6 route to the IPv4 match
> instead. That's the bug :)

Ah, now I understand.

I believe this would be expected behaviour, given that you're applying the policy on an IPv6 session as well. I can't confirm this as we run a different setup, but it would theoretically make sense to be expected.

Mark.
From chuckchurch at gmail.com Thu Mar 8 09:49:49 2012
From: chuckchurch at gmail.com (Chuck Church)
Date: Thu, 8 Mar 2012 09:49:49 -0500
Subject: [c-nsp] port channel numbering schemes
In-Reply-To: <201203081932.36163.mtinka@globaltransit.net>
References: <2CF3E7D7-028F-44D6-AD42-D472CFAD638E@puck.nether.net> <4F57758E.80605@gmail.com> <201203081932.36163.mtinka@globaltransit.net>
Message-ID: <000301ccfd3a$bb412140$31c363c0$@gmail.com>

We kind of grouped ours:

Small range dedicated to uplinks
  Maybe 1 through 5
Small range dedicated to cross links (VSS or VPC)
  Maybe 6 through 9
Large range dedicated to downlinks
  Majority are here, 10 up to the max.

Works well for a normal 3 layer campus design. Since they're only locally significant, we reuse them. So on any given access layer switch, we know its uplink is a certain number assuming just one. I suppose you could break up the downlinks to correspond to a floor number in a building maybe. 10 - 19 first floor, etc. Whatever you design, plan for growth.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Tinka
Sent: Thursday, March 08, 2012 6:33 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] port channel numbering schemes

On Wednesday, March 07, 2012 10:49:50 PM -Hammer- wrote:
> +1
>
> We don't have a formal port channel naming schema.

We just go serially. Cisco's start at "1", Juniper's start at "0", so documentation is useful, although interface descriptions on both sides of the link help a lot too.

We try not to match interface numbers to VLAN ID's. That works out alright when you're starting out, but as the network grows, many face-palm and hair-pulling moments :-).

Mark.
From harbor235 at gmail.com Thu Mar 8 11:15:17 2012
From: harbor235 at gmail.com (harbor235)
Date: Thu, 8 Mar 2012 11:15:17 -0500
Subject: [c-nsp] IPv6 RA filter on Layer 2 switch with edge ports configured as trunk

Herro91 (what kind of name is that?),

Looks like the ASA 1000v and the Nexus 1000v should be able to do this as part of a clear data center strategy for Cisco. But ......... IPv6 ACLs are still not supported on the *1000v products, doh !!!!!!!!

Your best bet may be to police the vlans on the switches that connect the L3 interface for each vlan (VACL, PVLAN) as well as use any safeguards available on the L3 interface, ACLs, PVLANs, RA-guard etc ......

Cisco is dropping the ball again !!!

Mike

On Mon, Mar 5, 2012 at 9:37 PM, Herro91 wrote:
> Hi,
>
> Trying to figure out a solution on how to implement an IPv6 Traffic Filter
> to block RA messages on a 4948 that is configured as an L2 switch. More
> specifically the edge ports are configured as trunks to an ESX host which
> has many VMs (Windoze, Linux, etc). Given the trunk port config, I know I
> could do a VACL, but those lack direction (input/output) so it seems like a
> non-starter
>
> Appreciate any thoughts/advice
>

From mike-cisconsplist at tiedyenetworks.com Thu Mar 8 12:05:33 2012
From: mike-cisconsplist at tiedyenetworks.com (Mike)
Date: Thu, 08 Mar 2012 09:05:33 -0800
Subject: [c-nsp] PPPoe Intermediate agent attribute handling
Message-ID: <4F58E6DD.3070501@tiedyenetworks.com>

Hi,

I am working with a 7201 and trying to follow cisco's pppoe intermediate agent documentation.
I find that what the box is doing is encapsulating the vendor tags in a Cisco-AVPair tag, such as:

  Cisco-AVPair = "circuit-id-tag=someif atm 0/1/36"
  Cisco-AVPair = "remote-id=some admin defined string"

My current radius (freeradius) is configured to use the existing and defined attribute values such as ADSL-Agent-Circuit-Id and ADSL-Agent-Remote-Id directly, which are sent from my current pppoe termination solution. It keys off of the presence of the attribute ADSL-Agent-Circuit-Id and calls an external perl module to handle these. I can certainly extend my code to look inside the Cisco-AVPair attributes and extract the adsl-agent information and act on it, but I am wondering how others have implemented this and whether I am just creating work for myself?

Mike-

From svoll.voip at gmail.com Thu Mar 8 13:11:17 2012
From: svoll.voip at gmail.com (Scott Voll)
Date: Thu, 8 Mar 2012 10:11:17 -0800
Subject: [c-nsp] Moving ports on ASA's

I have two ASA's running in Active / Standby. I need to move a set of interfaces (non production DMZ set) from one switch to a different switch.

If I don't want the ASA's to failover during the move, can I just shut the interface, do the move and then no shut the interfaces? I don't want to affect other traffic on the ASA's with a Failover.

TIA

Scott

From bep at whack.org Thu Mar 8 13:25:20 2012
From: bep at whack.org (Bruce Pinsky)
Date: Thu, 08 Mar 2012 10:25:20 -0800
Subject: [c-nsp] Moving ports on ASA's
Message-ID: <4F58F990.3000903@whack.org>

Scott Voll wrote:
> I have two ASA's running in Active / Standby. I need to move a set of
> interfaces (non production DMZ set) from one switch to a different switch.
>
> if I don't want the ASA's to failover during the move, can I just shut the
> interface do the move and then no shut the interfaces? I don't want to
> affect other traffic on the ASA's with a Failover.
>

How do you have your failover rules set?
You could change a number of factors that would prevent a failover from occurring for just one interface.

--
=========
bep

From streiner at cluebyfour.org Thu Mar 8 13:26:55 2012
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Thu, 8 Mar 2012 13:26:55 -0500 (EST)
Subject: [c-nsp] Moving ports on ASA's

On Thu, 8 Mar 2012, Scott Voll wrote:
> I have two ASA's running in Active / Standby. I need to move a set of
> interfaces (non production DMZ set) from one switch to a different switch.
>
> if I don't want the ASA's to failover during the move, can I just shut the
> interface do the move and then no shut the interfaces? I don't want to
> affect other traffic on the ASA's with a Failover.

That would depend on your topology. Are you talking about physical interfaces or logical interfaces?

jms

From rwest at zyedge.com Thu Mar 8 13:41:09 2012
From: rwest at zyedge.com (Ryan West)
Date: Thu, 8 Mar 2012 18:41:09 +0000
Subject: [c-nsp] Moving ports on ASA's
Message-ID: <5DC4853C6CC3EE4788779E0726E034DD0107209D@zy-ex1.zyedge.local>

On Thu, Mar 08, 2012 at 13:11:17, Scott Voll wrote:
> Subject: [c-nsp] Moving ports on ASA's
>
> I have two ASA's running in Active / Standby. I need to move a set of
> interfaces (non production DMZ set) from one switch to a different switch.
>
> if I don't want the ASA's to failover during the move, can I just shut
> the interface do the move and then no shut the interfaces? I don't
> want to affect other traffic on the ASA's with a Failover.
>

  no monitor-interface dmz

Stops the interface monitoring status states that would cause a failover.
-ryan

From A.L.M.Buxey at lboro.ac.uk Thu Mar 8 17:52:03 2012
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Thu, 8 Mar 2012 22:52:03 +0000
Subject: [c-nsp] port channel numbering schemes
In-Reply-To: <4F58A7C2.50506@imperial.ac.uk>
References: <2CF3E7D7-028F-44D6-AD42-D472CFAD638E@puck.nether.net> <4F57758E.80605@gmail.com> <201203081932.36163.mtinka@globaltransit.net> <4F58A7C2.50506@imperial.ac.uk>
Message-ID: <20120308225203.GB12360@lboro.ac.uk>

Hi,

> > We try not to match interface numbers to VLAN ID's. That
> > works out alright when you're starting out, but as the
> > network grows, many face-palm and hair-pulling moments :-).
>
> Agreed. "Clever" numbering schemes can just be misleading when they
> don't "line up".

another 'agreed' - however, we do try to use standard numbers for particular types of port-channel - ie doing something like ensuring the po1 on an aggregator switch is ALWAYS the link up to the core (and not a port-channel to a stack of access switches or a workstation) - this simplifies a lot of monitoring and sanity checking of configs/status of links etc.

alan

From keegan.holley at sungard.com Thu Mar 8 18:13:23 2012
From: keegan.holley at sungard.com (Keegan Holley)
Date: Thu, 8 Mar 2012 18:13:23 -0500
Subject: [c-nsp] port channel numbering schemes
In-Reply-To: <2CF3E7D7-028F-44D6-AD42-D472CFAD638E@puck.nether.net>
References: <4F576F4B.4020203@foobar.org> <2CF3E7D7-028F-44D6-AD42-D472CFAD638E@puck.nether.net>
Message-ID:

2012/3/7 Jared Mauch
>
> On Mar 7, 2012, at 9:23 AM, Nick Hilliard wrote:
>
> > On 07/03/2012 14:16, chris stand wrote:
> >> thoughts/ideas/concerns
> >
> > This works fine until you try it on smaller boxes and you find out that
> > they only support port-channel names up to 48 or whatever. Then you have a
> > moment of extreme facepalm and go back to Po1, Po2 and Po3.
>
> I've found 'show interface description' and a well thought out (and
> machine parseable) standard for naming works well.
> This way you can just find what you want quickly. CDP and LLDP can also
> assist you in documenting ports as well, though some people don't like the
> information leakage.
>

+1 interface descriptions are the way to go here. I try to stay away from clever numbering. I find that it's hard for people other than the person that thought of the scheme to remember it. Not only that, what happens to your numbering scheme if you need to move vlan1300 or add it to more than one port channel? Numbers don't convey enough information to be used as an inventory system.

From jason at lixfeld.ca Thu Mar 8 19:56:33 2012
From: jason at lixfeld.ca (Jason Lixfeld)
Date: Thu, 8 Mar 2012 19:56:33 -0500
Subject: [c-nsp] Layer 3 and locally significant layer 2 on an ES port?
Message-ID: <383ED98B-8AC9-4FB9-80A2-DF3C65D7D382@lixfeld.ca>

Is there a way to leverage VLAN local significance on a 7600-ES20-GE3CXL port, whilst performing layer 3 termination on that same service instance? I need to avoid using SVI/global VLAN space. ie:

!
int Gi7/0/19
 service instance 920 ethernet
  encapsulation dot1q 920
  ip address 1.1.1.1 255.255.255.0
!

This is on a Sup720/12.2(33)SRE5.

Thanks in advance.

From johnelliot67 at hotmail.com Thu Mar 8 20:19:28 2012
From: johnelliot67 at hotmail.com (John Elliot)
Date: Fri, 9 Mar 2012 12:19:28 +1100
Subject: [c-nsp] Smartnet on ASR1006-10G-HA/K9
Message-ID:

Hi Guys,

Looking at getting one of these (second hand), but want to smartnet it....specifically for XE support (config support/updates) - Do I need anything additional/different to SMARTNET 24X7X4 ASR1006 HA Bundle w/2xESP-10G,2xRP1 ? Or do I need to smartnet all components?

Cheers.
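Returning to the port-channel numbering thread above (Jared's "machine parseable standard for naming" and Alan's "Po1 is ALWAYS the link up to the core"): the script below is an added example, not code from the list or from any poster, that parses `show interface description` output and audits it the way those sanity checks would. The ROLE:PEER:PEERPORT description convention, the Po1 rule and the sample output are constructed assumptions for the example; the thread defines no such convention.

```python
"""Audit IOS `show interface description` output against a machine-parseable
description convention (added example, not from the thread).

Assumed convention (not defined anywhere in the thread): ROLE:PEER:PEERPORT,
e.g. CORE:core1:Te1/1/3, plus the rule that Po1 is always the core uplink.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# ROLE:PEER:PEERPORT, e.g. CORE:core1:Te1/1/3 (assumed convention)
DESC_RE = re.compile(r"^(?P<role>[A-Z]+):(?P<peer>[\w.-]+):(?P<peerport>[\w/.-]+)$")
# One row of `show interface description`: Interface, Status, Protocol, Description
ROW_RE = re.compile(
    r"^(?P<intf>\S+)\s+(?P<status>admin down|up|down)\s+(?P<proto>up|down)\s*(?P<desc>.*?)\s*$"
)

# Constructed sample output, not captured from a real switch.
SAMPLE = """\
Interface                      Status         Protocol Description
Te1/1/1                        up             up       CORE:core1:Te1/1/3
Te1/1/2                        up             up       CORE:core2:Te1/1/3
Po1                            up             up       ACCESS:stack3:Po1
Po2                            up             up       CORE:core1:Po12
Gi1/0/5                        down           down     CORE:core1:Te1/1/3
Gi1/0/6                        up             up       server web01 nic2
Gi1/0/7                        admin down     down
"""


@dataclass
class Port:
    name: str
    status: str
    protocol: str
    description: str


def parse_show_int_desc(output: str) -> List[Port]:
    """Turn the command output into Port records, skipping the header row."""
    ports: List[Port] = []
    for line in output.splitlines():
        if not line.strip() or line.startswith("Interface"):
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed row: {line!r}")
        ports.append(Port(m["intf"], m["status"], m["proto"], m["desc"]))
    return ports


def parse_description(desc: str) -> Optional[Dict[str, str]]:
    """Split a conventional description into role/peer/peerport, else None."""
    m = DESC_RE.match(desc)
    return m.groupdict() if m else None


def audit(ports: List[Port]) -> List[str]:
    """One finding per port that breaks the convention or the Po1 rule, or
    that claims the same far-end port as another interface (stale docs)."""
    findings: List[str] = []
    seen: Dict[Tuple[str, str], str] = {}
    for p in ports:
        fields = parse_description(p.description)
        if fields is None:
            # An undocumented port that is not deliberately shut is the
            # usual sign of an unrecorded change; a shut port gets a pass.
            if p.status != "admin down":
                findings.append(f"{p.name}: no conventional description but not admin down")
            continue
        if p.name == "Po1" and fields["role"] != "CORE":
            findings.append(f"{p.name}: Po1 reserved for CORE uplink, found role {fields['role']}")
        key = (fields["peer"], fields["peerport"])
        if key in seen:
            findings.append(f"{p.name}: duplicates {seen[key]} ({fields['peer']} {fields['peerport']})")
        else:
            seen[key] = p.name
    return findings


if __name__ == "__main__":
    for finding in audit(parse_show_int_desc(SAMPLE)):
        print(finding)
```

Run against the sample it reports the misused Po1, the stale duplicate on Gi1/0/5 and the free-text description on Gi1/0/6, while the deliberately shut Gi1/0/7 is ignored.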
From mtinka at globaltransit.net Fri Mar 9 00:09:27 2012
From: mtinka at globaltransit.net (Mark Tinka)
Date: Fri, 9 Mar 2012 13:09:27 +0800
Subject: [c-nsp] port channel numbering schemes
In-Reply-To: <20120308225203.GB12360@lboro.ac.uk>
References: <4F58A7C2.50506@imperial.ac.uk> <20120308225203.GB12360@lboro.ac.uk>
Message-ID: <201203091309.27858.mtinka@globaltransit.net>

On Friday, March 09, 2012 06:52:03 AM Alan Buxey wrote:

> another 'agreed' - however, we do try to use standard
> numbers for particular types of port-channel - ie doing
> something like ensuring the po1 on an aggregator switch
> is ALWAYS the link up to the core (and not a
> port-channel to a stack of access switches or a
> workstation) - this simplifies a lot of monitoring and
> sanity checking of configs/status of links etc.

What happens when you introduce a new vendor that starts numbering bundled interfaces with "0" :-)? Or when a new BU in Cisco decides to do something different with their bundle links that is quite different from the BU whose systems you're currently using :-)?

Of course, maybe corner cases for most folk, but then again, I realize that one can't possibly conceive every possible eventuality. Only time and joy/pain will truly determine your thoughts on the matter.

Cheers,

Mark.

From saku at ytti.fi Fri Mar 9 01:35:16 2012
From: saku at ytti.fi (Saku Ytti)
Date: Fri, 9 Mar 2012 08:35:16 +0200
Subject: [c-nsp] Layer 3 and locally significant layer 2 on an ES port?
In-Reply-To: <383ED98B-8AC9-4FB9-80A2-DF3C65D7D382@lixfeld.ca>
References: <383ED98B-8AC9-4FB9-80A2-DF3C65D7D382@lixfeld.ca>
Message-ID: <20120309063516.GA24608@pob.ytti.fi>

On (2012-03-08 19:56 -0500), Jason Lixfeld wrote:

> Is there a way to leverage VLAN local significance on a 7600-ES20-GE3CXL port, whilst performing layer 3 termination on that same service instance? I need to avoid using SVI/global VLAN space.

There is no way not to use global VLAN space in 7600. For QinQ interfaces ES20 allows mapping them to an internal global VLAN-ID, so you can have the same QinQ set in another interface. ES+ allows this for single tagged interfaces also, giving you the illusion of no global VLAN space.

In ES20, if you want the same Q in two interfaces, you must use EVC + bridge-group; it will never get support for single Q<->internal VLAN-ID mapping.

--
  ++ytti

From A.L.M.Buxey at lboro.ac.uk Fri Mar 9 03:59:27 2012
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Fri, 9 Mar 2012 08:59:27 +0000
Subject: [c-nsp] port channel numbering schemes
Message-ID: <310C82BD-300F-48DD-A93A-727BB168988E@lboro.ac.uk>

As I said, we TRY. The vendors will do their best to scupper us, other things will come up to b0rk it. But as a rule of thumb it's a starting point (I'm more concerned that other things change, such as the MIB value between different platforms).

alan

From sf at lists.esoteric.ca Fri Mar 9 10:35:19 2012
From: sf at lists.esoteric.ca (Stephen Fulton)
Date: Fri, 09 Mar 2012 10:35:19 -0500
Subject: [c-nsp] VPDN-aware VRF
Message-ID: <4F5A2337.5050305@lists.esoteric.ca>

Hi all,

I want to terminate a VPDN tunnel within a VRF, but have the actual sessions exist within the global routing table. For example, provider XYZ has provided RFC1918 addresses for their LAC's, which I do not want to expose in my global table, but my customer's PPPoE sessions which would be delivered by provider XYZ must be within my global table with public IP addresses.
From my understanding of the documentation, it seems possible but I want to confirm with my learned brethren.

Thanks,

-- Stephen

From chris at uplogon.com Fri Mar 9 11:52:28 2012
From: chris at uplogon.com (Chris Gotstein)
Date: Fri, 09 Mar 2012 10:52:28 -0600
Subject: [c-nsp] Cisco WS-C3560G-24TS-S Port Mirring Issue
Message-ID: <4F5A354C.8080808@uplogon.com>

I have a WS-C3560G-24TS-S running 15.0(1)SE2. I have a simple port mirror setup to mirror traffic from gi0/1 to gi0/2:

monitor session 1 source interface Gi0/1
monitor session 1 destination interface Gi0/2

Over the course of the last couple of months, the monitor session stops working. If I remove the above commands and re-enter them with a new session number, the mirror comes back up. This has happened about a dozen times so far. Is there a known bug in the code? Could the equipment that is plugged into gi0/2 cause problems and break the monitor session? Any suggestions appreciated.

Thanks,

--
---- ---- ---- ----
Chris Gotstein, Network Engineer, U.P. Logon/Computer Connection U.P.
http://uplogon.com | +1 906 774 4847 | chris at uplogon.com

From bjorn at mork.no Sat Mar 10 15:26:35 2012
From: bjorn at mork.no (Bjørn Mork)
Date: Sat, 10 Mar 2012 21:26:35 +0100
Subject: [c-nsp] PPPoe Intermediate agent attribute handling
In-Reply-To: <4F58E6DD.3070501@tiedyenetworks.com> (Mike's message of "Thu, 08 Mar 2012 09:05:33 -0800")
References: <4F58E6DD.3070501@tiedyenetworks.com>
Message-ID: <87wr6s9p8k.fsf@nemi.mork.no>

Mike writes:

> I am working with a 7201 and trying to follow cisco's pppoe
> intermediate agent documentation.
> I find that what the box is doing is
> encapsulating the vendor tags in a Cisco-AVPair tag, such as:
>
> Cisco-AVPair = "circuit-id-tag=someif atm 0/1/36"
> Cisco-AVPair = "remote-id=some admin defined string"
>
> My current radius (freeradius) is configured to use the
> existing and defined attribute values such as ADSL-Agent-Circuit-Id
> and ADSL-Agent-Remote-Id directly, which are sent from my current
> pppoe termination solution. It keys off of the presence of the
> attribute ADSL-Agent-Circuit-Id and calls an external perl module to
> handle these. I can certainly extend my code to look inside the
> Cisco-AVPair attributes and extract the adsl-agent information and act
> on it, but I am wondering how others have implemented this and whether
> I am just creating work for myself?

I have no idea how people usually deal with this, but you could configure FreeRADIUS with "with_cisco_vsa_hack = yes". See freeradius/src/modules/rlm_preprocess/rlm_preprocess.c for docs.

You might need to define the "circuit-id-tag" and "remote-id" strings as attribute aliases for ADSL-Agent-Circuit-Id and ADSL-Agent-Remote-Id to make this work.

Bjørn

From netfortius at gmail.com Sat Mar 10 17:30:35 2012
From: netfortius at gmail.com (Stefan)
Date: Sat, 10 Mar 2012 16:30:35 -0600
Subject: [c-nsp] "%HARDWARE-1-TCAM_ERROR: Found error in HFTM TCAM Space and not able to recover the error" + server losing default GW
Message-ID:

Problem: solaris server connected to a port on a 3750 switch.

Reported problem: solaris server lost capability to communicate over the network (checks performed from remote location / different VLAN - important to know!)
Immediate reaction - network folks engaged: switch investigation reveals error from $subj:

%HARDWARE-1-TCAM_ERROR: Found error in HFTM TCAM Space and not able to recover the error

so decision taken to immediately reload the switch

Phase II: switch recovers, no more errors, server still reported unreachable from monitoring tool; a quick test from within switch reveals reachability of server from within its own VLAN, though (all tests = ICMP)!

Phase III: finally server folks involved - reached out to "down" server via another one, on the same VLAN, connected to the same switch - found missing gateway on the "down" server (allegedly there for the last 4xx days of uptime)

Phase III - post-mortem monitoring: no more TCAM errors but also no more problems (obviously) after re-adding the default GW on the server

What we are missing: test at the time of reported failure in communication with server did not include an ICMP from within its own VLAN (as the apparent problem was the error reported on the switch TCAM)

My question to the audience: having done a little research on old solaris behavior (as we have it), I found this:

http://www.tek-tips.com/viewthread.cfm?qid=211132

and now I wonder - is it possible that solaris mechanisms of spewing whatever traffic, in missing the default GW, caused the TCAM issue, or (and how come) the TCAM issue causing the "disappearance" of the solaris default GW.

Anybody having experienced the problem described?

***Stefan

From paul at gtcomm.net Sat Mar 10 23:15:12 2012
From: paul at gtcomm.net (Paul)
Date: Sat, 10 Mar 2012 23:15:12 -0500
Subject: [c-nsp] sup720/6704 error PM_SCP-SP-2-LCP_FW_ERR_INFORM
Message-ID: <4F5C26D0.5050805@gtcomm.net>

Seeing this error on a 6506 with sup720-3bxl. Module was originally in slot 1, which showed this error consistently, moved to slot 4 and it did not show error until hours later. Passes all diagnostics thrown at it. Tried different xenpaks, googled the error but could not find the exact one.
Module 3 works fine. I'm wondering if it's the actual 6704 module. Both have DFC 3BXL. Going to get a replacement for it, but was curious if anyone else has seen this error because I could not find it with internet search. Port 2 on module 4 works, even worked in slot 1. Just seems port 4 is bad?

Cisco IOS Software, s72033_rp Software (s72033_rp-ADVIPSERVICESK9_WAN-M), Version 12.2(33)SXI6, RELEASE SOFTWARE (fc4)

  3    4  CEF720 4 port 10-Gigabit Ethernet   WS-X6704-10GE    SAL
  4    4  CEF720 4 port 10-Gigabit Ethernet   WS-X6704-10GE    SAD
  5   24  CEF720 24 port 1000mb SFP           WS-X6724-SFP     SAL
  6    2  Supervisor Engine 720 (Active)      WS-SUP720-3BXL   SAD

Log:

Mar 10 11:57:17 UTC: %LINK-SP-3-UPDOWN: Interface TenGigabitEthernet4/4, changed state to down
Mar 10 11:57:20 UTC: %LINK-3-UPDOWN: Interface TenGigabitEthernet4/4, changed state to up
Mar 10 11:57:20 UTC: %LINK-SP-3-UPDOWN: Interface TenGigabitEthernet4/4, changed state to up
Mar 10 11:57:22 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet4/4, changed state to up
Mar 10 11:57:21 UTC: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface TenGigabitEthernet4/4, changed state to up
Mar 10 11:57:33 UTC: %PM_SCP-SP-2-LCP_FW_ERR_INFORM: Module 4 is experiencing the following error: RO[3]: 125056 noncritical interrupts last 10s, now disabled.
ROINTMSK[3]: 2E9:0xC 00F:0x728 024:0x1FF9 0E8:0x4 052:0x0 04C:0x1E 049:0x0 09D:0x2FF9 009:0x0 00C:0x0
Mar 10 12:11:13 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet4/4, changed state to down
Mar 10 12:11:13 UTC: %LINK-3-UPDOWN: Interface TenGigabitEthernet4/4, changed state to down
Mar 10 12:11:13 UTC: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface TenGigabitEthernet4/4, changed state to down
Mar 10 12:11:13 UTC: %LINK-SP-3-UPDOWN: Interface TenGigabitEthernet4/4, changed state to down
Mar 10 12:11:32 UTC: %LINK-3-UPDOWN: Interface TenGigabitEthernet4/4, changed state to up
Mar 10 12:11:32 UTC: %LINK-SP-3-UPDOWN: Interface TenGigabitEthernet4/4, changed state to up
Mar 10 12:11:35 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet4/4, changed state to up
Mar 10 12:11:35 UTC: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface TenGigabitEthernet4/4, changed state to up

Thanks!

--
GloboTech Communications
Phone: 1-514-907-0050 x 215
Toll Free: 1-(888)-GTCOMM1
Fax: 1-(514)-907-0750
paul at gtcomm.net
http://www.gtcomm.net

From netfortius at gmail.com Sun Mar 11 01:06:33 2012
From: netfortius at gmail.com (Stefan)
Date: Sun, 11 Mar 2012 00:06:33 -0600
Subject: [c-nsp] "%HARDWARE-1-TCAM_ERROR: Found error in HFTM TCAM Space and not able to recover the error" + server losing default GW
In-Reply-To:
References:
Message-ID:

Thanks for reply, James. I assume you meant "proxy arp shouldn't", right?

Will get more details from the server folks on Monday (if willing to share ;-)).

To me the interesting part was "all but one functional ports (1) + TCAM errors (2) + one port w/a server having lost its default GW (3)" - I could see (2) and (3), as (2) => (3), but then why (1)? ... unless (3) => (2)

***Stefan

On Sat, Mar 10, 2012 at 9:40 PM, James S. Smith wrote:
> Did the Solaris system have the gateway in the defaultrouter file, or did it need to be added?
>
> It's possible that it never did have a default gateway, and your local router was doing proxy arp. I've run into that a few times where a server isn't given the proper gateway but still ends up getting connectivity because the local router is responding to the arps. Or perhaps someone had added the default route by cli and never added it to the defaultrouter file, and then it somehow got lost.
>
> It's an odd chain of events, but proxy arp should cause issues with the TCAM.
>
>
> ----- Original Message -----
> From: Stefan [mailto:netfortius at gmail.com]
> Sent: Saturday, March 10, 2012 05:30 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] "%HARDWARE-1-TCAM_ERROR: Found error in HFTM TCAM Space and not able to recover the error" + server losing default GW
>
> Problem: solaris server connected to a port on a 3750 switch.
>
> Reported problem: solaris server lost capability to communicate over
> the network (checks performed from remote location / different VLAN -
> important to know!)
>
> Immediate reaction - network folks engaged: switch investigation
> reveals error from $subj:
>
> %HARDWARE-1-TCAM_ERROR: Found error in HFTM TCAM Space and not able to
> recover the error
>
> so decision taken to immediately reload the switch
>
> Phase II: switch recovers, no more errors, server still reported
> unreachable from monitoring tool; a quick test from within switch
> reveals reachability of server from within its own VLAN, though (all
> tests = ICMP)!
>
> Phase III: finally server folks involved - reached out to "down"
> server via another one, on the same VLAN, connected to the same switch
> - found missing gateway on the "down" server (allegedly there for the
> last 4xx days of uptime)
>
> Phase III - post-mortem monitoring: no more TCAM errors but also no
> more problems (obviously) after re-adding the default GW on the server
>
> What we are missing: test at the time of reported failure in
> communication with server did not include an ICMP from within its own
> VLAN (as the apparent problem was the error reported on the switch
> TCAM)
>
> My question to the audience: having done a little research on old
> solaris behavior (as we have it), I found this:
>
> http://www.tek-tips.com/viewthread.cfm?qid=211132
>
> and now I wonder - is it possible that solaris mechanisms of spewing
> whatever traffic, in missing the default GW, caused the TCAM issue, or
> (and how come) the TCAM issue causing the "disappearance" of the
> solaris default GW.
>
> Anybody having experienced the problem described?
>
> ***Stefan
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From rus-p at inbox.ru Sun Mar 11 00:53:58 2012
From: rus-p at inbox.ru (Ruslan Pustovoytov)
Date: Sun, 11 Mar 2012 09:53:58 +0400
Subject: [c-nsp] Carrier grade NAT44 & newest Cisco boxes
Message-ID: <4F5C3DF6.3010007@inbox.ru>

Hi all

Can anybody explain to me what is the best way to do CGN on Cisco boxes? I am looking for a powerful solution with a price congruous with other vendors. Recently I closely looked at the ISM-100 card for the asr9k platform. I was negatively surprised that the performance of this card is about 10 Gbit/s half-duplex.. The card occupies a full slot in the chassis and costs about 200.000$ in GPL with a license for 10 million sessions.
I know that other vendors with more ancient NATs have double the performance for this price. Also, I looked at the CGSE blade for the CRS-1 and CRS-3 platform. The presentation says it has 10 Gbit/s full-duplex performance and the card occupies one slot. Does it mean that CGN in CRS is more powerful than CGN in ASR9k, or is this a sort of marketing game?

From kevin.hodle at gmail.com Sun Mar 11 13:14:54 2012
From: kevin.hodle at gmail.com (Kevin Hodle)
Date: Sun, 11 Mar 2012 12:14:54 -0500
Subject: [c-nsp] Does SPA-2X1GE supports 100M with SFP-GE-T?
In-Reply-To: <59835842-2800-4B33-8093-477E6E11AFDC@gmail.com>
References: <4ABB6A47-2436-4D84-BADA-DC363ED8F1D9@gmail.com> <59835842-2800-4B33-8093-477E6E11AFDC@gmail.com>
Message-ID:

Hi Joe,

The interface itself should have no issues running at 100M/fastE, but the transceiver (SFP) could very well give you problems.. Most of the cheaper off the shelf copper SFPs are not capable of running at symbol rates != 1G, and thus only support 1000Base-T. You will need to look around for a true multi-rate copper SFP to do this, I assume Cisco sells a rate adaptable 10M/100M/1000M SFP, and there are most likely cheaper alternatives as well.

... That said, have you inquired with your carrier whether they can hand-off native 1000Base-LH optical or full gigabit copper with a 100M CIR/CDR? Most carriers I know would *prefer* to offer native gigE hand-off for most provisioning scenarios. Even in a typical enterprise optical loop where $carrier pulls in a native STS3c/STS12c and utilizes high order VCAT+GFP to give you 2x51M tributaries, sub-rate over native gigE is now pretty standard in most metro areas :)

Regards,
Kevin

On Fri, Feb 24, 2012 at 6:50 AM, Joe Myatt wrote:
>> Hi
>>
>> unusual situation but we need to connect to a new carrier service at 100M and we only have SPA-2XG1E in a SIP-400 7613 chassis. Can you force these to run a 100M with copper SFP? As below:
>>
>> Router#sh run int gi 10/3/0
>> Building configuration...
>>
>> Current configuration : 173 bytes
>> !
>> interface GigabitEthernet10/3/0
>>  description Telstra BDAS Standard POI
>>  no ip address
>>  speed 100
>>  no negotiation auto
>>  no snmp trap link-status
>> end
>
>

--
================================================================
 :: :: Kevin Hodle | http://www.linkedin.com/in/kevinhodle
 :: :: PGP Key ID  | fingerprint
 :: :: 0x803F24BE  | 1094 FB06 837F 2FAB C86B E4BE 4680 3679 803F 24BE
"Elegance is not a dispensable luxury but a factor that decides between success and failure." -Edsger Dijkstra
================================================================

From oliver.eyre at cirruscomms.com.au Sun Mar 11 19:10:34 2012
From: oliver.eyre at cirruscomms.com.au (Oliver Eyre)
Date: Mon, 12 Mar 2012 10:10:34 +1100
Subject: [c-nsp] VPDN-aware VRF
In-Reply-To: <4F5A2337.5050305@lists.esoteric.ca>
Message-ID:

Definitely possible. Create the VRF and interface like normal and then supply your VPDN group with the following line:

vpn vrf ProvXYZ

Any resultant sessions will assume the default routing table unless explicitly specified in your Virtual-Template or via RADIUS.

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftvpdnmh.html

Oliver

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Stephen Fulton
Sent: Saturday, 10 March 2012 2:35 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] VPDN-aware VRF

Hi all,

I want to terminate a VPDN tunnel within a VRF, but have the actual sessions exist within the global routing table.
For example, provider XYZ has provided RFC1918 addresses for their LAC's, which I do not want to expose in my global table, but my customer's PPPoE sessions which would be delivered by provider XYZ must be within my global table with public IP addresses.

From my understanding of the documentation, it seems possible but I want to confirm with my learned brethren.

Thanks,

-- Stephen

From janardhan632 at gmail.com Sun Mar 11 21:26:44 2012
From: janardhan632 at gmail.com (janardhan madabattula)
Date: Sun, 11 Mar 2012 18:26:44 -0700
Subject: [c-nsp] Configuring a cisco switch trunk port to allow dot1q and dot1ad frames
Message-ID:

Hi,

I am trying to configure a cisco port (7600) as a trunk port to allow both dot1q and dot1ad (ether type 88a8) frames. I tried the following two configs but both of them are not working. Can anyone suggest the right configuration?

interface GigabitEthernet5/42
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2501-2503
 switchport mode dot1q-tunnel
 no cdp enable
 spanning-tree bpdufilter enable
end

The above configuration allows all dot1ad frames. I expect this port should allow only 2501:* - 2503:*, instead it allows all *.* traffic.

======================

interface GigabitEthernet5/42
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2501-2503
 switchport mode trunk
 no cdp enable
 spanning-tree bpdufilter enable
end

The above configuration does not allow any dot1ad traffic. It just allows dot1q traffic with vlans 2501-2503. If I send 2501:1 it doesn't go through.

======================

My need is that I should be able to send traffic over the cisco port for dot1q vlan 2501 and dot1ad vlan 2503:1 (outer tag 88a8). Please suggest.
Thanks,
Janardhan

From jstuxuhu0816 at gmail.com Mon Mar 12 02:06:21 2012
From: jstuxuhu0816 at gmail.com (Xu Hu)
Date: Mon, 12 Mar 2012 14:06:21 +0800
Subject: [c-nsp] high CPU usage when coyping to flash
In-Reply-To: <75AFB6FE184CBF4EBA1F7ADFFF88942EB97EBE7D@mail1.slepicka.net>
References: <4F49F0A6.2060503@superhosting.cz> <75AFB6FE184CBF4EBA1F7ADFFF88942EB97EBE7D@mail1.slepicka.net>
Message-ID:

So the problem cannot be solved by TAC?

2012/2/28 James Slepicka (c-nsp)
> I previously ran into this issue w/ 4500 + Sup6E running 12.2(52)SG. OSPF
> adjacencies would drop during file transfers. TAC pointed me to CSCsw84727:
>
> Writing to bootflash creates instabilities when using low timers
> Symptom:
> Writing to bootflash creates instabilities when using low timers (< 10 sec)
>
> Conditions:
> - low timers for control protocols are in use (e.g. HSRP, OSPF, BGP)
> - supervisor/switch is one of: Sup6-E, Sup6L-E, 4900M, 4948-E
>
> Workaround:
> Avoid lengthy bootflash operations, like copying really large files in IOS.
> Upgrade to 12.2(50)SG06, 12.2(53)SG02, 12.2(54)SG or above.
>
> I'm running 12.2(54)SG now. It's been a while, but I seem to recall still
> seeing high CPU utilization during flash operations, but OSPF would remain
> stable.
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:
> cisco-nsp-bounces at puck.nether.net] On Behalf Of Jiri Prochazka
> Sent: Sunday, February 26, 2012 2:43 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] high CPU usage when coyping to flash
>
> Hi,
>
> I've come across a strange behaviour on 4900M. When trying to copy a new IOS
> to flash, CPU utilization rises from the usual 15% to 100%, even ssh stops
> answering, some ports are being disabled due to UDLD error, some were
> unbundled from etherchannels because of LACP-PDU not being generated.
>
> The switch is just absolutely overloaded, which causes a lot of issues.
> I
> did not want to believe simple 'copy tftp:// bootflash:' could cause this
> so I tried it once more, with the same result.
>
>
> I am now trying to figure it out in a lab, but it seems I am at a dead end.
>
>
> I tried it on 4948E, 4900M, different IOSes (12.2(54)SG1, 15.0(2)SG1,
> 15.0(2)SG3).
>
> I tried to use tftp, scp, http, all with the same result of 100% CPU usage.
>
>
> I am not concerned about the high cpu usage itself, but I absolutely do
> not understand why it effectively stops the rest of the switch from working
> properly..
>
>
>
> Thank you for your advice.
>
> --
>
> Jiri Prochazka

From ggumus at gmail.com Mon Mar 12 08:09:24 2012
From: ggumus at gmail.com (Gökhan Gümüş)
Date: Mon, 12 Mar 2012 13:09:24 +0100
Subject: [c-nsp] Recertify CCIE Written Exam
Message-ID:

Dear community,

I know that once you pass the CCIE written exam, you must attend the CCIE Lab exam within 18 months, otherwise you are not allowed to. My CCIE written certificate will expire in August 2012 and I cannot attend the CCIE Lab exam before August 2012 due to private reasons. Is there any possibility / way to recertify or extend this duration to attend the CCIE Lab exam later than August 2012?

Thanks in advance.

Gokhan

From alumbis at gmail.com Mon Mar 12 08:59:42 2012
From: alumbis at gmail.com (Pete Lumbis)
Date: Mon, 12 Mar 2012 08:59:42 -0400
Subject: [c-nsp] Recertify CCIE Written Exam
In-Reply-To:
References:
Message-ID:

Taking the written again should reset the timer.

On Mon, Mar 12, 2012 at 8:09 AM, Gökhan Gümüş
wrote:

> Dear community,
>
> I know that once you pass the CCIE written exam, you must attend the CCIE Lab
> exam within 18 months, otherwise you are not allowed to.
> My CCIE written certificate will expire in August 2012 and I cannot attend
> the CCIE Lab exam before August 2012 due to private reasons.
> Is there any possibility / way to recertify or extend this duration to
> attend the CCIE Lab exam later than August 2012?
>
> Thanks in advance.
>
> Gokhan

From hnyhus at gmail.com Mon Mar 12 10:12:38 2012
From: hnyhus at gmail.com (Håvard Staub Nyhus)
Date: Mon, 12 Mar 2012 15:12:38 +0100
Subject: [c-nsp] Configuring a cisco switch trunk port to allow dot1q and dot1ad frames
In-Reply-To:
References:
Message-ID:

> My need is that I should be able to send traffic over the cisco port for dot1q
> vlan 2501 and dot1ad vlan 2503:1 (outer tag 88a8). Please suggest.
>

Do you have ES-cards in this 7600? You need something that can do selective QinQ to accomplish this. Otherwise you could just do the filtering on the connected device?

--
Håvard Staub Nyhus
Atea AS

From matt at melbourne.org.uk Mon Mar 12 12:14:15 2012
From: matt at melbourne.org.uk (Matthew Melbourne)
Date: Mon, 12 Mar 2012 16:14:15 -0000
Subject: [c-nsp] VASI interface and NAT on ASR1k
Message-ID: <001801cd006b$2cc0dcb0$86429610$@melbourne.org.uk>

Hi,

Does anyone have any pointers to some real-world use cases for VASI interfaces on an ASR1k? I have a corner case where I can't use MP-BGP to import a route from one VRF into another, when the next-hop of the route is in a separate VRF (the case is VRF-aware IPsec with FVRF/iVRF configuration). It looks like the issue can be worked around using VASI interfaces (i.e. a vasileft/vasiright pair).
I have used a /30 to address the VASI interfaces and this appears to work, but is this best practice?

NAT may be another useful requirement in this scenario, but I have seen other cisco-nsp postings which suggest 'ip nat outside' shouldn't be configured on an interface which isn't in the global table. A suggestion is that "ip nat enable" and hence NVI be used in preference to classic NAT for VASI interfaces?

VASI does appear to be a rather poorly documented feature in IOS-XE :)

Cheers,

Matt

--
Matthew Melbourne

From nargosftw at gmail.com Mon Mar 12 13:25:44 2012
From: nargosftw at gmail.com (Nargos Ftw)
Date: Mon, 12 Mar 2012 14:25:44 -0300
Subject: [c-nsp] About a post made from user lpd@cisco.com
Message-ID:

Hello.

Hope you read it.
I was on google looking for information about differences between OTV and Fabricpath and found this post of yours:

http://www.gossamer-threads.com/lists/cisco/nsp/134263?do=post_view_threaded#134263

In that post, you mention that:
"OTV is a technology that allows us to extend L2 across any L3 (IP) infrastructure. Cisco Fabric Path is in essence the ability to run L2 networks without spanning tree and all links active."

I have 2 datacenters and must extend 2 VLANs. So I thought "Wow, that's OTV for sure."
Then, after researching a little I found that Fabricpath would do the job too.
All I need is to interconnect 2 DCs with DWDM, and 2 VLANs must be extended.
Fabricpath is cheaper than OTV.
I feel dumb, but I can't see the difference between them.
Both map L2 addresses dynamically.
Both use routing logic.
I know that cisco recommends OTV in this case, but Fabricpath would work fine.

*What should I do and could you please show me the differences between OTV and Fabricpath?* All I see on the cisco webpage are presales webpages and configuration guides.

Thank you so much.
From keegan.holley at sungard.com Mon Mar 12 13:52:39 2012
From: keegan.holley at sungard.com (Keegan Holley)
Date: Mon, 12 Mar 2012 13:52:39 -0400
Subject: [c-nsp] About a post made from user lpd@cisco.com
In-Reply-To: References: Message-ID:

I think the information you posted pretty much sums it up. OTV can span layer-3 hops, fabric-path is all layer-2. I'm sure someone from cisco can elaborate further, but the differences are simple since there are existing protocols that do the same things. OTV is like VPLS/L2VPN without mpls (the good and the bad). Last I checked they used ISIS behind the scenes to send mac address information about and handle loop avoidance similar to what VPLS does. Fabric-path is similar to TRILL or DCB/PBB. It just finds a way around the spanning-tree limitations of blocked ports allowing layer-2 domains to scale further. I think fabric-path also supports FCoE. I will admit I know more about the standards based stuff than the cisco proprietary protocols.

2012/3/12 Nargos Ftw
> [...]

From avayner at cisco.com Mon Mar 12 14:24:26 2012
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Mon, 12 Mar 2012 19:24:26 +0100
Subject: [c-nsp] About a post made from user lpd@cisco.com
In-Reply-To: References: Message-ID:

Hi,

Well, OTV is there to mostly allow L2 interconnections across an IP cloud, while FabricPath is mostly designed to scale up the L2 domain in a really large L2 environment (often in the same location). Mind you, this is a very simplistic view of both technologies, which would most likely require a couple of hours to cover completely...

For Layer 2 DCI there are quite a few other solutions you may look at. The differences are around scale, capacity (bandwidth/number of vlans/hosts etc), convergence speeds, available infrastructure (IP, MPLS etc), and some other factors.

Some references:
http://www.cisco.com/en/US/netsol/ns975/index.html
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/white_paper_c11_493718.html
http://blogs.cisco.com/datacenter/introduction-to-%E2%80%9Ccisco-datacenter-interconnect-dci%E2%80%9D/

Also, I would recommend this Cisco Press book:
http://www.ciscopress.com/bookstore/product.asp?isbn=1587059924

Layer 2 DCI is most likely something you want to discuss with your account team, as there are quite a few pitfalls as well as quite a few different design alternatives.

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Nargos Ftw
Sent: Monday, March 12, 2012 19:26
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] About a post made from user lpd at cisco.com

[...]

From chuckchurch at gmail.com Mon Mar 12 14:39:30 2012
From: chuckchurch at gmail.com (Chuck Church)
Date: Mon, 12 Mar 2012 14:39:30 -0400
Subject: [c-nsp] ISR C-Series
Message-ID: <007301cd007f$77317930$65946b90$@gmail.com>

NSP,

Looking through some release notes for 15.1 on ISRs, and I'm seeing references to a 'C Series' of ISRs, with names such as 2811C, 3825C, etc.
Ran across this: https://supportforums.cisco.com/thread/2124901

Anyone have any details on these? Were they shipped under a new part number, or the original ones? Since they appear to require a 15.x release, I'm guessing they're really recent. Does a 'sh ver' or other similar command reference it being a 'C-Series'? Will they not boot with a 12.x release? Searching around didn't find much. Just curious if they could have crept into my network and I have not noticed it.

Thanks,

Chuck

From daniel at fnutt.net Mon Mar 12 15:18:29 2012
From: daniel at fnutt.net (Daniel Husand)
Date: Mon, 12 Mar 2012 20:18:29 +0100
Subject: [c-nsp] ISR C-Series
In-Reply-To: <007301cd007f$77317930$65946b90$@gmail.com>
References: <007301cd007f$77317930$65946b90$@gmail.com>
Message-ID: <4F5E4C05.4060006@fnutt.net>

On 12/3/12 19:39 , Chuck Church wrote:
> Looking through some release notes for 15.1 on ISRs, and I'm
> seeing references to a 'C Series' of ISRs, with names such as 2811C, 3825C,
> etc. Ran across this:

They are special made models for the China market and therefore only available there.

--
Daniel

From bep at whack.org Mon Mar 12 17:01:58 2012
From: bep at whack.org (Bruce Pinsky)
Date: Mon, 12 Mar 2012 14:01:58 -0700
Subject: [c-nsp] VASI interface and NAT on ASR1k
In-Reply-To: <001801cd006b$2cc0dcb0$86429610$@melbourne.org.uk>
References: <001801cd006b$2cc0dcb0$86429610$@melbourne.org.uk>
Message-ID: <4F5E6446.8030503@whack.org>

Matthew Melbourne wrote:
> [...]
> A suggestion is that "ip
> nat enable" and hence NVI be used in preference to classic NAT for VASI
> interfaces? VASI does appear to be a rather poorly documented feature in
> IOS-XE :)
>

VASI interfaces are really designed to allow for services (encryption for example) to be applied prior to label imposition on packets that would be label forwarded toward the core. The VASI-left interface serves as a pseudo-CE and the VASI-right serves as a pseudo-PE.

In the VASI scenarios I've seen, BGP is used to send routes learned from the MP-BGP sessions to the PE-CE BGP sessions and vice versa. So, in essence, you have three different BGP domains, the PE-CE, the MP-BGP, and the inter-VASI. In effect, you have two different "redistributions" going on. This is the result of having the VASI interfaces "shimmed" between the real interfaces facing the CE and the P/PE MPLS core.

In those scenarios, the VASI interfaces were addressed out of the same /30 subnet. A BGP session was then established between those VASI interface addresses to advertise the routes from the VASI-left VRF to the VASI-right VRF. The VASI-right VRF was the same VRF (same RD/RTs) as the VPN on the other PEs and the VASI-left was a separate VRF (different RD) that serves as the pseudo-CE. There was no need to have the VASI-left pseudo-CE configured for import/export of route targets and the VASI-right VRF was not configured to import the VASI-left route targets. The BGP session between the VASI interfaces propagates the routes without the need for import/export of the RTs.

In the scenario we were testing, we were able to have GETVPN on the MPLS P/PE side providing PE to PE encryption within the MPLS core.

--
=========
bep

From dwinkworth at att.net Mon Mar 12 21:11:05 2012
From: dwinkworth at att.net (Derick Winkworth)
Date: Mon, 12 Mar 2012 18:11:05 -0700 (PDT)
Subject: [c-nsp] VASI interface and NAT on ASR1k
In-Reply-To: <001801cd006b$2cc0dcb0$86429610$@melbourne.org.uk>
References: <001801cd006b$2cc0dcb0$86429610$@melbourne.org.uk>
Message-ID: <1331601065.21031.YahooMailNeo@web180012.mail.gq1.yahoo.com>

Matt:

As of IOS-XE 3.5, I am happy to report that "match-in-vrf" is supported. This means you can merrily apply "ip nat outside" to a VASI interface.

We use VASI interfaces for this purpose. VRFs are "paired" and linked together via VASI. The global MPLS interfaces are "ip nat inside" and the VASI interfaces are "ip nat outside." This gives us NAT overload in both directions. Keep in mind that *all* NATs must be configured with the "match-in-vrf" keyword.

Additionally the VASI interface gives us an air-gap between disparate private networks. Static routes are put into the VRFs pointing to the VASI interface (and thus to the opposite VRF in the pair). These are redistributed into BGP against a route-map. This route-map matches on a tag: "ip route vrf CUST-A-TO-B-VRF x.x.x.x ... tag 1000"

If the tag is 1000, it gets redistributed with a local-preference of 1000. If it's 500 it gets redistributed with a tag of 500. So we have a redundant ASR with the same config, different route-tags. If the primary dies (or otherwise loses both links into the P core) then traffic will automatically re-route through the secondary ASR.

I believe you can get up to 500 pairs of VRFs in this scenario (only can configure 500 VASI pairs at this time). The ASR itself is limited to an embarrassing 16k configured static NATS (boooo!).

Lastly, if you intend to scale this configuration, then you will need to get an RP2 w/16GB of RAM and an ESP-40. Not for throughput mind you, but because of how ridiculously memory hungry IOS-XE is. The ESP-20 has 1GB of high-speed RAM shared between forwarding logic and NAT sessions. With minimal routes you can support close to a million concurrent NAT sessions. But if you put 500k routes across 500 VRFs on that box, you will only be able to support 400k of concurrent NAT sessions. You'll want to go ahead and configure timeouts of one hour for NAT sessions in general on the box.

The ESP-40, on the other hand, has a different memory area for forwarding-logic vs NAT sessions. Presumably the forward-logic will not step on the NAT, and you can get the million concurrent sessions.

Lastly there are only two real options to consider when buying a processor for the ASR 1K: RP2 w/8GB of RAM or RP2 w/16GB of RAM. Frankly Cisco shouldn't be selling anything less because of how much memory is required of newer versions of code. Plus the performance of the RP1 from the CLI is *awful.*

Or you could just go the way of linux and hack out a solution using iptables in containers and veth interface pairs... if it meets your requirements...

*ahem* shameless plug: http://packetpushers.net/network-interrupted

Derick Winkworth
CCIE #15672 (RS, SP), JNCIE-M #721
http://packetpushers.net/author/dwinkworth/

________________________________
From: Matthew Melbourne
To: cisco-nsp at puck.nether.net
Sent: Monday, March 12, 2012 11:14 AM
Subject: [c-nsp] VASI interface and NAT on ASR1k

[...]

From ismath.shaan at gmail.com Tue Mar 13 03:24:05 2012
From: ismath.shaan at gmail.com (Shanawaz Batcha)
Date: Tue, 13 Mar 2012 18:24:05 +1100
Subject: [c-nsp] IPSG vs DAI, is there an use case for IPSG?
Message-ID:

Hey Guys,

I understand the differences between IP Source guard and Dynamic Arp Inspection. One looks at IP packets and one looks at arp packets. But if we had DHCP snooping configured and DAI configured, do we really need IPSG?

Let's say on a port configured with DHCP snooping and DAI only, somebody has plugged a machine and configured himself with a static ip address and a static arp entry for the default gateway. DHCP snooping won't catch him because he does not send any DHCP packets. But Dynamic arp inspection will catch him because he cannot do any ARP replies. And other machines will require his arp reply to communicate to him. So static or spoofed IP addresses will fail.

Then I am missing the point of why the IPSG is needed?
Regards,
Shaan

From paul at gtcomm.net Tue Mar 13 04:43:36 2012
From: paul at gtcomm.net (Paul)
Date: Tue, 13 Mar 2012 04:43:36 -0400
Subject: [c-nsp] Cisco WS-C3560G-24TS-S Port Mirring Issue (Chris Gotstein)
In-Reply-To: References: Message-ID: <4F5F08B8.6090906@gtcomm.net>

Nothing the server can do or the mirrored server would stop the mirror from working. I've never had one stop no matter how much I blasted it or how long. Capacity issues, and packet drops, yes, but never quit. I would assume it's a bug in the code.

--
GloboTech Communications
Phone: 1-514-907-0050 x 215
Toll Free: 1-(888)-GTCOMM1
Fax: 1-(514)-907-0750
paul at gtcomm.net
http://www.gtcomm.net

From p.mayers at imperial.ac.uk Tue Mar 13 04:48:06 2012
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 13 Mar 2012 08:48:06 +0000
Subject: [c-nsp] IPSG vs DAI, is there an use case for IPSG?
In-Reply-To: References: Message-ID: <4F5F09C6.5070903@imperial.ac.uk>

On 03/13/2012 07:24 AM, Shanawaz Batcha wrote:
> because he does not send any DHCP packets. But Dynamic arp inspection will
> catch him because he cannot do any ARP replies. And other machines will
> require his arp reply to communicate to him. So static or spoofed IP
> addresses will fail.
>
> Then I am missing the point of why the IPSG is needed?

Yes. Many attacks do not require (indeed, do not want) a reply packet. It's enough to just be able to emit the IP packet. For example: sending DNS queries with a source IP that exists in the real world, causing the real owner of the IP to be overwhelmed with DNS packets i.e. DNS amplification attack.

Many of those same attacks can be stopped at the router by uRPF, but some may not be; intra-subnet spoofing may be a valuable attack vector in some cases.

Certainly DAI stops many layer2 attacks. But not all.
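The exchange above, modelled as an added Python example (it is not code from the thread or from any Cisco feature implementation): a DHCP snooping binding table, a DAI check that only ever sees ARP, and an IPSG check that sees every IP packet. The port names, MAC addresses, leases and the five sample frames are constructed; IPSG is modelled as the default per-port source-IP filter, not the IP+MAC variant. Running it shows Phil's point directly: with DAI alone, the statically configured host's IP packets (including one with a forged source) are forwarded because no ARP reply is ever needed to send them, and only IPSG drops them.

```python
"""Model of DHCP snooping bindings, DAI and IP Source Guard on an access switch (constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Frame:
    port: str     # ingress access port
    src_mac: str  # Ethernet source address (for ARP, also the sender hardware address)
    proto: str    # "arp" or "ip"
    src_ip: str   # ARP sender protocol address, or IPv4 source address


# Constructed DHCP snooping binding table: (port, MAC) -> IP leased on that port.
BINDINGS: Dict[Tuple[str, str], str] = {
    ("Gi1/0/3", "00:11:22:33:44:03"): "10.0.0.13",
    ("Gi1/0/4", "00:11:22:33:44:04"): "10.0.0.14",
}


def dai_permits(frame: Frame, bindings: Dict[Tuple[str, str], str]) -> bool:
    """Dynamic ARP Inspection: ARP only; sender IP/MAC must match a binding on that port."""
    if frame.proto != "arp":
        return True                     # DAI never examines IP packets
    return bindings.get((frame.port, frame.src_mac)) == frame.src_ip


def ipsg_permits(frame: Frame, bindings: Dict[Tuple[str, str], str]) -> bool:
    """IP Source Guard (default IP-only filter): IP source must be bound on the ingress port."""
    if frame.proto != "ip":
        return True                     # ARP is left to DAI
    allowed = {ip for (port, _mac), ip in bindings.items() if port == frame.port}
    return frame.src_ip in allowed


def switch_filter(frames, bindings, dai: bool, ipsg: bool) -> Tuple[List[Frame], List[Frame]]:
    """Apply whichever checks are enabled; return (forwarded, dropped)."""
    forwarded, dropped = [], []
    for f in frames:
        ok = (not dai or dai_permits(f, bindings)) and (not ipsg or ipsg_permits(f, bindings))
        (forwarded if ok else dropped).append(f)
    return forwarded, dropped


# Constructed traffic: a DHCP client with a binding, and the statically configured host from the
# question, which has no binding on Gi1/0/5 and emits one ARP reply and two IP packets.
SAMPLE = [
    Frame("Gi1/0/3", "00:11:22:33:44:03", "arp", "10.0.0.13"),  # bound client, ARP reply
    Frame("Gi1/0/3", "00:11:22:33:44:03", "ip", "10.0.0.13"),   # bound client, IP packet
    Frame("Gi1/0/5", "00:11:22:33:44:05", "arp", "10.0.0.50"),  # static host, ARP reply
    Frame("Gi1/0/5", "00:11:22:33:44:05", "ip", "10.0.0.50"),   # static host, IP (needs no reply)
    Frame("Gi1/0/5", "00:11:22:33:44:05", "ip", "192.0.2.77"),  # static host, forged source
]


def summarize(dai: bool, ipsg: bool) -> Tuple[int, int]:
    """(forwarded, dropped) counts for the sample traffic under the given feature mix."""
    forwarded, dropped = switch_filter(SAMPLE, BINDINGS, dai, ipsg)
    return len(forwarded), len(dropped)


def unbound_ip_sources_forwarded(dai: bool, ipsg: bool) -> List[str]:
    """IP source addresses that reached the network without a snooping binding."""
    forwarded, _ = switch_filter(SAMPLE, BINDINGS, dai, ipsg)
    return [f.src_ip for f in forwarded if f.proto == "ip" and not ipsg_permits(f, BINDINGS)]


if __name__ == "__main__":
    for dai, ipsg in ((True, False), (False, True), (True, True)):
        print(f"DAI={dai} IPSG={ipsg}: forwarded/dropped={summarize(dai, ipsg)} "
              f"unbound IP sources forwarded={unbound_ip_sources_forwarded(dai, ipsg)}")
```

With DAI only, `unbound_ip_sources_forwarded(True, False)` returns both of the static host's source addresses; with IPSG enabled as well it returns an empty list. Note that IPSG does not inspect ARP, so the two features are complementary rather than redundant.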
From david.freedman at uk.clara.net Tue Mar 13 05:02:21 2012
From: david.freedman at uk.clara.net (David Freedman)
Date: Tue, 13 Mar 2012 09:02:21 +0000
Subject: [c-nsp] ASN32 in Netflow (6500 / 12.2SX)
Message-ID:

Not seeing this in SXI3,

Whilst doing some reading (http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6554/ps6599/data_sheet_C78-521821.html), I came across:

"The initial release supports all existing BGP features including IPv4, IPv6, VPNv4, and VPNv6 address and sub-address families, with the exception of "IOS NetFlow""

This initial release is billed as SXI1, does anybody happen to know in which SX release netflow support can (and should) be found?

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/features.html (release notes) are not helpful

Dave.

From paul at gtcomm.net Tue Mar 13 05:05:19 2012
From: paul at gtcomm.net (Paul)
Date: Tue, 13 Mar 2012 05:05:19 -0400
Subject: [c-nsp] Configuring a cisco switch trunk port to allow dot1q and, dot1ad frames
In-Reply-To: References: Message-ID: <4F5F0DCF.4020405@gtcomm.net>

It is my understanding that you put switchport access vlan XX on the dot1q-tunnel port and this encapsulates all traffic coming in there to that specified vlan. (So it's basically an access port to the customer, which instead of being a normal access port accepts ALL tagged frames (encaps them in vlan XX) and shoves them out the other vlan XX ports you have with dot1q-tunnel after unencap from vlan XX.) The port does not operate in trunk mode at all and thus will ignore any trunk based commands. Tunnel ports also don't work on certain modules. Which module are you using?

--
GloboTech Communications
Phone: 1-514-907-0050 x 215
Toll Free: 1-(888)-GTCOMM1
Fax: 1-(514)-907-0750
paul at gtcomm.net
http://www.gtcomm.net

From paul at gtcomm.net Tue Mar 13 05:11:12 2012
From: paul at gtcomm.net (Paul)
Date: Tue, 13 Mar 2012 05:11:12 -0400
Subject: [c-nsp] Configuring a cisco switch trunk port to allow dot1q and, dot1ad frames
In-Reply-To: <4F5F0DCF.4020405@gtcomm.net>
References: <4F5F0DCF.4020405@gtcomm.net>
Message-ID: <4F5F0F30.4080108@gtcomm.net>

If you want to do what you described you need a switch that supports vlan mapping (switchport vlan mapping 1-2 dot1q-tunnel 3) to filter only those vlans you want into the tunnel vlan. Or are you suggesting that you want to use the port as a trunk and a tunnel at the same time where some vlans get tunneled and some go direct to the switch vlan FIB? (I think this is possible with selective q-in-q, but as the other poster said I believe you need the ES modules for the 7600)

From p.mayers at imperial.ac.uk Tue Mar 13 06:44:22 2012
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 13 Mar 2012 10:44:22 +0000
Subject: [c-nsp] ASN32 in Netflow (6500 / 12.2SX)
In-Reply-To: References: Message-ID: <4F5F2506.8010508@imperial.ac.uk>

On 13/03/12 09:02, David Freedman wrote:
> Not seeing this in SXI3,

Are you using Netflow v9?
(I have no idea if it's supported, but I'm certain that, if it is, it will require v9)

From nick at foobar.org Tue Mar 13 06:58:17 2012
From: nick at foobar.org (Nick Hilliard)
Date: Tue, 13 Mar 2012 10:58:17 +0000
Subject: [c-nsp] ASN32 in Netflow (6500 / 12.2SX)
In-Reply-To: <4F5F2506.8010508@imperial.ac.uk>
References: <4F5F2506.8010508@imperial.ac.uk>
Message-ID: <4F5F2849.7090302@foobar.org>

On 13/03/2012 10:44, Phil Mayers wrote:
> (I have no idea if it's supported, but I'm certain that, if it is, it will
> require v9)

+1

nf <9 hardcodes the as fields to be 16 bits. It's a TLV in netflow v9.

Nick

From gert at greenie.muc.de Tue Mar 13 07:03:04 2012
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 13 Mar 2012 12:03:04 +0100
Subject: [c-nsp] ASN32 in Netflow (6500 / 12.2SX)
In-Reply-To: <4F5F2849.7090302@foobar.org>
References: <4F5F2506.8010508@imperial.ac.uk> <4F5F2849.7090302@foobar.org>
Message-ID: <20120313110303.GF1359@greenie.muc.de>

Hi,

On Tue, Mar 13, 2012 at 10:58:17AM +0000, Nick Hilliard wrote:
> On 13/03/2012 10:44, Phil Mayers wrote:
> > (I have no idea if it's supported, but I'm certain that, if it is, it will
> > require v9)
>
> +1
>
> nf <9 hardcodes the as fields to be 16 bits. It's a TLV in netflow v9.

Now this is going to be interesting. Has anybody tested how "the usual suspect software" reacts when fed with netflow v9 flows with 32bit ASNs?

gert

--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
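Nick's point (v5 and earlier fix the AS fields at 16 bits, v9 carries the field width in the template) and Gert's question (what a collector does with 4-byte AS fields) as an added Python example; this is not code from the thread or from any collector. It builds one NetFlow v9 export with a template flowset and a data flowset, decodes it template-first, and then decodes it again the way a collector that hardcodes the v5 width would. The template ID, field types, addresses and the private 32-bit ASN 4200000000 are constructed sample values.

```python
"""NetFlow v9 template/data decoding with 16-bit vs 32-bit AS fields (constructed sample)."""
import struct
from typing import Dict, List, Tuple

# NetFlow v9 field types used here; SRC_AS (16) and DST_AS (17) may be exported as 2 or 4 bytes.
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 8: "src_addr", 12: "dst_addr",
               16: "src_as", 17: "dst_as"}
IPV4_FIELDS = {8, 12}


def encode_field(ftype: int, length: int, value) -> bytes:
    if ftype in IPV4_FIELDS:
        return bytes(int(o) for o in value.split("."))
    # OverflowError here is the real-world constraint: a 32-bit-only ASN cannot ride in 2 bytes.
    return int(value).to_bytes(length, "big")


def decode_field(ftype: int, raw: bytes):
    if ftype in IPV4_FIELDS:
        return ".".join(str(b) for b in raw)
    return int.from_bytes(raw, "big")


def build_v9_packet(template_id: int, fields: List[Tuple[int, int]], records: List[Dict]) -> bytes:
    """Pack one template flowset and one data flowset into a v9 export packet."""
    tmpl = struct.pack("!HH", template_id, len(fields))
    tmpl += b"".join(struct.pack("!HH", t, l) for t, l in fields)
    template_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl         # flowset id 0 = template
    body = b"".join(encode_field(t, l, r[FIELD_NAMES[t]]) for r in records for t, l in fields)
    pad = (-len(body)) % 4                                             # flowsets are 4-byte aligned
    data_fs = struct.pack("!HH", template_id, 4 + len(body) + pad) + body + b"\x00" * pad
    # header: version, record count (template + data), sysUptime, unixSecs, sequence, sourceId
    header = struct.pack("!HHIIII", 9, 1 + len(records), 123456, 1331640000, 1, 0)
    return header + template_fs + data_fs


def parse_v9(packet: bytes, assume_16bit_as: bool = False) -> List[Dict]:
    """Decode data records using the field widths carried in the packet's templates.

    assume_16bit_as=True mimics a collector that ignores the template length for
    types 16/17 and hardcodes the NetFlow v5 width of 2 bytes."""
    version, _count, _uptime, _secs, _seq, _src = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    templates: Dict[int, List[Tuple[int, int]]] = {}
    flows: List[Dict] = []
    offset = 20
    while offset + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[offset:offset + 4])
        if fs_len < 4:
            raise ValueError("malformed flowset length")
        fs = packet[offset + 4:offset + fs_len]
        if fs_id == 0:                                   # template flowset (may hold several)
            pos = 0
            while pos + 4 <= len(fs):
                tid, nfields = struct.unpack("!HH", fs[pos:pos + 4])
                pos += 4
                pairs = [struct.unpack("!HH", fs[pos + 4 * i:pos + 4 * i + 4]) for i in range(nfields)]
                pos += 4 * nfields
                templates[tid] = [(t, l) for t, l in pairs]
        elif fs_id >= 256 and fs_id in templates:        # data flowset with a known template
            fields = templates[fs_id]
            if assume_16bit_as:
                fields = [(t, 2 if t in (16, 17) else l) for t, l in fields]
            rec_len = sum(l for _, l in fields)
            pos = 0
            while rec_len and pos + rec_len <= len(fs):  # trailing padding is shorter than a record
                rec = {}
                for t, l in fields:
                    rec[FIELD_NAMES.get(t, f"field_{t}")] = decode_field(t, fs[pos:pos + l])
                    pos += l
                flows.append(rec)
        offset += fs_len                                 # data for unknown templates is skipped
    return flows


# Constructed export: template 256 carries 4-byte AS fields, as a 32-bit-ASN-aware exporter would.
SAMPLE_FIELDS = [(8, 4), (12, 4), (1, 4), (2, 4), (16, 4), (17, 4)]
SAMPLE_RECORD = {"src_addr": "192.0.2.1", "dst_addr": "198.51.100.9", "in_bytes": 1500,
                 "in_pkts": 1, "src_as": 4200000000, "dst_as": 64512}


def sample_packet() -> bytes:
    return build_v9_packet(256, SAMPLE_FIELDS, [SAMPLE_RECORD])


if __name__ == "__main__":
    pkt = sample_packet()
    print("template-aware decode:", parse_v9(pkt)[0])
    print("hardcoded 16-bit AS decode:", parse_v9(pkt, assume_16bit_as=True)[0])
```

The template-aware decode returns the ASN intact; the 16-bit decode silently yields the top half of the 4-byte value (0xFA56, i.e. 64086) as src_as and the bottom half as dst_as, with no error raised, which is the failure mode Gert's question is about. Building the same record into a template with 2-byte AS fields fails at the exporter side instead, with an OverflowError.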
From jckdaniels12 at gmail.com Tue Mar 13 07:56:35 2012
From: jckdaniels12 at gmail.com (jack daniels)
Date: Tue, 13 Mar 2012 17:26:35 +0530
Subject: [c-nsp] Nexus network Design - Switching LOOP
Message-ID:

Hi Guys,

I have a scenario for which I'm scratching my head since long - please help

Nexus 5K-1---------Nexus5K-2
|                         |
|                         |
Nexus2K-1          Nexus2K-2
|                         |  Port eth 1/1
|                         |
Cisco 3750-----------------------

In this scenario Switching LOOP is getting formed. Only way I'm able to get rid is shutdown Port eth1/1 on Nexus2K-2. Please help in this case.

Thanks in anticipation in advance.

Regards

From sandro.unix at gmail.com Tue Mar 13 08:28:42 2012
From: sandro.unix at gmail.com (Alessandro Braga)
Date: Tue, 13 Mar 2012 09:28:42 -0300
Subject: [c-nsp] Nexus network Design - Switching LOOP
In-Reply-To: References: Message-ID: <506A261A-3C2A-4315-853E-B033E1CDB299@gmail.com>

On Nexus devices, ensure that you are configuring the ports correctly for the type of device to which the interface is connected.

Att,
Alessandro Braga
CCIE #30393

On Mar 13, 2012, at 8:56, jack daniels wrote:
> [...]

From jckdaniels12 at gmail.com Tue Mar 13 08:53:07 2012
From: jckdaniels12 at gmail.com (jack daniels)
Date: Tue, 13 Mar 2012 18:23:07 +0530
Subject: [c-nsp] Nexus network Design - Switching LOOP
In-Reply-To: <506A261A-3C2A-4315-853E-B033E1CDB299@gmail.com>
References: <506A261A-3C2A-4315-853E-B033E1CDB299@gmail.com>
Message-ID:

Hi Alessandro,

Please suggest the configuration, if that can help avoid the loop.

Regards

On Tue, Mar 13, 2012 at 5:58 PM, Alessandro Braga wrote:
> On Nexus devices, ensure that you are configuring the ports correctly for the type of device to which the interface is connected.
> [...]

From nick at foobar.org Tue Mar 13 08:56:21 2012
From: nick at foobar.org (Nick Hilliard)
Date: Tue, 13 Mar 2012 12:56:21 +0000
Subject: [c-nsp] Nexus network Design - Switching LOOP
In-Reply-To: References: Message-ID: <4F5F43F5.3090802@foobar.org>

On 13/03/2012 11:56, jack daniels wrote:
> In this scenario Switching LOOP is getting formed. Only way I'm able
> to get rid is shutdown Port eth1/1 on Nexus2K-2. Please help in this
> case.

are the 3750 and both the n5k boxes running spanning tree?

Nick

From joe at netbyjoe.com Tue Mar 13 08:59:15 2012
From: joe at netbyjoe.com (Joe Freeman)
Date: Tue, 13 Mar 2012 08:59:15 -0400
Subject: [c-nsp] Current SP Cloud Security models
Message-ID:

Does anyone have any info (or even links) they'd care to share on the current state of cloud security models with regards to the managed service provider perspective of a public cloud offering?

I'm working on a design for a public cloud offering and the security guys are screaming that I need to implement network access control (from what they describe, it's 802.1x) in the underlying network as they claim the VRF/MPLS/VPLS/vlan model doesn't scale well in a cloud.

That's all news to me. I've been doing SP networks for a long time, but have never heard of a requirement for the SP to maintain 802.1x across the network, with a master AD/Radius instance controlling access to the network by customers and hosted servers.

I've asked them for links to where they're getting their information, but so far haven't gotten anything definitive from them, and it's holding up progress on this project.

Any ideas, thoughts, etc are greatly appreciated.
Joe From nick at foobar.org Tue Mar 13 09:12:19 2012 From: nick at foobar.org (Nick Hilliard) Date: Tue, 13 Mar 2012 13:12:19 +0000 Subject: [c-nsp] Current SP Cloud Security models In-Reply-To: References: Message-ID: <4F5F47B3.7020403@foobar.org> On 13/03/2012 12:59, Joe Freeman wrote: > I'm working on a design for a public cloud offering and the security guys > are screaming that I need to implement network access control (from what > they describe, it's 802.1x) in the underlying network as they claim the > VRF/MPLS/VPLS/vlan model doesn't scale well in a cloud. There are many scaling issues associated with virtualised environments, that's for sure. > That all news to me. I've been doing SP networks for a long time, but have > never heard of a requirement for the SP to maintain 802.1x across the > network, with a master AD/Radius instance controlling access to the network > by customers and hosted servers. Tell your security people that as soon as there are cloud systems which provide L2 environments which support .1x to the client, that you'll certainly look at them. But that in the interim, you have a business to run. As an almost unrelated aside (as this argument seems to be completely political rather than technical in nature), I'm completely failing to understand how .1x is relevant to your virtual network security. Most environments these days support at least some level of mac address spoofing control, which is all you really need. .1x is useful for large campuses and enterprise environments, but it really isn't relevant at all to virtual hosting so far as I can see. 
Nick From joe at netbyjoe.com Tue Mar 13 09:16:00 2012 From: joe at netbyjoe.com (Joe Freeman) Date: Tue, 13 Mar 2012 09:16:00 -0400 Subject: [c-nsp] Current SP Cloud Security models In-Reply-To: <4F5F47B3.7020403@foobar.org> References: <4F5F47B3.7020403@foobar.org> Message-ID: That's exactly my argument at the moment, but I thought I'd reach out to minds brighter than mine to see if I've missed something somewhere. Sent from my iPhone On Mar 13, 2012, at 9:12 AM, Nick Hilliard wrote: > On 13/03/2012 12:59, Joe Freeman wrote: >> I'm working on a design for a public cloud offering and the security guys >> are screaming that I need to implement network access control (from what >> they describe, it's 802.1x) in the underlying network as they claim the >> VRF/MPLS/VPLS/vlan model doesn't scale well in a cloud. > > There are many scaling issues associated with virtualised environments, > that's for sure. > >> That all news to me. I've been doing SP networks for a long time, but have >> never heard of a requirement for the SP to maintain 802.1x across the >> network, with a master AD/Radius instance controlling access to the network >> by customers and hosted servers. > > Tell your security people that as soon as there are cloud systems which > provide L2 environments which support .1x to the client, that you'll > certainly look at them. But that in the interim, you have a business to run. > > As an almost unrelated aside (as this argument seems to be completely > political rather than technical in nature), I'm completely failing to > understand how .1x is relevant to your virtual network security. Most > environments these days support at least some level of mac address spoofing > control, which is all you really need. .1x is useful for large campuses > and enterprise environments, but it really isn't relevant at all to virtual > hosting so far as I can see. 
> > Nick > From nick at foobar.org Tue Mar 13 09:30:05 2012 From: nick at foobar.org (Nick Hilliard) Date: Tue, 13 Mar 2012 13:30:05 +0000 Subject: [c-nsp] Current SP Cloud Security models In-Reply-To: References: <4F5F47B3.7020403@foobar.org> Message-ID: <4F5F4BDD.3030006@foobar.org> On 13/03/2012 13:16, Joe Freeman wrote: > That's exactly my argument at the moment, but I thought I'd reach out to > minds brighter than mine to see if I've missed something somewhere. Ask them what specific problem they are attempting to solve with 802.1x and how .1x specifically solves this problem. If they're intent on hanging themselves with their own policies, I would not hesitate to hand them some rope. Nick > Sent from my iPhone > > On Mar 13, 2012, at 9:12 AM, Nick Hilliard wrote: > >> On 13/03/2012 12:59, Joe Freeman wrote: >>> I'm working on a design for a public cloud offering and the security guys >>> are screaming that I need to implement network access control (from what >>> they describe, it's 802.1x) in the underlying network as they claim the >>> VRF/MPLS/VPLS/vlan model doesn't scale well in a cloud. >> >> There are many scaling issues associated with virtualised environments, >> that's for sure. >> >>> That all news to me. I've been doing SP networks for a long time, but have >>> never heard of a requirement for the SP to maintain 802.1x across the >>> network, with a master AD/Radius instance controlling access to the network >>> by customers and hosted servers. >> >> Tell your security people that as soon as there are cloud systems which >> provide L2 environments which support .1x to the client, that you'll >> certainly look at them. But that in the interim, you have a business to run. >> >> As an almost unrelated aside (as this argument seems to be completely >> political rather than technical in nature), I'm completely failing to >> understand how .1x is relevant to your virtual network security. 
Most >> environments these days support at least some level of mac address spoofing >> control, which is all you really need. .1x is useful for large campuses >> and enterprise environments, but it really isn't relevant at all to virtual >> hosting so far as I can see. >> >> Nick >> > From smccrory at gcicom.net Tue Mar 13 09:39:03 2012 From: smccrory at gcicom.net (Steve McCrory) Date: Tue, 13 Mar 2012 13:39:03 -0000 Subject: [c-nsp] Recommended IPv6 Resources Message-ID: <1C748D48EFD36B4AA0B934E8B4E2998003F08BE7@ipi-cc-srv04.ipinfrastructures.com> Hi Guys, I'm dipping my toe into the world of IPv6 and I'm looking for recommendations on resources - books, design guides, white papers, tutorials etc. I'm attending a course at the end of the month on the subject but would like to get a head start as I find I generally get more out of a course if I'm at least familiar with the material to begin with. My last exposure to IPv6 was several years ago while I was studying for the CCNP and I have not had much reason for a refresh since then. I've pretty much forgotten everything I learned back then and I'm also thinking that things may have moved on in the intervening period. There is obviously a plethora of resources out there but I'm looking for those that carry personal recommendations. If it helps narrow things down, I'm interested in resources that are up to date, cover the basics through to deployment strategies and those that have a slant towards service providers. Thanks in advance Steven This email has been swept by Webroot for viruses. Any files transmitted with it are confidential and intended solely for the email recipient. If you are not the intended recipient please delete this email immediately. Be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this email in error please notify the system administrator.
Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company. Finally, the recipient should check this email and any attachments for the presence of viruses. GCI Com incorporates the following Group Companies: GCI Telecom Group Limited Reg. No. 5396496, Edge Telecommunications Ltd Reg. No. 5748740, Edge Telecom Ltd Reg. No. 3101247, IP Infrastructures Ltd Reg. No. 4657026, Invomo Ltd Reg. No. 6267056, NetServices UK Ltd Reg. No. 7118768, WAN Services Ltd Reg. No. 4082862. All Registered in England and Wales, Registered Office: Global House, 2 Crofton Close, Lincoln, LN3 4NT From chuckchurch at gmail.com Tue Mar 13 09:44:41 2012 From: chuckchurch at gmail.com (Chuck Church) Date: Tue, 13 Mar 2012 09:44:41 -0400 Subject: [c-nsp] Nexus network Design - Switching LOOP Message-ID: <003401cd011f$7233e530$569baf90$@gmail.com> Jack, On the Nexus 2K, I believe it's still the case where you can't disable BPDU guard (port shuts down if BPDU received). For the 3750 to attach, I'm guessing you disabled the sending of BPDUs (enabled BPDU filter). If so, a loop would be expected. I wish there was a way to do this, especially with the original 2Ks not supporting 10/100. You probably need to home the 3750 to the 5Ks. Chuck -----Original Message----- Subject: [c-nsp] Nexus network Design - Switching LOOP In this scenario Switching LOOP is getting formed. Only way I'm able to get rid is shutdown Port eth1/1 on Nexus2K-2. Please help in this case. From rwest at zyedge.com Tue Mar 13 09:46:38 2012 From: rwest at zyedge.com (Ryan West) Date: Tue, 13 Mar 2012 13:46:38 +0000 Subject: [c-nsp] Nexus network Design - Switching LOOP In-Reply-To: <4F5F43F5.3090802@foobar.org> References: , <4F5F43F5.3090802@foobar.org> Message-ID: N2k's do not run spanning-tree and will block ports if a bpdu is detected. You can disable spanning tree on those ports, but your 3750 will be flat at that point. 
Sent from handheld On Mar 13, 2012, at 8:57 AM, "Nick Hilliard" wrote: > On 13/03/2012 11:56, jack daniels wrote: >> In this scenario Switching LOOP is getting formed. Only way I'm able >> to get rid is shutdown Port eth1/1 on Nexus2K-2. Please help in this >> case. > > are the 3750 and both the n5k boxes running spanning tree? > > Nick > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From gert at greenie.muc.de Tue Mar 13 09:49:28 2012 From: gert at greenie.muc.de (Gert Doering) Date: Tue, 13 Mar 2012 14:49:28 +0100 Subject: [c-nsp] Recommended IPv6 Resources In-Reply-To: <1C748D48EFD36B4AA0B934E8B4E2998003F08BE7@ipi-cc-srv04.ipinfrastructures.com> References: <1C748D48EFD36B4AA0B934E8B4E2998003F08BE7@ipi-cc-srv04.ipinfrastructures.com> Message-ID: <20120313134928.GK1359@greenie.muc.de> Hi, On Tue, Mar 13, 2012 at 01:39:03PM -0000, Steve McCrory wrote: > I'm dipping my toe into the world of IPv6 and I'm looking for > recommendations on resources - books, design guides, white papers, > tutorials etc. "96 more bits, no magic" gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 305 bytes Desc: not available URL: From chrisccnpspam2 at gmail.com Tue Mar 13 09:51:44 2012 From: chrisccnpspam2 at gmail.com (Chris Evans) Date: Tue, 13 Mar 2012 09:51:44 -0400 Subject: [c-nsp] Nexus network Design - Switching LOOP In-Reply-To: References: <4F5F43F5.3090802@foobar.org> Message-ID: Switch the 3750 to use flex links. That way you can have redundancy without causing a loop. 
On Mar 13, 2012 9:50 AM, "Ryan West" wrote: > N2k's do not run spanning-tree and will block ports if a bpdu is detected. > You can disable spanning tree on those ports, but your 3750 will be flat at > that point. > > Sent from handheld > > On Mar 13, 2012, at 8:57 AM, "Nick Hilliard" wrote: > > > On 13/03/2012 11:56, jack daniels wrote: > >> In this scenario Switching LOOP is getting formed. Only way I'm able > >> to get rid is shutdown Port eth1/1 on Nexus2K-2. Please help in this > >> case. > > > > are the 3750 and both the n5k boxes running spanning tree? > > > > Nick > > > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From jckdaniels12 at gmail.com Tue Mar 13 09:58:18 2012 From: jckdaniels12 at gmail.com (jack daniels) Date: Tue, 13 Mar 2012 19:28:18 +0530 Subject: [c-nsp] Nexus network Design - Switching LOOP In-Reply-To: References: <4F5F43F5.3090802@foobar.org> Message-ID: Hi Chris, I appreciate your suggestion; Flex links can surely help. Hi All, Request your suggestions and support on this. Regards On Tue, Mar 13, 2012 at 7:21 PM, Chris Evans wrote: > Switch the 3750 to use flex links. That way you can have redundancy without > causing a loop. > > On Mar 13, 2012 9:50 AM, "Ryan West" wrote: >> >> N2k's do not run spanning-tree and will block ports if a bpdu is detected. >> You can disable spanning tree on those ports, but your 3750 will be flat at >> that point. >> >> Sent from handheld >> >> On Mar 13, 2012, at 8:57 AM, "Nick Hilliard" wrote: >> >> > On 13/03/2012 11:56, jack daniels wrote: >> >> In this scenario Switching LOOP is getting formed.
Only way I'm able >> >> to get rid is shutdown Port eth1/1 on Nexus2K-2. Please help in this >> >> case. >> > >> > are the 3750 and both the n5k boxes running spanning tree? >> > >> > Nick >> > >> > _______________________________________________ >> > cisco-nsp mailing list cisco-nsp at puck.nether.net >> > https://puck.nether.net/mailman/listinfo/cisco-nsp >> > archive at http://puck.nether.net/pipermail/cisco-nsp/ >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ From gert at greenie.muc.de Tue Mar 13 10:06:08 2012 From: gert at greenie.muc.de (Gert Doering) Date: Tue, 13 Mar 2012 15:06:08 +0100 Subject: [c-nsp] Recommended IPv6 Resources In-Reply-To: <20120313134928.GK1359@greenie.muc.de> References: <1C748D48EFD36B4AA0B934E8B4E2998003F08BE7@ipi-cc-srv04.ipinfrastructures.com> <20120313134928.GK1359@greenie.muc.de> Message-ID: <20120313140608.GL1359@greenie.muc.de> Hi, On Tue, Mar 13, 2012 at 02:49:28PM +0100, Gert Doering wrote: > On Tue, Mar 13, 2012 at 01:39:03PM -0000, Steve McCrory wrote: > > I'm dipping my toe into the world of IPv6 and I'm looking for > > recommendations on resources - books, design guides, white papers, > > tutorials etc. > > "96 more bits, no magic" This might have been a bit too terse, though :-) - what I was trying to say: IPv6 is not *that* different from IPv4. It has longer addresses, the addresses are written in a weird way, and people have all of a sudden started to waste addresses like crazy ("because we can!") - but the underlying principles of BGP, OSPF, RIP, "longest-match-wins", etc. are basically still the same. So just go and experiment :-) gert -- USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de From jlewis at lewis.org Tue Mar 13 10:13:45 2012 From: jlewis at lewis.org (Jon Lewis) Date: Tue, 13 Mar 2012 10:13:45 -0400 (EDT) Subject: [c-nsp] Recommended IPv6 Resources In-Reply-To: <1C748D48EFD36B4AA0B934E8B4E2998003F08BE7@ipi-cc-srv04.ipinfrastructures.com> References: <1C748D48EFD36B4AA0B934E8B4E2998003F08BE7@ipi-cc-srv04.ipinfrastructures.com> Message-ID: On Tue, 13 Mar 2012, Steve McCrory wrote: > I'm dipping my toe into the world of IPv6 and I'm looking for > recommendations on resources - books, design guides, white papers, > tutorials etc. It's really not all that different from IPv4 other than much larger address space, conservative IP assignment gets flipped around 180*, and watch out for things like needing IPv6 ACLs on things like router/switch vty lines, and RA / SLAAC automatically enabling IPv6 on hosts before they've been configured for it (ACLs).
---------------------------------------------------------------------- Jon Lewis, MCP :) | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ From smccrory at gcicom.net Tue Mar 13 10:13:28 2012 From: smccrory at gcicom.net (Steve McCrory) Date: Tue, 13 Mar 2012 14:13:28 -0000 Subject: [c-nsp] Recommended IPv6 Resources References: <1C748D48EFD36B4AA0B934E8B4E2998003F08BE7@ipi-cc-srv04.ipinfrastructures.com> <20120313134928.GK1359@greenie.muc.de> <20120313140608.GL1359@greenie.muc.de> Message-ID: <1C748D48EFD36B4AA0B934E8B4E2998003F08C10@ipi-cc-srv04.ipinfrastructures.com> Gert, Not at all, I took it in the nature it was intended :o) I appreciate this list doesn't look favourably on the 'I can't figure this out and can't be bothered looking for myself, please do it for me' type of posts but that's not what I'm looking for here. I'm more than prepared to hunt for resources and have a play with IPv6 for myself, I just wanted a pointer in the direction of good, informative, up-to-date material. Cheers Steven -----Original Message----- From: Gert Doering [mailto:gert at greenie.muc.de] Sent: 13 March 2012 14:06 To: Steve McCrory Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Recommended IPv6 Resources Hi, On Tue, Mar 13, 2012 at 02:49:28PM +0100, Gert Doering wrote: > On Tue, Mar 13, 2012 at 01:39:03PM -0000, Steve McCrory wrote: > > I'm dipping my toe into the world of IPv6 and I'm looking for > > recommendations on resources - books, design guides, white papers, > > tutorials etc. > > "96 more bits, no magic" This might have been a bit too terse, though :-) - what I was trying to say: IPv6 is not *that* different from IPv4. It has longer addresses, the addresses are written in a weird way, and people have all of a sudden started to waste addresses like crazy ("because we can!") - but the underlying principles of BGP, OSPF, RIP, "longest-match-wins", etc. 
are basically still the same. So just go and experiment :-) gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de Steve McCrory Senior Network Engineer GCI Com Cedar Court Office Park Denby Dale Road Calder Grove Wakefield WF4 3QZ Office: 0844 443 3537 Fax: 0844 443 3540 http://www.gcicom.net/ From gert at greenie.muc.de Tue Mar 13 10:26:29 2012 From: gert at greenie.muc.de (Gert Doering) Date: Tue, 13 Mar 2012 15:26:29 +0100 Subject: [c-nsp] Recommended IPv6 Resources In-Reply-To: <1C748D48EFD36B4AA0B934E8B4E2998003F08C10@ipi-cc-srv04.ipinfrastructures.com> References: <1C748D48EFD36B4AA0B934E8B4E2998003F08BE7@ipi-cc-srv04.ipinfrastructures.com> <20120313134928.GK1359@greenie.muc.de> <20120313140608.GL1359@greenie.muc.de> <1C748D48EFD36B4AA0B934E8B4E2998003F08C10@ipi-cc-srv04.ipinfrastructures.com> Message-ID: <20120313142629.GM1359@greenie.muc.de> Hi, On Tue, Mar 13, 2012 at 02:13:28PM -0000, Steve McCrory wrote: > I appreciate this list doesn't look favourably on the 'I can't figure > this out and can't be bothered looking for myself, please do it for me' > type of posts but that's not what I'm looking for here. > > I'm more than prepared to hunt for resources and have a play with IPv6 > for myself, I just wanted a pointer in the direction of good, > informative, up-to-date material. Yeah, and unfortunately, I don't have anything nicely packaged for you. There's stuff on http://www.cisco.com/go/ipv6 - some marketing blurb, but also links to whitepapers and such. But basically, you might not even *need* it, since it's just "96 more bits, no magic" - that was the point I was trying to make. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de From brez at brezworks.com Tue Mar 13 10:43:23 2012 From: brez at brezworks.com (Jeremy Bresley) Date: Tue, 13 Mar 2012 09:43:23 -0500 Subject: [c-nsp] Recommended IPv6 Resources In-Reply-To: <1C748D48EFD36B4AA0B934E8B4E2998003F08C10@ipi-cc-srv04.ipinfrastructures.com> References: <1C748D48EFD36B4AA0B934E8B4E2998003F08BE7@ipi-cc-srv04.ipinfrastructures.com> <20120313134928.GK1359@greenie.muc.de> <20120313140608.GL1359@greenie.muc.de> <1C748D48EFD36B4AA0B934E8B4E2998003F08C10@ipi-cc-srv04.ipinfrastructures.com> Message-ID: <4F5F5D0B.5050300@brezworks.com> A few good resources and cheat sheets: http://www.estoile.com/ and http://www.estoile.com/links/ipv6.pdf http://packetlife.net/library/cheat-sheets/ http://search.oreilly.com/?q=ipv6&x=0&y=0 Also check out some of the Live Virtual sessions covering IPv6, some very good intros there. If you can be a bit more specific on what specifically you want to read on, I'm sure the group can come up with more resources to cover that use case. (Peering, customer filtering, exchange point configuration, access switch issues, MPLS, 6VPE, etc.) Jeremy On 3/13/2012 9:13 AM, Steve McCrory wrote: > Gert, > > Not at all, I took it in the nature it was intended :o) > > I appreciate this list doesn't look favourably on the 'I can't figure > this out and can't be bothered looking for myself, please do it for me' > type of posts but that's not what I'm looking for here. > > I'm more than prepared to hunt for resources and have a play with IPv6 > for myself, I just wanted a pointer in the direction of good, > informative, up-to-date material. > > > On Tue, Mar 13, 2012 at 02:49:28PM +0100, Gert Doering wrote: >> On Tue, Mar 13, 2012 at 01:39:03PM -0000, Steve McCrory wrote: >>> I'm dipping my toe into the world of IPv6 and I'm looking for >>> recommendations on resources - books, design guides, white papers, >>> tutorials etc.
>> "96 more bits, no magic" > This might have been a bit too terse, though :-) - what I was trying to > say: IPv6 is not *that* different from IPv4. It has longer addresses, > the addresses are written in a weird way, and people have all of a > sudden started to waste addresses like crazy ("because we can!") - but > the underlying principles of BGP, OSPF, RIP, "longest-match-wins", etc. > are basically still the same. So just go and experiment :-) From rus-p at mostelekom.net Tue Mar 13 11:01:10 2012 From: rus-p at mostelekom.net (Ruslan Pustovoitov) Date: Tue, 13 Mar 2012 19:01:10 +0400 Subject: [c-nsp] Carrier grade NAT44 & newest Cisco boxes In-Reply-To: <4F5C3DF6.3010007@inbox.ru> References: <4F5C3DF6.3010007@inbox.ru> Message-ID: <4F5F6136.4090508@mostelekom.net> Does this question not worry the community? Ruslan Pustovoytov wrote: > Hi all > > Can anybody explain to me what is the best way to do CGN on Cisco boxes? > I am looking for a powerful solution with a price congruous with other vendors. > > Recently I closely looked at the ISM-100 card for the asr9k platform. > I was negatively surprised that the performance of this card is about 10 > Gbit/s half-duplex.. > The card occupies a full slot in the chassis and costs about 200.000$ in GPL > with a license for 10 million sessions. > I know that other vendors with more ancient NATs have double the > performance for this price. > > Also, I looked at the CGSE blade for the CRS-1 and CRS-3 platform. > The presentation says it has 10 Gbit/s full-duplex performance and the card > occupies one slot. > Does it mean that CGN in the CRS is more powerful than CGN in the ASR9k, or is this > the sort of marketing game ?
> > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From gert at greenie.muc.de Tue Mar 13 11:12:14 2012 From: gert at greenie.muc.de (Gert Doering) Date: Tue, 13 Mar 2012 16:12:14 +0100 Subject: [c-nsp] Carrier grade NAT44 & newest Cisco boxes In-Reply-To: <4F5F6136.4090508@mostelekom.net> References: <4F5C3DF6.3010007@inbox.ru> <4F5F6136.4090508@mostelekom.net> Message-ID: <20120313151214.GN1359@greenie.muc.de> Hi, On Tue, Mar 13, 2012 at 07:01:10PM +0400, Ruslan Pustovoitov wrote: > Does this question not worry the community? I think it's great that the hidden costs that come with running IPv4 now start being openly visible... Sorry, what was the question? gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de From bhmccie at gmail.com Tue Mar 13 11:26:44 2012 From: bhmccie at gmail.com (-Hammer-) Date: Tue, 13 Mar 2012 10:26:44 -0500 Subject: [c-nsp] Nexus network Design - Switching LOOP In-Reply-To: References: <4F5F43F5.3090802@foobar.org> Message-ID: <4F5F6734.6010806@gmail.com> We did support you. We sent you links to the design guide as well as explained why you are having the STP issue. What else do you want/need? -Hammer- "I was a normal American nerd" -Jack Herer On 3/13/2012 8:58 AM, jack daniels wrote: > Hi Chris, > > I appreciate your suggestion; Flex links can surely help. > > Hi All, > > Request your suggestions and support on this. > > > Regards > > > On Tue, Mar 13, 2012 at 7:21 PM, Chris Evans wrote: >> Switch the 3750 to use flex links.
That way you can have redundancy without >> causing a loop. >> >> On Mar 13, 2012 9:50 AM, "Ryan West" wrote: >>> N2k's do not run spanning-tree and will block ports if a bpdu is detected. >>> You can disable spanning tree on those ports, but your 3750 will be flat at >>> that point. >>> >>> Sent from handheld >>> >>> On Mar 13, 2012, at 8:57 AM, "Nick Hilliard" wrote: >>> >>>> On 13/03/2012 11:56, jack daniels wrote: >>>>> In this scenario Switching LOOP is getting formed. Only way I'm able >>>>> to get rid is shutdown Port eth1/1 on Nexus2K-2. Please help in this >>>>> case. >>>> are the 3750 and both the n5k boxes running spanning tree? >>>> >>>> Nick >>>> >>>> _______________________________________________ >>>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>> _______________________________________________ >>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>> archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From ck-lists at cksoft.de Tue Mar 13 12:00:49 2012 From: ck-lists at cksoft.de (Christian Kratzer) Date: Tue, 13 Mar 2012 17:00:49 +0100 (CET) Subject: [c-nsp] Carrier grade NAT44 & newest Cisco boxes In-Reply-To: <20120313151214.GN1359@greenie.muc.de> References: <4F5C3DF6.3010007@inbox.ru> <4F5F6136.4090508@mostelekom.net> <20120313151214.GN1359@greenie.muc.de> Message-ID: Hi, On Tue, 13 Mar 2012, Gert Doering wrote: > Hi, > > On Tue, Mar 13, 2012 at 07:01:10PM +0400, Ruslan Pustovoitov wrote: >> Does this question not worry community ? > > I think it's great that the hidden costs that come with running IPv4 > now start being openly visible... 
Next, let's think about the cost of maintaining a database of NAT mappings for law enforcement purposes when you have a high-speed FTTH user base ;) Greetings Christian Kratzer CK Software GmbH -- Christian Kratzer CK Software GmbH Email: ck at cksoft.de Wildberger Weg 24/2 Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart Web: http://www.cksoft.de/ Geschaeftsfuehrer: Christian Kratzer From simon.leinen at switch.ch Tue Mar 13 13:17:25 2012 From: simon.leinen at switch.ch (Simon Leinen) Date: Tue, 13 Mar 2012 18:17:25 +0100 Subject: [c-nsp] ASN32 in Netflow (6500 / 12.2SX) In-Reply-To: <4F5F2506.8010508@imperial.ac.uk> (Phil Mayers's message of "Tue, 13 Mar 2012 10:44:22 +0000") References: <4F5F2506.8010508@imperial.ac.uk> Message-ID: Phil Mayers writes: > On 13/03/12 09:02, David Freedman wrote: >> Not seeing this in SXI3, > Are you using Netflow v9? > (I have no idea if it's supported, but I'm certain that, if it is, it > will require v9) I'm pretty sure that on the Catalyst 6500, Netflow export for 4-byte ASes is not supported until 15.0(1)SY1: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/15.0SY/release_notes.html#wp4838634 Phil is right in that you do need Netflow v9. I think you also need the newer "FlexFlow" implementation of Netflow that Cisco did for the Supervisor 2T. I have no idea whether they intend to "backport" this to older Supervisors - I suspect that these Netflow implementations are quite different internally. -- Simon.
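Simon's point that 4-byte AS numbers need NetFlow v9 comes down to the template mechanism: v9 lets the exporter declare the byte length of every field in a template FlowSet, whereas v5 has a fixed record layout with 16-bit src_as/dst_as. The following decoder is an added example, not code from the thread or from Cisco; the field type codes are those of RFC 3954, and the flow record (addresses, ASNs, byte count) is constructed sample data.

```python
"""Build and decode a NetFlow v9 export packet whose template declares
4-byte SRC_AS / DST_AS fields (RFC 3954 layout; sample values constructed)."""
import socket
import struct

# Field type codes from RFC 3954, section 8.  SRC_AS and DST_AS default to
# 2 bytes, but a template may declare them as 4 bytes to carry 32-bit ASNs.
IN_BYTES, IPV4_SRC_ADDR, IPV4_DST_ADDR, SRC_AS, DST_AS = 1, 8, 12, 16, 17
FIELD_NAMES = {IN_BYTES: "in_bytes", IPV4_SRC_ADDR: "src_addr",
               IPV4_DST_ADDR: "dst_addr", SRC_AS: "src_as", DST_AS: "dst_as"}
HEADER_FMT = "!HHIIII"  # version, count, sysUptime, unix_secs, sequence, source_id
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 20 bytes


def build_v9_packet(template_id, fields, records):
    """Return one v9 packet: header, template FlowSet (id 0) and one data FlowSet.

    fields:  list of (type, length) pairs exactly as the template declares them
    records: list of {type: value} dicts; dotted-quad strings are IPv4 addresses
    """
    template = struct.pack("!HH", template_id, len(fields))
    for ftype, flen in fields:
        template += struct.pack("!HH", ftype, flen)
    template_set = struct.pack("!HH", 0, 4 + len(template)) + template

    data = b""
    for rec in records:
        for ftype, flen in fields:
            value = rec[ftype]
            if isinstance(value, str):
                value = int.from_bytes(socket.inet_aton(value), "big")
            if value >> (8 * flen):
                # A 2-byte AS field cannot hold a 32-bit ASN at all; what a real
                # exporter substitutes in that situation is implementation-specific.
                raise ValueError(f"{value} does not fit {flen}-byte field {ftype}")
            data += value.to_bytes(flen, "big")
    data += b"\x00" * (-len(data) % 4)  # FlowSets are padded to a 32-bit boundary
    data_set = struct.pack("!HH", template_id, 4 + len(data)) + data

    header = struct.pack(HEADER_FMT, 9, 1 + len(records), 0, 0, 1, 0)
    return header + template_set + data_set


def decode_v9(packet):
    """Decode every data record in a v9 packet using the templates it carries."""
    version = struct.unpack_from(HEADER_FMT, packet, 0)[0]
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    templates, flows = {}, []
    offset = HEADER_LEN
    while offset + 4 <= len(packet):
        set_id, set_len = struct.unpack_from("!HH", packet, offset)
        if set_len < 4 or offset + set_len > len(packet):
            raise ValueError("malformed FlowSet length")
        body = packet[offset + 4:offset + set_len]
        if set_id == 0:  # template FlowSet: learn each template's (type, length) list
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                pos += 4
                templates[tid] = [struct.unpack_from("!HH", body, pos + 4 * i)
                                  for i in range(nfields)]
                pos += 4 * nfields
        elif set_id >= 256 and set_id in templates:  # data FlowSet we can decode
            fields = templates[set_id]
            rec_len = sum(flen for _, flen in fields)
            pos = 0
            while rec_len and pos + rec_len <= len(body):  # stops at the padding
                rec = {}
                for ftype, flen in fields:
                    raw = body[pos:pos + flen]
                    pos += flen
                    name = FIELD_NAMES.get(ftype, f"type_{ftype}")
                    if ftype in (IPV4_SRC_ADDR, IPV4_DST_ADDR) and flen == 4:
                        rec[name] = socket.inet_ntoa(raw)
                    else:
                        rec[name] = int.from_bytes(raw, "big")  # 2- or 4-byte ints
                flows.append(rec)
        # Data for a template not seen yet is skipped; the template comes later.
        offset += set_len
    return flows


def as32_roundtrip():
    """Export a constructed flow between 32-bit ASNs using 4-byte AS fields."""
    fields = [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (SRC_AS, 4), (DST_AS, 4),
              (IN_BYTES, 4)]
    record = {IPV4_SRC_ADDR: "192.0.2.1", IPV4_DST_ADDR: "198.51.100.7",
              SRC_AS: 4200000000, DST_AS: 65536, IN_BYTES: 1500}
    return decode_v9(build_v9_packet(256, fields, [record]))


def as32_fits_two_byte_field():
    """Same ASNs with the 2-byte AS fields a fixed-format (v5-style) record has."""
    try:
        build_v9_packet(257, [(SRC_AS, 2), (DST_AS, 2)],
                        [{SRC_AS: 4200000000, DST_AS: 65536}])
    except ValueError:
        return False
    return True
```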
From andy-lists at bourges.de Tue Mar 13 13:42:13 2012 From: andy-lists at bourges.de (Andy Bourges) Date: Tue, 13 Mar 2012 18:42:13 +0100 Subject: [c-nsp] Carrier grade NAT44 & newest Cisco boxes In-Reply-To: <4F5F6136.4090508@mostelekom.net> References: <4F5C3DF6.3010007@inbox.ru> <4F5F6136.4090508@mostelekom.net> Message-ID: <201203131842.14139.andy-lists@bourges.de> Hi, On Tuesday 13 March 2012 16:01:10 Ruslan Pustovoitov wrote: > > Card is occupied full slot in chassis and costs about 200.000$ in GPL > > with license for 10 miilion sessions. > > I know that other vendors with more ancient NATs has double > > performance for this price. > > > > Also, I look in CGSE blade for CRS-1 and CRS-3 platform. > > Presentation says it has 10 Gbit/s full-duplex performance and card > > occupy one slot. > > Does it meen that CGN in CRS more powerfull that CGN in ASR9k or this > > is the sort of marketing game ? ...the CGSE can hold up to 20 mio concurrent nat sessions and multiple blades can be installed in one CRS-1. I thought the ISE for asr9k is more or less identical to the CGSE (at least it's based on the same code), so it might be a marketing decision to allow only 10mio sessions. regards, Andy From walter.keen at RainierConnect.net Tue Mar 13 13:53:07 2012 From: walter.keen at RainierConnect.net (Walter Keen) Date: Tue, 13 Mar 2012 10:53:07 -0700 (PDT) Subject: [c-nsp] SNMP monitoring routing table over time In-Reply-To: <661767473.1222769.1331660854420.JavaMail.root@zimbra01.rainierconnect.net> Message-ID: <1200508279.1222797.1331661187643.JavaMail.root@zimbra01.rainierconnect.net> Trying to work on an interesting project, where it would be nice to monitor the routing table of a collection of routers, store it, and look at it later, as a snapshot of what the routing table for a particular router looked at a particular time. 
All the information I'm wanting (route entry, nexthop, etc) is available via snmp on the ip-route mib I believe, and needs to stay fairly generic, or equipment-agnostic. Does anyone know of an existing project to do this before I start trying to make one? Walter Keen From A.L.M.Buxey at lboro.ac.uk Tue Mar 13 14:29:18 2012 From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey) Date: Tue, 13 Mar 2012 18:29:18 +0000 Subject: [c-nsp] SNMP monitoring routing table over time In-Reply-To: <1200508279.1222797.1331661187643.JavaMail.root@zimbra01.rainierconnect.net> References: <661767473.1222769.1331660854420.JavaMail.root@zimbra01.rainierconnect.net> <1200508279.1222797.1331661187643.JavaMail.root@zimbra01.rainierconnect.net> Message-ID: <20120313182918.GD572@lboro.ac.uk> Hi, some years ago I thought about this myself - coupled with SNMP traps etc you can build a map of the routing across your network. the trouble was, I went into planning it and all the required features...and it just grew and grew... I had a couple of quagga boxes joined into the IGP and EGP systems and was recording stuff but I'm no compsci and got stuck in a mess of SQL relational tables that just didn't scale. yes, I saw events...but I saw events already and I hadn't worked out how to draw the map for the routing topology at date X - without re-writing routing algorithms myself. in the end I bought a little appliance that does most of what I needed - yes, not ALL I needed, but it's a start. http://packetdesign.com/products/rex.htm I was then able to spend time on projects that local mgmt felt were more high priority (hey, it's good having a working local network...
;-) ) alan From A.L.M.Buxey at lboro.ac.uk Tue Mar 13 14:35:04 2012 From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey) Date: Tue, 13 Mar 2012 18:35:04 +0000 Subject: [c-nsp] Recommended IPv6 Resources In-Reply-To: <1C748D48EFD36B4AA0B934E8B4E2998003F08BE7@ipi-cc-srv04.ipinfrastructures.com> References: <1C748D48EFD36B4AA0B934E8B4E2998003F08BE7@ipi-cc-srv04.ipinfrastructures.com> Message-ID: <20120313183504.GE572@lboro.ac.uk> Hi, > I'm dipping my toe into the world of IPv6 and I'm looking for > recommendations on resources - books, design guides, white papers, > tutorials etc. there are a few IPv6 books out there - from the cisco offerings to third party and usual stalwart publishers. they should get you well versed on the subject. yes, address space is bigger - but it's the other things that will get you .. uses multicast to do everything, ICMPv6 is very very important for operation of hosts, SLAAC is the 'easy way' to get addresses from the router - your DHCP server may well not do DHCPv6 (and if it does, the clients probably don't! ;-) ) so how do you record/manage hosts? what about reverse records - are you going to have 65k of entries for each /64 that you deal with? ACLs and switch behaviour - and what about end point protection - there's a good layer of ipv4 protection on particular cisco access layer switches now - but the ipv6 is lacking. likewise management - it's a big big shame that cisco haven't gone full-on with mgmt in IPv6 - there's no reason why the mgmt of your switches/APs etc can't all be in IPv6 and you have no IPv4 on those nets....but no.. latest IOS has some mgmt functions that work over IPv6.. not bad considering how long v6 has been around before. my take home message? you can learn a WHOLE LOT more about it by having a dev/test router, a couple of VLANs and home hosts (oh, be sure to tick the IPv6 box in VMware if you are virtualised with it ;-) ) alan From JSmith at WindMobile.ca Sat Mar 10 22:40:20 2012 From: JSmith at WindMobile.ca (James S.
Smith) Date: Sun, 11 Mar 2012 03:40:20 +0000 Subject: [c-nsp] "%HARDWARE-1-TCAM_ERROR: Found error in HFTM TCAM Space and not able to recover the error" + server losing default GW In-Reply-To: Message-ID: Did the Solaris system have the gateway in the defaultrouter file, or did it need to be added? It's possible that it never did have a default gateway, and your local router was doing proxy arp. I've run into that a few times where a server isn't given the proper gateway but still ends up getting connectivity because the local router is responding to the arps. Or perhaps someone had added the default route by cli and never added it to the defaultrouter file, and then it somehow got lost. It's an odd chain of events, but proxy arp should cause issues with the TCAM. ----- Original Message ----- From: Stefan [mailto:netfortius at gmail.com] Sent: Saturday, March 10, 2012 05:30 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] "%HARDWARE-1-TCAM_ERROR: Found error in HFTM TCAM Space and not able to recover the error" + server losing default GW Problem: solaris server connected to a port on a 3750 switch. Reported problem: solaris server lost capability to communicate over the network (checks performed from remote location / different VLAN - important to know!) Immediate reaction - network folks engaged: switch investigation reveals error from $subj: %HARDWARE-1-TCAM_ERROR: Found error in HFTM TCAM Space and not able to recover the error so decision taken to immediately reload the switch Phase II: switch recovers, no more errors, server still reported unreachable from monitoring tool; a quick test from within switch reveals reachability of server from within its own VLAN, though (all tests = ICMP)! 
Phase III: finally server folks involved - reached out to "down" server via another one, on the same VLAN, connected to the same switch - found missing gateway on the "down" server (allegedly there for the last 4xx days of uptime)

Phase III - post-mortem monitoring: no more TCAM errors but also no more problems (obviously) after re-adding the default GW on the server

What we are missing: test at the time of reported failure in communication with server did not include an ICMP from within its own VLAN (as the apparent problem was the error reported on the switch TCAM)

My question to the audience: having done a little research on old solaris behavior (as we have it), I found this: http://www.tek-tips.com/viewthread.cfm?qid=211132 and now I wonder - is it possible that solaris mechanisms of spewing whatever traffic, in missing the default GW, caused the TCAM issue, or (and how come) the TCAM issue causing the "disappearance" of the solaris default GW. Anybody having experienced the problem described? ***Stefan _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/

From mhuff at ox.com Tue Mar 13 14:46:56 2012 From: mhuff at ox.com (Matthew Huff) Date: Tue, 13 Mar 2012 14:46:56 -0400 Subject: [c-nsp] Recommended IPv6 Resources In-Reply-To: <20120313183504.GE572@lboro.ac.uk> References: <1C748D48EFD36B4AA0B934E8B4E2998003F08BE7@ipi-cc-srv04.ipinfrastructures.com> <20120313183504.GE572@lboro.ac.uk> Message-ID: <483E6B0272B0284BA86D7596C40D29F901928959AB02@PUR-EXCH07.ox.com>

+1 on test lab. Lots of issues won't show up until actual use. For example, on a Cisco router if you disable SLAAC by doing:

# ipv6 nd prefix default 300 180 no-autoconfig

Windows and Linux work fine. However, Solaris no longer gets a default route from RA. These are the gotchas that you have to find out yourself. ---- Matthew Huff
| 1 Manhattanville Rd Director of Operations | Purchase, NY 10577 OTA Management LLC | Phone: 914-460-4039 aim: matthewbhuff | Fax: 914-460-4139 > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Alan Buxey > Sent: Tuesday, March 13, 2012 2:35 PM > To: Steve McCrory > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] Recommended IPv6 Resources > > Hi, > > > I'm dipping my toe into the world of IPv6 and I'm looking for > > recommendations on resources - books, design guides, white papers, > > tutorials etc. > > there are a few IPv6 books out there - from the cisco offerings to > third party and usual stalwart publishers. they should get you well > versed on the subject. > > yes, address space is bigger - but it's the other things that will get > you .. > uses multicast to do everything, ICMPv6 is very very important for > operation of hosts, SLAAC is the 'easy way' to get addresses from the > router - your DHCP server may well not do DHCPv6 (and if it does, the > clients probably don't! ;-) ) so how do you record/manage hosts? what > about reverse records - are you going to have 65k of entries for each /64 > that you deal with? > > ACLs and switch behaviour - and what about end point protection - > there's a good layer of ipv4 protection on particular cisco access layer > switches now - but the ipv6 is lacking. likewise management - it's a > big big shame that cisco haven't gone full-on with mgmt in IPv6 - there's > no reason why the mgmt of your switches/APs etc can't all be in IPv6 and > you have no IPv4 on those nets....but no.. latest IOS has some mgmt > functions that work over IPv6.. not bad considering how long v6 has > been around before. > > my take home message?
you can learn a WHOLE LOT more about it by having > a dev/test router, a couple of VLANs and home hosts (oh, be sure to > tick the IPv6 box in VMware if you are virtualised with it ;-) ) > > alan > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/

From billwade98 at yahoo.com Tue Mar 13 17:31:08 2012 From: billwade98 at yahoo.com (Bill Wade) Date: Tue, 13 Mar 2012 14:31:08 -0700 (PDT) Subject: [c-nsp] Nexus network Design - Switching LOOP In-Reply-To: References: <4F5F43F5.3090802@foobar.org> Message-ID: <1331674268.25132.YahooMailNeo@web120405.mail.ne1.yahoo.com>

The Nexus 2248 ports (not the uplink/fabric interfaces) are designed to connect hosts not switches. If you need Cisco's support down the road I think you'd be told that this is not a supported topology/configuration. Bill ________________________________ From: jack daniels To: Chris Evans Cc: "cisco-nsp at puck.nether.net" Sent: Tuesday, March 13, 2012 9:58 AM Subject: Re: [c-nsp] Nexus network Design - Switching LOOP Hi Chris, I appreciate your suggestion, for Flex links this can surely help. Hi All, Request your suggestion support on this. Regards On Tue, Mar 13, 2012 at 7:21 PM, Chris Evans wrote: > Switch the 3750 to use flex links. That way you can have redundancy without > causing a loop. > > On Mar 13, 2012 9:50 AM, "Ryan West" wrote: >> >> N2k's do not run spanning-tree and will block ports if a bpdu is detected. >> You can disable spanning tree on those ports, but your 3750 will be flat at >> that point.
>> >> Sent from handheld >> >> On Mar 13, 2012, at 8:57 AM, "Nick Hilliard" wrote: >> >> > On 13/03/2012 11:56, jack daniels wrote: >> >> In this scenario Switching LOOP is getting formed. Only way I'm able >> >> to get rid is shutdown Port eth1/1 on Nexus2K-2. Please help in this >> >> case. >> > >> > are the 3750 and both the n5k boxes running spanning tree? >> > >> > Nick >> > >> > _______________________________________________ >> > cisco-nsp mailing list cisco-nsp at puck.nether.net >> > https://puck.nether.net/mailman/listinfo/cisco-nsp >> > archive at http://puck.nether.net/pipermail/cisco-nsp/ >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/

From dan at beanfield.com Tue Mar 13 18:59:39 2012 From: dan at beanfield.com (Dan Armstrong) Date: Tue, 13 Mar 2012 18:59:39 -0400 Subject: [c-nsp] Internet inside a VRF? Message-ID: <2C1670C4-A01E-4F84-8A6F-8F6CBC54527D@beanfield.com>

I know this topic has been discussed a million times, but just wanted to get an updated opinion on how people are feeling about this: In a service provider network, how do people feel about putting the big Internet routing table, all their peers and customers inside a VRF? Keep the global table for just infrastructure links? Or Keep the Internet and peers and customers inside the global table?

From pshem.k at gmail.com Tue Mar 13 20:12:02 2012 From: pshem.k at gmail.com (Pshem Kowalczyk) Date: Wed, 14 Mar 2012 13:12:02 +1300 Subject: [c-nsp] Internet inside a VRF?
In-Reply-To: <2C1670C4-A01E-4F84-8A6F-8F6CBC54527D@beanfield.com> References: <2C1670C4-A01E-4F84-8A6F-8F6CBC54527D@beanfield.com> Message-ID:

Hi, On 14 March 2012 11:59, Dan Armstrong wrote: > I know this topic has been discussed a million times, but just wanted to get an updated opinion on how people are feeling about this: > > > In a service provider network, how do people feel about putting the big Internet routing table, all their peers and customers inside a VRF? Keep the global table for just infrastructure links? In my previous role we've done just that. One internet VRF for all transit functions, separate vrfs for peering and customers and import-export statements to tie them all together. All done on ASR1k (mainly 1006, but a few of 1002 as well). kind regards Pshem

From dan at beanfield.com Tue Mar 13 20:25:49 2012 From: dan at beanfield.com (Dan Armstrong) Date: Tue, 13 Mar 2012 20:25:49 -0400 Subject: [c-nsp] Internet inside a VRF? In-Reply-To: References: <2C1670C4-A01E-4F84-8A6F-8F6CBC54527D@beanfield.com> Message-ID: <519D1D50-E028-41CC-BFF9-65099B169C59@beanfield.com>

We have all our Internet peers and customers inside a VRF currently, and our Cisco SE thinks we're stark raving mad, and should redesign and put everything back in the global table. This is all on ASR 9Ks and 7600s. On 2012-03-13, at 8:12 PM, Pshem Kowalczyk wrote: > Hi, > > On 14 March 2012 11:59, Dan Armstrong wrote: >> I know this topic has been discussed a million times, but just wanted to get an updated opinion on how people are feeling about this: >> >> >> In a service provider network, how do people feel about putting the big Internet routing table, all their peers and customers inside a VRF? Keep the global table for just infrastructure links? > > In my previous role we've done just that. One internet VRF for all > transit functions, separate vrfs for peering and customers and > import-export statements to tie them all together.
All done on ASR1k > (mainly 1006, but a few of 1002 as well). > > kind regards > Pshem

From jmadrid2 at gmail.com Tue Mar 13 21:17:49 2012 From: jmadrid2 at gmail.com (Jose Madrid) Date: Tue, 13 Mar 2012 21:17:49 -0400 Subject: [c-nsp] Internet inside a VRF? In-Reply-To: <519D1D50-E028-41CC-BFF9-65099B169C59@beanfield.com> References: <2C1670C4-A01E-4F84-8A6F-8F6CBC54527D@beanfield.com> <519D1D50-E028-41CC-BFF9-65099B169C59@beanfield.com> Message-ID: <-3038841589624570891@unknownmsgid>

I would like to understand why you guys would do this? What is the reasoning behind this? Super granular control? Can't this level of granularity be achieved with route-maps? Sent from my iPhone On Mar 13, 2012, at 8:27 PM, Dan Armstrong wrote: > We have all our Internet peers and customers inside a VRF currently, and our Cisco SE thinks we're stark raving mad, and should redesign and put everything back in the global table. > > > This is all on ASR 9Ks and 7600s. > > > > > > On 2012-03-13, at 8:12 PM, Pshem Kowalczyk wrote: > >> Hi, >> >> On 14 March 2012 11:59, Dan Armstrong wrote: >>> I know this topic has been discussed a million times, but just wanted to get an updated opinion on how people are feeling about this: >>> >>> >>> In a service provider network, how do people feel about putting the big Internet routing table, all their peers and customers inside a VRF? Keep the global table for just infrastructure links? >> >> In my previous role we've done just that. One internet VRF for all >> transit functions, separate vrfs for peering and customers and >> import-export statements to tie them all together. All done on ASR1k >> (mainly 1006, but a few of 1002 as well).
>> >> kind regards >> Pshem > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/

From mike-cisconsplist at tiedyenetworks.com Tue Mar 13 21:39:30 2012 From: mike-cisconsplist at tiedyenetworks.com (Mike) Date: Tue, 13 Mar 2012 18:39:30 -0700 Subject: [c-nsp] Cisco BRAS questions again Message-ID: <4F5FF6D2.6060700@tiedyenetworks.com>

Hello, I am now working on a 7201 trying to get all features implemented which are important to our PPPoE termination needs. I am coming from a linux environment which has allowed me substantial customization and although about 85% of what we want appears easily done in the cisco world, there still are some features I have not been able to duplicate.

* per user gateway: I need to be able to give different pppoe subscribers different default gateways. I want to send their packets out somewhere other than internet default route, under the control of radius if I can. I have been trying to learn and in cisco parlance I think this would involve a vrf, but my google-fu is failing me and I am not seeing any clear examples that can help me learn this. I am fine with sending cisco-avpair attributes back in the radius access-accept response, the question here is how do I establish a simple vrf with a default gateway different than the internet default, and apply it to my sessions?

* override the 'sss session' username: I plan on using pppoe intermediate agent based authentication and have perl code and freeradius working together already to do this. One problem will be, my customer CPE modems largely have '-f' as the programmed user name, which will create some ugliness when I show sss sessions, as all of them will be '-f'.
Currently in my linux solution, when doing pppoe intermediate agent auth, if I send back a User-name as part of the access response, this overrides the name given during ppp/lcp setup phases, giving me a nice handy list to refer to. This isn't a show stopper but it would be great if I could override cisco's selection this way. Otherwise, I don't see how to tell these users apart. The sss sessions detailed output doesn't tell me what ckt id the session is connected on, so I would have to go thru more hoops (probably at radius accounting level) to have this info. Thanks. Mike-

From dan at beanfield.com Tue Mar 13 21:29:11 2012 From: dan at beanfield.com (Dan Armstrong) Date: Tue, 13 Mar 2012 21:29:11 -0400 Subject: [c-nsp] Internet inside a VRF? In-Reply-To: <-3038841589624570891@unknownmsgid> References: <2C1670C4-A01E-4F84-8A6F-8F6CBC54527D@beanfield.com> <519D1D50-E028-41CC-BFF9-65099B169C59@beanfield.com> <-3038841589624570891@unknownmsgid> Message-ID: <40B7C89A-2552-4774-9831-7AB1DDE4F36B@beanfield.com>

Two reasons, the first reason is that the config is extremely simple, clean and difficult for a less trained provisioning guy to make a mistake. With route maps, it's error prone to harmonize them across many boxes - and it's relatively easy for somebody to muck one up by accident. The other reason is that we have some older folks around that long for the day when the core of a carrier network was ATM based, and the plethora of hops were basically hidden behind a switched network? They feel that customers will freak out and feel the service is inferior if a traceroute goes through many dozen hops. Having this inside a VRF lets us hide the hops inside a POP for instance, and only show the major transit points for clarity. On 2012-03-13, at 9:17 PM, Jose Madrid wrote: > I would like to understand why you guys would do this? What is the > reasoning behind this? Super granular control? Can't this level of > granularity be achieved with route-maps?
> > Sent from my iPhone > > On Mar 13, 2012, at 8:27 PM, Dan Armstrong wrote: > >> We have all our Internet peers and customers inside a VRF currently, and our Cisco SE thinks we're stark raving mad, and should redesign and put everything back in the global table. >> >> >> This is all on ASR 9Ks and 7600s. >> >> >> >> >> >> On 2012-03-13, at 8:12 PM, Pshem Kowalczyk wrote: >> >>> Hi, >>> >>> On 14 March 2012 11:59, Dan Armstrong wrote: >>>> I know this topic has been discussed a million times, but just wanted to get an updated opinion on how people are feeling about this: >>>> >>>> >>>> In a service provider network, how do people feel about putting the big Internet routing table, all their peers and customers inside a VRF? Keep the global table for just infrastructure links? >>> >>> In my previous role we've done just that. One internet VRF for all >>> transit functions, separate vrfs for peering and customers and >>> import-export statements to tie them all together. All done on ASR1k >>> (mainly 1006, but a few of 1002 as well). >>> >>> kind regards >>> Pshem >> >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/

From chuckchurch at gmail.com Tue Mar 13 22:35:06 2012 From: chuckchurch at gmail.com (Chuck Church) Date: Tue, 13 Mar 2012 22:35:06 -0400 Subject: [c-nsp] Internet inside a VRF? In-Reply-To: <-3038841589624570891@unknownmsgid> References: <2C1670C4-A01E-4F84-8A6F-8F6CBC54527D@beanfield.com> <519D1D50-E028-41CC-BFF9-65099B169C59@beanfield.com> <-3038841589624570891@unknownmsgid> Message-ID: <000c01cd018b$12244060$366cc120$@com>

In the past (though probably still true), there were plenty of management-type things in 6500/7600 that didn't work in a VRF.
So if you wanted to keep your management (SNMP, telnet/SSH, file copying, etc) separate from your production traffic and you wanted it to work, you had to keep it in the global table. I haven't tried in SXJ, but there were still some broken in SXI. Not sure about the SRx train. I've heard the Sup2T fixes most of the remaining broken things. Chuck -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jose Madrid Sent: Tuesday, March 13, 2012 9:18 PM To: Dan Armstrong Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Internet inside a VRF? I would like to understand why you guys would do this? What is the reasoning behind this? Super granular control? Cant this level of granularity be achieved with route-maps? Sent from my iPhone On Mar 13, 2012, at 8:27 PM, Dan Armstrong wrote: > We have all our Internet peers and customers inside a VRF currently, and our Cisco SE thinks we're stark raving mad, and should redesign and put everything back in the global table. > > > This is all on ASR 9Ks and 7600s. > > > > > > On 2012-03-13, at 8:12 PM, Pshem Kowalczyk wrote: > >> Hi, >> >> On 14 March 2012 11:59, Dan Armstrong wrote: >>> I know this topic has been discussed a million times, but just wanted to get an updated opinion on how people are feeling about this: >>> >>> >>> In a service provider network, how do people feel about putting the >>> big Internet routing table, all their peers and customers inside a >>> VRF? Keep the global table for just infrastructure links. >> >> In my previous role we've done just that. One internet VRF for all >> transit functions, separate vrfs for peering and customers and >> import-export statements to tie them all together. All done on ASR1k >> (mainly 1006, but a few of 1002 as well). 
>> >> kind regards >> Pshem > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From moua0100 at umn.edu Tue Mar 13 22:58:58 2012 From: moua0100 at umn.edu (Ge Moua) Date: Tue, 13 Mar 2012 21:58:58 -0500 Subject: [c-nsp] Internet inside a VRF? In-Reply-To: <-3038841589624570891@unknownmsgid> References: <2C1670C4-A01E-4F84-8A6F-8F6CBC54527D@beanfield.com> <519D1D50-E028-41CC-BFF9-65099B169C59@beanfield.com> <-3038841589624570891@unknownmsgid> Message-ID: <4F600972.6040600@umn.edu> In R&E networks, separation of commodity Internet-1 and Internet-2 traffic. -- Regards, Ge Moua University of Minnesota Alumnus Email: moua0100 at umn.edu -- On 3/13/12 8:17 PM, Jose Madrid wrote: > I would like to understand why you guys would do this? What is the > reasoning behind this? Super granular control? Cant this level of > granularity be achieved with route-maps? > > Sent from my iPhone > > On Mar 13, 2012, at 8:27 PM, Dan Armstrong wrote: > >> We have all our Internet peers and customers inside a VRF currently, and our Cisco SE thinks we're stark raving mad, and should redesign and put everything back in the global table. >> >> >> This is all on ASR 9Ks and 7600s. >> >> >> >> >> >> On 2012-03-13, at 8:12 PM, Pshem Kowalczyk wrote: >> >>> Hi, >>> >>> On 14 March 2012 11:59, Dan Armstrong wrote: >>>> I know this topic has been discussed a million times, but just wanted to get an updated opinion on how people are feeling about this: >>>> >>>> >>>> In a service provider network, how do people feel about putting the big Internet routing table, all their peers and customers inside a VRF? 
Keep the global table for just infrastructure links? >>> In my previous role we've done just that. One internet VRF for all >>> transit functions, separate vrfs for peering and customers and >>> import-export statements to tie them all together. All done on ASR1k >>> (mainly 1006, but a few of 1002 as well). >>> >>> kind regards >>> Pshem >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/

From rus-p at mostelekom.net Wed Mar 14 02:32:34 2012 From: rus-p at mostelekom.net (Ruslan Pustovoitov) Date: Wed, 14 Mar 2012 10:32:34 +0400 Subject: [c-nsp] Carrier grade NAT44 & newest Cisco boxes In-Reply-To: <20120313151214.GN1359@greenie.muc.de> References: <4F5C3DF6.3010007@inbox.ru> <4F5F6136.4090508@mostelekom.net> <20120313151214.GN1359@greenie.muc.de> Message-ID: <4F603B82.5060709@mostelekom.net>

The question was what strategy of NAT deployment can be accepted by a large ISP if one of the internal conditions is to use only cisco boxes for NAT? Hidden cost was always visible to engineers ) Now it is time to pay ) Does cisco plan to announce in the next two years a successor of ISM-100 with better performance? For example, if an ISP already has asr9k chassis placed everywhere in its network, it will be happy to know that in 2013 cisco is planning to do another card which will sit in place of ISM-100 in the same chassis. Gert Doering wrote: > Hi, > > On Tue, Mar 13, 2012 at 07:01:10PM +0400, Ruslan Pustovoitov wrote: > >> Does this question not worry community ? >> > > I think it's great that the hidden costs that come with running IPv4 > now start being openly visible... > > Sorry, what was the question?
> > gert >

From overkillxx at gmail.com Wed Mar 14 03:00:12 2012 From: overkillxx at gmail.com (Brad Clausen) Date: Wed, 14 Mar 2012 18:00:12 +1100 Subject: [c-nsp] VSS display of show run on standby switch Message-ID:

Hey Guys, I have 2 x 6509's running as a virtual switch (VSS). I can't for the likes of me work out the command to display the serial number details of the Supervisor that is in standby. The Show run displays the details of the active supervisor.

OMESW001#sho switch virtual
Switch mode : Virtual Switch
Virtual switch domain number : 100
Local switch number : 2
Local switch operational role: Virtual Switch Active
Peer switch number : 1
Peer switch operational role : Virtual Switch Standby
OMESW001#

how can I display the show run equivalent on peer switch 1?

From lists at puzza.org Wed Mar 14 03:44:46 2012 From: lists at puzza.org (James Paussa) Date: Wed, 14 Mar 2012 17:44:46 +1000 Subject: [c-nsp] Cisco Border Router Recommendation? In-Reply-To: References: <00b401cce02e$705d9380$5118ba80$@pt> <201202011004.18402.mtinka@globaltransit.net> <003601cce0d8$ebd95b70$c38c1250$@pt> <006d01cce0ea$47b64b40$d722e1c0$@pt> <007d01cce0f5$ec6f7ac0$c54e7040$@pt> <4F296122.8050104@utc.fr> <009801cce0fd$f55f8f50$e01eadf0$@pt> <4F296B14.1070107@utc.fr> Message-ID: <4F604C6E.4050907@puzza.org>

Hi, I have been looking at the ASR1001 but am concerned about the number of routes it supports. The product docs I have found show the router supports 1,000,000 IPv4 or 1,000,000 IPv6 routes (1). From what I have read on here there are only 512k IPv4 or 128k IPv6 routes supported in the FIB and no one is 100% sure how it will behave when this is exhausted. So my question is twofold. What is the realistic lifespan at the current expansion of prefixes (we are currently seeing just under 400k IPv4 routes from our upstreams and around 8k of IPv6) of the ASR1001 (my guess is about a year)?
Secondly, what would be the best path to go given I would be looking for something able to support at least 1 million routes in the FIB. It wouldn't require LNS or LAC functionality and be required to support around 3 full BGP feeds. The forwarding rate would need to be around 500mbit moving towards 2 gigabit. Regards, James. 1. http://www.cisco.com/en/US/prod/collateral/routers/ps9343/data_sheet_c78-441072.html

From jstuxuhu0816 at gmail.com Wed Mar 14 03:46:41 2012 From: jstuxuhu0816 at gmail.com (Xu Hu) Date: Wed, 14 Mar 2012 15:46:41 +0800 Subject: [c-nsp] VSS display of show run on standby switch In-Reply-To: References: Message-ID:

You just want to see the serial number of the supervisor in standby? Check the show inventory raw command to see whether you can find the answer or not. Xu Hu 2012/3/14 Brad Clausen > Hey Guys, > > I have 2 x 6509's running as a virtual switch (VSS). I can't for the likes > of me work out the command to display the serial number details of the > Supervisor that is in standby. The Show run displays the details of the > active supervisor. > > > OMESW001#sho switch virtual > Switch mode : Virtual Switch > Virtual switch domain number : 100 > Local switch number : 2 > Local switch operational role: Virtual Switch Active > Peer switch number : 1 > Peer switch operational role : Virtual Switch Standby > OMESW001# > > > how can I display the show run equivalent on peer switch 1?
> _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ >

From jstuxuhu0816 at gmail.com Wed Mar 14 03:52:21 2012 From: jstuxuhu0816 at gmail.com (Xu Hu) Date: Wed, 14 Mar 2012 15:52:21 +0800 Subject: [c-nsp] Carrier grade NAT44 & newest Cisco boxes In-Reply-To: <4F603B82.5060709@mostelekom.net> References: <4F5C3DF6.3010007@inbox.ru> <4F5F6136.4090508@mostelekom.net> <20120313151214.GN1359@greenie.muc.de> <4F603B82.5060709@mostelekom.net> Message-ID:

Actually in our 3G network, we use the 7609 (two ACE modules) for the NAT, in the live situation, we had 4M users. It is quite stable for now. Also we bought the ASR9K to expand the 3G network, maybe will migrate the NAT to ASR9K. Xu Hu 2012/3/14 Ruslan Pustovoitov > The question was what strategy of NAT deployment can be accepted by large > ISP if one of the internal condition to use only cisco boxes for NAT ? > Hidden cost was always visible to engineers ) > Now It is time to pay ) > > Has cisco plan to announce in next two year successor of ISM-100 with > better performance ? > For example, if ISP already has asr9k chassis placed everywhere in it's > network, it will be happy to know that in 2013 cisco planning to do another > card which will seat instead of ISM-100 into the same chassis. > > > > Gert Doering wrote: > > Hi, >> >> On Tue, Mar 13, 2012 at 07:01:10PM +0400, Ruslan Pustovoitov wrote: >> >> >>> Does this question not worry community ? >>> >>> >> >> I think it's great that the hidden costs that come with running IPv4 >> now start being openly visible... >> >> Sorry, what was the question?
>> >> gert >> >> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ >

From ck-lists at cksoft.de Wed Mar 14 04:38:04 2012 From: ck-lists at cksoft.de (Christian Kratzer) Date: Wed, 14 Mar 2012 09:38:04 +0100 (CET) Subject: [c-nsp] Carrier grade NAT44 & newest Cisco boxes In-Reply-To: References: <4F5C3DF6.3010007@inbox.ru> <4F5F6136.4090508@mostelekom.net> <20120313151214.GN1359@greenie.muc.de> <4F603B82.5060709@mostelekom.net> Message-ID:

Hi, On Wed, 14 Mar 2012, Xu Hu wrote: > Actually in our 3G network, we use the 7609 (two ACE modules) for the NAT, > in the live situation, we had 4M users. > It is quite stable for now. > Also we bought the ASR9K to expand the 3G network, maybe will migrate the > NAT to ASR9K. I am curious if, and if so how, you are doing logging for law enforcement purposes on that scale? We in europe have some pressure to have the ability to map the ip/port/timestamp tuple back to user. Of course nobody will be able to deliver the port together with the ip and an accurate enough timestamp for this to be meaningful. I can see this becoming a larger problem when more nats appear on conventional DSL / FTTx / Cable access products as opposed to just low bandwidth mobile networks. Greetings Christian > Xu Hu > 2012/3/14 Ruslan Pustovoitov > >> The question was what strategy of NAT deployment can be accepted by large >> ISP if one of the internal condition to use only cisco boxes for NAT ? >> Hidden cost was always visible to engineers ) >> Now It is time to pay ) >> >> Has cisco plan to announce in next two year successor of ISM-100 with >> better performance ? >> For example, if ISP already has asr9k chassis placed everywhere in it's >> network, it will be happy to know that in 2013 cisco planning to do another >> card which will seat instead of ISM-100 into the same chassis.
>> >> >> >> Gert Doering wrote: >> >> Hi, >>> >>> On Tue, Mar 13, 2012 at 07:01:10PM +0400, Ruslan Pustovoitov wrote: >>> >>> >>>> Does this question not worry community ? >>>> >>>> >>> >>> I think it's great that the hidden costs that come with running IPv4 >>> now start being openly visible... >>> >>> Sorry, what was the question? >>> >>> gert >>> >>> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ -- Christian Kratzer CK Software GmbH Email: ck at cksoft.de Wildberger Weg 24/2 Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart Web: http://www.cksoft.de/ Geschaeftsfuehrer: Christian Kratzer

From gert at greenie.muc.de Wed Mar 14 05:04:23 2012 From: gert at greenie.muc.de (Gert Doering) Date: Wed, 14 Mar 2012 10:04:23 +0100 Subject: [c-nsp] Internet inside a VRF? In-Reply-To: References: <2C1670C4-A01E-4F84-8A6F-8F6CBC54527D@beanfield.com> Message-ID: <20120314090423.GQ1359@greenie.muc.de>

Hi, On Wed, Mar 14, 2012 at 01:12:02PM +1300, Pshem Kowalczyk wrote: > In my previous role we've done just that. One internet VRF for all > transit functions, separate vrfs for peering and customers and > import-export statements to tie them all together. What is the benefit? The obvious drawback is "much more complicated, more possible ways things can blow up, and more effort to setup and maintain". (We currently run Internet in the global table, and do not currently intend to change that due to "if we make it more complicated, people will make more interesting mistakes") gert -- USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From gert at greenie.muc.de Wed Mar 14 05:09:47 2012 From: gert at greenie.muc.de (Gert Doering) Date: Wed, 14 Mar 2012 10:09:47 +0100 Subject: [c-nsp] Internet inside a VRF? In-Reply-To: <40B7C89A-2552-4774-9831-7AB1DDE4F36B@beanfield.com> References: <2C1670C4-A01E-4F84-8A6F-8F6CBC54527D@beanfield.com> <519D1D50-E028-41CC-BFF9-65099B169C59@beanfield.com> <-3038841589624570891@unknownmsgid> <40B7C89A-2552-4774-9831-7AB1DDE4F36B@beanfield.com> Message-ID: <20120314090947.GR1359@greenie.muc.de>

Hi, On Tue, Mar 13, 2012 at 09:29:11PM -0400, Dan Armstrong wrote: > Two reasons, the first reason is that the config is extremely > simple, clean and difficult for a less trained provisioning guy to > make a mistake. With route maps, it's error prone to harmonize > them across many boxes - and it's relatively easy for somebody to > muck one up by accident. I'm not exactly sure I buy the "simple and clean" argument... unless convinced otherwise, I'd claim that the customer-facing config is about the same complexity with and without VRFs, and the network-side is more complicated with VRFs and MPLS. What sort of route-maps are that, that you think need synchronizing? (genuinely curious) gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
Name: not available Type: application/pgp-signature Size: 305 bytes Desc: not available URL: From saku at ytti.fi Wed Mar 14 05:19:11 2012 From: saku at ytti.fi (Saku Ytti) Date: Wed, 14 Mar 2012 11:19:11 +0200 Subject: [c-nsp] Internet inside a VRF? In-Reply-To: <40B7C89A-2552-4774-9831-7AB1DDE4F36B@beanfield.com> References: <2C1670C4-A01E-4F84-8A6F-8F6CBC54527D@beanfield.com> <519D1D50-E028-41CC-BFF9-65099B169C59@beanfield.com> <-3038841589624570891@unknownmsgid> <40B7C89A-2552-4774-9831-7AB1DDE4F36B@beanfield.com> Message-ID: <20120314091911.GA31246@pob.ytti.fi> On (2012-03-13 21:29 -0400), Dan Armstrong wrote: > The other reason is that we have some older folks around that long for the day when the core of a carrier network was ATM based, and the plethora of hops were basically hidden behind a switched network? They feel that customers will freak out and feel the service is inferior if a traceroute goes through many dozen hops. Having this inside a VRF lets us hide the hops inside a POP for instance, and only show the major transit points for clarity. You could also use TTL hiding. One other thing, I didn't see mentioned is that with INET in VRF you can easily do subset of Internet VRFs. This can be useful for example to have IXP Internet in subset which only imports you and your customer RT. So if someone default routes to you, they won't get free transit, but will get, what they should get. You can also sell partial transits, which are enforced by routing. And I'm sure there are plenty of situations where subset of Internet is useful. -- ++ytti From avitkovsky at emea.att.com Wed Mar 14 05:45:20 2012 From: avitkovsky at emea.att.com (Vitkovsky, Adam) Date: Wed, 14 Mar 2012 10:45:20 +0100 Subject: [c-nsp] Internet inside a VRF? 
In-Reply-To: <20120314090423.GQ1359@greenie.muc.de>
References: <2C1670C4-A01E-4F84-8A6F-8F6CBC54527D@beanfield.com> <20120314090423.GQ1359@greenie.muc.de>
Message-ID:

I guess you can ask: Why do we run mpls anyway or even plan on expanding it
all the way to the access layer right?
I thought the answer is obvious, TE capabilities, fast failover or common
carrier infrastructure that scales well
And by common I mean infrastructure that supports all the services you
offer not just a couple

In pure ipv4 environment how do you make sure your RRs infrastructure
offers multiple paths for particular prefix?
-well with mpls we just configure each PE with a different RD for the
internet VRF
-I know of several solutions to this in pure ipv4 but none is this simple

adam

From michalis.bersimis at hq.cyta.gr Wed Mar 14 05:46:31 2012
From: michalis.bersimis at hq.cyta.gr (michalis.bersimis at hq.cyta.gr)
Date: Wed, 14 Mar 2012 11:46:31 +0200
Subject: [c-nsp] Internet inside a VRF?
In-Reply-To:
References:
Message-ID: <3AC32AA6AF900D47BE9B7008B9B6F985044F3A891038@CMAIL.corp.cyta>

Hi,

Putting internet in a vrf is not that bad.
I agree with some people who say that separating the global routing table
with vrf is easier, especially for networks that are deploying MPLS routers
from scratch.
I don't see any advantages from putting internet Prefixes in the global
routing table.

Best Regards,
Michalis Bersimis

----------------------------------------------------------------------

Message: 1
Date: Tue, 13 Mar 2012 21:58:58 -0500
From: Ge Moua
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Internet inside a VRF?
Message-ID: <4F600972.6040600 at umn.edu>
Content-Type: text/plain; charset=windows-1252; format=flowed

In R&E networks, separation of commodity Internet-1 and Internet-2 traffic.

--
Regards,
Ge Moua
University of Minnesota Alumnus
Email: moua0100 at umn.edu
--

On 3/13/12 8:17 PM, Jose Madrid wrote:
> I would like to understand why you guys would do this? What is the
> reasoning behind this? Super granular control? Cant this level of
> granularity be achieved with route-maps?
>
> Sent from my iPhone
>
> On Mar 13, 2012, at 8:27 PM, Dan Armstrong wrote:
>
>> We have all our Internet peers and customers inside a VRF currently, and our Cisco SE thinks we're stark raving mad, and should redesign and put everything back in the global table.
>>
>> This is all on ASR 9Ks and 7600s.
>>
>> On 2012-03-13, at 8:12 PM, Pshem Kowalczyk wrote:
>>
>>> Hi,
>>>
>>> On 14 March 2012 11:59, Dan Armstrong wrote:
>>>> I know this topic has been discussed a million times, but just wanted to get an updated opinion on how people are feeling about this:
>>>>
>>>> In a service provider network, how do people feel about putting the big Internet routing table, all their peers and customers inside a VRF? Keep the global table for just infrastructure links?
>>>
>>> In my previous role we've done just that. One internet VRF for all
>>> transit functions, separate vrfs for peering and customers and
>>> import-export statements to tie them all together. All done on ASR1k
>>> (mainly 1006, but a few of 1002 as well).
>>>
>>> kind regards
>>> Pshem

From Nick.Ryce at lumison.net Wed Mar 14 06:37:38 2012
From: Nick.Ryce at lumison.net (Nick Ryce)
Date: Wed, 14 Mar 2012 10:37:38 +0000
Subject: [c-nsp] Internet inside a VRF?
In-Reply-To: <3AC32AA6AF900D47BE9B7008B9B6F985044F3A891038@CMAIL.corp.cyta>
References: <3AC32AA6AF900D47BE9B7008B9B6F985044F3A891038@CMAIL.corp.cyta>
Message-ID:

Does memory usage not increase by putting all the internet routes in a VRF?

Nick

From saku at ytti.fi Wed Mar 14 07:21:05 2012
From: saku at ytti.fi (Saku Ytti)
Date: Wed, 14 Mar 2012 13:21:05 +0200
Subject: [c-nsp] Internet inside a VRF?
In-Reply-To:
References: <3AC32AA6AF900D47BE9B7008B9B6F985044F3A891038@CMAIL.corp.cyta>
Message-ID: <20120314112105.GA9667@pob.ytti.fi>

On (2012-03-14 10:37 +0000), Nick Ryce wrote:
> Does memory usage not increase by putting all the internet routes in a VRF?

Implementation detail. In HW FIB it shouldn't make any difference.
In SW side, as you'll have slightly longer NLRI and you must have some RT
communities it necessarily costs bit more in RIB, but this is imho,
negligible. I wouldn't personally worry about it.

I believe Cisco CEF book or maybe Behringer's MPLS VPN security book made
some assumption about 2x, but it possibly cannot be true. You can mostly
think of global table being just another instance in non-naive
implementation of multiple FIB/RIB.

--
  ++ytti

From Nick.Ryce at lumison.net Wed Mar 14 07:27:01 2012
From: Nick.Ryce at lumison.net (Nick Ryce)
Date: Wed, 14 Mar 2012 11:27:01 +0000
Subject: [c-nsp] Question for LACP/LAG gurus
Message-ID:

I'm in the same situation as below, trying to get a LACP working between
Extreme and an ASR 9k. Does anyone have a workaround for this rather than
resetting the system id of the Extreme kit?

Nick

> From: Dmitry Kiselev
> To: cisco-nsp at puck.nether.net
> Date: Tue, 12 Apr 2011 14:49:24 +0300
> Subject: [c-nsp] Question for LACP/LAG gurus
>
> Hello!
>
> While building several new LAGs on IOS XR I found strange behaviour of
> Cisco IOSes for "system priority" LACP parameter. Most of classic IOSes
> allow to set value from 0 to 65535, but IOS XR does not:
>
> 12.2(55)SE2 Switch(config)#lacp system-priority ?
>   <0-65535>  Priority value
>
> 12.2(54)SG Switch(config)#lacp system-priority ?
>   <0-65535>  Priority value
>
> 12.2(33)SRE Router(config)#lacp system-priority ?
>   <0-65535>  Priority value
>
> IOS XE 12.2(33)XNF2 Router(config)#lacp system-priority ?
>   <0-65535>  Priority value
>
> IOS XR 4.0.1 Router(config)#lacp system priority ?
>   <1-65535>  Priority for this system. Lower value is higher priority.
>
> Moreover, IOS XR does not form the LAG if received partner system priority
> is zero.
> In this case each bundle port shows the error message "Partner System ID/Key
> do not match that of the Selected links" and remain "configured" state.
>
> It would remain a theoretical nuance, but Extreme Networks switches advertise
> priority=0 by default on all LAGs causing some troubles in setup. Interesting
> fact that's in the same time zero is invalid value in Extreme switch
> configuration :) :)
>
> Extreme# configure sharing 7 lacp system-priority ?
>   System Priority (1..65535)
>
> I take a short look inside IEEE 802.1AX-2008 standard and IEEE 802.3-2005
> clause 43 and does not see any special case for priority=0. Does anybody in
> the list familiar enough with LACP to explain me why Cisco IOS XR does not
> like zero here?
>
> Thanks
>
> --
> Dmitry Kiselev

Nick Ryce
Senior Network Engineer
Pulsant Limited
T: 0845 119 9900
DDI: +44 131 5144049
W: www.pulsant.co.uk

From p.mayers at imperial.ac.uk Wed Mar 14 07:41:46 2012
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Wed, 14 Mar 2012 11:41:46 +0000
Subject: [c-nsp] N7k CoPP versus rate-limiters
Message-ID: <4F6083FA.1050602@imperial.ac.uk>

All,

We've just taken delivery of our first pair of N7k (and so far I'm
impressed).

I'm playing with porting our standard 6500 config to an equivalent N7k
config, and I'm a bit puzzled by the interaction of CoPP and the hardware
rate-limiters.
On 6500/Sup720 these two features have well documented limitations and
interaction - specifically HW rate-limiters pre-empt CoPP.

I can't seem to find detailed information on how that works in the N7k. In
general, what should I be using, for what?

This is NX-OS 6, with M1 series linecards doing routing (MPLS).

From dwinkworth at att.net Wed Mar 14 08:51:55 2012
From: dwinkworth at att.net (Derick Winkworth)
Date: Wed, 14 Mar 2012 05:51:55 -0700 (PDT)
Subject: [c-nsp] Internet inside a VRF?
In-Reply-To: <-3038841589624570891@unknownmsgid>
References: <2C1670C4-A01E-4F84-8A6F-8F6CBC54527D@beanfield.com> <519D1D50-E028-41CC-BFF9-65099B169C59@beanfield.com> <-3038841589624570891@unknownmsgid>
Message-ID: <1331729515.20891.YahooMailNeo@web180013.mail.gq1.yahoo.com>

If you run an MPLS network and are using MPLS to separate security zones
within your network (such as a very large enterprise) then this makes
perfect sense in the context of your design. Sure, it can be solutioned
otherwise. The bottom line is: POC it, buy enough RAM and CPU, and deploy
what you POC. If it works as expected without negative side-effects and
it's aligned with your overall design, then do it. Otherwise, don't.

Honestly I wouldn't use anything less than RP2 w/16GB of RAM (a common
theme in my posts here) and probably an ESP-40. Again, for the on-board RAM
setup... not the throughput.

Derick Winkworth
CCIE #15672 (RS, SP), JNCIE-M #721
http://packetpushers.net/author/dwinkworth/

From robert at raszuk.net Wed Mar 14 09:24:25 2012
From: robert at raszuk.net (Robert Raszuk)
Date: Wed, 14 Mar 2012 14:24:25 +0100
Subject: [c-nsp] Internet inside a VRF?
In-Reply-To: <20120314090947.GR1359@greenie.muc.de>
References: <2C1670C4-A01E-4F84-8A6F-8F6CBC54527D@beanfield.com> <519D1D50-E028-41CC-BFF9-65099B169C59@beanfield.com> <-3038841589624570891@unknownmsgid> <40B7C89A-2552-4774-9831-7AB1DDE4F36B@beanfield.com> <20120314090947.GR1359@greenie.muc.de>
Message-ID: <4F609C09.9070109@raszuk.net>

One additional point as I think most comments assumed such equation:

Internet in a VRF = requirement for MPLS in the core.

It does not. You can run mGRE encapsulation between ASBRs/PEs and the fact
that behind GRE header of the packet sits vpnv4/v6 mpls label would have no
bearing on the design of your core. No need to deploy LDP or RSVP-TE then
worry that /32s of PE loopbacks are starting to hurt when number of such
PEs grows ;)

Also those who wish to send all paths between their ASBRs today may just do
that by different RD configuration rather than with add-paths network wide
OS code upgrade.

----

There is one more advantage of using VRFs for Internet ... in fact just
came to me this morning.

You know there is all this buzz about securing internet with RPKI which will
allow various parties/courts to mess with it and cherry pick who has right
to be in the Internet and who does not.

So even if you would keep Internet in the global table as today rather than
dropping reachability for those forbidden guys due to RPKI telling you to do
so (in the event of no other bgp path present) you could just export it to a
VRF called Dirty_Internet and provide for those customers who are happy with
it a chained lookup (global-vrf) or (vrf-vrf) .. if no route to the dst in
the Clean_Internet global table go to vrf.

That way we could easily maintain two parallel internets without in fact
paying twice for it as only hopefully a very small percentage or nets/paths
would be considered "dirty".

Mechanics of doing it are yet to be drawn on the whiteboard .... There are
number of ways one could go about doing such design.

Regards,
R.
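The IXP-subset VRF that Saku Ytti describes earlier in this thread, and the same export-a-subset-into-its-own-VRF mechanism that Robert Raszuk's Dirty_Internet idea relies on, as an added IOS configuration example. This is not configuration from any poster or from Cisco documentation; the AS number 64496, the route-target values, the interface names and the RFC 5737 addresses are assumptions.

```cisco
! Added example, not from the thread. AS 64496 and the route targets are
! documentation values (RFC 5398); addresses are RFC 5737 placeholders.
!
! Route-target plan, one RT per kind of route:
!   64496:1  learned from transit providers
!   64496:2  learned from customers
!   64496:3  learned from IXP peers
!
! INET: the full transit table. It imports every RT, so it is the only VRF
! in which a route to "the whole Internet" exists. As Adam Vitkovsky notes
! above, giving this VRF a distinct RD on every PE keeps each PE's path
! visible through the route reflectors.
vrf definition INET
 rd 64496:1
 address-family ipv4
  route-target export 64496:1
  route-target import 64496:1
  route-target import 64496:2
  route-target import 64496:3
 exit-address-family
!
! CUST: customer-facing VRF. Customer prefixes leave it tagged 64496:2;
! customers see the full table (transit + other customers + peers).
vrf definition CUST
 rd 64496:2
 address-family ipv4
  route-target export 64496:2
  route-target import 64496:1
  route-target import 64496:2
  route-target import 64496:3
 exit-address-family
!
! IXP: the subset VRF. It never imports 64496:1, so a transit route cannot
! exist in this table at all. A peer that points a default route at us can
! only reach the customer cone; there is nothing else to forward to, so
! "free transit" is impossible by construction rather than by filter.
vrf definition IXP
 rd 64496:3
 address-family ipv4
  route-target export 64496:3
  route-target import 64496:2
 exit-address-family
!
interface GigabitEthernet0/1
 description IXP peering LAN (placeholder address)
 vrf forwarding IXP
 ip address 203.0.113.10 255.255.255.0
!
interface GigabitEthernet0/2
 description Customer link (placeholder address)
 vrf forwarding CUST
 ip address 198.51.100.1 255.255.255.252
!
router bgp 64496
 ! The vpnv4 iBGP sessions to the route reflectors that carry these VRF
 ! routes between PEs are omitted here.
 address-family ipv4 vrf IXP
  neighbor 203.0.113.20 remote-as 64497
  neighbor 203.0.113.20 activate
  ! Refuse a default route (and anything outside /8../24) from the peer,
  ! so one cannot be installed into the IXP table by accident.
  neighbor 203.0.113.20 prefix-list IXP-PEER-IN in
 exit-address-family
 address-family ipv4 vrf CUST
  neighbor 198.51.100.2 remote-as 64498
  neighbor 198.51.100.2 activate
 exit-address-family
!
ip prefix-list IXP-PEER-IN seq 5 deny 0.0.0.0/0
ip prefix-list IXP-PEER-IN seq 10 permit 0.0.0.0/0 ge 8 le 24
```

To confirm the subset really holds, compare `show ip route vrf IXP` with `show ip route vrf INET`: a transit-learned prefix must appear in the second and be absent from the first.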
From chuckchurch at gmail.com Wed Mar 14 10:26:35 2012
From: chuckchurch at gmail.com (Chuck Church)
Date: Wed, 14 Mar 2012 10:26:35 -0400
Subject: [c-nsp] VSS display of show run on standby switch
In-Reply-To:
References:
Message-ID: <004501cd01ee$7aabb510$70031f30$@gmail.com>

Haven't touched VSS in 8 months, but I believe you can do a 'sh mod ?' and
after mod, you can do options for the individual chassis numbers.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Brad Clausen
Sent: Wednesday, March 14, 2012 3:00 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] VSS display of show run on standby switch

Hey Guys,

I have 2 x 6509's running as a virtual switch (VSS). I can't for the likes
of me work out the command to display the serial number details of the
Supervisor that is in standby. The Show run displays the details of the
active supervisor.

OMESW001#sho switch virtual
Switch mode                  : Virtual Switch
Virtual switch domain number : 100
Local switch number          : 2
Local switch operational role: Virtual Switch Active
Peer switch number           : 1
Peer switch operational role : Virtual Switch Standby
OMESW001#

how can I display the show run equivalent on peer switch 1?

From rwest at zyedge.com Wed Mar 14 10:53:04 2012
From: rwest at zyedge.com (Ryan West)
Date: Wed, 14 Mar 2012 14:53:04 +0000
Subject: [c-nsp] VSS display of show run on standby switch
In-Reply-To: <004501cd01ee$7aabb510$70031f30$@gmail.com>
References: <004501cd01ee$7aabb510$70031f30$@gmail.com>
Message-ID: <5DC4853C6CC3EE4788779E0726E034DD010887B0@zy-ex1.zyedge.local>

On Wed, Mar 14, 2012 at 10:26:35, Chuck Church wrote:
> Subject: Re: [c-nsp] VSS display of show run on standby switch
>
> Haven't touched VSS in 8 months, but I believe you can do a 'sh mod ?'
> and after mod, you can do options for the individual chassis numbers.
>

Yup, 'show mod switch all' will list both. Show inv will also get you both
with a Chassis # identifier.

-ryan

From conceicao.jose at gmail.com Wed Mar 14 10:56:05 2012
From: conceicao.jose at gmail.com (Jose Conceicao)
Date: Wed, 14 Mar 2012 14:56:05 +0000
Subject: [c-nsp] VSS display of show run on standby switch
In-Reply-To: <004501cd01ee$7aabb510$70031f30$@gmail.com>
References: <004501cd01ee$7aabb510$70031f30$@gmail.com>
Message-ID:

Hi Brad,

hkgi-ddcevssa#sho mod switch 2
Switch Number:     2   Role:   Virtual Switch Standby
----------------------  -----------------------------
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1   48  CEF720 48 port 1000mb SFP              WS-X6748-SFP       xxxxxxxxxx
  2   48  CEF720 48 port 1000mb SFP              WS-X6748-SFP       xxxxxxxxxx
  3   16  CEF720 16 port 10GE                    WS-X6716-10GE      xxxxxxxxxx
  4   16  CEF720 16 port 10GE                    WS-X6716-10GE      xxxxxxxxxx
  5    5  Supervisor Engine 720 10GE (Hot)       VS-S720-10G        xxxxxxxxxx
  6   16  CEF720 16 port 10GE                    WS-X6716-10GE      xxxxxxxxxx
  7   16  CEF720 16 port 10GE                    WS-X6716-10GE      xxxxxxxxxx
  8    8  CEF720 8 port 10GE with DFC            WS-X6708-10GE      xxxxxxxxxx
  9    8  CEF720 8 port 10GE with DFC            WS-X6708-10GE      xxxxxxxxxx

Regards,
Jose

From streiner at cluebyfour.org Wed Mar 14 11:29:29 2012
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Wed, 14 Mar 2012 11:29:29 -0400 (EDT)
Subject: [c-nsp] Recommended IPv6 Resources
In-Reply-To: <1C748D48EFD36B4AA0B934E8B4E2998003F08C10@ipi-cc-srv04.ipinfrastructures.com>
References: <1C748D48EFD36B4AA0B934E8B4E2998003F08BE7@ipi-cc-srv04.ipinfrastructures.com> <20120313134928.GK1359@greenie.muc.de> <20120313140608.GL1359@greenie.muc.de> <1C748D48EFD36B4AA0B934E8B4E2998003F08C10@ipi-cc-srv04.ipinfrastructures.com>
Message-ID:

On Tue, 13 Mar 2012, Steve McCrory wrote:

> I'm more than prepared to hunt for resources and have a play with IPv6
> for myself, I just wanted a pointer in the direction of good,
> informative, up-to-date material.

Your point is well taken :)

IPv6, like many other technologies, has launched numerous religious debates
(read through the NANOG list archives for many examples ;) ), so there is
lots of information available, but there is also lots of potential
mis-information. There are also many areas where either vendor support is
lean (inet6 firewall filters in Junos), or their documentation is lean
(Cisco IPv6 inspection capabilities in the ASA comes to mind).
jms

From Jean-Francois.TremblayING at videotron.com Wed Mar 14 11:12:51 2012
From: Jean-Francois.TremblayING at videotron.com (Jean-Francois.TremblayING at videotron.com)
Date: Wed, 14 Mar 2012 11:12:51 -0400
Subject: [c-nsp] Carrier grade NAT44 & newest Cisco boxes
In-Reply-To:
Message-ID:

> We in europe have some pressure to have the ability to map the ip/port/timestamp
> tuple back to user. Of course nobody will be able to deliver the port together
> with the ip and an accurate enough timestamp for this to be meaningful.

Bulk Port Allocation (also called Port Range Allocation) is probably what
you're looking for. It reduces logging requirements by several orders of
magnitudes and your timestamping doesn't have to be as precise. This is a
must to deploy any CGN, IMHO. Coming soon to your favorite Cisco CGN
implementation, apparently...

> I can see this becoming a larger problem when more nats appear on conventional
> DSL / FTTx / Cable access products as opposed to just low bandwidth mobile networks.

Mobile networks aren't that low bandwidth anymore. They have the same
issues with logging.
/JF

From psirt at cisco.com Wed Mar 14 12:16:48 2012
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Wed, 14 Mar 2012 12:16:48 -0400
Subject: [c-nsp] Cisco Security Advisory: Cisco ASA 5500 Series Adaptive Security Appliance Clientless VPN ActiveX Control Remote Code Execution Vulnerability
Message-ID: <201203141216.asaclient-ep@psirt.cisco.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Cisco Security Advisory: Cisco ASA 5500 Series Adaptive Security Appliance
Clientless VPN ActiveX Control Remote Code Execution Vulnerability

Advisory ID: cisco-sa-20120314-asaclient

Revision 1.0

For Public Release 2012 March 14 16:00 UTC (GMT)

+--------------------------------------------------------------------

Summary
=======

The Cisco Clientless VPN solution as deployed by Cisco ASA 5500 Series
Adaptive Security Appliances (Cisco ASA) uses an ActiveX control on client
systems to perform port forwarding operations. Microsoft Windows-based
systems that are running Internet Explorer or another browser that supports
Microsoft ActiveX technology may be affected if the system has ever
connected to a device that is running the Cisco Clientless VPN solution.

A remote, unauthenticated attacker who could convince a user to connect to
a malicious web page could exploit this issue to execute arbitrary code on
the affected machine with the privileges of the web browser.

The affected ActiveX control is distributed to endpoint systems by Cisco
ASA. However, the impact of successful exploitation of this vulnerability
is to the endpoint system only and does not compromise Cisco ASA devices.

Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120314-asaclient

Affected Products
=================

Cisco Clientless VPN is a feature available on Cisco ASA 5500 Series
Adaptive Security Appliances.

Vulnerable Products
+------------------

Cisco ASA 5500 Series Adaptive Security Appliances that are running one of
the following versions contain the affected ActiveX component:

+---------------------------------------------------------------+
| Affected Version                             | Affected Release|
|----------------------------------------------+----------------|
| Cisco Adaptive Security Appliance Software   | 7.1            |
| 7.x                                          | 7.2            |
|----------------------------------------------+----------------|
|                                              | 8.0            |
|                                              | 8.1            |
| Cisco Adaptive Security Appliance Software   | 8.2            |
| 8.x                                          | 8.3            |
|                                              | 8.4            |
|                                              | 8.6            |
+---------------------------------------------------------------+

Note: Cisco ASA Software version 7.0 and 7.1 have reached end of software
maintenance. Customers who are using Cisco ASA Software version 7.0 or 7.1
should contact their Cisco support team for assistance in upgrading to a
supported version of Cisco ASA Software.

Note: The affected implementation of the Cisco Clientless VPN solution was
introduced with the release of Cisco ASA Software version 7.1. This issue
does not affect devices running Cisco PIX Software.

Administrators may determine whether the Cisco Clientless VPN solution is
enabled on their devices by issuing the "show running-config webvpn"
command. The following example shows the response when the Cisco Clientless
VPN solution is enabled:

    ciscoasa# show running-config webvpn
    webvpn
     enable outside

End user systems running Microsoft Windows may be affected if they have
used the Cisco Clientless VPN feature on an affected device from a browser
that supports ActiveX technology.
Devices that contain the cscopf.ocx ActiveX control registered with a class
ID (CLSID) of {B8E73359-3422-4384-8D27-4EA1B4C01232} are affected. The
affected controls are marked both Safe for Scripting (SFS) and Safe for
Initialization (SFI), which may present additional attack vectors when a
system has registered and cached the affected control.

Products Confirmed Not Vulnerable
+--------------------------------

  * Cisco Firewall Service Modules are not affected by this vulnerability
  * Cisco Adaptive Security Appliance Services Modules are not affected by
    this vulnerability
  * Cisco IOS Software-based devices that use the Cisco Clientless VPN
    solution (WebVPN) are not affected by this vulnerability

No other Cisco products are currently known to be affected by this
vulnerability.

Details
=======

Cisco Adaptive Security Appliances (ASA) contain a feature known as the
Cisco Clientless VPN solution. The Cisco Clientless VPN feature allows
users to use a web browser to create an SSL VPN tunnel from an endpoint
device to a Cisco ASA device. When connected, the ASA pushes several
ActiveX and Java applications to the endpoint device to allow a number of
features to operate.

When a browser that supports Microsoft ActiveX technology is used to create
the Clientless VPN tunnel, the Cisco Port Forwarder ActiveX control may be
sent to the endpoint system on which the browser is running. This control
contains an exploitable buffer overflow vulnerability that could allow an
unauthenticated, remote attacker who can convince a user to visit a
malicious website to execute attacker-controlled arbitrary code on the
endpoint device. The attacker-supplied code would be executed with the
privileges of the user who invoked the browser used to visit the
attacker-controlled website. If the user has administrative privileges, a
complete compromise may occur.
Upgrading a Cisco ASA device to a version of software that contains the fixed control will not remediate the issue on endpoint systems that have downloaded the affected control. Affected endpoint systems will need to disable the control via one of the methods suggested in the "Workarounds" section of this document. Endpoint systems may also connect to a Cisco ASA device that is running a version of software that contains the fixed control via the Cisco Clientless VPN solution to update the control to an unaffected version.

When loaded on an endpoint system, the affected control has a binary name of cscopf.ocx and is registered on a system with a CLSID of {B8E73359-3422-4384-8D27-4EA1B4C01232}. Fixed versions of the cscopf.ocx control are registered with CLSID {C861B75F-EE32-4aa4-B610-281AF26A8D1C}.

Cisco is requesting that Microsoft set a global kill bit for this control in a future Microsoft kill-bit update. After this update occurs, the affected control will stop operating on all affected endpoint systems that load the Microsoft-provided update.

This advisory addresses the vulnerability in the Cisco Port Forwarder ActiveX control provided by Cisco ASA when the Cisco Clientless VPN feature is used.

This issue is documented in Cisco bug ID CSCtr00165 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2012-0358.

Vulnerability Scoring Details
=============================

Cisco has scored the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps organizations determine the urgency and priority of a response.

Cisco has provided a base and temporal score. Customers can also compute environmental scores that help determine the impact of the vulnerability in their own networks.
Cisco has provided additional information regarding CVSS at the following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to compute the environmental impact for individual networks at the following link:
http://intellishield.cisco.com/security/alertmanager/cvss

* CSCtr00165 ("Cisco Clientless VPN Port Forwarder ActiveX Control Remote Code Execution Vulnerability")

CVSS Base Score - 9.3
    Access Vector - Network
    Access Complexity - Medium
    Authentication - None
    Confidentiality Impact - Complete
    Integrity Impact - Complete
    Availability Impact - Complete

CVSS Temporal Score - 7.7
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

Impact
======

Successful exploitation of the vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code on the affected end-user system with the privileges of the user who invoked the web browser. If the user has administrative privileges, code execution may result in a complete compromise of the affected system.

Software Versions and Fixes
===========================

When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
+---------------------------------------------------------------+
|Affected      | First Fixed     | Recommended Release          |
|Version       |Release          |                              |
|--------------+-----------------+------------------------------|
|Cisco ASA 7.0 |Not Vulnerable   |Migrate to 7.2 or later       |
|--------------+-----------------+------------------------------|
|Cisco ASA 7.1 |Vulnerable       |Vulnerable; Migrate to 7.2 or |
|              |                 |later                         |
|--------------+-----------------+------------------------------|
|Cisco ASA 7.2 | 7.2(5.6)        |7.2(5.7)                      |
|--------------+-----------------+------------------------------|
|Cisco ASA 8.0 |8.0(5.26)        |Migrate to 8.2(5.26) or later |
|--------------+-----------------+------------------------------|
|Cisco ASA 8.1 | 8.1(2.53)       |Migrate to 8.2(5.26) or later |
|--------------+-----------------+------------------------------|
|Cisco ASA 8.2 | 8.2(5.18)       |8.2(5.26)                     |
|--------------+-----------------+------------------------------|
|Cisco ASA 8.3 | 8.3(2.28)       |Migrate to 8.4(3.8) or later  |
|--------------+-----------------+------------------------------|
|Cisco ASA 8.4 |8.4(2.16)        |8.4(3.8)                      |
|--------------+-----------------+------------------------------|
|Cisco ASA 8.5 |Not Vulnerable   |8.5(1.7)                      |
|--------------+-----------------+------------------------------|
|Cisco ASA 8.6 |8.6(1.1)         |8.6(1.1)                      |
+---------------------------------------------------------------+

Note: Cisco ASA Software version 7.0 and 7.1 have reached end of software maintenance. Customers who are using Cisco ASA Software version 7.0 or 7.1 should contact their Cisco support team for assistance in upgrading to a supported version of Cisco ASA Software.

Note: The recommended releases contain the fixes for all vulnerabilities for all the advisories published in the publication. Cisco recommends upgrading to a release that is equal to or later than these recommended releases.
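Reading interim release strings such as "8.2(5.18)" against the fix table above by hand is error-prone, so here is an added example (not Cisco tooling) that parses an ASA version string, looks up its release train in a transcription of the table, and reports whether the running release is at or beyond the first fixed release. The parsing rule for the parenthesised maintenance and interim numbers, and the "show version" line format, are assumptions.

```python
"""Check a running Cisco ASA version against the fix table for CSCtr00165.

Added example; FIRST_FIXED is transcribed from the advisory's
"Software Versions and Fixes" table (cisco-sa-20120314-asaclient).
"""
import re
from typing import Optional, Tuple

# First fixed release per major train. None means the train is vulnerable
# and has no fixed release (7.1: migrate to 7.2 or later); NOT_VULNERABLE
# marks trains the table lists as not vulnerable.
NOT_VULNERABLE = "not_vulnerable"
FIRST_FIXED: dict = {
    "7.0": NOT_VULNERABLE,
    "7.1": None,
    "7.2": "7.2(5.6)",
    "8.0": "8.0(5.26)",
    "8.1": "8.1(2.53)",
    "8.2": "8.2(5.18)",
    "8.3": "8.3(2.28)",
    "8.4": "8.4(2.16)",
    "8.5": NOT_VULNERABLE,
    "8.6": "8.6(1.1)",
}

# Assumed format: major.minor(maintenance[.interim]); the parenthesised part is optional.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\((\d+)(?:\.(\d+))?\))?\s*$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """'8.2(5.18)' -> (8, 2, 5, 18); '8.4(3)' -> (8, 4, 3, 0); '8.6' -> (8, 6, 0, 0)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ASA version string: {text!r}")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint or 0), int(interim or 0))


def extract_version(show_version_output: str) -> str:
    """Pull the ASA software version out of 'show version' output (assumed line format)."""
    m = re.search(r"Adaptive Security Appliance Software Version (\S+)", show_version_output)
    if not m:
        raise ValueError("no ASA software version line found")
    return m.group(1)


def assess(version_text: str) -> str:
    """Return 'not_vulnerable', 'vulnerable' or 'fixed' for a running version."""
    v = parse_version(version_text)
    train = f"{v[0]}.{v[1]}"
    if train not in FIRST_FIXED:
        raise ValueError(f"release train {train} is not covered by the advisory table")
    fixed: Optional[str] = FIRST_FIXED[train]
    if fixed == NOT_VULNERABLE:
        return NOT_VULNERABLE
    if fixed is None:
        return "vulnerable"            # 7.1: no fixed release in this train
    return "fixed" if v >= parse_version(fixed) else "vulnerable"


if __name__ == "__main__":
    # Constructed sample, modelled on the 'show version | include Version' output style.
    sample = ("ciscoasa#show version | include Version\n"
              "Cisco Adaptive Security Appliance Software Version 8.4(1)\n"
              "Device Manager Version 6.4(1)\n")
    running = extract_version(sample)
    print(f"running {running}: {assess(running)}")
```

Note that "fixed" only means the ASA now serves the fixed cscopf.ocx; endpoints that cached the old control still need the workaround or a fresh connection, as the notes above say.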
Note: Upgrading a Cisco ASA device to a version of software that contains the fixed version of the Cisco Port Forwarder ActiveX control does not remove the vulnerability on affected endpoint systems. Affected endpoint systems will need to download the fixed version by connecting to a Cisco ASA device that is running fixed software via the Cisco Clientless Web solution or disable the affected control via one of the methods mentioned in the "Workarounds" section of this document.

Workarounds
===========

End users or administrators may mitigate Internet Explorer as an attack vector by setting the kill bit for the affected ActiveX control. This can be achieved by modifying the registry either directly on the affected machine or via an Active Directory Group Policy.

Warning: Incorrectly modifying the system registry of a Microsoft Windows-based device may cause serious problems. Neither Cisco nor Microsoft can guarantee that you can resolve problems that may result from improper registry modification from either applying the registry changes via a .reg file or by using the Registry Editor incorrectly. Modify the registry of your system at your own risk.

To set the kill bit for the CLSID with a value of {B8E73359-3422-4384-8D27-4EA1B4C01232}, paste the following text in a text editor such as Notepad. Save the file using the .reg filename extension.

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B8E73359-3422-4384-8D27-4EA1B4C01232}]
    "Compatibility Flags"=dword:04000400

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{B8E73359-3422-4384-8D27-4EA1B4C01232}]
    "Compatibility Flags"=dword:04000400

End users can apply this .reg file to individual systems by double-clicking the file. Administrators can also apply the registry change across domains by using Group Policy.
You can find more information about using Group Policy in the following Microsoft TechNet article: Group Policy Collection

When the registry change has been applied, Microsoft Internet Explorer must be restarted for the changes to take effect.

Once the kill bit has been set, the affected control will no longer be accessible by the Cisco Clientless VPN system or a malicious web page when accessed by Internet Explorer. This change may impact some clientless installations that use the Cisco Port Forwarder ActiveX control. One common component that may stop operating is the ActiveX RDP plug-in.

Mitigations that can be deployed on Cisco devices in a network are available in the Cisco Applied Intelligence companion document for this advisory:
http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20120314-asaclient

Obtaining Fixed Software
========================

Cisco has released free software updates that address the vulnerability described in this advisory. Prior to deploying software, customers are advised to consult their maintenance providers or check the software for feature set compatibility and known issues that are specific to their environments.

Customers may only install and expect support for feature sets they have purchased. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as set forth at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact psirt at cisco.com or security-alert at cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, upgrades should be obtained through the Software Center on Cisco.com at http://www.cisco.com.
Customers Using Third-Party Support Organizations
+------------------------------------------------

Customers with Cisco products that are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers, should contact that organization for assistance with the appropriate course of action.

The effectiveness of any workaround or fix depends on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Because of the variety of affected products and releases, customers should consult their service providers or support organizations to ensure that any applied workaround or fix is the most appropriate in the intended network before it is deployed.

Customers Without Service Contracts
+----------------------------------

Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC):

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac at cisco.com

Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Customers without service contracts should request free upgrades through the TAC.

Refer to Cisco Worldwide Contacts at http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, instructions, and e-mail addresses for support in various languages.
Exploitation and Public Announcements
=====================================

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

This vulnerability was reported to Cisco by Will Dormann of the CERT/CC.

Status of This Notice: Final
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco Security Intelligence Operations at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120314-asaclient

Additionally, a text version of this advisory is clear signed with the Cisco PSIRT PGP key and circulated among the following e-mail addresses:

  * cust-security-announce at cisco.com
  * first-bulletins at lists.first.org
  * bugtraq at securityfocus.com
  * vulnwatch at vulnwatch.org
  * cisco at spot.colorado.edu
  * cisco-nsp at puck.nether.net
  * full-disclosure at lists.grok.org.uk

Future updates of this advisory, if any, will reside on Cisco.com but may not be announced on mailing lists. Users can monitor this advisory's URL for any updates.

Revision History
================

+------------------------------------------------------------+
| Revision 1.0 | 2012-Mar-14 | Initial public release.       |
+------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information about reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco is available on Cisco.com at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This web page includes instructions for press inquiries regarding Cisco Security Advisories. All Cisco Security Advisories are available at http://www.cisco.com/go/psirt.

From psirt at cisco.com Wed Mar 14 12:17:13 2012
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Wed, 14 Mar 2012 12:17:13 -0400
Subject: [c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module
Message-ID: <20120314121708.cisco-sa-20120314-asa@psirt.cisco.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module

Advisory ID: cisco-sa-20120314-asa

Revision 1.0

For Public Release 2012 March 14 16:00 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Cisco ASA 5500 Series Adaptive Security Appliances (ASA) and Cisco Catalyst 6500 Series ASA Services Module (ASASM) are affected by the following vulnerabilities:

  * Cisco ASA UDP Inspection Engine Denial of Service Vulnerability
  * Cisco ASA Threat Detection Denial of Service Vulnerability
  * Cisco ASA Syslog Message 305006 Denial of Service Vulnerability
  * Protocol-Independent Multicast Denial of Service
    Vulnerability

These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others.

Cisco has released free software updates that address these vulnerabilities. Workarounds are available to mitigate some of the vulnerabilities.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120314-asa

Note: The Cisco Catalyst 6500 Series Firewall Services Module (FWSM) may be affected by some of the vulnerabilities above. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the Cisco FWSM. The FWSM advisory is available at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120314-fwsm

Affected Products
=================

Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module are affected by multiple vulnerabilities. Affected versions of Cisco ASA Software will vary depending on the specific vulnerability. Consult the "Software Versions and Fixes" section of this security advisory for more information about the affected version.

Cisco PIX Security Appliances may be affected by some of the vulnerabilities described in this security advisory. Cisco PIX has reached end of maintenance support. Cisco PIX Security Appliance customers are encouraged to migrate to Cisco ASA 5500 Series Adaptive Security Appliances. Consult the dedicated section for Cisco PIX Security Appliances in the "Vulnerable Products" section of this security advisory for more information about affected versions.

Vulnerable Products
+------------------

For specific version information, refer to the "Software Versions and Fixes" section of this advisory.
Cisco ASA UDP Inspection Engine Denial of Service Vulnerability
+--------------------------------------------------------------

The Cisco ASA UDP inspection engine that is used to inspect UDP-based protocols contains a vulnerability that could allow a remote unauthenticated attacker to trigger a reload of the Cisco ASA. All UDP protocols that are being inspected by the Cisco ASA UDP inspection engine may be vulnerable. The following protocols are known to use the Cisco ASA UDP inspection engine:

  * Domain Name System (DNS)
  * Session Initiation Protocol (SIP)
  * Simple Network Management Protocol (SNMP)
  * GPRS Tunneling Protocol (GTP)
  * H.323, H.225 RAS
  * Media Gateway Control Protocol (MGCP)
  * SunRPC
  * Trivial File Transfer Protocol (TFTP)
  * X Display Manager Control Protocol (XDMCP)
  * IBM NetBios
  * Instant Messaging (depending on the particular IM client/solution being used)

Note: UDP inspection engines may be enabled by default on Cisco ASA Software. Please consult your user guide for more information. The default inspected ports are listed at the following link:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/inspect_overview.html

Note: The Cisco ASA UDP inspection can be applied to non-default UDP ports via class-map and policy-map commands. Any instance of use of the Cisco ASA UDP inspection engines may be vulnerable to this vulnerability; thus, configurations that include non-default UDP ports but use the Cisco ASA UDP inspection engine are considered vulnerable.

To determine whether any of the above inspections are enabled, issue the show service-policy | include command and confirm that the command returns output.
The following example shows a Cisco ASA configured to inspect IBM NetBIOS traffic:

    ciscoasa# show service-policy | include netbios
          Inspect: netbios, packet 0, drop 0, reset-drop 0

Cisco ASA Threat Detection Denial of Service Vulnerability
+---------------------------------------------------------

The Cisco ASA Threat Detection feature, when configured with the Scanning Threat Mode feature and with the shun option enabled, contains a vulnerability that could allow a remote unauthenticated attacker to trigger a reload of the Cisco ASA. This feature is not enabled by default.

To determine whether the Cisco ASA Threat Detection with Scanning Threat feature and shun option is enabled, issue the show running-config threat-detection scanning-threat command and confirm that the returned output includes the shun option. The following example shows a vulnerable configuration:

    ciscoasa# show running-config threat-detection scanning-threat
    threat-detection scanning-threat shun

Note: This feature was first introduced in Cisco ASA Software Version 8.0(2). Previous versions of Cisco ASA are not vulnerable.

Cisco ASA Syslog Message 305006 Denial of Service Vulnerability
+--------------------------------------------------------------

A denial of service (DoS) vulnerability exists in the implementation of one specific system log (syslog) message (message ID 305006) that could cause a reload of the Cisco ASA if this syslog message needs to be generated.

Syslog message ID 305006 is generated when the Cisco ASA is unable to create a network address translation for a new connection. Additional information regarding this syslog message can be found in the Cisco ASA System Log Messages guide at:
http://www.cisco.com/en/US/products/ps6120/products_system_message_guides_list.html

Logging is not enabled by default on Cisco ASA; however, when logging is enabled, Cisco ASA will automatically enable syslog message 305006.
Cisco ASA Software may be affected by this vulnerability if the following conditions are satisfied:

  * System logging is enabled and syslogs are configured to be sent to any syslog destination (including Buffer or ASDM, for example)
  * Cisco ASA Software is configured in any way to generate syslog message 305006

Syslog message 305006 has a default severity level of 3 (errors). Cisco ASA Software configured for logging at Level 3 or higher (that is, Levels 3 through 7) may be vulnerable.

To verify if logging is enabled, issue the show logging command. The following example shows a Cisco ASA with logging enabled and buffer logging enabled at Level 6 (informational):

    ciscoasa# show logging
    Syslog logging: enabled
        Facility: 20
        Timestamp logging: disabled
        Standby logging: disabled
        Debug-trace logging: disabled
        Console logging: disabled
        Monitor logging: disabled
        Buffer logging: level informational, 2 messages logged
        Trap logging: disabled
        Permit-hostdown logging: disabled
        History logging: disabled
        Device ID: disabled
        Mail logging: disabled
        ASDM logging: disabled

Using a custom message list (created via the logging list command) that includes syslog message 305006, either by severity or by explicitly including the message ID, is also a vulnerable configuration.

The default severity level of syslog messages can be changed. If the default severity level of syslog message 305006 is changed and the device is configured to log to any destination at the new severity level, the device is vulnerable.

Note: This vulnerability was introduced after the implementation of the new Cisco ASA Identity Firewall (IDFW) feature. The Cisco ASA IDFW feature was introduced in the Cisco ASA Software Version 8.4(2); thus, previous versions of Cisco ASA Software are not affected.
Protocol-Independent Multicast Denial of Service Vulnerability
+-------------------------------------------------------------

Cisco ASA Software is affected by a vulnerability that may cause affected devices to reload during the processing of a Protocol-Independent Multicast (PIM) message when multicast routing is enabled. This feature is not enabled by default.

To verify if PIM is enabled on an interface, use the show pim interface command and confirm that the state "on" appears under the PIM column. The following example shows PIM enabled on the interface outside but disabled on the interface inside:

    ciscoasa# show pim interface

    Address          Interface          PIM  Nbr   Hello  DR    DR
                                             Count Intvl  Prior
    192.168.1.1      outside            on   0     30     1     this system
    192.168.2.1      inside             off  0     30     1     this system

Note: Cisco ASA is vulnerable if at least one interface state is marked "on" under the PIM column of the show pim interface command output.

Determine the Running Software Version
+-------------------------------------

To determine whether a vulnerable version of Cisco ASA Software is running on an appliance, administrators can issue the show version command. The following example shows a Cisco ASA 5500 Series Adaptive Security Appliance that is running software version 8.4(1):

    ciscoasa#show version | include Version
    Cisco Adaptive Security Appliance Software Version 8.4(1)
    Device Manager Version 6.4(1)

Customers who use Cisco Adaptive Security Device Manager (ASDM) to manage devices can locate the software version in the table that is displayed in the login window or upper-left corner of the Cisco ASDM window.

Information about Cisco PIX Security Appliance
+---------------------------------------------

Cisco PIX may be affected by some of the vulnerabilities described in this security advisory. Cisco PIX has reached end of maintenance support. Cisco PIX customers are encouraged to migrate to Cisco ASA.
All versions of the Cisco PIX Security Appliances Software are affected by the Protocol-Independent Multicast Denial of Service Vulnerability.

Version 8.0 of Cisco PIX Security Appliances Software is affected by the Cisco ASA UDP Inspection Engine Denial of Service Vulnerability and the Cisco ASA Threat Detection Denial of Service Vulnerability.

Cisco PIX Security Appliances are not vulnerable to the Cisco ASA Syslog Message 305006 Denial of Service Vulnerability.

Products Confirmed Not Vulnerable
+--------------------------------

With the exception of the Cisco FWSM, no other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

The following section gives additional detail about each vulnerability.

Cisco ASA UDP Inspection Engine Denial of Service Vulnerability
+--------------------------------------------------------------

Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned ports. Cisco ASA Software supports a number of inspection engines for UDP and TCP-based protocols.

The Cisco ASA UDP inspection engine that is used to inspect UDP-based protocols contains a vulnerability that could allow a remote unauthenticated attacker to trigger a reload of the Cisco ASA. The vulnerability is due to improper flow handling by the inspection engine. An attacker could exploit this vulnerability by sending a specially crafted sequence through the affected system. All UDP protocols that are inspected by the inspection engine may be vulnerable to this vulnerability.
The following protocols are known to use the UDP inspection engine:

  * Domain Name System (DNS)
  * Session Initiation Protocol (SIP)
  * Simple Network Management Protocol (SNMP)
  * GPRS Tunneling Protocol (GTP)
  * H.323, H.225 RAS
  * Media Gateway Control Protocol (MGCP)
  * SunRPC
  * Trivial File Transfer Protocol (TFTP)
  * X Display Manager Control Protocol (XDMCP)
  * IBM NetBios
  * Instant Messaging (depending on the particular IM client/solution being used)

Inspection engines may be enabled by default on Cisco ASA Software. Please consult your user guide for more information. The default inspected ports are listed at the following link:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/inspect_overview.html#wp1536127

Note: Only transit traffic can be used to exploit this vulnerability. This vulnerability affects both routed and transparent firewall mode in both single and multi-context mode. This vulnerability can be triggered by IPv4 and IPv6 traffic. Only UDP traffic can trigger this vulnerability.

This vulnerability is documented in Cisco bug ID CSCtq10441 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2012-0353.

Cisco ASA Threat Detection Denial of Service Vulnerability
+---------------------------------------------------------

The Cisco ASA Threat Detection feature consists of different levels of statistics gathered for various threats, as well as scanning threat detection, which determines when a host is performing a scan. Optionally, you can shun any hosts that are determined to be a scanning threat.

The Cisco ASA Threat Detection feature, when configured with the Cisco ASA Scanning Threat Mode feature and with the shun option enabled, contains a vulnerability that could allow a remote, unauthenticated attacker to trigger a reload of the Cisco ASA. The vulnerability is due to improper handling of the internal flaw that is triggered by the shun event.
An attacker may exploit this vulnerability by sending IP packets through the affected system in a way that triggers the shun option of the Threat Detection scanning feature.

Note: Only transit traffic can be used to exploit this vulnerability. This vulnerability affects both routed and transparent firewall mode, only in single context mode. This vulnerability can be triggered by IPv4 and IPv6 traffic.

This vulnerability is documented in Cisco bug ID CSCtw35765 and has been assigned CVE ID CVE-2012-0354.

Cisco ASA Syslog Message 305006 Denial of Service Vulnerability
+--------------------------------------------------------------

Cisco ASA Software has a System Log (syslog) feature that provides information for monitoring normal operation and troubleshooting network or device issues. Syslog messages are assigned different severities (including debugging, informational, error and critical, for example) and can be sent to different logging destinations.

A denial of service vulnerability exists in the implementation of one specific syslog message (message ID 305006) that can cause a reload of the Cisco ASA if this syslog message needs to be generated. An attacker could exploit this vulnerability by sending a sequence of packets that could trigger the generation of the syslog message.

Syslog message ID 305006 is generated when the Cisco ASA is unable to create a network address translation for a new connection. Additional information about this syslog message can be found in the Cisco ASA System Log Messages guide:
http://www.cisco.com/en/US/products/ps6120/products_system_message_guides_list.html

Note: Only transit traffic can be used to exploit this vulnerability. This vulnerability affects both routed and transparent firewall mode in both single and multi-context mode. This vulnerability can be triggered by IPv4 and IPv6 traffic.

This vulnerability is documented in Cisco bug ID CSCts39634 and has been assigned CVE ID CVE-2012-0355.
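The four "is this configuration exposed" checks described under Vulnerable Products (UDP inspections in show service-policy, the scanning-threat shun option, logging destinations at or above the 305006 severity, and interfaces with PIM on) can be automated over captured show-command output. The following is an added example, not Cisco tooling: the sample outputs are constructed after the advisory's own examples, and the inspect keyword set and severity-name table are assumed mappings of the advisory's protocol and level names onto ASA CLI spellings.

```python
"""Exposure checks for the four DoS conditions in cisco-sa-20120314-asa,
driven by Cisco ASA show-command output. Added example, not Cisco tooling."""
import re
from typing import Dict, List

# Inspect keywords (as printed by "show service-policy") that the advisory
# ties to the UDP engine. Assumed spellings; "h323" covers H.323/H.225 RAS.
UDP_INSPECTIONS = {"dns", "sip", "snmp", "gtp", "h323", "mgcp", "sunrpc",
                   "tftp", "xdmcp", "netbios", "im"}

# ASA syslog severity names to numeric levels (assumed table). Message 305006
# defaults to level 3 (errors), so any destination at level 3 or above emits it.
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6,
            "debugging": 7}
MSG_305006_DEFAULT_LEVEL = 3

# Constructed samples, modelled on the outputs quoted in the advisory.
SERVICE_POLICY = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
      Inspect: http, packet 0, drop 0, reset-drop 0
      Inspect: netbios, packet 0, drop 0, reset-drop 0
"""
THREAT_DETECTION = "threat-detection scanning-threat shun\n"
SHOW_LOGGING = """\
Syslog logging: enabled
    Facility: 20
    Console logging: disabled
    Buffer logging: level informational, 2 messages logged
    Trap logging: disabled
    ASDM logging: disabled
"""
SHOW_PIM = """\
Address          Interface          PIM  Nbr   Hello  DR    DR
                                         Count Intvl  Prior
192.168.1.1      outside            on   0     30     1     this system
192.168.2.1      inside             off  0     30     1     this system
"""


def udp_inspections_enabled(service_policy: str) -> List[str]:
    """Inspections in 'show service-policy' output that use the UDP engine."""
    found = []
    for line in service_policy.splitlines():
        m = re.match(r"\s*Inspect:\s+([A-Za-z0-9-]+)", line)
        if m and m.group(1).lower() in UDP_INSPECTIONS:
            found.append(m.group(1).lower())
    return found


def scanning_threat_shun(threat_cfg: str) -> bool:
    """True when 'threat-detection scanning-threat' carries the shun option."""
    return any(re.match(r"threat-detection scanning-threat\b.*\bshun\b", ln.strip())
               for ln in threat_cfg.splitlines())


def logging_exposed(show_logging: str,
                    msg_level: int = MSG_305006_DEFAULT_LEVEL) -> bool:
    """True when syslog is enabled and some destination logs at msg_level or
    above. Custom message lists (logging list) are not parsed here and need a
    manual check, as the advisory notes they can also include 305006."""
    if not re.search(r"^Syslog logging:\s+enabled", show_logging, re.M):
        return False
    for m in re.finditer(r"^\s*\S[^:\n]* logging:\s+level\s+(\w+)",
                         show_logging, re.M):
        level = SEVERITY.get(m.group(1).lower())
        if level is not None and level >= msg_level:
            return True
    return False


def pim_enabled_interfaces(show_pim: str) -> List[str]:
    """Interfaces whose PIM column reads 'on' in 'show pim interface' output."""
    enabled = []
    for line in show_pim.splitlines():
        fields = line.split()
        if (len(fields) >= 3 and re.match(r"\d+\.\d+\.\d+\.\d+$", fields[0])
                and fields[2].lower() == "on"):
            enabled.append(fields[1])
    return enabled


def assess(outputs: Dict[str, str]) -> Dict[str, bool]:
    """Bug ID -> whether the configuration matches the advisory's exposed
    conditions. Software version is not checked here; see the fix tables."""
    return {
        "CSCtq10441": bool(udp_inspections_enabled(outputs.get("service_policy", ""))),
        "CSCtw35765": scanning_threat_shun(outputs.get("threat_detection", "")),
        "CSCts39634": logging_exposed(outputs.get("show_logging", "")),
        "CSCtr47517": bool(pim_enabled_interfaces(outputs.get("show_pim", ""))),
    }


if __name__ == "__main__":
    sample = {"service_policy": SERVICE_POLICY, "threat_detection": THREAT_DETECTION,
              "show_logging": SHOW_LOGGING, "show_pim": SHOW_PIM}
    for bug, exposed in assess(sample).items():
        print(f"{bug}: {'exposed' if exposed else 'not exposed'}")
```

A configuration flagged here is only vulnerable on the affected releases (threat detection from 8.0(2), syslog 305006 from 8.4(2)), so pair the result with the fix tables that follow.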
Protocol-Independent Multicast Denial of Service Vulnerability
+-------------------------------------------------------------

Multicast routing is a bandwidth-conserving technology that reduces traffic by simultaneously delivering a single stream of information to multiple recipients. Protocol-independent multicast (PIM) is a multicast routing protocol that is IP routing protocol-independent. PIM can leverage whatever unicast routing protocols are used to populate the unicast routing table, including EIGRP, OSPF, BGP, or static routes. PIM uses this unicast routing information to perform the multicast forwarding function, and is IP protocol-independent. Although PIM is called a multicast routing protocol, it actually uses the unicast routing table to perform the reverse path forwarding (RPF) check function instead of building a completely independent multicast routing table. PIM does not send or receive multicast routing updates between routers as do other routing protocols.

A vulnerability exists in the way PIM is implemented that may cause affected devices to reload during the processing of a PIM message when multicast routing is enabled. The vulnerability is due to improper handling of a PIM message. An attacker could exploit this vulnerability by sending a crafted PIM message to the affected system.

Note: This vulnerability affects Cisco ASA configured only in routed firewall mode and only in single context mode. This vulnerability can be triggered only by IPv4 PIM messages, as PIM over IPv6 is currently not supported.

This vulnerability is documented in Cisco bug ID CSCtr47517 and has been assigned CVE ID CVE-2012-0356.

Vulnerability Scoring Details
=============================

Cisco has scored the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability severity and helps organizations determine the urgency and priority of a response.

Cisco has provided a base and temporal score. Customers can also compute environmental scores that help determine the impact of the vulnerability in their own networks.

Cisco has provided additional information regarding CVSS at the following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to compute the environmental impact for individual networks at the following link:
http://intellishield.cisco.com/security/alertmanager/cvss

* CSCtq10441 - UDP Inspection Engine Denial of Service Vulnerability

CVSS Base Score - 7.1
    Access Vector - Network
    Access Complexity - Medium
    Authentication - None
    Confidentiality Impact - None
    Integrity Impact - None
    Availability Impact - Complete

CVSS Temporal Score - 5.9
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

* CSCtw35765 - Threat Detection Denial of Service Vulnerability

CVSS Base Score - 7.1
    Access Vector - Network
    Access Complexity - Medium
    Authentication - None
    Confidentiality Impact - None
    Integrity Impact - None
    Availability Impact - Complete

CVSS Temporal Score - 5.9
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

* CSCts39634 - Syslog Message 305006 Denial of Service Vulnerability

CVSS Base Score - 7.8
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - None
    Integrity Impact - None
    Availability Impact - Complete

CVSS Temporal Score - 6.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

* CSCtr47517 - Protocol-Independent Multicast Denial of Service Vulnerability

CVSS Base Score - 7.8
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - None
    Integrity Impact - None
    Availability Impact - Complete
CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of any of the vulnerabilities described in this security advisory may allow a remote, unauthenticated attacker to reload the affected system. Software Versions and Fixes =========================== When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at: http://www.cisco.com/go/psirt Customers should review subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Cisco ASA UDP Inspection Engine Denial of Service Vulnerability +-------------------------------------------------------------- +-------------------------------------------------------------------+ | | Major | First | | Vulnerability | Release | Fixed | | | | Release | |--------------------------------------------+---------+------------| | | 7.0 | Not | | | | Affected | | |---------+------------| | | 7.1 | Not | | | | Affected | | |---------+------------| | | 7.2 | Not | | | | Affected | | |---------+------------| | | 8.0 | 8.0(5.25) | |Cisco ASA UDP Inspection Engine Denial of |---------+------------| | Service Vulnerability - CSCtq10441 | 8.1 | 8.1(2.50) | | |---------+------------| | | 8.2 | 8.2(5.5) | | |---------+------------| | | 8.3 | 8.3(2.22) | | |---------+------------| | | 8.4 | 8.4(2.1) | | |---------+------------| | | 8.5 | 8.5(1.2) | | |---------+------------| | | 8.6 | Not | | | | Affected | +-------------------------------------------------------------------+ Cisco ASA Threat Detection 
Denial of Service Vulnerability +--------------------------------------------------------- +-------------------------------------------------------------------+ | Vulnerability | Major | First Fixed | | | Release | Release | |------------------------------------------+----------+-------------| | | 7.0 | Not | | | | Affected | | |----------+-------------| | | 7.1 | Not | | | | Affected | | |----------+-------------| | | 7.2 | Not | | | | Affected | | |----------+-------------| | | 8.0 | Migrate to | | | | 8.2(5.20) | |Cisco ASA Threat Detection Denial of |----------+-------------| | Service Vulnerability - CSCtw35765 | 8.1 | Migrate to | | | | 8.2(5.20) | | |----------+-------------| | | 8.2 | 8.2(5.20) | | |----------+-------------| | | 8.3 | 8.3(2.29) | | |----------+-------------| | | 8.4 | 8.4(3) | | |----------+-------------| | | 8.5 | 8.5(1.6) | | |----------+-------------| | | 8.6 | 8.6(1.1) | +-------------------------------------------------------------------+ Cisco ASA Syslog Message 305006 Denial of Service Vulnerability +-------------------------------------------------------------- +-------------------------------------------------------------------+ | | Major | First | | Vulnerability | Release | Fixed | | | | Release | |--------------------------------------------+---------+------------| | | 7.0 | Not | | | | Affected | | |---------+------------| | | 7.1 | Not | | | | Affected | | |---------+------------| | | 7.2 | Not | | | | Affected | | |---------+------------| | | 8.0 | Not | | | | Affected | | |---------+------------| | Cisco ASA Syslog Message 305006 Denial of | 8.1 | Not | | Service Vulnerability - CSCts39634 | | Affected | | |---------+------------| | | 8.2 | Not | | | | Affected | | |---------+------------| | | 8.3 | Not | | | | Affected | | |---------+------------| | | 8.4* | 8.4(2.11) | | |---------+------------| | | 8.5 | 8.5(1.4) | | |---------+------------| | | 8.6 | Not | | | | Affected | 
+-------------------------------------------------------------------+ *This vulnerability has been introduced after the implementation of a new Cisco ASA feature called Identity Firewall (IDFW). Cisco ASA IDFW feature has been introduced in Cisco ASA version 8.4(2), thus, previous version of Cisco ASA are not affected. Protocol-Independent Multicast Denial of Service Vulnerability +------------------------------------------------------------- +-------------------------------------------------------------------+ | Vulnerability | Major | First Fixed | | | Release | Release | |-------------------------------------------+---------+-------------| | | 7.0 | Migrate to | | | | 7.2(5.7) | | |---------+-------------| | | 7.1 | Migrate to | | | | 7.2(5.7) | | |---------+-------------| | | 7.2 | 7.2(5.7) | | |---------+-------------| | | 8.0 | 8.0(5.27) | | |---------+-------------| | Protocol-Independent Multicast Denial of | 8.1 | 8.1(2.53) | |Service Vulnerability - CSCtr47517 |---------+-------------| | | 8.2 | 8.2(5.8) | | |---------+-------------| | | 8.3 | 8.3(2.25) | | |---------+-------------| | | 8.4 | 8.4(2.5) | | |---------+-------------| | | 8.5 | 8.5(1.2) | | |---------+-------------| | | 8.6 | Not | | | | Affected | +-------------------------------------------------------------------+ Recommended Releases +------------------- The following table lists all recommended releases. These recommended releases contain the fixes for all vulnerabilities in this advisory. Cisco recommends upgrading to a release that is equal to or later than these recommended releases. 
+---------------+----------------------+
| Major Release | Recommended Release  |
|---------------+----------------------|
| 7.0           | Migrate to 7.2(5.7)  |
| 7.1           | Migrate to 7.2(5.7)  |
| 7.2           | 7.2(5.7)             |
| 8.0           | Migrate to 8.2(5.26) |
| 8.1           | Migrate to 8.2(5.26) |
| 8.2           | 8.2(5.26)            |
| 8.3           | 8.4(3.8)             |
| 8.4           | 8.4(3.8)             |
| 8.5           | 8.5(1.7)             |
| 8.6           | 8.6(1.1)             |
+---------------+----------------------+

Software Download
=================

Cisco ASA Software can be downloaded from the Software Center on Cisco.com by visiting:

http://www.cisco.com/cisco/software/navigator.html

For Cisco ASA 5500 Series Adaptive Security Appliances, navigate to Products > Security > Firewall > Firewall Appliances > Cisco ASA 5500 Series Adaptive Security Appliances > Adaptive Security Appliance (ASA) Software. Please note that some of these versions are interim versions and they can be found by expanding the Interim tab on the download page.

For Cisco Catalyst 6500 Series ASA Services Module, navigate to Products > Cisco Interfaces and Modules > Cisco Services Modules > Cisco Catalyst 6500 Series ASA Services Module > ASA Services Module (ASASM) Software. Please note that some of these versions are interim versions and they can be found by expanding the Interim tab on the download page.
Workarounds
===========

The following section will detail the workaround, if available, for each vulnerability detailed in this security advisory.

Cisco ASA UDP Inspection Engine Denial of Service Vulnerability
+--------------------------------------------------------------

There are no workarounds that mitigate this vulnerability.

Cisco ASA Threat Detection Denial of Service Vulnerability
+---------------------------------------------------------

If the shun option needs to be enabled, there are no workarounds that mitigate this vulnerability. However, if this option is not required, you can work around this vulnerability by disabling this option. This can be done by issuing the no threat-detection scanning-threat shun command. The threat-detection scanning-threat command can be used afterwards to configure the feature without the shun option.

To verify that the shun option has been correctly removed, issue the show running-config threat-detection scanning-threat command and confirm that the returned output does not show the shun option. The following example shows a Cisco ASA configured with the threat-detection scanning-threat feature without the shun option enabled:

    ciscoasa# show running-config threat-detection scanning-threat
    threat-detection scanning-threat

Cisco ASA Syslog Message 305006 Denial of Service Vulnerability
+--------------------------------------------------------------

A possible workaround is to prevent the Cisco ASA from generating the particular syslog message. This can be done by issuing the no logging message 305006 command. To verify that the message is not being generated, issue the show running-configuration logging command. The following example shows the output of the command when the logging of message 305006 is disabled:

    ciscoasa# show run logging
    [...]
    no logging message 305006
    [...]
Protocol-Independent Multicast Denial of Service Vulnerability
+-------------------------------------------------------------

If PIM is required to be enabled, then there are no workarounds that mitigate this vulnerability. However, if multicast routing is required but PIM is not used, PIM can be disabled on the Cisco ASA interfaces by issuing the no pim interface-level command. The following example shows the interface Ethernet0/0 on a Cisco ASA device with PIM disabled:

    interface Ethernet0/0
     nameif outside
     security-level 0
     ip address 192.168.1.1 255.255.255.0
     no pim

To verify that PIM is disabled on all interfaces, issue the show pim interface command and make sure that for all interfaces the PIM state is set to off. The following example shows a Cisco ASA with PIM disabled on all interfaces:

    ciscoasa# show pim interface

    Address          Interface          PIM  Nbr   Hello  DR    DR
                                            Count Intvl  Prior
    192.168.1.1      outside            off  0     30     1     this system
    192.168.2.1      inside             off  0     30     1     this system

Obtaining Fixed Software
========================

Cisco has released free software updates that address the vulnerabilities described in this advisory. Prior to deploying software, customers are advised to consult their maintenance providers or check the software for feature set compatibility and known issues that are specific to their environments.

Customers may only install and expect support for feature sets they have purchased. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license at:

http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html

Or as set forth at:

http://www.cisco.com/public/sw-center/sw-usingswc.shtml

Do not contact psirt at cisco.com or security-alert at cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels.
For most customers, upgrades should be obtained through the Software Center on Cisco.com at:

http://www.cisco.com

Customers Using Third-Party Support Organizations
+------------------------------------------------

Customers with Cisco products that are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers, should contact that organization for assistance with the appropriate course of action.

The effectiveness of any workaround or fix depends on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Because of the variety of affected products and releases, customers should consult their service providers or support organizations to ensure that any applied workaround or fix is the most appropriate in the intended network before it is deployed.

Customers Without Service Contracts
+----------------------------------

Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC):

* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac at cisco.com

Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Customers without service contracts should request free upgrades through the TAC.

Refer to Cisco Worldwide Contacts at:

http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html

For additional TAC contact information, including localized telephone numbers, instructions, and e-mail addresses for support in various languages.
Exploitation and Public Announcements
=====================================

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.

All the vulnerabilities described in this security advisory were found during internal testing or discovered during the resolution of customer support cases.

Status of This Notice: Final
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco Security Intelligence Operations at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120314-asa

Additionally, a text version of this advisory is clear signed with the Cisco PSIRT PGP key and circulated among the following e-mail addresses:

* cust-security-announce at cisco.com
* first-bulletins at lists.first.org
* bugtraq at securityfocus.com
* vulnwatch at vulnwatch.org
* cisco at spot.colorado.edu
* cisco-nsp at puck.nether.net
* full-disclosure at lists.grok.org.uk

Future updates of this advisory, if any, will reside on Cisco.com but may not be announced on mailing lists. Users can monitor this advisory's URL for any updates.
Revision History
================

+-------------------------------------------------------------------+
| Revision 1.0 | 2012-March-14 | Initial Public Release              |
+-------------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information about reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco is available on Cisco.com at:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

This web page includes instructions for press inquiries regarding Cisco Security Advisories. All Cisco Security Advisories are available at:

http://www.cisco.com/go/psirt

+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org

iF4EAREIAAYFAk9gqDoACgkQQXnnBKKRMNARMQD/WQOf+nO2va97P54EDmGQpuXf
0Rm/exibVufqYdrI0/QA/jac0kP0z5zoPO2A9wZNoRjw7rY542auiuxbovqiYKGm
=HXUs
-----END PGP SIGNATURE-----

From psirt at cisco.com  Wed Mar 14 12:17:13 2012
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Wed, 14 Mar 2012 12:17:13 -0400
Subject: [c-nsp] Cisco Security Advisory: Cisco Firewall Services Module Crafted Protocol Independent Multicast Message Denial of Service Vulnerability
Message-ID: <20120314121708.cisco-sa-20120314-fwsm@psirt.cisco.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Cisco Firewall Services Module Crafted Protocol Independent Multicast Message Denial of Service Vulnerability

Advisory ID: cisco-sa-20120314-fwsm

Revision 1.0

For Public Release 2012 March 14 16:00 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

The Cisco Catalyst 6500 Series Firewall Services Module (FWSM) contains a Protocol Independent Multicast (PIM) Denial of Service Vulnerability.

Cisco has released free software updates that address this vulnerability. There are no workarounds available that mitigate this vulnerability.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120314-fwsm

Note: The Cisco Adaptive Security Appliance (ASA) and the Cisco Catalyst 6500 ASA Services Module (ASASM) are also affected by this vulnerability. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the ASA and ASASM. That advisory is available at:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120314-asa

Affected Products
=================

The Cisco Catalyst 6500 Series Firewall Services Module is affected by this vulnerability. Not all versions of released FWSM Software are affected. Consult the "Software Versions and Fixes" section of this security advisory for more information.

Vulnerable Products
- -------------------

For specific version information, refer to the "Software Versions and Fixes" section of this advisory.

Protocol Independent Multicast Denial of Service Vulnerability
+-------------------------------------------------------------

The Cisco FWSM is affected by a vulnerability that may cause affected devices to reload during the processing of a PIM message when multicast routing is enabled. Multicast routing is disabled by default; however, when multicast routing is enabled on the Cisco FWSM, PIM is automatically enabled on all interfaces. The following command enables multicast routing:

    fwsm(config)# multicast-routing

To verify whether PIM is enabled on an interface, use the show pim interface command.
The following example shows PIM enabled on the "inside" interface:

    fwsm# sh pim interface

    Address          Interface          PIM  Nbr   Hello  DR    DR
                                            Count Intvl  Prior
    172.16.1.66      inside             on   0     30     1     this system

Products Confirmed Not Vulnerable
+--------------------------------

With the exception of the Cisco ASA and the Cisco Catalyst 6500 ASA Services Module, no other Cisco products are currently known to be affected by this vulnerability.

Details
=======

The following section gives additional details about this vulnerability.

Protocol Independent Multicast Denial of Service Vulnerability
+-------------------------------------------------------------

Multicast routing is a bandwidth-conserving technology that reduces traffic by simultaneously delivering a single stream of information to multiple recipients. Protocol Independent Multicast (PIM) is a multicast routing protocol that is independent of any IP routing protocol. PIM can leverage any unicast routing protocols that are in use, including Exterior Gateway Routing Protocol (EIGRP), Open Shortest Path First (OSPF), Border Gateway Protocol (BGP), or static routes, to populate the unicast routing table. PIM uses this unicast routing information to perform the multicast forwarding function, and is IP protocol-independent. Although PIM is called a multicast routing protocol, it actually uses the unicast routing table to perform the Reverse Path Forwarding (RPF) check function instead of building a completely independent multicast routing table. PIM does not send or receive multicast routing updates between routers as do other routing protocols.

A vulnerability exists in the way PIM is implemented that may cause affected devices to reload during the processing of a PIM message when multicast routing is enabled. The vulnerability is due to improper handling of PIM messages. An attacker could exploit this vulnerability by sending a crafted PIM message to the affected system.
This vulnerability is documented in Cisco bug ID CSCtu97367, and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2012-0356.

Vulnerability Scoring Details
=============================

Cisco has scored the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps organizations determine the urgency and priority of a response.

Cisco has provided a base and temporal score. Customers can also compute environmental scores that help determine the impact of the vulnerability in their own networks.

Cisco has provided additional information regarding CVSS at the following link:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to compute the environmental impact for individual networks at the following link:

http://intellishield.cisco.com/security/alertmanager/cvss

* CSCtu97367 - Protocol-Independent Multicast Denial of Service Vulnerability

CVSS Base Score - 7.8
    Access Vector           - Network
    Access Complexity       - Low
    Authentication          - None
    Confidentiality Impact  - None
    Integrity Impact        - None
    Availability Impact     - Complete

CVSS Temporal Score - 6.4
    Exploitability          - Functional
    Remediation Level       - Official-Fix
    Report Confidence       - Confirmed

Impact
======

Protocol Independent Multicast Denial of Service Vulnerability

Successful exploitation of the vulnerability may allow a remote, unauthenticated attacker to cause the affected system to reload.

Software Versions and Fixes
===========================

When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at:

http://www.cisco.com/go/psirt

Customers should review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Protocol Independent Multicast Denial of Service Vulnerability
+-------------------------------------------------------------

Protocol Independent Multicast Denial of Service Vulnerability

+---------------+-----------------------------------+
| Major Release | First Fixed Release               |
|---------------+-----------------------------------|
| 2.2           | Not Affected                      |
| 2.3           | Not Affected                      |
| 3.1           | Vulnerable: Migrate to 3.2        |
| 3.2           | 3.2(23) Available late March 2012 |
| 4.0           | Vulnerable: Migrate to 4.1        |
| 4.1           | 4.1(8)                            |
+---------------+-----------------------------------+

Workarounds
===========

Protocol Independent Multicast Denial of Service Vulnerability

There are no workarounds that mitigate this vulnerability.

Obtaining Fixed Software
========================

Cisco has released free software updates that address the vulnerabilities described in this advisory. Prior to deploying software, customers are advised to consult their maintenance providers or check the software for feature set compatibility and known issues that are specific to their environments.

Customers may only install and expect support for feature sets they have purchased.
By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license at:

http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html

Or as set forth at:

http://www.cisco.com/public/sw-center/sw-usingswc.shtml

Do not contact psirt at cisco.com or security-alert at cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, upgrades should be obtained through the Software Center on Cisco.com at:

http://www.cisco.com

Customers Using Third-Party Support Organizations
+------------------------------------------------

Customers with Cisco products that are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers, should contact that organization for assistance with the appropriate course of action.

The effectiveness of any workaround or fix depends on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Because of the variety of affected products and releases, customers should consult their service providers or support organizations to ensure that any applied workaround or fix is the most appropriate in the intended network before it is deployed.
Customers Without Service Contracts
+----------------------------------

Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC):

* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac at cisco.com

Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Customers without service contracts should request free upgrades through the TAC.

Refer to Cisco Worldwide Contacts at:

http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html

For additional TAC contact information, including localized telephone numbers, instructions, and e-mail addresses for support in various languages.

Exploitation and Public Announcements
=====================================

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

The vulnerability described in this security advisory was found during the resolution of a customer support case.

Status of This Notice: Final
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.
Distribution
============

This advisory is posted on Cisco Security Intelligence Operations at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120314-fwsm

Additionally, a text version of this advisory is clear signed with the Cisco PSIRT PGP key and circulated among the following e-mail addresses:

* cust-security-announce at cisco.com
* first-bulletins at lists.first.org
* bugtraq at securityfocus.com
* vulnwatch at vulnwatch.org
* cisco at spot.colorado.edu
* cisco-nsp at puck.nether.net
* full-disclosure at lists.grok.org.uk

Future updates of this advisory, if any, will reside on Cisco.com but may not be announced on mailing lists. Users can monitor this advisory's URL for any updates.

Revision History
================

+-------------------------------------------------------------------+
| Revision 1.0 | 2012-March-14 | Initial public release              |
+-------------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information about reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco is available on Cisco.com at:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

This web page includes instructions for press inquiries regarding Cisco Security Advisories. All Cisco Security Advisories are available at:

http://www.cisco.com/go/psirt

+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org

iF4EAREIAAYFAk9gruMACgkQQXnnBKKRMNBnaQD/YZ7uP45euLAopsaP/sGhX+/Y
BTy8n5+G/AZwwpGuD8QA/jXS1ypnAe/YzWfDEbZi6+Vb8+mQE9ApkNC9vzes6bJ1
=Rl6D
-----END PGP SIGNATURE-----

From svoll.voip at gmail.com  Wed Mar 14 13:56:11 2012
From: svoll.voip at gmail.com (Scott Voll)
Date: Wed, 14 Mar 2012 10:56:11 -0700
Subject: [c-nsp] ip Multicast MoH with zone Based Firewalls?
Message-ID:

I have a Voice deployment with a remote site that has multicast Music on hold. The 2821 that it goes through also has Zone based Firewalls so I can do GRE over IPSec (which is not the interface that the Multicast MoH is using).

My problem is that my Music on hold is not working.

sh ip mroute shows:

(*, 239.1.1.1), 00:50:22/00:02:58, RP x.y.1.252, flags: SJC
  Incoming interface: GigabitEthernet0/1.902, RPF nbr x.z.9.254   <== WAN Metro E
  Outgoing interface list:
    GigabitEthernet0/0.1026, Forward/Sparse-Dense, 00:00:01/00:02:58   <== Phone network

239.1.1.1 is my Multicast MoH.

The RP is correct.

Both interfaces .902 and 1026 are in the INSIDE zone with a Zone policy of class default pass.

I'm running 15.1(3)T2.

Is this a zone based FW issue? a Multicast issue? or a Bug? I'm not sure which way to go..... other than drive to the remote site and do a packet capture. Other ideas? I'm trying not to drive =)

TIA

Scott

From p.mayers at imperial.ac.uk  Wed Mar 14 14:08:00 2012
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Wed, 14 Mar 2012 18:08:00 +0000
Subject: [c-nsp] ip Multicast MoH with zone Based Firewalls?
In-Reply-To:
References:
Message-ID: <4F60DE80.7060702@imperial.ac.uk>

On 14/03/12 17:56, Scott Voll wrote:
> I have a Voice deployment with a remote site that has multicast Music on
> hold.
> The 2821 that it goes through also has Zone based Firewalls so I can
> do GRE over IPSec.(which is not the interface that the Multicast Moh is
> using)
>
> my problem is that my Music on hold is not working.
>
> sh ip mroute shows:
>
> (*, 239.1.1.1), 00:50:22/00:02:58, RP x.y.1.252, flags: SJC
>   Incoming interface: GigabitEthernet0/1.902, RPF nbr x.z.9.254   <== WAN
> Metro E
>   Outgoing interface list:
>     GigabitEthernet0/0.1026, Forward/Sparse-Dense, 00:00:01/00:02:58
> <== Phone network
>
> 239.1.1.1 is my Multicast MoH
>
> The RP is correct.
>
> both interfaces .902 and 1026 are in the INSIDE zone with a Zone policy of
> class default pass
>
> I'm running 15.1(3)T2,
>
> Is this a zone based FW issue? a Multicast issue? or a Bug? I'm not sure
> which way to go..... other than drive to the remote site and do a packet
> capture. Other ideas? I'm trying not to drive =)

Disclaimer: I know nothing about ZBFw.

There isn't really enough information here. You'd need to specify the topology in a bit more detail. Where is the source of the MoH? Have you traced the PIM join state from the source to the RP, and from source to receiver, and from RP to receiver?

Since you don't have an (s,g) entry, I'm guessing the RP is either not receiving the Register packet, or the packet isn't being sent down the shared-tree to the edge router, thus an (s,g) join isn't working.

MTU might be an issue here, if the MoH packets are "large". This is a bit of a pain with PIM registers, and whether the inner or outer packet is fragmented varies by IOS version IIRC.

More details, please ;o)

From hritter at cisco.com  Wed Mar 14 14:18:18 2012
From: hritter at cisco.com (Harold Ritter)
Date: Wed, 14 Mar 2012 14:18:18 -0400
Subject: [c-nsp] Internet inside a VRF?
In-Reply-To:
Message-ID:

Bear in mind that IOS and IOS-XR do "per prefix" label allocation by default and that some vendors do not cope well with a high number of labels from what I can remember.

Regards

On 12-03-14 06:37, "Nick Ryce" wrote:

>Does memory usage not increase by putting all the internet routes in a
>VRF?
>
>Nick
>
>-----Original Message-----
>From: cisco-nsp-bounces at puck.nether.net
>[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
>michalis.bersimis at hq.cyta.gr
>Sent: 14 March 2012 09:47
>To: cisco-nsp at puck.nether.net
>Subject: Re: [c-nsp] Internet inside a VRF?
>
>Hi,
>Putting internet in a vrf is not that bad. I agree with some people say
>that separate the global routing table with vrf is easier, especially for
>networks that are deploying MPLS routers from scratch. I don't see any
>advantages from putting internet Prefixes in the global routing table.
>
>Best Regards,
>
>Michalis Bersimis
>
>
>
>
>----------------------------------------------------------------------
>
>Message: 1
>Date: Tue, 13 Mar 2012 21:58:58 -0500
>From: Ge Moua
>To: cisco-nsp at puck.nether.net
>Subject: Re: [c-nsp] Internet inside a VRF?
>Message-ID: <4F600972.6040600 at umn.edu>
>Content-Type: text/plain; charset=windows-1252; format=flowed
>
>In R&E networks, separation of commodity Internet-1 and Internet-2
>traffic.
>
>--
>Regards,
>Ge Moua
>
>University of Minnesota Alumnus
>Email: moua0100 at umn.edu
>--
>
>
>On 3/13/12 8:17 PM, Jose Madrid wrote:
>> I would like to understand why you guys would do this? What is the
>> reasoning behind this? Super granular control? Can't this level of
>> granularity be achieved with route-maps?
>>
>> Sent from my iPhone
>>
>> On Mar 13, 2012, at 8:27 PM, Dan Armstrong wrote:
>>
>>> We have all our Internet peers and customers inside a VRF currently,
>>>and our Cisco SE thinks we're stark raving mad, and should redesign and
>>>put everything back in the global table.
>>>
>>>
>>> This is all on ASR 9Ks and 7600s.
>>>
>>> On 2012-03-13, at 8:12 PM, Pshem Kowalczyk wrote:
>>>
>>>> Hi,
>>>>
>>>> On 14 March 2012 11:59, Dan Armstrong wrote:
>>>>> I know this topic has been discussed a million times, but just
>>>>> wanted to get an updated opinion on how people are feeling about this:
>>>>>
>>>>> In a service provider network, how do people feel about putting the
>>>>> big Internet routing table, all their peers and customers inside a
>>>>> VRF? Keep the global table for just infrastructure links?
>>>>
>>>> In my previous role we've done just that. One internet VRF for all
>>>> transit functions, separate vrfs for peering and customers and
>>>> import-export statements to tie them all together. All done on ASR1k
>>>> (mainly 1006, but a few of 1002 as well).
>>>>
>>>> kind regards
>>>> Pshem
>>>
>>> _______________________________________________
>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/

From mike-cisconsplist at tiedyenetworks.com Wed Mar 14 17:12:00 2012
From: mike-cisconsplist at tiedyenetworks.com (Mike)
Date: Wed, 14 Mar 2012 14:12:00 -0700
Subject: [c-nsp] cisco PPPoE Intermediate agent SNMP info
Message-ID: <4F6109A0.2090303@tiedyenetworks.com>

Hello,

You guys (and gals) rock, thanks for being here.

So I am noticing now that as I am using pppoe intermediate agent tags, I don't seem to be able to get my 7201 to show me any pppoe intermediate agent info (circuit-id and remote-id for example) for active sessions. The 7201 is certainly passing these along to my radius server and such, but 'show sss sessions detailed' has nothing to indicate what tags were present with the sessions listed, and there also doesn't appear to be anything available with SNMP either.

It seems to me that knowing which circuit-id was associated with a session would be a logical thing to want. It does appear that cisco does send this information in the accounting packets, but it's otherwise unavailable. This means I would have to keep a separate table if I want this all together with 'current sessions' information.

Does anyone have any other ideas for this?

Mike-

From pshem.k at gmail.com Wed Mar 14 17:23:45 2012
From: pshem.k at gmail.com (Pshem Kowalczyk)
Date: Thu, 15 Mar 2012 10:23:45 +1300
Subject: [c-nsp] Internet inside a VRF?
In-Reply-To: <20120314090423.GQ1359@greenie.muc.de>
References: <2C1670C4-A01E-4F84-8A6F-8F6CBC54527D@beanfield.com> <20120314090423.GQ1359@greenie.muc.de>
Message-ID:

Hi,

On 14 March 2012 22:04, Gert Doering wrote:
> Hi,
>
> On Wed, Mar 14, 2012 at 01:12:02PM +1300, Pshem Kowalczyk wrote:
>> In my previous role we've done just that. One internet VRF for all
>> transit functions, separate vrfs for peering and customers and
>> import-export statements to tie them all together.
>
> What is the benefit? The obvious drawback is "much more complicated,
> more possible ways things can blow up, and more effort to setup and
> maintain".

Easy separation into 'infrastructure' and 'services' spaces. From that perspective internet is just another service that's being offered.

Ability to offer connectivity to resources only as required; so for example someone needs only domestic/peering and not full transit - their connection vrf only imports particular RT and it's all sorted.

kind regards
Pshem

From andrew at 2sheds.de Wed Mar 14 17:29:46 2012
From: andrew at 2sheds.de (Andrew Miehs)
Date: Thu, 15 Mar 2012 08:29:46 +1100
Subject: [c-nsp] Internet inside a VRF?
In-Reply-To:
References: <2C1670C4-A01E-4F84-8A6F-8F6CBC54527D@beanfield.com> <20120314090423.GQ1359@greenie.muc.de>
Message-ID:

On 15/03/2012, at 8:23 AM, Pshem Kowalczyk wrote:
> Ability to offer connectivity to resources only as required; so for
> example someone needs only domestic/peering and not full transit -
> their connection vrf only imports particular RT and it's all sorted.

Are people really doing this? - I would imagine that you run into routing table problems very quickly on things like 6500/ 7600s.

Regards

Andrew

From pshem.k at gmail.com Wed Mar 14 19:08:26 2012
From: pshem.k at gmail.com (Pshem Kowalczyk)
Date: Thu, 15 Mar 2012 12:08:26 +1300
Subject: [c-nsp] Internet inside a VRF?
In-Reply-To:
References: <2C1670C4-A01E-4F84-8A6F-8F6CBC54527D@beanfield.com> <20120314090423.GQ1359@greenie.muc.de>
Message-ID:

On 15 March 2012 10:29, Andrew Miehs wrote:
>
> On 15/03/2012, at 8:23 AM, Pshem Kowalczyk wrote:
>
>> Ability to offer connectivity to resources only as required; so for
>> example someone needs only domestic/peering and not full transit -
>> their connection vrf only imports particular RT and it's all sorted.
>
> Are people really doing this? - I would imagine that you run into routing table problems very quickly on things like 6500/ 7600s.

That particular setup is using ASR1ks, not 6500/7600.

kind regards
Pshem

From anzolex at gmail.com Wed Mar 14 21:14:44 2012
From: anzolex at gmail.com (Luis Anzola)
Date: Wed, 14 Mar 2012 20:14:44 -0500
Subject: [c-nsp] Interoperability issue between ME-3800X and Huawei OSN 6800 (1000BaseLX)
Message-ID: <4F614284.9050004@gmail.com>

Hi Guys,

Has anyone experienced problems interconnecting a Cisco Router with DWDM Huawei equipment through 1000BaseLX?

I am currently trying to connect a ME-3800X using the SFP+ Multi-rate port (Ten0/1) with a GLC-LH-SM versus a Huawei OSN 6800 DWDM and I am experiencing problems bringing the b2b interface Up. I have tried turning on and off the Auto-Negotiation on the Cisco Router without success.

Curiously, when I change the link to a 1GigaEth port (Gi0/1) in the ME-3800X the link goes UP and end2end connectivity is established.

I was wondering whether some change has to be done on the DWDM equipment in order to achieve the negotiation with the SFP+ port.

Thanks in advance for any comment you may suggest.

Regards.
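The mechanism Pshem describes in the "Internet inside a VRF?" thread above (a customer VRF that imports only the peering route-target, so it never sees the transit table) and the per-VRF duplication Andrew asks about can both be seen in a small model of route-target import/export on a PE. The block below is an added example written for this page, not code from the thread or from any vendor; VRF names, route-target values and the documentation-space prefixes are assumptions, and three prefixes stand in for the full Internet table.

```python
"""Route-target import/export between VRFs on a PE: a constructed model.

Added example for the "Internet inside a VRF?" thread; not code from the
list or from any vendor. VRF names, route-target values and prefixes are
assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Route:
    prefix: str
    export_rts: FrozenSet[str]   # route-targets attached when the route is exported


@dataclass
class Vrf:
    name: str
    import_rts: FrozenSet[str]   # a route is installed if any of its RTs is imported
    table: Dict[str, Route] = field(default_factory=dict)


def build_tables(routes: List[Route], vrfs: List[Vrf]) -> Dict[str, List[str]]:
    """Install each route into every VRF whose import RTs intersect its export RTs."""
    for vrf in vrfs:
        vrf.table = {r.prefix: r for r in routes if r.export_rts & vrf.import_rts}
    return {v.name: sorted(v.table) for v in vrfs}


def pe_entries(vrfs: List[Vrf]) -> int:
    """Entries the PE must hold: one per prefix per VRF that imports it.
    This is the duplication cost that grows with every extra full-table VRF."""
    return sum(len(v.table) for v in vrfs)


def demo() -> dict:
    """Constructed scenario: full-transit VRF, peering-only customer VRF, and a
    second full view that duplicates the transit table."""
    RT_TRANSIT, RT_PEERING, RT_CUSTOMER = "65000:1", "65000:2", "65000:3"
    routes = [
        Route("198.51.100.0/25", frozenset({RT_TRANSIT})),    # from upstream transit
        Route("198.51.100.128/25", frozenset({RT_TRANSIT})),
        Route("203.0.113.0/24", frozenset({RT_TRANSIT})),
        Route("192.0.2.0/25", frozenset({RT_PEERING})),       # learned at the domestic IX
        Route("192.0.2.128/25", frozenset({RT_CUSTOMER, RT_PEERING})),  # own customer
    ]
    vrfs = [
        Vrf("INTERNET", frozenset({RT_TRANSIT, RT_PEERING, RT_CUSTOMER})),
        Vrf("DOMESTIC", frozenset({RT_PEERING, RT_CUSTOMER})),   # peering-only customer
        Vrf("INTERNET-2", frozenset({RT_TRANSIT, RT_PEERING, RT_CUSTOMER})),
    ]
    tables = build_tables(routes, vrfs)
    domestic = vrfs[1].table.values()
    return {
        "tables": tables,
        "unique_prefixes": len({r.prefix for r in routes}),
        "pe_entries": pe_entries(vrfs),
        # Selective import: no transit-only route may land in the DOMESTIC VRF.
        "transit_leaks_into_domestic": any(
            r.export_rts == frozenset({RT_TRANSIT}) for r in domestic),
    }


if __name__ == "__main__":
    for name, prefixes in demo()["tables"].items():
        print(f"{name}: {prefixes}")
    print("PE entries:", demo()["pe_entries"], "for", demo()["unique_prefixes"], "prefixes")
```

The DOMESTIC VRF ends up with only the two peering/customer prefixes, while the PE holds 12 entries for 5 distinct prefixes because two VRFs import the whole transit set; scale the three stand-in transit routes up to a real table and the second full view is what Oli later calls expensive.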
From rus-p at mostelekom.net Thu Mar 15 01:57:47 2012
From: rus-p at mostelekom.net (Ruslan Pustovoitov)
Date: Thu, 15 Mar 2012 09:57:47 +0400
Subject: [c-nsp] Carrier grade NAT44 & newest Cisco boxes
In-Reply-To:
References: <4F5C3DF6.3010007@inbox.ru> <4F5F6136.4090508@mostelekom.net> <20120313151214.GN1359@greenie.muc.de> <4F603B82.5060709@mostelekom.net>
Message-ID: <4F6184DB.20503@mostelekom.net>

In Russia the situation with law enforcement is simpler, at least with real IP addresses. Now we insert a prism into the lightpath between neighbouring SFP/XFPs at the point where the regulator wants and send all traffic to their equipment without saving flow information in a database. I hope with NAT the situation will be the same. For real time correlation between internal (private IP) and external IP (real IP) I hope the regulator will be able to get Netflow v9 from us )

Christian Kratzer wrote:
> Hi,
>
> On Wed, 14 Mar 2012, Xu Hu wrote:
>
>> Actually in our 3G network, we use the 7609 (two ACE modules) for the
>> NAT,
>> in the live situation, we had 4M users.
>> It is quite stable for now.
>> Also we bought the ASR9K to expand the 3G network, maybe will migrate
>> the
>> NAT to ASR9K.
>
> I am curious if and if how you are doing logging for law enforcement
> purposes on that scale ?
>
> We in europe have some pressure to have the ability to map the
> ip/port/timestamp tuple back to user. Of course nobody will be able
> to deliver the port together with the ip and an accurate enough
> timestamp for this to be meaningful.
>
> I can see this becoming a larger problem when more nats appear on
> conventional DSL / FTTx / Cable access products as opposed to just low
> bandwidth mobile networks.
>
> Greetings
> Christian
>
>> Xu Hu
>> 2012/3/14 Ruslan Pustovoitov
>>
>>> The question was what strategy of NAT deployment can be accepted by
>>> large
>>> ISP if one of the internal condition to use only cisco boxes for NAT ?
>>> Hidden cost was always visible to engineers )
>>> Now It is time to pay )
>>>
>>> Has cisco plan to announce in next two year successor of ISM-100 with
>>> better performance ?
>>> For example, if ISP already has asr9k chassis placed everywhere in it's
>>> network, it will be happy to know that in 2013 cisco planning to do
>>> another
>>> card which will seat instead of ISM-100 into the same chassis.
>>>
>>> Gert Doering wrote:
>>>
>>>> Hi,
>>>>
>>>> On Tue, Mar 13, 2012 at 07:01:10PM +0400, Ruslan Pustovoitov wrote:
>>>>
>>>>> Does this question not worry community ?
>>>>
>>>> I think it's great that the hidden costs that come with running IPv4
>>>> now start being openly visible...
>>>>
>>>> Sorry, what was the question?
>>>>
>>>> gert
>>>

From rus-p at mostelekom.net Thu Mar 15 02:07:23 2012
From: rus-p at mostelekom.net (Ruslan Pustovoitov)
Date: Thu, 15 Mar 2012 10:07:23 +0400
Subject: [c-nsp] Carrier grade NAT44 & newest Cisco boxes
In-Reply-To:
References:
Message-ID: <4F61871B.4080505@mostelekom.net>

I know Alcatel has Bulk Port Allocation in its MS-ISA and it works fine.
ISM-100/CGSE has no such feature but my aim is to argue that ISM is the right answer )

Jean-Francois.TremblayING at videotron.com wrote:
>> We in europe have some pressure to have the ability to map the
>> ip/port/timestamp
>> tuple back to user. Of course nobody will be able to deliver the port
>> together
>> with the ip and an accurate enough timestamp for this to be meaningful.
>
> Bulk Port Allocation (also called Port Range Allocation) is probably what
> you're looking for.
> It reduces logging requirements by several orders of magnitude and your
> timestamping
> doesn't have to be as precise. This is a must to deploy any CGN, IMHO.
>
> Coming soon to your favorite Cisco CGN implementation, apparently...
>
>> I can see this becoming a larger problem when more nats appear on
>> conventional
>> DSL / FTTx / Cable access products as opposed to just low bandwidth
>> mobile networks.
>
> Mobile networks aren't that low bandwidth anymore. They have the same
> issues with logging.
>
> /JF

From td_miles at yahoo.com Thu Mar 15 03:13:01 2012
From: td_miles at yahoo.com (Tony)
Date: Thu, 15 Mar 2012 00:13:01 -0700 (PDT)
Subject: [c-nsp] SIP-400 oversubscription
Message-ID: <1331795581.28662.YahooMailNeo@web125302.mail.ne1.yahoo.com>

Hi all,

I have a SIP-400 in a 7609 (running 12.2(33)SRD1 if it matters). The SPAs that are currently installed are one 2-port Gig & one 4-port OC3 (SPA-2X1GE & SPA-4XOC3-ATM). I would like to add a 5-port GigE (SPA-5X1GE-V2) into the same SIP-400.

I've been reading through the Cisco doc and find references like this:

===
As of Cisco IOS Release 12.2(18)SXF, when using the Cisco 7600 SIP-400 with the 2-Port Gigabit Ethernet SPA or the 1-Port OC-48c/STM-16 ATM SPA, consider the following oversubscription guidelines:

- The Cisco 7600 SIP-400 supports installation of up to two 2-Port Gigabit Ethernet SPAs without any other SPAs installed in the SIP.
- The Cisco 7600 SIP-400 supports installation of any combination of OC-3 or OC-12 POS or ATM SPAs up to a combined ingress bandwidth of OC-24 rates, when installed with a single 2-Port Gigabit Ethernet SPA.
===

Which says I can have "1x OC3 + 1x 2-port GigE" (my current setup) OR "2x 2-port GigE". The above makes no mention whatsoever about the 5-port GigE card, either by itself or with OCx cards. I realise that the above is due to the bandwidth of the SIP-400 being 4Gbps (I think ?) and so Cisco want you to keep it below this figure to avoid over-subscribing the bandwidth of the device. We currently have about <50Mbps of traffic on the OC3 card and <200Mbps on the 2-port GigE card.

My question is if I add a 5-port GigE card to my setup (in addition to 2-port GigE & 4-port OC3) what will happen ?

Will everything work and it just log a message about "bandwidth points exceeded - unsupported" (which I will happily ignore) ?
Will it not power on the extra 5-port card ?
Will it shutdown the entire SIP ?
Will my 7609 spontaneously combust leaving me with just a pile of ashes ? (ok, that's probably unlikely)

Is the bandwidth oversubscription just a cosmetic type thing or is it enforced in some way ? Is anyone running lots of 2 or 5 port GigE cards and not having any issues with them ? Would I even be able to remove my 2-port cards and add 2x 5-port cards to give me 10x GigE ports on the SIP ?

I am not too worried about bandwidth through the interfaces, it's unlikely we will be pushing more than an aggregate of 1Gbps over all the GigE ports, even if we add more. I'm just looking at increasing the number of GigE "WAN" ports available without having to replace SIP with ES (we would still need the SIP for OC3/ATM anyway).

Thanks,
Tony Miles.
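Returning to the "Carrier grade NAT44" thread above: the point Jean-Francois makes about Bulk Port Allocation (far fewer log records, and timestamps that only need to be accurate to the lifetime of a port block rather than of a flow) is easiest to see in a small model of a NAT44 port allocator that logs per block and a resolver that answers the ip/port/timestamp question Christian raised. The block below is an added example written for this page, not code from the thread, from Cisco, Alcatel or any CGN product; the class and function names, block size, addresses and timestamps are all constructed for illustration.

```python
"""Bulk Port Allocation (BPA) logging for CGN NAT44: a constructed model.

Added example for the "Carrier grade NAT44" thread; not code from the list or
from any CGN product. Names, block size, addresses and times are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class BlockRecord:
    """One exported log record: a port block held by one subscriber for a window."""
    external_ip: str
    port_lo: int
    port_hi: int
    internal_ip: str
    start: int                  # allocation time, epoch seconds (constructed)
    end: Optional[int] = None   # release time; None while the block is in use


class BulkPortCgn:
    """Minimal NAT44 port allocator that logs per block instead of per flow."""

    def __init__(self, external_ip: str, block_size: int = 512,
                 first_port: int = 1024, last_port: int = 65535) -> None:
        self.external_ip = external_ip
        # Free pool of (lo, hi) port blocks; handed out lowest-first, reused FIFO.
        self.free: List[Tuple[int, int]] = [
            (lo, min(lo + block_size - 1, last_port))
            for lo in range(first_port, last_port + 1, block_size)]
        self.blocks: Dict[str, List[BlockRecord]] = {}  # internal_ip -> held blocks
        self.next_port: Dict[str, int] = {}            # internal_ip -> next unused port
        self.log: List[BlockRecord] = []               # what the log collector receives
        self.flows = 0                                 # flows translated (per-flow log size)

    def translate(self, internal_ip: str, now: int) -> int:
        """Assign an external port to a new flow. A log record is written only
        when the subscriber needs a (new) block, never per flow."""
        held = self.blocks.setdefault(internal_ip, [])
        if not held or self.next_port[internal_ip] > held[-1].port_hi:
            if not self.free:
                raise RuntimeError("external port pool exhausted")
            lo, hi = self.free.pop(0)
            rec = BlockRecord(self.external_ip, lo, hi, internal_ip, now)
            held.append(rec)
            self.log.append(rec)
            self.next_port[internal_ip] = lo
        port = self.next_port[internal_ip]
        self.next_port[internal_ip] = port + 1
        self.flows += 1
        return port

    def release(self, internal_ip: str, now: int) -> None:
        """Subscriber went idle: close its records and return the blocks to the pool."""
        for rec in self.blocks.pop(internal_ip, []):
            rec.end = now
            self.free.append((rec.port_lo, rec.port_hi))
        self.next_port.pop(internal_ip, None)


def resolve_subscriber(log: List[BlockRecord], external_ip: str,
                       port: int, ts: int) -> List[str]:
    """The lawful-intercept question: which subscriber held external_ip:port at ts?
    The timestamp only has to fall inside the block's window, not the flow's."""
    return [r.internal_ip for r in log
            if r.external_ip == external_ip
            and r.port_lo <= port <= r.port_hi
            and r.start <= ts and (r.end is None or ts < r.end)]


def demo() -> dict:
    """Constructed scenario: two subscribers, one goes idle, a third reuses its block."""
    cgn = BulkPortCgn("203.0.113.5", block_size=512, first_port=1024, last_port=2047)
    for _ in range(300):                 # subscriber A opens 300 flows at t=100
        cgn.translate("10.0.0.1", now=100)
    for _ in range(50):                  # subscriber B opens 50 flows at t=110
        cgn.translate("10.0.0.2", now=110)
    cgn.release("10.0.0.1", now=200)     # A goes idle; its block returns to the pool
    for _ in range(20):                  # subscriber C is handed A's old block at t=300
        cgn.translate("10.0.0.3", now=300)
    return {
        "flows": cgn.flows,                       # per-flow logging would emit this many
        "log_records": len(cgn.log),              # BPA emits only this many
        "port_1030_at_120": resolve_subscriber(cgn.log, "203.0.113.5", 1030, 120),
        "port_1030_at_250": resolve_subscriber(cgn.log, "203.0.113.5", 1030, 250),
        "port_1030_at_350": resolve_subscriber(cgn.log, "203.0.113.5", 1030, 350),
        "port_1600_at_120": resolve_subscriber(cgn.log, "203.0.113.5", 1600, 120),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With 370 flows the collector receives 3 records, and port 1030 resolves to subscriber A at t=120, to nobody at t=250 (between release and reuse) and to subscriber C at t=350. The same port mapping to different subscribers over time is why the block release has to be logged too and why the query still needs a timestamp; it just no longer needs one accurate to the second a flow started.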
From velkovski0 at gmail.com Thu Mar 15 05:35:53 2012
From: velkovski0 at gmail.com (Aleksandar Velkovski)
Date: Thu, 15 Mar 2012 10:35:53 +0100
Subject: [c-nsp] cisco-nsp Digest, Vol 112, Issue 38
In-Reply-To:
References:
Message-ID:

> On 15/03/2012, at 8:23 AM, Pshem Kowalczyk wrote:
>
>> Ability to offer connectivity to resources only as required; so for
>> example someone needs only domestic/peering and not full transit -
>> their connection vrf only imports particular RT and it's all sorted.
>
> Are people really doing this? - I would imagine that you run into routing
> table problems very quickly on things like 6500/ 7600s.

What are the possible routing table problems for 7600?

Thanks,
Aleksandar

From arla at rn.dk Thu Mar 15 06:11:25 2012
From: arla at rn.dk (Arne Larsen / Region Nordjylland)
Date: Thu, 15 Mar 2012 11:11:25 +0100
Subject: [c-nsp] vss-6500 supervisor problem
Message-ID: <8D68760F464FFD40A01BF2FB374E4A280402DE9FCC35@SRVEXC02.aas.its.nja.dk>

Hi all

Has anyone experienced anything like this?
I have a vss-6500 environment that reboots the standby supervisor every time I mangle with an access-list. I thought, and so did our Cisco, that it was the standby sup that was the problem, but after changing that one all is the same. Then I thought that it must be a software bug, but I can't upgrade the software, the standby never comes up. It uncompresses the image and then it stops.
Hope someone has a hint.

/Arne

From gert at greenie.muc.de Thu Mar 15 06:58:16 2012
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 15 Mar 2012 11:58:16 +0100
Subject: [c-nsp] Internet inside a VRF?
In-Reply-To:
References: <2C1670C4-A01E-4F84-8A6F-8F6CBC54527D@beanfield.com> <20120314090423.GQ1359@greenie.muc.de>
Message-ID: <20120315105816.GA1359@greenie.muc.de>

Hi,

On Thu, Mar 15, 2012 at 10:23:45AM +1300, Pshem Kowalczyk wrote:
> Easy separation into 'infrastructure' and 'services' spaces. From that
> perspective internet is just another service that's being offered.

I'm not fully convinced by that (you can do that by keeping Internet in the global table)...

> Ability to offer connectivity to resources only as required; so for
> example someone needs only domestic/peering and not full transit -
> their connection vrf only imports particular RT and it's all sorted.

... but this indeed sounds useful, yes.

gert

--
USENET is *not* the non-clickable part of WWW!                     //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From amsoares at netcabo.pt Thu Mar 15 07:39:15 2012
From: amsoares at netcabo.pt (Antonio Soares)
Date: Thu, 15 Mar 2012 11:39:15 -0000
Subject: [c-nsp] vss-6500 supervisor problem
In-Reply-To: <8D68760F464FFD40A01BF2FB374E4A280402DE9FCC35@SRVEXC02.aas.its.nja.dk>
References: <8D68760F464FFD40A01BF2FB374E4A280402DE9FCC35@SRVEXC02.aas.its.nja.dk>
Message-ID: <004101cd02a0$40705920$c1510b60$@pt>

It seems you don't have a VSS anymore and that you are in RPR mode. What do you get in the "show redundancy" ?

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt
http://www.ccie18473.net

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Arne Larsen / Region Nordjylland
Sent: Thursday, 15 March 2012 10:11
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] vss-6500 supervisor problem

Hi all

Has anyone experienced anything like this?
I have a vss-6500 environment that reboots the standby supervisor every time I mangle with an access-list. I thought, and so did our Cisco, that it was the standby sup that was the problem, but after changing that one all is the same. Then I thought that it must be a software bug, but I can't upgrade the software, the standby never comes up. It uncompresses the image and then it stops.
Hope someone has a hint.

/Arne

From cnspmail001 at googlemail.com Thu Mar 15 08:16:26 2012
From: cnspmail001 at googlemail.com (Peter Subnovic)
Date: Thu, 15 Mar 2012 13:16:26 +0100
Subject: [c-nsp] IPv6 - Using link-local addresses for BGP Peering
Message-ID:

Dear List,

we will be having our first BGP Peering over IPv6 in the near future and would like to know if there is a general consensus whether or not to use link-local addresses for the Peering. My google-fu may fail me, but I couldn't find much information about it. I found an IETF Draft which was discussing this topic and shed some light
http://tools.ietf.org/html/draft-kato-bgp-ipv6-link-local-00
It is a little bit dated, so I am not so sure if it is still "applicable".

I also found a presentation from a Workshop of an apnic meeting
http://meetings.apnic.net/_data/assets/pdf_file/0018/45270/6-bgp-for-ipv6.pdf
where they say it is not recommended to establish the peering over link-local addresses, but I couldn't grasp the reasoning behind that. Configuration-wise it doesn't look that complicated on the Cisco Box.

To sum it up a little:
1) What are the pros/cons of using link-local addresses for the BGP Peering?
2) What is the (from an operational and security pov) best way to set up the BGP Peering?

Any Input or hints to documents are much appreciated.

Thanks,
Peter

From oboehmer at cisco.com Thu Mar 15 08:29:06 2012
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Thu, 15 Mar 2012 13:29:06 +0100
Subject: [c-nsp] Internet inside a VRF?
In-Reply-To: <20120315105816.GA1359@greenie.muc.de>
References: <2C1670C4-A01E-4F84-8A6F-8F6CBC54527D@beanfield.com> <20120314090423.GQ1359@greenie.muc.de> <20120315105816.GA1359@greenie.muc.de>
Message-ID: <6E4D2678AC543844917CA081C9D6B33F06CE0DFA@XMB-AMS-103.cisco.com>

> On Thu, Mar 15, 2012 at 10:23:45AM +1300, Pshem Kowalczyk wrote:
>> Easy separation into 'infrastructure' and 'services' spaces. From that
>> perspective internet is just another service that's being offered.
>
> I'm not fully convinced by that (you can do that by keeping Internet
> in the global table)...
>
>> Ability to offer connectivity to resources only as required; so for
>> example someone needs only domestic/peering and not full transit -
>> their connection vrf only imports particular RT and it's all sorted.
>
> ... but this indeed sounds useful, yes.

Useful, yes, but could also be expensive.. the more different services you come up with, the more different routing table views you need to provide, the more VRFs you need, and the more VRFs you have on a PE, the more route duplication (on both control and forwarding plane) you need to do.. with the current Internet table size, this quickly becomes a problem.

oli

From gert at greenie.muc.de Thu Mar 15 09:04:54 2012
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 15 Mar 2012 14:04:54 +0100
Subject: [c-nsp] IPv6 - Using link-local addresses for BGP Peering
In-Reply-To:
References:
Message-ID: <20120315130454.GB1359@greenie.muc.de>

Hi,

On Thu, Mar 15, 2012 at 01:16:26PM +0100, Peter Subnovic wrote:
> we will be having our first BGP Peering over IPv6 in the near future and
> would like to know if there is a general consensus whether or not to use
> link-local addresses for the Peering.

All peering links we have today use global addresses. There's a couple of drafts in IETF about using link-locals, but it "feels wrong". I don't particularly like link-locals in the context of BGP.

[..]
> Where they say it is not recommended to establish the peering over
> link-local addresses, but couldn't grasp the reasoning behind that.

One of the problems I have with it is that you can't easily map the nexthop IP address to a "network", but you always need additional information, that is "fe80::1234 on *this* interface". And you tie your BGP config to a particular interface, so if you move the peering link somewhere else, you need to do more than just move the cable and the interface config.

[..]
> 2) What is the (from an operational and security pov) best way to set up
> the BGP Peering?

We do IPv6 peerings pretty much the same way we do IPv4. Proper anti-spoofing filters, where applicable. MD5 if the other side asks for it. Proper ingress prefix filters on customer links (strict filtering by IRR DB) and max-prefix settings plus basic anti-bogon garbage filters on peers/uplinks.

gert

--
USENET is *not* the non-clickable part of WWW!                     //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From avitkovsky at emea.att.com Thu Mar 15 09:26:31 2012
From: avitkovsky at emea.att.com (Vitkovsky, Adam)
Date: Thu, 15 Mar 2012 14:26:31 +0100
Subject: [c-nsp] Internet inside a VRF?
In-Reply-To: <6E4D2678AC543844917CA081C9D6B33F06CE0DFA@XMB-AMS-103.cisco.com>
References: <2C1670C4-A01E-4F84-8A6F-8F6CBC54527D@beanfield.com> <20120314090423.GQ1359@greenie.muc.de> <20120315105816.GA1359@greenie.muc.de> <6E4D2678AC543844917CA081C9D6B33F06CE0DFA@XMB-AMS-103.cisco.com>
Message-ID:

Right, finding a good business case is the catch.
But what's great on mpls is that you'll never hit the ceiling on the number of routes carried in the control plane or the number of nodes in the network other than the budget, because no single node has to have full routing awareness of the whole network.

adam

> On Thu, Mar 15, 2012 at 10:23:45AM +1300, Pshem Kowalczyk wrote:
>> Easy separation into 'infrastructure' and 'services' spaces. From that
>> perspective internet is just another service that's being offered.
>
> I'm not fully convinced by that (you can do that by keeping Internet
> in the global table)...
>
>> Ability to offer connectivity to resources only as required; so for
>> example someone needs only domestic/peering and not full transit -
>> their connection vrf only imports particular RT and it's all sorted.
>
> ... but this indeed sounds useful, yes.

useful, yes, but could also be expensive.. the more different services you come up with, the more different routing table views you need to provide, the more VRFs you need, and the more VRFs you have on a PE, the more route duplication (on both control and forwarding plane) you need to do.. with the current Internet table size, this quickly becomes a problem.

oli

From jason at lixfeld.ca Thu Mar 15 09:39:38 2012
From: jason at lixfeld.ca (Jason Lixfeld)
Date: Thu, 15 Mar 2012 09:39:38 -0400
Subject: [c-nsp] Internet inside a VRF?
In-Reply-To: <6E4D2678AC543844917CA081C9D6B33F06CE0DFA@XMB-AMS-103.cisco.com>
References: <2C1670C4-A01E-4F84-8A6F-8F6CBC54527D@beanfield.com> <20120314090423.GQ1359@greenie.muc.de> <20120315105816.GA1359@greenie.muc.de> <6E4D2678AC543844917CA081C9D6B33F06CE0DFA@XMB-AMS-103.cisco.com>
Message-ID: <8A3A4F53-CF44-49CE-881C-C3D7FDF89584@lixfeld.ca>

On 2012-03-15, at 8:29 AM, Oliver Boehmer (oboehmer) wrote:
> useful, yes, but could also be expensive.. the more different services
> you come up with, the more different routing table views you need to
> provide, the more VRFs you need, and the more VRFs you have on a PE, the
> more route duplication (on both control and forwarding plane) you need to
> do.. with the current Internet table size, this quickly becomes a
> problem.

It's only expensive supposing you duplicate the Internet routing table a whole heap of times. If Internet goes right into a VRF and you have two more VRFs with, say, < 200 routes each, there's no way an ASR9k or a 7600 won't handle that.

From jared at puck.nether.net Thu Mar 15 09:46:05 2012
From: jared at puck.nether.net (Jared Mauch)
Date: Thu, 15 Mar 2012 09:46:05 -0400
Subject: [c-nsp] Internet inside a VRF?
In-Reply-To: <8A3A4F53-CF44-49CE-881C-C3D7FDF89584@lixfeld.ca>
References: <2C1670C4-A01E-4F84-8A6F-8F6CBC54527D@beanfield.com> <20120314090423.GQ1359@greenie.muc.de> <20120315105816.GA1359@greenie.muc.de> <6E4D2678AC543844917CA081C9D6B33F06CE0DFA@XMB-AMS-103.cisco.com> <8A3A4F53-CF44-49CE-881C-C3D7FDF89584@lixfeld.ca>
Message-ID: <1C588E9D-00FB-4E98-B130-B7ADD3C83447@puck.nether.net>

On Mar 15, 2012, at 9:39 AM, Jason Lixfeld wrote:
> On 2012-03-15, at 8:29 AM, Oliver Boehmer (oboehmer) wrote:
>
>> useful, yes, but could also be expensive.. the more different services
>> you come up with, the more different routing table views you need to
>> provide, the more VRFs you need, and the more VRFs you have on a PE, the
>> more route duplication (on both control and forwarding plane) you need to
>> do.. with the current Internet table size, this quickly becomes a
>> problem.
>
> It's only expensive supposing you duplicate the Internet routing table a whole heap of times. If Internet goes right into a VRF and you have two more VRFs with, say, < 200 routes each, there's no way an ASR9k or a 7600 won't handle that.

I once had a vendor pitch me the idea of having a few different VRFs:

Internet (Customers + Peers)
Customers (Customer routes, peer interfaces would be in this VRF to avoid abuse)
Whatever else one wanted to do?

The problems become more complex as you have this explosion happen when someone else wants to do another hybrid solution. Watch your TCAM (7600 you mentioned above) start to disappear quickly, combined with whatever complexities you dare add with dual-stack.

These days when talking to vendors and carriers, I do suggest asking about IPv6 first. And call your IPv4 VRF "Internet-Classic"?(?)?*

- Jared

From robert at raszuk.net Thu Mar 15 10:28:09 2012
From: robert at raszuk.net (Robert Raszuk)
Date: Thu, 15 Mar 2012 15:28:09 +0100
Subject: [c-nsp] Internet inside a VRF?
In-Reply-To: <1C588E9D-00FB-4E98-B130-B7ADD3C83447@puck.nether.net>
References: <2C1670C4-A01E-4F84-8A6F-8F6CBC54527D@beanfield.com> <20120314090423.GQ1359@greenie.muc.de> <20120315105816.GA1359@greenie.muc.de> <6E4D2678AC543844917CA081C9D6B33F06CE0DFA@XMB-AMS-103.cisco.com> <8A3A4F53-CF44-49CE-881C-C3D7FDF89584@lixfeld.ca> <1C588E9D-00FB-4E98-B130-B7ADD3C83447@puck.nether.net>
Message-ID: <4F61FC79.3090905@raszuk.net>

Jared, Oli,

> The problems become more complex as you have this explosion happen
> when someone else wants to do another hybrid solution.

> useful, yes, but could also be expensive.. the more different services
> you come up with, the more different routing table views you need to
> provide, the more VRFs you need, and the more VRFs you have on a PE, the
> more route duplication (on both control and forwarding plane) you need to
> do.. with the current Internet table size, this quickly becomes a
> problem.

I don't think you need to duplicate entries in different tables to provide a portfolio of different services. All you need is to be able to tell on a per peer basis which tables his packets are allowed to traverse. That is very different from duplicating tables on a per set of services basis. AFAIK Internet2 was first to deploy this solution and they were quite happy about it.

Also from another point of view it seems completely feasible (see cisco's route server context based architecture) to only provide per neighbor specific policy and only copy to a neighbor vrf/context/adj-rib-out the delta. Then during update generation you advertise all common nets/paths from "one table" then the policy delta from the per customer one.

Cheers,
R.

> On Mar 15, 2012, at 9:39 AM, Jason Lixfeld wrote:
>
>> On 2012-03-15, at 8:29 AM, Oliver Boehmer (oboehmer) wrote:
>>
>>> useful, yes, but could also be expensive.. the more different
>>> services you come up with, the more different routing table views
>>> you need to provide, the more VRFs you need, and the more VRFs
>>> you have on a PE, the more route duplication (on both control and
>>> forwarding plane) you need to do.. with the current Internet table
>>> size, this quickly becomes a problem.
>>
>> It's only expensive supposing you duplicate the Internet routing
>> table a whole heap of times. If Internet goes right into a VRF and
>> you have two more VRFs with, say, < 200 routes each, there's no way
>> an ASR9k or a 7600 won't handle that.
>
> I once had a vendor pitch me the idea of having a few different
> VRFs:
>
> Internet (Customers + Peers)
> Customers (Customer routes, peer interfaces would be in this VRF to avoid abuse)
> Whatever else one wanted to do?
>
> The problems become more complex as you have this explosion happen
> when someone else wants to do another hybrid solution. Watch your
> TCAM (7600 you mentioned above) start to disappear quickly, combined
> with whatever complexities you dare add with dual-stack.
>
> These days when talking to vendors and carriers, I do suggest asking
> about IPv6 first. And call your IPv4 VRF "Internet-Classic"?(?)?*
>
> - Jared
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From streiner at cluebyfour.org Thu Mar 15 14:18:05 2012
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Thu, 15 Mar 2012 14:18:05 -0400 (EDT)
Subject: [c-nsp] IPv6 - Using link-local addresses for BGP Peering
In-Reply-To:
References:
Message-ID:

On Thu, 15 Mar 2012, Peter Subnovic wrote:

> we will be having our first BGP Peering over IPv6 in the near future and
> would like to know if there is a general consensus whether or not to use
> link-local addresses for the Peering.

On external connections we use global addresses for our v6 sessions. For internal sessions, that would depend on how you number(ed) your v6 infrastructure.

> 1) What are the pros/cons of using link-local addresses for the BGP
> Peering?

If you need to set up a BGP session to a device that's not directly connected to your router (over a tunnel, EBGP multihop, etc), you want global addresses. If you or your provider change hardware, the session would need to be reconfigured because one or both neighbor addresses would change. Why deal with that extra hassle if you don't have to?
> 2) What is the (from an operational and security pov) best way to set up
> the BGP Peering?

Some of that depends on your environment. Some of that comes from good operational practices, and the syntax-specific stuff will depend on what platform you're using for your BGP session. Beyond that, the configuration of an IPv6 BGP session is really no different from an IPv4 BGP session - just using IPv6 neighbor addresses, prefix lists, policies, etc.

General tips:

1. Have good contact info for the people at the other end of that link, and make sure they have good contact for you/your technical people.
2. Don't bother with MD5 encryption unless you're on a public fabric, like an exchange point (even then, somewhat iffy). For the most part, that has been a solution in search of a problem.
3. Tell the other provider what prefixes you will announce and what you need to accept (full routes? default-only? default+customer? some other mix?), and write your announce/accept policies accordingly.
4. Consider setting a sane outbound max-prefix filter, to act as a circuit breaker to shut the session down if something goes horribly wrong and your router tries to re-feed the whole IPv6 table to your neighbor. Remember to adjust the max-prefix value as the number of prefixes you announce changes.
5. Aggregate wherever possible. Be nice to your neighbors' routers :)

jms

From gert at greenie.muc.de Thu Mar 15 18:44:48 2012
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 15 Mar 2012 23:44:48 +0100
Subject: [c-nsp] IPv6 - Using link-local addresses for BGP Peering
In-Reply-To:
References:
Message-ID: <20120315224447.GE1359@greenie.muc.de>

Hi,

On Thu, Mar 15, 2012 at 02:18:05PM -0400, Justin M. Streiner wrote:
> General tips:
> 1. Have good contact info for the people at the other end of that link,
> and make sure they have good contact for you/your technical people.
> 2. Don't bother with MD5 encryption unless you're on a public fabric, like
> an exchange point (even then, somewhat iffy). For the most part, that has
> been a solution in search of a problem.
> 3. Tell the other provider what prefixes you will announce and what you
> need to accept (full routes? default-only? default+customer?, some other
> mix?), and write your announce/accept policies accordingly.

3a: document the prefix set in a reasonable IRR DB so other people can build strong ingress filters from it. "Reasonable" depends on your location, but "something that will not let just about anybody put in route6: objects for parts of your address space".

> 4. Consider setting a sane outbound max-prefix filter, to act as a circuit
> breaker to shut the session down if something goes horribly wrong and your
> router tries to re-feed the whole IPv6 table to your neighbor. Remember to
> adjust the max-prefix value as the number of prefixes you announce
> changes.
> 5. Aggregate wherever possible. Be nice to your neighbors' routers :)

Amend :-)

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From waris at cisco.com Thu Mar 15 19:07:18 2012
From: waris at cisco.com (Waris Sagheer (waris))
Date: Thu, 15 Mar 2012 16:07:18 -0700
Subject: [c-nsp] Interoperability issue between ME-3800X and Huawei OSN 6800(1000BaseLX)
In-Reply-To: <4F614284.9050004@gmail.com>
References: <4F614284.9050004@gmail.com>
Message-ID: <4F2E952349CF714899213AA2A0F68C7D0425B089@xmb-sjc-215.amer.cisco.com>

Have you tried forced speed mode on the Huawei side, since autoneg is not supported on SFP+?

-Waris

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Luis Anzola
Sent: Wednesday, March 14, 2012 6:15 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Interoperability issue between ME-3800X and Huawei OSN 6800(1000BaseLX)

Hi Guys,

Has anyone experienced problems interconnecting a Cisco router with Huawei DWDM equipment through 1000BaseLX?

I am currently trying to connect a ME-3800X using the SFP+ multi-rate port (Ten0/1) with a GLC-LH-SM versus a Huawei OSN 6800 DWDM, and I am experiencing problems bringing the b2b interface up. I have tried turning auto-negotiation on and off on the Cisco router without success. Curiously, when I change the link to a 1GigaEth port (Gi0/1) in the ME-3800X the link goes UP and end2end connectivity is established.

I was wondering whether some change has to be done on the DWDM equipment in order to achieve the negotiation with the SFP+ port.

Thanks in advance for any comment you may suggest.

Regards.

From jtrooney at nexdlevel.com Thu Mar 15 22:57:56 2012
From: jtrooney at nexdlevel.com (Jeff Rooney)
Date: Thu, 15 Mar 2012 21:57:56 -0500
Subject: [c-nsp] Certificate issues with Mac IPSEC VPN client
Message-ID:

Hey everyone,

I'm trying to get a few Mac laptops connected to my network via IPSEC VPN on a PIX and am stuck getting certificates validated on these boxes. The Cisco VPN client works fine, but only when booted in 32-bit mode, and the native client let me load the machine certificate as well as the CA, but I get an error saying the server's identity cannot be validated. The same certs work on the Cisco IPSEC client in 64-bit on Windows 7 as well as 32-bit Lion. Any suggestions?
--
Jeff

From Markus.Binder at globalways.net Sun Mar 18 09:15:34 2012
From: Markus.Binder at globalways.net (Markus Binder)
Date: Sun, 18 Mar 2012 13:15:34 +0000
Subject: [c-nsp] Cisco 6500/Sup32 Sub-interface MTU Issue
Message-ID: <9E813DC263007F4D9B37402CC4302A6238245D@EX1-STGT.intern.globalways.net>

Hi all,

I am wondering which linecard on the Sup32 (or Sup720) platform supports user-settable MTUs on routed sub-interfaces?

We want to use one physical port for MPLS backbone uplink and IP downlink to a customer at the same time. As MPLS backbone link we have a VLAN configured with an MTU of 9216 bytes; as IP downlink we want to use the "normal" 1500 byte MTU, each on separate routed sub-interfaces. The routed sub-interfaces are required for the support of Xconnect MPLS connectivity of the IP downlink port, as Sup32 does not support Xconnect on SVIs without WAN cards.

The configuration required would look like:

interface GigabitEthernet6/1
 mtu 9216
 no ip address
 no switchport
!
interface GigabitEthernet6/1.50
 encapsulation dot1Q 50
 description MPLS Backbone Link
 ip address x.x.x.x y.y.y.y
 mpls ip
!
interface GigabitEthernet6/1.100
 description IP Downlink to customer
 encapsulation dot1Q 100
 mtu 1500
 xconnect x.x.x.x 100 encapsulation mpls

But it does not work:

SW(config)#int Gi6/1
SW(config-if)#mt
SW(config-if)#mtu 9216
SW(config-if)#no sw
SW(config-if)#no switchport
SW(config-if)#int Gi6/1.100
SW(config-subif)#encapsulation dot1Q 100
SW(config-subif)#mtu ?
  <1500-9216>  MTU size in bytes
SW(config-subif)#mtu 1500
% Sub-interface GigabitEthernet6/1.100 does not support user settable mtu

Any other ideas of how to achieve that?
Best regards,
Markus Binder

--
Globalways AG
Neue Brücke 8
D-70173 Stuttgart
Germany

From gert at greenie.muc.de Sun Mar 18 09:42:30 2012
From: gert at greenie.muc.de (Gert Doering)
Date: Sun, 18 Mar 2012 14:42:30 +0100
Subject: [c-nsp] Cisco 6500/Sup32 Sub-interface MTU Issue
In-Reply-To: <9E813DC263007F4D9B37402CC4302A6238245D@EX1-STGT.intern.globalways.net>
References: <9E813DC263007F4D9B37402CC4302A6238245D@EX1-STGT.intern.globalways.net>
Message-ID: <20120318134229.GI1359@greenie.muc.de>

Hi,

On Sun, Mar 18, 2012 at 01:15:34PM +0000, Markus Binder wrote:
> I am wondering which Linecard on the Sup32 (or Sup720) Platform supports user settable MTUs on Routed Sub-interfaces?

"Yes". Sort of :-)

> We want to use one physical Port for MPLS Backbone Uplink and IP Downlink to a customer at the same time.
> As MPLS Backbone Link we have a VLAN configured with a MTU of 9216 Bytes, as IP Downlink we want to use the "normal" 1500 Byte MTU each on separate Routed Sub-Interfaces.

This works fine for IP-Subinterfaces, by using "ip mtu 1500"...

> The Routed Sub-interfaces are required for the support of Xconnect MPLS connectivity of the IP Downlink Port as Sup32 does not support Xconnect on SVIs without WAN Cards.

... but *this* doesn't work with a settable MTU, and this sucks big time, because it means that you have to have 9216 on both ends. (Maybe this got added in the last year or so, but last time I ran into this issue, it wasn't possible)

> Any other ideas of how to achieve that?

Curse, spit, split the link into "big-mtu" and "small-mtu" VLANs.

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From Markus.Binder at globalways.net Sun Mar 18 10:09:48 2012
From: Markus.Binder at globalways.net (Markus Binder)
Date: Sun, 18 Mar 2012 14:09:48 +0000
Subject: [c-nsp] Cisco 6500/Sup32 Sub-interface MTU Issue
In-Reply-To: <20120318134229.GI1359@greenie.muc.de>
References: <9E813DC263007F4D9B37402CC4302A6238245D@EX1-STGT.intern.globalways.net> <20120318134229.GI1359@greenie.muc.de>
Message-ID: <9E813DC263007F4D9B37402CC4302A62382500@EX1-STGT.intern.globalways.net>

Hi Gert,

thank you for your quick response.

> Curse, spit, split the link into "big-mtu" and "small-mtu" VLANs.

But this doesn't help, as we need to transport the "smaller" 1500 MTU VLAN via Xconnect somewhere else, and Xconnect is not supported on Sup32 SVIs. We don't do IP just there on the access box.

Any idea which "fair priced" GigE WAN card would be suitable for supporting Xconnect on SVIs on SUP32, as OSMs are not supported on this platform?

Of course we could just split the physical link into two separate links with appropriate MTU on each physical interface (i.e. by using WDM). Obviously this would be the last resort, though.

Best regards,
Markus

From gert at greenie.muc.de Sun Mar 18 13:53:28 2012
From: gert at greenie.muc.de (Gert Doering)
Date: Sun, 18 Mar 2012 18:53:28 +0100
Subject: [c-nsp] Cisco 6500/Sup32 Sub-interface MTU Issue
In-Reply-To: <9E813DC263007F4D9B37402CC4302A62382500@EX1-STGT.intern.globalways.net>
References: <9E813DC263007F4D9B37402CC4302A6238245D@EX1-STGT.intern.globalways.net> <20120318134229.GI1359@greenie.muc.de> <9E813DC263007F4D9B37402CC4302A62382500@EX1-STGT.intern.globalways.net>
Message-ID: <20120318175328.GK1359@greenie.muc.de>

Hi,

On Sun, Mar 18, 2012 at 02:09:48PM +0000, Markus Binder wrote:
> thank you for your quick response.
>
> > Curse, spit, split the link into "big-mtu" and "small-mtu" VLANs.
>
> But this doesn't help, as we need to transport the "smaller" 1500 MTU Vlan via Xconnect somewhere else and Xconnect is not supported on Sup32 SVIs.

Of course this helps. Have gige2/3 with MTU 9216, and put your core-facing VLANs there. Have gige2/4 with MTU 1500, and put your incoming customer VLANs there, with the EoMPLS xconnects on gige2/4.1234

Of course this sucks, as you need twice the number of ports on both ends.

(Or just live with a bigger MTU on the EoMPLS xconnects - it does not hurt to have a bigger MTU there, if the gear on the other end supports it. As long as the incoming frames are no larger than 1500, it really doesn't matter what the xconnect MTU is set to [greater or equal to 1500, of course]).

> We don't do IP just there on the Access Box.

This much I understood. It would be an alternative option, though...

> Any idea which "fair priced" GigE WAN Card would be suitable supporting Xconnect on SVIs on SUP32 as OSMs are not supported on this platform.

I don't think any WAN card (ES/ES+) will work with a Sup32 (no fabric). But I might be mistaken.

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From jbaker at gcicom.net Mon Mar 19 07:59:52 2012
From: jbaker at gcicom.net (James Baker)
Date: Mon, 19 Mar 2012 11:59:52 -0000
Subject: [c-nsp] Cisco 6500/Sup32 Sub-interface MTU Issue
References: <9E813DC263007F4D9B37402CC4302A6238245D@EX1-STGT.intern.globalways.net> <20120318134229.GI1359@greenie.muc.de> <9E813DC263007F4D9B37402CC4302A62382500@EX1-STGT.intern.globalways.net> <20120318175328.GK1359@greenie.muc.de>
Message-ID: <1C748D48EFD36B4AA0B934E8B4E2998003F656AF@ipi-cc-srv04.ipinfrastructures.com>

Hi,

You should be able to set the MTU on the xconnect if you have the "Per Subinterface MTU for Ethernet over MPLS (EoMPLS)" feature in your IOS; try the following:

interface GigabitEthernet6/1.100
 description IP Downlink to customer
 encapsulation dot1Q 100
 xconnect x.x.x.x 100 encapsulation mpls
  mtu 1500

FYI this does not enforce the MTU setting on the data plane, however it should allow you to xconnect to other interfaces with differing MTUs.

Kind regards
James
From gert at greenie.muc.de Mon Mar 19 08:38:10 2012
From: gert at greenie.muc.de (Gert Doering)
Date: Mon, 19 Mar 2012 13:38:10 +0100
Subject: [c-nsp] Cisco 6500/Sup32 Sub-interface MTU Issue
In-Reply-To: <1C748D48EFD36B4AA0B934E8B4E2998003F656AF@ipi-cc-srv04.ipinfrastructures.com>
References: <9E813DC263007F4D9B37402CC4302A6238245D@EX1-STGT.intern.globalways.net> <20120318134229.GI1359@greenie.muc.de> <9E813DC263007F4D9B37402CC4302A62382500@EX1-STGT.intern.globalways.net> <20120318175328.GK1359@greenie.muc.de> <1C748D48EFD36B4AA0B934E8B4E2998003F656AF@ipi-cc-srv04.ipinfrastructures.com>
Message-ID: <20120319123810.GN1359@greenie.muc.de>

Hi,

On Mon, Mar 19, 2012 at 11:59:52AM -0000, James Baker wrote:
> You should be able to set the MTU on the xconnect if you have "Per
> Subinterface MTU for Ethernet over MPLS (EoMPLS)" feature in your IOS,

Oh, cool! This is great to know.

FTR, Feature Navigator claims this has been added to 12.2SRC, 12.2SB and 15.0S/15.1S/15.2S.

Which means, of course, that I all of a sudden don't find it cool anymore, as it isn't available in any IOS that would run on my 6500s.

Thankyouohsoverymuch, Cisco-BU-Infighting-Bullshitting.

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From Markus.Binder at globalways.net Mon Mar 19 09:46:49 2012
From: Markus.Binder at globalways.net (Markus Binder)
Date: Mon, 19 Mar 2012 13:46:49 +0000
Subject: [c-nsp] Cisco 6500/Sup32 Sub-interface MTU Issue
In-Reply-To: <20120319123810.GN1359@greenie.muc.de>
References: <9E813DC263007F4D9B37402CC4302A6238245D@EX1-STGT.intern.globalways.net> <20120318134229.GI1359@greenie.muc.de> <9E813DC263007F4D9B37402CC4302A62382500@EX1-STGT.intern.globalways.net> <20120318175328.GK1359@greenie.muc.de> <1C748D48EFD36B4AA0B934E8B4E2998003F656AF@ipi-cc-srv04.ipinfrastructures.com> <20120319123810.GN1359@greenie.muc.de>
Message-ID: <9E813DC263007F4D9B37402CC4302A62382C25@EX1-STGT.intern.globalways.net>

Hi James,

thanks for the hint. This is really great to hear, but...

> Hi,
>
> On Mon, Mar 19, 2012 at 11:59:52AM -0000, James Baker wrote:
> > You should be able to set the MTU on the xconnect if you have "Per
> > Subinterface MTU for Ethernet over MPLS (EoMPLS)" feature in your IOS,
>
> Oh, cool! This is great to know.
>
> FTR, Feature Navigator claims this has been added to 12.2SRC, 12.2SB and
> 15.0S/15.1S/15.2S.
>
> Which means, of course, that I all of a sudden don't find it cool anymore, as it
> isn't available in any IOS that would run on my 6500s.

...same for us. The IOS versions currently in use don't support it. But definitely the way to go for the future. Gert's idea of just having a bigger MTU in the Xconnect, as long as both ends support it, works fine in the meantime, even though it isn't the preferred solution either.

>
> Thankyouohsoverymuch, Cisco-BU-Infighting-Bullshitting.
>
> gert

Best regards,
Markus

From christian at errxtx.net Mon Mar 19 12:47:38 2012
From: christian at errxtx.net (Christian Meutes)
Date: Mon, 19 Mar 2012 18:47:38 +0200
Subject: [c-nsp] Add Path IOS
In-Reply-To: <1C748D48EFD36B4AA0B934E8B4E2998003F656AF@ipi-cc-srv04.ipinfrastructures.com>
References: <9E813DC263007F4D9B37402CC4302A6238245D@EX1-STGT.intern.globalways.net> <20120318134229.GI1359@greenie.muc.de> <9E813DC263007F4D9B37402CC4302A62382500@EX1-STGT.intern.globalways.net> <20120318175328.GK1359@greenie.muc.de> <1C748D48EFD36B4AA0B934E8B4E2998003F656AF@ipi-cc-srv04.ipinfrastructures.com>
Message-ID: <2c2ae3183d0540749c39377dce54992f@errxtx.net>

Hi,

does anyone have an idea when BGP Add-Path will be available in ordinary IOS (non-XE/XR)?

--
Christian

From sledge121 at gmail.com Mon Mar 19 12:52:45 2012
From: sledge121 at gmail.com (Richard Clayton)
Date: Mon, 19 Mar 2012 16:52:45 +0000
Subject: [c-nsp] QoS - Fair Queue effect on CPU
Message-ID:

I have been searching for any real-world examples or information on the effect the 'fair queue' process has on router CPU. Does anybody have any experience of this, particularly with multiple high-bandwidth flows on the ISRG2 platform? I know it's not an exact science and I am being specific with the scenario, but I don't want to be caught out with unexpectedly high CPU when using this in a QoS policy.

Thanks
Rick

From nick at foobar.org Mon Mar 19 15:41:21 2012
From: nick at foobar.org (Nick Hilliard)
Date: Mon, 19 Mar 2012 19:41:21 +0000
Subject: [c-nsp] Add Path IOS
In-Reply-To: <2c2ae3183d0540749c39377dce54992f@errxtx.net>
References: <9E813DC263007F4D9B37402CC4302A6238245D@EX1-STGT.intern.globalways.net> <20120318134229.GI1359@greenie.muc.de> <9E813DC263007F4D9B37402CC4302A62382500@EX1-STGT.intern.globalways.net> <20120318175328.GK1359@greenie.muc.de> <1C748D48EFD36B4AA0B934E8B4E2998003F656AF@ipi-cc-srv04.ipinfrastructures.com> <2c2ae3183d0540749c39377dce54992f@errxtx.net>
Message-ID: <4F678BE1.1040701@foobar.org>

On 19/03/2012 16:47, Christian Meutes wrote:
> does anyone have an idea when BGP Add-Path will be available in
> ordinary IOS (non-XE/XR)?

It's already available on SR (i.e. 7200 / 7600).

Incidentally, if you're starting a new thread, please start a new thread and don't do it by hitting reply to an existing thread. Otherwise your posting will get lost.

Nick

From rvandolson at esri.com Mon Mar 19 17:58:52 2012
From: rvandolson at esri.com (Ray Van Dolson)
Date: Mon, 19 Mar 2012 14:58:52 -0700
Subject: [c-nsp] Nexus 5000 convert between FC and FCoE?
Message-ID: <20120319215852.GA29929@esri.com>

We're looking to run straight FC from an XIV storage rack into a Nexus 5000 and output FCoE via another port on that same 5000.

Can anyone advise if this is doable or if we'd need additional hardware to make it happen?

Thanks,
Ray

From rwest at zyedge.com Mon Mar 19 18:24:15 2012
From: rwest at zyedge.com (Ryan West)
Date: Mon, 19 Mar 2012 22:24:15 +0000
Subject: [c-nsp] Nexus 5000 convert between FC and FCoE?
In-Reply-To: <20120319215852.GA29929@esri.com>
References: <20120319215852.GA29929@esri.com>
Message-ID: <6EDC5F80-B379-4226-9DF7-B2F475ED1C25@zyedge.com>

Output of FCoE to a server? Currently multihop FCoE is not supported, but connecting to a CNA in that topology is.
Sent from handheld

On Mar 19, 2012, at 6:01 PM, "Ray Van Dolson" wrote:

> We're looking to run straight FC from an XIV storage rack into a Nexus
> 5000 and output FCoE via another port on that same 5000.
>
> Can anyone advise if this is doable or if we'd need additional hardware
> to make it happen?
>
> Thanks,
> Ray

From rvandolson at esri.com Mon Mar 19 18:49:24 2012
From: rvandolson at esri.com (Ray Van Dolson)
Date: Mon, 19 Mar 2012 15:49:24 -0700
Subject: [c-nsp] Nexus 5000 convert between FC and FCoE?
In-Reply-To: <6EDC5F80-B379-4226-9DF7-B2F475ED1C25@zyedge.com>
References: <20120319215852.GA29929@esri.com> <6EDC5F80-B379-4226-9DF7-B2F475ED1C25@zyedge.com>
Message-ID: <20120319224924.GA30743@esri.com>

Basically looking at sending FC to the Nexus, and having the Nexus re-emit that traffic bundled as FCoE out another port to a Converged Network Adapter.

Ray

On Mon, Mar 19, 2012 at 03:24:15PM -0700, Ryan West wrote:
> Output of FCoE to a server? Currently multihop FCoE is not
> supported, but connecting to a CNA in that topology is.
>
> On Mar 19, 2012, at 6:01 PM, "Ray Van Dolson" wrote:
>
> > We're looking to run straight FC from an XIV storage rack into a Nexus
> > 5000 and output FCoE via another port on that same 5000.
> >
> > Can anyone advise if this is doable or if we'd need additional hardware
> > to make it happen?
> >
> > Thanks,
> > Ray

From William.Murphy at uth.tmc.edu Mon Mar 19 18:50:19 2012
From: William.Murphy at uth.tmc.edu (Murphy, William)
Date: Mon, 19 Mar 2012 17:50:19 -0500
Subject: [c-nsp] Firewall/IPS Load Balancing
Message-ID:

I thought I would poll the list to solicit recommendations on how to do firewall/IPS load balancing. I am considering a traffic distribution switch from GigaMon, but I am curious what other products might be out there, or perhaps even features in the Cisco 6500 product that would achieve the same result. I am not interested in paying for full-blown ADC/SLB boxes (ACE or whatever) with more features than I need, and the GigaMon approach seems like it fits that bill.

Thanks in advance for your feedback.

Bill Murphy
UT Health Science Center at Houston

From philxor at gmail.com Mon Mar 19 19:12:19 2012
From: philxor at gmail.com (Phil Bedard)
Date: Mon, 19 Mar 2012 19:12:19 -0400
Subject: [c-nsp] Nexus 5000 convert between FC and FCoE?
In-Reply-To: <20120319224924.GA30743@esri.com>
References: <20120319215852.GA29929@esri.com> <6EDC5F80-B379-4226-9DF7-B2F475ED1C25@zyedge.com> <20120319224924.GA30743@esri.com>
Message-ID: <7E2AC286-08FC-4A06-B377-790935BF85CF@gmail.com>

This works fine with the 5K.

Phil

On Mar 19, 2012, at 6:49 PM, Ray Van Dolson wrote:

> Basically looking at sending FC to the Nexus, and having the Nexus
> re-emit that traffic bundled as F
CoE out another port to a Converged
> Network Adapter.
>
> Ray
>
> On Mon, Mar 19, 2012 at 03:24:15PM -0700, Ryan West wrote:
>> Output of FCoE to a server? Currently multihop FCoE is not
>> supported, but connecting to a CNA in that topology is.
>>
>> On Mar 19, 2012, at 6:01 PM, "Ray Van Dolson" wrote:
>>
>>> We're looking to run straight FC from an XIV storage rack into a Nexus
>>> 5000 and output FCoE via another port on that same 5000.
>>>
>>> Can anyone advise if this is doable or if we'd need additional hardware
>>> to make it happen?
>>>
>>> Thanks,
>>> Ray

From Michael.Balasko at cityofhenderson.com Mon Mar 19 19:19:59 2012
From: Michael.Balasko at cityofhenderson.com (Michael Balasko)
Date: Mon, 19 Mar 2012 23:19:59 +0000
Subject: [c-nsp] Nexus 5000 convert between FC and FCoE?
In-Reply-To: <7E2AC286-08FC-4A06-B377-790935BF85CF@gmail.com>
References: <20120319215852.GA29929@esri.com> <6EDC5F80-B379-4226-9DF7-B2F475ED1C25@zyedge.com> <20120319224924.GA30743@esri.com> <7E2AC286-08FC-4A06-B377-790935BF85CF@gmail.com>
Message-ID: <4B7373AC-BAF9-42BA-9B4F-AF14E90CFB42@cityofhenderson.com>

As long as the John Chambers tax is paid. Oops, I mean licensed properly.

http://www.cisco.com/en/US/docs/switches/datacenter/sw/nx-os/licensing/guide/Cisco_NX-OS_Licensing_Guide_chapter1.html

Michael Balasko CCSP,CCNP,MCSE,SCP
Network Specialist II
City of Henderson
240 Water St.
Henderson, Nv 89015
P:702-267-4337 C:702-373-2730

Coincidence, n.: You weren't paying attention to the other half of what was going on.

On Mar 19, 2012, at 4:12 PM, Phil Bedard wrote:

> This works fine with the 5K.

From Andrew.Jones at alphawest.com.au Mon Mar 19 18:36:12 2012
From: Andrew.Jones at alphawest.com.au (Andrew Jones)
Date: Tue, 20 Mar 2012 09:36:12 +1100
Subject: [c-nsp] Nexus 5000 convert between FC and FCoE?
In-Reply-To: <6EDC5F80-B379-4226-9DF7-B2F475ED1C25@zyedge.com>
References: <20120319215852.GA29929@esri.com> <6EDC5F80-B379-4226-9DF7-B2F475ED1C25@zyedge.com>
Message-ID: <6184A445A023094CAEB001964208B12226B376571F@AWMAIL.alphawest.com.au>

NetApp have a SAN that can use FCoE as an attachment to the network.

Andrew Jones
Alphawest

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ryan West
Sent: Tuesday, 20 March 2012 9:24 AM
To: Ray Van Dolson
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Nexus 5000 convert between FC and FCoE?

Output of FCoE to a server? Currently multihop FCoE is not supported, but connecting to a CNA in that topology is.

Sent from handheld

On Mar 19, 2012, at 6:01 PM, "Ray Van Dolson" wrote:

> We're looking to run straight FC from an XIV storage rack into a Nexus
> 5000 and output FCoE via another port on that same 5000.
>
> Can anyone advise if this is doable or if we'd need additional hardware
> to make it happen?
>
> Thanks,
> Ray

From Ramses.Rios at hughes.com Mon Mar 19 21:23:58 2012
From: Ramses.Rios at hughes.com (Ramses Rios)
Date: Mon, 19 Mar 2012 21:23:58 -0400
Subject: [c-nsp] Firewall/IPS Load Balancing
In-Reply-To:
References:
Message-ID: <111098059A30DF48ADD0BA8E62A1FE3F01B902F1087F@EXPEXCVS1.hughes.com>

Hi Bill

Have you tried Anue products? http://www.anuesystems.com/products-main

RR

________________________________________
From: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net] on behalf of Murphy, William [William.Murphy at uth.tmc.edu]
Sent: Monday, 19 March 2012 18:50
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Firewall/IPS Load Balancing

I thought I would poll the list to solicit recommendations on how to do firewall/IPS load balancing.
I am considering a traffic distribution switch from GigaMon but I am curious what other products might be out there, or perhaps even features in Cisco 6500 product that would achieve the same result. I am not interested in paying for full blown ADC/SLB boxes (ACE or whatever) with more features than I need, and the GigaMon approach seems like it fits that bill. Thanks in advance for your feedback. Bill Murphy UT Health Science Center at Houston _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From jay at west.net Tue Mar 20 01:36:44 2012 From: jay at west.net (Jay Hennigan) Date: Mon, 19 Mar 2012 22:36:44 -0700 Subject: [c-nsp] IP helper-address source from loopback? Message-ID: <4F68176C.7090204@west.net> We have a setup where an external global DHCP server is used to assign pools within a few VRFs on 7206VXR, IOS 12.4. Interface configuration looks like this: interface Port-channel1.3004 description Test encapsulation dot1Q 3004 ip vrf forwarding net21 ip address 10.21.97.126 255.255.255.192 ip helper-address global w.x.y.z We're using option 82 to communicate the vrf subnet information and it all works well. The problem that I'm trying to solve is to use a loopback as the global source interface from which the DHCP requests originate. With the above configuration the router uses the closest egress interface to the DHCP server. This is quite usable but I'd prefer it originate on a loopback for cleanliness and redundancy. IOS has tweaks to manipulate the source address of telnet, RADIUS, ftp, tftp, rcmd, and the like but I don't see an obvious way to specify the source of the DHCP relay packets. I'm considering attempting a local route-map as a possible solution but that seems like a pretty big hammer for a small tweak if it works at all. Any suggestions from the assorted Cisco wizards? 
-- 
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From christian at errxtx.net Tue Mar 20 02:46:53 2012
From: christian at errxtx.net (Christian Meutes)
Date: Tue, 20 Mar 2012 08:46:53 +0200
Subject: [c-nsp] Add Path IOS
In-Reply-To: <4F678BE1.1040701@foobar.org>
References: <9E813DC263007F4D9B37402CC4302A6238245D@EX1-STGT.intern.globalways.net> <20120318134229.GI1359@greenie.muc.de> <9E813DC263007F4D9B37402CC4302A62382500@EX1-STGT.intern.globalways.net> <20120318175328.GK1359@greenie.muc.de> <1C748D48EFD36B4AA0B934E8B4E2998003F656AF@ipi-cc-srv04.ipinfrastructures.com> <2c2ae3183d0540749c39377dce54992f@errxtx.net> <4F678BE1.1040701@foobar.org>
Message-ID: <908ddd3ef5af40b89f9cfed2cf149f9b@errxtx.net>

On 2012-03-19 21:41, Nick Hilliard wrote:
> It's already available on SR (i.e. 7200 / 7600).

Good to know, I should consider upgrading then.
What about SX and 15.x train? Any chance that it will be available soon?

> Incidentally if you're starting a new thread, please start a new
> thread and don't do it by hitting reply to an existing thread.
> Otherwise your posting will get lost.

Oh, yeah you are right - mail is so damn complicated.

-- 
Christian

From avayner at cisco.com Tue Mar 20 02:56:25 2012
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Tue, 20 Mar 2012 07:56:25 +0100
Subject: [c-nsp] IP helper-address source from loopback?
In-Reply-To: <4F68176C.7090204@west.net>
References: <4F68176C.7090204@west.net>
Message-ID: 

Jay,

Take a look here... I think this should do the trick.
http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iad_dhcpservidlink_mcp.html#wp1058967

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jay Hennigan
Sent: Tuesday, March 20, 2012 07:37
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] IP helper-address source from loopback?
From eugen at imacandi.net Tue Mar 20 05:31:42 2012
From: eugen at imacandi.net (Eugeniu Patrascu)
Date: Tue, 20 Mar 2012 11:31:42 +0200
Subject: [c-nsp] Firewall/IPS Load Balancing
In-Reply-To: 
References: 
Message-ID: 

On Tue, Mar 20, 2012 at 00:50, Murphy, William wrote:
> I thought I would poll the list to solicit recommendations on how to do firewall/IPS load balancing. I am considering a traffic distribution switch from GigaMon but I am curious what other products might be out there, or perhaps even features in Cisco 6500 product that would achieve the same result. I am not interested in paying for full blown ADC/SLB boxes (ACE or whatever) with more features than I need, and the GigaMon approach seems like it fits that bill. Thanks in advance for your feedback.

Hi,

I think you are a bit confused: GigaMon does not produce/sell load balancing "switches". What they do is sniffing equipment that has the possibility to be very granular at what you want to capture and to audit this (like before receiving traffic you have to authenticate to the device).

If you want firewall high availability, the simplest solution is to buy two firewalls and run them in A/A or A/P configuration.

ACE or another SLB solution will balance incoming traffic to a pool of servers based on some criteria that you can usually choose from.

I think you need to better describe what are your needs and what you want to accomplish.
HTH,
Eugeniu

From p.mayers at imperial.ac.uk Tue Mar 20 06:33:51 2012
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 20 Mar 2012 10:33:51 +0000
Subject: [c-nsp] Firewall/IPS Load Balancing
In-Reply-To: 
References: 
Message-ID: <4F685D0F.90809@imperial.ac.uk>

On 03/20/2012 09:31 AM, Eugeniu Patrascu wrote:
> I think you are a bit confused: GigaMon does not produce/sell load
> balancing "switches". What they do sniffing equipment that has the

Maybe he means this?

http://www.gigamon.com/g-secure-0216

> I think you need to better describe what are your needs and what you
> want to accomplish.

Very much so; "firewall load balancing" is way too generic a term to give useful advice on.

From nick at foobar.org Tue Mar 20 06:55:49 2012
From: nick at foobar.org (Nick Hilliard)
Date: Tue, 20 Mar 2012 10:55:49 +0000
Subject: [c-nsp] Add Path IOS
In-Reply-To: <908ddd3ef5af40b89f9cfed2cf149f9b@errxtx.net>
References: <9E813DC263007F4D9B37402CC4302A6238245D@EX1-STGT.intern.globalways.net> <20120318134229.GI1359@greenie.muc.de> <9E813DC263007F4D9B37402CC4302A62382500@EX1-STGT.intern.globalways.net> <20120318175328.GK1359@greenie.muc.de> <1C748D48EFD36B4AA0B934E8B4E2998003F656AF@ipi-cc-srv04.ipinfrastructures.com> <2c2ae3183d0540749c39377dce54992f@errxtx.net> <4F678BE1.1040701@foobar.org> <908ddd3ef5af40b89f9cfed2cf149f9b@errxtx.net>
Message-ID: <4F686235.4080709@foobar.org>

On 20/03/2012 06:46, Christian Meutes wrote:
> Good to know, I should consider upgrading then.
> What about SX and 15.x train? Any chance that it will be available soon?

You'll have to ask your SE about this. Note that this is ibgp add-path support only. There is no support for ebgp add-path on any cisco platform at the moment.

Nick

From jrjahangir at yahoo.com Tue Mar 20 07:19:39 2012
From: jrjahangir at yahoo.com (Md. Jahangir Hossain)
Date: Tue, 20 Mar 2012 04:19:39 -0700 (PDT)
Subject: [c-nsp] About Cisco ASR 1006 Router performance
Message-ID: <1332242379.7527.YahooMailNeo@web121403.mail.ne1.yahoo.com>

Dear honorable member:

Wishes all are fine.

I need suggestion from you about CISCO ASR 1006 router performance. I want to buy this router for IP Transit provider where I received all global routes.

It would be nice please put your valued suggestion about this issue.

Thanks
Jahangir

From bandhani at gmail.com Tue Mar 20 07:35:34 2012
From: bandhani at gmail.com (Farhan Jaffer)
Date: Tue, 20 Mar 2012 16:35:34 +0500
Subject: [c-nsp] About Cisco ASR 1006 Router performance
In-Reply-To: <1332242379.7527.YahooMailNeo@web121403.mail.ne1.yahoo.com>
References: <1332242379.7527.YahooMailNeo@web121403.mail.ne1.yahoo.com>
Message-ID: 

Stable product. Not sure about full internet feed but I am using 7609 for the same purpose & it is perfectly running. ASR is the high end series & should work.

-FJ

On Tue, Mar 20, 2012 at 4:19 PM, Md. Jahangir Hossain wrote:
> Dear honorable member:
>
> Wishes all are fine.
>
> i need suggestion from you about CISCO ASR 1006 router performance. i
> want to buy this router for IP Transit provider where i received all
> global routes .
>
> it would be nice please put your valued suggestion about this issue.
>
> thanks
> jahangir

From nick at foobar.org Tue Mar 20 07:39:49 2012
From: nick at foobar.org (Nick Hilliard)
Date: Tue, 20 Mar 2012 11:39:49 +0000
Subject: [c-nsp] About Cisco ASR 1006 Router performance
In-Reply-To: <1332242379.7527.YahooMailNeo@web121403.mail.ne1.yahoo.com>
References: <1332242379.7527.YahooMailNeo@web121403.mail.ne1.yahoo.com>
Message-ID: <4F686C85.9070708@foobar.org>

On 20/03/2012 11:19, Md. Jahangir Hossain wrote:
> i need suggestion from you about CISCO ASR 1006 router performance. i
> want to buy this router for IP Transit provider where i received all
> global routes .

ASR1k performance depends completely on the ESP card used. ESP cards come with a number (e.g. ESP5 / ESP10 / ESP20, etc). This number tells you how much traffic the router can handle. Specifically, the ASR1k operates using centralised forwarding, and the number is a measure of how much traffic can leave the central forwarding engine. If you're handling just unicast traffic, this will be the same as the ingress traffic. If you're planning on multicast, outbound multicast traffic counts towards this total.

Nick

From christian at errxtx.net Tue Mar 20 08:05:15 2012
From: christian at errxtx.net (Christian Meutes)
Date: Tue, 20 Mar 2012 14:05:15 +0200
Subject: [c-nsp] About Cisco ASR 1006 Router performance
In-Reply-To: <1332242379.7527.YahooMailNeo@web121403.mail.ne1.yahoo.com>
References: <1332242379.7527.YahooMailNeo@web121403.mail.ne1.yahoo.com>
Message-ID: <64fef683de68895df334781975e5671f@errxtx.net>

Hi,

On 2012-03-20 13:19, Md. Jahangir Hossain wrote:
> i need suggestion from you about CISCO ASR 1006 router performance.
> i want to buy this router for IP Transit provider where i received
> all global routes .
>
> it would be nice please put your valued suggestion about this issue.

regarding PE and RR scalability the ASR1k is afaik the best product from Cisco (~4M routes FIB, ~25M routes RIB/RR, 8k BGP-Sessions).

-- 
Christian

From cmontero at bme.es Tue Mar 20 08:07:10 2012
From: cmontero at bme.es (Cipriano Montero, Infostock)
Date: Tue, 20 Mar 2012 13:07:10 +0100
Subject: [c-nsp] PPPOE pass through Cisco Routers
Message-ID: <010001cd0691$faa69c60$eff3d520$@bme.es>

As an environment as Wireless ISP, we are trying to deliver PPPOE connections to our clients, in a routed network. So, our first problem is to pass through PPPoE protocol over one or several cisco routers.
Could somebody help us with this task?

Thanks very much in advance.

Thanks and regards,
Cipriano Montero

From avayner at cisco.com Tue Mar 20 08:23:50 2012
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Tue, 20 Mar 2012 13:23:50 +0100
Subject: [c-nsp] PPPOE pass through Cisco Routers
In-Reply-To: <010001cd0691$faa69c60$eff3d520$@bme.es>
References: <010001cd0691$faa69c60$eff3d520$@bme.es>
Message-ID: 

Hi,

You most likely need to look into Layer 2 VPN options... Either over MPLS (EoMPLS/ATOM/VPLS) or over IP using L2TPv3.

Be careful with MTU...

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Cipriano Montero, Infostock
Sent: Tuesday, March 20, 2012 14:07
To: cisco-nsp at puck.nether.net
Cc: Juan Luis Hoyo Herbello
Subject: [c-nsp] PPPOE pass through Cisco Routers

From mike-cisconsplist at tiedyenetworks.com Tue Mar 20 09:27:59 2012
From: mike-cisconsplist at tiedyenetworks.com (Mike)
Date: Tue, 20 Mar 2012 06:27:59 -0700
Subject: [c-nsp] PPPOE pass through Cisco Routers
In-Reply-To: <010001cd0691$faa69c60$eff3d520$@bme.es>
References: <010001cd0691$faa69c60$eff3d520$@bme.es>
Message-ID: <4F6885DF.3090206@tiedyenetworks.com>

On 03/20/2012 05:07 AM, Cipriano Montero, Infostock wrote:
>
> As an environment as Wireless ISP, we are trying to deliver PPPOE
> connections to our clients, in a routed network.
> So, our first problem is to pass through PPPoE protocol over one or several cisco routers.
> Could somebody help us with this task?
>

This isn't the cisco answer you are looking for, however....

PPPoE is a layer 2 protocol, and it (normally) requires that your clients are in the same broadcast domain as your PPPoE termination device (eg: plugged into the same switch for example). So, in a routed network, there won't normally be a layer 2 path here since you've got vlan's and / or routers connecting your network segments.

One choice could be to use a PPPoE relay agent. This would have a router listen on some interface for PPPoE frames and then relay them to another interface where your PPPoE server is residing. This works for 1 hop when you have clients on one interface and the server is on another, but I don't think you want to try extending it beyond 1 hop.

Another choice - and the one I myself use - is to create a layer 2 vpn. I know there are cisco mpls solutions for this which someone else can comment on. I happen to use an opensource package called OpenVPN and it's stable and reliable. Effectively you'd have two boxes - one out in your network facing your wireless customers, and then another near your PPPoE server, and there would be a tunnel built on UDP that the traffic would pass thru. MTU isn't really a problem although if you have jumbo frame support internally it would reduce your packet fragmentation.

Good luck.

Mike-

From William.Murphy at uth.tmc.edu Tue Mar 20 12:12:58 2012
From: William.Murphy at uth.tmc.edu (Murphy, William)
Date: Tue, 20 Mar 2012 11:12:58 -0500
Subject: [c-nsp] Firewall/IPS Load Balancing
In-Reply-To: 
References: 
Message-ID: 

Thanks for your feedback, but I don't think I am confused. GigaMon produces a G-Secure-0216 device which allows you to take a 10G link and split the flows/conversations across up to 8 1G links. They basically call it a security device load balancer.
The device operates at close to line rate and can allocate the flows using mac-address, IP address, and even layer-4 ports (user configurable). What I am trying to achieve is independence from vendor proprietary clustering, load sharing approaches and have something that is more linearly scalable simply by adding another parallel device into the path. I won't name names but certain security vendors don't do A/A very well...

Bill

-----Original Message-----
From: Eugeniu Patrascu [mailto:eugen at imacandi.net]
Sent: Tuesday, March 20, 2012 4:32 AM
To: Murphy, William
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Firewall/IPS Load Balancing
From jay at west.net Tue Mar 20 13:28:26 2012
From: jay at west.net (Jay Hennigan)
Date: Tue, 20 Mar 2012 10:28:26 -0700
Subject: [c-nsp] IP helper-address source from loopback?
In-Reply-To: 
References: <4F68176C.7090204@west.net>
Message-ID: <4F68BE3A.5030601@west.net>

On 3/19/12 11:56 PM, Arie Vayner (avayner) wrote:
> Jay,
>
> Take a look here... I think this should do the trick.
> http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iad_dhcpservidlink_mcp.html#wp1058967
>
> Arie

It indeed does! It's only in the SE train, so now I need to analyze how much I want this and what might break...

-- 
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From Vinny_Abello at Dell.com Tue Mar 20 13:34:55 2012
From: Vinny_Abello at Dell.com (Vinny_Abello at Dell.com)
Date: Tue, 20 Mar 2012 17:34:55 +0000
Subject: [c-nsp] PPPOE pass through Cisco Routers
In-Reply-To: <4F6885DF.3090206@tiedyenetworks.com>
References: <010001cd0691$faa69c60$eff3d520$@bme.es> <4F6885DF.3090206@tiedyenetworks.com>
Message-ID: 

Congruent with your last suggestion, what about using L2TPv3 in a LAC/LNS sort of configuration? It's very easy to setup if you don't already have an MPLS enabled network deployed.

-Vinny

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mike
Sent: Tuesday, March 20, 2012 9:28 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] PPPOE pass through Cisco Routers
From pkovalchuc at gmail.com Tue Mar 20 14:58:57 2012
From: pkovalchuc at gmail.com (Covalciuc Piotr)
Date: Tue, 20 Mar 2012 14:58:57 -0400
Subject: [c-nsp] Cisco ASA IPSec VPN Problem
Message-ID: 

Hello,

We have the following problem with IPSec Site-to-Site VPN between Cisco ASA. The VPN establishes (IKE and IPSec phases are passed), but on my end I have only TX traffic, no RX. We've checked NAT (Exempt), ACL, routing. We've recreated the VPN from scratch. But, without success.
And this problem is only with specific subnet: when we add another subnet in VPN config, it works.

Do you know what else we have to check?

Thanks,
Piotr

From jlewis at lewis.org Tue Mar 20 15:09:00 2012
From: jlewis at lewis.org (Jon Lewis)
Date: Tue, 20 Mar 2012 15:09:00 -0400 (EDT)
Subject: [c-nsp] Cisco ASA IPSec VPN Problem
In-Reply-To: 
References: 
Message-ID: 

On Tue, 20 Mar 2012, Covalciuc Piotr wrote:

> We have the following problem with IPSec Site-to-Site VPN between Cisco ASA.
> The VPN establishes (IKE and IPSec phases are passed), but on my end I have
> only TX traffic, no RX.

Who controls the other end? So you're sending traffic via the VPN, but not receiving any?

> And this problem is only with specific subnet: when we add another subnet
> in VPN config, it works.

Can you elaborate on what you mean by "add another subnet"?

> Do you know what else we have to check?

Probably the config at the other end...the one that's receiving your traffic but not sending any back.

----------------------------------------------------------------------
 Jon Lewis, MCP :)           |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From diosbejgli at gmail.com Tue Mar 20 16:53:14 2012
From: diosbejgli at gmail.com (Tóth András)
Date: Tue, 20 Mar 2012 21:53:14 +0100
Subject: [c-nsp] N7k CoPP versus rate-limiters
In-Reply-To: <4F6083FA.1050602@imperial.ac.uk>
References: <4F6083FA.1050602@imperial.ac.uk>
Message-ID: 

Hi Phil,

There are certain exceptions for packets being forwarded which are not handled by CoPP, these are covered by the HW Rate Limiters. Hardware rate-limiters protect the supervisor CPU from excessive inbound traffic. The traffic rate allowed by the hardware rate-limiters is configured globally and applied to each individual I/O module. The resulting allowed rate depends on the number of I/O modules in the system.
CoPP provides more granular supervisor CPU protection by utilizing the modular quality-of-service CLI (MQC). Note that CoPP is applied per-linecard, so each module is allowed to transmit the configured rate.

There are 3 templates you can use for CoPP, lenient, moderate and strict. The documentation describes them and their values in detail. You can apply one or the other with the 'copp profile' command.

You can read more in detail about Configuring Rate Limits on the following link:
http://www.cisco.com/en/US/docs/switches/datacenter/sw/6_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6.x_chapter_011010.html

Below you can find the documentation for CoPP:
http://www.cisco.com/en/US/docs/switches/datacenter/sw/6_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6.x_chapter_011001.html

Best regards,
Andras

On Wed, Mar 14, 2012 at 12:41 PM, Phil Mayers wrote:
> All,
>
> We've just taken delivery of our first pair of N7k (and so far I'm
> impressed).
>
> I'm playing with porting our standard 6500 config to an equivalent N7k
> config, and I'm a bit puzzled by the interaction of CoPP and the hardware
> rate-limiters.
>
> On 6500/Sup720 these two features have well documented limitations and
> interaction - specifically HW rate-limiters pre-empt CoPP. I can't seem to
> find detailed information on how that works in the N7k.
>
> In general, what should I be using, for what?
>
> This is NX-OS 6, with M1 series linecards doing routing (MPLS).
From johnelliot67 at hotmail.com Tue Mar 20 19:13:29 2012
From: johnelliot67 at hotmail.com (John Elliot)
Date: Wed, 21 Mar 2012 10:13:29 +1100
Subject: [c-nsp] 2960S IOS
Message-ID: 

Hi Guys,

Have a pair of new 2960S's that are running 12.2(55)SE3 - Just after a recommendation on whether to upgrade to 12.2.58-SE2 or go to 15.0.1-SE2?

Cheers.

From johnelliot67 at hotmail.com Tue Mar 20 19:18:07 2012
From: johnelliot67 at hotmail.com (John Elliot)
Date: Wed, 21 Mar 2012 10:18:07 +1100
Subject: [c-nsp] 2960S IOS
In-Reply-To: <42752206EE5B8545B68464E1D0B774B86787DECC85@EMPMAIL.racq.com.au>
References: , <42752206EE5B8545B68464E1D0B774B86787DECC85@EMPMAIL.racq.com.au>
Message-ID: 

>
> Hi John,
>
> I just upgrade our branch fleet of 2960s' to 15.0.1-SE2 if that helps.
>

Thanks Simon - No issues as yet I assume?

From A.L.M.Buxey at lboro.ac.uk Tue Mar 20 19:39:12 2012
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Tue, 20 Mar 2012 23:39:12 +0000
Subject: [c-nsp] 2960S IOS
Message-ID: 

12.2.58 is not going anywhere, we're halfway through upgrading to 15.0 (first versions had some show stoppers but latest version okay..so far! ;) )

alan

From cisco-nsp at itpro.co.nz Tue Mar 20 19:17:13 2012
From: cisco-nsp at itpro.co.nz (Ivan)
Date: Wed, 21 Mar 2012 12:17:13 +1300 (NZDT)
Subject: [c-nsp] Filtering Routes with Private AS Numbers in the AS Path
Message-ID: <35791.131.203.92.28.1332285433.squirrel@mail.orcon.net.nz>

Hi,

For filtering private as numbers (64512-65535) using an as-path access-list there are a few options I have seen:

1). All in one line

ip as-path access-list 66 permit _(6451[2-9]|645[2-9][0-9]|64[6-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5])_

2). The above modified hopefully to be "better" in terms of regexp processing but perhaps not readability

ip as-path access-list 66 permit _6(4(5(1[2-9]|[2-9][0-9])|[6-9][0-9][0-9])|5([0-4][0-9][0-9]|5([0-2][0-9]|3[0-5])))_

3). Separate lines

ip as-path access-list 66 permit _6451[2-9]_
ip as-path access-list 66 permit _645[2-9][0-9]_
ip as-path access-list 66 permit _64[6-9][0-9][0-9]_
ip as-path access-list 66 permit _65[0-4][0-9][0-9]_
ip as-path access-list 66 permit _655[0-2][0-9]_
ip as-path access-list 66 permit _6553[0-5]_

I would appreciate any feedback as to which is the least CPU intensive and if there is a better way to optimise 2 above.

Thanks
Ivan

From Simon.Thomason at racq.com.au Tue Mar 20 19:16:00 2012
From: Simon.Thomason at racq.com.au (Thomason, Simon)
Date: Wed, 21 Mar 2012 09:16:00 +1000
Subject: [c-nsp] 2960S IOS
In-Reply-To: 
References: 
Message-ID: <42752206EE5B8545B68464E1D0B774B86787DECC85@EMPMAIL.racq.com.au>

Hi John,

I just upgraded our branch fleet of 2960s' to 15.0.1-SE2 if that helps.

Cheers,
Simon.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of John Elliot
Sent: Wednesday, 21 March 2012 9:13 AM
To: cisco-nsp
Subject: [c-nsp] 2960S IOS

RACQ gets more than 9 out of 10 cars going again - quick smart. That's Australia's highest success rate! Be part of Queensland's largest club. Visit racq.com/roadsiderescue

Please Note: If you are not the intended recipient, please delete this email as its use is prohibited. RACQ does not warrant or represent that this email is free from viruses or defects. If you do not wish to receive any further commercial electronic messages from RACQ please e-mail unsubscribe at racq.com.au or contact RACQ on 13 19 05.
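Added example for Ivan's as-path access-list question above (not code from the thread or from Cisco): a Python cross-check that translates the IOS '_' boundary token (start or end of the path, space, comma, braces, parentheses) into a Python regex, verifies that the single-line, nested and per-line variants all match exactly 64512-65535 when tested exhaustively, and runs them over a few constructed AS paths, including a public ASN whose digits contain a private one, which is the case the '_' anchors exist to reject. It checks correctness only, not the CPU cost Ivan asked about.

```python
"""Cross-check the three IOS as-path access-list styles for private ASNs.

Added example, not part of the thread. IOS as-path regexes use '_' as a
boundary token; this script maps it onto a Python regex and checks that
the three variants from the message match exactly 64512-65535.
"""
import re

# The three variants from the thread, in IOS syntax with '_' boundaries.
SINGLE_LINE = "_(6451[2-9]|645[2-9][0-9]|64[6-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5])_"
NESTED = "_6(4(5(1[2-9]|[2-9][0-9])|[6-9][0-9][0-9])|5([0-4][0-9][0-9]|5([0-2][0-9]|3[0-5])))_"
PER_LINE = [
    "_6451[2-9]_",
    "_645[2-9][0-9]_",
    "_64[6-9][0-9][0-9]_",
    "_65[0-4][0-9][0-9]_",
    "_655[0-2][0-9]_",
    "_6553[0-5]_",
]

# IOS '_' matches the start or end of the path, or one of: space , { } ( )
IOS_BOUNDARY = r"(?:^|$|[ ,{}()])"


def ios_to_python(pattern: str) -> re.Pattern:
    """Translate an IOS as-path regex into a compiled Python regex."""
    return re.compile(pattern.replace("_", IOS_BOUNDARY))


def compile_acl(entries) -> list:
    """An as-path access-list is an ordered list of entries; compile each."""
    return [ios_to_python(e) for e in entries]


def acl_permits(acl, as_path: str) -> bool:
    """True if any entry of the (permit-only) list matches the AS path."""
    return any(p.search(as_path) for p in acl)


ACLS = {
    "single-line": compile_acl([SINGLE_LINE]),
    "nested": compile_acl([NESTED]),
    "per-line": compile_acl(PER_LINE),
}


def matched_asns(acl, lo: int = 0, hi: int = 70000) -> set:
    """Test every single-ASN path in [lo, hi); return the ASNs matched."""
    return {asn for asn in range(lo, hi) if acl_permits(acl, str(asn))}


def variants_equivalent() -> bool:
    """All three styles must match exactly the private range 64512-65535."""
    expected = set(range(64512, 65536))
    return all(matched_asns(acl) == expected for acl in ACLS.values())


# Constructed sample AS paths (as 'show ip bgp' prints them). A private
# ASN must be a whole token: 164512 contains the digits 64512 but is public.
SAMPLE_PATHS = {
    "3356 65001 174": True,      # private ASN in the middle of the path
    "64512": True,               # path consisting only of a private ASN
    "3356 164512 174": False,    # digits embedded in a public ASN: no match
    "3356 6451 174": False,      # shorter number sharing a prefix
    "3356 65536": False,         # first ASN above the private range
    "65535 3356": True,          # top of the range at the start of the path
    "3356 {64600,64601}": True,  # AS_SET members are separated by commas
}


def check_samples(name: str = "single-line") -> dict:
    """Evaluate one ACL style over the constructed paths."""
    acl = ACLS[name]
    return {path: acl_permits(acl, path) for path in SAMPLE_PATHS}


if __name__ == "__main__":
    print("all three variants equivalent:", variants_equivalent())
    for name in ACLS:
        print(name, "samples ok:", check_samples(name) == SAMPLE_PATHS)
```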
From Simon.Thomason at racq.com.au Tue Mar 20 19:52:54 2012
From: Simon.Thomason at racq.com.au (Thomason, Simon)
Date: Wed, 21 Mar 2012 09:52:54 +1000
Subject: [c-nsp] 2960S IOS
In-Reply-To: <42752206EE5B8545B68464E1D0B774B86787DECC85@EMPMAIL.racq.com.au>
References: <42752206EE5B8545B68464E1D0B774B86787DECC85@EMPMAIL.racq.com.au>
Message-ID: <42752206EE5B8545B68464E1D0B774B86787DECC89@EMPMAIL.racq.com.au>

Not certain if anyone is looking into smart install or vstack but when you go to 15 train you get a few nicer features which is one of the reasons we have gone into the 15 train where we can.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Thomason, Simon
Sent: Wednesday, 21 March 2012 9:16 AM
To: 'John Elliot'; cisco-nsp
Subject: Re: [c-nsp] 2960S IOS
From jiri.prochazka at superhosting.cz Tue Mar 20 22:24:46 2012
From: jiri.prochazka at superhosting.cz (Jiri Prochazka)
Date: Wed, 21 Mar 2012 03:24:46 +0100
Subject: [c-nsp] 2960S IOS
In-Reply-To: 
References: 
Message-ID: <4F693BEE.2080200@superhosting.cz>

John,

we're using 15.0.1-SE2 (and 15.0.1-SE1) on approximately 20 2960S's for a while and we have no problem so far.

Regards,
Jiri

On 21.3.2012 0:13, John Elliot wrote:
>
> Hi Guys,
> Have a pair of new 2960S's that are running 12.2(55)SE3 - Just after a recommendation on whether to upgrade to 12.2.58-SE2 or go to 15.0.1-SE2 ?
> Cheers.

-- 
Jiri Prochazka
network administrator (AS39392)
SuperNetwork s.r.o.
m: +420 777 87 37 67
w: http://www.superhosting.cz
e: jiri.prochazka at superhosting.cz

From johnelliot67 at hotmail.com Wed Mar 21 01:42:37 2012
From: johnelliot67 at hotmail.com (John Elliot)
Date: Wed, 21 Mar 2012 16:42:37 +1100
Subject: [c-nsp] 2960S IOS
In-Reply-To: <4F693BEE.2080200@superhosting.cz>
References: , <4F693BEE.2080200@superhosting.cz>
Message-ID: 

>
> John,
>
> we're using 15.0.1-SE2 (and 15.0.1-SE1) on aproximately 20 2960S's for a
> while and we have no problem so far.
> Thanks to all who responded - have upgraded to 15.0(1)SE2...fingers crossed we encounter no issues :) From Simon.Thomason at racq.com.au Wed Mar 21 01:59:00 2012 From: Simon.Thomason at racq.com.au (Thomason, Simon) Date: Wed, 21 Mar 2012 15:59:00 +1000 Subject: [c-nsp] 2960S IOS In-Reply-To: References: , <4F693BEE.2080200@superhosting.cz> Message-ID: <42752206EE5B8545B68464E1D0B774B86787DECCA1@EMPMAIL.racq.com.au> Always a good idea to read the field notice and current / fixed bugs in your new IOS. There might be a bug but it might not be relevant to your situation. -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of John Elliot Sent: Wednesday, 21 March 2012 3:43 PM To: jiri.prochazka at superhosting.cz; cisco-nsp Subject: Re: [c-nsp] 2960S IOS > > John, > > > we're using 15.0.1-SE2 (and 15.0.1-SE1) on aproximately 20 2960S's for a > while and we have no problem so far. > Thanks to all who responded - have upgraded to 15.0(1)SE2...fingers crossed we encounter no issues :) _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ RACQ gets more than 9 out of 10 cars going again ? quick smart. That?s Australia?s highest success rate! Be part of Queensland?s largest club. Visit racq.com/roadsiderescue Please Note: If you are not the intended recipient, please delete this email as its use is prohibited. RACQ does not warrant or represent that this email is free from viruses or defects. If you do not wish to receive any further commercial electronic messages from RACQ please e-mail unsubscribe at racq.com.au or contact RACQ on 13 19 05. Please Note: If you are not the intended recipient, please delete this email as its use is prohibited. RACQ does not warrant or represent that this email is free from viruses or defects. 
From gkg at gmx.de Wed Mar 21 03:13:15 2012
From: gkg at gmx.de (Garry)
Date: Wed, 21 Mar 2012 08:13:15 +0100
Subject: [c-nsp] *** GMX Spamverdacht *** Re: 2960S IOS
In-Reply-To: <42752206EE5B8545B68464E1D0B774B86787DECC89@EMPMAIL.racq.com.au>
References: <42752206EE5B8545B68464E1D0B774B86787DECC85@EMPMAIL.racq.com.au> <42752206EE5B8545B68464E1D0B774B86787DECC89@EMPMAIL.racq.com.au>
Message-ID: <4F697F8B.4010706@gmx.de>

On 21.03.2012 00:52, Thomason, Simon wrote:
> Not certain if anyone is looking into smart install or vstack but when you go to 15 train you get a few nicer features which is one of the reasons we have gone into the 15 train where we can.
>
Anybody have a link to the changes? One thing we've run across that's not so nice on the 2960S is the limit of 6 port channels per stack - has that changed?

Tnx, garry

From narain.arun at gmail.com Wed Mar 21 04:25:35 2012
From: narain.arun at gmail.com (Arun Kumar)
Date: Wed, 21 Mar 2012 13:55:35 +0530
Subject: [c-nsp] Recommended IPv6 Resources
In-Reply-To:
References: <1C748D48EFD36B4AA0B934E8B4E2998003F08BE7@ipi-cc-srv04.ipinfrastructures.com> <20120313134928.GK1359@greenie.muc.de> <20120313140608.GL1359@greenie.muc.de> <1C748D48EFD36B4AA0B934E8B4E2998003F08C10@ipi-cc-srv04.ipinfrastructures.com>
Message-ID:

Hi

I personally like and find this resource useful:
http://csrc.nist.gov/publications/nistpubs/800-119/sp800-119.pdf

thanks
Arun

On Wed, Mar 14, 2012 at 8:59 PM, Justin M. Streiner wrote:
> On Tue, 13 Mar 2012, Steve McCrory wrote:
>
>> I'm more than prepared to hunt for resources and have a play with IPv6
>> for myself, I just wanted a pointer in the direction of good,
>> informative, up-to-date material.
>>
>
> Your point is well taken :)
>
> IPv6, like many other technologies, has launched numerous religious
> debates (read through the NANOG list archives for many examples ;) ), so
> there is lots of information available, but there is also lots of potential
> mis-information. There are also many areas where either vendor support is
> lean (inet6 firewall filters in Junos), or their documentation is lean
> (Cisco IPv6 inspection capabilities in the ASA comes to mind).
>
> jms

From cmontero at bme.es Wed Mar 21 04:30:56 2012
From: cmontero at bme.es (Cipriano Montero, Infostock)
Date: Wed, 21 Mar 2012 09:30:56 +0100
Subject: [c-nsp] PPPOE pass through Cisco Routers
In-Reply-To:
References: <010001cd0691$faa69c60$eff3d520$@bme.es> <4F6885DF.3090206@tiedyenetworks.com>
Message-ID: <000e01cd073c$efa7dbc0$cef79340$@bme.es>

These readings and others focus us to L2TP, because we don't have MPLS deployed.

We have read the article in cisco.com "PPPoE Relay", and it seems to be the right solution, but some questions rise up:

.- With two APs behind the router, we need two tunnels in the router, right?
.- Or... unfortunately, we should establish a tunnel per CPE (i.e., per client) behind the APs, so having a big number of tunnels?

Thanks very much.

Thanks and regards,
Cipriano Montero
Tel: 924 808016 ext 5722.
cmontero at bme.es
Infostock Europa de Extremadura, S.A. | www.infostock.es
-----Original Message-----
From: Vinny_Abello at Dell.com [mailto:Vinny_Abello at Dell.com]
Sent: Tuesday, 20 March 2012 18:35
To: mike-cisconsplist at tiedyenetworks.com; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] PPPOE pass through Cisco Routers

Congruent with your last suggestion, what about using L2TPv3 in a LAC/LNS sort of configuration? It's very easy to setup if you don't already have an MPLS enabled network deployed.

-Vinny

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mike
Sent: Tuesday, March 20, 2012 9:28 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] PPPOE pass through Cisco Routers

On 03/20/2012 05:07 AM, Cipriano Montero, Infostock wrote:
>
>
> As an environment as Wireless ISP, we are trying to deliver PPPOE
> connections to our clients, in a routed network. So, our first problem
> is to pass through PPPoE protocol over one or several cisco routers.
> Could somebody help us with this task?
>

This isn't the cisco answer you are looking for, however....

PPPoE is a layer 2 protocol, and it (normally) requires that your clients are in the same broadcast domain as your PPPoE termination device (eg: plugged into the same switch for example). So, in a routed network, there won't normally be a layer 2 path here since you've got vlan's and / or routers connecting your network segments.

One choice could be to use a PPPoE relay agent. This would have a router listen on some interface for PPPoE frames and then relay them to another interface where your PPPoE server is residing. This works for 1 hop when you have clients on one interface and the server is on another, but I don't think you want to try extending it beyond 1 hop.

Another choice - and the one I myself use - is to create a layer 2 vpn. I know there are cisco mpls solutions for this which someone else can comment on. I happen to use an opensource package called OpenVPN and it's stable and reliable. Effectively you'd have two boxes - one out in your network facing your wireless customers, and then another near your PPPoE server, and there would be a tunnel built on UDP that the traffic would pass thru. MTU isn't really a problem although if you have jumbo frame support internally it would reduce your packet fragmentation.

Good luck.

Mike-

From shopik at inblock.ru Wed Mar 21 04:38:52 2012
From: shopik at inblock.ru (Nikolay Shopik)
Date: Wed, 21 Mar 2012 12:38:52 +0400
Subject: [c-nsp] *** GMX Spamverdacht *** Re: 2960S IOS
In-Reply-To: <4F697F8B.4010706@gmx.de>
References: <42752206EE5B8545B68464E1D0B774B86787DECC85@EMPMAIL.racq.com.au> <42752206EE5B8545B68464E1D0B774B86787DECC89@EMPMAIL.racq.com.au> <4F697F8B.4010706@gmx.de>
Message-ID: <4F69939C.4060109@inblock.ru>

Pretty much everything is here
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/15.0_1_se/release/notes/OL25301.html

On 21/03/12 11:13, Garry wrote:
> On 21.03.2012 00:52, Thomason, Simon wrote:
>> Not certain if anyone is looking into smart install or vstack but when you go to 15 train you get a few nicer features which is one of the reasons we have gone into the 15 train where we can.
>>
> Anybody have a link to the changes? One thing we've run across that's
> not so nice on the 2960S is the limit of 6 port channels per stack - has
> that changed?
>
> Tnx, garry

From k.waheed at gmail.com Wed Mar 21 07:58:16 2012
From: k.waheed at gmail.com (K)
Date: Wed, 21 Mar 2012 16:58:16 +0500
Subject: [c-nsp] Cisco ASR 9010 and CRS-1 understanding
Message-ID:

Hi team,

I am working on a requirement for Cisco ASR-9010 for a metro deployment, but I am unable to find relevant references for it:

1. How many 'I/O slots' does ASR-9010 have? 8 or 10?
2. Are RSP slots combo slots (can they be used to host I/O cards)?
3. Does -L linecard (out of -L, -B and -E) support H-QoS (Hierarchical QoS)? Cisco documentation is not clear
4. What is the difference between RSP440-SE and RSP440-TR?
   1. Do both provide a fabric throughput to each line-card at 440Gbps now?
   2. What is the actual throughput of these RSP440-SE/TR per line-card?
5. What is the throughput of A9K-RSP-4G/8G per line-card?
6. A9K-4T or A9K-8T provide 4/8 x 10GE ports at line-rate respectively?
7. A9K-8T/4 provides only 4 x 10GE ports at line-rate? (Uses over-subscription)?
8. Do the above 10GE line-cards support DWDM-XFP-C= on each of the 10G ports? (I need tunable DWDM XFP)
9. Do I need a license per line-card for (A9K-AIP-LIC-B) for full-scale L3VPNs?
   1. Is there a chassis-wide license?
10. Does Cisco support L2VPN Draft-kompella on IOS-XR now?

CRS questions:
1. Does CRS-1 (or CRS-3) 4-slot support Multi-chassis configuration?
2. Does CRS-1 (or CRS-3) 8-slot support Multi-chassis configuration?
3. Or is multi-chassis just limited to CRS-1 (or CRS-3) 16-slot chassis configurations only?
4. Can I combine 4/8/16 slot configurations in a CRS-1 or CRS-3 multi-chassis configurations?
I would appreciate if anyone can clarify this (ideally with Cisco's website URLs)

--
Regards,
KW

From p.mayers at imperial.ac.uk Wed Mar 21 08:13:33 2012
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Wed, 21 Mar 2012 12:13:33 +0000
Subject: [c-nsp] N7k CoPP versus rate-limiters
In-Reply-To:
References: <4F6083FA.1050602@imperial.ac.uk>
Message-ID: <4F69C5ED.6050909@imperial.ac.uk>

On 20/03/12 20:53, Tóth András wrote:
> Hi Phil,
>
> There are certain exceptions for packets being forwarded which are not
> handled by CoPP, these are covered by the HW Rate Limiters.

Andras,

Thanks for the response. Unfortunately it didn't tell me anything I didn't already know ;o)

In fact, it appears to be largely cut&paste from the NX-OS docs, which I have read.

Perhaps I wasn't specific enough in my original email.

I'm looking for comprehensive documentation on what types of packets are considered to match the HW rate limiters, what types of packets match CoPP, and how the system acts when >1 match occurs.

This kind of behaviour is not well documented for Sup720, but if you dig through the Cisco site and archives of the list, you can find your info.

It is even LESS well documented for N7k as far as I can tell. The HW RL have uninformative names like "layer-3 control" and there is little or no documentation about how they interact, other than tantalising hints like:

"""
Layer 3 control, multicast direct-connect, and ARP request packets are controlled by the Layer 2 copy rate limiter. The first two types of packets are also controlled by Layer 3 rate limiters, and the last two types are also subject to control plane policing
"""

For example: which HW rate-limiters does an OSPF packet match, if any? In which order do these rate-limiters match, and is it before or after CoPP?

Or, the "receive" HW RL versus CoPP.

Or, the "layer-3 ttl" HW RL versus the "match exception ttl-failure", or again for "mtu".

Hope that explains things in more detail.

Cheers,
Phil

From nick at foobar.org Wed Mar 21 09:11:28 2012
From: nick at foobar.org (Nick Hilliard)
Date: Wed, 21 Mar 2012 13:11:28 +0000
Subject: [c-nsp] Cisco ASR 9010 and CRS-1 understanding
In-Reply-To:
References:
Message-ID: <4F69D380.50304@foobar.org>

On 21/03/2012 11:58, K wrote:
> 1. How many 'I/O slots' does ASR-9010 have? 8 or 10?

8 slots. ref:

> http://www.cisco.com/en/US/prod/collateral/routers/ps9853/data_sheet_c78-501767.html#wp9000166

> 2. Are RSP slots combo slots (can they be used to host I/O cards)?

Not that I'm aware of.

> 3. Does -L linecard (out of -L, -B and -E) support H-QoS (Hierarchical
> QoS)? Cisco documentation is not clear

Yes, it does. However it has significantly smaller buffers than the other two cards so if you're planning to do very rich hqos stuff they may not be the best choice.

> 4. What is the difference between RSP440-SE and RSP440-TR?

afaik, the only difference is that RSP440-SE has twice the route-processor RAM that the RSP440-TR does (12G vs 6G). This affects scaling for multiservice edge / carrier ethernet / larger scale L3 configurations.

> 1. Do both provide a fabric throughput to each line-card at 440Gbps
> now?

They each provide 200G capacity to the line card edge ports.

> 2. What is the actual throughput of these RSP440-SE/TR per line-card?

This is a difficult question. ASR9K boxes haven't been dissected by users in the same way that e.g. sup720/rsp720/etc boxes have been. So while it's nominally 200G per line card, it hasn't been trashed around enough in real life for people to get any idea what its limitations are.

> 5. What is the throughput of A9K-RSP-4G/8G per line-card?
> 6. A9K-4T or A9K-8T provide 4/8 x 10GE ports at line-rate respectively?
> 7. A9K-8T/4 provides only 4 x 10GE ports at line-rate? (Uses
> over-subscription)?

The short answer is that they each support line-rate. The longer answer is that it depends on what you measure, how you measure it and what you're doing on all the ports. There's a good description of how this all works here:

> http://www.cisco.com/en/US/docs/routers/asr9000/hardware/overview/guide/asr9kOVRGbook.pdf

See chapter 2. All of this is worth reading if you're planning to look at asr9k boxes.

So with an RSP2, you get up to 80G usable bandwidth per slot. This is provisioned using N * 23G paths from the line-card fabric interface to the back-plane (where N = 2 for the 4x10G cards and 4 for the 8x10G cards). For each of those 2x23G paths, there is a 30G capable ASIC which interfaces to two NPUs. Each ethernet interface has its own dedicated NPU which can handle up to 15G traffic. So the entire system is nominally under-subscribed from each ethernet port right back to the backplane. This is necessary to deal with various internal framing overhead issues (which is one of the primary reasons that the c6500/sup720 start dropping packets well before you hit 40gigs).

An NPU is a software forwarding engine. The more complex the configuration, the slower it operates. You'll certainly get line-rate with a simple in/out ipv4 config. But if you jam on ridiculously large ACLs with a crazy hqos config with tiny packet sizes and so forth, you may find that it's not going to be able to handle line rate any more. This is one of those "ymmv" issues.

> 8. Do the above 10GE line-cards support DWDM-XFP-C= on each of the 10G
> ports? (I need tunable DWDM XFP)

yes, ref:

> http://www.cisco.com/en/US/docs/interfaces_modules/transceiver_modules/compatibility/matrix/OL_6974.html#wp56063

If you need FEC, you will also need a A9K-ADV-OPTIC-LIC per line-card where you intend to run it. This isn't necessary for most installations and you'll really only need it for longer distances.

> 9. Do I need a license per line-card for (A9K-AIP-LIC-B) for full-scale
> L3VPNs?
> 1. Is there a chassis-wide license?

yes, you need a per-linecard license. There is no chassis-wide license. I understand that Cisco treat this as a feature rather than a bug.

> 10. Does Cisco support L2VPN Draft-kompella on IOS-XR now?

no idea.

Nick

From rolf-web at internet.ao Wed Mar 21 10:58:45 2012
From: rolf-web at internet.ao (Rolf Mendelsohn)
Date: Wed, 21 Mar 2012 15:58:45 +0100
Subject: [c-nsp] real world experience - ASR901 / ASR903
Message-ID: <7EC7FB71-57DD-4545-B74B-BAE4ECB9684A@internet.ao>

Hi Guys,

Just really curious regarding these new boxes (ASR901 / ASR903) ...

Has anybody bought them recently?

How is the IOS, relatively stable?

How many routes (901), BGP, MPLS, IPv6??

Does anybody have the ASR903, how is its performance and does anybody have a full table (or two going into one of these).

Regards,
Rolf

From jfitz at Princeton.EDU Wed Mar 21 13:12:46 2012
From: jfitz at Princeton.EDU (Jeffrey G. Fitzwater)
Date: Wed, 21 Mar 2012 17:12:46 +0000
Subject: [c-nsp] NX-OS MAC-MOVE notifications, no vlan shown ??
Message-ID: <3E4A047D-5DE2-4F21-94EE-DCDBCC6F1E72@exchange.princeton.edu>

I am running NX 5.2.1 on 7018 and have set logging level L2FM to 5 (notifications) in order to see the MAC-MOVES in logs. The problem I see is that VLAN associated with the MAC is not part of the error message as it is with 6500 IOS?

NX-OS

%L2FM-4-L2FM_MAC_MOVE: Mac 0014.4f82.9a60 has moved from Po1 to Eth3/33

IOS

%MAC_MOVE-SP-4-NOTIF: Host 0014.4f82.9a60 in vlan 128 is flapping between port Gi10/6 and port Po16

Is there a way to have the NEXUS show VLAN or would this be an Enhancement request.

Thanks for any help;

Jeff Fitzwater
OIT Network Systems
Princeton University

From peper at peper.eu.org Wed Mar 21 13:17:21 2012
From: peper at peper.eu.org (Piotr Wojciechowski)
Date: Wed, 21 Mar 2012 18:17:21 +0100
Subject: [c-nsp] Cisco ASR 9010 and CRS-1 understanding
In-Reply-To: <4F69D380.50304@foobar.org>
References: <4F69D380.50304@foobar.org>
Message-ID:

On 3/21/12 14:11 , Nick Hilliard wrote:
>> 2. Are RSP slots combo slots (can they be used to host I/O cards)?
>
> Not that I'm aware of.
>

They are not, can be used only for RSPs.

Regards,

--
Piotr Wojciechowski (CCIE #25543)   | "The trouble with being a god is
http://ccieplayground.wordpress.com | that you've got no one to pray to"
JID: peper at jabber.org             | -- (Terry Pratchett, Small Gods)

From tstevens at cisco.com Wed Mar 21 14:14:15 2012
From: tstevens at cisco.com (Tim Stevenson)
Date: Wed, 21 Mar 2012 11:14:15 -0700
Subject: [c-nsp] NX-OS MAC-MOVE notifications, no vlan shown ??
In-Reply-To: <3E4A047D-5DE2-4F21-94EE-DCDBCC6F1E72@exchange.princeton.edu>
References: <3E4A047D-5DE2-4F21-94EE-DCDBCC6F1E72@exchange.princeton.edu>
Message-ID: <201203211814.q2LIEKLx017561@mtv-core-2.cisco.com>

Hi Jeff,

CSCtw82129 introduces the change to include VLAN ID, 5.2(4) and 6.0(2) have the integration.

Hope that helps,
Tim

At 10:12 AM 3/21/2012, Jeffrey G. Fitzwater proclaimed:
>I am running NX 5.2.1 on 7018 and have set
>logging level L2FM to 5 (notifications) in order
>to see the MAC-MOVES in logs. The problem I see
>is that VLAN associated with the MAC is not part
>of the error message as it is with 6500 IOS
>
>
>NX-OS
>
>%L2FM-4-L2FM_MAC_MOVE: Mac 0014.4f82.9a60 has moved from Po1 to Eth3/33
>
>IOS
>
>%MAC_MOVE-SP-4-NOTIF: Host 0014.4f82.9a60 in
>vlan 128 is flapping between port Gi10/6 and port Po16
>
>
>Is there a way to have the NEXUS show VLAN or
>would this be an Enhancement request.
>
>
>
>Thanks for any help;
>
>
>
>Jeff Fitzwater
>OIT Network Systems
>Princeton University

Tim Stevenson, tstevens at cisco.com
Routing & Switching CCIE #5561
Distinguished Technical Marketing Engineer, Cisco Nexus 7000
Cisco - http://www.cisco.com
IP Phone: 408-526-6759
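As an added example, not from the thread or from Cisco: a small Python parser for the two MAC-move syslog formats Jeff quoted. It fills in the VLAN that the 5.2(1) NX-OS message lacks from a separately collected MAC-table snapshot, and counts repeated moves per host so that a MAC bouncing between two ports (a loop, a duplicated MAC, or a spoofed one) can be alerted on instead of merely logged. The sample log lines, the hostnames and the MAC-table snapshot are constructed.

```python
"""Parse NX-OS and IOS MAC-move syslog messages and flag hosts that keep flapping."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample lines (not real captures) in the two formats quoted in the thread,
# each with a typical syslog timestamp/hostname prefix in front of the message.
SAMPLE_LOGS = [
    "2012 Mar 21 10:12:01 n7k-core %L2FM-4-L2FM_MAC_MOVE: Mac 0014.4f82.9a60 has moved from Po1 to Eth3/33",
    "2012 Mar 21 10:12:03 n7k-core %L2FM-4-L2FM_MAC_MOVE: Mac 0014.4f82.9a60 has moved from Eth3/33 to Po1",
    "2012 Mar 21 10:12:05 n7k-core %L2FM-4-L2FM_MAC_MOVE: Mac 0014.4f82.9a60 has moved from Po1 to Eth3/33",
    "2012 Mar 21 10:13:40 n7k-core %L2FM-4-L2FM_MAC_MOVE: Mac 0025.b3aa.0001 has moved from Eth1/1 to Eth1/2",
    "Mar 21 10:14:10 c6500-dist: %MAC_MOVE-SP-4-NOTIF: Host 0014.4f82.9a60 in vlan 128 "
    "is flapping between port Gi10/6 and port Po16",
    "Mar 21 10:14:12 c6500-dist: %MAC_MOVE-SP-4-NOTIF: Host 0014.4f82.9a60 in vlan 128 "
    "is flapping between port Po16 and port Gi10/6",
    "Mar 21 10:14:20 c6500-dist: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
]

# Constructed MAC-table snapshot for the N7k (what a parsed 'show mac address-table' would give),
# used to supply the VLAN that the 5.2(1) NX-OS message does not carry.
N7K_MAC_TABLE: Dict[str, int] = {"0014.4f82.9a60": 128}

MAC = r"(?P<mac>(?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4})"
# re.search (not match) is used below so that whatever syslog prefix precedes the message is tolerated.
NXOS_RE = re.compile(r"%L2FM-4-L2FM_MAC_MOVE: Mac " + MAC + r" has moved from (?P<src>\S+) to (?P<dst>\S+)")
IOS_RE = re.compile(
    r"%MAC_MOVE-SP-4-NOTIF: Host " + MAC + r" in vlan (?P<vlan>\d+) "
    r"is flapping between port (?P<src>\S+) and port (?P<dst>\S+)"
)


@dataclass(frozen=True)
class MacMove:
    platform: str           # "nxos" or "ios"
    mac: str
    vlan: Optional[int]     # None when the message does not carry it
    ports: Tuple[str, str]  # the two ports, sorted so A->B and B->A compare equal


def _ports(m: "re.Match") -> Tuple[str, str]:
    a, b = sorted((m["src"], m["dst"]))
    return (a, b)


def parse_mac_move(line: str) -> Optional[MacMove]:
    """Return a MacMove for either message format, or None for an unrelated log line."""
    m = NXOS_RE.search(line)
    if m:
        return MacMove("nxos", m["mac"].lower(), None, _ports(m))
    m = IOS_RE.search(line)
    if m:
        return MacMove("ios", m["mac"].lower(), int(m["vlan"]), _ports(m))
    return None


def enrich_vlan(event: MacMove, mac_table: Dict[str, int]) -> MacMove:
    """Fill in the VLAN of an NX-OS event from the MAC-table snapshot, if the MAC is known."""
    if event.vlan is not None or event.mac not in mac_table:
        return event
    return MacMove(event.platform, event.mac, mac_table[event.mac], event.ports)


def flapping_hosts(lines: Iterable[str], mac_table: Dict[str, int],
                   threshold: int = 3) -> List[Tuple[str, Optional[int], Tuple[str, str], int]]:
    """Count moves per (MAC, VLAN, port pair) and return those seen at least `threshold` times,
    busiest first. A MAC bouncing between the same two ports is the classic sign of a loop,
    a duplicated MAC (misconfigured host or VM) or MAC spoofing, and deserves an alert."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_mac_move(line)
        if ev is None:
            continue
        ev = enrich_vlan(ev, mac_table)
        counts[(ev.mac, ev.vlan, ev.ports)] += 1
    hits = [(mac, vlan, ports, n) for (mac, vlan, ports), n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda t: -t[3])


if __name__ == "__main__":
    for mac, vlan, ports, n in flapping_hosts(SAMPLE_LOGS, N7K_MAC_TABLE):
        print(f"{mac} vlan {vlan}: {n} moves between {ports[0]} and {ports[1]}")
```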
From pshem.k at gmail.com Wed Mar 21 15:57:38 2012
From: pshem.k at gmail.com (Pshem Kowalczyk)
Date: Thu, 22 Mar 2012 08:57:38 +1300
Subject: [c-nsp] real world experience - ASR901 / ASR903
In-Reply-To: <7EC7FB71-57DD-4545-B74B-BAE4ECB9684A@internet.ao>
References: <7EC7FB71-57DD-4545-B74B-BAE4ECB9684A@internet.ao>
Message-ID:

Hi,

On 22 March 2012 03:58, Rolf Mendelsohn wrote:
> Hi Guys,
>
> Just really curious regarding these new boxes (ASR901 / ASR903) ...
>
> Has anybody bought them recently?
>
> How is the IOS, relatively stable?
>
> How many routes (901), BGP, MPLS, IPv6??
>
> Does anybody have the ASR903, how is its performance and does anybody have a full table (or two going into one of these).

Not real world, but according to the information I got from Cisco RSP1A can hold 12k ipv4 routes or 6k ipv6 ones, and RSP1B - 32k ipv4 and 16k ipv6, so nowhere near what's required for full table. I don't have the numbers for ASR901, but that's mainly a L2 VPN device, so I'd expect them to be even lower.

kind regards
Pshem

From diosbejgli at gmail.com Wed Mar 21 16:58:59 2012
From: diosbejgli at gmail.com (Tóth András)
Date: Wed, 21 Mar 2012 21:58:59 +0100
Subject: [c-nsp] N7k CoPP versus rate-limiters
In-Reply-To: <4F69C5ED.6050909@imperial.ac.uk>
References: <4F6083FA.1050602@imperial.ac.uk> <4F69C5ED.6050909@imperial.ac.uk>
Message-ID:

Hi Phil,

Thanks for clarifying what you meant. I understand the documentation might not be detailed enough. Let me give some further information.

The feature "hardware rate-limiter" is independent from CoPP, but it complements CoPP in protecting the supervisor CPU from excessive inbound traffic. The traffic rate allowed by the hardware rate-limiters is configured globally and applied to each individual I/O module. The resulting allowed rate depends on the number of I/O modules in the system. CoPP provides more granular supervisor CPU protection by utilizing the modular quality-of-service CLI (MQC).

CoPP is evaluated first, then the HW Rate-limiters afterwards. There are some rate-limiters which can be found both in CoPP and in HW RL. An example is OSPF control packets. The reason for this is multiple layers of security and some form of redundancy if CoPP is not enabled.

ip access-list copp-system-p-acl-ospf
   permit ospf any any
class-map type control-plane match-any copp-system-p-class-critical
   match access-group name copp-system-p-acl-ospf

See the following documentation for a few more examples of HW RLs:
http://docwiki.cisco.com/wiki/Cisco_Nexus_7000_Series_NX-OS_Troubleshooting_Guide_--_Troubleshooting_Packet_Flow_Issues

You can also use the following command to see how the RLs are mapped. With that you can also see what is and what isn't mapped to CoPP. As it's an internal command, it comes without the need of its output being customer friendly.

show hardware internal forwarding rate-limiter usage

I hope this helps a bit.

Best regards,
Andras

On Wed, Mar 21, 2012 at 1:13 PM, Phil Mayers wrote:
> On 20/03/12 20:53, Tóth András wrote:
>>
>> Hi Phil,
>>
>> There are certain exceptions for packets being forwarded which are not
>> handled by CoPP, these are covered by the HW Rate Limiters.
>
>
> Andras,
>
> Thanks for the response. Unfortunately it didn't tell me anything I didn't
> already know ;o)
>
> In fact, it appears to be largely cut&paste from the NX-OS docs, which I
> have read.
>
> Perhaps I wasn't specific enough in my original email.
>
> I'm looking for comprehensive documentation on what types of packets are
> considered to match the HW rate limiters, what types of packets match CoPP,
> and how the system acts when >1 match occurs.
>
>
> This kind of behaviour is not well documented for Sup720, but if you dig
> through the Cisco site and archives of the list, you can find your info.
>
> It is even LESS well documented for N7k as far as I can tell. The HW RL have
> uninformative names like "layer-3 control" and there is little or no
> documentation about how they interact, other than tantalising hints like:
>
> """
> Layer 3 control, multicast direct-connect, and ARP request packets are
> controlled by the Layer 2 copy rate limiter. The first two types of packets
> are also controlled by Layer 3 rate limiters, and the last two types are
> also subject to control plane policing
> """
>
> For example: which HW rate-limiters does an OSPF packet match, if any? In
> which order do these rate-limiters match, and is it before or after CoPP?
>
> Or, the "receive" HW RL versus CoPP.
>
> Or, the "layer-3 ttl" HW RL versus the "match exception ttl-failure", or
> again for "mtu".
>
> Hope that explains things in more detail.
>
> Cheers,
> Phil

From diosbejgli at gmail.com Wed Mar 21 17:16:58 2012
From: diosbejgli at gmail.com (Tóth András)
Date: Wed, 21 Mar 2012 22:16:58 +0100
Subject: [c-nsp] N7k CoPP versus rate-limiters
In-Reply-To:
References: <4F6083FA.1050602@imperial.ac.uk> <4F69C5ED.6050909@imperial.ac.uk>
Message-ID:

Hi Phil,

Sorry, my previous email deserves some clarification as it was a bit confusing after I read it again.

OSPF packets sent to 224.0.0/24, will go through L3-control RL and not CoPP. However, OSPF packets sent unicast will go through CoPP and not L3-control RL.

There are only a few packets, such as DHCP and ARP which go through both CoPP and rate-limiter.

There are some packets which CoPP cannot catch, and those need to be rate-limited, and that is why there are rate-limiters.

As mentioned, you can use the "show hardware internal forwarding rate-limiter usage" command to check what is handled by CoPP and what is handled by rate-limiter, and what by both.

Best regards,
Andras

On Wed, Mar 21, 2012 at 9:58 PM, Tóth András wrote:
> Hi Phil,
>
> Thanks for clarifying what you meant. I understand the documentation
> might not be detailed enough. Let me give some further information.
>
> The feature "hardware rate-limiter" is independent from CoPP, but it
> complements CoPP in protecting the supervisor CPU from excessive
> inbound traffic. The traffic rate allowed by the hardware
> rate-limiters is configured globally and applied to each individual
> I/O module. The resulting allowed rate depends on the number of I/O
> modules in the system. CoPP provides more granular supervisor CPU
> protection by utilizing the modular quality-of-service CLI (MQC).
>
>
> CoPP is evaluated first, then the HW Rate-limiters afterwards. There
> are some rate-limiters which can be found both in CoPP and in HW RL.
> An example is OSPF control packets. The reason for this is multiple
> layers of security and some form of redundancy if CoPP is not enabled.
>
> ip access-list copp-system-p-acl-ospf
>    permit ospf any any
> class-map type control-plane match-any copp-system-p-class-critical
>    match access-group name copp-system-p-acl-ospf
>
> See the following documentation for a few more examples of HW RLs:
> http://docwiki.cisco.com/wiki/Cisco_Nexus_7000_Series_NX-OS_Troubleshooting_Guide_--_Troubleshooting_Packet_Flow_Issues
>
>
> You can also use the following command to see how the RLs are mapped.
> With that you can also see what is and what isn't mapped to CoPP. As
> it's an internal command, it comes without the need of its output
> being customer friendly.
>
> show hardware internal forwarding rate-limiter usage
>
>
> I hope this helps a bit.
>
> Best regards,
> Andras
>
>
> On Wed, Mar 21, 2012 at 1:13 PM, Phil Mayers wrote:
>> On 20/03/12 20:53, Tóth András wrote:
>>>
>>> Hi Phil,
>>>
>>> There are certain exceptions for packets being forwarded which are not
>>> handled by CoPP, these are covered by the HW Rate Limiters.
>>
>>
>> Andras,
>>
>> Thanks for the response. Unfortunately it didn't tell me anything I didn't
>> already know ;o)
>>
>> In fact, it appears to be largely cut&paste from the NX-OS docs, which I
>> have read.
>>
>> Perhaps I wasn't specific enough in my original email.
>>
>> I'm looking for comprehensive documentation on what types of packets are
>> considered to match the HW rate limiters, what types of packets match CoPP,
>> and how the system acts when >1 match occurs.
>>
>>
>> This kind of behaviour is not well documented for Sup720, but if you dig
>> through the Cisco site and archives of the list, you can find your info.
>>
>> It is even LESS well documented for N7k as far as I can tell. The HW RL have
>> uninformative names like "layer-3 control" and there is little or no
>> documentation about how they interact, other than tantalising hints like:
>>
>> """
>> Layer 3 control, multicast direct-connect, and ARP request packets are
>> controlled by the Layer 2 copy rate limiter. The first two types of packets
>> are also controlled by Layer 3 rate limiters, and the last two types are
>> also subject to control plane policing
>> """
>>
>> For example: which HW rate-limiters does an OSPF packet match, if any? In
>> which order do these rate-limiters match, and is it before or after CoPP?
>>
>> Or, the "receive" HW RL versus CoPP.
>>
>> Or, the "layer-3 ttl" HW RL versus the "match exception ttl-failure", or
>> again for "mtu".
>>
>> Hope that explains things in more detail.
>>
>> Cheers,
>> Phil

From Matt.Stoward at team.telstra.com Wed Mar 21 21:14:16 2012
From: Matt.Stoward at team.telstra.com (Stoward, Matt)
Date: Thu, 22 Mar 2012 12:14:16 +1100
Subject: [c-nsp] Is there sticky ARP functionality on Private VLAN in NX-OS
In-Reply-To:
References:
Message-ID:

Hi all,

When configuring PVLANs in IOS, the L3 SVIs automatically get sticky ARP turned on and to remove it is quite simple. In NX-OS things are a little uncertain. It is implied that the behavior is the same but I don't think it actually is.
On the Cisco site in http://docwiki.cisco.com/wiki/Cisco_Nexus_7000_Series_NX-OS_Troubleshooting_Guide_--_Troubleshooting_VLANs , and to quote: "Note: We recommend that you enable sticky Address Resolution Protocol (ARP) when you configure private VLANs. ARP entries learned on Layer 3 private VLAN interfaces, or SVIs, are sticky ARP entries. For security reasons, private VLAN port sticky ARP entries do not age out. " This is the only reference I can find to sticky ARP anywhere (except for a couple of similar looking entries for this like the 1000V). Is this quite possibly an error in documentation? Having sticky ARPs in a big virtualized environment is going to break things for the sever guys and I want to ensure I head this off before it becomes a problem. Regards, Matt From p.mayers at imperial.ac.uk Thu Mar 22 07:25:48 2012 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Thu, 22 Mar 2012 11:25:48 +0000 Subject: [c-nsp] N7k CoPP versus rate-limiters In-Reply-To: References: <4F6083FA.1050602@imperial.ac.uk> <4F69C5ED.6050909@imperial.ac.uk> Message-ID: <4F6B0C3C.3050601@imperial.ac.uk> On 21/03/12 21:16, T?th Andr?s wrote: > Hi Phil, > > Sorry, my previous email deserves some clarification as it was a bit > confusing after I read it again. > > OSPF packets sent to 224.0.0/24, will go through L3-control RL and not > CoPP. However, OSPF packets sent unicast will go through CoPP and not > L3-control RL. Thanks, that's very helpful; it gives insight into the "split" between the two. > > There are only a few packets, such as DHCP and ARP which go through > both CoPP and rate-limiter. Presumably the "receive" rate-limiter is a special case o > > There are some packets which CoPP cannot catch, and those need to be > rate-limited, and that is why there are rate-limiters. > > As mentioned, you can use the "show hardware internal forwarding > rate-limiter usage" command to check what is handled by CoPP and what > is handled by rate-limiter, and what by both. 
This is an extremely useful bit of info; thanks very much for your
excellent reply!

Cheers,
Phil

From nmaxpierson at gmail.com Thu Mar 22 10:14:22 2012
From: nmaxpierson at gmail.com (N. Max Pierson)
Date: Thu, 22 Mar 2012 09:14:22 -0500
Subject: [c-nsp] ASR 1006 Code
Message-ID:

Hi List,

Turning up a few new 1006's and would like to hear from those of you on a
stable revision of XE. We're currently running on 15.1(2)S1 and have hit
quite a few bugs. Our Cisco team says we should move to 15.2.(1)S1. Being
this release is relatively new, I'm a little hesitant to jump to it. The
last go around had us on an image ridden with bugs after some exposure.

Features used ... nothing really exotic ....

BGPv4
EIGRPv4
Netflow
QoS
IP Sla

Any recommendations would be great.

Regards,
Max

From cisco-nsp at slepicka.net Thu Mar 22 11:34:22 2012
From: cisco-nsp at slepicka.net (James Slepicka (c-nsp))
Date: Thu, 22 Mar 2012 15:34:22 +0000
Subject: [c-nsp] ASR 1006 Code
In-Reply-To:
References:
Message-ID: <75AFB6FE184CBF4EBA1F7ADFFF88942EB97F1DDC@mail1.slepicka.net>

I recently upgraded a couple of these to 15.2(1)S1 to address crashes
caused by the IPC Check Queue process. It's only been a couple of weeks but
so far, so good.

James

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of N. Max Pierson
Sent: Thursday, March 22, 2012 9:14 AM
To: Cisco Mailing list
Subject: [c-nsp] ASR 1006 Code

Hi List,

Turning up a few new 1006's and would like to hear from those of you on a
stable revision of XE. We're currently running on 15.1(2)S1 and have hit
quite a few bugs. Our Cisco team says we should move to 15.2.(1)S1. Being
this release is relatively new, I'm a little hesitant to jump to it. The
last go around had us on an image ridden with bugs after some exposure.

Features used ... nothing really exotic ....

BGPv4
EIGRPv4
Netflow
QoS
IP Sla

Any recommendations would be great.
Regards,
Max
_______________________________________________
cisco-nsp mailing list
cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From keegan.holley at sungard.com Thu Mar 22 13:56:36 2012
From: keegan.holley at sungard.com (Keegan Holley)
Date: Thu, 22 Mar 2012 13:56:36 -0400
Subject: [c-nsp] NAT on the 3750X
Message-ID:

Does cisco support NAT on its rack mountable switches yet? 3560/3750X etc..

From rwest at zyedge.com Thu Mar 22 14:04:31 2012
From: rwest at zyedge.com (Ryan West)
Date: Thu, 22 Mar 2012 18:04:31 +0000
Subject: [c-nsp] NAT on the 3750X
In-Reply-To:
References:
Message-ID: <5DC4853C6CC3EE4788779E0726E034DD010BAE3C@zy-ex1.zyedge.local>

On Thu, Mar 22, 2012 at 13:56:36, Keegan Holley wrote:
> Subject: [c-nsp] NAT on the 3750X
>
> Does cisco support NAT on its rack mountable switches yet?
> 3560/3750X etc..

No, only on the 6500 in the catalyst series to my knowledge. The ME switch
based on the 6500 may though.

-ryan

From ml at kenweb.org Thu Mar 22 14:05:25 2012
From: ml at kenweb.org (ML)
Date: Thu, 22 Mar 2012 14:05:25 -0400
Subject: [c-nsp] New Cisco ME3400 IOS?
Message-ID: <4F6B69E5.9050608@kenweb.org>

Maybe a Cisco employee on list or someone in the know can shed some light
on my inquiry... As my AM/SE won't even bother forwarding my question to
the right person.

Does anyone know if/when a new feature release for the ME3400 will be out?
The last new feature release was in July 2011 and I'm about to do a mass
upgrade of a number of 3400s. I'd rather wait a little while if it means a
feature I can use will be in the next release rather than be behind in code
shortly after an upgrade cycle.
From c.spurgeon at mail.utexas.edu Thu Mar 22 14:55:25 2012
From: c.spurgeon at mail.utexas.edu (Charles Spurgeon)
Date: Thu, 22 Mar 2012 13:55:25 -0500
Subject: [c-nsp] N7k CoPP versus rate-limiters
In-Reply-To: <4F6B0C3C.3050601@imperial.ac.uk>
References: <4F6083FA.1050602@imperial.ac.uk> <4F69C5ED.6050909@imperial.ac.uk> <4F6B0C3C.3050601@imperial.ac.uk>
Message-ID: <20120322185525.GA48623@argus.gw.utexas.edu>

On Thu, Mar 22, 2012 at 11:25:25AM +0000, Phil Mayers wrote:
> On 21/03/12 21:16, Tóth András wrote:
> >Hi Phil,
> >
> >Sorry, my previous email deserves some clarification as it was a bit
> >confusing after I read it again.
> >
> >OSPF packets sent to 224.0.0/24, will go through L3-control RL and not
> >CoPP. However, OSPF packets sent unicast will go through CoPP and not
> >L3-control RL.
>
> Thanks, that's very helpful; it gives insight into the "split" between
> the two.
>
> >
> >There are only a few packets, such as DHCP and ARP which go through
> >both CoPP and rate-limiter.
>
> Presumably the "receive" rate-limiter is a special case o
>
> >
> >There are some packets which CoPP cannot catch, and those need to be
> >rate-limited, and that is why there are rate-limiters.
> >
> >As mentioned, you can use the "show hardware internal forwarding
> >rate-limiter usage" command to check what is handled by CoPP and what
> >is handled by rate-limiter, and what by both.
>
> This is an extremely useful bit of info; thanks very much for your
> excellent reply!

BTW, there's a new "IP Glean Throttling" command as of 5.1 code which is an
ARP throttle. It is not enabled by default.
We have enabled this on our 7010s with "hardware ip glean throttle"

http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/unicast/configuration/guide/l3_ip.html#wp1197271

I took these notes about the new ARP throttle while on a conf call a year
ago, so this is not official Cisco info, just what I thought I heard:

--------------------
A new throttle rate limiter has shipped in v5.1 code that installs a /32
CEF FIB drop adjacency and automatically black holes traffic being sent to
an unoccupied address in an attempt to DoS the router CPU. This is a vuln
that they are dealing with by installing the auto-drop adjacency and
ceasing to ARP for the address for 30 seconds after the first ARP. This
feature must be enabled, not on by default. There are knobs to adjust
timers and the number of /32 drop adjacencies that are allowed to avoid
TCAM exhaustion from randomized src addrs in an attack of this type.
--------------------

Also, on a related topic of which packets may get dropped on their way
through the router, beware the IDS packet checking system which is enabled
by default and likes to find reasons to drop packets. Since our preference
is to deliver packets vs dropping them, we have disabled a number of these:

http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/unicast/configuration/guide/l3_ip.html#wp1197179

-Charles

Charles E. Spurgeon / UTnet
UT Austin ITS / Networking
c.spurgeon at its.utexas.edu / 512.475.9265

From nick at foobar.org Thu Mar 22 16:36:51 2012
From: nick at foobar.org (Nick Hilliard)
Date: Thu, 22 Mar 2012 20:36:51 +0000
Subject: [c-nsp] NAT on the 3750X
In-Reply-To:
References:
Message-ID: <4F6B8D63.2020201@foobar.org>

On 22/03/2012 17:56, Keegan Holley wrote:
> Does cisco support NAT on it's rack mountable switches yet? 3560/3750X
> etc..

afaik there is no hardware support for this sort of thing on that platform,
therefore it will never be meaningfully supported.
Nick

From nick at foobar.org Thu Mar 22 18:02:41 2012
From: nick at foobar.org (Nick Hilliard)
Date: Thu, 22 Mar 2012 22:02:41 +0000
Subject: [c-nsp] Filtering Routes with Private AS Numbers in the AS Path
In-Reply-To: <35791.131.203.92.28.1332285433.squirrel@mail.orcon.net.nz>
References: <35791.131.203.92.28.1332285433.squirrel@mail.orcon.net.nz>
Message-ID: <4F6BA181.8090107@foobar.org>

On 20/03/2012 23:17, Ivan wrote:
> For filtering private as numbers (64512-65535) using an as-path
> access-list there are a few options I have seen:

Ivan, this is quite an interesting question. Obviously, the best way to
model it is by testing it out in a lab environment with cisco gear, but
given that this is slightly difficult to quantify accurately, I took the
liberty of modelling the regexps against the perl regexp library. If you're
interested in the theory of how regexps work, there's lots about it on the
internet.

> 1). All in one line
> ip as-path access-list 66 permit
> _(6451[2-9]|645[2-9][0-9]|64[6-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5])_
>
> 2). The above modified hopefully to be "better" in terms of regexp
> processing but perhaps not readability
> ip as-path access-list 66 permit
> _6(4(5(1[2-9]|[2-9][0-9])|[6-9][0-9][0-9])|5([0-4][0-9][0-9]|5([0-2][0-9]|3[0-5])))_
>
> 3). Separate lines
> ip as-path access-list 66 permit _6451[2-9]_
> ip as-path access-list 66 permit _645[2-9][0-9]_
> ip as-path access-list 66 permit _64[6-9][0-9][0-9]_
> ip as-path access-list 66 permit _65[0-4][0-9][0-9]_
> ip as-path access-list 66 permit _655[0-2][0-9]_
> ip as-path access-list 66 permit _6553[0-5]_
>
> I would appreciate any feedback as to which is the least CPU intensive and
> if there is a better way to optimise 2 above.

The first thing to note is that #3 is basically the same as #1 except that
there are two possible ways of implementing the regexp->DFA transformation.
Either it can be done as a single DFA with possible optimisation or else as
an implementation with multiple DFAs. The latter will certainly be slower.
The former can be no faster than #1 in the best case. So #3 is more
readable but certainly no more efficient than #1, pretty much regardless of
exactly how cisco handle it.

The real question then is how #2 is processed in comparison to #1.

In terms of how simple regexps like this are processed, there is really
only one algorithmic method: you transform the RE into a finite-state
automaton using the as path as input (note that for more complicated
regexps, this is categorically not the case and there are some interesting
edge cases which cause the perl re lib to undergo catastrophic
time-constraint failure). There are a couple of different ways of doing
this transformation and data input, but for a simple regexp like yours with
no back-references, while there might be implementation differences which
will make one library faster than another, my suspicion is that you can do
a comparative analysis using a different RE library to make comparisons
about which expression is more efficient than which.

I created a perl model to check the two regexps 100 times each, for each
$as between 0 and 65535:

> # $re holds the body of regexp #1 or #2 (the part between cisco's "_" anchors)
> for ($j=0; $j < 100; $j++) {
>   for ($i=0; $i < 65536; $i++) {
>     if ($i =~ /$re/) {
>       $match++;
>     }
>   }
> }

The wall-clock execution time was measured for 60 runs for each regexp and
the 10 fastest times were compared for each regexp, in order to eliminate
cpu jitter. The average wall clock time for the fastest 10 runs was:

#1: 4.114 seconds
#2: 2.202 seconds

i.e. #2 is about ~47% more efficient than #1.

Checking against a sequential list of asns isn't a very realistic means of
figuring out what's going to happen in real life.
So for the next run, I took a dfz dump and pulled out all the ASN paths
from it and pushed this text file through the following code:

> # $re holds the body of regexp #1 or #2, as in the previous run
> for ($j=0; $j < 5; $j++) {
>   open (INPUT, "dfz.txt");
>   while (<INPUT>) {
>     chomp;
>     if (/\b$re\b/) {
>       $match++;
>     }
>   }
>   close (INPUT);
> }

"\b" is the perl equivalent of cisco's "_" character, and is necessary to
stop arbitrary sequence matching.

This produced the following average fastest top-10 results:

#1: 5.085 seconds
#2: 1.803 seconds

i.e. #2 is about ~65% more efficient than #1.

You can see from these results that regexp #2 is much faster in general for
perl, and based on the fact that all regexp libraries use similar
algorithms I would suspect that you're going to see similar results for the
IOS implementation.

Several other bgp as-path filtering implementations (e.g. JUNOS and BIRD)
score a major win against cisco in this regard, as they can perform
numerical matching, which turns the input algorithm from:

  text input -> regexp parser -> match yes/no

to:

  text input -> convert to numeric -> numeric comparison -> match yes/no

The latter is obviously much faster than the former.

hth,
Nick

From cburnham at du.edu Thu Mar 22 20:33:46 2012
From: cburnham at du.edu (Chad Burnham)
Date: Thu, 22 Mar 2012 18:33:46 -0600
Subject: [c-nsp] ASR 1006 Code
In-Reply-To:
References:
Message-ID:

HI Max,

I upgraded to asr1000rp2-advipservicesk9.03.05.00.S.152-1.S.bin 13 weeks
ago - stable for us.
BGPv4 BGPv6, Netflow, QoS

Still have an open bug ID on special characters in user/password for the
WUI interface. Very minor.

Chad

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of N. Max Pierson
Sent: Thursday, March 22, 2012 8:14 AM
To: Cisco Mailing list
Subject: [c-nsp] ASR 1006 Code

Hi List,

Turning up a few new 1006's and would like to hear from those of you on a
stable revision of XE. We're currently running on 15.1(2)S1 and have hit
quite a few bugs.
Our Cisco team says we should move to 15.2.(1)S1. Being this release is
relatively new, I'm a little hesitant to jump to it. The last go around had
us on an image ridden with bugs after some exposure.

Features used ... nothing really exotic ....

BGPv4
EIGRPv4
Netflow
QoS
IP Sla

Any recommendations would be great.

Regards,
Max

From waris at cisco.com Fri Mar 23 03:28:51 2012
From: waris at cisco.com (Waris Sagheer (waris))
Date: Fri, 23 Mar 2012 00:28:51 -0700
Subject: [c-nsp] New Cisco ME3400 IOS?
In-Reply-To: <4F6B69E5.9050608@kenweb.org>
References: <4F6B69E5.9050608@kenweb.org>
Message-ID: <4F2E952349CF714899213AA2A0F68C7D0430125A@xmb-sjc-215.amer.cisco.com>

Hi,
ME3400 new release "12.2(58)EX" will be available by the end of March.
Following new features are expected to be delivered in the new release,
-Y.1731 PM Delay Measurement (DM)
-IPSLA DMM/DMR MIB
-Enhanced QoS buffer management

Regards,
-Waris

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of ML
Sent: Thursday, March 22, 2012 11:05 AM
To: Cisco Mailing list
Subject: [c-nsp] New Cisco ME3400 IOS?

Maybe a Cisco employee on list or someone in the know can shed some light
on my inquiry... As my AM/SE won't even bother forwarding my question to
the right person.

Does anyone know if/when a new feature release for the ME3400 will be out?
The last new feature release was in July 2011 and I'm about to do a mass
upgrade of a number of 3400s. I'd rather wait a little while if it means a
feature I can use will be in the next release rather than be behind in code
shortly after an upgrade cycle.
From waris at cisco.com Fri Mar 23 03:32:53 2012
From: waris at cisco.com (Waris Sagheer (waris))
Date: Fri, 23 Mar 2012 00:32:53 -0700
Subject: [c-nsp] Why does the ME3600X not support VLAN mapping?
In-Reply-To:
References:
Message-ID: <4F2E952349CF714899213AA2A0F68C7D0430125D@xmb-sjc-215.amer.cisco.com>

Hi Richard,
ME3600X does support VLAN mapping through EVC.
Can you elaborate the requirement?

Regards,
-Waris

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Richard Hartmann
Sent: Tuesday, March 06, 2012 7:54 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Why does the ME3600X not support VLAN mapping?

Hi all,

I am somewhat confused/annoyed by the ME 3600X's lack of support for VLAN
mapping. The ME-C3750 offers this, listing the feature as "metro Ethernet
service" for obvious reasons. I would go as far as saying that this is, in
fact, a requirement for a device sold as offering ME capabilities.

From what I understand of the hardware side, this should be a software, not
a hardware, limitation. Is anyone able to confirm/falsify this?

Assuming it's a software issue, has anyone heard of an ETA for this highly
advanced and cutting-edge technology's arrival on the poor, down-trodden ME
3600X?
Thanks,
Richard

From waris at cisco.com Fri Mar 23 03:45:15 2012
From: waris at cisco.com (Waris Sagheer (waris))
Date: Fri, 23 Mar 2012 00:45:15 -0700
Subject: [c-nsp] real world experience - ASR901 / ASR903
In-Reply-To:
References: <7EC7FB71-57DD-4545-B74B-BAE4ECB9684A@internet.ao>
Message-ID: <4F2E952349CF714899213AA2A0F68C7D0430125F@xmb-sjc-215.amer.cisco.com>

ASR 903 runs IOS XE and ASR901 runs classical IOS.
ASR 901 Scale:
IPv4 Routes - 12K
BGP peers - 100
Number of VRF - 128
IPv6 support is in roadmap for August timeframe.

ASR 903 is capable of line rate performance. It does not support full
internet routing table.

-Waris

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Pshem Kowalczyk
Sent: Wednesday, March 21, 2012 12:58 PM
To: Rolf Mendelsohn
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] real world experience - ASR901 / ASR903

Hi,

On 22 March 2012 03:58, Rolf Mendelsohn wrote:
> Hi Guys,
>
> Just really curious regarding these new boxes (ASR901 / ASR903) ...
>
> Has anybody bought them recently?
>
> How is the IOS, relatively stable?
>
> How many routes (901), BGP, MPLS, IPv6??
>
> Does anybody have the ASR903, how is its performance and does anybody
have a full table (or two going into one of these).

Not real world, but according to the information I got from Cisco RSP1A
can hold 12k ipv4 routes or 6k ipv6 ones, and RSP1B - 32k ipv4 and 16k
ipv6, so nowhere near what's required for full table. I don't have the
numbers for ASR901, but that's mainly a L2 VPN device, so I'd expect
them to be even lower.
kind regards
Pshem

From achatz at forthnetgroup.gr Fri Mar 23 03:59:53 2012
From: achatz at forthnetgroup.gr (Tassos Chatzithomaoglou)
Date: Fri, 23 Mar 2012 09:59:53 +0200
Subject: [c-nsp] New Cisco ME3400 IOS?
In-Reply-To: <4F2E952349CF714899213AA2A0F68C7D0430125A@xmb-sjc-215.amer.cisco.com>
References: <4F6B69E5.9050608@kenweb.org> <4F2E952349CF714899213AA2A0F68C7D0430125A@xmb-sjc-215.amer.cisco.com>
Message-ID: <4F6C2D79.2040703@forthnetgroup.gr>

Hi Waris,

Can you please provide more details about "Enhanced QoS buffer management"?
Also, is there a CCO doc describing the buffer size of ME3400/ME3400E ports?

--
Tassos

Waris Sagheer (waris) wrote on 23/3/2012 09:28:
> Hi,
> ME3400 new release "12.2(58)EX" will be available by the end of March.
> Following new features are expected to be delivered in the new release,
> -Y.1731 PM Delay Measurement (DM)
> -IPSLA DMM/DMR MIB
> -Enhanced QoS buffer management
>
> Regards,
> -Waris
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of ML
> Sent: Thursday, March 22, 2012 11:05 AM
> To: Cisco Mailing list
> Subject: [c-nsp] New Cisco ME3400 IOS?
>
> Maybe a Cisco employee on list or someone in the know can shed some
> light on my inquiry... As my AM/SE won't even bother forwarding my
> question to the right person.
>
> Does anyone know if/when a new feature release for the ME3400 will be
> out? The last new feature release was in July 2011 and I'm about to do a
> mass upgrade of a number of 3400s. I'd rather wait a little while if it
> means a feature I can use will be in the next release rather than be
> behind in code shortly after an upgrade cycle.
>

From rolf-web at internet.ao Fri Mar 23 05:00:43 2012
From: rolf-web at internet.ao (Rolf Mendelsohn)
Date: Fri, 23 Mar 2012 10:00:43 +0100
Subject: [c-nsp] real world experience - ASR901 / ASR903
In-Reply-To: <4F2E952349CF714899213AA2A0F68C7D0430125F@xmb-sjc-215.amer.cisco.com>
References: <7EC7FB71-57DD-4545-B74B-BAE4ECB9684A@internet.ao> <4F2E952349CF714899213AA2A0F68C7D0430125F@xmb-sjc-215.amer.cisco.com>
Message-ID:

Waris,

How many routes does the ASR903 support?

Rolf

On 23 Mar 2012, at 8:45 AM, Waris Sagheer (waris) wrote:
> ASR 903 runs IOS XE and ASR901 runs classical IOS.
> ASR 901 Scale:
> IPv4 Routes - 12K
> BGP peers - 100
> Number of VRF - 128
> IPv6 support is in roadmap for August timeframe.
>
> ASR 903 is capable of line rate performance. It does not support full
> internet routing table.
>
> -Waris
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Pshem Kowalczyk
> Sent: Wednesday, March 21, 2012 12:58 PM
> To: Rolf Mendelsohn
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] real world experience - ASR901 / ASR903
>
> Hi,
>
> On 22 March 2012 03:58, Rolf Mendelsohn wrote:
>> Hi Guys,
>>
>> Just really curious regarding these new boxes (ASR901 / ASR903) ...
>>
>> Has anybody bought them recently?
>>
>> How is the IOS, relatively stable?
>>
>> How many routes (901), BGP, MPLS, IPv6??
>>
>> Does anybody have the ASR903, how is its performance and does anybody
> have a full table (or two going into one of these).
>
> Not real world, but according to the information I got from Cisco RSP1A
> can hold 12k ipv4 routes or 6k ipv6 ones, and RSP1B - 32k ipv4 and 16k
> ipv6, so nowhere near what's required for full table. I don't have the
> numbers for ASR901, but that's mainly a L2 VPN device, so I'd expect
> them to be even lower.
>
> kind regards
> Pshem

From achatz at forthnetgroup.gr Fri Mar 23 05:30:36 2012
From: achatz at forthnetgroup.gr (Tassos Chatzithomaoglou)
Date: Fri, 23 Mar 2012 11:30:36 +0200
Subject: [c-nsp] real world experience - ASR901 / ASR903
In-Reply-To:
References: <7EC7FB71-57DD-4545-B74B-BAE4ECB9684A@internet.ao> <4F2E952349CF714899213AA2A0F68C7D0430125F@xmb-sjc-215.amer.cisco.com>
Message-ID: <4F6C42BC.6010206@forthnetgroup.gr>

ASR903 seems more like a modular ME-3800X, with the ability to upgrade the
RSP if needed.

--
Tassos

Rolf Mendelsohn wrote on 23/3/2012 11:00:
> Waris,
>
> How many routes does the ASR903 support?
>
> Rolf
>
> On 23 Mar 2012, at 8:45 AM, Waris Sagheer (waris) wrote:
>> ASR 903 runs IOS XE and ASR901 runs classical IOS.
>> ASR 901 Scale:
>> IPv4 Routes - 12K
>> BGP peers - 100
>> Number of VRF - 128
>> IPv6 support is in roadmap for August timeframe.
>>
>> ASR 903 is capable of line rate performance. It does not support full
>> internet routing table.
>>
>> -Waris
>>
>>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net
>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Pshem Kowalczyk
>> Sent: Wednesday, March 21, 2012 12:58 PM
>> To: Rolf Mendelsohn
>> Cc: cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] real world experience - ASR901 / ASR903
>>
>> Hi,
>>
>> On 22 March 2012 03:58, Rolf Mendelsohn wrote:
>>> Hi Guys,
>>>
>>> Just really curious regarding these new boxes (ASR901 / ASR903) ...
>>>
>>> Has anybody bought them recently?
>>>
>>> How is the IOS, relatively stable?
>>>
>>> How many routes (901), BGP, MPLS, IPv6??
>>>
>>> Does anybody have the ASR903, how is its performance and does anybody
>> have a full table (or two going into one of these).
>>
>> Not real world, but according to the information I got from Cisco RSP1A
>> can hold 12k ipv4 routes or 6k ipv6 ones, and RSP1B - 32k ipv4 and 16k
>> ipv6, so nowhere near what's required for full table. I don't have the
>> numbers for ASR901, but that's mainly a L2 VPN device, so I'd expect
>> them to be even lower.
>>
>> kind regards
>> Pshem
>

From cisco-nsp at itpro.co.nz Fri Mar 23 05:39:33 2012
From: cisco-nsp at itpro.co.nz (Ivan)
Date: Fri, 23 Mar 2012 22:39:33 +1300
Subject: [c-nsp] Filtering Routes with Private AS Numbers in the AS Path
In-Reply-To: <4F6BA181.8090107@foobar.org>
References: <35791.131.203.92.28.1332285433.squirrel@mail.orcon.net.nz> <4F6BA181.8090107@foobar.org>
Message-ID: <4F6C44D5.8070805@itpro.co.nz>

Hi Nick,

Thanks very much for your thorough response and the time you put into
testing things out. I was contemplating taking this to my lab but was
hoping there was some documentation or experiences from others that may
have helped answer things first.

Your results are interesting - I did suspect option 2 would be better but
didn't really have any idea of the numbers. Saving time and processing
cycles on BGP routes is always good.

Interesting to see just how many routes with private AS number in their
paths are out there in the DFZ too.
Thanks
Ivan

From Markus.Binder at globalways.net Fri Mar 23 06:19:14 2012
From: Markus.Binder at globalways.net (Markus Binder)
Date: Fri, 23 Mar 2012 10:19:14 +0000
Subject: [c-nsp] WS-SVC-MWAM as L2TP Server - Performance metrics
Message-ID: <9E813DC263007F4D9B37402CC4302A62385D8A@EX1-STGT.intern.globalways.net>

Hello,

does anyone have experience with the WS-SVC-MWAM Modules as L2TP Server for
WAN aggregation?
We're interested in performance metrics when acting as a LNS and providing
QoS (traffic policing) to each session.

If not, which platform would you recommend to do LNS with QoS? Currently
we're using 7200 Series with NPE-G1s.

Best regards,
Markus Binder

--
Globalways AG
Neue Brücke 8
D-70173 Stuttgart
Germany

From aledm at qix.co.uk Fri Mar 23 06:36:13 2012
From: aledm at qix.co.uk (Aled Morris)
Date: Fri, 23 Mar 2012 10:36:13 +0000
Subject: [c-nsp] New Cisco ME3400 IOS?
In-Reply-To: <4F6C2D79.2040703@forthnetgroup.gr>
References: <4F6B69E5.9050608@kenweb.org> <4F2E952349CF714899213AA2A0F68C7D0430125A@xmb-sjc-215.amer.cisco.com> <4F6C2D79.2040703@forthnetgroup.gr>
Message-ID:

On 23 March 2012 07:59, Tassos Chatzithomaoglou wrote:
> Can you please provide more details about "Enhanced QoS buffer management"?
>
>

Sometimes this is marketing speak for "now works (more) like the
documentation claims it always did" i.e. fixed without admitting that the
code was broken before.
Aled

From rolf-web at internet.ao Fri Mar 23 07:48:48 2012
From: rolf-web at internet.ao (Rolf Mendelsohn)
Date: Fri, 23 Mar 2012 12:48:48 +0100
Subject: [c-nsp] real world experience - ASR901 / ASR903
In-Reply-To: <4F6C42BC.6010206@forthnetgroup.gr>
References: <7EC7FB71-57DD-4545-B74B-BAE4ECB9684A@internet.ao> <4F2E952349CF714899213AA2A0F68C7D0430125F@xmb-sjc-215.amer.cisco.com> <4F6C42BC.6010206@forthnetgroup.gr>
Message-ID: <6574E10A-48C7-49CB-88AB-A30A2F03CC5C@internet.ao>

Tassos,

Surely with this TCAM space, there are lots of routes which can be supported:

http://www.cisco.com/en/US/docs/wireless/asr_900/hardware/installation/overview.html

Supported RSPs:

The Cisco ASR 903 Series Aggregation Services Router supports the following RSPs:

- A900-RSP1A-55: Provides 2 GB of SDRAM, 5 Mb of TCAM memory, 3-Mb buffer
  table, 576-Mb forwarding memory, and 1,536-Mb packet buffer memory.
- A900-RSP1B-55: Provides 4 GB of SDRAM, 20 Mb of TCAM memory, 144-Mb buffer
  table, 1152-Mb forwarding memory, and 1,536-Mb packet buffer memory.
vs the ASR 1000 Series:

http://www.cisco.com/en/US/prod/collateral/routers/ps9343/data_sheet_c78-450070_ps2797_Products_Data_Sheet.html

For 2.5-Gbps/5-Gbps integrated ESP in ASR1001: 256MB Cisco QuantumFlow
Processor, 1GB DRAM, 5Mb ternary content addressable memory (TCAM), and
64MB packet buffer memory

For 5-Gbps Cisco ASR 1000 ESP: 256MB Cisco QuantumFlow Processor, 512MB
DRAM, 5Mb ternary content addressable memory (TCAM), and 64MB packet buffer
memory

For 10-Gbps Cisco ASR 1000 ESP: 512MB Cisco QuantumFlow Processor, 2GB
DRAM, 10Mb TCAM, and 128MB packet buffer memory

For 10-N-Gbps Cisco ASR 1000 ESP: 512MB Cisco QuantumFlow Processor, 2GB
DRAM, 10Mb TCAM, and 128MB packet buffer memory

For 20-Gbps Cisco ASR 1000 ESP: 1GB Cisco QuantumFlow Processor, 4GB DRAM,
40Mb TCAM, and 256MB packet buffer memory

Rolf

On 23 Mar 2012, at 10:30 AM, Tassos Chatzithomaoglou wrote:
> ASR903 seems more like a modular ME-3800X, with the ability to upgrade the RSP if needed.
>
> --
> Tassos
>
> Rolf Mendelsohn wrote on 23/3/2012 11:00:
>> Waris,
>>
>> How many routes does the ASR903 support?
>>
>> Rolf
>>
>> On 23 Mar 2012, at 8:45 AM, Waris Sagheer (waris) wrote:
>>> ASR 903 runs IOS XE and ASR901 runs classical IOS.
>>> ASR 901 Scale:
>>> IPv4 Routes - 12K
>>> BGP peers - 100
>>> Number of VRF - 128
>>> IPv6 support is in roadmap for August timeframe.
>>>
>>> ASR 903 is capable of line rate performance. It does not support full
>>> internet routing table.
>>>
>>> -Waris
>>>
>>>
>>> -----Original Message-----
>>> From: cisco-nsp-bounces at puck.nether.net
>>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Pshem Kowalczyk
>>> Sent: Wednesday, March 21, 2012 12:58 PM
>>> To: Rolf Mendelsohn
>>> Cc: cisco-nsp at puck.nether.net
>>> Subject: Re: [c-nsp] real world experience - ASR901 / ASR903
>>>
>>> Hi,
>>>
>>> On 22 March 2012 03:58, Rolf Mendelsohn wrote:
>>>> Hi Guys,
>>>>
>>>> Just really curious regarding these new boxes (ASR901 / ASR903) ...
>>>>
>>>> Has anybody bought them recently?
>>>>
>>>> How is the IOS, relatively stable?
>>>>
>>>> How many routes (901), BGP, MPLS, IPv6??
>>>>
>>>> Does anybody have the ASR903, how is its performance and does anybody
>>> have a full table (or two going into one of these).
>>>
>>> Not real world, but according to the information I got from Cisco RSP1A
>>> can hold 12k ipv4 routes or 6k ipv6 ones, and RSP1B - 32k ipv4 and 16k
>>> ipv6, so nowhere near what's required for full table. I don't have the
>>> numbers for ASR901, but that's mainly a L2 VPN device, so I'd expect
>>> them to be even lower.
>>>
>>> kind regards
>>> Pshem

From rus-p at inbox.ru Fri Mar 23 08:45:48 2012
From: rus-p at inbox.ru (Ruslan Pustovoytov)
Date: Fri, 23 Mar 2012 16:45:48 +0400
Subject: [c-nsp] Carrier grade NAT44 & newest Cisco boxes
In-Reply-To: <4F61871B.4080505@mostelekom.net>
References: <4F61871B.4080505@mostelekom.net>
Message-ID: <4F6C707C.7020200@inbox.ru>

Recently I got a presentation from Cisco about ISM. Bulk port allocation
was planned for release 4.2.1.
But I am not sure if the regulator can send a port number with the IP
address. Without the port number, bulk port allocation will be a useless
feature.

Ruslan Pustovoitov wrote:
> I know Alcatel has Bulk Port Allocation in its MS-ISA and it works fine.
> ISM-100/CGSE has no such feature but my aim is to argue that ISM is the
> right answer )
>
> Jean-Francois.TremblayING at videotron.com wrote:
>>> We in europe have some pressure to have the ability to map the
>> ip/port/timestamp
>>> tuple back to user. Of course nobody will be able to deliver the
>>> port
>> together
>>> with the ip and an accurate enough timestamp for this to be
>>> meaningful.
>>>
>>
>> Bulk Port Allocation (also called Port Range Allocation) is probably
>> what you're looking for. It reduces logging requirements by several
>> orders of magnitude and your timestamping doesn't have to be as
>> precise. This is a must to deploy any CGN, IMHO.
>> Coming soon to your favorite Cisco CGN implementation, apparently...
>>
>>> I can see this becoming a larger problem when more nats appear on
>> conventional
>>> DSL / FTTx / Cable access products as opposed to just low bandwidth
>> mobile networks.
>>
>> Mobile networks aren't that low bandwidth anymore. They have the same
>> issues with logging.
>> /JF
>>
>>
>

From nmaxpierson at gmail.com Fri Mar 23 08:48:41 2012
From: nmaxpierson at gmail.com (N. Max Pierson)
Date: Fri, 23 Mar 2012 07:48:41 -0500
Subject: [c-nsp] ASR 1006 Code
In-Reply-To:
References:
Message-ID:

Thanks for all the replies. Looks like I'm going to have to go with
15.2(1)S1. Gotta turn these up this weekend.

Regards,
Max

From richih.mailinglist at gmail.com Fri Mar 23 11:50:50 2012
From: richih.mailinglist at gmail.com (Richard Hartmann)
Date: Fri, 23 Mar 2012 16:50:50 +0100
Subject: [c-nsp] Why does the ME3600X not support VLAN mapping?
In-Reply-To: <4F2E952349CF714899213AA2A0F68C7D0430125D@xmb-sjc-215.amer.cisco.com>
References: <4F2E952349CF714899213AA2A0F68C7D0430125D@xmb-sjc-215.amer.cisco.com>
Message-ID:

Hi Waris,

> ME3600X does support VLAN mapping through EVC.
> Can you elaborate the requirement?

Indeed, it does; I found that out in the meantime; I just realized that
several replies, and thus the resulting conversation, were off-list. No
idea why, but as it wasn't me who took it off-list in the first place, I
will refrain from bouncing the mails to this list.

Is the syntax of

  switchport vlan mapping enable
  switchport vlan mapping 123 654

deprecated?
It's a lot simpler and cleaner than EVC if you need to remap VLANs, only.

Thanks for getting back to me in what, to this list, must have looked like a stale thread,
Richard

From nick at foobar.org Fri Mar 23 12:26:41 2012
From: nick at foobar.org (Nick Hilliard)
Date: Fri, 23 Mar 2012 16:26:41 +0000
Subject: [c-nsp] Filtering Routes with Private AS Numbers in the AS Path
In-Reply-To: <4F6C4483.3070300@itpro.co.nz>
References: <35791.131.203.92.28.1332285433.squirrel@mail.orcon.net.nz> <4F6BA181.8090107@foobar.org> <4F6C4483.3070300@itpro.co.nz>
Message-ID: <4F6CA441.8090400@foobar.org>

On 23/03/2012 09:38, Ivan Walker wrote:
> Your results are interesting - I did suspect option 2 would be better but
> didn't really have any idea of the numbers. Saving time and processing
> cycles on BGP routes is always good.

I just wish there was some mechanism in IOS for handling as-path comparison by using numeric comparison. regexps are a real convergence killer on units with slow CPUs (e.g. sup720).
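As an added illustration of the numeric-versus-regexp point above (this is example code, not Nick's or anyone else's from the thread, and not an IOS feature): the block below parses an AS_PATH as IOS prints it into integers and checks each ASN against the RFC 6996 private-use ranges, then emulates the `_`-bounded regexp an `ip as-path access-list` would need to match just the 16-bit private range, so the two approaches can be compared on the same constructed paths. The sample paths are constructed; the IOS `_` boundary is emulated by replacing separators with underscores.

```python
"""Numeric private-ASN check for BGP AS_PATH strings versus the regexp form.

Added example, not from the cisco-nsp thread. Parses an IOS-style AS_PATH
("65001 3356 {64512,64513}") into integers and checks them against the
RFC 6996 private ranges; also shows the regexp needed for the 16-bit
range alone, which misses the 32-bit private range entirely.
"""
from __future__ import annotations

import re

# RFC 6996 private-use ASN ranges (16-bit and 32-bit).
PRIVATE_ASN_RANGES = (
    (64512, 65534),
    (4200000000, 4294967294),
)

_ASN_TOKEN = re.compile(r"\d+")


def parse_as_path(as_path: str) -> list[int]:
    """Return every ASN in an IOS-style AS_PATH string.

    AS_SET members are printed inside braces, e.g. "{64512,64513}"; braces
    and commas are ignored so set members are checked like sequence members.
    """
    return [int(tok) for tok in _ASN_TOKEN.findall(as_path)]


def is_private_asn(asn: int) -> bool:
    """Plain integer range comparison: no regexp engine involved."""
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def private_asns(as_path: str) -> list[int]:
    """Every private ASN appearing in the path, in path order."""
    return [asn for asn in parse_as_path(as_path) if is_private_asn(asn)]


def routes_with_private_asns(routes: dict[str, str]) -> list[str]:
    """Prefixes (from a constructed {prefix: as_path} table) a filter would drop."""
    return [prefix for prefix, path in routes.items() if private_asns(path)]


# The regexp an as-path access-list needs to match only 64512-65534.
# IOS "_" matches start/end of string, space, comma and braces.
PRIVATE16_REGEX = re.compile(
    r"_(6451[2-9]|645[2-9][0-9]|64[6-9][0-9]{2}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-4])_"
)


def regex_has_private16(as_path: str) -> bool:
    """Emulate the IOS "_" boundary, then run the 16-bit-only regexp."""
    bounded = "_" + re.sub(r"[\s,{}]+", "_", as_path.strip()) + "_"
    return PRIVATE16_REGEX.search(bounded) is not None


if __name__ == "__main__":
    # Constructed sample table; prefixes and paths are illustrative only.
    sample = {
        "203.0.113.0/24": "3356 1299 2914",
        "198.51.100.0/24": "65001 3356 {64512,64513}",
        "192.0.2.0/24": "3356 4200000001 1299",
    }
    print("numeric check drops:", routes_with_private_asns(sample))
    for path in sample.values():
        print(f"{path!r}: numeric={bool(private_asns(path))} regexp16={regex_has_private16(path)}")
```

The numeric check catches the 32-bit private ASN 4200000001 with the same two comparisons it uses for the 16-bit range; the regexp form would need a second, considerably longer alternation to do the same.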
Nick

From tdurack at gmail.com Fri Mar 23 14:01:17 2012
From: tdurack at gmail.com (Tim Durack)
Date: Fri, 23 Mar 2012 14:01:17 -0400
Subject: [c-nsp] N7K, NX-OS 6.0(2) link-local OSPFv3
Message-ID:

Simple link-local OSPFv3 config:

CORE-1:

interface port-channel1
  mpls traffic-eng tunnels
  mpls ip
  ip address 10.1.1.1/30
  ipv6 address use-link-local-only
  ip ospf network point-to-point
  ip router ospf CORE area 0.0.0.0
  ospfv3 network point-to-point
  ipv6 router ospfv3 CORE area 0.0.0.0

interface loopback0
  ip address 10.1.0.1/32
  ipv6 address 2001:DB8:4:1::1/128
  ip router ospf CORE area 0.0.0.0
  ipv6 router ospfv3 CORE area 0.0.0.0

router ospfv3 CORE
  router-id 10.1.0.1
  log-adjacency-changes
  auto-cost reference-bandwidth 100000

CORE-2:

interface port-channel1
  mpls traffic-eng tunnels
  mpls ip
  ip address 10.1.1.2/30
  ipv6 address use-link-local-only
  ip ospf network point-to-point
  ip router ospf CORE area 0.0.0.0
  ospfv3 network point-to-point
  ipv6 router ospfv3 CORE area 0.0.0.0

interface loopback0
  ip address 10.1.0.2/32
  ipv6 address 2001:DB8:4:2::2/128
  ip router ospf CORE area 0.0.0.0
  ipv6 router ospfv3 CORE area 0.0.0.0

router ospfv3 CORE
  router-id 10.1.0.2
  log-adjacency-changes
  auto-cost reference-bandwidth 100000

CORE-1# show ipv6 route
IPv6 Routing Table for VRF "default"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]

2001:DB8:4:1::1/128, ubest/mbest: 2/0, attached
    *via 2001:DB8:4:1::1, Lo0, [0/0], 1d03h, direct,
    *via 2001:DB8:4:1::1, Lo0, [0/0], 1d03h, local
2001:DB8:4:2::2/128, ubest/mbest: 1/0
    *via fe80::4255:39ff:fe07:3f42, Po1, [110/10], 13:33:18, ospfv3-CORE, intra

CORE-1# ping6 2001:DB8:4:2::2
PING6 2001:DB8:4:2::2 (2001:DB8:4:2::2): 56 data bytes
ping6: sendto: No route to host
Request 0 timed out
ping6: sendto: No route to host
Request 1 timed out
ping6: sendto: No route to host
Request 2 timed out
ping6: sendto: No route to host
Request 3 timed out
ping6: sendto: No route to host
Request 4 timed out

--- 2001:DB8:4:2::2 ping6 statistics ---
5 packets transmitted, 0 packets received, 100.00% packet loss

CORE-2# show ipv6 route
IPv6 Routing Table for VRF "default"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]

2001:DB8:4:1::1/128, ubest/mbest: 1/0
    *via fe80::4255:39ff:fe07:3f41, Po1, [110/10], 13:48:18, ospfv3-CORE, intra
2001:DB8:4:2::2/128, ubest/mbest: 2/0, attached
    *via 2001:DB8:4:2::2, Lo0, [0/0], 1d03h, direct,
    *via 2001:DB8:4:2::2, Lo0, [0/0], 1d03h, local

CORE-2# ping6 2001:DB8:4:1::1
PING6 2001:DB8:4:1::1 (2001:DB8:4:1::1): 56 data bytes
ping6: sendto: No route to host
Request 0 timed out
ping6: sendto: No route to host
Request 1 timed out
ping6: sendto: No route to host
Request 2 timed out
ping6: sendto: No route to host
Request 3 timed out
ping6: sendto: No route to host
Request 4 timed out

--- 2001:DB8:4:1::1 ping6 statistics ---
5 packets transmitted, 0 packets received, 100.00% packet loss

This works on a 6500/SUP720/12.2(33)SXI, but not an N7K/NX-OS/6.0(2)

What am I missing?

--
Tim:>

From Jean-Francois.TremblayING at videotron.com Fri Mar 23 13:48:21 2012
From: Jean-Francois.TremblayING at videotron.com (Jean-Francois.TremblayING at videotron.com)
Date: Fri, 23 Mar 2012 13:48:21 -0400
Subject: [c-nsp] Carrier grade NAT44 & newest Cisco boxes
In-Reply-To: <4F6C707C.7020200@inbox.ru>
Message-ID:

> But I am not sure if regulator can send port number with IP address.
> Without port number bulk port allocation will be useless feature.

This is why RFC6302 was written (http://tools.ietf.org/html/rfc6302). The source port will be required for any law enforcement or abuse case, because a timestamp and all connections logs aren't usually enough to prove the connection comes from a specific user on popular destinations.

Anyway, good luck logging everything. For a large ISP, we're talking about petabytes of data over a year. Bulk/range port allocation is a must IMHO.
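To make the two points in this sub-thread concrete (why port-block allocation cuts the log volume, and why an abuse report without the source port cannot be attributed to one subscriber), here is an added example; it is constructed for this page and is not code from JF's post or from any vendor's CGN. It models a toy NAT44 translator that hands each subscriber a contiguous block of source ports on one public address, writes one log record per block instead of one per session, and answers the RFC 6302-style question "which subscriber was behind public IP X, port P, at time T?". The block size, addresses, subscriber names and timestamps are all constructed values.

```python
"""Port-block (bulk port allocation) CGN logging versus per-session logging.

Added example, not from the mailing-list thread. A toy NAT44 that allocates
source ports to subscribers in blocks, logs one record per block, and
attributes an (ip, port, time) report back to a subscriber. Everything here
(block size, addresses, subscribers, timestamps) is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, replace

BLOCK_SIZE = 512              # ports handed out per allocation (constructed value)
PORT_LO, PORT_HI = 1024, 65535


@dataclass(frozen=True)
class BlockRecord:
    """One log line: who held which port block on which public IP, and when."""
    public_ip: str
    port_lo: int
    port_hi: int
    subscriber: str
    t_start: int
    t_end: int | None = None   # None while the block is still assigned


class BulkPortNat:
    """Toy NAT44 translator with bulk port allocation and block-level logging."""

    def __init__(self, public_ip: str, block_size: int = BLOCK_SIZE) -> None:
        self.public_ip = public_ip
        self.block_size = block_size
        # Start port of every free block on this public address.
        self._free = list(range(PORT_LO, PORT_HI - block_size + 2, block_size))
        self._active: dict[str, int] = {}       # subscriber -> index into block_log
        self._next_port: dict[str, int] = {}    # next unused port inside the block
        self.block_log: list[BlockRecord] = []  # one record per block allocation
        self.sessions_logged = 0                # what per-session logging would write

    def new_session(self, subscriber: str, now: int) -> tuple[str, int]:
        """Open a session; returns the public (ip, port) it is translated to."""
        if subscriber not in self._active:
            lo = self._free.pop(0)
            self.block_log.append(
                BlockRecord(self.public_ip, lo, lo + self.block_size - 1, subscriber, now)
            )
            self._active[subscriber] = len(self.block_log) - 1
            self._next_port[subscriber] = lo
        rec = self.block_log[self._active[subscriber]]
        port = self._next_port[subscriber]
        if port > rec.port_hi:
            raise RuntimeError(f"{subscriber}: port block exhausted")
        self._next_port[subscriber] = port + 1
        self.sessions_logged += 1
        return self.public_ip, port

    def release(self, subscriber: str, now: int) -> None:
        """Subscriber goes idle: close its block record and free the block for reuse."""
        idx = self._active.pop(subscriber)
        self.block_log[idx] = replace(self.block_log[idx], t_end=now)
        self._free.insert(0, self.block_log[idx].port_lo)
        del self._next_port[subscriber]

    def attribute(self, public_ip: str, port: int, when: int) -> str | None:
        """Answer an abuse report that carries IP, source port and timestamp."""
        for rec in self.block_log:
            if rec.public_ip != public_ip or not rec.port_lo <= port <= rec.port_hi:
                continue
            if rec.t_start <= when and (rec.t_end is None or when <= rec.t_end):
                return rec.subscriber
        return None

    def subscribers_on(self, public_ip: str, when: int) -> set[str]:
        """What a report with IP and timestamp but no port can narrow it down to."""
        return {
            rec.subscriber for rec in self.block_log
            if rec.public_ip == public_ip
            and rec.t_start <= when
            and (rec.t_end is None or when <= rec.t_end)
        }


def demo() -> dict:
    """Constructed traffic: one busy subscriber, one light one, then block reuse."""
    nat = BulkPortNat("198.51.100.1")
    ip, port_a = nat.new_session("sub-A", now=100)
    for t in range(101, 400):                 # 299 further sessions from sub-A
        nat.new_session("sub-A", now=t)
    nat.new_session("sub-B", now=150)
    nat.release("sub-A", now=500)             # sub-A idle; its block is reclaimed
    _, port_c = nat.new_session("sub-C", now=600)   # sub-C gets the reclaimed block
    return {
        "block_records": len(nat.block_log),
        "session_records": nat.sessions_logged,
        "same_port_reused": port_a == port_c,
        "who_at_200": nat.attribute(ip, port_a, 200),
        "who_at_700": nat.attribute(ip, port_a, 700),
        "without_port_at_200": sorted(nat.subscribers_on(ip, 200)),
    }


if __name__ == "__main__":
    print(demo())
```

Three block records stand in for 302 session records, and the same public port is attributed to sub-A at one time and sub-C at another, which is why the timestamp matters even with blocks; without the port, the same report at time 200 can only be narrowed to two subscribers.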
/JF

From mays at win.net Fri Mar 23 14:38:53 2012
From: mays at win.net (Joseph Mays)
Date: Fri, 23 Mar 2012 14:38:53 -0400
Subject: [c-nsp] QoS on Multilink T1's.
Message-ID: <41B3279AC24842A5820D15C2E428F412@win2snvu0x4eg9>

We have the following service policy on a router that prioritizes VOIP traffic according to the ef tag.

class-map match-all dscp-ef
 match ip dscp ef
!
!
policy-map queue-on-dscp
 description Prioritizes voice traffic first, signalling next.
 class dscp-ef
  priority percent 75
 class class-default
  fair-queue
  random-detect dscp-based

The router primarily contains traffic for T1's routed to several destinations. I can demonstrate that for individual T1's the service policy does as it should. Throw normal pings at the remote end, things are low latency and no packet loss. Ping flood the remote end with 1500 byte packets and latency for normal pings and packet loss go sky high. While still pingflooding, pings tagged with DSCP ef still have low latency and no packet loss. This is all the way it should be.

However, it generally doesn't work for the multilink client on the box. In this case, while ping flooding, packets with and without the EF tag set all suffer the same high latency and packet loss during ping flood. Not surprisingly, this one client is also having VOIP call quality problems.

All the clients are using the same service policy. I have been assuming that it's something about the fact that this client has two multilink T1's bonded together with multilink PPP and other clients just have a single T1. Is there something special that has to be done for QoS over multilink PPP? Or is there possibly some other thing affecting this one client? There are no specific access lists relating to their connection, nor to the ones that work. Really, the only thing overt that sets them different from the others is that they have bonded T1's, as shown below.
interface Multilink117870
 description Bonded Pair to Edge Outreach
 bandwidth 3072
 ip address 216.24.2.145 255.255.255.252
 no cdp enable
 ppp authorization PermT1
 ppp multilink
 ppp multilink group 117870
 service-policy output queue-on-dscp

interface Serial6/0/1:0
 description Edge Outreach (K1.HCFU.511024..SC)
 bandwidth 1536
 no ip address
 no ip redirects
 no ip proxy-arp
 encapsulation ppp
 ppp authorization PermT1
 ppp multilink
 ppp multilink group 117870
!
interface Serial6/0/2:0
 description Edge Outreach (K1.HCFU.511025..SC)
 bandwidth 1536
 no ip address
 no ip redirects
 no ip proxy-arp
 encapsulation ppp
 ppp authorization PermT1
 ppp multilink
 ppp multilink group 117870

Here is an example of a plain single T1 client config, in which case the QoS service policy works exactly as it should.

interface Serial6/0/3:0
 description Leonard Brush (K1.HCFU.511093..SC)
 bandwidth 1536
 ip address 216.24.0.53 255.255.255.252
 no ip redirects
 no ip proxy-arp
 encapsulation ppp
 ppp authorization PermT1
 service-policy output queue-on-dscp

From mays at win.net Fri Mar 23 14:49:27 2012
From: mays at win.net (Joseph Mays)
Date: Fri, 23 Mar 2012 14:49:27 -0400
Subject: [c-nsp] QoS on Multilink T1's.
References: <41B3279AC24842A5820D15C2E428F412@win2snvu0x4eg9> <434B78D0A3B6AB458FC35B6BCDB4260102042B262D@exchmb-prod.uso.bor.usg.edu>
Message-ID:

> You might try using an actual KBS number instead of percentages for the
> multilink.

That's what I was doing before. I changed to the percent in the process of trying to figure out this problem.

From o.calvano at gmail.com Fri Mar 23 15:51:10 2012
From: o.calvano at gmail.com (Olivier CALVANO)
Date: Fri, 23 Mar 2012 20:51:10 +0100
Subject: [c-nsp] Vlkan mapping on Cisco ME3400E
Message-ID:

Hi,

I request your help to resolve a problem.
I want to see a specific configuration in the lab; for this I have:

1 Cisco 7301 router, labelled "PE"
2 Cisco 1841 routers, labelled "CE1" and "CE2"
1 Cisco ME3400E, labelled "Gateway"
1 Cisco 3750, labelled "Transport"
2 Cisco 3750, labelled "Delivery1" and "Delivery2".

For my lab, the C3750 "Transport" is only there to simulate the carrier.

My config:

Cisco 7301 is connected to ME3400E port 1

config Cisco 7301:

C7301
interface GigabitEthernet0/2
 mtu 1600
 no ip address
 no ip route-cache cef
 no ip route-cache
 media-type rj45
 speed auto
 duplex auto
 no negotiation auto

interface GigabitEthernet0/2.500
 encapsulation dot1Q 500
 ip address 192.168.51.1 255.255.255.252
 no ip route-cache

interface GigabitEthernet0/2.600
 encapsulation dot1Q 600
 ip address 192.168.61.1 255.255.255.252
 no ip route-cache

On the ME3400E:

interface FastEthernet0/1
 description port of C7301
 switchport trunk allowed vlan 500,600
 switchport mode trunk
!
interface FastEthernet0/24
 description Port to Transport
 port-type nni
 switchport mode trunk
 switchport vlan mapping 500-599 dot1q-tunnel 100
 switchport vlan mapping 600-699 dot1q-tunnel 101

On C3750 transport:

interface FastEthernet1/0/1
 description Vers Switch Delivery1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100
 switchport mode trunk
!
interface FastEthernet1/0/2
 description Vers Switch Delivery2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 101
 switchport mode trunk

interface FastEthernet1/0/24
 description Vers Switch ME3400E
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,101
 switchport mode trunk

On C3750 Delivery1:

interface FastEthernet1/0/1
 description to CE1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 500-599
 switchport mode trunk

interface FastEthernet1/0/48
 description to transport
 switchport access vlan 100
 switchport mode dot1q-tunnel
 no cdp enable
 no cdp tlv server-location
 no cdp tlv app

On C3750 Delivery2:

interface FastEthernet1/0/1
 description to CE2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 600-699
 switchport mode trunk

interface FastEthernet1/0/48
 description to transport
 switchport access vlan 101
 switchport mode dot1q-tunnel
 no cdp enable
 no cdp tlv server-location
 no cdp tlv app

on CE1:

interface FastEthernet0/0
 no ip address
 speed auto
 full-duplex
 no mop enabled
!
interface FastEthernet0/0.500
 encapsulation dot1Q 500
 ip address 192.168.51.2 255.255.255.252

on CE2:

interface FastEthernet0/0
 no ip address
 speed auto
 full-duplex
 no mop enabled
!
interface FastEthernet0/0.600
 encapsulation dot1Q 600
 ip address 192.168.61.2 255.255.255.252

My objective is to encapsulate VLANs 500 to 599 into transport VLAN 100 and VLANs 600 to 699 into transport VLAN 101.

Where is my error? All the VLANs are created on the switches, but C7301 can't ping CE1 or CE2.

"Transport" is my carrier; it supplies me 3 ports in trunk with two VLANs.

A friend told me: "Use L2TP" between the ME3400E and each Delivery switch.

Thanks for your help.

Olivier

From mays at win.net Fri Mar 23 16:12:54 2012
From: mays at win.net (Joseph Mays)
Date: Fri, 23 Mar 2012 16:12:54 -0400
Subject: [c-nsp] QoS on Multilink T1's.
References: <41B3279AC24842A5820D15C2E428F412@win2snvu0x4eg9> <434B78D0A3B6AB458FC35B6BCDB4260102042B262D@exchmb-prod.uso.bor.usg.edu> <06502C073AD9394AADB3CA7FD94931BC08BB2C6E@okc1x1.Logixcom.com>
Message-ID: <7A53EDE8F69D4408A9DDBE138FBB7952@win2snvu0x4eg9>

The router is a 7206VXR (NPE400) running 12.3.(22). I am out of ideas as it stands, so I was thinking about upgrading the IOS.

----- Original Message -----
From: "Craig Dickerson"
To: "Joseph Mays"
Sent: Friday, March 23, 2012 4:01 PM
Subject: RE: [c-nsp] QoS on Multilink T1's.

We have had a similar problem before. Have you tried removing the policy from the interface and then re-applying it? If this works you may have a software bug.

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joseph Mays
> Sent: Friday, March 23, 2012 1:49 PM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] QoS on Multilink T1's.
>
> > You might try using an actual KBS number instead of percentages for
> > the multilink.
>
> That's what I was doing before. I changed to the percent in the process of
> trying to figure out this problem.

From fia at transtelco.net Fri Mar 23 16:22:22 2012
From: fia at transtelco.net (Fernando Atilano)
Date: Fri, 23 Mar 2012 14:22:22 -0600
Subject: [c-nsp] QoS on Multilink T1's.
In-Reply-To: <7A53EDE8F69D4408A9DDBE138FBB7952@win2snvu0x4eg9>
References: <41B3279AC24842A5820D15C2E428F412@win2snvu0x4eg9> <434B78D0A3B6AB458FC35B6BCDB4260102042B262D@exchmb-prod.uso.bor.usg.edu> <06502C073AD9394AADB3CA7FD94931BC08BB2C6E@okc1x1.Logixcom.com> <7A53EDE8F69D4408A9DDBE138FBB7952@win2snvu0x4eg9>
Message-ID:

Hi,

We had a kind of the same issue; what we did is we enabled fair queue on the multilink interface.
By default fair queue is disabled, having only FIFO to take over; in theory, if only one queue is available, no matter if the packets are marked as VOIP, it only has one egress queue.

hope this helps.

On Fri, Mar 23, 2012 at 2:12 PM, Joseph Mays wrote:
> The router is a 7206VXR (NPE400) running 12.3.(22). I am out of ideas as
> it stands, so I was thinking about upgrading the IOS.
>
> ----- Original Message ----- From: "Craig Dickerson"
>
> To: "Joseph Mays"
> Sent: Friday, March 23, 2012 4:01 PM
> Subject: RE: [c-nsp] QoS on Multilink T1's.
>
>
> We have had a similar problem before. Have you tried removing the policy
> from the interface and then re-applying it? If this works you may have a
> software bug.
>
> > -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net [mailto:
>> cisco-nsp-
>> bounces at puck.nether.net] On Behalf Of Joseph Mays
>> Sent: Friday, March 23, 2012 1:49 PM
>> To: cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] QoS on Multilink T1's.
>>
>> > You might try using an actual KBS number instead of percentages for
>> > the multilink.
>>
>> That's what I was doing before. I changed to the percent in the
>> > process of
>
>> trying to figure out this problem.
--
* Fernando Atilano | Engineering | TRANSTELCO
MX: +52 (656) 257 -1114 | US: +1 (915) 217- 2286 *

From keegan.holley at sungard.com Fri Mar 23 17:40:37 2012
From: keegan.holley at sungard.com (Keegan Holley)
Date: Fri, 23 Mar 2012 17:40:37 -0400
Subject: [c-nsp] routerperformance
Message-ID:

Does anyone have the throughput numbers for the new cisco 29XX/39XX routers? I see they continue to omit them from the website.

From Vinny_Abello at Dell.com Fri Mar 23 18:04:34 2012
From: Vinny_Abello at Dell.com (Vinny_Abello at Dell.com)
Date: Fri, 23 Mar 2012 22:04:34 +0000
Subject: [c-nsp] routerperformance
In-Reply-To:
References:
Message-ID:

http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf

The ISR G2 2901, 3911, 2921, 2951, 3925, and 3945 are all there with PPS and Mbps (based on pps * 64 bytes * 8bits/byte).

-Vinny

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Keegan Holley
Sent: Friday, March 23, 2012 5:41 PM
To: Cisco NSPs
Subject: [c-nsp] routerperformance

Does anyone have the throughput numbers for the new cisco 29XX/39XX routers? I see they continue to omit them from the website.
From Vinny_Abello at Dell.com Fri Mar 23 18:14:21 2012
From: Vinny_Abello at Dell.com (Vinny_Abello at Dell.com)
Date: Fri, 23 Mar 2012 22:14:21 +0000
Subject: [c-nsp] QoS on Multilink T1's.
In-Reply-To:
References: <41B3279AC24842A5820D15C2E428F412@win2snvu0x4eg9> <434B78D0A3B6AB458FC35B6BCDB4260102042B262D@exchmb-prod.uso.bor.usg.edu> <06502C073AD9394AADB3CA7FD94931BC08BB2C6E@okc1x1.Logixcom.com> <7A53EDE8F69D4408A9DDBE138FBB7952@win2snvu0x4eg9>
Message-ID:

Due to the policy-map configuration and application on the multilink interface, the OP is using CBWFQ, not FIFO. And fair-queue is configured on the default traffic class as well, so I don't think what you're saying applies in this case.

Although I don't believe this is the source of the issue, I would look into also configuring interleaving and fragment-delay on the multilink interface, especially if you're running voice traffic over it. It should help to normalize jitter in certain situations.

I would also check the policy-map statistics on the multilink interface to see if it is actually doing anything and go from there. It *could* be a bug.

-Vinny

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Fernando Atilano
Sent: Friday, March 23, 2012 4:22 PM
To: Joseph Mays
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] QoS on Multilink T1's.

Hi,

We had a kind of the same issue; what we did is we enabled fair queue on the multilink interface.

By default fair queue is disabled, having only FIFO to take over; in theory, if only one queue is available, no matter if the packets are marked as VOIP, it only has one egress queue.

hope this helps.
From mays at win.net Fri Mar 23 18:52:04 2012
From: mays at win.net (Joseph Mays)
Date: Fri, 23 Mar 2012 18:52:04 -0400
Subject: [c-nsp] QoS on Multilink T1's.
References: <41B3279AC24842A5820D15C2E428F412@win2snvu0x4eg9> <434B78D0A3B6AB458FC35B6BCDB4260102042B262D@exchmb-prod.uso.bor.usg.edu> <06502C073AD9394AADB3CA7FD94931BC08BB2C6E@okc1x1.Logixcom.com> <7A53EDE8F69D4408A9DDBE138FBB7952@win2snvu0x4eg9>
Message-ID: <6EF8FB2526CF4F27904FE509E8129F71@win2snvu0x4eg9>

> I would also check the policy-map statistics on the multilink interface to
> see if it is actually doing
> anything and go from there. It *could* be a bug.

I took each t1 individually out of the multilink bundle, so the bundle contained only the first t1, then only the second t1. In both cases, the problem disappeared and QoS began working normally as soon as there was only one t1 in the bundle. This is without changing the multilink interface config or policy itself. As soon as I put both t1's back in the problem returns immediately.

Right now I'm planning to upgrade the router to 12.4ish Monday.

From keegan.holley at sungard.com Fri Mar 23 20:08:44 2012
From: keegan.holley at sungard.com (Keegan Holley)
Date: Fri, 23 Mar 2012 20:08:44 -0400
Subject: [c-nsp] routerperformance
In-Reply-To:
References:
Message-ID:

Thanks!

2012/3/23
>
> http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf
>
> The ISR G2 2901, 3911, 2921, 2951, 3925, and 3945 are all there with PPS
> and Mbps (based on pps * 64 bytes * 8bits/byte).
>
> -Vinny
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:
> cisco-nsp-bounces at puck.nether.net] On Behalf Of Keegan Holley
> Sent: Friday, March 23, 2012 5:41 PM
> To: Cisco NSPs
> Subject: [c-nsp] routerperformance
>
> Does anyone have the throughput numbers for the new cisco 29XX/39XX
> routers? I see they continue to omit them from the website.
From sledge121 at gmail.com Fri Mar 23 20:17:31 2012
From: sledge121 at gmail.com (Richard Clayton)
Date: Sat, 24 Mar 2012 00:17:31 +0000
Subject: [c-nsp] routerperformance
In-Reply-To:
References:
Message-ID:

I have performed extensive testing of this platform with different features enabled if you need anything specific.

On 23 March 2012 21:40, Keegan Holley wrote:
> Does anyone have the throughput numbers for the new cisco 29XX/39XX
> routers? I see they continue to omit them from the website.

From gert at greenie.muc.de Sat Mar 24 03:46:46 2012
From: gert at greenie.muc.de (Gert Doering)
Date: Sat, 24 Mar 2012 08:46:46 +0100
Subject: [c-nsp] routerperformance
In-Reply-To:
References:
Message-ID: <20120324074645.GG1359@greenie.muc.de>

Hi,

On Fri, Mar 23, 2012 at 05:40:37PM -0400, Keegan Holley wrote:
> Does anyone have the throughput numbers for the new cisco 29XX/39XX
> routers? I see they continue to omit them from the website.

http://lmgtfy.com?q=site%3acisco.com+routerperformance.pdf

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From waris at cisco.com Sat Mar 24 07:03:13 2012
From: waris at cisco.com (Waris Sagheer (waris))
Date: Sat, 24 Mar 2012 04:03:13 -0700
Subject: [c-nsp] Why does the ME3600X not support VLAN mapping?
In-Reply-To:
References: <4F2E952349CF714899213AA2A0F68C7D0430125D@xmb-sjc-215.amer.cisco.com>
Message-ID: <4F2E952349CF714899213AA2A0F68C7D04301567@xmb-sjc-215.amer.cisco.com>

Hi Richard,

Following vlan mapping syntax is not supported.

-Waris

-----Original Message-----
From: Richard Hartmann [mailto:richih.mailinglist at gmail.com]
Sent: Friday, March 23, 2012 8:51 AM
To: Waris Sagheer (waris)
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Why does the ME3600X not support VLAN mapping?

Hi Waris,

> ME3600X does support VLAN mapping through EVC.
> Can you elaborate the requirement?

Indeed, it does; I found that out in the meantime. I just realized that several replies, and thus the resulting conversation, were off-list. No idea why, but as it wasn't me who took it off-list in the first place, I will refrain from bouncing the mails to this list.

Is the syntax of

  switchport vlan mapping enable
  switchport vlan mapping 123 654

deprecated?

It's a lot simpler and cleaner than EVC if you need to remap VLANs, only.

Thanks for getting back to me in what, to this list, must have looked like a stale thread,
Richard

From waris at cisco.com Sat Mar 24 07:11:34 2012
From: waris at cisco.com (Waris Sagheer (waris))
Date: Sat, 24 Mar 2012 04:11:34 -0700
Subject: [c-nsp] real world experience - ASR901 / ASR903
In-Reply-To:
References: <7EC7FB71-57DD-4545-B74B-BAE4ECB9684A@internet.ao> <4F2E952349CF714899213AA2A0F68C7D0430125F@xmb-sjc-215.amer.cisco.com>
Message-ID: <4F2E952349CF714899213AA2A0F68C7D04301569@xmb-sjc-215.amer.cisco.com>

Rolf,

                    RSP1A           RSP1B*
IPv4/IPv6 Routes    12,000/6,000    32,000/16,000

* RSP1B numbers may change in future.

-Waris

-----Original Message-----
From: Rolf Mendelsohn [mailto:rolf-web at internet.ao]
Sent: Friday, March 23, 2012 2:01 AM
To: Waris Sagheer (waris)
Cc: Pshem Kowalczyk; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] real world experience - ASR901 / ASR903

Waris,

How many routes does the ASR903 support?
Rolf

On 23 Mar 2012, at 8:45 AM, Waris Sagheer (waris) wrote:

> ASR 903 runs IOS XE and ASR901 runs classical IOS.
> ASR 901 Scale:
> IPv4 Routes - 12K
> BGP peers - 100
> Number of VRF - 128
> IPv6 support is in roadmap for August timeframe.
>
> ASR 903 is capable of line rate performance. It does not support full
> internet routing table.
>
> -Waris
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net ] On Behalf Of Pshem
> Kowalczyk
> Sent: Wednesday, March 21, 2012 12:58 PM
> To: Rolf Mendelsohn
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] real world experience - ASR901 / ASR903
>
> Hi,
>
> On 22 March 2012 03:58, Rolf Mendelsohn
> wrote:
>> Hi Guys,
>>
>> Just really curious regarding these new boxes (ASR901 / ASR903) ...
>>
>> Has anybody bought them recently?
>>
>> How is the IOS, relatively stable?
>>
>> How many routes (901), BGP, MPLS, IPv6??
>>
>> Does anybody have the ASR903, how is its performance and does anybody
> have a full table (or two going into one of these).
>
> Not real world, but according to the information I got from Cisco
> RSP1A can hold 12k ipv4 routes or 6k ipv6 ones, and RSP1B - 32k ipv4
> and 16k ipv6, so nowhere near what's required for full table. I don't
> have the numbers for ASR901, but that's mainly a L2 VPN device, so I'd
> expect them to be even lower.
>
> kind regards
> Pshem

From richih.mailinglist at gmail.com Sat Mar 24 07:41:34 2012
From: richih.mailinglist at gmail.com (Richard Hartmann)
Date: Sat, 24 Mar 2012 12:41:34 +0100
Subject: [c-nsp] Why does the ME3600X not support VLAN mapping?
In-Reply-To: <4F2E952349CF714899213AA2A0F68C7D04301567@xmb-sjc-215.amer.cisco.com>
References: <4F2E952349CF714899213AA2A0F68C7D0430125D@xmb-sjc-215.amer.cisco.com> <4F2E952349CF714899213AA2A0F68C7D04301567@xmb-sjc-215.amer.cisco.com>
Message-ID:

On Sat, Mar 24, 2012 at 12:03, Waris Sagheer (waris) wrote:
> Following vlan mapping syntax is not supported.

What's the reason for this?

Thanks,
Richard

From waris at cisco.com Sat Mar 24 07:46:53 2012
From: waris at cisco.com (Waris Sagheer (waris))
Date: Sat, 24 Mar 2012 04:46:53 -0700
Subject: [c-nsp] Why does the ME3600X not support VLAN mapping?
In-Reply-To:
References: <4F2E952349CF714899213AA2A0F68C7D0430125D@xmb-sjc-215.amer.cisco.com> <4F2E952349CF714899213AA2A0F68C7D04301567@xmb-sjc-215.amer.cisco.com>
Message-ID: <4F2E952349CF714899213AA2A0F68C7D0430156D@xmb-sjc-215.amer.cisco.com>

The goal is to completely move to EVC model and it should be able to handle all cases.

-Waris

-----Original Message-----
From: Richard Hartmann [mailto:richih.mailinglist at gmail.com]
Sent: Saturday, March 24, 2012 4:42 AM
To: Waris Sagheer (waris)
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Why does the ME3600X not support VLAN mapping?

On Sat, Mar 24, 2012 at 12:03, Waris Sagheer (waris) wrote:
> Following vlan mapping syntax is not supported.

What's the reason for this?

Thanks,
Richard

From manoj_koshti at yahoo.com Sat Mar 24 13:53:05 2012
From: manoj_koshti at yahoo.com (Manoj koshti)
Date: Sat, 24 Mar 2012 10:53:05 -0700 (PDT)
Subject: [c-nsp] routerperformance
Message-ID: <1332611585.46377.YahooMailMobile@web161202.mail.bf1.yahoo.com>

Craglist

From frnkblk at iname.com Sat Mar 24 16:24:39 2012
From: frnkblk at iname.com (Frank Bulk)
Date: Sat, 24 Mar 2012 15:24:39 -0500
Subject: [c-nsp] ASR 1006 Code
In-Reply-To:
References:
Message-ID: <02f401cd09fc$23ce65b0$6b6b3110$@iname.com>

A neighboring ISP has had an ASR1002 for about two years for BRAS + ISG functionality and it's still not stable.
I can't count how many (beta) code releases Cisco has had him try.

Frank

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of N. Max Pierson
Sent: Thursday, March 22, 2012 9:14 AM
To: Cisco Mailing list
Subject: [c-nsp] ASR 1006 Code

Hi List,

Turning up a few new 1006's and would like to hear from those of you on a stable revision of XE. We're currently running on 15.1(2)S1 and have hit quite a few bugs. Our Cisco team says we should move to 15.2.(1)S1. Being this release is relatively new, I'm a little hesitant to jump to it. The last go around had us on an image ridden with bugs after some exposure.

Features used ... nothing really exotic ....

BGPv4
EIGRPv4
Netflow
QoS
IP Sla

Any recommendations would be great.

Regards,
Max

From ghira at mistral.co.uk Sat Mar 24 16:50:52 2012
From: ghira at mistral.co.uk (Adam Atkinson)
Date: Sat, 24 Mar 2012 20:50:52 +0000
Subject: [c-nsp] QoS on Multilink T1's.
In-Reply-To: <6EF8FB2526CF4F27904FE509E8129F71@win2snvu0x4eg9>
References: <41B3279AC24842A5820D15C2E428F412@win2snvu0x4eg9> <434B78D0A3B6AB458FC35B6BCDB4260102042B262D@exchmb-prod.uso.bor.usg.edu> <06502C073AD9394AADB3CA7FD94931BC08BB2C6E@okc1x1.Logixcom.com> <7A53EDE8F69D4408A9DDBE138FBB7952@win2snvu0x4eg9> <6EF8FB2526CF4F27904FE509E8129F71@win2snvu0x4eg9>
Message-ID: <4F6E33AC.1080702@mistral.co.uk>

Joseph Mays wrote:
>> I would also check the policy-map statistics on the multilink
>> interface to see if it is actually doing
>> anything and go from there. It *could* be a bug.
>
> I took each t1 individually out of the multilink bundle, so the bundle
> contained only the first t1, then only the second t1.
> In both cases, the
> problem disappeared and QoS began working normally as soon as there was
> only one t1 in the bundle. This is without changing the multilink
> interface config or policy itself. As soon as I put both t1's back in
> the problem returns immediately.
>
> Right now I'm planning to upgrade the router to 12.4ish Monday.

Have you tried putting a parent shaper policy in and putting your intended policy in class-default in that? I have this recollection that "pretend" interfaces like dialer, multilink and tunnel need to have this done to them. Though this could be badly out of date if it was ever true at all.

From adwhite at inchix.net Sun Mar 25 02:41:11 2012
From: adwhite at inchix.net (Andrew White)
Date: Sun, 25 Mar 2012 17:41:11 +1100
Subject: [c-nsp] Nexus 5000 convert between FC and FCoE?
In-Reply-To: <6EDC5F80-B379-4226-9DF7-B2F475ED1C25@zyedge.com>
References: <20120319215852.GA29929@esri.com> <6EDC5F80-B379-4226-9DF7-B2F475ED1C25@zyedge.com>
Message-ID:

FYI, multihop is supported today and the configuration you have mentioned is totally valid.

On Tue, Mar 20, 2012 at 9:24 AM, Ryan West wrote:
> Output of FCoE to a server? Currently multihop FCoE is not supported, but
> connecting to a CNA in that topology is.
>
> Sent from handheld
>
> On Mar 19, 2012, at 6:01 PM, "Ray Van Dolson" wrote:
>
> > We're looking to run straight FC from an XIV storage rack into a Nexus
> > 5000 and output FCoE via another port on that same 5000.
> >
> > Can anyone advise if this is doable or if we'd need additional hardware
> > to make it happen?
>>
>> Thanks,
>> Ray
>

From jason at lixfeld.ca Sun Mar 25 14:31:46 2012
From: jason at lixfeld.ca (Jason Lixfeld)
Date: Sun, 25 Mar 2012 14:31:46 -0400
Subject: [c-nsp] ISIS and MTU mismatch
Message-ID: <8E67EEA1-2137-4B66-B6DF-337D834D2AA4@lixfeld.ca>

I've been doing some experimenting with MTU size mismatches and ISIS adjacencies.

Consider an ME3400 SVI facing a 7600 ES port subinterface:

[ME3400 SVI -> Gi0/1] --- [7600 ES Gi7/0/19 -> Gi7/0/19.68]

The default MTU on the ES port is 1500, which the subinterface inherits.

The MTU on the ME3400 SVI is based on the system MTU size, or 1998:

! ME3400
me3400#show system mtu

System MTU size is 1998 bytes
System Jumbo MTU size is 9000 bytes
System Alternate MTU size is 1998 bytes
Routing MTU size is 1500 bytes

The 7600/1500 to ME3400/1998 mismatched MTU works fine. ISIS adjacency forms, no problem.

If I leave ME3400/1998 and set 7600/9000, the ISIS adjacency gets torn down.

Why would a bigger > smaller MTU work fine in one direction (ME3400 > 7600) but not the other direction (7600 > ME3400)?
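The usual mechanism behind a one-directional IS-IS MTU failure like the one asked about above is hello padding: a padded IIH is sized to the sender's CLNS MTU, so the side with the larger MTU emits hellos that the smaller-MTU side cannot receive, while hellos in the other direction fit. The following Python model is an added example, not part of this thread and not Cisco code. It assumes that a padded hello equals the sender's CLNS MTU (or an explicit 'clns mtu' override), that an unpadded hello is a small constant, that a receiver drops any hello larger than its own MTU, and that an adjacency reaches UP only when hellos are accepted in both directions. The interface names are borrowed from the thread; the MTU values and padding settings are constructed, so the output is not a claim about what the ME3400 and 7600 actually did here.

```python
"""Simplified model of IS-IS hello padding against interface MTU.

Added example (not from the cisco-nsp thread, not Cisco code). Assumptions:
  * a padded IIH is sized to the sender's CLNS MTU, which is the interface
    MTU unless an explicit 'clns mtu' override is configured;
  * an unpadded IIH is a small constant-size PDU;
  * a receiver silently drops any IIH larger than its own MTU;
  * the adjacency is UP only when hellos are accepted in both directions,
    INIT when only one direction gets through, DOWN when neither does.
Real platforms differ in framing overhead and padding defaults; the MTU
values below are constructed, not measured from the thread.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

UNPADDED_IIH_BYTES = 64  # assumption: a hello carrying no padding TLVs


@dataclass
class IsisInterface:
    name: str
    mtu: int                          # largest L2 payload sent or accepted
    hello_padding: bool = True        # assumed default: padding on
    clns_mtu: Optional[int] = None    # 'clns mtu N' override, if configured

    def effective_clns_mtu(self) -> int:
        return self.clns_mtu if self.clns_mtu is not None else self.mtu

    def hello_size(self) -> int:
        """Size of the IIH this interface transmits."""
        if self.hello_padding:
            return self.effective_clns_mtu()
        return UNPADDED_IIH_BYTES


def hello_accepted(sender: IsisInterface, receiver: IsisInterface) -> bool:
    """A hello is only processed if it fits within the receiver's MTU."""
    return sender.hello_size() <= receiver.mtu


def adjacency_state(a: IsisInterface, b: IsisInterface) -> str:
    """UP needs both directions; one direction gives INIT; none gives DOWN."""
    a_to_b = hello_accepted(a, b)
    b_to_a = hello_accepted(b, a)
    if a_to_b and b_to_a:
        return "UP"
    if a_to_b or b_to_a:
        return "INIT"
    return "DOWN"


def diagnose(a: IsisInterface, b: IsisInterface) -> List[str]:
    """One line per direction in which the hello is dropped."""
    notes = []
    for sender, receiver in ((a, b), (b, a)):
        if not hello_accepted(sender, receiver):
            kind = "padded" if sender.hello_padding else "unpadded"
            notes.append(
                f"{sender.name} sends a {sender.hello_size()}-byte {kind} IIH, "
                f"{receiver.name} accepts at most {receiver.mtu} bytes: dropped"
            )
    return notes


def main() -> None:
    # Constructed scenario: the SVI side stays at 1500, the peer varies.
    svi = IsisInterface("Vlan68", mtu=1500)
    scenarios: List[Tuple[str, IsisInterface]] = [
        ("peer at 9000, padding on",
         IsisInterface("Gi7/0/19.68", mtu=9000)),
        ("peer at 9000, padding off (mismatch masked)",
         IsisInterface("Gi7/0/19.68", mtu=9000, hello_padding=False)),
        ("peer at 9000 with 'clns mtu 1500'",
         IsisInterface("Gi7/0/19.68", mtu=9000, clns_mtu=1500)),
    ]
    for label, peer in scenarios:
        print(f"{label}: {adjacency_state(svi, peer)}")
        for note in diagnose(svi, peer):
            print("  " + note)


if __name__ == "__main__":
    main()
```

The model makes the asymmetry visible: with padding on both sides the small-MTU side's hellos get through but the large-MTU side's do not, so the adjacency sticks in INIT rather than UP; turning padding off hides the mismatch, and pinning the large side's CLNS MTU to the smaller value fixes it without touching the interface MTU.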
From randy_94108 at yahoo.com Sun Mar 25 15:06:55 2012
From: randy_94108 at yahoo.com (Randy)
Date: Sun, 25 Mar 2012 12:06:55 -0700 (PDT)
Subject: [c-nsp] ISIS and MTU mismatch
In-Reply-To: <8E67EEA1-2137-4B66-B6DF-337D834D2AA4@lixfeld.ca>
Message-ID: <1332702415.48350.YahooMailClassic@web181120.mail.ne1.yahoo.com>

--- On Sun, 3/25/12, Jason Lixfeld wrote:

> From: Jason Lixfeld
> Subject: [c-nsp] ISIS and MTU mismatch
> To: cisco-nsp at puck.nether.net
> Date: Sunday, March 25, 2012, 11:31 AM
> I've been doing some experimenting
> with MTU size mismatches and ISIS adjacencies.
>
> Consider an ME3400 SVI facing a 7600 ES port subinterface:
>
> [ME3400 SVI -> Gi0/1] --- [7600 ES Gi7/0/19 -> Gi7/0/19.68]
>
> The default MTU on the ES port is 1500, which the
> subinterface inherits.
>
> The MTU on the ME3400 SVI is based on the system MTU size,
> or 1998:
>
> ! ME3400
> me3400#show system mtu
>
> System MTU size is 1998 bytes
> System Jumbo MTU size is 9000 bytes
> System Alternate MTU size is 1998 bytes
> Routing MTU size is 1500 bytes
>
> The 7600/1500 to ME3400/1998 mismatched MTU works
> fine. ISIS adjacency forms, no problem.
>
> If I leave ME3400/1998 and set 7600/9000, the ISIS adjacency
> gets torn down.
>
> Why would a bigger > smaller MTU work fine in one
> direction (ME3400 > 7600) but not the other direction
> (7600 > ME3400)?
>

Hello Jason,
I believe the routed-mtu size on SVI is still 1500 despite system mtu being 1998
When you change default on 7600 to 9000 you are changing the routed-mtu size.
./Randy

From jason at lixfeld.ca Sun Mar 25 15:28:46 2012
From: jason at lixfeld.ca (Jason Lixfeld)
Date: Sun, 25 Mar 2012 15:28:46 -0400
Subject: [c-nsp] ISIS and MTU mismatch
In-Reply-To: <1332702415.48350.YahooMailClassic@web181120.mail.ne1.yahoo.com>
References: <1332702415.48350.YahooMailClassic@web181120.mail.ne1.yahoo.com>
Message-ID:

> Hello Jason,
> I believe the routed-mtu size on SVI is still 1500 despite system mtu being 1998
> When you change default on 7600 to 9000 you are changing the routed-mtu size.
> ./Randy

I thought about that, but the MTU on the SVI certainly follows the system MTU. I checked that. Although it would seem to make sense considering the SVI is technically a routed interface that the MTU should reflect that of the routed MTU, alas.

From randy_94108 at yahoo.com Sun Mar 25 15:34:32 2012
From: randy_94108 at yahoo.com (Randy)
Date: Sun, 25 Mar 2012 12:34:32 -0700 (PDT)
Subject: [c-nsp] ISIS and MTU mismatch
In-Reply-To:
Message-ID: <1332704072.72332.YahooMailClassic@web181118.mail.ne1.yahoo.com>

--- On Sun, 3/25/12, Jason Lixfeld wrote:

> From: Jason Lixfeld
> Subject: Re: [c-nsp] ISIS and MTU mismatch
> To: "Randy"
> Cc: "cisco-nsp at puck.nether.net"
> Date: Sunday, March 25, 2012, 12:28 PM
>> Hello Jason,
>> I believe the routed-mtu size on SVI is still 1500
>> despite system mtu being 1998
>> When you change default on 7600 to 9000 you are
>> changing the routed-mtu size.
>> ./Randy
>
> I thought about that, but the MTU on the SVI certainly
> follows the system MTU. I checked that. Although
> it would seem to make sense considering the SVI is
> technically a routed interface that the MTU should reflect
> that of the routed MTU, alas.

...so a "sh ip int vlan x" says ip mtu 1998?
I can understand "sh int vlan x" would reflect the system mtu.
./Randy

From td_miles at yahoo.com Sun Mar 25 20:09:48 2012
From: td_miles at yahoo.com (Tony)
Date: Sun, 25 Mar 2012 17:09:48 -0700 (PDT)
Subject: [c-nsp] WS-SVC-MWAM as L2TP Server - Performance metrics
In-Reply-To: <9E813DC263007F4D9B37402CC4302A62385D8A@EX1-STGT.intern.globalways.net>
References: <9E813DC263007F4D9B37402CC4302A62385D8A@EX1-STGT.intern.globalways.net>
Message-ID: <1332720588.63014.YahooMailNeo@web125303.mail.ne1.yahoo.com>

Hi Markus,

That module is EoL and even if it wasn't I think you'd probably be disappointed using it compared to a 7200. Next step up would be a 7200 w/ G2 or if that isn't enough then it would seem to be the ASR1000 series. I have no experience with these, but there is plenty of discussion on the list about them.

regards,
Tony.

________________________________
From: Markus Binder
To: "'cisco-nsp at puck.nether.net'"
Sent: Friday, 23 March 2012 8:19 PM
Subject: [c-nsp] WS-SVC-MWAM as L2TP Server - Performance metrics

Hello,

does anyone have experience with the WS-SVC-MWAM modules as L2TP server for WAN aggregation? We're interested in performance metrics when acting as a LNS and providing QoS (traffic policing) to each session.

If not, which platform would you recommend to do LNS with QoS? Currently we're using 7200 Series with NPE-G1s.

Best regards,
Markus Binder

--
Globalways AG
Neue Brücke 8
D-70173 Stuttgart
Germany

From jstuxuhu0816 at gmail.com Mon Mar 26 06:15:37 2012
From: jstuxuhu0816 at gmail.com (Xu Hu)
Date: Mon, 26 Mar 2012 18:15:37 +0800
Subject: [c-nsp] MPLS TE convert from IOS to IOS-XR
In-Reply-To:
References: <1330349568.69584.YahooMailMobile@web31803.mail.mud.yahoo.com>
Message-ID:

Hi Team,

I have something new to update on this topic. I want to highlight two things to be careful about.

1.
In the auto-tunnel mesh, if you want to define the destination-list, you must remember to use a prefix list, not an access-list. If you use an access-list, the auto-tunnel can still be created, but the number and path are wrong; I spent a lot of time troubleshooting this.

2. If you don't see the backup tunnel work, you need to check whether you enabled the backup tunnel under the interface. The command is like this: mpls traffic-eng interface auto-tunnel backup, that's all.

Hu Xu

2012/2/27 Xu Hu
> You can use the Cisco Tools of "Cisco Feature Navigator" to check whether
> your platform can support it or not.
>
> Xu Hu
> 2012/2/27 David Barak
>
>> BFD is great stuff. Is there any chance of getting BFD on the 45k
>> platform?
>>
>> David Barak
>> (apologies for the mobile-device-style top post)
>>
>> ------------------------------
>> * From: * Oliver Boehmer (oboehmer) ;
>> * To: * ; Xu Hu ;
>> * Cc: * ;
>> * Subject: * Re: [c-nsp] MPLS TE convert from IOS to IOS-XR
>> * Sent: * Mon, Feb 27, 2012 5:58:18 AM
>>
>>>>> "Timer intervals configured, Hello 333 msec, Dead 1, Wait
>>>>> 1, Retransmit 5"
>>>
>>> So what you're talking about is the "OSPF Support for Fast
>>> Hellos" feature from Cisco:
>>>
>>> http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fasthelo.html
>>>
>>> This feature combines the Hello Interval and Dead Interval,
>>> along with some enhancements that make it behave like BFD in
>>> a way.
>>>
>>> AFAICT, it's only supported in IOS (and perhaps, IOS XE).
>>> You can tweak both the Hello and Dead Interval timers in IOS
>>> XR, but they lack the enhancements to enable fast
>>> detection.
>>>
>>> For IOS XR, yes, BFD is your best bet.
>>
>> this holds true for any platform, fast hellos just don't scale.. so
>> please use BFD if you need to detect neighbour failures quickly.
>>
>> oli
>>
>
>

From o.calvano at gmail.com Mon Mar 26 08:00:27 2012
From: o.calvano at gmail.com (Olivier CALVANO)
Date: Mon, 26 Mar 2012 14:00:27 +0200
Subject: [c-nsp] Vlan mapping on Cisco ME3400E
In-Reply-To:
References:
Message-ID:

Can anyone help me???

On 23 March 2012 20:51, Olivier CALVANO wrote:
> Hi
>
> I'm requesting your help to resolve a problem.
>
> I want to see a specific configuration in the lab;
> for this I have:
>
> 1 Cisco 7301 router, labelled "PE"
> 2 Cisco 1841 routers, labelled "CE1" and "CE2"
> 1 Cisco ME3400E, labelled "Gateway"
> 1 Cisco 3750, labelled "Transport"
> 2 Cisco 3750s, labelled "Delivery1" and "Delivery2".
>
> For my lab, the C3750 "Transport" is only there to simulate the carrier.
>
> My config:
>
> Cisco 7301 is connected to ME3400E port 1
>
> config Cisco 7301:
>
> C7301
> interface GigabitEthernet0/2
>  mtu 1600
>  no ip address
>  no ip route-cache cef
>  no ip route-cache
>  media-type rj45
>  speed auto
>  duplex auto
>  no negotiation auto
>
> interface GigabitEthernet0/2.500
>  encapsulation dot1Q 500
>  ip address 192.168.51.1 255.255.255.252
>  no ip route-cache
>
> interface GigabitEthernet0/2.600
>  encapsulation dot1Q 600
>  ip address 192.168.61.1 255.255.255.252
>  no ip route-cache
>
> On the ME3400E
>
> interface FastEthernet0/1
>  description port of C7301
>  switchport trunk allowed vlan 500,600
>  switchport mode trunk
> !
>
> interface FastEthernet0/24
>  description Port to Transport
>  port-type nni
>  switchport mode trunk
>  switchport vlan mapping 500-599 dot1q-tunnel 100
>  switchport vlan mapping 600-699 dot1q-tunnel 101
>
> On C3750 transport:
>
> interface FastEthernet1/0/1
>  description To Switch Delivery1
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan 100
>  switchport mode trunk
> !
> interface FastEthernet1/0/2
>  description To Switch Delivery2
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan 101
>  switchport mode trunk
>
> interface FastEthernet1/0/24
>  description To Switch ME3400E
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan 100,101
>  switchport mode trunk
>
> On C3750 Delivery1:
> interface FastEthernet1/0/1
>  description to CE1
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan 500-599
>  switchport mode trunk
>
> interface FastEthernet1/0/48
>  description to transport
>  switchport access vlan 100
>  switchport mode dot1q-tunnel
>  no cdp enable
>  no cdp tlv server-location
>  no cdp tlv app
>
> On C3750 Delivery2:
> interface FastEthernet1/0/1
>  description to CE2
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan 600-699
>  switchport mode trunk
>
> interface FastEthernet1/0/48
>  description to transport
>  switchport access vlan 101
>  switchport mode dot1q-tunnel
>  no cdp enable
>  no cdp tlv server-location
>  no cdp tlv app
>
> on CE1:
>
> interface FastEthernet0/0
>  no ip address
>  speed auto
>  full-duplex
>  no mop enabled
> !
> interface FastEthernet0/0.500
>  encapsulation dot1Q 500
>  ip address 192.168.51.2 255.255.255.252
>
> on CE2
> interface FastEthernet0/0
>  no ip address
>  speed auto
>  full-duplex
>  no mop enabled
> !
> interface FastEthernet0/0.600
>  encapsulation dot1Q 600
>  ip address 192.168.61.2 255.255.255.252
>
> My objective is to encapsulate VLANs 500 to 599 into transport VLAN 100
> and VLANs 600 to 699 into transport VLAN 101.
>
> Where is my error? All VLANs are created on the switches, but C7301 can't
> ping CE1 or CE2.
>
> "Transport" is my carrier; it supplies me 3 ports in trunk with two VLANs.
>
> A friend told me: "Use L2TP" between the ME3400E and each Delivery switch.
>
> thanks for your help.
> Olivier

From jason at lixfeld.ca Mon Mar 26 08:48:24 2012
From: jason at lixfeld.ca (Jason Lixfeld)
Date: Mon, 26 Mar 2012 08:48:24 -0400
Subject: [c-nsp] ISIS and MTU mismatch
In-Reply-To: <1332704072.72332.YahooMailClassic@web181118.mail.ne1.yahoo.com>
References: <1332704072.72332.YahooMailClassic@web181118.mail.ne1.yahoo.com>
Message-ID:

On 2012-03-25, at 3:34 PM, Randy wrote:

> ...so a "sh ip int vlan x" says ip mtu 1998?
> I can understand "sh int vlan x" would reflect the system mtu.
> ./Randy

Indeed. show ip int does indeed inherit the routed MTU.

So one other riddle - when I set the MTU of the ES port to 1600, the ISIS adjacency stays up. Shouldn't that get torn down?

From jason at lixfeld.ca Mon Mar 26 09:07:29 2012
From: jason at lixfeld.ca (Jason Lixfeld)
Date: Mon, 26 Mar 2012 09:07:29 -0400
Subject: [c-nsp] link failure detection notification (CFM/LMI/OAM?)
Message-ID:

Scenario -

[7600 1 (ES port)] -(T)- [ME3400 1] -(T)- [ME3400 2] -(T)- [7600 2 (ES port)]

- Customer is connected to ME3400 2 on an access port in VLAN 10.
- VLAN 10 is carried on the trunks between both ME3400s to each 7600 ES port
- An xconnect is configured on each ES port under a service instance for vlan 10.
- The Z end of Customer's VLAN has a primary and backup xconnect to 7600 1 and 7600 2, respectively.
- The primary xconnect is via 7600 1.
Problem -

- If the link between ME3400 1 and ME3400 2 goes down, what mechanism is available to notify 7600 1 to tear down its xconnect so the Z end fires up the backup xconnect?
- Spanning-tree/REP/whatever is not available as a protection mechanism between the 7600s and/or the ME3400s.

I've been looking at CFM/LMI/OAM, but I haven't found any clues yet to determine whether or not it can (directly or otherwise) signal an xconnect to tear itself down if connectivity is broken somewhere within the last mile.

Thanks in advance for any tips.

From tdurack at gmail.com Mon Mar 26 09:45:12 2012
From: tdurack at gmail.com (Tim Durack)
Date: Mon, 26 Mar 2012 09:45:12 -0400
Subject: [c-nsp] N7K, NX-OS 6.0(2) link-local OSPFv3
In-Reply-To:
References:
Message-ID:

On Fri, Mar 23, 2012 at 2:01 PM, Tim Durack wrote:
> Simple link-local OSPFv3 config:
> CORE-2# ping6 2001:DB8:4:1::1
> PING6 2001:DB8:4:1::1 (2001:DB8:4:1::1): 56 data bytes
> ping6: sendto: No route to host
> Request 0 timed out
> ping6: sendto: No route to host
> Request 1 timed out
> ping6: sendto: No route to host
> Request 2 timed out
> ping6: sendto: No route to host
> Request 3 timed out
> ping6: sendto: No route to host
> Request 4 timed out
>
> --- 2001:DB8:4:1::1 ping6 statistics ---
> 5 packets transmitted, 0 packets received, 100.00% packet loss
>
> This works on a 6500/SUP720/12.2(33)SXI, but not an N7K/NX-OS/6.0(2)
> What am I missing?

Turns out NX-OS is using the interface link-local as a source to ping a unicast destination, even though the router as a host has a unicast address.
You can force the ping6 source:

CORE-1# ping6 2001:DB8:4:2::2 source 2001:DB8:4:1::1
PING6 2001:DB8:4:2::2 (2001:DB8:4:2::2) from 2001:DB8:4:1::1: 56 data bytes
64 bytes from 2001:DB8:4:2::2: icmp_seq=0 time=2.307 ms
64 bytes from 2001:DB8:4:2::2: icmp_seq=1 time=2.094 ms
64 bytes from 2001:DB8:4:2::2: icmp_seq=2 time=1.894 ms
64 bytes from 2001:DB8:4:2::2: icmp_seq=3 time=1.702 ms
64 bytes from 2001:DB8:4:2::2: icmp_seq=4 time=1.678 ms

This is not an obvious change from IOS to NX-OS. I'm also not sure that this follows RFC 3484 "Default Address Selection for Internet Protocol version 6"

--
Tim:>

From jfreherman at ptci.com Mon Mar 26 11:39:46 2012
From: jfreherman at ptci.com (Justin Reherman)
Date: Mon, 26 Mar 2012 15:39:46 +0000
Subject: [c-nsp] Failed to export vc data
Message-ID: <4E3599F85AFA4B4F8E9BD0EC03EAEECE01A2BC@PTCCEXCHMB1.corp.ptci.com>

I have two 7604 routers set up in a lab. I have been using them to test different services before we implement them in our live network. I have built many xconnects with them before and never had any issues, until a couple of days ago I built an xconnect from router 1 to router 2 that would not come up. When I ran a "sh mpls l2 vc" I did not see the new vc on R1 but did on R2. After verifying configs I decided to reboot R1. When it came back the "sh mpls l2 vc" command returned nothing, even though I have 5 different xconnects defined on the router. R2 still shows all the vc's with a status of down. When I run a "debug mpls l2 vc event" I keep getting the error "Failed to export VC data". I have done some searching and cannot find what this means. Any help will be greatly appreciated.
Thanks

Router1
R1#sh mpls l2 vc
Local intf     Local circuit              Dest address    VC ID      Status
-------------  -------------------------- --------------- ---------- ----------
R1#

Router2
R2#sh mpls l2 vc
Local intf     Local circuit              Dest address    VC ID      Status
-------------  -------------------------- --------------- ---------- ----------
Gi2/0/9        Eth VLAN 200               100.1.1.1       888        DOWN
Gi2/0/10       Eth VLAN 100               100.1.1.1       1000       DOWN
Te3/0/1        Eth VLAN 897               100.1.1.1       10897      DOWN
Gi2/0/3        Eth VLAN 100               100.1.1.1       101007     DOWN
Gi2/0/8        Eth VLAN 1234              100.1.1.1       101234     ADMIN DOWN
R2#

From jfitz at Princeton.EDU Mon Mar 26 11:54:42 2012
From: jfitz at Princeton.EDU (Jeffrey G. Fitzwater)
Date: Mon, 26 Mar 2012 15:54:42 +0000
Subject: [c-nsp] nexus 7K COPP ARP traffic?
Message-ID: <6F90FA3E-4050-420E-8D27-DB92D19FC4D2@exchange.princeton.edu>

I am trying to understand if ALL ARP (request) packets that a Nexus 7K sees need to be punted to the CPU and therefore managed by COPP policies / rate-limits?

Over the weekend we had a data loop that cooked the CPU and we are trying to understand what packets that were control plane processed caused the CPU load.

We currently have a Nexus 7k running 5.2.1 that only has L2 interfaces, other than the management VRF port. I would think that the CPU would never have to process any ARP requests for non-management traffic since it does not have any L3 interfaces.
My understanding is that other sites have had similar issues and changing the COPP profile stopped the CPU from being saturated during this kind of event.

The COPP profile can be ( lenient, moderate, strict ).

Thanks in advance for any info on this issue.

Jeff Fitzwater
OIT Network Systems
Princeton University

From p.mayers at imperial.ac.uk Mon Mar 26 12:11:56 2012
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Mon, 26 Mar 2012 17:11:56 +0100
Subject: [c-nsp] nexus 7K COPP ARP traffic?
In-Reply-To: <6F90FA3E-4050-420E-8D27-DB92D19FC4D2@exchange.princeton.edu>
References: <6F90FA3E-4050-420E-8D27-DB92D19FC4D2@exchange.princeton.edu>
Message-ID: <4F70954C.9060809@imperial.ac.uk>

On 26/03/12 16:54, Jeffrey G. Fitzwater wrote:
>
> My understanding is that other sites have had similar issues and
> changing the COPP profile stopped the CPU from being saturated
> during this kind of event.

Which CoPP profile were you using? What value did/do the HW rate-limiters have? Which linecard types? F1/F2/M1?

N.B. I don't claim expertise in this platform (yet ;o) but I believe these are all relevant.

From rshughes at gmail.com Mon Mar 26 12:31:24 2012
From: rshughes at gmail.com (Ryan Hughes)
Date: Mon, 26 Mar 2012 12:31:24 -0400
Subject: [c-nsp] nexus 7K COPP ARP traffic?
In-Reply-To: <6F90FA3E-4050-420E-8D27-DB92D19FC4D2@exchange.princeton.edu>
References: <6F90FA3E-4050-420E-8D27-DB92D19FC4D2@exchange.princeton.edu>
Message-ID:

Immediate recommendation to move to 5.2.3a or 5.2.4 - lots of catastrophic fun to be had on 5.2.1 / 5.2.2 ... Contact your account team for more details but I'm pretty sure one of the cases was shared on list a few months back.

Ryan

On Mon, Mar 26, 2012 at 11:54 AM, Jeffrey G. Fitzwater wrote:
>
> I am trying to understand if ALL ARP (request) packets that a Nexus 7K
> sees need to be punted to the CPU and therefore managed by COPP policies /
> rate-limits?
>
> Over the weekend we had a data loop that cooked the CPU and we are trying
> to understand what packets that were control plane processed caused the
> CPU load.
>
> We currently have a Nexus 7k running 5.2.1 that only has L2 interfaces,
> other than the management VRF port. I would think that the CPU would
> never have to process any ARP requests for non-management traffic since it
> does not have any L3 interfaces.
>
> My understanding is that other sites have had similar issues and changing
> the COPP profile stopped the CPU from being saturated during this kind of
> event.
>
> The COPP profile can be ( lenient, moderate, strict ).
>
> Thanks in advance for any info on this issue.
>
> Jeff Fitzwater
> OIT Network Systems
> Princeton University
>

From kevin.hodle at gmail.com Mon Mar 26 17:32:42 2012
From: kevin.hodle at gmail.com (Kevin Hodle)
Date: Mon, 26 Mar 2012 16:32:42 -0500
Subject: [c-nsp] ISIS and MTU mismatch
In-Reply-To:
References: <1332704072.72332.YahooMailClassic@web181118.mail.ne1.yahoo.com>
Message-ID:

Hi Jason,

A few things you might check; run the command show clns interface xx/xx on each terminating interface.

* usually the CLNS MTU != the IP MTU and may be system/platform dependent. You can set this with 'clns mtu xxxx' under the interface config.

* Check if either side has hello padding enabled, which pads the hello PDU to the interface's clns MTU. The default for the 7600 should be off but no idea with the ME series; lack of padding can sometimes mask mtu mismatches.

HTH,
Kevin

On Mon, Mar 26, 2012 at 7:48 AM, Jason Lixfeld wrote:
>
> On 2012-03-25, at 3:34 PM, Randy wrote:
>
>> ...so a "sh ip int vlan x" says ip mtu 1998?
>> I can understand "sh int vlan x" would reflect the system mtu.
>> ./Randy
>
> Indeed.
> show ip int does indeed inherit the routed MTU.
>
> So one other riddle - when I set the MTU of the ES port to 1600, the ISIS adjacency stays up. Shouldn't that get torn down?

--
Cheers,
Kevin
================================================================
 :: :: Kevin Hodle | http://www.linkedin.com/in/kevinhodle
 :: :: PGP Key ID  | fingerprint
 :: :: 0x803F24BE  | 1094 FB06 837F 2FAB C86B E4BE 4680 3679 803F 24BE
"Elegance is not a dispensable luxury but a factor that decides between success and failure." -Edsger Dijkstra
================================================================

From chris at uplogon.com Mon Mar 26 18:13:32 2012
From: chris at uplogon.com (Chris Gotstein)
Date: Mon, 26 Mar 2012 17:13:32 -0500
Subject: [c-nsp] 6509 SUP2 rommon
Message-ID: <4F70EA0C.4020106@uplogon.com>

We had an incident over the weekend in which our 6509 crashed. When I arrived to see the problem, both SUP2's were in rommon. I issued a reset on both, and they came up without any problems. Now I'm seeing the following errors:

000060: Mar 24 13:59:56.902 CDT: %OIR-SP-4-WARN: PRIMARY(2) REPORTED AS NOT OCCUPIED IN SLOT!! disable_reason: 26(off (Module Removed)), get_peer_previous_slot: 0, is_occupied fn ptr:0x40497DE8
000061: Mar 24 14:07:58.889 CDT: %OIR-SP-4-WARN: PRIMARY(2) REPORTED AS NOT OCCUPIED IN SLOT!! disable_reason: 26(off (Module Removed)), get_peer_previous_slot: 0, is_occupied fn ptr:0x40497DE8

Everything is working fine, but I'm concerned about the error messages. A search on Cisco's site doesn't really explain much. Note, the SUP2's are in the first 2 slots in the 6509 chassis. Any thoughts?

--
---- ---- ---- ----
Chris Gotstein, Network Engineer, U.P. Logon/Computer Connection U.P.
http://uplogon.com | +1 906 774 4847 | chris at uplogon.com

From chuckchurch at gmail.com Mon Mar 26 22:47:49 2012
From: chuckchurch at gmail.com (Chuck Church)
Date: Mon, 26 Mar 2012 22:47:49 -0400
Subject: [c-nsp] 6509 SUP2 rommon
In-Reply-To: <4F70EA0C.4020106@uplogon.com>
References: <4F70EA0C.4020106@uplogon.com>
Message-ID: <001301cd0bc4$00f71220$02e53660$@com>

Sounds like a potential chassis issue. IOS version? Any changes recently or bent pins maybe? Blow dust out, reseat sups, maybe that'll fix it.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Chris Gotstein
Sent: Monday, March 26, 2012 6:14 PM
To: cisco-nsp
Subject: [c-nsp] 6509 SUP2 rommon

We had an incident over the weekend in which our 6509 crashed. When I arrived to see the problem, both SUP2's were in rommon. I issued a reset on both, and they came up without any problems. Now I'm seeing the following errors:

000060: Mar 24 13:59:56.902 CDT: %OIR-SP-4-WARN: PRIMARY(2) REPORTED AS NOT OCCUPIED IN SLOT!! disable_reason: 26(off (Module Removed)), get_peer_previous_slot: 0, is_occupied fn ptr:0x40497DE8
000061: Mar 24 14:07:58.889 CDT: %OIR-SP-4-WARN: PRIMARY(2) REPORTED AS NOT OCCUPIED IN SLOT!! disable_reason: 26(off (Module Removed)), get_peer_previous_slot: 0, is_occupied fn ptr:0x40497DE8

Everything is working fine, but I'm concerned about the error messages. A search on Cisco's site doesn't really explain much. Note, the SUP2's are in the first 2 slots in the 6509 chassis. Any thoughts?

--
---- ---- ---- ----
Chris Gotstein, Network Engineer, U.P. Logon/Computer Connection U.P.
http://uplogon.com | +1 906 774 4847 | chris at uplogon.com

From chris at uplogon.com Tue Mar 27 00:09:45 2012
From: chris at uplogon.com (Chris Gotstein)
Date: Mon, 26 Mar 2012 23:09:45 -0500
Subject: [c-nsp] 6509 SUP2 rommon
In-Reply-To: <001301cd0bc4$00f71220$02e53660$@com>
References: <4F70EA0C.4020106@uplogon.com> <001301cd0bc4$00f71220$02e53660$@com>
Message-ID: <4F713D89.4090902@uplogon.com>

IOS 12.2(18)SXF17a

No changes, in fact it had been up and running for over 300 days since the last reboot. I could try re-seating the SUPs, maybe swap the 2 around to see if it's a slot issue or problem with the module.

On 3/26/2012 9:47 PM, Chuck Church wrote:
> Sounds like a potential chassis issue. IOS version? Any changes recently
> or bent pins maybe? Blow dust out, reseat sups, maybe that'll fix it.
>
> Chuck
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Chris Gotstein
> Sent: Monday, March 26, 2012 6:14 PM
> To: cisco-nsp
> Subject: [c-nsp] 6509 SUP2 rommon
>
> We had an incident over the weekend in which our 6509 crashed. When I
> arrived to see the problem, both SUP2's were in rommon. I issued a reset on
> both, and they came up without any problems. Now I'm seeing the following
> errors:
>
> 000060: Mar 24 13:59:56.902 CDT: %OIR-SP-4-WARN: PRIMARY(2) REPORTED AS NOT
> OCCUPIED IN SLOT!! disable_reason: 26(off (Module Removed)),
> get_peer_previous_slot: 0, is_occupied fn ptr:0x40497DE8
> 000061: Mar 24 14:07:58.889 CDT: %OIR-SP-4-WARN: PRIMARY(2) REPORTED AS NOT
> OCCUPIED IN SLOT!! disable_reason: 26(off (Module Removed)),
> get_peer_previous_slot: 0, is_occupied fn ptr:0x40497DE8
>
> Everything is working fine, but I'm concerned about the error messages.
> A search on Cisco's site doesn't really explain much. Note, the SUP2's
> are in the first 2 slots in the 6509 chassis. Any thoughts?
>
> --
> ---- ---- ---- ----
> Chris Gotstein, Network Engineer, U.P. Logon/Computer Connection U.P.
> http://uplogon.com | +1 906 774 4847 | chris at uplogon.com
>

--
---- ---- ---- ----
Chris Gotstein, Network Engineer, U.P. Logon/Computer Connection U.P.
http://uplogon.com | +1 906 774 4847 | chris at uplogon.com

From schilling2006 at gmail.com Tue Mar 27 14:00:17 2012
From: schilling2006 at gmail.com (schilling)
Date: Tue, 27 Mar 2012 14:00:17 -0400
Subject: [c-nsp] Is Inter-AS option B supported on Catalyst 6500 SXI code?
Message-ID:

I am trying to have a Catalyst 6500 w/ Sup720-3BXL with 12.2(33)SXI5 support an ASBR exchanging VPN-IPv4, but the 6500 is not allocating labels for prefixes learned from eBGP over address family vpnv4.

Has anybody ever had this working? Any catch?

Thanks,

Schilling

From schilling2006 at gmail.com Tue Mar 27 14:17:49 2012
From: schilling2006 at gmail.com (schilling)
Date: Tue, 27 Mar 2012 14:17:49 -0400
Subject: [c-nsp] Is Inter-AS option B supported on Catalyst 6500 SXI code?
In-Reply-To: <20120327181257.GD10673@radiological.warningg.com>
References: <20120327181257.GD10673@radiological.warningg.com>
Message-ID:

In my case, I happened to have the vrf and route-target configured on the ASBR.

schilling

On Tue, Mar 27, 2012 at 2:12 PM, Brandon Ewing wrote:
> On Tue, Mar 27, 2012 at 02:00:17PM -0400, schilling wrote:
>> I am trying to have a Catalyst 6500 w/ Sup720-3BXL with 12.2(33)SXI5
>> support an ASBR exchanging VPN-IPv4, but the 6500 is not allocating labels
>> for prefixes learned from eBGP over address family vpnv4.
>>
>> Has anybody ever had this working? Any catch?
>>
>> Thanks,
>>
>> Schilling
>
> Have you disabled automatic route-target filtering on the 6500? It will
> drop routes learned via eBGP if the specific route-target doesn't exist in an
> import filter in a configured VRF.
>
> http://www.cisco.com/en/US/docs/ios/12_3t/mpls/command/reference/mp_a1gt.html#wp1015775
>
> --
> Brandon Ewing                                        (nicotine at warningg.com)

From nicotine at warningg.com Tue Mar 27 14:12:57 2012
From: nicotine at warningg.com (Brandon Ewing)
Date: Tue, 27 Mar 2012 13:12:57 -0500
Subject: [c-nsp] Is Inter-AS option B supported on Catalyst 6500 SXI code?
In-Reply-To:
References:
Message-ID: <20120327181257.GD10673@radiological.warningg.com>

On Tue, Mar 27, 2012 at 02:00:17PM -0400, schilling wrote:
> I am trying to have a Catalyst 6500 w/ Sup720-3BXL with 12.2(33)SXI5
> support an ASBR exchanging VPN-IPv4, but the 6500 is not allocating labels
> for prefixes learned from eBGP over address family vpnv4.
>
> Has anybody ever had this working? Any catch?
>
> Thanks,
>
> Schilling

Have you disabled automatic route-target filtering on the 6500? It will drop routes learned via eBGP if the specific route-target doesn't exist in an import filter in a configured VRF.

http://www.cisco.com/en/US/docs/ios/12_3t/mpls/command/reference/mp_a1gt.html#wp1015775

--
Brandon Ewing                                        (nicotine at warningg.com)

From djweis at internetsolver.com Tue Mar 27 17:38:36 2012
From: djweis at internetsolver.com (Dave Weis)
Date: Tue, 27 Mar 2012 16:38:36 -0500
Subject: [c-nsp] Most efficient DSL bonding
Message-ID:

What is the recommended way to bond 2 or 4 ADSL lines to aggregate the throughput? We've used ML PPP so far but processor usage and out of order fragment arrival limit the throughput and number of links that we can bond.
In these cases we're using the ILEC DSL aggregation service so it will be delivered to us via DS3 and OC3 and terminated to a 7206 G2 with a PA-A3.

Thanks
Dave

From tknchris at gmail.com Tue Mar 27 18:21:27 2012
From: tknchris at gmail.com (chris)
Date: Tue, 27 Mar 2012 18:21:27 -0400
Subject: [c-nsp] Most efficient DSL bonding
In-Reply-To: References: Message-ID:

I have also wondered this myself. The ILEC here (VZ) has no support for bonding with their DSLAMs so I've been limited to CEF load balancing :( Curious to see what other people have done in this situation though. Is there some way to gain aggregated speed without help from the ILEC?

chris

On Tue, Mar 27, 2012 at 5:38 PM, Dave Weis wrote:
>
> What is the recommended way to bond 2 or 4 ADSL lines to aggregate the
> throughput? We've used ML PPP so far but processor usage and out of order
> fragment arrival limits the throughput and number of links that we can
> bond. In these cases we're using the ILEC DSL aggregation service so it
> will be delivered to us via DS3 and OC3 and terminated to a 7206 G2 with a
> PA-A3.
>
> Thanks
> Dave
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From chris at uplogon.com Tue Mar 27 19:04:21 2012
From: chris at uplogon.com (Chris Gotstein)
Date: Tue, 27 Mar 2012 18:04:21 -0500
Subject: [c-nsp] 6509 SUP2 rommon
In-Reply-To: <6184A445A023094CAEB001964208B12226B3B338D1@AWMAIL.alphawest.com.au>
References: <4F70EA0C.4020106@uplogon.com> <001301cd0bc4$00f71220$02e53660$@com> <4F713D89.4090902@uplogon.com> <6184A445A023094CAEB001964208B12226B3B338D1@AWMAIL.alphawest.com.au>
Message-ID: <4F724775.1090803@uplogon.com>

Wish it was that easy, too expensive to upgrade right now and don't really need the extra horsepower.
On 3/27/2012 6:02 PM, Andrew Jones wrote: > I know this probably isn't the answer youre after, but perhaps its time to upgrade: > http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_end-of-life_notice0900aecd80423d31.html > > Andrew Jones > > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Chris Gotstein > Sent: Tuesday, 27 March 2012 3:10 PM > To: Chuck Church > Cc: 'cisco-nsp' > Subject: Re: [c-nsp] 6509 SUP2 rommon > > IOS 12.2(18)SXF17a > > No changes, in fact it had been up and running for over 300 days since > the last reboot. I could try re-seating the SUPs, maybe swap the 2 > around to see if it's a slot issue or problem with the module. > > On 3/26/2012 9:47 PM, Chuck Church wrote: >> Sounds like a potential chassis issue. IOS version? Any changes recently >> or bent pins maybe? Blow dust out, reseat sups, maybe that'll fix it. >> >> Chuck >> >> -----Original Message----- >> From: cisco-nsp-bounces at puck.nether.net >> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Chris Gotstein >> Sent: Monday, March 26, 2012 6:14 PM >> To: cisco-nsp >> Subject: [c-nsp] 6509 SUP2 rommon >> >> We had an incident over the weekend in which our 6509 crashed. When i >> arrived to see the problem, bith SUP2's were in rommon. I issued a reset on >> both, and they came up without any problems. Now i'm seeing the following >> errors: >> >> 000060: Mar 24 13:59:56.902 CDT: %OIR-SP-4-WARN: PRIMARY(2) REPORTED AS NOT >> OCCUPIED IN SLOT!! disable_reason: 26(off (Module Removed)), >> get_peer_previous_slot: 0, is_occupied fn ptr:0x40497DE8 >> 000061: Mar 24 14:07:58.889 CDT: %OIR-SP-4-WARN: PRIMARY(2) REPORTED AS NOT >> OCCUPIED IN SLOT!! disable_reason: 26(off (Module Removed)), >> get_peer_previous_slot: 0, is_occupied fn ptr:0x40497DE8 >> >> Everything is working fine, but I'm concerned about the error messages. 
>> A search on Cisco's site doesn't really explain much. Note, the SUP2's >> are in the first 2 slots in the 6509 chassis. Any thoughts? >> >> -- >> ---- ---- ---- ---- >> Chris Gotstein, Network Engineer, U.P. Logon/Computer Connection U.P. >> http://uplogon.com | +1 906 774 4847 | chris at uplogon.com >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > -- ---- ---- ---- ---- Chris Gotstein, Network Engineer, U.P. Logon/Computer Connection U.P. http://uplogon.com | +1 906 774 4847 | chris at uplogon.com From Andrew.Jones at alphawest.com.au Tue Mar 27 19:02:37 2012 From: Andrew.Jones at alphawest.com.au (Andrew Jones) Date: Wed, 28 Mar 2012 10:02:37 +1100 Subject: [c-nsp] 6509 SUP2 rommon In-Reply-To: <4F713D89.4090902@uplogon.com> References: <4F70EA0C.4020106@uplogon.com> <001301cd0bc4$00f71220$02e53660$@com> <4F713D89.4090902@uplogon.com> Message-ID: <6184A445A023094CAEB001964208B12226B3B338D1@AWMAIL.alphawest.com.au> I know this probably isn't the answer youre after, but perhaps its time to upgrade: http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_end-of-life_notice0900aecd80423d31.html Andrew Jones -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Chris Gotstein Sent: Tuesday, 27 March 2012 3:10 PM To: Chuck Church Cc: 'cisco-nsp' Subject: Re: [c-nsp] 6509 SUP2 rommon IOS 12.2(18)SXF17a No changes, in fact it had been up and running for over 300 days since the last reboot. I could try re-seating the SUPs, maybe swap the 2 around to see if it's a slot issue or problem with the module. On 3/26/2012 9:47 PM, Chuck Church wrote: > Sounds like a potential chassis issue. IOS version? Any changes recently > or bent pins maybe? Blow dust out, reseat sups, maybe that'll fix it. 
> > Chuck > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Chris Gotstein > Sent: Monday, March 26, 2012 6:14 PM > To: cisco-nsp > Subject: [c-nsp] 6509 SUP2 rommon > > We had an incident over the weekend in which our 6509 crashed. When i > arrived to see the problem, bith SUP2's were in rommon. I issued a reset on > both, and they came up without any problems. Now i'm seeing the following > errors: > > 000060: Mar 24 13:59:56.902 CDT: %OIR-SP-4-WARN: PRIMARY(2) REPORTED AS NOT > OCCUPIED IN SLOT!! disable_reason: 26(off (Module Removed)), > get_peer_previous_slot: 0, is_occupied fn ptr:0x40497DE8 > 000061: Mar 24 14:07:58.889 CDT: %OIR-SP-4-WARN: PRIMARY(2) REPORTED AS NOT > OCCUPIED IN SLOT!! disable_reason: 26(off (Module Removed)), > get_peer_previous_slot: 0, is_occupied fn ptr:0x40497DE8 > > Everything is working fine, but I'm concerned about the error messages. > A search on Cisco's site doesn't really explain much. Note, the SUP2's > are in the first 2 slots in the 6509 chassis. Any thoughts? > > -- > ---- ---- ---- ---- > Chris Gotstein, Network Engineer, U.P. Logon/Computer Connection U.P. > http://uplogon.com | +1 906 774 4847 | chris at uplogon.com > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > -- ---- ---- ---- ---- Chris Gotstein, Network Engineer, U.P. Logon/Computer Connection U.P. 
http://uplogon.com | +1 906 774 4847 | chris at uplogon.com
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From panocisco77 at gmail.com Tue Mar 27 21:32:41 2012
From: panocisco77 at gmail.com (Renelson Panosky)
Date: Tue, 27 Mar 2012 21:32:41 -0400
Subject: [c-nsp] Local printer will not print when connected to Cisco VPN client or checkpoint..Please help
Message-ID:

I have a user who works from home and has a home network printer which is connected to his wireless router through a LAN port. Whenever he is VPN'd into the office he is not able to print from his home network printer, but if he disconnects from the VPN then he can print. I already made sure split tunnelling is enabled on the VPN server and Local LAN access is enabled on his machine. However, he can print if he connects his wireless printer directly to his PC or laptop; he just can't print wirelessly. Any idea how I can get him to be able to print wirelessly while VPN'd into the office?

Things I've already checked:

1) he can ping his printer IP address
2) While connected to the VPN he can see his home printer

Any help will be greatly appreciated...

Renelson

From lostinmoscow at gmail.com Tue Mar 27 22:03:32 2012
From: lostinmoscow at gmail.com (Quinn Kuzmich)
Date: Tue, 27 Mar 2012 20:03:32 -0600
Subject: [c-nsp] Local printer will not print when connected to Cisco VPN client or checkpoint..Please help
In-Reply-To: References: Message-ID:

Enable split tunneling on the VPN or plug the printer into a local USB port.

Q

On Tue, Mar 27, 2012 at 7:32 PM, Renelson Panosky wrote:
> I have a user who work from home and he has a home network printer which
> connected to his wireless router through a LAN port. Whenever he is VPN
> into the office he is not able to print from his home network printer.
> but if he disconnect from the VPN then he can print.
> I already make sure
> split tunnelling is enabled on the VPN server and Local LAN access is
> enabled on his machines. However he can print if he connects his wireless
> printer directly to his PC or Laptop he is just can't print wirelessly.
> Any idea how i can get him to be able to print wirelessly while VPN into
> the office.
>
> Things i've already checked:
>
> 1) he can ping his printer IP address
> 2) While connected to the VPN he can see his home printer
>
> Any help will be greatly appreciated...
>
> Renelson
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From artem at aws-net.org.ua Wed Mar 28 02:23:55 2012
From: artem at aws-net.org.ua (Artyom Viklenko)
Date: Wed, 28 Mar 2012 09:23:55 +0300
Subject: [c-nsp] Cisco 7201 rate-limit or aggregate policer
Message-ID: <4F72AE7B.9000303@aws-net.org.ua>

Hi, List!

I need to rate-limit traffic on two subinterfaces facing a single customer. These two subifs are used for building a reliable connection to the customer using OSPF and two links with different vlans.

On Cisco 7600 it could be done using an aggregate policer and one policy-map applied to two SVIs. But is something similar possible on 7201?

IOS on this router is c7200p-advipservicesk9-mz.124-24.T6.bin.

Thanks in advance!

--
Sincerely yours, Artyom Viklenko.
-------------------------------------------------------
artem at aws-net.org.ua | http://www.aws-net.org.ua/~artem
artem at viklenko.net | JID: artem at jabber.aws-net.org.ua
FreeBSD: The Power to Serve - http://www.freebsd.org

From Simon.Thomason at racq.com.au Wed Mar 28 02:26:24 2012
From: Simon.Thomason at racq.com.au (Thomason, Simon)
Date: Wed, 28 Mar 2012 16:26:24 +1000
Subject: [c-nsp] Local printer will not print when connected to Cisco VPN client or checkpoint..Please help
In-Reply-To: References: Message-ID: <42752206EE5B8545B68464E1D0B774B86787DECD1C@EMPMAIL.racq.com.au>

Does the printer have a default gateway, as in, is it able to see outside its own subnet? Can you ping/traceroute to it?

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Quinn Kuzmich
Sent: Wednesday, 28 March 2012 12:04 PM
To: Renelson Panosky
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Local printer will not print when connected to Cisco VPN client or checkpoint..Please help

Enable split tunneling on the VPN or plug the printer into a local USB port.

Q

On Tue, Mar 27, 2012 at 7:32 PM, Renelson Panosky wrote:
> I have a user who work from home and he has a home network printer which
> connected to his wireless router through a LAN port. Whenever he is VPN
> into the office he is not able to print from his home network printer.
> but if he disconnect from the VPN then he can print. I already make sure
> split tunnelling is enabled on the VPN server and Local LAN access is
> enabled on his machines. However he can print if he connects his wireless
> printer directly to his PC or Laptop he is just can't print wirelessly.
> Any idea how i can get him to be able to print wirelessly while VPN into
> the office.
>
> Things i've already checked:
>
> 1) he can ping his printer IP address
> 2) While connected to the VPN he can see his home printer
>
> Any help will be greatly appreciated...
>
> Renelson
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

RACQ gets more than 9 out of 10 cars going again - quick smart. That's Australia's highest success rate! Be part of Queensland's largest club. Visit racq.com/roadsiderescue

Please Note: If you are not the intended recipient, please delete this email as its use is prohibited. RACQ does not warrant or represent that this email is free from viruses or defects. If you do not wish to receive any further commercial electronic messages from RACQ please e-mail unsubscribe at racq.com.au or contact RACQ on 13 19 05.

From Simon.Thomason at racq.com.au Wed Mar 28 02:29:30 2012
From: Simon.Thomason at racq.com.au (Thomason, Simon)
Date: Wed, 28 Mar 2012 16:29:30 +1000
Subject: [c-nsp] Local printer will not print when connected to Cisco VPN client or checkpoint..Please help
In-Reply-To: References: Message-ID: <42752206EE5B8545B68464E1D0B774B86787DECD1D@EMPMAIL.racq.com.au>

Sorry, I am pretty certain I totally misread this one. Split tunnelling will only work if you specify what is and is not interesting traffic for the VPN and local network. Depending on what client you are using you can enable local LAN access in AnyConnect (not certain if there is an option for this in the old Cisco VPN).
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Quinn Kuzmich
Sent: Wednesday, 28 March 2012 12:04 PM
To: Renelson Panosky
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Local printer will not print when connected to Cisco VPN client or checkpoint..Please help

Enable split tunneling on the VPN or plug the printer into a local USB port.

Q

On Tue, Mar 27, 2012 at 7:32 PM, Renelson Panosky wrote:
> I have a user who work from home and he has a home network printer which
> connected to his wireless router through a LAN port. Whenever he is VPN
> into the office he is not able to print from his home network printer.
> but if he disconnect from the VPN then he can print. I already make sure
> split tunnelling is enabled on the VPN server and Local LAN access is
> enabled on his machines. However he can print if he connects his wireless
> printer directly to his PC or Laptop he is just can't print wirelessly.
> Any idea how i can get him to be able to print wirelessly while VPN into
> the office.
>
> Things i've already checked:
>
> 1) he can ping his printer IP address
> 2) While connected to the VPN he can see his home printer
>
> Any help will be greatly appreciated...
>
> Renelson
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From johnelliot67 at hotmail.com Wed Mar 28 04:57:56 2012
From: johnelliot67 at hotmail.com (John Elliot)
Date: Wed, 28 Mar 2012 19:57:56 +1100
Subject: [c-nsp] Portchan ASR->2960
Message-ID:

Hi Guys,

Testing an ASR1006->2960 portchan, and portchan comes up, config vlan int on 2960 in vlan 88 and portchan1.88 and can see mac's but cannot pass data - If I change the config to bring down the portchan, and use physical interface on asr with dot1q subint, I have no issues? Bug?

ASR:

interface Port-channel1
 description ETHCHAN_TO_ESW
 mtu 1998
 no ip address
 ip flow ingress
 no negotiation auto
interface GigabitEthernet1/0/0
 no ip address
 ip flow ingress
 negotiation auto
 no cdp enable
 channel-group 1
interface GigabitEthernet2/0/0
 no ip address
 ip flow ingress
 negotiation auto
 no cdp enable
 channel-group 1
interface Port-channel1.88
 description TEST
 encapsulation dot1Q 88
 ip address 10.10.10.1 255.255.255.252

SW:

interface GigabitEthernet0/1
 media-type sfp
 channel-group 1 mode on
!
interface GigabitEthernet0/2
 switchport mode trunk
 media-type sfp
 channel-group 1 mode on
!
interface Port-channel1
 switchport mode trunk
!
interface Vlan88
 ip address 10.10.10.2 255.255.255.252
 no ip route-cache

Switch#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.10.2              -   0019.06d9.7541  ARPA   Vlan88
Internet  10.10.10.1              0   f0f7.5548.50c0  ARPA   Vlan88

Switch#ping 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Then with physical int dot1q, success:

Router#sh interfaces gigabitEthernet 1/0/0
GigabitEthernet1/0/0 is down, line protocol is down
Router#sh interfaces port-channel 1
Port-channel1 is down, line protocol is down

interface GigabitEthernet2/0/0
 no ip address
 ip mtu 1998
 ip flow ingress
 negotiation auto
 no cdp enable
!
interface GigabitEthernet2/0/0.88
 description TEST
 encapsulation dot1Q 88
 ip address 10.10.10.1 255.255.255.252

Router#ping 10.10.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/3 ms

Router#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.10.1              -   f0f7.5548.4f80  ARPA   GigabitEthernet2/0/0.88
Internet  10.10.10.2              6   0019.06d9.7541  ARPA   GigabitEthernet2/0/0.88

SW:

Switch#sh interface port-channel 1
Port-channel1 is down, line protocol is down (notconnect)
Switch#sh interface gigabitEthernet 0/1
GigabitEthernet0/1 is administratively down, line protocol is down (disabled)

Switch#sh int trunk
Port        Mode         Encapsulation  Status        Native vlan
Gi0/2       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/2       1-4094

Port        Vlans allowed and active in management domain
Gi0/2       1,10,88

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/2       1,10,88

Switch#ping 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms

Switch#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.10.2              -   0019.06d9.7541  ARPA   Vlan88
Internet  10.10.10.1              8   f0f7.5548.4f80  ARPA   Vlan88

IOS/XE:

#sh ver
Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 12.2(33)XNA1, RELEASE SOFTWARE (fc1)

Cheers.

From matt at melbourne.org.uk Wed Mar 28 05:45:25 2012
From: matt at melbourne.org.uk (Matthew Melbourne)
Date: Wed, 28 Mar 2012 10:45:25 +0100
Subject: [c-nsp] Local printer will not print when connected to Cisco VPN client or checkpoint..Please help
Message-ID:

On 28 March 2012 03:01, wrote:
> Message: 8
> Date: Tue, 27 Mar 2012 21:32:41 -0400
> From: Renelson Panosky
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Local printer will not print when connected to Cisco
>        VPN client or checkpoint..Please help
> Message-ID:
>
> Content-Type: text/plain; charset=ISO-8859-1
>
> I have a user who work from home and he has a home network printer which
> connected to his wireless router through a LAN port. Whenever he is VPN
> into the office he is not able to print from his home network printer.
> but if he disconnect from the VPN then he can print. I already make sure
> split tunnelling is enabled on the VPN server and Local LAN access is
> enabled on his machines. However he can print if he connects his wireless
> printer directly to his PC or Laptop he is just can't print wirelessly.
> Any idea how i can get him to be able to print wirelessly while VPN into
> the office.
>
> Things i've already checked:
>
> 1) he can ping his printer IP address
> 2) While connected to the VPN he can see his home printer

Is "Allow local LAN access" (include-local-lan) enabled at the VPN head-end (it's pushed to the client as part of the Group configuration).
Cheers, Matt -- Matthew Melbourne From tdurack at gmail.com Wed Mar 28 08:56:04 2012 From: tdurack at gmail.com (Tim Durack) Date: Wed, 28 Mar 2012 08:56:04 -0400 Subject: [c-nsp] N7K, NX-OS 6.0(2) link-local OSPFv3 In-Reply-To: References: Message-ID: On Mon, Mar 26, 2012 at 9:45 AM, Tim Durack wrote: > This is not an obvious change from IOS to NX-OS. I'm also not sure > that this follows rfc3484 "Default Address Selection for Internet > Protocol version 6" > > -- > Tim:> Cisco has confirmed the NX-OS IPv6 stack does not implement rfc3484 correctly. An enhancement bug has been filed to correct this. -- Tim:> From dharmachris at gmail.com Wed Mar 28 12:08:21 2012 From: dharmachris at gmail.com (Chris Hunt) Date: Wed, 28 Mar 2012 09:08:21 -0700 Subject: [c-nsp] Cisco 7201 rate-limit or aggregate policer In-Reply-To: References: Message-ID: <4F733775.7080505@gmail.com> On 3/28/2012 9:00 AM, cisco-nsp-request at puck.nether.net wrote: > ---------------------------------------------------------------------- > > Message: 1 > Date: Wed, 28 Mar 2012 09:23:55 +0300 > From: Artyom Viklenko > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Cisco 7201 rate-limit or aggregate policer > Message-ID: <4F72AE7B.9000303 at aws-net.org.ua> > Content-Type: text/plain; charset=KOI8-U; format=flowed > > Hi, List! > > I need to rate-limit traffic on two subinterfaces facing > a single customer. These two subifs used for building reliable > connection to the customer using OSPF and two links with > different vlans. > > On Cisco 7600 it culd be done using aggregate policer and > one policy-map applied to two SVIs. But is something similar > possible on 7201? > > IOS on this router c7200p-advipservicesk9-mz.124-24.T6.bin. > > Thanks in advance! > > -- Sincerely yours, Artyom Viklenko. 
> -------------------------------------------------------

Try

interface GigabitEthernet0/1.310
 encapsulation dot1Q 310
 rate-limit input 11000000 2062500 4125000 conform-action transmit exceed-action drop
 rate-limit output 11000000 2062500 4125000 conform-action transmit exceed-action drop

Cheers,
Chris H.

From psirt at cisco.com Wed Mar 28 12:20:57 2012
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Wed, 28 Mar 2012 12:20:57 -0400
Subject: [c-nsp] Cisco Security Advisory: Cisco IOS Software Smart Install Denial of Service Vulnerability
Message-ID: <201203281220058.cisco-sa-20120328-smartinstall@psirt.cisco.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Cisco Security Advisory: Cisco IOS Software Smart Install Denial of Service Vulnerability

Advisory ID: cisco-sa-20120328-smartinstall
Revision 1.0
For Public Release 2012 March 28 16:00 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Cisco IOS Software contains a vulnerability in the Smart Install feature that could allow an unauthenticated, remote attacker to cause a reload of an affected device if the Smart Install feature is enabled. The vulnerability is triggered when an affected device processes a malformed Smart Install message on TCP port 4786.

Cisco has released free software updates that address this vulnerability. There are no workarounds to mitigate this vulnerability.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-smartinstall

Note: The March 28, 2012, Cisco IOS Software Security Advisory bundled publication includes nine Cisco Security Advisories. Each advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all vulnerabilities in the March 2012 bundled publication.
Individual publication links are in "Cisco Event Response: Semi-Annual Cisco IOS Software Security Advisory Bundled Publication" at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.html

Affected Products
=================

Vulnerable Products
+------------------

Devices configured as a Smart Install client or director are affected by this vulnerability.

To display Smart Install information, use the show vstack config privileged EXEC command on the Smart Install director or client. The outputs of show commands are different when entered on the director or on the client.

The following is the output of show vstack config in a Cisco Catalyst Switch configured as a Smart Install client:

switch#show vstack config
Role: Client
Vstack Director IP address: 10.1.1.163

The following is the output of show vstack config in a Cisco Catalyst Switch configured as a Smart Install director:

Director# show vstack config
Role: Director
Vstack Director IP address: 10.1.1.163
Vstack Mode: Basic
Vstack default management vlan: 1
Vstack management Vlans: none
Vstack Config file: tftp://10.1.1.100/default-config.txt
Vstack Image file: tftp://10.1.1.100/c3750e-universalk9-tar.122-
Join Window Details:
  Window: Open (default)
  Operation Mode: auto (default)
Vstack Backup Details:
  Mode: On (default)
  Repository: flash:/vstack (default)

The Smart Install Feature is enabled by default.

To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to "Cisco Internetwork Operating System Software" or "Cisco IOS Software." The image name displays in parentheses, followed by "Version" and the Cisco IOS Software release name. Other Cisco devices do not have the show version command or may provide different output.

The following example identifies a Cisco product that is running Cisco IOS Software Release 15.0(1)M1 with an installed image name of C3900-UNIVERSALK9-M:

Router> show version
Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 02-Dec-09 17:17 by prod_rel_team
!--- output truncated

Additional information about Cisco IOS Software release naming conventions is available in "White Paper: Cisco IOS and NX-OS Software Reference Guide" at:
http://www.cisco.com/web/about/security/intelligence/ios-ref.html

Products Confirmed Not Vulnerable
+--------------------------------

Cisco IOS XR Software is not affected by this vulnerability.

Cisco IOS XE Software is not affected by this vulnerability.

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

Smart Install is a plug-and-play configuration and image-management feature that provides zero-touch deployment for new LAN Ethernet switches. This feature allows, for example, new LAN switches to be deployed at new locations without any configuration.

A vulnerability exists in the Smart Install feature of Cisco IOS Software that could allow an unauthenticated, remote attacker to cause a reload of an affected device. Smart Install uses a Cisco proprietary protocol that runs over TCP port 4786. To exploit this vulnerability, an attacker needs to establish a TCP session on port 4786 of an affected device that has the Smart Install feature enabled, and then send a malformed Smart Install message.

This vulnerability is documented in Cisco bug ID CSCtt16051 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2012-0385.

Vulnerability Scoring Details
=============================

Cisco has scored the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps organizations determine the urgency and priority of a response.

Cisco has provided a base and temporal score. Customers can also compute environmental scores that help determine the impact of the vulnerability in their own networks.

Cisco has provided additional information regarding CVSS at the following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to compute the environmental impact for individual networks at the following link:
http://intellishield.cisco.com/security/alertmanager/cvss

* Cisco IOS Software Smart Install Denial of Service Vulnerability

CVSS Base Score - 7.8
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - None
    Integrity Impact - None
    Availability Impact - Complete

CVSS Temporal Score - 6.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

Impact
======

Successful exploitation of the vulnerability that is described in this advisory may cause a reload of an affected device. Repeated exploitation could result in a sustained denial of service condition.

Software Versions and Fixes
===========================

When considering software upgrades, also consult:
http://www.cisco.com/go/psirt
and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
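The two identification steps the advisory gives in its Affected Products section, show vstack config for the Smart Install role and show version for the running release, are simple to apply across a directory of saved command outputs rather than one console at a time. The Python below is an added example written for this page, not part of the advisory and not a Cisco tool; the sample outputs it embeds are copied from the advisory text above rather than captured from a live device. It flags a device as affected when the Role line reports Client or Director (the advisory's own criterion), extracts the image name and release from the show version banner, and offers a same-train comparison helper for table cells of the form "releases up to and including 12.2(46)EX are not vulnerable"; it deliberately returns None for two releases from different trains, because only the advisory table, not numeric comparison, settles that case.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Sample outputs copied from the advisory text above (not captured from a live device).
VSTACK_CLIENT = """switch#show vstack config
Role: Client
Vstack Director IP address: 10.1.1.163
"""

VSTACK_DIRECTOR = """Director# show vstack config
Role: Director
Vstack Director IP address: 10.1.1.163
Vstack Mode: Basic
Vstack default management vlan: 1
"""

SHOW_VERSION = """Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
"""


class Release(NamedTuple):
    """A Cisco IOS release string such as 12.2(52)EY4 split into its parts."""
    major: int
    minor: int
    maintenance: int
    train: str      # letters after the parenthesis, e.g. "EY", "SXI", "M"
    rebuild: int    # trailing digits, 0 when absent


ROLE_RE = re.compile(r"^\s*Role:\s*(\w+)\s*$", re.MULTILINE)
RELEASE_RE = re.compile(r"(\d+)\.(\d+)\((\d+)\)([A-Za-z]*)(\d*)")
# Image name in parentheses, then "Version <release>," as in the banner's first line.
BANNER_RE = re.compile(r"\(([^)]+)\),\s*Version\s+([^,\s]+)")


def smart_install_role(vstack_output: str) -> Optional[str]:
    """Return the Role reported by 'show vstack config', or None if no Role line is present."""
    m = ROLE_RE.search(vstack_output)
    return m.group(1) if m else None


def smart_install_affected(vstack_output: str) -> bool:
    """Per the advisory, a device configured as a Smart Install client or director
    is affected; output without a Client/Director role is not flagged."""
    return smart_install_role(vstack_output) in ("Client", "Director")


def parse_release(text: str) -> Optional[Release]:
    """Parse '15.0(1)M1' -> Release(15, 0, 1, 'M', 1); None if no release string is found."""
    m = RELEASE_RE.search(text)
    if not m:
        return None
    major, minor, maint, train, rebuild = m.groups()
    return Release(int(major), int(minor), int(maint), train, int(rebuild) if rebuild else 0)


def parse_show_version(banner: str) -> Optional[Tuple[str, Release]]:
    """Extract (image name, Release) from the first line of 'show version'."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    rel = parse_release(m.group(2))
    return (m.group(1), rel) if rel else None


def not_newer_than(release: str, ceiling: str) -> Optional[bool]:
    """True if 'release' is in the same train as 'ceiling' and not newer than it,
    False if it is newer, None if the two releases belong to different trains
    (the advisory's table, not arithmetic, decides cross-train cases)."""
    a, b = parse_release(release), parse_release(ceiling)
    if a is None or b is None:
        return None
    if (a.major, a.minor, a.train) != (b.major, b.minor, b.train):
        return None
    return (a.maintenance, a.rebuild) <= (b.maintenance, b.rebuild)


if __name__ == "__main__":
    for name, out in (("client", VSTACK_CLIENT), ("director", VSTACK_DIRECTOR)):
        state = "affected" if smart_install_affected(out) else "not affected"
        print(f"{name}: role={smart_install_role(out)} -> {state}")
    print(parse_show_version(SHOW_VERSION))
    print("12.2(44)EX1 <= 12.2(46)EX:", not_newer_than("12.2(44)EX1", "12.2(46)EX"))
    print("12.2(52)EY5 <= 12.2(52)EY4:", not_newer_than("12.2(52)EY5", "12.2(52)EY4"))
```

Feed each device's saved show vstack config output to smart_install_affected to build the list of switches that need the fixed release; a None from not_newer_than means the release has to be looked up in the per-train rows of the table rather than compared numerically.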
Cisco IOS Software
+-----------------

Each row of the following Cisco IOS Software table corresponds to a Cisco IOS Software train. If a particular train is vulnerable, the earliest releases that contain the fix are listed in the First Fixed Release column. The First Fixed Release for All Advisories in the March 2012 Bundled Publication column lists the earliest possible releases that correct all the published vulnerabilities in the Cisco IOS Software Security Advisory bundled publication. Cisco recommends upgrading to the latest available release, where possible.

The Cisco IOS Software Checker allows customers to search for Cisco Security Advisories that address specific Cisco IOS Software releases. This tool is available on the Cisco Security Intelligence Operations (SIO) portal at:

http://tools.cisco.com/security/center/selectIOSVersion.x

+-------------------------------------------------------------------+
|  Major   |           Availability of Repaired Releases            |
| Release  |                                                        |
|----------+--------------------------------------------------------|
| Affected |                     |   First Fixed Release for All    |
|12.0-Based| First Fixed Release |Advisories in the March 2012 Cisco|
| Releases |                     |  IOS Software Security Advisory  |
|          |                     |       Bundled Publication        |
|-------------------------------------------------------------------|
|             There are no affected 12.0 based releases             |
|-------------------------------------------------------------------|
| Affected |                     |   First Fixed Release for All    |
|12.2-Based| First Fixed Release |Advisories in the March 2012 Cisco|
| Releases |                     |  IOS Software Security Advisory  |
|          |                     |       Bundled Publication        |
|----------+---------------------+----------------------------------|
|12.2      |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0M                             |
|----------+---------------------+----------------------------------|
|12.2B     |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0M                             |
|----------+---------------------+----------------------------------|
|12.2BC    |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0M                             |
|----------+---------------------+----------------------------------|
|12.2BW    |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0M                             |
|----------+---------------------+----------------------------------|
|12.2BX    |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |12.2SB                            |
|----------+---------------------+----------------------------------|
|12.2BY    |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0M                             |
|----------+---------------------+----------------------------------|
|12.2BZ    |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0M                             |
|----------+---------------------+----------------------------------|
|12.2CX    |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0M                             |
|----------+---------------------+----------------------------------|
|12.2CY    |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0M                             |
|----------+---------------------+----------------------------------|
|12.2CZ    |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |12.0S                             |
|----------+---------------------+----------------------------------|
|12.2DA    |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0M                             |
|----------+---------------------+----------------------------------|
|12.2DD    |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0M                             |
|----------+---------------------+----------------------------------|
|12.2DX    |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0M                             |
|----------+---------------------+----------------------------------|
|12.2EU    |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2EW    |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2EWA   |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2EX    |Vulnerable; First    |Vulnerable; First fixed in Release|
|          |fixed in Release     |15.0SE                            |
|          |15.0SE               |                                  |
|          |Releases up to and   |                                  |
|          |including 12.2(46)EX |                                  |
|          |are not vulnerable.  |                                  |
|----------+---------------------+----------------------------------|
|12.2EY    |Vulnerable; migrate  |12.2(52)EY4                       |
|          |to any release in    |                                  |
|          |15.1EY               |                                  |
|          |Releases up to and   |                                  |
|          |including 12.2(52)EY4|                                  |
|          |are not vulnerable.  |                                  |
|----------+---------------------+----------------------------------|
|12.2EZ    |Vulnerable; First    |Vulnerable; First fixed in Release|
|          |fixed in Release     |15.0SE                            |
|          |15.0SE               |                                  |
|          |Releases up to and   |                                  |
|          |including 12.2(53)EZ |                                  |
|          |are not vulnerable.  |                                  |
|----------+---------------------+----------------------------------|
|12.2FX    |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0SE                            |
|----------+---------------------+----------------------------------|
|12.2FY    |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0SE                            |
|----------+---------------------+----------------------------------|
|12.2FZ    |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0SE                            |
|----------+---------------------+----------------------------------|
|12.2IRA   |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |12.2SRE                           |
|----------+---------------------+----------------------------------|
|12.2IRB   |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |12.2SRE                           |
|----------+---------------------+----------------------------------|
|12.2IRC   |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |12.2SRE                           |
|----------+---------------------+----------------------------------|
|12.2IRD   |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |12.2SRE                           |
|----------+---------------------+----------------------------------|
|12.2IRE   |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |12.2SRE                           |
|----------+---------------------+----------------------------------|
|12.2IRF   |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |12.2SRE                           |
|----------+---------------------+----------------------------------|
|12.2IRG   |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2IRH   |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2IXA   |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2IXB   |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2IXC   |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2IXD   |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2IXE   |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2IXF   |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2IXG   |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2IXH   |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2JA    |Not vulnerable       |Not vulnerable                    |
|----------+---------------------+----------------------------------|
|12.2JK    |Not vulnerable       |Not vulnerable                    |
|----------+---------------------+----------------------------------|
|12.2MB    |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0M                             |
|----------+---------------------+----------------------------------|
|12.2MC    |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0M                             |
|----------+---------------------+----------------------------------|
|12.2MRA   |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |12.2SRE                           |
|----------+---------------------+----------------------------------|
|12.2MRB   |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2S     |Not vulnerable       |Releases prior to 12.2(30)S are   |
|          |                     |vulnerable; Releases 12.2(30)S and|
|          |                     |later are not vulnerable. First   |
|          |                     |fixed in Release 12.0S            |
|----------+---------------------+----------------------------------|
|12.2SB    |Not vulnerable       |12.2(33)SB12                      |
|----------+---------------------+----------------------------------|
|12.2SBC   |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |12.2SRE                           |
|----------+---------------------+----------------------------------|
|12.2SCA   |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |12.2SCE                           |
|----------+---------------------+----------------------------------|
|12.2SCB   |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |12.2SCE                           |
|----------+---------------------+----------------------------------|
|12.2SCC   |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |12.2SCE                           |
|----------+---------------------+----------------------------------|
|12.2SCD   |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |12.2SCE                           |
|----------+---------------------+----------------------------------|
|12.2SCE   |Not vulnerable       |12.2(33)SCE6                      |
|----------+---------------------+----------------------------------|
|12.2SCF   |Not vulnerable       |12.2(33)SCF2                      |
|----------+---------------------+----------------------------------|
|12.2SE    |12.2(55)SE5          |12.2(55)SE5 *                     |
|----------+---------------------+----------------------------------|
|12.2SEA   |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0SE                            |
|----------+---------------------+----------------------------------|
|12.2SEB   |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0SE                            |
|----------+---------------------+----------------------------------|
|12.2SEC   |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0SE                            |
|----------+---------------------+----------------------------------|
|12.2SED   |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0SE                            |
|----------+---------------------+----------------------------------|
|12.2SEE   |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0SE                            |
|----------+---------------------+----------------------------------|
|12.2SEF   |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0SE                            |
|----------+---------------------+----------------------------------|
|12.2SEG   |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0SE                            |
|----------+---------------------+----------------------------------|
|12.2SG    |Not vulnerable       |12.2(53)SG7; Available on         |
|          |                     |07-MAY-12                         |
|----------+---------------------+----------------------------------|
|12.2SGA   |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2SL    |Not vulnerable       |Not vulnerable                    |
|----------+---------------------+----------------------------------|
|12.2SM    |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2SO    |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2SQ    |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2SRA   |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |12.2SRE                           |
|----------+---------------------+----------------------------------|
|12.2SRB   |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |12.2SRE                           |
|----------+---------------------+----------------------------------|
|12.2SRC   |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |12.2SRE                           |
|----------+---------------------+----------------------------------|
|12.2SRD   |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |12.2SRE                           |
|----------+---------------------+----------------------------------|
|12.2SRE   |Not vulnerable       |12.2(33)SRE6                      |
|----------+---------------------+----------------------------------|
|12.2STE   |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2SU    |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0M                             |
|----------+---------------------+----------------------------------|
|12.2SV    |Not vulnerable       |Releases up to and including 12.2 |
|          |                     |(18)SV2 are not vulnerable.       |
|----------+---------------------+----------------------------------|
|12.2SVA   |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2SVC   |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2SVD   |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2SVE   |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2SW    |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |12.4T                             |
|----------+---------------------+----------------------------------|
|12.2SX    |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2SXA   |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2SXB   |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2SXD   |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2SXE   |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2SXF   |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2SXH   |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2SXI   |Not vulnerable       |12.2(33)SXI9                      |
|----------+---------------------+----------------------------------|
|12.2SXJ   |Not vulnerable       |12.2(33)SXJ2                      |
|----------+---------------------+----------------------------------|
|12.2SY    |Not vulnerable       |12.2(50)SY2; Available on         |
|          |                     |11-JUN-12                         |
|----------+---------------------+----------------------------------|
|12.2SZ    |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |12.0S                             |
|----------+---------------------+----------------------------------|
|12.2T     |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0M                             |
|----------+---------------------+----------------------------------|
|12.2TPC   |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2XA    |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0M                             |
|----------+---------------------+----------------------------------|
|12.2XB    |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0M                             |
|----------+---------------------+----------------------------------|
|12.2XC    |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0M                             |
|----------+---------------------+----------------------------------|
|12.2XD    |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0M                             |
|----------+---------------------+----------------------------------|
|12.2XE    |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0M                             |
|----------+---------------------+----------------------------------|
|12.2XF    |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0M                             |
|----------+---------------------+----------------------------------|
|12.2XG    |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0M                             |
|----------+---------------------+----------------------------------|
|12.2XH    |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0M                             |
|----------+---------------------+----------------------------------|
|12.2XI    |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0M                             |
|----------+---------------------+----------------------------------|
|12.2XJ    |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0M                             |
|----------+---------------------+----------------------------------|
|12.2XK    |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0M                             |
|----------+---------------------+----------------------------------|
|12.2XL    |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0M                             |
|----------+---------------------+----------------------------------|
|12.2XM    |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0M                             |
|----------+---------------------+----------------------------------|
|12.2XNA   |Please see Cisco     |Please see Cisco IOS-XE Software  |
|          |IOS-XE Software      |Availability                      |
|          |Availability         |                                  |
|----------+---------------------+----------------------------------|
|12.2XNB   |Please see Cisco     |Please see Cisco IOS-XE Software  |
|          |IOS-XE Software      |Availability                      |
|          |Availability         |                                  |
|----------+---------------------+----------------------------------|
|12.2XNC   |Please see Cisco     |Please see Cisco IOS-XE Software  |
|          |IOS-XE Software      |Availability                      |
|          |Availability         |                                  |
|----------+---------------------+----------------------------------|
|12.2XND   |Please see Cisco     |Please see Cisco IOS-XE Software  |
|          |IOS-XE Software      |Availability                      |
|          |Availability         |                                  |
|----------+---------------------+----------------------------------|
|12.2XNE   |Please see Cisco     |Please see Cisco IOS-XE Software  |
|          |IOS-XE Software      |Availability                      |
|          |Availability         |                                  |
|----------+---------------------+----------------------------------|
|12.2XNF   |Please see Cisco     |Please see Cisco IOS-XE Software  |
|          |IOS-XE Software      |Availability                      |
|          |Availability         |                                  |
|----------+---------------------+----------------------------------|
|12.2XO    |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2XQ    |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0M                             |
|----------+---------------------+----------------------------------|
|12.2XR    |Not vulnerable       |Releases prior to 12.2(15)XR are  |
|          |                     |vulnerable; Releases 12.2(15)XR   |
|          |                     |and later are not vulnerable.     |
|          |                     |First fixed in Release 15.0M      |
|----------+---------------------+----------------------------------|
|12.2XS    |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0M                             |
|----------+---------------------+----------------------------------|
|12.2XT    |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0M                             |
|----------+---------------------+----------------------------------|
|12.2XU    |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0M                             |
|----------+---------------------+----------------------------------|
|12.2XV    |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0M                             |
|----------+---------------------+----------------------------------|
|12.2XW    |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0M                             |
|----------+---------------------+----------------------------------|
|12.2YA    |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0M                             |
|----------+---------------------+----------------------------------|
|12.2YC    |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2YD    |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2YE    |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2YK    |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2YO    |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2YP    |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0M                             |
|          |                     |Releases up to and including 12.2 |
|          |                     |(8)YP are not vulnerable.         |
|----------+---------------------+----------------------------------|
|12.2YT    |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2YW    |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2YX    |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2YY    |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2YZ    |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2ZA    |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2ZB    |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2ZC    |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2ZD    |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2ZE    |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0M                             |
|----------+---------------------+----------------------------------|
|12.2ZH    |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.0M                             |
|----------+---------------------+----------------------------------|
|12.2ZJ    |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2ZP    |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2ZU    |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2ZX    |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |12.2SRE                           |
|----------+---------------------+----------------------------------|
|12.2ZY    |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|12.2ZYA   |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
| Affected |                     |   First Fixed Release for All    |
|12.3-Based| First Fixed Release |Advisories in the March 2012 Cisco|
| Releases |                     |  IOS Software Security Advisory  |
|          |                     |       Bundled Publication        |
|-------------------------------------------------------------------|
|             There are no affected 12.3 based releases             |
|-------------------------------------------------------------------|
| Affected |                     |   First Fixed Release for All    |
|12.4-Based| First Fixed Release |Advisories in the March 2012 Cisco|
| Releases |                     |  IOS Software Security Advisory  |
|          |                     |       Bundled Publication        |
|-------------------------------------------------------------------|
|             There are no affected 12.4 based releases             |
|-------------------------------------------------------------------|
| Affected |                     |   First Fixed Release for All    |
|15.0-Based| First Fixed Release |Advisories in the March 2012 Cisco|
| Releases |                     |  IOS Software Security Advisory  |
|          |                     |       Bundled Publication        |
|----------+---------------------+----------------------------------|
|15.0M     |Not vulnerable       |15.0(1)M8                         |
|----------+---------------------+----------------------------------|
|15.0MR    |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|15.0MRA   |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|15.0S     |Not vulnerable       |15.0(1)S5                         |
|          |Cisco IOS XE devices:|Cisco IOS XE devices: Please see  |
|          |Please see Cisco IOS |Cisco IOS XE Software Availability|
|          |XE Software          |                                  |
|          |Availability         |                                  |
|----------+---------------------+----------------------------------|
|15.0SA    |Not vulnerable       |Not vulnerable                    |
|----------+---------------------+----------------------------------|
|15.0SE    |15.0(1)SE1           |15.0(1)SE1                        |
|----------+---------------------+----------------------------------|
|15.0SG    |Not vulnerable       |15.0(2)SG2                        |
|          |Cisco IOS XE devices:|Cisco IOS XE devices: Please see  |
|          |Please see Cisco IOS |Cisco IOS XE Software Availability|
|          |XE Software          |                                  |
|          |Availability         |                                  |
|----------+---------------------+----------------------------------|
|15.0SY    |Not vulnerable       |15.0(1)SY1                        |
|----------+---------------------+----------------------------------|
|15.0XA    |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.1T                             |
|----------+---------------------+----------------------------------|
|15.0XO    |Cisco IOS XE devices:|Cisco IOS XE devices: Please see  |
|          |Please see Cisco     |Cisco IOS-XE Software Availability|
|          |IOS-XE Software      |                                  |
|          |Availability         |                                  |
|----------+---------------------+----------------------------------|
| Affected |                     |   First Fixed Release for All    |
|15.1-Based| First Fixed Release |Advisories in the March 2012 Cisco|
| Releases |                     |  IOS Software Security Advisory  |
|          |                     |       Bundled Publication        |
|----------+---------------------+----------------------------------|
|15.1EY    |Not vulnerable       |15.1(2)EY2                        |
|----------+---------------------+----------------------------------|
|15.1GC    |Not vulnerable       |15.1(2)GC2                        |
|----------+---------------------+----------------------------------|
|15.1M     |15.1(4)M4; Available |15.1(4)M4; Available on 30-MAR-12 |
|          |on 30-MAR-12         |                                  |
|----------+---------------------+----------------------------------|
|15.1MR    |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|15.1S     |Not vulnerable       |15.1(3)S2                         |
|          |Cisco IOS XE devices:|Cisco IOS XE devices: Please see  |
|          |Please see Cisco IOS |Cisco IOS XE Software Availability|
|          |XE Software          |                                  |
|          |Availability         |                                  |
|----------+---------------------+----------------------------------|
|15.1SG    |Not vulnerable       |Not vulnerable                    |
|          |Cisco IOS XE devices:|Cisco IOS XE devices: Please see  |
|          |Please see Cisco IOS |Cisco IOS XE Software Availability|
|          |XE Software          |                                  |
|          |Availability         |                                  |
|----------+---------------------+----------------------------------|
|15.1SNG   |Not vulnerable       |Vulnerable; contact your support  |
|          |                     |organization per the instructions |
|          |                     |in Obtaining Fixed Software       |
|          |                     |section of this advisory.         |
|----------+---------------------+----------------------------------|
|15.1SNH   |Not vulnerable       |Not vulnerable                    |
|----------+---------------------+----------------------------------|
|15.1T     |15.1(3)T3            |15.1(3)T3                         |
|----------+---------------------+----------------------------------|
|15.1XB    |Not vulnerable       |Vulnerable; First fixed in Release|
|          |                     |15.1T                             |
|----------+---------------------+----------------------------------|
| Affected |                     |   First Fixed Release for All    |
|15.2-Based| First Fixed Release |Advisories in the March 2012 Cisco|
| Releases |                     |  IOS Software Security Advisory  |
|          |                     |       Bundled Publication        |
|----------+---------------------+----------------------------------|
|15.2GC    |15.2(1)GC2           |15.2(1)GC2                        |
|----------+---------------------+----------------------------------|
|15.2S     |Not vulnerable       |15.2(1)S1                         |
|          |Cisco IOS XE devices:|Cisco IOS XE devices: Please see  |
|          |Please see Cisco IOS |Cisco IOS XE Software Availability|
|          |XE Software          |                                  |
|          |Availability         |                                  |
|----------+---------------------+----------------------------------|
|15.2T     |15.2(1)T2            |15.2(1)T2                         |
|          |15.2(2)T1            |15.2(2)T1                         |
|          |15.2(3)T; Available  |15.2(3)T; Available on 30-MAR-12  |
|          |on 30-MAR-12         |                                  |
+-------------------------------------------------------------------+

* Cisco Catalyst 3550 Series Switches support the Internet Key Exchange (IKE) feature and are vulnerable to Cisco bug ID CSCts38429 when the devices are running Layer 3 images; however, this product reached the End of Software Maintenance milestone. Cisco 3550 Series SMI Switches that are running Layer 2 images do not support IKE and are not vulnerable. No other Cisco devices that run 12.2SE-based software are vulnerable.

Cisco IOS XE Software
+--------------------

Cisco IOS XE Software is not affected by the vulnerability disclosed in this advisory.
Cisco IOS XR Software
+--------------------

Cisco IOS XR Software is not affected by any of the vulnerabilities disclosed in the March 2012 Cisco IOS Software Security Advisory Bundled Publication.

Workarounds
===========

There are no workarounds available to mitigate this vulnerability other than disabling the Smart Install feature. To disable the Smart Install feature, use the global configuration command no vstack.

Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link:

http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20120328-smartinstall

Obtaining Fixed Software
========================

Cisco has released free software updates that address the vulnerability described in this advisory. Prior to deploying software, customers are advised to consult their maintenance providers or check the software for feature set compatibility and known issues that are specific to their environments.

Customers may only install and expect support for feature sets they have purchased. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license at:

http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html

or as set forth at http://www.cisco.com/public/sw-center/sw-usingswc.shtml

Do not contact psirt at cisco.com or security-alert at cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels.
For most customers, upgrades should be obtained through the Software Center on Cisco.com at:

http://www.cisco.com

Customers Using Third-Party Support Organizations
+------------------------------------------------

Customers with Cisco products that are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers, should contact that organization for assistance with the appropriate course of action.

The effectiveness of any workaround or fix depends on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Because of the variety of affected products and releases, customers should consult their service providers or support organizations to ensure that any applied workaround or fix is the most appropriate in the intended network before it is deployed.

Customers Without Service Contracts
+----------------------------------

Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC):

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac at cisco.com

Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Customers without service contracts should request free upgrades through the TAC.

Refer to Cisco Worldwide Contacts at:

http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html

for additional TAC contact information, including localized telephone numbers, instructions, and e-mail addresses for support in various languages.
Exploitation and Public Announcements
=====================================

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

This issue was reported to Cisco by customers who discovered it during the course of security audits.

Status of This Notice: Final
+---------------------------

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco Security Intelligence Operations at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-smartinstall

Additionally, a text version of this advisory is clear signed with the Cisco PSIRT PGP key and circulated among the following e-mail addresses:

  * cust-security-announce at cisco.com
  * first-bulletins at lists.first.org
  * bugtraq at securityfocus.com
  * vulnwatch at vulnwatch.org
  * cisco at spot.colorado.edu
  * cisco-nsp at puck.nether.net
  * full-disclosure at lists.grok.org.uk

Future updates of this advisory, if any, will reside on Cisco.com but may not be announced on mailing lists. Users can monitor this advisory's URL for any updates.

Revision History
================

+---------------------------------------+
| Revision 1.0 | 2012-March-28 | Initial public release. |
+---------------------------------------+

Cisco Security Procedures
=========================

Complete information about reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco is available on Cisco.com at:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

This web page includes instructions for press inquiries regarding Cisco Security Advisories. All Cisco Security Advisories are available at:

http://www.cisco.com/go/psirt

+--------------------------------------------------------------------
Copyright 2010-2012 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)

iFcDBQFPcSThQXnnBKKRMNARCOH4AP9Wgc8t/hVLf4NZrWSE6Y64edlgu+lg7MB6
h5OtNEQTgAD/Ux8fxWyhS8HGYK17bT294K2OMuymiytT5sN/T2u/ZY8=
=6eFE
-----END PGP SIGNATURE-----

From psirt at cisco.com Wed Mar 28 12:20:57 2012
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Wed, 28 Mar 2012 12:20:57 -0400
Subject: [c-nsp] Cisco Security Advisory: Cisco IOS Software Reverse SSH Denial of Service Vulnerability
Message-ID: <201203281220058.cisco-sa-20120328-ssh@psirt.cisco.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Cisco Security Advisory: Cisco IOS Software Reverse SSH Denial of Service Vulnerability

Advisory ID: cisco-sa-20120328-ssh

Revision 1.0

For Public Release 2012 March 28 16:00 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

The Secure Shell (SSH) server implementation in Cisco IOS Software and Cisco IOS XE Software contains a denial of service (DoS) vulnerability in the SSH version 2 (SSHv2) feature. An unauthenticated, remote attacker could exploit this vulnerability by attempting a reverse SSH login with a crafted username.
Successful exploitation of this vulnerability could allow an attacker to create a DoS condition by causing the device to reload. Repeated exploits could create a sustained DoS condition.

The SSH server in Cisco IOS Software and Cisco IOS XE Software is an optional service, but its use is highly recommended as a security best practice for the management of Cisco IOS devices. Devices that are not configured to accept SSHv2 connections are not affected by this vulnerability.

Cisco has released free software updates that address this vulnerability.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-ssh

Note: The March 28, 2012, Cisco IOS Software Security Advisory bundled publication includes nine Cisco Security Advisories. Each advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all vulnerabilities in the March 2012 bundled publication.

Individual publication links are in "Cisco Event Response: Semi-Annual Cisco IOS Software Security Advisory Bundled Publication" at the following link:

http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.html

Affected Products
=================

Vulnerable Products
+------------------

Cisco devices that are running affected Cisco IOS Software or Cisco IOS XE Software versions are vulnerable when they have the SSH server enabled and allow SSHv2 logins. Only SSHv2 is affected.

To determine if SSH is enabled, use the show ip ssh command.

    Router#show ip ssh
    SSH Enabled - version 2.0
    Authentication timeout: 120 secs; Authentication retries: 3

The previous output shows that SSH is enabled on this device and that the SSH protocol major version that is being supported is 2.0.
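The two checks the advisory relies on (show ip ssh for SSH status and protocol version, show version for the running release) are easy to script across a device inventory. What follows is an added example, not code from Cisco or from this advisory: it parses constructed copies of both command outputs and flags a device for review only when the SSH server is enabled and reports protocol version 1.99 or 2.0, the two values under which SSHv2 logins are accepted. A device reporting 1.5, one with SSH disabled, or one whose image lacks the show ip ssh command altogether is classified as not exposed, which is what the advisory says. Function and variable names are my own, and a flagged device's release still has to be looked up in the fixed-release table further down.

```python
"""Triage helper for the Cisco IOS reverse SSH DoS advisory.

Added example (not Cisco's code). Classifies a device from the output of
"show ip ssh" and "show version" using the rules the advisory states.
Every sample output below is constructed, not captured from a real device.
"""
import re

# Version strings Cisco IOS reports, as listed in the advisory:
#   1.5  -> only SSH protocol version 1 (not affected)
#   1.99 -> SSHv2 with SSHv1 compatibility (affected when SSH is enabled)
#   2.0  -> only SSHv2 (affected when SSH is enabled)
SSHV2_VERSIONS = {"1.99", "2.0"}

SSH_STATUS_RE = re.compile(r"^SSH (Enabled|Disabled) - version (\d+\.\d+)", re.M)
IOS_VERSION_RE = re.compile(
    r"Cisco IOS(?: XE)? Software, .*?\((?P<image>[^)]+)\), Version (?P<release>[^,\s]+)"
)


def parse_show_ip_ssh(text):
    """Return (enabled, version) or None when the command is not available.

    The advisory states that an image without "show ip ssh" has no SSH
    server and is not vulnerable, so an IOS parser error maps to None.
    """
    m = SSH_STATUS_RE.search(text)
    if m is None:
        return None
    return (m.group(1) == "Enabled", m.group(2))


def sshv2_exposed(show_ip_ssh_text):
    """True only when the SSH server is enabled and accepts SSHv2 logins."""
    parsed = parse_show_ip_ssh(show_ip_ssh_text)
    if parsed is None:
        return False
    enabled, version = parsed
    return enabled and version in SSHV2_VERSIONS


def parse_show_version(text):
    """Return (image_name, release) from the "show version" banner, or None."""
    m = IOS_VERSION_RE.search(text)
    if m is None:
        return None
    return (m.group("image"), m.group("release"))


def triage(show_ip_ssh_text, show_version_text):
    """Combine both outputs into one record an inventory script can act on."""
    image_release = parse_show_version(show_version_text)
    return {
        "image": image_release[0] if image_release else None,
        "release": image_release[1] if image_release else None,
        "ssh": parse_show_ip_ssh(show_ip_ssh_text),
        # "review": compare the release against the advisory's fixed-release table
        "action": "review" if sshv2_exposed(show_ip_ssh_text) else "not exposed",
    }


# --- constructed sample outputs (hypothetical devices) ---
SHOW_IP_SSH_V2 = "SSH Enabled - version 2.0\nAuthentication timeout: 120 secs; Authentication retries: 3\n"
SHOW_IP_SSH_V199 = "SSH Enabled - version 1.99\nAuthentication timeout: 120 secs; Authentication retries: 3\n"
SHOW_IP_SSH_V1 = "SSH Enabled - version 1.5\nAuthentication timeout: 120 secs; Authentication retries: 3\n"
SHOW_IP_SSH_OFF = "SSH Disabled - version 1.99\nAuthentication timeout: 120 secs; Authentication retries: 3\n"
SHOW_IP_SSH_NOCMD = "% Invalid input detected at '^' marker.\n"
SHOW_VERSION = (
    "Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, "
    "RELEASE SOFTWARE (fc1)\nTechnical Support: http://www.cisco.com/techsupport\n"
)

if __name__ == "__main__":
    samples = [("v2 only", SHOW_IP_SSH_V2), ("v2 + v1 compat", SHOW_IP_SSH_V199),
               ("v1 only", SHOW_IP_SSH_V1), ("ssh disabled", SHOW_IP_SSH_OFF),
               ("no ssh in image", SHOW_IP_SSH_NOCMD)]
    for label, out in samples:
        print(label, "->", triage(out, SHOW_VERSION))
```

Only the "review" result needs a human decision; the version string alone does not say whether the running release is fixed, which is why the record carries the image and release parsed from show version.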
Possible values for the SSH protocol versions that are reported by Cisco IOS are:

  * 1.5: only SSH protocol version 1 is enabled
  * 1.99: SSH protocol version 2 with SSH protocol version 1 compatibility enabled
  * 2.0: only SSH protocol version 2 is enabled

The SSH server is not available in all IOS images. If the show ip ssh command is not available, the device is not vulnerable. Devices that do not support SSHv2 are not vulnerable.

To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to "Cisco Internetwork Operating System Software" or "Cisco IOS Software." The image name displays in parentheses, followed by "Version" and the Cisco IOS Software release name. Other Cisco devices do not have the show version command or may provide different output.

The following example identifies a Cisco product that is running Cisco IOS Software Release 15.0(1)M1 with an installed image name of C3900-UNIVERSALK9-M:

    Router> show version
    Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2009 by Cisco Systems, Inc.
    Compiled Wed 02-Dec-09 17:17 by prod_rel_team
    !--- output truncated

Additional information about Cisco IOS Software release naming conventions is available in "White Paper: Cisco IOS and NX-OS Software Reference Guide" at:

http://www.cisco.com/web/about/security/intelligence/ios-ref.html

Products Confirmed Not Vulnerable
+--------------------------------

Cisco IOS-XR is not affected by this vulnerability.

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

Secure Shell (SSH) is a protocol which provides a secure remote access connection to network devices.
The SSH server implementation in Cisco IOS Software and Cisco IOS XE Software contains a DoS vulnerability in the SSH version 2 (SSHv2) feature that could allow an unauthenticated remote attacker to cause a device to reload. An attacker could exploit this vulnerability by attempting a reverse SSH login with a crafted username. Successful exploitation of this vulnerability could allow an attacker to create a DoS condition by causing the device to reload. Repeated exploits could create a sustained DoS condition.

The SSH server in Cisco IOS Software and Cisco IOS XE Software is an optional service, but its use is highly recommended as a security best practice for management of Cisco IOS devices. SSH can be configured as part of the AutoSecure feature in the initial configuration of IOS devices, AutoSecure run after initial configuration, or manually. SSH is enabled any time RSA keys are generated, such as when an http secure-server or trust points for digital certificates are configured. Devices that are not configured to accept SSHv2 connections are not affected by this vulnerability.

A complete TCP three-way handshake is required to exploit this vulnerability. Reverse SSH traffic uses TCP port 22 by default.

This vulnerability has been documented in Cisco Bug ID CSCtr49064 and has been assigned the Common Vulnerabilities and Exposures (CVE) ID CVE-2012-0386.

Vulnerability Scoring Details
=============================

Cisco has scored the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps organizations determine the urgency and priority of a response.

Cisco has provided a base and temporal score. Customers can also compute environmental scores that help determine the impact of the vulnerability in their own networks.
Cisco has provided additional information regarding CVSS at the following link:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to compute the environmental impact for individual networks at the following link:

http://intellishield.cisco.com/security/alertmanager/cvss

* CSCtr49064 - Cisco IOS Software Reverse SSH Denial of Service

CVSS Base Score - 7.8
    Access Vector           - Network
    Access Complexity       - Low
    Authentication          - None
    Confidentiality Impact  - None
    Integrity Impact        - None
    Availability Impact     - Complete

CVSS Temporal Score - 6.4
    Exploitability          - Functional
    Remediation Level       - Official-Fix
    Report Confidence       - Confirmed

Impact
======

Successful exploitation of this vulnerability could allow an unauthenticated, remote attacker to create a DoS condition by causing the device to reload. Repeated exploits could create a sustained DoS condition.

Software Versions and Fixes
===========================

When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at:

http://www.cisco.com/go/psirt

and review subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Cisco IOS Software
+-----------------

Each row of the following Cisco IOS Software table corresponds to a Cisco IOS Software train. If a particular train is vulnerable, the earliest releases that contain the fix are listed in the First Fixed Release column.
The First Fixed Release for All Advisories in the March 2012 Bundled Publication column lists the earliest possible releases that correct all the published vulnerabilities in the Cisco IOS Software Security Advisory bundled publication. Cisco recommends upgrading to the latest available release, where possible.

The Cisco IOS Software Checker allows customers to search for Cisco Security Advisories that address specific Cisco IOS Software releases. This tool is available on the Cisco Security Intelligence Operations (SIO) portal at:

http://tools.cisco.com/security/center/selectIOSVersion.x

+-------------------------------------------------------------------+
| Major Release | Availability of Repaired Releases |
|----------+--------------------------------------------------------|
|Affected 12.0-Based Releases |First Fixed Release |First Fixed Release for All Advisories in the March 2012 Cisco IOS Software Security Advisory Bundled Publication |
|-------------------------------------------------------------------|
| There are no affected 12.0 based releases |
|-------------------------------------------------------------------|
|Affected 12.2-Based Releases |First Fixed Release |First Fixed Release for All Advisories in the March 2012 Cisco IOS Software Security Advisory Bundled Publication |
|----------+---------------------------+----------------------------|
|12.2      |Not vulnerable |Vulnerable; First fixed in Release 15.0M |
|12.2B     |Not vulnerable |Vulnerable; First fixed in Release 15.0M |
|12.2BC    |Not vulnerable |Vulnerable; First fixed in Release 15.0M |
|12.2BW    |Not vulnerable |Vulnerable; First fixed in Release 15.0M |
|12.2BX    |Not vulnerable |Vulnerable; First fixed in Release 12.2SB |
|12.2BY    |Not vulnerable |Vulnerable; First fixed in Release 15.0M |
|12.2BZ    |Not vulnerable |Vulnerable; First fixed in Release 15.0M |
|12.2CX    |Not vulnerable |Vulnerable; First fixed in Release 15.0M |
|12.2CY    |Not vulnerable |Vulnerable; First fixed in Release 15.0M |
|12.2CZ    |Not vulnerable |Vulnerable; First fixed in Release 12.0S |
|12.2DA    |Not vulnerable |Vulnerable; First fixed in Release 15.0M |
|12.2DD    |Not vulnerable |Vulnerable; First fixed in Release 15.0M |
|12.2DX    |Not vulnerable |Vulnerable; First fixed in Release 15.0M |
|12.2EU    |Not vulnerable |Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
|12.2EW    |Not vulnerable |Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
|12.2EWA   |Not vulnerable |Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
|12.2EX    |Vulnerable; First fixed in Release 15.0SE. Releases up to and including 12.2(55)EX3 are not vulnerable. |Vulnerable; First fixed in Release 15.0SE |
|12.2EY    |12.2(58)EY2 |12.2(52)EY4 |
|12.2EZ    |Not vulnerable |Vulnerable; First fixed in Release 15.0SE |
|12.2FX    |Not vulnerable |Vulnerable; First fixed in Release 15.0SE |
|12.2FY    |Not vulnerable |Vulnerable; First fixed in Release 15.0SE |
|12.2FZ    |Not vulnerable |Vulnerable; First fixed in Release 15.0SE |
|12.2IRA   |Not vulnerable |Vulnerable; First fixed in Release 12.2SRE |
|12.2IRB   |Not vulnerable |Vulnerable; First fixed in Release 12.2SRE |
|12.2IRC   |Not vulnerable |Vulnerable; First fixed in Release 12.2SRE |
|12.2IRD   |Not vulnerable |Vulnerable; First fixed in Release 12.2SRE |
|12.2IRE   |Not vulnerable |Vulnerable; First fixed in Release 12.2SRE |
|12.2IRF   |Not vulnerable |Vulnerable; First fixed in Release 12.2SRE |
|12.2IRG   |Not vulnerable |Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
|12.2IRH   |Not vulnerable |Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
|12.2IXA   |Not vulnerable |Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
|12.2IXB   |Not vulnerable |Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
|12.2IXC   |Not vulnerable |Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
|12.2IXD   |Not vulnerable |Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
|12.2IXE   |Not vulnerable |Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
|12.2IXF   |Not vulnerable |Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
|12.2IXG   |Not vulnerable |Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
|12.2IXH   |Not vulnerable |Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
|12.2JA    |Not vulnerable |Not vulnerable |
|12.2JK    |Not vulnerable |Not vulnerable |
|12.2MB    |Not vulnerable |Vulnerable; First fixed in Release 15.0M |
|12.2MC    |Not vulnerable |Vulnerable; First fixed in Release 15.0M |
|12.2MRA   |Not vulnerable |Vulnerable; First fixed in Release 12.2SRE |
|12.2MRB   |Not vulnerable |Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
|12.2S     |Not vulnerable |Releases prior to 12.2(30)S are vulnerable; Releases 12.2(30)S and later are not vulnerable. First fixed in Release 12.0S |
|12.2SB    |Not vulnerable |12.2(33)SB12 |
|12.2SBC   |Not vulnerable |Vulnerable; First fixed in Release 12.2SRE |
|12.2SCA   |Not vulnerable |Vulnerable; First fixed in Release 12.2SCE |
|12.2SCB   |Not vulnerable |Vulnerable; First fixed in Release 12.2SCE |
|12.2SCC   |Not vulnerable |Vulnerable; First fixed in Release 12.2SCE |
|12.2SCD   |Not vulnerable |Vulnerable; First fixed in Release 12.2SCE |
|12.2SCE   |Not vulnerable |12.2(33)SCE6 |
|12.2SCF   |Not vulnerable |12.2(33)SCF2 |
|12.2SE    |Vulnerable; First fixed in Release 15.0SE. Releases up to and including 12.2(58)SE1 are not vulnerable. |12.2(55)SE5 * |
| | |----------+---------------------------+----------------------------| |12.2SEA |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0SE | |----------+---------------------------+----------------------------| |12.2SEB |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0SE | |----------+---------------------------+----------------------------| |12.2SEC |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0SE | |----------+---------------------------+----------------------------| |12.2SED |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0SE | |----------+---------------------------+----------------------------| |12.2SEE |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0SE | |----------+---------------------------+----------------------------| |12.2SEF |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0SE | |----------+---------------------------+----------------------------| |12.2SEG |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0SE | |----------+---------------------------+----------------------------| |12.2SG |Not vulnerable |12.2(53)SG7; Available on | | | |07-MAY-12 | |----------+---------------------------+----------------------------| | | |Vulnerable; contact your | | | |support organization per the| |12.2SGA |Not vulnerable |instructions in Obtaining | | | |Fixed Software section of | | | |this advisory. | |----------+---------------------------+----------------------------| |12.2SL |Not vulnerable |Not vulnerable | |----------+---------------------------+----------------------------| | | |Vulnerable; contact your | | | |support organization per the| |12.2SM |Not vulnerable |instructions in Obtaining | | | |Fixed Software section of | | | |this advisory. 
|12.2SO    |Not vulnerable |Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
|12.2SQ    |Not vulnerable |Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
|12.2SRA   |Not vulnerable |Vulnerable; First fixed in Release 12.2SRE |
|12.2SRB   |Not vulnerable |Vulnerable; First fixed in Release 12.2SRE |
|12.2SRC   |Not vulnerable |Vulnerable; First fixed in Release 12.2SRE |
|12.2SRD   |Not vulnerable |Vulnerable; First fixed in Release 12.2SRE |
|12.2SRE   |Not vulnerable |12.2(33)SRE6 |
|12.2STE   |Not vulnerable |Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
|12.2SU    |Not vulnerable |Vulnerable; First fixed in Release 15.0M |
|12.2SV    |Not vulnerable |Releases up to and including 12.2(18)SV2 are not vulnerable. |
|12.2SVA   |Not vulnerable |Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
|12.2SVC   |Not vulnerable |Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
|12.2SVD   |Not vulnerable |Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
|12.2SVE   |Not vulnerable |Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
|12.2SW    |Not vulnerable |Vulnerable; First fixed in Release 12.4T |
|12.2SX    |Not vulnerable |Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
|12.2SXA   |Not vulnerable |Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
|12.2SXB   |Not vulnerable |Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
|12.2SXD   |Not vulnerable |Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
|12.2SXE   |Not vulnerable |Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
|12.2SXF   |Not vulnerable |Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
|12.2SXH   |Not vulnerable |Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
|12.2SXI   |Not vulnerable |12.2(33)SXI9 |
|12.2SXJ   |Not vulnerable |12.2(33)SXJ2 |
|12.2SY    |Not vulnerable |12.2(50)SY2; Available on 11-JUN-12 |
|12.2SZ    |Not vulnerable |Vulnerable; First fixed in Release 12.0S |
|12.2T     |Not vulnerable |Vulnerable; First fixed in Release 15.0M |
|12.2TPC   |Not vulnerable |Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| |----------+---------------------------+----------------------------| |12.2XA |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0M | |----------+---------------------------+----------------------------| |12.2XB |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0M | |----------+---------------------------+----------------------------| |12.2XC |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0M | |----------+---------------------------+----------------------------| |12.2XD |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0M | |----------+---------------------------+----------------------------| |12.2XE |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0M | |----------+---------------------------+----------------------------| |12.2XF |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0M | |----------+---------------------------+----------------------------| |12.2XG |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0M | |----------+---------------------------+----------------------------| |12.2XH |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0M | |----------+---------------------------+----------------------------| |12.2XI |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0M | |----------+---------------------------+----------------------------| |12.2XJ |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0M | |----------+---------------------------+----------------------------| |12.2XK |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0M | |----------+---------------------------+----------------------------| |12.2XL |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0M | |----------+---------------------------+----------------------------| |12.2XM |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0M | |----------+---------------------------+----------------------------| |12.2XNA |Please see Cisco IOS-XE |Please 
see Cisco IOS-XE | | |Software Availability |Software Availability | |----------+---------------------------+----------------------------| |12.2XNB |Please see Cisco IOS-XE |Please see Cisco IOS-XE | | |Software Availability |Software Availability | |----------+---------------------------+----------------------------| |12.2XNC |Please see Cisco IOS-XE |Please see Cisco IOS-XE | | |Software Availability |Software Availability | |----------+---------------------------+----------------------------| |12.2XND |Please see Cisco IOS-XE |Please see Cisco IOS-XE | | |Software Availability |Software Availability | |----------+---------------------------+----------------------------| |12.2XNE |Please see Cisco IOS-XE |Please see Cisco IOS-XE | | |Software Availability |Software Availability | |----------+---------------------------+----------------------------| |12.2XNF |Please see Cisco IOS-XE |Please see Cisco IOS-XE | | |Software Availability |Software Availability | |----------+---------------------------+----------------------------| | | |Vulnerable; contact your | | | |support organization per the| |12.2XO |Not vulnerable |instructions in Obtaining | | | |Fixed Software section of | | | |this advisory. | |----------+---------------------------+----------------------------| |12.2XQ |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0M | |----------+---------------------------+----------------------------| | | |Releases prior to 12.2(15)XR| | | |are vulnerable; Releases | |12.2XR |Not vulnerable |12.2(15)XR and later are not| | | |vulnerable. 
First fixed in | | | |Release 15.0M | |----------+---------------------------+----------------------------| |12.2XS |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0M | |----------+---------------------------+----------------------------| |12.2XT |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0M | |----------+---------------------------+----------------------------| |12.2XU |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0M | |----------+---------------------------+----------------------------| |12.2XV |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0M | |----------+---------------------------+----------------------------| |12.2XW |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0M | |----------+---------------------------+----------------------------| |12.2YA |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0M | |----------+---------------------------+----------------------------| | | |Vulnerable; contact your | | | |support organization per the| |12.2YC |Not vulnerable |instructions in Obtaining | | | |Fixed Software section of | | | |this advisory. | |----------+---------------------------+----------------------------| | | |Vulnerable; contact your | | | |support organization per the| |12.2YD |Not vulnerable |instructions in Obtaining | | | |Fixed Software section of | | | |this advisory. | |----------+---------------------------+----------------------------| | | |Vulnerable; contact your | | | |support organization per the| |12.2YE |Not vulnerable |instructions in Obtaining | | | |Fixed Software section of | | | |this advisory. | |----------+---------------------------+----------------------------| | | |Vulnerable; contact your | | | |support organization per the| |12.2YK |Not vulnerable |instructions in Obtaining | | | |Fixed Software section of | | | |this advisory. 
| |----------+---------------------------+----------------------------| | | |Vulnerable; contact your | | | |support organization per the| |12.2YO |Not vulnerable |instructions in Obtaining | | | |Fixed Software section of | | | |this advisory. | |----------+---------------------------+----------------------------| | | |Vulnerable; First fixed in | | | |Release 15.0M | |12.2YP |Not vulnerable |Releases up to and including| | | |12.2(8)YP are not | | | |vulnerable. | |----------+---------------------------+----------------------------| | | |Vulnerable; contact your | | | |support organization per the| |12.2YT |Not vulnerable |instructions in Obtaining | | | |Fixed Software section of | | | |this advisory. | |----------+---------------------------+----------------------------| | | |Vulnerable; contact your | | | |support organization per the| |12.2YW |Not vulnerable |instructions in Obtaining | | | |Fixed Software section of | | | |this advisory. | |----------+---------------------------+----------------------------| | | |Vulnerable; contact your | | | |support organization per the| |12.2YX |Not vulnerable |instructions in Obtaining | | | |Fixed Software section of | | | |this advisory. | |----------+---------------------------+----------------------------| | | |Vulnerable; contact your | | | |support organization per the| |12.2YY |Not vulnerable |instructions in Obtaining | | | |Fixed Software section of | | | |this advisory. | |----------+---------------------------+----------------------------| | | |Vulnerable; contact your | | | |support organization per the| |12.2YZ |Not vulnerable |instructions in Obtaining | | | |Fixed Software section of | | | |this advisory. | |----------+---------------------------+----------------------------| | | |Vulnerable; contact your | | | |support organization per the| |12.2ZA |Not vulnerable |instructions in Obtaining | | | |Fixed Software section of | | | |this advisory. 
| |----------+---------------------------+----------------------------| | | |Vulnerable; contact your | | | |support organization per the| |12.2ZB |Not vulnerable |instructions in Obtaining | | | |Fixed Software section of | | | |this advisory. | |----------+---------------------------+----------------------------| | | |Vulnerable; contact your | | | |support organization per the| |12.2ZC |Not vulnerable |instructions in Obtaining | | | |Fixed Software section of | | | |this advisory. | |----------+---------------------------+----------------------------| | | |Vulnerable; contact your | | | |support organization per the| |12.2ZD |Not vulnerable |instructions in Obtaining | | | |Fixed Software section of | | | |this advisory. | |----------+---------------------------+----------------------------| |12.2ZE |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0M | |----------+---------------------------+----------------------------| |12.2ZH |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0M | |----------+---------------------------+----------------------------| | | |Vulnerable; contact your | | | |support organization per the| |12.2ZJ |Not vulnerable |instructions in Obtaining | | | |Fixed Software section of | | | |this advisory. | |----------+---------------------------+----------------------------| | | |Vulnerable; contact your | | | |support organization per the| |12.2ZP |Not vulnerable |instructions in Obtaining | | | |Fixed Software section of | | | |this advisory. | |----------+---------------------------+----------------------------| | | |Vulnerable; contact your | | | |support organization per the| |12.2ZU |Not vulnerable |instructions in Obtaining | | | |Fixed Software section of | | | |this advisory. 
| |----------+---------------------------+----------------------------| |12.2ZX |Not vulnerable |Vulnerable; First fixed in | | | |Release 12.2SRE | |----------+---------------------------+----------------------------| | | |Vulnerable; contact your | | | |support organization per the| |12.2ZY |Not vulnerable |instructions in Obtaining | | | |Fixed Software section of | | | |this advisory. | |----------+---------------------------+----------------------------| | | |Vulnerable; contact your | | | |support organization per the| |12.2ZYA |Not vulnerable |instructions in Obtaining | | | |Fixed Software section of | | | |this advisory. | |----------+---------------------------+----------------------------| | Affected | |First Fixed Release for All | |12.3-Based| First Fixed Release |Advisories in the March 2012| | Releases | |Cisco IOS Software Security | | | |Advisory Bundled Publication| |-------------------------------------------------------------------| | There are no affected 12.3 based releases | |-------------------------------------------------------------------| | Affected | |First Fixed Release for All | |12.4-Based| First Fixed Release |Advisories in the March 2012| | Releases | |Cisco IOS Software Security | | | |Advisory Bundled Publication| |----------+---------------------------+----------------------------| | |Releases 12.4(13d) and |Vulnerable; First fixed in | |12.4 |prior are not vulnerable; |Release 15.0M | | |first fixed in 12.4(25f) | | |----------+---------------------------+----------------------------| | |Vulnerable; contact your |Vulnerable; contact your | | |support organization per |support organization per the| |12.4GC |the instructions in |instructions in Obtaining | | |Obtaining Fixed Software |Fixed Software section of | | |section of this advisory. |this advisory. 
| |----------+---------------------------+----------------------------| |12.4JA |12.4(23c)JA4 |12.4(23c)JA4 | | |12.4(25e)JA |12.4(25e)JA | |----------+---------------------------+----------------------------| |12.4JAX |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 12.4JA |Release 12.4JA | |----------+---------------------------+----------------------------| | |Vulnerable; contact your |Vulnerable; contact your | | |support organization per |support organization per the| |12.4JDA |the instructions in |instructions in Obtaining | | |Obtaining Fixed Software |Fixed Software section of | | |section of this advisory. |this advisory. | |----------+---------------------------+----------------------------| | |Vulnerable; contact your |Vulnerable; contact your | | |support organization per |support organization per the| |12.4JDC |the instructions in |instructions in Obtaining | | |Obtaining Fixed Software |Fixed Software section of | | |section of this advisory. |this advisory. | |----------+---------------------------+----------------------------| | |Vulnerable; contact your |Vulnerable; contact your | | |support organization per |support organization per the| |12.4JDD |the instructions in |instructions in Obtaining | | |Obtaining Fixed Software |Fixed Software section of | | |section of this advisory. |this advisory. | |----------+---------------------------+----------------------------| | |Vulnerable; contact your |Vulnerable; contact your | | |support organization per |support organization per the| |12.4JDE |the instructions in |instructions in Obtaining | | |Obtaining Fixed Software |Fixed Software section of | | |section of this advisory. |this advisory. 
| |----------+---------------------------+----------------------------| | |Vulnerable; contact your |Vulnerable; contact your | | |support organization per |support organization per the| |12.4JHA |the instructions in |instructions in Obtaining | | |Obtaining Fixed Software |Fixed Software section of | | |section of this advisory. |this advisory. | |----------+---------------------------+----------------------------| | |Vulnerable; contact your |Vulnerable; contact your | | |support organization per |support organization per the| |12.4JHB |the instructions in |instructions in Obtaining | | |Obtaining Fixed Software |Fixed Software section of | | |section of this advisory. |this advisory. | |----------+---------------------------+----------------------------| | |Vulnerable; contact your |Vulnerable; contact your | | |support organization per |support organization per the| |12.4JHC |the instructions in |instructions in Obtaining | | |Obtaining Fixed Software |Fixed Software section of | | |section of this advisory. |this advisory. | |----------+---------------------------+----------------------------| | | |Vulnerable; contact your | | | |support organization per the| |12.4JK |Not vulnerable |instructions in Obtaining | | | |Fixed Software section of | | | |this advisory. | |----------+---------------------------+----------------------------| | | |Vulnerable; contact your | | | |support organization per the| |12.4JL |Not vulnerable |instructions in Obtaining | | | |Fixed Software section of | | | |this advisory. | |----------+---------------------------+----------------------------| | |Vulnerable; First fixed in | | | |Release 12.4JA |Vulnerable; First fixed in | |12.4JX |Releases up to and |Release 12.4JA | | |including 12.4(3g)JX2 are | | | |not vulnerable. 
| | |----------+---------------------------+----------------------------| |12.4JY |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 12.4JA |Release 12.4JA | |----------+---------------------------+----------------------------| |12.4JZ |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 12.4JA |Release 12.4JA | |----------+---------------------------+----------------------------| |12.4MD |12.4(22)MD3; Available on |12.4(22)MD3; Available on | | |30-MAR-12 |30-MAR-12 | |----------+---------------------------+----------------------------| |12.4MDA |12.4(24)MDA11 |12.4(24)MDA11 | |----------+---------------------------+----------------------------| |12.4MDB |12.4(24)MDB5a |12.4(24)MDB5a | |----------+---------------------------+----------------------------| |12.4MDC |Not vulnerable |Not vulnerable | |----------+---------------------------+----------------------------| | | |Vulnerable; contact your | | |Releases up to and |support organization per the| |12.4MR |including 12.4(16)MR1 are |instructions in Obtaining | | |not vulnerable. |Fixed Software section of | | | |this advisory. | |----------+---------------------------+----------------------------| | |Vulnerable; contact your |Vulnerable; contact your | | |support organization per |support organization per the| |12.4MRA |the instructions in |instructions in Obtaining | | |Obtaining Fixed Software |Fixed Software section of | | |section of this advisory. |this advisory. 
| |----------+---------------------------+----------------------------| |12.4MRB |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 12.4T |Release 15.0M | |----------+---------------------------+----------------------------| |12.4SW |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0M | |----------+---------------------------+----------------------------| | |12.4(15)T16 |12.4(15)T17 | |12.4T |12.4(24)T6 |12.4(24)T7 | | | | | |----------+---------------------------+----------------------------| |12.4XA |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0M | |----------+---------------------------+----------------------------| |12.4XB |Not vulnerable |Vulnerable; First fixed in | | | |Release 12.4T | |----------+---------------------------+----------------------------| |12.4XC |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0M | |----------+---------------------------+----------------------------| |12.4XD |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0M | |----------+---------------------------+----------------------------| |12.4XE |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0M | |----------+---------------------------+----------------------------| |12.4XF |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0M | |----------+---------------------------+----------------------------| |12.4XG |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0M | |----------+---------------------------+----------------------------| |12.4XJ |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0M | |----------+---------------------------+----------------------------| |12.4XK |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0M | |----------+---------------------------+----------------------------| | | |Vulnerable; contact your | | | |support organization per the| |12.4XL |Not vulnerable |instructions in Obtaining | | | |Fixed Software section of | | | |this 
advisory. | |----------+---------------------------+----------------------------| |12.4XM |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0M | |----------+---------------------------+----------------------------| | | |Vulnerable; contact your | | | |support organization per the| |12.4XN |Not vulnerable |instructions in Obtaining | | | |Fixed Software section of | | | |this advisory. | |----------+---------------------------+----------------------------| | | |Vulnerable; contact your | | | |support organization per the| |12.4XP |Not vulnerable |instructions in Obtaining | | | |Fixed Software section of | | | |this advisory. | |----------+---------------------------+----------------------------| |12.4XQ |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 12.4T |Release 15.0M | |----------+---------------------------+----------------------------| |12.4XR |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 12.4T |Release 12.4T | |----------+---------------------------+----------------------------| |12.4XT |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0M | |----------+---------------------------+----------------------------| | | |Vulnerable; contact your | | | |support organization per the| |12.4XV |Not vulnerable |instructions in Obtaining | | | |Fixed Software section of | | | |this advisory. 
| |----------+---------------------------+----------------------------| |12.4XW |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0M | |----------+---------------------------+----------------------------| |12.4XY |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0M | |----------+---------------------------+----------------------------| |12.4XZ |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 12.4T |Release 15.0M | |----------+---------------------------+----------------------------| |12.4YA |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 12.4T |Release 15.0M | |----------+---------------------------+----------------------------| | |Vulnerable; contact your |Vulnerable; contact your | | |support organization per |support organization per the| |12.4YB |the instructions in |instructions in Obtaining | | |Obtaining Fixed Software |Fixed Software section of | | |section of this advisory. |this advisory. | |----------+---------------------------+----------------------------| | |Vulnerable; contact your |Vulnerable; contact your | | |support organization per |support organization per the| |12.4YD |the instructions in |instructions in Obtaining | | |Obtaining Fixed Software |Fixed Software section of | | |section of this advisory. |this advisory. 
| |----------+---------------------------+----------------------------| |12.4YE |12.4(24)YE3d |12.4(24)YE3d | |----------+---------------------------+----------------------------| |12.4YG |12.4(24)YG4 |12.4(24)YG4 | |----------+---------------------------+----------------------------| | Affected | |First Fixed Release for All | |15.0-Based| First Fixed Release |Advisories in the March 2012| | Releases | |Cisco IOS Software Security | | | |Advisory Bundled Publication| |----------+---------------------------+----------------------------| |15.0M |15.0(1)M7 |15.0(1)M8 | |----------+---------------------------+----------------------------| | |Vulnerable; contact your |Vulnerable; contact your | | |support organization per |support organization per the| |15.0MR |the instructions in |instructions in Obtaining | | |Obtaining Fixed Software |Fixed Software section of | | |section of this advisory. |this advisory. | |----------+---------------------------+----------------------------| | |Vulnerable; contact your |Vulnerable; contact your | | |support organization per |support organization per the| |15.0MRA |the instructions in |instructions in Obtaining | | |Obtaining Fixed Software |Fixed Software section of | | |section of this advisory. |this advisory. 
| |----------+---------------------------+----------------------------| | |15.0(1)S5 |15.0(1)S5 | |15.0S |Cisco IOS XE devices: |Cisco IOS XE devices: Please| | |Please see Cisco IOS XE |see Cisco IOS XE Software | | |Software Availability |Availability | |----------+---------------------------+----------------------------| |15.0SA |Not vulnerable |Not vulnerable | |----------+---------------------------+----------------------------| | |15.0(1)SE1 | | |15.0SE |15.0(2)SE; Available on |15.0(1)SE1 | | |06-AUG-12 | | |----------+---------------------------+----------------------------| | |Not vulnerable |15.0(2)SG2 | |15.0SG |Cisco IOS XE devices: |Cisco IOS XE devices: Please| | |Please see Cisco IOS-XE |see Cisco IOS-XE Software | | |Software Availability |Availability | |----------+---------------------------+----------------------------| |15.0SY |Not vulnerable |15.0(1)SY1 | |----------+---------------------------+----------------------------| |15.0XA |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 15.1T |Release 15.1T | |----------+---------------------------+----------------------------| | |Cisco IOS XE devices: |Cisco IOS XE devices: Please| |15.0XO |Please see Cisco IOS-XE |see Cisco IOS-XE Software | | |Software Availability |Availability | |----------+---------------------------+----------------------------| | Affected | |First Fixed Release for All | |15.1-Based| First Fixed Release |Advisories in the March 2012| | Releases | |Cisco IOS Software Security | | | |Advisory Bundled Publication| |----------+---------------------------+----------------------------| |15.1EY |15.1(2)EY1a |15.1(2)EY2 | |----------+---------------------------+----------------------------| |15.1GC |15.1(2)GC2 |15.1(2)GC2 | |----------+---------------------------+----------------------------| |15.1M |15.1(4)M2 |15.1(4)M4; Available on | | | |30-MAR-12 | |----------+---------------------------+----------------------------| | | |Vulnerable; contact your | | | 
|support organization per the| |15.1MR |15.1(1)MR3 |instructions in Obtaining | | | |Fixed Software section of | | | |this advisory. | |----------+---------------------------+----------------------------| | |15.1(3)S2 |15.1(3)S2 | |15.1S |Cisco IOS XE devices: |Cisco IOS XE devices: Please| | |Please see Cisco IOS XE |see Cisco IOS XE Software | | |Software Availability |Availability | |----------+---------------------------+----------------------------| | |Not vulnerable |Not vulnerable | |15.1SG |Cisco IOS XE devices: |Cisco IOS XE devices: Please| | |Please see Cisco IOS XE |see Cisco IOS XE Software | | |Software Availability |Availability | |----------+---------------------------+----------------------------| | |Vulnerable; contact your |Vulnerable; contact your | | |support organization per |support organization per the| |15.1SNG |the instructions in |instructions in Obtaining | | |Obtaining Fixed Software |Fixed Software section of | | |section of this advisory. |this advisory. | |----------+---------------------------+----------------------------| |15.1SNH |Not vulnerable |Not vulnerable | |----------+---------------------------+----------------------------| | |15.1(1)T4 | | |15.1T |15.1(2)T5; Available on |15.1(3)T3 | | |27-APR-12 | | | |15.1(3)T3 | | |----------+---------------------------+----------------------------| |15.1XB |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 15.1T |Release 15.1T | |----------+---------------------------+----------------------------| | Affected | |First Fixed Release for All | |15.2-Based| First Fixed Release |Advisories in the March 2012| | Releases | |Cisco IOS Software Security | | | |Advisory Bundled Publication| |----------+---------------------------+----------------------------| |15.2GC |15.2(1)GC1 |15.2(1)GC2 | |----------+---------------------------+----------------------------| | |Not vulnerable |15.2(1)S1 | | |Cisco IOS XE devices: |Cisco IOS XE devices: Please| |15.2S |Please see Cisco IOS 
XE |see Cisco IOS XE Software | | |Software Availability |Availability | | | | | |----------+---------------------------+----------------------------| | |15.2(1)T2 |15.2(1)T2 | |15.2T |15.2(2)T |15.2(2)T1 | | |15.2(2)T1 |15.2(3)T; Available on | | | |30-MAR-12 | +-------------------------------------------------------------------+ * Cisco Catalyst 3550 Series Switches support the Internet Key Exchange (IKE) feature and are vulnerable to Cisco bug ID CSCts38429 when the devices are running Layer 3 images; however, this product reached the End of Software Maintenance milestone. Cisco 3550 Series SMI Switches that are running Layer 2 images do not support IKE and are not vulnerable. No other Cisco devices that run 12.2SE-based software are vulnerable. Cisco IOS XE Software +-------------------- Cisco IOS XE Software is affected by the vulnerability that is disclosed in this document. +---------------------------------------+ | | | First Fixed | | | | Release for | | | | All | | Cisco | | Advisories | | IOS XE | First Fixed | in the March | | Software | Release | 2012 Cisco | | Release | | IOS Software | | | | Security | | | | Advisory | | | | Bundled | | | | Publication | |----------+-------------+--------------| | | | Vulnerable; | | 2.1.x | Not | migrate to | | | vulnerable | 3.4.2S or | | | | later. | |----------+-------------+--------------| | | | Vulnerable; | | 2.2.x | Not | migrate to | | | vulnerable | 3.4.2S or | | | | later. | |----------+-------------+--------------| | | Vulnerable; | Vulnerable; | | 2.3.x | migrate to | migrate to | | | 3.4.2S or | 3.4.2S or | | | later. | later. | |----------+-------------+--------------| | | Vulnerable; | Vulnerable; | | 2.4.x | migrate to | migrate to | | | 3.4.2S or | 3.4.2S or | | | later. | later. | |----------+-------------+--------------| | | Vulnerable; | Vulnerable; | | 2.5.x | migrate to | migrate to | | | 3.4.2S or | 3.4.2S or | | | later. | later. 
| |----------+-------------+--------------| | | Vulnerable; | Vulnerable; | | 2.6.x | migrate to | migrate to | | | 3.4.2S or | 3.4.2S or | | | later. | later. | |----------+-------------+--------------| | | Vulnerable; | Vulnerable; | | 3.1.xS | migrate to | migrate to | | | 3.4.2S or | 3.4.2S or | | | later. | later. | |----------+-------------+--------------| | | | Vulnerable; | | 3.2.xSG | Not | migrate to | | | Vulnerable | 3.2.2SG or | | | | later. | |----------+-------------+--------------| | | Vulnerable; | Vulnerable; | | 3.2.xS | migrate to | migrate to | | | 3.4.2S or | 3.4.2S or | | | later. | later. | |----------+-------------+--------------| | 3.2.xSG | Not | 3.2.2SG | | | Vulnerable | | |----------+-------------+--------------| | | Vulnerable; | Vulnerable; | | 3.3.xS | migrate to | migrate to | | | 3.4.2S or | 3.4.2S or | | | later. | later. | |----------+-------------+--------------| | 3.3.xSG | Not | Not | | | Vulnerable | Vulnerable | |----------+-------------+--------------| | 3.4.xS | 3.4.2S | 3.4.2S | |----------+-------------+--------------| | 3.5.xS | Not | 3.5.1S | | | vulnerable | | |----------+-------------+--------------| | 3.6.xS | Not | Not | | | vulnerable | vulnerable | +---------------------------------------+ For a mapping of Cisco IOS XE Software releases to Cisco IOS Software releases, refer to Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S Release Notes, and Cisco IOS XE 3SG Release Notes. Cisco IOS XR Software +-------------------- Cisco IOS XR Software is not affected by any of the vulnerabilities disclosed in the March 2012 Cisco IOS Software Security Advisory Bundled Publication. Workarounds =========== If disabling the IOS SSH Server is not feasible, the following workarounds may be useful to some customers in their environments. 
SSH version 1
+------------

This vulnerability only affects SSHv2, so it can be temporarily mitigated by applying the "ip ssh version 1" global configuration command until a software update can be completed. Customers should be aware of the limitations and vulnerabilities of the SSH version 1 protocol before applying this workaround.

vty Access Class
+---------------

It is possible to limit the exposure of the Cisco device by applying a vty access class to allow only known, trusted hosts to connect to the device via SSH. For more information on restricting traffic to a vty, please consult:

http://www.cisco.com/en/US/docs/ios/12_2/ipaddr/command/reference/1rfip1.html#wp1017389

The following example permits access to the vty lines from the 192.168.1.0/24 netblock and the single IP address 172.16.1.2 while denying access from anywhere else:

Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Router(config)# access-list 1 permit host 172.16.1.2
Router(config)# line vty 0 4
Router(config-line)# access-class 1 in

Different Cisco platforms support a different number of terminal lines. Check your device's configuration to determine the correct number of terminal lines for your platform.

Infrastructure Access Control Lists
+----------------------------------

Although it is often difficult to block traffic transiting your network, it is possible to identify traffic that should never be allowed to target your infrastructure devices and block that traffic at the border of your network. Infrastructure access control lists (iACLs) are considered a network security best practice and should be considered as a long-term addition to good network security as well as a workaround for this specific vulnerability. The ACL example shown below should be included as part of the deployed infrastructure access-list, which will protect all devices with IP addresses in the infrastructure IP address range.
A sample access list for devices running Cisco IOS is below:

!--- Permit SSH services from trusted hosts destined
!--- to infrastructure addresses.

access-list 150 permit tcp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 22

!--- Deny SSH packets from all other sources destined to infrastructure addresses.

access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES MASK eq 22

!--- Permit all other traffic to transit the device.

access-list 150 permit ip any any

interface serial 2/0
 ip access-group 150 in

The white paper titled "Protecting Your Core: Infrastructure Protection Access Control Lists" presents guidelines and recommended deployment techniques for infrastructure protection access lists. This white paper is located at:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml

Control Plane Policing
+---------------------

The Control Plane Policing (CoPP) feature may be used to mitigate these vulnerabilities. In the following example, only SSH traffic from trusted hosts with receive destination IP addresses is permitted to reach the route processor (RP).

Note: Dropping traffic from unknown or untrusted IP addresses may prevent hosts with dynamically assigned IP addresses from connecting to the Cisco IOS device.

access-list 152 deny tcp TRUSTED_ADDRESSES MASK any eq 22
access-list 152 permit tcp any any eq 22
!
class-map match-all COPP-KNOWN-UNDESIRABLE
 match access-group 152
!
policy-map COPP-INPUT-POLICY
 class COPP-KNOWN-UNDESIRABLE
  drop
!
control-plane
 service-policy input COPP-INPUT-POLICY

In the above CoPP example, the ACL entries that match the exploit packets with the permit action result in these packets being discarded by the policy-map drop function, while packets that match the deny action are not affected by the policy-map drop function.
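The vty access-class workaround above only helps if every vty range on the device carries it, and the advisory notes that the number of terminal lines varies by platform. The following audit script is an added example, not part of the Cisco advisory: it parses the text of a running configuration (the sample config embedded below is constructed for illustration), lists every "line vty" stanza that still accepts SSH without an inbound access-class, and reports whether "ip ssh version" has been pinned.

```python
"""Audit a Cisco IOS running-config for the SSH workarounds in this advisory.

Added example (not Cisco's code). It reads the text of `show running-config`,
finds each `line vty A B` stanza and flags those that accept SSH but have no
`access-class <acl> in`; it also reports the configured `ip ssh version`.
The SAMPLE_CONFIG below is a constructed, minimal config for demonstration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the first vty range has the access-class from the
# advisory applied, but the second range (present on many platforms) was
# overlooked and still accepts SSH from anywhere.
SAMPLE_CONFIG = """\
!
hostname edge-rtr1
!
ip ssh version 2
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit host 172.16.1.2
!
line con 0
line vty 0 4
 access-class 1 in
 transport input ssh
line vty 5 15
 transport input ssh telnet
!
end
"""


@dataclass
class VtyBlock:
    first: int
    last: int
    access_class: Optional[str] = None
    transports: List[str] = field(default_factory=list)

    @property
    def accepts_ssh(self) -> bool:
        # With no explicit `transport input`, IOS accepts every protocol.
        return (not self.transports
                or "ssh" in self.transports
                or "all" in self.transports)


def parse_vty_blocks(config: str) -> List[VtyBlock]:
    """Return one VtyBlock per `line vty A [B]` stanza in the config text."""
    blocks: List[VtyBlock] = []
    current: Optional[VtyBlock] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^line vty (\d+)(?: (\d+))?$", line)
        if m:
            first = int(m.group(1))
            last = int(m.group(2)) if m.group(2) else first
            current = VtyBlock(first, last)
            blocks.append(current)
            continue
        if not line.startswith(" "):
            current = None  # any unindented line ends the stanza
            continue
        if current is None:
            continue
        body = line.strip()
        m = re.match(r"^access-class (\S+) in$", body)
        if m:
            current.access_class = m.group(1)
        m = re.match(r"^transport input (.+)$", body)
        if m:
            current.transports = m.group(1).split()
    return blocks


def ssh_version(config: str) -> Optional[int]:
    """Configured `ip ssh version`, or None when both versions are accepted."""
    m = re.search(r"^ip ssh version ([12])$", config, re.MULTILINE)
    return int(m.group(1)) if m else None


def unprotected_vty_ranges(config: str) -> List[Tuple[int, int]]:
    """vty ranges that accept SSH but carry no inbound access-class."""
    return [(b.first, b.last) for b in parse_vty_blocks(config)
            if b.accepts_ssh and b.access_class is None]


def audit(config: str) -> dict:
    """Summarise the workaround state for one device's configuration."""
    gaps = unprotected_vty_ranges(config)
    return {
        "ssh_version": ssh_version(config),
        "unprotected_vty": gaps,
        "vty_workaround_complete": not gaps,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Feed the script the saved output of "show running-config" from each device; an empty unprotected_vty list means every SSH-capable vty range is covered by an access-class.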
Additional information on the configuration and use of the CoPP feature can be found at the following URL:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper0900aecd804fa16a.html

Obtaining Fixed Software
========================

Cisco has released free software updates that address the vulnerability described in this advisory. Prior to deploying software, customers are advised to consult their maintenance providers or check the software for feature set compatibility and known issues that are specific to their environments.

Customers may only install and expect support for feature sets they have purchased. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license at:

http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html

or as set forth at http://www.cisco.com/public/sw-center/sw-usingswc.shtml

Do not contact psirt at cisco.com or security-alert at cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, upgrades should be obtained through the Software Center on Cisco.com at:

http://www.cisco.com

Customers Using Third-Party Support Organizations
+------------------------------------------------

Customers with Cisco products that are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers, should contact that organization for assistance with the appropriate course of action.

The effectiveness of any workaround or fix depends on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission.
Because of the variety of affected products and releases, customers should consult their service providers or support organizations to ensure that any applied workaround or fix is the most appropriate in the intended network before it is deployed.

Customers Without Service Contracts
+----------------------------------

Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC):

* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac at cisco.com

Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Customers without service contracts should request free upgrades through the TAC.

Refer to Cisco Worldwide Contacts at:

http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html

for additional TAC contact information, including localized telephone numbers, instructions, and e-mail addresses for support in various languages.

Exploitation and Public Announcements
=====================================

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

This vulnerability was reported to Cisco by a customer.

Status of This Notice: Final
+---------------------------

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco Security Intelligence Operations at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-ssh

Additionally, a text version of this advisory is clear signed with the Cisco PSIRT PGP key and circulated among the following e-mail addresses:

* cust-security-announce at cisco.com
* first-bulletins at lists.first.org
* bugtraq at securityfocus.com
* vulnwatch at vulnwatch.org
* cisco at spot.colorado.edu
* cisco-nsp at puck.nether.net
* full-disclosure at lists.grok.org.uk

Future updates of this advisory, if any, will reside on Cisco.com but may not be announced on mailing lists. Users can monitor this advisory's URL for any updates.

Revision History
================

+----------+---------------+------------------------+
| Revision | Date          | Change                 |
+----------+---------------+------------------------+
| 1.0      | 2012-March-28 | Initial public release |
+----------+---------------+------------------------+

Cisco Security Procedures
=========================

Complete information about reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco is available on Cisco.com at:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

This web page includes instructions for press inquiries regarding Cisco Security Advisories. All Cisco Security Advisories are available at:

http://www.cisco.com/go/psirt

+--------------------------------------------------------------------
Copyright 2010-2012 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------

From psirt at cisco.com Wed Mar 28 12:20:57 2012
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Wed, 28 Mar 2012 12:20:57 -0400
Subject: [c-nsp] Cisco Security Advisory: Cisco IOS Software Zone-Based Firewall Vulnerabilities
Message-ID: <201203281220058.cisco-sa-20120328-zbfw@psirt.cisco.com>

Cisco Security Advisory: Cisco IOS Software Zone-Based Firewall Vulnerabilities

Advisory ID: cisco-sa-20120328-zbfw

Revision 1.0

For Public Release 2012 March 28 16:00 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Cisco IOS Software contains four vulnerabilities related to Cisco IOS Zone-Based Firewall features. These vulnerabilities are as follows:

* Memory Leak Associated with Crafted IP Packets
* Memory Leak in HTTP Inspection
* Memory Leak in H.323 Inspection
* Memory Leak in SIP Inspection

Workarounds that mitigate these vulnerabilities are not available.

Cisco has released free software updates that address these vulnerabilities.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-zbfw

Note: The March 28, 2012, Cisco IOS Software Security Advisory bundled publication includes nine Cisco Security Advisories. Each advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all vulnerabilities in the March 2012 bundled publication.
Individual publication links are in "Cisco Event Response: Semi-Annual Cisco IOS Software Security Advisory Bundled Publication" at the following link:

http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.html

Affected Products
=================

Vulnerable Products
+------------------

Cisco IOS devices running vulnerable versions of Cisco IOS Software are affected by four vulnerabilities in the Cisco IOS Zone-Based Firewall. The vulnerabilities are independent of each other. Details to confirm affected configurations are provided below.

To determine whether a device is configured with Zone-Based Firewall, log in to the device and issue the show zone security command-line interface (CLI) command. If the output shows a member interface under a zone name, the device is vulnerable. The following example shows a device with Zone-Based Firewall rules configured on both GigabitEthernet0/0 and GigabitEthernet0/1:

    Router#show zone security
    zone self
      Description: System defined zone
    zone inside
      Description: *** Inside Network ***
      Member Interfaces:
        GigabitEthernet0/0
    zone outside
      Description: *** Outside Network ***
      Member Interfaces:
        GigabitEthernet0/1
    Router#

The following sections provide more details on the specific features containing the vulnerabilities.

Memory Leak Associated with Crafted IP Packets
+---------------------------------------------

There is no specific configuration necessary for a device to be vulnerable to the memory leak associated with crafted IP packets. If the Zone-Based Firewall is configured, the device is vulnerable.

Memory Leak in HTTP Inspection
+-----------------------------

For the device to be vulnerable to the memory leak associated with HTTP inspection, the Zone-Based Firewall must be configured to perform HTTP inspection. To determine whether a device is configured for HTTP inspection, enter the command show policy-map type inspect zone-pair | include Match: protocol http.
The following example shows a vulnerable device configured with Cisco IOS Zone-Based Policy Firewall HTTP inspection:

    Router#show policy-map type inspect zone-pair | include Match: protocol http
          Match: protocol http

Memory Leak in H.323 Inspection
+------------------------------

For a device to be vulnerable to the memory leak associated with H.323 inspection, the Zone-Based Firewall must be configured to perform H.323 inspection. To determine if a device is configured for H.323 inspection, enter the command show policy-map type inspect zone-pair | include Match: protocol h323. If the output contains "Match: protocol h323", the device is vulnerable. The following example shows a vulnerable device configured with Cisco IOS Zone-Based Policy Firewall H.323 inspection:

    Router# show policy-map type inspect zone-pair | include Match: protocol h323
          Match: protocol h323

Memory Leak in SIP Inspection
+----------------------------

The device is vulnerable if the configuration has either a Layer 4 or Layer 7 Session Initiation Protocol (SIP) application-specific policy configured, and the policy is applied to any firewall zone. To determine whether a device is configured for SIP inspection, enter the command show policy-map type inspect zone-pair | include Match: protocol sip. If the output contains "Match: protocol sip", the device is vulnerable. The following example shows a vulnerable device configured with Cisco IOS Zone-Based Policy Firewall SIP inspection:

    Router# show policy-map type inspect zone-pair | include Match: protocol sip
          Match: protocol sip

To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to "Cisco Internetwork Operating System Software" or "Cisco IOS Software."
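As an added example (not part of the advisory and not Cisco's code), the following Python script applies the four configuration checks above to constructed show command output, and also tallies rows of the show memory debug leaks chunks output that the Memory Leak Detection section below uses to confirm a leak; the policy-map and class-map names in the sample output are made up.

```python
"""Added example, not Cisco's code: apply the advisory's Zone-Based Firewall
exposure checks and tally 'show memory debug leaks chunks' rows. All command
output below is constructed to resemble the advisory's examples."""
import re

SHOW_ZONE_SECURITY = """\
zone self
  Description: System defined zone
zone inside
  Description: *** Inside Network ***
  Member Interfaces:
    GigabitEthernet0/0
zone outside
  Description: *** Outside Network ***
  Member Interfaces:
    GigabitEthernet0/1
"""

# Constructed, unfiltered 'show policy-map type inspect zone-pair' output;
# the policy-map and class-map names are made up.
SHOW_POLICY_MAP_INSPECT = """\
policy-map type inspect IN-TO-OUT
  class-map match-any WEB-AND-VOICE
    Match: protocol http
    Match: protocol sip
  class-map class-default
"""

# Constructed 'show memory debug leaks chunks' output: the first data row is
# the one printed in the advisory, the second is invented to show aggregation.
SHOW_MEMORY_LEAKS = """\
Adding blocks for GD...
I/O memory
 Address  Size Alloc_pc PID Alloc-Proc Name
Chunk Elements:
 AllocPC  Address  Size Parent Name
Processor memory
 Address  Size Alloc_pc PID Alloc-Proc Name
 4733113C 188  419CB164 129 IP Input FW h225 tpkt
 47331200 188  419CB164 129 IP Input FW h225 tpkt
"""

# Bug IDs and CVE IDs from the advisory, keyed by the inspected protocol.
INSPECTION_BUGS = {
    "http": ("CSCtq36153", "CVE-2012-0387"),
    "h323": ("CSCtq45553", "CVE-2012-0388"),
    "sip": ("CSCti46171", "CVE-2012-1315"),
}
CRAFTED_IP_BUG = ("CSCto89536", "CVE-2012-1310")


def zones_with_members(show_zone_output):
    """Zone name -> member interfaces, for zones that have at least one.
    Per the advisory, such a zone means the Zone-Based Firewall is in use."""
    zones, current, in_members = {}, None, False
    for line in show_zone_output.splitlines():
        m = re.match(r"^zone\s+(\S+)", line)
        if m:
            current, in_members = m.group(1), False
            zones.setdefault(current, [])
        elif "Member Interfaces:" in line:
            in_members = True
        elif in_members and current and line.strip():
            zones[current].append(line.strip())
    return {z: ifs for z, ifs in zones.items() if ifs}


def inspected_protocols(show_policy_output):
    """Protocols named in 'Match: protocol <name>' lines of inspect policies."""
    return set(re.findall(r"Match:\s+protocol\s+(\S+)", show_policy_output))


def zbfw_exposure(show_zone_output, show_policy_output):
    """Return {bug ID: CVE ID} for the advisory's bugs this configuration exposes."""
    if not zones_with_members(show_zone_output):
        return {}  # no Zone-Based Firewall: none of the four bugs apply
    exposed = {CRAFTED_IP_BUG[0]: CRAFTED_IP_BUG[1]}  # needs no extra config
    for proto in inspected_protocols(show_policy_output):
        if proto in INSPECTION_BUGS:
            bug, cve = INSPECTION_BUGS[proto]
            exposed[bug] = cve
    return exposed


def leaked_bytes_by_allocator(show_mem_output):
    """Sum leaked block sizes per 'Alloc-Proc Name' text. Process and block
    names may both contain spaces, so the row tail is kept as one key."""
    row = re.compile(r"^\s*[0-9A-F]{8}\s+(\d+)\s+[0-9A-F]{8}\s+\d+\s+(.+?)\s*$")
    totals = {}
    for line in show_mem_output.splitlines():
        m = row.match(line)
        if m:
            totals[m.group(2)] = totals.get(m.group(2), 0) + int(m.group(1))
    return totals


if __name__ == "__main__":
    print(zbfw_exposure(SHOW_ZONE_SECURITY, SHOW_POLICY_MAP_INSPECT))
    print(leaked_bytes_by_allocator(SHOW_MEMORY_LEAKS))
```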
The image name displays in parentheses, followed by "Version" and the Cisco IOS Software release name. Other Cisco devices do not have the show version command or may provide different output.

The following example identifies a Cisco product that is running Cisco IOS Software Release 15.0(1)M1 with an installed image name of C3900-UNIVERSALK9-M:

    Router> show version
    Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2009 by Cisco Systems, Inc.
    Compiled Wed 02-Dec-09 17:17 by prod_rel_team
    !--- output truncated

Additional information about Cisco IOS Software release naming conventions is available in "White Paper: Cisco IOS and NX-OS Software Reference Guide" at http://www.cisco.com/web/about/security/intelligence/ios-ref.html.

Products Confirmed Not Vulnerable
+--------------------------------

The following products are confirmed not vulnerable:

* Cisco PIX 500 Series Firewall
* Cisco ASA 5500 Series Adaptive Security Appliance
* Firewall Services Module (FWSM) for Catalyst 6500 Series Switches and 7600 Series Routers
* Virtual Firewall (VFW) application on the multiservice blade (MSB) on the Cisco XR 12000 Series Router
* Cisco ACE Application Control Engine Module
* Cisco IOS devices configured with legacy Cisco IOS Firewall support
* Cisco IOS XR Software
* Cisco IOS XE Software
* Cisco Catalyst 6500 Series ASA Services Module
* Context-Based Access Control (CBAC)

No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

Firewalls are networking devices that control access to the network assets of an organization. Firewalls are often positioned at the entrance points of networks. Cisco IOS Software provides a set of security features that allow the configuration of a firewall policy to match an organization's requirements.
The vulnerabilities described in this advisory affect the Zone-Based Firewall feature.

The Zone-Based Policy Firewall (also known as Zone-Policy Firewall or ZFW) updates the firewall configuration from the older interface-based model to a more flexible, more easily understood zone-based model. Interfaces are assigned to zones, and inspection policy is applied to traffic moving between the zones. Inter-zone policies offer considerable flexibility and granularity, so different inspection policies can be applied to multiple host groups connected to the same router interface.

More information on the Zone-Based Firewall is available at:

http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a008060f6dd.html

Memory Leak Associated with Crafted IP Packets
+---------------------------------------------

A vulnerability exists in the Zone-Based Firewall implementation in Cisco IOS Software that could allow a remote attacker to cause an affected device to reload or to trigger memory leaks that may result in system instabilities. This vulnerability is triggered when the device that is running Cisco IOS Software processes crafted IP packets. Only traffic destined to an IP address configured on the device can trigger the vulnerability; transit traffic is not an exploit vector.

This vulnerability is documented in Cisco bug ID CSCto89536 and has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2012-1310.

Memory Leak in HTTP Inspection
+-----------------------------

The HTTP Inspection Engine feature allows users to configure their Cisco IOS Firewall to detect and filter HTTP connections (such as tunneling over port 80, unauthorized request methods, and non-HTTP-compliant file transfers) that are not authorized within the scope of the security policy configuration.
A vulnerability exists in the implementation of the Cisco IOS Software HTTP inspection feature that could allow a remote attacker to cause an affected device to reload or to trigger memory leaks that may result in system instabilities. This vulnerability is triggered when the device that is running Cisco IOS Software processes certain HTTP messages. Transit HTTP traffic is an exploit vector.

This vulnerability is documented in Cisco bug ID CSCtq36153 and has been assigned CVE ID CVE-2012-0387.

More information on HTTP inspection is available at:

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_fwapc.html

Memory Leak in H.323 Inspection
+------------------------------

H.323 is the ITU standard for real-time multimedia communications and conferencing over packet-based (IP) networks.

A vulnerability exists in the implementation of the Cisco IOS Software H.323 inspection feature that could allow a remote attacker to cause an affected device to reload or to trigger memory leaks that may result in system instabilities. This vulnerability is triggered when the device that is running Cisco IOS Software processes malformed H.323 messages. Transit H.323 traffic is an exploit vector.

This vulnerability is documented in Cisco bug ID CSCtq45553 and has been assigned the CVE ID CVE-2012-0388.

More information on H.323 inspection is available at:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/15-2mt/fw-h323-v3v4-sup.html

Memory Leak in SIP Inspection
+----------------------------

SIP is a popular signaling protocol that is used to manage voice and video calls across IP networks, such as the Internet. SIP is responsible for handling all aspects of call setup and termination. Voice and video are the most popular types of sessions that SIP handles, but the protocol has the flexibility to accommodate other applications that require call setup and termination.
SIP call signaling can use UDP (port 5060), TCP (port 5060), or Transport Layer Security (TLS; TCP port 5061) as the underlying transport protocol.

A vulnerability exists in the implementation of the Cisco IOS SIP inspection feature that could allow a remote attacker to cause an affected device to reload or to trigger memory leaks that may result in system instabilities. This vulnerability is triggered when the device that is running Cisco IOS Software processes crafted SIP messages. Transit SIP traffic is an exploit vector.

This vulnerability is documented in Cisco bug ID CSCti46171 and has been assigned CVE ID CVE-2012-1315.

More information on SIP inspection is available at:

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_sip_alg_aic.html

Memory Leak Detection
+--------------------

Detected memory leaks can be viewed using the command show memory debug leaks chunks in privileged EXEC mode, as shown in the following example:

    Router# show memory debug leaks chunks
    Adding blocks for GD...
    I/O memory
     Address  Size Alloc_pc PID Alloc-Proc Name
    Chunk Elements:
     AllocPC  Address  Size Parent Name
    Processor memory
     Address  Size Alloc_pc PID Alloc-Proc Name
     4733113C 188  419CB164 129 IP Input FW h225 tpkt

The previous example shows a memory leak in the process FW h225 tpkt.

The show memory debug leaks command was introduced in Cisco IOS Software versions 12.3(8)T1 and 12.2(25)S.

Caution: All show memory debug commands must be used on customer networks only to diagnose the router for memory leaks when memory depletion is observed. These commands may cause high CPU utilization and may cause time-sensitive protocols to flap. These commands are recommended to be used in maintenance windows.

Vulnerability Scoring Details
=============================

Cisco has scored the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS).
The CVSS scoring in this security advisory is in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps organizations determine the urgency and priority of a response.

Cisco has provided a base and temporal score. Customers can also compute environmental scores that help determine the impact of the vulnerability in their own networks.

Cisco has provided additional information regarding CVSS at the following link:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to compute the environmental impact for individual networks at the following link:

http://intellishield.cisco.com/security/alertmanager/cvss

* Memory Leak associated with crafted IP packets

  CVSS Base Score - 7.8
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - None
    Integrity Impact - None
    Availability Impact - Complete

  CVSS Temporal Score - 6.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

* Memory Leak in HTTP inspection

  CVSS Base Score - 7.8
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - None
    Integrity Impact - None
    Availability Impact - Complete

  CVSS Temporal Score - 6.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

* Memory Leak in H.323 inspection

  CVSS Base Score - 7.8
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - None
    Integrity Impact - None
    Availability Impact - Complete

  CVSS Temporal Score - 6.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

* Memory Leak in SIP Inspection

  CVSS Base Score - 7.8
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - None
    Integrity Impact - None
    Availability Impact - Complete

  CVSS Temporal Score - 6.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

Impact
======

Successful exploitation of these vulnerabilities may result in a reload of the affected device. Repeated exploit attempts may result in a sustained denial of service (DoS) attack.

Software Versions and Fixes
===========================

When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at:

http://www.cisco.com/go/psirt

and review subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Cisco IOS Software
+-----------------

Each row of the following Cisco IOS Software table corresponds to a Cisco IOS Software train. If a particular train is vulnerable, the earliest releases that contain the fix are listed in the First Fixed Release column. The First Fixed Release for All Advisories in the March 2012 Bundled Publication column lists the earliest possible releases that correct all the published vulnerabilities in the Cisco IOS Software Security Advisory bundled publication. Cisco recommends upgrading to the latest available release, where possible.

The Cisco IOS Software Checker allows customers to search for Cisco Security Advisories that address specific Cisco IOS Software releases.
This tool is available on the Cisco Security Intelligence Operations (SIO) portal at:

http://tools.cisco.com/security/center/selectIOSVersion.x

Major Release | Availability of Repaired Releases

Affected 12.0-Based Releases | First Fixed Release | First Fixed Release for All Advisories in the March 2012 Cisco IOS Software Security Advisory Bundled Publication
-----------------------------+---------------------+--------------------------------------------------------------------------------------------------------------------
There are no affected 12.0 based releases.

Affected 12.2-Based Releases | First Fixed Release | First Fixed Release for All Advisories in the March 2012 Cisco IOS Software Security Advisory Bundled Publication
-----------------------------+---------------------+--------------------------------------------------------------------------------------------------------------------
There are no affected 12.2 based releases.

Affected 12.3-Based Releases | First Fixed Release | First Fixed Release for All Advisories in the March 2012 Cisco IOS Software Security Advisory Bundled Publication
-----------------------------+---------------------+--------------------------------------------------------------------------------------------------------------------
There are no affected 12.3 based releases.

Affected 12.4-Based Releases | First Fixed Release | First Fixed Release for All Advisories in the March 2012 Cisco IOS Software Security Advisory Bundled Publication
-----------------------------+---------------------+--------------------------------------------------------------------------------------------------------------------
12.4    | Not vulnerable | Vulnerable; First fixed in Release 15.0M
12.4GC  | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory.
12.4JA  | Not vulnerable | 12.4(23c)JA4; 12.4(25e)JA
12.4JAX | Not vulnerable | Vulnerable; First fixed in Release 12.4JA
12.4JDA | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory.
12.4JDC | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory.
12.4JDD | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory.
12.4JDE | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory.
12.4JHA | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory.
12.4JHB | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory.
12.4JHC | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory.
12.4JK  | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory.
12.4JL  | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory.
12.4JX  | Not vulnerable | Vulnerable; First fixed in Release 12.4JA
12.4JY  | Not vulnerable | Vulnerable; First fixed in Release 12.4JA
12.4JZ  | Not vulnerable | Vulnerable; First fixed in Release 12.4JA
12.4MD  | 12.4(22)MD3; Available on 30-MAR-12 | 12.4(22)MD3; Available on 30-MAR-12
12.4MDA | 12.4(24)MDA11 | 12.4(24)MDA11
12.4MDB | 12.4(24)MDB5a | 12.4(24)MDB5a
12.4MDC | Not vulnerable | Not vulnerable
12.4MR  | Releases up to and including 12.4(19)MR3 are not vulnerable. | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory.
12.4MRA | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory.
12.4MRB | Vulnerable; First fixed in Release 15.0M | Vulnerable; First fixed in Release 15.0M
12.4SW  | Not vulnerable | Vulnerable; First fixed in Release 15.0M
12.4T   | 12.4(24)T7; Releases up to and including 12.4(15)T17 are not vulnerable. | 12.4(15)T17; 12.4(24)T7
12.4XA  | Not vulnerable | Vulnerable; First fixed in Release 15.0M
12.4XB  | Not vulnerable | Vulnerable; First fixed in Release 12.4T
12.4XC  | Not vulnerable | Vulnerable; First fixed in Release 15.0M
12.4XD  | Not vulnerable | Vulnerable; First fixed in Release 15.0M
12.4XE  | Not vulnerable | Vulnerable; First fixed in Release 15.0M
12.4XF  | Not vulnerable | Vulnerable; First fixed in Release 15.0M
12.4XG  | Not vulnerable | Vulnerable; First fixed in Release 15.0M
12.4XJ  | Not vulnerable | Vulnerable; First fixed in Release 15.0M
12.4XK  | Not vulnerable | Vulnerable; First fixed in Release 15.0M
12.4XL  | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory.
12.4XM  | Not vulnerable | Vulnerable; First fixed in Release 15.0M
12.4XN  | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory.
12.4XP  | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory.
12.4XQ  | Not vulnerable | Vulnerable; First fixed in Release 15.0M
12.4XR  | Vulnerable; First fixed in Release 12.4T. Releases up to and including 12.4(15)XR10 are not vulnerable. | Vulnerable; First fixed in Release 12.4T
12.4XT  | Not vulnerable | Vulnerable; First fixed in Release 15.0M
12.4XV  | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory.
12.4XW  | Not vulnerable | Vulnerable; First fixed in Release 15.0M
12.4XY  | Not vulnerable | Vulnerable; First fixed in Release 15.0M
12.4XZ  | Vulnerable; First fixed in Release 15.0M | Vulnerable; First fixed in Release 15.0M
12.4YA  | Vulnerable; First fixed in Release 15.0M | Vulnerable; First fixed in Release 15.0M
12.4YB  | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory.
12.4YD  | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory.
12.4YE  | 12.4(24)YE3d | 12.4(24)YE3d
12.4YG  | 12.4(24)YG4 | 12.4(24)YG4

Affected 15.0-Based Releases | First Fixed Release | First Fixed Release for All Advisories in the March 2012 Cisco IOS Software Security Advisory Bundled Publication
-----------------------------+---------------------+--------------------------------------------------------------------------------------------------------------------
15.0M   | 15.0(1)M8 | 15.0(1)M8
15.0MR  | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory.
15.0MRA | Not vulnerable | Vulnerable; contact your support organization per the instructions in the Obtaining Fixed Software section of this advisory.
| |------------+--------------+--------------| | | | 15.0(1)S5 | | | | Cisco IOS XE | | | Not | devices: | | 15.0S | vulnerable | Please see | | | | Cisco IOS XE | | | | Software | | | | Availability | |------------+--------------+--------------| | 15.0SA | Not | Not | | | vulnerable | vulnerable | |------------+--------------+--------------| | 15.0SE | Not | 15.0(1)SE1 | | | vulnerable | | |------------+--------------+--------------| | | | 15.0(2)SG2 | | | | Cisco IOS XE | | | Not | devices: | | 15.0SG | vulnerable | Please see | | | | Cisco IOS XE | | | | Software | | | | Availability | |------------+--------------+--------------| | 15.0SY | Not | 15.0(1)SY1 | | | vulnerable | | |------------+--------------+--------------| | | Vulnerable; | Vulnerable; | | 15.0XA | First fixed | First fixed | | | in Release | in Release | | | 15.1T | 15.1T | |------------+--------------+--------------| | | | Vulnerable; | | | | First fixed | | | | in Release | | | | 15.0SG Cisco | | 15.0XO | Not | IOS XE | | | vulnerable | devices: | | | | Please see | | | | Cisco IOS XE | | | | Software | | | | Availability | |------------+--------------+--------------| | | | First Fixed | | | | Release for | | | | All | | | | Advisories | | Affected | First Fixed | in the March | | 15.1-Based | Release | 2012 Cisco | | Releases | | IOS Software | | | | Security | | | | Advisory | | | | Bundled | | | | Publication | |------------+--------------+--------------| | 15.1EY | Not | 15.1(2)EY2 | | | vulnerable | | |------------+--------------+--------------| | 15.1GC | 15.1(2)GC2 | 15.1(2)GC2 | |------------+--------------+--------------| | | 15.1(4)M3 | 15.1(4)M4; | | 15.1M | | Available on | | | | 30-MAR-12 | |------------+--------------+--------------| | | | Vulnerable; | | | | contact your | | | | support | | | | organization | | | | per the | | 15.1MR | Not | instructions | | | vulnerable | in Obtaining | | | | Fixed | | | | Software | | | | section of | | | | this | | | | advisory. 
| |------------+--------------+--------------| | | | 15.1(3)S2 | | | | Cisco IOS XE | | | Not | devices: | | 15.1S | vulnerable | Please see | | | | Cisco IOS XE | | | | Software | | | | Availability | |------------+--------------+--------------| | 15.1SG | Not | Not | | | vulnerable | vulnerable | |------------+--------------+--------------| | | | Vulnerable; | | | | contact your | | | | support | | | | organization | | | | per the | | 15.1SNG | Not | instructions | | | vulnerable | in Obtaining | | | | Fixed | | | | Software | | | | section of | | | | this | | | | advisory. | |------------+--------------+--------------| | 15.1SNH | Not | Not | | | vulnerable | vulnerable | |------------+--------------+--------------| | 15.1T | 15.1(3)T3 | 15.1(3)T3 | |------------+--------------+--------------| | | Vulnerable; | Vulnerable; | | 15.1XB | First fixed | First fixed | | | in Release | in Release | | | 15.1T | 15.1T | |------------+--------------+--------------| | | | First Fixed | | | | Release for | | | | All | | | | Advisories | | Affected | First Fixed | in the March | | 15.2-Based | Release | 2012 Cisco | | Releases | | IOS Software | | | | Security | | | | Advisory | | | | Bundled | | | | Publication | |------------+--------------+--------------| | 15.2GC | 15.2(1)GC2 | 15.2(1)GC2 | |------------+--------------+--------------| | | | 15.2(1)S1 | | | | Cisco IOS XE | | | | devices: | | 15.2S | Not | Please see | | | vulnerable | Cisco IOS XE | | | | Software | | | | Availability | | | | | |------------+--------------+--------------| | | | 15.2(1)T2 | | | 15.2(1)T2 | 15.2(2)T1 | | 15.2T | 15.2(2)T | 15.2(3)T; | | | 15.2(2)T1 | Available on | | | | 30-MAR-12 | +------------------------------------------+ * Cisco Catalyst 3550 Series Switches support the Internet Key Exchange (IKE) feature and are vulnerable to Cisco bug ID CSCts38429 when the devices are running Layer 3 images; however, this product reached the End of Software Maintenance milestone. 
Cisco 3550 Series SMI Switches that are running Layer 2 images do not support IKE and are not vulnerable. No other Cisco devices that run 12.2SE-based software are vulnerable.

Cisco IOS XE Software
+--------------------

Cisco IOS XE Software is not affected by the vulnerabilities that are disclosed in this document.

For a mapping of Cisco IOS XE Software releases to Cisco IOS Software releases, refer to Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S Release Notes, and Cisco IOS XE 3SG Release Notes.

Cisco IOS XR Software
+--------------------

Cisco IOS XR Software is not affected by any of the vulnerabilities disclosed in the March 2012 Cisco IOS Software Security Advisory Bundled Publication.

Workarounds
===========

There are no workarounds that mitigate the vulnerabilities described in this advisory.

Obtaining Fixed Software
========================

Cisco has released free software updates that address the vulnerabilities described in this advisory. Prior to deploying software, customers are advised to consult their maintenance providers or check the software for feature set compatibility and known issues that are specific to their environments.

Customers may only install and expect support for feature sets they have purchased. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license at:

http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html

or as set forth at:

http://www.cisco.com/public/sw-center/sw-usingswc.shtml

Do not contact psirt at cisco.com or security-alert at cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, upgrades should be obtained through the Software Center on Cisco.com at:

http://www.cisco.com

Customers Using Third-Party Support Organizations
+------------------------------------------------

Customers with Cisco products that are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers, should contact that organization for assistance with the appropriate course of action.

The effectiveness of any workaround or fix depends on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Because of the variety of affected products and releases, customers should consult their service providers or support organizations to ensure that any applied workaround or fix is the most appropriate in the intended network before it is deployed.

Customers Without Service Contracts
+----------------------------------

Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC):

* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac at cisco.com

Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Customers without service contracts should request free upgrades through the TAC.

Refer to Cisco Worldwide Contacts at:

http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html

for additional TAC contact information, including localized telephone numbers, instructions, and e-mail addresses for support in various languages.

Exploitation and Public Announcements
=====================================

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.

These vulnerabilities were discovered by Cisco during normal internal security testing.

Status of This Notice: Final
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco Security Intelligence Operations at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-zbfw

Additionally, a text version of this advisory is clear signed with the Cisco PSIRT PGP key and circulated among the following e-mail addresses:

* cust-security-announce at cisco.com
* first-bulletins at lists.first.org
* bugtraq at securityfocus.com
* vulnwatch at vulnwatch.org
* cisco at spot.colorado.edu
* cisco-nsp at puck.nether.net
* full-disclosure at lists.grok.org.uk

Future updates of this advisory, if any, will reside on Cisco.com but may not be announced on mailing lists. Users can monitor this advisory's URL for any updates.

Revision History
================

+------------------------------------------------------------+
| Revision 1.0 | 2012-March-28 | Initial public release       |
+------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information about reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco is available on Cisco.com at:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

This web page includes instructions for press inquiries regarding Cisco Security Advisories. All Cisco Security Advisories are available at:

http://www.cisco.com/go/psirt

+--------------------------------------------------------------------
Copyright 2010-2012 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)

iFcDBQFPcSUMQXnnBKKRMNARCA3iAP48lwmrPR8E6Wi6CVHpEpqoDUnfuHJA/e4E
tz+jl1voLwD+NNC2Y5SFONTzfed+n4Ib3cxVLPAwafgVDlr+HhITJgc=
=Na2V
-----END PGP SIGNATURE-----

From psirt at cisco.com Wed Mar 28 12:20:57 2012
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Wed, 28 Mar 2012 12:20:57 -0400
Subject: [c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco IOS Software Traffic Optimization Features
Message-ID: <201203281220058.cisco-sa-20120328-mace@psirt.cisco.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Cisco Security Advisory: Multiple Vulnerabilities in Cisco IOS Software Traffic Optimization Features

Advisory ID: cisco-sa-20120328-mace

Revision 1.0

For Public Release 2012 March 28 16:00 UTC (GMT)

+--------------------------------------------------------------------

Summary
=======

Cisco IOS Software contains a denial of service (DoS) vulnerability in the Wide Area Application Services (WAAS) Express feature that could allow an unauthenticated, remote attacker
to cause the router to leak memory or to reload.

Cisco IOS Software also contains a DoS vulnerability in the Measurement, Aggregation, and Correlation Engine (MACE) feature that could allow an unauthenticated, remote attacker to cause the router to reload.

An attacker could exploit these vulnerabilities by sending transit traffic through a router configured with WAAS Express or MACE. Successful exploitation of these vulnerabilities could allow an unauthenticated, remote attacker to cause the router to leak memory or to reload. Repeated exploits could allow a sustained DoS condition.

Cisco has released free software updates that address these vulnerabilities.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-mace

Note: The March 28, 2012, Cisco IOS Software Security Advisory bundled publication includes nine Cisco Security Advisories. Each advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all vulnerabilities in the March 2012 bundled publication.

Individual publication links are in "Cisco Event Response: Semi-Annual Cisco IOS Software Security Advisory Bundled Publication" at the following link:

http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.html

Affected Products
=================

Vulnerable Products
+------------------

Cisco devices that are running Cisco IOS Software are vulnerable when they are configured with the "mace enable" or "waas enable" interface configuration commands on one or more interfaces. Additional configuration is required for WAAS Express or MACE to be configured; more details follow.

Note: Cisco IOS Software is vulnerable only when configured for WAAS Express or MACE. Cisco IOS Software configured for WAAS, not WAAS Express, is not vulnerable.

For more information on WAAS Express, see http://www.cisco.com/en/US/products/ps11211/index.html. For more information about MACE, see http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps11709/ps11671/guide_c07-664643.html.

To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the "show version" command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to "Cisco Internetwork Operating System Software" or "Cisco IOS Software." The image name displays in parentheses, followed by "Version" and the Cisco IOS Software release name. Other Cisco devices do not have the "show version" command or may provide different output.

The following example identifies a Cisco product that is running Cisco IOS Software Release 15.0(1)M1 with an installed image name of C3900-UNIVERSALK9-M:

    Router> show version
    Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2009 by Cisco Systems, Inc.
    Compiled Wed 02-Dec-09 17:17 by prod_rel_team

    !--- output truncated

Additional information about Cisco IOS Software release naming conventions is available in "White Paper: Cisco IOS and NX-OS Software Reference Guide" at http://www.cisco.com/web/about/security/intelligence/ios-ref.html.

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

The Cisco Wide Area Application Services (WAAS) Express feature allows optimization of the WAN bandwidth required to access centrally located applications. WAAS Express allows the traffic to be optimized by a Cisco Integrated Services Router (ISR G2), with no other devices required.
The Cisco Measurement, Aggregation, and Correlation Engine (MACE) is a Cisco IOS feature that is used for measurement and analysis of network traffic. The feature may be used with WAAS Express to give details of optimized traffic or used by itself to help measure application performance.

Cisco IOS Software contains a DoS vulnerability in the WAAS Express feature that could allow an unauthenticated, remote attacker to cause the router to leak memory or to reload. This vulnerability is documented in Cisco bug ID CSCtt45381 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2012-1314.

Cisco IOS Software contains a DoS vulnerability in the MACE feature that could allow an unauthenticated, remote attacker to cause the router to reload. This vulnerability is documented in Cisco bug IDs CSCtq64987 and CSCtu57226 and has been assigned CVE ID CVE-2012-1312.

An attacker could exploit these vulnerabilities by sending transit traffic through a router configured with WAAS Express or MACE. Successful exploitation of these vulnerabilities could allow an unauthenticated, remote attacker to cause the router to leak memory or to reload. Repeated exploits could allow a sustained DoS condition.

A configuration similar to one or more of the following configuration excerpts will exist if WAAS Express or MACE is configured on the router. In the excerpts, <interface> stands for the interface name, which was lost from the archived copy.

The following example shows a partial WAAS Express configuration:

    parameter-map type waas waas_global
     tfo optimize full

    class-map type waas match-any HTTP
     match tcp destination port 80
    class-map type waas match-any NNTP
     match tcp destination port 119
    ...

    policy-map type waas waas_global
     class HTTP
      optimize tfo dre lz application Web
     class NNTP
      optimize tfo dre lz application Email-and-Messaging
    ...

    interface <interface>
     waas enable

The following example shows a partial MACE configuration with WAAS Express already configured as shown in the preceding excerpt:

    flow record type mace my-flow-record
     collect art all

    flow exporter my-flow-exporter
     export-protocol netflow-v9
     destination 10.101.200.1

    flow monitor type mace my-flow-monitor
     record my-flow-record
     exporter my-flow-exporter

    mace monitor waas all my-flow-monitor

    interface <interface>
     mace enable

The following example shows a partial MACE configuration without WAAS Express:

    flow record type mace mace-flow-record
     collect datalink mac source address input
     collect ipv4 dscp
     collect interface input
     collect interface output
     collect application name
     collect waas all

    flow exporter flow-exporter1
     destination 10.101.200.1
     source <interface>
     output-features
     transport udp 32001

    flow monitor type mace mace-flow-monitor1
     record mace-flow-record
     exporter flow-exporter1

    class-map type waas match-any HTTP
     match tcp destination port 80
     match tcp destination port 8080
    ...

    policy-map type mace mace_global
     class HTTP
      flow monitor mace-flow-monitor1
    ...

    interface <interface>
     mace enable

Vulnerability Scoring Details
=============================

Cisco has scored the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps organizations determine the urgency and priority of a response.

Cisco has provided a base and temporal score. Customers can also compute environmental scores that help determine the impact of the vulnerability in their own networks.
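As an added example, not part of the Cisco advisory, the following Python script checks a device against the two things this advisory ties exposure to: the release string from "show version" (parsed the way the Vulnerable Products section describes) and the "waas enable" / "mace enable" interface commands in the running configuration. The "show version" banner and running config embedded in it are constructed samples modelled on the excerpts above; the train-name helper (15.1(4)M3 to 15.1M) is an assumption of this example, added so the result can be looked up in the fixed-release table that follows.

```python
"""Added example (not Cisco's code): flag a Cisco IOS device that matches the
WAAS Express / MACE conditions named in advisory cisco-sa-20120328-mace.
The banner and running-config below are constructed samples."""
import re

# Constructed sample banner, in the shape the advisory describes.
SHOW_VERSION = """\
Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.1(4)M3, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
"""

# Constructed sample running-config, modelled on the advisory's MACE excerpt.
# GigabitEthernet0/0 carries both feature commands; the other interface does not.
RUNNING_CONFIG = """\
hostname branch-rtr
!
flow monitor type mace mace-flow-monitor1
 record mace-flow-record
 exporter flow-exporter1
!
policy-map type mace mace_global
 class HTTP
  flow monitor mace-flow-monitor1
!
interface GigabitEthernet0/0
 description WAN uplink
 ip address 192.0.2.1 255.255.255.0
 mace enable
 waas enable
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
!
"""

# "Cisco IOS Software, <platform> Software (<image>), Version <release>, ..."
BANNER_RE = re.compile(
    r"Cisco IOS Software, .*?\((?P<image>[^)]+)\), Version (?P<release>[^,\s]+),"
)
# Assumed train derivation: "15.1(4)M3" -> "15.1M", "12.4(24)YE3d" -> "12.4YE"
TRAIN_RE = re.compile(r"^(\d+\.\d+)\(\d+\)([A-Z]+)")

FEATURE_COMMANDS = ("waas enable", "mace enable")


def parse_show_version(text):
    """Return (image_name, release) from the banner line, or None if absent."""
    m = BANNER_RE.search(text)
    return (m.group("image"), m.group("release")) if m else None


def train_of(release):
    """Map a release string to its train name, the row key of the fix table."""
    m = TRAIN_RE.match(release)
    return m.group(1) + m.group(2) if m else None


def find_feature_interfaces(config):
    """Return {interface: [commands]} for interfaces with waas/mace enable.

    IOS nests interface sub-commands under 'interface X' with a leading
    space; any non-indented line ends the stanza."""
    hits = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif not line.startswith(" "):
            current = None
        elif current and line.strip() in FEATURE_COMMANDS:
            hits.setdefault(current, []).append(line.strip())
    return hits


def assess(show_version, config):
    """Combine both checks. 'exposed' follows the advisory's condition:
    the feature command is present on at least one interface."""
    banner = parse_show_version(show_version)
    image, release = banner if banner else (None, None)
    hits = find_feature_interfaces(config)
    return {
        "image": image,
        "release": release,
        "train": train_of(release) if release else None,
        "interfaces": hits,
        "exposed": bool(hits),
    }


if __name__ == "__main__":
    result = assess(SHOW_VERSION, RUNNING_CONFIG)
    print(f"release {result['release']} (train {result['train']}), image {result['image']}")
    for intf, cmds in result["interfaces"].items():
        print(f"  {intf}: {', '.join(cmds)}")
    print("exposed:", result["exposed"])
```

With the sample input the script reports train 15.1M on GigabitEthernet0/0, which the table below lists as first fixed in 15.1(4)M4.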
Cisco has provided additional information regarding CVSS at the following link:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to compute the environmental impact for individual networks at the following link:

http://intellishield.cisco.com/security/alertmanager/cvss

* CSCtt45381

CVSS Base Score - 7.8
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - None
    Integrity Impact - None
    Availability Impact - Complete

CVSS Temporal Score - 6.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

* CSCtq64987 and CSCtu57226

CVSS Base Score - 7.1
    Access Vector - Network
    Access Complexity - Medium
    Authentication - None
    Confidentiality Impact - None
    Integrity Impact - None
    Availability Impact - Complete

CVSS Temporal Score - 5.9
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

Impact
======

Successful exploitation of these vulnerabilities could allow an unauthenticated, remote attacker to cause the router to leak memory or to reload. Repeated exploits could allow a sustained DoS condition.

Software Versions and Fixes
===========================

When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Cisco IOS Software
+-----------------

Each row of the following Cisco IOS Software table corresponds to a Cisco IOS Software train.
If a particular train is vulnerable, the earliest releases that contain the fix are listed in the First Fixed Release column. The First Fixed Release for All Advisories in the March 2012 Bundled Publication column lists the earliest possible releases that correct all the published vulnerabilities in the Cisco IOS Software Security Advisory bundled publication. Cisco recommends upgrading to the latest available release, where possible.

The Cisco IOS Software Checker allows customers to search for Cisco Security Advisories that address specific Cisco IOS Software releases. This tool is available on the Cisco Security Intelligence Operations (SIO) portal at:

http://tools.cisco.com/security/center/selectIOSVersion.x

+---------------------------------------------------------------------------------------------------------------------------------------------------+
| Major Release                | Availability of Repaired Releases                                                                                  |
|------------------------------+---------------------+------------------------------------------------------------------------------------------------------------------|
| Affected 12.0-Based Releases | First Fixed Release | First Fixed Release for All Advisories in the March 2012 Cisco IOS Software Security Advisory Bundled Publication |
|------------------------------+---------------------+------------------------------------------------------------------------------------------------------------------|
| There are no affected 12.0 based releases |
|------------------------------+---------------------+------------------------------------------------------------------------------------------------------------------|
| Affected 12.2-Based Releases | First Fixed Release | First Fixed Release for All Advisories in the March 2012 Cisco IOS Software Security Advisory Bundled Publication |
|------------------------------+---------------------+------------------------------------------------------------------------------------------------------------------|
| There are no affected 12.2 based releases |
|------------------------------+---------------------+------------------------------------------------------------------------------------------------------------------|
| Affected 12.3-Based Releases | First Fixed Release | First Fixed Release for All Advisories in the March 2012 Cisco IOS Software Security Advisory Bundled Publication |
|------------------------------+---------------------+------------------------------------------------------------------------------------------------------------------|
| There are no affected 12.3 based releases |
|------------------------------+---------------------+------------------------------------------------------------------------------------------------------------------|
| Affected 12.4-Based Releases | First Fixed Release | First Fixed Release for All Advisories in the March 2012 Cisco IOS Software Security Advisory Bundled Publication |
|------------------------------+---------------------+------------------------------------------------------------------------------------------------------------------|
| There are no affected 12.4 based releases |
|------------------------------+---------------------+------------------------------------------------------------------------------------------------------------------|
| Affected 15.0-Based Releases | First Fixed Release | First Fixed Release for All Advisories in the March 2012 Cisco IOS Software Security Advisory Bundled Publication |
|------------------------------+---------------------+------------------------------------------------------------------------------------------------------------------|
| There are no affected 15.0 based releases |
|------------------------------+---------------------+------------------------------------------------------------------------------------------------------------------|
| Affected 15.1-Based Releases | First Fixed Release | First Fixed Release for All Advisories in the March 2012 Cisco IOS Software Security Advisory Bundled Publication |
|------------------------------+---------------------+------------------------------------------------------------------------------------------------------------------|
| 15.1EY  | Not vulnerable | 15.1(2)EY2 |
| 15.1GC  | Not vulnerable | 15.1(2)GC2 |
| 15.1M   | 15.1(4)M4; Available on 30-MAR-12 | 15.1(4)M4; Available on 30-MAR-12 |
| 15.1MR  | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 15.1S   | Cisco IOS XE devices: Please see Cisco IOS XE Software Availability | Cisco IOS XE devices: Please see Cisco IOS XE Software Availability |
| 15.1SG  | Cisco IOS XE devices: Please see Cisco IOS XE Software Availability | Cisco IOS XE devices: Please see Cisco IOS XE Software Availability |
| 15.1SNG | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 15.1SNH | Not vulnerable | Not vulnerable |
| 15.1T   | Not vulnerable | 15.1(3)T3 |
| 15.1XB  | Not vulnerable | Vulnerable; First fixed in Release 15.1T |
|------------------------------+---------------------+------------------------------------------------------------------------------------------------------------------|
| Affected 15.2-Based Releases | First Fixed Release | First Fixed Release for All Advisories in the March 2012 Cisco IOS Software Security Advisory Bundled Publication |
|------------------------------+---------------------+------------------------------------------------------------------------------------------------------------------|
| 15.2GC  | 15.2(1)GC2 | 15.2(1)GC2 |
| 15.2S   | Not vulnerable | 15.2(1)S1 |
| 15.2T   | 15.2(1)T2, 15.2(2)T1, 15.2(3)T; Available on 30-MAR-12 | 15.2(1)T2, 15.2(2)T1, 15.2(3)T; Available on 30-MAR-12 |
+---------------------------------------------------------------------------------------------------------------------------------------------------+

For a mapping of Cisco IOS XE Software releases to Cisco IOS Software releases, refer to Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S Release Notes, and Cisco IOS XE 3SG Release Notes.
Cisco IOS XE Software +-------------------- Cisco IOS XE Software is not affected by the vulnerabilities that are disclosed in this document. Cisco IOS XR Software +-------------------- Cisco IOS XR Software is not affected by any of the vulnerabilities disclosed in the March 2012 Cisco IOS Software Security Advisory Bundled Publication. Workarounds =========== There are no workarounds for these vulnerabilities. There is no Applied Mitigation Bulletin (AMB) for this advisory. Obtaining Fixed Software ======================== Cisco has released free software updates that address the vulnerabilities described in this advisory. Prior to deploying software, customers are advised to consult their maintenance providers or check the software for feature set compatibility and known issues that are specific to their environments. Customers may only install and expect support for feature sets they have purchased. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as set forth at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt at cisco.com or security-alert at cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, upgrades should be obtained through the Software Center on Cisco.com at http://www.cisco.com. Customers Using Third-Party Support Organizations +------------------------------------------------ Customers with Cisco products that are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers, should contact that organization for assistance with the appropriate course of action. 
The effectiveness of any workaround or fix depends on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Because of the variety of affected products and releases, customers should consult their service providers or support organizations to ensure that any applied workaround or fix is the most appropriate in the intended network before it is deployed. Customers Without Service Contracts +---------------------------------- Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC): * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac at cisco.com Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Customers without service contracts should request free upgrades through the TAC. Refer to Cisco Worldwide Contacts at http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, instructions, and e-mail addresses for support in various languages. Exploitation and Public Announcements ===================================== The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory. These vulnerabilities were initially found by Cisco during internal testing. Status of This Notice: Final ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. 
YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco Security Intelligence Operations at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-mace

Additionally, a text version of this advisory is clear signed with the Cisco PSIRT PGP key and circulated among the following e-mail addresses:

  * cust-security-announce at cisco.com
  * first-bulletins at lists.first.org
  * bugtraq at securityfocus.com
  * vulnwatch at vulnwatch.org
  * cisco at spot.colorado.edu
  * cisco-nsp at puck.nether.net
  * full-disclosure at lists.grok.org.uk

Future updates of this advisory, if any, will reside on Cisco.com but may not be announced on mailing lists. Users can monitor this advisory's URL for any updates.

Revision History
================

+------------------------------------------------------------+
| Revision 1.0 | 2012-March-28 | Initial public release       |
+------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information about reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco is available on Cisco.com at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This web page includes instructions for press inquiries regarding Cisco Security Advisories. All Cisco Security Advisories are available at http://www.cisco.com/go/psirt.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iF4EAREIAAYFAk9yeDQACgkQQXnnBKKRMND8JAD+LwCEQ/3I15qyaV2fGjOXnBBP
oqdlu1PkfePXe5OeMaoA/iUbaiXx3glDNbmziQwcm+fVu2RAJ1HvZzyh0mjz9vOn
=BPrU
-----END PGP SIGNATURE-----

From psirt at cisco.com Wed Mar 28 12:20:57 2012
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Wed, 28 Mar 2012 12:20:57 -0400
Subject: [c-nsp] Cisco Security Advisory: Cisco IOS Internet Key Exchange Vulnerability
Message-ID: <201203281220058.cisco-sa-20120328-ike@psirt.cisco.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Cisco Security Advisory: Cisco IOS Internet Key Exchange Vulnerability

Advisory ID: cisco-sa-20120328-ike

Revision 1.0

For Public Release 2012 March 28 16:00 UTC (GMT)

+--------------------------------------------------------------------

Summary
=======

The Cisco IOS Software Internet Key Exchange (IKE) feature contains a denial of service (DoS) vulnerability.

Cisco has released free software updates that address this vulnerability.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-ike

Note: The March 28, 2012, Cisco IOS Software Security Advisory bundled publication includes nine Cisco Security Advisories. Each advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all vulnerabilities in the March 2012 bundled publication.

Individual publication links are in "Cisco Event Response: Semi-Annual Cisco IOS Software Security Advisory Bundled Publication" at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.html

Affected Products
=================

Vulnerable Products
+------------------

Cisco devices that are running Cisco IOS Software are vulnerable when they are configured to use IKE version 1 (IKEv1).
A number of features use IKEv1, including different Virtual Private Networks (VPN) such as:

  * LAN-to-LAN VPN
  * Remote access VPN (excluding SSLVPN)
  * Dynamic Multipoint VPN (DMVPN)
  * Group Domain of Interpretation (GDOI)

There are two methods to determine if a device is configured for IKE:

  * Determine if IKE ports are open on a running device
  * Determine if IKE features are included in the device configuration

Determine if IKE Ports are Open on a Running Device
+--------------------------------------------------

The preferred method to determine if a device has been configured for IKE is to issue the "show ip sockets" or "show udp" exec command. If the device has UDP port 500, UDP port 4500, UDP port 848, or UDP port 4848 open, it is processing IKE packets.

In the following example, the device is processing IKE packets on UDP port 500 and UDP port 4500, using either IPv4 or IPv6:

    router# show udp
    Proto    Remote      Port      Local       Port  In Out  Stat TTY OutputIF
     17    --listen--          192.168.130.21   500   0   0 1001011   0
     17(v6) --listen--          UNKNOWN         500   0   0 1020011   0
     17    --listen--          192.168.130.21  4500   0   0 1001011   0
     17(v6) --listen--          UNKNOWN        4500   0   0 1020011   0
    !--- Output truncated
    router#

Determine if IKE Features are Included in the Device Configuration
+-----------------------------------------------------------------

To determine if a Cisco IOS device configuration is vulnerable, the administrator needs to establish whether there is at least one configured feature that uses IKE. This can be achieved by using the "show run | include crypto map|tunnel protection ipsec|crypto gdoi" enable mode command. If the output of this command contains crypto map, tunnel protection ipsec, or crypto gdoi, then the device contains an IKE configuration.
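The two checks described above (IKE UDP ports in "show udp", IKE features in the filtered running configuration), together with parsing of the release string from the "show version" banner covered in the next subsection, as an added Python triage script; this is not part of the advisory or Cisco's tooling, the sample outputs are constructed for the example, and the "show udp" column layout is assumed to match the advisory's excerpt.

```python
"""Triage a Cisco IOS device for IKEv1 exposure (CSCts38429 / CVE-2012-0381)
from captured CLI output, applying the advisory's two checks: IKE UDP
ports open in "show udp" and IKE features in the filtered running config.
It also pulls the release string out of the "show version" banner so the
result can be matched against the fixed-release table.

Added example, not Cisco's code. The sample outputs are constructed for
the example; the "show udp" column layout is assumed to match the
advisory's excerpt (Proto, Remote, Port, Local, Port, ...).
"""
import re

# UDP ports the advisory lists for IKE
IKE_UDP_PORTS = {500: "IKE", 4500: "IKE NAT-T", 848: "GDOI", 4848: "GDOI NAT-T"}

# Lines the advisory's "show run | include" filter is looking for
IKE_CONFIG_RE = re.compile(r"^\s*(crypto map|tunnel protection ipsec|crypto gdoi)\b")

# "Version 15.0(1)M1," in the show version banner
VERSION_RE = re.compile(r"\bVersion\s+([0-9]+\.[0-9]+\([0-9]+[a-z]?\)[A-Za-z0-9]*)")
# 12.2(33)SRE6 -> major 12.2 + train letters SRE = "12.2SRE"
TRAIN_RE = re.compile(r"^([0-9]+\.[0-9]+)\([0-9]+[a-z]?\)([A-Z]*)")


def ike_sockets(show_udp):
    """Return (family, local address, port, label) for each UDP socket in
    'show udp' output bound to one of the IKE ports."""
    found = []
    for line in show_udp.splitlines():
        tok = line.split()
        # data rows start with protocol number 17 (UDP), "17(v6)" for IPv6
        if len(tok) < 5 or not tok[0].startswith("17"):
            continue
        if tok[1] == "--listen--":   # listening socket: no remote port column
            local, port = tok[2], tok[3]
        else:                        # connected socket: remote, rport, local, lport
            local, port = tok[3], tok[4]
        if not port.isdigit() or int(port) not in IKE_UDP_PORTS:
            continue
        family = "IPv6" if "(v6)" in tok[0] else "IPv4"
        found.append((family, local, int(port), IKE_UDP_PORTS[int(port)]))
    return found


def ike_config_lines(show_run_filtered):
    """Return the configuration lines that indicate an IKE-using feature."""
    return [l.strip() for l in show_run_filtered.splitlines() if IKE_CONFIG_RE.match(l)]


def ios_release(show_version):
    """Return (release, train), e.g. ('15.0(1)M1', '15.0M'); (None, None) if absent."""
    m = VERSION_RE.search(show_version)
    if not m:
        return None, None
    release = m.group(1)
    t = TRAIN_RE.match(release)
    return release, (t.group(1) + t.group(2)) if t else None


def triage(show_udp, show_run_filtered, show_version):
    """Combine the checks: the device is in scope if either check fires."""
    sockets = ike_sockets(show_udp)
    config = ike_config_lines(show_run_filtered)
    release, train = ios_release(show_version)
    return {"release": release, "train": train, "ike_sockets": sockets,
            "ike_config": config, "ike_in_use": bool(sockets or config)}


# Constructed sample output, modelled on the advisory's examples
# (an NTP socket on port 123 is included to show that it is ignored)
SAMPLE_SHOW_UDP = """\
router# show udp
Proto    Remote      Port      Local       Port  In Out  Stat TTY OutputIF
 17    --listen--          192.168.130.21   500   0   0 1001011   0
 17(v6) --listen--          UNKNOWN         500   0   0 1020011   0
 17    --listen--          192.168.130.21  4500   0   0 1001011   0
 17(v6) --listen--          UNKNOWN        4500   0   0 1020011   0
 17    --listen--          192.168.130.21   123   0   0 1001011   0
router#
"""
SAMPLE_SHOW_RUN = """\
router# show run | include crypto map|tunnel protection ipsec|crypto gdoi
crypto map CM 100 ipsec-isakmp
 crypto map CM
router#
"""
SAMPLE_SHOW_VERSION = ("Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), "
                       "Version 15.0(1)M1, RELEASE SOFTWARE (fc1)")

if __name__ == "__main__":
    for key, value in triage(SAMPLE_SHOW_UDP, SAMPLE_SHOW_RUN, SAMPLE_SHOW_VERSION).items():
        print(f"{key}: {value}")
```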
The following example shows a device that has been configured for IKE:

    router# show run | include crypto map|tunnel protection ipsec|crypto gdoi
    crypto map CM 100 ipsec-isakmp
     crypto map CM
    router#

Determine the Cisco IOS Software Release
+---------------------------------------

To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the "show version" command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to "Cisco Internetwork Operating System Software" or "Cisco IOS Software." The image name displays in parentheses, followed by "Version" and the Cisco IOS Software release name. Other Cisco devices do not have the "show version" command or may provide different output.

The following example identifies a Cisco product that is running Cisco IOS Software Release 15.0(1)M1 with an installed image name of C3900-UNIVERSALK9-M:

    Router> show version
    Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2009 by Cisco Systems, Inc.
    Compiled Wed 02-Dec-09 17:17 by prod_rel_team

    !--- output truncated

Additional information about Cisco IOS Software release naming conventions is available in "White Paper: Cisco IOS and NX-OS Software Reference Guide" at:
http://www.cisco.com/web/about/security/intelligence/ios-ref.html

Products Confirmed Not Vulnerable
+--------------------------------

Cisco ASA 5500 Series Adaptive Security Appliance is not affected by this vulnerability.

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

The IKE protocol is used in the Internet Protocol Security (IPsec) protocol suite to negotiate cryptographic attributes that will be used to encrypt or authenticate the communication session.
These attributes include cryptographic algorithm, mode, and shared keys. The end result of IKE is a shared session secret that will be used to derive cryptographic keys.

Cisco IOS Software supports IKE for IPv4 and IPv6 communications. IKE communication can use any of the following UDP ports:

  * UDP port 500
  * UDP port 4500, NAT Traversal (NAT-T)
  * UDP port 848, Group Domain of Interpretation (GDOI)
  * UDP port 4848, GDOI NAT-T

The IKEv1 feature of Cisco IOS Software contains a vulnerability that could allow an unauthenticated, remote attacker to cause a reload of an affected device. An attacker could exploit this vulnerability using either IPv4 or IPv6 on any of the listed UDP ports. Spoofing of packets that could exploit this vulnerability is limited because the attacker needs to either receive or have access to the initial response from the vulnerable device.

This vulnerability is documented in Cisco bug ID CSCts38429 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2012-0381.

Vulnerability Scoring Details
=============================

Cisco has scored the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps organizations determine the urgency and priority of a response.

Cisco has provided a base and temporal score. Customers can also compute environmental scores that help determine the impact of the vulnerability in their own networks.
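To make the scoring concrete, here is an added CVSS v2.0 calculation (not Cisco's calculator and not part of the advisory) that reproduces the base and temporal scores listed below for CSCts38429 from the metric values the advisory gives, and extends them to the environmental score mentioned above; the environmental inputs used in the example are constructed, not values from the advisory.

```python
"""Reproduce the CVSS v2.0 base and temporal scores the advisory lists for
CSCts38429 (7.8 / 6.4) from its metric values, and extend them to the
environmental score Cisco says customers can compute for their own networks.

Added example for this advisory (not Cisco's calculator); the formulas and
weights are those of the CVSS v2.0 specification. The environmental inputs
below are a constructed illustration, not values from the advisory.
"""
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2.0 metric weights (base metrics)
ACCESS_VECTOR = {"Local": 0.395, "Adjacent Network": 0.646, "Network": 1.0}
ACCESS_COMPLEXITY = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AUTHENTICATION = {"Multiple": 0.45, "Single": 0.56, "None": 0.704}
IMPACT = {"None": 0.0, "Partial": 0.275, "Complete": 0.660}
# temporal metrics
EXPLOITABILITY = {"Unproven": 0.85, "Proof-of-Concept": 0.9,
                  "Functional": 0.95, "High": 1.0, "Not Defined": 1.0}
REMEDIATION = {"Official-Fix": 0.87, "Temporary-Fix": 0.90,
               "Workaround": 0.95, "Unavailable": 1.0, "Not Defined": 1.0}
CONFIDENCE = {"Unconfirmed": 0.90, "Uncorroborated": 0.95,
              "Confirmed": 1.0, "Not Defined": 1.0}
# environmental metrics
COLLATERAL = {"None": 0.0, "Low": 0.1, "Low-Medium": 0.3,
              "Medium-High": 0.4, "High": 0.5, "Not Defined": 0.0}
TARGET_DIST = {"None": 0.0, "Low": 0.25, "Medium": 0.75,
               "High": 1.0, "Not Defined": 1.0}
REQUIREMENT = {"Low": 0.5, "Medium": 1.0, "High": 1.51, "Not Defined": 1.0}


def round1(x):
    """CVSS rounds to one decimal, half up (Python's round() is half-even)."""
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def _base_from_impact(impact, av, ac, au):
    exploitability = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    f_impact = 0.0 if impact == 0 else 1.176
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def base_score(av, ac, au, c, i, a):
    impact = 10.41 * (1 - (1 - IMPACT[c]) * (1 - IMPACT[i]) * (1 - IMPACT[a]))
    return _base_from_impact(impact, av, ac, au)


def temporal_score(base, e, rl, rc):
    return round1(base * EXPLOITABILITY[e] * REMEDIATION[rl] * CONFIDENCE[rc])


def environmental_score(av, ac, au, c, i, a, e, rl, rc, cdp, td, cr, ir, ar):
    """Recompute impact with the organisation's C/I/A requirements, then fold
    in collateral damage potential and target distribution."""
    adj_impact = min(10.0, 10.41 * (1 - (1 - IMPACT[c] * REQUIREMENT[cr])
                                      * (1 - IMPACT[i] * REQUIREMENT[ir])
                                      * (1 - IMPACT[a] * REQUIREMENT[ar])))
    adj_temporal = temporal_score(_base_from_impact(adj_impact, av, ac, au), e, rl, rc)
    return round1((adj_temporal + (10 - adj_temporal) * COLLATERAL[cdp]) * TARGET_DIST[td])


# The advisory's metrics for CSCts38429: AV:N/AC:L/Au:N/C:N/I:N/A:C, E:F/RL:OF/RC:C
IKE_BASE_METRICS = ("Network", "Low", "None", "None", "None", "Complete")
IKE_TEMPORAL_METRICS = ("Functional", "Official-Fix", "Confirmed")


def ike_scores():
    """Return (base, temporal) for the advisory's metrics."""
    base = base_score(*IKE_BASE_METRICS)
    return base, temporal_score(base, *IKE_TEMPORAL_METRICS)


if __name__ == "__main__":
    base, temporal = ike_scores()
    print(f"CSCts38429 base {base}, temporal {temporal}")
    # constructed environment: VPN headend availability is critical (AR:H),
    # every router runs IKE (TD:H), an outage causes moderate collateral loss
    env = environmental_score(*IKE_BASE_METRICS, *IKE_TEMPORAL_METRICS,
                              "Low-Medium", "High", "Not Defined", "Not Defined", "High")
    print(f"environmental (constructed example) {env}")
```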
Cisco has provided additional information regarding CVSS at the following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to compute the environmental impact for individual networks at the following link:
http://intellishield.cisco.com/security/alertmanager/cvss

* CSCts38429 ("Cisco IOS Software IKE DoS vulnerability")

CVSS Base Score - 7.8
    Access Vector -           Network
    Access Complexity -       Low
    Authentication -          None
    Confidentiality Impact -  None
    Integrity Impact -        None
    Availability Impact -     Complete

CVSS Temporal Score - 6.4
    Exploitability -          Functional
    Remediation Level -       Official-Fix
    Report Confidence -       Confirmed

Impact
======

Successful exploitation of the vulnerability may cause the vulnerable device to reload.

Software Versions and Fixes
===========================

Cisco IOS Software
+-----------------

Each row of the following Cisco IOS Software table corresponds to a Cisco IOS Software train. If a particular train is vulnerable, the earliest releases that contain the fix are listed in the First Fixed Release column. The First Fixed Release for All Advisories in the March 2012 Bundled Publication column lists the earliest possible releases that correct all the published vulnerabilities in the Cisco IOS Software Security Advisory bundled publication. Cisco recommends upgrading to the latest available release, where possible.

The Cisco IOS Software Checker allows customers to search for Cisco Security Advisories that address specific Cisco IOS Software releases.
This tool is available on the Cisco Security Intelligence Operations (SIO) portal at:
http://tools.cisco.com/security/center/selectIOSVersion.x

Availability of Repaired Releases (one line per train; the columns are Major Release | First Fixed Release | First Fixed Release for All Advisories in the March 2012 Cisco IOS Software Security Advisory Bundled Publication)

Affected 12.0-Based Releases:
There are no affected 12.0 based releases

Affected 12.2-Based Releases:
12.2     | Vulnerable; First fixed in Release 15.0M | Vulnerable; First fixed in Release 15.0M
12.2B    | Vulnerable; First fixed in Release 15.0M. Releases up to and including 12.2(2)B7 are not vulnerable. | Vulnerable; First fixed in Release 15.0M
12.2BC   | Vulnerable; First fixed in Release 15.0M. Releases up to and including 12.2(4)BC1b are not vulnerable. | Vulnerable; First fixed in Release 15.0M
12.2BW   | Vulnerable; First fixed in Release 15.0M | Vulnerable; First fixed in Release 15.0M
12.2BX   | Vulnerable; First fixed in Release 12.2SRE. Releases up to and including 12.2(2)BX1 are not vulnerable. | Vulnerable; First fixed in Release 12.2SB
12.2BY   | Vulnerable; First fixed in Release 15.0M. Releases up to and including 12.2(2)BY3 are not vulnerable. | Vulnerable; First fixed in Release 15.0M
12.2BZ   | Vulnerable; First fixed in Release 15.0M. Releases up to and including 12.2(4)BZ2 are not vulnerable. | Vulnerable; First fixed in Release 15.0M
12.2CX   | Vulnerable; First fixed in Release 15.0M | Vulnerable; First fixed in Release 15.0M
12.2CY   | Vulnerable; First fixed in Release 15.0M | Vulnerable; First fixed in Release 15.0M
12.2CZ   | Vulnerable; migrate to any release in 12.0S | Vulnerable; First fixed in Release 12.0S
12.2DA   | Not vulnerable | Vulnerable; First fixed in Release 15.0M
12.2DD   | Vulnerable; First fixed in Release 15.0M | Vulnerable; First fixed in Release 15.0M
12.2DX   | Not vulnerable | Vulnerable; First fixed in Release 15.0M
12.2EU   | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
12.2EW   | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
12.2EWA  | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
12.2EX   | Not vulnerable | Vulnerable; First fixed in Release 15.0SE
12.2EY   | Not vulnerable | 12.2(52)EY4
12.2EZ   | Not vulnerable | Vulnerable; First fixed in Release 15.0SE
12.2FX   | Not vulnerable | Vulnerable; First fixed in Release 15.0SE
12.2FY   | Not vulnerable | Vulnerable; First fixed in Release 15.0SE
12.2FZ   | Not vulnerable | Vulnerable; First fixed in Release 15.0SE
12.2IRA  | Vulnerable; First fixed in Release 12.2SRD | Vulnerable; First fixed in Release 12.2SRE
12.2IRB  | Vulnerable; First fixed in Release 12.2SRD | Vulnerable; First fixed in Release 12.2SRE
12.2IRC  | Vulnerable; First fixed in Release 12.2SRD | Vulnerable; First fixed in Release 12.2SRE
12.2IRD  | Vulnerable; First fixed in Release 12.2SRD | Vulnerable; First fixed in Release 12.2SRE
12.2IRE  | Vulnerable; First fixed in Release 12.2SRD | Vulnerable; First fixed in Release 12.2SRE
12.2IRF  | Vulnerable; First fixed in Release 12.2SRD | Vulnerable; First fixed in Release 12.2SRE
12.2IRG  | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
12.2IRH  | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
12.2IXA  | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
12.2IXB  | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
12.2IXC  | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
12.2IXD  | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
12.2IXE  | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
12.2IXF  | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
12.2IXG  | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
12.2IXH  | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
12.2JA   | Not vulnerable | Not vulnerable
12.2JK   | Not vulnerable | Not vulnerable
12.2MB   | Not vulnerable | Vulnerable; First fixed in Release 15.0M
12.2MC   | Not vulnerable | Vulnerable; First fixed in Release 15.0M
12.2MRA  | Vulnerable; First fixed in Release 12.2SRD | Vulnerable; First fixed in Release 12.2SRE
12.2MRB  | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
12.2S    | Note: Releases prior to 12.2(25)S1 are vulnerable; Releases 12.2(25)S1 and later are not vulnerable. | Releases prior to 12.2(30)S are vulnerable; Releases 12.2(30)S and later are not vulnerable. First fixed in Release 12.0S
12.2SB   | Only releases 12.2(33)SB1 through 12.2(33)SB4 are vulnerable. | 12.2(33)SB12
12.2SBC  | Not vulnerable | Vulnerable; First fixed in Release 12.2SRE
12.2SCA  | Vulnerable; First fixed in Release 12.2SCE | Vulnerable; First fixed in Release 12.2SCE
12.2SCB  | Vulnerable; First fixed in Release 12.2SCE | Vulnerable; First fixed in Release 12.2SCE
12.2SCC  | Vulnerable; First fixed in Release 12.2SCE | Vulnerable; First fixed in Release 12.2SCE
12.2SCD  | Vulnerable; First fixed in Release 12.2SCE | Vulnerable; First fixed in Release 12.2SCE
12.2SCE  | 12.2(33)SCE6 | 12.2(33)SCE6
12.2SCF  | 12.2(33)SCF2 | 12.2(33)SCF2
12.2SE   | Not vulnerable* | 12.2(55)SE5 *
12.2SEA  | Not vulnerable | Vulnerable; First fixed in Release 15.0SE
12.2SEB  | Not vulnerable | Vulnerable; First fixed in Release 15.0SE
12.2SEC  | Not vulnerable | Vulnerable; First fixed in Release 15.0SE
12.2SED  | Not vulnerable | Vulnerable; First fixed in Release 15.0SE
12.2SEE  | Not vulnerable | Vulnerable; First fixed in Release 15.0SE
12.2SEF  | Not vulnerable | Vulnerable; First fixed in Release 15.0SE
12.2SEG  | Not vulnerable | Vulnerable; First fixed in Release 15.0SE
12.2SG   | Not vulnerable | 12.2(53)SG7; Available on 07-MAY-12
12.2SGA  | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
12.2SL   | Not vulnerable | Not vulnerable
12.2SM   | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
12.2SO   | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
12.2SQ   | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
12.2SRA  | Vulnerable; First fixed in Release 12.2SRD | Vulnerable; First fixed in Release 12.2SRE
12.2SRB  | Vulnerable; First fixed in Release 12.2SRD | Vulnerable; First fixed in Release 12.2SRE
12.2SRC  | Vulnerable; First fixed in Release 12.2SRD | Vulnerable; First fixed in Release 12.2SRE
12.2SRD  | 12.2(33)SRD8 | Vulnerable; First fixed in Release 12.2SRE
12.2SRE  | 12.2(33)SRE6 | 12.2(33)SRE6
12.2STE  | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
12.2SU   | Vulnerable; First fixed in Release 15.0M | Vulnerable; First fixed in Release 15.0M
12.2SV   | Not vulnerable | Releases up to and including 12.2(18)SV2 are not vulnerable.
12.2SVA  | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
12.2SVC  | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
12.2SVD  | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
12.2SVE  | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
12.2SW   | Releases up to and including 12.2(21)SW1 are not vulnerable. Releases 12.2(25)SW10 and later are not vulnerable. First fixed in Release 12.4T | Vulnerable; First fixed in Release 12.4T
12.2SX   | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
12.2SXA  | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
12.2SXB  | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
12.2SXD  | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
12.2SXE  | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
12.2SXF  | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
12.2SXH  | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
12.2SXI  | 12.2(33)SXI9 | 12.2(33)SXI9
12.2SXJ  | 12.2(33)SXJ2 | 12.2(33)SXJ2
12.2SY   | 12.2(50)SY2; Available on 11-JUN-12 | 12.2(50)SY2; Available on 11-JUN-12
12.2SZ   | Not vulnerable | Vulnerable; First fixed in Release 12.0S
12.2T    | Vulnerable; First fixed in Release 15.0M | Vulnerable; First fixed in Release 15.0M
12.2TPC  | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
12.2XA   | Vulnerable; First fixed in Release 15.0M | Vulnerable; First fixed in Release 15.0M
12.2XB   | Vulnerable; First fixed in Release 15.0M | Vulnerable; First fixed in Release 15.0M
12.2XC   | Not vulnerable | Vulnerable; First fixed in Release 15.0M
12.2XD   | Vulnerable; First fixed in Release 15.0M | Vulnerable; First fixed in Release 15.0M
12.2XE   | Vulnerable; First fixed in Release 15.0M | Vulnerable; First fixed in Release 15.0M
12.2XF   | Not vulnerable | Vulnerable; First fixed in Release 15.0M
12.2XG   | Vulnerable; First fixed in Release 15.0M | Vulnerable; First fixed in Release 15.0M
12.2XH   | Vulnerable; First fixed in Release 15.0M | Vulnerable; First fixed in Release 15.0M
12.2XI   | Vulnerable; First fixed in Release 15.0M | Vulnerable; First fixed in Release 15.0M
12.2XJ   | Vulnerable; First fixed in Release 15.0M | Vulnerable; First fixed in Release 15.0M
12.2XK   | Vulnerable; First fixed in Release 15.0M | Vulnerable; First fixed in Release 15.0M
12.2XL   | Vulnerable; First fixed in Release 15.0M | Vulnerable; First fixed in Release 15.0M
12.2XM   | Vulnerable; First fixed in Release 15.0M | Vulnerable; First fixed in Release 15.0M
12.2XNA  | Please see Cisco IOS-XE Software Availability | Please see Cisco IOS-XE Software Availability
12.2XNB  | Please see Cisco IOS-XE Software Availability | Please see Cisco IOS-XE Software Availability
12.2XNC  | Please see Cisco IOS-XE Software Availability | Please see Cisco IOS-XE Software Availability
12.2XND  | Please see Cisco IOS-XE Software Availability | Please see Cisco IOS-XE Software Availability
12.2XNE  | Please see Cisco IOS-XE Software Availability | Please see Cisco IOS-XE Software Availability
12.2XNF  | Please see Cisco IOS-XE Software Availability | Please see Cisco IOS-XE Software Availability
12.2XO   | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
12.2XQ   | Vulnerable; First fixed in Release 15.0M | Vulnerable; First fixed in Release 15.0M
12.2XR   | Not vulnerable | Releases prior to 12.2(15)XR are vulnerable; Releases 12.2(15)XR and later are not vulnerable. First fixed in Release 15.0M
12.2XS   | Vulnerable; First fixed in Release 15.0M | Vulnerable; First fixed in Release 15.0M
12.2XT   | Vulnerable; First fixed in Release 15.0M | Vulnerable; First fixed in Release 15.0M
12.2XU   | Vulnerable; First fixed in Release 15.0M | Vulnerable; First fixed in Release 15.0M
12.2XV   | Vulnerable; First fixed in Release 15.0M | Vulnerable; First fixed in Release 15.0M
12.2XW   | Vulnerable; First fixed in Release 15.0M | Vulnerable; First fixed in Release 15.0M
12.2YA   | Vulnerable; First fixed in Release 15.0M | Vulnerable; First fixed in Release 15.0M
12.2YC   | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
12.2YD   | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory.
| |----------+----------------------------+---------------------------| | |Vulnerable; contact your |Vulnerable; contact your | | |support organization per the|support organization per | |12.2YE |instructions in Obtaining |the instructions in | | |Fixed Software section of |Obtaining Fixed Software | | |this advisory. |section of this advisory. | |----------+----------------------------+---------------------------| | | |Vulnerable; contact your | | | |support organization per | |12.2YK |Not vulnerable |the instructions in | | | |Obtaining Fixed Software | | | |section of this advisory. | |----------+----------------------------+---------------------------| | |Vulnerable; contact your |Vulnerable; contact your | | |support organization per the|support organization per | |12.2YO |instructions in Obtaining |the instructions in | | |Fixed Software section of |Obtaining Fixed Software | | |this advisory. |section of this advisory. | |----------+----------------------------+---------------------------| | | |Vulnerable; First fixed in | | | |Release 15.0M | |12.2YP |Not vulnerable |Releases up to and | | | |including 12.2(8)YP are not| | | |vulnerable. | |----------+----------------------------+---------------------------| | | |Vulnerable; contact your | | | |support organization per | |12.2YT |Not vulnerable |the instructions in | | | |Obtaining Fixed Software | | | |section of this advisory. | |----------+----------------------------+---------------------------| | |Vulnerable; contact your |Vulnerable; contact your | | |support organization per the|support organization per | |12.2YW |instructions in Obtaining |the instructions in | | |Fixed Software section of |Obtaining Fixed Software | | |this advisory. |section of this advisory. 
| |----------+----------------------------+---------------------------| | |Vulnerable; contact your |Vulnerable; contact your | | |support organization per the|support organization per | |12.2YX |instructions in Obtaining |the instructions in | | |Fixed Software section of |Obtaining Fixed Software | | |this advisory. |section of this advisory. | |----------+----------------------------+---------------------------| | |Vulnerable; contact your |Vulnerable; contact your | | |support organization per the|support organization per | |12.2YY |instructions in Obtaining |the instructions in | | |Fixed Software section of |Obtaining Fixed Software | | |this advisory. |section of this advisory. | |----------+----------------------------+---------------------------| | |Vulnerable; contact your |Vulnerable; contact your | | |support organization per the|support organization per | |12.2YZ |instructions in Obtaining |the instructions in | | |Fixed Software section of |Obtaining Fixed Software | | |this advisory. |section of this advisory. | |----------+----------------------------+---------------------------| | |Vulnerable; contact your |Vulnerable; contact your | | |support organization per the|support organization per | |12.2ZA |instructions in Obtaining |the instructions in | | |Fixed Software section of |Obtaining Fixed Software | | |this advisory. |section of this advisory. | |----------+----------------------------+---------------------------| | | |Vulnerable; contact your | | |Releases up to and including|support organization per | |12.2ZB |12.2(8)ZB are not |the instructions in | | |vulnerable. |Obtaining Fixed Software | | | |section of this advisory. | |----------+----------------------------+---------------------------| | | |Vulnerable; contact your | | | |support organization per | |12.2ZC |Not vulnerable |the instructions in | | | |Obtaining Fixed Software | | | |section of this advisory. 
| |----------+----------------------------+---------------------------| | |Vulnerable; contact your |Vulnerable; contact your | | |support organization per the|support organization per | |12.2ZD |instructions in Obtaining |the instructions in | | |Fixed Software section of |Obtaining Fixed Software | | |this advisory. |section of this advisory. | |----------+----------------------------+---------------------------| |12.2ZE |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 15.0M |Release 15.0M | |----------+----------------------------+---------------------------| |12.2ZH |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 15.0M |Release 15.0M | |----------+----------------------------+---------------------------| | |Vulnerable; contact your |Vulnerable; contact your | | |support organization per the|support organization per | |12.2ZJ |instructions in Obtaining |the instructions in | | |Fixed Software section of |Obtaining Fixed Software | | |this advisory. |section of this advisory. | |----------+----------------------------+---------------------------| | | |Vulnerable; contact your | | | |support organization per | |12.2ZP |Not vulnerable |the instructions in | | | |Obtaining Fixed Software | | | |section of this advisory. | |----------+----------------------------+---------------------------| | |Vulnerable; contact your |Vulnerable; contact your | | |support organization per the|support organization per | |12.2ZU |instructions in Obtaining |the instructions in | | |Fixed Software section of |Obtaining Fixed Software | | |this advisory. |section of this advisory. 
| |----------+----------------------------+---------------------------| |12.2ZX |Not vulnerable |Vulnerable; First fixed in | | | |Release 12.2SRE | |----------+----------------------------+---------------------------| | |Vulnerable; contact your |Vulnerable; contact your | | |support organization per the|support organization per | |12.2ZY |instructions in Obtaining |the instructions in | | |Fixed Software section of |Obtaining Fixed Software | | |this advisory. |section of this advisory. | |----------+----------------------------+---------------------------| | |Vulnerable; contact your |Vulnerable; contact your | | |support organization per the|support organization per | |12.2ZYA |instructions in Obtaining |the instructions in | | |Fixed Software section of |Obtaining Fixed Software | | |this advisory. |section of this advisory. | |----------+----------------------------+---------------------------| | | |First Fixed Release for All| | Affected | | Advisories in the March | |12.3-Based| First Fixed Release | 2012 Cisco IOS Software | | Releases | | Security Advisory Bundled | | | | Publication | |----------+----------------------------+---------------------------| |12.3 |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 15.0M |Release 15.0M | |----------+----------------------------+---------------------------| |12.3B |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 15.0M |Release 15.0M | |----------+----------------------------+---------------------------| |12.3BC |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 12.2SCE |Release 12.2SCE | |----------+----------------------------+---------------------------| |12.3BW |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0M | |----------+----------------------------+---------------------------| |12.3JA |Not vulnerable |Vulnerable; First fixed in | | | |Release 12.4JA | |----------+----------------------------+---------------------------| | | 
|Vulnerable; contact your | | | |support organization per | |12.3JEA |Not vulnerable |the instructions in | | | |Obtaining Fixed Software | | | |section of this advisory. | |----------+----------------------------+---------------------------| | | |Vulnerable; contact your | | | |support organization per | |12.3JEB |Not vulnerable |the instructions in | | | |Obtaining Fixed Software | | | |section of this advisory. | |----------+----------------------------+---------------------------| | |Vulnerable; contact your |Vulnerable; contact your | | |support organization per the|support organization per | |12.3JEC |instructions in Obtaining |the instructions in | | |Fixed Software section of |Obtaining Fixed Software | | |this advisory. |section of this advisory. | |----------+----------------------------+---------------------------| | |Vulnerable; contact your |Vulnerable; contact your | | |support organization per the|support organization per | |12.3JED |instructions in Obtaining |the instructions in | | |Fixed Software section of |Obtaining Fixed Software | | |this advisory. |section of this advisory. | |----------+----------------------------+---------------------------| | |Releases up to and including| | | |12.3(2)JK3 are not | | |12.3JK |vulnerable. |Vulnerable; First fixed in | | |Releases 12.3(8)JK1 and |Release 15.0M | | |later are not vulnerable. | | | |First fixed in Release 15.0M| | |----------+----------------------------+---------------------------| | | |Vulnerable; contact your | | | |support organization per | |12.3JL |Not vulnerable |the instructions in | | | |Obtaining Fixed Software | | | |section of this advisory. 
| |----------+----------------------------+---------------------------| |12.3JX |Not vulnerable |Not vulnerable | |----------+----------------------------+---------------------------| |12.3T |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 15.0M |Release 15.0M | |----------+----------------------------+---------------------------| | |Vulnerable; contact your |Vulnerable; contact your | | |support organization per the|support organization per | |12.3TPC |instructions in Obtaining |the instructions in | | |Fixed Software section of |Obtaining Fixed Software | | |this advisory. |section of this advisory. | |----------+----------------------------+---------------------------| |12.3VA |Not vulnerable |Not vulnerable | |----------+----------------------------+---------------------------| |12.3XA |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 15.0M |Release 15.0M | |----------+----------------------------+---------------------------| | |Vulnerable; contact your |Vulnerable; contact your | | |support organization per the|support organization per | |12.3XB |instructions in Obtaining |the instructions in | | |Fixed Software section of |Obtaining Fixed Software | | |this advisory. |section of this advisory. 
| |----------+----------------------------+---------------------------| |12.3XC |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 15.0M |Release 15.0M | |----------+----------------------------+---------------------------| |12.3XD |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 15.0M |Release 15.0M | |----------+----------------------------+---------------------------| |12.3XE |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 15.0M |Release 15.0M | |----------+----------------------------+---------------------------| | |Vulnerable; contact your |Vulnerable; contact your | | |support organization per the|support organization per | |12.3XF |instructions in Obtaining |the instructions in | | |Fixed Software section of |Obtaining Fixed Software | | |this advisory. |section of this advisory. | |----------+----------------------------+---------------------------| |12.3XG |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 15.0M |Release 15.0M | |----------+----------------------------+---------------------------| |12.3XI |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 12.2SRE |Release 12.2SRE | |----------+----------------------------+---------------------------| |12.3XJ |Vulnerable; migrate to any |Vulnerable; First fixed in | | |release in 12.4XN |Release 15.0M | |----------+----------------------------+---------------------------| |12.3XK |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 15.0M |Release 15.0M | |----------+----------------------------+---------------------------| |12.3XL |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 12.4T |Release 15.0M | |----------+----------------------------+---------------------------| |12.3XQ |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 15.0M |Release 15.0M | |----------+----------------------------+---------------------------| |12.3XR |Vulnerable; First fixed in 
|Vulnerable; First fixed in | | |Release 15.0M |Release 15.0M | |----------+----------------------------+---------------------------| | |Vulnerable; First fixed in | | | |Release 12.4T |Vulnerable; First fixed in | |12.3XU |Releases up to and including|Release 12.4T | | |12.3(8)XU1 are not | | | |vulnerable. | | |----------+----------------------------+---------------------------| |12.3XW |Vulnerable; migrate to any |Vulnerable; First fixed in | | |release in 12.4XN |Release 15.0M | |----------+----------------------------+---------------------------| |12.3XX |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 15.0M |Release 15.0M | |----------+----------------------------+---------------------------| |12.3XY |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0M | |----------+----------------------------+---------------------------| |12.3XZ |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0M | |----------+----------------------------+---------------------------| |12.3YD |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 12.4T |Release 15.0M | |----------+----------------------------+---------------------------| |12.3YF |Vulnerable; migrate to any |Vulnerable; First fixed in | | |release in 12.4XN |Release 15.0M | |----------+----------------------------+---------------------------| |12.3YG |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 12.4T |Release 15.0M | |----------+----------------------------+---------------------------| |12.3YI |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 12.4T |Release 15.0M | |----------+----------------------------+---------------------------| |12.3YJ |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0M | |----------+----------------------------+---------------------------| |12.3YK |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 12.4T |Release 15.0M | 
|----------+----------------------------+---------------------------| |12.3YM |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0M | |----------+----------------------------+---------------------------| |12.3YQ |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 12.4T |Release 15.0M | |----------+----------------------------+---------------------------| |12.3YS |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 12.4T |Release 15.0M | |----------+----------------------------+---------------------------| |12.3YT |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 12.4T |Release 15.0M | |----------+----------------------------+---------------------------| |12.3YU |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 12.4T |Release 15.0M | |----------+----------------------------+---------------------------| |12.3YX |Vulnerable; migrate to any |Vulnerable; First fixed in | | |release in 12.4XN |Release 15.0M | |----------+----------------------------+---------------------------| | |Vulnerable; contact your |Vulnerable; contact your | | |support organization per the|support organization per | |12.3YZ |instructions in Obtaining |the instructions in | | |Fixed Software section of |Obtaining Fixed Software | | |this advisory. |section of this advisory. 
| |----------+----------------------------+---------------------------| |12.3ZA |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 12.4T |Release 15.0M | |----------+----------------------------+---------------------------| | | |First Fixed Release for All| | Affected | | Advisories in the March | |12.4-Based| First Fixed Release | 2012 Cisco IOS Software | | Releases | | Security Advisory Bundled | | | | Publication | |----------+----------------------------+---------------------------| |12.4 |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 15.0M |Release 15.0M | |----------+----------------------------+---------------------------| | |Vulnerable; contact your |Vulnerable; contact your | | |support organization per the|support organization per | |12.4GC |instructions in Obtaining |the instructions in | | |Fixed Software section of |Obtaining Fixed Software | | |this advisory. |section of this advisory. | |----------+----------------------------+---------------------------| |12.4JA |Not vulnerable |12.4(23c)JA4 | | | |12.4(25e)JA | |----------+----------------------------+---------------------------| |12.4JAX |Not vulnerable |Vulnerable; First fixed in | | | |Release 12.4JA | |----------+----------------------------+---------------------------| | | |Vulnerable; contact your | | | |support organization per | |12.4JDA |Not vulnerable |the instructions in | | | |Obtaining Fixed Software | | | |section of this advisory. | |----------+----------------------------+---------------------------| | | |Vulnerable; contact your | | | |support organization per | |12.4JDC |Not vulnerable |the instructions in | | | |Obtaining Fixed Software | | | |section of this advisory. | |----------+----------------------------+---------------------------| | | |Vulnerable; contact your | | | |support organization per | |12.4JDD |Not vulnerable |the instructions in | | | |Obtaining Fixed Software | | | |section of this advisory. 
| |----------+----------------------------+---------------------------| | | |Vulnerable; contact your | | | |support organization per | |12.4JDE |Not vulnerable |the instructions in | | | |Obtaining Fixed Software | | | |section of this advisory. | |----------+----------------------------+---------------------------| | | |Vulnerable; contact your | | | |support organization per | |12.4JHA |Not vulnerable |the instructions in | | | |Obtaining Fixed Software | | | |section of this advisory. | |----------+----------------------------+---------------------------| | | |Vulnerable; contact your | | | |support organization per | |12.4JHB |Not vulnerable |the instructions in | | | |Obtaining Fixed Software | | | |section of this advisory. | |----------+----------------------------+---------------------------| | | |Vulnerable; contact your | | | |support organization per | |12.4JHC |Not vulnerable |the instructions in | | | |Obtaining Fixed Software | | | |section of this advisory. | |----------+----------------------------+---------------------------| | | |Vulnerable; contact your | | | |support organization per | |12.4JK |Not vulnerable |the instructions in | | | |Obtaining Fixed Software | | | |section of this advisory. | |----------+----------------------------+---------------------------| | | |Vulnerable; contact your | | | |support organization per | |12.4JL |Not vulnerable |the instructions in | | | |Obtaining Fixed Software | | | |section of this advisory. 
| |----------+----------------------------+---------------------------| |12.4JX |Not vulnerable |Vulnerable; First fixed in | | | |Release 12.4JA | |----------+----------------------------+---------------------------| |12.4JY |Not vulnerable |Vulnerable; First fixed in | | | |Release 12.4JA | |----------+----------------------------+---------------------------| |12.4JZ |Not vulnerable |Vulnerable; First fixed in | | | |Release 12.4JA | |----------+----------------------------+---------------------------| |12.4MD |12.4(22)MD3; Available on |12.4(22)MD3; Available on | | |30-MAR-12 |30-MAR-12 | |----------+----------------------------+---------------------------| |12.4MDA |12.4(24)MDA11 |12.4(24)MDA11 | |----------+----------------------------+---------------------------| |12.4MDB |12.4(24)MDB5a |12.4(24)MDB5a | |----------+----------------------------+---------------------------| |12.4MDC |Not vulnerable |Not vulnerable | |----------+----------------------------+---------------------------| | | |Vulnerable; contact your | | |Releases up to and including|support organization per | |12.4MR |12.4(9)MR are not |the instructions in | | |vulnerable. |Obtaining Fixed Software | | | |section of this advisory. | |----------+----------------------------+---------------------------| | |Vulnerable; contact your |Vulnerable; contact your | | |support organization per the|support organization per | |12.4MRA |instructions in Obtaining |the instructions in | | |Fixed Software section of |Obtaining Fixed Software | | |this advisory. |section of this advisory. 
| |----------+----------------------------+---------------------------| |12.4MRB |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 12.4T |Release 15.0M | |----------+----------------------------+---------------------------| |12.4SW |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 12.4T |Release 15.0M | |----------+----------------------------+---------------------------| | |12.4(15)T17 |12.4(15)T17 | |12.4T |12.4(24)T7 |12.4(24)T7 | | | | | |----------+----------------------------+---------------------------| |12.4XA |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 12.4T |Release 15.0M | |----------+----------------------------+---------------------------| | |Releases prior to 12.4(2) | | | |XB12 are vulnerable; |Vulnerable; First fixed in | |12.4XB |Releases 12.4(2)XB12 and |Release 12.4T | | |later are not vulnerable. | | | |First fixed in Release 12.4T| | |----------+----------------------------+---------------------------| |12.4XC |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 12.4T |Release 15.0M | |----------+----------------------------+---------------------------| |12.4XD |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 12.4T |Release 15.0M | |----------+----------------------------+---------------------------| |12.4XE |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 12.4T |Release 15.0M | |----------+----------------------------+---------------------------| |12.4XF |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 12.4T |Release 15.0M | |----------+----------------------------+---------------------------| |12.4XG |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0M | |----------+----------------------------+---------------------------| |12.4XJ |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 12.4T |Release 15.0M | |----------+----------------------------+---------------------------| 
|12.4XK |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 12.4T |Release 15.0M | |----------+----------------------------+---------------------------| | | |Vulnerable; contact your | | | |support organization per | |12.4XL |Not vulnerable |the instructions in | | | |Obtaining Fixed Software | | | |section of this advisory. | |----------+----------------------------+---------------------------| |12.4XM |Not vulnerable |Vulnerable; First fixed in | | | |Release 15.0M | |----------+----------------------------+---------------------------| | | |Vulnerable; contact your | | | |support organization per | |12.4XN |Not vulnerable |the instructions in | | | |Obtaining Fixed Software | | | |section of this advisory. | |----------+----------------------------+---------------------------| | |Vulnerable; contact your |Vulnerable; contact your | | |support organization per the|support organization per | |12.4XP |instructions in Obtaining |the instructions in | | |Fixed Software section of |Obtaining Fixed Software | | |this advisory. |section of this advisory. | |----------+----------------------------+---------------------------| |12.4XQ |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 12.4T |Release 15.0M | |----------+----------------------------+---------------------------| |12.4XR |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 12.4T |Release 12.4T | |----------+----------------------------+---------------------------| |12.4XT |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 12.4T |Release 15.0M | |----------+----------------------------+---------------------------| | |Vulnerable; contact your |Vulnerable; contact your | | |support organization per the|support organization per | |12.4XV |instructions in Obtaining |the instructions in | | |Fixed Software section of |Obtaining Fixed Software | | |this advisory. |section of this advisory. 
| |----------+----------------------------+---------------------------| |12.4XW |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 12.4T |Release 15.0M | |----------+----------------------------+---------------------------| |12.4XY |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 12.4T |Release 15.0M | |----------+----------------------------+---------------------------| |12.4XZ |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 12.4T |Release 15.0M | |----------+----------------------------+---------------------------| |12.4YA |Vulnerable; First fixed in |Vulnerable; First fixed in | | |Release 12.4T |Release 15.0M | |----------+----------------------------+---------------------------| | |Vulnerable; contact your |Vulnerable; contact your | | |support organization per the|support organization per | |12.4YB |instructions in Obtaining |the instructions in | | |Fixed Software section of |Obtaining Fixed Software | | |this advisory. |section of this advisory. | |----------+----------------------------+---------------------------| | |Vulnerable; contact your |Vulnerable; contact your | | |support organization per the|support organization per | |12.4YD |instructions in Obtaining |the instructions in | | |Fixed Software section of |Obtaining Fixed Software | | |this advisory. |section of this advisory. 
| 12.4YE | 12.4(24)YE3d | 12.4(24)YE3d |
| 12.4YG | 12.4(24)YG4 | 12.4(24)YG4 |
|----------+----------------------------+---------------------------|
| Affected 15.0-Based Releases | First Fixed Release | First Fixed Release for All Advisories in the March 2012 Cisco IOS Software Security Advisory Bundled Publication |
|----------+----------------------------+---------------------------|
| 15.0M | 15.0(1)M8 | 15.0(1)M8 |
| 15.0MR | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 15.0MRA | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 15.0S | 15.0(1)S5. Cisco IOS XE devices: Please see Cisco IOS XE Software Availability | 15.0(1)S5. Cisco IOS XE devices: Please see Cisco IOS XE Software Availability |
| 15.0SA | Not vulnerable | Not vulnerable |
| 15.0SE | Not vulnerable | 15.0(1)SE1 |
| 15.0SG | Not vulnerable. Cisco IOS XE devices: Please see Cisco IOS XE Software Availability | 15.0(2)SG2. Cisco IOS XE devices: Please see Cisco IOS XE Software Availability |
| 15.0SY | 15.0(1)SY1 | 15.0(1)SY1 |
| 15.0XA | Vulnerable; First fixed in Release 15.1T | Vulnerable; First fixed in Release 15.1T |
| 15.0XO | Cisco IOS XE devices: Please see Cisco IOS-XE Software Availability | Cisco IOS XE devices: Please see Cisco IOS-XE Software Availability |
|----------+----------------------------+---------------------------|
| Affected 15.1-Based Releases | First Fixed Release | First Fixed Release for All Advisories in the March 2012 Cisco IOS Software Security Advisory Bundled Publication |
|----------+----------------------------+---------------------------|
| 15.1EY | Not vulnerable | 15.1(2)EY2 |
| 15.1GC | 15.1(2)GC2 | 15.1(2)GC2 |
| 15.1M | 15.1(4)M3 | 15.1(4)M4 (Available on 30-MAR-12) |
| 15.1MR | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 15.1S | 15.1(3)S2. Cisco IOS XE devices: Please see Cisco IOS XE Software Availability | 15.1(3)S2. Cisco IOS XE devices: Please see Cisco IOS XE Software Availability |
| 15.1SG | Not vulnerable. Cisco IOS XE devices: Please see Cisco IOS XE Software Availability | Not vulnerable. Cisco IOS XE devices: Please see Cisco IOS XE Software Availability |
| 15.1SNG | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 15.1SNH | Not vulnerable | Not vulnerable |
| 15.1T | 15.1(1)T5 (Available on 18-MAY-12), 15.1(2)T5 (Available on 27-APR-12), 15.1(3)T3 | 15.1(3)T3 |
| 15.1XB | Vulnerable; First fixed in Release 15.1T | Vulnerable; First fixed in Release 15.1T |
|----------+----------------------------+---------------------------|
| Affected 15.2-Based Releases | First Fixed Release | First Fixed Release for All Advisories in the March 2012 Cisco IOS Software Security Advisory Bundled Publication |
|----------+----------------------------+---------------------------|
| 15.2GC | 15.2(1)GC2 | 15.2(1)GC2 |
| 15.2S | 15.2(1)S1. Cisco IOS XE devices: Please see Cisco IOS XE Software Availability | 15.2(1)S1. Cisco IOS XE devices: Please see Cisco IOS XE Software Availability |
| 15.2T | 15.2(1)T2, 15.2(2)T1, 15.2(3)T (Available on 30-MAR-12) | 15.2(1)T2, 15.2(2)T1, 15.2(3)T (Available on 30-MAR-12) |
+-------------------------------------------------------------------+

* Cisco Catalyst 3550 Series Switches support the Internet Key Exchange (IKE) feature and are vulnerable to Cisco bug ID CSCts38429 when the devices are running Layer 3 images; however, this product reached the End of Software Maintenance milestone. Cisco 3550 Series SMI Switches that are running Layer 2 images do not support IKE and are not vulnerable. No other Cisco devices that run 12.2SE-based software are vulnerable.
Cisco IOS XE Software
+--------------------

+------------------------------------------------------------+
| Cisco IOS XE Software Release | First Fixed Release | First Fixed Release for All Advisories in the March 2012 Cisco IOS Software Security Advisory Bundled Publication |
|-----------+--------------+---------------------------------|
| 2.1.x | Vulnerable; migrate to 3.4.2S or later. | Vulnerable; migrate to 3.4.2S or later. |
| 2.2.x | Vulnerable; migrate to 3.4.2S or later. | Vulnerable; migrate to 3.4.2S or later. |
| 2.3.x | Vulnerable; migrate to 3.4.2S or later. | Vulnerable; migrate to 3.4.2S or later. |
| 2.4.x | Vulnerable; migrate to 3.4.2S or later. | Vulnerable; migrate to 3.4.2S or later. |
| 2.5.x | Vulnerable; migrate to 3.4.2S or later. | Vulnerable; migrate to 3.4.2S or later. |
| 2.6.x | Vulnerable; migrate to 3.4.2S or later. | Vulnerable; migrate to 3.4.2S or later. |
| 3.1.xS | Vulnerable; migrate to 3.4.2S or later. | Vulnerable; migrate to 3.4.2S or later. |
| 3.1.xSG | Not vulnerable | Vulnerable; migrate to 3.2.2SG or later. |
| 3.2.xS | Vulnerable; migrate to 3.4.2S or later. | Vulnerable; migrate to 3.4.2S or later. |
| 3.2.xSG | 3.2.2SG | 3.2.2SG |
| 3.3.xS | Vulnerable; migrate to 3.4.2S or later. | Vulnerable; migrate to 3.4.2S or later. |
| 3.3.xSG | Not Vulnerable | Not Vulnerable |
| 3.4.xS | 3.4.2S | 3.4.2S |
| 3.5.xS | 3.5.1S | 3.5.1S |
| 3.6.xS | Not vulnerable | Not vulnerable |
+------------------------------------------------------------+

For a mapping of Cisco IOS XE Software releases to Cisco IOS Software releases, refer to Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S Release Notes, and Cisco IOS XE 3SG Release Notes.

Cisco IOS XR Software
+--------------------

Cisco IOS XR Software is not affected by any of the vulnerabilities disclosed in the March 2012 Cisco IOS Software Security Advisory Bundled Publication.

Workarounds
===========

There are no workarounds for this vulnerability.

Obtaining Fixed Software
========================

Cisco has released free software updates that address the vulnerability described in this advisory. Prior to deploying software, customers are advised to consult their maintenance providers or check the software for feature set compatibility and known issues that are specific to their environments.

Customers may only install and expect support for feature sets they have purchased. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as set forth at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt at cisco.com or security-alert at cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, upgrades should be obtained through the Software Center on Cisco.com at http://www.cisco.com.

Customers Using Third-Party Support Organizations
+------------------------------------------------

Customers with Cisco products that are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers, should contact that organization for assistance with the appropriate course of action.

The effectiveness of any workaround or fix depends on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Because of the variety of affected products and releases, customers should consult their service providers or support organizations to ensure that any applied workaround or fix is the most appropriate in the intended network before it is deployed.

Customers Without Service Contracts
+----------------------------------

Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC):

* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac at cisco.com

Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Customers without service contracts should request free upgrades through the TAC.
Refer to Cisco Worldwide Contacts at http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, instructions, and e-mail addresses for support in various languages.

Exploitation and Public Announcements
=====================================

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

This vulnerability was found during internal Cisco testing.

Status of This Notice: Final
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco Security Intelligence Operations at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-ike

Additionally, a text version of this advisory is clear signed with the Cisco PSIRT PGP key and circulated among the following e-mail addresses:

* cust-security-announce at cisco.com
* first-bulletins at lists.first.org
* bugtraq at securityfocus.com
* vulnwatch at vulnwatch.org
* cisco at spot.colorado.edu
* cisco-nsp at puck.nether.net
* full-disclosure at lists.grok.org.uk

Future updates of this advisory, if any, will reside on Cisco.com but may not be announced on mailing lists. Users can monitor this advisory's URL for any updates.
Revision History
================

+------------------------------------------------------------+
| Revision 1.0 | 2012-March-28 | Initial public release. |
+------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information about reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco is available on Cisco.com at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This web page includes instructions for press inquiries regarding Cisco Security Advisories. All Cisco Security Advisories are available at http://www.cisco.com/go/psirt.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iF4EAREIAAYFAk9xNMgACgkQQXnnBKKRMND8jwD6AzE8IxsF7PzqGh9w75+OhEQ7
z3dm7J1xzgPKLxtI7R8A/1AXDWCmSXsfNHJjhTPmMeZ5kxiA+9AfvxkWJLWxDMZ2
=sT/L
-----END PGP SIGNATURE-----

From psirt at cisco.com Wed Mar 28 12:20:57 2012
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Wed, 28 Mar 2012 12:20:57 -0400
Subject: [c-nsp] Cisco Security Advisory: Cisco IOS Software Network Address Translation Vulnerability
Message-ID: <201203281220058.cisco-sa-20120328-nat@psirt.cisco.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Cisco Security Advisory: Cisco IOS Software Network Address Translation Vulnerability

Advisory ID: cisco-sa-20120328-nat

Revision 1.0

For Public Release 2012 March 28 16:00 UTC (GMT)

+--------------------------------------------------------------------

Summary
=======

The Cisco IOS Software Network Address Translation (NAT) feature contains a denial of service (DoS) vulnerability in the translation of Session Initiation Protocol (SIP) packets.

The vulnerability is caused when packets in transit on the vulnerable device require translation on the SIP payload.

Cisco has released free software updates that address this vulnerability.
A workaround that mitigates the vulnerability is available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-nat

Note: The March 28, 2012, Cisco IOS Software Security Advisory bundled publication includes nine Cisco Security Advisories. Each advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all vulnerabilities in the March 2012 bundled publication.

Individual publication links are in "Cisco Event Response: Semi-Annual Cisco IOS Software Security Advisory Bundled Publication" at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.html

Affected Products
=================

Vulnerable Products
+------------------

Cisco devices that are running Cisco IOS Software are vulnerable when they are configured for NAT and contain support for NAT for Session Initiation Protocol.

There are two methods to determine if a device is configured for NAT:

* Determine if NAT is active on a running device.
* Determine if NAT commands are included in the device configuration.

Determine if NAT is Active on a Running Device
+---------------------------------------------

The preferred method to verify whether NAT is enabled on a Cisco IOS device is to log in to the device and issue the "show ip nat statistics" command. If NAT is active, the sections "Outside interfaces" and "Inside interfaces" will each include at least one interface.
The following example shows a device on which the NAT feature is active:

    Router#show ip nat statistics
    Total translations: 2 (0 static, 2 dynamic; 0 extended)
    Outside interfaces: Serial0
    Inside interfaces: Ethernet1
    Hits: 135  Misses: 5
    Expired translations: 2
    Dynamic mappings:
    -- Inside Source
    access-list 1 pool mypool refcount 2
     pool mypool: netmask 255.255.255.0
            start 192.168.10.1 end 192.168.10.254
            type generic, total addresses 14, allocated 2 (14%), misses 0

Depending on the Cisco IOS Software release, the interface lists can be in the lines following the "Outside interfaces" and "Inside interfaces".

In releases that support the "section" filter on "show" commands, the administrator can determine whether NAT is active by using the "show ip nat statistics | section interfaces" command, as illustrated in the following example:

    Router> show ip nat statistics | section interfaces
    Outside interfaces:
      GigabitEthernet0/0
    Inside interfaces:
      GigabitEthernet0/1
    Router>

Determine if NAT Commands are Included in the Device Configuration
+-----------------------------------------------------------------

Alternatively, to determine whether NAT has been enabled in the Cisco IOS Software configuration, either the "ip nat inside" or "ip nat outside" commands must be present in different interfaces, or in the case of the NAT Virtual Interface, the "ip nat enable" interface command will be present.

Determine the Cisco IOS Software Release
+---------------------------------------

To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the "show version" command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to "Cisco Internetwork Operating System Software" or "Cisco IOS Software." The image name displays in parentheses, followed by "Version" and the Cisco IOS Software release name.
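Both NAT checks above can be scripted against saved CLI output. The following is an added example, not Cisco's code or part of the advisory: it parses "show ip nat statistics" output in both shapes the advisory mentions (interfaces on the same line as the section name, or on the indented lines that follow) and scans a running configuration for the interface-level NAT commands. The sample outputs and the configuration are constructed, modelled on the examples in the advisory.

```python
"""Determine whether NAT is enabled on a Cisco IOS device from saved CLI output.

Added example; not Cisco's code or part of the advisory. Two independent
checks, mirroring the two methods the advisory describes:
  * nat_active()      parses "show ip nat statistics" output and answers True
                      only when both the Outside and Inside sections list at
                      least one interface;
  * nat_configured()  scans a running configuration for "ip nat inside",
                      "ip nat outside" or "ip nat enable" (NAT Virtual Interface).
All sample outputs and the configuration below are constructed."""
import re

# Constructed sample: older-style output, interfaces on the same line.
STATS_INLINE = """\
Total translations: 2 (0 static, 2 dynamic; 0 extended)
Outside interfaces: Serial0
Inside interfaces: Ethernet1
Hits: 135  Misses: 5
Expired translations: 2
"""

# Constructed sample: newer-style output, interface list on the following lines.
STATS_MULTILINE = """\
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
  GigabitEthernet0/0
Inside interfaces:
  GigabitEthernet0/1, GigabitEthernet0/2
Hits: 0  Misses: 0
"""

# Constructed sample: neither section names an interface, so NAT is not active.
STATS_EMPTY = """\
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
Inside interfaces:
Hits: 0  Misses: 0
"""

_SECTION_RE = re.compile(r"^(Outside|Inside) interfaces:\s*(.*)$")


def nat_interfaces(stats_output):
    """Return {'Outside': [...], 'Inside': [...]} from "show ip nat statistics" output."""
    found = {"Outside": [], "Inside": []}
    lines = stats_output.splitlines()
    i = 0
    while i < len(lines):
        m = _SECTION_RE.match(lines[i])
        i += 1
        if not m:
            continue
        side, rest = m.group(1), m.group(2)
        chunks = [rest] if rest else []
        # Releases that print the list on following lines indent those lines.
        while i < len(lines) and lines[i][:1].isspace() and lines[i].strip():
            chunks.append(lines[i])
            i += 1
        for chunk in chunks:
            found[side].extend(name for name in re.split(r"[,\s]+", chunk.strip()) if name)
    return found


def nat_active(stats_output):
    """NAT is active when both sections list at least one interface."""
    ifs = nat_interfaces(stats_output)
    return bool(ifs["Outside"]) and bool(ifs["Inside"])


# Constructed running configuration with classic inside/outside NAT.
RUNNING_CONFIG = """\
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 1 pool mypool overload
"""

_NAT_IF_CMDS = ("ip nat inside", "ip nat outside", "ip nat enable")


def nat_configured(config_text):
    """Return the set of interface-level NAT commands present in the configuration.

    Exact matching keeps the global "ip nat inside source ..." line from
    counting as an interface command."""
    return {line.strip() for line in config_text.splitlines() if line.strip() in _NAT_IF_CMDS}


if __name__ == "__main__":
    for name, text in (("inline", STATS_INLINE), ("multiline", STATS_MULTILINE), ("empty", STATS_EMPTY)):
        print(name, nat_active(text), nat_interfaces(text))
    print(sorted(nat_configured(RUNNING_CONFIG)))
```

The statistics parser deliberately requires both sections to be populated, as the advisory states; a configuration that names only "ip nat inside" interfaces shows up in nat_configured() but not as active NAT.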
Other Cisco devices do not have the "show version" command or may provide different output.

The following example identifies a Cisco product that is running Cisco IOS Software Release 15.0(1)M1 with an installed image name of C3900-UNIVERSALK9-M:

    Router> show version
    Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2009 by Cisco Systems, Inc.
    Compiled Wed 02-Dec-09 17:17 by prod_rel_team

    !--- output truncated

Additional information about Cisco IOS Software release naming conventions is available in "White Paper: Cisco IOS and NX-OS Software Reference Guide" at:
http://www.cisco.com/web/about/security/intelligence/ios-ref.html

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

Cisco IOS Software NAT SIP Memory Starvation Vulnerability

NAT SIP application level gateway (ALG) translation of SIP packets could cause a memory resource exhaustion condition that can lead to a DoS condition, which could cause the reload of the vulnerable device.

NAT for SIP is performed on UDP port 5060 packets by default. The port is configurable using the "ip nat service sip udp port" global configuration command.

This vulnerability is documented in Cisco bug ID CSCti35326 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2012-0383.

Vulnerability Scoring Details
=============================

Cisco has scored the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps organizations determine the urgency and priority of a response.

Cisco has provided a base and temporal score.
Customers can also compute environmental scores that help determine the impact of the vulnerability in their own networks.

Cisco has provided additional information regarding CVSS at the following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to compute the environmental impact for individual networks at the following link:
http://intellishield.cisco.com/security/alertmanager/cvss

* CSCti35326 ("Cisco IOS Software NAT SIP Memory Starvation Vulnerability")

CVSS Base Score - 7.8
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - None
    Integrity Impact - None
    Availability Impact - Complete

CVSS Temporal Score - 6.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

Impact
======

Successful exploitation of this vulnerability may cause incrementing use of memory that will not be released until the device is reloaded. This memory consumption could lead to a DoS condition and cause the vulnerable device to become unresponsive or reload.

Software Versions and Fixes
===========================

Cisco IOS Software

Each row of the following Cisco IOS Software table corresponds to a Cisco IOS Software train. If a particular train is vulnerable, the earliest releases that contain the fix are listed in the First Fixed Release column. The First Fixed Release for All Advisories in the March 2012 Bundled Publication column lists the earliest possible releases that correct all the published vulnerabilities in the Cisco IOS Software Security Advisory bundled publication. Cisco recommends upgrading to the latest available release, where possible.

The Cisco IOS Software Checker allows customers to search for Cisco Security Advisories that address specific Cisco IOS Software releases.
This tool is available on the Cisco Security Intelligence Operations (SIO) portal at:
http://tools.cisco.com/security/center/selectIOSVersion.x

+------------------------------------------------------------+
| Major Release | Availability of Repaired Releases |
|----------+-------------------------------------------------|
| Affected 12.0-Based Releases | First Fixed Release | First Fixed Release for All Advisories in the March 2012 Cisco IOS Software Security Advisory Bundled Publication |
|------------------------------------------------------------|
| There are no affected 12.0 based releases |
|------------------------------------------------------------|
| Affected 12.2-Based Releases | First Fixed Release | First Fixed Release for All Advisories in the March 2012 Cisco IOS Software Security Advisory Bundled Publication |
|------------------------------------------------------------|
| There are no affected 12.2 based releases |
|------------------------------------------------------------|
| Affected 12.3-Based Releases | First Fixed Release | First Fixed Release for All Advisories in the March 2012 Cisco IOS Software Security Advisory Bundled Publication |
|------------------------------------------------------------|
| There are no affected 12.3 based releases |
|------------------------------------------------------------|
| Affected 12.4-Based Releases | First Fixed Release | First Fixed Release for All Advisories in the March 2012 Cisco IOS Software Security Advisory Bundled Publication |
|----------+--------------------+----------------------------|
| 12.4 | Not vulnerable | Vulnerable; First fixed in Release 15.0M |
| 12.4GC | Releases up to and including 12.4(24)GC3a are not vulnerable. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.4JA | Not vulnerable | 12.4(23c)JA4, 12.4(25e)JA |
| 12.4JAX | Not vulnerable | Vulnerable; First fixed in Release 12.4JA |
| 12.4JDA | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.4JDC | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.4JDD | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.4JDE | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.4JHA | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.4JHB | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.4JHC | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.4JK | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.4JL | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.4JX | Not vulnerable | Vulnerable; First fixed in Release 12.4JA |
| 12.4JY | Not vulnerable | Vulnerable; First fixed in Release 12.4JA |
| 12.4JZ | Not vulnerable | Vulnerable; First fixed in Release 12.4JA |
| 12.4MD | Only releases 12.4(24)MD5 and 12.4(24)MD6 are vulnerable. | 12.4(22)MD3 (Available on 30-MAR-12) |
| 12.4MDA | Releases 12.4(24)MDA5 and prior are not vulnerable; first fixed in 12.2(24)MDA11 | 12.4(24)MDA11 |
| 12.4MDB | 12.4(24)MDB4 | 12.4(24)MDB5a |
| 12.4MDC | Not vulnerable | Not vulnerable |
| 12.4MR | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.4MRA | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.4MRB | Not vulnerable | Vulnerable; First fixed in Release 15.0M |
| 12.4SW | Not vulnerable | Vulnerable; First fixed in Release 15.0M |
| 12.4T | Only releases 12.4(24)T5 and 12.4(24)T6 are vulnerable. | 12.4(15)T17, 12.4(24)T7 |
| 12.4XA | Not vulnerable | Vulnerable; First fixed in Release 15.0M |
| 12.4XB | Not vulnerable | Vulnerable; First fixed in Release 12.4T |
| 12.4XC | Not vulnerable | Vulnerable; First fixed in Release 15.0M |
| 12.4XD | Not vulnerable | Vulnerable; First fixed in Release 15.0M |
| 12.4XE | Not vulnerable | Vulnerable; First fixed in Release 15.0M |
| 12.4XF | Not vulnerable | Vulnerable; First fixed in Release 15.0M |
| 12.4XG | Not vulnerable | Vulnerable; First fixed in Release 15.0M |
| 12.4XJ | Not vulnerable | Vulnerable; First fixed in Release 15.0M |
| 12.4XK | Not vulnerable | Vulnerable; First fixed in Release 15.0M |
| 12.4XL | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.4XM | Not vulnerable | Vulnerable; First fixed in Release 15.0M |
| 12.4XN | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.4XP | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.4XQ | Not vulnerable | Vulnerable; First fixed in Release 15.0M |
| 12.4XR | Not vulnerable | Vulnerable; First fixed in Release 12.4T |
| 12.4XT | Not vulnerable | Vulnerable; First fixed in Release 15.0M |
| 12.4XV | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.4XW | Not vulnerable | Vulnerable; First fixed in Release 15.0M |
| 12.4XY | Not vulnerable | Vulnerable; First fixed in Release 15.0M |
| 12.4XZ | Not vulnerable | Vulnerable; First fixed in Release 15.0M |
| 12.4YA | Not vulnerable | Vulnerable; First fixed in Release 15.0M |
| 12.4YB | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.4YD | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.4YE | Not vulnerable | 12.4(24)YE3d |
| 12.4YG | Not vulnerable | 12.4(24)YG4 |
|----------+--------------------+----------------------------|
| Affected 15.0-Based Releases | First Fixed Release | First Fixed Release for All Advisories in the March 2012 Cisco IOS Software Security Advisory Bundled Publication |
|----------+--------------------+----------------------------|
| 15.0M | Only releases 15.0(1)M4 and 15.0(1)M5 are vulnerable. | 15.0(1)M8 |
| 15.0MR | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 15.0MRA | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 15.0S | Not vulnerable. Cisco IOS XE devices: Please see Cisco IOS XE Software Availability | 15.0(1)S5. Cisco IOS XE devices: Please see Cisco IOS XE Software Availability |
| 15.0SA | Not vulnerable | Not vulnerable |
| 15.0SE | Not vulnerable | 15.0(1)SE1 |
| 15.0SG | Not vulnerable. Cisco IOS XE devices: Please see Cisco IOS XE Software Availability | 15.0(2)SG2. Cisco IOS XE devices: Please see Cisco IOS XE Software Availability |
| 15.0SY | Not vulnerable | 15.0(1)SY1 |
| 15.0XA | Not vulnerable | Vulnerable; First fixed in Release 15.1T |
| 15.0XO | Cisco IOS XE devices: Please see Cisco IOS-XE Software Availability | Cisco IOS XE devices: Please see Cisco IOS-XE Software Availability |
|----------+--------------------+----------------------------|
| Affected 15.1-Based Releases | First Fixed Release | First Fixed Release for All Advisories in the March 2012 Cisco IOS Software Security Advisory Bundled Publication |
|----------+--------------------+----------------------------|
| 15.1EY | Not vulnerable | 15.1(2)EY2 |
| 15.1GC | Not vulnerable | 15.1(2)GC2 |
| 15.1M | Not vulnerable | 15.1(4)M4 (Available on 30-MAR-12) |
| 15.1MR | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 15.1S | Not vulnerable. Cisco IOS XE devices: Please see Cisco IOS XE Software Availability | 15.1(3)S2. Cisco IOS XE devices: Please see Cisco IOS XE Software Availability |
| 15.1SG | Not vulnerable. Cisco IOS XE devices: Please see Cisco IOS XE Software Availability | Not vulnerable. Cisco IOS XE devices: Please see Cisco IOS XE Software Availability |
| 15.1SNG | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 15.1SNH | Not vulnerable | Not vulnerable |
| 15.1T | 15.1(1)T4, 15.1(2)T5 (Available on 27-APR-12), 15.1(3)T | 15.1(3)T3 |
| 15.1XB | Not vulnerable | Vulnerable; First fixed in Release 15.1T |
|----------+--------------------+----------------------------|
| Affected 15.2-Based Releases | First Fixed Release | First Fixed Release for All Advisories in the March 2012 Cisco IOS Software Security Advisory Bundled Publication |
|------------------------------------------------------------|
| There are no affected 15.2 based releases |
+------------------------------------------------------------+

Cisco IOS XE Software
+--------------------

Cisco IOS XE Software is not affected by the vulnerability that is disclosed in this document.

Cisco IOS XR Software
+--------------------

Cisco IOS XR Software is not affected by any of the vulnerabilities disclosed in the March 2012 Cisco IOS Software Security Advisory bundled publication.

Workarounds
===========

NAT for SIP Resource Exhaustion Vulnerability
+--------------------------------------------

This vulnerability can be mitigated by disabling NAT SIP ALG over the UDP transport by using the "no ip nat service sip udp port 5060" global configuration command. This command can only be configured in Cisco IOS images that include the NAT ALG SIP feature. Layer 3 NAT translation will continue to be performed on SIP packets but the SIP payload will not be translated.

Obtaining Fixed Software
========================

Cisco has released free software updates that address the vulnerability described in this advisory.
Prior to deploying software, customers are advised to consult their maintenance providers or check the software for feature set compatibility and known issues that are specific to their environments.

Customers may only install and expect support for feature sets they have purchased. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as set forth at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact psirt at cisco.com or security-alert at cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, upgrades should be obtained through the Software Center on Cisco.com at http://www.cisco.com.

Customers Using Third-Party Support Organizations
+------------------------------------------------

Customers with Cisco products that are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers, should contact that organization for assistance with the appropriate course of action.

The effectiveness of any workaround or fix depends on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Because of the variety of affected products and releases, customers should consult their service providers or support organizations to ensure that any applied workaround or fix is the most appropriate in the intended network before it is deployed.

Customers Without Service Contracts
+----------------------------------

Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC):

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac at cisco.com

Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Customers without service contracts should request free upgrades through the TAC.

Refer to Cisco Worldwide Contacts at http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, instructions, and e-mail addresses for support in various languages.

Exploitation and Public Announcements
=====================================

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

This vulnerability was found during troubleshooting of TAC service requests.

Status of This Notice: Final
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco Security Intelligence Operations at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-nat

Additionally, a text version of this advisory is clear signed with the Cisco PSIRT PGP key and circulated among the following e-mail addresses:

  * cust-security-announce at cisco.com
  * first-bulletins at lists.first.org
  * bugtraq at securityfocus.com
  * vulnwatch at vulnwatch.org
  * cisco at spot.colorado.edu
  * cisco-nsp at puck.nether.net
  * full-disclosure at lists.grok.org.uk

Future updates of this advisory, if any, will reside on Cisco.com but may not be announced on mailing lists. Users can monitor this advisory's URL for any updates.

Revision History
================

+------------------------------------------------------------+
| Revision 1.0 | 2012-March-28 | Initial public release. |
+------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information about reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco is available on Cisco.com at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This web page includes instructions for press inquiries regarding Cisco Security Advisories. All Cisco Security Advisories are available at http://www.cisco.com/go/psirt.
From psirt at cisco.com Wed Mar 28 12:20:57 2012
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Wed, 28 Mar 2012 12:20:57 -0400
Subject: [c-nsp] Cisco Security Advisory: Cisco IOS Software RSVP Denial of Service Vulnerability
Message-ID: <201203281220058.cisco-sa-20120328-rsvp@psirt.cisco.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Cisco Security Advisory: Cisco IOS Software RSVP Denial of Service Vulnerability

Advisory ID: cisco-sa-20120328-rsvp

Revision 1.0

For Public Release 2012 March 28 16:00 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Cisco IOS Software and Cisco IOS XE Software contain a vulnerability in the RSVP feature when used on a device configured with VPN routing and forwarding (VRF) instances. This vulnerability could allow an unauthenticated, remote attacker to cause an interface wedge, which can lead to loss of connectivity, loss of routing protocol adjacency, and other denial of service (DoS) conditions. This vulnerability could be exploited repeatedly to cause an extended DoS condition.

A workaround is available to mitigate this vulnerability.

Cisco has released free software updates that address this vulnerability.

This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-rsvp

Note: The March 28, 2012, Cisco IOS Software Security Advisory bundled publication includes nine Cisco Security Advisories. Each advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all vulnerabilities in the March 2012 bundled publication.
Individual publication links are in "Cisco Event Response: Semi-Annual Cisco IOS Software Security Advisory Bundled Publication" at the following link: http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.html

Affected Products
=================

Vulnerable Products
+------------------

Only devices with specific configurations are affected. Cisco devices that are running affected Cisco IOS Software or Cisco IOS XE Software versions are vulnerable when they are configured with RSVP and also have one or more VRF interfaces.

A device is vulnerable if both of the following criteria are met:

  * At least one VRF is configured without RSVP
  * At least one other interface (physical or virtual), not in the same VRF, is configured with RSVP

Some example scenarios are as follows:

  * RSVP-Traffic Engineering (RSVP-TE) in Multiprotocol Label Switching (MPLS) infrastructures
  * Multi-VRF infrastructures
  * VRF-Lite infrastructures

To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to "Cisco Internetwork Operating System Software" or "Cisco IOS Software." The image name displays in parentheses, followed by "Version" and the Cisco IOS Software release name. Other Cisco devices do not have the show version command or may provide different output.

The following example identifies a Cisco product that is running Cisco IOS Software Release 15.0(1)M1 with an installed image name of C3900-UNIVERSALK9-M:

    Router> show version
    Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2009 by Cisco Systems, Inc.
    Compiled Wed 02-Dec-09 17:17 by prod_rel_team

    !--- output truncated

Additional information about Cisco IOS Software release naming conventions is available in "White Paper: Cisco IOS and NX-OS Software Reference Guide" at: http://www.cisco.com/web/about/security/intelligence/ios-ref.html

Products Confirmed Not Vulnerable
+--------------------------------

Cisco IOS-XR software is not affected by this vulnerability.

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

Cisco IOS Software and Cisco IOS XE Software contain a vulnerability in the RSVP feature when used on a device configured with VPN routing and forwarding (VRF) instances. This vulnerability could allow an unauthenticated, remote attacker to cause an interface wedge, which can lead to loss of connectivity, loss of routing protocol adjacency, and other denial of service (DoS) conditions. This vulnerability could be exploited repeatedly to cause an extended DoS condition.

A device is vulnerable if it is configured with VRF and none of the interfaces in that VRF have RSVP enabled, but any other interface (physical or virtual) does have RSVP enabled. An attacker with some knowledge of the affected infrastructure could exploit this vulnerability by sending RSVP packets to vulnerable devices. Successful exploitation of the vulnerability could allow an attacker to wedge the receive queue of any RSVP ingress interface.

A workaround is available to mitigate this vulnerability.

In devices that meet the vulnerable configuration criteria, valid RSVP packets could trigger this vulnerability. An attacker with knowledge of the infrastructure could craft valid RSVP packets with set conditions to exploit this vulnerability. Recovery from this interface queue wedge requires a reload of the device.
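As an added example (not part of the advisory and not Cisco's code), the following Python script applies the two configuration criteria above to a running-config and reports whether the "ip rsvp listener vrf ... announce" command from the Workarounds section covers each VRF that lacks RSVP. Its assumptions: an interface counts as RSVP-enabled when it carries an "ip rsvp bandwidth" line, the sample configurations are constructed, and 203.0.113.1 is a placeholder for an address present neither on the device nor in its routing tables.

```python
"""Check a Cisco IOS running-config against the RSVP/VRF criteria in this
advisory and report whether the listener workaround covers each exposed VRF.
Added example code, not Cisco's. Assumptions: 'ip rsvp bandwidth' marks an
RSVP-enabled interface; the sample configs are constructed; 203.0.113.1 is
a placeholder address that exists nowhere on the device or in its routing.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

VRF_DEF_RE = re.compile(r"^(?:ip vrf|vrf definition) (\S+)\s*$")
INTERFACE_RE = re.compile(r"^interface (\S+)\s*$")
VRF_FWD_RE = re.compile(r"^\s+(?:ip )?vrf forwarding (\S+)")
RSVP_IF_RE = re.compile(r"^\s+ip rsvp bandwidth\b")
# Global command from the Workarounds section of this advisory.
LISTENER_RE = re.compile(r"^ip rsvp listener vrf (\S+) \S+ 0 0 announce")


@dataclass
class RsvpExposure:
    vulnerable: bool
    exposed_vrfs: List[str]     # no RSVP interface and no listener
    mitigated_vrfs: List[str]   # no RSVP interface, but a listener is present
    rsvp_interfaces: List[str]  # RSVP-enabled interfaces in any table


def parse_config(text: str):
    """Return (vrfs, interface -> vrf or None, rsvp interfaces, listener vrfs)."""
    vrfs: List[str] = []
    iface_vrf: Dict[str, Optional[str]] = {}   # None means global table
    rsvp_ifaces: List[str] = []
    listeners: List[str] = []
    current: Optional[str] = None              # interface stanza in progress
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None                     # '!' closes a stanza
            continue
        if not line[0].isspace():              # a global-mode command
            current = None
            if m := VRF_DEF_RE.match(line):
                vrfs.append(m.group(1))
            elif m := INTERFACE_RE.match(line):
                current = m.group(1)
                iface_vrf[current] = None
            elif m := LISTENER_RE.match(line):
                listeners.append(m.group(1))
            continue
        if current is None:
            continue                           # sub-command of another stanza
        if m := VRF_FWD_RE.match(line):
            iface_vrf[current] = m.group(1)
        elif RSVP_IF_RE.match(line):
            rsvp_ifaces.append(current)
    return vrfs, iface_vrf, rsvp_ifaces, listeners


def assess_rsvp_exposure(config: str) -> RsvpExposure:
    vrfs, iface_vrf, rsvp_ifaces, listeners = parse_config(config)
    vrfs_with_rsvp = {iface_vrf[i] for i in rsvp_ifaces}
    # Criterion 1: at least one VRF is configured without RSVP.
    without_rsvp = [v for v in vrfs if v not in vrfs_with_rsvp]
    mitigated = [v for v in without_rsvp if v in listeners]
    exposed = [v for v in without_rsvp if v not in listeners]
    # Criterion 2: another interface, not in that VRF, has RSVP enabled.
    other_rsvp = any(iface_vrf[i] not in exposed for i in rsvp_ifaces)
    return RsvpExposure(bool(exposed) and other_rsvp, exposed, mitigated,
                        rsvp_ifaces)


# Constructed sample: CUST-A has no RSVP interface while the global-table
# link Gi0/0 and the CUST-B interface Gi0/2 run RSVP, so both criteria hold.
VULNERABLE_CONFIG = """\
ip vrf CUST-A
!
ip vrf CUST-B
!
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.252
 ip rsvp bandwidth 500000
!
interface GigabitEthernet0/1
 ip vrf forwarding CUST-A
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/2
 ip vrf forwarding CUST-B
 ip address 198.51.100.1 255.255.255.0
 ip rsvp bandwidth 10000
!
"""
# The same device with the advisory's workaround applied for CUST-A.
MITIGATED_CONFIG = VULNERABLE_CONFIG + \
    "ip rsvp listener vrf CUST-A 203.0.113.1 0 0 announce\n"

if __name__ == "__main__":
    for label, cfg in (("before", VULNERABLE_CONFIG), ("after", MITIGATED_CONFIG)):
        print(label, assess_rsvp_exposure(cfg))
```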
An interface queue wedge is a class of vulnerability in which certain packets are received and queued by a Cisco IOS router or switch but, due to a processing error, are never removed from the queue. For more information about queue wedges and a few detection mechanisms that may be used to identify a blocked interface on Cisco IOS Software (including a white paper describing how this condition can be detected using SNMP) see: http://blogs.cisco.com/security/comments/cisco_ios_queue_wedges_explained

This vulnerability has been documented in Cisco bug ID CSCts80643 and has been assigned the Common Vulnerabilities and Exposures (CVE) ID CVE-2012-1311.

Vulnerability Scoring Details
=============================

Cisco has scored the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps organizations determine the urgency and priority of a response.

Cisco has provided a base and temporal score. Customers can also compute environmental scores that help determine the impact of the vulnerability in their own networks.

Cisco has provided additional information regarding CVSS at the following link: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to compute the environmental impact for individual networks at the following link: http://intellishield.cisco.com/security/alertmanager/cvss

  * CSCts80643 - Cisco IOS Software RSVP Denial of Service Vulnerability

    CVSS Base Score - 7.8
      Access Vector - Network
      Access Complexity - Low
      Authentication - None
      Confidentiality Impact - None
      Integrity Impact - None
      Availability Impact - Complete

    CVSS Temporal Score - 6.4
      Exploitability - Functional
      Remediation Level - Official-Fix
      Report Confidence - Confirmed

Impact
======

Successful exploitation of this vulnerability will result in an interface queue wedge, which can lead to loss of connectivity, loss of routing protocol adjacency, and other DoS conditions. This vulnerability could be exploited repeatedly to cause an extended DoS condition.

Software Versions and Fixes
===========================

When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at: http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Cisco IOS Software
+-----------------

Each row of the following Cisco IOS Software table corresponds to a Cisco IOS Software train. If a particular train is vulnerable, the earliest releases that contain the fix are listed in the First Fixed Release column.
The First Fixed Release for All Advisories in the March 2012 Bundled Publication column lists the earliest possible releases that correct all the published vulnerabilities in the Cisco IOS Software Security Advisory bundled publication. Cisco recommends upgrading to the latest available release, where possible.

The Cisco IOS Software Checker allows customers to search for Cisco Security Advisories that address specific Cisco IOS Software releases. This tool is available on the Cisco Security Intelligence Operations (SIO) portal at: http://tools.cisco.com/security/center/selectIOSVersion.x

+--------------------------------------------------------------------+
| Major Release | Availability of Repaired Releases |
|----------+---------------------------------------------------------|
| Affected 12.0-Based Releases | First Fixed Release | First Fixed Release for All Advisories in the March 2012 Cisco IOS Software Security Advisory Bundled Publication |
|--------------------------------------------------------------------|
| There are no affected 12.0 based releases |
|--------------------------------------------------------------------|
| Affected 12.2-Based Releases | First Fixed Release | First Fixed Release for All Advisories in the March 2012 Cisco IOS Software Security Advisory Bundled Publication |
|--------------------------------------------------------------------|
| There are no affected 12.2 based releases |
|--------------------------------------------------------------------|
| Affected 12.3-Based Releases | First Fixed Release | First Fixed Release for All Advisories in the March 2012 Cisco IOS Software Security Advisory Bundled Publication |
|--------------------------------------------------------------------|
| There are no affected 12.3 based releases |
|--------------------------------------------------------------------|
| Affected 12.4-Based Releases | First Fixed Release | First Fixed Release for All Advisories in the March 2012 Cisco IOS Software Security Advisory Bundled Publication |
|--------------------------------------------------------------------|
| There are no affected 12.4 based releases |
|--------------------------------------------------------------------|
| Affected 15.0-Based Releases | First Fixed Release | First Fixed Release for All Advisories in the March 2012 Cisco IOS Software Security Advisory Bundled Publication |
|----------+----------------------------+----------------------------|
| 15.0M | 15.0(1)M8 | 15.0(1)M8 |
| 15.0MR | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 15.0MRA | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 15.0S | Not vulnerable. Cisco IOS XE devices: Please see Cisco IOS XE Software Availability | 15.0(1)S5. Cisco IOS XE devices: Please see Cisco IOS XE Software Availability |
| 15.0SA | Not vulnerable | Not vulnerable |
| 15.0SE | Not vulnerable | 15.0(1)SE1 |
| 15.0SG | Not vulnerable. Cisco IOS XE devices: Please see Cisco IOS XE Software Availability | 15.0(2)SG2. Cisco IOS XE devices: Please see Cisco IOS XE Software Availability |
| 15.0SY | 15.0(1)SY1 | 15.0(1)SY1 |
| 15.0XA | Vulnerable; First fixed in Release 15.1T | Vulnerable; First fixed in Release 15.1T |
| 15.0XO | Cisco IOS XE devices: Please see Cisco IOS XE Software Availability | Cisco IOS XE devices: Please see Cisco IOS XE Software Availability |
|----------+----------------------------+----------------------------|
| Affected 15.1-Based Releases | First Fixed Release | First Fixed Release for All Advisories in the March 2012 Cisco IOS Software Security Advisory Bundled Publication |
|----------+----------------------------+----------------------------|
| 15.1EY | 15.1(2)EY2 | 15.1(2)EY2 |
| 15.1GC | 15.1(2)GC2 | 15.1(2)GC2 |
| 15.1M | 15.1(4)M3; 15.1(4)M3a | 15.1(4)M4; Available on 30-MAR-12 |
| 15.1MR | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 15.1S | 15.1(3)S2. Cisco IOS XE devices: Please see Cisco IOS XE Software Availability | 15.1(3)S2. Cisco IOS XE devices: Please see Cisco IOS XE Software Availability |
| 15.1SG | Not vulnerable. Cisco IOS XE devices: Please see Cisco IOS XE Software Availability | Not vulnerable. Cisco IOS XE devices: Please see Cisco IOS XE Software Availability |
| 15.1SNG | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 15.1SNH | Not vulnerable | Not vulnerable |
| 15.1T | 15.1(1)T5 (Available on 18-MAY-12); 15.1(2)T5 (Available on 27-APR-12); 15.1(3)T3 | 15.1(3)T3 |
| 15.1XB | Vulnerable; First fixed in Release 15.1T | Vulnerable; First fixed in Release 15.1T |
|----------+----------------------------+----------------------------|
| Affected 15.2-Based Releases | First Fixed Release | First Fixed Release for All Advisories in the March 2012 Cisco IOS Software Security Advisory Bundled Publication |
|--------------------------------------------------------------------|
| There are no affected 15.2 based releases |
+--------------------------------------------------------------------+

Cisco IOS XE Software
+--------------------

Cisco IOS XE Software is affected by the vulnerability that is disclosed in this document.

+---------------------------------------+
| Cisco IOS XE Software Release | First Fixed Release | First Fixed Release for All Advisories in the March 2012 Cisco IOS Software Security Advisory Bundled Publication |
|----------+-------------+--------------|
| 2.1.x | Not vulnerable | Vulnerable; migrate to 3.4.2S or later. |
| 2.2.x | Not vulnerable | Vulnerable; migrate to 3.4.2S or later. |
| 2.3.x | Not vulnerable | Vulnerable; migrate to 3.4.2S or later. |
| 2.4.x | Not vulnerable | Vulnerable; migrate to 3.4.2S or later. |
| 2.5.x | Not vulnerable | Vulnerable; migrate to 3.4.2S or later. |
| 2.6.x | Not vulnerable | Vulnerable; migrate to 3.4.2S or later. |
| 3.1.xS | Not vulnerable | Vulnerable; migrate to 3.4.2S or later. |
| 3.1xSG | Not vulnerable | Vulnerable; migrate to 3.2.2SG or later. |
| 3.2.xS | Vulnerable; migrate to 3.4.2S or later. | Vulnerable; migrate to 3.4.2S or later. |
| 3.2xSG | Not vulnerable | 3.2.2SG |
| 3.3.xS | Vulnerable; migrate to 3.4.2S or later. | Vulnerable; migrate to 3.4.2S or later. |
| 3.3.xSG | Not Vulnerable | Not Vulnerable |
| 3.4.xS | 3.4.2S | 3.4.2S |
| 3.5.xS | Not vulnerable | 3.5.1S |
| 3.6.xS | Not vulnerable | Not vulnerable |
+---------------------------------------+

For a mapping of Cisco IOS XE Software releases to Cisco IOS Software releases, refer to Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S Release Notes, and Cisco IOS XE 3SG Release Notes.

Cisco IOS XR Software
+--------------------

Cisco IOS XR Software is not affected by any of the vulnerabilities disclosed in the March 2012 Cisco IOS Software Security Advisory Bundled Publication.
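Added example, not part of the advisory and not Cisco's IOS Software Checker: a Python script that pulls the release string out of "show version" output (using the advisory's own sample banner from the Vulnerable Products section) and looks it up in the First Fixed Release column transcribed from the Cisco IOS Software table above. The rule that a release is fixed when its rebuild is at or past the listed first-fixed rebuild within the same maintenance number, and the "unknown" fallback for anything the table does not settle, are this example's assumptions.

```python
"""Identify the running Cisco IOS release from 'show version' output and
look it up in this advisory's First Fixed Release column. Added example
code, not Cisco's. Assumptions: the tables below transcribe a subset of
the advisory's table; 'fixed' means rebuild >= the listed first-fixed
rebuild within the same maintenance number; otherwise 'unknown'.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# major.minor(maintenance)TRAIN rebuild[suffix], e.g. 15.1(4)M3a
RELEASE_RE = re.compile(r"(\d+)\.(\d+)\((\d+)\)([A-Z]+)(\d*)([a-z]?)")


@dataclass(frozen=True, order=True)
class IosRelease:
    major: int
    minor: int
    maint: int      # number in parentheses, 1 in 15.0(1)M8
    train: str      # train letters, e.g. M, T, SY
    rebuild: int    # trailing number, 0 when absent as in 15.1(3)T
    suffix: str     # trailing letter, 'a' in 15.1(4)M3a

    @property
    def train_key(self) -> str:
        """Row label as used in the advisory table, e.g. '15.1T'."""
        return f"{self.major}.{self.minor}{self.train}"


def parse_release(text: str) -> Optional[IosRelease]:
    m = RELEASE_RE.search(text)
    if not m:
        return None
    major, minor, maint, train, rebuild, suffix = m.groups()
    return IosRelease(int(major), int(minor), int(maint), train,
                      int(rebuild) if rebuild else 0, suffix)


def identify_from_show_version(output: str) -> Optional[IosRelease]:
    """Find the system banner line the advisory describes and parse it."""
    for line in output.splitlines():
        if "Version" in line and ("Cisco IOS Software" in line or
                "Cisco Internetwork Operating System Software" in line):
            return parse_release(line)
    return None


# First Fixed Release column of this advisory, for rows naming a release.
FIRST_FIXED: Dict[str, List[str]] = {
    "15.0M": ["15.0(1)M8"],
    "15.0SY": ["15.0(1)SY1"],
    "15.1EY": ["15.1(2)EY2"],
    "15.1GC": ["15.1(2)GC2"],
    "15.1M": ["15.1(4)M3", "15.1(4)M3a"],
    "15.1S": ["15.1(3)S2"],
    "15.1T": ["15.1(1)T5", "15.1(2)T5", "15.1(3)T3"],
}
NOT_VULNERABLE = {"15.0MR", "15.0MRA", "15.0S", "15.0SA", "15.0SE",
                  "15.0SG", "15.1SG", "15.1SNH"}
CONTACT_SUPPORT = {"15.1MR", "15.1SNG"}
MIGRATE_TO = {"15.0XA": "15.1T", "15.1XB": "15.1T"}
UNAFFECTED_MAJORS = {(12, 0), (12, 2), (12, 3), (12, 4), (15, 2)}


def assess(rel: IosRelease) -> str:
    """Map a release to the advisory's verdict for its train."""
    if (rel.major, rel.minor) in UNAFFECTED_MAJORS:
        return "not vulnerable"
    key = rel.train_key
    if key in NOT_VULNERABLE:
        return "not vulnerable"
    if key in MIGRATE_TO:
        return f"vulnerable; first fixed in Release {MIGRATE_TO[key]}"
    if key in CONTACT_SUPPORT:
        return "vulnerable; contact your support organization"
    fixed = [f for f in map(parse_release, FIRST_FIXED.get(key, [])) if f]
    same_maint = [f for f in fixed if f.maint == rel.maint]
    if not same_maint:
        return "unknown; check the advisory"
    # Dataclass ordering compares (major, minor, maint, train, rebuild, suffix).
    return "fixed" if any(rel >= f for f in same_maint) else "vulnerable"


# The advisory's own sample banner (15.0(1)M1, image C3900-UNIVERSALK9-M).
SAMPLE_SHOW_VERSION = """\
Router> show version
Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
"""

if __name__ == "__main__":
    rel = identify_from_show_version(SAMPLE_SHOW_VERSION)
    print(rel, "->", assess(rel) if rel else "no IOS banner found")
```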
Workarounds
===========

It is possible to mitigate the vulnerability in this advisory by applying the global configuration command ip rsvp listener vrf vrf-name ip-address 0 0 announce, where the IP address is one that does not exist on the device or in the routing tables.

Obtaining Fixed Software
========================

Cisco has released free software updates that address the vulnerability described in this advisory. Prior to deploying software, customers are advised to consult their maintenance providers or check the software for feature set compatibility and known issues that are specific to their environments.

Customers may only install and expect support for feature sets they have purchased. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as set forth at http://www.cisco.com/public/sw-center/sw-usingswc.shtml

Do not contact psirt at cisco.com or security-alert at cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, upgrades should be obtained through the Software Center on Cisco.com at http://www.cisco.com

Customers Using Third-Party Support Organizations
+------------------------------------------------

Customers with Cisco products that are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers, should contact that organization for assistance with the appropriate course of action.

The effectiveness of any workaround or fix depends on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Because of the variety of affected products and releases, customers should consult their service providers or support organizations to ensure that any applied workaround or fix is the most appropriate in the intended network before it is deployed.

Customers Without Service Contracts
+----------------------------------

Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC):

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac at cisco.com

Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Customers without service contracts should request free upgrades through the TAC.

Refer to Cisco Worldwide Contacts at: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, instructions, and e-mail addresses for support in various languages.

Exploitation and Public Announcements
=====================================

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

This vulnerability was discovered by Cisco during internal testing.

Status of This Notice: Final
+---------------------------

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on the Cisco Security Intelligence Operations portal at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-rsvp

Additionally, a text version of this advisory is clear signed with the Cisco PSIRT PGP key and circulated among the following e-mail addresses:

  * cust-security-announce at cisco.com
  * first-bulletins at lists.first.org
  * bugtraq at securityfocus.com
  * vulnwatch at vulnwatch.org
  * cisco at spot.colorado.edu
  * cisco-nsp at puck.nether.net
  * full-disclosure at lists.grok.org.uk

Future updates of this advisory, if any, will reside on Cisco.com but may not be announced on mailing lists. Users can monitor this advisory's URL for any updates.

Revision History
================

+---------------------------------------+
| Revision 1.0 | 2012-March-28 | Initial public release |
+---------------------------------------+

Cisco Security Procedures
=========================

Complete information about reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco is available on Cisco.com at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

This web page includes instructions for press inquiries regarding Cisco Security Advisories. All Cisco Security Advisories are available at: http://www.cisco.com/go/psirt

+--------------------------------------------------------------------
Copyright 2010-2012 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------

From saku at ytti.fi Wed Mar 28 12:45:13 2012
From: saku at ytti.fi (Saku Ytti)
Date: Wed, 28 Mar 2012 19:45:13 +0300
Subject: [c-nsp] Cisco 7201 rate-limit or aggregate policer
In-Reply-To: <4F733775.7080505@gmail.com>
References: <4F733775.7080505@gmail.com>
Message-ID: <20120328164513.GA15169@pob.ytti.fi>

On (2012-03-28 09:08 -0700), Chris Hunt wrote:

> interface GigabitEthernet0/1.310
>  encapsulation dot1Q 310
>  rate-limit input 11000000 2062500 4125000 conform-action transmit exceed-action drop
>  rate-limit output 11000000 2062500 4125000 conform-action transmit exceed-action drop

I would recommend rather using MQC; I don't think this is any more officially supported. I recall some 7 years ago on NSE100 where this command disappeared from IOS and we migrated to MQC and got customer complaints, as it actually started working and customers were unhappy with the new lower speed connections.
-- 
  ++ytti

From psirt at cisco.com Wed Mar 28 12:20:57 2012
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Wed, 28 Mar 2012 12:20:57 -0400
Subject: [c-nsp] Cisco Security Advisory: Cisco IOS Software Multicast Source Discovery Protocol Vulnerability
Message-ID: <201203281220058.cisco-sa-20120328-msdp@psirt.cisco.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Cisco Security Advisory: Cisco IOS Software Multicast Source Discovery Protocol Vulnerability

Advisory ID: cisco-sa-20120328-msdp

Revision 1.0

For Public Release 2012 March 28 16:00 UTC (GMT)

+--------------------------------------------------------------------

Summary
=======

A vulnerability in the Multicast Source Discovery Protocol (MSDP) implementation of Cisco IOS Software and Cisco IOS XE Software could allow a remote, unauthenticated attacker to cause a reload of an affected device. Repeated attempts to exploit this vulnerability could result in a sustained denial of service (DoS) condition.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available. This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-msdp

Note: The March 28, 2012, Cisco IOS Software Security Advisory bundled publication includes nine Cisco Security Advisories. Each advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all vulnerabilities in the March 2012 bundled publication.
Individual publication links are in "Cisco Event Response: Semi-Annual Cisco IOS Software Security Advisory Bundled Publication" at the following link:

http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.html

Affected Products
=================

Vulnerable Products
+------------------

The following products are affected by this vulnerability:

  + Cisco IOS Software
  + Cisco IOS XE Software

To determine whether a Cisco IOS or Cisco IOS XE Software release is running on a Cisco product, administrators can log in to the device and issue the "show version" command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to "Cisco Internetwork Operating System Software" or "Cisco IOS Software." The image name displays in parentheses, followed by "Version" and the Cisco IOS Software release name. Other Cisco devices do not have the "show version" command or may provide different output.

The following example identifies a Cisco product that is running Cisco IOS Software Release 12.4(20)T with an installed image name of C1841-ADVENTERPRISEK9-M:

    Router#show version
    Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2008 by Cisco Systems, Inc.
    Compiled Thu 10-Jul-08 20:25 by prod_rel_team

Additional information about Cisco IOS Software release naming conventions is available in the White Paper: Cisco IOS and NX-OS Software Reference Guide

Products Confirmed Not Vulnerable
+--------------------------------

Cisco IOS XR Software is not affected by this vulnerability.

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

MSDP is the protocol used to connect multiple Protocol Independent Multicast sparse mode (PIM-SM) domains.
MSDP allows multicast sources for a group to be known to all rendezvous points (RPs) in different domains. An RP runs MSDP over TCP to discover multicast sources. An RP in a PIM-SM domain has an MSDP peering relationship with MSDP-enabled routers in another domain. The peering relationship occurs over a TCP connection, where primarily a list of sources sending to multicast groups is exchanged. The TCP connections between RPs are achieved by the underlying routing system. The receiving RP uses the source lists to establish a source path. The purpose of this topology is to have domains discover multicast sources in other domains. If the multicast sources are of interest to a domain that has receivers, multicast data is delivered over the normal, source-tree building mechanism in PIM-SM.

An MSDP packet containing encapsulated Internet Group Management Protocol (IGMP) data, received from an external MSDP-configured peer router, can cause an affected device to reload. This vulnerability can only be exploited if the router is explicitly joined to the multicast group. The MSDP packet destination address is a unicast address and can be addressed to any IP address on the affected device, including loopback addresses. Transit traffic will not trigger this vulnerability.

A vulnerable interface configuration contains an explicitly joined multicast group. Some example configurations that permit exploitation of this vulnerability are:

    !--- Interface configured for SAP Listener Support (a common multicast group)

    interface GigabitEthernet0/0
     ip address 192.168.0.1 255.255.255.0
     ip pim sparse-mode
     ip sap listen

    !--- Interface configured to join a multicast group

    interface GigabitEthernet0/0
     ip address 192.168.0.1 255.255.255.0
     ip pim sparse-mode
     ip igmp join-group 224.2.127.254

You can also use the "show ip igmp interface" command to determine if an interface is joined to a multicast group.
    RouterA#show ip igmp interface
    GigabitEthernet0/0 is up, line protocol is up
      Internet address is 192.168.0.1/24
      IGMP is enabled on interface
      Current IGMP host version is 2
      Current IGMP router version is 2
      IGMP query interval is 60 seconds
      IGMP querier timeout is 120 seconds
      IGMP max query response time is 10 seconds
      Last member query count is 2
      Last member query response interval is 1000 ms
      Inbound IGMP access group is not set
      IGMP activity: 2 joins, 0 leaves
      Multicast routing is disabled on interface
      Multicast TTL threshold is 0
      Multicast groups joined by this system (number of users):
          224.2.127.254(2)  239.255.255.255(1)

This vulnerability is documented in Cisco bug ID CSCtr28857.

This vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2012-0382.

Vulnerability Scoring Details
=============================

Cisco has scored the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps organizations determine the urgency and priority of a response.

Cisco has provided a base and temporal score. Customers can also compute environmental scores that help determine the impact of the vulnerability in their own networks.
Cisco has provided additional information regarding CVSS at the following link:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to compute the environmental impact for individual networks at the following link:

http://intellishield.cisco.com/security/alertmanager/cvss

* CSCtr28857 ("MSDP-peered Router joined to a multicast group may crash")

CVSS Base Score - 7.1
    Access Vector           - Network
    Access Complexity       - Medium
    Authentication          - None
    Confidentiality Impact  - None
    Integrity Impact        - None
    Availability Impact     - Complete

CVSS Temporal Score - 6.4
    Exploitability          - Functional
    Remediation Level       - Workaround
    Report Confidence       - Confirmed

Impact
======

Successful exploitation of this vulnerability may cause the affected device to reload. Repeated exploitation may result in a sustained DoS condition.

Software Versions and Fixes
===========================

When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Cisco IOS Software
+-----------------

Each row of the following Cisco IOS Software table corresponds to a Cisco IOS Software train. If a particular train is vulnerable, the earliest releases that contain the fix are listed in the First Fixed Release column.
The First Fixed Release for All Advisories in the March 2012 Bundled Publication column lists the earliest possible releases that correct all the published vulnerabilities in the Cisco IOS Software Security Advisory bundled publication. Cisco recommends upgrading to the latest available release, where possible.

The Cisco IOS Software Checker allows customers to search for Cisco Security Advisories that address specific Cisco IOS Software releases. This tool is available on the Cisco Security Intelligence Operations (SIO) portal at:

http://tools.cisco.com/security/center/selectIOSVersion.x

| Major Release | First Fixed Release | First Fixed Release for All Advisories in the March 2012 Cisco IOS Software Security Advisory Bundled Publication |
|---------------+---------------------+-----------------------------------------------------------------------------------------------------------------|
| Affected 12.0-Based Releases | | |
| 12.0S | 12.0(33)S10 | 12.0(33)S10 |
| 12.0SY | 12.0(32)SY15 | 12.0(32)SY15 |
| 12.0SZ | Vulnerable; First fixed in Release 12.0S | Vulnerable; First fixed in Release 12.0S |
| Affected 12.2-Based Releases | | |
| 12.2 | Vulnerable; First fixed in Release 12.4 | Vulnerable; First fixed in Release 15.0M |
| 12.2B | Vulnerable; First fixed in Release 12.4 | Vulnerable; First fixed in Release 15.0M |
| 12.2BC | Vulnerable; First fixed in Release 12.4 | Vulnerable; First fixed in Release 15.0M |
| 12.2BW | Vulnerable; First fixed in Release 12.4 | Vulnerable; First fixed in Release 15.0M |
| 12.2BX | Vulnerable; First fixed in Release 12.2SB | Vulnerable; First fixed in Release 12.2SB |
| 12.2BY | Vulnerable; First fixed in Release 12.4 | Vulnerable; First fixed in Release 15.0M |
| 12.2BZ | Vulnerable; First fixed in Release 12.4 | Vulnerable; First fixed in Release 15.0M |
| 12.2CX | Vulnerable; First fixed in Release 12.4 | Vulnerable; First fixed in Release 15.0M |
| 12.2CY | Vulnerable; First fixed in Release 12.4 | Vulnerable; First fixed in Release 15.0M |
| 12.2CZ | Vulnerable; First fixed in Release 12.0S | Vulnerable; First fixed in Release 12.0S |
| 12.2DA | Vulnerable; First fixed in Release 12.4 | Vulnerable; First fixed in Release 15.0M |
| 12.2DD | Vulnerable; First fixed in Release 12.4 | Vulnerable; First fixed in Release 15.0M |
| 12.2DX | Vulnerable; First fixed in Release 12.4 | Vulnerable; First fixed in Release 15.0M |
| 12.2EU | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.2EW | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.2EWA | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.2EX | Vulnerable; First fixed in Release 15.0SE | Vulnerable; First fixed in Release 15.0SE |
| 12.2EY | 12.2(52)EY4, 12.2(58)EY2 | 12.2(52)EY4 |
| 12.2EZ | Releases prior to 12.2(53)EZ are vulnerable; Releases 12.2(53)EZ and later are not vulnerable. First fixed in Release 15.0SE | Vulnerable; First fixed in Release 15.0SE |
| 12.2FX | Not vulnerable | Vulnerable; First fixed in Release 15.0SE |
| 12.2FY | Not vulnerable | Vulnerable; First fixed in Release 15.0SE |
| 12.2FZ | Vulnerable; First fixed in Release 12.2SE | Vulnerable; First fixed in Release 15.0SE |
| 12.2IRA | Vulnerable; First fixed in Release 12.2SRE | Vulnerable; First fixed in Release 12.2SRE |
| 12.2IRB | Vulnerable; First fixed in Release 12.2SRE | Vulnerable; First fixed in Release 12.2SRE |
| 12.2IRC | Vulnerable; First fixed in Release 12.2SRE | Vulnerable; First fixed in Release 12.2SRE |
| 12.2IRD | Vulnerable; First fixed in Release 12.2SRE | Vulnerable; First fixed in Release 12.2SRE |
| 12.2IRE | Vulnerable; First fixed in Release 12.2SRE | Vulnerable; First fixed in Release 12.2SRE |
| 12.2IRF | Vulnerable; First fixed in Release 12.2SRE | Vulnerable; First fixed in Release 12.2SRE |
| 12.2IRG | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.2IRH | 12.2(33)IRH1 | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.2IXA | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.2IXB | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.2IXC | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.2IXD | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.2IXE | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.2IXF | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.2IXG | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.2IXH | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.2JA | Not vulnerable | Not vulnerable |
| 12.2JK | Not vulnerable | Not vulnerable |
| 12.2MB | Vulnerable; First fixed in Release 12.4 | Vulnerable; First fixed in Release 15.0M |
| 12.2MC | Vulnerable; First fixed in Release 12.4 | Vulnerable; First fixed in Release 15.0M |
| 12.2MRA | Vulnerable; First fixed in Release 12.2SRE | Vulnerable; First fixed in Release 12.2SRE |
| 12.2MRB | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.2S | Releases prior to 12.2(30)S are vulnerable; Releases 12.2(30)S and later are not vulnerable. First fixed in Release 12.0S | Releases prior to 12.2(30)S are vulnerable; Releases 12.2(30)S and later are not vulnerable. First fixed in Release 12.0S |
| 12.2SB | 12.2(33)SB12 | 12.2(33)SB12 |
| 12.2SBC | Vulnerable; First fixed in Release 12.2SB | Vulnerable; First fixed in Release 12.2SRE |
| 12.2SCA | Vulnerable; First fixed in Release 12.2SCE | Vulnerable; First fixed in Release 12.2SCE |
| 12.2SCB | Vulnerable; First fixed in Release 12.2SCE | Vulnerable; First fixed in Release 12.2SCE |
| 12.2SCC | Vulnerable; First fixed in Release 12.2SCE | Vulnerable; First fixed in Release 12.2SCE |
| 12.2SCD | Vulnerable; First fixed in Release 12.2SCE | Vulnerable; First fixed in Release 12.2SCE |
| 12.2SCE | 12.2(33)SCE5 | 12.2(33)SCE6 |
| 12.2SCF | 12.2(33)SCF2 | 12.2(33)SCF2 |
| 12.2SE | 12.2(55)SE5 | 12.2(55)SE5 * |
| 12.2SEA | Vulnerable; First fixed in Release 12.2SE | Vulnerable; First fixed in Release 15.0SE |
| 12.2SEB | Vulnerable; First fixed in Release 12.2SE | Vulnerable; First fixed in Release 15.0SE |
| 12.2SEC | Vulnerable; First fixed in Release 12.2SE | Vulnerable; First fixed in Release 15.0SE |
| 12.2SED | Vulnerable; First fixed in Release 12.2SE | Vulnerable; First fixed in Release 15.0SE |
| 12.2SEE | Vulnerable; First fixed in Release 12.2SE | Vulnerable; First fixed in Release 15.0SE |
| 12.2SEF | Not vulnerable | Vulnerable; First fixed in Release 15.0SE |
| 12.2SEG | Releases prior to 12.2(25)SEG4 are vulnerable; Releases 12.2(25)SEG4 and later are not vulnerable. First fixed in Release 15.0SE | Vulnerable; First fixed in Release 15.0SE |
| 12.2SG | 12.2(53)SG7; Available on 07-MAY-12 | 12.2(53)SG7; Available on 07-MAY-12 |
| 12.2SGA | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.2SL | Not vulnerable | Not vulnerable |
| 12.2SM | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.2SO | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.2SQ | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.2SRA | Vulnerable; First fixed in Release 12.2SRE | Vulnerable; First fixed in Release 12.2SRE |
| 12.2SRB | Vulnerable; First fixed in Release 12.2SRE | Vulnerable; First fixed in Release 12.2SRE |
| 12.2SRC | Vulnerable; First fixed in Release 12.2SRE | Vulnerable; First fixed in Release 12.2SRE |
| 12.2SRD | Vulnerable; First fixed in Release 12.2SRE | Vulnerable; First fixed in Release 12.2SRE |
| 12.2SRE | 12.2(33)SRE5 | 12.2(33)SRE6 |
| 12.2STE | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.2SU | Vulnerable; First fixed in Release 12.4 | Vulnerable; First fixed in Release 15.0M |
| 12.2SV | Releases up to and including 12.2(18)SV2 are not vulnerable. | Releases up to and including 12.2(18)SV2 are not vulnerable. |
| 12.2SVA | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.2SVC | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.2SVD | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.2SVE | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.2SW | Vulnerable; First fixed in Release 12.4SW | Vulnerable; First fixed in Release 12.4T |
| 12.2SX | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.2SXA | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.2SXB | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.2SXD | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.2SXE | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.2SXF | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.2SXH | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.2SXI | 12.2(33)SXI9 | 12.2(33)SXI9 |
| 12.2SXJ | 12.2(33)SXJ2 | 12.2(33)SXJ2 |
| 12.2SY | 12.2(50)SY2; Available on 11-JUN-12 | 12.2(50)SY2; Available on 11-JUN-12 |
| 12.2SZ | Vulnerable; First fixed in Release 12.0S | Vulnerable; First fixed in Release 12.0S |
| 12.2T | Vulnerable; First fixed in Release 12.4 | Vulnerable; First fixed in Release 15.0M |
| 12.2TPC | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.2XA | Vulnerable; First fixed in Release 12.4 | Vulnerable; First fixed in Release 15.0M |
| 12.2XB | Vulnerable; First fixed in Release 12.4 | Vulnerable; First fixed in Release 15.0M |
| 12.2XC | Vulnerable; First fixed in Release 12.4 | Vulnerable; First fixed in Release 15.0M |
| 12.2XD | Vulnerable; First fixed in Release 12.4 | Vulnerable; First fixed in Release 15.0M |
| 12.2XE | Vulnerable; First fixed in Release 12.4 | Vulnerable; First fixed in Release 15.0M |
| 12.2XF | Vulnerable; First fixed in Release 12.4 | Vulnerable; First fixed in Release 15.0M |
| 12.2XG | Vulnerable; First fixed in Release 12.4 | Vulnerable; First fixed in Release 15.0M |
| 12.2XH | Vulnerable; First fixed in Release 12.4 | Vulnerable; First fixed in Release 15.0M |
| 12.2XI | Vulnerable; First fixed in Release 12.4 | Vulnerable; First fixed in Release 15.0M |
| 12.2XJ | Vulnerable; First fixed in Release 12.4 | Vulnerable; First fixed in Release 15.0M |
| 12.2XK | Vulnerable; First fixed in Release 12.4 | Vulnerable; First fixed in Release 15.0M |
Vulnerable; First | Vulnerable; First | | 12.2XL | fixed in Release 12.4 | fixed in Release | | | | 15.0M | |------------+-----------------------+-----------------------| | | Vulnerable; First | Vulnerable; First | | 12.2XM | fixed in Release 12.4 | fixed in Release | | | | 15.0M | |------------+-----------------------+-----------------------| | | Please see Cisco | Please see Cisco | | 12.2XNA | IOS-XE Software | IOS-XE Software | | | Availability | Availability | |------------+-----------------------+-----------------------| | | Please see Cisco | Please see Cisco | | 12.2XNB | IOS-XE Software | IOS-XE Software | | | Availability | Availability | |------------+-----------------------+-----------------------| | | Please see Cisco | Please see Cisco | | 12.2XNC | IOS-XE Software | IOS-XE Software | | | Availability | Availability | |------------+-----------------------+-----------------------| | | Please see Cisco | Please see Cisco | | 12.2XND | IOS-XE Software | IOS-XE Software | | | Availability | Availability | |------------+-----------------------+-----------------------| | | Please see Cisco | Please see Cisco | | 12.2XNE | IOS-XE Software | IOS-XE Software | | | Availability | Availability | |------------+-----------------------+-----------------------| | | Please see Cisco | Please see Cisco | | 12.2XNF | IOS-XE Software | IOS-XE Software | | | Availability | Availability | |------------+-----------------------+-----------------------| | | Vulnerable; contact | Vulnerable; contact | | | your support | your support | | | organization per the | organization per the | | 12.2XO | instructions in | instructions in | | | Obtaining Fixed | Obtaining Fixed | | | Software section of | Software section of | | | this advisory. | this advisory. 
| |------------+-----------------------+-----------------------| | | Vulnerable; First | Vulnerable; First | | 12.2XQ | fixed in Release 12.4 | fixed in Release | | | | 15.0M | |------------+-----------------------+-----------------------| | | Releases prior to | Releases prior to | | | 12.2(15)XR are | 12.2(15)XR are | | | vulnerable; Releases | vulnerable; Releases | | 12.2XR | 12.2(15)XR and later | 12.2(15)XR and later | | | are not vulnerable. | are not vulnerable. | | | First fixed in | First fixed in | | | Release 12.4 | Release 15.0M | |------------+-----------------------+-----------------------| | | Vulnerable; First | Vulnerable; First | | 12.2XS | fixed in Release 12.4 | fixed in Release | | | | 15.0M | |------------+-----------------------+-----------------------| | | Vulnerable; First | Vulnerable; First | | 12.2XT | fixed in Release 12.4 | fixed in Release | | | | 15.0M | |------------+-----------------------+-----------------------| | | Vulnerable; First | Vulnerable; First | | 12.2XU | fixed in Release 12.4 | fixed in Release | | | | 15.0M | |------------+-----------------------+-----------------------| | | Vulnerable; First | Vulnerable; First | | 12.2XV | fixed in Release 12.4 | fixed in Release | | | | 15.0M | |------------+-----------------------+-----------------------| | | Vulnerable; First | Vulnerable; First | | 12.2XW | fixed in Release 12.4 | fixed in Release | | | | 15.0M | |------------+-----------------------+-----------------------| | | Vulnerable; First | Vulnerable; First | | 12.2YA | fixed in Release 12.4 | fixed in Release | | | | 15.0M | |------------+-----------------------+-----------------------| | | Vulnerable; contact | Vulnerable; contact | | | your support | your support | | | organization per the | organization per the | | 12.2YC | instructions in | instructions in | | | Obtaining Fixed | Obtaining Fixed | | | Software section of | Software section of | | | this advisory. | this advisory. 
| |------------+-----------------------+-----------------------| | | Vulnerable; contact | Vulnerable; contact | | | your support | your support | | | organization per the | organization per the | | 12.2YD | instructions in | instructions in | | | Obtaining Fixed | Obtaining Fixed | | | Software section of | Software section of | | | this advisory. | this advisory. | |------------+-----------------------+-----------------------| | | Vulnerable; contact | Vulnerable; contact | | | your support | your support | | | organization per the | organization per the | | 12.2YE | instructions in | instructions in | | | Obtaining Fixed | Obtaining Fixed | | | Software section of | Software section of | | | this advisory. | this advisory. | |------------+-----------------------+-----------------------| | | Vulnerable; contact | Vulnerable; contact | | | your support | your support | | | organization per the | organization per the | | 12.2YK | instructions in | instructions in | | | Obtaining Fixed | Obtaining Fixed | | | Software section of | Software section of | | | this advisory. | this advisory. | |------------+-----------------------+-----------------------| | | Vulnerable; contact | Vulnerable; contact | | | your support | your support | | | organization per the | organization per the | | 12.2YO | instructions in | instructions in | | | Obtaining Fixed | Obtaining Fixed | | | Software section of | Software section of | | | this advisory. | this advisory. | |------------+-----------------------+-----------------------| | | Vulnerable; First | Vulnerable; First | | | fixed in Release 12.4 | fixed in Release | | 12.2YP | Releases up to and | 15.0M | | | including 12.2(8)YP | Releases up to and | | | are not vulnerable. | including 12.2(8)YP | | | | are not vulnerable. 
| |------------+-----------------------+-----------------------| | | Vulnerable; contact | Vulnerable; contact | | | your support | your support | | | organization per the | organization per the | | 12.2YT | instructions in | instructions in | | | Obtaining Fixed | Obtaining Fixed | | | Software section of | Software section of | | | this advisory. | this advisory. | |------------+-----------------------+-----------------------| | | Vulnerable; contact | Vulnerable; contact | | | your support | your support | | | organization per the | organization per the | | 12.2YW | instructions in | instructions in | | | Obtaining Fixed | Obtaining Fixed | | | Software section of | Software section of | | | this advisory. | this advisory. | |------------+-----------------------+-----------------------| | | Vulnerable; contact | Vulnerable; contact | | | your support | your support | | | organization per the | organization per the | | 12.2YX | instructions in | instructions in | | | Obtaining Fixed | Obtaining Fixed | | | Software section of | Software section of | | | this advisory. | this advisory. | |------------+-----------------------+-----------------------| | | Vulnerable; contact | Vulnerable; contact | | | your support | your support | | | organization per the | organization per the | | 12.2YY | instructions in | instructions in | | | Obtaining Fixed | Obtaining Fixed | | | Software section of | Software section of | | | this advisory. | this advisory. | |------------+-----------------------+-----------------------| | | Vulnerable; contact | Vulnerable; contact | | | your support | your support | | | organization per the | organization per the | | 12.2YZ | instructions in | instructions in | | | Obtaining Fixed | Obtaining Fixed | | | Software section of | Software section of | | | this advisory. | this advisory. 
| |------------+-----------------------+-----------------------| | | Vulnerable; contact | Vulnerable; contact | | | your support | your support | | | organization per the | organization per the | | 12.2ZA | instructions in | instructions in | | | Obtaining Fixed | Obtaining Fixed | | | Software section of | Software section of | | | this advisory. | this advisory. | |------------+-----------------------+-----------------------| | | Vulnerable; contact | Vulnerable; contact | | | your support | your support | | | organization per the | organization per the | | 12.2ZB | instructions in | instructions in | | | Obtaining Fixed | Obtaining Fixed | | | Software section of | Software section of | | | this advisory. | this advisory. | |------------+-----------------------+-----------------------| | | Vulnerable; contact | Vulnerable; contact | | | your support | your support | | | organization per the | organization per the | | 12.2ZC | instructions in | instructions in | | | Obtaining Fixed | Obtaining Fixed | | | Software section of | Software section of | | | this advisory. | this advisory. | |------------+-----------------------+-----------------------| | | Vulnerable; contact | Vulnerable; contact | | | your support | your support | | | organization per the | organization per the | | 12.2ZD | instructions in | instructions in | | | Obtaining Fixed | Obtaining Fixed | | | Software section of | Software section of | | | this advisory. | this advisory. 
| |------------+-----------------------+-----------------------| | | Vulnerable; First | Vulnerable; First | | 12.2ZE | fixed in Release 12.4 | fixed in Release | | | | 15.0M | |------------+-----------------------+-----------------------| | | Vulnerable; First | Vulnerable; First | | 12.2ZH | fixed in Release 12.4 | fixed in Release | | | | 15.0M | |------------+-----------------------+-----------------------| | | Vulnerable; contact | Vulnerable; contact | | | your support | your support | | | organization per the | organization per the | | 12.2ZJ | instructions in | instructions in | | | Obtaining Fixed | Obtaining Fixed | | | Software section of | Software section of | | | this advisory. | this advisory. | |------------+-----------------------+-----------------------| | | Vulnerable; contact | Vulnerable; contact | | | your support | your support | | | organization per the | organization per the | | 12.2ZP | instructions in | instructions in | | | Obtaining Fixed | Obtaining Fixed | | | Software section of | Software section of | | | this advisory. | this advisory. | |------------+-----------------------+-----------------------| | | Vulnerable; contact | Vulnerable; contact | | | your support | your support | | | organization per the | organization per the | | 12.2ZU | instructions in | instructions in | | | Obtaining Fixed | Obtaining Fixed | | | Software section of | Software section of | | | this advisory. | this advisory. | |------------+-----------------------+-----------------------| | | Vulnerable; First | Vulnerable; First | | 12.2ZX | fixed in Release | fixed in Release | | | 12.2SB | 12.2SRE | |------------+-----------------------+-----------------------| | | Vulnerable; contact | Vulnerable; contact | | | your support | your support | | | organization per the | organization per the | | 12.2ZY | instructions in | instructions in | | | Obtaining Fixed | Obtaining Fixed | | | Software section of | Software section of | | | this advisory. 
| this advisory. | |------------+-----------------------+-----------------------| | | Vulnerable; contact | Vulnerable; contact | | | your support | your support | | | organization per the | organization per the | | 12.2ZYA | instructions in | instructions in | | | Obtaining Fixed | Obtaining Fixed | | | Software section of | Software section of | | | this advisory. | this advisory. | |------------+-----------------------+-----------------------| | | | First Fixed Release | | Affected | | for All Advisories in | | 12.3-Based | First Fixed Release | the March 2012 Cisco | | Releases | | IOS Software Security | | | | Advisory Bundled | | | | Publication | |------------+-----------------------+-----------------------| | | Vulnerable; First | Vulnerable; First | | 12.3 | fixed in Release 12.4 | fixed in Release | | | | 15.0M | |------------+-----------------------+-----------------------| | | Vulnerable; First | Vulnerable; First | | 12.3B | fixed in Release 12.4 | fixed in Release | | | | 15.0M | |------------+-----------------------+-----------------------| | | Vulnerable; First | Vulnerable; First | | 12.3BC | fixed in Release | fixed in Release | | | 12.2SCE | 12.2SCE | |------------+-----------------------+-----------------------| | | Vulnerable; First | Vulnerable; First | | 12.3BW | fixed in Release 12.4 | fixed in Release | | | | 15.0M | |------------+-----------------------+-----------------------| | | Releases prior to | | | | 12.3(4)JA2 are | | | | vulnerable; Releases | Vulnerable; First | | 12.3JA | 12.3(4)JA2 and later | fixed in Release | | | are not vulnerable. | 12.4JA | | | Migrate to any | | | | release in 12.4JA | | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.3JEA | Not vulnerable | instructions in | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. 
| |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.3JEB | Not vulnerable | instructions in | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.3JEC | Not vulnerable | instructions in | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.3JED | Not vulnerable | instructions in | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | | Releases up to and | | | | including 12.3(2)JK3 | | | | are not vulnerable. | Vulnerable; First | | 12.3JK | Releases 12.3(8)JK1 | fixed in Release | | | and later are not | 15.0M | | | vulnerable. First | | | | fixed in Release 12.4 | | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.3JL | Not vulnerable | instructions in | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | 12.3JX | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | | Vulnerable; First | Vulnerable; First | | 12.3T | fixed in Release 12.4 | fixed in Release | | | | 15.0M | |------------+-----------------------+-----------------------| | | Vulnerable; contact | Vulnerable; contact | | | your support | your support | | | organization per the | organization per the | | 12.3TPC | instructions in | instructions in | | | Obtaining Fixed | Obtaining Fixed | | | Software section of | Software section of | | | this advisory. 
| this advisory. | |------------+-----------------------+-----------------------| | 12.3VA | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | | Vulnerable; First | Vulnerable; First | | 12.3XA | fixed in Release 12.4 | fixed in Release | | | | 15.0M | |------------+-----------------------+-----------------------| | | Vulnerable; contact | Vulnerable; contact | | | your support | your support | | | organization per the | organization per the | | 12.3XB | instructions in | instructions in | | | Obtaining Fixed | Obtaining Fixed | | | Software section of | Software section of | | | this advisory. | this advisory. | |------------+-----------------------+-----------------------| | | Vulnerable; First | Vulnerable; First | | 12.3XC | fixed in Release 12.4 | fixed in Release | | | | 15.0M | |------------+-----------------------+-----------------------| | | Vulnerable; First | Vulnerable; First | | 12.3XD | fixed in Release 12.4 | fixed in Release | | | | 15.0M | |------------+-----------------------+-----------------------| | | Vulnerable; First | Vulnerable; First | | 12.3XE | fixed in Release 12.4 | fixed in Release | | | | 15.0M | |------------+-----------------------+-----------------------| | | Vulnerable; contact | Vulnerable; contact | | | your support | your support | | | organization per the | organization per the | | 12.3XF | instructions in | instructions in | | | Obtaining Fixed | Obtaining Fixed | | | Software section of | Software section of | | | this advisory. | this advisory. 
| |------------+-----------------------+-----------------------| | | Vulnerable; First | Vulnerable; First | | 12.3XG | fixed in Release 12.4 | fixed in Release | | | | 15.0M | |------------+-----------------------+-----------------------| | | Vulnerable; First | Vulnerable; First | | 12.3XI | fixed in Release | fixed in Release | | | 12.2SB | 12.2SRE | |------------+-----------------------+-----------------------| | | Vulnerable; First | Vulnerable; First | | 12.3XJ | fixed in Release | fixed in Release | | | 12.4T | 15.0M | |------------+-----------------------+-----------------------| | | Vulnerable; First | Vulnerable; First | | 12.3XK | fixed in Release 12.4 | fixed in Release | | | | 15.0M | |------------+-----------------------+-----------------------| | | Vulnerable; First | Vulnerable; First | | 12.3XL | fixed in Release | fixed in Release | | | 12.4T | 15.0M | |------------+-----------------------+-----------------------| | | Vulnerable; First | Vulnerable; First | | 12.3XQ | fixed in Release 12.4 | fixed in Release | | | | 15.0M | |------------+-----------------------+-----------------------| | | Vulnerable; First | Vulnerable; First | | 12.3XR | fixed in Release 12.4 | fixed in Release | | | | 15.0M | |------------+-----------------------+-----------------------| | | Vulnerable; First | Vulnerable; First | | 12.3XU | fixed in Release | fixed in Release | | | 12.4T | 12.4T | |------------+-----------------------+-----------------------| | | Vulnerable; First | Vulnerable; First | | 12.3XW | fixed in Release | fixed in Release | | | 12.4T | 15.0M | |------------+-----------------------+-----------------------| | | Vulnerable; First | Vulnerable; First | | 12.3XX | fixed in Release 12.4 | fixed in Release | | | | 15.0M | |------------+-----------------------+-----------------------| | | Vulnerable; First | Vulnerable; First | | 12.3XY | fixed in Release 12.4 | fixed in Release | | | | 15.0M | |------------+-----------------------+-----------------------| | 
| Vulnerable; First | Vulnerable; First | | 12.3XZ | fixed in Release 12.4 | fixed in Release | | | | 15.0M | |------------+-----------------------+-----------------------| | | Vulnerable; First | Vulnerable; First | | 12.3YD | fixed in Release | fixed in Release | | | 12.4T | 15.0M | |------------+-----------------------+-----------------------| | | Vulnerable; First | Vulnerable; First | | 12.3YF | fixed in Release | fixed in Release | | | 12.4T | 15.0M | |------------+-----------------------+-----------------------| | | Vulnerable; First | Vulnerable; First | | 12.3YG | fixed in Release | fixed in Release | | | 12.4T | 15.0M | |------------+-----------------------+-----------------------| | | Vulnerable; First | Vulnerable; First | | 12.3YI | fixed in Release | fixed in Release | | | 12.4T | 15.0M | |------------+-----------------------+-----------------------| | | Vulnerable; First | Vulnerable; First | | 12.3YJ | fixed in Release | fixed in Release | | | 12.4T | 15.0M | |------------+-----------------------+-----------------------| | | Vulnerable; First | Vulnerable; First | | 12.3YK | fixed in Release | fixed in Release | | | 12.4T | 15.0M | |------------+-----------------------+-----------------------| | | Vulnerable; First | Vulnerable; First | | 12.3YM | fixed in Release | fixed in Release | | | 12.4T | 15.0M | |------------+-----------------------+-----------------------| | | Vulnerable; First | Vulnerable; First | | 12.3YQ | fixed in Release | fixed in Release | | | 12.4T | 15.0M | |------------+-----------------------+-----------------------| | | Vulnerable; First | Vulnerable; First | | 12.3YS | fixed in Release | fixed in Release | | | 12.4T | 15.0M | |------------+-----------------------+-----------------------| | | Vulnerable; First | Vulnerable; First | | 12.3YT | fixed in Release | fixed in Release | | | 12.4T | 15.0M | |------------+-----------------------+-----------------------| | | Vulnerable; First | Vulnerable; First | | 12.3YU | fixed in 
Release | fixed in Release | | | 12.4T | 15.0M | |------------+-----------------------+-----------------------| | | Vulnerable; First | Vulnerable; First | | 12.3YX | fixed in Release | fixed in Release | | | 12.4T | 15.0M | |------------+-----------------------+-----------------------| | | Vulnerable; contact | Vulnerable; contact | | | your support | your support | | | organization per the | organization per the | | 12.3YZ | instructions in | instructions in | | | Obtaining Fixed | Obtaining Fixed | | | Software section of | Software section of | | | this advisory. | this advisory. | |------------+-----------------------+-----------------------| | | Vulnerable; First | Vulnerable; First | | 12.3ZA | fixed in Release | fixed in Release | | | 12.4T | 15.0M | |------------+-----------------------+-----------------------| | | | First Fixed Release | | Affected | | for All Advisories in | | 12.4-Based | First Fixed Release | the March 2012 Cisco | | Releases | | IOS Software Security | | | | Advisory Bundled | | | | Publication | |------------+-----------------------+-----------------------| | | 12.4(25g); Available | Vulnerable; First | | 12.4 | on 19-SEP-12 | fixed in Release | | | | 15.0M | |------------+-----------------------+-----------------------| | | Vulnerable; contact | Vulnerable; contact | | | your support | your support | | | organization per the | organization per the | | 12.4GC | instructions in | instructions in | | | Obtaining Fixed | Obtaining Fixed | | | Software section of | Software section of | | | this advisory. | this advisory. 
| |------------+-----------------------+-----------------------| | 12.4JA | Not vulnerable | 12.4(23c)JA4 | | | | 12.4(25e)JA | |------------+-----------------------+-----------------------| | | | Vulnerable; First | | 12.4JAX | Not vulnerable | fixed in Release | | | | 12.4JA | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.4JDA | Not vulnerable | instructions in | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.4JDC | Not vulnerable | instructions in | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.4JDD | Not vulnerable | instructions in | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.4JDE | Not vulnerable | instructions in | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.4JHA | Not vulnerable | instructions in | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.4JHB | Not vulnerable | instructions in | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. 
| |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.4JHC | Not vulnerable | instructions in | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.4JK | Not vulnerable | instructions in | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | | | Vulnerable; contact | | | | your support | | | | organization per the | | 12.4JL | Not vulnerable | instructions in | | | | Obtaining Fixed | | | | Software section of | | | | this advisory. | |------------+-----------------------+-----------------------| | | | Vulnerable; First | | 12.4JX | Not vulnerable | fixed in Release | | | | 12.4JA | |------------+-----------------------+-----------------------| | | | Vulnerable; First | | 12.4JY | Not vulnerable | fixed in Release | | | | 12.4JA | |------------+-----------------------+-----------------------| | | | Vulnerable; First | | 12.4JZ | Not vulnerable | fixed in Release | | | | 12.4JA | |------------+-----------------------+-----------------------| | | 12.4(24)MD7; | 12.4(22)MD3; | | 12.4MD | Available on | Available on | | | 29-Jun-12 | 30-MAR-12 | |------------+-----------------------+-----------------------| | 12.4MDA | 12.4(24)MDA11 | 12.4(24)MDA11 | |------------+-----------------------+-----------------------| | 12.4MDB | 12.4(24)MDB5a | 12.4(24)MDB5a | |------------+-----------------------+-----------------------| | 12.4MDC | Not vulnerable | Not vulnerable | |------------+-----------------------+-----------------------| | | Vulnerable; contact | Vulnerable; contact | | | your support | your support | | | organization per the | organization per the | | 12.4MR | instructions in | instructions in | | | Obtaining Fixed | 
| (continued) | ...Obtaining Fixed Software section of this advisory. | ...Obtaining Fixed Software section of this advisory. |
| 12.4MRA | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.4MRB | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
| 12.4SW | 12.4(15)SW8a | Vulnerable; First fixed in Release 15.0M |
| 12.4T | 12.4(15)T17, 12.4(24)T7 | 12.4(15)T17, 12.4(24)T7 |
| 12.4XA | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
| 12.4XB | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 12.4T |
| 12.4XC | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
| 12.4XD | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
| 12.4XE | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
| 12.4XF | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
| 12.4XG | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
| 12.4XJ | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
| 12.4XK | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
| 12.4XL | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.4XM | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
| 12.4XN | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.4XP | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.4XQ | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
| 12.4XR | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 12.4T |
| 12.4XT | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
| 12.4XV | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.4XW | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
| 12.4XY | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
| 12.4XZ | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
| 12.4YA | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
| 12.4YB | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.4YD | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.4YE | 12.4(24)YE3d | 12.4(24)YE3d |
| 12.4YG | 12.4(24)YG4 | 12.4(24)YG4 |
|------------+-----------------------+-----------------------|
| Affected 15.0-Based Releases | First Fixed Release | First Fixed Release for All Advisories in the March 2012 Cisco IOS Software Security Advisory Bundled Publication |
|------------+-----------------------+-----------------------|
| 15.0M | 15.0(1)M8 | 15.0(1)M8 |
| 15.0MR | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 15.0MRA | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 15.0S | 15.0(1)S5. Cisco IOS XE devices: Please see Cisco IOS XE Software Availability | 15.0(1)S5. Cisco IOS XE devices: Please see Cisco IOS XE Software Availability |
| 15.0SA | Not vulnerable | Not vulnerable |
| 15.0SE | 15.0(1)SE1, 15.0(2)SE (Available on 06-AUG-12) | 15.0(1)SE1 |
| 15.0SG | 15.0(2)SG2. Cisco IOS XE devices: Please see Cisco IOS-XE Software Availability | 15.0(2)SG2. Cisco IOS XE devices: Please see Cisco IOS-XE Software Availability |
| 15.0SY | Not vulnerable | 15.0(1)SY1 |
| 15.0XA | Vulnerable; First fixed in Release 15.1T | Vulnerable; First fixed in Release 15.1T |
| 15.0XO | Cisco IOS XE devices: Please see Cisco IOS-XE Software Availability | Cisco IOS XE devices: Please see Cisco IOS-XE Software Availability |
|------------+-----------------------+-----------------------|
| Affected 15.1-Based Releases | First Fixed Release | First Fixed Release for All Advisories in the March 2012 Cisco IOS Software Security Advisory Bundled Publication |
|------------+-----------------------+-----------------------|
| 15.1EY | 15.1(2)EY1a | 15.1(2)EY2 |
| 15.1GC | 15.1(2)GC2 | 15.1(2)GC2 |
| 15.1M | 15.1(4)M2, 15.1(4)M3a | 15.1(4)M4 (Available on 30-MAR-12) |
| 15.1MR | 15.1(1)MR3 | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 15.1S | 15.1(3)S1. Cisco IOS XE devices: Please see Cisco IOS XE Software Availability | 15.1(3)S2. Cisco IOS XE devices: Please see Cisco IOS XE Software Availability |
| 15.1SG | Not vulnerable. Cisco IOS XE devices: Please see Cisco IOS XE Software Availability | Not vulnerable. Cisco IOS XE devices: Please see Cisco IOS XE Software Availability |
| 15.1SNG | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 15.1SNH | Not vulnerable | Not vulnerable |
| 15.1T | 15.1(1)T5 (Available on 18-MAY-12), 15.1(2)T5 (Available on 27-APR-12), 15.1(3)T3 | 15.1(3)T3 |
| 15.1XB | Vulnerable; First fixed in Release 15.1T | Vulnerable; First fixed in Release 15.1T |
|------------+-----------------------+-----------------------|
| Affected 15.2-Based Releases | First Fixed Release | First Fixed Release for All Advisories in the March 2012 Cisco IOS Software Security Advisory Bundled Publication |
|------------+-----------------------+-----------------------|
| 15.2GC | 15.2(1)GC1 | 15.2(1)GC2 |
| 15.2S | Not vulnerable. Cisco IOS XE devices: Please see Cisco IOS XE Software Availability | 15.2(1)S1. Cisco IOS XE devices: Please see Cisco IOS XE Software Availability |
| 15.2T | 15.2(1)T1, 15.2(2)T, 15.2(2)T1 | 15.2(1)T2, 15.2(2)T1, 15.2(3)T (Available on 30-MAR-12) |
+------------------------------------------------------------+

* Cisco Catalyst 3550 Series Switches support the Internet Key Exchange (IKE) feature and are vulnerable to Cisco bug ID CSCts38429 when the devices are running Layer 3 images; however, this product reached the End of Software Maintenance milestone. Cisco 3550 Series SMI Switches that are running Layer 2 images do not support IKE and are not vulnerable. No other Cisco devices that run 12.2SE-based software are vulnerable.

Cisco IOS XE Software
+--------------------

Cisco IOS XE Software is affected by the vulnerability that is disclosed in this document.

+------------------------------------------------------------+
| Cisco IOS XE Software Release | First Fixed Release | First Fixed Release for All Advisories in the March 2012 Cisco IOS Software Security Advisory Bundled Publication |
|-----------+--------------+---------------------------------|
| 2.1.x | Vulnerable; migrate to 3.4.1S or later. | Vulnerable; migrate to 3.4.2S or later. |
| 2.2.x | Vulnerable; migrate to 3.4.1S or later. | Vulnerable; migrate to 3.4.2S or later. |
| 2.3.x | Vulnerable; migrate to 3.4.1S or later. | Vulnerable; migrate to 3.4.2S or later. |
| 2.4.x | Vulnerable; migrate to 3.4.1S or later. | Vulnerable; migrate to 3.4.2S or later. |
| 2.5.x | Vulnerable; migrate to 3.4.1S or later. | Vulnerable; migrate to 3.4.2S or later. |
| 2.6.x | Vulnerable; migrate to 3.4.1S or later. | Vulnerable; migrate to 3.4.2S or later. |
| 3.1.xS | Vulnerable; migrate to 3.4.1S or later. | Vulnerable; migrate to 3.4.2S or later. |
| 3.1.xSG | Vulnerable; migrate to 3.2.2SG or later. | Vulnerable; migrate to 3.2.2SG or later. |
| 3.2.xS | Vulnerable; migrate to 3.4.1S or later. | Vulnerable; migrate to 3.4.2S or later. |
| 3.2.xSG | 3.2.2SG | 3.2.2SG |
| 3.3.xS | Vulnerable; migrate to 3.4.1S or later. | Vulnerable; migrate to 3.4.2S or later. |
| 3.3.xSG | Not Vulnerable | Not Vulnerable |
| 3.4.xS | 3.4.1S | 3.4.2S |
| 3.5.xS | Not vulnerable | 3.5.1S |
| 3.6.xS | Not vulnerable | Not vulnerable |
+------------------------------------------------------------+

For a mapping of Cisco IOS XE Software releases to Cisco IOS Software releases, refer to Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S Release Notes, and Cisco IOS XE 3SG Release Notes.

Cisco IOS XR Software
+--------------------

Cisco IOS XR Software is not affected by any of the vulnerabilities disclosed in the March 2012 Cisco IOS Software Security Advisory Bundled Publication.

Workarounds
===========

Customers with an MSDP-configured router who do not require membership to multicast groups can remove the "ip sap listen" or "ip igmp join-group " commands on the router interface as a workaround.
For example:

RouterA#conf t
RouterA(config)# interface GigabitEthernet0/0
RouterA(config-if)# no ip sap listen
RouterA(config-if)# no ip igmp join-group 224.2.127.254

interface GigabitEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip pim sparse-mode

To determine if a router is configured for MSDP peers, run the command "show ip msdp peer" at the router command prompt:

RouterA# show ip msdp peer
MSDP Peer 192.168.0.2 (?), AS 100
  Connection status:
    State: Up, Resets: 0, Connection source: none configured
    Uptime(Downtime): 01:23:42, Messages sent/received: 25/24
    Output messages discarded: 0
    Connection and counters cleared 01:15:14 ago
  SA Filtering:
    Input (S,G) filter: none, route-map: none
    Input RP filter: none, route-map: none
    Output (S,G) filter: none, route-map: none
    Output RP filter: none, route-map: none
  SA-Requests:
    Input filter: none
  Peer ttl threshold: 0
  SAs learned from this peer: 0
  Input queue size: 0, Output queue size: 0
  Message counters:
    RPF Failure count: 0
    SA Messages in/out: 13/8
    SA Requests in: 0
    SA Responses out: 0
    Data Packets in/out: 7/8

To remove an untrusted MSDP peer from your configuration, use the "no ip msdp peer " or "ip msdp default-peer " command on the router configuration interface.

RouterA(config)# no ip msdp peer 192.168.0.2

interface GigabitEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip pim sparse-mode

Obtaining Fixed Software
========================

Cisco has released free software updates that address the vulnerability described in this advisory. Prior to deploying software, customers are advised to consult their maintenance providers or check the software for feature set compatibility and known issues that are specific to their environments.

Customers may only install and expect support for feature sets they have purchased. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as set forth at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact psirt at cisco.com or security-alert at cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, upgrades should be obtained through the Software Center on Cisco.com at http://www.cisco.com.

Customers Using Third-Party Support Organizations
+------------------------------------------------

Customers with Cisco products that are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers, should contact that organization for assistance with the appropriate course of action.

The effectiveness of any workaround or fix depends on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission.
Because of the variety of affected products and releases, customers should consult their service providers or support organizations to ensure that any applied workaround or fix is the most appropriate in the intended network before it is deployed.

Customers Without Service Contracts
+----------------------------------

Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC):

* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac at cisco.com

Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Customers without service contracts should request free upgrades through the TAC.

Refer to Cisco Worldwide Contacts at http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, instructions, and e-mail addresses for support in various languages.

Exploitation and Public Announcements
=====================================

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

This vulnerability was found during the troubleshooting of customer service requests.

Status of This Notice: Final
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco Security Intelligence Operations at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-msdp

Additionally, a text version of this advisory is clear signed with the Cisco PSIRT PGP key and circulated among the following e-mail addresses:

* cust-security-announce at cisco.com
* first-bulletins at lists.first.org
* bugtraq at securityfocus.com
* vulnwatch at vulnwatch.org
* cisco at spot.colorado.edu
* cisco-nsp at puck.nether.net
* full-disclosure at lists.grok.org.uk

Future updates of this advisory, if any, will reside on Cisco.com but may not be announced on mailing lists. Users can monitor this advisory's URL for any updates.

Revision History
================

+------------------------------------------------------------+
| Revision 1.0 | 2012-March-28 | Initial public release |
+------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information about reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco is available on Cisco.com at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This web page includes instructions for press inquiries regarding Cisco Security Advisories. All Cisco Security Advisories are available at http://www.cisco.com/go/psirt.
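The checks in the Workarounds section of the advisory above (list configured MSDP peers with "show ip msdp peer", remove untrusted peers, and remove "ip sap listen" / "ip igmp join-group" from interfaces), as an added Python example that is not part of the advisory: it parses constructed "show ip msdp peer" output modelled on the advisory's example, flags peers that are missing from an operator-supplied allow-list, and emits the removal commands. The second peer (192.0.2.77, AS 65001), the running-config fragment and the allow-list are constructed here for illustration.

```python
import re

# Constructed sample of "show ip msdp peer" output, modelled on the example in
# the advisory. The first peer's values are the advisory's; the second peer
# (192.0.2.77, AS 65001) is invented here to stand in for an unexpected peer.
SHOW_IP_MSDP_PEER = """\
MSDP Peer 192.168.0.2 (?), AS 100
  Connection status:
    State: Up, Resets: 0, Connection source: none configured
    Uptime(Downtime): 01:23:42, Messages sent/received: 25/24
  Peer ttl threshold: 0
  SAs learned from this peer: 0
  Message counters:
    RPF Failure count: 0
    SA Messages in/out: 13/8
MSDP Peer 192.0.2.77 (?), AS 65001
  Connection status:
    State: Up, Resets: 3, Connection source: none configured
  SAs learned from this peer: 42
"""

# Constructed running-config fragment: the advisory's interface example plus
# the two group-membership commands the workaround removes.
RUNNING_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip pim sparse-mode
 ip sap listen
 ip igmp join-group 224.2.127.254
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip pim sparse-mode
!
"""

PEER_HEADER = re.compile(r"^MSDP Peer (\S+) \(.*?\), AS (\d+)")


def parse_msdp_peers(output):
    """Split 'show ip msdp peer' output into one dict per peer."""
    peers = []
    # Each peer block starts at a line beginning with "MSDP Peer".
    for block in re.split(r"(?m)^(?=MSDP Peer )", output):
        m = PEER_HEADER.match(block)
        if not m:
            continue  # the empty chunk before the first peer
        state = re.search(r"State: (\w+)", block)
        sas = re.search(r"SAs learned from this peer: (\d+)", block)
        peers.append({
            "peer": m.group(1),
            "as": int(m.group(2)),
            "state": state.group(1) if state else None,
            "sas_learned": int(sas.group(1)) if sas else 0,
        })
    return peers


def unexpected_peers(peers, allowed):
    """Peers whose (address, AS) pair is not in the operator's allow-list."""
    return [p for p in peers if (p["peer"], p["as"]) not in allowed]


def peer_removal_commands(peers):
    """Config-mode lines that drop each listed peer, as the advisory shows."""
    return [f"no ip msdp peer {p['peer']}" for p in peers]


def group_membership_removal(config):
    """Find 'ip sap listen' and 'ip igmp join-group' under each interface and
    return (interface, removal command) pairs, as the workaround describes."""
    cmds, iface = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
            continue
        s = line.strip()
        if s == "!":
            iface = None
            continue
        if iface and (s == "ip sap listen" or s.startswith("ip igmp join-group ")):
            cmds.append((iface, "no " + s))
    return cmds


if __name__ == "__main__":
    peers = parse_msdp_peers(SHOW_IP_MSDP_PEER)
    allowed = {("192.168.0.2", 100)}  # constructed allow-list of expected peers
    bad = unexpected_peers(peers, allowed)
    for p in bad:
        print(f"unexpected MSDP peer {p['peer']} AS {p['as']} "
              f"(state {p['state']}, {p['sas_learned']} SAs learned)")
    for cmd in peer_removal_commands(bad):
        print(cmd)
    for iface, cmd in group_membership_removal(RUNNING_CONFIG):
        print(f"interface {iface}\n {cmd}")
```

The generated lines are meant to be reviewed and applied by the operator, not pushed to devices automatically.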
From psirt at cisco.com Wed Mar 28 12:23:51 2012
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Wed, 28 Mar 2012 18:23:51 +0200 (CEST)
Subject: [c-nsp] Cisco Security Advisory: Cisco IOS Software Command Authorization Bypass
Message-ID: <201203281220058.cisco-sa-20120328-pai@psirt.cisco.com>

Cisco Security Advisory: Cisco IOS Software Command Authorization Bypass

Advisory ID: cisco-sa-20120328-pai
Revision 1.0
For Public Release 2012 March 28 16:00 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

A vulnerability exists in the Cisco IOS Software that may allow a remote application or device to exceed its authorization level when authentication, authorization, and accounting (AAA) authorization is used. This vulnerability requires that the HTTP or HTTPS server is enabled on the Cisco IOS device.

Products that are not running Cisco IOS Software are not vulnerable.

Cisco has released free software updates that address these vulnerabilities.

The HTTP server may be disabled as a workaround for the vulnerability described in this advisory.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-pai

Note: The March 28, 2012, Cisco IOS Software Security Advisory bundled publication includes nine Cisco Security Advisories. Each advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all vulnerabilities in the March 2012 bundled publication.
Individual publication links are in "Cisco Event Response: Semi-Annual Cisco IOS Software Security Advisory Bundled Publication" at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar12.html

Affected Products
=================

Vulnerable Products
+------------------

Any device running Cisco IOS Software release after 12.2 that has an HTTP or HTTPS server configured is affected by this vulnerability if AAA authorization is used.

To determine if a device is configured with an HTTP or HTTPS server, issue the show ip http server status | include status command. The following example illustrates a Cisco IOS device with an HTTPS server enabled and the HTTP server disabled.

Router> show ip http server status | include status
HTTP server status: Disabled
HTTP secure server status: Enabled

To determine if AAA authorization is used, an administrator can log in to the device and issue the show run | include aaa authorization command in privileged EXEC mode. If there is an entry that shows aaa authorization commands, as shown in the following example, then AAA authorization is configured.

Router# show run | include aaa authorization commands
aaa authorization commands 0 default local group tacacs+
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default local

To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to "Cisco Internetwork Operating System Software" or "Cisco IOS Software." The image name displays in parentheses, followed by "Version" and the Cisco IOS Software release name. Other Cisco devices do not have the show version command or may provide different output.
The following example identifies a Cisco product that is running Cisco IOS Software Release 15.0(1)M1 with an installed image name of C3900-UNIVERSALK9-M:

Router> show version
Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 02-Dec-09 17:17 by prod_rel_team
!--- output truncated

Additional information about Cisco IOS Software release naming conventions is available in "White Paper: Cisco IOS and NX-OS Software Reference Guide" at:
http://www.cisco.com/web/about/security/intelligence/ios-ref.html

Products Confirmed Not Vulnerable
+--------------------------------

If you are not running Cisco IOS or IOS XE software, you are not affected by this vulnerability.

Devices that are not using AAA authorization or that do not have an HTTP or HTTPS server configured are not affected by this vulnerability.

Cisco IOS XR is not affected by this vulnerability.

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

Cisco IOS allows remote applications to administer and monitor devices running Cisco IOS Software over an HTTP or HTTPS connection. A vulnerability exists that may allow the Cisco IOS command authorization to be bypassed, allowing a remote, authenticated HTTP or HTTPS session to execute any Cisco IOS command that is configured for their authorization level.

This vulnerability does not allow unauthenticated access; a valid username and password are required to successfully exploit this vulnerability. Additionally, the vulnerability does not allow a user to execute commands that are not configured for their privilege level.

The HTTP server is enabled by default for cluster configurations and on the following Cisco switches: Catalyst 3700 series, Catalyst 3750 series, Catalyst 3550 series, Catalyst 3560 series, and Catalyst 2950 series.
More information on AAA authorization can be found at:
http://www.cisco.com/en/US/docs/ios/12_2t/secure/command/reference/sftauth.html

Releases of Cisco IOS Software after release 12.2 are potentially vulnerable. Please refer to the release table below for more information.

This vulnerability is documented as Cisco Bug ID CSCtr91106 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2012-0384.

Vulnerability Scoring Details
=============================

Cisco has scored the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps organizations determine the urgency and priority of a response.

Cisco has provided a base and temporal score. Customers can also compute environmental scores that help determine the impact of the vulnerability in their own networks.

Cisco has provided additional information regarding CVSS at the following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to compute the environmental impact for individual networks at the following link:
http://intellishield.cisco.com/security/alertmanager/cvss

* Command Authorization Fails for commands delivered over HTTP

CVSS Base Score - 8.5
  Access Vector - Network
  Access Complexity - Medium
  Authentication - None
  Confidentiality Impact - Complete
  Integrity Impact - Complete
  Availability Impact - Complete

CVSS Temporal Score - 7.0
  Exploitability - Functional
  Remediation Level - Official-Fix
  Report Confidence - Confirmed

Impact
======

Successful exploitation of the vulnerability may allow the Cisco IOS command authorization to be bypassed, allowing a remote, authenticated HTTP or HTTPS session to execute any Cisco IOS command that is configured for its authorization level.
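The three preconditions the advisory gives for exposure (a Cisco IOS Software release after 12.2, an HTTP or HTTPS server enabled, and AAA command authorization configured), as an added Python example that is not part of the advisory: it parses constructed "show version", "show ip http server status" and "show run" output modelled on the examples above, derives the release train from the version string, and reports whether the preconditions are met. The train derivation (major plus the letters after the maintenance number, e.g. 15.0(1)M1 -> 15.0M) is an assumption drawn from the release naming used in this advisory's tables; the fixed-release table still decides whether a specific release carries the fix.

```python
import re

# Constructed sample outputs, modelled on the examples in the advisory.
SHOW_VERSION = """\
Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
"""
HTTP_STATUS = """\
HTTP server status: Disabled
HTTP secure server status: Enabled
"""
AAA_CONFIG = """\
aaa authorization commands 0 default local group tacacs+
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default local
"""

# Release string as printed by "show version": major(maintenance)TRAINrebuild,
# e.g. 15.0(1)M1 -> train 15.0M, 12.4(24)YE3d -> 12.4YE, 12.2(33)IRH1 -> 12.2IRH.
# Assumption: this naming matches the trains listed in the advisory's tables.
RELEASE_RE = re.compile(r"Version\s+(\d+\.\d+)\((\d+)\)([A-Z]*)(\d*[a-z]?)")


def parse_release(show_version):
    """Return (release, train) from the show version banner, or None when the
    banner does not identify Cisco IOS Software (e.g. IOS XR, NX-OS)."""
    if ("Cisco IOS Software" not in show_version
            and "Cisco Internetwork Operating System Software" not in show_version):
        return None
    m = RELEASE_RE.search(show_version)
    if not m:
        return None
    major, maint, train, rebuild = m.groups()
    return f"{major}({maint}){train}{rebuild}", f"{major}{train}"


def http_servers(status_output):
    """Map 'http' / 'https' to True when that server reports Enabled."""
    servers = {}
    for line in status_output.splitlines():
        m = re.match(r"HTTP (secure )?server status:\s*(\w+)", line.strip())
        if m:
            servers["https" if m.group(1) else "http"] = m.group(2).lower() == "enabled"
    return servers


def aaa_command_authorization_levels(run_output):
    """Privilege levels with an 'aaa authorization commands <level>' entry."""
    levels = []
    for line in run_output.splitlines():
        m = re.match(r"aaa authorization commands (\d+)\b", line.strip())
        if m:
            levels.append(int(m.group(1)))
    return levels


def assess(show_version, http_status, run_aaa):
    """Apply the advisory's preconditions. 12.2-based trains are kept in scope
    because the fix table lists vulnerable ones (e.g. 12.2EX); the table, not
    this check, decides whether the exact release is fixed."""
    rel = parse_release(show_version)
    if rel is None:
        return {"meets_preconditions": False, "reason": "not Cisco IOS Software"}
    release, train = rel
    major = tuple(int(x) for x in re.match(r"(\d+)\.(\d+)", train).groups())
    servers = http_servers(http_status)
    levels = aaa_command_authorization_levels(run_aaa)
    result = {
        "release": release,
        "train": train,
        "release_in_scope": major >= (12, 2),
        "http_enabled": servers.get("http", False),
        "https_enabled": servers.get("https", False),
        "aaa_command_levels": levels,
    }
    result["meets_preconditions"] = (
        result["release_in_scope"]
        and (result["http_enabled"] or result["https_enabled"])
        and bool(levels)
    )
    return result


if __name__ == "__main__":
    verdict = assess(SHOW_VERSION, HTTP_STATUS, AAA_CONFIG)
    for key, value in verdict.items():
        print(f"{key}: {value}")
```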
Software Versions and Fixes
===========================

When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at: http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Cisco IOS Software
+-----------------

Each row of the following Cisco IOS Software table corresponds to a Cisco IOS Software train. If a particular train is vulnerable, the earliest releases that contain the fix are listed in the First Fixed Release column. The First Fixed Release for All Advisories in the March 2012 Bundled Publication column lists the earliest possible releases that correct all the published vulnerabilities in the Cisco IOS Software Security Advisory bundled publication. Cisco recommends upgrading to the latest available release, where possible.

The Cisco IOS Software Checker allows customers to search for Cisco Security Advisories that address specific Cisco IOS Software releases.
This tool is available on the Cisco Security Intelligence Operations (SIO) portal at:
http://tools.cisco.com/security/center/selectIOSVersion.x

+------------------------------------------+
| Major Release | Availability of Repaired Releases |
|------------+--------------+--------------|
| Affected 12.0-Based Releases | First Fixed Release | First Fixed Release for All Advisories in the March 2012 Cisco IOS Software Security Advisory Bundled Publication |
|------------------------------------------|
| There are no affected 12.0 based releases |
|------------------------------------------|
| Affected 12.2-Based Releases | First Fixed Release | First Fixed Release for All Advisories in the March 2012 Cisco IOS Software Security Advisory Bundled Publication |
|------------+--------------+--------------|
| 12.2 | Not vulnerable | Vulnerable; First fixed in Release 15.0M |
| 12.2B | Not vulnerable | Vulnerable; First fixed in Release 15.0M |
| 12.2BC | Not vulnerable | Vulnerable; First fixed in Release 15.0M |
| 12.2BW | Not vulnerable | Vulnerable; First fixed in Release 15.0M |
| 12.2BX | Not vulnerable | Vulnerable; First fixed in Release 12.2SB |
| 12.2BY | Not vulnerable | Vulnerable; First fixed in Release 15.0M |
| 12.2BZ | Not vulnerable | Vulnerable; First fixed in Release 15.0M |
| 12.2CX | Not vulnerable | Vulnerable; First fixed in Release 15.0M |
| 12.2CY | Not vulnerable | Vulnerable; First fixed in Release 15.0M |
| 12.2CZ | Not vulnerable | Vulnerable; First fixed in Release 12.0S |
| 12.2DA | Not vulnerable | Vulnerable; First fixed in Release 15.0M |
| 12.2DD | Not vulnerable | Vulnerable; First fixed in Release 15.0M |
| 12.2DX | Not vulnerable | Vulnerable; First fixed in Release 15.0M |
| 12.2EU | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.2EW | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. Releases up to and including 12.2(20)EWA4 are not vulnerable. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.2EWA | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. Releases up to and including 12.2(20)EWA4 are not vulnerable. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.2EX | Vulnerable; First fixed in Release 15.0SE. Releases up to and including 12.2(25)EX1 are not vulnerable. | Vulnerable; First fixed in Release 15.0SE |
| 12.2EY | 12.2(52)EY4, 12.2(58)EY2 | 12.2(52)EY4 |
| 12.2EZ | Vulnerable; First fixed in Release 15.0SE | Vulnerable; First fixed in Release 15.0SE |
| 12.2FX | Vulnerable; First fixed in Release 12.2SE | Vulnerable; First fixed in Release 15.0SE |
| 12.2FY | Vulnerable; First fixed in Release 15.0SE | Vulnerable; First fixed in Release 15.0SE |
| 12.2FZ | Vulnerable; First fixed in Release 12.2SE | Vulnerable; First fixed in Release 15.0SE |
| 12.2IRA | Vulnerable; First fixed in Release 12.2SRD | Vulnerable; First fixed in Release 12.2SRE |
| 12.2IRB | Vulnerable; First fixed in Release 12.2SRD | Vulnerable; First fixed in Release 12.2SRE |
| 12.2IRC | Vulnerable; First fixed in Release 12.2SRD | Vulnerable; First fixed in Release 12.2SRE |
| 12.2IRD | Vulnerable; First fixed in Release 12.2SRD | Vulnerable; First fixed in Release 12.2SRE |
| 12.2IRE | Vulnerable; First fixed in Release 12.2SRD | Vulnerable; First fixed in Release 12.2SRE |
| 12.2IRF | Vulnerable; First fixed in Release 12.2SRD | Vulnerable; First fixed in Release 12.2SRE |
| 12.2IRG | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.2IRH | 12.2(33)IRH1 | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.2IXA | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.2IXB | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.2IXC | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.2IXD | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.2IXE | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.2IXF | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.2IXG | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.2IXH | Not vulnerable | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| |------------+--------------+--------------| | 12.2JA | Not | Not | | | vulnerable | vulnerable | |------------+--------------+--------------| | 12.2JK | Not | Not | | | vulnerable | vulnerable | |------------+--------------+--------------| | | | Vulnerable; | | 12.2MB | Not | First fixed | | | vulnerable | in Release | | | | 15.0M | |------------+--------------+--------------| | | | Vulnerable; | | 12.2MC | Not | First fixed | | | vulnerable | in Release | | | | 15.0M | |------------+--------------+--------------| | | Vulnerable; | Vulnerable; | | 12.2MRA | First fixed | First fixed | | | in Release | in Release | | | 12.2SRD | 12.2SRE | |------------+--------------+--------------| | | Vulnerable; | Vulnerable; | | | contact your | contact your | | | support | support | | | organization | organization | | | per the | per the | | 12.2MRB | instructions | instructions | | | in Obtaining | in Obtaining | | | Fixed | Fixed | | | Software | Software | | | section of | section of | | | this | this | | | advisory. | advisory. | |------------+--------------+--------------| | | | Releases | | | | prior to | | | | 12.2(30)S | | | | are | | | | vulnerable; | | | Not | Releases | | 12.2S | vulnerable | 12.2(30)S | | | | and later | | | | are not | | | | vulnerable. 
| | | | First fixed | | | | in Release | | | | 12.0S | |------------+--------------+--------------| | 12.2SB | 12.2(33)SB12 | 12.2(33)SB12 | |------------+--------------+--------------| | | | Vulnerable; | | 12.2SBC | Not | First fixed | | | vulnerable | in Release | | | | 12.2SRE | |------------+--------------+--------------| | | Vulnerable; | Vulnerable; | | 12.2SCA | First fixed | First fixed | | | in Release | in Release | | | 12.2SCE | 12.2SCE | |------------+--------------+--------------| | | Vulnerable; | Vulnerable; | | 12.2SCB | First fixed | First fixed | | | in Release | in Release | | | 12.2SCE | 12.2SCE | |------------+--------------+--------------| | | Vulnerable; | Vulnerable; | | 12.2SCC | First fixed | First fixed | | | in Release | in Release | | | 12.2SCE | 12.2SCE | |------------+--------------+--------------| | | Vulnerable; | Vulnerable; | | 12.2SCD | First fixed | First fixed | | | in Release | in Release | | | 12.2SCE | 12.2SCE | |------------+--------------+--------------| | 12.2SCE | 12.2(33)SCE5 | 12.2(33)SCE6 | |------------+--------------+--------------| | 12.2SCF | 12.2(33)SCF2 | 12.2(33)SCF2 | |------------+--------------+--------------| | | | | | 12.2SE | 12.2(55)SE5 | 12.2(55)SE5 | | | | * | |------------+--------------+--------------| | | Vulnerable; | Vulnerable; | | 12.2SEA | First fixed | First fixed | | | in Release | in Release | | | 12.2SE | 15.0SE | |------------+--------------+--------------| | | Vulnerable; | Vulnerable; | | 12.2SEB | First fixed | First fixed | | | in Release | in Release | | | 12.2SE | 15.0SE | |------------+--------------+--------------| | | Vulnerable; | Vulnerable; | | 12.2SEC | First fixed | First fixed | | | in Release | in Release | | | 12.2SE | 15.0SE | |------------+--------------+--------------| | | Vulnerable; | Vulnerable; | | 12.2SED | First fixed | First fixed | | | in Release | in Release | | | 12.2SE | 15.0SE | |------------+--------------+--------------| | | Vulnerable; | Vulnerable; | | 
12.2SEE | First fixed | First fixed | | | in Release | in Release | | | 12.2SE | 15.0SE | |------------+--------------+--------------| | | Vulnerable; | Vulnerable; | | 12.2SEF | First fixed | First fixed | | | in Release | in Release | | | 12.2SE | 15.0SE | |------------+--------------+--------------| | | Vulnerable; | Vulnerable; | | 12.2SEG | First fixed | First fixed | | | in Release | in Release | | | 15.0SE | 15.0SE | |------------+--------------+--------------| | | 12.2(53)SG7; | 12.2(53)SG7; | | 12.2SG | Available on | Available on | | | 07-MAY-12 | 07-MAY-12 | |------------+--------------+--------------| | | | Vulnerable; | | | | contact your | | | | support | | | | organization | | | Vulnerable; | per the | | 12.2SGA | First fixed | instructions | | | in Release | in Obtaining | | | 12.2SG | Fixed | | | | Software | | | | section of | | | | this | | | | advisory. | |------------+--------------+--------------| | 12.2SL | Not | Not | | | vulnerable | vulnerable | |------------+--------------+--------------| | | | Vulnerable; | | | | contact your | | | | support | | | | organization | | | | per the | | 12.2SM | Not | instructions | | | vulnerable | in Obtaining | | | | Fixed | | | | Software | | | | section of | | | | this | | | | advisory. | |------------+--------------+--------------| | | | Vulnerable; | | | | contact your | | | | support | | | | organization | | | | per the | | 12.2SO | Not | instructions | | | vulnerable | in Obtaining | | | | Fixed | | | | Software | | | | section of | | | | this | | | | advisory. | |------------+--------------+--------------| | | Vulnerable; | Vulnerable; | | | contact your | contact your | | | support | support | | | organization | organization | | | per the | per the | | 12.2SQ | instructions | instructions | | | in Obtaining | in Obtaining | | | Fixed | Fixed | | | Software | Software | | | section of | section of | | | this | this | | | advisory. | advisory. 
| |------------+--------------+--------------| | | Vulnerable; | Vulnerable; | | 12.2SRA | First fixed | First fixed | | | in Release | in Release | | | 12.2SRD | 12.2SRE | |------------+--------------+--------------| | | Vulnerable; | Vulnerable; | | 12.2SRB | First fixed | First fixed | | | in Release | in Release | | | 12.2SRD | 12.2SRE | |------------+--------------+--------------| | | Vulnerable; | Vulnerable; | | 12.2SRC | First fixed | First fixed | | | in Release | in Release | | | 12.2SRD | 12.2SRE | |------------+--------------+--------------| | | | Vulnerable; | | 12.2SRD | 12.2(33)SRD8 | First fixed | | | | in Release | | | | 12.2SRE | |------------+--------------+--------------| | 12.2SRE | 12.2(33)SRE6 | 12.2(33)SRE6 | |------------+--------------+--------------| | | Vulnerable; | Vulnerable; | | | contact your | contact your | | | support | support | | | organization | organization | | | per the | per the | | 12.2STE | instructions | instructions | | | in Obtaining | in Obtaining | | | Fixed | Fixed | | | Software | Software | | | section of | section of | | | this | this | | | advisory. | advisory. | |------------+--------------+--------------| | | | Vulnerable; | | 12.2SU | Not | First fixed | | | vulnerable | in Release | | | | 15.0M | |------------+--------------+--------------| | | | Releases up | | | | to and | | 12.2SV | Not | including | | | vulnerable | 12.2(18)SV2 | | | | are not | | | | vulnerable. | |------------+--------------+--------------| | | | Vulnerable; | | | | contact your | | | | support | | | | organization | | | | per the | | 12.2SVA | Not | instructions | | | vulnerable | in Obtaining | | | | Fixed | | | | Software | | | | section of | | | | this | | | | advisory. 
| |------------+--------------+--------------| | | | Vulnerable; | | | | contact your | | | | support | | | | organization | | | | per the | | 12.2SVC | Not | instructions | | | vulnerable | in Obtaining | | | | Fixed | | | | Software | | | | section of | | | | this | | | | advisory. | |------------+--------------+--------------| | | | Vulnerable; | | | | contact your | | | | support | | | | organization | | | | per the | | 12.2SVD | Not | instructions | | | vulnerable | in Obtaining | | | | Fixed | | | | Software | | | | section of | | | | this | | | | advisory. | |------------+--------------+--------------| | | | Vulnerable; | | | | contact your | | | | support | | | | organization | | | | per the | | 12.2SVE | Not | instructions | | | vulnerable | in Obtaining | | | | Fixed | | | | Software | | | | section of | | | | this | | | | advisory. | |------------+--------------+--------------| | | | Vulnerable; | | 12.2SW | Not | First fixed | | | vulnerable | in Release | | | | 12.4T | |------------+--------------+--------------| | | | Vulnerable; | | | | contact your | | | | support | | | | organization | | | | per the | | 12.2SX | Not | instructions | | | vulnerable | in Obtaining | | | | Fixed | | | | Software | | | | section of | | | | this | | | | advisory. | |------------+--------------+--------------| | | | Vulnerable; | | | | contact your | | | | support | | | | organization | | | | per the | | 12.2SXA | Not | instructions | | | vulnerable | in Obtaining | | | | Fixed | | | | Software | | | | section of | | | | this | | | | advisory. | |------------+--------------+--------------| | | | Vulnerable; | | | | contact your | | | | support | | | | organization | | | | per the | | 12.2SXB | Not | instructions | | | vulnerable | in Obtaining | | | | Fixed | | | | Software | | | | section of | | | | this | | | | advisory. 
| |------------+--------------+--------------| | | | Vulnerable; | | | | contact your | | | | support | | | | organization | | | | per the | | 12.2SXD | Not | instructions | | | vulnerable | in Obtaining | | | | Fixed | | | | Software | | | | section of | | | | this | | | | advisory. | |------------+--------------+--------------| | | | Vulnerable; | | | | contact your | | | | support | | | | organization | | | | per the | | 12.2SXE | Not | instructions | | | vulnerable | in Obtaining | | | | Fixed | | | | Software | | | | section of | | | | this | | | | advisory. | |------------+--------------+--------------| | | | Vulnerable; | | | | contact your | | | | support | | | | organization | | | | per the | | 12.2SXF | Not | instructions | | | vulnerable | in Obtaining | | | | Fixed | | | | Software | | | | section of | | | | this | | | | advisory. | |------------+--------------+--------------| | | Vulnerable; | Vulnerable; | | | contact your | contact your | | | support | support | | | organization | organization | | | per the | per the | | 12.2SXH | instructions | instructions | | | in Obtaining | in Obtaining | | | Fixed | Fixed | | | Software | Software | | | section of | section of | | | this | this | | | advisory. | advisory. | |------------+--------------+--------------| | 12.2SXI | 12.2(33)SXI9 | 12.2(33)SXI9 | |------------+--------------+--------------| | 12.2SXJ | 12.2(33)SXJ2 | 12.2(33)SXJ2 | |------------+--------------+--------------| | | 12.2(50)SY2; | | | | Available on | | | | 11-JUN-12 | | | | Releases up | 12.2(50)SY2; | | 12.2SY | to and | Available on | | | including | 11-JUN-12 | | | 12.2(14)SY5 | | | | are not | | | | vulnerable. 
| | |------------+--------------+--------------| | | | Vulnerable; | | 12.2SZ | Not | First fixed | | | vulnerable | in Release | | | | 12.0S | |------------+--------------+--------------| | | | Vulnerable; | | 12.2T | Not | First fixed | | | vulnerable | in Release | | | | 15.0M | |------------+--------------+--------------| | | | Vulnerable; | | | | contact your | | | | support | | | | organization | | | | per the | | 12.2TPC | Not | instructions | | | vulnerable | in Obtaining | | | | Fixed | | | | Software | | | | section of | | | | this | | | | advisory. | |------------+--------------+--------------| | | | Vulnerable; | | 12.2XA | Not | First fixed | | | vulnerable | in Release | | | | 15.0M | |------------+--------------+--------------| | | | Vulnerable; | | 12.2XB | Not | First fixed | | | vulnerable | in Release | | | | 15.0M | |------------+--------------+--------------| | | | Vulnerable; | | 12.2XC | Not | First fixed | | | vulnerable | in Release | | | | 15.0M | |------------+--------------+--------------| | | | Vulnerable; | | 12.2XD | Not | First fixed | | | vulnerable | in Release | | | | 15.0M | |------------+--------------+--------------| | | | Vulnerable; | | 12.2XE | Not | First fixed | | | vulnerable | in Release | | | | 15.0M | |------------+--------------+--------------| | | | Vulnerable; | | 12.2XF | Not | First fixed | | | vulnerable | in Release | | | | 15.0M | |------------+--------------+--------------| | | | Vulnerable; | | 12.2XG | Not | First fixed | | | vulnerable | in Release | | | | 15.0M | |------------+--------------+--------------| | | | Vulnerable; | | 12.2XH | Not | First fixed | | | vulnerable | in Release | | | | 15.0M | |------------+--------------+--------------| | | | Vulnerable; | | 12.2XI | Not | First fixed | | | vulnerable | in Release | | | | 15.0M | |------------+--------------+--------------| | | | Vulnerable; | | 12.2XJ | Not | First fixed | | | vulnerable | in Release | | | | 15.0M | 
|------------+--------------+--------------| | | | Vulnerable; | | 12.2XK | Not | First fixed | | | vulnerable | in Release | | | | 15.0M | |------------+--------------+--------------| | | | Vulnerable; | | 12.2XL | Not | First fixed | | | vulnerable | in Release | | | | 15.0M | |------------+--------------+--------------| | | | Vulnerable; | | 12.2XM | Not | First fixed | | | vulnerable | in Release | | | | 15.0M | |------------+--------------+--------------| | | Please see | Please see | | 12.2XNA | Cisco IOS-XE | Cisco IOS-XE | | | Software | Software | | | Availability | Availability | |------------+--------------+--------------| | | Please see | Please see | | 12.2XNB | Cisco IOS-XE | Cisco IOS-XE | | | Software | Software | | | Availability | Availability | |------------+--------------+--------------| | | Please see | Please see | | 12.2XNC | Cisco IOS-XE | Cisco IOS-XE | | | Software | Software | | | Availability | Availability | |------------+--------------+--------------| | | Please see | Please see | | 12.2XND | Cisco IOS-XE | Cisco IOS-XE | | | Software | Software | | | Availability | Availability | |------------+--------------+--------------| | | Please see | Please see | | 12.2XNE | Cisco IOS-XE | Cisco IOS-XE | | | Software | Software | | | Availability | Availability | |------------+--------------+--------------| | | Please see | Please see | | 12.2XNF | Cisco IOS-XE | Cisco IOS-XE | | | Software | Software | | | Availability | Availability | |------------+--------------+--------------| | | | Vulnerable; | | | | contact your | | | | support | | | | organization | | | Vulnerable; | per the | | 12.2XO | First fixed | instructions | | | in Release | in Obtaining | | | 12.2SG | Fixed | | | | Software | | | | section of | | | | this | | | | advisory. 
| |------------+--------------+--------------| | | | Vulnerable; | | 12.2XQ | Not | First fixed | | | vulnerable | in Release | | | | 15.0M | |------------+--------------+--------------| | | | Releases | | | | prior to | | | | 12.2(15)XR | | | | are | | | | vulnerable; | | | Not | Releases | | 12.2XR | vulnerable | 12.2(15)XR | | | | and later | | | | are not | | | | vulnerable. | | | | First fixed | | | | in Release | | | | 15.0M | |------------+--------------+--------------| | | | Vulnerable; | | 12.2XS | Not | First fixed | | | vulnerable | in Release | | | | 15.0M | |------------+--------------+--------------| | | | Vulnerable; | | 12.2XT | Not | First fixed | | | vulnerable | in Release | | | | 15.0M | |------------+--------------+--------------| | | | Vulnerable; | | 12.2XU | Not | First fixed | | | vulnerable | in Release | | | | 15.0M | |------------+--------------+--------------| | | | Vulnerable; | | 12.2XV | Not | First fixed | | | vulnerable | in Release | | | | 15.0M | |------------+--------------+--------------| | | | Vulnerable; | | 12.2XW | Not | First fixed | | | vulnerable | in Release | | | | 15.0M | |------------+--------------+--------------| | | | Vulnerable; | | 12.2YA | Not | First fixed | | | vulnerable | in Release | | | | 15.0M | |------------+--------------+--------------| | | | Vulnerable; | | | | contact your | | | | support | | | | organization | | | | per the | | 12.2YC | Not | instructions | | | vulnerable | in Obtaining | | | | Fixed | | | | Software | | | | section of | | | | this | | | | advisory. | |------------+--------------+--------------| | | | Vulnerable; | | | | contact your | | | | support | | | | organization | | | | per the | | 12.2YD | Not | instructions | | | vulnerable | in Obtaining | | | | Fixed | | | | Software | | | | section of | | | | this | | | | advisory. 
| |------------+--------------+--------------| | | | Vulnerable; | | | | contact your | | | | support | | | | organization | | | | per the | | 12.2YE | Not | instructions | | | vulnerable | in Obtaining | | | | Fixed | | | | Software | | | | section of | | | | this | | | | advisory. | |------------+--------------+--------------| | | | Vulnerable; | | | | contact your | | | | support | | | | organization | | | | per the | | 12.2YK | Not | instructions | | | vulnerable | in Obtaining | | | | Fixed | | | | Software | | | | section of | | | | this | | | | advisory. | |------------+--------------+--------------| | | | Vulnerable; | | | | contact your | | | | support | | | | organization | | | | per the | | 12.2YO | Not | instructions | | | vulnerable | in Obtaining | | | | Fixed | | | | Software | | | | section of | | | | this | | | | advisory. | |------------+--------------+--------------| | | | Vulnerable; | | | | First fixed | | | | in Release | | | | 15.0M | | 12.2YP | Not | Releases up | | | vulnerable | to and | | | | including | | | | 12.2(8)YP | | | | are not | | | | vulnerable. | |------------+--------------+--------------| | | | Vulnerable; | | | | contact your | | | | support | | | | organization | | | | per the | | 12.2YT | Not | instructions | | | vulnerable | in Obtaining | | | | Fixed | | | | Software | | | | section of | | | | this | | | | advisory. | |------------+--------------+--------------| | | | Vulnerable; | | | | contact your | | | | support | | | | organization | | | | per the | | 12.2YW | Not | instructions | | | vulnerable | in Obtaining | | | | Fixed | | | | Software | | | | section of | | | | this | | | | advisory. | |------------+--------------+--------------| | | | Vulnerable; | | | | contact your | | | | support | | | | organization | | | | per the | | 12.2YX | Not | instructions | | | vulnerable | in Obtaining | | | | Fixed | | | | Software | | | | section of | | | | this | | | | advisory. 
| |------------+--------------+--------------| | | | Vulnerable; | | | | contact your | | | | support | | | | organization | | | | per the | | 12.2YY | Not | instructions | | | vulnerable | in Obtaining | | | | Fixed | | | | Software | | | | section of | | | | this | | | | advisory. | |------------+--------------+--------------| | | | Vulnerable; | | | | contact your | | | | support | | | | organization | | | | per the | | 12.2YZ | Not | instructions | | | vulnerable | in Obtaining | | | | Fixed | | | | Software | | | | section of | | | | this | | | | advisory. | |------------+--------------+--------------| | | | Vulnerable; | | | | contact your | | | | support | | | | organization | | | | per the | | 12.2ZA | Not | instructions | | | vulnerable | in Obtaining | | | | Fixed | | | | Software | | | | section of | | | | this | | | | advisory. | |------------+--------------+--------------| | | | Vulnerable; | | | | contact your | | | | support | | | | organization | | | | per the | | 12.2ZB | Not | instructions | | | vulnerable | in Obtaining | | | | Fixed | | | | Software | | | | section of | | | | this | | | | advisory. | |------------+--------------+--------------| | | | Vulnerable; | | | | contact your | | | | support | | | | organization | | | | per the | | 12.2ZC | Not | instructions | | | vulnerable | in Obtaining | | | | Fixed | | | | Software | | | | section of | | | | this | | | | advisory. | |------------+--------------+--------------| | | | Vulnerable; | | | | contact your | | | | support | | | | organization | | | | per the | | 12.2ZD | Not | instructions | | | vulnerable | in Obtaining | | | | Fixed | | | | Software | | | | section of | | | | this | | | | advisory. 
| |------------+--------------+--------------| | | | Vulnerable; | | 12.2ZE | Not | First fixed | | | vulnerable | in Release | | | | 15.0M | |------------+--------------+--------------| | | Vulnerable; | Vulnerable; | | 12.2ZH | First fixed | First fixed | | | in Release | in Release | | | 12.4 | 15.0M | |------------+--------------+--------------| | | | Vulnerable; | | | | contact your | | | | support | | | | organization | | | | per the | | 12.2ZJ | Not | instructions | | | vulnerable | in Obtaining | | | | Fixed | | | | Software | | | | section of | | | | this | | | | advisory. | |------------+--------------+--------------| | | | Vulnerable; | | | | contact your | | | | support | | | | organization | | | | per the | | 12.2ZP | Not | instructions | | | vulnerable | in Obtaining | | | | Fixed | | | | Software | | | | section of | | | | this | | | | advisory. | |------------+--------------+--------------| | | | Vulnerable; | | | | contact your | | | | support | | | | organization | | | | per the | | 12.2ZU | Not | instructions | | | vulnerable | in Obtaining | | | | Fixed | | | | Software | | | | section of | | | | this | | | | advisory. | |------------+--------------+--------------| | | | Vulnerable; | | 12.2ZX | Not | First fixed | | | vulnerable | in Release | | | | 12.2SRE | |------------+--------------+--------------| | | | Vulnerable; | | | | contact your | | | | support | | | | organization | | | | per the | | 12.2ZY | Not | instructions | | | vulnerable | in Obtaining | | | | Fixed | | | | Software | | | | section of | | | | this | | | | advisory. | |------------+--------------+--------------| | | | Vulnerable; | | | | contact your | | | | support | | | | organization | | | | per the | | 12.2ZYA | Not | instructions | | | vulnerable | in Obtaining | | | | Fixed | | | | Software | | | | section of | | | | this | | | | advisory. 
| |------------+--------------+--------------| | | | First Fixed | | | | Release for | | | | All | | | | Advisories | | Affected | First Fixed | in the March | | 12.3-Based | Release | 2012 Cisco | | Releases | | IOS Software | | | | Security | | | | Advisory | | | | Bundled | | | | Publication | |------------+--------------+--------------| | | Vulnerable; | Vulnerable; | | 12.3 | First fixed | First fixed | | | in Release | in Release | | | 12.4 | 15.0M | |------------+--------------+--------------| | | Vulnerable; | Vulnerable; | | 12.3B | First fixed | First fixed | | | in Release | in Release | | | 12.4 | 15.0M | |------------+--------------+--------------| | | Vulnerable; | Vulnerable; | | 12.3BC | First fixed | First fixed | | | in Release | in Release | | | 12.2SCE | 12.2SCE | |------------+--------------+--------------| | | Vulnerable; | Vulnerable; | | 12.3BW | First fixed | First fixed | | | in Release | in Release | | | 12.4 | 15.0M | |------------+--------------+--------------| | | Vulnerable; | Vulnerable; | | 12.3JA | First fixed | First fixed | | | in Release | in Release | | | 12.4JA | 12.4JA | |------------+--------------+--------------| | | Vulnerable; | Vulnerable; | | | contact your | contact your | | | support | support | | | organization | organization | | | per the | per the | | 12.3JEA | instructions | instructions | | | in Obtaining | in Obtaining | | | Fixed | Fixed | | | Software | Software | | | section of | section of | | | this | this | | | advisory. | advisory. | |------------+--------------+--------------| | | Vulnerable; | Vulnerable; | | | contact your | contact your | | | support | support | | | organization | organization | | | per the | per the | | 12.3JEB | instructions | instructions | | | in Obtaining | in Obtaining | | | Fixed | Fixed | | | Software | Software | | | section of | section of | | | this | this | | | advisory. | advisory. 
| |------------+--------------+--------------| | | Vulnerable; | Vulnerable; | | | contact your | contact your | | | support | support | | | organization | organization | | | per the | per the | | 12.3JEC | instructions | instructions | | | in Obtaining | in Obtaining | | | Fixed | Fixed | | | Software | Software | | | section of | section of | | | this | this | | | advisory. | advisory. | |------------+--------------+--------------| | | Vulnerable; | Vulnerable; | | | contact your | contact your | | | support | support | | | organization | organization | | | per the | per the | | 12.3JED | instructions | instructions | | | in Obtaining | in Obtaining | | | Fixed | Fixed | | | Software | Software | | | section of | section of | | | this | this | | | advisory. | advisory. | |------------+--------------+--------------| | | Vulnerable; | Vulnerable; | | 12.3JK | First fixed | First fixed | | | in Release | in Release | | | 12.4 | 15.0M | |------------+--------------+--------------| | | Vulnerable; | Vulnerable; | | | contact your | contact your | | | support | support | | | organization | organization | | | per the | per the | | 12.3JL | instructions | instructions | | | in Obtaining | in Obtaining | | | Fixed | Fixed | | | Software | Software | | | section of | section of | | | this | this | | | advisory. | advisory. | |------------+--------------+--------------| | 12.3JX | Not | Not | | | vulnerable | vulnerable | |------------+--------------+--------------| | | Vulnerable; | Vulnerable; | | 12.3T | First fixed | First fixed | | | in Release | in Release | | | 12.4 | 15.0M | |------------+--------------+--------------| | | Vulnerable; | Vulnerable; | | | contact your | contact your | | | support | support | | | organization | organization | | | per the | per the | | 12.3TPC | instructions | instructions | | | in Obtaining | in Obtaining | | | Fixed | Fixed | | | Software | Software | | | section of | section of | | | this | this | | | advisory. | advisory. 
| 12.3VA | Not vulnerable | Not vulnerable |
| 12.3XA | Vulnerable; First fixed in Release 12.4 | Vulnerable; First fixed in Release 15.0M |
| 12.3XB | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.3XC | Vulnerable; First fixed in Release 12.4 | Vulnerable; First fixed in Release 15.0M |
| 12.3XD | Vulnerable; First fixed in Release 12.4 | Vulnerable; First fixed in Release 15.0M |
| 12.3XE | Vulnerable; First fixed in Release 12.4 | Vulnerable; First fixed in Release 15.0M |
| 12.3XF | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.3XG | Vulnerable; First fixed in Release 12.4 | Vulnerable; First fixed in Release 15.0M |
| 12.3XI | Vulnerable; First fixed in Release 12.2SB | Vulnerable; First fixed in Release 12.2SRE |
| 12.3XJ | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
| 12.3XK | Vulnerable; First fixed in Release 12.4 | Vulnerable; First fixed in Release 15.0M |
| 12.3XL | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
| 12.3XQ | Vulnerable; First fixed in Release 12.4 | Vulnerable; First fixed in Release 15.0M |
| 12.3XR | Vulnerable; First fixed in Release 12.4 | Vulnerable; First fixed in Release 15.0M |
| 12.3XU | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 12.4T |
| 12.3XW | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
| 12.3XX | Vulnerable; First fixed in Release 12.4 | Vulnerable; First fixed in Release 15.0M |
| 12.3XY | Vulnerable; First fixed in Release 12.4 | Vulnerable; First fixed in Release 15.0M |
| 12.3XZ | Vulnerable; First fixed in Release 12.4 | Vulnerable; First fixed in Release 15.0M |
| 12.3YD | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
| 12.3YF | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
| 12.3YG | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
| 12.3YI | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
| 12.3YJ | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
| 12.3YK | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
| 12.3YM | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
| 12.3YQ | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
| 12.3YS | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
| 12.3YT | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
| 12.3YU | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
| 12.3YX | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
| 12.3YZ | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.3ZA | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
+------------+--------------+--------------+

+------------+--------------+--------------+
| Affected 12.4-Based Releases | First Fixed Release | First Fixed Release for All Advisories in the March 2012 Cisco IOS Software Security Advisory Bundled Publication |
|------------+--------------+--------------|
| 12.4 | 12.4(25g); Available on 19-SEP-12 | Vulnerable; First fixed in Release 15.0M |
| 12.4GC | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.4JA | 12.4(23c)JA4; 12.4(25d)JA2 (Available on 01-AUG-12); 12.4(25e)JA | 12.4(23c)JA4; 12.4(25e)JA |
| 12.4JAX | Vulnerable; First fixed in Release 12.4JA | Vulnerable; First fixed in Release 12.4JA |
| 12.4JDA | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.4JDC | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.4JDD | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.4JDE | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.4JHA | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.4JHB | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.4JHC | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.4JK | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.4JL | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.4JX | Vulnerable; First fixed in Release 12.4JA | Vulnerable; First fixed in Release 12.4JA |
| 12.4JY | Vulnerable; First fixed in Release 12.4JA | Vulnerable; First fixed in Release 12.4JA |
| 12.4JZ | Vulnerable; First fixed in Release 12.4JA | Vulnerable; First fixed in Release 12.4JA |
| 12.4MD | 12.4(22)MD3; Available on 30-MAR-12 | 12.4(22)MD3; Available on 30-MAR-12 |
| 12.4MDA | 12.4(24)MDA11 | 12.4(24)MDA11 |
| 12.4MDB | 12.4(24)MDB5a | 12.4(24)MDB5a |
| 12.4MDC | Not vulnerable | Not vulnerable |
| 12.4MR | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.4MRA | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.4MRB | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
| 12.4SW | 12.4(15)SW8a | Vulnerable; First fixed in Release 15.0M |
| 12.4T | 12.4(15)T17; 12.4(24)T7 | 12.4(15)T17; 12.4(24)T7 |
| 12.4XA | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
| 12.4XB | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 12.4T |
| 12.4XC | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
| 12.4XD | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
| 12.4XE | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
| 12.4XF | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
| 12.4XG | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
| 12.4XJ | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
| 12.4XK | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
| 12.4XL | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.4XM | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
| 12.4XN | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.4XP | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.4XQ | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
| 12.4XR | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 12.4T |
| 12.4XT | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
| 12.4XV | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.4XW | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
| 12.4XY | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
| 12.4XZ | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
| 12.4YA | Vulnerable; First fixed in Release 12.4T | Vulnerable; First fixed in Release 15.0M |
| 12.4YB | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.4YD | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 12.4YE | 12.4(24)YE3d | 12.4(24)YE3d |
| 12.4YG | 12.4(24)YG4 | 12.4(24)YG4 |
+------------+--------------+--------------+

+------------+--------------+--------------+
| Affected 15.0-Based Releases | First Fixed Release | First Fixed Release for All Advisories in the March 2012 Cisco IOS Software Security Advisory Bundled Publication |
|------------+--------------+--------------|
| 15.0M | 15.0(1)M8 | 15.0(1)M8 |
| 15.0MR | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 15.0MRA | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 15.0S | 15.0(1)S5. Cisco IOS XE devices: Please see Cisco IOS XE Software Availability | 15.0(1)S5. Cisco IOS XE devices: Please see Cisco IOS XE Software Availability |
| 15.0SA | Not vulnerable | Not vulnerable |
| 15.0SE | 15.0(1)SE1; 15.0(2)SE (Available on 06-AUG-12) | 15.0(1)SE1 |
| 15.0SG | 15.0(2)SG2. Cisco IOS XE devices: Please see Cisco IOS XE Software Availability | 15.0(2)SG2. Cisco IOS XE devices: Please see Cisco IOS XE Software Availability |
| 15.0SY | 15.0(1)SY1 | 15.0(1)SY1 |
| 15.0XA | Vulnerable; First fixed in Release 15.1T | Vulnerable; First fixed in Release 15.1T |
| 15.0XO | Vulnerable; First fixed in Release 15.0SG. Cisco IOS XE devices: Please see Cisco IOS XE Software Availability | Vulnerable; First fixed in Release 15.0SG. Cisco IOS XE devices: Please see Cisco IOS XE Software Availability |
+------------+--------------+--------------+

+------------+--------------+--------------+
| Affected 15.1-Based Releases | First Fixed Release | First Fixed Release for All Advisories in the March 2012 Cisco IOS Software Security Advisory Bundled Publication |
|------------+--------------+--------------|
| 15.1EY | 15.1(2)EY1a | 15.1(2)EY2 |
| 15.1GC | 15.1(2)GC2 | 15.1(2)GC2 |
| 15.1M | 15.1(4)M2 | 15.1(4)M4; Available on 30-MAR-12 |
| 15.1MR | 15.1(1)MR3 | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 15.1S | 15.1(3)S2. Cisco IOS XE devices: Please see Cisco IOS XE Software Availability | 15.1(3)S2. Cisco IOS XE devices: Please see Cisco IOS XE Software Availability |
| 15.1SG | Not vulnerable | Not vulnerable |
| 15.1SNG | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. | Vulnerable; contact your support organization per the instructions in Obtaining Fixed Software section of this advisory. |
| 15.1SNH | Not vulnerable | Not vulnerable |
| 15.1T | 15.1(1)T4; 15.1(2)T5 (Available on 27-APR-12); 15.1(3)T3 | 15.1(3)T3 |
| 15.1XB | Vulnerable; First fixed in Release 15.1T | Vulnerable; First fixed in Release 15.1T |
+------------+--------------+--------------+

+------------+--------------+--------------+
| Affected 15.2-Based Releases | First Fixed Release | First Fixed Release for All Advisories in the March 2012 Cisco IOS Software Security Advisory Bundled Publication |
|------------+--------------+--------------|
| 15.2GC | 15.2(1)GC1 | 15.2(1)GC2 |
| 15.2S | 15.2(1)S1. Cisco IOS XE devices: Please see Cisco IOS XE Software Availability | 15.2(1)S1. Cisco IOS XE devices: Please see Cisco IOS XE Software Availability |
| 15.2T | 15.2(1)T1; 15.2(2)T; 15.2(2)T1 | 15.2(1)T2; 15.2(2)T1; 15.2(3)T (Available on 30-MAR-12) |
+------------+--------------+--------------+

* Cisco Catalyst 3550 Series Switches support the Internet Key Exchange
  (IKE) feature and are vulnerable to Cisco bug ID CSCts38429 when the
  devices are running Layer 3 images; however, this product reached the
  End of Software Maintenance milestone. Cisco 3550 Series SMI Switches
  that are running Layer 2 images do not support IKE and are not
  vulnerable. No other Cisco devices that run 12.2SE-based software are
  vulnerable.

Cisco IOS XE Software
+--------------------

Cisco IOS XE Software is affected by the vulnerability that is disclosed
in this document.

+----------+-------------+--------------+
| Cisco IOS XE Software Release | First Fixed Release | First Fixed Release for All Advisories in the March 2012 Cisco IOS Software Security Advisory Bundled Publication |
|----------+-------------+--------------|
| 2.1.x | Vulnerable; migrate to 3.1.2S or later. | Vulnerable; migrate to 3.4.2S or later. |
| 2.2.x | Vulnerable; migrate to 3.1.2S or later. | Vulnerable; migrate to 3.4.2S or later. |
| 2.3.x | Vulnerable; migrate to 3.1.2S or later. | Vulnerable; migrate to 3.4.2S or later. |
| 2.4.x | Vulnerable; migrate to 3.1.2S or later. | Vulnerable; migrate to 3.4.2S or later. |
| 2.5.x | Vulnerable; migrate to 3.1.2S or later. | Vulnerable; migrate to 3.4.2S or later. |
| 2.6.x | Vulnerable; migrate to 3.1.2S or later. | Vulnerable; migrate to 3.4.2S or later. |
| 3.1.xS | 3.1.2S | Vulnerable; migrate to 3.4.2S or later. |
| 3.1.xSG | Vulnerable; migrate to 3.2.2SG or later. | Vulnerable; migrate to 3.2.2SG or later. |
| 3.2.xS | Vulnerable; migrate to 3.4.2S or later. | Vulnerable; migrate to 3.4.2S or later. |
| 3.2.xSG | 3.2.2SG | 3.2.2SG |
| 3.3.xS | Vulnerable; migrate to 3.4.2S or later. | Vulnerable; migrate to 3.4.2S or later. |
| 3.2.xSG | Not vulnerable | Not vulnerable |
| 3.4.xS | 3.4.2S | 3.4.2S |
| 3.5.xS | 3.5.1S | 3.5.1S |
| 3.6.xS | Not vulnerable | Not vulnerable |
+----------+-------------+--------------+

For a mapping of Cisco IOS XE Software releases to Cisco IOS Software
releases, refer to Cisco IOS XE 2 Release Notes, Cisco IOS XE 3S Release
Notes, and Cisco IOS XE 3SG Release Notes.

Cisco IOS XR Software
+--------------------

Cisco IOS XR Software is not affected by any of the vulnerabilities
disclosed in the March 2012 Cisco IOS Software Security Advisory Bundled
Publication.

Workarounds
===========

If the HTTP and HTTPS servers are not required, they may be disabled with
the commands no ip http server and no ip http secure-server. However, if
web services are required, a feature was introduced in 12.3(14)T and
later in which selective HTTP and HTTPS services could be enabled or
disabled.
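Added example (not part of the advisory and not Cisco code): a Python audit that checks a device against the two workarounds this section describes, parsing 'show ip http server session-module' output to confirm WEB_EXEC is inactive, generating the 'ip http session-module-list' line that leaves WEB_EXEC out, and checking that 'ip http access-class' points at an ACL permitting only specific sources. The show-output rows and running-config fragments it embeds are constructed samples patterned on the command output and ACL shown in the procedure that follows.

```python
"""Audit a Cisco IOS device against the HTTP-server workarounds described in
this advisory: either the HTTP/HTTPS servers are disabled, or the WEB_EXEC
session module is inactive and 'ip http access-class' limits the server to
trusted sources. Inputs are text captures of 'show ip http server
session-module' and 'show running-config'. Added example, not Cisco code;
every capture below is a constructed sample (addresses are made up)."""
import re

# Constructed: layout of 'show ip http server session-module' after the
# advisory's step 3 has been applied (WEB_EXEC reported Inactive).
SESSION_MODULES_AFTER = """\
HTTP server application session modules:
Session module Name   Handle  Status    Secure-status  Description
HTTP_IFS              1       Active    Active         HTTP based IOS File Server
HOME_PAGE             2       Active    Active         IOS Homepage Server
WEB_EXEC              5       Inactive  Inactive       HTTP based IOS EXEC Server
IXI                   6       Active    Active         IOS XML Infra Application Server
"""

# Constructed: the same capture before the workaround (WEB_EXEC still Active).
SESSION_MODULES_BEFORE = SESSION_MODULES_AFTER.replace("Inactive  Inactive", "Active    Active  ")

# Constructed running-config fragment with the advisory's recommended ACL applied.
RUNNING_CONFIG_OK = """\
ip http server
ip http secure-server
ip http access-class 20
ip http active-session-modules exclude_webexec
ip http secure-active-session-modules exclude_webexec
!
ip access-list standard 20
 permit 192.168.1.0 0.0.0.255
 remark "Above is a trusted subnet"
!
"""

# One data row of the show output: name, handle, Status, Secure-status, description.
MODULE_RE = re.compile(r"^(\S+)\s+\d+\s+(Active|Inactive)\s+(Active|Inactive)\s", re.M)


def parse_session_modules(text):
    """Return {module_name: (status, secure_status)} from the show output."""
    return {m.group(1): (m.group(2), m.group(3)) for m in MODULE_RE.finditer(text)}


def exclusion_list_command(modules, exclude="WEB_EXEC", name="exclude_webexec"):
    """Step 2 of the advisory: the session-module-list that keeps every module but `exclude`."""
    keep = [n for n in modules if n != exclude]
    return f"ip http session-module-list {name} {','.join(keep)}"


def acl_permits(config, acl):
    """Permit entries of a standard ACL, in the named-block form the advisory uses
    ('ip access-list standard 20' followed by indented entries) or the legacy
    one-line 'access-list 20 permit ...' form."""
    permits = []
    block = re.search(rf"^ip access-list standard {re.escape(acl)}[ \t]*\n((?:[ \t]+.*\n?)*)",
                      config, re.M)
    if block:
        entries = (line.strip() for line in block.group(1).splitlines())
        permits += [e[len("permit "):] for e in entries if e.startswith("permit ")]
    permits += re.findall(rf"^access-list {re.escape(acl)} permit (.*)$", config, re.M)
    return [p.strip() for p in permits]


def audit_http_server(config, session_modules_output):
    """Return a list of findings; an empty list means the device follows the workaround."""
    http_on = re.search(r"^ip http server[ \t]*$", config, re.M) is not None
    https_on = re.search(r"^ip http secure-server[ \t]*$", config, re.M) is not None
    if not (http_on or https_on):
        return []  # 'no ip http server' / 'no ip http secure-server': nothing exposed
    findings = []
    modules = parse_session_modules(session_modules_output)
    status, secure_status = modules.get("WEB_EXEC", ("Unknown", "Unknown"))
    if http_on and status != "Inactive":
        findings.append(f"WEB_EXEC is {status} over HTTP; apply 'ip http active-session-modules' "
                        "with a list that excludes it")
    if https_on and secure_status != "Inactive":
        findings.append(f"WEB_EXEC is {secure_status} over HTTPS; apply 'ip http "
                        "secure-active-session-modules' with a list that excludes it")
    m = re.search(r"^ip http access-class (\S+)", config, re.M)
    if not m:
        findings.append("no 'ip http access-class' applied; HTTP server reachable from any source")
        return findings
    acl = m.group(1)
    permits = acl_permits(config, acl)
    if not permits:
        findings.append(f"access-class {acl} has no permit entries or the ACL is missing")
    elif any(p.split()[0] == "any" or p.startswith("0.0.0.0 255.255.255.255") for p in permits):
        findings.append(f"access-class {acl} permits any source; restrict it to trusted hosts")
    return findings


if __name__ == "__main__":
    print(exclusion_list_command(parse_session_modules(SESSION_MODULES_BEFORE)))
    for label, capture in (("before", SESSION_MODULES_BEFORE), ("after", SESSION_MODULES_AFTER)):
        print(label, audit_http_server(RUNNING_CONFIG_OK, capture) or ["compliant"])
```

Run against real captures, the generated session-module-list line should be compared with the device's full module table rather than the four-row sample, since the module set differs between images.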
The WEB_EXEC service provides a facility to configure the device and
retrieve the current state of the device from remote clients. It is
possible to disable the WEB_EXEC service while still leaving other HTTP
services active. If an installation does not require the use of the
WEB_EXEC service, it may be disabled using the following procedure:

1. Verify the list of all session modules.

    Router# show ip http server session-module
    HTTP server application session modules:
    Session module Name   Handle  Status    Secure-status  Description
    HTTP_IFS              1       Active    Active         HTTP based IOS File Server
    HOME_PAGE             2       Active    Active         IOS Homepage Server
    QDM                   3       Active    Active         QOS Device Manager Server
    QDM_SA                4       Active    Active         QOS Device Manager Signed Applet Server
    WEB_EXEC              5       Active    Active         HTTP based IOS EXEC Server
    IXI                   6       Active    Active         IOS XML Infra Application Server
    IDCONF                7       Active    Active         IDCONF HTTP(S) Server
    XSM                   8       Active    Active         XML Session Manager
    VDM                   9       Active    Active         VPN Device Manager Server
    XML_Api               10      Active    Active         XML Api
    ITS                   11      Active    Active         IOS Telephony Service
    ITS_LOCDIR            12      Active    Active         ITS Local Directory Search
    CME_SERVICE_URL       13      Active    Active         CME Service URL
    CME_AUTH_SRV_LOGIN    14      Active    Active         CME Authentication Server
    IPS_SDEE              15      Active    Active         IOS IPS SDEE Server
    tti-petitioner        16      Active    Active         TTI Petitioner

2. Create a list of the session modules that are required; in this
   example it is everything other than WEB_EXEC.

    Router# configure terminal
    Router(config)# ip http session-module-list exclude_webexec HTTP_IFS,HOME_PAGE,QDM,QDM_SA,IXI,IDCONF,XSM,VDM,XML_Api,ITS,ITS_LOCDIR,CME_SERVICE_URL,CME_AUTH_SRV_LOGIN,IPS_SDEE,tti-petitioner

3. Selectively enable the HTTP/HTTPS applications that will service
   incoming HTTP requests from remote clients.

    Router(config)# ip http active-session-modules exclude_webexec
    Router(config)# ip http secure-active-session-modules exclude_webexec
    Router(config)# exit

4. Verify the list of all session modules, and ensure WEB_EXEC is not
   active.

    Router# show ip http server session-module
    HTTP server application session modules:
    Session module Name   Handle  Status    Secure-status  Description
    HTTP_IFS              1       Active    Active         HTTP based IOS File Server
    HOME_PAGE             2       Active    Active         IOS Homepage Server
    QDM                   3       Active    Active         QOS Device Manager Server
    QDM_SA                4       Active    Active         QOS Device Manager Signed Applet Server
    WEB_EXEC              5       Inactive  Inactive       HTTP based IOS EXEC Server
    IXI                   6       Active    Active         IOS XML Infra Application Server
    IDCONF                7       Active    Active         IDCONF HTTP(S) Server
    XSM                   8       Active    Active         XML Session Manager
    VDM                   9       Active    Active         VPN Device Manager Server
    XML_Api               10      Active    Active         XML Api
    ITS                   11      Active    Active         IOS Telephony Service
    ITS_LOCDIR            12      Active    Active         ITS Local Directory Search
    CME_SERVICE_URL       13      Active    Active         CME Service URL
    CME_AUTH_SRV_LOGIN    14      Active    Active         CME Authentication Server
    IPS_SDEE              15      Active    Active         IOS IPS SDEE Server
    tti-petitioner        16      Active    Active         TTI Petitioner

For further information on the selective enabling of applications using
an HTTP or secure HTTP server, consult the Cisco IOS network management
configuration guide, release 12.4T, at:

http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_http_app_enable.html

If the HTTP server and WEB_EXEC service are required, it is a recommended
best practice to limit which hosts may access the HTTP server to allow
only trusted sources. An access list can be applied to the HTTP server
to limit which hosts are permitted access. To apply an access list to
the HTTP server, use the following command in global configuration mode:
ip http access-class {access-list-number | access-list-name}.

The following example shows an access list that allows only trusted
hosts to access the Cisco IOS HTTP server:

    ip access-list standard 20
     permit 192.168.1.0 0.0.0.255
     remark "Above is a trusted subnet"
     remark "Add further trusted subnets or hosts below"
    !
    (Note: all other access implicitly denied)
    !
    (Apply the access-list to the http server)
    ip http access-class 20

For additional information on configuring the Cisco IOS HTTP server,
consult Using the Cisco Web Browser User Interface.

Obtaining Fixed Software
========================

Cisco has released free software updates that address the vulnerability
described in this advisory. Prior to deploying software, customers are
advised to consult their maintenance providers or check the software for
feature set compatibility and known issues that are specific to their
environments.

Customers may only install and expect support for feature sets they have
purchased. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license at:

http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html

or as set forth at http://www.cisco.com/public/sw-center/sw-usingswc.shtml

Do not contact psirt at cisco.com or security-alert at cisco.com for
software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, upgrades should be obtained
through the Software Center on Cisco.com at:

http://www.cisco.com

Customers Using Third-Party Support Organizations
+------------------------------------------------

Customers with Cisco products that are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers,
should contact that organization for assistance with the appropriate
course of action.

The effectiveness of any workaround or fix depends on specific customer
situations, such as product mix, network topology, traffic behavior, and
organizational mission. Because of the variety of affected products and
releases, customers should consult their service providers or support
organizations to ensure that any applied workaround or fix is the most
appropriate in the intended network before it is deployed.

Customers Without Service Contracts
+----------------------------------

Customers who purchase directly from Cisco but do not hold a Cisco
service contract and customers who make purchases through third-party
vendors but are unsuccessful in obtaining fixed software through their
point of sale should obtain upgrades by contacting the Cisco Technical
Assistance Center (TAC):

* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac at cisco.com

Customers should have the product serial number available and be
prepared to provide the URL of this advisory as evidence of entitlement
to a free upgrade. Customers without service contracts should request
free upgrades through the TAC.

Refer to Cisco Worldwide Contacts at:

http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html

for additional TAC contact information, including localized telephone
numbers, instructions, and e-mail addresses for support in various
languages.

Exploitation and Public Announcements
=====================================

The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.

This vulnerability was reported to Cisco TAC by customers observing the
vulnerability during the normal operation of their devices.

Status of This Notice: Final

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT
YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT
AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco Security Intelligence Operations at the
following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-pai

Additionally, a text version of this advisory is clear signed with the
Cisco PSIRT PGP key and circulated among the following e-mail addresses:

* cust-security-announce at cisco.com
* first-bulletins at lists.first.org
* bugtraq at securityfocus.com
* vulnwatch at vulnwatch.org
* cisco at spot.colorado.edu
* cisco-nsp at puck.nether.net
* full-disclosure at lists.grok.org.uk

Future updates of this advisory, if any, will reside on Cisco.com but
may not be announced on mailing lists. Users can monitor this advisory's
URL for any updates.

Revision History
================

+--------------+---------------+------------------------+
| Revision 1.0 | 2012-March-28 | Initial public release |
+--------------+---------------+------------------------+

Cisco Security Procedures
=========================

Complete information about reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering
to receive security information from Cisco is available on Cisco.com at:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

This web page includes instructions for press inquiries regarding Cisco
Security Advisories. All Cisco Security Advisories are available at:

http://www.cisco.com/go/psirt

+--------------------------------------------------------------------
Copyright 2010-2012 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)

iFcDBQFPcfB+QXnnBKKRMNARCG0KAP98319EAgChMCfxp4K0GXiscRX+fBEv/3NF
+CJDx7WA5gD+IcSwDBmEjesJmNj3GyxbjQ9f1WX7jFpUvy81HYDOqko=
=vGZr
-----END PGP SIGNATURE-----

From saku at ytti.fi  Wed Mar 28 12:49:45 2012
From: saku at ytti.fi (Saku Ytti)
Date: Wed, 28 Mar 2012 19:49:45 +0300
Subject: [c-nsp] Is Inter-AS option B supported on Catalyst 6500 SXI code?
In-Reply-To: 
References: 
Message-ID: <20120328164945.GB15169@pob.ytti.fi>

On (2012-03-27 14:00 -0400), schilling wrote:

> I am trying to have catalyst 6500 w/ sup720 3BXL with 12.2(33)SXI5 to
> support ASBR exchanging VPN-IPv4, but 6500 is not allocating labels
> for prefixes learned from eBGP over address family vpnv4.
>
> Does anybody ever have this working? Any catch?

Should work. Are you sure you were actually sending labels? 'send-label' in route-map? Also did you enable MPLS forwarding in interface via 'mpls bgp forwarding'

In my opinion OptionB is useless, you need OptionA if full trust lacks, and otherwise OptC will be more convenient or just native MPLS. RFC4364 page 32 last sentence mandates that OptB should do RPF like label checking. This would guarantee that you only put shared customers at risk, but as this checking is non-existing in every vendor (IOS XR supposedly is getting it), it removes the usage case.

-- 
  ++ytti

From schilling2006 at gmail.com  Wed Mar 28 13:22:00 2012
From: schilling2006 at gmail.com (schilling)
Date: Wed, 28 Mar 2012 13:22:00 -0400
Subject: [c-nsp] Is Inter-AS option B supported on Catalyst 6500 SXI code?
In-Reply-To: <20120328164945.GB15169@pob.ytti.fi>
References: <20120328164945.GB15169@pob.ytti.fi>
Message-ID: 

Thanks all for the advice. I figured out with TAC. The label is filtered by my label advertisement filter.
Schilling

On Wed, Mar 28, 2012 at 12:49 PM, Saku Ytti wrote:
> On (2012-03-27 14:00 -0400), schilling wrote:
>
>> I am trying to have catalyst 6500 w/ sup720 3BXL with 12.2(33)SXI5 to
>> support ASBR exchanging VPN-IPv4, but 6500 is not allocating labels
>> for prefixes learned from eBGP over address family vpnv4.
>>
>> Does anybody ever have this working? Any catch?
>
> Should work. Are you sure you were actually sending labels? 'send-label' in
> route-map? Also did you enable MPLS forwarding in interface via 'mpls bgp
> forwarding'
>
> In my opinion OptionB is useless, you need OptionA if full trust lacks, and
> otherwise OptC will be more convenient or just native MPLS.
> RFC4364 page 32 last sentence mandates that OptB should do RPF like label
> checking. This would guarantee that you only put shared customers at risk,
> but as this checking is non-existing in every vendor (IOS XR supposedly is
> getting it), it removes the usage case.
>
> --
>   ++ytti
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From alandaluz at gmail.com  Wed Mar 28 20:26:58 2012
From: alandaluz at gmail.com (Cassidy Larson)
Date: Wed, 28 Mar 2012 18:26:58 -0600
Subject: [c-nsp] Apply service policy via Radius?
In-Reply-To: <4B94CACD.30107@reub.net>
References: <20100308183238.78buyjzyxqxwssk8@webmail.datafx.com.au> <4B94CACD.30107@reub.net>
Message-ID: 

Just resurrecting an old thread.

Anybody have any new information on "Per-user QoS policies via RADIUS" on 15.1? I have a 1941 running 15.1(4)M1 that I'd like to accept the above, but am unable to figure out the secret combo.

Thanks,

-c

On Mon, Mar 8, 2010 at 3:00 AM, Reuben Farrelly wrote:
> What version of IOS code are you running?
>
> Just in case this applies to you, note that the feature "Per-user QoS
> policies applied via RADIUS" is broken in all versions of IOS 15.0, and as
> far as I can tell, many versions of 12.4T including 12.4(15)Tx and possibly
> earlier, on multiple platforms. Apparently the code is "broken" on the 7200
> and "the feature is not present" on the ISRs. I reported this bug to TAC
> and tested on both 7200 and ISR (2851) platforms.
>
> 12.4M works OK on both platforms so you might want to try out 12.4(25)c on
> either platform, where the code "exists" and "works".
>
> See CSCte95297 for the gory details.
>
> Reuben
>
>
>
> mb at adv.gcomm.com.au wrote:
>>
>> Hi,
>>
>> Have DSL users terminating on LNS(7204) via Eth, with radius auth -
>> Trying to apply the following service policy(Configured on LNS) upon
>> successful auth:
>>
>> policy-map JF-2MB-ADSL
>>  class class-default
>>   shape average 1850000
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From reuben-cisco-nsp at reub.net  Wed Mar 28 20:59:37 2012
From: reuben-cisco-nsp at reub.net (Reuben Farrelly)
Date: Thu, 29 Mar 2012 11:59:37 +1100
Subject: [c-nsp] Apply service policy via Radius?
In-Reply-To: 
References: <20100308183238.78buyjzyxqxwssk8@webmail.datafx.com.au> <4B94CACD.30107@reub.net>
Message-ID: <4F73B3F9.8080104@reub.net>

It works on 15.1M - at least on the 2800s and 7200s (I've got 15.1(4)M3 in production and planning 15.1(4)M4 which just came out a couple of days ago).
The secret combo probably relates to how you are checking out the feature:

rt1.nsw#show subscriber session username xxx at yyy
Unique Session ID: 259
Identifier: xxx at yyy
SIP subscriber access type(s): VPDN/PPP
Current SIP options: Req Fwding/Req Fwded
Session Up-time: 2w6d, Last Changed: 2w6d
Interface: Virtual-Access17

Policy information:
  Authentication status: authen

Session inbound features:
 Feature: QoS Policy Map
 Input Policy Map: police-0.512M

Session outbound features:
 Feature: QoS Policy Map
 Output Policy Map: police-0.512M

Non-datapath features:
 Feature: Interface-Config

Configuration sources associated with this session:
Interface: Virtual-Template10, Active Time = 2w6d

rt1.nsw#

Note: nothing shows up if you do a 'show policy-map interface virtual-access 10', you need to use the 'show subscriber' command instead.

I did ask the TAC engineer at the time of resolving the bug if the command syntax could be fixed as well so that it is consistent across interface types, but apparently this needed to go through as an 'enhancement' via our AM and needed a business case before it would be considered etc etc

Reuben

On 29/03/2012 11:26 AM, Cassidy Larson wrote:
> Just resurrecting an old thread.
>
> Anybody have any new information on "Per-user QoS policies via RADIUS" on 15.1?
> I have a 1941 running 15.1(4)M1 that I'd like to accept the above, but
> am unable to figure out the secret combo.
>
> Thanks,
>
> -c
>
>
> On Mon, Mar 8, 2010 at 3:00 AM, Reuben Farrelly
> wrote:
>> What version of IOS code are you running?
>>
>> Just in case this applies to you, note that the feature "Per-user QoS
>> policies applied via RADIUS" is broken in all versions of IOS 15.0, and as
>> far as I can tell, many versions of 12.4T including 12.4(15)Tx and possibly
>> earlier, on multiple platforms. Apparently the code is "broken" on the 7200
>> and "the feature is not present" on the ISRs. I reported this bug to TAC
>> and tested on both 7200 and ISR (2851) platforms.
>>
>> 12.4M works OK on both platforms so you might want to try out 12.4(25)c on
>> either platform, where the code "exists" and "works".
>>
>> See CSCte95297 for the gory details.
>>
>> Reuben
>>
>>
>>
>> mb at adv.gcomm.com.au wrote:
>>>
>>> Hi,
>>>
>>> Have DSL users terminating on LNS(7204) via Eth, with radius auth -
>>> Trying to apply the following service policy(Configured on LNS) upon
>>> successful auth:
>>>
>>> policy-map JF-2MB-ADSL
>>>  class class-default
>>>   shape average 1850000
>>
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/

From alandaluz at gmail.com  Thu Mar 29 01:31:27 2012
From: alandaluz at gmail.com (Cassidy Larson)
Date: Wed, 28 Mar 2012 23:31:27 -0600
Subject: [c-nsp] Apply service policy via Radius?
In-Reply-To: <4F73B3F9.8080104@reub.net>
References: <20100308183238.78buyjzyxqxwssk8@webmail.datafx.com.au> <4B94CACD.30107@reub.net> <4F73B3F9.8080104@reub.net>
Message-ID: 

Ah, that explains things. But for some reason all of my sessions do not have an Inbound Policy map applied, only Outbound.

Snippet of debug:

RADIUS:  Vendor, Cisco       [26]  59
RADIUS:   Cisco AVpair       [1]   53  "ip:sub-qos-policy-in=512K_CIR-1536K_MIR-U"
RADIUS:  Vendor, Cisco       [26]  60
RADIUS:   Cisco AVpair       [1]   54  "ip:sub-qos-policy-out=768K_CIR-1536K_MIR-D"
sub-qos-policy-in "512K_CIR-1536K_MIR-U"
sub-qos-policy-out "768K_CIR-1536K_MIR-D"
SSS PM: No VPDN attributes or policy found
SSS AAA AUTHOR [uid:262]: SIP PPP[22F9E0E4] parsed as Success
SSS AAA AUTHOR [uid:262]: SIP PPP[2379C4A0] parsed as Ignore
SSS AAA AUTHOR [uid:262]: SIP PPPoE[2304E288] parsed as Success
SSS AAA AUTHOR [uid:262]: SIP Root parser not installed

Any magic trick to getting the Inbound rules to get applied?
Thanks,

-c

On Wed, Mar 28, 2012 at 6:59 PM, Reuben Farrelly wrote:
> It works on 15.1M - at least on the 2800s and 7200s (I've got 15.1(4)M3 in
> production and planning 15.1(4)M4 which just came out a couple of days ago).
>
> The secret combo probably relates to how you are checking out the feature:
>
> rt1.nsw#show subscriber session username xxx at yyy
> Unique Session ID: 259
> Identifier: xxx at yyy
> SIP subscriber access type(s): VPDN/PPP
> Current SIP options: Req Fwding/Req Fwded
> Session Up-time: 2w6d, Last Changed: 2w6d
> Interface: Virtual-Access17
>
> Policy information:
>   Authentication status: authen
>
> Session inbound features:
>  Feature: QoS Policy Map
>  Input Policy Map: police-0.512M
>
> Session outbound features:
>  Feature: QoS Policy Map
>  Output Policy Map: police-0.512M
>
> Non-datapath features:
>  Feature: Interface-Config
>
> Configuration sources associated with this session:
> Interface: Virtual-Template10, Active Time = 2w6d
>
> rt1.nsw#
>
> Note: nothing shows up if you do a 'show policy-map interface virtual-access
> 10', you need to use the 'show subscriber' command instead.
>
> I did ask the TAC engineer at the time of resolving the bug if the command
> syntax could be fixed as well so that it is consistent across interface
> types, but apparently this needed to go through as an 'enhancement' via our
> AM and needed a business case before it would be considered etc etc
>
> Reuben
>
>
>
> On 29/03/2012 11:26 AM, Cassidy Larson wrote:
>>
>> Just resurrecting an old thread.
>>
>> Anybody have any new information on "Per-user QoS policies via RADIUS" on
>> 15.1?
>> I have a 1941 running 15.1(4)M1 that I'd like to accept the above, but
>> am unable to figure out the secret combo.
>>
>> Thanks,
>>
>> -c
>>
>>
>> On Mon, Mar 8, 2010 at 3:00 AM, Reuben Farrelly
>>  wrote:
>>>
>>> What version of IOS code are you running?
>>>
>>> Just in case this applies to you, note that the feature "Per-user QoS
>>> policies applied via RADIUS" is broken in all versions of IOS 15.0, and
>>> as far as I can tell, many versions of 12.4T including 12.4(15)Tx and
>>> possibly earlier, on multiple platforms. Apparently the code is "broken"
>>> on the 7200 and "the feature is not present" on the ISRs. I reported
>>> this bug to TAC and tested on both 7200 and ISR (2851) platforms.
>>>
>>> 12.4M works OK on both platforms so you might want to try out 12.4(25)c
>>> on either platform, where the code "exists" and "works".
>>>
>>> See CSCte95297 for the gory details.
>>>
>>> Reuben
>>>
>>>
>>>
>>> mb at adv.gcomm.com.au wrote:
>>>>
>>>>
>>>> Hi,
>>>>
>>>> Have DSL users terminating on LNS(7204) via Eth, with radius auth -
>>>> Trying to apply the following service policy(Configured on LNS) upon
>>>> successful auth:
>>>>
>>>> policy-map JF-2MB-ADSL
>>>>  class class-default
>>>>   shape average 1850000
>>>
>>>
>>> _______________________________________________
>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/

From artem at aws-net.org.ua  Thu Mar 29 01:56:18 2012
From: artem at aws-net.org.ua (Artyom Viklenko)
Date: Thu, 29 Mar 2012 08:56:18 +0300
Subject: [c-nsp] Cisco 7201 rate-limit or aggregate policer
In-Reply-To: <4F733775.7080505@gmail.com>
References: <4F733775.7080505@gmail.com>
Message-ID: <4F73F982.4090308@aws-net.org.ua>

On 28.03.2012 19:08, Chris Hunt wrote:
> On 3/28/2012 9:00 AM, cisco-nsp-request at puck.nether.net wrote:
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Wed, 28 Mar 2012 09:23:55 +0300
>> From: Artyom Viklenko
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] Cisco 7201 rate-limit or aggregate policer
>> Message-ID: <4F72AE7B.9000303 at aws-net.org.ua>
>> Content-Type: text/plain;
>> charset=KOI8-U; format=flowed
>>
>> Hi, List!
>>
>> I need to rate-limit traffic on two subinterfaces facing
>> a single customer. These two subifs are used for building a reliable
>> connection to the customer using OSPF and two links with
>> different vlans.
>>
>> On Cisco 7600 it could be done using an aggregate policer and
>> one policy-map applied to two SVIs. But is something similar
>> possible on 7201?
>>
>> IOS on this router c7200p-advipservicesk9-mz.124-24.T6.bin.
>>
>> Thanks in advance!
>>
>> --
>> Sincerely yours, Artyom Viklenko.
>> -------------------------------------------------------
>
> Try
>
> interface GigabitEthernet0/1.310
>  encapsulation dot1Q 310
>  rate-limit input 11000000 2062500 4125000 conform-action transmit exceed-action drop
>  rate-limit output 11000000 2062500 4125000 conform-action transmit exceed-action drop
>
> Cheers,
> Chris H.

These commands will rate-limit traffic only on Gi0/1.310.

But I need to rate-limit two interfaces simultaneously. Say, limit traffic on both Gi0/1.10 AND Gi0/1.20 to 20Mbps in total.

-- 
Sincerely yours, Artyom Viklenko.
-------------------------------------------------------
artem at aws-net.org.ua | http://www.aws-net.org.ua/~artem
artem at viklenko.net   | JID: artem at jabber.aws-net.org.ua
FreeBSD: The Power to Serve - http://www.freebsd.org

From artem at aws-net.org.ua  Thu Mar 29 01:58:56 2012
From: artem at aws-net.org.ua (Artyom Viklenko)
Date: Thu, 29 Mar 2012 08:58:56 +0300
Subject: [c-nsp] Cisco 7201 rate-limit or aggregate policer
In-Reply-To: <20120328164513.GA15169@pob.ytti.fi>
References: <4F733775.7080505@gmail.com> <20120328164513.GA15169@pob.ytti.fi>
Message-ID: <4F73FA20.2020503@aws-net.org.ua>

On 28.03.2012 19:45, Saku Ytti wrote:
> On (2012-03-28 09:08 -0700), Chris Hunt wrote:
>
>> interface GigabitEthernet0/1.310
>>  encapsulation dot1Q 310
>>  rate-limit input 11000000 2062500 4125000 conform-action transmit exceed-action drop
>>  rate-limit output 11000000 2062500 4125000 conform-action transmit exceed-action drop
>
> I would recommend rather using MQC, I don't think this is any more
> officially supported.
> I recall some 7 years ago on NSE100 where this command disappeared from IOS
> and we migrated to MQC and got customer complaint, as it actually started
> working and customers were unhappy with the new lower speed connections.
>

We use rate-limits like this:

rate-limit input 30720000 3840000 3840000 conform-action transmit exceed-action drop
rate-limit output 30720000 3840000 3840000 conform-action transmit exceed-action drop

All ok. No complaints about speed. :)

-- 
Sincerely yours, Artyom Viklenko.
-------------------------------------------------------
artem at aws-net.org.ua | http://www.aws-net.org.ua/~artem
artem at viklenko.net   | JID: artem at jabber.aws-net.org.ua
FreeBSD: The Power to Serve - http://www.freebsd.org

From johnelliot67 at hotmail.com  Thu Mar 29 02:01:39 2012
From: johnelliot67 at hotmail.com (John Elliot)
Date: Thu, 29 Mar 2012 17:01:39 +1100
Subject: [c-nsp] Portchan ASR->2960
In-Reply-To: 
References: 
Message-ID: 

Ok - Found a "solution" to this....seems the ASR requires

port-channel load-balance vlan-manual

Unusual :)

Are there any other gotchas that I should know about?

> From: johnelliot67 at hotmail.com
> To: cisco-nsp at puck.nether.net
> Date: Wed, 28 Mar 2012 19:57:56 +1100
> Subject: [c-nsp] Portchan ASR->2960
>
> Hi Guys,
> Testing an ASR1006->2960 portchan, and portchan comes up, config vlan int on 2960 in vlan 88 and portchan1.88 and can see mac's but cannot pass data - If I change the config to bring down the portchan, and use physical interface on asr with dot1q subint, I have no issues? Bug?
>
> ASR:
>
> interface Port-channel1
>  description ETHCHAN_TO_ESW
>  mtu 1998
>  no ip address
>  ip flow ingress
>  no negotiation auto
>
> interface GigabitEthernet1/0/0
>  no ip address
>  ip flow ingress
>  negotiation auto
>  no cdp enable
>  channel-group 1
>
> interface GigabitEthernet2/0/0
>  no ip address
>  ip flow ingress
>  negotiation auto
>  no cdp enable
>  channel-group 1
>
> interface Port-channel1.88
>  description TEST
>  encapsulation dot1Q 88
>  ip address 10.10.10.1 255.255.255.252
>
> SW:
>
> interface GigabitEthernet0/1
>  media-type sfp
>  channel-group 1 mode on
> !
> interface GigabitEthernet0/2
>  switchport mode trunk
>  media-type sfp
>  channel-group 1 mode on
> !
> interface Port-channel1
>  switchport mode trunk
> !
> interface Vlan88
>  ip address 10.10.10.2 255.255.255.252
>  no ip route-cache
>
> Switch#sh arp
> Protocol  Address          Age (min)  Hardware Addr   Type   Interface
> Internet  10.10.10.2              -   0019.06d9.7541  ARPA   Vlan88
> Internet  10.10.10.1              0   f0f7.5548.50c0  ARPA   Vlan88
>
> Switch#ping 10.10.10.1
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
> .....
> Success rate is 0 percent (0/5)
>
> Then with physical int dot1q, success:
>
> Router#sh interfaces gigabitEthernet 1/0/0
> GigabitEthernet1/0/0 is down, line protocol is down
>
> Router#sh interfaces port-channel 1
> Port-channel1 is down, line protocol is down
>
> interface GigabitEthernet2/0/0
>  no ip address
>  ip mtu 1998
>  ip flow ingress
>  negotiation auto
>  no cdp enable
> !
> interface GigabitEthernet2/0/0.88
>  description TEST
>  encapsulation dot1Q 88
>  ip address 10.10.10.1 255.255.255.252
>
> Router#ping 10.10.10.2
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/3 ms
>
> Router#sh arp
> Protocol  Address          Age (min)  Hardware Addr   Type   Interface
> Internet  10.10.10.1              -   f0f7.5548.4f80  ARPA   GigabitEthernet2/0/0.88
> Internet  10.10.10.2              6   0019.06d9.7541  ARPA   GigabitEthernet2/0/0.88
>
> SW:
>
> Switch#sh interface port-channel 1
> Port-channel1 is down, line protocol is down (notconnect)
>
> Switch#sh interface gigabitEthernet 0/1
> GigabitEthernet0/1 is administratively down, line protocol is down (disabled)
>
> Switch#sh int trunk
>
> Port        Mode         Encapsulation  Status        Native vlan
> Gi0/2       on           802.1q         trunking      1
>
> Port        Vlans allowed on trunk
> Gi0/2       1-4094
>
> Port        Vlans allowed and active in management domain
> Gi0/2       1,10,88
>
> Port        Vlans in spanning tree forwarding state and not pruned
> Gi0/2       1,10,88
>
> Switch#ping 10.10.10.1
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
>
> Switch#sh arp
> Protocol  Address          Age (min)  Hardware Addr   Type   Interface
> Internet  10.10.10.2              -   0019.06d9.7541  ARPA   Vlan88
> Internet  10.10.10.1              8   f0f7.5548.4f80  ARPA   Vlan88
>
> IOS/XE:
> #sh ver
> Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 12.2(33)XNA1, RELEASE SOFTWARE (fc1)
>
> Cheers.
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From saku at ytti.fi  Thu Mar 29 04:38:17 2012
From: saku at ytti.fi (Saku Ytti)
Date: Thu, 29 Mar 2012 11:38:17 +0300
Subject: [c-nsp] Cisco 7201 rate-limit or aggregate policer
In-Reply-To: <4F73F982.4090308@aws-net.org.ua>
References: <4F733775.7080505@gmail.com> <4F73F982.4090308@aws-net.org.ua>
Message-ID: <20120329083817.GA3634@pob.ytti.fi>

On (2012-03-29 08:56 +0300), Artyom Viklenko wrote:

> These commands will rate-limit traffic only on Gi0/1.310.
>
> But I need to rate-limit two interfaces simultaneously. Say, limit
> traffic on both Gi0/1.10 AND Gi0/1.20 to 20Mbps in total.

IRB and bridge-group in interfaces and L3 + MQC in BVI?

Really you shouldn't be using 'rate-limit/CAR' ever, any more. Just MQC.

-- 
  ++ytti

From panocisco77 at gmail.com  Thu Mar 29 13:43:35 2012
From: panocisco77 at gmail.com (Renelson Panosky)
Date: Thu, 29 Mar 2012 13:43:35 -0400
Subject: [c-nsp] Error on 4510-R-E
Message-ID: 

I am receiving a lot of the below errors on my access switch 4510-R-E log, which is connected via a trunk port to a 6509-E core. Has any one of you seen this before? How do I stop it?

Errors:

Mar 26 07:45:53.627 EDT: %C4K_L2MAN-6-INVALIDSOURCEADDRESSPACKET: Packet received with invalid source MAC address (00:00:00:00:00:00) on port Te5/1 in vlan 237

From mike-cisconsplist at tiedyenetworks.com  Thu Mar 29 14:03:40 2012
From: mike-cisconsplist at tiedyenetworks.com (Mike)
Date: Thu, 29 Mar 2012 11:03:40 -0700
Subject: [c-nsp] clearing ip policy map on the cli?
Message-ID: <4F74A3FC.6040901@tiedyenetworks.com>

Hi,

I am assigning policy routes to some pppoe users via a radius attribute

Cisco-AVPair := "lcp:interface-config=ip policy route-map noticedusers"

This works and forces my customer packets to have this route-map applied.
What I would like to do is to be able to clear this route-map from the cli without resetting the user's pppoe session (and yes of course removing it from radius so if they re-connect it's not reapplied). Is there any cli way of doing this?

Mike-

From bacon at walleyesoftware.com  Thu Mar 29 14:37:13 2012
From: bacon at walleyesoftware.com (Jeff Bacon)
Date: Thu, 29 Mar 2012 18:37:13 +0000
Subject: [c-nsp] ME3600X architecture
Message-ID: 

Primarily a question for Waris probably:

Is there anything out there about the "Carrier Ethernet ASIC" or the overall architecture of the box? Looking at the board itself, it looks as though there's two separate but identical ASIC complexes on the board. My instinct says that the 10G ports are run by one ASIC and the 24 1G ports are run by the other ASIC, with some sort of bridge or bus between 'em.

I only just got my hands on one (and yes of course I ripped it apart) so I'm only just starting to answer questions - but there's so many nice docs on the 6500 and 4900s that I'm spoiled...

Thanks!
-bacon

From lobotiger at gmail.com  Thu Mar 29 20:25:17 2012
From: lobotiger at gmail.com (Lobo)
Date: Thu, 29 Mar 2012 20:25:17 -0400
Subject: [c-nsp] 6PE our only option?
Message-ID: <4F74FD6D.40406@gmail.com>

Apologies if this is a little long but looking for some friendly advice from you experts on rolling out IPv6 on our network.

Our network follows a traditional model where it's edge----distribution----core-----gwy for our internet customers. The entire distribution, core and gwy routers have had MPLS enabled on them for a couple of years in order to offer EoMPLS like services. The edge routers have not had MPLS enabled on them as there was no real need since they only provide internet access. The IGP is OSPF and BGP is running on the distribution & gwy routers towards our route-reflectors. The core is BGP less now so they are functioning as true P routers.
We have managed to dual stack (v4 & v6) all of our distribution, core and gwy routers' interfaces as we believed that dual stack is always the preferred option. We followed the same principles as our v4 implementation (loopbacks & PTPs only in the IGP and static/connected routes at the edge distributed via iBGP).

Upon installing a new edge router that would participate in IPv6 we discovered that the core could not route the packets to other IPv6 destinations because it only knows about LBs & PTPs. Even if it made it to the gwy because of a default route (::/0), there were times when another gwy router had a better route and then we would have packets bouncing back and forth between a gwy and core router until the TTL expired.

Now we're at the point of wondering if 6PE is our only option in order to forward the packets or if we go back to the old way of doing things by re-enabling BGP on the core (for ipv6 only) and having a partial set of ipv6 routes?

Personally I've been configuring 6PE in our lab for the entire week and it's really racking my head. There are times when I have things working and then I make the smallest change in a route-map and suddenly things no longer work. Do I configure the 6PE stuff on the edge router or can it start at the distribution router? Traceroutes look really odd with the core not showing and I'm wondering if I'm introducing more problems for our NOC to troubleshoot (and learn) vs going with some other, simpler option. Right now I'm really wishing that LDPv6 was implemented. :)

Appreciate any comments, feedback or suggestions. Please let me know if I can provide any further information.

Thanks!
Jose

From omar.parihuana at gmail.com  Thu Mar 29 20:28:28 2012
From: omar.parihuana at gmail.com (omar parihuana)
Date: Thu, 29 Mar 2012 19:28:28 -0500
Subject: [c-nsp] MPLS TE Load Balancing
Message-ID: 

Hi Group,

I'm wondering about a strange behaviour about MPLS TE on ASR9K

I have two MPLS TE tunnels (with autoroute announce):

RP/0/RSP0/CPU0:9K6-413#show route 10.100.100.7
Thu Mar 29 23:09:49.818 UTC

Routing entry for 10.100.100.7/32
  Known via "isis BACKBONE", distance 115, metric 140, type level-2
  Installed Mar 29 22:58:29.392 for 00:11:20
  Routing Descriptor Blocks
    10.100.100.2, from 10.100.100.7, via tunnel-te502
      Route metric is 140
    10.100.100.3, from 10.100.100.7, via tunnel-te501
      Route metric is 140
  No advertising protos.
RP/0/RSP0/CPU0:9K6-413#

In accordance with the RIB output I was hoping that traffic to 10.100.100.7 would be balanced between both tunnels... however I only see traffic over the first tunnel...

RP/0/RSP0/CPU0:9K6-413#show mpls forwarding prefix 10.100.100.7/32 detail
Thu Mar 29 23:05:13.320 UTC
Local  Outgoing    Prefix             Outgoing     Next Hop        Bytes
Label  Label       or ID              Interface                    Switched
------ ----------- ------------------ ------------ --------------- ------------
16012  16014       10.100.100.7/32    tt502        10.100.100.2    24438881830
       Updated Mar 29 22:58:29.416
       MAC/Encaps: 14/18, MTU: 9180
       Label Stack (Top -> Bottom): { Imp-Null 16014 }
       Packets Switched: 100987115

       16018       10.100.100.7/32    tt501        10.100.100.3    0
       Updated Mar 29 22:58:29.416
       MAC/Encaps: 14/22, MTU: 9180
       Label Stack (Top -> Bottom): { 16020 Imp-Null 16018 }
       Packets Switched: 0

What's happening? Why no load balancing? Do I need an additional conf on ASR9K in order to accomplish MPLS TE load balancing?

Thank you for your answer...

Rgds.

-- 
Omar E.P.T
-----------------
Certified Networking Professionals make better Connections!
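An added helper for the symptom in the post above (this is not code from the thread or from Cisco): it parses the IOS-XR `show mpls forwarding prefix ... detail` output quoted there and reports whether each ECMP path the RIB installed is actually switching packets. The sample text is the output from the post; the `imbalance_threshold` cut-off is an assumption.

```python
"""Parse IOS-XR 'show mpls forwarding ... detail' and check ECMP usage."""
import re
from dataclasses import dataclass, field

# Sample input: the ASR9K output quoted in the post (tt502 busy, tt501 idle).
SAMPLE = """\
RP/0/RSP0/CPU0:9K6-413#show mpls forwarding prefix 10.100.100.7/32 detail
Thu Mar 29 23:05:13.320 UTC
Local  Outgoing    Prefix             Outgoing     Next Hop        Bytes
Label  Label       or ID              Interface                    Switched
------ ----------- ------------------ ------------ --------------- ------------
16012  16014       10.100.100.7/32    tt502        10.100.100.2    24438881830
       Updated Mar 29 22:58:29.416
       MAC/Encaps: 14/18, MTU: 9180
       Label Stack (Top -> Bottom): { Imp-Null 16014 }
       Packets Switched: 100987115

       16018       10.100.100.7/32    tt501        10.100.100.3    0
       Updated Mar 29 22:58:29.416
       MAC/Encaps: 14/22, MTU: 9180
       Label Stack (Top -> Bottom): { 16020 Imp-Null 16018 }
       Packets Switched: 0
"""


@dataclass
class Path:
    """One outgoing path (one ECMP member) of a local label."""
    out_label: str
    prefix: str
    interface: str
    next_hop: str
    bytes_switched: int
    packets_switched: int = 0
    label_stack: list = field(default_factory=list)


# A path line: the first path carries the local label, additional ECMP
# paths for the same local label are indented and omit it.
PATH_RE = re.compile(
    r"^(?P<local>\d+)?\s+(?P<out>\S+)\s+(?P<prefix>\S+)\s+(?P<intf>\S+)\s+"
    r"(?P<nh>\S+)\s+(?P<bytes>\d+)\s*$")
PKTS_RE = re.compile(r"Packets Switched:\s+(\d+)")
STACK_RE = re.compile(r"Label Stack \(Top -> Bottom\): \{\s*(.*?)\s*\}")


def parse_forwarding(text):
    """Return (local_label, [Path, ...]) from the 'detail' output."""
    local, paths = None, []
    for line in text.splitlines():
        # Column headers, the separator, prompt and timestamp lines never match PATH_RE.
        if line.startswith(("Local", "Label", "------")) or not line.strip():
            continue
        m = PATH_RE.match(line)
        if m:
            if m.group("local"):
                local = m.group("local")
            paths.append(Path(m.group("out"), m.group("prefix"), m.group("intf"),
                              m.group("nh"), int(m.group("bytes"))))
            continue
        if not paths:
            continue
        # Detail lines that follow a path line belong to that path.
        m = PKTS_RE.search(line)
        if m:
            paths[-1].packets_switched = int(m.group(1))
        m = STACK_RE.search(line)
        if m:
            paths[-1].label_stack = m.group(1).split()
    return local, paths


def load_share_report(text, imbalance_threshold=0.9):
    """Per-path byte share plus a verdict on whether the ECMP set is used.

    imbalance_threshold (assumed value): with two or more paths installed,
    the set is reported unbalanced when one path carries at least this
    fraction of all bytes.
    """
    local, paths = parse_forwarding(text)
    total = sum(p.bytes_switched for p in paths)
    shares = {p.interface: (p.bytes_switched / total if total else 0.0) for p in paths}
    idle = [p.interface for p in paths if p.packets_switched == 0]
    dominant = max(shares.values(), default=0.0)
    return {
        "local_label": local,
        "paths": len(paths),
        "shares": shares,
        "idle_paths": idle,
        "balanced": len(paths) < 2 or dominant < imbalance_threshold,
    }


if __name__ == "__main__":
    for key, value in load_share_report(SAMPLE).items():
        print(f"{key}: {value}")
```

Feed it the output of the same command for any prefix; an `idle_paths` entry with `balanced: False` means the LFIB is not using a path the RIB shows, which is the situation the post describes.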
From jstuxuhu0816 at gmail.com  Thu Mar 29 20:35:53 2012
From: jstuxuhu0816 at gmail.com (Xu Hu)
Date: Fri, 30 Mar 2012 08:35:53 +0800
Subject: [c-nsp] MPLS TE Load Balancing
In-Reply-To: 
References: 
Message-ID: 

Can you share your configuration? Recently I was also configuring MPLS TE in asr9k.

Thanks and regards,
Xu Hu

On 30 Mar, 2012, at 8:28, omar parihuana wrote:

> Hi Group,
>
> I'm wondering about a strange behaviour about MPLS TE on ASR9K
>
> I have two MPLS TE tunnels (with autoroute announce):
>
> RP/0/RSP0/CPU0:9K6-413#show route 10.100.100.7
> Thu Mar 29 23:09:49.818 UTC
>
> Routing entry for 10.100.100.7/32
>   Known via "isis BACKBONE", distance 115, metric 140, type level-2
>   Installed Mar 29 22:58:29.392 for 00:11:20
>   Routing Descriptor Blocks
>     10.100.100.2, from 10.100.100.7, via tunnel-te502
>       Route metric is 140
>     10.100.100.3, from 10.100.100.7, via tunnel-te501
>       Route metric is 140
>   No advertising protos.
> RP/0/RSP0/CPU0:9K6-413#
>
> In accordance with the RIB output I was hoping that traffic to 10.100.100.7 would be
> balanced between both tunnels... however I only see traffic over the first
> tunnel...
>
>
> RP/0/RSP0/CPU0:9K6-413#show mpls forwarding prefix 10.100.100.7/32 detail
> Thu Mar 29 23:05:13.320 UTC
> Local  Outgoing    Prefix             Outgoing     Next Hop        Bytes
> Label  Label       or ID              Interface                    Switched
> ------ ----------- ------------------ ------------ --------------- ------------
> 16012  16014       10.100.100.7/32    tt502        10.100.100.2    24438881830
>        Updated Mar 29 22:58:29.416
>        MAC/Encaps: 14/18, MTU: 9180
>        Label Stack (Top -> Bottom): { Imp-Null 16014 }
>        Packets Switched: 100987115
>
>        16018       10.100.100.7/32    tt501        10.100.100.3    0
>        Updated Mar 29 22:58:29.416
>        MAC/Encaps: 14/22, MTU: 9180
>        Label Stack (Top -> Bottom): { 16020 Imp-Null 16018 }
>        Packets Switched: 0
>
>
> What's happening? Why no load balancing? Do I need an additional conf on
> ASR9K in order to accomplish MPLS TE load balancing?
>
>
> Thank you for your answer...
>
> Rgds.
>
>
> --
> Omar E.P.T
> -----------------
> Certified Networking Professionals make better Connections!
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From omar.parihuana at gmail.com  Thu Mar 29 20:43:28 2012
From: omar.parihuana at gmail.com (omar parihuana)
Date: Thu, 29 Mar 2012 19:43:28 -0500
Subject: [c-nsp] MPLS TE Load Balancing
In-Reply-To: 
References: 
Message-ID: 

RP/0/RSP0/CPU0:9K6-413#show run int tunnel-te 501
Thu Mar 29 23:38:02.719 UTC
interface tunnel-te501
 ipv4 unnumbered Loopback0
 load-interval 30
 autoroute announce
 !autoroute announce
 destination 10.100.100.3
 fast-reroute
 path-option 10 explicit name 413-312
!

RP/0/RSP0/CPU0:9K6-413#show run int tunnel-te 502
Thu Mar 29 23:38:12.446 UTC
interface tunnel-te502
 ipv4 unnumbered Loopback0
 load-interval 30
 autoroute announce
 !autoroute announce
 destination 10.100.100.2
 fast-reroute
 path-option 10 explicit name 413-405
!

!
explicit-path name 413-312
 index 10 next-address strict ipv4 unicast 10.20.4.1
 index 20 next-address strict ipv4 unicast 10.100.100.3
!

explicit-path name 413-405
 index 10 next-address strict ipv4 unicast 10.20.3.1
 index 20 next-address strict ipv4 unicast 10.100.100.2
!

if you need additional outputs let me know...

Thank you!

On Thu, Mar 29, 2012 at 7:35 PM, Xu Hu wrote:
> Can you share your configuration? Recently I was also configuring the MPLS TE
> in asr9k.
>
> Thanks and regards,
> Xu Hu
>
> On 30 Mar, 2012, at 8:28, omar parihuana wrote:
>
> > Hi Group,
> >
> > I'm wondering about a strange behaviour about MPLS TE on ASR9K
> >
> > I have two MPLS TE tunnels (with autoroute announce):
> >
> > RP/0/RSP0/CPU0:9K6-413#show route 10.100.100.7
> > Thu Mar 29 23:09:49.818 UTC
> >
> > Routing entry for 10.100.100.7/32
> >   Known via "isis BACKBONE", distance 115, metric 140, type level-2
> >   Installed Mar 29 22:58:29.392 for 00:11:20
> >   Routing Descriptor Blocks
> >     10.100.100.2, from 10.100.100.7, via tunnel-te502
> >       Route metric is 140
> >     10.100.100.3, from 10.100.100.7, via tunnel-te501
> >       Route metric is 140
> >   No advertising protos.
> > RP/0/RSP0/CPU0:9K6-413#
> >
> > In accordance with the RIB output I was hoping that traffic to 10.100.100.7 would be
> > balanced between both tunnels... however I only see traffic over the first
> > tunnel...
> >
> >
> > RP/0/RSP0/CPU0:9K6-413#show mpls forwarding prefix 10.100.100.7/32 detail
> > Thu Mar 29 23:05:13.320 UTC
> > Local  Outgoing    Prefix             Outgoing     Next Hop        Bytes
> > Label  Label       or ID              Interface                    Switched
> > ------ ----------- ------------------ ------------ --------------- ------------
> > 16012  16014       10.100.100.7/32    tt502        10.100.100.2    24438881830
> >        Updated Mar 29 22:58:29.416
> >        MAC/Encaps: 14/18, MTU: 9180
> >        Label Stack (Top -> Bottom): { Imp-Null 16014 }
> >        Packets Switched: 100987115
> >
> >        16018       10.100.100.7/32    tt501        10.100.100.3    0
> >        Updated Mar 29 22:58:29.416
> >        MAC/Encaps: 14/22, MTU: 9180
> >        Label Stack (Top -> Bottom): { 16020 Imp-Null 16018 }
> >        Packets Switched: 0
> >
> >
> > What's happening? Why no load balancing? Do I need an additional conf on
> > ASR9K in order to accomplish MPLS TE load balancing?
> >
> >
> > Thank you for your answer...
> >
> > Rgds.
> >
> >
> > --
> > Omar E.P.T
> > -----------------
> > Certified Networking Professionals make better Connections!
> > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > -- Omar E.P.T ----------------- Certified Networking Professionals make better Connections! From jstuxuhu0816 at gmail.com Thu Mar 29 20:48:42 2012 From: jstuxuhu0816 at gmail.com (Xu Hu) Date: Fri, 30 Mar 2012 08:48:42 +0800 Subject: [c-nsp] MPLS TE Load Balancing In-Reply-To: References: Message-ID: Check the load-share command under the tunnel configuration. Thanks and regards, Xu Hu On 30 Mar, 2012, at 8:43, omar parihuana wrote: > RP/0/RSP0/CPU0:9K6-413#show run int tunnel-te 501 > Thu Mar 29 23:38:02.719 UTC > interface tunnel-te501 > ipv4 unnumbered Loopback0 > load-interval 30 > autoroute announce > !autoroute announce > destination 10.100.100.3 > fast-reroute > path-option 10 explicit name 413-312 > ! > > RP/0/RSP0/CPU0:9K6-413#show run int tunnel-te 502 > Thu Mar 29 23:38:12.446 UTC > interface tunnel-te502 > ipv4 unnumbered Loopback0 > load-interval 30 > autoroute announce > !autoroute announce > destination 10.100.100.2 > fast-reroute > path-option 10 explicit name 413-405 > ! > > ! > explicit-path name 413-312 > index 10 next-address strict ipv4 unicast 10.20.4.1 > index 20 next-address strict ipv4 unicast 10.100.100.3 > ! > > explicit-path name 413-405 > index 10 next-address strict ipv4 unicast 10.20.3.1 > index 20 next-address strict ipv4 unicast 10.100.100.2 > ! > > if you need aditional outputs let me know... > > Thank you! > > > > > On Thu, Mar 29, 2012 at 7:35 PM, Xu Hu wrote: > Can share your configuration? Recently I was also configuring the MPLS TE in asr9k. 
> > Thanks and regards, > Xu Hu > > On 30 Mar, 2012, at 8:28, omar parihuana wrote: > > > Hi Group, > > > > I'm wondering about a strange behaviour about MPLS TE on ASR9K > > > > I have two MPLS TE tunnels (with autoroute announce): > > > > RP/0/RSP0/CPU0:9K6-413#show route 10.100.100.7 > > Thu Mar 29 23:09:49.818 UTC > > > > Routing entry for 10.100.100.7/32 > > Known via "isis BACKBONE", distance 115, metric 140, type level-2 > > Installed Mar 29 22:58:29.392 for 00:11:20 > > Routing Descriptor Blocks > > 10.100.100.2, from 10.100.100.7, via tunnel-te502 > > Route metric is 140 > > 10.100.100.3, from 10.100.100.7, via tunnel-te501 > > Route metric is 140 > > No advertising protos. > > RP/0/RSP0/CPU0:9K6-413# > > > > In accordance to RIB output I was hopping that traffic to 10.100.100.7 be > > balanced between both tunnels... however I only see traffic over the first > > tunnel... > > > > > > RP/0/RSP0/CPU0:9K6-413#show mpls forwarding prefix 10.100.100.7/32 detail > > Thu Mar 29 23:05:13.320 UTC > > Local Outgoing Prefix Outgoing Next Hop > > Bytes > > Label Label or ID Interface > > Switched > > ------ ----------- ------------------ ------------ --------------- > > ------------ > > 16012 16014 10.100.100.7/32 tt502 10.100.100.2 > > 24438881830 > > Updated Mar 29 22:58:29.416 > > MAC/Encaps: 14/18, MTU: 9180 > > Label Stack (Top -> Bottom): { Imp-Null 16014 } > > Packets Switched: 100987115 > > > > 16018 10.100.100.7/32 tt501 10.100.100.3 > > 0 > > Updated Mar 29 22:58:29.416 > > MAC/Encaps: 14/22, MTU: 9180 > > Label Stack (Top -> Bottom): { 16020 Imp-Null 16018 } > > Packets Switched: 0 > > > > > > What's happening? why not load balancing ? do i need a additional conf on > > ASR9K in order to accomplish MPLS TE load balancing? > > > > > > Thank you for your answer... > > > > Rgds. > > > > > > -- > > Omar E.P.T > > ----------------- > > Certified Networking Professionals make better Connections! 
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> >
> --
> Omar E.P.T
> -----------------
> Certified Networking Professionals make better Connections!

From ikiris at gmail.com Thu Mar 29 21:28:30 2012
From: ikiris at gmail.com (Blake Dunlap)
Date: Thu, 29 Mar 2012 20:28:30 -0500
Subject: [c-nsp] 6PE our only option?
In-Reply-To: <4F74FD6D.40406@gmail.com>
References: <4F74FD6D.40406@gmail.com>
Message-ID:

I too would like to see LDPv6 very much, for the same reasons, as I have had the same issues and was forced to redo my true dual stack into 6PE due to conversion to MPLS.

-Blake

On Thu, Mar 29, 2012 at 19:25, Lobo wrote:
> Apologies if this is a little long but looking for some friendly advice from you experts on rolling out IPv6 on our network.
>
> Our network follows a traditional model where it's edge----distribution----core-----gwy for our internet customers. The entire distribution, core and gwy routers have had MPLS enabled on them for a couple of years in order to offer EoMPLS like services. The edge routers have not had MPLS enabled on them as there was no real need since they only provide internet access. The IGP is OSPF and BGP is running on the distribution & gwy routers towards our route-reflectors. The core is BGP less now so they are functioning as true P routers.
>
> We have managed to dual stack (v4 & v6) all of our distribution, core and gwy routers' interfaces as we believed that dual stack is always the preferred option. We followed the same principles as our v4 implementation (loopbacks & PTPs only in the IGP and static/connected routes at the edge distributed via iBGP). Upon installing a new edge router that would participate in IPv6 we discovered that the core could not route the packets to other IPv6 destinations because it only knows about LBs & PTPs. Even if it made it to the gwy because of a default route (::/0), there were times when another gwy router had a better route and then we would have packets bouncing back and forth between a gwy and core router until the TTL expired.
>
> Now we're at the point of wondering if 6PE is our only option in order to forward the packets or if we go back to the old way of doing things by re-enabling BGP on the core (for ipv6 only) and having a partial set of ipv6 routes? Personally I've been configuring 6PE in our lab for the entire week and it's really racking my head. There are times when I have things working and then I make the smallest change in a route-map and suddenly things no longer work. Do I configure the 6PE stuff on the edge router or can it start at the distribution router? Traceroutes look really odd with the core not showing and I'm wondering if I'm introducing more problems for our NOC to troubleshoot (and learn) vs going with some other, simpler option.
>
> Right now I'm really wishing that LDPv6 was implemented. :)
>
> Appreciate any comments, feedback or suggestions. Please let me know if I can provide any further information.
>
> Thanks!
>
> Jose
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From omar.parihuana at gmail.com Thu Mar 29 22:02:27 2012
From: omar.parihuana at gmail.com (omar parihuana)
Date: Thu, 29 Mar 2012 21:02:27 -0500
Subject: [c-nsp] MPLS TE Load Balancing
In-Reply-To:
References:
Message-ID:

Hi Xu Hu:

I've tried to configure load-share; unfortunately it is not supported :(

RP/0/RSP0/CPU0:9K6-413(config-if)#load-share 100
RP/0/RSP0/CPU0:9K6-413(config-if)#interface tunnel-te501
RP/0/RSP0/CPU0:9K6-413(config-if)#load-share
% Incomplete command.
RP/0/RSP0/CPU0:9K6-413(config-if)#load-share 100
RP/0/RSP0/CPU0:9K6-413(config-if)#commit

% Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed' from this session to view the errors
RP/0/RSP0/CPU0:9K6-413(config-if)#show configuration failed
Fri Mar 30 00:58:07.275 UTC
!! SEMANTIC ERRORS: This configuration was rejected by
!! the system due to semantic errors. The individual
!! errors with each failed configuration command can be
!! found below.

interface tunnel-te501
 load-share 100
!!% The requested operation is not supported: Feature not supported on this platform
!
interface tunnel-te502
 load-share 100
!!% The requested operation is not supported: Feature not supported on this platform
!
end

RP/0/RSP0/CPU0:9K6-413#show platform
Fri Mar 30 00:59:35.525 UTC
Node            Type                      State            Config State
-----------------------------------------------------------------------------
0/RSP0/CPU0     A9K-RSP-4G(Active)        IOS XR RUN       PWR,NSHUT,MON
0/0/CPU0        A9K-2T20GE-B              IOS XR RUN       PWR,NSHUT,MON
RP/0/RSP0/CPU0:9K6-413#show ver
Fri Mar 30 00:59:41.689 UTC

Cisco IOS XR Software, Version 4.0.3[Default]
Copyright (c) 2011 by Cisco Systems, Inc.

ROM: System Bootstrap, Version 1.05(20101118:025914) [ASR9K ROMMON],

9K6-413 uptime is 3 weeks, 3 days, 8 hours, 43 minutes
System image file is "bootflash:disk0/asr9k-os-mbi-4.0.3/mbiasr9k-rp.vm"

cisco ASR9K Series (MPC8641D) processor with 4194304K bytes of memory.
MPC8641D processor at 1333MHz, Revision 2.2
ASR-9006 AC Chassis

Rgds.

On Thu, Mar 29, 2012 at 7:48 PM, Xu Hu wrote:
> Check the load-share command under the tunnel configuration.
>
>
> Thanks and regards,
> Xu Hu
>
> On 30 Mar, 2012, at 8:43, omar parihuana wrote:
>
> RP/0/RSP0/CPU0:9K6-413#show run int tunnel-te 501
> Thu Mar 29 23:38:02.719 UTC
> interface tunnel-te501
>  ipv4 unnumbered Loopback0
>  load-interval 30
>  autoroute announce
>  !autoroute announce
>  destination 10.100.100.3
>  fast-reroute
>  path-option 10 explicit name 413-312
> !
>
> RP/0/RSP0/CPU0:9K6-413#show run int tunnel-te 502
> Thu Mar 29 23:38:12.446 UTC
> interface tunnel-te502
>  ipv4 unnumbered Loopback0
>  load-interval 30
>  autoroute announce
>  !autoroute announce
>  destination 10.100.100.2
>  fast-reroute
>  path-option 10 explicit name 413-405
> !
>
> !
> explicit-path name 413-312
>  index 10 next-address strict ipv4 unicast 10.20.4.1
>  index 20 next-address strict ipv4 unicast 10.100.100.3
> !
>
> explicit-path name 413-405
>  index 10 next-address strict ipv4 unicast 10.20.3.1
>  index 20 next-address strict ipv4 unicast 10.100.100.2
> !
>
> if you need additional outputs let me know...
>
> Thank you!
>
>
>
>
> On Thu, Mar 29, 2012 at 7:35 PM, Xu Hu wrote:
>
>> Can share your configuration? Recently I was also configuring the MPLS TE
>> in asr9k.
>> >> Thanks and regards, >> Xu Hu >> >> On 30 Mar, 2012, at 8:28, omar parihuana >> wrote: >> >> > Hi Group, >> > >> > I'm wondering about a strange behaviour about MPLS TE on ASR9K >> > >> > I have two MPLS TE tunnels (with autoroute announce): >> > >> > RP/0/RSP0/CPU0:9K6-413#show route 10.100.100.7 >> > Thu Mar 29 23:09:49.818 UTC >> > >> > Routing entry for 10.100.100.7/32 >> > Known via "isis BACKBONE", distance 115, metric 140, type level-2 >> > Installed Mar 29 22:58:29.392 for 00:11:20 >> > Routing Descriptor Blocks >> > 10.100.100.2, from 10.100.100.7, via tunnel-te502 >> > Route metric is 140 >> > 10.100.100.3, from 10.100.100.7, via tunnel-te501 >> > Route metric is 140 >> > No advertising protos. >> > RP/0/RSP0/CPU0:9K6-413# >> > >> > In accordance to RIB output I was hopping that traffic to 10.100.100.7 >> be >> > balanced between both tunnels... however I only see traffic over the >> first >> > tunnel... >> > >> > >> > RP/0/RSP0/CPU0:9K6-413#show mpls forwarding prefix 10.100.100.7/32detail >> > Thu Mar 29 23:05:13.320 UTC >> > Local Outgoing Prefix Outgoing Next Hop >> > Bytes >> > Label Label or ID Interface >> > Switched >> > ------ ----------- ------------------ ------------ --------------- >> > ------------ >> > 16012 16014 10.100.100.7/32 tt502 10.100.100.2 >> > 24438881830 >> > Updated Mar 29 22:58:29.416 >> > MAC/Encaps: 14/18, MTU: 9180 >> > Label Stack (Top -> Bottom): { Imp-Null 16014 } >> > Packets Switched: 100987115 >> > >> > 16018 10.100.100.7/32 tt501 10.100.100.3 >> > 0 >> > Updated Mar 29 22:58:29.416 >> > MAC/Encaps: 14/22, MTU: 9180 >> > Label Stack (Top -> Bottom): { 16020 Imp-Null 16018 } >> > Packets Switched: 0 >> > >> > >> > What's happening? why not load balancing ? do i need a additional conf >> on >> > ASR9K in order to accomplish MPLS TE load balancing? >> > >> > >> > Thank you for your answer... >> > >> > Rgds. 
>> >
>> >
>> > --
>> > Omar E.P.T
>> > -----------------
>> > Certified Networking Professionals make better Connections!
>> > _______________________________________________
>> > cisco-nsp mailing list cisco-nsp at puck.nether.net
>> > https://puck.nether.net/mailman/listinfo/cisco-nsp
>> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>
>
>
> --
> Omar E.P.T
> -----------------
> Certified Networking Professionals make better Connections!
>
>

--
Omar E.P.T
-----------------
Certified Networking Professionals make better Connections!

From ianh at ianh.net.au Thu Mar 29 21:38:10 2012
From: ianh at ianh.net.au (Ian Henderson)
Date: Fri, 30 Mar 2012 12:38:10 +1100
Subject: [c-nsp] NETCONF replacing SNMP
Message-ID: <3D2636F3-6316-4B8F-A238-18E34A5D7E68@ianh.net.au>

Hi folks,

We've recently deployed some 4500/Sup7Es - pretty cool box, but we've run into problems with our network monitoring system. With the dual core architecture of the Sup7E, SNMP no longer returns correct CPU utilisation values. Cisco suggested using the old school SNMP MIB for the 7500 and similar, but it doesn't return multiple counters.

root at monitor1:~# snmpwalk -v2c -c com switch1 .1.3.6.1.4.1.9.9.109.1.1.1.1.5
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.5.3000 = Gauge32: 17
root at monitor1:~#

The TAC lodged a bug for this (CSCti07144), but that doesn't really help me now. Had a chat with a few of the folks at Cisco Live in Melbourne last week; the general consensus is that bugs in SNMP won't be fixed anymore, and that we should be using NETCONF. OK, cool, I'm happy with that, but I can't actually find very much useful stuff about NETCONF at all. We're a Nagios/OSS/homegrown shop, so I've got no problems integrating it, but it still seems very much at the "here's a prototype library" stage. Are there any monitoring packages that actually do it? Is anyone using it as a general NMS platform for things like CPU > x%?

Thanks all,

- I.
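For an NMS that has to do "CPU > x%" from a walk like the one above, the check is worth writing per table row rather than against one gauge, so that a platform which does report several rows (one per CPU index) gets every row evaluated instead of a single number hiding a hot core. The Python below is an added example written for this thread, not code from the list or from Nagios; the walk output it parses is constructed (the single-row sample mirrors the thread's output, the multi-row sample is hypothetical), and the OID is the cpmCPUTotalTable column Ian walks. Two practitioner caveats the example does not change: the walk above uses SNMPv2c, whose community string crosses the wire in cleartext, so a read-only SNMPv3 authPriv user is the minimum for a monitoring path; and NETCONF (RFC 6241) runs over SSH (RFC 6242, port 830), which is a large part of why it is the better transport where the platform supports it.

```python
"""Parse an snmpwalk of one CISCO-PROCESS-MIB cpmCPUTotalTable column and
raise a Nagios-style alert per CPU row.  Added example for the thread; the
sample walk output is constructed, not captured from the 4500 discussed."""
import re
from typing import Dict, List

# The column walked in the thread (cpmCPUTotalTable, column 5); each
# instance suffix is a cpmCPUTotalIndex, so a box may return several rows.
CPM_CPU_TOTAL_COLUMN = ".1.3.6.1.4.1.9.9.109.1.1.1.1.5"

# Constructed samples: one row, as in the thread, and a hypothetical box
# that reports one row per CPU plus a row from a neighbouring column that
# a careless parser would wrongly count.
SAMPLE_WALK_SINGLE = (
    "SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.5.3000 = Gauge32: 17\n"
)
SAMPLE_WALK_MULTI = (
    "SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.5.1 = Gauge32: 12\n"
    "SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.5.2 = Gauge32: 91\n"
    "SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.5.3 = Gauge32: 8\n"
    "SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.6.1 = Gauge32: 55\n"  # other column
)

# net-snmp prints "<oid>.<index> = Gauge32: <value>"; the OID appears in
# MIB-name form when the MIB is loaded, numerically otherwise.  Accept both.
_ROW = re.compile(
    r"^(?:SNMPv2-SMI::enterprises|\.1\.3\.6\.1\.4\.1)"
    r"\.9\.9\.109\.1\.1\.1\.1\.5\.(\d+)\s*=\s*Gauge32:\s*(\d+)\s*$"
)


def parse_cpu_rows(walk_output: str) -> Dict[int, int]:
    """Return {cpmCPUTotalIndex: percent} for every row of the walked column.
    Lines from other columns or with unexpected types are ignored, not guessed."""
    rows: Dict[int, int] = {}
    for line in walk_output.splitlines():
        m = _ROW.match(line.strip())
        if m:
            rows[int(m.group(1))] = int(m.group(2))
    return rows


def cpu_alerts(rows: Dict[int, int], threshold: int) -> List[str]:
    """One alert string per CPU row above threshold.  Evaluating rows
    individually is the point: averaging them would let one saturated
    CPU disappear behind idle ones."""
    return [
        f"CRITICAL: cpu index {idx} at {pct}% (> {threshold}%)"
        for idx, pct in sorted(rows.items())
        if pct > threshold
    ]


def nagios_state(rows: Dict[int, int], threshold: int) -> int:
    """Nagios exit code: 0 OK, 2 CRITICAL, 3 UNKNOWN when the walk returned
    no rows at all (a timeout or wrong OID must not look like 'OK')."""
    if not rows:
        return 3
    return 2 if cpu_alerts(rows, threshold) else 0


if __name__ == "__main__":
    for name, walk in (("single", SAMPLE_WALK_SINGLE), ("multi", SAMPLE_WALK_MULTI)):
        rows = parse_cpu_rows(walk)
        print(name, rows, nagios_state(rows, 80), cpu_alerts(rows, 80))
```

Feed it the stdout of the real snmpwalk and use the returned state as the plugin's exit code; an empty result maps to UNKNOWN on purpose, so a device that stops answering is not reported as healthy.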
From dmitry at dmitry.net Thu Mar 29 23:17:56 2012
From: dmitry at dmitry.net (Dmitry Kiselev)
Date: Fri, 30 Mar 2012 06:17:56 +0300
Subject: [c-nsp] MPLS TE Load Balancing
In-Reply-To:
References:
Message-ID: <20120330031756.GA24848@f17.dmitry.net>

Hi!

Yes, unlike CRS, MPLS TE Unequal Load Balancing currently is not supported on both Trident and Typhoon A9K cards. Seems it will be supported on Typhoon in the future, but not on Trident.

So, it is definitely not your case :)

--
Dmitry Kiselev

On Thu, Mar 29, 2012 at 09:02:27PM -0500, omar parihuana wrote:
> Hi Xu Hu:
>
> I've tried to configure load-share unfortunately it is not supported :(
>
> RP/0/RSP0/CPU0:9K6-413(config-if)#load-share 100
> RP/0/RSP0/CPU0:9K6-413(config-if)#interface tunnel-te501
> RP/0/RSP0/CPU0:9K6-413(config-if)#load-share
> % Incomplete command.
> RP/0/RSP0/CPU0:9K6-413(config-if)#load-share 100
> RP/0/RSP0/CPU0:9K6-413(config-if)#commit
>
> % Failed to commit one or more configuration items during a pseudo-atomic
> operation. All changes made have been reverted. Please issue 'show
> configuration failed' from this session to view the errors
> RP/0/RSP0/CPU0:9K6-413(config-if)#show configuration failed
> Fri Mar 30 00:58:07.275 UTC
> !! SEMANTIC ERRORS: This configuration was rejected by
> !! the system due to semantic errors. The individual
> !! errors with each failed configuration command can be
> !! found below.
>
>
> interface tunnel-te501
>  load-share 100
> !!% The requested operation is not supported: Feature not supported on this
> platform
> !
> interface tunnel-te502
>  load-share 100
> !!% The requested operation is not supported: Feature not supported on this
> platform
> !
> end
>
> RP/0/RSP0/CPU0:9K6-413#show platform
> Fri Mar 30 00:59:35.525 UTC
> Node            Type                      State            Config State
> -----------------------------------------------------------------------------
> 0/RSP0/CPU0     A9K-RSP-4G(Active)        IOS XR RUN       PWR,NSHUT,MON
> 0/0/CPU0        A9K-2T20GE-B              IOS XR RUN       PWR,NSHUT,MON
> RP/0/RSP0/CPU0:9K6-413#show ver
> Fri Mar 30 00:59:41.689 UTC
>
> Cisco IOS XR Software, Version 4.0.3[Default]
> Copyright (c) 2011 by Cisco Systems, Inc.
>
> ROM: System Bootstrap, Version 1.05(20101118:025914) [ASR9K ROMMON],
>
> 9K6-413 uptime is 3 weeks, 3 days, 8 hours, 43 minutes
> System image file is "bootflash:disk0/asr9k-os-mbi-4.0.3/mbiasr9k-rp.vm"
>
> cisco ASR9K Series (MPC8641D) processor with 4194304K bytes of memory.
> MPC8641D processor at 1333MHz, Revision 2.2
> ASR-9006 AC Chassis
>
>
> Rgds.
>

From mays at win.net Fri Mar 30 01:41:32 2012
From: mays at win.net (Joseph Mays)
Date: Fri, 30 Mar 2012 01:41:32 -0400
Subject: [c-nsp] Failing to load IOS
Message-ID: <8B9DBD02B8C7422C80EE2E14D5F3E8BF@win2snvu0x4eg9>

Trying to load 12.4(13b) on a --

cisco 7206VXR (NPE400) processor (revision A) with 491520K/32768K bytes of memory.

I have the following boot sequence defined --

boot-start-marker
boot system disk1:c7200-is-mz.124-13b.bin
boot system slot0:c7200-is-mz.123-22.bin
boot-end-marker

Both images are there.

From mays at win.net Fri Mar 30 01:46:30 2012
From: mays at win.net (Joseph Mays)
Date: Fri, 30 Mar 2012 01:46:30 -0400
Subject: [c-nsp] Failing to load IOS
Message-ID:

Sorry, disregard the previous message, hit send by accident before it was completed.

Trying to load 12.4(13b) on a --

cisco 7206VXR (NPE400) processor (revision A) with 491520K/32768K bytes of memory.

I have the following boot sequence defined --

boot-start-marker
boot system disk1:c7200-is-mz.124-13b.bin
boot system slot0:c7200-is-mz.123-22.bin
boot-end-marker

Both images are there.

gw1.armplc#dir disk1:
Directory of disk1:/

    1  -rw-    26027532  Mar 29 2012 10:32:38 +00:00  c7200-is-mz.124-13b.bin

40759296 bytes total (14729216 bytes free)

gw1.armplc#dir slot0:
Directory of slot0:/

    1  -rw-    17839240   Apr 6 2011 14:12:43 +00:00  c7200-is-mz.123-22.bin

20578304 bytes total (2738936 bytes free)

Yet after bootup the router is still running the 12.3(22) version.

I assume the problem is the amount of ram, since the feature navigator shows that the router requires 48meg for 12.4(13b), and show ver shows it only has 32 meg (is that correct)? But the feature navigator also shows that 12.3(22) requires 48meg, and that loads fine.

So I'm looking for a sanity check as to whether or not I am misreading the feature navigator or the router info, and whether or not something other than the amount of ram is likely to be the problem.

From jstuxuhu0816 at gmail.com Fri Mar 30 02:31:31 2012
From: jstuxuhu0816 at gmail.com (Xu Hu)
Date: Fri, 30 Mar 2012 14:31:31 +0800
Subject: [c-nsp] MPLS TE Load Balancing
In-Reply-To: <20120330031756.GA24848@f17.dmitry.net>
References: <20120330031756.GA24848@f17.dmitry.net>
Message-ID:

Actually from the command "show route 10.100.100.7" we can see the two paths have the same metric. You are using OSPF for TE, or ISIS? Can you check the database to see if the metric is the same or not? Because I think by default the cost is the same, and it will load-share the traffic.

BTW, just now I checked my ASR9000; it also cannot support it.

interface tunnel-te1
 load-share 2
!!% The requested operation is not supported: Feature not supported on this platform
!
end

Xu Hu

2012/3/30 Dmitry Kiselev
> Hi!
>
>
> Yes, unlike CRS, MPLSTE Unequal Load Balancing currently is not supported
> on both Trident and Typhoon A9K cards.
> Seems it will be supported on Typhoon in the future, but not on Trident.
> > So, it is difinitely not Your case :) > > -- > Dmitry Kiselev > > On Thu, Mar 29, 2012 at 09:02:27PM -0500, omar parihuana wrote: > > > Hi Xu Hu: > > > > I've tried to configure load-share unfortunately it is not supported :( > > > > RP/0/RSP0/CPU0:9K6-413(config-if)#load-share 100 > > RP/0/RSP0/CPU0:9K6-413(config-if)#interface tunnel-te501 > > RP/0/RSP0/CPU0:9K6-413(config-if)#load-share > > % Incomplete command. > > RP/0/RSP0/CPU0:9K6-413(config-if)#load-share 100 > > RP/0/RSP0/CPU0:9K6-413(config-if)#commit > > > > % Failed to commit one or more configuration items during a pseudo-atomic > > operation. All changes made have been reverted. Please issue 'show > > configuration failed' from this session to view the errors > > RP/0/RSP0/CPU0:9K6-413(config-if)#show configuration failed > > Fri Mar 30 00:58:07.275 UTC > > !! SEMANTIC ERRORS: This configuration was rejected by > > !! the system due to semantic errors. The individual > > !! errors with each failed configuration command can be > > !! found below. > > > > > > interface tunnel-te501 > > load-share 100 > > !!% The requested operation is not supported: Feature not supported on > this > > platform > > ! > > interface tunnel-te502 > > load-share 100 > > !!% The requested operation is not supported: Feature not supported on > this > > platform > > ! > > end > > > > RP/0/RSP0/CPU0:9K6-413#show platform > > Fri Mar 30 00:59:35.525 UTC > > Node Type State Config State > > > ----------------------------------------------------------------------------- > > 0/RSP0/CPU0 A9K-RSP-4G(Active) IOS XR RUN PWR,NSHUT,MON > > 0/0/CPU0 A9K-2T20GE-B IOS XR RUN PWR,NSHUT,MON > > RP/0/RSP0/CPU0:9K6-413#show ver > > Fri Mar 30 00:59:41.689 UTC > > > > Cisco IOS XR Software, Version 4.0.3[Default] > > Copyright (c) 2011 by Cisco Systems, Inc. 
> >
> > ROM: System Bootstrap, Version 1.05(20101118:025914) [ASR9K ROMMON],
> >
> > 9K6-413 uptime is 3 weeks, 3 days, 8 hours, 43 minutes
> > System image file is "bootflash:disk0/asr9k-os-mbi-4.0.3/mbiasr9k-rp.vm"
> >
> > cisco ASR9K Series (MPC8641D) processor with 4194304K bytes of memory.
> > MPC8641D processor at 1333MHz, Revision 2.2
> > ASR-9006 AC Chassis
> >
> >
> > Rgds.
> >
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From andriy.bilous at gmail.com Fri Mar 30 03:17:48 2012
From: andriy.bilous at gmail.com (Andriy Bilous)
Date: Fri, 30 Mar 2012 09:17:48 +0200
Subject: [c-nsp] Failing to load IOS
In-Reply-To:
References:
Message-ID:

What does 'show bootvar' say? Also, when you're intending to boot from a local file system I'd recommend not missing the keyword 'flash' in the 'boot system' command: boot system flash disk1:c7200-is-mz.124-13b.bin

On Fri, Mar 30, 2012 at 7:46 AM, Joseph Mays wrote:
> Sorry, disregard the previous message, hit send by accident before it was completed.
>
> Trying to load 12.4(13b) on a --
>
> cisco 7206VXR (NPE400) processor (revision A) with 491520K/32768K bytes of
> memory.
>
> I have the following boot sequence defined --
>
> boot-start-marker
> boot system disk1:c7200-is-mz.124-13b.bin
> boot system slot0:c7200-is-mz.123-22.bin
> boot-end-marker
>
>
> Both images are there.
>
> gw1.armplc#dir disk1:
> Directory of disk1:/
>
>     1  -rw-    26027532  Mar 29 2012 10:32:38 +00:00  c7200-is-mz.124-13b.bin
>
> 40759296 bytes total (14729216 bytes free)
>
> gw1.armplc#dir slot0:
> Directory of slot0:/
>
>     1  -rw-    17839240   Apr 6 2011 14:12:43 +00:00  c7200-is-mz.123-22.bin
>
> 20578304 bytes total (2738936 bytes free)
>
> Yet after bootup the router is still running the 12.3(22) version.
> > I assume the problem is the amount of ram, since the feature navigator shows that the router requires 48meg for 12.4(13b), and show ver shows it only has 32 meg (is that correct)? But the feature navigator also shows that 12.3(22) requires 48meg, and that loads fine. > > So I'm looking for a sanity check as to whether or not I am misreading the feature navigator or the router info, and whether or not something other than the amount of ram is likely to be the problem. > _______________________________________________ > cisco-nsp mailing list ?cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From jstuxuhu0816 at gmail.com Fri Mar 30 03:29:31 2012 From: jstuxuhu0816 at gmail.com (Xu Hu) Date: Fri, 30 Mar 2012 15:29:31 +0800 Subject: [c-nsp] Failing to load IOS In-Reply-To: References: Message-ID: <658078D6-2108-4B7E-8D5D-0076C270488A@gmail.com> Why just delete the Boot system command. Try just use one boot system command. If cannot will go directly into the Rommon mode, use boot command will load the old ios. Thanks and regards, Xu Hu On 30 Mar, 2012, at 15:17, Andriy Bilous wrote: > What 'show bootvar' says? Also when you're intending to boot from > local file system I'd recommend not to miss keyword 'flash' in 'boot > system' command - boot system flash disk1:c7200-is-mz.124-13b.bin > > On Fri, Mar 30, 2012 at 7:46 AM, Joseph Mays wrote: >> Sorry, disregard the previous message, hit send by accident before it was completed. >> >> Trying to load 12.4(13b) on a -- >> >> cisco 7206VXR (NPE400) processor (revision A) with 491520K/32768K bytes of >> memory. >> >> I have the following boot sequence defined -- >> >> boot-start-marker >> boot system disk1:c7200-is-mz.124-13b.bin >> boot system slot0:c7200-is-mz.123-22.bin >> boot-end-marker >> >> >> Both images are there. 
>> >> gw1.armplc#dir disk1: >> Directory of disk1:/ >> >> 1 -rw- 26027532 Mar 29 2012 10:32:38 +00:00 c7200-is-mz.124-13b.bin >> >> 40759296 bytes total (14729216 bytes free) >> >> gw1.armplc#dir slot0: >> Directory of slot0:/ >> >> 1 -rw- 17839240 Apr 6 2011 14:12:43 +00:00 c7200-is-mz.123-22.bin >> >> 20578304 bytes total (2738936 bytes free) >> >> Yet after bootup the router is still running the 12.3(22) version. >> >> I assume the problem is the amount of ram, since the feature navigator shows that the router requires 48meg for 12.4(13b), and show ver shows it only has 32 meg (is that correct)? But the feature navigator also shows that 12.3(22) requires 48meg, and that loads fine. >> >> So I'm looking for a sanity check as to whether or not I am misreading the feature navigator or the router info, and whether or not something other than the amount of ram is likely to be the problem. >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From avitkovsky at emea.att.com Fri Mar 30 04:34:10 2012 From: avitkovsky at emea.att.com (Vitkovsky, Adam) Date: Fri, 30 Mar 2012 10:34:10 +0200 Subject: [c-nsp] MPLS TE Load Balancing In-Reply-To: References: Message-ID: Hi Omar, Wouldn't all the packets be considered part of the same flow by any chance? 
adam

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of omar parihuana
Sent: Friday, March 30, 2012 2:28 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] MPLS TE Load Balancing

Hi Group,

I'm wondering about a strange behaviour about MPLS TE on ASR9K

I have two MPLS TE tunnels (with autoroute announce):

RP/0/RSP0/CPU0:9K6-413#show route 10.100.100.7
Thu Mar 29 23:09:49.818 UTC

Routing entry for 10.100.100.7/32
  Known via "isis BACKBONE", distance 115, metric 140, type level-2
  Installed Mar 29 22:58:29.392 for 00:11:20
  Routing Descriptor Blocks
    10.100.100.2, from 10.100.100.7, via tunnel-te502
      Route metric is 140
    10.100.100.3, from 10.100.100.7, via tunnel-te501
      Route metric is 140
  No advertising protos.
RP/0/RSP0/CPU0:9K6-413#

In accordance with the RIB output I was hoping that traffic to 10.100.100.7 would be balanced between both tunnels... however I only see traffic over the first tunnel...

RP/0/RSP0/CPU0:9K6-413#show mpls forwarding prefix 10.100.100.7/32 detail
Thu Mar 29 23:05:13.320 UTC
Local  Outgoing    Prefix             Outgoing     Next Hop        Bytes
Label  Label       or ID              Interface                    Switched
------ ----------- ------------------ ------------ --------------- ------------
16012  16014       10.100.100.7/32    tt502        10.100.100.2    24438881830
     Updated Mar 29 22:58:29.416
     MAC/Encaps: 14/18, MTU: 9180
     Label Stack (Top -> Bottom): { Imp-Null 16014 }
     Packets Switched: 100987115

       16018       10.100.100.7/32    tt501        10.100.100.3    0
     Updated Mar 29 22:58:29.416
     MAC/Encaps: 14/22, MTU: 9180
     Label Stack (Top -> Bottom): { 16020 Imp-Null 16018 }
     Packets Switched: 0

What's happening? Why no load balancing? Do I need additional conf on ASR9K in order to accomplish MPLS TE load balancing?

Thank you for your answer...

Rgds.

--
Omar E.P.T
-----------------
Certified Networking Professionals make better Connections!
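Adam's question is the one to chase. Two autoroute-announced tunnels with the same IGP metric, as in the RIB entry above, are equal-cost paths, and the forwarding plane balances equal-cost paths per flow, not per packet: it hashes header fields of each packet to pick one path, so every packet of a single test stream lands on the same tunnel and the other tunnel's counter never moves, which is exactly what the `show mpls forwarding` output shows. The Python below is an added example written for this thread, not code from the list or from Cisco; the hash function, the seed and the packet samples are constructed for the demonstration and are not the ASR9K's actual algorithm. It shows one repeated 5-tuple pinned to a single tunnel while a thousand distinct flows spread across both.

```python
"""Per-flow (hash-based) path selection over the two equal-cost TE tunnels
from the thread.  Added example; the hash, seed and packets are constructed
for the demo and do not reproduce the ASR9K's real load-balancing algorithm."""
import hashlib
from collections import Counter
from dataclasses import dataclass
from typing import List, Sequence


@dataclass(frozen=True)
class Packet:
    """Header fields of one packet; payload is irrelevant to path choice."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


# The two equal-cost next hops for 10.100.100.7/32 in the thread's RIB entry.
PATHS = ("tunnel-te502", "tunnel-te501")


def flow_key(pkt: Packet) -> bytes:
    """Fields a flow-aware hash typically covers.  TTL, length and payload
    are deliberately excluded so every packet of a flow yields the same key
    and the flow never reorders across paths."""
    return f"{pkt.src}|{pkt.dst}|{pkt.proto}|{pkt.sport}|{pkt.dport}".encode()


def choose_path(pkt: Packet, paths: Sequence[str] = PATHS,
                seed: bytes = b"demo-seed") -> str:
    """Deterministic flow-to-path mapping: hash(seed || key) mod N.
    The seed stands in for the per-router value real platforms mix in so
    that successive hops do not polarise traffic and so that the path a
    given flow takes is not trivially predictable from outside."""
    digest = hashlib.sha256(seed + flow_key(pkt)).digest()
    return paths[int.from_bytes(digest[:4], "big") % len(paths)]


def distribute(packets: Sequence[Packet], paths: Sequence[str] = PATHS) -> Counter:
    """Packets per path: what the 'Bytes Switched' column would reflect."""
    return Counter(choose_path(p, paths) for p in packets)


def single_flow(n: int) -> List[Packet]:
    """One iperf-style stream: the same 5-tuple repeated n times."""
    return [Packet("10.1.1.10", "10.100.100.7", 6, 40000, 5001)] * n


def many_flows(n: int) -> List[Packet]:
    """n distinct flows: source port varies, as real user traffic does."""
    return [Packet("10.1.1.10", "10.100.100.7", 6, 40000 + i, 5001)
            for i in range(n)]


if __name__ == "__main__":
    print("single flow :", distribute(single_flow(1000)))
    print("1000 flows  :", distribute(many_flows(1000)))
```

Run it and the single-flow counter sits entirely on one tunnel while the thousand-flow counter splits roughly evenly. That is why a one-stream throughput test is the wrong way to validate ECMP: validate with many flows, and treat a persistently idle member of an equal-cost set as suspicious only once the offered traffic is known to contain many distinct flows.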
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From ketimun at gmail.com Fri Mar 30 09:17:22 2012
From: ketimun at gmail.com (selamat pagi)
Date: Fri, 30 Mar 2012 15:17:22 +0200
Subject: [c-nsp] 6500 Sup2T CMP comands
Message-ID:

Looking for ways to customize the CMP

1) How can the clock be set or synchronised on the CMP ?

Sup2T-cmp# sh clo
05:54:16 UTC Thu Mar 22 2012

Sup2T# sh clo
15:10:37.407 UTC Fri Mar 30 2012

2) Can the username be changed from root to xy ?

many thanks,
keti

From harbor235 at gmail.com Fri Mar 30 09:57:01 2012
From: harbor235 at gmail.com (harbor235)
Date: Fri, 30 Mar 2012 09:57:01 -0400
Subject: [c-nsp] ISRG2
Message-ID:

I am having the hardest time finding docs on ISRG2 performance comparisons for the 3900 and the 3900E models. I am interested in the 3925/3925E. Before anyone lmgtfy.com's typical marketing data I found, there are slot differences, built-in LAN interfaces differences, etc ... One uses the SPE100 and the other the SPE200, but what are the performance numbers, comparisons?

thanx in advance,

Mike

From fasterfourier at gmail.com Fri Mar 30 11:12:22 2012
From: fasterfourier at gmail.com (Robert Johnson)
Date: Fri, 30 Mar 2012 11:12:22 -0400
Subject: [c-nsp] 3745 router crash
Message-ID:

I have a 3745 router with 256D, a NM-1FE-FX in slot 0, and a NM-2FE2W in slot 1. IOS 12.4(25a).

On Wednesday the router locked hard and was unresponsive from console, etc. Power cycle brought it back up. This morning the router crashed, but this time came up on its own. I'm not finding much public information on the below "address parity error", and I'm not familiar enough with this platform to be able to tell whether this is a software bug, bad NM, etc. Any suggestions would be greatly appreciated.
Here are the interesting tidbits:

---------------------
router>sho ver
Cisco IOS Software, 3700 Software (C3745-ADVENTERPRISEK9-M), Version 12.4(25a), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Sat 23-May-09 00:48 by prod_rel_team

ROM: System Bootstrap, Version 12.2(8r)T2, RELEASE SOFTWARE (fc1)

router uptime is 1 hour, 1 minute
System returned to ROM by error - a System Error, PC 0x604EBA28 at 07:53:05 EDT Fri Mar 30 2012
System restarted at 07:56:23 EDT Fri Mar 30 2012
System image file is "flash:c3745-adventerprisek9-mz.124-25a.bin"
-----------------------

%ERR-1-GT64120 (PCI-1): Fatal error, Address parity error
GT=0x24000000, cause=0x00000100, mask=0x00D01D00, real_cause=0x00000100
bus_err_high=0x00000000, bus_err_low=0x00000000, addr_decode_err=0x00000470
cpu_err_data_high=0xFFFFFFFF, cpu_err_data_low=0xFFFFFFFF, cpu_err_parity=0x000000FF
r0 = FFFFFFFF r1 = FFFFFFFF r2 = 0 r3 = 64A40000 r4 = 0
r5 = 0 r6 = 0 r7 = 64CB0000 r8 = 0 r9 = 0
r10 = 0 r11 = 646A0000 r12 = 0 r13 = 1 r14 = 0
r15 = 64EE3C04 r16 = 0 r17 = 0 r18 = 0 r19 = 0
r20 = 0 r21 = 8D348A4 r22 = 0 r23 = 64A38274 r24 = 0
r25 = 646A0000 r26 = 0 r27 = 1 r28 = 0 r29 = 64EE0000
r30 = 0 r31 = 66AA9744 r32 = FFFFFFFF r33 = FFFFFFFF r34 = FFFFFFFF
r35 = FFFFFFFF r36 = FFFFFFFF r37 = FFFFFFFF r38 = FFFFFFFF r39 = FFFFFFFF
r40 = FFFFFFFF r41 = FFFFFFFF r42 = FFFFFFFF r43 = FFFFFFFF r44 = FFFFFFFF
r45 = FFFFFFFF r46 = FFFFFFFF r47 = FFFFFFFF r48 = 0 r49 = 0
r50 = 0 r51 = 0 r52 = 0 r53 = 663495A8 r54 = 0
r55 = 623BD80C r56 = FFFFFFFF r57 = FFFFFFFF r58 = 0 r59 = 653CB078
r60 = FFFFFFFF r61 = FFFFFFFF r62 = 0 r63 = 60AA5D40
sreg = 3401FF03 mdlo_hi = FFFFFFFF mdlo = DFB3E941
mdhi_hi = FFFFFFFF mdhi = FBCF9D47 badvaddr_hi = FFFFFFFF
badvaddr = FFFFFFFF cause = FFFFFFFF epc_hi = 0
epc = 604EBA28 err_epc_hi = FFFFFFFF err_epc = FFFFFFFF

%ERR-1-FATAL: Fatal error interrupt, reloading
err_stat=0x0

From shopik at inblock.ru Fri Mar 30 11:43:33 2012
From: shopik at inblock.ru (Nikolay Shopik)
Date: Fri, 30 Mar 2012 19:43:33 +0400
Subject: [c-nsp] 3745 router crash
In-Reply-To:
References:
Message-ID: <4F75D4A5.7070109@inblock.ru>

Well, Output Interpreter is usually your friend; since I don't have your crashinfo file I just pasted your error. This is what it says:

%ERR-1-FATAL: Fatal error interrupt

Explanation: This error message indicates a Hardware problem in the device.

Recommended Action: To troubleshoot try this:
1. Reload the device with no modules installed and check if the message appears.
2. Reload the device with each successive module and check to see if a certain module or mis-seated module is causing this issue.

ERROR: A system crash due to the 'System Error' is normally caused by a hardware issue.

TRY THIS:
1. If a new module has been recently installed, first try to re-seat the module. Re-seat all the removable components.
2. Capture the output of "show tech-support" from your device and submit it to the Output Interpreter to display potential issues and fixes.
3. If the problem persists, consider opening a service request with Cisco at TAC Service Request Tool.

On 30.03.2012 19:12, Robert Johnson wrote:
> I have a 3745 router with 256D, a NM-1FE-FX in slot 0, and a NM-2FE2W
> in slot 1. IOS 12.4(25a).
>
> On Wednesday the router locked hard and was unresponsive from console,
> etc. Power cycle brought it back up. This morning the router crashed,
> but this time came up on its own. I'm not finding much public
> information on the below "address parity error", and I'm not familiar
> enough with this platform to be able to tell whether this is a
> software bug, bad NM, etc. Any suggestions would be greatly
> appreciated.
>
> Here are the interesting tidbits:
>
> ---------------------
> router>sho ver
> Cisco IOS Software, 3700 Software (C3745-ADVENTERPRISEK9-M), Version 12.4(25a),
> RELEASE SOFTWARE (fc2)
> Technical Support: http://www.cisco.com/techsupport
> Copyright (c) 1986-2009 by Cisco Systems, Inc.
> Compiled Sat 23-May-09 00:48 by prod_rel_team
>
> ROM: System Bootstrap, Version 12.2(8r)T2, RELEASE SOFTWARE (fc1)
>
> router uptime is 1 hour, 1 minute
> System returned to ROM by error - a System Error, PC 0x604EBA28 at 07:53:05 EDT
> Fri Mar 30 2012
> System restarted at 07:56:23 EDT Fri Mar 30 2012
> System image file is "flash:c3745-adventerprisek9-mz.124-25a.bin"
> -----------------------
>
> %ERR-1-GT64120 (PCI-1): Fatal error, Address parity error
>  GT=0x24000000, cause=0x00000100, mask=0x00D01D00, real_cause=0x00000100
>  bus_err_high=0x00000000, bus_err_low=0x00000000, addr_decode_err=0x00000470
>  cpu_err_data_high=0xFFFFFFFF, cpu_err_data_low=0xFFFFFFFF, cpu_err_parity=0x000000FF
>  r0  = FFFFFFFF r1  = FFFFFFFF r2  = 0        r3  = 64A40000 r4  = 0
>  r5  = 0        r6  = 0        r7  = 64CB0000 r8  = 0        r9  = 0
>  r10 = 0        r11 = 646A0000 r12 = 0        r13 = 1        r14 = 0
>  r15 = 64EE3C04 r16 = 0        r17 = 0        r18 = 0        r19 = 0
>  r20 = 0        r21 = 8D348A4  r22 = 0        r23 = 64A38274 r24 = 0
>  r25 = 646A0000 r26 = 0        r27 = 1        r28 = 0        r29 = 64EE0000
>  r30 = 0        r31 = 66AA9744 r32 = FFFFFFFF r33 = FFFFFFFF r34 = FFFFFFFF
>  r35 = FFFFFFFF r36 = FFFFFFFF r37 = FFFFFFFF r38 = FFFFFFFF r39 = FFFFFFFF
>  r40 = FFFFFFFF r41 = FFFFFFFF r42 = FFFFFFFF r43 = FFFFFFFF r44 = FFFFFFFF
>  r45 = FFFFFFFF r46 = FFFFFFFF r47 = FFFFFFFF r48 = 0        r49 = 0
>  r50 = 0        r51 = 0        r52 = 0        r53 = 663495A8 r54 = 0
>  r55 = 623BD80C r56 = FFFFFFFF r57 = FFFFFFFF r58 = 0        r59 = 653CB078
>  r60 = FFFFFFFF r61 = FFFFFFFF r62 = 0        r63 = 60AA5D40
>  sreg     = 3401FF03 mdlo_hi    = FFFFFFFF mdlo        = DFB3E941
>  mdhi_hi  = FFFFFFFF mdhi       = FBCF9D47 badvaddr_hi = FFFFFFFF
>  badvaddr = FFFFFFFF cause      = FFFFFFFF epc_hi      = 0
>  epc      = 604EBA28 err_epc_hi = FFFFFFFF err_epc     = FFFFFFFF
>
> %ERR-1-FATAL: Fatal error interrupt, reloading
>  err_stat=0x0
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From fasterfourier at gmail.com Fri Mar 30 12:01:26 2012
From: fasterfourier at gmail.com (Robert Johnson)
Date: Fri, 30 Mar 2012 12:01:26 -0400
Subject: [c-nsp] 3745 router crash
In-Reply-To: <4F75D4A5.7070109@inblock.ru>
References: <4F75D4A5.7070109@inblock.ru>
Message-ID:

Thank you. Sadly, no CCO, so Output Interpreter is not my friend. However, if anyone is feeling nice, I've attached the crashinfo file with the config redacted. I'd love to know which hardware to replace instead of the entire chassis+modules.

On Fri, Mar 30, 2012 at 11:43 AM, Nikolay Shopik wrote:
> Well, Output Interpreter is usually your friend; since I don't have your
> crashinfo file I just pasted your error. This is what it says:
>
>
> %ERR-1-FATAL: Fatal error interrupt
>
> Explanation: This error message indicates a hardware problem in the device.
> Recommended Action: To troubleshoot try this:
>  1. Reload the device with no modules installed and check if the message
> appears.
>  2. Reload the device with each successive module and check to see if a
> certain
>  module or mis-seated module is causing this issue.
>
> ERROR: A system crash due to the 'System Error' is normally caused by a
> hardware
> issue.
> TRY THIS:
> 1. If a new module has been recently installed, first try to re-seat the
> module.
>  Re-seat all the removable components.
> 2. Capture the output of "show tech-support" from your device and submit
> it to
>  the Output Interpreter to display potential issues and fixes.
> 3. If the problem persists, consider opening a service request with Cisco at
>  TAC Service Request Tool.
>
> On 30.03.2012 19:12, Robert Johnson wrote:
>> I have a 3745 router with 256D, a NM-1FE-FX in slot 0, and a NM-2FE2W
>> in slot 1. IOS 12.4(25a).
>>
>> On Wednesday the router locked hard and was unresponsive from console,
>> etc. Power cycle brought it back up. This morning the router crashed,
>> but this time came up on its own. I'm not finding much public
>> information on the below "address parity error", and I'm not familiar
>> enough with this platform to be able to tell whether this is a
>> software bug, bad NM, etc. Any suggestions would be greatly
>> appreciated.
>>
>> Here are the interesting tidbits:
>>
>> ---------------------
>> router>sho ver
>> Cisco IOS Software, 3700 Software (C3745-ADVENTERPRISEK9-M), Version 12.4(25a),
>> RELEASE SOFTWARE (fc2)
>> Technical Support: http://www.cisco.com/techsupport
>> Copyright (c) 1986-2009 by Cisco Systems, Inc.
>> Compiled Sat 23-May-09 00:48 by prod_rel_team
>>
>> ROM: System Bootstrap, Version 12.2(8r)T2, RELEASE SOFTWARE (fc1)
>>
>> router uptime is 1 hour, 1 minute
>> System returned to ROM by error - a System Error, PC 0x604EBA28 at 07:53:05 EDT
>> Fri Mar 30 2012
>> System restarted at 07:56:23 EDT Fri Mar 30 2012
>> System image file is "flash:c3745-adventerprisek9-mz.124-25a.bin"
>> -----------------------
>>
>> %ERR-1-GT64120 (PCI-1): Fatal error, Address parity error
>>  GT=0x24000000, cause=0x00000100, mask=0x00D01D00, real_cause=0x00000100
>>  bus_err_high=0x00000000, bus_err_low=0x00000000, addr_decode_err=0x00000470
>>  cpu_err_data_high=0xFFFFFFFF, cpu_err_data_low=0xFFFFFFFF, cpu_err_parity=0x000000FF
>>  r0  = FFFFFFFF r1  = FFFFFFFF r2  = 0        r3  = 64A40000 r4  = 0
>>  r5  = 0        r6  = 0        r7  = 64CB0000 r8  = 0        r9  = 0
>>  r10 = 0        r11 = 646A0000 r12 = 0        r13 = 1        r14 = 0
>>  r15 = 64EE3C04 r16 = 0        r17 = 0        r18 = 0        r19 = 0
>>  r20 = 0        r21 = 8D348A4  r22 = 0        r23 = 64A38274 r24 = 0
>>  r25 = 646A0000 r26 = 0        r27 = 1        r28 = 0        r29 = 64EE0000
>>  r30 = 0        r31 = 66AA9744 r32 = FFFFFFFF r33 = FFFFFFFF r34 = FFFFFFFF
>>  r35 = FFFFFFFF r36 = FFFFFFFF r37 = FFFFFFFF r38 = FFFFFFFF r39 = FFFFFFFF
>>  r40 = FFFFFFFF r41 = FFFFFFFF r42 = FFFFFFFF r43 = FFFFFFFF r44 = FFFFFFFF
>>  r45 = FFFFFFFF r46 = FFFFFFFF r47 = FFFFFFFF r48 = 0        r49 = 0
>>  r50 = 0        r51 = 0        r52 = 0        r53 = 663495A8 r54 = 0
>>  r55 = 623BD80C r56 = FFFFFFFF r57 = FFFFFFFF r58 = 0        r59 = 653CB078
>>  r60 = FFFFFFFF r61 = FFFFFFFF r62 = 0        r63 = 60AA5D40
>>  sreg     = 3401FF03 mdlo_hi    = FFFFFFFF mdlo        = DFB3E941
>>  mdhi_hi  = FFFFFFFF mdhi       = FBCF9D47 badvaddr_hi = FFFFFFFF
>>  badvaddr = FFFFFFFF cause      = FFFFFFFF epc_hi      = 0
>>  epc      = 604EBA28 err_epc_hi = FFFFFFFF err_epc     = FFFFFFFF
>>
>> %ERR-1-FATAL: Fatal error interrupt, reloading
>>  err_stat=0x0

From mays at win.net Fri Mar 30 12:22:30 2012
From: mays at win.net (Joseph Mays)
Date: Fri, 30 Mar 2012 12:22:30 -0400
Subject: [c-nsp] Failing to load IOS
References:
Message-ID: <11F6F7F798224B8F930D52C5395EDE66@win2snvu0x4eg9>

From: "Andriy Bilous"
> What 'show bootvar' says?

gw1.armplc#show bootvar
BOOT variable = disk1:c7200-is-mz.124-13b.bin,12;slot0:c7200-is-mz.123-22.bin,12;
CONFIG_FILE variable does not exist
BOOTLDR variable =
Configuration register is 0x2102

From mikec at callagy.org Fri Mar 30 13:17:05 2012
From: mikec at callagy.org (Mike Callagy)
Date: Fri, 30 Mar 2012 10:17:05 -0700
Subject: [c-nsp] ASR 1006 Code
In-Reply-To:
References:
Message-ID:

On Thu, Mar 22, 2012 at 7:14 AM, N. Max Pierson wrote:
> Hi List,
>
> Turning up a few new 1006's and would like to hear from those of you on a
> stable revision of XE.
> We're currently running on 15.1(2)S1 and have hit
> quite a few bugs. Our Cisco team says we should move to 15.2(1)S1. Being
> this release is relatively new, I'm a little hesitant to jump to it. The
> last go around had us on an image ridden with bugs after some exposure.
>
> Features used ... nothing really exotic ....
>
> BGPv4
> EIGRPv4
> Netflow
> QoS
> IP SLA
>
> Any recommendations would be great.
>
> Regards,
> Max
>

From amsoares at netcabo.pt Fri Mar 30 14:05:38 2012
From: amsoares at netcabo.pt (Antonio Soares)
Date: Fri, 30 Mar 2012 19:05:38 +0100
Subject: [c-nsp] Failing to load IOS
In-Reply-To: <11F6F7F798224B8F930D52C5395EDE66@win2snvu0x4eg9>
References: <11F6F7F798224B8F930D52C5395EDE66@win2snvu0x4eg9>
Message-ID: <006d01cd0e9f$b6c75c80$24561580$@pt>

Check this field notice:

http://www.cisco.com/en/US/ts/fn/620/fn62725.html

Do you trust your disk1?

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt
http://www.ccie18473.net

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joseph Mays
Sent: Friday, 30 March 2012 17:23
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Failing to load IOS

From: "Andriy Bilous"
> What 'show bootvar' says?
gw1.armplc#show bootvar
BOOT variable = disk1:c7200-is-mz.124-13b.bin,12;slot0:c7200-is-mz.123-22.bin,12;
CONFIG_FILE variable does not exist
BOOTLDR variable =
Configuration register is 0x2102

From mays at win.net Fri Mar 30 14:19:22 2012
From: mays at win.net (Joseph Mays)
Date: Fri, 30 Mar 2012 14:19:22 -0400
Subject: [c-nsp] Failing to load IOS
References: <11F6F7F798224B8F930D52C5395EDE66@win2snvu0x4eg9>
Message-ID: <9237F7773444459A90EA9579ED750043@win2snvu0x4eg9>

BTW, what does the number just after the file name in the BOOT variable represent?

gw1.armplc#show bootvar
BOOT variable = disk1:c7200-is-mz.124-13b.bin,12;slot0:c7200-is-mz.123-22.bin,12;
                                              ^^                              ^^

From sledge121 at gmail.com Fri Mar 30 14:54:10 2012
From: sledge121 at gmail.com (Richard Clayton)
Date: Fri, 30 Mar 2012 19:54:10 +0100
Subject: [c-nsp] ISRG2
In-Reply-To:
References:
Message-ID:

Ah, somebody asked me this on a previous post and I forgot to answer. I have extensive testing results which I will post to you in raw format now. Any questions on the format, just ask.

On 30 March 2012 14:57, harbor235 wrote:
> I am having the hardest time finding docs on ISRG2 performance comparisons
> for the 3900 and the 3900E models. I am interested in the 3925/3925E. Before anyone
> lmgtfy.com's typical marketing data I found, there are slot differences,
> built-in LAN interfaces differences, etc ... One uses the SPE100 and the
> other the SPE200, but what are the performance numbers, comparisons?
>
>
> thanx in advance,
>
> Mike
>

From chuckchurch at gmail.com Fri Mar 30 16:13:04 2012
From: chuckchurch at gmail.com (Chuck Church)
Date: Fri, 30 Mar 2012 16:13:04 -0400
Subject: [c-nsp] Failing to load IOS
In-Reply-To: <11F6F7F798224B8F930D52C5395EDE66@win2snvu0x4eg9>
References: <11F6F7F798224B8F930D52C5395EDE66@win2snvu0x4eg9>
Message-ID: <005301cd0eb1$884d73f0$98e85bd0$@gmail.com>

Is this a case where a bootldr file is needed? Does the ROMMON understand the disk1: filesystem? In ROMMON, can you do a 'dev' and see the filesystem, or do a 'dir' on it? I haven't played with too many of the older 7200s, but I seem to remember this.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joseph Mays
Sent: Friday, March 30, 2012 12:23 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Failing to load IOS

From: "Andriy Bilous"
> What 'show bootvar' says?

gw1.armplc#show bootvar
BOOT variable = disk1:c7200-is-mz.124-13b.bin,12;slot0:c7200-is-mz.123-22.bin,12;
CONFIG_FILE variable does not exist
BOOTLDR variable =
Configuration register is 0x2102

From waris at cisco.com Sat Mar 31 18:42:13 2012
From: waris at cisco.com (Waris Sagheer (waris))
Date: Sat, 31 Mar 2012 15:42:13 -0700
Subject: [c-nsp] ME3600X architecture
In-Reply-To:
References:
Message-ID: <4F2E952349CF714899213AA2A0F68C7D043A5BEB@xmb-sjc-215.amer.cisco.com>

Hi,

The architecture details are currently not available on CCO. ME3800X/ME3600X has Cisco Carrier Ethernet ASIC.
It is a Cisco ASIC and it has all the features (QoS, MPLS, EVC) hardwired. The forwarding is TCAM-based, hence NO performance impact upon enabling multiple features at the same time. Scale advertised is multidimensional, meaning IPv4 routes and IPv6 routes can coexist at the same time since every feature has its own TCAM space reserved. Push/pop/swap of MPLS labels won't have any performance impact, and the same is true for QoS policies.

There are two Cisco Carrier Ethernet ASICs on the platform, one for the 24x1Gig and another one for the 2x10Gig SFP+ ports (you were right about the ASIC distribution). There is non-blocking connectivity between the two ASICs. 10Gig SFP+ ports also support 1xGig fiber SFP without a license.

Multicast is done in the egress path and has no performance impact.

-Waris

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Bacon
Sent: Thursday, March 29, 2012 11:37 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ME3600X architecture

Primarily a question for Waris probably:

Is there anything out there about the "Carrier Ethernet ASIC" or the overall architecture of the box?

Looking at the board itself, it looks as though there's two separate but identical ASIC complexes on the board. My instinct says that the 10G ports are run by one ASIC and the 24 1G ports are run by the other ASIC, with some sort of bridge or bus between 'em.

I only just got my hands on one (and yes, of course I ripped it apart) so I'm only just starting to answer questions - but there's so many nice docs on the 6500 and 4900s that I'm spoiled...

Thanks!
-bacon

From lharrison at convergencegroup.co.uk Thu Mar 1 08:59:24 2012
From: lharrison at convergencegroup.co.uk (Leigh Harrison)
Date: Thu, 01 Mar 2012 13:59:24 -0000
Subject: [c-nsp] ME3600 Configuration advice
Message-ID:

Hello team,

We're looking to run QinQ down a telco-provided circuit that's presented to us as a VLAN in our Core network. The CPE will be a Cisco 2900 router (schematic below).

[schematic image004.png not included in the archive]

As we don't have any spare ME3600X's to test on, would someone be able to sanity-check that the following configuration is viable? I went through the config guides for the ME3600X.

2911:

int gig 0/0
 no ip address
int gig 0/0.20
 encapsulation dot1q 10 second 20
 ip address 10.0.20.1 255.255.255.0
int gig 0/0.30
 encapsulation dot1q 10 second 30

ME3600X:

int g0/1
 service instance 20
  encapsulation dot1q 10 second 20
  bridge-group 20
 service instance 30
  encapsulation dot1q 10 second 30
  bridge-group 30
int vlan 20
 ip address 10.0.20.2 255.255.255.0
int vlan 30
 ip address 10.0.30.2 255.255.255.0

If someone would be able to let me know that we're looking good - that would be much appreciated.
Many thanks in advance,

Leigh

Leigh Harrison, CCIE#15331
Head of Design & Infrastructure
----------------------------------------------------------------------------------------------
Telephone: 0121 711 5527
Mobile: 07872 811 889
Facsimile: 0845 270 2710
Tech Support: 0845 270 2989
E-Mail: lharrison at convergencegroup.co.uk
Group Website: www.convergencegroup.co.uk
Media & Broadcast Website: www.media-net.co
Bullet Internet Website: www.bulletinternet.co.uk
----------------------------------------------------------------------------------------------

This e-mail and any attachment are confidential and contain proprietary information, some or all of which may be legally privileged. It is intended solely for the use of the individual or entity to which it is addressed. If you are not the intended recipient, please notify the author immediately by telephoning 0845 270 2709 or by replying to this e-mail, and then delete all copies of the e-mail on your system. If you are not the intended recipient, you must not use, disclose, distribute, copy, print or rely on this e-mail. Whilst we have taken reasonable precautions to ensure that this e-mail and any attachment has been checked for viruses, we cannot guarantee that they are virus free and we cannot accept liability for any damage sustained as a result of software viruses. We would advise that you carry out your own virus checks, especially before opening an attachment. Convergence Group reserve the right to monitor all email communications through their internal networks.
Convergence (Group Networks) Ltd - registered business in England & Wales - registered number 3815417 - registered office at One Cranmore, Cranmore Drive, Shirley, Solihull, West Midlands, B90 4RZ - VAT number 787 5475 65

From cburnham at du.edu Fri Mar 9 10:26:21 2012
From: cburnham at du.edu (Chad Burnham)
Date: Fri, 09 Mar 2012 15:26:21 -0000
Subject: [c-nsp] Problems with PPP Auth on Cisco 857 / 887V in Denver CenturyLink (Qwest.net) - ANYONE FROM QWEST.NET?
Message-ID:

Hi,

About two weeks ago we started seeing PPP auth issues on just a few of our Cisco 887V (VDSL2) and 857 (ADSL2+) locations in Denver, CO with CenturyLink (Qwest.net) as our ISP - we have run site-to-site VPNs on this platform for years. IOS PPP debugs yield an ISP-driven PPP authentication method move from PAP to CHAP during maintenance window(s). Moving from PAP to CHAP on the dialer 0 interface fixed one site on the 887V platform. Similar config has not fixed the 857. 36 hours later and a very deep dive with TAC has yielded no success. Essentially we see failures on the PPP session with no real reason code other than the carrier has changed something (see below). I have other ADSL2+ (fiber fed/PPPoE) sites in Denver continuing to work fine on PAP.
Is there anyone on this list from CenturyLink/Qwest.net that may be able to assist TAC and me offline and help determine what was changed on the backend so we can match it in IOS on our Ciscos? Since the Ciscos are "3rd party", I am getting stonewalled on support.

I've been told by our CenturyLink service manager that the RADIUS servers were moved from 1G to 10G connections very recently. He is aware that others are having this exact problem, and the CenturyLink NOC is upset as there was no communication from the internal Auth group making the changes.

FYI, using a ZyXEL 5000PK unit will yield a PPP auth success on this current problem circuit. Hard to debug/show the config on the ZyXEL unit to see what is missing in IOS to match.

Thanks for any help on this one. The prolonged outage is killing me....

Chad Burnham
University of Denver

Debug:

I was not able to find any recent issue regarding PPP negotiation with Juniper devices. Basically the problem seems to be authentication after all, but on the Telco side.

Vi1 CHAP: I CHALLENGE id 210 len 33 from "JUNOS"
- We negotiated CHAP with the DSL Agg device during LCP, therefore we receive an incoming CHAP CHALLENGE packet from the "JUNOS" device.

Vi1 CHAP: Using hostname from interface CHAP
Vi1 CHAP: Using password from interface CHAP
Vi1 CHAP: O RESPONSE id 210 len 47 from "odatuniversityof at qwest.net"
- Router sends its credentials configured under the Dialer interface via a RESPONSE packet.

Vi1 CHAP: I FAILURE id 210 len 4
- DSL Agg device receives our credentials and checks their internal database (or redirects it to a RADIUS server); for some reason they do not "like" them, hence it sends a FAILURE message.

Vi1 LCP: I TERMREQ [Open] id 212 len 4
- Due to the authentication problem the DSL Agg device sends a TERMREQ (termination request) packet to drop the session.

Vi1 LCP: O TERMACK [Open] id 212 len 4
- Cisco router will ACK this via a TERMACK message.
Basically, credentials are not matching what the ISP has configured on their side. This is case sensitive, therefore an incorrect letter in the user/pass might cause this issue; the password could be different now, or basically this user does not exist in the "JUNOS" device (or the RADIUS server to which JUNOS redirects all AAA information).

----

From cmontero at bme.es Tue Mar 20 07:10:14 2012
From: cmontero at bme.es (Cipriano Montero, Infostock)
Date: Tue, 20 Mar 2012 11:10:14 -0000
Subject: [c-nsp] (no subject)
Message-ID: <00d601cd0686$5dd5cf10$19816d30$@bme.es>

As a Wireless ISP, we are trying to deliver PPPoE connections to our clients in a routed network. So, our first problem is to pass the PPPoE protocol through one or several Cisco routers.

Could somebody help us with this task?

Thanks very much in advance.

Thanks and regards,

Cipriano Montero
Tel: 924 808016 ext 5722.
cmontero at bme.es
Infostock Europa de Extremadura, S.A. | www.infostock.es

Legal notice: This electronic message contains information from Infostock Europa de Extremadura, S.A. (tax ID A-06253389) that is private and confidential and intended for the exclusive use of the person(s) or entity(ies) named above. If you are not the named recipient, be advised that any disclosure, copying, distribution or use of the contents is prohibited. If you have received this message in error, please delete its contents as soon as possible. Thank you. If you do not wish to receive further information about future communications we may send you, you may request this free of charge at the e-mail address infostock at infostock.es. Thank you.
Before printing this e-mail, think carefully about whether it is necessary: the environment is everyone's responsibility.

From lharrison at convergencegroup.co.uk Fri Mar 23 09:02:25 2012
From: lharrison at convergencegroup.co.uk (Leigh Harrison)
Date: Fri, 23 Mar 2012 13:02:25 -0000
Subject: [c-nsp] Spanning Tree Instances
Message-ID:

Hello all,

We have run into an issue on a 3750 switch where it has run out of spanning tree instances. Is this a limitation of PVST or is it a limitation of the switch? I can't seem to find good clarity anywhere.

I have some 6509's and Nexus 7k's and I'm wondering if they're going to suffer from the same fate...

Leigh

Leigh Harrison, CCIE#15331
Head of Design & Infrastructure
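The following is an added example for this archive, not code from any of the messages above. It models the CHAP exchange that the "Problems with PPP Auth" debug in Chad Burnham's message shows (CHALLENGE, RESPONSE, then SUCCESS or FAILURE from the aggregation device), and it parses a `debug ppp authentication`-style transcript into a verdict. The response calculation follows RFC 1994 (MD5 over Identifier, secret and Challenge Value), which is why the TAC note about case sensitivity holds: the secret is hashed as bytes, so "Secret" and "secret" cannot both succeed. The peer names, the secret table standing in for the ISP's RADIUS lookup, and the debug lines are constructed for the example.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, List, Tuple


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 MD5-CHAP response: MD5(Identifier || secret || Challenge Value).
    The secret is hashed as raw bytes, so it is case sensitive."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret.encode("utf-8") + challenge).digest()


class ChapAuthenticator:
    """Authenticator side (the DSL aggregation device in the thread). The
    name->secret table is a constructed stand-in for the ISP's RADIUS lookup."""

    def __init__(self, secrets: Dict[str, str]):
        self._secrets = secrets

    def new_challenge(self) -> bytes:
        return os.urandom(16)  # Challenge Value; must be unpredictable and unique

    def verify(self, ident: int, name: str, challenge: bytes, response: bytes) -> bool:
        secret = self._secrets.get(name)
        if secret is None:
            return False  # unknown Name -> FAILURE
        expected = chap_response(ident, secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare


def run_exchange(peer_name: str, peer_secret: str, auth: ChapAuthenticator, ident: int = 210) -> str:
    """Model the CHALLENGE / RESPONSE / SUCCESS-or-FAILURE round trip from the debug.
    Returns the CHAP code the peer would log as 'I SUCCESS' or 'I FAILURE'."""
    challenge = auth.new_challenge()                         # I CHALLENGE id <ident>
    response = chap_response(ident, peer_secret, challenge)  # O RESPONSE id <ident> from <peer_name>
    return "SUCCESS" if auth.verify(ident, peer_name, challenge, response) else "FAILURE"


# One packet event per line: '<intf> <proto>: <I|O> <PACKET-KIND> ...'. Lines such
# as 'Using hostname from interface CHAP' carry no packet and are skipped.
_EVENT_RE = re.compile(r"^(?P<intf>\S+) (?P<proto>CHAP|PAP|LCP): (?P<dir>[IO]) (?P<kind>[A-Z-]+)")


def classify_ppp_auth(debug_lines: List[str]) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Classify a PPP authentication debug transcript. Verdicts:
    'authenticated'     - peer sent CHAP SUCCESS or PAP AUTH-ACK
    'rejected_by_peer'  - we sent credentials and the peer answered FAILURE / AUTH-NAK
                          (wrong or case-mismatched secret, or unknown user on the far side)
    'no_response_sent'  - peer challenged, we never answered (e.g. method not configured locally)
    'incomplete'        - nothing conclusive in the transcript"""
    events: List[Tuple[str, str, str]] = []
    for line in debug_lines:
        m = _EVENT_RE.match(line.strip())
        if m:
            events.append((m["proto"], m["dir"], m["kind"]))
    seen = set(events)
    if ("CHAP", "I", "SUCCESS") in seen or ("PAP", "I", "AUTH-ACK") in seen:
        return "authenticated", events
    if ("CHAP", "I", "FAILURE") in seen or ("PAP", "I", "AUTH-NAK") in seen:
        return "rejected_by_peer", events
    if ("CHAP", "I", "CHALLENGE") in seen and ("CHAP", "O", "RESPONSE") not in seen:
        return "no_response_sent", events
    return "incomplete", events


# Constructed transcripts patterned on the debug in the thread (hostname changed).
FAILED_SESSION = [
    'Vi1 CHAP: I CHALLENGE id 210 len 33 from "JUNOS"',
    "Vi1 CHAP: Using hostname from interface CHAP",
    "Vi1 CHAP: Using password from interface CHAP",
    'Vi1 CHAP: O RESPONSE id 210 len 47 from "user@example.net"',
    "Vi1 CHAP: I FAILURE id 210 len 4",
    "Vi1 LCP: I TERMREQ [Open] id 212 len 4",
    "Vi1 LCP: O TERMACK [Open] id 212 len 4",
]
GOOD_SESSION = FAILED_SESSION[:4] + ["Vi1 CHAP: I SUCCESS id 210 len 4"]


if __name__ == "__main__":
    isp = ChapAuthenticator({"user@example.net": "Secret"})  # constructed secret table
    print(run_exchange("user@example.net", "Secret", isp))   # SUCCESS
    print(run_exchange("user@example.net", "secret", isp))   # FAILURE: case differs
    print(run_exchange("nobody@example.net", "Secret", isp))  # FAILURE: unknown Name
    for label, log in (("failed", FAILED_SESSION), ("good", GOOD_SESSION)):
        verdict, events = classify_ppp_auth(log)
        print(label, verdict, events)
```

The parser only sees what the debug prints; it cannot tell a wrong password from an unknown user, because CHAP FAILURE carries no reason code either way, which is exactly the position the thread describes. The hash model shows the other half: with a fresh random challenge per exchange, the only inputs under the CPE's control are Name and secret, so a FAILURE after a well-formed RESPONSE means one of those two no longer matches what the far end (or its RADIUS server) holds.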