[c-nsp] Re ASR9000 Multicast over P2MP TE tunnels
Hi Cydon,

We had a similar problem with XR. The setup was ng-mvpn, sender site XR, receiving site Juniper. What we found is the traffic is switched to p2mp-te but the counters are not reflecting this, so you might run into the same issue. Check:

- sh mrib mpls forwarding
- sh mrib route 232.11.11.11 detail, look for enc id
- sh mfib hardware encap id X location 0/0/CPU
- sh mpls forwarding p2mp -- counter increasing, wireshark confirms traffic is mapped to lsp

Relevant config in our setup:

multicast-routing
 address-family ipv4
  mdt source Loopback0
  rate-per-route
  interface all enable
  accounting per-prefix
 !
 vrf CST1
  address-family ipv4
   mdt source Loopback0
   mdt static p2mp-te tunnel-mte534
   rate-per-route
   interface all enable
   bgp auto-discovery p2mp-te
   !
   accounting per-prefix
  !
 !
router igmp
 vrf CST1
  interface tunnel-mte534
   static-group 232.100.100.15 10.3.183.3    <- route to src over GigabitEthernet0/0/0/2.158
  !
 !
!
interface tunnel-mte534
 ipv4 unnumbered Loopback0
 destination 10.20.3.3
  path-option 2 dynamic
 !
 destination 10.20.4.4
  path-option 1 dynamic
 !
!

sh pim vrf CST1 topology
(10.3.183.3,232.100.100.15)SPT SSM Up: 09:02:31 JP: Join(00:00:06)
RPF: GigabitEthernet0/0/0/2.158,10.3.58.8 Flags: MT join sent to source
  tunnel-mte534    09:02:31  fwd LI LH

Traffic mapping to lsp is working.

Another test we did is to have the XR as a receiver; the p2mp tunnel is building, but as you said no LSP-VIF interface, thus the rpf check will fail. I never got it to work as advertised and ended up using mldp.

Hope this helps.

Catalin Petrescu

From: Cydon Satyr cydonsa...@gmail.com
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ASR9000 Multicast over P2MP TE tunnels

Hello experts.

I'm trying to map multicast traffic to RSVP-TE tunnel, without success. I'm not quite sure what I might be missing (I think it's all there).

Topology is simple:

155.1.1.0/24--Gi0/0/0/0.110 XR1 --MPLS-- XR2 ---Gi0/0/0/0.150

Here's the config (the relevant stuff - there's a whole RSVP-TE topology already working under it):

HEADEND (asr9k)
---------------
interface tunnel-mte1000
 ipv4 unnumbered Loopback0
 load-interval 30
 destination 2.2.2.2
  path-option 10 dynamic
 !
 destination 3.3.3.3
  path-option 10 dynamic
 !
 path-selection metric igp
 affinity ignore
!
multicast-routing
 address-family ipv4
  interface tunnel-mte1000
   enable
router igmp
 interface tunnel-mte1000
  static-group 232.11.11.11 155.1.1.104
!

TAILEND (asr9k)
---------------
multicast-routing
 address-family ipv4
  core-tree-protocol rsvp-te group-list acl-232
  static-rpf 155.1.1.104 32 mpls 1.1.1.1
router igmp
 interface GigabitEthernet0/0/0/0.150
  static-group 232.11.11.11 155.1.1.104

Tunnel is up, I'm trying to ping from 155.1.1.104 which is connected directly to HEADEND router.

show mrib route 232.11.11.11 | begin \(
Tue Jul 1 17:29:01.984 UTC
(155.1.1.104,232.11.11.11) RPF nbr: 155.1.1.104 Flags: EID
  Up: 05:35:59
  Incoming Interface List
    GigabitEthernet0/0/0/0.110 Flags: A, Up: 01:19:08
  Outgoing Interface List
    tunnel-mte1000 Flags: F NS LI LVIF, Up: 01:18:30

However, no traffic seems to pass through the tunnel.

show mfib interface tunnel-mte 1000
Tue Jul 1 17:30:41.257 UTC
Interface : tunnel-mte1000 (Enabled)
SW Mcast pkts in : 0, SW Mcast pkts out : 0
TTL Threshold : 0
Ref Count : 5

Any chance you could give me a pointer to where I might be wrong? As a side note, I don't see the LSP-VIF interface coming up on the tailend router.

Best Regards!

_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Cisco IP nat question
You can use an ACL to let IOS know which addresses to translate. So an ACL which reads ANY to 172.16.144.0/20 - then source NAT to the interface.

Thanks
Darren
http://www.mellowd.co.uk/ccie

Date: Tue, 1 Jul 2014 14:48:26 -0700
From: mike-cisconspl...@tiedyenetworks.com
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco IP nat question

I have a 7201 connected to network 172.16.144.0/20, and its interface is 172.16.144.1 (gi0/1, for example). I was wondering how I might arrange things so that any source address - inbound to 172.16.144.0/20 - is natted with a source address of 172.16.144.1? The clients are dumb and default route doesn't work for them (they have multiple and can't pick the right one), so sourcing all traffic FROM 172.16.144.1 would let me talk to them all. I do not care about the other direction, just inbound.

Thank you.

Mike-
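An added, constructed IOS config for the scenario Darren describes (not his or Mike's actual config); the uplink interface GigabitEthernet0/0 and the ACL name are assumptions, only the 7201, gi0/1 and 172.16.144.0/20 come from the thread:

```cisco
! Constructed example, not from the original posts.
! Assumption: gi0/1 faces the 172.16.144.0/20 clients, gi0/0 is where
! the traffic that must reach them arrives.
!
! Only flows whose destination is the client block are translated.
ip access-list extended NAT-TO-CLIENTS
 permit ip any 172.16.144.0 0.0.15.255
!
! "inside source" rewrites the SOURCE of packets travelling from an
! "ip nat inside" interface to an "ip nat outside" interface. To get a
! source of 172.16.144.1 the client-facing interface must therefore be
! the NAT *outside*. "overload" (PAT) lets every source share that one
! address, which is what the question asks for.
ip nat inside source list NAT-TO-CLIENTS interface GigabitEthernet0/1 overload
!
interface GigabitEthernet0/0
 description uplink - sources that need to reach the clients (assumed)
 ip nat inside
!
interface GigabitEthernet0/1
 description 172.16.144.0/20 client LAN
 ip address 172.16.144.1 255.255.240.0
 ip nat outside
!
! Traffic the clients originate towards gi0/0 is not matched by an
! inside->outside translation, so the other direction is left alone,
! as Mike wanted. Check with:
!   show ip nat translations
!   show ip nat statistics
```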
Re: [c-nsp] Re ASR9000 Multicast over P2MP TE tunnels
On Wednesday, July 02, 2014 09:18:43 AM Catalin Petrescu wrote:

> Another test we did is to have the xr as a receiver, the p2mp tunnel is building, but as you said no LSP-VIF interface, thus the rpf check will fail. I never got it to work as advertised and ended up using mldp.

I know Cisco were pushing mLDP more than p2mp RSVP-TE. However, they have had p2mp RSVP-TE support for a while now, and I even know of inter-op tests between an ASR9000 and an MX480 that work. Perhaps best to open a case.

That said, I'm also in favour of mLDP these days. It's simpler and just as effective for general Multicast use-cases.

Mark.
Re: [c-nsp] Re ASR9000 Multicast over P2MP TE tunnels
Thanks. Yeah, mLDP is nicer for mvpn. We're playing/experimenting with P2MP tunnels for IPTV and with FRR protection. So, what I'm trying to do is map global multicast traffic to P2MP, not vrf traffic. I'm not seeing anything going through. I wanted to check if anyone has configured this before in case I indeed missed some commands.

Regards
Re: [c-nsp] Re ASR9000 Multicast over P2MP TE tunnels
Hi,

I think you are referring to this test http://www.eantc.de/fileadmin/eantc/downloads/events/2011-2015/MPLSEWC2013/EANTC-MPLSEWC2013-WhitePaper-5.1.pdf, page 12 goes into detail about the issues and fixes. For the 1st problem this is fixed on jnp with mvpn-iana-rt-import. Need to load up the lab again to look into the second one. The paper doesn't say what version they are running on asr; as per cisco documentation only static configuration is available, thus only S-PMSI is advertised, at least in 4.3.2.

Regards,
Catalin Petrescu
Re: [c-nsp] Re ASR9000 Multicast over P2MP TE tunnels
On Wednesday, July 02, 2014 10:42:29 AM Cydon Satyr wrote:

> Yeah mLDP is nicer for mvpn. We're playing/experimenting with P2MP tunnels for IPTV and with FRR protection.

I originally used p2mp RSVP-TE for IPTv, but I'm also comfortable using mLDP for IPTv as well. There is work ongoing to add LFA support to mLDP, and in that case, the FRR argument for keeping IPTv on p2mp RSVP-TE will be out the window.

That said, I've been happy with convergence times using hardware-assisted BFD, which would make pre-mLDP-LFA scenarios workable, considering how well mLDP scales and how much more complex p2mp RSVP-TE is to configure in large networks.

Mark.
Re: [c-nsp] Re ASR9000 Multicast over P2MP TE tunnels
On Wednesday, July 02, 2014 10:47:14 AM Catalin Petrescu wrote:

> I think you are referring to this test http://www.eantc.de/fileadmin/eantc/downloads/events/2011-2015/MPLSEWC2013/EANTC-MPLSEWC2013-WhitePaper-5.1.pdf,

No, not that test. The test I'm talking about is in a live operator. But thanks for the link, anyway :-).

> The paper doesn't say what version they are running on asr as per cisco documentation only static configuration is available thus only S-PMSI is advertised at least in 4.3.2.

I ran a PoC in Raleigh at the end of last year with Cisco, and they supported both I- and S-PMSI on the ASR9000.

Par-for-par, I'm now satisfied with using an ASR9000 as a video-enabled edge router. The only reason we always stuck to Juniper, until now, is because they had a working NG-MVPN implementation. Cisco have now come to the party, both in terms of p2mp RSVP-TE and mLDP. So they are certainly on my radar if we need to deploy edge routers.

Mark.
Re: [c-nsp] IPv6 duplicate address
On Jul 1, 2014, at 2:53 PM, Mark Tinka mark.ti...@seacom.mu wrote:

> I remember this was happening on IOS XR in 3.9 and 4.0.x, when Ethernet ports were looped for testing, and after the loop is cleared, DAD keeps IPv6 from working until manual intervention or a reboot.

Had the same happening each time we looped for debugging. "clear ipv6 duplicate address [interface]" saves the day.

This is one of the main motivations behind http://tools.ietf.org/html/draft-ietf-6man-enhanced-dad, which suggests a nonce to be added to the ND for loop detection. The other use case is detecting when someone plugs two cable modems' LAN interfaces together (nice way to blow up the LL on the CMTS!).

/JF
Re: [c-nsp] I need to limit BW ASR9K
On 02/07/14 08:59, Elizabeth Millan Castaño wrote:

Kind regards,

I have the following problem in a Cisco ASR9K. I need to limit the BW of a Bundle-Ethernet interface to 1075Mbps. This Bundle is a LACP made with two giga-ethernet interfaces. I've applied a policy-map with rate 1075Mbps. (See Configuration).

policy-map BW_Internet_IXA
 class class-default
  police rate 1075 mbps
   conform-action transmit
   exceed-action drop
 end-policy-map

The Cisco ASR9K shows the following errors.

!! SEMANTIC ERRORS: This configuration was rejected by
!! the system due to semantic errors. The individual
!! errors with each failed configuration command can be
!! found below.

interface Bundle-Ether2
 service-policy input BW_Internet_IXA
!!% 'qos-lib' detected the 'warning' condition 'MQC: Policer conform rate is greater than the reference parent bandwidth'
 service-policy output BW_Internet_IXA
!!% 'qos-lib' detected the 'warning' condition 'MQC: Policer conform rate is greater than the reference parent bandwidth'
!
end

What's missing in the configuration? Do I have to change my interfaces to one Tengiga?

Sincerely,
Elizabeth Millán Castaño
Re: [c-nsp] I need to limit BW ASR9K
You may want to use percentage-based policing on bundle-ethernet interfaces as it will avoid this particular warning/defect.

- Jared
[c-nsp] ME1200-4s-a
Anybody using the ME1200? I was unable to get into my temp loaner in my lab and tried to break into it. I was able to, but now I've somehow got it stuck in some lower level boot prompt. Anybody know how to tell it to load IOS and skip the configuration file?

Aaron

RedBoot> help
Manage aliases kept in FLASH memory
   alias name [value]
Set/Query the system console baud rate
   baudrate [-b rate]
Manage machine caches
   cache [ON | OFF]
Display/switch console channel
   channel [channel number]
Compute a 32bit checksum [POSIX algorithm] for a range of memory
   cksum -b location -l length
Show calculated ddr parameters
   ddrparams
Run Power-On-Self-Test
   -q: Quiet operation
   -a: Run all tests
   -t: Run TCAM self-test
   -d: Run DDR SDRAM test
   -k: Run DDR SDRAM test continuously (Keep going)
   -p: Run tests according to POST configuration
   diag [-q] [-a] [-t] [-d] [-h] [-p]
Display (hex dump) a range of memory
   dump -b location [-l length] [-s] [-1|-2|-4]
Execute an image
   exec [-b argv addr] [-c kernel command line] [-w timeout] [entry point]
Manage FLASH images
   fis {cmds}
Manage configuration kept in FLASH memory
   fconfig [-i] [-l] [-n] [-f] [-d] | [-d] nickname [value]
Execute code at a location
   go [-w timeout] [-c] [entry]
Uncompress GZIP compressed data
   gunzip -s location -d location
Help about help?
   help [topic]
Display command history
   history
Utility to migrate FIS layout
   -l: List (desired) layout
   -u: Do update
   layout [-l] [-u]
Load a file
   load [-r] [-v] [-d] [-m varies] [-b base_address] file_name
Compare two blocks of memory
   mcmp -s location -d location -l length [-1|-2|-4]
Copy memory from one address to another
   mcopy -s location -d location -l length [-1|-2|-4]
Fill a block of memory with a pattern
   mfill -b location -l length -p pattern [-1|-2|-4]
Relocate RAM image and boot it
   ramload ram-address
Reset the system
   reset
Display RedBoot version information
   version
Display (hex dump) a range of memory
   x -b location [-l length] [-s] [-1|-2|-4]
RedBoot> version

RedBoot(tm) bootstrap and debug environment [ROMRAM]
Non-certified release, version 1_11_Vitesse - built 16:55:53, Jan 2 2014

Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009
Free Software Foundation, Inc.
RedBoot is free software, covered by the eCos license, derived from the
GNU General Public License. You are welcome to change it and/or distribute
copies of it under certain conditions. Under the license terms, RedBoot's
source code and full license terms must have been made available to you.
Redboot comes with ABSOLUTELY NO WARRANTY.

Platform: SANDINO (MIPS32 24KEc) SERVAL
RAM: 0x8000-0xa000 [0x800223b0-0x9ffdfffc available]
FLASH: 0x4000-0x41ff, 512 x 0x1 blocks
FLASH: 0x4200-0x43ff, 512 x 0x1 blocks
Re: [c-nsp] I need to limit BW ASR9K
When you do a show bundle-ether 2, does the output say both members are in an active state?

RP/0/RSP0/CPU0:IOS-XR-2#show int bundle-ether 2
..
..
No. of members in this bundle: 2
  GigabitEthernet0/0/0/1 Full-duplex 1000Mb/s Active
  GigabitEthernet0/1/0/1 Full-duplex 1000Mb/s Standby

In LACP mode, one is active, the other is standby, so the total bandwidth available is only 1gig. Maybe convert it to an EtherChannel?
Re: [c-nsp] I need to limit BW ASR9K
On Wed, Jul 02, 2014 at 08:46:11AM -0600, Scott Miller wrote:

> When you do a show bundle-ether 2, does the output say both members are in an active state?
>
> RP/0/RSP0/CPU0:IOS-XR-2#show int bundle-ether 2
> ..
> ..
> No. of members in this bundle: 2
>   GigabitEthernet0/0/0/1 Full-duplex 1000Mb/s Active
>   GigabitEthernet0/1/0/1 Full-duplex 1000Mb/s Standby
>
> In LACP mode, one is active, the other is standby, so the total bandwidth available is only 1gig. Maybe convert it to an EtherChannel?

When doing QoS on bundle interfaces, the policies are applied to the member links. So if you want to rate limit a bundle you have to do some basic math or use a percentage as Jared suggested.

http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r4-2/qos/configuration/guide/b_qos_cg421asr/b_qos_cg421asr_chapter_01000.html#ID105

"When a QoS policy is applied on a bundle (ingress or egress directions), the policy is applied at each member interface. Any queues and policers in the policy map (ingress or egress directions) will be replicated on each bundle member."
Re: [c-nsp] I need to limit BW ASR9K
When you do a show bundle-ether 2, this is the output. Thanks.

#sh interfaces bundle-ether 2
Wed Jul 2 09:50:33.419 gmt
Bundle-Ether2 is up, line protocol is up
  Interface state transitions: 3
  MTU 9216 bytes, BW 200 Kbit (Max: 200 Kbit)
     reliability 255/255, txload 11/255, rxload 84/255
  Encapsulation ARPA, Full-duplex, 2000Mb/s
  No. of members in this bundle: 2
    GigabitEthernet0/0/0/4 Full-duplex 1000Mb/s Active
    GigabitEthernet0/0/0/5 Full-duplex 1000Mb/s Active
[c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco Unified Communications Domain Manager
Multiple Vulnerabilities in Cisco Unified Communications Domain Manager

Advisory ID: cisco-sa-20140702-cucdm
Revision 1.0
For Public Release 2014 July 2 16:00 UTC (GMT)

Summary
=======

Cisco Unified Communications Domain Manager (Cisco Unified CDM) is affected by the following vulnerabilities:

- Cisco Unified Communications Domain Manager Privilege Escalation Vulnerability
- Cisco Unified Communications Domain Manager Default SSH Key Vulnerability
- Cisco Unified Communications Domain Manager BVSMWeb Unauthorized Data Manipulation Vulnerability

Successful exploitation of the Cisco Unified Communications Domain Manager Privilege Escalation Vulnerability or of the Cisco Unified Communications Domain Manager Default SSH Key Vulnerability may allow an attacker to execute arbitrary commands or obtain privileged access to the affected system.

Successful exploitation of the Cisco Unified Communications Domain Manager BVSMWeb Unauthorized Data Manipulation Vulnerability may allow an attacker to access and modify BVSMWeb portal user information such as settings in the personal phone directory, speed dials, Single Number Reach, and call forward settings.

Cisco has released free software updates that address the Cisco Unified Communications Domain Manager Privilege Escalation Vulnerability and the Cisco Unified Communications Domain Manager Default SSH Key Vulnerability. Cisco will provide a free software update for the Cisco Unified Communications Domain Manager BVSMWeb Unauthorized Data Manipulation Vulnerability as soon as the fix is available.

Workarounds that mitigate these vulnerabilities are not available. Customers that are concerned about the Cisco Unified Communications Domain Manager BVSMWeb Unauthorized Data Manipulation Vulnerability may apply the mitigation detailed in the Workarounds section of this advisory.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140702-cucdm
[c-nsp] MEF CE (1.0/2.0) Services Certification
Anyone out there had to certify their network or another network for MEF CE 1.0/2.0? My company wants me to get our network svc's certified. I've already had the initial phone con with MEF and the subsequent phone con with MEF's 3rd party testing facility (Iometrix) and am moving forward slowly but surely.

I will be attempting to certify MEF CE Services via my ASR9k, ME3600, ASR901 and Calix GPON FTTH systems.

Any words of wisdom on challenges you faced along the way and how you overcame those challenges would be greatly appreciated.

Aaron
Re: [c-nsp] ASA5512x VPN route issue
One final reply on this. All works if you set up everything as described in the link you provided, Ulrik. The issue we had was caused by the remote side of the IPsec tunnel ACL not allowing access for the VPN clients' IP block.

Thanks again.

-Lee

On Tue, Jul 1, 2014 at 4:43 PM, Lee Starnes lee.t.star...@gmail.com wrote:

> Thanks Ulrik. Confirmed that how that shows to set up is how I have it, but still can't pass traffic. I suspect the remote office might be filtering it. This was a cutover from a Fortinet to an ASA, but the other side is still a Fortinet when they created the new tunnel. Great link. Thanks for the help.
>
> -Lee
>
> On Tue, Jul 1, 2014 at 12:58 AM, Ulrik Ivers ulrik.iv...@excanto.se wrote:
>
>> Hi,
>>
>> Two things to check:
>>
>> 1. Make sure you have the following in the config:
>>    same-security-traffic permit intra-interface
>>
>> 2. Make sure you have the NAT rules configured correctly so that the traffic between the VPN clients and the remote LAN is NOT translated (or in fact is NAT:ed to itself). Also, the order of the NAT rules is important.
>>
>> Here's a pretty good writeup:
>> http://packetpushers.net/cisco-asa-8-38-4-hairpinning-nat-configuration/
>>
>> /Ulrik
>>
>> -----Original Message-----
>> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Lee Starnes
>> Sent: 30 June 2014 23:23
>> To: cisco-nsp@puck.nether.net
>> Subject: [c-nsp] ASA5512x VPN route issue
>>
>> Hello,
>>
>> We just set up a new ASA 5512x running v9.1(2). We have about 30 remote Anyconnect SSL vpns and an IPSec tunnel to a remote LAN. We have been able to get all the VPN connections up and passing traffic such that remote VPNs can reach the LOCAL LAN, the LOCAL LAN can reach the REMOTE LAN, and the VPNs can get Internet access via NAT. The one thing we can't seem to get working is the VPNs reaching the REMOTE LAN. The REMOTE LAN does know about these IP blocks. Doing a packet-tracer, it hangs on the following.
>>
>> Phase: 7
>> Type: WEBVPN-SVC
>> Subtype: in
>> Result: DROP
>> Config:
>> Additional Information:
>> Forward Flow based lookup yields rule:
>> in id=0x7fffa08adb40, priority=70, domain=svc-ib-tunnel-flow, deny=false
>>   hits=450, user_data=0x39000, cs_id=0x0, reverse, flags=0x0, protocol=0
>>   src ip/id=192.168.95.7, mask=255.255.255.255, port=0, tag=0
>>   dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
>>   input_ifc=outside, output_ifc=any
>>
>> Result:
>> input-interface: outside
>> input-status: up
>> input-line-status: up
>> output-interface: inside
>> output-status: up
>> output-line-status: up
>> Action: drop
>> Drop-reason: (acl-drop) Flow is denied by configured rule
>>
>> VPN clients are in 192.168.95.0/24
>> LAN is on 10.158.95.0/24
>> REMOTE LAN is on 10.158.58.0/24
>>
>> VPN clients are set up to tunnel all traffic.
>>
>> Any idea where to look to resolve this one issue?
>>
>> -Lee
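An added, constructed ASA 9.1 config that puts Ulrik's two checks and Lee's final finding together for this thread's address blocks (not Lee's or Ulrik's actual config); the object and ACL names are assumptions, and the matching change on the remote Fortinet is out of scope here:

```cisco
! Constructed example, not from the original posts.
! Addresses from the thread: AnyConnect pool 192.168.95.0/24,
! local LAN 10.158.95.0/24, L2L remote LAN 10.158.58.0/24.
! Both the clients and the L2L tunnel terminate on "outside".
!
! 1. Let a flow enter and leave the same interface (outside -> outside),
!    otherwise the hairpin is dropped before routing.
same-security-traffic permit intra-interface
!
object network VPN-CLIENTS
 subnet 192.168.95.0 255.255.255.0
object network REMOTE-LAN
 subnet 10.158.58.0 255.255.255.0
object network LOCAL-LAN
 subnet 10.158.95.0 255.255.255.0
!
! 2. Identity (twice) NAT: client -> remote LAN keeps its real addresses,
!    so the flow still matches the crypto ACL. Line 1 puts it ahead of any
!    dynamic PAT for the clients' Internet access, which would otherwise
!    win and rewrite the source to the outside address.
nat (outside,outside) 1 source static VPN-CLIENTS VPN-CLIENTS destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
!
! The clients' Internet PAT (tunnel-all) stays below it, for example:
nat (outside,outside) source dynamic VPN-CLIENTS interface
!
! 3. The L2L crypto ACL must list the client block as well as the local
!    LAN, and the remote peer's proxy-ID / policy must mirror both entries.
!    The missing remote-side entry was the actual cause in this thread.
access-list L2L-REMOTE extended permit ip object LOCAL-LAN object REMOTE-LAN
access-list L2L-REMOTE extended permit ip object VPN-CLIENTS object REMOTE-LAN
!
! Verify from a client's point of view; the Phase that drops (NAT, VPN
! encrypt, or ACL) tells you which of the three steps is still wrong:
! packet-tracer input outside tcp 192.168.95.7 12345 10.158.58.10 443 detailed
```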