[c-nsp] EOMPLS between 10G subinterface and GE subinterface between two 7600
Hello group,

I try to create an EOMPLS VLAN mode circuit between one 10G subinterface and GE interface between two 7600 as PE. Here is my config:

PE1:

sh running-config interface TenGigabitEthernet7/3.999
Building configuration...

Current configuration : 141 bytes
!
interface TenGigabitEthernet7/3.999
 description TEST_EOMPLS
 encapsulation dot1Q 999
 xconnect 172.25.231.68 encapsulation mpls
end

show mpls l2transport vc detail
Local interface: Te7/3.999 up, line protocol up, Eth VLAN 999 up
  MPLS VC type is Eth VLAN, interworking type is Ethernet
  Destination address: 172.25.231.68, VC ID: , VC status: up
    Output interface: Te4/2, imposed label stack {5673 54}
    Preferred path: not configured
    Default path: active
    Next hop: 95.77.36.45
  Create time: 00:04:21, last status change time: 00:04:21
  Signaling protocol: LDP, peer 172.25.231.68:0 up
    Targeted Hello: 172.25.224.1(LDP Id) -> 172.25.231.68
    MPLS VC labels: local 1244, remote 54
    Group ID: local 0, remote 0
    MTU: local 1500, remote 1500
    Remote interface description: EOMPLS TEST
  Sequencing: receive disabled, send disabled
  VC statistics:
    packet totals: receive 4, send 0
    byte totals:   receive 240, send 0
    packet drops:  receive 0, send 0

PE2:

sh running-config interface Gi2/2.999
Building configuration...

Current configuration : 137 bytes
!
interface GigabitEthernet2/2.999
 description EOMPLS TEST
 encapsulation dot1Q 999
 xconnect 172.25.224.1 encapsulation mpls
end

#show mpls l2transport vc detail
Local interface: Gi2/2.999 up, line protocol up, Eth VLAN 999 up
  MPLS VC type is Eth VLAN, interworking type is Ethernet
  Destination address: 172.25.224.1, VC ID: , VC status: up
    Output interface: Vl894, imposed label stack {2488 1244}
    Preferred path: not configured
    Default path: active
    Next hop: 85.186.212.133
  Create time: 00:10:07, last status change time: 00:03:49
  Signaling protocol: LDP, peer 172.25.224.1:0 up
    Targeted Hello: 172.25.231.68(LDP Id) -> 172.25.224.1
    MPLS VC labels: local 54, remote 1244
    Group ID: local 0, remote 0
    MTU: local 1500, remote 1500
    Remote interface description: TEST_EOMPLS
  Sequencing: receive disabled, send disabled
  VC statistics:
    packet totals: receive 0, send 9
    byte totals:   receive 0, send 576
    packet drops:  receive 0, send 0

It seems that on PE1 side I only receive but not send any VCs frames:

  VC statistics:
    packet totals: receive 4, send 0
    byte totals:   receive 240, send 0
    packet drops:  receive 0, send 0

CE1 is a Juniper and it is learning ARP from other CE:

show configuration interfaces xe-3/1/0
enable;
flexible-vlan-tagging;
link-mode full-duplex;
encapsulation flexible-ethernet-services;
gigether-options {
    no-auto-negotiation;
}
unit 999 {
    vlan-id 999;
    family inet {
        address 150.1.1.2/30;
    }
}

ping 150.1.1.1 source 150.1.1.2
PING 150.1.1.1 (150.1.1.1): 56 data bytes
^C
--- 150.1.1.1 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss

{master}
show arp no-resolve | match xe-3/1/0
00:25:45:a5:fe:a2 150.1.1.1 xe-3/1/0.999 none

CE2 is not learning arp from CE1

CE2:
interface GigabitEthernet2/2
 description Link to PE2-EOMPLS
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 999
 switchport mode trunk

sh running-config interface vlan 999
Building configuration...

Current configuration : 63 bytes
!
interface Vlan999
 ip address 150.1.1.1 255.255.255.252
end

#ping 150.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.1.2, timeout is 2 seconds:
.
Success rate is 0 percent (0/5)

#sh ip arp Vlan999
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  150.1.1.1               -   0016.9c6d.4280  ARPA   Vlan999
Internet  150.1.1.2               0   Incomplete      ARPA

Have you tried such a setup? Could you send me an example?

Thank you,
John

_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
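The counters in the two `show mpls l2transport vc detail` outputs above are the useful signal: PE1 never sends into the VC while PE2 never receives, which points at PE1's attachment circuit rather than the MPLS core. As an added example (not from the thread), the script below parses both PEs' output, cross-checks labels, MTU and status, and flags that pattern. The two sample outputs are constructed from the values posted for Te7/3.999 and Gi2/2.999, trimmed to the fields the parser reads.

```python
"""Cross-check both ends of an EoMPLS pseudowire from
'show mpls l2transport vc detail' output (added example, constructed input)."""
import re

# Constructed from the PE1 output in the post (Te7/3.999).
PE1_VC_DETAIL = """\
Local interface: Te7/3.999 up, line protocol up, Eth VLAN 999 up
  MPLS VC type is Eth VLAN, interworking type is Ethernet
  Destination address: 172.25.231.68, VC status: up
  Signaling protocol: LDP, peer 172.25.231.68:0 up
    MPLS VC labels: local 1244, remote 54
    Group ID: local 0, remote 0
    MTU: local 1500, remote 1500
  VC statistics:
    packet totals: receive 4, send 0
    byte totals:   receive 240, send 0
    packet drops:  receive 0, send 0
"""

# Constructed from the PE2 output in the post (Gi2/2.999).
PE2_VC_DETAIL = """\
Local interface: Gi2/2.999 up, line protocol up, Eth VLAN 999 up
  MPLS VC type is Eth VLAN, interworking type is Ethernet
  Destination address: 172.25.224.1, VC status: up
  Signaling protocol: LDP, peer 172.25.224.1:0 up
    MPLS VC labels: local 54, remote 1244
    Group ID: local 0, remote 0
    MTU: local 1500, remote 1500
  VC statistics:
    packet totals: receive 0, send 9
    byte totals:   receive 0, send 576
    packet drops:  receive 0, send 0
"""

# Field name -> (regex with one capture group, cast); patterns follow the
# field labels IOS prints in the output above.
_FIELDS = {
    "interface":    (r"Local interface:\s+(\S+)", str),
    "status":       (r"VC status:\s+(\w+)", str),
    "label_local":  (r"MPLS VC labels:\s+local (\d+)", int),
    "label_remote": (r"MPLS VC labels:\s+local \d+, remote (\d+)", int),
    "mtu_local":    (r"MTU:\s+local (\d+)", int),
    "mtu_remote":   (r"MTU:\s+local \d+, remote (\d+)", int),
    "pkt_rx":       (r"packet totals:\s+receive (\d+)", int),
    "pkt_tx":       (r"packet totals:\s+receive \d+, send (\d+)", int),
    "drop_rx":      (r"packet drops:\s+receive (\d+)", int),
    "drop_tx":      (r"packet drops:\s+receive \d+, send (\d+)", int),
}


def parse_vc_detail(text):
    """Extract the fields in _FIELDS from one PE's VC detail output."""
    vc = {}
    for name, (pattern, cast) in _FIELDS.items():
        m = re.search(pattern, text)
        if m is None:
            raise ValueError(f"field {name!r} not found in VC detail output")
        vc[name] = cast(m.group(1))
    return vc


def diagnose(a, b):
    """Compare both ends of one pseudowire; return a list of (code, where).

    An empty list means status, labels and MTU agree and frames flow both ways.
    """
    findings = []
    for vc in (a, b):
        if vc["status"] != "up":
            findings.append(("vc_not_up", vc["interface"]))
    # Each side's local label must be what the other side learned as remote.
    if a["label_local"] != b["label_remote"] or b["label_local"] != a["label_remote"]:
        findings.append(("label_mismatch", f"{a['interface']}<->{b['interface']}"))
    if a["mtu_local"] != b["mtu_local"]:
        findings.append(("mtu_mismatch", f"{a['interface']}<->{b['interface']}"))
    for vc in (a, b):
        if vc["drop_rx"] or vc["drop_tx"]:
            findings.append(("vc_drops", vc["interface"]))
    # Heuristic from the thread: VC up, the far end is sending, yet this end has
    # never sent a frame into the VC and the far end has received none. LDP and
    # the core are fine; frames are not entering this end's attachment circuit,
    # so the CE and AC on this side are where to look.
    for near, far in ((a, b), (b, a)):
        if near["pkt_tx"] == 0 and far["pkt_rx"] == 0 and far["pkt_tx"] > 0:
            findings.append(("no_frames_from_attachment_circuit", near["interface"]))
    return findings


if __name__ == "__main__":
    pe1, pe2 = parse_vc_detail(PE1_VC_DETAIL), parse_vc_detail(PE2_VC_DETAIL)
    for code, where in diagnose(pe1, pe2):
        print(f"{code}: {where}")
```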
Re: [c-nsp] EOMPLS between 10G subinterface and GE subinterface between two 7600
Hello,

We run EOMPLS on port and vlan mode on GE interfaces but we did not run EOMPLS Vlan mode between 10G and 1G subinterfaces until now.

Any feedback is appreciated.

Thank you,
John

On Wed, Feb 17, 2010 at 10:43 AM, Mikael Abrahamsson swm...@swm.pp.se wrote:
> On Wed, 17 Feb 2010, Ioan Branet wrote:
>
> You should answer to the list, answering just to me doesn't make much sense.
>
> SRB4 is buggy, stop running it. Try latest SRB (SRB6 or 7, I don't remember), or go SRD3 or later.
>
>> Hello,
>>
>> We are running on both PEs the following:
>>
>> sh ver | i IOS
>> Cisco IOS Software, c7600s72033_rp Software (c7600s72033_rp-ADVIPSERVICESK9-M), Version 12.2(33)SRB4, RELEASE SOFTWARE (fc3)
>>
>> 10G card on PE1 is:
>>
>> show module 7
>> Mod Ports Card Type                              Model              Serial No.
>> --- ----- -------------------------------------- ------------------ -----------
>>   7    4  CEF720 4 port 10-Gigabit Ethernet      WS-X6704-10GE      SAL1337YN4W
>>
>> and 1G on PE2 is:
>>
>> ro-sv01a-rd2#show module 2
>> Mod Ports Card Type                              Model              Serial No.
>> --- ----- -------------------------------------- ------------------ -----------
>>   2   24  CEF720 24 port 1000mb SFP              WS-X6724-SFP       SAL1005CBXG
>>
>> Mod MAC addresses                       Hw    Fw           Sw           Status
>> --- --------------------------------- ----- ------------ ------------ -------
>>   2  0016.c8c4.fc10 to 0016.c8c4.fc27  2.3   12.2(14r)S5  12.2(33)SRB4 Ok
>>
>> Mod Sub-Module                  Model              Serial       Hw     Status
>> --- --------------------------- ------------------ ------------ ------ -------
>>   2 Centralized Forwarding Card WS-F6700-CFC       SAL1014J60S  2.0    Ok
>>
>> Mod Online Diag Status
>> --- -------------------
>>   2 Pass
>>
>> Thank you,
>> John
>>
>> On Wed, Feb 17, 2010 at 10:27 AM, Mikael Abrahamsson swm...@swm.pp.se wrote:
>>> On Wed, 17 Feb 2010, Ioan Branet wrote:
>>>
>>>> GE interface between two 7600 as PE.
>>>
>>> You forgot to include what software you're running.
>>>
>>> --
>>> Mikael Abrahamsson    email: swm...@swm.pp.se
>
> --
> Mikael Abrahamsson    email: swm...@swm.pp.se
[c-nsp] netiquette
Since this has now happened to me TWICE in 24 hours, I feel I need to post this because it seems enough people don't know about it:

http://lowendmac.com/lists/netiquette.shtml

Never post private (off-list) correspondence to the list without the permission of the sender.

--
Mikael Abrahamsson    email: swm...@swm.pp.se
Re: [c-nsp] EOMPLS between 10G subinterface and GE subinterface between two 7600
I'm running EoMPLS between 10GE subif and 1GE subif without any problem.

7600-a#sh mpls l2 vc 3601
Local intf     Local circuit              Dest address    VC ID      Status
-------------  -------------------------  --------------- ---------- ----------
Gi4/20.3601    Eth VLAN 3601              x.x.x.x         3601       UP

7600-b#sh mpls l2 vc 3601
Local intf     Local circuit              Dest address    VC ID      Status
-------------  -------------------------  --------------- ---------- ----------
Te3/2.3601     Eth VLAN 3601              x.x.x.x         3601       UP

Both 7600s are running SRD3.

--
Tassos

Ioan Branet wrote on 17/02/2010 10:49:
> Hello,
>
> We run EOMPLS on port and vlan mode on GE interfaces but we did not run EOMPLS Vlan mode between 10G and 1G subinterfaces until now.
>
> Any feedback is appreciated.
>
> Thank you,
> John
Re: [c-nsp] Controlling allowed VLANs, alternatives?
On 02/16/2010 10:21 PM, Randy McAnally wrote:
> Nothing wrong...it's exactly what I needed. Long hours of coding make me overlook these kinds of things and I really appreciate the added eyes of the community :)

FWIW we define an alias:

alias interface tagvlan switchport trunk allowed vlan add
alias interface detagvlan switchport trunk allowed vlan remove

...and use:

int Gi1/1
 tagvlan 100
 detagvlan 200-299,310

...because forgetting that add and remove can do really really really bad things...
Re: [c-nsp] netiquette
Thanks.

So if I post a question to cisco-nsp@puck.nether.net and t...@gmail.com answer to me directly, I can't reply to the mailing list but only to tom? Even if the message is only about technical stuff?

Marco

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mikael Abrahamsson
Sent: Wednesday, 17 February 2010 09:54
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] netiquette

Since this has now happened to me TWICE in 24 hours, I feel I need to post this because it seems enough people don't know about it:

http://lowendmac.com/lists/netiquette.shtml

Never post private (off-list) correspondence to the list without the permission of the sender.

--
Mikael Abrahamsson    email: swm...@swm.pp.se
Re: [c-nsp] EOMPLS between 10G subinterface and GE subinterface between two 7600
Hello,

Maybe there is a bug with SRB IOS. I still have VC up on both ends but I can't ping between CE1 and CE2.

On CE1 (Juniper side) I learn arp address of remote CE2 device and receive arp request and send arp reply:

show arp no-resolve | match xe-3/1/0
00:16:9c:6d:42:80 150.1.1.1 xe-3/1/0.999 none

Juniper PCAP Flags [Ext, In], PCAP Extension(s) total length 22
  Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
  Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
  Device Interface Index Extension TLV #1, length 2, value: 193
  Logical Interface Index Extension TLV #4, length 4, value: 126
  Logical Unit Number Extension TLV #5, length 4, value: 32767
  -----original packet-----
  0:16:9c:6d:42:80 > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 999, p 0, ethertype ARP, arp who-has 150.1.1.2 tell 150.1.1.1
11:34:01.878596 Out
Juniper PCAP Flags [Ext], PCAP Extension(s) total length 22
  Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
  Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
  Device Interface Index Extension TLV #1, length 2, value: 193
  Logical Interface Index Extension TLV #4, length 4, value: 126
  Logical Unit Number Extension TLV #5, length 4, value: 32767
  -----original packet-----
  0:21:59:a7:c4:30 > 0:16:9c:6d:42:80, ethertype 802.1Q (0x8100), length 46: vlan 999, p 0, ethertype ARP, arp reply 150.1.1.2 is-at 0:21:59:a7:c4:30

The issue is that I can't upgrade to SRD IOS.

thank you,
John

On Wed, Feb 17, 2010 at 11:05 AM, Tassos Chatzithomaoglou ach...@forthnet.gr wrote:
> I'm running EoMPLS between 10GE subif and 1GE subif without any problem.
>
> 7600-a#sh mpls l2 vc 3601
> Local intf     Local circuit              Dest address    VC ID      Status
> -------------  -------------------------  --------------- ---------- ----------
> Gi4/20.3601    Eth VLAN 3601              x.x.x.x         3601       UP
>
> 7600-b#sh mpls l2 vc 3601
> Local intf     Local circuit              Dest address    VC ID      Status
> -------------  -------------------------  --------------- ---------- ----------
> Te3/2.3601     Eth VLAN 3601              x.x.x.x         3601       UP
>
> Both 7600s are running SRD3.
>
> --
> Tassos
Re: [c-nsp] Controlling allowed VLANs, alternatives?
On (2010-02-17 09:33 +), Phil Mayers wrote:
> alias interface tagvlan switchport trunk allowed vlan add
> alias interface detagvlan switchport trunk allowed vlan remove
>
> ...because forgetting that add and remove can do really really really bad things...

Agreed. Alternatives are using EEM or TACACS to deny execution of dangerous commands. It is hard to find people who've worked with Cisco switches for a few years who haven't made this mistake.

Also a very common mistake we've denied in TACACS is 'no router isis'; people sometimes type that in interface, forgetting the 'ip'.

While Cisco does provide rather poor quality software it is still the operator who breaks the network most typically. Hardware faults are a far distant 3rd. Yet when we design networks, we concentrate on avoiding downtime from hardware faults.

--
  ++ytti
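Both mistakes named in this thread are visible in the change text before it is pasted into a session, so they can be caught by a script where EEM or TACACS filtering is not available. The lint below is an added example (not from either poster): it expands the `tagvlan`/`detagvlan` aliases from the earlier post, flags `switchport trunk allowed vlan <list>` without `add`/`remove`/`except`/`none`/`all`, and flags a `no router ...` typed while still inside an interface block. The sample change is constructed.

```python
"""Pre-change lint for IOS configuration snippets (added example, constructed input).

  1. 'switchport trunk allowed vlan <list>' with no add/remove/except/none/all
     keyword replaces the whole allowed-VLAN list instead of editing it.
  2. 'no router <proto>' typed while still in interface mode is accepted as the
     global command and removes the routing process; the interface-level
     command is 'no ip router isis'.
"""
import re

ALLOWED_VLAN_RE = re.compile(r"^switchport trunk allowed vlan(?:\s+(\S+))?", re.I)
SAFE_ALLOWED_KEYWORDS = {"add", "remove", "except", "none", "all"}
INTERFACE_RE = re.compile(r"^int(?:erface)?\s+(\S+)", re.I)
NO_ROUTER_RE = re.compile(r"^no router\s+\S+", re.I)


def load_aliases(lines):
    """Collect 'alias interface <name> <command...>' definitions."""
    aliases = {}
    for line in lines:
        m = re.match(r"^alias interface\s+(\S+)\s+(.+)$", line.strip(), re.I)
        if m:
            aliases[m.group(1)] = m.group(2).strip()
    return aliases


def expand(line, aliases):
    """Replace a leading interface-mode alias with the command it stands for."""
    tokens = line.split(None, 1)
    if tokens and tokens[0] in aliases:
        rest = tokens[1] if len(tokens) > 1 else ""
        return f"{aliases[tokens[0]]} {rest}".strip()
    return line


def lint_change(text, aliases=None):
    """Return [(line_number, code, expanded_command)] for every risky line."""
    lines = text.splitlines()
    aliases = dict(aliases or {})
    aliases.update(load_aliases(lines))      # aliases defined in the change itself
    findings = []
    in_interface = None
    for lineno, raw in enumerate(lines, 1):
        cmd = expand(raw.strip(), aliases)
        if not cmd or cmd.startswith("!"):
            continue
        m = INTERFACE_RE.match(cmd)
        if m:
            in_interface = m.group(1)
            continue
        if cmd.lower() in ("exit", "end"):
            in_interface = None
            continue
        m = ALLOWED_VLAN_RE.match(cmd)
        if m and (m.group(1) or "").lower() not in SAFE_ALLOWED_KEYWORDS:
            findings.append((lineno, "allowed_vlan_list_replaced", cmd))
        if in_interface and NO_ROUTER_RE.match(cmd):
            findings.append((lineno, "no_router_in_interface_mode", cmd))
    return findings


# Constructed change: the first interface block carries both mistakes, the
# second uses the aliases and the correct interface-level command.
SAMPLE_CHANGE = """\
alias interface tagvlan switchport trunk allowed vlan add
alias interface detagvlan switchport trunk allowed vlan remove
!
interface GigabitEthernet1/1
 switchport trunk allowed vlan 100
 no router isis
 exit
interface GigabitEthernet1/2
 tagvlan 100
 detagvlan 200-299,310
 no ip router isis
"""

if __name__ == "__main__":
    for lineno, code, cmd in lint_change(SAMPLE_CHANGE):
        print(f"line {lineno}: {code}: {cmd}")
```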
Re: [c-nsp] netiquette
On Wed, 17 Feb 2010, Marco Regini wrote:
> Thanks.
>
> So if I post a question to cisco-nsp@puck.nether.net and t...@gmail.com answer to me directly, I can't reply to the mailing list but only to tom? Even if the message is only about technical stuff?

That is correct. Unless you KNOW for sure that Tom is ok with you posting his reply to the list, you shouldn't do it. What Tom is telling you might be for your eyes only and he doesn't want to share it with the rest of the world, and you might not realise it.

The correct way of handling this is to reply to your own email to the list and supply the new information (if you feel it's not a secret). Then at least the world won't know who said it to you.

--
Mikael Abrahamsson    email: swm...@swm.pp.se
[c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco Security Agent
Cisco Security Advisory: Multiple Vulnerabilities in Cisco Security Agent

Advisory ID: cisco-sa-20100217-csa

Revision 1.0

For Public Release 2010 February 17 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

The Management Center for Cisco Security Agents is affected by a directory traversal vulnerability and a SQL injection vulnerability. Successful exploitation of the directory traversal vulnerability may allow an authenticated attacker to view and download arbitrary files from the server hosting the Management Center. Successful exploitation of the SQL injection vulnerability may allow an authenticated attacker to execute SQL statements that can cause instability of the product or changes in the configuration.

Additionally, the Cisco Security Agent is affected by a denial of service (DoS) vulnerability. Successful exploitation of the Cisco Security Agent agent DoS vulnerability may cause the affected system to crash. Repeated exploitation could result in a sustained DoS condition.

These vulnerabilities are independent of each other.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20100217-csa.shtml

Affected Products
=================

Vulnerable Products
+------------------

Cisco Security Agent releases 5.1, 5.2 and 6.0 are affected by the SQL injection vulnerability. Only Cisco Security Agent release 6.0 is affected by the directory traversal vulnerability. Only Cisco Security Agent release 5.2 is affected by the DoS vulnerability.

Note: Only the Management Center for Cisco Security Agents is affected by the directory traversal and SQL injection vulnerabilities. The agents installed on user end-points are not affected.

Only Cisco Security Agent release 5.2 for Windows and Linux, either managed or standalone, are affected by the DoS vulnerability.

Standalone agents are installed in the following products:

  * Cisco Unified Communications Manager (CallManager)
  * Cisco Conference Connection (CCC)
  * Emergency Responder
  * IPCC Express
  * IPCC Enterprise
  * IPCC Hosted
  * IP Interactive Voice Response (IP IVR)
  * IP Queue Manager
  * Intelligent Contact Management (ICM)
  * Cisco Voice Portal (CVP)
  * Cisco Unified Meeting Place
  * Cisco Personal Assistant (PA)
  * Cisco Unity
  * Cisco Unity Connection
  * Cisco Unity Bridge
  * Cisco Secure ACS Solution Engine
  * Cisco Internet Service Node (ISN)
  * Cisco Security Manager (CSM)

Note: The Sun Solaris version of the Cisco Security Agent is not affected by these vulnerabilities.

Products Confirmed Not Vulnerable
+--------------------------------

The Sun Solaris version of Cisco Security Agent is not affected by these vulnerabilities.

No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

The Cisco Security Agent is a security software agent that provides threat protection for server and desktop computing systems. Cisco Security Agents can be standalone agents or can be managed by the Cisco Security Agent Management Center.

The Management Center for Cisco Security Agents is affected by a directory traversal vulnerability and a SQL injection vulnerability.

Management Center for Cisco Security Agents Directory Traversal Vulnerability
+----------------------------------------------------------------------------

The Management Center for Cisco Security Agents is affected by a directory traversal vulnerability that may allow an authenticated attacker to view and download arbitrary files from the server that is hosting the Management Center for Cisco Security Agents.

This vulnerability is documented in Cisco Bug ID CSCtd73275 and has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2010-0146.

Management Center for Cisco Security Agents SQL Injection Vulnerability
+----------------------------------------------------------------------

The Management Center for Cisco Security Agents is also affected by a SQL injection vulnerability that may allow an authenticated attacker to execute SQL statements that can cause the Management Center for Cisco Security Agents to become unstable or modify its configuration. These configuration changes may result in modifications to the security policies of the endpoints. Additionally, an attacker may create, delete, or modify management user accounts that are found in the Management Center for Cisco Security Agents.

This vulnerability is documented in Cisco Bug ID CSCtd73290 and has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2010-0147.

Cisco Security Agent Denial of Service Vulnerability
+---------------------------------------------------

Cisco Security Agent is affected by a DoS vulnerability that could allow an unauthenticated attacker to cause a system to crash by sending a series of TCP packets
Re: [c-nsp] EOMPLS between 10G subinterface and GE subinterface between two 7600
Hello,

I tried with Cisco 7600 as CE instead of Juniper and it works, I have to find out what is wrong there.

Thank you for your help,

Regards,
John

---------- Forwarded message ----------
From: Ioan Branet ioan.bra...@gmail.com
Date: Wed, Feb 17, 2010 at 11:44 AM
Subject: Re: [c-nsp] EOMPLS between 10G subinterface and GE subinterface between two 7600
To: Tassos Chatzithomaoglou ach...@forthnet.gr
Cc: cisco-nsp@puck.nether.net

Hello,

Maybe there is a bug with SRB IOS. I still have VC up on both ends but I can't ping between CE1 and CE2.

On CE1 (Juniper side) I learn arp address of remote CE2 device and receive arp request and send arp reply:

show arp no-resolve | match xe-3/1/0
00:16:9c:6d:42:80 150.1.1.1 xe-3/1/0.999 none

Juniper PCAP Flags [Ext, In], PCAP Extension(s) total length 22
  Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
  Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
  Device Interface Index Extension TLV #1, length 2, value: 193
  Logical Interface Index Extension TLV #4, length 4, value: 126
  Logical Unit Number Extension TLV #5, length 4, value: 32767
  -----original packet-----
  0:16:9c:6d:42:80 > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 999, p 0, ethertype ARP, arp who-has 150.1.1.2 tell 150.1.1.1
11:34:01.878596 Out
Juniper PCAP Flags [Ext], PCAP Extension(s) total length 22
  Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
  Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
  Device Interface Index Extension TLV #1, length 2, value: 193
  Logical Interface Index Extension TLV #4, length 4, value: 126
  Logical Unit Number Extension TLV #5, length 4, value: 32767
  -----original packet-----
  0:21:59:a7:c4:30 > 0:16:9c:6d:42:80, ethertype 802.1Q (0x8100), length 46: vlan 999, p 0, ethertype ARP, arp reply 150.1.1.2 is-at 0:21:59:a7:c4:30

The issue is that I can't upgrade to SRD IOS.

thank you,
John
[c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances
Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances

Advisory ID: cisco-sa-20100217-asa

Revision 1.0

For Public Release 2010 February 17 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities:

  * TCP Connection Exhaustion Denial of Service Vulnerability
  * Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerabilities
  * Skinny Client Control Protocol (SCCP) Inspection Denial of Service Vulnerability
  * WebVPN Datagram Transport Layer Security (DTLS) Denial of Service Vulnerability
  * Crafted TCP Segment Denial of Service Vulnerability
  * Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability
  * NT LAN Manager version 1 (NTLMv1) Authentication Bypass Vulnerability

These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others.

There are workarounds for some of the vulnerabilities disclosed in this advisory.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml.

Affected Products
=================

Vulnerable Products
+------------------

Cisco ASA 5500 Series Adaptive Security Appliances are affected by multiple vulnerabilities. Affected versions of Cisco ASA Software vary depending on the specific vulnerability. For specific version information, refer to the Software Versions and Fixes section of this advisory.

TCP Connection Exhaustion Denial of Service Vulnerability
+--------------------------------------------------------

Cisco ASA 5500 Series Adaptive Security Appliances may experience a TCP connection exhaustion condition (no new TCP connections are accepted) that can be triggered through the receipt of specific TCP segments during the TCP connection termination phase.

Appliances that are running versions 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected when they are configured for any of the following features:

  * SSL VPNs
  * Cisco Adaptive Security Device Manager (ASDM) Administrative Access
  * Telnet Access
  * SSH Access
  * Virtual Telnet
  * Virtual HTTP
  * Transport Layer Security (TLS) Proxy for Encrypted Voice Inspection

SIP Inspection Denial of Service Vulnerabilities
+-----------------------------------------------

Two denial of service (DoS) vulnerabilities affect the SIP inspection feature of Cisco ASA 5500 Series Adaptive Security Appliances. Versions 7.0.x, 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected.

SIP inspection is enabled by default. To check if SIP inspection is enabled, issue the show service-policy | include sip command and confirm that some output is returned. Sample output is displayed in the following example:

    ciscoasa#show service-policy | include sip
          Inspect: sip , packet 0, drop 0, reset-drop 0

Alternatively, an appliance that has SIP inspection enabled has a configuration similar to the following:

    class-map inspection_default
     match default-inspection-traffic
    !
    policy-map global_policy
     class inspection_default
      ...
      inspect sip
      ...
    !
    service-policy global_policy global

SCCP Inspection Denial of Service Vulnerability
+----------------------------------------------

A denial of service vulnerability affects the SCCP inspection feature of the Cisco ASA 5500 Series Adaptive Security Appliances. Versions 8.0.x, 8.1.x, and 8.2.x are affected.

SCCP inspection is enabled by default. To check if SCCP inspection is enabled, issue the show service-policy | include skinny command and confirm that some output is returned. Sample output is displayed in the following example:

    ciscoasa#show service-policy | include skinny
          Inspect: skinny , packet 0, drop 0, reset-drop 0

Alternatively, an appliance that has SCCP inspection enabled has a configuration similar to the following:

    class-map inspection_default
     match default-inspection-traffic
    !
    policy-map global_policy
     class inspection_default
      ...
      inspect skinny
      ...
    !
    service-policy global_policy global

WebVPN DTLS Denial of Service Vulnerability
+------------------------------------------

Cisco ASA 5500 Series Adaptive Security Appliances are affected by a denial of service vulnerability that exists when WebVPN and DTLS are enabled. Affected versions include 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x.

Administrators can enable WebVPN with the enable interface name command in webvpn configuration mode. DTLS can be enabled by issuing the svc dtls enable command in group policy webvpn configuration mode. The following configuration snippet provides an example of a WebVPN configuration that enables
[c-nsp] Cisco Security Advisory: Cisco Firewall Services Module Skinny Client Control Protocol Inspection Denial of Service Vulnerability
Cisco Security Advisory: Cisco Firewall Services Module Skinny Client Control Protocol Inspection Denial of Service Vulnerability

Advisory ID: cisco-sa-20100217-fwsm

http://www.cisco.com/warp/public/707/cisco-sa-20100217-fwsm.shtml

Revision 1.0

For Public Release 2010 February 17 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

A vulnerability exists in the Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers that may cause the Cisco FWSM to reload after processing a malformed Skinny Client Control Protocol (SCCP) message. The vulnerability exists when SCCP inspection is enabled.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100217-fwsm.shtml.

Affected Products
=================

Vulnerable Products
+------------------

All non-fixed 4.x versions of Cisco FWSM Software are affected by this vulnerability if SCCP inspection is enabled.

SCCP inspection is enabled by default. To check if SCCP inspection is enabled, issue the show service-policy | include skinny command and confirm that the command returns output. Example output follows:

    fwsm#show service-policy | include skinny
          Inspect: skinny , packet 0, drop 0, reset-drop 0

Alternatively, a device that has SCCP inspection enabled has a configuration similar to the following:

    class-map inspection_default
     match default-inspection-traffic
    !
    policy-map global_policy
     class inspection_default
      ...
      inspect skinny
      ...
    !
    service-policy global_policy global

To determine the version of Cisco FWSM Software that is running, issue the show module command-line interface (CLI) command from Cisco IOS Software or Cisco Catalyst Operating System Software to identify what modules and sub modules are installed on the system.

The following example shows a system with a Cisco FWSM (WS-SVC-FWM-1) installed in slot 2:

    switch#show module
    Mod Ports Card Type                              Model              Serial No.
    --- ----- -------------------------------------- ------------------ -----------
      1   16  SFM-capable 16 port 1000mb GBIC        WS-X6516-GBIC      SAL06334NS9
      2    6  Firewall Module                        WS-SVC-FWM-1       SAD10360485
      3    8  Intrusion Detection System             WS-SVC-IDSM-2      SAD0932089Z
      4    4  SLB Application Processor Complex      WS-X6066-SLB-APC   SAD093004BD
      5    2  Supervisor Engine 720 (Active)         WS-SUP720-3B       SAL0934888E

    Mod MAC addresses                       Hw    Fw           Sw           Status
    --- --------------------------------- ----- ------------ ------------ -------
      1  0009.11e3.ade8 to 0009.11e3.adf7  5.1   6.3(1)       8.5(0.46)RFW Ok
      2  0018.ba41.5092 to 0018.ba41.5099  4.0   7.2(1)       3.2(2)10     Ok
      3  0014.a90c.9956 to 0014.a90c.995d  5.0   7.2(1)       5.1(6)E1     Ok
      4  0014.a90c.66e6 to 0014.a90c.66ed  1.7   4.2(3)                    Ok
      5  0013.c42e.7fe0 to 0013.c42e.7fe3  4.4   8.1(3)       12.2(18)SXF1 Ok
    [...]

After locating the correct slot, issue the show module slot number command to identify the software version that is running. Example output follows:

    switch#show module 2
    Mod Ports Card Type                              Model              Serial No.
    --- ----- -------------------------------------- ------------------ -----------
      2    6  Firewall Module                        WS-SVC-FWM-1       SAD10360485

    Mod MAC addresses                       Hw    Fw           Sw           Status
    --- --------------------------------- ----- ------------ ------------ -------
      2  0018.ba41.5092 to 0018.ba41.5099  4.0   7.2(1)       3.2(2)10     Ok
    [...]

The preceding example shows that the FWSM is running software version 3.2(2)10 as indicated by the column under Sw.

Note: Recent versions of Cisco IOS Software will show the software version of each module in the output from the show module command; therefore, executing the show module slot number command is not necessary.

If a Virtual Switching System (VSS) is used to allow two physical Cisco Catalyst 6500 Series Switches to operate as a single logical virtual switch, the show module switch all command can display the software version of all FWSMs that belong to switch 1 and switch 2. The output from this command will be similar to the output from the show module slot number but will include module information for the modules in each switch in the VSS.

Alternatively, version information can be obtained directly from the FWSM through the show version command. Example output follows:

    FWSM# show version
    FWSM Firewall Version 3.2(2)10
    [...]

Customers who use the Cisco
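The ASA and FWSM advisories above give the same two-part test: is `inspect sip` / `inspect skinny` applied through the globally attached policy-map, and is the running version in an affected train. As an added example (not from either advisory), the script below runs that test over a saved configuration instead of the live `show service-policy` output, using the affected trains the advisories list for ASA (SIP: 7.0.x to 8.2.x; SCCP: 8.0.x to 8.2.x) and FWSM (all non-fixed 4.x). The sample configuration is the one quoted in the advisories; the version strings in the test are constructed, and the fixed releases within a train are not encoded here.

```python
"""Exposure check for the SIP/SCCP inspection DoS advisories
(added example, constructed input)."""

# Affected trains as stated in the advisories. A version inside a train is
# reported as exposed; the fixed releases within each train come from the
# advisories' Software Versions and Fixes sections and are not encoded here.
AFFECTED_TRAINS = {
    ("asa", "sip"):     ("7.0", "7.1", "7.2", "8.0", "8.1", "8.2"),
    ("asa", "skinny"):  ("8.0", "8.1", "8.2"),
    ("fwsm", "skinny"): ("4",),          # all non-fixed 4.x
}


def parse_policy_maps(config):
    """Return ({policy_map_name: {inspections}}, policy-map applied 'global')."""
    policies, current, global_pm = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():           # any unindented line leaves a policy-map block
            current = None
        tokens = line.split()
        if tokens[0] == "policy-map":
            current = tokens[-1]           # 'policy-map NAME' or 'policy-map type inspect PROTO NAME'
            policies.setdefault(current, set())
        elif tokens[0] == "service-policy" and tokens[-1] == "global":
            global_pm = tokens[1]
        elif current and tokens[0] == "inspect" and len(tokens) > 1:
            policies[current].add(tokens[1])
    return policies, global_pm


def global_inspections(config):
    """Inspections that take effect on all interfaces via the global service-policy."""
    policies, global_pm = parse_policy_maps(config)
    return set(policies.get(global_pm, ()))


def in_train(version, train):
    """True for '8.2(1)' or '8.2.1' when train is '8.2'; major-only for train '4'."""
    return version.startswith(train + ".") or version.startswith(train + "(")


def exposure(platform, version, config):
    """Inspections that are both globally enabled and in an affected train."""
    enabled = global_inspections(config)
    exposed = set()
    for (plat, proto), trains in AFFECTED_TRAINS.items():
        if plat == platform and proto in enabled and any(in_train(version, t) for t in trains):
            exposed.add(proto)
    return exposed


# The configuration fragment quoted in the advisories, with both inspections present.
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect sip
  inspect skinny
!
service-policy global_policy global
"""

if __name__ == "__main__":
    # Constructed version strings for demonstration.
    for platform, version in (("asa", "8.2(1)"), ("asa", "7.2(4)"), ("fwsm", "4.0(8)"), ("fwsm", "3.2(2)10")):
        print(platform, version, sorted(exposure(platform, version, SAMPLE_CONFIG)))
```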
Re: [c-nsp] EOMPLS between 10G subinterface and GE subinterface between two 7600
Hello,

It is just a config problem on your J CE1: You needn't flexible-vlan-tagging (nor flexible-ethernet-services encapsulation)

R/ Manu

On Wed, Feb 17, 2010 at 5:01 PM, Ioan Branet ioan.bra...@gmail.com wrote:

Hello,

I tried with Cisco 7600 as CE instead of Juniper and it works, I have to find out what is wrong there.

Thank you for your help,
Regards,
John

-- Forwarded message --
From: Ioan Branet ioan.bra...@gmail.com
Date: Wed, Feb 17, 2010 at 11:44 AM
Subject: Re: [c-nsp] EOMPLS between 10G subinterface and GE subinterface between two 7600
To: Tassos Chatzithomaoglou ach...@forthnet.gr
Cc: cisco-nsp@puck.nether.net

Hello,

Maybe there is a bug with SRB IOS. I still have VC up on both ends but I can't ping between CE1 and CE2.

On CE1 (Juniper side) I learn arp address of remote CE2 device and receive arp request and send arp reply:

    show arp no-resolve | match xe-3/1/0
    00:16:9c:6d:42:80  150.1.1.1  xe-3/1/0.999  none

    Juniper PCAP Flags [Ext, In], PCAP Extension(s) total length 22
      Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
      Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
      Device Interface Index Extension TLV #1, length 2, value: 193
      Logical Interface Index Extension TLV #4, length 4, value: 126
      Logical Unit Number Extension TLV #5, length 4, value: 32767
      -----original packet-----
      0:16:9c:6d:42:80 > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 999, p 0, ethertype ARP, arp who-has 150.1.1.2 tell 150.1.1.1
    11:34:01.878596 Out
    Juniper PCAP Flags [Ext], PCAP Extension(s) total length 22
      Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
      Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
      Device Interface Index Extension TLV #1, length 2, value: 193
      Logical Interface Index Extension TLV #4, length 4, value: 126
      Logical Unit Number Extension TLV #5, length 4, value: 32767
      -----original packet-----
      0:21:59:a7:c4:30 > 0:16:9c:6d:42:80, ethertype 802.1Q (0x8100), length 46: vlan 999, p 0, ethertype ARP, arp reply 150.1.1.2 is-at 0:21:59:a7:c4:30.

The issue is that I can't upgrade to SRD IOS.

thank you,
John

On Wed, Feb 17, 2010 at 11:05 AM, Tassos Chatzithomaoglou ach...@forthnet.gr wrote:

I'm running EoMPLS between 10GE subif and 1GE subif without any problem.

    7600-a# sh mpls l2 vc 3601
    Local intf     Local circuit        Dest address    VC ID      Status
    -------------  -------------------  --------------- ---------- ----------
    Gi4/20.3601    Eth VLAN 3601        x.x.x.x         3601       UP

    7600-b# sh mpls l2 vc 3601
    Local intf     Local circuit        Dest address    VC ID      Status
    -------------  -------------------  --------------- ---------- ----------
    Te3/2.3601     Eth VLAN 3601        x.x.x.x         3601       UP

Both 7600s are running SRD3.

--
Tassos

Ioan Branet wrote on 17/02/2010 10:49:

Hello,

We run EOMPLS on port and vlan mode on GE interfaces but we did not run EOMPLS Vlan mode between 10G and 1G subinterfaces until now.

Any feedback is appreciated.

Thank you,
John

On Wed, Feb 17, 2010 at 10:43 AM, Mikael Abrahamsson swm...@swm.pp.se wrote:

On Wed, 17 Feb 2010, Ioan Branet wrote:

You should answer to the list, answering just to me doesn't make much sense.

SRB4 is buggy, stop running it. Try latest SRB (SRB6 or 7, I don't remember), or go SRD3 or later.

Hello,

We are running on both PEs the following:

    sh ver | i IOS
    Cisco IOS Software, c7600s72033_rp Software (c7600s72033_rp-ADVIPSERVICESK9-M), Version 12.2(33)SRB4, RELEASE SOFTWARE (fc3)

10G card on PE1 is:

    show module 7
    Mod Ports Card Type                              Model              Serial No.
    --- ----- -------------------------------------- ------------------ -----------
      7    4  CEF720 4 port 10-Gigabit Ethernet      WS-X6704-10GE      SAL1337YN4W

and 1G on PE2 is:

    ro-sv01a-rd2#show module 2
    Mod Ports Card Type                              Model              Serial No.
    --- ----- -------------------------------------- ------------------ -----------
      2   24  CEF720 24 port 1000mb SFP              WS-X6724-SFP       SAL1005CBXG

    Mod MAC addresses                       Hw    Fw           Sw           Status
    --- ---------------------------------- ------ ------------ ------------ -------
      2  0016.c8c4.fc10 to 0016.c8c4.fc27   2.3   12.2(14r)S5  12.2(33)SRB4 Ok

    Mod  Sub-Module                  Model              Serial       Hw     Status
    ---- --------------------------- ------------------ ------------ ------ -------
      2  Centralized Forwarding Card WS-F6700-CFC       SAL1014J60S  2.0    Ok

    Mod  Online Diag Status
    ---- -------------------
      2  Pass

Thank you,
Re: [c-nsp] Renumbering serial interfaces
Test this ahead of time with a lab box if you can ;)

What I've done in these scenarios is to build the snippets of config I need to apply and put them into a plain text file. Then do a "copy tftp://blahblah/filename running-config" which merges the changes. Before I do the copy I do a "reload in 15" in case it fails so that I know I can get back into the box in 15 minutes.

YMMV... Please test this though as I haven't done it in a while but did work for my needs at the time...

Paul

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of james edwards
Sent: Wednesday, February 17, 2010 1:20 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Renumbering serial interfaces

I have a bunch of T-1 (ATM) interfaces that I need to renumber. I have always done this with 2 people, one on each end. Is it possible for one person to do this, from one end?

If I am on the near side, I log into the far side's serial IP and do this:

    LALMR_2620(config)#interface ATM0/0.32 point-to-point
    LALMR_2620(config-subif)#ip address 1.1.1.1 255.255.255.252
    LALMR_2620(config-subif)#^Z

--
James H. Edwards
Senior Network Systems Administrator
Judicial Information Division
jedwa...@nmcourts.gov

_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Renumbering serial interfaces
You can renumber serial links with one person. Standard disclaimer of paying attention to detail, being careful, etc.

If you can tolerate a few minutes downtime worst-case (which, I'm making the assumption this is being done in a window that can), you can also use the 'reload in x' command, where x = minutes. If you botch it and cannot get back in, the device will reload with the saved startup configuration (ie: not with your most current changes). You can roll back the near side and be back up. If all changes are successful, don't forget to 'reload cancel' and write your changes.

Obviously there are some other things you probably need to consider like routing protocol adjacencies, or static default routes... so telnet/ssh'ing in from a directly connected interface may be necessary depending on the setup. The only time something like this is a bit more tricky is when multiple changes are required (encapsulation, etc.)

HTH,
-Ryan

On Wed, Feb 17, 2010 at 1:19 PM, james edwards lists.james.edwa...@gmail.com wrote:

I have a bunch of T-1 (ATM) interfaces that I need to renumber. I have always done this with 2 people, one on each end. Is it possible for one person to do this, from one end?

If I am on the near side, I log into the far side's serial IP and do this:

    LALMR_2620(config)#interface ATM0/0.32 point-to-point
    LALMR_2620(config-subif)#ip address 1.1.1.1 255.255.255.252
    LALMR_2620(config-subif)#^Z

--
James H. Edwards
Senior Network Systems Administrator
Judicial Information Division
jedwa...@nmcourts.gov
Re: [c-nsp] ASA - Monitor an IPSEC Tunnel via SNMP
B,

-----Original Message-----
Sent: Wednesday, February 17, 2010 1:22 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ASA - Monitor an IPSEC Tunnel via SNMP

What's the best way to monitor an IPSec tunnel via SNMP on an ASA (v8)? I just want to know if it is up or down. I did an snmpwalk but can't find anything related to the tunnels.

Check out this MIB, CISCO-IPSEC-FLOW-MONITOR-MIB.

.1.3.6.1.4.1.9.9.171.1.3.1.1.0 will retrieve the number of active tunnels.
.1.3.6.1.4.1.9.9.171.1.2.1.1.0 will retrieve the number of active IKE peers.

-ryan
Re: [c-nsp] Renumbering serial interfaces
Hi,

On Wed, Feb 17, 2010 at 11:19:31AM -0700, james edwards wrote:

I have a bunch of T-1 (ATM) interfaces that I need to renumber. I have always done this with 2 people, one on each end. Is it possible for one person to do this, from one end?

If I am on the near side, I log into the far side's serial IP and do this:

    LALMR_2620(config)#interface ATM0/0.32 point-to-point
    LALMR_2620(config-subif)#ip address 1.1.1.1 255.255.255.252
    LALMR_2620(config-subif)#^Z

Should work. (At that point, the connection will lock up, and then you need to connect to the new address and continue)

Always remember to put in "reload in 5" before you do anything that might lock you out, and "reload cancel" afterwards...

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
Re: [c-nsp] netiquette
On Wed, Feb 17, 2010 at 2:54 AM, Mikael Abrahamsson swm...@swm.pp.se wrote:

On Wed, 17 Feb 2010, Marco Regini wrote:

Thanks. So if I post a question to cisco-nsp@puck.nether.net and t...@gmail.com answer to me directly, I can't reply to the mailing list but only to tom? Even if the message is only about technical stuff?

That is correct. Unless you KNOW for sure that Tom is ok with you posting his reply to the list, you shouldn't do it.

A good example of this is someone going out on a limb to provide information that isn't under NDA, but that their PR department might not want to see on a public list. I've asked questions before (Anyone know why $FOO_COMPANY is doing this?) and received subtle but helpful answers that make the reply button seem like a dangerous weapon if used incorrectly.

... there tends to be a lot of trust in these parts.

-Nick
Re: [c-nsp] EOMPLS between 10G subinterface and GE subinterface between two 7600
Hello,

I used also vlan-tagging but with same result:

    show configuration interfaces xe-3/1/0
    description "** Link To PE1 **";
    vlan-tagging;
    link-mode full-duplex;
    gigether-options {
        no-auto-negotiation;
    }
    unit 999 {
        bandwidth 10g;
        vlan-id 999;
        family inet {
            accounting {
                source-class-usage {
                    input;
                }
            }
            no-redirects;
            sampling {
                input;
            }
            address 150.1.1.2/30 {
                primary;
                preferred;
            }
        }
    }

    #ping 150.1.1.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 150.1.1.2, timeout is 2 seconds:
    .
    Success rate is 0 percent (0/5)

On Wed, Feb 17, 2010 at 7:06 PM, Manu Chao linux.ya...@gmail.com wrote:

Hello,

It is just a config problem on your J CE1: You needn't flexible-vlan-tagging (nor flexible-ethernet-services encapsulation)

R/ Manu

On Wed, Feb 17, 2010 at 5:01 PM, Ioan Branet ioan.bra...@gmail.com wrote:

Hello,

I tried with Cisco 7600 as CE instead of Juniper and it works, I have to find out what is wrong there.

Thank you for your help,
Regards,
John

-- Forwarded message --
From: Ioan Branet ioan.bra...@gmail.com
Date: Wed, Feb 17, 2010 at 11:44 AM
Subject: Re: [c-nsp] EOMPLS between 10G subinterface and GE subinterface between two 7600
To: Tassos Chatzithomaoglou ach...@forthnet.gr
Cc: cisco-nsp@puck.nether.net

Hello,

Maybe there is a bug with SRB IOS. I still have VC up on both ends but I can't ping between CE1 and CE2.