[c-nsp] Cisco ME-6524 platform architecture
Dear all,

I stumbled across this excellent forum yesterday whilst trying to gain some information on the platform architecture of the Cisco ME-6524. I have been extensively testing this device for a couple of months now, using a mixture of local switching, multiplex-uni and EoMPLS with MPLS-TE FRR. So far, it has performed remarkably well, especially considering its price point as an entry level device to the Cisco 6500 family.

I do however have a question regarding the platform architecture of the box. As I'm sure you all know, the architecture of the modular 6500 series is very well documented by Cisco, including details of the modules (PFC, MSFC etc.), types of ASIC (Pinnacle, Medusa, Earl, Tycho and Superman etc.) and how they interoperate at a high level.

The part I'm struggling with is how this relates to the fixed configuration of the ME-6524. I appreciate that it's based upon the SUP-720, and utilises MSFC2A with PFC3C, but when I issue a show asic-version slot 1, I don't see any ASIC names that I recognise:

nsn1#sho asic-version slot 1
Module in slot 1 has 5 type(s) of ASICs
        ASIC Name      Count      Version
             KUMA          1      (2.0)
         HYPERION          1      (6.0)
             R2D2          1      (2.0)
          DHANUSH          2      (2.0)
         VISHAKHA          8      (1.0)

Can anyone help with some more detailed information relating to the platform configuration of this device?

Many thanks in advance

James Humphris
IP Engineering, Nexagent Ltd.
_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] PIM Split Rules and Multicast over L3 MPLS VPN
Thanks Oli. I will test today on PFC3xx with SRB2 and post the result.

Br,
Alaerte

-----Original Message-----
From: ext Oliver Boehmer (oboehmer) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 22, 2008 8:01 PM
To: Vidali Alaerte (NSN - BR/Rio de Janeiro); cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] PIM Split Rules and Multicast over L3 MPLS VPN

[EMAIL PROTECTED] wrote on Tuesday, January 22, 2008 6:09 PM:

> Hi,
>
> PIM considers source of multicast to perform load splitting when the
> command ip multicast multipath is entered. When using multicast over
> L3 MPLS VPN, the source IP is the IP of PEx for any customer group
> connected to PEx. Any way to overcome this limitation and achieve load
> splitting of multicast over L3 MPLS VPN?
>
> For example, consider this scenario:
>
> Sender for group G1 and G2---CE1---PE1---P1---PE2---CE2---receiver of G1 and G2
>                                     |          |
>                                     |___P2_____|
>
> The goal is having one G1 taking path PE1--P1--PE2 and G2 taking path
> PE1--P2--PE2. (but without using GRE encapsulation to have multicast
> encapsulated into unicast)

12.2SRB for the 7600 introduced ip multicast multipath s-g-hash basic which allows you to do the hash on source+group.. Platform support for this is still limited, not sure about your environment.

oli
Re: [c-nsp] ADSL
Would be a bit of a waste of an entire PA slot though wouldn't it? :-)

You could always use something like an 857 (on the cheaper side if you want to stick with Cisco, otherwise any el cheapo yum-cha brand) in bridge mode hooked up to an ethernet port to do PPPoE, provided PPPoE client is supported of course.

On 23/01/2008, at 2:55 AM, Sridhar Ayengar wrote:

> I *really* wish Cisco had made an ADSL PA.
>
> Peace... Sridhar
Re: [c-nsp] RTBH - anyone using this?
Or make it multihop. I got bitten by this many years ago (on both cisco and juniper) but it seems that till now documentation hasn't been changed to reflect it.

If you are going to allow your customers to use it (usually done with communities) be sure to filter accordingly, so the customers'd blackhole their own prefixes only :)

Cheers,
Jeff

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp- [EMAIL PROTECTED] On Behalf Of Matyas Koszik
Sent: Tuesday 22 January 2008 19:41
To: Drew Weaver
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] RTBH - anyone using this?

You need to add disable-connected-check to the peer's bgp configuration. (I know the documentation doesn't say so but that's what makes it work for me.)

On Tue, 22 Jan 2008, Drew Weaver wrote:

> I'm following this guide:
> http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper0900aecd80313fac.pdf
> if anyone knows of a better one please do enlighten me ☺
>
> Everything works a lot better than I imagined it would except for one
> issue and one question.
>
> Question: There is simply no reason to be exporting the routes from the
> edge routers to the triggers if I am reading this document correctly.
> Rather than using prefix or filter lists, is there a handy way to make
> the edge routers not send routes to the trigger server (using a command
> in that peer-group?)
>
> The issue I am having is kind of strange and I've never run across it
> before like many of my issues…..
>
> RTBH has you add a static route on the edge routers which acts as a
> next-hop for the routes which are sent by the trigger server/router.
> For whatever reason the routes sent by the trigger server/router aren't
> being entered into my routing table on the Edge routers because it is
> giving me RIB failures:
>
> LAB01#sh ip bgp nei 10.1.0.11 routes
> BGP table version is 476702490, local router ID is 10.1.0.9
> Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
>               r RIB-failure, S Stale
> Origin codes: i - IGP, e - EGP, ? - incomplete
>
>    Network          Next Hop            Metric LocPrf Weight Path
> r>iblocked/28       192.0.2.1                0    200      0 i
>
> LAB01#sh ip route 192.0.2.1
> Routing entry for 192.0.2.1/32
>   Known via static, distance 1, metric 0 (connected)
>   Tag 50
>   Redistributing via ospf 1
>   Routing Descriptor Blocks:
>   * directly connected, via Null0
>       Route metric is 0, traffic share count is 1
>       Route tag 50
>
> Clearly there is a route to 192.0.2.1 with a destination of Null so it
> does appear to be a valid route, yet bgp refuses to add the
> “blocked/28” route to the routing table.
>
> Has anyone run into this before?
>
> Thanks!
> -Drew
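The filtering Jeff describes for customer-triggered blackholing, sketched as an added example that is not part of the thread: a blackhole request is honoured only when the prefix lies inside a prefix registered to the customer that sent it. The community value, the function name and the customer registry are hypothetical, and the sample prefixes are constructed from documentation ranges.

```python
import ipaddress

BLACKHOLE_COMMUNITY = "65000:666"   # hypothetical value, not taken from the thread

# Constructed sample data: prefixes registered to each customer BGP session.
CUSTOMER_PREFIXES = {
    "cust-a": ["198.51.100.0/24"],
    "cust-b": ["203.0.113.0/25", "2001:db8:b::/48"],
}


def check_blackhole_request(customer, prefix, communities, registry=CUSTOMER_PREFIXES):
    """Return (accepted, reason) for one route received from a customer."""
    if BLACKHOLE_COMMUNITY not in communities:
        return (False, "not a blackhole request")
    try:
        # strict=True rejects prefixes with host bits set, e.g. 198.51.100.7/24
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return (False, "malformed prefix")
    for owned in registry.get(customer, []):
        owned_net = ipaddress.ip_network(owned)
        # subnet_of() raises TypeError across address families, so compare versions first
        if net.version == owned_net.version and net.subnet_of(owned_net):
            return (True, "inside " + owned)
    return (False, "outside customer's registered prefixes")


if __name__ == "__main__":
    requests = [
        ("cust-a", "198.51.100.7/32"),   # own host route: accepted
        ("cust-a", "203.0.113.5/32"),    # someone else's address: rejected
        ("cust-b", "203.0.113.200/32"),  # outside cust-b's /25: rejected
        ("cust-a", "0.0.0.0/0"),         # covering route: rejected
    ]
    for customer, prefix in requests:
        print(customer, prefix, check_blackhole_request(customer, prefix, [BLACKHOLE_COMMUNITY]))
```

On a router the same decision is normally expressed as a per-customer prefix-list combined with a community match in the inbound route-map.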
[c-nsp] ASA 8.0 Webvpn MAPI
Howdy,

Anyone had any experience with getting MS Exchange to work with a webvpn client on ASA 8.0(2) or greater without using the AnyConnect client (ie clientless) now that MAPI support isn't available? Doesn't look like smart tunnels will do the job either and can't find anything else hinting in the Cisco docs or google.

Cheers
Ben
[c-nsp] Tacacs+ accounting on ASA/PIX 7.x
Hey all,

I know in the past the pix/asa would not generate accounting records of what commands were entered on the device. Does anyone know if this has changed? I've read some docs that talk about accounting traffic that passes THROUGH the device but not accounting for what commands are entered on the device from what user, like you get on an IOS router.

Thanks
Joseph
Re: [c-nsp] EzVPN drops packets after first data burst
Anything to do with packet size?

Frank

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kristofer Sigurdsson
Sent: Tuesday, January 22, 2008 7:42 AM
To: Cisco NSP
Subject: [c-nsp] EzVPN drops packets after first data burst

Hi list,

I have a Cisco 1841 router, IOS 12.4(12), Adv. IP Services. I'm using it for an EzVPN server where clients can VPN into a VRF which contains a local network.

Clients can connect and start to use eg. Remote Desktop to a computer on the inside network, but as soon as some traffic starts flowing (like opening a browser in Remote Desktop), the session hangs and, according to the show crypto session remote peer detail, no new outbound (from the VPN server) packets come and I start seeing dropped inbound packets (dec'ed).

Sample output:

Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: x.x.x.x port 4406 fvrf: (none) ivrf: xx
      Phase1_id:
      Desc: (none)
  IKE SA: local x.x.x.x/4500 remote x.x.x.x/4406 Active
          Capabilities:CXN connid:233 lifetime:07:58:49
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.10.210.158
        Active SAs: 2, origin: dynamic crypto map
        Inbound:  #pkts dec'ed 279 drop 69 life (KB/Sec) 4587796/86332
        Outbound: #pkts enc'ed 432 drop 0 life (KB/Sec) 4587562/86332

Whatever the user tries to do on the VPN, the only thing that changes (apart from time) is the dec'ed drop packets. The number of packets dec'ed/enc'ed is not exactly consistent, but this always happens at the first burst of data across the link. The counters go to a few hundred, then this happens.

The VPN connection stays up, nothing unusual in the client. It says transparent tunneling: active on UDP port 4500, so it probably doesn't matter that the client is behind NAT, right?

The problem only depends on data going over the link, not time. If I'm just using ping, traceroute and SSH terminal access, there is no problem. As soon as I put a burst on the link, it hangs and does not recover.

We have a few customers on the router, each using a different profile (pretty much same configuration) and different VRFs for inside networks. Same problem for all of them.

Thanks in advance,
Kristo

Here's the relevant configuration:

aaa group server radius RADIUS-XX
 server-private x.x.x.x auth-port 1645 acct-port 1646 key xxx
 ip vrf forwarding xx
aaa authentication login AAA-XX group RADIUS-XX
aaa authorization network vpn local
ip vrf xx
 description xx
 rd 65365:7
 route-target export 65365:7
 route-target import 65365:7
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 5
!
crypto isakmp policy 30
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group
 key x
 dns x.x.x.x
 pool xx
 acl xx
 group-lock
 save-password
 max-users 50
 netmask 255.255.255.255
!
crypto isakmp profile
 vrf xx
 self-identity address
 match identity group
 client authentication list AAA-XX
 isakmp authorization list vpn
 client configuration address respond
 initiate mode aggressive
 local-address FastEthernet0/0
!
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association idle-time 86400
!
crypto ipsec transform-set vpn esp-3des esp-md5-hmac
!
! dynamic-map vpn 1-6 and 8-... are other customers who also have the same problem
!
crypto dynamic-map vpn 7
 set transform-set vpn
 set isakmp-profile
 reverse-route
!
crypto map vpn 65535 ipsec-isakmp dynamic vpn
!
interface FastEthernet0/0
 description Uplink
 ip address x.x.x.x 255.255.255.128
 duplex auto
 speed auto
 crypto map vpn
!
interface FastEthernet0/1.930
 encapsulation dot1Q 930
 ip vrf forwarding xx
 ip address 10.9.8.2 255.255.255.252
!
! The RIP is to advertise the host routes to the VPN clients to another router on the inside (and receive routes from there)
!
router rip
 version 2
 !
 address-family ipv4 vrf xx
  redistribute connected
  redistribute static
  network 10.0.0.0
  network 192.168.0.0
  network 192.168.124.0
  no auto-summary
  version 2
 exit-address-family
!
ip local pool xx 10.10.210.100 10.10.210.200 group xx
!
ip access-list extended xx
 (lots of networks)
Re: [c-nsp] access-list question
You may be interested in looking at aggregate and microflows:
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd803e5017.html

Frank

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richey
Sent: Tuesday, January 22, 2008 10:14 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] access-list question

If I do the following will it rate-limit each IP to 1.8Mb or will it limit the group of IPs to 1.8Mb? I want for each IP to get 1.8Mb.

interface Ethernet1/1
 description EB1 - Wireless
 ip address 69.18.x.x 255.255.255.224
 rate-limit input access-group 199 180 337500 675000 conform-action transmit exceed-action drop
 rate-limit output access-group 199 180 337500 675000 conform-action transmit exceed-action drop
 half-duplex

access-list 199 permit ip host 69.18.x.x any
access-list 199 permit ip host 69.18.x.x any
access-list 199 permit ip host 69.18.x.x any
access-list 199 permit ip host 69.18.x.x any
access-list 199 permit ip host 69.18.x.x any
Re: [c-nsp] RTBH - anyone using this?
On Jan 23, 2008, at 2:15 AM, Drew Weaver wrote:

> Question: There is simply no reason to be exporting the routes from the
> edge routers to the triggers if I am reading this document correctly.
> Rather than using prefix or filter lists, is there a handy way to make
> the edge routers not send routes to the trigger server (using a command
> in that peer-group?)

I set up outgoing prefix-lists on the edge routers so that no routes are sent down, and incoming prefix-lists on the trigger, too, just to be sure.

> The issue I am having is kind of strange and I’ve never run across it
> before like many of my issues…..

I always set local-pref on routes received from the trigger to be high, and they end up being the preferred routes for the prefixes in question, which ends up triggering the recursive lookup to null0 and thus the packet drops.

---
Roland Dobbins [EMAIL PROTECTED] // 408.527.6376 voice

Culture eats strategy for breakfast.

    -- Ford Motor Company
[c-nsp] Cisco Security Advisory: Cisco PIX and ASA Time-to-Live Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco PIX and ASA Time-to-Live Vulnerability

Advisory ID: cisco-sa-20080123-asa

http://www.cisco.com/warp/public/707/cisco-sa-20080123-asa.shtml

Revision 1.0

For Public Release 2008 January 23 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

A crafted IP packet vulnerability exists in the Cisco PIX 500 Series Security Appliance (PIX) and the Cisco 5500 Series Adaptive Security Appliance (ASA) that may result in a reload of the device. This vulnerability is triggered during processing of a crafted IP packet when the Time-to-Live (TTL) decrement feature is enabled. Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0028 has been assigned to this vulnerability.

Cisco has released free software updates that address this vulnerability. A workaround that mitigates this vulnerability is available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080123-asa.shtml.

Affected Products
=================

Vulnerable Products
+------------------

The TTL decrement feature was introduced in version 7.2(2) and it is disabled by default. The Cisco PIX and ASA security appliances running software versions prior to 7.2(3)006 or 8.0(3) and that have the TTL decrement feature enabled are vulnerable.

By default the PIX and ASA security appliance software does not decrement the TTL of transient packets. The ability to decrement the TTL of transient packets can be enabled on a selective or global basis by using the set connection decrement-ttl command in the policy-map class configuration mode.

To determine whether you are running this feature use the show running-config command and search for the set connection decrement-ttl command. Alternatively you can use the include argument to search for this command as follows:

    ASA#show running-config | include decrement-ttl
      set connection decrement-ttl
    ASA#

The set connection decrement-ttl command is part of a configured class-map. In order for this command to take effect it must be applied using a policy-map (assigned globally or to an interface). For more information about the Modular Policy Framework on the Cisco ASA and PIX refer to the following link:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mpc.html

To determine whether you are running a vulnerable version of Cisco PIX or ASA software, issue the show version command-line interface (CLI) command. The following example shows a Cisco ASA Security Appliance that runs software release 7.2(3):

    ASA#show version

    Cisco Adaptive Security Appliance Software Version 7.2(3)

    [...]

Customers who use the Cisco Adaptive Security Device Manager (ASDM) to manage their devices can find the version of the software displayed in the table in the login window or in the upper left corner of the ASDM window. The version notation is similar to the following:

    PIX Version 7.2(3)

Products Confirmed Not Vulnerable
+--------------------------------

Cisco PIX and ASA security appliances which do not support the TTL decrement feature or are not explicitly configured for it are not vulnerable.

Note: The TTL decrement feature was introduced in version 7.2(2), and it is disabled by default.

The Cisco Firewall Services Module (FWSM) is not vulnerable. No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

A crafted IP packet vulnerability exists in the Cisco PIX 500 Series Security Appliance (PIX) and the Cisco 5500 Series Adaptive Security Appliance (ASA) that may result in a reload of the device. This vulnerability is triggered during processing of a crafted IP packet when the Time-to-Live (TTL) decrement feature is enabled.

This vulnerability is documented in Cisco Bug ID CSCsk48199.

Vulnerability Scoring Details
+----------------------------

Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html.

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss.

* Cisco PIX and ASA TTL Vulnerability (CSCsk48199)

CVSS Base Score - 7.8
    Access Vector -          Network
    Access Complexity -      Low
    Authentication -         None
    Confidentiality Impact
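The exposure check the advisory walks through (a release prior to 7.2(3)006 or 8.0(3), plus set connection decrement-ttl in a policy-map that a service-policy actually applies), as an added example that is not part of Cisco's advisory. The function names and both sample configurations are constructed for illustration. It assumes interim builds appear as digits after the parenthesised maintenance number, and that release trains the advisory does not name are not affected.

```python
import re

FEATURE_INTRODUCED = (7, 2, 2, 0)     # 7.2(2), per the advisory
FIXED = {(7, 2): (7, 2, 3, 6),        # 7.2(3)006
         (8, 0): (8, 0, 3, 0)}        # 8.0(3)
VERSION_RE = re.compile(r"Version\s+(\d+)\.(\d+)\((\d+)\)(\d*)")


def parse_version(show_version):
    """Return (major, minor, maintenance, interim) from 'show version' text."""
    m = VERSION_RE.search(show_version)
    if m is None:
        raise ValueError("no software version found")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def version_affected(version):
    """True if the release has the feature and predates the fixed release."""
    fixed = FIXED.get(version[:2])
    if fixed is None:                 # assumption: trains the advisory does not name
        return False
    return FEATURE_INTRODUCED <= version < fixed


def policy_maps_with_decrement_ttl(config):
    """Names of layer 3/4 policy-maps containing 'set connection decrement-ttl'."""
    found, current = set(), None
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if not line[0].isspace():     # an unindented command starts a new block
            m = re.match(r"policy-map\s+(?!type\s)(\S+)", line)
            current = m.group(1) if m else None
        elif current and line.split() == ["set", "connection", "decrement-ttl"]:
            found.add(current)
    return found


def applied_policy_maps(config):
    """Map policy-map name -> scopes ('global' or 'interface NAME') it is applied to."""
    applied = {}
    pattern = r"^service-policy[ \t]+(\S+)[ \t]+(global|interface[ \t]+\S+)[ \t]*$"
    for m in re.finditer(pattern, config, re.M):
        applied.setdefault(m.group(1), []).append(m.group(2))
    return applied


def assess(show_version, running_config):
    """Combine the version test and the configuration test from the advisory."""
    version = parse_version(show_version)
    configured = policy_maps_with_decrement_ttl(running_config)
    applied = applied_policy_maps(running_config)
    active = {name: applied[name] for name in sorted(configured) if name in applied}
    affected = version_affected(version)
    return {"version": version, "version_affected": affected,
            "configured": sorted(configured), "active": active,
            "exposed": affected and bool(active)}


# Constructed sample: the feature sits in the globally applied policy-map.
SAMPLE_ACTIVE = """\
class-map ttl-class
 match any
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
 class ttl-class
  set connection decrement-ttl
!
service-policy global_policy global
"""

# Constructed sample: the feature is configured, but that policy-map is never applied.
SAMPLE_UNAPPLIED = """\
class-map ttl-class
 match any
policy-map outside_policy
 class ttl-class
  set connection decrement-ttl
policy-map global_policy
 class inspection_default
  inspect ftp
service-policy global_policy global
"""

if __name__ == "__main__":
    banner = "Cisco Adaptive Security Appliance Software Version 7.2(3)"
    print(assess(banner, SAMPLE_ACTIVE))
    print(assess(banner, SAMPLE_UNAPPLIED))
```

A plain search for decrement-ttl, as in the advisory's include example, also matches the unapplied case; the service-policy lookup is what separates configured from in effect.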
Re: [c-nsp] Cisco ME-6524 platform architecture
> The part I'm struggling with is how this relates to the fixed
> configuration of the ME-6524. I appreciate that it's based upon the
> SUP-720, and utilises MSFC2A with PFC3C, but when I issue a show

Actually it's closer to SUP-32, as the ME-6524 is a classic-bus only device.

> KUMA 1 (2.0)
> HYPERION 1 (6.0)
> R2D2 1 (2.0)
> DHANUSH 2 (2.0)
> VISHAKHA 8 (1.0)

My guess is the Vishakha ASICs are the ones connected to the customer ports; it's documented that there are 8 ASICs for the customer ports, each 1 serving groups of 3 ports.

Rubens
[c-nsp] Cisco Security Advisory: Default Passwords in the Application Velocity System
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Default Passwords in the Application Velocity System

Advisory ID: cisco-sa-20080123-avs

http://www.cisco.com/warp/public/707/cisco-sa-20080123-avs.shtml

Revision 1.0

For Public Release 2008 January 23 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Versions of the Cisco Application Velocity System (AVS) prior to software version AVS 5.1.0 do not prompt users to modify system account passwords during the initial configuration process. Because there is no requirement to change these credentials during the initial configuration process, an attacker may be able to leverage the accounts that have default credentials, some of which have root privileges, to take full administrative control of the AVS system.

After upgrading to software version AVS 5.1.0, users will be prompted to modify these credentials.

Cisco will make free upgrade software available to address this vulnerability for affected customers. The software upgrade will be applicable only for the AVS 3120, 3180, and 3180A systems. The workaround identified in this document describes how to change the passwords in current releases of software for the AVS 3110.

Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0029 has been assigned to this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080123-avs.shtml.

Affected Products
=================

Vulnerable Products
+------------------

This vulnerability affects the Cisco AVS 3110, 3120, 3180, and 3180A Management Station appliances that are running software versions prior to AVS 5.1.0.

Administrators can determine the software version of the AVS appliances by logging in to the Management Station web-based user interface or from the command-line interface (CLI) of the appliance operating system.

Customers who use the AVS 3180 or 3180A Management Station can determine their node software versions by navigating to the Cluster Information Page. Each registered node will display the corresponding software version when the node is selected.

The AVS appliance version can also be determined from the host operating system by using the Show Version command.

The following example shows Show Version output for an AVS 3120 appliance that is running version 5.1.0:

    velocity>Show Version
    Cisco Application Velocity System,(AVS)
    AVS 3120-K9 005.001(000.034)

The following example shows Show Version output for an AVS 3180 or 3180A appliance that is running version 5.1.0:

    velocity>Show Version
    Cisco Application Velocity System,(AVS)
    AVS 3180-MGMT 005.001(000.034)

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

The Cisco AVS 3110 and 3120 are enterprise data center appliances for improving web application performance, measuring end-user response time, and managing application security. The Cisco AVS 3120 enforces application security with an integrated web application firewall.

The Cisco AVS 3180 and 3180A Management Stations provide web-based tools for the configuration and application performance monitoring for a cluster of AVS 3110s and 3120s or individual nodes.

The Cisco AVS 3110, 3120, 3180, and 3180A Management Stations use some system accounts that are initially configured with default passwords. Vulnerable versions of the AVS software do not prompt the administrator to change the passwords for these accounts, including accounts with root privileges, during the initial configuration process. Non-vulnerable versions of AVS software will now prompt administrators to change these accounts after installation.

Note: If the passwords for the AVS 3110 or 3120 are changed on the device itself and it has previously been registered with an AVS 3180 or 3180A Management Station, the node must be re-registered with the Management Station console. Otherwise, communication between the AVS 3180 or 3180A Management Station and AVS 3110 or 3120 node will be lost. For additional details about the AVS node registration process, refer to the Register Node section of the Cisco AVS User's Guide.

After upgrading the appliance software to version AVS 5.1.0 and logging in for the first time, the administrator will now be prompted to change the system account passwords.

The following example shows the new password change prompts and the subsequent password change dialog for the AVS 3120 after upgrade:

    velocity login: fgn
    Password:
    **WARNING** System wide secrets are in factory default state.
    Would you like to change
[c-nsp] Cisco PIX Device Manager
Classification INTERNAL :The contents of this mail are restricted to being within Patni. Its non-compliance violates the Patni BPO policy

Hi,

Can you tell me why Cisco PDM (GUI) does not take the same credentials from ACS that work for telnet (CLI).

Thanks
Vijay
Re: [c-nsp] Cisco ME-6524 platform architecture
Hi James,

I am the Product Manager for the ME-6524 platform. I am very interested to hear about your deployment scenario and can help answer your questions.

The ME-6524 has a similar architecture to Sup32 with the one key difference that it supports PFC3C rather than the PFC3B on the Sup32. Sup32 architecture documents can be leveraged to understand the ME-6524.

Please feel free to contact me directly if you have any more questions.

Sachin

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Humphris
Sent: Wednesday, January 23, 2008 3:11 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco ME-6524 platform architecture

Dear all,

I stumbled across this excellent forum yesterday whilst trying to gain some information on the platform architecture of the Cisco ME-6524. I have been extensively testing this device for a couple of months now, using a mixture of local switching, multiplex-uni and EoMPLS with MPLS-TE FRR. So far, it has performed remarkably well, especially considering its price point as an entry level device to the Cisco 6500 family.

I do however have a question regarding the platform architecture of the box. As I'm sure you all know, the architecture of the modular 6500 series is very well documented by Cisco, including details of the modules (PFC, MSFC etc.), types of ASIC (Pinnacle, Medusa, Earl, Tycho and Superman etc.) and how they interoperate at a high level.

The part I'm struggling with is how this relates to the fixed configuration of the ME-6524. I appreciate that it's based upon the SUP-720, and utilises MSFC2A with PFC3C, but when I issue a show asic-version slot 1, I don't see any ASIC names that I recognise:

nsn1#sho asic-version slot 1
Module in slot 1 has 5 type(s) of ASICs
        ASIC Name      Count      Version
             KUMA          1      (2.0)
         HYPERION          1      (6.0)
             R2D2          1      (2.0)
          DHANUSH          2      (2.0)
         VISHAKHA          8      (1.0)

Can anyone help with some more detailed information relating to the platform configuration of this device?

Many thanks in advance

James Humphris
IP Engineering, Nexagent Ltd.
Re: [c-nsp] Cisco PIX Device Manager
> Classification INTERNAL :The contents of this mail are restricted to
> being within Patni. Its non-compliance violates the Patni BPO policy

Sorry no one is allowed to answer!

[REDACTED to protect my innocence!]

~JasonG
[c-nsp] MUX
Dear ALL

We are looking to get a MUX for the Fiber between our 2 buildings... out of your experience, what do you think about getting *Marconi OMS*
http://www.ericsson.com/solutions/products/hp/Optical_Networks_pa.shtml
since our LAN and WAN are built on Cisco and Extreme devices.

Thanks
--
madunix
[c-nsp] VPLS Error Message: Output interface: if-?(0), imposed label stack {}
In a very simple lab setup, VPLS is not working. I am wondering if it is platform/hardware issue (for example WS-X6548-GE-TX issue). Any idea?

Topology: CE1a---PE1-PE2---CE2a

Here is result of related command:

sh mpls l2transport vc 60 det
Local interface: VFI vlan60 VFI up
  MPLS VC type is VFI, interworking type is Ethernet
  Destination address: 200.222.117.41, VC ID: 60, VC status: down
    Output interface: if-?(0), imposed label stack {}
    Preferred path: not configured
    Default path: no route
    No adjacency
  Create time: 00:19:18, last status change time: 00:06:28
  Signaling protocol: LDP, peer 200.222.117.41:0 up
    Targeted Hello: 200.222.117.42(LDP Id) - 200.222.117.41
    MPLS VC labels: local 21, remote 16
    Group ID: local 0, remote 0
    MTU: local 1500, remote 1500
    Remote interface description:
  Sequencing: receive disabled, send disabled
  VC statistics:
    packet totals: receive 0, send 0
    byte totals:   receive 0, send 0
    packet drops:  receive 0, send 0

Configuration:

l2 vfi vlan60 manual
 vpn id 60
 neighbor 200.222.117.41 encapsulation mpls
!
interface Vlan60
 xconnect vfi vlan60
!
mpls label protocol ldp
mpls ldp discovery targeted-hello accept
mpls ldp router-id Loopback0 force
!
interface Loopback0
 ip address 10.10.10.101 255.255.255.255
!
Ip cef

sh ver
Cisco IOS Software, c7600s72033_rp Software (c7600s72033_rp-ADVIPSERVICESK9-M), Version 12.2(33)SRB2, RELEASE SOFTWARE (fc1)

show module
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1    2  Supervisor Engine 720 (Active)         WS-SUP720-3B       SAD092604Y5
  2    8  8 port 1000mb GBIC Enhanced QoS        WS-X6408A-GBIC     SAL10489531
  3   48  SFM-capable 48 port 10/100/1000mb RJ45 WS-X6548-GE-TX     SAL10425G69

Mod  Sub-Module                  Model              Serial       Hw     Status
---- --------------------------- ------------------ ----------- ------- -------
  1  Policy Feature Card 3       WS-F6K-PFC3B       SAD09240BDE  2.1    Ok
  1  MSFC3 Daughterboard         WS-SUP720          SAD0925023U  2.3    Ok

Tks,
Alaerte
[c-nsp] Key-chain and MD5 authentication for IS-IS
Hello everybody,

Do you know whether I have to update the key chain string after an IOS upgrade? Let's fancy from 12.2S to 12.0S... I'm only using it for IS-IS instance authentication. Has anyone ever run into this situation?

I'll appreciate any clue or recommendation.

Leonardo.
Re: [c-nsp] MUX
Mr. madunix,

Not sure what your requirements are, but if all you need is multiple GigE links over the same fiber, take a look at this:
http://www.cisco.com/en/US/products/ps6575/index.html

Arie

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mad Unix
Sent: Wednesday, January 23, 2008 21:44 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] MUX

Dear ALL

We are looking to get a MUX for the Fiber between our 2 buildings... out of your experience, what do you think about getting *Marconi OMS*
http://www.ericsson.com/solutions/products/hp/Optical_Networks_pa.shtml
since our LAN and WAN are built on Cisco and Extreme devices.

Thanks
--
madunix
Re: [c-nsp] VPLS Error Message: Output interface: if-?(0), imposed label stack {}
With the LAN cards, like the 6548, you can only use subinterface or port mode EoMPLS. Local switching (which VFIs provide) needs OSM/SPA/ES card on the backbone side.

A debug mpls l2transport vc event should give you a bunch of messages about the switch being unable to find a suitable tunnel label.

You can use a set of looped ports to provide local switching, looping between a trunk interface and an EoMPLS port mode interface on each side of the tunnel. But it's not very neat. :-)

Regards,
Peter

On Wed, 2008-01-23 at 14:53 -0600, [EMAIL PROTECTED] wrote:

In a very simple lab setup, VPLS is not working. I am wondering if it is platform/hardware issue (for example WS-X6548-GE-TX issue). Any idea?

Topology: CE1a---PE1-PE2---CE2a

Here is result of related command:

sh mpls l2transport vc 60 det
Local interface: VFI vlan60 VFI up
  MPLS VC type is VFI, interworking type is Ethernet
  Destination address: 200.222.117.41, VC ID: 60, VC status: down
    Output interface: if-?(0), imposed label stack {}
    Preferred path: not configured
    Default path: no route
    No adjacency
  Create time: 00:19:18, last status change time: 00:06:28
  Signaling protocol: LDP, peer 200.222.117.41:0 up
    Targeted Hello: 200.222.117.42(LDP Id) - 200.222.117.41
    MPLS VC labels: local 21, remote 16
    Group ID: local 0, remote 0
    MTU: local 1500, remote 1500
    Remote interface description:
  Sequencing: receive disabled, send disabled
  VC statistics:
    packet totals: receive 0, send 0
    byte totals: receive 0, send 0
    packet drops: receive 0, send 0

Configuration:

l2 vfi vlan60 manual
 vpn id 60
 neighbor 200.222.117.41 encapsulation mpls
!
interface Vlan60
 xconnect vfi vlan60
!
mpls label protocol ldp
mpls ldp discovery targeted-hello accept
mpls ldp router-id Loopback0 force
!
interface Loopback0
 ip address 10.10.10.101 255.255.255.255
!
Ip cef

sh ver
Cisco IOS Software, c7600s72033_rp Software (c7600s72033_rp-ADVIPSERVICESK9-M), Version 12.2(33)SRB2, RELEASE SOFTWARE (fc1)

show module
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1    2  Supervisor Engine 720 (Active)         WS-SUP720-3B       SAD092604Y5
  2    8  8 port 1000mb GBIC Enhanced QoS        WS-X6408A-GBIC     SAL10489531
  3   48  SFM-capable 48 port 10/100/1000mb RJ45 WS-X6548-GE-TX     SAL10425G69

Mod Sub-Module                  Model              Serial       Hw      Status
--- --------------------------- ------------------ ------------ ------- -------
  1 Policy Feature Card 3       WS-F6K-PFC3B       SAD09240BDE  2.1     Ok
  1 MSFC3 Daughterboard         WS-SUP720          SAD0925023U  2.3     Ok

Tks,
Alaerte
Re: [c-nsp] MUX
Hi Mad,

CWDM is a nice and (relatively) cheap solution, but of course it requires special colour GBICs at each end. The cost of the passive CWDM muxer and special GBICs + stock for a rainy day can sometimes make provisioning an extra physical fiber look more attractive than otherwise, especially for short distances. But YMMV.

Regards,
Peter

On Wed, 2008-01-23 at 22:41 +0100, Arie Vayner (avayner) wrote:

Mr. madunix,

Not sure what your requirements are, but if all you need is multiple GigE links over the same fiber, take a look at this: http://www.cisco.com/en/US/products/ps6575/index.html

Arie

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mad Unix
Sent: Wednesday, January 23, 2008 21:44 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] MUX

Dear ALL

We are looking to get a MUX for the Fiber between our 2 buildings... out of your experience, what do you think about getting *Marconi OMS* http://www.ericsson.com/solutions/products/hp/Optical_Networks_pa.shtml since our LAN and WAN built on Cisco and Extreme devices.

Thanks
--
madunix
Re: [c-nsp] SXH1 - lab tested/live router
On Tue, Jan 22, 2008 at 12:01:37PM -0600, mack wrote:

Has anyone other than cisco lab tested or put SXH1 into production yet? I am still waiting on approval for lab time.

The bug fixes most relevant to me are:
DOM support for older XENPAKs (supposedly fixed)
Stability Improvements (a number of bug fixes)
Insertion of a line into an active BGP loopback group leading to uneven traffic distribution requiring hard bgp reset to rectify.
memory/cpu usage tracking via SNMP in the modular version.

The DOM support had kept us from considering upgrading to SXH. The SNMP cpu usage tracking kept us from considering modular versions.

DOM is most definitely fixed in SXH1 and SRC, which is a Very Good Thing (tm).

I'm personally still torn about which way to go after SXF. SXH seems to have mostly good reviews as far as stability, and offers modular code that does MPLS and IPv6 now, but seems to be missing a few critical features that only exist in SRB+ (such as a functional route-map continue for outbound routes, and netflow sampling which stands at least the slightest chance of being usable by only sampling packets on interfaces you actually WANT sampled in netflow). Honestly neither train seems to offer a complete solution, which seems to prove that Cisco is doing its customers a great disservice by playing business unit games with the 6500/7600 software. I don't know if I have the balls to run SRC so soon after its initial release, but maybe SRB3 will have the DOM fix.

Also, for the love of god, can someone please encourage Cisco to fix ip policy-list so it can match NAMED community-lists instead of just numbered lists. This is the only way to do a logical and on component policies and make route-maps suck even the slightest bit less, and it's all but unusable because of such a simple oversight. :)

--
Richard A Steenbergen [EMAIL PROTECTED] http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
Re: [c-nsp] 3560/3750 12.2(44)
There is a bug in the release and the command is not available. This will be fixed in the next maintenance release.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp- [EMAIL PROTECTED] On Behalf Of Mike Louis
Sent: Tuesday, January 22, 2008 11:49 AM
To: Higham, Josh; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 3560/3750 12.2(44)

It's not being dropped from the configuration, it's not available in the global configuration.

(config)#

-----Original Message-----
From: Higham, Josh [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 22, 2008 1:12 PM
To: Mike Louis; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] 3560/3750 12.2(44)

[mailto:[EMAIL PROTECTED] On Behalf Of Mike Louis

I recently upgraded some switches 3750 from 12.2(35) ipbase to 12.2(44) and now the ip tacacs source-interface command is missing. Anyone else seen this? I upgraded my lab 3560 to same rev of code and found the same command missing.

I believe that the source-interface command is silently dropped if the interface doesn't exist. Not sure if that's what you hit, but it's caught me on several occasions.

Thanks,
Josh
[c-nsp] Cisco WIC-1DSU-T1-V2 + 2811 + 12.4(11)T ??
I can't get this combination to bring up a T1. Configured as

encaps hdlc
service-module t1 clock source line
service-module t1 line b8zs
service-module t1 frame esf
service-module t1 timeslots all

Indicator LED on WIC is green, with no alarms. Turning on debugging shows no keepalives seen:

yourname#debug serial event
Serial interface event debugging is on
yourname#debug serial interface
Serial network interface debugging is on
yourname#debug serial packet
Serial network packets debugging is on
yourname#
*Jan 23 22:30:23.227: DTE idb-dte_interface = DTE
*Jan 23 22:30:23.227: Dscc4(Serial0/0/0): DCD is up.
*Jan 23 22:30:25.227: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to up
*Jan 23 22:30:26.227: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
*Jan 23 22:30:30.391: Serial0/0/0: HDLC myseq 0, mineseen 0, yourseen 0, line up
*Jan 23 22:30:40.391: Serial0/0/0: HDLC myseq 1, mineseen 0, yourseen 0, line up
*Jan 23 22:30:50.391: gt96k_mbrd_serial_mode_reg_init:: was DTE, now set to DTE
*Jan 23 22:30:50.391: DTE idb-dte_interface = DTE
*Jan 23 22:30:50.391: Dscc4(Serial0/0/0): DCD is up.
*Jan 23 22:30:50.391: Serial0/0/0: HDLC myseq 2, mineseen 0, yourseen 0, line down
*Jan 23 22:30:51.391: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to down
*Jan 23 22:31:00.391: Serial0/0/0: HDLC myseq 3, mineseen 0, yourseen 0, line down
*Jan 23 22:31:10.391: Serial0/0/0: HDLC myseq 4, mineseen 0, yourseen 0, line down
*Jan 23 22:31:20.391: Serial0/0/0: HDLC myseq 5, mineseen 0, yourseen 0, line down
*Jan 23 22:31:21.391: Serial0/0/0: attempting to restart
*Jan 23 22:31:21.391: gt96k_mbrd_serial_mode_reg_init:: was DTE, now set to DTE
*Jan 23 22:31:21.391: DTE idb-dte_interface = DTE
*Jan 23 22:31:21.391: Dscc4(Serial0/0/0): DCD is up.
*Jan 23 22:31:30.391: Serial0/0/0: HDLC myseq 6, mineseen 0, yourseen 0, line down
*Jan 23 22:31:40.391: Serial0/0/0: HDLC myseq 7, mineseen 0, yourseen 0, line down
no deb all
All possible debugging has been turned off

If I plug the T1 circuit into a 1760 w- a V1 WIC-1DSU-T1, it comes right up...

Any ideas??

Joe

Joe McGuckin
ViaNet Communications
[EMAIL PROTECTED]
650-207-0372 cell
650-213-1302 office
650-969-2124 fax
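The keepalive counters in the debug output posted above can be read mechanically. The following Python is an added example, not part of the original post; it assumes the usual meaning of the Cisco HDLC debug fields (myseq: local keepalive sequence sent, mineseen: last local sequence the far end reported seeing, yourseen: last sequence received from the far end), and its sample lines are constructed in the post's format.

```python
import re

# Constructed sample in the format of the debug output quoted in the post.
SAMPLE = """\
*Jan 23 22:30:30.391: Serial0/0/0: HDLC myseq 0, mineseen 0, yourseen 0, line up
*Jan 23 22:30:40.391: Serial0/0/0: HDLC myseq 1, mineseen 0, yourseen 0, line up
*Jan 23 22:30:50.391: Dscc4(Serial0/0/0): DCD is up.
*Jan 23 22:30:50.391: Serial0/0/0: HDLC myseq 2, mineseen 0, yourseen 0, line down
*Jan 23 22:31:00.391: Serial0/0/0: HDLC myseq 3, mineseen 0, yourseen 0, line down
"""

KEEPALIVE = re.compile(
    r"(?P<intf>\S+): HDLC myseq (?P<myseq>\d+), mineseen (?P<mineseen>\d+), "
    r"yourseen (?P<yourseen>\d+), line (?P<state>up|down)"
)

def parse_keepalives(text):
    """Return one dict per HDLC keepalive line; other debug lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = KEEPALIVE.search(line)
        if m:
            row = m.groupdict()
            for key in ("myseq", "mineseen", "yourseen"):
                row[key] = int(row[key])
            rows.append(row)
    return rows

def diagnose(rows):
    """Classify the keepalive exchange per interface (field meanings assumed)."""
    by_intf = {}
    for row in rows:
        by_intf.setdefault(row["intf"], []).append(row)
    report = {}
    for intf, seq in by_intf.items():
        sending = seq[-1]["myseq"] != seq[0]["myseq"]      # local counter advances
        heard = any(r["yourseen"] > 0 for r in seq)        # peer keepalives arrive
        acked = any(r["mineseen"] > 0 for r in seq)        # peer reports seeing ours
        if heard and acked:
            verdict = "ok"
        elif heard:
            verdict = "receive-only"        # transmit direction suspect
        elif sending and not acked:
            verdict = "no-keepalives-received"
        else:
            verdict = "inconclusive"
        flaps = sum(a["state"] != b["state"] for a, b in zip(seq, seq[1:]))
        report[intf] = {"verdict": verdict, "flaps": flaps, "last": seq[-1]["state"]}
    return report
```

Calling `diagnose(parse_keepalives(SAMPLE))` reports the interface as sending keepalives while never hearing or being acknowledged by the far end, which matches the "no keepalives seen" reading in the post.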
Re: [c-nsp] Cisco WIC-1DSU-T1-V2 + 2811 + 12.4(11)T ??
joe mcguckin wrote:

I can't get this combination to bring up a T1. Configured as

encaps hdlc
service-module t1 clock source line
service-module t1 line b8zs
service-module t1 frame esf
service-module t1 timeslots all

Indicator LED on WIC is green, with no alarms.

Look closely at the jack on the WIC, the molded plastic on the back of where the plug inserts. Does it read STEWART? If not, you have a fake WIC. Even if it does, you might have a fake.

--
Jay Hennigan - CCIE #7880 - Network Engineering - [EMAIL PROTECTED]
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
[c-nsp] PA-MC-T3 and T1 config questions
Guys,

Forgive the rudimentary question, but I'm installing my first PA-MC-T3 for use with 28 point-to-point T1's and I need some config help.

We are doing very simple IP for T1 customers. All will terminate on our DS3 in the PA-MC-T3. I'm pretty sure I understand the configuration required for the basic T3 controller, but I'm fuzzy on what I'll need for the individual T1's. We will be assigning blocks of IP addresses to the remote customer, but our end can be un-numbered.

Does anyone have a good working config they could share? The Cisco documentation goes over all the possibilities, but I'm looking for a real world example in a working router.

Our platform is a 7206 VXR with the PA-MC-T3 card running the IP Plus feature set on a relatively new IOS. Like I said, I just need the T1's to do basic IP traffic.

Thanks for any advice you have.

-Nick Voth
Re: [c-nsp] Key-chain and MD5 authentication for IS-IS
Leonardo Gama Souza wrote on Wednesday, January 23, 2008 11:10 PM:

Hello everybody, Do you know whether I have to update the key chain string after an IOS upgrade? Let's fancy from 12.2S to 12.0S... I'm only using it for IS-IS instance authentication. Has anyone ever run into this situation?

You shouldn't need to update the keys, but I've seen cases where this was required after an upgrade (just re-entering the same key helped). I recall there was a bug somewhere in 12.2S where this was required for all keys (IIRC)..

oli