[c-nsp] CRS-1 Policy change
Hi,

I have a policy which I can see is currently not applied on any interface. I am trying to modify the policy (remove the existing class-map and add a new class-map), but when I commit I see the following message:

!!% Policy manager does not support this feature: Platform does not support policy-map modification type qos

I am sure this policy is not attached anywhere, as otherwise I would see the following error:

!!% Object is in use: Class-map Default-From-CR-SAR of type qos is used bypolicy-map(s). Delete failed

This is on CRS1 XR rel 3.6.2. Am I missing something?

Regards,
Vikas
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] CRS-1 Policy change
Can you please confirm the modified configuration / new class-map? We are running the same version on CRS-1s, with a number of policy modifications made on a need basis. This should not be the case...

-FJ

On Wed, Feb 23, 2011 at 1:14 PM, Vikas Sharma vikasshar...@gmail.com wrote:

> Hi,
>
> I have a policy which I can see is currently not applied on any interface. I am trying to modify the policy (remove the existing class-map and add a new class-map), but when I commit I see the following message:
>
> !!% Policy manager does not support this feature: Platform does not support policy-map modification type qos
>
> I am sure this policy is not attached anywhere, as otherwise I would see the following error:
>
> !!% Object is in use: Class-map Default-From-CR-SAR of type qos is used bypolicy-map(s). Delete failed
>
> This is on CRS1 XR rel 3.6.2. Am I missing something?
>
> Regards,
> Vikas
Re: [c-nsp] CRS-1 Policy change
Hi Farhan,

I am able to modify all other policies except this one. Also, this is the only policy with qos-group (for incoming packets).

policy-map CR_QOS_FROM_PE-CORE
 class Premium-From-PE_CORE
  set qos-group 5
 !
 class Business1-From-PE-CORE
  set qos-group 3
 !
 class Business2-From-PE-CORE
  set qos-group 2
 !
 class Business3-From-PE-CORE
  set qos-group 1
 !
 class Routing-Management-From-PE-CORE
  set qos-group 6
 !
 class Default-From-PE-CORE
  set qos-group 0
 !
 class Multicast-From-PE-CORE
  set qos-group 4
 !
 class class-default
 !
 end-policy-map

Regards,
Vikas

On Wed, Feb 23, 2011 at 3:19 PM, Farhan Jaffer bandh...@gmail.com wrote:

> Can you please confirm the modified configuration / new class-map? We are running the same version on CRS-1s, with a number of policy modifications made on a need basis. This should not be the case...
>
> -FJ
>
> On Wed, Feb 23, 2011 at 1:14 PM, Vikas Sharma vikasshar...@gmail.com wrote:
>
> > Hi,
> >
> > I have a policy which I can see is currently not applied on any interface. I am trying to modify the policy (remove the existing class-map and add a new class-map), but when I commit I see the following message:
> >
> > !!% Policy manager does not support this feature: Platform does not support policy-map modification type qos
> >
> > I am sure this policy is not attached anywhere, as otherwise I would see the following error:
> >
> > !!% Object is in use: Class-map Default-From-PE-CORE of type qos is used bypolicy-map(s). Delete failed
> >
> > This is on CRS1 XR rel 3.6.2. Am I missing something?
> >
> > Regards,
> > Vikas
[c-nsp] CRC Errors on Ethernet Router
Hi All,

I am noting CRC errors on the Ethernet port of my Cisco router. What could be causing it?
Re: [c-nsp] CRC Errors on Ethernet Router
On 23/02/2011 9:19 PM, alex nyagah wrote:

> Hi All,
>
> I am noting CRC errors on the Ethernet port of my Cisco router. What could be causing it?

Duplex mismatch, bad cable, cosmic rays.

Send through a show interface from both ends.

-James.
Re: [c-nsp] CRC Errors on Ethernet Router
duplex?

On 23.02.2011 12:19, alex nyagah wrote:

> Hi All,
>
> I am noting CRC errors on the Ethernet port of my Cisco router. What could be causing it?
Re: [c-nsp] CRC Errors on Ethernet Router
On Wed, 23 Feb 2011, alex nyagah wrote:

> I am noting CRC errors on the Ethernet port of my Cisco router. What could be causing it?

You have to provide more information. Is this copper or fiber, what speed, what is at the other end, how long is the cable, etc.

--
Mikael Abrahamsson    email: swm...@swm.pp.se
[c-nsp] Integration of Cisco CSM 3.3.1 with Cisco ACS 4.2
Dear,

I integrated Cisco CSM 3.3.1 with Cisco ACS 4.2. After integrating, I am able to log in with ACS users and the user defined in system identity setup, but I don't have sufficient privileges assigned (I can't even see the devices added in CSM). Also, when CSM communicates with ACS for the first time it generates some roles in the shared profile in ACS, which are also missing in my case.

Please help me out urgently.
Re: [c-nsp] CRC Errors on Ethernet Router
First thing I would do would be to check for a duplex mismatch and then check the wiring (either by replacing the cable if it's a simple patch or using a cable tester over the span). You might also just physically trace it and see if someone decided to hang a fluorescent light off of it or something too.

Luck,
Buz

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of alex nyagah
Sent: Wednesday, February 23, 2011 6:19 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] CRC Errors on Ethernet Router

Hi All,

I am noting CRC errors on the Ethernet port of my Cisco router. What could be causing it?
Re: [c-nsp] CRC Errors on Ethernet Router
Hi,

Usually when Cyclic Redundancy Check (CRC) errors are incrementing in the show interface command output, it indicates that the cyclic redundancy checksum generated by the originating LAN/WAN device does not match the checksum calculated from the data received. On a LAN, this usually indicates noise or transmission problems on the LAN interface or cable. A high number of CRCs is usually the result of collisions or a station transmitting bad data.

So we can safely assume that CRCs are a very critical alarm that cannot be ignored, so I don't think there should be a threshold in general. The NMS should monitor interfaces for CRCs, and if the number increments then an immediate check is needed; we are talking about the core links here. So we can't wait till the counter increments. Once we have CRCs, then we have a bad cable, port or router and this needs immediate attention.

Regards,
Kim

On Wed, Feb 23, 2011 at 3:53 PM, Harold 'Buz' Dale buz.d...@usg.edu wrote:

> First thing I would do would be to check for a duplex mismatch and then check the wiring (either by replacing the cable if it's a simple patch or using a cable tester over the span). You might also just physically trace it and see if someone decided to hang a fluorescent light off of it or something too.
>
> Luck,
> Buz
>
> -----Original Message-----
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of alex nyagah
> Sent: Wednesday, February 23, 2011 6:19 AM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] CRC Errors on Ethernet Router
>
> Hi All,
>
> I am noting CRC errors on the Ethernet port of my Cisco router. What could be causing it?
Re: [c-nsp] CRC Errors on Ethernet Router
Thanks so much, I now have a point to start checking...

alex

On Wed, Feb 23, 2011 at 5:37 PM, Kasper Adel karim.a...@gmail.com wrote:

> Hi,
>
> Usually when Cyclic Redundancy Check (CRC) errors are incrementing in the show interface command output, it indicates that the cyclic redundancy checksum generated by the originating LAN/WAN device does not match the checksum calculated from the data received. On a LAN, this usually indicates noise or transmission problems on the LAN interface or cable. A high number of CRCs is usually the result of collisions or a station transmitting bad data.
>
> So we can safely assume that CRCs are a very critical alarm that cannot be ignored, so I don't think there should be a threshold in general. The NMS should monitor interfaces for CRCs, and if the number increments then an immediate check is needed; we are talking about the core links here. So we can't wait till the counter increments. Once we have CRCs, then we have a bad cable, port or router and this needs immediate attention.
>
> Regards,
> Kim
>
> On Wed, Feb 23, 2011 at 3:53 PM, Harold 'Buz' Dale buz.d...@usg.edu wrote:
>
> > First thing I would do would be to check for a duplex mismatch and then check the wiring (either by replacing the cable if it's a simple patch or using a cable tester over the span). You might also just physically trace it and see if someone decided to hang a fluorescent light off of it or something too.
> >
> > Luck,
> > Buz
> >
> > -----Original Message-----
> > From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of alex nyagah
> > Sent: Wednesday, February 23, 2011 6:19 AM
> > To: cisco-nsp@puck.nether.net
> > Subject: [c-nsp] CRC Errors on Ethernet Router
> >
> > Hi All,
> >
> > I am noting CRC errors on the Ethernet port of my Cisco router. What could be causing it?
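The checks suggested in this thread (alert on any CRC increment with no threshold, and look at duplex first) can be scripted against two saved `show interfaces` captures. This is an added example, not code from any poster; the two captures are constructed and the function names are hypothetical.

```python
import re

# Line formats as printed by IOS "show interfaces".
IFACE_RE = re.compile(r"^(\S+) is (?:administratively )?(?:up|down), line protocol is")
CRC_RE = re.compile(r"(\d+) input errors, (\d+) CRC")
DUPLEX_RE = re.compile(r"\b(Full|Half|Auto)[- ]duplex", re.IGNORECASE)


def parse_show_interfaces(text):
    """Return {interface: {"crc": int, "duplex": str}} from one capture."""
    result, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = {"crc": 0, "duplex": "unknown"}
            continue
        if current is None:
            continue
        m = DUPLEX_RE.search(line)
        if m:
            result[current]["duplex"] = m.group(1).lower()
        m = CRC_RE.search(line)
        if m:
            result[current]["crc"] = int(m.group(2))
    return result


def crc_alerts(previous, current):
    """List (interface, new_crc_errors, duplex) for every interface whose
    CRC counter moved between two polls. No threshold is applied."""
    alerts = []
    for name, now in sorted(current.items()):
        before = previous.get(name, {"crc": 0})["crc"]
        # A counter lower than last time means it was cleared or the box
        # reloaded, so everything counted since then is new.
        delta = now["crc"] - before if now["crc"] >= before else now["crc"]
        if delta > 0:
            alerts.append((name, delta, now["duplex"]))
    return alerts


# Constructed captures, trimmed to the lines the parser uses.
SNAPSHOT_T0 = """\
FastEthernet0/0 is up, line protocol is up
  Full-duplex, 100Mb/s, 100BaseTX/FX
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
FastEthernet0/1 is up, line protocol is up
  Half-duplex, 100Mb/s, 100BaseTX/FX
     12 input errors, 12 CRC, 0 frame, 0 overrun, 0 ignored
"""

SNAPSHOT_T1 = """\
FastEthernet0/0 is up, line protocol is up
  Full-duplex, 100Mb/s, 100BaseTX/FX
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
FastEthernet0/1 is up, line protocol is up
  Half-duplex, 100Mb/s, 100BaseTX/FX
     49 input errors, 49 CRC, 0 frame, 0 overrun, 0 ignored
"""

if __name__ == "__main__":
    for name, delta, duplex in crc_alerts(parse_show_interfaces(SNAPSHOT_T0),
                                          parse_show_interfaces(SNAPSHOT_T1)):
        print(f"{name}: +{delta} CRC errors since last poll (duplex: {duplex})")
```

An interface reported as half duplex while its peer runs full duplex is the mismatch case the replies point to, which is why the capture from both ends is needed.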
Re: [c-nsp] cisco-nsp Digest, Vol 99, Issue 67
Hello umair:

CONFIGURING BFD

BFD can be configured in two steps.

The first step in configuring BFD is setting the baseline parameters for all BFD sessions on an interface. The configuration occurs at the interface level and the syntax is as follows:

[no] bfd interval 50-999 min_rx 1-999 multiplier 3-50

interval: determines how frequently (in milliseconds) BFD packets will be sent to BFD peers.
min_rx: determines how frequently (in milliseconds) BFD packets will be expected to be received from BFD peers.
multiplier: the number of consecutive BFD packets which must be missed from a BFD peer before declaring that peer unavailable and informing the higher-layer protocols of the failure.

The second step: once the baseline parameters have been set, individual protocols must be informed that they will be using BFD for failure detection. In the first release of BFD, the supported protocols are OSPF, IS-IS, EIGRP and BGP. On the concerned interface you specify BFD.

Example:

interface GigabitEthernet1/2
 ip ospf network point-to-point
 ip ospf cost 1000
 ip ospf hello-interval 3
 ip ospf dead-interval 10
 ip ospf bfd
 bfd interval 50 min_rx 50 multiplier 5
!
router ospf 1
 log-adjacency-changes

Kind Regards
Said Izawi
Senior Network Analyst

From: cisco-nsp-requ...@puck.nether.net
Subject: cisco-nsp Digest, Vol 99, Issue 67
To: cisco-nsp@puck.nether.net
Date: Wed, 23 Feb 2011 09:23:04 -0500
--Forwarded Message Attachment--
From: umair.sae...@live.com
To: cisco-nsp@puck.nether.net
Date: Wed, 23 Feb 2011 06:26:00 +
Subject: [c-nsp] BFD neighbor up/down in log with Static

Dear all,

I wanted to know whether anyone knows the command to enable logging of BFD neighbor status in the router's log. I have already enabled SNMP traps, but I need to show these in the router logs. We are using BFD with static routing.

Thanks

Best Regards,
Umair Saeed
AM IP Operations Core South, Pakistan Telecommunication Company Ltd, Phone # +92 333 2354591

--Forwarded Message Attachment--
From: h...@efes.iucc.ac.il
To: cisco-nsp@puck.nether.net
Date: Wed, 23 Feb 2011 08:55:17 +0200
Subject: Re: [c-nsp] flow-export to more than 2?

> Platforms which have implemented FNF or some subset thereof (N7K, CRS-1, ASR9K, et. al.) can support multiple exporters.

What about 7600s? Any IOS train that handles more than 2 exporters?

Thanks,
Hank
[c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco TelePresence Multipoint Switch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Cisco Security Advisory: Multiple Vulnerabilities in Cisco TelePresence Multipoint Switch

Advisory ID: cisco-sa-20110223-telepresence-ctms
Revision 1.0
For Public Release 2011 February 23

+---------------------------------------------------------------------

Summary
=======

Multiple vulnerabilities exist within the Cisco TelePresence Multipoint Switch. This security advisory outlines details of the following vulnerabilities:

  * Unauthenticated Java Servlet Access
  * Unauthenticated Arbitrary File Upload
  * Cisco Discovery Protocol Remote Code Execution
  * Unauthorized Servlet Access
  * Java RMI Denial of Service
  * Real-Time Transport Control Protocol Denial of Service
  * XML-Remote Procedure Call (RPC) Denial of Service

Duplicate Issue Identification in Other Cisco TelePresence Advisories

The Unauthenticated Java Servlet Access vulnerability affects the Cisco TelePresence Multipoint Switch and Recording Server. The defect as related to each component is covered in each associated advisory. The Cisco bug IDs for these defects are as follows:

  * Cisco TelePresence Multipoint Switch - CSCtf42008
  * Cisco TelePresence Recording Server - CSCtf42005

The Unauthenticated Arbitrary File Upload vulnerability affects the Cisco TelePresence Multipoint Switch and Recording Server. The defect as related to each component is covered in each associated advisory. The Cisco bug IDs for these defects are as follows:

  * Cisco TelePresence Multipoint Switch - CSCth61065
  * Cisco TelePresence Recording Server - CSCth85786

The Cisco Discovery Protocol Remote Code Execution vulnerability affects Cisco TelePresence endpoint devices, Manager, Multipoint Switch, and Recording Server. The defect as related to each component is covered in each associated advisory. The Cisco bug IDs for these defects are as follows:

  * Cisco TelePresence endpoint devices - CSCtd75754
  * Cisco TelePresence Manager - CSCtd75761
  * Cisco TelePresence Multipoint Switch - CSCtd75766
  * Cisco TelePresence Recording Server - CSCtd75769

The Java RMI Denial of Service vulnerability affects the Cisco TelePresence Multipoint Switch and Recording Server. The defect as related to each component is covered in each associated advisory. The Cisco bug IDs for these defects are as follows:

  * Cisco TelePresence Multipoint Switch - CSCtg35830
  * Cisco TelePresence Recording Server - CSCtg35825

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20110223-telepresence-ctms.shtml.

Affected Products
=================

These vulnerabilities affect the Cisco TelePresence Multipoint Switch. All releases of Cisco TelePresence System Software prior to 1.7.1 are affected by one or more of the vulnerabilities listed in this advisory.

The following table provides information pertaining to affected software releases:

+--------------------------------------------------------+--------------+-----------------------------------+
| Description                                            | Cisco Bug ID | Affected Software Releases        |
|--------------------------------------------------------+--------------+-----------------------------------|
| Unauthenticated Java Servlet Access                    | CSCtf01253   | 1.0.x, 1.1.x, 1.5.x, 1.6.x        |
| Unauthenticated Java Servlet Access                    | CSCtf42008   | 1.0.x, 1.1.x, 1.5.x, 1.6.x        |
| Unauthenticated Arbitrary File Upload                  | CSCth61065   | 1.0.x, 1.1.x, 1.5.x, 1.6.x        |
| Cisco Discovery Protocol Remote Code Execution         | CSCtd75766   | 1.0.x, 1.1.x, 1.5.x, 1.6.x        |
| Unauthorized Servlet Access                            | CSCtf97164   | 1.0.x, 1.1.x, 1.5.x, 1.6.x        |
| Java RMI Denial of Service                             | CSCtg35825   | 1.0.x, 1.1.x, 1.5.x, 1.6.x        |
| Real-Time Transport Control Protocol Denial of Service | CSCth60993   | 1.0.x, 1.1.x, 1.5.x, 1.6.x        |
| XML-RPC Denial of Service                              | CSCtj44534   | 1.0.x, 1.1.x, 1.5.x, 1.6.x, 1.7.0 |
+--------------------------------------------------------+--------------+-----------------------------------+

Vulnerable Products
[c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco TelePresence Recording Server
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Cisco Security Advisory: Multiple Vulnerabilities in Cisco TelePresence Recording Server

Advisory ID: cisco-sa-20110223-telepresence-ctrs
Revision 1.0
For Public Release 2011 February 23 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Multiple vulnerabilities exist within the Cisco TelePresence Recording Server. This security advisory outlines details of the following vulnerabilities:

  * Unauthenticated Java Servlet Access
  * Common Gateway Interface (CGI) Command Injection
  * Unauthenticated Arbitrary File Upload
  * XML-Remote Procedure Call (RPC) Arbitrary File Overwrite
  * Cisco Discovery Protocol Remote Code Execution
  * Ad Hoc Recording Denial of Service
  * Java Remote Method Invocation (RMI) Denial of Service
  * Unauthenticated XML-RPC Interface

Duplicate Issue Identification in Other Cisco TelePresence Advisories
+--------------------------------------------------------------------

The Unauthenticated Java Servlet Access vulnerability affects the Cisco TelePresence Multipoint Switch and Recording Server. The defect that is related to each component is covered in each associated advisory. The Cisco Bug IDs for these defects are as follows:

  * Cisco TelePresence Multipoint Switch - CSCtf42008
  * Cisco TelePresence Recording Server - CSCtf42005

The Unauthenticated Arbitrary File Upload vulnerability affects the Cisco TelePresence Multipoint Switch and Recording Server. The defect that is related to each component is covered in each associated advisory. The Cisco Bug IDs for these defects are as follows:

  * Cisco TelePresence Multipoint Switch - CSCth61065
  * Cisco TelePresence Recording Server - CSCth85786

The Cisco Discovery Protocol Remote Code Execution vulnerability affects Cisco TelePresence endpoints, Manager, Multipoint Switch, and Recording Server. The defect that is related to each component is covered in each associated advisory. The Cisco Bug IDs for these defects are as follows:

  * Cisco TelePresence endpoint devices - CSCtd75754
  * Cisco TelePresence Manager - CSCtd75761
  * Cisco TelePresence Multipoint Switch - CSCtd75766
  * Cisco TelePresence Recording Server - CSCtd75769

The Java RMI Denial of Service vulnerability affects the Cisco TelePresence Multipoint Switch and Recording Server. The defect that is related to each component is covered in each associated advisory. The Cisco Bug IDs for these defects are as follows:

  * Cisco TelePresence Multipoint Switch - CSCtg35825
  * Cisco TelePresence Recording Server - CSCtg35830

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20110223-telepresence-ctrs.shtml

Affected Products
=================

These vulnerabilities affect the Cisco TelePresence Recording Server. All releases of Cisco TelePresence software prior to 1.7.1 are affected by one or more of the vulnerabilities listed in this advisory.

The following table provides information that pertains to affected software releases:

+------------------------------------------------+--------------+----------------------------+
| Description                                    | Cisco Bug ID | Affected Software Releases |
|------------------------------------------------+--------------+----------------------------|
| Unauthenticated Java Servlet Access            | CSCtf42005   | 1.6.x                      |
| CGI Command Injection                          | CSCtf97221   | 1.6.x                      |
| Unauthenticated Arbitrary File Upload          | CSCth85786   | 1.6.x                      |
| XML-RPC Arbitrary File Overwrite               | CSCti50739   | 1.6.x, 1.7.0               |
| Cisco Discovery Protocol Remote Code Execution | CSCtd75769   | 1.6.x                      |
| Ad Hoc Recording Denial of Service             | CSCtf97205   | 1.6.x                      |
| Java RMI Denial of Service                     | CSCtg35830   | 1.6.x                      |
| Unauthenticated XML-RPC Interface              | CSCtg35833   | 1.6.x                      |
+------------------------------------------------+--------------+----------------------------+

Vulnerable Products
+------------------

Cisco TelePresence Recording Server devices that are running an affected version of software are affected.

To determine the current version of software that is running on the Cisco TelePresence Recording Server, SSH into the device and issue the show version active and the show version inactive
Re: [c-nsp] the number of users decrease sharply on lns
A few months ago we started having issues on one of our LNS's (7602-VXR), and the issue was that the bearer that we had from the supplier (BT in our case) was being ~100% utilised for the bandwidth we had purchased, but because it was only a percentage of the interface speed our NMS was not picking it up.

Of course YMMV, but that is a similar issue to what we were having...

On 23 Feb 2011, at 15:46, mohamad abboud wrote:

> I have a Cisco router LNS 7301. It was working nicely until last week, when the number of ADSL users began to decrease sharply within a few minutes.
>
> Any help plz
>
> Best Regards
> M.Aboud
> IT.Networking Engineer
[c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances

Advisory ID: cisco-sa-20110223-asa
Revision 1.0
For Public Release 2011 February 23 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities:

  * Transparent Firewall Packet Buffer Exhaustion Vulnerability
  * Skinny Client Control Protocol (SCCP) Inspection Denial of Service Vulnerability
  * Routing Information Protocol (RIP) Denial of Service Vulnerability
  * Unauthorized File System Access Vulnerability

These vulnerabilities are independent; a release that is affected by one vulnerability is not necessarily affected by the others.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20110223-asa.shtml.

Note: The Cisco Firewall Services Module (FWSM) is affected by one of these vulnerabilities. A separate Cisco Security Advisory has been published to disclose the vulnerability that affects the Cisco FWSM. That advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20110223-fwsm.shtml.

Affected Products
=================

Cisco ASA 5500 Series Adaptive Security Appliances are affected by multiple vulnerabilities. Affected versions of Cisco ASA Software vary depending on the specific vulnerability.

Vulnerable Products
+------------------

For specific version information, refer to the Software Versions and Fixes section of this advisory.

Transparent Firewall Packet Buffer Exhaustion Vulnerability
+----------------------------------------------------------

A packet buffer exhaustion vulnerability affects multiple versions of Cisco ASA Software when a security appliance is configured to operate in the transparent firewall mode. Transparent firewall mode is enabled on the appliance if the command firewall transparent is present in the configuration. The default firewall mode is routed, not transparent. The show firewall command can also be used to determine the firewall operation mode:

    ciscoasa# show firewall
    Firewall mode: Transparent

SCCP Inspection Denial of Service Vulnerability
+----------------------------------------------

A denial of service vulnerability affects the SCCP inspection feature of Cisco ASA 5500 Series Adaptive Security Appliances.

Administrators can determine if SCCP inspection is enabled by issuing the show service-policy | include skinny command and confirming that output, such as what is displayed in the following example, is returned.

    ciscoasa# show service-policy | include skinny
          Inspect: skinny, packet 0, drop 0, reset-drop 0

Alternatively, a device that has SCCP inspection enabled has a configuration similar to the following:

    class-map inspection_default
     match default-inspection-traffic
    !
    policy-map global_policy
     class inspection_default
      ...
      inspect skinny
      ...
    !
    service-policy global_policy global

Note: The service policy could also be applied to a specific interface instead of globally, which is displayed in the previous example.

SCCP inspection is enabled by default.

RIP Denial of Service Vulnerability
+----------------------------------

A denial of service vulnerability affects the RIP implementation in Cisco ASA 5500 Series Adaptive Security Appliances when both RIP and the Cisco Phone Proxy feature are enabled on the same device. The following example displays an affected configuration (Cisco ASA Software version 8.0 and 8.1):

    router rip
     ...
    !
    phone-proxy <instance name>
     media-termination address <IP address>
     ...
     <Rest of phone proxy feature configuration>

Or (Cisco ASA Software version 8.2 and later):

    router rip
     ...
    !
    media-termination <instance name>
     address <IP address>
    !
    <Rest of phone proxy feature configuration>

A security appliance is vulnerable if it is processing RIP messages (router rip) and if a global media termination address is configured for the Cisco Phone Proxy feature (refer to previous example). Note that Cisco ASA Software versions 8.0 and 8.1 only allow a global media termination address. However, in Cisco ASA Software version 8.2 and later, it is possible to tie a media termination address to an interface. This configuration, which is accomplished by issuing the command address <IP address> interface <interface name> in media termination configuration mode, is not affected.

Neither RIP nor the Cisco Phone Proxy feature is enabled by default.

Unauthorized File System Access Vulnerability
+--------------------------------------------

An unauthorized file system access vulnerability affects Cisco ASA 5500 Series Adaptive Security Appliances when a security appliance is configured as a local
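The three configuration preconditions this advisory spells out (transparent mode, an applied policy map with inspect skinny, and RIP together with a global media termination address) can be checked offline against saved running-configs. This is an added example, not Cisco code; the function names and the three sample configurations are constructed for illustration, and a match only shows that the precondition holds, not that the running release is an affected one.

```python
import re
from typing import Dict, List, Tuple

Stanza = Tuple[str, List[str]]


def parse_stanzas(config: str) -> List[Stanza]:
    """Group each top-level command with its indented sub-commands."""
    stanzas: List[Stanza] = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # blank line or "!" separator
        if line[0].isspace() and stanzas:
            stanzas[-1][1].append(line.strip())
        else:
            stanzas.append((line.strip(), []))
    return stanzas


def audit_asa_config(config: str) -> Dict[str, bool]:
    """Report which of the advisory's configuration preconditions hold."""
    stanzas = parse_stanzas(config)
    heads = [head for head, _ in stanzas]

    # A policy map only inspects traffic if a service-policy applies it,
    # either globally or on one interface.
    applied = set()
    for head in heads:
        m = re.match(r"service-policy (\S+) (?:global|interface \S+)$", head)
        if m:
            applied.add(m.group(1))
    sccp = any(
        head.startswith("policy-map ") and head.split()[-1] in applied
        and any(kid.split()[:2] == ["inspect", "skinny"] for kid in kids)
        for head, kids in stanzas
    )

    global_mta = False
    for head, kids in stanzas:
        for kid in kids:
            tok = kid.split()
            # 8.0/8.1: address sits under phone-proxy and is always global.
            if head.startswith("phone-proxy ") and tok[:2] == ["media-termination", "address"]:
                global_mta = True
            # 8.2+: global unless the address is tied to an interface.
            elif (head.startswith("media-termination ") and tok[:1] == ["address"]
                  and "interface" not in tok):
                global_mta = True

    return {
        "transparent_firewall": "firewall transparent" in heads,
        "sccp_inspection": sccp,
        "rip_with_global_mta": "router rip" in heads and global_mta,
    }


# Constructed sample: routed mode, 8.2-style global media termination address.
ROUTED_AFFECTED = """\
router rip
 network 192.0.2.0
!
media-termination mta1
 address 192.0.2.10
!
phone-proxy pp1
 media-termination mta1
!
policy-map global_policy
 class inspection_default
  inspect dns
  inspect skinny
!
service-policy global_policy global
"""

# Constructed sample: address tied to an interface, no SCCP inspection.
ROUTED_NOT_AFFECTED = """\
router rip
 network 192.0.2.0
!
media-termination mta1
 address 192.0.2.10 interface inside
!
policy-map global_policy
 class inspection_default
  inspect dns
!
service-policy global_policy global
"""

# Constructed sample: transparent mode, SCCP inspection applied per interface.
TRANSPARENT = """\
firewall transparent
!
policy-map voice_policy
 class inspection_default
  inspect skinny
!
service-policy voice_policy interface inside
"""

if __name__ == "__main__":
    for name, cfg in [("routed-affected", ROUTED_AFFECTED),
                      ("routed-not-affected", ROUTED_NOT_AFFECTED),
                      ("transparent", TRANSPARENT)]:
        print(name, audit_asa_config(cfg))
```

The SCCP check also applies to the FWSM advisory that follows, which describes the same inspect skinny configuration.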
[c-nsp] Cisco Security Advisory: Cisco Firewall Services Module Skinny Client Control Protocol Inspection Denial of Service Vulnerability
Cisco Security Advisory: Cisco Firewall Services Module Skinny Client Control Protocol Inspection Denial of Service Vulnerability

Document ID: 112893
Advisory ID: cisco-sa-20110223-fwsm
Revision 1.0
For Public Release 2011 February 23 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

A vulnerability exists in the Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers that may cause the Cisco FWSM to reload after processing a malformed Skinny Client Control Protocol (SCCP) message. Devices are affected when SCCP inspection is enabled.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20110223-fwsm.shtml.

Note: Cisco ASA 5500 Series Adaptive Security Appliances are affected by the vulnerability described in this advisory. A separate Cisco Security Advisory has been published to disclose this and other vulnerabilities that affect the Cisco ASA 5500 Series Adaptive Security Appliances. The advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20110223-asa.shtml.

Affected Products
=================

Vulnerable Products
+------------------

Versions 3.1.x, 3.2.x, 4.0.x, and 4.1.x of Cisco FWSM software are affected by this vulnerability if SCCP inspection is enabled. SCCP inspection is enabled by default.

To determine whether SCCP inspection is enabled, issue the show service-policy | include skinny command and confirm that the command returns output. Example output follows:

    fwsm#show service-policy | include skinny
          Inspect: skinny , packet 0, drop 0, reset-drop 0

Alternatively, a device that has SCCP inspection enabled has a configuration similar to the following:

    class-map inspection_default
     match default-inspection-traffic
    !
    policy-map global_policy
     class inspection_default
      ...
      inspect skinny
      ...
    !
    service-policy global_policy global

Note: The service policy could also be applied to a specific interface. (Global application is shown in the previous example.)

To determine the version of Cisco FWSM software that is running, issue the show module command from Cisco IOS Software or Cisco Catalyst Operating System Software to identify what modules and submodules are installed on the system.

The following example shows a system with a Cisco FWSM (WS-SVC-FWM-1) installed in slot 2:

    switch>show module
    Mod Ports Card Type                              Model              Serial No.
    --- ----- -------------------------------------- ------------------ -----------
      1    16 SFM-capable 16 port 1000mb GBIC        WS-X6516-GBIC      SAL06334NS9
      2     6 Firewall Module                        WS-SVC-FWM-1       SAD10360485
      3     8 Intrusion Detection System             WS-SVC-IDSM-2      SAD0932089Z
      4     4 SLB Application Processor Complex      WS-X6066-SLB-APC   SAD093004BD
      5     2 Supervisor Engine 720 (Active)         WS-SUP720-3B       SAL0934888E

    Mod MAC addresses                      Hw     Fw           Sw           Status
    --- ---------------------------------- ------ ------------ ------------ -------
      1 0009.11e3.ade8 to 0009.11e3.adf7   5.1    6.3(1)       8.5(0.46)RFW Ok
      2 0018.ba41.5092 to 0018.ba41.5099   4.0    7.2(1)       3.2(2)10     Ok
      3 0014.a90c.9956 to 0014.a90c.995d   5.0    7.2(1)       5.1(6)E1     Ok
      4 0014.a90c.66e6 to 0014.a90c.66ed   1.7                 4.2(3)       Ok
      5 0013.c42e.7fe0 to 0013.c42e.7fe3   4.4    8.1(3)       12.2(18)SXF1 Ok

    [...]

After locating the correct slot, issue the show module slot number command to identify the software version that is running, as shown in the following example:

    switch>show module 2
    Mod Ports Card Type                              Model              Serial No.
    --- ----- -------------------------------------- ------------------ -----------
      2     6 Firewall Module                        WS-SVC-FWM-1       SAD10360485

    Mod MAC addresses                      Hw     Fw           Sw           Status
    --- ---------------------------------- ------ ------------ ------------ -------
      2 0018.ba41.5092 to 0018.ba41.5099   4.0    7.2(1)       3.2(2)10     Ok

    [...]

The preceding example shows that the FWSM is running software version 3.2(2)10 as indicated by the Sw column.

Note: Recent versions of Cisco IOS Software will show the software version of each module in the output from the show module command; therefore, executing the show module slot number command is not necessary.

If a Virtual Switching System (VSS) is used to allow two physical Cisco Catalyst 6500 Series Switches to operate as a single logical virtual switch, the show module switch all command can display the software version of all
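The two checks this advisory describes (the Sw column of show module for the FWSM slot, and whether show service-policy | include skinny returns output) can be scripted over collected command output. This is an added example, not Cisco's code: the sample output is constructed from the advisory's example, and the function names are hypothetical. It assumes one FWSM per chassis and only identifies the release train, so a flagged module still has to be compared with the fixed releases listed in the full advisory.

```python
import re

# Affected FWSM release trains as listed in the advisory text.
AFFECTED_TRAINS = {"3.1", "3.2", "4.0", "4.1"}
FWSM_MODEL = "WS-SVC-FWM-1"  # model string from the advisory's example

# Constructed sample modelled on the advisory's 'show module' example.
# Slot 4 has an empty Fw column, so splitting rows on whitespace would
# shift its Sw value into the wrong field.
SHOW_MODULE = """\
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  2     6 Firewall Module                        WS-SVC-FWM-1       SAD10360485
  4     4 SLB Application Processor Complex      WS-X6066-SLB-APC   SAD093004BD
  5     2 Supervisor Engine 720 (Active)         WS-SUP720-3B       SAL0934888E

Mod MAC addresses                      Hw     Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  2 0018.ba41.5092 to 0018.ba41.5099   4.0    7.2(1)       3.2(2)10     Ok
  4 0014.a90c.66e6 to 0014.a90c.66ed   1.7                 4.2(3)       Ok
  5 0013.c42e.7fe0 to 0013.c42e.7fe3   4.4    8.1(3)       12.2(18)SXF1 Ok
"""

# Constructed sample of 'show service-policy | include skinny' on the FWSM.
SERVICE_POLICY = "      Inspect: skinny , packet 0, drop 0, reset-drop 0\n"


def parse_fixed_width(text):
    """Parse each header/ruler/rows table, slicing rows at the ruler's dash runs."""
    lines = text.splitlines()
    tables, i = [], 1
    while i < len(lines):
        ruler = lines[i].strip()
        if ruler and set(ruler) <= {"-", " "} and lines[i - 1].strip():
            spans = [m.span() for m in re.finditer(r"-+", lines[i])]
            spans[-1] = (spans[-1][0], None)  # last column runs to end of line
            names = [lines[i - 1][a:b].strip() for a, b in spans]
            rows, i = [], i + 1
            while i < len(lines) and lines[i].strip():
                rows.append({n: lines[i][a:b].strip()
                             for n, (a, b) in zip(names, spans)})
                i += 1
            tables.append(rows)
        else:
            i += 1
    return tables


def fwsm_versions(show_module_text):
    """Return {slot: Sw version} for each FWSM, joining the two tables on Mod."""
    by_slot = {}
    for table in parse_fixed_width(show_module_text):
        for row in table:
            by_slot.setdefault(row["Mod"], {}).update(row)
    return {slot: r["Sw"] for slot, r in by_slot.items()
            if r.get("Model") == FWSM_MODEL and r.get("Sw")}


def in_affected_train(sw_version):
    """True if a version such as '3.2(2)10' is in a train the advisory lists."""
    m = re.match(r"(\d+\.\d+)\(", sw_version)
    return bool(m) and m.group(1) in AFFECTED_TRAINS


def sccp_inspection_enabled(service_policy_output):
    """The advisory's check: the filtered command returned an Inspect line."""
    return bool(re.search(r"^\s*Inspect:\s*skinny\b", service_policy_output, re.M))


def triage(show_module_text, service_policy_output):
    """Report each FWSM and whether both conditions from the advisory hold."""
    sccp = sccp_inspection_enabled(service_policy_output)
    return [{"slot": slot, "sw": sw,
             "affected_train": in_affected_train(sw),
             "sccp_inspection": sccp,
             "needs_review": sccp and in_affected_train(sw)}
            for slot, sw in fwsm_versions(show_module_text).items()]


if __name__ == "__main__":
    for finding in triage(SHOW_MODULE, SERVICE_POLICY):
        print(finding)
```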
[c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco TelePresence Endpoint Devices
Cisco Security Advisory: Multiple Vulnerabilities in Cisco TelePresence Endpoint Devices

Advisory ID: cisco-sa-20110223-telepresence-cts
Revision 1.0
For Public Release 2011 February 23 1600

+---------------------------------------------------------------------

Summary
=======

Multiple vulnerabilities exist in the Cisco TelePresence solution; each component of the solution is addressed independently in its own advisory. This advisory addresses Cisco TelePresence endpoint devices and details the following vulnerabilities:

  * Unauthenticated Common Gateway Interface (CGI) Access
  * CGI Command Injection
  * TFTP Information Disclosure
  * Malicious IP Address Injection
  * XML-Remote Procedure Call (RPC) Command Injection
  * Cisco Discovery Protocol Remote Code Execution

Duplicate Issue Identification in Other Cisco TelePresence Advisories
+--------------------------------------------------------------------

The Cisco Discovery Protocol Remote Code Execution vulnerability affects Cisco TelePresence endpoint devices, Manager, Multipoint Switch, and Recording Server. The defect that is related to each component is covered in each associated advisory. The Cisco bug IDs for these defects are as follows:

  * Cisco TelePresence endpoint devices (CSCtd75754)
  * Cisco TelePresence Manager (CSCtd75761)
  * Cisco TelePresence Multipoint Switch (CSCtd75766)
  * Cisco TelePresence Recording Server (CSCtd75769)

This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20110223-telepresence-cts.shtml

Affected Products
=================

One or more of these vulnerabilities affect all Cisco TelePresence endpoint systems that are running a release of Cisco TelePresence software prior to 1.7.1.

The following table provides information that pertains to affected software releases:

+------------------------------------------------+--------------+------------------------------------------+
| Description                                    | Cisco Bug ID | Affected Software Releases               |
+------------------------------------------------+--------------+------------------------------------------+
| Unauthenticated CGI Access                     | CSCtb31640   | 1.2.x, 1.3.x, 1.4.x, 1.5.x               |
| CGI Command Injection                          | CSCtb31685   | 1.2.x, 1.3.x, 1.4.x, 1.5.x               |
| CGI Command Injection                          | CSCtb31659   | 1.2.x, 1.3.x, 1.4.x, 1.5.x               |
| CGI Command Injection                          | CSCth24671   | 1.2.x, 1.3.x, 1.4.x, 1.5.x, 1.6.x        |
| TFTP Information Disclosure                    | CSCte43876   | 1.2.x, 1.3.x, 1.4.x, 1.5.x, 1.6.0, 1.6.1 |
| Malicious IP Address Injection                 | CSCth03605   | 1.2.x, 1.3.x, 1.4.x, 1.5.x, 1.6.x        |
| XML-RPC Command Injection                      | CSCtb52587   | 1.2.x, 1.3.x, 1.4.x, 1.5.x               |
| Cisco Discovery Protocol Remote Code Execution | CSCtd75754   | 1.2.x, 1.3.x, 1.4.x, 1.5.x, 1.6.x        |
+------------------------------------------------+--------------+------------------------------------------+

Vulnerable Products
+------------------

The following Cisco TelePresence endpoint systems that are running an affected version of software are vulnerable: Cisco TelePresence System 500 Series, 1300 Series, 3000 Series, and 3200 Series and Cisco TelePresence System 1000 and 1100.

To determine the current version of software that is running on the endpoint, access the device via SSH and issue the show version command. The output should resemble the following example. The version that is active on the system will be marked by an asterisk character (*).

    admin: show version
    primary
       Factory   CTS 1.4.2(2194)
      *Slot 1    CTS 1.7.1(4750) P1
       Slot 2    CTS 1.6.2(2835) P1
    admin:

In the preceding example, the system has versions 1.4.2, 1.6.2, and 1.7.1 loaded on the device and version 1.7.1 is currently active. A device is affected only by vulnerabilities that are present in the active software
[c-nsp] Log Egress IP packet delivered via legacy inject pat
Am getting numerous logs with the following message:

    Feb 23 20:54:02: %LSMPI-4-INJECT_FEATURE_ESCAPE: Egress IP packet delivered via legacy inject pat

Can't seem to make heads or tails of it. Kindly assist.

Regards,
Righa Shake
Re: [c-nsp] cisco 6500 and 40G
On 23/02/2011 18:57, Dinesh wrote:
> Does Cisco 6500 (6500-E) support 40G interface ?

Not currently, no.

Nick
[c-nsp] debug to see what IP is trying to log in via telnet
hi,

okay...i appear to have mislaid some memory cells over the past month which coincides with a major bout of unable to drive google/bing or cisco.com properly(!) ;-)

basically, auth logs show a device somewhere is trying to log into some switches with wrong user/pass. and I can't recall/dig how to debug on the switch to see what IP is causing the mischief

the obvious 'debug telnet' only debugs the negotiation/method/junk rather than provide anything useful... any chance someone can throw me a line to jog my memory on this score?

cheers

alan
Re: [c-nsp] debug to see what IP is trying to log in via telnet
wouldn't the IP of the host it speaks of be in the logs? or does it just say failed log in from somewhere out on the network…?

my logs have a src…

    %SEC-6-IPACCESSLOGP: list denied tcp 88.243.16.148(3900) -> 10.142.7.1(23), 1 packet

-g

On Feb 23, 2011, at 2:40 PM, Alan Buxey wrote:
> hi,
>
> okay...i appear to have mislaid some memory cells over the past month which coincides with a major bout of unable to drive google/bing or cisco.com properly(!) ;-)
>
> basically, auth logs show a device somewhere is trying to log into some switches with wrong user/pass. and I can't recall/dig how to debug on the switch to see what IP is causing the mischief
>
> the obvious 'debug telnet' only debugs the negotiation/method/junk rather than provide anything useful... any chance someone can throw me a line to jog my memory on this score?
>
> cheers
>
> alan
Re: [c-nsp] debug to see what IP is trying to log in via telnet
Hi,

> wouldn't the IP of the host it speaks of be in the logs? or does it just say failed log in from somewhere out on the network…?
>
> my logs have a src…
>
> %SEC-6-IPACCESSLOGP: list denied tcp 88.243.16.148(3900) -> 10.142.7.1(23), 1 packet

the device is on a legit bit of network so will be allowed by the current VTY/management plane ACLs ... AAA system sees query from the switch not from the originator of the login.

it's trivial i know that (which is the frustrating part! :-) )

however, scanning some login/security docs on cisco.com tonight has been a nice refresher of some other things that need to be put onto a work schedule! :-)

alan
Re: [c-nsp] debug to see what IP is trying to log in via telnet
Hi Alan,

The following command might help. It needs aaa new-model to be enabled I believe.

    login on-failure log

    Feb 23 21:46:23.922: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: test] [Source: 10.0.0.1] [localport: 22] [Reason: Login Authentication Failed] at 21:46:23 CET Wed Feb 23 2011

Tested on 12.2(33)SXI3, 12.2(53)SE and 15.0(1)M4.

http://www.cisco.com/en/US/docs/ios/12_3t/secur/command/reference/sec_k1gt.html#wp1180994

Best regards,
Andras

On Wed, Feb 23, 2011 at 8:40 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
> hi,
>
> okay...i appear to have mislaid some memory cells over the past month which coincides with a major bout of unable to drive google/bing or cisco.com properly(!) ;-)
>
> basically, auth logs show a device somewhere is trying to log into some switches with wrong user/pass. and I can't recall/dig how to debug on the switch to see what IP is causing the mischief
>
> the obvious 'debug telnet' only debugs the negotiation/method/junk rather than provide anything useful... any chance someone can throw me a line to jog my memory on this score?
>
> cheers
>
> alan
Re: [c-nsp] debug to see what IP is trying to log in via telnet
On Wed, Feb 23, 2011 at 14:21, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>> wouldn't the IP of the host it speaks of be in the logs? or does it just say failed log in from somewhere out on the network…?
>>
>> my logs have a src…
>>
>> %SEC-6-IPACCESSLOGP: list denied tcp 88.243.16.148(3900) -> 10.142.7.1(23), 1 packet
>
> the device is on a legit bit of network so will be allowed by the current VTY/management plane ACLs ... AAA system sees query from the switch not from the originator of the login.
>
> it's trivial i know that (which is the frustrating part! :-) )

You can log the successful ACL attempts too, even though the login failed. This is provided the box is not too overly active with valid login attempts.

    ! "permit any" matches every source; "permit 0.0.0.0 0.0.0.0" would match
    ! only the address 0.0.0.0 and deny all other VTY connections
    access-list 80 permit any log
    line vty 0 4
     access-class 80 in

Then you get a log like so, indicating the ACL was passed, not necessarily that a login was completed:

    Aug 14 09:34:45.082 CDT: %SEC-6-IPACCESSLOGS: list 80 permitted x.x.x.x 2 packets

HTH,
Andy
Re: [c-nsp] debug to see what IP is trying to log in via telnet
This seems to come back with the info in the log:

    login on-failure log

sh log shows this:

    Feb 23 15:39:53.667: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: X.X.X.X] [localport: 23] [Reason: Login Authentication Failed] at 15:39:53 EST Wed Feb 23 2011

Thanks,
Erik

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Alan Buxey
Sent: Wednesday, February 23, 2011 3:22 PM
To: Greg Whynott
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] debug to see what IP is trying to log in via telnet

Hi,

> wouldn't the IP of the host it speaks of be in the logs? or does it just say failed log in from somewhere out on the network…?
>
> my logs have a src…
>
> %SEC-6-IPACCESSLOGP: list denied tcp 88.243.16.148(3900) -> 10.142.7.1(23), 1 packet

the device is on a legit bit of network so will be allowed by the current VTY/management plane ACLs ... AAA system sees query from the switch not from the originator of the login.

it's trivial i know that (which is the frustrating part! :-) )

however, scanning some login/security docs on cisco.com tonight has been a nice refresher of some other things that need to be put onto a work schedule! :-)

alan
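The %SEC_LOGIN-4-LOGIN_FAILED and %SEC-6-IPACCESSLOGS messages quoted in this thread can be aggregated per source address to find the host behind repeated failed logins, including the case above where the user field is empty. This is an added example, not code from any poster: the log lines are constructed with documentation addresses, and the function names, the 60-second window, the threshold of three and the year supplied for the year-less syslog timestamp are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the message formats quoted in the thread.
# Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Feb 23 21:46:20.101: %SEC-6-IPACCESSLOGS: list 80 permitted 192.0.2.10 1 packet
Feb 23 21:46:23.922: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: test] [Source: 192.0.2.10] [localport: 23] [Reason: Login Authentication Failed] at 21:46:23 CET Wed Feb 23 2011
Feb 23 21:46:31.410: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 192.0.2.10] [localport: 23] [Reason: Login Authentication Failed] at 21:46:31 CET Wed Feb 23 2011
Feb 23 21:46:40.007: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 23] [Reason: Login Authentication Failed] at 21:46:40 CET Wed Feb 23 2011
Feb 23 21:47:02.300 CET: %SEC-6-IPACCESSLOGS: list 80 permitted 198.51.100.7 2 packets
Feb 23 21:50:00.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.50)
Feb 23 21:52:15.500: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ops] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 21:52:15 CET Wed Feb 23 2011
Feb 23 22:10:44.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ops] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 22:10:44 CET Wed Feb 23 2011
"""

# Syslog header: "Mon DD HH:MM:SS[.mmm][ TZ]: " with no year.
STAMP = r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d(?:\.\d+)?)(?: [A-Z]{2,5})?: "
FAILED = re.compile(
    STAMP + r"%SEC_LOGIN-4-LOGIN_FAILED: Login failed \[user: (?P<user>[^\]]*)\] "
    r"\[Source: (?P<src>[^\]]+)\] \[localport: (?P<port>\d+)\]")
PERMIT = re.compile(
    STAMP + r"%SEC-6-IPACCESSLOGS: list (?P<acl>\S+) permitted "
    r"(?P<src>\S+) (?P<count>\d+) packets?")


def parse_stamp(ts, year):
    """Turn the year-less header timestamp into a datetime (year is assumed)."""
    fmt = "%Y %b %d %H:%M:%S.%f" if "." in ts else "%Y %b %d %H:%M:%S"
    return datetime.strptime(f"{year} {ts}", fmt)


def parse_events(text, year=2011):
    """Extract failed-login and VTY ACL permit events; other lines are ignored."""
    events = []
    for line in text.splitlines():
        for kind, rx in (("failed", FAILED), ("permit", PERMIT)):
            m = rx.match(line)
            if m:
                ev = m.groupdict()
                ev["kind"] = kind
                ev["time"] = parse_stamp(ev.pop("ts"), year)
                events.append(ev)
                break
    return events


def busiest_window(times, window):
    """Largest number of events inside any span of length 'window'."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def summarize(events, window=timedelta(seconds=60)):
    """Per-source view: failures, usernames tried, ports, ACL permit packets."""
    acc = defaultdict(lambda: {"users": set(), "ports": set(),
                               "packets": 0, "times": []})
    for ev in events:
        s = acc[ev["src"]]
        if ev["kind"] == "failed":
            s["users"].add(ev["user"] or "<empty>")
            s["ports"].add(int(ev["port"]))
            s["times"].append(ev["time"])
        else:
            s["packets"] += int(ev["count"])
    return {src: {"failures": len(s["times"]),
                  "users": sorted(s["users"]),
                  "ports": sorted(s["ports"]),
                  "acl_permitted_packets": s["packets"],
                  "peak_failures_in_window": busiest_window(s["times"], window)}
            for src, s in acc.items()}


def flag_sources(summary, threshold=3):
    """Sources whose failures reach the threshold inside one window."""
    return sorted(src for src, s in summary.items()
                  if s["peak_failures_in_window"] >= threshold)


if __name__ == "__main__":
    report = summarize(parse_events(SAMPLE_LOG))
    for src in flag_sources(report):
        print(src, report[src])
```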
Re: [c-nsp] debug to see what IP is trying to log in via telnet
Hi,

> This seems to come back with the info in the log:
>
> login on-failure log
>
> sh log shows this:
>
> Feb 23 15:39:53.667: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: X.X.X.X] [localport: 23] [Reason: Login Authentication Failed] at 15:39:53 EST Wed Feb 23 2011

oh, if only all devices had that option :-) works fine on 6500's but no show on 29xx it seems. oh well, I'm going to sniff a trunk link tomorrow

alan
Re: [c-nsp] debug to see what IP is trying to log in via telnet
Hi,

> You can log the successful ACL attempts too, even though the login

..of course! i'm always thinking of logging the bad things. thanks!

alan
Re: [c-nsp] cisco 6500 and 40G
On 23/02/2011 22:07, Dinesh wrote:
> Thanks
>
> one of link on cisco website showed 2010 as the time line for 40G on 6500. if you know of the current time line ? is there any 40G planned for Cisco7606 ?

40G support depends on the sup2t, which has been delayed for some years. Cisco say it's due out soon.

Nick
[c-nsp] RFC 1483 Bridged to PPPoE migration with Cisco 7401
We’re currently aggregating DSL connections with a Cisco 7401 using RFC 1483 bridged. We want to migrate from bridged to PPPoE and authenticate and assign IP addresses with RADIUS. We’re looking for sample configurations which have both 1483 bridged and PPPoE interfaces on the same box. We'd like to use either ranges and pvc-in-range subinterfaces as shown below, or a fresh configuration without ranges where we can replace a bridged subinterface with a PPPoE one for the same pvc.

We’re using ranges of pvcs to create subinterfaces like this ...

    interface ATM1/0
     no ip address
     atm scrambling cell-payload
     atm framing cbitplcp
     no atm ilmi-keepalive

    interface ATM1/0.285 point-to-point
     description RBE Subinterface Range2
     ip unnumbered Loopback1
     atm route-bridged ip
     range RANGE2 pvc 1/285 1/537
      encapsulation aal5snap
     !
     pvc-in-range samuel 1/357
      class-vc atm
      encapsulation aal5autoppp Virtual-Template1
      no protocol ip inarp
      protocol pppoe

    ip route 44.133.56.79 255.255.255.255 ATM1/0.356
    ip route 44.133.56.80 255.255.255.255 ATM1/0.357
    ip route 44.133.56.78 255.255.255.255 ATM1/0.358

We’ve now got RADIUS authenticating and returning the Framed-IP-Address and Framed-Netmask in the accept packet. But the 7401 doesn’t apply the IP address to the generated virtual interface.

7401 debug statements follow

    Feb 21 2011 21:31:47.359 UTC: RADIUS: Received from id 1645/177 44.133.224.78:1645, Access-Accept, len 44
    Feb 21 2011 21:31:47.359 UTC: RADIUS: authenticator 79 20 DE 47 35 51 D2 3F - 6C 92 4B E4 91 33 5F D9
    Feb 21 2011 21:31:47.359 UTC: RADIUS: Service-Type[6] 6 Framed [2]
    Feb 21 2011 21:31:47.359 UTC: RADIUS: Framed-Protocol [7] 6 PPP [1]
    Feb 21 2011 21:31:47.359 UTC: RADIUS: Framed-IP-Address [8] 6 44.133.226.74 === User address
    Feb 21 2011 21:31:47.359 UTC: RADIUS: Framed-IP-Netmask [9] 6 255.255.255.255
    ...
    Feb 21 2011 22:26:19.520 UTC: Vi3.1 PPP: Phase is UP
    Feb 21 2011 22:26:19.520 UTC: Vi3.1 IPCP: O CONFREQ [Closed] id 1 len 10
    Feb 21 2011 22:26:19.520 UTC: Vi3.1 IPCP:    Address 44.133.224.36 (0x03344175E024)
    Feb 21 2011 22:26:19.520 UTC: Vi3.1 PPP: Process pending ncp packets
    Feb 21 2011 22:26:19.560 UTC: Vi3.1 IPCP: I CONFREQ [REQsent] id 1 len 22
    Feb 21 2011 22:26:19.560 UTC: Vi3.1 IPCP:    Address 0.0.0.0 (0x0306)
    Feb 21 2011 22:26:19.560 UTC: Vi3.1 IPCP:    PrimaryDNS 0.0.0.0 (0x8106)
    Feb 21 2011 22:26:19.560 UTC: Vi3.1 IPCP:    SecondaryDNS 0.0.0.0 (0x8306)
    Feb 21 2011 22:26:19.560 UTC: Vi3.1 IPCP: No peer address configured
    Feb 21 2011 22:26:19.560 UTC: Vi3.1 IPCP: Neither side knows remote address
    Feb 21 2011 22:26:19.560 UTC: Vi3.1 IPCP: O CONFREJ [REQsent] id 1 len 10
    Feb 21 2011 22:26:19.560 UTC: Vi3.1 IPCP:    Address 0.0.0.0 (0x0306)
    Feb 21 2011 22:26:19.564 UTC: Vi3.1 IPCP: I CONFACK [REQsent] id 1 len 10
    Feb 21 2011 22:26:19.564 UTC: Vi3.1 IPCP:    Address 44.133.224.36 (0x03344175E024)
    Feb 21 2011 22:26:19.604 UTC: Vi3.1 IPCP: I CONFREQ [ACKrcvd] id 2 len 26
    Feb 21 2011 22:26:19.604 UTC: Vi3.1 IPCP:    Addresses(Deprecated) 0.0.0.0 0.0.0.0 (0x010A) === Missing user address
    Feb 21 2011 22:26:19.604 UTC: Vi3.1 IPCP:    PrimaryDNS 0.0.0.0 (0x8106)
    Feb 21 2011 22:26:19.604 UTC: Vi3.1 IPCP:    SecondaryDNS 0.0.0.0 (0x8306)
    Feb 21 2011 22:26:19.604 UTC: Vi3.1 IPCP: No peer address configured
    Feb 21 2011 22:26:19.604 UTC: Vi3.1 IPCP: Neither side knows remote address
    Feb 21 2011 22:26:19.604 UTC: Vi3.1 IPCP: O CONFREJ [ACKrcvd] id 2 len 14
    Feb 21 2011 22:26:19.604 UTC: Vi3.1 IPCP:    Addresses(Deprecated) 0.0.0.0 0.0.0.0 (0x010A) === Missing user address
    Feb 21 2011 22:26:19.644 UTC: Vi3.1 IPCP: I CONFREQ [ACKrcvd] id 3 len 16
    Feb 21 2011 22:26:19.644 UTC: Vi3.1 IPCP:    PrimaryDNS 0.0.0.0 (0x8106)
    Feb 21 2011 22:26:19.644 UTC: Vi3.1 IPCP:    SecondaryDNS 0.0.0.0 (0x8306)
    Feb 21 2011 22:26:19.648 UTC: Vi3.1 IPCP: O CONFNAK [ACKrcvd] id 3 len 16
    Feb 21 2011 22:26:19.648 UTC: Vi3.1 IPCP:    PrimaryDNS 44.133.224.77 (0x45388375E04D)
    Feb 21 2011 22:26:19.648 UTC: Vi3.1 IPCP:    SecondaryDNS 44.133.224.80 (0x43877575E050)
    Feb 21 2011 22:26:19.688 UTC: Vi3.1 IPCP: I CONFREQ [ACKrcvd] id 4 len 16
    Feb 21 2011 22:26:19.688 UTC: Vi3.1 IPCP:    PrimaryDNS 44.133.224.77 (0x45388375E04D)
    Feb 21 2011 22:26:19.688 UTC: Vi3.1 IPCP:    SecondaryDNS 44.133.224.80 (0x43877575E050)
    Feb 21 2011 22:26:19.688 UTC: Vi3.1 IPCP: O CONFACK [ACKrcvd] id 4 len 16
    Feb 21 2011 22:26:19.688 UTC: Vi3.1 IPCP:    PrimaryDNS 44.133.224.77 (0x45388375E04D)
    Feb 21 2011 22:26:19.688 UTC: Vi3.1 IPCP:    SecondaryDNS 44.133.224.80 (0x43877575E050)
    Feb 21 2011 22:26:19.688 UTC: Vi3.1 IPCP: State is Open
    Feb 21 2011 22:26:19.732 UTC: Vi3.1 IPCP: I TERMREQ [Open] id 5 len 40

Following is the 7401's configuration

    version 12.3
    no service dhcp
    !
    hostname cisco7401asr
    !
    boot-start-marker
    boot
Re: [c-nsp] cisco 6500 and 40G
On Wed, 2011-02-23 at 14:07 -0800, Dinesh wrote:
> one of link on cisco website showed 2010 as the time line for 40G on 6500. if you know of the current time line ?

Just like Sup2T and N7k MPLS, it's permanently available at the end of $(( $current_month + 4 )) or something. :-)

-- 
Peter
[c-nsp] Bonded T3 Bandwidth issue
I have a bonded T3 that I have never been able to get over 45mbs. I have been on the phone with my ISP and they are able to verify that both circuits work and they feel bonded circuits are working fine and that any problem is on my side.

Does anybody know what could cause a bonded T3 not to be able to deliver bandwidth over 45 mbs?

o I am testing this circuit with a udp client/server transfer program with the server on an att circuit that can more than handle 100 mbs.
o I have tried to hit the bonded t3 with multiple isps just in case it is an isp to isp thing. The t3's never go over 45 mbs.
o I have run multiple speed test.net benchmarks and they never show any speed faster than 45mbs (They work with my att circuit which leads me to believe that they are semi reliable)

Any help is appreciated!
Re: [c-nsp] Bonded T3 Bandwidth issue
On Wed, Feb 23, 2011 at 8:40 PM, Lawrence cisco-...@theindianmaiden.com wrote:
> I have a bonded T3 that I have never been able to get over 45mbs. I have been on the phone with my ISP and they are able to verify that both circuits work and they feel bonded circuits are working fine and that any problem is on my side.
>
> Does anybody know what could cause a bonded T3 not to be able to deliver bandwidth over 45 mbs?
>
> o I am testing this circuit with a udp client/server transfer program with the server on an att circuit that can more than handle 100 mbs.
> o I have tried to hit the bonded t3 with multiple isps just in case it is an isp to isp thing. The t3's never go over 45 mbs.
> o I have run multiple speed test.net benchmarks and they never show any speed faster than 45mbs (They work with my att circuit which leads me to believe that they are semi reliable)

What type of router do you have these circuits connected to?
[c-nsp] Multicast Packet Loss over GRE
Hi All,

Was hoping someone can provide some advice with regards to troubleshooting a particularly painful multicast issue. The set up isn't particularly complex:

    Servers - Switch - Tunnel router (RP) - GRE over WAN - Tunnel router - Switch - Servers

The tunnel router interfaces have been configured with the TCP mss adjust mtu command and set to 1400.

Everything's been up and working for a year but recently we've been experiencing issues with mcast and can see dropped packets when using a sniffer on the server. The suspicion lies with the WAN provider who has recently made changes but extended pings/sweeps over the WAN shows no drops.

Has anyone any ideas or experience on how to troubleshoot packet loss over GRE for multicast?

Regards,
David
Re: [c-nsp] Bonded T3 Bandwidth issue
How have you bonded the DS3? Typically load balancing on cisco boxes are per session so you will never get over anything beyond the speed of the link (45Mb/s). In order to do something beyond that, you need to load balance per packet. I wrote up this paper in '96 about how to do this with DS1s. The same applies with DS3s.

http://www.lns.com/papers/netload/

Tim

on 2/23/11 7:40 PM Lawrence said the following:
> I have a bonded T3 that I have never been able to get over 45mbs. I have been on the phone with my ISP and they are able to verify that both circuits work and they feel bonded circuits are working fine and that any problem is on my side.
>
> Does anybody know what could cause a bonded T3 not to be able to deliver bandwidth over 45 mbs?
>
> o I am testing this circuit with a udp client/server transfer program with the server on an att circuit that can more than handle 100 mbs.
> o I have tried to hit the bonded t3 with multiple isps just in case it is an isp to isp thing. The t3's never go over 45 mbs.
> o I have run multiple speed test.net benchmarks and they never show any speed faster than 45mbs (They work with my att circuit which leads me to believe that they are semi reliable)
>
> Any help is appreciated!

-- 
GPG Fingerprint: 4821 CFDA 06E7 49F3 BF05 3F02 11E3 390F 8338 5B04
http://www.lns.com/house/pozar/pozar_4096_rsa_public.asc
Re: [c-nsp] Bonded T3 Bandwidth issue
Keep in mind the Windows TCP scaling limitations, with default window sizes an RTT of 10ms gives you a maximum of 52Mbps.

http://cisconet.com/traffic-analysis/throughput/104-tcp-throughput-calculation-formula.html

I am seeing a lot of this as customer bandwidth demands increase, this is the reason for the very expensive layer 7 acceleration devices like Cisco WAAS.

Stevan

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Lawrence
Sent: Wednesday, February 23, 2011 10:40 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Bonded T3 Bandwidth issue

I have a bonded T3 that I have never been able to get over 45mbs. I have been on the phone with my ISP and they are able to verify that both circuits work and they feel bonded circuits are working fine and that any problem is on my side.

Does anybody know what could cause a bonded T3 not to be able to deliver bandwidth over 45 mbs?

o I am testing this circuit with a udp client/server transfer program with the server on an att circuit that can more than handle 100 mbs.
o I have tried to hit the bonded t3 with multiple isps just in case it is an isp to isp thing. The t3's never go over 45 mbs.
o I have run multiple speed test.net benchmarks and they never show any speed faster than 45mbs (They work with my att circuit which leads me to believe that they are semi reliable)

Any help is appreciated!