[c-nsp] Cisco 7304-NSE-100 used as a border BGP router
I have a customer who wishes to be multi-homed with us and another Service Provider and wishes to have 2 full views. We proposed a Cisco 7206VXR-NPE-G1 with 1Gb/256 and the other vendor (a small ISP) provided him with a 7304-NSE-100 and a SPA2-1Gb card as a solution. He has 1Gb with 100Mb commit Metro-E from both providers.

Surprisingly, I had never seen a 7304 before used for anything but MPLS tunnel termination. When I looked it up on the Cisco router performance chart, it shows the NSE-100 at about 3 times the performance of the NPE-G1, but it uses PXF instead of just plain old CEF.

Questions:
1. What is PXF in comparison to normal CEF?
2. Will this router be able to route 500Mb/sec while processing BGP tables?
3. Is there something special about this 7304 that I am missing?
4. Is the 7304 ok with IPv6 and IPv6 BGP?
5. Is this a good choice for a customer router?

Thoughts and comments are appreciated.

Ralph

___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] pppoe - different speed DSL customers
Can DSL customers be separated based on speed in Cisco PPPoE?

Thanks for any clues on this.

Regards
Re: [c-nsp] Cisco 7304-NSE-100 used as a border BGP router
> Questions:
> 3. Is there something special about this 7304 that I am missing?

It's an old deprecated product which went End of Sale on July 4, 2010.

> 5. Is this a good choice for a customer router?

I would rather choose an ASR1001. It's a modern platform and does out-perform a 7304 in every aspect. As the 7304 is EoS, I can't compare cost, but the ASR1001 is quite reasonably priced.

--
Pelle

RFC1925, truth 11: Every old idea will be proposed again with a different name and a different presentation, regardless of whether it works.
Re: [c-nsp] Cisco 7304-NSE-100 used as a border BGP router
On (2011-10-04 23:21 -0700), puck-...@interworld.net wrote:
> I have a customer who wishes to be multi-homed with us and another Service Provider and wishes to have 2 full views. We proposed a Cisco 7206VXR-NPE-G1 with 1Gb/256 and the other vendor (a small ISP) provided him with a 7304-NSE-100 and a SPA2-1Gb card as a solution. He has 1Gb with 100Mb commit Metro-E from both providers.
>
> Surprisingly, I had never seen a 7304 before used for anything but MPLS tunnel termination. When I looked it up on the Cisco router performance chart it shows the NSE-100 about 3 times the performance of the NPE-G1 but uses PXF instead of just plain old CEF.

3.5Mpps is for single pass; quite many things force two pass and halve performance. The platform is at its best at relatively basic IP termination with QoS; there, when compared to VXR, it offers superior and predictable performance, when VXR and QoS at any non-trivial scale typically spell problems.

> 1. What is PXF in comparison to normal CEF?

PXF is an NPU, i.e. application-specific hardware, so it has better performance than a CPU. CEF means just FIB in Cisco speak, but in this context you intend it to mean any software processing.

> 2. Will this router be able to route 500Mb/sec while processing BGP tables?

Yes. But it won't eat a full BGP table.

> 3. Is there something special about this 7304 that I am missing?

It's a dead platform, as is VXR soon. I wouldn't deploy them; having said that, if someone wants to buy them, I'm happy to sell :)

> 4. Is the 7304 ok with IPv6 and IPv6 BGP?

Yeah, it does IPv6 in hardware.

> 5. Is this a good choice for a customer router?

No, it's not a particularly good choice anywhere anymore.

--
  ++ytti
Re: [c-nsp] C7600 vs. ASR 9000
On Tue, 4 Oct 2011, Mack McBride wrote:

> The 9K uses a crossbar fabric evolved from the 6500/7600 (not the same as the GSR - CRS evolved fabric). The port interface chips are the same. The NPU chip is the same as used in the ES cards. Primary difference is in the way the FIB is run on the 9K vs DFC on the 7600. Basically the 9K uses the NPU to do more than the 7600, so it is in a lot of ways more efficient, but it is also more 'software' based (not necessarily a bad thing as it is more flexible).
>
> Being evolved from the 7600 should give users confidence that it is solid. That is a good thing. But it isn't so revolutionary that the 7600 is completely obsolete. After discounts the 9K still costs more but has a longer life expectancy.

After some calculation: ASR 9006 with 6-8 10 GE and 20 GE is slightly cheaper on list prices than C7606 with a similar amount of ports with ES+ cards.

The only problem I see at the moment is the software upgrade on ASR9K IOS-XR. Most of the time one software upgrade requires two reboots (each ~10 minutes). In C7600/C6500 we could do a software upgrade most of the time with RP switchover in under 2 minutes.

Best Regards,
Janos Mohacsi

> Mack
>
> -----Original Message-----
> From: Jason Lixfeld [mailto:ja...@lixfeld.ca]
> Sent: Monday, October 03, 2011 10:27 PM
> To: Mack McBride
> Cc: mti...@globaltransit.net; cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] C7600 vs. ASR 9000
>
> On 2011-10-03, at 11:37 PM, Mack McBride wrote:
>
>> The 7600 and ASR9000 use a lot of similar hardware (Cisco didn't reinvent the wheel, they just added rims).
>
> Where?
>
>> The ASR line cards resemble the ES series on the 7600.
>
> Where? If one is using an ES port on a 7600, I'd assume one is likely using EVCs on said port. The ES ports on the 7600s do not support SPAN on a physical interface that is configured with EVCs. The ASR9k thankfully supports this extremely basic feature.
>
> The 7600 ES port's lack of SPAN on an EVC would lead me to believe that the ASIC controlling the ES is very different than the ASIC controlling the ASR linecards.
Re: [c-nsp] pppoe - different speed DSL customers
Can you define "separated"?

Basically, you can have a user policy (per user or user group) on your AAA server (RADIUS) with different policies such as QoS, IP assignment, VRF selection and many other options...

Arie

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of K bharathan
Sent: Wednesday, October 05, 2011 09:01
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] pppoe - different speed DSL customers

> Can DSL customers be separated based on speed in Cisco PPPoE?
>
> Thanks for any clues on this.
>
> Regards
[c-nsp] CPU utilization for handling interrupt
Hi,

I'm seeing the following output for "show interface gig x/y switching":

ROUTER#sh inter gig x/y switching
GigabitEthernet x/y
          Throttle count          0
                 Drops         RP          0         SP          0
           SPD Flushes       Fast          0        SSE          0
           SPD Aggress       Fast          0
          SPD Priority     Inputs      46670      Drops          0

     Protocol       Path    Pkts In   Chars In   Pkts Out  Chars Out
        Other    Process    1078379   69124236          1         96
          Cache misses          0
                  Fast          0          0          0          0
             Auton/SSE          0          0          0          0
           IP    Process 3594269215 341714357335  162336237 18154131440
          Cache misses          0
                  Fast 395280896627 35724688800466 406469605169 44781968153216
             Auton/SSE 1220084333084 240117721335247 1899837692532 1757256129434539
          ARP    Process   28158607 1689516436   31556627 3029436192
          Cache misses          0
                  Fast          0          0          0          0
             Auton/SSE          0          0          0          0

The IP Process and IP Fast counters are accumulating.

The config of the interface is as follows:

--
interface GigabitEthernet x/y
 ip address x.x.x.x x.x.x.x
 ip verify unicast source reachable-via rx allow-default
 no ip redirects
 no ip proxy-arp
 ip tcp adjust-mss 1400
 speed nonegotiate
 no cdp enable
 service-policy input POLICY
 service-policy output POLICY
end

Regards,
Waseem
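A small parser for the "show interface switching" output quoted above helps answer the implicit question in this post: how large a share of a protocol's inbound packets are taking the Process path versus Fast or Auton/SSE (hardware) switching. This is an added example, not code from the thread; the sample text is the poster's output re-embedded as a constant, and the column layout it assumes (Protocol, Path, Pkts In, Chars In, Pkts Out, Chars Out) is taken from that output.

```python
import re
from collections import defaultdict

# Sample: the "sh inter gig x/y switching" output quoted in the post,
# embedded here as a constant so the parser runs offline.
SAMPLE = """\
ROUTER#sh inter gig x/y switching
GigabitEthernet x/y
          Throttle count          0
                 Drops         RP          0         SP          0
           SPD Flushes       Fast          0        SSE          0
           SPD Aggress       Fast          0
          SPD Priority     Inputs      46670      Drops          0

     Protocol       Path    Pkts In   Chars In   Pkts Out  Chars Out
        Other    Process    1078379   69124236          1         96
          Cache misses          0
                  Fast          0          0          0          0
             Auton/SSE          0          0          0          0
           IP    Process 3594269215 341714357335  162336237 18154131440
          Cache misses          0
                  Fast 395280896627 35724688800466 406469605169 44781968153216
             Auton/SSE 1220084333084 240117721335247 1899837692532 1757256129434539
          ARP    Process   28158607 1689516436   31556627 3029436192
          Cache misses          0
                  Fast          0          0          0          0
             Auton/SSE          0          0          0          0
"""

# A counter row: optional protocol name, a path name, then four integers.
# Rows such as "SPD Flushes  Fast 0  SSE 0" do not have four trailing
# integers and are therefore ignored.
ROW = re.compile(
    r"^\s*(?:(?P<proto>\S+)\s+)?(?P<path>Process|Fast|Auton/SSE)"
    r"\s+(?P<pi>\d+)\s+(?P<ci>\d+)\s+(?P<po>\d+)\s+(?P<co>\d+)\s*$"
)


def parse_switching(text):
    """Return {protocol: {path: {pkts_in, chars_in, pkts_out, chars_out}}}."""
    stats = defaultdict(dict)
    current = None
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        if m.group("proto"):
            current = m.group("proto")   # a new protocol block starts
        if current is None:
            continue
        stats[current][m.group("path")] = {
            "pkts_in": int(m.group("pi")),
            "chars_in": int(m.group("ci")),
            "pkts_out": int(m.group("po")),
            "chars_out": int(m.group("co")),
        }
    return dict(stats)


def process_share(stats, protocol):
    """Fraction of a protocol's inbound packets that were process switched.

    Process = handled by the IOS process scheduler (most expensive),
    Fast = software CEF at interrupt level, Auton/SSE = forwarded in hardware.
    """
    paths = stats[protocol]
    total = sum(p["pkts_in"] for p in paths.values())
    if total == 0:
        return 0.0
    return paths.get("Process", {"pkts_in": 0})["pkts_in"] / total


def process_shares(text):
    """Process-switched share per protocol, e.g. {'IP': 0.0022, 'ARP': 1.0}."""
    stats = parse_switching(text)
    return {proto: process_share(stats, proto) for proto in stats}


if __name__ == "__main__":
    for proto, share in process_shares(SAMPLE).items():
        print(f"{proto:>6}: {share:.4%} of inbound packets process switched")
```

For the quoted counters the IP share comes out at roughly 0.22%, which is small as a fraction but, at the 600 Mbps the poster later mentions, is a few Mbps that the route processor has to handle packet by packet; ARP and "Other" are 100% process switched, which is normal for control-plane protocols.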
Re: [c-nsp] CPU utilization for handling interrupt
On 05/10/11 09:31, Waseem wrote:
> Hi,
>
> I'm seeing the following output for "show interface gig x/y switching"

What platform? What IOS version? And what is your question?
Re: [c-nsp] CPU utilization for handling interrupt
On 05/10/11 12:05, Waseem wrote:
> 7600+RSP720-3C-GE 12.2(33)SRB2
> Why am I seeing 10% CPU utilization by interrupt handling?

Try using a SPAN of the CPU to see what traffic is hitting the CPU; this is by far the quickest way to find the cause.
Re: [c-nsp] CPU utilization for handling interrupt
It is regular internet traffic to port 80, from our customers, which should be CEF switched.

From: Phil Mayers p.may...@imperial.ac.uk
To: Waseem waseem_alir...@yahoo.com
Cc: cisco-nsp@puck.nether.net
Sent: Wednesday, October 5, 2011 2:07 PM
Subject: Re: [c-nsp] CPU utilization for handling interrupt

> On 05/10/11 12:05, Waseem wrote:
>> 7600+RSP720-3C-GE 12.2(33)SRB2
>> Why am I seeing 10% CPU utilization by interrupt handling?
>
> Try using a SPAN of the CPU to see what traffic is hitting the CPU; this is by far the quickest way to find the cause.
Re: [c-nsp] CPU utilization for handling interrupt
On 05/10/11 12:15, Waseem wrote:
> It is regular internet traffic to port 80, from our customers, which should be CEF switched.

Port 80 traffic to where? Can you show some?

There must be something wrong with the traffic or your config for the 7600 to be process switching it. You need to give more details instead of giving the minimum information in each reply you make.

In your original post, you gave a small config snippet; can you describe the topology in more detail? Rather than replacing IP addresses with x.x.x.x, can you replace them with corresponding private IPs? Or show the real config?

I am assuming the traffic is ingressing on the gig interface whose config you listed; what is the egress interface? What is the config for the service-policy you list?

What does:

  sh int GiX/X
  sh ip int GiX/X
  sh tcam int GiX/X acl in ip

...say?
Re: [c-nsp] CPU utilization for handling interrupt
7600+RSP720-3C-GE 12.2(33)SRB2

Why am I seeing 10% CPU utilization by interrupt handling?

From: Phil Mayers p.may...@imperial.ac.uk
To: cisco-nsp@puck.nether.net
Sent: Wednesday, October 5, 2011 1:41 PM
Subject: Re: [c-nsp] CPU utilization for handling interrupt

> On 05/10/11 09:31, Waseem wrote:
>> Hi,
>>
>> I'm seeing the following output for "show interface gig x/y switching"
>
> What platform? What IOS version? And what is your question?
Re: [c-nsp] CPU utilization for handling interrupt
On 05/10/2011 12:15, Waseem wrote:
> It is regular internet traffic to port 80, from our customers, which should be CEF switched.

Sounds like your router is punting all traffic. Are you seeing the following errors in your logs?

  %CFIB-SP-7-CFIB_EXCEPTION : FIB TCAM exception, Some entries will be software switched

If this is the case, you need to drop the number of routes that the box is handling, and then reboot the system. Once the FIB limits are exceeded on this platform, rebooting is the only way to revert to hardware forwarding.

Nick
[c-nsp] 76-ES+XC-20G3C UPGRADE
Good day everyone,

Our SE is out of town and we have an urgent project for a telco this weekend. Is there any way to upgrade a 76-ES+XC-20G3C to a 76-ES+XC-20G3CXL? Is this just a daughterboard issue?
Re: [c-nsp] CPU utilization for handling interrupt
TCP adjust-mss causes the 6k to punt the SYN to SW. I'm not sure if this will be process switched or CEF switched (interrupt), but I don't see a reason why we couldn't do it in software CEF.

-Pete

On Wed, Oct 5, 2011 at 8:20 AM, Nick Hilliard n...@foobar.org wrote:
> On 05/10/2011 12:15, Waseem wrote:
>> It is regular internet traffic to port 80, from our customers, which should be CEF switched.
>
> Sounds like your router is punting all traffic. Are you seeing the following errors in your logs?
>
>   %CFIB-SP-7-CFIB_EXCEPTION : FIB TCAM exception, Some entries will be software switched
>
> If this is the case, you need to drop the number of routes that the box is handling, and then reboot the system. Once the FIB limits are exceeded on this platform, rebooting is the only way to revert to hardware forwarding.
>
> Nick
Re: [c-nsp] CPU utilization for handling interrupt
I'm not receiving that log. I have nearly 600Mbps on this link; nearly 3 - 6 Mbps is being process switched from this link only. I tried to disable it, and the CPU utilization due to interrupts went to 0%. Please check the following packets.

--
interface Gi1/9, routine process_rx_packet_inline
dbus info: src_vlan 0x406(1030), src_indx 0x8(8), len 0x42(66)
  bpdu 0, index_dir 0, flood 0, dont_lrn 0, dest_indx 0x380(896)
  B8020401 0406 0008 4200 00060530 0E40 0380
destmac 00.1E.13.E4.A2.00, srcmac 00.25.9E.20.7A.D0, protocol 0800
protocol ip: version 0x04, hlen 0x05, tos 0x00, totlen 48, identifier 6637
  df 1, mf 0, fo 0, ttl 126, src 109.127.86.37, dst 209.85.145.105
  tcp src 63915, dst 80, seq 2253251144, ack 0, win 16384 off 7 checksum 0xBA29 syn
---
interface Gi1/9, routine naboo_fastsend
dbus info: src_vlan 0x406(1030), src_indx 0x380(896), len 0x46(70)
  bpdu 0, index_dir 0, flood 0, dont_lrn 0, dest_indx 0x380(896)
  0002 04062800 0380 4600 00060560 0040 0380
destmac 00.25.9E.20.7A.D0, srcmac 00.1E.13.E4.A2.00, protocol 0800
layer 3 data: 4534 5DCA4000 3706F051 57F8D9C0 6D7F5670 005052A5 845F754B EC784102 8012 00E2 02040514 01030304 0402 001E688A 0413 0340
---
interface Gi1/9, routine process_rx_packet_inline
dbus info: src_vlan 0x406(1030), src_indx 0x8(8), len 0x42(66)
  bpdu 0, index_dir 0, flood 0, dont_lrn 0, dest_indx 0x380(896)
  E0020401 0406 0008 4200 00060520 0E40 0380
destmac 00.1E.13.E4.A2.00, srcmac 00.25.9E.20.7A.D0, protocol 0800
protocol ip: version 0x04, hlen 0x05, tos 0x00, totlen 48, identifier 7783
  df 1, mf 0, fo 0, ttl 126, src 109.127.86.8, dst 95.211.87.169
  tcp src 29827, dst 80, seq 2269663441, ack 0, win 8192 off 7 checksum 0x9B2E syn
---
interface Gi1/9, routine process_rx_packet_inline
dbus info: src_vlan 0x406(1030), src_indx 0x8(8), len 0x4E(78)
  bpdu 0, index_dir 0, flood 0, dont_lrn 0, dest_indx 0x380(896)
  10020401 0406 0008 4E00 00060550 0E40 0380
destmac 00.1E.13.E4.A2.00, srcmac 00.25.9E.20.7A.D0, protocol 0800
protocol ip: version 0x04, hlen 0x05, tos 0x00, totlen 60, identifier 28750
  df 1, mf 0, fo 0, ttl 126, src 109.127.86.29, dst 207.66.182.20
  tcp src 58557, dst 80, seq 2150691164, ack 0, win 8192 off 10 checksum 0xD911 syn
--

Those are captured from dumping the CPU. Do you find anything that makes them need special handling?

Regards,
Waseem

From: Nick Hilliard n...@foobar.org
To: Waseem waseem_alir...@yahoo.com
Cc: NSP cisco-nsp@puck.nether.net
Sent: Wednesday, October 5, 2011 3:20 PM
Subject: Re: [c-nsp] CPU utilization for handling interrupt

> On 05/10/2011 12:15, Waseem wrote:
>> It is regular internet traffic to port 80, from our customers, which should be CEF switched.
>
> Sounds like your router is punting all traffic. Are you seeing the following errors in your logs?
>
>   %CFIB-SP-7-CFIB_EXCEPTION : FIB TCAM exception, Some entries will be software switched
>
> If this is the case, you need to drop the number of routes that the box is handling, and then reboot the system. Once the FIB limits are exceeded on this platform, rebooting is the only way to revert to hardware forwarding.
>
> Nick
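Every packet in the dump above is a TCP SYN arriving on an interface configured with "ip tcp adjust-mss 1400", which is exactly what the thread ends up concluding: the MSS option can only be rewritten in software, so each SYN is punted. The following is an added example (not code from the thread) that parses dumps in this format and tags each received packet as either explained by an adjust-mss punt or as unexplained and worth a closer look; it is useful for confirming that nothing else (a FIB TCAM exception, a feature mismatch) is pushing traffic to the CPU. The sample dump is constructed to mirror the post's output with RFC 5737 documentation addresses, the interface feature map passed in is an assumption about how the operator records per-interface configuration, and the direction heuristic (routine names containing "rx" are inbound punts, others are packets the CPU itself sends) is the author's assumption about this dump format.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the layout of the post's CPU packet dump. Two SYNs
# to port 80, one SYN to port 443, one plain ACK, and one packet sent by
# the CPU (routine naboo_fastsend). Addresses are RFC 5737 documentation
# ranges, not the ones in the post.
DUMP = """\
interface Gi1/9, routine process_rx_packet_inline
dbus info: src_vlan 0x406(1030), src_indx 0x8(8), len 0x42(66)
destmac 00.1E.13.E4.A2.00, srcmac 00.25.9E.20.7A.D0, protocol 0800
protocol ip: version 0x04, hlen 0x05, tos 0x00, totlen 48, identifier 6637
  df 1, mf 0, fo 0, ttl 126, src 192.0.2.37, dst 198.51.100.105
  tcp src 63915, dst 80, seq 2253251144, ack 0, win 16384 off 7 checksum 0xBA29 syn
interface Gi1/9, routine naboo_fastsend
dbus info: src_vlan 0x406(1030), src_indx 0x380(896), len 0x46(70)
destmac 00.25.9E.20.7A.D0, srcmac 00.1E.13.E4.A2.00, protocol 0800
layer 3 data: 45000034 5DCA4000 3706F051 57F8D9C0
interface Gi1/9, routine process_rx_packet_inline
dbus info: src_vlan 0x406(1030), src_indx 0x8(8), len 0x4E(78)
destmac 00.1E.13.E4.A2.00, srcmac 00.25.9E.20.7A.D0, protocol 0800
protocol ip: version 0x04, hlen 0x05, tos 0x00, totlen 60, identifier 28750
  df 1, mf 0, fo 0, ttl 126, src 192.0.2.29, dst 203.0.113.20
  tcp src 58557, dst 443, seq 2150691164, ack 0, win 8192 off 10 checksum 0xD911 syn
interface Gi1/9, routine process_rx_packet_inline
dbus info: src_vlan 0x406(1030), src_indx 0x8(8), len 0x3C(60)
destmac 00.1E.13.E4.A2.00, srcmac 00.25.9E.20.7A.D0, protocol 0800
protocol ip: version 0x04, hlen 0x05, tos 0x00, totlen 40, identifier 9001
  df 1, mf 0, fo 0, ttl 126, src 192.0.2.29, dst 203.0.113.20
  tcp src 58557, dst 443, seq 2150691165, ack 1, win 8192 off 5 checksum 0x1234 ack
"""


@dataclass
class Packet:
    interface: str
    routine: str
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    flags: tuple = ()


IFACE_RE = re.compile(r"interface (\S+), routine (\S+)")
IP_RE = re.compile(r"src (\d+\.\d+\.\d+\.\d+), dst (\d+\.\d+\.\d+\.\d+)")
TCP_RE = re.compile(r"tcp src (\d+), dst (\d+), .*checksum 0x[0-9A-Fa-f]+\s*(.*)$")


def parse_dump(text):
    """Split the dump into one Packet per 'interface ..., routine ...' header."""
    pkts = []
    for raw in text.splitlines():
        line = raw.strip()
        m = IFACE_RE.match(line)
        if m:
            pkts.append(Packet(m.group(1), m.group(2)))
            continue
        if not pkts:
            continue                      # preamble before the first packet
        p = pkts[-1]
        m = IP_RE.search(line)
        if m:
            p.src, p.dst = m.group(1), m.group(2)
            continue
        m = TCP_RE.match(line)
        if m:
            p.proto = "tcp"
            p.sport, p.dport = int(m.group(1)), int(m.group(2))
            p.flags = tuple(m.group(3).split())   # flag names after the checksum
    return pkts


def classify(pkt, iface_config):
    """Label a dumped packet: 'tx', 'adjust-mss-syn', or 'unexplained'.

    iface_config maps interface name -> set of configured feature lines,
    e.g. {"Gi1/9": {"ip tcp adjust-mss 1400"}} (assumed operator input).
    """
    if "rx" not in pkt.routine:
        return "tx"                       # sent by the CPU, not a punt cause
    features = iface_config.get(pkt.interface, set())
    clamps_mss = any(f.startswith("ip tcp adjust-mss") for f in features)
    if pkt.proto == "tcp" and "syn" in pkt.flags and clamps_mss:
        return "adjust-mss-syn"           # MSS option rewritten in software
    return "unexplained"                  # data packets should not be here


def summarize(text, iface_config):
    """Count packets per verdict so the punt reason can be read at a glance."""
    counts = {}
    for p in parse_dump(text):
        v = classify(p, iface_config)
        counts[v] = counts.get(v, 0) + 1
    return counts


if __name__ == "__main__":
    print(summarize(DUMP, {"Gi1/9": {"ip tcp adjust-mss 1400"}}))
```

On the constructed sample the two SYNs are attributed to the MSS clamp, the CPU-originated packet is ignored, and the plain ACK is flagged as unexplained; a real capture where the unexplained bucket dominates points away from adjust-mss and back to the FIB TCAM exception Nick mentions.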
Re: [c-nsp] CPU utilization for handling interrupt
On 05/10/11 14:15, Pete Lumbis wrote:
> TCP adjust-mss causes the 6k to punt the SYN to SW. I'm not sure if this will be process switched or CEF switched (interrupt), but I don't see a reason why we couldn't do it in software CEF.

Ah, well spotted; I didn't see that.

FWIW I have used adjust-mss on our default route to work around temporary MTU problems; it performed quite well, but I'm not sure what traffic rate the OP is facing.
Re: [c-nsp] CPU utilization for handling interrupt
Hi,

TCP adjust-mss is the key; you were right.

Thanks
Waseem

From: Pete Lumbis alum...@gmail.com
To: Nick Hilliard n...@foobar.org
Cc: Waseem waseem_alir...@yahoo.com; NSP cisco-nsp@puck.nether.net
Sent: Wednesday, October 5, 2011 4:15 PM
Subject: Re: [c-nsp] CPU utilization for handling interrupt

> TCP adjust-mss causes the 6k to punt the SYN to SW. I'm not sure if this will be process switched or CEF switched (interrupt), but I don't see a reason why we couldn't do it in software CEF.
>
> -Pete
>
> On Wed, Oct 5, 2011 at 8:20 AM, Nick Hilliard n...@foobar.org wrote:
>> On 05/10/2011 12:15, Waseem wrote:
>>> It is regular internet traffic to port 80, from our customers, which should be CEF switched.
>>
>> Sounds like your router is punting all traffic. Are you seeing the following errors in your logs?
>>
>>   %CFIB-SP-7-CFIB_EXCEPTION : FIB TCAM exception, Some entries will be software switched
>>
>> If this is the case, you need to drop the number of routes that the box is handling, and then reboot the system. Once the FIB limits are exceeded on this platform, rebooting is the only way to revert to hardware forwarding.
>>
>> Nick
[c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module

Advisory ID: cisco-sa-20111005-asa
Revision 1.0
For Public Release 2011 October 05 1600 UTC (GMT)

Summary
=======

Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module are affected by multiple vulnerabilities as follows:

  * MSN Instant Messenger (IM) Inspection Denial of Service vulnerability
  * TACACS+ Authentication Bypass vulnerability
  * Four SunRPC Inspection Denial of Service vulnerabilities
  * Internet Locator Service (ILS) Inspection Denial of Service vulnerability

These vulnerabilities are independent; a release that is affected by one vulnerability may not necessarily be affected by the others.

Workarounds for some of the vulnerabilities are provided in this advisory.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20111005-asa.shtml.

Note: The Cisco Firewall Services Module (FWSM) is affected by the TACACS+ authentication bypass vulnerability, SunRPC Inspection denial of service (DoS) vulnerabilities and ILS inspection DoS vulnerability. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the FWSM. This advisory is available at: http://www.cisco.com/warp/public/707/cisco-sa-20110831-fwsm.shtml

Affected Products
=================

Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module are affected by multiple vulnerabilities. Affected versions of Cisco ASA Software will vary depending on the specific vulnerability.

Vulnerable Products
+------------------

For specific version information, refer to the Software Versions and Fixes section of this advisory.

MSN IM Inspection Denial of Service Vulnerability
+------------------------------------------------

The MSN IM inspection feature of Cisco ASA 5500 Series Adaptive Security Appliances is affected by a DoS vulnerability.

MSN IM inspection is not enabled by default. To enable MSN IM inspection and specify actions when a message violates a parameter, administrators create an IM inspection policy map. You can then apply the inspection policy map when you enable IM inspection, as shown in the following example:

    policy-map type inspect im MY-MSN-INSPECT
     parameters
      match protocol msn-im
       log
    !
    policy-map global_policy
     class inspection_default
      inspect im MY-MSN-INSPECT

TACACS+ Authentication Bypass Vulnerability
+------------------------------------------

An authentication bypass vulnerability affects the TACACS+ implementation of Cisco ASA 5500 Series Adaptive Security Appliances.

In order to enable TACACS+ for authentication, authorization, or accounting (AAA), you must first create at least one AAA server group per AAA protocol and add one or more servers to each group with the aaa-server command. You identify AAA server groups by name. The following example shows how a AAA server group is configured for TACACS+ authentication:

    aaa-server my-tacacs-server protocol tacacs+
    aaa-server my-tacacs-server (inside) host 203.0.113.11

SunRPC Inspection Denial of Service Vulnerabilities
+--------------------------------------------------

Four DoS vulnerabilities affect the SunRPC inspection feature of Cisco ASA 5500 Series Adaptive Security Appliances.

SunRPC inspection is enabled by default. To check if SunRPC inspection is enabled, issue the show service-policy | include sunrpc command and confirm that output, such as what is displayed in the following example, is returned.

    ciscoasa# show service-policy | include sunrpc
          Inspect: sunrpc, packet 0, drop 0, reset-drop 0

The following configuration commands are used to enable SunRPC inspection in the Cisco ASA.

    class-map inspection_default
     match default-inspection-traffic
    !
    policy-map global_policy
     class inspection_default
      ...
      inspect sunrpc
      ...
    !
    service-policy global_policy global

ILS Inspection Denial of Service Vulnerability
+---------------------------------------------

A DoS vulnerability affects the ILS inspection feature of Cisco ASA 5500 Series Adaptive Security Appliances.

ILS inspection is not enabled by default. To check if ILS inspection is enabled, issue the show service-policy | include ils command and confirm that output, such as what is displayed in the following example, is returned.

    ciscoasa# show service-policy | include ils
          Inspect: ils, packet 0, drop 0, reset-drop 0

The following configuration commands are used to enable ILS inspection in the Cisco ASA.

    class-map inspection_default
     match default-inspection-traffic
    !
    policy-map global_policy
     class
[c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco Firewall Services Module
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Cisco Security Advisory: Multiple Vulnerabilities in Cisco Firewall Services Module

Advisory ID: cisco-sa-20111005-fwsm
Revision 1.0
For Public Release 2011 October 05 1600 UTC (GMT)

Summary
=======

The Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers is affected by the following vulnerabilities:

  * Syslog Message Memory Corruption Denial of Service Vulnerability
  * Authentication Proxy Denial of Service Vulnerability
  * TACACS+ Authentication Bypass Vulnerability
  * Sun Remote Procedure Call (SunRPC) Inspection Denial of Service Vulnerabilities
  * Internet Locator Server (ILS) Inspection Denial of Service Vulnerability

These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others.

Cisco has released free software updates that address these vulnerabilities. Workarounds are available for some of the vulnerabilities disclosed in this advisory.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20111005-fwsm.shtml

Note: Cisco ASA 5500 Series Adaptive Security Appliances and the Cisco Catalyst 6500 Series ASA Services Module are affected by some of the vulnerabilities described in this advisory. A separate Cisco Security Advisory has been published to disclose these and other vulnerabilities that affect the Cisco ASA 5500 Series Adaptive Security Appliances and the Cisco Catalyst 6500 Series ASA Services Module. The advisory is available at: http://www.cisco.com/warp/public/707/cisco-sa-20111005-asa.shtml

Affected Products
=================

Vulnerable Products
+------------------

The Cisco FWSM for the Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers is affected by multiple vulnerabilities. Affected versions of Cisco FWSM Software vary depending on the specific vulnerability. Refer to the Software Version and Fixes section for specific information on vulnerable versions.

Syslog Message Memory Corruption Denial of Service Vulnerability
+---------------------------------------------------------------

Devices running vulnerable versions of Cisco FWSM Software are affected by this vulnerability if the following conditions are satisfied:

  * The device has interfaces with IPv6 addresses
  * System logging is enabled (command logging enable)
  * The device is configured in any way to generate system log message 302015 (refer to the following examples)

System log message 302015 has a default severity level of 6 (informational) so, assuming that the system administrator has not changed this default severity level, the vulnerability can be triggered if the device is logging to any destination at level 6 or level 7 (debug). As an example, the following configuration is vulnerable:

    logging enable
    !
    logging console informational
    logging buffered informational
    [...]

Using a custom message list (via the logging list command) that includes system log message 302015, either by severity or by explicitly including the message ID, is also a vulnerable configuration. For example, the following configuration is also vulnerable:

    logging enable
    !
    logging list MYLIST level informational
    and/or
    logging list MYLIST message 302015
    !
    logging trap MYLIST

Note: The default severity level of system log messages can be changed. If the default severity level of system log message 302015 is changed, and the device is configured to log to any destination at the new severity level, then the device is still vulnerable.

Authentication Proxy Denial of Service Vulnerability
+---------------------------------------------------

Devices running vulnerable versions of Cisco FWSM Software are affected by this vulnerability if they are configured to use Authentication, Authorization, and Accounting (AAA) for network access, also known as cut-through or authentication proxy. The network access authentication feature is enabled if the aaa authentication match or aaa authentication include commands are present in the configuration of an affected device.

TACACS+ Authentication Bypass Vulnerability
+------------------------------------------

Devices running vulnerable versions of Cisco FWSM Software are affected by this vulnerability if they are configured to use the Terminal Access Controller Access-Control System Plus (TACACS+) protocol for AAA. A device is configured for TACACS+ if an AAA server group is defined in a manner similar to the following:

    aaa-server my-tacacs-server protocol tacacs+
    aaa-server my-tacacs-server (inside) host 192.168.1.1
    [...]

Note: In the preceding example, my-tacacs-server is the name of the AAA server group.

SunRPC Inspection Denial of Service Vulnerabilities
+--------------------------------------------------

Devices running
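Both advisories above (the ASA one and this FWSM one) describe exposure purely in terms of configuration lines: which inspections are on, whether a TACACS+ server group exists, whether cut-through proxy is configured, and, for the syslog memory corruption, whether an IPv6 interface address plus logging at a level that carries message 302015 are both present. The following is an added example, written for this page and not Cisco's tooling, that audits a saved running-config against those conditions so an operator can triage a fleet before the upgrade window. The sample config is constructed from the fragments the advisories quote; the function names are the author's. Note that for the SunRPC and ILS checks the advisories point to "show service-policy | include sunrpc" as the authoritative test, because an inspection enabled by default may not be visible as an explicit line in every config export; this script only reads what is in the text it is given.

```python
import re

# Constructed sample running-config combining the fragments quoted in the
# ASA and FWSM advisories. Every advisory condition is deliberately met.
CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ipv6 address 2001:db8::1/64
!
logging enable
logging console informational
logging list MYLIST message 302015
logging trap MYLIST
!
aaa-server my-tacacs-server protocol tacacs+
aaa-server my-tacacs-server (inside) host 192.168.1.1
aaa authentication match AUTH_ACL inside my-tacacs-server
!
policy-map type inspect im MY-MSN-INSPECT
 parameters
  match protocol msn-im
   log
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect sunrpc
  inspect ils
  inspect im MY-MSN-INSPECT
!
service-policy global_policy global
"""

# Syslog severity names to numeric levels; 302015 defaults to 6.
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}
MSG_LEVEL = 302015, 6
DESTINATIONS = r"logging (console|buffered|monitor|trap|history|mail|asdm) (\S+)"


def _level(token):
    """Numeric severity for a level name or digit string, -1 if it is a list name."""
    if token in LEVELS:
        return LEVELS[token]
    return int(token) if token.isdigit() else -1


def logs_302015(lines, msg_level=MSG_LEVEL):
    """True if message 302015 can reach any logging destination.

    Matches the advisory's two vulnerable shapes: a destination logging at
    severity >= 6, or a custom list that names the message or its level.
    """
    msg_id, severity = msg_level
    if "logging enable" not in lines:
        return False
    lists_carrying_msg = set()
    for line in lines:
        m = re.match(r"logging list (\S+) (?:level (\S+)|message (\d+))", line)
        if not m:
            continue
        name, level, msg = m.groups()
        if (msg and int(msg) == msg_id) or (level and _level(level) >= severity):
            lists_carrying_msg.add(name)
    for line in lines:
        m = re.match(DESTINATIONS, line)
        if m and (m.group(2) in lists_carrying_msg or _level(m.group(2)) >= severity):
            return True
    return False


def audit(cfg):
    """Map each advisory condition to True/False for the given config text."""
    lines = [l.rstrip() for l in cfg.splitlines()]
    text = "\n".join(lines)
    present = lambda pattern: bool(re.search(pattern, text, re.M))
    has_ipv6 = present(r"^\s+ipv6 address\b")
    return {
        "msn_im_inspection": present(r"^\s+inspect im\b"),
        "tacacs_plus": present(r"^aaa-server \S+ protocol tacacs\+"),
        "sunrpc_inspection": present(r"^\s+inspect sunrpc\b"),
        "ils_inspection": present(r"^\s+inspect ils\b"),
        "auth_proxy": present(r"^aaa authentication (match|include)\b"),
        "syslog_302015_ipv6": has_ipv6 and logs_302015(lines),
    }


if __name__ == "__main__":
    for condition, hit in audit(CONFIG).items():
        print(f"{condition:22s} {'EXPOSED' if hit else 'ok'}")
```

Removing the IPv6 address, or lowering every logging destination and list below informational, clears the syslog finding while leaving the others untouched, which mirrors the advisory's statement that the vulnerabilities are independent of one another.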
[c-nsp] Cisco Security Advisory: Directory Traversal Vulnerability in Cisco Network Admission Control Manager
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Cisco Security Advisory: Directory Traversal Vulnerability in Cisco Network Admission Control Manager Advisory ID: cisco-sa-20111005-nac Revision 1.0 For Public Release 2011 October 05 1600 UTC (GMT) + Summary === Cisco Network Admission Control (NAC) Manager contains a directory traversal vulnerability that may allow an unauthenticated attacker to obtain system information. There are no workarounds to mitigate this vulnerability. Cisco has released free software updates that address this vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20111005-nac.shtml. Affected Products = Vulnerable Products +-- Only Cisco NAC Manager software versions 4.8.X are affected by this vulnerability. Cisco NAC Manager software versions 4.7.X and earlier are not affected. Products Confirmed Not Vulnerable + The Cisco NAC Server (Appliance) is not affected. The Cisco Identity Services Engine (ISE) is not affected. No other Cisco products are currently known to be affected by this vulnerability. Details === The Cisco NAC (formerly Cisco Clean Access) solution allows network administrators to authenticate, authorize, evaluate, and remediate wired, wireless, and remote users and their machines prior to allowing users onto the network. The solution identifies whether machines are compliant with security policies and repairs vulnerabilities before permitting access to the network. You can use the NAC Manager server and its web-based administration console to manage multiple NAC Appliances in a deployment. Cisco NAC Manager contains a directory traversal vulnerability. The management interface uses TCP port 443. An unauthenticated attacker could exploit this vulnerability to access sensitive information, including password files and system logs, that could be leveraged to launch subsequent attacks. 
This vulnerability is documented in Cisco bug ID CSCtq10755 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2011-3305. Vulnerability Scoring Details = Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * CSCtq10755 (Directory Traversal in CCA) CVSS Base Score - 7.8 Access Vector -Network Access Complexity -Low Authentication - None Confidentiality Impact - Complete Integrity Impact - None Availability Impact - None CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level -Official-Fix Report Confidence -Confirmed Impact == An unauthenticated attacker could exploit this vulnerability to access sensitive information, including password files and system logs, that could be leveraged to launch subsequent attacks. Software Versions and Fixes === When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. 
If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

This vulnerability has been corrected in Cisco NAC Manager Software version 4.9. Cisco NAC Manager software can be downloaded from the following link:

http://www.cisco.com/cisco/pub/software/portal/select.html?i=!mmdfid=279515766

Workarounds
===========

There are no workarounds to mitigate this vulnerability.

Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory:

http://www.cisco.com/warp/public/707/cisco-amb-20111005-nac.shtml

Obtaining Fixed Software
========================

Cisco has released free software updates
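The Vulnerability Scoring Details section above gives the base (7.8) and temporal (6.4) scores and leaves the environmental score to the customer. The added example below is a CVSS v2.0 calculator written for this page (the equations and metric weights are those of the CVSS v2.0 specification, not Cisco code) that reproduces the two published numbers from the listed metrics and then computes an environmental score for a hypothetical deployment; the environmental inputs (collateral damage potential, target distribution, security requirements) are assumptions, since they depend on where the NAC Manager sits in a given network.

```python
"""CVSS v2.0 base, temporal and environmental scores, worked for CSCtq10755.

Added example: the equations and metric weights are the CVSS v2.0
specification's, not Cisco code. The metric values for the advisory come from
its scoring table; the environmental inputs are hypothetical.
"""
from decimal import ROUND_HALF_UP, Decimal

# Base metric weights.
ACCESS_VECTOR = {"Local": 0.395, "Adjacent": 0.646, "Network": 1.0}
ACCESS_COMPLEXITY = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AUTHENTICATION = {"Multiple": 0.45, "Single": 0.56, "None": 0.704}
IMPACT = {"None": 0.0, "Partial": 0.275, "Complete": 0.660}
# Temporal metric weights.
EXPLOITABILITY = {"Unproven": 0.85, "Proof-of-Concept": 0.9, "Functional": 0.95,
                  "High": 1.0, "Not Defined": 1.0}
REMEDIATION_LEVEL = {"Official-Fix": 0.87, "Temporary-Fix": 0.90, "Workaround": 0.95,
                     "Unavailable": 1.0, "Not Defined": 1.0}
REPORT_CONFIDENCE = {"Unconfirmed": 0.90, "Uncorroborated": 0.95, "Confirmed": 1.0,
                     "Not Defined": 1.0}
# Environmental metric weights.
COLLATERAL_DAMAGE = {"None": 0.0, "Low": 0.1, "Low-Medium": 0.3, "Medium-High": 0.4,
                     "High": 0.5, "Not Defined": 0.0}
TARGET_DISTRIBUTION = {"None": 0.0, "Low": 0.25, "Medium": 0.75, "High": 1.0,
                       "Not Defined": 1.0}
REQUIREMENT = {"Low": 0.5, "Medium": 1.0, "High": 1.51, "Not Defined": 1.0}


def round1(x: float) -> float:
    """CVSS round_to_1_decimal rounds half up; Python's round() is half-even."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def impact_subscore(c, i, a, cr=1.0, ir=1.0, ar=1.0) -> float:
    """Impact = 10.41 * (1 - (1-C*CR)(1-I*IR)(1-A*AR)); CR/IR/AR are 1.0 for the base score."""
    return 10.41 * (1 - (1 - c * cr) * (1 - i * ir) * (1 - a * ar))


def exploitability_subscore(av, ac, au) -> float:
    """Exploitability = 20 * AccessVector * AccessComplexity * Authentication."""
    return 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]


def combine(impact, exploitability) -> float:
    """BaseScore = round1(((0.6*Impact) + (0.4*Exploitability) - 1.5) * f(Impact))."""
    f = 0.0 if impact == 0 else 1.176
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f)


def base_score(av, ac, au, c, i, a) -> float:
    return combine(impact_subscore(IMPACT[c], IMPACT[i], IMPACT[a]),
                   exploitability_subscore(av, ac, au))


def temporal_score(base, e, rl, rc) -> float:
    """Temporal = round1(Base * Exploitability * RemediationLevel * ReportConfidence)."""
    return round1(base * EXPLOITABILITY[e] * REMEDIATION_LEVEL[rl] * REPORT_CONFIDENCE[rc])


def environmental_score(av, ac, au, c, i, a, e, rl, rc, cdp, td, cr, ir, ar) -> float:
    """Recompute base with the requirement-weighted impact (capped at 10),
    recompute temporal from that, then apply collateral damage and target distribution."""
    adj_impact = min(10.0, impact_subscore(IMPACT[c], IMPACT[i], IMPACT[a],
                                           REQUIREMENT[cr], REQUIREMENT[ir], REQUIREMENT[ar]))
    adj_base = combine(adj_impact, exploitability_subscore(av, ac, au))
    adj_temporal = temporal_score(adj_base, e, rl, rc)
    return round1((adj_temporal + (10 - adj_temporal) * COLLATERAL_DAMAGE[cdp])
                  * TARGET_DISTRIBUTION[td])


# Metric values exactly as listed in the advisory's scoring table for CSCtq10755.
NAC_BASE = ("Network", "Low", "None", "Complete", "None", "None")
NAC_TEMPORAL = ("Functional", "Official-Fix", "Confirmed")


def cisco_nac_scores() -> tuple:
    """Reproduce the advisory's published base and temporal scores."""
    base = base_score(*NAC_BASE)
    return base, temporal_score(base, *NAC_TEMPORAL)


def cisco_nac_environmental(cdp, td, cr, ir, ar) -> float:
    """Environmental score for a hypothetical deployment of the affected NAC Manager."""
    return environmental_score(*NAC_BASE, *NAC_TEMPORAL, cdp, td, cr, ir, ar)


if __name__ == "__main__":
    print("base, temporal:", cisco_nac_scores())  # advisory lists 7.8 and 6.4
    # Hypothetical: every NAC Manager in the estate is exposed, confidentiality
    # requirement Medium, no collateral damage beyond the box itself.
    print("environmental:", cisco_nac_environmental("None", "High", "Medium", "Medium", "Medium"))
```

The rounding helper matters: the specification rounds half up to one decimal, and Python's built-in round() is half-even on binary floats, which occasionally disagrees by 0.1 from the NVD and Cisco calculators. With the advisory's metrics and no environmental adjustment the environmental score collapses back to the temporal 6.4, which is the sanity check to run before trusting the calculator with real deployment inputs.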
[c-nsp] No Link between SFP-10G-LRM and X2-10GB-LX4?
Greetings,

I have a 6509 with an X6716-10GE card equipped with Cisco X2-10GB-LX4 10GE modules and a Cisco 2960S-48TD-L switch with two Cisco SFP-10G-LRM modules.

Right now I am not able to get an active link between these X2 and SFP modules; it stays down/down (notconnected). I instantly get a link when connecting X2 to X2 or SFP+ to SFP+ modules. I tried nonegotiate but this didn't help. The 6509 runs IOS 12.2(33)SXI7, the 2960 IOS 12.2(55)SE3.

Cisco says these modules are compatible with each other. Has anyone seen this before? Any hints or ideas?

Thanks,
Holger

_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] No Link between SFP-10G-LRM and X2-10GB-LX4?
Hi,

On Wed, Oct 05, 2011 at 07:40:30PM +0200, ci...@entrap.de wrote:
> I have a 6509 with an X6716-10GE card equipped with Cisco X2-10GB-LX4 10GE modules and a Cisco 2960S-48TD-L switch with two Cisco SFP-10G-LRM modules.

http://en.wikipedia.org/wiki/10_Gigabit_Ethernet#10GBASE-LX4

and no...

> Cisco says these modules are compatible with each other.

... LRM and LX4 are not compatible.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
Re: [c-nsp] No Link between SFP-10G-LRM and X2-10GB-LX4?
Are you sure that it's supported? lx4 == wwdm optic == 4x2.5gbps channels using wideband muxing.

Additionally, when looking at datasheets for x2 and sfp+ modules, one will see that the lx4 optic mentions 4 lanes, launching in the 1300nm space, and a separate pluggable for x2-10gb-lrm. sfp+ only mentions a single lane in the 1310nm space.

I don't believe the two are compatible. Would suggest looking at x2-10gb-lrm= for compatibility.

regards,
q.

-= sent via ipad. please excuse brevity, spelling, and grammar =-
Re: [c-nsp] No Link between SFP-10G-LRM and X2-10GB-LX4?
I believe LX4 uses multiple wavelengths. This seems to confirm it. I don't think you can mix those with anything else.

http://www.cisco.com/en/US/prod/collateral/modules/ps5455/ps6574/product_data_sheet0900aecd801f92aa.html

Thanks,
Chuck
Re: [c-nsp] GRE over IPSEC loss in IOS 15.x / ISR x9xx Routers
Today I also noticed that all these connections are going over Comcast Business. Anyone seen anything like this?

On Tue, Sep 27, 2011 at 5:43 PM, Dustin Schuemann <dschuem...@gmail.com> wrote:
> Do you have any other suggestions? TAC is kinda going around in circles.
>
> On Sep 27, 2011, at 3:43 AM, Phil Mayers wrote:
>> On 09/27/2011 12:38 AM, Dustin Schuemann wrote:
>>> Disabling CEF didn't correct the issue.
>>
>> I'm not surprised. I'm amazed TAC would even suggest it. Disabling CEF on modern IOS isn't sensible. The slower code paths don't get properly tested any more, and whole (large) chunks of functionality only exist as CEF code.
Re: [c-nsp] ASR903, ASR9k, SUP2T questions
Hi,

On 6 October 2011 08:59, Robert Hass <robh...@gmail.com> wrote:
{cut}
> 3) What is the performance of the ASR903 (Gbps and PPS)? Can I have it wirerate with 5 x 10GE cards?

AFAIK the chassis can take only 4 x 10G (the last two slots have only about 7G of capacity).

kind regards
Pshem
Re: [c-nsp] C7600 vs. ASR 9000
On Wednesday, October 05, 2011 02:51:18 PM Mohacsi Janos wrote:
> After some calculation: ASR9006 with 6-8 10 GE and 20 GE is slightly cheaper on list prices than C7606 with a similar amount of ports with ES+ cards.

You really can get an ASR9000 at a much better, similarly-spec'ed 7600. Just spend some time with your account team :-).

> The only problem I see at the moment is the software upgrade on ASR9K IOS-XR. Most of the time one software upgrade requires two reboots (each ~10 minutes). In C7600/C6500 we could do a software upgrade most of the time with RP switchover in under 2 minutes.

This is a general problem with IOS XR-based systems. Even service-impacting SMU's that reload fabrics or line cards can make software upgrades a very annoying experience.

I've discussed this with our SE many times. He says Cisco are looking at optimizing the process so code updates run faster.

I suppose time will tell, but as of now, we easily can spend 2hrs on a box if we're catching up with all SMU's. More if we're also moving up a release.

Cheers,

Mark.
Re: [c-nsp] Cisco 7304-NSE-100 used as a border BGP router
On Wednesday, October 05, 2011 03:27:39 PM Saku Ytti wrote:
> 3.5Mpps is for a single pass; quite a few things force two passes and halve performance. The platform is at its best at relatively basic IP termination with QoS; there, when compared to VXR, it offers superior and predictable performance, when VXR and QoS at any non-trivial scale typically spell problems.

We've been fairly happy with some decent QoS deployments on an NPE-G1 and NPE-G2, handling 100s of Mbps. Of course, the software nature of the forwarding paradigm has its limits, but we've surely got lots of bang for our buck :-).

Mark.
Re: [c-nsp] ASR903, ASR9k, SUP2T questions
On Thursday, October 06, 2011 10:19:20 AM Pshem Kowalczyk wrote:
> AFAIK the chassis can take only 4 x 10G (the last two slots have only about 7G of capacity).

Can't say much about the box at the moment, but in case you didn't notice, it's an IOS XE system, despite the 9 following ASR :-).

Maybe it should have been the ASR103 :-).

Cheers,

Mark.