Cisco IOS-XR with ACS
Hello, my question is if you have to configure the Cisco IOS-XR enabled router (it is a 12k series by-the-by) differently on the ACS side or is it added like any other normal router.
hi raul,
the ios-xr router will act as a NAS for the ACS. so the configuration will the same as any other NAS on the ACS.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resloved
Similar Messages
-
AAA authentication is fail on cisco 4505 switch with acs
i am new in AAA . i want to login switch which authentication come from cisco acs 5.1 but i configure both switch and acs 5.1. when i telnet
switch it display % Authentication fails. can anybody help me regurding this issue!!!
on cisco switch end conf:
aaa new-modle
aaa authentication login default group tacacs+
aaa authentication login TACASE group tacacs+
aaa authentication exec default group tacacs+
tacacs-server host 10.10.10.1
tacacs-server key Password!@#
line vty 0 4
login authentication TACASE
on acs 5.1 side i add switch on its vlan ip address which is connect acs 5.1 but
BUT when i login using putty terminal its show % Authentication fails.
Please help me regurding this issue!!!Hi,
what is the error message reported on ACS?
Are you sure that you are using the same key on ACS and cat4k?
Can you configure "ip tacacs source-interface " with the vlan interface you are using as source?
You can also collect these debugs:
- deb aaa authentication
- deb tacacs
Cheers
Marco -
IOS XR Command authorization with ACS server
We have a newly implemented ASR 9010 and are trying to figure out how to best configure it with TACACS, as it is slightly different than IOS.
In ACS, we have two groups: Group 1 and Group 2
Group 1 allows full access in the shell command authorization set.
Group 2 allows limited access in the shell command set (basically just show commands).
Both groups can login fine (aaa authentication login default group <groupname> local)
Group 1 has full access to everything (group I am in).
Group 2 has NO access to anything (can't even perform show commands).
Group 2 CAN access other IOS devices and can perform the various show commands.
With regards to our authorization commands, we currently have it configured as:
aaa authorization commands default group <groupname> local
Why is it working for the one group, but not the other? I've read how IOS XR uses task Ids and other various things that I'm unfamiliar with. I'm mainly curious if I have to use those, if the authorized commands are configured in ACS.
Thanks!
Kyledont have enough info to give you a full conclusive answer Kyle, but some suspicions.
Task group not set right?
Command groups not defined properly in tacacs for command author.
if you only want show access, you can just use the task groups in XR with a read permission on any command for instance. no direct need to send every command down to tacacs (hate that slowness )
More info here:
https://supportforums.cisco.com/docs/DOC-15944
xander -
Monitoring Cisco ASR 1002 with IOS-XE in IPM 4.2
We are running LMS 3.2 with IPM 4.2 installed....and we are looking to do IPSLA monitoring on a couple of our Cisco ASR's with IOS-XE code installed.
I looked at the IPSLA feature mapping and it only talks about supported IOS code....do we need to upgrade our current IPM module to a current version?Hi Konstantin,
Regarding "It is strange that these commands cleaned from sh run view.": this is normal for many default configuration commands.
Mine is a lab device so I cannot really comment on stability or provide you a recommendation based on that. However, I see that the download section from Cisco.com mentiones the following release as the recommended based on quality, stability and longevity:
asr1002x-universal.03.07.04a.S.152-4.S4a.SPA.bin
The best would be for you to check this with yor cisco Account Team or Advanced Services Team as normally they are the proper point of contacts for SW advisory.
Regards. -
Cisco Works LMS R3.1 with ACS R5.1
I search on internet about the AAA integration between LMS R3.1 y ACS R5.1, and all the information that I found it's related to ACS R4.1. It's possible to integrate with ACS R5.1.
Regards and thanks in advanced
Luis MartinezNael,
Sorry to batter you, but I was trying to migrate my Cisco Works LMS R3.1 to R3.2 and from the support page of CISCO I just can donwload the following version LMS R3.2.1 (LMS R3.2 service pack 1). I tried to install that version but i got an error that saids "LMS R3.2.1 needs LMS R3.2 installed on the server"
Could you please tell me where can I download the complete and initial LMS R3.2.
Thanks in advanced for your kindly help.
Luis Martinez -
How to setup Cisco IOS with multi public IP's
I'd like to set up a little network environment. We have bought 2 different subnet from our ISP.
The WAN internet connection: xx.yy.81.61/26
WAN gateway: xx.yy.81.1
First subnet : xx.yy.81.80/30 (this has the same first 3 octet as the WAN, probably doesn't count, because it is a different subnet)
Second subnet : zz.uu.156.48/29
As you can see in the first diagram, the xx.yy.81.61/26 is assigned to the CISCO's outside(WAN) interface, the internet connection is alive, all hosts in LAN have internet connection. We want to assign some hosts with public IP address (for webserver sake). I'm not familiar with networking, so please forgive me if I make some silly questions. In brackets, I make the cisco router setup with the "Cisco Configuration Professional 2.8" PC program.
|
| ADSL or Optical cable (fiber link)
|
+-----+
| | modem
| |
+-----+
|
| WAN (xx.yy.81.61/26)
| Gateway(xx.yy.81.1)
|
+----------+
| |
| | CISCO 881 (router/firewall)
| | IOS 15.2(4)M6
| |
+----------+
|
|
-----+------------- our local LAN segment (vlan)
10.10.10.1/24
I want to set up the CISCO:
- The question is, that how can i make my subnets alive? I just want to transmit(NAT) some public IP from subnet to specific HOST computer(or inverse?). I have made the NAT rules (zz.uu.156.50 <- 10.10.10.xxx), but no result, the public IP is unreachable(no ping, no traceroute).
- Do I have to assign a second IP(virtual) address from subnets to the outside interface(WAN). If yes, than how? Or my ISP has to route the subnets to my WAN IP address(xx.yy.81.61) ?
The truth is that the original setup was different, as you can see in the second diagram. In this case the both subnet was alive. Now, I unmounted the ISP owned HP router and I attached the CISCO directly to the modem output(first diagram), because we had some DNS issues and I think it is unnecessary to be 2 router sequentially. Please indicate if i was wrong.
I mention, that by the original setup, I could access the HP router (only the login interface) from internet with the first IP of the subnets (xx.yy.81.81 from the first subnet and zz.uu.156.49 from the second subnet).
|
| ADSL or Optical cable (fiber link)
|
+-----+
| | modem
| |
+-----+
|
|
|
+-------+
| | blackbox, no acces
| | ISP owned HP router
| |
+-------+
|
| WAN (xx.yy.81.82/30) or WAN (zz.uu.156.50/29)
| Gateway(xx.yy.81.81) Gateway(zz.uu.156.49)
|
+----------+
| |
| | CISCO 881 (router/firewall)
| | IOS 15.2(4)M6
| |
+----------+
|
|
-----+------------- our local LAN segment
10.10.10.1/24
Thanks for any answer or suggestion!Hey,
Proxy-ARP should take care of this!
As long as you assign the NAT rules into the IOS Router it should start replying to any ARP request to those IPs on different subnets.
Of course the ISP should forward this ARP requests to you!
So make sure Proxy-ARP is enabled in the WAN interface and you should be good to go (as long as the NAT rules are good).
Regards,
Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2-CCNP, JNCIS-SEC
For inmediate assistance hire us at http://i-networks.us -
SSLVPN with iPhone Anyconnect and Cisco IOS Router, Certificate Authentication failed
Hello,
i have a problem regarding the authentication with a certificate from the iPhone Anyconnect 2.5 Client to a 1802 Cisco Router.
Cisco 1802 Router:
Cisco IOS Software, C180X Software (C180X-ADVENTERPRISEK9-M), Version 15.1(1)T, RELEASE SOFTWARE (fc1)
First i configured SSLVPN with username and password, in this configuration the Anyconnect Client of my iPhone works.
then i enrolled a certificate from my Windows 2008 R2 CA to the Router with the Attributes: Server Authentication and IPSEC
and i enrolled a certificate for my iPhone with Client Authentication and IPSEC
after a bunch of time ( i realy could not find a really good documentation on how to do this) i got it done, in the webvpn context configuration i made this changes here:
no aaa authentication list default
authentication certificate
ca trustpoint CA
as the "SSL VPN Configuration Guide, Cisco IOS Release 15.1M&T" says: if i want only certificate authentication i had to user the "authentication certificate" command and thats it.
as i look into the debugs it seems to me that the Router accepts the certificate of the iPhone, but then i receive a window on the iphone that wants an additional username and password authentication, and no matter what i enter there's always the same dialog coming back..
any ideas what the problem could be???
here is the configuration:
webvpn gateway WEBVPN_GW_OFFICE2
ip interface Dialer0 port 1444
ssl trustpoint CA
inservice
webvpn install svc flash:/webvpn/sslclient-win-1.1.4.179.pkg sequence 1
webvpn install svc flash:/webvpn/anyconnect-win-3.0.4235-k9.pkg sequence 2
webvpn install svc flash:/webvpn/anyconnect-dart-win-2.5.3055-k9.pkg sequence 3
webvpn context WEBVPN_CONTEXT2
secondary-color white
title-color #669999
text-color black
ssl authenticate verify all
policy group WEBVPN_POLICY2
functions svc-enabled
mask-urls
svc address-pool "SSLVPN_OFFICE1"
svc default-domain "domain.internal"
svc keep-client-installed
svc split include 192.168.0.0 255.255.0.0
svc dns-server primary 192.168.53.33
svc dns-server secondary 192.168.53.35
virtual-template 3
default-group-policy WEBVPN_POLICY2
gateway WEBVPN_GW_OFFICE2
authentication certificate
ca trustpoint CA
inservice
here is the debug:
OfficeRouter1# PASSING appctx is [0x89FAFFCC]
Nov 19 22:39:53.507: WV: sslvpn process rcvd context queue event
Nov 19 22:39:53.507: WV: sslvpn process rcvd context queue event
Nov 19 22:39:53.607: WV: sslvpn process rcvd context queue event
Nov 19 22:39:53.607: WV: Entering APPL with Context: 0x86529380,
Data buffer(buffer: 0x86543A40, data: 0x15A07AB8, len: 469,
offset: 0, domain: 0)
Nov 19 22:39:53.607: WV: http request: / with no cookie
Nov 19 22:39:53.607: WV: validated_tp : CA cert_username : matched_ctx :
Nov 19 22:39:53.607: WV: Received appinfo
validated_tp : CA, matched_ctx : ,cert_username :
Nov 19 22:39:53.607: WV: Trustpoint match successful
Nov 19 22:39:53.607: WV: Extracted username: pass: ?
Nov 19 22:39:53.607: WV: Client side Chunk data written..
buffer=0x86543640 total_len=661 bytes=661 tcb=0x8811FE60
Nov 19 22:39:53.607: WV: Appl. processing Failed : 2
Nov 19 22:39:53.607: WV: sslvpn process rcvd context queue event
BueroRouter1# PASSING appctx is [0x89FAEEC4]
Nov 19 22:40:24.028: WV: sslvpn process rcvd context queue event
Nov 19 22:40:24.032: WV: sslvpn process rcvd context queue event
Nov 19 22:40:24.132: WV: sslvpn process rcvd context queue event
Nov 19 22:40:24.132: WV: Entering APPL with Context: 0x86529380,
Data buffer(buffer: 0x86543A40, data: 0x160C4038, len: 469,
offset: 0, domain: 0)
Nov 19 22:40:24.132: WV: http request: / with no cookie
Nov 19 22:40:24.132: WV: validated_tp : CA cert_username : matched_ctx :
Nov 19 22:40:24.132: WV: Received appinfo
validated_tp : CA, matched_ctx : ,cert_username :
Nov 19 22:40:24.132: WV: Trustpoint match successful
Nov 19 22:40:24.132: WV: Extracted username: pass: ?
Nov 19 22:40:24.132: WV: Client side Chunk data written..
buffer=0x86543640 total_len=661 bytes=661 tcb=0x88D11EEC
Nov 19 22:40:24.136: WV: Appl. processing Failed : 2
Nov 19 22:40:24.136: WV: sslvpn process rcvd context queue event
Nov 19 22:40:39.764: WV: sslvpn process rcvd context queue event
Nov 19 22:40:39.880: WV: sslvpn process rcvd context queue event
Nov 19 22:40:39.892: WV: sslvpn process rcvd context queue event
Nov 19 22:40:39.892: WV: Entering APPL with Context: 0x86529380,
Data buffer(buffer: 0x86543A40, data: 0x1616FD38, len: 610,
offset: 0, domain: 0)
Nov 19 22:40:39.892: WV: http request: /webvpn.html with domain cookie
Nov 19 22:40:39.892: WV: validated_tp : cert_username : matched_ctx :
Nov 19 22:40:39.892: WV: Received appinfo
validated_tp : CA, matched_ctx : ,cert_username :
Nov 19 22:40:39.892: WV: Trustpoint match successful
Nov 19 22:40:39.892: WV: Client side Chunk data written..
buffer=0x86543640 total_len=607 bytes=607 tcb=0x88D11EEC
Nov 19 22:40:39.892: WV: Appl. processing Failed : 2
Nov 19 22:40:39.892: WV: sslvpn process rcvd context queue eventhttp://www.cisco.com/en/US/products/ps8411/products_qanda_item09186a00809aec31.shtml
HI,
Refer to
AnyConnect VPN Client FAQ
Q. Is it possible to connect the iPad, iPod, or iPhone AnyConnect VPN Client to a Cisco IOS router?
A. No. It is not possible to connect the iPad, iPod, or iPhone AnyConnect VPN Client to a Cisco IOS router. AnyConnect on iPad/iPhone can connect only to an ASA that runs version 8.0(3).1 or later. Cisco IOS is not supported by the AnyConnect VPN Client for Apple iOS. For more information, refer to the Security Appliances and Software Supported section of the Release Notes for Cisco AnyConnect Secure Mobility Client 2.4, Apple iOS 4.2 and 4.3. -
I just want to implement 802.1x authentication, to dynamically assign into differente vlans, can you help me how it should be done? What is the best method? I see the PEAP is much more complex. Initially I'm thinking about Mac-Address based, so that I create all mac-address's in ACS Server that we have, and the VLAN is assigned from there.
Excerpt from Cisco doc:-
7 Appendix C: Procedure to Configure RADIUS-Based User Access Control on Cisco
Secure Access Control Server Software
The procedure to configure RADIUS-based user access control on Cisco Secure ACS Version 2.6 or later is provided
below. This procedure provides configuration information for Internet Engineering Task Force (IETF), Cisco IOS
Software and Cisco PIX? Firewall options that enable RADIUS-based user access control (using VLAN-ID and/or
SSID-list).
1. Select Interface Configuration > Advanced Options; Enable ?Per-user TACACS+/RADIUS Attributes? > Click
on ?Submit.?
2. Select Interface Configuration > RADIUS (IETF).
a. Enable IETF attributes 64, 65, and 81. Enable these options at both User and Group levels.
b. Click on ?Submit.?
3. Select Network Configuration:
a. Confirm that the following option is available on the Cisco Secure ACS: Configuration > RADIUS (Cisco IOS/
PIX). If this option is not available, add a device with network access server-type RADIUS (Cisco IOS/PIX).
This device is needed to enable Cisco IOS/PIX attributes.
b. After adding a Cisco IOS Software or Cisco PIX Firewall device, select Interface Configuration > RADIUS
(Cisco IOS/PIX):
i. Enable the ?[026/009/001] cisco-av-pair? option. Enable this option at both User and Group levels.
ii. Click on ?Submit.?
"You want option B here"
4. Add a User (User Setup > Add/Edit).
a. To restrict user by VLAN-ID:
? Enable and set IETF 64 (Tunnel Type) to ?VLAN.?
? Enable and set IETF 65 (Tunnel Medium Type) to ?802.?
? Enable and set IETF 81 (Tunnel Private Group ID) to VLAN-ID.
Note: Use the same Tag numbers (example: Tag 1) for all the above parameters.
b. To restrict user by SSID (note: SSID is case-sensitive):
? Enable and configure Cisco IOS/PIX RADIUS Attribute, 009\001 cisco-av-pair
? Example: ssid=LEAP_WEP -
AAA Authorization with ACS Shell-Sets
Hi all,
I am using a cisco 871 router running Version 12.4(11)T advanced IP Services.
I am having trouble getting AAA Authorization to work correctly with ACS.
I am able to set the users up on ACS fine and assign them shell and priv level 7.
I then setup a Shell Auth Set, and enter in the commands show and configure.
When I log in as a user, I get an exec with a priv level of 7 no problems, but I never seem to be able
to access global config mode by typing in conf (or configure) terminal or t.
If I type con? the only command there is connect, configure is never an option...
The only way I can get this to work is by entering the command:
privilege exec level 7 configure terminal
I thought the whole purpose of the ACS Shell Set was to provide this information to the Router?
This is most frustrating
The ACS Server is set up with a Shell Command Authorization Set named Level_7
It is assigned to the relevant groups and I even have the "Unmatched Commands" option selected to "Permit"
The "Permit Unmatched Args" is also selected.
See an excerpt of my IOS config below:
aaa new-model
aaa group server tacacs+ ACS
server 10.90.0.11
aaa authentication login default group ACS local
aaa authorization exec default group ACS
aaa authorization commands 7 default group ACS local
tacacs-server host 10.90.0.11 key cisco
privilege exec level 7 configure terminal
privilege exec level 7 configure
privilege exec level 7 show running-config
privilege exec level 7 show
Hope you can help me with this one..
P.s I have tried it with the privilege commands on the router and removed from the router and just keep getting the same results!?Hi,
So here it is,
You are actually using two different options and trying to couple then together. What I would suggest you is either use Shell command authorization set feature or play with privilege level. Not both mixed together.
Above scenario might work, if you move commands to privilege level 6 and give user privilege level 7. It might not sure. Give it a try and share the result.
This is what I suggest the commands back to normal level.
Below provided are steps to configure shell command authorization:
Follow the following steps over the router:
!--- is the desired username
!--- is the desired password
!--- we create a local username and password
!--- in case we are not able to get authenticated via
!--- our tacacs+ server. To provide a back door.
username password privilege 15
!--- To apply aaa model over the router
aaa new-model
!--- Following command is to specify our ACS
!--- server location, where is the
!--- ip-address of the ACS server. And
!--- is the key that should be same over the ACS and the router.
tacacs-server host key
!--- To get users authentication via ACS, when they try to log-in
!--- If our router is unable to contact to ACS, then we will use
!--- our local username & password that we created above. This
!--- prevents us from locking out.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!--- Following commands are for accounting the user's activity,
!--- when user is logged into the device.
aaa accounting exec default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
Configuration on ACS
[1] Goto 'Shared Profile Components' -> 'Shell Command Authorization Sets' -> 'Add'
Provide any name to the set.
provide the sufficent description (if required)
(a) For Full Access administrative set.
In Unmatched Commands, select 'Permit'
(b) For Limited Access set.
In Unmatched commands, select 'Deny'.
And in the box above 'Add Command' box type in the main command, and in box below 'Permit unmatched Args'. Provide with the sub command allow.
For example: If we want user to be only able to access the following commads:
login
logout
exit
enable
disable
show
Then the configuration should be:
------------------------Permit unmatched Args--
login permit
logout permit
exit permit
enable permit
disable permit
configure permit terminal
interface permit ethernet
permit 0
show permit running-config
in above example, user will be allowed to run only above commands. If user tries to execute 'interface ethernet 1', user will get 'Command authorization failed'.
[2] Press 'Submit'.
[3] Goto the group on which we want to apply these command authorization set. Select 'Edit Settings'.
(cont...) -
Cisco 7206 has with LLQ QOS and cpu 85 %
hi all ,
i want to mention issue about cisco router 7206 npeg2 :
can this router handle traffic 780 Mbps as download and 75 MBps as upload ?? with cpu 85 % and with LLQ qos ??
im asking this question because my QOS althoug it matched alot of traffic , it some time get slow and seems that QOS not working fine , im sure that my work is fine, because it was fine , but recent days i added more bw ???!!!!!
dont know if need more memory for router for QOS :
===============================================================
7200Gateway#sh memory
Head Total(b) Used(b) Free(b) Lowest(b) Largest(b)
Processor 6B97A80 1883669308 114125456 1769543852 1768174580 1760364316
I/O 78000000 67108864 4482572 62626292 62598896 62617884
Transient 77000000 16777216 22196 16755020 16222412 16728368
Processor memory
Address Bytes Prev Next Ref PrevF NextF Alloc PC what
06B97A80 0000010004 00000000 06B9A1C4 001 -------- -------- 01A493D8 CEF: fib
06B9A1C4 0000000028 06B97A80 06B9A210 000 87F3D04 87FD620 015FC24C AAA Attr Binary/String
06B9A210 0000004700 06B9A1C4 06B9B49C 001 -------- -------- 01AC85B4 ADJ: adjacency
06B9B49C 0000004100 06B9A210 06B9C4D0 001 -------- -------- 0011245C HTTP CORE
06B9C4D0 0000004100 06B9B49C 06B9D504 001 -------- -------- 00112548 HTTP CORE
06B9D504 0000004100 06B9C4D0 06B9E538 001 -------- -------- 00112548 HTTP CORE
06B9E538 0000004100 06B9D504 06B9F56C 001 -------- -------- 00112548 HTTP CORE
06B9F56C 0000004100 06B9E538 06BA05A0 001 -------- -------- 00112548 HTTP CORE
06BA05A0 0000000756 06B9F56C 06BA08C4 001 -------- -------- 0343C38C Process
06BA08C4 0000000204 06BA05A0 06BA09C0 001 -------- -------- 0343FAB4 Process Events
06BA09C0 0000022764 06BA08C4 06BA62DC 001 -------- -------- 04055CB4 IPSM Octet Str
06BA62DC 0000014488 06BA09C0 06BA9BA4 001 -------- -------- 0405C0C4 ipsm IPSEC Fai
06BA9BA4 0000004100 06BA62DC 06BAABD8 001 -------- -------- 00112548 H
===========================================================================
==========================================
7200Gateway#sh version
Cisco IOS Software, 7200 Software (C7200P-ADVENTERPRISEK9-M), Version 12.4(24)T7, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 28-Feb-12 12:53 by prod_rel_team
ROM: System Bootstrap, Version 12.4(12.2r)T, RELEASE SOFTWARE (fc1)
7200Gateway uptime is 2 weeks, 5 days, 19 hours, 43 minutes
System returned to ROM by power-on
System image file is "disk2:/c7200p-adventerprisek9-mz.124-24.T7.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
Cisco 7206VXR (NPE-G2) processor (revision A) with 1966080K/65536K bytes of memory.
Processor board ID 13252317
MPC7448 CPU at 1666Mhz, Implementation 0, Rev 2.2
6 slot VXR midplane, Version 2.0
Last reset from power-on
PCI bus mb1 (Slots 1, 3 and 5) has a capacity of 600 bandwidth points.
Current configuration on bus mb1 has a total of 0 bandwidth points.
This configuration is within the PCI bus capacity and is supported.
PCI bus mb2 (Slots 2, 4 and 6) has a capacity of 600 bandwidth points.
Current configuration on bus mb2 has a total of 0 bandwidth points.
This configuration is within the PCI bus capacity and is supported.
Please refer to the following document "Cisco 7200 Series Port Adaptor
Hardware Configuration Guidelines" on Cisco.com <http://www.cisco.com>
for c7200 bandwidth points oversubscription and usage guidelines.
1 FastEthernet interface
3 Gigabit Ethernet interfaces
2045K bytes of NVRAM.
250880K bytes of ATA PCMCIA card at slot 2 (Sector size 512 bytes).
65536K bytes of Flash internal SIMM (Sector size 512K).
Configuration register is 0x2102
==============================================================
7200Gateway#sh processes cpu
CPU utilization for five seconds: 85%/84%; one minute: 84%; five minutes: 84%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
1 32 416 76 0.00% 0.00% 0.00% 0 Chunk Manager
2 32788 342520 95 0.00% 0.05% 0.05% 0 Load Meter
3 0 1 0 0.00% 0.00% 0.00% 0 chkpt message ha
4 0 1 0 0.00% 0.00% 0.00% 0 EDDRI_MAIN
5 2624584 213262 12306 0.00% 0.03% 0.04% 0 Check heaps
6 56 373 150 0.00% 0.00% 0.00% 0 Pool Manager
7 0 2 0 0.00% 0.00% 0.00% 0 Timers
8 0 2 0 0.00% 0.00% 0.00% 0 ATM AutoVC Perio
9 0 2 0 0.00% 0.00% 0.00% 0 ATM VC Auto Crea
10 16 28543 0 0.00% 0.00% 0.00% 0 IPC Dynamic Cach
11 0 1 0 0.00% 0.00% 0.00% 0 IPC Zone Manager
12 688 1670887 0 0.00% 0.00% 0.00% 0 IPC Periodic Tim
13 520 1670887 0 0.00% 0.00% 0.00% 0 IPC Deferred Por
14 0 1 0 0.00% 0.00% 0.00% 0 IPC Seat Manager
15 0 1 0 0.00% 0.00% 0.00% 0 IPC BackPressure
16 9007072 30711869 293 1.35% 0.15% 0.11% 0 EnvMon
17 0 1 0 0.00% 0.00% 0.00% 0 OIR Handler
18 0 1 0 0.00% 0.00% 0.00% 0 Crash writer
19 1380 3892 354 0.00% 0.00% 0.00% 0 ARP Input
20 1584 1784473 0 0.00% 0.00% 0.00% 0 ARP Background
21 0 2 0 0.00% 0.00% 0.00% 0 ATM Idle Timer
22 0 1 0 0.00% 0.00% 0.00% 0 CEF MIB API
23 4 134 29 0.00% 0.00% 0.00% 0 AAA high-capacit
24 0 1 0 0.00% 0.00% 0.00% 0 AAA_SERVER_DEADT
25 0 1 0 0.00% 0.00% 0.00% 0 Policy Manager
26 0 2 0 0.00% 0.00% 0.00% 0 DDR Timers
27 0 5 0 0.00% 0.00% 0.00% 0 Entity MIB API
28 0 2 0 0.00% 0.00% 0.00% 0 Serial Backgroun
29 0 1 0 0.00% 0.00% 0.00% 0 RO Notify Timers
30 0 1 0 0.00% 0.00% 0.00% 0 RMI RM Notify Wa
31 28 281 99 0.00% 0.00% 0.00% 0 EEM ED Syslog
32 0 2 0 0.00% 0.00% 0.00% 0 SMART
33 724 1712571 0 0.00% 0.00% 0.00% 0 GraphIt
34 0 2 0 0.00% 0.00% 0.00% 0 Dialer event
35 0 1 0 0.00% 0.00% 0.00% 0 SERIAL A'detect
36 0 2 0 0.00% 0.00% 0.00% 0 XML Proxy Client
37 0 2 0 0.00% 0.00% 0.00% 0 VSA background
38 0 1 0 0.00% 0.00% 0.00% 0 VSA Cleanup Proc
39 0 1 0 0.00% 0.00% 0.00% 0 Critical Bkgnd
40 4348 444483 9 0.00% 0.00% 0.00% 0 Net Background
41 0 2 0 0.00% 0.00% 0.00% 0 IDB Work
42 32 501 63 0.00% 0.00% 0.00% 0 Logger
43 1236 1710802 0 0.00% 0.00% 0.00% 0 TTY Background
44 16504 1712627 9 0.07% 0.00% 0.00% 0 Per-Second Jobs
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
45 20 34 588 0.00% 0.00% 0.00% 0 IF-MGR control p
46 8 40 200 0.00% 0.00% 0.00% 0 IF-MGR event pro
47 0 1 0 0.00% 0.00% 0.00% 0 Inode Table Dest
48 0 1 0 0.00% 0.00% 0.00% 0 IKE HA Mgr
49 0 1 0 0.00% 0.00% 0.00% 0 IPSEC HA Mgr
50 4 4 1000 0.00% 0.00% 0.00% 0 rf task
51 12808 179149 71 0.00% 0.00% 0.00% 0 Net Input
52 1304 342532 3 0.00% 0.00% 0.00% 0 Compute load avg
53 610136 28974 21058 0.00% 0.00% 0.00% 0 Per-minute Jobs
54 0 1 0 0.00% 0.00% 0.00% 0 Token Daemon
55 4 10570 0 0.00% 0.00% 0.00% 0 Transport Port A
56 1272 505453 2 0.00% 0.00% 0.00% 0 HC Counter Timer
57 0 1 0 0.00% 0.00% 0.00% 0 Coproc Event Pro
58 0 1 0 0.00% 0.00% 0.00% 0 POS APS Event Pr
59 0 1 0 0.00% 0.00% 0.00% 0 SONET alarm time
60 0 1 0 0.00% 0.00% 0.00% 0 CSP Timer
61 204 4 51000 0.00% 0.00% 0.00% 0 USB Startup
62 0 2 0 0.00% 0.00% 0.00% 0 FPD Management P
63 0 1 0 0.00% 0.00% 0.00% 0 FPD Action Proce
64 0 2 0 0.00% 0.00% 0.00% 0 VNM DSPRM MAIN
65 0 1 0 0.00% 0.00% 0.00% 0 RF_INTERDEV_DELA
66 0 1 0 0.00% 0.00% 0.00% 0 RF_INTERDEV_SCTP
67 464 1712577 0 0.00% 0.00% 0.00% 0 ISA Common Helpe
68 0 2 0 0.00% 0.00% 0.00% 0 Flash MIB Update
69 0 58 0 0.00% 0.00% 0.00% 0 Flash Card Oir
70 0 1 0 0.00% 0.00% 0.00% 0 CES Line Conditi
71 0 1 0 0.00% 0.00% 0.00% 0 CF_INTERDEV_SCTP
72 0 1 0 0.00% 0.00% 0.00% 0 Async write proc
73 0 2 0 0.00% 0.00% 0.00% 0 Ethernet CFM
74 736 1670893 0 0.00% 0.00% 0.00% 0 Ethernet Timer C
75 0 1 0 0.00% 0.00% 0.00% 0 delayed evt hand
76 28 112 250 0.00% 0.00% 0.00% 0 AAA Server
77 0 1 0 0.00% 0.00% 0.00% 0 AAA ACCT Proc
78 0 1 0 0.00% 0.00% 0.00% 0 ACCT Periodic Pr
79 0 2 0 0.00% 0.00% 0.00% 0 AAA Dictionary R
80 744 1670882 0 0.00% 0.00% 0.00% 0 BGP Scheduler
81 0 2 0 0.00% 0.00% 0.00% 0 Ethernet OAM Pro
82 0 2 0 0.00% 0.00% 0.00% 0 Ethernet LMI
83 0 2 0 0.00% 0.00% 0.00% 0 CEF switching ba
84 3684 14726 250 0.00% 0.00% 0.00% 0 ADJ resolve proc
85 8 30 266 0.00% 0.00% 0.00% 0 IP ARP Adjacency
86 0 1 0 0.00% 0.00% 0.00% 0 IP ARP Retry Age
87 3481296 6804010 511 0.00% 0.02% 0.01% 0 IP Input
88 0 1 0 0.00% 0.00% 0.00% 0 ICMP event handl
89 0 9 0 0.00% 0.00% 0.00% 0 TurboACL
90 0 2 0 0.00% 0.00% 0.00% 0 TurboACL chunk
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
91 0 1 0 0.00% 0.00% 0.00% 0 IPv6 Echo event
92 16 2854 5 0.00% 0.00% 0.00% 0 MOP Protocols
93 0 1 0 0.00% 0.00% 0.00% 0 LSP Tunnel FRR
94 0 1 0 0.00% 0.00% 0.00% 0 MPLS Auto-Tunnel
95 0 3 0 0.00% 0.00% 0.00% 0 PPP Hooks
96 0 1 0 0.00% 0.00% 0.00% 0 Async write proc
97 0 1 0 0.00% 0.00% 0.00% 0 SSS Manager
98 0 1 0 0.00% 0.00% 0.00% 0 SSS Feature Mana
99 0 1 0 0.00% 0.00% 0.00% 0 SSS Feature Time
100 0 2 0 0.00% 0.00% 0.00% 0 Spanning Tree
101 0 1 0 0.00% 0.00% 0.00% 0 X.25 Encaps Mana
102 20 96 208 0.00% 0.00% 0.00% 0 SSM connection m
103 0 1 0 0.00% 0.00% 0.00% 0 AC Switch
104 4 5709 0 0.00% 0.00% 0.00% 0 Authentication P
105 0 1 0 0.00% 0.00% 0.00% 0 Auth-proxy AAA B
106 0 2 0 0.00% 0.00% 0.00% 0 EAPoUDP Process
107 0 2 0 0.00% 0.00% 0.00% 0 IP Host Track Pr
108 0 2 0 0.00% 0.00% 0.00% 0 KRB5 AAA
109 1152 49386 23 0.00% 0.00% 0.00% 0 IP Background
110 2276 28582 79 0.00% 0.00% 0.00% 0 IP RIB Update
111 60 34442 1 0.00% 0.00% 0.00% 0 CEF background p
112 6784 2485297 2 0.00% 0.00% 0.00% 0 CEF: IPv4 proces
113 12 104 115 0.00% 0.00% 0.00% 0 ADJ background
114 0 2 0 0.00% 0.00% 0.00% 0 PPP IP Route
115 0 2 0 0.00% 0.00% 0.00% 0 PPP IPCP
116 0 1 0 0.00% 0.00% 0.00% 0 IP Traceroute
117 7292 7550370 0 0.00% 0.00% 0.00% 0 TCP Timer
118 1300 10511 123 0.00% 0.00% 0.00% 0 TCP Protocols
119 0 1 0 0.00% 0.00% 0.00% 0 Socket Timers
120 18228 11429 1594 0.00% 0.00% 0.00% 0 HTTP CORE
121 0 2 0 0.00% 0.00% 0.00% 0 RLM groups Proce
122 0 1 0 0.00% 0.00% 0.00% 0 L2X Data Daemon
123 0 1 0 0.00% 0.00% 0.00% 0 ac_atm_state_eve
124 0 2 0 0.00% 0.00% 0.00% 0 SNMP Timers
125 1320 1710737 0 0.00% 0.00% 0.00% 0 RUDPV1 Main Proc
126 0 1 0 0.00% 0.00% 0.00% 0 bsm_timers
127 568 1710728 0 0.00% 0.00% 0.00% 0 bsm_xmt_proc
128 0 1 0 0.00% 0.00% 0.00% 0 COPS
129 0 2 0 0.00% 0.00% 0.00% 0 Dialer Forwarder
130 0 3 0 0.00% 0.00% 0.00% 0 Flow Exporter Ti
131 0 2 0 0.00% 0.00% 0.00% 0 ATM OAM Input
132 0 2 0 0.00% 0.00% 0.00% 0 ATM OAM TIMER
133 0 1 0 0.00% 0.00% 0.00% 0 RARP Input
134 0 1 0 0.00% 0.00% 0.00% 0 IPv6 Inspect Tim
135 0 1 0 0.00% 0.00% 0.00% 0 LAPB Process
136 0 2 0 0.00% 0.00% 0.00% 0 LFDp Input Proc
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
137 0 1 0 0.00% 0.00% 0.00% 0 PAD InCall
138 0 2 0 0.00% 0.00% 0.00% 0 X.25 Background
139 0 2 0 0.00% 0.00% 0.00% 0 PPP Bind
140 0 2 0 0.00% 0.00% 0.00% 0 PPP SSS
141 0 1 0 0.00% 0.00% 0.00% 0 MQC Flow Event B
142 35504 424737438 0 0.23% 0.25% 0.23% 0 HQF Shaper Backg
143 4068 17031478 0 0.00% 0.00% 0.00% 0 RBSCP Background
144 0 2 0 0.00% 0.00% 0.00% 0 SCTP Main Proces
145 0 1 0 0.00% 0.00% 0.00% 0 VPDN call manage
146 0 1 0 0.00% 0.00% 0.00% 0 CHKPT EXAMPLE
147 0 1 0 0.00% 0.00% 0.00% 0 CHKPT DevTest
148 0 1 0 0.00% 0.00% 0.00% 0 IPS Process
149 0 2 0 0.00% 0.00% 0.00% 0 IPS Auto Update
150 0 2 0 0.00% 0.00% 0.00% 0 SDEE Management
151 948 3338807 0 0.00% 0.00% 0.00% 0 Inspect process
152 0 1 0 0.00% 0.00% 0.00% 0 xcpa-driver
153 52 136947 0 0.00% 0.00% 0.00% 0 FW DP Inspect pr
154 1112 3338806 0 0.00% 0.00% 0.00% 0 CCE DP URLF cach
155 0 2 0 0.00% 0.00% 0.00% 0 URL filter proc
156 0 1 0 0.00% 0.00% 0.00% 0 XSM_EVENT_ENGINE
157 144 171238 0 0.00% 0.00% 0.00% 0 XSM_ENQUEUER
158 68 171238 0 0.00% 0.00% 0.00% 0 XSM Historian
159 0 1 0 0.00% 0.00% 0.00% 0 Select Timers
160 4 2 2000 0.00% 0.00% 0.00% 0 HTTP Process
161 0 2 0 0.00% 0.00% 0.00% 0 CIFS API Process
162 0 2 0 0.00% 0.00% 0.00% 0 CIFS Proxy Proce
163 0 1 0 0.00% 0.00% 0.00% 0 Crypto HW Proc
164 56 114166 0 0.00% 0.00% 0.00% 0 ACE policy loade
165 156 68505 2 0.00% 0.00% 0.00% 0 CRM_CALL_UPDATE_
166 36688 172862 212 0.00% 0.00% 0.00% 0 BGP I/O
167 0 2 0 0.00% 0.00% 0.00% 0 AAA Cached Serve
168 0 2 0 0.00% 0.00% 0.00% 0 ENABLE AAA
169 0 1 0 0.00% 0.00% 0.00% 0 EM Background Pr
170 0 1 0 0.00% 0.00% 0.00% 0 Key chain liveke
171 0 2 0 0.00% 0.00% 0.00% 0 LINE AAA
172 44 112 392 0.00% 0.00% 0.00% 0 LOCAL AAA
173 0 42 0 0.00% 0.00% 0.00% 0 MPLS Auto Mesh P
174 0 2 0 0.00% 0.00% 0.00% 0 TPLUS
175 0 2 0 0.00% 0.00% 0.00% 0 VSP_MGR
176 0 1 0 0.00% 0.00% 0.00% 0 FW_TEST_TRP
177 0 1 0 0.00% 0.00% 0.00% 0 EPM MAIN PROCESS
178 4 3 1333 0.00% 0.00% 0.00% 0 Crypto WUI
179 0 2 0 0.00% 0.00% 0.00% 0 Crypto Support
180 0 1 0 0.00% 0.00% 0.00% 0 IPSECv6 PS Proc
181 0 1 0 0.00% 0.00% 0.00% 0 CCVPM_HTSP
182 0 1 0 0.00% 0.00% 0.00% 0 CCVPM_R2
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
183 0 1 0 0.00% 0.00% 0.00% 0 EPHONE MWI Refre
184 0 1903 0 0.00% 0.00% 0.00% 0 FB/KS Log HouseK
185 0 2 0 0.00% 0.00% 0.00% 0 EPHONE MWI BG Pr
186 0 1 0 0.00% 0.00% 0.00% 0 Skinny HW confer
187 0 1 0 0.00% 0.00% 0.00% 0 CCSWVOICE
188 206492 114180 1808 0.00% 0.00% 0.00% 0 BGP Scanner
189 0 1 0 0.00% 0.00% 0.00% 0 http client proc
190 0 3 0 0.00% 0.00% 0.00% 0 BGP Event
191 0 1 0 0.00% 0.00% 0.00% 0 QOS_MODULE_MAIN
192 0 1 0 0.00% 0.00% 0.00% 0 RPMS_PROC_MAIN
193 0 1 0 0.00% 0.00% 0.00% 0 VoIP AAA
194 0 2 0 0.00% 0.00% 0.00% 0 Dialog Manager
195 184 104 1769 0.00% 0.00% 0.00% 0 crypto engine pr
196 0 4 0 0.00% 0.00% 0.00% 0 Crypto CA
197 0 1 0 0.00% 0.00% 0.00% 0 Crypto PKI-CRL
198 28008 64288 435 0.00% 0.00% 0.00% 0 encrypt proc
199 384768 28300 13596 0.00% 0.00% 0.00% 0 crypto sw pk pro
200 8 27 296 0.00% 0.00% 0.00% 0 Crypto INT
201 456 2019 225 0.00% 0.00% 0.00% 0 Crypto IKE Dispa
202 2128 2714 784 0.00% 0.00% 0.00% 0 Crypto IKMP
203 0 1 0 0.00% 0.00% 0.00% 0 IPSEC manual key
204 180 85737 2 0.00% 0.00% 0.00% 0 IPSEC key engine
205 0 1 0 0.00% 0.00% 0.00% 0 CRYPTO QoS proce
206 28 142 197 0.00% 0.00% 0.00% 0 Crypto ACL
207 0 1 0 0.00% 0.00% 0.00% 0 Crypto PAS Proc
208 0 1 0 0.00% 0.00% 0.00% 0 GDOI GM Process
209 0 1 0 0.00% 0.00% 0.00% 0 UNICAST REKEY
210 0 1 0 0.00% 0.00% 0.00% 0 UNICAST REKEY AC
211 0 1 0 0.00% 0.00% 0.00% 0 MV64 TDR Process
212 0 1 0 0.00% 0.00% 0.00% 0 IMA Traps
213 0 1 0 0.00% 0.00% 0.00% 0 SYSMGT Events
214 0 2 0 0.00% 0.00% 0.00% 0 Control-plane ho
215 0 1 0 0.00% 0.00% 0.00% 0 DATA Transfer Pr
216 0 1 0 0.00% 0.00% 0.00% 0 DATA Collector
217 0 1 0 0.00% 0.00% 0.00% 0 Async write proc
218 116 292 397 0.00% 0.00% 0.00% 0 AAA SEND STOP EV
219 136 171243 0 0.00% 0.00% 0.00% 0 RMON Recycle Pro
220 0 2 0 0.00% 0.00% 0.00% 0 RMON Deferred Se
221 0 1 0 0.00% 0.00% 0.00% 0 Syslog Traps
222 0 2 0 0.00% 0.00% 0.00% 0 EEM ED Resource
223 0 2 0 0.00% 0.00% 0.00% 0 EEM ED Routing
224 0 3 0 0.00% 0.00% 0.00% 0 EEM ED Track
225 80 53575 1 0.00% 0.00% 0.00% 0 Crypto cTCP proc
226 0 1 0 0.00% 0.00% 0.00% 0 IP SLAs Ethernet
227 4 1 4000 0.00% 0.00% 0.00% 0 RMON Packets
228 820 1709984 0 0.00% 0.00% 0.00% 0 trunk conditioni
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
229 0 1 0 0.00% 0.00% 0.00% 0 trunk conditioni
230 12 120 100 0.00% 0.00% 0.00% 0 EEM Server
231 4 2 2000 0.00% 0.00% 0.00% 0 Call Home proces
232 52 260 200 0.00% 0.00% 0.00% 0 Syslog
233 0 1 0 0.00% 0.00% 0.00% 0 VPDN Test
234 0 2 0 0.00% 0.00% 0.00% 0 EEM Policy Direc
235 0 2 0 0.00% 0.00% 0.00% 0 EEM ED CLI
236 0 3 0 0.00% 0.00% 0.00% 0 EEM ED Counter
237 0 3 0 0.00% 0.00% 0.00% 0 EM ED GOLD
238 0 3 0 0.00% 0.00% 0.00% 0 EEM ED Interface
239 0 3 0 0.00% 0.00% 0.00% 0 EEM ED IOSWD
240 0 3 0 0.00% 0.00% 0.00% 0 EEM ED Ipsla
241 0 3 0 0.00% 0.00% 0.00% 0 EEM ED None
242 0 2 0 0.00% 0.00% 0.00% 0 EEM ED Nf
243 0 3 0 0.00% 0.00% 0.00% 0 EEM ED OIR
244 0 3 0 0.00% 0.00% 0.00% 0 EEM ED RF
245 0 3 0 0.00% 0.00% 0.00% 0 EEM ED SNMP
246 0 2 0 0.00% 0.00% 0.00% 0 EEM ED SNMP Noti
247 36 42890 0 0.00% 0.00% 0.00% 0 EEM ED Timer
248 0 3 0 0.00% 0.00% 0.00% 0 EEM ED Test
249 0 3 0 0.00% 0.00% 0.00% 0 EEM ED Config
250 0 3 0 0.00% 0.00% 0.00% 0 EEM ED Env
251 0 3 0 0.00% 0.00% 0.00% 0 EEM ED RPC
252 0 2 0 0.00% 0.00% 0.00% 0 cpf_process_msg_
253 0 1 0 0.00% 0.00% 0.00% 0 Key Proc
254 36 28543 1 0.00% 0.00% 0.00% 0 Call Home Timer
255 0 1 0 0.00% 0.00% 0.00% 0 tHUB
256 0 1 0 0.00% 0.00% 0.00% 0 Async write proc
257 104 953 109 0.00% 0.00% 0.00% 0 SSH Event handle
258 16 28543 0 0.00% 0.00% 0.00% 0 Secure Login
259 84 54 1555 0.00% 0.00% 0.00% 0 Tunnel Security
260 56 67 835 0.00% 0.00% 0.00% 0 Crypto SS Proces
261 0 1 0 0.00% 0.00% 0.00% 0 cpf_process_tpQ
262 0 1 0 0.00% 0.00% 0.00% 0 TCP Listener
263 0 2 0 0.00% 0.00% 0.00% 0 IP Flow Top Talk
264 1180 3338804 0 0.00% 0.00% 0.00% 0 IP NAT Ager
265 0 1 0 0.00% 0.00% 0.00% 0 IP NAT WLAN
266 24 28563 0 0.00% 0.00% 0.00% 0 IP SLAs Event Pr
267 434504 1489526 291 0.00% 0.00% 0.00% 0 IP SNMP
268 170304 877961 193 0.00% 0.00% 0.00% 0 PDU DISPATCHER
269 495704 877992 564 0.00% 0.00% 0.00% 0 SNMP ENGINE
270 0 2 0 0.00% 0.00% 0.00% 0 IP SNMPV6
271 0 1 0 0.00% 0.00% 0.00% 0 SNMP ConfCopyPro
272 0 1 0 0.00% 0.00% 0.00% 0 SNMP Traps
273 1185420 1715196 691 0.00% 0.00% 0.00% 0 NTP
274 412 29 14206 0.00% 0.00% 0.00% 0 VTEMPLATE Backgr
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
275 18608 174262 106 0.00% 0.00% 0.00% 0 BGP Router
276 36 27171 1 0.00% 0.00% 0.00% 0 DFS flush period
277 8 12 666 0.00% 0.00% 0.00% 0 Collection proce
278 16 651 24 0.00% 0.00% 0.00% 0 CRYPTO IKMP IPC
279 1724 850 2028 0.00% 0.00% 0.00% 2 SSH Process
281 0 1 0 0.00% 0.00% 0.00% 0 Skinny MOH Event
282 64 173856 0 0.00% 0.00% 0.00% 0 Skinny Socket Se
283 0 1451 0 0.00% 0.00% 0.00% 0 Web Write Housek
==============================================================
wish to help ASAPJosephDoherty wrote:DisclaimerThe Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.Liability DisclaimerIn no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.PostingThe fact you are matching with any ACLs, will decrease maximum performance.The fact you are using a policy-may, will decrease maximum performance.The fact is a -G2 only has finite capacity.In other words, what you're seeing might be completely normal for your traffic volume, your traffic composition and your configuration.If you believe your router is overloaded, and generally above 75% CPU might be so considered, either you'll need a faster device (see ASR 1Ks), or you might try changing your configuration to decrease your configuration load on the router.What's your CPU load if your remove the policy-map from the interface?If removing the policy-map from the interface shows a significant CPU loading decrease - QED.If you need/desire such QoS, then you'll want a "faster" router.You might be also able to decrease your CPU a little by some "tuning". I already mention the TurboACL feature statement. With ACLs, fewer are faster, and how they ordered (especially without TurboACL) impacts CPU. How you order you class-maps, within a policy, and how the match statements are ordered will also have some impact on the CPU load. If buffers are being allocated/deallocated, that too will impact CPU loading. I assume CEF is enabled, but for some traffic, flow caching might decrease CPU load.Remember a software based router, like the 7200s, are, more or less, a computer that takes your configuration and determines what's to be done with every packet it "sees". The more your configuration requires for per packet analysis, the more load for each packet.There are whitepapers addressing high CPU load caused by "process switching", but what you posted appears to be mostly all interrupt processing, which is "fast path", or optimal, packet forwarding. There's not much you can normally do to improve against that, other than insuring your configuration is as optimal as possible for your needs (again, things like sequencing/ordering of statements).
hi ,
thanks very very much for this nice information,
let me answer you :
you said that NPE G2 has finite capacity , but how to know this full capacity ???
i mean that my policy map is matching the traffic , but the matched traffic is not being enhancemend ??!!!
last about two weeks , the matched traffic of youtube was excellent and no interrupt durting the my rush hour.
i didnt change any thing, but my bw increased from 730 Mbps to 760Mbps ,
im un able to make sure that i need to chnage my platform to faster one.
agian
my cpu is 60 % without QOS
after QOS it increase to 80-85 %
agian ,
about NBAR
i want to tell you that i cant depend on NBAR , as an example , im matching the ips of videos of facebook , i cant depend on NBAR because it is https videos.
but in summary ,
my qos is matching well , but i have no real enhancement for my traffic.
did you face my issue before ???
i mean have you see like my problem ?
like my router platform with cpu over 80 % and 750Mbps , and matched qos without good result ??
note that i upgraded to iso 15 , but seems same issue !!!
regards -
Cisco IOS SSL VPN Not Working - Internet Explorer
Hi All,
I seem to be having a strange SSL VPN issue. I have a Cisco 877 router with c870-advsecurityk9-mz.124-24.T4.bin and I cannot get the SSL VPN (Web VPN) working with Internet Explorer (tried both IE8 on XP and IE9 on Windows 7). Whenever I browse to https://x.x.x.x, I get "Internet Explorer Cannot Display The Webpage". It sort of works with Chrome (I can get the webpage and login, but I can't start the thin client, when I click on Start, nothing happens). It only seems to work with Firefox. It seems quite similar to this issue with the ASAs - http://www.infoworld.com/d/applications/cisco-asa-users-cant-use-ssl-vpns-ie-8-901
Below is the config snippet:
username vpntest password XXXXX
aaa authentication login default local
crypto pki trustpoint TP-self-signed-1873082433
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1873082433
revocation-check none
rsakeypair TP-self-signed-1873082433
crypto pki certificate chain TP-self-signed-1873082433
certificate self-signed 01
--- omitted ---
quit
webvpn gateway SSLVPN
hostname Router
ip address X.X.X.X port 443
ssl encryption aes-sha1
ssl trustpoint TP-self-signed-1873082433
inservice
webvpn context SSLVPN
title "Blah Blah"
ssl authenticate verify all
login-message "Enter the magic words..."
port-forward "PortForwardList"
local-port 33389 remote-server "10.0.1.3" remote-port 3389 description "RDP"
policy group SSL-Policy
port-forward "PortForwardList" auto-download
default-group-policy SSL-Policy
gateway SSLVPN
max-users 3
inservice
I've tried:
*Enabling SSL 2.0 in IE
*Adding the site to the Trusted Sites in IE
*Adding it to the list of sites allowed to use Cookies
At a loss to figure this out. Has anyone else come across this before? Considering the Cisco website itself shows an example using IE (http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008072aa61.shtml), surely it should work in IE you'd think?
ThanksHi,
I would check where exactly it is failing, either in the ssl connection itself or something after that. The best way to do that is run a wireshark capture when you try to access the page using IE. You can compare this with the one with Mozilla too just to confirm the ssl is working fine.
Also can you try with different SSL ciphers as one difference between browsers is the ciphers they use. 3des should be a good option to try. -
ISE 1.1.3 en Cisco IOS SCEP
Hi,
I'm running Cisco ISE 1.1.3.124 and a Cisco IOS 2811 (c2800nm-spservicesk9-mz.150-1.M2.bin) which I configured the be a SCEP server.
PKI Authentication and enrollment of a Cisco switch with this SCEP server is running well but BYOD clients enrollment via EAP-TLS (1024/2048) giving me the following error on the Cisco IOS SCEP server:
SCEP#
.Mar 17 15:21:59.446: Sun, 17 Mar 2013 15:21:59 GMT 10.0.0.164 /cgi-bin/pkiclient.exe ok
Protocol = HTTP/1.1 Method = GET Query = operation=PKIOperation&message=MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgU
AMIAGCSqGSIb3DQEHAaCAJIAEggPoMIAGCSqGSIb3DQEHA6CAMIACAQAxggEvMIIBKwIBADATMA4xDDAKBgNVBAMTA2lzZQIBA
TANBgkqhkiG9w0BAQEFAASCAQAmbK6WZ5L6gw+uh7h4Qi53XL76QsBNcY8E6cMxWDp8hWbLvujNOylSvJLF
.Mar 17 15:21:59.446:
.Mar 17 15:21:59.454: CRYPTO_CS: received a SCEP request, 3652 bytes
.Mar 17 15:21:59.454: CRYPTO_CS: read SCEP: registered and bound service SCEP_READ_DB_10
.Mar 17 15:21:59.482: CRYPTO_CS: scep msg type - 19
.Mar 17 15:21:59.482: CRYPTO_CS: trans id - 9871e81c65121310b77df8b341c7c887a5392da2
.Mar 17 15:21:59.486: CRYPTO_CS: failed to open env data
.Mar 17 15:21:59.486: CRYPTO_CS: read SCEP: unregistered and unbound service SCEP_READ_DB_10
.Mar 17 15:21:59.486: CRYPTO_CS: failed to read SCEP request
.Mar 17 15:21:59.502: Sun, 17 Mar 2013 15:21:59 GMT 10.0.0.164 /cgi-bin/pkiclient.exe ok
SCEP#
I'm stuck now on the message: failed to open env data. So can anyone explain what the meaning is of this message or maybe know if IOS SCEP with ISE is supported ?
Thanks in advance.
greetz Michel
btw the tracelog of the switch enrollment with IOS SCEP is below:
SCEP#
.Mar 17 14:57:10.932: Sun, 17 Mar 2013 14:57:10 GMT 10.0.0.161 /cgi-bin/pkiclient.exe ok
Protocol = HTTP/1.0 Method = GET Query = operation=PKIOperation&message=MIIGWgYJKoZIhvcNAQcCoIIGSzCCBkcCAQExCzAJBgUrDgMCGgUAMIIDAAYJKoZI
hvcNAQcBoIIC8QSCAu0wggLpBgkqhkiG9w0BBwOgggLaMIIC1gIBADGBujCBtwIB
ADAgMBsxGTAXBgNVBAMTEGNhLndlc3R3aWp6ZXIubmwCAQEwDQYJKoZIhvcNAQEB
BQAEgYAo/LNaINm+tcgzF8V8d7d5x
.Mar 17 14:57:10.932:
.Mar 17 14:57:10.936: CRYPTO_CS: received a SCEP request, 2210 bytes
.Mar 17 14:57:10.940: CRYPTO_CS: read SCEP: registered and bound service SCEP_READ_DB_1
.Mar 17 14:57:10.948: CRYPTO_CS: scep msg type - 19
.Mar 17 14:57:10.948: CRYPTO_CS: trans id - 59D142A6D0F525668626A435229BAAF1
.Mar 17 14:57:11.040: CRYPTO_CS: read SCEP: unregistered and unbound service SCEP_READ_DB_1
.Mar 17 14:57:11.040: CRYPTO_CS: received an enrollment request
.Mar 17 14:57:11.040: CRYPTO_PKI: creating trustpoint clone ise1
.Mar 17 14:57:11.040: CRYPTO_CS: checking policy for enrollment request ID=1
.Mar 17 14:57:11.040: CRYPTO_CS: request has been authorized, transaction id=59D142A6D0F525668626A435229BAAF1
.Mar 17 14:57:11.040: CRYPTO_CS: locking the CS
.Mar 17 14:57:11.040: CRYPTO_CS: added CDP extension
.Mar 17 14:57:11.044: CRYPTO_CS: added key usage extension
.Mar 17 14:57:11.044: CRYPTO_CS: Validity: 13:57:11 UTC Mar 17 2013-13:57:11 UTC Oct 3 2013
.Mar 17 14:57:11.128: CRYPTO_CS: writing serial number 0x2.
.Mar 17 14:57:11.180: CRYPTO_CS: file opened: nvram:ise.ser
.Mar 17 14:57:11.180: CRYPTO_CS: Writing 32 bytes to ser file
.Mar 17 14:57:13.864: CRYPTO_CS: reqID=1 granted, fingerprint=2
.Mar 17 14:57:13.864: CRYPTO_CS: unlocking the CS
.Mar 17 14:57:13.864: CRYPTO_CS: write SCEP: registered and bound service SCEP_WRTE_DB_1
.Mar 17 14:57:13.984: CRYPTO_CS: write SCEP: unregistered and unbound service SCEP_WRTE_DB_1
.Mar 17 14:57:13.988: CRYPTO_CS: Certificate generated and sent to requestor
.Mar 17 14:57:13.988: CRYPTO_CS: removing trustpoint clone ise1Michel,
Officially supported it is not:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCud86973
Some people mentioned varios degrees of "having it working".
In your case it's the envelope data which appears to be a problem for IOS.
M. -
LMS 3.2 integration with ACS 5.1
Hi
Is it
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin-top:0cm;
mso-para-margin-right:0cm;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0cm;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:minor-bidi;
mso-fareast-language:EN-US;}
possible to integrate LMS 3.2 with ACS 5.1? I know it works with ACS 4.X, but I can't get it to work with ACS 5.1.
Here is a link to how to do it with ACS 4.X:
http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/prod_white_paper0900aecd80613f62.html
Regards
Reidar/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin-top:0cm;
mso-para-margin-right:0cm;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0cm;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:minor-bidi;}
Thanks Reidar.... hmm very strange. I really wish an expert would respond to this thread as it will help a lot of people who might be planning to deploy these versions and they can help put this matter to rest once and for all. Not sure why LMS 3.2 will not support ACS 5.1 and it might help to know when it will (updates etc). Kindly let me know if you get any further information. My deployment is so large that setting a local username and password on all the devices is not an option unfortunately ....... -
Basic questions about CISCO IOS
Hi everybody, Jack here,
I have some basic questions about the Cisco IOS, could someone help me addressing some of them please? Any feedback would be greatly appreciated.
Basically, I have two IP addresses assigned by our Cable ISP. From what I understood you can configure a Cisco router for multiple IP addresses using the IOS, thereby allowing someone like myself to take advantage of having multiple IP addresses. This may seem unnecessary to some, but I've always wanted to put the 2nd IP address to use, since after all, I've been paying for it.
I was just wondering if someone could confirm that what I'm hoping to accomplish is indeed within the capability of the Cisco IOS (i.e. Fully utilize my 2 IP addresses). As well, if someone could kindly suggest a decent CISCO router for online gaming home use that would be super awesome!
Thank you all so much for reading through the wall of text:)
JackJack
Certainly using multiple IP addresses is in the capability of Cisco IOS routers. How they can be used depends on the relationship of the IP addresses. I am assuming that we are talking about IP addresses assigned for the user to use and that the IP address for the ISP connection is not one of these that we are talking about.
If both of the IP addresses that you have been assigned are within the same subnet then you would assign one of the addresses to the router interface to establish IP communication between the router and the ISP and to enable Internet connectivity for the devices inside your network that will use the router as their gateway to the Internet. The other address that is assigned can be used for address translation and in particular for static address translation which would make one of your devices inside to be reachable for connections initiated from the Internet (if that is something that you might want to do).
If the addresses that are assigned to you are in different subnets then you could assign one address to the outside router interface and assign the other address to the router inside interface. Or you could use the second address for address translation.
I do not have much expertise with online gaming, but I would think that either the Cisco 881 router or the 890 router might be appropriate for you. If 100 Mb connection is sufficient then probably the 881 would be the one to look at. If you need Gig connection then look at the 890.
HTH
Rick -
Dynamic Vlan Assigment on 2950 with acs 4.2
Hello to everyone
We have a problem with Cisco 2950G 48 EI and ACS (version 4.2) providing dynamic Vlan assignment based on groups
On the ACS we configured the following attributes for the specific group
64 = VLAN
65 = 802
81 = VLAN Name
We tried for the 81 attribute both Vlan name and Vlan ID but we get the same results
In detail, we need the machine to be placed on Vlan ID 6 named vlan_sio so we inserted these value in the attribute field
Before we configured the switch to speak with ACS:
aaa new-model
aaa group server radius Switch
server 172.16.0.93 auth-port 1812 acct-port 1813
dot1x system-auth-control
radius-server host 172.16.0.93 auth-port 1812 acct-port 1813 key xxxxxx
radius-server retransmit 3
Configured the ports for the use of dot1.x.
switchport mode access
dot1x port-control auto
dot1x guest-vlan 7
spanning-tree portfast
The users are correctly authenticated but the ports are always connected to the default Vlan of the ports
We tried to debug with the debug dot1.x events command and we get the following errors:
Feb 16 12:00:04.017: Attribute 64 6 0100000D
Feb 16 12:00:04.017: Attribute 65 6 01000006
Feb 16 12:00:04.017: Attribute 81 4 01360806
Feb 16 12:00:04.025: dot1x-ev:Received VLAN is No Vlan
Feb 16 12:00:04.037: dot1x-ev:Received VLAN Id -1
Feb 16 12:00:04.041: dot1x-ev:dot1x_port_authorized: clearing HA table from vlan 1
Feb 16 12:00:04.049: dot1x-ev:dot1x_port_authorized: Added 0006.1bdb.6a09 to HA table on vlan 1
Does anyone know what we could have missed?
Thank’ssolved
It was just missing the command
aaa authorization network default group XXXX
Maybe you are looking for
-
How to send only part of a sequence to Encore?
Hi I'm new to CS5.5 and I've been trying to figure out how to send only part of a sequence to Encore from PPro. I see in the Help file that it says this can be done but it doesn't explain how to do this (or I haven't been able to find where it's expl
-
Can i use JEE server for my Android app?
Hello, Let me introduce myself,i am Mohith K M from India,Student and beginner in JEE I am doing a project,Which is combination of Android application,Server and Desktop app (developed in Visual C# ) I am comfortable with Android app side, Bt, i dont
-
Deplyment of customize Page in OA Framework
I have created one customized page very similar to HelloWorld which has only XML and CO.class file I have created function for the same and had attached it to the responsibilty. Then I deployedthe page on server using import coomand.AFter running it
-
Authoring Environment Tutorial or SAP Class
Hi , In order to learn the details of Authoring Environment ( LSO 300 or LSO 600 ) , what is the best ? SAP class HR270: SAP Learning Solution Overview, seems the only class were Authoring Environment is presented , is HR270 a good class (enough deta
-
How to update OID oblogintrycout attribute through java code
Hi Team, As per my requirement ,i need to update OID oblogintrycout attribute through java code. could you please help me on this. where can i get the java code. Regards, Ravi.