IDSM-2 blade in a 7600 router
Will the IDSM-2 blade work in a 7600 series router? The only documentation I see is that it is supported in the Catalyst 6500.
Yes it will.
Similar Messages
-
Viewing MAX-reseved-bandwidth on Cisco 7600 router
Hi everybody
I have been searching for a command that will show us the max-reserved-bandwidth (in the context of QoS) on a Cisco 7600.
I appreciate your help
Thanks
ciscoR1#show version
Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVIPSERVICESK9-M), Version 15.1(3)S5, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Tue 12-Feb-13 13:17 by prod_rel_team
ROM: System Bootstrap, Version 12.2(33r)SRD5, RELEASE SOFTWARE (fc1)
BOOTLDR: Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVIPSERVICESK9-M), Version 15.1(3)S5, RELEASE SOFTWARE (fc2)
I'm uncertain, but on a 7600 with 15.x IOS, it's likely QoS is following the HQF changes, and if so, max-reserved-bandwidth has really been deprecated. -
LDP session flap on a 7600 router
Hi guys,
Please refer below the brief intro to the problem:
The LDP neighbor went down [as seen in the logs below] for a few seconds between the PE device mentioned below and the two uplink P devices.
Please refer to the topology detail below:
PE[tE x/0/0] -------- TE Tunnel ------ P Device @ A location
[Te y/0/0] ------ TE Tunnel-------- P Device @ B location
#Show logs
917597: Mar 8 08:10:09 SAST: %LDP-5-NBRCHG: LDP Neighbor a.b.c.d:0 (5) is DOWN (TCP connection closed by peer)
917664: Mar 8 08:10:19 SAST: %LDP-5-NBRCHG: LDP Neighbor e.f.g.h:0 (1) is DOWN (Session KeepAlive Timer expired)
917701: Mar 8 08:10:21 SAST: %LDP-5-NBRCHG: LDP Neighbor a.b.c.d:0 (5) is UP
917771: Mar 8 08:10:23 SAST: %LDP-5-NBRCHG: LDP Neighbor e.f.g.h:0 (7) is UP
Can anybody please tell me what was the reason behind the LDP flap?
Regards
Pradip
Hi Vinit,
Please find below the o/p of both show ibc & show int:
# show ibc
Interface information:
Interface IBC0/0(idb 0x1D224BF0)
5 minute rx rate 390000 bits/sec, 470 packets/sec
5 minute tx rate 724000 bits/sec, 696 packets/sec
1227785718 packets input, 132277835813 bytes
531848764 broadcasts received
703054986 packets output, 89510912001 bytes
53000709 broadcasts sent
0 Bridge Packet loopback drops
386955797 Packets CEF Switched, 58076 Packets Fast Switched
0 Packets SLB Switched, 0 Packets CWAN Switched
Label switched pkts dropped: 0 Pkts dropped during dma: 219471401
Invalid pkts dropped: 57811 Pkts dropped(not cwan consumed): 8925
Xconnect pkts processed: 0, dropped: 1111508
Xconnect pkt reflection drops: 0
Total paks copied for process level 0
Total short paks sent in route cache 78654011
Total throttle drops 218301133 Input queue drops 773327
total spd packets classified (456244739 low, 359912505 medium, 20316995 high)
total spd packets dropped (153503515 low, 65948095 medium, 41 high)
spd prio pkts allowed in due to selective throttling (0 med, 0 high)
IBC resets = 1; last at 05:12:26.831 SAST Wed Feb 8 2012
Driver Level Counters: (Cumulative, Zeroed only at Reset)
Frames Bytes
Rx(0) 368004372 1762711303
Rx(1) 913412478 2159603712
Tx(0) 728948380 3037780905
Input Drop Frame Count
Rx0 = 22141 Rx1 = 996745
Per Queue Receive Errors:
FRME OFLW BUFE NOENP DISCRD DISABLE BADCOUNT
Rx0 0 0 0 0 0 0 0
Rx1 0 0 0 68 0 0 0
Tx Errors/State:
One Collision Error = 0 More Collisions = 0
No Encap Error = 0 Deferred Error = 0
Loss Carrier Error = 0 Late Collision Error = 0
Excessive Collisions = 0 Buffer Error = 0
Tx Freeze Count = 0 Tx Intrpt Serv timeout= 1
Counters collected at Idb:
Is input throttled = 0 Throttle Count = 0
Rx Resource Errors = 0 Input Drops = 1104309
Input Errors = 610494
Output Drops = 0 Giants/Runts = 0/0
Dma Mem Error = 0 Input Overrun = 0
#show int te X/0/0
TenGigabitEthernetX/0/0 is up, line protocol is up (connected)
MTU 4470 bytes, BW 10000000 Kbit, DLY 10 usec,
reliability 255/255, txload 20/255, rxload 43/255
Encapsulation ARPA, loopback not set
Keepalive not supported
Carrier delay is 0 msec
Full-duplex, 10Gb/s
Transport mode LAN (10GBASE-R, 10.3125Gb/s)
input flow-control is on, output flow-control is on
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters 2w1d
Input queue: 0/75/38/33 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: Class-based queueing
Output queue: 0/40 (size/max)
5 minute input rate 1691089000 bits/sec, 390075 packets/sec
5 minute output rate 818470000 bits/sec, 413745 packets/sec
L2 Switched: ucast: 5460795 pkt, 851382131 bytes - mcast: 557617 pkt, 63052504 bytes
L3 in Switched: ucast: 72659051788 pkt, 57114890177182 bytes - mcast: 0 pkt, 0 bytes mcast
L3 out Switched: ucast: 237095519242 pkt, 42944537492139 bytes mcast: 0 pkt, 0 bytes
704163207990 packets input, 315321595661874 bytes, 1 no buffer
Received 1125 broadcasts (0 IP multicasts)
0 runts, 0 giants, 3 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 567310 multicast, 0 pause input
0 input packets with dribble condition detected
786519825664 packets output, 210404496698710 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
#show int te X/0/0
TenGigabitEthernetY/0/0 is up, line protocol is up (connected)
MTU 4470 bytes, BW 10000000 Kbit, DLY 10 usec,
reliability 255/255, txload 5/255, rxload 2/255
Encapsulation ARPA, loopback not set
Keepalive not supported
Carrier delay is 0 msec
Full-duplex, 10Gb/s
Transport mode LAN (10GBASE-R, 10.3125Gb/s)
input flow-control is on, output flow-control is on
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters 2w1d
Input queue: 0/75/292/19 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: Class-based queueing
Output queue: 0/40 (size/max)
5 minute input rate 112466000 bits/sec, 66131 packets/sec
5 minute output rate 221669000 bits/sec, 69520 packets/sec
L2 Switched: ucast: 2161150 pkt, 440372316 bytes - mcast: 514981 pkt, 65137030 bytes
L3 in Switched: ucast: 5460878448 pkt, 1060741666543 bytes - mcast: 0 pkt, 0 bytes mcast
L3 out Switched: ucast: 3518851937 pkt, 2138635500086 bytes mcast: 0 pkt, 0 bytes
136383893748 packets input, 34454049909804 bytes, 1 no buffer
Received 1125 broadcasts (0 IP multicasts)
0 runts, 0 giants, 3 throttles
267 input errors, 220 CRC, 47 frame, 0 overrun, 0 ignored
0 watchdog, 536405 multicast, 0 pause input
0 input packets with dribble condition detected
124870339660 packets output, 57889219631351 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
There was no flap observed on the physical interface. The IGP protocol is also running through the same physical links and that was up and stable.
Please tell me how we check the TCP MSS value for these LDP sessions.
- Pradip -
Trouble with advertise a route BGP from VRF on Cisco IOS 7600
Hi
The diagram specifies the currently operating network.
We are trying to advertise the network 172.16.161.6 to the Nortel devices and Cisco devices on AS 2005 and 64912. If we look at the routing table on the Cisco 7600, the network 172.16.161.6 is known:
PE_CAR_1#ping vrf data 172.16.161.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.161.6, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/24/28 ms
cisco 7600#trace
cisco 7600#traceroute vrf data 172.16.161.6
Type escape sequence to abort.
Tracing the route to 172.16.161.6
1 189.1.11.5 [MPLS: Labels 581/730 Exp 0] 24 msec 24 msec 24 msec
2 172.16.12.73 [MPLS: Label 730 Exp 0] 36 msec 28 msec 36 msec
3 172.16.12.74 20 msec 20 msec 24 msec
4 172.16.14.10 64 msec 20 msec 20 msec
5 172.16.19.9 20 msec 24 msec 20 msec
6 172.16.161.6 24 msec 20 msec 24 msec
But the Nortel devices on AS 64912 do not know the network 172.16.161.6 in their routing tables.
The difference on the Cisco 7600, which knows both AS 64912 and 2005, is this one:
Configuration on the Cisco 7600 router:
router bgp 2006
 bgp router-id 172.16.110.97
 bgp log-neighbor-changes
 bgp graceful-restart restart-time 120
 bgp graceful-restart stalepath-time 360
 bgp graceful-restart
 neighbor 172.16.10.41 remote-as 64912
 neighbor 172.16.10.41 description PP-A6
 neighbor 172.16.11.233 remote-as 64912
 neighbor 172.16.11.233 description PP-2TE2
 neighbor 172.16.12.73 remote-as 2005
 neighbor 172.16.12.73 description PE_MEX_1
 neighbor 172.16.12.73 fall-over bfd
 neighbor 172.16.13.9 remote-as 2005
 neighbor 172.16.13.9 description PE_MEX_3
 neighbor 172.16.13.9 fall-over bfd
 neighbor 172.16.13.77 remote-as 2005
 neighbor 172.16.14.6 remote-as 64512
 neighbor 172.16.14.10 remote-as 64512
 neighbor 172.16.16.26 remote-as 64982
 neighbor 172.16.16.26 description INTERNET-2
 neighbor 172.16.16.30 remote-as 64982
 neighbor 172.16.16.30 description INTERNET-1
 address-family ipv4
  neighbor 172.16.10.41 activate (connection to Nortel devices)
  neighbor 172.16.10.41 route-map AS-PATH-MAN in
  neighbor 172.16.10.41 route-map REDES-WAN->MAN out
  neighbor 172.16.11.233 activate (connection to Nortel devices)
  neighbor 172.16.11.233 route-map AS-PATH-MAN in
  neighbor 172.16.11.233 route-map REDES-WAN->MAN out
  neighbor 172.16.12.73 activate
  neighbor 172.16.12.73 route-map REDES-WAN-PE_MEX_1 in
  neighbor 172.16.12.73 route-map DEFAULT-ROUTE out
  neighbor 172.16.13.9 activate (connection to Cisco 7600 devices)
  neighbor 172.16.13.9 route-map REDES-WAN-PE_MEX_3 in
  neighbor 172.16.13.9 route-map DEFAULT-ROUTE out
  neighbor 172.16.13.77 activate
  neighbor 172.16.13.77 route-map DEFAULT-ROUTE out
  neighbor 172.16.14.6 activate (connection to ASR 9000)
  neighbor 172.16.14.6 route-map default out
  neighbor 172.16.14.10 activate (connection to ASR 9000)
  neighbor 172.16.14.10 route-map default out
The difference we see between the routes known to the Nortel devices and the Cisco devices is the following on the Cisco 7600:
Cisco 7600#sho ip bgp 150.151.1.250
BGP routing table entry for 150.151.0.0/16, version 5612717
Paths: (2 available, best #1, table default)
Multipath: eBGP
Advertised to update-groups:
2 4
2005
172.16.13.9 from 172.16.13.9 (150.220.250.5)
Origin IGP, localpref 300, valid, external, best
Community: 100:22
Extended Community: RT:100:22
2005
172.16.12.73 from 172.16.12.73 (150.220.250.1)
Origin IGP, localpref 260, valid, external
Community: 100:22
Extended Community: RT:100:22
Cisco 7600#sho ip bgp 172.16.161.6
BGP routing table entry for 172.16.161.6/32, version 6133620
Paths: (2 available, best #2, table default)
Multipath: eBGP
Not advertised to any peer
64512 64513
172.16.14.6 from 172.16.14.6 (172.16.14.1)
Origin incomplete, localpref 100, valid, external, multipath
Extended Community: RT:64512:64513
64512 64513
172.16.14.10 from 172.16.14.10 (172.16.14.2)
Origin incomplete, localpref 100, valid, external, multipath, best
Extended Community: RT:64512:64513
NOT advertised to any peer
If we look on the ASR, in vrf GAT the network is advertised, but in vrf CAMPUS it is not:
RP/0/RSP0/CPU0:ED_MEX_1#sho bgp vrf CAMPUS 172.16.161.6
Mon May 20 12:58:03.516 UTC
BGP routing table entry for 172.16.161.6/32, Route Distinguisher: 64512:64513
Versions:
Process bRIB/RIB SendTblVer
Speaker 20 20
Local Label: 16004
Last Modified: May 17 17:24:29.877 for 2d19h
Paths: (1 available, best #1)
Not advertised to any peer
Path #1: Received by speaker 0
Not advertised to any peer
64513
172.16.19.5 from 172.16.19.5 (172.16.162.4)
Origin incomplete, metric 110, localpref 100, valid, external, best, group-best, import-candidate
Received Path ID 0, Local Path ID 1, version 20
Extended community: RT:64512:64513
But in vrf GAT:
RP/0/RSP0/CPU0:ED_MEX_1#sho bgp vrf GAT 172.16.161.6
Mon May 20 12:58:52.909 UTC
BGP routing table entry for 172.16.161.6/32, Route Distinguisher: 64512:2006
Versions:
Process bRIB/RIB SendTblVer
Speaker 30 30
Last Modified: May 17 17:24:29.877 for 2d19h
Paths: (1 available, best #1)
Advertised to CE peers (in unique update groups):
172.16.14.5
Path #1: Received by speaker 0
Advertised to CE peers (in unique update groups):
172.16.14.5
64513
172.16.19.5 from 172.16.19.5 (172.16.162.4)
Origin incomplete, metric 110, localpref 100, valid, external, best, group-best, import-candidate, imported
Received Path ID 0, Local Path ID 1, version 30
Extended community: RT:64512:64513
Any idea about this trouble? We tried to advertise the extended community, but nothing.
The configuration on the ASR is the following:
router bgp 64512
 bgp router-id 172.16.14.1
 address-family ipv4 unicast
 address-family vpnv4 unicast
 vrf GAT
  rd 64512:2006
  address-family ipv4 unicast
   redistribute connected
   redistribute static
  neighbor 172.16.14.5
   remote-as 2006
   address-family ipv4 unicast
    send-community-ebgp
    route-policy pass-all in
    route-policy pass-all out
    send-extended-community-ebgp
 vrf CAMPUS
  rd 64512:64513
  address-family ipv4 unicast
   redistribute connected
   redistribute static
  neighbor 172.16.19.5
   remote-as 64513
   address-family ipv4 unicast
    route-policy pass-all in
    route-policy pass-all out
We only put send-extended-community-ebgp on vrf GAT.
Best Regards
Hi Harold, thanks for your comment.
We did as you recommended and put a route-map on the AS 64912 routes to identify the traffic in on the interface. The final configuration on the Cisco 7600 is:
router bgp 2006
 bgp router-id 172.16.110.97
 bgp log-neighbor-changes
 bgp graceful-restart restart-time 120
 bgp graceful-restart stalepath-time 360
 bgp graceful-restart
 neighbor 172.16.14.6 remote-as 64512
 neighbor 172.16.14.6 description EDGE_MEX_1
 neighbor 172.16.14.10 remote-as 64512
 neighbor 172.16.14.10 description EDGE_MEX_2
 address-family ipv4
  no synchronization
  neighbor 172.16.14.6 route-map REDES_CAMPUS in
  neighbor 172.16.14.6 route-map default out
  neighbor 172.16.14.10 activate
  neighbor 172.16.14.10 route-map REDES_CAMPUS in
  neighbor 172.16.14.10 route-map default out
  neighbor 172.16.16.26 activate
With the following route maps:
ip extcommunity-list standard GAT permit rt 64512:64513
ip bgp-community new-format
ip community-list standard REDES-GAT permit 64512:2006
route-map REDES_CAMPUS permit 430
 match extcommunity GAT
 set local-preference 250
 set community 64512:2006 additive
 set extcommunity rt 64512:64513 additive
route-map REDES-WAN->MAN permit 1600
 match community REDES-GAT
With this information, the routes advertised to the neighbor now include the loopback 172.16.161.6:
GW_MEX_2#sho ip bgp neighbors 172.16.11.233 advertised-routes
BGP table version is 6160029, local router ID is 172.16.110.97
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 1.0.0.1/32 172.16.12.73 300 0 2005 ?
*> 1.0.0.2/32 172.16.12.73 300 0 2005 ?
Network Next Hop Metric LocPrf Weight Path
*> 172.16.140.72/32 172.16.13.9 300 0 2005 ?
*> 172.16.141.22/32 172.16.12.73 250 0 2005 ?
*> 172.16.141.61/32 172.16.12.73 250 0 2005 i
*> 172.16.141.71/32 172.16.12.73 250 0 2005 i
*> 172.16.142.0/27 172.16.13.9 300 0 2005 ?
*> 172.16.142.32/27 172.16.13.9 250 0 2005 ?
*> 172.16.144.0/27 172.16.13.9 300 0 2005 ?
*> 172.16.146.1/32 172.16.13.9 300 0 2005 65451 i
*> 172.16.150.0/27 172.16.12.73 250 0 2005 ?
*> 172.16.152.0/27 172.16.13.9 300 0 2005 ?
*> 172.16.152.32/28 172.16.13.9 300 0 2005 ?
*> 172.16.155.1/32 172.16.13.9 300 0 2005 ?
*> 172.16.161.1/32 172.16.14.6 0 250 0 64512 ?
*> 172.16.161.6/32 172.16.14.10 0 250 0 64512 ?
Thanks for your cooperation
Best Regards -
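The reasoning in this thread, as an added example that is not part of the original post: a small Python model of the two route-maps in the final configuration, showing why 172.16.161.6/32 was "Not advertised to any peer" before the fix and is advertised to the AS 64912 peers after it, and also that the new inbound route-map drops any path from the ASR that does not carry the GAT route target (implicit deny). The BgpPath class, the before/after functions and the two sample paths are assumptions written for this page, not Cisco code; only the route-map entries quoted above are modelled.

```python
from dataclasses import dataclass, replace
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class BgpPath:
    """The attributes the posted route-maps look at (a model, not IOS code)."""
    prefix: str
    next_hop: str
    as_path: Tuple[int, ...]
    local_pref: int = 100
    communities: FrozenSet[str] = frozenset()
    ext_communities: FrozenSet[str] = frozenset()


# ip extcommunity-list standard GAT permit rt 64512:64513
# ip community-list standard REDES-GAT permit 64512:2006
GAT_RT = "RT:64512:64513"
REDES_GAT_COMMUNITY = "64512:2006"


def redes_campus_in(path: BgpPath) -> Optional[BgpPath]:
    """route-map REDES_CAMPUS permit 430, applied inbound on the 64512 peers.
    It has a single entry, so a path without the GAT route target falls
    through to the implicit deny at the end of the route-map (None)."""
    if GAT_RT not in path.ext_communities:          # match extcommunity GAT
        return None
    return replace(
        path,
        local_pref=250,                              # set local-preference 250
        communities=path.communities | {REDES_GAT_COMMUNITY},  # set community ... additive
        ext_communities=path.ext_communities | {GAT_RT},       # set extcommunity rt ... additive
    )


def redes_wan_man_out(path: BgpPath) -> bool:
    """route-map REDES-WAN->MAN permit 1600 (match community REDES-GAT),
    applied outbound towards the AS 64912 Nortel peers. Earlier entries of
    this route-map are not shown in the thread and are left out of the model."""
    return REDES_GAT_COMMUNITY in path.communities


def advertised_before_fix(path: BgpPath) -> bool:
    """Original config: no inbound route-map on the 64512 peers, so the path
    carries no standard community and nothing in REDES-WAN->MAN matches it."""
    return redes_wan_man_out(path)


def advertised_after_fix(path: BgpPath) -> bool:
    """Final config: REDES_CAMPUS inbound, then REDES-WAN->MAN outbound."""
    accepted = redes_campus_in(path)
    return accepted is not None and redes_wan_man_out(accepted)


# Constructed from the 'sho ip bgp 172.16.161.6' output in the thread: the
# path only carried the VRF CAMPUS route target and no standard community.
PATH_FROM_ASR = BgpPath(prefix="172.16.161.6/32", next_hop="172.16.14.10",
                        as_path=(64512, 64513),
                        ext_communities=frozenset({GAT_RT}))

# Constructed: a path from the same peers tagged with some other VRF's RT.
PATH_OTHER_VRF = replace(PATH_FROM_ASR, prefix="10.0.0.0/24",
                         ext_communities=frozenset({"RT:64512:999"}))

if __name__ == "__main__":
    for p in (PATH_FROM_ASR, PATH_OTHER_VRF):
        print(p.prefix, "advertised before fix:", advertised_before_fix(p),
              "after fix:", advertised_after_fix(p))
```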
Which is the maximum number of simultaneous IP sessions on 7600 with/out SAMI?
Please, I need help from someone who has wondered about and got to know the maximum number of simultaneous IP sessions on the 7600.
On the documentation, this is the applicable information that we find regarding the number of sessions:
http://www9.cisco.com/en/US/docs/ios/isg/configuration/guide/isg_acess_sub_sessns_ps6922_TSD_Products_Configuration_Guide_Chapter.html
Beginning in Cisco IOS Release 12.2(33)SRE, the Cisco 7600 router supports IP subscriber sessions only on the SIP400 and ES+ line cards
The Cisco 7600 router enforces limits on the number of IP subscriber sessions per line card and router chassis. If the number of active sessions exceeds the following limits, an error message displays:
- Cisco 7600 chassis—32,000 subscriber sessions (supported in Cisco IOS Release 12.2(33)SRE1 and later releases)
- ES+ line card—4000 subscriber sessions per port group; 16,000 sessions per line card (supported in Cisco IOS Release 12.2(33)SRE and later releases)
- SIP400 line card—8000 subscriber sessions (supported in Cisco IOS Release 12.2(33)SRD4 and later releases)
Let us suppose that we use the SIP400 line card, since ES+ is far from our networking requirements.
Please confirm/answer the following:
No special license is required to use ISG with SIP400.
Is the 8000 session limitation per SIP400 module or per SPA attached to it?
I read in the documentation, that the SAMI card enhances the maximum number of ISG sessions:
http://www.cisco.com/en/US/docs/ios/isg/configuration/guide/isg_sup_sami_blade.html
The ISG Support for SAMI Blade feature combines the subscriber management features and functions of the Cisco Intelligent Services Gateway (ISG) with the processing power of the Cisco Service Application Module for IP (SAMI). The Cisco SAMI blade has six PowerPC (PPC) processors and occupies just one slot in the Cisco 7600 series router. This means that you can support many ISG features for up to 600,000 subscribers on a single router.
We then assume that the SAMI blade overcomes the limitations noted above: 32,000 session/chassis and 8,000 sessions/SIP400. Correct?
No extra license is required to use ISG with SAMI.
How can I load a license in a home agent (SAMI module), which is installed in a 7606-S router?
-
IDSM with inline pairs causing mac move
Hello,
I've just added the IDSM-2 blades on a 6500 and configured them, but it did not work as I planned.
This picture is a small-scale version of what I tried to do; actually I had more VLANs on the inspection.
I have 2 cores and a port-channel trunk in between them, and for redundancy I'm using HSRP as the config shows.
After I configured it I got these messages and I could not figure out how to stop it:
Core1
%MAC_MOVE-SP-4-NOTIF: Host 001a.a2e4.e800 in vlan 6 is flapping between port Gi6/d1 and port Po1
%MAC_MOVE-SP-4-NOTIF: Host 001a.a2e4.e800 in vlan 7 is flapping between port Gi6/d1 and port Po1
MAC 001a.a2e4.e800 is from Core2
Core2
%MAC_MOVE-SP-4-NOTIF: Host 0022.557b.c340 in vlan 6 is flapping between port and port Po1
%MAC_MOVE-SP-4-NOTIF: Host 0022.557b.c340 in vlan 7 is flapping between port Po1 and port
Mac 0022.557b.c340 is from Core1
There was only one VLAN pair that did not have this problem, which was the VLAN L2 for the ISP router and the VLAN Outside for the FWSM. It also was the only VLAN that did not have HSRP working; I don't know if it has something to do with it.
The Core 1 is the STP Root with priority of Zero and the Core 2 is the Backup Root with priority 4096
Any guesses?
I see this log message frequently when using a switch to feed an IPS sensor if the same Ethernet frame is entering the same VLAN on two different interfaces. I can't tell how your traffic is flowing but I think you have the same issue.
In my case it was not anything to worry about so I just ignored the messages.
- Bob -
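An added example, not code from either post: a small Python triage script over the %LDP-5-NBRCHG lines from the LDP flap thread above and the %MAC_MOVE-SP-4-NOTIF lines from this thread. It pairs each LDP DOWN with the following UP of the same neighbor to measure the outage and classify the reason, and counts MAC moves per host, VLAN and port pair, reporting lines whose port name was lost instead of guessing them. The regular expressions, the REASON_HINT table and the function names are assumptions of this example; the log lines are copied from the two posts.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# --- %LDP-5-NBRCHG: pair each DOWN with the next UP of the same neighbor ---
LDP_RE = re.compile(
    r"^\d+: (?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \w+: %LDP-5-NBRCHG: "
    r"LDP Neighbor (?P<nbr>[\w.]+):\d+ \(\d+\) is (?P<state>UP|DOWN)"
    r"(?: \((?P<reason>[^)]*)\))?")

# Triage hint per reason text (assumed mapping, from a defender's point of view).
REASON_HINT = {
    "TCP connection closed by peer":
        "the peer tore the session down; look at the neighbor's logs first",
    "Session KeepAlive Timer expired":
        "keepalives stopped arriving locally; compare with control-plane drop "
        "counters such as the throttle/input queue drops in 'show ibc'",
}


def ldp_outages(lines):
    """One record per DOWN/UP pair: neighbor, reason, seconds down, hint."""
    pending = {}          # neighbor -> (time of DOWN, reason)
    outages = []
    for line in lines:
        m = LDP_RE.search(line)
        if not m:
            continue
        # The syslog timestamp has no year; strptime uses 1900, which is
        # fine for computing differences within one log.
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        if m["state"] == "DOWN":
            pending[m["nbr"]] = (ts, m["reason"] or "")
        elif m["nbr"] in pending:
            down_at, reason = pending.pop(m["nbr"])
            outages.append({
                "neighbor": m["nbr"],
                "reason": reason,
                "seconds": (ts - down_at).total_seconds(),
                "hint": REASON_HINT.get(reason, "unknown reason; inspect manually"),
            })
    return outages


# --- %MAC_MOVE-SP-4-NOTIF: how often each host flaps, and between which ports ---
MAC_MOVE_RE = re.compile(
    r"%MAC_MOVE-SP-4-NOTIF: Host (?P<mac>[0-9a-f.]+) in vlan (?P<vlan>\d+) "
    r"is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)$")


def mac_move_summary(lines):
    """Return (Counter keyed by (mac, vlan, sorted port pair), unparsed count).
    Lines whose port names were lost are counted as unparsed, not guessed."""
    flaps = Counter()
    unparsed = 0
    for line in lines:
        if "%MAC_MOVE-SP-4-NOTIF" not in line:
            continue
        m = MAC_MOVE_RE.search(line.rstrip())
        if not m:
            unparsed += 1
            continue
        pair = tuple(sorted((m["p1"], m["p2"])))
        flaps[(m["mac"], int(m["vlan"]), pair)] += 1
    return flaps, unparsed


def hosts_flapping_on_multiple_vlans(flaps):
    """A host moving between the same two ports in several VLANs points at the
    trunk / inline-pair topology (the same frame entering on two interfaces)
    rather than at one misbehaving host."""
    vlans = defaultdict(set)
    for mac, vlan, pair in flaps:
        vlans[(mac, pair)].add(vlan)
    return {key: sorted(v) for key, v in vlans.items() if len(v) > 1}


# Log lines copied from the two posts (Core2's lines exactly as posted, with
# the port name missing, to show they are reported rather than guessed).
LDP_LOG = [
    "917597: Mar 8 08:10:09 SAST: %LDP-5-NBRCHG: LDP Neighbor a.b.c.d:0 (5) is DOWN (TCP connection closed by peer)",
    "917664: Mar 8 08:10:19 SAST: %LDP-5-NBRCHG: LDP Neighbor e.f.g.h:0 (1) is DOWN (Session KeepAlive Timer expired)",
    "917701: Mar 8 08:10:21 SAST: %LDP-5-NBRCHG: LDP Neighbor a.b.c.d:0 (5) is UP",
    "917771: Mar 8 08:10:23 SAST: %LDP-5-NBRCHG: LDP Neighbor e.f.g.h:0 (7) is UP",
]
MAC_LOG = [
    "%MAC_MOVE-SP-4-NOTIF: Host 001a.a2e4.e800 in vlan 6 is flapping between port Gi6/d1 and port Po1",
    "%MAC_MOVE-SP-4-NOTIF: Host 001a.a2e4.e800 in vlan 7 is flapping between port Gi6/d1 and port Po1",
    "%MAC_MOVE-SP-4-NOTIF: Host 0022.557b.c340 in vlan 6 is flapping between port and port Po1",
    "%MAC_MOVE-SP-4-NOTIF: Host 0022.557b.c340 in vlan 7 is flapping between port Po1 and port",
]

if __name__ == "__main__":
    for o in ldp_outages(LDP_LOG):
        print(f"{o['neighbor']}: down {o['seconds']:.0f}s ({o['reason']}) -> {o['hint']}")
    flaps, unparsed = mac_move_summary(MAC_LOG)
    for (mac, vlan, pair), n in sorted(flaps.items()):
        print(f"{mac} vlan {vlan}: {n} flap(s) between {pair[0]} and {pair[1]}")
    print(f"{unparsed} MAC_MOVE line(s) could not be parsed (port name missing)")
    print("hosts flapping on several VLANs:", hosts_flapping_on_multiple_vlans(flaps))
```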
IDSM in redundant switching environment
I have two 6500 switches/routers trunked to each other serving various devices. The two switches are installed for the purpose of redundancy and the same VLANs are configured on both. My question is related to deploying IDSM-2 blades in this environment. Can I just use a single blade in one switch and still be able to monitor the desired VLANs' traffic through VACL or SPAN/VSPAN/RSPAN, or do I need two IDSM blades, one in each switch? Has anyone deployed IDS in this environment, and what are the benefits of deploying 2 (one in each) versus 1?
RSPAN is generally the method of choice for these types of configurations.
The packets from both switches can then be monitored by a single IDSM-2 in one switch.
You can also provide some redundancy by placing a second IDSM-2 in the other switch, and have both IDSM-2s monitoring the exact same traffic (each IDSM-2 is monitoring packets from both switches).
You will get duplicate alarms (one from each IDSM-2) when both are running, but it will ensure you do not miss any alarms if one of the switches should happen to go down for maintenance or power loss.
There are other deployment options, but these depend on some specifics that you will need to analyze:
Do you have asymmetric traffic?
Quite often in these types of setups, both the switches are carrying traffic at the same time, and on occasion the client traffic will go through one switch, but the server response traffic will come through the other switch. For the IDSM-2 to properly track these connections it needs to see traffic from both switches. So if asymmetric traffic patterns exist, then RSPAN needs to be used so both switches can be monitored by a single IDSM-2.
If asymmetric traffic does not exist, then the IDSM-2 does not need to monitor both switches.
You could deploy an IDSM-2 in each switch. Then using either SPAN or VACL Capture the IDSM-2 could monitor just the traffic flowing through the switch where it is located.
What are the traffic rates?
The IDSM-2 has an upper performance limitation of 600Mbps. If you are forced to use RSPAN because of asymmetric traffic patterns, then you will only have the ability to monitor 600Mbps and must choose wisely what will be RSPANed to the IDSM-2.
If you do not have asymmetric patterns then you can at least use 2 IDSM-2s (one in each switch) and possibly more (see below).
Is the traffic being routed by the switch/MSFC?
If no traffic is being routed by the switch, and you do not have asymmetric traffic patterns, then you are in luck. This is the easiest deployment scenario. You can have multiple IDSM-2s in each switch. Each IDSM-2 would be configured to monitor one or more VLANs using VACL Capture. The performance limitation is 600 Mbps times the number of IDSM-2s you purchase and can fit in the switch.
If traffic is being routed, however, you once again run into a situation where a single IDSM-2 has to monitor all of the VLANs in the switch (when using VACL Capture). There is an interaction between the routing features of the switch/MSFC which forces a single IDSM-2 (per switch if no asymmetric traffic patterns) to be used to monitor all of the VLANs in that switch.
And you are now limited to the 600 Mbps limitation (or 2*600Mbps if you place one in each switch and there are no asymmetric traffic patterns). -
Reg:FWSM router mode issue
Hi,
I have a Cisco FWSM installed on a Cisco 7613 router; the topology is as mentioned below:
7613+{FWSM}------3560---------3560----[10.220.0.0/29,10.220.1.0/29,10.220.2.0/29]
Here we created a p2p link between the 7613 gig port and the 3560 switch gig port (say 10.220.1.252/29), and there is a trunk between both 3560 switches. We wish to run the FWSM in routed mode and configured vlan groups 10 (101,102) and 20 (200,201), and assigned both these groups to the firewall module. On the router, vlan 200 has been given the IP address 192.168.2.1/24, while on the FWSM int vlan 200 has been given the IP 192.168.2.2. Although the interfaces are up and pinging their individual IP addresses, they are not pinging each other (both IP addresses appear in sh arp though). Kindly help in resolving this issue.
Also I configured vlan 201 as inside; it's also up and visible in the ARP of the router but not pinging others. Kindly help in the resolution of this issue.
We need to put this firewall in front of the router, which has a serial line to another 7600 router. How would I take traffic to the FWSM? Please suggest what else I need to do, as I'm new to FWSM.
router config:
Router#sh firewall module
Module Vlan-groups
04 1,2
Router#sh firewall vlan-group
Display vlan-groups created by both ACE module and FWSM
Group Created by vlans
1 ACE 100-101,200-202
2 <empty>
Router#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.225.62.145 - 001d.a156.9300 ARPA GigabitEthernet10/1
Internet 10.225.62.146 107 001d.a1a5.fbc1 ARPA GigabitEthernet10/1
Internet 192.168.2.1 - 001d.a156.9300 ARPA Vlan200
Internet 192.168.2.2 7 0007.0e5c.3d00 ARPA Vlan200
Internet 192.168.3.1 4 0007.0e5c.3d00 ARPA Vlan201
Internet 192.168.3.2 - 001d.a156.9300 ARPA Vlan201
Fwsm config:
hostname FWSM
interface Vlan200
nameif outside
security-level 0
ip address 192.168.2.2 255.255.255.0
interface Vlan201
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect smtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:4e3eadb1a489f3b696d0c6da8b1b20b9
: end
FWSM#
FWSM# sh arp
outside 192.168.2.1 001d.a156.9300
inside 192.168.3.2 001d.a156.9300
eobc 127.0.0.81 0000.1800.0000
FWSM# sh int
Interface Vlan200 "outside", is up, line protocol is up
Hardware is EtherSVI
MAC address 0007.0e5c.3d00, MTU 1500
IP address 192.168.2.2, subnet mask 255.255.255.0
Traffic Statistics for "outside":
6 packets input, 658 bytes
12 packets output, 1316 bytes
474 packets dropped
Interface Vlan201 "inside", is up, line protocol is up
Hardware is EtherSVI
MAC address 0007.0e5c.3d00, MTU 1500
IP address 192.168.3.1, subnet mask 255.255.255.0
Traffic Statistics for "inside":
6 packets input, 658 bytes
7 packets output, 726 bytes
107 packets dropped
Hi,
Thanks for being so helpful. There is a little issue that's arisen: I cannot ping the inside address configured on the FWSM (192.168.3.1), whereas I can ping 192.168.3.2 on the router interface. I cannot telnet to the FWSM using its outside interface IP 192.168.2.2 either. Here is my FWSM config; kindly suggest if there is any mistake.
Thanks.
Also I tried to ping the inside FWSM interface from my client 10.220.2.2 and enabled debug, to get these:
FWSM# debug icmp trace 255
debug icmp trace enabled at level 255
FWSM# ICMP echo request (len 50 id 2 seq 34642) 10.220.2.2 > 192.168.2.2
ICMP echo reply (len 50 id 2 seq 34642) 192.168.2.2 > 10.220.2.2
ICMP echo request (len 50 id 2 seq 34898) 10.220.2.2 > 192.168.3.1
ICMP echo reply (len 50 id 2 seq 34898) 192.168.3.1 > 10.220.2.2
ICMP echo request (len 32 id 2 seq 35154) 10.220.2.2 > 192.168.3.1
ICMP echo reply (len 32 id 2 seq 35154) 192.168.3.1 > 10.220.2.2
ICMP echo request (len 32 id 2 seq 43602) 10.220.2.2 > 192.168.3.1
ICMP echo reply (len 32 id 2 seq 43602) 192.168.3.1 > 10.220.2.2
ICMP echo request (len 32 id 2 seq 49746) 10.220.2.2 > 192.168.3.1
ICMP echo reply (len 32 id 2 seq 49746) 192.168.3.1 > 10.220.2.2
ICMP echo request (len 32 id 2 seq 55634) 10.220.2.2 > 192.168.3.1
ICMP echo reply (len 32 id 2 seq 55634) 192.168.3.1 > 10.220.2.2
ICMP echo request (len 50 id 2 seq 25683) 10.220.2.2 > 192.168.2.2
ICMP echo reply (len 50 id 2 seq 25683) 192.168.2.2 > 10.220.2.2
ICMP echo request (len 50 id 2 seq 25939) 10.220.2.2 > 192.168.3.1
ICMP echo reply (len 50 id 2 seq 25939) 192.168.3.1 > 10.220.2.2
Kindly suggest what could be done.
thanks. -
How redundancy can be achieved with IDSM-2 blades installed in one or more switches. I have looked at the Cisco documents but could not find much on IDSM-2 redundancy features.
Thanks Nadeem.
Is the other IDSM required to be in the same switch, or can it be in the other switch? What I am trying to understand is the various levels of redundancy that can be achieved with IDSM-2. In case I have Switch A and B at one site for the purpose of redundancy (but traffic may flow from either), how can I achieve redundancy in IDSM-2 by installing one in each switch while minimizing the duplication?
Is there a Cisco document that discusses various deployment scenarios of IDSM-2 in CAT routers?
Thanks. -
I have a 6500 IDSM-2 blade which is configured to create a blocking ACL in the 6500 for a few signatures. It's been working for a couple of years but recently stopped. The IDSM detects attacks and thinks it's updating the 6500, but the 6500's ACLs are not updated and the 6500 shows no login from the IDS. I am not seeing any error msgs anywhere. When I manually insert an IP to block via the IDM client, it shows up in the sensor with no error, but the 6500 is not updated. This seems to have started about the time I installed S324 (3/26/08). The sensor is now S329. I have rebooted the IDS with no effect in behavior.
Can someone suggest what I might look at to narrow down the problem? Thanks.
Are you running version 6.0(4)?
There is a known problem during upgrade from earlier version to 6.0(4). The passwords for blocking on routers, firewalls, and switches, as well as the passwords for auto updates were not converted properly.
CSCso31217 encrypted passwords not decrypted after upgrade
For users who already loaded 6.0(4), to fix the problem the user needs to re-enter these passwords.
For users still on older versions and wanting to upgrade to 6.0(4), they should instead upgrade to 6.0(4a). The 6.0(4a) will properly convert the passwords.
NOTE: Users already at 6.0(4) cannot upgrade to 6.0(4a), and will need to re-enter the passwords on the sensors.
This problem has only been seen with the 6.0(4) upgrade package when upgrading from older 5.1 and 6.0 versions.
NOTE: The System Images and Recovery Images for 6.0(4) are all fine.
So if you are running a 6.0(4) version, then that is likely where your problem originated rather than a signature update.
If you are not running version 6.0(4), then there is a small possibility you might have discovered a new bug that Cisco is unaware of. -
Hi There,
I want to monitor traffic on the FWSM outside interface with the IDSM-2; the FWSM is configured in routed mode and is the default gateway for the servers.
This was discussed in detail just a few days back, have a look at this thread:
http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Intrusion%20Prevention%20Systems/IDS&topicID=.ee6e1fc&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc1b707
Please rate if you find the posts helpful.
Regards
Farrukh -
Cisco 7600 under attack?
Is it possible, on a 7600 router with Sup720-10GE-3CXL, that the CPU goes up to 99% when under attack?
I think we have some attack from outside and the destination IP is the uplink IP of the 7600 router.
Can SYN packets raise the CPU on the 7600? Can they go to the RP processor?
Something like this is attached.
Hi,
This can be a kind of SYN flood attack. You can send this traffic to a loopback or contact your ISP and ask them to block this traffic.
HTH
Luis Silva
"If you need PDI (Planning, Design, Implement) assistance feel free to reach"
http://www.cisco.com/web/partners/tools/pdihd.html
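Control Plane Policing (CoPP) on the Sup720 is the on-box control a practitioner would add here, since the flood targets the router's own uplink address and cannot simply be null-routed without dropping the uplink. This is an added example, not from the thread. It assumes Cisco IOS 12.2SX/15.x syntax, an uplink address of 192.0.2.1 with a BGP peer at 192.0.2.2, a management network of 198.51.100.0/24, and placeholder police rates that must be tuned from the counters.

```text
! Added example, not from the thread. Assumed: uplink 192.0.2.1, BGP peer 192.0.2.2,
! management net 198.51.100.0/24. Rates are placeholders in bits per second.
ip access-list extended COPP-BGP-PEERS
 permit tcp host 192.0.2.2 host 192.0.2.1 eq bgp
 permit tcp host 192.0.2.2 eq bgp host 192.0.2.1
ip access-list extended COPP-MGMT
 permit tcp 198.51.100.0 0.0.0.255 any eq 22
 permit udp 198.51.100.0 0.0.0.255 any eq snmp
ip access-list extended COPP-UPLINK-TCP
 permit tcp any host 192.0.2.1
!
class-map match-all COPP-ROUTING
 match access-group name COPP-BGP-PEERS
class-map match-all COPP-MGMT
 match access-group name COPP-MGMT
class-map match-all COPP-UPLINK-TCP
 match access-group name COPP-UPLINK-TCP
!
! Classes are evaluated in order: known peers and management first,
! then everything else aimed at the uplink address, then the rest.
policy-map COPP
 class COPP-ROUTING
  police 1000000 conform-action transmit exceed-action transmit
 class COPP-MGMT
  police 500000 conform-action transmit exceed-action drop
 class COPP-UPLINK-TCP
  police 64000 conform-action transmit exceed-action drop
 class class-default
  police 200000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
!
! Verification: per-class hardware and software counters, then the RP
show policy-map control-plane
show processes cpu sorted | exclude 0.00
```

Watch the exceed counters on COPP-ROUTING and COPP-MGMT after deployment; if legitimate traffic is being dropped there, raise those rates before touching the uplink class. CoPP only limits what reaches the RP; asking the upstream ISP to filter, as the reply suggests, is still the way to stop the flood from consuming link bandwidth.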
EVC Configuration Comparison 7600 vs ASR9k
Just curious to know if anyone has migrated from the 7600 metro series routers to ASR9ks.
specifically, how to translate the following from 7600 to ASR
ingress/egress traffic tagged with vlan200((7600/lo01.1.1.1/int gig3/0/0)(trunk port te1/0/0))<=mpls=>((trunk port te1/0/0)(7600/lo02.2.2.2/int gig3/0/0))ingress egress traffic tagged with vlan200
7600 router with lo0 of 1.1.1.1, using LDP:
interface gig3/0/0
 service instance 200 ethernet
  encapsulation dot1q 200
  xconnect 2.2.2.2 999 encapsulation mpls
7600 router with lo0 of 2.2.2.2, using LDP:
interface gig3/0/0
 service instance 200 ethernet
  encapsulation dot1q 200
  xconnect 1.1.1.1 999 encapsulation mpls
whats the equivalent on ASR9k?
static or dynamic point to point cross-connects?
l2vpn
 xconnect group vlan200_traffic
  interface gig0/0/0/3.200 l2transport
   encapsulation dot1q 200
  neighbor 2.2.2.2 pw-id 999
or
l2vpn
 xconnect group vlan200_traffic
  p2p vlan200
   interface gig0/0/0/3.200
   neighbor 2.2.2.2 pw-id 200
not really sure
Regards
Jude
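The IOS XR form of the same point-to-point pseudowire, as an added example rather than the thread's accepted answer. It assumes the 7600 at 2.2.2.2 stays as shown above (VC ID 999, dot1q 200, no tag rewrite), that the ASR 9000 replaces the 1.1.1.1 side with LDP on TenGigE0/1/0/0, and that the attachment circuit is GigabitEthernet0/0/0/3; interface names are placeholders. The pw-id must equal the 7600's VC ID (999), the l2transport keyword belongs on the subinterface itself, and the cross-connect is a p2p entry under the group.

```text
! Added example, not from the thread. IOS XR side replacing the 1.1.1.1 router.
interface Loopback0
 ipv4 address 1.1.1.1 255.255.255.255
!
mpls ldp
 router-id 1.1.1.1
 interface TenGigE0/1/0/0
!
interface GigabitEthernet0/0/0/3.200 l2transport
 encapsulation dot1q 200
!
! Only needed if the 7600 signals the pseudowire as Ethernet VLAN (VC type 4),
! which is what an EVC without "rewrite ingress tag pop 1" does; without this
! class XR signals type 5 (Ethernet) and the VC stays down on a type mismatch.
l2vpn
 pw-class VLAN-MODE
  encapsulation mpls
   transport-mode vlan
 xconnect group vlan200_traffic
  p2p vlan200
   interface GigabitEthernet0/0/0/3.200
   neighbor 2.2.2.2 pw-id 999
    pw-class VLAN-MODE
!
commit
!
! Verification on both ends: state, VC type and the 999 pw-id must agree
show l2vpn xconnect group vlan200_traffic detail
! on the 7600: show mpls l2transport vc 999 detail
```

If both sides are changed to pop the tag ("rewrite ingress tag pop 1 symmetric" on the 7600 EVC and on the XR subinterface), the pw-class can be dropped and the default Ethernet (type 5) pseudowire is used on both ends.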
OSM-2+4GE-WAN vs new 7600-ES20-GE3CXL card
Please can you provide me information about the differences between those 2 modules, considering MPLS support. I am interested in VPLS feature support. Does this new ES20 card support non-H-VPLS, like a situation where we have an access or trunk (dot1q) port on the same 7600 router on a WS-X6724 SFP card, where the MPLS uplink is realized with this ES20 card? Generally, which card, OSM or ES20, is the better solution for MPLS (L3VPN, EoMPLS and VPLS) features?
The 7600-ES20-GE3CXL card has the following MPLS features:
Layer 2 VPNs
- EoMPLS with MAC learning
- H-VPLS (MPLS Edge or IEEE 802.1ad Edge)
- Flexible QinQ
Layer 3 VPNs
- MPLS VPN (RFC 2547-bis)
- Inter-AS and Carrier-Supporting-Carrier
- Multicast VPN
Following links may help you
http://www.cisco.com/en/US/products/hw/routers/ps368/products_data_sheet0900aecd8057f3ad.html
http://www.cisco.com/en/US/products/hw/routers/ps368/products_configuration_guide_chapter09186a00801e5bfa.html#wp1002608
Hi,
I am trying to obtain more information about the ISG feature on 7200 and 7600 platforms and finding it very difficult to obtain answers from distributors or even Cisco representatives.
The main questions are:
- How many subscribers include the 7200 license?, provided that my subscribers would be of IP-type (not tunnelled).
FR-ISG72
ISG Feature License for 7200
FR-ISG72=
ISG Feature License for 7200
- What other licenses are needed in a 7200 platform?
I believe, maybe:
FR-BUS72
Cisco IOS 7200/7300/7400 Series Broadband 8000 User License
FR-BUS72=
Cisco IOS 7200 Series Broadband User Services License
- On Cisco 7600, ISG is licensed in steps of 8000 subscribers. If I have a redundant system (two routing engines), do I need to buy the license twice?
76-ES+ISG-LIC
ES+ Intelligent Services Gateway SW License, 8K subs, 8 VRF
76-ES+ISG-LIC=
ES+ Internet Services Gateway (ISG) Software License
Thanks
Thanks indeed for your response.
In fact I could not obtain any support at all from Cisco (Spain) even if I explained we were a small software company that required ISG to complement an existing solution for a BIG mobile operator. The question was supposed to be escalated to the US more than 1 month ago.
Myself, I was actually able to better understand the configuration and licenses required for the feature, with a final question about the capacity (maximum number of sessions). My conclusions and questions are at the end of this email, in case you or anyone else is interested.
Anyway, our main requirement is not traffic shaping, but providing a captive portal (redirect unauthorized traffic to some node, and be able to let the box know when an IP is "authorized"/"unauthorized"). Cisco used to have a smaller feature to do this called SSG (Service Selection Gateway), which is end-of-lifed, I believe.
If you know a box that does this, please advise! And it would be nice if you could recommend an "inline packet swatter".
For demo, I have done it myself with linux and iptables, but the time to make it business-class may be more costly than buying some product.
The issues I have had trying to find out information from Juniper ("subscriber management" feature) are similar!!
Final Question about ISG capacity
We wish to use the Intelligent Services Gateway (ISG) functionality, which seems supported only on Cisco 10000, 7600, 7300 and 7200 routers.
Our traffic requirements are not too high (500Mbps), but due to the following number of sessions limitation in 7200/7300, the right platform for us seems the 7600:
"The Cisco 7200 Series and Cisco 7301 scale from 4000 to 8000 sessions"
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6549/ps6588/prod_bulletin0900aecd804a2c70.html
We would actually need 50000-100000 concurrent sessions.
On Cisco 7600, the feature seems supported by default on Cisco IOS 12.2SR without the need for an extra license, even with the plain "IP Services" flavour of IOS.
However, we have the following fundamental questions that we could not completely resolve with the documentation or software configurator tool.
Maximum number of concurrent sessions supported
Our sessions would be of the "IP session" kind, meaning:
"An IP session includes all the traffic that is associated with a single subscriber IP address".
On the documentation, this is the applicable information that we find regarding the number of sessions:
http://www9.cisco.com/en/US/docs/ios/isg/configuration/guide/isg_acess_sub_sessns_ps6922_TSD_Products_Configuration_Guide_Chapter.html
Beginning in Cisco IOS Release 12.2(33)SRE, the Cisco 7600 router supports IP subscriber sessions only on the SIP400 and ES+ line cards
The Cisco 7600 router enforces limits on the number of IP subscriber sessions per line card and router chassis. If the number of active sessions exceeds the following limits, an error message displays:
- Cisco 7600 chassis—32,000 subscriber sessions (supported in Cisco IOS Release 12.2(33)SRE1 and later releases)
- ES+ line card—4000 subscriber sessions per port group; 16,000 sessions per line card (supported in Cisco IOS Release 12.2(33)SRE and later releases)
- SIP400 line card—8000 subscriber sessions (supported in Cisco IOS Release 12.2(33)SRD4 and later releases)
Let us suppose that we use the SIP400 line card, since ES+ is far from our networking requirements.
Please confirm/answer the following:
No special license is required to use ISG with SIP400.
Is the 8000 session limitation per SIP400 module or per SPA attached to it?
I read in the documentation, that the SAMI card enhances the maximum number of ISG sessions:
http://www.cisco.com/en/US/docs/ios/isg/configuration/guide/isg_sup_sami_blade.html
The ISG Support for SAMI Blade feature combines the subscriber management features and functions of the Cisco Intelligent Services Gateway (ISG) with the processing power of the Cisco Service Application Module for IP (SAMI). The Cisco SAMI blade has six PowerPC (PPC) processors and occupies just one slot in the Cisco 7600 series router. This means that you can support many ISG features for up to 600,000 subscribers on a single router.
We then assume that the SAMI blade overcomes the limitations noted above: 32,000 session/chassis and 8,000 sessions/SIP400. Correct?
No extra license is required to use ISG with SAMI.
Based on these assumptions, an example configuration for a single node could be:
Product Description Quantity
CISCO7604 Cisco 7604 Chassis 1
FAN-MOD-4HS High-Speed Fan Module for 7604/6504-E 1
7604-RSP720C-P Cisco 7604 Chassis,4-slot,RSP720-3C,PS 1
2700W-AC Dummy PID 2700 W AC Power Supply for 7604 1
CAB-C19-CBN Cabinet Jumper Power Cord, 250 VAC 16A, C20-C19 Connectors 1
S764ISK9-12233SRE Cisco 7600-RSP720 IOS IP SERVICES SSH 1
7600-SIP-400 Cisco 7600 Series SPA Interface Processor-400 1
SPA-2X1GE Cisco 2-port Gigabit Ethernet Shared Port Adapter 2
WS-SVC-SAMI-BB-K9 Service Application Module for IP (6 x PPC w/ 1GB) (Crypto) 1
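The captive-portal behaviour asked for above (redirect unauthorized subscribers, then let the portal tell the router an IP is authorized) is ISG's Layer 4 Redirect driven by a control policy, with RADIUS Change of Authorization (CoA) as the "authorize this IP" channel. This is an added example, not from the thread or the Cisco documents it cites. It assumes Cisco IOS ISG syntax on a 7600 with routed IP sessions on a SIP-400 port (GigabitEthernet3/0/0), a portal at 192.0.2.10:8080 that also acts as the CoA client, and a placeholder shared key.

```text
! Added example, not from the thread. Assumed: portal/CoA client 192.0.2.10,
! subscriber-facing SIP-400 port Gi3/0/0, RADIUS already configured.
aaa new-model
aaa authorization network default group radius
aaa server radius dynamic-author
 client 192.0.2.10 server-key PORTAL-COA-KEY
!
! Traffic to redirect while a session is unauthorized: HTTP only, and never
! traffic already headed for the portal (otherwise the portal itself loops).
access-list 101 deny tcp any host 192.0.2.10
access-list 101 permit tcp any any eq www
class-map type traffic match-any UNAUTH-HTTP
 match access-group input 101
!
redirect server-group PORTAL
 server ip 192.0.2.10 port 8080
!
policy-map type service L4REDIRECT
 class type traffic UNAUTH-HTTP
  redirect to group PORTAL
!
! Every new IP session starts with the redirect service applied; the portal
! removes it by sending a CoA to the ISG after the user authenticates.
policy-map type control PORTAL-RULE
 class type control always event session-start
  1 service-policy type service name L4REDIRECT
!
interface GigabitEthernet3/0/0
 ip address 10.0.0.1 255.255.0.0
 service-policy type control PORTAL-RULE
 ip subscriber routed
  initiator unclassified ip-address
!
! Verification
show subscriber session
show redirect translations
```

Sessions are created on first packet from an unknown source address (initiator unclassified ip-address), so the per-line-card and per-chassis session limits quoted above apply to distinct source IPs seen on that port, and an address scan from the access side will consume sessions; idle timeouts in the control policy are the usual mitigation. The CoA key and client address should be restricted to the portal host only, since anyone who can send an accepted CoA can authorize an arbitrary IP.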