L2VPN Pseudowire Redundancy architecture

Hi,
I'm trying to configure L2VPN Pseudowire Redundancy. I've found some documentation in the link below:
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fspseudo.html
But my scenario is quite different from the one explained at this document. I have the following scenario:
So I need to create a L2VPN between CE-A and CE-B. I need to establish the main xconnect between PE-A1 and PE-B1, and the backup between PE-A2 and PE-B2, and I would like the CE to be able to switch between one circuit or the other automatically.
How can I do it? Can anybody help me, please?
Regards,
Cristina

What I need is a layer 2 vpn over the MPLS, so configuring layer 3 routing protocol is not suitable for me.
Maybe it is important to say that I am the SP, so I manage both PE and CE equipment.
Actually, I've read that QinQ can solve my problem, but I'm trying to implement QinQ in this way and it doesn't have the behaviour I expect:

CE-A:
interface GigabitEthernet1/19
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 300-301
 switchport mode trunk
end
interface GigabitEthernet1/20
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 300-301
 switchport mode trunk
end

PE-A1:
pseudowire-class TEST-L2VPN-REDUN1
 encapsulation mpls
 preferred-path interface Tunnel11 disable-fallback    (Tunnel11 is a tunnel to PE-B1)
interface GigabitEthernet2/15
 description test l2vpn redundancy
 switchport
 switchport access vlan 500
 switchport mode dot1q-tunnel
 speed 1000
 l2protocol-tunnel cdp
 l2protocol-tunnel vtp
 no cdp enable
 spanning-tree bpdufilter enable
interface Vlan500
 description l2vpn redundancy
 no ip address
 xconnect 1.1.1.1 101 pw-class TEST-L2VPN-REDUN1   (1.1.1.1 is PE-B1 RouterID)

PE-A2:
pseudowire-class TEST-L2VPN-REDUN2
 encapsulation mpls
 preferred-path interface Tunnel12 disable-fallback    (Tunnel12 is a tunnel to PE-B2)
interface GigabitEthernet2/15
 description test l2vpn redundancy
 switchport
 switchport access vlan 500
 switchport mode dot1q-tunnel
 speed 1000
 l2protocol-tunnel cdp
 l2protocol-tunnel vtp
 no cdp enable
 spanning-tree bpdufilter enable
interface Vlan500
 description l2vpn redundancy
 no ip address
 xconnect 2.2.2.2 102 pw-class TEST-L2VPN-REDUN1   (2.2.2.2 is PE-B2 RouterID)

CE-B:
interface GigabitEthernet1/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 300-301
 switchport mode trunk
end
interface GigabitEthernet1/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 300-301
 switchport mode trunk
end

PE-B1:
pseudowire-class TEST-L2VPN-REDUN1
 encapsulation mpls
 preferred-path interface Tunnel13 disable-fallback    (Tunnel13 is a tunnel to PE-A1)
interface GigabitEthernet2/15
 description prova l2vpn redundancy
 switchport
 switchport access vlan 500
 switchport mode dot1q-tunnel
 speed 1000
 l2protocol-tunnel cdp
 l2protocol-tunnel vtp
 no cdp enable
 spanning-tree bpdufilter enable
interface Vlan500
 description l2vpn redundancy
 no ip address
 xconnect 3.3.3.3 101 pw-class TEST-L2VPN-REDUN1     (3.3.3.3 is PE-A1 routerID)

PE-A2:
pseudowire-class TEST-L2VPN-REDUN2
 encapsulation mpls
 preferred-path interface Tunnel14 disable-fallback    (Tunnel14 is a tunnel to PE-A2)
interface GigabitEthernet2/15
 description prova l2vpn redundancy
 switchport
 switchport access vlan 500
 switchport mode dot1q-tunnel
 speed 1000
 l2protocol-tunnel cdp
 l2protocol-tunnel vtp
 no cdp enable
 spanning-tree bpdufilter enable
interface Vlan500
 description l2vpn redundancy
 no ip address
 xconnect 4.4.4.4 102 pw-class TEST-L2VPN-REDUN2    (4.4.4.4 is PE-A2 routerID)

The result of applying this configuration is VC 101 established and with layer 2 connectivity OK, but VC 102 down and interface Gi2/15 of PE-A2 in err-disable state. The behaviour I expected is that the STP protocol acts and puts the ports of the second layer 2 path in blocking state.
Any idea??
Thanks.
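
A consistency check over the pseudowire-class and xconnect lines of the configuration posted above, as an added example that is not part of the original post. It verifies that every xconnect names a pw-class defined on the same PE and that the far-end PE points back with the same VC ID. The sample is abridged from the post, and the second block labelled PE-A2 is keyed as PE-B2 here, which is an assumption based on its tunnel and xconnect both pointing at PE-A2.

```python
import re

# Constructed sample: abridged from the configuration posted above, keeping only
# the pseudowire-class and xconnect lines. The post's second "PE-A2" block is
# keyed as PE-B2 (assumption: its tunnel and xconnect both point at PE-A2).
POSTED_CONFIG = {
    "PE-A1": "pseudowire-class TEST-L2VPN-REDUN1\n"
             "interface Vlan500\n"
             " xconnect 1.1.1.1 101 pw-class TEST-L2VPN-REDUN1\n",
    "PE-A2": "pseudowire-class TEST-L2VPN-REDUN2\n"
             "interface Vlan500\n"
             " xconnect 2.2.2.2 102 pw-class TEST-L2VPN-REDUN1\n",
    "PE-B1": "pseudowire-class TEST-L2VPN-REDUN1\n"
             "interface Vlan500\n"
             " xconnect 3.3.3.3 101 pw-class TEST-L2VPN-REDUN1\n",
    "PE-B2": "pseudowire-class TEST-L2VPN-REDUN2\n"
             "interface Vlan500\n"
             " xconnect 4.4.4.4 102 pw-class TEST-L2VPN-REDUN2\n",
}

# Router IDs as annotated next to the xconnect lines in the post.
ROUTER_IDS = {"1.1.1.1": "PE-B1", "2.2.2.2": "PE-B2",
              "3.3.3.3": "PE-A1", "4.4.4.4": "PE-A2"}

PW_CLASS_RE = re.compile(r"^pseudowire-class[ \t]+(\S+)", re.M)
XCONNECT_RE = re.compile(
    r"^[ \t]*xconnect[ \t]+(\S+)[ \t]+(\d+)"
    r"(?:[ \t]+encapsulation[ \t]+\S+)?(?:[ \t]+pw-class[ \t]+(\S+))?",
    re.M,
)


def parse_device(text):
    """Return (defined pw-classes, [(peer_ip, vc_id, pw_class_or_None), ...])."""
    classes = set(PW_CLASS_RE.findall(text))
    xconnects = [(peer, int(vc), pw or None)
                 for peer, vc, pw in XCONNECT_RE.findall(text)]
    return classes, xconnects


def lint(configs, router_ids):
    """Return a list of (device, finding) tuples, ordered by device name."""
    parsed = {dev: parse_device(text) for dev, text in configs.items()}
    name_to_id = {name: rid for rid, name in router_ids.items()}
    findings = []
    for dev in sorted(parsed):
        classes, xconnects = parsed[dev]
        for peer_ip, vc, pw in xconnects:
            # A pw-class referenced by xconnect must exist on the same device.
            if pw and pw not in classes:
                findings.append(
                    (dev, f"xconnect {peer_ip} {vc} uses undefined pw-class {pw}"))
            peer = router_ids.get(peer_ip)
            if peer is None or peer not in parsed:
                findings.append((dev, f"xconnect peer {peer_ip} is not a known PE"))
                continue
            # The far end must point back at this device with the same VC ID.
            back = [(p, v) for p, v, _ in parsed[peer][1]]
            if (name_to_id.get(dev), vc) not in back:
                findings.append((dev, f"no matching xconnect on {peer} for VC {vc}"))
    return findings


if __name__ == "__main__":
    for device, finding in lint(POSTED_CONFIG, ROUTER_IDS):
        print(f"{device}: {finding}")
```

The finding only reports what the posted lines contain; it does not by itself explain the err-disable state on Gi2/15.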

Similar Messages

  • L2VPN Pseudowire Redundancy/IPSEC

    I have a customer with L2VPN Pseudowire Redundancy configured and they want a more secure environment and would like to implement IPSEC and still maintain the Pseudowire Redundancy. The only way I can come up with is to put a device behind each side of the L2VPN tunnel to do the IPSEC VPN. Is there a way to do Pseudowire Redundancy with IPSEC and not L2VPN? As far as I know you cannot, because it's run on layer 2 and IPSEC is layer 3, but maybe I am missing something.
    Thanks.

    The L2VPN Pseudowire Redundancy feature enables you to configure your network to detect a failure in the network and reroute the Layer 2 (L2) service to another endpoint that can continue to provide service.
    http://www.cisco.com/en/US/products/ps6441/products_configuration_guide_chapter09186a0080819eea.html#wp1053684
    Configuring IPSec Redundancy: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094c1f.shtml

  • L2 MPLS (AToM) redundancy

    Hi all,
    Is it possible to provide redundancy for an L2 MPLS VPN customer between his two sites? (I thought of having a parallel pseudowire link and running any routing protocol between his CEs.) Apart from this, is there any other possibility of providing redundancy?
    Thanks in advance....

    Arun, depending on your SLA to your customer you can choose the appropriate method for redundancy. The method which you have proposed is also fine.
    Here is a feature called L2VPN pseudowire redundancy, wherein only one pseudowire would be active for the customer at a time, just like what you have in opticals called protection circuits.
    http://www.cisco.com/en/US/products/ps6441/products_configuration_guide_chapter09186a0080819eea.html
    HTH-Cheers,
    Swaroop

  • [ios pw redundancy with xr mc-lag termination]

    hi, all:
    first of all, thanks in advance and please take a look at the attached diagram.
    i'm trying to setup a pseudowire redundancy setup between an ME3800 and two ASR9000s that build a mlacp etherchannel towards a cat4500, 4500-2. when primary pseudowire is up, everything works as expected. the problem is that, when you cause a switchover scenario from the primary asr9k-1 (say by shutting down the link to the 4500-2) to the secondary asr9k-2, traffic does not pass from one end of the pw to the other. if we bring up the failed link back up, primary pw works.
    all 'show' commands check out and pw switches over as expected. as a test, i have a 3rd asr9k connected in parallel to the ME3800 and we have no problem with that. when we cause the exact same failure scenario, the primary pw switches over to the secondary and everything works exactly like i would expect. traffic passes in both pri and stby pws when using the parallel asr9k.
    as you will be able to see from attached-configs, the pw's from ME3800 and asr9k are a little different. ME3800 pw is port-based and asr9k pw is vlan-based, but since both primary pws work i see no obvious problem with that.
    now, i know both ends of the mc-lag work, because the asr9k pw redundancy setup works.
    if i build a single pw (no redundancy) from ME3800 to asr9k-1 connectivity works AND if i build a single pw from me3800 to asr9k-2 on same exact vlan, connectivity works also.
    hopefully, one of you will take the time to look at configs and let me know if you see something wrong (i think with the ME3800 config). please keep in mind that everything works perfectly when working with asr9k pw redundancy (xr on both ends of pw)
    c.
    ============
    ME3800 (pw-redundancy)
    3800#show run | section pseudowire
    pseudowire-class mpls
    encapsulation mpls
    status peer topology dual-homed
    ! tried it without above status command, didn't work either.
    3800#show run int g0/24          
    Building configuration...
    Current configuration : 175 bytes
    interface GigabitEthernet0/24
    no switchport
    no ip address
    xconnect 207.x.y.9 1100 encapsulation mpls pw-class mpls
      backup peer 207.x.y.17 1101 pw-class mpls
    end
    3800#
    3800#show xconnect all
    Legend:    XC ST=Xconnect State  S1=Segment1 State  S2=Segment2 State
      UP=Up       DN=Down            AD=Admin Down      IA=Inactive
      SB=Standby  HS=Hot Standby     RV=Recovering      NH=No Hardware
    XC ST  Segment 1                         S1 Segment 2                         S2
    ------+---------------------------------+--+---------------------------------+--
    UP pri   ac Gi0/24:78(Ethernet)          UP mpls 207.x.y.9:1100            UP
    IA sec   ac Gi0/24:78(Ethernet)          UP mpls 207.x.y.17:1101           DN
    3800_sw_pruebas#
    ============
    ASR-3 (pw-redundancy)
    RP/0/RSP1/CPU0:ASR-3#show run l2vpn
    Sat Jun 15 09:07:10.183 CST
    l2vpn
    xconnect group PRUEBAS-XXXX
      p2p ESC-MTZ
       interface Bundle-Ether1000.28
       neighbor 207.x.y.9 pw-id 1128
        backup neighbor 207.x.y.17 pw-id 1228
    RP/0/RSP1/CPU0:ASR-3#show l2vpn xconnect
    Sat Jun 15 09:20:26.183 CST
    Legend: ST = State, UP = Up, DN = Down, AD = Admin Down, UR = Unresolved,
            SB = Standby, SR = Standby Ready
    XConnect                   Segment 1                   Segment 2               
    Group      Name       ST   Description            ST   Description            ST
    PRUEBAS-XXXX
               to4500-2    UP   BE1000.28              UP   207.x.y.9    1128   UP
                                                           Backup                  
                                                           207.x.y.17   1228   DN
    RP/0/RSP1/CPU0:ASR-3#
    ============
    asr9k-1  (pw-termination)
    RP/0/RSP0/CPU0:asr9k-1#show run l2vpn
    Sat Jun 15 09:09:10.555 CST
    l2vpn
    pw-status
    pw-class mpls
      encapsulation mpls
       redundancy
        one-way
    xconnect group PRUEBAS-XXXX
      p2p toASR-3
       interface Bundle-Ether1000.28
       neighbor 207.x.y.1 pw-id 1128
      p2p toME3800
       interface Bundle-Ether1000.26
       neighbor 207.x.y.30 pw-id 1100
    RP/0/RSP0/CPU0:asr9k-1#show run redundancy
    Sat Jun 15 09:09:16.659 CST
    redundancy
    iccp
      group 1000
       mlacp node 1
       mlacp system mac 000d.000e.000f
       mlacp system priority 1
       member
        neighbor 207.x.y.17
       backbone
        interface Bundle-Ether1
    ============
    RP/0/RSP0/CPU0:asr9k-2#show run l2vpn
    Sat Jun 15 09:13:39.908 CST
    l2vpn
    pw-status
    pw-class mpls
      encapsulation mpls
       redundancy
        one-way
    xconnect group PRUEBAS-XXXX
      p2p toASR-3
       interface Bundle-Ether1000.28
       neighbor 207.x.y.1 pw-id 1228
      p2p toME3800
       interface Bundle-Ether1000.26
       neighbor 207.x.y.30 pw-id 1101
    RP/0/RSP0/CPU0:asr9k-2#show run redundancy
    Sat Jun 15 09:13:43.656 CST
    redundancy
    iccp
      group 1000
       mlacp node 2
       mlacp system mac 000d.000e.000f
       mlacp system priority 1
       member
        neighbor 207.x.y.9
       backbone
        interface Bundle-Ether1

    Hard to tell where and why the traffic gets dropped. If I were to guess, the ME might still send traffic down the wrong PW
    due to MAC learning, so it might need to get flushed.
    I thought, however, that as part of the PW switchover the MAC flush is instantiated.
    Either case, you want to set up a stream of say 1000 pps so it is easy to verify, and check the NP counters to see where and why these packets are getting dropped and whether it is the 9k or the ME in that regard.
    Suspect a PW signaling and MAC flushing issue here.
    xander

  • EoMPLS support on Cisco ISR G2 2921?

    Hi there, I saw in Feature Navigator that EoMPLS is a supported feature for the 2921...
    - Can somebody please confirm that EoMPLS is supported with Cisco 2921?
    - Is pseudowire redundancy possible?
    Thanks
    Manuel

    Hi Manuel,
    yes it is supported (if I am not wrong since release 12(4)T) and also L2VPN PW redundancy is supported.
    Riccardo

  • Redundant Q-in-Q injection

    Hi,
    I have to inject traffic in a dot1q-tunnel and this has to happen in a redundant way. The structure of the underlying network is the following:
    There are 2 pairs of switches: the first one consists of 2 Catalyst 6509-E which both belong to 1 MST region, and the second one is made up of 2 Catalyst 4948 which don't run any kind of spanning-tree. The 2 switches of each pair are connected to each other and this link should be the primary one. There are also 4 connections acting as trunks between these two pairs of switches, so that each switch has one direct connection to each one of the 2 switches of the opposite pair.
    To inject the traffic into the Q-in-Q tunnel this structure of 4 direct connections between the switches is repeated. But this time the interfaces of the Catalyst 4849 terminate these links configured with "switchport mode dot1q-tunnel". At the other side the interfaces of the 2 Catalyst 6509-E are configured as trunks which allow only the VLANs which have to be inserted into the dot1q-tunnel.
    My problem is that I can't get this running. With just one of the 4 Q-in-Q links active this works. But if I activate just one of the other 3 Q-in-Q connections this stops working properly. I lose the remote connection to the 2 Catalyst 6509-E and it seems there is a loop. But "debug spanning-tree all" won't show anything at all on the 2 Catalyst 6509-E.
    Has any of you been able to set up a similar scenario? And/or can you give me some kind of hint in the right direction?
    thanks in advance
    kind regards
    Mark

    Tag Stacking is Cisco's implementation of Q-in-Q. Tag Stacking in the context of VPLS is used to bundle all customer VLANs into a single L2VPN identifier that identifies which VSI is used to switch the frame. The outer 802.1Q label in the Tag Stack is a service-delimiting tag.
    PPPoE - QinQ Support on Subinterfaces:
    PPPoE - QinQ Support simply adds another layer of IEEE 802.1Q tag (called "metro tag" or "PE-VLAN") to the 802.1Q tagged packets that enter the network. The purpose is to expand the VLAN space by tagging the tagged packets, thus producing a "double-tagged" frame. The expanded VLAN space allows the service provider to provide certain services, such as Internet access on specific VLANs for specific customers, and yet still allows the service provider to provide other types of services for their other customers on other VLANs.
    Generally the service provider's customers require a range of VLANs to handle multiple applications. Service providers can allow their customers to use this feature to safely assign their own VLAN IDs on subinterfaces because these subinterface VLAN IDs are encapsulated within a service provider-designated VLAN ID for that customer. Therefore there is no overlap of VLAN IDs among customers, nor does traffic from different customers become mixed. The double-tagged frame is "terminated" or assigned on a subinterface with an expanded encapsulation dot1q command that specifies the two VLAN ID tags (outer VLAN ID and inner VLAN ID) terminated on the subinterface. See Figure 1.
    PPPoE - QinQ Support is generally supported on whichever Cisco IOS features or protocols are supported on the subinterface. For example, if you can run PPPoE on the subinterface, you can configure a double-tagged frame for PPPoE. IPoQ-in-Q supports IP packets that are double-tagged for Q-in-Q VLAN tag termination by forwarding IP traffic with the double-tagged (also known as stacked) 802.1Q headers.
    Try:
    http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801f0f4a.html
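
The double-tagged frame described in the reply above, shown at byte level as an added example that is not part of the original thread. It pushes a provider (outer) tag onto a customer-tagged frame the way a dot1q-tunnel port does, parses the resulting tag stack, and shows that two customers using the same inner VLAN ID stay distinct by their outer tag. The MAC addresses, VLAN IDs (outer 500/501, inner 300) and payloads are constructed, and an outer TPID of 0x8100 is assumed.

```python
import struct

# Tag protocol identifiers that mark a VLAN tag in an Ethernet header.
VLAN_TPIDS = {0x8100: "802.1Q", 0x88A8: "802.1ad", 0x9100: "pre-standard QinQ"}

# Constructed addresses: broadcast destination, locally administered source.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")


def vlan_tag(vid, pcp=0, tpid=0x8100):
    """Encode one 4-byte VLAN tag: TPID followed by PCP(3) | DEI(1) | VID(12)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    return struct.pack("!HH", tpid, (pcp << 13) | vid)


def customer_frame(inner_vid, payload, ethertype=0x0800):
    """A single-tagged frame as it leaves the customer trunk port."""
    return DST + SRC + vlan_tag(inner_vid) + struct.pack("!H", ethertype) + payload


def parse_vlan_stack(frame, max_tags=2):
    """Return (tags outermost-first, ethertype, payload); reject malformed input."""
    offset, tags = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated before EtherType")
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in VLAN_TPIDS:
            return tags, etype, frame[offset + 2:]
        if len(tags) >= max_tags:
            raise ValueError(f"more than {max_tags} VLAN tags")
        if len(frame) < offset + 4:
            raise ValueError("frame truncated inside VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"tpid": etype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4


def push_outer(frame, service_vid, tpid=0x8100):
    """Tunnel-port ingress: insert the provider tag right after the two MACs."""
    return frame[:12] + vlan_tag(service_vid, tpid=tpid) + frame[12:]


def pop_outer(frame):
    """Tunnel-port egress: strip the outermost tag, leaving the customer frame."""
    tags, _, _ = parse_vlan_stack(frame)
    if not tags:
        raise ValueError("frame carries no VLAN tag")
    return frame[:12] + frame[16:]


def service_key(frame):
    """(outer VID, inner VID or None): the pair that identifies the service."""
    tags, _, _ = parse_vlan_stack(frame)
    if not tags:
        raise ValueError("untagged frame")
    inner = tags[1]["vid"] if len(tags) > 1 else None
    return tags[0]["vid"], inner


if __name__ == "__main__":
    a = push_outer(customer_frame(300, b"customer A"), 500)
    b = push_outer(customer_frame(300, b"customer B"), 501)
    print(service_key(a), service_key(b))
```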

  • LLDP transport over Pseudowire ASR9K

    We are trying to transport LLDP over PW and CE devices can not see the LLDP neighbors one CE. Can anyone confirm that the ASR9K transports LLDP over PW, as I did not find LLDP specific information on CCO and it's not working?
    www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r4-1/interfaces/configuration/guide/hc41asr9kbook/hc41ethi.html
    We could only see STP neighbor with this setup but not LLDP
    Topology :
    CE(LLDP Enabled) ------- ASR903 (PW End A)---------MPLS-------------ASR9K( PW End B)----- CE( LLDP Enabled)
    IF we move the link from ASR9K to ASR903 , LLDP & STP neighbors can be seen on CE.
    ASR9K Configuration :
    RP/0/RSP0/CPU0:ASR9K#sh running-config int gig 0/5/1/1
    Tue Mar 24 00:56:23.707 IST
    interface GigabitEthernet0/5/1/1
    mtu 9216
    speed 1000
    load-interval 30
    RP/0/RSP0/CPU0:ASR9K#sh running-config int gig 0/5/1/1.100
    Tue Mar 24 00:56:31.582 IST
    interface GigabitEthernet0/5/1/1.4002 l2transport
    encapsulation dot1q 100
    rewrite ingress tag pop 1 symmetric
    l2protocol cpsv tunnel
    l2vpn
     logging
      pseudowire
     xconnect group ABC_xconnect
      p2p ABC
       interface gig 0/5/1/1.100
       neighbor ipv4 192.168.54.11 pw-id 1001
    ASR903 Configuration
    S2BLRACPTNXXXACR007#sh run  int gig 0/3/4
    Building configuration...
    Current configuration : 342 bytes
    interface GigabitEthernet0/3/4
    mtu 9202
    no ip address
    negotiation auto
    no keepalive
    service instance 1 ethernet
      encapsulation default
      l2protocol tunnel stp lldp
      xconnect 192.168.53.65 1001 encapsulation mpls
    end

    I think you can create multiple templates, and by using CBTS to route the desired traffic over the required TE tunnel you can achieve it.
    Each template can have its own path calculation, e.g. DS-TE or explicit path vs dynamic.
    Hope this helps.

  • I am using Windows 8.1 i have an External Hard Disk and one drive is now inaccessible due to sudden power failure few days ago. Now it shows "Data error (Cyclic redundancy check)". I want all my important files and Pics. How ?

    Hi,
    I am using Windows 8.1
    I have an External Hard Disk i have partitioned it to 4 parts.
    One drive is now inaccessible due to sudden power failure while listening Music from that drive few days ago.
    Now it shows "Data error (Cyclic redundancy check)".
    I tried all the procedures provided here like
    chkdsk /f, diskpart, rescan etc
    but no result :( (i mean all processes failed. They could not detect the drive).
    Please help me to get those data, pictures and project files.
    thank you

    Then why aren't you posting this in the Windows 8 forums found @
    http://social.technet.microsoft.com/Forums/windows/en-US/home?category=w8itpro
    This is a Windows 7 forum for discussion about Windows 7.

  • Data error (cyclic redundancy check) when installing windows xp..

    hi guys.. i'm new here.. just switched to macdom a few days ago but unfortunately, i have been having problems trying to install windows xp with sp 2 on my system using boot camp. everytime i install it, i get to the setup screen ("39 minutes till setup rah rah rah", "windows xp is awesome because it has this cool interface etc... rah rah rah") and then the error of doom comes out -_-
    the error given is;
    an error has been encountered that prevents setup from continuing
    one of the components that windows needs to continue setup could not be installed
    data error (cyclic redundancy check)
    if you are installing from a cd, there might be a problem with the disc; try cleaning the disc or using another disc
    if you are installing from the network, it is possible that not all of the files were copied correctly to your disk drive. run the disk checking utility on your installation drive from the recovery console and start setup again
    press ok to view the setup log file
    i have tried numerous times without fail and it is getting to my head.. gah.. if someone could help me out, it would be massive and i would sell my soul to you! (kidding).. thanks for reading!
    p/s: my setup is;
    Macbook
    2.1ghz
    1gb ram
    120gb hard disk
    dvd/cd-rw combo drive
    the basic setup pretty much.. again.. any help would be greatly appreciated. thank you so much guys!

    I guess there is a problem with your XP CD, probably scratched or did not burn successfully. Have you tried it with another installation cd?

  • Recovery Window-Based Retention VS Redundancy-Based Retention

    Hi Experts,
    We'd like to know your take on the use of Recovery Window-Based Retention Policy e.g.
    RMAN> CONFIGURE RETENTION POLICY TO RECOVERY WINDOW OF 7 DAYS;
    against the use of Redundancy-Based Retention Policy, e.g.
    CONFIGURE RETENTION POLICY TO REDUNDANCY 7;
    Do you have any recommendations or preferences to which should be used? Is there a preferred method by oracle?
    We're currently setting up RMAN for a client that's using Oracle 11.1.0.7 standard edition, so is there a preference to what's better suited for the standard edition? The plan is to back up data to Disk, and this data will be then backed up to tape.
    Thanks

    REDUNDANCY 7 is 7 backups -- irrespective of the number of days.
    If you are running only 1 backup a day, you'd assume that it is equivalent to 7 days. However, if one day you run a backup twice, then the 7-day old backup becomes redundant ! If, the next day, you again run the backup twice, the 5-day old backup becomes redundant ! (Conversely, if you don't run a backup for 2 days, then even the 9 day old backup is not redundant !).
    So, be aware (or beware) that any adhoc backup runs or changes to the backup frequency would change your retention duration (and if this happens 6 months from now, the IT Manager / DBA onsite may not know that retention has changed !)
    Hemant K Chitae
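
The effect described in the reply above, modelled as an added example that is not part of the original thread. It compares how far back the oldest retained backup reaches under REDUNDANCY 7 and under RECOVERY WINDOW OF 7 DAYS for three schedules. The model is a simplification (full backups only, no archived logs or incrementals), the dates and schedules are constructed, and ages are counted in calendar days from the constructed "now".

```python
from datetime import datetime, timedelta

NOW = datetime(2024, 1, 20, 23, 0)  # constructed reference time


def keep_by_redundancy(backups, copies):
    """REDUNDANCY n: the n most recent backups are kept, whatever their age."""
    return sorted(backups, reverse=True)[:copies]


def keep_by_recovery_window(backups, now, days):
    """RECOVERY WINDOW OF n DAYS: keep every backup taken inside the window plus
    the newest one taken before it, which is needed to restore to the window start."""
    window_start = now - timedelta(days=days)
    kept = [b for b in backups if b >= window_start]
    older = [b for b in backups if b < window_start]
    if older:
        kept.append(max(older))
    return sorted(kept, reverse=True)


def oldest_kept_age_days(kept, now):
    """Age in calendar days of the oldest backup that is still retained."""
    return (now.date() - min(kept).date()).days


def schedule(daily_days, adhoc_days=()):
    """Scheduled backups at 01:00 and ad hoc ones at 13:00, N days before NOW."""
    daily = [NOW.replace(hour=1) - timedelta(days=d) for d in daily_days]
    adhoc = [NOW.replace(hour=13) - timedelta(days=d) for d in adhoc_days]
    return daily + adhoc


# Constructed schedules.
SCENARIOS = {
    "one backup a day": schedule(range(10)),
    "two ad hoc extra runs": schedule(range(10), adhoc_days=(0, 1)),
    "last two days skipped": schedule(range(2, 12)),
}


def compare(scenarios=SCENARIOS, n=7):
    """Map scenario -> (oldest kept age under REDUNDANCY n, under RECOVERY WINDOW n)."""
    result = {}
    for name, backups in scenarios.items():
        by_count = keep_by_redundancy(backups, n)
        by_window = keep_by_recovery_window(backups, NOW, n)
        result[name] = (oldest_kept_age_days(by_count, NOW),
                        oldest_kept_age_days(by_window, NOW))
    return result


if __name__ == "__main__":
    for name, (redundancy_age, window_age) in compare().items():
        print(f"{name}: redundancy={redundancy_age}d window={window_age}d")
```

Under the count-based policy the reach of the retained set moves with the backup frequency, while the window-based policy holds it at the configured number of days.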

  • Dot1x with port security and redundant radius servers

    I have a strange issue with my dot1x port authentication. I have two radius servers configured in my switch for redundancy, and on my switchport I have a Cisco IP phone and a PC. Testing redundancy with the radius servers, when I have both servers active and running, the port authentication works fine for both phone and pc. When I fail the radius servers in the configuration, by disconnecting the NIC on it, the switch goes to the surviving radius server and authenticates, (I can see it in the running log) both the phone and PC get an access-accept, but only the phone works on the network and the port light stays amber showing it's blocking for the pc. Strange, since it showed an accept on the radius server.
    This only seems to happen when the first one on the list is failed.  When the second one is failed, it obviously won't need to try it, so there's not an issue.  Any ideas?
    Here's the setup and configs:
    freeradius 2.1.12-4
    cisco 3560
    Switch Ports Model              SW Version            SW Image                
    *    1 52    WS-C3560G-48PS     12.2(53)SE2           C3560-IPBASEK9-M 
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    interface GigabitEthernet0/1
    switchport access vlan 100
    switchport mode access
    switchport voice vlan 110
    authentication event no-response action authorize vlan 901
    authentication host-mode multi-domain
    authentication port-control auto
    authentication periodic
    authentication violation protect
    mab
    dot1x pae authenticator
    dot1x timeout quiet-period 10
    dot1x timeout tx-period 1
    no mdix auto
    spanning-tree portfast
    radius-server host 10.90.1.88 auth-port 1645 acct-port 1646 key 7 xxx
    radius-server host 10.90.1.85 auth-port 1645 acct-port 1646 key 7 xxx
    Here's an authentication string from the radius server:
    (there are two mac address.  The first one 00.13 is the PC and the second 30.37 is the phone)
    rad_recv: Access-Request packet from host 10.90.100.7 port 1645, id=204, length=160
    User-Name = "001372b639a6"
    User-Password = "001372b639a6"
    Service-Type = Call-Check
    Framed-MTU = 1500
    Called-Station-Id = "9C-AF-CA-23-D9-01"
    Calling-Station-Id = "00-13-72-B6-39-A6"
    Message-Authenticator = 0xfeef777a8033c24934306b3cce78c8f1
    NAS-Port-Type = Ethernet
    NAS-Port = 50001
    NAS-Port-Id = "GigabitEthernet0/1"
    NAS-IP-Address = 10.90.100.7
    Wed Sep 18 10:48:06 2013 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default
    Wed Sep 18 10:48:06 2013 : Info: +- entering group authorize {...}
    Wed Sep 18 10:48:06 2013 : Info: ++[preprocess] returns ok
    Wed Sep 18 10:48:06 2013 : Info: ++[chap] returns noop
    Wed Sep 18 10:48:06 2013 : Info: ++[mschap] returns noop
    Wed Sep 18 10:48:06 2013 : Info: ++[digest] returns noop
    Wed Sep 18 10:48:06 2013 : Info: [suffix] No '@' in User-Name = "001372b639a6", looking up realm NULL
    Wed Sep 18 10:48:06 2013 : Info: [suffix] No such realm "NULL"
    Wed Sep 18 10:48:06 2013 : Info: ++[suffix] returns noop
    Wed Sep 18 10:48:06 2013 : Info: [eap] No EAP-Message, not doing EAP
    Wed Sep 18 10:48:06 2013 : Info: ++[eap] returns noop
    Wed Sep 18 10:48:06 2013 : Info: [sql]           expand: %{User-Name} -> 001372b639a6
    Wed Sep 18 10:48:06 2013 : Info: [sql] sql_set_user escaped user --> '001372b639a6'
    Wed Sep 18 10:48:06 2013 : Debug: rlm_sql (sql): Reserving sql socket id: 3
    Wed Sep 18 10:48:06 2013 : Info: [sql]           expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '001372b639a6'           ORDER BY id
    Wed Sep 18 10:48:06 2013 : Debug: rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '001372b639a6'           ORDER BY id
    Wed Sep 18 10:48:06 2013 : Info: [sql] User found in radcheck table
    Wed Sep 18 10:48:06 2013 : Info: [sql]           expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '001372b639a6'           ORDER BY id
    Wed Sep 18 10:48:06 2013 : Debug: rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '001372b639a6'           ORDER BY id
    Wed Sep 18 10:48:06 2013 : Info: [sql]           expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = '001372b639a6'           ORDER BY priority
    Wed Sep 18 10:48:06 2013 : Debug: rlm_sql_mysql: query:  SELECT groupname           FROM radusergroup           WHERE username = '001372b639a6'           ORDER BY priority
    Wed Sep 18 10:48:06 2013 : Debug: rlm_sql (sql): Released sql socket id: 3
    Wed Sep 18 10:48:06 2013 : Info: ++[sql] returns ok
    Wed Sep 18 10:48:06 2013 : Info: ++[expiration] returns noop
    Wed Sep 18 10:48:06 2013 : Info: ++[logintime] returns noop
    Wed Sep 18 10:48:06 2013 : Info: ++[pap] returns updated
    Wed Sep 18 10:48:06 2013 : Info: Found Auth-Type = PAP
    Wed Sep 18 10:48:06 2013 : Info: # Executing group from file /etc/raddb/sites-enabled/default
    Wed Sep 18 10:48:06 2013 : Info: +- entering group PAP {...}
    Wed Sep 18 10:48:06 2013 : Info: [pap] login attempt with password "001372b639a6"
    Wed Sep 18 10:48:06 2013 : Info: [pap] Using clear text password "001372b639a6"
    Wed Sep 18 10:48:06 2013 : Info: [pap] User authenticated successfully
    Wed Sep 18 10:48:06 2013 : Info: ++[pap] returns ok
    Wed Sep 18 10:48:06 2013 : Info: # Executing section post-auth from file /etc/raddb/sites-enabled/default
    Wed Sep 18 10:48:06 2013 : Info: +- entering group post-auth {...}
    Wed Sep 18 10:48:06 2013 : Info: ++[exec] returns noop
    Sending Access-Accept of id 204 to 10.90.100.7 port 1645
    Wed Sep 18 10:48:06 2013 : Info: Finished request 0.
    Wed Sep 18 10:48:06 2013 : Debug: Going to the next request
    Wed Sep 18 10:48:06 2013 : Debug: Waking up in 4.9 seconds.
    Wed Sep 18 10:48:11 2013 : Info: Cleaning up request 0 ID 204 with timestamp +77
    Wed Sep 18 10:48:11 2013 : Info: Ready to process requests.
    rad_recv: Access-Request packet from host 10.90.100.7 port 1645, id=205, length=160
    User-Name = "3037a616cd49"
    User-Password = "3037a616cd49"
    Service-Type = Call-Check
    Framed-MTU = 1500
    Called-Station-Id = "9C-AF-CA-23-D9-01"
    Calling-Station-Id = "30-37-A6-16-CD-49"
    Message-Authenticator = 0xc9173e759dd759b9d414d192783e8a8e
    NAS-Port-Type = Ethernet
    NAS-Port = 50001
    NAS-Port-Id = "GigabitEthernet0/1"
    NAS-IP-Address = 10.90.100.7
    Wed Sep 18 10:48:13 2013 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default
    Wed Sep 18 10:48:13 2013 : Info: +- entering group authorize {...}
    Wed Sep 18 10:48:13 2013 : Info: ++[preprocess] returns ok
    Wed Sep 18 10:48:13 2013 : Info: ++[chap] returns noop
    Wed Sep 18 10:48:13 2013 : Info: ++[mschap] returns noop
    Wed Sep 18 10:48:13 2013 : Info: ++[digest] returns noop
    Wed Sep 18 10:48:13 2013 : Info: [suffix] No '@' in User-Name = "3037a616cd49", looking up realm NULL
    Wed Sep 18 10:48:13 2013 : Info: [suffix] No such realm "NULL"
    Wed Sep 18 10:48:13 2013 : Info: ++[suffix] returns noop
    Wed Sep 18 10:48:13 2013 : Info: [eap] No EAP-Message, not doing EAP
    Wed Sep 18 10:48:13 2013 : Info: ++[eap] returns noop
    Wed Sep 18 10:48:13 2013 : Info: [sql]           expand: %{User-Name} -> 3037a616cd49
    Wed Sep 18 10:48:13 2013 : Info: [sql] sql_set_user escaped user --> '3037a616cd49'
    Wed Sep 18 10:48:13 2013 : Debug: rlm_sql (sql): Reserving sql socket id: 2
    Wed Sep 18 10:48:13 2013 : Info: [sql]           expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '3037a616cd49'           ORDER BY id
    Wed Sep 18 10:48:13 2013 : Debug: rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '3037a616cd49'           ORDER BY id
    Wed Sep 18 10:48:13 2013 : Info: [sql] User found in radcheck table
    Wed Sep 18 10:48:13 2013 : Info: [sql]           expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '3037a616cd49'           ORDER BY id
    Wed Sep 18 10:48:13 2013 : Debug: rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '3037a616cd49'           ORDER BY id
    Wed Sep 18 10:48:13 2013 : Info: [sql]           expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = '3037a616cd49'           ORDER BY priority
    Wed Sep 18 10:48:13 2013 : Debug: rlm_sql_mysql: query:  SELECT groupname           FROM radusergroup           WHERE username = '3037a616cd49'           ORDER BY priority
    Wed Sep 18 10:48:13 2013 : Debug: rlm_sql (sql): Released sql socket id: 2
    Wed Sep 18 10:48:13 2013 : Info: ++[sql] returns ok
    Wed Sep 18 10:48:13 2013 : Info: ++[expiration] returns noop
    Wed Sep 18 10:48:13 2013 : Info: ++[logintime] returns noop
    Wed Sep 18 10:48:13 2013 : Info: ++[pap] returns updated
    Wed Sep 18 10:48:13 2013 : Info: Found Auth-Type = PAP
    Wed Sep 18 10:48:13 2013 : Info: # Executing group from file /etc/raddb/sites-enabled/default
    Wed Sep 18 10:48:13 2013 : Info: +- entering group PAP {...}
    Wed Sep 18 10:48:13 2013 : Info: [pap] login attempt with password "3037a616cd49"
    Wed Sep 18 10:48:13 2013 : Info: [pap] Using clear text password "3037a616cd49"
    Wed Sep 18 10:48:13 2013 : Info: [pap] User authenticated successfully
    Wed Sep 18 10:48:13 2013 : Info: ++[pap] returns ok
    Wed Sep 18 10:48:13 2013 : Info: # Executing section post-auth from file /etc/raddb/sites-enabled/default
    Wed Sep 18 10:48:13 2013 : Info: +- entering group post-auth {...}
    Wed Sep 18 10:48:13 2013 : Info: ++[exec] returns noop
    Sending Access-Accept of id 205 to 10.90.100.7 port 1645
    Cisco-AVPair = "device-traffic-class=voice"
    Wed Sep 18 10:48:13 2013 : Info: Finished request 1.
    Wed Sep 18 10:48:13 2013 : Debug: Going to the next request
    Wed Sep 18 10:48:13 2013 : Debug: Waking up in 4.9 seconds.
    Wed Sep 18 10:48:18 2013 : Info: Cleaning up request 1 ID 205 with timestamp +84
    Wed Sep 18 10:48:18 2013 : Info: Ready to process requests.
    Thanks!

    802.1X support requires an authentication server that is configured for Remote Authentication Dial-In User Service (RADIUS). 802.1X authentication does not work unless the network access switch can route packets to the configured RADIUS server.
    Please check the links below, which can be helpful for the configuration:
    Link-1
    http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/50sg/configuration/guide/dot1x.html

  • Jabber for Windows 10.5 and global redundancy

    Hi All,
    I implement J4W 10.5 in a full redundant environment, that contains:
    - 3 x CUCM 10.5
    - 2 x Unity Connection 10.5
    - 2 x IM&P 10.5
    - 2 x Expressway-C 8.2.2
    - 2 x Expressway-E 8.2.2
    After testing, I notice that the redundancy/failover does not act the same way depending on the product, sometimes not at all.
    As it is not clearly stated in the documentation, what is clearly supported as automatic failover, and what's not, when using Jabber for Windows 10.5?
    In my first test, I saw that Jabber does not support failover with UnityConnection: if the primary peer is down, no more voicemail on Jabber.
    If Jabber runs in Mobile and Remote Access, and the Expressway where it's connected goes down, it doesn't switch to the other peer.
    It will be good to have a document that relate all the redundancy and failover support with Jabber, what can we expect during the failover process.
    It will help a lot of people.
    Thanks
    Gabriel

    Yep, that's what I did now.
    But keep in mind this is not really explained, even if crossing all the documentations.
    There is no document explaining what behaviour to expect in Jabber in case of redundancy of all the UC components.
    For the CUCM, it's not clear, and nothing is mentioned in case of MRA.
    IM&P is documented, but nothing for MRA.
    Expressway states about redundancy, but the behaviour to expect is not. Same for XMPP federation, no idea.
    UnityConnection as well, nothing is explained.

  • Memory on the redundant CSS5-SCM-2GE=

    Hi all,
    If a second SCM is installed in a CSS11506 Chassis,
    what is the amount of memory on board.
    I know the primary SCM has 288MB on Board. But some
    information say that only 144MB are on the redundant
    SCM Module.
    Help needed urgent.
    Regards
    Richard

    you can buy a SCM with 288Mb and 144MB.
    There is no specific SCM for the redundant slot.
    So what you get is what you buy.
    Gilles.

  • Problem with redundancy in CSS 11051

    I have a problem with redundancy in CSS 11051. I use firewall load balancing and server load balancing. Load balancers which only load balance over 3 firewalls switch from primary to master with no problems.
    The problem is with load balancers which load balance over firewalls and over servers too. When the master is shut down, backup keeps master function, all services on backup LB are alive, but it is not possible to display the web page on address 10.10.7.16, even if I try from the network 10.10.7.0/24, so before the firewalls. My config is below. Any help appreciated.
    ===primary LB=====
    !Generated on 10/30/2002 10:42:53
    !Active version: ap0500002
    configure
    !*************************** GLOBAL ***************************
    ip redundancy master
    no console authentication
    restrict ftp
    app
    app session 10.10.60.13
    ip firewall 1 10.10.7.1 10.10.8.1 10.10.8.10
    ip firewall 2 10.10.7.2 10.10.8.2 10.10.8.10
    ip firewall 3 10.10.7.3 10.10.8.3 10.10.8.10
    ip route 0.0.0.0 0.0.0.0 firewall 1 1
    ip route 0.0.0.0 0.0.0.0 firewall 2 1
    ip route 0.0.0.0 0.0.0.0 firewall 3 1
    ip route 10.10.1.0 255.255.255.0 10.10.3.1 1
    ip route 10.10.2.0 255.255.255.0 10.10.3.1 1
    ip route 10.10.12.0 255.255.255.0 10.10.3.1 1
    ip route 10.10.14.0 255.255.255.0 10.10.3.1 1
    ip route 10.10.22.0 255.255.255.0 10.10.3.1 1
    !************************* INTERFACE *************************
    interface e1
    phy 100Mbits-FD
    bridge vlan 62
    interface e2
    phy 100Mbits-FD
    bridge vlan 7
    interface e3
    bridge vlan 3
    interface e4
    phy 100Mbits-FD
    bridge vlan 7
    interface e5
    phy 100Mbits-FD
    interface e6
    phy 100Mbits-FD
    bridge vlan 6
    interface e7
    phy 100Mbits-FD
    interface e8
    phy 100Mbits-FD
    bridge vlan 6
    !************************** CIRCUIT **************************
    circuit VLAN62
    ip address 10.10.60.14 255.255.255.252
    redundancy-protocol
    circuit VLAN7
    redundancy
    ip address 10.10.7.10 255.255.255.0
    circuit VLAN3
    redundancy
    ip address 10.10.3.10 255.255.255.0
    no redirects
    circuit VLAN6
    redundancy
    ip address 10.10.6.10 255.255.255.0
    !************************** SERVICE **************************
    service cc1
    ip address 10.10.3.129
    keepalive type tcp
    keepalive port 443
    service cc2
    ip address 10.10.3.130
    keepalive type tcp
    keepalive port 443
    active
    service ssl1
    ip address 10.10.6.131
    keepalive port 443
    keepalive type tcp
    active
    service ssl3
    ip address 10.10.6.133
    keepalive port 443
    keepalive type tcp
    active
    service ssl4
    ip address 10.10.6.141
    keepalive type tcp
    keepalive port 443
    active
    service ssl6
    ip address 10.10.6.143
    keepalive port 443
    keepalive type tcp
    active
    service www1
    ip address 10.10.6.101
    keepalive type tcp
    keepalive port 443
    weight 2
    active
    service www3
    ip address 10.10.6.103
    keepalive type tcp
    keepalive port 443
    active
    service www4
    ip address 10.10.6.121
    keepalive port 443
    keepalive type tcp
    active
    service www6
    ip address 10.10.6.123
    keepalive type tcp
    keepalive port 443
    active
    !*************************** OWNER ***************************
    owner L5_Owner
    content L5_Rule
    vip address 10.10.7.6
    application ssl
    protocol tcp
    port 443
    url "/*"
    add service www1
    add service www3
    add service www4
    advanced-balance sticky-srcip
    add service www6
    balance weightedrr
    active
    content L5_Rule_CC
    vip address 10.10.3.120
    advanced-balance sticky-srcip
    add service cc1
    add service cc2
    active
    content L5_Rule_SSL
    vip address 10.10.7.16
    application ssl
    protocol tcp
    port 443
    url "/*"
    add service ssl1
    add service ssl3
    add service ssl4
    advanced-balance sticky-srcip
    add service ssl6
    active
    !*************************** GROUP ***************************
    group CC
    vip address 10.10.3.120
    add destination service cc1
    add destination service cc2
    active
    ======
    ===backup LB=====
    !Generated on 10/29/2002 20:47:30
    !Active version: ap0503015
    configure
    !*************************** GLOBAL ***************************
    ip redundancy
    console authentication primary none
    restrict ftp
    app
    app session 10.10.60.14
    ip firewall 1 10.10.7.1 10.10.8.1 10.10.8.10
    ip firewall 2 10.10.7.2 10.10.8.2 10.10.8.10
    ip firewall 3 10.10.7.3 10.10.8.3 10.10.8.10
    ip route 0.0.0.0 0.0.0.0 firewall 1 1
    ip route 0.0.0.0 0.0.0.0 firewall 2 1
    ip route 0.0.0.0 0.0.0.0 firewall 3 1
    ip route 10.10.1.0 255.255.255.0 10.10.3.1 1
    ip route 10.10.2.0 255.255.255.0 10.10.3.1 1
    ip route 10.10.12.0 255.255.255.0 10.10.3.1 1
    ip route 10.10.14.0 255.255.255.0 10.10.3.1 1
    !************************* INTERFACE *************************
    interface e1
    phy 100Mbits-FD
    bridge vlan 62
    interface e2
    phy 100Mbits-FD
    bridge vlan 7
    interface e3
    phy 100Mbits-FD
    bridge vlan 3
    interface e4
    phy 100Mbits-FD
    bridge vlan 7
    interface e5
    phy 100Mbits-FD
    interface e6
    phy 100Mbits-FD
    bridge vlan 6
    interface e7
    phy 100Mbits-FD
    interface e8
    phy 100Mbits-FD
    bridge vlan 6
    !************************** CIRCUIT **************************
    circuit VLAN62
    ip address 10.10.60.13 255.255.255.252
    redundancy-protocol
    circuit VLAN7
    redundancy
    ip address 10.10.7.10 255.255.255.0
    circuit VLAN3
    redundancy
    ip address 10.10.3.10 255.255.255.0
    no redirects
    circuit VLAN6
    redundancy
    ip address 10.10.6.10 255.255.255.0
    !************************** SERVICE **************************
    service cc1
    ip address 10.10.3.129
    active
    service cc2
    ip address 10.10.3.130
    active
    service ssl1
    ip address 10.10.6.131
    keepalive port 443
    keepalive type tcp
    active
    service ssl3
    ip address 10.10.6.133
    keepalive port 443
    keepalive type tcp
    active
    service ssl4
    ip address 10.10.6.141
    keepalive type tcp
    keepalive port 443
    active
    service ssl6
    ip address 10.10.6.143
    keepalive port 443
    keepalive type tcp
    active
    service www1
    ip address 10.10.6.101
    keepalive type tcp
    keepalive port 443
    weight 2
    active
    service www3
    ip address 10.10.6.103
    keepalive type tcp
    keepalive port 443
    active
    service www4
    ip address 10.10.6.121
    keepalive port 443
    keepalive type tcp
    active
    service www6
    ip address 10.10.6.123
    keepalive type tcp
    keepalive port 443
    active
    !*************************** OWNER ***************************
    owner L5_Owner
    content L5_Rule
    vip address 10.10.7.6
    protocol tcp
    port 443
    url "/*"
    add service www1
    add service www3
    add service www4
    advanced-balance sticky-srcip
    add service www6
    balance weightedrr
    active
    content L5_Rule_CC
    vip address 10.10.3.120
    advanced-balance sticky-srcip
    add service cc1
    add service cc2
    active
    content L5_Rule_SSL
    vip address 10.10.7.16
    protocol tcp
    port 443
    url "/*"
    add service ssl1
    add service ssl3
    add service ssl4
    advanced-balance sticky-srcip
    add service ssl6
    active
    !*************************** GROUP ***************************
    group CC
    vip address 10.10.3.120
    add destination service cc1
    add destination service cc2
    active
    =======

    Please visit the following page, where you can find many configuration examples on configuring CSS for load balancing.
    http://www.cisco.com/en/US/products/hw/contnetw/ps789/prod_configuration_examples_list.html
    Hope it helps.
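
Added example, not part of the original posts: a stanza-by-stanza drift check between the primary and backup listings, a useful first step when a redundant pair behaves differently after failover. The two strings are abridged excerpts of the configs posted above; the stanza keyword list and the function names are assumptions made for this sketch, and it does not say which difference, if any, causes the reported failure.

```python
# Added example: stanza-by-stanza drift check between two CSS configs.
# Keywords assumed to open a stanza in the flattened listings above.
STANZA_KEYWORDS = ("service", "content", "circuit", "interface", "owner", "group")

# Abridged excerpts of the primary and backup configs in the post.
PRIMARY = """\
service cc1
ip address 10.10.3.129
keepalive type tcp
keepalive port 443
content L5_Rule_SSL
vip address 10.10.7.16
application ssl
add service ssl1
active
"""
BACKUP = """\
service cc1
ip address 10.10.3.129
active
content L5_Rule_SSL
vip address 10.10.7.16
add service ssl1
active
"""

def parse(config):
    """Group flat config lines into {stanza header: set of body lines}."""
    stanzas, current = {}, "global"
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # skip blank lines and "!" banner comments
        if line.split()[0] in STANZA_KEYWORDS:
            current = line  # a new stanza starts here
            stanzas.setdefault(current, set())
        else:
            stanzas.setdefault(current, set()).add(line)
    return stanzas

def drift(primary, backup):
    """Return {stanza: (only_in_primary, only_in_backup)} where they differ."""
    a, b = parse(primary), parse(backup)
    report = {}
    for name in sorted(a.keys() | b.keys()):
        left, right = a.get(name, set()), b.get(name, set())
        if left != right:
            report[name] = (sorted(left - right), sorted(right - left))
    return report
```

Run against the full listings, lines outside any stanza (such as the `ip route` entries) are grouped under the `global` key, so differences there are reported as well.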

  • Problem with ACL in CSS-to-CSS redundancy configuration

    I have two CSSes - first is master, second is backup. When I enable ACL on master CSS, it can no longer see the backup CSS. My first rule is to allow all traffic between both CSSes. I have CSS 11050 with 4.10 Build 10.
    Here is a part of my config:
    --- begin ---------------------------------------------------
    !************************* INTERFACE *************************
    interface e8
    bridge vlan 254
    description "css1 <-> css2 (net 192.168.254.0/30)"
    !************************** CIRCUIT **************************
    circuit VLAN254
    ip address 192.168.254.1 255.255.255.252
    redundancy-protocol
    !**************************** NQL ****************************
    nql n_csw_to_csw
    ip address 192.168.254.1 255.255.255.255
    ip address 192.168.254.2 255.255.255.255
    !**************************** ACL ****************************
    acl 1
    clause 1 bypass any nql n_csw_to_csw destination nql n_csw_to_csw
    apply circuit-(VLAN254)
    --- end ---------------------------------------------------
    Where is the problem? Is it a bug in my current version or an error in my configuration?
    Thanks
    Thomas Kukol

    at first step read http://www.cisco.com/warp/customer/117/css_packet_trace.html
    and trace your unworking configuration
    if you give flow option 0xffffff you should see why ACL didn't pass app traffic..
    second idea is to use normal acls w/o nql....
    with permit keyword...
    share experience here again 8-)

Maybe you are looking for