Cisco asr 1001 compatible fiber modules

Hello

We recently purchased a cisco asr 1001 router and I have a number of interface units. I want to fill these with fiber modules.

Can you tell me what fiber modules are compatible Please? SFP regular ok to use or is there a special series of asr of FPS to use?

Thank you very much

Paul

Paul,

You reason that GLC - T & GLC - SX - MM is not supported with the ASR1000 platform.

The following link confirms that:

http://www.Cisco.com/en/us/docs/interfaces_modules/transceiver_modules/compatibility/matrix/OL_6981.html#wp131775

More FPS are supported with ASR1000 platform:

SFP-GE-T

SFP-GE-S
SFP-GE-L
SFP-GE-Z
CWDM SFP
DWDM SFP

GLC-BX-D
GLC-BX-U

I handled a similar case yesterday where GLC - T wouldn t aith ASR1k & I confirmed that it would be not be funded in the future as well.

HTH,

Amit

Tags: Cisco Network

Similar Questions

  • DMVPN spoke of issues after migration double ISR2 3925 hub to ASR-1001 X

    Hello world

    After our hub solution migration DMVPN double ISR2 3925 to ASR - 1001 X (running asr1001x - universalk9.03.12.03.S.154 - 2.S3 - std.SPA.bin) we started to have some problems with tunnels rays beat (which goes up and down) and sometimes never came.

    Running 'show dmvpn' speak it is stuck in State PNDH to our hub. To solve the problem, we run 'stop' and then 'non-stop' on the tunnel interface to actually speak that DMVPN Monte. Also runs "clear encryption session " on the shelf often solves the problem. So, it seems that the question has something to do with IPSEC.

    When the problem occurred, and then debug crypto ipsec, crypto, crypto isakmp and crypto engine socket the following can be seen on the hub:

     Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):Sending NOTIFY DPD/R_U_THERE protocol 1 spi 140130067548488, message ID = 629121681 Jun 25 10:01:41 SUMMERT: ISAKMP:(46580): seq. no 0x64B2238C Jun 25 10:01:41 SUMMERT: ISAKMP:(46580): sending packet to  my_port 500 peer_port 500 (I) QM_IDLE Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):Sending an IKE IPv4 Packet. Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):purging node 629121681 Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE Jun 25 10:01:41 SUMMERT: ISAKMP (46580): received packet from  dport 500 sport 500 ISP1-DMVPN (I) QM_IDLE Jun 25 10:01:41 SUMMERT: ISAKMP: set new node 3442686097 to QM_IDLE Jun 25 10:01:41 SUMMERT: ISAKMP:(46580): processing HASH payload. message ID = 3442686097 Jun 25 10:01:41 SUMMERT: ISAKMP:(46580): processing NOTIFY DPD/R_U_THERE_ACK protocol 1 spi 0, message ID = 3442686097, sa = 0x7F72986867D0 Jun 25 10:01:41 SUMMERT: ISAKMP:(46580): DPD/R_U_THERE_ACK received from peer , sequence 0x64B2238C Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):deleting node 3442686097 error FALSE reason "Informational (in) state 1" Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY Jun 25 10:01:41 SUMMERT: ISAKMP:(46580):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE Jun 25 10:01:42 SUMMERT: IPSEC: delete incomplete sa: 0x7F729923A438 Jun 25 10:01:42 SUMMERT: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS Jun 25 10:01:42 SUMMERT: ISAKMP:(46580):purging node 1111296046 Jun 25 10:01:44 SUMMERT: ISAKMP (46580): received packet from  dport 500 sport 500 ISP1-DMVPN (I) QM_IDLE Jun 25 10:01:44 SUMMERT: ISAKMP: set new node 928225319 to QM_IDLE Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): processing HASH payload. message ID = 928225319 Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): processing SA payload. message ID = 928225319 Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Checking IPSec proposal 1 Jun 25 10:01:44 SUMMERT: ISAKMP: transform 1, ESP_AES Jun 25 10:01:44 SUMMERT: ISAKMP: attributes in transform: Jun 25 10:01:44 SUMMERT: ISAKMP: encaps is 2 (Transport) Jun 25 10:01:44 SUMMERT: ISAKMP: SA life type in seconds Jun 25 10:01:44 SUMMERT: ISAKMP: SA life duration (basic) of 3600 Jun 25 10:01:44 SUMMERT: ISAKMP: SA life type in kilobytes Jun 25 10:01:44 SUMMERT: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0 Jun 25 10:01:44 SUMMERT: ISAKMP: authenticator is HMAC-SHA Jun 25 10:01:44 SUMMERT: ISAKMP: key length is 256 Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):atts are acceptable. Jun 25 10:01:44 SUMMERT: CRYPTO_SS(TUNNEL SEC): Active open, socket info: local  /255.255.255.255/0, remote  /255.255.255.255/0, prot 47, ifc Tu3300 Jun 25 10:01:44 SUMMERT: IPSEC(recalculate_mtu): reset sadb_root 7F7292E64990 mtu to 1500 Jun 25 10:01:44 SUMMERT: CRYPTO_SS(TUNNEL SEC): Sending Socket Ready message Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): processing NONCE payload. message ID = 928225319 Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): processing ID payload. message ID = 928225319 Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): processing ID payload. message ID = 928225319 Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):QM Responder gets spi Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Node 928225319, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Node 928225319, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_IPSEC_INSTALL_AWAIT Jun 25 10:01:44 SUMMERT: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer  Jun 25 10:01:44 SUMMERT: IPSEC(crypto_ipsec_update_ident_tunnel_decap_oce): updating profile-shared Tunnel3300 ident 7F7298B2BF80 with lookup_oce 7F7296BF5440 Jun 25 10:01:44 SUMMERT: IPSEC(create_sa): sa created, (sa) sa_dest= , sa_proto= 50, sa_spi= 0x14F40C56(351538262), sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 27873 sa_lifetime(k/sec)= (4608000/3600), (identity) local= :0, remote= :0, local_proxy= /255.255.255.255/47/0, remote_proxy= /255.255.255.255/47/0 Jun 25 10:01:44 SUMMERT: IPSEC(create_sa): sa created, (sa) sa_dest= , sa_proto= 50, sa_spi= 0x3B4731D7(994521559), sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 27874 sa_lifetime(k/sec)= (4608000/3600), (identity) local= :0, remote= :0, local_proxy= /255.255.255.255/47/0, remote_proxy= /255.255.255.255/47/0 Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Received IPSec Install callback... proceeding with the negotiation Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Successfully installed IPSEC SA (SPI:0x14F40C56) on Tunnel3300 Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): sending packet to  my_port 500 peer_port 500 (I) QM_IDLE Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Sending an IKE IPv4 Packet. Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Node 928225319, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_R_QM2 Jun 25 10:01:44 SUMMERT: ISAKMP (46580): received packet from  dport 500 sport 500 ISP1-DMVPN (I) QM_IDLE Jun 25 10:01:44 SUMMERT: ISAKMP: set new node 1979798297 to QM_IDLE Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): processing HASH payload. message ID = 1979798297 Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 351538262, message ID = 1979798297, sa = 0x7F72986867D0 Jun 25 10:01:44 SUMMERT: ISAKMP:(46580): deleting spi 351538262 message ID = 928225319 Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):deleting node 928225319 error TRUE reason "Delete Larval" Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):peer does not do paranoid keepalives. Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Enqueued KEY_MGR_DELETE_SAS for IPSEC SA (SPI:0x3B4731D7) Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):deleting node 1979798297 error FALSE reason "Informational (in) state 1" Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY Jun 25 10:01:44 SUMMERT: ISAKMP:(46580):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE Jun 25 10:01:44 SUMMERT: IPSEC: delete incomplete sa: 0x7F729923A340 Jun 25 10:01:44 SUMMERT: IPSEC(key_engine_delete_sas): delete SA with spi 0x3B4731D7 proto 50 for  Jun 25 10:01:44 SUMMERT: IPSEC(update_current_outbound_sa): updated peer  current outbound sa to SPI 0 Jun 25 10:01:44 SUMMERT: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS Jun 25 10:01:44 SUMMERT: CRYPTO_SS(TUNNEL SEC): Sending request for CRYPTO SS CLOSE SOCKET

     #sh pl ha qf ac fe ipsec data drop ------------------------------------------------------------------------ Drop Type Name Packets ------------------------------------------------------------------------ 3 IN_US_V4_PKT_FOUND_IPSEC_NOT_ENABLED 127672 19 IN_OCT_ANTI_REPLAY_FAIL 13346 20 IN_UNEXP_OCT_EXCEPTION 4224 33 OUT_V4_PKT_HIT_IKE_START_SP 1930 62 IN_OCT_MAC_EXCEPTION 9 #sh plat hard qfp act stat drop | e _0_ ------------------------------------------------------------------------- Global Drop Stats Packets Octets ------------------------------------------------------------------------- Disabled 1 82 IpFragErr 170536 246635169 IpTtlExceeded 4072 343853 IpsecIkeIndicate 1930 269694 IpsecInput 145256 30071488 Ipv4Acl 2251965 215240194 Ipv4Martian 6248 692010 Ipv4NoAdj 43188 7627131 Ipv4NoRoute 278 27913 Ipv4Unclassified 6 378 MplsNoRoute 790 69130 MplsUnclassified 1 60 ReassTimeout 63 10156 ServiceWireHdrErr 2684 585112

    In addition, after you run "logging dmvpn rate-limit 20' on the hub

     %DMVPN-3-DMVPN_NHRP_ERROR: Tunnel292: NHRP Encap Error for Resolution Request , Reason: protocol generic error (7) on (Tunnel:  NBMA: )

    On the talks both the following can be seen debugging as well:

     *Jun 25 09:17:26.884: ISAKMP:(1032): sitting IDLE. Starting QM immediately (QM_IDLE ) *Jun 25 09:17:26.884: ISAKMP:(1032):beginning Quick Mode exchange, M-ID of 1599359281 *Jun 25 09:17:26.884: ISAKMP:(1032):QM Initiator gets spi *Jun 25 09:17:26.884: ISAKMP:(1032): sending packet to  my_port 500 peer_port 500 (R) QM_IDLE *Jun 25 09:17:26.884: ISAKMP:(1032):Sending an IKE IPv4 Packet. *Jun 25 09:17:26.884: ISAKMP:(1032):Node 1599359281, Input = IKE_MESG_INTERNAL, IKE_INIT_QM *Jun 25 09:17:26.884: ISAKMP:(1032):Old State = IKE_QM_READY New State = IKE_QM_I_QM1 *Jun 25 09:17:26.940: ISAKMP (1032): received packet from  dport 500 sport 500 Global (R) QM_IDLE *Jun 25 09:17:26.940: ISAKMP:(1032): processing HASH payload. message ID = 1599359281 *Jun 25 09:17:26.940: ISAKMP:(1032): processing SA payload. message ID = 1599359281 *Jun 25 09:17:26.940: ISAKMP:(1032):Checking IPSec proposal 1 *Jun 25 09:17:26.940: ISAKMP: transform 1, ESP_AES *Jun 25 09:17:26.940: ISAKMP: attributes in transform: *Jun 25 09:17:26.940: ISAKMP: encaps is 2 (Transport) *Jun 25 09:17:26.940: ISAKMP: SA life type in seconds *Jun 25 09:17:26.940: ISAKMP: SA life duration (basic) of 3600 *Jun 25 09:17:26.940: ISAKMP: SA life type in kilobytes *Jun 25 09:17:26.940: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0 *Jun 25 09:17:26.940: ISAKMP: authenticator is HMAC-SHA *Jun 25 09:17:26.940: ISAKMP: key length is 256 *Jun 25 09:17:26.940: ISAKMP:(1032):atts are acceptable. *Jun 25 09:17:26.940: IPSEC(ipsec_process_proposal): proxy identities not supported *Jun 25 09:17:26.940: ISAKMP:(1032): IPSec policy invalidated proposal with error 32 *Jun 25 09:17:26.940: ISAKMP:(1032): phase 2 SA policy not acceptable! (local  remote ) *Jun 25 09:17:26.940: ISAKMP: set new node -1745931191 to QM_IDLE *Jun 25 09:17:26.940: ISAKMP:(1032):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 834718720, message ID = 2549036105 *Jun 25 09:17:26.940: ISAKMP:(1032): sending packet to  my_port 500 peer_port 500 (R) QM_IDLE *Jun 25 09:17:26.940: ISAKMP:(1032):Sending an IKE IPv4 Packet. *Jun 25 09:17:26.940: ISAKMP:(1032):purging node -1745931191 *Jun 25 09:17:26.940: ISAKMP:(1032):deleting node 1599359281 error TRUE reason "QM rejected" *Jun 25 09:17:26.940: ISAKMP:(1032):Node 1599359281, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH *Jun 25 09:17:26.940: ISAKMP:(1032):Old State = IKE_QM_I_QM1 New State = IKE_QM_I_QM1 *Jun 25 09:17:34.068: ISAKMP (1032): received packet from  dport 500 sport 500 Global (R) QM_IDLE *Jun 25 09:17:34.068: ISAKMP: set new node 1021264821 to QM_IDLE *Jun 25 09:17:34.072: ISAKMP:(1032): processing HASH payload. message ID = 1021264821 *Jun 25 09:17:34.072: ISAKMP:(1032): processing NOTIFY DPD/R_U_THERE protocol 1 spi 0, message ID = 1021264821, sa = 0x32741028 *Jun 25 09:17:34.072: ISAKMP:(1032):deleting node 1021264821 error FALSE reason "Informational (in) state 1" *Jun 25 09:17:34.072: ISAKMP:(1032):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY *Jun 25 09:17:34.072: ISAKMP:(1032):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE *Jun 25 09:17:34.072: ISAKMP:(1032):DPD/R_U_THERE received from peer , sequence 0x64B2279D *Jun 25 09:17:34.072: ISAKMP: set new node 716440334 to QM_IDLE *Jun 25 09:17:34.072: ISAKMP:(1032):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1 spi 834719464, message ID = 716440334 *Jun 25 09:17:34.072: ISAKMP:(1032): seq. no 0x64B2279D *Jun 25 09:17:34.072: ISAKMP:(1032): sending packet to  my_port 500 peer_port 500 (R) QM_IDLE *Jun 25 09:17:34.072: ISAKMP:(1032):Sending an IKE IPv4 Packet. *Jun 25 09:17:34.072: ISAKMP:(1032):purging node 716440334 *Jun 25 09:17:34.072: ISAKMP:(1032):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE *Jun 25 09:17:34.072: ISAKMP:(1032):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE *Jun 25 09:17:35.356: ISAKMP:(1032):purging node 206299144

    Obviously something seems to be wrong Phase 2 not to come. But why is it going up after having erased the session encryption or close the tunnel interface and activate the interface of tunnel has spoken?

    Very weird. Also, in looking at att the hub debugging messages it seems that Cryptography is associated with evil Tu3300 tunnel interface when it is Tu2010. Normal or Bug?

    The configuration of the hub looks like this:

     crypto keyring ISP1-DMVPN vrf ISP1-DMVPN pre-shared-key address 0.0.0.0 0.0.0.0 key  crypto isakmp policy 10 encr aes authentication pre-share crypto isakmp keepalive 10 3 periodic crypto isakmp nat keepalive 10 crypto isakmp profile ISP1-DMVPN keyring ISP1-DMVPN match identity address 0.0.0.0 ISP1-DMVPN keepalive 10 retry 3 crypto ipsec transform-set AES256-MD5 esp-aes 256 esp-md5-hmac mode tunnel crypto ipsec transform-set AES256-SHA-TRANSPORT esp-aes 256 esp-sha-hmac mode transport crypto ipsec profile ISP1-DMVPN set transform-set AES256-SHA AES256-SHA-TRANSPORT set isakmp-profile ISP1-DMVPN vrf definition ISP1-DMVPN description DMVPN-Outside-ISP1 rd 65527:10 ! address-family ipv4 exit-address-family ! ! interface TenGigabitEthernet0/0/0 no ip address ! interface TenGigabitEthernet0/0/0.71 description VPN;ISP1-DMVPN;Outside;VLAN71 encapsulation dot1Q 71 vrf forwarding ISP1-DMVPN ip address  255.255.255.128 no ip proxy-arp ip access-group acl_ISP1-DMVPN_IN in ! ip route vrf ISP1-DMVPN 0.0.0.0 0.0.0.0  name ISP1;Default ip access-list extended acl_ISP1-DMVPN_IN permit icmp any any permit esp any host  permit gre any host  permit udp any host  eq isakmp permit udp any host  eq non500-isakmp deny ip any any vrf definition 2010  description CUSTA - Customer A  rd 65527:2010 route-target export 65527:2010 route-target import 65527:2010 ! address-family ipv4 exit-address-family ! ! interface Tunnel2010 description CUSTA;DMVPN;Failover-secondary vrf forwarding 2010 ip address 10.97.0.34 255.255.255.240 no ip redirects ip mtu 1380 ip nhrp map multicast dynamic ip nhrp network-id 2010 ip nhrp holdtime 120 ip nhrp server-only ip nhrp max-send 1000 every 10 ip tcp adjust-mss 1340 tunnel source TenGigabitEthernet0/0/0.71 tunnel mode gre multipoint tunnel key 2010 tunnel vrf ISP1-DMVPN tunnel protection ipsec profile ISP1-DMVPN shared router bgp 65527 ! address-family ipv4 vrf 2010 redistribute connected metric 10 redistribute static metric 15 neighbor 10.97.0.39 remote-as 65028 neighbor 10.97.0.39 description spokerouter;Tunnel1 neighbor 10.97.0.39 update-source Tunnel2010 neighbor 10.97.0.39 activate neighbor 10.97.0.39 soft-reconfiguration inbound neighbor 10.97.0.39 prefix-list EXPORT-IVPN-VRF2010 out neighbor 10.97.0.39 route-map AllVRF-LocalPref-80 in neighbor 10.97.0.39 maximum-prefix 5000 80 default-information originate exit-address-family

    Configuring spoke:

     crypto keyring DMVPN01 pre-shared-key address 0.0.0.0 0.0.0.0 key  crypto isakmp policy 10 encr aes authentication pre-share crypto isakmp invalid-spi-recovery crypto isakmp profile DMVPN01 keyring DMVPN01 match identity address 0.0.0.0 keepalive 10 retry 3 crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac mode tunnel crypto ipsec transform-set AES256-SHA-TRANSPORT esp-aes 256 esp-sha-hmac mode transport crypto ipsec profile DMVPN01 set transform-set AES256-SHA-TRANSPORT set isakmp-profile DMVPN01 vrf definition inside rd 65028:1 route-target export 65028:1 route-target import 65028:1 ! address-family ipv4 exit-address-family ! interface Tunnel1 description DMVPN to HUB vrf forwarding inside ip address 10.97.0.39 255.255.255.240 no ip redirects ip mtu 1380 ip nhrp map 10.97.0.33  ip nhrp map multicast  ip nhrp map 10.97.0.34  ip nhrp map multicast  ip nhrp network-id 1 ip nhrp holdtime 120 ip nhrp nhs 10.97.0.33 ip nhrp nhs 10.97.0.34 ip nhrp registration no-unique ip nhrp registration timeout 60 ip tcp adjust-mss 1340 tunnel source GigabitEthernet0/0 tunnel mode gre multipoint tunnel key 2010 tunnel protection ipsec profile DMVPN01 shared router bgp 65028 ! address-family ipv4 vrf inside bgp router-id 172.28.5.137 network 10.97.20.128 mask 255.255.255.128 network 10.97.21.0 mask 255.255.255.0 network 10.97.22.0 mask 255.255.255.0 network 10.97.23.0 mask 255.255.255.0 network 172.28.5.137 mask 255.255.255.255 neighbor 10.97.0.33 remote-as 65527 neighbor 10.97.0.33 description HUB1;Tunnel2010 neighbor 10.97.0.33 update-source Tunnel1 neighbor 10.97.0.33 timers 10 30 neighbor 10.97.0.33 activate neighbor 10.97.0.33 send-community both neighbor 10.97.0.33 soft-reconfiguration inbound neighbor 10.97.0.33 prefix-list IROUTE-EXPORT out neighbor 10.97.0.33 maximum-prefix 5000 80 neighbor 10.97.0.34 remote-as 65527 neighbor 10.97.0.34 description HUB2;tunnel2010 neighbor 10.97.0.34 update-source Tunnel1 neighbor 10.97.0.34 timers 10 30 neighbor 10.97.0.34 activate neighbor 10.97.0.34 send-community both neighbor 10.97.0.34 soft-reconfiguration inbound neighbor 10.97.0.34 prefix-list IROUTE-EXPORT out neighbor 10.97.0.34 route-map AllVRF-LocalPref-80 in neighbor 10.97.0.34 maximum-prefix 5000 80 exit-address-family

    If more information is needed, please say so.

    Any help or advice would be greatly appreciated!

    Thank you!

    It is possible that you touch it--the failure of negotiations of phase 2:

    https://Tools.Cisco.com/bugsearch/bug/CSCup72039/?reffering_site=dumpcr

    [Too little detail to say with certainty:]

    M.

  • Are Cisco 1130ag APs compatible with Cisco Wireless LAN Controller virtual?

    Are Cisco 1130ag APs compatible with Cisco Wireless LAN Controller virtual?

    It's... AP compatibility depends on the code that runs on the WLC. This is a matrix that is a good reference.

    http://www.Cisco.com/en/us/docs/wireless/controller/5500/tech_notes/wire...

    Sent by Cisco Support technique iPhone App

  • Installation of the fiber Modules

    We have 2 switches Catalyst 3560 - X and bought 2 devices C3KX-NM - 10G with 4 modules SFP - 10 G-SR-S and they ran OM3 fiber that has been tested. Why fiber connections do not come to the top? What Miss me?

    We have:

    Ran non-stop

    Put the modules in slots 2 and 4

    Make sure that the hardware is compatible

    Help, please...

    Thread one end of the cord autour.

  • Combatiability fiber Module

    Hello

    I need to know who is Cisco C3850-NM-8-10 G switch Module is Compatible with the Cisco ONS-TR-100-LX10 (Sonet Mux).

    Thank you

    I don't think that there is compatible options.  The closest would be GLC - FE - 100LX, but it is not listed as being compatible with a 3850.  I don't quite see 3850 SFP listed as 100LX in support.  So I think you're out of luck.

    http://www.Cisco.com/c/en/us/TD/docs/interfaces_modules/transceiver_modules/compatibility/matrix/100MB_Tx_Matrix.html

  • Satellite A50-110: the search for compatible memory modules

    Im looking for memory, I can use on my Satellite A50-100.
    Is it possible to expand my internal memory with a standard 1 GB-Dimm DDR Pc2700?

    Hello

    I think you mean the common memory modules and memory no internal.
    The A50-100 doesn't support internal memory.
    This laptop supports locations memory simple towing and both are expandable.

    So now for the decision-making modules support:
    You can use the PC2700 DDR - RAM and these are compatible:
    PC2700 256 MB (PA3311U - 1 M 25)
    PC2700 512 MB (PA3312U - 1 M 51)
    1024MO PC2700 (PA3313U-1M1G)

    Hope I could explain everything

  • Cisco Nexus 1000V Virtual Switch Module investment series in the Cisco Unified Computing System

    Hi all
    I read an article by Cisco entitled "Best practices in Deploying Cisco Nexus 1000V Switches Cisco UCS B and C Series series Cisco UCS Manager servers" http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9902/white_paper_c11-558242.html

    A lot of excellent information, but the section that intrigues me, has to do with the implementation of module of the VSM in the UCS. The article lists 4 options in order of preference, but does not provide details or the reasons underlying the recommendations. The options are the following:

    ============================================================================================================================================================
    Option 1: VSM external to the Cisco Unified Computing System on the Cisco Nexus 1010

    In this scenario, the virtual environment management operations is accomplished in a method identical to existing environments not virtualized. With multiple instances on the Nexus 1010 VSM, multiple vCenter data centers can be supported.
    ============================================================================================================================================================

    Option 2: VSM outside the Cisco Unified Computing System on the Cisco Nexus 1000V series MEC

    This model allows to centralize the management of virtual infrastructure, and proved to be very stable...
    ============================================================================================================================================================

    Option 3: VSM Outside the Cisco Unified Computing System on the VMware vSwitch

    This model allows to isolate managed devices, and it migrates to the model of the device of the unit of Services virtual Cisco Nexus 1010. A possible concern here is the management and the operational model of the network between the MSM and VEM devices links.
    ============================================================================================================================================================

    Option 4: VSM Inside the Cisco Unified Computing System on the VMware vSwitch

    This model was also stable in test deployments. A possible concern here is the management and the operational model of the network links between the MSM and VEM devices and switching infrastructure have doubles in your Cisco Unified Computing System.
    ============================================================================================================================================================

    As a beginner for both 100V Nexus and UCS, I hope someone can help me understand the configuration of these options and equally important to provide a more detailed explanation of each of the options and the resoning behind preferences (pro advantages and disadvantages).

    Thank you
    Pradeep

    No, they are different products. vASA will be a virtual version of our ASA device.

    ASA is a complete recommended firewall.

  • Cisco ASR 1 k bug Bash

    https://Tools.Cisco.com/bugsearch/bug/CSCur02734

    http://Tools.Cisco.com/Security/Center/content/CiscoSecurityAdvisory/Cisco-SA-20140926-bash

    The ASR 1 k running 15.4 (1) based on this bug No. S shows that it is vulnerable to bash bug. Is there more information on this and is there a solution?

    Depending on the version of the software is affected by this bug?

    Software Cisco IOS, IOS - XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.3 (1) S1, VERSION of the SOFTWARE (fc1)

  • Cisco 1921: aboard the hw module not used?

    Hello

    I have a 1921 Cisco who has an IPSec connection to the outside, but despite this, it seems that the "Accelerator" hw module is not used because the stats are all zeros (see below). Also, I can see that the module is enabled (using the crypto engine see the brief), but the router connection to the sw module (with the help of see the crypto engine connections flow)

    What could that be caused by?

    See you soon,.

    Sylvain

    gw#show crypto engine accelerator statistic Device:   Onboard VPN Location: Onboard: 0      :Statistics for encryption device since the last clear       of counters 4294967 seconds ago                    0 packets in                           0 packets out                              0 bytes in                             0 bytes out                                0 paks/sec in                          0 paks/sec out                             0 Kbits/sec in                         0 Kbits/sec out                            0 packets decrypted                    0 packets encrypted                        0 bytes before decrypt                 0 bytes encrypted                          0 bytes decrypted                      0 bytes after encrypt                      0 packets decompressed                 0 packets compressed                       0 bytes before decomp                  0 bytes before comp                        0 bytes after decomp                   0 bytes after comp                         0 packets bypass decompr               0 packets bypass compres                    0 bytes bypass decompres               0 bytes bypass compressi                    0 packets not decompress               0 packets not compressed                    0 bytes not decompressed               0 bytes not compressed                    1.0:1 compression ratio                1.0:1 overall           Last 5 minutes:                    0 packets in                           0 packets out                              0 paks/sec in                          0 paks/sec out                             0 bits/sec in                          0 bits/sec out                             0 bytes decrypted                      0 bytes encrypted                          0 Kbits/sec decrypted                  0 Kbits/sec encrypted                     1.0:1 compression ratio                1.0:1 overall gw#show crypto engine brief         crypto engine name:  Virtual Private Network (VPN) Module         crypto engine type:  hardware                      State:  Enabled                   Location:  onboard 0               Product Name:  Onboard-VPN                 HW Version:  1.0                Compression:  Yes                        DES:  Yes                      3 DES:  Yes                    AES CBC:  Yes (128,192,256)                   AES CNTR:  No      Maximum buffer length:  0000           Maximum DH index:  0000           Maximum SA index:  0000         Maximum Flow index:  2000       Maximum RSA key size:  0000         crypto engine name:  Cisco VPN Software Implementation         crypto engine type:  software              serial number:  02FBA4F2        crypto engine state:  installed      crypto engine in slot:  N/A gw#show crypto engine connections flow Crypto engine: Software Crypto Engine       flow_id   ah_conn_id  esp_conn_id     comp_spi           245                 245       0x2F12           246                 246       0x4E13 Crypto engine: Onboard VPN       flow_id   ah_conn_id  esp_conn_id     comp_spi

    Hey, Sylvain.

    If you are looking for suite-B on hardware support, then you must upgrade to train 15.2 (4) M.

    See the release notes for more details

    http://www.Cisco.com/en/us/docs/iOS/15_2m_and_t/release/notes/15_2m_and_t.PDF

    "IPSec required with Suite B algorithms are now supported by the hardware encryption engine on the.

    Cisco Integrated Services routers generation 2:800 Series, series of 1900, 2901, 2911, 2921, 2935R,

    3925th and 3945TH, which each integrated hardware acceleration of encryption VPN.

    Suite B necessary includes four suites in the user interface of encryption algorithms to use with IKE

    and IPsec, which are described in RFC 6379 and RFC 6380. Each suite consists of a cipher

    algorithm, a digital signature algorithm, an algorithm agree key and a digest of hash or message

    algorithm.

    Suite B provides an improvement in the overall security of Cisco's VPN IPsec, and it allows additional

    Security for large scale deployments. Suite B is the recommended solution for organizations that need

    Advanced security encryption for the wide area network (WAN) between remote sites.

    To get detailed information on the features of Cisco IOS IPsec to 15.2 (4 M) that support the Suite B"

    This should answer your question.

  • SafeNet and Cisco VPN Client Compatible?

    I have been using the Cisco VPN for quite awhile with no problems. Recently, we have added a Watchguard Firebox somewhere else and have installed the Client of Watchguard MUVPN, otherwise known as a customer of Safenet.

    Since the installation, I could not yet properly use the Cisco Client. If I disable the two Services of Safenet, I invited to my user id and password and connect to the Cisco Concentrator and get an ip, etc. However, I can't ping anything on the network.

    My solution is to completely uninstall both clients and reinstall the Cisco by itself. This is not very practical.

    If anyone know a fix for this I'd appreciate comments.

    Thank you

    Patrick Dunnigan

    Hi Patrick,

    I only got lucky with the SafeNet customer brand Watchguard with the 4.0.x releases of the Cisco client. I think Cisco 4.6 clients use a newer driver from the DNE or else that plays well with SafeNet.

    In any case, here's how to set up PC that requires both clients:

    First, install the Cisco VPN client. Restart the application, and then stop and disable the Windows service.

    Install the client for Watchguard, reboot as requested.

    Then, stop and set to manual both SafeNet services, then start and set to automatic the Cisco service.

    Delete the shortcut in your Start menu Startup group safecfg.exe (or the key of HKLM\MS\Windows\CurrentVer\Run, where he gets set.)

    Delete the shortcut to start for the Cisco VPN client as well.

    Whenever you want to use the Cisco customer, you can just launch the Dialer to IPSec. If you want to run the SafeNet client, stop the Cisco service, start the services of SafeNet, then run safecfg.exe. A few batch files facilitate this process for users.

    Hope that helps,

    Chris

  • Licensing of 1001 ASR

    Hello, try as I might I can't find a document that says;

    'How to enable encryption on a 1001 ASR' or "enable advanced ip features" on the 1001 ASR.

    Can anyone help please. My Kit list.

    Cisco ASR1001 system, Crypto, 4 GE built-in, double P/S

    Cisco ASR1001 4 GB of DRAM

    Advanced Services Cisco ASR 1000 IP license

    ASR 1001-Cisco IOS XE - UNIVERSAL ENCRYPTION

    License of IPSEC for ASR1000 series

    Upgrade from 2.5 Gbps to 5Gbps license for ASR 1001

    What is the process to activate the characteristic 2.5gbps to 5gbps or encryption?

    Thank you

    Chris

    Chris,

    All licenses feature Cisco ASR 1000 are focused on the honor; in other words, they are not applied through a product Activation Key (PAK), except for the "technology package licenses" and the license upgrade (2.5 to 5 Gbps) performance on Cisco ASR 1001 models.

    (http://www.cisco.com/en/US/prod/collateral/routers/ps9343/product_bulletin_c07-448862.html)

    Q. what are the key new features with the Cisco ASR 1001 compared to other ASR 1000 Series routers chassis?

    A. The Cisco ASR 1001 series introduced the concept of the integrated daughter (IDC) card, which is an element scalable nonland on the chassis of the ASR 1001 to provide capabilities (e/s). At the time of the first ship (FCS) client, the Cisco ASR 1001 is available in 3 different versions: the ASR 1001 frame base (part number ASR1001), ASR1001-2XOC3POS with a daughter card chassis integrated with 2 ports ASR1001-4XT3 with a daughterboard integrated with 4-port T3 and OC3 POS. The second phase of the ASR 1001 launched a new 3 chassis: ASR1001-hard DRIVE with built in 160 GB hard drive; the ASR1001-4X1GE with an integrated daughter card providing 4ports 1GE. and the ASR1001-8XCHT1E1 with an integrated daughter card providing multiplexed 8-port T1/E1. In addition, the Cisco ASR 1001 is the first chassis of the Cisco ASR 1000 series, which implements the activation of the software which is the same concept of activation of software as seen on other Cisco offerings, for example on the router Cisco ISR G2 Series. 2 different types of licences will be applied to the FCS, via the activation of the software. First of all, the sets of features offered through the basis of intellectual (K9 and non - K9), Advanced IP Services (K9 and non - K9) and Advanced Enterprise Services (K9 and non - K9). Second, the upgrade of the default execution of 2.5 Gbit/s to 5 Gbps is possible via a license to upgrade performance enabled software (part number to use when ordering of three chassis ASR1001 for the upgrade of 5 Gbps performance is FSL-ASR1001 - 5 G). Other features such as firewalls, encryption is expected to be activated on the 1001 ASR in the future software.

    How to activate a license once you have a PAK (product authorization key):

    1. go to www.cisco.com/go/license

    2. tap the PAK you received on the form and submit it;

    3 activate the license on the ASR1000.

    FAQ on https://tools.cisco.com/SWIFT/Licensing/jsp/Cisco%20Licensing%20FAQ%20-%20June%202011.pdf

    For software activation orders, appointments on:

    http://www.Cisco.com/en/us/docs/iOS/CSA/configuration/guide/csa_commands.html

    HTH.

    Cheers, Gustavo

  • Investigation on compatibility of combine fiber HP Module.

    I have a Cisco switch s 2960 PoE installed.

    I was wondering if the fiber HP #AJ718A ( http://h30094.www3.hp.com/product/sku/3790470 ) module is compatible with it.

    If it is compatible, is there much difference between it and the cisco GLC-SX-MM?

    Thank you

    I was wondering if the HP Fiber module #AJ718A   ( http://h30094.www3.hp.com/product/sku/3790470 ) is compatible with it.

    No, it won't.  You insert the SFP in a Cisco 2960 S and the port goes into 'err - disable' until you remove them.

    is there much difference between it and the cisco GLC-SX-MM ?

    Not a lot of difference.  There are only a few FPS manufacturers that provide components for the major manufacturers like HP and Cisco.  The difference is that Cisco has inserted a brand Cisco SFP IDPROM algo.  The unit will interrogate the component and if the extracted from the IDPROM hash values do not match, then the port goes in "err - disable.

  • Record of equipment for the Cisco AnyConnect client NAM module

    Hi all

    Forgive me if this has been asked before or on the Cisco site somewhere (I could just find)

    Are there hardware specifications for the Cisco Anyconnect Network Access Manager module?

    Where can I find what wifi chipset is compatible with?

    Thanks in advance for your answer.

    Compatibility with the NAM module is based on the chipset not guest OS. The current operating system compatibility is listed here.

  • UNI-DIRECTIONAL on 1001 ASR feature

    Hello

    I have a router ASR 1001 last 3.9.2S current execution code.

    The Uni-directional feature was introduced in 3.9 S

    However...

    With the license of IPBase the Uni-directional command does not appear in configuration mode.

    But when I activate the trial license AdvancedIPServices and restart, the UNI-DIRECTIONAL command appears now in Setup mode.

    I don't see that it documented anywhere in the reference command/notes version IOS XE etc. you need to have the Advanced IP Services feature set allowed to use UNI-DIRECTIONAL on the ASR feature 1001. Anyone know if this is correct or is it an error or a bug?

    See you soon

    Hello

    Which can be seen in the browser functionality. If you select s 3.9 and Ip Base you want to see the unidirectional link detection section (you can filter by function name using like match stringUniDir). If you select Advanced featureset Services - you will find in the list.

    Niko

  • Cisco series ASR DMVPN Phase 3 Support

    Hello

    You have an idea if the routers Cisco ASR takes in charge phase 3 of DMVPN recently? Or when they will support?

    Although there is no support for the ASR on Cisco documantations, you can see the shortcut commands and redirect PNDH

    on the IOS of the ASR. I have it configured, but it doesn't seem to work.

    Thank you very much

    Best regards

    3 phase DMVPN is supported from version 2.5 front.

    If you are already running this version or later, please kindly open a TAC case to better study the question.

Maybe you are looking for