L4 Traffic Mon
Does the traffic monitor support Cisco ports in spanned mode? We're trying to get it set up here, but not getting a lot of traffic picked up.
Andrew,
Another thought came up. I wanted to make sure that you are aware that the L4TM will only log bad traffic. So you won't see all the traffic in the trafmon logs, like you would in the access logs.
If you are trying to verify that the L4TM is working, I recommend telnetting from your client to www DOT ieplugin DOT com.
Please do NOT go there with your browser - it is a malware propagation site.
If the span is working properly, the WSA should see this traffic and log it in the trafmon logs.
Similar Messages
-
Traffic in SXMS_XI_AUDIT_DISPLAY doesn't match traffic in RWB Perf Mon
I have got a traffic log in RWB:
Time Interval: last month
Aggregation Interval: one month
Other options initial.
So the traffic is Size*Number. But that value doesn't match result of SXMS_XI_AUDIT_DISPLAY report in XI ABAP...
What is the cause of this problem? Maybe I must patch some components?
I found the cause of the mismatch: the performance monitoring log is stored only for two weeks, so "month aggregation" really shows only half a month of traffic.
So there's a question: is it possible to change the logging period?
-
ASA 5505, how to configure DMZ to Inside traffic flows
Dear.
We have a Cisco ASA 5505 with an outside, inside and DMZ interface.
We really need all these interfaces.
The DMZ interface has been configured to block any traffic to the inside (restrict traffic flow). This restriction can't be disabled; an error occurred when trying to do so.
I want to allow only one single port access from the DMZ to the inside. Is that possible? And how?
Thanks for the feedback.
Regards.
Peter.
What I mean with "can't be disabled": when you navigate to Configuration/Interfaces and select the DMZ interface / Advanced, you can block traffic. By default Inside has been selected in the drop-down box. However, you can't leave it blank; you need to specify at least one. I can't create another, extra interface because the license allows 3 max.
So, my question is: can I create a rule somewhere to override this setting for only one specific port? And how?
Result of the command: "show version"
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)
Compiled on Fri 20-May-11 16:00 by builders
System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"
router up 100 days 1 hour
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Int: Internal-Data0/0 : address is a44c.11bb.5492, irq 11
1: Ext: Ethernet0/0 : address is a44c.11bb.548a, irq 255
2: Ext: Ethernet0/1 : address is a44c.11bb.548b, irq 255
3: Ext: Ethernet0/2 : address is a44c.11bb.548c, irq 255
4: Ext: Ethernet0/3 : address is a44c.11bb.548d, irq 255
5: Ext: Ethernet0/4 : address is a44c.11bb.548e, irq 255
6: Ext: Ethernet0/5 : address is a44c.11bb.548f, irq 255
7: Ext: Ethernet0/6 : address is a44c.11bb.5490, irq 255
8: Ext: Ethernet0/7 : address is a44c.11bb.5491, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 50
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has a Base license.
Serial Number: xxxxxxxxxxxxxx
Running Activation Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Configuration register is 0x1
Configuration last modified by enable_15 at 14:43:11.295 CEDT Mon Sep 9 2013 -
1 server, 2 networks how to route traffic to both
Hi, I have NW65SP7.
What I'm trying to do is
1. to have users come in thru the data network (192.168.0.0) and the traffic
go back out thru the default gateway (192.168.0.1) and
2. I want LDAP traffic to go in thru the other network (10.1.0.0) and
back out thru the same network's gateway (10.1.0.1).
1. works fine and all seems to go up and down the right network, however 2.
comes down 10.1.0.0 and back out thru the default gateway on 192.168.0.1. I
don't\can't have this as the firewall rejects the packet as the source and
destination networks are different, i.e. the fw sees the packet come in thru
10.1.0.0 but when the server sends it back out thru 192.168.0.0 the firewall
rightly drops it.
How do I get 2. to work as I want? Can this even be done on NW?
What I've done so far is
a. enabled Static Routing
b. created a default route (192.168.0.1) with a metric of 2
c. created a network route for 10.1.0.0 (10.1.0.1) with a metric of 1
"Thorsten Kampe" <[email protected]> wrote in message
news:[email protected]...
>* Steven Lim (Mon, 08 Dec 2008 01:57:27 GMT)>
>> OK, I'll try again, but I thought that I did explain it so I'm not sure how
>> my
>> second attempt will go ;)
>
> Is the NetWare server the router? Which addresses do the server's
> interfaces have? Which default gateway do the hosts in the network have?
> Any static routes?
No, the NetWare server is not the router.
The server has 1 interface but two VLANs trunked to the one interface; each
VLAN has a separate IP. I can ping each IP on each of the trunked VLANs
fine. I'm using Broadcom Q57 NICs and the QASP\BASP advanced driver to
support the trunked VLANs. Don't let that confuse the issue though; it's
basically the same as having two NIC interfaces connected to two separate
networks, in this case let's say 192.168.0.10 and 10.0.0.10.
Just so we're on the same page, we have a very large routed network with
over 250 subnetworks with 4 10G interconnected core routers, each with 10G
distribution routers; building\user\server networks hang off the
distribution routers. Client machines are distributed across the network
and are not on the same VLAN\subnet as the servers.
A server on 192.168.0.0 will have a default gateway of 192.168.0.1 and
servers on 10.0.0.0 will have a default gateway of 10.0.0.1; there are no
client machines on these subnets. Btw, we don't really have a 192.168.0.0
network; I'm just using this as an example.
The NW server has 1 static route configured as the default gateway on
192.168.0.1, and I've been trying to work out how to configure another
static route to make sure that all incoming and outgoing traffic for
10.0.0.0 stays on 10.0.0.0, or whatever else I need to do to get it working.
>> i have two networks 192.168.0.0 and 10.0.0.0
>>
>> 1. I want all traffic that originates from 192.168.0.0 to go back thru
>> the
>> 192.168.0.0 gateway on 192.168.0.1 (currently the default gateway
>> configured
>> in inetcfg static routing table).
>
> In case the NetWare server is the router you only have to enable routing
> - the server's default gateway is completely irrelevant for that. Of
> course the hosts in the networks have to have the router as the default
> gateway (or a static route).
Clients are fine; let's say that they are on 192.168.1.0 to 192.168.255.0 and
they have default gateways on their subnets that go thru x.x.x.1 (e.g. a
192.168.1.0 machine will have a default gateway of 192.168.1.1 and a
192.168.2.0 machine will have a default gateway of 192.168.2.1, etc.).
>> 2. I want all ldap traffic, in my case this will be ldap port 389 and
>> 636,
>> that originates from network 10.0.0.0 to go back thru the gateway
>> 10.0.0.1.
>
> Routing is not (application) protocol specific. You can either route all
> IP packets or none a certain route. Please have a look at the routing
> table of your computer to see what I mean.
Yes, I understand that routing is not application\protocol specific.
When you say "have a look at the routing table" I assume you mean the
NetWare server; I've done that using TCPCON. I can see the issue, just not
sure how to get it to do what I want.
> Also what you might want is called source routing[1] and this is mostly
> blocked because it opens a huuuuge security hole.
>
>> This is required because the firewall requires that if a response is
>> to go
>> out to a client then it must go out over the same network that it
>> originated from. This is the part that's not currently working. At the
>> moment the query comes in from 10.0.0.0 and the response tries to go
>> out
>> via the default gateway on 192.168.0.1 the firewall blocks the outgoing
>> traffic....basic stuff!!!
>
> I wonder where and how you put that firewall if you have only two
> subnets and one router. Is this Bordermanager on the NetWare server?
See above re. the network: the firewall\s are blades within the core
routers and support virtual firewalls that can be applied to any part of the
distribution\access layer of the network.
Does that make any more sense?
> Thorsten
> [1] http://en.wikipedia.org/wiki/Source_routing -
ISG: Service with traffic policing counts dropped packets.
Hello,
Our company has a Cisco 7304 NPEG100 router ("show version" at the bottom of this message). We are planning to start ISG services on this router, but there is a bug, CSCei4190. When I set traffic policing in a service, accounting in this service counts packets that have been dropped by traffic policing.
Here is example of my definition of service in RADIUS:
User-Name = 'Internet-Service'
Cisco-AVPair += "ip:traffic-class=in access-group 2000 priority 10"
Cisco-AVPair += "ip:traffic-class=out access-group 2001 priority 10"
Cisco-AVPair += "ip:traffic-class=in default drop"
Cisco-AVPair += "ip:traffic-class=out default drop"
Cisco-AVPair += "prepaid-config=TRAFFIC_PREPAID"
Cisco-AVPair += "accounting-list=ISG_ACCT"
Cisco-Service-Info += "QU;256000;D;512000"
Acct-Interim-Interval += '60'
When I remove Cisco-Service-Info += "QU;256000;D;512000" from the service definition, all traffic is counted correctly.
I did not find in the Bug Details which version of IOS I should use on my 7304 router where this bug is fixed.
Cisco IOS Software, 7300 Software (C7300-A3JK91S-M), Version 12.2(31)SB17, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Fri 30-Oct-09 12:35 by vpernank
ROM: System Bootstrap, Version 12.2(22r)S, RELEASE SOFTWARE (fc1)
BOOTLDR: 7300 Software (C7300-BOOT-M), Version 12.2(20)S6, RELEASE
SOFTWARE (fc4)
7304 uptime is 17 hours, 24 minutes
Uptime for this control processor is 17 hours, 24 minutes
System returned to ROM by reload at 06:22:24 TSK Wed Feb 23 2005
System restarted at 18:46:54 TSK Mon Mar 22 2010
System image file is "disk0:c7300-a3jk91s-mz.122-31.SB17.bin"
cisco 7300 (NPEG100) processor (revision B) with 983040K/65536K bytes of memory.
SB-1 CPU at 800Mhz, Implementation 0x401, Rev 0.2, 512KB L2 Cache
4 slot midplane, Version 67.49
Last reset from software reset or reload
4 FastEthernet interfaces
3 Gigabit Ethernet interfaces
1021K bytes of non-volatile configuration memory.
62592K bytes of ATA compact flash in bootdisk (Sector size 512 bytes).
125952K bytes of ATA compact flash in disk0 (Sector size 512 bytes).
Configuration register is 0x2102
-
I am getting other logs sent to the syslog server, yes, just not the firewall-related "dropped packet" logs. Here's an example of one that does make it through:
5790: *Apr 30 15:05:27.039 UTC: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-647534746 1500 bytes is out-of-order; expectedseq:3647406270. Reason: TCP reassembly queue overflow - session 192.168.1.179:3895 to 54.240.160.142:80 on zone-pair inside-to-Transit class WB-Browsing
I am not allowing all the traffic across the box. The "self-to-inside" zone-pair just allows the *firewall itself* to initiate any traffic to the inside zone. That's temporary until I get all the management traffic to and from the firewall defined, then I will lock it down further.
And I added the "ip inspect log drop-pkt" and it did not appear to make any difference.
Any other suggestions?
-Mat -
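When only some %FW messages reach the collector, the quickest check is an inventory of which mnemonics actually arrive. The script below is an added example (not from this thread or from Cisco): it parses the IOS syslog header and the session/zone-pair/class fields of messages like the %FW-4-TCP_OoO_SEG line quoted above, counts messages per mnemonic and lists expected ones that never showed up. The sample lines are constructed; the expected-mnemonic list is the caller's, and FW-6-DROP_PKT is used here as an assumed placeholder for the drop messages being waited for.

```python
"""Inventory of which IOS zone-based firewall (%FW-*) messages reach a syslog
collector. Added example, not from the thread above. It parses the IOS syslog
header plus the session / zone-pair / class fields of messages like the
%FW-4-TCP_OoO_SEG line quoted above, counts messages per mnemonic, and lists
expected mnemonics that never arrived, so a missing drop-log category stands out."""
import re
from collections import Counter

# Constructed sample lines modelled on the message above; only the TCP_OoO_SEG
# format comes from the page, the other lines are illustrative.
SAMPLE_LOG = """\
5790: *Apr 30 15:05:27.039 UTC: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-647534746 1500 bytes is out-of-order; expectedseq:3647406270. Reason: TCP reassembly queue overflow - session 192.168.1.179:3895 to 203.0.113.10:80 on zone-pair inside-to-Transit class WB-Browsing
5791: *Apr 30 15:05:28.101 UTC: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:1122334455 1460 bytes is out-of-order; expectedseq:1122330000. Reason: TCP reassembly queue overflow - session 192.168.1.20:50123 to 203.0.113.11:443 on zone-pair inside-to-Transitclass WB-Browsing
5792: *Apr 30 15:05:30.500 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.5)
this line is not an IOS syslog message
"""

# "<seq>: *<timestamp> <tz>: %FACILITY-SEV-MNEMONIC: text"
HEADER = re.compile(
    r"^(?:(?P<seq>\d+): )?\*?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d(?:\.\d+)? \w+): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>\w+): (?P<text>.*)$")
# Tolerates the missing space before 'class' seen in the quoted line.
SESSION = re.compile(
    r"session (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zone_pair>\S+?)\s*class (?P<cls>\S+)")


def parse_line(line):
    """Return a dict for one IOS syslog line, or None if it is not one."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    rec["session"] = None
    s = SESSION.search(rec["text"])
    if s:
        rec["session"] = s.groupdict()
        rec["session"]["sport"] = int(rec["session"]["sport"])
        rec["session"]["dport"] = int(rec["session"]["dport"])
    return rec


def inventory(lines):
    """Count messages per FACILITY-SEVERITY-MNEMONIC key."""
    counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        counts[f"{rec['facility']}-{rec['severity']}-{rec['mnemonic']}"] += 1
    return counts


def missing_mnemonics(lines, expected):
    """Expected keys (e.g. the drop messages a policy should emit) that never showed up."""
    seen = inventory(lines)
    return [key for key in expected if key not in seen]


def dropped_sessions(lines):
    """(src, dst, dport, zone-pair, class) for every %FW message that reports a drop."""
    out = []
    for rec in filter(None, map(parse_line, lines)):
        if rec["facility"] == "FW" and "Dropping" in rec["text"] and rec["session"]:
            s = rec["session"]
            out.append((s["src"], s["dst"], s["dport"], s["zone_pair"], s["cls"]))
    return out
```

Feed it the collector's file and compare `inventory()` with the mnemonics the device shows in `show logging`; a mnemonic present on the box but absent at the collector points at the logging level or transport rather than at the inspect policy.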
Cisco 881 ISR IPSec VPN Tunnel does not pass traffic from the vlan.
I have a cisco 881 ISR Router with a site-to-site IPsec vpn tunnel to a mikrotik device on the other end (I inherited this from my client). The tunnel is constructed properly and is up, however traffic does not pass or get routed to the FA4 interface. I see in my packet captures that it hits the vlan1 interface (vlans are required on the L2 ports) and does not pass to the tunnel.
This is my configuration:
141Kerioth#sh config
Using 3763 out of 262136 bytes
! Last configuration change at 01:02:41 UTC Mon May 26 2014 by admin
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname 141Kerioth
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
aaa new-model
141Kerioth#do wr mem
^
% Invalid input detected at '^' marker.
141Kerioth#wr mem
Building configuration...
[OK]
141Kerioth#sh run
Building configuration...
Current configuration : 5053 bytes
! Last configuration change at 01:38:06 UTC Mon May 26 2014 by admin
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname 141Kerioth
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
aaa new-model
aaa authentication login default local
aaa authentication ppp default local
aaa session-id common
memory-size iomem 10
crypto pki trustpoint TP-self-signed-580381394
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-580381394
revocation-check none
rsakeypair TP-self-signed-580381394
crypto pki certificate chain TP-self-signed-580381394
certificate self-signed 01
quit
ip dhcp excluded-address 10.0.16.1
ip dhcp pool ccp-pool
import all
network 10.0.16.0 255.255.255.0
default-router 10.0.16.1
dns-server 8.8.8.8
lease 0 2
ip domain name kerioth.com
ip host hostname.domain z.z.z.z
ip name-server 8.8.8.8
ip name-server 4.2.2.2
ip cef
no ipv6 cef
license udi pid CISCO881-K9 sn FTX180483DD
username admin privilege 15 secret 4 CmmfIy.RPySmo4Q2gEIZ2jlr3J.bTBAszoe5Bry0z4c
username meadowbrook privilege 0 password 0 $8UBr#Ux
username meadowbrook autocommand exit
policy-map type inspect outbound-policy
crypto isakmp policy 1
encr 3des
authentication pre-share
group 5
crypto isakmp key 141Township address z.z.z.z
crypto isakmp keepalive 10
crypto ipsec transform-set TS esp-3des esp-sha-hmac
mode tunnel
crypto map mymap 10 ipsec-isakmp
set peer z.z.z.z
set transform-set TS
match address 115
interface Loopback0
no ip address
interface Tunnel1
no ip address
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface FastEthernet4
description $FW_OUTSIDE_WAN$
ip address 50.y.y.y 255.255.255.240
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map mymap
interface Vlan1
description $ETH_LAN$
ip address 10.0.16.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 115 interface Vlan1 overload
ip nat inside source list 199 interface FastEthernet4 overload
ip nat inside source route-map nonat interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 50.x.x.x
access-list 110 deny ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 110 permit ip 10.0.16.0 0.0.0.255 any
access-list 115 permit ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 144 permit icmp host c.c.c.c host 10.0.1.50
access-list 144 permit icmp host p.p.p.p host 10.0.16.105
access-list 199 permit ip a.a.a.a 0.0.0.255 any
no cdp run
route-map nonat permit 10
match ip address 100
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 1 in
exec-timeout 30 0
privilege level 15
transport preferred ssh
transport input ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
cns trusted-server all-agents x.x.x.x
cns trusted-server all-agents hostname
cns trusted-server all-agents hostname.domain
cns id hardware-serial
cns id hardware-serial event
cns id hardware-serial image
cns event hostname.domain 11011
cns config initial hostname.domain 80
cns config partial hostname.domain 80
cns exec 80
end
Why do you have the following command on the PIX?
crypto map outside_map 40 set transform-set 165.228.x.x
Also you have this transform set on the PIX:
crypto ipsec transform-set 10.112.60.0 esp-aes-256 esp-sha-hmac
This does not match the transform set on the router:
crypto ipsec transform-set tritest esp-3des esp-md5-hmac
Where are you using the access-list/route-map 101?
-
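A tunnel that is up but carries no LAN traffic is very often a NAT/crypto ACL mismatch, and the posted configuration has several statements worth cross-checking: the crypto map matches ACL 115, ACL 115 is also used as a NAT source list, the nonat route-map references ACL 100, and ACL 110 (the one with the deny for the tunnel subnets) is referenced nowhere. The checker below is an added example (not the poster's config and not a Cisco tool) that parses those statement types from a running config and reports exactly these inconsistencies; the sample config is constructed to mirror the one above with placeholder addresses, and comparison is on exact address text, not subnet containment.

```python
"""Consistency checks for IOS IPsec + NAT statements (added example; not the
poster's config and not a Cisco tool). It parses access-lists, crypto-map
'match address', route-maps and 'ip nat inside source' lines from a running
config and reports the mismatches that commonly keep LAN traffic out of a
site-to-site tunnel. Address comparison is exact text, not subnet containment."""
from collections import defaultdict

# Constructed sample modelled on the 881 config above (addresses are placeholders).
SAMPLE_CONFIG = """\
crypto map mymap 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address 115
ip nat inside source list 115 interface Vlan1 overload
ip nat inside source list 199 interface FastEthernet4 overload
ip nat inside source route-map nonat interface FastEthernet4 overload
access-list 110 deny ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 110 permit ip 10.0.16.0 0.0.0.255 any
access-list 115 permit ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 144 permit icmp host 192.0.2.9 host 10.0.1.50
access-list 199 permit ip 198.51.100.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 100
"""

TOP_LEVEL = ("interface ", "ip ", "access-list ", "line ", "crypto ", "route-map ")


def _addr(tok, i):
    """Return (address spec, next index) for one ACL source/destination field."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return f"{tok[i + 1]} 0.0.0.0", i + 2
    if i + 1 >= len(tok):                       # standard ACL with a bare host address
        return f"{tok[i]} 0.0.0.0", i + 1
    return f"{tok[i]} {tok[i + 1]}", i + 2


def parse_config(text):
    cfg = {"acls": defaultdict(list), "crypto_acls": set(), "nat_lists": set(),
           "nat_routemaps": set(), "routemap_acls": defaultdict(set)}
    section = None  # ("crypto", name) or ("routemap", name) while inside that block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tok = line.split()
        if line.startswith(TOP_LEVEL):          # any new top-level statement ends a block
            section = None
        if tok[:2] == ["crypto", "map"] and len(tok) >= 5:
            section = ("crypto", tok[2])
        elif tok[0] == "route-map":
            section = ("routemap", tok[1])
        elif tok[0] == "access-list" and tok[2] in ("permit", "deny"):
            if tok[3].isalpha():                # extended ACL: proto src dst
                src, i = _addr(tok, 4)
                dst, _ = _addr(tok, i)
                proto = tok[3]
            else:                               # standard ACL: source only
                src, _ = _addr(tok, 3)
                dst, proto = "any", "ip"
            cfg["acls"][tok[1]].append((tok[2], proto, src, dst))
        elif tok[:2] == ["match", "address"] and section and section[0] == "crypto":
            cfg["crypto_acls"].add(tok[2])
        elif tok[:3] == ["match", "ip", "address"] and section and section[0] == "routemap":
            cfg["routemap_acls"][section[1]].update(tok[3:])
        elif tok[:5] == ["ip", "nat", "inside", "source", "list"]:
            cfg["nat_lists"].add(tok[5])
        elif tok[:5] == ["ip", "nat", "inside", "source", "route-map"]:
            cfg["nat_routemaps"].add(tok[5])
    return cfg


def check(cfg):
    """Return human-readable findings for a parsed config."""
    out = []
    nat_acls = set(cfg["nat_lists"])
    for rm in cfg["nat_routemaps"]:
        nat_acls |= cfg["routemap_acls"].get(rm, set())
    referenced = nat_acls | cfg["crypto_acls"]
    for n in sorted(referenced - set(cfg["acls"])):
        out.append(f"ACL {n} is referenced but never defined")
    for n in sorted(set(cfg["acls"]) - referenced):
        out.append(f"ACL {n} is defined but not used by any crypto map or NAT rule")
    for n in sorted(cfg["crypto_acls"] & cfg["nat_lists"]):
        out.append(f"crypto ACL {n} is also a NAT source list, so tunnel traffic gets translated")
    # Every flow the crypto ACL permits needs a matching deny in each NAT ACL that could translate it.
    for c in sorted(cfg["crypto_acls"]):
        for action, _proto, src, dst in cfg["acls"].get(c, []):
            if action != "permit":
                continue
            for n in sorted(nat_acls):
                entries = cfg["acls"].get(n, [])
                denied = any(e[0] == "deny" and e[2:] == (src, dst) for e in entries)
                hits = any(e[0] == "permit" and e[2] in (src, "any") for e in entries)
                if hits and not denied:
                    out.append(f"NAT ACL {n} does not exempt crypto flow {src} -> {dst}")
    return out


def run(text=SAMPLE_CONFIG):
    return check(parse_config(text))
```

Run it against the real `show run` output; with the sample it reports the undefined ACL 100, the unused ACL 110, and ACL 115 being both the crypto ACL and a NAT source list, and once the route-map points at 110 and the list-115 NAT line is gone only the unused ACL 144 remains.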
Hi guys,
Couldn't really get into the logic of bridge-domain and HSRP coexistence. How will traffic be flooded?
Imagine following topology:
Bridge-domain and hsrp is running between ASR1 and ASR2.
Host C has two network adapters. Both are in UP state, but only one of them is forwarding traffic.
I am curious, what path traffic will take from host A to host C and from B to C in situation when :
1) net.adapter #1 is active
2) net.adapter #2 is active
p.s. active router for hsrp remains the same.
We have captured traffic on the devices, and it was a bit confusing to me that standby hsrp router was forwarding traffic from host B out of g0/0/0/0 and pw 3
I would appreciate any help...
Okay, that really makes sense. Thank you very much for the explanation!
Yes, You are right, that's RNC.
Theoretically the MAC address should be flushed away from the memory when the switchover of the network card appears, because, the connection for some seconds goes down.
Could you please take a look at the following output:
As I understand, both ASR's do know where 0040.4384.8260 (This is RNC NPGEP mac address) is. So basically there should not be any flooding..
RP/0/RSP1/CPU0:ASR9k-1#sh l2vpn forwarding bridge-domain RNC:RNC3_TEST mac-address detail location 0/0/CPU0
Mon Dec 2 21:05:25.639 EET
Bridge-domain name: RNC:RNC3_TEST, id: 20, state: up
MAC learning: enabled
MAC port down flush: enabled
Flooding:
Broadcast & Multicast: enabled
Unknown unicast: enabled
MAC aging time: 300 s, Type: inactivity
MAC limit: 4000, Action: none, Notification: syslog
MAC limit reached: no
MAC Secure: disabled, Logging: disabled
DHCPv4 snooping: profile not known on this node
Dynamic ARP Inspection: disabled, Logging: disabled
IP Source Guard: disabled, Logging: disabled
IGMP snooping: disabled, flooding: enabled
Routed interface: BVI3, Xconnect id: 0x8000001f, state: up
IRB platform data: {0x14000a, 0x1, 0x0, 0x80000000}, len: 16
Bridge MTU: 1500 bytes
Number of bridge ports: 2
Number of MAC addresses: 2
Multi-spanning tree instance: 0
Mac Address: 0000.0c07.ac03, LC learned: N/A
Resync Age: N/A, Flag: static, BVI
Mac Address: 6c9c.ed0a.2e3d, LC learned: N/A
Resync Age: N/A, Flag: static, BVI
GigabitEthernet0/0/0/0, state: oper up
Number of MAC: 1
Statistics:
packets: received 48765801690, sent 309298266072
bytes: received 33416543382293, sent 54307173696538
Storm control drop counters:
packets: broadcast 0, multicast 0, unknown unicast 0
bytes: broadcast 0, multicast 0, unknown unicast 0
Dynamic arp inspection drop counters:
packets: 0, bytes: 0
IP source guard drop counters:
packets: 0, bytes: 0
Mac Address: 0040.4384.8260, LC learned: 0/0/CPU0
Resync Age: 0d 0h 0m 0s, Flag: local
Nbor 10.9.9.253 pw-id 3
Number of MAC: 1
Statistics:
packets: received 19771488146, sent 198111062527
bytes: received 10977874479587, sent 50825792902418
Storm control drop counters:
packets: broadcast 0, multicast 0, unknown unicast 0
bytes: broadcast 0, multicast 0, unknown unicast 0
Dynamic arp inspection drop counters:
packets: 0, bytes: 0
IP source guard drop counters:
packets: 0, bytes: 0
Mac Address: 6c9c.ed0a.9ced, LC learned: 0/0/CPU0
Resync Age: 0d 0h 0m 0s, Flag: global
L3 encapsulation Vlan: 2558
RP/0/RSP1/CPU0:ASR9k-2#sh l2vpn forwarding bridge-domain RNC:RNC3_TEST mac-address detail location 0/0/CPU0
Mon Dec 2 21:05:49.504 EET
Bridge-domain name: RNC:RNC3_TEST, id: 15, state: up
MAC learning: enabled
MAC port down flush: enabled
Flooding:
Broadcast & Multicast: enabled
Unknown unicast: enabled
MAC aging time: 300 s, Type: inactivity
MAC limit: 4000, Action: none, Notification: syslog
MAC limit reached: no
MAC Secure: disabled, Logging: disabled
DHCPv4 snooping: profile not known on this node
Dynamic ARP Inspection: disabled, Logging: disabled
IP Source Guard: disabled, Logging: disabled
IGMP snooping: disabled, flooding: enabled
Routed interface: BVI3, Xconnect id: 0x8000001a, state: up
IRB platform data: {0xf000a, 0x1, 0x0, 0x80000000}, len: 16
Bridge MTU: 1500 bytes
Number of bridge ports: 2
Number of MAC addresses: 3
Multi-spanning tree instance: 0
To Resynchronize MAC table from the Network Processors, use the command...
l2vpn resynchronize forwarding mac-address-table location
GigabitEthernet0/0/0/0, state: oper up
Number of MAC: 0
Statistics:
packets: received 782133119087, sent 620642426712
bytes: received 514958352902308, sent 107302134940298
Storm control drop counters:
packets: broadcast 0, multicast 0, unknown unicast 0
bytes: broadcast 0, multicast 0, unknown unicast 0
Dynamic arp inspection drop counters:
packets: 0, bytes: 0
IP source guard drop counters:
packets: 0, bytes: 0
Nbor 10.9.9.254 pw-id 3
Number of MAC: 3
Statistics:
packets: received 297905813562, sent 17722149746
bytes: received 68165206300571, sent 10642920750826
Storm control drop counters:
packets: broadcast 0, multicast 0, unknown unicast 0
bytes: broadcast 0, multicast 0, unknown unicast 0
Dynamic arp inspection drop counters:
packets: 0, bytes: 0
IP source guard drop counters:
packets: 0, bytes: 0
Mac Address: 0000.0c07.ac03, LC learned: 0/0/CPU0
Resync Age: 0d 0h 0m 0s, Flag: global
L3 encapsulation Vlan: 510
Mac Address: 0040.4384.8260, LC learned: 0/0/CPU0
Resync Age: 0d 0h 0m 0s, Flag: global
L3 encapsulation Vlan: 510
Mac Address: 6c9c.ed0a.2e3d, LC learned: 0/0/CPU0
Resync Age: 0d 0h 0m 0s, Flag: global
L3 encapsulation Vlan: 3582 -
Receive IPv6 traffic - kernel panic?
I configured an IPv4 -> IPv6 tunnel on my firewall via he.net and set my default route for inet6 traffic to the remote side. Then I got a /64 network assigned from he.net and IP'd my internal network, including my MacBook Pro running OS X 10.4.8.
I can do a traceroute6 from my Mac to external sites just fine. It uses the IPv6 tunnel exactly as expected (I set my default route for IPv6 on my Mac to be the IPv6 address of the internal interface of my firewall). When I tried to use an external site to do a traceroute6 back to my Mac, it panicked!
Perhaps there is some problem with the Intel version of the Yukon driver (Marvell Yukon gigabit ethernet)? Has anyone else had kernel panics when on the receiving end of inbound IPv6 traffic (that wasn't in response to an outbound connection)?
Here's the crash report:
panic(cpu 0 caller 0x0035BEAC): freeing free mbuf
Backtrace, Format - Frame : Return Address (4 potential args on stack)
0x251e3db8 : 0x128d1f (0x3c9540 0x251e3ddc 0x131df4 0x0)
0x251e3df8 : 0x35beac (0x3e9c7c 0x1dfba 0x87c4b9fe 0x1dfba)
0x251e3e38 : 0x7314a4 (0x36e07600 0x0 0x251e3e68 0x1a1ec0)
0x251e3e58 : 0xa6d454 (0x237f1000 0x36e07600 0x0 0x2)
0x251e3e88 : 0xa6bad0 (0x237f1000 0x36e07600 0x0 0x38dbc80)
0x251e3ea8 : 0xa6ed7c (0x237f1000 0x0 0x1000000 0x133b25)
0x251e3f08 : 0x398a1f (0x237f1000 0x38dbc80 0x1 0x37b5d08)
0x251e3f58 : 0x397bf1 (0x38dbc80 0x135ec3 0x0 0x37b5d08)
0x251e3f88 : 0x397927 (0x38d7480 0x0 0xee6b280 0x13869f)
0x251e3fc8 : 0x19a74c (0x38d7480 0x0 0x4 0x4eae6b8) Backtrace terminated-invalid frame pointer 0x0
Kernel loadable modules in backtrace (with dependencies):
com.apple.iokit.AppleYukon(1.0.7b3)@0xa69000
dependency: com.apple.iokit.IONetworkingFamily(1.5.1)@0x72a000
dependency: com.apple.iokit.IOPCIFamily(2.1)@0x5ee000
com.apple.iokit.IONetworkingFamily(1.5.1)@0x72a000
Kernel version:
Darwin Kernel Version 8.8.1: Mon Sep 25 19:42:00 PDT 2006; root:xnu-792.13.8.obj~1/RELEASE_I386
Model: MacBookPro1,1, BootROM MBP11.0055.B08, 2 processors, Intel Core Duo, 2.16 GHz, 2 GB
Graphics: ATI Radeon X1600, ATY,RadeonX1600, PCIe, 256 MB
Memory Module: BANK 0/DIMM0, 1 GB, DDR2 SDRAM, 667 MHz
Memory Module: BANK 1/DIMM1, 1 GB, DDR2 SDRAM, 667 MHz
AirPort: spairportwireless_card_type_airportextreme (0x168C, 0x86), 0.1.27
Bluetooth: Version 1.7.9f12, 2 service, 0 devices, 1 incoming serial ports
Network Service: Built-in Ethernet, Ethernet, en0
Network Service: AirPort, AirPort, en1
Serial ATA Device: ST910021AS, 93.16 GB
Parallel ATA Device: MATSHITADVD-R UJ-857
USB Device: Built-in iSight, Micron, Up to 480 Mb/sec, 500 mA
USB Device: Apple Internal Keyboard / Trackpad, Apple Computer, Up to 12 Mb/sec, 500 mA
USB Device: IR Receiver, Apple Computer, Inc., Up to 12 Mb/sec, 500 mA
USB Device: Bluetooth HCI, Up to 12 Mb/sec, 500 mA
MTU on the ethernet interfaces of the Mac and the inside of the firewall are both 1500 (normal). My switch is only FE so the Mac's NIC auto-neg'd to 100/full. The MTU of the 4->6 tunnel is 1280. I believe that's because of the encapsulation overhead (it has to send the IPv6 packets inside IPv4 packets).
In any case, it's not using Jumbo Frames (I don't think the switch even supports them).
I was thinking it might be a problem with the longer address and endianness. For instance, maybe on the Intel platform they did a quick patch to make the address pointer move over a fixed 4 bytes, then read backwards by the length of the address. That would work fine for 4 byte (i.e. IPv4) addresses, but on 16 byte (IPv6) addresses it would go horribly wrong (shift 4 bytes, then read backwards 16 bytes, uh oh!).
Apparently it only affects some of the code paths, because I can send out IPv6 packets and accept the responses. It was only when I received an unsolicited IPv6 packet that it panicked.
It's all just a wild guess anyway. I would like to experiment with it a little more, but I really don't feel like causing multiple kernel panics and possibly corrupting my file system from the resulting hard resets.
-
Show dot11 statistics client-traffic
I'm trying to interpret output from the 'show dot11 statistics client-traffic' command in autonomous IOS version 15.2(4)JB4 on a 3600-series access point. Finding a detailed description of each data point being reported has been very difficult - c'mon Cisco! For my purposes I'm most interested in what is being reported in the 'Retry' and 'RSSI' fields. It seems like RSSI in dBm is being reported but I'd like confirmation from someone who knows because in older versions of IOS it seems like this value might have been a percentage value on a scale of 0 to 100% with 0 being -113dBm and 100 being -10dBm.
Here is a sample of the output from my access point:
SURVEY_AP1#show dot11 statistics client-traffic
Dot11Radio0: -- Client Statistics
---Clients 0 AID VLAN Status:S/I/B/A Age TxQ-R(A) Mode Enc Key Rate Mask Tx Rx BVI Split-ACL Client-ACL L2-ACL
RxPkts KBytes Dup Dec Mic TxPkts KBytes Retry RSSI SNR
(Client) MaxPri DefUniPri DefMultPri WiredProt
IP Address Pauses Idle RateTx RateDataTx RSC
MVL Req=0, In=0
Video Report: Cnt Rate Retries/Tot
8021x auth in prog 0 allowed 0
Dot11Radio1: -- Client Statistics
---Clients 0 AID VLAN Status:S/I/B/A Age TxQ-R(A) Mode Enc Key Rate Mask Tx Rx BVI Split-ACL Client-ACL L2-ACL
7cd1.c379.2d10 1 0 30 40144 000 03E 60 0-0 (0) 3F80 200 0-10 00FFFFFFFF000000000 0817 00C
RxPkts KBytes Dup Dec Mic TxPkts KBytes Retry RSSI SNR
7cd1.c379.2d10 294 25 59 0 0 155 16 98 43 45
Agr TxLt TxRP St ACQ/TW TxACQ Stats
7cd1.c379.2d10 p0 64 138 0 0 1 1 0 243 243 0 0 0
7cd1.c379.2d10 p1 20 30 0 0 1 1 0 0 0 0 0 0
7cd1.c379.2d10 p2 20 30 0 0 1 1 0 0 0 0 0 0
7cd1.c379.2d10 p3 20 138 0 0 1 1 0 0 0 0 0 0
7cd1.c379.2d10 p4 20 30 0 0 1 1 0 0 0 0 0 0
7cd1.c379.2d10 p5 20 30 0 0 1 1 0 0 0 0 0 0
7cd1.c379.2d10 p6 20 30 0 0 1 1 0 10 10 0 0 0
7cd1.c379.2d10 p7 20 30 0 0 1 1 0 5 5 0 0 0
Tx Params Pri BA TxLt AggrSz MaxL AvgL
7cd1.c379.2d10 0 4 138 64 65460 111
7cd1.c379.2d10 1 0 30 20 65460 0
7cd1.c379.2d10 2 0 30 20 65460 0
7cd1.c379.2d10 3 0 138 20 65460 1500
7cd1.c379.2d10 4 1 30 20 65460 0
7cd1.c379.2d10 5 1 30 20 65460 0
7cd1.c379.2d10 6 0 30 20 65460 0
7cd1.c379.2d10 7 0 30 20 65460 0
(Client) MaxPri DefUniPri DefMultPri WiredProt
7cd1.c379.2d10 0 0 0 0
IP Address Pauses Idle RateTx RateDataTx RSC
7cd1.c379.2d10 192.168.0.100 00004 000000 0 0 [0]0x10C [6]0xA7
Block Ack Pri, Rcv Wind Timeout SeqNum Held, Xmt Wind Timeout
7cd1.c379.2d10 0 64 0 D20 0 64 0 4, 0 0 0
7cd1.c379.2d10 4 0 0 1, 0 0 0
7cd1.c379.2d10 5 0 0 1, 0 0 0
LBF Indx BfPkts NbfPkts BfTmr PktCnt
7cd1.c379.2d10 RIA 1 18 130 4 17
MVL Req=1, In=1
Video Report: Cnt Rate Retries/Tot
8021x auth in prog 0 allowed 0
SURVEY_AP1#
Thanks in advance for any assistance.
You want the RSSI (Radio Signal Strength Indicator) and the SNR (Signal-to-Noise Ratio) of a particular client?
You have to run one or two commands then. The first one is "sh dot11 s". This will show you the wireless MAC address of a client. Copy and paste the MAC address of your choice and use the command "sh dot11 s ".
Does this answer your question?
Please don't forget to rate useful posts. Thanks. -
WAAS installed without Central Manager. not compressing traffic
Hi,
I installed 2 SRE modules in 2 ISR G2 routers and configured them without Central Manager, but they are not doing compression. Traffic is going from Branch to Head Office but without compression.
My configuration is similar to this link
http://2and2is5.wordpress.com/2011/03/30/configuring-cisco-waas-on-a-sre/
I want to compress http, exchange and cifs traffic.
I don't have Central Manager; can WAAS work without Central Manager?
Can anyone help me with that.
Thanks in advance.
Hi Arslan,
WAAS requires a Central Manager; however, once they are set up it doesn't technically require one in order to continue to optimise traffic. If your WAAS environment is set up correctly and is intercepting the traffic, HTTP and CIFS should automatically be compressed with LZ compression. WAAS can accelerate Exchange; however, it depends on how your Exchange environment is set up and whether it is encrypted. If it's encrypted via SSL you will need a WAAS Central Manager to accelerate it.
To check if your WAEs are running correctly, type "show cms info" on the WAAS and you will probably see that your WAE's status is not Online:
WAE2#sh cms info
Device registration information :
Device Id = 3107921
Device registered as = WAAS Application Engine
Current WAAS Central Manager = ##.##.##.##
Registered with WAAS Central Manager = ##.##.##.##
Status = Online
Time of last config-sync = Mon Sep 24 13:18:51 2012
CMS services information :
Service cms_ce is running
You can check the accelerator status with the below command:
WAE2#sh accelerator
Accelerator Licensed Config State Operational State
cifs Yes Enabled Running
epm Yes Enabled Running
http Yes Enabled Running
mapi Yes Enabled Running
nfs Yes Enabled Running
ssl Yes Enabled Running
video No Disabled Shutdown -
Unable to capture traffic with Ethanalyzer on N5K-5548
Version - 5.0(2)N2(1)
My understanding is that we need
1) Access-List defined, with statistics configured to get matched traffic onto control plane
2) Access-List applied to an interface, via command "ip port access-group mycap in"
3) ethanalyzer command, e.g. ethanalyzer local interface mgmt capture-filter "net 1.1.1.0/24" (also tried interfaces inbound-hi & inbound-low)
I see matches on the access-list, but not seeing anything captured.
What am I missing?
ip access-list mycap
statistics per-entry
10 permit ip any 1.1.1.0/24
20 permit ip 1.1.1.0/24 any
30 permit ip any any
Just FYI, on a similar sidenote we are going to enhance the capability of the capture filter to collect the necessary statistics via the following enhancement:
CSCsz99277 - ethanalyzer capture filter broken
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsz99277 -
How can I permit all traffic from inside-dmz-outside on asa5505
Scenario :
Servers are in DMZ, Internal LAN Users should access ports Specified (5000 & 2048). Router 2801 is facing Leased line; from there it’s connected to firewall.
Router LAN IP: 83.111.X.X - 255.255.255.X
ASA Version 7.2(4)
hostname ciscoasa
domain-name default.domain.invalid
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.X.X 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 83.111.X.X 255.255.255.240
interface Vlan3
nameif dmz
security-level 100
ip address 192.168.100.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
switchport access vlan 3
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 83.111.x.x
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd enable inside
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:5663409d6ba3ad0bcd163e691f032f76
: end
Hi Ben,
Thank you for the response. I followed the link and tried reading everything you posted on AEs but I'm afraid that I didn't understand it all. It seems that each AE example had a single input and a single output (e.g. a double). Is this the case?
What I have is a couple of front panel clusters containing (approximately) 18 control doubles, 8 indicator doubles, 5 boolean radio button constructs and 26 boolean control discretes. I clusterized it to make it readable. In addition I'll eventually have a cluster of task references for hardware handles.
All I want to do is update the front panel values like I would do in C, VB or any other language. I've tried referencing the cluster and using the reference from inside the loops. I've tried using local variables. Neither works. I'm experimenting with globals but it seems that I have to construct the front panel in the global and then I wouldn't know how to reproduce that on the front panel of the main VI. Sometimes it seems that more time is spent getting around LabVIEW constructs than benefitting from them.
I hope the 'Add Attachment' function actually puts a copy of the VI here and not a link to it.
Thanks again for the suggestion,
Frank
Attachments:
Front Panel Reference.vi 33 KB -
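The posted ASA config gives inside and dmz the same security-level (100) and also enables "same-security-traffic permit inter-interface", which is exactly the combination that lets the two zones exchange traffic freely. As an added example (not from the thread), this check parses an ASA-style config and reports interface pairs that share a level while that command is present; the config excerpt is constructed from the post above.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the ASA 7.2(4) config quoted in the post (masked octets omitted).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
interface Vlan3
 nameif dmz
 security-level 100
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
"""

INTER_IFACE_PERMIT = re.compile(r"^\s*same-security-traffic permit inter-interface\s*$", re.M)


def parse_interfaces(config: str) -> Dict[str, int]:
    """Map each nameif to its security-level, walking interface blocks in order."""
    levels: Dict[str, int] = {}
    name = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = None  # new block; nameif has not been seen yet
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("security-level ") and name is not None:
            levels[name] = int(line.split()[1])
    return levels


def same_security_pairs(config: str) -> List[Tuple[str, str]]:
    """Interface pairs that can talk without an ACL: equal security-level plus the
    inter-interface permit. Without that command the ASA drops such traffic by default."""
    if not INTER_IFACE_PERMIT.search(config):
        return []
    levels = parse_interfaces(config)
    names = sorted(levels)
    return [(a, b) for i, a in enumerate(names)
            for b in names[i + 1:] if levels[a] == levels[b]]


if __name__ == "__main__":
    for a, b in same_security_pairs(SAMPLE_CONFIG):
        print(f"{a} <-> {b}: same security-level, inter-interface traffic permitted")
```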
How can I eliminate delays in one NIC when there is traffic on second NIC
Using LabVIEW TCP/IP VIs, my LV application is accessing a database though a LAN, and through a second NIC, it is controlling an instrument. The instrument is connected directly to the computer NIC with a cross-over cable. I have made a permanent route for the IP address of the instrument in the IP route table. The LAN and the instrument have different subnet numbers. Using a packet sniffer, I don't see any traffic meant for the LAN going to the NIC connected to the instrument. The OS of the computer is Windows XP and the NICs are PCI cards.
The message traffic to the instrument suffers from intermittent delays when there is traffic going to the LAN.
How can I eliminate the delays? What could be the cause of the delays? Thanks in advance for your recommendations and suggestions.
Hi LabBard,
Could you tell us a little more about the device that you are connected to? What you could try is to have a VI accessing the LAN, and a separate VI communicating with the instrument, and see how things play out.
Let us know how it goes!
Rasheel -
Possible to segment traffic between 2 interfaces? And other questions...
I would like to set my G5 up as a server utilizing a second connection and to keep traffic separated between this server connection and my regular internet connection (would be wireless). I'm pretty sure this alone is fairly straightforward and can be accomplished by setting up the new interface and moving it down to the bottom of the connection list with wireless at the top. That should keep all non-specific traffic from flowing out the ethernet/server connection - I think.
If the above works the way I stated then I would also want to firewall ONLY the ethernet/server connection (the wireless has its own hardware firewall). AND - this is the tricky part - I also want to add a fake interface that has a fake IP and bind that to the "real" ethernet/server connection. The reason for that is because I need a static IP to bind the service to. I know if the connection list thing works to flow the traffic that if I had an external router on the server connection, this wouldn't be needed. I'd already have a fake IP to bind to and I wouldn't have to run the firewall on the Mac. But I don't and I'd rather not have to buy one.
So can this be done through the network/sharing preference panes? If so, are there any "gotchas" I should be aware of? If not, is there any software tool out there that would make setting this up easier/faster? I'm not opposed to doing it all via command line, but I'm a bit rusty with my linux/unix admin knowledge. Plus I'm not 100% certain how to set all that up command line wise without screwing up OS X!
Thanks.
I'm not sure I fully understand what you are attempting to accomplish. Let's see if I have the general idea.
You have a single G5, that you want to use as both your desktop machine and also to provide specific services, such as web, email, etc.
You have some type of hardware firewall/security appliance.
You have some type of wireless access point.
You don't seem to have any type of router or switch in your configuration.
You want all of your server based traffic to be sent and received on its own Ethernet port. You want your personal Internet traffic to be sent and received on your wireless connection.
So my questions are:
Where is the server traffic going to, coming from? Who is accessing the server, is it users on the Internet, or just computers on your own LAN (which you didn't mention).
If your server is to allow data from or send to the Internet, then you need to have a way to route the traffic there. Do you have more than one method to access the Internet, or will all traffic, both personal and server, be going through the same Internet access pipe?
If it is all going through the same pipe, and you only have the single computer, I don't understand why you wish to segment the traffic.
If on the other hand you have multiple computers on your LAN, then segmenting traffic may make sense. This would allow access to your server and keep your LAN well secured.
Anyway, to get to specifics, you'll need to use the terminal app to bind specific services to specific IP's and ports on your Mac. You will also need to manually configure the firewall to be able to select specific connection ports and bindings. However, while I think it can be done, I'm not sure it makes a great deal of sense.
I would be more inclined to suggest a router or switch that can provide VLAN support, or a router that provides true DMZ support, would be a good way to go.
Anyway, a little more info would be helpful.
Oh, and if I have this totally wrong in what I think you're doing... My mistake.
Tom N. -
Multiple gateways for different Traffic on ASA 5510 firewall
Hello,
My network at the moment is set up as:
WAN, with three sites
Site 1
Site 2
Site 3
Site 1 is behind a non-Cisco firewall, which is connected to the internet via a Frame Relay link (using a Cisco 1721 router). We host a number of servers on the Internal network and DMZ's.
All sites connect to the WAN using Cisco routers or switches.
All internet traffic (IN and OUT) for all sites goes via the non-Cisco firewall.
I am interested in the ASA 5510 with six interfaces.
Using the ASA 5510 is it possible to set up two (2) internet connections, one via the Frame Relay and a second internet connection via an ADSL connection?
Then, is it possible to direct the outward-bound traffic via specific gateways based upon either:
(a) the type of traffic, say HTTP from users behind the firewall; or
(b) the IP addresses of the host (i.e. users' PC versus the servers)
Any assistance is welcome.
Kind regards,
IT@C
Yes, you can do this with policy routing on the internet router in front of the firewall, assuming that you are connecting both ISPs to that router. Also, remember that you can do VLANs on the ASA. This may cut down on the number of interfaces that you use in your config.
http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_guide_chapter09186a0080636f89.html
HTH, pls rate!