6500 ip flow top-talkers
Hi All,
I would like to enable "ip flow-top-talkers" on a 6500 in native mode.
This command is not supported in the current version.
Is there any alternative command, or is it simply not supported?
running ios is s72033-pk9sv-mz.122-18.SXD5.bin
Thanks in advance for the response.
Regards,
Rajesh
This command was introduced only from 12.2(25)S, and this feature was integrated into 12.3(11)T. So, if you are using any lower version than these, this command will not work at all. If possible, better download either of the above 2 versions from the Cisco website and upgrade your IOS.
Similar Messages
-
what happened to this command in the new IOS 15.1(1) with flexflow;
sh ip flow top-talkers...
Thanks,
Sinan
Hi Maicon,
Under "ip flow-top-talkers", you need to configure "sort-by" as it's required to run top-talkers command.
Yoong Seong -
"show ip flow top-talkers" output question
Hello all,
I have a question about the "show ip flow top-talkers" command. The top entry for this 1841 router with a T1 connection is always this line:
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Se0/1/0 64.32.253.138 Local 71.16.240.14 32 6EB0 306B 2366K
How do I get more information about this connection? I looked at IP protocol 32 and it says it is the MERIT Internodal Protocol. Also, what does the bytes field mean? Is that bytes per second or per "flow"?
Hello,
the protocol is 0x32 (in hex) = 50 (dec). This protocol is ESP; I assume this flow is an IPSEC tunnel. The endpoint is your device (the destination interface is Local). The "Bytes" field means the number of bytes in the flow; it is not related to bytes/sec. Please feel free to contact me if you need more information.
Kind regards,
Jan Nejman
Caligare, co.
http://www.caligare.com/ -
Does WCCP skew results of 'ip flow top-talkers'?
I have a router that has been configured to show ip flow top-talker information. I recently added a WAAS to this site that is using WCCP redirection. The 'top-talkers' output on the router still works, but shows the router and the WAAS device as the source/destination for all traffic that has been redirected. I'm not able to see the actual client IPs for that traffic, and that is the majority of my traffic. Is there any way to still view this traffic as I did before? If I export NetFlow to an actual NetFlow server instead of using top-talkers, will that work, or will it display the same thing?
Router configuration:
interface multilink1
ip flow ingress
interface gi0/0
ip flow ingress
ip flow-top-talkers
top 25
sort-by bytes
Now when I do a 'show ip flow top-talkers', here's what I see: 10.10.11.18 is WAAS and 10.10.255.11 is loopback of the router.
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Gi0/0.1 10.10.11.18 Mu1 10.10.255.11 2F 0000 0000 141M
Gi0/0.1 10.10.11.18 Mu1 10.10.255.11 2F 0000 0000 12M
Gi0/0.1 10.10.11.124 Gi0/0.1 10.10.10.53 06 1058 0A26 1801K
Gi0/0.1 10.10.11.54 Gi0/0.1 10.10.10.5 06 0E0C 0A26 882K
Gi0/0.1 10.10.11.107 Gi0/0.1 10.10.10.50 06 043D 05D6 736K
Gi0/0.1 10.10.11.60 Gi0/0.1 10.10.10.5 06 0409 0A26 723K
Gi0/0.1 10.10.11.103 Gi0/0.1 10.10.10.5 06 0407 0A26 713K
Gi0/0.1 10.10.11.120 Gi0/0.1 10.10.10.14 06 0456 05D6 531K
Gi0/0.1 10.10.11.237 Gi0/0.1 10.10.10.27 06 238C 110E 527K
Gi0/0.1 10.10.11.62 Gi0/0.1 10.10.10.53 06 C00E 05D6 463K
Gi0/0.1 10.10.11.125 Gi0/0.1 10.10.10.30 06 12A1 1F90 355K
Gi0/0.1 10.10.11.115 Gi0/0.1 10.10.10.14 06 042C 05D6 336K
Gi0/0.1 10.10.11.137 Gi0/0.1 10.10.10.6 06 04AC 0D3D 244K
Gi0/0.1 10.10.11.154 Gi0/0.1 10.10.10.53 06 0A0D 0A26 216K
Gi0/0.1 10.10.11.66 Gi0/0.1 10.10.10.6 06 C018 05D6 195K
Gi0/0.1 10.10.11.91 Gi0/0.1 10.10.10.5 06 0439 05D6 145K
Gi0/0.1 10.10.11.58 Gi0/0.1 10.10.10.14 06 0458 05D6 134K
Gi0/0.1 10.10.11.127 Gi0/0.1 10.10.10.30 06 0618 1F90 115K
Gi0/0.1 10.10.11.18 Local 10.10.255.11 11 0800 0800 96K
Gi0/0.1 10.10.11.147 Gi0/0.1 10.10.10.14 06 118F 0A26 88K
Gi0/0.1 10.10.11.95 Gi0/0.1 10.10.10.14 06 0C35 0D3D 84K
Gi0/0.1 10.10.11.105 Gi0/0.1 10.10.10.27 06 C98F 01BD 70K
Gi0/0.1 10.10.11.117 Gi0/0.1 10.10.10.53 06 CB1A 0D3D 41K
Gi0/0.1 10.10.11.65 Gi0/0.1 10.10.10.14 06 0EF9 05D6 40K
Gi0/0.1 10.10.11.112 Gi0/0.1 10.10.10.21 06 08D5 0D3D 37K
Thanks!
I believe the problem is caused because I have the WAAS appliance in the same subnet as users. I am using the 'egress-method negotiated-return intercept-method wccp' on the WAAS to send the traffic back to the router. This uses GRE, which is causing the cache flow data to show up the way it is.
I will have to move the WAAS to a different subnet and change the return method. -
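The two threads above both hinge on reading the "Pr", "SrcP" and "DstP" columns of "show ip flow top-talkers" as hex (0x32 = 50 = ESP, 0x2F = 47 = GRE), and on the fact that a tunnel flow only ever shows the outer tunnel endpoints, which is why the WAAS and router loopback replace the real clients. Below is an added Python parser that decodes those columns and reports how much of the listed traffic sits inside tunnels. It is example code written for this page, not Cisco's or any poster's; the sample lines are copied from the posts above, and reading the K/M suffix of the Bytes column as decimal thousands/millions is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List

# IANA protocol numbers that come up when reading top-talkers output.
# The "Pr" column prints the protocol number in hex, so "32" is 0x32 = 50 (ESP)
# and "2F" is 0x2F = 47 (GRE); the SrcP/DstP port columns are hex as well.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 51: "AH"}

# Tunnel protocols: the record only carries the outer tunnel endpoints, so the
# client/server addresses inside the tunnel are invisible to this NetFlow cache.
ENCAPSULATING = {47, 50, 51}

# Assumption: the K/M/G suffix on the Bytes column is read as decimal 10^3/10^6/10^9.
BYTE_SUFFIX = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}


@dataclass
class Flow:
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str
    protocol: int
    src_port: int
    dst_port: int
    byte_count: int

    @property
    def proto_name(self) -> str:
        return PROTO_NAMES.get(self.protocol, f"proto-{self.protocol}")

    @property
    def encapsulated(self) -> bool:
        return self.protocol in ENCAPSULATING


def parse_byte_count(token: str) -> int:
    """Turn '2366K' / '141M' / '736' into an integer byte count."""
    m = re.fullmatch(r"(\d+)([KMG]?)", token)
    if not m:
        raise ValueError(f"bad byte count: {token!r}")
    return int(m.group(1)) * BYTE_SUFFIX[m.group(2)]


def parse_line(line: str) -> Flow:
    """Parse one data row of 'show ip flow top-talkers' (8 whitespace-separated columns)."""
    fields = line.split()
    if len(fields) != 8:
        raise ValueError(f"expected 8 columns, got {len(fields)}: {line!r}")
    src_if, src_ip, dst_if, dst_ip, pr, sp, dp, nbytes = fields
    return Flow(src_if, src_ip, dst_if, dst_ip,
                int(pr, 16), int(sp, 16), int(dp, 16), parse_byte_count(nbytes))


def parse_output(text: str) -> List[Flow]:
    flows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("SrcIf"):   # skip blanks and the header row
            continue
        flows.append(parse_line(line))
    return flows


def encapsulated_share(flows: List[Flow]) -> float:
    """Fraction of listed bytes that sit in tunnel flows whose inner endpoints are hidden."""
    total = sum(f.byte_count for f in flows)
    hidden = sum(f.byte_count for f in flows if f.encapsulated)
    return hidden / total if total else 0.0


def describe(flow: Flow) -> str:
    text = (f"{flow.src_ip}:{flow.src_port} -> {flow.dst_ip}:{flow.dst_port} "
            f"{flow.proto_name} {flow.byte_count} bytes")
    if flow.encapsulated:
        text += "  [tunnel: inner endpoints not visible]"
    return text


# Constructed sample: the 1841 ESP line and the first three WCCP/WAAS lines from the posts.
SAMPLE = """\
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Se0/1/0 64.32.253.138 Local 71.16.240.14 32 6EB0 306B 2366K
Gi0/0.1 10.10.11.18 Mu1 10.10.255.11 2F 0000 0000 141M
Gi0/0.1 10.10.11.18 Mu1 10.10.255.11 2F 0000 0000 12M
Gi0/0.1 10.10.11.124 Gi0/0.1 10.10.10.53 06 1058 0A26 1801K
"""

if __name__ == "__main__":
    flows = parse_output(SAMPLE)
    for flow in flows:
        print(describe(flow))
    print(f"bytes whose real endpoints are hidden: {encapsulated_share(flows):.1%}")
```

Run against the sample, the ESP line decodes to protocol 50 with ports 28336 and 12395, and the two GRE lines account for almost all of the listed bytes, which is exactly the visibility loss the WCCP poster describes: NetFlow on the router sees the GRE return tunnel, not the conversations inside it.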
So I stumbled upon the ip flow-top-talkers feature and attempted to configure it on a 3560-X running 12.2(58)SE2. It allowed me to configure this:
ip flow-top-talkers
top 5
sort-by bytes
cache-timeout 60000
Then on the interface I am interested in:
interface GigabitEthernet0/21
ip flow ingress
Which results in (drum roll please....)
Switch#show ip flow top
% Cache is empty
No joy. So I checked the config guide for unsupported commands, these are not listed.
Then I thought maybe it had to be on a layer 3 interface (g0/21 is layer 2) so I did "ip flow ingress" on an SVI, same results.
So then I checked Feature Navigator for "Flexible Netflow - Top N Talkers Support". 12.2SE is not listed, but 15.0(2)SE is.
Questions:
- Is the existence of the commands in 12.2(58)SE just an oversight? Functionality seems to almost be there, just not quite.
- Does netflow need to be enabled on a layer 3 interface, or will it work on layer 2 (assuming platform support, of course)?
Thanks,
-Jeff
Does your switch have a network services module installed?
Note Flexible NetFlow is supported only on the Catalyst 3750-X and 3560-X switch running the IP base or IP services feature set and equipped with the network services module. It is not supported on switches running the NPE or the LAN base image. -
Cannot config "ip flow-top-talkers" on 7606-S
We have a 7606-S router running IOS 12.2(33r)SRD2 and Internet BGP.
I tried to enable Flow Top Talkers on it to check Top 10 flow talkers.
1.configure interface:
Router(config-if)#ip flow ingress
2.configure
Router(config)#ip flow-top-talkers
but it shows:
Router((config)#ip flow-top-talkers
^
% Invalid input detected at '^' marker.
Router(config)#ip flow-?
flow-aggregation flow-cache flow-capture flow-egress flow-export
I then tried command
Router#show ip flow top-talkers
% Top talkers not configured
Can anyone advise if there is anything I missed, please?
Thanks in advance.
Does your switch have a network services module installed?
Note Flexible NetFlow is supported only on the Catalyst 3750-X and 3560-X switch running the IP base or IP services feature set and equipped with the network services module. It is not supported on switches running the NPE or the LAN base image. -
Cisco2821 - ip flow top talkers = cache is empty
Hi Everyone,
I've been fighting an issue with a 2821 router for some time now. I'm trying to pull the top talkers from an interface, however the cache is empty. I verified the configuration with a known working 2821 and the output for the interfaces are the same. Any help would be greatly appreciated!
NON-WORKING:
interface GigabitEthernet0/0
description P2P Comcast NLAN to ENET
ip address 10.103.2.6 255.255.255.0
ip flow ingress
ip flow egress
duplex full
speed 100
interface GigabitEthernet0/1
description connect to JDR_3560_2
ip address 10.200.12.1 255.255.255.0
duplex auto
speed auto
interface Serial0/1/0
no ip address
shutdown
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
no ip http server
no ip http secure-server
ip flow-cache timeout active 1
ip flow-export source GigabitEthernet0/0
ip flow-export version 5
ip flow-export destination 10.100.1.58 2055
ip flow-top-talkers
top 25
sort-by bytes
logging 10.100.1.17
logging 10.100.1.119
WORKING CONFIG:
interface GigabitEthernet0/0
description Comcast MetroEthernet CID: 54.VLXP.006454.CPLC
ip address 10.103.2.5 255.255.255.0
ip flow ingress
ip flow egress
ip pim sparse-dense-mode
ip igmp query-interval 125
duplex full
speed 100
service-policy output WAN-EDGE
ip flow-cache timeout active 1
ip flow-export source GigabitEthernet0/0
ip flow-export version 5
ip flow-export destination 10.100.6.111 2055
ip flow-export destination 10.100.1.58 2055
ip flow-top-talkers
top 30
sort-by bytes
ip mroute 0.0.0.0 0.0.0.0 10.103.2.240
logging 10.100.1.17
logging 10.100.1.40
logging 10.100.1.119
Hi,
I'm not a Netflow expert, but let's try; the config seems to be correct. Could you post the output of
sh ip flow export
sh ip flow top-talker
sh ver
enrico -
Hi Folks,
I was trying to use the top talkers feature to find the culprits hogging my bandwidth. I am pretty new to the top talker feature, and it is implemented on a 6500 with a Sup720. I have a couple of queries w.r.t. this.
* I tried to configure the sort-by bytes feature and got a warning that it is not supported on the hardware-based model. So is there any way to use sort by bytes on the Sup720?
* The output fields of a show ip flow top-talkers are usually:
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts (had to use sort by packets due to the warning)
Now, is this Pkts field the number of packets counted within the cache-timeout value, or is it the total seen so far? Will it be the same for sort by bytes too, i.e. total bytes seen for this flow rather than a real-time bytes/sec or bytes per cache-timeout value?
If this is the case then it is actually not a real-time top talker value, right? Please help.
Thanks,
Prakadeesh
The command sh ip cache flow shows the cache-timeout value only, not the collective bytes of data; if you need the total bytes seen for this flow you need to use the Crannog NetFlow Tracker kind of tools, or you need to use "ip accounting" and clear the counter manually as and when required!!!
And it is actually a real-time top talker value for that specified cache-timeout value, and I found that most of the time it shows the correct top-talker !!!!!!!!!!!!!!!!!!! -
Netflow top-talkers configuration
Hello
I would like to know the purpose of these configuration commands :
ip flow-top-talkers
top 50
sort-by packets
cache-timeout 2000
match source address 192.1.1.97/32
match destination address 192.1.1.110/32
This is extracted from a documentation from Cisco.
For me there is no sense to configure a top talkers : how do we know that this will be the top talkers ?
Thanks for help
Regards
Top talkers are based on the conversations or flows generating the heaviest traffic on your routing device. A flow refers to traffic from source A to source B through any interface of the router, and "heaviest traffic" means the volume of traffic generated. They can be sorted based on any one of the following criteria:
1. By the total number of packets in each top talker
2. By the total number of bytes in each top talker
There are further filter options, which can done using "match statements".
For eg, if you simply enable top talkers for 50 and set the sort feature based on packets, the 50 conversations who were sending the most traffic (volume - KB, MB, GB) will be taken and displayed. The displayed conversations will be sorted based on the packet counts in the flow.
If you add a match IP source statement to the above example, then the same as above is done, but only flows whose source IP is the same as in the match statement are captured.
If you add a match source and destination IP, then only the top 50 flows between those 2 IP Addresses will be captured and displayed.
Regards,
Don Thomas Jacob
www.netflowanalyzer.com
NOTE: Please rate posts and close questions if you have got the answer. -
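The answer above describes three knobs: "top N" (how many flows to show), "sort-by" (packets or bytes) and optional "match" statements that narrow the candidate set before the top N is taken. The added Python example below models that selection over a handful of constructed cache records so the interaction of the knobs can be seen; it is illustrative code written for this page, not Cisco's implementation or the poster's. The two addresses are those from the Cisco snippet in the question; the other addresses and the packet/byte counts are made up. It goes slightly beyond the /32 matches in the question by accepting any prefix length in the match, so a whole subnet can be filtered the same way.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed flow records standing in for entries of the NetFlow cache.
# 192.1.1.97 and 192.1.1.110 are the addresses from the Cisco example above;
# everything else (other hosts, packet and byte counts) is made up.
FLOWS: List[Dict] = [
    {"src": "192.1.1.97", "dst": "192.1.1.110", "packets": 900,  "bytes": 60_000},
    {"src": "192.1.1.97", "dst": "10.0.0.5",    "packets": 1500, "bytes": 1_200_000},
    {"src": "10.0.0.9",   "dst": "192.1.1.110", "packets": 4000, "bytes": 300_000},
    {"src": "192.1.1.98", "dst": "192.1.1.110", "packets": 50,   "bytes": 5_000_000},
]


def _in_prefix(addr: str, prefix: Optional[str]) -> bool:
    """True when no filter is set, or when addr falls inside the given prefix."""
    if prefix is None:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


def top_talkers(flows: List[Dict], top: int, sort_by: str = "bytes",
                match_source: Optional[str] = None,
                match_destination: Optional[str] = None) -> List[Dict]:
    """Model of 'ip flow-top-talkers': filter by match statements, sort, keep the top N."""
    if sort_by not in ("bytes", "packets"):
        raise ValueError("sort-by must be 'bytes' or 'packets'")
    if top < 1:
        raise ValueError("top must be at least 1")
    # match statements are applied first, so the top N is taken from the filtered set only
    candidates = [f for f in flows
                  if _in_prefix(f["src"], match_source)
                  and _in_prefix(f["dst"], match_destination)]
    return sorted(candidates, key=lambda f: f[sort_by], reverse=True)[:top]


def render(flows: List[Dict], sort_by: str) -> str:
    """Column layout loosely modelled on the router's own top-talkers table."""
    lines = [f"{'SrcIPaddress':<16}{'DstIPaddress':<16}{sort_by.capitalize():>10}"]
    for f in flows:
        lines.append(f"{f['src']:<16}{f['dst']:<16}{f[sort_by]:>10}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("top 2, sort-by packets, no match statements:")
    print(render(top_talkers(FLOWS, 2, "packets"), "packets"))
    print("\ntop 50, sort-by packets, match source 192.1.1.97/32 and destination 192.1.1.110/32:")
    print(render(top_talkers(FLOWS, 50, "packets", "192.1.1.97/32", "192.1.1.110/32"), "packets"))
    print("\ntop 50, sort-by bytes, match source 192.1.1.96/30 (whole subnet):")
    print(render(top_talkers(FLOWS, 50, "bytes", match_source="192.1.1.96/30"), "bytes"))
```

Note how the ranking changes with sort-by (the 4000-packet flow wins on packets, the 5 MB flow wins on bytes) and how a match on both source and destination collapses the list to the single conversation between the two hosts, which is the case the poster was asking about.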
How to get Top Talkers on ASA ?
hi Friends,
We have ASA 5510 and 5520 units at our office. We are not using any NetFlow tools in order to get the top talkers.
As these firewalls are shared (used by different projects), we are not able to tell which project is using more traffic and which is using less.
Can someone help me out in this ?
Regards
Nirav Bhatt
I know this is an old thread, but I'm hoping this will come in handy for anyone doing a search.
All our 5505's and 5510's are on ASA 8.2(5) and didn't get some of the nicer "top 10" features that come with later versions. I always assumed it was due to the ASA version, but I built an ASA recently on 8.2(5) which has ASDM 7.1(2) on it, and the pie charts for top talkers are there now.
I'm in the process of updating all our devices to ASDM 7.1(2) and it's given us a lot more visibility of the network. -
ASA5505 - IP FLOW TOP or IP Accounting
How does one find the top user or IP accounting with this ASA5505 v7.22 device?
With 1841 ISR:
sh ip accounting
sh ip flow top
Very lame if they don't have similar commands or capabilities on the ASA series.
David,
The version that you are running is very old. The IP accounting I'm not sure about, but the show ip flow command, I am almost 99% sure, has to do with NetFlow, which was introduced on the ASA in version 8.2 and higher.
Just looked for the IP accounting, and most likely all that you are asking for is implemented in NetFlow; here is more info:
https://supportforums.cisco.com/docs/DOC-6114
You can upgrade to 8.2.1 without much of a change. Now that you know you are running an old version, please do not consider upgrading ("might as well") to the latest version without first reading what needs to be done. The upgrade to 8.2.1 should not be much of a change.
Mike Rojas -
I've just upgraded my firmware and now when I text the words break at the end of line and don't scroll to the next line.
Do you have 'Keep with previous' switched on in the paragraphs on those pages?
Avoiding a last line on the next page is easier with 'Keep line together'. You can find both in 'Keep options' in the paragraph menu. Also, I find it easier to mark a paragraph with 'Start in next frame'. You don't have to touch the frames that way. -
Site to Site VPN Problems With 2801 Router and ASA 5505
Hello,
I am having some issues setting up a site-to-site IPsec VPN between a Cisco 2801 router and a Cisco ASA 5505. I was told there was a VPN previously set up with an old hosting provider, but those connections have been severed. Right now I am trying to get the sites to talk to the 2801. Here are my current configs; please let me know if you need anything else. I'm stumped on this one. Thanks.
IP scheme at Site A:
IP 172.19.3.x
sub 255.255.255.128
GW 172.19.3.129
Site A Cisco 2801 Router
Current configuration : 11858 bytes
version 12.4
service timestamps debug datetime localtime
service timestamps log datetime localtime show-timezone
service password-encryption
hostname router-2801
boot-start-marker
boot-end-marker
logging message-counter syslog
logging buffered 4096
aaa new-model
aaa authentication login userauthen group radius local
aaa authorization network groupauthor local
aaa session-id common
clock timezone est -5
clock summer-time zone recurring last Sun Mar 2:00 1 Sun Nov 2:00
dot11 syslog
ip source-route
ip dhcp excluded-address 172.19.3.129 172.19.3.149
ip dhcp excluded-address 172.19.10.1 172.19.10.253
ip dhcp excluded-address 172.19.3.140
ip dhcp ping timeout 900
ip dhcp pool DHCP
network 172.19.3.128 255.255.255.128
default-router 172.19.3.129
domain-name domain.local
netbios-name-server 172.19.3.7
option 66 ascii 172.19.3.225
dns-server 172.19.3.140 208.67.220.220 208.67.222.222
ip dhcp pool VoiceDHCP
network 172.19.10.0 255.255.255.0
default-router 172.19.10.1
dns-server 208.67.220.220 8.8.8.8
option 66 ascii 172.19.10.2
lease 2
ip cef
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
no ip domain lookup
ip domain name domain.local
multilink bundle-name authenticated
key chain key1
key 1
key-string 7 06040033484B1B484557
crypto pki trustpoint TP-self-signed-3448656681
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3448bb6681
revocation-check none
rsakeypair TP-self-signed-344bbb56681
crypto pki certificate chain TP-self-signed-3448656681
certificate self-signed 01
3082024F
quit
username admin privilege 15 password 7 F55
archive
log config
hidekeys
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key XXXXX address 209.118.0.1
crypto isakmp key xxxxx address SITE B Public IP
crypto isakmp keepalive 40 5
crypto isakmp nat keepalive 20
crypto isakmp client configuration group IISVPN
key 1nsur3m3
dns 172.19.3.140
wins 172.19.3.140
domain domain.local
pool VPN_Pool
acl 198
crypto isakmp profile IISVPNClient
description VPN clients profile
match identity group IISVPN
client authentication list userauthen
isakmp authorization list groupauthor
client configuration address respond
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map Dynamic 5
set transform-set myset
set isakmp-profile IISVPNClient
qos pre-classify
crypto map VPN 10 ipsec-isakmp
set peer 209.118.0.1
set peer SITE B Public IP
set transform-set myset
match address 101
qos pre-classify
crypto map VPN 65535 ipsec-isakmp dynamic Dynamic
track 123 ip sla 1 reachability
delay down 15 up 10
class-map match-any VoiceTraffic
match protocol rtp audio
match protocol h323
match protocol rtcp
match access-group name VOIP
match protocol sip
class-map match-any RDP
match access-group 199
policy-map QOS
class VoiceTraffic
bandwidth 512
class RDP
bandwidth 768
policy-map MainQOS
class class-default
shape average 1500000
service-policy QOS
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$FW_INSIDE$
ip address 172.19.3.129 255.255.255.128
ip access-group 100 in
ip inspect SDM_LOW in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
interface FastEthernet0/0.10
description $ETH-VoiceVLAN$$
encapsulation dot1Q 10
ip address 172.19.10.1 255.255.255.0
ip inspect SDM_LOW in
ip nat inside
ip virtual-reassembly
interface FastEthernet0/1
description "Comcast"
ip address PUB IP 255.255.255.248
ip access-group 102 in
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN
interface Serial0/1/0
description "Verizon LEC Circuit ID: w0w13908 Site ID: U276420-1"
bandwidth 1536
no ip address
encapsulation frame-relay IETF
frame-relay lmi-type ansi
interface Serial0/1/0.1 point-to-point
bandwidth 1536
ip address 152.000.000.18 255.255.255.252
ip access-group 102 in
ip verify unicast reverse-path
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
frame-relay interface-dlci 500 IETF
crypto map VPN
service-policy output MainQOS
interface Serial0/2/0
description "PAETEC 46.HCGS.788446.CV (Verizon ID) / 46.HCGS.3 (PAETEC ID)"
ip address 123.252.123.102 255.255.255.252
ip access-group 102 in
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
encapsulation ppp
crypto map VPN
service-policy output MainQOS
ip local pool VPN_Pool 172.20.3.130 172.20.3.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 50.00.000.110 track 123
ip route 0.0.0.0 0.0.0.0 111.252.237.000 254
ip route 122.112.197.20 255.255.255.255 209.252.237.101
ip route 208.67.220.220 255.255.255.255 50.78.233.110
no ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
top 20
sort-by bytes
ip nat inside source route-map COMCAST interface FastEthernet0/1 overload
ip nat inside source route-map PAETEC interface Serial0/2/0 overload
ip nat inside source route-map VERIZON interface Serial0/1/0.1 overload
ip nat inside source static tcp 172.19.3.140 21 PUB IP 21 extendable
ip access-list extended VOIP
permit ip 172.20.3.0 0.0.0.127 host 172.19.3.190
permit ip host 172.19.3.190 172.20.3.0 0.0.0.127
ip radius source-interface FastEthernet0/0
ip sla 1
icmp-echo 000.67.220.220 source-interface FastEthernet0/1
timeout 10000
frequency 15
ip sla schedule 1 life forever start-time now
access-list 23 permit 172.19.3.0 0.0.0.127
access-list 23 permit 172.19.3.128 0.0.0.127
access-list 23 permit 173.189.251.192 0.0.0.63
access-list 23 permit 107.0.197.0 0.0.0.63
access-list 23 permit 173.163.157.32 0.0.0.15
access-list 23 permit 72.55.33.0 0.0.0.255
access-list 23 permit 172.19.5.0 0.0.0.63
access-list 100 remark "Outgoing Traffic"
access-list 100 deny ip 67.128.87.156 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit tcp host 172.19.3.190 any eq smtp
access-list 100 permit tcp host 172.19.3.137 any eq smtp
access-list 100 permit tcp any host 66.251.35.131 eq smtp
access-list 100 permit tcp any host 173.201.193.101 eq smtp
access-list 100 permit ip any any
access-list 100 permit tcp any any eq ftp
access-list 101 remark "Interesting VPN Traffic"
access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 101 permit ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.11
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq ftp-data
access-list 102 remark "Inbound Access"
access-list 102 permit udp any host 152.179.53.18 eq non500-isakmp
access-list 102 permit udp any host 152.179.53.18 eq isakmp
access-list 102 permit esp any host 152.179.53.18
access-list 102 permit ahp any host 152.179.53.18
access-list 102 permit udp any host 209.000.000.102 eq non500-isakmp
access-list 102 permit udp any host 209.000.000.102 eq isakmp
access-list 102 permit esp any host 209.000.000.102
access-list 102 permit ahp any host 209.000.000.102
access-list 102 permit udp any host PUB IP eq non500-isakmp
access-list 102 permit udp any host PUB IP eq isakmp
access-list 102 permit esp any host PUB IP
access-list 102 permit ahp any host PUB IP
access-list 102 permit ip 72.55.33.0 0.0.0.255 any
access-list 102 permit ip 107.0.197.0 0.0.0.63 any
access-list 102 deny ip 172.19.3.128 0.0.0.127 any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any
access-list 102 deny ip any any log
access-list 102 permit tcp any host 172.19.3.140 eq ftp
access-list 102 permit tcp any host 172.19.3.140 eq ftp-data established
access-list 102 permit udp any host SITE B Public IP eq non500-isakmp
access-list 102 permit udp any host SITE B Public IP eq isakmp
access-list 102 permit esp any host SITE B Public IP
access-list 102 permit ahp any host SITE B Public IP
access-list 110 remark "Outbound NAT Rule"
access-list 110 remark "Deny VPN Traffic NAT"
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
access-list 110 deny ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
access-list 110 deny ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.11
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 110 permit ip 172.19.3.128 0.0.0.127 any
access-list 110 permit ip 172.19.10.0 0.0.0.255 any
access-list 198 remark "Networks for IISVPN Client"
access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127
access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
access-list 199 permit tcp any any eq 3389
route-map PAETEC permit 10
match ip address 110
match interface Serial0/2/0
route-map COMCAST permit 10
match ip address 110
match interface FastEthernet0/1
route-map VERIZON permit 10
match ip address 110
match interface Serial0/1/0.1
snmp-server community 123 RO
radius-server host 172.19.3.7 auth-port 1645 acct-port 1646 key 7 000000000000000
control-plane
line con 0
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
scheduler allocate 20000 1000
ntp server 128.118.25.3
ntp server 217.150.242.8
end
IP scheme at site B:
ip 172.19.5.x
sub 255.255.255.292
gw 172.19.5.65
Cisco ASA 5505 at Site B
ASA Version 8.2(5)
hostname ASA5505
domain-name domain.com
enable password b04DSH2HQqXwS8wi encrypted
passwd b04DSH2HQqXwS8wi encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 172.19.5.65 255.255.255.192
interface Vlan2
nameif outside
security-level 0
ip address SITE B public IP 255.255.255.224
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone est -5
clock summer-time zone recurring last Sun Mar 2:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name iis-usa.com
same-security-traffic permit intra-interface
object-group network old hosting provider
network-object 72.55.34.64 255.255.255.192
network-object 72.55.33.0 255.255.255.0
network-object 173.189.251.192 255.255.255.192
network-object 173.163.157.32 255.255.255.240
network-object 66.11.1.64 255.255.255.192
network-object 107.0.197.0 255.255.255.192
object-group network old hosting provider
network-object host 172.19.250.10
network-object host 172.19.250.11
access-list 100 extended permit ip 172.19.5.64 255.255.255.192 object-group old hosting provider
access-list 100 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128
access-list 10 extended deny ip 0.0.0.0 255.0.0.0 any
access-list 10 extended deny ip 127.0.0.0 255.0.0.0 any
access-list 10 extended deny ip 169.254.0.0 255.255.0.0 any
access-list 10 extended deny ip 172.16.0.0 255.255.0.0 any
access-list 10 extended deny ip 224.0.0.0 224.0.0.0 any
access-list 10 extended permit icmp any any echo-reply
access-list 10 extended permit icmp any any time-exceeded
access-list 10 extended permit icmp any any unreachable
access-list 10 extended permit icmp any any traceroute
access-list 10 extended permit icmp any any source-quench
access-list 10 extended permit icmp any any
access-list 10 extended permit tcp object-group old hosting provider any eq 3389
access-list 10 extended permit tcp any any eq https
access-list 10 extended permit tcp any any eq www
access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.0 255.255.255.128
access-list 110 extended permit ip 172.19.5.64 255.255.255.192 object-group old hosting provider
pager lines 24
logging enable
logging timestamp
logging console emergencies
logging monitor emergencies
logging buffered warnings
logging trap debugging
logging history debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
ip audit name jab attack action alarm drop reset
ip audit name probe info action alarm drop reset
ip audit interface outside probe
ip audit interface outside jab
ip audit info action alarm drop reset
ip audit attack action alarm drop reset
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
icmp unreachable rate-limit 1 burst-size 1
icmp permit 75.150.169.48 255.255.255.240 outside
icmp permit 72.44.134.16 255.255.255.240 outside
icmp permit 72.55.33.0 255.255.255.0 outside
icmp permit any outside
icmp permit 173.163.157.32 255.255.255.240 outside
icmp permit 107.0.197.0 255.255.255.192 outside
icmp permit 66.11.1.64 255.255.255.192 outside
icmp deny any outside
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 10 in interface outside
route outside 0.0.0.0 0.0.0.0 174.78.151.225 1
timeout xlate 3:00:00
timeout conn 24:00:00 half-closed 0:10:00 udp 0:10:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 24:00:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http 107.0.197.0 255.255.255.192 outside
http 66.11.1.64 255.255.255.192 outside
snmp-server host outside 107.0.197.29 community *****
snmp-server host outside 107.0.197.30 community *****
snmp-server host inside 172.19.250.10 community *****
snmp-server host outside 172.19.250.10 community *****
snmp-server host inside 172.19.250.11 community *****
snmp-server host outside 172.19.250.11 community *****
snmp-server host outside 68.82.122.239 community *****
snmp-server host outside 72.55.33.37 community *****
snmp-server host outside 72.55.33.38 community *****
snmp-server host outside 75.150.169.50 community *****
snmp-server host outside 75.150.169.51 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPNMAP 10 match address 110
crypto map VPNMAP 10 set peer 72.00.00.7 old vpn public ip Site B Public IP
crypto map VPNMAP 10 set transform-set ESP-3DES-MD5
crypto map VPNMAP 10 set security-association lifetime seconds 86400
crypto map VPNMAP 10 set security-association lifetime kilobytes 4608000
crypto map VPNMAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 172.19.5.64 255.255.255.192 inside
telnet 172.19.3.0 255.255.255.128 outside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
management-access inside
dhcpd dns 172.19.3.140
dhcpd wins 172.19.3.140
dhcpd ping_timeout 750
dhcpd domain iis-usa.com
dhcpd address 172.19.5.80-172.19.5.111 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection scanning-threat shun except object-group old hosting provider
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 128.118.25.3 source outside
ntp server 217.150.242.8 source outside
tunnel-group 72.00.00.7 type ipsec-l2l
tunnel-group 72.00.00.7 ipsec-attributes
pre-shared-key *****
tunnel-group old vpn public ip type ipsec-l2l
tunnel-group old vpn public ip ipsec-attributes
pre-shared-key *****
tunnel-group SITE A Public IP type ipsec-l2l
tunnel-group SITE A Public IP ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect pptp
inspect sip
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:
: end
I have removed the old "set peer" and have added:
IOS router:
access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.65
ASA fw:
access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128
On the router I have also added:
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
Here is my ACL:
access-list 110 remark "Outbound NAT Rule"
access-list 110 remark "Deny VPN Traffic NAT"
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
access-list 110 deny ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
access-list 110 deny ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.11
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 110 permit ip 172.19.3.128 0.0.0.127 any
access-list 110 permit ip 172.19.10.0 0.0.0.255 any
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
access-list 198 remark "Networks for IISVPN Client"
access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127
access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
Still no ping to the other site.
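An added example, not part of the post above or of any reply to it: a small Python checker for the three things that most often keep an IOS-to-ASA site-to-site tunnel from passing traffic, run on sample ACL lines constructed to mirror the ones posted. An IOS wildcard mask has to be contiguous (0.0.0.63 is the wildcard for a /26, which is what 255.255.255.192 means on the ASA side; 0.0.0.65 is not a valid wildcard at all), the IOS and ASA crypto ACLs have to be exact mirror images, and the IOS NAT ACL has to deny the VPN pair before the "permit ... any" entry that would otherwise match first. The ACL numbers, the two networks and the sample lines come from the post; the function names and the LOCAL/REMOTE labels are this example's own.

```python
"""Crypto-ACL and NAT-exemption checks for an IOS-to-ASA site-to-site VPN.

Added example, not code from the post.  IOS ACLs use wildcard masks, ASA
ACLs use subnet masks; the two crypto ACLs must be exact mirrors, and the
IOS NAT ACL must deny the VPN pair before any 'permit ... any' entry.
The sample lines below are constructed to mirror the ones in the post.
"""
import ipaddress
import re
from typing import List, Tuple

IOS_LINE = re.compile(r"access-list\s+(\S+)\s+(permit|deny)\s+ip\s+(.+)$")
ASA_LINE = re.compile(r"access-list\s+(\S+)\s+extended\s+(permit|deny)\s+ip\s+(.+)$")
Entry = Tuple[str, str, ipaddress.IPv4Network, ipaddress.IPv4Network]


def wildcard_is_contiguous(wildcard: str) -> bool:
    """Valid wildcards are 0...01...1 in binary, so wildcard+1 is a power of two."""
    v = int(ipaddress.IPv4Address(wildcard))
    return ((v + 1) & v) == 0


def _take(tokens: List[str], ios: bool) -> ipaddress.IPv4Network:
    """Consume 'any', 'host A' or 'A MASK' from the front of tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    if ios and not wildcard_is_contiguous(mask):
        raise ValueError(f"non-contiguous wildcard {mask} on {tok}")
    # ipaddress reads a mask whose first octet is zero as a wildcard (host mask)
    # and one whose first octet is non-zero as a subnet mask, so both forms work.
    return ipaddress.IPv4Network(f"{tok}/{mask}", strict=False)


def parse(lines: List[str], ios: bool) -> List[Entry]:
    """Return (acl, action, src, dst) for every 'ip' entry; remarks are skipped."""
    entries = []
    for line in lines:
        m = (IOS_LINE if ios else ASA_LINE).match(line.strip())
        if not m:
            continue
        name, action, rest = m.groups()
        toks = rest.split()
        src = _take(toks, ios)
        dst = _take(toks, ios)
        entries.append((name, action, src, dst))
    return entries


def mirror_ok(ios_crypto: List[Entry], asa_crypto: List[Entry]) -> bool:
    """Crypto ACLs must match with source and destination swapped."""
    a = {(s, d) for _, act, s, d in ios_crypto if act == "permit"}
    b = {(d, s) for _, act, s, d in asa_crypto if act == "permit"}
    return a == b


def nat_exempt_ok(nat_acl: List[Entry], local, remote) -> bool:
    """The first entry covering local->remote decides; it must be a deny."""
    for _, action, s, d in nat_acl:
        if local.subnet_of(s) and remote.subnet_of(d):
            return action == "deny"
    return False


LOCAL = ipaddress.IPv4Network("172.19.3.128/25")   # IOS-side LAN from the post
REMOTE = ipaddress.IPv4Network("172.19.5.64/26")   # ASA-side LAN from the post

# Constructed to mirror the post.  0.0.0.65 is what was posted for the IOS
# crypto ACL; 0.0.0.63 is the wildcard that corresponds to 255.255.255.192.
IOS_CRYPTO_POSTED = ["access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.65"]
IOS_CRYPTO_FIXED = ["access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63"]
ASA_CRYPTO = ["access-list 110 extended permit ip 172.19.5.64 255.255.255.192 "
              "172.19.3.128 255.255.255.128"]
IOS_NAT_POSTED = [
    'access-list 110 remark "Outbound NAT Rule"',
    "access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127",
    "access-list 110 permit ip 172.19.3.128 0.0.0.127 any",
    "access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63",
]
# Same entries with the VPN deny moved above the permit-any.
IOS_NAT_REORDERED = IOS_NAT_POSTED[:2] + [IOS_NAT_POSTED[3], IOS_NAT_POSTED[2]]


def run_checks() -> dict:
    results = {}
    try:
        parse(IOS_CRYPTO_POSTED, ios=True)
        results["posted_wildcard_valid"] = True
    except ValueError:
        results["posted_wildcard_valid"] = False
    results["crypto_acls_mirror"] = mirror_ok(parse(IOS_CRYPTO_FIXED, True),
                                              parse(ASA_CRYPTO, False))
    results["nat_exempt_posted"] = nat_exempt_ok(parse(IOS_NAT_POSTED, True), LOCAL, REMOTE)
    results["nat_exempt_reordered"] = nat_exempt_ok(parse(IOS_NAT_REORDERED, True), LOCAL, REMOTE)
    return results


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name}: {ok}")
```

On the constructed input the first check rejects 0.0.0.65, the crypto ACLs mirror once the wildcard is 0.0.0.63, and the NAT exemption only passes after the deny is moved above the permit-any, because IOS evaluates ACL entries in order and stops at the first match. Two further points a reviewer would raise on the ASA config above, neither of which affects whether the tunnel comes up: "ssh 0.0.0.0 0.0.0.0 outside" allows SSH to the firewall from any Internet address, and the ISAKMP policy pairs 3DES with MD5, both legacy choices.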
-
How to apply QoS in the precedence of the cache server
I'm in an ISP and I want to apply QoS to enhance my network's Internet performance.
Actually I have two requests. I will start by showing a brief topology of my network and then ask the questions.
Here is the topology below:
From the topology above, my access is only on R1, which is the BGP Internet gateway router, and R2 is my ISP router.
1- I want to apply QoS on R1 so that a subnet of 32 IPs has a guaranteed bandwidth of 30M.
Assume the subnet is 10.20.30.0/27, which needs the bandwidth guarantee.
2- I want the download traffic by IDMan or FTP on my router R1 not to exceed 50% of my total bandwidth.
I mean that I have 450M bandwidth from my ISP, and sometimes we have slow browsing, so I want to enhance the browsing quality because it's more important than downloading files from the Internet.
Here are my two requests above. I don't know how it will work with the precedence of the cache server.
Anyway, I will paste my router config, and I will replace my public IPs with xxx for privacy.
7200Gateway#sh run
Building configuration...
Current configuration : 10149 bytes
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname 7200Gateway
boot-start-marker
boot-end-marker
logging message-counter syslog
logging buffered 50000
enable secret xxxxxxxxxxxxxx
no aaa new-model
ip source-route
ip wccp 80 redirect-list CACHE80
ip wccp 90 redirect-list CACHE90
ip cef
no ip domain lookup
ip accounting-threshold 4294967295
login block-for 180 attempts 3 within 60
login quiet-mode access-class telnet
login on-failure log
login on-success log
no ipv6 cef
multilink bundle-name authenticated
username xxxxxx password xxxxx
archive
log config
hidekeys
interface GigabitEthernet0/1
description LAN
bandwidth 230000
ip address 10.160.150.2 255.255.255.0
ip wccp 80 redirect in
ip policy route-map CACHE-REDIRECT
load-interval 30
duplex auto
speed auto
media-type rj45
negotiation auto
interface FastEthernet0/2
no ip address
shutdown
duplex auto
speed auto
interface GigabitEthernet0/2
description Cache
bandwidth 150000
ip address x.x.x.x 255.255.255.248
ip wccp redirect exclude in
load-interval 30
duplex auto
speed 1000
media-type rj45
negotiation auto
interface GigabitEthernet0/3
description Internet
bandwidth 230000
ip address x.x.x.x 255.255.255.252
ip wccp 90 redirect in
load-interval 30
duplex full
speed 1000
media-type sfp
negotiation auto
router bgp zzzzzzz
no synchronization
bgp log-neighbor-changes
network xxxx mask xxxxx
network xxxx mask xxxx
network xxxx mask xxxxx
network xxxx mask xxxx
network xxxx mask xxxxx
network xxxx mask xxxx
redistribute connected
redistribute static
neighbor zzzzzzzz remote-as zzzzzzz
neighbor zzzzzzz password zzzzzzz
neighbor zzzzzz route-map Pipo out
no auto-summary
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xxxxxxxxxxx
ip route xxxxxxxx 255.255.0.0 xxxxxxxxxx
ip route xxxxxxxx 255.255.0.0 xxxxxxxxxx
ip route xxxxxxxx 255.255.0.0 xxxxxxxxxx
ip route xxxxxxxx 255.255.0.0 xxxxxxxxxx
ip route xxxxxxxx 255.255.0.0 xxxxxxxxxx
ip route xxxxxxxx 255.255.0.0 xxxxxxxxxx
ip route xxxxxxxx 255.255.0.0 xxxxxxxxxx
no ip http server
no ip http secure-server
ip flow-top-talkers
top 200
sort-by bytes
cache-timeout 5000
ip access-list extended bb
permit ip xxxx.xxxx.xx.0 0.0.1.255 any
ip access-list extended CACHE80
permit tcp xxxxxxx any eq www
ip access-list extended CACHE90
permit tcp any xxxxx.0 0.0.0.255
ip access-list extended pipo
permit ip xxxxx xxxxxxx any
permit ip xxxxx xxxxxxx any
ip access-list extended private
permit tcp 172.16.0.0 0.0.255.255 any eq www
permit ip 10.20.30.0 0.0.0.255 any
ip access-list extended telnet
permit ip xxxxxx xxxxxxx.255.255 any log
permit ip xxxx xxxxx 0.0.0.255 any log
ip prefix-list bb seq 5 permit xxxxx
ip prefix-list bb seq 10 permit xxxxxx
logging history size 500
no cdp run
route-map pipo permit 10
match ip address prefix-list pipo1
route-map pipo permit 20
match ip address prefix-list newsubnet
set metric 500
set origin incomplete
set as-path prepend xxxxxxxxx
route-map permit 10
match ip address prefix-list bibo
route-map CACHE-REDIRECT permit 10
match ip address private
set ip next-hop 1vvvvvv
route-map CACHE-REDIRECT permit 20
match ip address bibo e1
set ip next-hop vvvvvv
route-map CACHE-REDIRECT permit 30
match ip address pipo
set ip next-hop vvvvvvvvvv
route-map CACHE-REDIRECT permit 100
snmp-server community xxxxxx RO
control-plane
dial-peer cor custom
line con 0
password xxxxxxxx
logging synchronous
login
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 60 0
password xxxxxxxxxxxxxxxxx
logging synchronous
login local
end
-
Hi Vinay,
Please check the program. I have used the REPLACE statement, but it is not working.
IF NOT v_sap_bom_rec IS INITIAL.
* Splitting the record at the '~' delimiter
  SPLIT v_sap_bom_rec AT c_del INTO wa_bom_file-model_name
                                    wa_bom_file-product_code
                                    wa_bom_file-description
                                    wa_bom_file-product_type
                                    wa_bom_file-mfg_part_num
                                    wa_bom_file-mfg_part_desc.
  REPLACE cl_abap_char_utilities=>horizontal_tab IN wa_bom_file-mfg_part_desc WITH space.
  wa_bom_file-status = c_status.
  APPEND wa_bom_file TO i_bom_file.
ENDIF.
But it is not working.
Please help me..
Thanks
Neelima
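Before the next post, a caveat that applies to the 7200Gateway config earlier on this page, where "service password-encryption" is on and passwords appear on the username line, the BGP neighbor line and the con/vty lines. Under that setting IOS stores those values as Type 7 strings, which are a reversible XOR against a fixed key string rather than a hash, so anyone holding a copy of the configuration holds the clear-text passwords, the BGP MD5 key included. Only "enable secret" (which that config already uses) and "username ... secret" are one-way. What follows is an added example and not code from any post here: a Type 7 decoder and encoder plus a scan over a constructed config fragment. The one literal value, 0822455D0A16, is the widely published Type 7 encoding of the string "cisco"; the other two values in the fragment are generated by the encoder in the example and are not the poster's.

```python
"""Cisco IOS Type 7 decoder and scanner.

Added example, not code from any post on this page.  'service
password-encryption' rewrites 'password <clear>' as 'password 7 <hex>'.
Type 7 is a reversible XOR against a fixed key string, so a copy of the
configuration is as good as the clear-text password.
"""
import re
from typing import Dict

# Fixed key string that IOS XORs against; indexing starts at the two-digit seed.
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Matches 'password 7 <hex>' on username, neighbor and line entries.
TYPE7_LINE = re.compile(r"\bpassword\s+7\s+([0-9A-Fa-f]{4,})\s*$")


def type7_decode(encoded: str) -> str:
    """Two decimal seed digits, then hex pairs XORed with _XLAT from that seed."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("type 7 strings are 2 seed digits plus hex pairs")
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    clear = bytes(b ^ _XLAT[(seed + i) % len(_XLAT)] for i, b in enumerate(body))
    return clear.decode("ascii")


def type7_encode(clear: str, seed: int = 0) -> str:
    """Inverse transform; IOS picks a seed of 0..15, so we restrict to that."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be in 0..15")
    data = clear.encode("ascii")
    body = bytes(b ^ _XLAT[(seed + i) % len(_XLAT)] for i, b in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


def recover_from_config(config: str) -> Dict[str, str]:
    """Map each stripped 'password 7' line in config to its recovered clear text."""
    found = {}
    for line in config.splitlines():
        m = TYPE7_LINE.search(line)
        if m:
            found[line.strip()] = type7_decode(m.group(1))
    return found


# Constructed fragment in the shape of the 7200Gateway config.  0822455D0A16
# is the well-known published Type 7 encoding of 'cisco'; the other two
# values are produced by type7_encode here and are not the poster's.
SAMPLE_CONFIG = f"""\
service password-encryption
enable secret 5 $1$placeholder$notreversible
username admin password 7 {type7_encode('Sup3r-S3cret', 5)}
router bgp 65000
 neighbor 192.0.2.1 password 7 {type7_encode('bgp-md5-key', 3)}
line vty 0 4
 password 7 0822455D0A16
 login
"""


if __name__ == "__main__":
    for line, clear in recover_from_config(SAMPLE_CONFIG).items():
        print(f"{line:55s} -> {clear}")
```

The "enable secret 5" line is left alone by the scanner because it is an MD5-based hash, not Type 7. To remove the exposure rather than just measure it, use "username ... secret" with "login local" on the lines, treat the BGP neighbor password as recoverable by anyone who can read the config or its archive, and remember that "snmp-server community ... RO" strings are stored in clear regardless of "service password-encryption".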
-
Cisco 1812 wireless setup, can't get it to work
Hello everyone,
I've read through the "871 wireless setup" topic, which I found very helpful, but I still can't get my wireless working. Basically I have a Cisco 1812W and I would like both wireless and wired to be on the same subnet. We aren't using DHCP, so the IPs are all static (even for the wireless clients). I can connect to my wireless SSID, but ping doesn't go through either way. Wired connections are working fine. So the wireless client is connected, but has no IP address as far as the router goes (show dot11 associations shows its IP as 0.0.0.0), but the wireless client does have an IP set up.
I guess I'm overlooking something in my config, so here it is (I took out the firewall rules and AAA setup; they aren't relevant if I'm not mistaken, and there's a limit to the post size):
ip cef
ip tcp synwait-time 10
no ip bootp server
ip name-server <removed>
ip name-server <removed>
crypto pki trustpoint TP-self-signed-1358229530
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1358229530
revocation-check none
rsakeypair TP-self-signed-1358229530
crypto pki certificate chain TP-self-signed-1358229530
certificate self-signed <removed>
quit
username <removed>
bridge irb
interface Null0
no ip unreachables
interface FastEthernet0
description $ETH-WAN$$FW_OUTSIDE$
ip address extip extsubnet
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip inspect sdm_ins_in_100 in
ip inspect SDM_MEDIUM out
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
interface FastEthernet1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
duplex auto
speed auto
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation hdlc
ip route-cache flow
shutdown
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
interface FastEthernet5
interface FastEthernet6
interface FastEthernet7
interface FastEthernet8
interface FastEthernet9
interface Dot11Radio0
description 802.11g
no ip address
encryption mode ciphers tkip
ssid <removed>
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 <removed>
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio1
description 802.11a
no ip address
shutdown
encryption key 1 size 40bit 7 1ED10A3EC0C5 transmit-key
encryption mode wep mandatory
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
interface Vlan1
description $FW_INSIDE$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
ip route-cache flow
bridge-group 1
interface BVI1
ip address <internal router ip> <subnet>
ip access-group 100 in
ip nat inside
ip virtual-reassembly
ip route 0.0.0.0 0.0.0.0 <external router IP> permanent
ip flow-top-talkers
top 5
sort-by bytes
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
<bunch of static nats>
<access rules>
no cdp run
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
control-plane
bridge 1 protocol ieee
bridge 1 route ip
line con 0
line aux 0
line vty 0 4
access-class 102 in
password 7 <removed>
transport input ssh
scheduler allocate 4000 1000
webvpn context Default_context
ssl authenticate verify all
no inservice
end
Okay, I've somewhat figured it out. Apparently my WPA-PSK configuration doesn't work with the integrated Broadcom adapter found in the laptop I was testing it with.
Either that or my WPA-PSK configuration is broken.
I switched over to an open network with no encryption and everything works now.
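Both router configs on this page enable the feature this thread is about: the 7200 with "ip flow-top-talkers / top 200 / sort-by bytes / cache-timeout 5000" (the timeout is in milliseconds, so the list is recomputed every five seconds) and the 1812 with "top 5 / sort-by bytes". What "show ip flow top-talkers" then prints is a table whose Pr, SrcP and DstP columns are hexadecimal and whose Bytes column is rounded with a K/M/G suffix, so it needs a little parsing before it answers the kind of question the ISP poster has, namely which hosts and which services are consuming the 450M. The following is an added example, not code from either post: a parser for that table plus per-source and per-service totals and a "share of bytes" helper, run on a constructed sample that uses documentation address ranges rather than either poster's networks. Treating K/M/G as powers of 1000 and taking the lower of the two ports as the service port are assumptions of this example.

```python
"""Parse 'show ip flow top-talkers' into per-host and per-service totals.

Added example, not code from any post.  Columns: SrcIf SrcIPaddress DstIf
DstIPaddress Pr SrcP DstP Bytes; Pr and the ports are hexadecimal and the
byte count is rounded with a K/M/G suffix.  The sample output is constructed.
Assumptions of this example: K/M/G are powers of 1000, and the lower of
the two ports is the service port.
"""
import re
from collections import defaultdict
from typing import Callable, Dict, List, NamedTuple

SUFFIX = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre", 50: "esp"}

ROW = re.compile(
    r"^(?P<sif>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dif>\S+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<pr>[0-9A-Fa-f]{2})\s+"
    r"(?P<sp>[0-9A-Fa-f]{1,4})\s+(?P<dp>[0-9A-Fa-f]{1,4})\s+(?P<bytes>\d+[KMG]?)$")


class Flow(NamedTuple):
    src_if: str
    src: str
    dst_if: str
    dst: str
    proto: int
    sport: int
    dport: int
    byte_count: int


def parse_bytes(text: str) -> int:
    """'2366K' -> 2366000.  IOS rounds, so totals are approximate."""
    m = re.fullmatch(r"(\d+)([KMG]?)", text)
    if not m:
        raise ValueError(f"bad byte count {text!r}")
    return int(m.group(1)) * SUFFIX[m.group(2)]


def parse_top_talkers(output: str) -> List[Flow]:
    """Header, blank and trailing summary lines do not match ROW and are skipped."""
    flows = []
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if m:
            flows.append(Flow(m["sif"], m["src"], m["dif"], m["dst"],
                              int(m["pr"], 16), int(m["sp"], 16), int(m["dp"], 16),
                              parse_bytes(m["bytes"])))
    return flows


def service_key(f: Flow) -> str:
    """'tcp/80', 'udp/53', or just the protocol name for non TCP/UDP traffic."""
    name = PROTO_NAMES.get(f.proto, str(f.proto))
    return f"{name}/{min(f.sport, f.dport)}" if f.proto in (6, 17) else name


def _totals(flows: List[Flow], key: Callable[[Flow], str]) -> Dict[str, int]:
    totals: Dict[str, int] = defaultdict(int)
    for f in flows:
        totals[key(f)] += f.byte_count
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


def bytes_by_source(flows: List[Flow]) -> Dict[str, int]:
    return _totals(flows, lambda f: f.src)


def bytes_by_service(flows: List[Flow]) -> Dict[str, int]:
    return _totals(flows, service_key)


def share(flows: List[Flow], predicate: Callable[[Flow], bool]) -> float:
    """Fraction of the listed bytes matching predicate (e.g. 'is this FTP?')."""
    total = sum(f.byte_count for f in flows)
    return sum(f.byte_count for f in flows if predicate(f)) / total if total else 0.0


def is_ftp(f: Flow) -> bool:
    return f.proto == 6 and min(f.sport, f.dport) in (20, 21)


# Constructed sample; documentation address ranges, not the posters' networks.
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP Bytes
Gi0/3         198.51.100.10   Gi0/1         10.20.30.7      06 0014 C3A1   120M
Gi0/3         198.51.100.10   Gi0/1         10.20.30.7      06 0015 C3A2    10K
Gi0/3         203.0.113.5     Gi0/1         10.20.30.40     06 0050 D2B0    45M
Gi0/1         10.20.30.7      Gi0/3         198.51.100.10   06 C3A1 0015    18M
Gi0/3         192.0.2.9       Gi0/1         10.160.150.2    32 0000 0000    30M
5 of 200 top talkers shown. 812 flows processed.
"""

if __name__ == "__main__":
    flows = parse_top_talkers(SAMPLE)
    print("by source :", bytes_by_source(flows))
    print("by service:", bytes_by_service(flows))
    print(f"FTP share : {share(flows, is_ftp):.1%}")
```

Note that Pr 32 is hex, so the last sample row is protocol 50 (ESP), not protocol 0x20 in decimal; reading that column as decimal is the most common mistake with this output. For the 50% question, share(flows, is_ftp) measured over a few intervals is the number to compare against the policy you then build; the top-talkers list is a snapshot of the cache, not a rate, so compare consecutive snapshots rather than treating one as bandwidth.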