ACLs never apply to traffic generated by the router

http://www.ciscopress.com/articles/article.asp?p=174313&seqNum=4&rl=1
"Another special note on Cisco ACLs is that ACLs never apply to traffic generated by the router. So, even if you have an inbound and an outbound ACL on a router denying all traffic, the router will still be able to send any packet it wants; the return packet, however, will be blocked as usual".
Is it (the return packet, however, will be blocked as usual) the case all the time? If it is the case, could you please explain?

Thanks Rick. I need some clarification about the scenario below, please:
Suppose I have R1 (one of many routers) with two interfaces, serial0/0 and e0/0. The IP address for serial0/0 is 192.168.0.1/24 and the IP address for e0/0 is 172.16.0.1/16.
R1(config)#access-list 101 deny ip any any
R1(config)#interface serial 0/0
R1(config-if)#ip access-group 101 out
R1(config)#access-list 150 deny ip any any
R1(config)#interface ethernet 0/0
R1(config-if)#ip access-group 150 in
Now we have satisfied the condition it describes: "where there is an outbound ACL and an inbound ACL and they both deny all traffic".
1- ((The inbound ACL will deny all traffic)).
This is obvious: for any packet that tries to enter router R1, the ACL checks both IP addresses, the source (any) and the destination (which can be one of the interfaces belonging to R1); because it matches the ACL condition, it is dropped.
2- ((In this case the outbound ACL can deny transit traffic, but can not deny packets generated by the router which will be transmitted)).
The first part (In this case the outbound ACL can deny transit traffic) is fine; the second part, "but can not deny packets generated by the router which will be transmitted", is my problem. My understanding is this: when packets are generated by router R1, these packets have a source IP address and a destination IP address.
The source and destination IP addresses still match the condition of the ACL, so why shouldn't they be denied?
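The R1 scenario above, replayed as an added example that is not part of the thread and not Cisco code: a small Python model of how IOS consults interface ACLs, using the poster's interfaces, ACL numbers and addresses. The host 192.168.0.2 on the serial link is a constructed neighbour, and the last case adds the inbound deny on serial0/0 that the Cisco Press quote assumes.

```python
import ipaddress
# Added model (not Cisco code): interfaces, ACL numbers and addresses are the
# thread's; the neighbour 192.168.0.2 on the serial link is constructed.

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit in the mask means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def _parse_addr(tok):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tok[0] == "any":
        return "0.0.0.0", "255.255.255.255", tok[1:]
    if tok[0] == "host":
        return tok[1], "0.0.0.0", tok[2:]
    return tok[0], tok[1], tok[2:]

class Acl:
    """Numbered extended ACL: 'access-list N permit|deny PROTO SRC DST'."""
    def __init__(self, number):
        self.number, self.entries = number, []

    def add(self, line):
        tok = line.split()
        src, src_wc, rest = _parse_addr(tok[4:])
        dst, dst_wc, _ = _parse_addr(rest)
        self.entries.append((tok[2] == "permit", tok[3], src, src_wc, dst, dst_wc))

    def permits(self, pkt):
        """First match wins; every ACL ends with an implicit 'deny ip any any'."""
        for permit, proto, src, src_wc, dst, dst_wc in self.entries:
            if (proto in ("ip", pkt["proto"])
                    and wildcard_match(pkt["src"], src, src_wc)
                    and wildcard_match(pkt["dst"], dst, dst_wc)):
                return permit
        return False

class Router:
    def __init__(self):
        self.acls = {"in": {}, "out": {}}  # direction -> interface -> Acl

    def _check(self, direction, iface, pkt):
        acl = self.acls[direction].get(iface)
        if acl is not None and not acl.permits(pkt):
            return "denied by ACL %d %s on %s" % (acl.number, direction, iface)
        return None

    def forward(self, pkt, in_iface, out_iface):
        """Transit traffic: inbound ACL on entry, then outbound ACL on exit."""
        return (self._check("in", in_iface, pkt)
                or self._check("out", out_iface, pkt) or "forwarded")

    def originate(self, pkt, out_iface):
        """Router-generated packets are never checked by the outbound ACL."""
        return "sent, outbound ACL on %s not consulted" % out_iface

    def receive(self, pkt, in_iface):
        """A reply addressed to the router is still subject to the inbound ACL."""
        return self._check("in", in_iface, pkt) or "delivered to router"

def demo():
    """Replay the thread's R1 (101 out on s0/0, 150 in on e0/0); return verdicts."""
    r1, acl101, acl150 = Router(), Acl(101), Acl(150)
    acl101.add("access-list 101 deny ip any any")
    acl150.add("access-list 150 deny ip any any")
    r1.acls["out"]["serial0/0"], r1.acls["in"]["ethernet0/0"] = acl101, acl150
    transit = {"proto": "icmp", "src": "172.16.5.5", "dst": "192.168.0.2"}
    echo = {"proto": "icmp", "src": "192.168.0.1", "dst": "192.168.0.2"}
    reply = {"proto": "icmp", "src": "192.168.0.2", "dst": "192.168.0.1"}
    v = {"transit e0/0 -> s0/0": r1.forward(transit, "ethernet0/0", "serial0/0"),
         "R1 pings 192.168.0.2": r1.originate(echo, "serial0/0"),
         "reply, no inbound ACL on s0/0": r1.receive(reply, "serial0/0")}
    r1.acls["in"]["serial0/0"] = acl101  # the Cisco Press case: inbound deny too
    v["reply, 101 also applied inbound"] = r1.receive(reply, "serial0/0")
    return v
```

With the poster's exact configuration the reply is delivered, because nothing is applied inbound on serial0/0; the quote's "blocked as usual" only holds once an inbound deny exists on the interface the reply arrives on.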

Similar Messages

  • My Wi-Fi just says connecting, but never connects. I've rebooted the router and the phone.

    Well that was it. My Wi-Fi just says connecting but never connects. I've rebooted the router and the phone. LG G2

    ETea,
    Sorry to hear about the trouble with Wi-Fi. Let's get you connecting again. Are other Wi-Fi capable devices able to connect without issue? Go to Settings and touch Wi-Fi. Touch your network and select "Forget." Touch "Search" on the bottom. Once the phone detects the network again, touch the network, enter your password and select connect. Let us know if you get connected.
    BrianP_VZW
    Follow Us on Twitter @VZWSupport

  • QoS Marking Traffic Generated by Network Device

    I am working on defining QoS configuration standards for Catalyst 3750, 4500 and 6500 platforms. I would like to provide preferred treatment to some of the protocols commonly used for network management (e.g. telnet, ssh, etc.). I have no issues with classifying and marking traffic generated by an NMS or PC connected to a switch, but I cannot figure out how to classify and mark traffic generated by the switch itself. It won't do any good if traffic from the NMS or PC to the device is preferred but the response from the device is unmarked/best effort.
    The only way that I can see to do this is to apply an input policy on the upstream device to classify and mark the network management traffic. I would prefer to do it on the device itself. Does anyone know if that is possible?
    I'm assuming that any traffic generated by the switch would be ignored by an output policy, similar to the way that traffic generated by the device bypasses access-lists. Even if this is a bad assumption, the 3750 does not support output policies, so I'd still be stuck there.
    It was suggested that I look into applying the policy to the control plane; however, on the platforms where that option is available, policies can only be applied to the input, which I believe is the wrong direction.
    Anyone have other suggestions on how to accomplish this or is this a lost cause?

    You can use local PBR to do this. Check out the local policy-map
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/fqcprt1/qcfpbr.htm#wp1001002

  • Very high data traffic generated by Nokia Messagin...

    Is anyone else seeing really high data use on their phone log following last week's Messaging outage?
    Up until last week's outage, the data traffic generated by Messaging was about 5kb an hour (with no new emails sent or received). Presumably this small amount of data traffic results from the Nokia email server "pinging" the phone periodically to keep the connection open.
    But after last week's outage and issues with passwords being requested etc etc, I saw that the data traffic generated by the Messaging app has gone through the roof - about 400 - 500kb an hour!  Again, this is with no new emails sent or received - so theoretically is just the server pinging the phone to keep the idle connection open!
    I reinstalled Nokia Messaging on my phone (E61i) - no difference - the data generated by the Messaging app is still 400 - 500 kb an hour (it stops when I take Messaging offline).  
    I have friends roaming in Ireland and their phone has had the same problem - the data traffic generated by their Messaging app is sky high and they have had to shut it down because of the high cost of data whilst roaming.
    I also newly installed Messaging on another phone (N95) that I have, using a brand new email account and a new T-mobile SIM card, and guess what - that phone also has sky high data traffic due to Messaging.
    What is going on?? Can someone at Nokia Messaging please sort this out? Anyone roaming with Nokia Messaging enabled is facing huge data charges from their network.

    The data traffic occurs in phones which are on a home network (mine in the UK) and on a roaming network (my friends traveling in Ireland).  Interestingly, I've now checked with another friend who is roaming in Italy and they also use Messaging but haven't seen any high packet data issues with their phone.
    The data traffic shows up in the Packet Log, as well as on the actual T-Mobile network account (plus the charges for the data!)  Accessing a T-Mobile UK account online shows all packet data use - in this case, 120-150 kb every 15 minutes, whereas before last week it was 1-2kb every 15 minutes.  
    When I "Go Offline" with Nokia Messaging, the high data traffic stops, both on the Packet Log and network account, so I am 100% certain this is due to Messaging.

  • Measure / Analyze traffic on a 17xx router

    Hi,
    I've got a Cisco 17xx router with a 2MB connection and some branch offices connected with VPN tunnels to this router.
    Since a few days we have some annoying delays.
    Since the router is the only device between the LAN and the internet, what commands can I use to analyze the traffic going to the router?
    Regards,

    Enable NetFlow on the router: in config mode, enter "ip cef" to enable Cisco Express Forwarding on the router, and "ip route-cache flow" on the interfaces.
    From the command line interface, "show ip cache flow" will show you in real-time the active flows across your router. Keep in mind that the protocol ("Pr"), source port ("SrcP") and destination port ("DstP") will be listed in hexadecimal.
    For example, protocol 11 in hexadecimal is really protocol 17 in decimal, which is UDP; 06 in hex is 06 in decimal, which is TCP; and 01 in hex is 01 in decimal, which is ICMP.
    Similarly, port 0019 in hex is port 25 in decimal, which is SMTP; port 0035 in hex is port 0053 in decimal, which is DNS; and port 0050 in hex is port 0080 in decimal, which is HTTP.
    If you enable NetFlow Data Export to a computer that is running a program such as
    ManageEngine™ NetFlow Analyzer 4
    http://manageengine.adventnet.com/products/netflow/
    you can not only track your bandwidth usage over time, you can also drill down and see exactly what you're doing with that bandwidth, where your users are going, when they went there, etc. And the application converts the hex to decimal for you, so it's easier to interpret.

  • Wireless issues... not the router!!!

    My roommate and I bought a router back in July and it worked great for my iBook G4 and her PC... we started having issues with the router and just got it replaced but now, I can no longer connect to our wireless network. I ran the router set-up disc through my computer hoping this would help but it's done nothing.
    I click on our network, and all I get is "There was an error joining the Airport Network". I have tried going under Internet Connect but it won't even let me pull up our network without the error message so I can't adjust the settings (password, security key, etc.).
    The router is a Linksys WRA110-V1. I checked the box, it works with macs and like I said above, it worked great up until a few weeks ago. I have no trouble connecting to other networks; it's just ours.
    Any suggestions??? Thanks!!!

    You could try that, although you would have intentionally had to set it up using those. Most people will just plug it in and start using it, never even adjusting any settings in the router, thereby leaving the default login and password in place. If you think you set it up at one time, by all means, try all the login and passwords that you might have used.
    This is a fairly common problem however, and I would suggest repairing your permissions in the disk utility which is in the utilities folder inside the applications folder. It should be done any time something isn't working right. When you open the window in that utility, you click on your hard drive icon in left column and then select repair permissions at the bottom of the window. When it's finished, you can close the window and go back and try to connect again.

  • Can you set the Tax Code value in the Product Import File to "Tax Never Applies"?

    We have taxable and non-taxable items in our store and I need to be able to set all non-taxable food items to "Tax Never Applies" in the Product Import document. Does anyone know a work around for this? Applying this setting to hundreds of items is not ideal at all.
    Many thanks in advance!
    -Eric

    Did you ever get an answer?  I'm in the same boat...the only way I can seem to not charge tax to my wholesale clients is to set "tax never applies".  But I've got over 300 products...how can I do it "en masse"???
    Anybody??
    I tried creating a special tax code at 0% but that didn't do it either.
    thanks in advance,
    Scot.

  • Since the NEW version has been installed, I've received an update notice of a critical update. Each time I select to apply that update, the dialog never applies any update; it looks to be in a processing state but never completes.

    Any Firefox updates are set to automatically update on my computer. I currently have version 4.0.
    Since the NEW version has been installed, I've received an update notice for a critical update several times. Each time I select to apply that update, the dialog never applies any update; it looks to be in a processing state but never completes. Of late I've had 2 unexpected issues surface. (1) A Flash Player stopped flashing; a "player stopped" message appeared, with "send error report" and a reload player message included. (2) I just received an error message > 400 "Bad Request" when the browser first opened. This has never happened before.
    Michael Armstrong
    mikes16arms

    It is a Remote Desktop Client Update 3.7.1
    Thank you for answering. I apologize it has taken me so long to get back in here.
    I just realized that I wrote that I installed from app store originally, but I must correct that statement. I never paid for the app so it must have come preinstalled on my 2011 iMac. I was confused since the update is through the store so I assumed I downloaded it. Sorry for any miscommunication.
    So to be clear, even though I have never remotely administered / accessed my computer and I no longer have ARD on my computer, it is normal to have the client update appear in my App Store. Is that correct?
    I appreciate your assistance.

  • How to apply LLQ QoS to traffic generated by the router?

    There is a voice gateway at the remote site; the voice card connects to the local PSTN. For QoS, the router must prioritize the voice traffic which is generated locally.
    So is there any idea?

    No, it doesn't work. please see below:
    R2#sh ip local policy
    Local policy routing is enabled, using route map QoS
    route-map QoS, permit, sequence 10
    Match clauses:
    ip address (access-lists): IP_QOS_5
    Set clauses:
    Policy routing matches: 11060 packets, 950804 bytes
    Local policy routing matches many packets of IP precedence 5 or RTP traffic. But... CBWFQ only matches a few RTP packets...
    Class-map: Voice (match-any)
    5 packets, 458 bytes
    30 second offered rate 0 bps, drop rate 0 bps
    Match: protocol rtp
    5 packets, 458 bytes
    30 second rate 0 bps
    Queueing
    Strict Priority
    Output Queue: Conversation 136
    Bandwidth 70 (%)
    Bandwidth 358 (kbps) Burst 8950 (Bytes)
    (pkts matched/bytes matched) 0/0
    (total drops/bytes drops) 0/0

  • Wireless guest users cannot ping if ACL is applied

    Hi friends,
    This is the first time I am trying my hands on wireless gears. I have 2500 WLC and 1142 AP (which I converted from Standalone to LAP).
    I have a layer 3 PoE switch where I am using port 1 for the WLC, which is a trunk port.
    Port 2 is for the AP, using access VLAN 111.
    Port 3 is a trunk port going to a router where I am running a DHCP server for the VLANs, which are as follows:
    VLAN 110 -Corp Wireless (10.1.110.0/24)
    VLAN 111 - AP-Mgmt (10.1.111.0/24)
    VLAN 999 - Guest (10.1.101.0/24)
    I wanted to block the traffic from the Guest VLAN 999, but when I apply the ACL on the Guest interface created on the WLC, I don't see any pings going across, nor do I see any hit counts on the deny statement, as if the ACL is never applied.
    Can someone guide me in the right direction if I am missing anything??
    Thanks,
    Mohit

    rdvorak wrote: Put the ACL on the WLAN, not on the interface.
    But applying the ACL to the interface will affect all WLANs that utilize that interface!!!
    Rating useful replies is more useful than saying "Thank you"

  • Should an ACL be applied on the port in Closed mode

    Hi,
    While reading about Closed Mode deployment of ISE, I came across a conflict between Cisco's "HowTo-10-Universal_Switch_Config" and "HowTo-25-Closed_Mode" documents.
    According to "HowTo-10-Universal_Switch_Config", in Closed Mode we need to apply an ACL on the switch port as follows:
    ip access-list ext ACL-DEFAULT
    remark DHCP
    permit udp any eq bootpc any eq bootps
    remark DNS
    permit udp any any eq domain
    remark Ping
    permit icmp any any
    remark PXE / TFTP
    permit udp any any eq tftp
    remark Drop all the rest
    deny ip any any log
    But according to "HowTo-25-Closed_Mode", in Closed Mode we don't apply this ACL on the switchport.
    So my question is whether the ACL needs to be applied on the switchport or not, and how it will affect the switchport.
    Thanks,
    Aditya

    Hello Aditya-
    Very good question. The default ACL will always be there on the switch whether you configure one or not. Check out this document:
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-0_1_se/configuration/guide/3750xcg/sw8021x.html#pgfId-1193896
    You have two options:
    1. Create your own default ACL to avoid the default one (that only allows DHCP). Your default ACL should be more permissive than the default one. For instance, mine always included "permit ip any any." That way authenticated and authorized hosts are not blocked from accessing any resources on the network. 
    2. Always return a DACL in your ISE authorization profiles (even if it is just "permit ip any any"). That way the default ACL is removed.
    I prefer method number #2 that way I don't have to bother with the default ACL and it also allows me to control traffic based on the different authorization profiles and DACLs that I apply.
    I hope this helps!
    Thank you for rating helpful posts!

  • ACL to allow SNMP traffic

    I created an ACL to allow SNMP traffic through.  Once I applied it traffic does not pass.  Should be pretty simple.  Below is what I used.  I am using SNMP v2.
    ip access-list extended ABC-ACL
    permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq snmp
    permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq snmptrap
    permit icmp X.X.0.0 0.0.255.255 host SERVER_IP
    Additional permit statements omitted.

    HMidkiff wrote: I created an ACL to allow SNMP traffic through.  Once I applied it traffic does not pass.  Should be pretty simple.  Below is what I used.  I am using SNMP v2.
    ip access-list extended ABC-ACL
    permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq snmp
    permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq snmptrap
    permit icmp X.X.0.0 0.0.255.255 host SERVER_IP
    Additional permit statements omitted.
    Where is it applied: to an L3 switch VLAN interface or a router interface, which direction, etc.?
    Is the SNMP traffic from a specific device? You could add a permit with log for that specific device to see what ports it is using.
    Also, where is the SNMP coming from in your ACL? If it is the x.x.0.0 network, the ACL should be:
    permit udp x.x.0.0 0.0.255.255 eq snmp host SERVER_IP eq snmp
    etc..
    Jon

  • Not working traffic inside of the same interface

    Hi Guys.
    I need your help to configure a Cisco ASA 5510.
    Connected to a single interface I have a switch. To this switch (same VLAN) there are connected:
    1. The Subnet of the main office (192.168.1.253)
    2. A router  (IP 192.168.1.254) that routes the traffic to a remote location (Subnet 192.168.8.0/24)
    So I have allowed any traffic incoming on the inside interface as follows:
    access-list inside_access_in extended permit ip any any
    and I have permitted traffic intra interface as follows:
    same-security-traffic permit intra-interface
    Then I created a static route:
    route inside 192.168.8.0 255.255.255.0 EXTERNAL_ROUTER 1
    Now I can successfully ping the destination:
    Pinging 192.168.8.10 with 32 bytes of data:
    Reply from 192.168.8.10: bytes=32 time=135ms TTL=123
    Reply from 192.168.8.10: bytes=32 time=146ms TTL=123
    Reply from 192.168.8.10: bytes=32 time=143ms TTL=123
    Reply from 192.168.8.10: bytes=32 time=188ms TTL=123
    Unfortunately I cannot RDP into that server. When I simulate the connection via Packet Tracer, it tells me that the implicit deny at the bottom of the connections from "inside" (firewall) does not allow the connection.
    It sounds to me like that "same-security-traffic permit intra-interface" does work only if there are 2 interfaces and not a single one.
    Unfortunately I cannot just unplug the cable and connect it into another port as the ip is on the same subnet and I cannot configure the other end router.
    Please help :-(
    Thanks,
    Dario Vanin

    Ahh OK, telco router.
    You can quickly test if it's working by configuring the PC with static routes for 192.168.8.0/24 pointing towards the router (192.168.1.254).
    Here is sample configuration on TCP State Bypass:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b2d922.shtml
    access-list tcp-bypass-acl permit tcp 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
    access-list tcp-bypass-acl permit tcp 192.168.8.0 255.255.255.0 192.168.1.0 255.255.255.0
    class-map tcp-bypass-cm
       match access-list tcp-bypass-acl
    policy-map tcp-bypass-policy
       class tcp-bypass-cm
           set connection advanced-options tcp-state-bypass
    service-policy tcp-bypass-policy inside

  • Export of PDF errors after the PDF generates on the server (File I/O error)

    We have Crystal 9 reports engine, developed with VS2003, which is being called from a VS2008 web app on a 32-bit server. The reports have been working okay, unless the file is of size > 600K. Then, right after the PDF is created in the C:\Windows\Temp, the export fails to display it on the screen, throwing the following error:
    Error in File C:\WINDOWS\TEMP\temp_c2e5676e-7d48-413e-9dca-fd2615f236c6.rpt: File I/O error.
    at [1].[1]D(Int16   , Int32   ) at CrystalDecisions.CrystalReports.Engine.FormatEngine.Export(ExportRequestContext reqContext) at CrystalDecisions.CrystalReports.Engine.FormatEngine.Export() at CrystalDecisions.CrystalReports.Engine.ReportDocument.Export() at commisionstatement.CommissionStatementPDF.Page_Load(Object sender, EventArgs e) at System.EventHandler.Invoke(Object sender, EventArgs e) at System.Web.UI.Control.OnLoad(EventArgs e) at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Page.ProcessRequestMain()
    The issue is quite frustrating as it doesn't indicate what the cause of it is. It is not clear whether this is a timeout issue and what Timeout setting applies. The report objects have a default CacheTimeOut set as CachedReportConstants.DEFAULT_TIMEOUT. How long is this? is there any other setting on the server that can overwrite this timeout? What does the Export method need in order to find and pull the file on time?
    Note that the report generates on the server and if it's not too big, will display on the Client's browser.
    Your help will be greatly appreciated.
    Thank you,
    Sonya

    Hi David,
    So we were finally able to test with the increased timeout, which we set to 5 min:
    <httpRuntime
                executionTimeout="300"
                maxRequestLength="4096"
                useFullyQualifiedRedirectUrl="false"
                minFreeThreads="8"
                minLocalRequestFreeThreads="4"
                appRequestQueueLimit="100"
                enableVersionHeader="true"
            />
    Unfortunately, now we started getting other errors, related to the limit of the licenses:
    A Crystal Reports job failed because a free license could not be obtained in the time allocated. More licenses can be purchased direct from Crystal Decisions or through the Crystal Decisions Online Store.
    According to page 8 of the article below, we should be able to purchase more such licenses free of cost:
    http://www.sdn.sap.com/irj/boc/go/portal/prtroot/docs/library/uuid/7006fc4c-6a1e-2b10-8ea8-9019b136fa90?quicklink=index&overridelayout=true
    Could you let us know how to proceed in order to obtain the licenses?
    Thank you,
    Sonya

  • Re: How to disable MIG 7 Traffic Generator in simulation

    Hi Everyone,
    I was wondering how I can disable the Vivado traffic generator in simulation.
    I have fine-tuned my DDR channel and need to disable the traffic generator for simulation purposes; however, I don't see any option in the MIG 7 GUI interface, or any parameter that I can pass to the traffic generator from my top-level simulation file, to stop the traffic generator from issuing commands and putting random rd/wr data on my DDR bus.
    Any idea?
    Thanks,
    Mike

    Hi,
    If you generate the IP alone there will not be any traffic gen; only the example design comes with the traffic gen (right click on the .xci and choose example design).
    So while generating the IP there is no GUI option to disable the traffic gen.
    But if you attempt to link your user design top with the memory model, then you have to be extremely careful in passing the parameters and mapping the signals.
    Instead, if you are running the MIG example design simulation but want to drive your own traffic, you can simply comment out the traffic gen in example_top and have your own FSM for driving the MIG user interface.
    Hope this helps
    -Vanitha
