ASA Modular Policy Framework - Global vs. Interface
I understand from the Cisco documentation that a service-policy applied to an interface on an ASA 5500 series firewall, will override the default global service-policy. However, I am not clear on whether it will override the entire global service-policy, or only the parts where they overlap. In other words, would the resulting service-policy on the interface in question be just what was applied in the service-policy on the interface, completely replacing the global service-policy? Or, would it be a combination of the global and interface service-policies, with the interface one taking precedence where they overlap?
If I wanted an interface to have the same service-policy as the global service-policy plus one other item, can I just add the one item in a service-policy that I apply to the interface, or do I have to replicate all the items from the global policy, plus the one additional item, and apply that to the interface?
Thank you.
Hi,
Interface service policies take precedence over the global service policy for a given feature. For example, if you have a global policy with FTP inspection, and an interface policy with TCP normalization, then both FTP inspection and TCP normalization are applied to the interface. However, if you have a global policy with FTP inspection, and an interface policy with FTP inspection, then only the interface policy FTP inspection is applied to that interface.
Here is a doc for detailed study:
http://www.cisco.com/en/US/partner/docs/security/asa/asa82/configuration/guide/mpf.html
Hope this clears out your doubt.
Thanks,
Varun
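The precedence rule in the reply above, modelled as a small configuration audit (an added example, not part of the thread and not Cisco tooling). The sample config and the names `outside_policy`, `outside_all` and `strict_tcp` are constructed, and the model compares features only, ignoring which traffic each class-map matches.

```python
"""Report which service-policy supplies each MPF feature on an ASA interface."""

# Constructed sample config: global FTP + ICMP inspection, and an interface
# policy on "outside" with its own FTP inspection plus TCP normalization.
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
class-map outside_all
 match any
tcp-map strict_tcp
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect icmp
policy-map outside_policy
 class outside_all
  inspect ftp strict
  set connection advanced-options strict_tcp
service-policy global_policy global
service-policy outside_policy interface outside
"""

# Policy-map actions this sketch recognises (assumption: a subset is enough here).
ACTION_KEYWORDS = {"inspect", "set", "police", "priority"}


def feature_key(action):
    """Collapse an action line to the feature it configures (simplified)."""
    words = action.split()
    if words[0] == "inspect":
        return " ".join(words[:2])          # e.g. "inspect ftp"
    if words[:2] == ["set", "connection"]:
        return " ".join(words[:3])          # e.g. "set connection advanced-options"
    return words[0]


def parse(config):
    """Return ({policy_map: {feature: action}}, global_policy, {ifname: policy_map})."""
    policy_maps, global_policy, per_interface = {}, None, {}
    current_map = current_class = None
    for raw in config.splitlines():
        words = raw.split()                 # indentation is often lost in pastes
        if not words or words[0] in ("!", ":"):
            continue
        if words[0] == "policy-map":
            # "policy-map type inspect ..." is an inspection map, not a Layer 3/4 policy
            current_map = words[1] if len(words) == 2 else None
            current_class = None
            if current_map:
                policy_maps.setdefault(current_map, {})
        elif words[0] in ("class-map", "service-policy"):
            current_map = current_class = None
            if words[0] == "service-policy" and len(words) >= 3:
                if words[2] == "global":
                    global_policy = words[1]
                elif words[2] == "interface" and len(words) >= 4:
                    per_interface[words[3]] = words[1]
        elif words[0] == "class" and current_map:
            current_class = words[1]
        elif current_map and current_class and words[0] in ACTION_KEYWORDS:
            action = " ".join(words)
            policy_maps[current_map][feature_key(action)] = action
    return policy_maps, global_policy, per_interface


def effective_policy(config, interface):
    """Apply the rule: global features apply unless the interface policy sets the same feature."""
    policy_maps, global_policy, per_interface = parse(config)
    result = {}
    for feature, action in policy_maps.get(global_policy, {}).items():
        result[feature] = {"source": "global", "action": action}
    for feature, action in policy_maps.get(per_interface.get(interface), {}).items():
        result[feature] = {"source": "interface", "action": action}
    return result


if __name__ == "__main__":
    for ifname in ("outside", "inside"):
        print(ifname)
        for feature, info in effective_policy(SAMPLE_CONFIG, ifname).items():
            print(f"  {feature:35} from {info['source']:9} ({info['action']})")
```

On the sample, `outside` gets FTP inspection and TCP normalization from its interface policy and still inherits ICMP inspection from the global policy, while `inside` gets only the global features.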
Similar Messages
-
ASA 5505 - Cannot ping outside natted interface
Hello,
I have a Cisco ASA 5505, the problem is I am not able to ping to outside natted interface (ip: 172.88.188.123 and 124 and 125) from inside network
Could someone help me to resolve this? I have looked for ASA documentation through the internet and still got nothing.
Thank you in advance
the config are:
: Saved
ASA Version 8.2(1)
hostname ciscoasa
domain-name domain
enable password ********** encrypted
passwd ************ encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 172.88.188.122 255.255.255.248
interface Vlan3
no forward interface Vlan2
nameif backup
security-level 0
no ip address
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name domain
same-security-traffic permit intra-interface
access-list outside_in extended permit tcp any host 172.88.188.123 eq smtp
access-list outside_in extended permit tcp any host 172.88.188.123 eq pop3
access-list outside_in extended permit tcp any host 172.88.188.123 eq www
access-list outside_in extended permit icmp any any
access-list outside_in extended permit icmp any any echo-reply
access-list inside_out extended permit tcp 192.168.1.0 255.255.255.0 any
access-list inside_out extended permit udp 192.168.1.0 255.255.255.0 any
access-list inside_out extended permit icmp any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu backup 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 172.88.188.128
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) 172.88.188.123 192.168.1.253 netmask 255.255.255.255
static (inside,outside) 172.88.188.124 192.168.1.251 netmask 255.255.255.255
static (inside,outside) 172.88.188.125 192.168.1.5 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 172.88.188.121 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 1048575
dhcpd auto_config outside
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
prompt hostname context
Cryptochecksum:865943aa325eb75812628fec3b1e7249
: end
You are looking for this. 2 options, dns doctoring, or hairpinning (2nd part of document.) Post back if you need help setting it up.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml
Hairpinning would look like this in your scenario.
same-security-traffic permit intra-interface
global (inside) 1 interface
static (inside,inside) 172.88.188.123 192.168.1.253 netmask 255.255.255.255
static (inside,inside) 172.88.188.124 192.168.1.251 netmask 255.255.255.255
static (inside,inside) 172.88.188.125 192.168.1.5 netmask 255.255.255.255
-
Applying Metric and Policy Settings globally
Hi,
I wish to remove some Metric and Policy Settings globally.
Example: I want to remove monitoring for percentage of space left in tablespaces. Instead, I want to make all tablespaces auto-extensible and only monitor disk space.
I don't want to go into the configuration of each and every database in order to do this. There must be a way to globally remove out-of-box configurations and globally add a custom configured one, or is that not true?
Thank you for any insights!
Maria
It disappears only because there is a drop down at the top that says to filter "metrics with thresholds" just switch that to "All metrics" and you will see the blank ones again. As for the disabling a collection. A collection is used for many metrics. When you go to disable a metric collection, by clicking on the link for "Every 15 minutes" (for example). It will list all of the metrics that you will no longer collect data for.
Again, I would suggest not stopping the collection, and simply blanking out the thresholds. That's the way it was designed.
Eg. Disabling Archive space used collection will disable the following other metrics:
Archive Area Used (%)
Archive Area Used (KB)
Dump Area Directory
Dump Area Used (%)
Dump Area Used (KB)
Free Archive Area (KB)
Free Dump Area (KB)
Total Archive Area (KB)
Total Dump Area (KB)
-
Tcode for global idoc interface parameters
hi,
can any one say me the tcode for global idoc interface parameters.
Hi,
Welcome to SDN.
check this link might help you.
tcodes for ALE
Regards,
Amit
Reward all helpful replies.
-
ASA rpf-check DROP, ASA checking NAT in the incorrect interface
Hi
My current architecture is :
Internet <--> FW <--> ASA <--> LAN
FW <--> ASA
we have two links between ASA and the FW, the corresponding ASA interfaces are "outside" and "vpn"
the "outside" interface is used for browsing Internet, also for making some services accessible to our partners by doing NAT to our servers
the "vpn" interface is used to grant access to our LANs from remote Offices
let say that firewall rules are OK and the remote offices have access to the whole LAN by port 80
below the current configuration :
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 192.168.11.2 255.255.255.0
interface GigabitEthernet0/2
nameif vpn
security-level 0
ip address 192.168.12.2 255.255.255.0
object-group network Inside_LANs
network-object 192.168.3.0 255.255.255.0
network-object 192.168.4.0 255.255.255.0
network-object 192.168.5.0 255.255.255.0
access-list Inside-to-outside extended permit icmp object-group Inside_LANs any echo
access-list Inside-to-outside extended permit udp any host TimeServer eq ntp
access-list Inside-to-outside extended permit ip object-group Inside_LANs any
global (outside) 1 interface
global (outside) 2 192.168.11.60 netmask 255.255.255.255
nat (inside) 1 access-list Inside-to-outside
nat (inside) 2 192.168.6.0 255.255.255.0
static (inside,outside) 192.168.11.10 192.168.2.10 netmask 255.255.255.255
static (inside,outside) 192.168.11.11 192.168.2.11 netmask 255.255.255.255
static (inside,outside) 192.168.11.12 192.168.2.12 netmask 255.255.255.255
route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
route inside 192.168.3.0 255.255.255.0 192.168.1.1 1
route inside 192.168.4.0 255.255.255.0 192.168.1.1 1
route inside 192.168.5.0 255.255.255.0 192.168.1.1 1
route inside 192.168.6.0 255.255.255.0 192.168.1.1 1
route vpn 192.168.20.0 255.255.255.0 192.168.12.1 1
our problem is that packets are dropped from remote office to LAN, we are getting the rpf-check drop in packet tracer
example 1 (to a server without NAT 192.168.2.13) ---> connection OK (not dropped)
remote office 192.168.20.55 to 192.168.2.13
Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 access-list Inside-to-outside
match udp inside any inside host TimeServer eq 123
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
example 2 (to a server with static NAT 192.168.2.10) ---> connection OK (not dropped)
remote office 192.168.20.55 to 192.168.2.10
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) 192.168.11.10 192.168.2.10 netmask 255.255.255.255
match ip inside host 192.168.2.10 outside any
static translation to 192.168.11.10
translate_hits = 76643, untranslate_hits = 188597
Additional Information:
example 3 (to a host with dynamic ACL NAT 192.168.4.40) ---> connection NOK (dropped)
remote office 192.168.20.55 to 192.168.4.40
Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 access-list Inside-to-outside
match ip inside 192.168.4.0 255.255.255.0 vpn any
dynamic translation to pool 1 (No matching global)
translate_hits = 1, untranslate_hits = 0
Additional Information:
example 4 (to a host with dynamic Network NAT 192.168.6.30) ---> connection NOK (dropped)
remote office 192.168.20.55 to 192.168.6.30
Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 2 192.168.6.0 255.255.255.0
match ip inside 192.168.6.0 255.255.255.0 vpn any
dynamic translation to pool 2 (No matching global)
translate_hits = 117, untranslate_hits = 0
Additional Information:
our questions :
1) why ASA don't check the reverse path route before checking the NAT ?
if it does, the route back to the office is set to the "vpn" interface (route vpn 192.168.20.0 255.255.255.0 192.168.12.1 1), so ASA don't have to check NAT in other interface, currently it's checking the NAT in the "outside" interface even if it's not the route back to the office
2) why it's working for static NAT servers and Not working for the dynamic NAT ones ?
when ASA check a server with static NAT it find a match in the outside interface but even so it discard it and the connection Work. (example 2)
when ASA check a server/host with dynamic NAT (ACL or Network) if find a match in the outside interface but drop the connection
3) we know that this behavior can be solved by adding a NAT exception for the dynamic NAT in the "outside" interface (nat (inside) 0 access-list Inside-NAT-Exceptions) but :
why ASA checking the global NAT even if it's not the correct interface ?
Why it's working for static NAT and not working for the dynamic one ?
Thanks a lot
Hi,
It would be easier to troubleshoot if you shared the complete "packet-tracer" command you used and the full output of the command.
But to me the situation in its current form looks the following.
Example 1
To me it seems this is working as it should. Connection is coming from "vpn" to "inside". There is no "static" configurations between "vpn" and "inside" and there is no "nat" command for "vpn" interface so the traffic should pass normally without any NAT related conflicts/problems as the traffic does not match any NAT configuration.
Notice that the ASA might show some unrelated NAT information in the output of the "packet-tracer" command (commands related to other interfaces). In those NAT Phase sections there is a section saying "Additional Information:" If there is no text after this text that means that this NAT has not been applied. I am not sure why the ASA lists some NAT configurations in the output that are not related. I have seen this in many occasions and do not know the reason and I have not really put any time/effort into understanding why it shows the unrelated information in the output.
Example 2
This seems to be working as expected also.
According to the configuration provided there is no existing NAT configurations related to either the source or destination IP address on the ASA between "vpn" and "inside" interface so the traffic passes through the ASA without facing any conflicts with NAT configurations.
Again, the "packet-tracer" shows NAT information unrelated to this situation. And again the "Additional Information:" section lists no additional information so the NAT listed is not applied.
Example 3 and 4
These tests fail as expected since there is a Dynamic Policy PAT configuration for both internal destination hosts that the remote users are trying to connect to. The problem comes from the fact that the initial direction from remote to internal does not match any NAT configuration and the reverse direction from internal to remote matches the Dynamic Policy PAT and therefore the connection attempt is dropped. The connection must match the same NAT configuration on both directions.
In this situation you would either have to configure NAT0, Static NAT, Static PAT or Static Policy NAT/PAT which all would prevent the connection from matching to the Dynamic Policy PAT (But would match the mentioned type of NAT in both directions as they have higher priority than Dynamic Policy PAT). Typically the preferred solution would be to use NAT0 though you naturally have the option to use a NAT address if there is any overlap.
Hope this helps :)
- Jouni
-
BIS and Sender Policy Framework
I have a user that is using a BlackBerry Curve and is setup with AT&T BIS service and has no problems receiving messages. The company this person works for has a SPF policy ( http://en.wikipedia.org/wiki/Sender_policy_framework ) that restricts which servers can send out as the domain. The company will not modify their SPF record to include RIM's or the carrier's servers and connecting the user to our BES service is unfortunately not an option. Our SMTP server is listed as a valid sender in this domain's SPF policy.
Is there any way to specify a specific SMTP server for a device that is using the BIS service?
Thanks in advance!!!
-
How to Configure Cisco ASA 5512 for multiple public IP interfaces
Hi
I have a new ASA 5512 that I would like to configure for multiple public IP support. My problem may be basic but I am an occasional router admin and don't touch this stuff enough to retain everything I have learned.
Here is my concept. We have a very basic network setup using three different ISPs that are currently running with cheap routers for internet access. We use these networks to open up access for Sales to demo different products that use a lot of bandwidth (why we have three)
I wanted to use the 5512 to consolidate the ISPs so we are using one router to manage the connections. I have installed an add on license that allows multiple outside interfaces along with a number of other features.
Outside Networks (I've changed the IPs for security purposes)
Outside1 E 0/0 : 74.55.55.210 255.255.255.240 gateway 74.55.55.222
Outside2 E 0/2: 50.241.134.220 255.255.248 gateway 50.241.134.222
Inside1 : E 0/1 192.168.255.1 255.255.248.0
Inside2 : E 0/3 172.16.255.1 255.255.248.0
My goal is to have Inside 1 route all internet traffic using Outside1 and Inside 2 to use Outside2. The problem is I can't seem to do this. I can get inside 1 to use outside 1 but Inside2 uses Outside 1 as well.
I tried adding static routes on Outside2 to have all 172.16.248.0/21 traffic use gateway 50.241.134.222 but that doesn't seem to work.
I can post my config up as needed. I am not well versed in Cisco CLI, I've been using the ASDM 7.1 app. My ASA 5512 is at 9.1.
Thanks in advance for the suggestions/help
I have been away for a while and am just getting caught up on some posts, so my apology for a delayed response.
I find the response very puzzling. It begins by proclaiming that to achieve the objective we must use Policy Based Routing. But then in the suggested configuration there is no PBR. What it gives us is two OSPF processes using one process for each of the public address ranges and with some strange distribute list which uses a route map. I am not clear what exactly it is that this should accomplish and do not see how it contributes to having one group of users use one specific ISP and the other group of users use the other ISP.
To the original poster
It seems to me that you have chosen the wrong device to implement the edge function of your network. The ASA is a good firewall and it does some routing things. But fundamentally it is not a router. And to achieve what you want, where a group of users will use a specified ISP and the other group of users will use the other ISP, you really need a router. You want to control outbound traffic based on the source of the traffic, and that is a classic situation where PBR is the ideal solution. But the ASA does not do PBR.
HTH
Rick
-
ASA access from inside to outside interface
Hi
We need to make access on our ASA device from inside network to outside interface.
The situation is next:
We have public external ip address and we need to access it from our inside network.
Can you please tell me if it is possible to do this?
Thank you.
That's right, the solution is named Hairpinning aka U-turn.
The dynamic rule was the one suggested in my first reply:
global (inside) 1* interface *Assume you are using number one - See more at: https://supportforums.cisco.com/message/3867660#3867660
-
ASA 8.2(1) Global and NAT statements, natting certain internal hosts
Hi, I have what I believe will be an easy question, but I cannot find the answer and cannot afford to test it on our production ASA.
I am running an ASA firewall, we are performing PAT with one Public IP Address for all inside traffic accessing the Internet. We need to implement a solution where whenever two or three internal hosts/servers access the Internet, they need to appear to come from a unique public IP, different than the current Global IP for all other internal traffic. I understand I could NAT their Internal IP Address to a public IP, but I don't need each server to have its own public IP, I'd like for all of them to share one.
Thoughts on how to accomplish this? Thanks!
Hi,
To my understanding you would just create a new Dynamic PAT configuration using different NAT ID for these hosts.
Though when you create a separate Dynamic PAT for some hosts with a new NAT ID you will have to make sure that this NAT ID has a rule towards any interface they had before.
In a very basic setup there should only be Dynamic PAT between your "inside" and "outside" interfaces (presumed that's what they are called on your firewall)
This would mean that if you had for example a network 10.10.10.0/24 and you performed Dynamic PAT for that network using the "outside" interface IP address you would then configure the following
global (outside) 1 interface
nat (inside) 1 10.10.10.0 255.255.255.0
So the above is probably the type of configuration you have at the moment?
For the 2/3 hosts you have that need a different PAT IP address you could probably configure something like this (1.1.1.1 is just an example IP instead of the actual public IP address that is different from the interface IP address)
global (outside) 2 1.1.1.1
nat (inside) 2 10.10.10.1
nat (inside) 2 10.10.10.2
nat (inside) 2 10.10.10.3
If the original ID 1 NAT rule had "global" statements for some other interface then you would most likely need ID 2 configurations for those too. Though generally Dynamic PAT is only performed towards other external networks which usually means only the "outside" interface.
Without seeing the configurations I don't think I can say much more.
Naturally "packet-tracer" is an excellent command to confirm what NAT/PAT is applied for a host's connection.
For example if you wanted to test host 10.10.10.1 applied ASA configurations/rules towards some external hosts you could issue this command
packet-tracer input inside udp 10.10.10.1 12345 8.8.8.8 53
This should tell you what NAT translation is performed for this traffic (it simulates a destination port UDP/53 connection towards 8.8.8.8). Naturally you can also confirm things through firewall logs and the translation table of the device.
Active translations on the firewall you can show with the command
show xlate
It does have a lot of additional parameters after the "xlate" if you want to have more specific output
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni
-
Group Policy Management | No such interface supported
Running Windows Server 2008 R2 as a Domain Controller and when I open Group Policy Management, click on a GPO, then click on the Settings tab, it pops up an error message that says "No such interface supported". I've found several articles that talk about registering .dll files and I've done that and nothing. I've uninstalled GPMC and reinstalled and that didn't fix anything. Can anyone help resolve this?
Hi Jason,
Before going further, do we have other domain controllers? If yes, does GPMC work correctly on these domain controllers? GPMC reports the error "No Such interface supported" normally is due to a missing or corrupted Windows component.
Besides, do we update the server to the latest? If not, we can update the server to the latest and then reinstall the GPMC to see if the issue persists.
TechNet Subscriber Support
If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Best regards
Frank Shen
-
EDN not available throws runtimeFault - Fault Policy Framework unable to catch it
Hi Team,
I have been working on some error handling scenarios for EDN .
From my observation if BPEL is used to publish the event, BPEL Fault policy cannot catch EDN errors (e.g., EDN unavailable) but BPEL catch activity can catch it.
Steps performed :
1. Create a BPEL to publish the event to EDN.
2.Create fault policy to catch BPEL runtime fault .
3.Go to weblogic console to change EDNdatasource target to get "EDN datasource not available error".
4.Test your BPEL.
My requirement is to retry such faults and invoke human intervention after retry failure using BPEL.
Please let me know how to achieve this
Follow the oracle documentation
- http://docs.oracle.com/cd/E28271_01/dev.1111/e10224/bp_faults.htm#BABIGGIB
*The fault management framework catches all faults (business and runtime) for an invoke activity.*
Hope that helps.
P.S. The fault management framework main purpose is to define an enterprise wide standard policies to handle the faults that will be applied to various/all composite. Hence your specific fault that is specific to a composite should not creep into the fault management framework as this is not the enterprise standard i.e., every composite may have to handle the invalid variable, based on where it occurred and for what variable it occurred.
-
Manage ASA via VPN on its outside interface
I have a few ASAs in region offices, and connected to headquarter ASA via IPsec P2P VPNs through internet. VPN is setup on outside interfaces of those ASAs. Now my trouble is to manage those region offices' ASAs from headquarter network. I cannot directly connect to any those remote ASAs, I have to logon a remote switch behind them then logon the remote ASA. My syslog and network management servers are all in headquarter network, none of them can talk to remote ASAs, unless I let them do it on public IPs.
How can I manage(snmp, syslog, etc) a remote ASA through the IPsec VPN tunnel setup on its outside interface?
I am thinking add the outside interface public IP into the ACL for VPN Phase 2 crypto map. Will it work?
Cisco Supermen have an idea?
Thanks a lot.
I am by no means any Superman, but I think I can help
You can actually configure all the SSH, SNMP, Syslog using the ASA inside interface, and that would be part of the interesting crypto ACL traffic (assuming that the crypto ACL includes the ASA inside interface subnet).
Eg:
For SSH:
ssh inside
For Syslog:
logging host inside
For SNMP:
snmp host inside
Plus, you would also need to configure: management-access inside on all your regional offices ASA.
Hope that helps.
-
Hello,
I configured the fault policy with the following values:
<Action id="ora-retry">
<retry>
<retryCount>60</retryCount>
<retryInterval>1</retryInterval>
</retry>
</Action>
But when I look at the audit-tab in the BPEL-Console, I see only 50 retries, until the action fails.
Has retryCount a maximum of 50 retries?
Best regards and thanks for your help
Friedrich
Hi again.
Has anyone been able to use any kind of Xpath function inside a policy file? If so, could you please share the code fragment including the namespace declarations and the conditions?
Does anyone know if Fault Management Framework at least support the use of Xpath functions?
Thanks.
Denis
-
"mpls ip" global vs interface level command
What is the purpose of "mpls ip" global command? I think just enabling mpls on an interface by using "mpls ip" should be sufficient, but then what is the purpose of the global level command?
Usage Guidelines
Globally enabling MPLS forwarding does not enable it on the interfaces. You must enable MPLS forwarding on the interfaces separately.
MPLS forwarding of packets along normally routed paths (also called dynamic label switching) is enabled by this command. For a given interface to perform dynamic label switching, this switching function must be enabled.
The no form of this command stops dynamic label switching for all the interfaces regardless of the interface configuration; it also stops distribution of labels for dynamic label switching. However, the no form of this command does not affect the sending of labeled packets through the LSP tunnels.
link:
http://www.cisco.com/c/en/us/td/docs/optical/cpt/r9_3/command/reference/cpt93_cr/cpt93_cr_chapter_010.html#wp1254011620
HTH
-
Global vs interface switch command
Hello, If I have a command globally which applies on all switch ports but then I want to configure one port with a different command not apply the global command on the switch. When i configure that port will it take effect the new command configure for that port and disregard the global command that was apply on the other ports?
Well without testing and not knowing more details about what command you wish to try - I think that more specific (in this case interface command) will take precedence above global one...
Please do some testing - in this particular case it's about 5min job...
BR,
Dragan