Cisco Profiler NetFlow

Hi
Can someone help me determine whether my NetFlow config is correct or not? What should I do on the Profiler web console to know that NetFlow is working?
This is config on router:
router (config)#ip flow-export version 5
router (config)#ip flow-export destination 10.0.86.9 2055
router (config)#interface ATM0/1/0
router (config-if)#ip flow ingress
router (config-if)#ip route-cache flow
This is what I get on eth0 (trusted) on CAS (Collector is on CAS servers)
13:32:47.215752 IP 192.168.12.158.50229 > mtel-nacserver-1.iop: UDP, length 312
13:33:01.214074 IP 192.168.12.158.50229 > mtel-nacserver-1.iop: UDP, length 120
13:33:14.212558 IP 192.168.12.158.50229 > mtel-nacserver-1.iop: UDP, length 216
13:33:26.211179 IP 192.168.12.158.50229 > mtel-nacserver-1.iop: UDP, length 264
13:33:39.209589 IP 192.168.12.158.50229 > mtel-nacserver-1.iop: UDP, length 72
13:33:51.208193 IP 192.168.12.158.50229 > mtel-nacserver-1.iop: UDP, length 264
13:34:12.205745 IP 192.168.12.158.50229 > mtel-nacserver-1.iop: UDP, length 408
13:34:31.203515 IP 192.168.12.158.50229 > mtel-nacserver-1.iop: UDP, length 312
13:34:45.201813 IP 192.168.12.158.50229 > mtel-nacserver-1.iop: UDP, length 168
13:34:58.200285 IP 192.168.12.158.50229 > mtel-nacserver-1.iop: UDP, length 168
13:35:16.198210 IP 192.168.12.158.50229 > mtel-nacserver-1.iop: UDP, length 312
NetFlow Module Config
Network Config
THANKS
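
A sanity check for the capture above, as an added example that is not part of the original post: a NetFlow v5 export datagram is a 24-byte header followed by 1 to 30 records of 48 bytes, so the UDP lengths tcpdump reports can be tested against that layout, and a payload can be decoded to confirm the version and record count. The function names and the sample datagram are constructed for illustration.

```python
import re
import socket
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes
MAX_RECORDS = 30  # a v5 export datagram carries 1..30 flow records

# UDP payload lengths copied from the tcpdump output in the post above.
CAPTURED_LENGTHS = [312, 120, 216, 264, 72, 264, 408, 312, 168, 168, 312]
TCPDUMP_LEN = re.compile(r"UDP, length (\d+)\s*$")


def udp_length(tcpdump_line):
    """Extract the UDP payload length from one tcpdump summary line."""
    m = TCPDUMP_LEN.search(tcpdump_line)
    return int(m.group(1)) if m else None


def v5_record_count(udp_len):
    """Record count a v5 datagram of this size must hold, or None if it cannot be v5."""
    body = udp_len - V5_HEADER.size
    if body < V5_RECORD.size or body % V5_RECORD.size:
        return None
    count = body // V5_RECORD.size
    return count if count <= MAX_RECORDS else None


def parse_v5(payload):
    """Decode a v5 datagram; raise ValueError if version or count disagree with the size."""
    if len(payload) < V5_HEADER.size:
        raise ValueError("shorter than a NetFlow v5 header")
    version, count, _up, _secs, _nsecs, seq, _etype, _eid, _samp = V5_HEADER.unpack_from(payload)
    if version != 5:
        raise ValueError("export version is %d, not 5" % version)
    if v5_record_count(len(payload)) != count:
        raise ValueError("header count %d does not match datagram size" % count)
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(payload, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "packets": f[5], "octets": f[6],
                      "sport": f[9], "dport": f[10], "proto": f[13]})
    return {"flow_sequence": seq, "flows": flows}


def build_sample(version=5):
    """Constructed two-record datagram (documentation addresses, made-up counters)."""
    header = V5_HEADER.pack(version, 2, 360000, 1700000000, 0, 41, 0, 0, 0)

    def rec(src, dst, sport, dport, pkts, octets):
        return V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst),
                              socket.inet_aton("0.0.0.0"), 1, 2, pkts, octets,
                              350000, 359000, sport, dport, 0, 0x18, 6, 0,
                              0, 0, 24, 24, 0)

    return (header + rec("192.0.2.10", "198.51.100.7", 51000, 443, 12, 9000)
            + rec("192.0.2.11", "198.51.100.7", 51001, 80, 4, 600))


if __name__ == "__main__":
    for n in CAPTURED_LENGTHS:
        print(n, "->", v5_record_count(n), "records")
    print(parse_v5(build_sample()))
```

Every length in the capture fits 24 + 48 x n, which is what version 5 export from the router would produce; the iop that tcpdump prints is the services-file name for port 2055.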

Hi all
Which IP address should I configure as the NetFlow destination?
The documentation has some confusing sentences.
The Cisco NAC Profiler Collector uses the 4th NIC of the CAS to collect data from a SPAN port, SNMP, or NetFlow. The Cisco NAC Profiler Collector aggregates the relevant data, consolidates it, and then forwards it on to the Cisco NAC Profiler Server.
AND
By default, enabling the NetFlow Agent on a NetRelay module initiates listening for XDRs sent to the Collector management interface (eth0) by routers and other NetFlow collectors on port 2055.
Is that the 4th NIC (eth3), like for SPAN, or eth0?
Does anyone have any comment?

Similar Messages

  • Cisco Profile 55 H323 mode Off after restart

    Hi All,
    We have a Cisco Profile 55 that for some reason after a restart switches H323 Mode to off after a restart.
    Through the web interface if you browse to Configuration -> System Configuration -> Network services -> H323 Mode is the first setting.
    I have set it to On and save it twice now but after a restart it has changed back to off!
    Any ideas what would be causing this would be a great help.
    Thanks
    John

    Hello John -
    As Martin has mentioned above, when using CUCM, H323 isn't supported. Actually starting with TC7 as seen in the TC release notes, on pg 7, when registering an endpoint to CUCM, H323 becomes disabled.
    Taking a look at the following TelePresence Admin Guide with CUCM, on pg 11, it mentions that when using a TelePresence endpoint registered to CUCM, the default call protocol is SIP, this is because CUCM is SIP only.
    In order to make H323 calls, you'll need to rely on either a VCS-C/E or Expressway-C/E to do the SIP to H323 interworking as I don't believe CUCM can.  Expressway is preferred when using CUCM.

  • Cisco 6506 Netflow configuration

    I configured netflow to capture data received by vlan 950. 
    vlan 950 has an ip 10.198.0.12. But the output is capturing only packets with source ip of this subnet only.
    why is it not showing any traffic received from outside? or sent to outside hosts?

    Hi Rafael,
    you need an Assurance License for that feature to work
    check the below link:
    http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps12239/guide_c07-714720.html
    Thanks-
    Afroz
    [Do rate the useful post]

  • Cisco Prime- Netflow Export Issue

    Dear All,
    We are observing high bandwidth being utilized between ASR1004 and Cisco Prime 2.1 after enabling "ip netflow exporter". Is there any way to mitigate it?

    Yes - use sampled Netflow which statistically samples the flows instead of trying to send every single one back to Prime Infrastructure.
    The IOS-XE configuration guide section on Netflow describes how to set it up.

  • Cisco 4331 Netflow Commands

    Greetings,
    Trying out these new Cisco 4300 series routers and apparently some commands have changed... to be more specific I am trying to configure netflow and none of the traditional commands work:
    #conf t
    ip flow-export source gig 0/0
    ip flow-export version 5
    ip flow-export destination 10.1.1.40 (port #)
    int gig 0/0
    ip flow egress
    ip flow ingress
    ip route cash-flow
    #exit
    I can't seem to find an admin manual for these, can someone please tell me what the new commands are?
    Kind regards,
    Juan

    Flexible NetFlow is what you need if you are sure your device and IOS supports it. Here is a sample NetFlow v9 or Flexible NetFlow configuration:
    http://www.solarwinds.com/documentation/en/flarehelp/netflow/content/orionnetflowag-ciscoflexiblenetflowconfiguration.htm
    Regards,
    Don Jacob
    http://www.solarwinds.com/netflow-traffic-analyzer.aspx
    PS: Don't forget to rate and close helpful answers.

  • Cisco Profile 52/55 Dual - displays video on only one screen after software upgrade 7.1.4

    Hi,
    I've upgraded the Profile 52/55 Dual system to TC 7.1.4 and it no longer shows video on both screens during a conference. It displays content on the second screen fine. It worked in version 6 so I wonder if something changed in the software or the endpoint requires some additional configuration.
    I've checked settings under Configuration > System Configuration > Video > Monitors and it's set to Dual. I've changed it few times and set it back to Dual but this didn't resolve the issue. I can't see any dual screen option key added under system information but I assume it has a dual screen option hence it's a dual screen system.
    Do I need to change any settings?

    Hi Patrick
    Thank you very much for your response.
    The system doesn’t have a remote control as such, it’s an MX700 so it has the 10inch touch panel, I had some engineers onsite attempting to bring the self-view image up using the panel but the only image that they managed to retrieve was a self-view PIP on the main image.
    If I change the self-view settings in the configuration nothing appears to happen on the codec, the second monitor will only display the presentation, it’s as if the system is stuck in dual screen presentation only, even though when I set the system to dual screen, flick it back to single screen, set it to dual screen, back to the same situation no image unless there is a presentation being sent.
    I have ensured that these settings are forced on the system
    xconfig Video Monitors: Dual
    xconfig Video CamCtrlPip CallSetup Mode: Off
    xconfig Video SelfviewDefault Mode: Off
    xconfig Video SelfviewDefault OnMonitorRole: Second
    xconfig Video SelfviewDefault FullscreenMode: On
    But no matter what I do I am unable to get the behaviour that I expect, this is why I have posted on this forum, I seem to think that the problem may be related to a software bug, however I am unable to downgrade as that would stop the control panel from working (this system doesn’t have a remote), and I see no mention of a second monitor issue reading the release notes, I have checked the online bugs and cannot find anything there either. so I am wondering if someone in Cisco has any idea as to what is happening here.
    I thought about trying to use TC console to see if I could force a layout via this tool / or at least see what layouts are on the system, however the TC console version 6 will not connect to this system (I think this is more firewall related than system, as standard telnet and ssh attempts fail also).
    Again I appreciate any and all assistance provided greatly, I am completely baffled as to what is happening here.
    Cheers

  • Cisco NAC profiler

    Hi,
    I have a few doubts; if anyone can clear them up it would be great. I have a NAS OOB real IP gateway deployment in my network.
    Assuming all the ports are NAC-controlled, as soon as the client plugs in they will be in the auth VLAN.
    Now I have a Cisco NAC Profiler in my network which I am going to configure for IP phones and printers.
    For example, the port the IP phone is connected to will be under the auth VLAN also.
    Hence, as soon as the IP phone gets connected, the Cisco Profiler will see the profile and change the auth VLAN to its respective VLAN by mapping the profile with the NAC profile which we have mapped in the Profiler, and given the VLAN in the NAC user profile for the IP phone.
    Please correct me if I am wrong in my understanding of how this works. I need to profile IP phones. I am not able to bridge the connection.
    It would be a great help if you can help me out.
    Thanks in advance.

    Dear Nitesh,
    The IP phones should be configured to work on the Voice VLAN; the NAC Manager on its OOB config can only manage the access VLAN for the switch port.
    Given this, the correct config for the filters for the IP Phones is "ignore", as described here:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_addSrv.html#wp1092789
    The NAC Profiler can help to add these filters without manual intervention, so you should configure the Profiler with the appropriate NAC event that configures the filter for the IP Phone MAC address to "ignore".
    This won't cause the port to change status NAC wise, as the NAC Manager will simply "ignore" the MAC notification for the IP Phone(s).
    I hope this helps.
    Regards,
    Federico
    If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

  • Cisco ACS 5.4 + Anyconnect 3.1 NAM with 802.1x, problem with changing ACS Radius user password

    Dear all,
    Presently, we are testing 802.1x using Cisco ACS 5.4 and Cisco Anyconnect v3.1 as the 802.1x supplicant. We have created predefined NAM profiles (with Cisco Profile Editor) and applied them as default on our test machine. We are using PEAP (MsCHAPv2) and ACS local user credentials for the authentication process. We have noticed that when we try to authenticate to the network with a predefined profile (the network profile has Administrator Network privileges) and the Windows user on the test machine has no Admin privileges, we are not able to change the ACS user password (checked "Change password on next login" in the ACS user profile). In the Monitoring and Report View we get Failure Reason "24203 User need to change password" but no popup window appears in Anyconnect. When we change the Windows local user privileges to Admin or create the Anyconnect network profile locally (privileges User Network), then we are able to finish the process.
    Have you ever faced the problem described above? Is it an Anyconnect bug? How can we fix it?
    Best regards,
    Piotr

    If this happens with all machines then maybe a Microsoft guy can look at the app logs/privileges. It seems the app is requesting a privilege that it is not authorized for, and that's why the prompt window fails to appear. If we know what that privilege is we can probably fix it. If that privilege is not even required for smooth work, Cisco probably needs to fix this behavior.
    I am sorry if I am not able to help but I am not using the anyconnect for production.
    Regards,
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Can MPLS aware Netflow ver. 9 be enabled on the catalyst switches 6500

    HI, I'm working for KOREA TELECOM, and currently providing MPLS VPN.
    We're planning to provide our customer with traffic report using NetFlow..
    I read some documents which say NetFlow ver. 9 can be enabled on Cisco GSR 12000 Series, but there is no mention of Catalyst switches. So, I'm curious whether NetFlow ver. 9 can be activated on the Catalyst 6500 series, because the point where the switch is located already has MPLS-encapsulated packets (MPLS VPN packets).
    Thank you , in advance.

    NetFlow is now integral to Cisco 6500. A configuration we recommend is as below:
    mls netflow     // This enables NetFlow on the Supervisor.
    mls nde sender version 7
    mls aging long 64  // This breaks up long-lived flows into (roughly) one-minute segments.
    mls aging normal 32  // This ensures that flows that have finished are exported in a timely manner.
    mls flow ip interface-full
    mls nde interface
    The next two commands will help to enable NetFlow data export for bridged traffic which is optional. You can specify the list of VLANs here to enable bridged traffic.
    ip flow ingress layer2-switched vlan
    ip flow export layer2-switched vlan
    Apart from this, NetFlow has to be enabled on the MSFC using the below commands.
    ip flow egress       // This command has to be executed on all the L3/VLAN interfaces.
    ip flow-export destination {hostname|ip_address} 9996  // The hostname or IP address of the flow server
    ip flow-export source {interface} // The interface through which NetFlow packets are exported. eg: Loopback0
    ip flow-export version 9
    ip flow-cache timeout active 1
    snmp-server ifindex persist
    The new Cisco Flexible NetFlow actually allows for export of MPLS specific information (I believe it is stack labels) in addition to information on IP Address, port, etc. But you will need a tool that can support these additional fields. Otherwise you can view IP, port, protocol, etc. related information from MPLS links.
    Regards,
    Don Thomas Jacob
    ManageEngine NetFlow Analyzer

  • What version of ASA software supports Netflow for traffic analyzing?

    What version of ASA software supports Netflow for traffic analyzing. The version of software we are running on the PIX is 7.2.4. Bottom line, I need to know if it’s able to send any “netflow” data to an analyzer. I have not found anything that states it supports it.
    Any help or guidance is appreciated.
    Thanks!

    Hi,
    Till now only Cisco ASA 5580 Series uniquely addresses the challenge of high-performance security event handling through advancements in Cisco's NetFlow v9 technology.
    check out the below link
    http://newsroom.cisco.com/dlls/2008/prod_012208.html
    Hope to help
    If helpful do rate the valuable post
    Ganesh.H

  • 5505 - netflow style data??

    I need to know if I can pull Netflow style data (Top Talkers, Top Sessions, etc) from ASA 5505s? We are looking at buying some but I need to be able to export this kind of data to my management station which is also a collector. I have read on this forum that 8.2 and above should support Netflow but I have read conflicting information. Can anyone verify this for me? Also, if there are other options to get this information, I would like to know as well.
    Thank you,

    Hi Bro
    Yes, Cisco ASA FW running on software image code 8.2 and above support netflow, but version 9 only. Hence, third party tools such as Solarwinds Real-Time Netflow Analyzer cannot be used here, as this tool supports Netflow version 5 only.
    Cisco’s NetFlow collector doesn’t support Cisco ASA as stated in this link;
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps6601/prod_white_paper0900aecd80406232.html
    For this reason, you might wanna look into ManageEngine Netflow Analyzer. This product supports Netflow version 9. Hence, you can configure your ASA to export NetFlow version 9 packets to this tool instead.
    Cisco ASA configuration via ASDM for NetFlow can be seen from the below link;
    http://blogs.manageengine.com/netflowanalyzer/2010/07/22/configuring-cisco-asa-netflow-via-asdm
    Cisco ASA configuration via CLI for NetFlow can be seen from the below link;
    https://supportforums.cisco.com/docs/DOC-6113
    http://www.cisco.com/en/US/docs/security/asa/asa82/netflow/netflow.html
    For further details on this subject, you could also refer to https://supportforums.cisco.com/thread/2071273
    P/S: If you think this comment is useful, please do rate them nicely :-)

  • SPA 122 remove restricted access domains

    Hello
    My SPA 122 has a customization profile active and I want to remove it. But I don't know how to do it. Firmware update, factory reset, disabling provisioning don't help.
    I tried to create a sample config file with the Cisco Profile Compiler but no luck, the SPA 122 tells me every time "Restore failed"...
    All I want is to remove the settings from the customization, like "restricted access domains" etc.
    Can anyone help me?
    Thanks
    mfg
    Pascal

    OK thank you Dan for your answer.
    I bought the box from an ISP, but I don't want to use this ISP, so I cannot reset the config to default settings without customization etc.? With a sample.cfg file from anywhere?

  • Searches not finding files... any suggestions?

    Hello,
    I am using a Mac Pro desktop with two external firewire drives. I was doing a search for files I know exist on one of the external drives and the search pulled up nothing. I went to my drive and found the files alive and well but the search in the finder won't find them. I tested out a bunch more files and folders on that drive and 95% of the files the search wouldn't find. It found a couple of files on that drive but that's it. Again, when I go to the finder the files are there. This is causing me a lot of problems because since the finder can't find the files my applications can't either. Does anyone have any suggestions? Do I need to rebuild the drive index or something? Should I use disk warrior? Any help is greatly appreciated. Thanks.

    Why doesn't Spotlight find files or folders? Why is there no simple file finder utility for Snow Leopard? Seems like I can find certain files (usually files which I already know where there are), but not the folders or files I'm actually looking for. In this case I'm looking for a Cisco profile file that ends with .pcf, but I have had the problem many times before. Am I missing something, or is the capability simply not there? Is there some kind of built-in feature that lets you find only the files that naive users can see?
    Also, I'm uncertain about the difference between searching for a string that is part of a file or folder name, and a string that is within contents of the file. I would like to be able to choose which I'm searching for.

  • External posture validation server LanDesk vs. ACS

    Hi,
    I want to ask whether somebody has the same problem as me and how you solved it.
    I want to validate security of hosts with LANDesk® Security Suite 8.7 in cooperation with ACS. My problem seems to be in communication between ACS and the LanDesk validation server. The LanDesk server log says that no scan has been made on the host. But when I don't forward LanDesk credentials to LanDesk and I validate them on ACS, it works. I mean ACS can determine whether the scan has been made and with which result.
    So I think the problem isn't in CTA or the LanDesk host agent (when they send the right credentials). It seems to be somewhere between ACS and the LD server.
    Have you had a similar problem?
    P.S. I have imported the LanDesk plugins into CTA and the attributes definition file into ACS. But I am not sure if the External posture validation setup in the URL field should be "http://ip.a.d.d:12576/pvs.exe", which I found in the LD documentation. On Google I found another URL, "http://ip.a.d.d:12576/avp.exe". Neither of them works properly. And on the LD server there isn't such a file.
    Thanks for help
    Daniel Sebek

    Hello,
    NAC Appliance:
    • Offers Authentication, Authorization and Remediation
    • Covers Wireless, VPN and LAN.
    • Only can be used as an appliance. No virtualize offerings. For small locations which ISR routers, a 50 and 100 user module is available.
    • Licensed by user count matching and applied to the corresponding enforcement server. Users bundles are 50, 100, 250, 500, 1500, 2500, 3500 and 5000.
    • Uses SNMP V1,2 and 3 or can be in-band / bump in the wire.
    • Can leverage Cisco Profiler or whitelist non-NAC capable devices.
    • Cisco enforcement appliances can provide collecting abilities for Cisco Profiler with an additional license.
    • Can Leverage Cisco Guest server for advance guest access.
    • Comes in HP or IBM appliance formats.
    • IBM appliances are 3315, 3355 and 3395 appliances. They can support ISE
    • HP appliances are 3310, 3350 and 3390 appliances. They cannot support ISE
    ACS 5.X:
    • Offers 802.1x NAC features and device management (TACACS/RADIUS).
    • Can be an appliance or Vmware. Appliances that are IBM hardware can support ISE. VMware can be migrated to ISE for an additional cost.
    • Provides Authentication and Authorization. Does not offer remediation.
    • Requires switches that support 802.1x COA as specified on cisco.com/go/acs to function as the enforcement agent. ACS alone cannot offer access control.
    • 802.1x NAC features do not require additional licenses for up to 500 users/devices. To scale beyond 500 users/devices, an additional large deployment license is required.

  • Access Accounting and Billing

    hi,
    I have a scenario where users from remote offices access the internet through the HO internet link (centralised). The solution required is: when the user tries to access the internet, the access is authorised based on the remote IP subnet/username from the proxy server, and then a counter starts for download size / connection time, on which usage billing data is required to be generated. The customer will provide the unit which will be used for generating the cash bill to the user.
    Please suggest if there is any solution for this using AAA and/or some other cisco software.
    cheers!
    Nilanjan

    check this section,
    http://www.cisco.com/en/US/products/ps6601/products_ios_protocol_group_home.html
    In above link go for links under "Latest Cisco IOS NetFlow Documentation"
    Also, check the,
    Case Studies
    Data Sheets
    Presentations
    Press Coverage
    Q&A
    White Papers
    Regards,
    Prem
