Class-map for CSC ignores
I have an application that is getting blocked by the Trend Micro CSC under the http class map. I need it to ignore http traffic from 172.16.1.0/24 and allow all else. I haven't worked with class maps much, but my thinking is an ACL with the IP subnet and a match statement under the class map; where I have a question is whether the ACL should be
permit ip 172.16.1.0 255.255.255.0 any
deny ip any any
or the other way around?
deny ip 172.16.1.0 255.255.255.0 any
permit ip any any
That's right.
But with the ACL you have written above you will ignore web traffic from 172.16.1.0/24 to 192.168.0.0 and will match any other web traffic, but nothing else; I mean no SMTP, POP3 or FTP.
If you want to match anything else after the deny or ignore statement you have to add "permit ip any any".
After you match it with the class-map, apply it to a policy map, like policy-map global_policy (which is the default global policy):
class-map (your class-map name)
csc fail-open
then
service-policy global_policy global
In this case it will be applied to all interfaces.
Good luck
Similar Messages
-
ACE ignoring class map depending on source???
I have a problem with a the load balancing "not working" properly depending on the source.
The load balancing decision is done with a secondary cookie (?ld=fe1 or ?ld=fe2). If it appears and the value is fe1 the request should go to serverfarm FE1-app. If the value is fe2 then serverfarm FE2-app should be chosen. If it is not present in the http request then serverfarm FE-app in the class-default takes over.
This approach works if "surfing" to the VIP from a certain part of the internal network. It does not work from another part of the network. It seems that cookie is ignored and only the class default triggers.
The strange thing is that the same approach works for another setup that looks identical (with different rservers and different VIP of course). There the class map for the cookie triggers always.
My question is now: Why does the ACE seem to ignore the class map for the cookie when coming from a certain part of the network? How can I debug/follow a certain connection or load balancing decision?
Here is the config:
rserver host FE1-app
description frontend app
ip address 192.168.137.69
inservice
rserver host FE2-app
description frontend app
ip address 192.168.137.74
inservice
serverfarm host FE1-app
rserver FE1-app 80
inservice
serverfarm host FE2-app
rserver FE2-app 80
inservice
serverfarm host FE-app
rserver FE1-app 80
inservice
rserver FE2-app 80
inservice
class-map type http loadbalance match-all COOKIE-FE1
2 match http cookie secondary ld cookie-value "fe1"
class-map type http loadbalance match-all COOKIE-FE2
2 match http cookie secondary ld cookie-value "fe2"
class-map match-all VIP-app
2 match virtual-address 192.168.138.39 tcp eq www
policy-map type loadbalance first-match VIP-app-loadbalance
class COOKIE-FE1
serverfarm FE1-app
class COOKIE-FE2
serverfarm FE2-app
class class-default
serverfarm FE-app
policy-map multi-match INT470
class VIP-app
loadbalance vip inservice
loadbalance policy VIP-app-loadbalance
loadbalance vip icmp-reply
interface vlan 470
description lb_rpfedrift
ip address 192.168.138.36 255.255.255.240
alias 192.168.138.35 255.255.255.240
peer ip address 192.168.138.37 255.255.255.240
service-policy input remote_mgmt_allow_policy
service-policy input INT470
no shutdown

Hi Federico,
The source of the request has no relation with the way ACE handles the connections, so, there are probably other differences in the traffic.
The best way to troubleshoot this kind of connection is taking a traffic capture on the TenGigabit interface connecting the ACE with the switch backplane. Once you have it, you can try to look for differences between the working and failing connections.
From what you describe, I wouldn't be surprised if the issue comes from the fact that there are several HTTP requests inside the same TCP flow (in which case, by default, the ACE will look only at the first one), so I would suggest you enable "persistence rebalance" for this VIP. For more details, check the link below:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/slb/guide/classlb.html#wp1062907
I hope this helps
Daniel -
Class-maps used for load balancing on ACE
I am from CCS background and am trying to understand how the VIPs could be configured on an ACE module (using class maps).
I am looking for specific information for the following :
1. Will each VIP have a corresponding service-policy on the VLAN interface, or can we club many VIPs (through policy-maps) onto a single service-policy entry on the interface?
2. I could not find any Cisco doco with configuration examples for more than one VIP address and would like to see some examples, if possible, or could someone direct me to a doco with many VIP entries?
- Should each VIP have a separate class-map or can we list them together?

You will have to configure L3/L4 class-maps for the corresponding VIPs. You just need a single policy with n class-maps for n VIPs.
I am writing a sample that will hopefully help you on this
class-map match-all app1-vip
match virtual-address 10.1.1.1 tcp eq 80
class-map match-any app2-vip
match virtual-address 10.1.1.2 tcp eq 443
policy-map type loadbalance first-match L7app1
class class-default
serverfarm App1-farm
policy-map type loadbalance first-match L7app2
class class-default
serverfarm App2-farm
policy-map multi-match All-vips
class app1-vip
loadbalance vip inservice
loadbalance policy L7app1
loadbalance vip icmp-reply active
class app2-vip
loadbalance vip inservice
loadbalance policy L7app2
loadbalance vip icmp-reply active
int vlan 100
ip address 10.10.10.101 255.255.255.0
service-policy input All-vips
Syed Iftekhar Ahmed -
A problem with ACL in the class-map on the ACE module
Hi all,
I configured the following on the ACE module:
object-group network test
host 192.168.1.21
host 192.168.1.22
host 192.168.1.23
object-group service port
tcp eq www
tcp eq 8080
access-list T line 8 extended permit object-group port object-group test any
I tried to configure a class-map for matching this ACL:
ACE-4710-2/Lab-OPT-11(config)# class-map match-any TEST_C
ACE-4710-2/Lab-OPT-11(config-cmap)# match access-list T
Error: Cannot associate acl having object-group ACEs in class-map.
So can't I configure the class-map using an ACL with object-groups involved? Is it a bug or normal behaviour? Because the customer uses object-groups in ACLs and he has to configure ACLs without object-groups for the traffic classification. It is horrible.
Thank you
Roman

Hi Roman,
I'm afraid it's the expected behavior. You cannot use an ACL with object-groups inside a class-map.
Regards
Daniel -
Help with Class-map configuration - ZBFW
Hello,
I need some clarification regarding the class-map configuration in a ZBFW. I need to allow https, http, ftp & rdp traffic from the Internet to a few of the servers inside our LAN. So I put the below configuration in place to accomplish the task (the example shows the class-map for only the https protocol):
a.)
class-map type inspect match-all HTTPS-ACCESS
match protocol https
match access-group name HTTPS-SERVER-ACCESS
ip access-list extended HTTPS-SERVER-ACCESS
permit tcp any host 172.17.0.55 eq 443
permit tcp any host 172.17.0.56 eq 443
permit tcp any host 172.17.0.36 eq 443
permit tcp any host 172.17.0.45 eq 443
permit tcp any host 172.17.0.60 eq 443
Where 55,56,36,45,60 are the servers inside the LAN (12 more servers are there) that need to be accessed via https,http,ftp & rdp from Internet.
Is it a correct approach? Or do I need to change my configuration so that I match the ACL with my class-map like below:
b.)
ip access-list extended OUTSIDE-TO-INSIDE-ACL
permit tcp any host 172.17.0.55 eq 443
permit tcp any host 172.17.0.55 eq www
permit tcp any host 172.17.0.55 eq 21
permit tcp any host 172.17.0.55 eq 3389
permit tcp any host 172.17.0.56 eq 443
permit tcp any host 172.17.0.56 eq www
permit tcp any host 172.17.0.56 eq 21
permit tcp any host 172.17.0.56 eq 3389
permit tcp any host 172.17.0.36 eq 443
permit tcp any host 172.17.0.36 eq www
permit tcp any host 172.17.0.36 eq 21
permit tcp any host 172.17.0.36 eq 3389
permit tcp any host 172.17.0.45 eq 443
permit tcp any host 172.17.0.45 eq www
permit tcp any host 172.17.0.45 eq 21
permit tcp any host 172.17.0.45 eq 3389
class-map type inspect match-all OUT-IN-CLASS
match access-group name OUTSIDE-TO-INSIDE-ACL
Which one is the correct approach when we consider the performance of the firewall? Please help me.
Regards,
Yadhu

Hey
I do not agree with Varun, I think the first approach is the best one.
Why? Because when you issue the "match protocol ..." you are using NBAR, which is application inspection software, which means that https or whatever protocol is inspected at layer 7, not at layers 3 and 4, which is what the second approach does (IP and port number).
Let's say you use the second approach and an attacker uses some malicious protocol that runs over port 443 or whatever (a port that you opened). That attack would be successful because all you say is: you are going to IP address 172.17.0.56 over port 443, so go ahead.
But if you are using NBAR, this would not work because NBAR will look at layer 7, inside the protocol itself, and check if this really is HTTPS (or whatever protocol).
That's my two cents. Hope it helped! -
Number of class maps (QOS) supported on 7200 and 7600
Hi,
Have few queries on class maps for QOS, putting forward for your comments/inputs.
1. I want to know if there are any limitation(s) on the number of class maps (to be applied inbound/outbound) that can be configured on the 7200 and 7600 routers.
2. Is there any limitation on the number (of class maps) in general, or will it depend on the sum total of BW configured in the classes? I mean which one will be the deciding factor, i.e. whether the limit is w.r.t. the configured classes or the number of classes can't go beyond the consolidated bandwidth configured on the interface.
Kindly share details on the same and if there are any recommendations.
Thanks in advance!

From: http://www.cisco.com/en/US/tech/tk543/tk545/technologies_q_and_a_item09186a00800cdfab.shtml
"Q. How many classes does a Quality of Service (QoS) policy support?
A. In Cisco IOS versions earlier than 12.2 you could define a maximum of only 256 classes, and you could define up to 256 classes within each policy if the same classes are reused for different policies. If you have two policies, the total number of classes from both policies should not exceed 256. If a policy includes Class-Based Weighted Fair Queueing (CBWFQ) (meaning it contains a bandwidth [or priority] statement within any of the classes), the total number of classes supported is 64.
In Cisco IOS versions 12.2(12),12.2(12)T, and 12.2(12)S, this limitation of 256 global class-maps was changed, and it is now possible to configure up to 1024 global class-maps and to use 256 class-maps inside the same policy-map." -
Policy map/ class map/ service policy for IOS xr
Hi,
I need to create a policy map and class map/service policy to limit the amount of bandwidth that can be used on one interface both in and out.
I need the cap for the bandwidth to traverse this circuit to be 10 Meg.
the IOS xr version we are using is 4.3.4
I was hoping someone could help me out by giving me a configuration example I could follow.
Thank you.

For instance, like this:
policy-map police-in
class class-default
police rate 10 mbps <optionally set burst>
policy-map shape-out-parent
class class-default
shape 10 mbps <optional burst config>
service-policy shape-out-child
policy-map shape-out-child
class class-default
queue-limit 10 packets
int g 0/0/0/0
service-policy police-in in
service-policy shape-out-parent out
also have a look at CL 2013/2014 (orlando/sanfran) ID 2904 for more QOS details
and the support forum article of "asr9000 quality of service architecture"
xander -
How to get OIDs of indexes for class-map ?
I have a policy-map configured on a Cisco router with some class-maps inside. I need to draw a graph of the traffic passing through these classes. To make the graphs I use Cacti, which uses SNMP queries to draw the graphs (object name cbQosObjectsIndex).
How to get OIDs of class-map indexes ?
I tried to do this by following query:
#snmpwalk -c community_string -v 2c 192.168.0.252 1.3.6.1.4.1.9.9.166.1.5.1.1.1
but the answer was:
iso.3.6.1.4.1.9.9.166.1.5.1.1.1 = No Such Object available on this agent at this OID
The information I need is contained at the OID 1.3.6.1.4.1.9.9.166.1.15.1.1.7:
# snmpwalk -c community_string -v 2c 192.168.0.252 1.3.6.1.4.1.9.9.166.1.15.1.1.7
iso.3.6.1.4.1.9.9.166.1.15.1.1.7.1251.1277 = Gauge32: 0
iso.3.6.1.4.1.9.9.166.1.15.1.1.7.1251.13363 = Gauge32: 0
iso.3.6.1.4.1.9.9.166.1.15.1.1.7.1251.13383 = Gauge32: 0
iso.3.6.1.4.1.9.9.166.1.15.1.1.7.1251.13435 = Gauge32: 734000
iso.3.6.1.4.1.9.9.166.1.15.1.1.7.1251.13481 = Gauge32: 233000

Because 192.168.0.252 1.3.6.1.4.1.9.9.166.1.5.1.1.1 is marked "non-accessible" according to http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en&translate=Translate&objectInput=cbQosObjectsIndex
You'll need to obtain the indices as explained in this blog post:
http://pierky.wordpress.com/2009/04/09/cisco-class-based-qos-snmp-mib-and-statistics-monitor-for-nms/
Joe wrote a very illustrative post on the subject of snmptables: https://supportforums.cisco.com/message/3051004#3051004
And if your IOS supports it, you would want to configure the following to keep the indices from changing after every reboot or OIR:
"snmp mib persist cbqos" -
Match-any or Match All For Class-map On Nexus?
I have an access-list MANAGEMENT
permit udp any eq snmp any
permit udp any any eq snmp
permit tcp any any eq telnet
permit tcp any eq telnet any
permit tcp any any eq 22
permit tcp any eq 22 any
My question is, does it matter if I use match-any or match-all? I want to match anything in the access-list to classify the traffic correctly.
class-map type qos match-any MANAGEMENT
match access-group name MANAGEMENT
Or
class-map type qos match-all MANAGEMENT
match access-group name MANAGEMENT
I understand a match-any is an or and a match-all is an and function. Does this apply to an access-list for a class-map?
Thanks

It applies to match statements within the class map. In your case, you're only using one match statement, so there will be no difference between match-all and match-any, no matter how many entries are in the ACL. If your class map had two different ACLs in two different match statements, then the and/or logic of match-all and match-any would come into play.
-
Total drops for class-map class-default
Hi,
I have a gigabit ethernet interface on a 2951 configured with 4x sub interfaces providing connectivity to our four WAN sites. Each sub interface services a 100mb connection to another site.
I have configured a QoS policy and attached to each sub interface with the primary function of limiting each sub interface to 100mbs. I am now seeing drops (total drops) on the class default and not sure why. I would not expect to see any drops on this interface as it never even reaches 15mb (15%) capacity.
Any ideas?
Class-map: class-default (match-any)
175934881 packets, 95319007968 bytes
5 minute offered rate 23000 bps, drop rate 0000 bps
Match: any
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/340/0
(pkts output/bytes output) 314212026/180287074028
policy-map PM-Branch-QoS
class CM-OAM
set dscp af11
class CM-Network
set dscp cs6
class CM-VC
bandwidth percent 5
class CM-Citrix
set dscp af21
class CM-CAPWAP
set dscp af22
policy-map PM-WAN
class class-default
shape peak 100000000
service-policy PM-Branch-QoS

I would not expect to see any drops on this interface as it never even reaches 15mb (15%) capacity.
Your expectations might be incorrect. Often percentage of bandwidth capacity measurements are misunderstood.
Let's assume your ingress is 100 Mbps. Let's also assume you're measuring over a five minute period. Lastly, assume the ingress transmits at 100% for 1 minute and then stops for 4 minutes. Bandwidth utilization across the 1 minute would be 100% and 0% for the other 4 minutes, but it would be 20% for the 5 minutes.
But if the 100 Mbps was sent at 100% for each 12 seconds, and not sent for each 48 seconds, 5 minute utilization would still be 20% but unlike the prior 1 minute stats of 100% and 0%, each minute would now also be 20%.
So these first two examples show how bandwidth utilization doesn't reveal what's happening within the measured time period.
Since ingress was same bandwidth as egress, in the above, there would be no queuing.
If ingress is gig, though, suppose gig ingress arrives for 6 seconds and stops for a remaining 4 minutes and 54 seconds. This too would measure as 20% usage across 5 minutes, but since it will take 60 seconds to transmit the same traffic at 100 Mbps, packets will need to be queued. If queuing buffers are insufficient to hold all the packets, some will be dropped.
The above is a long way of saying, if your ingress rate exceeds your egress rate, there can be a need to queue packets, and if queuing is insufficient, packets will be dropped, this even if utilization is "low". Most likely, you have occasional "bursts" if ingress bandwidth exceeds the egress bandwidth.
From your actual stats, the drop rate percentage is so low, you might not need to concern yourself with the few drops you're seeing. If it is a concern, you might be able to reduce the drop rate by increasing egress buffering, but doing so, also increases egress queuing delay. -
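The three scenarios in the reply above, played through a small fluid-queue simulation so the numbers can be checked. This is an added example and not code from the thread; the 100 Mbps egress and the 64-packet queue limit are taken from the post, the 1500-byte average packet size is an assumption.

```python
from typing import Dict, List, Tuple

# Constructed fluid-queue model of the burst argument in the reply; not router code.
EGRESS_BPS = 100_000_000               # the 100 Mbps shaper on each sub-interface
PACKET_BYTES = 1500                    # assumed average packet size
QUEUE_LIMIT_BYTES = 64 * PACKET_BYTES  # "queue limit 64 packets" from the show output


def simulate(pattern: List[Tuple[float, float]], egress_bps: float = EGRESS_BPS,
             queue_limit: float = QUEUE_LIMIT_BYTES, step: float = 0.01) -> Dict[str, float]:
    """Play back ingress segments of (seconds, bits per second) through one
    egress queue. Each step adds the arriving bytes, drains what the egress
    rate allows, and tail-drops whatever no longer fits in the queue.
    """
    backlog = dropped = sent = offered = peak = total_time = 0.0
    for seconds, rate in pattern:
        for _ in range(int(round(seconds / step))):
            arrived = rate * step / 8          # bytes arriving in this step
            offered += arrived
            backlog += arrived
            out = min(backlog, egress_bps * step / 8)
            backlog -= out
            sent += out
            if backlog > queue_limit:          # tail drop once the 64-packet queue is full
                dropped += backlog - queue_limit
                backlog = queue_limit
            peak = max(peak, backlog)
        total_time += seconds
    capacity_bytes = egress_bps * total_time / 8
    return {
        "offered_util": offered / capacity_bytes,   # what a 5-minute counter would report
        "sent_util": sent / capacity_bytes,
        "peak_backlog_bytes": peak,
        "dropped_bytes": dropped,
    }


def scenarios() -> Dict[str, Dict[str, float]]:
    """The three cases from the reply; each offers 20% of egress over five minutes."""
    return {
        "100M for 60s, idle 240s": simulate([(60, 100e6), (240, 0)]),
        "100M for 12s, idle 48s, x5": simulate([(12, 100e6), (48, 0)] * 5),
        "1G for 6s, idle 294s": simulate([(6, 1e9), (294, 0)]),
    }


if __name__ == "__main__":
    for name, r in scenarios().items():
        print(f"{name:28s} offered {r['offered_util']:.0%}  sent {r['sent_util']:.1%}  "
              f"peak queue {r['peak_backlog_bytes']:.0f} B  dropped {r['dropped_bytes']:.0f} B")
```

The first two cases never queue anything; only the gigabit burst fills the 64-packet queue and drops, while all three report the same 20% offered load.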
On activating persistent class: There is no mapping for one or more fields
Hi all,
I'm using an ECC 6.0 system.
I've just created a persistent class and defined the persistence. When I try to activate the class activating fails and I get the message "There is no mapping for one or more fields."
I did not, in fact, use all the fields of the database table I defined the persistence on. When I do use all the fields activating the class works without a problem.
However, as far as I know it should be possible to select only some of the fields when defining the persistence (the only fields I have to select are all the key fields of the table and I've done this).
Has anybody encountered the same problem or has anybody any idea on this?
Cheers,
Kathy

Hi Kathy,
this is exactly what I meant.
If you'd like, then you can also take a look at the documentation: http://help.sap.com/saphelp_nw04/helpdata/en/b0/9d0a3ad259cd58e10000000a11402f/frameset.htm
There under Mapping, you can find:
"You must map all columns of a database table to attributes. If you only want to manage some of the columns using Object Services, you must create a database view."
Making attributes private doesn't change the fact that you still map all fields. If you have a lot of fields which you don't want to map, then I will again suggest that you define a DB view. This will boost the performance of your implementation.
In case you need "quality 1st" performance, then I would suggest to use an ABAP implementation with internal tables, instead of the Persistent Service.
HTH,
Hristo -
Class Refresh for Class mapped through Relation not Query
We have Class A which is the root of the Domain Object Tree for our application.
We have Class B. The relationship for A -> B is one to one with Use Indirection turned on.
The back reference (B -> A) is also one to one with Use Indirection turned on.
When we try to do getB() on Class A (i.e. A.getB()), the query is fired only on the first access call to get(). We have a query to get Class A which always refreshes A but not B. We tried setting Caching Policy - Always refresh on the Class Descriptor for Class B, but still the query is not fired on object B when A.getB() is called.
I need the class to always be refreshed, as this can get added or deleted outside the TopLink application. Hence I always need to refresh Class B.
What should we do?

Refreshing in TopLink is based on queries. When you are accessing getB(), you are simply resolving a Java reference (i.e. A.b). If B must always be refreshed I would recommend not mapping the A.b attribute. Instead getB() should always issue a refreshing query.
--Gordon -
Specifying table with jdbc-class-map-name
Greetings
How do I specify the name of the table to map to when using the jdbc-class-map-name hint?
In my jdo file, I have specified:
<class name="Customer" objectid-class="CustomerId">
<extension vendor-name="kodo" key="jdbc-class-map-name" value="base">
<extension vendor-name="kodo" key="table" value="PERSONS"/>
</extension>
but when mappingtool generates the mapping file, the "table" hint
is ignored, and I end up with the following in the .mapping file:
<class name="Customer">
<jdbc-class-map type="base" table="FRED.CUSTOMER"/>
What I really want to see in the above jdbc-class-map is:
table="FRED.PERSONS"
I am using the property setting: kodo.jdbc.Schemas: FRED
Note that mapping fields to columns using jdbc-field-map-name
seems to work fine...
Any clues? Thanks.
droo.

You can't specify table or column names via mapping tool hints. The
typical way to change the default names is either to override the
getValidTableName/getValidColumnName methods in a custom DBDictionary
for systematic changes, or to follow the process outlined in example 7.6
on this page:
http://www.solarmetric.com/Software/Documentation/latest/docs/ref_guide_mapping.html#ref_guide_mapping_mappingtool_examples -
Default class map is dropping all Packets
Hello, I have a Cisco 871 router that used to have access-list based security. Now I am trying the ZBFW for the first time. I thought I had a pretty good program until I found all my traffic was getting dropped. This is my first stab at ZBFWs and I am a bit confused, esp. with the default class part. Any help is greatly appreciated!!!!
The router is for my house and thus also has to have priority for gaming. I will add the gaming and voice QoS once I get it working.
Guest VLAN has access to 2 IP's in Data for printing.
Cisco871#sh run
Building configuration...
Current configuration : 8005 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
hostname Cisco871
boot-start-marker
boot-end-marker
logging buffered 4096
no logging console
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
clock summer-time PST recurring
crypto pki trustpoint TP-self-signed-4004039535
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4004039535
revocation-check none
rsakeypair TP-self-signed-4004039535
crypto pki certificate chain TP-self-signed-4004039535
certificate self-signed 01
quit
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1 10.0.0.5
ip dhcp excluded-address 172.16.15.1 172.16.15.5
ip dhcp excluded-address 172.16.15.14
ip dhcp excluded-address 172.16.17.1 172.16.17.5
ip dhcp excluded-address 192.168.19.1 192.168.19.5
ip dhcp pool MyNetNative
import all
network 10.0.0.0 255.255.255.248
default-router 10.0.0.1
domain-name MyNetNet.org
dns-server 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
lease 0 2
ip dhcp pool MyNetData
import all
network 172.16.15.0 255.255.255.240
dns-server 172.16.15.14 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
default-router 172.16.15.1
domain-name MyDomain.org
ip dhcp pool MyNetVoice
import all
network 172.16.17.0 255.255.255.240
dns-server 172.16.15.14
default-router 172.16.17.1
domain-name MyDomain.org
ip dhcp pool MyNetGuest
import all
network 192.168.19.0 255.255.255.240
default-router 192.168.19.1
domain-name MyNetGuest.org
dns-server 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
ip domain name MyDomain.org
ip name-server 172.16.15.14
ip name-server 4.2.2.4
ip inspect log drop-pkt
multilink bundle-name authenticated
parameter-map type inspect TCP_PARAM
parameter-map type inspect global
username MyAdmin privilege 15 secret 5 MyPassword
archive
log config
hidekeys
class-map type inspect match-all MyNetGuest-access-list
match access-group 110
class-map type inspect match-any Base-protocols
match protocol http
match protocol https
match protocol ftp
match protocol ssh
match protocol dns
match protocol ntp
match protocol ica
match protocol pptp
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all MyNetGuest-Class
match class-map MyNetGuest-access-list
match class-map Base-protocols
class-map type inspect match-all MyNetNet-access-list
match access-group 100
class-map type inspect match-any Voice-protocols
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any Extended-protocols
match protocol pop3
match protocol pop3s
match protocol imap
match protocol imaps
match protocol smtp
class-map type inspect match-all MyNetNet-Class
match class-map MyNetNet-access-list
match class-map Voice-protocols
match class-map Extended-protocols
match class-map Base-protocols
policy-map type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
class type inspect MyNetNet-Class
inspect
class class-default
policy-map type inspect MyNetNet-zone_to_MyNetGuest-zone_policy
class type inspect MyNetNet-Class
inspect
class class-default
policy-map type inspect MyNetGuest-zone_to_MyNetNet-zone_policy
class type inspect MyNetGuest-access-list
inspect
class class-default
policy-map type inspect MyNetGuest-zone_to_MyNetWAN-zone_policy
class type inspect MyNetGuest-Class
inspect
class class-default
policy-map type inspect MyNetNet-zone
class class-default
pass
zone security MyNetNet-zone
zone security MyNetGuest-zone
zone security MyNetWAN-zone
zone-pair security MyNetNet->MyNetGuest source MyNetNet-zone destination MyNetGuest-zone
service-policy type inspect MyNetNet-zone_to_MyNetGuest-zone_policy
zone-pair security MyNetNet->MyNetWAN source MyNetNet-zone destination MyNetWAN-zone
service-policy type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
zone-pair security MyNetGuest->MyNetWAN source MyNetGuest-zone destination MyNetWAN-zone
service-policy type inspect MyNetGuest-zone_to_MyNetWAN-zone_policy
zone-pair security MyNetGuest->MyNetNet source MyNetGuest-zone destination MyNetNet-zone
service-policy type inspect MyNetGuest-zone_to_MyNetNet-zone_policy
interface FastEthernet0
description Cisco-2849-Switch
switchport mode trunk
speed 100
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
description SBS-Server
switchport access vlan 10
spanning-tree portfast
interface FastEthernet4
description WAN
no ip address
ip mtu 1492
ip nat outside
ip virtual-reassembly
zone-member security MyNetWAN-zone
ip tcp adjust-mss 1452
duplex auto
speed auto
no cdp enable
interface Vlan1
description MyNetNative
ip address 10.0.0.1 255.255.255.248
ip nat inside
ip virtual-reassembly
zone-member security MyNetNet-zone
ip tcp adjust-mss 1452
interface Vlan10
description MyNetData
ip address 172.16.15.1 255.255.255.240
ip nat inside
ip virtual-reassembly
zone-member security MyNetNet-zone
interface Vlan20
description MyNetVoice
ip address 172.16.17.1 255.255.255.240
ip nat inside
ip virtual-reassembly
zone-member security MyNetNet-zone
interface Vlan69
description MyNetGuest
ip address 192.168.19.1 255.255.255.240
ip nat inside
ip virtual-reassembly
zone-member security MyNetGuest-zone
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
access-list 100 remark MyNetnet
access-list 100 permit ip 10.0.0.0 0.0.0.7 any
access-list 100 permit ip 172.16.15.0 0.0.0.31 any
access-list 100 permit ip 172.16.17.0 0.0.0.15 any
access-list 110 remark MyNetGuest
access-list 110 permit ip 192.168.19.0 0.0.0.15 host 172.16.15.2
access-list 110 permit ip 192.168.19.0 0.0.0.15 host 172.16.15.3
access-list 110 deny ip 192.168.19.0 0.0.0.15 10.0.0.0 0.0.0.7
access-list 110 deny ip 192.168.19.0 0.0.0.15 172.16.15.0 0.0.0.31
access-list 110 deny ip 192.168.19.0 0.0.0.15 172.16.17.0 0.0.0.15
access-list 110 permit ip 192.168.19.0 0.0.0.15 any
control-plane
banner login ^CC
You know if you should be here or not.
if not please leave
NOW
^C
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
scheduler max-task-time 5000
ntp server 172.16.15.14
webvpn cef
end
Cisco871#sh zone security
zone self
Description: System defined zone
zone MyNetNet-zone
Member Interfaces:
Vlan1
Vlan10
Vlan20
zone MyNetGuest-zone
Member Interfaces:
Vlan69
zone MyNetWAN-zone
Member Interfaces:
FastEthernet4
Cisco871#sh zone-pair security
Zone-pair name MyNetNet->MyNetGuest
Source-Zone MyNetNet-zone Destination-Zone MyNetGuest-zone
service-policy MyNetNet-zone_to_MyNetGuest-zone_policy
Zone-pair name MyNetNet->MyNetWAN
Source-Zone MyNetNet-zone Destination-Zone MyNetWAN-zone
service-policy MyNetNet-zone_to_MyNetWAN-zone_policy
Zone-pair name MyNetGuest->MyNetWAN
Source-Zone MyNetGuest-zone Destination-Zone MyNetWAN-zone
service-policy MyNetGuest-zone_to_MyNetWAN-zone_policy
Zone-pair name MyNetGuest->MyNetNet
Source-Zone MyNetGuest-zone Destination-Zone MyNetNet-zone
service-policy MyNetGuest-zone_to_MyNetNet-zone_policy
Cisco871#sh int faste4
FastEthernet4 is up, line protocol is up
Hardware is PQUICC_FEC, address is 0016.9d29.a667 (bia 0016.9d29.a667)
Description: WAN
Internet address is 10.38.177.98/25
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:34:50, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 2000 bits/sec, 3 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
593096 packets input, 73090812 bytes
Received 592752 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog
0 input packets with dribble condition detected
9940 packets output, 1016025 bytes, 0 underruns
0 output errors, 0 collisions, 3 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
Zone-pair: MyNetNet->MyNetWAN
Service-policy inspect : MyNetNet-zone_to_MyNetWAN-zone_policy
Class-map: MyNetNet-Class (match-all)
Match: class-map match-all MyNetNet-access-list
Match: access-group 100
Match: class-map match-any Voice-protocols
Match: protocol h323
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol skinny
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol sip
0 packets, 0 bytes
30 second rate 0 bps
Match: class-map match-any Extended-protocols
Match: protocol pop3
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol pop3s
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol imap
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol imaps
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol smtp
0 packets, 0 bytes
30 second rate 0 bps
Match: class-map match-any Base-protocols
Match: protocol http
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol https
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol ftp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol ssh
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol dns
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol ntp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol ica
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol pptp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol icmp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol tcp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol udp
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Session creations since subsystem startup or last reset 0
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:0:0]
Last session created never
Last statistic reset never
Last session creation rate 0
Maxever session creation rate 0
Last half-open session total 0
Class-map: class-default (match-any)
Match: any
Drop (default action)
5196 packets, 256211 bytes
Cisco871#sh log
Syslog logging: enabled (1 messages dropped, 0 messages rate-limited,
0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 1745 messages logged, xml disabled,
filtering disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled
No active filter modules.
ESM: 0 messages dropped
Trap logging: level informational, 1785 message lines logged
Log Buffer (4096 bytes):
001779: *Feb 15 11:00:55.979: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:61806 => 168.94.0.1:53 with ip ident 511 due to policy match failure
001780: *Feb 15 11:00:59.739: %FW-6-DROP_TCP_PKT: Dropping Other pkt 172.16.15.6:4399 => 168.94.69.30:443 due to policy match failure -- ip ident 515 tcpflags 0x7002 seq.no 974122240 ack 0
001781: *Feb 15 11:01:26.507: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:51991 => 168.94.0.1:53 with ip ident 625 due to policy match failure
001783: *Feb 15 11:01:57.891: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:64470 => 168.94.0.1:53 with ip ident 677 due to policy match failure
Hello Charlie,
I would recommend that you investigate a little bit more about how the ZBFW feature works.
Now I am going to help you on this one at least, then I will give you a few links you could use to study.
We are going to study traffic from MyNetNet-zone to the MyNetWAN-zone.
First the zone-pair:
zone-pair security MyNetNet->MyNetWAN source MyNetNet-zone destination MyNetWAN-zone
service-policy type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
So let's go to the policy-map:
policy-map type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
class type inspect MyNetNet-Class
inspect
class class-default
Finally, the class-map:
class-map type inspect match-all MyNetNet-Class
match class-map MyNetNet-access-list
match class-map Voice-protocols
match class-map Extended-protocols
match class-map Base-protocols
That keyword MATCH-ALL is the one causing the issues!!
Why?
Because you are telling the ZBFW to inspect traffic only if it matches all of those class-maps, so a packet would need to match the Base-protocols and the Extended-protocols, and as you know that is not possible (just one protocol).
So here are the links:
http://blogg.kvistofta.nu/cisco-ios-zone-based-policy-firewall/
https://supportforums.cisco.com/thread/2138873
http://pktmaniac.info/2011/08/zone-based-firewalls-something-to-keep-in-mind/
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
You have some work to do.
Please remember to rate all the helpful posts.
Julio
CCSP -
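A small Python model of how the router evaluates the nested class-maps quoted above, added here as an illustration and not taken from the thread or from Cisco; the contents of access-list 100 and the "fixed" class-maps (All-protocols, MyNetNet-Class-fixed) are assumptions. It shows why a DNS or HTTPS packet from 172.16.15.6 never satisfies the match-all class and falls through to class-default, and how OR-ing the protocol groups before AND-ing with the ACL changes the outcome.

```python
import ipaddress

# Constructed model of the class-maps quoted in the thread; it is not an IOS parser.
# Each class-map is (mode, criteria) where a criterion is ("protocol", name),
# ("access-group", network) or ("class-map", nested-name). Protocol names are
# compared literally, so "tcp"/"udp" do not stand in for other protocols here.
ACL_100 = ipaddress.ip_network("172.16.15.0/24")  # assumed: access-list 100 is not shown on the page

def protocols(*names):
    return [("protocol", n) for n in names]

def nested(*names):
    return [("class-map", n) for n in names]

CLASS_MAPS = {
    "MyNetNet-access-list": ("match-all", [("access-group", ACL_100)]),
    "Voice-protocols": ("match-any", protocols("h323", "skinny", "sip")),
    "Extended-protocols": ("match-any", protocols("pop3", "pop3s", "imap", "imaps", "smtp")),
    "Base-protocols": ("match-any", protocols("http", "https", "ftp", "ssh", "dns", "ntp",
                                                 "ica", "pptp", "icmp", "tcp", "udp")),
    # As configured on the router: match-all across mutually exclusive protocol groups.
    "MyNetNet-Class": ("match-all", nested("MyNetNet-access-list", "Voice-protocols",
                                            "Extended-protocols", "Base-protocols")),
    # Assumed fix (not from the thread): OR the protocol groups first, then AND with the ACL.
    "All-protocols": ("match-any", nested("Voice-protocols", "Extended-protocols", "Base-protocols")),
    "MyNetNet-Class-fixed": ("match-all", nested("MyNetNet-access-list", "All-protocols")),
}

def matches(class_name, pkt):
    """Evaluate one class-map against a packet given as {"src": ip, "proto": name}."""
    mode, criteria = CLASS_MAPS[class_name]
    results = []
    for kind, arg in criteria:
        if kind == "protocol":
            results.append(pkt["proto"] == arg)
        elif kind == "access-group":
            results.append(ipaddress.ip_address(pkt["src"]) in arg)
        else:
            results.append(matches(arg, pkt))
    return all(results) if mode == "match-all" else any(results)

def policy_action(class_name, pkt):
    """Mirror the policy-map: the named class is inspected, anything else hits class-default, which drops."""
    return "inspect" if matches(class_name, pkt) else "drop (class-default)"

# Constructed packets modelled on the %FW-6-DROP lines in the log above.
DNS_PKT = {"src": "172.16.15.6", "proto": "dns"}
HTTPS_PKT = {"src": "172.16.15.6", "proto": "https"}
OUTSIDER_PKT = {"src": "10.0.0.9", "proto": "https"}  # source not covered by the assumed ACL 100
```

Calling policy_action("MyNetNet-Class", DNS_PKT) returns the class-default drop seen in the log, while the fixed class returns "inspect" for the same packet and still drops the outsider.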
Issue with xsd Data type mapping for collection of user defined data type
Hi,
I am facing an issue with wsdl for xsd mapping for a collection of a user defined data type.
Here is the code snippet.
sample.java
import java.io.Serializable;
import java.util.ArrayList;
import javax.jws.WebMethod;

@WebMethod
public QueryPageOutput AccountQue(QueryPageInput qpInput) {
    // method body not shown in the post
}
public class QueryPageInput implements Serializable, Cloneable {
    protected Account_IO fMessage = null;
}
public class QueryPageOutput implements Serializable, Cloneable {
    protected Account_IO fMessage = null;
}
public class Account_IO implements Serializable, Cloneable {
    protected ArrayList<AccountIC> fintObjInst = null;

    public ArrayList<AccountIC> getfintObjInst() {
        return (ArrayList<AccountIC>) fintObjInst.clone();
    }

    public void setfintObjInst(AccountIC val) {
        fintObjInst = new ArrayList<AccountIC>();
        fintObjInst.add(val);
    }
}
public class AccountIC {
    protected String Name;
    protected String Desc;

    public String getName() {
        return Name;
    }

    public void setName(String name) {
        Name = name;
    }
}
For the sample.java code, the wsdl generated is as below:
<?xml version="1.0" encoding="UTF-8" ?>
<wsdl:definitions
name="SimpleService"
targetNamespace="http://example.org"
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns:tns="http://example.org"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:mime="http://schemas.xmlsoap.org/wsdl/mime/"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
>
<wsdl:types>
<xs:schema version="1.0" targetNamespace="http://examples.org" xmlns:ns1="http://example.org/types"
xmlns:xs="http://www.w3.org/2001/XMLSchema">
<xs:import namespace="http://example.org/types"/>
<xs:element name="AccountWSService" type="ns1:accountEMRIO"/>
</xs:schema>
<xs:schema version="1.0" targetNamespace="http://example.org/types" xmlns:ns1="http://examples.org"
xmlns:tns="http://example.org/types" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<xs:import namespace="http://examples.org"/>
<xs:complexType name="queryPageOutput">
<xs:sequence>
<xs:element name="fSiebelMessage" type="tns:accountEMRIO" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="accountEMRIO">
<xs:sequence>
<xs:element name="fIntObjectFormat" type="xs:string" minOccurs="0"/>
<xs:element name="fMessageType" type="xs:string" minOccurs="0"/>
<xs:element name="fMessageId" type="xs:string" minOccurs="0"/>
<xs:element name="fIntObjectName" type="xs:string" minOccurs="0"/>
<xs:element name="fOutputIntObjectName" type="xs:string" minOccurs="0"/>
<xs:element name="fintObjInst" type="xs:anyType" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="queryPageInput">
<xs:sequence>
<xs:element name="fPageSize" type="xs:string" minOccurs="0"/>
<xs:element name="fSiebelMessage" type="tns:accountEMRIO" minOccurs="0"/>
<xs:element name="fStartRowNum" type="xs:string" minOccurs="0"/>
<xs:element name="fViewMode" type="xs:string" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:schema>
<schema xmlns="http://www.w3.org/2001/XMLSchema" targetNamespace="http://example.org"
xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:tns="http://example.org" xmlns:ns1="http://example.org/types">
<import namespace="http://example.org/types"/>
<xsd:complexType name="AccountQue">
<xsd:sequence>
<xsd:element name="arg0" type="ns1:queryPageInput"/>
</xsd:sequence>
</xsd:complexType>
<xsd:element name="AccountQue" type="tns:AccountQue"/>
<xsd:complexType name="AccountQueResponse">
<xsd:sequence>
<xsd:element name="return" type="ns1:queryPageOutput"/>
</xsd:sequence>
</xsd:complexType>
<xsd:element name="AccountQueResponse" type="tns:AccountQueResponse"/>
</schema>
</wsdl:types>
<wsdl:message name="AccountQueInput">
<wsdl:part name="parameters" element="tns:AccountQue"/>
</wsdl:message>
<wsdl:message name="AccountQueOutput">
<wsdl:part name="parameters" element="tns:AccountQueResponse"/>
</wsdl:message>
<wsdl:portType name="SimpleService">
<wsdl:operation name="AccountQue">
<wsdl:input message="tns:AccountQueInput" xmlns:ns1="http://www.w3.org/2006/05/addressing/wsdl"
ns1:Action=""/>
<wsdl:output message="tns:AccountQueOutput" xmlns:ns1="http://www.w3.org/2006/05/addressing/wsdl"
ns1:Action=""/>
</wsdl:operation>
</wsdl:portType>
<wsdl:binding name="SimpleServiceSoapHttp" type="tns:SimpleService">
<soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
<wsdl:operation name="AccountQue">
<soap:operation soapAction=""/>
<wsdl:input>
<soap:body use="literal"/>
</wsdl:input>
<wsdl:output>
<soap:body use="literal"/>
</wsdl:output>
</wsdl:operation>
</wsdl:binding>
<wsdl:service name="SimpleService">
<wsdl:port name="SimpleServicePort" binding="tns:SimpleServiceSoapHttp">
<soap:address location="http://localhost:7101/WS-Project1-context-root/SimpleServicePort"/>
</wsdl:port>
</wsdl:service>
</wsdl:definitions>
In the above wsdl the collection fintObjInst is of type xs:anyType. From the wsdl, I do not see the xsd mapping for AccountIC, which includes Name and Desc. Due to this, when invoking the web service from a different client like C# (by creating a proxy business service), I am unable to set the parameters for AccountIC. I am using the JAX-WS stack and WLS 10.3. I have already looked at the blog http://weblogs.java.net/blog/kohlert/archive/2006/10/jaxws_and_type.html but am unable to solve this issue. However, at run time using a tool like SoapUI, when this wsdl is imported, I am able to see all the params related to the AccountIC class.
Can someone help me with this?
Thanks,
Sudha.
Did you try adding the XmlSeeAlso annotation to the webservice?
@XmlSeeAlso({<package.name>.AccountIC.class})
This will add the schema for the data type (AccountIC) to the WSDL.
Hope this helps.
-Ajay