Does IPv6 traffic "pass-through" or "drop" by cisco waas?

Similar Messages

• Does user traffic pass through Controller and Aironet 1030?

  Hi All,
  I want to beat out some questions that I cannot find exactly guideline in Cisco. I intend to implement 2 Airespace 2000 controller and some 1010s and one 1030 to my main office and branch office. At present, there is a 512kbps WAN link between this two office. So I don't want to let the traffic within the branch office to pass through the WAN link. Therefore, I intend to use the solution that 1 controller stay in main office to serve the 1010s in main office and 1 controller stay in remote office to serve the 1010s in remote office. But the remote site only needs 1 AP, thus I would like to use one 1030 to stay in branch office and 2 controller stay in main office to perform controller's redundancy. I would like to know Does the clients' traffic pass through the link between 1030 and controller as the same as 1010? I does very confuse whether 1030 has this feature because I found some blur instruction of 1030 in Cisco.
  Further, if I place one of the controller in remote office, how can I control the APs in remote office to choose the local controller instead of the controller in main office using Layer 3 discovery method? Does any know? Thanks!
  Jason,
  best regards,

  Hi Jason,
  Hopefully this info will clear this up for you;
  Q. Can I install an access point (AP) at a remote office and install a Cisco WLC at my headquarters? Does the Lightweight AP Protocol (LWAPP) work over a WAN?
  A. Yes, you can have the WLCs across the WAN from the APs. LWAPP works over a WAN. Use Remote Edge AP (REAP) mode. REAP allows the control of an AP by a remote controller that is connected via a WAN link. Traffic is bridged onto the LAN link locally, which avoids the need to unnecessarily send local traffic over the WAN link. This is precisely one of the greatest advantages of having WLCs in your wireless network.
  Note: Not all lightweight APs support REAP. For example, the 1030 AP supports REAP, but the 1010 and 1020 AP do not support REAP. Before you plan to implement REAP, check to determine if the APs support it. Cisco IOS Software APs that have been converted to LWAPP do not support REAP.
  Q. I want to set up the Cisco 1030 Lightweight Access Point (AP) with a Cisco WLC in Remote Edge AP (REAP) mode. In this mode, is all wireless traffic tunneled back to the WLC? Additionally, if the AP cannot contact the WLC, what happens to the wireless clients?
  A. The 1030 AP tunnels all WLC traffic (control and management traffic) to the WLC via Lightweight AP Protocol (LWAPP). All data traffic stays local to the AP. The 1030 REAP can only reside on a single subnet because it cannot perform IEEE 802.1Q VLAN tagging. As such, traffic on each service set identifier (SSID) terminates on the same subnet on the wired network. So, while wireless traffic may be segmented over the air between SSIDs, user traffic is not separated on the wired side. Access to local network resources is maintained throughout WAN outages.
  At times of WAN link outage, all WLANs except the first is decommissioned. Therefore, use WLAN 1 as the primary WLAN and plan security policies accordingly. Cisco recommends that you use a local authentication/encryption method, such as the Wi-Fi Protected Access (WPA) Pre-Shared Key (WPA-PSK), on this first WLAN.
  Note: Wired Equivalent Privacy (WEP) suffices, but this method is not recommended because of known security vulnerabilities.
  If you use WPA-PSK (or WEP), properly configured users are still able to gain access to local network resources even when the WAN link is down.
  From this doc;
  http://www.cisco.com/en/US/products/ps6366/products_qanda_item09186a008064a991.shtml
  Hope this helps!
  Rob
  Please remember to rate helpful posts.....

• Only some of the traffic passing through inline vlan pair

  Here is my network setup
     firewall<---- >(g1/2)Coreswitch 6500 with IDSM(TG9/1)<-----> (TG9/1) Distrib switch with FWSM---------Accessswitch
  configuration in core switch
  interface GigabitEthernet1/2.11
  description **** ****
  encapsulation dot1Q 211
  ip vrf forwarding VRF11
  ip address 10.2.11.73 255.255.255.248
  ip ospf network point-to-point
  standby 1 ip 10.2.11.75
  standby 1 priority 110
  standby 1 preempt
  interface GigabitEthernet1/2.37
  description **** ****
  encapsulation dot1Q 237
  ip vrf forwarding VRF37
  ip address 10.2.37.73 255.255.255.248
  ip ospf network point-to-point
  standby 1 ip 10.2.37.75
  standby 1 priority 110
  standby 1 preempt
  interface TenGigabitEthernet9/1.11
  description ****   ****
  encapsulation dot1Q 311
  ip vrf forwarding VRF11
  ip address 10.2.11.2 255.255.255.252
  ip ospf network point-to-point
  interface TenGigabitEthernet9/1.12
  description ****   ****
  encapsulation dot1Q 312
  ip vrf forwarding VRF12
  ip address 10.2.12.2 255.255.255.252
  ip ospf network point-to-point
  configuration in Distribution switch:
  interface TenGigabitEthernet9/1.11
  description ****  ****
  encapsulation dot1Q 311
  ip vrf forwarding VRF11
  ip address 10.2.11.1 255.255.255.252
  no ip route-cache
  ip ospf network point-to-point
  interface TenGigabitEthernet9/1.37
  description ********
  encapsulation dot1Q 337
  ip vrf forwarding VRF37
  ip address 10.2.37.1 255.255.255.252
  no ip route-cache
  ip ospf network point-to-point
  i  have seggregated  n/w like this. i am using inline vlan  pair , to pass all the traffic through the IDSM module ,
  i am using the monitoring port gi0/8
  config in core switch
  intrusion-detection module 8 data-port 2 trunk allowed-vlan 211-260,311-360
  IDSM
  physical-interfaces GigabitEthernet0/8
  subinterface-type inline-vlan-pair
  subinterface 11
  description
  vlan1 211
  vlan2 311
  exit
  subinterface 37
  description
  vlan1 237
  vlan2 337
  exit
  Problem i am facing is , some of the vlan-pair traffic passing through the IDSM some of the traffic are not passing , here i have given the statistics
  MAC statistics from interface GigabitEthernet0/8
     Statistics From Subinterface 11
        Statistics From Vlan 211
           Total Packets Received On This Vlan = 0
           Total Bytes Received On This Vlan = 0
           Total Packets Transmitted On This Vlan = 0
           Total Bytes Transmitted On This Vlan = 0
        Statistics From Vlan 311
           Total Packets Received On This Vlan = 0
           Total Bytes Received On This Vlan = 0
           Total Packets Transmitted On This Vlan = 0
           Total Bytes Transmitted On This Vlan = 0
  Statistics From Subinterface 37
        Statistics From Vlan 237
           Total Packets Received On This Vlan = 3189658726
           Total Bytes Received On This Vlan = 64165872092928
           Total Packets Transmitted On This Vlan = 3549575166
           Total Bytes Transmitted On This Vlan = 64165872092928
        Statistics From Vlan 337
           Total Packets Received On This Vlan = 3549575166
           Total Bytes Received On This Vlan = 64165872092928
           Total Packets Transmitted On This Vlan = 3189658726
           Total Bytes Transmitted On This Vlan = 64165872092928
     Statistics From Subinterface 38
        Statistics From Vlan 238
           Total Packets Received On This Vlan = 2215151150
           Total Bytes Received On This Vlan = 64165872092928
           Total Packets Transmitted On This Vlan = 126546964
           Total Bytes Transmitted On This Vlan = 64165866995200
        Statistics From Vlan 338
           Total Packets Received On This Vlan = 126546964
           Total Bytes Received On This Vlan = 64165866995200
           Total Packets Transmitted On This Vlan = 2215151150
           Total Bytes Transmitted On This Vlan = 64165872092928
  Give me idea experts , so that i can resolve this issue.
  Help me thanks in advance

  I believe the issue is because of the config below:
  interface GigabitEthernet1/2.11
  description **** ****
  encapsulation dot1Q 211
  ip vrf forwarding VRF11
  ip address 10.2.11.73 255.255.255.248
  ip ospf network point-to-point
  standby 1 ip 10.2.11.75
  standby 1 priority 110
  standby 1 preempt
  encapsulation dot1Q 311
  ip vrf forwarding VRF11
  ip address 10.2.11.2 255.255.255.252
  ip ospf network point-to-point
  interface TenGigabitEthernet9/1.12
  description ****   ****
  encapsulation dot1Q 312
  ip vrf forwarding VRF12
  ip address 10.2.12.2 255.255.255.252
  ip ospf network point-to-point
  As you can see we have 2 ip subnets in the VRF 11 .73 &  .2 in vlan 211 & 311 respectively.
  The switch is doing intervlan routing directly without having to go through the IDSM for VRF 11.
  What we need to remember is IDSM does not do routing, and it can only bridge vlans.
  Hence we have to force to packet to go through the IDSM.
  Here is what we do when we use IDSM to see traffic going between vlans.:
  Normally, with vlans, and IDSM inline mode, we have one IP subnet and 2 Vlans.
  IDSM2 in inline mode necessitates an additional artificial Vlan on the  SAME subnet as the Vlan you wish to sense.
  A layer 3 switch  interface  needs to be configured within this additional artificial Vlan.
  In a nutshell, we need to create 2 Vlans that share one same ip subnet and put SVI on only one of the Vlans.
  In your case you will need one ip between vlans 211 & 311 in VRF 11 to force the data to go through the IDSM.
  I can understand if this is a bit tricky to understand.
  Please go through my design document for IDSM inline mode, which explains the basic concepts and packet walk in detail.
  It will explain why we need the above and how arp makes the mac-address table populate correct entries, (with one ip subnet for 2 vlans) so that traffic goes through the IDSM.
  https://supportforums.cisco.com/docs/DOC-12206
  - Sid

• Black box able to log traffic passing through...

  Hi
  I'm looking for a box able to sniff the tcp/ip traffic (source ip address, destination ip address and ports) passing from it's ingress interface to the egress interface and viceversa (useful the bypass option if this box fails) without any change of the traffic passing through, just logging it and sending this log to a syslog server.
  We need it as solution to be compliant with the new police law against computer criminals where is written that all the internet traffic has to be logged (we offer sometimes transparent internet access to our customers where we do not put any kind of equipment as firewall, proxy or something else, only the router providing the internet access).
  Do you know if Cisco provide something like that ? Other vendors ?
  Any other idea how to be compliant with this request ?
  Thanks
  Pls advise
  Ric

  Cisco Intrusion Prevention System Sensor can be used to log ip traffic. You can manually configure the sensor to capture all IP traffic associated with a host you specify by IP address. You can specify how long you want the IP traffic to be logged, how many packets you want logged, and how many bytes you want logged. The sensor stops logging IP traffic at the first parameter you specify.You can also have the sensor log IP packets every time a particular signature is fired. You can specify how long you want the sensor to log IP traffic and how many packets and bytes you want logged

• Cache "dist-test" does not support pass-through optimization

  I have noticed this message in the log of my Extend proxy JVM. It is logged at INFO level.
  The cache dist-test does not support pass-through optimization for objects in internal format. If possible, consider using a different cache topology.
  The Extend proxy JVM is running as a storage disabled node of the cluster.
  Any ideas what is causing it?
  dist-test is configured like this:
    <caching-scheme-mapping>
      <cache-mapping>
        <cache-name>dist-*</cache-name>
        <scheme-name>near-entitled-scheme</scheme-name>
      </cache-mapping>
    </caching-scheme-mapping>
    <caching-schemes>
      <near-scheme>
        <scheme-name>near-entitled-scheme</scheme-name>
        <front-scheme>
          <local-scheme>
            <eviction-policy>HYBRID</eviction-policy>
            <high-units>1000</high-units>
          </local-scheme>
        </front-scheme>
        <back-scheme>
          <distributed-scheme>
            <scheme-ref>dist-default</scheme-ref>
          </distributed-scheme>
        </back-scheme>
      </near-scheme>
      <distributed-scheme>
        <scheme-name>dist-default</scheme-name>
        <serializer>
          <class-name>com.tangosol.io.pof.ConfigurablePofContext</class-name>
        </serializer>
        <lease-granularity>member</lease-granularity>
        <backing-map-scheme>
          <local-scheme>
            <listener>
              <class-scheme>
                <class-name>{backing-map-listener-class-name com.oracle.coherence.common.backingmaplisteners.NullBackingMapListener}</class-name>
                <init-params>
                  <init-param>
                    <param-type>com.tangosol.net.BackingMapManagerContext</param-type>
                    <param-value>{manager-context}</param-value>
                  </init-param>
                </init-params>
              </class-scheme>
            </listener>
          </local-scheme>
        </backing-map-scheme>
        <autostart>true</autostart>
      </distributed-scheme>
    </caching-schemes>I presume it is something to do with the near-scheme because I do not see the message if I map dist-* caches directly to the dist-default scheme
  Cheers,
  JK.

  Hi Jonathan,
  You are getting the warning because a near cache caches Objects. Since the the proxy service is using POF, it must deserialize the POF serialized value in order to put it in the near cache. You don't see the message when you cache directly to the dist-default scheme because that scheme is configured to use POF, which allows the proxy service to pass the POF serialized value directly through to the distributed cache service.
  Thanks,
  Tom

• AAA Authentication for Traffic Passing through ASA

  I am setting up AAA authentication for traffic that will pass through my ASA. I am having difficulty enabling 'aaa authentication secure-http-client'. Without secure communications enabled access functions as expected. When I enable access, I get prompted for a username/password. The username/password is entered. Authentication passes (show uauth). The requested page (http://www.cisco.com) switches to https://x.x.x.x (a resolved IP address for the site). Eventually (5 seconds), I am asked to accept or deny a certificated. Interestingly, the certificate is for the ASA and not the requested site (http://www.cisco.com).
  Am I missing something?
  firewall# show run aaa
  aaa authentication http console TACACS+ LOCAL
  aaa authentication telnet console TACACS+ LOCAL
  aaa authentication serial console TACACS+ LOCAL
  aaa authentication ssh console TACACS+ LOCAL
  aaa authentication enable console TACACS+ LOCAL
  aaa authentication match guestnetwork_access guestnetwork RADIUS
  aaa authentication secure-http-client
  firewall# show access-li guestnetwork_access
  access-list guestnetwork_access; 2 elements
  access-list guestnetwork_access line 1 extended deny udp 10.255.255.0 255.255.255.0 any eq domain (hitcnt=33)
  access-list guestnetwork_access line 2 extended permit ip 10.255.255.0 255.255.255.0 any (hitcnt=412)
  firewall# show run aaa-s
  aaa-server RADIUS protocol radius
  aaa-server RADIUS (inside) host 192.168.250.14
  key xxxxx
  firewall# show run http
  http server enable

  your definition for the aaa-server is different to the aaa authentication server-group
  try
  aaa authentication http console RADIUS LOCAL
  aaa authentication telnet console RADIUS LOCAL

• Does IPv6 traffic support enabled for icloud?

  Hi Everybody,
        Since all ISP's started IPv6 deployment just wanted to know whether IPv6 traffic support enabled for icloud application?

  Apple does not support the 3rd party drives.  To enable it (without installing another software package), you can visit the website:
  http://digitaldj.net/2011/07/21/trim-enabler-for-lion/
  I ran the series of commands on my Mac Pro and it did enable TRIM.
  the webpage even has a backup/back-out procedure.
  Without TRIM, my computer was running extremely slowly.  After enabling TRIM, my computer ran substancially faster.

• Analog to digital, how does one actually pass through a TRV120 or TRV950E ?

  I would need some technical advice on how to connect a camera with pass-through feature in between a VCR and the computer.
  I am trying to copy VHS-C cassettes to the Mac via a Digital8 Sony TRV-120. I use A/V pin connector from the VCR, Firewire to the Mac. I get the VCR image on the TRV's LCD, but nothing on the Mac. iMovie says the camcorder is empty, dot. If I put a tape inside, iMovie launches the tape and I get the image from the tape. I was pretty certain that the TRV-120 had the pass-through feature, having seen it mentioned on some reviews. Is there a special manipulation to do? Or do I need the sVHS cable? (would be weird).
  Otherwise, I tried the TRV950E as a converter. The only way I could make the link work through is by recording the analogue signal onto the camcorder tape. I thought it would be easier, am I missing something?
  Thanks in advance for your help!
  Paul

  In my unnEUtered Sony TRV320E Analog to DV passthrough goes like this:
  1. Take the tape out of the camcorder
  2. Connect the analog device's audio and video to the camcorder's minijack, use the S-Video jack for video if the output device supports S-Video
  3. Put the camcorder into VTR-mode
  4. Select A/V->DV out: ON, in VTR mode's menu choices
  5. Disable the info display on the the camcorder by toggling its DISPLAY button
  6. Put iMovie (or other DV application) to the Camera Mode
  The analog image should now appear on the camcorder's screen as well as on the iMovie's screen.
  Note that if you have a tape in the camcorder, you have to put the camcorder's VTR into REC mode (you may pause the tape) but this is not advisable because it produces wear to the tape.
  * Note that the SCART which comes with the European nEUtered TRV320E camcorder is Out-only.
  Notice that some analog to DV passthrough converters (like the TRV320E) don't work in iMovie HD 6.0.2 like they do in iMovie 4.0.1:
  http://www.sjoki.uta.fi/~shmhav/iMovieHD_6_bugs.html#analogDV

• TUNNEL UP BUT NO TRAFFIC PASSING THROUGH

  Hello, we have a customer that has been working with us like 1 month with no problem. We did a connection between a fortigate firewall and a Cisco 2811. Now the tunnel is up but no traffic is going and coming through it. I did remake the whole configuration for this costumer: Key, cryptomap and access-list. The tunnel comes up but again, no traffic is coming or going.
  Any hints ?
  Thanks.

  Hi,
  Below is an excellent document on Most Common L2L and Remote Access IPSec VPN Troubleshooting Solutions.
  http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
  If this doc does not help, do post your configuration along with the Src and Dest IP Addresses that you are trying to ping across the tunnel.
  Regards,
  Arul
  *Pls rate if it helps*

• High delay when traffic passes through the tunnel

  Hello,
  i have a dmvpn topology, .
  When i try to ping the real ip on the hub's outside interface from the spoke, the delay is approximately 100ms, but when i ping the tunnel ip address the delay becomes 4000ms.
  Your help is really appreciated

  Can you post the configuration?
  Did you set the MTU of the tunnel interface correctly?
  Also check the switching (CEF/Process Switching) configuration.
  Regards
  Farrukh

• Pass-through optimization

  I just upgraded our env from 3.3.1 to 3.4.2-patch05.
  I was intrigued by the following message in my log file.
  INFO | jvm 1 | 2009/06/19 23:43:02 | [INFO ] 2009-06-19 23:43:02.053/7571.909 Oracle Coherence GE 3.4.2/411p5 <Info> (thread=Proxy:ExtendTcpProxyService33:TcpAcceptorWorker:1, member=10): The cache "XYZ" does not support pass-through optimization for objects in internal format. If possible, consider using a different cache topology.
  I have no idea what it means...
  Any information about this appreciated.
  Thanks
  Sumax

  Hi Sumax,
  starting with 3.4.0 it is possible to configure your cache services and invocation services to store the data internally and communicate over the network in the POF format instead of the old Java serialization/ExternalizableLite format (EL from now on).
  Since from start the Coherence Extend clients used the POF format to communicate with the proxy, if EL was used as the serialization format within the service in the cluster, then the proxy node had to convert the data from EL to POF and vice versa. This required the deserialization of most data passing through the cluster (except for types that are known to both EL and POF... i.e. Strings and Java primitives). This was an expensive step in both CPU and memory terms.
  On the other hand, if you configured your service to use POF as its serialization format, then this conversion step is no more necessary, and the proxy can pass through the data from the service to the client in a streaming manner so the CPU cost is negligible and the memory cost is just a much smaller buffer size. This, along with the related effects of POF being used within the TCMP cluster as a storage and communication format is one of the greatest performance improvements the 3.4 release introduced.
  Obviously, if you just dropped in 3.4 jars instead of 3.3, then you did not configure the services to use POF.
  To configure so, you first have to ensure that all classes which are sent over the network are properly configured for POF serialization (they implement PortableObject or have a corresponding serializer and the user type is properly registered in pof-config.xml). Then you can enable the POF serialization either on a service by service basis (using the <serializer> element in the service configuration within the coherence-cache-config.xml). You can enable the POF format for all services with a single Java property (I don't know it off my head) but it is safer to go service by service.
  Best regards,
  Robert

• Web Pass-Through Does Not Redirect

  We have an issue in which when a client connects to the guest/pass-through WLAN, it does not automatically redirect to the "accept" page. Instead, it only works if you manually input an IP address into the web browser which will then bring up the "accept" page... then users can go ahead and surf the web. Does the controller forward DNS traffic in advance of a user clicking "accept"?

  I think I found part of the problem.
  We have two internal DNS servers and only one had "recursion" enabled. Even though both were in DHCP, it appears that the WLC was only allowing requests to one DNS server. (The one with recursion disabled.) For example: when connected to the guest WLAN, I was unable to run "nslookup" and resolve on both DNS servers. Only one server would respond... yet, as soon as an HTTP request is hijacked and I click the "accept" button, it allows me to run an "nslookup" against both DNS servers. I'm wondering if, for security purposes, if the controllers only allow DNS resolution requests to one IP initially until the "accept" button is clicked.

• How does client certificate get passed through TMG/ISA to destination server (eg. SCCM)?

  To avoid the 403.7 errors when the destination server requires certificate authentication, how does SSL bridging reverse proxy inspect the traffic for safety without breaking the certificate authentication?
  I'm not asking for specific configuration steps on this.  I just want an easy to understand overview on the process of how the laptop or smartphone authentication device certificate would pass through while TMG/ISA is still protecting the destination
  from attacks. 

  I'm not sure if SSL Bridging is the same with Cert Authentication,...but...
  The way it works when Bridging SSL for published SSL web sites is by the ISA having a copy of the same Cert used on the published site.  You buy the cert for the Site and install it on the web server and get it set up with the site,..then export it
  with the private key.  Take the exported Cert and install it on the TMG and configure it into the Web Publishing Rule.
  The SSL tunnel coming in terminates at the TMG,...meaning the SSL Tunnel was only between the user and the TMG (not between the user and the site as it would appear on the surface). Then the traffic is inspected or whatever would be intended to do with it.
  Then a new distinct independent SSL Tunnel is created between the TMG and the SSL Site and the traffic is passed on to the site at that point.  AFAIK, the Reverse Proxy only happens between the two tunnels while the traffic is unencrypted.

• Cisco ASA - Pass Through QoS Traffic

  Hi Sirs,
  Given the following topology:
       Switch - IP Phone (Branch) |----| Router |----| MPLS |----| Router |----| ASA |----| Switch - Voice Network (Head Office)
  My question, the ASA can impact the QoS traffic to pass through it?
  Thank you!
  Rafael Trujilho

  Hi Andrew,
  I want the ASA does NOT take any markings, NOT impacting the quality applied to voice traffic.
  Regards,
  Trujilho

• DMS Document upload: does it pass through sap DMS ?

  Dear All,
  We have a question concerning the transmission of documents from the client to DMS and the Content Server: does the document need to pass through the sap server ?
  Document upload (create document CV01N)
  Does the document go directly from the client to the Content server OR does it pass through the sap DMS before to be stored in the CS ?
  Document download (read document CV03N)
  Does the document go directly from the CS to the client OR does it pass through the sap DMS server ?
  This could be interesting to know for network performances.
  best regards,

  Hi Gurus
  is the cache server a default funtionality from the content server or any configuration is required from our part.
  is that the cache server acts as the RAM of our system?
  please explain the partitioning or biferfication of the Content server, as you told
  content server is divided into storage catagories and  this in turn in to content repositories,
  please  clarify below points,
  1)any server or PC can be made as Content server by insatalling the content server CD if iam right ?
  2) Practical and funtional benifits of partitioning content server into content repositories is it for authorization and storing data by naming convection or can it also help in copiying data from a specific content repository if needed, ( is content repositories a logical partition or practical partition like B,C,D, F drives of our PC hard disk)
  3) can /should there be multiple content server installation for a particular (production) client.
  4) Can Archiving  be done say by creating a separate content repository inside the same Content server, or is it mandatory to have a separate archiving server itself,
  please give some idea with examples
  Thanks and regards
  Kumar