Double tagged traffic on L3 Interface

Hello All,
Traffic tagged with outer vlan 3050 and inner vlan 350 isn't matching the following L3 interface configuration:
interface GigabitEthernet0/4/0/28.3050
vrf ABC
ipv4 address 20.0.0.11 255.255.255.0
encapsulation dot1q 3050
Even with no second tag configured, shouldn't the outer VLAN match VLAN 3050 configured on the interface?
Many thanks for your help!
David

Hello David,
Unambiguous VLAN definition works for L2 interfaces.
For L3 you should define the 2nd tag too.
interface GigabitEthernet0/4/0/28.3050
vrf ABC
ipv4 address 20.0.0.11 255.255.255.0
encapsulation dot1q 3050 second-dot1q 350
Regards,
/A
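An added example (not from the thread and not IOS XR code) that parses the tag stack of an Ethernet frame and checks it against an L3 subinterface encapsulation modelled on the reply above: the configured tag stack must equal the frame's tags exactly, so `encapsulation dot1q 3050` alone does not match a frame tagged 3050/350, while `dot1q 3050 second-dot1q 350` does. The MAC addresses, payload and test frames are constructed; the parser also pulls out PCP/DEI so the same routine can be pointed at a capture to see which tags are actually arriving on the port.

```python
"""Parse stacked 802.1Q tags and check them against an IOS XR style
'encapsulation dot1q OUTER [second-dot1q INNER]' definition (added example)."""
import struct
from dataclasses import dataclass
from typing import List, Optional

# TPIDs that introduce a VLAN tag: 802.1Q customer tag, 802.1ad service tag,
# and the pre-standard QinQ value still seen on some equipment.
TAG_TPIDS = {0x8100, 0x88A8, 0x9100}


@dataclass(frozen=True)
class VlanTag:
    tpid: int
    pcp: int  # 802.1p priority (3 bits)
    dei: int  # drop eligible indicator (1 bit)
    vid: int  # VLAN ID (12 bits)


@dataclass
class ParsedFrame:
    dst: bytes
    src: bytes
    tags: List[VlanTag]   # outer tag first
    ethertype: int        # ethertype of the payload after all tags
    payload: bytes


def parse_frame(frame: bytes) -> ParsedFrame:
    """Walk the tag stack after the MAC addresses until a non-tag ethertype."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    off = 12
    tags: List[VlanTag] = []
    while True:
        if off + 2 > len(frame):
            raise ValueError("frame truncated inside the tag stack")
        (ethertype,) = struct.unpack_from("!H", frame, off)
        if ethertype not in TAG_TPIDS:
            break
        if off + 4 > len(frame):
            raise ValueError("frame truncated inside a VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append(VlanTag(ethertype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        off += 4
    return ParsedFrame(frame[0:6], frame[6:12], tags, ethertype, frame[off + 2:])


@dataclass(frozen=True)
class L3Encapsulation:
    """Models the behaviour described in the reply: on an L3 subinterface the
    frame's tag stack must equal the configured stack exactly, so a one-tag
    definition does not match a two-tag frame."""
    outer: int
    inner: Optional[int] = None

    def configured_stack(self) -> List[int]:
        return [self.outer] if self.inner is None else [self.outer, self.inner]

    def matches(self, frame: ParsedFrame) -> bool:
        return [t.vid for t in frame.tags] == self.configured_stack()


def build_frame(vids: List[int], pcp: int = 0, ethertype: int = 0x0800,
                payload: bytes = b"\x45" + b"\x00" * 19) -> bytes:
    """Constructed test frame: dummy MACs, the given tag stack (outer first,
    all with TPID 0x8100), then a minimal dummy payload."""
    hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    for vid in vids:
        tci = (pcp << 13) | (vid & 0x0FFF)
        hdr += struct.pack("!HH", 0x8100, tci)
    return hdr + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    double = parse_frame(build_frame([3050, 350], pcp=5))   # the frame from the question
    single = parse_frame(build_frame([3050]))
    outer_only = L3Encapsulation(3050)          # encapsulation dot1q 3050
    both = L3Encapsulation(3050, 350)           # encapsulation dot1q 3050 second-dot1q 350
    print([(t.vid, t.pcp) for t in double.tags])              # [(3050, 5), (350, 5)]
    print(outer_only.matches(double), both.matches(double))   # False True
    print(outer_only.matches(single), both.matches(single))   # True False
```

The parser stops at the first non-tag ethertype, so a frame with three or more stacked tags is reported as such rather than silently truncated; when checking a capture, compare the full `tags` list against the configured stack rather than only the outermost VID.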

Similar Messages

  • How to make ASR9000 bridge domain forward traffic between sub interfaces of same physical interface?

    Hi,
    I regularly use bridge domains to connect sub interfaces on different vlans using this sort of configuration:
    interface GigabitEthernet0/0/0/5.21 l2transport
    description CUSTOMER A WAN
    encapsulation dot1q 21
    rewrite ingress tag pop 1 symmetric
    interface GigabitEthernet0/0/0/10.3122 l2transport
    description CUSTOMER A CORE
    encapsulation dot1q 3122
    rewrite ingress tag pop 1 symmetric
    l2vpn
    bridge group WANLINKS
      bridge-domain CUSTOMERA
       interface GigabitEthernet0/0/0/5.21
       interface GigabitEthernet0/0/0/10.3122
    When I try to use the same method to bridge two sub interfaces on the same physical interface so as to create a L2 VPN no data flows:
    interface GigabitEthernet0/0/0/5.21 l2transport
    description CUSTOMER A WAN
    encapsulation dot1q 21
    rewrite ingress tag pop 1 symmetric
    interface GigabitEthernet0/0/0/5.22 l2transport
    description CUSTOMER A WAN2
    encapsulation dot1q 22
    rewrite ingress tag pop 1 symmetric
    l2vpn
    bridge group WANLINKS
      bridge-domain CUSTOMERA
       interface GigabitEthernet0/0/0/5.21
       interface GigabitEthernet0/0/0/5.22
    If I add a BVI interface to the bridge domain then the CE devices at the remote end of the WAN interface can both ping the BVI IP but they remain unable to ping each other.
    Is this because tag rewrites are not happening since packets don't leave the physical interface?
    How can I work around this and establish a L2 connection between the two subinterfaces?
    Thank you

    A VLAN is usually the equivalent of an L3 subnet, so linking 2 VLANs together in the same bridge domain likely needs to come with some sort of routing (e.g. a BVI interface).
    If these 2 VLANs are still in the same subnet, then there is still ARP going on, from one host to the other, that traverses the BD.
    You will need to verify the state of the AC, the forwarding in the BD, and see if something gets dropped somewhere, and follow the generic packet troubleshooting guides (see support forums for that also).
    That might give a hint to what the precise issue in your forwarding is.
    regards
    xander

  • "mpls traffic eng passive-interface" mapping on XR

    Dears,
    On IOS for TE Inter-AS, the command "mpls traffic-eng passive-interface" is used on the Inter-AS link which isn't running IGP, so I am looking for the equivalent command on XR but I can't find it. Please advise what the equivalent command on XR is.
    Thanks

    Hello Amr,
    There is no equivalent command on IOS-XR. Are you trying to set up Inter-AS MPLS TE on XR? In IOS-XR, inter-AS tunnels are supported only by using verbatim path-options. Verbatim path-options are supported on both IOS and IOS-XR.
    HTH,
    Rivalino

  • How to monitor the traffic on network interface card NIC

    Hello friends,
    I'm doing a network-based project
    in which I need to calculate the incoming
    and outgoing traffic on a network interface.
    Can anyone help me regarding this...
    Any API that I can use? I know about JPCAP
    but am unable to use it in this respect...
    Thanks in advance

    Sorry for any mistake....
    I'm new to Java.
    Actually, using JPCAP we can capture the packets
    and process them... maybe save them to a file or something like that,
    but how to know the current incoming and outgoing traffic... on the NIC,
    and also how much it is capable of?
    Can you tell me any good tutorial?
    I really need to do that.
    Thanks for your concern

  • Routing traffic using 2 interfaces

    My question is: what's the best solution for routing internet traffic out one interface and production/management traffic out another interface, using a Cisco ISR 2900?

    You can use PBR.
    Here are 2 documents with examples:
    http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpbr_ps1835_TSD_Products_Configuration_Guide_Chapter.html
    https://supportforums.cisco.com/docs/DOC-1634
    HTH

  • Force http traffic to specific interface

    Just setup a 2801 router. We have a Serial interface card on it connected to a T1 and eth1 connected to DSL. We want to force web traffic (http, https, ftp) to use the DSL connection. I tried a simple access-list to allow http to the DSL and deny to the T1, however it didn't seem to work. Then I noticed that in the SDM it has "default" rules that always enable http. Do I need to disable the http server to get this access list to work or is there an easier way to force web traffic to a specific interface?
    Thanks in advance.

    I setup the route-map and access-list and applied it to FE 0/1 (DSL connection), however it still appears nothing is going through that interface. When I monitor it in the SDM, it shows 0% bandwidth usage.
    Just to double check I unplugged the DSL to see if web traffic stopped, but it was still going, I assume through the T1 at S 0/2/0.
    FE 0/0 goes to our fw, then to lan
    FE 0/1 goes to DSL
    S 0/2/0 goes to T1
    Here is my config:
    router#show run
    Building configuration...
    Current configuration : 4506 bytes
    ! Last configuration change at 10:29:45 MDT Fri Aug 4 2006 by admin
    ! NVRAM config last updated at 15:17:31 MDT Thu Aug 3 2006 by admin
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    boot-start-marker
    boot system flash c2801-ipbasek9-mz.124-8.bin
    boot-end-marker
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 51200 debugging
    logging console critical
    enable secret 5 $1$EWDt$pvWzeNhilneb/EUJosxlv0
    no aaa new-model
    resource policy
    clock timezone MDT -7
    clock summer-time MDT date Apr 6 2003 2:00 Oct 26 2003 2:00
    no ip source-route
    ip cef
    ip tcp synwait-time 10
    no ip bootp server
    ip name-server 198.60.22.2
    ip name-server 198.60.22.22
    username admin privilege 15 secret 5 $1$TF47$aa8RLf18isZxIwjOKfdmZ.
    interface FastEthernet0/0
    description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
    ip address 199.104.124.210 255.255.255.240
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip route-cache flow
    duplex auto
    speed auto
    no mop enabled
    interface FastEthernet0/1
    description $FW_OUTSIDE$$ETH-LAN$
    ip address 192.168.2.2 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip route-cache flow
    ip policy route-map toDSL
    duplex auto
    speed auto
    no mop enabled
    interface FastEthernet0/1/0
    interface FastEthernet0/1/1
    interface FastEthernet0/1/2
    interface FastEthernet0/1/3
    interface Serial0/2/0
    ip address 204.228.133.46 255.255.255.252
    interface Vlan1
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip flow egress
    ip route-cache flow
    ip route 0.0.0.0 0.0.0.0 204.228.133.45
    ip route 192.168.2.0 255.255.255.0 192.168.2.1
    no ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    logging trap debugging
    access-list 111 permit tcp any any eq www
    no cdp run
    route-map toDSL permit 1
    match ip address 111
    set ip next-hop 192.168.2.1
    control-plane
    banner login ^CAuthorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!^C
    line con 0
    login local
    transport output telnet
    line aux 0
    login local
    transport output telnet
    line vty 0 4
    exec-timeout 30 0
    privilege level 15
    login local
    transport input ssh
    transport output ssh
    line vty 5 15
    access-class 102 in
    privilege level 15
    login local
    transport input ssh
    scheduler allocate 20000 1000
    ntp clock-period 17178101
    ntp update-calendar
    ntp server 198.60.22.240 source Serial0/2/0
    end
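The effect of where `ip policy route-map` is bound, as an added example that is not part of the post or of Cisco's software: IOS consults a policy route-map only for packets received on the interface carrying `ip policy route-map`, and the posted config binds toDSL to FastEthernet0/1 (the DSL side) while LAN traffic enters on FastEthernet0/0. The model below uses the posted access-list 111, route-map toDSL and default route as data; the LAN host, the web server and the alternative placement on FastEthernet0/0 are constructed assumptions. It also shows that `eq www` is TCP/80 only, so the HTTPS and FTP sample flows are not policy-routed even where the policy is consulted. NAT and the return path are out of scope for the model.

```python
"""Model of how IOS evaluates 'ip policy route-map', using pieces of the 2801
configuration from the post above as data (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class AclEntry:
    action: str                 # "permit" or "deny"
    proto: str
    dst_port: Optional[int]     # None matches any destination port


def acl_matches(acl: List[AclEntry], pkt: Packet) -> bool:
    """Extended ACL as used by the post: first matching entry wins, implicit
    deny at the end. Only protocol and destination port are modelled, because
    that is all access-list 111 tests."""
    for ace in acl:
        if ace.proto == pkt.proto and ace.dst_port in (None, pkt.dst_port):
            return ace.action == "permit"
    return False


@dataclass(frozen=True)
class RouteMapEntry:
    acl: str
    next_hop: str


@dataclass
class Router:
    acls: Dict[str, List[AclEntry]]
    route_maps: Dict[str, List[RouteMapEntry]]
    policy_on: Dict[str, str]   # interface -> route-map bound with 'ip policy route-map'
    default_next_hop: str       # from 'ip route 0.0.0.0 0.0.0.0 ...'

    def forward(self, pkt: Packet, ingress: str) -> Tuple[str, str]:
        """Return (decision, next_hop). A route-map bound with
        'ip policy route-map' is consulted only for packets received on that
        interface; everything else follows the routing table."""
        rm_name = self.policy_on.get(ingress)
        if rm_name is not None:
            for entry in self.route_maps[rm_name]:
                if acl_matches(self.acls[entry.acl], pkt):
                    return ("policy-routed", entry.next_hop)
        return ("routing-table", self.default_next_hop)


def router_from_post(policy_interface: str) -> Router:
    """access-list 111, route-map toDSL and the default route from the posted
    config; policy_interface is where 'ip policy route-map toDSL' is bound."""
    return Router(
        acls={"111": [AclEntry("permit", "tcp", 80)]},   # 'eq www' is TCP/80 only
        route_maps={"toDSL": [RouteMapEntry("111", "192.168.2.1")]},
        policy_on={policy_interface: "toDSL"},
        default_next_hop="204.228.133.45",
    )


# Constructed sample flows: a LAN host on FastEthernet0/0 talking to a web server.
LAN_HOST, WEB_SERVER = "199.104.124.211", "203.0.113.10"
FLOWS = {
    "http": Packet(LAN_HOST, WEB_SERVER, "tcp", 80),
    "https": Packet(LAN_HOST, WEB_SERVER, "tcp", 443),
    "ftp": Packet(LAN_HOST, WEB_SERVER, "tcp", 21),
}


def decisions(policy_interface: str) -> Dict[str, Tuple[str, str]]:
    """Forwarding decision for each sample flow entering on FastEthernet0/0."""
    r = router_from_post(policy_interface)
    return {name: r.forward(pkt, "FastEthernet0/0") for name, pkt in FLOWS.items()}


if __name__ == "__main__":
    # As posted: the policy sits on FastEthernet0/1, which LAN traffic never enters.
    print(decisions("FastEthernet0/1"))
    # Hypothetical placement on the LAN-facing interface: only TCP/80 is caught.
    print(decisions("FastEthernet0/0"))
```

The two printed dictionaries differ only in the `http` entry, which is the whole point: the interface binding decides whether the route-map is evaluated at all, and the ACL decides which of the evaluated flows are redirected.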

  • QoS for voice tagged traffic

    I am trying to confirm my assumption that given voice traffic arriving at an AP or wireless bridge is already tagged with COS (and TOS) precedence, the wireless device will properly deal with it by default.
    It appears from the documentation, but isn't explicitly stated, that the only QoS configuration required is to classify and tag (COS) packets. If they are tagged already, no configuration is required.
    Is this correct?
    Also, are COS precedence values preserved across a wireless bridge link, or must they be re-tagged at the far end?

    Hi there,
    in "Configuring QoS" of the Aironet 1310 Configuration Guide
    http://www.cisco.com/en/US/products/ps5861/products_configuration_guide_chapter09186a00804ed713.html
    it reads:
    "Precedence of QoS Settings
    When you enable QoS, the access point/bridge queues packets based on the Layer 2 class of service value for each packet. The access point/bridge applies QoS policies in this order:
    1. Packets already classified—When the access point/bridge receives packets from a QoS-enabled switch or router that has already classified the packets with non-zero 802.1Q/P user_priority values, the access point/bridge uses that classification and does not apply other QoS policy rules to the packets. An existing classification takes precedence over all other policies on the access point/bridge.
    Note Even if you have not configured a QoS policy, the access point always honors tagged 802.1P packets that it receives over the radio interface."
    Hope this helps
    Martin

  • IDSM missing traffic on trunk interface

    Hi
    I have a scenario where an IDSM with IPS 6 is triggering on traffic from a non-trunk interface but not when the same traffic passes over another VLAN on a trunk.
    Monitor setup is like this
    monitor session 10 source interface Gi1/2
    monitor session 10 source interface Gi7/1
    monitor session 10 filter vlan 22 - 23 , 208
    monitor session 10 destination intrusion-detection-module 5 data-port 1
    where 1/2 is the non-trunk interface and 7/1 is the trunk. Traffic from VLAN 23 is firewalled/NATed and sent out on VLAN 208 towards our edge network.
    The exact case is that when I browse an external web site with SQL code in the HTML I get an SQL Injection alert from VLAN 208 only. I never get the alert for the same traffic passing behind the firewall over the trunk. When I set a sniffer as source for the SPAN session I see the HTTP request with the SQL code passing through the trunk interface as well as VLAN 208.
    Am I missing something here? Shouldn't an IPS report ALL occurrences of bad traffic?
    Regards
    Fredrik Hofgren

    What has to be upgraded, the Catalyst IOS or the software on the IDSM? Our Catalyst has IOS 12.2(18)SXF5 and the IDSM the latest version 6.0(3)E1.
    It seems odd that it would be a problem with missing VLAN tags. When I set the IDSM to manually capture traffic from an IP in the inside VLAN passing over the trunk the VLAN tag is present when I view the packets in Ethereal.
    /Fredrik

  • Possible to segment traffic between 2 interfaces? And other questions...

    I would like to set my G5 up as a server utilizing a second connection and to keep traffic separated between this server connection and my regular internet connection (which would be wireless). I'm pretty sure this alone is fairly straightforward and can be accomplished by setting up the new interface and moving it down to the bottom of the connection list with wireless at the top. That should keep all non-specific traffic from flowing out the ethernet/server connection - I think.
    If the above works the way I stated then I would also want to firewall ONLY the ethernet/server connection (the wireless has its own hardware firewall). AND - this is the tricky part - I also want to add a fake interface that has a fake IP and bind that to the "real" ethernet/server connection. The reason for that is because I need a static IP to bind the service to. I know if the connection list thing works to flow the traffic that if I had an external router on the server connection, this wouldn't be needed. I'd already have a fake IP to bind to and I wouldn't have to run the firewall on the Mac. But I don't and I'd rather not have to buy one.
    So can this be done through the network/sharing preference panes? If so, are there any "gotchas" I should be aware of? If not, is there any software tool out there that would make setting this up easier/faster? I'm not opposed to doing it all via command line, but I'm a bit rusty with my linux/unix admin knowledge. Plus I'm not 100% certain how to set all that up command line wise without screwing up OS X!
    Thanks.

    I'm not sure I fully understand what you are attempting to accomplish. Let's see if I have the general idea.
    You have a single G5 that you want to use as both your desktop machine and also to provide specific services, such as web, email, etc.
    You have some type of hardware firewall/security appliance.
    You have some type of wireless access point.
    You don't seem to have any type of router or switch in your configuration.
    You want all of your server-based traffic to be sent and received on its own Ethernet port. You want your personal Internet traffic to be sent and received on your wireless connection.
    So my questions are:
    Where is the server traffic going to, coming from? Who is accessing the server, is it users on the Internet, or just computers on your own LAN (which you didn't mention)?
    If your server is to allow data from or send to the Internet, then you need to have a way to route the traffic there. Do you have more than one method to access the Internet, or will all traffic, both personal and server, be going through the same Internet access pipe?
    If it is all going through the same pipe, and you only have the single computer, I don't understand why you wish to segment the traffic.
    If on the other hand you have multiple computers on your LAN, then segmenting traffic may make sense. This would allow access to your server and keep your LAN well secured.
    Anyway, to get to specifics, you'll need to use the Terminal app to bind specific services to specific IPs and ports on your Mac. You will also need to manually configure the firewall to be able to select specific connection ports and bindings. However, while I think it can be done, I'm not sure it makes a great deal of sense.
    I would be more inclined to suggest a router or switch that can provide VLAN support, or a router that provides true DMZ support, would be a good way to go.
    Anyway, a little more info would be helpful.
    Oh, and if I have this totally wrong in what I think you're doing.. my mistake.
    Tom N.

  • WCCP on ASA & traffic between physical interfaces on ASA

    Hello,
    I am trying to get WCCP working on the ASA for WAAS implementation. Here is a simple snapshot of my config:
    Eth 0/0 : Outside (to internet)
    Eth 0/1 : Vlan1 (20.20.0.0/16) (trunk port to remote office LAN)
    Eth 0/1.211 : Vlan211 (20.21.10.0/24)
    Eth 0/1.212 : Vlan212 (20.21.20.0/24)
    Eth 0/1.220 : Vlan220 (20.22.0.0/16)
    Eth 0/2 : WAAS (20.21.30.0/24)
    I have the site to site tunnel working. I can ping the WAAS device from the other end of the tunnel but I cannot ping it from the 20.20.0.0/16 network. I have enabled traffic between interfaces on same security level as WAAS and LAN have same security.
    I get this error message:
    3 Feb 12 2007 17:54:05 305006 20.20.10.101 portmap translation creation failed for icmp src WAAS:20.21.30.230 dst LAN:20.20.10.101 (type 8, code 0)
    How can I fix this?
    My second question is regarding WCCP on ASA. Here is the WCCP part of the config I have:
    wccp 61 redirect-list WCCP_To_LAN
    wccp 62 redirect-list WCCP_To_WAN
    wccp interface outside 62 redirect in
    wccp interface LAN 61 redirect in
    access-list WCCP_To_LAN extended permit ip any 20.20.0.0 255.252.0.0
    access-list WCCP_To_WAN extended permit ip 20.20.0.0 255.252.0.0 any
    I am not seeing any packets being redirected to the WAE. I once changed the access lists to 'any any' and I saw some packets but I couldn't ping or telnet to the remote site. Could it be a loop? Is there any way to exclude traffic to avoid loop?
    Thanks
    Ankit

    Come on guys,
    Am I doing something wrong here?
    No one replies to my posts. I had the same experience with the previous one.
    Is this not the right forum for this query???
    Ankit

  • Switch sending tcp traffic to incorrect interface

    Need help diagnosing a layer 2 networking issue. We had a report from an end user of slow file server access from his computer but local applications were responding normally. No one else was having issues in his area. Port mirrored the employee's access port (Gi1/0/33) and noticed traffic from another computer crossing onto his port. Our design is to have one computer per port. This traffic was not intended for his computer as it was another employee opening and closing files on the file server (file server located on another switch). Checked the MAC address table and his MAC address was the only one associated with the port. Traced the 2nd employee's MAC address to a neighboring port (Gi1/0/35). The only MAC address associated with Gi1/0/35 was the 2nd employee's. Cleared the MAC address entry for Gi1/0/33 only and the extra traffic was eliminated immediately.
    Why would a switch send tcp traffic to a port that a client does not communicate on? I asked the second employee if they noticed any issue in accessing the file server and none were reported.  Switch is a 3750x with version 12.2. 

    I've been double checking everything this morning and I feel we were not attacked. All the MAC addresses in my capture are valid system addresses. ISE does not show any authorized machines attempting to connect to the switch. We have DHCP snooping enabled throughout the organization. That was a great article to learn from though.
    I've included a visio of the setup and a snippet of the wire capture and arp/mac tables as were captured during the incident. Traffic from the fileserver intended for employee 2 was flooding the port employee 1 was connected on. The destination MAC address of the packets were not meant for employee 1. 
    Default config for both ports:
     switchport access vlan 101
     switchport mode access
     ip access-group ACL_DEFAULT in
     authentication event fail action next-method
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication violation restrict
     mab
     snmp trap mac-notification change added
     snmp trap mac-notification change removed
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    Am I missing something? Was this an attack? Was it a fluke? 

  • Slow tcp traffic over ge0 interface

    I have a server that while using ge0 for UDP traffic uses the full bandwidth, but for TCP it is slow as hell.... ttcp is showing how slow it is, in the kbps rather than mbps. I want to know if there is a specific patch to fix this.


  • Calculate traffic amount on interface

    Team:
    I have not deployed any monitoring software yet; however, Cacti is in the works. But is it possible to change ‘five minute input rate / five minute output rate’ time interval from 5 min to secs and get an accurate account of traffic going over a FastEthernet interface? Would I choke the hardware (3750) if I can change this attribute? Would this be a good method to see the load/traffic values in real time?
    BACKGROUND:
    The server team has deployed a new SQL server, and the DB devs are complaining that it is slow. I am suspecting that more traffic is going over the interfaces than what the 'server team' and 'db devs' indicated because they know I would raise a stink. I do not have access to the database server, nor the other end, yet I have access to the network gear between the points.
    Since I have never faced this type of issue, or problem – I need some direction and/or suggestions on how to troubleshoot this type of issue.
    Thanks
    JJ

    Hi Jason,
    Issue the command load-interval 30 on the interface and it will start displaying the input/output rate over 30 secs.
    This won't impact the efficiency of the switch..
    For further troubleshooting of the issue check for any output drops/ input errors/crc in the show interface fax/y output.
    Thanks
    Ankur
    "Please rate the post if found useful"

  • Limit traffic on router interface

    Dear all,
    How can I limit upload/download bandwidth on a router interface?
    please help me
    thanks with regards
    vikas kumar

    HI,
    You can police the traffic in ingress/egress, but the support may depend on your hardware. Please refer to the following link for more information:
    http://www.cisco.com/en/US/partner/docs/ios/qos/configuration/guide/polcing_shping_oview_ps6350_TSD_Products_Configuration_Guide_Chapter.html
    HTH
    Laurent.

  • Relay traffic out same interface

    Is it possible to relay traffic out of the same interface?  For instance we have a computer on the Internet that only is accessible from our network.  I'd like users to connect to our network, look at the ACL, and then connect to the remote computer.  So basically I'm going right back out the same interface.  VPN->outside interface->Internet.  I'd still want split tunneling to be enabled and have this apply to only a specific IP or subnet.   Is this possible?

    This is the packet tracer result:
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         outside
    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         outside
    Phase: 3
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    I can see the traffic coming from the VPN client to the IP, so the route is working.  I get a teardown and built message in the log, but nothing saying the traffic is denied.
    I think this info should cover what you're looking for:
    group-policy GroupPolicy_ZSSL attributes
    wins-server none
    dns-server value 192.168.1.8 192.168.1.47
    vpn-tunnel-protocol ikev2 ssl-client
    default-domain value company.com
    webvpn
    anyconnect profiles value ZSSL_client_profile type user
    username company password xxxxxxxxxxxxxx encrypted privilege 15
    tunnel-group companyVPN type remote-access
    tunnel-group companyVPN general-attributes
    address-pool VPNPool
    authentication-server-group MicrosoftIAS LOCAL
    accounting-server-group MicrosoftIAS
    default-group-policy companyVPN
    password-management
    tunnel-group companyVPN ipsec-attributes
    ikev1 pre-shared-key *****
