IDSM missing traffic on trunk interface
Hi
I have a scenario where an IDSM with IPS 6 is triggering on traffic from a non-trunk interface but not when the same traffic passes over another VLAN on a trunk.
Monitor setup is like this
monitor session 10 source interface Gi1/2
monitor session 10 source interface Gi7/1
monitor session 10 filter vlan 22 - 23 , 208
monitor session 10 destination intrusion-detection-module 5 data-port 1
where 1/2 is the non-trunk interface and 7/1 is the trunk. Traffic from VLAN 23 is firewalled/NATed and sent out on VLAN 208 towards our edge network.
The exact case is that when I browse an external web site with SQL code in the HTML I get an SQL Injection alert from VLAN 208 only. I never get the alert for the same traffic passing behind the firewall over the trunk. When I set a sniffer as source for the SPAN session I see the HTTP request with the SQL code passing through the trunk interface as well as VLAN 208.
Am I missing something here? Shouldn't an IPS report ALL occurrences of bad traffic?
Regards
Fredrik Hofgren
What has to be upgraded, the Catalyst IOS or the software on the IDSM? Our Catalyst has IOS 12.2(18)SXF5 and the IDSM the latest version 6.0(3)E1.
It seems odd that it would be a problem with missing VLAN tags. When I set the IDSM to manually capture traffic from an IP in the inside VLAN passing over the trunk the VLAN tag is present when I view the packets in Ethereal.
/Fredrik
Similar Messages
-
Revision: 16142
Author: [email protected]
Date: 2010-05-16 14:21:40 -0700 (Sun, 16 May 2010)
Log Message:
Insync Refactorings, Module lib: Added missing parameters from IModuleInfo interface. Maven: Take Persistence out.
Modified Paths:
cairngorm3/trunk/libraries/Module/src/com/adobe/cairngorm/module/ModuleInfo.as
cairngorm3/trunk/libraries/ModuleTest/.actionScriptProperties
cairngorm3/trunk/libraries/lib-parent/pom.xml
cairngorm3/trunk/samples/insync/insync-basic/src/InsyncContext.mxml
cairngorm3/trunk/samples/insync/insync-basic/src/insync/application/RefreshSearchAfterSaveController.as
cairngorm3/trunk/samples/insync/insync-basic/src/insync/presentation/ContactList.mxml
cairngorm3/trunk/samples/insync/insync-basic/src/insync/presentation/ContactsNavigator.mxml
cairngorm3/trunk/samples/insync/insync-basic/src/insync/presentation/PictureInput.mxml
cairngorm3/trunk/samples/insync/insync-basic/src/insync/presentation/Toolbar.mxml
cairngorm3/trunk/samples/insync/insync-basic/src/insync/presentation/ToolbarPM.as
cairngorm3/trunk/samples/insync/insync-basic/test/insync/application/RefreshSearchAfterSaveControllerTest.as
cairngorm3/trunk/samples/insync/insync-basic/test/insync/presentation/ToolbarPMTest.as
cairngorm3/trunk/samples/insync/insync-modularExtended-contacts/.actionScriptProperties
cairngorm3/trunk/samples/insync/insync-modularExtended-contacts/src/insync/contacts/application/RefreshSearchAfterSaveController.as
cairngorm3/trunk/samples/insync/insync-modularExtended-contacts/src/insync/contacts/presentation/ContactFormPM.as
cairngorm3/trunk/samples/insync/insync-modularExtended-contacts/src/insync/contacts/presentation/PictureInput.mxml
cairngorm3/trunk/samples/insync/insync-modularExtended-contacts/test/insync/contacts/application/RefreshSearchAfterSaveControllerTest.as
cairngorm3/trunk/samples/insync/insync-modularExtended-expenses/.actionScriptProperties
cairngorm3/trunk/samples/insync/insync-modularExtended-expenses/src/ExpensesModule.mxml
cairngorm3/trunk/samples/insync/insync-modularExtended-expenses/src/ExpensesModuleRig.mxml
cairngorm3/trunk/samples/insync/insync-modularExtended-expenses/src/ExpensesRigContext.mxml
cairngorm3/trunk/samples/insync/insync-modularExtended-messaging/.actionScriptProperties
cairngorm3/trunk/samples/insync/insync-modularExtended-messaging/src/ComposeMessageModule.mxml
cairngorm3/trunk/samples/insync/insync-modularExtended-messaging/src/ComposeMessageModuleRig.mxml
cairngorm3/trunk/samples/insync/insync-modularExtended-messaging/src/ComposeMessageModuleRigContext.mxml
cairngorm3/trunk/samples/insync/insync-modularExtended-shell/src/insync/application/ComposeMessageController.as
cairngorm3/trunk/samples/insync/insync-modularExtended-shell/src/insync/presentation/ContentViewStack.mxml
cairngorm3/trunk/samples/insync/insync-modularExtended-shell/src/insync/presentation/Toolbar.mxml
cairngorm3/trunk/samples/insync/insync-modularExtended-shell/src/insync/presentation/ToolbarPM.as
cairngorm3/trunk/samples/insync/insync-modularExtended-shell/test/insync/presentation/ToolbarPMTest.as -
"mpls traffic eng passive-interface" mapping on XR
Dears,
On IOS for TE Inter-AS, the command "mpls traffic-eng passive-interface" is used on the Inter-AS link which isn't running an IGP, so I am looking for the equivalent command on XR but I can't find it. Please advise what the equivalent command on XR is.
Thanks
Hello Amr,
There is no equivalent command on IOS-XR. Are you trying to set up Inter-AS MPLS TE on XR? In IOS-XR, inter-AS tunnels are supported only by using verbatim path-options. Verbatim path-options are supported on both IOS and IOS-XR.
HTH,
Rivalino -
How to monitor the traffic on network interface card NIC
hello friends
I'm doing a network based project
in which I need to calculate the incoming
and outgoing traffic on a network interface
Can anyone help me regarding this...
any API that I can use, I know about JPCAP
but unable to use that in this respect...
Thanks in advance
sorry for any mistake....
I'm new to java
Actually using JPCAP we can capture the packets
and process them..may save to file or something like that
but how to know the current incoming and outgoing traffic...on NIC
and also how much it is capable of...
can you tell me any good tutorial
I really need to do that
thanks for concern -
Routing traffic using 2 interfaces
My question is: what's the best solution for routing internet traffic out one interface and production/management traffic out another interface, using a Cisco ISR 2900?
You can use PBR.
Here are 2 documents with examples:
http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpbr_ps1835_TSD_Products_Configuration_Guide_Chapter.html
https://supportforums.cisco.com/docs/DOC-1634
HTH -
Switches lose connection on trunk interface but still turn on
Dear Friends,
Since a week ago I have problems with 4 or 5 access switches that randomly lose the connection on the trunk interface. The LED on the trunk interface turns off and I have to go to the site and turn the switches off manually and then on again to re-establish the connection. Before turning off the switches the logs show:
Jan 11 09:23:55.155: %SW_MATM-4-MACFLAP_NOTIF: Host fc99.471f.23bf in vlan 174 is flapping between port Gi1/0/4 and port Gi1/0/11
Jan 11 09:23:55.255: %SW_MATM-4-MACFLAP_NOTIF: Host e490.699f.86fe in vlan 117 is flapping between port Gi1/0/4 and port Gi1/0/11
Jan 11 09:23:55.591: %SW_MATM-4-MACFLAP_NOTIF: Host e41f.1377.3d65 in vlan 413 is flapping between port Gi1/0/4 and port Gi1/0/11
Jan 11 09:23:55.625: %SW_MATM-4-MACFLAP_NOTIF: Host f0f7.55b6.3f68 in vlan 413 is flapping between port Gi1/0/4 and port Gi1/0/11
Jan 11 09:23:55.759: %SW_MATM-4-MACFLAP_NOTIF: Host 0040.8cf5.5eb0 in vlan 113 is flapping between port Gi1/0/4 and port Gi1/0/11
Jan 11 09:23:56.589: %SW_MATM-4-MACFLAP_NOTIF: Host 0016.6c78.c1f4 in vlan 170 is flapping between port Gi1/0/4 and port Gi1/0/11
Jan 11 09:23:56.589: %SW_MATM-4-MACFLAP_NOTIF: Host 0016.6c76.a951 in vlan 170 is flapping between port Gi1/0/4 and port Gi1/0/11
Jan 11 09:23:57.806: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
This is common in all the switches that lost connection. The MACs are different in all switches so I cannot tell if there is a specific host that causes the problem. Please help.
Hi Reza,
Both ports are trunk.
interface GigabitEthernet1/0/4
switchport trunk encapsulation dot1q
switchport mode trunk
interface GigabitEthernet1/0/11
switchport trunk encapsulation dot1q
switchport mode trunk
Any idea? -
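Added example (mine, not code from the post or its replies): a Python triage of the %SW_MATM-4-MACFLAP_NOTIF lines quoted above. It groups flaps by the pair of ports involved and separates a burst of many hosts in several VLANs flapping between one pair of trunk ports (what a loop or a second unblocked path between two switches produces) from a single MAC flapping on its own (a moved station or a duplicated/spoofed address). The thresholds and the last sample line are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# One %SW_MATM-4-MACFLAP_NOTIF line as IOS prints it (the timestamp carries no year).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d{1,6}): "
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"in vlan (?P<vlan>\d+) is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)$"
)


def parse_macflap(line):
    """Return a dict for a MACFLAP line, None for any other syslog line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f"),
        "mac": m["mac"],
        "vlan": int(m["vlan"]),
        # Sort the pair so A<->B and B<->A land in the same bucket.
        "ports": tuple(sorted((m["p1"], m["p2"]))),
    }


def analyze_flaps(lines, window_s=5.0, min_hosts=3, min_vlans=2):
    """Group flaps per port pair and say what the pattern looks like.

    Many hosts in several VLANs flapping between the same two ports within
    window_s seconds is what a loop or a second, unblocked path between two
    switches produces (both ports in the post are trunks). A single MAC
    flapping on its own is a moved station or a duplicated/spoofed address
    and should be chased as that host. Thresholds are assumptions, not IOS
    defaults.
    """
    by_pair = defaultdict(list)
    for line in lines:
        ev = parse_macflap(line)
        if ev is not None:
            by_pair[ev["ports"]].append(ev)
    findings = []
    for ports, evs in sorted(by_pair.items()):
        evs.sort(key=lambda e: e["ts"])
        hosts = {e["mac"] for e in evs}
        vlans = sorted({e["vlan"] for e in evs})
        span = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()
        if len(hosts) >= min_hosts and len(vlans) >= min_vlans and span <= window_s:
            verdict = "probable loop or duplicate path between these ports"
        elif len(hosts) == 1:
            verdict = "single host: moved station or duplicate/spoofed MAC"
        else:
            verdict = "several hosts but spread out: look for an intermittent loop"
        findings.append({"ports": ports, "hosts": len(hosts), "vlans": vlans,
                         "span_s": span, "verdict": verdict})
    return findings


# Constructed sample: the seven flap lines quoted in the post (each joined back
# onto one line), the LINEPROTO line that followed them, and one unrelated
# single-host flap invented for contrast.
SAMPLE_LOG = """\
Jan 11 09:23:55.155: %SW_MATM-4-MACFLAP_NOTIF: Host fc99.471f.23bf in vlan 174 is flapping between port Gi1/0/4 and port Gi1/0/11
Jan 11 09:23:55.255: %SW_MATM-4-MACFLAP_NOTIF: Host e490.699f.86fe in vlan 117 is flapping between port Gi1/0/4 and port Gi1/0/11
Jan 11 09:23:55.591: %SW_MATM-4-MACFLAP_NOTIF: Host e41f.1377.3d65 in vlan 413 is flapping between port Gi1/0/4 and port Gi1/0/11
Jan 11 09:23:55.625: %SW_MATM-4-MACFLAP_NOTIF: Host f0f7.55b6.3f68 in vlan 413 is flapping between port Gi1/0/4 and port Gi1/0/11
Jan 11 09:23:55.759: %SW_MATM-4-MACFLAP_NOTIF: Host 0040.8cf5.5eb0 in vlan 113 is flapping between port Gi1/0/4 and port Gi1/0/11
Jan 11 09:23:56.589: %SW_MATM-4-MACFLAP_NOTIF: Host 0016.6c78.c1f4 in vlan 170 is flapping between port Gi1/0/4 and port Gi1/0/11
Jan 11 09:23:56.589: %SW_MATM-4-MACFLAP_NOTIF: Host 0016.6c76.a951 in vlan 170 is flapping between port Gi1/0/4 and port Gi1/0/11
Jan 11 09:23:57.806: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
Jan 11 09:41:02.010: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 10 is flapping between port Gi1/0/20 and port Gi1/0/21
""".splitlines()

if __name__ == "__main__":
    for f in analyze_flaps(SAMPLE_LOG):
        print(f"{f['ports'][0]} <-> {f['ports'][1]}: {f['hosts']} host(s), "
              f"vlans {f['vlans']}, {f['span_s']:.3f}s: {f['verdict']}")
```

Feed it `show logging` output from each affected switch; a pair of trunk ports that keeps scoring as a loop across several switches points at the uplink topology rather than at any one host.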
Fiber refusing to pass layer 3 traffic / Copper trunk works
Hello everyone
crazy issue here.. everything looks like it should be working but doesn't!
A summary would be: our 3750 switches will not trunk over fiber (SM or MM) to our core 6500. They work just fine over copper.
The funny thing is, ONE 3750 works over a SM fiber run.
Our goal is to have redundancy to all switches, 1x copper trunk and 1x fiber trunk. running spanning tree mode rapid-pvst. VTP mode transparent (all VLANs are created manually on all switches --- they exist.)
However, the fiber trunks on 2 switches will only pass layer 2 (CDP neighbor has full detail, mac address-table builds off the 6500) but will not ping the directly connected 6500. We are using Cisco brand SFP/GBICs GLC-SX-MM & GLC-LH-SM (we are sure the correct SFP is used with the correct fiber type).
debug arp / debug ip packet shows Switch B & C never actually learn the core's MAC address and tie it to the IP of 153.29.45.1. All switches have a default gateway of 153.29.45.1.
SWITCH A :
interface GigabitEthernet1/0/48
description CopperTrunk-to-Core
switchport trunk encapsulation dot1q
switchport trunk native vlan 48
switchport trunk allowed vlan 37,48,172
switchport mode trunk
interface GigabitEthernet1/1/1
description FiberTrunk-to-Core
switchport trunk encapsulation dot1q
switchport trunk native vlan 48
switchport trunk allowed vlan 37,48,172
switchport mode dynamic desirable
interface Vlan48
ip address 153.29.45.67 255.255.255.192
no ip redirects
no ip proxy-arp
SWITCH B:
interface GigabitEthernet1/1/1
description FiberTrunk-to-Core
switchport trunk encapsulation dot1q
switchport trunk native vlan 47
switchport trunk allowed vlan 37,47,172
switchport mode trunk
interface GigabitEthernet2/0/48
description CopperTrunk-to-Core
switchport trunk encapsulation dot1q
switchport trunk native vlan 47
switchport trunk allowed vlan 37,47,172
interface Vlan47
ip address 153.29.45.8 255.255.255.224
no ip redirects
no ip proxy-arp
SWITCH C:
interface GigabitEthernet1/0/48
description CopperTrunk-to-Core
switchport trunk encapsulation dot1q
switchport trunk native vlan 48
switchport trunk allowed vlan 37,48,172
switchport mode trunk
interface GigabitEthernet1/1/1
description FiberTrunk-to-Core
switchport trunk encapsulation dot1q
switchport trunk native vlan 48
switchport trunk allowed vlan 37,48,172
switchport mode trunk
interface Vlan48
ip address 153.29.45.81 255.255.255.192
no ip redirects
no ip proxy-arp
CORE(6500):
interface GigabitEthernet2/40
description Switch_B_Copper
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 47
switchport trunk allowed vlan 37,47,172
switchport mode trunk
interface GigabitEthernet2/43
description Switch_A_Copper
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 48
switchport trunk allowed vlan 37,48,172
switchport mode trunk
interface GigabitEthernet2/40
description Switch_C_Copper
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 48
switchport trunk allowed vlan 37,48,172
switchport mode trunk
interface GigabitEthernet3/43
description Switch_A_Fiber
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 48
switchport trunk allowed vlan 37,48,172
switchport mode trunk
interface GigabitEthernet3/40
description Switch_B_Fiber
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 47
switchport trunk allowed vlan 36,37,47,172,500
switchport mode trunk
interface GigabitEthernet3/44
description Switch_C_Fiber
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 48
switchport trunk allowed vlan 37,48,172
switchport mode trunk
interface Vlan47
description Internal_Management
ip address 153.29.45.1 255.255.255.224
no ip redirects
no ip proxy-arp
interface Vlan48
description Management
ip address 153.29.45.65 255.255.255.192
Summary: copper links work fine on all 3 switches. switch A & B refuse to pass layer 3 data on Fiber trunks. all were recently updated to version 12.2(53r) SE2 (c3740e-universalk9-mz.122-55.SE8.bin). Core is on 12.2 (33) SXI12 (s72033-adventerprisek9_wan-mz.122-33.SXI12.bin).
Any suggestions are appreciated.
Leo: here ya go
GigabitEthernet3/43 is up, line protocol is up (connected)
Hardware is C6k 1000Mb 802.3, address is 2894.0f57.437a (bia 2894.0f57.437a)
Description: FiberTrunk-to-SwitchA
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 1000Mb/s, media type is LH
input flow-control is off, output flow-control is off
Clock mode is auto
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:08, output 00:00:24, output hang never
Last clearing of "show interface" counters never
Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 191000 bits/sec, 67 packets/sec
5 minute output rate 752000 bits/sec, 112 packets/sec
92584292 packets input, 25411211351 bytes, 0 no buffer
Received 315527 broadcasts (83158 multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
148923032 packets output, 114663742745 bytes, 0 underruns
0 output errors, 0 collisions, 6 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
GigabitEthernet6/1 is down, line protocol is down (notconnect)
Hardware is C6k 1000Mb 802.3, address is 001a.a22d.6984 (bia 001a.a22d.6984)
Description: FiberTestPort
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 0/255, rxload 0/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 1000Mb/s, media type is LH
input flow-control is off, output flow-control is off
Clock mode is auto
ARP type: ARPA, ARP Timeout 04:00:00
Last input 01:52:33, output 01:51:56, output hang never
Last clearing of "show interface" counters never
Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
218 packets input, 26637 bytes, 0 no buffer
Received 182 broadcasts (63 multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
9476 packets output, 1084062 bytes, 0 underruns
0 output errors, 0 collisions, 3 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
let me know if you'd like to see anything else. -
WCCP on ASA & traffic between physical interfaces on ASA
Hello,
I am trying to get WCCP working on the ASA for WAAS implementation. Here is a simple snapshot of my config:
Eth 0/0 : Outside (to internet)
Eth 0/1 : Vlan1 (20.20.0.0/16) (trunk port to remote office LAN)
Eth 0/1.211 : Vlan211 (20.21.10.0/24)
Eth 0/1.212 : Vlan212 (20.21.20.0/24)
Eth 0/1.220 : Vlan220 (20.22.0.0/16)
Eth 0/2 : WAAS (20.21.30.0/24)
I have the site to site tunnel working. I can ping the WAAS device from the other end of the tunnel but I cannot ping it from the 20.20.0.0/16 network. I have enabled traffic between interfaces on same security level as WAAS and LAN have same security.
I get this error message:
3 Feb 12 2007 17:54:05 305006 20.20.10.101 portmap translation creation failed for icmp src WAAS:20.21.30.230 dst LAN:20.20.10.101 (type 8, code 0)
How can I fix this?
My second question is regarding WCCP on ASA. Here is the WCCP part of the config I have:
wccp 61 redirect-list WCCP_To_LAN
wccp 62 redirect-list WCCP_To_WAN
wccp interface outside 62 redirect in
wccp interface LAN 61 redirect in
access-list WCCP_To_LAN extended permit ip any 20.20.0.0 255.252.0.0
access-list WCCP_To_WAN extended permit ip 20.20.0.0 255.252.0.0 any
I am not seeing any packets being redirected to the WAE. I once changed the access lists to 'any any' and I saw some packets but I couldn't ping or telnet to the remote site. Could it be a loop? Is there any way to exclude traffic to avoid loop?
Thanks
Ankit
Come on guys
Am I doing something wrong here?
No one replies to my posts. I had the same experience with the previous one.
Is this not the right forum for this query???
Ankit -
Hi,
I want to capture all traffic in a certain vlan (74) from two switches. I use a remote vlan to accomplish this.
The problem is that I see on the wireshark trace traffic which is traveling from one switch to the other but I don’t see traffic which remains within one switch.
So:
switch 1: server 1&2
switch 2: server 3&4
all interfaces in the same vlan (74)
remote vlan = vlan 745
connection switch 1 -> switch 2 = trunk (vlan 74 & 745)
action - on wireshark trace
ping server1 <-> server 2 - no
ping server1<-> server 3 - yes
ping server 3 <-> server4 - no
I found some examples for the configuration and these are more or less the same as mine; so why is this not working as expected?
My config:
Switch 1 (3560)
monitor session 1 source vlan 74 rx
monitor session 1 destination remote vlan 745
switch 2 (4948)
monitor session 1 source vlan 74 rx
monitor session 1 destination remote vlan 745
monitor session 2 destination interface Gi1/17
monitor session 2 source remote vlan 745
Wireshark pc on port 17
Thanks for any help
Hans
Hi Hans,
May I suggest this config for you to try:
switch 1
monitor session 1 source vlan 74 rx
monitor session 1 destination remote vlan 745
switch 2
monitor session 1 source remote vlan 745
monitor session 1 destination interface Gi1/17
monitor session 2 source vlan 74 rx
monitor session 2 destination interface Gi1/17
Cheers
Stephen. -
Possible to segment traffic between 2 interfaces? And other questions...
I would like to set my G5 up as a server utilizing a second connection and to keep traffic separated between this server connection and my regular internet connection (which would be wireless). I'm pretty sure this alone is fairly straightforward and can be accomplished by setting up the new interface and moving it down to the bottom of the connection list with wireless at the top. That should keep all non-specific traffic from flowing out the ethernet/server connection - I think.
If the above works the way I stated then I would also want to firewall ONLY the ethernet/server connection (the wireless has its own hardware firewall). AND - this is the tricky part - I also want to add a fake interface that has a fake IP and bind that to the "real" ethernet/server connection. The reason for that is because I need a static IP to bind the service to. I know that if the connection list thing works to flow the traffic, and if I had an external router on the server connection, this wouldn't be needed. I'd already have a fake IP to bind to and I wouldn't have to run the firewall on the Mac. But I don't and I'd rather not have to buy one.
So can this be done through the network/sharing preference panes? If so, are there any "gotchas" I should be aware of? If not, is there any software tool out there that would make setting this up easier/faster? I'm not opposed to doing it all via command line, but I'm a bit rusty with my linux/unix admin knowledge. Plus I'm not 100% certain how to set all that up command line wise without screwing up OS X!
Thanks.
I'm not sure I fully understand what you are attempting to accomplish. Let's see if I have the general idea.
You have a single G5, that you want to use as both your desktop machine and also to provided specific services, such as web, email, etc.
You have some type of hardware firewall/security appliance.
You have some type of wireless access point.
You don't seem to have any type of router or switch in your configuration.
You want all of your server based traffic to be sent and received on its own Ethernet port. You want your personal Internet traffic to be sent and received on your wireless connection.
So my questions are:
Where is the server traffic going to, coming from? Who is accessing the server, is it users on the Internet, or just computers on your own LAN (which you didn't mention).
If your server is to allow data from or send to the Internet, then you need to have a way to route the traffic there. Do you have more than one method to access the Internet, or will all traffic, both personal and server, be going through the same Internet access pipe?
If it is all going through the same pipe, and you only have the single computer, I don't understand why you wish to segment the traffic.
If on the other hand you have multiple computers on your LAN, then segmenting traffic may make sense. This would allow access to your server and keep your LAN well secured.
Anyway, to get to specifics, you'll need to use the terminal app to bind specific services to specific IP's and ports on your Mac. You will also need to manually configure the firewall to be able to select specific connection ports and bindings. However, while I think it can be done, I'm not sure it makes a great deal of sense.
I would be more inclined to suggest a router or switch that can provide VLAN support, or a router that provides true DMZ support, would be a good way to go.
Anyway, a little more info would be helpful.
Oh and if I have this totally wrong in what I think you're doing... My mistake.
Tom N. -
Some fields missing from the Information interface
On iTunes 12 I can’t find the "Description" field that was in the Video page.
The field still shows in the list of songs, but it doesn't appear on the new "Information" interface. And I don't think this is the only field missing compared to the previous Information interface. Can anyone help? Thank you.
... before you click Get Info.
tt2
YES!
Thank you turing! That really helped.
(it seems a bit of a complication to me, the system was just fine as it was, but what do I know?) -
Switch sending tcp traffic to incorrect interface
Need help diagnosing a layer 2 networking issue. We had a report from an end user of slow file server access from his computer but local applications were responding normally. No one else was having issues in his area. Port mirrored the employees access port (Gi1/0/33) and noticed traffic from another computer crossing onto his port. Our design is to have one computer per port. This traffic was not intended for his computer as it was another employee opening and closing files on the file server (file server located on another switch). Checked MAC address table and his MAC address was the only one associated on the port. Traced the 2nd employees MAC address to a neighboring port (Gi1/0/35). Only MAC address associated on Gi1/0/35 was the 2nd employees. Cleared the mac address entry for Gi1/0/33 only and the extra traffic was eliminated immediately.
Why would a switch send TCP traffic to a port that a client does not communicate on? I asked the second employee if they noticed any issue in accessing the file server and none were reported. Switch is a 3750X with version 12.2.
I've been double checking everything this morning and I feel we were not attacked. All the MAC addresses in my capture are valid system addresses. ISE does not show any unauthorized machines attempting to connect to the switch. We have DHCP snooping enabled throughout the organization. That was a great article to learn from though.
I've included a visio of the setup and a snippet of the wire capture and arp/mac tables as were captured during the incident. Traffic from the fileserver intended for employee 2 was flooding the port employee 1 was connected on. The destination MAC address of the packets were not meant for employee 1.
Default config for both ports:
switchport access vlan 101
switchport mode access
ip access-group ACL_DEFAULT in
authentication event fail action next-method
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
Am I missing something? Was this an attack? Was it a fluke? -
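Added example (mine, not code from any of these posts) that serves the IDSM thread at the top, the RSPAN thread and the unicast-flooding thread just above: a Python check on the frames a sniffer (or the IDSM data port) receives from a SPAN/RSPAN destination. It tallies frames per 802.1Q VLAN id and reports which VLANs from the session's filter list never arrived, and it lists unicast frames whose destination MAC the switch never learned on the mirrored access port, which with one host per port is exactly the flooded traffic described above. The frames, MAC addresses and VLAN ids are constructed.

```python
import struct
from collections import Counter

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def build_frame(dst, src, payload, vlan=None, ethertype=ETHERTYPE_IPV4):
    """Constructed test frame: optional 802.1Q tag (PCP 0, DEI 0), then payload."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(raw):
    """Return (dst, src, vlan, ethertype, payload); vlan is None when untagged."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = mac_str(raw[0:6]), mac_str(raw[6:12])
    (etype,) = struct.unpack("!H", raw[12:14])
    vlan, off = None, 14
    if etype == ETHERTYPE_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", raw[14:18])
        vlan, off = tci & 0x0FFF, 18
    return dst, src, vlan, etype, raw[off:]


def vlan_tally(frames):
    """Frames per VLAN id (None = untagged). Compare with the SPAN 'filter vlan'
    list or the RSPAN source VLAN: a VLAN that should be mirrored but never
    shows up here is the first thing to check before blaming the sensor."""
    return Counter(parse_frame(f)[2] for f in frames)


def missing_vlans(frames, expected):
    """VLAN ids from the session's filter list that never reached the capture."""
    return sorted(set(expected) - set(vlan_tally(frames)))


def is_unicast(mac):
    # Bit 0 of the first octet set = group (multicast/broadcast) address.
    return int(mac[:2], 16) & 1 == 0


def flooded_unicast(frames, learned_macs):
    """Unicast frames whose destination is not a MAC the switch learned on the
    mirrored access port. With one host per port, every such frame is unicast
    flooding: the switch has no table entry for the destination (aged out or
    never learned) and copies the frame to every port in the VLAN."""
    hits = []
    for raw in frames:
        dst, src, vlan, _, _ = parse_frame(raw)
        if is_unicast(dst) and dst not in learned_macs:
            hits.append((dst, src, vlan))
    return hits


# Constructed capture from a SPAN destination. EMP1 is the only MAC the switch
# learned on the mirrored port, EMP2 sits on a neighbouring port, FILE_SERVER is
# on another switch. The session's filter list names VLANs 22, 23 and 208, but
# nothing tagged 208 was delivered.
EMP1, EMP2 = "00:1a:2b:3c:4d:01", "00:1a:2b:3c:4d:02"
FILE_SERVER = "00:1a:2b:3c:4d:ff"
BROADCAST = "ff:ff:ff:ff:ff:ff"
SPAN_FILTER = [22, 23, 208]
SAMPLE_CAPTURE = [
    build_frame(EMP1, FILE_SERVER, b"smb-to-emp1", vlan=22),
    build_frame(EMP2, FILE_SERVER, b"smb-to-emp2", vlan=22),   # not this port's host: flooded
    build_frame(EMP2, FILE_SERVER, b"smb-to-emp2", vlan=23),   # flooded
    build_frame(BROADCAST, EMP1, b"arp-who-has", vlan=22),    # group address: expected
    build_frame(EMP1, FILE_SERVER, b"native-vlan-untagged"),  # untagged: native VLAN
]

if __name__ == "__main__":
    print("frames per VLAN:", dict(vlan_tally(SAMPLE_CAPTURE)))
    print("filter VLANs never seen:", missing_vlans(SAMPLE_CAPTURE, SPAN_FILTER))
    for dst, src, vlan in flooded_unicast(SAMPLE_CAPTURE, {EMP1}):
        print(f"flooded unicast on vlan {vlan}: {src} -> {dst}")
```

For a real capture, read the frames from a pcap and take `learned_macs` from `show mac address-table interface <port>` on the switch at the time of the capture.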
Currently, I have a Cisco IE3000 switch, with an interface defined as a trunk. The other end is unknown to me, but I know it transmits tagged frames. I just don't know which VLAN-ids are in use - so I was thinking of doing some debugs to learn the VLAN-ids. The remote end does not transmit BPDUs.
That would require me to define all VLANs, which may be too much for the IE3000. It supports only 1005.
A debug telling me that a packet has been dropped because the VLAN is not defined would be the way... -
Slow tcp traffic over ge0 interface
I have a server that while using ge0 for UDP traffic, it uses full bandwidth, but for tcp is slow as hell.... ttcp is showing how slow it is, into the kbps rather than mbps. I want to know if there is a specific patch to fix this.
-
Force http traffic to specific interface
Just set up a 2801 router. We have a Serial interface card on it connected to a T1 and eth1 connected to DSL. We want to force web traffic (http, https, ftp) to use the DSL connection. I tried a simple access-list to allow http to the DSL and deny to the T1, however it didn't seem to work. Then I noticed that in the SDM it has "default" rules that always enable http. Do I need to disable the http server to get this access list to work or is there an easier way to force web traffic to a specific interface?
Thanks in advance.
I set up the route-map and access-list and applied it to FE 0/1 (DSL connection), however it still appears nothing is going through that interface. When I monitor it in the SDM, it shows 0% bandwidth usage.
Just to double check I unplugged the DSL to see if web traffic stopped, but it was still going, I assume through the T1 at S 0/2/0.
FE 0/0 goes to our fw, then to lan
FE 0/1 goes to DSL
S 0/2/0 goes to T1
Here is my config:
router#show run
Building configuration...
Current configuration : 4506 bytes
! Last configuration change at 10:29:45 MDT Fri Aug 4 2006 by admin
! NVRAM config last updated at 15:17:31 MDT Thu Aug 3 2006 by admin
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
boot-start-marker
boot system flash c2801-ipbasek9-mz.124-8.bin
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$EWDt$pvWzeNhilneb/EUJosxlv0
no aaa new-model
resource policy
clock timezone MDT -7
clock summer-time MDT date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
ip cef
ip tcp synwait-time 10
no ip bootp server
ip name-server 198.60.22.2
ip name-server 198.60.22.22
username admin privilege 15 secret 5 $1$TF47$aa8RLf18isZxIwjOKfdmZ.
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
ip address 199.104.124.210 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
duplex auto
speed auto
no mop enabled
interface FastEthernet0/1
description $FW_OUTSIDE$$ETH-LAN$
ip address 192.168.2.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
ip policy route-map toDSL
duplex auto
speed auto
no mop enabled
interface FastEthernet0/1/0
interface FastEthernet0/1/1
interface FastEthernet0/1/2
interface FastEthernet0/1/3
interface Serial0/2/0
ip address 204.228.133.46 255.255.255.252
interface Vlan1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip route-cache flow
ip route 0.0.0.0 0.0.0.0 204.228.133.45
ip route 192.168.2.0 255.255.255.0 192.168.2.1
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
logging trap debugging
access-list 111 permit tcp any any eq www
no cdp run
route-map toDSL permit 1
match ip address 111
set ip next-hop 192.168.2.1
control-plane
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
exec-timeout 30 0
privilege level 15
login local
transport input ssh
transport output ssh
line vty 5 15
access-class 102 in
privilege level 15
login local
transport input ssh
scheduler allocate 20000 1000
ntp clock-period 17178101
ntp update-calendar
ntp server 198.60.22.240 source Serial0/2/0
end