IDSM missing traffic on trunk interface

Hi
I have a scenario where an IDSM with IPS 6 is triggering on traffic from a non-trunk interface but not when the same traffic passes over another VLAN on a trunk.
Monitor setup is like this
monitor session 10 source interface Gi1/2
monitor session 10 source interface Gi7/1
monitor session 10 filter vlan 22 - 23 , 208
monitor session 10 destination intrusion-detection-module 5 data-port 1
where 1/2 is the non-trunk interface and 7/1 is the trunk. Traffic from VLAN 23 is firewalled/NATed and sent out on VLAN 208 towards our edge network.
The exact case is that when I browse an external web site with SQL code in the HTML I get an SQL Injection alert from VLAN 208 only. I never get the alert for the same traffic passing behind the firewall over the trunk. When I set a sniffer as source for the SPAN session I see the HTTP request with the SQL code passing through the trunk interface as well as VLAN 208.
Am I missing something here? Shouldn't an IPS report ALL occurrences of bad traffic?
Regards
Fredrik Hofgren

What has to be upgraded, the Catalyst IOS or the software on the IDSM? Our Catalyst has IOS 12.2(18)SXF5 and the IDSM the latest version 6.0(3)E1.
It seems odd that it would be a problem with missing VLAN tags. When I set the IDSM to manually capture traffic from an IP in the inside VLAN passing over the trunk the VLAN tag is present when I view the packets in Ethereal.
/Fredrik
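
A way to check which VLANs a capture taken at the SPAN destination actually contains a given request on, as an added example that is not part of the original thread. It assumes a classic pcap file of Ethernet frames and a harmless marker string placed in a test request; the function names, the marker and the sample frames are constructed for illustration.

```python
import struct
from collections import Counter

ETH_P_8021Q = 0x8100  # 802.1Q tag protocol identifier
ETH_P_IPV4 = 0x0800


def read_pcap(data):
    """Yield raw Ethernet frames from a classic (non-pcapng) pcap byte string."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap capture")
    offset = 24  # skip the global header
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        if offset + incl_len > len(data):
            break  # truncated final record
        yield data[offset:offset + incl_len]
        offset += incl_len


def vlan_and_tcp_payload(frame):
    """Return (VLAN ID, or None for an untagged frame, and the TCP payload)."""
    if len(frame) < 14:
        return None, b""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset, vlan = 14, None
    if ethertype == ETH_P_8021Q and len(frame) >= 18:
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan = tci & 0x0FFF  # low 12 bits of the tag carry the VLAN ID
        offset = 18
    if ethertype != ETH_P_IPV4 or len(frame) < offset + 20:
        return vlan, b""
    ihl = (frame[offset] & 0x0F) * 4
    (total_len,) = struct.unpack_from("!H", frame, offset + 2)
    if frame[offset + 9] != 6:  # IP protocol 6 is TCP
        return vlan, b""
    tcp = frame[offset + ihl:offset + total_len]
    if len(tcp) < 20:
        return vlan, b""
    return vlan, tcp[(tcp[12] >> 4) * 4:]


def marker_hits_per_vlan(pcap_bytes, marker):
    """Count frames whose TCP payload contains the marker, keyed by VLAN ID."""
    hits = Counter()
    for frame in read_pcap(pcap_bytes):
        vlan, payload = vlan_and_tcp_payload(frame)
        if marker in payload:
            hits[vlan] += 1
    return hits


def vlans_without_hits(hits, expected_vlans):
    """VLANs from the SPAN filter on which the marker was never seen."""
    return sorted(v for v in expected_vlans if hits.get(v, 0) == 0)


# --- constructed sample data (not taken from the thread) ---
def build_frame(vlan, payload):
    """Build an Ethernet/IPv4/TCP frame, 802.1Q-tagged unless vlan is None."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan is not None:
        eth += struct.pack("!HH", ETH_P_8021Q, vlan)
    eth += struct.pack("!H", ETH_P_IPV4)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap container (linktype Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for frame in frames:
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out


MARKER = b"span-check-7f3a"  # constructed, harmless test token
REQUEST = b"GET /?q=" + MARKER + b" HTTP/1.1\r\nHost: example.test\r\n\r\n"
OTHER = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE_PCAP = build_pcap([
    build_frame(23, REQUEST),    # inside VLAN, carried on the trunk
    build_frame(208, REQUEST),   # same request after the firewall/NAT
    build_frame(22, OTHER),      # unrelated traffic on another filtered VLAN
    build_frame(None, OTHER),    # untagged frame
])

if __name__ == "__main__":
    hits = marker_hits_per_vlan(SAMPLE_PCAP, MARKER)
    print("marker seen on VLANs:", dict(hits))
    print("filtered VLANs with no hit:", vlans_without_hits(hits, [22, 23, 208]))
```

If the marker shows up on both VLAN 23 and VLAN 208 in a capture from the sensor's data port, the SPAN session is delivering both copies and the difference in alerting lies in the sensor's processing rather than in the mirror.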

Similar Messages

  • [svn:cairngorm3:] 16142: Insync Refactorings, Module lib: Added missing parameters from IModuleInfo interface.

    Revision: 16142
    Author:   [email protected]
    Date:     2010-05-16 14:21:40 -0700 (Sun, 16 May 2010)
    Log Message:
    Insync Refactorings, Module lib: Added missing parameters from IModuleInfo interface. Maven: Take Persistence out.
    Modified Paths:
        cairngorm3/trunk/libraries/Module/src/com/adobe/cairngorm/module/ModuleInfo.as
        cairngorm3/trunk/libraries/ModuleTest/.actionScriptProperties
        cairngorm3/trunk/libraries/lib-parent/pom.xml
        cairngorm3/trunk/samples/insync/insync-basic/src/InsyncContext.mxml
        cairngorm3/trunk/samples/insync/insync-basic/src/insync/application/RefreshSearchAfterSaveController.as
        cairngorm3/trunk/samples/insync/insync-basic/src/insync/presentation/ContactList.mxml
        cairngorm3/trunk/samples/insync/insync-basic/src/insync/presentation/ContactsNavigator.mxml
        cairngorm3/trunk/samples/insync/insync-basic/src/insync/presentation/PictureInput.mxml
        cairngorm3/trunk/samples/insync/insync-basic/src/insync/presentation/Toolbar.mxml
        cairngorm3/trunk/samples/insync/insync-basic/src/insync/presentation/ToolbarPM.as
        cairngorm3/trunk/samples/insync/insync-basic/test/insync/application/RefreshSearchAfterSaveControllerTest.as
        cairngorm3/trunk/samples/insync/insync-basic/test/insync/presentation/ToolbarPMTest.as
        cairngorm3/trunk/samples/insync/insync-modularExtended-contacts/.actionScriptProperties
        cairngorm3/trunk/samples/insync/insync-modularExtended-contacts/src/insync/contacts/application/RefreshSearchAfterSaveController.as
        cairngorm3/trunk/samples/insync/insync-modularExtended-contacts/src/insync/contacts/presentation/ContactFormPM.as
        cairngorm3/trunk/samples/insync/insync-modularExtended-contacts/src/insync/contacts/presentation/PictureInput.mxml
        cairngorm3/trunk/samples/insync/insync-modularExtended-contacts/test/insync/contacts/application/RefreshSearchAfterSaveControllerTest.as
        cairngorm3/trunk/samples/insync/insync-modularExtended-expenses/.actionScriptProperties
        cairngorm3/trunk/samples/insync/insync-modularExtended-expenses/src/ExpensesModule.mxml
        cairngorm3/trunk/samples/insync/insync-modularExtended-expenses/src/ExpensesModuleRig.mxml
        cairngorm3/trunk/samples/insync/insync-modularExtended-expenses/src/ExpensesRigContext.mxml
        cairngorm3/trunk/samples/insync/insync-modularExtended-messaging/.actionScriptProperties
        cairngorm3/trunk/samples/insync/insync-modularExtended-messaging/src/ComposeMessageModule.mxml
        cairngorm3/trunk/samples/insync/insync-modularExtended-messaging/src/ComposeMessageModuleRig.mxml
        cairngorm3/trunk/samples/insync/insync-modularExtended-messaging/src/ComposeMessageModuleRigContext.mxml
        cairngorm3/trunk/samples/insync/insync-modularExtended-shell/src/insync/application/ComposeMessageController.as
        cairngorm3/trunk/samples/insync/insync-modularExtended-shell/src/insync/presentation/ContentViewStack.mxml
        cairngorm3/trunk/samples/insync/insync-modularExtended-shell/src/insync/presentation/Toolbar.mxml
        cairngorm3/trunk/samples/insync/insync-modularExtended-shell/src/insync/presentation/ToolbarPM.as
        cairngorm3/trunk/samples/insync/insync-modularExtended-shell/test/insync/presentation/ToolbarPMTest.as

  • "mpls traffic eng passive-interface" mapping on XR

    Dears,
    On IOS, for TE Inter-AS, the command "mpls traffic-eng passive-interface" is used on an Inter-AS link which isn't running an IGP, so I am seeking the equivalent command on XR, but I can't find it, so please advise what the equivalent command on XR is.
    Thanks

    Hello Amr,
    There is no equivalent command on IOS-XR. Are you trying to set up Inter-AS MPLS TE on XR? In IOS-XR, inter-AS tunnels are supported only by using verbatim path-options. Verbatim path-options are supported on both IOS and IOS-XR.
    HTH,
    Rivalino

  • How to monitor the traffic on network interface card NIC

    Hello friends,
    I'm doing a network-based project.
    In that I need to calculate the incoming
    and outgoing traffic on a network interface.
    Can anyone help me regarding this...
    Any API that I can use? I know about JPCAP
    but am unable to use it in this respect...
    Thanks in advance

    Sorry for any mistake....
    I'm new to Java.
    Actually, using JPCAP we can capture the packets
    and process them.. may save to file or something like that
    but how to know the current incoming and outgoing traffic... on the NIC
    and also how much it is capable of...
    Can you tell me any good tutorial?
    I really need to do that.
    Thanks for your concern

  • Routing traffic using 2 interfaces

    My question is: what's the best solution for routing internet traffic out one interface and production and management traffic out another interface, using a Cisco ISR 2900?

    You can use PBR.
    Here are 2 documents with examples:
    http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpbr_ps1835_TSD_Products_Configuration_Guide_Chapter.html
    https://supportforums.cisco.com/docs/DOC-1634
    HTH

  • Switches lost connection in trunk interface but still turn on

    Dear Friends,
    Since a week ago I have had problems with 4 or 5 access switches that randomly lose the connection on the trunk interface. The LED on the trunk interface turns off and I have to go to the site, manually turn the switches off and then on again to re-establish the connection. Before turning off the switches, the logs show:
    Jan 11 09:23:55.155: %SW_MATM-4-MACFLAP_NOTIF: Host fc99.471f.23bf in vlan 174 i
    s flapping between port Gi1/0/4 and port Gi1/0/11
    Jan 11 09:23:55.255: %SW_MATM-4-MACFLAP_NOTIF: Host e490.699f.86fe in vlan 117 i
    s flapping between port Gi1/0/4 and port Gi1/0/11
    Jan 11 09:23:55.591: %SW_MATM-4-MACFLAP_NOTIF: Host e41f.1377.3d65 in vlan 413 i
    s flapping between port Gi1/0/4 and port Gi1/0/11
    Jan 11 09:23:55.625: %SW_MATM-4-MACFLAP_NOTIF: Host f0f7.55b6.3f68 in vlan 413 i
    s flapping between port Gi1/0/4 and port Gi1/0/11
    Jan 11 09:23:55.759: %SW_MATM-4-MACFLAP_NOTIF: Host 0040.8cf5.5eb0 in vlan 113 i
    s flapping between port Gi1/0/4 and port Gi1/0/11
    Jan 11 09:23:56.589: %SW_MATM-4-MACFLAP_NOTIF: Host 0016.6c78.c1f4 in vlan 170 i
    s flapping between port Gi1/0/4 and port Gi1/0/11
    Jan 11 09:23:56.589: %SW_MATM-4-MACFLAP_NOTIF: Host 0016.6c76.a951 in vlan 170 i
    s flapping between port Gi1/0/4 and port Gi1/0/11
    Jan 11 09:23:57.806: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthe
    rnet1/0/1, changed state to down
    This is common to all the switches that lost connection. The MACs are different on all switches, so I cannot tell whether a specific host is causing the problem. Please support.

    Hi Reza,
    Both ports are trunk.
    interface GigabitEthernet1/0/4
     switchport trunk encapsulation dot1q
     switchport mode trunk
    interface GigabitEthernet1/0/11
     switchport trunk encapsulation dot1q
     switchport mode trunk
    Any idea?
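
Added example, not part of the original thread: a summary of the MACFLAP_NOTIF messages grouped by port pair, which answers the "is it one host?" question directly from the log. The sample input is the log excerpt from the post above with its terminal line wrapping left as pasted; the function names and the thresholds in `port_level_pairs` are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# A new syslog record starts with a timestamp; anything else is a wrapped tail.
TIMESTAMP_RE = re.compile(r"^[*.]?[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}")
MACFLAP_RE = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>[0-9a-fA-F.]+) in vlan (?P<vlan>\d+) "
    r"is flapping between port (?P<a>\S+) and port (?P<b>\S+)")
LINEDOWN_RE = re.compile(
    r"%LINEPROTO-5-UPDOWN: Line protocol on Interface (?P<intf>[^,]+), "
    r"changed state to down")


def unwrap(text):
    """Rejoin records that a terminal wrapped across several lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if TIMESTAMP_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += line  # continuation of the previous record
    return records


def summarize_flaps(text):
    """Group flap events by unordered port pair: event count, MACs and VLANs."""
    pairs = defaultdict(lambda: {"events": 0, "macs": set(), "vlans": set()})
    for record in unwrap(text):
        m = MACFLAP_RE.search(record)
        if m:
            entry = pairs[tuple(sorted((m["a"], m["b"])))]
            entry["events"] += 1
            entry["macs"].add(m["mac"].lower())
            entry["vlans"].add(int(m["vlan"]))
    return dict(pairs)


def port_level_pairs(summary, min_macs=3, min_vlans=2):
    """Port pairs where many hosts on several VLANs flap (thresholds assumed)."""
    return sorted(pair for pair, e in summary.items()
                  if len(e["macs"]) >= min_macs and len(e["vlans"]) >= min_vlans)


def interfaces_down(text):
    """Interfaces whose line protocol went down in the same log."""
    return [m["intf"] for m in map(LINEDOWN_RE.search, unwrap(text)) if m]


# Log excerpt from the post above, still wrapped at the terminal width.
SAMPLE_LOG = """\
Jan 11 09:23:55.155: %SW_MATM-4-MACFLAP_NOTIF: Host fc99.471f.23bf in vlan 174 i
s flapping between port Gi1/0/4 and port Gi1/0/11
Jan 11 09:23:55.255: %SW_MATM-4-MACFLAP_NOTIF: Host e490.699f.86fe in vlan 117 i
s flapping between port Gi1/0/4 and port Gi1/0/11
Jan 11 09:23:55.591: %SW_MATM-4-MACFLAP_NOTIF: Host e41f.1377.3d65 in vlan 413 i
s flapping between port Gi1/0/4 and port Gi1/0/11
Jan 11 09:23:55.625: %SW_MATM-4-MACFLAP_NOTIF: Host f0f7.55b6.3f68 in vlan 413 i
s flapping between port Gi1/0/4 and port Gi1/0/11
Jan 11 09:23:55.759: %SW_MATM-4-MACFLAP_NOTIF: Host 0040.8cf5.5eb0 in vlan 113 i
s flapping between port Gi1/0/4 and port Gi1/0/11
Jan 11 09:23:56.589: %SW_MATM-4-MACFLAP_NOTIF: Host 0016.6c78.c1f4 in vlan 170 i
s flapping between port Gi1/0/4 and port Gi1/0/11
Jan 11 09:23:56.589: %SW_MATM-4-MACFLAP_NOTIF: Host 0016.6c76.a951 in vlan 170 i
s flapping between port Gi1/0/4 and port Gi1/0/11
Jan 11 09:23:57.806: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthe
rnet1/0/1, changed state to down
"""

if __name__ == "__main__":
    summary = summarize_flaps(SAMPLE_LOG)
    for pair, e in summary.items():
        print(pair, e["events"], "events,", len(e["macs"]), "MACs,",
              len(e["vlans"]), "VLANs")
    print("port-level pairs:", port_level_pairs(summary))
    print("went down:", interfaces_down(SAMPLE_LOG))
```

On this excerpt every event involves the same two ports while the hosts and VLANs vary, so the thing to investigate is the pair of trunk ports Gi1/0/4 and Gi1/0/11 rather than any single MAC address.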

  • Fiber refusing to pass layer 3 traffic / Copper trunk works

    Hello everyone
    Crazy issue here.. everything looks like it should be working but doesn't!
    a summary would be our 3750 switches will not trunk over fiber (SM or MM) to our core 6500. They work just fine over copper.
    The funny thing is, ONE 3750 works over a SM fiber run.
    Our goal is to have redundancy to all switches, 1x copper trunk and 1x fiber trunk. running spanning tree mode rapid-pvst. VTP mode transparent (all VLANs are created manually on all switches --- they exist.)
    however, the fiber trunks on 2 switches will only pass layer 2 (CDP neighbor has full detail, mac address-table builds off the 6500) but will not ping the directly connected 6500.  we are using cisco brand SFP/GBICs GLC-SX-MM &GLC-LH-SM  (we are sure the correct SFP is used with correct fiber type)
    debug arp / debug ip packet shows Switch B & C never actually learn the core's mac address and tie it to the IP of 153.29.45.1. all switches have a default gateway of 153.29.45.1.
    SWITCH A:
    interface GigabitEthernet1/0/48
     description CopperTrunk-to-Core
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 48
     switchport trunk allowed vlan 37,48,172
     switchport mode trunk
    interface GigabitEthernet1/1/1
     description FiberTrunk-to-Core
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 48
     switchport trunk allowed vlan 37,48,172
     switchport mode dynamic desirable
    interface Vlan48
     ip address 153.29.45.67 255.255.255.192
     no ip redirects
     no ip proxy-arp
    SWITCH B:
    interface GigabitEthernet1/1/1
     description FiberTrunk-to-Core
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 47
     switchport trunk allowed vlan 37,47,172
     switchport mode trunk
    interface GigabitEthernet2/0/48
     description CopperTrunk-to-Core
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 47
     switchport trunk allowed vlan 37,47,172
    interface Vlan47
     ip address 153.29.45.8 255.255.255.224
     no ip redirects
     no ip proxy-arp
    SWITCH C:
    interface GigabitEthernet1/0/48
     description CopperTrunk-to-Core
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 48
     switchport trunk allowed vlan 37,48,172
     switchport mode trunk
    interface GigabitEthernet1/1/1
     description FiberTrunk-to-Core
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 48
     switchport trunk allowed vlan 37,48,172
     switchport mode trunk
    interface Vlan48
     ip address 153.29.45.81 255.255.255.192
     no ip redirects
     no ip proxy-arp
    CORE(6500):
    interface GigabitEthernet2/40
     description Switch_B_Copper
     switchport
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 47
     switchport trunk allowed vlan 37,47,172
     switchport mode trunk
    interface GigabitEthernet2/43
     description Switch_A_Copper
     switchport
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 48
     switchport trunk allowed vlan 37,48,172
     switchport mode trunk
    interface GigabitEthernet2/40
     description Switch_C_Copper
     switchport
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 48
     switchport trunk allowed vlan 37,48,172
     switchport mode trunk
    interface GigabitEthernet3/43
     description Switch_A_Fiber
     switchport
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 48
     switchport trunk allowed vlan 37,48,172
     switchport mode trunk
    interface GigabitEthernet3/40
     description Switch_B_Fiber
     switchport
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 47
     switchport trunk allowed vlan 36,37,47,172,500
     switchport mode trunk
    interface GigabitEthernet3/44
     description Switch_C_Fiber
     switchport
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 48
     switchport trunk allowed vlan 37,48,172
     switchport mode trunk
    interface Vlan47
     description Internal_Management
     ip address 153.29.45.1 255.255.255.224
     no ip redirects
     no ip proxy-arp
    interface Vlan48
     description Management
     ip address 153.29.45.65 255.255.255.192
    Summary: copper links work fine on all 3 switches. switch A & B refuse to pass layer 3 data on Fiber trunks. all were recently updated to version 12.2(53r) SE2 (c3740e-universalk9-mz.122-55.SE8.bin). Core is on 12.2 (33) SXI12 (s72033-adventerprisek9_wan-mz.122-33.SXI12.bin).
    any suggestions are appreciated.

    Leo: here ya go
    GigabitEthernet3/43 is up, line protocol is up (connected)
      Hardware is C6k 1000Mb 802.3, address is 2894.0f57.437a (bia 2894.0f57.437a)
      Description: FiberTrunk-to-SwitchA
      MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      Full-duplex, 1000Mb/s, media type is LH
      input flow-control is off, output flow-control is off
      Clock mode is auto
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:00:08, output 00:00:24, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      5 minute input rate 191000 bits/sec, 67 packets/sec
      5 minute output rate 752000 bits/sec, 112 packets/sec
         92584292 packets input, 25411211351 bytes, 0 no buffer
         Received 315527 broadcasts (83158 multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog, 0 multicast, 0 pause input
         0 input packets with dribble condition detected
         148923032 packets output, 114663742745 bytes, 0 underruns
         0 output errors, 0 collisions, 6 interface resets
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier, 0 PAUSE output
         0 output buffer failures, 0 output buffers swapped out
    GigabitEthernet6/1 is down, line protocol is down (notconnect)
      Hardware is C6k 1000Mb 802.3, address is 001a.a22d.6984 (bia 001a.a22d.6984)
      Description: FiberTestPort
      MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
         reliability 255/255, txload 0/255, rxload 0/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      Full-duplex, 1000Mb/s, media type is LH
      input flow-control is off, output flow-control is off
      Clock mode is auto
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 01:52:33, output 01:51:56, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         218 packets input, 26637 bytes, 0 no buffer
         Received 182 broadcasts (63 multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog, 0 multicast, 0 pause input
         0 input packets with dribble condition detected
         9476 packets output, 1084062 bytes, 0 underruns
         0 output errors, 0 collisions, 3 interface resets
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier, 0 PAUSE output
         0 output buffer failures, 0 output buffers swapped out
    let me know if you'd like to see anything else.

  • WCCP on ASA & traffic between physical interfaces on ASA

    Hello,
    I am trying to get WCCP working on the ASA for WAAS implementation. Here is a simple snapshot of my config:
    Eth 0/0 : Outside (to internet)
    Eth 0/1 : Vlan1 (20.20.0.0/16) (trunk port to remote office LAN)
    Eth 0/1.211 : Vlan211 (20.21.10.0/24)
    Eth 0/1.212 : Vlan212 (20.21.20.0/24)
    Eth 0/1.220 : Vlan220 (20.22.0.0/16)
    Eth 0/2 : WAAS (20.21.30.0/24)
    I have the site to site tunnel working. I can ping the WAAS device from the other end of the tunnel but I cannot ping it from the 20.20.0.0/16 network. I have enabled traffic between interfaces on same security level as WAAS and LAN have same security.
    I get this error message:
    3 Feb 12 2007 17:54:05 305006 20.20.10.101 portmap translation creation failed for icmp src WAAS:20.21.30.230 dst LAN:20.20.10.101 (type 8, code 0)
    How can I fix this?
    My second question is regarding WCCP on ASA. Here is the WCCP part of the config I have:
    wccp 61 redirect-list WCCP_To_LAN
    wccp 62 redirect-list WCCP_To_WAN
    wccp interface outside 62 redirect in
    wccp interface LAN 61 redirect in
    access-list WCCP_To_LAN extended permit ip any 20.20.0.0 255.252.0.0
    access-list WCCP_To_WAN extended permit ip 20.20.0.0 255.252.0.0 any
    I am not seeing any packets being redirected to the WAE. I once changed the access lists to 'any any' and I saw some packets but I couldn't ping or telnet to the remote site. Could it be a loop? Is there any way to exclude traffic to avoid loop?
    Thanks
    Ankit

    common guys
    Am I doing something wrong here?
    No one replies to my posts. I had the same experience with the previous one.
    Is this not the right forum for this query???
    Ankit

  • Rspan vlan missing traffic

    Hi,
    I want to capture all traffic in a certain vlan (74) from two switches. I use a remote vlan to accomplish this.
    The problem is that I see on the wireshark trace traffic which is traveling from one switch to the other but I don’t see traffic which remains within one switch.
    So: 
    switch 1: server 1&2
    switch 2: server 3&4
    all interfaces in the same vlan (74)
    remote vlan = vlan 745
    connection switch 1 -> switch 2 = trunk (vlan 74 & 745)
    action  - on wireshark trace
    ping server1 <-> server 2 - no
    ping server1<-> server 3 - yes
    ping server 3 <-> server4 - no
    I found some examples for the configuration and these are more or less the same as mine; so why is this not working as expected?
    My config:
    Switch 1 (3560)
    monitor session 1 source vlan 74 rx
    monitor session 1 destination remote vlan 745 
    switch 2 (4948)
    monitor session 1 source vlan 74 rx
    monitor session 1 destination remote vlan 745 
    monitor session 2 destination interface Gi1/17
    monitor session 2 source remote vlan 745
    Wireshark pc on port 17
    Thanks for any help
    Hans

    Hi Hans
    May I suggest this config for you to try:
    switch 1
    monitor session 1 source vlan 74 rx
    monitor session 1 destination remote vlan 745
    switch 2
    monitor session 1 source remote vlan 745
    monitor session 1 destination interface Gi1/17
    monitor session 2 source vlan 74 rx
    monitor session 2 destination interface Gi1/17
    Cheers
    Stephen.

  • Possible to segment traffic between 2 interfaces? And other questions...

    I would like to set my G5 up as a server utilizing a second connection and to keep traffic separated between this server connection and my regular internet connection (would be wireless). I'm pretty sure this alone is fairly straightforward and can be accomplished by setting up the new interface and moving it down to the bottom of the connection list with wireless at the top. That should keep all non-specific traffic from flowing out the ethernet/server connection - I think.
    If the above works the way I stated then I would also want to firewall ONLY the ethernet/server connection (the wireless has its own hardware firewall). AND - this is the tricky part - I also want to add a fake interface that has a fake IP and bind that to the "real" ethernet/server connection. The reason for that is because I need a static IP to bind the service to. I know if the connection list thing works to flow the traffic that if I had an external router on the server connection, this wouldn't be needed. I'd already have a fake IP to bind to and I wouldn't have to run the firewall on the Mac. But I don't and I'd rather not have to buy one.
    So can this be done through the network/sharing preference panes? If so, are there any "gotchas" I should be aware of? If not, is there any software tool out there that would make setting this up easier/faster? I'm not opposed to doing it all via command line, but I'm a bit rusty with my linux/unix admin knowledge. Plus I'm not 100% certain how to set all that up command line wise without screwing up OS X!
    Thanks.

    I'm not sure I fully understand what you are attempting to accomplish. Lets see if I have the general idea.
    You have a single G5, that you want to use as both your desktop machine and also to provided specific services, such as web, email, etc.
    You have some type of hardware firewall/security appliance.
    You have some type of wireless access point.
    You don't seem to have any type of router or switch in your configuration.
    You want all of your server-based traffic to be sent and received on its own Ethernet port. You want your personal Internet traffic to be sent and received on your wireless connection.
    So my questions are:
    Where is the server traffic going to, coming from? Who is accessing the server, is it users on the Internet, or just computers on your own LAN (which you didn't mention).
    If your server is to allow data from or send to the Internet, then you need to have a way to route the traffic there. Do you have more than one method to access the Internet, or will all traffic, both personal and server, be going through the same Internet access pipe?
    If it is all going through the same pipe, and you only have the single computer, I don't understand why you wish to segment the traffic.
    If on the other hand you have multiple computers on your LAN. then segmenting traffic may make sense. This would allow access to your server and keep your LAN well secure.
    Anyway, to get to specifics, you'll need to use the terminal app to bind specific services to specific IP's and ports on your Mac. You will also need to manually configure the firewall to be able to select specific connection ports and bindings. However, while I think it can be done, I'm not sure it makes a great deal of sense.
    I would be more inclined to suggest a router or switch that can provide VLAN support, or a router that provides true DMZ support, would be a good way to go.
    Anyway, a little more info would be helpful.
    Oh, and if I have this totally wrong in what I think you're doing.. my mistake.
    Tom N.

  • Some fields missing from the Information interface

    On iTunes 12 I can’t find the "Description" field that was in the Video page.
    The field still shows in the list of songs, but it doesn’t appear on the new "Information" interface. And I don't think this is the only field missing compared to the previous Information interface. Can anyone help? Thank you.

    ... before you click Get Info.
    tt2
    YES!
    Thank you turing! That really helped.
    (it seems a bit of a complication to me, the system was just fine as it was, but what do I know?)

  • Switch sending tcp traffic to incorrect interface

    Need help diagnosing a layer 2 networking issue. We had a report from an end user of slow file server access from his computer but local applications were responding normally. No one else was having issues in his area. Port mirrored the employees access port (Gi1/0/33) and noticed traffic from another computer crossing onto his port. Our design is to have one computer per port. This traffic was not intended for his computer as it was another employee opening and closing files on the file server (file server located on another switch). Checked MAC address table and his MAC address was the only one associated on the port. Traced the 2nd employees MAC address to a neighboring port (Gi1/0/35). Only MAC address associated on Gi1/0/35 was the 2nd employees. Cleared the mac address entry for Gi1/0/33 only and the extra traffic was eliminated immediately. 
    Why would a switch send tcp traffic to a port that a client does not communicate on? I asked the second employee if they noticed any issue in accessing the file server and none were reported.  Switch is a 3750x with version 12.2. 

    I've been double checking everything this morning and I feel we were not attacked. All the MAC addresses in my capture are valid system addresses. ISE does not show any authorized machines attempting to connect to the switch. We have DHCP snooping enabled throughout the organization. That was a great article to learn from though.
    I've included a visio of the setup and a snippet of the wire capture and arp/mac tables as were captured during the incident. Traffic from the fileserver intended for employee 2 was flooding the port employee 1 was connected on. The destination MAC address of the packets were not meant for employee 1. 
    Default config for both ports:
     switchport access vlan 101
     switchport mode access
     ip access-group ACL_DEFAULT in
     authentication event fail action next-method
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication violation restrict
     mab
     snmp trap mac-notification change added
     snmp trap mac-notification change removed
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    Am I missing something? Was this an attack? Was it a fluke? 

  • I need to see what VLAN-ids are present on a trunk interface. What debugs would help me achieve this?

    Currently, I have a Cisco IE3000 switch, with an interface defined as a trunk. The other end is unknown to me, but I know it transmits tagged frames. I just don't know which VLAN-ids are in use - so I was thinking of doing some debugs to learn the VLAN-ids. The remote end does not transmit BPDUs.

    That would require me to define all VLANs, which may be too much for the IE3000. It supports only 1005.
    A debug telling me that a packet has been dropped because the VLAN is not defined - would be the way...

  • Slow tcp traffic over ge0 interface

    I have a server that while using ge0 for UDP traffic, it uses full bandwidth, but for tcp is slow as hell.... ttcp is showing how slow it is, into the kbps rather than mbps. I want to know if there is a specific patch to fix this.


  • Force http traffic to specific interface

    Just set up a 2801 router. We have a Serial interface card on it connected to a T1 and eth1 connected to DSL. We want to force web traffic (http, https, ftp) to use the DSL connection. I tried a simple access-list to allow http to the DSL and deny to the T1, however it didn't seem to work. Then I noticed that in the SDM it has "default" rules that always enable http. Do I need to disable the http server to get this access list to work or is there an easier way to force web traffic to a specific interface?
    Thanks in advance.

    I setup the route-map and access-list and applied it to FE 0/1 (DSL connection), however it still appears nothing is going through that interface. When I monitor it in the SDM, it shows 0% bandwidth usage.
    Just to double check I unplugged the DSL to see if web traffic stopped, but it was still going, I assume through the T1 at S 0/2/0.
    FE 0/0 goes to our fw, then to lan
    FE 0/1 goes to DSL
    S 0/2/0 goes to T1
    Here is my config:
    router#show run
    Building configuration...
    Current configuration : 4506 bytes
    ! Last configuration change at 10:29:45 MDT Fri Aug 4 2006 by admin
    ! NVRAM config last updated at 15:17:31 MDT Thu Aug 3 2006 by admin
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    boot-start-marker
    boot system flash c2801-ipbasek9-mz.124-8.bin
    boot-end-marker
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 51200 debugging
    logging console critical
    enable secret 5 $1$EWDt$pvWzeNhilneb/EUJosxlv0
    no aaa new-model
    resource policy
    clock timezone MDT -7
    clock summer-time MDT date Apr 6 2003 2:00 Oct 26 2003 2:00
    no ip source-route
    ip cef
    ip tcp synwait-time 10
    no ip bootp server
    ip name-server 198.60.22.2
    ip name-server 198.60.22.22
    username admin privilege 15 secret 5 $1$TF47$aa8RLf18isZxIwjOKfdmZ.
    interface FastEthernet0/0
    description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
    ip address 199.104.124.210 255.255.255.240
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip route-cache flow
    duplex auto
    speed auto
    no mop enabled
    interface FastEthernet0/1
    description $FW_OUTSIDE$$ETH-LAN$
    ip address 192.168.2.2 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip route-cache flow
    ip policy route-map toDSL
    duplex auto
    speed auto
    no mop enabled
    interface FastEthernet0/1/0
    interface FastEthernet0/1/1
    interface FastEthernet0/1/2
    interface FastEthernet0/1/3
    interface Serial0/2/0
    ip address 204.228.133.46 255.255.255.252
    interface Vlan1
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip flow egress
    ip route-cache flow
    ip route 0.0.0.0 0.0.0.0 204.228.133.45
    ip route 192.168.2.0 255.255.255.0 192.168.2.1
    no ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    logging trap debugging
    access-list 111 permit tcp any any eq www
    no cdp run
    route-map toDSL permit 1
    match ip address 111
    set ip next-hop 192.168.2.1
    control-plane
    banner login ^CAuthorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!^C
    line con 0
    login local
    transport output telnet
    line aux 0
    login local
    transport output telnet
    line vty 0 4
    exec-timeout 30 0
    privilege level 15
    login local
    transport input ssh
    transport output ssh
    line vty 5 15
    access-class 102 in
    privilege level 15
    login local
    transport input ssh
    scheduler allocate 20000 1000
    ntp clock-period 17178101
    ntp update-calendar
    ntp server 198.60.22.240 source Serial0/2/0
    end
