Ip flow-top-talkers support
So I stumbled upon the ip flow-top-talkers feature and attempted to configure it on a 3560-X running 12.2(58)SE2. It allowed me to configure this:
ip flow-top-talkers
top 5
sort-by bytes
cache-timeout 60000
Then on the interface I am interested in:
interface GigabitEthernet0/21
ip flow ingress
Which results is (drum roll please....)
Switch#show ip flow top
% Cache is empty
No joy. So I checked the config guide for unsupported commands, these are not listed.
Then I thought maybe it had to be on a layer 3 interface (g0/21 is layer 2) so I did "ip flow ingress" on an SVI, same results.
So then I checked feature navigatore for "Flexible Netflow - Top N Talkers Support". 12.2SE is not listed, but 15.0(2)SE is.
Questions:
- Is the existence of the commands in 12.2(58)SE just an oversight? Functionality seems to almost be there, just not quite.
- Does neflow need to be enabled on a layer 3 interface or will it work on layer 2 (assuming platform support of course)
Thanks,
-Jeff
Does your switch have a network services module installed?
Note Flexible NetFlow is supported only on the Catalyst 3750-X and 3560-X switch running the IP base or IP services feature set and equipped with the network services module. It is not supported on switches running the NPE or the LAN base image.
Similar Messages
-
Cannot config "ip flow-top-talkers" on 7606-S
We have a router 7606-S is running IOS 12.2 (33r) SRD2 and Internet BGP protocol.
I tried to enable Flow Top Talkers on it to check Top 10 flow talkers.
1.configure interface:
Router(config-if)#ip flow ingress
2.configure
Router(config)#ip flow-top-talkers
but it shows:
Router((config)#ip flow-top-talkers
^
% Invalid input detected at '^' marker.
Router(config)#ip flow-?
flow-aggregation flow-cache flow-capture flow-egress flow-export
I then tried command
Router#show ip flow top-talkers
% Top talkers not configured
Can anyone advice if anything I miss please?
Thanks in advance.Does your switch have a network services module installed?
Note Flexible NetFlow is supported only on the Catalyst 3750-X and 3560-X switch running the IP base or IP services feature set and equipped with the network services module. It is not supported on switches running the NPE or the LAN base image. -
Hi All,
i would like to enable "ip flow-top-talkers" in 6500 in native mode.
this command is not supported in current version.
is there any alernative command or it won't support.
running ios is s72033-pk9sv-mz.122-18.SXD5.bin
Thanx in advance for the response.
Regards,
RajeshThis command was introduced only from 12.2(25)S and this feature was integrated into 12.3(11)T. So,if you are using any lower version other than this,this command will not work at all.If possible,better download any of the above 2 versions from cisco website and upgrade your IOS.
-
what happened to this command in the new IOS 15.1(1) with flexflow;
sh ip flow top-talkers...
Thanks,
SinanHi Maicon,
Under "ip flow-top-talkers", you need to configure "sort-by" as it's required to run top-talkers command.
Yoong Seong -
"show ip flow top-talkers" output question
Hello all,
I have a question about the "show ip flow top-talkers" command. The top enry for this 1841 router with a T1 connection is always this line:
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Se0/1/0 64.32.253.138 Local 71.16.240.14 32 6EB0 306B 2366K
How do I get more information about this connection? I looked at ip protocol 32 and it says it is the MERIT Internodal Protocol. Also what does the bytes field mean? Is that bytes per second or per "flow"?Hello,
protocol is 0x32 (in hex) = 50 (dec). This protocol is ESP. I assume, this flow is an IPSEC tunnel.
The endpoint is your device (regarding to dest interface = local). The "Bytes" field means number of
bytes in the flow. It is not releated to bytes/sec. Please, feel free to contact me if you need more
information.
Kind regards,
Jan Nejman
Caligare, co.
http://www.caligare.com/ -
Does WCCP skew results of 'ip flow top-talkers'?
I have a router that has been configured to show ip flow top-talker information. I recently added a WAAS to this site that is using WCCP redirection. The 'top-talkers' output on the router still works - but shows source/destination of the router and WAAS device as the talkers for all traffic that has been redirected. I'm not able to see that actual client IPs for that traffic .. and that is the majority of my traffic. Is there any way to still be able to view this traffic as I did before? If I dump netflow to an actual netflow server instead of using top-talkers will that work - or will it display the same thing?
Router configuration:
interface multilink1
ip flow ingress
interface gi0/0
ip flow ingress
ip flow-top-talkers
top 25
sort-by bytes
Now when I do a 'show ip flow top-talkers', here's what I see: 10.10.11.18 is WAAS and 10.10.255.11 is loopback of the router.
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Gi0/0.1 10.10.11.18 Mu1 10.10.255.11 2F 0000 0000 141M
Gi0/0.1 10.10.11.18 Mu1 10.10.255.11 2F 0000 0000 12M
Gi0/0.1 10.10.11.124 Gi0/0.1 10.10.10.53 06 1058 0A26 1801K
Gi0/0.1 10.10.11.54 Gi0/0.1 10.10.10.5 06 0E0C 0A26 882K
Gi0/0.1 10.10.11.107 Gi0/0.1 10.10.10.50 06 043D 05D6 736K
Gi0/0.1 10.10.11.60 Gi0/0.1 10.10.10.5 06 0409 0A26 723K
Gi0/0.1 10.10.11.103 Gi0/0.1 10.10.10.5 06 0407 0A26 713K
Gi0/0.1 10.10.11.120 Gi0/0.1 10.10.10.14 06 0456 05D6 531K
Gi0/0.1 10.10.11.237 Gi0/0.1 10.10.10.27 06 238C 110E 527K
Gi0/0.1 10.10.11.62 Gi0/0.1 10.10.10.53 06 C00E 05D6 463K
Gi0/0.1 10.10.11.125 Gi0/0.1 10.10.10.30 06 12A1 1F90 355K
Gi0/0.1 10.10.11.115 Gi0/0.1 10.10.10.14 06 042C 05D6 336K
Gi0/0.1 10.10.11.137 Gi0/0.1 10.10.10.6 06 04AC 0D3D 244K
Gi0/0.1 10.10.11.154 Gi0/0.1 10.10.10.53 06 0A0D 0A26 216K
Gi0/0.1 10.10.11.66 Gi0/0.1 10.10.10.6 06 C018 05D6 195K
Gi0/0.1 10.10.11.91 Gi0/0.1 10.10.10.5 06 0439 05D6 145K
Gi0/0.1 10.10.11.58 Gi0/0.1 10.10.10.14 06 0458 05D6 134K
Gi0/0.1 10.10.11.127 Gi0/0.1 10.10.10.30 06 0618 1F90 115K
Gi0/0.1 10.10.11.18 Local 10.10.255.11 11 0800 0800 96K
Gi0/0.1 10.10.11.147 Gi0/0.1 10.10.10.14 06 118F 0A26 88K
Gi0/0.1 10.10.11.95 Gi0/0.1 10.10.10.14 06 0C35 0D3D 84K
Gi0/0.1 10.10.11.105 Gi0/0.1 10.10.10.27 06 C98F 01BD 70K
Gi0/0.1 10.10.11.117 Gi0/0.1 10.10.10.53 06 CB1A 0D3D 41K
Gi0/0.1 10.10.11.65 Gi0/0.1 10.10.10.14 06 0EF9 05D6 40K
Gi0/0.1 10.10.11.112 Gi0/0.1 10.10.10.21 06 08D5 0D3D 37K
Thanks!I believe the problem is caused because I have the WAAS appliance in the same subnet as users. I am using the 'egress-method negotiated-return intercept-method wccp' on the WAAS to send the traffic back to the router. This uses GRE, which is causing the cache flow data to show up the way it is.
I will have to move the WAAS to a different subnet and change the return method. -
Cisco2821 - ip flow top talkers = cache is empty
Hi Everyone,
I've been fighting an issue with a 2821 router for some time now. I'm trying to pull the top talkers from an interface, however the cache is empty. I verified the configuration with a known working 2821 and the output for the interfaces are the same. Any help would be greatly appreciated!
NON-WORKING:::
interface GigabitEthernet0/0
description P2P Comcast NLAN to ENET
ip address 10.103.2.6 255.255.255.0
ip flow ingress
ip flow egress
duplex full
speed 100
interface GigabitEthernet0/1
description connect to JDR_3560_2
ip address 10.200.12.1 255.255.255.0
duplex auto
speed auto
interface Serial0/1/0
no ip address
shutdown
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
no ip http server
no ip http secure-server
ip flow-cache timeout active 1
ip flow-export source GigabitEthernet0/0
ip flow-export version 5
ip flow-export destination 10.100.1.58 2055
ip flow-top-talkers
top 25
sort-by bytes
logging 10.100.1.17
logging 10.100.1.119
WORKING CONFIG:
interface GigabitEthernet0/0
description Comcast MetroEthernet CID: 54.VLXP.006454.CPLC
ip address 10.103.2.5 255.255.255.0
ip flow ingress
ip flow egress
ip pim sparse-dense-mode
ip igmp query-interval 125
duplex full
speed 100
service-policy output WAN-EDGE
ip flow-cache timeout active 1
ip flow-export source GigabitEthernet0/0
ip flow-export version 5
ip flow-export destination 10.100.6.111 2055
ip flow-export destination 10.100.1.58 2055
ip flow-top-talkers
top 30
sort-by bytes
ip mroute 0.0.0.0 0.0.0.0 10.103.2.240
logging 10.100.1.17
logging 10.100.1.40
logging 10.100.1.119Hi,
I'm not a Netflow expert by let's try; config seems to be correct, could you post the output of
sh ip flow export
sh ip flow top-talker
sh ver
enrico -
Hi Folks,
I was trying to use the top talkers feature to find the culprits hogging my bandwidth. I am pertty new top talker feature and its implemented on a 6500 with sup720. I have a couple of queries w.r.t this.
* tried to configure the cort by bytes feature got a warning that its not supported on the hardware based model.So is there any way to use sort by bytes on the sup 720?
* The O/P fileds of a show ip flow top-talkers are usually,
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts( had to use sort by packets due to warning)
Now is this pkts field the number of packets calculated between the cache-timeout value or is it the total seen so far? Will it be the same for sort by bytes too? Total bytes seen for this flow rather than a realtime bytes/sec or bytes/cache time-out value.
If this is the case then its actually not a real time top talker value right? Please help
Thanks,
PrakadeeshThe --command -- sh ip cache flow shows the cache-timeout value only not the collective bytes of data ; if you need the Total bytes seen for this flow you need to use the Crannog netflow Tracker kind of tools or you need to use " ip accounting " and clear the counter manually as and when required !!!
And it its actually a real time top talker value for that specifed cache-timeout value and i found most of the time it shows the correct top-talker many times !!!!!!!!!!!!!!!!!!! -
Netflow top-talkers configuration
Hello
I would like to know the purpose of these configuration commands :
ip flow-top-talkers
top 50
sort-by packets
cache-timeout 2000
match source address 192.1.1.97/32
match destination address 192.1.1.110/32
This is extracted from a documentation from Cisco.
For me there is no sense to configure a top talkers : how do we know that this will be the top talkers ?
Thanks for help
RegardsTop talkers are based on the conversations or flows generating the heaviest traffic on your routing device. A flow refers to traffic from source A to source B through any interface of the router and "heaviest traffic" means volume of traffic generated. They can be sorted based on any one of the following criteria:
1. By the total number of packets in each top talker
2. By the total number of bytes in each top talker
There are further filter options, which can done using "match statements".
For eg, if you simply enable top talkers for 50 and set the sort feature based on packets, the 50 conversations who were sending the most traffic (volume - KB, MB, GB) will be taken and displayed. The displayed conversations will be sorted based on the packet counts in the flow.
If you add an match IP source statement to the above example, then the same as above is done but only flows whose source IP is the same as in the match statement is captured.
If you add a match source and destination IP, then only the top 50 flows between those 2 IP Addresses will be captured and displayed.
Regards,
Don Thomas Jacob
www.netflowanalyzer.com
NOTE: Please rate posts and close questions if you have got the answer. -
How to get Top Talkers on ASA ?
hi Friends,
We ahave ASA 5510 and 5520 @ our office. We are not using any netflow tools in order to get the talk talklers.
As this firewalls are shared firewall (used by different Projects), we are not able to get , which project is using more traffic and which is less.
Can someone help me out in this ?
Regards
Nirav BhattI know this is an old thread, but I'm hoping this will come in handy for anyone doing a search.
All our 5505's and 5510's are on ASA 8.2(5) and didn't get some of the nicer "top 10" features that come with later versions. I always assumed it was due to the ASA version, but I built an ASA recently on 8.2(5) which has ASDM 7.1(2) on it and the pie charts for top talkers is there now.
I'm in the process of updating all our devices to ASDM 7.1(2) and it's given us a lot more visibility of the network. -
ASA5505 - IP FLOW TOP or IP Accounting
How does one find the top user or IP accounting with this ASA5505 v7.22 device?
With 1841 ISR:
sh ip accounting
sh ip flow top
Very lame if they don't have similar commands or capabilities on the ASA series.David,
The version that you are running is very old. The IP accounting Im not sure what it does, but the show IP flow, I am almost 99% sure that it has to do with Netflow, which was introduced on the ASA in version 8.2 and higher.
Just looked for the IP accounting and mostlikely, all that you are asking for is implemented on Netflow, here is more info:
https://supportforums.cisco.com/docs/DOC-6114
You can upgrade to 8.2.1 not having to do much of a change, now that you know that you are running an old version, please do not consider to (mind as well) upgrade to the latest version without reading what it first needs to be done. The upgrade to 8.2.1 should not be much of a change.
Mike Rojas -
Work Flow of a Support Project
Hi Gurus,
Could Anyone mail the work flow of solving tickets by introducing new configuration in a support project and its authorizations to [email protected]
Regards,
SaroshAny AE project requires some planning. The more elements that are involved, the greater the level of planning. I just recently completed a project that involved 3D modeling, client supplied video to be used as a texture, and AE for final composite. We didn't draw any storyboards, but we did look at a bunch of similar animations and make a fist full of notes. If I were to attempt a James Bond style open I'd be sketching out storyboards, looking at every James Bond open that I could find, looking at every similar movie or TV show open that I could find, and brainstorming with colleagues, and working out a production timeline and budget. There's nothing worse than shooting some footage without a plan then trying to bend it into an concept that just doesn't fit.
I suspect you wanted a to do list. Well here it is.
1. Write a script for your open including all the elements that must be there
2. Turn the script into a storyboard
3. Block out the required shots so that they will work with your concept (IOW shoot your greenscreen footage with the same lens angle of view that you're going to use for the 3D camera in AE so that the perspectives match)
4. Do some tests in AE using at least shape layers for the elements
5. Make sure that you have all the tools you need (IOW plug-ins, cameras, lights, skills, music, sound effects)
6. Shoot what you've put on the storyboard
7. Shoot some extra footage
8. Start laying out the elements
9. Render out some motion tests
10. Refine, Refine, Refine
11. Wait a day or two
12. Final polish and render
Hope this helps. -
Cisco Cube Flow around mode supported for CVP 10
Hi Guys,
We are deploying CVP 10.5, our ingress gateway for the CVP is a CUBE. We know that in CVP 8.0 the media flow around is not supported, but we don't know if in the version 10 is supported. does anybody knows about it?Hi,
Please refer to page no 75. Its mentioned --With flow-around mode, you lose the ability to do DTMF interworking,transcoding, and other key functions such as telephone and media capabilities.
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/customer_voice_portal/srnd/10_5/CCVP_BK_C17804D9_00_cisco-unified-customer-voice-portal.pdf
I hope this will help you. -
Top Processors supported on 3000 N100 768-04U
Can anyone confirm the fastest processor I would be able to put in this system?
It currently has a T2060 processor.
I would like to go all the way to the t7200 if it will work...
thanks
--tmacIt seems that the N100 utilizes either the 945GM or 945PM chipset. If that's the case, you should be able to go up to the Core 2 Duo T7600 [2.33GHz]. However, you may experience elevated operating temperatures as the T7600 consumes more power than the Pentium Dual Core T2060.
**Please confirm the chipset with CPU-Z.
If you are looking for increased performance, a 7200RPM hard drive would be ideal.
Message Edited by ortegaluis on 04-15-2009 08:31 PM
Message Edited by ortegaluis on 04-15-2009 08:32 PM
\\ I do not respond to PM regarding individual tech support. Keep discussions in the forum for the benefit of others // -
Remote site to site VPN user cannot access LAN resources
Users in remote site can get ping response but no http service from local web server where the local web server also has NAT rule allowing access from WAN. In the below config, users in remote 10.10.10.160/27 can ping 10.10.10.30 and 10.10.10.95, but http packets are not returned.
What do I need to do to fix this?
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname SFGallery
boot-start-marker
boot-end-marker
no logging buffered
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authentication login ciscocp_vpn_xauth_ml_3 group radius local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
aaa session-id common
clock timezone PCTime -7 0
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ipv6 cef
ip source-route
ip cef
ip dhcp excluded-address 172.16.0.1 172.16.3.99
ip dhcp excluded-address 172.16.3.200 172.16.3.254
ip dhcp pool SFGallery172
import all
network 172.16.0.0 255.255.252.0
domain-name xxxxxxxxxxxx
dns-server 10.10.10.10
default-router 10.10.10.94
netbios-name-server 10.10.10.10
ip domain name gpgallery.com
ip name-server 10.10.10.10
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 10.10.10.80
multilink bundle-name authenticated
crypto pki token default removal timeout 0
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name [email protected]
revocation-check crl
crypto pki trustpoint SFGallery_Certificate
enrollment selfsigned
serial-number none
ip-address none
revocation-check crl
rsakeypair SFGallery_Certificate_RSAKey 512
crypto pki certificate chain test_trustpoint_config_created_for_sdm
crypto pki certificate chain SFGallery_Certificate
certificate self-signed 01
xxxxxx
quit
license udi pid CISCO2911/K9 sn FTX1542AKJ3
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package datak9
hw-module sm 1
object-group network Corp
172.16.4.0 255.255.252.0
10.10.10.128 255.255.255.224
object-group network SFGallery
172.16.0.0 255.255.252.0
10.10.10.0 255.255.255.128
object-group network NY
10.10.10.160 255.255.255.224
172.16.16.0 255.255.252.0
object-group network GPAll
group-object SFGallery
group-object NY
group-object Corp
username xxx
username xxx
username xxx
username xxx
redundancy
no ip ftp passive
ip ssh version 1
class-map type inspect match-all CCP_SSLVPN
match access-group name CCP_IP
policy-map type inspect ccp-sslvpn-pol
class type inspect CCP_SSLVPN
pass
zone security sslvpn-zone
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key TempVPN1# address xx.xx.xx.xx
crypto isakmp client configuration group SFGallery
key Peters2011
dns 10.10.10.10 10.10.10.80
wins 10.10.10.10 10.10.10.80
domain gpgallery.com
pool SDM_POOL_1
acl 111
save-password
split-dns gpgallery.com
max-users 25
max-logins 3
netmask 255.255.252.0
banner ^CYou are now connected to the Santa Fe Gallery and Corp. ^C
crypto isakmp profile ciscocp-ike-profile-1
match identity group SFGallery
client authentication list ciscocp_vpn_xauth_ml_3
isakmp authorization list ciscocp_vpn_group_ml_2
client configuration address respond
virtual-template 3
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 43200
set transform-set ESP-3DES-SHA3
set isakmp-profile ciscocp-ike-profile-1
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel toxx.xx.xx.xx
set peer xx.xx.xx.xx
set transform-set ESP-3DES-SHA1
match address 107
reverse-route
interface Loopback1
ip address 192.168.5.1 255.255.255.0
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
description T1 Cybermesa$ETH-WAN$
ip address xx.xx.xx.xx 255.255.255.240
ip access-group 105 in
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map SDM_CMAP_1
interface GigabitEthernet0/1
description LANOverloadNet$ETH-WAN$
no ip address
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/2
description LAN$ETH-LAN$
ip address 10.10.10.2 255.255.255.128
ip access-group 100 in
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface FastEthernet0/0/0
ip address 192.168.100.1 255.255.255.0
ip access-group ReplicationIN out
duplex auto
speed auto
interface GigabitEthernet1/0
description $ETH-LAN$
ip address 172.16.0.1 255.255.252.0
ip nat inside
ip virtual-reassembly in
interface GigabitEthernet1/1
description Internal switch interface connected to EtherSwitch Service Module
no ip address
interface Virtual-Template1 type tunnel
ip unnumbered Loopback1
interface Virtual-Template2
ip unnumbered Loopback1
zone-member security sslvpn-zone
interface Virtual-Template3 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
interface Vlan1
no ip address
ip local pool SDM_POOL_1 172.16.3.200 172.16.3.254
ip forward-protocol nd
ip http server
ip http access-class 1
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
top 10
sort-by bytes
cache-timeout 60000
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
ip nat inside source route-map SDM_RMAP_4 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.10.10.95 22 xx.xx.xx.xx extendable
ip nat inside source static udp 10.10.10.95 22 xx.xx.xx.xx extendable
ip nat inside source static tcp 10.10.10.95 25 xx.xx.xx.xx extendable
ip nat inside source static udp 10.10.10.95 25 xx.xx.xx.xx 25 extendable
ip nat inside source static tcp 10.10.10.95 80 xx.xx.xx.xx 80 extendable
ip nat inside source static udp 10.10.10.95 80 xx.xx.xx.xx 80 extendable
ip nat inside source static tcp 10.10.10.95 443 xx.xx.xx.xx 443 extendable
ip nat inside source static udp 10.10.10.95 443 xx.xx.xx.xx 443 extendable
ip nat inside source static tcp 10.10.10.30 80 xx.xx.xx.xx 80 extendable
ip nat inside source static tcp 10.10.10.104 80 xx.xx.xx.xx 80 extendable
ip nat inside source static tcp 10.10.10.37 26 xx.xx.xx.xx 25 extendable
ip nat inside source static udp 10.10.10.37 26 xx.xx.xx.xx 25 extendable
ip nat inside source static tcp 10.10.10.115 80 xx.xx.xx.xx 80 extendable
ip nat inside source static tcp 10.10.10.115 443 xx.xx.xx.xx 443 extendable
ip nat inside source static tcp 10.10.10.80 443 xx.xx.xx.xx 443 extendable
ip nat inside source static tcp 10.10.10.47 26 xx.xx.xx.xx 25 extendable
ip nat inside source static udp 10.10.10.47 26 xx.xx.xx.xx 25 extendable
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx permanent
ip route 10.10.10.0 255.255.255.128 GigabitEthernet0/2 10 permanent
ip route 10.10.10.44 255.255.255.255 10.10.10.1 permanent
ip route 10.10.10.128 255.255.255.224 10.10.10.126 permanent
ip route 10.10.10.172 255.255.255.255 10.10.10.3 permanent
ip route 10.10.10.175 255.255.255.255 10.10.10.3 permanent
ip route 10.10.10.177 255.255.255.255 10.10.10.3 permanent
ip route 172.16.4.0 255.255.252.0 10.10.10.126 permanent
ip route 192.168.100.0 255.255.255.0 FastEthernet0/0/0 permanent
ip route 192.168.101.0 255.255.255.0 10.10.10.126 permanent
ip access-list extended CCP_IP
remark CCP_ACL Category=128
permit ip any any
ip access-list extended ReplicationIN
remark CCP_ACL Category=1
permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
deny ip any any
ip access-list extended ReplicationOUT
remark CCP_ACL Category=1
deny ip any any
no logging trap
logging 10.10.10.107
access-list 1 permit 192.168.1.2
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 72.216.51.56 0.0.0.7
access-list 1 permit 172.16.0.0 0.0.3.255
access-list 1 permit 172.16.4.0 0.0.3.255
access-list 1 permit 10.10.10.128 0.0.0.31
access-list 1 remark Auto generated by SDM Management Access feature
access-list 1 permit xx.xx.xx.xx 0.0.0.15
access-list 1 permit 10.10.10.0 0.0.0.127
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark CCP_ACL Category=1
access-list 100 permit tcp object-group GPAll object-group NY eq www
access-list 100 permit udp host 10.10.10.10 eq 1645 host 10.10.10.2
access-list 100 permit udp host 10.10.10.10 eq 1646 host 10.10.10.2
access-list 100 permit ip any host 10.10.10.2
access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq telnet
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq telnet
access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq telnet
access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq telnet
access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq 22
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq 22
access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq 22
access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq 22
access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq www
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq www
access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq www
access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq www
access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq 443
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq 443
access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq 443
access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq 443
access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq cmd
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq cmd
access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq cmd
access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq cmd
access-list 100 deny tcp any host 10.10.10.2 eq telnet
access-list 100 deny tcp any host 10.10.10.2 eq 22
access-list 100 deny tcp any host 10.10.10.2 eq www
access-list 100 deny tcp any host 10.10.10.2 eq 443
access-list 100 deny tcp any host 10.10.10.2 eq cmd
access-list 100 deny udp any host 10.10.10.2 eq snmp
access-list 100 permit udp any eq domain host 10.10.10.2
access-list 100 permit udp host 10.10.10.80 eq domain any
access-list 100 permit udp host 10.10.10.10 eq domain any
access-list 100 permit ip any any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip 72.216.51.56 0.0.0.7 any
access-list 101 permit ip 172.16.0.0 0.0.3.255 any
access-list 101 permit ip 172.16.4.0 0.0.3.255 any
access-list 101 permit ip 10.10.10.128 0.0.0.31 any
access-list 101 permit ip xx.xx.xx.xx 0.0.0.15 any
access-list 101 permit ip host 192.168.1.2 any
access-list 101 permit ip 10.10.10.0 0.0.0.127 any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark CCP_ACL Category=1
access-list 102 permit ip 72.216.51.56 0.0.0.7 any
access-list 102 permit ip 172.16.0.0 0.0.3.255 any
access-list 102 permit ip 172.16.4.0 0.0.3.255 any
access-list 102 permit ip 10.10.10.128 0.0.0.31 any
access-list 102 permit ip xx.xx.xx.xx 0.0.0.15 any
access-list 102 permit ip host 192.168.1.2 any
access-list 102 permit ip 10.10.10.0 0.0.0.127 any
access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 remark CCP_ACL Category=1
access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq telnet
access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq 22
access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq www
access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq 443
access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq cmd
access-list 103 deny tcp any host 172.16.0.1 eq telnet
access-list 103 deny tcp any host 172.16.0.1 eq 22
access-list 103 deny tcp any host 172.16.0.1 eq www
access-list 103 deny tcp any host 172.16.0.1 eq 443
access-list 103 deny tcp any host 172.16.0.1 eq cmd
access-list 103 deny udp any host 172.16.0.1 eq snmp
access-list 103 permit ip any any
access-list 104 remark CCP_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 104 permit ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31
access-list 105 remark Auto generated by SDM Management Access feature
access-list 105 remark CCP_ACL Category=1
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.10.10.160 0.0.0.31 10.10.10.128 0.0.0.31
access-list 105 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.10.10.160 0.0.0.31 172.16.0.0 0.0.255.255
access-list 105 permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 105 permit ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 105 permit ip 172.16.0.0 0.0.255.255 10.10.10.0 0.0.0.255
access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq telnet
access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq telnet
access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq telnet
access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq 22
access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq 22
access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq 22
access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq www
access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq www
access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq www
access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq 443
access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq 443
access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq 443
access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq cmd
access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq cmd
access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq cmd
access-list 105 deny tcp any host xx.xx.xx.xx eq telnet
access-list 105 deny tcp any host xx.xx.xx.xx eq 22
access-list 105 deny tcp any host xx.xx.xx.xx eq www
access-list 105 deny tcp any host xx.xx.xx.xx eq 443
access-list 105 deny tcp any host xx.xx.xx.xx eq cmd
access-list 105 deny udp any host xx.xx.xx.xx eq snmp
access-list 105 permit tcp any host xx.xx.xx.xx eq 443
access-list 105 permit ip 10.10.10.160 0.0.0.31 10.10.10.0 0.0.0.127
access-list 105 permit udp any eq domain host xx.xx.xx.xx
access-list 105 permit ahp host 209.101.19.226 host xx.xx.xx.xx
access-list 105 permit esp host 209.101.19.226 host xx.xx.xx.xx
access-list 105 permit udp host 209.101.19.226 host xx.xx.xx.xx eq isakmp
access-list 105 permit udp host 209.101.19.226 host xx.xx.xx.xx eq non500-isakmp
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.10.10.0 0.0.0.127 10.10.10.0 0.0.0.127
access-list 105 permit ip any any
access-list 106 remark CCP_ACL Category=2
access-list 106 remark IPSec Rule
access-list 106 deny ip 10.10.10.128 0.0.0.31 10.10.10.160 0.0.0.31
access-list 106 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 106 remark IPSec Rule
access-list 106 deny ip 172.16.0.0 0.0.255.255 10.10.10.160 0.0.0.31
access-list 106 deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 106 deny ip 172.16.0.0 0.0.255.255 10.10.10.0 0.0.0.255
access-list 106 deny ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 106 deny ip 10.10.10.0 0.0.0.127 10.10.10.160 0.0.0.31
access-list 106 remark IPSec Rule
access-list 106 deny ip 10.10.10.0 0.0.0.127 10.10.10.0 0.0.0.127
access-list 106 permit ip 10.10.10.0 0.0.0.255 any
access-list 107 remark CCP_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.10.10.0 0.0.0.127 10.10.10.160 0.0.0.31
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.10.10.128 0.0.0.31 10.10.10.160 0.0.0.31
access-list 107 remark IPSec Rule
access-list 107 permit ip 172.16.0.0 0.0.255.255 10.10.10.160 0.0.0.31
access-list 107 permit ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 107 permit ip 172.16.0.0 0.0.255.255 10.10.10.0 0.0.0.255
access-list 107 permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 107 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 107 remark IPSec Rule
access-list 107 deny ip 172.16.0.0 0.0.255.255 host 10.10.10.177
access-list 108 remark CCP_ACL Category=2
access-list 108 remark IPSec Rule
access-list 108 deny ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31
access-list 108 permit ip 70.56.215.0 0.0.0.255 any
access-list 109 remark CCP_ACL Category=2
access-list 109 remark IPSec Rule
access-list 109 deny ip 10.10.10.128 0.0.0.31 10.10.10.160 0.0.0.31
access-list 109 remark IPSec Rule
access-list 109 deny ip 10.10.10.0 0.0.0.127 10.10.10.160 0.0.0.31
access-list 109 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 109 remark IPSec Rule
access-list 109 deny ip 172.16.0.0 0.0.255.255 10.10.10.160 0.0.0.31
access-list 109 deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 109 deny ip 172.16.0.0 0.0.255.255 10.10.10.0 0.0.0.255
access-list 109 deny ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 109 permit ip 172.16.0.0 0.0.255.255 any
access-list 111 remark CCP_ACL Category=4
access-list 111 permit ip 10.10.10.0 0.0.0.127 any
access-list 111 permit ip 10.10.10.128 0.0.0.31 any
access-list 111 permit ip 172.16.0.0 0.0.3.255 any
access-list 111 permit ip 172.16.4.0 0.0.3.255 any
access-list 111 permit ip 10.10.10.160 0.0.0.31 any
route-map SDM_RMAP_4 permit 1
match ip address 109
route-map SDM_RMAP_1 permit 1
match ip address 106
route-map SDM_RMAP_2 permit 1
match ip address 108
snmp-server community public RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps transceiver all
snmp-server enable traps ds1
snmp-server enable traps call-home message-send-fail server-fail
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps license
snmp-server enable traps envmon
snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
snmp-server enable traps flash insertion removal
snmp-server enable traps c3g
snmp-server enable traps ds3
snmp-server enable traps adslline
snmp-server enable traps vdsl2line
snmp-server enable traps icsudsu
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps energywise
snmp-server enable traps vstack
snmp-server enable traps mac-notification
snmp-server enable traps bgp
snmp-server enable traps isis
snmp-server enable traps rf
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
snmp-server enable traps memory bufferpeak
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps entity
snmp-server enable traps fru-ctrl
snmp-server enable traps resource-policy
snmp-server enable traps event-manager
snmp-server enable traps frame-relay multilink bundle-mismatch
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps nhrp nhs
snmp-server enable traps nhrp nhc
snmp-server enable traps nhrp nhp
snmp-server enable traps nhrp quota-exceeded
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps l2tun pseudowire status
snmp-server enable traps vtp
snmp-server enable traps ipsla
snmp-server enable traps bfd
snmp-server enable traps firewall serverstatus
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps vrfmib vrf-up vrf-down vnet-trunk-up vnet-trunk-down
snmp-server host 10.10.10.107 public
radius-server host 10.10.10.10 key HelloSFGal1#
control-plane
banner login ^CCCWelcome to Santa Fe Gallery Cisco 2911 router 10.10.10.1.^C
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 67
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
flowcontrol software
line vty 0 4
access-class 102 in
transport input telnet
line vty 5 15
access-class 101 in
transport input telnet
scheduler allocate 20000 1000
endThanks so much, Herbert.
As an alternative to what you suggest, what do you think of this? I got it from Cisco's support document, http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml
I would delete these lines:
no ip nat inside source static tcp 10.10.10.95 80 [outside IP) 80 extendable
no ip nat inside source static udp 10.10.10.95 80 [outside IP) 80 extendable
no ip nat inside source static tcp 10.10.10.95 443 [outside IP) 443 extendable
no ip nat inside source static udp 10.10.10.95 443 [outside IP) 443 extendable
no ip nat inside source static tcp 10.10.10.30 80 [outside IP) 80 extendable
and replace with these
ip nat inside source static tcp 10.10.10.95 80 [outside IP) 80 route-map nonat extendable
ip nat inside source static udp 10.10.10.95 80 [outside IP) 80 route-map nonat extendable
ip nat inside source static tcp 10.10.10.95 443 [outside IP) 443 route-map nonat extendable
ip nat inside source static udp 10.10.10.95 443 [outside IP) 443 route-map nonat extendable
ip nat inside source static tcp 10.10.10.30 80 [outside IP) 80 route-map nonat extendable
Then add:
access-list 150 deny ip host 10.10.10.95 10.10.10.160 0.0.0.31
access-list 150 deny ip host 10.10.10.95 172.16.8.0 0.0.3.255
access-list 150 deny ip host 10.10.10.130 10.10.10.160 0.0.0.31
access-list 150 deny ip host 10.10.10.130 172.16.8.0 0.0.3.255
access-list 150 permit ip host 10.10.10.95 any
access-list 150 permit ip host 10.10.10.130 any
route-map nonat permit 10
match ip address 150
Maybe you are looking for
-
MRI: How to deal with the NEW .js files being added to MassReplaceIt?
This question concerns the application "MassReplaceIt." I have read the Help menu on it but am not clear on it and want to make sure that my guess is correct before I go and do anything. THE RUN-UP TO MY QUESTION IS: I have 23 songs on my website. Ea
-
DECLARE PO_TSF_INDICATOR VARCHAR2(1); LOC_TYPE VARCHAR2(10); TSF_FROM_LOCATION VARCHAR2(50); PO_SUPP NUMBER(10); QTY NUMBER(12,4); BEGIN IF :SYSTEM.RECORD_STATUS = 'CHANGED' THEN PO_TSF_INDICATOR := TRIM(:B_REQUEST.LI_PO
-
i want to create 50 strings named str1 to str50. Do I have to write them all out or is there a way to loop construcing them?
-
All, Srinivas provided a really good info (https://www.sdn.sap.com/irj/scn/wiki?path=/display/bi/upgradefromBW3.XtoBI7.0+%28SP13%29) on the Post-BI7 Upgrade Task: 1) Activating the Internet Communication Manager 2) Converting Web objects 3) Conversio
-
I'm experiencing problems with my iPod and most likely will need to swap it. My question is, since I had mine personalized, do you think they will tell me to send it in? I only ask this cause I don't want to drive the hour and a half to the Apple sto