IPS and ECLB with Nexus vPC
Hi,
Has anyone configured ECLB on a pair of Nexus 7018s to "load balance" the traffic for several IPS sensors?
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_example09186a0080671a8d.shtml
I am not really sure if it works with Nexus. It works with the 6500 switch for sure.
Regards,
I think you can post this question in the routing and switching section as well; the experts there have better suggestions related to port channels and HSRP.
Similar Messages
-
NX-OS firmware Upgradation in Nexus 5548 with Enhanced vPC with Dual Active FEX
Hi All,
Please tell me how to do "NX-OS firmware Upgradation in Nexus 5548 with Enhanced vPC with Dual Active FEX" without downtime for FEX.
The Server are connected to FEX.
Attached is the diagram.
Hi,
If the 5500s are layer-2 with vPC running between them, then you can use ISSU to upgrade.
here is doc to follow:
ISSU Support for vPC Topologies
An ISSU is completely supported when two switches are paired in a vPC configuration. In a vPC configuration, one switch functions as a primary switch and the other functions as a secondary switch. They both run the complete switching control plane, but coordinate forwarding decisions to have optimal forwarding to devices at the other end of the vPC. Additionally, the two devices appear as a single device that supports EtherChannel (static and 802.3ad) and simultaneously provide data forwarding services to that device.
While upgrading devices in a vPC topology, you should start with the switch that is the primary switch. The vPC secondary device should be upgraded after the ISSU process completes successfully on the primary device. The two vPC devices continue their control plane communication during the entire ISSU process (except when the ISSU process resets the CPU of the switch being upgraded).
This example shows how to determine the vPC operational role of the switch:
link:
http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/upgrade/513_N1_1/n5k_upgrade_downgrade_513.html
HTH -
W32.conficker.worm - detection and blocking with a IPS 4235
We have an IPS 4235 system with IPS-K9-5.1-8-E3 engine and sig file IPS-sig-s368-reg-E3 in front of our firewall. We also (unfortunately) have the W32.Conficker worm, which is causing a DDoS and flooding the network with TCP 445 traffic. We are trying to set up the IPS to block this traffic before it hits our firewall so that we can restore external WAN links.
The IPS system successfully detects this 445 traffic as signature ID 1302 and fills the event log, but even though we have enabled "deny connection inline" in the "signature configuration", it still does not seem to block the 445 traffic. Has anyone seen this before, and could they advise us on how to effectively block this traffic?
Hi,
Regardless of what the signature fires on, you should still be able to set an action.
I could set it to fire on receiving any tcp syn and request a deny attack inline. If it is not working then I would question the configuration not the signature attribute.
A google search found this information regarding the worm. It seems to download a file via a random HTTP port. Perhaps you could look at using the AIC HTTP engine, and matching on the filename with a regex.
"This malware mostly spreads within corporations but also was reported by several hundred home users. It opens a random port between port 1024 and 10000 and acts like a web server. It propagates to random computers on the network by exploiting MS08-067. Once the remote computer is exploited, that computer will download a copy of the worm via HTTP using the random port opened by the worm."
Have you checked that there are no event action overrides configured that would overwrite your condition ?
Also have you ensured that the IPS is configured to never block certain address ranges ?
If you are seeing the signature fire then we can assume that the traffic flow has been setup correctly.
We cannot just block based on port 445 as we will be denying genuine RPC traffic. However we could customise the signature to fire based around a combination of the HTTP post or get. Or peer to peer RPC traffic.
HTH,
Jon Humphries
Nextiraone UK -
DCNM compatibilty with nexus 2000 and 5000 series
Hi,
I would like to know if DCNM can manage a data center composed of Nexus 2000 & 5000 series only!
Kind regards
Hi reswaran,
The features are:
- Automatic network discovery and real-time topology.
- Network anomaly detection (thresholds, alarms, errors, ...)
- Use email or alerts to notify operations staff of critical outages that may be service-impacting
- Centralized administration interface, with access via web
- Secured access and rights management
- Storage of data in an exportable database
- Quick, simple and transparent deployment
- Monitoring of WAN bandwidth usage
- Configurable report generation
- Generation of performance reports
- Provide a network map
- Support for several network units
- Integrated Syslog server
- Polling and monitoring of SNMP trap alarms
- Secure config distribution
- Support for 200 devices
What kind of NMS can you recommend?
thanks a lot -
Is there an NXOS command to check to see if traffic is being dropped from traversing a Nexus vPC link?
iTunes 11 seems to shuffle just fine for me.
You can restore much of the look & feel of the previous version with these shortcuts:
Ctrl-B to turn on the menu bar.
Ctrl-S to turn on the sidebar (your device should be listed here as before).
Ctrl-/ to turn on the status bar.
Click the magnifying glass top right and untick Search Entire Library to restore the old search behaviour.
If you want to roll back to iTunes 10.7, first download a copy of the 32 bit installer or 64 bit installer as appropriate, uninstall iTunes and supporting software, i.e. Apple Application Support & Apple Mobile Device Support. Reboot. Restore the pre-upgrade version of your library database as per the diagram below, then install iTunes 10.7.
See iTunes Folder Watch for a tool to scan the media folder and catch up with any changes made since the backup file was created.
tt2 -
Stackable switche options with Nexus range? - Nexus 3172
Hi all,
We are looking at upgrading our Rack switches. We have 3 racks and need about 80 10Gig copper/RJ45 server ports per rack. We are fairly price conscious.
I am new to Nexus product range, but have a lot of experience with Catalyst switches.
We are considering Nexus 3172T switches. But I’m not sure if they are really suitable because they don’t stack.
I would far rather a switch model that we can stack together so I don’t need to manage each switch individually (much as you would do with Catalyst 3750). We did look at Catalyst 4500X but they are too expensive.
Initially we only need Layer2 switches, but I would really prefer stackable switches in case we move to Layer3 switches (I don’t want to have to muck around with HSRP).
It really seems to be a big hole in the Cisco product range. Every other vendor we have looked at has a Virtual Chassis (Juniper, HP, Brocade) system that would be ideal. Cisco have VSS in the 4500X but it's pretty rubbish as it only allows two switches.
What sort of options do I have with Cisco Nexus at a reasonable price?
Simon
I would suggest you read this white paper which details the pros and cons of direct connect storage.
http://www.cisco.com/en/US/partner/prod/collateral/ps10265/ps10276/whitepaper_c11-702584.html This paper captures all the major design points for Ethernet and FC protocols.
I would only add that in FlexPod we are trying to create a highly available solution and "flexible" solution; Nexus switching helps us deliver on both with vPC and unified ports.
NPV equates to end-host mode, which allows the system to present all of the servers as N ports to the external fabric. In this mode, the vHBAs are pinned to the egress interfaces of the fabric interconnects. This pinning removes the potential of loops in the SAN fabric. Host-based multipathing of the vHBAs accounts for potential uplink failures. The NPV mode (end-host mode) simplifies the attachment of UCS into the SAN fabric and that is why it is in NPV mode by default.
So for your last question, I will have to put my Product Manager hat on, so bear with me. First off, there is no drawback to enabling the NPIV feature (none that I am aware of); the Nexus 5000 platform simply offers you a choice to design and support multiple FC initiators (N-Ports) per F-Port via NPIV. This allows for the integration of the FI end-host mode described above. I imagine that, being a unified access layer switch, the Nexus team enabled standard Fibre Channel switching capability and features first. The implementation of NPIV is a customer choice based on their specific access layer requirements.
/Chris -
I have a problem with the synchronisation of my iPhone and iPad with Outlook 2007 on my 64-bit Windows 7 PC. For several years,
I have had no problems with the synchronisation by cord connection and iTunes between these programmes. However, a few months ago I decided to use Mobile Me. However, there were problems with duplication of calendars and then “rogue events” – which could not be deleted – even if deleted on Outlook and on the iPhone (or both at the same time) – they would just reappear after the next synchronisation. All other synchronisation areas (eg Contacts, Notes etc) work fine.
I have looked for help through the Apple Support Community and tried many things. I have repaired my Outlook. I have repaired my .pst file in Windows. I have re-installed the latest version of iTunes on my PC. I have re-installed the firmware on my iPhone. I have tried many permutations on my iPhone. I have closed down all Mobile Me functions on the iPhone. I have spent upwards of 24 hours trying to solve this problem.
What am I left with? Outlook works seamlessly on my PC. My iPhone calendar now has no events from my calendar, but does not synchronise through iTunes. Nor does it send events initiated on the iPhone to Outlook. I am at the point of abandoning iPhones and iPads altogether. I need to have a properly synchronising calendar on my phone. Do you have any suggestions?
In the control panel go to the "Lenovo - Power Manager" and click the battery tab; there is a maintenance button in there that will let you change the charging profile for your battery. (from memory, so exact wording may be off)
The lower the numbers you use there, the longer the battery *should* last. These batteries degrade faster at higher charge levels, however storing them at too low of levels is also not good for them... I've read that 40% is optimal, but just not realistic if you use your computer.
--- ThinkPad T61 / Win 7 / Core 2 / 4gb RAM / Nvidia / Still used daily --- ThinkPad Edge 15/ i5 / Win 7 / TrueCrypt / 8gb RAM / Hated it, died at 1 yr 1 mo old --- ThinkPad T510 / Win 7 / TrueCrypt / i5 / 8gb RAM / Nvidia / Current primary machine --- ThinkPad X220 / i7 / IPS / 4gb / TrueCrypt / My Road Machine -
Clear doubt on standalone IS and integrate with remote BI4
Hi IS expert,
Apologies for this question from a novice user. I just want to know whether the metadata manager will work well for linear data and impact analysis if standalone IS is installed and is not sharing the common Business Intelligence Platform with BI4?
I reckon it should work for IS version 4.2 Patch 2 as per Note 1907168, and I just need some confirmation on the question below, posted on Information Steward Deployment - Guidelines on sharing BI Platform Vs. Standalone Install - Enterprise Information Manag…
Note: - Starting 4.2 SP1 release (4.2 GA release), 'Standalone Deployment' using Information Platform Services offers same level of 'Simplified User Experience for BI users' with ability to view lineage from WEBI report or BI Launchpad as well as ability to access Metapedia terms associated with a report from BI Launchpad. For Information Steward 4.1 or earlier release 'Simplified User Experience for BI Users' was available only when Information Steward was deployed on 'Shared BI Platform'. This limitation is removed in Information Steward 4.2 SP1 release."
What is the exact meaning of the above? Does it mean that starting from 4.2 SP1, linear data and impact analysis should work even without sharing the common BIP platform? And if yes, should the steps below from note 1907168 be the right source to configure?
Additional Support
From IS 4.2 SP0 Patch 2, IS supports the lineage/impact and BOE Metadata Integrator with remote BI 4.1 SP1 (or higher compatible patches) when installing DS and IS with IPS 4.0 SP5 on the separate landscape.
For the new installation, the supported landscape is
On machine 1, install BI 4.1 SP1
On machine 2, install IPS 4.0 SP5 (or later patch), DS and IS 4.2 SP0 Patch 2
If users want the BI Launch Pad Integration feature from BI 4.1 SP1 (or higher compatible patches) or want to collect the metadata from BI 4.1 SP1 installed on machine 1, refer to the following SAP Note 1906580 to install and configure the following:
Configuring BI launch pad in Information Steward application
Installing the service to collect metadata from SAP Business Intelligence (BI) platform 4.1 SP1 or above.
Your kind input is very much appreciated.
Thanks,
Nicholas Chang
Nicholas,
this was especially related to the customers who want to use the direct and native integration of the Data Lineage and Impact Analysis Graphs and the Metapedia Terms within the BI Launchpad itself.
Before IS 4.2 SP1 customers who wanted to enable their BI Users to view e.g. directly within the BI Launchpad the information where the data for a specific report was coming from were only able to do that when the IS installation was on top of the BI installation. Now they can even have a separated installation of their BI and IS (on IPS), but are still able to view the lineage and impact analysis within the BI Launchpad.
This does not affect the collection of metadata information from the BI system and also from the beginning of IS it was possible to view lineage and impact analysis or metapedia terms within the IS UI itself, independent of the standalone or on-top installation.
Niels -
IPS Tech Tips: IPS Best Practices with Cisco Remote Management Services
Hi Folks -
Another IPS Tech Tip coming up and this time we will be hearing from some past and current Cisco Remote Services members on their best practice suggestions. As always these are about 30 minutes of content and then Q&A - a low cost high reward event.
Hope to see you there.
-Robert
Cisco invites you to attend a 30-45 minute Web seminar on IPS Best Practices delivered via WebEx. This event requires registration.
Topic: Cisco IPS Tech Tips - IPS Best Practices with Cisco Remote Management Services
Host: Robert Albach
Date and Time:
Wednesday, October 10, 2012 10:00 am, Central Daylight Time (Chicago, GMT-05:00)
To register for the online event
1. Go to https://cisco.webex.com/ciscosales/onstage/g.php?d=203590900&t=a&EA=ralbach%40cisco.com&ET=28f4bc362d7a05aac60acf105143e2bb&ETR=fdb3148ab8c8762602ea8ded5f2e6300&RT=MiM3&p
2. Click "Register".
3. On the registration form, enter your information and then click "Submit".
Once the host approves your registration, you will receive a confirmation email message with instructions on how to join the event.
For assistance
http://www.webex.com
IMPORTANT NOTICE: This WebEx service includes a feature that allows audio and any documents and other materials exchanged or viewed during the session to be recorded. By joining this session, you automatically consent to such recordings. If you do not consent to the recording, discuss your concerns with the meeting host prior to the start of the recording or do not join the session. Please note that any such recordings may be subject to discovery in the event of litigation. If you wish to be excluded from these invitations then please let me know!
Hi Marvin, thanks for the quick reply.
It appears that we don't have Anyconnect Essentials.
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5510 Security Plus license.
So then what does this mean for us VPN-wise? Is there any way we can set up multiple VPNs with this license? -
Can IPS and AntiBot work in Active - Active Mode
Hi,
When we propose two firewalls in Active-Active mode with the IPS module and Anti-Bot licences, will the firewall along with IPS and Anti-Bot work in Active-Active mode? If not, how do the other OEMs claim that they are able to run their UTM in Active-Active mode?
Hi,
I haven't seen any type of limitation with IPS and Botnet Traffic filtering on Multiple context mode; so it should work fine.
Luis -
My IPS appliance is not synchronizing with the NTP, below are the logs that I am getting.
NTP Statistics
= remote refid st t when poll reach delay offset jitter
= 172.21.3.137 172.21.1.10 5 u 746 1024 377 1.409 -13801. 532.147
= *LOCAL(0) 73.78.73.84 5 l 8 64 377 0.000 0.000 0.001
= ind assID status conf reach auth condition last_event cnt
= 1 20556 b0f4 yes yes none reject reachable 15
= 2 20557 96f4 yes yes none sys.peer reachable 15
status = Not Synchronized
Nov 20 21:53:37 sensor daemon.info ntpd[15975]: synchronized to 172.21.3.137, stratum=5
Nov 20 22:10:42 sensor daemon.info ntpd[15975]: synchronized to LOCAL(0), stratum=5
Nov 20 22:11:48 sensor daemon.info ntpd[15975]: synchronized to 172.21.3.137, stratum=5
Nov 20 22:27:35 sensor daemon.notice ntpd[15975]: time reset -3.797142 s
Nov 20 22:31:56 sensor daemon.info ntpd[15975]: synchronized to LOCAL(0), stratum=5
Nov 21 02:44:59 sensor daemon.info ntpd[15975]: synchronized to 172.21.3.137, stratum=5
Nov 21 03:02:05 sensor daemon.info ntpd[15975]: synchronized to LOCAL(0), stratum=5
Nov 21 03:10:38 sensor daemon.info ntpd[15975]: synchronized to 172.21.3.137, stratum=5
Nov 21 03:26:34 sensor daemon.notice ntpd[15975]: time reset -9.364510 s
Nov 21 03:30:58 sensor daemon.info ntpd[15975]: synchronized to LOCAL(0), stratum=5
I tried changing the NTP server to other Cisco devices, but the IPS is still not synchronizing with any NTP server. How can I fix this?
Please help,
Thanks
Hello!
It seems that your problem is that your IPS internal NTP server and the NTP server at 172.21.3.137 both have the same NTP stratum, 5. From the logs you sent we see that your IPS gets synchronized with both NTP servers:
Nov 20 21:53:37 sensor daemon.info ntpd[15975]: synchronized to 172.21.3.137, stratum=5
Nov 20 22:10:42 sensor daemon.info ntpd[15975]: synchronized to LOCAL(0), stratum=5
Nov 20 22:11:48 sensor daemon.info ntpd[15975]: synchronized to 172.21.3.137, stratum=5
Nov 20 22:27:35 sensor daemon.notice ntpd[15975]: time reset -3.797142 s
NTP stratum is like a route metric: how far is your NTP server from the most accurate clock? (http://en.wikipedia.org/wiki/Network_Time_Protocol)
Please try to set up NTP server 172.21.1.10 on your IPS. This NTP server apparently will have 4 as its NTP stratum.
With best regards -
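As an added illustration, not part of the original thread, the following Python checker parses the ntpd log lines and the peer table quoted in the post above and reports what the answer describes: the stratum tie between LOCAL(0) and 172.21.3.137, the flapping between the two sources, and the clock steps. The peer table and log are transcribed from the post as constructed sample input; the "expected stratum 4" for the upstream server 172.21.1.10 is an inference (stratum of its client minus one), as in the answer.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the ntpd log lines quoted in the post above.
NTPD_LOG = """\
Nov 20 21:53:37 sensor daemon.info ntpd[15975]: synchronized to 172.21.3.137, stratum=5
Nov 20 22:10:42 sensor daemon.info ntpd[15975]: synchronized to LOCAL(0), stratum=5
Nov 20 22:11:48 sensor daemon.info ntpd[15975]: synchronized to 172.21.3.137, stratum=5
Nov 20 22:27:35 sensor daemon.notice ntpd[15975]: time reset -3.797142 s
Nov 20 22:31:56 sensor daemon.info ntpd[15975]: synchronized to LOCAL(0), stratum=5
Nov 21 02:44:59 sensor daemon.info ntpd[15975]: synchronized to 172.21.3.137, stratum=5
Nov 21 03:02:05 sensor daemon.info ntpd[15975]: synchronized to LOCAL(0), stratum=5
Nov 21 03:10:38 sensor daemon.info ntpd[15975]: synchronized to 172.21.3.137, stratum=5
Nov 21 03:26:34 sensor daemon.notice ntpd[15975]: time reset -9.364510 s
Nov 21 03:30:58 sensor daemon.info ntpd[15975]: synchronized to LOCAL(0), stratum=5
"""

# Constructed peer table, transcribed from the "NTP Statistics" block above:
# remote -> (refid, stratum). The refid of LOCAL(0), 73.78.73.84, is the
# ASCII string "INIT" shown as dotted decimal, not a real upstream server.
PEERS: Dict[str, Tuple[str, int]] = {
    "172.21.3.137": ("172.21.1.10", 5),
    "LOCAL(0)": ("73.78.73.84", 5),
}

SYNC_RE = re.compile(r"synchronized to (\S+), stratum=(\d+)")
RESET_RE = re.compile(r"time reset (-?\d+\.\d+) s")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_ntpd_log(log: str) -> Tuple[List[Tuple[str, int]], List[float]]:
    """Return ([(source, stratum), ...] in log order, [clock steps in seconds])."""
    syncs: List[Tuple[str, int]] = []
    resets: List[float] = []
    for line in log.splitlines():
        m = SYNC_RE.search(line)
        if m:
            syncs.append((m.group(1), int(m.group(2))))
            continue
        m = RESET_RE.search(line)
        if m:
            resets.append(float(m.group(1)))
    return syncs, resets


def count_source_flaps(syncs: List[Tuple[str, int]]) -> int:
    """Number of times ntpd switched from one sync source to a different one."""
    return sum(1 for a, b in zip(syncs, syncs[1:]) if a[0] != b[0])


def diagnose(peers: Dict[str, Tuple[str, int]],
             syncs: List[Tuple[str, int]], resets: List[float]) -> List[str]:
    """Produce human-readable findings in a fixed order: tie, flaps, steps, fix."""
    findings: List[str] = []
    local = [p for p in peers if p.startswith("LOCAL(")]
    remote = [p for p in peers if not p.startswith("LOCAL(")]
    # A local clock at the same stratum as the real server gives ntpd no
    # stratum preference, so it can keep swapping between the two.
    for l in local:
        for r in remote:
            if peers[l][1] == peers[r][1]:
                findings.append(f"{l} and {r} are both stratum {peers[l][1]}: no preference")
    flaps = count_source_flaps(syncs)
    if flaps >= 2:
        findings.append(f"sync source flapped {flaps} times")
    if resets:
        findings.append(f"clock stepped {len(resets)} times, largest {max(abs(x) for x in resets):.3f} s")
    # If the remote server's refid is an IP address, that is its own upstream,
    # expected one stratum lower; syncing to it directly removes the tie.
    for r in remote:
        refid, stratum = peers[r]
        if IPV4_RE.match(refid):
            findings.append(f"{r} syncs from {refid} (expected stratum {stratum - 1}); use it directly")
    return findings


if __name__ == "__main__":
    s, t = parse_ntpd_log(NTPD_LOG)
    for finding in diagnose(PEERS, s, t):
        print(finding)
```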
IPS and IDS- ARP Inbalance-of-Requests and TCP High Port Sweep
Does anybody knows about ARP Inbalance-of-Requests and TCP High Port Sweep IPS signature? We've been receiving numerous numbers of alerts with this kind of signature in the IPS.
Actually, I'm planning to tune these events in IPS and I really need your inputs if it is safe to tune. Based on my investigation, most of the source and destination IP's are internal to our network (e.g servers, workstation and other device).
I think this is false positive incidents...
Best regards,
Carlou
This will be a normal signature to see triggered if you are watching outbound traffic from your internal network. As long as the source of the traffic is your internal hosts, and the destination is external hosts, this is likely just normal behavior.
This signature triggers when a single host sends TCP SYN packets to a number of different hosts, perhaps because of multiple web sessions going, or pop-up windows while web surfing.
Check this bug-id:CSCsh94361 -
How to pre-provisioned N2K FEX(N2K-C2248TP-E-1GE) with Nexus 9372
Hi Team,
Kindly assist for pre-provisioning the N2K(N2K-C2248TP-E-1GE) FEX with Nexus 9372.
Tried using the below commands, similar to the Nexus 5K, but no luck with the Nexus 9372.
In case of 9K,
Nexus 9372# sh fex
FEX FEX FEX FEX
Number Description State Model Serial
103 Row C_Rack11_N2248TP Online N2K-C2248TP-E-1GE
105 Row D_Rack10_N2248TP Online N2K-C2248TP-E-1GE
Nexus 9372(config)# slot ?
*** No matching command found in current mode, matching in (exec) mode ***
<1> The slot number (aka module number)
Nexus 9372# slot ?
<1> The slot number (aka module number)
In case of 5K,
Nexus 5548(config)# slot ?
<1-199> Enter a slot number
Hello GN
2248/2224 FEX does auto-negotiate speed to either 100Mbps or 1000Mbps depending on what the far end is advertising. For duplex, the FEX only supports full duplex.
So if you hard code speed to 100 on the FEX and auto-negotiating on the far end, the far end autonegotiating device would do 100/half.
24-10-4948-1#sh run int gigabitEthernet 1/1
Building configuration...
Current configuration : 193 bytes
interface GigabitEthernet1/1
description ***used by prkrishn***
no switchport
ip address 1.1.1.100 255.255.255.0
logging event link-status
end
24-10-4948-1#sh int gigabitEthernet 1/1 status
Port Name Status Vlan Duplex Speed Type
Gi1/1 ***used by prkrish connected routed a-half a-100 10/100/1000-TX
24-10-4948-1#
GC-TAC-EFT-5596-A(config-if)# sh run int eth109/1/1
!Command: show running-config interface Ethernet109/1/1
!Time: Wed May 23 08:41:15 2012
version 5.2(1)N1(1)
interface Ethernet109/1/1
spanning-tree bpdufilter enable
speed 100
GC-TAC-EFT-5596-A(config-if)#
GC-TAC-EFT-5596-A(config-if)# sh int ethernet 109/1/1 counters errors
Port Align-Err FCS-Err Xmit-Err Rcv-Err UnderSize OutDiscards
Eth109/1/1 4 1 0 5 0 0
Port Single-Col Multi-Col Late-Col Exces-Col Carri-Sen Runts
Eth109/1/1 0 0 0 0 0 4
Port Giants SQETest-Err Deferred-Tx IntMacTx-Er IntMacRx-Er Symbol-Err
Eth109/1/1 0 -- 0 0 0 0
TDR is not supported on any interface on the Nexus 5000 and the message you see when you try it for FEX interfaces is misleading for sure. -
How can integrate IPS and WAAS???
I have been working a lot with troubles integrating an IPS 4240 in my WAAS platform. A lot of signatures come up when I have activated the IPS. I found out some tips about disabling specific signatures and installing the appliance in IDS mode.
Does anybody know how I can integrate these technologies transparently?
When the IPS sensor is placed outside of the optimization path, then both IPS and WAAS will work well. The IPS sensor blocks the TCP option 21 that WAAS uses to initiate the WAAS setup. The IPS sensor cannot handle the sequence number manipulation that WAAS currently uses. It's outside the RFC and the sensor will block those packets by default.
-
Configuring Tacacs with Nexus 1000v
Hi Experts,
Does anyone share a sample configuration of AAA (Tacacs+) with Nexus 1000v? I have found some documents, but it only covers authentication, no one document found that can cover authorization, and accounting in detail with Nexus 100v.
Thanks and Regards,
Ahmed Shahzad.
Hi Ahmed,
Check out the below link for TACACS configuration on the Nexus 1000:
http://cco.cisco.com/en/US/docs/switches/datacenter/nexus1000/sw/4_0/security/configuration/guide/security_4tacacs.html
Hope this helps!!
Ganesh.H