Limiting traffic?

Hi everyone,
I was seeing if anyone knew if my Airport Express, the settings on the three Macs connected, or any third-party software could actually limit the amount of traffic that each user can use. Basically, just to make sure that no one person hogs all the traffic and bandwidth on the network.
Thanks so much!
Josh

Hello jrw023. Welcome to the Apple Discussions!
I was seeing if anyone knew if my Airport Express, the settings on the three macs connected, or any third party software could actually limit the amount of traffic that each user can use.
No, there isn't a setting on the AirPort Express Base Station (AX) that allows limits on a particular user's bandwidth.

Similar Messages

  • Deploying vlan and limiting traffic from not reaching network core

    Folks:
    I am reading CCNP Switch 642-813 official Certification Guide (isbn=978-1-58720-243-8) and I’m a little confused as to the following on page.71 –
    “You should not allow VLANs to extend beyond the Layer 2 domain of the distribution switch. In other words, the VLAN should not reach across the network’s core and into another switch block. The idea again is to keep broadcasts and unnecessary traffic movement out of the core block”.
    Can anyone offer a different way of stating this or offer a picture or a diagram? I am having a hard time visualizing what this is trying to say – is this referring to two different switch blocks/stacks on either side of a switch core if I were to draw the topology flat?
    Thanks
    JJ

    JJ
    This is referring to the 3 tier design where you have a separate access layer/distribution layer and core layer.
    So imagine a campus where you have multiple buildings and a main site. All the other buildings connect to the main site and to get from one building to another they go via the main site.
    The main site would have a pair of core switches and a pair of distribution switches + access layer switches. The other buildings would have a distribution pair of switches and access layer switches. Each building's distribution switches would connect back to the core switches, usually with L3 links. In the past you used L2 links but with L3 switching you now generally route, or more precisely, L3 switch through the core.
    What that extract from your book is saying is that each building has its own vlans and they are routed on the distribution switches in each building. Only traffic destined for a vlan, or more specifically a subnet, that is not within the building should be sent to the core switches, which then route it to the correct place.
    What you shouldn't do is have a vlan in a building that also extends to the core and possibly to other buildings. This is because a vlan is a broadcast domain so a broadcast in a vlan would be sent to all hosts in that vlan. So if you allow a vlan to extend through the core you are allowing broadcasts from one building to go through the core to other buildings.
    The core switches should be left to L3 switch traffic between buildings and pretty much nothing else.
    There is usually no need to extend vlans to or across the core, i.e. each set of vlans is terminated on the distribution switches so broadcasts are contained within each building or, again more specifically, within each vlan within the building.
    One other thing to note is that if you have a single building with maybe just a WAN connection, the 3 tier design is not necessarily the best way to go and a common solution is a collapsed core where the core and distribution switches are the same physical switches. It saves on cost and within a single building there is often very little need for a high speed core.
    I have used the terms route and L3 switch interchangeably here but technically all L3 capable switches route in hardware so to be precise it is L3 switching.
    Finally the above about a single building setup does not refer to a DC where the rules are somewhat different.
    Hope that helps and I haven't confused you more.
    Feel free to ask further if needed.
    Jon

  • Tips on Limiting internet access

    I hope the following helps people with limiting traffic at home. It started off as a how-to, but then I realised it was going to be too complicated, so I thought I would just give people some tips so they have a starting point. Please comment if you have your own guides on how to do it.

    Limiting internet on your local network can be a very complex issue; that is why there are software packages available, such as Net Nanny, that make it easier for you. If you are tech savvy you can do it yourself, provided that your modem supports features such as QoS, URL Filtering, WAN\LAN Firewall and Timed Profiles.

    QoS stands for Quality of Service, meaning you can have traffic slowed if you decide you don’t want to fully ban them.
    URL Filtering can be used to ban only certain sites.
    Firewall is the enforcer of the rules.
    Timed profiles establish a start and end time of when certain actions should take place, for example only ban traffic between 10 AM and 7 AM.

    If you want to do this on a cable modem, make sure that your cable modem is bridged before you go out and get a router that is able to do the above functionality.

    If you have ADSL you have two choices: either get a combined modem router, or use your existing BigPond modem and get a router. If you just get a router, make sure you bridge the modem for the following to work correctly. If you are stuck on how to bridge your modem, the following might help: http://whirlpool.net.au/wiki/adsl_modem_router_bridge_mode

    I have found that Billion modems work the best as they are the most feature rich and are constantly updated. They are relatively affordable and can be purchased from the likes of JMG Technology, MSY and others. For example, the 8800AXL AC ADSL Router is only $144. Here is some advice on how to set it up: http://forums.whirlpool.net.au/archive/909150

    Good article, thank you

  • How to Limit Group to Reach Host at Specified Port

    Is it possible on the CVPN30XX platform to limit users in a group to reaching only a certain host at a particular port number? I know I can create a network list that limits traffic to a particular destination. But then I want to further limit the traffic to just one specific port - e.g. users would be allowed ssh to a bastion host if they passed authentication. Thanks much.

    I found the filters and rules needed to do this. Never mind. It's just been a while since I needed to do this.

  • Ise inline Posture

    ..

    Understanding the Role of Inline Posture
    An Inline Posture node is a gatekeeper that enforces access policies and handles change of authorization (CoA) requests. An Inline Posture node is positioned behind the network access devices on your network that are unable to accommodate CoA, such as wireless LAN controllers (WLC) and virtual private network (VPN) devices.
    After the initial authentication of a client (using EAP/802.1x and RADIUS), the client must still go through posture assessment. The posture assessment process determines whether the client should be restricted, denied, or allowed full access to the network. When a client accesses the network through a WLC or VPN device, Inline Posture is responsible for the policy enforcement and CoA that these devices are unable to accommodate.
    Inline Posture Policy Enforcement
    Inline Posture uses RADIUS proxy and URL redirect capabilities in the control plane to manage data plane traffic for endpoints. As a RADIUS proxy, Inline Posture is able to tap into RADIUS sessions between network access devices (NADs) and RADIUS servers. NADs can open full gate to client traffic. However, Inline Posture opens only enough to allow limited traffic from clients. The restricted bandwidth allows clients the ability to have an agent provisioned, have posture assessed, and have remediation done. This restriction is accomplished by downloading and installing DACLs that are tailored for specific client flow.
    Upon full compliance, a CoA is sent to the Inline Posture node by the Policy Service ISE node, and full gate is opened by the Inline Posture node for the compliant client endpoint. The RADIUS proxy downloads the full-access DACL, installs it, and associates the client IP address to it. The installed DACL can be common for a number of user groups, so that duplicate downloads are not necessary as long as the DACL content does not change at the Cisco ISE servers.
    The Inline Posture policy enforcement flow illustrated in the figure above follows these steps:
    1. The endpoint initiates a .1X connection to the wireless network.
    2. The WLC, which is a NAD, sends a RADIUS Access-Request message to the RADIUS server (usually the Policy Service ISE node).
    3. Inline Posture node, acting as a RADIUS proxy, relays the Access-Request message to the RADIUS server.
    4. After authenticating the user, the RADIUS server sends a RADIUS Access-Accept message back to the Inline Posture node.
    There can be a number of RADIUS transactions between the Endpoint, WLC, Inline Posture node, and the Cisco ISE RADIUS server before the Access-Accept message is sent. The process described in this example has been simplified for the sake of brevity.
    5. The Inline Posture node passes the Access-Accept message to the WLC, which in turn authorizes the endpoint access, in accordance with the profile that accompanied the message.
    6. The proxied Access-Accept message triggers Inline Posture to send an Authorization-Only request to the Policy Service ISE node, to retrieve the profile for the session.
    7. The Policy Service ISE node returns an Access-Accept message, along with the necessary Inline Posture profile.
    8. If the access control list (ACL) that is defined in the profile is not already available on the Inline Posture node, Inline Posture downloads it from the Policy Service ISE node using a RADIUS request (to the Cisco ISE RADIUS server).
    9. The Cisco ISE RADIUS server sends the complete ACL in response. It is then installed in the Inline Posture data plane so that endpoint traffic passes through it.
    There may be a number of transactions before the complete ACL is downloaded, especially if the ACL is too large for one transaction.
    10. As the endpoint traffic arrives at the WLC, the WLC sends out a RADIUS Accounting-Start message for the session to the Inline Posture node.
    The actual data traffic from the endpoint may arrive at the Inline Posture untrusted side before the Accounting-Start message is received by the Inline Posture node. Upon receiving the RADIUS Accounting-Start message, the Inline Posture node learns the IP address of the endpoint involved in the session and associates the endpoint with the ACL (downloaded and installed earlier in the session). The initial profile for this client endpoint could be restrictive, to posture the client before being given full access.
    11. Assuming the restrictive ACL allows only access to Cisco ISE servers, the endpoint is only allowed actions such as agent downloading and posture assessment over the data plane.
    12. If the client endpoint is posture compliant (as part of the restricted communication with Cisco ISE services earlier), the Policy Service ISE node initiates a RADIUS Change of Authorization (CoA) with the new profile. Hence, a new ACL is applied at the Inline Posture node for the session. The new ACL is installed immediately and applied to the endpoint traffic.
    13. The endpoint is then capable of full access to the enterprise network, as a result of the new profile that was applied to Inline Posture.
    A RADIUS stop message for a given session that is issued from the WLC, resets the corresponding endpoint access at the Inline Posture node.
    Best regards,
    Mantej Mangat
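The enforcement steps quoted in the post above, as a small runnable model (an added example, not Cisco code and not part of the original post). The DACL names and contents, the session id and all addresses are constructed, and dropping traffic from an endpoint that has no Accounting-Start binding yet is an assumption of this model, since the quoted text does not say how such traffic is treated.

```python
# Simplified model of an Inline Posture node: DACL cache, per-session profile,
# IP binding learned from Accounting-Start, CoA swap, Accounting-Stop reset.
ISE_SERVER = "10.0.0.10"                      # constructed Policy Service node address
PSN_DACLS = {                                 # constructed DACLs: name -> allowed destinations
    "POSTURE_ONLY": frozenset({ISE_SERVER}),  # restrictive profile (step 11)
    "FULL_ACCESS": frozenset({"*"}),          # profile delivered by CoA (step 12)
}


class InlinePostureNode:
    def __init__(self, psn_dacls):
        self.psn_dacls = psn_dacls
        self.installed = {}       # DACLs already present on the node (steps 8-9)
        self.downloads = 0        # how many DACL downloads were needed
        self.session_acl = {}     # session id -> DACL name taken from the profile
        self.ip_to_session = {}   # endpoint IP -> session id (learned in step 10)

    def _ensure_installed(self, name):
        # Download a DACL only if it is not already on the node.
        if name not in self.installed:
            self.installed[name] = self.psn_dacls[name]
            self.downloads += 1

    def access_accept(self, session_id, dacl_name):
        # Steps 6-9: profile retrieved for the session, DACL installed.
        self._ensure_installed(dacl_name)
        self.session_acl[session_id] = dacl_name

    def accounting_start(self, session_id, endpoint_ip):
        # Step 10: the node learns the endpoint IP and binds it to the session.
        if session_id in self.session_acl:
            self.ip_to_session[endpoint_ip] = session_id

    def coa(self, session_id, dacl_name):
        # Step 12: Change of Authorization replaces the ACL immediately.
        if session_id not in self.session_acl:
            return False
        self._ensure_installed(dacl_name)
        self.session_acl[session_id] = dacl_name
        return True

    def accounting_stop(self, session_id):
        # A RADIUS stop message resets the endpoint's access.
        self.session_acl.pop(session_id, None)
        self.ip_to_session = {ip: s for ip, s in self.ip_to_session.items()
                              if s != session_id}

    def permits(self, src_ip, dst_ip):
        session_id = self.ip_to_session.get(src_ip)
        if session_id is None:
            return False          # assumption: unbound endpoints get nothing
        allowed = self.installed[self.session_acl[session_id]]
        return "*" in allowed or dst_ip in allowed


def walk_through():
    """Replay one session and record what the data plane allows at each stage."""
    node = InlinePostureNode(PSN_DACLS)
    client, intranet = "192.0.2.25", "10.1.1.1"   # constructed addresses
    trace = []
    node.access_accept("s1", "POSTURE_ONLY")
    trace.append(("before Accounting-Start -> ISE", node.permits(client, ISE_SERVER)))
    node.accounting_start("s1", client)
    trace.append(("restricted -> ISE", node.permits(client, ISE_SERVER)))
    trace.append(("restricted -> intranet", node.permits(client, intranet)))
    node.coa("s1", "FULL_ACCESS")
    trace.append(("after CoA -> intranet", node.permits(client, intranet)))
    node.accounting_stop("s1")
    trace.append(("after stop -> intranet", node.permits(client, intranet)))
    return trace, node.downloads


if __name__ == "__main__":
    for stage, allowed in walk_through()[0]:
        print(f"{stage:32} {'permit' if allowed else 'deny'}")
```
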

  • Network Load Balancing within a CRM Dynamics 2011 implementation

    Hello,
    I was wondering if anyone can shed any light on this topic. We have implemented Microsoft NLB to be used with our implementation of CRM Dynamics.
    Basically we host all servers within a single VLAN within our network. This has included all the CRM servers that are within the clusters.
    We have set NLB to use Multicast and effectively made manual ARP entries on our core cisco switches so that client requests know how to route to the NLB cluster.
    Basically we have experienced some issues whereby we have had network flooding to all ports on our switch (Other servers on the server VLAN are on the same VLAN as the CRM servers). This has had an impact on performance of other applications.
    So my question to everyone is whether we should be using unicast, multicast or IGMP multicast? No one can really explain to us what the setting should be to eliminate the possibility of affecting other services within our environment.
    Alan Pang

    IGMP Multicast.
    http://technet.microsoft.com/en-us/library/cc731616.aspx : The IGMP multicast check box enables IGMP support for limiting switch flooding by limiting traffic to "Network Load Balancing ports" only. That is, enabling IGMP support ensures that traffic intended for an NLB cluster passes through only those ports serving the cluster hosts and not all switch ports.
    The switch knows which MACs are behind which port on the switch, so it multicasts in an intelligent way.
    On the other hand, can't you really isolate those CRM servers?
    If it disconnect ICA session, does that mean you are hosting desktop on that VLAN ? So it's Desktop <-> Remote Computer or ThinClient ?
    If yes, it's kinda easy to re-allocate then to a new VLAN, as your DDC make all the brokering. Just use ListOfDDCs registry in worst case.
    Regards, Philippe

  • Lightweight APs drop out after Land Attack

    Hi
    We have a WLAN consisting of a WLC 4402 and 11 lightweight APs. For security/compliance reasons we have a Cisco PIX firewall that sits between the WLC (outside) and the APs (inside). The APs are allowed to form LWAPP tunnels through the firewall (inside access-list) to the WLC and the WLAN works as expected.
    The firewall then limits traffic from the WLAN (outside access list) to certain internal systems.
    I have noticed that every so often the firewall logs show continuous "Land attack from 0.0.0.0 0.0.0.0" messages then all APs are disconnected (all lights flash).
    Just wondering if anybody else has seen this or has had a similar setup
    TIA
    Gary

    Hi Sandeep
    Forgot to mention that the firewall is in transparent mode so there isn't any NATing or routing going on. The article doesn't cover the fact that the source and destination IP addresses are 0.0.0.0
    Regards
    Gary

  • Allow VPN client to connect from the inside to another remote network

    Hi, if I have a Cisco VPN client software on the inside of network and client is to connect to a remote network, over the internet. What ports need to be opened and on the outside interface/inside/both?
    Thanks.

    Basically, all you need is UDP port 500, NAT-T will do the rest.
    Connections are initiated from the inside and while everything is allowed in that direction, this should work by default.
    If you have an access-list that limits traffic from inside to outside, you might need to allow this traffic.
    Regards,
    Leo

  • Itunes connectivity

    Connecting to iTunes store and Gracenote song names connectivity errors.  Could it be with the latest Windows Update?  I last downloaded a song from the store on 10/23.

    "I hope this helps you. I had the same problem (posted a message after yours). Just found that changing my firewall settings to allow UDP traffic allowed me to connect to the store. Hope that works for you."
    That is an unlikely solution to a problem that is the iTunes server itself.
    My computer is running on "invisible mode" and I have downloaded plenty, and browsed plenty in the past several days. I can connect to the iTunes music store, the images DO get filtered (broken key chains because of limited traffic). While that may have appeared to be a solution, it could have been that, in fact, you just got lucky and could connect. I do not recommend anyone messing with firewall settings however, because this can be dangerous, and you may forget to change them back.
    I recommend you wait until Apple releases an official statement and/or fixes the problem.
    As for the Original Poster... I would be willing to bet it will be fixed by tomorrow.
    Have fun on your trip.

  • Is there any way to see a tunnel's bandwidth in the ASA?

    Is there any way to isolate the bandwidth a tunnel is getting through an ASA?
    And is there any way to isolate the tunnel's packet loss/fragmentation OUTSIDE or INSIDE?

    Hi,
    I understand that you want to limit the bandwidth for traffic across the tunnel to 4 Mbps. Here is a sample configuration to achieve that.
    Let me give you a sample config for rate limiting traffic passing your ASA.
    This example limits the traffic to 4 Mbps.
    ASA(config)# access-list rate extended permit ip
    ASA(config)# class-map bandwidth
    ASA(config-cmap)# match access-list rate
    ASA(config-cmap)# exit
    ASA(config)# policy-map policy_bandwidth
    ASA(config-pmap)# class bandwidth
    ASA(config-pmap-c)# police input 4000000 exceed-action drop
    ASA(config-pmap-c)# exit
    ASA(config-pmap)# exit
    ! applies the policy to the inside interface
    ASA(config)# service-policy policy_bandwidth interface inside
    You can also refer to the following doc:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml#rate
    Hope this helps.
    Sian
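What `police input 4000000 exceed-action drop` in the reply above does to a flow, modelled as a single-rate token bucket (an added example, not from the post and not Cisco code). The 12,500-byte burst and 1,250-byte packet size are assumed values, and the page does not show the ASA's internal algorithm.

```python
from dataclasses import dataclass, field


@dataclass
class Policer:
    """Single-rate token bucket: a packet that finds too few tokens is dropped."""
    rate_bps: int                 # conform-rate in bits per second (4000000 on the page)
    burst_bytes: int              # bucket depth in bytes (assumed; not set on the page)
    tokens: float = field(init=False)
    last_us: int = field(default=0, init=False)
    passed_bytes: int = field(default=0, init=False)
    dropped_bytes: int = field(default=0, init=False)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst_bytes)      # the bucket starts full

    def offer(self, now_us: int, size: int) -> bool:
        """Return True if the packet conforms, False if exceed-action drop applies."""
        elapsed_us = now_us - self.last_us
        self.last_us = now_us
        refill = elapsed_us * self.rate_bps / 8_000_000   # bytes earned since last packet
        self.tokens = min(float(self.burst_bytes), self.tokens + refill)
        if size <= self.tokens:
            self.tokens -= size
            self.passed_bytes += size
            return True
        self.dropped_bytes += size                 # a policer drops, it never queues
        return False


def run_flow(offered_bps: int, seconds: int, rate_bps: int = 4_000_000,
             burst_bytes: int = 12_500, pkt_bytes: int = 1_250) -> dict:
    """Send evenly spaced packets at offered_bps through the policer."""
    gap_us = pkt_bytes * 8 * 1_000_000 // offered_bps    # time between packets
    policer = Policer(rate_bps, burst_bytes)
    for i in range(seconds * 1_000_000 // gap_us):
        policer.offer(i * gap_us, pkt_bytes)
    total = policer.passed_bytes + policer.dropped_bytes
    return {
        "delivered_bps": policer.passed_bytes * 8 // seconds,
        "drop_ratio": policer.dropped_bytes / total,
    }


if __name__ == "__main__":
    for offered in (2_000_000, 4_000_000, 10_000_000):
        result = run_flow(offered, seconds=10)
        print(f"offered {offered / 1e6:4.1f} Mbps -> delivered "
              f"{result['delivered_bps'] / 1e6:.3f} Mbps, "
              f"dropped {result['drop_ratio']:.1%}")
```

In this model one bucket is shared by everything that matches the class, so it caps the total for the class and does not divide the bandwidth between the users behind it.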

  • Thoughts on MacMini as an OS X Server

    Hi
    I am considering getting the Leopard server when it is released and would like to use the macmini for hardware.
    At present I'm running a debian machine with two ethernet cards where the debian machine works as a software firewall and router in so much as other machines on the network go through that machine to get on the internet (NAT etc). i.e the Debian machine is the front to the outside world.
    The macmini only has one ethernet card so one would have to get a hardware router/firewall for the internet connection.
    I have however been thinking that one could use the built in usb or firewire port to attach an additional network card. I do not have any experience with that type of card and do not know if they have bad performance or not.
    Does anyone have any experience with this kind of solution or perhaps a better suggestion? I suppose one could have two macminis but I would guess that Apple would require me to buy two licenses for the server then.
    I know that some people say that hardware router/firewalls are better and some say not, and either way I would have to have some kind of hardware so that the rest of the machines can get connected (router). SO in that sense it's a moot point.
    What I am thinking is that I want the os-x server to be the front end and the staunch guardian of all incoming and outgoing traffic and so any router would be inside the firewall and not on the outside, this is to minimize the internal machines exposure to the outside world.
    The network I'm talking about is small with fairly limited traffic. We are talking less than ten machines. I am by no means an expert in this matter and this post is mainly in the hopes of starting a discussion on how people set up their networks using a macmini, or perhaps simply to point out that my way of thinking is misdirected.
    Thanks for your patience

    Are the other users on the same LAN? or are they remote (e.g. accessing the server across the internet).
    If they're on the same LAN then you don't need to do anything with port forwarding or firewalls - that's only needed if the users are remote.
    To share any folder you have three basic steps to do.
    1) If users should have their own logins on the server, create accounts using Workgroup Manager.
    If the users are all sharing a common set of files then they could use one generic account, otherwise create accounts for each user.
    2) Using Server Admin.app, connect to your server and click the File Sharing icon.
    From here you select a folder on your disk that you want to share. It can be any directory you like
    3) Start the file sharing services (via Server Admin)
    You'll need to decide which services to offer the clients. If they're all Macs then AFP is all you'll need (or want). If you have PC users then you'll probably want SMB, and if you have other UNIX (or Linux) clients then you'll probably want NFS.
    That's it. Users should be able to connect to your server's IP address using whatever protocol you've enabled.
    If the users are remote you'll need to take extra steps to open your firewall/NAT router, although you have to consider the security implications of doing this (e.g. letting everyone into your network).

  • My wifi is connected but doesn't work

    The download speeds on my iPhone 4 via wifi dropped from 18+ megs to .23 megs.
    The upload speeds are good at about 7.8 megs and holding.
    My phone always shows signal and connection and doesn't disconnect at all. I have had this phone for a year and this issue started at the beginning of Dec. Is there a separate transmit and receive antenna?
    Any ideas would be great.
    Thanks

    The wifi is connected; I've verified this by enabling airplane mode.
    The icon for wifi is on and I can pass limited traffic (see former post). Turned off cellular data and 3G too.
    I get .23 on the download and 7.9 on the upload.
    So I'm pretty sure I'm connected to the wifi access point.
    I'm showing the phone's MAC address in the router's ARP table too.
    4 laptops, 2 other iPhones and 2 iPod touches all connect to this same access point with speed test results from 10-18 Mbps on the download, 3-8 Mbps on the upload.

  • 1300 Bridge: VLAN and encryption question

    Hi!
    I configured a 1300 bridge with dot1q-VLANs and tkip/wpa encryption:
    interface Dot11Radio0
     no ip address
     no ip route-cache
     encryption vlan 1 mode ciphers tkip
     encryption vlan 91 mode ciphers tkip
     encryption vlan 150 mode ciphers tkip
     ssid skylink
      vlan 1
      authentication open
      authentication key-management wpa
      infrastructure-ssid
      wpa-psk ascii 7 xxxx
     short-slot-time
     cca 0
     concatenation
     speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
     rts threshold 4000
     channel 2472
     station-role root
     payload-encapsulation dot1h
     antenna receive right
     antenna transmit right
     infrastructure-client
    interface Dot11Radio0.1
     encapsulation dot1Q 1 native
     no ip route-cache
     bridge-group 1
     bridge-group 1 spanning-disabled
    interface Dot11Radio0.91
     encapsulation dot1Q 91
     no ip route-cache
     bridge-group 91
     bridge-group 91 spanning-disabled
    interface Dot11Radio0.150
     encapsulation dot1Q 150
     no ip route-cache
     bridge-group 150
     bridge-group 150 spanning-disabled
    interface FastEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
     ntp broadcast client
    interface FastEthernet0.1
     encapsulation dot1Q 1 native
     no ip route-cache
     bridge-group 1
     bridge-group 1 spanning-disabled
    interface FastEthernet0.91
     encapsulation dot1Q 91
     no ip route-cache
     bridge-group 91
     bridge-group 91 spanning-disabled
    interface FastEthernet0.150
     encapsulation dot1Q 150
     no ip route-cache
     bridge-group 150
     bridge-group 150 spanning-disabled
    Is it necessary to set
     encryption vlan 91 mode ciphers tkip
     encryption vlan 150 mode ciphers tkip
    so that all VLANs are encrypted?
    How can I check that all VLANs are encrypted?
    Best regards
    Michael Simon

    No. As there is no SSID assigned to VLAN 91 and 150, I was told by the TME (Technical Marketing Engineer) that the 1300 should use the encryption defined in the native VLAN (VLAN 1 in your case) to transport traffic on VLAN 91 and 150. I have not taken any wireless sniffer trace to verify it though.
    There are a couple of ways to verify it:
    1. a wireless sniffer trace
    2. debug dot dot 0 trace print xmt rcv
    Please be very careful when using option #2. Option #2 turns the wireless bridge into a wireless sniffer. If there is heavy traffic between the two bridges, the wireless bridges will crash. Please use option #2 in a test environment or with limited traffic.

  • Slow Ping Times... Your opinion!

    I am having unusually slow ping times at various times thru a wireless LWAPP network. I can be right next to (20 feet) away and ping times can vary 10-20ms. Occasionally they may go higher and I may lose a packet occasionally. On Autonomous Wireless networks I have designed this has never been an issue in any wireless network (40+). I am new to LWAPP/Controllers so I am not sure what to expect. I have read the notes for the 4.0.179 code on the controllers and found this:
    Pinging from a Network Device to a Controller Dynamic Interface: Pinging from a network device to a controller dynamic interface may not work in some configurations. When pinging does operate successfully, the controller places Internet Control Message Protocol (ICMP) traffic in a low-priority queue, and the reply to ping is on best effort. Pinging does not pose a security threat to the network. The controller rate limits any traffic to the CPU, and flooding the controller is prevented. Clients on the WLAN associated with the interface pass traffic normally.
    Would this statement hold true of general pings from the wireless network thru the network to let's say a router on the wired network?
    I rely heavily on pings to test layer 3 mobility and WLAN connectivity. Any ideas how to better test this?

    This only holds true to pinging the controller, therefore the statement "limits traffic to the CPU". Traffic to other network devices does not go through CPU, so it is unaffected.
    RF is a shared medium, and each site is different from the last. Also remember that LWAPP APs can change channels, and also briefly go off-channel to scan for rogues, noise, interference, etc... but retransmissions should take care of that. Long answer short, without a wireless sniffer, there's no confirming where your packets are going.

  • Slow ping times to WAN

    I have been having long ping times for a number of months.
    Sat Dec 20 11:59:37 PST 2014
    PING grc.com (4.79.142.200): 56 data bytes
    64 bytes from 4.79.142.200: icmp_seq=0 ttl=246 time=432.479 ms
    64 bytes from 4.79.142.200: icmp_seq=1 ttl=246 time=656.406 ms
    64 bytes from 4.79.142.200: icmp_seq=2 ttl=246 time=571.545 ms
    64 bytes from 4.79.142.200: icmp_seq=3 ttl=246 time=374.386 ms
    64 bytes from 4.79.142.200: icmp_seq=4 ttl=246 time=416.910 ms
    64 bytes from 4.79.142.200: icmp_seq=5 ttl=246 time=651.202 ms
    64 bytes from 4.79.142.200: icmp_seq=6 ttl=246 time=546.907 ms
    64 bytes from 4.79.142.200: icmp_seq=7 ttl=246 time=465.887 ms
    64 bytes from 4.79.142.200: icmp_seq=8 ttl=246 time=690.900 ms
    64 bytes from 4.79.142.200: icmp_seq=9 ttl=246 time=394.714 ms
    --- grc.com ping statistics ---
    10 packets transmitted, 10 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 374.386/520.134/690.900/112.483 ms
    The ping times have been over 1000 at times:
    64 bytes from 8.8.8.8: icmp_seq=0 ttl=43 time=6807.569 ms
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=43 time=5814.579 ms
    64 bytes from 8.8.8.8: icmp_seq=2 ttl=43 time=4820.814 ms
    64 bytes from 8.8.8.8: icmp_seq=3 ttl=43 time=3827.357 ms
    64 bytes from 8.8.8.8: icmp_seq=4 ttl=43 time=2836.152 ms
    64 bytes from 8.8.8.8: icmp_seq=5 ttl=43 time=1841.476 ms
    Setup:
         Airport Extreme 7.7.3
         MacBookPro 10.10.1
         iMac 10.10.1
         iphone, iPad, Apple TV, Roku, etc.
    The slow ping times are both on the wired and wireless networks. Even with the wireless turned off on the Airport, the long ping times continued. The slow ping times are on all machines. I had TimeWarner out here for two weeks making sure the problem was not on their side. It wasn't.
    When I reboot the Airport, the ping times start out at 15-20ms for the first few minutes, then the ping times start climbing up to around 500ms.
    Any ideas, suggestions?

