Peer-to-Peer Traffic Flow on Same AP
Hi Valued Professionals,
Can someone please verify the traffic data path for traffic on a non-FlexConnect SSID that is sent from a client of AP1 to another client of AP1 on the same SSID?
1. Is it bridged locally by AP1 to the receiving client on the same SSID on the same AP1?
2. Is it forwarded to the WLC to be tromboned (i.e. sent back) to the same AP1 for transmission to the receiving client?
I have seen a few posts on this and nothing really conclusively believable, so please provide some more concrete insight.
To re-iterate, this is about traffic between two clients connected to the same SSID on the same AP.
HREAP is NOT in use (i.e. no FlexConnect, as Cisco now calls HREAP).
Peer-to-Peer blocking is also NOT in use.
Kindest Regards,
J
In the case of a Wireless controller + Switch + AP scenario:
Go to the WLC admin page and click on NEW to create a WLAN SSID. The 2106 can support up to 8 SSIDs IIRC.
Say you created SSID WLAN1; click on edit and select Management as the interface. This SSID would be associated with your internal VLAN.
Before you create the 2nd WLAN SSID, go to CONTROLLER->INTERFACES and give your dynamic interface a name and a VLAN ID. This VLAN ID must be the same as on your switch port (switchport mode access, switchport access vlan VLAN ID). This dynamic interface is for your DSL VLAN.
Repeat the same SSID creation as for WLAN SSID1 and name it SSID2 or similar.
Also, at your DSL router, assign it to be the DHCP server. Under the new WLAN SSID2 click edit and change the interface name to the dynamic interface name that you created, and make sure admin status is enabled. Clients connecting to SSID2 will get their IP from your DSL DHCP.
just my 0.002 cent worth
Similar Messages
-
ACE - Inter-context traffic flow.
Experts ,
Could you please guide me for a traffic-flow mentioned below ?
Connection flow:
client IP 192.168.240.220 == VLAN721=[VIP 10.106.108.137] ===VLAN 537[Server 10.106.24.133]<=={User context test1}
[Server 10.106.24.133]=== VLAN 739==[VIP 10.106.112.59] =====VLAN343 [Server 10.106.3.8] <= {User Context test2}
There are two contexts, test1 & test2, on the same ACE box, which resides in a CAT6k. Just curious to know how to redirect the server (10.106.24.133) in context test1 to the VIP (10.106.112.59) in context test2, which are not in a shared VLAN.
context test 1
rserver redirect OASIS-SSO-STG2_OOS_REDIRECT
webhost-redirection https://eportal-stg.publix.com/content/Associate/OutagePag
inservice
rserver host SITMA21
ip address 10.106.24.133
probe PING
inservice
rserver host SITMA22
ip address 10.106.24.138
probe PING
inservice
serverfarm host L17SVWOASIS03_FARM
description oasis-sso-stg2 server farm
failaction purge
probe TCP-80
rserver SITMA21 80
inservice
rserver SITMA22 80
serverfarm redirect OASIS-SSO-STG2_OOS_REDIRECT_FARM
rserver OASIS-SSO-STG2_OOS_REDIRECT
inservice
sticky ip-netmask 255.255.255.255 address both L17SVWOASIS03_STICKY
serverfarm L17SVWOASIS03_FARM backup OASIS-SSO-STG2_OOS_REDIRECT_FARM
timeout 10
replicate sticky
Need to know when the redirection will take place here. I feel that only if the serverfarm (L17SVWOASIS03_FARM) goes down does the redirect server come into the picture, as per the configs attached.
If that is the case then
rserver redirect OASIS-SSO-STG2_OOS_REDIRECT
webhost-redirection https://eportal-stg.publix.com/content/Associate/OutagePag
inservice
The highlighted URL should be the VIP of context test2, i.e. 10.106.112.59, is that right? In that case, how do I send this request to the VIP, since both are in different VLANs? Should it be done with PBR (policy based routing) via the CAT6k? Could anyone please share the configs?
Or can this be done with a default route to the VIP on the contexts?
Configs
=====
CSS - Context 1
============
probe tcp qaahmapp1-ssl-475_PROBE
port 475
interval 5
passdetect interval 5
connection term forced
rserver host HS_PROD.sanovia_447-ssl-a
ip address 10.99.0.13
inservice
rserver host HS_PROD.sanovia_447-ssl-b
ip address 10.99.0.14
inservice
serverfarm host sanovia.qaahm.ssl
probe qaahmapp1-ssl-475_PROBE
rserver HS_PROD.sanovia_447-ssl-a 475
conn-limit max 4000000 min 4000000
inservice
rserver HS_PROD.sanovia_447-ssl-b 475
conn-limit max 4000000 min 4000000
inservice
parameter-map type http cisco_avs_parametermap
case-insensitive
persistence-rebalance
parsing non-strict
action-list type optimization http cisco_avs_bandwidth_and_latency
delta
flashforward
action-list type optimization http cisco_avs_img_latency
flashforward-object
action-list type optimization http cisco_avs_obj_latency
flashforward-object
class-map type http loadbalance match-all cisco_avs_bandwidth_and_latency
2 match http url .*
class-map type http loadbalance match-any cisco_avs_img_latency
2 match http url .*jpg
3 match http url .*jpeg
4 match http url .*jpe
5 match http url .*png
class-map type http loadbalance match-any cisco_avs_obj_latency
2 match http url .*gif
3 match http url .*css
4 match http url .*js
5 match http url .*class
6 match http url .*jar
7 match http url .*cab
8 match http url .*txt
9 match http url .*ps
10 match http url .*vbs
11 match http url .*xsl
12 match http url .*xml
13 match http url .*pdf
14 match http url .*swf
class-map match-all sanovia.qaahm.ssl_CLASS
2 match virtual-address 10.99.1.76 tcp eq https
policy-map type loadbalance first-match sanovia.qaahm.ssl_CLASS-l7slb
class class-default
serverfarm sanovia.qaahm.ssl
insert-http x-forward header-value "%is"
policy-map type optimization http first-match sanovia.qaahm.ssl_CLASS-l7opt
class cisco_avs_obj_latency
action cisco_avs_obj_latency
class cisco_avs_img_latency
action cisco_avs_img_latency
class cisco_avs_bandwidth_and_latency
action cisco_avs_bandwidth_and_latency
policy-map multi-match POLICY
class sanovia.qaahm.ssl_CLASS
loadbalance vip inservice
loadbalance policy sanovia.qaahm.ssl_CLASS-l7slb
optimize http policy sanovia.qaahm.ssl_CLASS-l7opt
loadbalance vip icmp-reply active
nat dynamic 2 vlan 20
appl-parameter http advanced-options cisco_avs_parametermap
interface vlan 20
ip address 10.99.1.240 255.255.255.0
alias 10.99.1.241 255.255.255.0
nat-pool 1 10.99.1.221 10.99.1.221 netmask 255.255.255.255 pat
nat-pool 2 10.99.1.220 10.99.1.220 netmask 255.255.255.255 pat
no shutdown
ip route 0.0.0.0 0.0.0.0 10.99.1.1
========================================================================================
SCA - Context 2
============
crypto chaingroup GoDaddy
cert cisco-sample-cert
probe tcp AHM_QA-PROBE
port 8080
interval 5
passdetect interval 5
connection term forced
rserver host AHM_QA
ip address 10.99.1.76
conn-limit max 4000000 min 4000000
inservice
serverfarm host AHM_QA
rserver AHM_QA 8080
conn-limit max 4000000 min 4000000
probe AHM_QA-PROBE
inservice
parameter-map type ssl sanovia-ssl-parms
description This is where you tweak your SSL parms, cert, etc.
cipher RSA_WITH_RC4_128_MD5 priority 4
cipher RSA_WITH_RC4_128_SHA priority 5
cipher RSA_WITH_DES_CBC_SHA priority 3
cipher RSA_WITH_3DES_EDE_CBC_SHA priority 6
cipher RSA_WITH_AES_128_CBC_SHA priority 7
cipher RSA_WITH_AES_256_CBC_SHA priority 8
ssl-proxy service sanovia-ssl-proxy
key cisco-sample-key
cert cisco-sample-cert
chaingroup GoDaddy
ssl advanced-options sanovia-ssl-parms
class-map match-any AHM_QA-CLASS
2 match virtual-address 10.99.0.13 tcp eq 475
3 match virtual-address 10.99.0.14 tcp eq 475
policy-map type loadbalance first-match AHM_QA-CLASS-l7slb
class class-default
serverfarm AHM_QA
policy-map multi-match POLICY
class AHM_QA-CLASS
loadbalance vip inservice
loadbalance policy AHM_QA-CLASS-l7slb
loadbalance vip icmp-reply active
nat dynamic 1 vlan 10
ssl-proxy server sanovia-ssl-proxy
interface vlan 10
ip address 10.99.0.17 255.255.255.0
peer ip address 10.99.0.11 255.255.255.0
nat-pool 1 10.99.0.13 10.99.0.13 netmask 255.255.255.255 pat
service-policy input POLICY
no shutdown
ip route 0.0.0.0 0.0.0.0 10.99.0.1
========================================================================================
CSS - Context 1 ( another VIP)
=======================
rserver host qaahmapp1-8080
ip address 10.99.1.217
conn-limit max 4000000 min 4000000
inservice
serverfarm host sanovia.qaahm.postssl
rserver qaahmapp1-8080 8080
conn-limit max 4000000 min 4000000
inservice
parameter-map type http HTTP_PARAMETER_MAP
persistence-rebalance
sticky http-cookie ACE_Cookie qanovia.qaahm.postssl-STICKY
cookie insert
serverfarm sanovia.qaahm.postssl
timeout 45
replicate sticky
class-map match-all sanovia.qaahm.postssl_CLASS
2 match virtual-address 10.99.1.76 tcp eq 8080
policy-map type loadbalance first-match sanovia.qaahm.postssl_CLASS-l7slb
class class-default
sticky-serverfarm qanovia.qaahm.postssl-STICKY
policy-map multi-match POLICY
class sanovia.qaahm.postssl_CLASS
loadbalance vip inservice
loadbalance policy sanovia.qaahm.postssl_CLASS-l7slb
loadbalance vip icmp-reply active
nat dynamic 2 vlan 20
appl-parameter http advanced-options HTTP_PARAMETER_MAP
interface vlan 20
ip address 10.99.1.240 255.255.255.0
alias 10.99.1.241 255.255.255.0
nat-pool 1 10.99.1.221 10.99.1.221 netmask 255.255.255.255 pat
nat-pool 2 10.99.1.220 10.99.1.220 netmask 255.255.255.255 pat
no shutdown
=============================================================================
I have configured two VLANs in the CAT6k, i.e. VLAN 10 & VLAN 20, with the following IPs as mentioned in the routes of the ACE:
10.99.0.1 & 10.99.1.1
Also configured only the final rserver 10.99.1.217 under VLAN 20. This made all the VIPs and rservers come up, but I still couldn't get the required page. There is a small confusion in the first context, as the VIP is shown as https, but I don't see any cert and key in the customer config, so I made it http for my test. But the second context VIP is https, where I have added the certs and key as required.
Let me know if I am missing anything here. Many thanks in advance.
thanks
Martin -
Trying to understand traffic Flow in a LWAPP wireless configuration.
I'm trying to understand at a high level how wireless traffic flow in the new LWAPP configuration. Based on what I can tell all wireless traffic must flow through the controllers prior to getting onto the LAN.
So lets say I have a LWAPP Access Point off an access switch in a remote closet and my controller is off my core switches. I want to communicate from my wireless PC to a wired PC on this same access switch. The traffic flows from the AP down to the core switch, through the Controller and back up to the access switch to the wired PC.
Is that correct?
If this is true my main concern is supporting APs from a central controller across a low speed WAN. Looks like I would not want to do that...
You're right in your assumption. Data traffic travels from the client to the AP. The AP then encapsulates this data using LWAPP and forwards it to the Controller. The WLC then de-encapsulates (?) it, processes the traffic as necessary and then drops it onto the wired LAN.
So, in your scenario, the wireless client would send data to the AP. This would be encapsulated between the AP and the controller and then sent back again unencapsulated to the wired client.
Regarding using this system over a low speed WAN, there are two ways of doing this.
The first is to use a local WLC at the remote site (e.g. a WLC2006 or the new WLC network module for 2800/3800 ISR routers).
The second is to use AP1030s which are 'Remote Edge Access Points'. These aren't quite as lightweight as the rest of the 1000 Series in that they will bridge local traffic and only encapsulate traffic heading 'off site'. They will also continue to operate if connection back to the WLC is lost (the first WLAN configured on the WLC remains up on the REAP whilst connection to the WLC is lost).
I believe that the recommendation for these is a minimum of 2Mbps WAN connection. -
I have an 881 router configured with 2 dhcp WAN connections. I am trying to configure failure detection of the primary connection (I do not really care about the secondary at this time).
I have an ip sla/track configured to monitor the primary WAN connection, and if it stops passing traffic it removes that route, passing all traffic out the second WAN connection. When the first connection is restored it should restore the route and everything should pass through the first connection again. This works for all my tests except one. If I start a ping stream from a client "ping 8.8.8.8 -t" and disconnect the primary connection it will lose a few packets but then use the secondary connection in about 15 seconds. After restoring the primary connection all new traffic will use the primary connection, but the ping stream will then stop working (fails over, but not back). If I stop the ping stream for a time (not sure how long is required, but my test was over a minute) it will then use the primary connection like all other new traffic. A stop of a few seconds is not enough, and even opening up a second command prompt to ping the same target also does not work (pinging new targets works as desired). It is as if something is caching the route/session/whatever and it has to have a window of no traffic before expiring/relearning the route. This means any sustained traffic to the original target will not work until it is stopped for a certain time to let "something" age out.
I need to know if there is a way to "flush the cache" (or whatever) during fail-back to force the primary route to be used after fail-back, or something else that will have the same effect. My suspicion is that the second route gets "preferred" because the first is removed by the sla, and when the sla returns the route to the list the existing traffic flow is not aware of the route list change, using the last known good route (which now does not pass traffic). The Issue here is that it takes a length of time for the now bad route to get flushed, which is greater than I want to have.
config (edited):
interface FastEthernet3
description Backup ISP
switchport access vlan 800
no ip address
interface FastEthernet4
description Primary ISP
ip dhcp client route track 100
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto ipsec client ezvpn EZVPN-to-1941
interface Vlan800
description Backup ISP
ip address dhcp
ip nat outside
ip virtual-reassembly in
track 100 list boolean or
object 101
object 102
track 101 ip sla 10 reachability
track 102 ip sla 20 reachability
ip sla 10
icmp-echo 4.2.2.2 source-interface FastEthernet4
threshold 1000
timeout 1500
frequency 5
ip sla schedule 10 life forever start-time now
ip sla 20
icmp-echo 208.67.222.222 source-interface FastEthernet4
threshold 1000
timeout 1500
frequency 5
ip sla schedule 20 life forever start-time now
ip route 4.2.2.2 255.255.255.255 FastEthernet4 permanent
ip route 10.1.2.0 255.255.255.0 <1941 wan ip removed>
ip route <1941 wan ip removed> 255.255.255.255 FastEthernet4 permanent
ip route 208.67.222.222 255.255.255.255 FastEthernet4 permanent
ip route 0.0.0.0 0.0.0.0 Vlan800 dhcp 254
ip route 0.0.0.0 0.0.0.0 FastEthernet4 dhcp
Observation: the last 2 routes appear in the order shown above. Even though the vlan800 route has a higher administrative cost it is in front of the FA4 route, could this be contributing to the issue? Is there a way to ensure the FA4 route is always listed before vlan800 at all times?
-
ASA 5505, how to configure DMZ to Inside traffic flows
Dear.
We have a Cisco ASA 5505 with an outside, inside and DMZ interface.
We really need all these interfaces.
The DMZ interface has been configured to block any traffic to the inside (restrict traffic flow). This restriction can't be disabled; an error occurs when trying to do so.
I want to allow only one single port to have access from the DMZ to the inside; is that possible? And how?
Thanks for the feedback.
Regards.
Peter.
What I mean with "can't be disabled": when you navigate to Configuration/interfaces and select the DMZ interface / advanced, you can block traffic. By default Inside has been selected in the drop-down box. However, you can't leave it blank; you need to specify at least one. I can't create other, extra interfaces because the license allows 3 max.
So, my question is: can I create a rule somewhere to overwrite this setting for only one specific port? And how?
Result of the command: "show version"
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)
Compiled on Fri 20-May-11 16:00 by builders
System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"
router up 100 days 1 hour
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Int: Internal-Data0/0 : address is a44c.11bb.5492, irq 11
1: Ext: Ethernet0/0 : address is a44c.11bb.548a, irq 255
2: Ext: Ethernet0/1 : address is a44c.11bb.548b, irq 255
3: Ext: Ethernet0/2 : address is a44c.11bb.548c, irq 255
4: Ext: Ethernet0/3 : address is a44c.11bb.548d, irq 255
5: Ext: Ethernet0/4 : address is a44c.11bb.548e, irq 255
6: Ext: Ethernet0/5 : address is a44c.11bb.548f, irq 255
7: Ext: Ethernet0/6 : address is a44c.11bb.5490, irq 255
8: Ext: Ethernet0/7 : address is a44c.11bb.5491, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 50
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has a Base license.
Serial Number: xxxxxxxxxxxxxx
Running Activation Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Configuration register is 0x1
Configuration last modified by enable_15 at 14:43:11.295 CEDT Mon Sep 9 2013 -
Are the Tcodes which we use for work flow are same in ecc and crm
Yes, they are the same! Enjoy!
Regards
Tatenda I H Chaibva! -
Hi Everyone,
We have SVI vlan on layer 3 core switch A.
this switch has connection to ASA and also to another B Layer 3 switch.
B Layer 3 switch connects to Layer 2 switch which has this vlan.
Need to understand the traffic flow from the user PC to Switch A.
Switch B has default route which is static to fw for subnet of vlan.
Now traffic goes from layer 2 switch to core Switch B then it has static route for that vlan which is ASA as next hop.
now traffic comes to ASA from there it goes to core Switch B which has SVI Vlan in it.
Also Core Switch A and B has trunk connection which carries that vlan.
Need to know if return traffic from core Switch A comes via ASA or by Switch B?
How can i check this?
Thanks
Mahesh
Hello Mahesh,
Not sure if I understood the topology, but anyway the way to test this would be creating captures on the interface where you think the ASA should receive the traffic; if you do not see the packets there, that would lead us to the returning traffic going to Switch B. -
Hi,
Can somebody give the packet/traffic flow paths from a higher security interface to lower & viceversa..
For eg: session > acl > xlate > etc...
Are these checks different in both of the above scenarios?
Hi Felipe,
But I do find a difference while reading the URL below.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080ba9d00.shtml
I would like to know how is the traffic flow from outside to inside and inside to outside.
Hope you got it...
regards
rajesh -
Can we disable/avoid peer to peer traffic?
We have dozens of offices which all connect to Lync 2013 in a central datacenter via edge.
Most offices have two ISPs - a cheap high-bandwidth option (typically cable modem) and a pricier, low-latency EoC or bonded T1 connection. We use static routes to ensure that traffic bound for the Lync edge and reverse proxy interfaces goes over the
low-latency line. The default route is the cheaper line so all web/email/etc traffic goes out over that.
This works great except for peer-to-peer calls and video calls, which of course go out over the cheaper line and often experience quality degradation.
Is there a way we can force these peer to peer calls to instead route through the edge and avoid this issue? The extra load is less of a concern than the call quality issues.
Thanks!
Hi,
Please note that: As a general rule, Quality of Service applies only to communication sessions on your internal network. When you implement QoS, you configure your servers and routers to support packet marking; however, you configure these devices to support packet marking in a particular manner. You cannot assume that Quality of Service will be supported on the Internet or on other networks. Even if Quality of Service is supported on other networks, there is no guarantee that QoS will be configured the same way that you configured the service on your network.
More details about QoS in Lync Server 2013:
https://technet.microsoft.com/en-us/library/gg405409.aspx?f=255&MSPPError=-2147217396
Best Regards,
Eason Huang
TechNet Community Support -
Port Disable for traffic flowing only one direction
Hi,
We use some Catalyst Express 500 and ESW-520 in our company.
But with the Catalyst Express 500 we have a problem that we can't manage to explain.
Some Gi ports get disabled with this log error message:
Description: Gi1: This port is disabled because the traffic is flowing only in one direction. The cause might be incorrect cabling.
Recommendation: Make sure that cable is properly connected to the ports. For fiber connections, ensure that the transmit and receive fibers are connected correctly. Disable and Enable the port.
Regarding the recommendation, the cable is right; we changed it and replaced the switch with another one, and the problem continues.
If we swap in an ESW-520 the problem doesn't occur, but we can't replace all our old switches for the moment.
Any idea about this problem?
Hi Guys,
Thank you all for your help. The packet was being dropped on the "implicit rule", that means that the packet was not finding an ACL to match.
I checked the ACLs that the VPN Wizard generates by itself when used to configure an IPSec connection, and the ACLs were correct and "before" the implicit rule. (They are called by default outside_cryptomap_"number".)
It seems that since I am not using "sysopt connection permit-vpn" I have to add the same ACLs to the "Local Network" interface (VPN_LAN).
Since there were inbound ACLs related to the VPN_LAN interface, the firewall jumped directly to the "implicit rule".
So the result is that I have two times the same rules first inbound on the VPN_LAN and second on the default outside_cryptomap ACLs.
Greetings,
Daniel -
Can't get traffic flowing between VLANs on an ASA 5505
I've got an ASA 5505 with the Security Plus license that I'm trying to configure.
So far I have setup NATing on two VLANs, one called 16jda (VLAN 16 - 10.16.2.0/24) and one called 16jdc (VLAN 11 - 10.105.11.0/24).
From each subnet I am able to connect to the internet, but I need these subnets to also be able to talk to each other.
I have each VLAN interface at security level 100 and enabled "same-security-traffic permit inter-interface", and I have setup static NAT mappings between the two subnets, but they still can't communicate.
When I try to ping there is no reply and the only log message is:
6 Aug 21 2012 09:00:54 302020 10.16.2.10 23336 10.105.11.6 0 Built inbound ICMP connection for faddr 10.16.2.10/23336 gaddr 10.105.11.6/0 laddr 10.105.11.6/0
I have attached a copy of the router config.
Hi Bro
I know your problem and I know exactly how to solve it too. You could refer to https://supportforums.cisco.com/message/3714412#3714412 for further details.
Moving forward, this is what you’re gonna paste in your FW. This should work like a charm.
access-list from-inside permit ip 10.105.1.0 255.255.255.0 10.105.11.0 255.255.255.0
access-list from-inside permit ip 10.105.1.0 255.255.255.0 10.16.2.0 255.255.255.0
access-list from-16jda permit ip 10.16.2.0 255.255.255.0 10.105.1.0 255.255.255.0
access-list from-16jda permit ip 10.16.2.0 255.255.255.0 10.105.11.0 255.255.255.0
access-list from-16jdc permit ip 10.105.11.0 255.255.255.0 10.105.1.0 255.255.255.0
access-list from-16jdc permit ip 10.105.11.0 255.255.255.0 10.16.2.0 255.255.255.0
nat (inside) 0 access-list from-inside
nat (16jdc) 0 access-list from-16jdc
nat (16jda) 0 access-list from-16jda
clear xlate
nat (inside) 1 10.105.1.0 255.255.255.0 <-- You forgot this!!
Basically, when inside wants to communicate with the other interfaces bearing security-level 100, e.g. 16jda or 16jdc, or vice-versa, you'll need to enable "NAT Exemption", i.e. nat (nameif) 0. I know you have already enabled the same-security permit inter-interface command, but this command becomes useless once you've enabled dynamic NAT on one of those interfaces. It's as if the same-security traffic command wasn't even entered in the first place. Hence, the Cisco ASA is behaving as expected as per Cisco's documentation. For further details on this, you could refer to the URLs below:
https://supportforums.cisco.com/thread/223898
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1042530
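As an added example (not part of the reply above or any Cisco tool), the following script parses the access-list and nat lines pasted in that reply and answers, for a given source interface and host pair, whether a "nat (nameif) 0 access-list ..." exemption covers the flow. The pass/drop decision is a deliberately simplified model of the reply's explanation (a dynamic NAT rule on the source interface makes an exemption necessary), not the ASA's full NAT order of operations.

```python
"""ASA 8.2-style NAT-exemption check for same-security inter-interface traffic."""
import ipaddress
import re
from dataclasses import dataclass, field

ACL_RE = re.compile(
    r"access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
NAT_EXEMPT_RE = re.compile(r"nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)$")
NAT_DYNAMIC_RE = re.compile(r"nat\s+\((\S+)\)\s+([1-9]\d*)\s+(\S+)\s+(\S+)$")

# Constructed sample input: the lines posted in the reply above, minus "clear xlate".
POSTED_CONFIG = """
access-list from-inside permit ip 10.105.1.0 255.255.255.0 10.105.11.0 255.255.255.0
access-list from-inside permit ip 10.105.1.0 255.255.255.0 10.16.2.0 255.255.255.0
access-list from-16jda permit ip 10.16.2.0 255.255.255.0 10.105.1.0 255.255.255.0
access-list from-16jda permit ip 10.16.2.0 255.255.255.0 10.105.11.0 255.255.255.0
access-list from-16jdc permit ip 10.105.11.0 255.255.255.0 10.105.1.0 255.255.255.0
access-list from-16jdc permit ip 10.105.11.0 255.255.255.0 10.16.2.0 255.255.255.0
nat (inside) 0 access-list from-inside
nat (16jdc) 0 access-list from-16jdc
nat (16jda) 0 access-list from-16jda
nat (inside) 1 10.105.1.0 255.255.255.0 <-- You forgot this!!
"""


@dataclass
class AsaNatConfig:
    acls: dict = field(default_factory=dict)     # acl name -> [(src_net, dst_net)]
    exempt: dict = field(default_factory=dict)   # nameif -> acl name bound by "nat (x) 0"
    dynamic: dict = field(default_factory=dict)  # nameif -> [networks under dynamic NAT]


def parse_config(text: str) -> AsaNatConfig:
    """Collect the three statement types the reply relies on; ignore everything else."""
    cfg = AsaNatConfig()
    for raw in text.splitlines():
        line = raw.split("<--", 1)[0].strip()    # drop the reply's inline remark
        if m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            cfg.acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
        elif m := NAT_EXEMPT_RE.match(line):
            cfg.exempt[m.group(1)] = m.group(2)
        elif m := NAT_DYNAMIC_RE.match(line):
            cfg.dynamic.setdefault(m.group(1), []).append(
                ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}"))
    return cfg


def is_exempt(cfg: AsaNatConfig, src_if: str, src_ip: str, dst_ip: str) -> bool:
    """True when the nat 0 ACL bound to src_if has a line covering src -> dst."""
    acl = cfg.exempt.get(src_if)
    if acl is None:
        return False
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in s_net and dst in d_net for s_net, d_net in cfg.acls.get(acl, []))


def needs_exemption(cfg: AsaNatConfig, src_if: str, src_ip: str) -> bool:
    """Simplified model (assumption, per the reply): a dynamic NAT rule on src_if that
    covers the source host means the ASA expects a translation for the flow."""
    src = ipaddress.ip_address(src_ip)
    return any(src in net for net in cfg.dynamic.get(src_if, []))


def inter_interface_flow(cfg: AsaNatConfig, src_if: str, src_ip: str, dst_ip: str,
                         same_security_permit: bool = True) -> str:
    """Return 'pass', 'drop:no-same-security' or 'drop:no-translation' for the flow
    between two security-level-100 interfaces."""
    if not same_security_permit:
        return "drop:no-same-security"
    if needs_exemption(cfg, src_if, src_ip) and not is_exempt(cfg, src_if, src_ip, dst_ip):
        return "drop:no-translation"
    return "pass"


if __name__ == "__main__":
    cfg = parse_config(POSTED_CONFIG)
    for src_if, s, d in [("16jda", "10.16.2.10", "10.105.11.6"),
                         ("inside", "10.105.1.20", "10.16.2.10")]:
        print(f"{src_if}: {s} -> {d}: {inter_interface_flow(cfg, src_if, s, d)}")
```

Removing the "nat (inside) 0 access-list from-inside" line from the sample and re-running shows the inside-originated flow flipping to "drop:no-translation", which is the symptom the reply is addressing.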
-
Multiple Flows of Same Name in One File
(FM11 on Win7)
The Compare Documents utility reports that the same file has multiple flows of the same name, and so does not compare the files. Doh!
The report from the utility seems accurate.
I see two end-of-flow markers in the file, one on the second page and another on the final page.
The flow tag names of the text frames on the body pages are identical: BodyText.
The AutoConnect box on each is selected.
I still want to compare the files, so I try this:
When I do View > Master Pages and then go back to View > Body Pages, FM says some body pages in the file override their master page layout.
Do I want to override? I say yes.
I go to the body pages. Everything looks the same.
I try Compare Documents again. Same message.
So how do I join those two flows, even though they apparently are already Autoconnected and have the same name?
Or, as an alternative, how do gain the benefits of a Compare Documents operation in a file that contains two flows of the same name?
Best regards,
iPhone will duplicate if you import contacts from your SIM card or manually add new contacts and save them in iPhone memory instead of saving them in iCloud. So you have contacts from iCloud and from iPhone memory too.
Try to save your contacts just one place, like iCloud.
Hope it will be helpful -
Parallel flow using same Partnerlink
Hi all,
This is what i'm trying to do: i have a process that splits up in two parallel processes which are EXACTLY the same (only input differs very slightly). Later on these processes converge again to one.
So, I decided to build a process A that calls upon process B twice, using flow to have it in parallel. I realized I had to do something about getting the receive right. The thing to use looks to be the Correlation Set. However, Correlation set documentation is very meagre. I can't seem to understand the working of the 109.CorrelationSets example, as it looks to use a double correlation (?). It just confuses me.
I really need some help here, and would appreciate a very simple working example.
What I really need to know is:
- what steps to take (BPELDEV guide isn't enough help)
- where to place correlation (on invoke or receive in process A ?, on receive or reply in process B?)
- how to set the correlation value, or is it always derived on the basis of the "query" in the bpws:PropertyAlias?
Thanks in advance!
Hi,
This is probably related to the fact that you cannot have two concurrently enabled activities with the same partner link, operation, and correlation set (this constraint can be found in the BPEL spec). The correlation sets won't help you here because correlation sets are there to do instance routing (i.e. route an inbound message to the right process instance), but the problem here is not to route to the right process instance, but to route to the appropriate "receive" action... If there are two competing receive actions, the engine just goes nuts, and this is why the above constraint was introduced in the BPEL spec.
One way to go around (assuming that the interaction between A and B is based on asynchronous send/receive), is to first send the two messages in a flow, and then wait for the response with a single receive (rather than two separate receive actions). Something like this:
<sequence>
  <flow>
    <invoke (send asynchronous message to B), no output variable here!>
    <invoke (send asynchronous message to B), again, no output variable here!>
  </flow>
  set variable counter to 1
  <while counter <= 2>
    <receive one message from B>
    increment variable counter by 1
  </while>
</sequence>
With a colleague, we have written a more complicated version of this scenario, where we effectively can receive messages through the same partner link not from 2 process instances, but from any arbitrary number of process instances. See http://www.serviceinteraction.com and download the code sample for "one-to-many send/receive with dynamically determined partners".
I can send you the full Oracle BPEL project for this example if you think it would help. But I think that with the above information you should be able to proceed.
Regards
Marlon Dumas (m . dumas @ qut . edu . au)
-
Multiple task flows on same page
Surely appreciate any help on this:
I am dropping the same bounded task flow as a region twice on the same jspx.
The region ids are different.
The task flow has a single fragment which is bound to a page definition.
The page def exposes a web service data control consuming two web methods: a fetch and a corresponding merge.
I am setting the data control scope to isolated.
My desire is to have two autonomous copies of the same bindings, one for each task flow.
Instead, setting the scope to isolated causes the second fragment to bind to nothing.
Setting the scope back to shared causes both fragments to access the same bindings.
Any help?
Thanks and Best regards,
Josh
Actually, let me correct this post, since the above is a workaround and not the real issue.
The parent page publishes a contextual event that is subscribed to by the regional-ized bounded task flows.
These are two instances of the same task flow.
It appears that once the first task flow consumes this event, it is removed from the event queue, so it never reaches the second task flow.
This appears to be a bug in the ADF framework. I suspect it may be extending a limitation of the underlying JSF controller.
Please respond if you may have a resolution.
Thank you and Regards,
Josh
-
Cisco asa traffic flow with destination nat
Hi Folks,
Can anybody comment on the below.
1. In source natting (inside users accessing the internet), first the NAT will happen, then the routing will happen. I agree with this..
2. In destination natting (outside users accessing an inside server on a public IP), what will happen first, NATTING or Routing? I am looking forward to hearing an explanation.
regards
Rajesh
The ASA will always apply NAT based on the order of the NAT table (which is directly derived from the running configuration), which can be viewed with 'show nat detail'. It takes the packet and walks down the table in order of the entries programmed into the table, looking for the first rule that has a matching interface(s) and matching IP subnets/ports that apply to the packet in question; at that point the NAT translation is applied and further processing stops.
The NAT phase that you show highlighted reflects the stage where the packet's IP headers in an existing connection are re-written by NAT; it is not the exact phase where the egress interface selection is overridden by the translation table.
That order of operations slide is really quite simplified, and intentionally missing some steps because I just don't have time to go over the nuances of NAT during the general troubleshooting presentation that the picture was pulled from. On the next slide titled "Egress Interface", I do explain that NAT can override the global routing table for egress interface selection. This order of operations is somewhat "rough", and there are corner cases that can make the order of operations confusing.
The confusion here probably stems from the doubt about which comes first when selecting egress interfaces, routing or NAT. Hopefully with my explanation below, you'll have the missing pieces needed to fully explain why you see the seemingly inconsistent behavior. Please let me know what is unclear or contradictory about my explanation and I'll try and clear it up. I would also appreciate your suggestions on how to simply and clearly show these steps on a slide, so that I can improve how we deliver this information to our customers. Anyway, on to the explanation...
The short answer:
The NAT divert check (which is what overrides the routing table) is checking to see if there is any NAT rule that specifies destination address translation for an inbound packet arriving on an interface.
If there is no rule that explicitly specifies how to translate that packet's destination IP address, then the global routing table is consulted to determine the egress interface.
If there is a rule that explicitly specifies how to translate the packet's destination IP address, then the NAT rule "pulls" the packet to the other interface in the translation and the global routing table is effectively bypassed.
The longer answer:
For the moment, ignore the diagram above. For the first packet in the flow arriving inbound on an ASA's interface (TCP SYN packet for example):
Step 1: un-translate the packet for the Security check: Check the packet's headers for matching NAT rules in the NAT table. If the rules apply to the packet, virtually un-NAT the packet so we can check it against the access policies of the ASA (ACL check).
Step 1.A: ACL Check: Check the un-translated packet against the interface ACL, if permitted proceed to step 2
Step 2: Check NAT-divert table for global routing table override: In this step the ASA checks the packet and determines if either of the following statements are true:
Step 2 check A: Did the packet arrive inbound on an interface that is specified as the global (aka mapped) interface in a NAT translation (this is most common when a packet arrives inbound on the outside interface and matches a mapped ip address or range, and is forwarded to an inside interface)?
-or-
Step 2 check B: Did the packet arrive inbound on an interface that is specified as the local (real) interface in a NAT translation that also has destination IP translation explicitly specified (this is seen in your first example, the case with your NAT exempt configuration for traffic from LAN to WAN bypassing translation)?
If either of these checks returns true, then the packet is virtually forwarded to the other interface specified in the matching NAT translation line, bypassing the global routing table egress interface lookup; then a subsequent interface-specific route lookup is done to determine the next-hop address to forward the packet to.
Put another way, Step 2 check B checks to see if the packet matches an entry in the NAT divert-table. If it does, then the global routing table is bypassed, and the packet is virtually forwarded to the other (local) interface specified in the NAT translation. You can actually see the NAT divert-table contents with the command 'show nat divert-table', but don't bother too much with it as it isn't very consumable and might be misleading.
Now let's refer to the specific example you outlined in your post; you said:
route ISP-1 0.0.0.0 0.0.0.0 1.1.1.1 1
route ISP-2 0.0.0.0 0.0.0.0 2.2.2.1 254
nat (LAN,ISP-1) after-auto source dynamic any interface
nat (LAN,ISP-2) after-auto source dynamic any interface
Now let's say that there is a connection coming from behind the LAN interface with the source IP address 10.10.10.10 destined for 8.8.8.8 on destination port TCP/80. The flow chart would seem to indicate (with the above information/configuration in mind) that a NAT would be done before the L3 Route Lookup?
The packet you describe will not match any nat-divert entries, and the egress interface selection will be performed based on the L3 routing table, which you have tested and confirmed. This is because the packet does not match Step 2 checks A or B.
It doesn't match Step 2 Check A because the packet did not arrive inbound on the mapped (aka global) interfaces ISP-1 or ISP-2 from the NAT config lines. It arrived inbound on the local (aka real) interface LAN.
It doesn't match Step 2 Check B because these NAT rules don't have destination IP address translation explicitly configured (unlike your LAN to WAN example)...therefore the ASA won't match a divert-table entry for the packet (actually you'll see a rule in the divert table, but it will have ignore=yes, so it is skipped).
Message was edited by: Jay Johnston
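The decision the answer above describes (Step 2 divert check first, global routing table only when no divert entry applies), as an added Python model that is not Cisco's code and not part of the thread. It uses the thread's two routes and two after-auto NAT lines, and adds two constructed manual rules to exercise Step 2 checks A and B: a NAT-exempt line with an explicit destination, and a static translation publishing 10.10.10.20 as 1.1.1.20 on ISP-1. The WAN interface, the 10.10.10.0/24, 192.168.50.0/24 and 1.1.1.20 values and the 203.0.113.5 client are assumptions; the Step 1 ACL check and the per-interface next-hop lookup that follows a divert are left out.

```python
"""Added illustration (not Cisco code): ASA egress-interface selection as the
answer describes it, run against the thread's routes and NAT lines plus two
constructed manual rules."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class NatRule:
    real_if: str                 # local (real) interface of the rule
    mapped_if: str               # global (mapped) interface of the rule
    kind: str                    # "static" or "dynamic"
    real_src: str                # real source: "any" or CIDR
    mapped_src: str              # mapped source: "interface" (PAT) or CIDR
    dest_real: Optional[str] = None    # set only when the rule explicitly
    dest_mapped: Optional[str] = None  # translates the destination address


@dataclass
class Route:
    iface: str
    prefix: str
    next_hop: str
    metric: int


@dataclass
class Packet:
    in_if: str   # interface the packet arrived on
    src: str
    dst: str
    dport: int


def _matches(addr: str, spec: str) -> bool:
    """'any' matches everything; 'interface' (PAT to the interface IP) is not
    treated as a divert-eligible mapped address in this model (assumption)."""
    if spec == "any":
        return True
    if spec == "interface":
        return False
    return ip_address(addr) in ip_network(spec, strict=False)


def divert_check(pkt: Packet, nat_rules: List[NatRule]) -> Optional[str]:
    """Step 2: walk the NAT table in order and return the interface the first
    matching divert entry pulls the packet to, or None if none applies."""
    for rule in nat_rules:
        # Check A: arrived on the mapped (global) interface and the destination
        # is a mapped address of a static rule -> pulled to the real interface.
        if (rule.kind == "static" and pkt.in_if == rule.mapped_if
                and _matches(pkt.dst, rule.mapped_src)):
            return rule.real_if
        # Check B: arrived on the real interface of a rule that explicitly
        # translates the destination (e.g. NAT exempt) -> pulled to mapped if.
        # Rules without destination translation are the "ignore=yes" entries
        # the answer mentions, so they never divert here.
        if (pkt.in_if == rule.real_if and rule.dest_real is not None
                and _matches(pkt.src, rule.real_src)
                and _matches(pkt.dst, rule.dest_real)):
            return rule.mapped_if
    return None


def route_lookup(dst: str, routes: List[Route]) -> Optional[Route]:
    """Global routing table: longest prefix wins, then the lowest metric."""
    best: Optional[Tuple[Tuple[int, int], Route]] = None
    for r in routes:
        net = ip_network(r.prefix, strict=False)
        if ip_address(dst) in net:
            key = (net.prefixlen, -r.metric)
            if best is None or key > best[0]:
                best = (key, r)
    return best[1] if best else None


def egress_interface(pkt: Packet, nat_rules: List[NatRule],
                     routes: List[Route]) -> Tuple[Optional[str], str]:
    """Return (egress interface, mechanism that chose it)."""
    diverted = divert_check(pkt, nat_rules)
    if diverted is not None:
        return diverted, "nat-divert"
    route = route_lookup(pkt.dst, routes)
    return (route.iface if route else None), "routing-table"


# The thread's own routes (ISP-1 preferred by metric) and NAT lines.
ROUTES = [
    Route("ISP-1", "0.0.0.0/0", "1.1.1.1", 1),
    Route("ISP-2", "0.0.0.0/0", "2.2.2.1", 254),
]
NAT_RULES = [
    # Constructed manual rules (section 1), evaluated before the after-auto
    # lines: a NAT-exempt rule with an explicit destination, and a static
    # rule publishing 10.10.10.20 as 1.1.1.20 on ISP-1.
    NatRule("LAN", "WAN", "static", "10.10.10.0/24", "10.10.10.0/24",
            dest_real="192.168.50.0/24", dest_mapped="192.168.50.0/24"),
    NatRule("LAN", "ISP-1", "static", "10.10.10.20/32", "1.1.1.20/32"),
    # nat (LAN,ISP-1) after-auto source dynamic any interface
    NatRule("LAN", "ISP-1", "dynamic", "any", "interface"),
    # nat (LAN,ISP-2) after-auto source dynamic any interface
    NatRule("LAN", "ISP-2", "dynamic", "any", "interface"),
]

if __name__ == "__main__":
    for pkt in (Packet("LAN", "10.10.10.10", "8.8.8.8", 80),       # thread's case
                Packet("ISP-1", "203.0.113.5", "1.1.1.20", 443),   # check A
                Packet("LAN", "10.10.10.10", "192.168.50.7", 22)):  # check B
        print(pkt.in_if, pkt.src, "->", pkt.dst, egress_interface(pkt, NAT_RULES, ROUTES))
```

The thread's packet (LAN, 10.10.10.10 to 8.8.8.8:80) matches neither check and falls through to the routing table, so ISP-1 wins on metric. The constructed inbound packet to 1.1.1.20 on ISP-1 is pulled to LAN by check A, and the constructed LAN packet to 192.168.50.7 is pulled to WAN by check B even though the routing table alone would have sent it out ISP-1; that is the override the answer is describing.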