Store & Forward vs cut-through switching

Hey Guys,
Looking for expert opinion on what type of packet forwarding should be used at what layer (AGG/ToR), especially in the DC.
Is there no buffering at all when we use cut-through? I understand that on ToR, store-and-forward only makes sense if high-buffer cheap switches are being used.
On cisco.com I found this for the Nexus 3K: "Store-and-forward mode activates automatically for a port when the switch identifies that the port is oversubscribed and the ingress rate is greater than the switching capacity of the egress port. For example, when the port ingress rate is 10 gigabit and the switching capacity of the egress port is 1 gigabit."
However, on the other hand, for the 5K, 10 G to 1 G is cut-through.
Forwarding Mode Behavior (Cut-Through or Store and Forward)

| SOURCE INTERFACE   | DESTINATION INTERFACE | SWITCHING MODE    |
|--------------------|-----------------------|-------------------|
| 10 GigabitEthernet | 10 GigabitEthernet    | Cut-Through       |
| 10 GigabitEthernet | 1 GigabitEthernet     | Cut-Through       |
| 1 GigabitEthernet  | 1 GigabitEthernet     | Store-and-Forward |
| 1 GigabitEthernet  | 10 GigabitEthernet    | Store-and-Forward |

This makes me a little bit confused; I would appreciate it if someone can clarify.
Thanks
Ajay

Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
Sorry, I'm confused about what you're confused about.  If you're asking about 3K Nexus forwarding operation, and why it is what it is, that's something only Cisco can answer.
If you're asking about store-and-forward vs. cut-through, the latter is designed to decrease store-and-forward latency.
Historically, when 10 Mbps switches first came out, they added latency (remember, it's per hop) not seen with 10 Mbps hubs. When 100 Mbps came out, store-and-forward latency decreased so the need for cut-through fell out of favor.  (BTW, keep in mind there are issues starting forwarding a frame before you know you have a good copy.)
With 1g, 10g, 40g and 100g, store-and-forward latency is decreased even more but now we have applications that required ultra low latency.  We also now perhaps have applications using jumbo Ethernet.  So, there's been a bit of a revival of cut-through.
PS:
BTW, cut-through cannot work with ingress having a slower bit rate than egress.
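
The trade-off discussed in the reply above, as an added example that is not part of the original posts: a small model of when each forwarding mode commits to a frame, which damaged frames it therefore lets through, and the fallback to store-and-forward when ingress is slower than egress. It also covers fragment-free, which is mentioned further down the page. The frames, MAC addresses and function names are constructed for illustration, and the model reflects only the rate constraint stated in the reply, not any platform's published behaviour table.

```python
import struct
import zlib

MIN_FRAME = 64      # smallest legal Ethernet frame, FCS included
DST_MAC_LEN = 6     # cut-through commits once the destination MAC has arrived
MODES = ("cut-through", "fragment-free", "store-and-forward")


def build_frame(dst, src, ethertype, payload):
    """Header + payload, padded to the 60-byte minimum, plus a CRC-32 FCS."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    body = body.ljust(MIN_FRAME - 4, b"\x00")
    return body + struct.pack("<I", zlib.crc32(body))


def fcs_ok(frame):
    """True when the trailing 4 bytes match the CRC-32 of the rest."""
    if len(frame) <= 4:
        return False
    return struct.unpack("<I", frame[-4:])[0] == zlib.crc32(frame[:-4])


def effective_mode(configured, ingress_bps, egress_bps):
    """Cut-through variants need bits to arrive at least as fast as they
    leave; with a slower ingress the egress port would run dry mid-frame."""
    if configured != "store-and-forward" and ingress_bps < egress_bps:
        return "store-and-forward"
    return configured


def forward(frame, configured, ingress_bps, egress_bps):
    """Return the mode actually used, whether the frame goes out, how long
    the switch waits before it can start sending, and whether a damaged
    frame ends up on the egress wire."""
    mode = effective_mode(configured, ingress_bps, egress_bps)
    runt = len(frame) < MIN_FRAME
    if mode == "cut-through":
        seen = min(DST_MAC_LEN, len(frame))
        forwarded = len(frame) >= DST_MAC_LEN   # length and FCS still unknown
    elif mode == "fragment-free":
        seen = min(MIN_FRAME, len(frame))
        forwarded = not runt                    # runts caught, bad FCS is not
    else:
        seen = len(frame)
        forwarded = not runt and fcs_ok(frame)  # whole frame checked first
    return {
        "mode": mode,
        "forwarded": forwarded,
        "wait_ns": seen * 8 * 1e9 / ingress_bps,
        "bad_on_wire": forwarded and (runt or not fcs_ok(frame)),
    }


# Constructed sample frames (locally administered MACs, dummy payload).
DST = bytes.fromhex("020000000002")
SRC = bytes.fromhex("020000000001")
GOOD = build_frame(DST, SRC, 0x0800, b"\xAA" * 1500)   # 1518 bytes on the wire
_damaged = bytearray(GOOD)
_damaged[100] ^= 0x01                                  # single bit flipped in transit
CORRUPT = bytes(_damaged)
RUNT = GOOD[:40]                                       # truncated fragment


def compare(ingress_bps=10**10, egress_bps=10**10):
    """One row per (frame, configured mode) for the given port speeds."""
    rows = []
    for name, frame in (("good", GOOD), ("corrupt", CORRUPT), ("runt", RUNT)):
        for configured in MODES:
            r = forward(frame, configured, ingress_bps, egress_bps)
            rows.append((name, configured, r["mode"], r["forwarded"],
                         r["bad_on_wire"], round(r["wait_ns"], 1)))
    return rows


if __name__ == "__main__":
    for speeds in ((10**10, 10**10), (10**9, 10**10)):
        print("ingress %d bps -> egress %d bps" % speeds)
        for row in compare(*speeds):
            print("  %-8s configured=%-18s used=%-18s fwd=%-5s bad_on_wire=%-5s wait=%sns" % row)
```
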

Similar Messages

  • Understanding Cut-Through Switching Mode

    Hello
    I am learning about the different operation modes of Cisco switches and I have a question about the cut-through switching mode:
    Cut-through mode tells the switch to forward a frame after opening only the first 14 bits. How can this method support VLAN tagging? The switch needs to know if it can send into the trunk port it wants to forward to, and needs to check if the VLAN it needs to reach is allowed on the same port. The switch can see this only after seeing almost all the frame header.
    Thank you for your help

    I mean, as part of the cut-through processing, the VLAN tag needs to be analyzed.  If the ingress port is configured to support VLAN tags, then the cut-through needs to wait to see that portion of the frame.  Likewise, if the egress port is VLAN tagged, the frame will need to be held until the frame's VLAN tag can be constructed.
    So, yes, cut-through could work with VLAN tags, it will just add a bit of latency.  It's up to the device vendor to determine how, and under what conditions, cut-through will work.
    Some cut-through switches support "fragment-free", which means that they look at more of the header.  Some (at least years ago) would use fragment-free dynamically (based on loading).  So, again, it's really up to the device vendor.  (BTW, "basic" cut-through assumes the whole frame will be received, but that's not always a valid assumption.)

  • Forwarding latency for various switches

    i want to quantify the latency in my network, as part of an effort to determine whether or not we can deploy a new application
    so i've grabbed my Finisar THG box (a hardware packet sniffer with an internal clock accurate to 20ns), a stack of various switches, and some cables. i plug the two ports of the THG box into a switch, send 1,000 pings at a specified interval from one THG NIC through the switch to the other THG NIC, subtract the packet insertion time, average the resulting pile of numbers, and come up with a figure for the forwarding latency (aka decision time) of the device. see my results below
    now i want a sanity check. Cisco must perform this same test (possibly with fancier hardware, like SmartBits boxes) routinely on their gear ... where do they post these results? i've been poking around www.cisco.com without success
    for interest, here are my numbers:
    Catalyst 4003 100BaseT ports: 3170ns
    Catalyst 4003 1000BaseSX ports: 705ns
    [same forwarding latency for 64 byte and for 1518 byte packets]
    Cat 4503 1000BaseSX 64 byte: 3300ns
    Cat 4503 1000BaseSX 1518 byte: 7120ns
    [why the change in forwarding latency depending on packet size? remember, i've already subtracted packet insertion time]
    Cat 6506 1000BaseSX 64 byte: 5000ns
    Cat 6506 1000BaseSX 1518 byte: 7120ns
    Datacomm Aggregation tap 100Mb: 320ns
    In-Line Finisar 100Mb tap: 0ns
    NetGear 100Mb hub: 330ns
    and finally, we ran a test across our production network (which translates into two access-layer Cat 4506s, two distribution layer Cat 6506s, one core layer Cat 6506, plus ~500m of cabling) ... and came out with ~20us of latency, exclusive of packet insertion time. good stuff
    -where does Cisco post the numbers they have recorded?
    -with whom could i have a conversation about what drives forwarding latency in different Catalyst models? why, for instance, different packet sizes change decision time, in some models but not in others?
    i'm wanting both a sanity check and a deeper understanding
    --sk
    stuart kendrick
    fhcrc

    I don't believe you'll ever see those numbers published from a vendor (Cisco or any other).
    Think marketing: With hard numbers being public information, the Marketing folks have a lot less "wiggle room" when producing their materials. It provides a hard/fixed target for the competitors, for their engineering and marketing.
    Think back to ~1984 when Kalpana introduced Ethernet switching. Their product (a cut-through switch) produced latencies in the ~20s when everyone else's store & forward switches were in the 90s.
    What happened? The marketing folks from the other companies (including Cisco) re-defined the term "Latency" in their marketing materials such that it favored their product (or at least made it look like a less-significant difference). It was wild ... some wanted it to mean first byte in/first byte out, others wanted first byte in/last byte out ... and everything in-between ... whatever worked for their product.
    Cisco even came up with "Frag-Free switching" to capture the market generated by all the other vendors' FUD campaign ("the fast switching of cut-through {sorta}, with the assurance of runt/frag-free switching offered by S&F").
    Even numbers from the third party groups can be suspect. Our Lab (I worked at a different place then) had much of the same equipment used by the third-party groups ... and we came up (in some cases) with similar numbers (and sometimes different numbers) ... without the spin, the products usually didn't produce the same happy results.
    When the manufacturer is paying for the third-party to do the testing, the analysis tends to have a much more positive lean to it.
    To finish it all off, in most cases, performance (assuming it's within acceptable limits) is only a small part of the purchasing decision. In many/most cases, pre/post sale support, stability and longevity of the manufacturer, implementation costs, interoperability, post-installation management, and other factors take the forefront of "why do I wanna buy this thing from those guys."
    Meaning, would you rather buy the hottest box from a new company that may|may not be around next year, that may|may not integrate well with existing infrastructure, that may|usually doesn't have a product that doesn't integrate with the existing management platforms and may|may not have a decent support organization .... OR buy from a company that doesn't have the fastest box, but it's reliable, integrates well, has a good support organization, and has proven longevity (it'll be here next year) ... and the other (mostly positive) attributes?
    Sorry for the long post, but it's an issue that's more complex than performance stats, and (to get back to the original point) Marketing likely requires some "flexibility" in their marketing materials and generally doesn't want hard specs beyond the usual packets-per-second, backplane throughput, and MTBF.
    FWIW
    Scott

  • Cut through, fragment free config

    Hi
    Can someone please tell me how to configure cut through, fragment free and store & forward?
    Can we configure this for each port separately or do we have to do it to the whole switch?
    How can we check the current switch type (cut through, fragment free or store and forward)?
    What is the default mode?
    Thanks in advance!

    As technologies improved, the use of a cut through switch was no longer needed. I mean that the chipsets and speeds are so much faster now than they were a few years ago that the benefit of having a store and forward switch is worth it. With a store and forward switch you can now manipulate and react to packets, which you would not be able to do with a cut through. By looking into the packet now you can make further decisions and drop or log the packet as malignant. With a cut through you can not make that decision. Another device (IDS, Firewall, etc.) will have to make that decision. One studies the cut through switch to understand the predecessor to what is now commonly used.....

  • The App Store said I needed to switch countries so I clicked the button and it switched it for me but now I can't update my apps but when I try to change it through settings it still says the country is the u.s. I don't know what to do to change it back

    The App Store said I needed to switch countries so I clicked the button and it switched it for me but now I can't update my apps but when I try to change it through settings it still says the country is the u.s. I don't know what to do to change it back

    See  >  Change your iTunes Store country
    Here  >  http://support.apple.com/kb/HT1311
    If necessary Contact iTunes Customer Service and request assistance
    Use this Link  >  Apple  Support  iTunes Store  Contact

  • "Cut through forwarding"

    Under Router Settings, Connectivity in Administration tab there is a Check box for "Cut through forwarding" 
    What is Cut through forwarding??
    Regards,
    William

    I recommend disabling it
    Cut Through Forwarding is a new feature for Linksys Smart Wi-Fi Routers (EA6300, EA6400 and EA6700) that increases the router’s performance through bypassing protocols that add extra overhead to router processing (such as packet level inspections, sorting, filtering, and queuing).
    Enabling the Cut Through Forwarding feature will only apply to devices that are NOT part of any Parental Controls or Media Prioritization policies since those devices need to be packet inspected. 
    When disabled, there is no performance enhancement and all clients go through the extra router processing overhead.
    QUICK TIP:  This feature is enabled by default.  Disabling this option may improve compatibility with other Wi-Fi devices and services.  If you want to disable it, log in to your Linksys Smart Wi-Fi Account.  Go to Connectivity > Administration.  Under the Cut Through Forwarding section, uncheck the Enable checkbox.
    Please remember to Kudo those that help you.
    Linksys
    Communities Technical Support

  • Need Help-How Store the input parameter through java bean

    Hello Sir,
    I have a simple Issue but It is not resolve by me i.e input parameter
    are not store in Ms-Access.
    I store the input parameter through Standard Action <jsp:useBean>.
    jsp:useBean call a property IssueData. this property exist in
    SimpleBean which create a connection from DB and insert the data.
    At run time servlet and server also show that logging are saved in DB.
    But when I open the table in Access. Its empty.
    Ms-Access have two fields- User, Password both are text type.
    Please review these code:
    login.html:
    {code}<html>
    <head>
    <title>A simple JSP application</title>
    </head>
    <body>
    <form method="get" action="tmp" >
    Name: <input type="text" name="user">
    Password: <input type="password" name="pass">
    <input type="Submit" value="Submit">
    </form>
    </body>
    </html>{code}
    LoginServlet.java:
    {code}import javax.servlet.*;
    import javax.servlet.http.*;
    public class LoginServlet extends HttpServlet{
        public void doGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException{
            try {
                String user=request.getParameter("user");
                String pass=request.getParameter("pass");
                co.SimpleBean st = new co.SimpleBean();
                st.setUserName(user);
                st.setPassword(pass);
                request.setAttribute("user",st);
                request.setAttribute("pass",st);
                RequestDispatcher dispatcher1 =request.getRequestDispatcher("submit.jsp");
                dispatcher1.forward(request,response);
            } catch(Exception e) {
                e.printStackTrace();
            }
        }
    }{code}
    SimpleBean.java:
    {code}package co;
    import java.util.*;
    import java.io.*;
    import javax.servlet.*;
    import javax.servlet.http.*;
    import java.sql.*;
    import java.util.*;
    public class SimpleBean {
        private String user="";
        private String pass="";
        private String s="";
        public String getUserName() {
            return user;
        }
        public void setUserName(String user) {
            this.user = user;
        }
        public String getPassword() {
            return pass;
        }
        public void setPassword(String pass) {
            this.pass = pass;
        }
        public String getIssueData() { // method that creates the connection to the database
            try {
                System.out.println("Printed*************************************************************");
                getUserName();
                getPassword();
                Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
                System.out.println("Loading....");
                Connection con=DriverManager.getConnection("jdbc:odbc:simple");
                System.out.println("Connected....");
                PreparedStatement st=con.prepareStatement("insert into Table1 values(?,?)");
                System.out.println("~~~~~~~~~~~~~~~~~~~~");
                String User=getUserName();
                st.setString(1,User);
                String Password=getPassword();
                st.setString(2,Password);
                st.executeUpdate();
                System.out.println("Query Executed");
                con.close();
                s=  "Your logging is saved in DB ";
                System.out.println("Your logging is saved in DB *****************");
                return(s);
            } catch(Exception e) {
                e.printStackTrace();
                return "failed";
            }
        }
    }{code}
    submit.jsp:
    {code}This is Submit page
    <html><body>
    Hello
    Student Name: <%= ((co.SimpleBean)request.getAttribute("user")).getUserName() %>
    <br>
    Password: <%= ((co.SimpleBean)request.getAttribute("pass")).getPassword() %>
    <br>
    <jsp:useBean id="st" class="co.SimpleBean" scope="request" />
    <jsp:getProperty name="st" property="IssueData" />
    </body></html>{code}
    web.xml:
    {code}<web-app>
    <servlet>
    <servlet-name>one</servlet-name>
    <servlet-class>LoginServlet</servlet-class>
    </servlet>
    <servlet-mapping>
    <servlet-name>one</servlet-name>
    <url-pattern>/tmp</url-pattern>
    </servlet-mapping>
    <jsp-file>issue.jsp</jsp-file>
    <jsp-file>submit.jsp</jsp-file>
    <url-pattern>*.do</url-pattern>
    <welcome-file-list>
    <welcome-file>Login.html</welcome-file>
    </welcome-file-list>
    </web-app>{code}
    Please Help me..Thanks.!!!
    --

    Dear Sir,
    The same issue still persists. Input parameters are not stored in the database.
    After following your suggestion, when I run this program the browser shows this, i.e.:
    This is Submit page Hello Student Name: vijay
    Password: kumar
    <jsp:setProperty name="st" property="userName" value="userValue/> Your logging is saved in DB
    Please review my code.
    login.html:
    {code}<html>
    <head>
    <title>A simple JSP application</title>
    </head>
    <body>
    <form method="get" action="tmp" >
    Name: <input type="text" name="user">
    Password: <input type="password" name="pass">
    <input type="Submit" value="Submit">
    </form>
    </body>
    </html>{code}
    LoginServlet.java:
    {code}import javax.servlet.*;
    import javax.servlet.http.*;
    public class LoginServlet extends HttpServlet{
        public void doGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException{
            try {
                String userValue=request.getParameter("user");
                String passValue=request.getParameter("pass");
                co.SimpleBean st = new co.SimpleBean();
                st.setuserName(userValue);
                st.setpassword(passValue);
                request.setAttribute("userValue",st);
                request.setAttribute("passValue",st);
                RequestDispatcher dispatcher1 =request.getRequestDispatcher("submit.jsp");
                dispatcher1.forward(request,response);
            } catch(Exception e) {
                e.printStackTrace();
            }
        }
    }{code}
    SimpleBean.java:
    {code}package co;
    import java.util.*;
    import java.io.*;
    import javax.servlet.*;
    import javax.servlet.http.*;
    import java.sql.*;
    import java.util.*;
    public class SimpleBean {
        private String userValue="";
        private String passValue="";
        private String s="";
        public String getuserName() {
            return userValue;
        }
        public void setuserName(String userValue) {
            this.userValue = userValue;
        }
        public String getpassword() {
            return passValue;
        }
        public void setpassword(String passValue) {
            this.passValue= passValue ;
        }
        public String getissueData() { // method that creates the connection to the database
            try {
                System.out.println("Printed*************************************************************");
                getuserName();
                getpassword();
                Class.forName("oracle.jdbc.driver.OracleDriver");
                System.out.println("Connection loaded");
                Connection con=DriverManager.getConnection("jdbc:oracle:thin:@VijayKumar-PC:1521:XE","SYSTEM","SYSTEM");
                System.out.println("Connection created");
                PreparedStatement st=con.prepareStatement("insert into vij values(?,?)");
                System.out.println("~~~~~~~~~~~~~~~~~~~~");
                String userName=getuserName();
                st.setString(1,userName);
                String password=getpassword();
                st.setString(2,password);
                st.executeUpdate();
                System.out.println("Query Executed");
                con.close();
                s= "Your logging is saved in DB ";
                System.out.println("Your logging is saved in DB *****************");
                return(s);
            } catch(Exception e) {
                e.printStackTrace();
                return "failed";
            }
        }
    }{code}
    submit.jsp:
    {code}This is Submit page
    <html><body>
    Hello
    Student Name: <%= ((co.SimpleBean)request.getAttribute("userValue")).getuserName() %>
    <br>
    Password: <%= ((co.SimpleBean)request.getAttribute("passValue")).getpassword() %>
    <br>
    <jsp:useBean id="st" class="co.SimpleBean" scope="request" />
    <jsp:setProperty name="st" property="userName" value="userValue/>
    <jsp:setProperty name="st" property="password" value="passValue"/>
    <jsp:getProperty name="st" property="issueData" />
    </body></html>{code}
    web.xml:
    {code}<web-app>
    <servlet>
    <servlet-name>one</servlet-name>
    <servlet-class>LoginServlet</servlet-class>
    </servlet>
    <servlet-mapping>
    <servlet-name>one</servlet-name>
    <url-pattern>/tmp</url-pattern>
    </servlet-mapping>
    <jsp-file>submit.jsp</jsp-file>
    <url-pattern>*.do</url-pattern>
    <welcome-file-list>
    <welcome-file>Login.html</welcome-file>
    </welcome-file-list>
    </web-app>{code}
    Sir, I can't use EL code in JSP because I use WebLogic 8.1 Application Server. This version does not support EL.
    Please help me... How to store the input parameter in the database through a Java Bean

  • How to forward DHCP requests through 1140N AP

    We have an 1140N AP connected to a switch and our "network partner" controls the router and will hand out DHCP and do the NAT for this WLAN.  How can I configure the AP to forward DHCP requests through?
    I have WPA2 PSK (TKIP) setup and the client is able to authenticate however we fail to get an address.  In this case the Ethernet interface was left alone so it has the default config and it gets a DHCP address fine.  How can I configure this AP to enable the rest of the WiFI clients to get an IP?

    Here is my cleaned config.  I put helpers everywhere and still can't get an IP.
    I don't have control over the switch or router that this will plug into nor the setup.  The switchport it will plug into has a VLAN designated for Guest Wireless access.  I suspect that I need to redo the config without VLAN10 involved correct?
    Current configuration : 4880 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname [removed]
    enable secret [removed]
    no aaa new-model
    dot11 syslog
    dot11 ssid [removed]
       vlan 10
       authentication open
       authentication key-management wpa version 2
       guest-mode
       wpa-psk ascii 7 [removed]
    crypto pki trustpoint TP-self-signed-1278736388
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1278736388
    revocation-check none
    rsakeypair TP-self-signed-1278736388
    crypto pki certificate chain TP-self-signed-1278736388
    certificate self-signed 01
      quit
    username [removed] privilege 15 password [removed]
    bridge irb
    interface Dot11Radio0
    no ip address
    ip helper-address 10.135.14.1
    no ip route-cache
    encryption vlan 10 mode ciphers tkip
    ssid [removed]
    antenna gain 0
    speed  basic-1.0 basic-2.0 basic-5.5 basic-11.0 basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
    station-role root
    bridge-group 1
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio0.10
    encapsulation dot1Q 10
    ip helper-address 10.135.14.1
    no ip route-cache
    bridge-group 10
    bridge-group 10 subscriber-loop-control
    bridge-group 10 block-unknown-source
    no bridge-group 10 source-learning
    no bridge-group 10 unicast-flooding
    bridge-group 10 spanning-disabled
    interface Dot11Radio1
    no ip address
    ip helper-address 10.135.14.1
    no ip route-cache
    encryption vlan 10 mode ciphers tkip
    ssid [removed]
    antenna gain 0
    dfs band 3 block
    speed  basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
    channel dfs
    station-role root
    bridge-group 1
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio1.10
    encapsulation dot1Q 10
    ip helper-address 10.135.14.1
    no ip route-cache
    bridge-group 10
    bridge-group 10 subscriber-loop-control
    bridge-group 10 block-unknown-source
    no bridge-group 10 source-learning
    no bridge-group 10 unicast-flooding
    bridge-group 10 spanning-disabled
    interface GigabitEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    no keepalive
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface GigabitEthernet0.10
    encapsulation dot1Q 10
    no ip route-cache
    bridge-group 10
    no bridge-group 10 source-learning
    bridge-group 10 spanning-disabled
    interface BVI1
    ip address dhcp client-id GigabitEthernet0
    ip helper-address 10.135.14.1
    no ip route-cache
    ip http server
    ip http authentication local
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    bridge 1 route ip
    banner motd ^C
    Access to this device is restricted to authorized users. Unauthorized access is a violation of state and federal, civil and criminal laws (e.g., NRS 205.4765). Evidence of unauthorized access will be provided to law enforcement personnel.
    ^C
    line con 0
    password [removed]
    login local
    line vty 0 4
    password [removed]
    login local
    end

  • I need to change from Japan App Store to Australia App Store. I get this every time I try using My MacID: "This Apple ID is only valid for purchases in the Japanese iTunes Store. You will be switched to that Store." What next TY. JohnCahill

    I moved from Japan to Australia. I need to change from Japan App Store to the Australian App Store. I get the following message every time I try using My MacID which was set up in Japan: "This Apple ID is only valid for purchases in the Japanese iTunes Store. You will be switched to that Store." At one point... by which path I do not remember... I was instructed to create a new ID. I fill out the new ID forms, but the address is rejected each time... quite confusing. Does it want a new name? But it says I cannot use an apple domain (tag?) even though I guess it has to be an apple address... ? So I have iTunes credit cards purchased in Australia, can't spend in Australian iTunes Store, get directed back to Japan each time, and can't open a new ID... What am I doing wrong? Thank you in advance.  John. Australia.

    You must have a separate Apple ID registered in the other store along with a valid bank-issued charge card in the other country, and a legal billing address in the other country.
    Sorry... But... You cannot use other countries itunes stores.
    You must be within the Country with a Valid Billing Address and Credit Card for that Country to use the iTunes Store of that Country..
    iTunes Store Terms of Service
    http://www.apple.com/legal/itunes/us/terms.html#SERVICE

  • Can no longer access itunes store to update apps through itunes OR on iphon

    I just updated to the 2.2 software on the iphone. Ever since, any time I try to update an application (or even check for updates) I get a message saying itunes can't connect to the store, check my network connection, etc. I get the same problem if I try to check for updates directly from the iphone or from itunes on my computer. I see many people are having problems with the itunes store. I assume that since I am having the same problem on my phone and on my computer, and since so many other people are having problems, that this is some kind of problem with Apple and not with my set up. However, I have not seen anyone else mention problems connecting from their phone the way I am.
    Other than upgrading to 2.2 there is nothing different about my system - except I did also try upgrading to the newest iTunes. The problem happened with version 8 and with whatever the current version is. I am using Vista - I never had any problem like this before.
    Any help or comments would be much appreciated.

    I am also having this problem, I can no longer search for app updates through the latest release of itunes 8.0.2 and also the latest iphone 3g update version 2.2 - this has been going on for about 15 hrs now. If I try to update through my iphone the page eventually times out or comes up with "unable to connect to itunes store". If I try through itunes itself, the window comes up with the progress bar type thing and accessing itunes store, then after a while just comes up with "iphone sync complete, Ok to disconnect" - but I'm not syncing my iphone, I'm trying to update the apps.....
    Come on Apple get your act sorted out...

  • ASA cut through proxy with RADIUS challenge response?

    Have this working for IPSEC VPN on same box (tested on 8.2.1 and 8.2.3)
    Want to do cut through proxy with challenge response - same ASA and same RADIUS server but using aaa authentication match command and this is what happens...
    It looks like the ASA sends a completely different radius authentication request than with VPN authentication request. Is there any way to specify what request is sent?
    What the RADIUS Server sees with ASA VPN auth - THIS WORKS OK (included for comparison)
    Date: 15/11/2010
    Time: 3:53:57 PM
    Type: Information
    Source: Server
    Category: RADIUS
    Code: I-006001
    Description: A RADIUS Access-Request has been received.
    AMID: 0xC8500B80B3D8F49C6CB37E5D32DA6682
    Details:
    Source Location : 10.xx.21.24
    Client Location : 10.xx.21.230:1025
    Request ID : 31
    Password Protocol : PAP
    Input Details : RADIUS Code:1, RADIUS Id:31, , User-Name:xxxx, User-Password:******, NAS-IP-Address:10.xx.21.230, NAS-Port:31, NAS-Port-Type:Virtual, vendor(9):attrib(1):0x1A2000000009011A69703A736F757263652D69703D31302E32312E352E313137, Calling-Station-Id:ip:source-ip=10.21.5.117
    Action : Process
    What the RADIUS Server sees with ASA cut thru - THIS FAILS (any help V welcome)
    Date: 17/11/2010
    Time: 2:29:31 PM
    Type: Warning
    Source: Server
    Category: RADIUS
    Code: W-006001
    Description: An invalid RADIUS packet has been received.
    AMID: 0xC19D988F83365F20151C3F6339DEC74B
    Details:
    Source Location : 10.xx.21.24:1812 (Authentication)
    Client Location : 10.xx.21.230:1025
    Reason : The sub-protocol of the received RADIUS packet cannot be determined
    Request ID : 33
    Input Details : 0x01210066055A8B6881266714BDB20380B9FE5FAC01066962333504060AC815E60506000000203D06000000051A2000000009011A69703A736F757263652D69703D31302E34302E352E3131311F1A69703A736F757263652D69703D31302E34302E352E313131
    Request Type : Access-Request
    Thanks in advance
    IB

    Hi Ian,
    sorry for the late reaction - do you still need help with this?
    The difference between the working (VPN) auth and the failing (CTP) auth seems to be that VPN is using PAP (so no challenge-response!) while the CTP is using MS-Chapv2
    So my guess is that your Radius server does not support MS-Chapv2. If that is the case then you may want to try this:
    aaa-server () host
    no mschapv2-capable
    Although this command is not really meant to be used in this scenario, so I'm not sure if it will work but I'm hoping it will make the ASA revert to PAP for all auth requests to this host.
    Note that you won't be doing challenge/response, so your passwords will be transmitted over the wire (encrypted).
    hth
    Herbert
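
    The raw Access-Request in "Input Details" of the failing log entry can be decoded to see exactly which attributes the ASA sent. The following is an added example, not code from either poster or from Cisco: a minimal RFC 2865 attribute walker whose function names are illustrative, with the MS-CHAP vendor sub-types taken from RFC 2548.

```python
import socket
import struct

# Raw Access-Request from "Input Details" in the failing log entry on this
# page (leading 0x dropped), split here at header and attribute boundaries.
FAILING_REQUEST_HEX = "".join([
    "01210066", "055A8B6881266714BDB20380B9FE5FAC",
    "010669623335", "04060AC815E6", "050600000020", "3D0600000005",
    "1A2000000009011A69703A736F757263652D69703D31302E34302E352E313131",
    "1F1A69703A736F757263652D69703D31302E34302E352E313131",
])

NAMES = {1: "User-Name", 2: "User-Password", 3: "CHAP-Password",
         4: "NAS-IP-Address", 5: "NAS-Port", 26: "Vendor-Specific",
         31: "Calling-Station-Id", 61: "NAS-Port-Type", 79: "EAP-Message"}
DIRECT = {2: "PAP", 3: "CHAP", 79: "EAP"}   # credential-bearing attributes
MS_VENDOR = 311                             # Microsoft vendor id (RFC 2548)
MSCHAP = {1: "MS-CHAP", 25: "MS-CHAPv2"}    # the *-Response sub-attributes


def tlvs(buf):
    """Return [(type, value)] from 1-byte-type / 1-byte-length TLVs."""
    out, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = buf[pos], buf[pos + 1]
        if alen < 2 or pos + alen > len(buf):
            raise ValueError(f"bad length {alen} on attribute {atype}")
        out.append((atype, bytes(buf[pos + 2:pos + alen])))
        pos += alen
    return out


def parse_radius(raw):
    """Parse the 20-byte RADIUS header and the attribute list after it."""
    if len(raw) < 20:
        raise ValueError("shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length > len(raw):
        raise ValueError("length field does not fit the datagram")
    return {"code": code, "id": ident, "length": length,
            "authenticator": bytes(raw[4:20]), "attrs": tlvs(raw[20:length])}


def vendor_attrs(value):
    """Split a Vendor-Specific value into (vendor_id, [(subtype, data)])."""
    if len(value) < 4:
        raise ValueError("Vendor-Specific value lacks a vendor id")
    return struct.unpack("!I", value[:4])[0], tlvs(value[4:])


def credential_methods(attrs):
    """Name the authentication methods whose attributes are present."""
    found = []
    for atype, value in attrs:
        if atype in DIRECT:
            found.append(DIRECT[atype])
        elif atype == 26:
            vendor, subs = vendor_attrs(value)
            if vendor == MS_VENDOR:
                found += [MSCHAP[t] for t, _ in subs if t in MSCHAP]
    return found


def render(attrs):
    """Human-readable lines for the attribute types seen in this packet."""
    lines = []
    for atype, value in attrs:
        if atype == 4:
            text = socket.inet_ntoa(value)
        elif atype in (5, 61):
            text = str(int.from_bytes(value, "big"))
        elif atype == 26:
            vendor, subs = vendor_attrs(value)
            text = f"vendor {vendor} " + ", ".join(
                f"sub-type {t}: {d.decode('latin-1')}" for t, d in subs)
        else:
            text = value.decode("latin-1")
        lines.append(f"{NAMES.get(atype, atype)}: {text}")
    return lines


if __name__ == "__main__":
    pkt = parse_radius(bytes.fromhex(FAILING_REQUEST_HEX))
    print(f"code={pkt['code']} id={pkt['id']} length={pkt['length']}")
    print("\n".join(render(pkt["attrs"])))
    print("credential attributes:", credential_methods(pkt["attrs"]) or "none")
```

    Run against the hex from the log, it lists User-Name, NAS-IP-Address, NAS-Port, NAS-Port-Type, a Cisco (vendor 9) AV-pair and Calling-Station-Id, and `credential_methods` returns an empty list: this request carries no User-Password, CHAP-Password, MS-CHAP or EAP attribute.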

  • Help: Problem with scrolling my html items and placed objects they keep cutting through my top menu

    Basically whenever I place an html item in my Muse site or an object I encounter a problem when scrolling down past that object in the preview. I have a horizontal menu bar that sits on the top of my site and whenever I scroll down the html items and objects cut through my menu. Is there any way to rectify this? - I've tried pinning objects but can't figure it out. Any help would be greatly appreciated.
    Thanks,

    So you have a pinned Menu in the Master page but it is being overlaid by the objects in the page when you scroll down? If that is the case, select the Menu in the Master, right click on it and Move To Master Foreground.
    Thanks,
    Vinayak

  • Cut-Through Proxy / Authentication Proxy on Cisco ASA using ISE as AAA Server for allocating SGTs

    Hi,
    We are trying to set up the ASA to do cut-through authentication proxy, and use ISE as RADIUS. We can successfully authenticate the user from RADIUS on the ASA, while he opens a web page, but then it displays the error: authorization denied.
    What we want:
    ISE to allocate a security group tag to the user session when he logs in; that tag would be carried within our Cisco network infrastructure to define the access policy for that user.
    Can someone please help me with a sort of step by step thing for ISE configuration to allocate SGTs/SGACL for the user session after authentication is completed.
    Thanks
    Lovleen

    Please refer to below step by step config guide for security group access policies
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_sga_pol.html

  • FAQ: BC-SSF (Secure Store & Forward)

    Version: 20060317
    Q: Where can i find more information to the BC-SSF interface ?
    A: Have a look on our ICC webpage in the SDN:
    SAP NetWeaver - Secure Store & Forward and Digital Signatures (BC-SSF) [original link is broken]
    Q: What costs are arising when we want our product to be certified ?
    A: See also our SDN page under the headline "Price List".
    Q: Is there a link/page for the already certified products for this interface ?
    A: Sure, have a look on our ICC page under the headline "Certified Solutions"
    Q: Who can we ask in case of general question ?
    A: Have a look at our general ICC forum:
    SAP Integration and Certification Center (SAP ICC)
    Of course, if you have urgent requests you can send them also directly to our local ICC's:
    ICC Walldorf in Germany: [email protected]
    ICC Palo Alto in USA: [email protected]
    ICC Bangalore in India: [email protected]
    Q: Who can we ask in case of technical questions ?
    A: This depends on the state of your certification project.
    1.) If the certification contracts have been signed then you can ask in this forum and if this does not solve your question go back to your assigned integration consultant.
    2.) When the certification contracts have not been signed then you can ask questions in this forum.
    Q: Can we just implement our own Hash algorithms or do we need to implement MD5 and SHA1 also ?
    A: Both hash algorithms are mandatory for getting certified. This means you have to implement MD5 and SHA1 for the certification.
    Q: There is a conflict between our signature algorithm and the MD5 and/or SHA1 hash algorithm in the way that they are not allowed to be used together. What can we do ?
    A: If this is the case then get in contact with your assigned integration consultant to find a way out of this situation.

    I have generated the security certificate using STRUST.
    I am calling function SSF_SIGN_BY_USER to digitally sign the document.
    But I am getting CRC = 1  in return.
    Can anybody help me to assign SSF data to the user in su01?
    I have to fill some fields by using the security certificate :
    fields are : SSF ID , SSF ID Part2 , SSF Profile
    Certificate is :
    Owner : CN=DEB, OU=I0020538104, OU=Server, O=SAP Trust Community, C=DE
    Issuer : CN=Server CA, OU=Server, O=SAP Trust Community, C=DE
    Serial Number :   6B2CA5FC7E69D658100301001819
      How to relate this.  Please help

  • ASA - cut through proxy authentication for RDP?

    I know how to set this up on a router (dynamic access-list - lock and key)... But, I'm having trouble understanding how to setup OUTSIDE to INSIDE cut through proxy authentication for RDP.
    OUTSIDE to INSIDE RDP is currently working.
    I have 2 servers I want RDP open for..
    [*]OUTSIDE 1.1.1.1 to INSIDE 10.10.70.100
    [*]OUTSIDE 1.1.1.2 to INSIDE 10.10.50.200
    What's required for OUTSIDE users to authenticate on the ASA before allowing port 3389 to open? What I was hoping for is a way to SSH into this ASA, login with a special user, then have the ASA add a dynamic ACE on the OUTSIDE interface to open 3389 for a designated time limit. Is this possible?
    Here is my current config.
    [code]
    ASA Version 8.2(5)
    hostname ASA5505
    names
    name 10.10.0.0 LANTraffic
    name 10.10.30.0 SALES
    name 10.10.40.0 FoodServices
    name 10.10.99.0 Management
    name 10.10.20.0 Office
    name 10.10.80.0 Printshop
    name 10.10.60.0 Regional
    name 10.10.70.0 Servers
    name 10.10.50.0 ShoreTel
    name 10.10.100.0 Surveillance
    name 10.10.90.0 Wireless
    interface Ethernet0/0
    description TO INTERNET
    switchport access vlan 11
    interface Ethernet0/1
    description TO INSIDE 3560X
    switchport access vlan 10
    interface Ethernet0/2
    shutdown
    interface Ethernet0/3
    shutdown
    interface Ethernet0/4
    shutdown
    interface Ethernet0/5
    shutdown
    interface Ethernet0/6
    shutdown
    interface Ethernet0/7
    shutdown
    interface Vlan1
    no nameif
    security-level 50
    no ip address
    interface Vlan10
    description Cisco 3560x
    nameif INSIDE
    security-level 100
    ip address 10.10.1.1 255.255.255.252
    interface Vlan11
    description Internet Interface
    nameif OUTSIDE
    security-level 0
    ip address 1.1.1.1 255.255.255.224
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    dns domain-lookup OUTSIDE
    dns server-group DefaultDNS
    name-server 8.8.8.8
    name-server 4.2.2.2
    domain-name test.local
    access-list RDP-INBOUND extended permit tcp any host 1.1.1.1 eq 3389
    access-list RDP-INBOUND extended permit tcp any host 1.1.1.2 eq 3389
    pager lines 24
    logging enable
    logging timestamp
    logging trap warnings
    logging device-id hostname
    logging host INSIDE 10.10.70.100
    mtu INSIDE 1500
    mtu OUTSIDE 1500
    ip verify reverse-path interface OUTSIDE
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp timeout 14400
    global (OUTSIDE) 1 interface
    nat (INSIDE) 1 LANTraffic 255.255.0.0
    static (INSIDE,OUTSIDE) tcp interface 3389 10.10.70.100 3389 netmask 255.255.255.255
    static (INSIDE,OUTSIDE) tcp 1.1.1.2 3389 10.10.50.200 3389 netmask 255.255.255.255
    access-group RDP-INBOUND in interface OUTSIDE
    route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.1 1
    route INSIDE LANTraffic 255.255.0.0 10.10.1.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    http server enable
    http Management 255.255.255.0 INSIDE
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh 10.10.70.100 255.255.255.255 INSIDE
    ssh Management 255.255.255.0 INSIDE
    ssh 0.0.0.0 0.0.0.0 OUTSIDE
    ssh timeout 5
    ssh version 2
    console timeout 0
    threat-detection basic-threat
    threat-detection scanning-threat shun
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    webvpn
    username scott password CNjeKgq88PLZXETE encrypted privilege 15
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:1e9d278ce656f22829809f4c46b04a07
    : end
    [/code]

    You're running ASA 8.2(5). In 8.4(2) Cisco added support for what they call Identity Firewall rules. That is, you can make access-list entries specific to users (or object groups containing users).
    There's an overview document on this posted here. It's a bit dated but I believe the only change is that Cisco is now preferring use of the more current Context Directory Agent (CDA) - a free VM they provide - vs. the deprecated AD agent (software service that runs on your DC).
