Traffic leaking between PVLAN Isolated ports

Hi,
Is it possible to leak traffic between ports configured as 'PVLAN isolated'?
The task is pretty simple - there is an IP segment, terminated on a cat3750 SVI, and two test servers connected to this switch on ports configured for isolated PVLAN. I'd like to be sure there is no uncontrolled communication between those servers, except permitted traffic.
Both servers can reach the SVI IP address, but can't reach each other. So far, so good, PVLAN works. What about allowing some traffic between those hosts? Any ideas if that's possible at all, and how to configure the devices?

Hi,
you could place the two servers in two different VLANs, let the Cat 3750 route between them and apply access-lists to control the desired traffic.
Have a look at
"Configuring Network Security with ACLs"
http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a0080403fec.html#
for all possibilities.
Hope this helps
Martin
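As an added illustration of Martin's suggestion (this is not configuration from the original thread), a Catalyst 3750 IOS configuration that puts the two servers into separate VLANs, routes between them on SVIs, and uses router ACLs so that only one flow crosses between them. VLAN numbers, addresses, interface names and the permitted service (server A opening TCP/443 to server B) are assumptions.

```cisco
! Assumed: Catalyst 3750 with IP routing, server A in VLAN 10 (10.0.10.10),
! server B in VLAN 20 (10.0.20.10); only server A -> server B on TCP/443 is allowed.
ip routing
!
vlan 10
 name SERVER-A
vlan 20
 name SERVER-B
!
interface GigabitEthernet1/0/1
 description Server A
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/2
 description Server B
 switchport mode access
 switchport access vlan 20
!
ip access-list extended VLAN10-IN
 remark permitted flow: server A opens TCP/443 to server B
 permit tcp host 10.0.10.10 host 10.0.20.10 eq 443
 remark nothing else between the two server subnets
 deny   ip 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255
 remark traffic to other destinations is unchanged
 permit ip any any
!
ip access-list extended VLAN20-IN
 remark only return traffic of the permitted flow (ACK or RST set)
 permit tcp host 10.0.20.10 eq 443 host 10.0.10.10 established
 remark server B may not initiate anything towards server A
 deny   ip 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255
 permit ip any any
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 ip access-group VLAN10-IN in
!
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
 ip access-group VLAN20-IN in
```

Test from each server: the TCP/443 connection from A to B succeeds, while a ping or any other port between the two servers is dropped at the SVI, which is the controlled state the question asks for.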

Similar Messages

  • Please tell me what is the difference between the snapshot isolation level of MSSQL and Oracle's isolation level

    Hi,
    In MSSQL I am using the following things.
    I have two databases D1 and D2, and I am using snapshot isolation (ALTER DATABASE MyDatabase SET ALLOW_SNAPSHOT_ISOLATION ON) in both databases.
    Following is the situation.
    1) There is one SP sp1 (it can be in any database, d1 or d2); it updates d2 from d1.
    2) d2 is used for reading by the web, except for the above SP sp1.
    3) d1 gets updates from the web in read committed isolation.
    4) Both databases will be on the same instance of MSSQL.
    Q1) I wanted to know how to implement the same thing in Oracle 11x Express Edition.
    Q2) Is there any difference between the snapshot isolation level of MSSQL and Oracle?
    Any link would be helpful.
    Yours sincerely

    >Q1) Should I set the option to OFF after the process(ts) is complete?
    No, keep it on.
    >Q2) ALLOW_SNAPSHOT_ISOLATION ON will affect other isolation levels' transactions
    No, it will not affect any other transaction isolation level.
    >Q3) Is my choice of isolation level for process(ts) correct, or can there be any other solution?
    Seems fine, although there are probably many other solutions.
    David
    David http://blogs.msdn.com/b/dbrowne/

  • How can I encrypt my data links between switch uplink ports? I'm unable to use the "cts manual" command on a C3560X switch. Please suggest.

    How can I encrypt my data uplinks between switch trunk ports? I'm unable to use the "cts manual" command on a C3560X switch. Please suggest, as I want to encrypt my switch-to-switch link with Cisco TrustSec.

    Hi,
    Login to the switch & go to the interface..
    There you can give tags.. (ISL & dot1Q)
    Command: switchport mode trunk
    switchport trunk encapsulation isl or dot1q

  • RV042 - direct browsing traffic to only one WAN port?

    Hi, I have a RV042 (firmware 1.3.13.02-tm). Is it possible to configure so traffic from a specific domain (incl. its sub-domains) is directed exclusively to one WAN port? If so, how can I do this? Thanks.

    Hi PAC, in a load balance environment it affects only outbound traffic, which would use protocol binding to force traffic through a particular WAN port, meaning it won't affect inbound traffic.
    The access rules page only supports source interface, but you may try to create an access rule that looks something like this:
    Action Allow
    Service - (Whatever service you're using)
    Source interface WAN 1
    Source IP address - Range of public IP address from the domain/sub domains
    Destination IP address - The IP address of your subnet or specific nodes
    Now, if you're using a load balance environment, you may want to bind traffic to WAN 1 that originates from the specific hosts that make the request to the domain/sub-domains, to ensure the source IP address leaving the router; otherwise it would be possible to have a different source IP going over the 2nd WAN.
    I'm not sure if it would work this way, but to the best of my knowledge this would be about the only way to make it work, since the router doesn't support telling inbound services to use a specific WAN.
    -Tom
    Please mark answered for helpful posts

  • Ether channel between fiber optic ports any difference?

    I will appreciate any help with the questions below.
    There are two Catalyst 4506 multilayer switches. Two SFP modules are installed on each switch for uplink purposes (1000BASE-SX fiber optic Gigabit Ethernet SFP modules).
    I want to connect the two switches to each other. The questions are:
    1. Can I bundle these two gigabit ports (EtherChannel) and get a two-gigabit connection between the switches?
    2. If I can do it, what happens if one of the lines fails?
    I know I can configure EtherChannel between copper Fast Ethernet ports, but I am not sure if I can benefit from the same feature for 1000BASE-SX fiber optic ports.
    Thank you very much for helping :)

    Hi Friend,
    You can run the command "sh port capabilities" and that will show whether the ports are capable of EtherChannel or not.
    Also, AFAIK SFP ports are just the physical medium, so it does not make a difference; they should be capable of EtherChannel.
    Also, if one port of the channel goes down, traffic will start traversing through the other port, so it will take care of redundancy. It will behave like any other EtherChannel which you configure with copper ports.
    HTH, if yes please rate the post.
    Ankur

  • Can't get traffic flowing between VLANs on an ASA 5505

    I've got an ASA 5505 with the Security Plus license that I'm trying to configure.
    So far I have set up NATing on two VLANs, one called 16jda (VLAN 16 - 10.16.2.0/24) and one called 16jdc (VLAN 11 - 10.105.11.0/24).
    From each subnet I am able to connect to the internet, but I need these subnets to also be able to talk to each other.
    I have each VLAN interface at security level 100 and enabled "same-security-traffic permit inter-interface", and I have set up static NAT mappings between the two subnets, but they still can't communicate.
    When I try to ping there is no reply, and the only log message is:
    6     Aug 21 2012     09:00:54     302020     10.16.2.10     23336     10.105.11.6     0     Built inbound ICMP connection for faddr 10.16.2.10/23336 gaddr 10.105.11.6/0 laddr 10.105.11.6/0
    I have attached a copy of the router config.

    Hi Bro
    I know your problem and I know exactly how to solve it too. You could refer to https://supportforums.cisco.com/message/3714412#3714412 for further details.
    Moving forward, this is what you’re gonna paste in your FW. This should work like a charm.
    access-list from-inside permit ip 10.105.1.0 255.255.255.0 10.105.11.0 255.255.255.0
    access-list from-inside permit ip 10.105.1.0 255.255.255.0 10.16.2.0 255.255.255.0
    access-list from-16jda permit ip 10.16.2.0 255.255.255.0 10.105.1.0 255.255.255.0
    access-list from-16jda permit ip 10.16.2.0 255.255.255.0 10.105.11.0 255.255.255.0
    access-list from-16jdc permit ip 10.105.11.0 255.255.255.0 10.105.1.0 255.255.255.0
    access-list from-16jdc permit ip 10.105.11.0 255.255.255.0 10.16.2.0 255.255.255.0
    nat (inside) 0 access-list from-inside
    nat (16jdc) 0 access-list from-16jdc
    nat (16jda) 0 access-list from-16jda
    clear xlate
    nat (inside) 1 10.105.1.0 255.255.255.0 <-- You forgot this!!
    Basically, when inside wants to communicate with the other interfaces bearing security-level 100, e.g. 16jda or 16jdc, or vice-versa, you’ll need to enable “NAT Exemption”, i.e. nat (nameif) 0. I know you have already enabled the same-security permit inter-interface command, but this command becomes useless once you’ve enabled dynamic NAT on one of those interfaces. It’s as if the same-security traffic command wasn't even entered in the first place. Hence, the Cisco ASA is behaving as expected as per Cisco's documentation. For further details on this, you could refer to the URLs below:
    https://supportforums.cisco.com/thread/223898
    http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1042530

  • Pvlan (promiscuous port) not permitted on etherchannel

    This is probably an often-asked question: I've read in the 7K v5.0(2) NX-OS docs, the 6500 12.2SXF/SXH IOS docs and the 5K docs that the pvlan feature cannot co-exist with etherchanneling on the same uplink. This would assumedly include promiscuous trunk ports.
    This seems so counter-productive and self-defeating.  Especially where the 7K vPC feature is cfg'd requiring LACP etherchannels from the single switch into both 7Ks.
    What am I missing here?  Is there a work-around short of new dedicated links?  The cost of the 10G optics for that approach is prohibitive.  Is it possibly on the road-map for some future upgrades?
    Maybe I could configure an unconditional port-channel with no protocol, no negotiation?  I'm waiting on the vDC licensing to let me direct-connect the lab 5Ks.
    Thank you,
    Ken Johnson

    Required info:
     system image file is:    bootflash:///n5000-uk9.6.0.2.N2.2.bin
     system compile time:     10/4/2013 12:00:00 [10/04/2013 22:23:49]
    interface port-channel4001
      description SERVER1
      switchport mode trunk
      switchport access vlan 201
      switchport trunk native vlan 201
      storm-control broadcast level 1.00
      storm-control multicast level 1.00
      storm-control unicast level 1.00
      vpc 4001
    interface Ethernet107/1/47
      description SRV1
      no lldp transmit
      no cdp enable
      switchport mode trunk
      switchport access vlan 201
      switchport trunk native vlan 201
      storm-control broadcast level 1.00
      storm-control multicast level 1.00
      storm-control unicast level 1.00
      channel-group 4001 mode active
      no shutdown

  • Traffic prioritisation on trunked switch port

    Good afternoon all. I am looking into traffic policing and shaping and neither seems to do what I need to do. Basically, on a trunked switch port, I would like to prioritise traffic coming into the port by its VLAN tag. The trunk connects to an ESX host.
    The above options seem to be more about prioritising certain traffic for passing on to downstream devices. Can anyone shed any light on whether this is possible please? I am thinking it would need to be done on the ESX host at the moment...
    Thanks!

    Hi Colhignett,
    Hope the below link might help your query.
    http://www.cisco.com/c/en/us/td/docs/ios/12_2sb/feature/guide/vlntgqos.html#wp1049430
    Regards
    Karthik

  • 'Only' NAT'd Traffic Allowed Between ASA Interfaces

    I've just set up (2) ASAs. In doing so, I've run into the same problem on each one (i.e., I must configure NAT on each interface for the traffic to flow between them).
    According to the literature and videos I've been through, I should not have to perform NAT for the traffic to move between the different interfaces.
    Questions:
    What have I done wrong?
    What do I need to do to have this run as I expected it would (*without NAT)? While it appears harmless to have it setup this way, it just doesn't look 'clean' to me.
    Notes about my configurations:
    Same security level traffic is permitted
    All interfaces have their security levels set to 100
    I've reset the ACLs to allow all traffic as well (*this is a lab)
    All tcp-udp traffic is inspected by default on ASAs
    Many thanks.
    Fred

    NAT-Control: N/A, deprecated.
    Without Nat-Control: As I mentioned previously, I must use NAT, or the traffic will not flow between interfaces. This is my problem. It doesn't make sense that I should need to use NAT for traffic to flow between the different interfaces.
    Notes about my configurations:
    Same security level traffic is permitted
    All interfaces have their security levels set to 100
    I've reset the ACLs to allow all traffic as well (*this is a lab)
    All tcp-udp traffic is inspected by default on ASAs
    Questions:
    What have I done wrong?
    What do I need to do to have this run as I expected it would (*without NAT)? While it appears harmless to have it setup this way, it just doesn't look 'clean' to me.

  • Difference between the J2EE port, Web Dispatcher port and ICM port

    Hi All,
    Can someone please explain the difference between the web dispatcher port and the J2EE port? I am able to understand the difference between the web dispatcher port and the ICM port. What I understood is that all the requests will be passed to ICM through the web dispatcher, but what does the J2EE port refer to?
    Thanks & Regards
    Rajesh Meda

    Hi Rajesh,
    The Web Dispatcher and ICM serve as services to reach the ABAP and Java stack respectively. ICM is thread oriented.
    Any communication flows through Web Dispatcher ---> ICM ---> ABAP/Java Stack.
    Every instance has an ICM process in it. The Web Dispatcher is mainly used for load balancing and to be placed in the DMZ zone for more protection of the communication channel. All the communication happens via port . Each of the services can be reached by independent ports or via Web Dispatcher > ICM > J2EE.
    Like the direct port for J2EE, we also have a direct port for the ABAP message server.
    Hope this clarifies. Kindly let me know in case of further queries.

  • Difference between protect/restrict port security violation action?

    Hi all,
    I've read the documentation, but found the explanations a bit vague. Could someone please explain the difference between these two?
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/12_1e/comref/s1.htm#wp1184020
    Thanks.

    The only difference is that security violation counters are incremented in restrict mode, while they are not incremented in protect mode.
    So each time a violation occurs and you do a show port-security on that port:
    Switch# show port-security interface fastethernet0/1
    Port Security: Enabled
    Port status: SecureUp
    Violation mode: Shutdown
    Maximum MAC Addresses :50
    Total MAC Addresses: 11
    Configured MAC Addresses: 0
    Sticky MAC Addresses :11
    Aging time: 20 mins
    Aging type: Inactivity
    SecureStatic address aging: Enabled
    Security Violation count: 0
    The counter above (Security Violation count) will be incremented when restrict is configured, and will not increment if protect is configured.
    Either way, the packets from the insecure hosts will be dropped if a violation occurs.
    HTH
    Sankar.

  • E1 (ISDN) Failover between 2 E1 ports in same router

    I have two Asterisk based VoIP servers and each has an E1 card installed. 
    One is a primary and the other a secondary (standby).
    I am in the UK and have 1 ISDN E1 line from BT giving us our incoming/outgoing calls. At the moment this is hard wired to our primary; however, if there is a failure with the primary it's a manual shift to the secondary. I would like to automate this.
    I have been looking at dedicated E1 failover units, but these are either very hard to come by or horrendously expensive.
    I've therefore just had a thought but would like some clarification from the Cisco forum as to whether this would work or not.
    I have a Cisco 2901 with 2 WIC cards giving 4 E1 ports.  Is it possible to configure this to act as an E1 failover?
    I'm not wanting to convert anything to IP, I want it all done with E1, so for example:
    BT Line in goes to WIC port 1
    WIC port 2 has primary
    WIC port 3 has secondary
    Primary and Secondary can both make outgoing calls via the BT line; however, only port 2 receives incoming calls from BT. If there is a loss of service on the primary, all incoming calls from BT then route automatically to WIC port 3.
    It all sounds plausible to me, but as I said I don't want to do any conversion to IP, as there is sensitive modem traffic and I would like to minimise this as much as possible.
    Any advice would be greatly appreciated
    Thanks

    Hello,
    What you describe is pretty simple to configure from a Cisco point of view.
    To do this you would configure two dial peers, each of which points to the same destination number but with different preferences and destination ports. A basic sample configuration is shown below:
    dial-peer voice 2 pots
     destination-pattern 1...
     preference 1
     port 2
    dial-peer voice 3 pots
     destination-pattern 1...
     preference 2
     port 3
    In the sample config each dial peer points to the destination pattern 1...
    The dots are wild cards so the number range would be 1000 to 1999.
    Dial peer 2 has the better preference and so will be used if available and will send calls out of port 2.
    Dial peer 3 has the worse preference and so will only be used if dial peer 2 is fully utilized and another call arrives (this is not possible in your setup) or if the port used by dial peer 2 is down. 
    In a real config the port numbers would likely be different and some extra commands would be needed but hopefully this would give you the basics of how this would work.
    In this setup the Cisco router itself becomes a single point of failure so I am not sure that it improves things much over just having a single Asterisk server.
    I am wondering whether it would be possible to wire both Asterisk servers to the BT PRI circuit and have the interface on the second server shut down.
    The second server could then somehow monitor the first server and, if it went down, it could bring its own ISDN card up. You could do this with Cisco routers using Embedded Event Manager, and I am sure you could do something similar with Linux scripting.
    Hope this helps and let us know how you finally solve this issue.
    James

  • Line Protocol flapping between 2 routed ports over a 1Gb circuit

    Hi,
    We currently have a 1Gb circuit between 2 sites that is presented to us as copper ethernet on both ends. 
    One end is a Cisco 4948, the other a 3750E.
    Our switches connect into the ISP NTE devices.
    Both our switch ports are routed ports on a P2P subnet.
    The A-end (3750E) of the circuit is showing up/up.
    But at the B-end (4948) the interface flaps constantly (up, then drops after 3 seconds). The time until the interface shows up again varies between 4-10 seconds.
    Throughout the flaps there is not a time when we can ping between both switches.
    The B-end switch has been replaced, and the cable between the B-end switch and the B-end NTE has been tested fully.
    The configuration on the interfaces is fairly standard:
    - ip address
    - speed auto
    - duplex auto
    (I've tried all combinations of speed/duplex settings at both ends)
    The ISP attended the B-end NTE and reported a loss of signal from our B-end Switch. They report that a test from the B-end NTE to the A-end is successful.
    What further steps could be taken to troubleshoot this?
    No configuration changes were made at the time of the issue.
    Is this firmly an ISP issue to investigate?
    Any suggestions welcome.
    Thanks,
    Kyle

    Hello,
    I am surprised the ISP didn't investigate both ends of this circuit!
    - Have you checked physically on the NTE device for errors (rx/tx link LEDs etc.)?
    - Powered the NTE down and changed the cabling at BOTH ends?
    - Used a different port?
    - Performed a TDR?
    - Get the ISP to attend site A.
    Regards,
    Paul

  • Difference between HTTP Server port and HTTP Server listen port

    Hi,
    What's the difference between the following?
    Oracle HTTP Server port = 7780
    Oracle HTTP Server listen port = 7781
    They are the ports used in my 9ias 9.0.3 instance.
    Please advise.
    Thank you.

    Hi,
    The server port, 7780, is the port where the HTTP server responds, and listen ports are other ports that the HTTP Server can listen on. In iAS, in the default configuration, the server port is the response port for Web Cache, and Web Cache connects with the HTTP Server on the listen port.
    Marcio Mesti

  • Load distribution not so even for multicast traffic (ECMP) between a GSR 12410 (XR) and a CRS-1 router

    Hi,
    I have a scenario in which I see that the multicast S,G streams are distributed not so evenly across the 3 interfaces between a GSR 12404 (XR 3.8.4) and a CRS-1 (XR 3.6.2). The multicast mode is SSM.
    The total number of S,G (sources and multicast groups) is 82.
    The topology is as follows:
                                                   ---link 1--------
     Multicast sources ----- CRS1 ---link 2-------- GSR12404------- Receivers
                                                    ---link 3--------
    From the total of 82 S,G coming from the multicast sources, I see the following S,G distribution across the three links:
    Link 1: 37 S,G
    Link 2: 21 S,G
    Link 3: 24 S,G
    The big question is why link 1 has a very different number of S,G compared to link 2 and link 3?
    Multipath is enabled on both links. I copy the multicast configuration of the CRS and GSR, which is the same:
    multicast-routing
     address-family ipv4
      interface GigabitEthernet0/2/0/0
       enable
      interface GigabitEthernet0/2/1/1
       enable
      interface GigabitEthernet0/2/1/2
       enable
      nsf
      multipath
      ssm range SSM
    Thanks,
    Carlos.

    Hi Agherardi,
    Did you try to disable your firewall and refer to the following KB to confirm you have chosen the correct Affinity and Load-Balancing Behavior of the Custom Port Rule?
    Specifying the Affinity and Load-Balancing Behavior of the Custom Port Rule
    https://technet.microsoft.com/en-us/library/cc759039(v=ws.10).aspx
    More information:
    Using NLB
    https://technet.microsoft.com/en-us/library/bb687542.aspx
    I’m glad to be of help to you!
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]
