Traffic on interfaces trunk - Network Infrastructure

I wanted to know if it is normal that all traffic on my network goes through all trunk ports of the switches.
I set up a sniffer and a switch connected without any other connection, trunk only, to validate, and the sniffer sees that it is getting all network traffic through the trunk.
What can be causing this behavior, and what considerations should be taken apart from filtering VLANs?
Regards.

Now I might have misunderstood your concern but I'll give it a shot:
Trunks carry traffic for multiple VLANs, and with no filtering in place they carry traffic for all VLANs configured. Normally you will see broadcasts, e.g. DHCP or ARP requests, going through all the trunk ports on a switch (that are not STP Blocking). This is normal behaviour.
However, if your sniffer is picking up a lot of packets that are meant for unicast destinations going out all trunk ports and also being captured by your sniffer over some time, then it could be something else. CAM overflows result in the switch flooding packets out all ports that are in the same VLAN and out all trunk ports on which the VLAN is allowed. This would result in the behaviour you observed. You can use the show mac address-table count command to verify MAC address space.
Hope this helps
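
The distinction drawn in the reply above, as an added example that is not part of the original thread: it classifies frames captured on a trunk per VLAN into broadcast, multicast and unicast addressed to other hosts, and flags VLANs where the last kind dominates. The frames, MAC addresses, threshold values and function names are constructed for illustration.

```python
import struct
from collections import Counter, defaultdict

BROADCAST = b"\xff" * 6
TPID_DOT1Q = 0x8100  # EtherType value that marks an 802.1Q tag


def mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    raw = bytes.fromhex(text.replace(":", ""))
    if len(raw) != 6:
        raise ValueError("not a MAC address: %r" % text)
    return raw


def build_frame(dst, src, vlan=None, ethertype=0x0800, payload=b"\x00" * 46):
    """Build a constructed Ethernet frame, 802.1Q-tagged when vlan is given."""
    header = mac(dst) + mac(src)
    if vlan is not None:
        header += struct.pack("!HH", TPID_DOT1Q, vlan & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


def classify(frame, sniffer_mac):
    """Return (vlan, kind); vlan is None for untagged (native VLAN) frames."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst = frame[0:6]
    vlan = None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_DOT1Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[14:16])
        vlan = tci & 0x0FFF  # low 12 bits of the TCI carry the VLAN ID
    if dst == BROADCAST:
        kind = "broadcast"            # ARP, DHCP: expected on every trunk
    elif dst[0] & 0x01:               # I/G bit set: group (multicast) address
        kind = "multicast"
    elif dst == sniffer_mac:
        kind = "unicast_to_sniffer"
    else:
        kind = "flooded_unicast"      # unicast for another host reached us
    return vlan, kind


def summarise(frames, sniffer_mac):
    """Count frame kinds per VLAN."""
    per_vlan = defaultdict(Counter)
    for frame in frames:
        vlan, kind = classify(frame, sniffer_mac)
        per_vlan[vlan][kind] += 1
    return per_vlan


def vlans_with_flooding(per_vlan, threshold=0.5, min_frames=5):
    """Return {vlan: share} where unicast for other hosts dominates.

    Short bursts of unknown-unicast flooding are normal after MAC aging or
    a topology change; a sustained high share over a long capture is what
    points at a full or unstable MAC address table. The threshold and the
    minimum sample size are assumptions to tune per network.
    """
    flagged = {}
    for vlan, counts in per_vlan.items():
        total = sum(counts.values())
        if total < min_frames:
            continue
        share = counts["flooded_unicast"] / total
        if share >= threshold:
            flagged[vlan] = share
    return flagged


# Constructed sample capture (locally administered MAC addresses).
SNIFFER = "02:00:00:00:00:99"
SAMPLE_FRAMES = (
    # VLAN 10: broadcasts, one multicast, one frame for the sniffer itself.
    [build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:10:01", 10, 0x0806)] * 4
    + [build_frame("01:00:5e:00:00:fb", "02:00:00:00:10:02", 10)]
    + [build_frame(SNIFFER, "02:00:00:00:10:01", 10)]
    # VLAN 20: mostly unicast between two other hosts, seen by the sniffer.
    + [build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:20:01", 20, 0x0806)] * 2
    + [build_frame("02:00:00:00:20:02", "02:00:00:00:20:01", 20)] * 6
)


def run_demo():
    """Summarise the constructed capture and return the flagged VLANs."""
    return vlans_with_flooding(summarise(SAMPLE_FRAMES, mac(SNIFFER)))


if __name__ == "__main__":
    for vlan, share in run_demo().items():
        print("VLAN %s: %.0f%% of frames are unicast for other hosts" % (vlan, share * 100))
```
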

Similar Messages

  • UBLR doesn't work in an interfaces trunk?

    I'm configuring an aggregate policer on a Sup720-3B. I need to configure the aggregate policer on a trunk interface. It's required to limit the bandwidth for VLAN to L2 through a trunk interface, between two Catalysts. But it doesn't work. The configuration that I am using is:
    S6509#run int giga 3/2
    Building configuration...
    Current configuration : 167 bytes
    interface GigabitEthernet3/2
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    no ip address
    service-policy input LIMIT
    end
    S6509#
    S6509#show ip access-lists TRAFFIC
    Extended IP access list TRAFFIC
    10 permit ip any any
    S6509#
    S6509#show class-map Daniel
    Class Map match-all Daniel (id 1)
    Match access-group name TRAFFIC
    S6509#
    S6509#
    S6509#show policy
    S6509#show policy-map
    Policy Map LIMIT
    Class Daniel
    police flow mask src-only 2000000 200000 conform-action transmit exceed-action drop
    S6509#
    S6509#
    hostname S6509
    boot system flash disk1:s72033-advipservicesk9_wan-mz.122-18.SXF14.bin
    logging buffered 32768 debugging
    logging rate-limit all 1000
    enable secret 5 $1$Oewp$4FbojEBx0Nn.sXO1ZzhIj/
    class-map match-all Daniel
    match access-group name TRAFFIC
    policy-map LIMIT
    class Daniel
    police flow mask src-only 2000000 200000 conform-action transmit exceed-action drop
    S6509#show mls qos
    QoS is enabled globally
    Policy marking depends on port_trust
    QoS ip packet dscp rewrite enabled globally
    Input mode for GRE Tunnel is Pipe mode
    Input mode for MPLS is Pipe mode
    QoS Trust state is DSCP on the following interface
    Gi3/4
    Vlan or Portchannel(Multi-Earl) policies supported: Yes
    Egress policies supported: Yes
    ----- Module [5] -----
    QoS global counters:
    Total packets: 233
    IP shortcut packets: 0
    Packets dropped by policing: 0
    IP packets with TOS changed by policing: 0
    IP packets with COS changed by policing: 0
    Non-IP packets with COS changed by policing: 0
    MPLS packets with EXP changed by policing: 0
    S6509#
    S6509#
    S6509#show policy-map interface gigabitEthernet 3/2
    GigabitEthernet3/2
    Service-policy input: LIMIT
    Class-map: Daniel (match-all)
    0 packets, 0 bytes
    5 minute offered rate 0 bps, drop rate 0 bps
    Match: access-group name TRAFFIC
    Class-map: class-default (match-any)
    0 packets, 0 bytes
    5 minute offered rate 0 bps, drop rate 0 bps
    Match: any
    S6509#

    Contact the wireless carrier to which the iPhone is locked and
    ask that carrier if they provide unlocking and if you qualify.
    What is the exact wording of any error message you receive?

  • 'show interface trunk' output

    My question is..
    interface Gi0/1 on access switch (Switch A) configured as trunk port allowing multiple vlans (say vlan 100-105)
    Now, this interface Gi0/1 on switch A has no issues and configured fine.
    Another switch B connected to Switch A and working fine.  both sw A & sw B up and working fine
    But,  switch B is now say disconnected from Switch A  which causes the interface Gi0/1 on SW A go down.
    when I do a "show interface trunk" on Switch A, will the output show trunked vlans 100-105  or the output will not show  the trunked vlans as the interface on Switch A is down  because the Switch B is disconnected???
    Basically, all I want to know is   when an interface configured for trunking multiple vlans go down   will the "show interface trunk"  command list those vlans 100-105 in the output  ???
    Thanks for  looking into my q

    When the link is down, you will get a "blank" output to the command "sh interface trunk".

  • How much VLAN traffic on .1Q trunk

    Hi guys, we have two 6509 connecting to each other with eight L2 links which are .1q trunks. There are VLAN interfaces on both 6509 for vlan10 and vlan20. My question is how to find out how much vlan10 and vlan20 traffic going through on link1? I know we can get the stat on vlan interface, but are there any other ways to check it out on trunk interface?
    6509 - eight .1Q trunks - 6509
    Thanks. Leo

    Hi rapper36,
    From:
    http://blogs.catapultsystems.com/cfuller/archive/2012/06/22/opsmgr-2012-resource-requirements-and-usage-recommendations-for-agent-and-agentless-monitoring-scom.aspx
    OpsMgr 2012 Agentless Monitoring resource requirements:
    Processor: < 1% average increase in processor utilization
    Disk: < 1 average increase in pages per second
    Disk: < 1 MB data (as there is no %programfiles%\System Center Operations Manager folder created)
    Network: < 1 MB data sent and received to the system during installation
    Memory: 14 MB less available memory
    Time to Deploy to Monitored state: 2.5 minutes
    After the agent was appearing as monitored the performance counters gathered prior to the installation were compared to those gathered after installation. The results indicate additional overhead associated with the Operations Manager 2012 agentless monitoring
    after the agent was appearing as monitored.
    Processor:  < 1% average increase in processor utilization
    Disk: < 1 average increase in pages per second
    Disk: < 10 MB
    Network:  < 1 MB/min additional traffic
    Memory:  < 1  MB less available memory
    Natalya
    ### If my post helped you, please take a moment to Vote as Helpful and\or Mark as an Answer

  • Having issues on ASA 5510 pass traffic between interfaces

    I am trying to pass traffic between two internal interfaces but am unable to.  Been searching quite a bit and have tried several things to no avail. I feel like there is a simple solution here I am just not seeing. Here is the relevant portion of my config:
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.5.1 255.255.255.0
    interface Ethernet0/2
    nameif ct-users
    security-level 100
    ip address 10.12.0.1 255.255.0.0
    same-security-traffic permit inter-interface
    access-list inside_nat0_outbound extended permit ip any 192.168.5.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any 10.12.0.0 255.255.0.0
    access-list inside_access_in extended permit ip any any
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (ct-users) 0 access-list inside_nat0_outbound
    nat (ct-users) 1 0.0.0.0 0.0.0.0
    static (inside,ct-users) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
    static (ct-users,inside) 10.12.0.0 10.12.0.0 netmask 255.255.0.0
    access-group outside_access_in in interface outside
    access-group outside_access_ipv6_in in interface outside
    access-group inside_access_in in interface inside
    access-group inside_access_ipv6_in in interface inside
    access-group inside_access_in in interface ct-users
    access-group inside_access_ipv6_in in interface ct-users
    On both networks I am able to access the internet, just not traffic between each other.
    A packet-tracer reveals the following (it's hitting some weird rules on the way):
    cybertron# packet-tracer input inside tcp 192.168.5.2 ssh 10.12.0.2 ssh detailed
    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
    in id=0xab827020, priority=1, domain=permit, deny=false
    hits=8628156090, user_data=0x0, cs_id=0x0, l3_type=0x8
    src mac=0000.0000.0000, mask=0000.0000.0000
    dst mac=0000.0000.0000, mask=0100.0000.0000
    Phase: 2
    Type: UN-NAT
    Subtype: static
    Result: ALLOW
    Config:
    static (ct-users,inside) 10.12.0.0 10.12.0.0 netmask 255.255.0.0
    match ip ct-users 10.12.0.0 255.255.0.0 inside any
    static translation to 10.12.0.0
    translate_hits = 0, untranslate_hits = 6
    Additional Information:
    NAT divert to egress interface ct-users
    Untranslate 10.12.0.0/0 to 10.12.0.0/0 using netmask 255.255.0.0
    Phase: 3
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group inside_access_in in interface inside
    access-list inside_access_in extended permit ip any any
    Additional Information:
    Forward Flow based lookup yields rule:
    in id=0xad5bec88, priority=12, domain=permit, deny=false
    hits=173081, user_data=0xa8a76ac0, cs_id=0x0, flags=0x0, protocol=0
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in id=0xab829758, priority=0, domain=inspect-ip-options, deny=true
    hits=146139764, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    Phase: 5
    Type: NAT-EXEMPT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in id=0xad48c860, priority=6, domain=nat-exempt-reverse, deny=false
    hits=2, user_data=0xad4b5e98, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
    src ip=192.168.5.0, mask=255.255.255.0, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    Phase: 6
    Type: NAT-EXEMPT
    Subtype:
    Result: ALLOW
    Config:
    match ip inside any ct-users 10.12.0.0 255.255.0.0
    NAT exempt
    translate_hits = 2, untranslate_hits = 2
    Additional Information:
    Forward Flow based lookup yields rule:
    in id=0xad3b1f70, priority=6, domain=nat-exempt, deny=false
    hits=2, user_data=0xad62b7a8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=10.12.0.0, mask=255.255.0.0, port=0, dscp=0x0
    Phase: 7
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    static (inside,ct-users) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
    match ip inside 192.168.5.0 255.255.255.0 ct-users any
    static translation to 192.168.5.0
    translate_hits = 1, untranslate_hits = 15
    Additional Information:
    Forward Flow based lookup yields rule:
    in id=0xadf7a778, priority=5, domain=nat, deny=false
    hits=6, user_data=0xad80cfd0, cs_id=0x0, flags=0x0, protocol=0
    src ip=192.168.5.0, mask=255.255.255.0, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    Phase: 8
    Type: NAT
    Subtype: host-limits
    Result: ALLOW
    Config:
    static (inside,outside) udp 184.73.2.1 1514 192.168.5.2 1514 netmask 255.255.255.255
    match udp inside host 192.168.5.2 eq 1514 outside any
    static translation to 184.73.2.1/1514
    translate_hits = 0, untranslate_hits = 0
    Additional Information:
    Forward Flow based lookup yields rule:
    in id=0xab8e2928, priority=5, domain=host, deny=false
    hits=9276881, user_data=0xab8e1d20, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip=192.168.5.2, mask=255.255.255.255, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    Phase: 9
    Type: NAT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    static (ct-users,inside) 10.12.0.0 10.12.0.0 netmask 255.255.0.0
    match ip ct-users 10.12.0.0 255.255.0.0 inside any
    static translation to 10.12.0.0
    translate_hits = 0, untranslate_hits = 6
    Additional Information:
    Forward Flow based lookup yields rule:
    out id=0xad158dc0, priority=5, domain=nat-reverse, deny=false
    hits=6, user_data=0xac0fb6b8, cs_id=0x0, flags=0x0, protocol=0
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=10.12.0.0, mask=255.255.0.0, port=0, dscp=0x0
    Phase: 10
    Type: NAT
    Subtype: host-limits
    Result: ALLOW
    Config:
    static (ct-users,inside) 10.12.0.0 10.12.0.0 netmask 255.255.0.0
    match ip ct-users 10.12.0.0 255.255.0.0 inside any
    static translation to 10.12.0.0
    translate_hits = 0, untranslate_hits = 6
    Additional Information:
    Reverse Flow based lookup yields rule:
    in id=0xada0cd38, priority=5, domain=host, deny=false
    hits=131, user_data=0xac0fb6b8, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip=10.12.0.0, mask=255.255.0.0, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    Phase: 11
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Reverse Flow based lookup yields rule:
    in id=0xad5c1ab0, priority=0, domain=inspect-ip-options, deny=true
    hits=130, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    Phase: 12
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 189385494, packet dispatched to next module
    Module information for forward flow ...
    snp_fp_tracer_drop
    snp_fp_inspect_ip_options
    snp_fp_tcp_normalizer
    snp_fp_translate
    snp_fp_adjacency
    snp_fp_fragment
    snp_ifc_stat
    Module information for reverse flow ...
    snp_fp_tracer_drop
    snp_fp_inspect_ip_options
    snp_fp_translate
    snp_fp_tcp_normalizer
    snp_fp_adjacency
    snp_fp_fragment
    snp_ifc_stat
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: ct-users
    output-status: up
    output-line-status: up
    Action: allow

    how are you testing? if you are pinging between the subnets, make sure you have disabled windows firewall and/or any other firewall that is installed on the PCs (remember to re-enable it later).
    Are the NAT commands there because you were trying different things to get this working?  I suggest you use the command no nat-control instead.  Depending on the version of ASA you are running it may already be disabled by default.  In version 8.4 and later nat-control has been removed completely.
    Please remember to select a correct answer and rate helpful posts

  • Cisco 2950 Gigabit interface trunking

    This is the small part of the network design that I want to seek advice on from the forum.
    ++ We have two Cisco 2950 switches
    switch1 ==gigabit trunk == switch2 .
    We want to enable trunking between these two switches by using their Gigabit Ethernet interfaces, i.e.
    switch 1 interface GigabitEthernet0/1 is connected to switch 2 interface GigabitEthernet0/1 and switch 1 interface GigabitEthernet0/2 is connected to switch 2 interface GigabitEthernet0/2.
    I need advice in the following areas
    ++ what cable do we need to connect these switches (I guess a crossover cable will do)
    ++ do we have a configuration on the tech tip page for achieving the same?

    Hello,
    for the trunk connection you need a four twisted-pair crossover cable:
    Figure B-11 Four Twisted-Pair Crossover Cable Schematics for 10/100/1000 and 1000BASE-T Ports
    http://www.cisco.com/en/US/partner/products/hw/switches/ps628/products_installation_guide_chapter09186a0080346679.html#wp1020386
    You can configure either 802.1Q or ISL trunks between your switches. For 802.1Q the configuration would look like this:
    Switch1
    interface GigabitEthernet0/1
    switchport trunk encapsulation dot1q
    switchport mode trunk
    interface GigabitEthernet0/2
    switchport trunk encapsulation dot1q
    switchport mode trunk
    Switch2
    interface GigabitEthernet0/1
    switchport trunk encapsulation dot1q
    switchport mode trunk
    interface GigabitEthernet0/2
    switchport trunk encapsulation dot1q
    switchport mode trunk
    And for ISL encapsulation, the configuration would look like this:
    Switch1
    interface GigabitEthernet0/1
    switchport trunk encapsulation isl
    switchport mode trunk
    interface GigabitEthernet0/2
    switchport trunk encapsulation isl
    switchport mode trunk
    Switch2
    interface GigabitEthernet0/1
    switchport trunk encapsulation isl
    switchport mode trunk
    interface GigabitEthernet0/2
    switchport trunk encapsulation isl
    switchport mode trunk
    You could also configure a GigaChannel to bind both interfaces into one logical link, for better throughput. For 802.1Q:
    Switch1
    interface Port-channel1
    switchport trunk encapsulation dot1q
    switchport mode trunk
    interface GigabitEthernet0/1
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 1 mode on
    interface GigabitEthernet0/2
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 1 mode on
    Switch2
    interface Port-channel1
    switchport trunk encapsulation dot1q
    switchport mode trunk
    interface GigabitEthernet0/1
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 1 mode on
    interface GigabitEthernet0/2
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 1 mode on
    And for ISL:
    Switch1
    interface Port-channel1
    switchport trunk encapsulation isl
    switchport mode trunk
    interface GigabitEthernet0/1
    switchport trunk encapsulation isl
    switchport mode trunk
    channel-group 1 mode on
    interface GigabitEthernet0/2
    switchport trunk encapsulation isl
    switchport mode trunk
    channel-group 1 mode on
    Switch2
    interface Port-channel1
    switchport trunk encapsulation isl
    switchport mode trunk
    interface GigabitEthernet0/1
    switchport trunk encapsulation isl
    switchport mode trunk
    channel-group 1 mode on
    interface GigabitEthernet0/2
    switchport trunk encapsulation isl
    switchport mode trunk
    channel-group 1 mode on
    HTH,
    GP

  • ISCSI & Server LAN Traffic in Same Trunk Port

    Hi,
    I plan to use a Cisco UCS Rack mountable C200 server with a dual port PCIe card with TOE iSCSI. Is it acceptable to:
    To use just one dual port PCIe card for both iSCSI storage traffic and server LAN traffic - separated by VLANs? - With the ports connected to two upstream switches (for redundancy) and the switch ports configured as trunks for both iSCSI & data VLANs??
    To use 1GE TOE iSCSI ports instead of 10GE TOE iSCSI ports
    To use a TOE iSCSI port for server data VLAN traffic??

    Yes, doable. Also, you can mark iSCSI with CoS 2 and 9000 MTU with a certain bandwidth guarantee for your iSCSI traffic, and the rest stays in the default queue.
    class-map type qos iSCSI-qos-class
         match cos 2
    policy-map type qos iSCSI-qos-policy
         class iSCSI-qos-class
              set qos-group 2
         class class-default
              set qos-group 0
    class-map type queuing iSCSI-queuing-class
         match qos-group 2
    policy-map type queuing iSCSI-queuing-policy
         class type queuing iSCSI-queuing-class
              bandwidth percent 30
         class type queuing class-default
              bandwidth percent 70
    class-map type network-qos iSCSI-network-class
         match qos-group 2
    policy-map type network-qos iSCSI-network-policy
         class type network-qos iSCSI-network-class
              mtu 9216
         class type network-qos class-default
              mtu 1500
    system qos
         service-policy type qos input iSCSI-qos-policy
         service-policy type queuing output iSCSI-queuing-policy
         service-policy type network-qos iSCSI-network-policy

  • Checking L2/L3VPN traffic path through SP network (for ECMP)

    Folks,
    Scenario:
    CE1-----PE1=====P1=====P2=====PE2-------CE2
    Let's say CE1 and CE2 are doing L2VPN and all hops between PE1, P1, P2 and PE2 have more than one equal-cost path (ECMP).
    I am trying to ascertain a way of knowing what path the EoMPLS traffic would take inside the SP core.
    Some vendors say the way the hashing works is that if a PE finds it's got more than one path to the egress PE, it would do hashing based on src/dst MAC, and in other cases if a P device finds it's got more than one path to the egress PE, it would do hashing based on VC-label.
    In either case, let's say we know what hashing method the P or PE device is using; obviously we would need an easier method to determine what path a pseudowire would take inside the provider network. Again, some vendors use what is called a "pseudowire traceroute" to determine this path. A prerequisite of this is that at the time of setting up the PW, the control word needs to be turned on.
    I am looking for more knowledge on whether someone knows how the pseudowire traceroute would work and the process behind the PW traceroute which uses the control word, much as we know a normal traceroute works through UDP packets with incrementing TTL... and so forth.
    Anyone ??

    Hello Ulatif,
    it looks like that mpls traceroute for a pseudowire is not possible.
    Actually the VCCV should be under the implementation of ping mpls and ping mpls pseudowire. The following document is a little old but explains the basic concepts under ping mpls and traceroute mpls.
    http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/gslsppt.html#wp1156080
    However, sh mpls l2transport vc detail provides the choice for a specific pseudowire between two parallel paths
    see this example from our network:
    sh mpls forw 10.80.0.25
    Local  Outgoing      Prefix            Bytes Label   Outgoing   Next Hop   
    Label  Label or VC   or Tunnel Id      Switched      interface             
    21     295           10.80.0.25/32     0             Te1/2      10.82.0.233
           341           10.80.0.25/32     0             Te1/6      10.82.0.237
    sh mpls l2transport vc det
    Local interface: Te1/7 up, line protocol up, Ethernet up
      Destination address: 10.80.0.25, VC ID: 1, VC status: up
        Output interface: Te1/2, imposed label stack {295 372}
        Preferred path: not configured 
        Default path: active
       Next hop: 10.82.0.233
      Create time: 7w4d, last status change time: 6w4d
      Signaling protocol: LDP, peer 10.80.0.25:0 up
        Targeted Hello: 10.80.0.24(LDP Id) -> 10.80.0.25
        Status TLV support (local/remote)   : enabled/supported
          Label/status state machine        : established, LruRru
          Last local dataplane   status rcvd: no fault
          Last local SSS circuit status rcvd: no fault
          Last local SSS circuit status sent: no fault
          Last local  LDP TLV    status sent: no fault
          Last remote LDP TLV    status rcvd: no fault
        MPLS VC labels: local 1429, remote 372
        Group ID: local 0, remote 0
        MTU: local 9216, remote 9216
        Remote interface description:
      Sequencing: receive disabled, send disabled
      VC statistics:
        packet totals: receive 5172156, send 5361948
        byte totals:   receive 676971483, send 917397631
        packet drops:  receive 0, seq error 0, send 610
    This solves the question at source PE or destination PE of the pseudowire but I agree that in the middle in your scenario there are other possible choices of intermediate nodes.
    All I can say is that once a path is chosen by source PE it determines a complete path because intermediate nodes will make a choice and keep it.
    Hope to help
    Giuseppe

  • Cisco ASA 5520 traffic between interfaces

    Hello,
    I am new to the Cisco world, learning how everything goes. I have a Cisco ASA 5520 firewall that I am trying to configure, but I am stumped. Traffic does not pass through the interfaces (I tried ping), although packet tracer shows everything as OK. I have attached the running config and the packet tracer. The IPs I am using in the tracer are actual hosts.
    ciscoasa# ping esx_management 192.168.10.100
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
    ciscoasa# ping home_network 192.168.10.100
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    Thank you in advance.

    Hi,
    Is this just a testing setup? I would suggest changing the "internet" interface to "security-level 0" (just for the sake of identifying it's an external interface) and not allowing all traffic from there.
    I am not sure what your "packet-tracer" is testing. If you wanted to test ICMP Echo it would be
    packet-tracer input home_network icmp 10.192.5.5 8 0 255 192.168.10.100
    I see that you have not configured any NAT on the ASA unit. In the newer ASA software that would at least allow communication between all interfaces with their real IP addresses.
    I am not so sure about the older ASA versions anymore. To my understanding, "no nat-control" is the default setting in your model, which basically states that there is no need for NAT configurations between the interfaces the packet is going through.
    Have you confirmed that all the hosts/servers have the correct default gateway/network mask configurations so that traffic will flow correctly outside their own network?
    Have you confirmed that there is no firewall software on the actual server/host that might be blocking this ICMP traffic from other networks?
    Naturally, if you wanted to try some NAT configurations, you could try either of these, for example, just for the sake of testing
    Static Identity NAT
    static (home_network,esx_management) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
    static (home_network,DMZ) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
    static (home_network,management) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
    OR
    NAT0
    access-list HOMENETWORK-NAT0 remark NAT0 to all local networks
    access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.0 192.168.10.0 255.255.255.0
    access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.0 192.168.20.0 255.255.255.0
    access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
    nat (home_network) 0 access-list HOMENETWORK-NAT0
    Hope this helps
    - Jouni

  • Vlan x traffic block on trunk

    Hi ,
    Can someone please explain to me why a trunk link between two Cisco switches does not allow VLAN x traffic if VLAN x is not locally configured?
    In my lab I have three switches (2950, but it is the same with 2960, 3750, etc.).
    Switch 1 is connected by trunk to switch 2, and switch 2 is connected by trunk to switch 3.
    Switch 1 and switch 3 have VLAN 10 and interface VLAN 10 configured, whereas switch 2 does not have VLAN 10 configured.
    VTP is disabled (transparent mode) on all switches.
    Switch 2 does not permit switch 1 to ping switch 3 until I configure VLAN 10.
    2950#sh int fa 0/9 status
    Port      Name               Status       Vlan       Duplex  Speed Type
    Fa0/9                        connected    trunk      a-full  a-100 10/100BaseTX
    2950#sh int fa 0/9 trun
    Port        Mode         Encapsulation  Status        Native vlan
    Fa0/9       on           802.1q         trunking      1
    Port      Vlans allowed on trunk
    Fa0/9       1-4094
    Port        Vlans allowed and active in management domain
    Fa0/9       1-2,11,101
    Port        Vlans in spanning tree forwarding state and not pruned
    Fa0/9       1-2,11,101
    2950#sh vtp status
    VTP Version                     : 2
    Configuration Revision          : 0
    Maximum VLANs supported locally : 128
    Number of existing VLANs        : 8
    VTP Operating Mode              : Transparent
    VTP Domain Name                 : daniele
    VTP Pruning Mode                : Disabled
    VTP V2 Mode                     : Disabled
    VTP Traps Generation            : Disabled
    MD5 digest                      : 0x63 0x6C 0xF9 0xF6 0xB9 0xDC 0xBE 0xF3
    Configuration last modified by 192.168.0.103 at 0-0-00 00:00:00
    2950#
    It seems that VLAN 10 is pruned, but I don't understand why (VTP is disabled).
    Thanks a lot for your help
    Daniele

    Hi lnrdnl78d,
    so I will give this a go; not quite sure how an uploaded image looks.
    I have mocked up what I have understood from your explanation, so feel free to correct me if I have got this wrong :)
    However, assuming in this situation that VTP is enabled (which I know you have disabled in yours, but hoping this helps):
    in this situation client 1 sends a broadcast to client two.
    With VTP pruning enabled, switch 2 will learn that switch 4 has no ports connected to VLAN 2,
    so the trunk link to switch 4 will have VLAN 2 pruned from it,
    but 2 and 3 will receive the broadcast, and switch 3 will be the only one to forward it out the connected port.
    From my understanding this is what you have configured in your lab, apart from switch 4, which I added to fit the example.
    Does this help demonstrate it at all, or am I way off?

  • New network interfaces appear / networking fails

    Hi
    I have a strange behaviour of my ethernet networking interface. Every time I restart the Mac the network connection is lost (I usually keep it in sleep and have no problems for days and weeks).
    As soon as I enter the network setup I get the message that a new network connection has been found, called "Ethernet (integrated) 1 (or 2, 7, 8; the number increases)"
    If I look at my network configuration I see a long list of "Ethernet interface ((null))" and in between some "Ethernet (integrated) 1)" and the like
    It usually takes a couple of restarts of the network preferences and then the interface appears in the "network status" view and the Mac connects to the router.
    I don't have any external networking cards and the like, just the iBook and a standard router. The router also connects to our Mac mini without any problems, and it ran for at least half a year with the iBook before this occurred.
    I would be very thankful for any help since this is very annoying.
    BTW I don't move the computer around and it is connected with a network cable.
    Cheers
    Peter

    1st step, get Applejack...
    http://www.versiontracker.com/dyn/moreinfo/macosx/19596
    After installing, reboot holding down CMD+s, then when the prompt shows, type in...
    applejack AUTO
    Then let it do all 5 of its things.
    At least it'll eliminate some questions if it doesn't fix it.
    2nd step, trash, (or drag to the desktop), these files...
    /Users/nnnn/Library/Preferences/com.apple.internetconnect.plist
    /Library/Preferences/SystemConfiguration/preferences.plist
    /Library/Preferences/SystemConfiguration/NetworkInterfaces.plist
    /Library/Preferences/com.apple.networkConfig.plist

  • Standard traffic flow in a network

    HI
    When we work in a network, we face the problem of traffic/packet overflow.
    So if a normal 100 users work in a network, then how many packets flow in a second?
    For example, the normal condition in a router is
    processor at 30%, and when it goes up to 50% or above then something is wrong.
    So can anyone advise me on the standard flow of packets in a network?
    Thanks
    Biplob

    Other things to keep in mind are things that drive the processor utilization up, like access lists, and things that (may) unnecessarily use the bandwidth, like routing updates.
    Depending on the topology / layout of your network, you may be better off using static routes.
    Also check to see that only the features you are using are enabled on the router ... every additional process adds some load to the processor.
    Other sources may be excessive broadcasts. Have you checked the hosts for worms and viruses?
    Similar problem; Are any of your hosts allowed to use applications like BitTorrent or other streaming services? Many of those applications will bring up a server process and (server or not) eat a large chunk of the bandwidth.
    Post some of your interface stats and a typical router config. Some description or diagrams of the network would also be helpful.
    Good Luck
    Scott

  • Traffic prioritisation on trunked switch port

    Good afternoon all. I am looking into traffic policing and shaping and neither seems to do what I need to do. Basically, on a trunked switch port, I would like to prioritise traffic coming into a port by its VLAN tag; the trunk connects to an ESX host.
    The above options seem to be more about prioritising certain traffic for passing on to downstream devices. Can anyone shed any light on whether this is possible please? I am thinking it would need to be done on the ESX host at the moment...
    Thanks!

    Hi Colhignett,
    Hope the below link might help your query.
    http://www.cisco.com/c/en/us/td/docs/ios/12_2sb/feature/guide/vlntgqos.html#wp1049430
    Regards
    Karthik

  • Unauthenticated traffic allowed into corporate network by Reverse Proxy

    The mobility solution for Lync 2013 requires unauthenticated traffic to be passed into the corporate network, where it is then authenticated by Lync web services. So how do I convince my "security guys" that allowing this unauthenticated traffic through a reverse proxy is safe?

    You can say that Microsoft Lync and Exchange 2013 were designed with security in mind and so on and so forth, and it's true. The security risk is slim, and there are much easier attack vectors to target. But you're right, the Lync 2013 client does not support pre-authentication and users connecting to the Lync Web App anonymously require no authentication. I don't think you'll be able to convince them if they just don't like the idea of sending traffic to internal servers unauthenticated.
    In the end, someone will have to make a business decision: do you want to enable this functionality or not?
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
    SWC Unified Communications

  • Catalyst 6500 L3 interface trunk

    We have a Catalyst 6509 with IOS version 12.1(26)E6. On a layer 3 interface, can we configure trunking as on a normal router?

    So, then you need to create 1 interface vlan for each subnet
    int vlan 10
    ip address 10.10.1.1 255.255.255.0
    int vlan 20
    ip address 10.10.2.1 255.255.255.0
    create the vlans
    vlan 10
    vlan 20
    use trunk on the interface giga...
    and you'll have inter-vlan routing.
    check this link:
    http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a008015f17a.shtml
    Please rate all helpful posts.
    Vlad
