WAAS supprt for GRE traffic?

We have WAAS running at both our data center and branch offices. We are connecting the WAAS device to the WAN routers directly and using WCCP for redirection. Some of our branch to data center traffic is running through GRE tunnels which begin/end in our branch and data center server switches. Question - can WAAS optimize traffic that is already in GRE tunnels?

Greg,
congiufre your redirection on the lan and wan interface service 61 on the lan interface and 62 on the wan interface. the wan interface in question is the gre tunnel.
Regards.

Similar Messages

SRE External Gig port for WCCP traffic?

Has anyone been successful with using the external Gig port on the SRE modules for WCCP traffic? Has anyone tried it?
I'd like to reduce the CPU on my ISR-G2 routers that have the SRE modules running WCCP GRE. I'd like to use the external gig port on the SRE module for the WCCP traffic, which will allow me to use WCCP L2. Is this even feasible? Or maybe I just need to add WCCP L2 on an SRE as a New Feature request to Cisco?
According the to Cisco documentation....
The external service-module interface can be used to monitor LAN traffic. You can also select the external interface as the management interface for the SM. The external interface cannot be used for downloading applications.
Visible only to the SM software on the Cisco SM-SRE, the external service-module interface is the Gigabit Ethernet interface connector on the Cisco SM-SRE faceplate. The external interface supports data requests and data transfers from outside sources, and it provides direct connectivity to the LAN through an RJ-45 connector.

Tammy,
What is preventing you from configuing WAAS on SRE with L2 WCCP / Mask assignment via the internal interface? This is totally feasible.
If you are trying to decrease CPU utilization on your router, don't expect switching from GRE to L2 to make a drastic difference. The ISR G2 is a software based platform, as such WCCP (whether L2 or GRE) is processed by the CPU with CEF assistance.
True removing the GRE encapsulation will save some processing overhead, but in the end it's the PPS (packets per second) your router is handling that's driving the CPU.
Remember when you add WCCP / WAAS to the flow it's no longer packet in/ packet out on the router. Compressed data in on WAN, out to WAAS, uncompressed from WAAS back to Router, out on the LAN, then the reverse... uncompressed data on the LAN in to the router, out to WAAS, compressed from WAAS out to the router, then out on the WAN. So depending on the compression observed you will see > 2x the amount of traffic being processed by the router.

WAAS solution for Novell (NCP)

Hi,
I have a customer who is usng Novell. We want to deploy WAAS solution for the customer. My question is, Cisco does support Novell (NCP)? If it does, where I can find the document how to deploy.
Thanks

NCP version 5 and above runs over IP, so it will be optimized. There were some issues up until Version 4.0.15, relating to header offsets in the way traffic is delivered.
This issue was tracked under bug id CSCsk82695 and was addressed in 4.0.15 and later maintenance releases.

Passing GRE traffic across ASA

Hi,
I have an enviroment where I do need to pass the GRE traffic between two routers, the ASA-5510 is in between them.
Your help is appreciated. Sending a URL for similar setup, is great.
Sami

Hi,
Have you tried adding a static NAT for the router's external interface which is located behind the inside interface of the ASA ?
Example .. let's say the router which is behind the inside (higher priority) interface of the ASA is 10.10.10.10 then you could add a static as below
static (inside,outside) 10.10.10.10 10.10.10.10 mask 255.255.255.255
Note: the above assumes that the second router is behind the outside interface (lower priority) of the ASA and that the second router knows how to reach 10.10.10.10. Obviously 10.10.10.10 should also know how to get to the second router.
next you will need to allow GRE on both interfaces.
access-list inside-out permit GRE host 10.10.10.10 host
access-list outside-in permit GRE host host 10.10.10.10
access-group inside-out in interface inside
access-group outside-in in interface outside
Give it a try ..
I hope it helps .. please rate it if it does !!!

Administration port - network channel for admin traffic

I am trying to configure a separate channel for Administration traffic on weblogic. I followed the oracle docos and configured the SSL, domain wide admin port, server listen address, ‘admin’ channel.
The issue is admin traffic in not happening through the newly created channel.
L2 network is not getting used. I can’t see any activity in the monitoring tab of new Channel. Also the netstat is showing that the port 9101/9102 is getting used on the 192.168.100.218 and not on 10.254.252.849.
I also tried by setting up the newly created channel weight as 51, but no luck.
Is JMX connectivity related to admin channel?
Any help is highly appreciated. Thanks.
Ipconfig:
Admin: adminserver701.mycompany.internal, 192.168.100.238, 10.254.252.808
Managed: appserver701.mycompany.internal, :192.168.100.218, 10.254.252.849
Domain wide admin port: 9101
Admin:
Listen address –> adminserver701.mycompany.internal
Channel –> admin -> 10.254.252.808/9101
Startup -> -Dweblogic.admin.ListenAddress=admin://10.254.252.808:9101
Managed:(appserver701)
Listen address –> appserver701.mycompany.internal
Admin port override: 9102
Channel –> admin -> 10.254.252.849/9102
Startup -> -Dweblogic.admin.ListenAddress=admin://10.254.252.849:9102
AdminServer Logs:
####<Feb 18, 2013 1:53:33 PM EST> <Info> <JMX> <adminserver701.mycompany.internal> <soa_as> <[STANDBY] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1361159613346> <BEA-149512> <JMX Connector Server started at service:jmx:iiop://adminserver701.mycompany.internal:9101/jndi/weblogic.management.mbeanservers.runtime .>
####<Feb 18, 2013 1:53:33 PM EST> <Info> <JMX> <adminserver701.mycompany.internal> <soa_as> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1361159613353> <BEA-149512> <JMX Connector Server started at service:jmx:iiop://adminserver701.mycompany.internal:9101/jndi/weblogic.management.mbeanservers.edit .>
####<Feb 18, 2013 1:53:33 PM EST> <Info> <JMX> <adminserver701.mycompany.internal> <soa_as> <[STANDBY] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1361159613367> <BEA-149512> <JMX Connector Server started at service:jmx:iiop://adminserver701.mycompany.internal:9101/jndi/weblogic.management.mbeanservers.domainruntime .>
####<Feb 18, 2013 1:53:36 PM EST> <Notice> <Server> <adminserver701.mycompany.internal> <soa_as> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1361159616699> <BEA-002613> <Channel "DefaultAdministration" is now listening on 192.168.100.238:9101 for protocols admin, ldaps, https.>
####<Feb 18, 2013 1:53:36 PM EST> <Notice> <Server> <adminserver701.mycompany.internal> <soa_as> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1361159616700> <BEA-002613> <Channel "Channel-0" is now listening on 10.254.252.808:9101 for protocols admin, ldaps, https.>
####<Feb 18, 2013 1:55:12 PM EST> <Notice> <Server> <adminserver701.mycompany.internal> <soa_as> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <cd259038c7dcf5a8:-26ac3ba0:13ceb6f767d:-8000-000000000000001a> <1361159712920> <BEA-002613> <Channel "Default" is now listening on 192.168.100.238:7001 for protocols iiop, t3, ldap, snmp, http.>
####<Feb 18, 2013 1:55:12 PM EST> <Notice> <Server> <adminserver701.mycompany.internal> <soa_as> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <cd259038c7dcf5a8:-26ac3ba0:13ceb6f767d:-8000-000000000000001a> <1361159712920> <BEA-002613> <Channel "DefaultSecure" is now listening on 192.168.100.238:7002 for protocols iiops, t3s, ldaps, https.>
ManagedServer Logs:
####<Feb 18, 2013 2:54:19 PM EST> <Info> <JMX> <appserver701.mycompany.internal> <adp_ms01> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1361163259911> <BEA-149512> <JMX Connector Server started at service:jmx:iiop://appserver701.mycompany.internal:9102/jndi/weblogic.management.mbeanservers.runtime .>
####<Feb 18, 2013 2:54:20 PM EST> <Notice> <Server> <appserver701.mycompany.internal> <adp_ms01> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1361163260350> <BEA-002613> <Channel "Channel-0" is now listening on 10.254.252.849:9102 for protocols admin, CLUSTER-BROADCAST-SECURE, ldaps, https.>
####<Feb 18, 2013 2:54:20 PM EST> <Notice> <Server> <appserver701.mycompany.internal> <adp_ms01> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1361163260350> <BEA-002613> <Channel "DefaultAdministration" is now listening on 192.168.100.218:9102 for protocols admin, CLUSTER-BROADCAST-SECURE, ldaps, https.>
####<Feb 18, 2013 2:54:58 PM EST> <Notice> <Server> <appserver701.mycompany.internal> <adp_ms01> <[STANDBY] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <d3208ed6c2482016:-46ac5fed:13ceba69a8e:-7ffe-000000000000000e> <1361163298045> <BEA-002613> <Channel "DefaultSecure" is now listening on 192.168.100.218:7102 for protocols iiops, t3s, CLUSTER-BROADCAST-SECURE, ldaps, https.>
####<Feb 18, 2013 2:54:58 PM EST> <Notice> <Server> <appserver701.mycompany.internal> <adp_ms01> <[STANDBY] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <d3208ed6c2482016:-46ac5fed:13ceba69a8e:-7ffe-000000000000000e> <1361163298045> <BEA-002613> <Channel "Default" is now listening on 192.168.100.218:7101 for protocols iiop, t3, CLUSTER-BROADCAST, ldap, snmp, http.>
AdminServer logs update while starting managed:
####<Feb 18, 2013 2:54:57 PM EST> <Info> <JMX> <adminserver701.mycompany.internal> <soa_as> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <cd259038c7dcf5a8:-26ac3ba0:13ceb6f767d:-8000-0000000000000162> <1361163297488> <BEA-149506> <Established JMX Connectivity with adp_ms01 at the JMX Service URL of service: jmx:admin://appserver701.mycompany.internal:9102 /jndi/weblogic.management.mbeanservers.runtime.>
Admin Server :
[oracle@adminserver701 bin]$ netstat -an | grep 9101
tcp 0 0 10.254.252.808:9101 0.0.0.0:* LISTEN
tcp 0 0 192.168.100.238:9101 0.0.0.0:* LISTEN
tcp 0 0 192.168.100.238:9101 192.168.100.218:59038 ESTABLISHED
I am wondering if the JMX connectivity is using the server listen address (adminserver701.mycompany.internal) which will by default resolve to 192.168.100.238. Is there a way to force JMX to use 10.254.252.808?

Hi
For first question the answer is no. With the administration port, you enable the SSL between the admin server and Node manager-managed Servers. You can still use the web console.
For teh second question, you can use ANT or can use the WLS Scripting ..you can get more details in dev2dev.bea.com
Jin

Which is prioritized for multicast traffic if FastSwitching and CEF is enable?

Hello
Here is the related configuration and output of show command below,
In my understanding, there are 3 swtching mode, CPU, fast-swthing and CEF swthing,
But if FastSwthing and CEF swithing are enable both, then which swithing mode is prioritized for mutlicast traffic?
interface Vlan302
ip address 10.0.20.1 255.255.255.0
3750X#sh ip int vlan 302
Vlan302 is down, line protocol is down
Internet address is 10.0.20.1/24
Broadcast address is 255.255.255.255
*omit
IP fast switching is enabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF switching turbo vector
IP Null turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is enabled
IP route-cache flags are Fast, CEF
*omit
interface Vlan301
ip address 10.0.10.1 255.255.255.0
no ip mroute-cache
3750X#sh ip int vlan 301
Vlan301 is down, line protocol is down
Internet address is 10.0.10.1/24
Broadcast address is 255.255.255.255
*omit
IP fast switching is enabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF switching turbo vector
IP Null turbo vector
IP multicast fast switching is disabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF, No Distributed
*omit
Product : Cat3750X
IOS version : 15.0(2)SE5
Best Regards,
Masanobu Hiyoshi

Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
I'm not 100% certain, but I believe FastSwitching and CEF switching apply to unicast, not multicast. Your "IP mroute-cache" command enables/disables fast multicast switching.
On a 3750, switching should be hardware based, for unicast and multicast, unless TCAM resources are insufficient. If hardware switching falls back to non-hardware switching, you'll likely find process vs. Fast vs. CEF vs. multicast doesn't matter, all too slow.

WAAS Configuration for 3750 Switch

I am configuring a 3750 switch with 12.2(52)SE according to:
(from https://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_52_se/configuration/guide/3750_scg.pdf )
This example shows how to configure SVIs and how to enable the web cache service with a multicast group list. VLAN 299 is created and configured with an IP address of 175.20.20.10. Gigabit Ethernet port 1 is connected through the Internet to the web server and is configured as an access port in VLAN 299. VLAN 300 is created and configured with an IP address of 172.20.10.30. Gigabit Ethernet port 2 is connected to the application engine and is configured as an access port in VLAN 300. VLAN 301 is created and configured with an IP address of 175.20.30.50. Fast Ethernet ports 3 to 6, which are connected to the clients, are configured as access ports in VLAN 301. The switch redirects packets received from the client interfaces to the application engine.
Note Only permit ACL entries are being used in the redirect-list; deny entries are unsupported.
Switch# configure terminal
Switch(config)# ip wccp web-cache 80 group-list 15
Switch(config)# access-list 15 permit host 171.69.198.102
Switch(config)# access-list 15 permit host 171.69.198.104
Switch(config)# access-list 15 permit host 171.69.198.106
Switch(config)# vlan 299 WEB SERVER
Switch(config-vlan)# exit
Switch(config)# interface vlan 299
Switch(config-if)# ip address 175.20.20.10 255.255.255.0
Switch(config-if)# exit
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 299
Switch(config)# vlan 300 WAE
Switch(config-vlan)# exit
Switch(config)# interface vlan 300
Switch(config-if)# ip address 171.69.198.100 255.255.255.0
Switch(config-if)# exit
Switch(config)# interface gigabitethernet1/0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 300
Switch(config-if)# exit
Switch(config)# vlan 301 CLIENTS
Switch(config-vlan)# exit
Switch(config)# interface vlan 301
Switch(config-if)# ip address 175.20.30.20 255.255.255.0
Switch(config-if)# ip wccp web-cache redirect in
Switch(config-if)# exit
Switch(config)# interface gigabitethernet1/0/3 - 6
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 301
Switch(config-if-range)# exit
===================================================================
Question: How do I configure my WAE to play nicely with this switch?

Hi James,
Here is the link to WCCP config part on WAE:
http://www.cisco.com/en/US/docs/app_ntwk_services/waas/waas/v441/configuration/guide/traffic.html#wp1041742
In your case, if my understanding is right, VLAN300 is where you want to connect WAE and WAE is also L2 adjacent. if that is true, here is the config you need on WAE:
wccp router-list 1 171.69.198.100
wccp tcp-promiscuous router-list-num 1 l2-redirect mask-assign l2-return
wccp version 2
Please note that 3750 supports L2 redirection only with redirect IN statements on 3750 interfaces connected to servers and clients.
Hope this helps.
Regards.

Outbound PAT for SMTP traffic

Cisco ASA 5505, Software 8.0(3)
ASA IP: xxx.xxx.xxx.yy4/29
This is part of my ASA config that ensures PAT for incomming SMTP traffic:
access-list acl_inbound_outside extended permit tcp any host xxx.xxx.xxx.yy7 eq smtp
nat-control
global (outside) 1 interface
nat (inside) 0 access-list acl_no_nat_inside
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp xxx.xxx.xxx.yy7 ftp 172.27.1.1 smtp netmask 255.255.255.255
access-group acl_inbound_outside in interface outside
This ensures SMTP traffic to xxx.xxx.xxx.yy7 reach my SMTP server.
But outgoing SMTP traffic is from xxx.xxx.xxx.yy4 (WAN IP of ASA).
How can I set up that ONLY SMTP traffic from 172.27.1.1 is PATed behind IP xxx.xxx.xxx.yy7 and other traffic from 172.27.1.1 will be NATed to
xxx.xxx.xxx.yy4?

Hi,
It seems that there is either a typo or mistake in the configuration above.
You are forwarding "ftp" port to "smtp" port
Shouldnt it be
static (inside,outside) tcp xxx.xxx.xxx.yy7 smtp 172.27.1.1 smtp netmask 255.255.255.255
So in addition to forwarding the "smtp" port you also want all outgoing "smtp" traffic from this single host/server to use the public IP address xxx.xxx.xxx.yy7
Then you can configure this
access-list SMTP-POLICYPAT remark Policy PAT for SMTP traffic
access-list SMTP-POLICYPAT permit tcp host 172.27.1.1 any eq smtp
global (outside) 25 xxx.xxx.xxx.yy7
nat (inside) 25 access-list SMTP-POLICYPAT
Hope this helps
Please do remember to mark the reply as the correct answer if it answered your question.
- Jouni

The access to our new chess hall may be blocked by your local firewall. You would need to reconfigure your firewall to open port 15010 for TCP traffic.

How do I do the following so I can get into my chess program??
The access to our new chess hall may be blocked by your
local firewall. You would need to reconfigure your firewall to open port 15010
for TCP traffic.

This is not really Firefox related.
What you need to do here is to read the firewall manual which usually explains how to create a rule for what you want to do.
If you're using the Windows XP firewall, see this Microsoft article: http://windows.microsoft.com/en-US/windows-vista/Firewall-frequently-asked-questions

Need Help on Configuring the Site to Site VPN from Cisco 2811 to Websense Cloud for web Traffic redirect

Hi All,
I need help on Configuring the Site to Site VPN from Cisco 2811 to Websense Cloud for web Traffic redirect
2811 having C2800NM-ADVIPSERVICESK9-M
2811 router connects to the Internet SW then connects to the Internet router.
Note- For Authentication am using the Device ID & Pre share key. I am worried as all user traffic goes with PAT and not firing up my tunnel for port 80 traffic. Can you please suggest what can be the issue ?
Below is router config for VPN & NAT
crypto keyring ISR_Keyring
pre-shared-key hostname vpn.websense.net key 2c22524d554556442d222d565f545246
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 10
crypto isakmp profile isa-profile
   keyring ISR_Keyring
   self-identity user-fqdn [email protected]
   match identity user vpn-proxy.websense.net
crypto ipsec transform-set ESP-NULL-SHA esp-null esp-sha-hmac
crypto map GUEST_WEB_FILTER 10 ipsec-isakmp
set peer vpn.websense.net dynamic
set transform-set ESP-NULL-SHA
set isakmp-profile isa-profile
match address 101
interface FastEthernet0/1
description connected to Internet
ip address 216.222.208.101 255.255.255.128
ip access-group HVAC_Public in
ip nat outside
ip virtual-reassembly
duplex full
speed 100
no cdp enable
crypto map GUEST_WEB_FILTER
access-list 101 permit tcp 192.168.8.0 0.0.3.255 any eq www
access-list 103 deny   ip 192.168.8.0 0.0.3.255 host 85.115.41.187 log
access-list 103 deny   ip 192.168.8.0 0.0.3.255 host 85.115.41.181 log
access-list 103 deny   ip 192.168.8.0 0.0.3.255 host 85.115.41.182 log
access-list 103 deny   ip 192.168.8.0 0.0.3.255 86.111.216.0 0.0.1.255
access-list 103 deny   ip 192.168.8.0 0.0.3.255 116.50.56.0 0.0.7.255
access-list 103 deny   ip 192.168.8.0 0.0.3.255 86.111.220.0 0.0.3.255
access-list 103 deny   ip 192.168.8.0 0.0.3.255 103.1.196.0 0.0.3.255
access-list 103 deny   ip 192.168.8.0 0.0.3.255 177.39.96.0 0.0.3.255
access-list 103 deny   ip 192.168.8.0 0.0.3.255 196.216.238.0 0.0.1.255
access-list 103 permit ip 192.168.8.0 0.0.3.255 any
ip nat pool mypool 216.222.208.101 216.222.208.101 netmask 255.255.255.128
ip nat inside source list 103 interface FastEthernet0/1 overload
ip nat inside source route-map nonat pool mypool overload

How does Websense expect your source IPs in the tunnel? 192.168.8.0 0.0.3.255 or PAT'ed 216.222.208.101 ?
Check
show crypto isakmp sa
show crypto ipsec sa
show crypto session
You'd better remove the preshared key from your post.

Which network is Oracle using for RAC traffic ? where you will get info ? ?

Hi,
I am using two node RAC on Oracle 10g R2 (10.2.0.3.0) version on SUN Solaris 10 . I want to know "Which network is Oracle using for RAC traffic ? where you will get info "
--Kumar

Hi Kumar,
In 10g, you can query x$ksxpia. If the cluster_interconnect information is stored in OCR (default), you will get
SQL> select INST_ID,PUB_KSXPIA,PICKED_KSXPIA, NAME_KSXPIA,IP_KSXPIA from x$ksxpia;
If you specified the cluster_interconnects parameter in your init.ora:
Columns to look in : INST_ID P PICK NAME_KSXPIA IP_KSXPIA
And also you can use 'oradebug ipc' to see which interconnects the database is using:
SQL> oradebug setmypid
SQL> oradebug ipc
Hope it helps...
Thanks
LaserSoft

Cascade Catalyst 3560 switch for loaded traffic

I have a layer 3 Catalyst switch 3560 with 24 FE interfaces.
I need to pump traffic from traffic generator into port 1 and propagate it to other ports; the last port will be connected back to the traffic generator.
I suppose that I need to cascade some of the switchports but how do I configure the catalyst switch for this setup? Is it making use of routed port and static routing?

Hi Ankur,
Thanks for the reply.
The traffic generator are layer 3 interfaces which I can assign IP address.
You mentioned that I do not need any routing, but I require traffic coming from the traffic generator(e.g FE1) going into switchport 1 to traverse through the rest of the switchports before exiting from the last switchport back to the traffic generator(e.g FE2). Therefore, I need advice on how to setup the catalyst switch to achieve this.If I assign ip address for this traffic to end at the traffic generator-FE2, the generated traffic will enter the switch at switchport 1 and directly exit from the last switchport without any traversing done. Btw, do I need to cascade my switch with cross cable in this aspect?
Thanks in advance for your advice.
Regards,
Raymond

ACE Normalization for SMTP Traffic

Hi,
I was facing issue with the ACE normalization and that was stopping my SMTP traffic. When i disabled it globally my SMTP traffic is working fine. But due to the audit i cannot disabled it for all the traffic. I want to disabled the normalization only for the SMTP por 25 traffic.
I am trying to create the L4 policy as mention below but unable to set the partameter require for to disable the normalization.
class-map match-any SMTP_CLASS
match port tcp eq 25
parameter-map type connection TCP_SMTP_MAP
no random-sequence-number
exceed-mss allow
policy-map multi-match TCP_SMTP_POLICY
What else i need to reacll in parameter-map in order to disable the normalization for SMTP traffic.
Pleae help.

Hi,
I have attached the capture when normalization was enabled (not working) and capture when normalization was disabled.
Please review and let me know how to achive this by fine tunning the parameters.
We are seeing lot of tcp retransmission error etc.
I have done some research and normalization deals with the following below mentoin parameters.
exceed-mss-----Configure behavior if a packet exceeds MSS
random-seq-num-disable----Disable TCP sequence number randomization
reserved-bits-----Configure Reserved bits in TCP header
syn-data-----Configure behavior for a SYN packet containing data
tcp-options-----Configure TCP header options
urgent-flag-----Allow/Clear Urgent flag

Monitoring GRE traffic with Netflow

Hi,
I have a GRE tunnel between an 3660 and a 3725. Under this tunnel there are many routers from SP, that we not even can see.
The problem is that at Netflow it shows me only a high GRE traffic, giving me only details if using Nbar but still like that loosing all of informations available at Netflow reports (Conversations, source, etc).
So, does anybody knows what should be configured at routers to enable netflow detailed informations of GRE tunnel?
Rds,
Alex

ip flow-cache timeout active 5
ip flow-export source Loopback0
ip flow-export version 5
ip flow-export destination [Server IP] 9996
interface Tunnel0
description tunnel vers rct2sin2
bandwidth 27000
ip address x.x.x.x x.x.x.x
ip mtu 1472
ip nbar protocol-discovery
ip route-cache flow
ip tcp adjust-mss 1432
load-interval 30
These are my confiurations and the router is a 3660.
Rds,
Alex

Ignoring TCP handshake & Sequence Numbers for STT Traffic

Hi,
I have to pass STT traffic through a Cisco ASA (details on STT are here http://tools.ietf.org/html/draft-davie-stt).
STT traffic looks like TCP traffic (i.e. it uses IP protocol 6 and is sent to a specific destination port) but is stateless. It doesn't perform TCP handshake, i.e. TCP flags are used differently same goes for sequence numbers.
Is there any way to disable to regular TCP handshake and sequence numbers checks? I saw that there might be a chance to do something for the handshake with the embryotic connection limit but I'm not sure about the sequence numbers.
Assume ASA 8.6.
Thanks,
Ben

Hi,
You can configure tcp state bypass only for this traffic, for the rest the firewall would check the tcp state of the packet, here is the doc:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b2d922.shtml
Hope that helps.
Thanks,
Varun Rao
Security Team,
Cisco TAC

WAAS supprt for GRE traffic?

Similar Messages

Maybe you are looking for