Cisco :: 7204 VXR - IP Flow Not Showing Egress Traffic
Dec 6, 2011
I have a 7204VXR Router, with Netflow. The collection for all interfaces is ok, but one interface (Gigabitethernet 1/0), is not showing the egress traffic in the pictures. The configuration has "ip route-cache flow", ip flow egress, and ip flow ingress set. But it is not showing the egress traffic.
Nov 27, 2011
We have a pair of 6509 working in a VSS configuration (IOS 12.2(33)SX5). The 6509s connect to a pair of ASAs (7.2 code) running in an Active/Standby setup. These ASAs in turn connect to routers going to remote sites. I have configured Netflow on the following VLANS,
VLAN 10 - Servers Vlan
VLAN 9 - Transit/ASA VLAN (connects ASAs to 6509s). All traffic originating from any VLAN on the 6509 crosses this VLAN in order to reach remote sites and vice versa
I configured the netflow source VLAN 11 although I am not collecting any netflow from it. Although I have been getting lots of Netflow info, I noticed that netflow for traffic originating from any user VLAN on the 6509s going to any remote site via TRANSIT/ASA VLAN(9) does not get reported, I even tested with 4 GB traffic but no result. Only reverse traffic (i.e. from remote site to user VLAN) is reported as it traverses the Transit VLAN (9).
I read somewhere that egress netflow is not supported in 6500, but isn't traffic originating from a user vlan to a remote site via the transit VLAN (9) considered ingress with respect to the transit VLAN (9)? I would like to know whether bidirectional Netflow is supported on 6500 VLANS. I have minimum control on routers beyond the ASAs, and since these ASAs run 7.2 code netflow is not supported, and Monitoring this Transit Vlan gives me extremely useful info.
I do get netflow bidirectional traffic from the Server Vlan 10, but I think it is correlated by the netflow collector from vlans 9 and 10. [code]
Jun 2, 2012
Why is ip flow egress not functioning on 7600? When I do "sho ip cach flow", I can see only inbound flows.
Jan 18, 2012
I am trying to pass Traffic thru the IPSEC tunnel but it does not work ([Cisco Router 892] <---> [Cisco ASA 5510] <---> [Cisco Router 892]) The Cisco ASA 5510 doesn't pass traffic UDP=500 & UDP=4500 ports...
Aug 30, 2012
I've been thinking about this for a while and I can't seem to find a comforting answer: Assume you have three datacenters connected over a WAN. Each datacenter has its own Internet and firewall, and each firewall has a trusted network, untrusted network (Internet), and DMZ: [code]
-DMZhostA has inbound access from the Internet over port X.
-DMZhostB has outbound access to DMZhostC over port Y.
-DMZhostC has outbound access to the trusted network over port Z.
If DMZhostA gets compromised from the Internet, the attacker can indirectly access the trusted network through DMZhostC, assuming the services running on the given ports are vulnerable/poorly secured. How do you track this web of access? This is a simple scenario with just three firewalls and datacenters, but it gets proportionally more complex and harder to track as the network gets larger. Manually tracking the traffic flow seems tedious, slow, and inefficient.
Oct 14, 2011
My question is pretty straightforward but here is some background information. I would like my browsing traffic to funnel through my phone's 3G or WiFi connection. Is there any information out there on how to direct the browser to use the second internet connection? I was thinking about setting up a VPN using the second nic and somehow instruct the browser to use the specific proxy. I have no idea if that is even possible though.
The need for this is pretty simple. I do not want my browsing habits being logged by my company's network. Also while maintaining the current corporate connection so Outlook and RDP programs continue to function correctly.
Jun 13, 2012
I am fairly new to configuring ASA's. I have an ASA 5505 with one outside interface and three inside interfaces (inside1, inside2, and management). I need inside1 and inside2 to be able to talk to each other but cannot work out how to make this happen. They are both configured to the same security level and the 'Enable traffic between interfaces with same security level' box is ticked. I have also tried adding appropriate NAT and Access rules. The packet tracer suggests the rules are correct for allowing traffic flow between interfaces but obviously this may not be the case.
Oct 21, 2011
I am in search of a new router. I don't have any special task to do. Just the flow of maximum 2mb/sec data and sometimes video conference. However I need the VoIP solution as well. I just got excited on the cisco ASA 5505 product. Can this fulfill my requirements? Can this work as the router 1841? Does this support DMVPN, SSL VPN and dynamic routing? Can I upgrade the IOS for dynamic routing purpose? Do you recommend to purchase this product or not instead of router? What are the limitations of this product? If I purchase this I can use this as a router as well as strong security solution. How many ports are available for traffic flow in ASA 5505? Are all routed mode or some of them switch port?
Aug 8, 2012
We are facing one issue at the Customer site as Cisco 7600 series Routers are having an issue with reflection of traffic flow through netfluke, as used by the Customer to get bandwidth utilization reports for our WAN links. Recently we have brought this 7606S router into production and moved some of our WAN links to this router and we are not getting proper bandwidth utilization reports in netfluke after configuring netflow in this device.
HTAINCHN21XXXCR001#sh ver
Cisco IOS Software, c7600s72033_rp Software (c7600s72033_rp-IPSERVICES-M), Version 12.2(33)SRB5, RELEASE SOFTWARE (fc2)
HTAINCHN21XXXCR001#sh run int gi1/12
[code]....
Nov 21, 2011
I'm receiving multicast traffic (400Mbps) on port 9/38 and sending it out on port gi9/48. I'm trying to achieve that traffic will stay within the card without using the switchfabric,
Feb 16, 2012
I am looking for the way to define an idle timeout for specific flows on an ASA5580 by using Cisco security manager. For ex I needed to define a specific idle timeout for connections between specific devices (Devices in vlan1, Device2 in vlan2). To test it I did following changes by CLI and it works fine.
access-list L1 extended permit ip <@IP1> <mask1> host <@IP2>
class-map CM1
 match access-list L1
policy-map PM1
 class CM1
  set connection timeout idle 02:00:00
I try to do the same configuration with CSM in order to be able to manage each change only by using CSM. So I defined Access control list, Traffic flow and then I define timeout in CSM --> PIX/ASA/FWSM Platform --> Service Policy Rules --> IPS, QoS and Connections Rules -> connections settings -> Traffic flow idle time-out. The problem is that each time I deploy the configuration with CSM I lose the timeout config line which is the most important for my application.
Mar 18, 2013
We have been deploying Cisco SF200-24P switches for our systems for over a year now. They connect to a Cisco 881 router. In many cases we are also deploying Cisco AP541s. Over the last few months, on an intermittent basis, the switches will simply freeze, blocking all traffic flow. The power LED also goes dark. It appears the switch has frozen. The only thing that seems to revive the switch is a hard reboot by pulling the power cord. In the last couple of weeks, one site in particular has gone down a handful of times. That client of ours is fed up. Our patience is running thin too.
I cannot see any indications in the logs to any event that might give a clue as to the problem. We definitely see this problem with the 1.2.7.76 firmware and the 1.2.9.44 (latest as of typing this). Not sure if with earlier 1.1.2 firmware. Without a fix, we likely will have to change switches and possibly vendors as we need a reliable switch. I see some vague references to a similar problem. And one reference to a SG300 series having what sounds like the same issue.
Jan 20, 2013
I've been digging into some performance issues on a LAN that has a couple of 2960s. The monitoring software I'm using has indicated a high amount of discarded outbound packets (up to 5%). The suggested resolutions were to enable flow control.
My question is: does enabling flow control on all ports interrupt network traffic at all? This is a production network so I had already planned on doing it during off hours but also wanted to know if I should be prepared for any significant drop in traffic.
Jul 7, 2012
How to configure traffic flow between computers inside VLANs and a routed port? Here is the setup details:
1. Switch 3750-X
2. VLAN 100 - ( SVI IP address 192.168.100.1 /24)
3. VLAN 200 - ( SVI IP address 192.168.200.1 /24)
4. routed port gi1/0/48 (IP address 192.168.150.1 /24). Note: this port is directly connected to a firewall ASA 5520 port IP 192.168.150.100 /24
Ip routing is enabled on the switch and inter vlan traffic is flowing ok. I can ping the routed port gi1/0/48 from any computer connected in the VLAN 100 or 200. For example computer with IP 192.168.100.25 can ping the routed port 192.168.150.1. Switch can ping firewall port 192.168.150.100 and the 'sh ip route' command shows the network 192.168.150.0 /24 as directly connected network.
Any computer in the two VLANs CANNOT ping firewall ASA port 192.168.150.100. Is it because inter VLAN routing does not work with a routed port on L3 switch? I looked up fallback bridging, but it is meant for non IP traffic. The goal is I am trying to set the ASA port as an internet gateway for VLANs.
May 13, 2013
We have a Cisco 4506-e switch with ios version 03.02.05.SG. We are currently facing a strange problem. Vlan interfaces configured in the switch are not showing input and output traffic, whereas the traffic is seen on the Gig interfaces mapped to the respective vlans. We also tried configuring the load-interval 30, but there is no change. Interface 3/5 is mapped to vlan 5. For this issue we have also done the IOS upgrade from 3.1.1SG to 3.2.5SG recently, still the issue is same. [code]
Apr 11, 2011
Why would I be getting traffic on my outside interface that has a destination address which is not my assigned outside address? I recently set up my ASA 5505 on the network and gave it an available outside address of say 192.x.x.250 on interface vlan 100. When I assign vlan 100 to e0/0 and bring the port up, I start seeing lots of traffic pour into the ASDM Syslog with various destinations belonging to my subnet but that are not actually destined for my specific outside address of 192.x.x.250. They are showing a destination of say 192.x.x.85 or 192.x.x.29.
Sep 8, 2011
In regards to QoS profiles on the WLC. I have applied a profile to a newly created WLAN and set the Per User Bandwidth to 512k and it seems to be kicking in on the ingress only, this is supposed to work ingress AND egress or is it just designed to work one way? I have a 4402-25 with Cisco 3500 AP's and am running the 7.0.98 code. If it is designed to work one way only is there a different way to apply it ingress and egress simultaneously off the WLC?
Mar 16, 2012
I have a question regarding egress queuing on cat6500 modules. E.g. WS-X 6704 has 1p7q4t as egress model. My goal is to limit the priority queue to 15% of the available bandwidth. I can put weights on the wrr-queues and limit their resources: "wrr-queue bandwidth 50 20 15 0 0 0 0." But this isn't possible for the priority-queue. The only available command is "priority-queue queue-limit 15" but this only restricts the buffer to 15%.
At the end of the day I want to prevent that the wrr-queues don't have remaining bandwidth when the priority-queue is saturated.
Is there an easy way to restrict the bandwidth of the priority queue or do I have to implement additionally some kind of policing?
Nov 4, 2012
I have a question that so far I haven't been able to find a suitable answer for. This is focused from an ISP perspective. So suppose I have the following scenario:
I have a BGP transit area. On each edge of my network I have an eBGP connection to the same client for redundancy. This client has his own ASN, iBGP and prefixes. I'm receiving the same NLRI from the client through both sides. Let's assume he's advertising the prefix 10.10.0.0/16 through both ends. I'm receiving it with no problems and I'm passing it along to the next providers with whom I also have multiple ingress and egress points.
Something like this:
                                     PROVIDER A                         PROVIDER A
                                          |                                  |
                                        eBGP                               eBGP
                                          |                                  |
CLIENT A (ASN65100) --- eBGP --- MYROUTERA(ASN65200) ----- iBGP --- MYROUTERB(ASN65200) --- eBGP --- CLIENT A(ASN65100)
                                          |                                  |
                                        eBGP                               eBGP
                                          |                                  |
                                     PROVIDER B                         PROVIDER B
Let's say my client pays for a 10Mb. Both links are configured to 10Mb so that each can handle the load in case the other one fails and both are always active. So my question is:
How can I shape or police the client's traffic across multiple points of entry on different routers so that it won't go beyond the 10Mb? The same scenario applies on how can I limit traffic coming from the providers A, and B destined to the client's prefix: 10.10.0.0/16.
I don't mean using MED, local-pref, weight. Sure I can funnel all the traffic through one single point, but consider that I'm also trying to move away from basic routing and more into PfR, which mean that I have more granular control of the flows. Perhaps there is a PfR service-policy or something that can work.
For this scenario I'm using 7200 as my routers. If there is a solution that assumes any other model don't hesitate to post it. TLDR; How can I police or shape across multi interfaces on different routers?
Apr 14, 2011
I have a 2811 Router with two fast ethernet wic cards installed. I need traffic to go out one interface, but it's received back through another. Both interfaces have public IP's and the same subnet, and are connected directly to satellite modems. One can receive data / the other only send.
Feb 15, 2012
Problem: My traffic coming inbound appears to be marked but is not marked when egressing.
Setup:
Ingress from encoder G3/9 ->> Egress G8/1
Default DSCP/COS map table (DSCP 24 is COS3)
Cos-dscp map:
cos: 0 1 2 3 4 5 6 7
------------------------------------
dscp: 0 8 16 24 32 40 48 56
1. Any reason COS 3 is not marked outbound on this traffic? I'm determining this by doing a wireshark off of interface g8/1. The traffic appears to be marked on the ingress correctly but does not maintain its mark on the egress. I can confirm this with equipment on other Ethernet links in production as well as my test port listed in the config below with wireshark.
FYI: Unfortunately with my cards in the 6509 I cannot port mirror and see outbound multicast (determined through a TAC case). Because the STB does not understand tagged traffic I setup the native vlan for it to function. To see the multicast with tags I temporarily remove the native command and do the wireshark to see the multicast. It still shows a COS setting of 0. I will try to attach a capture of a multicast packet.
interface GigabitEthernet3/9
description Mulicast Encoder
switchport
switchport access vlan 962
switchport mode access
logging event link-status
load-interval 30
Jul 22, 2012
having a bit of trouble setting up our 5510. None of us have ever played with a firewall before. We've got most of the basics covered. I was able to get to the outside world to do a software update to the box, but my laptop that sits in the inside can't see the outside. We only have the default access rules in place at the moment. Our old ISA firewall rules don't really translate all that well to this new box.
Jan 17, 2012
I have a customer who requires to identify and police traffic on egress on a 3560 trunk link. I cannot use ingress classifications because we do not know what route the traffic will take yet. The egress interface connects to multipoint wireless equipment with 4 different bandwidth point to point links. So the ingress traffic may be routed via any one of 4 point to point wireless links connected to the single egress interface. Am I correct in assuming we cannot mark on the egress direction then put the traffic in a SRR shaped egress queue based on the marking? So we would only have the option to egress queue based on markings applied or trusted on the inbound direction? I had thought of some kind of policy map/aggregate policer configuration based on the exit VLAN but it seems we can only apply this type of config inbound. From reading the 3560 configuration guides it seems the 3560 cannot deploy the kind of requirements this customer needs. Perhaps they should have deployed some kind of Metro switch?
Mar 9, 2011
I have ASA 5510 with 8.3 version and using multi context. I created a new context ABC and tried to add routes in the context for the ABC networks but it would not work. There was an error in the log stating, "failed to locate egress interface". I changed the metric on the static routes from 1 to 2 and it started working. Is it normal in a multi context?
Apr 9, 2013
I have ASA 5505, in routed mode, basic license. I run a web server in DMZ. I can reach Internet from DMZ. Also, the traffic from outside can reach the web server. However, if the web site is requested from within the DMZ, the request will fail, and the firewall log contains the following message:
Failed to locate egress interface for TCP from DMZ50: 30.30.30.10/49213 to 170.70.30.114/80
I don't have DNS, so the request must go to Internet, even the web site is hosted on the server in DMZ.
Here is sample of my config file:
interface Vlan1
nameif inside
security-level 100
ip address 162.160.1.3 255.255.255.0
!
interface Vlan2
[code]....
What can be the reason for requests, originated in DMZ, to fail, and how could it be fixed?
Dec 18, 2011
I have an issue where I'm seeing output discards on pretty much all my ports configured for QoS. The switches are cisco WS-C3750V2-48PS running 12.2(50)SE1. There are four switches stacked using stack cables. The QoS implemented was auto-qos with no modifications to the standard config. All ports are in queue-set 1. The phones connected are Cisco 7942's. Already did the standard check for speed duplex mismatch, crc's, runts, giants, etc... No discards before the QoS was applied. No bug ID's I could find regarding these switches and this IOS version. The one thing noticed is that 99% of all the drops are from queues 2 and 4 or 1 and 3 doing the below command.
**I've limited the cut and paste as to not clutter the discussion until someone requests something else**
show platform port-asic stats drop
Port 18 TxQueue Drop Statistics
Queue 0
Weight 0 Frames 0
Weight 1 Frames 0
[Code]....
May 23, 2011
I have a cisco 7204 vxr that terminates a 300 meg ethernet circuit as well as an mpls DS-3. CPU increases along with utilization of the ethernet circuit. When the utilization gets to around 150 Mbps on the receive, the cpu is maxed out at 100%. I am wondering if the router can support the amount of traffic coming through it. The majority of the traffic is voip using g729 codec, so packet size is small. We are nowhere close to peak utilization and cpu is at 39%. Here is what I see currently:
#sh ver
Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 12.4(15)T4, RELEASE SOFTWARE (fc2)
Technical Support: [URL] 1986-2008 by Cisco Systems, Inc.
Compiled Thu 13-Mar-08 10:40 by prod_rel_team
ROM: System Bootstrap, Version 12.3(4r)T3, RELEASE SOFTWARE (fc1)
BOOTLDR: 7200 Software (C7200-KBOOT-M), Version 12.3(15), RELEASE SOFTWARE (fc3)
uptime is 3 years, 1 week, 3 days, 6 hours, 40 minutes
System returned to ROM by Reload Command
System restarted at 08:26:49 UTC Wed May 14 2008
System image file is "disk2:c7200-advipservicesk9-mz.124-15.T4.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
[code].....
Aug 17, 2011
when using egress netflow (v9) and output marking.
The topology : Server <-----> R1 1>-----<1 R2 2>----<2 R3
R2 is a 7200 with c7200p-adventerprisek9-mz.124-15.T11.bin
What I'm doing :
- R2 forwards ping packets from Server to R3. When they arrive on R2, icmp packets are marked with CS3
- I change the DSCP to CS4 on R2 before forwarding packet to R3. I'm using for that an output service-policy on the R2-2 interface like this :
interface ATM2/0.36 point-to-point
ip address 192.168.1.1 255.255.255.252
ip flow ingress
ip flow egress
[Code]....
Dec 19, 2011
We have a cisco 7204 VXR and would like to know the module which has two fastethernet port. We tried a PA-2FEISL-TX but it did not work.
Mar 6, 2012
Today we got a new cisco 7204 with NPE-G2, so we wanna to configure to root for the internet so here is my scenario
1- Public Ip address =155.155.155.20
2 Private Ip Address =192.168.2.0 /24
3- Gateway = 155.155.155.1
4-DNS Server = 194.155.12.133
Interfaces:
1- Gigabit 0/1 - We put this for Public ip address
2- Gigabit 0/2 - and this for Private Ip address
How to route this for the internet? After routed we want our client computers to get internet from Gigabit 0/2 Interface
View 8 Replies
View Related
May 20, 2012
Is 633+ seconds (approximately 10 minutes) load time normal for a Cisco 7204 router? I find that it takes forever for the router to do "Self decompressing the image". I tried the latest IOS and tried different bootloaders but it doesn't seem to improve it?
View 2 Replies
View Related
Feb 28, 2010
We have point to point metro Ethernet link terminating on 7204VXR router. On this point to point link we are configuring GRE over IPsec. Problem is when the traffic exceeds 8mbps we start getting packet drops. From the Cisco documentation it seems the tunnel bandwidth is by default 8mbps and there is a parameter like Inherit/receive but those actually do not change the tunnel interface bandwidth. If we just give tunnel bandwidth with bandwidth mentioned it allows me to give option of 100mbps but again the tunnel interface bandwidth remains 8mbps only and probably that 100mbps is useful only for routing decisions.
I am using advance security 12.4.15T12 image. Whether this is a limitation or any other way to go beyond 8mbps for the tunnel interface (7204VXR-NPEG1 processor)
Jun 9, 2013
I'm trying to configure an egress netflow in a 6500 (VSS) with VS-S720-10G supervisor. I found some old posts and understood that netflow wasn't supported on 6500 but I found a new document and it seems that netflow is supported in Supervisor Engine 2T: [URL] Is netflow still not supported in VS-S720-10G? It's weird because the command is supported:
#sh run int vlan 4
Building configuration...
Current configuration : 353 bytes
!
interface Vlan4
ip address X.X.X.X 255.255.0.0
[code]....