Cisco Switching/Routing :: Capturing Traffic Flows From 3750 To 6509 Then To Netflow
Aug 6, 2012
I am aware that the 3750 switches are not able to support Netflows, so I have created a SPAN port and spanning traffic from a specific port. I would like to create a seperate VLAN and trunk the traffic from the SPAN port down to the 6509 switch and then capture all the traffic for that VLAN on the 6509.
I have configured Span port on our 4510. We have an application 5view server to monitor trafic connected to G9/17 Since we have changed the network connection from physical Giga port and add a Port-channel instead, we don't see any more trafic from the new Port-channel to G9/17
I have a RSPAN session configured between a Cisco 3750 and Cisco 2950 switches and I dont see the traffic I am expecting to see on the destination port. I only see broadcast traffic .. HRSP hellos etc. Below is what I have configured on both switches.
At present we are having a 4900 series switch where we are running one monitor session.Additionaly we are in need of capturing VLAN traffic and set the destination to 2 * GE ports , both are in the same switch.Due to the limitation of two monitor sessions per switch , we thought of putting the destination ports as port channel but it looks like it is not supported.
We have Cisco Catalyst 6509-V-E VSS Switch with Sup2T und IOS Version 15.0(1)SY2. We are gettin input netflow information from the gi2/3/7 but not output ... I am not sure why it does not work.
I've been researching the 3750-x Netflow support but I'm not 100% sure of how much support it has. From what I've read the only way to get NetFlow support is to install a specific module that provides NetFlow. I also heard about how it might support s-flow but I haven't found out for sure.
We have a Cisco 2811 running ITP IOS. On that router we run the SMPP service. A client on the network connects to this service, and we need to capture the traffic for debug.
I've tried traffic-export, but I cannot see any outbound traffic.I'm guessing that this is due to the fact that the outbound SMPP traffic is not transit traffic as it is generated by the router itself.
Any major difrrence between Netflow v/s Netflow-Lite?
I am trying to understand if Cisco 4948E can do the same job as Cisco 4500E or not and difference between Netflow v/s Netflow-Lite will work for me to select correct product.
Got servers in vlan 10 ip range 10.0.0.0 and servers in vlan 20 ip range 20.0.0.0 at the same layer 3 switch. (c6509 sup720)I would like to block TCP traffic initiated from Vlan 20 to Vlan 10. But the servers in Vlan 10 needs to be able to open an TCP connections to Vlan 20 did test with the ACL thats blocking (ack/established/syn) but unable to get it to work.Or it works both directions or is works non directions.
We have a Catalyst 6509 switch, and we hope to use policy based routing to redirect http traffic to my proxy server, where I can find the configuration example?
i recently identified all switch ports in my network on 6509 core were Transmitting Mail server Exchange traffic that was destined for Unicast NLB cluster. and it was impacting various HOST machines NIC cards/performance.After reading this article, i moved NLB CAS servers behind a dedicated cisco Switch.
[URL]
Now My core switch can learn mac address across its trunk port where CAS servers are connected on dedicated switch. but still i can see traffic Transmitting out to my all switch ports of same VLAN ( same as NLB VLAN).
On a Catalyst 6509 switch I have configured wccp protocol in order to redirect the Http traffic to a Bluecoat SG8100. It was working fine until a new L3 interface implementation.Thereafter I was unable to redirect the http traffic due to an error reported from the Cat6509: [code] After some checks I supposed that the problem should be the UDP 2048 port connection between the Switch and the Bluecoat while the switch L3 port and the bluecoat are on the same Lan. A deep analysis found that the WCCP protocol seems to be as follow:
-Proxy address 10.64.28.240 to Switch Port 10.64.28.250 Here I Am -Switch Port 10.64.28.250 to Proxy address 10.64.28.240 I See You -Switch Port 10.66.0.251 to Proxy address 10.64.28.240 UDP 2048 packet (dropped by firewall)
It's strange to me that the first dialog is correctly handled by the correct Cat6509 interface while the UDP packets are flowing from another Vlan interface not configured with the WCCP and apparently not involved on the protocol.Last of all the WCCP is now disabled and unusable?
I'm receiving multicast traffic (400Mbps) on port 9/38 and sending it out on port gi9/48. I'm trying to achieve that traffic will stay within the card without using the switchfabric,
We run a workers camp here and we currently have around 2500-3000 people using our 100MB internet pipe. We are upgrading the pipe to 200MB soon but I still would like to limit how much bandwidth everyone is using.
We allow streaming media such as Netflix, youtube, apple TV and of course .So it gets full pretty fast. We have QOS implemented although I wasn't here when it was done so I don't know a lot about it. I would like to limit IPs to a certain amount of bandwidth. [code]
We are a new medical school located in PA. Just have just completed a new building and are now working on getting our network finished. Here is the situation we have a 50MB Internet Connection that comes into our network that then hits the ISPs Cisco 3750 which sends it to two of our Cisco 3750s for redundancy. From the 3750 goes into our Cisco 6509 with a FWSM module, then out from there to our distribution switches which are all Cisco 2960s.
What we would like to do is to control how much WAN connectivity each of our VRFs get. Right now we have a Faculty, Student, and Research VRF formed, and are trying to figure out the best spot where we can say Faculty gets 30MB of Bandwidth, Students gets 10, and Research gets 10. If possible would like burst capabilities.
So I've just discovered the Cisco ASA is not capable of performing policy-based routing.
I am in a position where I need to manipulate traffic flows from the inside network outwards for TCP80 & TCP443 traffic toward a transparent proxy server while default routing the remainder of the non-matching traffic.
Can anybody think of a way to do this with the ASA? Would a destination NAT work?
For example:
nat (inside,outside) source static any any destination obj_any proxy_object service tcp 80 80 nat (inside,outside) source static any any destination obj_any proxy_object service tcp 443 443
We have a 6509 series of core switches and 3750 series of L2 switches, There is no default gateway or any static routes to any IP.VLAN 1 is made admin down and another vlan is used for all communication here in this environment
Attached is configuration for reference But still I am able to take telnet or SSH. I want to know how telnet or SSH or tacacs authentication happens without any static or default route.
We have a pair of 6509 working in a VSS configuration (IOS 12.2(33)SX5). The 6509s connect to a pair of ASAs (7.2 code) running in an Active/Standby setup. These ASAs in turn connect to routers going to remote sites. I have configured Netflow on the following VLANS,
VLAN 10 - Servers Vlan VLAN 9 - Transit/ASA VLAN (connects ASAs to 6509s). All traffic originating from any VLAN on the 6509 crosses this VLAN in order to reach remote sites and vice versa
I configured the netflow source VLAN 11 although I am not collecing any netflow from it.Although I have been getting lots of Netflow info, I noticed that netflow for traffic originating from any user VLAN on the 6509s going to any remote site via TRANSIT/ASA VLAN(9) does not get reported, I even tested with 4 GB traffic but no result. Only reverse traffic (i.e. from remote site to user VLAN) is reported as it traverses the Transit VLAN (9).
I read somewhere that egress netflow is not supported in 6500, but isnt traffic originating from a user vlan to a remote site via the transit VLAN (9) considered ingress with respect to the transit VLAN (9)? I would like to know whether bidirectional Netflow is supported on 6500 VLANS. I have mimimum control on routers beyond the ASAs, and since these ASAs run 7.2 code netflow is not supported, and Monitoring this Transit Vlan gives me extremely useful info.
I do get netflow biderectional traffic from the Server Vlan 10, but I think it is correlated by the netflow collector from vlans 9 and 10. [code]
I am planning to upgrade the current core switch(3750) to 6509 series switch. Since we have a production network running we have to plan for an online core switch upgrade.
Been dealing with a strange problem for several days now. It started out with a problem that I thought was VTP related but ended up being something else. I setup a span port on a 3750 that I am connected to that was mirroring the trunk connection coming into the switch.
Never saw an VTP traffic come across the connection but doing a sh vtp status indicated the traffic was arriving and getting processed. When I found some debug commands (debug sw-lan vtp), I was also able to see the packets go between switches. Seeing this issue concerns me that there is other traffic that isnt showing up during a span session.
I know that doing a span on a switch, especially using a trunk port as a source, isnt a good idea. Since I didnt have a TAP at time, this was my only choice. I have since borrowed a NetOptics TP-CU3 tap from a good friend and was able to confirm the VTP traffic was going across the trunk connection between switches.
Have a quick question regarding inter-vlan routing on a 3750. Overview of network is ISP --> ASA --> 3750 (acting as my core and default gw). I have 5 vlan interfaces on my 3750, all w/ 192.192.x.x subnets, a 6th w/ 192.168.100.x, and a 7th w/ 192.168.200.x. I have enabled "ip routing" on the switch and can successfully ping from subnet A to subnet B as long as both devices are using the correct DG for their vlan, which is the switch. I have a few ports that are trunked as well that go to ESX hosts which break out the vlans according to the subnet the vm should be attached to. The ASA is set to nat internal traffic for all the vlans.
Now my question: short of applying an ACL to each vlan interface to block traffic from other 192.192.x.x subnets is there a better way to accomplish this? I want my 192.168.10.x subnet to be able to reach all the subnets, but don't want 192.192.10.x to be able to talk to 192.192.20.x for example. I was thinking to create an acl like this:
access-list 120 permit ip 192.192.10.0 0.0.0.255 access-list 120 deny ip 192.192.0.0 0.0.255.255 192.192.10.0 0.0.0.255access-list 120 permit ip any 192.168.100.0 0.0.0.255 192.192.10.0 0.0.0.255
and then applying this to the interface for the appropriate vlan.
We have a remote office with a Cisco 3750-X switch with the IP-Services feature set connected via dark-fiber to a 6509-E at the corporate office. We plan on migrating the remote office to a new network (new acquisition) to subnet 10.10.10.0 on VLAN 20 which has an existing subnet of 192.168.100.0 and we would like to run both in parallel using their existing switches (Dell) and the new 3750-X.
I’m curious as to the best way to keep the traffic local between the two subnets using the 3750-X and if necessary put the 192.168.100.0 network on a VLAN. I thought about routing between the two networks via IP routing on the 3750-X but the new workstations default gateway is the 6509-E and existing workstations is a SonicWALL within the remote office. The default gateway for the new workstations can be moved from the 6509-E as a last resort.
I have 2 new 3750g devices in a small environment. switch1 acts as our collapsed core and has ip routing enabled, and is connected to a ASA 5510. There are 3 HP l2 switches connected to switch1 as well. switch2 is simply a server switch. switch1 and switch2 have a 2port etherchannel between them, and a vlan trunk carrying 4 vlan's. traffic between any 2 hosts on switch2 (same vlan) are slow. (average 300Mbits/sec) If I move one of those hosts to switch1, speeds increase by 3 times. (average 900 Mbits/sec). Additionally, traffic between any 2 hosts on switch1 are quick. testing is done with iperf as well as timing 1gig file transfers.
I don't see any errors or drops anywhere, and there are no other symptoms other than slow transfer beteween hosts on switch2. I just got 2 more of these 3750's to put in a 2nd site that we have, put a quick configuration on them, and have the same result. Other than switch1 having ip routing enabled, the configs are pretty much identical.
Quick question. I have a site - site tunnel that is up and running between a Pix 515E and a 3050 appliance.Tunnel is up and running but on the pix side I dont see traffic from a couple of subnets behind the inside interface.On the vpnallow access list there are no hits So I setup a capture on the inside interface to see if the packets is making it to the inside interface and nothing. There is some traffic making it thru the tunnel that would have to hit the inside int first and even that doesnt showup in the capture.
I want to know if there is way to tag traffic with DCSP tags without having to do all the other requirments of QOS setup. All i want to do is just tag traffic at different DCSP values via source and destination IPs. We do not have a need to be priortizing traffic on out internal switches. We just want to tag the traffic so our MPLS provider can distinguish the different types of traffic.
Our environments is primarily 3750s in all offices.
we have three separated network segments going to one Cisco 3750 switch all is L2 .. from this switch is 100 mbit uplink.we need to apply some Qos mechanism not to saturate line by traffic from one network.. Configuration from various reason CANNOT be done on switch where 100Mbit line is terminated.. so all must be done on SW1,2,3..Correct me if iam wrond but as switches doesnt see traffic from other network iam affraid only think we can do is limit bandwidth on links going into SW1,2,3 to 33 Mbit.I found commad srr-queue bandwidth limit.But links going to SWs are 1Gbit so if i force bandwidth to 10% (minimum what command allows) its 100 Mbit..If I force speed on those links to 100Mbit and than apply srr-queue bandwidth limit to 30% doest it work.??. Will srr-queue bandwidth limit speed to 30Mbit?? Or srr-queue bandwidth limit is calculated from maxim speed of interface?
I am trying to mark http packets from a web server with DSCP ef, but when I am doing a traffic capture all http packets have tos 0x0.I am able to mark UDP and ICMP packets originated from this server, but not any TCP traffic.The web server is in VLAN 20This is my config mls qos ip access-list extended MARK-HTTP-ACL permit tcp host 10.10.10.10 eq www. [code]
We would like to setup a link to our DR site that is separate from our main network traffic. This link will be used by an EMC VNX SAN for replication traffic. The SAN will be plugged into a fiber port on a 3750 switch and going out from the same switch (going in as multimode, going out as single mode) into a patch panel that runs over to the DR site (about a mile away). At the DR site it will go from the fiber panel into another 3750 switch which ends up going back out of that switch into our DR SAN.
I'm wondering what the best way would be to configure the fiber ports to accomplish this. I'm affraid that the replication traffic will find it's way over through another route and congest our main network unless configured appropriately.
Unable to limit traffic on catalyst 3750 gigabit ports it has fiber modules,
I want to limit traffic 2mb per port
I have tried srr-queue and policier but it is not working and there is no ratelimit command under any interface, Applying policy to output is not supported of the interface
policy-map rate-limit class class-default police 2000000 8000 exceed-action drop int gi1/0/3 service-policy input rate-limit