Hello everyone, Is there a way to configure Netflow not to export DHCP traffic? I'm exporting flows from an ISR 1941 router to nProbe and I don't want to see traffic between 0.0.0.0 and 255.255.255.255.
So I configured this on a real router (1941) and it works as expected. The problem with Packet Tracer may be due to the IOS/device difference or a bug.
It gets interesting. Changing the class map from

class-map type inspect match-all LAN->WAN_CMAP
match input-interface FastEthernet0/0

to

class-map type inspect match-all LAN->WAN_CMAP
match protocol icmp

fixes the problem, but when PAT is configured it breaks similarly. Pinging from the LAN zone to the WAN zone fails with "encapsulation failed" for the incoming reply and Packet Tracer also says that the ZBF cannot find a zone pair. I just don't get it.:

Router#debug ip packet
Packet debugging is on
Router#
!--- Outgoing packet has no problem ---
IP: tableid=0, s=10.0.0.2 (FastEthernet0/0), d=10.0.1.2 (FastEthernet0/1), routed via RIB
IP: s=10.0.0.2 (FastEthernet0/0), d=10.0.1.2 (FastEthernet0/1), g=10.0.1.2, len 128, forward
!--- Incoming packet cannot be encapsulated, due to ZBF not finding a zone pair (according to Packet Tracer) ---
IP: tableid=0, s=10.0.1.2 (FastEthernet0/1), d=10.0.0.2 (FastEthernet0/0), routed via RIB
IP: s=10.0.1.2 (FastEthernet0/1), d=10.0.0.2 (FastEthernet0/0), g=10.0.0.2, len 128, forward
IP: s=10.0.1.2 (FastEthernet0/1), d=10.0.0.2 (FastEthernet0/0), len 128, encapsulation failed

Router#sh run
Building configuration...
Current configuration : 1112 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
no ip domain-lookup
!
!
spanning-tree mode pvst
!
class-map type inspect match-all LAN->WAN_CMAP
match protocol icmp
!
policy-map type inspect LAN->WAN_PMAP
class type inspect LAN->WAN_CMAP
inspect
!
!
!
zone security WAN
zone security LAN
zone-pair security LAN->WAN source LAN destination WAN
service-policy type inspect LAN->WAN_PMAP
!
!
interface FastEthernet0/0
description LAN
ip address 10.0.0.1 255.255.255.0
zone-member security LAN
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
description WAN
ip address 10.0.1.1 255.255.255.0
zone-member security WAN
ip nat outside
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip classless
!
ip flow-export version 9
!
!
access-list 1 permit 10.0.0.0 0.0.0.255
!
no cdp run
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
Can you guys help me figure this out? Inter-zone communication is interrupted with "encapsulation failed". This is a minimal proof of concept simulation in Packet Tracer to start getting into ZBF. One router with two interfaces, each on one zone: LAN and WAN. A host on each side. The policy map inspects traffic entering through the LAN interface. My intention is to only allow interzone packets for traffic originated in the LAN. Debugging failed pings LAN->WAN shows:

IP: tableid=0, s=10.0.0.2 (FastEthernet0/0), d=10.0.1.2 (FastEthernet0/1), routed via RIB
IP: s=10.0.0.2 (FastEthernet0/0), d=10.0.1.2 (FastEthernet0/1), g=10.0.1.2, len 128, forward
IP: s=10.0.0.2 (FastEthernet0/0), d=10.0.1.2 (FastEthernet0/1), len 128, encapsulation failed

Router#sh run
Building configuration...
Current configuration : 1099 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
no ip domain-lookup
!
!
spanning-tree mode pvst
!
class-map type inspect match-all LAN->WAN_CMAP
match input-interface FastEthernet0/0
!
policy-map type inspect LAN->WAN_PMAP
class type inspect LAN->WAN_CMAP
inspect
!
!
!
zone security WAN
zone security LAN
zone-pair security LAN->WAN source LAN destination WAN
service-policy type inspect LAN->WAN_PMAP
!
!
interface FastEthernet0/0
description LAN
ip address 10.0.0.1 255.255.255.0
zone-member security LAN
duplex auto
speed auto
!
interface FastEthernet0/1
description WAN
ip address 10.0.1.1 255.255.255.0
zone-member security WAN
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
ip classless
!
ip flow-export version 9
!
!
!
no cdp run
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end

Thanks a lot!

EDIT: Inspecting the packet encapsulation in Packet Tracer it shows: "Zone-Based Policy Firewall does not find a zone pair." I only have one zone pair LAN->WAN. Isn't ZBF NAT-aware?
My goal is to make the WAN interface of my router "stealth" to unsolicited TCP incoming packets. That is so that it simply drops packets without a match in the NAT table instead of replying ICMP host unreachable. The router is behind my ISP modem and it's NATting between the LAN and WAN. I configured Zone Based Firewall (ZBF) but a scan of the WAN still sees the ports closed instead of stealth. I'd greatly appreciate any insights. This is my configuration:

class-map type inspect match-all LAN_TO_WAN_CLASS_MAP
match access-group 1
!
policy-map type inspect LAN_TO_WAN_POLICY
class type inspect LAN_TO_WAN_CLASS_MAP
inspect
class class-default
drop log
!
zone security LAN
zone security WAN
zone-pair security LAN_TO_WAN source LAN destination WAN
service-policy type inspect LAN_TO_WAN_POLICY
!
interface GigabitEthernet0/0
description WAN
ip address dhcp client-id GigabitEthernet0/0
ip nat outside
ip virtual-reassembly in
zone-member security WAN
duplex auto
speed auto
no cdp enable
!
interface GigabitEthernet0/1
description LAN
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security LAN
duplex auto
speed auto
!
ip forward-protocol nd
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
access-list 1 permit 192.168.0.0 0.0.255.255
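Added example for the two ZBF posts above (my own Python, not code from either post or from Cisco): a small model of the zone-pair lookup and of the session table that an `inspect` action creates, using the LAN/WAN zones and interfaces from the posted configs; it ignores NAT and class-map matching, and the 198.51.100.9 scanner address is constructed. It shows that the reply to an inspected LAN->WAN ping is admitted by the session entry rather than by a WAN->LAN zone pair, and that packets addressed to the router itself fall into the implicit self zone, which ZBF permits by default when no zone pair names it, so the router's own stack answers a WAN scan.

```python
from dataclasses import dataclass, field

SELF = "self"  # the router's own addresses form the implicit "self" zone


@dataclass
class Zbf:
    zones_of: dict                 # interface name -> zone name
    pairs: dict                    # (src_zone, dst_zone) -> "inspect" | "pass" | "drop"
    sessions: set = field(default_factory=set)   # (src, dst, proto) created by inspect

    def zone(self, iface):
        return SELF if iface == SELF else self.zones_of[iface]

    def decide(self, in_if, out_if, src, dst, proto):
        """Verdict for one packet; records a session when an inspect policy admits it."""
        sz, dz = self.zone(in_if), self.zone(out_if)
        # Return traffic of an inspected session is admitted by the session
        # table, so no WAN->LAN zone pair is needed for the reply.
        if (dst, src, proto) in self.sessions:
            return "pass (session)"
        if sz == dz:
            return "pass (intra-zone)"
        action = self.pairs.get((sz, dz))
        if action is None:
            # No zone pair: traffic to/from the self zone is allowed by default,
            # traffic between two configured zones is dropped.
            return "pass (self zone default)" if SELF in (sz, dz) else "drop (no zone pair)"
        if action == "inspect":
            self.sessions.add((src, dst, proto))
            return "inspect (session created)"
        return action


def demo():
    """Walk the posted topology: Fa0/0 in LAN, Fa0/1 in WAN, one LAN->WAN pair."""
    fw = Zbf(zones_of={"Fa0/0": "LAN", "Fa0/1": "WAN"},
             pairs={("LAN", "WAN"): "inspect"})
    # Constructed packets: the LAN host pings the WAN host and gets a reply.
    req = fw.decide("Fa0/0", "Fa0/1", "10.0.0.2", "10.0.1.2", "icmp")
    rep = fw.decide("Fa0/1", "Fa0/0", "10.0.1.2", "10.0.0.2", "icmp")
    # Unsolicited WAN packets: one aimed at a LAN host, one at the router's WAN address.
    to_lan = fw.decide("Fa0/1", "Fa0/0", "198.51.100.9", "10.0.0.2", "tcp")
    to_router = fw.decide("Fa0/1", SELF, "198.51.100.9", "10.0.1.1", "tcp")
    # Hardening: an explicit WAN->self zone pair with a drop policy silences the router.
    fw.pairs[("WAN", SELF)] = "drop"
    to_router_hardened = fw.decide("Fa0/1", SELF, "198.51.100.9", "10.0.1.1", "tcp")
    return req, rep, to_lan, to_router, to_router_hardened
```

On a real router a WAN->self policy must still permit what the router itself needs on that interface (the DHCP client on Gi0/0 in the second config, for instance) before its class-default drops the rest.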
That was very helpful. Based on your explanation and chart, I remembered that my set channel width for the ac radio currently was 40 MHz. I bumped it to 80 MHz and got the expected 867 Mbps back on both clients. Looks like the Netgear R7000 does that automatically because it's nowhere in its GUI.
Here's the output:
(R01k_WLC) >show client detail F8:16:54:DB:8F:62
Client MAC Address............................... f8:16:54:db:8f:62
Client Username ................................. N/A
AP MAC Address................................... 58:97:1e:b2:8c:e0
AP Name.......................................... R01k_AP
AP radio slot Id................................. 2
Client State..................................... Associated
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 2
Hotspot (802.11u)................................ Not Supported
BSSID............................................ 58:97:1e:b2:8c:e6
Connected For ................................... 816 secs
Channel.......................................... 153
IP Address....................................... 192.168.1.110
Gateway Address.................................. Unknown
Netmask.......................................... Unknown
IPv6 Address..................................... fe80::40b7:c647:3442:ade0
Association Id................................... 1
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Session Timeout.................................. 1800
Client CCX version............................... 4
Client E2E version............................... 1
QoS Level........................................ Silver
Avg data Rate.................................... 0
Burst data Rate.................................. 0
Avg Real time data Rate.......................... 0
Burst Real Time data Rate........................ 0
802.1P Priority Tag.............................. disabled
CTS Security Group Tag........................... Not Applicable
KTS CAC Capability............................... No
WMM Support...................................... Enabled
APSD ACs....................................... BK BE VI VO
Power Save....................................... OFF
Current Rate..................................... m9/400.0
Supported Rates.................................. 6.0,9.0,12.0,18.0,24.0,36.0,
............................................. 48.0,54.0
Mobility State................................... Local
Mobility Move Count.............................. 0
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
Audit Session ID................................. c0a801030000000f567f7d64
AAA Role Type.................................... none
Local Policy Applied............................. none
IPv4 ACL Name.................................... none
FlexConnect ACL Applied Status................... Unavailable
IPv4 ACL Applied Status.......................... Unavailable
IPv6 ACL Name.................................... none
IPv6 ACL Applied Status.......................... Unavailable
Layer2 ACL Name.................................. none
Layer2 ACL Applied Status........................ Unavailable
mDNS Status...................................... Enabled
mDNS Profile Name................................ default-mdns-profile
No. of mDNS Services Advertised.................. 0
Policy Type...................................... WPA2
Authentication Key Management.................... PSK
Encryption Cipher................................ CCMP (AES)
Protected Management Frame ...................... No
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ management
VLAN............................................. 0
Quarantine VLAN.................................. 0
Access VLAN...................................... 0
Client Capabilities:
CF Pollable................................ Not implemented
CF Poll Request............................ Not implemented
Short Preamble............................. Not implemented
PBCC....................................... Not implemented
Channel Agility............................ Not implemented
Listen Interval............................ 250
Fast BSS Transition........................ Not implemented
Client Wifi Direct Capabilities:
WFD capable................................ No
Manged WFD capable......................... No
Cross Connection Capable................... No
Support Concurrent Operation............... No
Fast BSS Transition Details:
Client Statistics:
Number of Bytes Received................... 866230
Number of Bytes Sent....................... 1235826
Total Number of Bytes Sent................. 1235826
Total Number of Bytes Recv................. 866230
Number of Bytes Sent (last 90s)............ 447079
Number of Bytes Recv (last 90s)............ 344915
Number of Packets Received................. 3759
Number of Packets Sent..................... 3081
Number of Interim-Update Sent.............. 0
Number of EAP Id Request Msg Timeouts...... 0
Number of EAP Id Request Msg Failures...... 0
Number of EAP Request Msg Timeouts......... 0
Number of EAP Request Msg Failures......... 0
Number of EAP Key Msg Timeouts............. 0
Number of EAP Key Msg Failures............. 0
Number of Data Retries..................... 10970877236
Number of RTS Retries...................... 0
Number of Duplicate Received Packets....... 0
Number of Decrypt Failed Packets........... 0
Number of Mic Failured Packets............. 0
Number of Mic Missing Packets.............. 0
Number of RA Packets Dropped............... 0
Number of Policy Errors.................... 0
Radio Signal Strength Indicator............ -58 dBm
Signal to Noise Ratio...................... 35 dB
Client Rate Limiting Statistics:
Number of Data Packets Recieved............ 0
Number of Data Rx Packets Dropped.......... 0
Number of Data Bytes Recieved.............. 0
Number of Data Rx Bytes Dropped............ 0
Number of Realtime Packets Recieved........ 0
Number of Realtime Rx Packets Dropped...... 0
Number of Realtime Bytes Recieved.......... 0
Number of Realtime Rx Bytes Dropped........ 0
Number of Data Packets Sent................ 0
Number of Data Tx Packets Dropped.......... 0
Number of Data Bytes Sent.................. 0
Number of Data Tx Bytes Dropped............ 0
Number of Realtime Packets Sent............ 0
Number of Realtime Tx Packets Dropped...... 0
Number of Realtime Bytes Sent.............. 0
Number of Realtime Tx Bytes Dropped........ 0
Nearby AP Statistics:
R01k_AP(slot 0)
antenna0: 215 secs ago................... -37 dBm
antenna1: 215 secs ago................... -31 dBm
R01k_AP(slot 1)
antenna0: 212 secs ago................... -60 dBm
antenna1: 212 secs ago................... -50 dBm
R01k_AP(slot 2)
antenna0: 212 secs ago................... -59 dBm
antenna1: 212 secs ago................... -54 dBm
DNS Server details:
DNS server IP ............................. 0.0.0.0
DNS server IP ............................. 0.0.0.0
Assisted Roaming Prediction List details:
Client Dhcp Required: False
Allowed (URL)IP Addresses
(R01k_WLC) >
I just set up a 3602I AP with an RM3000AC 802.11ac module and a WLC 2504. Now my ac capable clients are reporting 400 Mbps connected to the 5 GHz ac. The thing is these same devices reported more than 800 Mbps before when connected to an ac consumer router Netgear R7000.
I am using the same channels and automatic radio power now. Am I missing something here?
The specs sheet for the 802.11ac module AIR-CAP3602I-A-K9 does mention CleanAir. However, I have this module inserted into an AP AIR-CAP3602I-A-K9 controlled by a WLC AIR-CT2504-5-K9 and the ac radio is showing as not CleanAir capable. Is this a limitation of the WLC or am I missing something?
Thanks!
Hello.
I see that the output for #show dot11 associations has a Name column. I wonder if it is possible to assign an arbitrary name to the associated clients in order to distinguish them better.
I bought an AIR-CAP3602I-A-K9 AP recently to dive into the APs world. Yesterday I turned it into autonomous and now I'm setting it up.
Thanks!