I need to make sure that our Nexus switches are hardened on the Internet and I'm really bothered that the ACL for SNMP works but leaves the port open. The ACL works in that if I attempt this from a host not allowed in the ACL, the Nexus will not acce...
Question Summary: How do I set the p-bit (COS value) for multicast traffic ingressing on an interface? Additional details: Although I have had success matching all IP traffic ingressing from the encoder/streamer (multicast source), I want to match only m...
Problem: My traffic coming inbound appears to be marked but is not marked when egressing. Setup: Ingress from encoder G3/9 ->> Egress G8/1. Default DSCP/COS map table (DSCP 24 is COS 3). Cos-dscp map: cos: 0 1 2 3 4 5 6 7 -----------...
It seems that MAC filtering and PACLs are rather straightforward, but it's not working on my L2 interface. Port security works, but this is not useful when trying to filter based on OUI. What am I doing wrong in my config? Linux box: Obviously on the sam...
Goal: How do I disable these ICMP messages on my ASA? Version 8.0(3)6. Problem: In my log file I have 343520 entries per hour of just ICMP messages! We're installing some new equipment and it does a plentiful amount of ICMP traffic which is used for its...
So the solution is to place an additional ACL to block SNMP on each port exposed to the Internet to make the SNMP ACL work properly? That isn't sound engineering and I hope that's not Cisco's answer. FYI: I use the OOBM interface for management, syslo...
Success! Using this extended list to specify the multicast works as needed: access-list 104 permit udp any 224.0.0.0 15.255.255.255 This is different from the ACL I found in a posting earlier, which doesn't work: access-list 81 permit 224.0.0.0 15.255.255.255
I found that matching on the destination port number works as well: access-list 104 permit udp any any eq 8208 sho policy-map int g3/9 input GigabitEthernet3/9 Service-policy input: MARK_INBOUND_IPTV class-map: IPTV (match-all) Match: ...
Quick follow-up on my old post. Not seeing the tags was a SPAN bug. The simple fix is to choose a higher session number. For instance, I tried the same source/destination ports but as session 3 and it works. This was determined through a TAC case.
Port security works, but I can't use a wildcard mask to filter based on OUI. What solutions are available to me if MAC filtering and VACLs are not applicable?