Hi, I've managed to make it work but I still have a problem: I cannot interpret the data. Most of the traffic appears to come from an UNKNOWN AS: what does it mean? Thanks. Alessandro
Hi, I've configured Flexible Netflow on a Cisco ASR 1000, IOS XE Version 15.3(3)S2 to keep trace of the Source and Destination AS numbers of the traffic going to and coming from the Internet. This is an example of what I get with the command "show flow monitor Flow-Monitor cache format record" that shows the content of the Netflow local cache:

    IP SOURCE AS: 34618
    IP DESTINATION AS: 0
    INTERFACE INPUT: Gi0/0/1.907
    INTERFACE OUTPUT: Gi0/0/1.901
    FLOW DIRECTION: Input
    counter bytes: 80
    counter packets: 2
    timestamp first: 12:07:22.820
    timestamp last: 12:07:22.852

    IP SOURCE AS: 6739
    IP DESTINATION AS: 21469
    INTERFACE INPUT: Gi0/0/0.909
    INTERFACE OUTPUT: Gi0/0/0.950
    FLOW DIRECTION: Input
    counter bytes: 62
    counter packets: 1
    timestamp first: 12:07:15.557
    timestamp last: 12:07:15.557

    IP SOURCE AS: 0
    IP DESTINATION AS: 20746
    INTERFACE INPUT: Gi0/0/1.901
    INTERFACE OUTPUT: Gi0/0/1.907
    FLOW DIRECTION: Output
    counter bytes: 61890610
    counter packets: 62462
    timestamp first: 11:59:01.573
    timestamp last: 12:07:26.724

Most of the flows show IP SOURCE AS = 0 or IP DESTINATION AS = 0: what does it mean? Thanks. Alessandro
Hi, I'm using Whatsupgold as a Netflow collector. When I configure Flexible Netflow on a Cisco ASR 1000 as follows:

    flow exporter Whatsupgold
     destination 192.168.10.10
     source GigabitEthernet0/0/0.970
     ttl 10
     transport udp 9999
    flow monitor Flow-Monitor
     exporter Whatsupgold
     record netflow-original
    interface GigabitEthernet0/0/1.909
     ip flow monitor Flow-Monitor unicast input
     ip flow monitor Flow-Monitor unicast output

it works because the record is configured as "netflow-original" and it uses the old standard keys. But when I try to use a custom record like this:

    flow record AS-Path
     match routing source as peer
     match routing destination as peer
     match ipv4 destination address
     collect counter bytes long
     collect counter packets long
     collect timestamp sys-uptime first
     collect timestamp sys-uptime last
    !
    !
    flow monitor Flow-Monitor
     exporter Whatsupgold
     record netflow-original

Whatsupgold does not show anything. Is there something wrong with the configuration, or is there a compatibility issue between the new version of Netflow and Whatsupgold? Thanks Alessandro
Thanks Fnu for your kind reply, but if you have a look at the "show resource usage" I posted, you can see some values I can't understand. Focusing on ssl-connections:

Context A has a MIN = 1000, while MAX is 1000
Context B has MIN = 500 and MAX = 0
Context C has MIN = 250, and MAX = 0
Context D MIN = 1500 > MAX = 1200

and so on: how is it possible? And it's the same for other variables: the MAX column is 0 while MIN is "something" (or MIN > MAX). I really can't understand.
I configured a HTTPS-HEAD Keepalive in a GSS that fails even if the server responds correctly. The problem could be that the server responds with a not trusted certificate. Does anyone know what the GSS's behaviour is in this particular case? Thanks. Alessandro
Sorry guys, I've already caused two headaches and I feel a bit guilty... Seriously speaking, I just think there's a lack of good scenarios in books: they always show very simple situations and, in that way, they end up in not being exhaustive at all. Anyway, no rush, take your time, and thanks again!
But the question is: is that example correct? How is it possible that (assuming that all other port states are correct) on the network segment SW2-SW3 the Designated Port is on SW3 instead of SW2? If it were on SW3 it would mean that the cost of the path SW3-SW4-SW2-SW1 is lower than the cost of SW2-SW1, which is obviously impossible. I simply think we are discussing an impossible situation.
Hi Jon, thanks for your answer but I don't understand some of those ports' roles. Let's call Nxy the network that connects SWx and SWy, Cxy the cost associated to it (100 for Ethernet, 19 for FastEth., 4 for GigabitEth.), Pxy the port from where SWx "sees" SWy [i.e. (SW2)P23-----N23-----P32(SW3), C23 is N23's cost].

If I'm not mistaken, P32's and P23's role and state should be swapped (assuming that all other ports' roles and states are correct), with P23 as DP and P32 in Blocking state (since it's neither DP nor RP). This consideration comes from the fact that the DP on a network has to be chosen on the switch, connected to that network, with the smallest root path cost. SW3's root path cost is C12 + C24 + C34 (the one associated to the root port) that is obviously bigger than C12, that is SW2's root path cost. So the DP on N23 must be P23 on SW2.

As an example, you can assign these costs to the networks and the STP will lead to the same loop-free tree as in your drawing:

C12 = 4
C13 = 100
C23 = 19 (or 100)
C24 = 4
C34 = 4

Now, the two blocking ports are P31 and P32, both on SW3. Both BLK ports are also ALTN ports. The ALTN port that will be put into FW state in case of fault, will be the one receiving BPDUs with the best root path cost. If there's a fault on N12, SW3's P34 (the root port) won't be receiving BPDUs anymore (it's 802.1d STP's behaviour), and the same will happen to P32. So, the only available ALTN port will be P31. This port can be immediately put into forwarding state with no loop. Even if the fault happened on N24 or N34, the Uplinkfast would work, either with P32 as the best choice or P31 (depending on C23's value).

Of course I'm not saying that this is true in any case: simply I can't conceive an example where this is not true. Alessandro
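The port-role reasoning in the post above, worked through with its own link costs as an added example (not part of the original post). It assumes SW1 is the root bridge and that switch-name order stands in for bridge ID on ties; `stp_roles` and `alternate_ports` are hypothetical helper names.

```python
import heapq

# Link costs from the post (C23 = 19 variant); keys are the segments Nxy.
COSTS = {("SW1", "SW2"): 4, ("SW1", "SW3"): 100, ("SW2", "SW3"): 19,
         ("SW2", "SW4"): 4, ("SW3", "SW4"): 4}

def stp_roles(costs, root="SW1"):
    """Return (root_path_cost, roles); roles[(x, y)] is the role of port Pxy."""
    adj = {}
    for (a, b), c in costs.items():
        adj.setdefault(a, {})[b] = c
        adj.setdefault(b, {})[a] = c
    # Root path cost of each switch: shortest path to the root (Dijkstra).
    rpc, heap = {root: 0}, [(0, root)]
    while heap:
        d, sw = heapq.heappop(heap)
        if d > rpc[sw]:
            continue
        for nb, c in adj[sw].items():
            if d + c < rpc.get(nb, float("inf")):
                rpc[nb] = d + c
                heapq.heappush(heap, (d + c, nb))
    roles = {}
    # Root port: the port whose neighbour advertises the lowest total cost.
    for sw in adj:
        if sw != root:
            nb = min(adj[sw], key=lambda n: (rpc[n] + adj[sw][n], n))
            roles[(sw, nb)] = "RP"
    # Designated port: on each segment, the switch with the lower root path
    # cost (name order stands in for bridge ID on ties). The far end blocks
    # unless it is already that switch's root port.
    for a, b in costs:
        dp, other = sorted((a, b), key=lambda s: (rpc[s], s))
        roles[(dp, other)] = "DP"
        roles.setdefault((other, dp), "BLK")
    return rpc, roles

def alternate_ports(costs, sw, root="SW1"):
    """Blocked ports of sw, best first (lowest root path cost via that port)."""
    rpc, roles = stp_roles(costs, root)
    link = {frozenset(seg): c for seg, c in costs.items()}
    blocked = [n for (s, n), r in roles.items() if s == sw and r == "BLK"]
    return sorted(blocked, key=lambda n: rpc[n] + link[frozenset((sw, n))])

if __name__ == "__main__":
    rpc, roles = stp_roles(COSTS)
    print(rpc["SW3"], roles[("SW2", "SW3")], roles[("SW3", "SW2")])
    print(alternate_ports(COSTS, "SW3"))
```

Setting C23 to 100 instead of 19 leaves the port roles unchanged but reverses the order returned by `alternate_ports`, which is the dependence on C23 the post mentions.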
From the CCNP SWITCH Book: "The UplinkFast feature on Catalyst switches enables leaf-node switches or switches at the ends of the spanning-tree branches to have a functioning root port while keeping one or more redundant or potential root ports in Blocking mode. When the primary root port uplink fails, another blocked uplink immediately can be brought up for use. [...] UplinkFast also makes some modifications to the local switch to ensure that it does not become the root bridge and that the switch is not used as a transit switch to get to the root bridge. In other words, the goal is to keep UplinkFast limited to leaf-node switches that are farthest from the root." I don't get the point why the Uplinkfast should be enabled only on leaf-node switches. Can you give me an example of a transit switch where putting the port that receives suboptimal BPDUs into FW state, immediately after the failure of the link connected to the Root port, could bring to a loop? Thanks in advance for help. Alessandro.
Hello. We have a WAP Gateway architecture with three groups of servers that contain, each, a serverfarm of Wap Gateways and one Radius server (the three groups share the same VIP). We need the following behaviour: the Radius traffic that comes from the client (that points a VIP) is sent to one of the three Radius servers (round-robin). Then, the WAP traffic (type 1 or 2, that is WSP or HTTP protocol), that also points a VIP, is balanced across the WAP GW Servers of the same group of that Radius server. Is this possible with IOS SLB and how? Thanks a lot. Alessandro
I would like to know if it is possible to implement an architecture where a Load Balancer (CSS or CSM) transparently intercepts HTTP traffic and redirects it, with load balancing, to a group of proxy servers that performs IP spoofing. I know, from an example ( http://www.cisco.com/en/US/products/hw/contnetw/ps546/products_configuration_example09186a00801adbe2.shtml ) that, on the CSS, this is possible with a single proxy (in the example a Cisco Cache Engine), configuring two routes to the same destination (the client network), one that points the gateway and one the Cache. Is this feasible also with a number of proxies (or Cache Engines)? In this case, do I need just to add a route to the same destination that points every single proxy as a gateway? How to implement the same thing on the CSM? Thanks. Alessandro
Hello. In a CSM, when a real server fails, the relative SNMP trap does not contain the ip address of the real server. Is it possible to set SNMP in order to have the IP Address of the real server inserted in the trap? Thanks.
Hello. How does the HTTP Probe with Method GET work on CSM and what is the difference with CSS? CSS calculates the HASH of the web page it receives as a first answer and considers that as a REFERENCE HASH, to compare with subsequent answers. Is the behaviour of the CSM the same? In the CSS it is also possible to insert the HASH in the configuration as a reference HASH. I did not find such a command on the CSM. Is that feature not present on CSM? Thanks.
Thanks for your answer. I have another, more precise question about this issue: I know that some commands of CSM can result as disabled on some older version of Sup and MSFC software. Is it correct to say that, if I upgrade the CSM Software and verify that every command I need is enabled on the current Sup and MSFC, I can accept that release? In other words, is it sufficient to verify that one command is accepted, to say that it is correctly supported and working? If the answer is YES I just need to verify that the commands are enabled to accept a new version of CSM, without doing any new functional test. Thanks.