[c-nsp] cisco-nsp Digest, Vol 60, Issue 37

Vikas Sharma vikassharmas at gmail.com
Mon Nov 12 06:08:40 EST 2007


Hi Peter,

Thanks, FWSM provides HSRP kind of functionality.... my question is answered.

Regards
Vikas Sharma

On Nov 12, 2007 3:47 PM, <cisco-nsp-request at puck.nether.net> wrote:

> Today's Topics:
>
>   1. Re: unsuppress-map : is this correct? (Collins, Richard (SNL US))
>   2. Re: WAAS (Brett Looney)
>   3. Re: WAAS (Brett Looney)
>   4. Re: ios fw & pptp &  12.4(17.8)T (Gert Doering)
>   5. Re: traffic flow in 6500 switch with FWSM and IDSM (Vikas Sharma)
>   6. Re: traffic flow in 6500 switch with FWSM and IDSM (Peter Rathlev)
>   7. hsrp and igp (Pavel Gulchouck)
>   8. Re: hsrp and igp (Phil Mayers)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 11 Nov 2007 09:50:47 -0800
> From: "Collins, Richard (SNL US)" <richard.1.collins.ext at nsn.com>
> Subject: Re: [c-nsp] unsuppress-map : is this correct?
> To: <cisco-nsp at puck.nether.net>
> Message-ID: <5EB3F2186312524B9473E17C1B5D6423184FE357 at USNWK101MSX.ww017.siemens.net>
>
> Content-Type: text/plain;       charset="us-ascii"
>
> It did seem to work for me in the lab.  I believe you have to use
> standard ip access lists and not prefix lists in the route-map.
>
>
> Here is the peer router R4 without the unsuppress-map being used (shows
> only aggregate).
>
> Rack1R4#sh ip bgp
> BGP table version is 7, local router ID is 4.4.4.4
> Status codes: s suppressed, d damped, h history, * valid, > best, i -
> internal,
>              r RIB-failure, S Stale
> Origin codes: i - IGP, e - EGP, ? - incomplete
>
>   Network          Next Hop            Metric LocPrf Weight Path
> *> 197.22.5.0       6.6.6.6                                0 6 5 i
> *> 197.68.0.0/16    6.6.6.6                  0             0 6 5 i
> *> 197.68.21.0      6.6.6.6                                0 6 5 i
> Rack1R4#
>
> After I put the unsuppress in the peer, I get back two of the three
> specific networks I wanted.
>
> Rack1R4#sh ip bgp
> BGP table version is 15, local router ID is 4.4.4.4
> Status codes: s suppressed, d damped, h history, * valid, > best, i -
> internal,
>              r RIB-failure, S Stale
> Origin codes: i - IGP, e - EGP, ? - incomplete
>
>   Network          Next Hop            Metric LocPrf Weight Path
> *> 197.22.5.0       6.6.6.6                                0 6 5 i
> *> 197.68.0.0/16    6.6.6.6                  0             0 6 5 i
> *> 197.68.3.0       6.6.6.6                                0 6 5 i
> *> 197.68.5.0       6.6.6.6
>
>
> Here is the upstream Router R6
>
> Rack1R6#sh ip bgp
> BGP table version is 15, local router ID is 155.1.0.6
> Status codes: s suppressed, d damped, h history, * valid, > best, i -
> internal,
>              r RIB-failure, S Stale
> Origin codes: i - IGP, e - EGP, ? - incomplete
>
>   Network          Next Hop            Metric LocPrf Weight Path
> *> 197.22.5.0       10.10.56.5               0             0 5 i
> *> 197.68.0.0/16    0.0.0.0                       100  32768 5 i
> s> 197.68.3.0       10.10.56.5               0             0 5 i
> s> 197.68.5.0       10.10.56.5               0             0 5 i
> s> 197.68.21.0      10.10.56.5               0             0 5 I
>
> router bgp 6
>  no synchronization
>  bgp log-neighbor-changes
>  aggregate-address 197.68.0.0 255.255.0.0 as-set summary-only
> ..
>  neighbor 4.4.4.4 unsuppress-map map1
>  neighbor 10.10.56.5 remote-as 5
>  no auto-summary
> !
>
> access-list 3 permit 197.68.3.0
> access-list 5 permit 197.68.5.0
>
> !
> route-map map1 permit 10
>  match ip address 3 5
>
>
> -Rich
>
>
>
>
> On Sat, Nov 10, 2007 at 06:44:02PM +0200, Tassos Chatzithomaoglou wrote:
> > According to:
> >
> > http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hirp_r/rte_bgh2.htm#wp1115114
> >
> > "To selectively advertise routes previously suppressed by the
> > aggregate-address command, use the neighbor unsuppress-map command in
> > address family or router configuration mode".
> >
> > Which, if I understand correctly, means that whatever route-map you
> > use in unsuppress-map, it only influences the prefixes that were
> > suppressed by using the "aggregate-address" command.
> >
> > I have a case where I use this command and although the specific
> > network I define in the route-map is correctly unsuppressed, all the
> > other networks (which were not being summarized, but were being
> > advertised) are now suppressed. Am I doing something wrong?
> >
> > --
> > Tassos
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 12 Nov 2007 08:09:50 +0900
> From: "Brett Looney" <brett at looney.id.au>
> Subject: Re: [c-nsp] WAAS
> To: <cisco-nsp at puck.nether.net>
> Message-ID: <0c9001c824b7$fd07a190$f716e4b0$@id.au>
> Content-Type: text/plain;       charset="Windows-1252"
>
> > On Nov 9, 2007 1:39 AM, Brett Looney <brett at looney.id.au> wrote:
> > > > AFAIK, no tunnel between WAE boxes? is it correct? how can this
> > > > work?
> > >
> > > No tunnel. Only the data segment of the packet is compressed - headers
> > > are left alone. This lets the router still do QoS, etc.
> >
> > Regarding the following setup:
> > Datacenter equipped with WAE
> > IP MPLS WAN
> > Remote Office A equipped with WAE
> > Remote Office B without WAE
> >
> > Without a tunnel, how does the central WAE know that data to Office A
> > should be compressed and data to Office B should not?
>
> The WAE inserts TCP option 33 into the stream. If it sees option 33 come
> back from the remote end it knows there is another WAE at the other end
> and forms a peer relationship. Because it doesn't see option 33 come back
> from office B it will not form a peer relationship and therefore not
> compress to that site.
>
> This function also forms part of the failback mechanism - if the remote
> WAE goes away compression will stop because option 33 has disappeared.
>
> BTW - this option 33 thing causes an issue when firewalls (particularly
> ASA and PIX) are in the mix as they strip all unknown TCP options. You
> must configure firewalls to leave option 33 alone.
>
> B.
>
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 12 Nov 2007 10:43:50 +0900
> From: "Brett Looney" <brett at looney.id.au>
> Subject: Re: [c-nsp] WAAS
> To: <cisco-nsp at puck.nether.net>
> Message-ID: <0cc701c824cd$7be37920$73aa6b60$@id.au>
> Content-Type: text/plain;       charset="Windows-1252"
>
> > Ok how do you configure an ASA not leave option 33 alone?
>
> First, define an access list that matches all traffic that will flow
> between
> the WAE boxes:
>
>        access-list WAAS-Traffic permit ip <source> <destination>
>
> Then, in your ASA config do the following:
>
>        tcp-map WAAS
>          tcp-options range 33 33 allow
>        class WAAS-Class
>          match access-list WAAS-Traffic
>        policy-map global_policy
>          inspect waas
>          class WAAS-Class
>            set connection random-sequence-number disable
>            set connection advanced-options WAAS
>
> You will need ASA code 7.2(3) or later for this to work properly.
>
> B.
>
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 12 Nov 2007 08:50:12 +0100
> From: Gert Doering <gert at greenie.muc.de>
> Subject: Re: [c-nsp] ios fw & pptp &  12.4(17.8)T
> To: Garry <gkg at gmx.de>
> Cc: "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
> Message-ID: <20071112075012.GO661 at greenie.muc.de>
> Content-Type: text/plain; charset=us-ascii
>
> Hi,
>
> On Tue, Oct 30, 2007 at 05:54:31AM +0100, Garry wrote:
> > I don't know if it's related, but I had problems with IPSEC forwarding &
> > NAT on 12.4(16) ... IKE would work, but after that, packets just didn't
> > come through ... had a TAC case open, 16.9T pre-release fixed the
> > problem, but as it wasn't an official release, I went back to
> > 12.4(15)T1, which worked fine (tested by TAC) in that regard ...
>
> One should point out that "going from 12.4(16) to 12.4(15)T1" is in no
> way "going back".
>
> 12.4(x)T and 12.4-with-no-letters are *completely different* IOS trains,
> with very much different bug and feature sets.  (And I'd never use a T
> train, unless I can't avoid it due to the need for a specific feature
> which is not in a no-letters IOS).
>
> Which has been explained on this list a zillion times.
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
>
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany
> gert at greenie.muc.de
> fax: +49-89-35655025
> gert at net.informatik.tu-muenchen.de
>
>
> ------------------------------
>
> Message: 5
> Date: Mon, 12 Nov 2007 14:01:46 +0530
> From: "Vikas Sharma" <vikassharmas at gmail.com>
> Subject: Re: [c-nsp] traffic flow in 6500 switch with FWSM and IDSM
> To: "Fred Reimer" <freimer at ctiusa.com>
> Cc: cisco-nsp at puck.nether.net
> Message-ID:
>        <cca140000711120031jf02f002s4058208e37776627 at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi,
>
> Can I configure FWSM as a default gateway for my internal vlans (similar
> to HSRP configuration on MSFC for vlans)? i.e. an inside packet will first
> hit the FWSM, then the MSFC !!!
>
> If u have some doc on this pls share if possible..
>
> Regards
> Vikas Sharma
>
> On Nov 7, 2007 7:00 PM, Fred Reimer <freimer at ctiusa.com> wrote:
>
> > There are many ways that you can configure the 6500 with a FWSM
> > and IDSM.  It depends on what you want to do with it.  You can
> > place the MSFC (routing entity) inside or outside of the FWSM.  I
> > prefer inside unless there is a really good reason to have it
> > outside (such as routing sessions to providers, etc) as you don't
> > need to secure it quite as much as when it is on a publicly
> > accessible address.  You could also use VRF on the MSFC and have
> > one instance on the outside and one on the inside (or a bunch of
> > instances and one on each DMZ interface of the FWSM also).  For
> > the IDSM you also have an option of in-line mode or not.  You
> > want in-line mode if you want IPS functionality, and promiscuous
> > mode if you want IDS functionality.  Again, you can place the
> > IDSM inside or outside the FWSM, but it really makes sense to
> > drop malicious traffic before it even reaches your FW.  Perhaps
> > have it look like Internet -- IDSM -- MSFC -- FWSM -- MSFC -
> > inside networks.  You really need to talk to, or hire, a security
> > specialist.
> >
> > Fred Reimer, CISSP, CCNP
> > Senior Network Engineer
> > Coleman Technologies, Inc.
> > 954-298-1697
> >
> >
> >
> >
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net
> > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Vikas
> > Sharma
> > Sent: Wednesday, November 07, 2007 3:14 AM
> > To: cisco-nsp at puck.nether.net; Oliver Boehmer (oboehmer)
> > Subject: [c-nsp] traffic flow in 6500 switch with FWSM and IDSM
> >
> > Hi,
> >
> > I have an FWSM and IDSM-2 on a 6500 switch. Since I am not a security
> > guy I am not able to visualize how traffic flow will take place in
> > this situation. My requirement is to secure internal traffic from
> > external / DMZ traffic and inspect malicious traffic. Can someone
> > give me the logical picture of how a packet will flow inside the 6500
> > switch? Whether it will first go to the FWSM then to the MSFC, or first
> > to the MSFC then the firewall? I have vlans (SVIs) created on the msfc
> > and these ips are the default gateway for my internal traffic.
> >
> > Any help is appreciated...
> >
> > Regards
> > Vikas Sharma
>
>
> ------------------------------
>
> Message: 6
> Date: Mon, 12 Nov 2007 09:52:56 +0100
> From: Peter Rathlev <peter at rathlev.dk>
> Subject: Re: [c-nsp] traffic flow in 6500 switch with FWSM and IDSM
> To: cisco-nsp <cisco-nsp at puck.nether.net>
> Message-ID: <1194857576.3758.11.camel at localhost.localdomain>
> Content-Type: text/plain
>
> On Mon, 2007-11-12 at 14:01 +0530, Vikas Sharma wrote:
> > Can I configure FWSM as a default gateway for my internal vlans (similar
> > to HSRP configuration on MSFC for vlans)? i.e. an inside packet will first
> > hit the FWSM, then the MSFC !!!
>
> Yes you can. :-) If you avoid creating the SVI ("interface Vlan"), but
> still send the VLAN to the firewall, the MSFC doesn't interfere. Like
> this:
>
> ! *** 6503-fwsm-rp ***
> vlan 100
>  name fwsm-test
>  exit
> !
> interface range GigabitEthernet1/1 - 2
>  description LAN-facing interfaces
>  switchport trunk allowed vlan add 100
>  exit
> !
> firewall vlan-group 1 100
> !
> firewall module 2 vlan-group 1
> !
> ! (Maybe "no interface Vlan100" to delete it)
> !
>
> ! *** fwsm sys context ***
> context admin
>  allocate-interface vlan100
>  exit
> !
>
> ! *** fwsm admin context ***
> nameif vlan100 fwsmtest security50
> ! ... etc.
>
> > If u have some doc on this pls share if possible..
>
> It depends on your software version. This is for 3.1:
>
> http://www.tinyurl.dk/2175
> (
> http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/fwsm_cfg.html
> )
>
> Take a look at the "Configuring the Switch for the Firewall Services
> Module" chapter.
>
> Regards,
> Peter Rathlev
>
>
>
>
> ------------------------------
>
> Message: 7
> Date: Mon, 12 Nov 2007 11:58:22 +0200
> From: Pavel Gulchouck <gul at gul.kiev.ua>
> Subject: [c-nsp] hsrp and igp
> To: cisco-nsp at puck.nether.net
> Message-ID: <20071112095822.GV19273 at happy.kiev.ua>
> Content-Type: text/plain; charset=us-ascii
>
> Hi
>
> How can I configure HSRP with two routers and a track condition
> if I want the IGP (OSPF) to always route to the active (not standby)
> gateway?
> And another issue: can I configure HSRP so that the standby router
> routes the local segment via the active router rather than directly?
>
> I've tried the following configuration for local segment 10.0.0.0/24
> and virtual gateway 10.0.0.1.
> First router:
>
> interface gi0/1.100
>  ip address 10.250.0.2 255.255.255.0
>  no ip proxy-arp
>  standby ip 10.250.0.1
>  standby ip 10.0.0.1 secondary
>  standby priority 15
>  standby preempt
>  standby track 1
> ip route 10.0.0.0 255.255.255.0 Gi0/1.100 track 1
> router ospf 100
>  redistribute static subnets metric 20
>
> Second router:
>
> interface gi0/1.100
>  ip address 10.250.0.3 255.255.255.0
>  no ip proxy-arp
>  standby ip 10.250.0.1
>  standby ip 10.0.0.1 secondary
>  standby priority 10
>  standby preempt
> ip route 10.0.0.0 255.255.255.0 Gi0/1.100 111
> router ospf 100
>  redistribute static subnets metric 30
>
> In this case almost everything works well (even for /30 client networks)
> except for ARP. :-( Not all devices reply to the request
> "arp who-has 10.0.0.5 tell 10.250.0.2" because 10.250.0.2 is
> not on the local segment for that device.
>
> Any solution?
> Or any other ideas on how I can configure OSPF redistribution depending
> on HSRP state or on a track condition?
>
> Thanks.
>
> --
> Pavel
>
>
> ------------------------------
>
> Message: 8
> Date: Mon, 12 Nov 2007 10:17:11 +0000
> From: Phil Mayers <p.mayers at imperial.ac.uk>
> Subject: Re: [c-nsp] hsrp and igp
> To: gul at gul.kiev.ua
> Cc: cisco-nsp at puck.nether.net
> Message-ID: <1194862631.20171.14.camel at doorstop.net.ic.ac.uk>
> Content-Type: text/plain
>
> On Mon, 2007-11-12 at 11:58 +0200, Pavel Gulchouck wrote:
> > Hi
> >
> > How can I configure HSRP with two routers and a track condition
> > if I want the IGP (OSPF) to always route to the active (not standby)
> > gateway?
>
> Very difficult. The only realistic solution I have seen is a route map
> on the redistribute statement, referencing a prefix-list and increasing
> the route metric; and use EEM to dynamically add/delete entries in the
> prefix list.
>
> Vile.
>
> > And another issue: can I configure HSRP so that the standby router
> > routes the local segment via the active router rather than directly?
>
> Similar issue to above.
>
> >
> > I've tried the following configuration for local segment 10.0.0.0/24
> > and virtual gateway 10.0.0.1.
> > First router:
> >
> > interface gi0/1.100
> >   ip address 10.250.0.2 255.255.255.0
> >   no ip proxy-arp
> >   standby ip 10.250.0.1
> >   standby ip 10.0.0.1 secondary
> >   standby priority 15
> >   standby preempt
> >   standby track 1
> > ip route 10.0.0.0 255.255.255.0 Gi0/1.100 track 1
> > router ospf 100
> >   redistribute static subnets metric 20
>
> Ah. Interesting approach.
>
> What is the definition for the track?
>
> >
> > Second router:
> >
> > interface gi0/1.100
> >   ip address 10.250.0.3 255.255.255.0
> >   no ip proxy-arp
> >   standby ip 10.250.0.1
> >   standby ip 10.0.0.1 secondary
> >   standby priority 10
> >   standby preempt
> > ip route 10.0.0.0 255.255.255.0 Gi0/1.100 111
> > router ospf 100
> >   redistribute static subnets metric 30
> >
> > In this case almost everything works well (even for /30 client networks)
> > except for ARP. :-( Not all devices reply to the request
> > "arp who-has 10.0.0.5 tell 10.250.0.2" because 10.250.0.2 is
> > not on the local segment for that device.
>
> Correct, that doesn't work reliably. Hmm: "arp source-ip blah" command
> is needed.
>
> >
> > Any solution?
> > Or any other ideas on how I can configure OSPF redistribution depending
> > on HSRP state or on a track condition?
>
> As above: route map/prefix list/event manager.
>
> It would be a lot easier if Cisco provided this functionality natively.
> This is an FAQ :o(
>
>
>
>
>
> ------------------------------
>
> End of cisco-nsp Digest, Vol 60, Issue 37
> *****************************************
>
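The TCP option 33 peer discovery and the firewall option-stripping behaviour described in Brett Looney's WAAS replies above, as an added example that is not part of the original thread or of any Cisco code: a small TCP options parser plus a simulation of what an ASA does with and without `tcp-options range 33 33 allow`. The segment bytes, the `build_segment`/`apply_tcp_map` helpers and the set of option kinds assumed to pass by default are constructed for illustration.

```python
import struct

# Option kinds assumed here to pass an ASA/PIX by default (EOL, NOP, MSS,
# WScale, SACK-permitted, SACK, Timestamp); per the thread, every other
# "unknown" kind is stripped unless a tcp-map allows it. This set is an assumption.
STANDARD_KINDS = {0, 1, 2, 3, 4, 5, 8}
WAAS_KIND = 33  # option kind a WAE inserts to discover a peer WAE

def parse_tcp_options(segment: bytes):
    """Return [(kind, data)] from a raw TCP segment; rejects malformed lengths."""
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    opts, out, i = segment[20:data_offset], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:  # End of option list
            break
        if kind == 1:  # NOP occupies a single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option header")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        out.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return out

def apply_tcp_map(options, allowed_ranges=()):
    """Mimic the firewall: keep standard kinds and kinds inside an explicit
    'tcp-options range X Y allow'; report every other kind as cleared."""
    kept, cleared = [], []
    for kind, data in options:
        if kind in STANDARD_KINDS or any(lo <= kind <= hi for lo, hi in allowed_ranges):
            kept.append((kind, data))
        else:
            cleared.append(kind)
    return kept, cleared

def waas_peering(syn_opts, synack_opts):
    """A peer relationship forms only if option 33 survives in both directions."""
    return all(any(k == WAAS_KIND for k, _ in o) for o in (syn_opts, synack_opts))

def build_segment(options: bytes) -> bytes:
    """Constructed minimal TCP header (ports/seq/ack zero, SYN set) plus options."""
    padded = options + b"\x00" * (-len(options) % 4)
    data_offset = 5 + len(padded) // 4
    header = struct.pack("!HHIIBBHHH", 0, 0, 0, 0, data_offset << 4, 0x02, 0, 0, 0)
    return header + padded

# Constructed sample SYN: MSS 1460 followed by option 33 carrying 8 opaque bytes.
SYN_WITH_WAAS = build_segment(b"\x02\x04\x05\xb4" + b"\x21\x0a" + b"\x00" * 8)
```

Running the sample SYN through `apply_tcp_map` with no allowed range clears option 33 and `waas_peering` stays false, which is exactly the symptom of a firewall sitting between two WAEs without the tcp-map.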

