[c-nsp] cisco-nsp Digest, Vol 60, Issue 52

Vikas Sharma vikassharmas at gmail.com
Mon Nov 19 00:38:02 EST 2007


Thanks for the support...


Regards
Vikas


On 11/16/07, cisco-nsp-request at puck.nether.net <
cisco-nsp-request at puck.nether.net> wrote:
>
> Send cisco-nsp mailing list submissions to
>        cisco-nsp at puck.nether.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
>        https://puck.nether.net/mailman/listinfo/cisco-nsp
> or, via email, send a message with subject or body 'help' to
>        cisco-nsp-request at puck.nether.net
>
> You can reach the person managing the list at
>        cisco-nsp-owner at puck.nether.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of cisco-nsp digest..."
>
>
> Today's Topics:
>
>   1. Problems with CiscoWorks LMS 3.0, Device Fault Manager,
>      Mail-Notifications (Enno Rey)
>   2. Re: BGPoPPPoEoA ?! (Gerald Krause)
>   3. Re: Cat6509 and transparent firewall (Ruben Alvarez)
>   4. Re: Auto MD on Catalyst 4948? (Asbjorn Hojmark - Lists)
>   5. Re: traffic flow in 6500 switch with FWSM and MPLS VPN
>      (Vikas Sharma)
>   6. Re: traffic flow in 6500 switch with FWSM and MPLS VPN
>      (Peter Rathlev)
>   7. Re: traffic flow in 6500 switch with FWSM and MPLS VPN
>      (Ramcharan, Vijay A)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 15 Nov 2007 20:53:38 +0100
> From: Enno Rey <erey at ernw.de>
> Subject: [c-nsp] Problems with CiscoWorks LMS 3.0, Device Fault Manager, Mail-Notifications
> To: cisco-nsp at puck.nether.net
> Message-ID: <20071115195338.GD87025 at ws23.ernw.de>
> Content-Type: text/plain; charset=us-ascii
>
> Hi,
>
> I'm currently struggling with setting up mail notifications with
> CiscoWorks' DFM. The goal is simple: to send notification mails based on
> alerts and/or incoming SNMP traps. I've seen this working successfully in
> one environment but some time ago I tried in vain with LMS 2.6 at the
> time, being confronted with the same kind of problems I currently encounter
> (and I gave up then. In fact one of the reasons to upgrade the current
> systems to LMS 3.0 was the failure of getting it running at that time).
>
> There are two major pieces that have to be configured: notification groups
> and subscriptions. One can modify/configure "event  sets" (I tried with and
> without those), but - according to the documentation - using no events sets
> means that all events/levels of severity are used. The setup seems not too
> difficult once one understands the structure (albeit I might miss sth) but
> despite quite some efforts and modifications not one single mail gets sent
> (even though quite a few alarms can be seen in the alarms view and quite a
> lot of SNMP traps are coming in). The setup is as follows:
>
> CiscoWorks LMS 3.0 running on W2K3 server, both fully patched (=> DFM
> 3.0.1).
> Set up some user defined groups in Common Services (CS), performed device
> inventory and some work in other modules, everything seems to work fine for
> approx. 180 devices.
> Set up syslog based mail delivery in RME which works smoothly (so no
> problems with mail delivery in general).
> Alert views in DFM work fine, too.
> Tried to get mail notifications running in DFM with
> - different device groups,
> - different notification groups,
> - with (all|none|some) defined events sets,
> - some subscriptions
>
> and I never see _any_ effort to send any mail at all. No port 25 traffic
> at all in wireshark (with the exception of the syslog stuff from RME which
> works smoothly). I've no idea what could be wrong. This is a fresh install,
> fully licensed, so no problems with updating modules (which might have been
> one of the reasons for failure in the past). I see some errors in various
> DFM logfiles (e.g. in aad.log and others) though that I do not really
> understand. They may be related or not. However from my understanding of
> Java stuff and exceptions they _seem_ not related.
>
> Does anybody have any idea what could be wrong? Am I missing something
> obvious?
> I will probably open a TAC case after the weekend but was hoping for some
> clue from the people here before...
>
> thanks in advance,
>
> Enno
>
>
>
>
> --
> Enno Rey
>
> ERNW GmbH - Breslauer Str. 28 - 69124 Heidelberg - www.ernw.de
> Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
> PGP FP 055F B3F3 FE9D 71DD C0D5  444E C611 033E 3296 1CC1
>
> Handelsregister Heidelberg: HRB 7135
> Geschaeftsfuehrer: Roland Fiege, Enno Rey
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 15 Nov 2007 21:29:39 +0100
> From: Gerald Krause <gk at ax.tc>
> Subject: Re: [c-nsp] BGPoPPPoEoA ?!
> To: cisco-nsp at puck.nether.net
> Message-ID: <200711152129.39760.gk at ax.tc>
> Content-Type: text/plain;  charset="iso-8859-1"
>
> Ok, but I need none if the GW IP address from the PPP negotiation is the
> loopback IP address on the PE in question. That's why I have no configured
> static route on the CE.
>
> On Thursday 15 November 2007 20:47:56 Aaron wrote:
> > Don't forget the static for the loopback
> >
> > On Nov 15, 2007 2:30 PM, Gerald Krause <gk at ax.tc> wrote:
> > > On Thursday 15 November 2007 17:40:54 Adam Greene wrote:
> > > > Lots of o's in that subject line ...
> > > >
> > > > I'm trying to set up a BGP session over a PPPoEoA DSL line. This is in
> > > > the context of setting up redundant DSL lines to a single provider
> > > > router. I control both ends (PE and CE). PE is 7200 NPE 200, IOS
> > > > 12.3(15b). CE is 1841, IOS 12.4(17).
> > > >
> > > > I can't establish the BGP session. Both sides are in active state, but
> > > > won't go further.
> > > >
> > > > The PE ATM interface is configured as IP unnumbered pointing to
> > > > Loopback 0. The CE BGP neighbor thus points to the PE Loopback IP
> > > > address. The PE BGP neighbor points to the IP address assigned to the
> > > > CE Dialer (a /32 from the /23 block on the PE Loopback).
> > > >
> > > > I saw that the CE was reporting that the external BGP neighbor is not
> > > > directly connected, so I issued "neighbor A.B.C.D
> > > > disable-connected-check" to no avail.
> > > >
> > > > I tried specifying the update-source interface on both ends (loopback 0
> > > > on PE, Dialer1 on CE) again to no avail.
> > > >
> > > > I'm wondering if I have to do something at the neighbor A.B.C.D
> > > > transport level, like disabling path-mtu-discovery (this is a wild shot
> > > > in the dark).
> > > >
> > > > Has anyone else successfully established BGP over PPPoEoA before?
> > >
> > > Yes, and it (still) works. As Aaron and Peter already mentioned you
> > > should use "ebgp-multihop" on both systems. Our config looks like this:
> > >
> > > CE config:
> > > ==========
> > > !
> > > interface Dialer1
> > >  ! local IP address is always 10.250.250.50/32 and
> > >  ! remote-GW IP address 10.255.255.255 - from PPP/RADIUS
> > >  ip address negotiated
> > >  encapsulation ppp
> > >  ...
> > > !
> > > !
> > > router bgp 65534
> > >  neighbor 10.255.255.255 remote-as 123
> > >  neighbor 10.255.255.255 ebgp-multihop 2
> > >  ...
> > > !
> > >
> > > PE config:
> > > ==========
> > > !
> > > interface Loopback101
> > >  ip address 10.255.255.255 255.255.255.255
> > > !
> > > !
> > > router bgp 123
> > >  ...
> > >   neighbor 10.250.250.50 remote-as 65534
> > >   neighbor 10.250.250.50 ebgp-multihop 2
> > >   neighbor 10.250.250.50 update-source Loopback101
> > >  ...
> > > !
>
>
> --
> Gerald   (ax/tc)
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 15 Nov 2007 12:58:46 -0800
> From: "Ruben Alvarez" <raa at opusnet.com>
> Subject: Re: [c-nsp] Cat6509 and transparent firewall
> To: "'Richard Golodner'" <rgolodner at infratection.com>
> Cc: cisco-nsp at puck.nether.net
> Message-ID: <000901c827ca$51501920$f3f04b60$@com>
> Content-Type: text/plain;       charset="us-ascii"
>
> All,
>
> The first solution I tried works.  You can add an ip address secondary on a
> VLAN interface.  Works great.
>
> -----Original Message-----
> From: Richard Golodner [mailto:rgolodner at infratection.com]
> Sent: Monday, November 12, 2007 6:28 PM
> To: 'Ruben Alvarez'
> Subject: RE: [c-nsp] Cat6509 and transparent firewall
>
> Ruben, let us all know how you have made out. This is an interesting one.
> Best of luck, and skill.
>        Richard
>
> -----Original Message-----
> From: Ruben Alvarez [mailto:raa at opusnet.com]
> Sent: Monday, November 12, 2007 7:30 PM
> To: 'Richard Golodner'
> Cc: cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] Cat6509 and transparent firewall
>
> No NAT.  we are testing this in a lab so I'll know if it works beforehand.
> I'm going to trunking with the PF or secondary VLAN.
>
> -----Original Message-----
> From: Richard Golodner [mailto:rgolodner at infratection.com]
> Sent: Monday, November 12, 2007 2:00 PM
> To: 'Ruben Alvarez'
> Subject: RE: [c-nsp] Cat6509 and transparent firewall
>
> Ruben, what kind of NATting scheme is the client using? I think that needs
> to be explored before your question can be answered. If there is none, then
> you may be able to trunk the switchport. If you have the hardware, try and
> replicate the config and see what happens. I am no expert but have had some
> experience with pf.
>        Sincerely, Richard Golodner
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ruben Alvarez
> Sent: Monday, November 12, 2007 4:24 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Cat6509 and transparent firewall
>
> Hello,
>
> I have a client with a transparent firewall connected to my Cat 6509.  It's
> running the PF firewall on a server and currently I have them on a VLAN
> with an interface VLAN as their gateway.  The client has requested more IP
> addresses.  They don't want to renumber and I can't expand their current /28
> so I'm trying to think of a way to route another subnet to them.
>
> My first thought was to give them another VLAN and turn their switchport to
> a trunk, but I don't know if a firewall like that can trunk with a Cisco
> switch.  Anyone have any ideas about this?  The firewall has no IP address
> for it is a bridge.
>
> Thanks.
>
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
> ------------------------------
>
> Message: 4
> Date: Thu, 15 Nov 2007 22:13:44 +0100
> From: Asbjorn Hojmark - Lists <lists at hojmark.org>
> Subject: Re: [c-nsp] Auto MD on Catalyst 4948?
> To: Vincent De Keyzer <vincent at autempspourmoi.be>
> Cc: cisco-nsp at puck.nether.net
> Message-ID: <1195161224.5908.6.camel at Swimmer2U.hojmark.net>
> Content-Type: text/plain
>
> On Thu, 2007-11-15 at 09:09 +0100, Vincent De Keyzer wrote:
> > in the datasheet for the 4948 on CCO, I can't find a reference to auto
> > MD. Can anybody help?
>
> The 4948 does Auto-MDI/MDI-X.
>
> > I have a device in the field (so not at hand), and I need to know
> > whether I need to order cross cabling or not from the data center guys.
>
> It is my experience that you get better performance (link up /
> convergence) when you use the correct cable. Auto-MDI/MDI-X takes some
> time.
>
> -A
>
>
>
> ------------------------------
>
> Message: 5
> Date: Fri, 16 Nov 2007 12:28:08 +0530
> From: "Vikas Sharma" <vikassharmas at gmail.com>
> Subject: Re: [c-nsp] traffic flow in 6500 switch with FWSM and MPLS
>        VPN
> To: "Fred Reimer" <freimer at ctiusa.com>
> Cc: cisco-nsp at puck.nether.net
> Message-ID:
>        <cca140000711152258u54998b41he3f7bb2925a98329 at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi Fred,
>
> The link shows me the option of configuring multiple SVIs but my question is
> if I assigned these vlans to VRF created on 6509, will FWSM understand this?
>
>
> I can do this conf on the switch for fwsm -
>
> firewall vlan-group 50 55-57
> firewall module 8 vlan-group 50
>
> but my SVI have to be in vrf for mpls forwarding. Does FWSM support this
> kind of vrf functionality?
>
> Regards
> Vikas Sharma
>
>
> On 11/16/07, Fred Reimer <freimer at ctiusa.com> wrote:
> >
> > Yes, it works fine.  You would need to configure the option on
> > the SUP to allow multiple SVI's to be configured when they are
> > assigned/trunked to the firewall.  See here:
> >
> > http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuratio
> > n/guide/switch_f.html
> >
> >
> > Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
> > Senior Network Engineer
> > Coleman Technologies, Inc.
> > 954-298-1697
> >
> >
> >
> >
> > > -----Original Message-----
> > > From: Vikas Sharma [mailto:vikassharmas at gmail.com]
> > > Sent: Thursday, November 15, 2007 6:20 AM
> > > To: Fred Reimer; cisco-nsp at puck.nether.net; Oliver Boehmer
> > > (oboehmer)
> > > Subject: Re: [c-nsp] traffic flow in 6500 switch with FWSM
> > > and MPLS VPN
> > >
> > > Hi,
> > >
> > > On the same line I have a few more doubts. Please help me to
> > > solve this.
> > >
> > > I have 5 vlans namely data, voice, video and CCTV. Packet
> > > coming out of access switch will go to SVI and then come to
> > > FWSM as firewall-group has been configured. Now I want to
> > > integrate this LAN to my MPLS cloud. I have created two vrfs
> > > (one for voice/data and video, and another for CCTV) and am
> > > importing and exporting to all remote sites.
> > > My question is how does FWSM behave when default gateway is
> > > on MSFC SVI (I have created dot1q interfaces on SVI and
> > > assigned vrf forwarding to respective interfaces). Since on
> > > SVI I have configured vrf forwarding, will FWSM understand
> > > the firewall-group in this case?
> > >
> > > Any help is greatly appreciated.
> > >
> > > Regards
> > > Vikas Sharma
> > >
> > > On 11/12/07, Vikas Sharma <vikassharmas at gmail.com> wrote:
> > >
> > >       Hi,
> > >
> > >       Can I configure FWSM as a default gateway for my
> > > internal vlans (similar to HSRP configuration on MSFC for
> > > vlans)? i.e. inside packet will first hit FWSM then MSFC!
> > >
> > >       If you have some doc on this please share if possible.
> > >
> > >       Regards
> > >
> > >       Vikas Sharma
> > >
> > >
> > >
> > >       On Nov 7, 2007 7:00 PM, Fred Reimer
> > > <freimer at ctiusa.com> wrote:
> > >
> > >
> > > There are many ways that you can configure the 6500 with a FWSM and
> > > IDSM.  It depends on what you want to do with it.  You can place the
> > > MSFC (routing entity) inside or outside of the FWSM.  I prefer inside
> > > unless there is a really good reason to have it outside (such as
> > > routing sessions to providers, etc) as you don't need to secure it
> > > quite as much as when it is on a publicly accessible address.  You
> > > could also use VRF on the MSFC and have one instance on the outside
> > > and one on the inside (or a bunch of instances and one on each DMZ
> > > interface of the FWSM also).  For the IDSM you also have an option of
> > > in-line mode or not.  You want in-line mode if you want IPS
> > > functionality, and promiscuous mode if you want IDS functionality.
> > > Again, you can place the IDSM inside or outside the FWSM, but it
> > > really makes sense to drop malicious traffic before it even reaches
> > > your FW.  Perhaps have it look like Internet -- IDSM -- MSFC -- FWSM
> > > -- MSFC -- inside networks.  You really need to talk to, or hire, a
> > > security specialist.
> > >
> > > Fred Reimer, CISSP, CCNP
> > > Senior Network Engineer
> > > Coleman Technologies, Inc.
> > > 954-298-1697
> > >
> > >
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: cisco-nsp-bounces at puck.nether.net
> > > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Vikas Sharma
> > > Sent: Wednesday, November 07, 2007 3:14 AM
> > > To: cisco-nsp at puck.nether.net; Oliver Boehmer (oboehmer)
> > > Subject: [c-nsp] traffic flow in 6500 switch with FWSM and IDSM
> > >
> > > Hi,
> > >
> > > I have FWSM and IDSM-2 on 6500 switch. Since I am not a security guy
> > > I am not able to visualize how traffic flow will take place in this
> > > situation. My requirement is to secure internal traffic from
> > > external / DMZ traffic and inspect malicious traffic. Can someone
> > > give me the logical picture how packet will flow inside 6500 switch?
> > > Whether it will first go to FWSM then to MSFC or first to MSFC then
> > > firewall? I have vlan (SVIs) created on MSFC and these IPs are the
> > > default gateway for my internal traffic.
> > >
> > > Any help is appreciated...
> > >
> > > Regards
> > > Vikas Sharma
> > >
> > >
> > >
> > >
> >
> >
> >
>
>
> ------------------------------
>
> Message: 6
> Date: Fri, 16 Nov 2007 11:56:18 +0100
> From: Peter Rathlev <peter at rathlev.dk>
> Subject: Re: [c-nsp] traffic flow in 6500 switch with FWSM and MPLS
>        VPN
> To: cisco-nsp <cisco-nsp at puck.nether.net>
> Message-ID: <1195210578.7985.6.camel at localhost.localdomain>
> Content-Type: text/plain
>
> On Fri, 2007-11-16 at 12:28 +0530, Vikas Sharma wrote:
> > The link shows me the option of configuring multiple SVIs but my
> >  question is if i assigned these vlans to VRF created on 6509, will
> >  fwsm understand this?
>
> I don't know if it depends on HW/Supervisor/IOS, but yes, you can put
> your local SVI's in VRF's. We have a setup with a Cat6506E with Sup32
> running IOS 12.2(18)SXF6 with VRF-enabled SVI's in firewall vlan-groups.
>
> Technically I don't think the FWSM cares whether the interface is
> VRF-enabled or not. It just sees some ethernet traffic on some VLANs. But
> test it first. :-)
>
> Regards,
> Peter Rathlev
>
>
>
>
> ------------------------------
>
> Message: 7
> Date: Fri, 16 Nov 2007 14:19:37 +0000
> From: "Ramcharan, Vijay A" <vijay.ramcharan at verizonbusiness.com>
> Subject: Re: [c-nsp] traffic flow in 6500 switch with FWSM and MPLS
>        VPN
> To: Peter Rathlev <peter at rathlev.dk>, cisco-nsp
>        <cisco-nsp at puck.nether.net>
> Message-ID:
>        <920440C0851A0E4D949947D25A8DADDA03556FFF at ASHEVS002.mcilink.com>
> Content-Type: text/plain; charset=US-ASCII
>
> Vikas, I've found it immensely helpful to think of the FWSM as a
> separate device (as in PIX) that is just connected to the switch by
> means of the associated VLANs rather than physical cables. In my early
> experience with the FWSM I had trouble separating the FWSM from the
> switch when thinking of traffic flow.
>
> Whatever layer 3 config you have on the switch as such, won't be
> associated with the FWSM and will work if you consider the FWSM as just
> another next hop. There are probably scenarios where this may not hold
> true but I have not run into one of those as yet.
>
> Vijay Ramcharan
>
>
> ------------------------------
>
> _______________________________________________
> cisco-nsp mailing list
> cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
>
> End of cisco-nsp Digest, Vol 60, Issue 52
> *****************************************
>
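Added example, not part of the digest or any poster's message: a small Python lint that encodes the point from message 2 above (an eBGP peer that is a PE loopback reached over the PPPoEoA dialer is not on a connected subnet, so the session needs "ebgp-multihop"). The two IOS snippets it checks are constructed for the example, not taken from the thread's configs.

```python
import ipaddress
import re

# Constructed sample configs, not taken from the thread: a CE whose eBGP
# peer is the PE loopback reached over the PPPoEoA dialer, first without and
# then with the "ebgp-multihop" knob recommended in the thread.
CE_BROKEN = """\
interface Dialer1
 ip address 10.250.250.50 255.255.255.255
 encapsulation ppp
!
router bgp 65534
 neighbor 10.255.255.255 remote-as 123
!
"""

CE_FIXED = CE_BROKEN.replace(
    " neighbor 10.255.255.255 remote-as 123\n",
    " neighbor 10.255.255.255 remote-as 123\n"
    " neighbor 10.255.255.255 ebgp-multihop 2\n",
)


def parse_ios(text):
    """Pull the local AS, connected subnets and BGP neighbors out of a
    minimal IOS config. Only the statements this check needs are parsed."""
    local_as = None
    connected = []   # networks from "ip address A.B.C.D MASK" lines
    neighbors = {}   # peer address -> {"remote_as": int, "multihop": int|None}
    for line in text.splitlines():
        m = re.match(r"\s*ip address (\S+) (\S+)$", line)
        if m:
            connected.append(ipaddress.ip_network(
                f"{m.group(1)}/{m.group(2)}", strict=False))
            continue
        m = re.match(r"\s*router bgp (\d+)", line)
        if m:
            local_as = int(m.group(1))
            continue
        m = re.match(r"\s*neighbor (\S+) (remote-as|ebgp-multihop)\s*(\d*)", line)
        if m:
            peer = neighbors.setdefault(
                m.group(1), {"remote_as": None, "multihop": None})
            if m.group(2) == "remote-as":
                peer["remote_as"] = int(m.group(3))
            else:
                # IOS treats a bare "ebgp-multihop" as the maximum TTL of 255
                peer["multihop"] = int(m.group(3)) if m.group(3) else 255
    return local_as, connected, neighbors


def find_unreachable_ebgp_peers(text):
    """Return eBGP peers that sit on no connected subnet and have no
    ebgp-multihop: with the default TTL of 1 the router will not bring the
    session up, which is the symptom the thread describes."""
    local_as, connected, neighbors = parse_ios(text)
    findings = []
    for addr, peer in neighbors.items():
        if peer["remote_as"] is None or peer["remote_as"] == local_as:
            continue  # iBGP peers are not subject to the one-hop rule
        if any(ipaddress.ip_address(addr) in net for net in connected):
            continue
        if peer["multihop"] is None:
            findings.append(addr)
    return findings


if __name__ == "__main__":
    print("broken:", find_unreachable_ebgp_peers(CE_BROKEN))  # ['10.255.255.255']
    print("fixed: ", find_unreachable_ebgp_peers(CE_FIXED))   # []
```

The same check run against the PE side would flag the CE dialer /32 the same way, which is why the thread applies ebgp-multihop on both ends.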
