Messages - Gunter

#1
What is the proper way of providing the client machines with the needed updates and the firewall with access to update their malware signatures in a highly secured network where internet access is not provided to the firewall or the client machines?
#2
Yes, this might be my issue. Since this Nexus model doesn't filter in the outward direction I have to apply the ACL in the other port. Thanks all for your thoughts.
#3
I was expecting that the listener hosts would be blocked in the inward direction when hitting the rule

"1 deny ip any 224.0.0.0/4 log"

The listener hosts on remote-location are accessing the network through this port to get the streams. So, I thought blocking their request to get the stream would stop the traffic in the outbound direction. But it appears to me now that the video streams are already flooding in the outward direction on the port before the listener even requests it (since we are using multicast dense mode). I will try to apply the ACL in the input direction on another port facing the distribution switches and see if it works. Thanks for your thoughts.


#4
Because the source is any and the destination is the multicast IP that the user on the remote location is accessing to get the stream, which is outgoing traffic on the port. Also:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus3000/sw/security/93x/b-cisco-nexus-3000-nx-os-security-configuration-guide-93x/b-cisco-nexus-3000-nx-os-security-configuration-guide-93x_chapter_01000.html#task_1274985
quote:
Applying an IP ACL as a Port ACL
Applies an IPv4 ACL to the interface or PortChannel. Only inbound filtering is supported with port ACLs.


So even though it lets you apply "ip access-group roystream out", it's going to do nothing.
#5
I am trying to block all outgoing multicast streams on my edge switch nexus 3k. The port is connected to a remote location and is a trunk port. I have devices receiving video streams inside my network through this port and I need to keep it working, while only stopping the devices on the remote-location from taking video streams from my network. I tried to accomplish this using access lists.

1- I created an access list as below:

IP access list remote-location
10 deny ip any 232.10.10.1/32 vlan 835
11 deny ip any 224.52.74.17/32 vlan 835
12 deny ip any 224.2.42.17/32 vlan 835
13 deny ip any 224.2.42.16/32 vlan 835
14 deny ip any 224.2.51.60/32 vlan 835
15 deny udp any 224.91.40.1/32 eq 2001 vlan 835
16 deny udp any 224.91.40.2/32 eq 2003 vlan 835
17 deny udp any 224.91.40.4/32 eq 2007 vlan 835

I applied it in the inward direction on the port as below:

interface Ethernet1/7
description **connected to remote-location**
ip access-group remote-location in
no lldp transmit
no lldp receive
switchport mode trunk
switchport trunk native vlan 835
switchport trunk allowed vlan 835,837
load-interval counter 1 5
load-interval counter 2 5
 

My interface outgoing traffic rate is not dropping.

input rate 1.68 Gbps, 154.36 Kpps; output rate 1.80 Gbps, 193.82 Kpps  <-- expecting to see output rate equals to almost zero

 

Can anyone please help me to achieve this?
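An added illustration of the behaviour discussed in this thread (not code from the thread or from Cisco): a toy evaluator for a subset of the post's ACL that models a port ACL as inbound-only. The stream packet, the ACE parser and the source address are constructed; it shows why the multicast streams leaving Ethernet1/7 are never evaluated by an ACL applied "in" on that port, while the same packets are denied where they enter a port inbound.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed: two entries from the post's ACL plus an explicit permit.
# A real NX-OS ACL ends with an implicit "deny ip any any", which the
# post's ACL (deny entries only) relies on for everything else inbound.
ACL_TEXT = """\
10 deny ip any 232.10.10.1/32 vlan 835
17 deny udp any 224.91.40.4/32 eq 2007 vlan 835
20 permit ip any any
"""

@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "ip" or "udp"
    dport: Optional[int]
    vlan: int
    direction: str        # "in" = enters the port, "out" = leaves it

def parse_acl(text):
    """Parse the NX-OS ACE subset used in the post into tuples."""
    aces = []
    for line in text.splitlines():
        parts = line.split()
        seq, action, proto, src, dst = parts[:5]
        rest = parts[5:]
        dport = int(rest[rest.index("eq") + 1]) if "eq" in rest else None
        vlan = int(rest[rest.index("vlan") + 1]) if "vlan" in rest else None
        aces.append((int(seq), action, proto, src, dst, dport, vlan))
    return aces

def ace_matches(ace, pkt):
    _, _, proto, src, dst, dport, vlan = ace
    if proto != "ip" and proto != pkt.proto:
        return False
    if src != "any" and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(src):
        return False
    if dst != "any" and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(dst):
        return False
    if dport is not None and dport != pkt.dport:
        return False
    return vlan is None or vlan == pkt.vlan

def port_acl_verdict(aces, pkt):
    """Port ACLs filter inbound only: an outbound packet is never evaluated."""
    if pkt.direction != "in":
        return "not evaluated"
    for ace in aces:
        if ace_matches(ace, pkt):
            return ace[1]
    return "deny"   # implicit deny at the end of every NX-OS ACL
```

Feeding a stream packet with direction "out" returns "not evaluated", matching the unchanged output rate in the post; the same packet with direction "in" (as it would arrive on a port facing the distribution switches) returns "deny".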
#6
Hi, I want to configure two 10Gbps ports to have full load balancing = 20Gbps between two SPA ports on a Cisco ASR 1002X and a Cisco Nexus 3064PQ. I don't think I prefer the flow-based load balancing since I want to split the traffic equally between the two interfaces, and therefore with flow-based I might end up with one link being utilized more than the other since it uses src or dst MAC to put traffic on one link. Can someone post a step by step configuration example of implementing that?
#7
Hi folks, I have an IF/RF station that is receiving RF signals from satellites, which are then converted to IP to be encoded, decoded, multiplexed, and modulated again to RF so that they are sent over the wireless and wired network to reach the receivers to watch satellite TV. The station has a network of L3 Cisco switches configured with ip pim dense mode under each VLAN that is participating in a multicast stream, in order to connect the streams' multicast group addresses to the devices that are re-generating the streams. The question here is that I believe we should move from PIM dense mode to sparse mode, but I need a good reason to convince the management to do that, since they are saying we don't need to because all the devices are requesting all the streams always in any case, so there's no need to convert it to sparse mode. Any ideas about whether, in such cases where the devices requesting the streams are densely populated on all the VLANs, it's still recommended to switch to sparse mode?

Note that we have only L3 switches and no routers at all. And ip multicast routing is enabled on all the switches.