Re: [cisco-ttl] CEF problemi

From: Serhat Uslay <serhat.uslay_at_....>
Date: Wed, 13 May 2009 11:54:06 +1000

Mesut,
Could you send me the output of "sh ip cef 10.0.81.1" on the 4500s? According to this document (
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/cef.html#wp1150531 ) the normal "load sharing" on the 4500 should be "destination IP based". That means your bank traffic should go over the same link. Also try the same command on the 6509. If every system has "destination IP based load balancing", we need to look at the incoming and outgoing packets on the firewall with snoop or tcpdump. If CEF is somehow "packet based", you can change it with this command (try this anyway, because when hashing it will use the TCP ports too, not just the destination IP): ip cef load-sharing algorithm include-ports source destination

Good luck,

Serhat
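An added illustration of the point Serhat makes above (my own constructed simulation, not code from the thread or from Cisco): with per-destination or include-ports load sharing every packet of a TCP session is pinned to one of the two firewalls, while per-packet sharing alternates a single session across FW-1 and FW-2, and a stateful firewall that never saw the session's SYN drops the stragglers. The hash function, addresses and ports are assumptions; the two paths mirror the Port-channel1/6500-1/FW-1 and Port-channel2/6500-2/FW-2 legs in the routing table.

```python
import hashlib
from itertools import count

# Constructed topology mirroring the thread: two equal-cost next hops on the 4500,
# each ending at a different stateful firewall that keeps its own session table.
PATHS = ["Port-channel1 -> 6500-1 -> FW-1", "Port-channel2 -> 6500-2 -> FW-2"]

def cef_hash(src, dst, sport=None, dport=None):
    # Stand-in for CEF's flow hash (not Cisco's real algorithm): per-destination
    # hashes src/dst only, include-ports adds the L4 ports to the key.
    key = f"{src}|{dst}|{sport}|{dport}".encode()
    return int(hashlib.sha256(key).hexdigest(), 16) % len(PATHS)

class PerPacket:
    """Per-packet load sharing: consecutive packets alternate between paths."""
    def __init__(self):
        self._counter = count()
    def choose(self, pkt):
        return next(self._counter) % len(PATHS)

class PerFlow:
    """Per-destination (src/dst) or include-ports load sharing: a flow is pinned."""
    def __init__(self, include_ports=False):
        self.include_ports = include_ports
    def choose(self, pkt):
        if self.include_ports:
            return cef_hash(pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"])
        return cef_hash(pkt["src"], pkt["dst"])

def tcp_session(src, dst, sport, dport, segments=6):
    """Constructed client -> bank session: a SYN followed by data segments."""
    base = {"src": src, "dst": dst, "sport": sport, "dport": dport}
    pkts = [dict(base, flags="SYN", seq=0)]
    pkts += [dict(base, flags="ACK", seq=i) for i in range(1, segments + 1)]
    return pkts

def run_through_firewalls(packets, balancer):
    """Forward each packet over the chosen path; a firewall drops any non-SYN packet
    of a session whose SYN it never saw. Returns the (seq, path) pairs dropped."""
    sessions = [set() for _ in PATHS]
    dropped = []
    for pkt in packets:
        path = balancer.choose(pkt)
        flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if pkt["flags"] == "SYN":
            sessions[path].add(flow)
        elif flow not in sessions[path]:
            dropped.append((pkt["seq"], PATHS[path]))
    return dropped
```

Running `run_through_firewalls(tcp_session("10.0.81.10", "203.0.113.5", 40000, 443), PerPacket())` drops every other segment, whereas the same session under `PerFlow()` or `PerFlow(include_ports=True)` loses nothing.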

Mesut CAP <mesutcap_at_gmail.com>
Sent by: cisco-ttl_at_yahoogroups.com
13/05/2009 01:07 AM
Please respond to
cisco-ttl_at_yahoogroups.com

To
cisco-ttl_at_yahoogroups.com
cc

Subject
Re: [cisco-ttl] CEF problemi

Hello;

The problem occurs in the situation below; that is, the banks suddenly drop the connection.

4500#
O*IA 0.0.0.0/0 [110/2] via 10.0.1.25, 00:00:04, Port-channel2 ---> 6500-2

               [110/2] via 10.0.1.21, 00:00:04, Port-channel1 -----> 6500-1

6500#
S* 0.0.0.0/0 [1/0] via 10.0.3.250 -->FW-2

               [1/0] via 10.0.2.250 ---> FW-1

On the 4500, when I configure a static route to one of the 6500s, there is no problem. In the current setup 2 firewalls are used and their uplinks are separate. Changing the design is not really
possible right now.
Serhat, when I trace from a PC connected to the 4500 to the firewall or to somewhere on the internet, the same path is always used.

4500#traceroute 74.125.79.99

Type escape sequence to abort.
Tracing the route to 74.125.79.99

  1 10.0.1.25 0 msec -->Port-channel2
    10.0.1.21 0 msec -->Port-channel1 --> It looks like there is something abnormal here???

    10.0.1.25 0 msec -->Port-channel2
  2 10.0.3.250 12 msec 8 msec 12 msec -->FW2
  3 * * *
  4 * *

When I use a VLAN on the 4500 as the source address;

4500#traceroute
Protocol [ip]:
Target IP address: 74.125.79.99
Source address: 10.0.81.1
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]: Type escape sequence to abort.
Tracing the route to 74.125.79.99

  1 10.0.1.21 0 msec
    10.0.1.25 4 msec
    10.0.1.21 0 msec
  2 10.0.3.250 4 msec
    10.0.2.250 0 msec
    10.0.3.250 4 msec
  3  *  *  *

  4 * * *
  5 *

When I trace to the firewall;

4500#traceroute
Protocol [ip]:
Target IP address: 10.0.2.250
Source address: 10.0.81.1
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]: Type escape sequence to abort.
Tracing the route to 10.0.2.250

  1 10.0.1.25 0 msec
    10.0.1.21 0 msec
    10.0.1.25 4 msec
  2  *  *  *
  3  *  *  *

  4 * * *
  5 * *

Sinan, thank you, there may be a chance to do logging, but even without logging,
when I put 2 equal-metric paths into the routing table on the 4500 we already cannot reach the banks. Other sites are reachable, though. There are also 2 paths on the 6500s, but the problem only appears when there are 2 paths on the 4500s. Given this result I am looking for the problem on the 4500s; I hope that is the right place.

Received on Wed May 13 2009 - 10:07:29 CEST