Re: [cisco-ttl] CEF problem

From: Mesut CAP <mesutcap_at_....>
Date: Wed, 13 May 2009 15:44:07 +0300


Serhat;
Before mailing the group I had read the document you mentioned and tried that command; I sent the mail when I got no result. If the firewalls were in a stack I would watch the logs, but they are independent and in separate locations. As a last resort we will either continue with static routes or ask Cisco for support.
Thanks for your help. The output you asked for is below.

4500#sh ip cef 10.0.81.1
10.0.81.1/32
  receive for Vlan81
4500#

On Wed, May 13, 2009 at 4:54 AM, Serhat Uslay <serhat.uslay_at_zurich.com.au> wrote:

>
>
>
> Mesut,
> Could you send me the output of "sh ip cef 10.0.81.1" from the 4500s?
> According to this document (
>
> http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/cef.html#wp1150531
> ) the normal "load sharing" on the 4500 should be "destination IP based".
> That is, your bank traffic should go over the same link. Also try the same
> command on the 6509. If every system has "destination IP based load
> balancing", we need to look at the incoming and outgoing packets on the
> firewall with snoop or tcpdump.
> If CEF is somehow "packet based", you can change it with this command
> (try this anyway, because when hashing it will then use the TCP ports
> too, not just the destination IP):
> ip cef load-sharing algorithm include-ports source destination
>
> good luck
>
> Serhat
>
>
> Mesut CAP <mesutcap_at_gmail.com>
> Sent by: cisco-ttl_at_yahoogroups.com
> 13/05/2009 01:07 AM
> Please respond to: cisco-ttl_at_yahoogroups.com
>
> To: cisco-ttl_at_yahoogroups.com
> cc:
>
> Subject: Re: [cisco-ttl] CEF problem
>
> Hello;
>
> The problem shows up in the situation below, i.e. the banks suddenly
> terminate the connection.
>
> 4500#
> O*IA 0.0.0.0/0 [110/2] via 10.0.1.25, 00:00:04, Port-channel2 ---> 6500-2
>               [110/2] via 10.0.1.21, 00:00:04, Port-channel1 ---> 6500-1
>
> 6500#
> S* 0.0.0.0/0 [1/0] via 10.0.3.250 --> FW-2
>              [1/0] via 10.0.2.250 --> FW-1
>
> On the 4500, when I configure a static route to one of the 6500s there is
> no problem. In the current design 2 firewalls are used and their uplinks
> are separate. Changing the design is not really possible right now.
> Serhat, when I trace from a PC connected to the 4500 to the firewall or to
> somewhere on the internet, the same path is always used.
>
> 4500#traceroute 74.125.79.99
>
> Type escape sequence to abort.
> Tracing the route to 74.125.79.99
>
> 1 10.0.1.25 0 msec -->Port-channel2
> 10.0.1.21 0 msec -->Port-channel1 --> looks as if something abnormal is going on here???
> 10.0.1.25 0 msec -->Port-channel2
> 2 10.0.3.250 12 msec 8 msec 12 msec -->FW2
> 3 * * *
> 4 * *
>
> When I give a VLAN on the 4500 as the source address;
>
> 4500#traceroute
> Protocol [ip]:
> Target IP address: 74.125.79.99
> Source address: 10.0.81.1
> Numeric display [n]:
> Timeout in seconds [3]:
> Probe count [3]:
> Minimum Time to Live [1]:
> Maximum Time to Live [30]:
> Port Number [33434]:
> Loose, Strict, Record, Timestamp, Verbose[none]:
> Type escape sequence to abort.
> Tracing the route to 74.125.79.99
>
> 1 10.0.1.21 0 msec
> 10.0.1.25 4 msec
> 10.0.1.21 0 msec
> 2 10.0.3.250 4 msec
> 10.0.2.250 0 msec
> 10.0.3.250 4 msec
> 3 * * *
> 4 * * *
> 5 *
>
> When I trace to the firewall;
>
> 4500#traceroute
> Protocol [ip]:
> Target IP address: 10.0.2.250
> Source address: 10.0.81.1
> Numeric display [n]:
> Timeout in seconds [3]:
> Probe count [3]:
> Minimum Time to Live [1]:
> Maximum Time to Live [30]:
> Port Number [33434]:
> Loose, Strict, Record, Timestamp, Verbose[none]:
> Type escape sequence to abort.
> Tracing the route to 10.0.2.250
>
> 1 10.0.1.25 0 msec
> 10.0.1.21 0 msec
> 10.0.1.25 4 msec
> 2 * * *
> 3 * * *
> 4 * * *
> 5 * *
>
> Sinan, thank you, logging might be an option, but even without logging,
> when I put 2 equal-metric paths into the 4500's route table we already
> cannot get into the banks. Other sites are reachable though. The 6500s also
> have 2 paths, but the problem shows up when the 4500s have 2 paths. Given
> this outcome I am looking for the problem on the 4500s; I hope it is the
> right place.
>

Received on Wed May 13 2009 - 15:17:41 CEST

This archive was generated by hypermail 2.2.0 : Wed May 13 2009 - 15:17:42 CEST
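To make concrete why the thread compares destination-based, port-aware and per-packet load sharing, the following is an added Python model (not from the thread, and not Cisco's code) of one TCP connection leaving the 4500 over two equal-cost next hops that are two independent stateful firewalls. The addresses, the flow and the hash function are constructed placeholders, and the three policy functions are simplified models of the behaviours the thread names, not IOS internals. A firewall that never saw a connection's SYN has no state for it and drops the later packets, so only a per-flow policy keeps a session intact.

```python
import hashlib
from dataclasses import dataclass, field
from itertools import count

# Constructed next hops, named after the two firewalls in the thread.
PATHS = ("FW-1 (10.0.2.250)", "FW-2 (10.0.3.250)")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False  # True for the first packet of a TCP connection


def flow_key(pkt):
    return (pkt.src, pkt.dst, pkt.sport, pkt.dport)


def hash_select(*fields):
    """Pick one of PATHS deterministically from the given header fields.
    Stand-in for a CEF load-sharing hash; the real IOS hash is different."""
    digest = hashlib.sha256("|".join(map(str, fields)).encode()).digest()
    return PATHS[digest[0] % len(PATHS)]


# Three load-sharing policies (constructed models, not IOS internals).
def per_destination(pkt, _counter):
    """Source/destination address hash: every packet of a flow, and every
    flow between the same two hosts, takes the same next hop."""
    return hash_select(pkt.src, pkt.dst)


def include_ports(pkt, _counter):
    """Like per_destination with the L4 ports mixed in (the thread's
    "include-ports source destination"): flows stay whole, spread more evenly."""
    return hash_select(pkt.src, pkt.dst, pkt.sport, pkt.dport)


def per_packet(_pkt, counter):
    """Round-robin per packet: consecutive packets of one flow alternate."""
    return PATHS[next(counter) % len(PATHS)]


@dataclass
class StatefulFirewall:
    """Independent firewall: a connection is only known on the box that saw
    its SYN, so mid-stream packets arriving elsewhere have no state."""
    name: str
    sessions: set = field(default_factory=set)
    dropped: int = 0

    def forward(self, pkt):
        key = flow_key(pkt)
        if pkt.syn:
            self.sessions.add(key)
            return True
        if key in self.sessions:
            return True
        self.dropped += 1  # no session entry: the stateful check fails
        return False


def run_session(policy, n_packets=10, src="10.0.81.10", dst="203.0.113.5",
                sport=40000, dport=443):
    """Push one TCP connection's packets through the chosen policy and the
    two firewalls. Returns (delivered, dropped, set of next hops used)."""
    firewalls = {name: StatefulFirewall(name) for name in PATHS}
    counter = count()
    delivered = 0
    paths_used = set()
    for i in range(n_packets):
        pkt = Packet(src, dst, sport, dport, syn=(i == 0))
        path = policy(pkt, counter)
        paths_used.add(path)
        if firewalls[path].forward(pkt):
            delivered += 1
    return delivered, n_packets - delivered, paths_used


if __name__ == "__main__":
    for policy in (per_destination, include_ports, per_packet):
        delivered, dropped, paths = run_session(policy)
        print(f"{policy.__name__:16s} delivered={delivered:2d} "
              f"dropped={dropped:2d} paths={sorted(paths)}")
```

Run directly, the two hash-based policies deliver every packet over a single next hop, while the per-packet run alternates next hops and loses every packet that lands on the firewall without state, which is the symptom of sessions that the far end tears down.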
