Content switch 11500 and IDS

Gomez
Level 1

The public interface of my content switch is mapped to a VLAN with public addresses. My servers are on a different VLAN with a private address schema. On the VLAN where I define my VIP addresses I also have an intrusion detection system installed. We often see packets on the sniffer that have a private address; this should not be happening. The content switch should only forward packets with an IP equal to the VIP and not the actual IP of the server.

It looks like the content switch often doesn't do NAT to the VIP address.

Can anybody help me with the problem?

3 Replies

Gilles Dufour
Cisco Employee

The packet that you see is most probably a FIN.

When the client closes the connection, the CSS keeps it open a few more seconds to allow the FIN from the server to go through NATed.

But if the FIN comes later, it will be forwarded un-NATed.

This is well known.

There is no way to prevent this.

Gilles.

Thank you Gilles, is there any official documentation on this? You are right when you say it is always a FIN.

Kind regards,

Frederik

Frederik,

I do not know if this was documented or not.

It might be but I do not have a link.

Gilles.
