Cisco :: ASA 5505 Introducing Networking Loops
Jun 19, 2012
Have a number of organisations that I work with who are currently all changing their ISP to a different one. The company who are supporting this are introducing a new router and firewall to the network and removing the old layer 3 switch. Firewalling and filtering was previously done off site but will now be handled by the ASA 5505. I personally do not have permission to configure the ASA (nor would I know how to). So these places are set up with 2 ip ranges, so int 0 on the ASA is 10.0.0.1, int 1 is 10.0.1.1. The Cisco ASA has been configured with the same settings on its required ports as the old layer 3 switch had, so nothing much has to change on the internal network. Problem is that the old layer 3 switch must have only been passing data through at layer 3, so basically not switching and not creating networking loops. It seems that due to certain required network topologies, switch A is connected to switch B, which is connected to switch C, which is connected to the ASA, but switch A will also be plugged into one of the interfaces on the ASA (creating a loop). As I've said, this was not a problem with the layer 3 switch but now the ASA must be switching at layer 2 (I guess...?) as well as routing to the internet (which is required for both ports, which are vlans) and so is messing up the lan with a switching loop.
Can the ASA 5505 be configured so as to allow access to the internet for both vlans/ip ranges while also preventing switching loops being created? It seems definite that this is being caused by the introduction of the 5505 as the old setup was exactly the same, it's just that the 2 cables have been plugged into the 5505. We do not have the option of using STP here as the rest of the switches on the network are unmanaged.
Jan 3, 2013
We are thinking of introducing ASAs into our setup instead of using FWSM for our firewalls with our 6500. Currently we use multiple contexts with the FWSM, as we provide hosting services for multiple clients and want them behind their own firewall. My question is how can we make this happen with an ASA. Since with the FWSM we use the backplane of the 6500 and SVIs for all interfaces between them. For example if we have 20 clients what will be the ideal setup for us to use with an ASA. If we can in fact use multiple contexts how can we? Is there a way we can maybe bundle all the ports in the ASA into the 6500 as a layer two trunk port and continue to use SVIs to manage all the clients?
Apr 8, 2013
We've put in a 3750 at our corp hq (Detroit). We did this to break up the current flat 172.16.0.0 /16 network into separate VLANs for various purposes. We plan on doing that at another site (Farmington), which will become a DR site. We are running EIGRP throughout the organization over an OPTEMAN network and also sending routes to a managed MPLS network which uses BGP. BGP redistributes into EIGRP and vice versa. I've attached a pdf of the network. The 3750 core at the corp hq is a temp core, hopefully upgrading to Nexus within a year or two. This problem didn't exist until the 3750 was introduced and became the gateway for the site. The OPTEMAN router was the gateway and was on the same VLAN as the MPLS router.
So, in Detroit we have a Detroit-MPLS router, Detroit-3750, and Detroit-OPTEMAN. What I'm seeing is that the routes I'm getting from the MPLS router make it to the 3750. The 3750 advertises those routes to the Detroit-OPTEMAN router. However, the OPTEMAN router doesn't advertise these routes any further.
In Farmington, it is currently set up like Detroit used to be set up. There is a flat network and both routers are on the same VLAN, no L3 core switch. Routes come in from the MPLS, get advertised to the Farmington-OPTEMAN router, which distributes the routes out to all OPTEMAN connected routers, including Detroit. However, Detroit is not passing that route to the 3750.
When we made the 3750 stack the core, we didn't change anything else, except for some IP changes. Why aren't these routes fully redistributing?
Detroit-3750 Stack
WS-C3750G-24TS-S <-Stack master running c3750-ipservicesk9-mz.122-55.SE7.bin
WS-C3750X-12S-E <-Running c3750e-universalk9-mz.122-55.SE7
show sdm prefer
The current template is "desktop routing" template.
[Code]...
May 15, 2012
I have a very basic question about Cisco ASA 5505 IPsec Site to Site VPNs. I want to install a Cisco ASA 5505 at a Data Center, in a LAN subnet that utilizes publicly routable IP addresses. I would like to install a second Cisco ASA 5505 in a remote branch office as its peer.
Regardless of whether I use publicly routable IPs at the branch office in the "inside" network or non-routable IPs, how would the devices and servers at the Data Center know to route IP packets destined for the branch office back through the Cisco ASA instead of through the default gateway at the Data Center? I can see accomplishing this if every single device at the Data Center is configured with routing table entries, but that isn't feasible. It also isn't feasible to use the Cisco ASA 5505 as the default gateway for all of the devices as the Data Center, allowing it to decide where the traffic should go.
Is the solution to try to map branch office IPs to IP addresses within the Data Center's LAN subnet so that all of the traffic is on the same subnet?
May 21, 2012
Is this a good price *NEW* for this unit...325.00
NEW SEALED* Cisco ASA5505-BUN-K9 Firewall 10-User
I assume 10-user means this device comes with a 10 user VPN license? Is there anything else I should be looking for when purchasing an ASA? Mainly looking to use my NetGear WNDR3700 as just a WiFi AP and not my edge device.
Aug 11, 2011
I am planning to implement an ASA 5505 in my home network and I am wondering if this is a valid configuration. I am wondering if it is necessary to have 3 separate internal subnets or if these can be cabled together in a more efficient fashion?
I plan to keep the 2 servers (game, e-mail) branched off the ASA directly in a DMZ configuration. The rest of the clients connect through the wireless/wired router.
Any unforeseen problems with a setup like this (Modem -> Firewall -> Internal Router)? I have read sites that say I will have to accept an IP via DHCP for the ASA's external interface.
Oct 25, 2012
Shopping for a new home router/firewall. Trying to decide between a Cisco ASA 5505 or a juniper equivalent. What are everyone's thoughts?
Dec 6, 2012
What if I run OSPF on all of the routers in the network diagram? Does it cause loops? If so, how to prevent it?
Jul 20, 2012
A friend of mine faced an interview, the question is what if there is no STP feature in the switches over the network and what would be the alternate method to avoid any sort of loops?
I guess we can think beyond till layer 3 devices by using some split horizon commands?
Sep 6, 2012
For the last few days I've been reading about Spanning Tree Protocol, an L2 protocol, and understood how it prevents loops in a network and the various steps in STP, but one thing I wanted to know is how STP actually detects the loops in the network so that it can prevent them. Somewhere I read STP uses BPDU as a probe and detects loops. I mean how it happens is when a switch sends a BPDU with Destination Address as multicast and receives the same BPDU again, it means there is a loop in the network. But is that how STP detects loops in a network?
Sep 23, 2012
I am a network tech at a local school district (easily enterprise network). I am just a worker bee, so have no say in the design of the networks. Our topo at a site goes WAN rtr---LAN rtr (6500 of 3550)----distro switches----access switches.
Now at most of our sites we use Extreme, which has a handy feature called ELRP (Extreme Loop Recovery Protocol). Despite the name, this mechanism just detects loops. In the logs we can see, ok...off the LAN rtr, port 2, then on port 2 we see what's hanging off it...ok, loop off port 5 of that switch.....and work your way down the room.
We do not have STP on our network (don't ask) and yes, logging is not set to standards also......what is the best way to detect loops? Commonly these loops come from classrooms that have mini-sw's that are looped onto themselves or a wall jack connected to mini sw and that mini sw then connected to another wall drop going back to same sw. Sometimes I disable all ports minus the WAN uplink on the LAN router, then enable ports one by one while having a LR hooked up to a user facing rj45 port on the 6500 and when the LR (link runner) shows 100% util, I know that port is now suspect.
Dec 14, 2011
Any opinion on what could cause loops on Nexus 5000 ports that are connected to ESX hosts?
Jan 20, 2012
I have a network where if an end user attaches a hub to the network, or rather one of those cheap unmanaged 8-port mini-switches and then plugs the two ends of the same cable into two ports of that mini-switch, all the network goes down. Loops are generated and many uplinks are shut down in err-disable state due to the loopback reason.
I know I could discourage the use of those mini-switches using port security. I even have NAC (Cisco) deployed on the network, but there are cases where those mini-switches are allowed by the management. In those cases, it is not possible to know exactly which hosts (MAC addresses), and even how many of them, will attach to the network concurrently. As far as I know, they could even chain many mini-switches one to another. Of course, when even a single mini-switch is allowed on the network, it becomes a security hole.
Is there a way to allow the use of those devices without the risk of network outages? Some STP protection method? The best would be to have the Cisco access switch to get aware of the loop on its affected switchport (where the mini-switch is attached), immediately shutting down that port (to avoid loops on the network) and maybe sending an SNMP trap or a syslog message.
We are using Cisco Catalyst 2950 and 2960 for our access layer.
Nov 15, 2012
I used to have the problem where QuickVPN keeps on trying to verify the network because the RV042 cannot get the final ping to the client. I then bought a RV042 HW version 3 on the VPN side and I installed RV042's at the clients as well. This may look like overkill but believe me, it gives peace of mind, it made things a whole lot better, everybody happy. I am going to set up tunnels but for the time being the clients use QuickVPN. The above setup is all good if people access the vpn from the same source.
I now have a problem where one of our people is in Vietnam and she cannot access the vpn due to the "verifying network" loop. Looking at the log everything looks great, I compared a successful connect with an unsuccessful one and the logs are identical. The only difference is that the final ping is blocked (recorded in the QuickVPN log on the client side). The client uses W7 with firewall on. No need to repeat suggestions, such as turning printer sharing off, I have been through all that. Isn't this simply caused by the ISP in Vietnam blocking pings?
May 22, 2013
We have an environment where users create a lot of bridge loops. We have tried to send E-mails about it and educate the users but it is almost a lost cause at this point. The loops are created when users don’t pay attention and they plug a patch cable coming off of an access port up to ANOTHER access port by mistake.
All of our access ports are from 3750 stacked switches. The way we tried to deal with this in the beginning was with BPDUGuard and ERRDisable (BPDUGuard) auto recovery. We turned BPDUGuard on globally and left BPDUGuard auto recovery at the default value (I believe it was 30 seconds). So a loop would be detected and after 30 seconds, the switch would try to enable the port and if the loop still existed, close the port for 30 more seconds. Then we started having problems with printers getting "fried". Their NICs would die out and the control board would need to be replaced. After a lot of troubleshooting and testing, it was determined that allowing the ports to come out of ERRDisabled state would flood the network and the packets would generate in the millions per second range and fry the NIC of these printers.
The fix for this and saving the printers was terrible. We removed ERRDisable auto recovery and just let the ports that are looped stay in an ERRDisabled state. We wait for the user to figure out the loop and try to use the port and then put in a work order. Then we physically visit the site and verify the port was shut (ERRDisabled) from a loop and we bounce the port (shut/no shut) and everything is resolved. I did lab tests with a switch looped and a printer on the switch and watched it fry. We have had no printers fry after we removed the auto recovery protocol at every location. Only the locations where loops existed and auto recovery protocol running were printers going bad. What I found during my lab tests was that each time the port was auto-recovered (yes, for that millisecond while it checks if a loop still exists), more packets were re-generated and eventually enough was re-broadcast that printers would go down. We never had a problem with computer NICs. I guess the cheaper printer NICs couldn’t handle the broadcast storms created by this. I tried playing with the auto recovery timers and even the highest setting would eventually re-create these storms.
So my question is what best practices are others using? Should we get rid of BPDUGuard and just try to let spanning-tree handle these bridge loops? Is there something else I can try? I’m not CCNA by any means, just trying to do what I can in my environment. Manually visiting sites when loops occur is becoming more and more my job, though and I have plenty of other things to be doing.
Feb 22, 2012
Strange problem which I encountered today, I have a Cisco 2960 which is connected to a Netgear. The switch started showing itself in CDP and was running STP. I checked the cables physically today and noted 3 uplinks to the Netgear, all ports on the Cisco active and forwarding and green lights.
The Cisco was running STP, I changed it to R-PVST and the lights on the Cisco went crazy and I got the message port flapping on the switch but the switch did not block any ports (all ports on same vlan).
Thereafter I changed it back to STP and the switch blocked the other uplinks apart from one.
Surely R-PVST is far superior to STP?
Mar 19, 2011
My mum is running Windows 7 Home Premium on her laptop, with AVG Free Anti-Virus. She uses Chrome, Firefox, and Safari. Cookies are enabled on all browsers. I'm running Ubuntu "Lucid Lynx" 10.04. I use Chromium and Firefox, occasionally Opera. Cookies are enabled on all browsers. I also have an iPad, which is running the latest software. Never had a problem with cookies before. My brothers use Facebook through Xbox. They can't log in either. My router settings are set to allow cookies, and according to my ISP, my internet is up and doing fine.
Now, the issue... My mum noticed a login loop when she tried to get into Facebook. Every time she tried to log in, it would just redirect her to the login screen. I tried the same thing to no avail. I can't log in to some other sites as well, such as Photobucket. I can't upload to tinypic either. However, as you may have noticed, I can log in to forums just fine - however, it only keeps me logged in for one session, even if I ask it to remember me. My neighbours don't seem to be having this issue - except for the neighbour that shares our internet. She can't log in to Facebook either. I thought it might have something to do with our IP, so I tried using the Tor/Vidalia proxy assistant to log in to Photobucket from a different server/location. It worked. So, we can log in to various websites via proxy, but not from our home IP.
May 7, 2011
My roommate has just gotten a second hand laptop and he's trying to connect it to the Wireless network so that he can browse the internet from his room. However, although all the settings are correct, attempting to connect to the network loops. It comes up showing the Wireless Networks available, I select the network and click connect, it then asks for the encryption key. I enter the key and hit connect again, it comes up with the 'Connecting' pop-up and then loops back to the Available Networks screen again. There are no error messages, it just goes back to the starting screen and it hasn't connected. The laptop in question is a Lenovo T60 with an Intel PRO/Wireless 3945ABG card. The router is a TP-Link TD-W8960N.
May 12, 2013
I have a Cisco EA4500 wireless router. The only issue I have had with this router is when power gets disconnected or if I have a power outage, I have to go through some loops to get it to work again usually taking upwards of 45 minutes to fix.
Oct 23, 2011
I recently installed a very basic version of XP on my old laptop (Gateway MT3707). After hours of searching for the correct drivers, I found them, and installed them. After installing the correct drivers for wireless internet I was able to pull up the list and find my network on it. When double clicking on our wireless network it asks for a network key (also called WEP key or WPA key). Now we have a password for our network, but after an exhausting amount of tries that won't work. I'm not sure if that is what it's looking for. In our apartment we run mac OSX, windows vista, etc., but usually the password for the network is satisfactory. I have never run into this problem. I hate to be a noob, but I don't know where to go from here.
Mar 2, 2011
Having some serious problems on the networking front here at home. I have 3 PCs and 2 Xboxes that run constantly. Our Internet bandwidth is Insight's 50.0 which is 50Mb download speed 5Mb upload speed. The problem we're having is this. Ever since we upgraded from dual 20Mb lines on a Cisco RV042 to a 50Mb on a DIR-655 we've been having latency issues. I have everything turned off in the router. It's basically there to give out IP numbers and that's it. All security is handled from the PCs themselves. Bandwidth tests are fine, I sustain download speeds above 7MB/s using download managers. But pings are terrible. Xbox live is terrible, PC online gaming is terrible. Pingtest.com is terrible. Only when behind routers. I've tried it behind 3 separate routers. The DIR-655, the Belkin f5d8236 that Insight provided me, and the Cisco RV042 originally used for dual WAN routing. All of which are met with serious failure.
If I plug directly in to the modem pings are fine. Add a router and pings go to shit.
Sep 24, 2012
I have 3 LAN connections. I'm using 3 modems and 3 switches to connect all the PCs in the LAN, but now I want 1 PC as a server which is connected to all 3 LAN networks, so that everyone can share files with the server and even all clients. Do I have to create a VPN or home network to connect with the server? And must I install Microsoft Windows Server on the server PC?
May 15, 2013
I want to deploy a high availability solution for web servers in two data centers. In the primary data center I have deployed a group of web servers and I want to deploy additional servers in a secondary data center for disaster recovery and high availability. Reviewing the documentation, it looks like the GSS4492 is the solution for my company needs but I am not sure if I have to implement just the GSS or if I need an ACE4700 integrated with the GSS?
May 30, 2012
My laptop (Win 7 x64) can currently access all the shares on the XP computers in my home network but, although I can see it, I cannot access the laptop from my main xp computer. I haven't tried to access it from the other xp computers downstairs. I have read the guide on this site as well as 3 or 4 other threads on this subject but am unable to resolve the issue. Completing the network setup so that I can look into my laptop from this main xp computer. My laptop has a wireless internet connection but I also have it plugged into my wired home network for sharing. I will provide other details as needed. I suspect that some essential services for file sharing may not be running on the laptop, but I'm not sure.
Jul 16, 2012
I have been looking at ways of networking my printer in my office. The problem being that my printer does not have any kind of inbuilt networking capacity. So I thought I could connect it via USB to my router as it has a USB port on it. The router is an Orange Bright Box - in the specs for the router it says that the USB port is for file sharing, mentions nothing of connecting a printer to it.
Sep 11, 2011
Trying to network between a Windows 7 computer and a Windows XP computer is possibly the hardest thing I have ever done. I have googled for hours and hours and none of the solutions seem to be working. I will try to explain what I have already done. Although I have done loads and I am sure I am missing some things. I have a Windows 7 laptop and for this exercise I shall call it WIN7. I have a Windows XP computer and for this exercise I shall call it WINXP. Both computers are in the same network which I have called SAMNETWORK. I have enabled permission to Everyone in folder sharing settings on WIN7. I have turned on Sharing and I have made myself discoverable with no password set on Network and Sharing Advanced Settings. Both user accounts on the XP and 7 machines are the same and both passwords are the same. I have turned all firewalls off. The WINXP computer has sharing enabled.
I have done a lot more things including installing LLTP (sp.?) and changing registry entries like Lsa/anonymous something like that (can't remember the actual directory) but I have changed registry entries as I have read elsewhere on the web and I have changed the network from home to work but that did nothing etc. etc. But everything that everyone suggests is just not working and I have been looking for about 4 hours now so you can imagine I have tried everything I have found! Anyway, my 7 laptop can see WINXP but when I click on it, it states that Windows cannot access \WINXP. The WINXP computer can see shared folders from WIN7 but it also states that it is not accessible. However, I did once get the WINXP computer to access the WIN7 shared folders. However, that doesn't even work now. I need the WIN7 to access the WINXP files. [code]
Feb 22, 2011
Running Windows XP. I'm a bit dizzy as I can't seem to work out what's going wrong or what I'm doing wrong lol!!! 8 PCs on the network, all can view files etc. apart from one PC. Let's just call this "Bob1". It keeps asking for user name and password. Now there's no user name or password on the given PC, file and sharing is open and all the right ports given. What I can't understand is that the remaining 7 PCs on the network have the same setup and file permissions, are on the same subnet and can ping each other to my knowledge. So just to prove myself wrong I made a password for the PC that was asking for one on the network and this still did not work. So to cut the story short, 7 PCs can search each other fine but "Bob1" keeps asking for user name and password.
Mar 3, 2011
I am having trouble with setting up connection between pc using windows 7 and a laptop using windows xp. Do I have to setup a separate network on my laptop?
Feb 10, 2011
I am trying to use the existing rg-6 in a building for internet but am not sure how far a coax can go and still get a good signal strength?
Dec 25, 2012
I am trying to add an XP computer to our (already) Win7 computer. Now... I have connected the XP computer to the external modem that gives the 7 its signal (by way of ethernet cable). I went through changing and matching up the workgroup names, and... turned on "Network Discovery" on the 7 end... after everything is said and done... I DO get the internet signal to the XP, but knock out the 7 altogether.
Oct 2, 2012
I got CCNA but I feel that it doesn't teach me how to build networks for business and how to choose a network architecture. What is the best way to learn this? Also, what is the best way to learn how to build a wireless network for a company that runs on multiple floors without users losing wifi connectivity when they roam?
Sep 22, 2011
ACE20 module with A2(3.3). I have tried to config a NAT-pool with two addresses, but only one is used.
Sep 10, 2011
I have two LANs in my house, one 10/100 base and the other 10/100/1000, but one internet connection that I would like to have access to on both networks. Right now I have two Belkin routers for each network. In addition I have a Cisco 2600 and 3660. I know they are old, but they seem to be in operational order. Can I use those to combine the two networks? The only thing I want to maintain is the speed on the gig network, from the router to the PCs and devices.