I am having two sites, at one site the ISP is terminated on 2900 Router and at one site ISP is terminated on 3500 L3 Switch. Now need to configure the IP SLA on this. In the current setup I am having two 2900 routers at one location and 3500 L3 switches which by point to point link.
View 1 RepliesI have DSL 8Mbps DL and 768kbps UL The setup look like this:Internet -> Modem -> Cisco Router -> Firewall -> Switch Core - > Multiple switches like sfe2000p? CiscoRouter: i use port gig0/1 for PPPoE and i use port gig0/2 for LAN static Router port gig0/2 with 122.54.144.153/29 connected directly to Firewall port13 with 122.54.144.154/29 ?i want 122.54.144.153/29 will my default gateway ? include no limit bandwidth,filter etc at router, Firewall will be DHCP Server and control the bandwidth, filtering etc and the client computer should get 8Mbps
Mode: Routing
Encapsulation: PPPoE
Username: xx
Password: xx
Service Name: ISP name
[code]....
I want to configurate Cisco SSL AnyConnect VPN on cisco router 2900 series.when i install this license on router after that can i configurate ssl anyconnect vpn? Must I be first enable EULA then install this license?
View 0 Replies View RelatedI've been looking around Cisco's website but I can't find an answer to this -- If the 2900 platform suppots WCCP redirection using GRE?
View 1 Replies View RelatedIf there is a router ISRG2 2900 with SEC license and without HSEC license, there is a limit in count of cumulative encrypted VPN tunnels of 225. Which commands can show us a number of current tunnels on the router, so we can see if we are near this limit of 225?
View 4 Replies View RelatedI have a problem configuring URL redirect on ACE 30 (Version A4(1.0)).When a user enters IP address or a name of a service [URL], the ACE module should redirect him to the page [URL]. Here is my non-working config:
access-list OUTSIDE line 8 extended permit tcp any any eq https access-list OUTSIDE line 16 extended permit tcp any any eq www access-list OUTSIDE line 24 extended permit icmp any any
probe http Test_HTTP_1 port 80 interval 60 passdetect interval 30 passdetect count 2 request method head url /index.html expect status 200 200 open 1
rserver redirect URL_Redirect_01 webhost-redirection [URL] 302 inservicerserver host S1 ip address 10.0.0.2
inservicerserver host S2 ip address 10.0.0.3
[code]....
it works, ACE load balances to rservers. Of course, user must enter full url.With redirection configured, user recieves HTTP url redirect message with correct address [URL], but his browser does not display the page. Even directly entered full url does not display it while redirection is configured.Alternatively, does ACE30 already support url rewrite?
I have 2 ACE4710 in HA enviroment, they receive connection from Internet. What I need to configure is following:
The ACE have configured two URL, with the same port and VIP Address, for example:
URL-1: www.xxxxx.com
URL-2: www.xxxxx.com/Admin
VIP Address: 10.10.10.10
Port: 8443
All clients point to unique VIP and Port configured, I need to know if I can apply any filter or rule that allows me to distinguish when a customer goes to the URL1 or URL2.If any client try to access to URL-2, your traffic must be deny.In summary, from Internet I should be able to go only to URL-1.
We are deploying a Microsoft Exchange 2010 server environment, which will have a ACE 4710 front end. What we are finding is that if a server goes down, a client will need to re-authenticate to a new server. The server team has informed me that if they use Microsoft SLB this does not happen. They have also mentioned that we are getting basic authentication, rather than NTLM. As a result I have read several posts/articles which mention forcing NTLM on the ACE, but none go into real detail.
A couple of official Cisco documents point to having the Exchange Server, and Client both set to use NTLM. So on the server you do not need to select MAPI encryption. I am told this is not an option here, because a multitude of clients are supported, from Outlook 2003, through to 2010.
I have a request to configure an ACE30 for Oracle Hyperion utilizing SSL termination at the SSL offloader(ACE30). Any sample configuration or template of some sort that could guide me through what needs to be configured. We have many applications on the ACE#) but this is the first time we are going to try SSL termination.
View 3 Replies View RelatedIm trying to configure an ACE 4700 so that SSL termination is done on the ACE and HTTP reaches the weblogic server instance. I have a working setup of a Apache reverse proxy doing SSL offloading and using a weblogic module and that works fine Was reading [URL]. Any working config example for doing this with the ACE4700
View 2 Replies View RelatedCurrently running an ACE 4710, which is handling all of our inbound SSL connections and then forwarding requests thru to backend web servers. This all works fine.
My question is this..Right now we are not load balancing any of the backen web servers. But I now have a requirement that should a web server crash or become unavailable I need to redirect that backend connection to another web server.
Scenario is more like I have 2 web servers both serving same content, but I want one server to take all the connections unless it fails, at that point have all the connections forwarded to 2nd server.Is there a way to setup the load balancing where the 1st server gets all the connections until a failure happens ?
We are using an ACE20 module running version A2(3.2).I have a question regarding IP stickyness and the timeout parameter.I found this in the "Server load balancing configuration guide" (in a section entitled: "Configuring a Timeout for IP Address Stickiness"):
"The sticky timeout specifies the period of time that the ACE keeps (if possible) the IP address sticky information for a client connection in the sticky table after the latest client connection terminates. The ACE resets the sticky timer for a specific sticky-table entry each time that the module opens a new connection or receives a new HTTP GET on an existing connection that matches that entry."
The parts in bold seem to point to the fact that the timeout is an "inactivity timeout" as the counter is reset on every new connection.The next section in the documentation is entitled: "Enabling an IP Address Sticky Timeout to Override Active Connections" and says:
"By default, the ACE ages out a sticky table entry when the timeout for that entry expires and no active connections matching that entry exist. To specify that the ACE time out IP address sticky table entries even if active connections exist after the sticky timer expires, use the timeout activeconns command."
This seems to contradict the previous statement.So my question is: is the IP stickyness timeout an "inactivity timeout" or not?
I need configure HTTP Compression by hardware on CSS 11503. I make config like this [URL]
My config:
service s1
ip address 10.1.66.11 (web server)
keepalive type none
[Code].....
I have trouble with new installation LB ACE 4710 for Oracle application load balance. Problem: Unable to PING VIP - 10.11.10.55 / 24
Below are the simple configuration parameters:
1. ACE 4710 is connected with Cisco 3560 Switch - L2 Trunk (Channel Group)
2. Cisco 3560 Switch is connected with Cisco 6500 Switch (Core) also L2 Trunk
3. There are 3 Vlans,(255, 310, and 370), Vlan 255 is management Vlan
4. Real Servers and Virtual IP are part of Vlan 310
- VIP - 10.11.10.55
- Real Server1 - 10.11.10.46
- Real Server2 - 10.11.10.47
5. Gateway is 10.11.10.1 (vlan 310), 10.11.70.1 (Vlan 370)
Everytime I make a config change to one of the contexts on our ACE20, I get this message: Config Application in Progress. This command is queued to the system
If I run show download info, I get:
context : context1
Interface Download-status
--------------------------------------------------------------
187 In Progress
199 Pending
Regex download optimization status : Couldn't get status[TNRPC Timed out]
It eventually seems to complete, but it takes a very, very long time. We are running Version A2(3.5) [build 3.0(0)A2(3.5)].
Report run via Individual Web server URL’sThe report takes less than 20 minutes (average 15 minutes) to fetch and return the data. This is observed 9 out of 10 times.Report run via ACE Load Balanced URLThe report keeps on running for more than 20 minutes and never completes. The front end keeps showing report is running.The data in general when tested directly by running queries against the database (bypassing the platform) completes in 15-18 minutesThe network connectivity for each and every ports involved (Loadbalancer/Servers) have been throulgly checked.
View 6 Replies View RelatedI am looking for a Cisco document that gives me the,IP through-put on 2901, 2911 and 2921 routers with Policy based routing applied.,IOS version 15.1.3TOther processes, EIGRP Stub, VLAN routing, SRST,MGCP gateway (analog and PRI).
View 1 Replies View Relatedi have 3 access-list configured IN | Out on my Border router (MARTIAN) ,i have to look which one block some of the traffic passing through ,for that matter i have enabled the below commands on my ISR 2900: with nothing output.
View 3 Replies View Relatedlatest IOS version is from 18Nov11 and with little amount of traffic it keeps cpu usage sky-high until it starts losing packets (I've tried performance fine tuning according to cisco webpages and saw little difference)
Downgrading isn't an option as 15.2.1 version doesn't implement everything I need...
Is GET VPN be a better choice than DMVPN in order to support VoIP, Video over IP, Advanced QoS and Multicast? I think it should be the better choice based on what is described as the benefits and how it works but I just want an expert opinion.
Can separate groups be created using the same key serves? I need to protect two functionally separate WAN segments that terminate on the same DC core routers. However I want the separate WAN segments to have different encryption policies. Is this possible?
It is stated in the deployment guide for GET VPN that "Network Address Translation (NAT) is not supported by GETVPN. NAT must be performed before encryption or after decryption when GET is used." However the NAT capability is required on all the routers.
The 2900 series routers has embedded hardware encryption but according to the router perfomance guide, with a mix of traffic such as NAT, QoS and IPSec VPN they are unable to provide 100 mbps of throughput. Does the new ISM VPN modules would allow the routers to achieve 100 mbps of throughput with the services mentioned above?
provide my some (official) info regarding the MBTF for the C2900 and C3900 routers (2911 and 3945)? This info is currently not part of the data sheets.
View 0 Replies View RelatedI want to know if the Cisco 2900 series can do UC without having to buy any other hardware.I read through the 2900 series datasheet, and i can understand it does.But will want to clarify if i do not need any other hardware except the Unified Communications License for Cisco 2901-295.Does this mean all i need to activate UC is buying this license?My organisation wants to do UC, especially Voice and Wireless.It requires APs, IP Phones(both wired and wireless).To achieve this on a 2900 series, is all i need just the UC license to work, and then my IP Phones both wired and wireless once plugged to the switch connected to the 2900 series starts working?Or do i still need to buy another hardware for the Unified communication Manager Express ?
View 1 Replies View RelatedService policy output command is not supporting on Vlan interface of Cisco 2900 Router.I am having one HWic 4ESW Card and configured VLAN interface. But Service policy output command is not supporting.Same config is supporting in the Cisco 2800 Router.
View 13 Replies View RelatedWe will be getting a circuit from the same ISP at two of our sites and will be doing eBGP. Couple of notes. 1. We are fully aware of the risks associated with depending on a single ISP and have mitigated them as much as possible with the ISP. 2. We will be getting assistance on the eBGP setup from the ISP, so I’m not as concerned with that config at this point.
Site Summary
Site A:Cisco 2900 Series (RtrA) connected to single Ethernet based ISP circuit (ISP-1-A)eBGP will run between RtrA and ISP-1-A, default routes from provider onlyLayer 2 Switch (SwA) connected to LAN of RtrA and uplinks to SwB
Site B:Cisco 2900 Series (RtrB) connected to single Ethernet based ISP circuit (ISP-1-B)eBGP will run between RtrB and ISP-1-B, default routes from provider onlyLayer 2 Switch (SwB) connected to LAN of RtrB and uplinks to SwA
I need advise on the LAN side redundancy. Our goal is redundancy; load balancing is not a concern (If load balancing ever becomes a concern I will look at GLBP). We have several devices on the LAN side of the routers that can only use a single gateway. Given that I’ve surmised I need to use HSRP in some way for LAN gateway redundancy.
1. HSRP with Object Tracking, No IGP.HSRP handles LAN gateway failover if a router dies. Object tracking ensures LAN gateway failover if an interface fails or if an interface is up, but there is an upstream traffic issue. ie. track the physical WAN interface and use an IP SLA icmp to track a specific upstream IP incase of an upstream traffic issue.
2. HSRP with OSPFHSRP handles LAN gateway failover if a router dies. OSPF redistributes eBGP default routes to RtrA and RtrB so that each router should have a route to the ISP even if they loose their local ISP circuit. i.e if ISP-1-A on Router A goes down, Router A knows to send traffic out ISP-1-B via RtrB. In other words, traffic enters RtrA LAN, but exits on RtrB WAN.
3. HSRP with iBGP HSRP handles LAN gateway failover if a router dies. I have no experience with BGP, but assuming this would work similar to the OSPF solution above except for the required iBGP config and possible route reflectors?
I have a 2900 ISR that my VPN clients connect to using IPSEC over UDP. I am having periodic problems, especially with clients connecting through DSL, where they connect and immediately drop. Sometimes this is resolved by users updating their home router firmware. I'd like to issue a new client PCF file using IPSEC over TCP to see if that resolves the problems.
Can I have both running at once, and what do I need to add to the 2900 to enable this connectivty without breaking the existing clients? If the test is successful, I will migrate all users to the new configuration. This ISR is also used to support L2L connectivity for a handful of sites.
I try to setup a basic GTS shaping on a cisco ISR G2 2900
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(4)M3, RELEASE SOFTWARE (fc2)
Cisco CISCO2901/K9 (revision 1.0) with 1957856K/40960K bytes of memory.
ipbase ipbasek9 Permanent ipbasek9
the policy-map was applied to a svi interface (vlan interface)
And my problem is the shape isn't effective, in my attempt the max bw is 20Mb and I have gigabit interface
I know this kind of setup is classic and I see it working on older ios version 12.x
config:
interface VlanX
ip address X X
no ip redirects
[code].....
We are in the process of switching to a new internet provider in our office and have run into some problems. Our old setup was with AT&T, where they provided a managed router which linked to our internal switch and also provided NAT to the internal IP of our email server.Our new setup right now is just the internet coming in through a cable connected to a switch, we were told we needed to provide our own router. Someone donated a Cisco 2900.What should our proper set-up be? Should the internet come in directly to the router and then to our switch, or should it go to the switch they provided, then the router, and then our switch?Also, there seems to be some confusion about whether or not we need anything else to get the internet to work. There are slots for network cards in the router. Does it come with at least one built in we can use, or do we need to provide one?
View 1 Replies View RelatedI've problem with IP SLA probes between two different routers.2900 (c2900-universalk9_npe-mz.SPA.151-4.M4.bin) here is set "ip sla responder" only and 2800 (c2800nm-advipservicesk9-mz.124-24.T2.bin) here is set two type of tests "udp-jitter" and "icmp-jitter" - temporary, used to check for availability of 2900 router.As a result, I've what udp-jitter doesn't work at the same time icmp-jitter test is OK.Here are the settings of IP SLA tests
ip sla 281
icmp-jitter 172.25.28.1 source-ip 192.168.28.6 num-packets 100
tos 128
frequency 120
ip sla schedule 281 life forever start-time after 00:05:45
[code]...
I have bought DRAM MEM-2900-2Gb for 2921, and received the following error...
Validation failed for DIMM0
*****System halted*****
%SPD info: DIMM0: Invalid DIMM type (only UDIMMs are supported)
I am looking to setup for BGP with the following conditions:
Client has two 2900 routers, each connecting to a seperate ISP
Client has a Sonic Firewall with a link to each router
Client owns their own /24 block of public IPs and has their own AS Number.
Client has a public /24 and /25 from the corresponding ISPs
Client has supplied the following routing rules they would like to use:
-Anything from their own public subnet should advertize via the two ISP's with best path selection
-Anything from the respective ISP public subnets should use only their link (The ISP's are not auth'd to advertize the other's network)
The two routers are directly connected to eachother and each has a link going to the Sonicwall.
I have this small network comprising of around 40 users complaining about the poor speed. And they have 2900 WAN router having 10M service. The interesting thing is that they are using proxy server for all the communication.I am very new to the server side of thing-and wanted to confirm if the proxy server is packed full to its capacity for serving to clients' requests making it slow or its something to do on the network like WAN link being overloaded or showing errors.I did "sh interface g0/1" (WAN interface) and to me it looks there is not much load as the tx and rxload values are fairly ok. (as shown below). Moreover the output drops is 7341. I am still guessing if thats not too bad??
The other thing I did was to test the "sh ip nat transalations" which is all coming from the PRoxy server and was wondering if that is the place of bottleneck. Currently there were showing around 570 entries. Below are the output from there as well. Also, I was keen to know what is the "----" indicates in some of th output? [code]
Any way to disable the usb console port on a 2900 series router?
View 2 Replies View RelatedI have a hub / spoke configuration, with about 9 spokes. All connect ot the main office over a VPN, all native Cisco routers (2900 series)I want to use netflow to monitor traffic, and I started, but my results are not what I expected. I don't think I configured it properly.
Several interfaces have sub-interfaces, so if I'm reading correctly, I only export flow from the physical intyerface, not the sub-interfaces. Correct?I want both inbound and outbound traffic, so do I use the command twice with ingress and egress?What is the difference between V5 and V9?
Finally, how does NBAR fit in this? I want to see applications as well as just packets.