Cisco :: Cat6506E / Netflow In A Dual-homed Hosting Environment
Jul 12, 2011
We're trying to set up netflow based billing for our hosting environment. We're dual homed to two different ISPs using BGP peering with each (ASN 18817). The drawing below shows the logical setup: The routers are each Cat6506E with Sup32 and PFC3B/MFSC2A running 12.2(33)SXJ. The direct link between is layer 3 (routed ports) for iBGP peering. The dark line is a layer 2 LAN made up of multiple switches (not shown) each connected to both 6500's with spanning-tree for loop protection. These switches also provide a layer-2 path between routers but the configured BGP peering is set to the layer-3 port IP on the link. There is at least one firewall connected directly to a 6500. The firewalls are all ASAs connected to any one of the not-shown mid-span switches. The router interfaces to the layer-2 LAN is a VLAN SVI using GLBP to provde a redundant gateway. There are multiple subnets on this vlan configured as secondary IP addresses on the VLAN interface (and in the GLBP gateway configs).
The question is: how do we collect stats from all traffic to/from the internet without collecting any local traffic (firewall to firewall) and without getting duplicate flows sent to our collector?
I was hoping to just put "ip flow ingress" and "ip flow egress" on the ISP facing L3 ports but that's not actually collecting outgoing flows (appears egress netflow may not be supported on the 6500). I added "ip flow ingress" to the VLAN interface but that didn't seem to fix it so I also addes the global command "ip flow ingress layer2-switched vlan 50". However after a small change to the layer2 LAN some (but not all) of our clients saw a near doubling of bandwidth (according to netflow). We compared the netflow stats to the server port usage stats for one client and it looks like we were under reporting before the change and appear to be over-reporting now. I'm thinking the overage is either because we're counting MLS traffic flowing between subnets on the layer-2 LAN but can't verify. With GLBP moving the default gateway and MSTP blocking at least one uplink from a mid-span switch to a 6500, traffic flows can be difficult to predict. Especially when you don't know exactly when a flow gets accounted. For instance, if a packet comes into one 6500 becase that's the only layer-2 path to the gateway BUT the gateway is currently on the other 6500, does the first 6500 count that flow or does the second one count it or will both? etc etc.
View 1 Replies
ADVERTISEMENT
Mar 6, 2007
In the LAN network 4507R as core switch configured with several vlans.One vlan connects to the dual homed routers which in turn connecting to the single isp. I need to configure the HSRP for the internal vlans and the same time to use the load balancing or failover using the dual homed routers to the isp.
View 7 Replies
View Related
May 3, 2012
My company has a single 2811 WAN router with dual uplilnks to different ISPs right now. Recently we have had a major hardware failure issue that resulted in network outage. My manager reconsidered my recommendation of dual WAN routers but told me we had limited budget so could only afford one new router.
So now we are looking at solution of 2811 + 2911 with same license level. We don't have any special feature, just basic routing, basic BGP and static routes. I need to know what the implication of having different WAN router model is.
View 6 Replies
View Related
Mar 13, 2012
Any major difrrence between Netflow v/s Netflow-Lite?
I am trying to understand if Cisco 4948E can do the same job as Cisco 4500E or not and difference between Netflow v/s Netflow-Lite will work for me to select correct product.
View 2 Replies
View Related
Jan 30, 2011
I have DS3's to two different providers. Each is hosted on its own 7206. The 7206's are connected to each other and both connections to the internet route traffic in and out just fine. Failover between the two is working as well. The issue I have is that one DS3 is used more than the other because it has the best route to most of our remote offices. I wanted to see if theres a way to make one of my routers posess a more attractive route to a given subnet. Of course, in the event of a router or provider failure, I would want the other router to start routing the traffic for that office.
View 1 Replies
View Related
Nov 25, 2012
What is the best hosting for vpn. I'm thinking bluehost, but is there anything better/cheaper. I prioritize the features: reliable, features (ftp, ssh, phpbb, perforce, etc.)
View 1 Replies
View Related
Jan 9, 2012
I am running a smaller hosting company and i am currently looking at a Cat6506 switch with a SUP720 Supervisor Engine. I have also been looking at a Cat6509 with a SUP2-GE Supervisor Engine. At the moment i am getting my connection from a ISP but i am going to get my own BGP AS now.. My question is just, how much will the SUP720 be able to route, and how many routes will i need to get it to route my packets in and out of my AS? I have seen that the full BGP table is over 400,000 and the SUP720 is only capable of 256,000, but do i really need the full table? I
major differences between the SUP720 and SUP2-GE Supervisor Engines?
View 7 Replies
View Related
Mar 29, 2011
You are appointed as a system administrator for a large company which has its own computer intranet hosting 150 workstations and around the same number of users. Write few points explaining the roles you would expect to take on as part of your new employment in terms.
View 2 Replies
View Related
Feb 21, 2011
Is it possible for Windows 7 to host multiple domains? I have seen that it is available for plenty of other OSs and I am sure that it is. I just wanted to make sure.
View 2 Replies
View Related
Feb 28, 2012
I am playing Hidden Stroke online and i can join games but i cant host, when i create a game my IPV4 address shows up instead of my IP address which means no one can see the game. I am a guest PC on my home Wifi.PS i have already opened all the ports that the game requires to play.
View 5 Replies
View Related
Mar 23, 2011
On Windows XP, my integrated NIC stops working after hosting a server. The server starts fine, ports are forwarded, firewall is down, modem is fine, but when I receive a connection, it shows they have made a connection, but then they drop, as do I. I can't browse or ping anywhere. I have to physically disconnect, then reconnect the ethernet cable to the port, or restart the computer. Upon ipconfig, the adapter is set with the Windows default ip (169.x.x.x) and cannot be /release'd or /renew'd.
View 10 Replies
View Related
Aug 23, 2011
So 3 days from now im getting comcast cable....12 mbps download and 3mbps upload (something like that)I want to know if I can host servers in online games such as... modern warfare 2 and black ops...pretty much any popular first person shooter. I noticed that every game I play I am not host and I am lagging...my current connection is 2.5 MBPS download and 0.4 MBPS upload.
View 9 Replies
View Related
Aug 7, 2011
how much RAM is requied on server hosting CiscoWorks. Our CiscoWorks is running like snail. We have 3200 logical devices configured on it. Specially browing different pages of CiscoWorks is very very slow.
how big hard drive will be enough for CiscoWorks with below applications installaed and configured with 3200 devices.. Currently we have 65GB Harddrive and its 85% full.
Server Platform: Windows 2003 server 32-bit
Server RAM: 4GB
Hard Drive: 63GB-CiscoWorks is installed on this Harddrive.
Another Partition of Harddrive is 130GB and its 100% free.
LMS: 3.2.1
RME: 4.3.1
CM:5.2.1
View 2 Replies
View Related
Apr 30, 2013
I recently signed up with AT&T U-Verse. They required that I buy a 2Wire 3600 HGV router. I looked up how to forward ports -- and even called an AT&T representative -- and I am sure that I forwarded them correctly. I'm trying to host a Minecraft Server. I forwarded port 25565 in TCP and in UDP. After that wouldn't work, the AT&T representative said that the traffic was being blocked from my side. I then checked my Windows Firewall and allowed all proper applications -- Minecraft and Minecraft Server. When that wouldn't work, I went in an manually added exceptions to Windows Firewall for TCP - 25565 and UDP - 25565 Inbound and the same for Outbound. Nothing.I have tried to check the ports in DMZ mode with Windows Firewall disabled -- they are still timing out. What should I do?
View 7 Replies
View Related
Dec 12, 2011
I am setting up a webserver to host our website on our local network. When I'm browsing from an external network, I can pull our website example.com and a sub domain test.example.com. However, when I'm browsing from our internal network, I cannot pull up test.example.com. I am not sure if this is due to propigation issues or what.When I do nslookup from external, it shows my network's main IP address. When I do it from local, it can't find an address and says non-existent domain.Should I have any problems connecting to my website if it is using my external IP address? Will this be a loopback problem? If so, how can I resolve this?
View 3 Replies
View Related
Jan 8, 2012
I had setup 2 servers at home. I'm now in need of hosting 4 websites. I have 4 static public ip's. I'm currently using a router with DD-WRT firmware installed. I have setup up as static NAT. X.X.X.27 to 192.168.0.100, X.X.X.28 to 192.168.0.101. This is my current setup for the existing 2 webservers which host a website each. I notice apache allows for multiple websites per server. One of the server's is a dell 2500 with 2 NIC's and will not be a problem assigning two ip's. The second server only has 1 NIC. Should I buy another NIC card for the second server or could I get by using a virtual NIC? The load on the servers isnt heavy. Only bout 20 clients connect to them daily.
View 8 Replies
View Related
Dec 24, 2011
a few days ago i had a router dlink 2740b and i made a dedicated server of call of duty4 where my friends and i played. yesterday i changed my router with another dlink 2740b f1 version (a new version of the same router): i make port forwarding for the cod4 server but the server doesn't go online....i see it only in local....but my friends and i don't see it in the internet server in the game menù...
View 1 Replies
View Related
Aug 19, 2011
I would like to setup multiple DMZs for our hosting servers. Currently there is a single DMZ in which our reverse proxy servers are connected using a public IP address. The idea is to have the reverse proxy forward the request from the Internet to the hosting servers in another DMZ. The purpose of the hosting DMZ is to protect it from the outside as well as from the inside. There will also be a development DMZ where we can test content prior to going live with the website.
Network: We currently have two Cisco 6509's (Core) with a FWSM in each running active/stanby configuration. There is a 10Gb Fiber connection between each Cisco switch to two Cisco 4948s (Top of Rack Switches). I can either setup OSPF or Trunking between the core and top of rack switches. The Cisco 4948s will support VLAN 7 (hosting DMZ 10.0.7.0/24) and VLAN 8 (development DMZ 10.0.8.0/24). Each webserver is connected to both Cisco 4948 for redundancy.
Question: If I have a single interface connecting both VLANs 7 and 8, either through Layer 2 or 3, then how can pass both DMZ traffic to the appropriate servers? The reason why the servers are in the same rack connected to the same two switches is that we are using Blade Servers and VMWare.
View 3 Replies
View Related
Feb 19, 2012
I would like to make a design with 4 Nexus 5596UP. 2 of them equipped with Layer 3 Expansion Module so they can serve as core layer and the other 2 Nexus used as Layer 2 for aggregation server layer.The 2 Nexus in the core layer will run HSRP and will peer with ISP via BGP for Internet connection The 2 Nexus in the aggregation layer will be configured as layer 2 device and have FEX and switches connected to them.What I am ensure of is how the vpc and port-channel configuration should look like between the 4 nexus. What I was thinking is to run vpc between the 2 Nexus in the aggregation layer and between the 2 Nexus in the core layer. Than I was thinking of connecting each Nexus in the aggragtion layer to both Nexus in the core layer using port-channel and vice-versa.
View 3 Replies
View Related
Dec 17, 2012
how to change our wireless setup. Currently, we have 2 Cisco AiroNet 1130 WAP's in the office that go directly into the 2 POE ports on our Cisco ASA 5500. These WAP's have 1 SSID and are using WEP for security. After demonstrating the flaws of WEP to my boss, he has agreed that we should use something more secure and I've suggested WPA. We want visitors to our office to be able to hop on our wireless but on a separate guest SSID with WEP.
I'd like the internal SSID to route to the ASA and take the default route to the internet (it will be our new fiber connection once it's installed in a couple weeks). The default route is whichever connection is working since our ASA 5500 will fail over when it detects an outage.
I'd like the guest SSID to route to the ASA and then go over our existing cable connection. This connection will be our backup once the fiber connection is installed. Since we won't be using it very often, but will be paying for it, I advised that we send all guest wireless traffic over this connection since 50/5 is plenty for guests.
The current SSID (which will be the internal SSID) has no VLAN. We do currently have a few VLANS on our network, one for voice (.42) and one for data (.100) and the default (.0). What device to I create the VLAN on (Cisco 5500?) and how to I setup the WAP? I need very basic instructions to start and I'm also trying to do this without causing downtime if possible.
I've attached a diagram of what it should look like. Red indicates our internal network and Blue indicates the guest network. I can send screenshots as well.
View 2 Replies
View Related
Mar 29, 2012
I wanted to ask a question about the diagram I have included. We are bringing up 2 MPLS WAN connections and would like some specifics on the best design. We are using BGP to the providers. From there we have big questions. We can run BGP internal and are licensed to do so on the N5K's. The N5Ks are currently using HSRP for inside LAN clients as default gateway. We want to load balance and provide redundant routes using a dynamic approach. Should we use BGP internal utilizing the connections between the routers? Should we use HSRP on the routers? How best to get the routes to the N5K and should we be considering this?
View 5 Replies
View Related
Feb 21, 2013
I run 2 RV042 V1 for home and office with Gateway to Gateway VPN connection with single WAN connection in use. Everything works like a charm!
I was even able to create VPN connection with 2 WAN connection on one Router and 1 WAN connection on another with Smart link failover and VPN Tunel Backup.
I got problem though when i tried more complex connection diagram. [URL]
So basically I now have 2 ISP connections on each point with Static IPs and I'd like VPN Connection to be alive for ALL 4 options automatically with failovers (smart links) And tunel backups but i'm not sure if that's ever possible with my equipment.
View 2 Replies
View Related
Jan 5, 2012
I want to create a network with a bunch of routers and switches to be used as a test network for company employees to remotely login and learn networking.I don't want this network to interfere with the rest of the network in any way.I am basically trying to create a stub network or a passive network!!
View 4 Replies
View Related
Jan 23, 2013
Currently I'm with a pure Cisco shop, running every LAN Switched infrastructure (even in the HQ datacenter) with PVST+, I'm noticing in the documentation I've read and labs I've created that RSTP is... great, and I've observed that even the uplinkfast functionality seems to be build in by just enabling rapid-pvst. Of course I'll propose a migration plan, document the network, diagram it entirely and provide effective steps to implement the change, but that's assumed from any get'go.
View 1 Replies
View Related
Mar 11, 2012
i am using L3MPLS VPN services from a provider.They are doing QOS, like my Voice, Data, ICMP. all traffic is classified in their network and take different paths.Now sometime when we face voice issues, simple ICMP ping , TCP ping, will not give me insight if there are any packet losses, since Voice packets are taking someother path with in MPLS cloud due to DSCP marking of Voice pack to 46.is there any tool in which i can change DSCP value of my packets and test out network response? or any monitoring tool that can do this by default?i am looking for freeware at the moment or trial
View 1 Replies
View Related
Nov 9, 2011
question 1. in the typical active directory environment and doing wireless/wired 802.1x authentication on endpoints, should ACS join as a domain computer?
question 2. for the endpoint (domain computer) join the domain, in this case is the endpoint will trust the ACS ( also domain computer) ?
question 3. what if there's a GPO policy to install the rootCA certificate toward the endpoints. In this case, ACS should issue the CSR and let the domain CA to signed as the identity certificate? Am i correct?
View 2 Replies
View Related
Feb 27, 2011
I am using the "File exist"-check in my Dynamic Access Policies to be sure that VPN-computers are corporate. I would like to place the file in each users %APPDATA%-directory, but it seem that the ASA cannot use variables when specifying the path? Is there a way to do this or do I have to use a absolute path in the check?I am running a ASA 5520 with sw 8.4(1).
View 1 Replies
View Related
Apr 2, 2011
Are the users' download speeds depend on the hosting company's owner's internet speed? Let say if I was running my own server with my internet speed 1mb and LAN 100mbps, are my clients' download speeds restricted to maximum 1mb of any content from my server?
View 3 Replies
View Related
Mar 4, 2013
Today, we have a server running SNA that connects to router via the following. Vitrual Server --> Nexus 1000v ---->Nexus 7010 ---->2800 series router.We are trying to move server to new environment where it is Virtual Server ----> Nexus 1000v ----- Fabric Interconnect-----Nexus 55xx-----Nexus 7010-----2800 router.
View 2 Replies
View Related
Nov 8, 2012
Here is what I am attempting to do.
1. I have a 1042N AP configured as a Workgroup-Bridge attaching to a Lightweight Access Point.
2. LWAPP AP is on a 5508 series Controller.
3. I have MAC Authentication configured through an Ciso ACS box running 5.2 code. And that portion is working.
4. I want to lock this WGB down even further with a second layer of security. I am thinking WPA2 -AES.
View 2 Replies
View Related
Oct 17, 2011
I am looking for a Cisco firewall to replace a Sonicwall NSA240 firewall in SME environment?
View 3 Replies
View Related
Apr 26, 2011
Need securing a wireless environment in a hotel? The SSID has to be broadcast of course but how can we protect guests from man in the middle attacks, etc.? Currently the environment is all AP1200s with no hardware upgrades in the near future. There is also a 2811 router in place but nothing else. We would love to be able to force users to authenticate with a password in order to get out to the Internet as well.
View 2 Replies
View Related
Mar 7, 2013
I was asked to mount ACESMs on each of the CAT6K switches of a VSS cluster (one ACESM on each individual switch).On a non-VSS environment, the "svclc module <slot> vlan-group <group>" command is used to bind the VLAN group to the module on a certain slot. But now I am facing a VSS scenario, I will need to combine switch and slot in order to reference each of the individual modules...
How do I "index" each of the ACESMs in a VSS cluster? ¿Is there an extension of the aforementioned command to be able to combine switch and slot information?
View 1 Replies
View Related
