Cisco Firewall :: 2811 Router For 100Mb WAN Link?
Nov 29, 2011
I'm looking into upgrading my WAN link to 100Mb via Fast Ethernet link. I'm waiting to hear from ISP about what exact technology they use, but according to my manager they will be coming in over fiber and then terminate to copper. I currently have 2811 in production with two T1 cards bundled together. 2811 has basic configuration with only 2 ACLs. I have ASA 5510 for NAT, Ipsec and other services. What router or networking device (layer 3 switch, such as 3560G perhaps??) should I use to accomodate 100Mb link? It seems that 2811 will not handle that kind of bandwith..In short the max recommended bandwidth limits for the 28xx series are as follows:
2801--2 Mbps
2811-4 Mbps
2821-8 Mbps
2851-12 Mbps
I don't want to create a bottleneck and am looking for appropiate solution to accomodate 100Mb link. Also, could ASA 5510 become a bottleneck in my scenario?According to Cisco docs ASA5510 can handle 300Mbps of firewall througput, but I'm not sure how it'd work in production...
View 1 Replies
ADVERTISEMENT
Feb 20, 2012
I want to know which router can be used on 100mb cable connectionThe router will be using the connection from cable modem on bridge mode/modem mode with eth to routerI kind of have a idea looking at performance ratings but ppl have mixed opinions when you enable NAT and ACLs etc etc285129013825.
View 5 Replies
View Related
Sep 30, 2011
if i plug a cisco 880 router in to a 100MB WAN Ethernet circuit what throughput will i get? on cisco site it says 25mb/sec but if it is Ethernet shouldn't it be done in hardware and get the full 100mb/sec?
I know that a 1841 plugged in to a 40MB WAN circuit can match that speed but Cisco site say it only can do E1 speed.
View 3 Replies
View Related
Aug 11, 2011
I am pretty new to the configuration of a DMZ and I have the task of setting one up.I have a Cisco 2811 Router running Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(24)T1, RELEASE SOFTWARE (fc3), 2 FE interfaces.One FE is connected to the WAN, with a loop back interface configured with the public IP for Internet access in the office.The other FE has 2 sub interfaces configured, one for data and the other for voice traffic.Users within the office are configured to use the data VLAN to access the internet through the WAN.
Now we are setting up some new services and we require to have DMZs setup.I want to setup 3 zones now that the different servers would reside in. How can i achieve this using the existing infrastructure I have?I have an idea to create more subinterfaces and assign them to the zones, but I am still not sure how this would play out. I have been on this for the whole day and unable to make significant progress.
View 5 Replies
View Related
Nov 28, 2011
I am assuming, that the slowest component on a network determines the connect speed? I am having a small network with 4 pcs and 2 of them show 1GB connect speed while the other 2 show 100MB. What would cause 2 units to run at the 100MB speed on a Gigabyte-Switch and Router?
View 3 Replies
View Related
Aug 16, 2011
you have a Cable Modem and are paying for 30MB/sec download or better service, but the network connection on the cable modem is only 10/100; all very common today.Your network connection is showing it's connected at 100 (computer - router - cable modem)....now on the technical side, remember that a 100 MB network connection can only transfer data at a maximum rate of 12.5 MB/sec (not something the normal home user knows or even thinks about).So here's the question; why would you pay for 30MB/sec download speeds when the cable modem itself can only transfer (in theory) 12.5MB/sec to you over the network?
View 3 Replies
View Related
Nov 27, 2011
I have three ESW-540-24 10/100/1000 Switches in a small school environment
1. ESW performs as a server switch for out small cluster of VMWare ESXi Hosts and iSCSI SAN with a link-aggregation/lacp/etherchannel connection to the backbone switch, and a Link-Aggregated Connection to the thrid ESW switch via a multimode optic fibre link to a near-site backup and DR location
2. The second ESW acting as network backbone links back to the server switch and our older LinksysSRW224G4 (four SRW224G4s) switches using Aggregated Links / LACP to reduce bandwidth contention and allow for link redundancy
3. The third ESW as mentioned previously is at the backup DR location linked back to Switch 1
When using Single 1GB links between these three switches I can almost saturate the 1GB link (80-95% utilisation) as soon as link aggregation is configured by bonding 2x 1GB links together to form an etherchannel link utilisation will not exceed 100MB (network monitor graph on a server/ workstation runs flat at 10% utilisation) I have tested this multiple times useing large file transfers accross our SANs (which have high enough throughput to saturate links) and can confirm that performance degradation occurs as soon as an etherchannel is configured on the same ports (regardless of manually setting admin speed and duplex of copper ports etc) all indicators specify that ports are running at 1GB even though throughput REDUCES by 90%.
We are not running the latest firmware yet (2.0.3), however I have read the release notes for newer versions (2.1.16 and 2.1.19) and there is no indication of a fix for etherchannel/lacp performance issues.
View 5 Replies
View Related
Mar 9, 2012
I'm having an issue with my Cisco 2811. The Internal FastEthernet0/1 interface is showing Link up but Protocol down. I have tried various combinations with the speed and duplex on the port and having no luck.The port connects to our Fortigate 110c router.
View 5 Replies
View Related
Mar 2, 2012
i have 2 routers 2811 interconnected together ,1 of these router running in circuit with 2 Mbps over Internet the 2nd one use MPLS Circuit with a bandwidth of 4Mbps,how configure the routing to route over the MPLS while IPSec act as standby
View 1 Replies
View Related
Nov 6, 2012
So I recently got a new computer today and it won't let me use my 100mbps of internet bandwidth. (Asus Sabertooth Z77 with an Intel 82579v gigabit lan controller) I noticed that at the LAN connection properties>Properties>Configure>Link Speed tab the 'Speed and Duplex' option was on Auto Negotiation and it was only accepting (or supporting) the 10mbps Full Duplex. When I switched it to 100mbps Full Duplex it would mark my connection icon with a red cross and when I clicked diagnose it said "Please connect your ethernet cable or your cable might be broken". So I tested my internet speed with that same cable on a different computer (laptop) and it worked with 40Mbps, so I don't think the cable is broken. Also I just recently downloaded some drivers but one was specifically for the Intel LAN controller but I'm a total noob for all of this computer stuff I don't know if it messed it up or something. Is it the motherboard that's not working correctly?
View 3 Replies
View Related
Aug 14, 2012
Is there a big difference in operating AP's when they are uplinked at 100mb vs 1000mb? We have 2 "main" offices that have AP's that are all connected to our access switches at 100mb. Recently with the addition of mobile devices, phones, etc we are seeing some issues. Today, we had a meeting room that had 20+ people connected to one AP and they started seeing issues of people getting disconncted or unable to connect.Just wondering if the uplink could have anything to do with this, or if we are just over subscribing the APs?
View 5 Replies
View Related
Jun 4, 2012
I have a Cisco WRVS4400N on the latest firmware and I have just had my Virgin internet connection upgraded to the 100Mb. Once i thought it was upgraded i checked with a broadband speed test and it came back as 15Mb download and 5Mb upload. Before i rang Virgin i thought i'd check with a direct connection from my pc straight to the modem. Ran the speed test and it came back as 100Mb download and 5Mb upload. I thought the best thing to do is restore my settings back to factory and its still the same.
View 7 Replies
View Related
Jun 4, 2013
I'm trying to configure and etherchannel between 2 switches. A 3750 and a 3750G, but the port channel is down: 3750. [code]
View 2 Replies
View Related
Feb 24, 2013
Am trying to joing a Joining SF 300-48P 10/100mb Switch to a SRW2038 Gigabit Switch,
I purchased a "Cisco SFP+ Copper Twinax Cable - Twinaxial cable - SFP+ - SFP+ - 1 m" but I am uable to get connection
View 1 Replies
View Related
Sep 4, 2012
I have a c3560 switch that has two gig fiber modules in it. I need to uplink fiber to one of these at 100mb. This is because this port will be rate limited to 20mb and 10 percent is the lowest you can go with the rate limiting command. Is there a 100mb fiber module i can insert in the 3560
View 1 Replies
View Related
Nov 1, 2011
does cisco 2811 support?if no, can i make it work for BGP?also, i want to know the configuration of bGP for twoo ISPs for link failover.it will be google if u tell me step by step approach for configuring it
View 1 Replies
View Related
Jun 3, 2013
I have a module of HWIC-4ESW installed into Cisco 2811 router where 3 WAN link is terminited. Suddently WAN links stopped working from last night. I have performed shutdown and no shutdown in the interface but still the the WAN link was not working. After performing a reboot the WAN link started working. No error logs were generated while the WAN link was down.
View 4 Replies
View Related
Aug 7, 2011
I have 2811 Cisco ISR and two ISP links - one is 8 Mbps and the second is 4 Mbps. The question is - is it possible to aggregate link speed up to 12 Mbps?
View 4 Replies
View Related
Apr 18, 2012
I try to implement the url filtering feature on a cisco 2811 router and whenever i enable the parameter map patterns the router retuns (after some time)
%Unable to compile obj regex.[code] The result is that the router blocks ALL webpages without giving a block page message.
View 2 Replies
View Related
May 26, 2012
I have a 2811 ISR configured to provide the following services to my network:
Internet access to LAN users Cisco Call Manager ExpressSite-to-stie VPN to 3rd party networksVPN server to provide VPN access to remote usersSecurity Zone configurationsStatic NAT configurations Now I recently just got the ASA5510 device and I am not sure how to go about with the setup, whether to put the ASA in between the internet and the ISR (Internet - ASA - ISR - LAN), or put the ISR in between the internet and the ASA (Internet - ISR - ASA - LAN)?
While i know I can move most of the config unto the ASA, i know that the CME cannot be moved, hence I would like to do the setup such that users on the network still have access to CME.
View 5 Replies
View Related
Jul 31, 2011
4402's been running quite happily until recently. I have 11 wlan's configured, but only 5 are enabled at this moment in time.
There are 26ap's connected to the 4402, a mixture of 1130's and 1142's. The memory error in the subject is popping up quite frequently.
No reference I can find on this forum or other Cisco.com.
*osapiReaper: Aug 01 14:35:07.004: %OSAPI-1-MEM_LEAK_LOW_ALARM: osapi_task.c:5105 Free System Memory went below 100MB
*osapiReaper: Aug 01 14:34:56.996: %OSAPI-1-MEM_LEAK_LOW_ALARM: osapi_task.c:5105 Free System Memory went below 100MB
*osapiReaper: Aug 01 14:34:46.988: %OSAPI-1-MEM_LEAK_LOW_ALARM: osapi_task.c:5105 Free System Memory(code)
View 2 Replies
View Related
May 17, 2011
I have attached a drawing of our network. We have two 6509's connected to two Cisco 2811 (onsite) that the ISP owns. I am trying to get one side up and running before I worry about redundancy and so forth. For this reason I have set all the HSRP priorities to 110 on the left 6509. I have HSRP running between the ISP routers and V LAN 101 of the 6509's. This works as I can ping yahoo and Google just fine from the 6509 switch. I can't get from my laptop connected to V LAN 23 to the internet.
It doesn't even attempt to NAT as there are no translations. I have public address assigned by my ISP configured between the ISP routers and my 6509 on V LAN 101. I then have the public address assigned to V LAN 100. I configured V LAN 100 on the switch and V LAN 100 on the FWSM with the IP address in the drawing. I have my NAT statements and route in my FWSM according to the drawing as well. On the switch, I have a default route to X.X.12.19 which is the VIP between the ISP routers. I can reach anything on the inside of my network, including the old network addresses from V LAN 23.
1. Is it best to do NAT at the FWSM or should I do it on the MSFC connected to the ISP routers?
2. If I have to configure NAT at the FWSM, does this requires me to extend the public network down to the FWSM?
3. I'll take any examples you may have as I am stuck.
View 2 Replies
View Related
Jul 31, 2012
I'm trying to run ZBFW on a 2811 with IOS version 15.3(T4) and I'm running into a strange issue I'm not quite sure how to troubleshoot.
I have 3 zones, internet, local, and ssl-vpn.The rules I'm trying to enforce are: all traffic from SSL-VPN can go to anywhere, anywhere can go to SSL-VPN. Anything originating from local can go out. Certain ports can come in for DMZ services (http, https, imap/s, pop3/s, submission).
After rebooting the router and applying f0/0 and tun0 to internet, f0/1 to local, and virtual-template 1 to ssl-vpn things work fine. But after a while I stop being able to connect to servers at the high end of the subnet. (I have .20 to .26 configured with the services, .20, .21 work fine always, .22 and up stop responding). Remove interfaces from the ZBFW, no problem at all. Apply ZBFW, traffic stops.
I'm seeing dropped sessions in the log on zone-pair local-to-internet , invalid flags with ip ident 0 which I think is outbound traffic attempted for no inbound inspect entry, but everything should be allowed out, and the traffic is to port 80 which is allowed by 'match protocol http' on the inbound policy.
Edited config attached (remove passwords and stuff) Last few log lines are at the bottom.
View 3 Replies
View Related
Jan 19, 2011
My ADSL light switches off randomly during downloading a 100mb file. I just cannot complete the download. This has been happening ever since I switched my router to a wireless iBall Baton 150M.
View 9 Replies
View Related
Nov 2, 2011
I'm generally pretty good with VPN issues and with SSL certs, but this is my first rodeo with VPN and certificates together. I've got a Cisco 2811 router running IOS Firewall (12.4(25)) and for a while now, I've had VPN clients connecting using PSK's and XAUTH. In order to tighten security, we'd like to move away from PSK's with Aggressive Mode and use certificates with Main Mode.I've been trying to use the Cisco 2811 as the CA, rather than use a Microsoft server or third-party provider. I think I'm pretty close to getting this to work, but something isn't quite right. My VPN client software does connect to the 2811, and I get prompted for the XAUTH creds. If I supply the right creds, I do see in my VPN log window that I've gotten assigned an IP address from the inside VPN pool, my split tunneling rules come through, but the VPN disconnects almost immediately and I never get a chance to try any pings or to send any other types of traffic. [code]
I have attached a sterilized copy of the 2811's current config (2811_sterile.txt), a copy of the 2811's debug output when the VPN client tries to connect (vpn_client_connect_sterile.txt), and a copy of the VPN client's log with IKE on High and Certificates on High (vpn_log_sterile.txt).FWIW, the 2811 is NOT behind NAT, but my VPN client IS behind NAT. However, I have tried using a direct connection with the VPN client and it didn't seem to change much so I'm not convinced this is a NAT issue.Again, I've never used a Cisco router as a CA and I've been battling this problem for several hours now so the 2811's config may have a lot of unneccessary lines in it at this point.
View 1 Replies
View Related
May 31, 2013
Attached is our network diagram showing the details of our remote office and the corporate side which are connected via private fiber. The workstation (10.10.102.84) can ping the 10.20.0.31 IP address of the PBX but not the .30 address and I know if we can’t ping it we can’t remotely manage it. The 2811 router, ASA 5510 and the 6509-E can ping both IP addresses on the PBX. The ASA logs the error "Denied ICMP type=0, from laddr 10.20.0.30 on interface inside to 10.10.102.84: no matching session" when the workstation pings the .30 address.
We changed the default gateway of the PBX from 10.20.0.2 to 10.20.0.1 (2811 router) and we were able to ping both IP addresses from the workstation but the SIP trunks from the Internet stopped working (they NAT to the .30 address). Because calls may be forwarded from the PBX to the corporate network (via IP phones) we will eventually need to change the default gateway to10.20.0.1 and still need the Internet SIP trunks.
My two questions are, how do we resolve the issue of pinging the .30 address from the workstation and then when the time comes how do we resolve the issue with the SIP traffic reaching the .30 address when we change the default GW of the PBX to the 10.20.0.1 address of the 2811 router.
View 9 Replies
View Related
Sep 20, 2011
I came across this site. I wanted to produce a better incoming ACL at home and work to prevent known bad sites
Here is their list of the Top 10 Global Spammers is out. The biggest surprise on the list is Korea, as it takes over the number one global spammer spot from China. With the improved high speed internet infrastructure in Korea and ease of network access, who knew Korea would be on the rise.
Here is the complete Global Spanner Top Ten List for the first quarter
[URL]
Korea
China
India
Russia
Turkey
Viet Nam
Ukraine
Brazil
Venezuela
Pakistan
When I sort the list, it is over 16k lines of ACL!
My question relates to what performance limits I would find.
Can I actually put that many lines in an ACL?
Will the router choke and do any other work
I have attached the sorted ACL list for you to review
Any of the following router lines will accept a list that large and still run acceptably?
2811
2911
3925
2945
View 1 Replies
View Related
Jan 7, 2012
I have a Cisco 2811 running Advance Enterprise v 15.1-2. I've just configured it using ccp for internet access (on 2 lines) and a firewall. The configuration is pretty much all default and I used the ccp wizard to create a 'medium-secure' firewall. I have 2 blocks of public IP addresses for my internal network and for the DMZ. The 2800 is configured as follows:
- 2 x default routes. one to each dialer.
- 6 zone pairs as follows:
- ccp-zp-self-out (seems to mostly work... I can ping any IP address from a console but not a hostname)
- ccp-zp-in-out (works fine, both interfaces seem to be in use)
- ccp-zp-in-dmz
- which by default set to ccp-permit-dmzservice
- which inspects ccp-dmz-traffic
- which matches group dmz_traffic and has a class map dmz-traffic
- cnc-zp-dmz-out which is set to ccp-inspect. (my own zone pair to allow systems in the DMZ zone to see the internet. This works fine.)
- ccp-zp-out-dmz (works fine. I can see my web server from any system outside my own network)
- ccp-zp-out-self (which, I guess allows anything permitted to get to the 2811)
Internet works from within the DMZ and in-zone. The outside can access my dmz servers. The inside can access most things on the outside using the firewall rules.
1) Although I have the zones set up to allow the same access from in->dmz as I do from out->dmz and out->dmz seems to work, I cannot seem to access anything in the dmz from the inside.
2) When setting up the firewall I ticked the box for 'allow PPTP clients to make connections from the inside' (or something like that). I cannot seem to make a PPTP connection from my workstation.
I have scoured the internet for guides, looked through these forums & the cisco configuration guides and experimented all day but still cannot figure this out.Do I need a special route between the inside and dmz? I have seem references to static routes on ASA firewalls but the command 'static (inside,dmz)...' does not work on a 2800 series router.
View 7 Replies
View Related
Jul 8, 2012
Our network administrator restricts all our new 1Gb switches to only 100Mb, to which he claims it will increase overall performance. Preventing devices from bottlenecking the network. (that is, only restricting the main switch ports, not the uplinks)For example we have a new building with 2x WS-C2960S-48TS-L connected together with FlexJack and then a 1Gb Fiber connection back to our core switch.
This building is on it's own subnet and there is little broadcast traffic. I don't see the point other than it hinders the potential speed we could use. Labs are set up in this building and 1Gb is MUCH faster when it comes to imaging and software deployment.
View 8 Replies
View Related
Mar 8, 2013
I have a Cisco 2811 router and i want to experiment on the IOS firewall.The thing is, none of the commands that are proposed in online guides - like ip inspect, ip audit, etc. - seem to be working. I just get "unrecognized command" on a router that is supposed to support such features. I'm wondering if it has something to do with the IOS image.
My show version output is this:
Cisco IOS Software, 2800 Software (C2800NM-SPSERVICESK9-M), Version 12.3(11)T9, RELEASE SOFTWARE (fc3)
Technical Support: [URL]
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Tue 13-Dec-05 08:24 by ccai
[code]....
View 5 Replies
View Related
May 6, 2011
I can't find any specific information on the implementation of packet inspection in a zone based policy firewall. In other words, is there a specification or even just a set of values that define the default inspection parameters for all protocols? With DPI I can manage 'some' of the inspection capabilities but I have some fairly rigorous and specific requirements to meet and I need to validate that the IOS ZBFW will meet those requirements. Specifically, I'm interested in HTTP, DNS, and ICMP but all other protocols would be useful as well.I'm working with basic routers; 871's, 2811's, 1841's, etc. The IOS in use in most cases is adventerprisek9-mz.151-3.T.
View 4 Replies
View Related
Feb 3, 2011
I have a Cisco 3725 running IOS 12.3. I have three WAN connections (2 x 100Mb and 1 x 2Mb serial) and I need to replace the 2Mb serial connection with a further 100Mb connection. However, I have not got any spare 100Mb sockets.My plan is to use a switch that supports VLANs, connect the three WAN connections to the switch, each in their own VLAN, then connect the switch to one port on the router, configuring the switch port as a trunk (so that it passes all three VLANs across the link) and configuring the router so that for that single Ethernet interface, it has three subinterfaces each configured for a VLAN that matches the VLAN used for the corresponding WAN connection.
I am a bit rusty on my IOS so I wanted to run this all past the community for feedback. [code] Any thoughts on whether or not that will work? Are there any commands from the original interface configurations that I CANNOT use when moving them to a subinterface? I'm thinking that the speed & duplex commands need to be removed?
View 4 Replies
View Related
Nov 8, 2011
I want to configure BGP but i am finding it very difficult to know BGP as I am new to this concept.
What is theoretical and practical approach to configure bgp??
I have to configure my office router 2811 for two ISPs which will be acting as fail-over.
I have to start it from scratch.
View 5 Replies
View Related
