Cisco Firewall :: Possible Limitation Of ASA 5505 DSCP Markings
Aug 19, 2012
following about a limitation on the ASA5505. I have a client that has a number of branch offices on a Gen-I OneOffice network. For complex and political reasons, we can’t trust all nodes on that OneOffice network. We need to put a firewall at each branch office between their local network and the OneOffice router.
To avoid having to either readdress the OneOffice routers (politically difficult) or readdress each branch office (logistically difficult) we’ve suggested using a transparent mode ASA5505 firewall between each site's OneOffice router LAN switch.
Recently I’ve discovered the client is deploying Avaya VOIP phones into the offices using QOS/DSCP over the OneOffice network from Avaya units in some offices. I figured I’d need to trust DSCP on the way through the ASA and went about looking at how to achieve that.
I found the following document relating to configuring QOS on the ASA: url...
This suggests in the DSCP and Diffserv Preservation section that “DSCP markings are preserved on all traffic passing through the ASA.” However, in the Guidelines and Limitations section it suggests QOS isn’t supported in transparent mode. I’m a bit worried that the DSCP markings won’t pass through the ASA5505 in transparent mode.
Apr 3, 2013
How the dscp-cos or cos-dscp mapping takes place in c892 router? There is no command like "sh mls qos maps" in c892 like we have in c2951 or c3925.
Apr 25, 2012
I have a requirement to preserve markings end to end across a network utilising 3750X switches. I am marking the packets without a problem, but due to the rewriting function the marking is being overwritten by the COS-->DSCP maps. To simplify the scenario I have set up a test environment (see Diagram) and am using ICMP as a simple test. Both 3750s have 12.2(35)SE5.
3750-1
mls qos
mls qos rewrite ip dscp
ip access-list extended ICMP
permit icmp any any
Class-map ICMP
match access-group name ICMP
[code]....
I have used wireshark to verify that the packets are being marked; with 'mls qos rewrite ip dscp' they are, without it rewriting does not occur. Moving my sniffer to the 3750-2 I am monitoring the Layer3 connection (marking preserved), however on the layer 2 trunk the marking has been reset to 0. If I remove the 'mls qos rewrite ip dscp' from 3750-2 then I see the marking on the layer 2 trunk, however I am then unable to remark anything generated on this switch. I believe with the 'mls qos rewrite ip dscp' enabled the L3 to L2 transition removes the IP DSCP, sets the COS to 0 and then the COS to DSCP mapping ensures the DSCP is set back to 0. I have tried implementing additional marking policies on 3750-2 but to no avail. What I need is to ensure that a frame / packet marked in 3750-1 can keep its marking to the end system over layer 3 and a layer 2 trunk. The only place I want the marking to be stripped off is when the dot1q tag is removed as it goes through an access port.
Sep 12, 2011
I'm testing QoS with a 3750-X
I want to mark traffic in the 192.168.126.0/24 subnet with DSCP EF.
I've entered this command :
mls qos
class-map match-any class_126
match access-group 2
policy-map mark_dscp_126
[Code]....
Aug 6, 2011
Does the limitation on ASR 1000 series RP1 with regard to maximum number of match statements per class-map apply? I have more than 30 match statements under my class-maps but when I apply the service policy on the interface, I get the error "cannot configure more than 16 matching statements per class-map for the interface”. I am running 3.1.0 S on an RP1. Is it a hardware limitation just like the older Cisco 10Ks?
Jun 27, 2011
Due to lack of address space, I have to go to NAT for our wireless guest users. Are there any limitations with WLC/NGS when it comes to NAT? I have four 5500 WLCs, should I put them in 1 mobility group, at 2 different locations?
Dec 3, 2011
I am wondering what is the TOS value equivalent to DSCP value AF31? I have tried to use the charts but I couldn’t understand how to convert it.
May 17, 2011
1) Which DSCP marking to use for EX90s (HD video)?
2) As a test we are planning to deploy EX90 at a few locations. At location 1 we will do DSCP EF marking while at the other location we will do DSCP AF41 for video. Assume LOC1 calls LOC2: so, when video traffic from LOC1 arrives at LOC2 will it be marked as EF? And when traffic from LOC2 arrives at LOC1 then will the traffic be marked as AF41? If yes, then will there be any issue sometimes in case we run out of bandwidth for EF?
Nov 28, 2012
I ran into an interesting issue on Sup-2T. As you probably know, QoS CLI is changed on this new supervisor. I'm looking to translate incoming dscp-marked packets into exp-marked on egress. Now, according to documentation - Catalyst 6500 Release 15.0SY Software Configuration Guide - this functionality is still called mutation-map and is configured under 'platform qos map exp-mutation'. The problem is quite simple – there is no 'platform qos map exp-mutation' on 2 different machines I checked upon. Here:
Some-6513(config)#platform qos ?
  10g-only            qos pure 10G mode
  aggregate-policer   Named aggregate policer
  marking             marking keyword
  police              police keyword
  protocol            protocol keyword
  queueing-only       queueing-only (no QoS rewrite, no policing)
  rewrite             packet qos rewrite enable/disable
  statistics-export   qos statistics data export
Jul 26, 2012
I work in a manufacturing firm where we have offices at 3 different places, say A, B and C. Our ERP server is at our original unit A, from where we accessed it at B and C through a remote desktop application till now. But now we have hired cloud services to connect to our main ERP server. We are in the process of installing the cloud application on our server at B, during which we are encountering a problem. The cloud service provider is asking for the domain name and password for the DSCP server based at the original unit (A), which no one in the company seems to have any idea about. Our IT guy at A has resigned and has not been replaced. Our IT guy at B is inexperienced and is just following the instructions of the service provider, who is stuck at the DSCP domain name and ID. How can I find out the domain name and password of the DSCP server so that the process moves on?
Oct 7, 2011
My company's spent the last few weeks struggling with an issue with their VPN backups where select packets were being lost.
Aug 18, 2009
According to product bulletin no 3209 for the Cisco 4400 series, the Access Point supports 802.11e WMM.
My question goes to DSCP mapping. According to IEEE and your bulletin the DSCP field in the IP header should be set to 46 (10110 00) for mapping to an 802.11 QoS voice priority 6/7. But my Wireshark trace revealed the 4400N is mapping toward 802.11 QoS set to Priority 5 Video.
If I google DSCP mapping toward 802.11 QoS, all IEEE documentation I found says EF /Voice should have 46 or 101xxx in the DSCP IP field, but running through Cisco and HP docs gives 46 or 48 as the value; which is the correct value? [code]
Jun 14, 2012
I am running 1.1.24 and SPA303 phones. I have a QoS policy set up to mark all packets.
The following is my QoS
information 192.168.1.15/24
marking enabled
cos/DSCP DSCP
Value 0xb8
On my upstream device I only allow traffic that is marked with this DSCP value. No traffic is coming through. RTP traffic is marked because it comes off the phone marked, but I would expect the QoS policy to mark everything going to that IP space.
Aug 2, 2012
I have a 1262 that will be setup as a WGB and wirelessly connect to a Cisco MESH AP. A switch and clients will hang off of the 1262 WGB. How many clients can a 1262 WGB support?
Aug 10, 2011
I have a few questions about MAC address limitation. We have in our network a Cisco RV042 router, SLM2048 switch and WAP4410N AP.
My 1st question: is it possible to disable the internet connection for a specific MAC address based on scheduling?
For example: between 23:00 - 5:00 this MAC address will not connect to the internet.
If yes, how could I do that?
My 2nd question: is it possible that if this "MAC address" is connected for 5 hours, then disconnect it for 6 hours?
Apr 17, 2011
I have a NMWLC6 module connected to a 3825 ISR using 1140N APs. Latest (but one) code. I had two SSIDs configured and deployed in the default AP group. Last week I needed to deploy a third SSID for unencrypted webauth, I created the interface and WLAN associated with the interface and the sub interface/svi on the WLAN-controller 0/1 with dot1q. All created with no problem and enabled, however the SSID was not available to clients and did not show up as available WLANs under AP groups menu. Out of desperation I created a new AP group and added an AP to it and hey presto all three WLANs were available and the third is now visible to clients! Is this normal behaviour? Is the default AP group limited to two SSIDs? (a quick google failed to find any documented limitation!) or is something weird going on?
Mar 6, 2011
We have a deployment of 400 stores. Each of those has 2 GRE tunnels running over MPLS & 2 GRE tunnels running over the Internet leading to our 2 data-centers. At each data-center, we have 1 ASR-1002 terminating both the MPLS & Internet GRE tunnels (800 total per router).
I saw in the documentation that OER & PfR cannot support more than 20 external interfaces (in our case GRE tunnels) per MC. Does it mean that we need to have 20 routers acting as MC to be able to use PfR for our Internet GRE tunnels?
Is there any more scalable solution for this? How do big companies address this issue when they have a lot of interfaces to run PfR on?
Jul 7, 2011
I have LMS3.2 running and have set up daily log rotation of my SYSLOG file via Common Services-Server-Admin-Log Rotation. In LMS2.6 I set this up from the command line and was able to set the number of rotations to 120. I found in LMS3.2 setting up the rotation via the GUI that the number of rotations is limited to 90.
Sep 14, 2011
I have
MLS : C6509-E
SUP : VS-S720-10G
PFC : VS-F6K-PFC3CXL
I'm trying to find out what is its limitation for encrypted traffic via SVTI there .
I don't have a SPA for the ip sec .
May 15, 2013
I am getting a very strange problem where 4500 switch is remarking the packet with dscp 1 to 0.
Let me explain the setup. I have two PCs connected on the same switch but on different modules. PC1 is connected to Gi4/19 and PC2 is connected to
Gi2/43. Both ports have been configured to trust the DSCP. Below is the configuration:
interface GigabitEthernet4/19
switchport access vlan 6
switchport mode access
[Code].....
May 29, 2013
The Cisco 3560 uses a relatively simple classification scheme, assuming you consider only what happens when the forwarding decision has been made. These switches make most internal QoS decisions based on an internal DSCP setting. The internal DSCP is determined when the frame is forwarded. What internal DSCP setting means?
Feb 20, 2011
My new small router 866vae crashes and makes cold reboots every 20-30 minutes. I updated IOS, but it didn't work. The logs show texts like this:
Possible software fault. Upon recurrence, crashinfo, "show tech" and contact Cisco Technical Support.
http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat inside source list 101 interface Dialer0 overload
!
dialer-list 1 protocol ip permit
mac-address-table aging-time 15
no cdp run
!
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit tcp any any
access-list 111 permit udp any any
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any unreachable
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit gre any any
!
control-plane
!
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet
!
scheduler allocate 60000 1000
!
end
Jul 21, 2012
I did on a Cisco 2960S switch at the user ingress interface, but the marking is not showing in show policy-map interface gig 1/0/10 and the ACL is not showing any matches.
I also had a config reference from 2960S cisco guide.
access-list 103 permit tcp any any eq 80
access-list 104 permit tcp any any eq 23
access-list 105 permit icmp host 172.24.68.4 any
class-map IN_HTTP
match access-group 103
class-map IN_TELNET
match access-group 104(code)
Jan 26, 2012
Looking to link up to 6513 chassis via 6704 10 gig cards.
I have a 6513 on the 8th floor and one on the 3rd floor in same building. Distance would be approx 150' max. New 10 gig cabling was installed between these floors.
I would like to use 2 10 gig ints on each 6704 to form a port channel (LACP) between the 2 environments.
So far I have been unable to get the links up between 6704's.
May 6, 2012
Customer wants to place a single 1552E to cover a particular area in his campus, and it will be placed on a tower, and the question is concerning the height. I can not find any particular height limitation such as 5 meters, 10 meters, etc. I understand this will influence the signal propagation as well as throughput to the users, but can not find a matrix or a best practice guide for that.
Jun 26, 2012
I want to use a subnet mask of 255.255.254.0. The setup window doesn't allow me to type in that mask, rather it only allows me to choose from options on a drop down menu (which doesn't include that mask). Is there a way to do this?
Feb 19, 2012
Our WAN is connected via L2WAN and uses EIGRP to connect the sites. Currently there are 35 EIGRP neighbors over L2WAN and we are to install 15 more sites which will be connected to the same L2WAN. Some sites are still using Cisco 2651XM and we would like to know if it can still handle another 15 EIGRP neighbors. Some sites are 2800 and 2900 routers. And are there any other things to consider for EIGRP over L2WAN?
Oct 29, 2012
For the past week, I have tried to setup the PPTP VPN server on the RV180. The setup was straight forward, but I could not log-on no matter what I tried. I decided to call Cisco small business support, and as I was talking to the engineer, it mysteriously started to work. I was puzzled and somewhat embarrassed because I'd hate to admit it was an id10t problem on my part. As I tried a few different configurations, I began to realize there might be a limitation in the RV180 PPTP VPN server with the current firmware (1.0.1.9).
In short, the RV180 PPTP only works with a 192.168.xxx.xxx/24 subnet. My setup has 3 vlans: vlan1 in a 172.xxx.xxx.xxx/24 subnet, vlan2 192.168.0.xxx/24, and vlan3 10.xxx.xxx.xxx/24. My original plan was to keep vlan3 isolated by disabling inter-vlan routing, but I needed a way to manage a couple of devices on vlan3 remotely, thus I wanted to set up a VPN in the 10.xxx.xxx.xxx/24 subnet. This turned out to be the reason why it never worked before. Today when I called Cisco support, I assigned the PPTP VPN server a 192.168.0.xxx ip range, and it worked. Later, I tried assigning 172.xxx or 10.xxx ip addresses to the PPTP VPN server, and they both failed to work. I created another test vlan4 with a 192.168.2.xxx/24 subnet, and assigned the PPTP VPN server to that vlan, and it worked again.
I'd like to mention that I had already configured the 10.xxx.xxx.xxx/24 subnet with a few devices before I replaced my router with the RV180, and I don't want to have to change and test the setup of all the devices. Another reason I want to have my VPN server outside the 192.168.xxx.xxx range is that it's so commonly used by wifi hotspots that it increases the chance of wifi and vpn being in the same subnet.
I can test a few more configurations, but I think the results will be the same. Perhaps Cisco should test the RV180 in the lab to confirm what I found.
Mar 17, 2013
any information regarding height limitation for installing the above ceiling mounted antennas. And is there a separation between the 2 antennas when mounted in the ceiling.
Jan 13, 2013
I need to know if the ADSL router SRP547W or SRP546 permits setting class B subnetting (or class A) on the LAN interface. I read the model SRP527 has a limitation on setting the ip address on the LAN interface but I did not find any information about the 547 or 546.
Aug 30, 2011
access point and the limitation on the users connected to the SSID using a wireless lan controller. From the installation guide I see an incredible thing:
Supported User Count Only fifteen users are allowed to connect on the WLAN Controller WLANs provided on the 600 series at any one time. A sixteenth user cannot authenticate until one of the first clients de-authenticates or a timeout occurred on the controller. Note: This number is cumulative across the controller WLANs on the 600 series. For example, if two controller WLANs are configured and there are fifteen users on one of the WLANs, no users will be able to join the other WLAN on the 600 series at that time. This limit does not apply to the local private WLANs that the end user configures on the 600 series designed for personal use and clients connected on these private WLANs or on the wired ports do not affect these limits.
Is a terrible limitation like this possible?
Sep 7, 2011
How I can actively monitor the interfaces and overall status of 2 x ASA 5500s in an Active/Standby configuration?
I can setup monitoring of the interfaces on the Active member but I'm not sure how to manage the Standby member?
Apr 24, 2012
We were having a discussion of IOS firewall vs. ASA for smaller clients (less than 50), on using IOS firewall (ZBF or CBAC) and an ASA 5505/5510. One of the arguments brought up for using the IOS firewall on the router is that a router will do an IP SLA failover. I have configured a number of ISRs for this and I know it works well.