Any router (I'm considering ASR 1002 with 10GE SPAs) that can support the following:
-10GE interfaces
-can handle 1.5Gbps but scales up to 5-6Gbps different seasons
-take on full internet routes from 2-3 providers
-will live on the internet edge
I have a very basic networking question If I have, say, 3750's (or any L3 switch, capable of routing) at the edge and a 4500 at the core, where should I route? At the edge? At the Core? Both?
View 4 Replies View RelatedApart from the ability to participate in BGP, is there any reason you should use a router on an internet edge rather than the SG-300 switch?
View 4 Replies View RelatedWhat is the best way to monitor an Internet Edge router from the Internal network behind the Firewall?We want to pull more information from the edge router like netflow. We can use SNMPv3 and ACLs to keep the router secure.
But I am looking for the best config to keep both the router and firewall as secure as possible while still allowing us to monitor performance and faults.I am running an ASA and a 2821.
From My Router that connects to Cable modem i am unable to ping website 4.2.2.2I am able to ping all other websites fines.Same website i can ping from my pc and all other switches fine.Router has only 1 ACL thats for NAT.
View 25 Replies View Relatedsetup the Physical connectively of IPS 4240 on the Internet edge with the ASA 5520, how the topology will be
f this a good design with IPS Appliance at nternet Edge
I recently ran into some problems concerning the use of a Cisco layer 3 switch (3560) as an Internet edge device to perform a simple static route between the customers network and the ISP POP router. Although this device can perform the routing at the edge for Internet traffic, I am concerned that this device has limitations when it comes to functions such as traffic shaping to the subscribed bandwidth of the Metro Ethernet access to the Internet. Since the 3560 could not conform to the 20 Mbps of subscribed bandwidth, any traffic beyond 20 Mbps was dropped causing performance issues with applications that use TCP. I am trying to find design documents or white papers that would either support or not support using a layer 3 switch as an Internet perimeter device instead of a router. I would like to know if Cisco has a specific perspective on this subject and whether or not they would ever recommend actually using a layer 3 switch model that is a 37XX or below?
View 3 Replies View RelatedUsed a pair of ASA 5520s in HA to firewall the internet edge and to firewall traffic between internal security zones such as web and application layers? If so, is this best done using different security levels or contexts?
I'm thinking of using a routed context for securing the internet edge and then using seperate contexts for the web and application networks. Contexts will route via a L3 switch.
If my ISP brings ethernet into the building via duplex LC multimode fiber can I use the ASA5550 as the first device from the WAN or do I need some type of router for this? I realize I'll need an SFP to get to duplex LC, but I'm not sure if I need a router, or if the ASA can function as a router for this application.
View 3 Replies View RelatedIf my ISP brings ethernet into the building via duplex LC multimode fiber can I use the ASA5550 as the first device from the WAN or do I need some type of router for this? I realize I'll need an SFP to get to duplex LC, but I'm not sure if I need a router, or if the ASA can function as a router for this application.
View 9 Replies View RelatedHow to configure an Asa that will have a default gateway to an edge router that will be doing PBR? We would like Internet surfing to go out one ISP while internally hosted services in the Asa DMZ would go through the other ISP. configuration examples for both the edge router and the Asa?
View 3 Replies View RelatedWe are replacing a DS3 Internet connection with a 100 Mbps fastE connection from a Tier 1 Provider. I currently have a Cisco 7204VXR with 512 Mb DRAM and 128 Mb of Flash and two 10/100 ports that is connected to the DS3. I also have a 3845 with 1 Gb of DRAM and 256 Mb of Flash with two 10/100/1000 ports available.
We are currently running BGP, below is the summary
BGP table version is 88880414, main routing table version 88880414
379041 network entries using 44347797 bytes of memory
379043 path entries using 19710236 bytes of memory(code)
I have implement MPLS L3VPN on my network to provide service to customer and right now we plan to have service VPLS on our same router. What is needed to run the VPLS in our MPLS network ? I heard that we need addictional switching module and upgrade my IOS to support it but I am not sure.
View 2 Replies View RelatedI want to terminate the IP Sec VPN tunnel on the Cisco ASR 1002 router, but it shouldn't have be bedirectional traffic to the other end., and it should be answer only, We don't run tunnle over GRE (no IPSec profile), just IPSec only. I found there is a command "crypto map *** client configuration address respond" but it looks it is global command and we have lots of VPN terminated on the Cisco ASR 1002 router, How can we configure the "Answer Only" for only one specific VPN tunnel and it won't impact the others?
View 2 Replies View RelatedI get this error when updating the IOS on our ASR 1002 router:
Calculating SHA-1 hash...done
validate_package: SHA-1 hash:
calculated e581b06d:923b1cc8:e5497571:66f9de35:70fd0ac8
expected aedab318:d8f213f5:36e12355:f70fa900:5c12d08c
SHA-1 hash doesn't match
boot: error executing
Is there someplace where I can configure the expected SHA-1 hash?
My company has purchased a second ASA for fail over reasons and I'm needing to attach it to my core router (ASR 1001). Currently I'm running the connection between my ASA and my Core as a /19 ie. ASA-10.10.10.2/19 -- ASR-10.10.10.1/19. I know the 2nd interface on the ASR will need to be on a different network segment then the first connection (10.10.10.1/19). What would be the best way to segment this out with out breaking up my /19?
Run /30 segments for each interface? Use a VLan ?
I don't want to use up my Internet rout able IP's on /30 segments. Attached diagram.
We have ASA 5520 firewall.For broadband Internet access, we have T1 Router(edge router provided by ISP) which provides public IP's 198.24.210.224 / 29. We have usable public IP's 198.24.210.226 - 198.24.210.230 with default gateway 198.24.210.225. We assigned 198.24.210.230 255.255.255.0 to the outside interface.
If we connect the ASA 5520 outside interface directly to T1 router, can all packets with destination addresses 198.24.210.224/29 reach the outside interface without using other device like another router or switches?I just assume that only packets with destination address 198.24.210.230(outside interface ip) can reach the outside interface from the edge router.Is it wrong assumption? If it is correct, then is there any way to route all packets with destination address 198.24.210.224/29 to the outside interface?
I have a cisco 3560 switch set up as my edge router. It is working as my external demarc switch and edge router. It is sitting between the ISP's switch and my ASA firewall. It's a very basic configuration with port 1 set up with a fixed ip and switchport turned off which is connected to the ISP switch. VLAN2 is configured with an IP address and 3 ports, two of which go to different firewalls.
I found that I cannot ping a specific address from the inside interface (VLAN2), but I can from the outside interface Gig0/1. I have a few deny commands in an access list, but they don't apply to the network i'm trying to access, and I haven't had any other inaccessible networks otherwise.
Here's my config minus passwords and full IP ranges. There are two ranges, one with xxx and one with xx. The xxx is set as secondary, but is the one we really use.
Current configuration : 4808 bytes!version 12.2no service padservice timestamps debug uptimeservice timestamps log uptimeservice password-encryption!hostname my-rtr-ext!boot-start-markerboot-end-marker!enable secret 5 !
!!no aaa new-modelsystem mtu routing 1500ip routing!
[Code] ............
Region : Others
Model : TL-MR3420
Hardware Version : V2
Firmware Version :
ISP : YU KENYA
most service providers in our country dont have 3G or 4G support,but all the same i bought an MR3420 router in the hopes that since my modem is listed,it would still connect even if on an EDGE/2G network like YU-Kenya.But this is not the case,the router does not recognize the modem i.e it says the modem is unplugged but when i look at the logs,it indicated it detected the modem but LTE was set to zero. providing a modem bin file for compatibility under EDGE/2G connection otherwise my router will be of no use to me.
Region : Poland
Model : TL-MR3220
Hardware Version : V1
Firmware Version :
ISP : Bite
Router TL-MR3220 works well on 3G network, but is not works 2G (edge) network. 3G network is not suported in my location, only 2G. My modem is Huawei E 173. In location 2G network Router show: 3G/4G USB Modem: Unplugged.
I was asked to configure a new ASR 1002 today and after successfully puttintg the config on the router (via TFTP) the router will no longer communicate with anything. There is nothing in the config to cause this (it was actually pulled off a working production ASR 1002) and I am unable to ping a local loop back IP while consoled into the router?? I removed the config, reloaded the router and configured a new loop back - same issue cannot ping the loop back or anything else connected to this router.
View 7 Replies View RelatedWe have CISCO ASR 1002 router on our DC, I want to enable TACACS on this router.what is the usage of key, we need a separate key for every device? or. [code]
View 9 Replies View RelatedI have an ASR 1002. Behind that and across another small MAN network (considered inside) I have an ASA. On the remote end, I have a simple 2811.
I need to create a vpn peer from the remote router to both the ASR (to hand off traffic there) and also a peer at the ASA (to encrypto across the MAN). The ASR1002 has the serial connection (DS3) to our MPLS cloud in which the remote is on the opposite side of.
So basically, I've created a single isakmp policy with two crypto map's by the same name but set to different peers and placed on the remote router then applied it to the serial interface. This works fine. Now i throw in the ASA which is behind the ASR. However, the connection still comes through that ASR to get to the ASA.After setting it up, it works as long as I don't have the crypto map applied to the ASR. If i apply the crypto map to the so interface of the ASR, my asa vpn connection stops working.It almost seems as if the crypto map on the ASR is grabbing my enrypted traffic destined for xx.xxx.24.14 and trying to do something with it. [code]
Why can't i peer from my remote router to both the ASA and the ASR on the opposite end of the serial link?
My SIP provider is not convinced that my ASA and Edge Router is not altering the SIP packets. On the ASA I've removed the inspect SIP, and H323, what else needs to be done to make the firewall not mess with the SIP Traffic.
Packets are flowing in/out.
access-list hbg-outside-198_access_in extended permit udp host <SIP HOST> object sfipoffice_o eq sip
access-list hbg-outside-198_access_in extended permit udp any object hbgipoffice_o gt 49152
access-list hbg-outside-198_access_in extended permit udp any object hbgipoffice_o lt 53246
Here are my Policy Maps.
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
[code]...
On the 3825 Its jsut a pretty simple config that jsut routes packets form one interface to another, all Public Addresses, so no NAT on it.
I've been trying to set up my new Cisco 1921 Router to provide internet access to my local network but with no success. I've been reading guides and looking at videos and I have to be missing something becaouse I can't access internet (ping/tracert) from my local network.
The DHCP server works fine and the clients on my local network gets ip-adresses from the router but can't ping or tracert outside the local network.
[code]....
We have 400 branches is ended on ASR 1002 router. ASR 1002 is the Hub router. When we disconnect/connect WAN interface or Shut/no shut tunnel interface, at the moment, router is not reacheable via telnet.
But if i disable the EIGRP on tunnel interface, tunnel are ok, then when i enable eigrp on tunnel interface, all eigrp neighbourhoods are OK.Is there any way to limit NHRP or EIGRP packets ?
I need to make some changes on our network. We currently have two sites 150 miles apart we join both by way of fiber and on each side we have Cisco 3750 stack switches, configure trunking for all V lans on one port in site one then through the the long haul fiber to site two with site one using 10.1.1.30 and site two using 10.1.1.40 as their default gateway, with static routing all V lan sub nets to the other sites default gateway life is good.
My question - seeing how we have sites using the same sub net 10.1.1.x to trunk all data to each site through switches; we need to now change the network and add each site to the MPLS network, site one switch 1 IP address 10.1.1.30 going to MPLS router one with FA0/0/0 using IP 10.1.1.31, site two having switch 1 IP address 10.1.1.40 going to MPLS router one with FA0/0/0 using 10.1.1.41. I need to know will this work.
We have the same sub net in each site 10.1.1.x to the MPLS routers then the external router interface connecting each site to local switches, will this cause any problems by using the same local sub net for each site?
I would like to know the technical Specification regarding the AC power supply for ASR1002.
I need to know the following:
Voltage
Amp
BTU
Watt
BTU and AMP for ASR 1002?
our customer has a server farm in a data center.At the moment the farm has connectivity with only one ISP but sometimes it has service discontinuity.Customer wants to become AS and having two ISP connectivity for backup purposes.He needs to evaluete two cisco routers to use at AS edge with BGP.At the moment he says that the throughputh with the server farm is max 15Mbps and in the future he thinks that it will not increase.We think about cisco2951 routers with 2GB ram.Is cisco 2951 adeguate for this task ?
View 3 Replies View RelatedI have one ASR 1002 router and one GSR router. when i insert SFP-OC48-IR1 module with GSR and connect 100 Mb link that comming from MUX then the GSR port is up but when the link is connect with ASR with same module the port not going up.i had cross check the module GSR to ASR but the problem remain same.
View 1 Replies View RelatedI have Cisco router ASR 1002-F on which I have created two subinterface, Gigabitethernet 0/0/1.333 and Gigabitethernet 0/0/2.111. I try to bridge those two subinterface but no success. I can create bridg-group and everything needed but I can not add subinterface to specific bridge-group. If I try write command bridge-group on subinterface there is not even possible to chose this command.
View 1 Replies View RelatedOK ran into a little problem with getting this to work. Only group members participate in the encryption process, correct?
I have numerous remotes all coming into one central location. I set up a KS and have currently only 2 of the remote routers set up as GM's, with the intention of the others coming into play as I move forward. Here is basically what I have in my KS and GM's:
KS
crypto isakmp policy 10 encr aes authentication pre-share group 2crypto isakmp key testkey address [code].........
GM's
crypto isakmp policy 10 encr aes authentication pre-share group 2 lifetime [code]....
So I applied the crypto map to the serial interfaces on my routers on either side of the cloud (central-ASR1002 and remote-ISR1841). When I did this, ALL the remotes went down and I'm not sure why. Even the ones that didn't have anything to do with gdoi. Ya, it wasn't good. I thought that only the group members would be affected.
Is it the fact that my acl is encrypting any to any? Surely I don't have to reverse that and have two statements with the same syntax. I'm basically just trying to encrypt all traffic from specific remotes back to the central side. However, I'm trying to do it without taking down the rest of my network .
We are running LMS 3.2 with IPM 4.2 installed....and we are looking to do IPSLA monitoring on a couple of our Cisco ASR's with IOS-XE code installed.
I looked at the IPSLA feature mapping and it only talks about supported IOS code....do we need to upgrade our current IPM module to a current version?