Cisco Switching/Routing :: 10.10.10.10 / Outside NAT With Overlapping IPs In VRFs?
Apr 7, 2013
I have 10.10.10.10 in 2 VRFs (lite) on 2 different VLANs. What I would like to achieve:
- if I connect to 172.16.7.125 in the global VRF then translate it to VRF1 10.10.10.10 destination address.
- if I connect to 172.16.3.162 in the global VRF then translate it to VRF2 10.10.10.10 destination address.
IMHO the solution is quite simple:
ip nat outside source static 10.10.10.10 172.16.7.125 vrf VRF1
ip nat outside source static 10.10.10.10 176.16.3.162 vrf VRF2
However the router thinks something else:
R1(config)# ip nat outside source static 10.10.10.10 172.16.7.125 vrf VRF1
R1(config)# ip nat outside source static 10.10.10.10 176.16.3.162 vrf VRF2
% 10.10.10.10 already mapped (172.16.7.125 -> 10.10.10.10)
IMHO this configuration should be valid. The global VRF has two IPs (172.16.7.125 and 172.16.3.162) while the 2 other VRFs work happily with the two identical 10.10.10.10 destinations as they should. The two translations should be easily distinguished as these are from two different VRFs. Either I am missing something or it is a problem in IOS.
IOS is 12.4(25f)
HW is 3845
View 1 Replies
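As an added example (not from the original post and not verified on 12.4(25f)): the inside-source form of VRF-aware static NAT, which is the pattern IOS documents for overlapping addresses in different VRFs. Each VRF's 10.10.10.10 is mapped to a distinct address in the global table; the VRF interfaces are marked NAT inside and the global interface NAT outside, so a global host connecting to 172.16.7.125 is translated to 10.10.10.10 and routed in VRF1. Interface names, subnets, RDs and the upstream next hop 172.16.7.254 are assumptions, as is the requirement that the upstream routes 172.16.3.162 toward this router's global interface.

```cisco
! Assumed topology: Gi0/0 in the global table (NAT outside),
! Gi0/1.10 in VRF1 and Gi0/1.20 in VRF2 (NAT inside), both 10.10.10.0/24
ip vrf VRF1
 rd 65000:1
ip vrf VRF2
 rd 65000:2
!
interface GigabitEthernet0/0
 ip address 172.16.7.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip vrf forwarding VRF1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip vrf forwarding VRF2
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
! The same inside local address in two VRFs, each with its own inside global address.
! The vrf keyword ties the entry to the VRF, so the two 10.10.10.10 entries do not collide.
ip nat inside source static 10.10.10.10 172.16.7.125 vrf VRF1
ip nat inside source static 10.10.10.10 172.16.3.162 vrf VRF2
!
! Return traffic from each VRF to global-side hosts leaves via the global table
! (172.16.7.254 is an assumed upstream next hop).
ip route vrf VRF1 0.0.0.0 0.0.0.0 172.16.7.254 global
ip route vrf VRF2 0.0.0.0 0.0.0.0 172.16.7.254 global
!
! Verification: each VRF should show its own 10.10.10.10 <-> global mapping
show ip nat translations vrf VRF1
show ip nat translations vrf VRF2
show ip nat statistics
```

The check worth making after applying this is that `show ip nat translations vrf VRF2` lists 10.10.10.10 mapped to 172.16.3.162 independently of VRF1's entry; if the router still reports "already mapped", the platform keys outside-source entries on the outside address alone and the inside-source form is the only VRF-keyed option available.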
Mar 1, 2013
I am having an odd issue on a couple of new 3750X switches. I am trying to configure VRF-lite and it is not recognizing the command. Does that make any sense? I have googled the syntax and it should be right.
View 12 Replies
Jan 11, 2012
We are trying to test multicast between VRFs configured on Nexus 7Ks. Two Nexus 7Ks are configured for vPC. The multicast server is in one VRF whereas the receiver is in another VRF. The two VRFs are connected to each other via a Checkpoint firewall (Active/Active cluster in unicast mode). All routes have been established and connectivity tested between the multicast server and receiver using ICMP. Using the Windows mcast.exe tool, a multicast stream is generated from the server (in one VRF) intended to be received by the receiver (in the second VRF). Every time, only one multicast packet is received by the receiver and all the rest are being dropped. The server and receiver are virtual machines on the same VMware chassis, which is connected to two Nexus 5Ks (vPC configured).
View 1 Replies
Aug 30, 2012
I have run into a very strange problem while doing pre-deployment vPC/STP testing in the lab with a pair of Nexus 7000s.
The basic configuration is as follows:
2x Nexus 7000 VDCs (ver 6.0(4)) are configured as vPC peers and connected with a vPC peer-link (redundant on different 10G blades) and a vPC peer-keepalive link. The switches also act as HSRP and EIGRP routers. The N7K-A switch is nominally configured as STP root and HSRP prime for all VLANs, N7K-B switch is STP backup root and HSRP secondary. STP version is PV-RSTP+. As it stands now STP root and vPC prime are on different switches, STP root is on N7K-A and vPC prime is on N7K-B.
3x Layer-2 access switches (3750-1, 3750-2, 3560-1) are configured as access switches and connected to the Nexus 7Ks with 1G uplinks in a V-pattern.
3750-1 and 3560-1 are configured for vPC as Port-Channel10 and Port-Channel12 respectively. 3750-2 is configured for STP. Vlan 35 is shared between all three switches and is enabled on the vPC peer-link (overlapping vPC and STP domains). The downlink port to the STP-only 3750-2 on N7Ks is configured as "vpc orphan suspend".
Everything seems to work fine and pings on VLAN 35 between access switches (that have mgmt interfaces in VLAN35) recover rapidly after failures. However, if I break the vpc peer-link the ping between the two vPC switches 3750-1 and 3560-1 stops. Moreover, this appears to be sporadic in nature with some vpc peer-link failure attempts recreating the problem and some not. Sometimes the problem manifests itself when the peer-link is brought back up rather than taken down.
After doing a bit of troubleshooting, I have isolated the problem to MAC address blackholing. Basically when the peer link is taken down, MAC Address table on the vPC primary switch, N7K-B, (I believe during vPC convergence) forces the traffic destined from 3750-1 to 3560-1 through the STP only switch 3750-2, which apparently goes through the RSTP convergence and enables its alternate link to N7K-B before vPC has finished its convergence. After vPC convergence is finished the path through the STP-only access layer switch 3750-2 no longer exists, as vPC will take down all vPC ports and suspend orphan ports on the vPC secondary switch (N7K-A). However the MAC Address table on N7K-B still points through the 3750-2 access layer switch instead of directly through Port-Channel 12 on N7K-B and thus creates a traffic blackhole. Issuing a ping or bouncing SVI interfaces on N7K-B fixes the problem.
View 1 Replies
Nov 21, 2012
I want to create the following setup and wanted to know how this is achievable:
3 VRFs on a Nexus 7K, all VRFs connected to each other in the following manner through virtual firewall contexts:
N7K-VRF1----FW-CONTEXT1----N7K-VRF2---FW-CONTEXT2-----N7KVRF3
   |                          |                          |
SERVER1                    SERVER2                    SERVER3
Now I want SERVER1 to be able to speak to SERVER2 and SERVER3, and I want to exchange routes between VRFs through OSPF.
View 10 Replies
Dec 2, 2012
Can we use a single OSPF process for multiple VRFs in Nexus 7K? If yes, is there a document to show how?
View 0 Replies
Jul 14, 2011
We are a new medical school located in PA. We have just completed a new building and are now working on getting our network finished. Here is the situation: we have a 50MB Internet connection that comes into our network and hits the ISP's Cisco 3750, which sends it to two of our Cisco 3750s for redundancy. From the 3750s it goes into our Cisco 6509 with an FWSM module, then out from there to our distribution switches, which are all Cisco 2960s.
What we would like to do is control how much WAN connectivity each of our VRFs gets. Right now we have Faculty, Student, and Research VRFs formed, and are trying to figure out the best spot where we can say Faculty gets 30MB of bandwidth, Students get 10, and Research gets 10. If possible we would like burst capabilities.
View 3 Replies
Jun 1, 2012
I am trying to troubleshoot / map out a large network with a freaking butt load of overlapping IP addresses.
View 8 Replies
Apr 18, 2011
how to make NAT work for some future projects (remote offices with overlapping networks, L2L VPN with overlapping networks, etc). Using this as a guide [URL] I was able to get it to work using an ASA and a router (initial configuration below). I'm able to ping from host 1 to 40.40.40.2 (host 2) and it works, as does pinging from host 2 to 50.50.50.2 (host 1). The issue I'm having now is that I've replaced that router with another ASA (second configuration below). Once I've done that, I can no longer reach the end device with the NAT'd IP address. If I take out ASA1 and swap in a router (basically reversing the router/ASA in the initial configuration) it works fine as well. I'm only seeing issues when using two ASAs. I've verified that ICMP and telnet are permitted inbound on the ASAs as well. I even tried separating the final host with another router (third configuration).
Initial configuration:
Host 1 ------------ Router ------------ ASA ------------- Router ------------ Host 2
30.30.30.2          e0: 30.30.30.1      in:  10.10.10.2   e1: 20.20.20.1      30.30.30.2
NAT: 50.50.50.2     e1: 10.10.10.1      out: 20.20.20.2   e0: 30.30.30.1      NAT: 40.40.40.2
[code]....
View 1 Replies
Nov 25, 2011
Our ISP has given us a second range of IPs as we were running out. Unfortunately, they can only give us two non-overlapping ranges. I am running two ASA 5520s in failover to handle our traffic, but I don't know the best way to use both external ranges. This is not a failover scenario -- and I need outward-facing servers on both ranges. It is advantageous to us to keep the two external subnets separating two of our operations, so we don't want to bring everything into one subnet (long story). I have one NIC designated outside that will need to cater for both WANs. As there are two subnets there are two gateways. How do I keep the traffic on track?
View 4 Replies
Feb 14, 2012
I'm trying to connect two overlapping networks via IPsec.
Details: Site_A uses an ASA 5510 with software version 8.0(4)32. Site_A uses 10.100.0.0/24, 10.100.1.0/24 and 10.100.2.0/24 inside networks. 10.100.0.0/24 is directly connected to the ASA (as vlan10); 10.100.1.0/24 and 10.100.2.0/24 are routed. Site_B uses a Linux box and networks 10.100.1.0/24, 10.100.2.0/24, 10.100.3.0/24 and so on (basically 10.100.x.0/24). I didn't set up this ASA; we took over this infrastructure without any documentation whatsoever.
According to the link posted above I should use dual NAT. Site_B will see networks in Site_A as 10.26.0.0/22, and Site_A will see networks in Site_B as 10.25.0.0/24. Site_A is allowed to access only 10.100.1.0/24 in Site_B, and Site_B is allowed to access all 10.100.x.0/24 networks in Site_A - hence the /22 mask in 10.26.0.0/22. I'd like to, for example, ssh from a host in Site_B to a host in Site_A using 10.26.1.222 as the destination IP address (and it should be translated to 10.100.1.222 on the Site_A side). I'm looking for something like ip nat type match-host in Cisco routers - I want to translate only the network part of the address and leave the host part intact. Anyway, following the steps from the link posted above everything is ok till the command:
static (companyname,outside) 10.26.0.0 access-list fake_nat_outbound
which results in:
WARNING: real-address conflict with existing static
TCP companyname:10.100.0.6/443 to outside:x.x.x.178/443 netmask 255.255.255.255
WARNING: real-address conflict with existing static
TCP companyname:10.100.0.20/25 to outside:x.x.x.178/25 netmask 255.255.255.255
WARNING: real-address conflict with existing static
[code]...
View 2 Replies
Jun 6, 2012
I have a new customer that needs to send data to us occasionally. We normally install the Cisco VPN Client on their PC, but this customer has the same private network we do.
I know this could be done with NAT policy on my ASA 5510 with a site-to-site VPN, but the customer does not want to change their network hardware or addressing. They have a cable router with no VPN capability, and they don't want to spend any more money on this project.
Can this work if there is no duplication of IP addresses?
View 25 Replies
Jan 13, 2012
In my LAN, I have always used an Aironet 1250 for internal use and it has always worked fine. Now I added a 3Com AP, but both APs are not working correctly. When I turn off the Aironet 1250, the 3Com AP works fine. When both are turned on, the 3Com AP loses connectivity all the time. I have heard about overlapping channels in 802.11b/g networks.
View 8 Replies
Feb 4, 2013
I have an ASA5510, and site-to-site VPN with several remote clients. I have to add another client but their network range overlaps an existing tunnel. Both are using 172.16.0.0/16. I would like to 1-to-1 NAT them as 172.17.0.0/16.
Is it possible to perform the NAT on my device, post-decryption, or is it necessary that I have them perform the NAT at their end?
View 2 Replies
Dec 13, 2012
I am trying to connect two overlapping IP address sites (see attached diagram). Site A LAN addresses will dynamic NAT to 10.1.1.0/24 at the ASA 5520. All the users from site A need to get services from site B (DHCP, DNS, Mailbox, Print Servers, AD login etc). All the connections will be initiated from site A to B.
1 - Will all these services run over NATed addresses (dynamic), or do I have to change to static NAT?
2 - Any sample config for the ASA 5520 for this type of network?
View 3 Replies
May 21, 2011
I wanted to move to the Cisco arena, and I'm having a bugger of a time figuring out simple NAT/PAT rules combined with access lists. I've been reading Richard Deal's Cisco ASA configuration book, googling the heck out of this simple problem, and can't see what I'm missing.
I have an ASA 5505 with the unlimited Security Plus license running 8.2(3) and a simple network: 192.168.0.x internal, 192.168.3.x DMZ (not even touching that yet!), and outside I have a /29 subnet of addresses; 25 is the gateway, and 26-30 are my addresses.
I have simple dynamic NAT set up on the .26 address to NAT 192.168.0.x. All I'm trying to do is port forward a simple TCP port I set for my Linux server (192.168.0.2) on the inside; for argument's sake, it's 2222 (it's not really). My outside VLAN 50 is X.X.X.226 255.255.255.248. Can I make a static NAT (inside,outside) x.x.x.226 192.168.0.2 netmask 255.255.255.255?
I tried using (inside,outside) x.x.x.230 192.168.0.2 netmask 255.255.255.255 and that didn't work either. Is it not possible to use two external addresses to hit the entire /24 range AND a single server?
My access rule for this NAT is permit tcp any 192.168.0.2 eq 2222 (where I'm using 2222 for my SSH port). Then I apply that access list to the access group on interface "outside".
I thought the outside interface would do proxy ARP (since I do not have the sysopt noproxyarp command) for my .227, .228, .229, and .230 addresses, where .226 is my internal NAT for all my internal machines, i.e. 192.168.0.1 -> x.x.x.226. I had this working like a charm before with my Fortinet, so I know I have systems listening.
View 3 Replies
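An added example (not the poster's configuration) of the 8.2 syntax for forwarding one TCP port on a spare public address alongside the existing dynamic NAT on .226. The caveat a pre-8.3 ASA needs: the access list applied to the outside interface is evaluated before the static is untranslated, so it must permit the mapped address (x.x.x.230), not the real address 192.168.0.2. ACL names, the 203.0.113.5 test source and the x.x.x placeholder (kept from the post) are assumptions.

```cisco
! Existing dynamic PAT: the whole inside network leaves as x.x.x.226
global (outside) 1 x.x.x.226
nat (inside) 1 192.168.0.0 255.255.255.0
!
! Port static: only TCP/2222 on x.x.x.230 is mapped to the Linux host.
! The ASA answers ARP for x.x.x.230 on the outside interface once this exists
! (proxy ARP is on by default; sysopt noproxyarp would disable it).
static (inside,outside) tcp x.x.x.230 2222 192.168.0.2 2222 netmask 255.255.255.255
!
! Pre-8.3: interface ACLs on the outside match the MAPPED address, not 192.168.0.2.
! Keep the ACL as narrow as the static so nothing else on the host is exposed.
access-list outside_in extended permit tcp any host x.x.x.230 eq 2222
access-group outside_in in interface outside
!
! Verification: the static xlate should be present, and packet-tracer should
! end in ALLOW after the NAT and ACCESS-LIST phases (203.0.113.5 is a test source).
show xlate
show access-list outside_in
packet-tracer input outside tcp 203.0.113.5 40000 x.x.x.230 2222
```

If the static is written against the interface address instead (the post's first attempt), the 8.2 form is `static (inside,outside) tcp interface 2222 192.168.0.2 2222 netmask 255.255.255.255`, with the ACL then permitting `host x.x.x.226` on port 2222.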
Mar 3, 2011
I have 3 ASA 5505 firewalls. I am creating site-to-site full mesh tunnels between each firewall. The problem I am facing is that two of the firewalls' internal schemas are the same: Site 1 has an internal schema 192.168.0.0, Site 2 has an internal schema 192.168.0.0, Site 3 has an internal schema 10.10.10.0.
For that do I have to create a policy static NAT and access list?
I configured an access-list like below:
access-list vpn_ih_site3_site1 permit ip 10.10.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list vpn_ih_site3_site2 permit ip 10.10.10.0 255.255.255.0 192.168.0.0 255.255.255.0
View 10 Replies
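An added example (not the poster's configuration, and written in pre-8.3 syntax) of how the two overlapping sites can present distinct ranges to Site 3. Site 1 translates its real 192.168.0.0/24 to 192.168.1.0/24 with a policy static that only applies to traffic bound for Site 3; Site 2 does the same with 192.168.2.0/24; Site 3 then references the mapped ranges in its crypto ACLs and NAT exemption, so the two ACEs on Site 3 no longer collide. The mapped ranges, ACL and crypto-map names, transform-set name and the peer placeholders are assumptions.

```cisco
! ----- Site 1 ASA (real LAN 192.168.0.0/24, shown to Site 3 as 192.168.1.0/24) -----
! Policy static NAT: translate only when the destination is Site 3's LAN.
! The mapped network mask is taken from the source mask in the ACL.
access-list site1_to_site3_nat extended permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
static (inside,outside) 192.168.1.0 access-list site1_to_site3_nat
!
! On the ASA, NAT is applied before encryption, so the crypto ACL must
! match the translated source, not the real 192.168.0.0/24.
access-list vpn_site1_site3 extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto map outside_map 10 match address vpn_site1_site3
crypto map outside_map 10 set peer <site3-public-ip>
crypto map outside_map 10 set transform-set ESP-AES-SHA
!
! ----- Site 2 ASA (real LAN 192.168.0.0/24, shown to Site 3 as 192.168.2.0/24) -----
access-list site2_to_site3_nat extended permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
static (inside,outside) 192.168.2.0 access-list site2_to_site3_nat
access-list vpn_site2_site3 extended permit ip 192.168.2.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto map outside_map 10 match address vpn_site2_site3
crypto map outside_map 10 set peer <site3-public-ip>
crypto map outside_map 10 set transform-set ESP-AES-SHA
!
! ----- Site 3 ASA (real LAN 10.10.10.0/24, no overlap, no translation needed) -----
! Crypto ACLs and NAT exemption reference the MAPPED ranges of Sites 1 and 2.
access-list vpn_site3_site1 extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_site3_site2 extended permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0 extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0 extended permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0
crypto map outside_map 10 match address vpn_site3_site1
crypto map outside_map 10 set peer <site1-public-ip>
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map 20 match address vpn_site3_site2
crypto map outside_map 20 set peer <site2-public-ip>
crypto map outside_map 20 set transform-set ESP-AES-SHA
!
! Verification on Site 3: one SA per peer, each with its own proxy identities
show crypto ipsec sa
```

Hosts at Site 3 reach Site 1 machines as 192.168.1.x and Site 2 machines as 192.168.2.x. The Site 1 to Site 2 leg of the full mesh still has identical real networks on both ends and needs translation on both sides (each site addressing the other through a mapped range) before it can be brought up.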
Jan 29, 2013
I am buying a Nexus 5K (N5K-C5548UP-FA) with the Layer 3 card (N55-D160L3 - Nexus 5548 Layer 3 Daughter Card). The switching capacity of it is 960 Gbps, but I know I should expect less doing the Layer 3 function (it will only be used with static routing). What switching/routing capacity should I expect? How can I estimate it? What else should I consider?
View 1 Replies
Jan 11, 2012
We've had an issue with our network. We have 2 6509s connected with redundancy, which are connected to 2 x 4900 switches, which are connected to an ESX chassis for virtualization. The thing is that the ESX stopped working, and the 4900 switches and the main core were suffering from overload; they hung on very well. In order to stop the overload, one of the links to the ESX chassis was disconnected from one of the 4900 switches. The CPU usage of the 4900s and the core (6509) went down below 40%, and then they started to migrate the virtual servers from the chassis to another 2 chassis that were added right after. They were actually working well, but suddenly the 6509 switched to the other supervisor after everything was OK. We were wondering what could have been the cause of this: maybe the virtual server migrations, maybe the overload from the ESX? We also had a few questions: is there any need to reload the cores every few months as a planned task? Because the cores have been up for more than 1 year. And also, is there any kind of tool to monitor the CPU status, or the overall status of the cores or the switches?
View 3 Replies
Oct 18, 2011
I am facing an issue with a 7609 for LAN switching, based on the LAN (VRRP/HSRP) feature. Actually we have ES+ cards (on the 7609) and we are using multiple groups (say 350 VRRP groups) running on the router. The routers are connected as router 1 >>> mux (which is working as a switch) >>> router 2.
My questions are:
1. Will there be "multicast packets" (for the VRRP/HSRP group) "from backup router to master router" when in stable state (i.e. when master and backup are already chosen), or should the packets from backup to master be unicast? I know for sure the packets from master to backup are multicast packets, destined to the multicast IP address and MAC address. I am not sure, but I think from backup to master it should be multicast.
2. What is the frequency of these packets (from backup to master)?
3. As I have multiple groups on a single interface (we are using Q-in-Q), when the connectivity from the routers is broken, will all the groups multicast their active role in the LAN segment "at once", or will it be in groups, say 100 groups at once, and after a few ms a few hundred more, and so on (as in OSPF or RIP)?
We are in the middle of troubleshooting; I hope we get the answer. (The actual problem we are seeing in the routers is that we have 2 ports on the active router and 2 ports on the standby router, but we are not seeing multicast on 1 port on the standby router, whereas all other 3 ports are seeing multicast packets.) [code]
View 5 Replies
Sep 10, 2012
I would like to know if the Catalyst WS-C3750G-48TS-E recognizes and understands Cisco VSS (Virtual Switching System). Is there a list available which tells us which old Catalyst switches or current switches understand Cisco VSS?
View 3 Replies
Jul 4, 2012
We are in the process of switching our infrastructure of routing/firewalls/VPNs over to Cisco. We are switching our first location, and one of the issues I'm struggling with is Windows authentication pass-through for internally hosted web pages. Meaning, a user inside our network has the 2921 as their default gateway; they try to access a web page that is hosted on the internal network but is secured with Windows authentication. In the past, because they are logged into the domain internally, the website authenticates and loads. After switching to the Cisco, it asks for a password even though they are logged in.
Because it's the web server that actually authenticates, I'm not sure why the router isn't allowing that to happen, but I can't think of anything else that could be causing this behavior.
View 4 Replies
Apr 9, 2010
Does the Nexus 7010 support virtual switching yet? All of the posts I have found from about a year ago say that it is going to be supported, but there were no dates listed. I heard the same thing from Cisco a while back, but haven't followed up with it. If it is finally supported, are there any configuration guides available for it?
View 7 Replies
May 12, 2013
I have the following devices :
-1 VM Host
-2 Layer 3 switches
I would like to provide full redundancy for all VLANs being used by VM guests on the VM host as well as the management VLAN being used by the VM host. I have created two LACP etherchannel connections on the VM host. Each etherchannel from the host consists of 4 ports spanning a single NIC. One etherchannel connection goes to a trunked etherchannel connection on switch 1, and the other etherchannel connection goes to a trunked etherchannel connection on switch 2. Switch 1 and switch 2 have an etherchannel connection between them that carries all of the VLANs in the topology. VLAN 2 is the management VLAN. VLANs 3, 4, and 5 are VLANs that VM guest systems will be using for normal data traffic.
I intend to use switch 1 as the VRRP active router and spanning-tree root bridge for VLANs 2 and 3. I intend to use switch 2 as the VRRP active router and spanning-tree root bridge for VLANs 4 and 5. The spanning-tree configuration is using Multiple Spanning Tree with two instances. Instance 1 has VLANs 2 and 3 associated and Instance 2 has VLANs 4 and 5 associated. I would like to have this topology be fault tolerant to the point where if one of the etherchannel links between the host and one of the switches goes down (for example, if switch 1 was powered off) traffic will be automatically redirected through the other functional link. I believe that my VRRP configuration would allow for a fairly quick failover of layer 3 services, but I am not certain that my design will be functional at a layer 2 level.
What I am uncertain about is how spanning-tree will converge. I am assuming that the virtual switch on the VM host will not be forwarding any BPDUs being sent by either switch. Would either of the links connecting to the host be considered a redundant link by either switch? Would the link between switch 2 and the host be inactive for all VLANs in MST instance 1 during normal operation? Conversely, would the link between switch 1 and the host be inactive for all VLANs in MST instance 2 during normal operation? Would all links remain active for ALL VLANs? Would this mean that some traffic may travel through switch 2 to reach switch 1 instead of going directly to switch 1?
View 1 Replies
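An added example (not the poster's configuration) of the MST and host-facing port settings for the design described above. Because the vSwitch neither sends BPDUs nor bridges frames between its two uplinks (assumed here, as is the case for a VMware standard vSwitch), neither switch ever sees the other's BPDUs through the host, so both port-channels stay forwarding in both instances; the only link STP can block is the inter-switch trunk, and it stays forwarding because each switch is root for one instance. Region name, priorities, port-channel numbers and the `switchport trunk encapsulation` line (needed on 3560/3750-class platforms, absent on others) are assumptions.

```cisco
! ----- Both switches: one MST region, two instances, VLAN 2-3 and 4-5 -----
spanning-tree mode mst
spanning-tree mst configuration
 name DC1
 revision 1
 instance 1 vlan 2-3
 instance 2 vlan 4-5
!
! ----- Switch 1: root for instance 1, backup root for instance 2 -----
spanning-tree mst 1 priority 4096
spanning-tree mst 2 priority 8192
!
! ----- Switch 2: root for instance 2, backup root for instance 1 -----
spanning-tree mst 1 priority 8192
spanning-tree mst 2 priority 4096
!
! ----- Each switch: port-channel to the VM host -----
! The vSwitch sends no BPDUs, so portfast trunk lets the bundle forward
! immediately after a flap; bpduguard err-disables it if a BPDU ever does
! arrive (a guest or a misconfigured vSwitch bridging the two uplinks).
interface Port-channel1
 description VM-Host (LACP, 4x1G)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 2-5
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
!
! ----- Each switch: inter-switch trunk carrying every VLAN -----
interface Port-channel10
 description Switch1-Switch2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 2-5
!
! Verification: Po1 should be FWD in both instances on both switches,
! and the root ID per instance should match the priorities above.
show spanning-tree mst 1
show spanning-tree mst 2
show spanning-tree mst configuration
```

With both host links forwarding, a frame from a guest on VLAN 4 that the host hashes onto the switch 1 bundle is switched across the inter-switch trunk to switch 2 (the VRRP master for VLAN 4), so some traffic does traverse both switches; losing either switch removes one bundle and the host's LACP teaming carries everything over the other.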
Jan 21, 2012
As per my understanding, in a 6509 all slots are dual channel, so 9 slots * 40 Gb per slot (20 Gb in and 20 Gb out) = 360 Gb. How does Cisco claim 720? What about the 6513 chassis switch fabric connection?
View 5 Replies
Aug 6, 2012
It is said that the switching fabric of the WS-C3750X-24T-E is 160Gbps. Could anybody tell me what the switching fabric is, and any relevance to or difference from the forwarding rate? Is there any document to explain how the switch will reach the 160Gbps full switching fabric performance?
View 5 Replies
Mar 21, 2012
I have two distribution switches of Cisco 3750G. Each distribution has two 3750G switches stacked. I also have one Cisco 3750V2 access switch connected to both distributions. When I am checking for redundancy, I can only get the redundancy test to pass for one link, not at all for the other. If I have a link up with Distribution 1 only then it's fine, but disappointment with the Distribution 2 link. I can see that the switch priorities of Dist 2 are not correct, i.e. the Master's priority is 10 and the Member's is 15.
My question is whether, due to misconfigured priorities on the Distribution 2 stack switches, I am failing with redundancy if ONLY Dist 2 is up and Dist 1 is down.
View 4 Replies
Sep 20, 2012
I am seeing a strange situation on my 6500 switch. By doing an snmpwalk on '1.3.6.1.4.1.9.9.109.1.1.1.1.3' (== cpmCPUTotal5sec), I came to know that there are two processors and the CPU utilization for the switching processor has gone to 88% and sometimes creeps to 99%.
snmpwalk -v2c -c "removes" sw6500 '1.3.6.1.4.1.9.9.109.1.1.1.1.3'
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.3.1 = Gauge32: 12 (--- this is the CPU of the Route Processor)
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.3.3 = Gauge32: 99 (--- this is the CPU of the Switching Processor)
But when I do sh process cpu on the console, all looks normal, as it shows the CPU utilization of the RP. Why is the value so high on the switching processor?
View 1 Replies
Jul 24, 2011
It is understood that sub-50 ms ERPS convergence can be achieved with certain HW/SW combinations.
1) What are the supported platforms (and with what FW/SW) on which this has been tested? Any results that can be shared?
2) Link failure detection in GigE on copper is slower compared to GigE over "pure" fibre, so no sub-50ms would be possible with copper ring ports. Is sub-50ms convergence achievable with "combo SFP ports"?
View 1 Replies
Oct 8, 2012
Lucien is a customer support engineer at the Cisco Technical Assistance Center. He currently works in the data center switching team supporting customers on the Cisco Nexus 5000 and 2000. He was previously a technical leader within the network management team. Lucien holds a bachelor's degree in general engineering and a master's degree in computer science from Ecole des Mines d'Ales. He also holds the following certifications: CCIE #19945 in Routing and Switching, CCDP, DCNIS, and VCP #66183
View 1 Replies
Jan 17, 2013
My management has tasked me to give them a high level overview of the different switching we can choose for our new building.
This is what I know so far: 4 closets, each closet has 450 ports; one MDF room that will contain one UCS chassis and a Nimble iSCSI SAN.
I am working on the spreadsheet and it looks like this (not totally filled):
                   2960S             3560X             3750X             4506              4510
Approx cost        6K                7K                8K                45K               75K
  (each, 48 port, PoE+, 10G uplink, dual PS, IP Base)
Max capacity       192               432               432               192               384
Backplane speed    20                64                64                520               520
Pro                Least expensive   Stackable to 9    Stackable to 9
Pro                Dual PS           Dual PS           Dual PS           Dual PS           Dual PS
Pro                                  Layer 3 opt       Layer 3 opt       Dual Sups         Dual Sups
Con                                                                      Expensive         Expensive
Con                No Dual PS
Con                Layer 2 only
Con                Cannot stack more than 4
For the MDF I would like to use 2 Nexus 5548s with FEXs and the layer 3 daughter board. For the IDFs I was thinking of two 4010s.
View 12 Replies
Oct 7, 2012
I configured HSRP on a Router 2951 as the primary router and a Router 2811 as the backup router. But when I switch off my primary router, the backup router is taking 2 mins to take over from the primary router.
[code]....
View 4 Replies
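An added example (not the poster's configuration) of an HSRP group with explicit timers, preemption and authentication. Takeover after the active router disappears is bounded by the hold time: the defaults (3 s hello, 10 s hold) give roughly 10 s, so a 2-minute takeover is far above what the protocol itself imposes and the timers and state on the 2811 are the first thing to confirm with `show standby`. Interface, addresses, group number and key are assumptions.

```cisco
! ----- 2951 (intended active) -----
interface GigabitEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 standby version 2
 standby 1 ip 192.168.1.1
 ! Higher priority plus preempt so the 2951 takes the group back when it returns;
 ! the delay keeps it from preempting before its own routing has converged.
 standby 1 priority 110
 standby 1 preempt delay minimum 30
 ! 200 ms hello / 750 ms hold: the standby declares the active dead within ~1 s
 standby 1 timers msec 200 msec 750
 ! MD5 authentication so a rogue host on the segment cannot claim the group
 standby 1 authentication md5 key-string <shared-secret>
!
! ----- 2811 (intended standby) -----
interface FastEthernet0/0
 ip address 192.168.1.3 255.255.255.0
 standby version 2
 standby 1 ip 192.168.1.1
 standby 1 priority 100
 standby 1 preempt delay minimum 30
 standby 1 timers msec 200 msec 750
 standby 1 authentication md5 key-string <shared-secret>
!
! Verification on the 2811 while the 2951 is powered off:
! state should read Active, with the hold time shown as 750 msec.
show standby brief
show standby GigabitEthernet0/0 1
```

Timers, group number, version and the key must match on both routers; a mismatch leaves each router unable to see the other and both go Active, which looks like slow failover in one direction and a duplicate-address fight in the other.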
Sep 13, 2012
Why does Cisco implement so much switching capacity in their switches? Obviously, 16 Gbps of switching performance is too much for the 8.8 Gbps (24*200 + 2*2000 Mbps) needed by the ports, so why do they put in so much bandwidth?
View 3 Replies