Cisco 2811 runs ITP IOS. On that router we run the SMPP service. A client on the network connects to this service, and we need to capture the traffic for debug.
I've tried traffic-export, but I cannot see any outbound traffic. Is there any way to capture the outbound traffic?
We have some ASR WAN routers which have a dedicated 400M interface to a remote site.
Servers on our Local network source the data through some firewalls via 10G interfaces, which connects to 4500X WAN switches then to the Routers on 1G links.
The sources are rate limiting the traffic but the routers are periodically dropping packets which I think is mostly due to burstiness in the traffic between as it traverses through from 10G links to 1G then to 400M.
How to setup traffic shaping on the 4500X outbound port to our WAN routers.I'd like to see if we could buffer and smoothe out the traffic as it exits the 4500X WAN switch 1G port to the WAN Routers.
I was previously using SDM for our Cisco 2811, and this past week installed CISCO Configuration Professional so I could have access to a bandwidth/traffic monitor.
I have successfully started the monitoring service and monitored traffic from within CCP, but it appears that if I turn off the computer I am using to monitor the traffic, it stops collecting data until I start CCP and the monitor up again.
Is there a way (maybe with IOS console commands) that I can have the monitor always running, so I can pull up, say, a week's worth of info at any time? Leaving the computer on all the time is not an option, and currently I have only a few days of data, then a big empty chunk, and then what I have collected since I started it back up today.
ISRG2 (c2951-universalk9-mz.SPA.152-4.M1.bin) has 512 MB of DRAM. Periodically it runs out of memory: [code]
1. Why "show process mean" command shows less memory than 512 MB? Processor Pool (248 MB) + I/O Pool (58 MB) ~ 310 MB only?
2. *Init* process holds more memory than normal (202 MB). What may cause this?
Is there any challenge to upgrade core switch 6500 series from Nexus 7009 which runs NxOS, because i have 3750X series switches connected at distribution and access layer in my network topology??
Is there any challenge if we place NxOS in core and IOS in distribution and Access layer??? how we are able to match sh run config in existing 6500 switch to Nexus 7009 NXOS?
I have two ISP, I want to divide Inbound to ISP1 and Outbound to ISP2.
View 3 Replies View RelatedWe're running 8.3(2) in the ASA5540. Users all over our enterprise connect to a business partner's application through the ASA/VPN. We have a class-b address space, and since the users are spread out all over the place, I have the entire class-b space as the local object in the ACL that allows traffic through the VPN tunnel.
The business partner has concerns that our entire address space is available to access the VPN tunnel. So I thought, to alleviate their concerns, to PAT all of our connections outbound to a single IP address.
How is this done in 8.3(2)? We use ASDM to configure the 5540. For example, say our class-b is 159.12.0.0 and the PAT'd IP address will be 199.30.36.6.
How to rate limit a 3560 inbound and outbound using different QoS methods. I've read about vlan class maps/policy maps, using the rate limit command on the physical interface, using the srr-queue bandwidth command(it's a gig switch so not sure that would work) and marking all packets and then applying QoS. I'm just learning QoS so trying to figure all of this out and find the best way to do things.
Also, I was told to do this because it's not advisable to have a connection to your ISP that is not 10mb or 100mb on a switch, since they are not divisible by 10 and it can cause issues?
I have a LAN with several linux boxes (Fedora 17, both 32 and 64 bits), as well a a WInXP box. All of these are connected to the same switch, which is connected to the inside port of my PIX 515.
For a few sites (mozilla.org happens to be one of them), for http access, the tcp connection is established, but the "GET" request - or anything else for that matter - will not go through the PIX (from inside to wan). I have verified this by first, using wireshark to watch the packets being sent out from the client box, then by using the trace function in the PIX to see that the packets ARE arriving at the inside interface, but ARE NOT sent out of the wan interface.
This is for the linux boxes ONLY. When I do the same thing with my WinXP box, all works: in the PIX trace, I see the packets arrive at the inside interface, and leave the wan interace. And access to these sites are okay.
(What's a bit weird, although somewhat expected, when I connect my android phone to my LAN via WiFi, it too is unable to reach those sites - but then again, android is linux, right?)
In addition to the tracing, I have narrowed this problem down by connecting a linux box directly to my DSL router, then replacing the PIX with a simple router/gateway. Both of those solutions work.
Some background:
I have been using this PIX for about 10 years now, with the same configuration (except IP addresses). Only in the last several months has this problem started to show up.
I got this pix from a dead company at a really great price (free), so I'd like to keep it, and not have to spend money on something else. I don't have any support license, and have not been able to get any software upgrades. Here is its version info:
taz(config)# sho ver
Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.0(2)
Compiled on Fri 07-Jun-02 17:49 by (code)
Serial Number: 405200362 (0x1826ddea)
Running Activation Key: 0x38ac31f3 0x0630df47 0x9a77b805 0x8bc39a60
PS: Since this PIX is at its end of life, I was wondering if any of the software upgrades would be now available without a license?
We've got a proyect that requires a few thin clients to connect to a remote PCoIP server.
Looking to the documentation, the only port required to be open through Firewalls is TCP/UDP 4172, however, we've seen (making interface captures) that it somehow also uses ESP (IP protocol 50).
We've got a static NAT translation translating those thin clients to a public IP address, we've created ACLs to allow inbound (shouldn't be necessary as our user is connecting to a remote server) and outbound traffic for TCP/UDP 4172 and ESP and I cannot make it work.
I've also enabled IPSec pass-through Inspection to no avail.
how should we configure our ASA to enable this kind of traffic?
I have hooked up to the Cisco 2821 router a T1 on Serial and Cable Modem to GigEth0/1 and I want to split outbound traffic so that all regular users will use G0/1 interface for web traffic and the rest of the traffic stays with the T1. I am having an issue where the users on the network are not able to use the internet when using the following config:
!
interface GigabitEthernet0/0.10
description Data
encapsulation dot1Q 50
[Code].....
I'm trying to add an outbound policy on Layer3 interface on a 6500. The will be used to prioritize voice traffic. The environment contains 2 sites with 2 6500's each with VSS and a metro Ethernet link between them. I seem to be having problems prioritizing the voice across this link.
View 1 Replies View RelatedWe have a Cisco 2811 running ITP IOS. On that router we run the SMPP service. A client on the network connects to this service, and we need to capture the traffic for debug.
I've tried traffic-export, but I cannot see any outbound traffic.I'm guessing that this is due to the fact that the outbound SMPP traffic is not transit traffic as it is generated by the router itself.
Is there any way to capture the outbound traffic?
I've had a Cisco ASA 5505 firewall connected to a cable modem (Virgin Media, UK) for the past 3 years. In the last 6 months or so I have noticed that the ASA would drop the outside (internet) connection intermittently, usually at least once every 1-2 weeks - the interface still shows as being up but no traffic crosses it, and computers on the inside network abruptly lose internet connectivity. Rebooting the ASA or administratively shutting down the interface and bringing it back up again would cure the problem straight away until the next time it happens.
In the last couple of days however despite nothing having been changed in the configuration the frequency of this connection drop has increased to the point where I would lose access to the internet within an hour of rebooting the ASA. It does not seem to matter whether or not there is traffic currently going out or not, inside computers just appear to suddenly lose internet connectivity.
I have tried the following without success:
1) I completely wiped the configuration (configure factory-default)
2) I changed the port the cable modem was connected to (eth0/0 -> eth0/7, changing switchport vlan accordingly)
I thought perhaps 2) had fixed it but it lasted a whole 2 hours before I woke up this morning to find that none of the internal equipment had internet access despite the fact eth0/7 was showing as up/up in ASA CLI.
This morning I manually set the eth0/7 port to "speed 10" (10Mbps, full duplex). It was previously set to be auto-negotiation (default) on both speed and duplex. As of this post it has managed to keep the outside connection up for 3 hours - but I'm not optimistic that it is fixed.
Interface counters have never shown any collisions, errors, etc - only packets input and output as expected.
Since the problem persisted across ports (eth0/0 -> eth0/7) I'm wondering whether or not the problem could either be faulty memory, or some kind of speed/duplex incompatibility between the cable modem and ASA.
A recently added outbound rule has left my SMTP communications broken. I have since removed the rule, and had Cisco do some damage control, but it's still dropping some of the SMTP traffic. I get a number of NDR messages each day like the one below:Your message did not reach some or all of the intended recipients. Subject: RE: Christopher, Curt Sent: 8/19/2011 9:38 AM The following recipient(s) could not be reached:
[URL]
on 8/21/2011 9:49 AM
Could not deliver the message in the time limit specified. Please retry or contact your administrator.
<630.SM.Local #4.4.7>
Your message did not reach some or all of the intended recipients. Subject: RE: Christopher Curd Sent: 8/19/2011 9:38 AM The following recipient(s) could not be reached: JWillar@email.com on 8/21/2011 9:49 AM Could not deliver the message in the time limit specified. Please retry or contact your administrator. <630.SM.Local #4.4.7>
I've attached an image of my configuration (ASDM GUI). The part of the image highlighted in green are the SMTP rules. The part highlighted in yellow is another rule that I added about a month ago to block a SYN attack. This rule may be part of the problem because of the order it is in the list. Not sure, though.
I have had two Cisco techs Putty into my ASA to check things out. I think they've done all they can. I wonder at this point if it be wise to just reload the last good running-config I have prior to the Outbound rule being added.
I've been testing some QoS policies, and I have not been able to make a type QoS policy work in the outbound direction. Simple example:
ip access-list QOS-VOICE
10 permit ip any 10.120.11.0/24
20 permit ip 10.120.11.0/24 any
class-map type qos match-any IN-VOICE
description Voice/VoIP/IPT
[code]....
The 7Ks are running NX-OS 5.2(4). Just wondering - has any one got an outbound qos policy to work on a N7K?
I'm intending to purchase a switch for work,and I need to limit the bandwidth of one of the ports to 25 Mbit upload and 25 Mbit download (we have 100/100 Mbit connection and the customer is only paying for 25). I been trying to find information on how this could be "properly" done and what kind of switch I need to buy. As far as I have understood, most L2+ switches support outbound rate limiting, but not inbound, and as I only want the customer to have 25 mbit up and down, I need both.
I been looking at a Cisco Catalyst 3560 switch, and I'm first and foremost wondering if I can limit the inbound AND outbound bandwidth on this switch? Perhaps it can even be done on a simpler, cheaper, switch - as I rather not spend more money then necessary?
Lastly, how to do it, limit the inbound and outbound bandwidth on a single port (perhaps on the above mentioned switch, if possible), to 25 Mbit?
I am attempting to block outbound traffic for a specific PC on my LAN using the ASDM.
View 2 Replies View RelatedI want to configure accesslists on my Catalyst 3750X-switches to protect different VLANs/networks. Any best-practices about inbound versus outbound accesslists? In my head it is more readable and easier to understand the config when accesslists are assigned outbound on the VLAN to protect instead of assigning them inbound on all possible source-VLANs. But of course, from a performance point-of-view it is better to use inbound access-lists to avoid un-necessary routing etc.
View 1 Replies View RelatedI am trying to block outbound and inbound traffic on TCP 5222 and 5223 on E2500 but cannot figure out how. The reason is I have kids in my house using KiK (texting app) on iPads, iPods etc. My goal is to eliminate this applications ability to function for ANY wireless device connected to my WLAN.
View 1 Replies View RelatedI have four 2811 routers with IOS 12.4(15)T installed. Embedded Event Manager was introduced in IOS 12.3(4)T, why do I not have it?! I've been at this for over a month, when I try to see the command 'event manager' I get Unrecognized command? According to all EEM documentation I can find, this should work on our machines!
View 4 Replies View Relatedi have 2811 router and i am coneccted via concole so i want to copy the 2811 ios to my PC is that possible?
how or give my the right decument to do this.
* idon't want to use TFTP becuse i have no ethernet connection to the router(only concole)
[URL]The Cisco 2811 does not support the HWIC-4T1/E1 module. But, I installed HWIC-4T1/E1 on the 2811 running 124-24.T2.
View 3 Replies View RelatedThis is a 2811 rotuer running Cisco IOS Software, 2800 Software (C2800NM-SPSERVICESK9-M), Version 12.4(24)T3, RELEASE SOFTWARE (fc2) Not sure why this isn't working. Can see it expects to parse the command. Can see this device is vtp server. Can see other vlans were defined here.
Router(config)#vlan ?
accounting VLAN accounting configuration
ifdescr VLAN subinterface ifDescr
Router(config)#vlan 35
^
% Invalid input detected at '^' marker.
[code]....
Just double-confirm that 2811 is compatible with HWIC-2FE based on your experience? Which IOS is compatible with HWIC-2FE? [URL]
View 3 Replies View RelatedI am facing a problem on a 2811 router. The CPU is remaining around 60% and the router throughput is reaching at most 18 MB while according to the data sheet the 2811 maximum throughput is 61MB. I have checked the output interpreter in order to try and figure out the cause of the high CPU and to determine if it is affecting throughput but there are not processes consuming more than 10%. I have attached the show tech-support and the show process cpu history outputs.
View 11 Replies View RelatedI currently have a 2811 and a LAN setup via a sub-interface FA0/1.3 and using a HWIC-AP I have a sub-interface dot11radio 0/1.5. I have them setup to work and surf the inet great, but I have recently been overly annoyed with the fact that the wifi cannot access windows shares on desktops and visa versa with the laptops.
The trick to make this happen is currently they are not on the same subnet. I know the answer is bridging the interfaces but when I do this using the simple commands:
bridge 1 protocol ieee
interface x & y
bridge-group 1
Although what should be simple has failed (good thing I tftp'd my working config). Here is my current configuration.
interface FastEthernet0/1.30
encapsulation dot1Q 30
ip address 192.168.3.1 255.255.255.0
[Code].....
Whether Cisco has part number for the large fan in 2811. I know p/n for small fan is already there, but I can't find any for large one( I think it s fan 3).
View 10 Replies View RelatedWe have a site and on that site we have a server which is down form last two days. However , to manage these devices we are not using any tools. We are not able to find this server that where it is located and on which switch it is connected to.
I want to know that the timer for mac address is 5 minutes and arp timeout is 4 hours . Is there any way to find out the mac address of the server . I feel like this can we done with cef ? Is it true or not I am not sure. I am running 3750 stacks and 2811 routers. 3750 stacks are working as layer 3 devices. They are also running the pretty new IOS 12.2(53)SE.
According to my understanding now a days CEF entry does not expire if we are not using them. They remain in cache as we are running with destination base CEF.
I purchased several Cisco 2811 with Advanced IP Services - they are version 12.2.X
The product number looked like this
CISCO2811-HSEC/K9 2811 Bundle w/AIM-VPN/SSL-2,Adv IP Serv,10 SSL lic,128F/512D
I need to upgrade the IOS to version 15.1 - Do I require a license ? What happens if I install it without a License ? Am I entitled to a free license as I am not changing the software type (ADV IP Serv) ?
I have a remote site on a 2811 IOS 12.4(15). Interface FA 0/0 faces the ISP and is set for DHCP. What command can I run to see all of the information given out with the IP lease from the ISP? I need to find out what the IP address of the DNS servers are.
View 3 Replies View Relatedwe have 2811 router with multiple servers connected to it's lan from which there are monitoring servers in between , the router suffers always from high cpu utilization
configuration has alot of ACLs & NAT & IPSEC Tunnel with wan bandwidth 20 M? Is there any method to reduce the high CPU utilization shown below !!
CPU utilization for five seconds: 90%/80%; one minute: 93%; five minutes: 90%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
104 737029848 427864243 1722 5.45% 5.65% 5.65% 0 IP Input
253 63392216 11081854 5720 1.04% 1.15% 1.12% 0 IP NAT Ager
260 82602372 137425723 601 0.64% 0.64% 0.66% 0 PDU DISPATCHER
[code]....
I have a Cisco 2811 Router. I have two VLANS on the router. The first one of course is VLAN 1 and the second one is one that I created from reading everything from this forum.. it is called VLAN 531
On VLAN one I have an IP address of 10.8.1.1 and on VLAN 531 I have an IP Address of 172.16.1.1, now what I can do is this... I can.. from a workstation on the 10.8.0.0 segment, ping 172.16.1.1 and one server on that segment that has an IP address of 172.16.1.50, which is fine, but what I really want to be able to do is ping our email server which is on a 10.21.0.0 segment and I cannot. Any commands on what I would need to do to make this work as I would like the 172.16.0.0 segment to ping any other part of my LAN of my choosing.