I currently have a Cisco 3945 router deployed and I am reaching the CPU's max during peak usage. The 3945 supports ~500Mbps Fast/CEF Switching and I need something at least double that capacity.
I need the ability to have at least 8 RJ-45 10/100/1000 connections. I also need the ability to NAT.
I'm trying to determine whether Cisco has any equivalent (in any platform) to some of the existing firewall rules within our iptables infrastructure. [code] What this does, is allow port forwards on port 3389/rdp. However, if a single IP opens too many connections within a timeframe, it starts dropping new ones.This is a critical requirements for certain security scenarios, such as preventing RDP brute forcing. A similar principle can be applied to 22/ssh.I've had a look around, rate limiting searches generally land me on QoS based discussions. I've seen people ask similar questions and get referred to CBAC. Whilst I can see similarly worded functions there such as limiting "half open" connections, I don't see anything there that limits the actual number of connection attempts you can make.
View 1 Replies View RelatedI have a 3945 router with two interfaces connected to my firewall, one to the management interface and another to my dmz. I'm running eigrp between all my network devices. The problem I'm running into is when I try to ssh to the management interface of the 3945 the traffice hits the firewall, then goes right to the management interface as it should, but the return traffic is trying to use the dmz interface since that is how the router knows to get back to my computers network. I created 2 route-maps to try and address this issue. [code] I've applied the MANAGE_IN route-map to all interfaces that might have inbound traffic destined for the management network and applied the MANAGE_OUT route-map to the management interface. The MANAGE_IN policy appears to be functioning correctly, the MANAGE_OUT doesn't appear to be functioning correctly. When I look at traffic from my host going to the management interface I see it still trying to return through the dmz interface.
View 11 Replies View Relatedthe router IPSec VPN config for remote users using Cisco VPN Client 5.0.07
Router 3945 IOS C3900-UNIVERSALK9-M Version 15.1(4)M4
Here is VPN related config part and log from router and client.
aaa new-model
!
!
aaa authentication login default none
aaa authorization network default none
!
!
crypto isakmp policy 5
encr aes 256
authentication pre-share
[Code]...
I highlighted strings with possible problems of of unabling to connect but doesn't know what to do with it.
if the Cisco 3945 router requires any license for it to run HSRP. Also advise which IOS runs HSRP on the 3845 router.
View 3 Replies View Relatedterms of Performance for 3925, 3925E and 3945.
didn't see much different between 3925 and 3925E except an additional port.
I understand that the password has to be changed the first time we login to Cisco 3945 router but i failed to do that and its not allowing me to connect using default username/password.
View 7 Replies View RelatedCBWFQ kicks in when the interface becomes congested and there is no available space in the queue but I need to find a solution to the scenario below:Im using a Gigabit interface on the 3945 Router that connects to the ISP. The ISP limits bandwidth to 60Mb so I need to make sure when I reach the limit of the 60Mb the router starts using the BW percentages defined in the policy-map using classes. any kind of traffic go out as it wants but as soon as the 60Mb limit is reached, the priorities defined by the traffic classes will kick in just as if the interface ran out of queues (as CBWFQ usually works).
View 7 Replies View RelatedWe are having problems with a two router 3945 in HSRP and a switch 2960.The two routers are connected to the switch 2960 through differentes ports. The problem is that we loose connection between the router and the switch.When we excute the command: show cdp neighbor at router, it shows nothing.If we try to make ping to the 2960 switch it is no reachable.If we make ping to the other router 3945 it is not reachable.All other function of the router are o.k.We are attaching the IOS of the routers and switch 2960 and a document in which make reference to a BUG in which mention about arp overwrite due arp attack which produce DoS.
View 2 Replies View RelatedI am using DHCP/TFTP to autoconfigure a 3945 router. The router properly obtains an IP address and finds the correct TFTP server. The issue lies in the download of the configuration file from the TFTP server. The router downloads the file, gives the "Ok" message, and prompts you to press Return to get started. When I view the running-config, several commands are missing from the Serial 0/0/0 section (HWIC-2T). If I modify the config file on the TFTP server to use Serial 0/0/1 instead and repeat the process, the configuration file loads without any issues and Serial 0/0/1 has all of the commands.
I also tried moving syntax around in my config file, but the end result is still the same. If I use Serial0/0/0 - I don't get all of the commands. If I use Serial 0/0/1, I do.
connecting a Cisco 3945 Router to an Ethernet WAN Link. The service provider has provided a 100M Ethernet Single Mode Fiber handoff to the customer premises with SC Connector. The CPE configuration proposed for this setup is like this. [code]
Since the SFP has LC Connector, i suppose i need to have an SC-LC Cable for connecting the Ethernet link. Do i need anything else, apart from above?
We are thinking of following classic design, would Nexus 5K can have 2 seperate connections to each VDC? Nexus 7K w/ different VDC (Internal / DMZ ) Can Nexus 5K have a VPC connection to Nexus 7K to Internal VDC as well as DMZ VDC, and seperate traffic?
View 3 Replies View RelatedI have cisco WS-C2960S-48FPS-L stacked. Weekly twice, my PoE connections are dropped and when the device is restarted, everything starts working normal. This issue happens weekly once or twice. [code] I can see that there is a bug id : CSCtg86211 and no work around for it. Any updates received from Cisco TAC ?
View 7 Replies View RelatedI have an ASA5510 from which I am using 3 interfaces.
-One interface have the main internet connection router
-One interface is attache to a switch 3750 and has multiple virtual interface configured on it
-One interface has another internet connection router.
What I am trying to do is to have only one of the Vlan using the second internet connection and not the first one.
My idea was to just have a static route who says that on interface VLAN_B (for the special VLAN), all traffic goes to 2nd internet router interface. But it does not route. All I have is a default route configured : on interface Internet1 0.0.0.0/0 goes to 1st internet router interface.
I have 2 2911 routers that will be connected via fiber with an ethernet Gig handoff to each router. Each router will then be connected to local networks on a second ethernet interface on the router. I have always connected routers via serial connections so this is new to me. Outside of the usual ethernet interface addressing configuration, is there anything else that would need to be configured on the 2 routers?
View 1 Replies View RelatedIs there a maximum number of licenses for connections to a 877?The reason I ask is that our routers are managed by a datacentre and when I asked for the login details I was told that I couldnt have them due to licensing reasons with no other explanation.
View 1 Replies View RelatedDoes the Nexus 5548P support 1 gig SFP connections ? Here is the image file we are running ?
bootflash:/n5000-uk9.5.0.2.N2.1.bin
I have two 3750 stacks that are currently connected using two1GB fiber connections in an etherchannel. I now added new switches to each stack with 10GB modules in them. We would like to bring up the 10GB connection, but still have one of the 1GB lines as a backup, or even the whole etherchannel. Is there a way for us to make the 10GB the main and the 1GB the standby?
View 3 Replies View Relatedurl..This says an ISR G2 3945 can achieve 502.78 Mbits when CEF fast switching. Is this per port or total for the whole box? Since the router will hold dozens of switch ports and several gig routed ports I don't understand what this half gig switching speed means.
View 5 Replies View RelatedI started having connectivity issues between my core 4506E (Sup7E) and Cisco 2960S. There were input and CRC errors on Te int (SFP 10Gb - LRM) on 2960S, which cause the interface to reset and drop connections. While troubleshooting this issue, I have replaced patch cords and also had the tech checking the fiber. He said that there was some residue on one of the connectors, so the light levels fluctuated in 1300nm, but worked fine in 850. Well LRMs are using 1300, so he re-polished the tips, which worked to stabilize the light levels. After all that, I was still receiving the input/CRC errors, but the connection was NOT dropping. As my last resort I swapped the SFPs between the core and 2960, thinking I should start having issues on the core end. Well, here's what happened: I stopped receiving input/CRC errors on 2960 (also no errors on the core), but 2960s started generating Rx power high alarms: [code]
View 1 Replies View RelatedI am a fairly basic configs that I just can’t figure out what I am doing wrong. I have what I would consider a fairly basic config that I just can’t seem to get to work and I am sure it is something I am just not doing or grasping. Basically I have two 3560 switches that I would like to connect together with four 1Gb ports and trunk four vlans across said port-channel, I created the port-channel and set it to switchport trunk encapsulation dot1q I then set all four ports to channel-group # mode on. With that setup I can’t ping from switch to switch on the nonnative vlan.
View 6 Replies View RelatedWe have Cisco 3945 Router with SM-ES3-24P Switch Module. when we tried to configure routing in Router and Layer 3 ports on Switch module, the inter-communicaiton is not working?
how we can use routing in 3945 with SM-ES3-24P module?
I've a 3945 with SM-ES3G-24-P module installed and tried to configure some routing but it doesn't work .
1. L3 interface on the switch modules (with ip address configured)
2. OPSF on the router with connected interface redistribute (which includes the switch module L3 interfaces)
I don't see any of the switch module L3 interfaces routes in the router, not even the connected interface.
SM
-----
int g0/1
no switchport
ip add 1.1.1.1 255.255.255.0
Router
---------
int g0/0
ip add 2.2.2.2 255.255.255.0
router ospf 1
redistribute connected
network 2.2.2.2 0.0.0.0 area 0
I have a 2911 router where I was configuring the device to allow remote desktops connections. Everything is working properly, but for some reason my ACL has disappeared.
View 5 Replies View RelatedI'm using a radius server to authenticate ssh when connecting to my company's switches (a 3560 + several 2960s).
Everywhere I've looked claims that using the line 'transport input ssh' in my switch config should disable telnet access and allow ssh only. But after changing 'transport input ssh telnet' to 'transport input ssh' I can still connect to all of the switches from telnet. I can't block telnet with ACLs either because my company uses a telnet based terminal client to do most of their work.
I don't have much experience with radius. How do I stop telnet connections when using radius to authenticate?
I was wondering if I could use the CISCO3945 Integrated Gigabit Ethernet WAN ports for routing, I need to enable BGP and I was willing to use one of those ports.
View 2 Replies View RelatedI have Cisco 871 router with 12.3. OS version.
1. I'm interested if it's possible to block certain contetn only at certain time ? e.g. We would like to block facebook from 7:00 to 10:00 and from 11:00 to 15:00. I was going through cisco manuals but can't find the right answer to this.
2. Cisco 871 has 4 LAN interfaces and one WAN interface. Currently WAN interface is connected to adsl modem in bridge mode and LAN 0 interface is connected to switch.
I'm interested if I could use remaining 3 LAN interfaces for adsl connections same as I'm using WAN interface. Then I would create vlans that would use LAN interface 0. Each of those VLAN's would use different adsl connection.I would assign different IP to each VLAN's so users would be able to change their gateway and use different ADSL connection.
Does the RV042 have the ability to VPN to an iPhone?
View 1 Replies View RelatedI have Windows 7 64 Bit Pro PC connected directly to the router via Ethernet.This is I will call Ethernet Connection 1.I also have a Windows XP Pro SP3 computer connected to the same router but via a wireless connection.I have both PC's connected together via an Ethernet cable. This I will call Ethernet Connection 2.It all works fine, but I only want my PC's to communicate via Ethernet connection 2.Currently, if I disconnect the Ethernet cable between the computers I can still access the files on the Windows 7 computer via the wireless connection on the Windows XP computer.I've tried to see if this is discoverable by other people using the router by installing Ubuntu on the Windows XP machine and looking at the available networks. Lo and behold, my Windows 7 machine is discoverable and accessible - albeit by a password. This is with the Ethernet cable between the computers unplugged.I have both networks on the Windows 7 machine set to public and all sharing options switched to off. Both computers have the same workgroup name. Worryingly I can still connect to the Windows 7 machine via Ubuntu wirelessly without even using the same workgroup name!All I want to do is connect the two computers via Ethernet Connection 2. I don't want any sharing information going to the router too and hence other poeple being able to see it. Ethernet Connection 1 on the Windows 7 machine is for the internet only (same as for the wireless connection on the XP machine).
View 1 Replies View RelatedAny Router that is capable of logging the amount of data down/up loaded from/to each connected device with amount of data and date and time stamp.
View 1 Replies View RelatedI have one Cable Modem/Router built in (Netgear CGD24N) and I wish to use two routers (the other being the DIR-655). The Netgear is a fantastic Cable Modem but a ****py router, but I wish to use both. One will be situated upstairs and the other downstairs.I have connected the two at different locations via the wall and the DIR-655 successfully went to the Netgear login page (as I went to 192.168.0.1) but internet connection was not working, whereas the Netgear internet was working. This was connected LAN to LAN.
Another procedure I have tried was connecting to them LAN - INTERNET (INTERNET being the D-link one) and received the following message: "The addressing of the Internet side learnt thru DHCP conflicts with the addressing selected for the LAN side. Internet communications will be disabled until you have changed the LAN side addressing to resolve the problem."
I read a number of older posts indicating that there was no ability to walk the arp table on an ASA 5510; wondering if that has changed at all?
Is there a syslog message that is generated when a new arp entry is added? Is that the only way to do this is to programmatically ssh into the ASA and grab the output from a 'show arp' command!
Ok I realise that the 825 doesn't have the ability to create static LAN routes. Is there a workaround or is this somthing that may be implemented in the future. It's a real let down to find this feature missing in an expensive router such as this.
View 1 Replies View Related