Cisco Switching/Routing :: 5510 / 2811 - MPLS Options At Company HQ
Apr 30, 2012
I've studied and labeled out MPLS and MPLS VPNs several times. The situation I'm presented with is a little different from most of the case studies I've seen in my MPLS books. I've attached a diagram.
We have a IPsec site to site tunnel from our main HQ router to a Cisco ASA 5510 in the core network in the colo. This allows our HQ office to reach the private sub nets in our core without using a Cisco VPN client. The problem we are running into is that this seems to be putting undue strain on the Cisco 2811. I feel like the 2811 should be able to handle it but doing any kind of upload or download through the tunnel spikes the CPU/Interrupts and makes the router CLI basically stop responding until the traffic transfer is stopped or completed. During this time, certain Cisco SCCP phones on our Broad works platform cycle while the SIP phones on the same platform are OK. We are trying to alleviate the load on the 2811 by setting up a VRF from the HQ network to the private VRF used in the Core for private sub net communication. The problem I'm having is the the HQ also has some public traffic that I do not want to include in the VRFs and would like to have it travel through the P2P circuit we have and access the internet or other public devices through the core public IP Internet routing table.
The flow would be this:
-going to a public address use the public internet routing table
-going to private address in the 10.x.x.x or 172.x.x.x - use VRF to core Private network.
This is a little different of a set up from most of the VRF VPN examples I've seen. Most of those the CE devices is completely private. This is not the case at our HQ.
What are my best options to secure branch office connection to HQ over Provider MPLS cloud. Our existing Setup
<<HeadQuarter>> :: DataCenter hosting Email, ERP, Intranet, Voice Services 10mb link to Service Provider over MPLS CloudMPLS is terminated on a 3825 Router running advance Services
<<BrancOffice>>::Total 10 In Country Branch Offices2mb Link to Service Provider over MPLS CloudTotal users in each branch : 20 MPLS is terminated on a 2811 Router running advance Services
I'm looking for Routing Design scenarios to complete our configuration needs for remote branches. We will have two 1921 routers in each location, one with a T1 from our MPLS carrier, the other with a DSL connection from an ISP. The T1 router will have an assigned AS and use BGP to router back to head quarters. The DSL router will have an IPSec tunnel back to an ASA 5510 at head quarters. I envisions a GRE tunnel from the DSL router back to head end routers connecting to MPLS at head quarters. Not sure yet how to manipuate the routing between head quarters and the branches such that the T1 router is the primary route to and from the branches and the DSL router is for failover/backup.
i have 2 routers 2811 interconnected together ,1 of these router running in circuit with 2 Mbps over Internet the 2nd one use MPLS Circuit with a bandwidth of 4Mbps,how configure the routing to route over the MPLS while IPSec act as standby
To check if this is enough to built point-point MPLS between 2811 abd 3745Maybe some other technology should to be used for point-to-point connection?Basically, there should be transparent connection between routers.Also, it's possible to use ISP routers as MPLS endpoints for MPLS, so seems just etherenet connection required
We have about 200 spokes (2811 routers), each one connected to two hubs(7206VXR with NPE-G2) via a separate DMVPN. DMVPN is over MPLS cloud provided by the local operator. On the hubs we get very frequently these type of messages
.Feb 9 16:00:10.402: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 200: Neighbor 10.X.X.X (Tunnel3) is down: Interface Goodbye received.Feb 9 16:00:11.658: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 200: Neighbor 10.X.X.X (Tunnel3) is up: new adjacency
On the spoke Feb 9 13:36:48: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 200: Neighbor 10.X.X.X (Tunnel0) is down: holding time expiredFeb 9 13:36:51: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 200: Neighbor 10.X.X.X (Tunnel0) is up: new adjacency
I think the default eigrp hello and holding timers (5,15) are not suitable since these are wan links.
I have 2 Catalyst 2960S (24 ports and 48 ports). Can I stack them using the Uplink connection instead of the stack modules. I know Stack module is the best option but it is kind of expensives (half price of the 24 ports switch) and I only need to stack no more then 2 switches.
I am going to get some wyse thin clients up and running on our departments. Each department communicate with the main-office through Cisco C1812 routers.
In order to get functionally DHCP up and running, I need to
A - Configure some Dhcp options on the C1812 routers B - Perform a DHCP relay from each department to the main-office
Option B will cause some additional issues, so is not preferred.
The question is: Does the Cisco DHCP-client have an option for configuring DHCP options? I need to put in among others, an option 161, a string value pointing to a ftp-server. Can this be done? And if it can, what is the right syntax
I have recently started working here, therefore I am not certain of the IOS-version on the router, as I still not have the logon-information, but I will aqquire this shortly.
On occasion employees are downloading large files for business purposes, at very fast speeds. This has the potential to overwhelming our Internet circuits which causes our Customers problems accessing our Web Hosting services.
Our network is comprised mostly of 2960S switches for the employees. Webservers are connected to other 2960(nonS) switches and directly into the 6509 VSS.
Customer’s traffic comes in through one pair of ASA’s. Employee’s traffic is handled by another pair of ASA’s.
Employee traffic flows from the 2960’s, past an L3 SVI on the 6509, then through the Employee ASA’s, then to the ASR’s, then out to the ISP#1 or ISP#2
Web Server traffic flows from the 2960’s or 6509, to the Customer ASA, then to the ASR’s then out to ISP#1 or ISP#2. Web server traffic does not flow through an L3 SVI.
The goal is to allow employees the ability to have the most bandwidth they can, however customer traffic always has to be preferred in the event of a ISP circuit approaching its limit.
I'm troubleshooting a 3750 switch stack problem where computers are showing input and CRC errors. I'd like to be able to execute a "show interface" command that will show me only the line showing the switch port and the line showing the input errors, but so far I can't figure out a way of combining those two parameters.
If I do "show interface | include Ethernet[0-9]�" I get all the lines showing the port numbers:
GigabitEthernet1/0/1 is up, line protocol is up (connected) GigabitEthernet1/0/2 is up, line protocol is up (connected) GigabitEthernet1/0/3 is up, line protocol is up (connected)
When quoting a Catalyst 3750X with PoE (WS-C3750X-48P-E) the Dynamic Configurator Tool allows to include as the secondary power supply option the Catalyst 3K-X 350W AC Secondary Power Supply (C3KX-PWR-350WAC/2), but the default included primary power supply is the Catalyst 3K-X 715W AC Power Supply (C3KX-PWR-715WAC). My questions are the following:
1. Will this combination of power supply work?
2. Will the C3KX-PWR-350WAC/2 be able to power up the switch if the primary power supply of 715W fails?
3. Will the PoE will be lost if the primary power supply fails and only the secondary power supply of 350W keeps working?
4. If this secondary power supply of 350W is not suitable for PoE, why it is available as a secondary power supply option in the Dynamic Configurator Tool for a PoE switch?
Got 2 of these switch stacked and there is some changes that we are going to undertake which will require us to utilize the whole 8 or 4 (2 from each switch) SFP ports. Just need some adivce on which particular fiber modules should I procure. Does this switch support 10GB of SFP ?
What are the options avilable to add a cat3560 g switch to a stack of 3750x switches.?is there a connector avilable ?or is it possible to trunk via fiber ? cat 3560 has 4 sfps and 224 10/100/1000 ports with poe. cat 3750 stack has a 10 gb up link . What are the possible options?
I got remote offices connected to our DataCenter some via MPLS and some via VPN terminated on Cisco ASA 5510. I am running OSPF on LAN and BGP for MPLS sites. To have reachability to VPN remote offices I added 'redistribute static in OSPF' and to have rechability to sites connected via metro link i added 'redistribute connected'
I have configured DHCP snooping on a WS-3560G-48PS running IOS 12.2(58)SE2 ipservicesk9 variant.When I enable DHCP snooping clients don't get IP addresses, when DHCP snooping is disabled, everything works fine.I have set up a SPAN port and run a capture (attached) on the traffic. Wireshark notes the Seconds elapsed field appeared to be encoded in little-endian but only on some packets. Apart from that, I can see nothing wrong with the DHCP Offer responses from my DHCP server.Attachment config.txt contains the interesting parts of the configuration. Please note g0/32 has been set to ARP inspection trust as without working DHCP snooping it would require a static bind.Is there any way of figuring out which option can't be parsed? Is there a way to force forwarding of unparsable DHCP packets while still running DHCP snooping?
I have a couple of WS-C3750X-48T-L and a couple of WS-C3750X-12S-S, I want to stack all four of them together into a single stack. WS- C3750X-12S-S are running c3750e-universalk9-mz.122-58.SE2 whereas WS-C3750X-48T-L are running c3750e-universalk9-mz.122-55.SE3.I have got a couple of queries as under:What are the options to achieve putting all these 4 switches into a single stack? Can the LAN Base switches upgraded to IP Base?
I'm going to start the evaluation of implementing the virtualization of our campus LAN using MPLS.We'll get many inter-VLAN routing domains per VRF on the same LAN infrastructure.The LAN infrastructure is based on C6500 implementing VSS.Do you have experience with this kind of setup?Any known/faced issue that might prevent the setup of MPLS on VSS enabled C6500?
I have a 2921 router and want to use mpls feature. Right Now we are using c2900-universalk9-mz.SPA.151-4.M1 image but mpls static cross connect” is not working with this image. And will this image(c2900-universalk9-mz.SSA) be worked?
We have the problem that MPLS labeled packets are not being processed on EHWIC-1GE-SFP-CU if L3PDU + Shim-Header exceeds 1500 bytes.When we move the config exactly to the on-board Interface Gi0/0 it works with put any problems. [code]
I need to confirm internet access from remote network through MPLS cloud to another site. Let me explain. We have a MPLS network with Wind stream as listed in the visio drawing; site 1 has internet access through the Time-Warner cloud for all users. Site2 has internet access through the Wind stream MPLS router. Site three has no internet access, and only has LAN access layer2 through Windstream routers to Site1 for networks 192.168.0.0/24, 10.1.1.x/24. My question is can we give everyone at Site 3 internet access through the MPLS network down into Site 1 using the Time-Warner ISP cloud.
I placed routes on the Site 3 3750 stack IP route 192.168.50.x 255.255.255.0 to the interface of the MPLS router at site3, then at site 1 we have IP route 192.168.50.x 255.255.255.0 to the MPLS interface, and able to ping all anything on the 192.168.50.0 network. I added the IP route 0.0.0.0 0.0.0.0 192.168.50.x the MPLS router interface, we do not have internet access at Site 3 using Site 1 network.
I confirmed at Site 1 from the Cisco 3750 switch we can ping 4.2.2.2 = Google. How to confirm this will work and what’s required to complete this connection to give everyone at site 3 internet access through Site 1 Time-Warner.
I thought I saw a post/question in regards to "how to" configure a Broadband backup for a MPLS circuit.. What I am trying to do is use a cable/dsl/ broadband (secondary) connection as a backup to a MPLS circuit (primary). I have EIGRP and BGP configured on both the branch endpoint and the tunnel headend. The tunnel is used by the interface that connects to the secondary circuit. The branch location router is a 1841 and the "headend" tunnel router is a 3825. I am wondering about the configuration/syntax of a "weight" or static route that can be used to have data flow over the tunnel when the MPLS circuit goes down - and then switch back to the MPLS circuit when it comes back on line.
We are about to install a new network consisting of Cat 4500s with Sup7E at the Access Layer, with Nexus 7000 at the Distribution and Core layers. We have 14 floors with at least three 4500s on each floor. Within the office block where the Access Layer and Distribution Layer reside we need to support secure borderless networking using 802.1x to place users from different parts of the business into segregated networks at layer 3.All switches will have the feature sets to support MPLS/ VRF / OSPF / EIGRP / BGP etc.We quickly dismissed the idea of using VRF-Lite due to the sheer number of Vlans we would need to managage and maintain, the point to point links alone just to get one additional VRF on each floor required far too many Vlans.As a result we are now considering deploying MPLS. The obvious benefits include scalability and manageability, the fact that all switch to switch links can now be routed, instead of having to using SVIs.
I am attempting to install an asa 5510 at my hq. Our MPLS network is provided by our ISP and the routers are managed by them. They will be working with me to add the needed routes to the routers. Using version 8.4.1 That said, here is my challenge:
I am connecting the MPLS routers and WAAS device to my core switch(also performing inter-vlan routing) in VLAN 2. There are 3 connections needed for the mpls equipment and they are all in vlan 2 on my core switch. The firewall (ASA 5510 with security plus licensing) also has an interface (outside) in vlan 2.
e0/0 shutdown no nameif
[Code]....
configuration guides or suggest TAC as they have been a bit inconsistent with this issue thus far. What am I missing because I cannot get to where inside interface of the firewall is pingable by the lan and the outside interface of the firewall is pingable by the lan.
I have four 2811 routers with IOS 12.4(15)T installed. Embedded Event Manager was introduced in IOS 12.3(4)T, why do I not have it?! I've been at this for over a month, when I try to see the command 'event manager' I get Unrecognized command? According to all EEM documentation I can find, this should work on our machines!
I have 2 cisco 1941/K9 vpn router. I have configured both with LAN ip address given by our vpn provider which is 172.10.10.1 and the other is 172.10.20.1. Both IP addresses are configured to GigabitEthernet port 0/0 on both routers.
1. Is it possible to configure our own set of ip address like 10.71.10.1 and 10.71.50.1 on the GE 0/0 port?
2. Or can we configure our own set of ip addresses (10.71.10.1 and 10.71.50.1) to GigabitEthernet port 0/1 and maintain the other ip addresses on port 0/0?
The first purpose is to have our own set of ip addresses for LAN connection and I will be able to connect or telnet whichever ip address or port is up.
This is a 2811 rotuer running Cisco IOS Software, 2800 Software (C2800NM-SPSERVICESK9-M), Version 12.4(24)T3, RELEASE SOFTWARE (fc2) Not sure why this isn't working. Can see it expects to parse the command. Can see this device is vtp server. Can see other vlans were defined here.
