Cisco Switching/Routing :: Apply A QOS For Traffic LAN In ASR 1001?
Jan 31, 2013
I want to apply QoS to my LAN traffic on my ASR 1001. The LAN is connected to the ge0/0/0 interface, which is configured with a service instance to bridge VLAN 1 (I do that for OTV). I put a service policy in "service instance 1" to mark data with ef31, but I noticed that the class "plateform_datacenter" matches the traffic and the ACL associated with this class does not match any traffic!
The policy-map matching traffic for Datacenter:
sh policy-map interface gigabitEthernet 0/0/0 service instance 1
GigabitEthernet0/0/0: EFP 1
Service-policy input: MARKING-OTV
Class-map: Platforme_DC (match-any)
[code].....
Oct 30, 2012
I'm configuring CoPP for an ASR 1001 router with consolidated IOS XE Version: 03.07.01.S, and I'm trying to use the 'DROP' command under the policy map to drop unwanted traffic. But the drop command is not listed.
[code]...
Mar 24, 2013
When I run a trace route on an ASR 1001 router to 172.23.30.7, I get the following output:
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.99.192 0 msec
192.168.99.191 1 msec
192.168.99.192 0 msec
2 172.23.30.243 1 msec 1 msec 1 msec
3 172.23.30.7 1 msec 1 msec 1 msec
Is there a loop between 192.168.99.191 and .192 (these are two routers with HSRP .190), or is this normal behavior when using trace route on an ASR 1001?
Dec 11, 2012
I am migrating an IPsec site-to-site VPN config to a new ASR1001 router «facing» a Linux box (ipsec-tools + racoon). As Debian Linux does not offer VTI, I am using a crypto map.
The working config is given below with the corresponding logs on the Linux side.
When I try to apply this previously working config to the ASR1001, I get the following error :
000855: *Dec 12 18:28:21.859 UTC: %ACE-3-TRANSERR: IOSXE-ESP(14): IKEA trans 0x1350; opcode 0x60; param 0x2EE; error 0x5; retry cnt 0
Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: initiate new phase 1 negotiation: 194.214.196.2[500]<=>130.120.124.8[500]
Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: begin Identity Protection mode.
Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: received Vendor ID: CISCO-UNITY
Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: received Vendor ID: DPD
Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt(code)
Apr 9, 2013
deploy OTV using ASR 1001 between 2 data-centers? We want to acquire HSRP localization there, but at this moment I can only see lots of docs saying how to do this on N7K, not ASR. I saw it has FHRP filtering enabled by default when the OTV configuration is done, and I also see there is an access-list created by default called otv_filter_fhrp. I'm just wondering whether, besides this IP ACL, there should be a MAC ACL applied?
Dec 18, 2011
I have a few new ASR 1001s throwing false environmental alerts. According to the logs, the inlet temp is in excess of 100 degrees C. When I telnet to the routers, they're well within tolerance (30-32C). Running 15.1(1)S, and bug toolkit shows no related issues or caveats.
Dec 27, 2012
Recently I removed the Squid cache from the 7200 router so that I could apply QoS on the router. My topology is simple: I have a 7200 with two working interfaces
GI0/1====>LAN
Gi0/3====>to isp and working bgp
I have 550 Mega BW from the ISP. At rush hour, the quality of browsing becomes worse. I just need a QoS to apply on the 7200 router so that the priority for my traffic is as follows:
1- browsing has the highest priority
2- youtube has the 2nd priority after browsing
3- download & other applications have the 3rd priority.
Dec 7, 2011
Access-group only allows me to set the mode. access-group > mode > prefer > port > int g2/1. Those are the only options available to me; it doesn't allow me to go ip access-group <name> in or out or access-group <name> in or out.
I realize the commands may be a little off, I don't have a switch nearby. When I get on our 3750 there are no issues, it allows you to apply the ACL the conventional way. I just can't seem to find any way to apply an ACL on an interface on the 6506 though.
Dec 23, 2012
I was wondering if I am able to add a redundant power supply to an ASR 1001 router that is in production without losing connectivity or causing any disruption to the users. Is it hot-swappable?
Oct 26, 2011
What license do I need to create an IPsec tunnel? I have an ASR 1001, running? [code]
Feb 15, 2012
configuration of NAT on an ASA 5520. On the ASA I have 1 x WAN connection and 1 x Internet Connection as well as the Inside and DMZ. I want to translate traffic from certain subnets on the inside (say 10.1.2.0 255.255.255.0) to an outside address (say 1.2.3.0 255.255.255.0). I'm assuming the ASA uses the number after the brackets to distinguish what to translate? So if I had another entry with a '2' after the brackets, any of the '1' entries wouldn't translate to this? I have access-lists inbound on the INSIDE interface; I'm assuming these are applied before any NAT and only items allowed through the access-list are allowed to NAT?
I also have an address I would like to statically NAT with a certain port number, how do I do this? After I've configured this, what are the commands to apply NAT on the interface?
Mar 21, 2013
I've got this 3640 and I'm trying to apply a service-policy (output and input), but it seems like I'm doing something wrong, because it only applies the output policy. Here is the config. I already tried to configure the service policy inside fa0/0, but it is not shown at all; it only shows the output, as if I never applied it.
Nov 1, 2011
I've set up my 3560 to do routing. Now, I'm looking for a way to apply acl restrictions to the vlan interface ip address itself.
Apr 22, 2012
Here is my configuration below. I have upgraded my C-3750 switch IOS from IPbase to IPservices. After upgrading I tried to apply PBR on my Vlan 4 and failed. When I try to apply the route-map to Vlan4 the command is taken, but I am unable to see the route-map in sh run. I am giving the command as "ip policy route-map TTSL" in my Vlan4. Below is the configuration.
In Vlan2 I have connected one ISP and in Vlan4 I have connected one ISP. My local subnets are 192.168.1.x and 192.168.2.x. Now I want to route the 192.168.1.x traffic from Vlan2 and the 192.168.2.x traffic from Vlan4.
sh boot
coreswitch#sh boot
BOOT path-list : flash:c3750-ipservices-mz.122-35.SE5/c3750-ipservices-mz.122-35.SE5.bin
[Code].....
Sep 26, 2011
I have some specific traffic that I am attempting to pull off of VLAN 310 at the router, apply a route-map that sends this specific traffic back down to the switch on VLAN 55 (and the private address) and once it hits the switch apply a route-map on that VLAN 55 interface directing the same traffic over to the 72.x.x.9 address which goes through a FAP box back up to the router on another interface.
I have attached the config information. I know this isn't the best-practice way to do this, however right now this is how I have to do it. When running a trace from the net, traffic stops at .2, and when running a trace from my test /30 it stops at .2 as well. I am not sure what to do at this point.
[code]...
Sep 25, 2012
I need to apply DHCP snooping on 4500 series switches working as L2 in my network. We have an external DHCP server in another location connected to a 6500 series switch.
Running EIGRP Configured Voice & Data Vlan both
DHCP Server -------- 6509 switch<----------------------------------->6509 Switch -------- 4500 switch ----------------------------------------------------------Ip Phones.
(ving Redundant) (ving Redundant)
I need to know whether the configuration which I mentioned in the scenario is enough to apply DHCP snooping in my network.
Jul 9, 2012
Example config
int g2/24
service-policy output test
#and/OR
int g2/24.10
encap dot1q 10
ip address 10.1.1.1 255.255.255.0
service-policy output test
Sep 15, 2011
I have a 4510R-E chassis with SUP7-E running IOS XE version 3.01.01.SG. I am unable to create a port-channel and apply auto-qos for VOIP. If I configure auto-qos on the physical interfaces, I get this message when I try adding them to the port channel:
"The attached policymap is not suitable for member either due to non-queuing actions or due to type of classmap filters."
Auto-qos is not an available command in the port-channel interface configuration, but if I try adding the service policies that were created by auto-qos to the port channel manually, it lets me apply the input policy but on the output policy I get this message:
"A service-policy with queuing actions can be attached in output direction only on physical ports."
With the input policy applied to the port-channel interface, I tried adding the output policy to the physical ports and I got this message:
"A service-policy with non-queuing actions should be attached to the port-channel associated with this physical port."
Is there a way to get the auto-qos policies applied to the port-channel properly?
Feb 16, 2012
I am facing a problem with ACE configuration. I want to redirect 443 traffic to my proxy server, but I am not able to do this. I want to redirect only subnet 192.168.80.0/24. Then only it is working, but I don't have to have this policy applied on all the users; I want only one subnet under the HTTPS policy.
How can I apply the policy only on a specific subnet so that port 443 traffic can be redirected and all the rest of the subnets can go directly to the Internet?
Nov 7, 2012
I have an ASA 5510, with Ethernet0 connected to the Internet via a T1 line, Ethernet1 connected to LAN1, and Ethernet2 connected to LAN2. LAN1 & LAN2 are independent, but share the Internet connection via the T1 line. On LAN2, I have another router that connects to the Internet via a Comcast line. I wish to route some of the traffic on LAN2 (10.38.77.0) to the other router on LAN2 (10.38.77.12) (connected to the Comcast line). I have entered the following lines:
route inside2 10.11.0.0 255.255.0.0 10.38.77.12 1
route inside2 10.252.0.0 255.255.0.0 10.38.77.12 1
route inside2 172.22.6.0 255.255.255.0 10.38.77.12 1
I can trace the routes from the ASA 5510 (1st hop is to 10.38.77.12), but not from anything else on LAN2.
Apr 2, 2012
We're in the process of swapping in a new pair of ASA5520s and Catalyst 3750s to support two separate business units. We want Firewall A and Switch A to handle traffic for Org A (VLAN 100). Similarly, firewall B and Switch B should handle traffic for Org B (VLAN200). But we want to be able to fail traffic over in case of firewall or switch failure. Traffic between the two Orgs is being routed at the switch level. [code]
The uplink interface on each switch is currently a routed port with a static address on the uplink subnet. This works fine in a normal state. However, when we fail over one of the firewall contexts to the other chassis, this results in the inability to route internal traffic because the internal interface is now physically connected to a different switch with a different IP port address (obvious in hindsight). The question is, rather than a routed port, what would be the proper way to handle traffic between the switches and firewalls in a failover scenario? If I make the uplink ports into trunks, won't this cause all packets destined for either firewall to hit both? Seems like that's not the way to go either? [code]
Oct 3, 2010
We've got a Cisco 2821 router which periodically stops routing all traffic. It seems to happen about once every 2 weeks, and I can't find anything that could be causing it. There are no entries in the log and the router stays up and running but requires a restart to begin processing traffic again. We're running 12.4(13r)T11. Any thoughts, or troubleshooting steps to track this down?
May 29, 2012
We have a Catalyst 6509 switch, and we hope to use policy-based routing to redirect HTTP traffic to my proxy server. Where can I find the configuration example?
Feb 21, 2013
I have an 891w as my edge device for my home office. I have a VLAN for family use (wired and wireless) that routes out to the internet just fine. I have a second VLAN assigned to a VPN tunnel that backhauls traffic to my corporate network (wired and wireless) and all of the traffic gets to the corporate network fine when I am on that VLAN.
However, while I am on the VPN VLAN, no traffic gets to the internet. I believe it is because I have the gateway of last resort (0.0.0.0) set to the WAN IP address provided by my ISP, so DNS is resolving against corporate, but because there is no specific route, it is trying to dump the traffic back out the WAN without traversing the VPN tunnel.
Jan 17, 2013
I have two Cisco 7606 routers using BGP to connect our customers to the internet. Recently we added a new 1G circuit in addition to an existing 1G circuit and all traffic inbound is now on this new 1G circuit. We would like to shift some of the inbound traffic over to the other 7606. Our Tier provider has the same AS number for both paths. One path goes directly to New York and the other goes to Boston then New York.
Feb 18, 2013
I have a 3560X switch with interfaces 36-48 on the same LAN. All interfaces are switchports. Hosts on 38, 39 and 40 are multicast senders: all sending to the same single multicast address. Hosts on 36 and 37 are receivers, having joined that multicast group. I created an SVI for the LAN and put it in ip pim passive. (That is the only PIM mode allowed for an SVI with my IOS.) Show ip igmp snooping groups shows that 36 and 37 are the only interfaces in this group. I attach a laptop to interface 42 and Wireshark, and the laptop is receiving the multicast traffic. The laptop does not join the group. I expect it would not see the traffic.
Jul 14, 2010
Got servers in VLAN 10, IP range 10.0.0.0, and servers in VLAN 20, IP range 20.0.0.0, on the same layer 3 switch (c6509 sup720). I would like to block TCP traffic initiated from VLAN 20 to VLAN 10. But the servers in VLAN 10 need to be able to open TCP connections to VLAN 20. I did test with an ACL that's blocking (ack/established/syn) but was unable to get it to work. Either it works in both directions or it works in no direction.
Nov 15, 2011
I have a 2911 router. One interface is configured external (WAN) and two interfaces are configured on separate internal private subnets. What is the configuration to allow all traffic in both directions between the two internal subnets?
Jan 29, 2013
I have two switches (2960S's), both with IP Phones on VLAN100. We need to monitor voice traffic via a monitor port on SW1 of all VLAN100 traffic on both switches. The following is what we have configured, but we cannot see VLAN100 traffic on SW1.
According to Cisco doco you cannot have a SPAN and RSPAN on the same session, however since these are two sessions on SW1, I would have thought it to be OK.
Apr 16, 2013
Is there a way to block lan to lan traffic (except lan to gateway/gateway to lan traffic of course) on a Cisco 2960?
Mar 10, 2012
I have the attached setup. Now I would like to limit my FTP transfer to 10 mb from a specific VLAN to the FTP server on the STM-4 (622) link. What would be the best way to limit FTP traffic to 10 mb?
Following are my switch details:
Video_Main#sh ver
Cisco IOS Software, IOS-XE Software, Catalyst 4500 L3 Switch Software (cat4500e-UNIVERSAL-M), Version 03.02.00.SG RELEASE SOFTWARE (fc4)
Technical Support: [URL]
Cisco IOS-XE software, Copyright (c) 2005-2010 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.
[code]....
Feb 23, 2013
We have a lot of IPX traffic flowing through a switched network and we are being asked to filter it from a network standpoint. At one point they were using IPX in their network, but no longer need to, so they still have a lot of machines spewing out IPX traffic. We have removed the IPX routing commands from our distribution switches, (Cisco 6500), but after running a short 10 minute Wireshark capture I'm still getting a good bit of IPX traffic from a lot of different devices.
Nov 21, 2012
I have two servers on one subnet that each need to replicate to a single server on another subnet. They also need to replicate to each other. This replication is unidirectional so I will refer to the 2 server subnet as the source subnet and the single server subnet as the destination subnet. In order to keep this replication running without killing the MPLS links on either end, we are trying to use a policy-map that limits bandwidth from the source subnet.
The Problem: We have created a policy that polices traffic during specific times of day and limits the bandwidth as prescribed, however, bandwidth is also being limited between the 2 servers on the source subnet which is not needed or desired.
Class 512K
set dscp ef
police 1024000 bps 1024000 byte conform-action transmit exceed-action drop
Class Map match-any 512K (id 4)
Match access-group name DAG
Extended IP access list DAG
10 permit ip host 10.20.0.3 host 10.20.0.10 time-range DAG-REP (active) (22793 matches)
20 permit ip host 10.20.0.4 host 10.20.0.10 time-range DAG-REP (active) (14156 matches)
The service policy is applied on the input side of the 2 interfaces on which our devices are connected. As you can see, the access list identifies the interesting traffic as traffic from two specific hosts to one specific host. The problem we are having is that bandwidth is also being throttled between the two source hosts even though it is not defined to do so.
What can I do to limit traffic from the two source devices to the single destination device without limiting bandwidth between the two source devices?