Cisco :: VRF Aware Peering With Straight BGP?
Mar 24, 2013
I have a scenario where I may have to run VRFs on a router that is currently facing an ISP as a BGP peer. peering two BGP peers, one of which is VRF aware (and hence configured within the address-family ipv4 vrf X subsection) and the other is not? (the BGP aware and internet facing segment will go into its own VRF where previously this router was only in that VRF and hence had no awareness). Are there any caveats or restrictions? Does the presence of the VRF throw the ISP peer?
View 3 Replies
Apr 10, 2012
I have two 7204VXR with NPE-G2 and 1Gb of ram. One router has 2 eBGP peers and the other has 3. The routers receive all internet routes from the 5 peers and send 2 internal routes. There is an iBGP peering between both routers. On all peers I have a route-map to send only our routes.
All had been working fine for a couple of months when I suddenly saw an increase of memory on one of the routers (router B); 1 hour later the memory was at 100% and the router crashed and rebooted. The other router (router A), with the same hardware capacity, same RAM and same amount of routes, was working well. After router B restarted, I shut all eBGP peerings on it, keeping only iBGP with router A; RAM used was the same as router A (about 50% used) but CPU was about 30% used by the process Router BGP, whereas router A, which has active traffic and active eBGP, is only at 20% and the BGP process is almost 0%. Restarting peers one by one on router B causes the same issue: increase of memory then crash, even with only one peer.
What I suspected:
- A peer on router B, but I can't isolate one because the problem appears with each one taken one by one
- Not enough memory, but router A has the same number of routes and doesn't have any problem
- IOS version? Same on both: 12.4.(15)T1
- Why does the Router BGP process use 30% on router B when all eBGP peers are shut except iBGP and no traffic passes?
- A routing loop, but I only send internal routes to peers and only have one iBGP session with no sync nor redistribution with an IGP
Of course I can't run any debug ip bgp on the routers as the number of routes is very large (300K).
View 1 Replies
May 15, 2013
Topology :
PE router-T (ASN 1111) ----eBGP---- CE router-T (ASN 65500) ----iBGP---- CE router-V (ASN 65500 ) ----eBGP---- PE router-V (ASN 2222)
When we have configured it in this manner everything is working fine. The only thing is that I cannot receive all the network updates coming from PE router-V in CE router-T. It's due to the synchronization rule (I have not turned off sync in CE router-T). Now, for load sharing purposes, I have applied one route map on the iBGP peering from CE router-V to CE router-T in the OUT direction, specifying that for any routes coming via ASN 65555, set Local Preference = 150, which will prefer the path via MPLS SP-V. The rest go via MPLS SP-T.
But as soon as I applied the route map, it was not reflected. When I applied clear ip bgp * on CE router-V, then I could see two routes in CE router-T with LP 150 and default. Everything is working OK.
When trying to check the auto failover by shutting the LAN int of CE router-V, failover is also working via CE router-T. When re-enabling the LAN int, after that the iBGP peering is flapping continuously. Finally we removed the route map and it was stable.
Find the route map:
CE Router - V
router bgp 65500
!
address-family ipv4
[code].....
I have also checked the MTU issue between these two peers (LAN int. of both the CE routers) by pinging each other with size 1500 with the df-bit set.
View 5 Replies
Mar 20, 2011
I have a Cisco ASR 1002 router. I would like to connect our decentralized location to the router. Unfortunately this location has a standard DSL connection with a dynamic official IP address. I have found a config which can handle a dynamic IP address (enclosed).
Is it possible to work with the "set responder-only" command together with a dynamic crypto map? How can I configure it?
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 300
crypto isakmp key xxx address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp identity hostname
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set dezentral-location esp-3des esp-md5-hmac
!
crypto dynamic-map fil 1
 set transform-set dezentral-location
 set pfs group2
 match address 150
 reverse-route
!
crypto map Filialen 1 ipsec-isakmp dynamic fil
View 1 Replies
Sep 13, 2011
I have a remote site in which a site-to-site VPN is configured with the hub site using a 5510 model. Now I am using a load balancer on which 2 ISPs will terminate; one is Sify and the other is Reliance. Now I want this: suppose the IPsec tunnel is configured as primary with Sify. If the Sify link fails at the hub site, should the remote site then be able to communicate with Reliance, that is, the secondary?
View 7 Replies
Jul 18, 2012
Are the RV042 and RV082 routers SIP AWARE? I haven't had any luck finding documentation stating such.
View 2 Replies
Aug 31, 2011
I purchased a D-Link switch that supports MDI-X so I should be able to use only straight through cables according to the manual. My router (WRT54GS) also supports MDI-X, yet when I plug a straight through cable from port 4 on the router to port 1 on the switch -> then a straight through from port 2 on the switch to my computer, I don't get an IP address. If I connect a crossover cable from the router to port 1 on the D-Link switch -> then straight through from port 2 to the computer, it works just fine. I am going to purchase an extra crossover cable to use for this but I'm really curious as to why it won't work this way? DES-1105 is the model of the switch. "THE DES-1105 CAN BE CONNECTED TO ANOTHER SWITCH OR OTHER DEVICES (ROUTERS BRIDGES ETC) VIA A TWO-PAIR CATEGORY 3,4,5 UTP/STP STRAIGHT THROUGH OR CROSSOVER CABLE."
View 2 Replies
Apr 13, 2012
I installed the Ad-Aware Pro 30 day trial. I enabled safe browsing but it doesn't allow me to open some websites. OK, perhaps that's the point of safe browsing, but I need to enter those sites. So, I decided to disable it, but I don't know how. I clicked "off" on Ad-Aware's "Home" window, but the sites are still not working. There's a possibility that the websites I'm trying to enter are not going to work after I disable safe browsing because there's something wrong with the internet (I'll open another topic for that). But still, I'd like to see Firefox's "cannot found" window, not Ad-Aware's.
View 9 Replies
Mar 11, 2012
I am having a hard time understanding the real difference between the two types of context aware licenses for the MSE:
1. AIR-CAS-1KC-K9 - Context Aware License For 1K Clients and Tags (RSSI based)
2. AIR-CAS-1KT-K9 - Context Aware License For 1K Tags (RSSI, Chokepoints and TDOA)
For a regular network without any devices with tags such as RFID, I understand I do not need to get the .2, only .1, even though the .1 also is shared with clients at 1K of each. Also, the .2 does not say clients, only tags and advanced features such as TDOA. Going through the Q&A, it does not clearly say the difference, or when to use one or the other.
View 3 Replies
Feb 6, 2011
I would like to know whether the MSE 3350 supports HA mode. I have 2 MSE 3350 appliances and I want to configure one as primary and the second as redundant for the primary. I am not finding any documentation for the same on the Cisco website.
View 2 Replies
Oct 28, 2012
I just got done running CAT 6 wires into different rooms and placing jacks on the wall, which all work correctly going into the patch panel. The problem I am having is that for the Access Points on the ceiling I decided to make it a little easier and use regular network cable, cut one end off and place it into the patch panel the same way as all the jacks. The APs are PoE and they are just not getting on the network. Do I need to do something different for this cable? The way I punched all the wall jacks and all the cables to the patch panel is by using section B on the jack, so because of me cutting a cable and leaving one end on, should I use A or is there something else I should do?
View 3 Replies
Dec 28, 2012
I have one running UTP cable of around 50m, terminated at a point. Is it possible to split my cable so that I can terminate two points, so that I can connect my 2 PCs without a switch in between?
View 1 Replies
May 21, 2011
I have a desktop and a laptop computer, both equipped with a Gigabit LAN port. I connect them with a straight cable by assigning both computers an IP address. I haven't used any switch or router between the computers. The problem is that my transfer speed is about ~10MB/s. As far as I know the transfer speed should be around 70-80MB/s (125MB/s for Gigabit LAN).
View 5 Replies
Oct 21, 2009
Does the MIR feature on the MSE 3350 require the Context-Aware Service to work? I read that the system uses location, signal strength and coverage data in conjunction with monitor mode APs at each exit to trigger the roam. I just don't know if MIR does this on its own or needs to get location from the Context-Aware service.
View 2 Replies
Jan 20, 2013
I'm looking to deploy a pair of 6500s running VSS. VSS will be established over a pair of 40GBASE-SR4 QSFP+ transceivers in each switch. Do we need MTP/MPO crossover cables or straight through cables to connect the QSFPs? Since the two switches are sitting side by side the MTP/MPO cables will be passed directly between the two racks. As a result there will be no intervening fibre fobots used.
View 1 Replies
Jun 17, 2011
What is the difference between cat5e and straight cable?
View 3 Replies
Feb 9, 2012
Easiest way to convert a cat 5e crossover cable to make it a straight? I have 2 PCs networked & am introducing a router & need to convert the cable without having to rewire it if possible.
View 1 Replies
Dec 5, 2012
I successfully authenticate through ACS to my Identity Store, but only get dropped into a non-enable prompt: ciscoasa> How can I get an Authenticated user directly into enable mode?
View 3 Replies
Feb 12, 2012
I have a Cisco SG200 26 Port Switch, 2 Cisco WAP4410N Access points, and a VLAN aware router. I have created 4 VLANs. For the sake of this conversation let's call them:
98 - Intel Vpro
99 - Management
100 - General
101 - Guest
The Access points are capable of doing VLAN tagging so I plan on having them tag a guest network as VLAN 101. That can get sent to the VLAN aware router and out. No problem. I have some devices, or management pages, that I don't want accessible from the general network (Intel vPro KVM, Remote Management Cards, AP Config Menus, Switch config menu...). I need to be able to take a VLAN unaware device, plug it into port 1, and have it communicate with VLAN 98, 99 and 100.
View 1 Replies
Jun 9, 2003
I'm working for KOREA TELECOM, and currently providing MPLS VPN. We're planning to provide our customer with traffic report using NetFlow..
I read some documents which reads Netflow ver.9 can be enabled on Cisco GSR 12000 Series, but no mention about catalyst switches. Netflow ver 9 can be activated on catalyst 6500 series.. because the point where switch is located already have mpls encapsulated packet ( mpls vpn packet).
View 3 Replies
Apr 3, 2012
I have a site with two links, one for internet traffic and one for voice; they have separate public IP ranges. There is an existing site to site VPN between the site and a datacentre. The site device is a 2801 with a WIC-4ESW and the datacentre is an ASA 5510. The internet link is heavily contended and due to certain priority users complaining about the speed of their connection, we decided to route these users over the voice link, and I did this using PBR. I created an SVI on the router and used one of the ports on the 4ESW to connect to the voice router.
I wanted to also create another site to site with a peer address on the voice link, so I configured a VRF, put the SVI into that VRF and created a static default route for the VRF. I set the VRF for a subnet of the existing LAN using PBR and I created a keychain for the VRF, set up an isakmp profile for that VRF and created the crypto map.
The site to site won't come up, and debugs are showing some weird stuff in the Proxy IDs and indicate that no crypto map exists for the interface.
I wish I could use VTI, but due to the ASA at the remote end, I can't. The configs and debugs are below.
ip vrf VOICE_ROUTER
description **VRF for VPN PBR and QoS for Finance Users**
crypto keyring VPN2MH vrf VOICE_ROUTER
pre-shared-key address 2.2.2.2 key *********
[code]....
View 2 Replies
Jul 17, 2012
UTP cables are crossover cables or straight through??
View 5 Replies
Jul 20, 2011
I'm trying to test fast roaming using a Cisco 2100 Series controller and 2 1140 APs. The initial authentication succeeds fine and the wireless connection works OK using WPA2+CCKM and LEAP with a Cisco ACS RADIUS server. The problem is that the client does not attempt to preauthenticate with the other AP because the RSN Capabilities IE in the AP beacons and probe responses does not set the RSN Preauthentication capable bit. I can't figure out what it takes to get the APs to indicate to clients that they can do preauthentication. I've been crawling through all the documentation I can find, to no avail.
View 1 Replies
Aug 22, 2011
We are about to share a 10 MBit ISP connection with 2 other companies, and they are going to split the bill up into 3, 3 and 4 Mbit, so we were thinking that we could set up a switch before their routers and ours and provide them with a static IP from our ISP. But is it possible to set a bandwidth limit on the ports of a Cisco Catalyst 2960-8TC, so that we can set a limit of 3, 3 and 4 on 3 ports?
View 1 Replies
Dec 3, 2011
I want to PAT my project of WLAN and i attached the document, how I create the Testing Criteria of the said scenarios, PAT document includes WCS 7.0, WLC 5508, MSE 3310, Cisco AP 3502e and ACS 4.2.
View 0 Replies
Jul 12, 2012
I have a Cisco ASA5510 firewall in use in my network but am unable to block unwanted URLs. Can I block the [URL] on the ASA by using a regular expression?
View 3 Replies
Mar 1, 2012
I have 7 POE switches that have ESI IP phones attached. I have two VLANS, 1 and 2. VLAN 2 is used for voice and is defined in each switch. The ESI IP phones connect to my POE switch ports and the pc attaches through the ESI IP phone.
I have had voice quality issue between floors in my building. Talking to others on my floor via the IP phone, there are no voice quality issues. [code]
View 1 Replies
Nov 18, 2012
Is it possible to connect a Cisco AP-1242AG with a non-Cisco wireless router to work as a repeater?
View 1 Replies
May 1, 2012
I am looking at a config on a 5550 FW, and am trying to make sense of the syntax of the following rules. I have been to the Cisco site, but can't find much on the syntax.
View 8 Replies
Mar 10, 2011
I currently use a device called the Access Enforcer which runs OpenBSD. I have 3 stable, working VPN tunnels where the other side's device is a Cisco ASA 5520 or 5540. I was setting up my 4th VPN where the other side used a Cisco ASA 5520 and ran into issues. The Cisco side can bring up the tunnel. Once the tunnel is up each side can talk to the other side. However, when the tunnel is dropped, the OpenBSD side cannot bring up the tunnel. The error received on the OpenBSD device is "isakmpd[29581]: transport_send_messages: giving up on exchange from-XX.X.X.0/24-to-XX.XXX.XXX.240, no response from peer XX.XX.XXX.141:4500". I have been trying to figure this out for weeks now and can't seem to find the cause.
View 3 Replies
Dec 5, 2011
I am trying to configure a 3750G that has been sitting on the shelf for several months and am getting the following error -
% Error: Unable to create flash:/microcode_update
% Error: It must not already exist
Normally, getting an error during POST isn't a good thing. My first thought was that flash was corrupted or flagged RO somehow. I did fsck flash: with no change. I next tried fsck /test flash:. It tested 77 blocks and performed 0 erasures. It had been running for about 15 minutes with no problems reported so far. Multiple reboots of the switch still report the same error.
I have reviewed the history of what I have done on this switch and finally think I found the problem. I noticed a microcode_update directory that I am not used to seeing on a 3750. I deleted the directory using the rmdir command and rebooted the switch. On reboot, I noticed that a front_end/ directory was listed as being created, and fe_type_1 and fe_type_2 were created as well. The switch now boots up without any errors.
View 3 Replies
Jan 3, 2013
I have two Cisco Aironet 1401s connected to a Cisco Catalyst 3560 switch. When users log onto the WiFi the APs authenticate with a FreeRADIUS server that then authenticates with LDAP.
Recently users have been getting kicked off of the network but I'm not sure why. If so, how do I set these APs to roam with my setup? For all I know there could be an issue with the switch; I'm just not sure where to start when it comes to troubleshooting this issue.
View 17 Replies
Dec 29, 2012
Guys, I am using a Cisco 2911 router with three interfaces: Gi0/0 connected through a switch to all my servers, Gi0/2 which will connect to another server, and Gi0/1, my outside interface, connecting through a switch to two ISPs. I have web servers and terminal servers/file servers with the 10.0.0.0 network address connected through my Gi0/0 interface. Now I want to implement a Cisco Advanced firewall for security on my router using CCP. I want the firewall to work such that it allows external users to access the servers on Gi0/0 through ports 0,23,25,20,21,53,110,3389 and to access the SIP server on Gi0/2. My issue is: can I just create two DMZs for both interfaces Gi0/0 and Gi0/2, without creating an inside zone, and Gi0/1 as the outside zone, as my internal traffic is mostly server based and the users connect remotely through the terminal server to access resources using RDP? Secondly, how do I open the relevant ports? I have checked a lot and all I have seen is just the basic process of using the wizard; I have no idea how to go about this issue.
View 19 Replies