Cisco WAN :: 1811 How Will OSPF And VRRP Factor-in To Such A Setup

Sep 29, 2012

I currently have a working metro ethernet connection between our main office and a branch office.  I am tasked with building a redundant route for this site, in case the metro-E line goes down.  We are purchasing two cable internet lines at each site and I plan on buying two Cisco routers to do the VPN tunnel via the new cable Internet connection.  The metro ethernet connection currently has two HP 3500s on each atm. 2 questions:

-How will OSPF and VRRP factor-in to such a setup?

-What Cisco routers are recommended that can utilize this protocol? 
 
The HP 3500s can do either OSPF or VRRP. I have been purchasing and setting up refurbed Cisco 1811 routers for other VPN tunnels and they work great.

View 2 Replies



Cisco Firewall :: Setup SSL VPN With Two-factor Authentication On ASA5510 With Software Version 8.0(4)?

Dec 1, 2009

I am trying to set up SSL VPN with two-factor authentication on an ASA5510 with software version 8.0(4). I want to use LDAP for actual authentication and user mapping, but require a valid certificate signed by a particular local CA to connect.

I have imported the CA's root certificate, signed an identity cert for the ASA box and imported, and assigned the cert ("trustpoint") to the outside interface.

Under the connection profile itself (for DefaultWEBVPNGroup), there is an option to select authentication method as AAA, certificate or both. AAA works as expected, authenticating against LDAP. If I select certificate or both, I get rejected with Certificate Validation Failure regardless of if I have a valid signed cert or not. This is what I see with "debug webvpn 100":
 
webvpn_portal.c:ewaFormServe_webvpn_login[1904]
webvpn_portal.c:http_webvpn_kill_cookie[682]
webvpn_portal.c:ewaFormSubmit_webvpn_login[1964]
ewaFormSubmit_webvpn_login: tgCookie = 0
ewaFormSubmit_webvpn_login: cookie = c98f3940
ewaFormSubmit_webvpn_login: tgCookieSet = 0
ewaFormSubmit_webvpn_login: tgroup = NULL
Tunnel Group: DefaultWEBVPNGroup, Client Cert Auth Failed!
Embedded CA Server not enabled. Logging out the user.
webvpn_portal.c:ewaFormServe_webvpn_login[1904]
webvpn_portal.c:http_webvpn_kill_cookie[682]
 
So, it seems the ASA is only trying to check the cert against a (nonexistent) ASA-based CA. How do I get it to check against an external CA cert?

Under "Remote Access VPN -> Network (client) Access -> AnyConnect Connection Profiles", I have ticked "Allow Access" and "Enable DTLS". There is also an option "Require client certificate" which doesn't seem to do anything - whether or not I check it, I can connect and authenticate to the VPN with or without signed certs as long as the previous setting is "AAA".

Some highlights from the config:

crypto ca trustpoint ASDM_pfirewall01.company.tld
 enrollment terminal
 fqdn pfirewall01.company.tld
 subject-name CN=pfirewall01.company.is,O=Company,C=IS,L=Reykjavik
 keypair company
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 revocation-check crl none
 enrollment terminal
 crl configure
  no enforcenextupdate
  no protocol ldap
  no protocol scep
crypto ca trustpoint ASDM_pfirwall01.company.tld
 revocation-check crl
 enrollment terminal
 no client-types
 crl configure
crypto ca certificate chain ASDM_pfirewall01.company.tld
 certificate 02
    30820598 30820480 a0030201 02020102 300d0609 2a864886 f70d0101 05050030
    <snipped rest of cert>
  quit
crypto ca certificate chain ASDM_TrustPoint0
 certificate ca 00e2a6f08003ded6c9
    3082054e 30820436 a0030201 02020900 e2a6f080 03ded6c9 300d0609 2a864886
    <snipped rest of cert>
  quit
crypto ca certificate chain

[code]....

View 9 Replies View Related

Cisco :: 1811 - SDM - Setup WAN Connection?

Jul 14, 2011

I am a new owner of a Cisco 1811, brand new. So I'm trying to follow this,

[URL]...

But when I get to this,

it won't continue. If I cancel this and don't set up the WAN connection, then log back in after it's rebooted, I can see both LANs * both disabled *. When I enable 0 it won't allow me to click add or do anything else to set up the WAN connection.

View 19 Replies View Related

Cisco WAN :: Setup Nexus (5596 Running NX-OS 5.1(3)N2(1)) To Use IP Ospf Name-lookup Command?

Aug 8, 2012

I was trying to setup a Nexus (5596 running NX-OS 5.1(3)N2(1)) to use the "ip ospf name-lookup" command that I am using on IOS-based routers. Unfortunately this command does not appear to be supported on NX-OS and I cannot find a replacement. Is this another feature that's left out of NX-OS?

View 4 Replies View Related

Cisco WAN :: AGFR01RTR03 / AGFR02RTR03 - Missing Route In OSPF To OSPF Redistribution?

Sep 22, 2011

I have 2 ASBR routers, AGFR01RTR03 and AGFR02RTR03, performing OSPF to OSPF redistribution in both ways for the same ***. They also do summarization for our private addressing scheme. It is all working just fine for that part (neighbors, summarization, redistribution). 
 
AGDC01RTR01 --- AGDC02RTR01 (OSPF 1000 ABRs)
          |                           |
          |                           |
AGFR01RTR03 --- AGFR02RTR03 (OSPF 1000 / 53 ASBRs)
 
Let's focus on AGDC01RTR01 with a specific entry here (IP subnet is fake) :
 
Routing entry for 1.1.1.0/25
  Known via "ospf 1000", distance 110, metric 300, type inter area
  Last update from 10.2.244.76 on GigabitEthernet5/1, 1d03h ago
  Routing Descriptor Blocks:
  * 10.2.244.76, from 10.2.1.249, 1d03h ago, via GigabitEthernet5/1
      Route metric is 300, traffic share count is 1

[code]...

View 15 Replies View Related

Cisco WAN :: VLAN 160 / 162 - Different OSPF Process ID For Interconnect Between 2 OSPF Domain

Mar 14, 2011

Currently the OSPF network consists of 2 segments routed via static route. One is AREA 0 and another AREA 10. Both networks are separate entities, with only a static route to route between the 2 networks. But the static route does not provide dynamism and flexibility, so I plan to run routing between the 2 networks via VLAN160 and VLAN162.

I still want to maintain it as 2 different OSPF routing domains. Can I run OSPF with different OSPF process IDs?

View 8 Replies View Related

Cisco :: VRRP Authentication Failure

Jan 1, 2013

I have the following question. I configured different authentication passwords in Master and slave VRRP setup.

View 2 Replies View Related

Cisco VPN :: Does 2911 Support The VRRP

Jan 30, 2013

Does Cisco 2911 support VRRP? I can't find anything about it in the datasheet.

View 2 Replies View Related

Cisco VPN :: 2800 - Remote Access To VRRP VIP?

Feb 14, 2011

One of our customers had 2 x 2800 series routers that they needed to reconfigure to support new services. The existing public subnet has 2 free IP addresses to use for the routers. Unfortunately, even though the ISP can reconfigure this to create more addresses, the customer cannot have any downtime (there are other routers in this subnet that are live) and therefore I had my hand forced into using VRRP as opposed to HSRP (3 addresses).
 
I used VRRP to share the master address as the VIP, so one address on the master, one on the backup, using the master address as the VIP.
 
This all works fine, outbound and inbound traffic failover as expected and preemption works just fine.
 
My problem is, he asked me to configure a remote access VPN. So I have configured the VPN to connect to the VRRP VIP. When the master is active, the VPN connects, traffic passes, all fine. When the master is switched off the VPN traffic hits the backup, as it has now assumed the VIP, and completes phase 1, xauth works, but phase 2 will not come up and the client displays "not connected".
 
So doing some debugs, the phase 2 policies are accepted, but I get the message
 
*Mar  1 01:36:21.451: IPSEC(validate_transform_proposal): invalid local address x.x.x.164
 
where x.x.x.164 is the VRRP VIP address, the physical address which has the crypto map applied is .165
 
So here lies the problem: the client is connecting to .164, the crypto map is applied to the interface that is configured with .165. Hence the "invalid local address".
 
I have found some documentation online that suggests that VPN redundancy is possible with HSRP, but not on the 2800 series router. I can't use HSRP as I have only 2 addresses, and I can't use that feature as my routers don't support it.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: Two Factor Authentication On ACS 4.x / 5.x

Mar 9, 2011

I would like to know: does Cisco ACS 4.x / 5.x natively support two-factor authentication, but not act as a RADIUS proxy?

View 1 Replies View Related

Cisco VPN :: Two Factor Authentication With ACS 5.1 And Vasco

Jan 2, 2012

How can two-factor authentication be implemented using Cisco ACS 5.1 & Vasco?

View 1 Replies View Related

Cisco :: Vrrp Providing Redundancy On The Trunks From Switch

Apr 18, 2013

R11 is acting as host for testing purposes (pinging the DG's, and the ISP interfaces -> which are the lo0 address on the routers). I also have another question: How would I go about providing redundancy on the trunks from the Switch to the router?

View 2 Replies View Related

Cisco Switching/Routing :: ME-3600X VRRP Configuration?

Nov 22, 2011

I have found the HSRP configuration example in Cisco Metro Ethernet Switch ME-3600x/ME-3800x but am unable to find the VRRP configuration example in the Configuration Guide or in the Command Reference Guide.
 
I am using the IOS version ME-3600: S360XVK9T-12252EY and ME-3400: S340XBT-12253SE
  
command reference guide: [URL]
 
configuration guide: [URL]
  
Kindly confirm whether these switches support VRRP commands or not. If yes, kindly share a configuration example.

View 3 Replies View Related

Cisco :: ASA 5505 Two Factor Authentication With Certificates?

Jun 2, 2011

Has anyone tried to get two factor authentication working with the ASA 5505? I have a CA set up and the enrollment emails are being sent out. But when I go to log in to the enrollment site at [URL], I get a page not found.

I would like to have one factor be a username and password and the second factor being a certificate on the device.

View 4 Replies View Related

Cisco VPN :: Two-factor Authentication Recommendations For ASA 5510

Dec 19, 2012

I'm wondering what people are using and/or recommending for two-factor authentication for VPN users on the Cisco ASA platform?

View 6 Replies View Related

Cisco Routers :: SA520 SSL VPN Two Factor Authentication?

Jul 30, 2012

Two factor setup with Symantec VIP? I just finished setting it up and VIP Service and SA520 seem to be synchronizing correctly, but the device doesn't direct VPN users for second authentication?

View 16 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 TACACS+ And Two Factor Authentication?

May 1, 2013

I want to setup two factor authentication via ACS 5.2 TACACS+ without having to use a token (such as that by RSA).  Is there a way to do it?
 
More info:
 
Users from unconnected AD domains will be connecting to the routers and switches. There is a certificate server available to generate certificates. SSHv2 is the current login protocol.

View 5 Replies View Related

TCP Window Scaling Factor Not Always Set In SYN Request?

Jul 10, 2011

I am facing strange behavior in Windows 7 and Windows Vista. I have a client program on my PC and a server program outside the network. I can see that sometimes TCP window scaling is working and sometimes not. In the first log, after the 3-way handshake is established, I can see data transfer happening, because from the log I can see it is setting the scaling factor.

But for some cases where I see that the connection happened but data transfer is not happening (maybe my network does not work without scaling..), I can see my Windows TCP stack has not set scaling in the SYN request. Hence in the 2nd log I can see "Scale factor not supported", though I enabled scaling in my Windows.

You can see in the 2nd log :: [ Win=8192 ( ) = 8192 ] - not setting the scaling factor sometimes. How to fix this issue so that Windows 7 / Vista always sets scaling in the SYN request?

My TCP Settings :::

Receive-Side Scaling State : enabled
Chimney Offload State : automatic
NetDMA State : enabled

[code].....

View 1 Replies View Related

Cisco Security :: VIP Two Factor Authentication With Either SA520 Or SA540?

May 2, 2012

I was very excited to read about the two factor authentication that Cisco and Verisign offer through the VIP and SA500 series routers.  I purchased an SA540 a month and a half ago.  I have been on the phone with support of both Cisco and Verisign ever since.  It appears no one actually knows how to make the product work.  Finally I was told that they have only tested it on an SA520.  So I bought an SA520; however, it doesn't work either. How to use the Verisign VIP two factor authentication with either an SA520 or SA540?  If so, what is the trick?  If not, how is Cisco advertising this product if it doesn't actually work?

View 3 Replies View Related

Cisco Switching/Routing :: Will Vrrp Object Tracking Work On 1721 Router

Feb 20, 2013

I am using a bunch of Cisco 1721 routers for my T1 lines. We recently purchased Digi cell modems as a backup for the T1. On configuring vrrp to work on both devices I discovered that IOS 12.3(6c) does not support the "vrrp track" feature. After reviewing the Cisco Feature Navigator I could not see an IOS that will support the vrrp object tracking. Is that correct? The routers have T1 WIC's installed. If it does work what is the latest IOS that will work on this end of life product?

View 1 Replies View Related

Cisco Switching/Routing :: 3825 - Use HSRP Or VRRP If Not Two Valid / Unique Wan IPs To Assign Routers

Apr 24, 2008

Our ISP hands us an ethernet link.  ISP router has one address of (for argument sake) 1.1.1.0/30 net, - let's say they have 1.1.1.1 we have the other usable address of 1.1.1.2/30  assigned to our 3825 router.  Is it possible to use hsrp or vrrp if there is not two valid/unique "wan" IPs to assign to our routers?  For example, if we had a pair of 3825 routers?  are we stuck with basically a manual failover or requesting our isp to provide a larger address wan block?

View 2 Replies View Related

Can OSPF V2 And OSPF V3 Run In The Same Time

May 15, 2011

I am running IPv4 with OSPFv2 currently. However, I planed to deploy IPv6 in my network. Is it possible to deploy V6 with OSPFv3 without affecting current network traffic in V4?

View 7 Replies View Related

Cisco Switching/Routing :: 7609 For Switching / Based On LAN (VRRP / HSRP) Feature

Oct 18, 2011

I am facing an issue with 7609 for LAN switching, based on the LAN (VRRP/HSRP) feature. Actually we have ES+ cards (on 7609) and we are using multiple groups (say 350 VRRP groups) running on the router. The routers are connected as router 1 >>> mux (which is working as switches) >>> router2

My questions are:

1. Will there be "multicast packets" (for the VRRP/HSRP group) "from backup router to master router" when in stable state (i.e. when master and backup are already chosen), or should the packet from backup to master be unicast? I know for sure the packets from master to backup are multicast packets, destined to the multicast IP and to the MAC address. I am not sure, but I think from backup to master it should be multicast.
 
2. What is the frequency of these packets (from backup to master)?
 
3. As I have multiple groups on a single interface (we are using q-in-q), when the connectivity between the routers is broken, will all the groups multicast their active role in the LAN segment "at once", or will it be in groups, say 100 groups at once, and after a few ms a few 100s and so on (as in OSPF or RIP)?
 
We are in the middle of troubleshooting; I hope we get the answer. (The actual problem we are seeing in the routers is that we have 2 ports on the active router and 2 ports on the standby router, but we are not seeing multicast on 1 port on the standby router, whereas all other 3 ports are seeing multicast packets.) [code]

View 5 Replies View Related

Cisco :: Dual WAN With A 1811?

Feb 20, 2013

Basically, he has an office he's supporting on a contract basis, they have a cable modem uplink. They move very large (100MB or so) EXCEL files to/from a server "somewhere out there"... The place has 19 users on cable modem (presumably commercial level). They're having "severe latency due to all the users". They're also using VOIP (not sure what product, shouldn't really matter).

This doesn't pass the sniff test to me - I have 70+ users on 4 T1s and don't have the problems they claim to be having. Suspect they should be doing some packet sniffing to see who's camping on Youtube, but this is not an option....

They're adding in a second cable modem line and want to bind both together. I immediately figured they should do QOS, dedicate the mission-critical traffic to 1 line and let it bleed over onto the other and take precedence if necessary. They have a Cisco 1811 router. I haven't messed with those before, but what I am seeing is they are a "fixed-configuration router". Obviously there has to be SOME config changeable - if for nothing other than IP assignment to interface and such. So what does Cisco mean by "fixed-config"? Is this basically a dumbed-down Linksys router?

View 19 Replies View Related

Cisco VPN :: 1811 - VPN Configuration

Jan 8, 2013

I need some help in configuration of Cisco IOS VPN. Basically, we have 2 Cisco 1811 routers in our company:

Router 1 - Production router (IP 192.168.x.254)
Router 2 - VPN router (IP 192.168.x.251)

All machines/servers inside our network have been configured with a default gateway of 192.168.x.254. Hence, all internet traffic will go through the production router.
 
Now,  we want to deploy a new router (i.e. Router 2) which will be solely used for VPN purpose (such as DMVPN, IPsec site to site, VPN client configuration etc). I have configured Router 2 with Cisco VPN client and can connect to this using VPN client application from my home PC. However, once I connect to it, I am not able to ping anything inside this network other than Router 2 IP (192.168.x.251).
 
Is there anything else that I would need to put into the configuration so that I can ping everything inside the network?

View 4 Replies View Related

Cisco WAN :: 1811 - Use Global Ip Inside LAN?

Oct 19, 2011

I have a Cisco 1811 router. I set up port forwarding for my mail server, so from outside I can access the mail server via my mobile, but inside the LAN I cannot, because I use my global IP address in my mobile config.

View 12 Replies View Related

Cisco Routers :: VPN Between SRP 512W And ISR 1811

Feb 28, 2012

I have some problems with making a stable VPN between SRP512W and ISR1811. Configuration:

- IKE policy - 3DES/SHA1 group2(1024bits)
- crypto map on ISR1811
 
One of the main issues I've noted appears when the SRP loses its IP connectivity to the remote router, even if this connectivity interruption lasts for only a couple of seconds. When the IP connectivity is restored the SRP is unable to re-establish the IPSec session. There is a connect/disconnect option in the SRP menu (Status -> VPN Status -> Connect/Disconnect) and automatic VPN disable (VPN -> Site-to-Site VPN -> IKE policy -> Enable Dead Peer Detection), yet I couldn't find any option for, nor automatic mechanism for, VPN reconnection when the IP connectivity is reestablished. This issue leads to interruption of the Site-to-Site VPN service when there are some short outages within the ISP network.
 
Another issue is building GRE tunnels between the same devices. Can you verify my configuration? Believe it or not - I spent more than 4-5 hours and couldn't do it. Should I make some additional settings/configurations?

View 1 Replies View Related

Cisco VPN :: 1811 To ASA 5510 Dual Wan Vpn

Nov 9, 2011

I have two branch offices A & B, both connected by a VPN. I am planning to add another ISP at both locations and have it just for the VPN, i.e. have the second ISP do just VPN and all other traffic go through the older ISP. What are my options? I am not planning to add any extra hardware and also am not planning on achieving any fail-over or load-balancing, because I know the ASA 5510 does not do load-balancing.

View 1 Replies View Related

Cisco WAN :: 1811 - How To Upgrade Router

Aug 16, 2011

I got a new 1811 series router. Its sh version output is "flash:c181x-advipservicesk9-mz.124-11.XW6.bin". I need to upgrade to the latest IOS. How can I find the latest one? How can I upgrade to the latest one?

View 1 Replies View Related

Cisco WAN :: 1811 Configuration Differences

Jan 23, 2012

I am setting up my 2nd 1811 router for NAT and VPN.  The 1st 1811 works great, completed a few months ago.  On this 2nd 1811, I decided to just copy the working startup-config from the good, 1st router to this 2nd, and then change IPs and from there.  I did not do the setup wizard, but just erased the startup-config, reloaded, gave temp IP on local LAN and copied good startup-config from TFTP server.
 
Question: on this 2nd 1811, I show this:
 
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no ip subnet-zero
 
I do not have this on the 1st, and I cannot get rid of it. Is this due to IOS versions?
 
On the 1st I have:
 
Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.4(6)T8, RELEASE SOFTWARE (fc3)
flash:c181x-advipservicesk9-mz.124-6.T8.bin
 
On the 2nd I have:
 
Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.4(4)T1, RELEASE SOFTWARE (fc4)
flash:c181x-advipservicesk9-mz.124-4.T1.bin

View 10 Replies View Related

Cisco VPN :: 1811 - GRE Tunnels Up / Up But Not Pingable

Jul 17, 2012

I am having an issue where the GRE tunnels are up/up but are not pingable. The GRE tunnels are on Cisco 1811 and Cisco 2811 routers. The tunnel source and destination IP addresses are private addresses. These private addresses are pingable to each other and they are connected via IPSEC. The IPSEC tunnels are generated from the ASA to which the Cisco routers connect. Probably the tunnels are up/up because keepalives are not configured. But I am still not able to see why I can't ping the end points. The ACL for IPSEC in the ASA includes the "permit gre host <Private IP 1> host <Private IP 2>" commands.

View 2 Replies View Related

Cisco 1811 Router Hangs - How To Stop It

Feb 27, 2011

I have a Cisco 1811 router which, when powered on, displays the output below and then hangs at that point.

System Bootstrap, Version 12.3(8r)YH8, RELEASE SOFTWARE (fc2)
Technical Support: [URL]
Copyright (c) 2006 by cisco Systems, Inc.
C1800 platform with 393216 Kbytes of main memory with parity disabled

[code]....

View 10 Replies View Related

Cisco WAN :: 1811 Policy Based Routing

Aug 21, 2012

Last night I had a crack at setting up PBR on my company's Cisco 1811. Joy, I thought, it's actually working.  Alas I was wrong, the addresses were getting translated to our ADSL's external IP address but routed over our EFM. What I want to achieve is to send all HTTP(s) traffic from our workstations over the ADSL (FastEthernet1) whilst all other traffic and VPN goes out over our Bonded ADSL (FastEthernet0).  There is also a minor failover in place for traffic routed to the ADSL in the route-map PBR_VLAN1.  The servers are on IPs 200, 202, 204 and 240.
 
Anyway, I have re-written the configuration and xxx'd and x.a/b/c'd all the IP addresses I want to keep secret. I need to make sure that the PBR is correct, and will do what I want it to.  I have a very small time-frame to get this correct and I don't want to fudge the bucket so to speak.

View 8 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved