Am applying a policy map to gig0/0interface vlan xIf i apply to either one only it is ok but if i apply it to the other interface it says ''configuration fail''.Am not also given the option to apply it to a particular interface as the one below
service-policy QoS_policy interface inside
Routers 1921
2801
Customer has three 881 routers. FE0 connects to their WAN, FE4 connects to their LANs. Two VLANs are configured on FE4. Class-maps and Policy-map created to detect voice traffic:
class-map match-any VoIP-RTP-Trust
match ip dscp ef
class-map match-any VoIP-Control-Trust
[Code]....
I have a Cisco 2801 with two DSL cards that are both routing to the internet, with NAT to the private LAN interface. I am using IP SLA and route maps to accomplish this load balancing. I have rsolved most of the issues that come with this setup, but I still have a major issue: I cannot SSH into both of the WAN addresses, only one. I have included whqat I think is the most relevant config info.
#sh run
! ........some info omitted........!
!
[Code].....
I run 2801 with 124-24.T3 and I have following problem: router is connected to internet over pppoe and ISP once per day breaks this link. so I get:
Jun 7 19:31:56.639 MSK: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
Jun 7 19:31:56.663 MSK: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
and I also have tunnel interface which endpoint is accessible over internet.
so I get:
Jun 7 19:31:56.679 MSK: %ADJ-5-PARENT: Midchain parent maintenance for IP midchain out of Tunnel1 68844500 - looped chain attempting to stack
Jun 7 19:31:57.635 MSK: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down
Jun 7 19:31:59.199 MSK: %TUN-5-RECURDOWN: Tunnel1 temporarily disabled due to recursive routing
this is not a problem, problem is that router when interface goes down removes service-policy output from it, so I receive such message every day from runcid:
ip ospf cost 1
ip ospf mtu-ignore
tunnel source Loopback1
tunnel destination 192.168.200.199
- service-policy output tunnel_mpr_gre
and have to restore policy manually.
I have a 1921 with 3 interfaces. One for the LAN and the other 2 are wan each with a public address. The 2 wan interfaces are used for redundancy. I would like to know how I can static nat the same port and inside address on both wan interfaces.So if the request comes in on one or the other it works. I know if I do a static nat to one of the wan interfaces and then add the same port and inside address to the other wan interface it replaces the previous configure.
View 5 Replies View RelatedThe tunnel connection is establishing correctly but when i change the priority in he hsrp configuration of my gig 0.1 interface to be the active on this router the cellular 0/0/0 interface goes down, by the way this is going to be my redundancy.
Code...
I am trying to figure out exactly what I need to buy to to connect to an ISP's fiber switch. We need to install a router between the fiber switch and our own core switch to be able to access the IP's allocated to the property. We installed a 1700 with the below config, but we want to purchase a brand new router and we were looking towards possibly the 1921 if the budget allows. Our distributor is telling us that we need to purchase an Ethernet WIC also, but if the router already has 2 ethernet interfaces, why do we need to purchase more hardware? I am a little out of the loop with routers at the moment, so I am not sure if they correct or not, just looking to see if this is the case and if so, why?
interface Ethernet0/0
ip address x.x.x.x 255.255.255.248
full-duplex
!
interface FastEthernet0/0
ip address y.y.y.y 255.255.255.252
speed 100
full-duplex(code)
I have a client with a 3750x stack. We've upgraded it to IP Services. We have a simple PBR setup. One access-list to forward traffic from a specific LAN ip to another gateway on the network.
I go to vlan1 (default vlan) to apply the PBR and the command takes with no errors, but do a "show run" and it doesn't show up under the interface.
I go to vlan1 and apply a PBR that doesn't exist and the command takes with no errors, and is listed under the interface in the config
I can apply the PBR globally and appears to work, but we can't have it there based on other issues it creates.
config: (all tracks are up)
C3750_stack#show sdm prefer
The current template is "desktop routing" template.
[Code]....
i just configured a C6K VSS with Sup2T, 15.1SY IOS software and a WS6724-SFP module with the follwing cos config:
auto qos default
table-map cos-discard-class-map
map from 0 to 0
map from 1 to 8
map from 2 to 16
[code]....
After applying the service policy to one interfac of the WS6724-SFP module the policy is deployed to all interfaces of the module. So far it should be ok but after a short time all interface of the module begin to go down an up and down and up ... flapping.
We want to puchase new Cisco ISR 1921/K9 . i want to know does it support the following sample IP-SLA commands
ip sla 2icmp-echo 172.16.1.2timeout 500frequency 1ip sla schedule 2 life forever start-time now
track 10 rtr 1 reachability
delay down 1 up 1
!
track 20 rtr 2 reachability
delay down 1 up 1
ip route 0.0.0.0 0.0.0.0 192.168.1.2 track 10ip route 0.0.0.0 0.0.0.0 172.16.1.2 track 20
Im asking above question because we will need to enable ip-sla on the mentioned router. as i read on the cisco webside, it says Cisco-ISR-1921/K9-IP Base support only IP-SLA RESPONDER feature nothing else. If Cisco-921/K9 does not support the above commands , should i go for ordering Cisco-1921-SEC/K9 ?
c1900-universalk9-mz.150-1.M4.3
-------------------------------------------------
Device# PID SN
-------------------------------------------------
*0 CISCO1941/K9 FCZ1510C50V
Technology Package License Information for Module:'c1900'
----------------------------------------------------------------
Technology Technology-package Technology-package
Current Type Next reboot
[code].....
In regards to QoS profiles on the WLC. I have applied a profile to a newly created WLAN and set the Per User Bandwidth to 512k and it seems to be kicking in on the ingress only, this is supposed to work ingress AND egress or is it just designed to work one way? I have a 4402-25 with Cisco 3500 AP's and am running the 7.0.98 code. If it is designed to work one way only is there a different way to apply it ingress and egress simultaneously off the WLC?
View 3 Replies View RelatedIs there a way to view changes made in ASDM before hitting apply button?
View 2 Replies View RelatedWe have two L3 3560's. One 3560 has an upstream MPLS router. The other 3560 has an upstream backup VPN router. Both of these 3560's are L3 switches with IP routing enabled. I created a PBR on both so that specific traffic routes through the MPLS router, while other traffic routes over the backup VPN router. I'm trying to apply the PBR to the SVI's, on each switch. However, when I do a "sh run", the PBR does not appear under either SVI. I've enabled the SDM Routing template, made sure that ip routing was enabled, and even verified that the IOS has the capability. Not sure what else to check for.
View 8 Replies View RelatedI have an issue with applying a patch to an ACS 1121 appliance running version 5.2.0.26. I have 5 units that needed updating and the first one is the unit with the problem. The subsequent ones updated with no issues.
When I do a show version the 5.2.0.26.10 does not show. When I try to do a reinstall I get back patch all ready exists. When I try to do an uninstall I get back patch does not exist.
Is there a command can wipe out patch 10, so I can start over? The CLI factory-reset only wipes the web configuration not the running-config or IOS.
I'm trying to apply the following policy route in my switch 4948, but it suddenly crash. Is anything wrong in my commands? The switch is rebooting with an error:
System returned to ROM by abort at PC 0x0
My commands are:
access-lists 7 permit 10.140.22.0 0.0.0.255
access-list 177 permit ip 10.140.22.0 0.0.0.255 100.220.24.0 0.0.0.255
access-list 177 permit ip 10.140.22.0 0.0.0.255 100.216.36.0 0.0.0.255
access-list 177 permit ip 10.140.22.0 0.0.0.255 100.216.38.0 0.0.0.255
[Code]......
1841 - IPBASE 12.4.7d
We provide internet access for a number of clients sitting on our WAN, at present they have un-restricted access to the full bandwidth of our 1Gb internet pipe. As they are only paying for a proportion of that we want to set a Mbps limit on the clients, and idealy the device should be transparent between our router and the clients.
I have been trying to set up rate limits on a bridge on our 1841.
#
bridge 1 protocol ieee
bridge 1 route ip
bridge 1 bridge ip
[Code].....
I have tried many combinations but can't get this to limit the traffic, the client still draws as much as they can.
Does rate limit work on bridged interfaces? or am I going to have to try it routed instead?
I will be supporting a new ASA 5585X running 8.4 and I was wondering if it's possible to apply an ACL globally instead of it as an access group that is applied to a specific interface as in or out ... below are the interfaces and ACl.
View 2 Replies View RelatedI am managing a firewall over remotely in my LAN itself. I started a continous ping to the Firewall IP and the response is less than 1 ms.
While applying some access control list to the firewall via putty ...Suddenly the latency is going hing and it is hitting xxxx ms. And also the acl are getting pasted on the screen by word by word. Sometimes i used to get some RTO for the Firewall IP Address inth eping response.
find the Firewall Version:
Cisco ASA 5510
Version : 7.2
Having more than 600 ACL's.
i have 7206VXR with trunk interface toward customers, now i'm trying to configure CBWFQ on one of the sub-interfaces for specific customer,while trying to apply parent policy which includes child policy i'm getting the following message:Must remove traffic-shape configuration first.
here is the configured policy:
ip access-list extended ACL_TEST_SRV
permit ip any host 192.168.10.1
permit ip host 192.168.10.1 any
!
class-map CM_TEST_SRV
match access-group name ACL_TEST_SRV
[code]....
I have tried to apply system image(present on local system )to a remote system using file sharing with imagex.exe , but it dint work.
View 2 Replies View RelatedHow do I apply the connection parameter map in a configuration like this to the service policy int827? Do I need to define the traffic? Can I specify only one source destination flow to apply the set tcp half-closed TCP normalization against?
policy-map type loadbalance first-match wss-1100-l7slb
class class-default
sticky-serverfarm sticky-srcip-1100
policy-map type loadbalance first-match wss-1101-l7slb
class class-default
sticky-serverfarm sticky-srcip-1101
[code].....
This isn't a big deal as the rest of the ACL works fine, but this is an annoynace since the web auth redirects to our company website (internal for now) after successful login.We have a Cisco WLC that provides access to our production and guest wireless environments. The guest environment of course is in a separate vlan (10.10.50.0/24). So I created this ACL:
access-list 107 permit udp any host 10.10.2.13 eq bootpc <----internal DHCP server
access-list 107 permit udp any host 10.10.2.13 eq bootps
access-list 107 deny ip any 10.10.0.0 0.0.255.255 <---all internal networks
access-list 107 deny ip any 172.28.16.0 0.0.0.255 <----DR Network
access-list 107 permit ip any any
int vlan 50
Desc "Guest wireless network"
ip access-group 107 in
This ACL basically gives the wireless guests access to an internal DHCP server and full access to the internet. For the 10.10.50.0/24 scope, the DHCP server assigns Internet DNS servers and my rationale is that wireless clients would access it via the external IP address but I suppose it doesn't work quite like that with the website being behind the same router as the client machines.
We apply a new anyconnect mobile license to our primary asa 5520 and the failover feature went into an off state. WE have now applied a second purchased anyconnect mobile to our secondary asa but the failover is still inactive/off.
bcoh1fw50# sh failover state
State Last Failure Reason Date/Time
This host - Primary
Disabled Ifc Failure 14:43:21 EST Jan 30 2013
[Code].....
Verizon recently sent an e-mail to a friend of mine suggesting that she modify the server settings in her Windows Mail (her OS is Vista -- ugh!) to use SSL. It's an easy change (have to change the POP3 port to 995 and the SMTP port to 465, and choose SSL/TLS for encryption).I know nothing about encryption protocols and what advantages they provide over unencrypted e-mail. For example, earlier this week, she received a hacker e-mail (the infamous "shipping confirmation" that appears to come from Amazon.com, but all the links open "redpouch.com", which immediately tries to upload malware to your computer). She (and I) have no idea how the hacker got her e-mail address -- or those of a dozen other addressees all of whom have the domain "verizon.net".It would appear the hacker got into Verizon's server and stole the addresses. Would using SSL make that impossible to do? If not, what extra security does it provide?
View 5 Replies View RelatedI have Cisco ASA5510 OS version 8.4(1), when i try to apply static command, this command is not found, the NAT issues used nat(inside,outside).
So why i can't found this command ?
I have been trying to figure out a NAT issue on my 2811 and the inspect engine.I have 'ip inspect FW out' on my outside interface. If I turn it off, I also have to remove the access-list applying to inbound traffic on that same interface. Why is that? This whole thing centered around SIP registrations from devices on my LAN to my provider. The provieder is showing that I am registering from a high end port (1024 or something crazy). He said that it sounds like some type of SIP ALG or something on my router. For the life of me, I can't figure out what would be causing it. I am just using a standard route-map that points to the outside interface using 'overload'.
View 6 Replies View RelatedI'm using ASDM 6.2 with a FWSM on a 6500.
At the moment everytime I want to make a change to firewall rules I click apply and the rules are applied Immediately. I have to make multiple changes during the working day which I don't like to do.
What I would like to do is make changes during the day but not apply them until out of hours (some sort of batch mode). Like I can do in my check point firewalls.
I have a situation where two of my CGS-2520-16S-8PC switches are not applying POE power to the copper ports, but showing power inline, two ports are showing power applied. Shutting down the port and re-enabling it will return the port to normal and the phone will connect.
I'm running cgs2520-lanbasek9-mz.122-58.EY2 after using 122-58-se1. Happening on both, but i have more switches running EY2 with no issues at the moment. Using DC power supply averaging around 53v.
Having issues with HTTPS sites being very slow after applying KB2585542? Once you remove this Microsoft patch everything returns to normal. It appears that the CSS does not handle the split-ssl requests properly. I have opened a TAC case but am not really getting anywhere as we seem to be the only company that is having this issue.
View 2 Replies View RelatedAbout to apply a patch for the first time on the ACS 5.3 tonight. Ihave tftp'd it onto a directory i have created on the server. However my support hints i may havre to rename the file ? copy the latest patch file you got from Cisco – you may need to rename as gpg) Current filename is 5-3-0-40-7.tar.tar
So would i need to rename this as 5-3-0-40-7.tar.gpz . If so i will rename it on my pc and redownload it on tftp
I have applied for a dynamic dns service, but need applying in linksys E1000 settings
View 3 Replies View RelatedQuick question here. Using 3750E series switches with multiple VLANS configured. These switches serve as our 'core'. I have SVIs configured for the different VLANs and add inbound ACLs in each of the SVIs to control traffic between VLANS. This switch also terminates a P2P Ethernet link which connects to our Colo facility. The port used for this is configured as an L3 port. I noticed today that I was able to send traffic across this L3 link that I thought should have been blocked by an ACL I had in place but it wasn't. So the traffic flowed from a port in say VLAN 20 across this L3 link (assigned with an IP address). Would this traffic flow not cause traffic to be checked against an ACL applied in the inbound direction on the SVI of VLAN 20 (int vlan 20)? Traffic does get checked when routing between SVIs. Why would it not get checked when routing between SVI and L3 interface?
View 2 Replies View Related