Cisco WAN :: 2900 - LAN Side Redundancy?

Nov 14, 2011

We will be getting a circuit from the same ISP at two of our sites and will be doing eBGP.  Couple of notes. 1. We are fully aware of the risks associated with depending on a single ISP and have mitigated them as much as possible with the ISP. 2. We will be getting assistance on the eBGP setup from the ISP, so I’m not as concerned with that config at this point.
 
Site Summary
 
Site A:
Cisco 2900 Series (RtrA) connected to single Ethernet based ISP circuit (ISP-1-A)
eBGP will run between RtrA and ISP-1-A, default routes from provider only
Layer 2 Switch (SwA) connected to LAN of RtrA and uplinks to SwB

Site B:
Cisco 2900 Series (RtrB) connected to single Ethernet based ISP circuit (ISP-1-B)
eBGP will run between RtrB and ISP-1-B, default routes from provider only
Layer 2 Switch (SwB) connected to LAN of RtrB and uplinks to SwA
 
I need advice on the LAN side redundancy. Our goal is redundancy; load balancing is not a concern (if load balancing ever becomes a concern I will look at GLBP). We have several devices on the LAN side of the routers that can only use a single gateway. Given that, I've surmised I need to use HSRP in some way for LAN gateway redundancy.

1. HSRP with Object Tracking, No IGP
HSRP handles LAN gateway failover if a router dies. Object tracking ensures LAN gateway failover if an interface fails or if an interface is up, but there is an upstream traffic issue, i.e. track the physical WAN interface and use an IP SLA ICMP probe to track a specific upstream IP in case of an upstream traffic issue.

2. HSRP with OSPF
HSRP handles LAN gateway failover if a router dies. OSPF redistributes eBGP default routes to RtrA and RtrB so that each router should have a route to the ISP even if they lose their local ISP circuit, i.e. if ISP-1-A on Router A goes down, Router A knows to send traffic out ISP-1-B via RtrB. In other words, traffic enters RtrA LAN, but exits on RtrB WAN.

3. HSRP with iBGP
HSRP handles LAN gateway failover if a router dies. I have no experience with BGP, but I am assuming this would work similarly to the OSPF solution above except for the required iBGP config and possible route reflectors?

View 2 Replies



Cisco VPN :: 3745 DMVPN Design Using ISP Dial-up Redundancy At Spoke Side

Apr 14, 2013

I'm working on a new DMVPN configuration with one 3745 at the hub site and a 1941 at the spoke. I have internet through GSM for the primary line at the spoke and a DSL line for backup on the spoke. I have one tunnel interface on both the hub and the spoke. Currently my VPN tunnel is coming up fine; however, we are planning to do an ISP failover at the spoke side. Since in the tunnel interface I can only define one "tunnel source interface", which is the GSM cellular interface, I don't know how to use my other ISP for the same tunnel interface, as it will always initiate traffic from GSM.

Do I have to create another tunnel interface with the same hub site, or do I need another hub as backup? Is there any other way to create a loopback interface and initiate the traffic from that loopback?

View 1 Replies View Related

Cisco VPN :: ASA 5520 - Communicate To EzVPN Client Side Internal IP From Server Side

Mar 13, 2013

I configured a Cisco ASA 5520 as Cisco EzVPN server and a Cisco 891 as EzVPN client. The configuration is working fine. I am using client mode on the EzVPN client side. But my question is, is it possible to communicate to the EzVPN client side internal IP from the EzVPN server side? And one more thing: what is the benefit of network extension mode on the client side, how will it work, and what changes need to be made on the server and the client side?

View 4 Replies View Related

Cisco Firewall :: ASA And UC540 Side-by-side Traffic?

Mar 17, 2013

I'm trying to set up an ASA and a UC540 side by side, to utilize the ASA for data networking and the UC540 for voice. This 'should' work fine, I just seem to be having an issue where the ASA seems to be blocking traffic from the voice network as it passes through.

So here is the LAN setup:
ASA: 1.1.1.1
UC540: 1.1.1.2
The UC has a voice vlan 10.1.1.1/24 and a service module at 10.1.10.1/30
My PC uses the ASA as its default gateway, 1.1.1.1
The ASA then has static routes to the UC networks:
Route 10.1.1.1/24 1.1.1.2
Route 10.1.10.1/30 1.1.1.2

Ping from PC to the UC networks works fine. However, ping from the UC networks to PC fails. ASA logs show traffic being denied due to not having an established connection or something.

My guess is that the traffic is being blocked because the egress and ingress paths are different? Traffic from the PC goes to the ASA, then gets routed to the UC and it works. However in the other direction, traffic from the UC is going directly to the PC and bypassing the ASA, because it's a directly connected network and doesn't have to route through the ASA to get to the PC. The reply traffic from the PC DOES go through the ASA following its route table, thus the issue of the ASA not seeing the established connection?

Same-security inter and intra interface is enabled.

So I think I see the issue, I just don't know how to fix it. Is there something I can configure on the ASA to allow for this? My only other option would be to configure a /30 on a new vlan to handle the routing between the UC and ASA or something, but that seems like it's going to make this simple setup way too complicated with extra networks, vlans, trunks, etc.

I am running ASA version 8.4.5?

View 1 Replies View Related

Linksys Wireless Router :: E1500 LAN-side Works / WAN-side Just Goes Away

Jan 30, 2013

My E1500 enters a state where the LAN-side (broadcast, etc.) works, but the WAN-side (internet connection) just goes away. If I go unplug and replug the E1500 the internet connectivity comes back. When this happens, the wireless indicator on my desktop (Dell with Intel wifi) says I have an internet connection, but I clearly don't.

View 2 Replies View Related

Cisco VPN :: ISRG2 2900 - How To Count Number Of Cumulative VPNs On 2900

Aug 25, 2011

If there is a router ISRG2 2900 with SEC license and without HSEC license, there is a limit in count of cumulative encrypted VPN tunnels of 225. Which commands can show us a number of current tunnels on the router, so we can see if we are near this limit of 225?

View 4 Replies View Related

Cisco VPN :: 172.16.x.x / 16 / Setup VPN But Both Side Use Same IP Range?

Sep 26, 2011

We need to set up a VPN to another company, but we both use 172.16.x.x/16. Would I need to get both sides to set up a VPN using 2 different subnet ranges and then get us to NAT it to our own range? I was thinking of making our side 10.7.x.x/16 and their side 10.6.x.x/16.

View 1 Replies View Related

RB750 Change LAN Side IP

Jul 1, 2012

I finally went out and bought a RB750 to play around with... After just messing around enough to figure out how to do something as simple as change the LAN side IP (like.... a million steps), I'm now wanting to try setting up a VPN server, wanting to start out simple and do a few normal things, and am finding it really difficult to even find documentation on how to do stuff.

View 4 Replies View Related

Cisco :: Packet Loss In Side Interface?

Oct 27, 2011

I had all kinds of packet loss and I was of course suspecting my ISP. But then I tested pinging my internal interface and found that it has packet loss as well. I have about 10% packet loss to my interface with 192.168.0.254, and I have the same thing from several different inside hosts. My inside rule is the implicit one: any, any, service IP. In the log I can see a teardown and build of the ICMP connection whenever the packet loss occurs. There is no packet loss pinging the outside interface from the internet.

View 3 Replies View Related

Cisco :: Clear ARP Cache From Server Side?

Dec 21, 2011

clear ARP cache from server side?

View 12 Replies View Related

Cisco :: After Tunnel Is Established Can't Ping Anything On Other Side

Jan 20, 2013

I successfully established site to site with two ASA 5010. The problem is that traffic is not passing. This is the current setup:
1) Left side: only 1 private network
3) Right side: 1 private network, management network, 2 DMZ networks with public IP
On the right ASA some netting is set up so servers in the DMZ can be reached from the private network. The goal would be that a VPN client on the left side can reach all resources on the right side (except the management network). Just to get things going, the tunnel is built with only the left and right private networks, but after the tunnel is established I can't ping anything on the other side.

View 4 Replies View Related

Cisco VPN :: Adding Users On 881-K9 Router Side?

Apr 7, 2013

A client of ours has an 881-K9 router that they have configured a VPN on, this was setup and configured prior to my joining the company.  This client now needs to add more usernames to the VPN on the router side, and I've both searched here, and googled for how to add users to the VPN on the router, the only thing that comes up is adding clients (from the client end PC), and nothing to show how to create the users on the CLI from ssh on the router itself. 

View 1 Replies View Related

Cisco VPN :: ASA 5520 - Tunnel Up But Can't Access LAN For Each Side

Nov 1, 2012

I have configured site to site VPN between ASA 5520s.

Site A (192.168.56.0/24)------ASA5520------Internet--------- ASA5520-------Site B ( 192.168.255.0/24)
 
VPN tunnel is up but I can't access the LAN on each side. Config Site A:

hostname CCASA
name 192.168.255.0 CCNetwork
dns-guard
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 41.41.38.156 255.255.255.248
[code]...

View 5 Replies View Related

Using Default Gateway On A Vpn Remote Side?

Oct 17, 2011

As shown in the diagram below, I have a central office and two branch offices. These offices are connected by a private routing service that has no connection to the Internet. The telecommunications operator in each office installs a router with a LAN and a WAN IP, and the configuration of these devices cannot be changed except the LAN IP. Only the central office network, which is 192.168.0.0, has a router that has internet access. Remote offices have no access to the internet; what is needed is that remote offices can access the internet using ADSL router 192.168.0.254 at the central office. There are small devices in each remote office that must connect to the internet and do not support any configuration except IP, mask and gateway; for example, you cannot add a static route. Currently the PCs at remote offices have IP communication with the server from the central office using a static route.

Would the solution be to put some VPN routers between each LAN and the operator's routers (where RT yellow star appears in the diagram) and put the hosts of the two branch offices in the same IP range as the central office network?

View 3 Replies View Related

Move Icon From Left Side To Right?

Sep 18, 2011

Move icon from left to right

View 1 Replies View Related

Adding A WAP Along Side A Wireless Router?

Dec 28, 2012

She has Comcast Xfinity with the SMCD3GNV router, which if you ever look it up has the worst wireless signal imaginable, and I can second that. I was hoping to not have to touch the SMCD3GNV router and just add on to it by attaching a secondary router as a WAP.

What I plan to do (which I am sure has been exacerbated in forums, but I just want clarity) was to disable DHCP on the new N router (cheaper than an official WAP) and set its IP out of the SMCD3GNV router DHCP IP range but in the same subnet mask, so probably 192.168.1.2. Then connect the SMCD3GNV router to the new router via ethernet and don't use the WAN port. Is this basically all I have to do? Do I need to change the channels on either device since they're next to each other? Or will them being next to each other and on the same channel cause interference? I have read I can call Comcast and turn the SMCD3GNV into a bridge (plain modem), but I would rather avoid calling them and see if 2 wireless access points next to each other is okay.

Also, I plan on doing this by going to microcenter.com and getting a router for 24.99 or less with a coupon I have. Is there any on their website that you would recommend for this setup? Also, if you could check the WAPs on their website and see if you think it's worth it to get one of those instead if under that price as well. I want to utilize wireless N signal. Also, the Xfinity service she has is rated for 50mbps download and I cannot remember the upload; I have tested this wired and it does actually achieve this or greater.

View 5 Replies View Related

Cisco :: Show The Clock Rate Received On The DTE Side?

Jan 1, 2013

What command will show the clock rate as received on the DTE side of a back-to-back configuration? The show controllers command shows the configured clock rate on the DCE side. But how about viewing the received clock rate on the DTE side?

View 4 Replies View Related

Cisco WAN :: 1800 Cannot Connect Or Ping Hosts On Other Side

Jul 13, 2011

I have recently bought two 1800 cisco routers and have tried to connect them over wan serial link, but I am having problems when trying to access resources on the other side. I am a newbie to cisco and I wonder if the problem is with the configuration or the new routers or the serial link between the sites. Below is the show-running config results I have done on both routers; I can ping the serial interfaces from both sides and remotely, but I can't ping hosts or FE from other side.

View 8 Replies View Related

Cisco :: PEAP And ACS5 Server Side Certificate

Feb 9, 2013

I'm in the process of setting up PEAP with ACS 5. From my understanding, the certificate that I generate is a server side certificate used between ACS and the CA authority. However, according to the Cisco document that I'm using, it sounds like I still have to install a certificate on the wireless clients that validates the server certificate. Is there a process to push this cert out via AD or do I need to manually install it, and if I wanted, can I get away without checking the "validate the server certificate" option on the wireless client?

View 4 Replies View Related

Cisco Routers :: Get The OpenDNS Servers On The WAN Side Of The RV220?

Aug 23, 2012

Recently I have switched from DSL to Comcast Cable. In the PPPoE settings you can disable DNS from ISP. However, now since I have to use DHCP I cannot disable the DNS from ISP. If I change the DNS on the LAN or change the DNS in my adapter properties (on the local machine) this makes my Brother printer lose connectivity. How can I get the OpenDNS servers on the WAN side of the RV220? I do not have a static IP address from Comcast either....

View 5 Replies View Related

Cisco Routers :: VPN - SRP527W / 857 Established But No Tx Traffic On SRP Side

Aug 2, 2011

I now have the SAs established between the SRP527W and the Cisco 857, but if I ping from a host on the Cisco side to a host on the SRP side I get only rx traffic on the tunnel; the stats keep tx at 0 and the ping is not answered. My tunnel is to send some voice calls into the IPSEC tunnel keeping DSCP bits. It communicates the SRP voice vlan with the Cisco LAN.

I have on SRP 2 vlans:
1 Vlan for data  on ports 1,2 and 4
1 voice vlan on ports 1,2,3,4.
 
I connect a netbook to port 3 and I can connect to the internet but I can't reach by ping the other side of the tunnel. Maybe traffic from the voice vlan is being natted with the data vlan IP address? I need all traffic to go into the tunnel without being natted. On the Cisco side I have a policy to avoid NAT, but I don't know if the SRP has any problem with it too. All gateways are OK?

View 2 Replies View Related

Cisco VPN :: 3845 Pick Up IPSec With Remote Side

Feb 23, 2012

We want to use cisco 3845 and pick up IPSec, with remote side. But I am afraid that cisco 3845 can't handle 155 Mbits over IPsec. We will buy AIM- VPN/ SSL3 card. Is this sufficient?

View 3 Replies View Related

Cisco AAA/Identity/Nac :: ACS V4.2 Changed AD Password Now Can't Get Into Enable Side

Dec 29, 2011

Changed my AD password and now I cannot get into the enable side of the Cisco switches on our network (we have no routers). Looking at the logs for the ACS v4.2 I can see the following -
 
On TACACS+ Accounting you can see the connections which have worked - it the initial tty connections -
 
When I look in the failed attempts I see the following: Auth failed - External DB user invalid or bad password, or on another occasion internal error, or EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake.

View 1 Replies View Related

Linksys Wireless Router :: Set WAN Side DNS On E2000?

Jan 27, 2012

I would like to set the router's DNS entries but I don't see how to do that. The Basic Setup page has DNS setup for the DHCP scope but I don't want to push DNS to my PCs. What I am looking to do is to use an alternate DNS to what my service provider pushes and still have the ability to route on my internal network.

View 1 Replies View Related

D-Link DIR-655 :: Function Of Square Button On The Side

Jan 9, 2011

The DIR-655 has a square button on the side of it. It looks like a refresh button. I don't know what it does, but I have pressed that button before, thinking it does something good. Nothing bad has happened after I pressed it, but I have no clue about what it does.

View 5 Replies View Related

Cisco Application Networking :: CSS11503 To ACE4710 And Server Side NAT

Dec 16, 2012

We have a CSS11503 that is currently being used to accept incoming HTTPS and SSH connections on a specific VIP and then PAT those client connections.  I understand that it also PATs the server initiated connections. [code]

View 1 Replies View Related

Cisco VPN :: ASA5505 - Can't Make Tunnel Connection From LAN Home Side

Oct 6, 2011

I have an ASA 5505 with Base license and a VPN client. The scenario is like this: LAN -- ASA 5505 -- ISP DSL Router---( Internet ) -- Home DSL Router --- LAN -- VPN Client. The ISP DSL Router gets a public IP address and the ASA gets a private IP address (ISP DSL router doing NAT), and I can't reach the internet with no problem from the LAN's ASA side, but I can't make the VPN tunnel connection from the LAN's Home side. So I told the provider to bridge the ISP DSL Router to the ASA so the ASA could get the public IP, but in order to do that the provider told me to do MAC cloning on the ASA 5505, which I did, putting the ISP DSL Router MAC on the ASA. Now the ASA gets the public IP on the outside vlan by DHCP, but when I try to make the VPN tunnel I just can't. I can reach the public IP by ping on the ASA and I can see the pings coming in using debug, but I just can't make the VPN client work.

View 2 Replies View Related

Cisco VPN :: Possible To Configure Easy VPN On Branch Side Which Has 877 Series Router

Jul 11, 2011

Is it possible to configure Easy VPN on the branch side, which has an 877 series router and an ADSL connection for internet, in such a way that for internet traffic it will use the local ADSL line and for the server in HQ it uses the tunnel? Or will internet traffic also go through the tunnel and use the internet link at the HQ?

View 3 Replies View Related

Cisco Routers :: Allow PING On RV042 From WAN Side Only From Specific IP Address?

Nov 27, 2012

I would like to allow PING on RV042 from WAN side only from specific IP address, but when I set the rule, RV042 does not respond on WAN side, because Block WAN Request is Enabled. BUT! When I disable "Block WAN Requests", now any IP can ping my router from WAN side. Although I set access rule to Deny Ping from WAN side to anyone, it still responds.

View 1 Replies View Related

Cisco Wireless :: WRVS4400N - Get IPv6 Prefix From WAN Side Of Router?

Oct 9, 2012

Since this router already set up for IPv6 and Dual-Stack traffic, would it be possible to give it the ability to get its IPv6 prefix from the WAN side of the router.
 
Example:
 
I have Comcast, and as long as my modem and router support IPv6, with the router also supporting DHCPv6-PD to get the /64 prefix from comcast.
 
I now have an RV180W so this is not an issue for me, but my father is inheriting the WRVS4400N from me and he is also on Comcast.

View 2 Replies View Related

Cisco VPN :: 5520 / 5505 - VPN Tunnel Ping Branch Side But Not Other Way Around

Nov 2, 2012

I have HQ side with ASA 5520 (8.4) & Branch Side with ASA 5505 Design

VPN LAN<------->ASA5520(8.4)----->Thomson Business TG628s----->Internet<--->ADSL Modem------>ASA5505(8.2)
 
Now on both modems UDP 500 & TCP/UDP 4500 ports are enabled. I can ping from the internal LAN of HQ to the internal LAN of the branch, but I can't ping from the internal LAN of the branch to the internal LAN of HQ.

HQ ASA 5520 Side
ASA Version 8.4(3)
hostname aljoaib-fw01
[ code].... 
Branch side ASA 5505
ASA Version 8.2(5)
hostname GTC-DMM-FIREWALL
domain-name ALJOAIB.COM
enable password 7pgp93AEPfHtDc5N encrypted
[Code]....
 
Both sides have static ip address.

View 22 Replies View Related

Cisco WAN :: PBR On 2900 Series For Ip Through Put

Feb 11, 2011

I am looking for a Cisco document that gives me the IP through-put on 2901, 2911 and 2921 routers with Policy based routing applied.
IOS version 15.1.3T
Other processes: EIGRP Stub, VLAN routing, SRST, MGCP gateway (analog and PRI).

View 1 Replies View Related

Cisco WAN :: 2900 Nothing Appear For ACL Debug

Mar 22, 2012

I have 3 access-lists configured IN | Out on my Border router (MARTIAN). I have to look at which one blocks some of the traffic passing through; for that matter I have enabled the below commands on my ISR 2900, with no output.

View 3 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved