The Cisco 3560 uses a relatively simple classification scheme, assuming you consider only what happens when the forwarding decision has been made. These switches make most internal QoS decisions based on an internal DSCP setting. The internal DSCP is determined when the frame is forwarded. What internal DSCP setting means?
View 5 Repliesthere is something I find strange on C6500 about QoS: C6500 derive an internal DSCP value for it's internal use, but when configuring the qos mapping on output interfaces, only a cos value (I guess, an internal cos value) can be used. Is it a misunderstanding from me, or is it really illogic?
View 2 Replies View RelatedI've been working on a 3560 that doesn't seem to map dscp values to a new value: mls qos map dscp-mutation ToR1 22 24 to 46
[Code]....
On the router on the other side, I created an acl that matched on dscp 46, but it doesn't match on it. I've tried moving the mutation map to the ingress interface and I've tried setting dscp with a service policy instead of marking COS and using internal dscp. Where is the mutation map supposed to be placed: ingress or egress? Also, I added an entry in the acl on the router to see if I was mapping to dscp 24, and I am:
[Code]....
So it seems like the mutation map is being ignored completely. Any reason why?
How the dscp-cos or cos-dscp mapping takes place in c892 router? There is no command like "sh mls qos maps" in c892 like we have in c2951 or c3925.
View 3 Replies View RelatedI am trying to configure my catalyst swtich as an internal router.
I want to route traffic between 4 different subnets.
192.168.200.0 /24
192.168.201.0 /24
192.168.202.0 /24
10.10.10.0 /24
I have an intermittent issue happening on my company's firewall, and I'm at a loss as to how to troubleshoot further.
We recently made some changes to our network, which included moving an ASA 5505 from one location to another. In moving this we also connected it to a different switch. It used to hang off a Cisco 3560, and now it hangs off a ProCurve 5406zl.
The setup is that the ASA is connected on two ports to the HP, which is simply a layer 2 device sitting between the firewall and the uplink to our ISP. One port, e0/0, is the outside interface and is set to switchport access vlan 2. The second interface, e0/1, is set for vlan 1, also access mode. It has an IP of 10.0.0.2. The HP on the other end of that has an IP of 10.0.0.1. So outside VPN connections come through the HP to the ASA on e0/0, and back out the ASA on port e0/1 to reach devices on the internal network.
What happens is that when a user connects to the VPN, they can reach internal resources intermittently. For example, I tried to ping an internal server IP address (let's say 10.0.0.23) from my laptop, while on the VPN, and pings failed. However I could ping that IP from the ASA itself. Another example is that during one VPN connection I was unable to connect to an internal web server, but once I disconnected and connected ahain I could reach the server fine.
The intermittent nature of the problem made me think that it could be an ARP issue, that somehow the traffic is getting sent back out the wrong interface sometimes, hence the lack of communication. However when I did show switch mac-address | include mac address, using the base mac of the HP, I only saw the mac address of the HP on one interface, e0/1. That makes me think that things are working as they should. Although I guess maybe it should appear on both interfaces...? I don't know. How I can most effectively troubleshoot this? It seems like the symptoms are indicative of some kind of rookie mistake, but for the life of me I can't figure out what it is.
One of my internal servers requires it to be available to the internet I am having a hard time allowing it to be NATed through my Ciscc 2801 router. It seems as though im missing something small. From what I can gather it seems as though its as issue with ACL, but im not sure. I have ran the following command: ip nat inside source static tcp 192.168.5.1 ***WAN IP Address*** 8443 extendable Then I tried to add it to the ACL via this command: access-list 150 permit tcp any host ***WAN IP Address*** eq 8443
Here is a copy of my config.
IP 172.19.3.x
sub 255.255.255.128
GW 172.19.3.129
Ciscso 2801 Router
[code]....
I have a cisco 3560 switch set up as my edge router. It is working as my external demarc switch and edge router. It is sitting between the ISP's switch and my ASA firewall. It's a very basic configuration with port 1 set up with a fixed ip and switchport turned off which is connected to the ISP switch. VLAN2 is configured with an IP address and 3 ports, two of which go to different firewalls.
I found that I cannot ping a specific address from the inside interface (VLAN2), but I can from the outside interface Gig0/1. I have a few deny commands in an access list, but they don't apply to the network i'm trying to access, and I haven't had any other inaccessible networks otherwise.
Here's my config minus passwords and full IP ranges. There are two ranges, one with xxx and one with xx. The xxx is set as secondary, but is the one we really use.
Current configuration : 4808 bytes!version 12.2no service padservice timestamps debug uptimeservice timestamps log uptimeservice password-encryption!hostname my-rtr-ext!boot-start-markerboot-end-marker!enable secret 5 !
!!no aaa new-modelsystem mtu routing 1500ip routing!
[Code] ............
We are having two sites seperated by half a mile and we are using dedicated 100 Meg link at the moment for intranet traffic, and now we got new 1 gig link and I am working to set it up, Service Provider came on site installed two circuits on both sites and fiber connectivity is tested succesfully betweeen sites, now I need to connect the circuits to our network and make the 1 gig link active to make traffic flow between sites and as well bring 100 meg as standby.
So to brief the issue:
Connectivity at the moment SiteA: Switch1(3560)------100Meg--------.SiteB: Switch 2(3560)
I Want to configure SiteA: Switch 3(4507)------1gig (Active)--------.SiteB: Switch 4(3560) SiteA: Switch1(3560)------100Meg(Standby)--------.SiteB: Switch 2(3560)
simple as connecting a fiber or ethernet link from external circuit on both sites to respective switches on their interfaces and configuring hsrp to enable redundancy. A
I have the following VPN site-2-site configuration.The trouble I'm having is host 172.168.88.3 in site A is not able to ping 172.168.200.3 in site B and visa versa. Think I have added the static routes and ACLs correctly on the 3560 switches (acting as gateways) and both PIX's to access the internal networks. Host 172.168.9.3 can ping 172.168.200.3 fine.
View 3 Replies View Relatedwhat does VXR and S means in these series?
View 1 Replies View Relatedby saying "open ports" in a router or PC or other Network System what we mean basically? what is opposite terminology, "closed ports"?-used or unused-sensitive-vulnerable or non vulnerable to attacks-exploited easily and when so may attacked and have much bad/serious consequences/results
View 2 Replies View Relatedsetting up an ASA 5505 to be used as a firewall between a BT internet router(BTNet service) and a Cisco 3560 Lan switch. BT have presented me with a cisco 3800 series router with the following details:
Network Address Network Mask BTnet NTE Router LAN Address
There are 2 Gigethernet ports on the back of the router port Ge0/0 is connected to the BT NTE and the status light is flashing green. Int ge0/1 is connected into port int e0/1 of the ASA but i am unable to get any connection.
Is it possible to have ASDM and SSH authenticate via different means on a RADIUS server? In particular, I have a single aaa-server group that's used for both ASDM and SSH, but I want to limit ASDM access to only a particular group in Active Directory (for example). I looked at various different requests (from the server's perspective) to see if there was a way that they (ASDM requests and SSH requests) were differentiated but was unable to find any. It would be ideal if there was something inherent about the RADIUS request coming from ASDM vs SSH so that I could build that decision making into the RADIUS server.I know I could do this by just using a different aaa-server group for each access method, but I want to avoid that if possible.
View 7 Replies View RelatedWhat the user specification with the asa5505 means.there is a 50 user and an unlimited license with the asa5505. with 50 user does this mean that only 50 user can work simultaneously over the asa, or what?
View 10 Replies View RelatedThere is a port on 3560E, facing POP, this port is in the dedicated vlan, that is terminated on 7606 on SVI (peering point).There is configuration made on the 3560E port, that prevents storm of ucast or bcast kind. This is: switchport block multicast switchport port-security maximum 1000 switchport port-security switchport port-security violation restrict storm-control broadcast level bps 1m storm-control multicast level bps 1m storm-control action shutdown storm-control action trap no cdp enable no lldp transmit no lldp receive spanning-tree portfast spanning-tree bpdufilter enable spanning-tree bpduguard enable. [code]
I want to get info not only about the fact of storm attack but also about at least source and destination of it (i.e. source and/or destination MAC). Perhaps this could be some logging messages.Are there any means for this on C3560E-UNIVERSAL-M (IOS ver 12.2(53)SE2) and 7606-S.
url..This says an ISR G2 3945 can achieve 502.78 Mbits when CEF fast switching. Is this per port or total for the whole box? Since the router will hold dozens of switch ports and several gig routed ports I don't understand what this half gig switching speed means.
View 5 Replies View RelatedWe run a hub&spoke network with dual GRE tunnels from each spoke site to seperate independant adsl routers at the hub.IPsec is enabled on each tunnel with crypto maps and then QOS is enabled with pre-classify for voice traffic priority. We also have defined a class for Citrix traffic by identifying port1494 traffic out and anything bound for our citrix servers IPs.Ok so the problem is that once the encryption comes up on the tunnels, the citrix programs wont connect. Take the crypto map off the tunnel and all works fine.
Here is the relevant config
crypto isakmp policy 1 encr 3des authentication pre-share group 2crypto isakmp key **** address *.*.*.*
crypto isakmp key **** address *.*.*.*
crypto map SDM_CMAP_1 1 ipsec-isakmp description Tunnel to hub1
set peer *.*.*.*
set transform-set ESP-3DES-SHA match address 104 qos pre-classifycrypto map SDM_CMAP_1 2 ipsec-isakmp description Tunnel to hub2
set peer *.*.*.*
set transform-set ESP-3DES-SHA match address 105 qos pre-classify
[code]....
I deliberately weight EIGRP to favour Tun0 and have Tun1 as a failover. I was thinking of Route-mapping the Citrix traffic to Tun1?
Today i saw on the router dir-655 log file that "UDHCPD Received a SIGTERM" and "received signal 15, good-bye" and the ip address was renewd after 14 days. I want to understand if it's normal behavior of the unit or not. I'm connected to cable modem that is stable more than 15 days.
here is the log of my router:
Oct 23 17:49:48 debug UDHCPD sending ACK to 192.168.0.3
Oct 23 04:01:15 debug Debu: Joining group 224.0.0.252 upstream on IF address 46.117.1.47
Oct 23 04:01:15 debug Debu: Leaving group 224.0.0.252 upstream on IF address 46.117.1.47
Oct 23 03:59:09 debug Debu: Joining group 224.0.0.252 upstream on IF address 46.117.1.47
Oct 23 03:43:58 debug gpio create pidfile /var/run/gpio_wan_green.pid
[code]....
We are trying to isolate the fault. From Aggregator a router, we are receiving MAC address of distant end ethernet interface of a SDH box and vice versa is also possible. However ther is no packet received. My question is does ping test is must to see if the path is through or just receiving MAC adress at both ends would mean that packets have to go over the path.
View 1 Replies View RelatedI'm testing QoS with a 3750-X
I want to mark traffic in the 192.168.126.0/24 subnet with DSCP EF.
I've entered this command :
mls qos
class-map match-any class_126
match access-group 2
policy-map mark_dscp_126
[Code]....
Does any know what " Last reset from system-reset " means? Is this becouse of a power failure or someone reloading the switch?
View 3 Replies View RelatedI am wondering what is the TOS value equivalent to DSCP value AF31? I am wondering what is the TOS value equivalent to DSCP value AF31?I have tried to use the charts but I couldn’t understand how to convert it.
View 5 Replies View Related1) which DSCP marking to use for ex90s(HD video)?
2) as a test we are planning do to deploy ex90 at few of locations. at location 1 we will do DSCP EF marking while at the other location we will do DSCP AF41 for video..assume, LOC1 calls LOC2: so, when video traffic from LOC1 arrives to LOC2 will it be marked as EF? and when traffic from LOC2 arrives LOC1 then traffic will be marked as AF41? if yes, then will there be any issue sometimes in case if we run out of bandwidth for EF?
I ran into interesting issue on Sup-2T. As you probably know, QoS CLI is changed on this new supervisor. I'm looking to translate incoming dscp-marked packets, into exp-marked on egress.Now, according to documentation - Catalyst 6500 Release 15.0SY Software Configuration Guide - this functionality is still called mutation-map and is configured under 'platform qos map exp-mutation'. The problem is quite simple – there is no 'platform qos map exp-mutation' on 2 different machines I checked upon. Here:
Some-6513(config)#platform qos ? 10g-only qos pure 10G mode aggregate-policer Named aggregate policer marking marking keyword
police police keyword protocol protocol keyword queueing-only queueing-only (no QoS rewrite, no policing) rewrite packet qos rewrite enable/disable statistics-export qos statistics data export
I work in a manufacturing firm where we have offices at 3 different places say A,B and C. Our ERP server is at our original unit A from where we accessed it at B and C through remote desktop application till now. But now we have hired cloud services to connect to our main ERP server. We are in the process of installing the cloud application on our server at B during which we are encountering a problem. The cloud service provider is asking for domain name and password for the DSCP server based at the orignal unit (A) which no one in the company seems to have any idea about. Our IT guy at A has resigned and has not been replaced. Our IT guy at B is inexperienced and just following the instructions of service provider who is stuck at DSCP domain name and ID. How can I know the domain name and password of DSCP server so that the process moves on?
View 5 Replies View RelatedMy company's spent the last few weeks struggling with an issue with their VPN backups where select packets were being lost.
View 7 Replies View RelatedAccording to product bulletin no 3209 for the Cisco 4400 series, the Access Point supports 802.11e WMM.
My question goes to DSCP mapping, according to IEEE and your bulletin the DSCP field in the IP header should be set to 46 (10110 00) for mapping to a 802.11 QoS voice priority 6/7.But my Wireshark trace revealed 4400N is mapping toward with 802.11 QoS is set to Priority 5 Video.
If I google DSCP mapping toward 802.11 QoS all IEEE documention I found says EF /Voice should have 46 or 101xxx in the DSCP IP field but running through Cisco and HP docs gives 46 or 48 as value, that is the correct value. [code]
I am running 1.1.24 and spa303 phones I have a qos policy setup to mark all packets
The following is my qos
information 192.168.1.15/24
makring enabled
cos/DSCO DSCO
Value 0xb8
On my upstream device I only allow traffic that is marked with this dscp value. No traffic is coming through. RTP traffic is marked because it comes off the phone marked but I would expect the qos Policy so mark everything going to that ip space to be marked.
I am getting a very strange problem where 4500 switch is remarking the packet with dscp 1 to 0.
Let me explaint the setup. I have two PCs connected on same switch but on different modules. PC1 is conencted to Gi4/19 and PC2 is connected to
Gi2/43. Both the ports has been configured to trust the dscp. Below are the configuration:
interface GigabitEthernet4/19
switchport access vlan 6
switchport mode access
[Code].....
My new small router 866vae crashes and makes cold reboots every 20-30 minutes. I updated IOS, but it didn't work. The logs show texts like this:
Possible software fault. Upon reccurence,crashinfo, "show tech" and contact Cisco Technical Support. http serverip http access-class 23ip http authentication localip http secure-serverip http timeout-policy idle 60 life 86400 requests 10000!ip dns serverip nat inside source list 101 interface Dialer0 overload!dialer-list 1 protocol ip permitmac-address-table aging-time 15no cdp run!access-list 23 permit 192.168.1.0 0.0.0.255access-list 101 permit ip 192.168.1.0 0.0.0.255 anyaccess-list 111 permit udp any eq bootps any eq bootpcaccess-list 111 permit tcp any anyaccess-list 111 permit udp any anyaccess-list 111 permit icmp any any echo-replyaccess-list 111 permit icmp any any time-exceededaccess-list 111 permit icmp any any unreachableaccess-list 111 permit icmp any any administratively-prohibitedaccess-list 111 permit icmp any any echoaccess-list 111 permit gre any any!control-plane!!line con 0login localno modem enableline aux 0line vty 0 4access-class 23 inprivilege level 15login localtransport input telnet!scheduler allocate 60000 1000!end
following about a limitation on the ASA5505.I have a client that has a number of branch offices on a Gen-I OneOffice network. For complex and political reasons, we can’t trust all nodes on that OneOffice network. We need to put a firewall at each branch office between their local network and the OneOffice router.
To avoid having to either readdress the OneOffice routers (politically difficult) or readdress each branch office (logistically difficult) we’ve suggested using a transparent mode ASA5505 firewall between each sites OneOffice router LAN switch.
Recently I’ve discovered the client is deploying Avaya VOIP phones into the offices using QOS/DSCP over the OneOffice network from Avaya units in some offices. I figured I’d need to trust DSCP on the way though the ASA and went about looking at how to achieve that.
I found the following document relating to configuring QOS on the ASA: url...
This suggests in the DSCP and Diffserv Preservation section that “DSCP markings are preserved on all traffic passing through the ASA.” However, in the Guidelines and Limitations section it suggests QOS isn’t supported in transparent mode.I’m a bit worried that the DSCP markings won’t pass through the ASA5505 in transparent mode.
i did on cisco 2960S switch at user ingress interface. but the marking is not showing in show policy-map interface gig 1/0/10 interface and ACL is not showing any match.
I also had a config reference from 2960S cisco guide.
access-list 103 permit tcp any any eq 80
access-list 104 permit tcp any any eq 23
access-list 105 permit icmp host 172.24.68.4 any
class-map IN_HTTP
match access-group 103
class-map IN_TELNET
match access-group 104(code)