Cisco WAN :: 6509E - BGP Outbound Path Selection

Mar 4, 2013

I am multi-homed to dual ISPs using a single 6509e. Currently, I am only receiving a default from each ISP and marking one with a higher local pref. Most of my traffic flow is inbound, so this config meets my need. The issue I have: if either ISP has an outage upstream from my directly connected peer, my router does not detect that and continues to send traffic out thru that provider only to be black holed. My 6509 will only support 256k routes, so full route tables aren't an option. I could receive partials from each ISP. Is there any other method of detecting this upstream ISP issue and then adjusting my local pref on my default to use the alternate provider path?


Cisco WAN :: 6509e BGP Outbound Path Selection

Sep 20, 2012

I am multi-homed to dual ISPs using a single 6509e. Currently, I am only receiving a default from each ISP and marking one with a higher local pref. Most of my traffic flow is inbound, so this config meets my need. The issue I have: if either ISP has an outage upstream from my directly connected peer, my router does not detect that and continues to send traffic out thru that provider only to be black holed. My 6509 will only support 256k routes, so full route tables aren't an option. I could receive partials from each ISP. Is there any other method of detecting this upstream ISP issue and then adjusting my local pref on my default to use the alternate provider path?


Cisco Switching/Routing :: 6509E 20% Speed Loss When Router Introduced To Transfer Path

Jun 11, 2012

I have an issue that I am trying to track down. When I have 2 servers on the same VLAN on my AS pair, all is good because nothing leaves the switch. Where the issue is, is when I have 2 servers on different VLANs and it requires a hop across the Core router pair. This hop drops the throughput rate by about 20-25% (from 44M to 35-36M). I think I know the issue, but want some input from others to make sure I am not off-base. I have a pair of 6509E chassis running Sup720 (VS-S720-10G) with CEF720 (X6748-GE-TX) modules. This is my Access Pair running VSS to look as 1 switch.

These tie into the Core pair of 6500E chassis running Sup720 (Sup720-3B). The issue I see is that the core has a CEF720 card (6724-SFP), but the AS pair does not connect to the core on that card; they connect on an RJ45 Ethermodule (6148A-GE-TX) card. Would the fact that the AS pair does not connect to the core on the CEF720 module on the core cause the traffic to not make use of the CEF features of the Core and make each packet then have to be processed by the core instead of Express Forwarded?


Cisco Wireless :: 4402 - Data Path Down Control Path Up

May 5, 2010

Have just set up a WLC 4402 as a Guest WLAN controller on the DMZ of our network. I have successfully managed to get our internal controllers to connect to it, with the exception of 1. It says the control path is up but the data path is down. The other 14 controllers worked fine, and in testing the last one was OK but it is now not working properly. The 2 controllers can ping each other but just won't create the data tunnel. There is a firewall in the middle but that has been set up to allow traffic between the 2 groups of controllers to be unrestricted.

The internal controllers are 4404s and all controllers are running the same version of code, 5.1.151.0.


Cisco WAN :: 6509E / Configure BGP With 4 ISP?

Jul 8, 2012

I have a 6509E switch which is the core of the network, and we have 4 links from 4 ISPs. Will all the links work at the same time? How can I configure BGP? As far as I know, if I configure BGP it will work with one ISP as the active link, and if that link goes down it will automatically begin to work with another ISP. My question is how I can configure the network so that some VLANs work with one ISP, some VLANs with the others, and so on. If I configure it with a route map I will have to track it and change the configuration every time a link goes down, but I do not want to track it. Can I do anything with BGP to implement this task? The core of the network is the 6509E switch; inter-VLAN routing is implemented on it and no dynamic routing is enabled. The firewall module installed on it implements the NAT processes.


Cisco WAN :: BGP Route Selection On 65001

Sep 7, 2011

I have a router with 2 WAN (MPLS) connections to two different ISPs. One connection is a 3mbs MLPPP connection and the other is a 10mbs MetroEthernet connection. Both use BGP to peer up with the ISP with private AS numbers (65001, 65002, etc). I want the router to always prefer (use) the BGP connection through the 10mbs link, but here are my considerations: I can't change the prefix length for the peers. In other words, BGP 65001 is going to advertise 192.168.21.0 /24 to its peer, and BGP 65002 is going to advertise the same network with the same mask. What is the best way to make sure the 10mbs link is always preferred? Can I do local preference?


Cisco :: LMS 4.2 Sub-interface Not Available In Instance Selection

Apr 26, 2013

I have sub-interfaces created on the switch and they are in active (up/up) state, but these sub-interfaces are not available for selection in the instance window while creating the poller, and I am not able to monitor the traffic on these sub-interfaces in the performance management.

LMS will not display the interfaces in the instance selection window if they are not active, but here the sub-interfaces are in active state and they are still not available.


Cisco Firewall :: ASA 8.4 NAT Command Selection

Jul 4, 2011

I am designing a new NAT configuration for an ASA 8.4
 
On my PIX 8.0 configuration I needed to allow bidirectional traffic between interfaces with different security levels. For example, Inside at 100 and dmz at 50. To accomplish this in 8.0 I used a static NAT command along with any necessary ACLs.

I now need to apply this same 8.0 config for 8.4. With the static command not available in 8.4 I am unsure of which NAT commands to use to achieve the bidirectional traffic.


Cisco VPN :: ASA 5505 License And Smartnet Selection?

Jun 11, 2012

We purchased an ASA 5505 (ASA5505-BUN-K9) and more recently purchased the license to upgrade it from 10 to 50 users (L-ASA5505-10-50). I would like to provide remote access to users via AnyConnect - specifically, AnyConnect on Windows plus the iPhone/iPad and Android versions. My understanding is that I should purchase the Anyconnect Essentials (L-ASA-AC-E-5505) and Anyconnect Mobile (L-ASA-AC-M-5505) licenses. Is this correct? If I do this, how many simultaneous remote access VPN connections (via Anyconnect clients) will the ASA then support?
 
Further, we did not initially purchase Smartnet with this device, but I would like to do so to gain access to software updates.  Is there a site or document where I can locate the SKU #'s for Smartnet contracts that would be appropriate with our device?
 
The output of "show version" is below:
 
Cisco Adaptive Security Appliance Software Version 8.3(1)
Device Manager Version 6.3(1)
 Compiled on Thu 04-Mar-10 16:56 by builders
System image file is "disk0:/asa831-k8.bin"
Config file at boot was "startup-config"

[code]....


Cisco VPN :: 1800 - Selection Of Hardware For VPN Termination

Feb 21, 2011

We are going to purchase a device, the sites and also VPN server for remote access (EzVPN). Should we use an ASA or should we use a Cisco 1800 series router with security software? The main purpose of this device is to terminate all VPN connections (site-to-site) and remote access.


Cisco Firewall :: ASA 5510 Model Selection

May 4, 2011

Our company is in the process of replacing our old firewall with a Cisco ASA, since our old firewall can handle only 170 concurrent users and we are expanding fast. Can I know what the considerations are when selecting from the different models of ASA? Currently we are debating whether we should buy a 5510 or a 5520. Also, can I know if the Cisco ASA also has a limitation on concurrent users online in a LAN like our old firewall? By the way, we are a call center company (going 500 seats), so we are using VoIP (Asterisk using SIP and IAX).


Cisco Wireless :: How To Get 3500e Antenna Selection

Jan 24, 2012

I want to install a 3500e. I have a hole in my wireless network where this AP will be a perfect fit. I do have a wireless controller running code 6.x, so I think I will need to upgrade to 7, which is not a big deal.

The problem I have is the antenna selection. Since the AP has MIMO multiple-inputs multiple-inputs I’m perplexed on the type of antenna to choose. Since the environment is a warehouse the omnidirectional would be preferred - should I also add the dipole antenna for close proximity to the AP? Also, I noticed in the getting started guide the 3500e has 6 external connection points, 3 for 2.4 and 3 for 5 GHz. The antenna documentation says to use dual-band antennas, but this contradicts what is shown in the getting started guide. So what antennas should I get to make the 3500e work in a warehouse environment?


Cisco :: 6509E Changing Configuration Register Of SP

Jun 1, 2013

I have two 6509Es working in VSS and both are working fine. But the configuration register shown by the command "remote command switch show boot" is 0x8000, which is different from that of the RP (0x2102). Now I want to change the value of the configuration register of the SP to 0x2102.


Cisco Application :: CAT 6509E - ACE End To End Encryption With IDSM

Aug 16, 2011

We want to provide an end-to-end encryption service using an ACE02 in a CAT 6509E. This is covered in the ACE config guide so should be OK. The issue is that we want to include traffic inspection using an IDSM2, so we need to separate the decrypt and encryption stages and send cleartext traffic to the IDSM2. The Security and Virtualization in the Data Center pdf page 18/19 suggests that it might be possible. The design depicted there though is only doing SSL termination, then sending the clear text on to a WAF, and on to IPS, but it does say end-to-end encryption is also possible. So in essence what we want to do is have traffic from clients destined for the server farm decrypted by the ACE and sent to the IDS. We then want the traffic to return from the IDS to the ACE to be encrypted and sent on to the server farm.


Cisco Switching/Routing :: 6509E With 2 Sup 2T Cards

Apr 30, 2012

I have a new 6509E with 2 sup 2T cards. The 10GE ports on both sup cards will connect to 2 5548s. Can I connect the management interface on the new 6509E to the old 6509 until I free up space to bring the line cards over?


Cisco WAN :: 6509E / Default Routing Versus BGP

Jul 16, 2012

We have configured BGP on a Cisco 6509E switch. The firewall module on the switch is doing NAT for all users, but users are not going to the internet yet. I do not know how to configure the 6509E to give internet access to users. If I point the default route to the FWSM, then BGP will not work? If I use a default route, what is the meaning of BGP then?

I do not want to write a static route because BGP should work (4 ISPs redundancy).

How to let users go out to the internet through BGP, when NAT is being done on the firewall module on the 6509 and routing is being done on the 6509? How to configure it?


Cisco WAN :: Routing And Multiple Wan Uplinks On 6509E?

Mar 5, 2012

Simple question regarding WAN transit uplinks on a 6509E and BGP. The hardware configuration is:
 
Cisco 6509-E Chassis with enhanced Fan
WS-SUP720-3BXL
WS-X6748-GE-TX
Dual power supply and 1 G flash for Engine
 
I'm currently using both 1 gig uplinks on the SUP for my two carrier transit uplinks (BGP). I would like to add a third carrier transit uplink into my BGP. Can I utilize the 6748 for access to the SUP720 routing to expand my transit carrier uplinks? Any thoughts on options without having to go to a 10gig SUP720?


Cisco WAN :: 6509E And Multicast Getting High CPU Usage

Jan 31, 2011

I've got a problem with a core 6509E and the multicast. A client has a system with cams for the physical security and they are connected to a VLAN with this config:
 
interface VlanX
ip address 172.20.167.1 255.255.255.128
ip helper-address 172.20.32.7
ip pim version 1
ip pim sparse-mode
end

The thing is that we know that one server that shows the cams at the security office is flooding the network and the CPU CORE is over 95% always:
 
CPU utilization for five seconds: 99%/39%; one minute: 99%; five minutes: 99%
263   644650276 567873287       1135 51.99% 55.06% 55.35%   0 IP Input
[Code] ....


Cisco Switching/Routing :: 10G Upgrade For 6509E

Dec 9, 2012

I have a couple of 6509-Es combined in a VSS system. I need to upgrade them to support 8 (or 16 at max) 10G uplinks. I already used the two built-in VS-S720-10G fiber connectors for VSL links. Which Ethernet modules do you suggest to use? Are there any related upgrades that I have to do?
 
supervisor used: VS-S720-10G
Chassis: WS-C6509-E


Cisco WAN :: 7609 / 3600 - How To Set VLAN Based VRF Selection

Jan 9, 2013

I am using Cisco 7609 IOS15.0(1)S1 and Cisco 3600 IOS 15.1(2)EY. I am trying to provision VPNs over an MPLS network. All I found in the documentation is how to attach a whole interface to a VRF. However, I need to be able to attach a VLAN (or any other matching criteria, for that matter) to a VRF. In other words, I want to be able to attach port 1/1 vlan 100 to VRF-A and port 1/1 vlan 200 to VRF-B.


Cisco VPN :: ASA 9.1 WebVPN - URL Entry Default Protocol Selection?

Feb 19, 2013

Through ASA WebVPN we need to provide our users remote desktop access; we would not use static rdp:// bookmarks for this accomplishment as this would cause too much management effort with bookmark updating. Our strategy would be to give users the "url entry" bar where they can input the resource name (example: "pc-flavio.mydomain") so the management effort is moved to the guys who manage the DNS server. This stated, we noticed that most end users would get in trouble because the default "url-protocol" is http://, so they don't change it to the correct rdp:// from the drop-down list and don't have the java-rdp applet started. Is there a chance to admin the default protocol for URL Entry Functions? Our setup is ASA 5510 ver 9.1, act/stb failover.


Cisco AAA/Identity/Nac :: ACS 5.1 Access Rule Selection Sequence

Apr 14, 2011

I just installed a new ACS 5.1 to authenticate wireless PEAP users, so I created an Access policy "WirelessUsers" with the identity store being Windows Active Directory and all domain users selected, and created a service rule that dictates that if the authentication protocol is RADIUS and the network device belongs to the WLC device group, the result service will be "WirelessUsers". This part worked perfectly; all domain users are able to gain wireless access via their DOMAIN/usernames and domain passwords. Now I want ACS local identity store users (those local usernames can be the same or different from their AD usernames) to be able to manage those controllers, so I created another access policy "DeviceAdminUsers" with the identity store being local users, and another service rule which says that if the authentication protocol is RADIUS and the network device belongs to the WLC device group, the result service will be "DeviceAdminUsers". The problem is that with this setup, whenever I try to SSH to the WLC, ACS always puts me in the "WirelessUsers" access policy, even if the login name does not have DOMAIN prepended or the login name simply does not exist in AD. If I put the second rule in front of the first rule, I am able to authenticate with the ACS local username/password and gain access to the WLC, but wireless users will fail to authenticate, because ACS is trying to put regular wireless users in the "DeviceAdminUsers" access policy. I would expect that if the username does not exist in AD, ACS should proceed with the next rule. A similar requirement was easily achieved in ACS 3.3.


Cisco AAA/Identity/Nac :: VSA 218 - Configure IP Pool Selection By RADIUS On ACS 5-3-0-40-7?

Feb 18, 2013

I'm trying to configure IP pool selection by RADIUS on ACS 5-3-0-40-7. So, I went to configuring the cisco-assign-ip-pool (Cisco VSA 218) attribute within some test authorization profile but discovered that cisco-assign-ip-pool is an integer (?!) and (therefore) accepts digits only.

As far as I can remember, we used to put pool *names* within ip:addr-pool

(something along those lines: cisco-avpair = "ip:addr-pool=test-pool-1").

So how should we configure the values for this attribute in ACS 5?


Cisco Wireless :: Antenna Selection And Mounting For 2602

Feb 3, 2013

We have a campus with both office and industrial areas with various propagation problems. Historically I have been installing and maintaining access points in the 1200 range, the latest being the 1242. All these have a similar antenna setup based on diversity pairs. Since Cisco seems to be dropping the old series any week now I have been looking at the 2602 as a replacement. I can find no good documentation on antenna selection and mounting suggestions for these. If I want a proper omni coverage pattern with dual band antennas, do I just set them to an H form assuming the unit is sitting on a wall?


Cisco VPN :: Automatic Tunnel Group Selection Through Radius On ASA 5.3?

Aug 20, 2012

I am trying to let the Cisco ASA automatically select a tunnel group for users after the user inputs username and password. I am trying to do this without the user selecting a connection profile on the login page. Authentication is ASA<>ACS 5.3<>MS AD. How can I do this? The RADIUS attribute class=group_policy doesn't work.


Cisco Wireless :: 1524SB Mesh Channel Selection?

Jun 3, 2013

We have a deployment with six 1524SB mesh APs. Two are used as RAPs and face east and west respectively with directional antennas and two MAPs on each side with omni antennas. The RAPs are within 20 feet of each other. I set the bridge group name as east or west depending on which side of the mesh the equipment is located but noticed the downlink channel is set to 56 on both RAPs. I don't remember setting the channel for the RAPs, but they aren't using the global DCA. Would best practice be to change the downlink to unique channels on the RAPs, enable DCA (if it will let me), or is a unique bridge group name sufficient?


Cisco WAN :: C2900 - Route Selection When Using EBGP And EIGRP

May 22, 2013

I have a mixed WAN environment with both eBGP and EIGRP routes.  The BGP routes should always take precedence, when they exist.  If no BGP routes exist I want the router to fail over to using the EIGRP routes.  So far, this works fine.

The problem is, when the BGP route again becomes available (and the associated entry appears in the "sh ip bgp ... received-routes" output) the router is NOT relinquishing the EIGRP route. It remains in effect, showing as a "D" route in the route table even though there is a better ("B") route available. If I bounce EIGRP or the interface associated with it, the EIGRP route disappears and the BGP route reasserts itself, and everything will run correctly until the next time the BGP route disappears due to maintenance, line failure, etc.

My router is (C2900-UNIVERSALK9-M), Version 15.3(1)T
 
Here's the associated config
interface Tunnel101
description VPN backup WAN interface
bandwidth 7168
ip address 192.168.75.1 255.255.255.0
[code].....


Cisco Wireless :: 6509E Losing Connection To Router

Oct 23, 2011

I have a Cisco Aironet c where it is configured as an AP. I use a Pocket PC to access the AP, but after a period of use, the Pocket PC loses communication with the AP for a short period of time and the application that is used on the Pocket PC closes. After a few seconds it automatically reconnects. Searching the logs of the AP, I found the following warning: "Packet to client 0017.2302.8a5e Reached max retries, removing the client", but this alert does not always appear.


Cisco Switching/Routing :: Migrating Cat 6503-E VSS To Cat 6509E VSS

Aug 7, 2012

I want to migrate a Cat 6503-E VSS to Cat 6509E VSS. We plan to use the same supervisor that we have on the Cat6503E, for minimizing the configuration change on the Doing this, the vss link will need to be changed, due to the fact that the supervisor slot will change with the Cat 6509, slot 5 instead of 1.

Question: is there a way to just change the vsl-link interface on an existing VSS?


Cisco Application :: 6509E - Standby ACE20-MOD-K9 Reboots On Its Own

Jul 15, 2012

I have 2 Cat 6509-E switches in VSS configuration with 2 ACE modules. One in each Cat6k. 
 
The ACE modules are running the following:
 
Software
loader:    Version 12.2[120]
 system:    Version A2(3.2a) [build 3.0(0)A2(3.2a)]
 
We have only 2 contexts, the Admin and another one that we redirect traffic to WAAS equipment. The ANM soft running is only used for stats about the ACEs. It is version 5.2.
 
Since last week, the standby ACE module reboots on its own. It rebooted between 10 and 15 times until we had to leave the module in PwrDown due to the constant reboots.
 
I tried to find any bug in the soft but I could not find anything related to that.


Cisco WAN :: 6509E - Extending VLan Through Layer 3 Connection?

Feb 12, 2013

In our environment we have a 6509E as a core switch which is connected to five 3750Gs installed in remote sites, and the links are layer 3 routed. The routing protocol is OSPF. I am just wondering if we could possibly create a VLAN in the core switch and extend it to the remote site through the layer 3 connection. The reason we are thinking of doing this is that we want to have server redundancy: if one of the servers goes down in the core site we can just turn on the server which is in the same VLAN in the remote site so that we can limit the downtime.


Cisco :: SNMP-OID To Poll Values Of The CPU-load From VSS 6509E

Jul 4, 2012

I am searching for the right SNMP OID to poll the values of the CPU load from a VSS (6509E): an OID for VSS-Switch1 and another OID for VSS-Switch2, with values like the CLI command "sh proc cpu" of the supervisor module in slot 5.


Cisco :: Inventory Collection Fails On 6509E Switches?

Mar 26, 2012

I'm currently experiencing some problems with LMS 3.1 where inventory collection fails on cat6500 switches running 12.2(33)SXI1, Sup720.
 
I have changed the SNMP timeout to 30 seconds.







