I am using Cisco 7609 IOS15.0(1)S1 and Cisco 3600 IOS 15.1(2)EY.I am trying to provision VPNs over MPLS network.All I found in the documentation is how I attach a whole interface to a VRF.However, I need to be able to attach a VLAN (or any other matching criteria, for that matter) to a VRF.In other words, I want to be able to attach port 1/1 vlan 100 to VRF-A and port 1/1 vlan 200 to VRF-B.
View 1 Replies
We phace disconnections when having a dozen open connections.Does the Cisco devices have a documented limitation on the buffer size or the number of telnet connections?
View 1 Replies View RelatedI have a requirement to select a farm based on source IP address. I tried creating a match all class-map that matches on the virtual-address and source address but I get this message.LB01/Admin(config-cmap)# match source-address x.x.x.75 255.255.255.255 Error: Only one match virtual-address is allowed in a match-all class-map and it cannot mix with any other match type To me this is the only place where it makes sense to set the source match criteria.
View 2 Replies View RelatedI am facing an isssues with 7609 for LAN switching , based on LAN (VRRP/HSRP) feature.Actually we are having ES+ cards (on 7609) and we are using multiple groups(say 350 vrrp groups) running on the router . the routers are connected as router 1>>> mux(which is working as switches)>>> router2
my questing are
1. does their will be "multicast packets" (for VRRP/HSRP group) "from backup router to Master router", when in stable state( ie when Master and backup are already chosen) , or the packet from backup to master should be unicast.I know for sure, the packet from master to back is multicast packets denstination to Multicast IP packet and To MAC address.I am not sure but I think from backup to master it should be multicast
2. what is frequency of these packets( from backup to master)
3. As i have multiper group on a single interface ( we are using q-in-q), when the connectivity from router's is broken, then does all the groups will muticast their active roll in the lan sengment "at once" or it will be in a groups say 100 groups at once, and after few ms few 100's and sone ( as is on OSPF or RIP)
we are in between troubleshooting I hope we get the ans( Actul problem we are seeing in the router's that we have 2 ports on active routers and 2 ports on standby router , but we are not seeing muticast on 1 port on standby router where as all other 3 ports are seeing multicast packets) [code]
I would like to get using of course SNMP, list of client IPs connected to VLAN in Cisco Catalyst 3600.So far, I have pseudo-algorithm made by me which obtains those IP addresses, but I am not sure if this is done in right way :
1) Receive all IP addresses from Catalyst using oid 1.3.6.1.2.1.4.20.1.2. I get something like :
IP-MIB::ipAdEntIfIndex.10.10.2.1 = INTEGER: 152
IP-MIB::ipAdEntIfIndex.10.10.2.251 = INTEGER: 152
IP-MIB::ipAdEntIfIndex.10.10.3.251 = INTEGER: 151 and so on.
2) Get ifIndex of VLAN (oid 1.3.6.1.2.1.4.20.1.2.10.10.2.1.<IP_ADDRESS>) for particular IP address from above list :
IP-MIB::ipAdEntIfIndex.10.10.2.1 = INTEGER: 152
IP-MIB::ipAdEntIfIndex.10.10.2.251 = INTEGER: 152
IP-MIB::ipAdEntIfIndex.10.10.3.251 = INTEGER: 151
3) Get VLAN name (oid 1.3.6.1.4.1.9.9.46.1.3.1.1.4.1.<IF_INDEX>) If_index is borrowed from list above :
IP-MIB::ipAdEntNetMask.152 = No Such Instance currently exists at this OID
IP-MIB::ipAdEntNetMask.151 = No Such Instance currently exists at this OID
In the third step I have this problem, that instance can not be found in OID. It is weird, because for about forty IP addresses i can find about their 10 VLAN names to which they are connected.
I have FWSM v4.0 installed on Cisco 7609 router and when I want to configure FWSM services on it, VLAN traffic is not passing through the FWSM or not Reaching upto fwsm
View 1 Replies View RelatedI have 4 autonomous AP 1142 with 2 ssids : SSID10,vlan10 & SSID20,vlan 20.I use ACS 4.2 in order to authenticate users (EAP-FAST). How can i restrict access base on ssid or on vlan?I want users that connect to SSID 10 to not have access to SSID 20 and the opposite.
View 7 Replies View RelatedI'm trying to configure ACS 5.2 to assign the VLAN to a user dynamically based on the AD group that the user belongs to. I've gone into:
Users and Identity Stores -> External Identity Stores -> Active Directory -> Directory Groups tab
and selected the group name from the AD. If I understand correctly, I should now see this group under:
Policy Elements -> Authorization and Permissions -> Network Access -> Authorization Profiles -> Common Tasks -> VLAN ID/Name
However, it does not. Am I missing something?
I was unable to configure vlan-based qos on Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9-M), Version 12.2(33)SXH6, RELEASE SOFTWARE (fc1) Seems to me my configuration is not working. Here is the output of the interface:
sh int G1/6 | i rate
Queueing strategy: fifo
30 second input rate 25231000 bits/sec, 4282 packets/sec
30 second output rate 46940000 bits/sec, 9257 packets/sec
And here is my configuration:
interface Vlan3
ip address 192.168.1.1 255.255.252.0
service-policy input TEST_IN_PMAP
service-policy output TEST_OUT_PMAP
[code]....
Why I can't see matches in ACLs? I've double checked the direction and seems to me it is correct. I can't see matches even I configure something like this:
10 permit ip host 192.168.1.168 any
20 permit ip any host 192.168.1.168
Why my output rate is higher than 30M? Is it bacause there is no matching traffic here in ACLs? I'm absolutely shure that this host with such ip connected to this interface:
#sh arp | i 192.168.1.168
Internet 192.168.1.168 0 feed.beef.f00d ARPA Vlan3
#sh mac address-table | i feed.beef.f00d
* 3 feed.beef.f00d dynamic Yes 0 Gi1/6
How do I...add a dos based computer to a network running windows 2003
View 1 Replies View RelatedI have a router with 2 WAN (MPLS) connections to two different IPSs.One connection is a 3mbs MLPPP connection and the other is a 10mbs MetroEthernet connection.Both use BGP to peer up with the ISP with private AS numbers (65001, 65002, etc)I want the router to always prefer (use) the BGP connection through the 10mbs link, but here are my considerations:I can't change the prefix length for the peers. In other words, BGP 65001 is going to advertise 192.168.21.0 /24 to its peer, and BGP 65002 is going to advertise the same network with the same mask.What is the best way to make sure the 10mbs link is always preferred? Can I do local preference?
View 6 Replies View RelatedI have sub-interfaces created on the switch and are in active(up/up) state,but these sub-interface not available for selection in the instance window while creating the poller, and am not able to monitor the traffic on these sub interface in the performance management.
LMS will not display the interfaces in the instance selection window if they are not active, but here the sub-interface are in active state but these are not available.
I am designing a new NAT configuration for an ASA 8.4
On my PIX 8.0 configuration I needed to allow bidirectional traffic between interfaces with different security levels. For example, Inside at 100 and dmz at 50.To accomplish this in 8.0 I used a static NAT command along with any necessary ACLs.
I now need to apply this same 8.0 config for 8.4. With the static command not availablein 8.4 I am unsure of which NAT commands to use to achieve the bidirectional traffic.
I multi homed to dual ISPs using a single 6509e. Currently, I am only receiving a default from wash ISP and marking one with a higher local pref. most of my traffic flow is inbound, so this config meets my need. The issue I have: if either ISP has has an outage upstream from my directly connected peer, my router does not detect that and continues to send traffic out thru that provider only to be black holed. My 6509 will only support 256k routes, so full route tables isn't an option. I could receive partials from each ISP. Is there any other method to detecting this upstream ISP issue and then adjusting my local pref on my default to use the alternate provider path?
View 3 Replies View RelatedI multi homed to dual ISPs using a single 6509e. Currently, I am only receiving a default from wash ISP and marking one with a higher local pref. most of my traffic flow is inbound, so this config meets my need. The issue I have: if either ISP has has an outage upstream from my directly connected peer, my router does not detect that and continues to send traffic out thru that provider only to be black holed. My 6509 will only support 256k routes, so full route tables isn't an option. I could receive partials from each ISP. Is there any other method to detecting this upstream ISP issue and then adjusting my local pref on my default to use the alternate provider path?
View 3 Replies View RelatedWe purchased an ASA 5505 (ASA5505-BUN-K9) and more recently purchased the license to upgrade it from 10 to 50 users (L-ASA5505-10-50). I would like to provide remote access to users via AnyConnect - specifically, AnyConnnect on Windows plus the iPhone/iPad and Android versions. My understanding is that I should purchase the Anyconnect Essentials (L-ASA-AC-E-5505) and Anyconnect Mobile (L-ASA-AC-M-5505) licenses. Is this correct? If I do this, how many simultaneous remote access VPN connections (via Anyconnect clients) will the ASA then support?
Further, we did not initially purchase Smartnet with this device, but I would like to do so to gain access to software updates. Is there a site or document where I can locate the SKU #'s for Smartnet contracts that would be appropriate with our device?
The output of "show version" is below:
Cisco Adaptive Security Appliance Software Version 8.3(1)
Device Manager Version 6.3(1)
Compiled on Thu 04-Mar-10 16:56 by builders
System image file is "disk0:/asa831-k8.bin"
Config file at boot was "startup-config"
[code]....
We are going to purchase a Device , thte sites and also VPN server for remote access ( EzVPN), Should we use ASA or should we use Cisco 1800 series router with security software. The main purpose of this device is to terminate all VPN connections ( Site-to-site) and remote access.
View 1 Replies View RelatedOur company is in the process of replacing our old firewall with a Cisco ASA since our old firewall can handle only 170 concurrent users and we are expanding fast. Can I know what are the considerations when selecting from the different models of ASA currently we are debating if we should buy a 5510 or a 5520 also can I know if cisco ASA also have a limitations on concurrent users online in a lan like our old firewall. By the way we are a Call Center company(going 500 seats) so we are using VOIP(Asterisk using SIP and IAX).
View 1 Replies View Relatedi want to install a 3500e. I have a hole in my wireless network where this AP will be a perfect fit. I do have a wireless controller running code 6.x, so I think I will need to upgrade to 7 which is not a big deal.
The problem I have is the antenna selection. Since the AP has MIMO multiple-inputs multiple-inputs I’m perplexed on the type of antenna to choose. Since the environment is a warehouse the Omni directional would be preferred - should I also add the dipole antenna for close proximity to the AP. Also, I noticed in the getting started guide the 3500e has 6 external connection points 3 for 2.4 and 3 for 5 GHz. The antenna documentation says to use dual-band antennas, but this contradicts what is shown in the getting started guide. So what antennas should I get to make the 3500e work in a warehouse environment.
through asa webvpn we need to provide our user remote destkop access; we would not use static rdp:// bookmarks for this accomplishmet as this would grow too much management effort with bookmarks updating. Our strategy would be to give users the "url entry" bar where they can input the resource name (example: "pc-flavio.mydomain") so the management effort is outplaced to the guys who manage the dns server. This stated, we noticed that most end-users would get in troubles because of the default-ing "url-protocol" is http://, so they don't change it to the correct rdp:// from the drop-down list and don't have the java-rdp applet started. There is a chance to admin the default protocol for URL Entry Functions? Our setup is asa 5510 ver 9.1, act/stb failover.
View 2 Replies View RelatedI just installed a new ACS 5.1 to authenticate wireless PEAP users, so I created an Access policy "WirelessUsers" with identity store being Windows Active directory and all domain users are selected, and create a service rule that dictates that if the authentication protocol is radius, network device belongs to WLC device group, the result service will be "WirelessUsers", so this part worked perfectely, all domain users are able to gain wireless access via their DOMAIN/usernames and domain passwords. Now I want ACS local indentity store users (those local usernames can be the same or different from their AD usernames) to be able to manage those controllers, so I created another access policy "DeviceAdminUsers" with identity store being local users, another service rule which says that if the authentication protocol is radius, network device belongs to WLC device group, the result service will be "DeviceAdminUsers". The problem is that with the setup, whenenve when I try to SSH to WLC, ACS always put me in "WirelessUsers" access policy, even the login name does not have DOMAIN pre-pended or the login name simly does not exist in AD. if I put the second rule in front of first rule, I am able to authenticate with ACS local username/password and gain access to WLC, but wireless users will fail to authenticate, because ACS is trying to put regular wiress users in "DeviceAdminUsers" access policy. I would expect if username does not exist in AD, ACS should proceed with next rule. Similar requirement was easily achieved in ACS 3.3.
View 5 Replies View RelatedI'm trying to configure IP pool selection by RADIUS on ACS 5-3-0-40-7.So, I went to configuring the cisco-assign-ip-pool (Cisco VSA 218) attribute within some test authorization profile but discovered that cisco-assign-ip-pool is an integer (?!) and (therefore) accepts digits only.
As far as I can remember, we used to put pool *names* within ip:addr-pool
(something along those lines: cisco-avpair = "ip:addr-pool=test-pool-1").
So how should we configure the values for this attribute in ACS 5?
We have a campus with both office and industial areas with various propagation problems. Historically I have been installing and maintaining access points in the 1200 range, the latest being the 1242. All these have a similar antenna setup based on diversity pairs.Since Cisco seems to be dropping the old series any week now I have been looking at the 2602 as a replacement.I can find no good documentation on antenna selection and mounting suggestions for these.If I want a proper omni coverage pattern with dual band antennas, do I just set them to a H form assuming the unit is sitting on a wall?
View 1 Replies View RelatedI try to let Cisco ASA automatic select a tunnel group for users, after user input username and password. I try to do this without user selection a connection profile on login page. Authentication on ASA<>ACS 5.3<>MS AD. How i can will do this? Radius attribute class=group_policy don't work.
View 1 Replies View RelatedWe have a deployment with six 1524SB mesh APs. Two are used as RAPs and face east and west respectively with directional antennas and two MAPs on each side with omni antennas. The RAPs are within 20 feet of each other. I set the bridge group name as east or west depending on which side of the mesh the equipment is located but noticed the downlink channel is set to 56 on both RAPs. I don't remember setting the channel for the RAPs, but they aren't using the global DCA.Would best practice be to change the downlink to unique channels on the RAPs, enable DCA (if it will let me), or is a unique bridge group name sufficient enough?
View 2 Replies View RelatedI have a mixed WAN environment with both eBGP and EIGRP routes. The BGP routes should always take precedence, when they exist. If no BGP routes exist I want the router to fail over to using the EIGRP routes. So far, this works fine.
The problem is, when the BGP route again becomes available (and the associated entry appears in the "sh ip bgp ... received-routes" output) the router is NOT relinquishing the EIGRP route. It remains in effect, showing as a "D" route int the route table even though there is a better ("B") route available. If I bounce EIGRP or the interface associated with it, the EIGRP route disappears and the BGP route reasserts itself, and everything will run correctly until the next time the BGP route disappears due to maintenance, line failure, etc.
My router is (C2900-UNIVERSALK9-M), Version 15.3(1)T
Here's the associated config
interface Tunnel101
description VPN backup WAN interface
bandwidth 7168
ip address 192.168.75.1 255.255.255.0
[code].....
We have p2p link that interconnects our data centers and the bandwidth is 150 meg link.In the current architecture, one end of the link is Nexus 7k (data center 1) and other end is catalyst 65k (data center 2)..We are planning to migrate this link to routers. We planned to install 3945 router on both data center and move the p2p link to this routers. [code]
View 2 Replies View Relatedthe best antenna to use in high-ceiling environments, as in 25 feet or higher. He was in favor of using a high gain, omni, such as a the AIR-ANT1728. I was against this form of antenna due to their increased horizontal radiation and decrease of vertical. I was more in favor of an antenna similar to AIR-ANT24 30V-R. I've seen successful deployments with both options, but curious what the community has to say on the matter.
View 1 Replies View RelatedI'm working with an ACS 5.3 and ASA 8.2.5 and i've configured several access services for webvpn and ipsec remote access profiles but i haven't found which radius attribute can differentiate among them in the service selection rules.
View 5 Replies View RelatedWe are ordering new COWs (Computer On Wheels) for the hospital and they will be using an Intel 6205 Wireless Chip which is a/b/g/n 2x2. The two new floors these devices will be going on will be our first internal hospital entry into 802.11n which I force the clients to run in the 5ghz range for N. Previous to this, all of my cows are G clients and use a 2.2dbi rubber duck for 2.4ghz.
I will be using 1142 AP's, if not 3502 and no I have not performed a survey yet as the floor is still in early construction, but equipment is required to be ordered now. I can tell you that I will be surveying for a voice grade. I suppose my confusion comes from what is the best antenna (obvious open ended question) for this card, being it has two connectors for the 2x2. Again, typically I would use a 2.2 dbi rubber duck for either 2 GHz or dual band 2/5 GHz. Is dual rubber ducks at 6inch spacing (half wavelength met on 2.4 GHz fall back) suffecient or are there other factors involved with the N.
- I have a cisco unified network (ACS 5.1, Cisco controller, LWAP) and have configured ACS to integrate with AD.
- I am using this network for Laptops and wireless IP phones access.
- I have only one Service Selection rule for both Laptops and wireless IP phones. All the conditions attributes are set to ANY except Protocol = Radius
- I select a simple Identity Policy and I use a sequence where IP phones users are authenticated using ACS local user and the Laptops users are authenticated using AD
- Laptop users are authenticated using PEAP and IP phones users using EAP-Fast
Everything is working fine BUT I need to make 2 changes and eventhough I spent many hours hours on forums and reading articles and trying things myself I can't get the changes to work.
The first change is to use 2 Service Selection Rules one for the IP phones and one for the Laptops. After adding another service selection rules that I put at the top, I tried many combinations to try and get the IP phones to use it but whatever I did (used different combinations of conditions), the IP phones always select the 2nd rule, which is the original one. The question is "what conditions to put in a service selection rule to make wireless IP phones use the rule).
The second change is that I want to add machine authentication so only Laptops that are in AD can access the network. AGain I tried various settings but can't get this to work.
I have a scenario with 2 7609s connected through a MPLS service with 10 GE. In each7609 we have a 24 port channelized T1 Circuit Emulation Over Card.
The requirement is in 2 parts. First, we need to provide a T1 emulation service between the 2 7609s T1 cards.
The second requirement is that in one end there is an OC3 port, so the customer wants to send the traffic from this emulated T1 onto the OC3.
I have two Cisco ASA 5510s that I would like to configure in an active passive failover setup. The ASAs are at the top of our rack and handle all our routing. We have been only using one ASA unit with one line from our ISP connected to the WAN/outside interface of the ASA. We recently had our ISP setup two lines into our rack using HSRP. I do not know what equipment they are running upstream of our ASAs but it is HSRP so it should be a set of Cisco routers/switches. Originally I thought I could just connect the 2nd new line to our 2nd ASAs WAN/outside port and setup failover using a crossover cable between the ASAs. After doing this config I had problems accessing some of our IPs in the subnet that the HSRP is part of. If I disconnected the 2nd ASAs WAN/outside line everything was fine. After talking with my ISP they explained that I need to connect both of my lines into our L2 network and then from there into the ASAs. Currently below the ASAs I have two Catalyst 3560-X switches. They are connected together with an ISL trunk and ASA-1s inside network connects to switch-1 and ASA-2 to switch-2. One idea was to connect each of the HSRP lines to each of my current switches and then from the switches to the ASA's WAN/outside interface. Finally back down from the ASA's to the switches via the inside interface that we have currently. This kind of seems messy and a poor choice. The other idea is to get two switches that would sit above the ASAs and connect the HSRP lines to them with the switches connected together. They would then connect to the ASAs. I like this idea better but I don't like having to buy two more full switches for this. These switches would only use a couple of ports and only handle just the HSRP ISP lines to the ASAs. Putting in two more 3560-Xs would be a big waste of money and space for this. So I was thinking of using two Cisco SG200-08, 8 port gigabit basic managed switches for this.
View 5 Replies View Related
