Cisco WAN :: 7613 - Traffic Move From Msfc To Fwsm?
Apr 4, 2013
I am planning to deploy the FWSM with all this complexity. Will this type of scenario work or not, meaning will traffic move from the MSFC to the core? Is it right to create another SVI (int2) on the MSFC to move traffic from the MSFC to the core switch?
I am planning to deploy the FWSM module in a 6513 chassis and need your valuable comments regarding the strategy that I have created for this deployment. Initially (without FWSM deployment) all internal traffic moves in this manner:
7613 (G9/5) --> 6513 (G10/4) --> ISA (Internal Int.) [NATing] (ISA External Int.) --> 6513 (G9/45) {This is an L2 port in VLAN 164} --> VLAN 164 (SVI Int, IP: 192.168.40.20) --> (G9/44) {This is an L2 port in VLAN 164} --> ASR 1002 --> Router --> Internet.
As you can see from the image, I am planning to deploy the FWSM in transparent mode in between VLAN 164 (SVI Int, IP: 192.168.40.20) -[FWSM here]-> (G9/44) {This is an L2 port in VLAN 120}, by putting the inside interface of the FWSM in VLAN 164, creating a new VLAN on the 6513, i.e. VLAN 120, and putting G9/44 in it. Now, will this configuration work regarding the passing of traffic through the FWSM? What improvements do I have to make in this design? You can check the attached diagram.
Is there any specific way to create the SVI interface on the MSFC? Actually I need to create two SVI interfaces on the MSFC to enable routing between two VLANs on the 7613 chassis.
I need your opinion regarding moving the IDSM-2 and FWSM modules from the 7613 to the 6513 chassis. Currently these two modules are in the 7613 and we are not using either of them; now we have to configure them in the 6513 chassis. As you can see from the figure, the traffic of all 3 core routers, i.e. 7613, goes to 6513 - to proxy ISA 2004 - 6513 - to Internet.
There are also some networks attached to the 6513, and we want to move both modules to the 6513 so that Network A/B/C/D/E, which are attached to the 6513, can also be configured for FWSM and IDSM-2.
I have a query regarding this migration: do we need a license for these two modules again for the 6513 chassis?
I am in trouble with my Cisco 1841 configuration. The "what I want to" schema: very external IP (AAA.AAA.AAA.AAA) in the internet cloud => | Cisco 1841 external IP BBB.BBB.BBB.BBB | => internal computer IP CCC.CCC.CCC.CCC
Steps (this is what I think should be done):
1. Find all packets from A by ACL
2. Route the found packets through the Cisco 1841 directly to the internal IP address
I have a problem with traffic coming from a GRE interface and going further through the FWSM on the same 6509-E chassis. It's very interesting and confusing. If packets are fragmented, I can go through; however, if I use normal packets (a usual ping, for example), traffic goes from outside to inside and stops on its way back.
Here is the detailed info: WS-C6509-E with WS-SUP720-3B, FWSM HW 4.0, SW 4.1(4)
GRE is done in hardware (the source is a loopback interface - only one loopback per GRE tunnel).
Our customer is experiencing really bad performance when running 10 Gig traffic through the FWSM on a C6509. Tests with 1 Gig traffic are providing fine results, with performance as expected in this document: url... I have made a simple drawing so everyone can understand the setup:
The issue is when running 10 Gig traffic between NetApp servers. This traffic is going through the FWSM and the performance is really bad: around 50 Mbit/sec. If the traffic is not going through the FWSM, the performance is around 900 Mbit/s.
The customer and I think that the issue is related to the buffer in the C6509 and the FWSM, which has big trouble managing the 10G to 1G traffic conversion between the C6509 and the FWSM 6G EtherChannel connection.
When running 10G traffic through the FWSM, the number of output drops is increasing, as you can see in the output below. The last thing which is weird is that the speed is showing 1000 Mbits and not 6000 Mbits. [code]
I have FWSM v4.0 installed on a Cisco 7609 router, and when I want to configure FWSM services on it, VLAN traffic is not passing through the FWSM or not reaching up to the FWSM.
We have 2 FWSM modules in each 6500 switch. The 1st module has 04 firewall VLAN groups with 18 VLAN interfaces in a single-context firewall. All are working fine with no issues. Recently we created one more VLAN on the MSFC and added it into the same firewall module. However, the newly created VLAN inside the FW is not able to communicate with outside, and also outside users are not able to reach the newly created subnet. But within the firewall zones (other interfaces) it can communicate. Once we did a packet capture we noticed that it's hitting the firewall outside interface only, and when we ping we get a TTL expired error. We have default routes to outside and there's no route inside, as the new segment is within the firewall (no hop).
I guess there's no limitation on the number of VLANs that we can assign to one firewall, even though there is a limitation on the number of VLAN groups, which is 16 max (but we are within that limit).
I have a Sup 32 (WS-SUP32-GE-3B). I don't find any MSFC card? Is there any command to check if the MSFC is present or offline/online? Also, will I be able to upgrade IOS for this Sup without the MSFC?
If we have a CatOS 6509 and MSFC and we need to connect a new building with L3, I want to do a static route between the two networks. I need to put an IP on the interface of the switch; should I put this IP on CatOS or on the MSFC?
Switch(config)# interface fastethernet 2/1
Switch(config-if)# ip address x.x.x.x x.x.x.x
In CatOS, if I want to do it like the above command, what is the command?
We have built some policers to apply to VLAN SVIs on our 7613 so that we can rate limit input and output traffic. We followed the Cisco formula and got this:
policy-map vlan-shape-3meg
 class class-default
  police cir 3000000 bc 562500 be 1125000 conform-action transmit exceed-action drop violate-action drop
There have been some complaints about this not actually meeting the limit. When I do a show policy-map interface xxx I get this. Based on that, it looks like the Be value is being changed to match the Bc value.
On a separate note, I noticed that every policer we built with the Cisco formula actually ends up with a Tc greater than the max Tc of .125 seconds. It seems odd that a recommended formula would end up creating values outside the maximum limits allowed by the software.
I'm not a QoS expert, so if any of this seems like basic stuff it's just because I'm a little slow on QoS.
One other thing... in order to apply policers input and output on an SVI, does mls qos vlan-based have to be configured on the trunks tagged with the corresponding VLAN?
I have a Cisco 7613 router and need to connect a site using optical fibre (BSNL) on a gigabit port; we will use a converter to convert the optical signal to electrical. What configuration must be done on the router to ensure this point-to-point fibre connectivity between my router and another router at a different POP?
I have a Cisco 7613 on my edge (MPLS backbone). CPU utilization is shooting to 100% at frequent intervals. When I tell the vendors managing the device, they tell me that it is happening due to one of my servers (connected on a Fast Ethernet port of 100 Mbps) generating heavy traffic. My questions are:
1. Can a router of 720 Gbps capability be choked due to traffic generated by a 100 Mbps link?
2. Interrupt CPU process utilization is well below 10% at the said time. The BGP router process consumes most of the CPU. Does this mean that the server in question is generating too many routing updates?
3. Is there any way that I can limit routing updates on a particular link?
4. How to check which link is causing more CPU utilization?
We have a 7613 with a WS-SUP720-3BXL running 12.2(18)SXF11. We have a 48-port WS-X6748-GE-TX that has one interface that keeps getting output drops for anything over 200 Mb/sec.
See the attached file which has more details and show results.
I have been using the Cisco 7613 and FlexWAN with a PA-8E1-IMA port adapter. It has been used for ITP (SIGTRAN). Today, I attempted to enter the Port Adapter 13 1 module using the "attach" command. But I couldn't do that, and I could see the error message below: "RTTYC_ATTACH_REQ Failed with return code 2, aborting". This module (13 1) is working normally, but why can't I enter the PA?
What would cause an interface to show up/up (looped), but you still can't ping that loop?... It is on a Cisco 7613 with an Enhanced FlexWAN (WS-X6582-2PA), with a Mx Serial PA, 8 ports (73-1580-10), and running IOS ver 12.2(33)SRE2 [code]
We have a Cisco 7613 router with SSO redundancy configured, with two Sup 720-3BXL running the 12.2(33)SRC1 image. Even though I've configured SSO, my standby sup remains in COLD state with the following logs generated.
Mar 20 22:07:32.514 IST: %ISSU-SP-3-PEER_IMAGE_INCOMPATIBLE: Peer image (c7600s72033_sp-ADVENTERPRISEK9-M), version (12.2(33)SRC1) on peer uid (8) is incompatible
Mar 20 22:07:32.514 IST: %ISSU-SP-3-PEER_IMAGE_INCOMPATIBLE: Peer image (c7600s72033_sp-ADVENTERPRISEK9-M), version (12.2(33)SRC1) on peer uid (8) is incompatible
Mar 20 22:08:48.263 IST: %PFREDUN-SP-4-INCOMPATIBLE: Defaulting to RPR mode (Runtime incompatible)
[code]...
These logs say that, for some reason, the configuration is not being synchronized between the active and standby sups, and hence the redundancy mode remains in RPR mode and SSO is not achieved, and hence the COLD state. However, I couldn't find a reason why the configuration was not being synchronized. I issued the command redundancy config-sync ignore mismatched-commands, and everything worked fine; SSO was achieved and the standby sup came to HOT state. Now my queries are:
1. Why was the configuration not synchronized, and why did the standby SUP go into COLD state?
2. Since I issued the suggested command, at least some of the mismatched lines in the configuration will be ignored. Will that create a problem when my active sup fails and the standby becomes active?
I have two ISPs. Each is on its own subnet connected to the 6509 MSFC/switch. FW1 is on the 100.1.100.0/30 subnet and FW2 is on the 200.1.200.0/30 subnet. My goal is to route all traffic going to the Internet from subnet 10.133.3.0/24 to FW1 and all other subnets across the organization to FW2. I am not sure if I need to use an ACL / static route combo, or just static routes, or ACLs?
I was wondering about a command of the Linkset subcommand on the ITP 7613. I have been using the Cisco 7613 chassis for the ITP (SIGTRAN) service.
However, I know that the "tx-queue-depth" command is used for the SCTP multihoming buffer size between the primary and secondary path in Link subcommand mode, but I can't adjust the changeover buffer size (retrieval buffer) between one link and another link in Linkset subcommand mode. It's above my comprehension.
My guess is that it is related to the "plan-capacity-rcvd" command. Is that right? I want to know the command that adjusts the buffer size of link changeover.
I used the "ip routing" command in order to enable inter-VLAN routing, for example with a Cisco 3750. I have a Cisco 6503 with a SUP720 MSFC3. I was able to create some VLANs but I cannot configure inter-VLAN routing.
sw#conf t
Enter configuration commands, one per line. End with CNTL/Z.
swsur(config)#ip routing
If I want to send a packet from one host to another host through a router, how will the packet be sent? I mean, what are the stages a packet goes through to reach the destination?
Can I move my Linksys router to a new computer and keep all the settings and MAC addresses that are set up, or do I have to reset it and start all over again? I'm also installing a new modem.
I'm upgrading ASA firewalls from a 5510 (running 8.2.2 code) to a 5515-X (running 8.6.1 code). What is the best way to move the existing config to the new firewall? Can I simply copy it?
I have two SSIDs on my 1130ag, each with different security. When I use WEP I can get my email on my Droid. When I connect to the second SSID and use wpk, I can get to the Internet but my email will not move in Exchange.
I'm trying to move the config from a 3750 to a 3750 PoE but without using the PoE options. I have already downloaded the config with TFTP and uploaded it to the 3750 PoE. Now the new config is stored on the PoE switch but some of the old settings are still there. Not sure why; I think the config only overwrites the settings which are in the conf file, and the settings which are not in the conf file but enabled on it will stay on the switch. After the upload of the config file I deleted all the config I do not need by hand. There are some settings I can't delete and I don't know why; these are the settings:
1. Each FastEthernet port has this option: "no cdp enabled". This entry was not available on the old switch; is there any possibility to remove this entry?
2. The same for "no mls qos rewrite ip dscp".
3. And for this one: "vlan internal allocation policy ascending".
I'm trying to move some configurations over to an ASA 5510 and some of the commands are a bit different than I'm used to (I worked on an old PIX before).
I've configured the following on the device:
Outside interface: 65.66.64.34/28
DMZ: 65.66.64.49/28
Inside: 10.2.3.3/26
===========================
The current firewall (old Juniper) has the below configured on it:
10.2.3.0/24 gateway 10.2.3.15 **10.2.3.15 is the IP for the 3750 switch on the inside LAN**
10.0.0.0/24 gateway 10.2.3.4 **10.12.175.4 internal VPN - will remove later but that's a different discussion**
0 0 gateway 65.66.64.33 **to internet**
10.0.1.0 gateway 10.2.3.2 **10.2.3.2 represents MPLS traffic**
[code]...
The current setup for this network has an MPLS router and a VPN concentrator as part of the network. My aim currently is to replace the Juniper with an ASA 5510; the changing of the VPN tunnels will be for a different time:
workstation ===> switch (3750) DG to =====> MPLS (vendor owned and managed) ====> non-MPLS traffic ====> VPN concentrator ===> firewall ===> router
The above will need ACLs to go with the routes, which I should manage OK; I just want to make sure the routing is configured properly.