I am looking at this doc to use an ASA + 2911 to do Policy Based Routing with multiple ISPs.From the linked doc, under the PBR scenario, what should the IP addresses be for the routers connection to the ISPs? It isnt labeled.
I'm on my way of taking the CCNA Exploration, and even though I haven't got to the LAN Switching and Wireless course, one question does bug me. In your average LAN, does your average switch has an ip address, or is it a 'dumb' device like a repeater ? Is the same true for layer 2 switches and layer 3 switches or is there a difference in terms of IP addressing ? Can you even assign an IP address to a switch ? Would you want to do that and why ?
I have a IBM T23 laptop that I have reformatted and am trying to log onto my wireless internet via a linksys pcmcia card which When I try to connect it tells me I have private IP address and I am not sure how I can reconfig so that I can connect via my router to the internet.
Keep getting DHCP timeouts 169.254.x.x addressing. I think that the client laptop is not giving a response to the REQ from the DHCP server. Am I correct in my interpretation of the debug?
00:21:d7:93:f9:40 from Disassociated to Idle *apfReceiveTask: Jan 18 13:48:24.162: 58:94:6b:d0:41:08 0.0.0.0 DHCP_REQD (7) Deleted mobile LWAPP rule on AP [00:21:d7:93:f9:40] *apfReceiveTask: Jan 18 13:48:24.162: 58:94:6b:d0:41:08 Username entry deleted for mobile *apfReceiveTask: Jan 18 13:48:24.162: 58:94:6b:d0:41:08 apfMs1xStateDec *apfReceiveTask: Jan 18 13:48:24.162: 58:94:6b:d0:41:08 Deleting mobile on AP 00:21:d7:93:f9:40(0) *DHCP Proxy DTL Recv Task: Jan 18 13:48:37.073: 58:94:6b:d0:41:08 DHCP received op BOOTREQUEST (1) (len 308,vlan 0, port 29, encap 0xec03) *DHCP Proxy DTL Recv Task: Jan 18 13:48:37.073: 58:94:6b:d0:41:08 DHCP processing DHCP DISCOVER (1)
I have been assigned to create a basic IP Addressing Scheme. The company has a single class B private address range of 172.16.11.0/16 and it needs to be divided into four subnets. They are all based on a single router.
I am carving up an internet Class C for customer. This class C is used by 3 distinct QA, Corporate and Production firewalls. I want to carve up IP space so there is a /26 for each environment. The issue I have is the firewalls may need communication with each other via the public IP space. Currently I don’t have any L3 switches in between the firewalls and the edge internet router. So with subnetting, it would seem I need to push everything through the internet router for the intra-firewall communication.I would rather not push this traffic through the edge router, so I came up with an idea to allocate all firewall outside interface IP’s in the 4th (last remaining) /26. That way, I can allow firewalls to communicate over the primary interface IP’s, which will all be in the same subnet – without going through a routing “engine”/device.
For the actual environment subnets (NAT's on respective firewalls), I create a static route on the edge router pointing to each of the firewall’s primary IP’s for the respective environment routes (the first 3 - /26’s).This is still a beta design, but I have done this before on small scale when ISP gave me 2 subnets for example, assuming I was going to put a router in between the customer firewall and ISP. I would use the “routed subnet” on the ASA interface, and then pull the NAT’s from the other subnet. The ISP would have to add a static route directing the NAT subnet to the “routed subnet” correct IP - which would be the firewall outside interface primary IP.I recently found out that with ASA OS 8.4.3 and up, ASA will not proxy arp for IP’s not in its local interface subnet. This means the ISP/router will have to assign static ARP entries on the edge router. This can get messy after the first few NAT entries. So I am debating the design now. I think this kind of stuff going forward won’t be worthwhile with newer ASA 8.4.3 code.
How to communicate between different ASA’s, while still carving up the Class C into usable smaller subnets? The primary reason for doing this in the first place is to support routing on the edge router. I am thinking it might be time to ask for another Class C to do the routing functions, and keep the firewalls all at Layer 2 in one /24 - Class C?
I am getting ready to setup avtice/standby failover on our ASA 5520's and have run in to an issue.I currently only have one External IP address available. My Idea was to use a private/placeholder IP address for the standby external IP Address, will this cause any issues with the failover? I know I won't be able to access the secondary from the outside, but that is not an issue.
I have one router 2911 with the following image c2900-universalk9-mz.SPA.151-4.M4.bin I have two IPS on this routers and I tried to configure the IP SLA on this and I`m not able to do it and I don´t know why. I can configure almost everything but not the IP SLA command.this is the config:
track 10 ip sla 1 reachability delay down 10 up 1 ! track 20 ip sla 2 reachability delay down 10 up 1 !
What I need to do in this case? or why cannot configure the IP SLA?
I have a cisco 2911 router that is located in my head office LAN and I use this router to connect to my branch networks. I want to configure IP SLA Monitor on this router to track my WAN Links but it does not support the command IP SLA Monitor. My IOS VERSION is c2900-universalk9-mz.SPA.151-2.T1.bin. how I can configure IP SLA on my router.
I have a router Cisco 2911 with two possible Wan interfaces out and a backup configuration using IP SLA. When the Primary Interface goes down the traffic is automatically rerouted through the Backup Interface, but the problem I have is that when the traffic is going through the Backup Interface (because the Primary is down) if the Backup Interface also goes down, if the Primary goes up, the traffic is not automatically rerouted to the Primary Interface. And it looks to me like it keeps trying to goes out the Backup Interface and cannot see that the Primary is down. I guess that the pings are going out the backup Interface and as it is down the router doen't receive any anwer to the ping and doesn't change to the Primary.
The main configuration related to the IP SLA is this:
! track 1 ip sla 1 reachability ! interface GigabitEthernet0/0 description backup Interface ip address 175.xx.xx.10 255.255.255.252 ip nat outside [Code]....
We have 2911 with HWIC-4ESW. System image file is "flash0:c2900-universalk9-mz.SPA.152-1.T1.bin"_2911#sh inv NAME: "CISCO2911/K9 chassis", DESCR: "CISCO2911/K9 chassis" PID: CISCO2911/K9 , VID: V05 , SN: FGL16011005
The problem was that HWIC-4ESW no longer pass traffic although showing that the interfaces are up rebooting the router solved the problem. What IOS is more stable and not subject to this problem?
Recently i attempted to build a LAN 2 LAN VPN tunnel from an Asa to a 2911 running zone based firewall. This was a standard IPSec psk tunnel nothing fancy. I got the tunnel to establish but i could only get traffic to encap on the Asa side and decap on the 2911 side. I couldn't get return traffic.I followed this doc here for classic IPSec in the last example. URL
And I am sure the Asa is right I built a ton of those but I am new to zfw. I did not see anything about a NAT exempt rule. But since everything uses real IPs instead of NAT I wasnt sure and I could not find any info. Do I need to do NAT exempt? If so do you use a route map on the end of you NAT overload config line like in the past?
Also I have a zone-pair to "self" and I was not sure if I needed anything there to be able to ping the inside interface of the 2911 when the tunnel is up from the remote end.
I have to build HA environment, at the moment we have only one R1 and WAN1 but company wants to buy R2 + WAN2 and have HA between the routers, in case R1 or WAN1 goes down the other router will take over.
What would be standard methodology nowadays to do that - does HSRP will do what I need or it is better do some other way?
I have a problem I am running into... I replaced a 2621 with a 2911. The 2911 has three interfaces and I need to use all of them... Description:
gige0/0 dhcp static IP from ISP, public IP, they assign me 4 more usable public IPs gige0/1 broken into four VLANS, 108, 109, 120, 127, ip nat on 109 for them to get to the internet, and a static translation on 127 for the phone system to get to the internet gige0/2 assigned another public IP. A tenent has a linksys router on this interface, they want a public IP.
The problem is that this setup worked, but when we moved to the 2911, some nat translations are failing, and we would like to figure out how to minimize the number of public IPs we use (right now it is three + the static assigned dhcp). The nat that is not working is the nats to the 2001-3001 range. I am not sure why it is failing, but the router seems to indicate it thinks some of these overlap. This router is also doing a vpn to an asa... that seems to be working fine.
Current configuration : 6072 bytes ! ! Last configuration change at 14:31:44 UTC Thu Aug 2 2012 ! NVRAM config last updated at 14:31:50 UTC Thu Aug 2 2012
I've got a 2911 with a primary ethernet link to the ISP, with BGP running over it. There's also an ADSL module in it, which will connect into the same ISP AS. how do i configure BGP over the ADSL so that it sits there doing nothing until the primary link fails? Do i need to setup a new instance of BGP with a different AS on the router or can it sit in the same AS as the primary link?
I thing that i find some bug in the newest IOS 15.1.4M.
The case is falow:
I start to configure failover for the costomer - make default route, make the default path but i cant find the comand IP SLA monitor. Is some meet this problem with this IOS or just Cisco make some chenge in the CLI commands?
I have a 2911 router that I am trying to use a h.323 gateway for faxing purposes.Right now I can 4 digit dial and 10 digit the number and my analog phone answers, but when I try to place a call I get a fast busy immediately (as soon as I pick up the receiver)
Were bringing up a new site shortly and I'm trying to configure Serial0/0/0 which will be connected to an MPLS over 1.5m T1 line. I am basically doing a simular configuration as other sites where one of the ethernet interfaces is handed off from a fiber optic wan, but a T1 MPLS is connected to a WIC card and this provides a redundant path (though slower) in case of a fiber cut or equipment failure. This should be pretty straightforward but it appears as if I have no serial interface on this router. Card is in and everything, it is a VMIC-3-1MFT-T1/E1 in EHWIC 0.
I want to connect a RPS2300 to a Cisco 2911 router to provide power backup.I have two questions ,Easy one : if the 2911 PSU (internal Power Supply Unit) fails, how to confirm the RPS2300 provides power to the 2911 with no reboot of the 2911 ?,Tricky one : After we replace the broken PSU, will the 2911 reboot or not as power revert from RPS2300 to internal PSU ?
I purchased a 2911 router and a 25-pack of VPN licenses (PID: L-FL-SSLVPN25-K9=).I registered the license, and supplied the serial number of my router when asked.I received a .lic license file.When I attempt to install the license on the appliance, I receive an error:
% Error: Install failed. UDI L-FL-SSLVPN25-K9=:FTX1542AKJ3 on license does not m atch any device 0/1 licenses were successfully installed 0/1 licenses were existing licenses 1/1 licenses were failed to install
However, the following establishes that the serial number is correct:
SFGallery#show inventory NAME: "CISCO2911/K9 chassis", DESCR: "CISCO2911/K9 chassis" PID: CISCO2911/K9 , VID: V04 , SN: FTX1542AKJ3 NAME: "C2911 AC Power Supply", DESCR: "C2911 AC Power Supply" PID: PWR-2911-AC , VID: V03 , SN: AZS153303LY