If I want to use the command match protocol xxxx when configuring traffic classification for QoS, is necessary to have the following licence?
-FLASR1-FPI-RTU
-Flexible Packet Inspection RTU Feature License for Cisco ASR 1000 Series.
My Company use Core Sw 4507R-Sup 7L-E with Enterprise Services License. I has upgraded to use iOS cat4500e-universal.SPA.03.03.01.SG.151-1.SG1.bin
When I use match protocol in class-map, there are only about 10 protocols, and not have those ones I need. I intend to expand the list of protocols to do some Policy-map by loading PDLM. But 4507 is no longer support NBAR. So do we have another way to set Catalyst 4507R with Sup 7L-E recongnize more protocols in match protocol command?
I'm trying to configure an Cisco 1841 with IOS 12.4 to an FTTH conection.I would configure PPOE protocol in the vpdn-group 1 but I can't see this option in the command line,I have read about the command "bba-group pppoe global" but i'm not sure if it has the same result. It's valid? How can I use the bba-group pppoe global¿? I need to use it with a virtual template?
View 9 Replies View RelatedI've got a problem with an ASR1004 running "asr1000rp2-adventerprisek9.03.02.00.S.151-1.S.bin".
When I'm performing extended ping tests using a tclsh script i'm geting this error message:
ASR_X1A2#ping 172.27.1.250
% Authorization failed.
When i'm pinging 12 diffrent destinations this happens to about 3 of them.
Checking the logs I found this:
Apr 24 19:42:56.071: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection
In my entire backbone this is happening only in this equipment, I've checked the connection between my ASR and the TACACS and it's OK, no packet loss. CPU and MEM are OK too.
I have just got a ASR1004 and try to upgrade it, but, I can not find the instruction, I guess it may just same as other production by copy. but, it is good to see in writing.
View 1 Replies View RelatedAs U know cisco feature for frame-relay is creating mfr link and binding them to physical interfaces I did so but my MFR links doesn't get up?
PS. router is ASR1004
frame-relay switching
interface MFR0 description Virtual FR ---> Serial0/0/0 no ip address encapsulation frame-relay IETF frame-relay lmi-type ansi frame-relay intf-type dce frame-relay route 908 interface Serial0/0/0 908!interface MFR1 description Virtual FR ---> Serial0/2/4:0 no ip address encapsulation frame-relay IETF frame-relay lmi-type ansi frame-relay intf-type dce frame-relay route 900 interface Serial0/2/4:0 900
interface Serial0/0/0 (Smart serial interface) description Serial ---> E1 no ip address encapsulation frame-relay MFR1
interface Serial0/2/4:0 (E1 serial interface) description Link ---> S no ip address encapsulation frame-relay MFR0
Ever since we switched to ASR1004 running XE15.1(2)S1, we have seen that the output of "show ip cache flow" stalls and is super slow to complete. We have a few interfaces with "ip flow ingress" defined. What can be causing this slowness? Any recommendations of commands to speed up the output?
View 1 Replies View RelatedWe faced with problem after upgrade ASR from 12(2) 33 XNE2. I know that this is an old XE release but our Radius deny authization from ASR with more new XE version. Here is our radius attribute configuretion:
!
radius-server attribute 44 include-in-access-req
radius-server attribute nas-port format d
radius-server host x.x.x.x auth-port 1812 acct-port 1813 non-standard
[Code]....
How can I add in my configuration that ASR send necesserry NAS-Port-Type - VPDN
I couldn't found out any info ((( for radius-server attribute 61 extended
We have pair of Cisco Nexus 7018 with four eight port 10gig modules.I have created two VDC's with mixing 10gig ports from diffrent modules.Now we requied some one gig SFP ports and we are planning to buy 48 port 1gig sfp+ card.My question is can
1- Can I still mix and match 1gig and 10 gig ports in two different VDC's? (1-24 for VDC1 and 25-48 for VDC2)
2- All 48 port module hve to allocate to one VDC which alreday have all 10gig ports.
I have a problem with latest Anyconnect Mobile clients, on any device(iPhone,PC..) I have this error message.Anyconnect cannot verify the VPN serverAll certificates(rootCA,userCER) - installed on client side, all of them are trusted.
View 1 Replies View RelatedI'm getting an "ACL does not match proxy IDs" error that I'm not able to troubleshoot, googled this with a lot of results, tried some; but nothing applied.I have setup 2 tunnels, 1/one from a pix 515e (office) to an ASA 5505 (hosted server) for my guys to access the hosted server2/A second one from the ASA 5505 to my client's firewall so that its equipments can reach the hosted server and from the hosted server reach the equipments.Both tunnels are working fine, my issue comes when I'm trying to join my clients equipments from my office, ie cascading the tunnels.
This is the first time I'm trying to cascade some tunnels, no issues with other vpns I have been building.I'm joining the configuration of the pix and the asa and an extract of the syslogs showing the error, any obvious error I haven't seen!
I am currently using a Cisco 1751 w/ 1-WIC-DUS-T1 to connect our branch locations via Frame Relay. I will be adding 2 new locations in about 2 months. What is the 1800 series match for the router I currently use and is there and performance advantages?
View 2 Replies View RelatedThis is happening to me to multiple computers on my domain. When it happens i can only log in as a local user or if I unplug the network cable, log in and then re-connect the networkThe time on all these machines is correct within at least 1 minute but still it's throwing off this error. When reading about this problem I see many fixes that all relate to how to sych the time on the PC.
View 1 Replies View RelatedData link-ARP,RARP, presentation-SSL,TSL,ASCII,JPG, Session layer-ASP(apple talk session protocol),SCP are these correct?can your provide 2 new protocols for each with the long name?
View 17 Replies View RelatedOn the laptop, the info bar is on the left side, the website tabs on the top, this shifts the other computers screenview down and to the right, it also cuts off the right side and bottom, with still leaving space on the right side and bottom. The pointer on the lap top does not line up with the desktop, because the screen is shifted, but only a portion of the screen is visible anyway. I used the same password and log in on both computers, don't know if they have to be different.There is full a screen option at the top right, but this causes the top tabs and info buttons on the left side to go black.
View 3 Replies View RelatedI live in a shared house, and I am the only one who has been experiencing issues connecting to the internet. I have to ask a housemate to reset the server, as this is the only thing that works.
When I am unable to connect, and I use command ipconfig, the following appears: Autoconfiguration IPv4 169.254.23.29 On the occasions when I am connected, the following appears in its place: IPv4 IP Address: 192.168.0.2
One tip that I came across was to check the box (Wireless Network properties, Connection tab) for "Connect even if the network is not broadcasting". I had hoped this simple solution would assist, but to no avail.
We have some ME3800MX router/switches running ME380x-UNIVERSALK9-M), Version 12.2(52)EY2. The Cisco website says:
The switch does not support these Cisco IOS router ACL-related features: # •Non-IP protocol ACLs (see Table 26-1) or bridge-group ACLs
how we would match ICMP traffic then?
We have an HQ site with a 2811 (w/ADVSECURITYK9-M) acting as the firewall. We currently have 1 ASA5505 that has an established ipsec l2l VPN. I'm trying to connect a 2nd ASA, but I've noticed I can only add 1 cryptomap to the outside interface. A show ver shows 1 Virtual Private Network Module... Surely that doesn't mean only 1 VPN?Do I use one crypto map, and add a second 'set peer' & 'match address' inside the crypto map itself?
View 10 Replies View RelatedI've Cisco7609-S with IOS 12.2(33)SRC2 met an issue is that "show ip route x.x.x.x" and "show ip cef x.x.x.x" shown next-hop is not actual switched next-hop.
For example, "show ip route 192.168.1.1" and "show ip cef 192.168.1.1" shown correct next-hop is 10.1.1.1, but the traffic destine to 192.168.1.1 actually not through 10.1.1.1, but always through the default route next-hop. Everything works normal after rebooted the router. Suppose it should caused by a bug? BTW, my Cisco7609 is runing BGP with ISP which received about 10K routes.
is it possible to construct the L7 HTTP class-map expression to match all URLs except one? I have 1 correct url, for example: /correcturl.* and want to redirect requests to all other possible URLs to this one, without the need to list them all in "possitive match" statements.
View 6 Replies View RelatedI have a 10Mbps connection link which I will like to reduce to 5Mbps on a 6509 switch as indicated in the config below. [code] After applying the service policy on the vlan interface, i got this "match vlan is not supported for this interface". I actually tried the rate limit command but I cant see the effect using the speedtest.
View 2 Replies View RelatedI created several rules to balance on a specific server somes apps. Everythings works great in http but no in https.In my example, i would like [URL] to be redirected to my server2 but it's always using the default rules instead of the L7CLASSSrv2. Today [URL] is well redirected. All other apps are correctly loadbalance with the stickyness effect but I can't handle the https connections.
class-map match-all L4-WEB-IP
2 match virtual-address xxxx tcp eq www
class-map match-all L4-WEBHTTPS-IP
2 match virtual-address xxxx tcp eq https
class-map type http loadbalance match-any L7CLASSSrv1
[code]....
I am running ASR1002 with latest XE IOS version asr1000rp1-adventerprisek9.03.02.01.S.151-1.S1.bin configuration bellow
router bgp 65000 bgp router-id 1.1.1.1 bgp log-neighbor-changes timers bgp 5 15 ! address-family ipv4 vrf LABR01-VRF bgp router-id 1.1.1.1 neighbor bgprrclient peer-group neighbor bgprrclient remote-as 65001 neighbor bgprrclient password 7 1234 neighbor bgprrclient update-source Loopback0 neighbor bgprrclient version 4 neighbor bgprrclient route-reflector-client neighbor bgprrclient route-map set_weight in I then tried to create new route-map and get error that match next-hop can not be used on inbound
route-map set_weight permit 10 match ip next-hop prefix-list thirdparty match as-path 1 set weight 1000
LAB-ASR1002(config)#route-map set_weight permit 10LAB-ASR1002(config-route-map)# match ip next-hop prefix-list thirdparty% "set_weight" used as BGP inbound route-map, nexthop match not supported% not supported match will behave as route-map with no match% "set_weight" used as BGP inbound route-map, nexthop match not supported% not supported match will behave as route-map with no match% "set_weight" used as BGP inbound route-map, nexthop match not supported% not supported match will behave as route-map with no match% "set_weight" used as BGP inbound route-map, nexthop match not supported% not supported match will behave as route-map with no match% "set_weight" used as BGP inbound route-map, nexthop match not supported% not supported match will behave as route-map with no match Not sure why Cisco is not supporting a pretty basic feature for BGP route maps.I tried looking into matching other variables but I am unable to get same result as I have same routes on bgp table from multible inbound peers.
I also get this message when configuring tacacs. I looked for "new" cli but no luck:LAB-ASR1002(config)#tacacs-server host 2.2.2.2 This cli will be deprecated soon. Use new server cli
i want to ask , how to match youtube in my qos, i want to give youtube the best priority in the rush hour. currently im using an acl that match the ips of youtube but i think its not sufficeitt :
View 5 Replies View RelatedI am setting up officeexten. I have placed the officeextend wlc in the dmz with an mgmt ip of 192.168.10.2. in the process of anchoring this to the internal wlc. Also the ip on the firewall for this interface is 192.168.10.1
1. does the mobility group need to match the same on the internal wlc ?
2. Now do i need a NAT transnational on the firewall for the external WAN ip (AP primed address say 66.10.10.10) to NAT back to 192.168.10.2 ?
3. The 5508 WLC is running on ver6.0.199.4 (license level base) - will this support office extend?
While on facebook I search a friend and in the search bar it says we have say 10 mutual friends however when I click this person to and view their profile it suddenly says we only have 8 mutual friends.An even stranger thing is I have a friend on facebook (she has her friend's list hidden) who will appear on MOST mutual friends lists of others I am also friends with. However she won't appear on two of my friend's mutual list when I am CERTAIN she is friends with them and also she will appear on mutual lists of some I am not friends with but also fail to appear on mutual lists of people I'm not friends with but I know she is. TO SUMMARIZE:1.) why doesn't the mutual friends number match up. it will say 10 mutual friends but show 8.2.) why does she not appear on some lists but does on others when I KNOW she should be on the others know of any scripts to just see hidden friend lists?
View 1 Replies View RelatedI'm trying to get an HP laptop running Win7 to see a desktop running WinXP on my network (both wired and wireless) When I run the troubleshooter in Win7, it tells me "system clock does not match local time" as the reason. I have a Belkin wireless router attached to my cable router. I have updated the system clock via the internet on the desktop and checked the time setting in BIOS. These seem to match. I have googled around on this and can't find any accounts similar. My son's Vista laptop and the Win7 laptop have seen each other since day one. The laptop and desktop did see each other at one time, but the connection was lost after I went to a hotel and changed public network settings temporarily. I can ping the desktop from the laptop, but it times out when pinging the laptop from the desktop. I'm running an avast firewall on both, but can't see a problem there.
View 6 Replies View Relatedwe have bought 2911 router recently has to set up VOIP line seperately for the network we have two two broadband service provider:
1. how can i use 1 line as an active and other line as a failover(when 1 line is down other line should automatically bear the traffic).clear config will be useful. NATTING using MAtch address objects( roughly )
broadband service provider 1: 97.89.X.X 255.255.252.0
broadband service provider 2: 10.0.x.x 255.255.240.0
2. there are only 20 users to set up a voip line now. here we have telecom provider where they should route the traffic to make any international calls( say telecom public ip 200.200.109.110)from lan - wan everything is allowed from wan -lan we have to allow only telcom provider IP(200.200.109.110)
we're using openldap for authorising our user to connect to the webvpn via our ASA.We'd like to rely on operational attributes to do some DAP matching. This is an example of how a user record looks in our LDAP tree:
# extended LDIF
#
# LDAPv3
[Code]......
Are LDAP operational attributes supported at all by the Cisco ASA?
I have configured a lab for RA VPNs with a ASA5510 software version 8.2 and VPN Client 5 using digital certificates with Microsoft CA on a Windows 2003 server. I did the configuration based on this document from Cisco website: URL
Now the vpn works just fine, but now I need to configure different tunnel-groups so I can provide different services to different users. The problem I have now is that I don't know how to configure it so the certificate matches the tunnel-group name. If i do a debug crypto isakmp on ASA I get this error messages:
%ASA-7-713906: IP = 165.98.139.12, Trying to find group via OU...%ASA-3-713020: IP = 165.98.139.12, No Group found by matching OU(s) from ID payload: Unknown%ASA-7-713906: IP = 165.98.139.12, Trying to find group via IKE ID...%ASA-3-713020: IP = 165.98.139.12, No Group found by matching OU(s) from ID payload: Unknown%ASA-7-713906: IP = 165.98.139.12, Trying to find group via IP ADDR...%ASA-7-713906: IP = 165.98.139.12, Trying to find group via default group...%ASA-7-713906: IP = 165.98.139.12, Connection landed on tunnel_group DefaultRAGroup
So basically when using certificates I always connect the RA VPN only with the default group DefaultRAGroup. Do I need to use a different web enrollment template for certificate request instead of the user template??? How can I define the OU on the User certificate so it matches the tunnel-group???
I change DHCP scope to match corporate IP scheme Friday came back To discover only some stations picked up new leases from the scope.
View 2 Replies View RelatedI had a problem earlier today upgrading to a new N router. All PCs in the house connected wirelessly except my laptop which I got the message below.The settings saved on this computer for the network do not match the requirements of the network.
View 1 Replies View RelatedMy wife's laptop will disconnect from our ATT Netscape router/dsl modem. The error we get is that the "security types do not match" ultimately we have to reboot the router and then her laptop will connect for a while. (we do not have this problem with any other devices that use this wifi connection.
View 1 Replies View Related