Cisco WAN :: C2811 Separate Ingress / Egress Interfaces
Apr 14, 2011
I have a 2811 router with two FastEthernet WIC cards installed. I need traffic to go out one interface, but it's received back through another. Both interfaces have public IPs on the same subnet, and are connected directly to satellite modems. One can receive data / the other can only send.
View 3 Replies
Nov 4, 2012
I have a question that so far I haven't been able to find a suitable answer for. This is focused from an ISP perspective. So suppose I have the following scenario:
I have a BGP transit area. On each edge of my network I have an eBGP connection to the same client for redundancy. This client has his own ASN, iBGP and prefixes. I'm receiving the same NLRI from the client through both sides. Let's assume he's advertising the prefix 10.10.0.0/16 through both ends. I'm receiving it with no problems and I'm passing it along to the next providers, with whom I also have multiple ingress and egress points.
Something like this:
                                     PROVIDER A                         PROVIDER A
                                          |                                  |
                                        eBGP                               eBGP
                                          |                                  |
CLIENT A (ASN65100) --- eBGP --- MYROUTERA(ASN65200) ----- iBGP --- MYROUTERB(ASN65200) --- eBGP --- CLIENT A(ASN65100)
                                          |                                  |
                                        eBGP                               eBGP
                                          |                                  |
                                     PROVIDER B                         PROVIDER B
Let's say my client pays for 10Mb. Both links are configured to 10Mb so that each can handle the load in case the other one fails, and both are always active. So my question is:
How can I shape or police the client's traffic across multiple points of entry on different routers so that it won't go beyond the 10Mb? The same scenario applies to how I can limit traffic coming from providers A and B destined to the client's prefix 10.10.0.0/16.
I don't mean using MED, local-pref, weight. Sure, I can funnel all the traffic through one single point, but consider that I'm also trying to move away from basic routing and more into PfR, which means that I have more granular control of the flows. Perhaps there is a PfR service-policy or something that can work.
For this scenario I'm using 7200s as my routers. If there is a solution that assumes any other model, don't hesitate to post it. TL;DR: How can I police or shape across multiple interfaces on different routers?
View 2 Replies
Jan 5, 2013
I have an ASA5510 with a PLUS license. I have 2 inside interfaces, STAFF and MAIL, and two outside interfaces, OUT_STAFF and OUT_MAIL, which are on separate ISPs. Now I want to NAT STAFF to OUT_STAFF and MAIL to OUT_MAIL; because I'm having two default routes it gets impossible to do.
View 1 Replies
Oct 18, 2012
Due to special circumstances we have 2 ISP links on an ASA5510. I am trying to terminate some L2L VPN tunnels on one link and others on the second ISP link, e.g. below:
LOCAL FIREWALL
crypto map outside-map_isp1 20 match address VPN_ACL_A
crypto map outside-map_isp1 20 set peer 1.1.1.1
crypto map outside-map_isp1 20 set transform-set TS-Generic
crypto map outside-map_isp2 30 match address VPN_ACL_B
crypto map outside-map_isp2 30 set peer 3.3.3.3
crypto map outside-map_isp2 30 set transform-set TS-Generic
crypto map outside-map_isp1 interface ISP_1
crypto map outside-map_isp2 interface ISP_2
crypto isakmp enable ISP_1
crypto isakmp enable ISP_2
route ISP_1 0.0.0.0 0.0.0.0 1.1.1.254
route ISP_2 3.3.3.3 255.255.255.255 2.2.2.254
Establishing the VPN tunnels in either direction when using ISP_1 works fine: establishing in either direction from remote access users and multiple L2L tunnels (only showing one for example).
On ISP_2
1. Peer 3.3.3.3 device establishes a VPN tunnel, but the return traffic does NOT get back to devices on 3.3.3.3 tunnel.
2. The local firewall does NOT establish a VPN tunnel going to 3.3.3.3
It would seem to indicate that the problem lies with this multihomed firewall not directing the traffic correctly, either to return down an established VPN tunnel (point 1) or to initiate a tunnel if none exists (point 2).
Reconfiguring the VPN tunnel peer for 3.3.3.3 to be on ISP_1 of the local firewall, all springs into life! There are sufficient licenses etc...
View 4 Replies
Oct 28, 2012
I'm currently configuring per-port policing on a 3560 and want to limit inbound traffic to 750 Mbit:
mls qos
access-list 1 permit any
class-map SET_IF
 match access-group 1
policy-map SET_QOS
 class SET_IF
[code].....
When I test the setup with iperf I always get different results when I change the number of parallel connections. Isn't there a way to limit the throughput regardless of the number of connections (INGRESS!) like with srr-queue bandwidth limit?
View 2 Replies
Apr 19, 2012
Recently we had some performance issues with a C2811 which caused us to do some lab testing. For testing we also used a C1812. The results were quite surprising for us, as the C1812 appeared to be more efficient than the C2811. Below you can see the lab scenario and results.
1. Why is the C2811 performing worse than the C1812?
2. Is there any official Cisco reference stating the max VPN throughputs of certain platforms/models? (We are considering migration to the C2900 platform and would like to choose the right model.)
[URL]
As presented on the small diagram:
All routers had the onboard hardware VPN modules enabled and a SEC/K9 IOS version. The configuration was very simple: besides encryption there were also GRE tunnels configured and an EIGRP process for routing between the "remote LANs". The part of the config responsible for encryption:
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key ......... address ......... no-xauth
!
crypto ipsec transform-set SHA-AES256 esp-aes 256 esp-sha-hmac
crypto map VPN 90 ipsec-isakmp
 set peer .........
 set transform-set SHA-AES256
 set pfs group5
 match address .........
TEST RESULTS

iperf generated   Cisco 1812                              Cisco 2811
BW [bps]          WAN if BW [bps]     CPU usage           WAN if BW [bps]     CPU usage
                  (max of 30s avgs)   (max of 5s avgs)    (max of 30s avgs)   (max of 5s avgs)
500k              -                   -                   540k                5%
1M                1,1M                3%                  1,2M                8%
2M                2,1M                4%                  2,3M                14%
5M                5,4M                10%                 5,7M                34%
10M               10,6M               20%                 11,5M               65%
15M               15,8M               28%                 17M                 96%
16M               -                   -                   17,2M               99%
25M               27M                 48%                 -                   -
35M               38M                 64%                 -                   -
45M               48,2M               72%                 -                   -
53M               60,8M               88%                 -                   -
59M               67M                 94%                 -                   -
61M               72M                 97%                 -                   -
View 4 Replies
Mar 20, 2011
I have an office C2811 and it has three Ethernet interfaces (two onboard and one expansion). FastE0/0 is on one ISP and FastE0/1 is on another. The third is private. I have multiple site IPsec VPNs terminating on FastE0/0. I had a client IPsec VPN on FastE0/1. One of the site VPNs on FastE0/0 terminates at a colocation site. Both the site VPN and client VPN need access to the same colocation. When I connect via client VPN, I cannot ping/access the colocation subnet. I suspect this is because I have a site VPN already terminating to the colocation. Can I have a site and client IPsec VPN on the same router terminating to the same place and still work?
View 1 Replies
Apr 9, 2012
Required by regulations to implement CoPP on our routers, I installed the following configuration on a C2811 router pair with integrated DSU/CSU cards connecting a point T1. STAC compression (software) is configured on the serial interfaces and the link is often congested.
[code]...
This configuration severely degraded the IP traffic flow and I had to remove it. I don't have any practical experience with CoPP.
View 1 Replies
Feb 25, 2012
I have set up an IPsec VPN on my C2811 router, but "show crypto isakmp/ipsec sa" shows nothing. The remote endpoint is an "ASA5520". Does it indicate that the remote ASA5520 is not yet configured?
Code...
View 9 Replies
Nov 29, 2011
As above, I have a problem with a C3750e, IOS c3750e-universalk9-mz.122-58.SE1.bin, when sending AF41 traffic through it. My topology is as follows:
WAN link <----------> G0/0/2.100 - ASR1002 - G0/0/5 <---------> G1/0/1 - C3750e - G1/0/3 <--------> G0/0/1 - ASR1004
On this C3750e, I turned on mls qos and trust dscp on both G1/0/1 and G1/0/3, and nothing else is configured. On ASR1002 G0/0/2.100, I applied CB shaping for AF41 traffic.
C3750e#sh mls qos
QoS is enabled
QoS ip packet dscp rewrite is enabled
C3750e#sh mls qos int g1/0/3
GigabitEthernet1/0/3
trust state: trust dscp
[code]....
Then, from ASR1004, I send ICMP traffic with TOS set to AF41 (136) and I found out that:
1. The traffic is dropped on c3750e
sh mls qos int g1/0/3 statistics
GigabitEthernet1/0/3 (All statistics are in packets)
30 - 34 : 63 63 48 86 1534
2. The traffic never hits the AF41 class on ASR1002. Why does the C3750e drop this AF41 traffic, and what can I do to fix it?
View 1 Replies
Jun 22, 2012
I have a couple of C2960G and C3750 switches. Is there any way to filter (on an ingress port) the type of traffic? I would like to allow IP only, and discard (e.g.) IPX, or other garbage, that any device can produce. I have tried to find something about this, but the only thing I have found is the feature "protocol filter", which doesn't seem to be working on my hardware.
View 6 Replies
Jan 11, 2012
I am not able to access a Cisco 2811 router (AC operated) through the console port when I try to access it by selecting the COM port, but I am able to access it by selecting the TCP/IP option.
View 5 Replies
Jan 16, 2013
My fiance recently signed up for the Screen-wise Panel for Google research. Basically they monitor your TV usage and your internet usage. As part of the program they installed a Cisco WiFi router. I've got no issue with them logging the sites visited etc., but I'm a little worried about them possibly collecting private information (banking / work related stuff) that I don't want going out there. According to what I've read, what's supposed to happen is they replace your router with the new Cisco router. The "technician" who came in and installed the router was actually a builder and not an IT technician, and rather than replace our router he connected the Cisco router into port 4 of our router... I wasn't in at the time.
What I was looking to do is separate port 4 of my router into a separate VLAN that can access the internet, but not access anything on ports 1-3, or the wireless. However, I want to be able to see everything on port 4 from the other side (in other words I want to see "into" the port 4 VLAN, but don't want them to see out). I also wanted DHCP to assign IP addresses correctly depending on where you were plugged in. In this example the first VLAN (your current router IP address) is going to be on 192.168.1.1, and the second VLAN (the new one we create on port 4) is going to be on 192.168.2.1. This is exactly what I'm looking to do; I could then connect the kids' machines / tablets / iPods to the Cisco router and have the main machine and my work laptop on the main router... but I don't have a clue how to do it. Is this something that I am able to do with the Netgear router I own, and is it hard to set up?
View 1 Replies
Jun 2, 2012
Why is ip flow egress not functioning on a 7600? When I do "show ip cache flow", I can see only inbound flows.
View 5 Replies
Sep 8, 2011
In regards to QoS profiles on the WLC: I have applied a profile to a newly created WLAN and set the Per User Bandwidth to 512k, and it seems to be kicking in on the ingress only. Is this supposed to work ingress AND egress, or is it just designed to work one way? I have a 4402-25 with Cisco 3500 APs and am running the 7.0.98 code. If it is designed to work one way only, is there a different way to apply it ingress and egress simultaneously off the WLC?
View 3 Replies
Mar 16, 2012
I have a question regarding egress queuing on Cat6500 modules. E.g. the WS-X6704 has 1p7q4t as its egress model. My goal is to limit the priority queue to 15% of the available bandwidth. I can put weights on the WRR queues and limit their resources: "wrr-queue bandwidth 50 20 15 0 0 0 0." But this isn't possible for the priority queue. The only available command is "priority-queue queue-limit 15", but this only restricts the buffer to 15%.
At the end of the day I want to prevent the WRR queues from having no remaining bandwidth when the priority queue is saturated.
Is there an easy way to restrict the bandwidth of the priority queue, or do I have to implement some kind of policing in addition?
View 5 Replies
Dec 6, 2011
I have a 7204VXR router with Netflow. The collection for all interfaces is OK, but one interface (GigabitEthernet 1/0) is not showing the egress traffic in the graphs. The configuration has "ip route-cache flow", ip flow egress, and ip flow ingress set. But it is not showing the egress traffic.
View 4 Replies
Feb 15, 2012
Problem: My traffic coming inbound appears to be marked but is not marked when egressing.
Setup:
Ingress from encoder G3/9 ->> Egress G8/1
Default DSCP/COS map table (DSCP 24 is COS 3)
Cos-dscp map:
cos: 0 1 2 3 4 5 6 7
------------------------------------
dscp: 0 8 16 24 32 40 48 56
1. Any reason COS 3 is not marked outbound on this traffic? I'm determining this by doing a Wireshark capture off of interface g8/1. The traffic appears to be marked on the ingress correctly but does not maintain its mark on the egress. I can confirm this with equipment on other Ethernet links in production as well as my test port listed in the config below with Wireshark.
FYI: Unfortunately with my cards in the 6509 I cannot port mirror and see outbound multicast (determined through a TAC case). Because the STB does not understand tagged traffic, I set up the native VLAN for it to function. To see the multicast with tags I temporarily remove the native command and do the Wireshark capture to see the multicast. It still shows a COS setting of 0. I will try to attach a capture of a multicast packet.
interface GigabitEthernet3/9
 description Mulicast Encoder
 switchport
 switchport access vlan 962
 switchport mode access
 logging event link-status
 load-interval 30
View 2 Replies
Jul 22, 2012
Having a bit of trouble setting up our 5510. None of us have ever played with a firewall before. We've got most of the basics covered. I was able to get to the outside world to do a software update to the box, but my laptop that sits on the inside can't see the outside. We only have the default access rules in place at the moment. Our old ISA firewall rules don't really translate all that well to this new box.
View 2 Replies
Jan 17, 2012
I have a customer who requires identifying and policing traffic on egress on a 3560 trunk link. I cannot use ingress classifications because we do not know what route the traffic will take yet. The egress interface connects to multipoint wireless equipment with 4 different bandwidth point-to-point links. So the ingress traffic may be routed via any one of 4 point-to-point wireless links connected to the single egress interface. Am I correct in assuming we cannot mark in the egress direction and then put the traffic in an SRR shaped egress queue based on the marking? So we would only have the option to egress queue based on markings applied or trusted in the inbound direction? I had thought of some kind of policy-map/aggregate policer configuration based on the exit VLAN, but it seems we can only apply this type of config inbound. From reading the 3560 configuration guides it seems the 3560 cannot deploy the kind of requirements this customer needs. Perhaps they should have deployed some kind of Metro switch?
View 1 Replies
Mar 9, 2011
I have an ASA 5510 with version 8.3 and am using multiple contexts. I created a new context ABC and tried to add routes in the context for the ABC networks; it would not work. There was an error in the log stating "failed to locate egress interface". I changed the metric on the static routes from 1 to 2 and it started working. Is this normal in multi context?
View 4 Replies
Apr 9, 2013
I have an ASA 5505, in routed mode, basic license. I run a web server in the DMZ. I can reach the Internet from the DMZ. Also, the traffic from outside can reach the web server. However, if the web site is requested from within the DMZ, the request will fail, and the firewall log contains the following message:
Failed to locate egress interface for TCP from DMZ50: 30.30.30.10/49213 to 170.70.30.114/80
I don't have DNS, so the request must go to the Internet, even though the web site is hosted on the server in the DMZ.
Here is sample of my config file:
interface Vlan1
nameif inside
security-level 100
ip address 162.160.1.3 255.255.255.0
!
interface Vlan2
[code]....
What can be the reason for requests, originated in DMZ, to fail, and how could it be fixed?
View 1 Replies
Dec 18, 2011
I have an issue where I'm seeing output discards on pretty much all my ports configured for QoS. The switches are Cisco WS-C3750V2-48PS running 12.2(50)SE1. There are four switches stacked using stack cables. The QoS implemented was auto-qos with no modifications to the standard config. All ports are in queue-set 1. The phones connected are Cisco 7942s. I already did the standard checks for speed/duplex mismatch, CRCs, runts, giants, etc... No discards before the QoS was applied. No bug IDs I could find regarding these switches and this IOS version. The one thing noticed is that 99% of all the drops are from queues 2 and 4 or 1 and 3 when doing the below command.
**I've limited the cut and paste as to not clutter the discussion until someone requests something else**
show platform port-asic stats drop
Port 18 TxQueue Drop Statistics
Queue 0
Weight 0 Frames 0
Weight 1 Frames 0
[Code]....
View 5 Replies
Aug 17, 2011
When using egress netflow (v9) and output marking.
The topology: Server <-----> R1 1>-----<1 R2 2>----<2 R3
R2 is a 7200 with c7200p-adventerprisek9-mz.124-15.T11.bin. What I'm doing: R2 forwards ping packets from Server to R3. When they arrive on R2, ICMP packets are marked with CS3.
- I change the DSCP to CS4 on R2 before forwarding the packet to R3. I'm using for that an output service-policy on the R2-2 interface, like this:
interface ATM2/0.36 point-to-point
ip address 192.168.1.1 255.255.255.252
ip flow ingress
ip flow egress
[Code]....
View 3 Replies
Jun 9, 2013
I'm trying to configure egress netflow on a 6500 (VSS) with a VS-S720-10G supervisor. I found some old posts and understood that egress netflow wasn't supported on the 6500, but I found a new document and it seems that netflow is supported on Supervisor Engine 2T: [URL] Is netflow still not supported on the VS-S720-10G? It's weird because the command is accepted:
#sh run int vlan 4
Building configuration...
Current configuration : 353 bytes
!
interface Vlan4
ip address X.X.X.X 255.255.0.0
[code]....
View 1 Replies
Nov 27, 2011
We have a pair of 6509s working in a VSS configuration (IOS 12.2(33)SX5). The 6509s connect to a pair of ASAs (7.2 code) running in an Active/Standby setup. These ASAs in turn connect to routers going to remote sites. I have configured Netflow on the following VLANs:
VLAN 10 - Servers Vlan
VLAN 9 - Transit/ASA VLAN (connects ASAs to 6509s). All traffic originating from any VLAN on the 6509 crosses this VLAN in order to reach remote sites and vice versa
I configured the netflow source as VLAN 11, although I am not collecting any netflow from it. Although I have been getting lots of Netflow info, I noticed that netflow for traffic originating from any user VLAN on the 6509s going to any remote site via the TRANSIT/ASA VLAN (9) does not get reported; I even tested with 4 GB of traffic but no result. Only reverse traffic (i.e. from remote site to user VLAN) is reported as it traverses the Transit VLAN (9).
I read somewhere that egress netflow is not supported on the 6500, but isn't traffic originating from a user VLAN to a remote site via the transit VLAN (9) considered ingress with respect to the transit VLAN (9)? I would like to know whether bidirectional Netflow is supported on 6500 VLANs. I have minimum control on routers beyond the ASAs, and since these ASAs run 7.2 code netflow is not supported, and monitoring this Transit VLAN gives me extremely useful info.
I do get bidirectional netflow traffic from the Server VLAN 10, but I think it is correlated by the netflow collector from VLANs 9 and 10. [code]
View 9 Replies
Dec 12, 2012
We have a Cisco ASA 5505 in our office. Right now port 0 is configured for outside and port 1 for inside (I believe it is the default configuration). Now for security reasons I want to separate the network traffic from inside (office LAN) and WiFi. I believe, since I have 6 ports in vlan1 (inside), if I make the port which has the connection to our switch and the port which I'm going to connect to my wireless router (same vlan1) protected / isolated then this should work, but here is what is happening: the minute I save the configuration, port 3, which is supposed to be my WiFi port, loses its connection to the Internet.
I tried to make another VLAN for WiFi to separate the traffic from vlan1, but I'm not getting an internet connection on the port which has been assigned to the new VLAN for WiFi.
View 5 Replies
May 1, 2011
I have 2 PCs at home. Let's name one of them PC 1, which has two onboard LAN ports. Now, PC 1 has to connect to PC 2, just a home network for easy transfer of files and stuff, and it also has to connect to the internet via a network. The problem is both of them use static IPs, and when I tried configuring PC 1, it allows only one of the connections to remain active. I simply get an error otherwise saying "Multiple Gateways" will cause a conflict and I will be stuck with only one connection. After much study I "somehow" connected both. I vaguely remember using the "route" command in cmd to achieve this. But now, I am getting an error when I try to access PC 2. My Internet is working fine. I am not network savvy at all. I want to run both these connections from PC 1. I should add that I can in no way modify/change/or do anything else to my internet network since it is out of my control. I can do anything, however, for my home LAN with PC 2. I run Windows 7. Both the connections are wired, by the way.
View 2 Replies
Dec 12, 2011
What I am looking to do is separate my LAN traffic from my WAN traffic. The amount of LAN traffic is slowing my Internet connection. The media server is the host of all my music and movies and photos and, well, just about everything. Some of the files are excessively large and just kill the throughput for the other machines. I'm wondering if it's possible to put 2 NICs in each machine and have all file transfers on one subnet and all internet activities on another. I have heard it's possible to put multiple addresses on a single NIC, but doesn't this defeat the purpose of throughput?
Network 1 - one line diagram
Internet
Cable modem
Router/wifi
Switch 1
6 PC's 1 Media/file/print server.
All pc's and wifi use this to access internet, and all outside connections like remote desktop.
Network 2 - one line diagram
Switch 2
6 PC's, 1 Media/file/print server.
All PCs use this to stream audio and video from the media server as well as for print functions and file storage. I have most of the hardware already except the additional NICs for each machine, so if it's not feasible I'll not waste the extra money.
View 5 Replies
Nov 5, 2012
I'm trying to separate my management traffic from regular traffic by splitting the management and "outside" interface into separate VLANs, but I'm hitting a routing issue. Say I have a management network of 192.168.1.0 255.255.255.0 running across vlan 1 and I want to use 192.168.2.0 255.255.255.0 running across vlan 2 for the outside interface to send all the other traffic, excluding the management traffic, across. Tag both VLANs on the external interface, say Eth0/0, with a default route of "route outside 0.0.0.0 0.0.0.0 192.168.2.1". With this, you cannot hit the management interface because there is no route defined for the 192.168.1.0 network. However, of course, if you try to set one, you'll get the "connected route exists" error. How can I set the default route or gateway of the 192.168.1.0 network on the ASA? Switches just don't complain like the ASA does.
View 8 Replies
May 22, 2012
Our VMware guys want to use shared networking infrastructure to create a DMZ on a network.
[ASA (subif;VLAN 4)] <-trunk-> [DMZ Switch] <-trunk-> [LAN Core Switch] <-trunk-> [ESX vSwitch] <-VLAN 4-> [VM]
The DMZ switch does not participate in VTP with the LAN but will have a VLAN ID created (the same VLAN ID used from VM to ASA). No VLAN interface will be created for the VLAN.
Is this a bad idea from a security or other point of view, i.e. are there best practices that should be followed here? Should I configure the link between the LAN core switch and the DMZ switch as access ports so the port on each switch is forced to be on one specific VLAN? I was going to use the allowed vlans command to limit the VLANs that can pass on it, and possibly VTP pruning for all VLANs.
View 2 Replies
Sep 2, 2012
Is it possible to have the ASA connected to two ISPs and use the one ISP connection for client/S2S VPN and Internet access and the second ISP connection just for the WebVPN traffic? How would you manage the routing, as the default route is pointing to the first connection, or is that not an issue here?
View 6 Replies
Nov 2, 2011
I am planning the following network setup. Get a server with 2 NICs, a router and a switch. The 1st NIC is connected to the Internet, the 2nd NIC is connected to a router, the router is connected to a switch, and all the client workstations are connected to the switch to access the server. I believe with this setup all my client workstations can browse the internet on their local machine via the server.
View 11 Replies