How to successfully implement OER w/ NAT? I will have an 1841 with the 4-port EtherSwitch module that will have 3 cable modems connected, utilizing Cisco's OER to use all 3 links for outbound Internet traffic. However, I am concerned about NAT. The only other interface used on the 1841 will be the connection to the local LAN (inside). I'm thinking this will require a loopback, but I'm not finding anything on CCO to back me up. Is it possible to just let the CMs do NAT? 1 CM is a static IP and the 2 others are DHCP.
I have a problem with a Cisco Cat. 4507 edge switch: when I have an SSH login session to the switch, the supervisor engine restarts and the redundant Sup. engine becomes the active, and so on. This problem mainly happens when I have multiple SSH sessions to the switch, and it happened very rarely with a single SSH login.
The IOS version I use is cat4500-entservicesk9-mz.122-54.SG, which I'm using on all my edge switches, and they are all working fine except this one.
Today I'm going to be reorganizing my network, kind of, and I just wanted to get a second opinion. Right now I have an ASA 5510 and a Cisco 2911 and a Cisco 2960 (and I have two more 2911s and 2960s that handle our phone network).
Router 2911 is on the edge; Gi0/0 has the public IP and Gi0/1 is not used, and then I have 5 individual VLANs (Gi0/1.100, 1.200, 1.300, 1.400, 1.500). VLAN 100 is our internal network 10.10.18.1/24 (router is 10.10.18.1). And the 2960 is used for switchport access; the ASA is on the side and only used as a VPN.
What I want to do is put the ASA on the edge so I can dump all the access-lists and everything then 2911 will only be used to route the traffic. Now I know I will have to reconfigure the VPN, which isn't a problem. My question is when putting the ASA on the edge do I just put the public IP on the ASA's e0/0 and then plug the 2911 into the e0/1 of the ASA and give the Gi0/0 of the 2911 the ip address of 10.10.18.1 or do I just shut it down? The reason behind this is because I would actually like to use the ASA for more than just the VPN passthrough.
I have a very basic networking question. If I have, say, 3750's (or any L3 switch, capable of routing) at the edge and a 4500 at the core, where should I route? At the edge? At the core? Both?
I am trying to upgrade my 2960 edge switch through tftpd... I have configured VLAN 1 with IP address 172.16.10.1 and tftpd as 172.16.10.2. I am trying to ping tftpd, but I couldn't, but when I try to ping VLAN 1 from tftpd, I can?
I have a Lorex Edge 4 channel surveillance DVR system. One camera shows color, the other 3 show color, but every once in a while one of the others shows color. Have rebooted DVR.
I need to make some changes on our network. We currently have two sites 150 miles apart; we join both by way of fiber, and on each side we have Cisco 3750 stack switches. We configure trunking for all VLANs on one port in site one, then through the long haul fiber to site two, with site one using 10.1.1.30 and site two using 10.1.1.40 as their default gateway, with static routing of all VLAN subnets to the other site's default gateway. Life is good.
My question - seeing how we have sites using the same subnet 10.1.1.x to trunk all data to each site through switches; we need to now change the network and add each site to the MPLS network, site one switch 1 IP address 10.1.1.30 going to MPLS router one with FA0/0/0 using IP 10.1.1.31, site two having switch 1 IP address 10.1.1.40 going to MPLS router one with FA0/0/0 using 10.1.1.41. I need to know will this work.
We have the same subnet in each site, 10.1.1.x, to the MPLS routers, then the external router interface connecting each site to local switches. Will this cause any problems by using the same local subnet for each site?
I've been fighting what seems to be an increased number of outqueue drops on our core stack and edge switches for the last 3 or 4 weeks. (The core consists of a stack of 5 3750s in 32-gig stack mode. The wkgrp switches are 3560s. All are at 12.2.52.) The wkgrp switches are directly connected to users. We use Nortel IP phones with the phone inline with the user PC, auto-neg to 100/full. [code] However, I have tried turning off QOS on a couple of workgroup switches (no mls qos, but left individual port configurations the same) but am still seeing drops. Since I have disabled QOS on the switches in question (no mls qos) (not the core though), I am presuming these commands have no effect on the switch operation and therefore cannot be related to the problem. With QOS turned off one would presume that it is general congestion - especially at the user edge where busy PC issues might contribute. So I wanted to see if I could see any instances of packets in the output queues building up.
I wrote some scripts and macros that essentially did a snapshot of 'show int' every 20 seconds or so, and looked for instances of 'Queue: x/' where x was greater than zero. What I found after several days of watching the core stack, and a few of the workgroup switches that are most often displaying the behavior, was that I NEVER saw ANY packets in output queues. I often saw packets in input queues for VLAN1, once in a great while I would see packets on input queues for fa or Gi interfaces, but NEVER on output queues. [code] Additionally, when I look (via SNMP) at interface utilization on interfaces showing queue drops (both core and wkgroup), they are occurring at ridiculously low utilization levels (as low as 4 to 8%). I've tried to look for microbursts between the core and a wkgroup switch where the core interface was experiencing drops, but haven't seen any (using Observer suite). [code] While the queue-drop counts aren't critically high at this point, they are happening more frequently than in the past and I would like to understand what is going on... In most cases, no error counters are incrementing for these interfaces. Is there some mechanism besides congestion that could cause output queue drops?
From my router that connects to the cable modem I am unable to ping website 4.2.2.2. I am able to ping all other websites fine. The same website I can ping from my PC and all other switches fine. The router has only 1 ACL; that's for NAT.
I'm just getting started with Cisco kit so you will have to bear with me. I have a Cisco 1841. I have a very weird issue of routing... I cannot ping and browse through this.
I have two VLANs - 10 and 20. 2 DHCP pools are configured on 2 1841's interfaces - 192.168.1.0 /25 and 192.168.1.128/26 with default router sitting on 192.168.1.1 and 192.168.1.129 respectively. No issues with obtaining an IP address from any of those pools. Laptop connects to L3 3550 switch (switchport access vlan 10), which, in turn, connects to 1841 router through trunk (with VLANs 10 and 20 allowed). 3550 is connected to 2960 through trunk with VLANs 10 and 20 allowed. Wireless router is connected to 2960. I can successfully ping my wireless router and the outside world from the 1841 from the fa0/1 interface, but not from the fa0/1.10 or fa0/1.20 sub-interfaces - all packets get dropped. My laptop can obtain an IP from both pools (depending on the port I connect it to), but can't ping my wireless router and anything beyond it.
Our customer has a server farm in a data center. At the moment the farm has connectivity with only one ISP, but sometimes it has service discontinuity. The customer wants to become an AS and have connectivity with two ISPs for backup purposes. He needs to evaluate two Cisco routers to use at the AS edge with BGP. At the moment he says that the throughput with the server farm is max 15Mbps and in the future he thinks that it will not increase. We are thinking about Cisco 2951 routers with 2GB RAM. Is the Cisco 2951 adequate for this task?
If my ISP brings ethernet into the building via duplex LC multimode fiber can I use the ASA5550 as the first device from the WAN or do I need some type of router for this? I realize I'll need an SFP to get to duplex LC, but I'm not sure if I need a router, or if the ASA can function as a router for this application.
How to configure an ASA that will have a default gateway to an edge router that will be doing PBR? We would like Internet surfing to go out one ISP while internally hosted services in the ASA DMZ would go through the other ISP. Configuration examples for both the edge router and the ASA?
I'm trying to figure out the best design for my network. I currently have a setup like this: Internet - Cable Modem - Pix 515E (doing NAT) - 2621 - Internal Network. Now, should I have the 2621 as my edge device or the Pix?
I have a 2504 WLC with a 1042 AP and I have it placed on my edge Cisco 3750 switch. I have the management interface of the WLC set on my WAN IP 71.x.x.x subnet range, and I have the WLC doing DHCP duties with a DHCP scope of 192.168.X.0. I have my DNS servers set on external DNS servers out on the Internet. I have two Cisco 3845 routers on my edge network - one for each ISP with BGP protocol.
Since my native VLAN is 71.x.x.x, I added a sub interface on my main core router and gave it a 192.168.x.1 255.255.255.0 address for the gateway. Also, I added ip prefix-list iBGP seq 10 permit 192.168.x.0/24 le 32 to my main core router. On my secondary ISP router I added ip prefix-list iBGP seq 10 permit 192.168.X.0/24 le 32, and ip prefix-list OUT seq 10 permit 192.168.x.0/24 statements.
I added VLAN 10 to my edge switch and gave it IP 192.168.x.2 255.255.255.0, and the switchports that my core router and my WLC are connected to the edge switch, are in trunk mode with encapsulation dot1q 10. The switchport on my edge switch that the AP is connected to is in switchport access mode.
I can connect to the wifi with a 192.168.x.x IP address on my laptop, but I cannot get any Internet access. Is it possible to have the DHCP scope be in a different subnet than my WAN IP subnet, and allow guests to get to the external Internet only? Do I need to put the WLC somewhere internal on my network i.e. the DMZ and then tunnel the traffic out to the Internet with no Internal network access?
We have two 6509s with active/passive Sup 720-3BXL cards in each and 1GB DRAM. Each handles a full BGP routing table with 4-5 ISP (eBGP) connections. The problem we are facing is.. 6509s were meant for core/aggregation and seem to be wasted as edge devices. With each ISP added the DRAM creeps up to a point where it is 80% utilized.
I am looking to replace both 6509's with routers which were meant to work on the edge. As mentioned earlier, it will have 4-6 external bgp peers per router. Handle full bgp tables. Should be capable of policy based routing.
I am looking to implement 25 Cisco 3750 switches with the IPBASE image at the edge, across many cabinets. I understand I am limited to EIGRP Stub on the 3750 switches (with IPBase) and cannot achieve funding to upgrade to IPServices. Though I am not fully aware of the limitations, in terms of what I am trying to achieve.
Broadly speaking I want to install 2 x 3750 switches at the edge, with point-to-point links to two 6500 core switches (at the data centre) and then have HSRP interfaces on the 3750's, tracking the uplinks to the core switches. I am presuming this will be the best solution to ensure reliability. My 6500 switches run EIGRP and have many VLANs and other L3 networks advertised, which will need advertising to the 3750 switches. I would be looking to advertise two or three HSRP networks on the 3750 switches, up to the core switches. At the moment, the entire network is Layer 2 (VLANs + STP).
How to configure EIGRP across the 3750 switches and 6500 switches to allow for the 3750's to see the whole network and also advertise back up their directly connected (HSRP) networks to the core? At the moment, after configuration, none of the switches see each other as EIGRP neighbours but can ping the L3 addresses on each end.
We are replacing a DS3 Internet connection with a 100 Mbps fastE connection from a Tier 1 Provider. I currently have a Cisco 7204VXR with 512 Mb DRAM and 128 Mb of Flash and two 10/100 ports that is connected to the DS3. I also have a 3845 with 1 Gb of DRAM and 256 Mb of Flash with two 10/100/1000 ports available.
We are currently running BGP, below is the summary
BGP table version is 88880414, main routing table version 88880414
379041 network entries using 44347797 bytes of memory
379043 path entries using 19710236 bytes of memory
(code)
I am trying to configure an ASA5505 8.4 ASDM 6.4 to a WatchGuard Edge. This is in my home lab; the setup is a 5505 connected to an 1841 simulating the Internet, and at the other end a WatchGuard Edge. Even after the wizard there is no negotiation of the tunnel at all. [URL]
I recently ran into some problems concerning the use of a Cisco layer 3 switch (3560) as an Internet edge device to perform a simple static route between the customers network and the ISP POP router. Although this device can perform the routing at the edge for Internet traffic, I am concerned that this device has limitations when it comes to functions such as traffic shaping to the subscribed bandwidth of the Metro Ethernet access to the Internet. Since the 3560 could not conform to the 20 Mbps of subscribed bandwidth, any traffic beyond 20 Mbps was dropped causing performance issues with applications that use TCP. I am trying to find design documents or white papers that would either support or not support using a layer 3 switch as an Internet perimeter device instead of a router. I would like to know if Cisco has a specific perspective on this subject and whether or not they would ever recommend actually using a layer 3 switch model that is a 37XX or below?
My company has purchased a second ASA for failover reasons and I need to attach it to my core router (ASR 1001). Currently I'm running the connection between my ASA and my core as a /19, i.e. ASA-10.10.10.2/19 -- ASR-10.10.10.1/19. I know the 2nd interface on the ASR will need to be on a different network segment than the first connection (10.10.10.1/19). What would be the best way to segment this out without breaking up my /19?
Run /30 segments for each interface? Use a VLAN?
I don't want to use up my Internet routable IPs on /30 segments. Attached diagram.
Any router (I'm considering ASR 1002 with 10GE SPAs) that can support the following:
- 10GE interfaces
- can handle 1.5Gbps but scales up to 5-6Gbps different seasons
- take on full internet routes from 2-3 providers
- will live on the internet edge
I am fairly new to Cisco IOS, yet I've managed to get it up and running on a Cisco 1841 to act as a router and firewall between WAN and LAN. Everything works *except* I am unable to ping or make any other connection from the router itself to the WAN. It will ping or telnet to the LAN, all LAN to WAN traffic is functioning properly, NAT is setup and functioning, WAN to LAN and inbound firewall is working, yet I still cannot ping or telnet from the IOS interface to anything on the WAN side (I've tried using different source addresses)
I am hoping there is something obvious that I overlooked, perhaps IPS is blocking the traffic? Do I need a specific route entry for the local device? I can post entire config if necessary, but would rather not if there is an obvious solution.
We have an ASA 5520 firewall. For broadband Internet access, we have a T1 router (edge router provided by ISP) which provides public IP's 198.24.210.224 / 29. We have usable public IP's 198.24.210.226 - 198.24.210.230 with default gateway 198.24.210.225. We assigned 198.24.210.230 255.255.255.0 to the outside interface.
If we connect the ASA 5520 outside interface directly to the T1 router, can all packets with destination addresses 198.24.210.224/29 reach the outside interface without using another device like another router or switches? I just assume that only packets with destination address 198.24.210.230 (outside interface IP) can reach the outside interface from the edge router. Is it a wrong assumption? If it is correct, then is there any way to route all packets with destination address 198.24.210.224/29 to the outside interface?
I have a Cisco 3560 switch set up as my edge router. It is working as my external demarc switch and edge router. It is sitting between the ISP's switch and my ASA firewall. It's a very basic configuration with port 1 set up with a fixed IP and switchport turned off, which is connected to the ISP switch. VLAN2 is configured with an IP address and 3 ports, two of which go to different firewalls.
I found that I cannot ping a specific address from the inside interface (VLAN2), but I can from the outside interface Gig0/1. I have a few deny commands in an access list, but they don't apply to the network I'm trying to access, and I haven't had any other inaccessible networks otherwise.
Here's my config minus passwords and full IP ranges. There are two ranges, one with xxx and one with xx. The xxx is set as secondary, but is the one we really use.
Current configuration : 4808 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname my-rtr-ext
!
boot-start-marker
boot-end-marker
!
enable secret 5
!
!
!
no aaa new-model
system mtu routing 1500
ip routing
!
[Code] ............
Used a pair of ASA 5520s in HA to firewall the internet edge and to firewall traffic between internal security zones such as web and application layers? If so, is this best done using different security levels or contexts?
I'm thinking of using a routed context for securing the internet edge and then using separate contexts for the web and application networks. Contexts will route via a L3 switch.