I have configured a qos policy and I am trying to apply the policy to a vlan interface which is physically connected to a switch module port of a 3845 Router.When I try to apply, the message configuration failed appears.
View 4 RepliesI have a cisco router 3845 with Etherswitch modules and one Vlan configured "172.16.6/24", many switch ports are assigned to this vlan. i would like to translate one IP address 172.16.6.200 to a new one "172.25.42.10" but need to keep the other IPs from "172.16.6/24" without changes. below is the configuration of vlan interface and switch port. [code]
View 8 Replies View RelatedI have a 3560G that I cannot apply a policy route-map to one of the VLAN interfaces. I am running up to date software, c3560-ipservicesk9-mz.150-2.SE2 and it accepts the command, but does not show it in the sh run of the interface. I updated to this code as I had seen previously someone said it needed to be version 15 before you could apply route-maps to VLAN interfaces.
View 4 Replies View RelatedMy company recently failed a PCI scan because our router was returning 56bit des encryption for isakmp negotiation on an existing default isakmp policy. How do I remove this default isakmp policy. I am not running 12.4(15)T1 so the no crypto isakmp policy default does not work. Is there any way other than upgrading the IOS?
Is there any way to configure a maximum number of isakmp policies that an authenticating router will check? I have 2 configured higher priority ISAKMP policies. Maybe if there is a command to limit the number of isakmp policies the router checks, that would eliminate this default policy being matched?
I'm wanting to setup a Virtual Office scenario. Everything is working fine except for 802.1x...I can get the 881 to authenticate things connected to it, but I don't have the options of guest-vlan or auth-fail vlan.Idea is if the users takes the router home and someone, either accidentally or on pupose, connects an unauthorized Laptop, they stay off the Corp network but can get to the internet still.I found this link on Cisco's site: [URL]That link shows them configuring a guest vlan right on the fa0-3 ports of an 881W. I dont have that option on mine. I can only configure 802.1x on the vlan interface. I have 802.1x working, for things that connect to vlan1, but I would like to have a "fallback" setup.
EZVPN_Remote(config-if)#int fa1
EZVPN_Remote(config-if)#dot
EZVPN_Remote(config-if)#dot1?
dot1q
EZVPN_Remote(config-if)#dot1
[code]....
I have a problem in configuring two pair of backup interface on my customer's router (3845). It's ok when I configure just one of them. If I configure both pairs of interfaces into backup interface, one of them will be in disabled mode, as shown below :
WANR01#sh ip int bri
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 172.16.199.106 YES NVRAM up up
GigabitEthernet0/1 172.16.3.5 YES NVRAM up up
Serial0/0/0 unassigned YES NVRAM administratively down down
Serial0/0/1 unassigned YES NVRAM administratively down down
FastEthernet0/1/0 125.213.133.186 YES NVRAM standby mode down
FastEthernet0/2/0 172.112.22.6 YES NVRAM standby mode/disabled down
FastEthernet0/2/1 123.231.177.238 YES NVRAM up up
Loopback0 172.16.199.12 YES NVRAM up up
I have a Cisco 3845 Integrated Service Router and I have installed a Service Module. I want to use the integrated Gigabit ports as switch ports and put ports in the Service Module and Gigabit port in a VLAN.
Is this possible? can it be done by setting internal Gigabit link as trunk and how? Below is the somewhat the setup i am looking for
Service module
fa0/1 |
fa0/2 | Vlan X
fa0/3 |
[Code]....
Router interface for N450 DB fails to load/loads slowly/loads partially. I am running Windows 8, and have tried IE10 both from Start Screen and desktop, no luck.
View 4 Replies View Related I have 4 public IPs on Router 3845 interface FastEthernet 0/0/1. IP as below.
50.200.2.2
50.200.2.3 secondary
50.200.2.4 secondary
50.200.2.5 secondary
I wan to allow ports 80 to 90 on 50.200.2.3 for my webserver (192.168.10.50)
I read the User Guide section on Internet Access Policy for the Linksys E3000 but I could not find this menu to create a policy from the web interface. I have the latest firmware version (1.0.04 Build 6,)
View 1 Replies View RelatedI have an Ethernet Loopback Plug (4 Pairs) made and trying to test the Gigabit Interface on a 3845 Router with a fail result. The interface will show up/up only if I set the interface to 100M/Full Duplex when I plug-in the Ethernet Loopback Plug (4 Pairs). I don't see this Gigabit Interface @ 3845 router has any option to set it to internal or external loopback.
View 2 Replies View RelatedI have configured eigrp routing on cisco 1941 ISR with two interfaces advertised. However i can not ping the router interface on g 0/0 but can ping the device and computers attached to that network. When i ping from the same network i'm able to ping the interface but not from anyway else. i can also ping the other devices on other network from g 0/0 attached hosts. How can i enable ping to this interface so that i start monitoring the network?
Below i have attached the network configurations for the router;
!boot-start-markerboot-end-marker!!enable secret 5 xxxxxxxxxxx!no aaa new-model!no ipv6 cefip source-routeip cef!!!!!multilink bundle-name authenticated!crypto pki token default removal timeout 0!!license udi pid
[Code].....
I am currently using g0/3 for failover between my two ASA5520's. I would like to move that to the management interface to free up g0/3 for a second DMZ segment. are there any implications to doing this live other than i would only have a single ASA during the move?
View 1 Replies View RelatedI have Cisco 3845 with two Gigabit interfaces configured as port-channel with subinterface and with QoS.However shape does not work, why? [code]
View 1 Replies View RelatedIs it possible to configure more than one layer 3 interface for netflow on a 3845? I can't seem to do it. Is there something I am missing?
View 2 Replies View RelatedI'm having an issue that I can't quite understand. I set up a test lab to get familiar with EIGRP routing. I have a Cisco 3845-MB with 2 VWIC2-2MFT-T1/E1 cards.sh ip int brief shows UP UP status on all serial ports. I gave it an IP address but I'm having trouble pinging the serial interface IP. It's dropping pings to its own S 1/1/0 interface when pinging from console. I have known good T1 crossover cables 1&2 - 4&5.
Here is the "ip int brief" from 3845-MB
3845-MB#sh ip int brief
Interface IP-Address OK? Method Status Prot
ocol
GigabitEthernet0/0 unassigned YES NVRAM administratively down down
GigabitEthernet0/1 172.30.2.1 YES NVRAM up up
Serial1/1/0:0 10.3.29.2 YES manual up up
Right now it's pinging itself at about 60 -90% success rate... and I can't figure out why it's dropping any packets at all. I have other issues with in the lab as well... but i think this might be my "core" issue.To make matters even more "weird" I've tried two different VWIC2-2MFT-T1/E1 cards and I drop pings with both of them.
Here is a sh run and a sh diag:
3845-MB#sh run
Building configuration...
Current configuration : 1434 bytes
!
version 12.4
service timestamps debug datetime msec
[code].....
We have a number of 3845 routers, some running IOS 12.4(22)T2 and earlier and some running 12.4(24)T4. On the ones with 12.4(22)T2 and earlier, gigabit interface g0/1 shows interface down/line protocol down when there is no cable connected to the interface and the interface is not in shutdown state. On the ones with 12.4(24)T4, gigabit interface g0/1 shows interface up/line protocol down when there is no cable connected to the interface and the interface is not in shutdown state. Interestingly in both cases, the "show controller g0/1" command shows " network link is down (NO CARRIER)" when there is no cable attached. It makes sense to us that the interface status would be down/down when there is no cable attached. It does not makes sense to us that the interace would be up/down. Did Cisco at some point change their philosophy on whether an interface should show down/down or up/down when there is no cable attached, or is this a bug?
View 1 Replies View RelatedI have a question regarding mlppp and bonding mpls T1 circuits. For the longest time we have been able to get by on one T1 circuit coming into our 3845 router. Well this T1 has now become congested and they are wanting to add bandwidth to this T1. We connect to the phone company via an MPLS T1 currently. So now it appears as though we are going to purchase another MPLS T1 circuit and bond the two T1's together. The way our network is currently set up, we utilize the same AS number on all of our remote routers regardless of location. Keep in mind I don't have any sort of mlppp set up at this moment, so unfortunately I can't post any configs. I'm just questioning the design portion and how to go about doing this.
Here is where my dilemma begins........
For every MPLS circuit we order on the remote end, we specifiy an IP for the remote router itself and one for the provider to assign to their equipment (the bgp neighbor statements). Now granted i'm no BGP extraordinaire, not even a novice really, but I don't understand how I am going to bring two T1 circuits into the same router (basically with 2 pairs of IP's). In order to bond the two T1's together, i'll need to create a multilink interface and assign an IP to that, but yet I still have 2 SETS of ip addresses. And if that isn't enough of a dilemma, I also need to spedify a neighbor statement in order for my AS to bind to the adjacent provider AS, but yet I have two IP addresses for that as well.
i'm going mad on following problem. I'm trying to get 2 networks seeing each other while one of the network is a non VLAN network and the other one is a VLAN network.They should use the same interface so i added VLAN e0/0.122 to the interface e0/0.Send a ping from my asa to both gw-IP's made me happy at first. In second in figured out that i cannot reach any client in the other network. For testing purpose i created an permit acl to any/any for both networks, but the packets still get dropped by the default implicit rule. (deny any/anyMaybe i'm to stupid for this
View 10 Replies View Relatedwhen the supplicant is missing vlan500 is open for port and everything is ok, but when supplicant has wrong configuration something happend and port is always authenticating(every 30s, vlan500 is not assign to this port with bad configuration supplicant) and logs show something like that
Jul 10 10:20:12.362: %AUTHMGR-5-START: Starting 'dot1x' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A3545161E4 Jul 10 10:20:44.365: %AUTHMGR-5-START: Starting 'mab' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11 Jul 10 10:20:44.399: %MAB-5-FAIL: Authentication failed for client (001e.3718.7297) on Interface Ga0/1AuditSessionID 0A0EFF5B000004A45451DF11 Jul 10 10:20:44.399: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11 Jul 10 10:20:44.399: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11 Jul 10 10:20:44.399: %AUTHMGR-5-START: Starting 'dot1x' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11
version - Cisco IOS Software, C3560E Software (C3560E-UNIVERSALK9-M), Version 15.0(1)SE2
port config:
interface GigabitEthernet0/1
switchport access vlan 104
switchport mode access
switchport voice vlan 200
authentication event fail action authorize vlan 500
[code]....
Trying to work out if I can setup a VLAN interface on a 1721 router.The only interfaces that are listed are the Ethernet (W1-ENET) and the Fast Ethernet interface.I'm still super new to all of this and learn how to change IOS via rommon and TFTP after realizing I had an IOS too large for the memory?
View 3 Replies View RelatedI have two Cisco 3845 routers which receive a multicast stram via a tunnel interface, i.e Tunnel163 (PIM Dense mode is enabled). These routers are both connected to a LAN segment (FastEthernet0/1/0) where receivers are. [code] Router1 is the assert winner (highest IP address), it sees igmp joins request, but it's pruning the interface. It happens sometimes and it lasts until I manually issue clear ip mroute.Unfortunately I cannot migrate to Sparse Mode.
View 15 Replies View RelatedClass and Policy maps are defined properly but when I am going to apply the policy-map on interface ,throwing an error as "'set' command is not supported in a 2nd level policymap".
Class/Policy map configuration given below ....
class-map match-any cm_traffic_control
match access-group name acl_traffic_control
class-map match-any BE
match access-group name be
[Code] ....
When I try to apply an ACL to a port on my SGE2010P, I get the following error:Can't bind acl/policy-map to an interface when the security suite is enabled in a per-port mode.I don't see an option where I can set the security suite mode.
View 10 Replies View RelatedI have three 5508 WLCs, running code 7.0.98.0 supporting 100+ LWAPs in H-REAP mode. The LWAPs are servicing 2-3 WLANs each. Some are using central authentication and local switching, some are configured for central authentication and central switching. When the LWAPs fail from one WLC to another WLC, the LWAP's lose all of their VLAN mappings and pick up the VLAN of the management interface on the new WLC.
All WLANs are configured to use the management interface on the WLC and the VLAN mappings are configured per LWAP on the H-REAP properties tab. The WLAN ID numbers and all the WLAN settings are the same across all 3 WLC's. I have created AP groups on all 3 WLC's and the AP group config matches across the 3 WLCs.
I can get the LWAPs to keep their VLAN mapping by creating an interface on the WLC with the VLAN ID of the locally switched/remote site VLAN and then setting the interface for the WLAN to the new interface. However, then the WLAN doesn't work, because the centrally located WLC doesn't have the remote site VLAN. It also seems to keep the VLAN mapping if I create the locally switched/remote site VLAN interface on the WLC , and point the WLAN to the management interface. This shouldn't be a necessary step though... In H-REAP with local switching, the LWAPs aren't using the interface on the WLC.
I found a note in the 7.0 WLC config guide that explains why the VLANs are picking up the management interface VLAN, but that same note says the VLAN mappings can be changed per LWAP/WLAN!
From config guide: For hybrid-REAP access points, the interface mapping at the controller for WLANs that is configured for H-REAP Local Switching is inherited at the access point as the default VLAN tagging. This mapping can be easily changed per SSID, per hybrid-REAP access point
Using H-REAP and been able to get the LWAPs to keep the VLAN mapping when failing from one WLC to another?
I am trying to configure policy based routing however when i try to apply to an interface vlan. The configuration does not show in the interface.
route-map OTHER_ROUTE permit 10
match ip address OTHER_ROUTE
set ip next-hop x.x.x.x
[Code]....
I'm unable to apply a policing limit in a switchport of the CISCO861 router. This is my configuration:interface FastEthernet0, service-policy input wired-input,service-policy output wired-output end.
View 3 Replies View RelatedHere is my configuration below , i have upgraded my C-3750 switch IOS from IPbase to IPservices , after upgrading i have tried to apply PBR on my Vlan 4 and failed , when i am tying to apply route-map to Vlan4 the command was taking but i am unable to see the route-map when sh run , i am giving the command as "ip policy route-map TTSL" in my Vlan4 , below is the configuration.
In Vlan2 i have connected one ISP and Vlan4 I have connected one ISP , my local subnets are 192.168.1.x and 192.168.2.x , now i want to route the 192.168.1.x traffic from Vlan2 and 192.168.2.x Traffic from Vlan4 .
sh boot
coreswitch#sh boot
BOOT path-list : flash:c3750-ipservices-mz.122-35.SE5/c3750-ipservices-mz.122-35.SE5.bin
[Code].....
Is it possible to establish PBR rules that set the ip next-hop to point directly to the inside interface of the ASA5550?Or, do I need to direct this PBR traffic first to a directly connected router interface and then default route to the ASA?At a high level, here's what we have:
ISP 1 - with /21 IP PrefixNo BGP Routing3845 Edge Router - Default Route to ISP 1PIX535 Firewalls (HA) - Default Route to Edge RouterLAN Core/Distribution - Default Route to PIX535 Inside InterfaceAll applications/services use this egress path for PAT/NAT/DMZ/VPN/Etc.
Here's what we are adding:
ISP 2 - with /24 IP PrefixNo BGP Routing3925E Edge Router - Default Route to ISP 2ASA5550 Firewalls (HA) - Default Route to Edge RouterSame connectivity to LAN Core/Distribution
Goals:Maintain ISP 1 for nowMigrate only end user Internet traffic to ISP 2No disruptions to applications/services using current DefGW to PIX535
Question: how to best use PBR to selectively direct traffic to the ASA inside interface?
I have a requirement to provide stats on a per-department, per-destination basis between sites. If I take Voice as an example I have 5 child classes referring to the 5 departments each matching EF and a particular access-list that matches the department's subnet. I tie these 5 child classes into a parent Voice class-map.
Now when I issue a "show policy-map interface" command I see stats for the parent class-map only whereas I would expect to see a breakdown for each of the child classes which is what is required.
I am doing this on an ASR1002 running 3.2.2.
I'm trying to add an outbound policy on Layer3 interface on a 6500. The will be used to prioritize voice traffic. The environment contains 2 sites with 2 6500's each with VSS and a metro Ethernet link between them. I seem to be having problems prioritizing the voice across this link.
View 1 Replies View RelatedIs there any physical or technical diferrences between PWR-3845 AC/2 and PWR-3845 AC? We are trying to order replacement parts and wondering if PWR-3845 AC is for one power supply and AC/2 means you get two with one order?
View 1 Replies View RelatedWe have two Cisco 2960 TT-L switches. I'd like to reduce single points of failure and have dual servers for most tasks. For example, two firewall servers and two web servers. Should one server fail the other will act as a failover.I'd like to extend the redundancy to the switches, and am thinking of connecting one web server to one switch, and one to the other. In the event a switch failed a set of servers would still run, and be able to talk to each other.I'd like to run two VLANs, one for the LAN, and one of the WAN, and connect the two VLANs on each of the switches with the associated VLAN on the other switch.
View 3 Replies View Related