Cisco WAN :: Redundant Transit ISP Design With 7206NPE

May 29, 2013

We are a small transit ISP for other downlinks, and currently have the following setup: a 7201 and a 7206NPE-G1 as core and edge routers; we are also connected to an IXP. Downlinks are usually BGP-connected to one of the border routers, terminated via a VLAN, thus a subinterface. The IXP is also connected via a VLAN on the router.

What I don't like about this is that when one border goes down, the downlink will lose connectivity. Also, we recently started growing and getting more downlinks, so balancing between borders has become a problem. So my question is how to make the setup less fragile and more redundant.

View 1 Replies



Cisco Security :: ASA 5520 And Redundant Interfaces Design

Apr 17, 2011

We have two multilayer switches and only one ASA 5520. I'd like to connect the ASA in the way described in the picture: each redundant interface includes two physical ones, which are connected to different switches.

My question is what kind of link it is necessary to have between switches to make this idea work? I'd have subinterfaces like Re1.100, Re2.200 and so on for my traffic.
 
I understand that the correct design approach is to have two redundant firewalls with failover, but we cannot purchase the second one yet.

View 1 Replies View Related

Cisco WAN :: How To Trust Transit CoS Value On ASR1013

Feb 26, 2013

How to trust the transit CoS value on ASR1013?
 
Tried so:
 
Router# configure terminal
Router(config)# interface gigabitethernet 0/0/0.1
Router(config-subif)# encapsulation dot1Q 1 native
Router(config-subif)# plim qos input map cos enable
 
But it did not work.
 
Traffic path without ASR:
Server --> DLink 3526_1 --> Cisco 3750 --> Cisco 7606 vrf VoIP --> DLink 3526_2 --> Client
DLink 3526_1 sets the CoS = 5
Client receives CoS = 5
 
If we add ASR1013:
 
Server --> DLink 3526_1 --> Cisco 3750 --> Cisco 7606 vrf VoIP --> Cisco ASR1013 --> Cisco 7600 global --> DLink 3526_2 --> Client
DLink 3526_1 sets the CoS = 5
Client receives CoS = 0

View 3 Replies View Related

Cisco :: Default Route And More Specific In Case Of IP Transit

Aug 16, 2012

When customers buy IP transit (there is a BGP session between the ISP and the customer), they often ask for a default route and, for example, prefixes from local internet exchanges. What is the advantage of having a default route + certain smaller (for example /17, /18 and /24) prefixes?

View 4 Replies View Related

Cisco WAN :: ICMP Packet Can't Transit Between 7609 Router

Jul 11, 2012

We have two 7609 routers in different cities. Both of our 7609 routers have the MTU set to 1800 bytes, and when I ping the other router with a packet (1500 bytes), it can get through. But when I ping with 15000 or even 1506 bytes, it didn't work. As I didn't disable the DF field.
 
Internet address is 202.112.38.54/30
MTU 1800 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 96/255, rxload 81/255

[Code].....

View 4 Replies View Related

Cisco Wireless :: Catalyst 3850 - CAPWAP Transit In MA / MC Mode?

Mar 10, 2013

I understand that Cisco *wants* the APs to be directly connected to the new 3850. I have a few questions. Unfortunately, I think I know the answers. I just want to confirm.
 
a.  When MA/MC is enabled on the 3850, does the 3850 start intercepting *all* CAPWAP packets it sees (much like CDP)?  Even non-Cisco CAPWAP packets?

b.  If I have a WLC 5500 upstream from the 3850, would APs hanging off a downstream 2960 be able to register to the 5500 through the 3850 when the 3850 is NOT in MA/MC mode?

c.  If I have a WLC 5500 upstream from the 3850, would APs hanging off a downstream 2960 be able to register to the 5500 through the 3850 when the 3850 IS in MA/MC mode?
 
What I'm afraid of is:
 
a.  yes, yes
b.  yes
c.  no   
 
From the Q&A page:
Q. Does the Cisco Catalyst 3850 support indirectly connected access points?
A. No. The Cisco Catalyst 3850 switch will always terminate the CAPWAP tunnel locally. Pass-through mode or indirectly connected access point is not supported at this time.

View 2 Replies View Related

Cisco VPN :: 2900 - How To Get VPN Design

Nov 24, 2011

Would GET VPN be a better choice than DMVPN in order to support VoIP, Video over IP, Advanced QoS and Multicast? I think it should be the better choice based on what is described as the benefits and how it works, but I just want an expert opinion.

Can separate groups be created using the same key servers? I need to protect two functionally separate WAN segments that terminate on the same DC core routers. However, I want the separate WAN segments to have different encryption policies. Is this possible?

It is stated in the deployment guide for GET VPN that "Network Address Translation (NAT) is not supported by GETVPN. NAT must be performed before encryption or after decryption when GET is used." However, the NAT capability is required on all the routers.

The 2900 series routers have embedded hardware encryption, but according to the router performance guide, with a mix of traffic such as NAT, QoS and IPSec VPN they are unable to provide 100 mbps of throughput. Would the new ISM VPN modules allow the routers to achieve 100 mbps of throughput with the services mentioned above?

View 5 Replies View Related

Cisco VPN :: 2800 - ASA With Two ISP VPN Design

May 29, 2012

We have a new office and have a 2800 router as a WAN router; it has a 3G card and a DSL link. We have an ASA which has to be configured to the 2800 router. We want the ASA to have a VPN link with the primary site over DSL; if DSL fails, it should automatically fall back to 3G. What do we really need, and how would it be done in terms of IP addressing? Do we need any special IP from the service provider?

View 2 Replies View Related

Cisco Firewall :: Redundant Interfaces In ASA 8.0?

Aug 3, 2009

In ASA 8.0, I have the following queries related to redundant interfaces:

a) While configuring a redundant interface, can the redundant interface again be divided into logical interfaces like red1.1, red1.2?

b) Is the redundant interface supported in multiple context mode?

View 4 Replies View Related

How To Design Network

Sep 30, 2012

and this router will connect to 18 access points, and each access point needs 30 usable hosts... How do I design this network, and what subnet should I use... There is only 1 router, so there is just 1 default gateway. Is it that if the network has too many hosts, the speed will slow down, because they need to wait for other hosts to broadcast?

View 11 Replies View Related

Cisco :: Resilient Design Over Two Links

Jan 31, 2013

I have a customer with a unique configuration. They have two point-to-point connections: one using a laser link between buildings, and a backup fiber connection running OSPF. The issue is that when the laser link goes down, there is loss/no forwarding during the reconvergence, causing issues with transferring video feeds.

View 7 Replies View Related

Cisco LAN :: 3560 Network Design

Apr 1, 2012

I'm working on a new network design for my company. We're expanding and opening some more offices and satellite sites. We're a UK based company but opening some US sites. We have a main UK office (Office A on the diagram), a call centre (Office B) and then two buildings on another site (Office C). The USA offices will be very small and only require a couple of computers, hence the small IP allocation. I have marked the IP addresses of the links on the diagram. I intend to use 3560 switches for all the switches marked, and all links will be layer 3 to route multiple VLANs from each site to each site (where permitted). My question is this: how do I achieve this in the switches? I'm thinking that OSPF is the way forward, is this right? I want to do as little configuration on the switches as possible to allow for dynamic updates of the network (i.e. I don't want to add static routes for everything).

View 7 Replies View Related

Cisco WAN :: WAN Design Using Juniper SRX 2800

Jan 10, 2011

The local LAN is connected with a Cisco 2800 router and an SRX 210 firewall. Currently all LAN segments go to my Data Center via ISP A, and all internet traffic from the LAN segments goes to the internet via the SRX firewall. There is no relation/connection between the Cisco router and the SRX firewall. I have separate AS numbers for both ISPs.

I have attached the scenario. Based on the current one I would like to do the following.

1. I need to use PBR at the LAN switch (it's an L3 switch) such that in the normal scenario, local VLAN traffic is equally distributed on both ISPs.
2. Dedicated internet traffic will flow through ISP B only, and if the WAN link of ISP B goes down, the internet traffic will pass through ISP A.

(In the normal scenario, ISP A will be utilized 100% for LAN traffic to reach the DC, but once the ISP B link goes down, the b/w of ISP A will be divided to route 50% of the LAN segment traffic to the DC and the remaining 50% of the LAN segment traffic to the internet.)

View 2 Replies View Related

Cisco VPN :: 5520 - How To Create VPN Design

Apr 3, 2011

I need to design a site-to-site VPN and a VPN for remote users. I have attached a drawing and need to know if this is a good setup. Mostly my concern is security. I'm using an ASA5520 for the edge firewall, and Linux firewalls are for additional security. I have to create 5 site-to-site VPNs using IPSEC and 5 remote VPN clients. The site-to-site VPNs are for trusted offices, and the remote VPN clients are only for our staff's use.

From the diagram, the ASA5520 is configured as follows:

The outside interface is set to security 0 and connected to the border router to the internet. The inside interface is set to security 100 and is connected to a Linux firewall, which then goes to our internal LAN. The DMZ interface is set to security 50 and is connected to the DMZ segment. I decided to use the 4th interface for all VPNs, which is set to security 100, and for this 4th interface I have created two subinterfaces, vlan 400 (for site-to-site VPN) and vlan 500 (for remote access VPN). I did this because I have to use two separate Linux firewall boxes. The Linux firewall box for site-to-site VPN is configured with NAT, but the Linux firewall box for remote access VPN users is configured without NAT. I also want to know: do I need to create a CA server, or can I use a pre-shared key with XAuth for remote access VPN users?

View 1 Replies View Related

Cisco :: Redundant Link Between Switch And Router

Nov 30, 2012

Can someone give me a sample router config (Cisco801) for the below scenario? I am not familiar with networking. Server with 2 NICs, connected to 2 different switches, each switch connected to two LAN interfaces of the same Cisco801 for redundancy. The server must be able to reach the gateway IP (in the router) in case of either switch failure or server NIC failure. I also have 2 VLANs, and am going to use the same link for the management VLAN and the application VLAN.

View 11 Replies View Related

Cisco WAN :: Does OSPF Work Between VSS L3 MEC And ASA Redundant Interface

Feb 24, 2012

Does OSPF work between a VSS L3 MEC & an ASA Redundant Interface? Both 6509s are in VSS and an L3 MEC is formed to the ASA. Both ASA ports are a part of an L3 Redundant Interface. Please note there is only a single ASA in this topology. [code] Now, the OSPF neighboring does occur and goes into the FULL state on this device; however, soon enough, the state enters the INIT/DROTHER state. But as soon as I disconnect the physical connection to the 6509 (Standby), the OSPF adjacency goes into FULL mode.

View 5 Replies View Related

Cisco Wireless :: Redundant Port On 5508 WLC

Dec 5, 2010

What is the purpose of the Redundant Port that says "future use RJ45" on the Cisco WLC 5508?

View 3 Replies View Related

Cisco WAN :: Getting Redundant Uplink In 2960 From 3550?

Dec 7, 2010

We need a redundant uplink in the Cisco 2960 from the Cisco 3550: one uplink is primary and one is for backup. As per the current scenario, there is one uplink in the Cisco 2960 interface fe0/1 from the Cisco 3550 int fe0/1 through an OFC cable.

Configuration 2960 int fe0/1:

interface fe0/1
description *** Connect to Cisco 3550 port 1 ***
switchport mode access
switchport access vlan 2
spanning-tree guard loop

Configuration Cisco 3550 int fe0/1:

description *** Connect to Cisco 2960 port 1 ***
switchport mode access
switchport access vlan 2
spanning-tree guard loop

We are facing a problem when the OFC cable goes down, so now we are considering another OFC via another route to connect the same Cisco 2960 switch on Fe0/2 from the Cisco 3550 int fe0/2, so that when the primary uplink goes down, the backup uplink, which is connected to Cisco 2960 fe0/2 from Cisco 3550 fe0/2, is up. What commands do we need to configure, as per my requirement, on both the Cisco 2960 and 3550 switches, in interface and global mode also?

View 10 Replies View Related

Cisco WAN :: 2821 - Getting Redundant Router Setup?

Jun 7, 2012

I am using a Cisco 2821 router at the edge of my network, where the WAN link is terminated. I want to configure redundancy. So will the 2821 support it? If yes, what is the other router? Is it the same series or a different one for a redundant configuration?

View 2 Replies View Related

Cisco :: Redundant Wlan Controllers (AIR-CT5508-50-K9)

Jun 11, 2012

Q: A client has a network with 60 APs controlled by an AIR-CT5508-50-K9 (+ L-LIC-CT5508-25A) with a redundant power supply. Can he get full redundancy by purchasing a second controller? If he purchases one, can he bring it into the network? What about the extra license for 25 extra APs installed on the first controller?

View 4 Replies View Related

How To Design Ethernet Controller

May 23, 2011

I want complete details about Ethernet design and technologies.

View 1 Replies View Related

Cisco :: Fictional Network Design Assignment

Mar 5, 2013

I have gotten the assignment of constructing a fictional network for my school, and I cannot quite agree with myself upon which equipment I should choose. It's supposed to be all Cisco. I need to supply 5000 users all in all, but only 300 on this site. I need to know which connections would be the most reasonable to use and, of course, which routers ("if any") and switches I need (+ additional modules if needed). I have tried to make a Visio representation, but I just think something is way off.

View 6 Replies View Related

Cisco :: VLAN Design - Possible Renumbering Of Network

Jul 5, 2011

I have a new project coming up that will require more IPs added to an already quite full class C network. My other issue stems from foolishly putting all hosts in the crowded C network onto the management VLAN. In turn, I have to make each port a trunk. Moving forward, I'm wondering what's best for design, or if I should just attempt to change the subnet mask across the board?

View 5 Replies View Related

Cisco WAN :: 2960 Network Design Query

Aug 22, 2011

I am in the process of planning our new network. Our business is changing from hosting its own data centre, to moving it to a professional facility. We have 120 users, over 100 servers (physical and virtual) and three sites (main premise, data centre, DR site). The new network will connect all three. Our new WAN links are almost ordered. We will be making use of a managed MPLS IP VPN, with a 100M access rate at each site. I am currently focusing on the design of the network at the main business premise. We have a significant investment in Cisco 2960 & 3750 switches and Fortinet firewall appliances. I plan to re-use these in the design.

Our current LAN is very flat and I want to segment the network. My plan is to create a number of VLANs, enable the inter-VLAN routing on the 3750 and then attach the 3750 to the Fortinet appliance, which will provide stateful firewalling and traffic policing based on the VLAN (subnet) addresses. It is important that the traffic be routed as quickly as possible from this site to our prod and DR data centres. The 2960s act as the access layer, the 3750 as the distribution layer. The 2960s will connect via port channels (layer 2) to the 3750s and the VLAN interfaces will be configured on the 3750.

I was then planning on creating a VLAN on the 3750 to connect to the Fortigate appliance with a /29 address to limit the addresses used whilst also providing some flexibility for any future design changes. I want to implement a little security between the VLANs on the 3750 switches. I have a question about this coming up. I then plan to use the Fortigate appliance to do basic traffic policing based on source/destination addresses.

The WAN routers will connect to the Fortinet appliance on a Gigabit copper interface. The WAN routers will run HSRP between themselves and only one router will be active at any one time. The failover will be managed by the Fortigate and Cisco routers. I plan to define those addresses hosted at the other data centres and associate them with the interface associated with the WAN. I will then define the routing on the firewall for the two other data centres through summary routes for each of the sites. We will run static routing from the Cisco 3750 to the Fortigate and Fortigate to WAN router. We have no other networks/sites and won't have any others in the future.

View 25 Replies View Related

Cisco WAN :: As 64512 - BGP Route Reflector Design

Sep 12, 2011

If I have five iBGP routers in AS 64512 and one of the iBGP routers has an eBGP peer to a different AS, which iBGP router (r1, r2, r4, r5, or r8) should I choose to be my route reflector and why? Also, what happens if the route reflector router fails? Do I designate a backup route reflector? I'm new to BGP.

View 4 Replies View Related

Cisco WAN :: VPN Design Solution In SRP527W U Units

Sep 8, 2011

I have a pair of SRP527W-U units, which each connect to a separate ISP by ADSL2+. I am attempting to use each simultaneously as follows: ISP-A via CiscoA for general traffic, and to run HTTP server X; ISP-B via CiscoB to run HTTP server Y. HTTP servers X and Y are on one machine, but binding to two separate IP addresses, e.g. x.x.x.3 and x.x.x.4. In a situation like this, I would normally configure CiscoA and CiscoB with x.x.x.1 and x.x.x.2 respectively. CiscoA would run DMZ to x.x.x.3 and CiscoB DMZ to x.x.x.4. The server would use x.x.x.1 as the default route. Then I would set CiscoA to have a policy route catching source address x.x.x.4 and sending it to next-hop/gateway x.x.x..

View 5 Replies View Related

Cisco Switching/Routing :: 2921 - VTP Design

Jun 22, 2012

We have a remote office where we have a 2921 router with 6 layer 2 switches. We have a few servers which need to be in a specific VLAN.

The 2921 router does not have a switching engine; we are using this to support VoIP.

So on the 2921 router I created 6 subinterfaces, one for each VLAN, and assigned them to their specific VLANs. Then I have a trunk connection to switch 1. Now switch 1 connects to all other switches in the network. As per our company design, all layer 2 switches should be in transparent mode. I tested them and I can ping from one switch to all other switches.

I set the router VTP mode to transparent, and from all switches I can ping the router subinterfaces.

View 4 Replies View Related

Cisco WAN :: 3750 / BGP Multihoming Design Topology

Apr 17, 2012

Currently we have a 50mb pipe with our carrier SONIC. We have signed another contract with another provider here in town (Charter) to multihome our Internet connections in an active/active configuration. We have leased our /24 space through our carrier SONIC. ARIN has already approved our org-ID for an ASN and they will be sending us that once the billing portion is finished.
 
There are a few design considerations I was hoping I could get some insight from the community on. Before I start, the ultimate goal is for us to use BOTH Internet connections in an active/active configuration, utilizing both pipes.

Disclaimer: I have gathered this design from a lot of other posts that have a somewhat similar topology with ASA-->3750-->router pair-->CPE--internet...

What kind of routes should I get from each carrier? I have been told that partial/partial routes plus a default route from each carrier is the way to go. Also, I've heard mention that full routes from both carriers are preferred. My ASR1001's can support ~500k routes. I know the global table is approximately ~337k routes. My goal is to use both pipes and use the best outbound path per carrier.

We will be leasing our /24 space from SONIC. I plan on running OSPF on the DC-Edge-SW1 in conjunction with iBGP - so I can default originate two equal cost routes back to my ASA. My confusion is when the traffic hits DC-Edge-SW1, there will be default equal-cost iBGP routes to both ASR1001's (DC-Edge-RT1 & DC-Edge-RT2). If the switch does not have the BGP table, it will just load-share across both ASR's. When the traffic hits the ASR's, will they know which carrier has the best path and route accordingly? 

Should the iBGP connection between both routers be directly connected? Or will it suffice through the L3 3750 connection? Also, with the limitations on the routes for the ASR1001 at ~500k: if we end up getting full routes from carriers and create an iBGP neighborship between both routers, will this exceed the route limitations on this platform? On both routes, I will have the network statement 'network 12.231.69.0 mask 255.255.255.0.' This is a leased network from SONIC, and we NAT everything on our ASA to 12.231.69.10. My question is, will this be a problem broadcasting this network from our AS to both carriers' AS? Refer to bgp-design.jpg - is it a requirement that I use our leased public subnet 12.231.69.0/24 for the interfaces from ASA5510 -> 3750 -> ASR1001?

View 15 Replies View Related

Cisco WAN :: Best Design For Simple Configuration 2901

Nov 20, 2011

I'm new to routing and Cisco in general. I'm inheriting a rather simple setup but would like to approach the next steps with a good strategy. Currently we have a 2901 router with public IPs on both interfaces. The internal facing interface is our gateway for some webservers and a firewall. Now we are looking to add a colocation site and establish a site-to-site VPN using another 2901. My goal is to have the colocation use the same internal 10.100.0.0/23 network. My question is what is the best way of going about this, since the router at the main site has public IPs on both interfaces? Do I need to multi-home the internal facing interface? If so, what else needs to be done?

View 1 Replies View Related

Cisco Switching/Routing :: Replacing Defective Redundant Sup-720

Oct 29, 2011

How to replace a defective redundant sup. I read in several articles that inserting a new redundant sup should not be an issue, as the active sup will always send its configuration to the standby. We are running SSO on the Sup720. Should I switch it to RPR before I install the redundant sup? I read a case wherein they switched it to RPR from SSO before inserting the new redundant sup. My concern is the IOS mismatch, since Cisco doesn't always send the same IOS on RMAs. What I am planning is this.
 
1. Save/Backup configuration
2. Remove the redundant sup on slot 8 (since it is a 6513)
3. Insert the new redundant sup on slot 8.
4. Check if all the configurations were synced from slot 7 to slot 8.
5. Copy the IOS from sup-bootflash to slavesup-bootflash. (if the IOS are not the same)
6. Check show bootvar to see if the boot variables are correct.
7. If bootvar is the same, reload slot 8 to boot the new IOS.
 
Is this a good plan or am I missing something? I am worried about this document if the redundant sup has different software. If I insert the card in slot 8, according to Cisco, it will revert to RPR. If slot 8 boots and it has a different OS, then slot 7 will switch to RPR even if it's active. Would I still be able to access the slavesup-bootflash of slot 8? Is it going to boot 100%? I read that doing a force switchover will cause a flip and RPR would cause the line cards to reinitialize, and I don't want that. Well, I am not going to do a force switchover since I want slot 7 to be active and retain slot 8 as hot.

View 3 Replies View Related

Cisco :: 3750-X Redundant Power Supply Monitoring

Sep 21, 2012

We have 3750-X's with dual power supplies. When one of them is disconnected the NMS/Netcool is not picking up the trap. What MIB is needed to monitor the power supplies?

View 1 Replies View Related

Cisco Firewall :: Pix 525 Configuration - Regular Or Redundant Interface

Feb 14, 2012

I am configuring a PIX 525. I just found out how to activate the subinterface on it, so that's good. The box has a primary unit and a secondary unit; both are connected from G0 to redundant switches. If I do a show failover, it says it's using the serial based LAN failover, which is fine by me. However, do I need to create a single, regular interface, or a redundant interface? I.e., if I create a regular subinterface, will failover still apply to this interface? Or for failover to work, do I need to create a redundant interface (with a redundant ID)? I do not seem to have the option to create a subinterface when adding a redundant interface.

View 7 Replies View Related

Cisco WAN :: 2800 / Route Out Redundant Internet Connection?

Dec 26, 2012

We have a six node MPLS network; all nodes route to our main office for a variety of services (email, core, file shares, Internet, etc). Therefore, the link to our main office is crucial. In the event that the MPLS link to/from our main office becomes unavailable, we would like to establish a secondary route into our main office via virtual private network. Our main office and two branch offices have redundant broadband internet connections. We currently have Cisco 1921 routers as our branch routers and a Cisco 2800 as our "core" router at the main office. We also have two SonicWall TZ-200 series firewalls at the two branch locations and a SonicWall NSA-2400 at our main office. The VPN connection seems to work okay. How would I configure my branch routers to advertise and route traffic out the VPN connection in the event that the MPLS leg to/from our main office is down?

View 3 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved