Cisco WAN :: Securing SRDF Between Two 7204 Routers
Jan 3, 2011
We have a leased line from one office to a DR site which we use to back up our data. We are using Cisco 7204 and and OC3 circuit. The data is sent in blocks (SRDF) and we are sending changes only. However, we are getting requests from compliance to further secure this connection since it is a leased line. I guess I need to know how secure SRDF traffic is and then if required, how to secure it.
Can we create a simple VPN between the two routers without having to use a VPN concentrator or Firewall? If so, what IOS would be required? How much impact will the VPN have on current bandwidth?
I would like to find out what the status is of the Cisco 7204 VXR and 7206 VXR routers?I understand they are EOLife and EOSale.Are they also EOSupport? we planning to upgrade 3 of them in our environment and management requires feedback around this.We thinking of going the ASR1000 route..
I have a site that is connected to the internet via T1 into 2811 runing C2800NM-ADVENTERPRISEK9-M), Version 12.4(11)X. I have noticed that when i do a port scan on the outside nat pool i see well know ports in the closed state .ie...7,21,22,23,25,99,100,80,443. These pools for end users to access internet. Does this pose a security risk? What can i change to provide end user access to web but not let these well know ports open?
In my building there are 2 wireless access points connected directly via switch into the router.So the problem is i dont want to set a password for the wireless but i want to be able to filter all computers that are connected wireless to my internet because many of them are mass-downloading torrents movies etc. and it slows the internet massively. What do i need to do to make it like a filter , which would be like a ISA server or something.
I have an ASA firewall and I have never configured an FTP server for a large scale network (well large in my opinion). I want to ensure we have the highest level of security available for the FTP and to limit only the specific users designated by an ACL. Would SFTP be the best available option for security measures? Should I only use Passive FTP and what range of ports above 1023 should I open for only 1 or 2 FTP clients at a time? Also if I use Passive mode do I need to use protocol inspection for FTP?Also, Currently I'm unsure of what files need to be accessed on our network but should the SFTP Server always only be installed within the DMZ?
Need securing a wireless environment in a hotel? The SSID has to be broadcast of course but how can we protect guests from man in the middle attacks, etc.? Currently the environment is all AP1200s with no hardware upgrades in the near future. There is also a 2811 router in place but nothing else. We would love to be able to force users to authenticate with a password in order to get out to the Internet as well.
Besides MAC address filtering, is there another good / easier way to keep visiting laptops etc from plugging in a CAT cable and accessing a LAN protected by a perimeter firewall?
I have 2800 series router which is directly connected to ISP. How can secure the router from outside access; I am totally new to the security concepts.
I have a VPN on my ASA 5510 between (A)192.168.255.0/24 and (B)172.20.2.0./24. The purpose of the tunnel is to send kerberos tickets from our domian controller on the A side, across to a server at B, and receive a respose. I want to lock down inbound traffic to the A network, but not sure of best method.
I initially tried using an ACL filtering on ports, but soon realised the incoming traffic uses a wide range of ports so this is not really possible.Seeing as the A side will always be initiating the conversation, I was wondering if I could use the 'established' option on the inbound ACL for the ASA at A side, so that it would block any flows that are not initiated by the A side.
I have run three computers on my wireless network for a few years now, and have an HP OfficeJet 6500 Wireless printer that has worked seamlessly on all computers. That is, until I secured my router. I had an open wireless connection that I changed to secure (WPA) a couple of weeks ago and have been unable to connect to my printer wirelessly to print. It will print if connected to USB. The first day I was able to enter in my WPA key just fine, but not since. It doesn't appear to be finding my connection. Oddly enough one of our computers (a laptop) is able to print to this printer so I am not sure. All computers are running Windows XP, I believe with SP3. I use a D-link wireless router. I have tried using the HP solutions to no avail and have checked in the documentation that came with the printer.As an aside, I now appear to also have another wireless connection which is a "computer-to-computer" connection, I believe an ad-hoc connection?
I have a cisco 7204 vxr that terminates a 300 meg ethernet circuit asn well as an mpls DS-3. CPU increases along with utilization of the ethernet circuit. When the utilization gets to around 150 Mbps on the receive, the cpu is maxed out at 100%. I am wondering if the router can support the amount of traffic coming through it. The majority of the traffic is voip using g729 codec, so packet size is small. We are no where close to peak utilization and cpu is at 39%. Here is what I see currently:
#sh verCisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 12.4(15)T4, RELEASE SOFTWARE (fc2)Technical Support: [URL] 1986-2008 by Cisco Systems, Inc.Compiled Thu 13-Mar-08 10:40 by prod_rel_team ROM: System Bootstrap, Version 12.3(4r)T3, RELEASE SOFTWARE (fc1)BOOTLDR: 7200 Software (C7200-KBOOT-M), Version 12.3(15), RELEASE SOFTWARE (fc3) uptime is 3 years, 1 week, 3 days, 6 hours, 40 minutesSystem returned to ROM by Reload CommandSystem restarted at 08:26:49 UTC Wed May 14 2008System image file is "disk2:c7200-advipservicesk9-mz.124-15.T4.bin"
This product contains cryptographic features and is subject to UnitedStates and local country laws governing import, export, transfer anduse. Delivery of Cisco cryptographic products does not implythird-party authority to import, export, distribute or use encryption.Importers, exporters, distributors and users are responsible forcompliance with U.S. and local country laws. By using this product youagree to comply with applicable laws and regulations. If you are unableto comply with U.S. and local laws, return this product immediately.
is 633+ seconds (approximately 10 minutes) load time normal for a Cisco 7204 router? I find that it takes forever for the router to do :Self decompressing the image". I tried the latest IOS and tried different bootloaders but it doesnt seem improve it?
We have point to point metro ether net link terminating on 7204VXR router.On this point to point link we are configuring GRE over ip sec. Problem is when the traffic exceeding 8mbps we started getting packet drops. from the Cisco documentation it seems the tunnel bandwidth is by default 8mbps and there is parameter like Inherit/receive but those actually not change the tunnel interface bandwidth.If we just give tunnel bandwidth with bandwidth mentioned it allows me to give option of 100mbps but again the tunnel interface bandwidth remains 8mbpos only and probably that 100mbps is useful only for routing decisions.
i am using advance security 12.4.15T12 image. Whether this is a limitation or any other way to go beyond 8mbps for the tunnel interface (7204VXR-NPEG1 processor)
I need to route a subnet from a 7204 to 2 different gateway's which are not Cisco based. I cannot use HSRP, GLBP or VRRP as the other 2 gateways don't support theses protocols. Yet they do support OSPF, RIP, and BGP.... Take note that this setup is in a ISP scenario. How can I acheive gateway redundancy?
I need to configure BGP on our 7204 and 2811 router. The 7204 is our main router and currently running EIGRP internally. Our remote locations just moved to an MPLS connectivity and they have a 2811 router. I will need to configure BGP for the routing protocol. I have the AS number and the remote AS number. Attached is the the current configuration of the two routers.
We are replacing a DS3 Internet connection with a 100 Mbps fastE connection from a Tier 1 Provider. I currently have a Cisco 7204VXR with 512 Mb DRAM and 128 Mb of Flash and two 10/100 ports that is connected to the DS3. I also have a 3845 with 1 Gb of DRAM and 256 Mb of Flash with two 10/100/1000 ports available.
We are currently running BGP, below is the summary
BGP table version is 88880414, main routing table version 88880414 379041 network entries using 44347797 bytes of memory 379043 path entries using 19710236 bytes of memory(code)
I can't seem to find out what this means. Every 6 months or so, my 7204 locks up. I can't even get to it via the console port and I must reboot to access it. I noticed this alarm in my logs.( ASSERT CRITICAL PO1/0 Threshold Cross Alarm - B3) I've looked on-line but can't pinpoint it's meaning. Looks like a flapping interface but might be something else.
My router, a Cisco 7204 with NPE 300, is experiencing output drops and input errors on a fastethernet interface. I have a 100Mbps connection with less than 15Mbps utilization at peak times.
FastEthernet1/0 is up, line protocol is up Hardware is DEC21140, address is 0014.a985.1a1c (bia 0014.a985.1a1c) Internet address is 38.102.66.134/30 MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec, reliability 255/255, txload 3/255, rxload 1/255
I was planning to buy 7204 VXR for my site's router for the following requirements:
- support for ATM, Serial, ISDN - support for 3 10/100/1000 ethernet interface - support for 2 WAN interface
However, I realized that the 7200 series will not be available for sale after September of this year!! Any "reasonable" replacement for 7204 VXR that meets the above requirements?
I have a 7204VXR Router, with Neflow. The collection for all interfaces is ok, but one interface (Gigabitethernet 1/0), is not showing the egress traffic in the pictures. The configuration has "ip route-cache flow", ip flow egress, and ip flow ingress set. But, is not showing the egress traffic.
I have a Cisco 7204 vxr router that does not have a valid image on the boot flash or on the pcmcia card (disk 2). I tried everything i could to try and get the router to recognize the flash but it keeps giving me a magic card error. I'm losing my mind slowly but surely.
The router boots into Rommon every time and the Rommon options for this router are horrible. No tftpdnld option. Can I get this router to boot from tftp, from Rommon?
I have a 7204VXR NPE-400 running c7200-adventerprisek9-mz.124-24.T3.bin at the moment. This device is being used as a firewall between zones in a service provider network.
My issue is we have a lab device on the corporate side that needs to talk SCTP to the core device. Since there is no option to match SCTP in ACLs or protocol matching, I can't really get this to pass properly. What is the new IOS versions support SCTP? Any options to pass this traffic through the firewall?
I'm looking for a Cisco device to run a full BGP table with a 60Mb link. And one of the main restrictions is that my traffic is almost 100% real-time (voip). So the average packet size is small. Today we own a Cisco 7204 NPE400 with 512Mb RAM. I think even though I upgrade it to a G2, due to the small average packet size, the router will be near to its limit. Maybe a Cisco 7300 NSE-150? Or should I think about a switch?
I am preparing to move two branch offices from a point to point T1 connection to Century Link Metro Ethernet.Currently my branch locations connect to my HQ 7204 router via a channelized DS3. I have a 4507R at HQ that I will connect the ME circuit to.We will also be moving our Internet connection on the ME circuit.Our service provider Clink will hand me a single Ethernet handoff for the Internet and branch office connections. For the first phase I will connect one branch office using ME. Once that is in place and tested we will move another office and so on. Then our final step is to move our web connection to the ME circuit.Each branch office has their own unique voice and data subnet. They each have a 2801 router and a 3560 switch. The routers are MGCP gateways with only one PSTN connection, a POTs 911 line on a FXO port.
So my questions are;
1 - Should I connect the ME directly in to the 3560 at the branch offices or use the Fa0/1 on the 2801? Fa0/0 is currently connected to the 3560.
2 - On my 4507R at HQ how will I configure the ME switch port? As a dot1q trunk port?
3 - Given that ME is basically a LAN connection will I have to re IP the branch office? HQ is 10.10.1.x/24. Branch is 10.10.166.x/24 (data) 192.168.166.x/24 (voice).
4 - On the 4507R will I need to configure a vlan interface for each branch subnet?
I attached two network diagrams. One represents our current topology (MEexisting) and the second represents the new ME circuit changes (MEprojected).
Im trying to configure a 7204 for radius login authentication, although the router is also configured with radius for VPN access. How can I configure it for both using 2 different raidus servers? the login via radius is working fine on another router, although that one is not doing VPN access so there's no conflict.
My config:
aaa group server radius RADIUS_AUTH server x.x.3.11 auth-port 1645 acct-port 1646 aaa authentication login networkaccess group radius local
[Code]....
For some reason, this does not work. I cannot access the router and authenticate via x.x.3.11 radius server. I think there's a conflict between the VPN and the login authentication but im unsure how to resolve this.
I was attempting to setup our 7204 Cisco router to use RADIUS for authentication via the AAA commands. I must have messed up when configuring it as it comes up via TELNET asking for a username and password but doesn't take my AD credentials. How might I login to this router to fix the config? Do I need to do a password recover process?
One note, I didn't save the running-config to startup-config, so if I restart the router will it load the startup-config, thus overwriting the running-config that wasn't working?
One of my newly installed router got reloaded ,showing me below error . The same IOS im using in another router and it works fine without any issue ,but this newly installed router gave me this problem. [code]
cisco 7204VXR (NPE-G1) processor (revision B) with 983040K/65536K bytes of memory.
securing a back-toback connection using E1.The connection is between two cities, using 2x CISCO 1841 router + VWIC-1MFT-E1 interface at each city.
The E1 connections has been provided by our local telco, and they are completely private. The customer is a bank, and they asking me if this is a secure connection or not. If possible, we need to guarantee that no body can get access to the bank network even if they brought E1 modem at one of the ends (telco PoP).
Is it possible to allow certain websites to bypass the web authentication pages, so that they do not need to authenticate to get to our own website, but do have to if they wish to go anywhere else?Looking at a 5508 model at the moment
I have 2 internet connections in my office one via Verizon Fios and another one via the local cable company. On the fios connection I have an RV042 VPN router and on the Cable company connection I have an rvs4000 router, I would like to know if there is a way I can connect the 2 so I can share a printer I have on one of the 2 networks from the other network without using the VPN feature, like via an ethernet cable connected between the 2 and some kind of static route maybe?
