Cisco WAN :: Too Much Traffic On Interface - Link L2 Between SW4500 And SW6500
May 22, 2013
LINK L2, Between SW4500 and SW6500.
I am experiencing too much traffic on the link L2 (FastEthernet - GigabitEthernet), 90%. What can I do to fix that, any command? rate-limit or something?
Here are some outputs of the interfaces:
FastEthernet2/30 is up, line protocol is up (connected)
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 247/255, rxload 27/255
Encapsulation ARPA, loopback not set
[Code].....
Oct 2, 2012
My customer has two SW6500 in VSS mode connected via VSL. Has anyone connected a WLC5508 with an SW6500 VSS using the LAG feature? I wish to connect one uplink from the LAG to the first switch and the second uplink to the other. The two switches are considered like one logical software. I have already read the best practice from Cisco for connecting a 5508 to a switch regarding the port-channel, but nothing regarding VSS and the VSL link.
Oct 9, 2011
I have Pix 501 firewall and I'm just configuring the device for "Email Server" to allowing POP/SMTP.
Inside Interface Address: 132.147.162.14/255.255.0.0
Outside Interface Address: ISP provided IP address
My question is: can my traffic go from the inside interface to the outside interface (because the inside interface address is not from the 10.0/172./192.168 private addresses)? Also, I'm allowing internet from this email server (132.147.162.14), so what access list should be configured, and what should my subnet mask be there?
Pix(config)#access-list outbound permit tcp 132.147.162.14 255.255.0.0 any eq 80
Pix(config)#access-list outbound permit udp 132.147.162.14 255.255.0.0 any eq 53
Pix(config)#access-group outbound in interface inside
May 5, 2011
There is a remote server that downloads info from a server here at HQ. When the downloads start, the rxload on the S0/0/0 interface jumps to 98 percent or so; rxload 250/255. I needed to limit the bandwidth utilization between the servers, so I added the below line to the LAN interface on the remote router. By adding the command, it reduced the download utilization, which is what I wanted.
access-list 185 permit ip host 10.6.27.1 any
!
int f0/0
traffic-shape group 185 10000 8000 8000 1000
Question: How would applying this to the LAN interface cause the download utilization (coming from s0/0/0) to decrease?
Nov 2, 2011
I want to monitor interface traffic in/out by EEM, and if the value is over some value I will change the policy. For example, my router is a 2821 and it has 2 FastEthernet ports. I want to monitor the traffic on fasE1/0; if traffic is over 80Mbps I will change some configuration (example: change next-hop on static route) to send traffic via interface fasE1/1 to reduce the traffic on interface fasE1/0?
Jul 17, 2012
I want to allow ICMP traffic on ASA 5510 from LAN interface to DMZ. I've permitted any traffic and added ICMP to the inspection list also, but still there is a problem. Below is the configuration. The image is asa822-k8.bin
:
ASA Version 8.2(2)
!
hostname fw-01
names
!
interface Ethernet0/0
[code]....
Jan 15, 2013
I am facing a very big problem with site-to-site VPN on Cisco 2900 IOS.
I configured the VPN, and when I ping from the router itself to the destination IP with the source as the LAN interface, the VPN works, no problem.
But when I connect any computer directly to the router's LAN interface to initiate traffic, it does not work at all, and on the computer's LAN I see a yellow sign.
MTU is 1500, speed is auto (I tried changing it also), duplex is auto (I tried changing it also). The firewall on the PC should not affect this, but I still disabled it.
Since there is no problem with the VPN config, as the VPN comes up when I initiate a ping from the router itself, I don't know why it is not working from the LAN.
Do we need any inspect icmp on this router also? Or is any policy modification required to pass traffic across the interface on the router?
I was using c2900k9-15.0(M4).bin and I upgraded it to 15.3, which is the latest, to get rid of any bug.
I connected two laptops directly to the router's gi0/0, g0/1 interfaces to ping from one laptop to another, but this also did not work.
Jul 7, 2011
I have two ethernet adaptors on my Windows machine. OS is Win-XP. I am running ADSL broadband on LAN1 and on LAN2 I am accessing applications on our company's WAN. LAN1 is on 192.168.1.0/24 subnet and LAN2 is on 10.68.104.0/22 subnet. Accessing applications through LAN2 involves DNS that is located distantly, therefore routers are also in the picture. The problem is that while accessing the applications that run on the network of LAN2, I have to disable LAN1. Otherwise the traffic goes on LAN1.
Mar 12, 2012
I have an ASA-5505. [code] I have an Exchange server on the 10.10.10.0 network. I need to be able to allow Active-Sync and OWA from the Guest WiFi through to the Exchange server on the 10.10.10.0 network. The Guest Wi-Fi uses external DNS, so traffic is going out to the Internet and getting an IP address which is of course assigned to the Outside interface and trying to come back in on that interface. How do I make this do what I need? How do I set up the rules to allow this traffic?
Dec 20, 2011
FTP traffic routed from outside to the inside interface works fine. I have another interface with multiple sub-interfaces and vlans configured. FTP traffic routed from the outside to vlan2_servers is not making it through the firewall. I must be missing something. I have attached my config.
Sep 3, 2012
I'm having some problems blocking IP blocks. I have several blocks of IPs that I want blocked. I want to block 77.0.0.0/8 from communicating with a server on my LAN. So I make a rule in the RV042 to deny all traffic from 77.0.0.0 to 77.255.255.255, source wan1, destination lan, my server's IP. As soon as I move that rule above the traffic forwarding rules I have created, no traffic moves in or out via the WAN interface. It seems to just cut off all traffic.
May 31, 2011
I have my main branch router (3825) and two remote routers (2821s). They are connected through leased lines that do not touch the internet. For various security reasons I have to ensure that the traffic from the remotes is encrypted in a VPN tunnel even though it is still part of a private network. I have gone ahead and created the tunnels and I can verify that they are up. I have applied the crypto map to the correct interfaces, etc. So the question is: how do I ensure that traffic is not just being routed out of the interface from the remote sites back to the branch router with or without using the VPN tunnel? I've taken down the tunnels and, of course, the traffic is still being passed back and forth.
Apr 16, 2012
I have a number of WLCs/WiSM2 running 7.0.230.0 (still using WCS for management). The management interfaces for the controllers are on a purely private subnet. While going through the internet edge ASA logs I noticed some traffic drops for the controllers on the Inside interface. I took a packet capture from the controllers and found that they were sending TCP traffic to a number of IP addresses (Microsoft, Hotmail and Google) - always with a src port 2028 (submitserver) with the ACK/FIN flags set. Why is this traffic coming from the management interfaces? The management interface is not used by any wireless clients and is not the default interface for any of the SSIDs.
May 22, 2013
I have a number of WLCs/WiSM2 running 7.0.230.0 (still using WCS for management). The management interfaces for the controllers are on a purely private subnet. While going through the internet edge ASA logs I noticed some traffic drops for the controllers on the Inside interface. I took a packet capture from the controllers and found that they were sending TCP traffic to a number of IP addresses (Microsoft, Hotmail and Google) - always with a src port 2028 (submitserver) with the ACK/FIN flags set.
Jul 31, 2012
I have little experience with firewalls; what I've learned has been by dealing with issues like this that arise from time to time. I know, I need to upgrade the version. It's in the works now. Anyway, my question/problem is: today I've received reports of slow internet access/activity and have noticed myself that it seems a bit slow today. On the dashboard of our ASA 5510 the "outside interface" traffic usage is running constantly high. It's at the top of the graph. How can I tell what is causing the spike in utilization? It usually runs at about 1500-2000 Kbps, and now it's up over 10,000.
Jan 16, 2012
I can't move traffic (isakmp udp_port: 500 & ipsec nat traverse udp_port: 4500) from my dmz to the outside interface
Sep 23, 2011
We have a 2911 Router running 15.0(1)M4. G 0/0 is our LAN interface, and it has three subinterfaces:
G0/0.1 is our data LAN, and the gateway for our Windows machines. This is the interface this question concerns.
G0/0.23 is a separate LAN for various equipment
G0/0.192 is another LAN for equipment
G 0/1 is connected to the internet, and has a public address.
S 0/0/0 is a T1 PPP, connected to our core data center
S 0/1/0 is a backup T1 PPP, again, connected to our core data center.
There are three static routes entered:
ip route 0.0.0.0 0.0.0.0 10.12.1.1 100 This is the first PPP
ip route 0.0.0.0 0.0.0.0 10.13.1.1 200 This is the secondary PPP
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 255 It currently has a cost of 255 while I figure this one out. xxx.xxx.xxx.xxx represents the cable company gateway, which I can ping properly. I've also used "gigabitethernet 0/1" in place of the next hop IP with the same results.
The public interface is properly connected, and can ping its next hop (the cable company gateway). When I change the static route for gigabitethernet 0/1 to a cost of "0", the router can properly ping DNS names, such as google.com, through the public interface.
However, devices on the data LAN cannot reach any public addresses except for the router's public interface, let alone DNS names (I am using 8.8.8.8 as my test IP). If I revert the cost back to 255, making the PPP the gateway of last resort, these devices can again connect. (they travel through the PPP to our Data center's internet)
This confuses me. If our server, on the same LAN as the router, can ping the public interface (it's definitely not leaving the 2911, as latency is less than 1ms), and the router itself can ping outside addresses, what is preventing the router's public interface from passing traffic to the internet from any source other than itself? I have attached our running config in the hopes that there is something obvious I'm missing (the public IP addresses have been changed so they are not exposed). I simply want clients on our 10.23.0.0 LAN to get to the internet via the public interface of the local router, and still connect to corporate resources using the PPP links.
MAS_2911#sho run
Building configuration...
Current configuration : 5666 bytes
!
! Last configuration change at 01:47:50 eastern Sat Sep 24 2011 by redacted
[Code].....
Mar 7, 2012
We have a Cisco 3825 router which does not work well with a DSL modem (ISP provided). I have configured the Gi0/0 port of the router to plug into this DSL modem but it does not ping to the ISP gateway. If we do a shut/no shut on the interface then it works fine for about 30 secs. Sometimes even for 1 hr. Then the packets drop and we cannot pass any traffic through this interface.
Now, if the ISP connection is terminated on a computer it works fine. It works fine without dropping any packet. I have tried various options like using a straight/cross cable. I have tried to configure the interface negotiation for 100/full, 100/half, auto/auto and almost all the options. I have also tried to interconnect the devices using a L2 device like a HUB. Nothing works.
Apr 19, 2013
I am building a new VPN AnyConnect solution. I want the traffic to enter an interface and that traffic should be forwarded to my "VPN-Machine".
The system is an ASA5520 with old software; I am not at work now so I cannot tell exactly.
So my question is, how do I make the traffic enter one interface and be forwarded to another? I have split the physical interface into several sub-interfaces.
May 13, 2013
We have a Cisco 4506-E switch with IOS version 03.02.05.SG. We are currently facing a strange problem. VLAN interfaces configured in the switch are not showing input and output traffic, whereas the traffic is seen on the Gig interfaces mapped to the respective VLANs. We also tried configuring the load-interval 30, but there is no change. Interface 3/5 is mapped to vlan 5. For this issue we have also done the IOS upgrade from 3.1.1SG to 3.2.5SG recently; still the issue is the same. [code]
Mar 26, 2012
We have an ASA that has 3 IPSEC VPN tunnels and standard internet traffic coming in on Int E0/0 that I need to have go out Int E0/1. E0/1 is directly connected to a Steelhead Riverbed 2020. The traffic will need to come back out of the Steelhead Riverbed 2020 and into the ASA to Int E0/2. From here it needs to go out either Int E0/3, which is connected to a Catalyst 3560 Switch, or back out Int E0/0 through one of the VPN tunnels. I attached a PDF with a diagram if that works.
The reason we are doing this is we have Riverbeds at all our locations and they need to talk to each other to optimize traffic. Is this routing possible any other way than PBR (Policy Based Routing)? I am of the understanding that PBR is not supported on the ASA or PIX.
Oct 13, 2012
I need to configure a Cisco ASA5510. Connected to a single interface I have a switch. To this switch (same VLAN) there are connected:
1. The Subnet of the main office (192.168.1.253)
2. A router (IP 192.168.1.254) that routes the traffic to a remote location (Subnet 192.168.8.0/24)
I have so allowed any traffic incoming to the inside interface as follows: access-list inside_access_in extended permit ip any any and I have permitted traffic intra interface as follows: same-security-traffic permit intra-interface. [code] Unfortunately I cannot RDP into that server. When I simulate the connection via Packet tracer, it tells me that the implicit deny on the bottom of the connections from "inside" (firewall) does not allow the connection. It sounds to me like that "same-security-traffic permit intra-interface" does work only if there are 2 interfaces and not a single one. Unfortunately I cannot just unplug the cable and connect it into another port as the IP is on the same subnet and I cannot configure the other end router.
Jul 21, 2012
We have a Cisco ASA 5505 (v7.2(3)) with a "fairly" normal configuration yet we have a problem where it appears UDP/53 traffic is denied on our inside network.
Here is output from our syslog:
SyslogID Source IP Dest IP Description
305006 172.18.22.3 portmap translation creation failed for udp src inside:172.18.22.156/42013 dst inside:172.18.22.3/53
To give some clarification:
172.18.22.3 is one of our DNS servers
172.18.22.156 is a device we're experimenting with.
We've bypassed the Cisco by using a 4G wireless router with this same device - and it works flawlessly. Here is a [scrubbed] copy of our config. It is what I inherited from the previous admin - I'm not sure of all its finer points (I'm not Cisco certified -- perhaps I'm just certifiable.)
: Saved
:
ASA Version 7.2(3)
!
hostname [redacted]
[code].....
Feb 24, 2012
The top device of my network is a Cisco router 7609. There are two subnet parts of my network; each part uses the same device types, same running-configs and same network topology: sw6506 (to campus)--->sw3560 (to buildings)<--->linksys sr324 (to offices). IP addresses for the management VLAN are 192.168.1.0/24. Suppose we name the two subnet parts A and B. The problem is that from the 7609 I can telnet to every device of part A quickly, but when I telnet to each sw3560 of part B, it responds very slowly. And only the sw3560s of part B respond slowly; other devices of part B are OK. If I telnet to a linksys sr324 first, then from the linksys sr324 telnet to the current sw3560, it's OK. I tried to capture packets of the management VLAN, but there seem to be no strange things in it. No users of part B report problems; it seems the network is running well. Comparing the two sw6506s, the only different thing is that there are "overrun" counts at each interface in use on part B's sw6506. Each interface's traffic is far less than its capability, but its "overrun" count is still increasing during working hours every day.
Aug 8, 2012
Cisco ASA 5510. Between 5 and 10 minutes after resetting the ASA, traffic stops accessing outside IP addresses. Ping from console fails to the ISP router IP. Ping to the Google name server fails. I have reset to factory default, only setting up NIC and NATting, and it still happens.
Apr 8, 2013
Initially we had an RV110W in place and had problems with the port forwarding stopping a few times a day, so we replaced it with an RV180W. Now port forwarding appears to be staying up, however I have a new problem. We host a web page; for some reason when an internal user points the URL to the web page it resolves to the web interface of the router and not the expected web page. If you are outside of the network it resolves to the correct web page. I am not sure why this is happening as it didn't happen with the RV110W or the PIX before that.
Oct 4, 2011
I have a problem with traffic coming from the GRE interface and going further through the FWSM on the same 6509-E chassis. It's very interesting and confusing. If packets are fragmented, I can go through; however, if I use normal packets (usual ping for example), traffic goes from outside to inside and stops on its way back.
Here is the detailed info:
WS-C6509-E with WS-SUP720-3B
FWSM HW 4.0, SW 4.1(4)
GRE is done in hardware (source is loopback interface - only one loopback per GRE tunnel).
Sep 17, 2011
I have two attachments that show my basic network layout. I can get from the VPN Cisco Client to Workstation 2 just fine with my current NAT rules in place. I can also get from Workstation 2 to Workstation 3 just fine. But I'm having issues when I try to get from the VPN client to Workstation 3... What would I need to enable to get to Workstation 3 from the VPN client? It seems very simple to me (just PAT that traffic as I do the traffic from Workstation 2 to Workstation 3) but that does not work.
Jun 1, 2011
I'm trying to route all default traffic from my production environment through my ASA 5520 on the "outside2" interface. The 5520 has a site to site VPN to our DR site on the "outside/inside" interfaces via one ISP. On another ISP, interfaces "outside2/inside2" go to the internet.
When I make my 3750 stack default route for the inside2 interface IP I cannot get to the internet. When it is pointed to the inside interface on my 5505, I can.
I get the following errors when I try to open google.com from a production server: Why is the 5520 trying to use the "outside" interface instead of the "outside2" interface to go out?
Jun 11, 2013
This is my first time configuring a Cisco router. For instance, a Cisco router 1700 with 2 ethernet WICs and 1 LAN port. We have 2 ISPs, one more stable than the other. We use an RDP session to an external host identified by, let's say, IP address 200.1.1.2, using ISP2 to get to this computer. We use ISP1 for all the internet usage, web pages, YouTube etc. We are thinking of using this Cisco router 1700 to do the packet filtering and routing of this RDP session to the correct ISP2, since we only have 1 NIC per computer on the LAN side.
The main idea would be:
                                    | YES -----> ----------- then use ISP2
LAN---------> Are the packets RDP ? |
                                    | No  -----> ----------- then use ISP1
Can this be achieved using packet filtering with extended ACLs, routing RDP (port 3389) packets from the LAN interface to the ISP2 WAN interface?
Oct 4, 2011
We have a 3560 switch with the following IOS: version 12.2(55)SE3, and the image name is C3560-IPSERVICESK9-M. On one of the interfaces we need to know what traffic is flowing.
Do we have "ip nbar or ip route-cache" support on this switch IOS? Is there any other way to find out which protocol traffic is flowing through that interface?
Mar 15, 2013
I have an ASA 5505 with the Security Plus license. I have 7 VLANs; 2 are guest VLANs for wireless and wired connections. I am allowing traffic from the guest VLANs to any with the http & https protocols. I have ACLs in place before the allow-all rule that do not allow traffic from the guest VLANs to the other VLANs. Is there any way to have all traffic from the guest VLANs always go to the outside interface for the http & https traffic instead of trying to go to the other VLANs first? I know I have the ACLs in place to prevent the traffic, but I would feel better if I had this in place as well.
Apr 25, 2012
For ASA v8.3 and above we don't need to use nat-control; traffic from a high security interface can go to a low security interface without matching NAT statements. So does the ASA automatically NAT the outgoing traffic to the outside interface by default?
For example
ASA inside int---10.1.1.1
outside int---120.11.1.1
When the inside hosts try to go out they will be NATed to 120.11.1.1 by default on version 8.3 and later. Is that right?