I want to provide some outside interface protection on an ASR 10001 router. The Internet facing interface is the ingress for all remote access home users that have created a DMVPN. I want to protect the network from the Internet but, at the same time, protect against breaking the tunnels created from the home users. We are running EIGRP between the home users and the HQ router. How would you build the access-list applied to the outside interface and what protocols would you allow through?
So, I have this router at home, a WRT150N. I put in access restrictions so my siblings won't stray onto unwanted pages. I enabled SPI Firewall Protection and what do you know, it worked. The next day though, we didn't have an internet connection. I checked everything with the modem (power cycles, etc.) and then I tried the router. Upon disabling SPI Firewall Protection, the internet connection came back. I tested it yet again, to see if it really was the SPI. Enabled and bam, no internet access again. I made sure to select "Allow" in the Access Restrictions for "Internet access during selected days and hours" making sure also that "Everyday" and "24 Hours" are selected. Now my question is, what do I need to do in order to enable my Access Restrictions without having to lose internet connection via the SPI Firewall?
Nexus infrastructure is a pair of N7K switches, with dual homed 5K/2K devices connected; links use vPC. They want to extend VLANs from the 5K/2K side across a L2 path into another DC. This path is only connected into one of the N7K switches, call this 7K switch A. I'm concerned that packets from the 5K/2K side back to the remote DC could get dropped due to the vPC loop detection process. If a packet from the 5K/2K side traverses the path into the same N7K (7K switch A) as the L2 extension, I don't see a problem. But, if the etherchannel load balance in the 5K sends traffic to the packet to N7K B, in order to get to the L2 path extension to the remote DC the packet gets forwarded across the vPC. My understanding is that this packet will get dropped by N7K A as its local L2 path to the remote DC is up, is this the case? I see a solution is to plug the L2 path into a 2K, but before I suggest this, is my understanding of the loop detection process correct?
url... I discovered that it would be possible to be protected from portscan, I mean when someone scans our network/host from outside, the attacker will see all the 65535 ports as "open" (in that way it will be more difficult for an attacker to perform customized attacks...) So I have followed the setup in that link:
policy-map global_policy
 class class-defaults
  set connection embryonic-conn-max 15 per-client-embryonic-max 3
service-policy global_policy global
The problem is that I don't have the expected result.. If I do a portscan over Internet from an external host to my hosts the portscan is successfully working and I can view my open ports... I have also tried to set this through a "match" in an access-list but without any success.
I have just set up a WLC 4402 as a Guest WLAN controller on the DMZ of our network. I have successfully managed to get our internal controllers to connect to it, with the exception of 1. It says the control path is up but the data path is down. The other 14 controllers worked fine, and in testing the last one was OK but it is now not working properly. The 2 controllers can ping each other but just won't create the data tunnel. There is a firewall in the middle but that has been set up to allow traffic between the 2 groups of controllers to be unrestricted.
The internal controllers are 4404s and all controllers are running the same version of code, 5.1.151.0.
I have a problem with the command mls qos trust dscp. I used the IOS c2800nm-ipvoice_ivs-mz.124-25f.bin but I cannot enable it; it doesn't show me the complete command in the interface Ethernet or Giga. I want to configure mls qos trust dscp.
I was trying to enable AutoQoS on my router 3925 GE interfaces, but failed to do so!! But I was able to do so on FE interfaces!! I have Security/K9 and Data/K9 license on this router. Or do I still miss out anything?? I am on IOS 150-1(M4).
I was able to enable AutoQoS on all my Cisco 2811 and 1841 routers!
I've been using a WRT120N on a local area connection. The WRT120N acts as a gateway and also to connect to the PPPoE connection, via a bridged ADSL modem. I've noticed that the LAN port 1 was flashing although the network cable was disconnected from the physical port. I've restarted a few times but to no avail as well. Ever since that, I've noticed that connections through cable are unstable and hard. Now, I'm not able to reset or upgrade the router's firmware. Is there any other way to be done so that I can get this router working as normal again?
My system problem is that after starting the computer, within 5 minutes network services are disabled and the network path is not connected, but communication is working when I am testing the ping command.
I'm in the process of purchasing new Cisco routers for our branches that will be used primarily to enable IPSec virtual tunnel interface with "tunnel mode ipsec ipv4". Does the default IOS IP Base support this feature? Or do I need to purchase a DATA license or SECURITY license?
I have a 1801 router connected to a 3550 switch with a regular 802.1q trunk, and I am curious as to what may be causing the unknown protocol drops on the connected router interface.
The switch is without any configuration at all except the following for the trunk configuration on the interface connecting to the router.
There is nothing connected to the switch other than the router so the dropped traffic must be originating from the switch itself. The unknown protocol drop counter on the router increments by one every 30 seconds, and I tried using a packet sniffer but nothing noticeable showed up.
I read elsewhere on these forums that it might be UDLD, but that is not enabled by default, and just to be sure I tried disabling it on the interface and as expected it said it was not enabled, so I am ruling that one out. I also read that it could be because the router is receiving traffic from other protocols than IP, but I do not see how it applies in this case.
What does a 3550 send every 30 seconds that my 1801 does not understand? Could it have something to do with STP?
I have a requirement to enable PBR in a VRF interface of a 4948 switch, but as I browse the internet, it is quite impossible to do that. Is there any alternative way / feature to get the same result as PBR does? Which is to reroute the specific VRF traffic to another interface based on source and destination IP address?
Class and policy maps are defined properly, but when I am going to apply the policy-map on the interface, it throws an error as "'set' command is not supported in a 2nd level policymap".
Class/Policy map configuration given below ....
class-map match-any cm_traffic_control
 match access-group name acl_traffic_control
class-map match-any BE
 match access-group name be
[Code] ....
I'm trying to add some 2800 series routers to our monitoring environment, but I can't get them discovered.
On the Mgmt Server I need to go through a "discovery" process to add the 2800 to the system. For this I target the internal interface ( i) but the discovery fails. I'm assuming the packets are getting dropped on the outside interface (e). I know SNMP is set up correctly and works as I had PRTG installed on a local box (p) for testing purposes.
The intention is to do the data gathering via a proxy agent (p), so enabling SNMP on the outside interface is not going to do me any good. What do I need to do to let those discovery packets pass through? At least temporarily?
I have an AIR-LAP1131AG-A-K9. This AP is registered, but I can't enable admin status on interface B/g; when I select the option it throws an error: "Error in Enabling Admin Status"
I have a WAG120N that works just fine except the IPTV. I don't see any options where I can enable the IGMP on the WAN interface (DSL). In the routing table I see a route 239.0.0.0 255.0.0.0 gw 0.0.0.0 that is only for the LAN interface. How do I enable the IGMP on the WAN interface?
During an installation, we plugged a Ruckus wireless bridge (powered by a PoE injector) into G0/0 on the 1941. The port status remained down/down. We then tried connecting it to G0/1. Again, the port status remained down/down. We took another wireless bridge, plugged it into G0/0 and the port changed to up/up status within a few seconds. The same happened when connected to G0/1. Both ports have speed/duplex set to auto/auto. We took the cable from the first wireless bridge and connected it to a 3550 switch; the FastEthernet port went up/up. We then took the cable and connected it to a switchport card (HWIC-4ESW) that was installed in the 1941 router. The port came up/up. We connected the wireless bridge back to G0/0 in the 1941 and manually set the speed/duplex to 1000/full. The link light on the router became illuminated after a few seconds but no console message was displayed (nor did any events appear in the log) and a "show int g0/0" showed the port status as down/down. This could not be duplicated as this only happened one time. The wireless bridges sit atop a water tower and are each connected via a shielded ethernet cable. The cable that we're having trouble with is cat5e STP and about 310 feet in length. I should note that we have not yet swapped the PoE injector but it seems to be functioning properly as power is getting to the wireless bridge and it's accessible. Also because if the wireless bridge for some reason didn't come back up after a power cycle it would potentially mean climbing the tower to perform a hard reset. We tried another 1941 with the same results; however, we have not tried another router model to rule out a potential platform issue. Can you recommend any troubleshooting steps to determine why the port status of the gig interfaces on the 1941 doesn't come up?
I was able to configure (via SF200 web interface) a port mirroring from port FE17 to FE7. I have suppressed this port mirroring. When I try to reconfigure a port mirroring from port FE17 to FE3, the SF200 web interface crashes. The SF200 seems to reboot.
I have updated the SF200 firmware from V1.1.2.0 to V1.1.2.9.44 when I was able to configure (via SF200 web interface) a port mirroring from port FE17 to FE7. But after having suppressed this port mirroring again, I was not able to reconfigure a new port mirroring from port FE1 to FE3 (the SF200 hangs).
I have also tried to return to default factory settings but this does not solve the issue. I am working on SF200-24P.
I'm working with AnyConnect for the first time (my prior experience is with IPSec client) and I have multiple remote users who connect to a 5520 via AnyConnect client; they need to print to each others' shared printers but currently have no connectivity between each other.
Can I configure the 'intra-interface' command to enable connectivity between remote clients, or is there more that needs to be done to enable this, presuming that it can be done at all?
I have an internet line that comes from my neighbor through his hub, directly connected to my laptop. My problem is, I bought a wireless ADSL model router but when I check the DSL line port it's RJ14, to which I cannot connect my RJ45 internet line. Additional information: my wireless router has another 4-port LAN. Can I connect my internet line to a LAN port? If so, how will I configure the router?
I need a small number of computers connected to the Internet through the E4200. The E4200 must be connected to the switch via the LAN port. The basic network is a network of class A - 10.xxx/255.0.0.0. How do I do this? The E4200 cannot enter a mask of 255.0.0.0.
I am switching out our old WRVS4400 router to the Cisco 891. Having a problem configuring the Cisco 891 router. I changed the VLAN port on the 891 from 10.10.10.1 to 192.168.2.1 and the IP address saves, but when I try to rediscover it through the CCP to the new IP address 192.168.2.1 I get the message discovery failed.
The subnet mask I used is 255.255.255.0. The only thing connected to the 891 router is our Linksys 48 port switch, which is SL248G, and my laptop is connected to the switch. The port it's connected to is FE LAN 0. How do I discover the 891 so I can do further configuration and enable the FE8 port for using it for our internet connection?
I'm wondering whether the Linksys e1200 and/or e1500 offer any kind of Denial of Service (DoS) protection? I'm currently looking for a new router and would love some info.
I'm about fed up with having this issue that no one can seem to solve. It dates back to when I owned a WRT54G router. I started experiencing random disconnects with the router, both wired and wireless. I only owned the router a year and figured it was going bad.
So I purchased this WRT120N router late August. Soon after I set the router up, lo and behold, the same problem started. I've called my ISP on a couple of occasions and they tell me that everything is fine from their end. I've spoken with Linksys tech support on 3 separate occasions. I have changed the MTU to 3 different values and upgraded the firmware. The 2nd support tech suggested that I do those two things. To my surprise this worked for 2 or 3 weeks with no problem. The same problem started again just last night, disconnecting intermittently. I spoke with another support tech and they suggested that I disable the SPI Firewall protection and Anonymous internet request. That did not work for the brief time I had this disabled.
More into the problem, when it disconnects the modem seems fine but the activity light on it stops as it should. The router itself appears to reboot, then when it comes back up the connection restores. What could possibly cause this? I currently have version 1.0.02. This is getting very frustrating and I am getting very near not using Linksys/Cisco products any longer.
I'm trying to connect an Epson Stylus Color 740 USB printer to a newly purchased E4200 wireless router. I've upgraded to the latest Cisco Connect software and to version 1.0.0.3 router firmware. I get the message "A non-supported device is connected to your router's USB port. Disconnect that device and follow the steps below to connect a USB printer to your router." Cisco support was not beneficial.
I'm using Packet Tracer. I enabled port security on fa0/18 and set it to shut down when a violation occurred. I set it to only allow 1 MAC address, so I tested it by plugging in another PC and the port shut down, so the security was working. However, when I plug the old PC back into the port it still stays shut down. How do I activate it again?
FastEthernet0/18 is down, line protocol is down (err-disabled)
I have applied port security in one Cisco switch and I have enabled port security on one port. I have applied port security as sticky and applied "restrict" on violation of the port security. Now I have connected a PC to that switch port. Later I have connected another PC. The packets got dropped. But when I connected the original PC again, the packet flow started again. So, I have a doubt. Will the packet flow get established when the original PC is connected again to a port which is applied with port security violation "Restrict"?