We are small transit ISP for other downlinks. And currently have such setup 7201 and 7206NPE-G1, as core and edge routers also we have connected to IXP. Downlinks usually BGP connected to one of border router which is terminated via VLAN, thus sub interface. IXP are also connected via VLAN on router.
What I don't like about this is when one borderd goes down downlink will lose connectivty, also recently we start growing and getting more downlinks, so balancing between borders become problem. So my question is, how to make setup less fragile and more redudant.
In case customers buy IP transit(there is a BGP session between ISP and customer), they often ask for default route and for example prefixes from local internet-exchanges. What is the advantage to have default route + certain smaller(for example /17, /18 and /24) prefixes?
We have two 7609 routers at different city . Our both 7609 routers make MTU 1800 bytes and when I ping the other router with packet (1500 bytes) ,it can get thought .But when I ping with 15000 even 1506 bytes ,it didn.t work .As I didn't disable the DF field .
Internet address is 202.112.38.54/30 MTU 1800 bytes, BW 1000000 Kbit, DLY 10 usec, reliability 255/255, txload 96/255, rxload 81/255
I understand that Cisco *wants* the APs to be directly connected to the new 3850.I have a few questions. Unfortunately, I think I know the answers. I just want to confirm.
a. When MA/MC is enabled on the 3850, does the 3850 start intercepting *all* CAPWAP packets it sees (much like CDP)? Even non-Cisco CAPWAP packets?
b. If I have a WLC 5500 upstream from the 3850, would APs hanging off a downstream 2960 be able to register to the 5500 through the 3850 when the 3850 is NOT in MA/MC mode?
c. If I have a WLC 5500 upstream from the 3850, would APs hanging off a downstream 2960 be able to register to the 5500 through the 3850 when the 3850 IS in MA/MC mode?
What I'm afraid of is:
a. yes, yes b. yes c. no
From the Q&A page:Q. Does the Cisco Catalyst 3850 support indirectly connected access points?A. No. The Cisco Catalyst 3850 switch will always terminate the CAPWAP tunnel locally. Pass-through mode or indirectly connected access point is not supported at this time.
We are trying to set up ACS 5.2 in our multi-forest AD environment. As part of our evaluation we set up an Active Directory External Identity Store to a domain (a.b.edu). It connects properly and I can see the directory groups in the that tab when we Select. This domain (a.b.edu) has a two way trust with another domain in another forest (x.y.b.edu). However, I do not see the groups in that domain and I cannot seem to manually add those groups using the Add on the free text Group Name.
The documentation is not clear on this point: Page 8-41 and 8-42 of the "User Guide for the Cisco Secure Access Control System 5.2) says: "The External User Groups dialog box appears displaying a list of AD groups in the domain, as well as other trusted domains in the same forest." This implies to me that it cannot cross forests even though a trust is set up. This seems to be what is happening.
I have a question which i am unsure of, on the 6500 i know i can set mls qos trust to cos or dscp since I don't have any trunks configured on that switch that i want to trust cos most of my ports trust dscp instead. The question is will packets coming in or going out at L3 with the TOS bits set get placed in the correct in/out queue. For example if a packet comes in on a port with a mls qos trust dscp and has the TOS set to XX will this XX get mapped to the correct COS value based on the default dscp to cos map and end up going out the correct queue which handles that specific COS number?
I mainly asked this because i saw the following on the cisco site and again i am suing dscp trust and not cos.
Weighted Round Robin (WRR), Deficit Weighted Round Robin (DWRR) and Shaped Round Robin (SRR). WRED and all the Round Robin scheduling options use the priority tag (CoS) inside an Ethernet frame to provide enhanced buffer management and outbound scheduling.
I applied command "auto qos voip trust" to the uplink interface. But I found that the interface shown command "auto qos trust" was applied when i show running-config. Could the command "auto qos voip trust" show in the configuration after i applied? If not, how can i check the interface that applied "auto qos voip trust"?
I have a problem with the command mls qos trust dscp, I used the ios c2800nm-ipvoice_ivs-mz.124-25f.bin but i can not enable dont show me the complete command in the interface Ethernet o Giga. I want to configuring mls qos trust dscp.
I want to know what the default behavior about the command 'mls qos trust dscp' under router platform interface. the router is ASR1000 series.we don't need to put above command line to trust dscp in case of router? otherwise, we have to add it as welll as like switch platform.
I am reading through a QOS Document and they want me to trust the DSCP value from an IP phone (Siemens) but UN trust the PC DSCP value. How can I trust one thing but not the other? I am using a 2960 Cisco switch with IP base IOS.
i have Catalyst2950SI with iOS12.1, connect a wifi-access-point to f1/1(dot1q trunk port),and connect another L2SW to f1/2(dot1q trunk port),and IP phone, MobileCamera connects to wifi-access-point,IP phone has dscp=40 value on its own packet,but MobileCamera doesn't have any dscp value or cos.now, i wanna do QoS by that dscp, So i type as below,
I have a computer connected to a domain trying to login and I got this error message "the trust relationship between this workstation and the primary domain failed"
Then I tried to login as local Administrator and after trying a few passswords get this error. Your account has been disabled.. please see your system administrator
We have QoS configured throughout the company, but the standard config we have applied across the 3750 switches only includes the below: We have IP phones (not cisco) attached that are marking with EF, and the PC is an untrusted end device (so needs to be by default marked as zero).Is the above enough to trust VOIP DSCP EF without resetting it to DSCP 0, or do I also need to add a trust line (i.e.: mls qos trust dscp)?
i would like to know the possibility to use mls qos trust dscp with service-policy in the IOS ver.12.2(25)SEE2.The specific version is not possible to configure like below.
Cat3750(config-if)#do sh run int f1/0/1 Building configuration...
When attempting to log in to a computer (running Windows 7 Professional) here at the office using the network administrator account, I get the error message: "The trust relationship between this workstation and the primary domain failed." I wasn't here when this laptop was set up, and so I don't know if any local user accounts were made or what their passwords would be if they were there, so I can't think of any way to log in to the machine and disconnect/reconnect to the domain which is really my only idea on how to fix it. Finding out what would cause this to suddenly start happening would also be nice, but mostly I just need to figure out how to get reconnected so I can get this back up and running.
I have some 2960 switches with Lan Lite ios in my infrastructure.And I try to configure them to support "trust device cisco-phone" and "switchport priority extend cos 0" on ports with cisco phones.But LAN Lite image does not support "mls qos trust device cisco-phone".can I use any workaround to trust cos of cisco phone and to remark PC traffic with cos 0?
I am wondering if having a Nexus 7K is mandatory to implement SGACLs within a TrustSec Infrastructure deployment or having a Nexus 5500 could be enough?
I've just been testing QOS on 3560 with version 15.0(1) and it seems the the default qos trust behavior on access ports has changed. By default the trust state of a port is not to trust anything, however rather than rewriting the DSCP value of the incoming packets and settign it to 0 the switch now seems to leave the DSCP value unchanged.
SW04-C3560(config)# do sh mls qos int g0/2 GigabitEthernet0/2 trust state: not trusted trust mode: not trusted trust enabled flag: ena [Code]......
I'm trying to test fast roaming using a Cisco 2100 Series controller and 2 1140 APs. The initial authentication succeeds fine and the wireless connection works ok using WPA2+CCKM and LEAP with a Cisco ACS radius server.The problem is that the client does not attempt to preauthenticate with the other AP because the RSN Capabilities IE in the AP beacons and probe responses do not set the RSN Preauthentication capable bit. I can't figure out what it takes to get the APs to indicate to clients that it can do preauthentication. I'm been crawling through all the documentation I can find, to no avail.
We are about to share a 10 MBit ISP connection with 2 others companies, and they are going to split the bill up into 3,3 and 4 Mbit, so we where thinking that we could setup a switch before their and ours router and provide them with a static IP from our ISP. But is it possible to set a bandwidth limit on the ports of a Cisco Catalyst 2960-8TC, so that we can set a limit of 3,3 and 4 on 3 ports.
I want to PAT my project of WLAN and i attached the document, how I create the Testing Criteria of the said scenarios, PAT document includes WCS 7.0, WLC 5508, MSE 3310, Cisco AP 3502e and ACS 4.2.
I have 7 POE switches that have ESI IP phones attached. I have two VLANS, 1 and 2. VLAN 2 is used for voice and is defined in each switch.The ESI IP phones connect to my POE switch ports and the pc attaches through the ESI IP phone.
I have had voice quality issue between floors in my building. Talking to others on my floor via the IP phone, there are no voice quality issues. [code]
I am looking at a config on a 5550 FW, and am trying to make sense of the syntax of the following rules. I have been to the Cisco site, but can't find much on the syntax.
I currently use a device called the Access Enforcer which runs OpenBSD. I have 3 stable, working VPN tunnel's where the other side's device is a Cisco ASA 5520 or 5540. I was setting up my 4th VPN where the other side used a Cisco ASA 5520 and ran into issue's. The Cisco side can bring up the tunnel. Once the tunnel is up each side can talk to the other side. However, when the tunnel is dropped, the OpenBSD side cannot bring up the tunnel. The error received is on the OpenBSD device is "isakmpd[29581]: transport_send_messages: giving up on exchange from-XX.X.X.0/24-to-XX.XXX.XXX.240, no response from peer XX.XX.XXX.141:4500". I have been trying to figure this out for weeks now and can't seem to find the cause.
I am trying to configure a 3750G that has been sitting on the shelf for several months and am getting the following error -
% Error: Unable to create flash:/microcode_update% Error: It must not already exist
Normally, getting an error during POST isnt a good thing. My first thought was that flash was corrupted or flagged RO somehow. I did fsck flash: with no change. I next tried fsck /test flash:. It tested 77 blocks and performed 0 erasures. It had been running for about 15 minutes with no problems reported so far. Multiple reboots of the switch still report the same error.
I have reviewed the history of what I have done on this switch and finally think I found the problem. I noticed a microcode_update directory that I am not used to see on a 3750. Deleted the directory using the rmdir command and rebooted the switch. On reboot, I noticed that a front_end/ directory was listed as being created as well as fe_type_1 and fe_type_2 were created. The switch now boots up without any errors.
I have two Cisco Aironets 1401 connected to a Cisco Catalyst 3560 Switch. When users log onto the Wifi the APs authenticate with a Freeradius that then authenticates with LDAP.
Recently users have been getting kicked off of the network but I'm not sure why.If so how do I set these APs to roam with my setupd?For all I know there could be an issue with the switch I'm just not sure where to start when it comes to troubleshooting this issue.
Guys I am using a cisco 2911 router with three interfaces: Gi0/0 connected through a switch to all my servers and Gi0/2 which will connect to another server, and Gi0/1 is my outside interface connecting through a switch to two ISP's.I have webservers and Terminal servers/File Servers with 10.0.0.0 network address connected throught My Gi0/0 interface.Now I want to implement a Cisco Advanced firewall for security on my router using CCP.I want the firewall to work such that it allows external users to access the servers on Gi0/0 through ports 0,23,25,20,21,53, 110,3389. and to access the SIP server on Gi0/2. My issue is can i just create two DMZ's for both interface Gi0/0 and Gi0/2 without creating an inside zone and Gi0/1 as outside zone as my internal traffic is mostly server based and the users connect remotely through terminal server to access resourcess using RDP, secondly how do I open the relevant ports.I have checked alot and all I have seen is just basic process on using the wizard I have no idea how to go about this issue.
I bought a new cisco 3550 switch to prepare for my Cisco certification prepration. Actually i dont know how to connect the cisco switch to a laptop with only usb ports....... earlier i used to do my practise using Cisco packet tracer but i think for CCNP switch that is not enough thats y i bought second hand switch. how can i connect that switch with my toshiba laptop which has only USB ports. do i need to buy some sort of convertor or other hardware. And if so what does u call it and how much does it cost?
