Tuesday, July 30, 2013

Help with WAN load balance

Question:

I need to load balance between two MPLS links, but it is not a total balance, because my client wants only one specific application (Terminal Services) to go over one link; the rest of the traffic has to go over the other link.

I tried to do this configuration using PBR, but it didn't work because the Catalyst 3560 doesn't allow applying the route-map on a normal interface.

I attached the topology to help you understand better.


If anyone knows how to do it, I'll be very grateful.

Answer:

You need to have IP Services or Universal IOS version on 3560 to support PBR under interface.
https://supportforums.cisco.com/community/netpro/network-infrastructure/routing/blog/2011/03/31/pbr-on-switches-37503560



Cisco 2921 Router Wan configuration

Question:

I have a Cisco 2921 router with 3 gigabit interfaces.
I have a leased line for the internet with a public IP address and I want to configure this router as a NAT/PAT gateway, so that users in my network can use the internet through the router.

my wan interface is g0/0 - ip 122.xx.xx.xx

lan is g 0/1 -- 192.168.1.1 /24

Please advise me on the configuration.

I have tried doing NAT once but I was not able to bring the WAN port up.

Using Cisco CP, when I test the interface it gives an error and I don't get internet to my users.

Please guide the configuration.

Answer:

Please try the following commands and let me know the results:

access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0


Sunday, July 28, 2013

Catalyst 3750 SFP module

Question:

Is there a command that can be used to view what type of SFP module is installed in a Catalyst 3750 switch?

Answer:

show interface status will tell you whether the SFP is LX, SX or LH.

Sent from Cisco Technical Support iPhone App

There are several commands:

1.  sh interface status;
2.  sh inventory;
3.  sh interface capabilities; and
4.  sh idprom interface <SFP port>


If your SFP ends with a "D", for example GLC-SX-MMD, then you can also try "sh interface <PORT> transceiver [details/properties]".

Friday, July 26, 2013

IPSec VPN Tunnel with NAT

Question:

I'm setting up an IPSec tunnel between 3800 and 2600 routers over the internet.

Do I need to create a tunnel interface as they suggest in this document?
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094bff.shtml#diag

I just watched a couple of YouTube videos saying I don't need to do that...

Answer:

For IPSec there is no need to create a tunnel interface. You have to assign your peer IP and then push your packets via NAT.

Check this generic configuration of an IPsec site-to-site VPN:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
! set your key instead of XXX; it must match the remote site. The address is your peer.
crypto isakmp key XXX address 10.10.10.10
crypto isakmp invalid-spi-recovery
!
crypto ipsec transform-set XXX esp-3des esp-md5-hmac
!
crypto map YYY local-address <<<FastEthernet0/0, your local interface>>>
crypto map YYY 10 ipsec-isakmp
 set peer 10.10.10.10
 set transform-set XXX
 match address 101
!
interface <<<FastEthernet0/0, your public interface>>>
 crypto map YYY
!
! crypto access list 101: the traffic to protect (remote users 11.11.11.11 and 22.22.22.22)
access-list 101 permit ip 192.168.1.0 0.0.0.255 host 11.11.11.11
access-list 101 permit ip 192.168.1.0 0.0.0.255 host 22.22.22.22
!
! NAT access list 100: exempt the VPN traffic from translation, translate everything else
access-list 100 deny ip 192.168.1.0 0.0.0.255 host 11.11.11.11
access-list 100 deny ip 192.168.1.0 0.0.0.255 host 22.22.22.22
access-list 100 permit ip any any


Please rate if helpful.
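How the two access lists in the answer interact is easy to get wrong, so here is an added Python example (not code from the original answer): it implements IOS wildcard-mask matching and first-match access-list evaluation with the implicit deny, then runs the crypto access list and the NAT access list from the answer over constructed sample flows. For inside-to-outside traffic IOS translates before the crypto map is consulted, which is why the NAT list has to deny the VPN-bound traffic first; the example also shows why the remote hosts are written with `host` (wildcard 0.0.0.0), since a wildcard of 255.255.255.255 matches every address. The destination 203.0.113.9 is a constructed non-VPN destination.

```python
import ipaddress

# Constructed sample access lists, transcribed from the answer above with the
# remote peers written as host entries.
CRYPTO_ACL = [
    "permit ip 192.168.1.0 0.0.0.255 host 11.11.11.11",
    "permit ip 192.168.1.0 0.0.0.255 host 22.22.22.22",
]
NAT_ACL = [
    "deny ip 192.168.1.0 0.0.0.255 host 11.11.11.11",
    "deny ip 192.168.1.0 0.0.0.255 host 22.22.22.22",
    "permit ip any any",
]


def _ip(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """IOS wildcard-mask semantics: a 0 bit in the wildcard means 'must match',
    a 1 bit means 'don't care'. This is the inverse of a subnet mask."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


def _take_address(tokens):
    """Consume one address specification (any | host A | A WILDCARD) and return
    it as a (base, wildcard) pair plus the remaining tokens."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_ace(line):
    """Parse an extended ACE of the form 'permit|deny ip SRC DST'."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    src, rest = _take_address(tokens[2:])
    dst, rest = _take_address(rest)
    if rest:
        raise ValueError(f"trailing tokens in ACE: {line!r}")
    return action, src, dst


def evaluate(acl, src, dst):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for line in acl:
        action, (sb, sw), (db, dw) = parse_ace(line)
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


def classify_flow(src, dst):
    """Model the inside-to-outside path: the NAT list is checked first (a
    'permit' means translate), then the crypto map decides whether the packet
    is protected. The crypto check uses the untranslated source because only
    the NAT-exempt flows can ever match the crypto list."""
    translated = evaluate(NAT_ACL, src, dst) == "permit"
    encrypted = evaluate(CRYPTO_ACL, src, dst) == "permit"
    return {"translated": translated, "encrypted": encrypted}


if __name__ == "__main__":
    for dst in ("11.11.11.11", "22.22.22.22", "203.0.113.9"):
        print("192.168.1.10 ->", dst, classify_flow("192.168.1.10", dst))
    # A wildcard of all ones ignores every bit, so it matches any address.
    print(wildcard_match("203.0.113.9", "11.11.11.11", "255.255.255.255"))
```

If the two deny lines were missing from list 100, the VPN-bound packets would leave with the translated public source address and never match access list 101, which is the classic symptom of a site-to-site tunnel that "comes up but passes no traffic".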

Wednesday, July 24, 2013

VLSM Subnets - Destination Host Unreachable

Question:

I started a CCNA class a couple of weeks ago and we're using Packet Tracer 5.3 to build a basic network. I'm not quite sure what I'm doing wrong though: I can't get hosts on one subnet to ping hosts in another subnet. My show ip route command shows all the direct connections between the routers. I ran router rip version 2. Can someone take a look please and let me know why my routers are not talking to each other and why I'm getting "destination host unreachable"? Maybe just a push in the direction of what I should be looking for?

I'd ask my instructor, but my next class isn't until Saturday and I think I'll go nuts trying to figure out why it's not working before then :-). I'm sure it's something small that I'm missing. I attached my saved Packet Tracer file if anyone wants to take a look. Any help would be appreciated!

Quick info just in case:
PERTH (required 60 hosts) 192.168.10.0/26
KUALA (required 28 hosts) 192.168.10.64/27
SYDNEY (required 12 hosts) 192.168.10.96/28
SINGAPORE (required 12 hosts) 192.168.10.112/28

If anyone is willing to help out and needs more info from me, I'd be happy to provide it.

Answer:

It looks like you have missed the network command under the RIP configuration. Please apply the configuration below on all routers.

router rip
 version 2
 network 192.168.10.0
 no auto-summary
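The subnet plan in the question can be reproduced mechanically, which is a useful check before looking for routing problems. The following Python script is an added example (not from the original post or from Cisco): it takes the four host requirements listed above as constructed input, allocates VLSM subnets largest-first out of 192.168.10.0/24, reports the usable host range of each, and verifies that none of them overlap. Router interfaces and hosts must sit inside these ranges before RIP's single classful network statement (192.168.10.0) can carry them.

```python
import ipaddress

# Constructed input: the host requirements quoted in the question, in the
# order the poster listed them.
REQUIREMENTS = [("PERTH", 60), ("KUALA", 28), ("SYDNEY", 12), ("SINGAPORE", 12)]


def prefix_for_hosts(hosts):
    """Longest (most specific) prefix whose usable host count, 2^(32-p) - 2,
    still covers `hosts`. /31 and /32 are excluded because they have no
    conventional network/broadcast pair."""
    for p in range(30, 0, -1):
        if 2 ** (32 - p) - 2 >= hosts:
            return p
    raise ValueError("requirement exceeds the IPv4 address space")


def allocate_vlsm(block, requirements):
    """Carve `block` into VLSM subnets, largest requirement first, so that each
    subnet starts on a boundary aligned to its own size. Returns a list of
    (name, hosts, cidr) tuples in allocation order."""
    base = ipaddress.ip_network(block)
    cursor = int(base.network_address)
    end = int(base.broadcast_address) + 1
    plan = []
    # sorted() is stable, so equal requirements keep the poster's order.
    for name, hosts in sorted(requirements, key=lambda r: -r[1]):
        p = prefix_for_hosts(hosts)
        size = 2 ** (32 - p)
        cursor = (cursor + size - 1) // size * size  # align up to the subnet size
        if cursor + size > end:
            raise ValueError(f"{block} exhausted while allocating {name}")
        net = ipaddress.ip_network(f"{ipaddress.ip_address(cursor)}/{p}")
        plan.append((name, hosts, str(net)))
        cursor += size
    return plan


def usable_range(cidr):
    """First and last assignable host address of a subnet (network and
    broadcast addresses excluded)."""
    hosts = list(ipaddress.ip_network(cidr).hosts())
    return str(hosts[0]), str(hosts[-1])


def no_overlap(plan):
    """Sanity check: no two allocated subnets share any address."""
    nets = [ipaddress.ip_network(cidr) for _, _, cidr in plan]
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


if __name__ == "__main__":
    plan = allocate_vlsm("192.168.10.0/24", REQUIREMENTS)
    for name, hosts, cidr in plan:
        first, last = usable_range(cidr)
        print(f"{name:10} needs {hosts:3} hosts -> {cidr:18} usable {first} - {last}")
    print("overlap-free:", no_overlap(plan))
```

Largest-first allocation is what keeps the alignment padding at zero here; allocating the two /28s before the /26 would leave gaps that a later, larger requirement could not use.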

Redistribution of OSPF into eBGP

Question:

Hi, I am configuring a router so that clients can connect to the internal network over the MPLS link.

We are running OSPF in our internal network and BGP towards the ISP.
The scenario is like this:

Our internal network works fine up to 192.168.1.10 through OSPF routing.

BGP is configured so that the client 192.168.20.2 should reach the internal server 192.168.10.1.

The client is able to reach up to 192.168.1.10 over the MPLS link but cannot reach the server 192.168.10.1 or the core switch.

For that I have to configure redistribution, but after redistribution I am still not able to reach that server.

Can anyone give the steps for redistributing eBGP into OSPF and OSPF into eBGP?

Thank you

Answer:


Could you post the output from sh run | s router bgp|ospf on your CE router?

Sunday, July 21, 2013

Policy based routing on Cisco 2911 ISR

Question:

I have set up a basic PBR config to route HTTP and HTTPS out of a different interface (fa0/0/0), but for some reason HTTP traffic is still going out of the Gi0/1 interface.

Is anyone able to see what's wrong?

Config attached, minus the crypto stuff, and the public addresses have been changed.

Answer:

There is no need to take out the route-maps with the 'no' commands.
You can just edit the existing route-maps:

route-map SDM_RMAP_1 permit 1
match ip address 101
match int gi0/1
!
route-map SDM_RMAP_2 permit 2
match ip address 101
match int fa0/0/0


Obviously there's a need for caution since the NAT statements are in place and could potentially break things.

Difference between received-only and received & used in BGP

Question:

I need to know exactly about the subject. Can anyone explain the difference when we execute 'show ip bgp x.x.x.x'?

Answer:

received-only:
the prefix from a soft-reconfiguration-enabled peer was filtered by our route-map, so it was not placed into the regular BGP table. It is still held in memory in case someone changes the filtering config and the prefix gains the right to go into the BGP table, without requesting an update (by sending REFRESH_REQ) from the peer:

R3#sh ip bgp 1.1.1.6
BGP routing table entry for 1.1.1.6/32, version 0
Paths: (1 available, no best path)
  Not advertised to any peer
  4 5 6, (received-only)
    2.34.34.4 from 2.34.34.4 (1.0.0.4)
      Origin IGP, localpref 100, valid, external
(the plain show ip bgp command does not show this prefix)

received & used:
the prefix from a soft-reconfiguration-enabled peer was not filtered by our route-map, so it is placed into the regular BGP table. It is not necessarily the best path, so it is not necessarily placed into the routing table.

R4(config-router)#do sh ip bgp 1.0.0.5/32
BGP routing table entry for 1.0.0.5/32, version 4
Paths: (2 available, best #2, table default)
  Advertised to update-groups:
     1
  3, (received & used)
    2.34.34.3 from 2.34.34.3 (1.0.0.3)
      Origin IGP, metric 0, localpref 100, valid, external
  5, (received & used)
    2.45.45.5 from 2.45.45.5 (1.0.0.5)
      Origin IGP, metric 0, localpref 100, valid, external, best

R4(config-router)#do show ip route 1.0.0.5 255.255.255.255 lo
B        1.0.0.5 [20/0] via 2.45.45.5, 00:35:20

Thursday, July 18, 2013

How to config c892FSP as internet gateway

Question:

After hours of searching, reading and trying I'm still not able to get our new router working.
No doubt it's me, but what seemed a simple task is turning into a graveyard shift :/

Here is the situation:

We are on a campus network.
My router's WAN interface has IP address 1.2.200.8/24 (the first digits are fake).
My external gateway is 1.2.200.100.
The DNS servers are 1.2.15.13 and 1.2.250.7.

I would like to have the network 10.0.0.0/24 on the LAN side of my router, so I configured 10.0.0.1/24 on vlan1.
I also configured a DHCP server handing out IP addresses, excluding 10.0.0.1-10.0.0.99.
DHCP works fine for clients behind the router: they receive an IP address, 10.0.0.1 as gateway and the above mentioned DNS servers.

After fiddling around with routes:
ip route 0.0.0.0 0.0.0.0 1.2.200.100 => does not work for the clients

I disabled routes and set the default gateway as 0.0.0.0 0.0.0.0 1.2.200.100 => also not working for the clients

Whatever I do, I cannot get the clients to access the internet; they can ping 10.0.0.1 and they can open the CP Express web interface.
I can, however, ping internet addresses from the CLI on the router without a problem.

Being really lost, can someone tell me how to get this configured please?
I really don't know what is wrong...

So if I erase nvram and start over, what would be the steps to get it working?

Thank you in advance

Answer:

Yes.  Let's assume your internal interface is F0/0 and your External is F0/1.

You would need the following configuration:

access-list 1 permit 10.0.0.0 0.0.0.255
ip nat inside source list 1 interface F0/1 overload
!
interface F0/0
 ip nat inside
!
interface F0/1
 ip nat outside

Wednesday, July 17, 2013

Regarding broadband config

Question:

Please find the attached config and please explain how broadband connectivity has been configured for the serial interface. What is the function of the pseudowire and the virtual PPP interface, and how does it work when the serial link fails?

Answer:


Your attachment cannot be opened.

Tuesday, July 16, 2013

ip route 0.0.0.0 0.0.0.0 x.x.x.x fa0/1

Question:

Can someone explain the command mentioned below?

ip route 0.0.0.0 0.0.0.0 x.x.x.x(Nxt Hop IP)  fa0/1


Answer:

Is there something in particular you want to know?
Static routes, in your case the default route, can be configured to point to a numerical next hop (IP address), an exit interface, or, as your example shows, both:
ip route <network> <subnetmask> <numerical-next-hop>
ip route <network> <subnetmask> <exit-interface>
ip route <network> <subnetmask> <exit-interface> <numerical-next-hop>
The differences are explained in this document:
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800ef7b2.shtml

Dinesh Kumar Mariappan:
This is the command for the default route. Whatever packet the router receives, it simply forwards to the fa0/1 interface or to the next-hop IP.

This is true as long as no more specific route for the destination exists.

There are situations where the combination of exit interface and numerical next hop is desired.
Let me give you an example.
Let's say you have an AS and use the IP address range 192.168.0.0/16.
Your default route points to 192.168.12.2:

ip route 0.0.0.0 0.0.0.0 192.168.12.2

Now imagine that there's another route covering the next-hop address 192.168.12.2, e.g. a discard route (just an example):

ip route 192.168.0.0 255.255.0.0 Null0

Do you know what happens when you disable the interface connecting 192.168.12.2 (say Fa0/0)?

interface FastEthernet0/0
      ip address 192.168.12.1 255.255.255.0
      shutdown

Because of the recursive nature of this type of route, there's still a valid route to 192.168.12.2:

R1#show ip route 192.168.12.2
Routing entry for 192.168.0.0/16, supernet
Known via "static", distance 1, metric 0 (connected)
Routing Descriptor Blocks:
* directly connected, via Null0

R1#show ip route
S*   0.0.0.0/0 [1/0] via 192.168.12.2
S    192.168.0.0/16 is directly connected, Null0


So the link is down, however, the default-route is still there.
This behavior changes if you add the exit-interface:

ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 192.168.12.2
ip route 192.168.0.0 255.255.0.0 Null0

R1#show ip route

S    192.168.0.0/16 is directly connected, Null0
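The recursion described above can be modelled in a few lines. The following Python script is an added example, not code from the original answer: it builds a tiny routing table from the interfaces and static routes of the example (constructed input using the interface names and addresses the answer uses), installs a next-hop-only static route whenever its next hop resolves through some other installed entry, and installs an exit-interface route only while that interface is up. Running it with Fa0/0 shut down reproduces both behaviours: the default route that names only 192.168.12.2 survives, resolved through the Null0 supernet, while the one that also names FastEthernet0/0 is withdrawn.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Interface:
    name: str
    prefix: Optional[str]   # connected subnet, None for Null0
    up: bool = True


@dataclass
class StaticRoute:
    prefix: str
    next_hop: Optional[str] = None   # numerical next hop, if configured
    exit_if: Optional[str] = None    # exit interface, if configured


def longest_match(rib, addr, exclude=None):
    """Most specific installed entry covering `addr` (None if nothing does).
    `exclude` skips one prefix so a candidate never resolves through itself."""
    a = ipaddress.ip_address(addr)
    best = None
    for prefix, via in rib:
        if prefix == exclude:
            continue
        net = ipaddress.ip_network(prefix)
        if a in net and (best is None or net.prefixlen > ipaddress.ip_network(best[0]).prefixlen):
            best = (prefix, via)
    return best


def build_rib(interfaces, statics):
    """Install connected routes for up interfaces, then static routes, looping
    until nothing changes because one static may depend on another."""
    rib = [(i.prefix, f"directly connected, {i.name}") for i in interfaces if i.up and i.prefix]
    if_up = {i.name: i.up for i in interfaces}
    installed = set()
    changed = True
    while changed:
        changed = False
        for s in statics:
            if s.prefix in installed:
                continue
            if s.exit_if is not None:
                # With an exit interface the route lives and dies with that interface.
                ok = if_up.get(s.exit_if, False)
                via = f"{s.next_hop}, {s.exit_if}" if s.next_hop else f"directly connected, {s.exit_if}"
            else:
                # Next hop only: recursive lookup through any other installed entry.
                ok = longest_match(rib, s.next_hop, exclude=s.prefix) is not None
                via = f"via {s.next_hop}"
            if ok:
                rib.append((s.prefix, via))
                installed.add(s.prefix)
                changed = True
    return rib


def has_route(rib, prefix):
    return any(p == prefix for p, _ in rib)


def scenario(fa0_up, default_with_exit_if):
    """Routing table for the answer's topology in the requested state."""
    interfaces = [Interface("FastEthernet0/0", "192.168.12.0/24", up=fa0_up), Interface("Null0", None)]
    default = StaticRoute("0.0.0.0/0", next_hop="192.168.12.2",
                          exit_if="FastEthernet0/0" if default_with_exit_if else None)
    discard = StaticRoute("192.168.0.0/16", exit_if="Null0")
    return build_rib(interfaces, [default, discard])


if __name__ == "__main__":
    for with_if in (False, True):
        rib = scenario(fa0_up=False, default_with_exit_if=with_if)
        print("Fa0/0 down, exit interface configured:", with_if)
        for prefix, via in rib:
            print(f"  {prefix:18} {via}")
```

The practical consequence of the next-hop-only form is that, once Fa0/0 is down, everything matching the default route is forwarded by the recursive lookup into Null0 and silently discarded, while the routing table still claims a valid default; naming the exit interface makes the failure visible instead.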

Sunday, July 14, 2013

Command to show all possible routes


Question:

Is there any way/command to see all the possible routes to a particular destination irrespective of routing protocols? For example, you have external BGP and a floating static route to the destination. sh ip route will show only the best route, and sh ip bgp x.x.x.x would show only the BGP routes, but I want to see both the eBGP and the static route using a show command.

Answer:

Only the best routes from routing protocols are installed in the routing table, i.e. what show ip route displays.
There is no other way than checking the topology tables...

Wednesday, July 3, 2013

Configuring a Cisco 861 router for internet using a static IP address


Question:

I have a Cisco 861 series router.
The cable from the ISP is connected to FastEthernet4 (the WAN port).

Following are my ISP details:
IP address: 172.16.62.130
Subnet mask: 255.255.0.0
Default gateway: 172.16.62.1
Primary DNS: 202.153.32.2
Secondary DNS: 202.153.32.3

How do I configure these details in the router and access the internet from my devices?

I want the network to be 192.168.1.0 to 254.

Please let me know how to configure my router with these details using Cisco Configuration Professional.


Answer:

I haven't seen Cisco Configuration Professional, but since it's GUI based I'm sure you could find your way around or go through a setup procedure. Here is a tutorial I found which may help; the wizard should be able to take you through the whole setup.

http://www.cisco.com/en/US/products/ps9422/products_configuration_example09186a0080b2f103.shtml

Anyway, just in case you are interested in the CLI...
There might be a couple of things you have missed here, like DHCP for your LAN and NAT for outbound traffic, so I will assume you need these in the configuration below.

If this is a static address assigned by your ISP, then you can do this:

ip name-server 202.153.32.2
ip name-server 202.153.32.3
!
interface fa4
 ip address 172.16.62.130 255.255.0.0
 no shut
!
ip route 0.0.0.0 0.0.0.0 172.16.62.1

If you want to configure your LAN, for example on fa1, you can do this:

interface fa1
 ip address 192.168.1.1 255.255.255.0
 no shut

To configure DHCP for your clients you can do this:

ip dhcp pool INSIDE
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 202.153.32.2 202.153.32.3

To configure NAT using PAT (port address translation) you can do this:

access-list 1 permit 192.168.1.0 0.0.0.255
!
ip nat inside source list 1 interface fa4 overload
!
interface fa1
 description INSIDE
 ip nat inside
!
interface fa4
 description OUTSIDE
 ip nat outside
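The `overload` keyword in the NAT statement above (and in the two earlier NAT answers on this page) is what lets a whole LAN share the single address on the outside interface. The following Python script is an added example, not code from the original answer or from Cisco: it models a PAT translation table for the addresses in this answer (inside network 192.168.1.0/24 behind the fa4 address 172.16.62.130, with constructed sample hosts and a constructed destination 203.0.113.5), keeping the original source port when it is free and allocating a fresh one when two inside hosts collide, and shows that a reply with no matching entry has nowhere to go.

```python
import ipaddress
from dataclasses import dataclass, field

INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")   # access-list 1 in the answer
OUTSIDE_ADDR = "172.16.62.130"                        # fa4 address in the answer


@dataclass
class Pat:
    """Minimal model of 'ip nat inside source list ... interface ... overload'."""
    outside_addr: str
    inside_net: ipaddress.IPv4Network
    next_port: int = 1024
    # (inside ip, inside port, dst ip, dst port) -> translated source port
    table: dict = field(default_factory=dict)
    # translated source port -> (inside ip, inside port)
    reverse: dict = field(default_factory=dict)

    def _alloc_port(self):
        while self.next_port in self.reverse:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an inside-to-outside packet. Returns the (address, port)
        the ISP sees; sources outside the NAT list leave untouched."""
        if ipaddress.ip_address(src_ip) not in self.inside_net:
            return src_ip, src_port
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.table:
            # Overload: many inside hosts share one outside address and are
            # told apart by the translated source port.
            port = src_port if src_port not in self.reverse else self._alloc_port()
            self.table[key] = port
            self.reverse[port] = (src_ip, src_port)
        return self.outside_addr, self.table[key]

    def inbound(self, dst_port):
        """Map a reply arriving at the outside address back to the inside
        host, or None when no translation exists (unsolicited inbound traffic
        is dropped, which is the incidental filtering effect of PAT)."""
        return self.reverse.get(dst_port)


def demo():
    """Two inside hosts using the same source port towards the same server."""
    pat = Pat(OUTSIDE_ADDR, INSIDE_NET)
    a = pat.outbound("192.168.1.10", 40000, "203.0.113.5", 443)
    b = pat.outbound("192.168.1.11", 40000, "203.0.113.5", 443)
    return {
        "host_a_seen_as": a,
        "host_b_seen_as": b,
        "reply_to_b": pat.inbound(b[1]),
        "unsolicited": pat.inbound(5555),
        "not_in_list": pat.outbound("10.9.9.9", 1000, "203.0.113.5", 80),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:16} {v}")
```

Because `access-list 1` only names 192.168.1.0/24, a host that is plugged into the inside interface with some other address is forwarded without translation and its packets are discarded upstream; that is the usual cause of "NAT works for some hosts but not others".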

Importing a BGP route from a VRF which isn't the best path


Question:

OK, so we are in the middle of designing our new service provider network to offer IP VPNs and leased-line internet, and I have a problem which I'm hoping you might be able to help out with. In summary: importing multiple default routes into a premium leased-line internet VRF and a budget DSL internet VRF, with the DSL internet using the "budget" internet transit carrier.

So we are receiving 2 default routes from our IP transit:

PE1:
show ip bgp vpnv4 vrf IP_Transit
BGP table version is 7, local router ID is 169.254.0.0
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

 Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 4445:2001 (default for vrf IP_Transit)
* i 0.0.0.0          169.254.0.1              0    100      0 1 i
*>                   Primary Inet Peer                          0 2  i

PE2
show ip bgp vpnv4 vrf IP_Transit
BGP table version is 8, local router ID is 169.254.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 4445:2001 (default for vrf IP_Transit)
* i 0.0.0.0          169.254.0.0              0    100      0 2 i
*>                   1.1.1.1                                0 1 i

When importing a default between the IP_Transit VRF and DIA (direct internet access), the import map is removed for the moment. Also, importing is one-way for the moment.

PE1
ip vrf DIA
rd 4445:2000
route-target export 4445:2000
route-target import 4445:2000
route-target import 4445:2001

ip vrf IP_Transit
rd 4445:2001
route-target export 4445:2001
route-target import 4445:2001

PE2
ip vrf DIA
rd 4445:2000
route-target export 4445:2000
route-target import 4445:2000
route-target import 4445:2001

ip vrf IP_Transit
rd 4445:2001
route-target export 4445:2001
route-target import 4445:2001

I only get the best path being imported:

PE1
show ip bgp vpnv4 vrf DIA
     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 4445:2000 (default for vrf DIA)
*>  0.0.0.0          Primary Inet Peer                          0 2 i

PE2
show ip bgp vpnv4 vrf DIA
    Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 4445:2000 (default for vrf DIA)
*>  0.0.0.0          1.1.1.1                                0 1 i

^--- Is there a reason why I wouldn't see both routes, since PE1 & 2 are importing their best paths within this VRF? ---^

So what I actually want for this VRF (DIA) is for PE2 to use PE1 for 0.0.0.0/0 rather than its eBGP neighbor, but we don't have that in the BGP table for me to apply a route-map to.

I would just apply a route-map statement to the IP_Transit VRF to set local preference for 0.0.0.0/0 on PE1; however, I will face the same issue when I create a budget DSL internet VRF which would use the economy provider with backup to PE1.

For reference, a customer's BGP table (global) connecting to PE1 (10.173.100.0) & PE2 (10.173.100.2):

show ip bgp
BGP table version is 34, local router ID is 192.168.1.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external, f RT-Filter
Origin codes: i - IGP, e - EGP, ? - incomplete

  Network          Next Hop            Metric LocPrf Weight Path
0.0.0.0          10.173.100.2           200             0 4445 1 i
*>                  10.173.100.0           100             0 4445 2 i

Answer:

The use of different route distinguishers on different PE nodes is quite common.

>> do you know if there is a logical reason why when you import a route between vrfs (IP_Transit -> DIA) on PE1 the route doesn't appear on PE2 requiring you to import the routes on PE2 as well?

This is to be expected: the imported route in VRF DIA is not re-advertised in the vpnv4 address family, so each device has to perform the necessary import action.
Importing is an action with local node scope.

The reason for this is routing loop avoidance.

PE2 should import the best path from VRF IP_Transit to VRF DIA; if the direct eBGP session with AS2 fails, it should be able to pick up the route learned by PE1 and propagated in vpnv4 to PE2.

You should test what happens in case of this type of failure to validate your design.

Monday, July 1, 2013

Only one user can log into a switch via Telnet


Question:

The switch will allow only one user to connect to it at any given time. Below are the configs and outputs.

ol-dr-6509-01#show users
    Line       User       Host(s)              Idle       Location
*  1 vty 0     gkeo   idle                 00:00:00 192.168.3.130
   2 vty 1                idle                    23w6d 
   3 vty 2                idle                    37w4d 
   4 vty 3                idle                    37w4d 
   5 vty 4                idle                    never 
   6 vty 5                idle                    never 
   7 vty 6                idle                    never 
   8 vty 7                idle                    never 
   9 vty 8                idle                    never 
  10 vty 9                idle                    never 
  11 vty 10               idle                    never 
  12 vty 11               idle                    never 
  13 vty 12               idle                    never 
  14 vty 13               idle                    never 
  15 vty 14               idle                    never 
  16 vty 15               idle                    never 
  Interface      User        Mode                     Idle     Peer Address

net_mgmt>>192.168.1.2
Trying 192.168.1.2 ...
% Connection refused by remote host

-----
!
aaa new-model
!
!
aaa group server tacacs+ site-tacacs
server 192.168.3.4
server-private 192.168.3.4 key 7 xxxxxxx
ip vrf forwarding vpn_mgmt
ip tacacs source-interface Vlan23
!
aaa authentication login default group site-tacacs local
aaa authentication enable default group site-tacacs enable none
aaa authorization exec default group site-tacacs local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
!
!
!
line vty 0 4
session-timeout 1
exec-timeout 30 0
password 7 xxxxxxx
line vty 5 15
session-timeout 1
exec-timeout 30 0
password 7 xxxxxx

Answer:

I've found a bug (CSCeg52893) where the symptoms are "VTY or TTY sessions may hang after unsuccessful authentication attempts to an external AAA server".

Although the show line info you provided does not really match, there's some additional information in the bug which states:

Symptom: A VTY session on a 7206VXR may become hung and be unable to be cleared. The session does not drop after the exec-timeout period. Conditions: This condition is noted using IOS version 12.3(3)B1.
Workaround: The workaround is to reload the router.
Further Problem Description: The hung VTY session cannot be cleared using "clear line". It has no TCP TCB entry in "show tcp brief". The detailed TCP information from "show tcp " shows the TCP state as CLOSED.

The above seems pretty close to what you're seeing so I think this is a possibility.

It's not great that the workaround is a reload, but the bug also states:

To prevent the symptom from occurring, configure the maximum authentication attempts on the Cisco platform to be lower than the maximum authentication attempts on the external AAA server by entering the aaa authentication attempts login number-of-attempts global configuration command, in which the number-of-attempts argument is a value that is smaller than the maximum authentication attempts that are configured on the external AAA server.

If you are hitting this you can at least avoid hitting it again.

I can't get a list of all known affected versions to confirm whether 12.2(33)SXI5 is listed or not, so it's probably worth going to TAC with this: they can confirm whether you're definitely hitting this and give you confirmation of the fix.