Friday, August 30, 2013

NAT route-map question

Question:

This is IOS 12.2. I'm attempting to discern if these two NAT statements conflict.

One appears to be a PAT and the other a one-to-one NAT for the same inside host. If that is true, would this function correctly?

The public .234 is the router interface and the public .235 is part of the outside range, but again the same inside host is used. Since the second statement looks like a one-to-one NAT, is the route-map just adding the NAT Exemption onto it?

ip nat inside source static tcp 192.168.1.18 3389 24.x.y.234 3389 extendable
ip nat inside source static 192.168.1.18 24.x.y.235 route-map static-sec extendable

route-map static-sec permit 10
match ip address 100
match interface Ethernet1/0

access-list 100 deny   ip host 192.168.1.18 host 172.16.1.4
access-list 100 deny   ip host 192.168.1.18 host 172.16.1.3
access-list 100 deny   ip host 192.168.1.18 host 172.16.1.2
access-list 100 deny   ip host 192.168.1.18 host 172.16.1.1
access-list 100 permit ip host 192.168.1.18 any

Can someone clear me up on this? Thanks.

Answer:

In my personal opinion, these two statements should not conflict.

The first statement establishes a static translation entry in the NAT table with the correspondence

192.168.1.18:3389 <---> 24.x.y.234:3389

Every time a packet appears going to IP:TCP port 24.x.y.234:3389, it will be immediately translated to 192.168.1.18:3389, and vice versa. The IOS should not go through dynamic NAT/PAT entries because the static entry for this traffic will always be present and found in the NAT table, not requiring the IOS to ever generate a dynamic mapping.

The second statement actually establishes a conditional translation entry. A translation will be performed only if the route-map conditions are both met:

the traffic must be permitted by the ACL 100, and
the traffic must be routed out the interface E1/0

You could say it is a kind of NAT Exemption, but for a different global (public) IP address.

If you configure both these statements in a router, the show ip nat translation will show you this:

R1(config)#do show ip nat tran
Pro Inside global      Inside local       Outside local      Outside global
tcp 24.1.2.234:3389    192.168.1.18:3389  ---                ---
--- 24.1.2.235         192.168.1.18       ---                ---
R1(config)#

Note that both entries are prepared in the NAT tables as sorts of templates. The actual packet going through this NAT table will either find a complete entry for its source/destination IP/protocol/port, or will hit the template translation entry and a new specific record will be created for it.

My unwarranted assumption here is that always the best match is used, i.e. if the packet is TCP/192.168.1.18:3389, it will be handled by the first entry and not by the second one. In any case, you can always remove these doubts - and this is what I recommend - by having the NAT configurations explicitly apply to disjoint traffic. In your case, the ACL 100 should be prepended with a line saying:

access-list 100 deny tcp host 192.168.1.18 eq 3389 any

This will make the route-map based translation never apply to the static PAT entry.
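The disjointness argument above, as an added example that is not code from the original thread: a small first-match evaluator for the subset of extended-ACL syntax used here, run over ACL 100 with and without the recommended deny line. The packet addresses, the egress-interface parameter and the "more specific static PAT wins" rule are assumptions taken from the answer, not IOS behaviour verified on a box.

```python
# Added example, not code from the original thread: evaluate the thread's
# ACL 100 against sample packets to show why prepending
# "deny tcp host 192.168.1.18 eq 3389 any" keeps the route-map NAT and
# the static PAT applied to disjoint traffic.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0      # 0 for protocols without ports
    dport: int = 0


# ACL 100 exactly as posted in the question.
ACL_ORIGINAL = """
access-list 100 deny   ip host 192.168.1.18 host 172.16.1.4
access-list 100 deny   ip host 192.168.1.18 host 172.16.1.3
access-list 100 deny   ip host 192.168.1.18 host 172.16.1.2
access-list 100 deny   ip host 192.168.1.18 host 172.16.1.1
access-list 100 permit ip host 192.168.1.18 any
"""

# The same ACL with the line the answer recommends prepended.
ACL_FIXED = "access-list 100 deny tcp host 192.168.1.18 eq 3389 any\n" + ACL_ORIGINAL


def _addr(tokens):
    """Consume 'any' or 'host A' and return (address-or-None, remaining tokens)."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    raise ValueError("unsupported address form: %s" % " ".join(tokens))


def parse_acl(text):
    """Parse the subset of extended-ACL syntax used in the thread:
    access-list N permit|deny PROTO host A [eq PORT] host B|any [eq PORT]."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        action, proto, rest = tok[2], tok[3], tok[4:]
        src, rest = _addr(rest)
        sport = None
        if rest and rest[0] == "eq":
            sport, rest = int(rest[1]), rest[2:]
        dst, rest = _addr(rest)
        dport = int(rest[1]) if rest and rest[0] == "eq" else None
        entries.append((action, proto, src, sport, dst, dport))
    return entries


def acl_permits(entries, pkt):
    """First-match evaluation with the implicit deny at the end of the list."""
    for action, proto, src, sport, dst, dport in entries:
        if proto != "ip" and proto != pkt.proto:
            continue
        if src is not None and src != pkt.src:
            continue
        if sport is not None and sport != pkt.sport:
            continue
        if dst is not None and dst != pkt.dst:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action == "permit"
    return False


def nat_decision(entries, pkt, egress="Ethernet1/0"):
    """Name the statement that would translate an outbound packet from the
    inside host, under the answer's assumption that the more specific
    static PAT entry wins whenever both statements could match.
    `egress` models the route-map's 'match interface Ethernet1/0'."""
    if (pkt.proto, pkt.src, pkt.sport) == ("tcp", "192.168.1.18", 3389):
        return "static PAT -> 24.x.y.234:3389"
    if pkt.src == "192.168.1.18" and egress == "Ethernet1/0" and acl_permits(entries, pkt):
        return "route-map static -> 24.x.y.235"
    return "no translation"


def route_map_overlaps_pat(entries):
    """True if ACL 100 would also permit the static PAT's own traffic,
    i.e. the two statements are not applied to disjoint traffic."""
    probe = Packet("tcp", "192.168.1.18", "198.51.100.7", sport=3389, dport=51000)
    return acl_permits(entries, probe)
```

With the original ACL the probe for RDP replies (source port 3389) is permitted, so both statements could claim it; with the prepended deny it is not, and only the static PAT applies.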

Thursday, August 29, 2013

Packets: icmp unreachable need to frag (mtu 1416)

Question:

We have recently been dealing with a situation where we get the above packets and access to one of our applications just hangs.

To tell you a bit about our network, hub and spoke topology, with IPSEC GRE tunnels over MPLS, and the application stored at the hub site.

Now on the link into the hub site we have a firewall that filters the data coming in from remote sites. On the outside interface of the firewall (which is connected to the hub router) I capture a lot of 'icmp unreachable need to frag (mtu 1416)' packets from the router interface when the app attempts to reply to the client request. Basically the application is not accessible from any remote sites.

I have checked the mtu size on the firewall interface and it is 1500; on the router it is not changed so I'm presuming it'll be the default one, so I am not quite sure where to look or what the problem might be.

Any help or direction is much appreciated.

And here's a sample of the packet capture:

101: 10:18:50 0x0800 70: 192.168.60.254 > 192.168.240.11: icmp: 192.168.67.10 unreachable - need to frag (mtu 1416) (ttl 255, id 23798)

Where 192.168.60.254 is the router interface, 192.168.240.11 is the application and 192.168.67.10 is the client.

Answer:

Try to set "ip tcp adjust-mss 1360" on the router interface facing the LAN side. This needs to be done on both sides.

Original comes from http://switch.2329893.n4.nabble.com/

Wednesday, August 28, 2013

Cisco 1921 not passing traffic

Question:

I'm fairly new to Cisco routing, and I'm a bit lost on this issue. I have a 1921 that is going to be a WAN router for a fiber Internet connection. It will sit in front of the network firewall and needs to route all traffic to the Internet. I thought I had the config set right with a default route of '0.0.0.0 0.0.0.0 <wan gateway>' but it doesn't seem to be working. Config is below.
The router can ping from itself to hosts on both sides and hosts on the Internet with no problem, but a laptop connected to the "LAN" side and assigned a public IP address can ping both sides of the router but no further.
I've done a bit of searching on the forums but every similar issue I've found seems to involve NAT - I have another device doing NAT so I don't want to do NAT on this router (traffic needs to be able to reach the public IP addresses on the "LAN" side).

hsw-comcast-rtr1#show run
Building configuration...


Current configuration : 5806 bytes
!
! No configuration change since last restart
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname hsw-comcast-rtr1
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200
logging console critical
enable secret 5 $1$KBXN$nCauuQhWW/hWlyVZHi94e1
!
no aaa new-model
clock timezone PCTime -6 0
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
!
!
no ip bootp server
no ip domain lookup
ip domain name comcast.net
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-27425356
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-27425356
revocation-check none
rsakeypair TP-self-signed-27425356
!
!
crypto pki certificate chain TP-self-signed-27425356
certificate self-signed 01
<snip>
        quit
license udi pid CISCO1921/K9 sn FTX161582TB
!
!
username routeradmin privilege 15 secret 5 $1$e/pA$p#SbrqCTS*7NiyKxbt0De/
!
!
ip tcp synwait-time 10
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
!
interface GigabitEthernet0/0
description LAN
ip address 50.202.39.222 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
description WAN
ip address 50.202.39.210 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex auto
speed auto
no mop enabled
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 50.202.39.209
!
logging trap debugging
access-list 23 permit 50.202.39.216 0.0.0.3
!
no cdp run
!
!
control-plane
!
!
banner exec ^C
<snip> (Cisco CP stuff)
^C
banner login ^C
<snip> (more Cisco CP stuff)
^C
!
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end

Answer:

Can you add auto mdix to the WAN interface?

Also, can you check which kind of cable is connecting the 1941 to the Ciena switch, and try reloading your router too?

Thursday, August 15, 2013

OSPF routing with ISP

Question:

I am new to this technology so please be kind. I need assistance in making OSPF work between our Head Office (HO) and the Branch Offices where the ISP is not involved in OSPF routing.

We are using OSPF protocol on our entire network and our ISP 1 is involved in OSPF routing between the HO and the branch.  We are now trying to establish another link to the branches with a second ISP but they do not support OSPF like the first ISP and only use static routing.  They redistribute our routes via BGP.  The HO can talk to the branch using static routes but of course I would like to use dynamic routing instead.

How could I make OSPF work on the new backup link? The engineer for the ISP said that I need to use tunneling but I don't know how to configure it. Is there any other way to make it work aside from tunneling?

Please see attached diagram.

Answer:

Hello Gensonator,
you need to use a GRE p2p tunnel in order to run OSPF over it.

On new ISP facing routers you just need one static route to reach the remote end router

MAIN office new  ISP CE

ip route 10.90.0.8 255.255.255.252 10.90.0.5

interface tunnel 12
description GRE tunnel over new ISP
tunnel source 10.90.0.6
tunnel destination 10.90.0.10
ip address 10.91.0.1 255.255.255.252
!

router ospf 10
network 10.91.0.0 0.0.0.3 area 0

Note: do not configure network area commands in OSPF for the PE-CE IP subnets of new ISP to avoid instabilities

The same has to be done in a mirrored way on the branch office CE router facing the new ISP.

The tunnel creates a logical common subnet (10.91.0.0/30 in my example) that allows OSPF to run over it.
Both OSPF messages and user traffic are encapsulated in GRE packets with source and destination according to the commands tunnel source and tunnel destination, and the new ISP will see only packets like IP SA 10.90.0.6 IP DA 10.90.0.10 and does not need to inspect the inner payload.

Edit:

You can tune OSPF cost with ip ospf cost under interface tunnel configuration

Another important note is that the aggregated traffic that can travel on the GRE tunnel is limited to 8 Mbps by default.
This parameter can be changed in advanced security packages.

Wednesday, August 14, 2013

Cisco devices - Default interface delay values

Question:

I've been trying to find an overall scheme for understanding what the default interface delay would be across an Ethernet switching network. Essentially I am trying to fix a network's routing so that redundancy between sites is achieved via EIGRP metrics rather than via manual administrative distance adjustments across all infrastructure. There is a long story here... but one that is not really important towards the point of this post.

Basically, when looking online I can't really see a definitive guide saying "Ethernet is 1000usec default delay". The best I could find is a support forum post (https://learningnetwork.cisco.com/thread/6116). My point is that when looking at Nexus switches and some (not all) interfaces on a Cisco Catalyst 3750 the default interface delay is 10usec rather than the 1000usec suggested elsewhere. As some examples I have the "show run" segment for some interfaces and the "show interface" section of the same interfaces:

interface GigabitEthernet2/0/5
switchport access vlan 700
switchport mode access
spanning-tree portfast
ip dhcp snooping trust
!
interface Vlan700
description Data-Server-01
ip address 10.150.1.1 255.255.255.0 secondary
ip address 10.200.0.1 255.255.255.0 secondary
ip address 10.150.1.252 255.255.255.0
ip helper-address 10.1.0.27
no ip redirects
no ip unreachables
ip pim sparse-mode
!

3750-CORE#show int gig 2/0/5
GigabitEthernet2/0/5 is down, line protocol is down (notconnect)
  Hardware is Gigabit Ethernet, address is 0026.0ab5.6d85 (bia 0026.0ab5.6d85)
  MTU 9000 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, Auto-speed, media type is 10/100/1000BaseTX
[...]



interface GigabitEthernet4/0/24
no switchport
ip address 10.200.50.254 255.255.255.252
ip summary-address eigrp 1 10.0.0.0 255.0.0.0

3750-CORE#show int gig 4/0/24
GigabitEthernet4/0/24 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0026.0a95.f141 (bia 0026.0a95.f141)
  Internet address is 10.200.50.254/30
  MTU 9000 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
[...]



interface GigabitEthernet5/0/24
description Telstra Secondary WAN Link
no switchport
ip address 10.200.50.250 255.255.255.252
ip summary-address eigrp 1 10.0.0.0 255.0.0.0

3750-CORE#show int gig 5/0/24
GigabitEthernet5/0/24 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0026.0a95.f159 (bia 0026.0a95.f159)
  Internet address is 10.200.50.250/30
  MTU 9000 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
[...]


So all of the above are from the same 3750G switch stack. The only pattern I can see in the above is that the 10usec NICs are "routed interfaces" and the 1000usec NICs are "switchports". In GNS I have a 3700 router setup and all NICs are 1000usec, granted it is a different platform (a router rather than a switch).

Anyone know what the pattern here is? Is there any reference documents that explain this clearly?

The reason I want to know is that EIGRP is in use for dynamic routing failover. I need to calculate delay across several links to provide a deterministic and non-load balanced routing topology (i.e. active/standby). I'm aware there are likely easier ways to achieve my routing requirements (OSPF comes to mind) but I'm stuck with a single AS EIGRP topology for the moment. Summarily, I just want to know about interface delay default settings.

Answer:


Hello Jonathan,

Great, thanks for all that information..

Really appreciated it

Please mark the question as answered so future users having the same questions can use it.


Kudos for you.

HELP HELP HELP !!!

Question:


I have configured a NAT in my lab environment. Static route and all configured; I can ping 4.2.2.2 from the router after NAT and can ping the same DNS from the local host as well. Did a trace route, worked perfectly. NOW THE big issue is I can't access the internet :S. I can't browse at all. Please guys help me out.

And the funny thing I have discovered is my Skype is connecting but none of the services seem to be working at all.

Answer:

Did you try to configure helper-address or ip forward udp commands??

Alessio


Sent from Cisco Technical Support iPad App

Sunday, August 11, 2013

BGP soft in - any negative effects?

Question:

I am familiar with inbound soft reconfiguration - but I do not know of any negative impacts this can have. Can anyone say if there are any negatives about this?

Answer:

To my best knowledge, having inbound soft reconfiguration will increase your memory footprint and may increase the CPU utilization slightly as the BGP code will need to crawl through more entries in its table, skipping the ones-would-be-filtered-out. Otherwise, I am not aware of any outspokenly harmful effects.


Then again, if you do not know exactly that you need it, you don't need it. BGP implementations have supported the Route Refresh functionality for years now, and turning the soft reconfiguration on does not bring any additional functionality from the viewpoint of re-applying inbound policies.

Thursday, August 8, 2013

Confusion with multiple upstream eBGP peers (Routing beyond our control)

Question:

I am imagining a smallish network (AS1234) with say three full BGP table peers that provide transit to the network (just to keep the maths simple here);

Let's say AS100 and AS200 are preferred transit providers with AS300 as a backup/least preferred (AS prepends or similar stop us from using this network by default). So in this scenario our little network gets two different paths across the Internet, so as not to rely solely on one provider, with a backup provider to hand also.

How do you manage issues like packet loss somewhere in AS100's or AS200's network?

So let's say a host on our AS1234 network is talking to a host in AS888 and the preferred route is through AS100, but somewhere deep in AS100 a link is flapping (for example) and I can't get to AS888 reliably through there anymore, but I can get through to other peers of AS100 OK. We can postulate that AS100 is the best path for 50% of the Internet and AS200 for the other 50% (this is a best case fictional scenario). I can't ping 50% of the internet via AS100 and then in the event a ping fails (or some other more reliable test) tear down the BGP session to use AS100 until it's fixed again, nor vice versa with AS200.

So what do you do?

First of all, I assume you don't know about the issue between AS100 and AS888 until someone moans about it to you? Secondly, do you then somehow modify the route(s) to AS888 that come from AS100 (route map for example to change the weight or preference) so AS200 is now preferred for AS888? Do you in fact shut down the AS100 peering and now use AS200 & AS300? How do you rectify these situations that are beyond your control using what is in your control?

Answer:


OER sounds like what you'll need. With OER (Optimized Edge Routing) or PFR (Performance Routing), you can sense latency, packet drops, etc, and move traffic to another circuit. OER uses BGP or static routing to perform the changes, but it can automatically move traffic to another circuit if one starts to exhibit issues.



Wednesday, August 7, 2013

IP SLAs

Question:

I have looked in multiple areas online with still no firm understanding of the not command in the tracking of IP SLAs. I am working on a failover solution for a Cellular interface 0/1/0 to take over if the primary gig0/1 fails. However the guy before me had these statements below and I am curious as to what the NOT means after the object 1 and 2. Obviously it negates the operation but could someone provide an example so I can better understand it. Also if you can look at the routes that are in there to tell me what you think the guy before me was thinking if possible. Thanks in advance for anything you can provide.

track 1 ip sla 1 reachability
!
track 2 interface Tunnel0 line-protocol
!
track 101 list boolean and
object 1 not
!
track 202 list boolean and
object 1 not
object 2 not
delay down 10 up 20
!
ip sla 1
icmp-echo 206.253.180.250  source-interface GigabitEthernet0/0
frequency 10
ip sla schedule 1 life forever start-time now

ip route 10.200.200.204 255.255.255.255 Cellular0/1/0 235 track 101
ip route 10.250.0.0 255.255.0.0 Tunnel0 235 track 101
ip route 172.17.17.0 255.255.255.0 Tunnel0 235 track 101
ip route 172.18.18.0 255.255.255.0 Tunnel0 235 track 101
ip route 172.31.1.0 255.255.255.0 Tunnel0 235 track 101
ip route 206.253.xxx.0 255.255.255.0 Tunnel0 235 track 101
ip route 206.253.xxx.0 255.255.255.192 Tunnel0 235 track 101
ip route 206.253.xxx.128 255.255.255.192 Tunnel0 235 track 101
ip route 206.253.xxx.0 255.255.255.0 Tunnel0 235 track 101
ip route 10.250.0.0 255.255.0.0 Cellular0/1/0 240 track 202
ip route 172.17.17.0 255.255.255.0 Cellular0/1/0 240 track 202
ip route 172.18.18.0 255.255.255.0 Cellular0/1/0 240 track 202
ip route 172.31.1.0 255.255.255.0 Cellular0/1/0 240 track 202
ip route 206.253.xxx.0 255.255.255.0 Cellular0/1/0 240 track 202
ip route 206.253.xxx.0 255.255.255.192 Cellular0/1/0 240 track 202
ip route 206.253.xxx.128 255.255.255.192 Cellular0/1/0 240 track 202
ip route 206.253.xxx.0 255.255.255.0 Cellular0/1/0 240 track 202
ip route 12.21.xxx.0 255.255.255.0 Cellular0/1/0 track 202
ip route 66.xxx.25.0 255.255.255.0 Cellular0/1/0 track 202
ip route 10.200.200.202 255.255.255.255 Cellular0/1/0
ip route 12.21.xxx.0 255.255.255.0 Cellular0/1/0
ip route 63.235.xxx.195 255.255.255.255 Cellular0/1/0
ip route 66.xxx.25.0 255.255.255.0 Cellular0/1/0
ip route 67.130.xxx.54 255.255.255.255 Cellular0/1/0
ip route 206.253.xxx.0 255.255.255.0 Cellular0/1/0 240
ip route 206.253.xxx.250 255.255.255.255 GigabitEthernet0/1 220
ip route 206.253.xxx.250 255.255.255.255 Null0 230
ip route 206.253.xxx.0 255.255.255.192 Cellular0/1/0 240
ip route 206.253.xxx.128 255.255.255.192 Cellular0/1/0 240
ip route 206.253.xxx.0 255.255.255.0 Cellular0/1/0 240
ip tacacs source-interface GigabitEthernet0/0

Answer:

ip route 10.200.200.204 255.255.255.255 Cellular0/1/0 235 track 101

this route will be installed in RIB if the tracked object 101 is UP

You have  this:
track 101 list boolean and
object 1 not

so tracked object 101 will be UP if object 1 is not UP (so is down)

track 1 ip sla 1 reachability

ip sla 1
icmp-echo 206.253.180.250  source-interface GigabitEthernet0/0
frequency 10
ip sla schedule 1 life forever start-time now

object 1 tracks IP sla 1 and so if ping to 206.253.180.250 sourced from G0/0 is down then object 1 will be down
and so object 101 will be UP and the static route will get installed.

second track object:

track 202 list boolean and
object 1 not
object 2 not

AND means 202 will be UP if both are UP and DOWN if one or both are down, so:
object 1 UP and object 2 UP will yield 202 as DOWN
object 1 DOWN and object 2 DOWN will yield 202 UP
object 1 DOWN and object 2 UP will yield 202 DOWN
object 1 UP and object 2 DOWN will yield 202 DOWN
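The boolean evaluation the answer walks through, as an added example that is not code from the original thread: it parses the posted track objects, applies the "not" modifier before the AND, builds the truth table for track 202, and lists which tracked static routes would be installed for a given state of the IP SLA and Tunnel0. The route list is a constructed subset of the posted routes with the same prefixes and distances.

```python
# Added example, not code from the original thread: evaluate 'track ... list
# boolean and' objects with the 'not' modifier, and list which of the
# tracked static routes would be installed for a given set of object states.
import re
from itertools import product

# Track objects exactly as posted in the question.
TRACK_CONFIG = """
track 1 ip sla 1 reachability
track 2 interface Tunnel0 line-protocol
track 101 list boolean and
 object 1 not
track 202 list boolean and
 object 1 not
 object 2 not
 delay down 10 up 20
"""

# A constructed subset of the posted static routes (same prefixes and distances).
ROUTE_CONFIG = """
ip route 10.200.200.204 255.255.255.255 Cellular0/1/0 235 track 101
ip route 10.250.0.0 255.255.0.0 Tunnel0 235 track 101
ip route 10.250.0.0 255.255.0.0 Cellular0/1/0 240 track 202
ip route 10.200.200.202 255.255.255.255 Cellular0/1/0
"""


def parse_tracks(text):
    """Return {id: ("leaf", [])} for ip sla / interface tracks and
    {id: ("and"|"or", [(member_id, negated), ...])} for boolean lists."""
    tracks, current = {}, None
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "track":
            tid = int(tok[1])
            if tok[2] == "list":            # track N list boolean and|or
                tracks[tid] = (tok[4], [])
                current = tid
            else:                           # leaf: ip sla ..., interface ...
                tracks[tid] = ("leaf", [])
                current = None
        elif tok[0] == "object" and current is not None:
            negated = len(tok) > 2 and tok[2] == "not"
            tracks[current][1].append((int(tok[1]), negated))
        # 'delay down/up' only smooths transitions; it does not change the logic
    return tracks


def track_state(tracks, tid, leaf_state):
    """Evaluate track `tid`; leaf_state maps leaf ids to True (up)/False (down)."""
    op, members = tracks[tid]
    if op == "leaf":
        return leaf_state[tid]
    # 'not' inverts a member's state before it enters the boolean operation
    values = [track_state(tracks, m, leaf_state) != negated for m, negated in members]
    return all(values) if op == "and" else any(values)


def truth_table(tracks, tid):
    """Map every combination of leaf states to the resulting state of `tid`."""
    leaves = sorted(t for t, (op, _) in tracks.items() if op == "leaf")
    return {combo: track_state(tracks, tid, dict(zip(leaves, combo)))
            for combo in product([True, False], repeat=len(leaves))}


ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)(?: (\d+))?(?: track (\d+))?$")


def installed_routes(route_text, tracks, leaf_state):
    """Return (prefix, mask, next hop, distance) for routes whose track is up
    (or which carry no track). Distance defaults to 1 for static routes."""
    installed = []
    for line in route_text.strip().splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        prefix, mask, nexthop, ad, track = m.groups()
        if track is None or track_state(tracks, int(track), leaf_state):
            installed.append((prefix, mask, nexthop, int(ad) if ad else 1))
    return installed
```

With the ping up and Tunnel0 up, only the untracked route is installed; once the ping fails, the track 101 routes appear, and the track 202 (cellular) routes appear only when the tunnel is down as well.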



Tuesday, August 6, 2013

Sub Interfaces on E1

Question:


I need to create two point to point links between two routers connected via E1.

They need to be in separate VRFs for my requirement.

Is there any way I can create that on an E1 interface? Please let me know.

Many Thanks in advance.

Answer:

I have used fractional E1 in the past for this kind of scenario.
You can use fractional E1 for this; under controller e1 you can define more than one channel-group, each of them with different timeslots associated. Two different serial interfaces are generated from this.

controller e1 x/y
channel-group 1 timeslots 1-15
channel-group 2 timeslots 17-30

(check the syntax of the commands above it may be different)

this generates two serial interfaces

serx/y:1
serx/y:2

You can associate the first to VRF1 and the second to VRF2; do this on both routers and use appropriate addresses.


To be noted: this provides a fixed division of resources (64 kbps timeslots) between the two derived serial interfaces.


Monday, August 5, 2013

[PPPoE] - Show authentication protocol used

Question:

When connected to a DSL service provider with a Cisco router using a dialer's basic configuration as follows:

interface Dialer1
ip address negotiated
[OUTPUT_OMITTED]
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer persistent
ppp authentication pap chap callin
ppp chap hostname [OUTPUT_OMITTED]
ppp chap password 0 [OUTPUT_OMITTED]
ppp pap sent-username [OUTPUT_OMITTED] password 0 [OUTPUT_OMITTED]

!

Is there a way to see which authentication protocol (PAP, CHAP...) has been used other than running a debug ppp authentication while authenticating?

Answer:

There is no way besides using the debug command. Note for PPPoE you do not need:
dialer idle-timeout 0
dialer persistent


NAT Internal Address to External IP

Question:

I am in the process of trying to create a DMZ using two routers and a switch and would like some assistance regarding NAT'ing the external IP to an internal one. All internal devices can communicate with each other. We are using a router to act as a DMZ. This router directly connects to a switch on our LAN which is directly connected to its router. There is no physical connection between the DMZ router and the internal router.

Currently, the main issue is that the external IP is not recognised from an external location, i.e. from home I cannot navigate to our external IP address through IE; however, I can ping the IP successfully from an external location. The below config is our DMZ router.

Is there another command that I am missing? Our DNS records are still being generated but accessing via IP should still be working, right?

Your help is appreciated

Regards,

!
!
!
interface Ethernet0/0 ##  External IP  ##
ip address 10.10.10.10 255.255.255.252
ip nat outside
ip virtual-reassembly
half-duplex
!
interface FastEthernet0/0  ##  Internal IP  ##
ip address 192.168.20.200 255.255.255.0
ip nat inside
ip virtual-reassembly
speed auto
!
interface FastEthernet0/0.1  ##  Sub-Int created to talk to 11.0.0.0 nw  ##
encapsulation dot1Q 11
ip address 11.0.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no snmp trap link-status
!
interface FastEthernet0/0.2  ##  Sub-Int created for Isolation VLAN  ##
encapsulation dot1Q 10
ip address 192.168.1.254 255.255.255.0
no snmp trap link-status
!
interface Serial1/0
no ip address
shutdown
no fair-queue
!
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip route 11.0.0.0 255.255.255.0 192.168.20.254
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface Ethernet0/0 overload
ip nat inside source list Allelse interface Ethernet0/0 overload  (i am unable to remove this rule.  get a 'dynamic mapping error')
!
!
access-list 1 permit 11.0.0.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 remark ##  Control NAT Service  ##
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
exec-timeout 5 0
privilege level 15
logging synchronous
login local
transport input telnet
transport output telnet
!
end

Answer:

You need to configure static NAT if you would like to have access from the Internet to internal servers.

I assume the IP you have put on the outside interface E0/0 is not the actual IP. You need to have a public IP on your external interface.

Friday, August 2, 2013

Login to directly into "privilege mode"

Question:

I have created users and given them telnet access to router 7200.
They have full privileges (15) but every time they login they login into user-exec mode instead of privilege mode.
Is there a way to skip user-exec mode and allow the users to login directly into privilege mode so they don't have to enter the password twice?

Answer:

line vty 0 15
privilege level 15

That will do it.

Thursday, August 1, 2013

IP inspect and 3640 router

Question:

In my GNS3 lab I'm trying to setup IP inspect in order to understand the functionality of this command "ip inspect", but I can't find the command under global config mode.
My show ver is:


Cisco IOS Software, 3600 Software (C3640-JK9S-M), Version 12.4(16), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 20-Jun-07 11:43 by prod_rel_team


ROM: ROMMON Emulation Microcode
ROM: 3600 Software (C3640-JK9S-M), Version 12.4(16), RELEASE SOFTWARE (fc1)            

Answer:


There is no firewall feature set in this image; you need an image with the FW feature set (with o3 in the name).