Question:
Please explain to me what a VRF is. I have also found that a VRF can be configured on both a router and a switch. I have a 3750 and a 3800, so where should I configure the VRF?
Answer:
VRFs in general are used to virtualize the routing table, so you can have multiple routing tables in one physical router.
VRFs can be used with MP-BGP and MPLS in networks like ISPs'.
VRFs can also be used locally to separate multiple routing instances, aka VRF-Lite.
Both can be used for path isolation.
Useful links:
http://packetlife.net/blog/2010/mar/29/inter-vrf-routing-vrf-lite/
http://www.cisco.com/en/US/docs/solutions/Enterprise/Network_Virtualization/PathIsol.html
Original comes from http://switch.2329893.n4.nabble.com/3900-router-td14.html
Friday, August 30, 2013
Thursday, August 29, 2013
Help with basic config of 819 using CP Express please
Question:
I set up a basic Linksys E2500 with the following information and connected to the internet straight away without a problem:
I have spent several hours simply trying to get this basic information into the Cisco 819 using CP Express without success, i.e. I get no internet. Rather than show my inputs, I'd appreciate some guidance on the correct setup. I am a novice, so I'd rather solve this issue using CP Express just to get connected in the first instance. By the way, I have a static IP address. I connected the ethernet cable carrying the internet to the internet port of the E2500 and an ethernet cable from one of the ethernet ports of the E2500 to my PC. For the 819, I connected the internet cable to the GE WAN 0 port and the PC to one of the FE ports. Thanks.
Answer:
Just mark the thread as resolved and rate any post you found valuable.
PM me and we'll find a way to test it and see what is not working.
Original comes from http://www.kerchoonz.com/lilirouter
Wednesday, August 28, 2013
iBGP or IGP in this design?
Question:
According to this example from the official CCNP book, the BGP design calls for making the packets flow over the route as shown.
And according to that book, two actions must take place for this design to work:
Make BGP specify a prefix as being best reached through a particular link (BGP PA settings). I'm fine with that, no questions here.
Run BGP between multiple routers. E1 and E2 must exchange BGP routes over an iBGP connection, and because packet forwarding between E1 and E2 goes through other routers (such as Core1 and Core2), those routers also need to run BGP.
Here is my question:
Instead of running iBGP on the non-enterprise routers, can't we just add an IGP to the enterprise routers, have them redistribute their eBGP-learned routes into the IGP and forward them to the enterprise network, and leave the non-enterprise routers running only the IGP?
Answer:
I totally agree with you. An IGP (OSPF, EIGRP or IS-IS) would be even more flexible in this scenario, which otherwise could present some scalability problems in the near future should you add more routers, because no BGP route reflectors are in place. If Joseph's guess is right (you have a lot of prefixes), just use summarization and you will definitely see benefits in your design. Except for SP environments, iBGP should never be extensively deployed in an enterprise. If you want a more valuable opinion on this topic, Jeff Doyle (TCP/IP Vol 2) makes clear why we use BGP and ... it is very interesting.
Thursday, August 15, 2013
Understanding show policy-map interface xx
Question:
I need to understand the difference between "total drops" and "no-buffer drops" in the output:
Router#sh policy-map int gi 0/0
GigabitEthernet0/0
Service-policy output: SHAPE-OUT
Class-map: class-default (match-any)
441790059 packets, 219164243756 bytes
30 second offered rate 23718000 bps, drop rate 228000 bps
Match: any
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/3447160/0
(pkts output/bytes output) 443857262/223879827364
shape (average) cir 40000000, bc 160000, be 160000
target shape rate 40000000
Answer:
You can have drops due to the reasons below:
1. WRED dropping the packet.
2. You exceeded the configured rate, you are buffering the packet, and you have exceeded the configured queue limit.
3. You are exceeding the configured rate and trying to buffer the packet; you have not reached the configured queue limit, but there is no buffer available to allocate up to the configured queue limit.
Drops due to the 3rd reason show up as "no-buffer drops".
Drops due to all of the above reasons are the "total drops".
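As an added example (not part of the original answer), the following Python parses the output quoted in the question and separates queue-limit drops (reasons 1 and 2) from no-buffer drops (reason 3). The field names and the wording of `diagnosis()` are my own; the sample text is the output from the question.

```python
"""Parse 'show policy-map interface' output and classify drops.

Added example, not code from the original post. SAMPLE is the output quoted
in the question; field names and the diagnosis wording are my own choices.
"""
import re
from dataclasses import dataclass

SAMPLE = """\
GigabitEthernet0/0
  Service-policy output: SHAPE-OUT
    Class-map: class-default (match-any)
      441790059 packets, 219164243756 bytes
      30 second offered rate 23718000 bps, drop rate 228000 bps
      Match: any
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/3447160/0
      (pkts output/bytes output) 443857262/223879827364
      shape (average) cir 40000000, bc 160000, be 160000
      target shape rate 40000000
"""

_RE = {
    "policy": re.compile(r"Service-policy (input|output): (\S+)"),
    "class": re.compile(r"Class-map: (\S+) \("),
    "counts": re.compile(r"^(\d+) packets, (\d+) bytes"),
    "rates": re.compile(r"offered rate (\d+) bps, drop rate (\d+) bps"),
    "qlimit": re.compile(r"queue limit (\d+) packets"),
    "drops": re.compile(r"\(queue depth/total drops/no-buffer drops\) (\d+)/(\d+)/(\d+)"),
    "cir": re.compile(r"shape \(average\) cir (\d+)"),
}


@dataclass
class ClassStats:
    policy: str
    direction: str
    class_name: str
    packets: int = 0
    byte_count: int = 0
    offered_bps: int = 0
    drop_bps: int = 0
    queue_limit: int = 0
    queue_depth: int = 0
    total_drops: int = 0
    no_buffer_drops: int = 0
    cir_bps: int = 0

    @property
    def queue_drops(self) -> int:
        """Reasons 1 and 2 from the answer: WRED or tail drop at the queue limit."""
        return self.total_drops - self.no_buffer_drops

    def diagnosis(self) -> str:
        if self.total_drops == 0:
            return "no drops"
        if self.no_buffer_drops:
            # Reason 3: the platform ran out of packet memory before queue-limit was hit.
            return "no-buffer drops: packet memory exhausted before the queue limit"
        if self.cir_bps and self.offered_bps < self.cir_bps:
            # Average rate is under the CIR, so bursts are overflowing the queue.
            return "queue-limit drops below CIR: bursts exceed queue-limit, raise queue-limit or Bc"
        return "queue-limit drops: offered rate exceeds CIR, shaper is oversubscribed"


def parse_policy_map(text: str) -> list:
    """Return one ClassStats per class-map found in the command output."""
    classes, policy, direction, cur = [], "", "", None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _RE["policy"].search(line):
            direction, policy = m.group(1), m.group(2)
        elif m := _RE["class"].search(line):
            cur = ClassStats(policy, direction, m.group(1))
            classes.append(cur)
        elif cur is None:
            continue
        elif m := _RE["counts"].search(line):
            cur.packets, cur.byte_count = int(m.group(1)), int(m.group(2))
        elif m := _RE["rates"].search(line):
            cur.offered_bps, cur.drop_bps = int(m.group(1)), int(m.group(2))
        elif m := _RE["qlimit"].search(line):
            cur.queue_limit = int(m.group(1))
        elif m := _RE["drops"].search(line):
            cur.queue_depth, cur.total_drops, cur.no_buffer_drops = map(int, m.groups())
        elif m := _RE["cir"].search(line):
            cur.cir_bps = int(m.group(1))
    return classes


if __name__ == "__main__":
    for s in parse_policy_map(SAMPLE):
        print(f"{s.policy}/{s.class_name}: total={s.total_drops} queue={s.queue_drops} "
              f"no-buffer={s.no_buffer_drops} -> {s.diagnosis()}")
```

On the quoted output this reports 3,447,160 queue-limit drops and zero no-buffer drops, with a 30-second offered rate of 23.7 Mbps against a 40 Mbps CIR. The loss is therefore burst-driven tail drop in the 64-packet queue, not memory exhaustion and not sustained oversubscription, which points at queue-limit or Bc rather than the CIR as the knob to turn.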
Wednesday, August 14, 2013
Simple network architecture for redundant switches and firewalls?
Question:
We'll be building a small remote site that will use two Windows 2008 servers. We would like redundancy in firewalls, IPSs and switches. Is it better to buy stand-alone ASA 5510s (with embedded IPSs) and 2960s, or is it a better option to buy a Cat 6000 with FW modules? We'll have several internet IP addresses available. I don't know much about Nexus or the latest HW options, so perhaps there are options I don't know about. Thanks
Answer:
The Cat6500 with ASA-SM is far more expensive than standalone devices. If you think about the 5510 and the throughput is enough, then I would use the following equipment:
2x ASA 5515-X-IPS as Active/Standby
2x Cat 3750-X as a stack with redundant power supplies.
That will give you maximum redundancy for an affordable price.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
Enabling CEF Question
Question:
Hey, would it be a wise move to enable CEF on the WAN interface going to the Internet, if CEF memory is currently at 98%? As of right now, this interface is process switching. The other two interfaces are CEF switching.
Answer:
I agree with Rick.
Your router will work better with CEF enabled on all interfaces.
About memory usage by CEF: your device is a SW-based router that has already built a CEF table to be used for CEF switching. The table is populated from routing information (topology driven), so adding the third interface to CEF should not cause a big increase in memory usage, as the CEF table is already built, and you should see lower CPU usage with all interfaces running CEF.
Original comes from http://www.3anetwork.com/cisco-ws-c3750x-48t-s-price_p104.html
Sunday, August 11, 2013
OSPF Database & routing table
Question:
Why would there be discrepancies between the OSPF database and the entries in the routing table? If I do show ip ospf database there are a significant number of entries that are not shown but are in the network list under router ospf....
Why would this be? We are having occasional connectivity problems with 2 of the subnets that are not in the OSPF database but are in the router's network list.
Any help you can give is appreciated.
Alex
Sent from Cisco Technical Support iPad App
Answer:
As I said earlier, all routers within an area would have the same topology database. That means the same entries.
The only thing I think you are missing is that you have to check under the Router LSA for the advertising router:
show ip ospf database router <192.168.162.1>
Check the same command on the router on which you suspect it's not there.
Thursday, August 8, 2013
Redundant interface configuration in cisco router
Question:
I have a scenario like this.
Two firewalls are connected in Active-Standby mode and are tracking the inside and outside interfaces. There is connectivity from the router to the primary firewall's portX, and the router is used for reaching the back-office locations. My problem is that whenever a firewall failover happens I lose connectivity to the back-office networks from the inside network of the firewall. So is there any way to configure the Cisco router with a redundant interface, so that if the interface (connected to the primary firewall) goes down, traffic automatically passes through some other port, which would be connected to the standby firewall's portX?
Answer:
Cisco routers support the "backup interface" feature.
The backup interface remains down while the primary is up. When the primary goes down, the backup interface comes up.
You need to configure the backup interface command under the primary interface.
Original comes from http://www.3anetwork.com/cisco-ws-c3750x-12s-s-price_p111.html
Wednesday, August 7, 2013
RIPv1
Question:
Suppose we have the following diagram with RIPv1 enabled.
RIPv1 does not send the mask, so R2 will see in the update message a route to 192.168.1.0 that is less specific than 192.168.1.128/25.
So why will it not add it to its routing table as 192.168.1.0/24, so that it will have 2 routes:
R 192.168.1.0/24 via 192.168.0.1
C 192.168.1.128/25 via e0
This would not cause any confusion for R2.
Answer:
When R2 receives the update it checks whether the advertised network is in the same major network as the receiving interface, which is not the case here (it receives 192.168.1.0 and the interface is connected to 192.168.0.0), so it then checks whether any subnets of the received network already exist in the RIB, which is the case here with 192.168.1.128/25, and so it ignores the update.
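As an added illustration of the rule in the answer (not code from the post), here is the RIPv1 sender and receiver logic for mask-less routes in Python: auto-summarisation at the classful boundary on the sending side, and on the receiving side the choice between borrowing the inbound interface's mask, using the classful mask, or ignoring a classful summary when the RIB already holds a subnet of that major network. The addresses are the question's; the diagram is not on the page, so R1 holding 192.168.1.0/25 behind it and R2's RIB contents are my assumptions.

```python
"""RIPv1 sender/receiver rules for mask-less routes.

Added illustration of the answer above, not code from the post. Addresses come
from the question; R1's 192.168.1.0/25 and R2's RIB are assumptions.
"""
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import List, Optional


def classful_network(addr: IPv4Address) -> IPv4Network:
    """Major (classful) network of an address: /8 for class A, /16 for B, /24 for C."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        prefix = 8
    elif first_octet < 192:
        prefix = 16
    elif first_octet < 224:
        prefix = 24
    else:
        raise ValueError("class D/E address cannot be a RIPv1 route")
    return IPv4Network((addr, prefix), strict=False)


def ripv1_advertise(route: str, out_if: str) -> Optional[str]:
    """Address a RIPv1 sender puts in an update for `route` on `out_if` (no mask is carried)."""
    net, link = IPv4Network(route), IPv4Interface(out_if)
    major = classful_network(net.network_address)
    if link.ip not in major:
        # Link is in a different major network: auto-summarise to the classful network.
        return str(major.network_address)
    if net.prefixlen == link.network.prefixlen or net.prefixlen == 32:
        return str(net.network_address)   # same mask as the link (or a host route): sent as is
    return None                           # VLSM subnet whose mask differs from the link: not sent


def ripv1_interpret(advertised: str, in_if: str, rib: List[str]) -> Optional[str]:
    """Route a RIPv1 receiver installs for mask-less `advertised`, or None if it ignores it."""
    addr, link = IPv4Address(advertised), IPv4Interface(in_if)
    major = classful_network(addr)
    if link.ip in major:
        # Same major network as the receiving link: assume the link's mask.
        cand = IPv4Network((addr, link.network.prefixlen), strict=False)
        if cand.network_address != addr:
            return f"{addr}/32"           # host bits set under that mask: treated as a host route
        return str(cand)
    if addr != major.network_address:
        return None                       # subnet of a foreign major network: unusable without a mask
    if any(r != major and r.subnet_of(major) for r in map(IPv4Network, rib)):
        # R2 already knows a subnet of this major network (192.168.1.128/25), so the
        # classful summary is ignored rather than installed as 192.168.1.0/24.
        return None
    return str(major)


if __name__ == "__main__":
    r2_rib = ["192.168.0.0/24", "192.168.1.128/25"]
    sent = ripv1_advertise("192.168.1.0/25", "192.168.0.1/24")   # what R1 puts on the wire
    print("R1 advertises:", sent)
    print("R2 installs:", ripv1_interpret(sent, "192.168.0.2/24", r2_rib))
```

Run as is, it reproduces the question's case: R1 can only send `192.168.1.0` across the 192.168.0.0/24 link, and R2 ignores it because 192.168.1.128/25 is already in its RIB. Remove that connected subnet from the RIB and the same update is installed as 192.168.1.0/24, which is the discontiguous-network problem RIPv2's explicit masks were introduced to fix.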
Monday, August 5, 2013
two Dsl lines Failover Nat problem
Question:
I have two DSL lines, and I configured route-map NAT-TO-101 to specify the addresses which use line 1 and route-map NAT-TO-102 to use line 2, and everything is working fine.
But now I want to configure failover for both lines, so I propose to do this:
route-map redirect permit 10
 match ip address To-101
 set interface Dialer1 Dialer2
!
route-map redirect permit 20
 match ip address To-102
 set interface Dialer2 Dialer1
But I don't know what to do with the NAT rules. If I change the NAT rules to
ip nat inside source route-map NAT-To-101 interface Dialer1 overload
ip nat inside source route-map NAT-To-102 interface Dialer2 overload
ip nat inside source route-map NAT-To-101 interface Dialer2 overload
ip nat inside source route-map NAT-To-102 interface Dialer1 overload
will that solve the problem?
But I don't understand: will the NAT rules be matched based on whether the dialer interface is up or down, or not?
Original configuration file:
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.52
 encapsulation dot1Q 52
 ip address 192.168.3.10 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map redirect
!
interface GigabitEthernet0/0.55
 encapsulation dot1Q 55
 ip address 192.168.55.10 255.255.240.0
 ip access-group DNS-Guest in
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1
 description $ES_LAN$
 ip address 10.23.200.10 255.255.255.248
 ip flow ingress
 ip flow egress
 duplex auto
 speed auto
 service-policy input ETH-IN
!
interface ATM0/1/0
 no ip address
 ip mtu 1492
 ip tcp adjust-mss 1452
 no atm ilmi-keepalive
 dsl enable-training-log delay 0
 pvc 0/35
  encapsulation aal5snap
  pppoe-client dial-pool-number 1
!
interface ATM0/2/0
 no ip address
 ip mtu 1492
 ip tcp adjust-mss 1452
 no atm ilmi-keepalive
 dsl enable-training-log delay 0
 dsl lom 200
 pvc 0/35
  encapsulation aal5snap
  pppoe-client dial-pool-number 2
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap hostname xxxxx
 ppp chap password 7 xxxxx
 ppp pap sent-username xxxxx password 7 xxxxx
!
interface Dialer2
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 2
 dialer-group 2
 ppp authentication pap chap callin
 ppp chap hostname xxxxx
 ppp chap password 7 xxxxx
 ppp pap sent-username xxxxx password 7 xxxxx
!
ip nat inside source route-map NAT-To-101 interface Dialer1 overload
ip nat inside source route-map NAT-To-102 interface Dialer2 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 0.0.0.0 0.0.0.0 Dialer2
!
ip access-list extended To-101
 permit ip host 192.168.3.8 any
ip access-list extended To-102
 permit ip host 192.168.55.9 any
 permit ip host 192.168.55.8 any
 permit ip host 192.168.3.7 any
 permit ip 10.23.251.0 0.0.0.127 any
!
route-map redirect permit 10
 match ip address To-101
 set interface Dialer1
!
route-map redirect permit 20
 match ip address To-102
 set interface Dialer2
!
route-map NAT-To-101 permit 10
 match ip address To-101
 set interface Dialer1
route-map NAT-To-102 permit 10
 match ip address To-102
 set interface Dialer2
Answer:
Change these:
route-map To-102 permit 10
 match ip address To-102
 match interface Dialer2
!
route-map To-101 permit 10
 match ip address To-101
 match interface Dialer1
to:
route-map To-102 permit 10
 match ip address NAT
 match interface Dialer2
!
route-map To-101 permit 10
 match ip address NAT
 match interface Dialer1
!
ip access-list extended NAT
 permit ip 192.168.3.0 0.0.0.255 any
And add an EEM applet that clears the existing NAT translations when Dialer2 goes down:
event manager applet CLEARNAT
 event syslog pattern "%LINEPROTO-5-UPDOWN: Line protocol on Interface Dialer.*, changed state to down"
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
traceroute behavior in MPLS VPN network
Question:
I'm trying to understand traceroute behaviour in an MPLS VPN network. Below is the traceroute from our management station (a Linux machine) to the CE router's loopback address. From what I understand, if the TTL expires on a P router (hops 15-18), then using the ICMP extension P will take the label information it received, attach it to the ICMP TTL-expired message and forward that message along the LSP, since P does not know how to reach the source. P routers will use the IP address of the receiving interface as the source of the ICMP TTL-expired message. The confusion is when the TTL expires on the PE router.
I can see it is using the IP address of the VRF interface instead of the IP of the receiving interface (the WAN interface). I've googled but cannot find a satisfying answer. Can someone please explain? Thanks a lot.
~$ traceroute -n -f 15 10.0.17.136
traceroute to 10.0.17.136 (10.0.17.136), 30 hops max, 38 byte packets
15  172.30.253.49  310.019 ms  310.464 ms  310.091 ms
     MPLS Label=397 CoS=5 TTL=1 S=0
     MPLS Label=1435 CoS=0 TTL=1 S=0
16  131.228.129.53  309.899 ms  310.079 ms  315.642 ms
     MPLS Label=541 CoS=5 TTL=1 S=0
     MPLS Label=1435 CoS=0 TTL=2 S=0
17  131.228.129.130  309.527 ms  309.825 ms  313.037 ms
     MPLS Label=1898 CoS=5 TTL=1 S=0
     MPLS Label=1435 CoS=0 TTL=3 S=0
18  172.28.87.10  309.917 ms  310.807 ms  309.786 ms
     MPLS Label=136 CoS=5 TTL=1 S=0
     MPLS Label=1435 CoS=0 TTL=4 S=0
19  10.58.24.253  309.183 ms  310.194 ms  309.008 ms
     MPLS Label=1435 CoS=5 TTL=1 S=0
20  10.58.24.254  308.081 ms  *  310.713 ms
Answer:
First check this article:
http://blog.ine.com/2008/11/24/mpls-ping-and-traceroute/
It's very detailed.
With regards to your question:
"The confusion is when the TTL expires on the PE router. I can see it is using the IP address of the VRF interface instead of the IP of the receiving interface (the WAN interface)."
Yes, it's expected that the remote PE will reply with the IP of the VRF interface; P will reply with the IP of the interface facing the source.
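As an added example (not code from the post), the following Python parses the traceroute output quoted in the question, including the MPLS extension lines, and infers each hop's role from the depth of the returned label stack. The role labels are inferences that assume an L3VPN with TTL propagation at the ingress PE and penultimate-hop popping; the class and function names are my own.

```python
"""Parse Linux traceroute output with MPLS extensions and infer hop roles in an L3VPN LSP.

Added example, not from the original post. SAMPLE is the output quoted in the
question. The role inference assumes TTL propagation at the ingress PE and PHP.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE = """\
traceroute to 10.0.17.136 (10.0.17.136), 30 hops max, 38 byte packets
15  172.30.253.49  310.019 ms  310.464 ms  310.091 ms
     MPLS Label=397 CoS=5 TTL=1 S=0
     MPLS Label=1435 CoS=0 TTL=1 S=0
16  131.228.129.53  309.899 ms  310.079 ms  315.642 ms
     MPLS Label=541 CoS=5 TTL=1 S=0
     MPLS Label=1435 CoS=0 TTL=2 S=0
17  131.228.129.130  309.527 ms  309.825 ms  313.037 ms
     MPLS Label=1898 CoS=5 TTL=1 S=0
     MPLS Label=1435 CoS=0 TTL=3 S=0
18  172.28.87.10  309.917 ms  310.807 ms  309.786 ms
     MPLS Label=136 CoS=5 TTL=1 S=0
     MPLS Label=1435 CoS=0 TTL=4 S=0
19  10.58.24.253  309.183 ms  310.194 ms  309.008 ms
     MPLS Label=1435 CoS=5 TTL=1 S=0
20  10.58.24.254  308.081 ms  *  310.713 ms
"""

_HOP = re.compile(r"^\s*(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(.*)$")
_LABEL = re.compile(r"MPLS Label=(\d+) CoS=(\d+) TTL=(\d+) S=(\d+)")


@dataclass
class Label:
    value: int
    exp: int   # printed as CoS by traceroute
    ttl: int
    bos: int   # bottom-of-stack bit as printed


@dataclass
class Hop:
    number: int
    address: str
    rtts_ms: List[float]
    timeouts: int
    labels: List[Label] = field(default_factory=list)  # top of stack first, as carried in the ICMP extension

    def role(self) -> str:
        if len(self.labels) >= 2:
            return "P"           # transport + VPN label: inside the LSP, answers from its receiving interface
        if len(self.labels) == 1:
            return "egress PE"   # only the VPN label left after PHP: answers from the VRF interface
        return "CE/IP"           # no label: beyond the MPLS cloud

    def lsp_ingress_hop(self) -> Optional[int]:
        """Hop number of the ingress PE, inferred from the untouched inner-label TTL."""
        # P routers decrement only the top label's TTL; the inner label keeps the TTL the
        # ingress PE copied into it, so hop_number - inner_ttl locates that PE.
        if len(self.labels) >= 2:
            return self.number - self.labels[-1].ttl
        return None


def parse_mpls_traceroute(text: str) -> List[Hop]:
    hops: List[Hop] = []
    for line in text.splitlines():
        if m := _LABEL.search(line):
            if hops:
                hops[-1].labels.append(Label(*map(int, m.groups())))
        elif m := _HOP.match(line):
            rest = m.group(3)
            rtts = [float(x) for x in re.findall(r"([\d.]+) ms", rest)]
            hops.append(Hop(int(m.group(1)), m.group(2), rtts, rest.count("*")))
    return hops


def vpn_label(hops: List[Hop]) -> Optional[int]:
    """The bottom label every labelled hop agrees on (the VPN label), or None if they differ."""
    seen = {h.labels[-1].value for h in hops if h.labels}
    return seen.pop() if len(seen) == 1 else None


if __name__ == "__main__":
    hops = parse_mpls_traceroute(SAMPLE)
    print("VPN label:", vpn_label(hops))
    for h in hops:
        print(h.number, h.address, h.role(), "ingress PE at hop", h.lsp_ingress_hop())
```

On the quoted output the inner-label TTL climbs 1, 2, 3, 4 across hops 15-18 while the top label is always 1, which places the ingress PE at hop 14; hop 19 returns the VPN label alone and is the egress PE answering from its VRF-facing address, as the answer says. Seen from the provider's side, the same output shows how much core addressing and label information a customer-side traceroute exposes; `no mpls ip propagate-ttl forwarded` on the PEs is the usual way to keep P hops out of transit traceroutes.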
Friday, August 2, 2013
Multiple VLAN, 2 WAN - Load Balance, Failover and NAT - Oh my
Question:
I'm bashing my head here trying to figure out something which I believe is really not as difficult as I'm making it out to be.
I have 3 VLANs (router-on-a-stick setup) and 2 WAN interfaces on a single router.
VLAN1 -> ISP1
VLAN2, VLAN3 -> ISP2
How can I set this up so that VLAN1 uses ISP1 as its primary internet connection?
How can I set this up so that VLAN2 and VLAN3 use ISP2 as their primary internet connection?
How can I set this up so that VLAN1 will use ISP2 if ISP1 fails?
How can I set this up so that VLAN2 and VLAN3 will use ISP1 if ISP2 fails?
I ran into problems before with issues due to NAT when trying to use IP SLA and event applets to just update route-map commands. That failed horribly. So I think I'll send this to the community, since I'm at a loss and I need another set of eyes to look at this, if it's even possible using just a single router.
Answer:
Here is one way you can do it:
ip access-list extended VL1_TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended VL23_TRAFFIC
 permit ip 192.168.2.0 0.0.0.255 any
 permit ip 192.168.3.0 0.0.0.255 any
ip access-list extended INSIDE_NETS
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
 permit ip 192.168.3.0 0.0.0.255 any
!
ip sla 1
 icmp-echo 8.8.8.8 source-interface s1/0
 frequency 4
 timeout 2000
ip sla 23
 icmp-echo 8.8.8.8 source-interface s1/1
 frequency 4
 timeout 2000
ip sla schedule 1 start-time now life forever
ip sla schedule 23 start-time now life forever
! source-interface only sets the probe's source address; with two default routes both
! probes can still leave via the same link, so give each probe its own target and pin
! that target to its uplink with a host route
track 1 ip sla 1 reachability
track 23 ip sla 23 reachability
!
! 1) VLAN 1 ---> ISP1 (primary), ISP2 (secondary)
! x.x.x.x = ISP1 next-hop, y.y.y.y = ISP2 next-hop; the second entry is used when the first track is down
route-map VL1_TRAFFIC permit 10
 match ip address VL1_TRAFFIC
 set ip next-hop verify-availability x.x.x.x 10 track 1
 set ip next-hop verify-availability y.y.y.y 20 track 23
interface f0/0.1
 ip nat inside
 ip policy route-map VL1_TRAFFIC
! 2) VLAN 2,3 ---> ISP2 (primary), ISP1 (secondary)
route-map VL23_TRAFFIC permit 10
 match ip address VL23_TRAFFIC
 set ip next-hop verify-availability y.y.y.y 10 track 23
 set ip next-hop verify-availability x.x.x.x 20 track 1
interface f0/0.2
 ip nat inside
 ip policy route-map VL23_TRAFFIC
interface f0/0.3
 ip nat inside
 ip policy route-map VL23_TRAFFIC
! 3) NAT overload: match on the egress interface, not on the VLAN, so traffic that
! has failed over to the other ISP is still translated to that ISP's address
route-map NAT_ISP1 permit 10
 match ip address INSIDE_NETS
 match interface s1/0
route-map NAT_ISP2 permit 10
 match ip address INSIDE_NETS
 match interface s1/1
ip nat inside source route-map NAT_ISP1 interface s1/0 overload
ip nat inside source route-map NAT_ISP2 interface s1/1 overload
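The two answers above (the dual-DSL NAT failover with the EEM applet, and the multi-VLAN dual-WAN design) rely on the same two points: NAT route-maps must be qualified by the egress interface, and existing translations must be cleared when the link they were built for goes down. The following Python simulation, added here and not code from either post, models policy routing with failover, a dynamic PAT table, and both NAT rule styles, and reports whether the translated source matches the link the packet leaves on (a mismatch is what an ISP's ingress source filter drops). The outside addresses 203.0.113.1 and 198.51.100.1 and the inside hosts are constructed; the ACL and interface names follow the dual-DSL thread, with the NAT ACL widened to every inside network, which the answer's single 192.168.3.0/24 entry would not cover.

```python
"""PBR failover with interface-qualified NAT route-maps and a translation table.

Added simulation covering the dual-DSL answer and the multi-VLAN answer above;
not code from either post. Outside addresses and inside hosts are constructed.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

OUTSIDE = {"Dialer1": "203.0.113.1", "Dialer2": "198.51.100.1"}   # constructed outside addresses

ACLS = {
    "To-101": ["192.168.3.8/32"],
    "To-102": ["192.168.55.9/32", "192.168.55.8/32", "192.168.3.7/32", "10.23.251.0/25"],
    # 192.168.55.10/20 from the question is the 192.168.48.0/20 network
    "NAT": ["192.168.3.0/24", "192.168.48.0/20", "10.23.251.0/25"],
}

# route-map redirect: (match ip address, 'set interface' candidates in order)
PBR = [("To-101", ["Dialer1", "Dialer2"]), ("To-102", ["Dialer2", "Dialer1"])]

# ip nat inside source route-map ... interface X overload, as (match acl, match interface, outside if)
NAT_ORIGINAL = [("To-101", None, "Dialer1"), ("To-102", None, "Dialer2")]   # ACL match only
NAT_FIXED = [("NAT", "Dialer2", "Dialer2"), ("NAT", "Dialer1", "Dialer1")]  # ACL + egress interface


def matches(acl: str, src) -> bool:
    return any(src in ip_network(n) for n in ACLS[acl])


def select_egress(src, link_up: Dict[str, bool]) -> Optional[str]:
    """First 'set interface' whose line protocol is up; None means not policy-routed / no path."""
    for acl, candidates in PBR:
        if matches(acl, src):
            return next((i for i in candidates if link_up.get(i)), None)
    return None


class NatTable:
    """Dynamic PAT entries keyed by inside source; IOS reuses them until cleared or aged out."""

    def __init__(self, rules: List[Tuple[str, Optional[str], str]]):
        self.rules = rules
        self.entries: Dict[str, str] = {}   # inside src -> outside interface used

    def translate(self, src, egress: str) -> Optional[str]:
        if str(src) in self.entries:          # an existing entry wins, whatever today's egress is
            return OUTSIDE[self.entries[str(src)]]
        for acl, match_if, outside_if in self.rules:
            if matches(acl, src) and (match_if is None or match_if == egress):
                self.entries[str(src)] = outside_if
                return OUTSIDE[outside_if]
        return None                            # untranslated: would leave with a private source

    def clear(self) -> None:
        """What the EEM applet's 'clear ip nat translation *' does on link down."""
        self.entries.clear()


def forward(src_str: str, link_up: Dict[str, bool], nat: NatTable):
    """Return (egress interface, translated source, consistent).

    consistent is False when the packet leaves one ISP's link carrying the other
    ISP's address, which is the case an upstream source filter drops."""
    src = ip_address(src_str)
    egress = select_egress(src, link_up)
    if egress is None:
        return None, None, False
    nat_src = nat.translate(src, egress)
    return egress, nat_src, nat_src == OUTSIDE[egress]


def failover_scenario(rules, clear_on_down: bool) -> Tuple[bool, bool]:
    """Host 192.168.3.8 talks out, Dialer1 fails, host talks again: (consistent before, after)."""
    nat = NatTable(rules)
    before = forward("192.168.3.8", {"Dialer1": True, "Dialer2": True}, nat)
    if clear_on_down:
        nat.clear()
    after = forward("192.168.3.8", {"Dialer1": False, "Dialer2": True}, nat)
    return before[2], after[2]


if __name__ == "__main__":
    for name, rules in (("original", NAT_ORIGINAL), ("fixed", NAT_FIXED)):
        for clear in (False, True):
            print(f"{name:8} clear={clear}: consistent before/after = {failover_scenario(rules, clear)}")
```

The four combinations show why the answer changes both things: with the original ACL-only rules the host keeps ISP1's address after failover whether or not the table is cleared, and with the interface-qualified rules a stale entry still keeps the old address until it is cleared. Only interface-qualified rules plus a clear on link-down yield a packet that leaves Dialer2 with Dialer2's address.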
Thursday, August 1, 2013
2 tunnel interfaces, one as backup
Question:
I have 2 GRE tunnel interfaces on my spoke; 1 connects to hub1, the other to hub2.
All is working well, both tunnels are up, and with EIGRP only 1 is being used while the other will be used if the main tunnel fails.
Now, is there a way for me to have tunnel 1 up but not tunnel 2, so that tunnel 2 comes up only if tunnel 1 fails?
Answer:
Wouldn't you want both tunnels up at all times? Convergence times would be shorter during failover if they were.
Sent from Cisco Technical Support iPad App