Tuesday, July 16, 2013

Internet access for users in remote location

Question:

I configured MPLS VPN for remote locations using a Cisco 881 at the remote side and a Cisco 2811 on our head-office side with an IP VPN service provider.

The remote user is able to access the head office network.

Now the problem is he needs internet access. The only way I know is that we have to allow him to use the head office internet connection, or another MPLS VPN tunnel with the service provider for the internet connection, which will be a huge cost that our office is reluctant to give.

Now I am looking for a way to get the internet traffic out from the modem connected to his Cisco 881 router and the head-office traffic to go over the MPLS VPN.

Now the traffic flow is like:

remote user-------->cisco 881------>internet modem------------------>service provider network----------------->head office(cisco 2811)----------->Servers

Any help will be highly appreciated.

Answer:

Sorry that I didn't say it clearly: you should ping 192.168.1.1 from the remote user's computer only after you configure the default route to the internet (ip route 0.0.0.0 0.0.0.0 192.168.1.1), but not when the tunnel is up.

For NAT, try this out:

access-list 2000 deny ip any HO_net1
access-list 2000 deny ip any YOUR_HEAD_OFFICE_SUBNET2
access-list 2000 permit ip any any

interface FastEthernet4
ip nat outside
interface Vlan1
ip nat inside

ip nat inside source list 2000 interface FastEthernet4 overload

Verify NAT:

sh access-list

sh ip nat translations

Sunday, July 14, 2013

Cisco Router 2900 not able to access any DSL commands for ADSL2/2+ or 1ADSL


Question:

When I enter configuration mode for ATM, any DSL commands are not recognized. I believe I have the right IOS. Any suggestions will help.

ROM: System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)
System image file is "flash0:c2900-universalk9-mz.SPA.151-4.M4.bin"
Last reload type: Normal Reload

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
multilink bundle-name authenticated
!
vpdn enable
!
redundancy
!
controller VDSL 0/1/0
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 218.12.1.1 255.255.255.0
ip nat inside
no ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/1/0
no ip address
atm bandwidth dynamic
no atm ilmi-keepalive
pvc 0/35
pppoe-client dial-pool-number 1
!
!
interface Ethernet0/1/0
no ip address
shutdown
no fair-queue
!
interface GigabitEthernet0/0/0
no ip address
!
interface GigabitEthernet0/0/1
no ip address
!
interface GigabitEthernet0/0/2
no ip address
!
interface GigabitEthernet0/0/3
no ip address
!
interface Vlan1
no ip address
!
interface Vlan6
no ip address
!
interface Dialer1
description hwic1
mtu 1492
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
keepalive 300
ppp chap hostname @att.net
ppp chap password 0
ppp pap sent-username @att.net password 0
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 1 permit 218.12.1.0 0.0.0.255
dialer-list 1 protocol ip permit
!
control-plane
!
scheduler allocate 20000 1000

Answer:

Check your config/hardware:


"controller VDSL 0/1/0"


It's VDSL and not ADSL. The options that you are looking for are available depending on the card: some cards are VA, which have VDSL as well as ADSL, and some are just V (i.e. VDSL).

Hence check what your current hardware is or what you are looking for.

http://www.cisco.com/en/US/docs/routers/access/interfaces/software/feature/guide/vdsl2_hwic.pdf

Wednesday, July 3, 2013

how to configure ipsla monitor in IOS XR Software, Version 4.2.3?


Question:

How to configure ipsla monitor in IOS XR Software, Version 4.2.3?

I don't see ipsla commands in IOS XR Software, Version 4.2.3. Any other ways to detect ethernet WAN links to trigger HSRP on ASR 9000 series routers? I don't even see track commands.

RP/0/RSP0/CPU0:grx-rtr2(config)#ip
iphc  ipv4  ipv6
RP/0/RSP0/CPU0:grx-rtr2(config)#t
tacacs-server  tacacs  taskgroup  tcam
tcp            telnet  template   tftp


Answer:

1. configure
2. track track-name
3. type line-protocol state
4. interface type interface-path-id
5. exit
6. (Optional) delay {up seconds|down seconds}
7. Use one of the following commands:
   - end
   - commit

Please see if the commands in this link are available to you on cli

http://www.cisco.com/en/US/docs/routers/asr9000/software/asr9k_r4.2/system_management/configuration/guide/b_sysman_cg42asr9k_chapter_01110.html

And then to use the track command in HSRP

hsrp [group-number] track type interface-path-id [priority-decrement]

I'm not sure if these are required.

As demonstrated here:

RP/0/0/CPU0:router(config)# router hsrp
RP/0/0/CPU0:router(config-hsrp)# interface TenGigE 0/2/0/1
RP/0/0/CPU0:router(config-hsrp-if)# hsrp track TenGigE 0/1/0/1
RP/0/0/CPU0:router(config-hsrp-if)# hsrp track TenGigE 0/3/0/1
RP/0/0/CPU0:router(config-hsrp-if)# hsrp preempt
RP/0/0/CPU0:router(config-hsrp-if)# hsrp ipv4 192.92.72.46

Cisco 2821 for home office use & voip?


Question:

Would the above router be a good choice for a home office setup for use with WAN speeds up to 30Mbps and VoIP?

Any other, preferable suggestions welcomed?

Thanks in advance for any input.

Answer:

With 2821 you will be able to go up to 87Mbps.
http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf

This router should handle everything you need for home office and VoIP.

Monday, July 1, 2013

Redistribute 0.0.0.0 0.0.0.0 route only on Eigrp


Question:

I have configured the EIGRP routing protocol. At the main router I have many static routes and I want to redistribute only the default route (0.0.0.0 0.0.0.0). But now every static route is distributed on each router. How do I distribute the default route only?

I have got a backup router for the main router, and I want to redistribute the R1 default route only to the other routers, and in the failure of R2 I want to redistribute the R2 default route to the other routers. The destinations of the default routes of R1 and R2 are different. Is this possible or not?

Answer:

If you want to redistribute the default route only:
ip prefix-list REDIST_STATIC permit 0.0.0.0/0
route-map REDIST_STATIC permit 10
 match ip address prefix-list REDIST_STATIC
router eigrp 10
 redistribute static route-map REDIST_STATIC

Sunday, June 30, 2013

Need VPN HELP!!! UP-IDLE only.


Question:

I am trying to connect my office 2801 router with a static IP to my home 2851 router that has a dynamic IP address via a VPN.

Currently I seem to have a VPN connection but no data crosses it.  When I issue the command SHOW CRYPTO SESSION, here is what I get:

OFFICE 2801
Interface: FastEthernet0/0
Session status: UP-IDLE
Peer: 70.193.201.242 port 10327
  IKEv1 SA: local 40.197.68.9/4500 remote 70.193.211.19/10327 Active

HOME 2851
Interface: GigabitEthernet0/0
Session status: DOWN
Peer: 40.197.68.9 port 500
  IPSEC FLOW: permit ip 192.168.70.0/255.255.255.252 40.197.68.0/255.255.255.7
        Active SAs: 0, origin: crypto map

Interface: GigabitEthernet0/0
Session status: UP-IDLE
Peer: 40.197.68.9 port 4500
  IKEv1 SA: local 192.168.70.2/4500 remote 40.197.68.9/4500 Active

Any idea why I am not able to get the IPSec part to work?

CONFIG FILES:
2801 OFFICE
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key VPNpassword address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS-1 esp-3des esp-md5-hmac
!
crypto dynamic-map NCL-vpn 10
set security-association lifetime seconds 86400
set transform-set TS-1
match address VPN1-FLA-TRAFFIC
!  
crypto map VPN-FLA-MAP 10 ipsec-isakmp dynamic NCL-vpn
!
interface FastEthernet0/0
ip address 40.197.68.9 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN-FLA-MAP
!
interface FastEthernet0/1
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
no ip forward-protocol nd
!   
ip nat inside source list 1 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 40.197.68.10
ip route 192.168.2.0 255.255.255.0 192.168.10.5
!
ip access-list extended VPN1-FLA-TRAFFIC
permit ip 40.197.68.0 0.0.0.248 192.168.70.0 0.0.0.3

2851 HOME
! ---------- This is used for local SSH only ----------
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2516279958
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2516279958
revocation-check none
rsakeypair TP-self-signed-2516279958
!
!
crypto pki certificate chain TP-self-signed-2516279958
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
!  ------------------ END LOCAL USE PKI --------------------------
! ------------------ For VPN use ------------------------
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key VPNpassword address 40.197.68.9
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map vpn-to-hq 10 ipsec-isakmp
set peer 40.197.68.9
set transform-set TS
match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
description Router - C3524 Port Fa0/23 192.168.70.1
ip address 192.168.70.2 255.255.255.252
duplex auto
speed auto
crypto map vpn-to-hq
!
ip access-list extended VPN-TRAFFIC
permit ip 192.168.70.0 0.0.0.3 40.197.68.0 0.0.0.248

Answer:

2801 OFFICE
permit ip 40.197.68.0 0.0.0.248 192.168.70.0 0.0.0.3

2851 HOME
permit ip 192.168.70.0 0.0.0.3 40.197.68.0 0.0.0.248

You should replace the bolded IP addresses by your LAN subnet IPs, as an IPSec tunnel is for LAN to LAN communication.
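
Added example, not part of the original answer: the two crypto ACLs rewritten with LAN subnets and mirrored on each side, plus a NAT exemption on the office router so tunnel traffic is not translated before it is matched for encryption. The office LAN 192.168.10.0/24 comes from the posted Fa0/1 address; the home LAN 192.168.20.0/24 and the ACL name NAT-OFFICE are assumptions, since the page does not show them.

```cisco
! --- 2801 OFFICE ---
! Office LAN 192.168.10.0/24 is taken from Fa0/1 in the posted config.
! Home LAN 192.168.20.0/24 is an assumed value; substitute the real subnet.
no ip access-list extended VPN1-FLA-TRAFFIC
ip access-list extended VPN1-FLA-TRAFFIC
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
! Exempt tunnel traffic from PAT. NAT-OFFICE is a hypothetical name that
! replaces list 1, whose contents are not shown on the page.
ip access-list extended NAT-OFFICE
 deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
no ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source list NAT-OFFICE interface FastEthernet0/0 overload
!
! --- 2851 HOME ---
! Exact mirror of the office entry: source and destination swapped.
no ip access-list extended VPN-TRAFFIC
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
!
! --- Check on either router after sending LAN-to-LAN traffic ---
! show crypto session      (expect UP-ACTIVE instead of UP-IDLE)
! show crypto ipsec sa     (encaps/decaps counters should increase)
```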

Thursday, June 27, 2013

simple question


Question:

Kindly, I need to ask: what does it mean by subnet zero in this phrase, "The ip subnet zero command is not configured on a router"?

Answer:

Clear explanation with example.