Sunday, June 30, 2013

861Router


Question:

I have a new 861 router, no wireless or anything, and I am having trouble getting it to work. I put the IP address on the FastEthernet 4 and the inside IP address on the VLAN1. I can ping out from the router both ways, to the gateway and back to the local machine, but I cannot get out to the internet from the local machines. The DHCP works, I just can't get to the internet.
Below is a copy of the current config; any help would be great.

!
hostname 861router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 10
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3456406442
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3456406442
revocation-check none
rsakeypair TP-self-signed-3456406442
!
crypto pki certificate chain TP-self-signed-3456406442
certificate self-signed 01
   quit
ip source-route
!
!
ip dhcp excluded-address 192.168.4.1 192.168.4.10
ip dhcp excluded-address 192.168.4.200 192.168.4.250
!
ip dhcp pool PPool
import all
network 192.168.4.0 255.255.255.0
default-router 192.168.4.1
dns-server 10.5.60.2
domain-name domain
lease 0 2
!
!
!
ip cef
no ip domain lookup
!
!
license udi pid CISCO861-K9 sn FGL1708240F
!
!
username admin privilege 15 secret 4 password
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
description outside wan
ip address 10.5.35.1 255.255.0.0
duplex auto
speed auto
!
interface Vlan1
ip address 192.168.4.1 255.255.255.0
ip nat enable
ip virtual-reassembly out
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 10.5.10.1
ip route 192.168.4.0 255.255.255.0 10.5.10.1
!
access-list 4 permit any
access-list 23 permit 192.168.4.0 0.0.0.255
access-list 110 permit ip any any
no cdp run
!
line con 0
login local
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
end

Answer:

As mentioned you need to configure NAT properly.
Something like:

interface FastEthernet4
 ip nat outside
interface Vlan1
 ip nat inside

ip nat inside source list 4 interface FastEthernet4 overload

And remove this line - you don't need it:

ip route 192.168.4.0 255.255.255.0 10.5.10.1

I am curious as to what else you have upstream of this router - you are natting from one private range to another so there will need to be something further upstream that can NAT this traffic to a routable address.

Thursday, June 27, 2013

Issue with floating static route


Question:

I am having issues with my floating static route - this must be something easy but I am not "seeing" it today... :-)

I have a few hundred prefixes from the 10.0.0.0/12 range in my BGP table and I want to be able to advertise another range (192.168.1.0/27) when any element of the 10.0.0.0/12 aggregate is present in the routing table. Example: If 10.1.1.1/32 is present, then advertise 192.168.1.0/27. My current problem is that the floating static doesn't kick in, even when the locally originated aggregate is present. Looks like the floating static doesn't like following another static route that is pointing to Null0 (which gets dynamically originated by the aggregate). Currently the floating static only kicks in when a prefix is present in the routing table that has zeros in all of the last three octets, i.e. 10.0.0.0/12 , 10.0.0.0/16 , 10.0.0.0/32

Any solutions / ideas to get around this?

!
ip route 192.168.1.0 255.255.255.224 10.0.0.0
!
router bgp 65000
aggregate-address 10.0.0.0 255.240.0.0
network 192.168.1.0 mask 255.255.255.224
!

CE1#sh ip route 10.0.0.0 255.240.0.0
Routing entry for 10.0.0.0/12
  Known via "bgp 65000", distance 200, metric 0, type locally generated
  Routing Descriptor Blocks:
  * directly connected, via Null0
      Route metric is 0, traffic share count is 1
      AS Hops 0

Answer:


Try changing the next hop address for your static route as follows:

ip route 192.168.1.0 255.255.255.224 10.0.0.1

10.0.0.1 should always be resolvable via the aggregate route (10.0.0.0/12), which should always be present in the RIB as long as there is a more specific route in the RIB.

Wednesday, June 26, 2013

VPN UP-ACTIVE but cannot ping across VPN


Question:

I have a VPN setup that I am trying to get working. When I issue the command sh crypto session on both routers I get the following:

OFFICE:
Interface: FastEthernet0/0
Session status: UP-ACTIVE   
Peer: 70.193.192.131 port 14275
  IKEv1 SA: local 40.197.68.9/4500 remote 70.193.192.131/14275 Active
  IPSEC FLOW: permit ip 192.168.10.0/255.255.255.0 192.168.30.0/255.255.255.252
        Active SAs: 2, origin: dynamic crypto map

HOME:
Interface: GigabitEthernet0/0
Session status: UP-ACTIVE   
Peer: 40.197.68.9 port 4500
  IKEv1 SA: local 192.168.30.1/4500 remote 40.197.68.9/4500 Active
  IPSEC FLOW: permit ip 192.168.30.0/255.255.255.252 192.168.10.0/255.255.255.0
        Active SAs: 2, origin: crypto map

But when I issue a ping 192.168.10.1 from the home router it returns .....

Here is my network topology:



Attached are my config files.

First, I do not know what I need to do to get the home router to ping the office router. Second, what do I do to get the 192.168.2.0 network (phone) to cross the VPN all the way to my phone?

Any help you can provide, I will be greatly thankful for!!!

Answer:

Looking at your config, you're doing NAT per ACL 1, on your OFFICE router, for source of 192.168.10.0/24.  You're NATing your OFFICE LAN to your public interface BEFORE it's being sent through tunnel:

http://www.techrepublic.com/article/understand-the-order-of-operations-for-cisco-ios/6055946 (NAT Order of Operations)

Change it to an extended and insert a line to that to deny NAT for your HOME network destinations across the tunnel:

ip access-list extended SDM_ACL
deny   ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.3
permit ip 192.168.10.0 0.0.0.255 any

That will take care of connectivity to the /30 subnet, but if you're wanting access to the OFFICE from your 110 and 115 VLANs from your HOME, then you'll need to add those networks to the VPN1-FLA-TRAFFIC and VPN-TRAFFIC ACLs, respectively.
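
The effect the answer describes, as an added example that is not part of the original thread: a small Python model of the OFFICE router's inside-to-outside path, where the NAT ACL is evaluated before the crypto map ACL. The contents of the original ACL 1 and all function names are assumptions; the subnets and the public address 40.197.68.9 come from the sh crypto session output in the question.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")
OFFICE_LAN = ("192.168.10.0", "0.0.0.255")   # from the IPSEC FLOW lines
HOME_NET = ("192.168.30.0", "0.0.0.3")       # the /30 behind the HOME router
OFFICE_PUBLIC = "40.197.68.9"                # OFFICE IKE local address


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: bits set in the wildcard are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_permits(acl, src, dst):
    """First matching entry decides; an ACL ends with an implicit deny."""
    for action, (s_base, s_wild), (d_base, d_wild) in acl:
        if wildcard_match(src, s_base, s_wild) and wildcard_match(dst, d_base, d_wild):
            return action == "permit"
    return False


# Assumed shape of the original standard ACL 1: it matches on source only,
# so every packet from the OFFICE LAN is translated, tunnel traffic included.
NAT_ACL_BEFORE = [("permit", OFFICE_LAN, ANY)]

# The extended ACL from the answer: exempt tunnel destinations, NAT the rest.
NAT_ACL_AFTER = [
    ("deny", OFFICE_LAN, HOME_NET),
    ("permit", OFFICE_LAN, ANY),
]

# Crypto ACL mirroring the OFFICE "IPSEC FLOW" line.
CRYPTO_ACL = [("permit", OFFICE_LAN, HOME_NET)]


def egress(nat_acl, src, dst):
    """Model inside-to-outside processing: NAT first, then the crypto check."""
    translated = acl_permits(nat_acl, src, dst)
    if translated:
        src = OFFICE_PUBLIC  # PAT overload onto the outside interface address
    encrypted = acl_permits(CRYPTO_ACL, src, dst)
    return {"src_on_wire": src, "translated": translated, "encrypted": encrypted}


if __name__ == "__main__":
    # Constructed sample flows: an echo reply to the HOME router, then web traffic.
    for name, acl in (("before", NAT_ACL_BEFORE), ("after", NAT_ACL_AFTER)):
        print(name, egress(acl, "192.168.10.1", "192.168.30.1"))
    print("internet", egress(NAT_ACL_AFTER, "192.168.10.20", "8.8.8.8"))
```

With the source-only ACL the reply leaves translated and outside the tunnel, which is why the session shows UP-ACTIVE while pings time out; it also means traffic intended for the tunnel is sent unencrypted.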

Tuesday, June 25, 2013

Cisco 887VA M K9 on domestic (dynamic IP) BT ADSL


Question:

Does anyone have a working config for this setup? I configured using the BT instructions but still no internet. I have tried various solutions from the forums but still no internet or ability to ping outside networks. I have in vain tried to get the latest BT firmware for the router but no joy so far.

Answer:

Okay then just change the DHCP pool to have your ISP DNS server address instead of your router, then you should be good to go.

You can remove the two virgin DNS server addresses also if you wish.

Monday, June 24, 2013

static route definition


Question:

What is the difference between those static routes:

ip route 150.0.0.0 255.255.255.0 150.0.1.1

ip route 150.0.0.0 255.255.255.192 150.0.1.1

Answer:

ip route 150.0.0.0 255.255.255.0 150.0.1.1

#means route anything matching 150.0.0.x to 150.0.1.1

ip route 150.0.0.0 255.255.255.192 150.0.1.1

#means route anything matching from 150.0.0.1 to 150.0.0.64 to 150.0.1.1

Sunday, June 23, 2013

Outbound Traffic Manage via eBGP


Question:

We are using multihomed eBGP on a single router, with bandwidth from multiple ISPs for internet.

We have our own IP address. At present our outbound traffic goes through ISP-1; when ISP-1 b/w goes down, traffic automatically goes through ISP-2 by default.

But our requirement is that when ISP-1 b/w goes down, all our outbound traffic goes through ISP-3 in place of ISP-2.

How can I achieve this as per our requirement?

Answer:

Another option is to specify weight - again giving the higher value to the most preferred path.

Local pref on a single router is a possibility but as I understand it, it would usually be best utilised with ibgp peering-res

Just to clarify - do you mean when the link on ISP1 goes down? It is just that you said "when ISP-1 b/w goes down" which could be interpreted differently.
It would be helpful if you could share your existing configs but the solution that springs to mind is to use local preference on the BGP learned routes with ISP1 routes having a higher local preference than ISP3.

Yes - that will do it. Ignore my comments about Local Preference - for some reason I thought you had 3 routers on site which is why I recommended LP. Weight is a better option if you have a single router.
You can do the configuration as you have written above or write a route-map statement to apply weight to the routes learned from each peer.

Thursday, June 20, 2013

OSPF path selection ??


Question:

I have the below topology in my network and I am planning to configure OSPF in it.
Can anyone confirm how traffic will flow from router B to reach the networks behind router A, with default OSPF configurations?

Will it take the directly connected link to reach router A's network, or will it go through router C to reach router A?

Answer:

If you have the default OSPF configuration, it will load balance.

Cost of link connecting Router-A and Router-B = 10^8/1mb = 100
Cost of link connecting Router-B and Router-C = 10^8/2mb = 50
Cost of link connecting Router-C and Router-A = 10^8/2mb = 50

So router B has two equal-cost paths to reach A.
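
The cost arithmetic above as an added example (not part of the original answer): a shortest-path run over the three links that keeps every equal-cost path, the way OSPF installs them. The router names and link speeds are the ones in the answer; the function names are made up for this example, and the 2 Mb variant at the end is a constructed what-if.

```python
import heapq

REFERENCE_BW = 10**8  # default OSPF reference bandwidth in bit/s, as used in the answer


def ospf_cost(bandwidth_bps):
    """Interface cost = reference bandwidth / link bandwidth, never below 1."""
    return max(1, REFERENCE_BW // bandwidth_bps)


def equal_cost_paths(links, src, dst):
    """Dijkstra that remembers every predecessor on a lowest-cost path.

    links: iterable of (router_a, router_b, bandwidth_bps), treated as
    bidirectional with the same cost in both directions.
    Returns (total_cost, sorted list of paths); (None, []) if unreachable.
    """
    graph = {}
    for a, b, bw in links:
        cost = ospf_cost(bw)
        graph.setdefault(a, []).append((b, cost))
        graph.setdefault(b, []).append((a, cost))

    dist = {src: 0}
    preds = {src: []}
    heap = [(0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist.get(node, float("inf")):
            continue  # stale heap entry
        for nbr, cost in graph.get(node, []):
            nd = d + cost
            if nd < dist.get(nbr, float("inf")):
                dist[nbr] = nd
                preds[nbr] = [node]
                heapq.heappush(heap, (nd, nbr))
            elif nd == dist[nbr] and node not in preds[nbr]:
                preds[nbr].append(node)  # a second path with the same cost

    def walk(node):
        if node == src:
            return [[src]]
        return [path + [node] for p in preds.get(node, []) for path in walk(p)]

    return dist.get(dst), sorted(walk(dst))


# Link speeds from the answer: A-B is 1 Mb, B-C and C-A are 2 Mb.
TOPOLOGY = [
    ("A", "B", 1_000_000),
    ("B", "C", 2_000_000),
    ("C", "A", 2_000_000),
]

# Constructed what-if: the direct A-B link upgraded to 2 Mb.
TOPOLOGY_UPGRADED = [("A", "B", 2_000_000)] + TOPOLOGY[1:]

if __name__ == "__main__":
    print(equal_cost_paths(TOPOLOGY, "B", "A"))
    print(equal_cost_paths(TOPOLOGY_UPGRADED, "B", "A"))
```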

Tuesday, June 18, 2013

L2L VPN, Cisco 3640 with IOS 12.3(16) no crypto


Question:

I have a Cisco 3640 router with IOS v.12.3(16)
It does not recognize the crypto commands.
What reading I have been able to find says that it should be there.

Any idea?

Thank you.

#sh version
Cisco Internetwork Operating System Software
IOS (tm) 3600 Software (C3640-I-M), Version 12.3(16), RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Tue 23-Aug-05 20:03 by ssearch
Image text-base: 0x60008B00, data-base: 0x60D36000

ROM: System Bootstrap, Version 11.1(20)AA2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
ROM: 3600 Software (C3640-I-M), Version 12.3(16), RELEASE SOFTWARE (fc4)

router01 uptime is 3 hours, 43 minutes
System returned to ROM by power-on
System image file is "flash:c3640-i-mz.123-16.bin"

cisco 3640 (R4700) processor (revision 0x00) with 89088K/9216K bytes of memory.
Processor board ID 18209909
R4700 CPU at 100MHz, Implementation 33, Rev 1.0
Bridging software.
X.25 software, Version 3.0.0.
2 FastEthernet/IEEE 802.3 interface(s)
DRAM configuration is 64 bits wide with parity disabled.
125K bytes of non-volatile configuration memory.
32768K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

Answer:

That IOS image is not a crypto image:

System image file is "flash:c3640-i-mz.123-16.bin"

Actually images with K9 in the image name are indicating only that they have crypto support that will do RSA keys and SSH. It does not necessarily mean that the image will support VPN.

I am pretty sure that the image given by the OP is the IP Base image and it does not support VPN. Perhaps the best way to know what is supported in an image is to use the Feature Navigator from Cisco which has an option to research an image and will list the features supported in that image. This link will get you to the Feature Navigator

Monday, June 17, 2013

Cannot get outside access


I have my router setup with a gig 0/1 as my primary interface and I'm using cellular as a backup.  However, I cannot get outside access

MWA-CTT#sh run
Building configuration...
Current configuration : 2596 bytes
!
! Last configuration change at 19:24:01 UTC Wed May 15 2013
! NVRAM config last updated at 19:24:03 UTC Wed May 15 2013
! NVRAM config last updated at 19:24:03 UTC Wed May 15 2013
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service internal
!
hostname MWA-CTT
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$OPFk$X6REGd34.xo/ZU5nnIbQC1
enable password verizon
!
no aaa new-model
!
no ipv6 cef
!
!
!
!
!
!
!
ip dhcp excluded-address 10.1.1.1 10.1.1.20
!
ip dhcp pool DHCP_POOL
network 10.1.1.0 255.255.255.0
default-router 10.1.1.1
dns-server 8.8.8.8
!
!
ip name-server 8.8.8.8
ip cef
multilink bundle-name authenticated
!
chat-script ltescript "" "AT!CALL1" TIMEOUT 20 "OK"
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1921/K9 sn FTX160685BJ
license boot module c1900 technology-package datak9
!
!
!
redundancy
!
!
controller Cellular 0/1
!
!
!
!
!
interface Loopback1
ip address 1.2.3.9 255.255.255.255
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 10.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 166.150.246.179 255.255.255.0
ip nat outside
ip virtual-reassembly in
no ip route-cache
duplex full
speed 100
no cdp enable
!
interface Cellular0/1/0
ip address negotiated
no ip unreachables
ip nat outside
ip virtual-reassembly in
encapsulation slip
load-interval 30
dialer in-band
dialer idle-timeout 0
dialer string ltescript
dialer watch-group 1
async mode interactive
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 100 interface Cellular0/1/0 overload
ip nat inside source list 101 interface GigabitEthernet0/1 overload
ip route static adjust-time 1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 166.150.246.180 100
ip route 0.0.0.0 0.0.0.0 Cellular0/1/0 166.159.128.30 110
!
access-list 100 permit ip any any
access-list 101 permit ip any any
dialer watch-list 1 ip 5.6.7.8 0.0.0.0
dialer watch-list 1 delay route-check initial 60
dialer watch-list 1 delay connect 1
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec 
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 0/1/0
script dialer ltescript
modem InOut
no exec
line 0/1/1 0/1/3
no exec
line vty 0 4
password verizon
login
transport input all
!
scheduler allocate 20000 1000
!
end
MWA-CTT#

Thanks for your help.

Thursday, June 13, 2013

WIC 1DSU-T1 vs VWIC2-1MFT-T1/E1


Question:

I'm looking at a production router with a VWIC2-1MFT-T1/E1 module and neither side of the serial p2p connection has any clock rate configurations. Now I know with the VWIC2-1MFT-T1/E1 that everything is configured under the controller interface. However I'm seeing no clock rate command like with the WIC 1DSU. How does this work? Does that mean that there is a DSU/CSU at that location? I'm just used to seeing the WIC 1DSU-T1 more and haven't worked with the multiflex modules before.

Answer:

If you have a WIC-1DSU-T1, WIC-1DSU-T1-V2 or HWIC-1DSU-T1, you need to go under interface configuration and type service-module t1 clock source:

3845_2(config)#int serial 0/1/0
3845_2(config-if)#service-module t1 clock source ?
  internal  Use adapter internal clock
  line      Recover clock from line

You have 2 options here as you can see. Internal provides clocking and line receives clocking. In a back-to-back circuit, it is recommended to configure one end as "internal" while the other remains "line". If your provider is in the middle providing clocking for both ends, the "line" configuration is recommended but this depends on the circuit specifications. You can use the "show service-module" (do not forget clearing the counters to see the fresh statistics) command to know if there are clocking issues. Basically, you need to focus on the " Slip Secs" value. If it is increasing, it is recommended to check if clocking is properly configured. Sometimes you will need to get the provider involved to confirm the proper clocking configuration you should have.

On the other hand, if you have a VWICX-XMFT-T1/E1 you need to enter controller configuration and choose the proper clocking configuration. It basically works the same as in a WIC-1DSU-T1 and similar hardware.

3845_1(config)#controller t1 0/0/0
3845_1(config-controller)#clock source ?
  free-running  Free Running Clock
  internal      Internal Clock
  line          Recovered Clock

"The free-running keyword  specifies a free-running clock derived from the oscillator on the  motherboard, which is used only for testing and back-to-back  connections".

http://www.cisco.com/en/US/docs/ios/12_2/12_2z/12_2zj/feature/guide/gthwecan.html

To look for statistics use the "show controllers t1 X/X/X" command and avoid using any "loopback" command for it would affect the connection since it is used just for testing purposes. I hope this information helps and do not forget rating the useful posts.

Wednesday, June 12, 2013

Limiting bandwidth in GRE Tunnel


Hello experts

We have two Cisco 2811 Routers setup with a GRE tunnel that we would like to constrain the bandwidth on to replicate a satellite connection of 400 kbits. We tried the bandwidth command 400, but from what I understand that is only for routing metrics and not actual speed of the interface. Any suggestions?

Thanks for your help.

Monday, June 10, 2013

Sharing routes between carriers using BGP


Question:

I currently have 14 US offices connected via MPLS.  We have recently opened a new office in Ottawa, Canada.  Our primary US MPLS carrier cannot provide services in Canada.  I currently have a site to site tunnel setup between Ottawa (Internet circuit) and our headquarters in the US.  It works, but at times we experience connection issues.

I am in the process of ordering MPLS services from a different carrier.  Below is what I have in mind of doing.


                               ------------------ Chicago Head Quarters ( Cisco 2951) Primary BGP -------------- MPLS ------------|------------ BGP Remote Office
Core 6509 (Chicago)  |                                                                                                               |                  |
                               |                                                                                                                |-----------------|------------ BGP Remote Office
                                |                                                                                                       
                               -------------------- Chicago Head Quarters ( Cisco 2851) New Carrier----------------MPLS--------|----Ottawa Office

So I would like my Ottawa office to also be able to see my other remote offices.

What would I need to configure on both of my Cisco routers in Chicago and my core 6509 switch?


Answer:

Yes, you should be good to go,

The ASA will participate in the OSPF cluster and it will learn the default route via the Chicago Head-quarters router,

So most of the job will be done on the Core router (where redistribution will happen)

On the Chicago Head-quarters router you will just build the OSPF relationship with the ASA and advertise the default route,

The ASA and internet breakout is in Ottawa, not Chicago.
Jaime - I don't see any problems with what you propose but you will need to alter the design I suggested slightly. You will need to:
1. Configure users in Ottawa to use the MPLS router as their default gateway (not the ASA)
2. Add a default route on the Ottawa MPLS router pointing at your ASA firewall. Do not redistribute this default route into BGP.
3. In Chicago you will need to redistribute your other site and Chicago subnets from OSPF into BGP and advertise them out to Ottawa.

I would use route-maps in the redistribute statements so you tightly control what you are advertising. This is not essential but it is useful to keep on top of what is being advertised where and can stop things breaking in the future if additional links are added.

Sunday, June 9, 2013

877 default route using track command


Question:

I have an 877 router which has a DSL WAN interface. The DSL service at this site is unreliable, so the company have purchased a separate 3G router to be used as a backup. This device maintains 3G connectivity at all times and has a static IP on the internal subnet (for arguments sake let's say 10.0.0.253).

What I want to do with the Cisco router is to track the DSL interface and if it is up, install a default route pointing to it. If it is down, I want the default route to be the 3G router.

I am thinking the best way to do this is to set up a track and then set 2 default routes; one which is installed if the tracking is up, the other has a higher admin distance and points to the 3G router and thus should only be used if the track is down. For example:

track 10 interface Dialer0 ip routing
delay down 30 up 30

ip route 0.0.0.0 0.0.0.0 Dialer0 track 10

ip route 0.0.0.0 0.0.0.0 10.0.0.253 100

Is this likely to work or is there a better way to do it?


Answer:

This configuration will work in your scenario. No further config required as far as I know.
This will track the interface as well as up up state and if it has an IP address.

If it fails it will switch over to your backup route which has a higher metric.

If you want faster switch over time you might want to tweak the delays?

Apart from this, all good :)

Thursday, June 6, 2013

QOS on 3560's Problem


Hello Experts

I am replacing some WAN connections: Point to Point T1's (running from 2820's to a 7200).  I am replacing them with metro Ethernet connections with a 3560 layer 3 switch at each end.  We run Cisco Call Manager, and have IP phones at our locations.  I want to set up QOS on my WAN connection to make sure my packets arrive in the correct order.  I have a few remote users complaining of voice problems, crackling, etc.  The 3560's are acting as routers, and don't directly connect to all the phones.  So I won't be using the mls/auto QOS features, I don't think.  I am trying to use service-policies and class-maps to handle qos, as I have done in the past, but I'm not finding the correct commands.  This is the QOS I currently have set up on my 7200/2820:

class-map match-any voip-control
  match ip dscp af31
class-map match-any voip-rtp
  match ip dscp ef
!
!
policy-map my-voice
  class voip-rtp
    priority 512
  class voip-control
   bandwidth percent 5
  class class-default
   fair-queue

I can create the class-maps on my 3560's, but when I start trying to modify the class settings under the policy-maps, the commands like "priority", "bandwidth", and "fair-queue" are not available.  These are the options at the (config-pmap-c)# prompt:

QoS policy-map class configuration commands:
  exit            Exit from QoS class action configuration mode
  no              Negate or set default values of a command
  police          Police
  service-policy  Configure QoS Service Policy
  set             Set QoS values
  trust           Set trust value for the class
  <cr>


Perhaps I am trying to do this the old way, but I'm just looking to set up some QOS on these switches.  These switches are running a mix of
ip base and ip services IOS versions.  Can anyone help me with the right syntax to setup QOS?

Thanks for your help.

Wednesday, June 5, 2013

Object-groups in access-lists on 3750X?


Question:

I have started to use ip extended access-lists on several 3750X switches to filter inbound and outbound traffic on the VLANs. But it seems that the use of object-groups is not supported, is this correct? Is there really no way to group different ip-addresses into groups and then use these groups in the access-lists?

I am running sw version 15.0(1)SE2.

Answer:
It is not supported on switches.
I had a brief look at the cisco feature navigator http://tools.cisco.com/ITDIT/CFN/ and it only shows support on router type platforms - not switches.
With exception to the 6500

Tuesday, June 4, 2013

Cisco WS-C2960S-24TD-L Problem


Hello experts,

I just got the 2960 switch and I would like to use the MGBSX1 when connecting to SG500X switches. Does it need additional configuration, or is it only plug and play?

Is the SFP-10G-LRM= compatible for connecting the WS-C2960S-24TD-L with the SG500X?

Thanks for your help.

Cisco SG300 L3 Performance


We have a network with over 300 devices. We have one primary switch (SG300-52 L2) with 10 secondary switches (SG300-28 L2) to handle all the traffic.
All devices are operating in the same subnet (10.10.0.0/16), and in the same VLAN.

Because we have quite a lot of video traffic on the network we want to split the network in 10 different VLANs and change the primary switch from L2 to L3.
Each VLAN will handle one subnet (10.10.x.0/24) with 15 devices (video).

The routing between the VLAN's will be done by inter-VLAN-routing in the SG300-52

Is a SG300-52 switch in L3-mode able to route this amount of devices in a decent way ?


Thanks for your help.