Tuesday, July 30, 2013

Cisco 2801 and Cisco Switch Trunk Port

Question:

Can anyone help me with the scenario below?

Scenario

1 - Cisco Router
Eth0/0: IP address 192.168.1.1/24, connected to my laptop at 192.168.1.2

Eth0/1: IP address 192.168.2.1/24, connected to the Cisco switch

2 - Cisco Switch

VLAN 2, name Sales: IP address 192.168.3.1, connected computer 192.168.3.2

VLAN 3, name Marketing: IP address 192.168.4.1, connected computer 192.168.4.2


So I want my laptop, which is connected to the router's Eth0/0 interface, to be able to access both the VLAN 2 and VLAN 3 computers.


So how can I set this up? Please help, and give me a helpful link such as a video or document, or you can write it below.

thank you very much

Answer:


Configuring InterVLAN Routing and ISL/802.1Q Trunking on a Catalyst 2900XL/3500XL/2950 Switch Using an External Router

For more Cisco Switch news about price and specification, you can click here.

BGP ebgp-multihop

Question:

I have configured a test lab with BGP. I have two different AS setup with dual connections between the systems. I configured the loopbacks and update-source between the AS but BGP did not become active until I changed the ebgp-multihop count from default and set the hop count to 2. My question is, is there a troubleshooting command I can use that will show me that the ebgp-multihop is not set correctly?

Answer:

If the ebgp-multihop is missing for an indirectly-connected eBGP neighbor, at the bottom of the show ip bgp neighbor X.X.X.X you will find these lines:

[ ... cut ... ]
  Connections established 0; dropped 0
  Last reset never
  External BGP neighbor not directly connected.
  No active TCP connection

There is the indication of the eBGP peer not being directly connected.

You may also be interested in reading the following thread about the ebgp-multihop and disable-connected-check that can be used specifically for loopback peerings between directly connected eBGP neighbors like yours.
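The check the answer describes can be scripted so that a neighbor stuck in Active/Idle with the "not directly connected" line is flagged automatically. The following is an added example, not code from the thread: the `show ip bgp neighbors` text is constructed to mirror the lines quoted above (two peers, one healthy and one missing ebgp-multihop), and the field names and the diagnosis strings are this example's own.

```python
"""Parse 'show ip bgp neighbors' output and flag peers that fail the way the answer describes."""
import re

# Constructed sample output: one established peer and one loopback peer that has
# no ebgp-multihop configured. The wording of the indicator lines follows the thread.
SAMPLE_OUTPUT = """\
BGP neighbor is 10.1.1.2,  remote AS 65002, external link
  BGP version 4, remote router ID 10.1.1.2
  BGP state = Established, up for 01:12:07
  Connections established 1; dropped 0
  Last reset never
BGP neighbor is 10.2.2.2,  remote AS 65002, external link
  BGP version 4, remote router ID 0.0.0.0
  BGP state = Active
  Connections established 0; dropped 0
  Last reset never
  External BGP neighbor not directly connected.
  No active TCP connection
"""

NEIGHBOR_RE = re.compile(r"^BGP neighbor is (\S+),\s+remote AS (\d+), (\w+) link", re.M)


def parse_neighbors(text):
    """Split the output into per-neighbor blocks and pull out the fields worth checking."""
    neighbors = []
    headers = list(NEIGHBOR_RE.finditer(text))
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[m.start():end]
        state = re.search(r"BGP state = (\w+)", body)
        conns = re.search(r"Connections established (\d+); dropped (\d+)", body)
        neighbors.append({
            "neighbor": m.group(1),
            "remote_as": int(m.group(2)),
            "link": m.group(3),                      # "external" or "internal"
            "state": state.group(1) if state else None,
            "established": int(conns.group(1)) if conns else 0,
            "dropped": int(conns.group(2)) if conns else 0,
            "not_directly_connected": "External BGP neighbor not directly connected." in body,
            "no_tcp": "No active TCP connection" in body,
        })
    return neighbors


def diagnose(neighbor):
    """Map the parsed fields to the most likely cause, in the order the answer suggests."""
    if neighbor["state"] == "Established":
        return "ok"
    if neighbor["link"] == "external" and neighbor["not_directly_connected"]:
        return "ebgp-multihop missing: external peer is not directly connected"
    if neighbor["no_tcp"]:
        return "no TCP session: check reachability, filtering or authentication"
    return "session not established: review neighbor configuration"


if __name__ == "__main__":
    for n in parse_neighbors(SAMPLE_OUTPUT):
        print(f"{n['neighbor']:<12} AS {n['remote_as']:<6} {n['state']:<12} {diagnose(n)}")
```

On a real router the same text can be fed in from `show ip bgp neighbors` captured over SSH; the parser only relies on the line formats shown above.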




New 2901 Router - Crypto Commands

Question:

I have just received a new Cisco 2901 and started on its configuration.

To my surprise, when I started configuring VPN tunnels, I saw that none of the crypto commands are available.

The router runs IOS 15.1.

From what I read, people say that the router needs to pass a license activation or something like that. When I run show version, I do see "none" under most of the categories.

Is anyone familiar with this, or has anyone faced such an issue?

Thanks for the help!

Answer:

You will need a security license. You should be able to get a 30-day evaluation license until you can purchase the license.




Sunday, July 28, 2013

Router: port forwarding problems.

Question:

I want to make my HTTP server accessible from the outside (it's located on my LAN).
The HTTP server listens on TCP port 80 on all interfaces, IP address 192.168.112.17/24. (I can ping outside addresses from this machine.) My router is a Cisco 2951; here's a part of its config:

interface GigabitEthernet0/0
ip address W.A.N.IPAddress W.A.N.Netmask
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto

interface GigabitEthernet0/1
ip address 192.168.112.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto

ip forward-protocol nd
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.112.17 80 W.A.N.IPAddress 80 extendable
ip route 0.0.0.0 0.0.0.0 W.A.N.GatewayIP
!
access-list 1 permit 192.168.X.0 0.0.0.255
access-list 1 permit 192.168.112.0 0.0.0.255
access-list 1 permit 192.168.Z.0 0.0.0.255
access-list 101 permit tcp any host W.A.N.IPAddress eq www

So I cannot reach the server from the outside. The router responds to pings (ICMP echo packets). I'm entering router's W.A.N.IPAddress in my browser's address field and there's no result. Help me, please!

Answer:

Here is a simple config:

ip nat inside source static tcp 192.168.112.17 80 46.45.33.X 80

As the WAN IP address for the server you need to use one spare address from your scope, e.g. 46.45.33.5, as you have a big enough subnet (/25).
Also I would not recommend posting real public IP addresses here.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f31.shtml

Friday, July 26, 2013

T1 Card for data on Cisco 3945 and Cisco 7206

Question:

I am working on a case where a T1 card is required for Cisco 3945 and Cisco 7206 routers.

For Cisco 3945 we have variety of cards available i.e.

HWIC-4T      (Clear channel)
HWIC-1CE1T1-PRI (Channelized T1\E1)

Which one should I go for, and what is the difference between clear channel and channelized ports?
 
For Cisco 7206

PA-MC-8TE1+ , seems only this one is available.

Would require your inputs on the same.

Answer:

The problem that I find with the HWIC-4T is that this is not a real T1 card. Its synchronous maximum speed is 8 Mbps and you will need an external DSU, which will provide clocking and determine the speed of the link. On the other hand, HWIC-1CE1T1-PRI is basically an ISDN PRI card but it can be also used as a T1/E1 card for data. Check this configuration guide and look for the options you have with this card:

http://www.cisco.com/en/US/docs/ios/12_4/12_4x/12_4_11xw/fmt1e1ic.html

PA-MC-8TE1 is also a versatile card that has T1/E1 functions so you will need to use the "card type" command to determine if the card would be a T1 or an E1.

http://www.cisco.com/en/US/docs/interfaces_modules/port_adapters/install_upgrade/multichannel_serial/8-port_multichannel_t1.ei_8pri_install_config/2738cfg.html


The configuration for both cards to get a T1 circuit is pretty similar because you need to configure "card type", controllers and their respective channel-groups and timeslots to get the proper number of DS0s to obtain a T1 (for a full T1 it is always timeslots 1-24). Moreover, avoid using "network-clock-participate" and "network-clock-select" commands, for they are voice/ISDN commands that could trigger clocking issues in a normal data circuit. The clock source command is important and is configured under the controller T1. When the Telco provides clocking in the middle, you can keep "clock source line" on both ends, but if the circuit is back-to-back, it is recommended to use "clock source line" in router A and "clock source internal" in router B. In summary, I think the circuit will come up if you use PA-MC-8TE1/HWIC-1CE1T1-PRI in the circuit as long as you use the proper clocking, timeslots, framing and line coding for a T1.

Wednesday, July 24, 2013

CME 2911 load balancing for two Internet gateway

Question:

I have a customer who has two internet gateways connected through Fast Ethernet, and he wants to load balance between the two internet gateways.

How can I configure load balancing for two gateways?


Answer:

By searching the forum before asking.



Redistribution - Perplexing

Question:

I greet everyone. Please be patient with me.  Here I am supposed to have a very basic network.

The configurations are as follows:

R1#
!
!
ip cef
!
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
!
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.0
speed 100
full-duplex
!
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.252
speed 100
full-duplex
!
!
router bgp 100
no synchronization
bgp log-neighbor-changes
network 2.2.2.2 mask 255.255.255.255
network 10.0.0.0 mask 255.255.255.0
network 192.168.1.0 mask 255.255.255.252
neighbor 192.168.1.2 remote-as 100
no auto-summary
!
!
end

*************************************************************************************
R2#
!
!
ip cef
!
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
!
interface Loopback1
ip address 6.6.6.6 255.255.255.255
!
!
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.252
speed 100
full-duplex
!
!
interface FastEthernet0/1
ip address 172.16.1.1 255.255.255.0
speed 100
full-duplex
!
!
router eigrp 45
redistribute bgp 100 metric 1000 100 255 1 1500
network 6.6.6.6 0.0.0.0
network 172.16.1.0 0.0.0.255
no auto-summary
!
!
router bgp 100
no synchronization
bgp log-neighbor-changes
network 3.3.3.3 mask 255.255.255.255
network 192.168.1.0 mask 255.255.255.252
redistribute eigrp 45
neighbor 192.168.1.1 remote-as 100
no auto-summary
!
!
end

*********************************************************************************************
R3#
!
!
ip cef
!
!
interface Loopback0
ip address 4.4.4.4 255.255.255.255
!
!
interface FastEthernet0/0
ip address 172.16.1.2 255.255.255.0
speed 100
full-duplex
!
!
router eigrp 45
network 4.4.4.4 0.0.0.0
network 172.16.1.0 0.0.0.255
!
!
end

******************************************************************************************************
The verifications are as follows:

R1#show ip route
!
!

     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback0
     3.0.0.0/32 is subnetted, 1 subnets
B       3.3.3.3 [200/0] via 192.168.1.2, 00:04:57
     4.0.0.0/32 is subnetted, 1 subnets
B       4.4.4.4 [200/156160] via 172.16.1.2, 00:04:52
     6.0.0.0/32 is subnetted, 1 subnets
B       6.6.6.6 [200/0] via 192.168.1.2, 00:04:57
     172.16.0.0/24 is subnetted, 1 subnets
B       172.16.1.0 [200/0] via 192.168.1.2, 00:04:57
     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, FastEthernet0/0
     192.168.1.0/30 is subnetted, 1 subnets
C       192.168.1.0 is directly connected, FastEthernet0/1
  
No problems in this case.  I see all the routes to the remote subnets.

*****************************************************************************************************************
R2#show ip route
!
!
     2.0.0.0/32 is subnetted, 1 subnets
B       2.2.2.2 [200/0] via 192.168.1.1, 00:23:33
     3.0.0.0/32 is subnetted, 1 subnets
C       3.3.3.3 is directly connected, Loopback0
     4.0.0.0/32 is subnetted, 1 subnets
D       4.4.4.4 [90/156160] via 172.16.1.2, 00:23:49, FastEthernet0/1
     6.0.0.0/32 is subnetted, 1 subnets
C       6.6.6.6 is directly connected, Loopback1
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, FastEthernet0/1
     10.0.0.0/24 is subnetted, 1 subnets
B       10.0.0.0 [200/0] via 192.168.1.1, 00:23:35
     192.168.1.0/30 is subnetted, 1 subnets
C       192.168.1.0 is directly connected, FastEthernet0/0

This is okay, I see all the remote subnets.
************************************************************************************************************************
R3#show ip route
!
!
     3.0.0.0/32 is subnetted, 1 subnets
D EX    3.3.3.3 [170/2588160] via 172.16.1.1, 00:00:34, FastEthernet0/0
     4.0.0.0/32 is subnetted, 1 subnets
C       4.4.4.4 is directly connected, Loopback0
     6.0.0.0/32 is subnetted, 1 subnets
D       6.6.6.6 [90/156160] via 172.16.1.1, 00:00:34, FastEthernet0/0
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, FastEthernet0/0
     192.168.1.0/30 is subnetted, 1 subnets
D EX    192.168.1.0 [170/2588160] via 172.16.1.1, 00:00:36, FastEthernet0/0

As you can see, only two out of the four remote networks are in this routing table.  R2 simply redistributed the BGP networks that are directly connected to it.  What happened to the BGP networks that R2 learned from R1?  How come these BGP routes were not redistributed even though they are in R2's routing table?

Please, help in any way you can.

Answer:

Hello Jaighobahi,
you are on the right track about iBGP and IGP redistribution; you also need a command under router bgp to allow injection of iBGP routes into IGP redistribution. I'm sorry I missed it in my first reply.
BGP by default provides a protection mechanism to avoid overloading the IGP database, BGP being much more scalable.
This protection can be disabled with the commands below:

on R2:
router bgp 100
bgp redistribute-internal

BGP AS number and EIGRP AS number are different concepts and they don't need to be equal and this does not change the behaviour

see
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bgp/command/bgp-a1.html#wp4270480859


https://supportforums.cisco.com/docs/DOC-1575
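The effect of `bgp redistribute-internal` on R3's table can be reproduced with a small model of R2's BGP table. This is an added example, not part of the thread: the table entries are constructed from the R2 configuration and `show ip route` outputs above, and the "only routes installed in the RIB as BGP routes are redistributed" rule is the simplification used to explain why the EIGRP-sourced prefixes never come back as D EX.

```python
"""Model of 'redistribute bgp 100' on R2 with and without 'bgp redistribute-internal'."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BgpPath:
    prefix: str
    source: str   # "local": network/redistribute on this router; "ibgp"/"ebgp": learned from a peer


# R2's BGP table, constructed from the configs and routing tables in the question.
R2_BGP_TABLE = [
    BgpPath("2.2.2.2/32", "ibgp"),        # advertised by R1 over the iBGP session
    BgpPath("10.0.0.0/24", "ibgp"),       # advertised by R1 over the iBGP session
    BgpPath("3.3.3.3/32", "local"),       # network statement on R2
    BgpPath("192.168.1.0/30", "local"),   # network statement on R2
    BgpPath("4.4.4.4/32", "local"),       # redistribute eigrp 45
    BgpPath("6.6.6.6/32", "local"),       # redistribute eigrp 45
    BgpPath("172.16.1.0/24", "local"),    # redistribute eigrp 45
]

# Prefixes R2 already holds as EIGRP (D) or connected (C) routes on the 172.16 side;
# for these the BGP path never makes it into the RIB, so there is nothing to redistribute.
R2_EIGRP_RIB = {"4.4.4.4/32", "6.6.6.6/32", "172.16.1.0/24"}


def redistribute_bgp_into_igp(bgp_table, igp_rib, redistribute_internal=False):
    """Return the prefixes an IGP process picks up from 'redistribute bgp'.

    Locally originated and eBGP-learned paths are always eligible. iBGP-learned
    paths are withheld by default (the protection the answer mentions) and only
    become eligible when 'bgp redistribute-internal' is configured.
    """
    redistributed = set()
    for path in bgp_table:
        if path.prefix in igp_rib:
            continue                     # the IGP already owns this prefix
        if path.source == "ibgp" and not redistribute_internal:
            continue                     # iBGP route withheld from redistribution
        redistributed.add(path.prefix)
    return redistributed


def routes_seen_by_r3(redistribute_internal=False):
    """What R3 learns from R2 as EIGRP external (D EX) routes."""
    return redistribute_bgp_into_igp(R2_BGP_TABLE, R2_EIGRP_RIB, redistribute_internal)


if __name__ == "__main__":
    print("default:                  ", sorted(routes_seen_by_r3()))
    print("bgp redistribute-internal:", sorted(routes_seen_by_r3(True)))
```

The default run yields exactly the two D EX entries in R3's table above (3.3.3.3/32 and 192.168.1.0/30); enabling the knob adds the two prefixes R2 learned from R1.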

Sunday, July 21, 2013

How to check QoS queues on an interface?

Question:

We were dropping packets across some WAN links and we found that the problem cleared up when we removed our QoS configs from the interface. So I'm thinking that some of the queues were becoming saturated with specific types of traffic. But I can't remember the commands to check individual queues. Can anyone suggest some commands to see if the different queues on our interfaces are filling up?

Answer:

You haven't specified the platform you are interested in.

For a router with modular QoS you should be able to get enough information from

show policy-map interface type x/y

Would the best option for  OSPF network statements be:
MPLS router: network 192.168.1.0 0.0.0.255
Core router: network 192.168.1.0 0.0.7.255

or

MPLS router: network 192.168.1.0 0.0.7.255
Core router: network 192.168.1.0 0.0.7.255

or

MPLS router: network 192.168.1.0 0.0.0.255
Core router: network 192.168.1.0 0.0.0.255, network 192.168.2.0 0.0.0.255, network 192.168.3.0

Answer:

I would enable OSPF just on the interfaces that are going to speak this protocol, for example:

net 192.168.1.1 0.0.0.0 area 0
net 192.168.2.1 0.0.0.0 area 0

net 192.168.3.1 0.0.0.0 area 0
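The difference between the three options in the question comes down to how a wildcard mask is evaluated: a 1 bit means "don't care", so `192.168.1.0 0.0.7.255` matches everything in 192.168.0.0 to 192.168.7.255, not just 192.168.1.0/24. The following is an added example, not from the thread, that implements the match and shows which interfaces each style of statement would enable; the core router's interface list is constructed (the three addresses from the answer plus a hypothetical management SVI `Vlan5` that should not run OSPF).

```python
"""Evaluate OSPF 'network <address> <wildcard> area <n>' statements against interface addresses."""
import ipaddress


def wildcard_matches(network, wildcard, address):
    """True if `address` matches `network`/`wildcard`.

    A wildcard bit of 1 means 'don't care'; IOS compares only the bit
    positions where the wildcard is 0.
    """
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    net = int(ipaddress.IPv4Address(network)) & care
    return net == (int(ipaddress.IPv4Address(address)) & care)


def ospf_enabled_interfaces(statements, interfaces):
    """Return {interface: area} for every interface some statement matches.

    statements: list of (network, wildcard, area). IOS stores network
    statements most-specific first (fewest wildcard bits), and the first
    match decides the area, so the same order is used here.
    """
    ordered = sorted(statements,
                     key=lambda s: bin(int(ipaddress.IPv4Address(s[1]))).count("1"))
    enabled = {}
    for name, address in interfaces.items():
        for network, wildcard, area in ordered:
            if wildcard_matches(network, wildcard, address):
                enabled[name] = area
                break
    return enabled


# Constructed core router: the three addresses used in the answer plus a
# hypothetical management SVI that must stay out of OSPF.
CORE_INTERFACES = {
    "Vlan1": "192.168.1.1",
    "Vlan2": "192.168.2.1",
    "Vlan3": "192.168.3.1",
    "Vlan5": "192.168.5.1",   # management, not meant to speak OSPF
}

# Option 2/3 from the question: one broad statement covering 192.168.0.0-192.168.7.255.
BROAD = [("192.168.1.0", "0.0.7.255", 0)]

# The answer's recommendation: one /32-style statement per participating interface.
EXACT = [("192.168.1.1", "0.0.0.0", 0),
         ("192.168.2.1", "0.0.0.0", 0),
         ("192.168.3.1", "0.0.0.0", 0)]


if __name__ == "__main__":
    print("0.0.7.255 enables:      ", sorted(ospf_enabled_interfaces(BROAD, CORE_INTERFACES)))
    print("per-interface enables:  ", sorted(ospf_enabled_interfaces(EXACT, CORE_INTERFACES)))
```

The broad statement silently enables OSPF (and Hello packets) on the management SVI as well; the per-interface form enables exactly the three links that are meant to form adjacencies, which is the reason for the answer's recommendation. The same wildcard rule applies to standard access-list entries such as `permit ip 10.0.0.0 0.255.255.255 any`.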

Thursday, July 18, 2013

routing problem on cisco 887

Question:

I have pings from the router to outside (internet) and from the router to inside (LAN), but I have no ping from inside to outside.
It seems like the NAT table is wrong or the router is just not doing routing...
Please have a look at my configuration; maybe you'll see something suspicious.

##############################
##############################
##############################

version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Riwip-R
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$ijuH$FLQZC0k.e.Zq/ya41uYFa0
enable password *********
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
!
!
ip cef
ip domain name
*********

no ipv6 cef
!
!
license udi pid CISCO887VA-K9 sn FTX1715828L
!
!
username ***** privilege 15 secret 4 8R9Jpx2OkfxKJM2qBI.
d617QvuuNwdr@#EA7Yb.ebRE
!
!
!
!
controller VDSL 0
!
ip ssh version 2
!
!
!
!
!
!

!
interface Ethernet0
no ip address
pppoe-client dial-pool-number 1
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
shutdown
!
interface FastEthernet2
no ip address
shutdown
!
interface FastEthernet3
no ip address
!
interface Vlan1
ip address 10.0.0.130 255.0.0.0
ip nat inside
no ip virtual-reassembly in
!
interface Dialer0
mtu 1492
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp pap sent-username *****@****password 0 ************
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list NAT-ACL interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended NAT-ACL
permit ip 10.0.0.0 0.255.255.255 any
!
dialer-list 1 protocol ip permit
!
!
!
!
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
password **********
transport input ssh
!
end

##############################
##############################
##############################

Answer:


Your config looks correct. Can you verify that the default gateway on the hosts is the VLAN 1 IP address and that they are in the correct subnet?

Wednesday, July 17, 2013

Running Remote Access VPN and DMVPN on the same router

Question:

We're having an issue with a few of our routers that mobile users use to remote access VPN into. These routers are also DMVPN spokes.

Basically I have two isakmp policies and ipsec policies as below:

crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 5
!
crypto isakmp key ABC address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 30 5 periodic
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set TS1 esp-3des esp-md5-hmac
mode transport
!

Until this morning, all of the spoke routers on DMVPN were having major issues where they would try to talk to one another but fail due to CONF_XAUTH error. Once I added the no-xauth keyword at the end of crypto isakmp key, all started working well without any issues. However since then, our remote access VPN clients are no longer working. If I remove no-xauth, remote access clients start working but DMVPN starts to flap.
Any ideas?

Answer:

I think you can use ISAKMP profiles to split the keyring for the remote access clients from the one used for DMVPN.


IP SLA Not Recovering

Question:

This is driving me crazy. IP SLA works for failing over to the secondary connection (from Cable to DSL), however the SLA can never reach 4.2.2.2 from the cable, even when it is up. I can ping the interface from the outside world and get responses, but the SLA still thinks the connection is down. I think it has something to do with the NAT, but I seem to be spinning my wheels.

On the SLA, when the source isn't specified, it toggles up/down - I'm assuming because it's going out the backup connection, then the SLA comes up thinking all is well, realizes its down, and jumps back. When I specify source IP (or interface), it stops doing this, but never recovers from the failover.

Reloading the router causes it to switch back to the cable and all is well again until the cable drops and comes back up.

I'm 99% sure that I've overlooked something quite elementary, I just can't think of it.


Answer:

Besides possible additional connection problems the up-/down-flapping of the IP-sla is the expected behaviour with your design in case of a primary link failure.

The route selection for ICMP SLA packets is based solely on the routing table, not the source interface. If track 1 goes down, your IP SLA is using the remaining route. Assuming the backup link is working properly, the IP SLA is successful again and track 1 comes up. Now IP SLA is using the 68.x.x.201 route again, although the primary link is still down, so IP SLA goes down and here we go...

Your backup link is not going to work this way. You need to make sure the ICMP SLA always uses the primary path no matter whether the primary route is installed in the routing table. One way would be to use

ip local policy route-map

matching on icmp and the source interface ip.

The only question left is how to get the backup WAN interface (FA0/2/0) to respond to pings from the internet. I'm assuming this will require a similar local route map, but I'm not too sure how to swing that without conflicting with the new addition above.

Just refine your ACL:
access-list 129 permit icmp host 68.x.x.204 host 4.2.2.2


Now it is only applied to this specific router-generated traffic.
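The up/down cycle the answer walks through can be reproduced with a few lines of simulation. This is an added example, not from the thread: `simulate_sla` models one probe round per cycle, the probe path following the routing table by default, and `pin_probe_to_primary` stands in for the `ip local policy route-map` (with the ACL matching ICMP from the primary interface address to 4.2.2.2) that forces the probe out the primary link regardless of which route is installed. Link states and cycle counts are constructed.

```python
"""Toy model of an IP SLA / track object driving a primary and a floating static route."""


def simulate_sla(link_up, cycles, pin_probe_to_primary=False, track_up=True):
    """Run `cycles` probe rounds and return a list of (path_used, track_state).

    link_up: {"primary": bool, "backup": bool}, whether each WAN link can
             currently reach the probe target.
    pin_probe_to_primary: model of a local policy route-map matching the probe
             and sending it out the primary link whatever the routing table says.
    track_up: initial state of the track object. While it is up the tracked
             static route via the primary is installed; while it is down the
             floating static route via the backup takes over.
    """
    history = []
    for _ in range(cycles):
        if pin_probe_to_primary:
            path = "primary"
        else:
            # Default behaviour: the probe just follows the current routing table.
            path = "primary" if track_up else "backup"
        track_up = link_up[path]     # a single probe result drives the track in this toy model
        history.append((path, track_up))
    return history


def count_transitions(history):
    """Number of up<->down changes of the track; anything above one on a stable link is flapping."""
    states = [state for _, state in history]
    return sum(1 for a, b in zip(states, states[1:]) if a != b)


def forwarding_path(track_up):
    """Which route user traffic takes for a given track state."""
    return "primary" if track_up else "backup"


if __name__ == "__main__":
    down = {"primary": False, "backup": True}
    for label, pinned in (("probe follows routing table", False), ("probe pinned to primary", True)):
        hist = simulate_sla(down, 6, pin_probe_to_primary=pinned)
        print(f"{label}: track states {[s for _, s in hist]}, "
              f"{count_transitions(hist)} transitions, "
              f"traffic ends on {forwarding_path(hist[-1][1])}")
```

With the probe following the routing table and the primary down, the track alternates every cycle, exactly the loop described above; pinned to the primary it stays down until the primary really recovers, and then comes back up so traffic fails back.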

Tuesday, July 16, 2013

Problem upgrading C2960 IOS via TFTP

Question:

I got my new C2960 a couple of days ago with an outdated IOS version (12.2) and I wanted to test the new IOS (15).

I know I can delete the current IOS version and download the new one from a TFTP server, but I just want to test the new IOS without deleting anything yet. Once I like it, I will put it in the flash.

So, I created a TFTP server, tested it, and it worked fine. I even copied the running-config file from the flash to my computer using the TFTP server with no problems. So, the TFTP server and its connection are working fine.

Now, I tried

Switch(config)#boot system tftp://192.168.4.17/c2960-lanbasek9-mz.150-2.SE4.bin

This command should boot the switch using the IOS on the TFTP server which resides on my computer (192.168.40.17) the next time I reload the switch. I saved my config and I rebooted the router.

This is what i got when reloading...

Loading "tftp://192.168.4.17/c2960-lanbasek9-mz.150-2.SE4.bin"...tftp://192.168.4.17/c2960-lanbasek9-mz.150-2.SE4.bin: no such device

Error loading "tftp://192.168.4.17/c2960-lanbasek9-mz.150-2.SE4.bin"

When I think of it, how can the switch access my computer's IP address during the boot process? During the boot process all the ports are shut down for failure testing purposes.

Am i using the wrong command to achieve what i want?

Answer:

TFTP boot doesn't work all the time.


Don't even bother trying to do this.

Sunday, July 14, 2013

Why is BGP not accessible internationally?


Question:

I have recently set up a router and found that I can access any website in my country, and my IP block is pingable from my country,
but I cannot access any site outside of my country and I cannot ping either. I am very new to routing; can someone tell me where the problem is?

Answer:

Checking from a public router, it doesn't reach your IP.

Ask your upstream peer, Mega Host Zone India, to advertise your routes out to the internet.

route-views>tr 103.16.100.1

Type escape sequence to abort.
Tracing the route to 103.16.100.1

  1 vl-51.uonet1-gw.uoregon.edu (128.223.51.2) [AS 3582] 236 msec 296 msec 244 msec
  2 vl-3.uonet9-gw.uoregon.edu (128.223.3.9) [AS 3582] 244 msec
    vl-2.uonet9-gw.uoregon.edu (128.223.2.9) [AS 3582] 244 msec 236 msec
  3  *  *  *
  4  *  *  *
  5  *  *  *
  6  *  *  *
  7  *  *  *

route-views>sh ip ro 103.16.100.1
% Subnet not in table

route-views>sh ip bgp 103.16.100.1
BGP routing table entry for 0.0.0.0/0, version 458090
Paths: (1 available, best #1, table Default-IP-Routing-Table, RIB-failure(17))
  Not advertised to any peer
  19214 12989 2828
    208.74.64.40 from 208.74.64.40 (208.74.64.40)
      Origin IGP, localpref 100, valid, external, best


% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:        103.16.100.0 - 103.16.100.255
netname:        MEGAHOSTZONE-IN
descr:          MegaHostZone Pvt. Ltd.
country:        IN
admin-c:        SR552-AP
tech-c:         CEO6-AP
mnt-by:         MAINT-IN-IRINN
mnt-routes:     MAINT-IN-MEGAHOSTZONE
mnt-irt:        IRT-IN-MEGAHOSTZONE
status:         ASSIGNED PORTABLE
changed:        hm-changed@apnic.net 20130205
source:         APNIC

Wednesday, July 3, 2013

Need to use both links at same time for site-to-site vpn


Question:

I'm having some confusion: I have 2 internet connections and I want to use them as ACTIVE and STANDBY, or have both load share at the same time, with a site-to-site VPN configuration.

If I configure the gateway of the VLANs on the multilayer switch, then how can I configure HSRP, or if I do PBR, how can it be done?

Devices:

cisco 881 router with 5mbps link
cisco 837 router with 2mbps link
cisco 3560x multilayer switch


Answer:

Here is a simple config for VPN backup on the head office:

crypto ipsec transform-set XX esp-3des esp-sha-hmac

crypto map MAP-A 100 ipsec-isakmp
set peer 2.2.2.2
set peer 1.1.1.1
set transform-set XX
match address vpn-to-branch

And on Branch you could configure HSRP on routers for failover.

Hope it will help.

VRF - Exporting and Importing


Question:

I'm working with MP-BGP. I am trying to import and export routes to and from 3 VRFs within the same Cisco 4948 switch.

Essentially I have 3 VRFs: UAT-VRF, GLOBAL-VRF and INFRA-VRF

Route leaking is configured between the following: UAT-VRF-> GLOBAL-VRF <-INFRA-VRF

I also have filter lists which permit certain routes into UAT and INFRA.

ip vrf INFRA-VRF
rd 65201:3
import IPv4 Unicast map INFRA-VRF-IMPORT
route-target export 65201:3
route-target import 65201:1
route-target import 65201:3
!
ip vrf GLOBAL-VRF
rd 65201:1
route-target export 65201:1
route-target import 65201:3
route-target import 65201:1
route-target import 65201:6
!
ip vrf UAT-VRF
rd 65201:6
import IPv4 Unicast map UAT-VRF-IMPORT
route-target export 65201:6
route-target import 65201:6
route-target import 65201:1
!

Note - the import filters are based around prefix lists which do match the exact routes required.

interface Vlan1130
ip vrf forwarding UAT-VRF
ip address 10.11.130.253 255.255.255.0
standby 130 ip 10.11.130.254
standby 130 priority 150
standby 130 preempt
standby 130 authentication md5 key-string

interface Vlan1067
ip vrf forwarding INFRA-VRF
ip address 10.11.67.253 255.255.255.0
standby 67 ip 10.11.67.254
standby 67 priority 150
standby 67 preempt
standby 67 authentication md5 key-string

interface Vlan2508
ip vrf forwarding GLOBAL-VRF
ip address 10.31.8.253 255.255.255.0
standby 8 ip 10.31.8.254
standby 8 priority 150
standby 8 preempt
standby 8 authentication md5 key-string

router bgp 65201
 address-family ipv4 vrf UAT-VRF
  redistribute connected
  no synchronization
 exit-address-family
 address-family ipv4 vrf GLOBAL-VRF
  neighbor 10.31.8.252 remote-as 65201
  neighbor 10.31.8.252 activate
  neighbor 10.31.8.252 send-community both
  no synchronization
 exit-address-family
 address-family ipv4 vrf INFRA-VRF
  redistribute connected
  no synchronization
 exit-address-family
!

Network 10.11.130.0/24 originated in BGP from the UAT VRF (UAT-VRF) with a redistribute connected (as shown above in the BGP configuration). As you can see below the GLOBAL-VRF VRF has the imported route successfully. Now we need to leak the best route out into the INFRA-VRF VRF.

SWITCH#sh ip bgp vpnv4 vrf GLOBAL-VRF 10.11.130.0
BGP routing table entry for 65201:1:10.11.130.0/24, version 1485372
Paths: (2 available, best #2, table GLOBAL-VRF)
Advertised to update-groups:
     1         2         3         4
Local
   10.31.8.252 from 10.31.8.252 (10.21.101.248)
     Origin incomplete, metric 0, localpref 100, valid, internal
     Extended Community: RT:65201:1
Local, imported path from 65201:6:10.11.130.0/24, imported path from 65201:6:10.11.130.0/24
   0.0.0.0 from 0.0.0.0 (10.21.101.249)
     Origin incomplete, metric 0, localpref 100, weight 32768, valid, external, best
     Extended Community: RT:65201:6
     mpls labels in/out nolabel/nolabel(GLOBAL-VRF)

Is this technically possible? Or is this not working as expected due to a loop prevention mechanism?

It seems we cannot export an already imported prefix.

Any comments would be appreciated.

Answer:

I think it's not possible because with the command route-target export you are only exporting the routes which are locally originated,
not the ones which are imported from other VRFs. If it were possible without leaking the RT at the needed VRF, then it could be a security issue also...
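The export/import behaviour the answer describes can be checked with a small model of the route-target logic. This is an added example, not from the thread: the import/export RTs are the ones in the `ip vrf` blocks above, the locally originated prefixes are constructed from the SVI addresses (GLOBAL-VRF is assumed to originate its own connected subnet as well), and the `reexport_imported` switch exists only to show what transitive leaking would look like if the platform did it.

```python
"""Model of VRF route-target export/import and why an imported prefix is not re-exported."""
from dataclasses import dataclass

# Import/export route targets, taken from the 'ip vrf' configuration in the question.
VRFS = {
    "UAT-VRF":    {"export": {"65201:6"}, "import": {"65201:6", "65201:1"}},
    "GLOBAL-VRF": {"export": {"65201:1"}, "import": {"65201:3", "65201:1", "65201:6"}},
    "INFRA-VRF":  {"export": {"65201:3"}, "import": {"65201:1", "65201:3"}},
}

# Locally originated prefixes per VRF (constructed from the SVI addresses; the
# redistribute-connected on GLOBAL-VRF is an assumption for this example).
LOCAL_ROUTES = {
    "UAT-VRF": ["10.11.130.0/24"],
    "INFRA-VRF": ["10.11.67.0/24"],
    "GLOBAL-VRF": ["10.31.8.0/24"],
}


@dataclass(frozen=True)
class VpnRoute:
    prefix: str
    origin_vrf: str
    rts: frozenset   # route-target extended communities attached to the path


def export_local(vrfs, local_routes):
    """Locally originated routes are tagged with their own VRF's export RTs."""
    return [VpnRoute(prefix, vrf, frozenset(vrfs[vrf]["export"]))
            for vrf, prefixes in local_routes.items() for prefix in prefixes]


def import_into(vrfs, vpn_table):
    """A VRF imports every path that carries at least one of its import RTs."""
    return {vrf: {r.prefix for r in vpn_table if r.rts & cfg["import"]}
            for vrf, cfg in vrfs.items()}


def leak(vrfs, local_routes, reexport_imported=False):
    """Compute each VRF's routing table after export and import.

    With reexport_imported=False (the behaviour the answer describes) only
    locally originated routes carry export RTs, so a prefix imported into
    GLOBAL-VRF is never re-tagged with GLOBAL-VRF's export RT and cannot
    reach INFRA-VRF through it. True performs one extra re-export pass to
    show what transitive leaking would look like.
    """
    vpn_table = export_local(vrfs, local_routes)
    tables = import_into(vrfs, vpn_table)
    if reexport_imported:
        extra = [VpnRoute(prefix, vrf, frozenset(vrfs[vrf]["export"]))
                 for vrf, prefixes in tables.items()
                 for prefix in prefixes if prefix not in local_routes.get(vrf, [])]
        tables = import_into(vrfs, vpn_table + extra)
    return tables


if __name__ == "__main__":
    for mode in (False, True):
        print(f"reexport_imported={mode}")
        for vrf, prefixes in leak(VRFS, LOCAL_ROUTES, mode).items():
            print(f"  {vrf:<11} {sorted(prefixes)}")
```

The default run reproduces the situation in the question: 10.11.130.0/24 lands in GLOBAL-VRF but not in INFRA-VRF. If INFRA-VRF really needs the UAT prefix, the direct way is to add `route-target import 65201:6` under INFRA-VRF (with its import map filtering to the exact prefixes), which is the explicit RT leak the answer refers to rather than a transitive hop through GLOBAL-VRF.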

Monday, July 1, 2013

Interlink between the two backbone switches


Question:

We are operating two backbone Cisco 3560 switches for redundancy with HSRP and EIGRP.

I am wondering whether I should connect two links (trunk and L3) or just one port (trunk or L3) between the backbone switches.

I attached a diagram that simply indicates my concerns.

In this case, what would be the best option ?

Please give me a recommendation.

Answer:

Both HSRP and EIGRP require L2 adjacencies, so you need an L2 trunk carrying all the involved VLANs between the two switches.

If you like you can add a separate L3 link between the two as an added protection.

The minimum is an L2 trunk; you should consider the use of an EtherChannel bundle with two member links configured as an 802.1Q L2 trunk. In this case I recommend the use of LACP (mode active) for better resiliency (a link is bundled only if LACP messages are exchanged on each member link).