Reroute some vrf traffic between 2 sites over redundant link

hey guys,
We have a single client (in vrf) with 2 sites in different states and running over our mpls core. Our primary link in our core is experiencing degradation of service and we want to route this client over our redundant link while keeping all other clients going over our primary link - is this possible?
The client in question has its own vrf (L3VPN) at both sites and is running over mpls between both sites. We want to re-route this particular client to take our backup path, while keeping everyone else between both sites going over the primary. We are not using TE, instead LDP to build MPLS.
I don't believe this is possible to only re-route one client, however I thought I would ask the question.
We cannot failover to secondary link for everyone between both sites because the link doesn't have the capacity.
Thanks in advance.

Hi,
Using MPLS TE would certainly be an option. You would need to set up an MPLS TE LSP over the backup. You would also need to configure a separate loopback interface on each PE and use this loopback interface address as the next hop for the specific VRF:
ip vrf X
 bgp next-hop loopback 999
ip route <remote PE loopback 999 address> 255.255.255.255 Tu1
This way you would make sure that only the traffic for this specific VRF would travel over the TE tunnel.
Regards

Similar Messages

  • FXO traffic is going over Wan link after enabling QoS

    Hi,
    We have CCM 5.0, 2811 voice gateway, 1 4FXO and 1 g.shdsl card on it. 4 Telco lines are on 4FXO card. CCM is at the other side of g.shdsl line. Topology like that,
    2811 ---------------- CCM
    4fxo g.shdsl
    When a call is received from an FXO port, the system works normally without QoS. When we enable QoS, traffic goes over the WAN link and then returns again. Because of that, delays and timeouts are occurring. The router's config is in the attachment. Please help!
    Thank you

    Check your H323 gateway config in CCM to be sure the Media Termination Point Required box is unchecked. Using MTP forces the call to terminate on the closest MTP resource which is likely at your CCM site.
    Please rate helpful posts.
    Dave

  • Unable to pass traffic between sites

    I've read through dozens of posts and so far have had no luck getting any of the suggestions to work - combined with many of these posts being multiple years old...so I'm going to try posting something current and see if I get anywhere.
    Scenario:
    Site A - Cisco ASA 5510 running 8.4(4)1 with two interface connections to a Cisco ME 6500 (which I do not manage), one for internet and one for a MPLS connection.
    Site B – connecting to an unknown switch which is connected to the MPLS network.
    Site C – Cisco ASA 5505 running 7.2(3) with one connection to an unknown switch (which I do not manage) for internet access.
    Site A to Site B traffic flows between the two without issue.
    Site A to Site C is a site-to-site VPN connection. Traffic flows between the two without issue.
    The main issue I’m having is that Site B cannot talk to Site C and vice versa. Also my client VPN connections to Site A cannot get to Site B or Site C.
    My first question is; is this even possible? (I sure expected it to be). And if so, what the heck am I doing wrong???
    I’ve included a config from Site A which is where I’m guessing the problem is. Any insight is appreciated.

    "I'm not following what you mean by that."
    Your Site "A" and "B" connected through MPLS cloud and they are not connected through vpn-connection, right?  I assume that your site "B" cannot communicate to site "C", therefore you must permit site-B's subnet traffic transit between site "A" and site "C" i.e. Site-B should have access to "C", right ?
    "I may be misunderstanding, but isn't that what this is: "route MPLS 10.17.0.0 255.255.0.0 10.17.250.2 1"."
    Great 10.17.0.0/16 route meant for site "B", that is fine, you wouldn't need an additional one.
    "You completely lost me there :)"
    I presume that your Site "B" and "C" does not have direct MPLS connection, therefore Site "A" becomes a transit path for site "B" and "C".   You allow site-B's transit through the vpn-tunnel between site "A" and "C".  Your site "C" assumes that subnet belong to site "B" is directly connected at site "A" but in reality it connects via a MPLS cloud and one last thing is that a route needed at site-B to push site-C's traffic to Site "A", a static route would do that.
    As you would permit site-B's traffic to pass through vpn-tunnel site "A" and "C", in other words your "A" become a hub for traffic flowing between site "B" and "C".
    "Should the route be applied to the inside or the outside interface?"
    Outside.  Your tunnel terminated on the outside interface, right? If so then it must point to outside's default-gateway address.
    object network SiteB-network
     subnet 10.17.2.0 255.255.255.0
    this would allow you to access site-c subnet when you are remote-in to Site-A.
    nat (outside,outside) source static VPN-pool VPN-pool destination static SiteC-network SiteC-network
    this is to allow Site-B to access site-C subnet via the tunnel between site A and C.
    nat (MPLS,outside) source static SiteB-network SiteB-network destination static SiteC-network SiteC-network
    object network inside-network
     subnet 192.168.1.0 255.255.255.0
    nat (inside,outside) source static inside-network inside-network destination static SiteC-network SiteC-network
    access-list outside_cryptomap extended permit ip object inside-network object SiteC-network
    this is to allow Site-B to access site-C subnet via the tunnel between site A and C.
    access-list outside_cryptomap extended permit ip object SiteB-network object SiteC-network 
    Thanks
    Rizwan Rafeek

  • Traffic Shaping on 6880 between sites over metro ethernet

    Hi
    I have a new dual site setup with 6880s at the core at one side and 3650 stack at the other. We have a 200mbps ethernet solution from our service provider but on testing we are maxing at a bit over 100mbps, iperf tests directly on the link are giving 200mbps so I need to apply some shaping to get the full usage from the link. In the past I have used srr bandwidth on metro switches but the 6880s don't support this. So I assume I need to setup  policy maps and apply to the physical interface? The interfaces are layer 2 trunks and we are stretching vlans between the sites. E.g. siteA has vlan20 and site B has vlan 20 over the metro ethernet service, site b is layer2 only and all routing and services are provided at siteA
    Is it as simple as this? It seems too easy :) So I may be missing something. I just apply this on the physical interface at each side?
    policy-map POLICY-S2S-200MB-OUT
     class class-default
      shape average 204800000
    policy-map POLICY-S2S-200MB-IN
     class class-default
      police cir 204800000
       conform-action transmit
       exceed-action drop
    !
    int gi1/1/1
     service-policy output POLICY-S2S-200MB-OUT
     service-policy input POLICY-S2S-200MB-IN
    Your input would be greatly appreciated!
    Thanks,
    Aidan.

    Disclaimer
    The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
    Liability Disclaimer
    In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
    Posting
    Ah, well that's great!  (Hmm, now I wonder if same feature is available on 6500 with sup2T or 6807.)
    In that case, your output policy might be just as simple as what's in your OP.  Cisco isn't really clear whether all their shapers (or policers) are counting L2 and L3 or just L3. I suspect many just count L3. If that's true in this case, you may need to shape about 10 to 15% slower to allow for L2 overhead (this assuming your provider is providing 200 Mbps of "wire" bandwidth).
    If you're able to shape on the other side, then there should be no need to also police the ingress.  Also, assuming provider limits bandwidth, there's no reason to police ingress at CIR rate.

  • I need some help taking my site over the top.

    Ok, i built the site for a small business and i believe it looks better than most sites in the industry. How do i get it noticed in searches and take it over the top and make it look like it was done by a professional. How do i increase the search hits. Has a cottage industry spawned with people who do this in IWEB. i want to maintain control of the site.
    Your thoughts and direction
    john

    Rugbyjoey wrote:
    How do i get it noticed in searches...
    John ~ This article may help:
    _How to get your iWeb Websites into Google & Other Major Search Engines_
    Rugbyjoey wrote:
    ...and make it look like it was done by a professional.
    “Do only what is necessary to convey what is essential. Carefully eliminate elements that distract from the essential whole, elements that obstruct and obscure....Clutter, bulk, and erudition confuse perception and stifle comprehension, whereas simplicity allows clear and direct attention." — Richard Powell, in his book +Wabi Sabi Simple+.
    "One of the biggest mistakes typical business people make with documents is going out of their way to seemingly use every centimeter of space on a page, filling it up with text, boxes, clip art, charts, footers, etc. Space, often called "white space," is good. Embrace it. Use it. Often, the more space you don't use on a page, the clearer your message becomes.
    Empty space is beautiful, yes. But empty space also implies importance, elegance, professionalism. This is true with graphic design, but you can see the importance of space (both visual and physical) in the context of interior design. Think of the retail space, for example. Target is dedicated to design although they are a discounter. They know about space. Target stores are well designed. They have more empty space than other discounters, Walmart, for example."
    ...Understanding such basic points on graphic design will help set you apart. You can read more design tips in this Presentation Zen article:

  • Make some text popup when hovered over a link

    On this page:
    http://www.valentines-day-flowers-by-schaefers.com/valentines-day-flowers/roses.html
    my client wants a small paragraph of text to "popup" when
    mouse goes over the Nationwide and Local text at the bottom of each
    product area.
    What would I use for this? CSS somehow? Java? Has anyone seen
    a Behavior or Extension for something like this?

    Google "overlib".
    Murray --- ICQ 71997575
    Adobe Community Expert
    (If you *MUST* email me, don't LAUGH when you do so!)
    ==================
    http://www.dreamweavermx-templates.com
    - Template Triage!
    http://www.projectseven.com/go
    - DW FAQs, Tutorials & Resources
    http://www.dwfaq.com - DW FAQs,
    Tutorials & Resources
    http://www.macromedia.com/support/search/
    - Macromedia (MM) Technotes
    ==================

  • Trustsec Mac Encryption Between Sites

    Hi,
    See attached - might make question more clear
    we have a layer 2 connection between sites using a local provider for the link. On the remote side is a 3750-X and on the Main Campus side is a 2960. The link is connected via a VLAN. The VLAN interface exists on the Main Campus 5548, core switch
    From what I understand, Trustsec cannot be configured on a logical interface but, if we were to configure the logical interfaces as physical interfaces, could we encrypt traffic between the 5548 and the 3750-X?
    Even though it would also have to traverse through the 2960 as well?
    And traverse the Layer 2 WAN link?
    Any other suggestions for accomplishing this?
    Thank you, Pat

    No, it is not supported on the 2960 series.  Also, if you want to encrypt traffic between sites, a better solution is to use IPsec tunnel, but you need a firewall or a router in each location.
    It doesn't have to be anything expensive if you don't need a lot of bandwidth.
    I use these and they work really well.
    have a look:
    http://www.amazon.com/Juniper-SSG-5-SB-Security-Services-Gateway/dp/B000IZDN88
    HTH

  • Mouse cursor appearing as an arrow instead of a hand over album links

    Hi. I've just published my iWeb 08 site on .Mac (using Zone Edit to set up the CNAME for my personal domain, purchased from Last Digital). For some reason, when I hover over the links in the My Albums page, the mouse cursor appears as an arrow instead of the usual hand cursor. This has already confused a few of my testers, as obviously people are conditioned to expect a link where they see a hand. The links themselves work fine, it's just that the mouse cursor makes it look like they're not links. Does anyone know how this can be fixed so that the hand appears when you hover over each image? You can see the page in question here - http://www.paulinelockie.com/Pauline_Lockie/Portfolio/Portfolio.html

    That's the way it is.
    When you have multiple images in an album, and move the pointer over the album, you see the images displayed.
    Since it is not really a link, a pointer is used instead of the hand. It's a design decision.
    Send a feedback to the iWeb team.

  • Redundant link between two core sites with MPLS

    Hi,
    we have 50+ sites connected via MPLS. (see diagram)
    Our core sites are SITE A (primary) & SITE B (secondary). These core sites are connected via a ptp link.
    Both sites connect to the MPLS cloud via their own routers and all sites can reach SITE A & SITE B.
    Now, if I pull the cable on SITE A's MPLS router, nothing can reach SITE A as expected.
    Is it possible to get all of the MPLS sites to reach SITE A via SITE B's MPLS router and PtP link (and vice versa if SITE B's MPLS router went down)
    Basically, redundancy if one of the MPLS routers went down at one of the core sites?

    Hi,
    yes, it's clearer now.
    So what I'd think about would be running OSPF between the MPLS router and L3 switch on each site.
    You would redistribute BGP prefixes to OSPF then.
    And also configure a default route on the L3 switch pointing to the other L3 switch over the ptp line.
    Plus keep the static routes for the other core site prefixes pointing to the other L3 switch over the ptp line.
    That way:
    1) Under normal conditions the L3 switch in site A will use a static route over ptp line (better AD than OSPF) to reach site B and vice versa.
    2) In a case of MPLS router A failure:
    The outgoing traffic from Site A would be routed via the ptp line to the L3 switch in site B (due to the default route). The L3 switch in site B will know the routes to the remote MPLS sites (received via OSPF from MPLS router B).
    The incoming traffic will be received on the MPLS router B (due to prefixes for site A advertised from B with worse BGP attributes - but no prefixes advertised to MPLS from A). The MPLS router in Site B will use its static routes to forward the traffic to the L3 switch in site B. And the L3 switch will use its static routes for site A prefixes to forward the traffic over the ptp line.
    Analogous routing will be applied in a case of MPLS router failure in site B.
    3) In a case of the ptp line going Down:
    The static routes should disappear from the routing tables on both L3 switches.
    But they should still get the routes to the other core site received from OSPF (redistributed from BGP).
    4) So the only problematic case might be the ptp line failing but the L3 switch interface remaining Up.
    You might need to get either some tracking (not sure if available on L3 switches) or dynamic routing involved to overcome this.
    Either running OSPF between the L3 switches or even running EIGRP to route the site A and B prefixes only possibly?
    But I'm not sure if this wouldn't bring too much complexity to the design?
    Best regards,
    Milan

  • Well, when I plug in my iPod touch the battery life is low. I let it sit a while, and it starts up to the Apple logo and stays there some time, then it restarts back over to the very low battery and repeats (over & over)?

    Well, when I plug in my iPod touch the battery life is low. I let it sit a while, and it starts up to the Apple logo and stays there some time, then it restarts back over to the very low battery and repeats (over & over)

    Can you reset the device by holding the sleep and home button until the Apple logo comes back again?
    If this does not work, try to connect in recovery mode, explained here: iOS: Unable to restore

  • Howto control/filter traffic between VRF-(lite) using route leaking?

    Hi,
    does anybody know how I can control/filter the traffic between two vrf when I use route leaking or also normal route target export/import connections, maybe with an acl, in the following scenarios?
    Scenario 1:
    I use a normal MPLS network with several PE routers (maybe ASR series) which connect to the CE routers via OSPF. Two VPNs are configured on the PE routers and I want one of the PE routers to allow/route traffic between these VPNs, but only traffic on tcp port 80 and no other ports. I'm only aware of binding acls to logical or physical interfaces but I don't know how to do this here.
    Scenario 2:
    Same as scenario 1, but the VPNs are connected not by the PE router but by a separate router-on-a-stick (e.g. 4900M) which is connected to one of the PE routers and should do this job with vrf-lite and route leaking (address-family ipv4 vrf ...). Here too I want to allow only tcp port 80 between the vpns.
    Kind Regards,
    Thorsten

    Thanks.
    That's what I was assuming. In my experience this solution does not scale with increasing number of vpn and inter vpn traffic via route target.
    Is it correct that there is only one common acl per vpn where all rules for the communication to all other vpns are configured? Doesn't this acl become too complex and too error-prone to administrate in a real network environment? Further on in my understanding this acl has to be configured per vpn on all pe routers which have interfaces to ce routers for that vpn.
    Does cisco offer software for managing this?

  • Share network traffic between 2 parallel wireless bridges - What kit?

    Dear All,
    I'm a technology professional, but mainly in electronic design rather than high end networking. Hence my request for your advice.
    I wish to specify some items of kit that I can ask a networking professional to fit and configure to solve my particular application.
    I would like to use (and already have in place) two parallel wireless bridges between 2 buildings. One is on 2.4GHz and the other is on 5GHz. In my simple testing so far (of each link in turn), they both work brilliantly. So far, these are in place just for test purposes, but soon I will be required to make the system "live".
    The reason I'm doing this is to split network traffic over both links (to possibly get enhanced bandwidth) but to mainly build in redundancy should one link fail.
    What kit is required to do this (apart from the 4 access points configured as bridges)?
    I imagine I may need a load balancing device(s) or possibly something more suitable for this task.
    I'd like the solution to be very transparent to the rest of the system, I'd like it to "look" like it's a simple wireless bridge (but really it's a highly robust dual bridge). I hope my waffle makes sense.
    Any thoughts?
    Best regards,
    L.O.

    You can certainly copy the addresses from one machine to the other - the contact files are held in user/Library/Application Support/AddressBook. Copy all files into the same respective location on the other machine (they will overwrite any existing contacts).
    If you want the address books kept in sync, take a look at SyncTogether or SeeCard Rendezvous.
    Matt

  • WCCP on ASA & traffic between physical interfaces on ASA

    Hello,
    I am trying to get WCCP working on the ASA for WAAS implementation. Here is a simple snapshot of my config:
    Eth 0/0 : Outside (to internet)
    Eth 0/1 : Vlan1 (20.20.0.0/16) (trunk port to remote office LAN)
    Eth 0/1.211 : Vlan211 (20.21.10.0/24)
    Eth 0/1.212 : Vlan212 (20.21.20.0/24)
    Eth 0/1.220 : Vlan220 (20.22.0.0/16)
    Eth 0/2 : WAAS (20.21.30.0/24)
    I have the site to site tunnel working. I can ping the WAAS device from the other end of the tunnel but I cannot ping it from the 20.20.0.0/16 network. I have enabled traffic between interfaces on same security level as WAAS and LAN have same security.
    I get this error message:
    3 Feb 12 2007 17:54:05 305006 20.20.10.101 portmap translation creation failed for icmp src WAAS:20.21.30.230 dst LAN:20.20.10.101 (type 8, code 0)
    How can I fix this?
    My second question is regarding WCCP on ASA. Here is the WCCP part of the config I have:
    wccp 61 redirect-list WCCP_To_LAN
    wccp 62 redirect-list WCCP_To_WAN
    wccp interface outside 62 redirect in
    wccp interface LAN 61 redirect in
    access-list WCCP_To_LAN extended permit ip any 20.20.0.0 255.252.0.0
    access-list WCCP_To_WAN extended permit ip 20.20.0.0 255.252.0.0 any
    I am not seeing any packets being redirected to the WAE. I once changed the access lists to 'any any' and I saw some packets but I couldn't ping or telnet to the remote site. Could it be a loop? Is there any way to exclude traffic to avoid loop?
    Thanks
    Ankit

    Come on guys
    Am I doing something wrong here?
    No one replies to my posts. I had the same experience with the previous one.
    Is this not the right forum for this query???
    Ankit

  • Encrypting traffic between Sharepoint and SQL

    We have a 2013 Environment used by internal and external users. External traffic (external users accessing the extranet site) is encrypted using SSL certs. Internal traffic (internal users to the intranet site) is not encrypted which is fine. We are being asked by some auditors to encrypt traffic between SharePoint (WFE and APP servers) to SQL backend. What options do we have and how involved each one is? On SQL backend we know we can enforce encryption.
    Thanks

    When you say just enforce encryption on SQL does that mean no steps to take on SharePoint to facilitate the process? Will traffic be automatically encrypted once encryption is done on SQL?
    Absolutely correct! You will need to restart the SQL Server service, which will cause a brief outage for SharePoint, but you do not need to do anything for SharePoint. You'll probably want a certificate that is trusted by the SharePoint servers. I was personally using a Microsoft Certificate Authority server which hands out certificates to machine names and also hands out root certificates to all machines on the domain (thus a trusted issuer). I am also using a SQL alias on my SharePoint servers, so the alias/SQL machine name mismatch is not an issue.
    Once the SQL Server is set to encrypted, you can use the following T-SQL statement and validate the encrypt_option is TRUE. You may also consider adding a SPN to the SQL Server Service account (MSSQLSvc protocol) to enable Kerberos connections, which are not only faster, but significantly more secure. You can use the same T-SQL statement to see if connections are using NTLM or Kerberos.
    select * from sys.dm_exec_connections
    Trevor Seward
    Follow or contact me at...
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.
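
Added example, not part of the original answer: a narrower form of the query above that groups current network connections by client host and login, with unencrypted and NTLM connections sorted first. It assumes VIEW SERVER STATE permission; the join to sys.dm_exec_sessions and the column selection are this example's choices, not something the post specifies.

```sql
-- Added example: audit transport encryption and authentication scheme
-- for the connections currently open against this SQL Server instance.
-- Run it after enabling encryption and restarting the service, once the
-- SharePoint WFE/APP servers have reconnected.
SELECT
    s.host_name,            -- client machine (e.g. a SharePoint WFE or APP server)
    s.program_name,         -- client application name as reported by the driver
    s.login_name,           -- account the connection authenticated as
    c.net_transport,        -- TCP, Named pipe, Session (MARS), ...
    c.encrypt_option,       -- 'TRUE' when the connection is encrypted
    c.auth_scheme,          -- SQL, NTLM or KERBEROS
    COUNT(*) AS connection_count
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s
    ON s.session_id = c.session_id
-- Local shared-memory connections never cross the network, so leave
-- them out of an encryption-in-transit check.
WHERE c.net_transport <> 'Shared memory'
GROUP BY
    s.host_name, s.program_name, s.login_name,
    c.net_transport, c.encrypt_option, c.auth_scheme
ORDER BY
    -- Findings first: unencrypted connections, then NTLM fallbacks.
    CASE WHEN c.encrypt_option = 'FALSE' THEN 0 ELSE 1 END,
    CASE WHEN c.auth_scheme = 'NTLM' THEN 0 ELSE 1 END,
    s.host_name;
```

Any row with encrypt_option = 'FALSE' from a SharePoint server means that client is still connecting in the clear; rows showing NTLM indicate the SPN for the service account is missing or not being matched.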

  • Encrypting vlan-trunk traffic between switches

    Hi,
    Can anyone guide me to some papers or other resources on how to encrypt traffic between 2 switches? The switches will be connected with fiber and use dot-1q tagging, and I want to encrypt all of the trunked traffic.
    I was thinking of L2TP, but I haven't found any good description on how to implement this. I have two 3750 switches I thought I might use.
    Thanks for any input,
    Regards,
    Oyvind Mathiesen
    mnemonic
    Norway

    Hi,
    Thanks for the response. I had a look at MACsec and it looks good. I would have liked to employ something P2P though, to also limit the amount of MAC addresses broadcasted on the "wire". But let me first give you an understanding of the task:
    We have two sites, connected via fibre, and we want to create a VLAN trunk across in order to expand the broadcast domains to the other site.
    The IDIOT carrier has a limitation on the number of MAC addresses they allow on the fibre service, 100.
    We also need to encrypt the data traversing this connectivity.
    MACsec would work 100% except the source and destination MAC addresses are still sent (at least according to https://docs.google.com/viewer?a=v&q=cache:LEf2qOmYZyYJ:www.ieee802.org/1/files/public/docs2011/bn-hutchison-macsec-sample-packets-0511.pdf+&hl=en&gl=za&pid=bl&srcid=ADGEESgmAHXpDOY0RBAE-Rv1HDpu_C_gkeSPN4cv6NGgyP0M1aXVu0UqzCfxo8t_P41ep6J37k4OLKnjfp1M9hoTDHxY22WGz2h7yB7YRLyPvRUbGS8TICzvEMlG92xqbhy6RWFugmnj&sig=AHIEtbTfu0LQIJejdYidE6yzq4lpPifxjQ
    And that would cause me to eat into the 100 MAC limit.
    Ridiculous I know, but we are looking for an out-of-the-norm plan...
    Thanks
