Border Routers

With all the improvements being made, has there been any solution to monitoring a border router located on the other side of a firewall, other than manually adding it and setting up ICMP?

Hi,
Yes. Networks/routers in different areas can talk together and it will be via Area 0.
Have a look at the OSPF design guide for an idea on Areas of type of Routers.
http://www.cisco.com/en/US/tech/tk365/technologies_white_paper09186a0080094e9e.shtml#t8
A router that has all of its interfaces within the same area is called an internal router (IR). A router that has interfaces in multiple areas is called an area border router (ABR). Routers that act as gateways (redistribution) between OSPF and other routing protocols (IGRP, EIGRP, IS-IS, RIP, BGP, Static) or other instances of the OSPF routing process are called autonomous system boundary routers (ASBR). Any router can be an ABR or an ASBR.
Hope this helps.
-VJ

Similar Messages

  • BGP Border Designs

    A quick question about BGP on the enterprise edge with the internet.
    Most designs I see use a model where two border routers each have 1 connection to only 1 service provider. Is there a reason for this as opposed to peering with both ISPs on both border routers?
    Any information about why one design would be used, or why peering with both ISPs on both routers should not be used, would be appreciated.

    In the book by Sam Halabi, Internet Routing Architectures, and the book BGP Design Solution Guide you could find all designs and why a dual peer to both ISPs is better if you want to achieve 99.9999% availability + get more bandwidth on your WAN network
    Sent from Cisco Technical Support iPhone App

  • HTTPS certificate problem on MPLS

    Hi everyone,
    We are currently migrating our network from IP to MPLS and we encounter an issue with only one application using a security certificate through HTTPS. All other services are OK such as HTTP, FTP, Mailing, etc.
    Network description:
    The network architecture is composed of 4 core routers (which play the role of P and PE at the same time) and 2 border routers (B1 and B2) linked to the Internet via STM1 - POS interfaces.
    Each border router is connected to two core routers (C1 and C2) by GigabitEthernet links.
    Please also note that there is a DPI (Deep Packet Inspector, model Arbor 100) between each border and core.
    Core routers C1,C2, C3 and C4 are connected to each other by GigabitEthernet links.
    B1 and B2 are linked to Internet by STM1 (POS) using eBGP.
    OSPF is used as the infrastructure routing protocol between all equipment.
    (see the network diagram attached)
    Configuration:
    When migrating to MPLS, we fixed the interface MTU at 9216 and the MPLS MTU at 1512 on all concerned interfaces from Core to Border routers.
    Below is a sample configuration.
    mpls ip
    mpls label protocol ldp
    mpls ldp router-id loopback0
    interface GigabitEthernet1/1
    mtu 9216
    ip ospf authentication message-digest
    ip ospf message-digest-key 1 md5 XXXXXXXXXXX
    ip ospf network point-to-point
    ip ospf cost 1
    ip ospf hello-interval 1
    mpls mtu 1512
    mpls ip
    Problem:
    The service application uses a server on the local network (linked via CE router) which sends HTTPS requests and files to a server located in the Internet.
    When MPLS is activated only on the Core-To-Core interfaces (C1, C2, C3 and C4) the application is working properly.
    But when MPLS is extended to the Core-To-Border / Border-To-Core interfaces, this specific application fails as it appears that the certificate server sees a corrupted frame, some bits have been added to the normal frame. But all other services (HTTP, FTP, everything,)
    Below are the major differences between Border and Core router connection schemes:
    A DPI equipment between Core and Border,
    GigabitEthernet is used for links Border-To-Core and Core-To-Core, STM1 (POS) is used for links Border-To-Internet (IP)
    The MTU size on STM1 interfaces is fixed at 4470, MTU size of 9216 is assigned to GE interfaces (Border-To-Core, Core-To-Core)
    Regards.

    Hi,
    Would it be possible to disable the functionality of the DPI (passthrough mode?) and test again?
    MPLS labels or not on the packet should not make a difference wrt HTTPS only (in theory).
    Since you mention corrupted frames, taking a packet capture should show you if this is true or not.
    Thanks,
    Luc

  • BGP Best Practice / Private-AS vs. Public-AS in the MPLS Core

    Dears,
    We have recently acquired a large network with ASR9K as Internet Gateways and non-Cisco devices in the MPLS Core.
    We would like to know which is the best recommended solution: to use a private MP-BGP AS in the MPLS Core or extend the IGW public AS, knowing that the IGW will be in a VRF and not the global routing table. Moreover, the clients of the MPLS Core have their own BGP public AS and would need to connect to the MPLS Core to obtain internet services from the IGW.
    (Cust1)------EBGP------[VRF_Cust_1](MPLS CORE AS_2)[VRF_IGW]------EBGP-----(IGW AS_1) in the case of having a private BGP AS in the core
    (Cust1)------EBGP------[VRF_Cust_1](MPLS CORE AS_1)[VRF_IGW]------iBGP-----(IGW AS_1) in the case of having same public BGP AS in the core
    Waiting for your feedback and thoughts.
    Thanks,
    Michel.

    Michel,
    If your MPLS core is also used for internet transit, then it is best to be a public AS.
    If not, then you can leave it be and remove the private AS at your border routers.
    If you are connecting multiple MPLS networks together to link L2 or L3 VPN services, I think it is easiest to have it all one AS, otherwise you end up with complex designs such as Carrier supporting Carrier (CSC) or Inter-AS option A (vrf lite), B (using vpnv4 at the inter-AS gateway) or C (using vpnv4 at the inter-AS gateway with route reflectors in each AS peering with each other).
    regards
    xander
    Xander Thuijs CCIE #6775
    Principal Engineer 
    ASR9000, CRS, NCS6000 & IOS-XR

  • Inject BGP Default Routes into Multiple VRF before Best Path Selection

    Hello, 
    I have the following setup:
    Multiple Border Routers with eBGP sessions to external ASes. We receive a default route from these multiple ASes to keep the table manageable. We noticed an important part of our traffic was being SW routed instead of CEF when we had the full Internet table. Router resources came to the ground when we changed to a default.
    Now I want to separate these default routes into different VRFs. Attached is the diagram.
    My question is, the multiple default routes all go into the BGP table. The BGP table then selects the best route and places it in the RIB and then in the FIB.
    I want to redistribute the different routes in the BGP table prior to the best path selection algorithm and being placed in the RIB.
    How can I achieve this?

    Hi,
    Redistribution of multiple routes to the same prefix is not possible. Even if you have configured BGP multipath and all different BGP routes got installed into the routing table, during redistribution only one route will be redistributed.
    Also I would like to understand the requirement of redistributing multiple BGP routes into the IGP. As per your diagram, 3 different eBGP sessions are on three different routers, so you can prefer the eBGP route over iBGP received from other routers and can redistribute the eBGP route into the IGP from each router. Thus you will have three different default routes in the IGP in the core.
    Please don't forget to rate this post if it has been helpful
    - Akash

  • Difference between Device and Tower/Network failures?

    I could not use the MiFi 4510L device last night. I tried multiple computers and each was assigned an IP address, correctly. The modem status appeared to be normal when I used the mifi.admin management console, but I could not ping and I could not load web pages. The same problem happened if I tried to use 4G (LTE only) or 3G (CDMA etc.).
    I'm thinking the network was overloaded. I think the network failed. I restarted the MiFi 4510L device multiple times with the same scenario. I am accessing the Internet this morning (it's 6:15 am right now where I live). It appears to be ok. Until the device starts hanging up again.
    Is it possible to know when the failures are due to the device versus when they are due to the towers? As far as I could tell, I had Internet and connectivity, but no traffic. Are there tools that can be used to determine whether this is the problem? I did not get in my car and start driving around to see whether I had connectivity elsewhere. Next time this happens, I will do that.

    statdetective wrote:
    Thanks for taking the time to reply. It's hard to know whether the problem is with the device because the device has intermittent failures as we all know.
    On the other hand, I should have been more specific. Ping/ICMP did not work, either. This morning, I didn't have 4G connectivity, but I did have 3G connectivity. Speed test for 3G gave about 1.2Mbps download and about 0.10 MBps upload. The upload speed was especially painful.
    It seems like one of the reasons the 4G problems have been so difficult to resolve are due to multiple failure points which include devices, towers, network, and probably Internet software (such as DNS lookup problems).
    It would be helpful to be able to have scenarios of symptoms that could determine the failure point.
    Keep in mind that this is no different a situation than any network/communications issue.  If you're on your corporate network, situations such as this could be the result of problems with firewalls, proxy servers, authoritative DNS, NAT rules, PAC files, core, distribution or access switches, border routers, choke routers, and the list goes on. 
    In this case it "seems" as though the MiFi is acting as a combination of access/distribution switch, router, and firewall.  It's also I guess sort of a bridge router.  Because we have very limited access to any technical data around the network at large, we have a very limited ability to troubleshoot except for on the client side.  I would disagree that a "network problem should be resolved for you, where a device problem will not" to some extent.  I think BOTH "should" be resolved for you - the former without your participation, the latter requiring your participation in some fashion.  However, in this particular situation I don't believe Verizon is resolving either.
    The bottom line here is that due to the very proprietary nature of the MiFi and its integration with the LTE network there is yet a further level of abstraction which makes troubleshooting difficult - and as a result I doubt we'll come up with any conclusive "test cases" which could really accurately point us in the right direction.  Until such time as Verizon actually SOLVES some of the recurring and systemic issues which have not been addressed or resolved since day one, we have no consistent functioning baseline to measure against.  In other words, since it's never worked properly so far, we really don't know how much of the issues are resulting from HW design issues with the 4150L for example, how much are from firmware issues loaded on the 4150L, and how much are in the design/implementation of the LTE network at large (including all of its components).

  • Troubleshooting pfr configuration

    I have recently configured PfR on our routers (two routers), one as a MC and BR with a 200 Mbps internet connection directly connected to MPLS and the other as a BR with a 100 Mbps internet connection directly connected to MPLS, and changed the aggregation type to BGP and mode route is set to observe with the below configuration.
    The main purpose here by deploying PfR is to use PfR magic to have a redundant path/connection so if traffic on the 1st router hits the 75% BW utilization threshold, the rest of the traffic (25%) would get re-routed to the 2nd router (100 Mbps).
    I have been monitoring it for the last few days but it doesn't seem to be working fine because the traffic on the primary router is hitting almost 95 percent of its BW and nothing is being re-routed to the backup router!
    All configuration looks to be fine and the connection status is success on both MC and BRs...
    I am currently using PfR v3.3 on the primary router and v3.0 on the backup router.
    We are redistributing BGP to EIGRP and EIGRP to BGP using route-maps.
    I wonder if anyone could provide some feedback so that I could fix and troubleshoot this issue and make it work.
    BR configuration on the backup router :
    ===========================
    sh run | s pfr
    logging
    local Loopback0
    master xx.xx.xx.xx key-chain *******
    sh pfr border
    oer BR xx.xx.xx.xx ACTIVE,  MC xx.xx.xx.xx UP/DOWN: UP 19:00:44
    Auth Failures : 0
    Conn Status : SUCCESS
    OER Netflow Status : ENABLED, PORT : 3949
    Version: 3.0   MC Version: 3.3
    Exits
    Gi 0/0      INTERNAL
    Gi0/1       EXTERNAL
    MC configuration on the primary router :
    ===========================
    sh run | s pfr
    pfr master
    max-range-utilization percent 10
    logging
    border xx.xx.xx.xx key-chain *****
    interface gi 0/1 external
    interface gi 0/0 internal
    border xx.xx.xx.xx key-chain *****
    interface gi 0/1 external
    interface gi 0/3 internal
    learn
    inside bgp
    aggregation-type bgp
    backoff 90 90
    mode route observe
    pfr border
    local Loopback0
    master xx.xx.xx.xx key-chain******
    sh pfr master
    OER State: ENABLED and ACTIVE
    Conn Status : SUCCESS
    Version: 3.3
    Number of Border routers : 2
    Number of Exits : 2
    Number of monitored prefixes : 210 (max 5000)
    Max Prefixes : total 5000 learn 2500
    Prefix count : total 210, learn 210, cfg 0
    PBR Requirements not met
    Nbar status : Inactive
    Auto Tunnel Mode : On
    Global Settings:
    max-range-utilization percent 10 recv 0
    rsvp post-dial-delay 0 signaling-retries 1
    mode route metric bgp local-pref 5000
    mode route metric static tag 5000
    trace probe delay 1000
    logging
    exit holddown time 60 secs, time remaining 0
    Default Policy Settings:
    backoff 90 90 90
    delay relative 50
    holddown 90
    periodic 0
    probe frequency 56
    number of jitter probe packets 100
    mode route observe
    mode monitor both
    loss relative 10
    jitter threshold 20
    mos threshold 3.60 percent 30
    unreachable relative 50
    trigger-log percentage 30
    Learn Settings :
    current state : STARTED
    time remaining in current state : 70 seconds
    throughput
    no delay
    inside bgp
    monitor-period 1
    periodic-interval 0
    aggregation-type bgp
    prefixes 100 appls 100
    expire after time 720
    ======
    Please let me know if you need additional details so that I can provide them.
    Thank you all.

    Gentlemen,
    Any help/comments please?
    FYI> It learns all the traffic and prefixes and the border router is now running the probes, but when I run sh pfr border routes bgp the outcome is none...!!
    Sh pfr master statistics exit shows no activity on one of the border routers and it only shows activity on the BR that is in the MC router.
    I can provide you more details if it would help.
    The 2nd border router doesn't have a direct connection to the master controller but the session has been established per sh pfr master and sh pfr border.
    Any feedback please?

  • Ospf selection

    Hi Experts.
    I have some confusion in the OSPF path selection process. I have a core switch which connects to two routers (RA & RB); these are running OSPF. The core switch is receiving E2 routes for x.x.x.x/24 from both routers. How is it possible to make one router, say RA, primary and RB secondary? I cannot manipulate these routes other than E2, so in this case is path cost going to work??
    Pls help me here.

    Hi,
    the main characteristic of E2 routes is that the external part of the metric takes precedence over the internal part.
    That means the cost in the Type-5 LSAs' 'metric' fields is always evaluated first; the LSA with the lower cost will be installed in the routing table, regardless of the internal cost, which is the cost of the path to the border router [1].
    If, like in your case, the costs of the LSAs are equal, the paths to the ASBRs (in terms of costs) [1] are evaluated. The lower-cost path wins; in case of equality both routes are installed (ECLB).
    You can see the two parts of the metric with a "show ip route <prefix>":
    R1#show ip route 169.254.0.0
    Routing entry for 169.254.0.0/16
      Known via "ospf 1", distance 110, metric 20, type extern 2, forward metric 100
    R1#show ip ospf border-routers
    i 2.2.2.2 [100] via 172.16.12.2, Serial0/0, ASBR, Area 0, SPF 9
    i 3.3.3.3 [64] via 172.16.13.3, Serial0/1, ASBR, Area 0, SPF 9
    This route has been installed although there is a "cheaper" ASBR, but it obviously injects the LSA for this prefix with a metric greater than 20:
    R1#show ip ospf database external 169.254.0.0
      LS Type: AS External Link
      Link State ID: 169.254.0.0 (External Network Number )
      Advertising Router: 3.3.3.3
      Network Mask: /16
            Metric Type: 2 (Larger than any link state path)
            TOS: 0
            Metric: 30
    So yes, you can achieve a primary/secondary path when both LSAs have the same metrics by changing an interface's cost, but remember that this may affect the whole topology.
    HTH
    Rolf
    EDIT:
    [1]: More precisely it's the path to the 'forwarding address', which is another field of external LSAs and used to avoid unnecessary extra-hops. If the FA is 0.0.0.0, the path to the advertising ASBR is used instead.

  • OSPF external route selection problem

    Hello. I have a situation where I have two paths to get to a destination. Router A can get to subnet C either through my Telco's onsite router (Router A -> telco router -> Router C) or through a secondary link that travels from Router A -> Router B -> different Telco router -> Router C.
    The link between Router A and the telco router is area 0. The link between Router A->B->Telco router is also area 0.
    Normally I want traffic to go directly through the onsite telco router...and only go through the longer route if the onsite router goes down.
    For some reason I'm going through the suboptimal path. Here's what the OSPF database is telling me:
    Routing Bit Set on this LSA
    LS age: 1267
    Options: (No TOS-capability, DC)
    LS Type: AS External Link
    Link State ID: 192.168.33.0 (External Network Number )
    Advertising Router: 192.168.50.14
    LS Seq Number: 80000084
    Checksum: 0x4B8B
    Length: 36
    Network Mask: /24
    Metric Type: 1 (Comparable directly to link state metric)
    TOS: 0
    Metric: 100
    Forward Address: 0.0.0.0
    External Route Tag: 66
    LS age: 262
    Options: (No TOS-capability, DC)
    LS Type: AS External Link
    Link State ID: 192.168.33.0 (External Network Number )
    Advertising Router: 192.168.50.94
    LS Seq Number: 800003B8
    Checksum: 0xF757
    Length: 36
    Network Mask: /24
    Metric Type: 1 (Comparable directly to link state metric)
    TOS: 0
    Metric: 100
    Forward Address: 0.0.0.0
    External Route Tag: 66
    Both telco routers advertise this route as an extern type 1 with a metric of 100. Can anyone shed some light as to why my router is picking the path via 50.14 instead of 50.94? 50.94 is a locally connected network. 50.14 is a couple of hops away.
    Thanks,
    Mike

    No problem.
    Here's the output...
    show ip ospf border-routers
    OSPF Process 2 internal Routing Table
    Codes: i - Intra-area route, I - Inter-area route
    OSPF Process 1 internal Routing Table
    Codes: i - Intra-area route, I - Inter-area route
    i 10.0.22.3 [2] via 192.168.19.14, Vlan168, ABR/ASBR, Area 0, SPF 42
    i 10.0.22.2 [2] via 192.168.19.2, Vlan168, ABR/ASBR, Area 0, SPF 42
    i 192.168.30.5 [501] via 192.168.19.15, Vlan168, ASBR, Area 0, SPF 42
    i 192.168.30.5 [501] via 192.168.19.14, Vlan168, ASBR, Area 0, SPF 42
    i 172.29.50.1 [1] via 192.168.19.11, Vlan168, ASBR, Area 0, SPF 42
    i 172.18.1.2 [3] via 192.168.19.15, Vlan168, ABR/ASBR, Area 0, SPF 42
    i 172.18.1.3 [2] via 192.168.19.15, Vlan168, ABR/ASBR, Area 0, SPF 42
    i 192.168.1.5 [1] via 192.168.19.8, Vlan168, ASBR, Area 0, SPF 42
    i 10.0.32.2 [2] via 192.168.19.15, Vlan168, ABR/ASBR, Area 0, SPF 42
    i 10.0.32.3 [2] via 192.168.19.3, Vlan168, ABR/ASBR, Area 0, SPF 42
    i 172.27.95.1 [2] via 192.168.19.16, Vlan168, ABR/ASBR, Area 0, SPF 42
    i 172.19.1.3 [1] via 192.168.19.15, Vlan168, ABR/ASBR, Area 0, SPF 42
    i 172.19.1.2 [1] via 192.168.19.14, Vlan168, ABR/ASBR, Area 0, SPF 42
    i 10.0.24.2 [1] via 192.168.19.22, Vlan168, ABR/ASBR, Area 0, SPF 42
    i 10.0.24.3 [1] via 192.168.19.23, Vlan168, ABR/ASBR, Area 0, SPF 42
    i 192.168.19.4 [1] via 192.168.19.4, Vlan168, ASBR, Area 0, SPF 42
    i 172.27.87.1 [1] via 192.168.19.12, Vlan168, ASBR, Area 0, SPF 42
    i 192.168.19.19 [1] via 192.168.19.19, Vlan168, ASBR, Area 0, SPF 42
    i 172.20.1.2 [3] via 192.168.19.3, Vlan168, ASBR, Area 0, SPF 42
    i 172.20.1.3 [2] via 192.168.19.3, Vlan168, ASBR, Area 0, SPF 42
    I 10.0.16.11 [2] via 192.168.19.3, Vlan168, ASBR, Area 0, SPF 42
    I 10.0.16.11 [3] via 192.168.19.2, Vlan168, ASBR, Area 0, SPF 42
    I 10.0.16.10 [2] via 192.168.19.2, Vlan168, ASBR, Area 0, SPF 42
    I 192.168.50.14 [2] via 192.168.19.14, Vlan168, ASBR, Area 0, SPF 42
    i 192.168.50.94 [100] via 192.168.50.94, Vlan162, ASBR, Area 0, SPF 42
    i 172.21.1.2 [1] via 192.168.19.16, Vlan168, ASBR, Area 0, SPF 42
    i 10.0.229.2 [1] via 192.168.19.24, Vlan168, ABR/ASBR, Area 0, SPF 42
    i 10.0.17.2 [2] via 192.168.19.2, Vlan168, ABR/ASBR, Area 0, SPF 42
    i 10.0.17.3 [2] via 192.168.19.3, Vlan168, ABR/ASBR, Area 0, SPF 42
    i 192.168.8.1 [1] via 192.168.19.28, Vlan168, ASBR, Area 0, SPF 42
    i 192.168.16.173 [565] via 192.168.19.14, Vlan168, ABR/ASBR, Area 0, SPF 42
    i 192.168.16.173 [565] via 192.168.19.15, Vlan168, ABR/ASBR, Area 0, SPF 42
    i 172.27.193.2 [1] via 192.168.19.20, Vlan168, ASBR, Area 0, SPF 42
    i 172.16.1.2 [1] via 192.168.19.2, Vlan168, ABR/ASBR, Area 0, SPF 42
    i 172.16.1.3 [1] via 192.168.19.3, Vlan168, ABR/ASBR, Area 0, SPF 42
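    The selection logic Rolf describes (E2: LSA metric first, path cost to the ASBR or forwarding address only as a tie-breaker; E1: LSA metric plus path cost; type 1 preferred over type 2) as an added Python example that is not part of either thread. Router IDs, prefixes and costs are constructed to mirror the values shown in Rolf's and Mike's outputs, and the model also covers the forwarding-address case from Rolf's footnote.

```python
"""OSPF AS-external (Type-5) route selection, per RFC 2328 section 16.4.

Added example, not code from the forum threads. It models the rules from
Rolf's answer: E2 compares the LSA metric first and uses the internal path
cost only to break ties; E1 adds the two; type 1 beats type 2 outright; and
the internal cost is the path to the forwarding address when one is set,
otherwise the path to the advertising ASBR (the cost shown by
'show ip ospf border-routers').
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ExternalLSA:
    prefix: str                        # e.g. "169.254.0.0/16"
    adv_router: str                    # ASBR that originated the LSA
    metric_type: int                   # 1 = E1, 2 = E2
    metric: int                        # the LSA's own (external) metric
    forward_address: str = "0.0.0.0"   # 0.0.0.0 means "use the ASBR"


def forward_cost(lsa: ExternalLSA, intra_costs: Dict[str, int]) -> Optional[int]:
    """Internal path cost used for this LSA, or None if unreachable.

    intra_costs maps router IDs / forwarding addresses to the OSPF cost of
    reaching them (intra- or inter-area). A missing entry means the LSA
    cannot be used at all.
    """
    target = lsa.adv_router if lsa.forward_address == "0.0.0.0" else lsa.forward_address
    return intra_costs.get(target)


def route_key(lsa: ExternalLSA, intra_costs: Dict[str, int]) -> Optional[Tuple[int, int, int]]:
    """Comparison key; smaller is better. None if the LSA is unusable."""
    fc = forward_cost(lsa, intra_costs)
    if fc is None:
        return None
    if lsa.metric_type == 1:
        # E1: one comparable cost = external metric + internal path cost.
        # The leading 1 sorts every usable E1 route ahead of any E2 route.
        return (1, lsa.metric + fc, 0)
    # E2: the external metric dominates; internal cost only breaks ties.
    return (2, lsa.metric, fc)


def select_best(lsas: List[ExternalLSA], intra_costs: Dict[str, int]) -> List[ExternalLSA]:
    """Return every LSA that would be installed for the prefix (all on ties)."""
    keyed = [(route_key(lsa, intra_costs), lsa) for lsa in lsas]
    usable = [(k, lsa) for k, lsa in keyed if k is not None]
    if not usable:
        return []
    best = min(k for k, _ in usable)
    return [lsa for k, lsa in usable if k == best]


def winners(lsas: List[ExternalLSA], intra_costs: Dict[str, int]) -> List[str]:
    """Advertising routers of the installed routes, sorted for stable checks."""
    return sorted(lsa.adv_router for lsa in select_best(lsas, intra_costs))


# --- Constructed sample data mirroring the two threads (not captured output) ---
# Rolf's case: 169.254.0.0/16 injected as E2 with metric 20 by 2.2.2.2 (cost 100
# away) and metric 30 by 3.3.3.3 (cost 64 away). The lower LSA metric wins even
# though its ASBR is farther: metric 20, forward metric 100.
ROLF_LSAS = [
    ExternalLSA("169.254.0.0/16", "2.2.2.2", 2, 20),
    ExternalLSA("169.254.0.0/16", "3.3.3.3", 2, 30),
]
ROLF_COSTS = {"2.2.2.2": 100, "3.3.3.3": 64}

# Mike's case: 192.168.33.0/24 injected as E1 with metric 100 by both telco
# routers; 192.168.50.14 is cost 2 away, 192.168.50.94 is cost 100 away, so
# the totals are 102 versus 200.
MIKE_LSAS = [
    ExternalLSA("192.168.33.0/24", "192.168.50.14", 1, 100),
    ExternalLSA("192.168.33.0/24", "192.168.50.94", 1, 100),
]
MIKE_COSTS = {"192.168.50.14": 2, "192.168.50.94": 100}


if __name__ == "__main__":
    print("E2 case:", winners(ROLF_LSAS, ROLF_COSTS))
    print("E1 case:", winners(MIKE_LSAS, MIKE_COSTS))
```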

  • A very odd VLAN question -please help

    Hi,
    We have two subnets 10.1.1.0 and 10.1.2.0 and these subnets are physically separated. We also have two VLANs, VLAN 2 and 3; please think of VLAN 2 as the default VLAN 1. Strange, it has been like this since I took over. There is no trunking between these two VLANs. 10.1.1.0 is the main network and all the servers and users are on it, and 10.1.2.0 is a Dev environment and some development servers are on it.
    I have given an IP address from the main subnet, i.e. 10.1.1.0, to a switch which is used for the Dev environment on its SC0 and have assigned it to VLAN 2, but the rest of 10.1.2.0, i.e. the Dev environment, is on VLAN 3. From the main network I cannot ping that IP address (naturally) and I don't know how to build on what we currently have without making major changes, and build over time as transparently as possible.
    I am sorry for this very long explanation.
    I guess I need to know if I can make trunking between these two VLANs, i.e. VLAN 2 (main 10.1.1.0) and VLAN 3 (Dev environment 10.1.2.0), without needing a router? Or if I need a router, how? So that I can build upon it over time.
    Well, I have given an IP address from the main subnet from VLAN 2 to a switch which is for VLAN 3 or the Dev environment!!! I really didn't know how to do this in order to make it as transparent as possible to others since I am not in charge of the AD and the servers.
    Please forgive me for my somewhat vague explanation and I hope I could have made a question.
    Thanks,
    Masood

    Hi and thanks for responding. Almost all my switches are L2/L3 Cisco CAT switches with two 3560s at the edge with knowledge of the public network located between my two border routers and my firewalls. My main switch is a Cisco CAT 4510R, which is a layer 2 and 3 switch with Cisco IOS, and a few 3550s and 3512s around. I also have two CAT 4006s with CatOS but these aren't my current concern as I know that I need to either use one of these switches or a router to route between my VLANs. I do have a Cisco router, a 2621, as my main router; its fa0/1 is used for my two main subnets (servers, devices, and users are on these two subnets 10.1.1.0 and 10.1.4.0) and the DHCP server is giving out IPs out of these two private subnets. The other interface on this router, fa0/0, is used for 10.1.2.0 which is a totally isolated subnet with a bunch of servers on it called the Dev Environment. The AD guys want it this way.
    OK, now, when I took over this network I realized that those people who were looking after this network had created two VLANs, VLAN 2 (acting as the default VLAN 1 actually and used for management of devices too) and VLAN 3 (VLAN 3 is for 10.1.2.0, i.e. the Dev Environment), so basically all of my devices, servers and users are on VLAN 2!!! and no trunking.....
    I have provided a diagram of my network topology.
    What I need to do is to find the best way to create a few more VLANs on my main network (10.1.1.0 and 10.1.4.0) and put all the servers on one VLAN, say VLAN 2, and a few other segments, and then start to route between them by trunking. My problem is that the AD guys do not want to get involved and do not want (one of them is my boss) to do IP renumbering, so I need to do this at L2 (by MAC address maybe) and then use the router (or I can upgrade my main router to provide more interfaces with more memory and processing power) and use it to route between VLANs. This router is also used to connect us to a remote office where we have our web servers hosted via a T1 point-to-point, as we are an online business, so I need to be very careful with this mission and have all the servers and web servers at this location and my remote location (10.5.1.0) on the same VLAN and then users on different VLANs by segmenting departments.
    Now, you see my dilemma and the challenge that I am facing. How can this be done slowly and gradually? First adding one more VLAN, putting all the servers on it (also keeping back interfaces and clustering of servers in mind) and users on another, then starting trunking and seeing how it works. If all goes well then I can start creating more VLANs, and that would be the easy part, and point them to the trunk interface / link.
    Your thoughts will be greatly appreciated.
    Thx,
    Masood

  • IPS reactions in passive mode

    Hi
    we are planning to deploy Cisco IPS 4200 series on our network. We have a redundant network so what I need is a device that would react to threats (via ACL, shun, resets) while in passive mode (using SPAN or taps). A couple of questions:
    1- Is this device capable of preventing threats while in passive mode?
    2- What is the difference between the Cisco IDS and IPS series?
    Thanks

    Hi!
    The Cisco 4200 IDS series work as IPS also when used with version 5.0. This means that you can use an IDS/IPS device as a tap in a line to "prevent" attacks by not passing attacking packets. Of course this is a mode of operation, and if you just want to use the device as IDS you can. As IDS you will "monitor" VLANs or ports usually, from a SPAN port. The IDS will alarm and send resets (if configured for) to prevent attacks. You can also configure the IDS to put ACLs on border routers or PIX to stop the offending traffic (this may require some tedious and careful config).
    Consider deploying Cisco ASA5500 appliances also. They are IDS/IPS, FW, VPN, and much more.
    http://www.cisco.com/go/asa
    Mario S.
    CCIE #14047

  • SPAN monitor source -help please

    Hi,
    I have two CAT 3560s at the edge of my network and they are sitting between my two edge routers, Cisco 2621, one active and the other shadow, and the PIXs, 4 of them. Two PIXs and the active router connect to the first 3560 and the second router and the other two PIXs connect to the second 3560 switch.
    I have done local SPAN as follows:
    LanEdge-SW-6#sh monitor se 1
    Session 1
    Type : Local Session
    Source Ports :
    Both : Gi0/11
    Destination Ports : Gi0/13
    Encapsulation : Native
    Ingress : Disabled
    The question is: if I connect the cable coming from my active edge router to the source port on the 3560, then I don't have an Internet connection, but if I leave the source port unplugged (nothing plugged in it) and connect the cable coming from my active router to other ports (except the destination port which is connected to a hub and then to my IDSs) then I have an Internet connection.
    Is this how it should be? The local SPAN source port must be empty with nothing plugged in it?
    Please help clarify this.
    Thx,
    Masood

    hello everyone,
    I want to thank all of you who took the time to try to help me with this issue.
    What I finally did: I put the switches back to the factory default and started to re-configure the switches from scratch; in doing that, I did a "shut" under VLAN 1 (the default VLAN) and set up the local monitoring sessions and that did the trick.
    My border router is now connected to the monitor source and the destination to my monitoring hub connecting to my VMS and StealthWatch for monitoring all the public traffic.
    Here is how it was connected or is connected.
    Two border routers, one active and the other shadow; the active one connected to one 3560 along with my primary PIX and the other router to my second 3560 along with my two other PIXs (secondary, and two PIXs for a whole different subnet - isolated from my main subnets).
    The switches are supposed to do only switching, connecting the inside private network to the outside public (i.e. the routers); the PIX is set to make that decision.
    I have one port, namely int gi0/1, configured to be on VLAN 2 (my main VLAN) and made the access vlan 2 and mode access, and connected that port to my main network for management of the switch, but the rest of the interfaces are factory default.
    I don't know if I was able to explain correctly, but by reconfiguring and doing "shut" under the VLAN 1 interface, I was able to connect my border router cable to the port configured as source and the destination to my hub and all is working now.
    Just wanted to let you guys know what happened at the end of this dilemma.
    Thx,
    Masood

  • WAAS network design

    Hi all,
    In enterprise network there are these WAAS devices: several SRE-SM-700-K9 modules (each installed in separate branch border routers) and WAE-674 appliance located at head office. At the head office border router there is no WAE module installed (there is only WAE-674 appliance at head office). Branch sites are connected to Head Office via IPsec tunnels. How all of these devices must come together to optimize traffic flows from branch offices to central servers? Which device mode to select on WAE-674 appliance - application-accelerator or central manager? If application-accelerator mode is selected, where to place WAE-674 appliance assuming that Head Office border router has one inside and one outside interface?

    Hi Stan,
    I guess it comes from the fact that if we save the configuration of a device, it is to restore it at a later time.
    If we saved the IP address of the interface in the output, it would create problems once you would try to restore it as you can see:
    NME-WAE-2(config)#interface GigabitEthernet 1/0
    NME-WAE-2(config-if)#ip address 2.2.2.2 255.255.255.0
    Specified interface is configured from router.
    NME-WAE-2(config)#
    I agree it is debatable whether or not this info should be included in the running config, and you can see it as a bug; I see it as an implementation choice.
    Regards,
    Nicolas

  • Ichat.. not working at school?

    hi everyone
    I have a MacBook and I've had it since July, and iChat has been working fine since then, and then just recently, today, I can't sign on. Whenever I try it says: The connection to the host was unexpectedly lost.
    I've been at school for a month now and iChat had been working since, except just today. I've tried changing my server to 443, using Ethernet instead of AirPort, installed all software updates, and restarted like a million times. I don't know what to do and I'd really like to talk to my friends back home.
    Please help.

    We just discovered the problem here at the University I work for. It appears that iChat utilizes random UDP ports after the invitation is sent. Instead of using UDP 5190 and 54500 (example) for each, it keeps randomizing the recipient port. So you could have several connections coming back to ports 54500, 54501, 54502, etc.
    Cisco, in their latest revision of IOS for the firewall and router, has issues with this. The old "fixup" protocol on the firewall worked flawlessly; however, that is gone now (with 7.2.1) and has been replaced with the Inspect command. This doesn't work. On the firewall, if you are inspecting RTSP and SIP, these need to be removed.
    Also, on our border routers we are using dynamic ACLs with the evaluate option on UDP. This doesn't work either. We had to create an entry before the evaluate statement:
    permit udp any any eq 5060
    permit udp any any eq 5190
    permit udp any any range 16384 16403
    This fixed it....talk about a pain! All the other IM packages worked fine...MSN, Yahoo and AOL...but IChat was the difficult one.
    Hope this helps.
    S
      Mac OS X (10.4.7)  
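    The ordering point in the answer above (static permits placed before the evaluate statement of a reflexive ACL) is what makes the randomised reply ports get through. The following IOS configuration is an added illustration and is not the poster's own router configuration: the interface, ACL names and the outside address 203.0.113.10 are hypothetical. Where the post used "any any", this version limits the inbound permits to the single outside address the iChat clients are translated to, so the opened UDP ranges are not exposed for every address behind the router.

```cisco
! Added example, not the poster's configuration. Interface, ACL names and
! the outside address 203.0.113.10 are hypothetical placeholders.

! Applied outbound on the Internet-facing interface: each outgoing UDP or
! TCP session is recorded as a temporary entry in the named reflexive list.
ip access-list extended INSIDE-TO-OUTSIDE
 permit udp any any reflect UDP-SESSIONS timeout 300
 permit tcp any any reflect TCP-SESSIONS
 permit ip any any

! Applied inbound on the same interface. The static permits for the iChat
! ports sit BEFORE the evaluate lines: a reply to a randomised port never
! matches a reflexive entry, so it must be allowed explicitly.
ip access-list extended OUTSIDE-TO-INSIDE
 permit udp any host 203.0.113.10 eq 5060
 permit udp any host 203.0.113.10 eq 5190
 permit udp any host 203.0.113.10 range 16384 16403
 evaluate UDP-SESSIONS
 evaluate TCP-SESSIONS
 deny ip any any log

interface GigabitEthernet0/0
 description Internet uplink (hypothetical)
 ip access-group INSIDE-TO-OUTSIDE out
 ip access-group OUTSIDE-TO-INSIDE in
```

    "show ip access-lists UDP-SESSIONS" displays the live reflexive entries while a session is open, and the final "deny ip any any log" line records whatever still does not match, which is the quickest way to confirm which destination ports a client is actually being sent to before widening any permit.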

  • The default-information originate and blackhole

    I have read an article :
    (((1- The default-information originate OSPF routing process subcommand will generate a default route into the OSPF domain.
    2- By default this default cannot be advertised unless the local device actually has a default route installed
    in the routing table.
    3- This stipulation is added to prevent the case where default reachability is lost from an upstream peer, but default reachability is still advertised into the OSPF domain.
    4- An example of this case is as follows.
    Suppose that your OSPF domain has two or more connections to an upstream Internet provider. At these exit points from your internal network the border routers are learning a default from the ISP.
    5- Additionally these border routers are generating default routes into the OSPF domain by issuing the default-information originate routing process subcommand.
    6- Now suppose that one of these connections to the upstream provider is lost. If the border router with the lost upstream connection is still advertising default reachability into the OSPF domain some of the traffic will be blackholed.
    7- Instead the router with the lost connection should withdraw the default route from the OSPF domain, which in turn would cause all internal devices to reroute out a still valid exit point from the network))).
    Regarding point 6, how does it make a blackhole?

    Because the router still announces a default route into the OSPF domain, and the packets which prefer this route will be blackholed, because the link to the ISP is broken and the router will drop these packets. But the packets that prefer the other default route will go through the second router, because its link to the ISP is still up.
    Is it clear?
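    The mechanism the article and the answer describe depends on the default route actually leaving the border router's routing table when the upstream fails. The IOS configuration below is an added example, not taken from the article or from either poster: router names, the AS numbers and all addresses (documentation ranges) are hypothetical. It ties the static default to an IP SLA probe of the ISP next hop, so the route is withdrawn even when the interface itself stays up, and uses the conditional form of default-information originate so the type-5 default LSA disappears with it; the "always" keyword, shown last, is the setting that produces the blackhole in point 6.

```cisco
! Added example, not from the thread. Border router R1; all names,
! AS numbers and addresses are hypothetical (documentation ranges).

! Probe the ISP next hop every 5 seconds and expose the result as track 1.
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0
 frequency 5
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability

! Static default that is installed only while track 1 is up. If the
! ISP side fails with the local interface still up/up, the route
! leaves the routing table.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1

! Conditional form: the default LSA is originated only while a default
! route exists in the RIB. When the static route above is removed, the
! LSA is withdrawn and internal routers converge on the other border
! router's default (point 7 of the article).
router ospf 1
 router-id 10.255.0.1
 network 10.0.0.0 0.255.255.255 area 0
 default-information originate metric 10

! The setting that causes the blackhole of point 6: the LSA is kept
! regardless of whether a default route exists, so traffic keeps being
! attracted to a router that cannot forward it.
!   router ospf 1
!    default-information originate always
```

    On an internal router, "show ip ospf database external 0.0.0.0" lists which border routers are currently originating the default; on R1, "show track 1" and "show ip route 0.0.0.0" confirm that the route and the LSA go away together when the probe fails.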
