Cisco 2901 Dual WAN, VRF, Vlan Isolation configuration help

I'm very new to Cisco IOS, so please forgive me. I know what I'm trying to accomplish, but perhaps I'm not best at describing it.
I have two ISPs 1) Fiber with Static Range 2) Cable with 1 Static address.
Tasks:
Assign GigE0/0 to Fiber
Assign GigE0/1 to Cable
Create Vlan10 for Fiber connectivity and Static Range (aaa.bbb.ccc.145 - aaa.bbb.ccc.150)
Create Vlan20 for Cable connectivity with ip address 10.10.0.0
Assign GigE0/1/0 - GigE0/1/4 for each static IP address in Fiber range (aaa.bbb.ccc.145 - aaa.bbb.ccc.150) Vlan10
Assign GigE0/1/5 to Cable Vlan20
Expected end result: GigE0/1/0 - 0/1/4 will use Fiber, GigE0/1/5 will use Cable, no failovers.
I have been able to get Fiber connectivity working fine, can ping the Vlan and it is online. I have been able to get the Cable Vlan working fine, but cannot get online. If I ping using a device on a separate network I can hit both the Fiber and Cable statically set IP addresses, so the WAN config seems to be fine. Internally, the Cisco can ping Google from Fiber only, but not from Cable. This is where I'm new: from my reading it appears as though either PBR or VRF should enable this functionality, since the router seems to be unable to redirect traffic for Cable requests. I used this tutorial as my guide (https://learningnetwork.cisco.com/thread/70882), but it's getting lost in translation when trying to actually implement it.
Building configuration...
Current configuration : 2905 bytes
! Last configuration change at 06:48:54 UTC Mon Nov 17 2014
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname Cisco2901
boot-start-marker
boot-end-marker
enable secret 5 password
enable password 7 password
no aaa new-model
memory-size iomem 5
ip cef
ip cef load-sharing algorithm original
ip vrf FIBER
ip vrf CABLE
no ip dhcp use vrf connected
ip dhcp pool VLAN10
 network aaa.bbb.ccc.144 255.255.255.248
 default-router aaa.bbb.ccc.145 
 dns-server 8.8.8.8 8.8.4.4 
 class Fiber_Class
  address range aaa.bbb.ccc.145 aaa.bbb.ccc.150
ip dhcp pool VLAN20
 network 10.10.0.0 255.255.255.0
 default-router 10.10.0.1 
 dns-server 8.8.8.8 8.8.4.4 
ip dhcp class Fiber_Class
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
multilink bundle-name authenticated
license udi pid CISCO2921/K9 sn FTX1828AKAY
archive   
 log config
  hidekeys
redundancy
interface Embedded-Service-Engine0/0
 no ip address
 shutdown 
interface GigabitEthernet0/0
 ip address eee.fff.ggg.58 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
interface GigabitEthernet0/1
 ip address hhh.iii.jjj.86 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
interface GigabitEthernet0/2
 no ip address
 shutdown 
 duplex auto
 speed auto
interface GigabitEthernet0/1/0
 switchport access vlan 10
 ip vrf forwarding FIBER
 no ip address
interface GigabitEthernet0/1/1
 switchport access vlan 10
 ip vrf forwarding FIBER
 no ip address
interface GigabitEthernet0/1/2
 switchport access vlan 10
 ip vrf forwarding FIBER
 no ip address
interface GigabitEthernet0/1/3
 switchport access vlan 10
 ip vrf forwarding FIBER
 no ip address
interface GigabitEthernet0/1/4
 switchport access vlan 10
 ip vrf forwarding FIBER
 no ip address
interface GigabitEthernet0/1/5
 switchport access vlan 20
 ip vrf forwarding CABLE
 no ip address
interface GigabitEthernet0/1/6
 no ip address
interface GigabitEthernet0/1/7
 no ip address
interface Vlan1
 no ip address
interface Vlan10
 ip address pool VLAN10
 ip nat inside
 ip virtual-reassembly in
interface Vlan20
 ip address pool VLAN20
 ip nat inside
 ip virtual-reassembly in
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
snmp-server community WWM_Cisco2901 RO
snmp-server enable traps entity-sensor threshold
control-plane
line con 0
line aux 0
line 2    
 no activation-character
 no exec  
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password 7 password
 login    
 transport input all
scheduler allocate 20000 1000
end  

Thanks for your assistance, much appreciated. So I adjusted per your recommendation, and in the process lost Fiber connectivity. Perhaps I misunderstood a suggestion? This is my current (failing) config:
Building configuration...
Current configuration : 2905 bytes
! Last configuration change at 06:48:54 UTC Mon Nov 17 2014
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname Cisco2901
boot-start-marker
boot-end-marker
enable secret 5 password
enable password 7 password
no aaa new-model
memory-size iomem 5
ip cef
ip cef load-sharing algorithm original
ip vrf CABLE
 rd 1:20  
ip vrf FIBER
 rd 1:10  
no ip dhcp use vrf connected
ip dhcp excluded-address aaa.bbb.ccc.145
ip dhcp excluded-address 10.10.0.1
ip dhcp pool VLAN10
 network aaa.bbb.ccc.144 255.255.255.248
 default-router aaa.bbb.ccc.145 
 dns-server 8.8.8.8 8.8.4.4 
 class Fiber_Class
  address range aaa.bbb.ccc.145 aaa.bbb.ccc.150
ip dhcp pool VLAN20
 network 10.10.0.0 255.255.255.0
 default-router 10.10.0.1 
 dns-server 8.8.8.8 8.8.4.4 
ip dhcp pool LANUSERS
 import all
 network aaa.bbb.ccc.0 255.255.255.0
 network 10.10.0.0 255.255.255.0 secondary
   override default-router 10.10.0.1 
 default-router aaa.bbb.ccc.145 
 dns-server 8.8.8.8 8.8.4.4 
 lease 0 8         
ip dhcp class Fiber_Class
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
multilink bundle-name authenticated
license udi pid CISCO2921/K9 sn FTX1828AKAY
archive   
 log config
  hidekeys
redundancy
interface Embedded-Service-Engine0/0
 no ip address
 shutdown 
interface GigabitEthernet0/0
 ip address eee.fff.ggg.58 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
interface GigabitEthernet0/1
 ip address hhh.iii.jjj.86 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
interface GigabitEthernet0/2
 no ip address
 shutdown 
 duplex auto
 speed auto
interface GigabitEthernet0/1/0
 switchport access vlan 10
 ip vrf forwarding FIBER
 no ip address
interface GigabitEthernet0/1/1
 switchport access vlan 10
 ip vrf forwarding FIBER
 no ip address
interface GigabitEthernet0/1/2
 switchport access vlan 10
 ip vrf forwarding FIBER
 no ip address
interface GigabitEthernet0/1/3
 switchport access vlan 10
 ip vrf forwarding FIBER
 no ip address
interface GigabitEthernet0/1/4
 switchport access vlan 10
 ip vrf forwarding FIBER
 no ip address
interface GigabitEthernet0/1/5
 switchport access vlan 20
 ip vrf forwarding CABLE
 no ip address
interface GigabitEthernet0/1/6
 no ip address
interface GigabitEthernet0/1/7
 no ip address
interface Vlan1
 no ip address         
interface Vlan10
 ip vrf forwarding FIBER
 ip address aaa.bbb.ccc.145 255.255.255.248
 ip nat inside
 ip virtual-reassembly in
interface Vlan20
 ip vrf forwarding CABLE
 ip address 10.10.0.0 255.0.0.0
 ip nat inside
 ip virtual-reassembly in
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat inside source route-map VLAN10 interface GigabitEthernet0/0 overload
ip nat inside source route-map VLAN20 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 aaa.bbb.ccc.145
ip route 10.10.0.0 255.255.255.0 Vlan20
ip route aaa.bbb.ccc.0 255.255.255.0 Vlan10
ip route vrf FIBER aaa.bbb.ccc.0 255.255.255.0 Null0
ip route vrf CABLE 10.10.0.0 255.255.255.0 Null0
access-list 10 permit aaa.bbb.ccc.0 0.0.0.255
access-list 20 permit 10.10.0.0 0.0.0.255
route-map VLAN10 permit 10
 match ip address 10
 match interface GigabitEthernet0/0
route-map VLAN20 permit 20
 match ip address 20
 match interface GigabitEthernet0/1
snmp-server community WWM_Cisco2901 RO
snmp-server enable traps entity-sensor threshold
control-plane
line con 0
line aux 0
line 2    
 no activation-character
 no exec  
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password 7 password
 login    
 transport input all
scheduler allocate 20000 1000
end  
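The two configs above show the symptoms the post describes but not the reasons. As an added example that is not from the thread or from Cisco, the Python script below parses an IOS-style running config and flags three things the second config gets wrong for a per-VRF design: a DHCP pool whose default-router is not an address on any interface, a VRF that owns interfaces but has no default route of its own (the global 0.0.0.0/0 is not consulted inside a VRF, which matches fiber connectivity disappearing once Vlan10 was moved into FIBER), and a nat-inside interface in a VRF with no translation rule carrying the vrf keyword. The BROKEN and FIXED strings are constructed excerpts: RFC 5737 documentation prefixes replace the aaa.bbb.ccc placeholders, the ISP next-hop addresses are assumed, and FIXED is the editor's rendition of the intended design (each WAN port in its VRF, a per-VRF default route, VRF-aware NAT rules, a host address on Vlan20), to be checked against the IOS release in use.

```python
"""Added example (not the thread's code): lint an IOS-style config for the
inconsistencies behind the VRF dual-WAN symptoms described above."""
import ipaddress
import re

# Constructed excerpts modelled on the second posted config; RFC 5737 prefixes
# replace the thread's aaa.bbb.ccc placeholders and the next hops are assumed.
POOLS = """\
ip dhcp pool VLAN10
 network 203.0.113.144 255.255.255.248
 default-router 203.0.113.145
ip dhcp pool VLAN20
 network 10.10.0.0 255.255.255.0
 default-router 10.10.0.1
"""
BROKEN = POOLS + """\
interface Vlan10
 ip vrf forwarding FIBER
 ip address 203.0.113.145 255.255.255.248
 ip nat inside
interface Vlan20
 ip vrf forwarding CABLE
 ip address 10.10.0.0 255.0.0.0
 ip nat inside
ip nat inside source route-map VLAN10 interface GigabitEthernet0/0 overload
ip nat inside source route-map VLAN20 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 203.0.113.145
"""
# Editor's rendition of the intended design: each WAN port in its VRF, a
# default route per VRF, VRF-aware NAT rules and a host address on Vlan20.
FIXED = POOLS + """\
interface GigabitEthernet0/0
 ip vrf forwarding FIBER
 ip address 192.0.2.58 255.255.255.252
interface GigabitEthernet0/1
 ip vrf forwarding CABLE
 ip address 198.51.100.86 255.255.255.252
interface Vlan10
 ip vrf forwarding FIBER
 ip address 203.0.113.145 255.255.255.248
 ip nat inside
interface Vlan20
 ip vrf forwarding CABLE
 ip address 10.10.0.1 255.255.255.0
 ip nat inside
ip nat inside source list 10 interface GigabitEthernet0/0 vrf FIBER overload
ip nat inside source list 20 interface GigabitEthernet0/1 vrf CABLE overload
ip route vrf FIBER 0.0.0.0 0.0.0.0 192.0.2.57
ip route vrf CABLE 0.0.0.0 0.0.0.0 198.51.100.85
"""

def parse_blocks(text):
    """Split an IOS config into (top-level line, [indented child lines])."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        elif not raw[0].isspace():
            blocks.append((raw.strip(), []))
    return blocks

def grab(body, pattern):
    """Capture groups of the first child line matching pattern, else None."""
    return next((m.groups() for line in body if (m := re.match(pattern, line))), None)

def lint(text):
    """Return a list of findings (empty when the config is consistent)."""
    ifaces, pools, nat_vrfs, default_vrfs = {}, {}, set(), set()
    for header, body in parse_blocks(text):
        if header.startswith("interface "):
            vrf, nat = grab(body, r"ip vrf forwarding (\S+)"), grab(body, r"ip nat (inside|outside)")
            addr = grab(body, r"ip address (\S+) (\S+)")
            ifaces[header.split()[1]] = {"vrf": vrf and vrf[0], "nat": nat and nat[0],
                                         "address": addr and ipaddress.IPv4Interface("/".join(addr))}
        elif m := re.match(r"ip dhcp pool (\S+)", header):
            net, gw = grab(body, r"network (\S+) (\S+)$"), grab(body, r"default-router (\S+)")
            pools[m[1]] = {"net": net and ipaddress.IPv4Network("/".join(net)),
                           "gw": gw and ipaddress.IPv4Address(gw[0])}
        elif m := re.match(r"ip nat inside source .* vrf (\S+)", header):
            nat_vrfs.add(m[1])
        elif re.match(r"ip route vrf \S+ 0\.0\.0\.0 0\.0\.0\.0 ", header):
            default_vrfs.add(header.split()[3])
    findings = []
    # 1. A pool's default-router must sit on an interface whose subnet contains
    #    the pool, otherwise DHCP clients get a gateway that nothing answers.
    for name, p in pools.items():
        if not any(i["address"] and p["gw"] and p["net"] and i["address"].ip == p["gw"]
                   and p["net"].subnet_of(i["address"].network) for i in ifaces.values()):
            findings.append(f"dhcp pool {name}: default-router {p['gw']} is not an interface address covering the pool")
    # 2. A VRF that owns interfaces needs its own default route; the global
    #    0.0.0.0/0 is not consulted from inside the VRF.
    for vrf in sorted({i["vrf"] for i in ifaces.values() if i["vrf"]}):
        if vrf not in default_vrfs:
            findings.append(f"vrf {vrf}: no 'ip route vrf {vrf} 0.0.0.0 0.0.0.0 ...'")
    # 3. A nat-inside interface in a VRF needs a translation rule naming that
    #    VRF; rules without the vrf keyword serve the global table only.
    for name, i in ifaces.items():
        if i["nat"] == "inside" and i["vrf"] and i["vrf"] not in nat_vrfs:
            findings.append(f"{name}: nat inside in vrf {i['vrf']} but no 'ip nat inside source ... vrf {i['vrf']}' rule")
    return findings
```

Calling lint(BROKEN) returns five findings (the VLAN20 gateway, a missing default route in each VRF, and an unqualified NAT rule for each inside interface); lint(FIXED) returns an empty list. The linter only reads the config text: it does not verify that the next hops are reachable or that the route-maps and access lists still match the intended traffic.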

Similar Messages

  • Cisco RV320 DUAL WAN router USB setup with Telstra 4G MF823

    I am trying to set up a Cisco RV320 DUAL WAN router to work with my prepaid Telstra 4G MF823 device. Could you please assist. My settings are as follows:
    Interface: USB2
    Connection Type: 3G/4G
    PIN Code:
    Confirm PIN Code:
    USB Connection Status: 3G/4G modem is not available.
    Access Point Name: telstra.internet
    Dial Number:
    Username:
    Password:
    Enable DNS
    DNS Server (Required): 8.8.8.8
    DNS Server (Optional): 8.8.4.4
    MTU: Auto Manual B

    Hi oz000,
    Unfortunately we don't have anyone here to assist with this particular issue. Our team here provides assistance for the device standalone, we ensure that the 4G device connects to the network and functions correctly on its own.
    -Matt W
     

  • Cisco RV042 - Dual Wan Load Balancing - Secure Site (HTTPS) Trouble

    PID VID :
    RV042 V03
    Firmware Version :
    v4.0.0.07-tm (Aug 19 2010 19:19:50)
    Ever since I setup my RV042 with load balancing using the Dual Wan system I have had trouble staying connected to some secure sites. After doing some searching I found that the potential issue is the IP change mid session.
    "http://www.broadbandreports.com/forum/r25537589-Cisco-RV042-can-not-use-load-balancing-for-some-web-sites"
    Although my interface is significantly different I was able to find the same area in my RV042 admin area however, it doesn't seem to work.
    System Management
    > Dual Wan
    In Wan 1 & Wan 2 I have HTTPS and HTTPS Secondary all forwarded to use Wan 2 under Protocol Binding
    This however has not managed to do anything at all for my network and every computer connected experiences the same HTTPS irregularities at some websites.
    I'm sure I must be doing something wrong, but I don't know what it is.
    Both incoming connections are from the same service provider although the plans are different.
    Any help with this would greatly help me stop losing my mind trying to fight with my website control panel for 10 minutes to just login and get something done.
    Thanks

    Any ideas or advice from anyone?

  • Dual WAN and Log mail SMTP on RV082 ?

    I use a RV082 with dual Wan and I cannot configure two SMTP.
    Without authentication; a SMTP is specific of the provider.
    When WAN1 comes down, SMTP to be used is the SMTP corresponding to WAN2 and vice versa.
    Implementation of authentication with the mail server will be useful.
    Possibility of two mail servers with indication of the corresponding WAN is also useful.

    I don't know how or if it's possible to set up two SMTP servers, but I know that many ISPs block SMTP traffic that is not directed to one of their SMTP servers.  You could try picking just one SMTP server, and find out if it can be contacted on a non-standard port.  A lot of SMTP providers allow for this.
    If you can configure a single SMTP server on a non-standard port, you should be able to contact that SMTP server from anywhere on the internet because the traffic won't be blocked (at least not port-based blocking, which is what most ISPs use).
    So in a scenario where WAN1 is the ISP who owns the SMTP server and WAN2 is a different ISP that blocks standard SMTP traffic...
    1) If both WANs are working, SMTP traffic goes out WAN1.  No problem.
    2) If only WAN1 is working, SMTP traffic goes out WAN1.  No problem.
    3) If only WAN2 is working, SMTP traffic goes out WAN2, but is not blocked because it is on a non-standard port.  No problem.
    I hope that helps.

  • RV325 Dual WAN Router - Use only one IP

    I have a rv325 dual wan router. I have setup load balancing on the router, but I don't want one of the servers here being load balanced. How do i set it to only use a specific WAN while everything else is load balanced?

    Michael,
    I like to share link that will has a step by step screenshots on how to configure protocol binding. Your source ip will be server and Destination is whichever WAN you are shaping that traffic. Hope this helps
    Article ID: 4242
    http://sbkb.cisco.com 

  • SG300's vlan isolation except for shared printers

    Hello,
    We have 2 x SG300-20's and 1 x SG300-10.
    We want to have a few vlans to isolate different departments from each other while still providing access to the broadband uplink as well as shared printers.
    The setup we would like would be something like this:
    1 x SG300-20 for VLAN 2
    1 x SG300-20 for VLAN 3
    1 x SG300-10 for VLAN 4-6
    Shared printer(s) on VLAN 6 which should be accessible from all other vlans
    We also have a RV180 router sitting in front of the switches which should provide broadband uplink access and trunking for the switches.
    We need to forbid vlan 2-5 from communicating with each other.
    In order to simplify and test, we are using the SG300-10 switch only in L3 mode at the moment with 3 computers to simulate 3 vlans but it seems to turn on inter-vlan routing on every port and vlan automatically when you set the switch in L3 mode and in L2 mode, vlan isolation works but we need to use the router to serve up dhcp and inter-vlan routing on a single vlan, which after over 6 hours of having the cisco tech logged into our system to try to set it up he gave up and said he didn't understand why it was not working...
    Is there a way to use this setup, or something similar?
    We have contacted cisco support a second time and have had a tech test our switch config file for a week now and still no progress on this and we need to have this working asap.
    We were told that this was possible with our equipment but it seems there are serious limitations with this gear that even the cisco techs don't know about...
    We can provide the switch config upon request.
    Thanks!

    Hi Tom,
    I replaced the cisco RV180 with a netgear FVS318N and so far, in the lab anyways, I've gotten the following setup to work:
    SG300-10 in layer 3 mode:
    Port 1 - Admin Port - Vlan 1 pvid
    Port 2 - general - VLAN 2 pvid - tagged vlan 4 - forbid vlan 3 - dhcp 192.168.2.0/24 (iface 192.168.2.203)
    Port 3 - general - VLAN 3 pvid - tagged vlan 4 - forbid vlan 2 - dhcp 192.168.3.0/24 (iface 192.168.3.203)
    Port 4 - general - VLAN 4 - Tagged vlan 2 - Tagged vlan 3 - dhcp 192.168.4.0/24 (iface 192.168.4.203)
    Port 10 - Trunk - pvid vlan 1 - Tagged 2-3-4 - (iface 192.168.254.203)
    Routes:
    Added default gateway to vlan 1 iface on router
    Added 192.168.1.0/24 gateway vlan 1 iface router ip (lab's upstream router is on that block which doesn't have an iface on the switch)
    IPV4 ACL:
    Port 2 - priority 500 - Deny any to vlan 3 subnet
                priority 1000 - permit any to any
    Port 3 - priority 500 - Deny any to vlan 2 subnet
                priority 1000 - permit any to any
    On the netgear router, vanilla config with the 4 vlans added to it and inter-vlan routing enabled with switch port 10 plugged into router port 7 for uplink.
    So far it seems to be working correctly, still need to test vlan hopping and static ip's and routing to simulate mis-configured or malicious computers plugged into the two main vlans but replacing the router seems to have done the job.
    Perhaps further testing would have resulted in a working setup with the RV180 but after so many hours wasted on this setup by us and by the cisco tech, it was time to make a move.
    What's your opinion on this setup Tom?
    I'm so tired I'm getting cross-eyed and might be forgetting something important.
    Thanks!

  • RV320 - Dual WAN - Load Balance Problem

    Hi all,
    I've just bought a RV320 Dual WAN router and try to get it running. My network setup looks like the picture attached.
    I have 2 WAN Connections:
    - Router 1 (16Mbit Down / 512kbit up) - no public WAN IP
    - Router 2 (3 Mbit Down / 512kbit up) - Fixed public IP
    Router 1 is connected to WAN1 and router 2 to WAN2 port on the RV320.
    I have enabled load balancing mode.
    Questions:
    1.
    I want WAN1 to be the primary line to be used until capacity reached.
    Currently for some reason I don't understand the cisco always uses WAN2.
    That's not good as all browsing and downloading is limited to 3mbit.
    When I switch to "fail-over" mode and set the primary line to WAN1 that works, but WAN2 is not kept alive.
    2.
    I am using VOIP and need to route all VOIP traffic to WAN2 interface.
    The best would be to tell the router IP 192.168.177.9 (voip phone) should use WAN2. So far I didn't figure out how to do that.
    Can I put VOIP into one VLAN group and allocated VLAN to one specific WAN interface?
    Brgds

    So, you can hear the phone ringing and answer it? which means that SIP packets are coming through WAN to LAN and well redirected to the phone IP, but you cannot hear after that, which means that there could be a problem with the RTP packets.
    If you have problem only with the incoming calls and not the outgoing, then try enable/disable SIP ALG (Firewall). If that doesn't fix the issue, try to allow (or even forward) from WAN to LAN RDP -  UDP ports 16384-32767 to the phone IP.
    Regards,
    Kremena

  • Connectivity issues between Cisco 2901 and Cisco SG300-52

    Hello,
    I am having some serious connectivity issues between the hosts in my LAN.
    My LAN is based on a Cisco 2901 router and a Cisco SG300-52 port switch.
    The issue that has been happening is that connections between hosts on the LAN (remote desktop, extended ping, etc) is very unstable, at some point I can see a 35% lost packets on an extended ping. This happens at any time of the day and from any host.
    All hosts are on the same Vlan (default Vlan) and on the same subnet. Some hosts have fixed IP addresses (servers and network equipment) and others obtain their IP address through a DHCP reservation established on the router (reserved with the MAC address of every host).
    I can provide further details if needed, because this issue is very serious and I would really appreciate any insight or support.
    Many thanks in advance.
    Sair Amer
    EDIT:  After doing every test we could think of, we finally found the reason behind this problem.
    It turns out that the switch has problems handling communications between clients at different speeds, because most of the hosts connected were working at 100 Mbps but the servers were working at 1000 Mbps (and the communication between host and servers wasn't stable).
    After manually setting the speed on all ports to 100 Mbps the problems have stopped.
    Many thanks for your help on this issue.

    Building configuration...
    Current configuration : 4123 bytes
    ! Last configuration change at 12:06:16 PCTime Sat Jul 19 2014 by ccp
    version 15.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Foninsa
    boot-start-marker
    boot-end-marker
    no logging buffered
    enable secret 5 $1$BDbJ$HN3VP8nmywrGB55RCxPd30
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local 
    aaa session-id common
    clock timezone PCTime -4 0
    clock summer-time PCTime date Apr 6 2003 2:00 Oct 12 2003 12:00
    no ip cef
    ip dhcp excluded-address 192.168.1.1 192.168.1.10
    ip dhcp excluded-address 192.168.1.151 192.168.1.255
    ip dhcp pool FONINSA
     network 192.168.1.0 255.255.255.0
     default-router 192.168.1.1 
     dns-server 8.8.8.8 8.8.4.4 
    ip dhcp pool Laptop-Sporta-Wifi
     host 192.168.1.10 255.255.255.0
    ip name-server 8.8.8.8
    ip name-server 8.8.4.4
    no ipv6 cef
    multilink bundle-name authenticated
    crypto pki trustpoint TP-self-signed-213585710
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-213585710
     revocation-check none
     rsakeypair TP-self-signed-213585710
    crypto pki certificate chain TP-self-signed-213585710
     certificate self-signed 01
      30820229 30820192
      quit
    license udi pid CISCO2901/K9 sn
    license boot module c2900 technology-package securityk9
    username ccp privilege 15 password
    redundancy
    interface Embedded-Service-Engine0/0
     no ip address
     shutdown
    interface GigabitEthernet0/0
     ip address 190.196.21.98 255.255.255.248
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
    interface GigabitEthernet0/1
     ip address 192.168.1.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     duplex auto
     speed auto
    no ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    ip nat inside source list 1 interface GigabitEthernet0/0 overload
    ip nat inside source static tcp 192.168.1.3 21 190.196.21.98 21 extendable
    ip nat inside source static tcp 192.168.1.3 80 190.196.21.98 80 extendable
    ip nat inside source static udp 192.168.1.8 1194 190.196.21.98 1194 extendable
    ip nat inside source static tcp 192.168.1.4 3389 190.196.21.98 3389 extendable
    ip nat inside source static tcp 192.168.1.9 3389 190.196.21.98 10000 extendable
    ip nat inside source static tcp 192.168.1.3 3389 190.196.21.98 20000 extendable
    ip route 0.0.0.0 0.0.0.0 190.196.21.97
    access-list 1 permit 192.168.1.0 0.0.0.255
    control-plane
    line con 0
     password $
    line aux 0
    line 2
     no activation-character
     no exec
     transport preferred none
     transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
     stopbits 1
    line vty 0 5
     access-class 23 in
     privilege level 15
     password #
     transport input telnet ssh
    no scheduler allocate
    end

  • Simplest dual-WAN setup for LRT224 ?

    Hi folks
    Hope someone can help with some insight / advice here.
    First, some background :
    For a while I’ve been using a conventional ADSL modem-router device to connect to my primary ISP, and thereby provide internet connectivity to a number of desktop PCs, laptops and other mobile devices in a small office environment. I plug the “output” (LAN port) of the ADSL modem-router into a switch, and I also plug a dual-band wireless access point (WAP) into the switch to provide wireless access for the mobile devices. Generally this all works fine.
    One problem of course is that if/when my ISP goes down - which does happen occasionally - I have no internet. Also, I am starting to need extra bandwidth, and ADSL connectivity has pretty much reached its speed ceiling in my area. So I’ve been looking at ways of providing redundancy and higher speed by having multiple connections, possibly with different technologies and different ISPs. One option is to go with multiple ADSL connections; another (perhaps better) option is to go with a high-speed fixed-wireless (LTE) connection. With LTE, I can easily get over 30Mbps, so I’ve gone with that option for now. FTTH may be an option in the future. Obviously I needed a 2- or 3-WAN router device to do the connection management.
    I had a preference for a dual-WAN router that isn’t tied to any particular communication technology (like ADSL, or VDSL) to give a degree of future-proofing for new technologies like FTTH. I prefer modem devices that have a conventional ethernet port as an output, and hence router devices that have ethernet ports for WAN inputs. This eliminates “combined” devices like Draytek’s “Vigor” ADSL+WAN modem-routers, or routers that have provision to connect a USB 3G stick modem for failover. 
    While shopping around, I looked at options like the Cisco RV042/043, the Peplink Balance 20/30, and the Belkin/Linksys LRT224. The LRT224 seemed to offer a reasonable compromise between price, features and performance, so I went with it.
    Both my CPE devices are combined modem-routers that completely manage the connection to their respective ISPs, presenting me simply with an ethernet port (or ports) for connection to my local LAN. Specifically, I’m using a D-Link DSL-2500U ADSL modem (1 LAN port) and a Huawei B593s-601 LTE modem (4 LAN ports). Both include the usual functions such as DHCP server, NAT, firewall etc. Previously I’d always given the ADSL modem a fixed IP, and then let it handle DHCP for the whole of the downstream network. So far, so good.
    My requirements for now are pretty straightforward :
    - Simple failover operation, ie if one ISP (WAN) goes down, the router should transparently and quickly re-route traffic to the other ISP.
    - Load-balancing, ie the ability to apportion traffic between the two ISPs according to a number of different algorithms. Ideally I would want to see options like : equal traffic (bytes) per ISP, % traffic split (eg 60:40), pro-rata split based on connection speed or latency, etc etc ..
    - Ability to log into the Web control panel for any of the three devices (LTE modem, ADSL modem, or dual-WAN router) directly from the office LAN without unplugging or re-cabling anything.
    - I've no need to use the VPN functionality on the LRT224 at the moment, though that might come later.
    Here’s where I need some input and help :
    So far, the only way I’ve been able to get this all to work together is as follows :
    1) Set up the ADSL modem with a fixed IP of 192.168.1.1 and let it do DHCP on a range like 192.168.1.50/149.
    2) Set up the LTE modem with a fixed IP of 192.168.2.1 and let it do DHCP on a range like 192.168.2.50/149.
    3) Set up the LRT224 to get WAN-side IP’s from the upstream devices on both WAN1 and WAN2.
    4) Set the LRT224 in “Gateway” mode.
    5) Set up the LRT224 with a fixed IP of 192.168.0.1, and to issue downstream DHCP IP addresses in the range 192.168.0.50/149.
     What I've noticed in trying to get this all to work is the following:
    6) This only works (and gives visibility of all 3 devices) when the two modem devices are on different subnets (like 192.168.1.x and 192.168.2.x). Trying to put them both on the same subnet as the downstream side (all on 192.168.0.x) just doesn't work, or one device is not visible.
    7) This only works with the LRT224 in "Gateway" mode, even though "Router" mode seems more fitting.
    The setup given above (1 through 5) does work, and gives a situation like the following :
    Failover works OK, and I can see any of the three devices from the office LAN by connecting to any of the assigned IPs.
    However, the problem is that the throughput really sucks.
    If I connect the LTE modem (only) direct into the office LAN, I get in excess of 20Mbps downlink speed. However, when connecting via the LRT224, I don't even get half that speed, even if the LRT224 is in simple failover mode and the ADSL modem is turned off or out of the picture.
    Given that the LRT224 isn't "processing" the packets at all, and there's no VPN overhead, I find it hard to understand why it sucks up over 50% of the throughput. Also, the reviews I read on the LRT224 listed throughputs in the hundreds of Mbps, so this really shouldn't even be a factor. Also, having the LRT224 eat half the throughput partly defeats the one object (higher speed).
    So my question is : Is the above setup really the way to do what I want ? Or is there a better way ? The upstream arrangement with dual DHCP on different subnets seems overly complex. Is there a simpler way with PPPoE, or PPTP, etc ?
    What might I be doing wrong ?
    Any input or advice would be much appreciated.
    Thanks

    Thanks for the suggestions, guys; although I've pretty much covered all of those things.
    For info :
    1) The router came with firmware v1.0.0.9 (Nov 25, 2013 - the initial release), but I have updated it to the latest v1.0.2.06 (Mar 28, 2014). (This is the third release in 4 months, so it seems Linksys is working fairly actively on LRT2x4 firmware).
    2) I have the "Maximum Bandwidth" figures (reached at Configuration / System Management / Bandwidth Management) set to the appropriate values, including a maximum downstream value of 61 440kbps (60Mbps) for the WAN port to which the LTE modem is connected. My understanding, though, is that the LRT224 doesn't DO anything with this information unless there are one or more bandwidth management policies set. (My understanding may be wrong, and the manual isn't much help). I have no bandwidth management policies set.
    3) I did try disabling all of the firewall rules as suggested by Flybyknight - no improvement.
    One interesting (and unintended / undesired) consequence of my setup is that I can only "see" the configuration pages (web interfaces) for both upstream modems (ADSL and LTE) when the router is in "Load Balance" mode. If it is in "Failover" mode and the primary WAN is up, then I can't see the modem on the secondary (failover) WAN. I assume this is because traffic is only being routed to the active WAN port.
    I guess my uncertainty is more about the upstream setup, ie the way in which the upstream-facing WAN ports on the LRT are configured to talk to the downstream-facing LAN ports on the respective modems.
    The user guide for the LRT224 is really poor, unfortunately. It doesn't explain the actual workings of the various features at all. For instance, it does not explain what the ACTUAL working of "load balance" is. Does the device route the same amount of traffic (bytes) to both WAN ports, or does it do so in proportion to their configured speeds ? Proper explanations for these features are really indispensable! Belkin/Linksys, are you listening ??

  • ASA 5505 Dual WAN - Ping inactive wan from outside?

    I currently have some small branch offices using ASA 5505 with Security Plus license and dual wan connections. They are configured with an SLA monitor so if the primary WAN goes down the secondary connection becomes active. This works as expected, however...
    I can't ping the non-active interface from an outside source. I believe this is by design or due to some limitation on the 5505. The problem is that I don't know if the backup WAN connection is functioning normally without forcing the ASA to make it active. We use a flaky wireless connection for the backups. The problem recently bit me because both WAN connections were offline.
    I'm looking for an easy way to monitor the inactive wan interface, preferably by pinging from an outside location. Is this possible?

    Hello,
    This won't work because the ASA receives the ping on the backup link but has the default route pointing to the outside.
    You would have to add a more specific route for your IP.
    Example:
    If you want to ping coming from IP 1.1.1.1
    route outside 0 0 x.x.1.1 1 track 1
    route backup 0 0 x.x.2.2 250
    route backup 1.1.1.1 255.255.255.255 x.x.2.2
    Regards,
    Felipe.
    Remember to rate useful posts.

  • Problem: IPv6 w/ PPPoE on Cisco 2901

    Folks: I have this Cisco 2901 configured with PPPoE and IPv6 and connect it through a CO (DSLAM) to an Actiontec xDSL router. PPPoE connections are on FE0/0/0, through virtual template.
    The Actiontec router gets NA and PD addresses successfully and a LAN PC connected to the Actiontec router can surf the IPv6 Internet with no problem. However, the Cisco 2901 can't reach the Actiontec router by its NA or TA public IPv6 address. A 'stupid' workaround is to manually add a route via the virtual access interface. It is stupid because each new connection will bring up a different virtual access.
    I guess this is a bug on 2901, but want to confirm with you guys first. Now the whole config:
    version 15.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname AEI_SV_Cisco_2091
    boot-start-marker
    boot-end-marker
    logging buffered 51200 warnings
    no aaa new-model
    ipv6 unicast-routing
    ipv6 dhcp pool HE
    prefix-delegation pool HE-48
    address prefix 2001:470:1F05:7A::/64
    ipv6 cef
    ip dhcp pool default
    network 10.10.10.0 255.255.255.0
    default-router 10.10.10.1
    dns-server 10.10.10.1
    ip dhcp pool dslam1
    network 10.11.11.0 255.255.255.0
    default-router 10.11.11.1
    dns-server 10.11.11.1
    ip domain name yourdomain.com
    ip name-server 8.8.8.8
    ip name-server 8.8.4.4
    ip cef
    multilink bundle-name authenticated
    vpdn enable
    crypto pki token default removal timeout 0
    crypto pki trustpoint TP-self-signed-3962993046
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-3962993046
    revocation-check none
    rsakeypair TP-self-signed-3962993046
    crypto pki certificate chain TP-self-signed-3962993046
    certificate self-signed 01
                quit
    license udi pid CISCO2901/K9 sn FCZ15489123
    username admin privilege 15 secret 5 $1$.CdN$d0DXERD9PqUtu6XPilTv/.
    username chap password 0 chap
    bba-group pppoe global
    virtual-template 1
    sessions max limit 256
    interface Tunnel0
    description Hurricane Electric IPv6 Tunnel Broker
    no ip address
    ipv6 address 2001:470:1F04:7A::2/64
    ipv6 enable
    tunnel source 173.13.177.215
    tunnel mode ipv6ip
    tunnel destination 72.52.104.74
    interface Embedded-Service-Engine0/0
    no ip address
    shutdown
    interface GigabitEthernet0/0
    description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
    ip address 10.10.10.1 255.255.255.0
    ip nat inside
    ip nat allow-static-host
    ip nat enable
    ip virtual-reassembly in
    shutdown
    duplex auto
    speed auto
    ipv6 enable
    ipv6 dhcp server HE1
    interface GigabitEthernet0/1
    ip address 173.13.177.215 255.255.255.240
    ip nat outside
    ip nat enable
    ip virtual-reassembly in
    duplex auto
    speed auto
    interface FastEthernet0/0/0
    ip address 10.11.11.1 255.255.255.0
    ip nat inside
    ip nat enable
    ip virtual-reassembly in
    duplex auto
    speed auto
    ipv6 address 2001:470:1F05:7A::1/64
    ipv6 enable
    ipv6 nd managed-config-flag
    ipv6 nd other-config-flag
    ipv6 dhcp server HE
    pppoe enable group global
    interface FastEthernet0/0/1
    no ip address
    shutdown
    duplex auto
    speed auto
    interface Virtual-Template1
    mtu 1492
    ip unnumbered FastEthernet0/0/0
    ip nat inside
    ip nat enable
    ip virtual-reassembly in
    ipv6 enable
    ipv6 nd managed-config-flag
    ipv6 nd other-config-flag
    no ipv6 nd ra suppress
    ipv6 dhcp server HE
    peer default ip address dhcp-pool dslam1
    peer default ipv6 pool HE
    ppp authentication chap
    no routing dynamic
    ip forward-protocol nd
    no ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip dns server
    ip nat source list 1 interface GigabitEthernet0/1 overload
    ip route 0.0.0.0 0.0.0.0 173.13.177.222
    access-list 1 permit any
    ipv6 route ::/0 Tunnel0
    ipv6 local pool test 2001:470:7007::/48 64
    ipv6 local pool HE-48 2001:470:8008::/48 64
    control-plane
    line con 0
    login local
    line aux 0
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    stopbits 1
    line vty 0 4
    privilege level 15
    login local
    transport preferred none
    transport input all
    transport output all
    line vty 5 15
    privilege level 15
    login local
    transport preferred none
    transport input all
    transport output all
    scheduler allocate 20000 1000
    end
    See that both IPv4 and IPv6 are using the virtual template to get PPPoE to work. Everything's working fairly well on IPv4. I can ping from the Cisco to the 10.11.11.x address on the Actiontec router. But with IPv6, I can't ping the 2001:470:1f05:7a:: address on the Actiontec router. The correct route through virtual-access is not installed, or the F0/0/0 interface doesn't pass the IPv6 traffic to the corresponding virtual access interface:
    AEI_SV_Cisco_2091#sh ipv6 route
    IPv6 Routing Table - default - 7 entries
    Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
           B - BGP, R - RIP, I1 - ISIS L1, I2 - ISIS L2
           IA - ISIS interarea, IS - ISIS summary, D - EIGRP, EX - EIGRP external
           ND - Neighbor Discovery, l - LISP
           O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
           ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
    S   ::/0 [1/0]
         via Tunnel0, directly connected
    C   2001:470:1F04:7A::/64 [0/0]
         via Tunnel0, directly connected
    L   2001:470:1F04:7A::2/128 [0/0]
         via Tunnel0, receive
    C   2001:470:1F05:7A::/64 [0/0]
         via FastEthernet0/0/0, directly connected (this sounds correct, but I'm not able to reach client from this interface)
    L   2001:470:1F05:7A::1/128 [0/0]
         via FastEthernet0/0/0, receive
    S   2001:470:8008::/64 [1/0]
         via FE80::21F6:88C4:497E:6F9C, Virtual-Access2.2
    L   FF00::/8 [0/0]
         via Null0, receive
    Can someone help? Thanks!
    Henry

    Hi,
    The 'bug' I described above seems to apply only to packets the router generates itself. I tested it by creating a temporary subnet. Even though I had no end-to-end connectivity I could see packets matching the outbound ACL which were created from a host on that subnet.
    Carsten

  • What's wrong? Verify and compare Cisco 2901 config after loading old config from Cisco 2801

    Hi Cisco Community / Friends,
    I am new to this site though I have had a Cisco account for many years. I am a CCNA; I passed my certification in January 2013, but I seldom use my networking skills because of my type of work. I am a Project Engineer working in a system integrator company. Anyway, I would like to ask for assistance on the configuration of my Cisco router for this gov't project. Here's the situation.
    We have a new project for the VSAT comm'n of a Coast Watch Station. The VSAT was installed 7 years ago. The VSAT was only used for a year by this gov't agency because of a subscription issue. Now, they want to revive and use their VSAT facilities for the Coast Watch monitoring. Some of these routers are working up to now, and at some sites they are already defective, so I need to replace the old 2801 router with a new equivalent model, which is the Cisco 2901. My plan was just to load the old config into the new Cisco 2901 router. However, after loading it into the new router, I am a little worried because I got some errors. I loaded the old config by copying the old file, editing it in Notepad, and loading the config using SecureCRT (terminal emulator). When I copy the old config of the Cisco 2801 to the new Cisco 2901 router, below are the commands not recognized on the Cisco 2901. What's wrong? What are these commands for?
    Appreciate your comments and help on this matter. Thank you very much.
    Note: I attached the original config from the Cisco 2801; the other file is the config after I loaded the config file onto the Cisco 2901.
    (Errors, see below)
    CWS_4_Pandami(config-erm)#mmi polling-interval 60
                                                           ^
    % Invalid input detected at '^' marker.
    CWS_4_Pandami(config-erm)#no mmi auto-configure
                                                           ^
    % Invalid input detected at '^' marker.
    CWS_4_Pandami(config-erm)#no mmi pvc
                                                           ^
    % Invalid input detected at '^' marker.
    CWS_4_Pandami(config-erm)#mmi snmp-timeout 180
                                                            ^
    % Invalid input detected at '^' marker.
    CWS_4_Pandami(config-if)#interface GigabitEthernet0/1
    CWS_4_Pandami(config-if)# description ===CWS4 SAT Modem===
    CWS_4_Pandami(config-if)# bandwidth 256
    CWS_4_Pandami(config-if)# ip address 192.168.42.1 255.255.255.0
    CWS_4_Pandami(config-if)# duplex auto
    CWS_4_Pandami(config-if)# speed auto
    CWS_4_Pandami(config-if)# priority-group 1
                                                        ^
    % Invalid input detected at '^' marker.
    CWS_4_Pandami(config)#access-list 100 permit ip any any dscp cs5
    CWS_4_Pandami(config)#priority-list 1 protocol ip high list 100
                                                    ^
    % Invalid input detected at '^' marker.
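    When a whole old config is pasted into a new platform, the rejected lines scroll past quickly; the following added example (not from the post) pulls every command IOS refused out of a saved SecureCRT session so each one can be reviewed or replaced before the config is written. The transcript it runs on is constructed from the error output quoted above.

```python
# Added example, not from the post: list the commands the IOS parser refused
# in a pasted configuration session. TRANSCRIPT is constructed from the
# error output quoted in the post.
import re

TRANSCRIPT = """\
CWS_4_Pandami(config-erm)#mmi polling-interval 60
                                                       ^
% Invalid input detected at '^' marker.
CWS_4_Pandami(config-erm)#no mmi auto-configure
                                                       ^
% Invalid input detected at '^' marker.
CWS_4_Pandami(config-if)#interface GigabitEthernet0/1
CWS_4_Pandami(config-if)# description ===CWS4 SAT Modem===
CWS_4_Pandami(config-if)# ip address 192.168.42.1 255.255.255.0
CWS_4_Pandami(config-if)# priority-group 1
                                                    ^
% Invalid input detected at '^' marker.
CWS_4_Pandami(config)#access-list 100 permit ip any any dscp cs5
CWS_4_Pandami(config)#priority-list 1 protocol ip high list 100
                                                ^
% Invalid input detected at '^' marker.
"""

# A configuration-mode prompt: hostname, mode in parentheses, '#', then the command.
PROMPT = re.compile(r"^(?P<host>[\w.-]+)\((?P<mode>[^)]+)\)#\s*(?P<cmd>.*)$")
# The messages with which the IOS parser refuses a line.
ERRORS = ("% Invalid input", "% Incomplete command", "% Ambiguous command")

def rejected_commands(transcript):
    """Return (mode, command) for every command the parser refused, in order."""
    rejected, pending = [], None
    for raw in transcript.splitlines():
        line = raw.strip()
        m = PROMPT.match(line)
        if m:
            pending = (m.group("mode"), m.group("cmd").strip())
        elif line.startswith(ERRORS) and pending:
            rejected.append(pending)
            pending = None          # one error belongs to one echoed command
        # the lone '^' caret line and blank lines are skipped
    return rejected

def accepted_ratio(transcript):
    """Fraction of echoed commands the new router accepted, None if no prompts."""
    total = sum(1 for l in transcript.splitlines() if PROMPT.match(l.strip()))
    return 1 - len(rejected_commands(transcript)) / total if total else None

if __name__ == "__main__":
    for mode, cmd in rejected_commands(TRANSCRIPT):
        print(f"{mode:12} {cmd}")
```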

    Hi
    From Cisco's website:
    The Modem Management Interface (MMI) is software that enables auto-provisioning for the Cisco 827 routers. The MMI uses a fixed PVC to communicate with the Proxy Element (PE) residing on the digital subscriber line access multiplexer (DSLAM). Using MMI, the Cisco 827 router updates the running image and downloads the prescribed configuration using a configuration file or configuration values in a provisioning information database.
    The customer premise equipment (CPE) can be automatically configured using the Cisco DSL CPE download, but it can be configured only with the image provisioning feature.
    So because this is your device, you don't want to use MMI anyway.
    And "priority-list" is QoS. Probably that QoS command is old and removed, because now QoS is configured using class-maps and policy-maps.

  • Dual Wan and port routing

    Hi,
    I am setting up a configuration with an SA520W and 2 WANs, in load balancing. But I face a problem that I could not understand.
    Traffic is HTTP, SIP and 2 servers.
    Servers are for a VPN tunnel and a mail server with ActiveSync.
    Both services absolutely need port 443 on the external IP, and that's one of the dual WAN reasons.
    The 2 WANs are running, load balancing mode is enabled, and NAT routing in the firewall tab is as follows:
    443  Enabled     WAN     LAN     ALU_OpenVPN     ALLOW always     Any         192.168.0.150     WAN1     Always    
    443   Enabled     WAN     LAN     ActiveSync     ALLOW always     Any         192.168.0.254     WAN2     Always 
    If load balanced
    Port 443 is NOT routed from wan1 to 192.168.0.150
    Port 443 is routed from wan2 to 192.168.0.254
    If only WAN 1
    Port 443 is routed  from wan1 to 192.168.0.150
    If only WAN 2
    Port 443 is routed  from wan2 to 192.168.0.254
    In fact I did other testing and there is no port routing with WAN1 when load balancing is enabled, even on a port that is not used at all on WAN2.
    With a FileZilla FTP server, it's OK if on WAN2, and it stops before logging in if on WAN1 (on load balancing; OK in both cases if only one WAN).
    Firmware: latest 2.1.18
    Any clue??

    Hello,
    I confirm, there is a strange behaviour.
    Simple test:
    Dual WAN configured.
    An FTP server on the LAN (192.168.0.254), port 21.
    Firewall, IPv4 config:
    WAN   to   LAN     FTP     ALLOW always     Any         192.168.0.254     WAN1
    WAN   to   LAN     FTP     ALLOW always     Any         192.168.0.254     WAN2
    Then some testing using an FTP client outside the LAN, connecting from the Internet.
    Then, changing ONLY the WAN mode:
    1/ Use only single WAN port: Dedicated WAN
    ==> FTP connects through WAN1
    2/ Use only single WAN port: Optional WAN
    ==> FTP connects through WAN2
    3/ Load Balancing
    ==> FTP connects through WAN1
    ==> FTP does NOT connect through WAN1
    Is that a bug or do I have some strange stuff somewhere?
    I will pick up another SA520W from stock, brand new, update the firmware, configure the 2 WANs (inverting the 2 providers just in case) and do the same test.

  • VPN and a Dual Wan router confusion

    I am running a Border Manager 3.9 server with a Dual Wan router supplying the 2 ISPs load balancing to a single NIC on the Border Manager Server. I want to try setting up a VPN.
    What's the easiest, most pain-free way of doing this?
    Just wondering,
    [email protected]

    In article <[email protected]>, Rlmillies wrote:
    > What's the easiest, most pain-free way of doing this?
    >
    Hah! Well, inbound traffic in general can be problematical on a dual-WAN system.
    Here you have two issues, if the router is like ones I've worked on.
    First, load balancing. You can't (probably - this is based on my experience) set up a static NAT of one of the public IP addresses to the BM 'public' address and still load balance. My experience is that as soon as you do that, it forces both inbound and outbound traffic onto that particular WAN link, so it kills load balancing/failover.
    Which means you need to do port forwarding on the router for all the VPN ports. You will need TCP and UDP 353, and UDP 500 and 4500 inbound (and replies outbound). If using a site-site VPN, you also need TCP 213 inbound.
    You will have to configure the VPN address in BMgr to use one of the WAN public IPs. The VPN will only work on that one WAN link.
    Craig Johnson
    Novell Support Connection SysOp
    *** For a current patch list, tips, handy files and books on
    BorderManager, go to http://www.craigjconsulting.com ***

  • Trend Micro Dual WAN Issue

    Question from a partner:
    Has Trend fixed the hosted issue with two WAN connections?  It used to be that even though your device had dual WANs, Trend would only forward the emails to one of the connections.  If it went down, you had to submit an email request to move it to the other connection and it could be 12-24 hours before it went into effect and 99 times out of 100, the original WAN port would be back online.  It does slightly defeat the purpose of having Dual WANs if you cannot receive email in this day and age.
    Any help out there?
    Art

    I got with Trend on this because I thought it was something very interesting....
    here is what they said...
    I think you're talking about the same setup as a customer having 2 mail servers, right? If so we have had a solution for this for a while.
    They want us to send email to 1.1.1.1, but if that is down, send it to 2.2.2.2.
    They would use the MX record method.
    A customer would need to create a hostname that points to two MX records.
    Give the primary site IN MX 10 and the backup IN MX 20.
    Then we change the IMHS configuration to use the hostname they created.
    >cat imhs.multiple.customer.mailservers
    Hello,
    Our Postfix servers will only allow us to configure 1 IP address or 1 hostname in our transport file to deliver email back to the customer. If the customer has 2 or more mail servers they want us to use, they will need to create a new hostname DNS entry and point it to their multiple servers.
    If they want our servers to try to deliver the email to their mail servers in a specific order, say mailserver1 and if that server is not available then try to deliver the email to mailserver2, then they would need to set up the following DNS entries as an example:
    mailserver1.customerdomain.com.    IN  A  1.2.3.4
    mailserver2.customerdomain.com.    IN  A  2.3.4.5
    imhs.customerdomain.com.   IN MX 10 mailserver1.customerdomain.com.
    imhs.customerdomain.com.   IN MX 20 mailserver2.customerdomain.com.
    Then we set up our server to deliver to imhs.customerdomain.com.
    customerdomain.com     smtp:imhs.customerdomain.com:25
    If a specific order is not important then they can just make imhs.customerdomain.com point to multiple IP addresses:
    imhs.customerdomain.com.   IN A 1.2.3.4
    imhs.customerdomain.com.   IN A 1.2.3.5
    This will make our server send an email to 1.2.3.4 and the next email to 1.2.3.5, then to 1.2.3.4, etc.
    Then we set up our server to deliver to imhs.customerdomain.com.
    customerdomain.com     smtp:[imhs.customerdomain.com]:25
    Our servers will only deliver the email to the first server that will accept the email. They will not deliver the same email to both mail servers.
    I hope that is detailed enough,
    Regards,
    Nosa
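    The two DNS layouts in Nosa's reply behave differently on the sending side, and the following added example (not Trend's code) shows that difference: a sender orders its attempts by MX preference and falls back to the next host only when the preferred one refuses, while a name with only A records (or a bracketed Postfix transport, which skips the MX lookup) is tried address by address with no ordering guarantee. The zone data is the reply's own example, constructed inline; the set of accepting addresses stands in for a live connection attempt.

```python
# Added example, not Trend's code: delivery order from MX records and
# fallback to the next host. ZONE mirrors the records quoted in the reply.
import random
from itertools import groupby

ZONE = """\
mailserver1.customerdomain.com.  IN A  1.2.3.4
mailserver2.customerdomain.com.  IN A  2.3.4.5
imhs.customerdomain.com.         IN MX 10 mailserver1.customerdomain.com.
imhs.customerdomain.com.         IN MX 20 mailserver2.customerdomain.com.
"""

def parse_zone(text):
    """Minimal parser for 'name IN A addr' and 'name IN MX pref host' lines."""
    a, mx = {}, {}
    for line in text.strip().splitlines():
        name, _, rtype, *rdata = line.split()
        if rtype == "A":
            a.setdefault(name, []).append(rdata[0])
        elif rtype == "MX":
            mx.setdefault(name, []).append((int(rdata[0]), rdata[1]))
    return a, mx

def delivery_order(a, mx, domain):
    """Addresses to try, in order (RFC 5321 section 5.1): MX hosts by ascending
    preference, shuffled within equal preference; with no MX at all the
    domain's own A records are used (the implicit MX), which is also what a
    bracketed Postfix transport such as [imhs.customerdomain.com] gives."""
    if domain in mx:
        hosts = []
        for _, group in groupby(sorted(mx[domain]), key=lambda r: r[0]):
            same_pref = [host for _, host in group]
            random.shuffle(same_pref)
            hosts.extend(same_pref)
    else:
        hosts = [domain]
    return [addr for host in hosts for addr in a.get(host, [])]

def deliver(a, mx, domain, accepting):
    """First address that accepts the message, or None when every host refuses."""
    for addr in delivery_order(a, mx, domain):
        if addr in accepting:
            return addr
    return None

if __name__ == "__main__":
    A, MX = parse_zone(ZONE)
    print(deliver(A, MX, "imhs.customerdomain.com.", {"1.2.3.4", "2.3.4.5"}))  # 1.2.3.4
    print(deliver(A, MX, "imhs.customerdomain.com.", {"2.3.4.5"}))             # 2.3.4.5
```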
