Cisco 3945 Policy Base Routing
I have a Cisco 3945 with two DS3 lines on it, which I would like to treat independently of each other.
I can ping both Serial interfaces from the internet, and I can ping only GIG 0/0 from the internet. But since the router is configured with one static route, GIG 0/1 can't be pinged from the outside.
Any help would be greatly appreciated.
This is my current config:
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MOVLABT3-CA-ES
!
boot-start-marker
boot-end-marker
!
card type t3 1
card type t3 2
enable secret 4 oMCBqgRTCeX5XeEW3HsBW6zI763Fibuq/UrLhF/91Rs
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1015775704
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1015775704
 revocation-check none
 rsakeypair TP-self-signed-1015775704
!
crypto pki certificate chain TP-self-signed-1015775704
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31303135 37373537 3034301E 170D3132 30393237 31383132
  32305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 30313537
  37353730 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  810097B2 EE9BF6EF F19DDD93 71CA6D5B D672A749 6997BB7E 81256BFA A2BE8B0F
  E8EC5D36 F8618878 88C7016D D8998B95 293DE6F3 C0BB5CFE F2356AFD 26645A29
  F3BB69C9 46B6959B 98F35193 9729499A 8C9097FE BD0A80A4 727C87F8 963200CE
  E852DD3E 1F9F3B97 1DA1902D 7B352FAE 4FA08D32 95362373 887C6D02 6209152F
  73850203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 14BCCEA0 AF8EBDF2 05F01968 14CAE720 A41AE8FE EA301D06
  03551D0E 04160414 BCCEA0AF 8EBDF205 F0196814 CAE720A4 1AE8FEEA 300D0609
  2A864886 F70D0101 05050003 81810066 18505A9D 0D3C4C8F 0C90108D F0606014
  0EAE4129 2908928E D4DA7FDC 17D2A21A 4B2689F3 AF6CA062 82A5E7EF 1A0EDA37
  297AE79B 65F7182E ED4A57D7 081EC729 A85F2AFB 5A46136A F0F91853 46C89FA7
  A1D9F67F 83961EFF E92D7363 D2862517 D1214501 84D675A0 8561891F 4E791F32
  6E67990A 9A7B49F9 8D1A8CA0 51AAF2
  quit
!
license udi pid C3900-SPE150/K9 sn FOC16313DE8
hw-module sm 1
hw-module sm 2
!
controller T3 1/0
 cablelength 75
!
controller T3 2/0
 cablelength 75
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 207.168.4.49 255.255.255.240
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 206.135.120.114 255.255.255.240
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 206.135.100.202 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 dsu bandwidth 44210
!
interface Serial2/0
 ip address 205.214.40.6 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dsu bandwidth 44210
!
no ip classless
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 206.135.100.201
!
access-list 1 permit 10.0.0.0 0.0.0.255
snmp-server community RO-N1mS0ft RO
!
control-plane
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 login
 transport input all
!
scheduler allocate 20000 1000
end
This is what it looks like now, and I still can't ping gig 0/1 from the internet:
interface GigabitEthernet0/0
 ip address 207.168.4.49 255.255.255.240
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 206.135.120.114 255.255.255.240
 ip virtual-reassembly in
 ip policy route-map pbr
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 206.135.100.202 255.255.255.252
 ip virtual-reassembly in
 dsu bandwidth 44210
!
interface Serial2/0
 ip address 205.214.40.6 255.255.255.252
 ip virtual-reassembly in
 encapsulation ppp
 dsu bandwidth 44210
!
ip local policy route-map PBR
no ip classless
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 206.135.100.201
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 101 permit ip 206.135.120.112 0.0.0.15 any
!
route-map pbr permit 10
 match ip address 101
 set ip next-hop 205.214.40.5
!
snmp-server community RO-N1mS0ft RO
!
control-plane
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 login
 transport input all
!
scheduler allocate 20000 1000
end
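One thing to check first in the second configuration: IOS route-map names are case-sensitive, so `ip local policy route-map PBR` refers to a map that is never defined, while the map that was actually written is `pbr`. That matters here because the interface policy on Gig0/1 only steers transit packets entering that interface; the router's own echo replies to a ping of 206.135.120.114 are locally generated and pass only through the local policy. Without an effective local policy they follow the single default route out Serial1/0 carrying a 206.135.120.112/28 source address, which the upstream provider's ingress anti-spoofing filter will typically drop. The configuration below is an added example for this thread, not the poster's config and not Cisco documentation; it assumes the addresses in the post, takes 205.214.40.5 to be the provider side of the Serial2/0 /30, and adds a deny so traffic between the two local subnets is not pushed out to the provider.

```cisco
! Added example, not the original poster's configuration.
! Assumes the addresses from the post; 205.214.40.5 is taken to be the ISP2 peer on Serial2/0.
!
! Traffic that must leave via ISP2: anything sourced from the Gig0/1 block,
! except traffic to the other local subnet (207.168.4.48/28 on Gig0/0), which
! must keep being routed directly instead of via the provider.
access-list 101 deny   ip 206.135.120.112 0.0.0.15 207.168.4.48 0.0.0.15
access-list 101 permit ip 206.135.120.112 0.0.0.15 any
!
! One route-map name, referenced everywhere with identical case.
route-map PBR-ISP2 permit 10
 match ip address 101
 set ip next-hop 205.214.40.5
!
! Transit traffic from hosts behind Gig0/1 (return traffic for inbound connections).
interface GigabitEthernet0/1
 ip policy route-map PBR-ISP2
!
! Router-originated traffic (echo replies, SNMP, syslog sourced from 206.135.120.114)
! is never seen by an interface policy; only the local policy can steer it.
ip local policy route-map PBR-ISP2
!
! Everything else keeps following the ISP1 default route.
ip route 0.0.0.0 0.0.0.0 206.135.100.201
!
! Verification while pinging 206.135.120.114 from outside:
! show route-map PBR-ISP2      (policy routing matches counter should increase)
! show ip policy               (interface-to-route-map binding)
! show ip local policy         (local policy binding)
```

`show route-map PBR-ISP2` should show the policy-routing match counter climbing while the ping runs; `debug ip policy`, mentioned in one of the related threads, shows each decision but is noisy on a busy router. Because the local policy also catches SNMP, syslog and NTP sourced from the Gig0/1 address, those will consistently leave via ISP2 as well, which is the intended behaviour for a block assigned by that provider.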
Similar Messages
-
CAT 3750 policy-based routing performance
Does anybody know where I can find data about the performance of routing on a Catalyst 3750 when I use policy-based routing on it? And what methods of packet switching are available with policy-based routing?
Check out the following link on configuring PBR on Catalyst 3750 switches:
http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_guide_chapter09186a0080502417.html#wp1228588 -
IP helper address with policy-based routing
Does ip helper work with policy-based routing? And if so, how, and what version of the router software do you need?
Thanks
The first function at the ingress interface is ip helper; the second function at the same ingress interface is policy-based routing.
We have the same situation regarding ip nat in combination with policy-based routing. -
Hi,
I attach a picture.
I want to answer any user from the same router.
Example:
A request from user1 arrives from ISP1; I answer it from the same ISP1 router.
I think the ASA does not support PBR. Please help me with the same scenario.
Policy-based routing, similar to what an IOS router can do based on incoming traffic and then overriding the routing table for the next hop, isn't a feature in the ASA.
We can do policy-based NAT, inspection and filtering, but not policy-based routing. -
Hi all,
I have one ASA 5525 with 2 ISPs connected to the ASA and 4 LANs behind the ASA. I need subnet1 and subnet2 to access the internet via ISP1, and subnet3 and subnet4 to access the internet via ISP2. What are the steps to complete this requirement? Please see the diagram in the attached file. Thanks for the support.
Hi,
Have a look at this link for a config example:
https://supportforums.cisco.com/document/32186/dual-internet-links-nating-pbr-and-ip-sla
HTH -
WSA and Cisco policy-based routing
I'm looking to convert my WSA from explicit to transparent proxy using policy-based routing on a Cisco router. See the config below, where xxx.xxx.xxx.xxx is the P1 interface on the WSA. Does anyone see any issues with the following in a production environment?
access-list 110 permit tcp any any eq www
!
route-map proxy-redirect permit 10
 match ip address 110
 set ip next-hop xxx.xxx.xxx.xxx
!
interface ethernet0/1
 ip policy route-map proxy-redirect
The P1 interface on the WSA is located upstream from the router, so I'm not checking for it in the ACL.
That router configuration looks good to me, but just make sure that the WSA was configured for transparent mode during the initial System Setup Wizard configuration. If it was initially configured for explicit only, then you will need to run the wizard again to change it to transparent.
Also, make sure to add a deny statement to the top of access-list 110 for the WSA IP address if the WSA will be going out to the Internet through the same e0/1 interface. Loops are bad. :twisted:
Cheers,
Jason -
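An added example, not Jason's or the original poster's configuration, of the same redirect with the deny Jason describes placed first, plus next-hop tracking so that a WSA that stops answering does not black-hole all web traffic. `WSA-P1-ADDR` is a placeholder for the WSA's P1 address (the xxx.xxx.xxx.xxx in the post) and must be replaced with the real address; `ip sla`, `track` and `set ip next-hop verify-availability ... track` are standard IOS commands.

```cisco
! Added example, not the poster's or Jason's configuration.
! WSA-P1-ADDR is a placeholder for the WSA P1 interface address.
!
! Reachability probe for the proxy; the WSA must answer ICMP on P1 for this to work.
ip sla 1
 icmp-echo WSA-P1-ADDR
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Redirect ACL: the WSA's own outbound web traffic is excluded first, otherwise
! it would be policy-routed straight back to the WSA (the loop the reply warns about).
access-list 110 deny   tcp host WSA-P1-ADDR any eq www
access-list 110 permit tcp any any eq www
!
route-map proxy-redirect permit 10
 match ip address 110
 ! The next hop is only applied while track 1 is up; otherwise the packet is routed normally.
 set ip next-hop verify-availability WSA-P1-ADDR 10 track 1
!
interface ethernet0/1
 ip policy route-map proxy-redirect
!
! Verification:
! show track 1                 (state of the reachability object)
! show route-map proxy-redirect (policy routing matches counter)
```

With the track object down the set clause is skipped and matching packets follow the normal routing table, i.e. they reach the Internet without passing the proxy. That is fail-open behaviour; if policy requires web traffic to be blocked rather than unfiltered while the proxy is down, leave out the tracking and accept the outage instead.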
Debug IP Policy on Cisco 4451-X ISR Router
The Cisco 4451-X ISR router is running IOS XE Software version 03.13.00.S. I am trying to run the command "debug ip policy" on the router to verify whether the traffic is policy-routed correctly, but I get no output displayed on the router for the debug command. I am connected via a console cable and logging console is enabled. How do I get the debug output to display on the router for monitoring? Thanks.
Actually, you can use a TFTP server...
First of all, create a text file using a text editor (call it 'dhcpstatic', for instance) with the following contents (don't include the dashes):
*time* Jan 21 2005 03:52 PM
*version* 1
!IP address Type Hardware address Lease expiration
172.16.12.100 /24 1 0011.4342.e9a5 Infinite
Then do the following:
no service dhcp
ip dhcp pool pool1
 network 172.16.12.0 255.255.255.0
 domain-name xxxdomain.com
 dns-server 172.16.12.20 172.16.12.21
 netbios-name-server x.x.x.x
 default-router 172.16.12.1
 lease 0 12
 origin file tftp:///dhcpstatic
Then do a 'service dhcp'...
Once you have this working, we can do a further optimisation by storing the file on your switch so that you don't need to use a TFTP server...
Hope that helps - pls rate the post if it does.
Paresh -
Hi,
I have a Cisco 3945 router with image "c3900-universalk9-mz.SPA.150-1.M1.bin", and now I want to check whether SRST can be enabled on it or not.
I have checked it with the output of "show call-manager fallback" and "show call-manager fallback all", and I am attaching the output of the same. Please confirm whether SRST is already configured on it or not.
And if it is not configured, how do I configure it?
Hi Chris,
Thank you for your reply. I have one more query on this.
After creating a new Device Pool for SRST, we need to move the remote IP phones from their original Device Pool and map them into the newly created Device Pool. So in the scenario of calls working through the WAN link, will those phones work, as we have removed them from their original Device Pool? -
Cisco 3945 Router error while adding in CiscoWorks
Hi,
I have a Cisco 3945 router, and when we try to add it into CiscoWorks it gives me an error saying "CM0056 Config fetch failed for 192.168.xx.xx Cause: CM0204 Could not create DeviceContext for 1238 Cause: CM0206 Could not get the config transport implementation for 192.168.xx.xx Cause: UNKNOWN Action: Check if required device packages are available in RME. Action: Check if protocol is supported by device and required device package is installed."
We are using LMS version 2.6. Please let me know whether the latest 3945 router is supported or not.
Thanks in advance.
Thanks & Regds,
Lalit
Hi Joe,
Thanks for the quick reply. The following versions we are using:
LMS 2.6, RME: 4.0.5.
Is it confirmed, Joe, that the older version will not support new Cisco devices, i.e. the 3945 router? Any documents would be very helpful with regard to the same.
Thanks & Regds,
Lalit -
CISCO 3945 Router - ARE POWER SUPPLIES LOAD BALANCED?
Cisco 3945 routers - are the 3945 router power supplies load balanced by default?
We are trying to determine if our switch/server rack at our remote location has maxed out its power load requirements. I just need to know if the 3945 power supplies load balance by default, or if the redundant power supply is ON but not really providing the router with power and is just there in case the other power supply fails - thank you.
Thank you for your reply. I had read that the "Cisco 3845 and 3845-NOVPN router accommodates two hot-swappable power supplies and a single power supply meets router requirements. The second power supply provides redundancy, load sharing, and increased router availability. Either power supply can be removed without affecting router operation. Any combination of two power supplies is permitted."
Unfortunately, I couldn't find any specific information for the 3900 series routers that stated it also load balanced power.
Follow-up question: Do you know if the 3800 series routers load share by default? I know they are capable of power load sharing based on the above description, but do they load share equally by default? If that's the case for the 3800s then hopefully that's the case for the 3900 series routers, which means we have not maxed out our power requirements in our racks. -
Dear Support Community,
Previously we had a CMM model on the core; now we are upgrading the E1 on a Cisco 3945 router.
Under "voice service voip" on the CMM model it is configured as "fax protocol t38 ls-redundancy 0 hs-redundancy 0 fallback cisco",
but on the 3945 router it is taken as "fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none". A little change from cisco to none; does it work fine, or do I need to configure it as
"fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback pass-through g711alaw"?
And even in the dial-peer:
On the CMM model:
dial-peer voice 54 voip
 destination-pattern xxxx
 voice-class h323 1
 session protocol sipv2
 session target ipv4:x.x.x.x
 dtmf-relay rtp-nte
 codec g711ulaw
 fax protocol t38 ls-redundancy 0 hs-redundancy 0 fallback cisco
 no vad
On the 3945 router:
 fax protocol t38 ls-redundancy 0 hs-redundancy 0 fallback pass-through g711alaw
So please advise which one we need to configure for the fax services, none or pass-through g711alaw, because on the CMM we used cisco and now it is not available.
Highly appreciated for your fast response.
Thanks
Syed
Just adding the root cause: The PVDM3 modules in the ISR G2 hardware no longer support proprietary [legacy] Cisco Fax Relay. They only support fax passthrough or T.38 fax relay.
As Paolo stated, assuming everything is behaving and supports T.38 (more on that in a moment), you should be fine since they will negotiate T.38. If something doesn't cooperate they will not have compatible fallback options, and the fax would fail at that point. The most common example of a device that supports ONLY passthrough is the ATA-186. It didn't have the CPU capacity to run relay, Cisco or T.38.
Since the older CMM and 3800 hardware also support g711ulaw fax passthrough, I suggest updating the config on the legacy hardware to do that for fallback instead of Cisco fax relay.
Please remember to rate helpful responses and identify helpful or correct answers. -
Cisco 3945 - boot up fails with no error
Greetings,
Just throwing it out there to see if anyone can throw some ideas my way. I recently sent a working/tested Cisco 3945 ISR router out to an office for redundancy. Before I did that, I removed the WLAN controller and slot module, 1x VWIC2 T1 and 1x VIC2 FXO modules. I did however leave the PVDM3 64ch and 1x VWIC T1 modules and the flash card, which had a v15 IOS loaded and a basic config. Upon delivery they said it doesn't work, "it hangs", and there is no damage externally or failed hardware (power supplies/fans). These things always make me wonder, because "hangs" is so vague and I do not really see Cisco routers do this unless they are taking larger than normal packets or someone turned on debugging without turning it off.
Here's my thinking, and I hope someone can chime in and throw some ideas at me before I get on a call with them on Monday. I attached a screenshot they sent of the boot up, and it looks to me that it's trying to initialize the current config file, which may be trying to initialize the voice channels. Could this be as easy as killing the current config loaded, going into rommon and setting it back to default maybe? Or just removing the PVDM card maybe?
I hate to say something is just broken; I rarely see this, and since I powered it up and tested the hardware, I don't want to involve TAC until I can rule out the obvious. I did, however, test and power down the router before removing the additional hardware. Would the current config on the router, which may have lingering hardware (which I removed) in the config, cause this to happen as well?
Side note: The flash was cleared, and below were the contents of the flash before sending out the router.
Router#sho flash
-#- --length-- -----date/time------ path
1 55277232 Jul 07 2014 07:51:20 c3900-universalk9-mz.SPA.150-1.M3.bin
201228288 bytes available (55279616 bytes used)
Thanks in advance
Remove all modules and boot.
Another thing, your IOS is very old. VERY.
If you want to stick with the 15.0(1)M series then go to M10, but don't just "sit" on an old M3. -
Policy Based Routing with VPN Client configuration
Hi to all,
We have a Cisco 2800 router in our company that also serves as a VPN server. We use the VPN Client to connect to our corporate network (please don't laugh, I know that it is very obsolete, but I haven't had the time lately to switch to SSL VPN).
The router has two WAN connections. One is the primary WAN ("slow WAN" link with slower upload, 10D/1U Mbps), and it is used for the corporate workstations used by the employees. The other is our backup link. It has a higher upload speed, 11D/11U Mbps ("fast WAN"), and thus we also use the high-upload link for our web server (I have done this using PBR just for the HTTP traffic from the web server). For numerous other reasons we cannot use the `fast wan` connection as our primary connection, and it is used only as a failover in case the primary link fails.
The `fast wan` also has a static IP address, and we use this static IP for the VPN Client configuration.
Now the thing is that because of the failover, when we connect from the outside using the VPN Client, the traffic comes in from the `fast wan` interface but exits from the `slow wan` interface. And because the `slow wan` has only 1 Mbps upload, the VPN connection is slow.
Is there any way for us to redirect the VPN traffic to always use the `fast wan` interface and take advantage of the 11 Mbps upload speed of that connection?
This is our sanitized config:
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group dc
 key ***
 dns 192.168.5.7
 domain corp.local
 pool SDM_POOL_1
 acl 101
 max-users 3
 netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
 match identity group dc
 isakmp authorization list sdm_vpn_group_ml_1
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set security-association idle-time 3600
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
!
interface Loopback0
 ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet0/0
 description *WAN*
 no ip address
 ip mtu 1396
 duplex auto
 speed auto
!
interface FastEthernet0/0.3
 description FAST-WAN-11D-11U
 encapsulation dot1Q 3
 ip address 88.XX.XX.75 255.255.255.248
 ip load-sharing per-packet
 ip nat outside
 ip virtual-reassembly
!
interface FastEthernet0/0.4
 description SLOW-WAN-10D-1U
 encapsulation dot1Q 4
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 no cdp enable
!
interface FastEthernet0/1
 description *LOCAL*
 no ip address
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1.10
 description VLAN 10 192-168-5-0
 encapsulation dot1Q 10
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly max-reassemblies 32
 no cdp enable
!
interface FastEthernet0/1.20
 description VLAN 20 10-10-0-0
 encapsulation dot1Q 20
 ip address 10.10.0.254 255.255.255.0
 ip access-group PERMIT-MNG out
 ip nat inside
 ip virtual-reassembly
 !!! NOTE: This route map is used to PBR the http traffic for our server
 ip policy route-map REDIRECT-VIA-FAST-WAN
 no cdp enable
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Virtual-Template3
 no ip address
!
interface Virtual-Template4
 no ip address
!
ip local pool SDM_POOL_1 192.168.5.150 192.168.5.152
ip forward-protocol nd
!
!!! SLOW-WAN NEXT HOP DEFAULT ADDRESS
ip route 0.0.0.0 0.0.0.0 89.XX.XX.1 5
!!! FAST-WAN NEXT HOP DEFAULT ADDRESS
ip route 0.0.0.0 0.0.0.0 88.XX.XX.73 10
!
ip nat inside source route-map FAST-WAN-NAT-RMAP interface FastEthernet0/0.3 overload
ip nat inside source route-map SLOW-WAN-NAT-RMAP interface FastEthernet0/0.4 overload
!
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
access-list 101 permit ip 10.10.0.0 0.0.0.255 any
!
ip access-list extended FAST-WAN-NAT
 permit tcp 192.168.5.0 0.0.0.255 range 1025 65535 any
 permit udp 192.168.5.0 0.0.0.255 range 1025 65535 any
 permit icmp 192.168.5.0 0.0.0.255 any
 permit tcp 10.10.0.0 0.0.0.255 range 1025 65535 any
 permit udp 10.10.0.0 0.0.0.255 range 1025 65535 any
 permit icmp 10.10.0.0 0.0.0.255 any
ip access-list extended REDIRECT-VIA-FAST-WAN
 deny tcp host 10.10.0.43 eq 443 9675 192.168.5.0 0.0.0.255
 permit tcp host 10.10.0.43 eq 443 9675 any
ip access-list extended SLOW-WAN-NAT
 permit ip 192.168.5.0 0.0.0.255 any
 permit ip 10.10.0.0 0.0.0.255 any
!
route-map FAST-WAN-NAT-RMAP permit 10
 match ip address FAST-WAN-NAT
 match interface FastEthernet0/0.3
!
route-map REDIRECT-VIA-FAST-WAN permit 10
 match ip address REDIRECT-VIA-FAST-WAN
 set ip next-hop 88.XX.XX.73
!
route-map SLOW-WAN-NAT-RMAP permit 10
 match ip address SLOW-WAN-NAT
 match interface FastEthernet0/0.4
Can you try to use the PBR Match Track Object?
Device(config)# route-map abc
Device(config-route-map)# match track 2
Device(config-route-map)# end
Device# show route-map abc
route-map abc, permit, sequence 10
Match clauses:
track-object 2
Set clauses:
Policy routing matches: 0 packets, 0 bytes
Additional References for PBR Match Track Object
This feature is a part of IOS-XE release 3.13 and later.
PBR Match Track Object
Cisco IOS XE Release 3.13S
The PBR Match Track Object feature enables a device to track the stub object during Policy Based Routing.
The following commands were introduced or modified: match track tracked-obj-number
Cheers,
Sumit -
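An added example for this thread, not the poster's configuration and not the `match track` approach in the reply: since the VPN terminates on the router itself, the IKE and ESP packets it sends back to clients are router-originated, and only `ip local policy` (not an interface policy) can steer them. The ACL matches only traffic sourced from the fast-WAN address on UDP 500, UDP 4500 and ESP, so nothing else is affected. The addresses are the post's own sanitized values (88.XX.XX.75 for the fast-WAN interface, 88.XX.XX.73 for its gateway) and have to be replaced with the real ones.

```cisco
! Added example, not the poster's configuration or the reply's suggestion.
! 88.XX.XX.75 = fast-WAN interface address, 88.XX.XX.73 = fast-WAN gateway (sanitized values from the post).
!
! Router-originated IPsec traffic only: IKE (UDP 500), NAT-T (UDP 4500) and ESP,
! sourced from the fast-WAN address. Web-server and workstation traffic is untouched.
ip access-list extended VPN-VIA-FAST-WAN
 permit udp host 88.XX.XX.75 eq isakmp any
 permit udp host 88.XX.XX.75 eq non500-isakmp any
 permit esp host 88.XX.XX.75 any
!
route-map LOCAL-VPN-VIA-FAST-WAN permit 10
 match ip address VPN-VIA-FAST-WAN
 set ip next-hop 88.XX.XX.73
!
! The VPN endpoint is the router, so these packets are locally generated and pass
! only through the local policy; an interface policy on FastEthernet0/0.3 would never see them.
ip local policy route-map LOCAL-VPN-VIA-FAST-WAN
!
! Verification with a client connected:
! show route-map LOCAL-VPN-VIA-FAST-WAN (policy routing matches counter)
! show ip local policy
```

`show route-map LOCAL-VPN-VIA-FAST-WAN` should show matches as soon as a client negotiates. The existing `ip policy route-map REDIRECT-VIA-FAST-WAN` on FastEthernet0/1.20 keeps working unchanged; interface policies and the local policy are evaluated independently.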
Hi,
Which router can accommodate the maximum number of Fast Ethernet ports?
We have several offices connected through LL. We need the maximum number of ports to accommodate the LL.
Regards
Rajat
Hi,
Please find below:
http://www.cisco.com/c/en/us/products/routers/3900-series-integrated-services-routers-isr/series-comparison.html
Now coming down to the question... if you read the link below you would decide to go with the 3945 router.
http://www.cisco.com/c/en/us/products/routers/3945-integrated-services-router-isr/index.html
3945E:
http://www.cisco.com/c/en/us/products/routers/3945e-integrated-services-router-isr/index.html
The only difference you see is that the 3945E will have one extra port (4 integrated 10/100/1000 Ethernet ports with 2 SFP ports), whereas the 3945 will have 3 integrated Ethernet ports with 2 SFP.
HTH
Regards
Inayath
*Plz rate if this info is helpful. -
I observed two Cisco 3945 routers lose their IOS during password recovery. The router was rebooted, the break sequence Ctrl-Break was sent, then boot (instead of reset) was issued. The router booted to its existing configuration, or password recovery failed, and the router was power cycled again and then Ctrl-Break issued. However, this time the IOS was gone and all flash file systems were blank! It happened on two routers. Does anyone know why such an anomaly would occur, or has anyone witnessed such a thing?
The config register was set to confreg 0x2142 the first time password recovery was attempted. It took, but only after the power cycle (not when I simply typed boot), but by then the IOS images were gone. I found that very disturbing when it happened on two different routers, and I had never seen such a thing happen to a router before.