Cisco CSR 1000v and General comment on SDN/NFV
Now that Cisco has produced this magnificent compute engine, coupled with this equally excellent Data Centre grade switching family, both of which seem to be maturing, I am struggling - repeatedly - to convince myself that not only is near-complete virtualisation desirable, it is in fact inevitable, and I should be making steps towards planning this today.
Can anyone share their experiences with the CSR1000v: the successes, failures and recommendations?
If, from a cloud provider's point of view, they can provide multi-tenanted environments, then from an enterprise point of view why can I not simply leverage this same approach to logical division for my own trusted/semi-trusted/untrusted network segments? Why should I not basically put as many services as I possibly can into a virtual environment, provide the bare basics for my own store/transport/compute requirements and present an ethernet hand-off to everything else? Let my carrier deal with the variability in the circuit type, and connect to them with ethernet, leaving me with a near completely uniform architecture that simply scales up as I need it? More horsepower? New blade, new chassis, new filer, new core? Bolt on, snap off, etc. In the SDN environment is there really a tool that is 'overkill'? Can it not just be scaled back or up depending on my needs, which are likely to change dependent on my company's business cycles?
Are there any strong arguments against this kind of approach now?
Is Cisco now building "software instances" that are more service-based as opposed to routers? For instance, could the CSR1000v evolve to become the "appliance of the Cisco portfolio"? Should Cisco write software for NetFlow analysis running on UNIX/Wintel when they have already written software, in the shape of the Master Controller, that is already doing this? If this is the case, would they only really need to develop a web front end or XML API that would provide a human-readable format for the presentation of this data? If not, why not use the CSR1000v as a platform for this development? With PfR, FabricPath/TRILL and LISP, is there a justification for getting maybe a more graphical visibility of traffic flows like https://www.youtube.com/watch?v=3dHH_nVPyug, or is the intention to leave this for third parties?
Similar Messages
-
Cisco CSR 1000V doesn't forward packets
Hi,
I have an evaluation Cisco CSR 1000V. I set up an IPsec connection correctly:
CISCO1000V# sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
1.1.1.1 2.2.2.2 QM_IDLE 1007 ACTIVE
IPv6 Crypto ISAKMP SA
Policy:
Extended IP access list IPSEC
10 permit ip 10.122.20.0 0.0.0.255 10.255.0.0 0.0.0.255 log
20 permit ip 10.255.0.0 0.0.0.255 10.122.20.0 0.0.0.255 log
IPSEC is set up on GigabitEthernet 2 (PEER IP)
Internal interface (GigabitEthernet 1) has IP 3.3.3.3. On my server (in subnet 10.122.20.x) I set up a route to 10.255.0.0/24 via 3.3.3.3.
When I run ping from my server to address 10.255.0.0.1 I don't see any encrypted counters increase....
I don't have any other ACLs.
Where is the problem?
-
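Two things decide whether that ping ever gets encrypted: the flow has to match a permit entry in the crypto ACL, and the packet has to be routed out of the interface that carries the crypto map (GigabitEthernet 2 here), so the CSR itself needs a route for 10.255.0.0/24 pointing that way, not just the server. The address as typed in the post, 10.255.0.0.1, is not a valid IPv4 address, so it is worth confirming the real target sits inside 10.255.0.0/24. The script below is an added example, not code from the post or from Cisco: it parses an IOS extended ACL in the 'show access-list' format shown above and evaluates a flow against it with IOS first-match semantics, so you can check "is this interesting traffic?" before chasing the tunnel. The server address 10.122.20.5 is a constructed value inside the poster's 10.122.20.x subnet.

```python
import ipaddress

# Constructed copy of the ACL shown in the post ('show access-list' format).
ACL_TEXT = """
Extended IP access list IPSEC
    10 permit ip 10.122.20.0 0.0.0.255 10.255.0.0 0.0.0.255 log
    20 permit ip 10.255.0.0 0.0.0.255 10.122.20.0 0.0.0.255 log
"""

ALL_ONES = 0xFFFFFFFF


def _is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def _parse_addr(tokens, i):
    """Consume one IOS address spec at tokens[i]: 'any', 'host A.B.C.D', or
    'A.B.C.D W.W.W.W' (address plus wildcard, i.e. inverted mask).
    Returns ((address_int, wildcard_int), next_index)."""
    tok = tokens[i]
    if tok == "any":
        return (0, ALL_ONES), i + 1
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tok))
    if i + 1 < len(tokens) and _is_ipv4(tokens[i + 1]):
        return (addr, int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2
    return (addr, 0), i + 1  # bare address: treat as a single host


def parse_acl(text):
    """Parse the permit/deny entries of an extended IP ACL listing.
    Trailing keywords (log, eq ..., established) are ignored: this checker
    only evaluates the protocol and the two address/wildcard pairs."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        seq = None
        if tokens[0].isdigit():
            seq = int(tokens[0])
            tokens = tokens[1:]
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
            continue
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)
        entries.append({"seq": seq, "action": action, "proto": proto,
                        "src": src, "dst": dst})
    return entries


def _covers(spec, ip_int):
    # Bits cleared in the wildcard must match exactly; bits set are "don't care".
    addr, wildcard = spec
    return ((ip_int ^ addr) & ~wildcard & ALL_ONES) == 0


def match_flow(acl, proto, src_ip, dst_ip):
    """First-match evaluation, as IOS does it. Returns (seq, action) of the
    matching entry, or None if the flow falls off the end (implicit deny:
    not interesting traffic, so it is never handed to IPsec)."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for e in acl:
        if e["proto"] not in ("ip", proto):
            continue
        if _covers(e["src"], s) and _covers(e["dst"], d):
            return (e["seq"], e["action"])
    return None


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    print(match_flow(acl, "icmp", "10.122.20.5", "10.255.0.1"))  # matches seq 10
    print(match_flow(acl, "icmp", "10.122.20.5", "10.255.1.1"))  # outside the /24
```

If the flow matches and the ISAKMP SA is ACTIVE but 'show crypto ipsec sa' still shows zero encaps, the usual remaining cause is routing: the CSR is sending the 10.255.0.0/24 packets out an interface other than the one the crypto map is applied to.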
IOS5 "Reminders" bug and general comments
I found a problem with the new app "Reminders" and the location (GPS) function... if you use "Restrictions" to stop someone without the security code disabling GPS, then the Reminders app won't allow you to add a location to the reminder that you are creating... and obviously I grant access to location services to the Reminders app in the Restrictions settings.
Comments:
Notifications in the lock screen are great but they should be persistent... at this time, if you have notifications and unlock the iPhone and then lock it again without checking the notifications, the lock screen won't display any unread/unchecked notification; it just clears the notifications, but you may want to keep the information that you have not checked.
The notification scroll bar should show you information when you start scrolling down... at this time you have to scroll the bar completely down, or at least half of it, to see any information.

paulfromburke wrote:
Can reminders have the capability to link them to contacts so with a push of a button the number is dialed, email generated or texted app opened; have active URLs embedded so if I want to go to a site, it will open Safari; or the map open on an address?
No. -
Cisco CSR 1000V - BDI learning mac address
Hello all,
about BDI, I know it is not supported through OTV. DDTS CSCuj59314 has been logged to track support of BDI over OTV. Anyone know if this problem is resolved?
Thanks in advance
Roberto Loiudice

Hello,
no one else has encountered the same problem?
In general, has anyone managed to run csr1000v correctly as an SSL VPN terminator in an Amazon environment?
Any example / network schema / suggestion?
Thanks in advance for any replies.
Paolo -
Build a Cisco CCNA/CCNP/CCIE Virtual Lab with ArchLinux and CSR-1000V
Hi All,
I'm working on the CCIE certification, thought I would share with you my scripts for building a virtual LAB. I'm using ArchLinux and the latest CSR-1000V (ISO) as of June 20th. Cisco should allow you to download this ISO for free. You'll be limited to 100kb/sec out of the box, but you can also get a free 60-day eval license that will unlock 50MB/sec.
These scripts assume you have QEMU installed of course, bridge-tools, etc.
Probably want to enable KSM first
echo 1 >/sys/kernel/mm/ksm/run
This script makes one virtual disk per virtual router. I suppose you could boot one router, let it go through the install, then power it off, then use that disk as the parent for many others (qemu backing_file). However, the CSR-1000V seems to generate various UUIDs for itself during this process and I wasn't sure how this might affect the trial license.
Boot'em up:
# How many vrouters you want
ROUTERS="1 2 3"
# Location of your ISO
ISO="/mnt/nfs/downloads/csr1000v-universalk9.03.15.00.S.155-2.S-std.iso"
# Path virtual hard drive storage
VDISKS="/srv/qemu"
# Build Virtual Disks (might only want to do this once)
for x in $ROUTERS; do
sudo qemu-img create -f raw $VDISKS/r$x.raw 8G
done
for x in $ROUTERS; do
sudo nice qemu-system-x86_64 -name r$x -daemonize -enable-kvm \
-nodefconfig -nodefaults -no-shutdown -rtc base=utc \
-S -cpu host -m 4096 -smp 1,sockets=4,cores=1,threads=1 -balloon virtio \
-drive if=virtio,media=disk,cache=none,format=raw,file=$VDISKS/r$x.raw \
-drive if=ide,index=1,media=cdrom,file=$ISO \
-net nic,vlan=1,macaddr=68:09:68:09:68:5$x,model=virtio \
-net tap,vlan=1,script=no \
-net nic,vlan=2,macaddr=68:09:68:09:69:5$x,model=virtio \
-net tap,vlan=2,script=no \
-serial telnet:127.0.0.1:720$x,server,nowait \
-monitor telnet:127.0.0.1:710$x,server,nowait,nodelay \
-nographic
echo Booting Router $x
done
Note that the VMs boot in CPU suspended state. That's because the CSR-1000V ISO installer doesn't correctly auto-detect serial-console mode, so you have to manually select it (but only on first boot; subsequent boots seem to get it right).
So, get xterm's going and in each one, telnet to the virtual serial port: 7201, 7202, 7203, and so on for each router.
Boot them each with this command
echo "cont" | nc 127.0.0.1 7101
echo "cont" | nc 127.0.0.1 7102
and so on
Now just tie together the interfaces however you want. For the connectivity in the picture, use the following:
# Build lab ethernet segments
for x in 1 2 3; do
brctl addbr lab$x
ip link set up dev lab$x
done
# Bring up tap devices - allocated by QEMU but not up'd
for x in 0 1 2 3 4 5; do
ip link set up dev tap$x
done
# Virtually plug in our ethernet cables to correct switch ports
brctl addif lab1 tap0
brctl addif lab1 tap2
brctl addif lab2 tap3
brctl addif lab2 tap5
brctl addif lab3 tap1
brctl addif lab3 tap4
Sample configurations for each router:
Router 1:
en
conf t
hostname r1
no ip domain-lookup
cdp run
int gi1
ip address 192.168.101.1 255.255.255.0
cdp enable
no shut
int gi2
ip address 192.168.103.1 255.255.255.0
cdp enable
no shut
router eigrp 6809
network 192.168.101.0
network 192.168.103.0
redistribute connected
end
wr
Router 2:
en
conf t
hostname r2
no ip domain-lookup
cdp run
int gi1
ip address 192.168.101.2 255.255.255.0
cdp enable
no shut
int gi2
ip address 192.168.102.2 255.255.255.0
cdp enable
no shut
router eigrp 6809
network 192.168.101.0
network 192.168.102.0
redistribute connected
end
wr
Router 3:
en
conf t
hostname r3
no ip domain-lookup
cdp run
int gi1
ip address 192.168.103.3 255.255.255.0
cdp enable
no shut
int gi2
ip address 192.168.102.3 255.255.255.0
cdp enable
no shut
router eigrp 6809
network 192.168.102.0
network 192.168.103.0
redistribute connected
end
wr
Last edited by gshearer (2015-06-20 16:47:36)

Very interesting, but I think it fits better in the wiki than on the forum.
Care to create a wiki page? -
Hi,
We are planning to install Cisco Nexus 1000v in our environment. Before we install it we want to explore Cisco Nexus 1000v a little bit.
• I know there are 2 elements for Cisco 1k, VEM and VSM. Is the VSM required? Can we configure the VEM individually?
• How does Nexus 1k integrate with vCenter? Can we do all Nexus 1000v configuration from vCenter without going to the VEM or VSM?
• In terms of alarming and reporting, do we need to get SNMP traps and gets from individual VEMs, or can we use the VSM to do that? Or can we get Cisco Nexus 1000v alarming and reporting from VMware vCenter?
• Apart from using the Nexus 1010, what's the recommended hosting location for the VSM (same host as the VEM, different VM, different physical server)?
Foyez Ahammed

Hi Foyez,
Here is a brief on the Nexus1000v and I'll answer some of your questions in that:
The Nexus1000v is a virtual distributed switch (software based) from Cisco which integrates with the vSphere environment to provide uniform networking across your VMware environment for the hosts as well as the VMs. There are two components to the N1K infrastructure: 1) VSM 2) VEM.
VSM - the Virtual Supervisor Module is the one which controls the entire N1K setup and from where the configuration is done for the VEM modules, interfaces, security, monitoring etc. The VSM is the one which interacts with the VC.
VEM - Virtual Ethernet Modules are simply the modules or virtual linecards which provide the connectivity options or virtual ports for the VMs and other virtual interfaces. Each ESX host today can only have one VEM. These VEMs receive their configuration / programming from the VSM.
If you are aware of any other switching products from Cisco like the Cat 6k switches, the n1k behaves the same way but in a software / virtual environment, where the VSM is the equivalent of the SUP and the VEMs are similar to the line cards. The control and packet VLANs in the n1k provide the same kind of AIPC and inband connectivity as the 6k backplane would for the communication between the modules and the SUP (VSM in this case).
*The n1k configuration is done only from the VSM and is visible in the VC. However, the port-profiles created on the VSM are pushed from the VSM to the VC and have to be assigned to the virtual / physical ports from the VC.
*You can run the VSM either on the Nexus1010 as a Virtual service blade (VSB) or as a normal VM on any of the ESX/ESXi server. The VSM and the VEM on the same server are fully supported.
You can refer the following deployment guide for some more details: http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9902/guide_c07-556626.html
Hope this answers your queries!
./Abhinav -
Does CSR 1000v support HA feature & how?
Does CSR 1000v support HA feature?
I noticed that the redundancy command is supported in configuration mode, but neither sso nor ha mode can be configured:
Router(config-red)#?
Redundancy configuration commands:
default Set a command to its defaults
exit Exit from redundancy configuration mode
main-cpu Enter main-cpu mode
mode redundancy mode for this chassis
no Negate a command or set its defaults
timer Select a timer to configure
Router(config-red)#mode ?
none no redundancy
Router#show platform
Chassis type: CSR1000V
Slot Type State Insert time (ago)
R0 CSR1000V ok, active 00:18:57
F0 CSR1000V ok, active 00:18:57
Is it possible to enable HA feature in csr1000v?
I noticed that at startup, R1 was inserted but not online; it was in disabled state.

Alan,
HA provided across a network segment within AWS is not a simple solution due to the restrictions that they place on the L2 segments. As an example, here is Amazon's suggestion for NAT HA:
http://aws.amazon.com/articles/2781451301784570
With that said, we're working on documenting a solution that will work around some of the restrictions through overlaid connections. At a high level, one way that you can do this is with a couple of CSR1000Vs connected via a GRE tunnel over their Amazon segment. You then would have to set up BFD and configure an EEM script to watch for a peer down event. This script would then have to modify the AWS VPC routing table (the VPC gateway) so that the hosts use the appropriate CSR as an exit point. The unfortunate piece is that from the CSR1000V we cannot call the AWS API directly, so this requires use of a second EEM script to SSH to a helper VM and execute the AWS VPC commands. Hopefully within the next couple of weeks we will have a configuration guide to step through the individual components, as there are many moving parts. At a high level this solution was presented in the Cisco Live session BRKARC-2023; around slides 35-40 (Session PDF) are some of the network diagrams and an example of the EEM script.
With that said, another solution that you might consider is Cisco InterCloud:
http://www.cisco.com/c/en/us/td/docs/solutions/Hybrid_Cloud/InterCloud/InterCloud/Cirrus_2.html
This allows for a secure Layer 2 extension from your data center into the public cloud which could remove some complexity in dealing with the AWS infrastructure. This solution is not one that would be for the one off, single CSR type deployment, however if you are looking at scale it could be a good alternative.
As for TAC support with the Advanced License, this is the hourly paid model that we have within Amazon. Support for this type of licensing is currently only offered through the support forum, however we are looking at other options that could allow direct TAC engagement on a case by case basis rather than a term license. Depending on where you are at with regards to your deployment it may be appropriate to engage your Cisco Account Team to help determine which solution is best for you. I can help track them down if you want to send me a private message.
-Nick -
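The moving part that actually changes where the VPC sends traffic in the design Nick describes is the helper VM rewriting the route table after the surviving CSR's EEM script reports the peer down. The function below is an added example, not from Nick's reply or any Cisco or AWS guide, of what that helper would do: find every IPv4 route in one VPC route table that targets the failed CSR's network interface and repoint it at the surviving CSR's interface, leaving the 'local', IGW and unrelated routes alone. It is written against boto3's EC2 method names (describe_route_tables and replace_route) so it can be handed a real boto3 client, but it runs here against an in-memory fake; the route table and ENI identifiers are constructed placeholders, not real resources.

```python
def failover_routes(ec2, route_table_id, failed_eni, surviving_eni):
    """Repoint every IPv4 route in one VPC route table that targets failed_eni
    at surviving_eni. 'ec2' only needs boto3-style describe_route_tables() and
    replace_route() methods. Returns the list of destination CIDRs moved.
    A second call is a no-op (returns []), which matters because an EEM
    script may fire more than once for the same BFD event."""
    if failed_eni == surviving_eni:
        raise ValueError("failed and surviving ENI must differ")
    resp = ec2.describe_route_tables(RouteTableIds=[route_table_id])
    tables = resp.get("RouteTables", [])
    if len(tables) != 1:
        raise LookupError(f"expected exactly one route table for {route_table_id}")
    moved = []
    for route in tables[0].get("Routes", []):
        # Leave 'local', IGW and routes via any other interface untouched.
        if route.get("NetworkInterfaceId") != failed_eni:
            continue
        cidr = route.get("DestinationCidrBlock")
        if cidr is None:
            continue  # IPv6 / prefix-list routes: out of scope for this example
        ec2.replace_route(RouteTableId=route_table_id,
                          DestinationCidrBlock=cidr,
                          NetworkInterfaceId=surviving_eni)
        moved.append(cidr)
    return moved


class FakeEC2:
    """Constructed in-memory stand-in for the two EC2 API calls used above."""

    def __init__(self, route_table_id, routes):
        self.route_table_id = route_table_id
        self.routes = [dict(r) for r in routes]
        self.calls = []

    def describe_route_tables(self, RouteTableIds):
        if RouteTableIds != [self.route_table_id]:
            return {"RouteTables": []}
        return {"RouteTables": [{"RouteTableId": self.route_table_id,
                                 "Routes": [dict(r) for r in self.routes]}]}

    def replace_route(self, RouteTableId, DestinationCidrBlock, NetworkInterfaceId):
        self.calls.append((RouteTableId, DestinationCidrBlock, NetworkInterfaceId))
        for r in self.routes:
            if r.get("DestinationCidrBlock") == DestinationCidrBlock:
                r["NetworkInterfaceId"] = NetworkInterfaceId
                return {}
        raise KeyError(DestinationCidrBlock)


# Constructed placeholder identifiers (not real AWS resources).
RT_ID, CSR_A_ENI, CSR_B_ENI, OTHER_ENI = "rtb-0example", "eni-0csra", "eni-0csrb", "eni-0other"


def demo():
    """Simulate CSR-A failing: routes via CSR-A move to CSR-B, nothing else changes."""
    fake = FakeEC2(RT_ID, [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"},
        {"DestinationCidrBlock": "10.122.0.0/16", "NetworkInterfaceId": CSR_A_ENI},
        {"DestinationCidrBlock": "192.168.0.0/16", "NetworkInterfaceId": CSR_A_ENI},
        {"DestinationCidrBlock": "172.16.0.0/12", "NetworkInterfaceId": OTHER_ENI},
    ])
    moved = failover_routes(fake, RT_ID, CSR_A_ENI, CSR_B_ENI)
    return moved, fake


if __name__ == "__main__":
    moved, fake = demo()
    print("moved:", moved)
    print("api calls:", fake.calls)
```

Whatever can trigger this path can also blackhole the VPC, so the helper VM's IAM role should be limited to ec2:DescribeRouteTables and ec2:ReplaceRoute, and the SSH account the CSR's EEM script logs into should be a dedicated, key-only account that can run nothing but this script.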
Cisco Nexus 1000v on Hyper-v 2012 R2
Dears;
I have deployed Cisco Nexus 1000v on Hyper-V 2012 R2 hosts, and I'm in the phase of testing and exploring features. While doing this I removed the Nexus virtual switch (VEM) from the host; it disappeared from the host, but I couldn't use the uplink previously attached to the switch, as it still saw it as attached to the Nexus 1000v. I tried to remove it in several ways; finally the host became unusable and I had to set up the host again.
The question here: there is no mention in Cisco documents of how to uninstall or remove the VEM attached to a host. Can anyone help with this?
Thanks
Regards

Zoning is generally a term used with Fibre Channel, but I think I understand what you mean.
Microsoft Failover Clusters rely on shared storage. So you would configure your storage so that it is accessible from all three nodes of the cluster. Any LUN you want to be part of the cluster should be presented to all nodes. With iSCSI, it is recommended to use two different IP subnets and configure MPIO. The LUNs have to be formatted as NTFS volumes. Run the cluster validation wizard once you think you have things configured correctly. It will help you find any potential configuration issues.
After you have run a cluster validation and there aren't any warnings left that you can't resolve, build the cluster. The cluster will form with the available LUNs as storage to the cluster. Configure the storage to be Cluster Shared Volumes for the VMs, and leave the witness as the witness. By default, the cluster will take the smallest LUN to be the witness disk. If you are just using the cluster for Hyper-V (recommended) you do not need to assign drive letters to any of the disks.
You do not need, nor is it recommended to use, pass-through disks. There are many downsides to using pass-through disks, and maybe one benefit, and that one is very iffy.
. : | : . : | : . tim -
Welcome to the Cisco CSR (Cloud Service Router) Discussion Forum
Welcome to the Cisco CSR (Cloud Service Router) Discussion Forum!
This forum helps CSR users interact, share knowledge and build communities with one another.
We hope you enjoy participating in the CSR discussion forum!
Best Regards,
Cisco CSR Product Team

hi, I have a question on SQL database high availability. I have tried using database mirroring, where I am using SQL Standard Edition; in this, database mirroring in synchronous mode is the only option available, and it is giving problems, like SQL time-out errors on my applications since I put in the database mirroring, as asynchronous is only available on Enterprise Edition. Are there any suggestions on this? thanks ---vijay
-
Cisco 877W router and external ADSL modem
Cisco 877W router and external ADSL modem
In order to support ADSL2+ on a pre-ADSL2+ router, and in preparation for a later migration to BT Infinity, I am trying to configure the router appropriately using an external ADSL2+ modem.
The original configuration had 3 ports configured as one (internal LAN) VLAN and bridge group together with one wireless sub-interface, and the remaining port configured as a second VLAN and bridge group with a second wireless sub-interface. The Dialer was a member of the second bridge group. This way the second wireless interface and associated bridge group provided a kind of DMZ for outbound access.
The configuration I am attempting is similar: the LAN ports remain the same, but port 0 is a member of the VLAN and bridge group (now a PPPoE client) associated with one of the wireless sub-interfaces as per above. The ATM interface is downed. This nearly works, except that if the wireless sub-interface on this bridge group is configured the dialer no longer dials, giving a 'no dialer string' error. If I do not configure that wireless sub-interface all works well.
If anyone is interested to look I would appreciate any comments. I enclose a sanitised config in which you will note the 'commented out' wireless sub-interface (prefixed with '!' below).
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname xxxxxxxxxxxxxxxxxxxxx
boot-start-marker
boot-end-marker
logging buffered 4096 warnings
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
aaa new-model
aaa group server radius sdm-vpn-server-group-2
aaa group server radius rad_eap
server 192.168.253.1 auth-port 1812 acct-port 1813
server 192.168.253.1 auth-port 1645 acct-port 1646
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_2 group sdm-vpn-server-group-2
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa authorization ipmobile default group rad_pmip
aaa authorization network sdm_vpn_group_ml_2 local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
crypto pki trustpoint TP-self-signed-2834265337
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2834265337
revocation-check none
rsakeypair TP-self-signed-2834265337
crypto pki certificate chain TP-self-signed-2834265337
certificate self-signed 01 nvram:IOS-Self-Sig#2F.cer
dot11 syslog
dot11 ssid GuestAP
vlan 101
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 113B162712001F4A2D2B25
dot11 ssid LanAP
vlan 100
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
mbssid guest-mode
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.252.1 192.168.252.8
ip dhcp excluded-address 192.168.252.15 192.168.252.254
ip dhcp pool sdm-pool1
import all
network 192.168.252.0 255.255.255.0
domain-name XXX.Local
dns-server xxx.xxx.xxx.xxx
default-router 192.168.252.254
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip bootp server
no ip domain lookup
ip domain name XXX.Local
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
ip reflexive-list timeout 120
vpdn enable
vpdn-group 1
request-dialin
protocol pppoe
username administrator privilege 15 secret 5 £££££££££££££££££££££
class-map type inspect match-any IN_to_OUT_CLASS
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-any OUT_to_IN_CLASS
match protocol https
match protocol smtp extended
class-map type inspect match-any DMZ_to_IN_CLASS
match protocol http
match protocol https
match protocol smtp extended
policy-map type inspect DMZ_to_IN_POL
class type inspect DMZ_to_IN_CLASS
inspect
class class-default
drop log
policy-map type inspect IN_to_OUT_POL
class type inspect IN_to_OUT_CLASS
inspect
class class-default
drop log
policy-map type inspect OUT_to_IN_POL
class type inspect OUT_to_IN_CLASS
inspect
class class-default
drop log
zone security INSIDE
zone security OUTSIDE
zone security DMZ
zone-pair security OUT_TO_IN source OUTSIDE destination INSIDE
service-policy type inspect OUT_to_IN_POL
zone-pair security IN_TO_OUT source INSIDE destination OUTSIDE
service-policy type inspect IN_to_OUT_POL
zone-pair security DMZ_TO_OUT source DMZ destination OUTSIDE
service-policy type inspect IN_to_OUT_POL
zone-pair security DMZ_TO_IN source DMZ destination INSIDE
service-policy type inspect DMZ_to_IN_POL
bridge irb
interface Loopback0
no ip address
interface Null0
no ip unreachables
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
interface FastEthernet0
description Outside Interface (PPPoE)
interface FastEthernet1
description Inside Interface
switchport access vlan 10
interface FastEthernet2
description Inside Interface
switchport access vlan 10
spanning-tree portfast
interface FastEthernet3
description Inside Interface
switchport access vlan 10
spanning-tree portfast
interface Dot11Radio0
no ip address
no ip route-cache cef
no ip route-cache
encryption vlan 100 mode ciphers aes-ccm tkip
encryption vlan 101 mode ciphers aes-ccm tkip
ssid GuestAP
ssid LanAP
mbssid
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2437
station-role root
interface Dot11Radio0.100
description LanAP
encapsulation dot1Q 100
no ip route-cache
no cdp enable
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
!interface Dot11Radio0.101
! description GuestAP
! encapsulation dot1Q 101
! no ip route-cache
! no cdp enable
! bridge-group 1
! bridge-group 1 subscriber-loop-control
! bridge-group 1 spanning-disabled
! bridge-group 1 block-unknown-source
! no bridge-group 1 source-learning
! no bridge-group 1 unicast-flooding
interface Vlan1
description $ES_LAN$
no ip address
ip virtual-reassembly
pppoe enable group global
pppoe-client dial-pool-number 1
bridge-group 1
interface Vlan10
no ip address
ip virtual-reassembly
bridge-group 10
interface Dialer1
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nat outside
ip virtual-reassembly
zone-member security OUTSIDE
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname XXXXXXX
ppp chap password 7 xxxxxxxxxxxxxxxxxxx
ppp pap sent-username xxxxxxxxxxxxxxxxxx password 7 xxxxxxxxxxxxxxxxxxxxx
ppp ipcp dns request
ppp ipcp wins request
hold-queue 224 in
interface Dialer0
no ip address
interface BVI10
description Inside Interface
ip address 192.168.253.254 255.255.255.0
ip access-group 101 in
ip helper-address 192.168.253.1
ip nat inside
ip virtual-reassembly
zone-member security INSIDE
interface BVI1
description DMZ Interface
ip address 192.168.252.254 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security DMZ
ip local pool SDM_POOL_1 192.168.20.9 192.168.20.14
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list Inside_Clients_NAT interface Dialer1 overload
ip nat inside source static 192.168.253.10 xxx.xxx.xxx.xxx
ip access-list extended DMZ_to_IN_POL
remark SDM_ACL Category=128
permit ip any any
ip access-list extended Inside_Clients_NAT
remark SDM_ACL Category=2
permit ip 192.168.253.0 0.0.0.255 any
logging 192.168.253.10
access-list 1 remark Auto generated by SDM Management Access feature
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 192.168.253.0 0.0.0.255
access-list 100 remark VTY Access-class list
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 192.168.253.0 0.0.0.255 any
access-list 100 deny ip any any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark SDM_ACL Category=1
access-list 101 remark Auto generated by SDM for NTP (123) xxx.xxx.xxx.xxx
access-list 101 permit udp host xxx.xxx.xxx.xxx eq ntp host 192.168.253.254 eq ntp
access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.253.254 eq telnet
access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.253.254 eq 22
access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.253.254 eq www
access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.253.254 eq 443
access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.253.254 eq cmd
access-list 101 deny tcp any host 192.168.253.254 eq telnet
access-list 101 deny tcp any host 192.168.253.254 eq 22
access-list 101 deny tcp any host 192.168.253.254 eq www
access-list 101 deny tcp any host 192.168.253.254 eq 443
access-list 101 deny tcp any host 192.168.253.254 eq cmd
access-list 101 deny udp any host 192.168.253.254 eq snmp
access-list 101 permit ip any any
access-list 199 permit ip any host 10.1.1.1
dialer-list 1 protocol ip permit
no cdp run
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.253.1 auth-port 1812 acct-port 1813 key 7 XXXXXXXXXXXXXXXXXX
radius-server host 192.168.253.1 auth-port 1645 acct-port 1646 key 7 XXXXXXXXXXXXXXXXXX
radius-server vsa send accounting
control-plane
bridge 1 protocol ieee
bridge 1 route ip
bridge 10 protocol ieee
bridge 10 route ip
banner login C Border Router
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
access-class 100 in
privilege level 15
length 0
transport input telnet ssh
scheduler max-task-time 5000
scheduler interval 500
ntp server xxx.xxx.xxx.xxx source Dialer0 prefer
ntp server xxx.xxx.xxx.xxx source Dialer0 prefer
sntp server xxx.xxx.xxx.xxx
end

Hi Jody,
Apologies for the delay in replying. I have done the following:
Made two of the FE ports VLAN1/BVI1 (for LAN traffic).
Left one port as VLAN10 as the PPPoE client connected to the external modem.
Made the last port VLAN10 as well and gave it an IP address as for a DMZ client.
I have DHCP configured to serve the DMZ addresses.
This all works for LAN clients and also works for a client attached to that physical DMZ port.
When I added a dot11radio sub-interface into VLAN 10 the wireless client did not get an IP lease. Everything else continued to work.
I had never thought about this before, but if a dot11radio interface is on the same VLAN (but not part of a bridge group) why are DHCP broadcasts not propagating to all the VLAN members as I would have expected? I recognise that this is a limit in my understanding.
If I then made VLAN10 a member of a new bridge group, I lost WAN connectivity as per the original posting.
I cannot add another VLAN due to the 2 VLAN limit in this image.
Finally, regarding your comment about giving it what it wants, what exactly did you have in mind? The dialer already has dial string parameters configured.
Think I am about to give up on this.
Regards, -
Cisco 3850 Switch and Windows 7 IP Conflicts
Team,
Last evening (Christmas eve) we setup a pair of Cisco 3850 with IP Base version 3.3.35SE (recommended) and 3.7.0E (very latest).
We got these to replace a very old switch that had died. Attached to this network are windows 7 PC's with all the standard patches, service packs, etc.
with standard port configs - no PC would work - and in fact on each screen we got the windows 7 IP Conflict pop up box.
This seemed very odd to us, as we know these IP's are all static (no dhcp on this segment at all)
we went with a very vanilla config on each port
interface g1/0/1
switchport host
that is it - nothing special at all.
well, after hours of research we found the 3850 has a problem where its "ip device tracking" (even though disabled, by way of NOT being enabled on any interface) will affect the Windows 7 PCs' IP-address-in-use detection during the port start-up phase!
This is a very big problem. I am frankly SHOCKED Cisco would release a major switch that is going to not work when connected to the average network with Windows 7 PCs.
we tried 3+ hours of prescribed work-arounds found when researching this issue -
ip device tracking probe delay 10 (global config)
ip device tracking max 0 (disabled, on interface)
finally,
nmsp attach suppress (interface; however this appears to be a default command in all IOS-XE versions we tried, as the command did NOT show in the show run). This affected many different NIC card vendors (laptops, desktops) and NIC driver levels from old to very recent.
Finally,
we compared a 3850 in another location to this one - and we never got HIT by this problem before because that 3850 only has TRUNK ports and no Windows 7 hosts directly attached.
Doing more research, I found out this also can affect VMware guests running Windows SERVER.
this is now a huge issue as we have a scheduled deployment of 3850's throughout our network which is going to be put on hold.
the work-around I came up with which is not great is -
Make ALL the "access" ports connected to PC TRUNK ports and leave the NATIVE vlan (untagged) as the vlan you want the PC's to be in
interface g1/0/1
switchport mode trunk
switchport trunk native vlan 1
this is NOT an acceptable workaround as this presents security issues even with
switchport trunk allowed vlan 1, etc. as the only allowed vlan.
Note: this issue manifested itself and windows 7 PC's were UNABLE to use the network. if you do "ipconfig /all | more" you would see
192.168.0.140(duplicate) and the interface would actually use 169.254.0.239(duplicate) so the duplicate message appeared twice in the output.
1) With and without an SVI interface on each 3850 for the VLAN where the Windows 7 machines had a duplicate
2) When we had an SVI and the command ip device tracking probe use-svi (or whatever the hidden command is, I forget now, but it took it)
3) When we had aaa new-model configured - and not configured - thinking this was some artifact of having AAA turn on something like 802.1x port state
4) When we could confirm NO DHCP SNOOPING
5) When we did NOT use static IPs - and had the switch assign DHCP addresses - the Windows 7 PCs STILL had duplicates and didn't work for their "just leased" IPs.
6) When we could confirm IOS-XE ip device tracking = disabled with show ip device tracking status, etc.
This is a major problem for this 3850 and unless we get a definitive answer on why this is happening and how we can rectify it we are going to have to return our 3850s and get HP ProCurves, something I would rather avoid doing. There is NO REASON I can imagine, other than older switches whose ports default to ROUTED ports (i.e. no switchport), where a switch should not at least function as a bare switch with essentially a default configuration out of the box.
Any ideas? I'm working well now with the ports ALL in trunking mode with VLAN 1 native, but this is not a scalable workaround we can live with, as we have security risks of a port not blocking certain VLANs from going out ports to PCs, etc. that attackers could send tags on at that point, etc.
thanks,
Joe Brunner
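A defender-side check for the workaround Joe describes, as an added example that is not from the thread: it parses an IOS running-config and flags trunk ports whose allowed-VLAN list is only their native VLAN, the pattern of a PC-facing port that still accepts 802.1Q tags. SAMPLE_CONFIG is constructed and the interface names are placeholders.

```python
import re

# Constructed running-config excerpt: a PC port on the trunk-with-native-VLAN workaround
# from the thread, beside a genuine uplink trunk for contrast.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1
!
interface GigabitEthernet1/0/2
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20-22
!
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented sub-commands."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            stanzas[current] = []
        elif not raw.startswith(" "):
            current = None                      # '!' or any top-level line ends the stanza
        elif current is not None:
            stanzas[current].append(raw.strip())
    return stanzas

def expand_vlans(spec):
    """'10,20-22' -> {10, 20, 21, 22}."""
    return {v for part in spec.split(",") for lo, _, hi in [part.partition("-")]
            for v in range(int(lo), int(hi or lo) + 1)}

def single_vlan_trunks(config):
    """Trunks whose allowed list is only the native VLAN: host ports that still accept 802.1Q tags."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" not in lines:
            continue
        native, allowed = 1, set(range(1, 4095))   # IOS defaults: native 1, all VLANs allowed
        for line in lines:
            if m := re.match(r"switchport trunk native vlan (\d+)$", line):
                native = int(m.group(1))
            elif m := re.match(r"switchport trunk allowed vlan ([\d,-]+)$", line):
                allowed = expand_vlans(m.group(1))
        if allowed == {native}:
            findings.append((name, native))
    return findings
```

Ports it reports are candidates to revert to access mode with switchport host once the device-tracking behaviour is resolved.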
Thanks for replying - I'm not onsite (it's a standalone network) - but here is what it is -
Answers in line -
This all stems from a switch replacement, correct?
>Yes, a 10 year old Allied Telesyn switch was replaced that had no config - like a hub, just used for connectivity.
Are these 3850's in a stack?
>Yes, tested all aspects of the stack many times.
Does it have a management IP address? If so, is it using the old switch IP address?
>Old switch had no IP - I made a "management interface" on VLAN 1 - BUT no IP on the built-in management interface on the switch.
What are they connecting to? (a router/L3 switch/another switch - Cisco, HP etc.)
>Various other devices - only 1 link back to a single 3750X stack. That switch is "hardened", so to speak, to reveal or propagate very little by design.
How are they connected? (L3 interface/L2 trunk/access port)
>All ports are left in trunk mode with VLAN 1 as the active and untagged VLAN. This was the workaround done to ever get the switch going. In "out of the box" or default mode as we initially wanted (no config), links to Windows 7 PCs didn't work. Links to Linux or other non-Windows devices did work!
Are these switches performing inter-VLAN routing or just acting as host switches?
>Dumb flat network, no routing.
Is ip routing enabled?
>Not unless enabled on the 3850 by default. I didn't type "ip routing".
Do you have multiple VLANs in your network and if so are they being propagated to these new switches?
Your Windows 7 PCs - are they just client PCs, not servers?
>Client PCs - no server OS per se.
Can you confirm something like ICS isn't enabled (Internet Connection Sharing) on any of them?
>Yes, not enabled.
Are they just using one NIC each?
>One machine is dual homed - but we know where its "second NIC" goes - to another Cisco network which is NOT connected back to this one. We traced all our ports a few times thinking even perhaps some small hub was "reflecting" traffic back to us - like a black box. Strangest thing -
Default config out of the box - with ALL ports SHUTDOWN EXCEPT the single Windows 7 facing port - the Windows 7 machine STILL registered an IP CONFLICT when connected to the 3850 - even when it had NO SVIs!!! (I know, mind numbing). If you disconnected the PC and connected it to an old Cisco switch - it worked fine!!! Wow.
sh switch
>2 identical 3850s in a working stack, power and network stacked, both at the same version, etc. - upgraded each time with "software install file flash:<long ios name>.bin".
>Tested all power and general 3850 stacking. Saw no issues.
sh int trunk
>All ports are now trunks (hence the workaround used to get it up).
>Has 20 trunks to PCs and some single connected switches (far away on fiber) - all allow only VLAN 1 - no other VLANs were created - very very simple network. VLAN 1 is native.
sh vlan brief
>Just VLAN 1 - no VLANs created, checked this many times - had VLAN 100 at one point - made sure it was gone over a period of hours.
sh vtp status
>Not set up - left completely default; no VTP domain set - connected to all switches in transparent mode if a switch connection exists.
sh cdp neighbors
>Can't post (for god and country LOL) but there is one link back to our "core" so to speak - that switch is hardened not to allow any settings to slip over to new switches, so hence no VTP; CDP is on to help troubleshooting.
sh ip route
>Just the L and C routes for the VLAN 1 IP address 192.168.17.1/24
>No static routes
>No VLAN interfaces other than int vlan 1
>No IP address on g0/0/0 -> the default 3850 management interface, hard assigned to the 3850 VRF you can't remove.
int g0/0/0
ip vrf forwarding Switch_Mgmt
I can get over there if you think of anything else key to show the group.
thanks,
Joe -
Problem leaking route from VRF to global table on CSR 1000V
Hi Guys,
So I have a problem with VRFs on a CSR 1000V, specifically exporting a connected subnet from a VRF into the global routing table.
My config, very abbreviated, is as follows:
Router:
GE1: 10.0.0.1/31 VRF TEST
GE2: 172.30.20.1/24 (No VRF, BGP neighbor to 172.30.20.2, receiving 0.0.0.0/0 (default route))
Now sh ip route displays:
0.0.0.0/0 (BGP)
172.30.20.1/24 (Connected)
sh ip route vrf TEST displays:
0.0.0.0/0 (BGP)
10.0.0.1/31 connected
My VRF config is as follows:
ip vrf TEST
rd 1:1
import ipv4 unicast map GLOBAL
export ipv4 unicast map CONNECTED-SUBNET
ip prefix-list CONNECTED seq 1 permit 10.0.0.1/31
ip prefix-list DEFAULT seq 1 permit 0.0.0.0/0
route-map CONNECTED-SUBNET permit 10
match ip address prefix-list CONNECTED
route-map GLOBAL permit 10
match ip address prefix-list DEFAULT
Now my import command works perfectly (0.0.0.0/0 is imported from BGP into the VRF's routing table); however my export command does not function - seemingly at all.
Even though my prefix list is an exact match, I do not see 10.0.0.1/31 appearing in the global routing table, or the BGP table at all (show ip bgp 10.0.0.1 shows only the 0.0.0.0/0 default route).
Any thoughts on what is going on here? Am I misunderstanding the export command for VRFs? I was under the impression this will export directly to the BGP table, and then be imported to the global routing table if applicable?
Any thoughts/input would be appreciated!
Hello
"GE1: 10.0.0.1/31 VRF TEST
GE2: 172.30.20.1/24 (No VRF, BGP neighbor to 172.30.20.2, receiving 0.0.0.0/0 (default route))"
I must have misunderstood somewhere. I was assuming you had no VRF BGP between GE1-2, and just a VRF on subnet 10.0.0.0/x which needed to be advertised in the global routing table, hence my last post suggested you redistribute into BGP.
So assuming you are accepting a default route from GE2, it went like this:
GE1
int fa0/1
ip vrf forwarding TEST
ip address 10.0.0.1 255.255.255.255
int xx
ip address 172.30.20.1 255.255.255.0
router bgp xy
neighbor 172.30.20.2 remote-as yx
redistribute static ( to advertise the vrf subnet to GE2)
ip route 10.0.0.1 255.255.255.255 fa0/1 ( this tells the global rib where to go for the vrf route)
ip prefix-list VRF permit 0.0.0.0/0
route-map VRF_rm permit 10
match ip address prefix-list VRF ( match on the default route advertised from GE2 which is in the global rib)
ip vrf TEST
import ipv4 unicast map VRF_rm ( import the default from global rib into the vrf rib)
res
Paul -
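To see what the prefix-lists in this thread actually select, here is an added example (not from either poster) that implements IOS prefix-list match semantics in Python: exact prefix length unless ge/le is given, first matching entry wins, implicit deny at the end. The route tables are constructed from the show ip route output in the question; the ANY list with le 32 is an assumed contrast case.

```python
import ipaddress

# Constructed from the thread's 'sh ip route' and 'sh ip route vrf TEST' output.
GLOBAL_TABLE = ["0.0.0.0/0", "172.30.20.0/24"]
VRF_TEST_TABLE = ["0.0.0.0/0", "10.0.0.0/31"]

# The two prefix-lists from the question, plus an assumed 'le 32' variant for contrast.
PREFIX_LISTS = [
    "ip prefix-list CONNECTED seq 1 permit 10.0.0.1/31",
    "ip prefix-list DEFAULT seq 1 permit 0.0.0.0/0",
    "ip prefix-list ANY seq 1 permit 0.0.0.0/0 le 32",   # assumed, not in the thread
]

def parse_prefix_lists(lines):
    """Group 'ip prefix-list NAME seq N permit|deny P/L [ge X] [le Y]' entries by list name."""
    lists = {}
    for line in lines:
        tok = line.split()
        name, seq, action = tok[2], int(tok[4]), tok[5]
        # strict=False masks host bits the way IOS does: 10.0.0.1/31 is stored as 10.0.0.0/31
        prefix = ipaddress.ip_network(tok[6], strict=False)
        ge = int(tok[tok.index("ge") + 1]) if "ge" in tok else None
        le = int(tok[tok.index("le") + 1]) if "le" in tok else None
        lists.setdefault(name, []).append((seq, action, prefix, ge, le))
    return {n: sorted(e) for n, e in lists.items()}

def permits(entries, route):
    """First matching entry wins; with no ge/le the length must match exactly; implicit deny."""
    route = ipaddress.ip_network(route, strict=False)
    for _seq, action, prefix, ge, le in entries:
        if not route.subnet_of(prefix):      # the leading prefix.prefixlen bits must agree
            continue
        lo = ge if ge is not None else prefix.prefixlen
        hi = le if le is not None else (route.max_prefixlen if ge is not None else prefix.prefixlen)
        if lo <= route.prefixlen <= hi:
            return action == "permit"
    return False

def select(list_name, table):
    """Routes of `table` that a route-map matching the named prefix-list would pass."""
    entries = parse_prefix_lists(PREFIX_LISTS)[list_name]
    return [r for r in table if permits(entries, r)]

if __name__ == "__main__":
    print("GLOBAL map (DEFAULT) would import:", select("DEFAULT", GLOBAL_TABLE))
    print("CONNECTED-SUBNET map (CONNECTED) selects:", select("CONNECTED", VRF_TEST_TABLE))
    print("an 'le 32' list would take everything:", select("ANY", GLOBAL_TABLE))
```

DEFAULT matches only the default route itself, not every prefix, and CONNECTED matches exactly the /31, so the prefix-list side of the export map is not where the /31 is being dropped.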
VN-Tag with Nexus 1000v and Blades
Hi folks,
A while ago there was a discussion on this forum regarding the use of Catalyst 3020/3120 blade switches in conjunction with VN-Tag. Specifically, you can't do VN-Tag with that Catalyst blade switch sitting in between the Nexus 1000V and the Nexus 5000. I know there's a blade switch for the IBM blade servers, but will there be a similar version for the HP C-class blades? My guess is NO, since Cisco just kicked HP to the curb. But if that's the case, what are my options? Pass-through switches? (ugh!)
Previous thread:
https://supportforums.cisco.com/message/469303#469303
wondering the same...
-
Cisco Nexus 1000v Virtual Switch for Hyper-V Availability
Hi,
Does anyone have any information on the availability of the Cisco Nexus 1000v virtual switch for Hyper-V? Is it available to download from Cisco yet? If not, when will it be released? Are there any beta programs etc?
I can download the 1000v for VMware but cannot find any downloads for the Hyper-V version.
Microsoft Partner
Any updates on the Cisco Nexus 1000v virtual switch for Hyper-V? Just checked on the Cisco site, however still only the download for VMware and no trace of any beta version. Also posted the same question at:
http://blogs.technet.com/b/schadinio/archive/2012/06/09/windows-server-2012-hyper-v-extensible-switch-cisco-nexus-1000v.aspx
"Hyper-V support isn't out yet. We are looking at a beta for Hyper-V starting at the end of February or the beginning of March."
-Ian @ Cisco Community
|| MCITP: EA, VA, EMA, Lync SA, makes a killer sandwich. || -
Nexus 1000v and vcenter domain admin account
I changed out the domain admin account on our domain which the vCenter services run as, and now it's using a different service account. I am wondering if I need to update anything on the Nexus 1000v switch side between the 1000v and vCenter.
Hi Dan,
You are on the right track. However, you can perform some of these functions "online".
First you want to ensure that you are running, at a minimum, Nexus 1000v SV1(4a), as ESXi 5.0 support only began with this release. SV1(4a) provides support for both ESXi 5.0 and ESX/i 4.1.
Then you can follow the procedure documented here:
Upgrading from VMware Release 4.0/4.1 to VMware Release 5.0.0
This document walks you through upgrading your ESX infrastructure to VMware Release 5.0.0 when Cisco Nexus 1000V is installed. It is required to be completed in the following order:
1. Upgrade the VSMs and VEMs to Release 4.2(1)SV1(4a).
2. Upgrade the VMware vCenter Server to VMware Release 5.0.0.
3. Upgrade the VMware Update Manager to VMware Release 5.0.0.
4. Upgrade your ESX hosts to VMware Release 5.0.0 with a custom ESXi image that includes the VEM bits.
Upgrading the ESX/ESXi hosts consists of the following procedures:
–Upgrading the vCenter Server
–Upgrading the vCenter Update Manager
–Augmenting the Customized ISO
–Upgrading the ESXi Hosts
There is also a 3 part video highlighting the procedure to perform the last two steps above (customized ISO and upgrading ESXi hosts):
Video: Upgrading the VEM to VMware ESXi Release 5.0.0
Hope that helps you with your upgrade.
Thanks,
Michael