Cisco ISR G2 EHWIC Shaping is available ? (SDWRR)

Similar Messages

• LDAP Source Query IP (Cisco ISR G2 WebSecurity)

  Hi Cisco folks,
  Goal:
  I would like to implement Cisco ISR Connector with ScanSafe for the company.
  I have followed the ISR Solution Guide carefully (found here:
  http://www.cisco.com/en/US/docs/security/web_security/ISR_SS/ISR_ScanSafe_SolutionGuide.pdf)
  So far I have managed to get a basic configuration working.
  Problem:
  This configuration consists of the basic Web Security features and a VPN to our internal network.
  I would now like to implement authentication on the device with LDAP.
  As far as I can tell the configuration is correct. (I followed the solution guide precisely)
  The authentication though doesn't work.
  Here an output from the debug:
  *Feb 22 13:07:35.034: LDAP: LDAP: Queuing AAA request 52 for processing
  *Feb 22 13:07:35.034: LDAP: Received queue event, new AAA request
  *Feb 22 13:07:35.034: LDAP: LDAP authentication request
  *Feb 22 13:07:35.034: LDAP: Username sanity check failed
  *Feb 22 13:07:35.034: LDAP: Invalid hash index 512, nothing to remove
  *Feb 22 13:07:35.038: LDAP: New LDAP request
  *Feb 22 13:07:35.038: LDAP: Attempting first  next available LDAP server
  *Feb 22 13:07:35.038: LDAP: Got next LDAP server :scansafe-ldap-server
  *Feb 22 13:07:35.038: LDAP: Free connection not available. Open a new one.
  *Feb 22 13:07:35.038: LDAP: Opening ldap connection ( Internal IP of DC, 636 )ldap_open
  ldap_init libldap 4.5 18-FEB-2000
  open_ldap_connection
  ldap_connect_to_host: Internal IP of DC
  :636
  *Feb 22 13:07:35.038: LDAP: socket 5 - connecting to Internal IP of DC (636)
  *Feb 22 13:07:35.038: LDAP: socket 5 - connection in progress
  *Feb 22 13:07:35.038: LDAP: Connection on socket 5
  *Feb 22 13:07:35.038: LDAP: Connection to LDAP server (scansafe-ldap-server, Internal IP of DC) attempted
  *Feb 22 13:07:35.038: LDAP: Connection state: DOWN => CONNECTING
  *Feb 22 13:07:35.038: LDAP: LDAP request saved. Will be served after Root Bind is done.
  *Feb 22 13:07:35.038: LDAP: LDAP request successfully processed
  *Feb 22 13:08:05.038: LDAP: Received socket event
  *Feb 22 13:08:05.038: LDAP: Process socket event for socket = 5
  *Feb 22 13:08:05.038: LDAP: Server is not valid and non-TLS
  *Feb 22 13:08:05.038: LDAP: Socket read event socket=5
  *Feb 22 13:08:05.038: LDAP: Found socket ctx
  *Feb 22 13:08:05.038: LDAP: ldap tcp transport closing on socket 5
  *Feb 22 13:08:05.038: LDAP: Transport DOWN notification for scansafe-ldap-server/5
  *Feb 22 13:08:05.038: LDAP: Clearing all ldap transactions
  *Feb 22 13:08:05.038: LDAP: Triggering server failover for transit requet
  *Feb 22 13:08:05.038: LDAP: Connection state: CONNECTING => DOWNldap_unbind
  ldap_free_connection lc=0x8C5C14D4
  ldap_free_connection: actually freed
  As you can see the router can't contact our DC.
  Now I did some sniffing and noticed that the router sends the LDAP query with the source address of the external interface (Public IP).
  This results, that the queries are sent out into the internet with an internal destination IP. --> hence can't connect.
  Question:
  Now to my actual question.. How can I force the ISR to originate the LDAP queries from our internal interface ... which would then enter the VPN and connect to the DC?
  Thanks in advance, and if you need any additional information, please don't hesitate to ask
  Kind regards
  - Sam

  I recently went through this exact issue with Cisco TAC. The answers are quite unpleasant, but Cisco feels the LDAP protocol doesn't need a source-interface command because an LDAP server doesn't need a specific source IP. The "workaround" is to include your egress interface IP in the VPN tunnel so it will get encapsulated and be able to reach the LDAP server over the VPN. There is another even less desirable workaround to use a Virtual Tunnel Interface, but it is not practical for companies with more than 1 remote site or using the headend VPN concentrator for internet routing because of the requirement of the tunnel being ip any any.

• Cisco ISR G2 SIP Calls Capacity

  Dear all,
  We're planning for Cisco Voice Gateway configuration with SIP trunk, till now no E1s are used.
  I would like to know how can we calculate the number of simulataneous calls that a cisco ISR G2 router (1921. 2921.3945,etc...) can support ?
  How much sip simultaneous calls each ISR G2 model can support ?
  Is it better to use SIP or we must get into E1 PRI ?
  Regards,

  The Q and A below has the call capacity you are looking for
  Table 1. Number of IP-to-IP Calls per Platform
  Platform
  Maximum Number of Simultaneous Calls (Flow-Through)
  Cisco 3945E
  2500
  Cisco 3925E
  2100
  Cisco 3945
  950
  Cisco 3925
  800
  Cisco 2951
  500
  Cisco 2921
  400
  Cisco 2911
  200
  Cisco 2901
  100
  Cisco ASR 1004; and Cisco ASR 1006 Router Processor 2 (RP2)
  5000; 16000*
  Cisco ASR 1002, ASR 1004, and ASR 1006 RP1
  1750
  Cisco AS5350XM and AS5400XM
  600
  Cisco 3845
  500
  Cisco 3825
  400
  Cisco 2851
  225
  Cisco 2821
  200
  Cisco 2811
  110
  Cisco 2801
  55
  http://www.cisco.com/en/US/prod/collateral/voicesw/ps6790/gatecont/ps5640/prod_qas09186a00801da69b.html
  Please rate all useful posts
  "opportunity is a haughty goddess who waste no time with those who are unprepared"

• Rate limit in Cisco ISR 4451X

  Hello friends,
  I have a problem; now i'm changing the router that have at work of Cisco 3925 to Cisco ISR 4451X but in the new router i can't put the command that have in my old router:
  rate-limit input access-group 110 16384000 3072000 6144000 conform-action transmit exceed-action drop
  Can someone help me telling what command replace it or which is the equivalent?
  Atte.
  Percy

  Edison,
  Thanks for helping with this it is greatly appreciated.  I have been playing around with this and have managed to get the policing working successfully on the SVI. 
  The problem was basically the direction the policing was being applied.  Initially I was applying the service policies to the customer SVIs in an inbound direction.  This would only be traffic coming into the VLAN interface from within the VLAN; therefore, in terms of internet traffic this would be upload and NOT the required download.
  In order to resolve this, I have applied the service policy to the Internet facing VLAN.  Please see below -
  Class Maps and Policy Maps
  class-map match-all CUST-A-VL10-CMAP1
  match input-interface  FastEthernet1/0/24
  class-map match-all CUST-A-VL10-CMAP2
  match access-group name CUST-A-VL10-ACL-POL
  policy-map CUST-A-VL10-PMAP1
  class CUST-A-VL10-CMAP1
  police 100000 18750 exceed-action drop
  policy-map CUST-A-VL10-PARENT-PMAP1
  class CUST-A-VL10-CMAP2
  set ip precedence 1
  service-policy CUST-A-VL10-PMAP1
  VLAN Confguration
  interface Vlan300
  ip address ************
  service-policy input CUST-A-VL10-PARENT-PMAP1
  This works successfully and polices the traffic as expected.  However, I have now run into the problem with assigning multiple service policies to the VLAN interface.  As this is the internet facing VLAN for the routing of traffic to and from the internet, all customer service policies need to be applied to this interface.  When I attempt to apply more than one service policy to this VLAN i receive the following error -
  (config-if)#service-policy input CUST-B-VL20-PARENT-PMAP1
  Policy map CUST-A-VL10-PARENT-PMAP1 is already attached
  Looks like another couple of hours needed working around this problem!!
  Thanks
  Nick

• Cisco isr 819 cellular interface...

  my cisco isr 819 constantly cycles between the gigabyte interface and the cellular...? _i have the device configured for auto failover with the gigabyte interface being the primary and the cellular as backup. _i used Cisco Configuration Pro to configure the router. _i have attached the router config for expert evaluation.....thanks in advance.

  Yes you are correct Cinthia, it is the NAT and depending on which external interface i configure first with NAT, that's the only interface providing NAT to out going packets.
  What i hope to achieve with my C819HG ISR router is provide the G0 interface as primary internet access. If that access goes down i want the Cellular0 interface to come up and provide a path to the internet. When the G0 access is restored i want the Cellular0 interface to go back to standby.   
  here is my config.....
  ! Last configuration change at 14:30:15 Chicago Thu Feb 19 2015 by ADMIN
  version 15.3
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname rtr-cisco
  boot-start-marker
  boot-end-marker
  aqm-register-fnf
  no aaa new-model
  clock timezone Chicago -6 0
  clock summer-time Chicago date Apr 6 2003 2:00 Oct 26 2003 2:00
  crypto pki trustpoint TP-self-signed-3083563774
   enrollment selfsigned
   subject-name cn=IOS-Self-Signed-Certificate-3083563774
   revocation-check none
   rsakeypair TP-self-signed-3083563774
  crypto pki certificate chain TP-self-signed-3083563774
   certificate self-signed 01
    3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
    31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
    69666963 6174652D 33303833 35363337 3734301E 170D3135 30323133 32313035
    35305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
    4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 30383335
    36333737 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
    8100AB4C 2DA1C3C3 CABBB054 765A1E14 A7BA0347 AFFD1913 B04113DD A21D7CEB
    F09F6572 5BF58323 586BEF24 929003D4 4CAD8864 A00FF40A A59A9969 C12615A0
    1DFE5527 BA6E2C27 33F75615 A36DA242 42862F33 D2823AA3 B838AA3B C938930A
    6D48BD79 11BD9CF5 8B7BEBC8 8C6D9D34 6E5415EB A3CFF3C7 E48F20C4 B18B15FE
    38BD0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
    551D2304 18301680 14B5AEAA D7E9FEF2 3A4FF79D 4251425F EF9F28DC 61301D06
    03551D0E 04160414 B5AEAAD7 E9FEF23A 4FF79D42 51425FEF 9F28DC61 300D0609
    2A864886 F70D0101 05050003 81810039 C6D2590C 0741F53E 62E6E7CE 62534CF9
    3A8A6C79 BECBACD7 AF73FA4C 8ED5C059 58A7B08C FBCE2ED0 66196250 20C570AC
    8D802A6B 5E33FFD7 580BBC4C 7C442C42 0F77E3FD F465B724 69D29CFF 19F59635
    D55A9E71 290CE668 B2C74CA1 ED641A2E 714BC06F 17CE9E44 B998945A C1733318
    BFDA96CD 9D66ACA7 B1D79229 8A1322
          quit
  ip dhcp excluded-address 172.17.37.1 172.17.37.9
  ip dhcp excluded-address 172.17.37.16 172.17.37.254
  ip dhcp pool ciscoPool
   import all
   network 172.17.37.0 255.255.255.0
   dns-server 8.8.8.8 8.8.4.4
   default-router 172.17.37.1
  ip domain name sr.nwris.noaa.gov
  ip cef
  no ipv6 cef
  multilink bundle-name authenticated
  chat-script lte "" "AT!CALL1" TIMEOUT 20 "OK"
  license udi pid C819HG-4G-V-K9 sn FTX181583HV
  username ADMIN privilege 15 secret 4 wYSo2PORqoebHxp3dazS6tzNpgOc5RQBMmrsFZ5l6jE
  controller Cellular 0
  track 1 ip sla 1 reachability
  ip ssh version 2
  ip scp server enable
  interface Cellular0
   ip address negotiated
   ip nat outside
   ip virtual-reassembly in
   encapsulation slip
   dialer in-band
   dialer string lte
   dialer-group 1
   async mode interactive
  interface FastEthernet0
   no ip address
  interface FastEthernet1
   no ip address
  interface FastEthernet2
   no ip address
  interface FastEthernet3
   no ip address
  interface GigabitEthernet0
   description $ETH-WAN$
   ip address dhcp client-id GigabitEthernet0 hostname rtr-wxk37
   ip nat outside
   ip virtual-reassembly in
   duplex auto
   speed auto
  interface Serial0
   no ip address
   shutdown
   clock rate 2000000
  interface Vlan1
   ip address 172.17.37.1 255.255.255.0
   ip nat inside
   ip virtual-reassembly in
  ip local policy route-map track-primary-if
  ip forward-protocol nd
  no ip http server
  ip http authentication local
  ip http secure-server
  ip nat inside source list 1 interface Cellular0 overload
  ip nat inside source list 2 interface GigabitEthernet0 overload
  ip route 0.0.0.0 0.0.0.0 GigabitEthernet0 track 1
  ip route 0.0.0.0 0.0.0.0 Cellular0 253
  ip sla auto discovery
  ip sla 1
   icmp-echo 8.8.8.8 source-interface GigabitEthernet0
  ip sla schedule 1 life forever start-time now
  dialer-list 1 protocol ip permit
  route-map track-primary-if permit 1
   match ip address 100
   set interface GigabitEthernet0
  route-map source permit 10
  access-list 1 remark CCP_ACL Category=2
  access-list 1 permit 172.17.37.0 0.0.0.255
  access-list 2 remark CCP_ACL Category=2
  access-list 2 permit 172.17.37.0 0.0.0.255
  access-list 100 remark CCP_ACL Category=0
  access-list 100 permit icmp any host 8.8.8.8
  control-plane
  mgcp behavior rsip-range tgcp-only
  mgcp behavior comedia-role none
  mgcp behavior comedia-check-media-src disable
  mgcp behavior comedia-sdp-force disable
  mgcp profile default
  line con 0
   no modem enable
  line aux 0
  line 2
   no activation-character
   no exec
   transport preferred none
   transport input all
   stopbits 1
  line 3
   script dialer lte
   modem InOut
   no exec
   transport input all
   rxspeed 100000000
   txspeed 50000000
  line vty 0 4
   login local
   transport input ssh
  scheduler allocate 20000 1000
  ntp update-calendar
  ntp server 24.56.178.140 source GigabitEthernet0
  ntp server 129.6.15.28 prefer source GigabitEthernet0
  ntp server 132.163.4.102 source Cellular0
  end

• Manage Cisco ISR routers as one device

  I'm looking for a tool that allows me to manage two Cisco ISR routers (2911) as one device ("cluster" device or "virtual" device).
  Both routers are connected directly to the internet and are using HSRP to perform a function of the virtual default gateway for LAN devices.
  What about Cisco ASA in Active/Active or Active/Passive Failover mode?
  Thanks,
  Jernej

  No, this is not currently possible.  The devices need to be managed using their individual IP addresses (i.e. not the virtual IP of HSRP).  You'll generally want to do that for the time being since both devices will have their own CPU, memory, buffer, etc. characteristics.

• Cisco ISR 4K Voice Compatability

  Does anyone know if the newer ISR 4K series of routers is backwards compatible with CUCM 8.6 using MGCP; and if so, is a COP file required for CUCM?
  After doing a little research it appears that the 4400 series does not support FXO/FXS lines and looks like it is primarily being marketed as a CUBE router used for establishing SIP trunks to an ITSP. I am mainly curious about the 4351 router and its capabilities as a voice gateway.
  Any info regarding MGCP compatibility using T1/PRIs in CUCM 8.6 would be appreciated! Thanks again.
  This is all I could find on Cisco's website:
  http://www.cisco.com/c/en/us/products/collateral/routers/3900-series-integrated-services-routers-isr/data-sheet-c78-729824.html
  http://www.cisco.com/c/en/us/td/docs/routers/access/4400/hardware/installation/guide4400-4300/C4400_isr/Overview.html#pgfId-1055274

  Hi,
  Please check the following enhancement for MGCP support
  https://tools.cisco.com/bugsearch/bug/CSCuo85914/?reffering_site=dumpcr
  Symptom:
  To add support of ISR 4351, ISR 4331 and ISR4321 platform in UCM. User can provision ISR4351, ISR4331 and ISR4321 and NIM T1/E1 cards on UCM UI.
  Conditions:
  New enhancement done
  Workaround:
  New enhancement done
  Known Fixed Releases:
  (8)
  10.5(1.98000.29)
  10.5(1.98000.77)
  10.5(2.10000.5)
  11.0(0.98100.18)
  8.6(1.20014.1)
  9.1(2.13083.1)
  9.1(2.13900.10)
  9.1(2.13900.2)
  HTH
  Manish

• HWIC-3G-HSPA module on Cisco ISR Router

  I have a plan to implement HWIC-3G-HSPA radio module as a backup line rather than wired.
  If you have an experienced one to use one with VOIP, could you tell me that it could be available as the appropriate solution?

  Thanks to everyone,
  Cisco change the Hwic-3g-hspa card. Whole serises of Card was produce with problem.
  Now everything is working  perfectly.

• Cisco Unified Presence 8.5 High Availability problem

  As we have two Cisco presence version 8.5 node as subcluster and configure as High Availability in a Subcluster . Once i click enable HA on the
  presence server . its give the below messages as meniton
  Primary server : 
  node state  : Running in backup mode
  node reason : peer down during initialization
  Seconary server :
  node state : unknown        
  node  reason : High Availability not enabled.
  Even All the service are up and running.
  So please advice hightly appreciate for you response.

  Hi,
  Are both the CUP servers in different subnets/networks? If yes, then there is a setting under cluster topology page that has to be modified. It must be in Settings under cluster topology page. The default parameter will be 'MDNS'. This has to be changed to 'Router to Router' if the servers are in different subnets.
  -Sankar
  Sent from Cisco Technical Support iPad App

• VPN Client and AAA services on a Cisco ISR Router

  Hi, my name is Jim, and I was just promoted as a trainer for the company I work for.  Part of my new challenge is understanding how the configuration files in both my Terminal Services/VPN Router and Core Router work, so for many of you, these questions are going to seem very fundamental, but please help, I am an instructor in training.  I hold a CCNA, CCNA-Wireless, and a CCSI cert, but I have little working experience in building and maintaining a lab....hence the need for this inquiry.
  So to my questions. In our lab environment, we have a router that acts as our terminal services router and VPN router.  Each laptop that connects to the lab has the Cisco VPN client loaded onto it, as well as my laptop that I teach from.  My questions are these:
  1.  What parts of the AAA output of the running configuration tell me how to configure the VPN clients on my laptops?
  2.  I am using crypto key generate RSA at 1024 bits on the VPN/TS router, so does that tell me how to configure some part of the client?
  3.  In our lab, we are going to use a direct connection to an AP to get connected to the network, and how will the absence of an Internet connection affect the settings on the VPN client, or will they?
  4.  Are there helpful articles I can read that will answer some or all of these questions? 
  Thanks in advance,
  Jim

  Hi Jim,
  congratulations
  Assuming a basic setup, your router will have something like this:
  crypto isakmp client configuration group MyGroup
    key cisco123
  So on the client, you configure it to use MyGroup as the group name, and cisco123 as the (group) password.
  I'm not sure I understand your question #3 and what you mean by "AP" (Access Point? So WiFi?). In any case you don't need Internet access per se, as long as you have network (IP) connectivity between the host running the vpnclient and the VPN router.
  Does this help?
  Herbert

• Cisco Prime Infrastructure 2.1 High availability Question

  Hello All,
  I am configuring high availability for two prime infrastructure 2.1 servers. I have configured manual HA between the servers. I need to know what will be the configuration in the devices ( switches,routers etc.) for proper working of the HA. For example
  Should we need to configure both the prime infra servers as snmp hosts in the devices??. If we have to when an event happens the switch well unnecessarily send the traps to the secondary even when the primary is alive??. 
  If anyone has a copy of the configuration of such a set up please share it with me. 
  Thanks and Regards
  Shabeeb

  Hi Shabeeb,
  You are correct on that part that unnecessarily devices will  try to send traps to the secondary server if you specify that in the device's config. I don't think it should be a concern , this is expected.
  otherwise you need to configure them later once the PI server fail over to secondary .
  If you have any other doubt ,kindly ask.
  Thanks-
  Afroz
  ***Ratings Encourages Contributors ***

• Need Cisco VPNClient for 10.8. Available? Will OS VPN work with Cisco?

  Need to connect to VPN serve using Cisco VPNClient but cannot find client for OS 10.8. Last VPN Client I have only works in 32 bit mode. Anyway to use OS VPN?

  Have you tried setting up a Cisco connection through the VPN network preference panel? You need an account credentials (name and password) as well as either a certiicate or a general password.
  System Preferences - Network - add network port - choose VPN interface - choose Cisco IPSec type, then configure it as needed.
  Matt

• Cisco Prime LMS 4.2 Device Availability Poller & Portlet

  The default, non-editable "System" Device Availability poller appears to be the only one used by the Availability Pie Chart Portlet. Or is there a way to a show a chart based on a user defined poller, which excludes devices known to be currently offline?

  Hi ,
  It's true  that you will not be able to Delete the system Defined pollers ,however you can DEACTIVATE them.
  selecet system defined device availblity poller and De-activate it..
  Now created a NEW poller , add the devices which you are interested in. and you should able to see the data in the PIE chart for the user defined poller.
  Thanks-
  Afroz
  [Do rate the useful post]

• Cisco ISR-2801 With ADVIPSVC-K9-MZ and no IDS

  Can someone tell me why I have some older routers with the advanced ip services images and ip audit (IDS) services work and the new ISR router with the
  Advanced ip services k9 image doesnt. I went throught the software advisor and it looks like it should support audit rules and signatures with defined actions etc. I dont have any of these options. on this 12.4-12-mz image its running on. Can someone clarify why?
  Thanks,

  Secure Sockets Layer provides security for web transactions by handling authentication, data enryption and digital signatures. The 2800 Series supports SSL VPNs and SSL acceleration via the AIM-VPN/SSL-3.

• Ipsec tunnel possible with Checkpoint ngx 6.5 and Cisco ISR-dual ISP?

  Hi Gurus,
  I have a requirement to fulfill in that there are 2 sites that I need to create an ipsec tunnel. A remote site running a Checkpoint ngx 6.5 and a local site with 2 different ISPs and 2 x ISR 29xx routers for both ISP and hardware redundancy. I have only done the vpn setup with one ISR and ISP1 so far.
  I am planning to have just 1 ISR (ISR1) and ISP1  being active at any given time. If ISP1 or ISR 1 goes out, all traffic should fail over to ISR2 with ISP2.
  is this possible with the ISRs?
  Checkpoint does not appear to allow seeing the different ISRs with 2 possible WAN ip addresses with the same encryption domain or 'interesting traffic', so i am not sure if this work at all.
  BGP won't be used.
  I have looked at ip sla, pbr, and it appears that the best I could achieve would be vpn traffic via ISR1 and ISP1, and could failover only the non vpn traffic to ISR2 and ISP2.  Please correct me if I am wrong....many thanks.
  Any ideas will be greatly appreciated..
  Civicfan

  I found the problem but dont know how to fix it now!
  Problem is on siteB with using the same ACL name "siteA" in both sequence numbers in cryptomap "outside_map"
  crypto map outside_map 9 match address SiteA
  crypto map outside_map 9 set peer 212.89.229.xx
  crypto map outside_map 9 set transform-set ESP-AES-256-SHA
  crypto map outside_map 9 set security-association lifetime seconds 28800
  crypto map outside_map 9 set security-association lifetime kilobytes 4608000
  crypto map outside_map 10 match address SiteA
  crypto map outside_map 10 set peer 212.89.235.yy
  crypto map outside_map 10 set transform-set ESP-AES-256-SHA
  crypto map outside_map 10 set security-association lifetime seconds 28800
  crypto map outside_map 10 set security-association lifetime kilobytes 4608000
  If I remove:
  no crypto map outside_map 9 match address SiteA
  the IPSEC through 2nd ISP on siteA is working correct