Cisco MDS Port channel load balancing

A customer recently asked an interesting question about exchange based load balancing on an FC port channel. The platform is UCS with an 8 and 16 port channel per fabric interconnect on two separate UCS domains. The application is Oracle's data warehousing, which has been known to saturate 4 x 8gb fc links. Since the balancing method is exchange based, what constitutes the start and end of an exchange? We are trying to avoid a condition where an intense read write conversation locks to a single link in the port channel and is not spread across 8/16 links. Where can I find more information about exchange based routing protocol, or how should I go about managing extreme io in a converged infrastructure?

The default loadbalance method on FI and MDS is src-dst-ox-id based. Note that loadbalancing is done by a device on *outgoing traffic*. FI and MDS do not have to negotiate anything here. Technically, one device can do src-dst-id based while the other can use src-dst-ox-id. However, in your case there is no reason for such a change.
As I wrote before, if all of the links in the port-channel are touching the max capacity, you should recommend your customer to increase links in the bundle (max 16) or upgrade to 16G links. If a few of the links are heavily utilized while other links in the same port-channel are under utilized, you may want to check the application or HBA for capability of breaking down the large reads/writes under smaller exchanges. If no traffic is going on a few of the links at all, then I would suspect UCS to FI pinning as well.
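
The difference between src-dst-id and src-dst-ox-id balancing for a single initiator/target pair, and why very large exchanges still concentrate on a few links, as an added example that is not part of the original post. The FC IDs, link count and workload sizes are constructed, and CRC32 modulo the link count is an assumed stand-in for the switch hash, which the post does not describe.

```python
import zlib

N_LINKS = 8                       # members in the port channel (constructed)
S_ID, D_ID = 0x010203, 0x0A0B0C   # constructed FC IDs: one initiator, one target
MIB = 2 ** 20


def pick_link(fields, n_links):
    """Map the hashed header fields to a member link.

    Assumption: CRC32 modulo the link count stands in for the real hash.
    """
    key = b"".join(f.to_bytes(3, "big") for f in fields)
    return zlib.crc32(key) % n_links


def simulate(exchanges, mode, n_links=N_LINKS):
    """Return bytes sent per link for a list of (s_id, d_id, ox_id, nbytes)."""
    load = [0] * n_links
    for s_id, d_id, ox_id, nbytes in exchanges:
        if mode == "src-dst-id":
            fields = (s_id, d_id)
        elif mode == "src-dst-ox-id":
            fields = (s_id, d_id, ox_id)
        else:
            raise ValueError(f"unknown mode: {mode}")
        # Every frame of one exchange carries the same OX_ID, so the whole
        # exchange stays on the link chosen here.
        load[pick_link(fields, n_links)] += nbytes
    return load


def links_used(load):
    """Number of member links that carried any traffic."""
    return sum(1 for nbytes in load if nbytes > 0)


def workload(total_bytes, exchange_bytes):
    """Split total_bytes between the one S_ID/D_ID pair into equal exchanges."""
    count = total_bytes // exchange_bytes
    return [(S_ID, D_ID, ox_id & 0xFFFF, exchange_bytes) for ox_id in range(count)]


SMALL = workload(4096 * MIB, 1 * MIB)      # 4096 exchanges of 1 MiB
LARGE = workload(4096 * MIB, 1024 * MIB)   # 4 exchanges of 1 GiB

if __name__ == "__main__":
    for name, exchanges in (("4096 x 1 MiB", SMALL), ("4 x 1 GiB", LARGE)):
        for mode in ("src-dst-id", "src-dst-ox-id"):
            load = simulate(exchanges, mode)
            per_link = " ".join(f"{nbytes // MIB:5d}" for nbytes in load)
            print(f"{name:13s} {mode:14s} links={links_used(load)} MiB/link: {per_link}")
```

With src-dst-id the pair is pinned to one link regardless of exchange size; with src-dst-ox-id the spread is bounded by the number of exchanges in flight, which is why the reply points at the application or HBA splitting large reads/writes into smaller exchanges.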

Similar Messages

  • Nexus port channel load balance

    Hi
    I just want to clarify one setting for the port channel load balance on Nexus 6k switch. If I use the load balance option source-dest-ip-only, will the following four conversations be load balanced?
    10.10.10.1 -> 192.168.1.1
    10.10.10.2 -> 192.168.1.1
    10.10.10.1 -> 192.168.1.1
    10.10.10.1 -> 192.168.1.2
    Thanks. Leo

    Hi Leo,
    I think there may be a typo in your question as I only see three conversations and not four. That aside, I've not seen the Nexus port-channel load balancing sufficiently well documented to be able to give you the exact answer.
    In their configuration guides Cisco only include the following statement:
    Cisco NX-OS load balances traffic across all operational interfaces in a port channel by reducing part of the binary pattern formed from the addresses in the frame to a numerical value that selects one of the links in the channel.
    There is other documentation that states the load balancing algorithm uses a CRC-8 based polynomial, but as we don't know exactly which parts of the frame are used in the calculation, I don't see it's possible to calculate the answer and so derive the link that will be used for a given conversation.
    While I've not seen full documentation regarding the science used in the calculation, what Cisco have done is provide a command on the switch CLI that will allow you to determine which link of a port-channel will be used.
    If you run the command show port-channel load-balance forwarding-path interface port-channel vlan src-ip dst-ip then one of the parts of the output is the member link of the port-channel that will be used for that flow.
    You can find full details of the options for the show port-channel load-balance command in the command reference.
    One other point to remember is that the load balancing across a port-channel is unidirectional, and the hashing might be completely different for the return flow of a conversation. For example it is entirely possible that traffic from A to B could use one link of a port-channel, while the return traffic from B to A for the same conversation could use a different link.
    In general I would use the source-dest-port option for load balancing on the Nexus switches as this will obviously include the Layer-4 port numbers in the calculation, and so give you a better distribution of flows across all member links.
    Regards

  • Port Channel Load-Balancing Algorithm (North Bound)

    I'm trying to figure out what the load balancing algorithm is for the 6100 and 6200 FIs for the Northbound connections. I can't find any documentation on how to change it.
    The Nexus 7000s use an 8-bit hash, making it very easy to do something other than 2, 4, or 8 link port channel and get even (at least algorithmically) distribution.
    Catalyst switches (not sure about Sup2T though) would use a 1, 2, or 3-bit index, which would skew traffic algorithmically if you used a non-power of 2.
    Looking at the 5K documentation, it seems to use the Catalyst style (though haven't been able to confirm). My guess is that whatever is used for the 5Ks is used for the 6100/6200.
    Design wise, this would mean you would want to use powers of 2 for your NB uplinks.
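
The bucket-count argument in the post above, worked through as an added example that is not part of the original thread. It assumes hash bucket b is served by link b mod n, which is the most even assignment possible; the function names are hypothetical.

```python
def bucket_share(index_bits, n_links):
    """Hash buckets owned by each link when 2**index_bits buckets are dealt out.

    Assumption: bucket b goes to link b mod n_links (round-robin). No other
    assignment of the same buckets can be more even than this one.
    """
    counts = [0] * n_links
    for bucket in range(2 ** index_bits):
        counts[bucket % n_links] += 1
    return counts


def skew(index_bits, n_links):
    """Ratio of the busiest link's bucket count to the idlest link's.

    1.0 means an algorithmically even split; inf means at least one link
    owns no bucket at all (more links than buckets).
    """
    counts = bucket_share(index_bits, n_links)
    if min(counts) == 0:
        return float("inf")
    return max(counts) / min(counts)


def even_link_counts(index_bits, max_links=8):
    """Link counts (1..max_links) that split the buckets perfectly evenly."""
    return [n for n in range(1, max_links + 1) if skew(index_bits, n) == 1.0]


def report(max_links=8):
    """Rows of (links, 3-bit bucket split, 3-bit skew, 8-bit skew)."""
    rows = []
    for n in range(1, max_links + 1):
        rows.append((n, bucket_share(3, n), round(skew(3, n), 3), round(skew(8, n), 3)))
    return rows


if __name__ == "__main__":
    print("links  3-bit split               3-bit skew  8-bit skew")
    for n, split, skew3, skew8 in report():
        print(f"{n:5d}  {str(split):24s}  {skew3:10.3f}  {skew8:10.3f}")
```

With a 3-bit index, any link count that is not a power of 2 leaves some links owning twice (or 1.5 times) as many buckets as others, while an 8-bit hash keeps the worst case within a few percent.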

    Hello Tony,
    On UCS FI, it uses "src-dest-ip" as the load balancing algorithm and uses 8 parameters for hashing:
    6248-01-B(nxos)# sh port-channel load-balance
    Port Channel Load-Balancing Configuration:
    System: source-dest-ip
    Port Channel Load-Balancing Addresses Used Per-Protocol:
    Non-IP: source-dest-mac
    IP: source-dest-ip source-dest-mac
    6248-01-B(nxos)# show platform fwm info pc port-channel 1
    dump pc info: if_index 369098752 dump_all 0 verbose 1
    Po1: state 0x0  #pifs 1  fwimpd ctx 0x9666c1c
    Po1: hash params - l2_da 1 l2_sa 1 l3_da 1 l3_sa 1
    Po1: hash params - l4_da 1 l4_sa 1 xor_sa_da 1 hash_elect 1
    I could not find an option to change these values.
    Padma

  • Nexus 6K: Port-Channel Load-Balance

    Hi all,
    I configured "port-channel load-balance ethernet source-dest-mac" on Nexus 6001. But when I use "show run all | in load-balance", it displays module 1 and module 2 are still using source-dest-ip for port-channel load-balance. And for command "show port-channel load-balance" and "show port-channel load-balance forwarding-path interface", it still shows switch using MAC for hash algorithm. The NXOS is 6.0(2)N1(2a).
    Does anybody know:
    -  What is the function of "port-channel load-balance ethernet source-dest-ip module" and in which situation this command will be effective?
    -  It shows "port-channel load-balance ethernet source-dest-ip module" command for both module 1 and 2. Module 1 is N6K Supervisor and module 2 is 4xQSFP Ethernet Module. Is it possible to set different load-balance algorithm  to these 2 modules?   
    # show run all | in load-balance
    port-channel load-balance ethernet source-dest-mac
    port-channel load-balance ethernet source-dest-ip module 1
    port-channel load-balance ethernet source-dest-ip module 2
    # show port-channel load-balance
    Port Channel Load-Balancing Configuration:
    System: source-dest-mac
    Port Channel Load-Balancing Addresses Used Per-Protocol:
    Non-IP: source-dest-mac
    IP: source-dest-mac
    # show port-channel load-balance forwarding-path interface port-channel 30 vlan 150 src-ip 172.25.228.6 dst-ip 172.25.226.97
    Missing params will be substituted by 0's.
    Load-balance Algorithm on switch: source-dest-mac
    crc_hash: 977 Polynomial: CRC10b        Outgoing port id  Ethernet1/2
    Param(s) used to calculate load-balance:
            seed: 0x701
            dst-mac:  0000.0000.0000
            src-mac:  0000.0000.0000
    # show module
    Mod Ports Module-Type                         Model                  Status
    1   48    Norcal 64 Supervisor                N6K-C6001-64P-SUP      active *
    2   10    Nexus 4xQSFP Ethernet Module        N6K-C6001-M4Q          ok
    Mod  Sw              Hw      World-Wide-Name(s) (WWN)
    1    6.0(2)N2(3)     1.0     --
    2    6.0(2)N2(3)     1.0     --

  • Nexus - port-channel load balancing

    Is port-channel load balancing a global command or an interface command on a Nexus switch?
    Thanks,
    Manu

    Hi,
    It's a global command; port-channel load-balance ethernet.
    You can find details in the Configuring Load Balancing Using Port Channels section of the Nexus 5500 Series NX-OS Interfaces Configuration Guide.
    Regards

  • Cisco MDS port channel with UCS FI

    Hello,
    Can anyone help me to configure/troubleshoot a Cisco MDS 9148 with Cisco UCS? I'm stuck on the port channel. I have configured it, but the interfaces are not coming up. It is showing init state.
    My topology is like:
    Nexus 5000-->UCS FI (single FI) -->Cisco MDS 9148
                                                     --> Two Chassis
    Any help would be highly appreciated...
    Thanx

    TMC-UCSFI-A-A(nxos)# sh interface brief
    Interface  Vsan   Admin  Admin   Status          SFP    Oper  Oper   Port
                      Mode   Trunk                          Mode  Speed  Channel
                             Mode                                 (Gbps)
    fc1/31     1      NP     off     errDisabled      swl    --           --
    fc1/32     1      NP     off     errDisabled      swl    --           --
    Ethernet      VLAN   Type Mode   Status  Reason                   Speed     Port
    Interface                                                                   Ch #
    Eth1/1        1      eth  fabric up      none                        10G(D) --
    Eth1/2        1      eth  fabric up      none                        10G(D) --
    Eth1/3        1      eth  fabric up      none                        10G(D) --
    Eth1/4        1      eth  fabric up      none                        10G(D) --
    Eth1/5        1      eth  access down    SFP not inserted            10G(D) --
    Eth1/6        1      eth  access down    SFP not inserted            10G(D) --
    Eth1/7        1      eth  access down    SFP not inserted            10G(D) --
    Eth1/8        1      eth  access down    SFP not inserted            10G(D) --
    Eth1/9        1      eth  access down    SFP not inserted            10G(D) --
    Eth1/10       1      eth  access down    SFP not inserted            10G(D) --
    Eth1/11       1      eth  access down    SFP not inserted            10G(D) --
    Eth1/12       1      eth  access down    SFP not inserted            10G(D) --
    Eth1/13       1      eth  access down    SFP not inserted            10G(D) --
    Eth1/14       1      eth  access down    SFP not inserted            10G(D) --
    Eth1/15       1      eth  trunk  up      none                        10G(D) 100
    Eth1/16       1      eth  trunk  up      none                        10G(D) 100
    Eth1/17       1      eth  fabric up      none                        10G(D) --
    Eth1/18       1      eth  fabric up      none                        10G(D) --
    Eth1/19       1      eth  fabric up      none                        10G(D) --
    Eth1/20       1      eth  fabric up      none                        10G(D) --
    Eth1/21       1      eth  access down    SFP not inserted            10G(D) --
    Eth1/22       1      eth  access down    SFP not inserted            10G(D) --
    Eth1/23       1      eth  access down    SFP not inserted            10G(D) --
    Eth1/24       1      eth  access down    SFP not inserted            10G(D) --
    Eth1/25       1      eth  access down    SFP not inserted            10G(D) --
    Eth1/26       1      eth  access down    SFP not inserted            10G(D) --
    Eth1/27       1      eth  access down    SFP not inserted            10G(D) --
    Eth1/28       1      eth  access down    SFP not inserted            10G(D) --
    Eth1/29       1      eth  access down    SFP not inserted            10G(D) --
    Eth1/30       1      eth  access down    SFP not inserted            10G(D) --
    output omitted
    TMC-UCSFI-A-A(nxos)#
    Here it shows that for fc1/31-32, which are in trunk, the status is errDisabled and admin trunk mode is off.

  • Port channel Load balancing in Storage VDC

    Hi, I am not able to find how to check PO load balancing for the storage VDC. I know that by default for FCoE traffic on the storage VDC it is OXID, but not whether it is src-dst l4port or src-dst ipl4port.

    Hi,
    From "Nexus 5500 to Nexus 7000 Multi-Hop FCoE Configuration Example" , 
    Note: On Nexus 7000, by default the source-destination-oxid load balancing mechanism is used for FCoE traffic.
    So let's see what is the default load balancing mechanism in Nexus 7000,
    From "Nexus 7000 interface configuration guide" ,
    The default load-balancing mode for Layer 3 interfaces is the source and destination IP address, and the default load-balancing mode for non-IP interfaces is the source and destination MAC address.
    Which means src-dst ip.
    So what I think is you need to have src-dst ip in default VDC for OXID load balancing in Nexus 7000.

  • 3750X Port-Channel Load-Balance method

    I have a 3750X and I'm wondering what the best Port-Channel Load-Balancing method would be for my network.
    switch(config)#port load ?
      dst-ip       Dst IP Addr
      dst-mac      Dst Mac Addr
      src-dst-ip   Src XOR Dst IP Addr
      src-dst-mac  Src XOR Dst Mac Addr
      src-ip       Src IP Addr
      src-mac      Src Mac Addr
    We have a few Layer 3 VLANs: Default, Servers, Clients, and Guests.
    Some of our servers are LACP bundled.
    So it would be mainly clients on the one layer 3 VLAN accessing the server on the other layer 3 VLAN.
    We also have a few smaller switches that are trunked and LACP bundled back to the core 3750X.
    Can anyone suggest which Load-Balancing method would be best for our situation?
    Thanks!

    The default load balancing method on the 3750 series is based on source-MAC address.  This usually works fine in most cases. If you change it to something different than this, it will affect all your port-channels in that switch.
    HTH

  • How can ftp service on non-standard port be load balanced using Cisco ACE.

    How can an ftp service on a non-standard port be load balanced using Cisco ACE? For example, ftp service required on tcp port 2000.

    Hi Samarjit,
    You can do this by specifying the port number in the class map that you create. Please find below the config guide, where you can specify the tcp/udp port, a range of ports or even the wildcard to match the port.
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/administration/guide/mapolcy.html#wp1318826
    Regards
    Abijith

  • Does Solaris 10 support cisco Virtual Port Channels over IP?

    Does anyone know if Solaris 10 supports cisco Virtual Port Channels over IP?

    Hi user11114413,
    The issue you are seeing actually has little to do with VIP, and more to do with there being multiple IP addresses for us to choose from on your box. For such multi-IP boxes, you'll want to tell us the IP to use, and in your case you want to tell as a VIP. This can be done either by editing your operational configuration file, and including an <address> element within the <unicast-listener> element, or via the tangosol.coherence.localhost system property. For example:
    <unicast-listener>
        <well-known-addresses>
            <socket-address id="1">
                <address>1.2.3.260</address> <!--virtual ip -->
                <port>8088</port>
            </socket-address>
        </well-known-addresses>
        <address>1.2.3.260</address> <!--virtual ip -->
        <port>8088</port>
    </unicast-listener>
    or
    java ... -Dtangosol.coherence.localhost=1.2.3.260
    If you are using the same operational configuration on all nodes in your cluster then the system property approach is likely preferable, and would only be necessary on the two machines sharing the VIP.
    As for using VIP or an extended WKA list, the choice is yours, either will work. If you do go the VIP route, it would obviously be a very bad idea to simultaneously use the same VIP and port at the same time from the two machines.
    thanks,
    Mark
    Oracle Coherence

  • Cisco CSS 11503 Arrowpoint/Load Balance question

    I am troubleshooting an issue with my 11503.  I am running version 07.40.0.04. I have it configured as follows:
      content upcadtoa-rule
        add service cadtoa-wls1-e0
        add service cadtoa-wls1-e1
        add service cadtoa-wls2-e0
        add service cadtoa-wls2-e1
        add service cadtoa-wls3-e0
        add service cadtoa-wls3-e1
        add service cadtoa-wls4-e0
        add service cadtoa-wls4-e1
        add service cadtoa-wls5-e0
        add service cadtoa-wls5-e1
        add service cadtoa-wls6-e0
        add service cadtoa-wls6-e1
        arrowpoint-cookie expiration 00:00:15:00
        protocol tcp
        port 8001
        advanced-balance arrowpoint-cookie
        redundant-index 2
        vip address 172.30.194.195 range 2
        arrowpoint-cookie name TOA
        active
    However, the load-balancing across the servers does not seem to be doing much balancing.  One of those servers is getting hit with 5 times as much traffic as another and another server is lucky to get a connection at all.  With the cookie expiration set, one would think that this would all balance out over time.
    I just came across this information from Cisco and I am wondering if it is relevant:
    If you configure a balance or advanced-balance method on a content rule that requires the TCP protocol for Layer 5 (L5) spoofing, you should configure a default URL string, such as url "/*". The addition of the URL string forces the content rule to become an L5 rule and ensures L5 load balancing or stickiness. If you do not configure a default URL string, unexpected results can occur.
    In the following configuration example, if you configure a Layer 3 (L3) content rule with an L5 balance method, the CSS performs L5 load balancing, but will reject UDP packets.
    content testing
    vip address 192.168.128.131
    add service s1
    balance url
    active
    The balance url method is an L5 load-balancing method in which the CSS must spoof the connection and examine the HTTP GET content request to perform load balancing. The CSS rejects the UDP packet sent to this rule because a UDP connection cannot be L5. Though the CSS allows this rule configuration, its expected behavior would be more clear if you promote the rule to L5 by configuring the url "/*" command.
    In the next example, if you configure an L3 content rule with an L5 advanced-balance method, L5 stickiness will not work as expected.
    content testing
    vip address 192.168.128.131
    add service s1
    advanced-balance arrowpoint-cookie
    active
    The advanced-balance arrowpoint-cookie method causes the CSS to spoof the connection, however, the CSS still marks it as an L3 rule. Thus, the CSS does not insert the generated cookie and the rule defaults to L3 stickiness (sticky-srcip). You must configure a URL like url "/*" to promote this rule to L5, ensuring that L5 stickiness works as expected.
    Thanks in advance for any help you can give.  The thing is not down, it is just balancing strangely causing application performance issues.
    James

    Hey James,
    You will need to suspend the content rule in order to add the url statement.  This will cause a quick downtime until the content rule is activated again.  I have shown below the commands to add the statement.  Perhaps you can create your commands in a Notepad file, then paste them all in so they execute quickly to minimize your downtime:
      content MY-SITE
        vip address 10.201.130.140
        port 80
        protocol tcp
        add service MY-SERVER
        active
    CSS11503# config t
    CSS11503(config)# owner TEST
    CSS11503(config-owner[TEST])# content MY-SITE
    CSS11503(config-owner-content[TEST-MY-SITE])# url "/*"
    %% Attribute may not be modified on active rule
    CSS11503(config-owner-content[TEST-MY-SITE])# suspend
    CSS11503(config-owner-content[TEST-MY-SITE])# url "/*"
    CSS11503(config-owner-content[TEST-MY-SITE])# active
    CSS11503(config-owner-content[TEST-MY-SITE])# exit
    CSS11503(config-owner[TEST])# exit
    CSS11503(config)# exit
    CSS11503# show run
      content MY-SITE
        vip address 10.201.130.140
        add service MY-SERVER
        port 80
        protocol tcp
       url "/*"       <--------
        active
    Hope this helps,
    Sean

  • Cisco 1921 Dual ADSL Load Balancing/Failover?

    Hello,
    We have purchased a Cisco 1921 with twin ADSL after advice from a Cisco sales rep. However I am having trouble working out the load balancing/fail over config for the device.
    I would like traffic to balance over both ADSL lines and if one goes down not to interrupt connectivity.
    I had a look at ppp multilink but I am unsure our ISP (BT) support this?
    This is my current config which I think only one ADSL line is being used. Some input would be appreciated
    Robbie
    ! Last configuration change at 13:18:34 UTC Tue Mar 29 2011
    version 15.0
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname xxxxxx
    boot-start-marker
    boot-end-marker
    no logging buffered
    enable secret 5 xxxxx
    enable password xxxx
    no aaa new-model
    no ipv6 cef
    ip source-route
    ip cef
    ip name-server 194.74.65.68
    ip name-server 194.72.0.114
    multilink bundle-name authenticated
    crypto pki trustpoint TP-self-signed-xxxxxx
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-xxxxx0
    revocation-check none
    rsakeypair TP-self-signed-xxxxx!
    crypto pki certificate chain TP-self-signed-xxxxxx
    certificate self-signed 02 nvram:IOS-Self-Sig#4.cer
    license udi pid CISCO1921/K9 xxxxx
    username admin privilege 15 secret 5 xxxxxxxxxx/
    interface GigabitEthernet0/0
    description lan$ETH-LAN$
    ip address 10.0.8.1 255.255.248.0
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    interface GigabitEthernet0/1
    no ip address
    shutdown
    duplex auto
    speed auto
    interface ATM0/0/0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    no atm ilmi-keepalive
    dsl operating-mode adsl2
    interface ATM0/0/0.1 point-to-point
    description $ES_WAN$$FW_OUTSIDE$
    ip flow ingress
    pvc 0/38
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
    interface ATM0/1/0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    no atm ilmi-keepalive
    dsl operating-mode adsl2
    interface ATM0/1/0.1 point-to-point
    description $ES_WAN$$FW_OUTSIDE$
    ip flow ingress
    pvc 0/38
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
    interface Dialer0
    mtu 1483
    ip address negotiated
    ip access-group spalding in
    ip access-group spalding out
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication chap callin
    ppp chap hostname xxxxx
    ppp chap password 0 xxxxx
    ppp multilink
    ppp multilink links minimum 2
    ppp multilink fragment disable
    ppp timeout multilink link add 2
    no cdp enable
    interface Dialer1
    mtu 1483
    ip address negotiated
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication chap callin
    ppp chap hostname xxxxx
    ppp chap password 0 xxxxx
    ppp link reorders
    ppp multilink
    ppp multilink links minimum 2
    ppp multilink fragment disable
    ppp timeout multilink link add 2
    no cdp enable
    ip forward-protocol nd
    no ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 1 interface Dialer0 overload
    ip nat inside source static tcp 10.0.15.201 3389 interface Dialer0 3389
    ip nat outside source static tcp 195.194.75.218 3389 10.0.15.200 3389 extendable
    ip route 0.0.0.0 0.0.0.0 Dialer0
    access-list 1 remark INSIDE_IF=GigabitEthernet0/0
    access-list 1 permit 10.0.0.0 0.254.255.255
    dialer-list 1 protocol ip permit
    control-plane
    line con 0
    line aux 0
    line vty 0 4
    privilege level 15
    login local
    transport input telnet ssh
    line vty 5 15
    privilege level 15
    login local
    transport input telnet ssh
    scheduler allocate 20000 1000
    end

    Hi,
    Can anyone help me with this config?  not very reliable.
    Building configuration...
    Current configuration : 17349 bytes
    ! Last configuration change at 06:08:06 UTC Sun Apr 5 2015 by Shawn
    version 15.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    hostname Router
    boot-start-marker
    boot system flash0:c2900-universalk9-mz.SPA.154-3.M2.bin
    boot-end-marker
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 51200
    logging console critical
    enable secret 5 $1$sNeA$GB6.SMrcsxPf51tK2Eo9Z.
    aaa new-model
    aaa authentication login local_authen local
    aaa authorization exec local_author local
    aaa session-id common
    no ip source-route
    ip port-map user-protocol--8 port udp 3392
    ip port-map user-protocol--9 port tcp 3397
    ip port-map user-protocol--2 port udp 3391
    ip port-map user-protocol--3 port tcp 14000
    ip port-map user-protocol--1 port tcp 3391
    ip port-map user-protocol--6 port udp 3394
    ip port-map user-protocol--7 port tcp 3392
    ip port-map user-protocol--4 port udp 14100
    ip port-map user-protocol--5 port tcp 3394
    ip port-map user-protocol--10 port udp 3397
    ip dhcp excluded-address 192.168.1.1 192.168.1.49
    ip dhcp excluded-address 192.168.10.1 192.168.10.49
    ip dhcp pool DHCP_POOL1
     import all
     network 192.168.1.0 255.255.255.0
     dns-server 139.130.4.4 203.50.2.71
     default-router 192.168.1.1
     lease infinite
    ip dhcp pool ccp-pool1
     import all
     network 192.168.10.0 255.255.255.0
     dns-server 139.130.4.4 203.50.2.71
     default-router 192.168.10.1
     lease infinite
    no ip bootp server
    ip host SHAWN-PC 192.168.1.10
    ip host DIAG 192.168.1.5
    ip host MSERV 192.168.1.13
    ip name-server 139.130.4.4
    ip name-server 203.50.2.71
    ip cef
    ip cef load-sharing algorithm include-ports source destination
    no ipv6 cef
    multilink bundle-name authenticated
    cts logging verbose
    crypto pki trustpoint TP-self-signed-1982477479
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-1982477479
     revocation-check none
     rsakeypair TP-self-signed-1982477479
    license udi pid 
    license boot module c2900 technology-package securityk9
    license boot module c2900 technology-package datak9
    redundancy
    controller VDSL 0/0/0
     operating mode adsl2+
    controller VDSL 0/1/0
     operating mode adsl2+
    no cdp run
    track timer interface 5
    track 1 interface Dialer0 ip routing
     delay down 15 up 10
    track 2 interface Dialer1 ip routing
     delay down 15 up 10
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    class-map type inspect match-all sdm-nat-user-protocol--7-1
     match access-group 104
     match protocol user-protocol--7
     match access-group 102
    class-map type inspect match-all sdm-nat-user-protocol--4-2
     match access-group 101
     match protocol user-protocol--4
    class-map type inspect match-all sdm-nat-user-protocol--6-1
     match access-group 103
     match protocol user-protocol--6
    class-map type inspect match-all sdm-nat-user-protocol--5-1
     match access-group 103
     match protocol user-protocol--5
    class-map type inspect match-all sdm-nat-user-protocol--4-1
     match access-group 102
     match protocol user-protocol--4
    class-map type inspect match-all sdm-nat-user-protocol--7-2
     match access-group 101
     match protocol user-protocol--7
    class-map type inspect match-all sdm-nat-user-protocol--3-1
     match access-group 102
     match protocol user-protocol--3
    class-map type inspect match-all sdm-nat-user-protocol--2-1
     match access-group 101
     match protocol user-protocol--2
    class-map type inspect match-all sdm-nat-user-protocol--1-2
     match access-group 102
     match protocol user-protocol--1
    class-map type inspect match-all sdm-nat-user-protocol--1-1
     match access-group 101
     match protocol user-protocol--1
    class-map type inspect match-all sdm-nat-user-protocol--2-2
     match access-group 102
     match protocol user-protocol--2
    class-map type inspect match-all sdm-nat-user-protocol--3-2
     match access-group 101
     match protocol user-protocol--3
    class-map type inspect match-all sdm-nat-user-protocol--8-2
     match access-group 101
     match protocol user-protocol--8
    class-map type inspect match-all sdm-nat-user-protocol--9-2
     match access-group 104
     match protocol user-protocol--9
    class-map type inspect match-any ccp-skinny-inspect
     match protocol skinny
    class-map type inspect match-all sdm-nat-user-protocol--9-1
     match access-group 101
     match protocol user-protocol--9
     match access-group 104
    class-map type inspect match-all sdm-nat-user-protocol--8-1
     match access-group 104
     match protocol user-protocol--8
     match access-group 102
    class-map type inspect match-any ccp-h323nxg-inspect
     match protocol h323-nxg
    class-map type inspect match-any ccp-cls-icmp-access
     match protocol icmp
     match protocol tcp
     match protocol udp
    class-map type inspect match-all sdm-nat-user-protocol--10-2
     match access-group 104
     match protocol user-protocol--10
    class-map type inspect match-all sdm-nat-user-protocol--10-1
     match access-group 101
     match protocol user-protocol--10
     match access-group 104
    class-map type inspect match-any ccp-h225ras-inspect
     match protocol h225ras
    class-map type inspect match-any ccp-h323annexe-inspect
     match protocol h323-annexe
    class-map type inspect match-any ccp-cls-insp-traffic
     match protocol pptp
     match protocol dns
     match protocol ftp
     match protocol https
     match protocol icmp
     match protocol imap
     match protocol pop3
     match protocol netshow
     match protocol shell
     match protocol realmedia
     match protocol rtsp
     match protocol smtp
     match protocol sql-net
     match protocol streamworks
     match protocol tftp
     match protocol vdolive
     match protocol tcp
     match protocol udp
    class-map type inspect match-all SDM_GRE
     match access-group name SDM_GRE
    class-map type inspect match-any ccp-h323-inspect
     match protocol h323
    class-map type inspect match-all ccp-invalid-src
     match access-group 100
    class-map type inspect match-any ccp-sip-inspect
     match protocol sip
    class-map type inspect match-all ccp-protocol-http
     match protocol http
    class-map type inspect match-any CCP_PPTP
     match class-map SDM_GRE
    class-map type inspect match-all ccp-insp-traffic
     match class-map ccp-cls-insp-traffic
    class-map type inspect match-all ccp-icmp-access
     match class-map ccp-cls-icmp-access
    policy-map type inspect ccp-inspect
     class type inspect ccp-invalid-src
      drop log
     class type inspect ccp-protocol-http
      inspect
     class type inspect ccp-insp-traffic
      inspect
     class type inspect ccp-sip-inspect
      inspect
     class type inspect ccp-h323-inspect
      inspect
     class type inspect ccp-h323annexe-inspect
      inspect
     class type inspect ccp-h225ras-inspect
      inspect
     class type inspect ccp-h323nxg-inspect
      inspect
     class type inspect ccp-skinny-inspect
      inspect
     class class-default
      drop
    policy-map type inspect sdm-pol-NATOutsideToInside-1
     class type inspect sdm-nat-user-protocol--1-1
      inspect
     class type inspect sdm-nat-user-protocol--2-1
      inspect
     class type inspect sdm-nat-user-protocol--3-1
      inspect
     class type inspect sdm-nat-user-protocol--4-1
      inspect
     class type inspect sdm-nat-user-protocol--5-1
      inspect
     class type inspect sdm-nat-user-protocol--6-1
      inspect
     class type inspect sdm-nat-user-protocol--7-1
      inspect
     class type inspect sdm-nat-user-protocol--8-1
      inspect
     class type inspect sdm-nat-user-protocol--9-1
      inspect
     class type inspect sdm-nat-user-protocol--10-1
      inspect
     class type inspect CCP_PPTP
      pass
     class type inspect sdm-nat-user-protocol--7-2
      inspect
     class type inspect sdm-nat-user-protocol--8-2
      inspect
     class type inspect sdm-nat-user-protocol--1-2
      inspect
     class type inspect sdm-nat-user-protocol--2-2
      inspect
     class type inspect sdm-nat-user-protocol--9-2
      inspect
     class type inspect sdm-nat-user-protocol--10-2
      inspect
     class type inspect sdm-nat-user-protocol--3-2
      inspect
     class type inspect sdm-nat-user-protocol--4-2
      inspect
     class class-default
      drop log
    policy-map type inspect ccp-permit
     class class-default
      drop
    policy-map type inspect ccp-permit-icmpreply
     class type inspect ccp-icmp-access
      inspect
     class class-default
      pass
    zone security in-zone
    zone security out-zone
    zone-pair security ccp-zp-self-out source self destination out-zone
     service-policy type inspect ccp-permit-icmpreply
    zone-pair security ccp-zp-in-out source in-zone destination out-zone
     service-policy type inspect ccp-inspect
    zone-pair security ccp-zp-out-self source out-zone destination self
     service-policy type inspect ccp-permit
    zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
     service-policy type inspect sdm-pol-NATOutsideToInside-1
    interface Null0
     no ip unreachables
    interface Embedded-Service-Engine0/0
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     shutdown
    interface GigabitEthernet0/0
     description $ETH-LAN$
     ip address 192.168.10.1 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     duplex auto
     speed auto
     no mop enabled
    interface GigabitEthernet0/1
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     shutdown
     duplex auto
     speed auto
     no mop enabled
    interface ATM0/0/0
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     no atm ilmi-keepalive
    interface ATM0/0/0.1 point-to-point
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     pvc 8/35
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
    interface ATM0/0/0.2 point-to-point
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
    interface Ethernet0/0/0
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     shutdown
     no mop enabled
    interface ATM0/1/0
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     no atm ilmi-keepalive
    interface ATM0/1/0.1 point-to-point
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     pvc 8/35
      encapsulation aal5mux ppp dialer
      dialer pool-member 2
    interface Ethernet0/1/0
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     shutdown
     no mop enabled
    interface GigabitEthernet0/3/0
     no ip address
    interface GigabitEthernet0/3/1
     no ip address
    interface GigabitEthernet0/3/2
     no ip address
    interface GigabitEthernet0/3/3
     no ip address
    interface GigabitEthernet0/3/4
     no ip address
    interface GigabitEthernet0/3/5
     no ip address
    interface GigabitEthernet0/3/6
     no ip address
    interface GigabitEthernet0/3/7
     no ip address
    interface Vlan1
     description $FW_INSIDE$
     ip address 192.168.1.1 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nbar protocol-discovery
     ip flow ingress
     ip nat inside
     ip virtual-reassembly in
     zone-member security in-zone
    interface Dialer0
     description $FW_OUTSIDE$
     ip address negotiated
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nbar protocol-discovery
     ip flow ingress
     ip nat outside
     ip virtual-reassembly in
     zone-member security out-zone
     encapsulation ppp
     dialer pool 1
     dialer-group 1
     ppp authentication chap pap callin
     ppp chap hostname [email protected]
     ppp chap password 7 1444405858557A
     ppp pap sent-username [email protected] password 7 135645415F5D54
     ppp multilink
    interface Dialer1
     description $FW_OUTSIDE$
     ip address negotiated
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nbar protocol-discovery
     ip flow ingress
     ip nat outside
     ip virtual-reassembly in
     zone-member security out-zone
     encapsulation ppp
     dialer pool 2
     dialer-group 2
     ppp authentication chap pap callin
     ppp chap hostname [email protected]
     ppp chap password 7 01475E540E5D55
     ppp pap sent-username [email protected] password 7 055F5E5F741A1D
     ppp multilink
    router eigrp as#
    router eigrp 10
     network 192.168.1.1 0.0.0.0
    router rip
     version 2
     network 192.168.1.0
     no auto-summary
    ip forward-protocol nd
    ip http server
    ip http access-class 3
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip dns server
    ip nat inside source static tcp 192.168.1.10 3392 interface Dialer1 3392
    ip nat inside source static udp 192.168.1.10 3392 interface Dialer1 3392
    ip nat inside source static tcp 192.168.1.35 3391 interface Dialer0 3391
    ip nat inside source static udp 192.168.1.35 3391 interface Dialer0 3391
    ip nat inside source static tcp 192.168.1.5 3394 interface Dialer0 3394
    ip nat inside source static udp 192.168.1.5 3394 interface Dialer0 3394
    ip nat inside source static tcp 192.168.1.17 3397 interface Dialer0 3397
    ip nat inside source static udp 192.168.1.17 3397 interface Dialer0 3397
    ip nat inside source static tcp 192.168.1.10 14000 interface Dialer0 14000
    ip nat inside source static udp 192.168.1.10 14100 interface Dialer0 14100
    ip nat inside source route-map ADSL0 interface Dialer0 overload
    ip nat inside source route-map ADSL1 interface Dialer1 overload
    ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
    ip route 0.0.0.0 0.0.0.0 Dialer1 track 2
    ip access-list extended NAT
     remark CCP_ACL Category=18
     permit ip 192.0.0.0 0.255.255.255 any
    ip access-list extended SDM_GRE
     remark CCP_ACL Category=1
     permit gre any any
     remark CCP_ACL Category=1
    ip access-list extended STATIC-NAT-SERVICES
     permit ip host 192.168.1.35 any
     permit ip host 192.168.1.5 any
     permit ip host 192.168.1.10 any
     permit ip host 192.168.1.17 any
    dialer-list 1 protocol ip permit
    dialer-list 2 protocol ip permit
    route-map ADSL0 permit 10
     match ip address NAT
     match interface Dialer0
    route-map ADSL1 permit 10
     match ip address NAT
     match interface Dialer1
    access-list 1 remark INSIDE_IF=Vlan1
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 192.168.1.0 0.0.0.255
    access-list 2 remark HTTP Access-class list
    access-list 2 remark CCP_ACL Category=1
    access-list 2 permit 192.168.1.0 0.0.0.255
    access-list 2 deny   any
    access-list 2 remark HTTP Access-class list
    access-list 2 remark CCP_ACL Category=1
    access-list 3 remark HTTP Access-class list
    access-list 3 remark CCP_ACL Category=1
    access-list 3 permit 192.168.1.0 0.0.0.255
    access-list 3 deny   any
    access-list 10 remark INSIDE_IF=NAT
    access-list 10 remark CCP_ACL Category=2
    access-list 10 permit 192.168.1.0 0.0.0.255
    access-list 100 remark CCP_ACL Category=128
    access-list 100 permit ip host 255.255.255.255 any
    access-list 100 permit ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip 139.130.227.0 0.0.0.255 any
    access-list 100 permit ip 203.45.106.0 0.0.0.255 any
    access-list 101 remark CCP_ACL Category=0
    access-list 101 permit ip any host 192.168.1.10
    access-list 101 remark CCP_ACL Category=0
    access-list 101 permit ip any host 192.168.1.35
    access-list 101 permit tcp any any eq www
    access-list 102 remark CCP_ACL Category=0
    access-list 102 permit ip any host 192.168.1.35
    access-list 102 remark CCP_ACL Category=0
    access-list 102 permit ip any host 192.168.1.10
    access-list 103 remark CCP_ACL Category=0
    access-list 103 permit ip any host 192.168.1.5
    access-list 104 remark CCP_ACL Category=0
    access-list 104 permit ip any host 192.168.1.17
    control-plane
    banner login ^CCE-Rescue Systems^C
    line con 0
     login authentication local_authen
     transport output telnet
    line aux 0
     login authentication local_authen
     transport output telnet
    line 2
     no activation-character
     no exec
     transport preferred none
     transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
     stopbits 1
    line vty 0 4
     authorization exec local_author
     login authentication local_authen
     transport input telnet ssh
    line vty 5 15
     authorization exec local_author
     login authentication local_authen
     transport input telnet ssh
    scheduler allocate 20000 1000
    end
    Thanks
    Shawn

  • Cisco RV042 - Dual Wan Load Balancing - Secure Site (HTTPS) Trouble

    PID VID :
    RV042 V03
    Firmware Version :
    v4.0.0.07-tm (Aug 19 2010 19:19:50)
    Ever since I set up my RV042 with load balancing using the Dual Wan system I have had trouble staying connected to some secure sites. After doing some searching I found that the potential issue is the IP change mid session.
    "http://www.broadbandreports.com/forum/r25537589-Cisco-RV042-can-not-use-load-balancing-for-some-web-sites"
    Although my interface is significantly different I was able to find the same area in my RV042 admin area however, it doesn't seem to work.
    System Management
    > Dual Wan
    In Wan 1 & Wan 2 I have HTTPS and HTTPS Secondary all forwarded to use Wan 2 under Protocol Binding
    This however has not managed to do anything at all for my network and every computer connected experiences the same HTTPS irregularities at some websites.
    I'm sure I must be doing something wrong, but I don't know what it is.
    Both incoming connections are from the same service provider although the plans are different.
    Any help with this would greatly help me stop losing my mind trying to fight with my website control panel for 10 minutes to just log in and get something done.
    Thanks

    Any ideas or advice from anyone?

  • Two gateways, port-based load balancing

    Hello,
    I have a simple question on Mac OS X Leopard/SL Server regarding the use of 2 distinct internet connections on a single LAN.
    Gateway #1 : 10.0.1.1 (delivering IPs) - 18 mbps
    Gateway #2 : 10.0.1.254 - 4 mbps
    Any computer accessing the network is delivered an IP by the DHCP server (10.0.1.1), thus uses #1 as its main gateway.
    The main server (10.0.1.16) is running DNS services and a Squid proxy-cache.
    Now, is it possible to set all the computers that connect to the network up so that they use the main server as the main gateway and see their requests redirected to #1 or #2 according to the port in use?
    For example:
    mail,http,https,jabber -> #1
    skype,rtsp,... -> #2
    Thank you very much for your help
    Tha

    is it possible to set all the computers that connect to the network up so that they use the main server as the main gateway and see their requests redirected to #1 or #2 according to the port in use?
    No. Routing is based on destination IP address, not port.
    Therefore each client will send all traffic for a specific address to a specific router address. It doesn't matter whether it's talking HTTP, SMTP, IMAP, POP, AIM, or any other protocol - any traffic for that IP will go to the same router.
    You have three ways of getting around this.
    One is to install a router that supports dual WAN connections. Point all internal clients to the LAN address of the router and let it do the work of routing the traffic as needed, based on its routing policies (routers may be able to route based on port).
    Option two is to set up a proxy server for specific services - for example you could set up a HTTP/HTTPS proxy server on a machine that has router #1 as its default gateway and configure the clients to talk to router #2. All traffic on the clients will go over router #2 except the proxied traffic which will go to the proxy and then out via router #1.
    This is relatively simple to set up, but is limited to traffic that can be easily proxied (e.g. that probably excludes email).
    The third option is static routing. Look at the servers each machine is contacting and set up static routes for the smaller set of addresses. For example, if you're only splitting off traffic to Skype's servers then set each client with a default route of router #1, and static routes to Skype's server to router #2. Now all traffic except that to Skype will use router #1.
    This is really only viable if you have a relatively small number of destination addresses you're trying to divert. That's why it works well for Skype (single server address), but wouldn't work well for something more generic such as 'web traffic' since you cannot predict which web servers (and therefore which IP addresses) need static routes.
    Of the three options, only option #1 will cover all protocols for all clients, but it's also the only option that costs $$s if your current router doesn't support multiple WAN interfaces.
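
    The routing behaviour described in the answer above, as an added example that is not part of the original thread: a host routing table picks the next hop by longest-prefix match on the destination address and ignores the port (option three), while a dual-WAN policy router (option one) can key on the port. The diverted server address is a constructed documentation-range value, and the port policy is hypothetical and assumes the services run on their default ports.

```python
import ipaddress

GW1 = "10.0.1.1"     # gateway #1 from the question (18 Mbps)
GW2 = "10.0.1.254"   # gateway #2 from the question (4 Mbps)
ON_LINK = "on-link"  # destination is on the LAN, no gateway involved

# Constructed sample address (documentation range) standing in for the one
# server whose traffic should be diverted; not a real service address.
DIVERTED_SERVER = "203.0.113.10"


class RouteTable:
    """Host routing table: the next hop depends on the destination IP only."""

    def __init__(self):
        self.routes = []  # list of (ip_network, next_hop)

    def add(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def next_hop(self, dst_ip, dst_port=None):
        # dst_port is accepted but never consulted: that is the point.
        addr = ipaddress.ip_address(dst_ip)
        matches = [(net, hop) for net, hop in self.routes if addr in net]
        if not matches:
            return None  # no route to host
        # Longest-prefix match: the most specific route wins.
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def client_table():
    """Option three: default route via #1, one static host route via #2."""
    table = RouteTable()
    table.add("10.0.1.0/24", ON_LINK)
    table.add("0.0.0.0/0", GW1)
    table.add(DIVERTED_SERVER + "/32", GW2)
    return table


# Option one: a dual-WAN router applying a port-based policy (hypothetical
# policy; assumes SMTP 25, HTTP 80, HTTPS 443, Jabber 5222, RTSP 554).
PORT_POLICY = {25: GW1, 80: GW1, 443: GW1, 5222: GW1, 554: GW2}


def policy_next_hop(dst_port, default=GW1):
    return PORT_POLICY.get(dst_port, default)


if __name__ == "__main__":
    table = client_table()
    flows = [("198.51.100.7", 443), ("198.51.100.7", 554),
             (DIVERTED_SERVER, 443), ("10.0.1.16", 3128)]
    for ip, port in flows:
        print(f"{ip}:{port:<5} host table -> {table.next_hop(ip, port):<11}"
              f" policy router -> {policy_next_hop(port)}")
```

    With the host table, the same destination leaves via the same gateway whether the port is 443 or 554; only the static host route moves traffic to gateway #2, which is why option three does not scale to generic web traffic.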

  • Cisco Ceasing Development Of Load-Balancer Products

    Has anybody heard of Cisco's ceasing on developing the ACEs past ACE30?
    Thanks.

    All-
    At this current point in time, the ACE30 and ACE4710 will continue to be developed through A5(3.X) code as part of the planned lifecycle of those products.  Any of the other future products including vACE, RISE, Nexus based Modules, appliances, etc. currently have no ETA, nor has any lifecycle ever been defined as they are not released products.  There is also no official Cisco response at this point in time to the rumors of cancellation, holds, etc. despite the hinting of certain articles to "confirmed by Cisco resources" based comments. 
    Your best avenue for information is to talk with your local Cisco sales representative or account manager.  They may have more specific information pertaining to questions at a per-product/per-scenario level. As well, they will have the ability to help you plan your future deployments and designs queries accordingly.
    Regards,
    Chris Higgins
    Cisco ANS Escalation Team
