Configuring QoS on Cisco 3845 router for Polycom Video Conferencing
Dear All,
We have implemented a Polycom Video Conferencing solution at our Head Office. Using this we communicate with other branch offices through the WAN (2 Mbps, MPLS).
The problem is that this WAN link is also used for data. When the traffic is high on the link, the voice and the video quality goes down drastically and we experience connection drops.
At the moment we have configured our Polycom box to communicate at 512 kbps and we would like to reserve that bandwidth on our WAN link. When video conferencing is not happening we would like it to be utilised by other traffic.
Can we configure QoS on our Cisco 3845 router to do this? I'm not a Cisco expert and have pressures from Management to correct this before the next conference.
I have already googled a fair bit but couldn't find anything suitable.
Could someone please tell me the exact commands that need to be given on our router to achieve this?
I'll be very thankful for this help.
Best Regards.
Hi,
You can use something like the following to guarantee 512k of bandwidth to your video-conferencing traffic but to allow that bandwidth to be used by other traffic when it is not being used for video-conferencing:
class-map VDOConf
 match ip dscp af41
!
policy-map WANPolicy
 class VDOConf
  bandwidth 512
!
interface
 service-policy output WANPolicy
Note that the above assumes that your video conferencing traffic is being marked to AF41. If that is not the case, you can always match on the IP address of your Polycom device using an ACL:
class-map VDOConf
 match access-group 101
!
access-list 101 permit ip .....
Hope that helps - pls rate the post if it does.
Paresh
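As an added worked example (not part of Paresh's post), the two halves of the answer carried through to a complete configuration: traffic from the Polycom unit is marked AF41 on the LAN ingress, and the WAN egress policy reserves 512 kbps for that class with CBWFQ, which only takes effect while the link is congested. The codec address 10.1.1.50, the LAN interface GigabitEthernet0/0 and the WAN interface Serial0/0/0 are assumed placeholders.

```cisco
! Identify the Polycom codec (assumed address 10.1.1.50; adjust to your unit).
! Keep this ACL to the codec host only: anything it matches gets the reserved class.
ip access-list extended POLYCOM-VC
 permit ip host 10.1.1.50 any
!
! LAN ingress: mark the codec's traffic AF41 so the WAN policy can match on DSCP
class-map match-all POLYCOM-IN
 match access-group name POLYCOM-VC
!
policy-map MARK-VC
 class POLYCOM-IN
  set ip dscp af41
!
interface GigabitEthernet0/0
 description LAN towards the Polycom unit (assumed interface)
 service-policy input MARK-VC
!
! WAN egress: CBWFQ reserves a minimum of 512 kbps for AF41 only during congestion;
! when no conference is running the bandwidth is available to class-default
class-map match-all VDOConf
 match ip dscp af41
!
policy-map WANPolicy
 class VDOConf
  bandwidth 512
 class class-default
  fair-queue
!
interface Serial0/0/0
 description 2 Mbps MPLS WAN (assumed interface)
 bandwidth 2048
 service-policy output WANPolicy
```

Check the result during a conference with "show policy-map interface Serial0/0/0" and confirm the VDOConf class counters increase; the 512 kbps sits within the default 75% reservable share of the 2048 kbps link. This covers only the Head Office to branch direction: traffic arriving from the branches has to be marked at the branch routers or have its DSCP preserved by the MPLS provider for the reverse direction to be protected.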
Similar Messages
Cisco 878 router for ADSL connectivity
Hi All,
I got a Cisco 878-k9 G.SHDSL router. I am trying to configure to get connectivity to my Service Provider.
Earlier i have configured Cisco 877 router serval times. But Cisco 878 for the first time. There is a DSL
controller in 878 rtr. I think i m missing something somewhere.
Below is the config that i have done
controller DSL 0
mode atm
loopback digital
dsl-mode shdsl symmetric annex A
line-rate auto
line-term cpe
line-mode 2-wire line-one
ip cef
ip dhcp excluded-address 192.168.10.1 192.168.10.10
ip dhcp pool INSIDE-Pool
import all
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 212.77.192.59 212.77.192.60
lease 8
interface ATM0
description (Outside Public Interface)
no shutdown
no ip address
load-interval 30
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
interface Dialer0
ip address negotiated
no ip redirects
no ip proxy-arp
no ip unreachables
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname p4411XXXX
ppp chap password qatarXXXX
ppp pap sent-username p44114032 password 0 qatarXXXX
no sh
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
ip nat inside source list 101 interface Dialer0 overload
access-list 1 permit any
access-list 101 deny ip 192.168.0.0 0.0.255.255 10.10.0.0 0.0.255.255
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
dialer-list 1 protocol ip permit
I have an ADSL line and I tried to configure the router 878, but there is no connection. Can you tell me how you resolved the problem, please?
this is the running config
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname cisco2
boot-start-marker
boot-end-marker
no logging buffered
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
resource policy
clock timezone EST -5
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
ip subnet-zero
ip cef
ip name-server 212.217.0.1
ip name-server 212.217.0.12
ip name-server 212.217.1.1
ip ddns update method sdm_ddns1
DDNS both
vpdn enable
vpdn-group pppoe
crypto pki trustpoint TP-self-signed-201735762
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-201735762
revocation-check none
rsakeypair TP-self-signed-201735762
crypto pki certificate chain TP-self-signed-201735762
certificate self-signed 01
quit
username xxxxx privilege 15 password 0 xxxxx
controller DSL 0
mode atm
line-term co
line-mode 4-wire standard
dsl-mode shdsl symmetric annex B
ignore-error-duration 15
line-rate 4608
interface BRI0
no ip address
encapsulation hdlc
shutdown
interface ATM0
no ip address
ip nat outside
ip virtual-reassembly
no atm ilmi-keepalive
interface ATM0.1 point-to-point
pvc 8/35
pppoe-client dial-pool-number 1
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Vlan1
description lan
ip address 192.168.1.5 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1412
interface Dialer1
ip ddns update hostname xxxx.dyndns.org
ip ddns update sdm_ddns1
ip address negotiated
ip mtu 1452
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname xxxxx
ppp chap password 0 xxxxx
ppp pap sent-username xxxxx password 0 xxxxx
interface Dialer0
no ip address
ip classless
ip http server
ip http access-class 24
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip access-list extended to-sip-servers
remark --- traffic to any sip server
permit udp 192.168.1.0 0.0.0.255 any eq 5060
access-list 1 permit 0.0.0.0 255.255.255.0
access-list 1 permit 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
snmp-server community public RO
no cdp run
control-plane
banner motd ^CINE welcome
banner ^C
line con 0
no modem enable
line aux 0
line vty 0 4
password cisco
scheduler max-task-time 5000
end
Configuring wireless on cisco 877w router
Hi all
I have a Cisco 877W wireless/ADSL router and having great difficulty with configuring wireless on this router. Here is a quick summary.
1. The ADSL is configured to obtain public IP from the ISP
2. Default interface vlan 1 is configured with an IP address
3. I went into vlan database, tried to configure multi vlans and the router prompted me that it can only have max 2 vlans. Hence what's the use of up to 16 different SSID using wireless?
4. I've setup DHCP scope on the router to give out IP address to clients (both wireless and wired)
5. I'm able to configure WPA-PSK on the router and was able to connect wirelessly to the router but I won't be able to obtain an IP address from the router
6. There are two scenarios that I'd like to do:
A. Setup wireless to connect to the same subnet as what's on vlan1
B. Setup wireless to connect to a different subnet to vlan1
For the life of me, I could not find docs on Cisco web site that shows me how to exactly this. I found some documents that use interface F0 as a trunk port and treat the interface Dot11Radio0 with sub-interfaces. I don't connect this router to a switch (standalone router) so how can I do this? Please point me to some docs.
Thanks in advance for your help.
My configuration works for wireless with no authentication, but fails for WPA-PSK:
ip dhcp excluded-address 172.16.250.1
ip dhcp pool TEST
import all
network 172.16.250.0 255.255.255.0
default-router 172.16.250.1
bridge irb
interface FastEthernet4
description $ES_WAN$
ip address dhcp client-id FastEthernet4
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
interface Dot11Radio0
no ip address
ssid 111
vlan 1
authentication open
authentication key-management wpa
wpa-psk ascii 0 Cisco1234
speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Vlan1
no ip address
bridge-group 1
bridge-group 1 spanning-disabled
interface BVI1
ip address 172.16.250.1 255.255.255.0
ip nat inside
ip virtual-reassembly
After I configured the same wpa-psk key on the XP computer using windows zero configuration and tried to connect to the wireless work, I got the following errors on the router:
*Mar 1 03:00:51.623: *** Not encrypted dot1x packet from 000c.f123.25cf has been discarded
*Mar 1 03:00:52.623: %DOT11-7-AUTH_FAILED: Station 000c.f123.25cf Authentication failed
What could be wrong? Thanks!
Cisco 3845 Router, SSH, Secure HTTP & CS-MARS
Hello,
I have a 3845 router (Version 12.3(11r)T2, RELEASE SOFTWARE (fc1)) on which I have configured SSH access through vty. The problem is that SSH access fails when I try to connect to it using PuTTY. It also fails to connect using ip http secure-server both from a browser and through CS-MARS (IOS IPS). All user names exist and are working fine with telnet.
Does IOS 12.3 have issues with SSH and secure HTTP?
I get this error in MARS:
"Error in INIT GET. Check the username/password"
Hi -
I searched all open/closed TAC cases for you with that error message - I found 1 similar case.
Here's the results of their case:
"we managed to fix the issue it was ip http authentication enable command (change to accept local usernames/passwords)."
Can you review this and see if you need to tell SSH and HTTPs to use the local database?
Please let us know.
thxs
peter
Cisco 3725 Router for Internet Connectivity
Hi,
We have an existing Internet connection using our Cisco 3725 router (ISP A). The router does the NAT and here's the existing default route:
S* 0.0.0.0/0 [1/0] via 1.2.3.153
This router has a "16 Port 10BaseT/100BaseTX EtherSwitch".
Now we have a new Internet connection (ISP B). What I did was to configure two ports on the Etherswitch and added route maps:
interface FastEthernet1/0
description "ISP B to provider"
no switchport
ip address 4.5.6.66 255.255.255.252
interface FastEthernet1/1
description "ISP B to my network"
no switchport
ip address 4.5.7.225 255.255.255.248
ip policy route-map ISPBInternetTraffic
access-list 101 permit ip 4.5.7.224 0.0.0.7 any
route-map ISPBInternetTraffic permit 101
match ip address 101
set interface FastEthernet1/0
set ip default next-hop 4.5.6.65
What I want to happen is that when the router sees the traffic coming from the public IPs of ISP B (4.5.7.224 /29) it will direct that to go out ISP B on F1/0.
1. Is my configuration correct?
2. Any suggestions, recommendations?
3. Can I do load balancing or load sharing between the two ISPs?
Best,
Tony
Hi Tony,
Your question has already been answered here: http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=WAN%2C%20Routing%20and%20Switching&topicID=.ee71a06&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cd276a5
Hi,
My setup
router > ASA5515(ver8.6) > 4 SGE2010p switches
I want to put the guest WiFi users on a separate network. I have layer 2 switches and want to configure the ASA5515 as a 'router on a stick' setup for the guest vlan to have access to the DHCP server on the native vlan.
I have
1. created a sub-interface for the inside interface and enabled intra-interface traffic.
2. A static route on the ASA pointing the guest network to the switch.
What else do I need to configure on the ASA for inter-vlan routing?
ASA related config:
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.15.xx.1 255.255.252.0 standby 10.15.xx.2
interface GigabitEthernet0/1.2
vlan 100
no nameif
no security-level
ip address 10.100.xx.1 255.255.255.0
C 10.15.xx.0 255.255.252.0 is directly connected, inside
S 10.100.xx.0 255.255.255.0 [1/0] via 10.100.xx.2, inside
Thanks for the quick response Reza.
Actually that command is already there. Didn't include it in my post.
So I am guessing my ASA config is correct.
I am having trouble setting up the trunk ports on the layer 2 SGE2010P switch.
I am used to command-line layer 3 switches (the CLI is easy) but not familiar with these switches' GUI. I am going through the config guide right now.
Could you help me with that too?
Not to bother you with a completely different issue though.
Thanks again!
Which is better for Branch Office Cisco ASA or Cisco 1900 router for Branch Office?
Which is a better solution ?
Using ASA55XX or 1900 series router for WAN and Internet access for 25 - 100 users?
Without knowing more about the environment and what the real requirements are, it is difficult to give a really good answer. If your main concern is effective stateful inspection of traffic entering and leaving the site then the ASA is optimized for that. If you want redundancy (active/active or active/standby) then the ASA is better for this. There are other potential requirements which may make the router the better choice:
- what is the connection to the Internet? If it is Ethernet then either ASA or router will do fine. But if it is something other than Ethernet then you may need the router.
- is there a need for services such as Policy Based Routing? These are available on the router and not on the ASA.
- is there a need for load balancing on outbound traffic? This is available on the router and not on the ASA.
- will there be a need to do routing on the inside network? The range of available options is wider on the router than on the ASA.
- is there a need to run a routing protocol with the Internet provider? The usual choice for this is BGP and that is available on router and not on ASA.
So consider these criteria as you make your choice. Or provide more detail about your environment and what your real requirements are and we may be able to give better advice.
HTH
Rick
Jetpack 5510L needed for Polycom video conference - is this possible - has progress been made?
We've had a successful connection when a static IP was available and we can at least connect to a bridge and see the template and the image of our own classroom in the top right corner, but we can not see or hear the far end and the far end cannot see or hear us.
How should we approach this when the bridge is our only IP option to connect to? What is required to make this connection complete on both ends?
I would actually contact PolyCom since they are the video conference vendor that own the software you are attempting to use. PolyCom most likely has experience dealing with VZW network connections and should be able to help you identify why their application is not working.
If you truly have a static and public IP address assigned to your Jetpack then the port forwarding options will be available to you. You may have to customize the ports to get all of the video conferencing communication lines opened.
If you can find a specific limitation from PolyCom then come back to us and let us know what it is. We may be able to provide you with steps or suggestions on how to customize your Jetpack to work around them. For now, the problem could be anything so VZW and the community really can't help you.
Cisco cme paging security 3845 router password for paging access voip
Hi,
We have a Cisco 3845 router running CME. Ephones and ephone-dns are configured, and one ephone-dn is configured for paging. The system and paging work fine. We want to require a password from those who make announcements. There are currently more than 30 extensions but we only want to give paging access to three users. How can we do this?
Thank you
Sure. Using the same (or similar) example:
Extensions: 2XXX
Primary Phone: 2025552000
We can address the need with the following:
voice translation-rule 10
rule 1 /^2...$/ /2025552000/
voice translation-profile cme-to-itsp
translate calling 10
dial-p v 100 voip
description Example Egress Dial Peer to ITSP
destination-patt
translation-profile out cme-to-itsp
HTH.
-Bill (http://ucguerrila.com)
SIP over UDP routing in Cisco 3845
dear friends,
How can we configure the SIP over UDP protocol by Cisco 3845 router?
For more details please find the attachment.
Yes I tried, but that is not helpful for me.
How can I contact those people (engage a reputable consultant, or Cisco partner)?
Also I tried these commands, shown below.
voice class codec 1
codec preference 1 g711alaw
dial-peer voice 3250 voip
destination-pattern 3250
session protocol sipv2
session target ipv4:10.156.67.6
session transport udp
codec g711ulaw
sip-ua
retry invite 2
retry response 2
retry bye 2
retry cancel 2
no inband-alerting
sip-server ipv4:10.156.67.6
ip classless
ip route 0.0.0.0 0.0.0.0 10.157.67.1
ip route 10.157.67.0 255.255.255.0 10.167.67.225
access-list 101 permit ip host 10.156.67.1 host 10.156.67.100
access-list 101 deny udp any eq rip any
access-list 101 deny udp any any eq rip
access-list 101 deny udp any eq isakmp any
access-list 101 deny udp any any eq isakmp
access-list 101 permit ip any any
snmp-server engineID local 000000090200003094202740
snmp-server community public RW
Still trying to configure a Cisco 877W router
Hi,
I am still unable to configure my Cisco 877W router for use on a B.T. ADSL phone line.
I can log in to the router which starts up the SDM Express. I then select the wizard and get as far as filling in the DHCP server configuration.
When I then press next it does not go to the next step, it just stays on the DHCP config screen. I am now using a Windows XP machine to configure the router as someone suggested, but it continues to halt at the same place.
Can anyone help please,
Thanks.
Dave.
Hi. You may check out the topics in this link instead.
Does Cisco 3845 with NM-16A/S support OIR feature or Hot swap for this NM.
Dear Sir
My customer would like to implement a Cisco 3845 with 4 x NM-16A/S. I found that the Cisco 3845 supports the OIR function, but I am not sure which NM models it supports OIR with. Can anyone tell me whether the NM-16A/S supports OIR on the Cisco 3845 or not?
Thank you very much
Wisit
Hi,
From what I have read in the following document:
http://www.cisco.com/en/US/products/ps5855/products_installation_guide_chapter09186a00802ccf1d.html
Network Modules
Network modules install directly into slots in the rear of the router. The Cisco 3845 router supports online insertion and removal (OIR, or hot swap) of network modules. The Cisco 3825 router does not support OIR.
Caution The Cisco 3845 router supports OIR with similar modules only. If you remove a network module, along with any installed WAN or voice interface cards, install another module and card combination exactly like it.
Interface Cards
Cisco 3800 series routers do not support OIR (hot swap) of interface cards inserted directly into router slots. You must turn off the router before installing or removing an interface card.
The Cisco 3825 router and the Cisco 3845 router each provide four interface card slots, labeled on the rear panel by HWIC and a number. Each slot can be occupied by one single-wide WIC, VIC, VWIC, or HWIC.
Hope this helps
Sarb
Setting up SSH on a 3845 router?
Greetings everyone!
Just curious, how does one set up SSH on a cisco 3845 router? Specifically, how does one generate the RSA keys?
It seems to be missing the "generate" subcommand for crypto. When I type crypto key the only sub-commands are lock and unlock. I'm unfamiliar with this and don't want to mess around too much since it's a production box.
I'm running c3845-spservicesk9-mz.124-11.T2.bin so I should have the ability, yes? Any guidance would be appreciated. I really would prefer not to use telnet.
You have a k9 image, so it should support crypto commands. Are you sure you were in configuration mode?
Try again. Here is a link for setting up SSH in IOS:
http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml
One way to do it is to open two telnet sessions to the router: in one session, enter enable mode and leave the session open. In the other telnet session, work on the SSH configuration. When finished, do not save the config; exit the session and open a new session using SSH to ensure you can connect and log in to the router via SSH. If it fails for any reason, you still have the other telnet session open to undo or correct the SSH changes.
Also, to make sure your telnet sessions do not time out while you work on the config, permit yourself more time by entering exec-timeout 60 (one hour) for your vty lines:
line vty 0 4
 exec-timeout 60
You can also do the complete SSH implementation via the console port as well.
Regards
PLS rate any helpful posts if it helps
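As an added example (not from the poster above), the minimum IOS configuration that the two-session procedure would be typing in: the key pair is generated in global configuration mode, which is where the "generate" keyword appears on a k9 image, and telnet is left enabled on the vty lines until the SSH login test succeeds. The hostname R3845, the domain example.local and the admin account are assumed placeholders.

```cisco
! RSA key generation requires a hostname and a domain name (assumed values)
hostname R3845
ip domain-name example.local
!
! Local account used for the SSH login test (replace the secret)
username admin privilege 15 secret CHANGE-ME
!
! Global configuration mode: 'crypto key generate rsa' is only offered here;
! in exec mode 'crypto key' shows just lock/unlock, as the question observed
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Keep telnet alongside ssh until the new SSH session works, so the fallback
! telnet session from the procedure above still has a way back in
line vty 0 4
 login local
 exec-timeout 60 0
 transport input telnet ssh
```

Verify with "show ip ssh" (SSH enabled, version 2) and "show crypto key mypubkey rsa", then open the SSH session; once it works, change the vty lines to "transport input ssh" so telnet is no longer accepted.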
Greetings. First, let me start by saying I am an idiot, I know I am an idiot, and I apologize for wasting everyone's time. I have actually RTFM, many RTFMs, in fact, and I still have not found a resolution.
Second, I am trying to set up a RADIUS server in my test network. I have installed ClearBox RADIUS on a Windows 2000 system. I have the following configuration on my Cisco 2611 router:
Using 2297 out of 29688 bytes
! Last configuration change at 17:20:27 PDT Tue May 20 2008
! NVRAM config last updated at 17:20:29 PDT Tue May 20 2008
version 12.1
no service single-slot-reload-enable
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
hostname Tester
logging buffered 10000 debugging
aaa new-model
aaa group server radius RadiusServers
server 172.26.0.2 auth-port 1812 acct-port 1813
aaa authentication login default group RadiusServers local
aaa authentication login localauth local
aaa authentication ppp default if-needed group radius local
aaa authorization exec default group radius local
aaa authorization network default group radius local
aaa accounting delay-start
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa processes 6
enable secret xxx
username test password xxx
clock timezone PST -8
clock summer-time PDT recurring
ip subnet-zero
no ip domain-lookup
no ip bootp server
interface Loopback0
ip address 192.168.0.1 255.255.255.0
interface Ethernet0/0
description To Main Network
ip address X.X.X.X 255.255.255.128
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
full-duplex
no cdp enable
interface Ethernet0/1
description To Internal Network
ip address 172.26.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
load-interval 30
full-duplex
no cdp enable
ip nat pool test X.X.X.X X.X.X.X netmask 255.255.255.128
ip nat inside source list 3 pool test overload
ip nat inside destination list 3 pool test
ip classless
ip route 0.0.0.0 0.0.0.0 X.X.X.X
no ip http server
ip radius source-interface Ethernet0/1
access-list 3 permit 172.26.0.0 0.0.0.255
no cdp run
snmp-server community public RO 15
radius-server host 172.26.0.2 auth-port 1812 acct-port 1813 key secret
radius-server retransmit 3
radius-server key secret
line con 0
password xxx
logging synchronous
line aux 0
line vty 0 4
access-class 10 in
password 7 1234567890
logging synchronous
ntp clock-period 17208108
ntp server 192.43.244.18
end
My RADIUS server is up and responding to requests, but my router does not appear to be forwarding authentication requests to it. In fact, when I log into the router using HyperTerm, it times out, and I end up authenticating locally.
I really don't care whether my Cisco equipment authenticates against the RADIUS server, but I do need to get it set up to authenticate my users so I can track their time online. What have I missed in my router configuration? Why isn't it forwarding user authentication requests to the RADIUS server.
Thank you for any assistance you may be able to provide.
I have found that if I am in the middle of composing a response, and I open the thread in another browser window (to refer to it), when I go to submit my response, it doesn't get posted. Perhaps you are running into the same thing.
The command I shared:
aaa authentication enable default group radius local
... was erroneous. The keyword should have been "enable", as you have discovered.
Therefore use:
aaa authentication enable default group radius enable
When I view a Wireshark trace I see the following:
AVP: l=18 t=User-Password(2): Decrypted: "user-PWD\000\000\000\000\000\000\000\000"
Like you, I see the user password appended with the group of \000 groupings.
Note the word "Decrypted" which confirms that the password entered in Wireshark is a match with that entered on the AAA client (for what that's worth).
I'm not sure if I suggested that this would confirm that the server and client were using the same shared secret. If I did, I misspoke. I think we would have to gauge the server's response to the attributes we see passed by the client.
The Wireshark decryption is much more dramatic with TACACS+ because the whole payload is encrypted.
My issue with your PPPoE is that I saw no "interface" on the router that is configured to perform such authentication. I do seem to recall a global authentication command with the PPP keyword perhaps. I have not attempted to do this, and am not sure whether the interfaces in your router will support this method. Perhaps someone else will weigh in with an opinion.
However, there are other mainstream authentication methods that I think you should investigate as well.
You could implement 802.1x on a switch so that a host has to authenticate before it can gain Layer 3 access to the LAN. Depending on the platform, you can download VLAN assignments and ACLs.
I believe the router also supports 802.1x, but that may determine whether a host can get "through" the router. I have not had cause to investigate 802.1x on the router. I may do so in the future to authorize access to IPsec tunnels.
The router is also likely to support Authentication Proxy. This feature intercepts a user's attempt to browse resources on the other side of the router. User specific ACLs can be downloaded to the router (from RADIUS) to control what resources a user can access.
I think you should:
1. Resolve the issue(s) with AAA logins on the router. It'll establish a baseline of functionality, and give you some short term joy.
2. Investigate whether PPPoE support exists on your router's interfaces.
3. Read up on 802.1x and Authentication Proxy (docs on Cisco web site).
4. Decide which method appeals to you.
5. Dive in.
I'd lose the self-deprecation. I don't think it will serve you well. If you're treated badly, move to a newsgroup where the participants display a higher level of emotional maturity. I don't think you will have an issue on the Cisco forums. Others would probably step in.
I'm going to be absent for several days, so if you don't receive any response, it will be for said reason.
Good luck.
3845 router failing to look up routes from routing table correctly!
Hi all,
Got a really strange issue which I am wondering if someone can point me in the right direction for. Facts of the issue:
- Some customers, all with a specific ISP, cannot access a hosted service we host internally
- External user can reach service but never gets a response - hence focussing on reachability of their public IP
- Cisco 3845 router used, peers with service provider over BGP - receives full internet routing tables
- All affected customers receive dynamic IP addresses within the same /10 public IP range
I received an example IP address and when doing "show ip route x.x.x.x" for this IP, the router responds "Subnet not in table". When trying to traceroute to the IP, the router doesn't even go to the next hop. However, the subnet is definitely in the routing table with the correct next hop (and, for complete information, is also within the BGP updates). Before anyone asks the question :) - yes I have definitely verified that the hosts are within this subnet.
If I put a static /32 route in for this specific IP address, everything works fine - then fails again once it's taken out.
I literally cannot understand why the router is not correctly performing the lookup for the hosts within this subnet. I can understand a lot of potential reasons why the BGP received route wouldn't be placed in the routing table, but that is not the case here.
Some other factors (if applicable):
- Nothing showing in the logs
- Plenty of memory available (despite the high number of routes)
- Plenty of CPU resource available
- No default route is run
I am going to restart the router and really expect this to resolve the issue (would log a TAC but this one is a bit time precious) - but it is frankly doing my head in and I assume I am missing something!
Any help or guidance would be appreciated!