IP local policy - DMVPN head-end router

hey guys,
     On my DMVPN head-end router (3845, running 151-4.M2), I'm learning a default route from the internal core that I want the remote spoke to learn via EIGRP (internet access is via tunnel and through the head-end firewalls). And to avoid having a static route configured for the remote public IP pointing to the internet router, I've tried using a local policy to set the next hop for all VPN traffic from the router to be the internet router. However, when I remove the static to the remote, I lose the remote peer and it seems the local policy is not engaged. Any help would be appreciated.
interface Loopback0
 ip address 10.103.255.1 255.255.255.255
!
interface Tunnel10
 bandwidth 10000
 ip address 10.103.254.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 1
 ip nhrp authentication xxx
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip nhrp holdtime 600
 ip nhrp redirect
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 1
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 1234
 tunnel protection ipsec profile DMVPN-PROFILE
!
interface GigabitEthernet0/0
 description Routed link to Core
 ip address 10.100.160.105 255.255.255.252
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 description Link to External segment
 ip address 1.1.1.4 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
router eigrp 1
 network 10.100.160.104 0.0.0.3
 network 10.103.254.0 0.0.0.255
 network 10.103.255.1 0.0.0.0
 passive-interface default
 no passive-interface Tunnel10
 no passive-interface GigabitEthernet0/0
 eigrp router-id 10.103.255.1
!
ip access-list extended vpn-traffic
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
!
route-map vpn-default permit 10
 description Default route to Internet for encrypted traffic
 match ip address vpn-traffic
 set ip next-hop 1.1.1.2
!
ip local policy route-map vpn-default

Dave,
I think we should do the reasonable thing here and separate termination and tunneled traffic into VRFs (VRF-lite).
You can put gig0/1 into one VRF and leave everything else in global (remember to add "tunnel vrf ..." on the tunnel interface).
Result - separation of overlay and transport - you can have two default routes, one for connectivity to spokes, one for traffic to be passed over tunnel.
Marcin
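The VRF-lite split Marcin describes, written out as an added example (it is not from the thread or from Dave's running config): the public interface and the tunnel transport move into a front-door VRF with the internet router as that VRF's default, while the tunnel's inside addressing, EIGRP and the core-learned default stay in the global table, so the two defaults no longer compete and neither the per-spoke static nor the local policy is needed. The VRF name INET, the RD 65000:1, the keyring name and the PSK placeholder are assumptions, and the keyring assumes the existing profile uses pre-shared keys.

```cisco
! Front-door (transport) VRF. The RD is an arbitrary constructed value;
! it only needs to exist for the VRF to become operational.
ip vrf INET
 description DMVPN transport (public side only)
 rd 65000:1
!
! Public interface moves into the transport VRF.
! "ip vrf forwarding" clears the address, so it is re-entered.
interface GigabitEthernet0/1
 description Link to External segment
 ip vrf forwarding INET
 ip address 1.1.1.4 255.255.255.0
!
! Transport default: ESP/IKE/GRE to any spoke public IP leaves via the
! internet router. The global table keeps only the EIGRP default from the core.
ip route vrf INET 0.0.0.0 0.0.0.0 1.1.1.2
!
! Pre-shared keys must sit in a keyring bound to the transport VRF; a global
! "crypto isakmp key" is not consulted for IKE packets arriving in VRF INET.
crypto keyring DMVPN-KEYS vrf INET
 pre-shared-key address 0.0.0.0 0.0.0.0 key <PSK-PLACEHOLDER>
!
! Tunnel: overlay (10.103.254.0/24, EIGRP) stays global; the tunnel source
! and the NBMA (spoke public) addresses are looked up in VRF INET.
interface Tunnel10
 tunnel source GigabitEthernet0/1
 tunnel vrf INET
 tunnel mode gre multipoint
 tunnel key 1234
 tunnel protection ipsec profile DMVPN-PROFILE
!
! The local policy workaround is no longer needed.
no ip local policy route-map vpn-default
!
! Checks: the spoke NBMA address should resolve via the VRF INET default,
! the IKE SA should come up, and the global default should be the EIGRP one.
! show ip route vrf INET
! show crypto isakmp sa
! show dmvpn
! show ip route 0.0.0.0
```

The spokes need no change: they still see the head-end at 1.1.1.4 and still learn the default over the tunnel via EIGRP.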

Similar Messages

  • Rsrb with multiple ring groups on head ends with one phy ring?

    working on an issue for a customer and I can't find good documentation on this anywhere for multiple ring-groups
    have 2 routers, each with 2 ring groups connected on a mau terminating multiple serial connections (wan, hence the rsrb) and utilizing rsrb tcp with local ack. The configuration was done sometime ago. It was set up to utilize frame which now they are using ptp t1s. I see in the remote routers they are forwarding packets to both routers to ring 20. (there are 2 routers if one fails then it is meant to learn its path to the CIP through the other router)
    ---------router1
    source-bridge ring-group 30
    source-bridge ring-group 31
    blahblah peers tcp local-ack
    int t0
    source-bridge 20 1 30 <----notice bridge 1
    source-bridge spanning
    int t1
    source-bridge 20 1 31 <----notice bridge 1
    source-bridge spanning
    --------router2
    source-bridge ring-group 30
    source-bridge ring-group 31
    blahblah peers tcp local-ack
    int t0
    source-bridge 20 2 30 <----notice bridge 2
    source-bridge spanning
    int t1
    source-bridge 20 2 31 <----notice bridge 2
    source-bridge spanning
    I thought the physical rings had to be different in order to run parallel links. Or are different bridge #'s feasible? The end issue they are having is that when links bounce, they are not releasing the tcp session and the show llc shows remote sides as busy and the head end as connected. (then obviously removal of local ack fixed the issue)
    Not ready to live without local ack... could the same ring # on both routers be the issue since they are on the same mau and destined for the same location?
    ==MAU to CIP==
    | | | | all physical connection on mau are ring 20
    router1 router2
    | | | | | ring groups 30 and 31 configured on both routers with 1 statement to each router in the network per router (so each remote side is only connected to either ring group 30 or 31 (not both since you can only do over token ring) and the show source-bridge is showing forwards to each head end router's physical ring 20. I thought I would see one with forwards the other 0 since first response, but then saw the bridge # differed.)

    case was opened over a month ago with no luck or serious help. Have had great luck in the past with tac, but this one was frustrating and nothing was done.
    case#D039413
    And the remote routers connect directly to the cip with LLC2. (end to end connection, not remote to router 1 and 2 to CIP)
    show llc shows the local mac of the gateway and the cip token.
    the network goes like this
    rr = remote router
    fr= frame relay
    ptp= ptp t1
    rtr1 and rtr2 = router 1 and 2
    rr--fr--rr--ptp--rtr1 and rtr2 ---rr---cip
    I have tried numerous things on this and it's apparent that the only option is dlsw and I have pressed the issue enough to start on it with test segments.
    my theory was when the host queried the gateway, its first reply was local-ack on rtr2 (could be rtr1 but for theory we will say rtr2) which was giving back RR and the other end was actually in a disconnect state and sending rnr's to the rtr1 (in this example the host was talking thru rtr2 to the remote side and the remote side was trying the opposite router) which local ack would reply to the supervisor frames
    what was causing the problems in my opinion is the host provider does not utilize local ack since they only have lanned token rings and the customer provides their own wan routers. So the explorer would be answered quicker by the other router and that would be the source route bridged path to the remote side, where the other side's local ack and rif cache was routing through the opposite router. Unfortunately the site where we collected the data on I can not test since I have transitioned it to dlsw to solve their issues and show them the benefits of dlsw

  • Head End Build between MPLS and standard IP network

    Hi,
    I'm a bit new to MPLS so please excuse my ignorance if I'm completely wrong here, but here goes.
    We provide standard IP services to our customers. We have recently gone into an agreement with an MPLS wholesale provider, where they supply our customers with MPLS connections. We then supply IP services to these customers such as SMTP POP and Web browsing etc.
    We have a pipe into the MPLS providers MPLS cloud that provides such connectivity. This circuit is terminated on a 7206VXR on our network.
    Each customer has their own DLCI on this circuit with a /30 subnet. There is then a BGP session for each customer using the /30 from our Head End Router to the MPLS Provider's P router.
    The MPLS provider announces the customers subnets that are connected to the MPLS cloud to our Head End Router using BGP.
    My issue is that I want routes announced from each BGP session to be injected into their own, per customer VRF table so that the routes are kept separate from other customers' routes.
    I've setup a lab to simulate the above, but cannot seem to get it to work.
    I suppose my question is does the MPLS provider's P router that our Head End connects to have to announce the BGP routes to us using VRF also or can it just use standard BGP and I can use a route map to place routes announced from a specific BGP peer IP into a per Customer VRF table?
    Is this actually possible?
    Any advice would be greatly appreciated

    Hello,
    you probably would need a config like this on the Head end router:
    ip vrf Cust1
     rd 65000:1
    !
    interface Vlan10
     description Customer1
     ip vrf forwarding Cust1
     ip address 10.1.1.1 255.255.255.252
    !
    router bgp 65000
     address-family ipv4 vrf Cust1
      neighbor 10.1.1.2 remote-as 60000
      neighbor 10.1.1.2 description ISP PE for Customer1
    Adjust the interface names, IP addresses, RD, RT, etc. for your environment.
    This would insert the routes learned from the MPLS provider into your VRFs. The scenario, by the way, is described in RFC2547bis section 10a.
    You could of course also place filters and other stuff into BGP for security reasons depending on your requirements.
    Hope this helps! Please rate all posts.
    Regards, Martin

  • Local policy route-map for policy route

    Hi 
    this is related to my previous question:
    I want to set a policy route on asr1004 that redirects vpn traffic.
    my case is:
      asr1004 imports a default route 0.0.0.0 from int 0 with bgp neighbour address 10.100.100.100
    assume internal traffic 10.10.10.0/24 coming into asr1004 on int 1.
    assume vpn with ip address 10.2.2.2 is directly linked to asr1004 int 2, and int 2 ip address is 10.2.2.1
    assume target network is 10.200.200.0/24
    I want internal traffic (10.10.10.0/24) going to target (10.200.200.0/24) to be redirected to 10.2.2.2 (vpn) first, so I add "ip route 10.200.200.0/24 10.2.2.2" on asr1004.
    Then, I want vpn (10.2.2.2) to encrypt the traffic and send it to one of the ips in the 10.200.200.0/24 range again. At this point, if I put the local policy route-map below, will it work?
    ip local policy route-map vpn-out
    access-list 100 permit ip 10.2.2.2 any
    route-map vpn-out permit 10
      match ip address 100
      set ip next-hop 10.100.100.100
    if not, do I have any chance to do policy route for this case?
    any comment will be appreciated
    Thanks in advance
    Julxu

    hi Jon
    can I refresh the question again:
    my case is:
      asr1004 imports a default route 0.0.0.0 from int 0 with bgp neighbour address 10.100.100.100
    assume internal traffic 10.10.0.0/16 coming into asr1004 on int 1 with ip address 10.3.3.3
    assume vpn with ip address 10.10.2.2 is directly linked to asr1004 int 2, and int 2 ip address is 10.10.2.1
    assume target network is 10.200.200.0/24
    I want internal traffic (10.10.0.0/16) going to target (10.200.200.0/24) to be redirected to 10.10.2.2 (vpn) first, so I add "ip route 10.200.200.0/24 10.10.2.2" on asr1004.
    Then, I want vpn (10.10.2.2) to encrypt the traffic and send it to one of the ips in the 10.200.200.0/24 range again. At this point, if I put the local policy route-map below, will it work?
    ip local policy route-map vpn-out
    access-list 100 permit ip 10.10.2.2 any
    route-map vpn-out permit 10
      match ip address 100
      set ip next-hop 10.100.100.100
    such as:
    interface TenGigabitEthernet0/0/0
     description bgp to get default
     ip address 10.100.100.100 255.255.255.252
     no ip redirects
     no ip unreachables
     no ip proxy-arp
    interface TenGigabitEthernet0/1/0
     description get internaltraffic
     ip address 10.3.3.3 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
    interface GigabitEthernet0/2/1
     description vpn
     ip address 10.10.2.1 255.255.255.248
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     media-type rj45
     negotiation auto
    ip local policy route-map vpn-out
    access-list 100 permit ip 10.10.2.2 any
    route-map vpn-out permit 10
      match ip address 100
      set ip next-hop 10.100.100.100
    ip route 10.200.200.0/24 10.10.2.2
    Could you please advise if it is correct?

  • Local policy-map in IOS-XR

    We are migrating an IOS based PE to ASR9K with XR4.2. Customer has a local policy-map to match SNMP, telnet packets generating from router and set Precedence value 3.
    ip access-list extended MGMT
    permit tcp any any eq telnet
    permit udp any any eq snmp
    route-map MARK permit 10
    match ip address MGMT
    set ip precedence flash
    ip local policy route-map MARK
    With ABF we can only set next-hop. Any other way we can do this in XR?
    Thanks,

    Thanks Maxime, but actually I have a few more traffic types in the same class like syslog, ntp, tacacs. Not all are supported with this direct marking..
    ipv4 access-list MGMT
    10 permit tcp any any eq telnet
    20 permit udp any any eq snmp
    30 permit udp any any eq snmptrap
    40 permit udp any any eq ntp
    50 permit udp any any eq syslog
    60 permit tcp any any eq ssh
    70 permit tcp any any eq tacacs

  • Metro Ethernet Design With Redundant Head Ends

    We're getting ready to turn up some metro ethernet circuits that were just installed by AT&T. AT&T has provided a VLAN for each remote site (so each site has its own VLAN), and those VLANs are trunked to our head end switches (Cisco 3750 Metro Switches).
    I'm struggling with the best design for IP routing. We currently use OSPF on our internal network, and I was going to extend OSPF to our metro solution as well, but I'm not so sure now.
    I don't want routing to occur directly between head end #1 and head end #2, we already have redundant paths within our corporate network, and allowing our two head ends to route between each other via our metro ethernet solution is not what we want. However, running OSPF on each of the VLANs which have been provisioned for us would permit routing between the head ends.
    We simply need to allow redundancy for our remote locations in the event that one head end were to fail, all of the traffic to/from the remote site would be routed through the head end which is still online.
    Any suggestions on the best routing design for this situation would be greatly appreciated. I've attached a network diagram to make things clear. I believe I can also go back to AT&T and request one VLAN that includes all sites if that would simplify things. I just need to make sure I can still do our traffic shaping because the remote sites are only 10 Mbps and the head ends are 1 Gbps.
    Thanks,
    -Steve

    just at a glance it looks as if you should be able to have stp on and setup 1 site as primary and other as secondary

  • My SCCM 2012 server is listed in the Windows updates local policy

    On my end user computers Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Updates > Specify intranet Microsoft update service location
    Does it specify your Primary Site server? YES
    Endpoint Protection leverages the software update component of ConfigMgr for delivery of definitions. This local Windows Updates policy was created when you configured this component. 
    1. How do I disable this local Windows Updates policy in SCCM ?  Thanks

    The client will set these local policy settings if your Client Settings are set to manage software updates and you don't have a group policy in place.
    If you do NOT want ConfigMgr to control updates, then you can go to Client Settings > Software Updates and change "Enable software updates on clients" to No.
    Nash Pherson, Senior Systems Consultant

  • Opinions about MHP solutions (head-ends, middlewares) ...

    I am not satisfied with MHP solutions I use at the moment.
    Thus, I would like to know other opinions about MHP systems they use (bad or good).
    Maybe somebody can reasonably suggest some STBs with MHP middlewares and reliable and stable working head-end systems. I am not able to try out a number of MHP systems available on the market due to financial reasons.

    Thanks, I think that might be the key here for me....
    When I created the .swf in Flash CS4 I imported the .flv files as "load with external playback component", which seems to reference the original .flv files. Moving them or renaming them locally on my computer would render the .swf non-functional for movie playback locally...so YES I certainly do need .flv files for my .swf to reference as the movies are not re-encoded into the published .swf. I do see an option to do this however so it is food for thought on if this embedded method may be better in my situation.
    The thing remaining for me to fix now seems to be how to properly reference the .flv files on the remote server when they and the properly configured .swf file are all uploaded. I see how I can change the .flv source in the properties window within Flash but I will have to do a bit of testing to make sure that it follows a logical and working path when uploaded to my server.
    Hope that all makes sense...if anyone has any input on how best to finish this up or suggest on if I am on the right path I'd love to hear from them!
    Thanks for the help, btw.
    James

  • Remote user received a "deny log on locally" policy - and is now locked out

    Hello,
    A traveling user who received a "deny log on locally" policy remotely.
    He was accidentally added to a wrong group and is now locked out. 
    What are the steps to clear this policy?  We have a backup local admin account I can remote into.
    I appreciate any suggestions or comments. 

    > What are the steps to clear this policy?  We have a backup local admin
    > account I can remote into.
    Resolve the wrong setting, remote into the machine and issue "gpupdate /target:computer". Reboot and go ahead :)
    Martin
    Want to read a GOOD book about GPOs?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

  • Local policy for 8.1 Tablet lock screen behaviour

    We've just loaded our corporate SOE onto a couple of different Windows tablets. An Acer and a Surface Pro 3. Now by default it seems to activate a default lock screen behaviour of having to hold the windows button and press the power button to unlock the
    device. We didn't set this, it seems to kick in automatically. Now the problem is that this works on the Acer and not the SP3. I'd like the lock screen behaviour to revert back to the default, which is to swipe up to unveil the login box. However, I can't
    seem to find the local policy or registry setting to do this. Any ideas?

    This is not an MDT issue. There is something in Group Policy or somewhere else (VPN software) that is forcing Windows to act this way.
    Keith Garner - Principal Consultant [owner] -
    http://DeploymentLive.com

  • Dehydration Store and Header Based Routing

    Hi
    Can anyone please tell me the brief meaning of BPEL Dehydration Store and ESB Header Based Routing in simple language with example?
    Thanks
    Deepak

    Hi,
    Would suggest you to read the link http://www.oracle.com/technology/pub/articles/bpel_cookbook/blanvalet.html.
    Hope the statements below from the above link will make the Dehydration Store clear to you:
    "all successfully executed process instances are stored in the Dehydration Store. Currently a BPEL instance is saved in two tables after the instance is completed: cube_instance and cube_scope. The former stores the instance header information: domain, creation date, state (completed, running, stale, cancelled), priority, title, and so on. The latter stores the state of the instance, (variable values and so on). By default, both tables are used to store a completed instance."
    Regards

  • Unable to login Windows Server 2012 after making local policy changes

    Experts, we have modified the local policy setting on the Windows Server 2012 and unfortunately it was a domain controller; now none of the users are able to log in to the server. After entering the user name and password it launches up to the welcome screen, then it errors out saying user name or password incorrect. Below are the steps which we followed:
    1. Policy setting is located in Computer Configuration\Security Settings\Local Policies\Security Options\Network security: Configure encryption types allowed for Kerberos; value changed from Not Configured to DES_CBC_MD5
    2. Changed user attribute msDS-SupportedEncryptionTypes to 2; this account was used for Kerberos authentication.
    3. Logged off from the server and then the server doesn't allow any user to log in.
    regards,
    Jakk 

    Have you tried connecting to the server from a 2nd DC? Have you tried installing the RSAT tools on a domain member server and modifying the offending policy?
    The last choice would be to restart the DC into safe mode.

  • Local Policy / Group Policy

    With 300 machines you are going to have to use GPO and not local policies. The scope is just way too large for going to each machine and doing the config.
    As for where and when to use Computer vs User GPOs, that's totally up to you. You should read the below:
    Computer Configuration in Group Policy
    User Configuration in Group Policy
    What policies to apply will be in the scope of the desktop hardening so you will have to do your searches on that. Typically hardening would include security settings of some sort which will include password complexity, length and expiration right down to stopping the installation of executables on a machine. These policies will be different in each environment so you will have to do some homework about what GPOs need to be applied.

    Hi Spiceheads,
    I have a question regarding local policy and group policy.
    I received a workstation hardening procedure but I need to apply these settings to 300 computers; can I use group policy instead of local policy? If yes, how, and what option do I need to select, Computer Configuration or User Configuration?
    All 300 computers are connected to the same Domain.
    Thank you.
    This topic first appeared in the Spiceworks Community

  • Metropolis DMX Multiplexer or Higher End Router

    hello to all,
    i want to understand which one is best Metropolis DMX Access Multiplexer or Higher End Cisco Router?
    somewhere i read that DMX multiplexer is used to fill up the bandwidth gap... it means it will divide DS3 to multiple T1 or can combine multiple T1 to DS3... right... now we can do it with router also if we are using 10000 cisco router with DS3 modules and T1 card then also we can have same workout... so which one is best? and Why?
    regards
    Devang

    Hello Devang,
    the first question in a design study is: what are the requirements?
    Based on that one could then look for the required features and finally hardware/software can be picked.
    In other words, to define "best" one needs some explanation about the "rating system".
    Based on the requirements the answer also might be: "Neither DMX nor High End Router will be best".
    Regards, Martin

  • Windows Local Policy - which settings get uploaded?

    A quick question on expected behaviour when configuring local policies - does ZCM capture all settings from the gpedit.msc on the machine being captured or is it only the changes?
    e.g. if the machine being used has UAC enabled in its local policy store and I use that machine to configure a completely different setting e.g. Windows Updates, when uploading to the server will the uploaded bundle include all the defaults from the machine (i.e. the UAC setting etc)?

    gshaw0 wrote:
    >
    > A quick question on expected behaviour when configuring local
    > policies - does ZCM capture all settings from the gpedit.msc on the
    > machine being captured or is it only the changes?
    >
    > e.g. if the machine being used has UAC enabled in its local policy
    > store and I use that machine to configure a completely different
    > setting e.g. Windows Updates, when uploading to the server will the
    > uploaded bundle include all the defaults from the machine (i.e. the
    > UAC setting etc)?
    I would say it does not - but I could be wrong. I believe I've done a
    whole set of different local policies from the same computer so if it
    was to import all the settings they would all be the same policy...
    Niels
    A true red devil...
