Pseudowire headend vc 4 and 5
Can someone explain the difference between VC 4 and VC 5 in pseudowire technology? In addition, in a pseudowire headend setup, what is the usage of VC 4 and 5?
Hi Wong
Below is the short difference between VC type 4 and VC type 5:
A VC type 4 transports a VLAN over MPLS.
A VC type 5 tunnels an Ethernet port over MPLS.
Also check the post mentioned below.
http://www.mplsvpn.info/2009/12/modes-of-ethernet-over-mpls-eompls.html
regards
Shivlu Jain
Similar Messages
-
L2 tunnel between me3600x and 3925
Hello,
We are currently trying to configure a l2tunnel between a ME3600X (running 15.3(3)S3 with the AdvancedMetroIPAccess licence) and a 3925 (running 15.0(1)M2 with the datak9 licence).
We are part of a CsC architecture, playing the role of the customer carrier, using BGP for label distribution between the Backbone carrier and the Customer carrier.
Our architecture is quite flat as the CE and PE roles are on the same routers.
We have a view of the following architecture and can configure the R1, RCV1, RCV2 and R2 routers:
R1 --- RCV1---(Backbone Carrier)---RCV2--- R2
We have 3 sites A, B and C but only 2 dark fibers to connect them.
We are using the CsC to build an L2 tunnel and close the triangle:
A-ME=tun=3925-B
df df
C
For years we were using a 2911 and a 3900 to build the tunnel and it was good. The tunnel was built with an xconnect l2tpv3.
We replaced our 2911 with a ME3600X a few weeks ago following the advice of our backbone CsC contact, and we are now facing the following problem:
The configuration we used is not working any more: we can build the tunnel but the spanning tree BPDUs are not passing through (we use RSTP as the spanning-tree protocol).
3925 : ______________
pseudowire-class backup-sro-ypa
encapsulation l2tpv3
ip local interface GigabitEthernet0/0/0.777
interface GigabitEthernet0/1
description interface connecting site B
no ip address
duplex auto
speed auto
no keepalive
no cdp enable
xconnect 10.193.32.50 5 pw-class backup-sro-ypa
interface GigabitEthernet0/0/0.777
description interface facing the CsC
encapsulation dot1Q 777
ip address 10.193.32.42 255.255.255.252
mpls bgp forwarding
ME3600 : ______________
pseudowire-class backup-ypa-sro
encapsulation l2tpv3
sequencing both
ip local interface Vlan777
interface GigabitEthernet0/1
description interface facing the CsC
switchport trunk allowed vlan none
switchport mode trunk
mtu 1512
service instance 777 ethernet
description *** Transport vers to CsC***
encapsulation dot1q 777
rewrite ingress tag pop 1 symmetric
l2protocol tunnel
bridge-domain 777
interface GigabitEthernet0/2
description interface connecting site A
no switchport
no ip address
xconnect 10.193.32.42 5 encapsulation l2tpv3 pw-class backup-ypa-sro
interface Vlan777
description vers RCV
dampening
mtu 1512
ip address 10.193.32.50 255.255.255.252
no ip unreachables
mpls bgp forwarding
As we have no experience with the ME3600X and its EVC and service instance concepts, we have a hard time figuring out what solution to use:
- According to this post l2tpv3 is not supported on the ME3600X : https://supportforums.cisco.com/discussion/11919131/configuring-pseudowire-between-3800-router-and-me3600x
- According to this one it seems possible to interoperate a tunnel between a 2911 and a Me3600 : https://supportforums.cisco.com/discussion/11848451/eompls-and-layer-2-tunneling
Our need is slightly different though, as we are trying to pass a dot1Q trunk in the tunnel.
We tried to switch to encapsulation mpls, with no luck so far...
Any help or feedback would be greatly appreciated.
Best Regards,
Jérôme Schlumberger
News from the lab...
I decided to start my config again from scratch:
On the ME3600X___________ :
pseudowire-class backup-ypa-sro
encapsulation l2tpv3
ip local interface Vlan777
sequencing both
interface GigabitEthernet0/2
description *** Backup L2 VLans Internes avec RSROHES1 ***
no switchport
no ip address
no keepalive
no cdp enable
xconnect 10.193.32.42 5 pw-class backup-ypa-sro
On the 3900___________
pseudowire-class backup-sro-ypa
encapsulation l2tpv3
ip local interface GigabitEthernet0/0/0.777
sequencing both
interface GigabitEthernet0/1
description Tunnel_BB_HEIGVD
no ip address
duplex auto
speed auto
no keepalive
no cdp enable
xconnect 10.193.32.50 5 pw-class backup-sro-ypa
-> The "sequencing both" is mandatory to get the tunnel UP.
-> I configured l3 interfaces on the devices facing the ends of the tunnel and I can't ping them. Looking a little bit more carefully, I noticed that the arp table does not fill on the 3900, but it does on the 3600. I guessed that's a limitation on the 3600, but still not sure.
I then tried to switch to mpls encapsulation with the following configuration :
On the ME3600X_____________________________
pseudowire-class backup-ypa-sro
encapsulation mpls
interface GigabitEthernet0/2
description *** Backup L2 VLans Internes avec RSROHES1 ***
no switchport
no ip address
no cdp enable
xconnect 10.193.32.42 5 pw-class backup-ypa-sro
On the 3900___________
pseudowire-class backup-sro-ypa
encapsulation mpls
interface GigabitEthernet0/1
description Tunnel_BB_HEIGVD
no ip address
duplex auto
speed auto
no keepalive
no cdp enable
xconnect 10.193.32.50 5 pw-class backup-sro-ypa
This time it was impossible to get the tunnel UP:
sh xconnect all detail:
XC ST Segment 1 S1 Segment 2 S2
------+---------------------------------+--+---------------------------------+--
DN ac Gi0/1(Ethernet) UP mpls 10.193.32.50:5 DN
Interworking: none Local VC label 147
Remote VC label unassigned
pw-class: backup-sro-ypa
Actually, as I am in a CsC architecture using BGP for label distribution with the CsC core, there is no LDP neighbor, and it seems to be the reason why I can't get the tunnel UP.
I am now trying to avoid LDP for the signaling of the tunnel using AToM Static Pseudowire Provisioning, but I am too much of a newbie for that. I get an "Incomplete AToM manual config" when configuring the xconnect on the ME3600...
Here is my config on the ME3600x so far :
pseudowire-class backup-ypa-sro
encapsulation mpls
protocol none
interface GigabitEthernet0/2
description *** Backup L2 VLans Internes avec RSROHES1 ***
no switchport
no ip address
no cdp enable
xconnect 10.193.32.42 5 encapsulation mpls manual pw-class backup-ypa-sro
! Incomplete AToM manual config
Funny, I tried to configure
RYPRC01(config-if-xconn)#mpls label 0 1048500
on the xconnect sub config section of the interface, but it won't appear in the config...
I am really stuck, and any help would really be appreciated.
Best Regards,
Jérôme Schlumberger -
L2VPN Pseudowire Redundancy/IPSEC
I have a customer with L2VPN Pseudowire Redundancy configured and they want a more secure environment and would like to implement IPSEC and still maintain the Pseudowire Redundancy. The only way I can come up with is to put a device behind each side of the L2VPN tunnel to do the IPSEC VPN. Is there a way to do Pseudowire Redundancy with IPSEC and not L2VPN? As far as I know you cannot because it runs on layer 2 and IPSEC is layer 3, but maybe I am missing something.
Thanks.
The L2VPN Pseudowire Redundancy feature enables you to configure your network to detect a failure in the network and reroute the Layer 2 (L2) service to another endpoint that can continue to provide service.
http://www.cisco.com/en/US/products/ps6441/products_configuration_guide_chapter09186a0080819eea.html#wp1053684
Configuring IPSec Redundancy: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094c1f.shtml -
ASR 9000 IOS-XR 5.22 BNG: PPPoE termination with PWHE
I'm successfully using a classic BNG configuration for PPPoE clients using PW (xconnect).
Now I'm trying the pseudowire headend configuration in the lab, but without success.
Here is my configuration:
l2vpn
pw-class gia1
encapsulation mpls
protocol ldp
transport-mode ethernet
xconnect group prova
p2p numero1
interface PW-Ether101
neighbor ipv4 192.168.201.1 pw-id 888
interface PW-Ether101.1
service-policy type control subscriber policy1
pppoe enable bba-group bba1
encapsulation dot1q 140
I receive the PPPoE client PADI, and in the debug output you can see the PADO, which inexplicably is not received by the client CPE:
RP/0/RSP0/CPU0:test_9001#RP/0/RSP0/CPU0:Feb 12 11:25:38.568 : pppoe_ma[453]: PW-Ether101.1: I dst ffff.ffff.ffff src 90f6.525a.ace1: len 46 0x11090000000c01010000010300040000016f00000000000000000000000000000000000000000000000000000000
RP/0/RSP0/CPU0:Feb 12 11:25:38.568 : pppoe_ma[453]: [PADI-Recv]: PW-Ether101.1 peer-mac 90f6.525a.ace1
RP/0/RSP0/CPU0:Feb 12 11:25:38.568 : pppoe_ma[453]: [PADI-Recv]: vlan-id-outer 140
RP/0/RSP0/CPU0:Feb 12 11:25:38.568 : pppoe_ma[453]: [PADI-Recv]: Service-name:
RP/0/RSP0/CPU0:Feb 12 11:25:38.568 : pppoe_ma[453]: [PADI-Recv]: Host-uniq: 0000016f
RP/0/RSP0/CPU0:Feb 12 11:25:38.569 : pppoe_ma[453]: PW-Ether101.1: O dst 90f6.525a.ace1 src e0ac.f112.c675: len 31 0x11070000001901010000010300040000016f01020009746573745f39303031
RP/0/RSP0/CPU0:Feb 12 11:25:38.569 : pppoe_ma[453]: [PADO-Sent]: PW-Ether101.1 peer-mac 90f6.525a.ace1
RP/0/RSP0/CPU0:Feb 12 11:25:38.569 : pppoe_ma[453]: [PADO-Sent]: vlan-id-outer 140
The PADO packet disappears and there are zero packets in output on the pw-ether interface (and in "show l2vpn xconnect detail" too):
RP/0/RSP0/CPU0:test_9001# sh int pw-ether 101.1
Thu Feb 12 11:31:02.071 UTC
PW-Ether101.1 is up, line protocol is up
Interface state transitions: 11
Hardware is VLAN sub-interface(s), address is e0ac.f112.c675
Internet address is Unknown
MTU 1518 bytes, BW 10000 Kbit (Max: 10000 Kbit)
reliability 255/255, txload 0/255, rxload 0/255
Encapsulation 802.1Q Virtual LAN, VLAN Id 140, loopback not set,
Last input 00:00:09, output never
Last clearing of "show interface" counters never
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
352 packets input, 22528 bytes, 0 total input drops
0 drops for unrecognized upper-level protocol
Received 352 broadcast packets, 0 multicast packets
0 packets output, 0 bytes, 0 total output drops
Output 0 broadcast packets, 0 multicast packets
show l2vpn xconnect detail
Statistics:
packets: received 672, sent 0
bytes: received 43008, sent 0
Any ideas?
Thank you
Gianrico Fichera
ITESYS SRL -
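Added here as an editor's example (not code from the original post or from Cisco): a decoder for the pppoe_ma frame-dump lines in the ASR 9000 post above, parsing the hex payloads as RFC 2516 PPPoE discovery packets and checking that the PADO is a valid answer to the PADI. It assumes the line layout shown in the post ("<ifname>: I|O dst <mac> src <mac>: len <n> 0x<hex>"); the two sample lines are the ones from the post, with the PADI's zero padding written as 28 zero bytes.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# PPPoE discovery codes and tag types from RFC 2516 (unknown tags are shown as hex).
CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
TAG_NAMES = {0x0000: "End-Of-List", 0x0101: "Service-Name", 0x0102: "AC-Name",
             0x0103: "Host-Uniq", 0x0104: "AC-Cookie", 0x0105: "Vendor-Specific",
             0x0110: "Relay-Session-Id", 0x0201: "Service-Name-Error",
             0x0202: "AC-System-Error", 0x0203: "Generic-Error"}
# Assumed shape of a pppoe_ma frame-dump line, as seen in the post:
#   "<ifname>: I|O dst <mac> src <mac>: len <n> 0x<hex>"
LOG_RE = re.compile(r"(?P<ifname>PW-Ether[\d./]+): (?P<dir>[IO]) dst (?P<dst>[0-9a-f.]+) "
                    r"src (?P<src>[0-9a-f.]+): len \d+ 0x(?P<hex>[0-9a-fA-F]+)")


@dataclass
class PPPoEFrame:
    ifname: str
    direction: str      # "I" = received by the BNG, "O" = sent by it
    dst: str
    src: str
    code: str           # PADI, PADO, ...
    session_id: int
    tags: List[Tuple[str, bytes]] = field(default_factory=list)

    def tag(self, name: str) -> Optional[bytes]:
        """Value of the first tag called `name`, or None if the frame lacks it."""
        return next((v for n, v in self.tags if n == name), None)


def decode_discovery(payload: bytes) -> Tuple[str, int, List[Tuple[str, bytes]]]:
    """Parse the 6-byte PPPoE header and the TLV tags that follow it."""
    if len(payload) < 6:
        raise ValueError("payload shorter than the 6-byte PPPoE header")
    ver_type, code = payload[0], payload[1]
    session_id = int.from_bytes(payload[2:4], "big")
    length = int.from_bytes(payload[4:6], "big")
    if ver_type != 0x11:
        raise ValueError(f"unexpected VER/TYPE byte 0x{ver_type:02x}")
    if code not in CODES:
        raise ValueError(f"unknown discovery code 0x{code:02x}")
    # Decode only LENGTH bytes: the zero padding that brings the PADI up to the
    # 46-byte Ethernet minimum must not be misread as End-Of-List tags.
    body = payload[6:6 + length]
    if len(body) < length:
        raise ValueError("declared LENGTH runs past the captured frame")
    tags, offset = [], 0
    while offset + 4 <= len(body):
        tag_type = int.from_bytes(body[offset:offset + 2], "big")
        tag_len = int.from_bytes(body[offset + 2:offset + 4], "big")
        value = body[offset + 4:offset + 4 + tag_len]
        if len(value) < tag_len:
            raise ValueError("tag length runs past the PPPoE payload")
        if tag_type == 0x0000:       # End-Of-List terminates the tag list
            break
        tags.append((TAG_NAMES.get(tag_type, f"0x{tag_type:04x}"), value))
        offset += 4 + tag_len
    return CODES[code], session_id, tags


def parse_log_line(line: str) -> Optional[PPPoEFrame]:
    """Turn one pppoe_ma frame-dump line into a PPPoEFrame; None for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    code, session_id, tags = decode_discovery(bytes.fromhex(m["hex"]))
    return PPPoEFrame(m["ifname"], m["dir"], m["dst"], m["src"], code, session_id, tags)


def check_pado_against_padi(padi: PPPoEFrame, pado: PPPoEFrame) -> List[str]:
    """RFC 2516 consistency checks a PADO must satisfy for the PADI it answers."""
    problems = []
    if pado.dst != padi.src:
        problems.append("PADO is not unicast back to the PADI sender")
    if pado.session_id != 0:
        problems.append("PADO must carry SESSION_ID 0x0000")
    if pado.tag("AC-Name") is None:
        problems.append("PADO lacks the mandatory AC-Name tag")
    if pado.tag("Host-Uniq") != padi.tag("Host-Uniq"):
        problems.append("Host-Uniq was not echoed back unmodified")
    return problems


def analyse(lines: List[str]) -> Tuple[List[PPPoEFrame], List[str]]:
    """Decode every frame dump and check the first PADO against the first PADI."""
    frames = [f for f in map(parse_log_line, lines) if f is not None]
    padi = next((f for f in frames if f.code == "PADI"), None)
    pado = next((f for f in frames if f.code == "PADO"), None)
    if padi is None or pado is None:
        return frames, ["no PADI/PADO pair found in the log"]
    return frames, check_pado_against_padi(padi, pado)


# The two frame-dump lines from the post; the PADI's zero padding is written
# as 28 zero bytes so the payload is the 46 bytes the log reports.
SAMPLE_LOG = [
    "RP/0/RSP0/CPU0:Feb 12 11:25:38.568 : pppoe_ma[453]: PW-Ether101.1: I dst ffff.ffff.ffff"
    " src 90f6.525a.ace1: len 46 0x11090000000c01010000010300040000016f" + "00" * 28,
    "RP/0/RSP0/CPU0:Feb 12 11:25:38.569 : pppoe_ma[453]: PW-Ether101.1: O dst 90f6.525a.ace1"
    " src e0ac.f112.c675: len 31 0x11070000001901010000010300040000016f01020009746573745f39303031",
]
```

Running analyse(SAMPLE_LOG) decodes the PADI/PADO pair (AC-Name "test_9001", Host-Uniq 0000016f echoed) and reports no problems, so the PPPoE discovery exchange itself is well-formed and the loss is below it, on the forwarding path out of PW-Ether101.1 where the post shows zero output packets.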
BRAS Config for MPLS carrying PPPoE
Hi all
DSLAM----(PPPoE)---7600----(Xconnect)----7600----(VLAN/PPPoE)---(BRAS ASR1K)
We currently have a distributed access network where the DSLAMs send us PPPoE packets which we are wrapping into xconnects back to a central BRAS.
the xconnects terminate on the upstream device to the BRAS. The BRAS is connected by a VLAN trunk and each DSLAM is identified by a unique VLAN-ID.
so the BRAS gets native PPPoE frames.
I wish to extend the MPLS to the BRAS itself. So that the xconnect ( or VPLS ) terminates on the BRAS itself.
I can't see how to stitch in the PPPoE features to get this to work.
I was thinking about an external looping cable on the same BRAS device, but that's a bit crap.
Is there a more elegant solution?
Many thanks
Hi,
You can try the pseudowire headend configuration. But I am not sure it's available for the ASR1K.
http://www.cisco.com/en/US/docs/routers/crs/software/crs_r4.1/lxvpn/configuration/guide/vc41vpls.html#wp1323446 -
Hello,
As I understood, the ASR 9001 has 4 integrated onboard 10 GB interfaces and two Line Card slots. It has MOD 80 architecture.
The onboard 10 Gb interfaces have the same QoS capabilities as MOD TR modular line cards (8 queues per port, etc.).
What about the two Line Card Slots? If I use A9K-MPA-20x1GE, A9K-MPA-2x10GE or A9K-MPA-4x10GE line cards, which QoS specifications will I have? Like MOD SE or MOD TR? As I know, these line cards have SE functions on the ASR 9001/9001S. Does it mean more than 8 queues per port? Can I terminate Pseudowire Headend on these interfaces and use QoS on them?
Regards,
Guner
Nope, the ingress/egress counters stay at 0; sometimes ARP completes, sometimes it doesn't.
The router crashes when trying to do an OIR.
RP/0/RSP0/CPU0:ASR-9001#admin show inst act summ
Default Profile:
SDRs:
Owner
Active Packages:
disk0:asr9k-mini-px-4.3.4
disk0:asr9k-k9sec-px-4.3.4
disk0:asr9k-mcast-px-4.3.4
disk0:asr9k-optic-px-4.3.4
disk0:asr9k-fpd-px-4.3.4
disk0:asr9k-doc-px-4.3.4
disk0:asr9k-mpls-px-4.3.4
disk0:asr9k-px-4.3.4.CSCul58246-1.0.0
disk0:asr9k-px-4.3.4.CSCui94441-1.0.0
disk0:asr9k-px-4.3.4.CSCug75299-1.0.0
disk0:asr9k-px-4.3.4.CSCuj01579-1.0.0
disk0:asr9k-px-4.3.4.CSCum51429-1.0.0 -
[OSPF/LDP/PW Fast convergence] ASR9k/ME3800/ME3600
Hello, Netpro:
I'm having a bit of a problem with OSPF/LDP Pseudowire fast convergence.
I have a test lab scenario with 2 ASR9000, 1 ME3800X and 1 ME3600X.
They are connected in an L3 MPLS ring, like this:
ME3800X---[a]---ASR1--[b]--ASR2---[c]---ME3600X
| |
|--------------------------------[d]-----------------------|
The MEs are connected back to back closing the loop.
The ring is configured for: OSPF fast convergence timers, LDP session protection, MPLS LDP sync and BFP for OSPF on all interfaces.
For testing purposes I've configured a pseudowire between the MEs and forced the path via OSPF to go through the ASRs.
My problem is that I do not get the same responses when breaking the ring in different places. For example: if I break the ring in (b) or (d) I get ~100ms loss (when breaking the d connection, I change OSPF so that the PW takes the direct route between MEs). If I break the ring in (a) or (c) I get ~500ms loss.
Also for testing purposes, I ran a similar test but with regular L3 interfaces (NO pseudowire) between MEs and for all scenarios I get 60-100ms. So, basically I'm assuming OSPF is converging like it's supposed to and the issue is within LDP.
Any ideas?
Regards,
c.
Yes, I did test traffic engineering, but there's a bug (on 3600/3800) that when a PW changes paths it will stop passing traffic, so that part is stuck.
Is there an OSPF problem with ASR? I didn't understand very well your comment
My description of my scenario is just for simplicity purposes. The real question here is, what is going on between an IOS box and an XR box that when you cause a fault in between those 2, LDP recovers in 500ms and when you cause a fault in same-OS boxes, recovery is 100ms. -
Hi,
I'm a little confused, hope you can help. I'm playing with MPLS TE these days and here is what I read in the "Traffic Engineering with MPLS book" by Cisco Press:
After a downstream router receives a Path message, it does a few things. It checks the message's format to make sure everything is OK, and then it checks the amount of bandwidth the received Path message is asking for. This process is known as admission control.
If admission control is successful and the Path message is allowed to reserve the bandwidth it wants, the downstream router creates a new Path message and sends it to the next hop in the Explicit Route Object (ERO), which is covered later in this chapter. Path messages follow this chain until they reach the last node in the ERO-the MPLS TE tunnel tail.
The tunnel tail performs admission control on the Path message, just like any other downstream router. When the tail realizes that it is the destination of the Path message, it replies with a Resv message.
Well, when I test this my observations are like this:
1) Bandwidth is reserved only on tailend-facing interfaces, not on headend-facing ones.
2) If the tailend has no ip rsvp bandwidth command on the headend-facing interface it still replies with a correct RESV message and the tunnel comes up. Traffic is forwarded as supposed.
3) If you do not enter the ip rsvp bandwidth command on headend-facing interfaces in the path the tunnel still comes up and everything works fine.
These things, however, do not match what is written in the book. It seems that the tailend does not care about the tunnel parameters required by the headend, and as long as the message format is correct it always returns a RESV message. I assume this is a simple principle which cannot have changed over the years, so either these guys are wrong (however unlikely this is), or I'm missing something. Any help will be appreciated.
Kind Regards,
Stefan
P.S. I'm testing this on a 7206 VXR running ADVIPSERVICES 12.2(33)SRD but I don't think it matters at all.
Hello Stefan,
MPLS TE tunnels are strictly unidirectional and so this explains why bandwidth reservations are done in a single direction.
This is normal and it should be expected.
So in your tests, having no ip rsvp bandwidth in the other direction doesn't block the setup of the MPLS TE tunnel in the intended direction.
This is different from what you can see for example on a GRE tunnel.
So I would say all you see is correct.
By the way, I think classic RSVP reservations are also unidirectional.
Each router should check whether, in the direction to the destination, it has enough RSVP BW resources to allocate, taking into account already existing reservations made by other tunnels (if any); the bandwidth to the headend is checked only when you create a tunnel from the current destination node to the current source node.
Hope to help
Giuseppe -
Checking L2/L3VPN traffic path through SP network (for ECMP)
Folks,
Scenario:
CE1-----PE1=====P1=====P2=====PE2-------CE2
Let's say CE1 and CE2 are doing L2VPN and all hops between PE1, P1, P2 and PE2 have more than one equal-cost path (ECMP).
I am trying to ascertain a way of knowing what path the EoMPLS traffic would take inside the SP core.
Some vendors say the way the hashing works is that if a PE finds it's got more than one path to the egress PE, it would do hashing based on src/dst MAC, and in other cases if a P device finds it's got more than one path to the egress PE, it would do hashing based on the VC label.
In either case, let's say we know what hashing method the P or PE device is using; obviously we would need an easier method to determine what path a pseudowire would take inside the provider network. Again, some vendors use what is called a "pseudowire traceroute" to determine this path. A prerequisite of this is that at the time of setting up the PW, the control word needs to be turned on.
I am looking for more knowledge on whether someone knows how the pseudowire traceroute would work and the process behind the PW traceroute which uses the control word? More like how we know a normal traceroute works is through UDP packets with incrementing TTL... and so forth.
Anyone??
Hello Ulatif,
it looks like MPLS traceroute for a pseudowire is not possible.
Actually the VCCV should be under the implementation of ping mpls and ping mpls pseudowire. The following document is a little old but explains the basic concepts under ping mpls and traceroute mpls.
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/gslsppt.html#wp1156080
However, sh mpls l2transport vc detail shows the choice made for a specific pseudowire between two parallel paths; see this example from our network:
sh mpls forw 10.80.0.25
Local Outgoing Prefix Bytes Label Outgoing Next Hop
Label Label or VC or Tunnel Id Switched interface
21 295 10.80.0.25/32 0 Te1/2 10.82.0.233
341 10.80.0.25/32 0 Te1/6 10.82.0.237
sh mpls l2transport vc det
Local interface: Te1/7 up, line protocol up, Ethernet up
Destination address: 10.80.0.25, VC ID: 1, VC status: up
Output interface: Te1/2, imposed label stack {295 372}
Preferred path: not configured
Default path: active
Next hop: 10.82.0.233
Create time: 7w4d, last status change time: 6w4d
Signaling protocol: LDP, peer 10.80.0.25:0 up
Targeted Hello: 10.80.0.24(LDP Id) -> 10.80.0.25
Status TLV support (local/remote) : enabled/supported
Label/status state machine : established, LruRru
Last local dataplane status rcvd: no fault
Last local SSS circuit status rcvd: no fault
Last local SSS circuit status sent: no fault
Last local LDP TLV status sent: no fault
Last remote LDP TLV status rcvd: no fault
MPLS VC labels: local 1429, remote 372
Group ID: local 0, remote 0
MTU: local 9216, remote 9216
Remote interface description:
Sequencing: receive disabled, send disabled
VC statistics:
packet totals: receive 5172156, send 5361948
byte totals: receive 676971483, send 917397631
packet drops: receive 0, seq error 0, send 610
This solves the question at source PE or destination PE of the pseudowire but I agree that in the middle in your scenario there are other possible choices of intermediate nodes.
All I can say is that once a path is chosen by source PE it determines a complete path because intermediate nodes will make a choice and keep it.
Hope to help
Giuseppe -
ATM over Ethernet and pseudowires
Hello.
Could somebody tell me if there is a Cisco router that can do ATM over Ethernet? These ATM circuits coming from an Ethernet interface should be transported as pseudowires through an IP/MPLS backbone. Can 12000 routers do this? Which version do I need?
Thanks
Hi Narayan. Thank you.
I have now the following doubt. If we have the following topology:
lan-(CE)--ethe--(pe)--MPLS--(pe)--atm-(ce)-lan
Consider a lot of atm access at the right side, but we need to use only one vlan at the left side to connect all the remote atm sites.
You are telling me that we can convert the left CE into a PE. But can we maintain the router as a CE but terminating the ATM circuits (pseudowires) transported over one VLAN (ATM over Ethernet)?
I appreciate everything.
2 ISPs with addresses /32 and PPtP Server onboard of Cisco 3825
First of all, excuse me for my bad English, it's not my native language.
A couple of years ago our company replaced our central router, a Cisco 1841, with a more powerful 3825 ISR.
Here is show ver
Cisco IOS Software, 3800 Software (C3825-ADVENTERPRISEK9-M), Version 12.4(24)T7
This Cisco 3825 contains 2 DIMMs - 256Mb and 512 Mb of RAM onboard.
Now it works with 2 ISPs (take a glance at the PDF picture http://www.intelcom-ug.ru/scheme.pdf or at the attached file). We're using a failover scheme: ISP1 with the statically assigned IP address 85.20.20.20/32 (Dialer 1) is used as the backup link. The ISP2 L2TP link is the main one.
Now our authorities are organizing a remote office with a Cisco 1841, and we are facing the problem that we cannot connect via PPTP from anywhere to 85.20.20.20/32 (Dialer 1). We need some help or advice. The config of the Cisco 3825 is like this:
version 12.4
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime localtime
service password-encryption
hostname CENTRAL-OFFICE
boot-start-marker
warm-reboot
boot-end-marker
security authentication failure rate 3 log
logging message-counter syslog
logging buffered 64000
enable secret 5 HEREISTHESECRETPASSWORD
aaa new-model
aaa local authentication attempts max-fail 3
aaa authentication login default local
aaa authentication ppp default local
aaa authentication ppp vpn-users local
aaa authorization exec default local
aaa authorization exec vpn-users local
aaa authorization network vpn-users local
aaa session-id common
clock timezone MSK 4
ip source-route
no ip gratuitous-arps
ip cef
no ip domain lookup
ip domain name somewhere.net
ip name-server 8.8.8.8
no ipv6 cef
multilink bundle-name authenticated
vpdn enable
vpdn-group 239
accept-dialin
protocol pptp
virtual-template 100
vpdn-group global
! Default L2TP VPDN group
! Default PPTP VPDN group
accept-dialin
protocol any
password encryption aes
voice-card 0
username administrator privilege 15 password 7 737364645252414571
username vpnuser password 7 85956353413120384645373930
archive
log config
hidekeys
ip tcp selective-ack
ip tcp timestamp
ip tcp synwait-time 5
ip tcp path-mtu-discovery
ip ssh version 2
l2tp-class beeline
pseudowire-class pw-beeline
encapsulation l2tpv2
protocol l2tpv2 beeline
buffers tune automatic
interface Loopback0
ip address 10.111.111.111 255.255.255.255
interface GigabitEthernet0/0
description --Our Local Network--
ip address 192.168.7.2 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
media-type rj45
interface GigabitEthernet0/1
description --Trunk Connection--
no ip address
duplex auto
speed auto
media-type rj45
interface GigabitEthernet0/1.10
description --Connection to ISP1 through vlan on our managed switch--
encapsulation dot1Q 10
pppoe enable group global
pppoe-client dial-pool-number 2
interface GigabitEthernet0/1.20
description --Connection to ISP2 through vlan on our managed switch--
encapsulation dot1Q 20
ip address dhcp
ip virtual-reassembly
interface Virtual-PPP5
description --Interface for ISP2--
ip address negotiated
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1380
no peer neighbor-route
no cdp enable
ppp authentication chap callin
ppp chap hostname 8282828282828
ppp chap password 7 theSecretForISP2
pseudowire 10.255.255.242 10 pw-class pw-beeline
interface Virtual-Template100
description --TEMPLATE for incoming PPtP connections of our users--
ip unnumbered Dialer1
autodetect encapsulation ppp
peer default ip address pool for-vpn
no keepalive
ppp authentication ms-chap ms-chap-v2 vpn-users
ppp authorization vpn-users
interface Dialer1
description --Interface for ISP1. PPPoE--
bandwidth 10240
ip address negotiated
ip accounting output-packets
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1400
load-interval 30
dialer pool 2
dialer-group 2
no fair-queue
ppp authentication chap callin
ppp pap sent-username reteretere password 7 PasswordForISP1
ip local policy route-map External_VPN
ip local pool for-vpn 172.16.135.1 172.16.135.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1 100 track 1
ip route 0.0.0.0 0.0.0.0 Virtual-PPP5 track 2
ip route 192.168.239.0 255.255.255.0 172.16.135.1 name C1841-Rossiyskaya70
ip route 194.87.0.8 255.255.255.255 Dialer1
ip route 194.87.0.9 255.255.255.255 Virtual-PPP5
ip route 10.255.255.242 255.255.255.255 dhcp
ip route 10.255.255.247 255.255.255.255 dhcp
no ip http server
no ip http secure-server
ip nat inside source route-map Beeline interface Virtual-PPP5 overload
ip nat inside source route-map UTK interface Dialer1 overload
! This access-list is for local Network proxy
ip access-list standard fwd-squid
permit 192.168.7.100
permit 192.168.7.0 0.0.0.255
! This access-list is for ip local policy
ip access-list extended External_VPN_access
permit tcp host 85.20.20.20 eq 1723 any
permit tcp host 85.20.20.20 eq 22 any
permit tcp host 85.20.20.20 eq telnet any
permit icmp host 85.20.20.20 any echo-reply
track 1 ip sla 1 reachability
ip sla 1
icmp-echo 194.87.0.8 source-interface Dialer1
timeout 7000
threshold 100
frequency 15
ip sla schedule 1 life forever start-time now
ip sla reaction-configuration 1 react timeout threshold-type immediate action-type triggerOnly
track 2 ip sla 2 reachability
ip sla 2
icmp-echo 194.87.0.9 source-interface Virtual-PPP5
timeout 7000
threshold 400
frequency 15
ip sla schedule 2 life forever start-time now
ip sla reaction-configuration 2 react timeout threshold-type immediate action-type triggerOnly
access-list 1 remark --SNMP Watching--
access-list 1 permit 192.168.7.0 0.0.0.255
access-list 100 permit ip 192.168.7.0 0.0.0.255 any
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
dialer-list 3 protocol ip permit
route-map External_VPN permit 10
match ip address External_VPN_access
set default interface Dialer1
route-map UTK permit 10
match ip address 100
match interface Dialer1
route-map Beeline permit 10
match ip address 100
match interface Virtual-PPP5
snmp-server community public RO 1
control-plane
line con 0
line aux 0
line vty 0 4
exec-timeout 30 0
line vty 5 15
exception memory ignore overflow processor
exception memory ignore overflow io
scheduler allocate 20000 1000
ntp update-calendar
ntp peer 194.33.84.1
event manager applet nat_clear_isp1
event track 1 state any
action 1 wait 5
action 2 cli command "enable"
action 3 cli command "clear ip nat translation *"
event manager applet nat_clear_isp2
event track 2 state any
action 1 wait 5
action 2 cli command "enable"
action 3 cli command "clear ip nat translation *"
end
Okay, you are not going to be able to do this using the interconnect between the switch and the router. The issue is:
1) If you make the interconnect an L2 trunk then you would have subinterfaces on the router interface connecting to the switch. But you cannot have multiple interfaces on the router configured from the same IP range, so it won't work, i.e. you would need a subinterface using the same IP range as one of the other interfaces.
2) If you make the interconnect L3 as you have, then you cannot route to the same subnet, i.e. think of it as two separate devices, an L3 switch and a router. You connect the L3 switch to the router using an L3 connection.
On the switch you then configure a client with a public IP, and on another interface on the router, i.e. not the interface used to connect to the switch, you use the same public IP range.
You cannot then route from the client to that other interface because you don't route to the same IP subnet, and the client and the other interface are separated by a different IP subnet.
So neither will work. The L3 switch is usually used where you have multiple VLANs/IP subnets: you create L3 VLAN interfaces for these on the switch and then you route to other subnets that are reachable from the router, whether these are directly connected subnets or remote networks.
But you aren't doing that.
The only way I could see you doing what you need is to not configure the interconnect at all and instead run cables from the relevant router interfaces to the switch. Then you could configure VLANs on the switch and have them route via the physical router interface.
The switch is then only acting as an L2 switch and all L3 is done on the router.
One thing I should say is I have never used the switch module this way, so I can't guarantee it will work, although I can't see why it wouldn't.
Jon -
C2901, SSL_VPN and iPad/iPhone problem
Hello,
I've got a C2901SEC/K9 and an SSL-VPN licence. I've got a problem with connecting to the SSL-VPN from an iPad via AnyConnect Secure Mobility Client 2.5.5112. In the log I've got this message:
Apr 24 2012 10:27:55.563: %SSLVPN-5-SSL_TLS_ERROR: vw_ctx: UNKNOWN vw_gw: SSL_GW i_vrf: 0 f_vrf: 0 status: SSL/TLS connection error with remote at 178.180.86.42:56562
It looks like the context is unknown??? It's strange because sh webvpn context returns:
WABAGRTGW001#sh webvpn context
Context Name: SSL_USER
Admin Status: up
Operation Status: up
Error and Event Logging: Enabled
CSD Status: Disabled
Certificate authentication type: All attributes (like CRL) are verified
AAA Authentication List: default
AAA Authorization List not configured
AAA Accounting List not configured
AAA Authentication Domain not configured
Authentication mode: AAA authentication
Default Group Policy: SSL_POL
Associated WebVPN Gateway: SSL_GW
Domain Name and Virtual Host not configured
Maximum Users Allowed: 10
NAT Address not configured
VRF Name not configured
Virtual Template: 10
Virtual Access : 2
If I try to log in via a browser I get the SSL-VPN login page.
VPN config:
WABAGRTGW001#srs webvpn
crypto vpn anyconnect flash0:/webvpn/anyconnect-win-2.5.3055-k9.pkg sequence 2
crypto vpn csd flash0:/webvpn/sdesktop.pkg
webvpn gateway SSL_GW
 ip interface GigabitEthernet0/0 port 443
 http-redirect port 80
 ssl trustpoint local
 logging enable
 inservice
webvpn context SSL_USER
 title "Centrum Medyczne MML SSL-VPN"
 login-photo file flash:/webvpn/mml_o-nas01.jpg
 logo file flash:/webvpn/logo.jpg
 secondary-color white
 title-color #6060FF
 text-color black
 login-message "Authorized users only!"
 policy group SSL_POL
   functions svc-enabled
   timeout idle 600
   timeout session 43200
   svc dns-server primary 10.1.1.81
   svc wins-server primary 10.1.1.81
 virtual-template 10
 default-group-policy SSL_POL
 aaa authentication list default
 gateway SSL_GW
 max-users 10
 logging enable
 ssl authenticate verify all
 url rewrite
   unmatched-action redirect
 inservice
For me it's confusing. It worked before the IOS upgrade. Currently I'm using:
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(3)T, RELEASE SOFTWARE (fc1)
Thanks for help
Marcin
Marcin,
AnyConnect from mobile devices to an IOS headend (unlike ASA) is not something that Cisco supports (yet). Some people have reported it to work, but we have never claimed that it would.
We're tracking this under the following enhancement request:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtx24822
You can get in touch with your account team to discuss this, for now it's due for March 2013 (tentative).
M. -
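When a headend logs many of these %SSLVPN-5-SSL_TLS_ERROR lines, it helps to see whether they come from one client (as in Marcin's iPad test) or from many remote addresses, which would point at a gateway-side problem. The vw_ctx: UNKNOWN field is consistent with the failure happening during the TLS handshake, before the gateway has mapped the session to a context. Below is an added example, not code from the thread or from Cisco, that parses this IOS syslog format and aggregates handshake failures per remote address and per gateway/context. The first sample line is the one Marcin posted; the remaining sample lines are constructed for the example, and the threshold value is an assumed tuning knob.

```python
import re
from collections import Counter

# Field layout of the IOS %SSLVPN-5-SSL_TLS_ERROR message as seen in the thread.
# The named groups follow the order the fields appear in the log line.
LOG_RE = re.compile(
    r"%SSLVPN-(?P<sev>\d)-(?P<mnemonic>\w+): "
    r"vw_ctx: (?P<ctx>\S+) vw_gw: (?P<gw>\S+) "
    r"i_vrf: (?P<ivrf>\d+) f_vrf: (?P<fvrf>\d+) "
    r"status: (?P<status>.+?) with remote at (?P<ip>[\d.]+):(?P<port>\d+)\s*$"
)

# Constructed sample: line 1 is from the thread, the rest are made up for the example.
SAMPLE_LOG = """\
Apr 24 2012 10:27:55.563: %SSLVPN-5-SSL_TLS_ERROR: vw_ctx: UNKNOWN vw_gw: SSL_GW i_vrf: 0 f_vrf: 0 status: SSL/TLS connection error with remote at 178.180.86.42:56562
Apr 24 2012 10:28:01.101: %SSLVPN-5-SSL_TLS_ERROR: vw_ctx: UNKNOWN vw_gw: SSL_GW i_vrf: 0 f_vrf: 0 status: SSL/TLS connection error with remote at 178.180.86.42:56570
Apr 24 2012 10:30:12.004: %SSLVPN-5-SSL_TLS_ERROR: vw_ctx: UNKNOWN vw_gw: SSL_GW i_vrf: 0 f_vrf: 0 status: SSL/TLS connection error with remote at 203.0.113.7:4431
Apr 24 2012 10:31:00.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""


def parse_line(line):
    """Return a dict of the SSLVPN fields, or None if the line is not an SSLVPN message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def summarize(text, threshold=2):
    """Count SSL_TLS_ERROR events per remote IP and per (gateway, context).

    threshold (assumed value) is the number of failures from one address that
    marks it as 'noisy', i.e. worth checking before blaming the headend.
    """
    per_ip = Counter()
    per_ctx = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["mnemonic"] != "SSL_TLS_ERROR":
            continue  # skip non-SSLVPN lines and other SSLVPN mnemonics
        per_ip[rec["ip"]] += 1
        per_ctx[(rec["gw"], rec["ctx"])] += 1
    noisy = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return {"per_ip": dict(per_ip), "per_ctx": dict(per_ctx), "noisy": noisy}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for ip, n in sorted(result["per_ip"].items()):
        print(f"{ip}: {n} TLS handshake failures")
    for (gw, ctx), n in result["per_ctx"].items():
        print(f"gateway {gw} context {ctx}: {n}")
    print("repeat offenders:", result["noisy"])
```

Feed it the output of `show logging` (or the syslog collector's file) instead of SAMPLE_LOG; if every failure carries vw_ctx: UNKNOWN and comes from a handful of addresses that match the mobile clients, the thread's conclusion applies and the gateway configuration itself is not the first place to look.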
Transparent Tunneling and Local Lan Access via VPN Client
Remote users using Cisco VPN 4.2 connect successfully to a Cisco Pix 515 (ver. 6.3). The client is configured to allow Transparent Tunneling and Local Lan access, but once connected to the Pix, these two options are disabled. What configuration changes are required on the Pix to enable these options? Any assistance will be greatly appreciated.
Mike Bowyer
Hi Mike,
"Transparent Tunneling" and "Local Lan Access" are two different things. "Transparent Tunneling" is dealing with establishing an IPSec Tunnel even if a NAT device is between your client and the VPN-Headend-Device. "Local LAN Access" is dealing with access to devices in the LAN your VPN-Client-Device is connected to.
What do you mean exactly with "disabled once the connection is made" ?
You can check the local LAN Access by having a look at the Route-Table of the VPN-Client:
Right Click the yellow VPN-lock Icon in System-Tray while the VPN-Connection is active and select "Statistics ...". Have a look at the second register page "route details".
Are any local LAN routes displayed when you are connected?
And - always remember two important restrictions the Online Help of the VPN-Client is mentioning:
1: This feature works only on one NIC card, the same NIC card as the tunnel.
2: While connected, you cannot print or browse the local LAN by name; when disconnected, you can print and browse by name.
Carsten
PS: Removing Split Tunnel won't enable local LAN access as all traffic would be sent into the IPSec tunnel. -
Some of you may have noticed a few things on the national broadcast channels such as NBC, ABC and CBS, with tests saying that if you can see this then you're not on digital.
The entire Verizon footprint is all digital; please do not allow these commercials to fool you into thinking anything else. Just sit back, relax and enjoy your FiOS TV services knowing that you're all digital and have no worries.
The bottom line is that any customer with FiOS will not have a problem regardless of what you see now.
Message Edited by Kathleen on 12-22-2008 09:18 AM
I beg to differ with you a bit. These are local stations doing these tests, not the networks. They are only feeding these messages out over their analog channel. You may convert that analog channel to digital at your headend, but it's still the programming they are sending out on their analog signal. If FiOS does not get the digital signal from these stations by the time the digital transition happens, then FiOS customers watching those channels will see a blank screen.
Here is the good news: when this test was conducted in the Dallas-Fort Worth area a few weeks ago, I looked and did not see any problem at all. You guys are getting their digital signals and putting them on both the SD and HD versions of their channels on your system. That is the way it should be. I can't speak for how Fios does it in all parts of the country, but it is being done right here in North Texas. -
What is the maximum throughput for a 7341 and 7371?
I found the data sheet that describes the size of the two boxes, and lots of other statistics, but no throughput stats. Is the main difference between the 7341 and 7371 the memory and hard drive cache size?
Our data center headend WAE will be L2 connected to a redundant pair of 6506 distribution switches with gig uplinks.
I need to make sure I get the right device that can handle gig throughput of redirected accelerated traffic. Will the 7371 handle that?
Hi Jim,
WAE model   WAN supported   LAN throughput (max)   TFO-only throughput   Max TCP connections
WAE-7341    310 Mbps        600 Mbps               800 Mbps              12000
WAE-7371    1 Gbps          >1 Gbps                >1 Gbps               50000
Maximum supported peers per WAE:
Appliance   Concurrent peers
7341        200
7371        400
The WAE-7341 and WAE-7371 appliances provide the following features and benefits:
Feature: Hardware RAID-5
Benefit: Allows the appliance to continue operating with one drive in a non-functioning state, for increased reliability. Provides increased logical disk capacity.
Feature: Disk hot-swap capability
Benefit: No downtime when removing or installing hard disk drives.
Feature: 64-bit kernel
Benefit: Allows a larger memory footprint for the TCP Proxy application and increases the number of concurrent optimized connections, for increased scalability and performance.
Feature: 300-GB SAS (Serial Attached SCSI) hard disk drives
Benefit: 4 x 300 GB in the WAE-7341; 6 x 300 GB in the WAE-7371.
Feature: Disk monitoring
Benefit: Allows you to monitor, analyze, and control the RAID status through the CLI and view basic disk status in the RAID from the Central Manager GUI.
For more info on the hardware specification please see the following URL:
http://www.cisco.com.ru/en/US/docs/app_ntwk_services/waas/wae/installation/7341-7371/guide/7300spec.html
For the Global Price List (effective 20-Apr-2009) kindly refer to this URL:
http://price.c-group.com.ua/cisco/-0002.html
Please rate.
Kind regards,
Sachin Garg