Real-time traffic, static routes, ports, filters, EIGRP.

Similar Messages

• UCCM QoS tagging real time traffic

  Good day.
  I have a trunk connection between my PBX and my Call Manager. When users on the PBX side dial another site that passes over the WAN their traffic gets tagged best effort. I can see this on a sniff trace where i see the traffic hit the Call Manager and get passed on. My question is there a way on the Call Manager to take that real time traffic and tag it with DSCP, so it confirms to our other policies. If a user uses his cisco phone that tagging is retained. I know i can match the UDP traffic but i was hoping there would be a way to do it on the Call Manager. I'm trusting DSCP on the Call Manager port.
  Thanks in Advance.

  Nevermind just had to trust on the gateway ports.

• How does real time traffic work?

  Just can't seem to figure out this feature of maps!
  Thx

  Check this link for the locations where traffic data are available on Google Maps.
  Hope this helps...

• Realtime traffic through router?

  Hi!
  Is it possibel to see the "real time" traffic/ip connection through the Time Capsule Router? Or, can One see the connection ip somehow? I have Little Snitch and there I see what my Mac is doing "in the back". But as a cearing father of to boys I´d like to see what our other Mac´s are doing.
  Doc

  thanks for your response. The ssh is coming in from the wan, which is via the wic-1 adsl card through the NAT and then to a lan port to the server. I tried the config you gave but it shut off all access to the internet - but maybe I did something wrong. Also, for the line:
  permit tcp ALLOWED_HOSTS LAN_NETWORK eq 22
  the router told me this was incomplete.
  The config I used was:
  ip access-list extended DENY_SSH
  permit tcp 0.0.0.0 eq 22 any
  deny tcp any any eq 22
  permit ip any any
  int dialer0
  ip access-group DENY_SSH in
  Thanks for any further advice.

• Route decisions based on destination TCP port with EIGRP

  Need information and plausibility on making routing decisions within EIGRP based on different destination TCP port.  I have a third party partner that we communicate too and they are adding a second location which we will connect too.  They are wanting to use the same destination host IP but make route decision based on destination TCP port; i.e. if we target tcp 6123 they want us to route down link A to site A, if we target tcp 7123 we would route down link B to site B.  I have never had to make that happen so I am looking into whether it actually can and if so what is basic configuration to pursue.  We use static IP routes to/from them today and will in the future at the edge, those are distributed internally to our EIGRP.  Can EIGRP make decisions based on IP and Port?

  No routing protocol makes decisions based on port number as far as I know.
  You need to look into PBR (Policy Based Routing) for this where you can use acls to define the route that traffic takes.
  Depending on your connections you may well need to use tracking as well but it depends.
  If the only reason to use EIGRP is for these connections you probably don't need it as with PBR you are overriding the routing table anyway but you may want to run it for other connectivity.
  If you do a search on PBR you should find quite a few examples but if you get stuck then by all means come back.

• How do you Redistribution EIGRP into OSPF and maintain a distance of 250 for a static route?

  Ok, I have scoured the forums long enough and have to post. The design is below. I moved a firewall to our new data center, which required adding some static routes for VPN connections and broadband backups. To minimize the amount of static routes I redistribute static into EIGRP with a route-map and prefix-list.
  My problem is the next part of my network. When the data leaves my 56128's it hits an edge device connecting to our dark fiber. On this edge device I am running OSPF onto the dark fiber, then redistribute some EIGRP subnets into OSPF and again all is well.
  Everything works up until the point the redistributed routes hit my RIB at my main data center where I am running IBGP. IBPG is run between our MPLS router and core for all our remote sites. When my backup route from the 56128's hits the cores, it supersedes the BGP route because the AD route O E2 [110/20] is lower than the BGP AD B [200/0]. Given the configuration below what can be done to remedy this? Oh when I redistribute I can only change the AD for the backup routes, all other routes should stay the same.
  56128's where my static routes are:
  ip route 192.168.101.0/24 192.168.30.77 name firewall 250
  router eigrp 65100
     redistribute static route-map Static-To-Eigrp
  route-map Static-To-Eigrp permit 10
     match ip address prefix-list Static2Eigrp
  ip prefix-list Static2Eigrp seq 2 permit 192.168.101.0/24
  Edge device:
  router eigrp 65100
   network 172.18.0.5 0.0.0.0
   network 172.18.0.32 0.0.0.3
   network 172.18.0.36 0.0.0.3
   redistribute ospf 65100 metric 2000000 0 255 1 1500
   redistribute static metric 200000 0 255 1 1500 route-map STATICS_INTO_EIGRP
   passive-interface default
   no passive-interface Port-channel11
   no passive-interface Port-channel12
   eigrp router-id 172.18.0.5
  router ospf 65100
   router-id 172.18.0.5
   log-adjacency-changes
   redistribute eigrp 65100 subnets route-map EIGRP_INTO_OSPF
   passive-interface default
   no passive-interface GigabitEthernet1/0/1
   no passive-interface GigabitEthernet1/0/2
   no passive-interface GigabitEthernet2/0/1
   no passive-interface GigabitEthernet2/0/2
   network 172.18.0.0 0.0.255.255 area 0
  ip prefix-list EIGRP_INTO_OSPF seq 5 permit 172.18.0.0/16 le 32
  ip prefix-list EIGRP_INTO_OSPF seq 10 permit 192.168.94.0/29 le 32
  ip prefix-list EIGRP_INTO_OSPF seq 15 permit 192.168.26.32/29 le 32
  ip prefix-list EIGRP_INTO_OSPF seq 20 permit 192.168.30.72/29 le 32
  ip prefix-list EIGRP_INTO_OSPF seq 25 permit 192.168.20.128/25 le 32
  ip prefix-list EIGRP_INTO_OSPF seq 26 permit 192.168.101.0/24 le 32 <- Backup Route for MPLS Remote Office
  route-map EIGRP_INTO_OSPF permit 10
   match ip address prefix-list EIGRP_INTO_OSPF

  So in the case of a /24. If it were say broken up into /25's? From our remote sites we are using aggregate-address summary-only. Not sure how I would advertise a more specific route via BGP, sorry.
  I didnt have this problem until I moved my firewalls. They plugged into the cores where IBGP was running and the static never kicked in unless the bgp route disappeared. I guess I could use my static redistribution for my VPN sites and use statics across the cores for the handful of backup links I have.

• Multiple instances of EIGRP or static routes

  I'm building a network which needs to have All but one of it's private networks pass through a DMVPN, all the routes are advertised through EIGRP, that part works great!
  I have a private VLAN that only has access onto the internet, the address is Nat'ed over to a public IP address. Each router, there's six of them, are neighbors to two other routers. The furthest router to the internet has to go through three routers to get to the internet. My current idea is to use static routes on all the routers to the Internet gateway router. Then let recursive routing sort out each hop. What I would rather do is have EIGRP do all that. I really don't want to mess with the EIGRP that's running for the DMVPN tunnels, I'd like to have another instance of EIGRP run on the routers that will route the users to the Internet.
  Does anyone have any thoughts concerning this design.
  Thanks.
  Mitch

  Mitch
  I am not clear about what you are attempting to achieve and not very clear about the topology. So my answer may or may not be on target. If it is not perhaps you can help us understand a little better what is involved.
  I believe that what you are saying is that you have an existing network with multiple locations connected over DMVPN and that you run EIGRP as the routing protocol for that network. I believe you are also saying that there is one network segment which needs access to the Internet but should not be able to access the other parts of your network.
  You say that the address of this other segment is NATed but are not clear whether the translation is ont the router where the segment is located or is on the Internet gateway router.
  Probably the traditional solution for this would be to provide a default route for this segment pointing toward the Internet gateway router, to have a route on the Internet gateway router (and other routers along the path toward where the network is located), and a series of access lists on each router along the way which allows passage to the Internet and denies access to local resources.
  I would propose a somewhat different solution. I believe that it would work if you configure a GRE tunnel between the router where the segment is located and the Internet Gateway router. On the router where the segment is located you could do Policy Based Routing to send traffic from the private segment to the Internet over the GRE tunnel (which effectively isolates it from your other resources). You might want Policy Based Routing on the Internet gateway router to be sure that traffic from the private segment was forwarded only to the Internet (though you might not need that). The Internet gateway router could have a route (probably a static route) which sends traffic to the private segment over the GRE tunnel.
  Let us know what you think of this. And if it is off the mark perhaps you could clarify a bit.
  HTH
  Rick

• Can OS X Server 10.6 reverse proxy be setup to route port traffic 5003 (FileMaker Server) to 2 seperate servers (FM 11 and FM 12)?

  Can OS X Server 10.6 reverse proxy be setup to route port traffic 5003 (FileMaker Server) to 2 seperate servers (FM 11 and FM 12)?

  In your scenario, how is the 'OS X 10.6 Server' supposed to identify which FM machine to proxy the connection to?
  The FM client uses a proprietary protocol, so it's not something simple like HTTP.  Off hand I don't know of any way the server can accept arbitrary connections on port 5003 and know which FM server to relay it to.
  Two options come to mind. One is to nix the OS 10.6 Server altogether - I don't understand this machine's purpose in your network - the second is to setup different ports on the OS X 10.6 Server machine and map each port to a different FM server, e.g. 5003 -> FM11, 5004 -> FM12, then you configure the remote client to connect to a different port number based on the server they want to connect to. I haven't used FM client in a long time to know if this is supported on the client side, but I'm guessing it is.
  Either way, using a proprietary protocol, there's no way for the proxy machine to be able to filter the traffic on any given ports.

• Routing issue. EIGRP/Static's Vlans... eek

  First, I have minimal experience with Routing Layer3.
  Just some Vlan Layer3 stuff, but nothing like this...I'm sure some of you recognize me from some Vlan, HSRP, and port-security stuff...
  I notice when I try to get to this 228.5 address, it takes
  quite a while. Here is the tracert:
  C:\Documents and Settings\sk>tracert 200.1.228.5
  Tracing route to 200.1.228.5 over a maximum of 30 hops
  1 1 ms 1 ms 1 ms 200.2.131.1
  2 <1 ms <1 ms <1 ms 200.2.129.37
  3 1043 ms 627 ms 648 ms 10.22.103.2
  4 617 ms 710 ms 630 ms 200.1.225.246
  5 651 ms 620 ms 624 ms 200.1.225.245
  6 661 ms 637 ms 642 ms 200.1.228.5
  7 * * * Request timed out.
  8 * ^C
  Yet when I tracert 228.2 in the same network, I get:
  C:\Documents and Settings\sk>tracert 200.1.228.2
  Tracing route to 200.1.228.2 over a maximum of 30 hops
  1 1 ms 3 ms 1 ms 200.2.131.1
  2 <1 ms <1 ms <1 ms 200.2.129.36
  3 <1 ms <1 ms <1 ms 200.1.228.2
  4 1 ms <1 ms <1 ms 200.1.228.2
  Trace complete.
  That 200.2.131.1 address is VLAN12 on a Layer3 switch.
  We have a few Layer3's, but this switch has the highest
  standby priority...
  This is a 'sh ip route' from the Layer3
  LAY3#sh ip route | include 200.1.228.0
  200.1.228.0/24 is variably subnetted, 3 subnets, 3 masks
  S 200.1.228.0/24 [1/0] via 200.1.228.64
  Now, I don't have access to the 228.64 Router, but shouldn't
  this routing be done via the Layer3?
  Eek, this stuff probably isn't nearly enough info for you guys
  to make an educated guess. But can someone explain to me the
  possible scenerios on why the tracert would take two different paths for two different IP's in the same network?

  You are correct that there is not enough here to really determine what is causing this. I notice that while both destination addresses may be in the same subnet that after the first hop they are taking different paths through the network. If you want to investigate this I suggest that you start at 200.2.131.1. Do more than show ip route include 200.1.228.0. It would be interesting to see the results for show ip route 200.1.228.5 and the results for show ip route 200.1.228.2.
  It certainly looks like that device has multiple routes. It could be because there are static routes somewhere, it could be that there are mismatches in the subnet mask being advertised by some devices. It could be that the switch has two equal cost paths to that subnet and is doing per destination load sharing.
  And you are making an assumption that both addresses are in the same subnet. In fact if some were to configure those addresses with a /30 mask (255.255.255.252) they would be in different subnets.
  HTH
  Rick

• I have a 2T apple time capsule and router. I bought a Hauppauge WinTV extender which allows regular TV to be broadcasted on a PC. The program allows streaming to a Mac or iPad, iPhone, etc. I need to open a port on the router to allow this to work.

  I have a 2T apple time capsule and router. I bought a Hauppauge Win TV extender which allows TV to be broadcasted on a PC. The program allows for the TV to be streamed on a Mac, Iphone, Ipad. I need to access the router set up options to open a port on the router to allow this program to stream the TV to the Mac and Iphone. I do not know how to access the apple time capsule router to change the settings to open a port on the router. help please.

  Firstly you do not need to open ports to stream locally.. there is no port block in local LAN.. only WAN to LAN. So there is a good chance it is not needed at all..
  Opening ports on the TC I strongly recommend a v5 airport utility.. you can download one for windows if you don't have a Mac.. iOS version of the utility I am not sure but it will not work to do complex things.
  In the v5 utility go to the NAT area, and click on port mappings.
  Sorry I don't have a screen shot at the moment of the actual mapping page.. but simply put the IP of the device you want opened and the port.
  There are plenty of posts with this info if you google.
  But as noted.. this is purely WAN to LAN.. nothing else.

• Best way to acquire data from both serial port and D/A board in real time?

  In my experiment, I have 2 kinds of data: analog and digital. Now, I have to write a programme to acquire both data not only in real time but also in sychronicity. My colleague tried to write a program for this purpose. However, the digital part was failed. For example, the data length found from "data buffer" is correct in the first 10 seconds; however, the format became wrong later.
  Is it one program involved two different data acquisition methods? 

  Hi,
  You need to figure out when the serial port sample occured by some technique and then obtain the equivalent sample from the aquisition board, probably from a circular buffer. If you know the sample rate (pretty implicit really) you can 'cherry pick' the appropriate measurement from the buffer to be synchronus with the serial port measurement.

• Nexus 5548 and Define static route to forward traffic to Catalyst 4500

  Dear Experts,
  Need your technical assistance for the Static routing in between Nexus 5548 and Catalyst 4500.
  Further I connected both Nexus 5548 with Catalyst 4500 as individual trunk ports because there is HSRP on Catalyst 4500. So I just took 1 port from each nexus 5548, make it trunk with the Core Switch (Also make trunk from each Switch each port). Change the speed on Nexus to 1000 because other side on Catalyst 4500 line card is 1G RJ45.
  *Here is the Config on Nexus 5548 to make port a Trunk:*
  N5548-A/ N5548-B
  Interface Ethernet1/3
  Switchport mode trunk
  Speed 1000
  Added the static route on both nexus for Core HSRP IP: *ip route 0.0.0.0/0 10.10.150.39 (Virtual HSRP IP )*
  But I could not able to ping from N5548 Console to core Switch IP of HSRP? Is there any further configuration to enable routing or ping?
  Pleas suggest

  Hello,
  Please see attached config for both Nexus 5548. I dont have Catalyst 4500 but below is simple config what I applied:
  Both Catalyst 4500
  interface gig 3/48
  switchport mode trunk
  switchport trunk encap dot1q
  On Nexus 5548 Port 1/3 is trunk
  Thanks,
  Jehan

• Real time routing

  I want to know please, if MapViewer can be used for real time navigation and/or deployed in a GPS navigation device

  Certainly mapviewer can be used for gps.  They provide a good example within their demos/tutorials (for tracking).  I have built GPS applications previously, and depending upon configuration believe it could be useful for local configuration as well.

• Need Help for configuring Floating static route in My ASA.

  Hi All,
  I need your support for doing a floating static route in My ASA.
  I have tried this last time but i was not able to make it. But this time i have to Finish it.
  Please find our network Diagram and configuration of ASA
  route outside 0.0.0.0 0.0.0.0 6.6.6.6 1 track 1
  route outside 0.0.0.0 0.0.0.0 6.6.6.6 1
  route rOutside 0.0.0.0 0.0.0.0 3.3.3.3 10
  route inside 10.10.4.0 255.255.255.0 10.10.3.1 1
  route inside 10.10.8.0 255.255.255.0 10.10.3.1 1
  route inside 10.10.9.0 255.255.255.0 10.10.3.1 1
  route inside 10.10.15.0 255.255.255.0 10.10.3.1 1
  route rOutside x.x.x.x 255.255.255.255 5.5.5.5 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 10.10.3.77 255.255.255.255 inside
  http 10.10.8.157 255.255.255.255 inside
  http 10.10.3.59 255.255.255.255 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  sla monitor 123
  type echo protocol ipIcmpEcho 8.8.8.8 interface outside
  num-packets 3
  frequency 10
  sla monitor schedule 123 life forever start-time now
  crypto ipsec transform-set cpa esp-3des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map vpn_cpa 1 match address acl_cpavpn
  crypto map vpn_cpa 1 set peer a.a.a.a
  crypto map vpn_cpa 1 set transform-set abc
  crypto map vpn_cpa 1 set security-association lifetime seconds 3600
  crypto map vpn_cpa interface outside
  crypto isakmp identity address
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  crypto isakmp policy 65535
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  track 1 rtr 123 reachability
  telnet 10.10.3.77 255.255.255.255 inside
  telnet 10.10.8.157 255.255.255.255 inside
  telnet 10.10.3.61 255.255.255.255 inside
  telnet timeout 500
  ssh timeout 5
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics port
  threat-detection statistics protocol
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ntp server 10.10.3.14
  webvpn
  tunnel-group .a.a.a.a ipsec-attributes
  pre-shared-key *
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny 
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
  inspect sip 
    inspect xdmcp
  service-policy global_policy global
  smtp-server 10.10.5.11
  prompt hostname context
  Cryptochecksum:eea6e7b6efe5d1a180439658c3912942
  : end
  i think half of the configuration stil there in the ASA.
  Diagram.
  Thanks
  Roopesh

  You have missed the last command in your configuration, Please check it again
  route ISP1  0.0.0.0 0.0.0.0 6.6.6.6 track 1
  route ISP2   0.0.0.0 0.0.0.0 3.3.3.3
  sla monitor 10
  type echo protocol ipIcmpEcho 8.8.8.8 interface ISP1
  num-packets 3
  frequency 10
  sla monitor schedule 123 life forever start-time now
  track 1 rtr 123 reachability
  You can do NAT in same way, here the logical name of the interface will be different.
  Share the result
  Please rate any helpful posts.

• Is it possible in IOS to have two static routes for the same subnet, one a higher priority and "failover" between the 2?

  Hi All
  Is it possible in IOS to have for a particular subnet:
  a) Two static routes?
  b) Make one static route a higher priority than the other?
  c) If one static router "goes down", failover to the lower priority static route?
  We have a l2tp/vpdn connection to a supplier which can be accessed via two vlans/routes. I would like to make one route the preferred one but the "route" to failover if the preferred route goes down.
  Again, many thanks in advance for all responses!
  Thanks
  John

  Hi John,
  Hope the below explaination will help you...
  R1(config)# ip route 0.0.0.0 0.0.0.0 2.2.2.2
  R1(config)# ip route 0.0.0.0 0.0.0.0 3.3.3.3 10
  If you notice the Administrative Distance for the secondary route pointing to ISP2 is increased to 10 so that it becomes the backup link.
  The above configuration with just two floating static routes partially accomplishes our requirement as it will work only in the scenario where the routers interfaces connected to the WAN link are in up/down or down/down status. But in a lot of situations we see that even though the links remain up but we are not able to reach the gateway, this usually happens when the issue is at the ISP side.
  In such scenarios, IP SLAs becomes an engineer's best friend. With around six additional IOS commands we can have a more reliable automatic failover environment.
  Using IP SLA the Cisco IOS gets the ability to use Internet Control Message Protocol (ICMP) pings to identify when a WAN link goes down at the remote end and hence allows the initiation of a backup connection from an alternative port. The Reliable Static Routing Backup using Object Tracking feature can ensure reliable backup in the case of several catastrophic events, such as Internet circuit failure or peer device failure.
  IP SLA is configured to ping a target, such as a publicly routable IP address or a target inside the corporate network or your next-hop IP on the ISP's router. The pings are routed from the primary interface only. Following a sample configuration of IP SLA to generate icmp ping targeted at the ISP1s next-hop IP.
  R1(config)# ip sla 1
  R1(config)# icmp-echo 2.2.2.2 source-interface FastEthernet0/0
  R1(config)# timeout 1000
  R1(config)# threshold 2
  R1(config)# frequency 3
  R1(config)# ip sla schedule 1 life forever start-time now
  The above configuration defines and starts an IP SLA probe.
  The ICMP Echo probe sends an ICMP Echo packet to next-hop IP 2.2.2.2 every 3 seconds, as defined by the “frequency” parameter.
  Timeout sets the amount of time (in milliseconds) for which the Cisco IOS IP SLAs operation waits for a response from its request packet.
  Threshold sets the rising threshold that generates a reaction event and stores history information for the Cisco IOS IP SLAs operation.
  After defining the IP SLA operation our next step is to define an object that tracks the SLA probe. This can be accomplished by using the IOS Track Object as shown below:
  R1(config)# track 1 ip sla 1 reachability
  The above command will track the state of the IP SLA operation. If there are no ping responses from the next-hop IP the track will go down and it will come up when the ip sla operation starts receiving ping response.
  To verify the track status use the use the “show track” command as shown below:
  R1# show track
  Track 1
  IP SLA 1 reachability
  Reachability is Down
  1 change, last change 00:03:19
  Latest operation return code: Unknown
  The above output shows that the track status is down. Every IP SLAs operation maintains an operation return-code value. This return code is interpreted by the tracking process. The return code may return OK, OverThreshold, and several other return codes.
  Different operations may have different return-code values, so only values common to all operation types are used. The below table shows the track states as per the IP SLA return code.
  Tracking
  Return Code
  Track State
  Reachability
  OK or over threshold
  (all other return codes)
  Up
  Down
  The Last step in the IP SLA Reliable Static Route configuration is to add the “track” statement to the default routes pointing to the ISP routers as shown below:
  R1(config)# ip route 0.0.0.0 0.0.0.0 2.2.2.2 track 1
  R1(config)# ip route 0.0.0.0 0.0.0.0 3.3.3.3 10
  The track number keyword and argument combination specifies that the static route will be installed only if the state of the configured track object is up. Hence if the track status is down the secondary route will be used to forward all the traffic.
  Please rate the helpfull posts.
  Regards,
  Naidu.