Router management traffic using loopback0

OK, I have been out of it for a while, and now it is kicking me.
Problem: I have to install a router in a network, with some restrictions:
all things like SNMP, TACACS, RADIUS, NTP etc. must be set up to use loopback0 as the source.
This is on a 2811 router. The current setup has 10.0.0.0/24 as the management network,
the rest of the 10 network used for testing, along with 192.168. and the 172 network.
All are NAT behind the router.
The problem I have been having is setting up the loopback as IP 10.0.0.250 and being able to get it to talk with the rest of the management network on VLAN 999.
The router is set up with 192.168.0.19/24 on FE0/1, and a commercial IP on FE0/0.
It also has a 4-port switch card installed.
I tried setting up FE0/3/0 connected to VLAN 999, no IP, with a route set to point 10.0.0.0/24 to VLAN 999,
but none of the management stuff is getting out to the rest of the management network.
Any suggestions?
Thanks

Denis
There are a couple of things that could produce the symptoms that you describe. First I would check to verify that the multilink is being advertised in EIGRP: does router A1 see router B as a neighbor and does router B see router A1 as a neighbor? Does either router have a passive interface statement that could affect routing? Does either router have a distribute list that could affect routing?
If the multilink is working and routes are being advertised over it then it implies that the router is choosing the path over the T1s based on metrics. Check all of the interfaces and see whether the multilink has a quite low bandwidth or a very high delay and check the T1s for their bandwidth and delay parameters.
If that has not given us the answer then perhaps some more detail from the routers might help us. Could you post the output of show ip interface from each router? And maybe the output of show ip protocol?
HTH
Rick

Similar Messages

  • Routing traffic using 2 interfaces

    My question is: what's the best solution for routing internet traffic out one interface and production and management traffic out another interface, using a Cisco ISR 2900?

    You can use PBR.
    Here are 2 documents with examples:
    http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpbr_ps1835_TSD_Products_Configuration_Guide_Chapter.html
    https://supportforums.cisco.com/docs/DOC-1634
    HTH

  • CoPP and management traffic

    Good afternoon fellow Ciscorians.
    I have configured a CoPP policy to rate limit ICMP traffic and fragmented traffic from saturating the RP via the control-plane and also ignore the same traffic class from our trusted IP addresses. But I am wondering about management traffic such as telnet and SSH. We have an access list on the VTY lines dropping traffic from un-trusted sources on 22+23. I am wondering what the benefits are of employing a CoPP policy as well as the access-list on the VTY lines?
    Could an attack still saturate the RP with an access-list dropping the un-trusted traffic on the VTY lines? (6509-Sup720)
    Matthew.

    Hi Matthew,
    An access-list applied on an interface is applicable to all traffic, data traffic (transit traffic) and control-plane traffic (destined to the router or punted to the RP), while CoPP is only applicable to traffic punted to the RP.
    An access list will either permit or drop, but CoPP is a service-policy and you can rate-limit the traffic. So if we take the example of ICMP traffic, and the requirement is that we want to allow ICMP traffic to the router (ICMP is a useful tool to check reachability and latency) but not more than 500kbps (to avoid any DDoS attack), in this case blocking ICMP with an ACL on the interface will not solve the purpose but CoPP will do the job.
    If you are blocking some traffic via ACL, it should not saturate the RP.
    Regards,
    Akash
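
The permit-or-drop versus rate-limit distinction in the reply above comes down to what a policer does with traffic that an ACL would simply permit. The following is an added example, not code from the thread: a single-rate token-bucket policer in Python set to the 500 kbps figure from the reply. The burst size, packet sizes and packet rates are assumptions chosen for illustration.

```python
# Model of "conform -> transmit, exceed -> drop" policing at 500 kbps.
# Integer arithmetic only, so the result is exact and repeatable.

SCALE = 8_000_000  # one byte of credit, expressed in bit-microseconds


class Policer:
    """Single-rate, two-colour token bucket."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate_bps = rate_bps
        self.capacity = burst_bytes * SCALE
        self.credit = self.capacity  # bucket starts full
        self.last_us = 0

    def conforms(self, now_us, size_bytes):
        # Refill for the elapsed time, never beyond the burst size.
        elapsed = now_us - self.last_us
        self.credit = min(self.capacity, self.credit + elapsed * self.rate_bps)
        self.last_us = now_us
        cost = size_bytes * SCALE
        if cost <= self.credit:
            self.credit -= cost
            return True   # conform: packet reaches the RP
        return False      # exceed: packet is dropped before the RP


def simulate(pps, size_bytes, seconds, rate_bps=500_000, burst_bytes=15_625):
    """Offer evenly spaced packets to a fresh policer and count what passes.

    burst_bytes=15_625 (250 ms at 500 kbps) is an assumed value.
    """
    policer = Policer(rate_bps, burst_bytes)
    sent = pps * seconds
    passed = sum(
        policer.conforms(i * 1_000_000 // pps, size_bytes) for i in range(sent)
    )
    return {
        "sent": sent,
        "passed": passed,
        "passed_kbps": passed * size_bytes * 8 // (seconds * 1000),
    }


if __name__ == "__main__":
    # Constructed workloads: routine reachability checks vs. an 8 Mbps flood.
    print("monitoring pings:", simulate(pps=10, size_bytes=100, seconds=10))
    print("icmp flood      :", simulate(pps=1000, size_bytes=1000, seconds=10))
```

The light load passes untouched, while the flood is held to roughly the configured rate plus the initial burst, which an interface ACL cannot do without blocking ICMP outright.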

  • VLAN for Management Traffic

    Hello Everyone,
    I'm still learning Cisco and networks in general but I need to separate management traffic from the regular network. The switch is a Cisco Catalyst 5406-E. My question is: do I need to create a new subnet for the VLAN and how would I do that? The commands I have to create a VLAN and add the switch ports are
    Switch(config)# vlan 15
    switch(config-vlan)# name Management
    switch(config)# interface GigabitEthernet2/6
    switch(config-if)# switchport access vlan 15
    Now this creates vlan 15 and adds the GE 2/6 interface to vlan 15.  How do I add it to a new subnet?  Am I going in the right direction?

    In general, if you want to use a separate VLAN for management, you can create a VLAN + SVI (routed interface of the VLAN) with an IP address + some access list on the SVI and VTY (“SSH/telnet lines”) for better security.
    Example:
    ! ==== C4500 - L3 SWITCH CONFIG ====
    ! create VLAN 15
    vlan 15
     name MGMT
    ! create access list with IP addresses from which management of all switches with SVI 15 will be accessible
    ! Note: this access list (ACL) does not control access to management of the L3 switch/router where the ACL is applied on the SVI, only to all other switches in VLAN 15 that have their default gateway set to IP address 10.0.15.1 (see next step)
    ip access-list extended MGMT_SWITCH
     remark ====ICMP====
     permit icmp any 10.0.15.0 0.0.0.255
     remark ====ADMIN====
     permit ip 10.0.1.0 0.0.0.255 10.0.15.0 0.0.0.255
     remark ====MONITORING-SERVERS====
     permit ip 10.0.100.0 0.0.0.255 10.0.15.0 0.0.0.255
     remark ====NTB-SERVICE====
     permit ip 10.0.200.0 0.0.0.255 10.0.15.0 0.0.0.255
    ! create SVI/interface of VLAN 15, add IP address and assign access list
    ! Note: DO NOT assign an empty access list to the interface, it can make your router inaccessible!
    interface Vlan15
     description MGMT
     ip address 10.0.15.1 255.255.255.0
     ip access-group MGMT_SWITCH out
    ! create ACL for the VTY lines of the L3 switch/router; this ACL controls access only to management of the L3 switch, access to all other switches with SVI 15 is controlled by the previous ACL
    ip access-list standard VTY
     remark ====ADMIN====
     permit 10.0.1.0 0.0.0.255
     remark ====MONITORING-SERVERS====
     permit 10.0.100.0 0.0.0.255
     remark ====NTB-SERVICE====
     permit 10.0.200.0 0.0.0.255
    ! assign ACL to VTY lines
    line vty 0 4
     access-class VTY in
    ! ==== OTHER L2-ONLY SWITCHES CONFIG ====
    ! create VLAN 15
    vlan 15
     name MGMT
    ! create SVI 15
    interface Vlan15
     description MGMT
     ip address 10.0.15.50 255.255.255.0
    ! set default gateway/default route to SVI of C4500
    ip default-gateway 10.0.15.1
    ! some higher-level switches require use of the following CLI parameters instead:
    ip routing
    ip route 0.0.0.0 0.0.0.0 10.0.15.1
    This is just one of many ways to do the management separation.
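
The split between the two ACLs in the answer above (MGMT_SWITCH on the SVI for the other switches, VTY for the L3 switch itself) can be checked offline before the config is applied. The following is an added example, not part of the original post: a small Python evaluator that runs the post's ACL entries with first-match semantics, wildcard masks and the implicit deny. The function names and the source addresses tested are made up for illustration, and only the entry forms used in this config are parsed.

```python
import ipaddress

# ACL entries copied from the config in the post above (remarks omitted).
MGMT_SWITCH = """\
permit icmp any 10.0.15.0 0.0.0.255
permit ip 10.0.1.0 0.0.0.255 10.0.15.0 0.0.0.255
permit ip 10.0.100.0 0.0.0.255 10.0.15.0 0.0.0.255
permit ip 10.0.200.0 0.0.0.255 10.0.15.0 0.0.0.255
"""
VTY = """\
permit 10.0.1.0 0.0.0.255
permit 10.0.100.0 0.0.0.255
permit 10.0.200.0 0.0.0.255
"""
ANY = (0, 0xFFFFFFFF)


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def _take_addr(tokens):
    """Consume 'any', 'host A', 'A WILDCARD' or a bare 'A'; return (base, wildcard)."""
    head = tokens.pop(0)
    if head == "any":
        return ANY
    if head == "host":
        return _to_int(tokens.pop(0)), 0
    wildcard = tokens.pop(0) if tokens else "0.0.0.0"
    return _to_int(head), _to_int(wildcard)


def _match(addr, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # a 1 bit in the wildcard means "don't care"
    return (_to_int(addr) & care) == (base & care)


def parse_acl(text, extended):
    """Turn ACL lines into (action, protocol, source, destination) tuples."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        action = tokens.pop(0)
        proto = tokens.pop(0) if extended else "ip"
        src = _take_addr(tokens)
        dst = _take_addr(tokens) if extended else ANY
        rules.append((action, proto, src, dst))
    return rules


def evaluate(rules, src, dst="0.0.0.0", proto="tcp"):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, rule_proto, rule_src, rule_dst in rules:
        if rule_proto not in ("ip", proto):
            continue
        if _match(src, rule_src) and _match(dst, rule_dst):
            return action
    return "deny"


def reachability(src, l2_switch="10.0.15.50"):
    """What one routed source may do under the two ACLs."""
    svi = parse_acl(MGMT_SWITCH, extended=True)
    vty = parse_acl(VTY, extended=False)
    return {
        "ssh_to_l2_switch": evaluate(svi, src, l2_switch, "tcp"),
        "ping_l2_switch": evaluate(svi, src, l2_switch, "icmp"),
        "ssh_to_l3_vty": evaluate(vty, src),
    }


if __name__ == "__main__":
    # Constructed sources: one in the ADMIN range, one outside every permitted range.
    for source in ("10.0.1.20", "10.0.50.7"):
        print(source, reachability(source))
```

Run against the post's entries, it shows that any routed source can ping hosts in VLAN 15, while everything else is limited to the three listed subnets.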

  • Mountain Lion Server VPN unable to route internet traffic

    Hi! I have set up a VPN server on my home network specifically so that I could connect via a VPN client remotely and tunnel all internet traffic through my home network (It is a long story but I need to be able to access services that are specific to my home IP . . . ) I have been tearing my hair out trying to get it work but can not. The VPN connection happens OK and I can set up the remote client to send all traffic via VPN but any internet traffic just times out . . . In other words I can not get the server to share my home network via the VPN connection.

    Hi and thanks for taking the time to answer.
    As I am sure you have guessed I don't have much experience or knowledge with this. So I will try to clarify what I am trying to do.
    I do not need a VPN server for the conventional reasons of being able to access a private network (i.e my home network) remotely, although this is a nice additional benefit. I need the VPN server so that I can log in remotely (when I am using my mobile broadband or when I am overseas for example) and make it look like the machine I am using is on my home network.
    The reason for this is that I have access to web services that are IP specific. That is I can ONLY log in if I am logging in from my registered home IP (which is static for this exact reason).
    I have been told on similar support sites that if I route ALL traffic through the VPN, then when I use my browser on the remote machine all web traffic will go through the VPN as well and it will look like the traffic is coming from the subnet of my home IP.
    I guess in other words I am trying to use my VPN as an "anonymous" proxy (anonymous in the sense that although the traffic is coming from somewhere else, it still looks like it is coming from my home IP).
    I know this will cripple the speed due to the narrow upstream bandwidth but I am willing to pay this price.
    Now as for your questions:
    I have the server set up on a machine on my home subnet and I have enabled VPN port forwarding on the ADSL router.
    I know the connection happens as when I connect the VPN either from my iPhone using 4G or my laptop using my mobile broadband I get the "connecting . . . authenticating . . . connected" messages and when I check in properties it shows it to be connected to my home IP as VPN server and has an IP address that looks like it is on my home subnet.
    By internet traffic timing out I meant web traffic.
    As I mentioned above, I need all web traffic to go through the VPN. So indeed not ALL traffic but definitely ALL web traffic. The only way I could find to do this is to enable the "Send all traffic" option.
    Now I guess the obvious question is why am I not using a proxy. I have tried (and spent ages setting up Squid) but could never get it to "hide" the true origin of the traffic completely.
    Now having written all this, I reinstalled mountain lion and server yesterday (out of sheer frustration rather than anything else) and it seems to work this morning. So if I log in via VPN on my mobile or laptop and use an IP checker on the web it comes up with my home IP : ))
    The only thing I have now noticed is that if the VPN server stops working (which seems to be as soon as the computer I run it on goes to sleep) web traffic reverts to using the normal channels which is potentially problematic for me.
    So my questions now are -
    Any ideas what I was doing wrong in the first place?
    Any suggestions on how I could set this up better?
    Any way to set up the remote device so that it only allows web traffic via VPN (so that if the VPN connection drops, it is unable to use its own internet connection for continuing web traffic)?
    Thanks for any suggestions : )
    Cheers

  • Not able to connect with managed server using ssl connection

    Hi Guys,
    My WebLogic server is running on Linux. I have set up an SSL connection by using Demo Identity and Demo Trust. In the server logs I can find the following information that the server is running on the secure port.
    But once I try to connect to the managed server using a client I am facing the below error:
    <May 27, 2013 2:55:00 PM IST> <Info> <Security> <BEA-090905> <Disabling CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true>
    <May 27, 2013 2:55:00 PM IST> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true>
    <May 27, 2013 2:55:00 PM IST> <Info> <Security> <BEA-090908> <Using default WebLogic SSL Hostname Verifier implementation.>
    javax.naming.CommunicationException [Root exception is java.net.ConnectException: t3s://host:port: Destination unreachable; nested exception is:
         javax.net.ssl.SSLHandshakeException: General SSLEngine problem; No available router to destination]
         at weblogic.jndi.internal.ExceptionTranslator.toNamingException(ExceptionTranslator.java:40)
         at weblogic.jndi.WLInitialContextFactoryDelegate.toNamingException(WLInitialContextFactoryDelegate.java:767)
         at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:366)
         at weblogic.jndi.Environment.getContext(Environment.java:315)
         at weblogic.jndi.Environment.getContext(Environment.java:285)
         at weblogic.jndi.WLInitialContextFactory.getInitialContext(WLInitialContextFactory.java:117)
         at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
         at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
         at javax.naming.InitialContext.init(InitialContext.java:242)
         at javax.naming.InitialContext.<init>(InitialContext.java:216)
         at com.akt.client.WLCLIENT.makeConnection(WLCLIENT.java:40)
         at com.akt.client.WLCLIENT.main(WLCLIENT.java:60)
    Caused by: java.net.ConnectException: t3s://host:port: Destination unreachable; nested exception is:
         javax.net.ssl.SSLHandshakeException: General SSLEngine problem; No available router to destination
         at weblogic.rjvm.RJVMFinder.findOrCreateInternal(RJVMFinder.java:216)
         at weblogic.rjvm.RJVMFinder.findOrCreate(RJVMFinder.java:170)
         at weblogic.rjvm.ServerURL.findOrCreateRJVM(ServerURL.java:165)
         at weblogic.jndi.WLInitialContextFactoryDelegate$1.run(WLInitialContextFactoryDelegate.java:345)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
         at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)
         at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:340)
         ... 9 more
    Caused by: java.rmi.ConnectException: Destination unreachable; nested exception is:
         javax.net.ssl.SSLHandshakeException: General SSLEngine problem; No available router to destination
         at weblogic.rjvm.ConnectionManager.bootstrap(ConnectionManager.java:470)
         at weblogic.rjvm.ConnectionManager.bootstrap(ConnectionManager.java:321)
         at weblogic.rjvm.RJVMManager.findOrCreateRemoteInternal(RJVMManager.java:260)
         at weblogic.rjvm.RJVMManager.findOrCreate(RJVMManager.java:197)
         at weblogic.rjvm.RJVMFinder.findOrCreateRemoteServer(RJVMFinder.java:238)
         at weblogic.rjvm.RJVMFinder.findOrCreateInternal(RJVMFinder.java:200)
         ... 15 more
    But in the server logs I can see the below message
    opt/Oracle/Middleware/wlserver_12.1/server/lib/DemoIdentity.jks.>
    <May 27, 2013 2:47:06 PM IST> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file /opt/Oracle/Middleware/wlserver_12.1/server/lib/DemoTrust.jks.>
    <May 27, 2013 2:47:06 PM IST> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file /opt/jdk1.7.0_21/jre/lib/security/cacerts.>
    <May 27, 2013 2:47:06 PM IST> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure" is now listening on hostname:port for protocols iiops, t3s, ldaps, https.>
    <May 27, 2013 2:47:06 PM IST> <Notice> <WebLogicServer> <BEA-000332> <Started the WebLogic Server Managed Server "Server-Test" for domain "base_domain" running in development mode.>
    Please suggest

    Welcome to OTN
    This section is related to Database questions, not Fusion Middleware. Post your question in
    Oracle Discussion Forums » Fusion Middleware

  • Cisco Model 870 router for home office connected to WRT160NL wireless router for personal use

    I am using a Cisco Model 870 router for home office. I just bought a WRT160NL wireless router for home use. I setup the personal wireless router off the personal port of the 870 and can connect with my PC but not with my MAC machines. It can see the Network but when it asks me for passwords, it says they are wrong, which after several attempts I know they are correct.
    The new router is setup as WPA2 personal. Can you advise?
    Cisco Account Manager- Services

    I think I answered my own question. I tried downloading something on my desktop and checked my cellular usage afterwards didn't go up so it's using my home internet and not my data plan.

  • How to manage traffic of livestreams or youtube

    Hi all,
    At the moment we are discussing how to control or limit traffic used by livestreams. At the moment there are many web pages with livestreams of the Olympic Winter Games and customers are facing very high traffic from HD videostreams.
    So we are now thinking about managing these videostreams by implementing some policies on the proxies.
    And we are alternatively thinking about how to restrict traffic of videostreams or YouTube video using ASA.
    I did not find anything in the knowledge base. Do you have any hints on how to manage this?
    Thank you in advance and best regards
    Vincent

    Just go through Manage application and Modify application and use reindex and full process.
    This normally should fix your issue.
    Regards
    Sorin Radulescu

  • Router Management Access when interface is down

    Hi,
    Please see the topology attached.
    We have a customer network with a number of routers/switches. We have a management network to manage devices via telnet/ssh.
    On switches we have a VLAN interface for switch management, while on routers we have sub-interfaces (802.1Q trunk, with encapsulation) connected back to the switch for the management.
    Problem:
    The customer has asked us to give them access to the routers/switches. We have given them telnet/ssh access via the management network. To access the router remotely the customer SSHes to the router (the sub-interface IP address F0/0.10 on the router), but when the router interface Fa0/0.10 is down (because the switch at the remote end is down), the customer cannot telnet/ssh to the router.
    How can I allow the customer to keep accessing the router while the sub-interface on the router is down (which they are telnetting to)? I am happy to change the router config, but not sure which bits.
    I can't create the loopback interface and assign the IP address to it from the management network, as the router sub-interface F0/0.10 already has an IP address from that subnet and the router gives an overlapping mask error message.
    I created a new loopback interface on the router and gave it the same IP as F0/0.10 and configured F0/0.10 as IP unnumbered loopback 0; it's not working either for me.
    Can I somehow configure the router to respond to telnet/ssh when the sub-interface is down? I am happy to move the addresses, create new interfaces, change routing etc., but I can't change the network subnet that is already assigned to the customer.
    Please see the topology attached.
    Any idea from anyone.
    Regards

    Thanks for your responses.
    I don't want to allocate a new subnet with /32 for the management as it will require many changes in the network, such as firewall etc.
    There will be a single switch connected to the router physical interface F0/0, but there will be multiple switches hanging off the first switch (all switches in VLAN 10, including router sub-interface F0/0.10).
    The customer will require access to both the switch(es) and the router. The customer understands that if the first switch (that physically connects to the router interface F0/0) fails, access to all other switches will also fail, which is acceptable. At this point we must have access to the router regardless of having lost access to the switch.
    The customer wants the router to be accessible even if the switch(es) are down, as at that point the router is fine and is still connected to the WAN network. The customer will lose access to the switch(es) but should not lose the router access.
    We have different IP subnets (VRFs) for the customer data network (LAN) and the router management, so I can't assign the router management IP address from the customer LAN subnet.
    Forgot to mention that we have three VRFs on the router (VRF-lite/multi-VRF): one for the customer data network, one for router management, one for switch(es) management.
    Fa0/0.10 is in the switch management VRF, while router Loopback 0 is in the router VRF.
    We have to maintain the VRFs to keep router and switch management traffic separate.
    The router is always accessible to us (not to the customer) via the router VRF, hence it is still available even if the router LAN management interface F0/0 is down.
    The customer loses access to both router and switch(es) if F0/0 is down.
    The only option I can see would be to allocate a new subnet for customer router management and assign this to a new loopback and put it under the switch management VRF.
    Regards

  • Can OS X Server 10.6 reverse proxy be set up to route port traffic 5003 (FileMaker Server) to 2 separate servers (FM 11 and FM 12)?

    Can OS X Server 10.6 reverse proxy be set up to route port traffic 5003 (FileMaker Server) to 2 separate servers (FM 11 and FM 12)?

    In your scenario, how is the 'OS X 10.6 Server' supposed to identify which FM machine to proxy the connection to?
    The FM client uses a proprietary protocol, so it's not something simple like HTTP.  Off hand I don't know of any way the server can accept arbitrary connections on port 5003 and know which FM server to relay it to.
    Two options come to mind. One is to nix the OS 10.6 Server altogether - I don't understand this machine's purpose in your network - the second is to setup different ports on the OS X 10.6 Server machine and map each port to a different FM server, e.g. 5003 -> FM11, 5004 -> FM12, then you configure the remote client to connect to a different port number based on the server they want to connect to. I haven't used FM client in a long time to know if this is supported on the client side, but I'm guessing it is.
    Either way, using a proprietary protocol, there's no way for the proxy machine to be able to filter the traffic on any given ports.

  • Management traffic to the ACE

    Do I need to explicitly define management traffic coming to the ACE module? I see in a lot of configurations that they allow management traffic in a special class to the ACE.
    Also, is it necessary to apply an access-list to the ACE module to accept traffic for the VIP? What if I do not use any access-list on the ACE, will the traffic go through?

    Yes you need to define allowed traffic to the ace. The ace acts as an implicit deny. It will block everything until you allow it. The first policy/class match that you should define is the management traffic class.
    access-list ALL line 8 extended permit ip any any
    class-map type management match-any remote_access
    2 match protocol xml-https any
    4 match protocol icmp any
    5 match protocol telnet any
    6 match protocol ssh any
    7 match protocol http any
    8 match protocol https any
    policy-map type management first-match remote_mgmt_allow_policy
    class remote_access
    permit
    interface vlan 121
    ip address
    access-group input ALL
    service-policy input remote_mgmt_allow_policy
    no shutdown

  • Change cipher strength for management traffic

    Hi All,
    I’m performing a new deployment for my customer on a C370 Ironport and my customer has an internal team performing a band test on the Ironport box. The results show that the management traffic (HTTPS) is only using medium strength traffic (56bits – 112bits) in which does not meet the compliance of the organization. From the knowledge base, I checked that our management traffic is using either RC4-SHA or RC4-MD5. Any way to change this to AES or 3DES?
    Besides that, in the band test, customer also notices that the box supports anonymous SSL ciphers. Any way to disable this?
    Thanks.

    Hi there,
    check out these articles:
    Article #1399: How can I alter what ciphers are used with the Graphical User Interface (GUI)? Can I disable SSL v2 for the GUI? Link: http://tools.cisco.com/squish/80676
    Article #1367: How do I prevent the IronPort appliance from negotiating null or anonymous ciphers? Link: http://tools.cisco.com/squish/3637E
    So to exclude low and anonymous ciphers, something like this would apply:
    HIGH:MEDIUM:-SSLv2:-aNULL:@STRENGTH
    Hope that helps,
    Andreas

  • Management traffic load over the WAN

    The management process (including monitoring and security) with the central WCS system will cause management traffic over the WAN links.
    Can you tell me more about the traffic load over the WAN links if we will use it only as a WiFi detection and prevention system (including location, and not for wireless services... for now)?
    We will use 150 AIR-AP1000 (LWAPP) in AIR-MONITOR mode over the WAN and 4400 controllers, one in each remote site (10 sites).

    I think the following documents might provide you with some good information.
    http://www.cisco.com/en/US/products/ps6305/products_configuration_guide_chapter09186a008059c98b.html
    http://www.cisco.com/en/US/products/ps6305/products_configuration_guide_chapter09186a008059ca16.html

  • Routing VLAN traffic

    Is it possible to route VLAN traffic?
    We have two buildings, each with several Catalyst 2950s and a 2651 router hosting several VLANS.
    Can we connect the 2651s together and expand the VLANs into the other building?

    HI
    Can you give info about how these two buildings are connected to each other? As far as routing is concerned, you can configure sub-interfaces under your physical interface on your router. Are these 2950s connected to the 2651? If they are, how are your VLANs spread? Are you using any sort of VTP? If your 2950s are connected to the 2651 then you can go for sub-interfaces per VLAN.
    For example, if you are having 3 VLANs then you can configure the physical interface on your router as
    interface f0/0.1
    encapsulation dot1q 1
    ip address 192.168.1.1 255.255.255.0
    and so on
    Thanks
    Mahmood

  • Trying to Download a Software Image to Cisco 2800 series router through TFTP Using the tftpdnld ROMmon Command

    Trying to Download a Software Image to Cisco 2800 series router through TFTP Using the tftpdnld ROMmon Command
    and I am getting an error. I can't figure out what I am doing wrong. I have also pasted my display down here. Can someone help me out? Thanks in advance, I am still new to this utility.
    My questions are: How do you direct this utility to point to the desktop or the TFTP folder?
    Does FE_PORT: Fast Ethernet 0 imply or point to Fa0/0 on my router?
    My router is supposed to have 10.0.0.3 255.0.0.0
    Gateway of 10.0.0.1 255.0.0.0
    My TFTP Server 10.0.0.2 255.0.0.0
    How do I get the MAC address of the router or the TFTP server, and which one is required?
    My Ethernet port is 100Mb/sec. I can't tell whether it is full duplex or not, so how do I set this FE_SPEED_MODE: Auto???
    =====================================================================================
    rommon 10 >
    rommon 10 > set
    PS1=rommon ! >
    FE_PORT=0
    WARM_REBOOT=
    RET_2_RTS=20:35:55 UTC Thu Sep 25 2014
    BSI=0
    RET_2_RCALTS=
    RANDOM_NUM=1600357627
    ?=0
    IP_ADDRESS=10.0.0.3
    IP_SUBNET_MASK=255.0.0.0
    DEFAULT_GATEWAY=10.0.0.1
    TFTP_SERVER=10.0.0.2
    TFTP_FILE=
    rommon 11 > TFTP_FILE=c2800nm-adventerprisek9-mz.124-24.T4
    rommon 12 > TFTP_CHECKSUM=0
    rommon 13 > SET
    monitor: command "SET" not found
    rommon 14 > set
    PS1=rommon ! >
    FE_PORT=0
    WARM_REBOOT=
    RET_2_RTS=20:35:55 UTC Thu Sep 25 2014
    BSI=0
    RET_2_RCALTS=
    RANDOM_NUM=1600357627
    IP_ADDRESS=10.0.0.3
    IP_SUBNET_MASK=255.0.0.0
    DEFAULT_GATEWAY=10.0.0.1
    TFTP_SERVER=10.0.0.2
    ?=0
    TFTP_FILE=c2800nm-adventerprisek9-mz.124-24.T4
    TFTP_CHECKSUM=0
    rommon 15 > tftpdnld
              IP_ADDRESS: 10.0.0.3
          IP_SUBNET_MASK: 255.0.0.0
         DEFAULT_GATEWAY: 10.0.0.1
             TFTP_SERVER: 10.0.0.2
               TFTP_FILE: c2800nm-adventerprisek9-mz.124-24.T4
            TFTP_VERBOSE: Progress
        TFTP_RETRY_COUNT: 18
            TFTP_TIMEOUT: 7200
           TFTP_CHECKSUM: No
            TFTP_MACADDR: 30:37:a6:49:35:a8
                 FE_PORT: Fast Ethernet 0
           FE_SPEED_MODE: Auto
    Invoke this command for disaster recovery only.
    WARNING: all existing data in all partitions on flash: will be lost!
    Do you wish to continue? y/n:  [n]:  y
    ARP: address resolution for 10.0.0.2 timed out.
    ARP failed with failure code 1.  TFTP transfer aborted.
    TFTP: Operation terminated prematurely.
    rommon 16 >       " not found
    rommon 17 >FE_SPEED_MODE=2
    variable name contains illegal (non-printable) characters
    rommon
    rommon 18 > set
    PS1=rommon ! >
    FE_PORT=0
    WARM_REBOOT=
    RET_2_RTS=20:35:55 UTC Thu Sep 25 2014
    BSI=0
    RET_2_RCALTS=
    RANDOM_NUM=1600357627
    IP_ADDRESS=10.0.0.3
    IP_SUBNET_MASK=255.0.0.0
    DEFAULT_GATEWAY=10.0.0.1
    TFTP_SERVER=10.0.0.2
    TFTP_FILE=c2800nm-adventerprisek9-mz.124-24.T4
    TFTP_CHECKSUM=0
    ?=0
    rommon 19 > tftpdnld [ur]
    usage: tftpdnld [-hr]
      Use this command for disaster recovery only to recover an image via TFTP.
      Monitor variables are used to set up parameters for the transfer.
      (Syntax: "VARIABLE_NAME=value" and use "set" to show current variables.)
      "ctrl-c" or "break" stops the transfer before flash erase begins.
      The following variables are REQUIRED to be set for tftpdnld:
                IP_ADDRESS: The IP address for this unit
            IP_SUBNET_MASK: The subnet mask for this unit
           DEFAULT_GATEWAY: The default gateway for this unit
               TFTP_SERVER: The IP address of the server to fetch from
                 TFTP_FILE: The filename to fetch
      The following variables are OPTIONAL:
              TFTP_VERBOSE: Print setting. 0=quiet, 1=progress(default), 2=verbose
          TFTP_RETRY_COUNT: Retry count for ARP and TFTP (default=18)
              TFTP_TIMEOUT: Overall timeout of operation in seconds (default=7200)
             TFTP_CHECKSUM: Perform checksum test on image, 0=no, 1=yes (default=1)
              TFTP_MACADDR: The MAC address for this unit
                   FE_PORT: 0= (default), 1
             FE_SPEED_MODE: 0=10/hdx, 1=10/fdx, 2=100/hdx, 3=100/fdx,
                            5=Auto (default)
          TFTP_DESTINATION: The flash destination device for the file
                            flash:(default), usbflash0:, usbflash1:
      Command line options:
       -h: this help screen
       -r: do not write flash, load to DRAM only and launch image
    rommon 20 > tftpdnld
              IP_ADDRESS: 10.0.0.3
          IP_SUBNET_MASK: 255.0.0.0
         DEFAULT_GATEWAY: 10.0.0.1
             TFTP_SERVER: 10.0.0.2
               TFTP_FILE: c2800nm-adventerprisek9-mz.124-24.T4
            TFTP_VERBOSE: Progress
        TFTP_RETRY_COUNT: 18
            TFTP_TIMEOUT: 7200
           TFTP_CHECKSUM: No
            TFTP_MACADDR: 30:37:a6:49:35:a8
                 FE_PORT: Fast Ethernet 0
           FE_SPEED_MODE: Auto
    Invoke this command for disaster recovery only.
    WARNING: all existing data in all partitions on flash: will be lost!
    Do you wish to continue? y/n:  [n]:  y
    ARP: address resolution for 10.0.0.2 timed out.
    ARP failed with failure code 1.  TFTP transfer aborted.
    TFTP: Operation terminated prematurely.
    rommon 21 >

    What I notice in the original post is this error
    ARP: address resolution for 10.0.0.2 timed out.
    which says that the router is looking for the 10.0.0.2 server but not getting response to its arp request. Can the original poster clarify for us how the device that has the image file is connected to the router that has the problem? Also what kind of device is 10.0.0.2? Is it a PC running TFTP server software or is it something else?
    HTH
    Rick
