Router mode selection
I have set up a router 1 to connect to the broadband line to the WAN port and create a wired and wireless network successfully. I bought a new router 2 and created another wireless network within my home. I use an ethernet cable to connect an ethernet port of router 1 to the WAN port of router 2. The clients work correctly with router 2. The router 2 status shows Double NAT. The router 2 mode is set to DHCP and NAT. Did I set it to an incorrect mode? Which model is right for this scenario? The other two choices are DHCP Only and Off (Bridge Mode). Thanks!
Technically, Bridge Mode is the correct setting for router 2, since router 1 is already providing DHCP and NAT services. That's why you see the Double NAT error now.
As it stands, devices that are connected to router 2 cannot "see" devices connected to router 1. So, if you have a printer connected to router 1, clients on router 2 will not be able to print, for example.
Double NAT also makes it virtually impossible to connect an online gaming console and play interactively over the Internet.
On the other hand, if you do not want clients on router 2 to see clients on router 1, or vice versa, the current setup that you have will do that. For example, the clients on router 2 might be "guests" that you do not want to allow access to devices on your main "private" network.
I'm not recommending Double NAT.....it can create other issues as well.......just pointing out the upsides and downsides.
Bottom line....it is a matter of what your requirements might be for your network.
Similar Messages
-
Can VIP and Rservers be in the same subnet in ACE Routed Mode
Good Day,
Sorry for the lengthy post.
Currently I have a 6509s running in VSS mode with ACE30 in each chassis.
I have 5 vlans, which the VSS is the L3 interface for each. 1 Vlan is for management, the others are the data vlans for the servers.
The ACE is configured in bridge mode, with all VLANs going to a specific context (non Admin).
Some of the hosts on each VLAN are not utilized for load-balancing. The default gateway for each VLAN is configured on the VSS.
I would like to set up the ACE in routed mode, without having to change the IP address of each server on the different VLANs.
Basically I want to turn off the SVIs on the VSS and move the L3 interface to the ACE Context, and let it perform the local routing for all the hosts.
I was going to add a new /30 L3 interface between the VSS and ACE to be utilized for default route traffic coming from the ACE Context, and static routes from the VSS to the ACE for traffic destined to hosts that are being load-balanced and not being load-balanced. Basically force the traffic through the load-balancer in/out.
For future deployment, I was planning on using different IP address for the VIPs, and Real servers (most likely RFC 1918).
From most of the examples I have seen the VIP and Rservers are in different Subnets. But because I am trying to not change the IP address of the rservers and VIP, I wanted to know if the VIP and Rservers can be configured to be in the same subnet where the ACE is in routed mode.
Unfortunately I don't have a spare ACE to test this scenario.
As always any help would greatly be appreciated.
Regards,
Raman
Link-local addresses are usually the self assigned IP address that a device will set when a DHCP server cannot be found. These are the addresses with 169.254.x.x subnet.
If the router is assigning IP addresses for your network, then they will usually have a different IP subnet, possibly 192.168.0 for D-Link. And this subnet would be for the wired and wireless connections. So it would be more a case of bridging the two network topologies rather than routing them.
The network host is busy message could be more to do with the driver and the IP protocol selected when creating the queue than the connection being broken between the Mac and printer. If you were to open Network Utility and select the Ping tab, enter the IP address of the HP and set the pings to 4, pressing the Ping button will soon show if there is a path through the wireless to the printer.
If you get a response to the ping you could then open Safari and type the ip address as the URL. This would then connect to the internal web page of the printer and possibly let you enable an IP protocol like LPR so that you can use LPD on the Mac instead of Bonjour to connect to the printer.
As for the driver, you could look at using a Gutenprint driver instead of the HP driver or the hpijs package to get past the limitations that some printer drivers have with network connections. -
How to configure a RV220W in normal routing mode (No NAT)
Hi,
I have been very busy the last few days in trying to configure this router in normal routing mode. I do not want to have double NAT in my network. This is my setup:
C class IP network connected to the internet via a Fritzbox router. I need this router because of the VOIP services it provides. I want to use the RV220W to isolate certain users from the rest of the network. When I configure the router in WAN (NAT) it partially works, e.g. I can browse, send email but can't make a connection to an Apple fileserver which is on the base network. When I try to operate in normal routing mode I can't get it to work. I am sure I am doing something wrong with the static routes.
Setup:
Internet <-> Fritzbox (192.168.12.0/24) network <-> RV220W <-> LAN 1 (192.168.1.0/24) users to be isolated.
On the 192.168.12.0/24 network the printer, fileserver and PBX are connected.
Please help me in configuring this.
The firmware is the latest 1.0.5.8.
Thanks in advance!
Peter
Hello Peter,
Sorry for the late reply, but I figured I would post anyway in case anyone else has this question.
You can put the router in what is called router mode by logging into the admin page and going to Networking >> Routing >> Routing Mode and selecting Router.
I am only looking at an emulator, but I believe this will cause a reboot. Once in router mode NAT and the firewall are disabled, however access rules do still work.
You will still need a static route from your Fritzbox to the 192.168.1.0/24 network on the RV220W, and the RV220W should have the Fritzbox as its default gateway on its WAN interface. You may also need to create an ACL to allow traffic from the Fritzbox network through the RV's WAN port.
Some Apple devices depend on the Bonjour protocol to work properly, which doesn't always traverse subnets well, so if after all of that it still doesn't work you may have an issue with Apple.
Thank you for choosing Cisco,
Christopher Ebert
Network Support Engineer - Cisco Small Business Support Center -
Does ACE-30 support multicast in routed mode?
We currently have ACE20's, which only support multicast in bridge mode.
Was wondering if it's the same on ACE30's, or if Cisco finally implemented support for mcast in routed mode.
thx
Kevin
Could you please confirm if this applies to both ACE20 & ACE30, or just ACE20?
If both, when does Cisco plan on supporting mcast in routed mode?
thx
Kevin -
RV220W - in routing mode changes external Ip with router IP
Good day.
I just installed one RV220W in my network, in routing mode (not NAT), using on the WAN port the public IP 193.111.184.xxx and on the LAN side an IP from my company's public C class (212.100.143.0). It's working, but the main and huge problem is that the router is replacing any IP coming from the internet with its own 212.100.143.xxx IP, which messes up everything (logs, counters, etc).
It was using 1.0.1.0 firmware, I switched to 1.0.0.26 but nothing changed.
Also I have a VPN - gate to gate with another location (RV042), and all computers from the other side of the tunnel report the same router IP 212.100.143.xxx when accessing servers on my side, which is also bad.
Previously I used an RV082 for this job and everything was great, except for the 100 Mb WAN/LAN ports of the RV082, which I will use until I get the RV220W working right.
Any idea is appreciated.
Thank you,
Catalin Burla
I have changed this weekend from a DSL using a Linksys by Cisco WAG54G2 to a Cisco RV220W Small Business Router and just found out the same problem. This is serious for me; for one, it completely destroys SPAM blocking with DNS blacklists.
This is how it looked when using the linksys:
Apr 9 03:18:17 vanroodewierda postfix/smtpd[49507]: connect from 189-041-10-204.xd-dynamic.ctbcnetsuper.com.br[189.41.10.204]
Apr 9 03:18:18 vanroodewierda postfix/smtpd[49507]: NOQUEUE: reject: RCPT from 189-041-10-204.xd-dynamic.ctbcnetsuper.com.br[189.41.10.204]: 554 5.7.1 Service unavailable; Client host [189.41.10.204] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=189.41.10.204; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<189-041-10-204.xd-dynamic.ctbcnetsuper.com.br>
This is how it looks when using the RV220W:
Apr 10 18:34:29 vanroodewierda postfix/smtpd[31608]: connect from ciscorouter.rna.nl[192.168.2.254]
And thus DNSBL is not possible. My RV220W uses One-to-One NAT to route one of the 5 outside WAN IP addresses to the mail server on the LAN. Because I do not get the external IP address passed on to the inside, postfix has nothing to go on. I tried instead to use the normal port forwarding in the IPv4 rules on my main WAN IP address, but that doesn't help.
How and where can I report this and how long will it take Cisco to fix something like this? Because this is very important for me (and my users) and I'll have to return the router and buy another brand if it takes too long. -
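The loss of the client address described in the post above can be spotted from the mail log itself. The following is an added example, not part of the original posts and not Cisco or Postfix code: it parses Postfix smtpd connect lines and flags a log window in which one non-routable address accounts for most connections, which is the condition under which a DNSBL lookup has nothing useful to query. Only the first line of each sample is quoted from the post; the other sample lines, the function names and the thresholds are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Postfix smtpd connect line: "... postfix/smtpd[pid]: connect from host[ip]"
CONNECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: connect from (\S+?)\[([0-9A-Fa-f.:]+)\]")


def parse_connects(lines):
    """Return a list of (hostname, ip_address) for each smtpd connect line."""
    found = []
    for line in lines:
        m = CONNECT_RE.search(line)
        if not m:
            continue
        try:
            found.append((m.group(1), ipaddress.ip_address(m.group(2))))
        except ValueError:
            continue  # bracketed text was not a valid address
    return found


def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """DNS name a DNSBL check resolves for an IPv4 client: reversed octets + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def audit_sources(lines, min_connects=3, max_share=0.8):
    """Flag a log window where one non-global address makes most connections.

    min_connects and max_share are illustrative thresholds (assumptions).
    """
    connects = parse_connects(lines)
    total = len(connects)
    counts = Counter(ip for _, ip in connects)
    result = {"total": total, "verdict": "ok", "suspect": None}
    if total < min_connects:
        return result
    ip, hits = counts.most_common(1)[0]
    # A private, link-local or loopback peer cannot be listed on a public
    # DNSBL, so when it dominates the log the blacklist check is blind.
    if not ip.is_global and hits / total >= max_share:
        result.update(verdict="source_rewritten", suspect=str(ip))
    return result


# First line of each sample is quoted from the post; the rest are constructed.
BEFORE = [
    "Apr 9 03:18:17 vanroodewierda postfix/smtpd[49507]: connect from 189-041-10-204.xd-dynamic.ctbcnetsuper.com.br[189.41.10.204]",
    "Apr 9 03:19:02 vanroodewierda postfix/smtpd[49511]: connect from 189-041-10-204.xd-dynamic.ctbcnetsuper.com.br[189.41.10.204]",
    "Apr 9 03:21:40 vanroodewierda postfix/smtpd[49530]: connect from 189-041-10-204.xd-dynamic.ctbcnetsuper.com.br[189.41.10.204]",
]
AFTER = [
    "Apr 10 18:34:29 vanroodewierda postfix/smtpd[31608]: connect from ciscorouter.rna.nl[192.168.2.254]",
    "Apr 10 18:35:11 vanroodewierda postfix/smtpd[31612]: connect from ciscorouter.rna.nl[192.168.2.254]",
    "Apr 10 18:36:47 vanroodewierda postfix/smtpd[31620]: connect from ciscorouter.rna.nl[192.168.2.254]",
    "Apr 10 18:37:05 vanroodewierda postfix/smtpd[31624]: connect from ciscorouter.rna.nl[192.168.2.254]",
]

if __name__ == "__main__":
    for name, sample in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_sources(sample))
    print(dnsbl_query_name("189.41.10.204"))
```

Run against a real mail log, a "source_rewritten" verdict points at the device in front of the mail server rather than at Postfix, since the rewritten address is all smtpd ever sees.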
My first question, can anyone recommend some very heavy reading discussing the ACE modules and associated traffic flows and order of operations? Not just how-to scenarios.
And the primary question that brings me here:
I've got an ACE module in a 6500 chassis that's configured for routed mode. For the purpose of this question we'll say that on the ACE I have a single VLAN for vIPs and a single VLAN for rservers. vIP VLAN is 12 and rserver VLAN is 101. I have a pair of App servers being load balanced, and a pair of Web servers being load balanced.
When user devices send traffic to the Web servers vIP, traffic hits the SVI for VLAN 12 and the service-policy is applied manipulating that traffic and sending it to the VLAN 101 SVI and on down to an rserver. The same if user devices are sending traffic to the App servers vIP.
When a Web server tries to send over to the App servers vIP, I get no response. In fact, from the Web server I can't even ping my gateway (SVI for VLAN 101). How do I get the Web server to send traffic loadbalanced across the App servers?
Here's an example ACE config:
access-list ALL line 8 extended permit ip any any
probe tcp 5555
  port 5555
  interval 5
  passdetect interval 30
probe http HTTP
  interval 5
  passdetect interval 30
  expect status 200 200
rserver host APP01
  description App Server 1
  ip address 10.10.101.15
  probe 5555
  inservice
rserver host APP02
  description App Server 2
  ip address 10.10.101.16
  probe 5555
  inservice
rserver host WEB01
  description Web Server 1
  ip address 10.10.101.17
  probe HTTP
  inservice
rserver host WEB02
  description Web Server 2
  ip address 10.10.101.18
  probe HTTP
  inservice
serverfarm host APP-SERVERS
  predictor leastconns
  rserver APP01
    inservice
  rserver APP02
    inservice
serverfarm host WEB-SERVERS
  predictor leastconns
  rserver WEB01
    inservice
  rserver WEB02
    inservice
sticky ip-netmask 255.255.255.255 address both WEB-STICKY
  replicate sticky
  serverfarm WEB-SERVERS
sticky ip-netmask 255.255.255.255 address both APP-STICKY
  replicate sticky
  serverfarm APP-SERVERS
class-map match-any APP-VIP
  description App Servers VIP
  2 match virtual-address 10.10.12.21 tcp eq 5555
class-map match-any WEB-VIP
  description Web Servers VIP
  2 match virtual-address 10.10.12.20 tcp eq https
  3 match virtual-address 10.10.12.20 tcp eq www
policy-map type loadbalance first-match L7-APP-SERVERS
  class class-default
    sticky-serverfarm APP-STICKY
policy-map type loadbalance first-match L7-WEB-SERVERS
  class class-default
    sticky-serverfarm WEB-STICKY
policy-map multi-match L4-CONTEXT-A-VLAN
  class WEB-VIP
    loadbalance vip inservice
    loadbalance policy L7-WEB-SERVERS
    loadbalance vip icmp-reply
  class APP-VIP
    loadbalance vip inservice
    loadbalance policy L7-APP-SERVERS
    loadbalance vip icmp-reply
interface vlan 12
  description ACE-CONTEXT-A-vIPs
  ip address 10.10.12.5 255.255.252.0
  alias 10.10.12.4 255.255.252.0
  peer ip address 10.10.12.6 255.255.252.0
  access-group input ALL
  service-policy input MGMT-ACCESS
  service-policy input L4-CONTEXT-A-VLAN
  no shutdown
interface vlan 101
  description ACE-CONTEXT-A-SERVERS
  ip address 10.10.101.2 255.255.255.0
  alias 10.10.101.1 255.255.255.0
  peer ip address 10.10.101.3 255.255.255.0
  access-group input ALL
  no shutdown
Hi Adam,
You can check Gilles' DC t-shooting guides that should give you a very good overview about packet processing on the ACE; also you can check the Cisco wiki site where you find the scenarios plus a detailed explanation for traffic management.
Now going back to your issue, your problem can be split in two parts.
1. Web server not able to ping VLAN 101 ACE's SVI.
ACE is a closed device, meaning that access to each Interface/VLAN needs to be explicitly configured; you need to apply the management policy to the 101 SVI to allow ICMP or any other management protocol. You can apply the same (service-policy input MGMT-ACCESS) or create a new one just for ICMP, that's up to you.
2. Web servers not able to communicate with APP servers through VIP (and vice versa).
Problem here is that servers are trying to communicate through SVI 101 but no VIPs are applied to it so the ACE will simply discard the packets for 10.10.12.20/10.10.12.21 on that interface, servers have the ARP and everything to reach those VIPs but the ACE has not been instructed to do load balancing for clients reaching it out through VLAN 101.
In order to do load balancing between APP & Web Servers you need to configure L4-CONTEXT-A-VLAN on SVI 101 as well.
Also since your servers are sitting all in the same VLAN you're going to need client NAT to prevent asymmetric routing on server-to-server communications.
I've attached a sample with NAT based on your config.
HTH
Pablo -
ACE routing mode design issue
Need some assistance in configuring an application using routing mode on Cisco ACE.
clients ---asa--3750--cisco ace--- servers behind vip
|
visa card transaction servers
I am able to set up a VIP on the ACE using routing mode. As the servers need to see the client IP, we are not performing SNAT; this part is working fine.
When a request comes from the client, it goes to the VIP and to one of the backend servers, and the request will be forwarded back to the ACE, as the default gateway on the servers is pointing to the server VLAN on the ACE.
But if the transaction from the servers needs to go to the Visa card transaction servers, how can we achieve this? And after fetching the data from the Visa servers, will the reply be forwarded to the ACE or to the ASAs directly?
Or do we need to have static routes defined on the Visa servers to point to the ASA?
Please advise me on this.
Clint,
No they are completely in a different network ,
When a client hits the VIP ,the request goes to the ASA
ASA fwd the vip traffic to the ACE (VIP) interface ,and from there it fwd the traffic to the (server vlan) interface and to the appropriate backend servers.
Backend server responds back to the (server vlan ) interface and the traffic fwd back to the ASA.
But when visa card transaction need to take place ( farm servers ) need to route the traffic to the visa servers which will be in different subnet range .
Do the farm servers send the request back to the ASA, and can we configure static routes on the ASA to point to the Visa servers?
Or on the farm servers can we have static routes for the Visa servers?
Or can I define static routes on the ACEs for the Visa servers? -
Can I configure csm as one arm and routing mode at the same time?
My CSM is currently configured in routing mode and bridge mode. Recently I have a service requirement for which I think the one arm mode should be the best resolution. Can anybody let me know if there will be any effect if I add the one arm mode to the current production environment?
Thanks in advance.
Jason
Gilles,
Thanks for your quick response. I notice you have the same opinion about the one arm mode in your other post, but I think in the multi-tier data center design, the fw in bridge mode and CSM in one arm mode with RHI do give us a lot of flexibility. If I use policy routing instead of source NAT, can I overcome the limits you mentioned?
Do you know how the CSM could handle the TFTP traffic? I may have too many questions; I am really looking for your suggestion.
Thanks
Jason -
How BOM and routing is selected for Planned order and Production order?
Hi,
Can anyone please tell me how BOM and routing are selected for a planned order and production order?
Hello Mathisuthan,
BOM and routing selection for the planned order and production order is done through the production version. If you have more than one BOM and more than one routing, then you can maintain this information as a production version in the system.
Production version you maintained
MM01/MM02 -- MRP4--- Production version
Or you can create Production Versions in Mass also with Transaction Code "C223"
In the case no production version maintained/created for the material, then system by default will pick the first BOM and routing.
I hope this information is helpful to you.
Regards
Umesh Mali -
Example Config ACE routed mode with NAT
Hi all,
I have a two-arm loadbalancer (routed mode).
client ->vlan100->[VIP]Loadbalancer[NAT] ->vlan200-> serverfarm
But I have problems configuring the NAT. Can anybody show me an example configuration of a two-arm loadbalancer with NAT?
Especially the access-list, class-map, policy-map and on which interface the NAT-Policy must be added.
BR
Dominik
Hi Dominik,
Something like this:
access-list ANYONE line 10 extended permit ip any any
rserver host SERVER_01
  ip address 10.198.16.2
  inservice
rserver host SERVER_02
  ip address 10.198.16.3
  inservice
rserver host SERVER_03
  ip address 10.198.16.4
  inservice
serverfarm host REAL_SERVERS
  rserver SERVER_01
    inservice
  rserver SERVER_02
    inservice
  rserver SERVER_03
    inservice
class-map match-all VIP-30
  2 match virtual-address 192.168.1.30 tcp eq www
class-map type management match-any REMOTE_ACCESS
  description remote-access-traffic-match
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any
policy-map type management first-match REMOTE_MGT
  class REMOTE_ACCESS
    permit
policy-map type loadbalance first-match SLB_LOGIC
  class class-default
    serverfarm REAL_SERVERS
policy-map multi-match CLIENT_VIPS
  class VIP-30
    loadbalance vip inservice
    loadbalance policy SLB_LOGIC
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 452
interface vlan 451
  ip address 192.168.1.2 255.255.255.0
  access-group input ANYONE
  service-policy input CLIENT_VIPS
  no shutdown
interface vlan 452
  description Servers vlan
  ip address 10.198.16.1 255.255.255.0
  access-group input ANYONE
  nat-pool 1 10.198.16.5 10.198.16.5 netmask 255.255.255.0 pat
  no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.1.1
Cesar R
ANS Team -
Sharing a VLAN between FWSM and ACE (Routed Mode)
Anybody in here with experience on sharing a Vlan between an ACE and a FWSM module?
I have a transfer network between the ACE and the FWSM in the same chassis. FWSM gets several vlans and ACE gets some Vlans.
I wanted to configure it like this.
firewall vlan group 10 <FWSM only vlans>
firewall vlan group 20 <shared FWSM and ACE vlan>
or
svclc vlan group 20 <shared FWSM and ACE vlan>
svclc vlan group 30 <ACE only vlans>
The design hides the client side network and the server side network for the ACE behind the FWSM module.
Layout:
|-- Clients <--> MSFC <--> FWSM <--> ACE <--> Server --|
So allocation on the 65xx would be like this.
firewall module n vlan-group 10,20
svclc module n vlan-group 20,30
Any obvious issues with this design if you share the vlan(s) referred in group 20 with both modules?
FWSM and ACE will be in routed mode.
Thanks for reading...
Roble
Never mind...
Just found the perfect answer for this in another posting from Syed.
http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Data%20Center&topic=SNA%20Data%20Center%20Networking&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1dddee0b/0#selected_message
Roble -
I am configuring ACE in routing mode ,
Below is my ACE interface config.
interface vlan 28
  description "CLIENT VLAN"
  ip address 192.168.10.11 255.255.255.248
  peer ip address 192.168.10.12 255.255.255.248
  mtu 1500
  mac-sticky enable
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  service-policy input POLICY
  no shutdown
interface vlan 29
  description "SERVER VLAN"
  ip address 192.168.10.19 255.255.255.248
  peer ip address 192.168.10.20 255.255.255.248
  mtu 1500
  mac-sticky enable
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  service-policy input POLICY
  no shutdown
When I configure my servers in vlan 29 and point the default gateway to 192.168.10.19 it works fine, no issues. But when this ACE goes down and the standby becomes active, my servers' default gateway will still be pointing to 192.168.10.19. Do I need to manually change it to .20,
or can I configure HSRP? Please advise me on this.
Hi,
Yes the alias should be set as gateway for the servers.
The alias is a shared address between the peers. This address will be on the ACTIVE ace.
Regards
Dan -
Hi,
Can the CSM be used in both the bridge and router mode for different VLANs? Or does it need to use all router mode and all bridged mode?
You can have a mix of both.
Gilles. -
Create Development mode selection popup
Hi All,
I have to implement the popup as like Development mode selection popup. What is the component name of the popup. how to implement it?
thanks,
dhina
What language or SDK are you using for your development? There are other forums where this question can be moved, as this isn't the right forum for development-related questions.
Peter Hansen -- (BB10 and dev-related blog posts at http://peterhansen.ca.)
Author of White Noise and Battery Guru for BB10 and for PlayBook | Get more from your battery! -
ISE iPEP + 3rd party device VPN bridge or route mode
Dear All,
I would like to get some advice from the community regarding my idea.
We would like to integrate ISE iPEP with a 3rd party VPN device using bridge mode.
However i can only find documents describing the following scenarios,
- routed mode with VPN device
- bridge mode with Wireless Controller
So the question is: is bridge mode supported if I would like to integrate ISE iPEP with a 3rd party VPN device, or is it even possible to achieve this kind of deployment?
Thank you in advance.
Best Regards,
Erik Molnar
Thanks for the reply Marcin. Both of your suggestions are good ones, however in this scenario both DC firewalls are alive at the same time, so there needs to be some kind of logic on the device at the remote site to say that it should only use tunnel B if tunnel A is down.
Thinking on this, is it possible to run an 'interface' or 'routed' mode IPSEC VPN with the ASA? I know this is possible with the Fortigates and think it's the default mode for Junipers. If that were possible we might be able to have both tunnels up and have OSPF run over them which would be another way to solve this problem.