Router with BRI interface
I need your support to know a router model with a BRI interface.
The Cisco 876 (cheapest option) provides ADSL over ISDN
http://www.cisco.com/en/US/products/hw/routers/ps380/products_data_sheet0900aecd8028a976.html
For integrated ISDN BRI, I suggest looking at the 1800 Series
http://www.cisco.com/en/US/products/ps6184/index.html
Similar Messages
-
Route leaking from VRF to Global on same router with VLAN interface
Hi all,
I would like to do some route leaking from VRF to Global and Global to VRF on the same router. Here is an output of the config:
interface FastEthernet4
description ***Connection to WAN***
ip vrf forwarding FVRF
ip address 10.0.0.6 255.255.255.0
interface Vlan100
description ***LAN***
ip address 192.168.227.1 255.255.255.0
So what I want is to import 192.168.227.0 /24 into FVRF and import 10.0.0.0 /24 into the global routing table.
I thought I could do that config but it is not possible:
(config)#ip route vrf FVRF 192.168.227.0 255.255.255.0 vlan 100
% For VPN or topology routes, must specify a next hop IP address if not a point-to-point interface
OR
DK-SLVPN(config)#ip route vrf FVRF 192.168.227.0 255.255.255.0 vlan 100 192.168.227.1 global
%Invalid next hop address (it's this router)
Any ideas are really welcome.
Best regards,
Laurent
Hi,
I have tried the following solution:
Add 10.0.0.0 /24 from VRF to Global:
ip route 10.0.0.0 255.255.255.0 FastEthernet4
Add 192.168.227.0 /24 from Global to VRF:
router bgp 64512
bgp log-neighbor-changes
address-family ipv4
no synchronization
redistribute connected
no auto-summary
exit-address-family
ip prefix-list Global-VRF seq 5 permit 192.168.227.0/24
route-map Global permit 10
match ip address prefix-list Global-VRF
ip vrf FVRF
rd 1:1
import ipv4 unicast map Global
So now the VRF table looks like that:
# sh ip route vrf FVRF
C 10.0.0.0/24 is directly connected, FastEthernet4
S 10.0.0.1/32 [254/0] via 10.0.0.1, FastEthernet4
L 10.0.0.6/32 is directly connected, FastEthernet4
B 192.168.227.0/24 is directly connected, 00:15:12, Vlan100
The Global table looks like this:
#sh ip route
Gateway of last resort is 10.1.0.107 to network 0.0.0.0
D* 0.0.0.0/0 [90/1709056] via 10.1.0.107, 3d02h, Tunnel1
10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
S 10.0.0.0/24 is directly connected, FastEthernet4
C 10.1.0.0/24 is directly connected, Tunnel1
L 10.1.0.227/32 is directly connected, Tunnel1
C 10.2.0.0/24 is directly connected, Tunnel2
L 10.2.0.227/32 is directly connected, Tunnel2
C 10.10.10.227/32 is directly connected, Loopback100
192.168.227.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.227.0/24 is directly connected, Vlan100
L 192.168.227.1/32 is directly connected, Vlan100
But when I try to ping it still doesn't work:
#ping vrf FVRF 192.168.227.1 source fastEthernet 4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.227.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.6
Success rate is 0 percent (0/5)
#ping 10.0.0.1 source vlan 100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.227.1
Success rate is 0 percent (0/5)
Any ideas?
Regards,
Laurent -
RRI not removing routes even with outside interface down
Hi,
I'm having trouble with RRI and static crypto map.
If I configure the RRI with the outside interface down the ASA doesn't create the static route to the remote subnet.
If I bring up the interface it creates the route, but if I shutdown the interface the RRI routes never go away meaning the ASA would turn into a black hole.
Any suggestion on how to get it to remove the RRI routes if the interface is down?
I tested it with two versions with the same problem:
9.2(2)4
9.3(1) -
MIB walk for a router with MPLS enabled interfaces
To perform some testing in an agent I am building, I need a MIB walk for a router with MPLS enabled interfaces. I would greatly appreciate help with this MIB walk.
You can do a walk-through of the MIB by running a command such as getmany -v2c public mplsLsrMIB . For detailed instructions refer to http://cisco.com/en/US/docs/ios/12_2t/12_2t2/feature/guide/lsrmibt.html.
-
Applying "route-map" in interfaces with encapsulation dot1q
Hello,
I would like to ask you if there is some trouble in applying route-maps to an interface and its subinterfaces, as is shown:
interface GigabitEthernet0/2
ip address 11.0.9.26 255.255.255.252
ip policy route-map GestionRadios
interface GigabitEthernet0/2.11
encapsulation dot1Q 11
ip address 11.0.9.18 255.255.255.252
ip policy route-map RedOperativaA
interface GigabitEthernet0/2.12
encapsulation dot1Q 12
ip address 11.0.9.22 255.255.255.252
ip policy route-map RedOperativaB
I am not sure if it is totally correct. Besides, I get this information doing "show ip policy" and it seems to be right.
Router#show ip policy
Interface Route map
Gi0/2 GestionRadios
Gi0/2.11 RedOperativaA
Gi0/2.12 RedOperativaB
I would be very grateful for your help.
Thanks in advance
Regards,
Sandro
Sandro,
We do not have much to work with in your post so giving you really good answers is difficult. You do not tell us what type of device this is (I assume probably a router, but perhaps it is a layer 3 switch?) or what version of code it is running. These things make a difference sometimes in what is supported or is not supported. But since you get output in show ip policy then I assume that the device does support configuration of this feature.
You show us the configuration of the interfaces but not the configuration of the route maps or the access lists which the route maps probably use. So we can not form an opinion of the validity of the route maps or the access lists.
And you do not tell us whether the Policy Based Routing is working or not (and in fact you do not tell us for sure that you are doing PBR - though that is generally what route maps on the interfaces are doing) so we are not clear whether there is a problem here or not.
But based on what you show us in this post I do not see any particular problems with the route maps and the way that you have applied them to interfaces (assuming that your goal is really to do PBR).
HTH
Rick -
No dialer command under ISDN BRI interface
Hi all,
I have a 2901 router voice bundle with 4 ISDN BRI ports and would like to have them bundled under the Dialer1 interface. Unfortunately it doesn't give me the option for the dialer command under the BRI interface as expected.
router(config-if)#int bri0/0/0
router(config-if)#dia
router(config-if)#dia
^
% Invalid input detected at '^' marker.
router(config-if)#dialer
^
% Invalid input detected at '^' marker.
router(config-if)#
I assume it's down to the UC license installed on the device but I'm not sure. Does the ISDN BRI interface behave in a different way under this license?
Pasting a portion of "show ver" as well.
Cisco CISCO2901/K9 (revision 1.0) with 479232K/45056K bytes of memory.
Processor board ID
2 Gigabit Ethernet interfaces
4 ISDN Basic Rate interfaces
1 terminal line
DRAM configuration is 64 bits wide with parity enabled.
255K bytes of non-volatile configuration memory.
250880K bytes of ATA System CompactFlash 0 (Read/Write)
License Info:
License UDI:
Device# PID SN
*0 CISCO2901/K9
Technology Package License Information for Module:'c2900'
Technology Technology-package Technology-package
Current Type Next reboot
ipbase ipbasek9 Permanent ipbasek9
security None None None
uc uck9 Permanent uck9
data None None None
Configuration register is 0x2102
Hi,
Snippet of "sh ver" with IOS version is below:
router#show ver
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(4)M5, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Fri 13-Sep-13 14:59 by prod_rel_team
ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)
router uptime is 2 days, 21 hours, 47 minutes
System returned to ROM by reload at 16:48:03 UTC Mon Aug 18 2014
System restarted at 16:50:01 UTC Mon Aug 18 2014
System image file is "flash0:c2900-universalk9-mz.SPA.152-4.M5.bin"
Last reload type: Normal Reload
Last reload reason: Reload Command
The output of trying to type dialer command is in the initial post, I'm also pasting all available commands under bri0/0/0.
router(config-if)#int bri0/0/0
router(config-if)#?
Interface configuration commands:
aaa Authentication, Authorization and Accounting.
access-expression Build a bridge boolean access expression
arp Set arp type (arpa, probe, snap), timeout, log
options or packet priority
authentication Auth Manager Interface Configuration Commands
autodetect Autodetect Encapsulations on Serial interface
bandwidth Set bandwidth informational parameter
bgp-policy Apply policy propagated by bgp community string
bridge-group Transparent bridging interface parameters
carrier-delay Specify delay for interface transitions
cdp CDP interface subcommands
clns CLNS interface subcommands
clock Configure serial interface clock
cwmp Configure CPE WAN Management Protocol(CWMP) on this
interface
dampening Enable event dampening
default Set a command to its defaults
delay Specify interface throughput delay
description Interface specific description
dot1q dot1q interface configuration commands
dot1x Interface Config Commands for IEEE 802.1X
down-when-looped Force looped serial interface down
encapsulation Set encapsulation type for an interface
ethernet Ethernet interface parameters
exit Exit from interface configuration mode
flow-sampler Attach flow sampler to the interface
full-duplex Configure full-duplex operational mode
h323-gateway Configure H323 Gateway
half-duplex Configure half-duplex and related commands
help Description of the interactive help system
history Interface history histograms - 60 second, 60 minute
and 72 hour
hold-queue Set hold queue depth
ip Interface Internet Protocol config commands
iphc-profile Configure IPHC profile
ipv6 IPv6 interface subcommands
isdn ISDN Interface configuration commands
isis IS-IS commands
iso-igrp ISO-IGRP interface subcommands
keepalive Enable keepalive
line-power Provide power on the line.
llc2 LLC2 Interface Subcommands
load-interval Specify interval for load calculation for an
interface
logging Configure logging for interface
loopback Configure internal loopback on an interface
mab MAC Authentication Bypass Interface Config Commands
mac-address Manually set interface MAC address
macro Command macro
metadata Metadata Application
mop DEC MOP server commands
mtu Set the interface Maximum Transmission Unit (MTU)
netbios Use a defined NETBIOS access list or enable
name-caching
network-clock-priority Configure clock source priority
no Negate a command or set its defaults
ntp Configure NTP
ospfv3 OSPFv3 interface commands
pulse-time Force DTR low during resets
rate-limit Rate Limit
redundancy RG redundancy interface config
routing Per-interface routing configuration
sdllc Configure SDLC to LLC2 translation
serial serial interface commands
service-policy Configure CPL Service Policy
shutdown Shutdown the selected interface
smds Modify SMDS parameters
snapshot Configure snapshot support on the interface
snmp Modify SNMP interface parameters
source Get config from another source
tarp TARP interface subcommands
timeout Define timeout values for this interface
topology Configure routing topology on the interface
transmit-interface Assign a transmit interface to a receive-only
interface
trunk-group Configure interface to be in a trunk group
tx-ring-limit Configure PA level transmit ring limit
vpdn Virtual Private Dialup Network
vrf VPN Routing/Forwarding parameters on the interface
waas WAN Optimization
router(config-if)# -
I have 2 BRI interfaces, either in one router or in 2 different ones. The first has the following config:
interface BRI1/0
no ip address
isdn switch-type basic-net3
isdn protocol-emulate network
isdn layer1-emulate network
isdn static-tei 0
isdn skipsend-idverify
and on the b1/1:
interface BRI1/1
no ip address
isdn switch-type basic-net3
isdn static-tei 0
and the network side never comes up! I tried the user side with the Telco and it works fine. I tried all possible commands on both, like overlap-receiving, twait-disable, tei-negotiation, point-to-point-setup etc., but still no b1/X ever lights up green.
Also I tried a straight cable and a rollover cable, nothing.
Any idea how it can work? Or, if the PBX cannot operate as USER, how can I make the router the network side?
Thanks, Chris
You will need to connect the BRI to a switch/PBX that provides network termination.
(what is the exact BRI module part number? ie: VIC-2BRI-NT/TE, VIC-2BRI-S/T-TE, VIC2-BRI-NT/TE)
(if you're using the VIC-2BRI-S/T-TE, you'll need your PBX to provide network termination)
Your commands for isdn protocol and isdn layer1 emulate are correct for emulating the network side.
Static TEI seems fine if in fact your TEI can be set statically. (not sure of your PBX configuration possibilities)
What type of PBX are you attempting to connect the BRI to?
What type of router model are you using?
Also, run a 'debug isdn q921' and even a 'debug isdn q931' and provide the output. This should help us help you a bit more. -
If I had 2 isdn routers on different sites and wanted them to connect, do I need to put both BRI interfaces on the same subnet or does it not matter with isdn ?
Hi
AFAIK there are 2 ways: one is considering the ISDN connectivity as a separate point-to-point link and assigning a separate /30 block for that connectivity, or else you can also use the ip unnumbered option and make use of your Ethernet IP or the loopback IP.
But I would suggest going with the first option because of the simplicity involved; also the second option may create or result in some operational problems if you have some routing protocol in place between your locations.
regds -
How To Use Your Own Router Without Losing Verizon's FIOS Services
How to use your own router with Verizon’s FIOS Service
First, you need a basic understanding of how FIOS works, but unfortunately there are two types of FIOS systems out there. All of the systems utilize a fiber optic cable to bring TV, phone and internet to your location over one optic cable. In addition, these systems provide interactivity including widgets, remote DVR, movies on demand and so forth via an IP (Internet Protocol) signal. Your STB (Set Top Box) requires both a video and an IP signal. The IP signal is necessary for all of the aforementioned interactivity. The fiber cable terminates at the Optical Network Terminal, or ONT for short. The ONT converts the optics into a digital signal that can be utilized by one's equipment. From the ONT your video, phone and internet are provided to the location. This is where things can differ, as the internet signal can be provided via a coaxial (MoCA or Multimedia over Coax Alliance) or RJ45 Cat5 (Ethernet) cable. It is important to identify and understand the differences of these two setups. In my case I have my internet entering via Ethernet cable, which in my humble opinion makes things a heck of a lot easier.
How does one tell the difference? In most cases it's rather simple; just look at the Verizon router's WAN (Wide Area Network) port. Does it have an RJ45 (Ethernet) or coax (TV cable cord) going to it? If the router's WAN port has a coaxial connector then one will need to convert the MoCA signal into a usable Ethernet signal that routers understand. The easiest way is to use Verizon's router as a bridge. In this method Verizon's router simply converts the signal and passes it along to your own router. The challenge is to try to maintain the interactivity that FIOS TV provides. Because of this one needs to supply the IP routed signal back to the FIOS router. There are multiple methods for doing this and I would recommend investigating which one makes the most sense.
In my particular case the IP signal was provided by Ethernet. Again there are various ways of installing one's own router. The hardest is to utilize Verizon's router as a bridge. This setup requires configuring Verizon's router as a bridge and also creating a VLAN (Virtual Local Area Network). In addition one needs to set up their own router so it will work with the various routing tables and networks. For me this is too complex for the average person and it can be difficult to troubleshoot if something goes wrong. Please consider that Verizon will not support utilizing third party routers.
The easier method is to request an Ethernet signal (if you don't already have one) from their ONT. I would highly recommend getting your hands on a NIM or Network Interface Module. This device is used to convert Ethernet to coaxial so it can be fed back to your STBs. These can be purchased online and Verizon technicians can be a valuable resource with these sorts of acquisitions. At the very least they can point you in the right direction. Once you have a NIM the rest is rather simple.
Log into the current Verizon Router.
Locate the router's MAC address and copy it down.
Go to the port forwarding section and copy down the Applied Rules.
Example:
Network Computer/Device: 192.168.1.100:63145
Application & Ports Forward: Application UDP Any -> 6347
Note: There may be up to three entries for each one of your Set Top Boxes.
Look at your current device list, typically found on the home screen. Copy down your STB MAC and IP address.
Example:
IP-STB1
Connection Type: Ethernet
* IP Address: 192.168.1.100
IP Address Allocation: DHCP
*MAC Address: 07:73:fFe:ad:8b:3f
* Things you will need to write down
Go to the network section and look for the main Ethernet connection. Select this and then select more settings, typically found at the bottom. Release the current lease.
Remove the Verizon router.
Install your router.
Connect the NIM by plugging in an Ethernet cable from one of the router's LAN (Local Area Network) ports to your NIM. Then connect the coax cable, the same cable that was used by the Verizon router.
Set your DHCP routing IP pool to accommodate Verizon's STB IPs (note their IPs start at 192.168.1.100).
Go to the DHCP section and reserve the STB IPs by inserting the IPs and MAC addresses. This shall ensure that nothing else utilizes the same IPs as the STBs, thereby preventing IP address conflicts.
Add the port forwards from Step 5 above.
Clone Verizon's MAC address utilizing the info from step 2.
Finish setting up the router in typical fashion.
Unplug and re-plug your STBs and test functionality. It's best to try using a widget or Movie on Demand function.
Note: if the new router cannot get an internet signal, contact Verizon's support and have them release the IP and reset the ONT.
EVERYTHING should be working at this point.
3 Go to the port forwarding section and copy down the Applied Rules.
Example:
Network Computer/Device: 192.168.1.100:63145
Application & Ports Forward: Application UDP Any -> 6347
Note: There may be up to three entries for each one of your Set Top Boxes.
Your display obviously is not like mine as mine does not display the port associated with the IP address.
Whatever, the STBs start at 192.168.1.100 and increment by 1 for each.
The port addresses will be 63145, also incrementing by 1.
There is 1 entry for each in my PF list.
However each IP address also has a port entry starting at 35000, also incrementing by 1 for each IP address.
For some unknown reason these are duplicated, e.g. I appear to have 11 entries exactly the same for each STB, and as the FIOS services rules have no action switch there is nowhere to delete the extraneous garbage.
Why do you clone the mac addr?? -
RA VPN into ASA5505 behind C871 Router with one public IP address
Hello,
I have a network like below for testing remote access VPN to ASA5505 behind C871 router with one public IP address.
PC1 (with VPN client)----Internet-----Modem----C871------ASA5505------PC2
The public IP address is assigned to the outside interface of the C871. The C871 forwards incoming traffic UDP 500, 4500, and ESP to the outside interface of the ASA, which has a private IP address. PC1 can establish a secure tunnel to the ASA. However, it is not able to ping or access PC2. PC2 is also not able to ping PC1. PC1 encrypts packets to PC2 but the ASA does not to PC1. Maybe a NAT problem? I understand removing the C871 and just using the ASA makes VPN much simpler and easier, but I would like to understand why it is not working with the current setup and learn how to troubleshoot and fix it. Here's the running config for the C871 and ASA. Thanks in advance for your help!
C871:
version 15.0
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
hostname router
boot-start-marker
boot-end-marker
enable password 7 xxxx
aaa new-model
aaa session-id common
clock timezone UTC -8
clock summer-time PDT recurring
dot11 syslog
ip source-route
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.2.2
ip dhcp pool dhcp-vlan2
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
ip cef
ip domain name xxxx.local
no ipv6 cef
multilink bundle-name authenticated
password encryption aes
username xxxx password 7 xxxx
ip ssh version 2
interface FastEthernet0
switchport mode trunk
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
description WAN Interface
ip address 1.1.1.2 255.255.255.252
ip access-group wna-in in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
interface Vlan1
no ip address
interface Vlan2
description LAN-192.168.2
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
interface Vlan10
description router-asa
ip address 10.10.10.1 255.255.255.252
ip nat inside
ip virtual-reassembly
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat inside source list nat-pat interface FastEthernet4 overload
ip nat inside source static 10.10.10.1 interface FastEthernet4
ip nat inside source static udp 10.10.10.2 500 interface FastEthernet4 500
ip nat inside source static udp 10.10.10.2 4500 interface FastEthernet4 4500
ip nat inside source static esp 10.10.10.2 interface FastEthernet4
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 10.10.10.0 255.255.255.252 10.10.10.2
ip route 192.168.2.0 255.255.255.0 10.10.10.2
ip access-list standard ssh
permit 0.0.0.0 255.255.255.0 log
permit any log
ip access-list extended nat-pat
deny ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended wan-in
deny ip 192.168.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.255.0.0 0.0.255.255 any
deny ip 255.0.0.0 0.255.255.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip host 0.0.0.0 any
deny icmp any any fragments log
permit tcp any any established
permit icmp any any net-unreachable
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit esp any any
permit icmp any any host-unreachable
permit icmp any any port-unreachable
permit icmp any any packet-too-big
permit icmp any any administratively-prohibited
permit icmp any any source-quench
permit icmp any any ttl-exceeded
permit icmp any any echo-reply
deny ip any any log
control-plane
line con 0
exec-timeout 0 0
logging synchronous
no modem enable
line aux 0
line vty 0 4
access-class ssh in
exec-timeout 5 0
logging synchronous
transport input ssh
scheduler max-task-time 5000
end
ASA:
ASA Version 9.1(2)
hostname asa
domain-name xxxx.local
enable password xxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd xxxx encrypted
names
ip local pool vpn-pool 192.168.100.10-192.168.100.35 mask 255.255.255.0
interface Ethernet0/0
switchport trunk allowed vlan 2,10
switchport mode trunk
interface Ethernet0/1
switchport access vlan 2
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan2
nameif inside
security-level 100
ip address 192.168.2.2 255.255.255.0
interface Vlan10
nameif outside
security-level 0
ip address 10.10.10.2 255.255.255.252
ftp mode passive
clock timezone UTC -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name xxxx.local
object network vlan2-mapped
subnet 192.168.2.0 255.255.255.0
object network vlan2-real
subnet 192.168.2.0 255.255.255.0
object network vpn-192.168.100.0
subnet 192.168.100.0 255.255.255.224
object network lan-192.168.2.0
subnet 192.168.2.0 255.255.255.0
access-list no-nat-in extended permit ip 192.168.2.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list vpn-split extended permit ip 192.168.2.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static lan-192.168.2.0 lan-192.168.2.0 destination static vpn-192.168.100.0 vpn-192.168.100.0 no-proxy-arp route-lookup
object network vlan2-real
nat (inside,outside) static vlan2-mapped
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
http 10.10.10.1 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.2.0 255.255.255.0 inside
ssh 10.10.10.1 255.255.255.255 outside
ssh timeout 20
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy vpn internal
group-policy vpn attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn-split
default-domain value xxxx.local
username xxxx password xxxx encrypted privilege 15
tunnel-group vpn type remote-access
tunnel-group vpn general-attributes
address-pool vpn-pool
default-group-policy vpn
tunnel-group vpn ipsec-attributes
ikev1 pre-shared-key xxxx
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:40c05c90210242a42b7dbfe9bda79ce2
: end
Hi,
I think that you want to control all outbound traffic from the LAN to the outside by the ASA.
I suggest some modifications as shown below.
C871:
interface Vlan2
description LAN-192.168.2
ip address 192.168.2.2 255.255.255.0
no ip nat inside
no ip proxy-arp
ip virtual-reassembly
ip access-list extended nat-pat
no deny ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
no permit ip 192.168.2.0 0.0.0.255 any
deny ip 192.168.2.0 0.0.0.255 any
permit ip 10.10.10.0 0.0.0.255 any
ASA 5505:
interface Vlan2
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
Try them out and respond.
Best regards,
MB -
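A small model of the reply path in the thread above, added here as an illustration (it is not the poster's, MB's or Cisco's code). It follows PC2's reply to the VPN client through the C871's routing table and nat-pat ACL as posted, and then through the ASA after MB's change makes the ASA the LAN gateway. Assumptions, not on the page: PC2 is 192.168.2.50 and uses the DHCP default-router as its gateway, the client holds 192.168.100.10 from vpn-pool, and "set reverse-route" has installed a /32 for it on the ASA.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, str]          # (prefix, "egress interface / next hop")
AclEntry = Tuple[str, str, str]  # (action, source prefix, destination prefix)


def longest_match(routes: List[Route], dst: str) -> Optional[Route]:
    """Plain longest-prefix match over a static route list."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    best_len = -1
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = (prefix, via), net.prefixlen
    return best


def acl_permits(acl: List[AclEntry], src: str, dst: str) -> bool:
    """First matching entry wins; no match is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s_net, d_net in acl:
        if s in ipaddress.ip_network(s_net) and d in ipaddress.ip_network(d_net):
            return action == "permit"
    return False


# C871 forwarding table from the posted config: connected Vlan2/Vlan10 and the
# default route.  The static 192.168.2.0/24 via 10.10.10.2 loses to the
# connected route on Vlan2, so it is omitted.
C871_ROUTES: List[Route] = [
    ("0.0.0.0/0", "FastEthernet4 -> 1.1.1.1"),
    ("10.10.10.0/30", "Vlan10"),
    ("192.168.2.0/24", "Vlan2"),
]

# "ip access-list extended nat-pat" exactly as posted.
NAT_PAT_AS_POSTED: List[AclEntry] = [
    ("deny", "192.168.2.0/24", "192.168.100.0/24"),
    ("permit", "192.168.2.0/24", "0.0.0.0/0"),
]

# ASA table: connected inside/outside, the default toward the C871, and the
# host route reverse-route injection installs for the connected client
# (constructed assumption: the client was given 192.168.100.10).
ASA_ROUTES: List[Route] = [
    ("192.168.2.0/24", "inside"),
    ("10.10.10.0/30", "outside"),
    ("192.168.100.10/32", "outside (RRI host route, IPsec SA to PC1)"),
    ("0.0.0.0/0", "outside -> 10.10.10.1"),
]


def trace_pc2_reply(lan_gateway: str, src: str = "192.168.2.50",
                    dst: str = "192.168.100.10") -> Dict[str, object]:
    """Follow PC2's reply to the VPN client from its first-hop gateway.

    lan_gateway is "C871" for the layout as posted (the DHCP default-router is
    the C871's Vlan2 address) or "ASA" for MB's change, where the ASA holds the
    hosts' gateway address and the C871's Vlan2 is no longer "ip nat inside".
    """
    if lan_gateway == "C871":
        prefix, via = longest_match(C871_ROUTES, dst)
        leaves_nat_outside = via.startswith("FastEthernet4")
        # NAT rewrites only inside->outside flows the ACL permits.  The first
        # nat-pat line denies LAN->VPN-pool, so the reply is forwarded to the
        # ISP with its private source untouched and never reaches the ASA.
        translated = leaves_nat_outside and acl_permits(NAT_PAT_AS_POSTED, src, dst)
        return {"device": "C871", "matched": prefix, "egress": via,
                "translated": translated, "encrypted": False}
    if lan_gateway == "ASA":
        prefix, via = longest_match(ASA_ROUTES, dst)
        # The posted "nat (inside,outside) source static ... destination
        # static vpn-192.168.100.0" exempts LAN<->pool traffic from NAT, and
        # the RRI /32 hands the packet to the crypto map.
        return {"device": "ASA", "matched": prefix, "egress": via,
                "translated": False, "encrypted": "RRI" in via}
    raise ValueError("lan_gateway must be 'C871' or 'ASA'")


if __name__ == "__main__":
    for gw in ("C871", "ASA"):
        print(gw, trace_pc2_reply(gw))
```

With the C871 as gateway the reply exits FastEthernet4 untranslated and unencrypted, which matches "the ASA does not encrypt to PC1" in the original post; with the ASA as gateway it matches the RRI host route and is encrypted.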
Router with payload compression and QOS
I have searched for 2 days trying to find information on this subject. I have a 2851 router with an AIM-COMPR2-V2 module. The software level is 15.1(4)M7. We have point-to-point T1 between two of the exact same routers. I would like to run payload compression, use the AIM module, and enforce a QOS policy on the interface. The "Show Compress" command counters will not increase as long as the interface has the "Service-Policy Output" command on it. I found several articles that discuss that as an issue before 12.X versions of software, but I can't find anything newer.
Should this work? If not, where can I find the most recent documentation as to why it won't? Also, if not, what is my best option in the given scenario? -
How to do destination NAT in a 2600 router with IOS 12.3?
Hi All
I have a 2600 router with two LAN interfaces which I am using for a PoC, and it has the following settings:
FE 0/0 - 10.0.0.1/24 - client LAN - inside
FE 0/1 - 10.1.1.1/24 - server LAN - outside
The direction of the flows is from the clients to the servers. What I would like to achieve is, when clients access the web server 10.1.1.10, for this to be replaced by 10.1.1.100.
I have tried the above a few times but it doesn't work. Is the above possible? And if so, please provide me with a sample config.
Many Thanks
[email protected]
Yes, you can do this. You don't need destination NAT. Source NAT translations work both ways. This should work:
ip nat inside source static tcp 10.1.1.100 80 10.1.1.10 80
int fa 0/0
ip nat inside
int fa 0/1
ip nat outside
The bigger question is why you'd want to. Just because you CAN do something doesn't mean you SHOULD. Unless you have the 10.1.1.0 network subnetted or some sort of firewall/blocking in place, both IPs should be reachable by the hosts. Why not just have them go directly to 10.1.1.100 instead of going to 10.1.1.10? If there's a firewall or similar blocking 10.1.1.100, why not adjust your firewall settings instead? You could have a valid reason for doing this but I can't think of very many scenarios off the top of my head where this would make sense. If you can post more details on what you're trying to accomplish, you might get better advice on a better way to solve the problem. -
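To illustrate what "source NAT translations work both ways" means for a static `ip nat inside source static tcp` entry, here is an added Python model (not from the thread and not IOS code) of the two directions in which IOS applies the entry given in the answer above; the packets are constructed samples using the addresses from the question.

```python
# Added example: model of one 'ip nat inside source static tcp' entry.
# Not from the thread or from IOS; addresses taken from the question above.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class StaticTcpNat:
    """ip nat inside source static tcp <inside-local> <lport> <inside-global> <gport>"""
    inside_local: str
    local_port: int
    inside_global: str
    global_port: int

    def inside_to_outside(self, pkt: Packet) -> Packet:
        # Leaving 'ip nat inside' towards 'ip nat outside': only the SOURCE
        # is compared with the inside local address/port and rewritten.
        if (pkt.src, pkt.sport) == (self.inside_local, self.local_port):
            return replace(pkt, src=self.inside_global, sport=self.global_port)
        return pkt

    def outside_to_inside(self, pkt: Packet) -> Packet:
        # Arriving on 'ip nat outside' towards 'ip nat inside': only the
        # DESTINATION is compared with the inside global address/port.
        if (pkt.dst, pkt.dport) == (self.inside_global, self.global_port):
            return replace(pkt, dst=self.inside_local, dport=self.local_port)
        return pkt


# The entry from the answer: inside local 10.1.1.100:80, inside global 10.1.1.10:80
ENTRY = StaticTcpNat("10.1.1.100", 80, "10.1.1.10", 80)


def demo() -> dict:
    # Constructed sample packets (10.0.0.5 is a hypothetical client on fa0/0).
    server_reply = Packet("10.1.1.100", 80, "10.0.0.5", 40000)
    request = Packet("10.0.0.5", 40000, "10.1.1.10", 80)
    return {
        "in2out": ENTRY.inside_to_outside(server_reply),   # source rewritten
        "out2in": ENTRY.outside_to_inside(request),        # destination rewritten
        # inside->outside is matched on source only, so a request sent from the
        # inside interface to 10.1.1.10 passes this entry unchanged.
        "request_in2out": ENTRY.inside_to_outside(request),
    }
```

Running `demo()` shows that the entry rewrites the server's source on the way out and a client's destination on the way in, which is the check to make before relying on it for a given interface pair.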
Policy based routing on VRF interfaces to route traffic through TE Tunnel
Hi All,
Is there a method to do policy based routing on VRF interfaces and route data traffic through one TE tunnel and non-data traffic through another TE tunnel?
The tunnel is already built up with the config below:
interface Tunnel25
ip unnumbered Loopback0
tunnel destination 10.250.16.250
tunnel mode mpls traffic-eng
tunnel mpls traffic-eng path-option 10 explicit name test
ip explicit-path name test enable
next-address x.x.x.x
next-address y.y.y.y
router ospf 1
mpls traffic-eng router-id Loopback0
mpls traffic-eng area 0
mpls traffic-eng tunnels
interface GigabitEthernet5/2
mpls traffic-eng tunnels
mpls ip
Is there additional config needed for this to work? Also, at the destination end, for the return traffic we want to use the normal path, I mean a non-TE tunnel.
We tested with the above scenario, but couldn't reach the destination. Meanwhile we had a question: when the packet uses the policy map on ingress, it may not know the association with the VRF (is that right? If so, how do we make it happen?)
Any help would be really appreciated
Thanks
Regards
Anantha Subramanian Natarajan
hi Anantha!
I might not be the right person to comment on your first question. I have not configured MVPNs yet and am not very comfortable with the topic.
But I am sure that if you read through the CBTS doc thoroughly, you might be able to derive the answer yourself. One thing I notice is that "a Tunnel will be selected regularly according to the routing process (even if it is CBTS enabled). From the tunnels selected using the regular best path selection, the traffic is mapped to a particular tunnel in the group if a specific class is mapped to that tunnel."
So a master tunnel can be the only tunnel between the 2 devices over which the routing (BGP next hops) is exchanged, and all other tunnels can be members of this tunnel. So your RPF might not fail.
You might have to explore this a bit more and read about the co-existence of multicast and TE. This will be the same as that.
For your second question, the answer would be easy:
If you want a specific EoMPLS customer to take a particular tunnel/path, just create a separate pair of loopbacks on the PEs. Make the loopback learnt on the remote PE through the tunnel/path that you want the EoMPLS to take. Then establish the xconnect with this loopback. I am assuming that your question is that a particular EoMPLS session should take a particular path.
If you meant that certain traffic from the same eompls session take a different path/tunnel, then CBTS will work.
Regards,
Niranjan
-
Cisco 2811 Router with 3 ADSL card and load balancing
Dear All,
I have few queries:
1. Does Cisco 2811 Router support 3 ADSL card?
2. We are the ISP. I want to do load balancing with 3 DSL lines on a Cisco 2811 Router.
Please send me the link for this configuration.
Thanks/Regards
Atul
hi
In the 2811 you have 4 HWIC and 1 NME slots; you can install the 1-port ADSL WAN Interface Card in the HWIC slots.
Also just enable 3 default (equal cost) routes towards the interfaces, which will take care of the load balancing.
If you need more info and inputs, do post your requirements along with the network topology in place at present.
regds
-
Assistance Needed: Inter-VRF Routing with MP-BGP
hello everyone,
I've been trying to solve a problem for over a day regarding inter-vrf routing using MP-BGP and I can't seem to figure a few things out.
I have a Cisco 1921 which has VRF-JLAN and VRF-JGLOBE with 3 interfaces configured as (g0/0 = vrf JLAN, g0/1 = no vrf, g0/2 = dot1q trunk to 2960S). vrf JLAN is a restricted network for user access, DNS server, etc. vrf JGLOBE is for the video server and the global routing table belongs to Wifi access. I've been able to separate all the networks and I can route traffic out to the Internet from vrf JLAN and the global route table, but where I'm having issues is getting vrf JGLOBE to route traffic using the global route table.
For example: vrf JLAN should not be accessed by either Global or vrf JGLOBE. JGLOBE should be able to access vrf JLAN dns server but it should route its internet traffic via Global route table (g0/1). Last JLAN should be able to access 2 networks from the Global route table.
I've attached my config and diagram so you can better understand what I'm trying to achieve. More light to solving this problem would be much appreciated.
ip vrf JGLOBE
rd 65001:2
export map WIFI
route-target export 65001:2
ip vrf JLAN
rd 65001:1
import ipv4 unicast map C-GLOBAL
route-target export 65001:1
route-target import 65001:1
route-target import 65001:2
interface GigabitEthernet0/0
description LAN-ACCESS-INTERNET [TO Nexthop FIREWALL]
ip vrf forwarding JLAN
ip address 192.168.4.3 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip inspect INTERNET-FW out
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
interface GigabitEthernet0/1
description GLOBAL-Wifi-INTERNET [TO Nexthop - FIREWALL]
ip address 192.168.5.3 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip inspect GLOBAL-FW in
ip inspect GLOBAL-FW out
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
interface GigabitEthernet0/2.3
description Users LAN
encapsulation dot1Q 3
ip vrf forwarding JLAN
ip address 192.168.30.1 255.255.255.240
interface GigabitEthernet0/2.4
description Video Server
encapsulation dot1Q 4
ip vrf forwarding JGLOBE
ip address 10.6.40.1 255.255.255.0
router ospf 1 vrf JLAN
router-id 10.6.6.10
redistribute bgp 65001 subnets
network 0.0.0.0 255.255.255.255 area 0
router ospf 2 vrf JGLOBE
router-id 10.5.7.10
redistribute bgp 65001 subnets
network 0.0.0.0 255.255.255.255 area 0
router bgp 65001
bgp router-id 10.4.6.4
bgp log-neighbor-changes
bgp graceful-restart restart-time 120
bgp graceful-restart stalepath-time 360
bgp graceful-restart
address-family ipv4
redistribute connected
exit-address-family
address-family ipv4 vrf JGLOBE
redistribute connected
redistribute ospf 2
exit-address-family
address-family ipv4 vrf JLAN
redistribute connected
redistribute ospf 1
exit-address-family
ip dns view vrf JGLOBE default
ip dns view vrf JLAN default
ip route 0.0.0.0 0.0.0.0 192.168.5.1
ip route vrf JGLOBE 0.0.0.0 0.0.0.0 GigabitEthernet0/1 192.168.5.1
ip route vrf JLAN 0.0.0.0 0.0.0.0 192.168.4.1 name LAN_INET
ip prefix-list GLOBAL-INET seq 5 permit 0.0.0.0/0
ip prefix-list SERVER-NET seq 5 permit 10.6.40.2/32
ip prefix-list WIFI-NET seq 5 permit 10.254.0.0/22 le 32
Hi Matt
Yes, the X/32 routes need to be present in the VRF routing table, and if they are to be learnt statically then the MP-iBGP config for that particular VRF address-family has to redistribute static routes as well.
Regards
Varma
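To make the reply's point concrete, here is an added Python model (not from the thread, not IOS code) of how a prefix gets from one VRF into another on the router configured above: it must be redistributed under the VRF's `address-family ipv4 vrf`, is tagged with that VRF's `route-target export` values, and is installed in every VRF whose `route-target import` set overlaps those tags. The RTs and redistribution lists are taken from the posted config; the routes are constructed samples, and the export/import maps (WIFI, C-GLOBAL) are not modelled.

```python
# Added example: route-target based leaking between the two VRFs above.
# RTs and 'redistribute' lists come from the posted config; routes are
# constructed samples. Export/import maps are not modelled.
from dataclasses import dataclass, field


@dataclass
class Vrf:
    name: str
    export_rt: set          # route-target export
    import_rt: set          # route-target import
    redistribute: set       # protocols under 'address-family ipv4 vrf <name>'
    routes: dict = field(default_factory=dict)   # prefix -> source protocol


def vpnv4_table(vrfs):
    """Routes that actually enter MP-BGP, each tagged with its VRF's export RTs."""
    table = []
    for v in vrfs:
        for prefix, proto in v.routes.items():
            if proto in v.redistribute:          # not redistributed -> never exported
                table.append((prefix, v.name, set(v.export_rt)))
    return table


def imported_routes(vrf, table):
    """Prefixes a VRF installs from MP-BGP: any export RT must match an import RT."""
    return sorted(p for p, origin, rts in table
                  if origin != vrf.name and rts & vrf.import_rt)


# JGLOBE exports 65001:2 and imports nothing; JLAN exports 65001:1 and
# imports 65001:1 and 65001:2. The /32 static route is a constructed sample.
JGLOBE = Vrf("JGLOBE", {"65001:2"}, set(), {"connected", "ospf"},
             {"10.6.40.0/24": "connected", "10.6.40.2/32": "static"})
JLAN = Vrf("JLAN", {"65001:1"}, {"65001:1", "65001:2"}, {"connected", "ospf"},
           {"192.168.30.0/28": "connected", "192.168.4.0/29": "connected"})


def leak_summary(vrfs=(JGLOBE, JLAN)):
    table = vpnv4_table(vrfs)
    return {v.name: imported_routes(v, table) for v in vrfs}


def with_redistribute_static():
    # Same topology after adding 'redistribute static' under JGLOBE, as the reply suggests.
    jglobe = Vrf("JGLOBE", {"65001:2"}, set(), {"connected", "ospf", "static"},
                 dict(JGLOBE.routes))
    return leak_summary((jglobe, JLAN))
```

`leak_summary()` shows JLAN receiving only JGLOBE's connected /24 (the static /32 never reaches MP-BGP) and JGLOBE receiving nothing, while `with_redistribute_static()` adds the /32 to JLAN.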