Routing traffic using 2 interfaces
My question is: what's the best solution for routing internet traffic out one interface and production, management traffic out another interface, using a Cisco ISR 2900?
You can use PBR.
Here are 2 documents with examples:
http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpbr_ps1835_TSD_Products_Configuration_Guide_Chapter.html
https://supportforums.cisco.com/docs/DOC-1634
HTH
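An added example, not taken from the thread or from the linked Cisco documents: a minimal IOS policy-based routing configuration for the split asked about above. The interface roles, subnets, next-hop addresses and the names INTERNET-BOUND and SPLIT-EGRESS are assumptions chosen for illustration.

```cisco
! Added example. Constructed addressing (assumptions, not from the thread):
!   GigabitEthernet0/0  inside LAN, user subnet 10.10.10.0/24
!   GigabitEthernet0/1  Internet uplink, ISP next hop 192.0.2.1
!   GigabitEthernet0/2  production/management uplink, next hop 10.255.0.1
!
! 1. Classify. Internal (RFC 1918) destinations are excluded first, so only
!    Internet-bound packets from the user subnet match the final permit.
ip access-list extended INTERNET-BOUND
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip 10.10.10.0 0.0.0.255 any
!
! 2. Policy. Matched packets are handed to the ISP next hop. Packets that
!    match no route-map entry are forwarded by the normal routing table.
route-map SPLIT-EGRESS permit 10
 match ip address INTERNET-BOUND
 set ip next-hop 192.0.2.1
!
! 3. The routing table carries production and management traffic. No default
!    route is configured, so traffic that is neither steered by the policy
!    nor covered by an internal route is dropped instead of leaving through
!    the Internet uplink.
ip route 10.0.0.0 255.0.0.0 10.255.0.1
!
interface GigabitEthernet0/1
 description Internet uplink
 ip address 192.0.2.2 255.255.255.252
!
interface GigabitEthernet0/2
 description Production/management uplink
 ip address 10.255.0.2 255.255.255.252
!
! 4. Apply the policy on the interface where the traffic ENTERS the router.
interface GigabitEthernet0/0
 description Inside LAN
 ip address 10.10.10.1 255.255.255.0
 ip policy route-map SPLIT-EGRESS
!
! Interface PBR does not apply to packets the router itself originates
! (syslog, SNMP, TACACS+); "ip local policy route-map" covers those.
!
! Verify from exec mode:
!   show ip policy                 (interface-to-route-map bindings)
!   show route-map SPLIT-EGRESS    (match counters should increase)
```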
Similar Messages
-
Policy based routing on VRF interfaces to route traffic through TE Tunnel
Hi All,
Is there a method to do policy based routing on VRF interfaces and route data traffic through one TE tunnel and non-data traffic through another TE tunnel?
The tunnel is already built with the config below:
interface Tunnel25
 ip unnumbered Loopback0
 tunnel destination 10.250.16.250
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng path-option 10 explicit name test
ip explicit-path name test enable
 next-address x.x.x.x
 next-address y.y.y.y
router ospf 1
 mpls traffic-eng router-id Loopback0
 mpls traffic-eng area 0
mpls traffic-eng tunnels
interface GigabitEthernet5/2
 mpls traffic-eng tunnels
 mpls ip
Is there additional config needed for this to work? Also, at the destination end, for the return traffic, we want to use the normal path -- I mean a non-TE tunnel.
We tested with the above scenario, but weren't able to reach the destination. Meanwhile we had a question: when the packet uses the policy map on ingress, it may not know the association with the VRF (is that right? If so, how do we make it happen?)
Any help would be really appreciated
Thanks
Regards
Anantha Subramanian Natarajan
Hi Anantha!
I might not be the right person to comment on your first question. I have not configured MVPNs yet and am not very comfortable with the topic.
But I am sure that if you read through the CBTS doc thoroughly, you might be able to derive the answer yourself. One thing I notice is that "a tunnel will be selected regularly according to the routing process (even if it is CBTS enabled). From the tunnels selected using the regular best path selection, the traffic is mapped to a particular tunnel in the group if a specific class is mapped to that tunnel."
So a master tunnel can be the only tunnel between the 2 devices over which the routing (BGP next hops) is exchanged, and all other tunnels can be members of this tunnel. So your RPF might not fail.
You might have to explore this a bit more and read about the coexistence of multicast and TE. This will be the same as that.
For your second question, the answer would be easy:
If you want a specific EoMPLS cust to take a particular tunnel/path, just create a separate pair of loopbacks on the PEs. Make the loopback learnt on the remote PE through the tunnel/path that you want the EoMPLS to take. Then establish the xconnect with this loopback. I am assuming that your question is that a particular EoMPLS session should take a particular path.
If you meant that certain traffic from the same EoMPLS session should take a different path/tunnel, then CBTS will work.
Regards,
Niranjan -
Can you add routes to use ipsec0 interface on SRP521W?
I bought a couple of these to trial for location to remote telemedicine sites. However I am only able to route one network range over the IPSec VPN. I have to route multiple network ranges, and I am not able to make any modifications to the static routes for the ipsec0 interface, only WAN1 and LAN1. Ideally, I would change the default route to use ipsec0. But if that isn't an option, then just add specific ranges.
Can anyone help with this?
Thanks,
Jim
That sucks. I have never used a GRE tunnel before; I tried yesterday building one to my Nexus 7010 with no success. It seems like it would be so easy if I could just get the option to select the ipsec0 interface when adding static routes.
Can you recommend the next step router or firewall I could use to be able to send all traffic over the VPN, or at least add additional routes or network lists to send over the VPN? I am assuming the ASA 5505 would work perfectly, but I was hoping for a more budget-conscious option as we'll have these all over town.
Otherwise, if anyone can give me tips or suggestions on how to build the GRE tunnel from the SRP521W to a Nexus 7010 that would be great.
Thanks,
Jim -
Configure router to use particular interface IP add. for TACACS+ authenticat
How do I configure the router to use a particular interface's IP address for all communications with the ACS server for TACACS+ authentication?
Thanks a lot...
Use the command:
ip tacacs source-interface -
Route Traffic down a specific link
I need to route traffic that is sourced from the 10.1.50.0 network down link 1. Currently all traffic goes down Link 2. I want all traffic except the 10.1.50.0 network to still use Link 2 as primary. What would be the best approach: a static route for the 10.1.50.0 network, or some type of policy map, or something else? Thanks for the help.
Thanks for the reply. I created the access list and policy map from above but cannot put the policy map on the VLAN interface. The commands are there, but when I verify by looking at the interface it is not there. It is a 3750 G with IPSERVICES IOS. Any ideas? Thanks
Standard IP access list 50
10 permit 10.2.50.0, wildcard bits 0.0.0.255 log
sh route-map
route-map **VLAN250**, permit, sequence 10
Match clauses:
ip address (access-lists): 50
Set clauses:
interface GigabitEthernet2/0/1
Policy routing matches: 0 packets, 0 bytes -
NM-16ESW - adding a switch into a 3725 router slot - can i route traffic out of the switch ?
Hi all,
I have added the above module (16 switch port) into my router.
R16#show ip int br
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES unset administratively down down
FastEthernet0/1 unassigned YES unset administratively down down
FastEthernet1/0 unassigned YES unset administratively down down
FastEthernet1/1 unassigned YES unset administratively down down
FastEthernet1/2 unassigned YES unset administratively down down
FastEthernet1/3 unassigned YES unset administratively down down
FastEthernet1/4 unassigned YES unset administratively down down
FastEthernet1/5 unassigned YES unset administratively down down
FastEthernet1/6 unassigned YES unset administratively down down
FastEthernet1/7 unassigned YES unset administratively down down
FastEthernet1/8 unassigned YES unset administratively down down
FastEthernet1/9 unassigned YES unset administratively down down
FastEthernet1/10 unassigned YES unset administratively down down
FastEthernet1/11 unassigned YES unset administratively down down
FastEthernet1/12 unassigned YES unset administratively down down
FastEthernet1/13 unassigned YES unset administratively down down
FastEthernet1/14 unassigned YES unset administratively down down
FastEthernet1/15 unassigned YES unset administratively down down
Vlan1 unassigned YES unset up down
R16(config-if)#int fa1/0
R16(config-if)#ip address 192.168.10.1 255.255.255.0
% IP addresses may not be configured on L2 links.
R16(config-if)#
q1) Not being able to set an IP on the interface as shown above, I would believe it is really a switch port. Is there any way I can see what kind of port an interface is or can be (switch port, routed port, etc.), or whether it is an L2 or L3 switch?
q2) In that case, since the switch is already inside the router, how do I route L3 traffic out of the switch?
Assuming fe0/1 on the router is the interface connected to the external network,
and 2 workstations are attached to the switch ports fe1/1 and fe1/2, how can I set their gateway to point to fe0/1's IP? Can fe0/1 be connected to fe1/0 internally?
Regards,
Noob
Hi KOE SIZE JIE,
q1) I tried the no switchport command on the 16 switch port module and it works. I can set an IP on the switch port. But according to Liam, it is an L2 switch, so how come we can use the no switchport command?
As Bilal pointed out, I was mistaken; you can issue the "no switchport" for an L3 routed port on that specific module.
q2) It is said that on an L2 switch only 1 SVI can be connected (for management purposes only) and an L2 switch is not able to do routing. With the L2 switch module inserted into the router, will the SVI be able to do routing then?
I believe this goes back to what Bilal was saying about limited functionality on the EtherSwitch. I will have to play with one in GNS3 to give you a solid answer.
But I think what it is trying to say is... You cannot use SVIs for inter-VLAN routing. You can only have a single SVI for management purposes.
q3) Liam, you mentioned earlier that fa0/0 is pointing to some network. Is fa0/0 in the same router as the 16 switchport module?
ip route 10.10.10.0 255.255.255.0 192.168.1.254 -- this command seems to be saying that to access the 10.10.10.0 network, please go to the next hop IP 192.168.1.254 (but again, you are setting this next hop IP on the current router interface itself) - did I get anything wrong?
I have read back my post and this reads wrong.
When I showed you the code snippet, 192.168.1.254 would be the interface on the next hop router, not the router you are issuing the ip route command on. You would also need an IP address on the router interface directly connected to the next hop router, i.e. 192.168.1.253
You will not then receive that error. Sorry about that, my sloppy config without a diagram!
HTHs,
Liam -
Browser sound not routing via external interface
I am running an external audio interface which IS selected as output in sound settings.
When using iTunes or any other audio software, the sound routes properly via the interface.
However, sound from my browsers all seems to route via the Powermac internal speaker, and I can't seem to find out why or where to set it to route via the interface.
Help!!! -
Possible to Route Traffic Based on AVC?
Is it possible to route traffic based on the Application Visibility Control functions that specific Cisco routers are capable of? Here's my issue: I have two ISPs. One is at about 120% utilization. The other isn't doing anything. I can specify ip routes based on IP addresses. For instance, I can ip route 173.252.110.27 255.255.255.255 10.x.x.x to point to our ISP2 firewall, which is our non-utilized provider, for Facebook traffic. The problem is that sites like this have massive public subnets, so I won't be able to capture all of the traffic destined to Facebook. Is there a way to route traffic based on application? I know that Palo Alto firewalls have a way to do Policy Based Forwarding, based on application. I was wondering if the same was possible with AVC. Thanks for any help.
Hello.
Yes, it's possible and, actually, you have 2 ways.
1. Use manual load-balance between links.
2. Use PfR to load-balance traffic automatically.
PS: you will also need NAT with route-map. -
Routing Packets between interfaces
I have two zones. The first zone has the IP addresses 172.24.0.1/23 and 190.144.55.107/29, with networks 172.24.0.0 and 190.144.55.104. This zone is connected to a router with an internet connection with IP 190.144.55.105/29. I can ping and traceroute to any internet address.
The routing table of the proxy zone is:
Routing Table: IPv4
Destination Gateway Flags Ref Use Interface
default 190.144.55.105 UG 1 890
172.24.0.0 172.24.0.1 U 1 30 vnet2
190.144.55.104 190.144.55.107 U 1 38 vnet1
224.0.0.0 190.144.55.107 U 1 0 vnet1
127.0.0.1 127.0.0.1 UH 3 116 lo0
I have activated the ip-forwarding and routing services:
Configuración Actual Actual
Opción Configuración Estado del sistema
Encaminamiento de IPv4 enabled enabled
Reenvío de IPv4 enabled enabled
Servicios de enrutamiento "route:default ripng:default"
Daemons de enrutamiento:
STATE FMRI
online svc:/network/routing/route:default
The ipfilter is configured to pass all packets:
cat /etc/ipf/ipf.conf
pass in all
pass out all
The cvs zone has the IP address 172.24.0.3 and this is its routing table:
Routing Table: IPv4
Destination Gateway Flags Ref Use Interface
default 172.24.0.1 UG 1 2188
172.24.0.0 172.24.0.3 U 1 2570 vnet0:4
224.0.0.0 172.24.0.3 U 1 0 vnet0:4
127.0.0.1 127.0.0.1 UH 4 110 lo0:3
As you can see, I use different interfaces in each zone: vnet0 in the cvs zone, and vnet1 and vnet2 in the proxy zone.
My problem is: I can ping from the cvs zone to IP 190.144.55.107 and log in with ssh through the default gateway,
but if I want to ping the router (190.144.55.105) or traceroute to Google or any other address, I cannot. For example,
in the cvs zone:
-bash-3.00# traceroute www.google.com
traceroute: Warning: www.google.com has multiple addresses; using 209.85.133.99
traceroute to www.google.com (209.85.133.99), 30 hops max, 40 byte packets
1 proxy (172.24.0.1) 1.611 ms 0.963 ms 0.853 ms
2
3
In the proxy zone, if I do this:
-bash-3.00# traceroute www.google.com
traceroute: Warning: www.google.com has multiple addresses; using 74.125.65.147
traceroute: Warning: Multiple interfaces found; using 190.144.55.107 @ vnet1
traceroute to www.google.com (74.125.65.147), 30 hops max, 40 byte packets
1 local.gateway (190.144.55.105) 0.861 ms 0.757 ms 0.661 ms
2 10.175.23.254 (10.175.23.254) 0.894 ms 7.283 ms 9.102 ms
3 200.26.157.5 (200.26.157.5) 1.541 ms 1.408 ms 1.373 ms
4 bbint-bogota-ortezal-1-g2-1-0.uninet.net.mx (201.125.239.126) 1.445 ms 1.491 ms 1.376 ms
5 bbint-miami-americas-3-pos9-0.uninet.net.mx (201.125.224.222) 43.512 ms 43.554 ms 43.609 ms
6 74.125.49.245 (74.125.49.245) 43.548 ms 160.618 ms 43.631 ms
7 72.14.236.178 (72.14.236.178) 43.536 ms 43.670 ms 43.674 ms
8 209.85.254.252 (209.85.254.252) 58.551 ms 56.805 ms 57.012 ms
9 72.14.239.131 (72.14.239.131) 83.880 ms 57.814 ms 57.593 ms
10 209.85.253.214 (209.85.253.214) 62.891 ms 58.590 ms 57.665 ms
11 gx-in-f147.google.com (74.125.65.147) 59.671 ms 57.849 ms 59.426 ms
I tried using snoop to see what was happening:
snoop 172.24.0.3 (IP of the cvs zone), and pinged 190.144.55.105 from the cvs zone
-bash-3.00# snoop 172.24.0.3
Using device /dev/vnet1 (promiscuous mode)
172.24.0.3 -> local.gateway UDP D=33437 S=42956 LEN=20
172.24.0.3 -> local.gateway UDP D=33438 S=42956 LEN=20
172.24.0.3 -> local.gateway UDP D=33439 S=42956 LEN=20
Another view:
-bash-3.00# snoop -v 172.24.0.3
Using device /dev/vnet1 (promiscuous mode)
ETHER: Ether Header ETHER:
ETHER: Packet 1 arrived at 9:07:31.90892
ETHER: Packet size = 54 bytes
ETHER: Destination = 0:d:da:6:22:cd,
ETHER: Source = 0:14:4f:fa:5f:20,
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: IP Header IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00
IP: xxx. .... = 0 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: .... ..0. = not ECN capable transport
IP: .... ...0 = no ECN congestion experienced
IP: Total length = 40 bytes
IP: Identification = 22220
IP: Flags = 0x4
IP: .1.. .... = do not fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 1 seconds/hops
IP: Protocol = 17 (UDP)
IP: Header checksum = 80e4
IP: Source address = 172.24.0.3, 172.24.0.3
IP: Destination address = 190.144.55.105, local.gateway
IP: No options
IP:
UDP: UDP Header UDP:
UDP: Source port = 42959
UDP: Destination port = 33437
UDP: Length = 20
UDP: Checksum = 5D64
UDP:
ETHER: Ether Header ETHER:
ETHER: Packet 2 arrived at 9:07:37.88318
ETHER: Packet size = 98 bytes
ETHER: Destination = 0:d:da:6:22:cd,
ETHER: Source = 0:14:4f:fa:5f:20,
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: IP Header IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00
IP: xxx. .... = 0 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: .... ..0. = not ECN capable transport
IP: .... ...0 = no ECN congestion experienced
IP: Total length = 84 bytes
IP: Identification = 22221
IP: Flags = 0x0
IP: .0.. .... = may fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 254 seconds/hops
IP: Protocol = 1 (ICMP)
IP: Header checksum = c3c6
IP: Source address = 172.24.0.3, 172.24.0.3
IP: Destination address = 190.144.55.105, local.gateway
IP: No options
What must I do to receive a response from the router, or to be able to traceroute to any internet address from the cvs zone?
PS: from my browser in the cvs zone, with this configuration and with 172.24.0.1 set as my proxy in the Firefox preferences, I have an internet connection.
I can see, for example, in my proxy zone, that if I ping 190.144.55.105 from this zone I receive these messages:
snoop 190.144.55.105
Using device /dev/vnet1 (promiscuous mode)
proxy -> local.gateway ICMP Echo request (ID: 14207 Sequence number: 0)
local.gateway -> proxy ICMP Echo reply (ID: 14207 Sequence number: 0)
But if I ping from my cvs zone:
snoop 190.144.55.105
Using device /dev/vnet1 (promiscuous mode)
172.24.0.3 -> local.gateway ICMP Echo request (ID: 14195 Sequence number: 0)
172.24.0.3 -> local.gateway ICMP Echo request (ID: 14195 Sequence number: 1)
172.24.0.3 -> local.gateway ICMP Echo request (ID: 14195 Sequence number: 2)
172.24.0.3 -> local.gateway ICMP Echo request (ID: 14195 Sequence number: 3)
172.24.0.3 -> local.gateway ICMP Echo request (ID: 14195 Sequence number: 4)
172.24.0.3 -> local.gateway ICMP Echo request (ID: 14195 Sequence number: 5)
172.24.0.3 -> local.gateway ICMP Echo request (ID: 14195 Sequence number: 6)
172.24.0.3 -> local.gateway ICMP Echo request (ID: 14195 Sequence number: 7)
172.24.0.3 -> local.gateway ICMP Echo request (ID: 14195 Sequence number: 8)
172.24.0.3 -> local.gateway ICMP Echo request (ID: 14195 Sequence number: 9)
The reply messages are never sent towards the cvs zone -
Configuring Static Route Tracking Using ASDM 7.1(3) ASA 9.1(2)
I have recently updated my ASA5520 to 9.1(2) and I am using ASDM 7.1(3) to configure Static Route Tracking. I have done this previously in earlier versions of ASDM without a problem. There seems to be a new field in the Tracked Options section. What is the "Target Interface"? Is it the interface I want to use as the standby route when the Monitor fails? Or is it the Interface that is doing the monitoring?
I have looked through Cisco ASA Series General Operations ASDM Configuration Guide Software Version 7.1, as well as older ASDM books, and this field is never listed or described.
Hi,
The target interface will be the interface through which you will be polling some destination IP address with ICMP Echos to determine if the route through that interface is still valid.
So in your case you would use "Outside"
Here's the link to the ASA Command Reference listing the above "type" command under the "sla monitor 1" configuration
http://www.cisco.com/en/US/docs/security/asa/command-reference/t2.html#wp1568359
- Jouni -
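The CLI form of the ASDM fields discussed above, as an added example that is not part of the thread or of Cisco's guide: it shows where the target interface appears in the `type echo` command and how the tracked and standby routes relate to it. The interface names outside and backup, all addresses, and the SLA and track IDs are assumptions.

```cisco
! Added example; constructed values (assumptions): interfaces "outside" and
! "backup", primary gateway 192.0.2.1, backup gateway 203.0.113.1,
! monitored address 198.51.100.10.
!
! The probe. The "interface" keyword is the field ASDM labels Target
! Interface: the interface the ICMP echoes are sent out of, which is the
! primary path being monitored, not the standby one.
sla monitor 1
 type echo protocol ipIcmpEcho 198.51.100.10 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
!
! Track object that follows the probe's reachability result.
track 1 rtr 1 reachability
!
! Primary default route, installed only while track 1 is up.
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1 track 1
! Standby default route; the higher administrative distance keeps it out of
! the routing table until the tracked route is withdrawn.
route backup 0.0.0.0 0.0.0.0 203.0.113.1 254
!
! Verify from exec mode:
!   show track 1
!   show sla monitor operational-state
!   show route
```

Monitoring an address beyond the primary gateway, rather than the gateway itself, lets the track object also catch failures further upstream.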
Cascaded routers: no internet access when second router not use NAT
Here is my setup:
[pre]
WAN
|
| 74.96.170.x (WAN IP) |
| Router1(Verizon FiOS Router) |
| Model: MI424WR-GEN2 (Rev F) |
| Firmware: 20.21.0.2 |
| Def router: 74.96.170.1 |
| 192.168.1.1 (Local IP) |
|
| 192.168.1.22 (WAN IP) |
| Router2(Linksys) |
| Model: WRT54GL v1.1 |
| Firmware: v4.30.16 |
| Def Router: 192.168.1.1 |
| 192.168.2.1 (Local IP) |
|
| Computer 192.168.2.160 |
| Def Router: 192.168.2.1 |
| NO iptables, basic setup |
[/pre]
On computer, I have:
[pre]
# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.2.1 0.0.0.0 UG 2 0 0 enp2s0
loopback localhost 255.0.0.0 UG 0 0 0 lo
192.168.2.0 * 255.255.255.0 U 0 0 0 enp2s0
[/pre]
On Router2, I have:
[pre]
Routing Table Entry List
Destination LAN IP | Subnet Mask | Gateway | Hop Count | Interface
192.168.2.0 255.255.255.0 0.0.0.0 1 LAN & Wireless
192.168.1.0 255.255.255.0 0.0.0.0 1 WAN (Internet)
0.0.0.0 0.0.0.0 192.168.1.1 1 WAN (Internet)
[/pre]
Router2's Operating Mode is Gateway. On Router1, I have:
[pre]
[Router1] Routing Table
Name Destination Gateway Netmask Metric Status
Network (Home/Office) 192.168.2.0 192.168.1.22 255.255.255.0 0 Applied
Network (Home/Office) 192.168.1.0 192.168.1.1 255.255.255.0 0 Applied
Routing Protocol: Internet Group Management Protocol (IGMP)
Default Gateway: 74.96.170.1
[/pre]
On computer, I can run tcptraceroute to yahoo.com OK:
[pre]
# tcptraceroute yahoo.com
Selected device enp2s0, address 192.168.2.160, port 46596 for outgoing packets
Tracing the path to yahoo.com (206.190.36.45) on TCP port 80 (http), 30 hops max
1 192.168.2.1 0.610 ms 0.729 ms 0.735 ms
2 192.168.1.1 1.843 ms 1.378 ms 1.363 ms
3 l100.washdc-vfttp-107.verizon-gni.net (96.241.146.1) 13.620 ms * *
... /* It reached the destination. */
[/pre]
I want to change Router2's Operating Mode from "Gateway" to "Router" because I
want to turn off NAT on Router2 so that I can access all computers attached to
Router2 by their individual IP instead of using port forwarding at Router2.
The problem is after the mode change from "Gateway" to "Router", and regardless
whether I disable RIP or enable RIP, and on what interfaces it is enabled, computer
192.168.2.160 does not have internet connection.
Observations:
[0] INTRAnet works as I can reach computer 192.168.2.160 from computer behind Router1
192.168.1.x and vice versa.
[1] ping and traceroute *work* on Router2 itself using the built-in diagnostic tool.
[2] nslookup on computer 192.168.2.160 always works on new lookup. It uses
192.168.2.1 as the resolver.
[3] tcptraceroute stops after step 2:
[pre]
# tcptraceroute yahoo.com
Selected device enp2s0, address 192.168.2.160, port 45999 for outgoing packets
Tracing the path to yahoo.com (98.139.183.24) on TCP port 80 (http), 30 hops max
1 192.168.2.1 2.553 ms 0.534 ms 0.638 ms
2 192.168.1.1 1.342 ms 0.964 ms 0.867 ms
3 * * *
[/pre]
[4] tcpdump shows that computer 192.168.2.160 tries to reach out and nothing is returned:
[pre]
13:34:03.172828 IP 192.168.2.160.45999 > 98.139.183.24.http: Flags [S], seq 1122548929, win 0, length 0
13:34:06.175786 IP 192.168.2.160.45999 > 98.139.183.24.http: Flags [S], seq 1122548929, win 0, length 0
13:34:09.178804 IP 192.168.2.160.45999 > 98.139.183.24.http: Flags [S], seq 1122548929, win 0, length 0
[/pre]
This is not expected because NAT to internet should still be done by Router1, no? Computer
behind Router1 with IP 192.168.1.x has internet connection.
[5] It looks like I cannot change the Routing Table Entry on Router2. I do not think I need to change anything,
just an observation.
[6] If I use a LAN to LAN connection, then both intranet and internet work. [The internet IP of Router2 can be
anything not in the same subnet as Router1, and DHCP on the local side should be disabled to avoid conflict
with the DHCP on Router1].
I have a question. Unfortunately, in order to ask my question, I have to have a lengthy description of my setup. Basically, I have a second Linksys router in "router" operating mode with NAT disabled connected to the Verizon router, and I have a computer which is in a different subnet (192.168.2.x) behind the Linksys router. This computer can communicate with computers behind the Verizon router in subnet (192.168.1.x), but cannot reach the internet. This is a simplified version of my question; full details are in the original post.
If I set up the Linksys router in "gateway" operating mode, which means with NAT enabled, then both intranet and internet work, but there is no easy way to set up port forwarding for 10 computers in the 192.168.2.x network to communicate with 10 computers in the 192.168.1.x network.
I can set up the Linksys router in a LAN to LAN configuration with the Verizon router, but this way all computers are in the same subnet; I want them to be in different subnets for access control and things like that.
I hope this makes things a little clearer.
Thanks. -
Incoming and Outgoing router traffic
Hi everybody,
What exactly is the concept of incoming and outgoing traffic at one particular router interface? Can outgoing traffic be considered as the traffic forwarded from that interface to another interface?
Cheers
Aditya Naidu
Imagine an interface has two doors.
|| interface ||
thus packet flowing towards the interface would be considered "in",
--> || interface || <--
alternatively, packet flowing the opposite direction would be considered "out",
<-- || interface || -->
Now, let's have a look at the router with 2 interfaces.
|| interface 1 || -- routing process -- || interface 2 ||
packet originated from subnet connected to interface 1 destined for the subnet connected to interface 2:
--> || interface 1 || --> --> || interface 2 || -->
in other words,
the packet firstly flows "in" interface 1, "out" interface 1, "in" interface 2, and finally "out" interface 2. -
ASA appears to randomly stop forwarding/routing traffic
Hi guys, got a curly one -
Our ASA appears to randomly stop forwarding traffic between interfaces. Traffic does not forward for several minutes, then it starts again. After a while the traffic stops again for a few minutes, and the cycle repeats.
If you are on a directly connected network you can still ping the ASAs local interface (I have ICMP turned on for testing). However you cannot ping the ASA from any remote network. I can ping or trace all the way up to the last hop without an issue. You also cannot ping across the ASA to servers on the other side, even from the immediate next hop (which as I mentioned above, still works) .
This would appear to point to a routing problem? Strangely, routing still functions for the management network - I have had no problems reaching the command line from elsewhere in the network.
Has anyone encountered something similar to this before?
Relevant ASA configuration commands below:
interface GigabitEthernet0/1
description DMZ Trunk interface
no nameif
no security-level
no ip address
interface GigabitEthernet0/1.220
description F5 DMZ Internal
vlan 220
nameif DMZInternal
security-level 50
ip address 172.17.20.1 255.255.255.0 standby 172.17.20.2
interface GigabitEthernet0/2
nameif Internal
security-level 100
ip address 172.17.99.254 255.255.255.0 standby 172.17.99.253
icmp permit any DMZInternal
icmp permit any Internal
route management 0.0.0.0 0.0.0.0 172.17.42.1 1
route Internal 172.16.0.0 255.240.0.0 172.17.99.1 1
EDIT: sorry forgot to post -
#sh ver
Cisco Adaptive Security Appliance Software Version 8.3(2)
Device Manager Version 6.4(1)
Compiled on Fri 30-Jul-10 17:49 by builders
System image file is "disk0:/asa832-k8.bin"
Config file at boot was "startup-config"
Hi Dan - I suggest you ask this in the forum.
hth
Herbert -
When to use interface and when Abstract Class?
In a recent interview I was asked "When to use interface and when Abstract Class?" Explain with an example.
Also, in what situations should a class be made final (real-time example)?
Interface is a pure contract with no implementation. Typically used to define a communication contract between two different sub-systems. Example: EJB home interface. This also allows the design to change as long as the contract is met.
Abstract class is when there exists a lot of common functionality already known and can be coded. However, a few unknowns exist (typically about data) for which abstract methods need to be defined and implemented by the subclass.
Example: Consider a workflow engine. A great example for abstract class. The workflow process has a lot of common code that is independent of the workflow type (vendor flow, contract flow, payment flow etc). However, certain decisions on the route to take will depend on the value of the data being submitted. So the base class will define an abstract Data getData() method and proceed assuming data will come. The implementing subclass will provide the actual logic for getting the data.
Also see the "Template" design pattern.
Note: To some extent the common code design drives the behavior of the abstract methods. So if the design changes then so "might" the behavior expected from the abstract methods. -
Applying "route-map" in interfaces with encapsulation dot1q
Hello,
I would like to ask you if there were some trouble in applying route-maps in a interface and its subinterfaces, as it is shown:
interface GigabitEthernet0/2
ip address 11.0.9.26 255.255.255.252
ip policy route-map GestionRadios
interface GigabitEthernet0/2.11
encapsulation dot1Q 11
ip address 11.0.9.18 255.255.255.252
ip policy route-map RedOperativaA
interface GigabitEthernet0/2.12
encapsulation dot1Q 12
ip address 11.0.9.22 255.255.255.252
ip policy route-map RedOperativaB
I am not sure if it is totally correct. Besides, I get this information doing "show ip policy" and it seems to be right.
Router#show ip policy
Interface Route map
Gi0/2 GestionRadios
Gi0/2.11 RedOperativaA
Gi0/2.12 RedOperativaB
I would be very grateful for your help.
Thanks in advance
Regards,
Sandro
Sandro
We do not have much to work with in your post so giving you really good answers is difficult. You do not tell us what type of device this is (I assume probably a router, but perhaps it is a layer 3 switch?) or what version of code it is running. These things make a difference sometimes in what is supported or is not supported. But since you get output in show ip policy then I assume that the device does support configuration of this feature.
You show us the configuration of the interfaces but not the configuration of the route maps or the access lists which the route maps probably use. So we can not form an opinion of the validity of the route maps or the access lists.
And you do not tell us whether the Policy Based Routing is working or not (and in fact you do not tell us for sure that you are doing PBR - though that is generally what route maps on the interfaces are doing) so we are not clear whether there is a problem here or not.
But based on what you show us in this post I do not see any particular problems with the route maps and the way that you have applied them to interfaces (assuming that your goal is really to do PBR).
HTH
Rick